To Connect People Securely, Tor Project Seeks New Bridges

An anonymous reader links to an article at Ars explaining the dropping inventory of bridges available to users of the Tor project's encrypted messaging system. They're looking for more bridges, but that doesn't necessarily mean buying new hardware per se. From the article: "After campaigning successfully last year to get more volunteers to run obfuscated Tor bridges to support users in Iran trying to evade state monitoring, the network has lost most of those bridges, according to a message to the Tor relays mailing list by Tor volunteer George Kadiankakis. 'Most of those bridges are down, and fresh ones are needed more than ever,' [Tor volunteer George] Kadiankakis wrote in an e-mail, 'since obfuscated bridges are the only way for people to access Tor in some areas of the world (like China, Iran, and Syria).' For those who want to donate bridges to the Tor network, the easiest route is to use Tor Cloud, an Amazon Web Service Elastic Compute Cloud image created by the Tor Project that allows people to leverage Amazon's free usage tier to deploy a bridge."

Maybe

[fustakrakich]

It turns out that a bridge makes a lousy hiding place

Re:

[fustakrakich]

Why would this be modded offtopic? A Tor bridge is no different from a physical one, both with easily traceable paths. The simple fact is that under its present configuration the internet cannot be made secure. It's not even very robust. My old POTS line is still more reliable.

Re:

[Nethead]

Troll hiding under a bridge? Get it?

Re:

[Anonymous Coward]

No wonder my torrents over Tor have been a bit slower. Oh well, just have to do all of my torrenting when I am asleep.

Can money be donated?

[Anonymous Coward]

I don't have the technical chops or resources to help them out with obfuscated bridges, but I might be willing to donate a few bucks to a worthy cause.

Re:

[larry bagina]

Can you afford a raspberry pi? That and a 24-7 internet connection is all you need.

Re:Can money be donated?

[randomErr]

Relevant Link: http://www.instructables.com/id/Raspberry-Pi-Tor-relay/ [instructables.com]

Re:

[AlphaWolf_HK]

The main concern for me is security. I don't trust anonymous entry into my private network. Perhaps if I had a proper DMZ I would do so, but that requires more equipment and features than my router and ISP permits.

(For those confused: No, that DMZ feature on your linksys router isn't a true DMZ, it's just a static NAT with PAT, and you really shouldn't be using it if you care anything about security. If it is using the same public IP and same subnet and vlan as everything else inside of your network, it is

Re:

[Vrtigo1]

That's a great and technically accurate description of what the DMZ feature is on most routers and why you shouldn't expect it to work like an actual DMZ does. Kudos to you.

Re:

[Anonymous Coward]

Enjoy your jail time!

Re:

[davester666]

I volunteer to be a Tor bridge, but just redirect all the traffic to another bridge so I don't get into trouble.

Re:

[negRo_slim]

This is what I was just wondering. I saw the article linked that talked of cloud-based bridges and I'm wondering if I just goto the tor project homepage can I count on some of that donation helping with this issue?

Re:Can money be donated?

[bill_mcgonigle]

Have a read here:

http://www.torservers.net/donate.html [torservers.net]

Re:

[Anonymous Coward]

https://www.torproject.org/donate/donate.html.en [torproject.org]

Re:

[PhamNguyen]

Sure, you can donate here [cia.gov]. They take paypal.

I think not!

[techno-vampire]

AC gets modded down all the time.

Re:

[Cwix]

With an attitude like that, I would predict many more!

It's not very hard to block AWS IPs

[Anonymous Coward]

seriously guys... how long will this take until they just ban AWS IPs? and what use would be 1000 people signing up all to get similiar amazon IPs anyway

And the risks ?

[b100dian]

Let's say I'd be 'in' to help Tor. What are the risks for me, in a eastern country - like Romania ?

Re:

[slashmydots]

Now someone correct me if I'm wrong but there's entry node (which doesn't know if it's an entry or not) and a bridge then an exit node. The exit node, if the target website isn't using SSL, is vulnerable to looking like it's accessing whatever website/server the original viewer is on. So exit nodes are a bad idea. But bridges don't know the end target or whether it's an entry or intermediary bridge so basically it's just routing SSL traffic from one point to another and adding 1 more layer of encryption

Re:

[slashmydots]

Lol okay, I'll correct me. I just researched it and bridges reside outside the "onion" part. They're allegedly still fully encrypted but you'll probably look suspicious to someone somewhere running encrypted connections to Iran constantly.

Re:And the risks ?

[Anonymous Coward]

You are correct, as long as you configure your node as non exit, you are pretty much safe in nearly every european country and plenty of others.

No traffic leaves the tor network through your node and thus nothing should point to you (if the network works, if it doesn't, there are a lot of problems for a lot of people).

Depending on your country this can be very different. In some countries that do not have certain liberties simply having tor may be an issue, while tor does it best to hide everything and itself, it will likely stand out simply by being an encrypted connection, it may lead to you and lead to some questioning or worse.

For the sake of all users in such situation, stop making encrypted connections stand out and make them the norm. There really isn't any reason that everybody should be able to know what you do. Not in a "free" country and not in a non free one. Use SSH wherever you can, just that will be helpful for tor since it can then hide between those connections a bit better. Force encryption on your bittorrent, it may even lead to speedup. And if you believe your country is fine, do host a tor relay, it doesn't have to be an exit node to help the network, although there is a shortage of those as well as non exit nodes. Maybe once upon a time everything everywhere will go through a tor like service, once we get pissed off by all the people being able to see what you do.

Re:

[Dekker3D]

As far as I know, a bridge is a hidden entry node. Unlike regular ones, they're not published on a huge list.. you can only request a few via a certain url at a time.

Look for the Cupcake project

[ptaff]

Cupcake [github.com] allows you via a browser extension to run a bridge if you won't/can't install the whole Tor suite [torproject.org].

Currently available for Chrome / Chromium [google.com], Firefox is in the works.

Please help Tor!

Re:

[PopeRatzo]

Cupcake allows you via a browser extension to run a bridge if you won't/can't install the whole Tor suite.

That is very helpful, thank you.

I know of a company that might be willing to set up a bunch of these bridges as long as they don't find out about them. If you catch my drift.

wait, what? why?

[slashmydots]

How about someone with a fiber connection that I keep hearing about on slashdot just opens vidalia and configures it to run as an intermediary node. Isn't that functioning as a bridge? I have a 10MB connection but the upload is 1MB and my computer doesn't run anywhere near 24/7 or I'd run an intermediate node that way. Why the hell is anyone bother with amazon web services? Just for the bandwidth? Because I think my i5-2400 could encrypt thousands of people's SSL traffic on the fly easily so that just leaves bandwidth. So is there something else I'm missing or can people with massive bandwidth easily self host a bridge?

Re:

[raxx7]

You're not missing anything, running a bridge at your home is fine.
But since you're not willing to spare your scarce bandwidth, then AWS instance is an easy and cheap way to contribute.

silkroad should pay

[purnima]

Tor is totally decentrlized. But surely there has to be a decetralized system that incentives people to bridge in the network. Presently, we're asked to do this out of the goodness of our hearts, like a charity. "Think of the poor Iranian freedom lover's," meh, when we know fully well that much of the traffic is silkroad related and what ever other illegal crap has found a home in the Tor space.

Whoever is running the apparently lucrative silkroad can make small bitcoin donations to "bridging" volunteers. It's cheaper than paying their taxes to a real government. You wanna distribute the north east Iranian goodies? pay for the network!

Re:

[purnima]

Yes sure.

Take bitcoin for example. Why is it valued at all? It has built in incentives but also its value probably comes from its use for money laundering and other illegal activities.

Re:

[purnima]

Isn't the whole idea of Tor-bitcoin is to make an anarchist-nirvana where there is no such thing as criminal and non-criminal.

Re:

[Sigg3.net]

Mixing money into it is sure to invoke govt attention.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[ArchieBunker]

Poorly worded headlines are the least of your worries here. We still have to deal with advertisements disguised as stories and summaries that contradict what the article really says.

Iran elections

[Okian Warrior]

If memory serves, four years ago the Iran elections resulted in much oppression and general chaos. A global call went out for Tor nodes and other resources in order to help the Iranian people at the time.

The next Iranian elections will be in June of this year. Perhaps we should be forward-looking and set up a robust network ahead of time?

Anyone remember these Slashdot posts of note?

http://yro.slashdot.org/story/09/06/29/1230216/the-technology-keeping-information-flowing-in-iran [slashdot.org]

http://yro.slashdot.org/story/09/06/22/1347228/mass-arrests-of-journalists-follow-iran-elections [slashdot.org]

http://science.slashdot.org/story/09/06/16/2137203/statistical-suspicions-in-irans-election [slashdot.org]

Absolute offtopic but...

[Thor Ablestar]

... While I always see 1-2 Chinese nodes in I2P NetDB, I have not seen any Iranian node. Why? Does it mean that anybody trying to connect is persistently looked for, or just the system is not popular? Or, maybe, TOR client is much less visible than I2P node and so is more secure?

Liability

[dargaud]

I feel a lot safer running an open wifi that logs all connection than running a tor node. After all I know who my neighbors are. But who knows what goes through TOR? After reading a few scare stories of TOR volunteers getting their door kicked in and their gear confiscated, that's the reason I'm not running a node, although I support the idea. But if it's to support untraceable spam, kiddie porn and DDOS operations, no thanks. Anyone has a breakdown of the kind of traffic that goes through TOR?

Re:

[ickleberry]

I have run a tor exit node on my home DSL line for years. Never had a door kicked in. Only trouble I had was being blocked from boards.ie and geocaching.com