Tor! What is it good for?

Thanks to everyone that attended the March ITS Innovation Lunches about Tor!

Here is the presentation that I put together on the subject, with links to relevant news articles and the Tor and Tails project sites.



There were a lot of questions and interest in Tor, which is great!

Links from the presentation

• Want to learn more about Tor? Visit the Tor Project site.
• Want to learn more about Tails? Visit the Tails project site. 

How can you access the Tor network?

• Using the Tor Browser.
• Using Tor-configured email clients and other services.
• Using a Raspberry Pi router configured to access the Tor network.

Potential use cases for Tor include: 

• Circumventing the Great Firewall of China, especially since it has recently started blocking VPN connections. 
• Avoiding a government- or Internet Service Provider-initiated block of certain websites. Turkey blocked Twitter for a period during the Occupy Gezi protests in 2013.
• Visiting sites that are politically or legally sensitive in the country you live in, such as communicating with potential partners in a country where it is illegal to be gay. 
• Domestic violence survivors, whether in a shelter or still in the abusive situation. 

Questions from the audience—Answered!

Since Tor and Tails are both anonymity-based, questions came up about security. Tor doesn't provide end-to-end encryption, leaving exit node traffic vulnerable to spying. What can you do to get around that?

• Use HTTPS Everywhere, a Firefox, Chrome, and Opera extension put out by the Electronic Frontier Foundation (EFF). 
• If you maintain a website or server, the EFF and others have started a project called Let's Encrypt to make the process of obtaining a secure certificate from a certificate authority not only easier, but free! 

How easy would it be to compromise the network?

• In 2011, French researchers claimed to have compromised the Tor network. The Tor Project's response states that those claims were exaggerated. 
• Documents released by Edward Snowden and shared by Der Spiegel include details about Tor deanonymization research conducted by GCHQ and the NSA. More details and context is provided by The Guardian's article: NSA and GCHQ target Tor network that protects anonymity of web users. 

Since file-sharing isn't allowed, what are other safe, secure ways to share larger files on the network?

• Use email that is Tor-enabled and preferably encrypted.
• To share files in a whistleblowing scenario, organizations have started using SecureDrop, and the New Yorker set up a service called StrongBox built on the same framework.

When you visit a website, what IP address DO they get, since your original is hidden?

• Suspicion around the room was correct—the Tor exit node's IP address is the one shared with the destination web server. There are only so many Tor exit nodes, so the more there are, the safer (and more anonymous) Tor users there are. 

Is Alex Halderman's group at U-M doing research regarding Tor?

• The Internet scanning tool ZMap developed by his research group was used to identify 86% of Hidden Tor Bridges.

People were also curious about what email options, for example, were available for people who did most of their computing on the Tails operating system.

• Hushmail is a private email account that you can set up.
• Alternatively, you can use GPGTools to encrypt your existing email, and send secure encrypted emails to people, who can then read them after they decrypt them. 
• To use GPGTools and other forms of encryption, you need to set up a public key so that people can send you encrypted messages, and you send them encrypted emails in return! I set up an account on Keybase (here's me), which has a slick web interface for encryption, and also makes it really easy to set up and start using encryption. If you're interested in setting up an account, contact me for an invite.

And since Tails is an anonymity and privacy-based operating system for Windows, Mac, and Linux, there were questions about mobile options as well.

• Blackphone was mentioned, a device developed by Silent Circle Technologies that promises strong encryption and protected communications.
• BlackBerry is developing a tablet with a security and encryption focus. 
• For GSM-based phones abroad, there is the Cryptophone.
• If you want to use encryption and privacy tools on your existing mobile device, you can install encrypted messaging apps:
• TextSecure and RedPhone are an open source Android apps developed by Open Whisper Systems that provide encrypted texting and calling.
• The same company also develops Signal, an app for iPhones that does the same things.
• The EFF keeps a scorecard of secure messaging apps available as well.

Thanks again to everyone that came to the lunch! Next month's lunch will cover Arduino!