tl;dr I would like to (A) design a "capture the onion" contest to get people trying to break the next-gen onion service protocol and code, and run the contest at the next Defcon; (B) craft a funding proposal to help us do A well; and (C) run a Tor village at the next Defcon too.
Part A:
We have this new onion service design, and one of its features is that we hope it is now impossible to discover onion addresses through in-protocol flaws. How do we know that we designed it right? How do we know that we implemented it right?
Imagine if we deploy a local Tor network on the Defcon network, where random Defcon attendees can run relays. The anonymity properties would be terrible, because the trust isn't distributed over a large area and because Sybil attacks and other shenanigans are likely. But new-style onion services should be able to advertise themselves, and have their onion address remain private, even in this terrible environment.
The goals of the contest would be getting people to (1) beat on our new onion service design, and (2) learn more about the Tor design and code.
A proper contest has a variety of puzzles at a variety of difficulty levels. (If the only challenge were to uncover our private new-style onion addresses, most people would fail, and they would quickly become bored.) So we would want to include intermediate challenges. One example would be to run old-style onion services too, since there are known attacks against the old design. In an ideal world we'd brainstorm 15 or 20 puzzles, not all onion service related, to keep the attention of a variety of skill levels, and more importantly to raise the amount of Tor clue for people at each level.
(The way you actually "capture" an onion could be by visiting the website behind it, and being given a token that proves you went to it.)
Many fun contest designs include both offense and defense, i.e. they pit teams against each other rather than against the game itself. I don't know how to make use of this point, but maybe we will come up with ideas.
I also pondered whether we could team up with an existing contest, e.g. ask the capture-the-flag people to be a module in their bigger plans. But capture-the-flag has been going through contortions to keep the offense from being too easy -- for example, this year they surprised people with a 27-bit architecture that uses 9-bit bytes and is middle-endian. Sounds fun if you're into that, but maybe not so useful for our needs. :)
Part B:
Our SponsorR program manager has expressed interest in helping to make this idea happen. In fact, it started out as his idea. He's asked us to put together proposals for the low end, the medium end, and the high end of what it would cost. (I asked him for hints on what he meant by each category, and he wouldn't commit, saying instead "whatever it would cost".)
Piece one that would want attention is contest design, i.e. coming up with the puzzles, and figuring out how one would implement them, and also balancing the game so it's fun -- everybody can make progress at something, there aren't any puzzles that will destabilize the whole thing, it's clear who made the most progress, etc.
Piece two would be sorting through how to harden a Tor network to survive being run in this terrible environment. We'd probably want to make the directory authorities more robust, like by making them onion services themselves, and/or making them "push" the consensus to the fallbackdirs rather than being able for pulls. This piece could involve large amounts of design and coding, so we'd want to make a roadmap and prioritize items.
(We will want to declare certain types of attack out of scope for the contest, and frowned upon if people do them, but also we will want to show up with a robust network.)
Piece three would be the actual operations of the contest, including deploying the network and sandboxing the components, but also including running everything during the weekend. The first year will be a learning experience all around, but the more we can learn surprising things rather than expected things, the better. :)
We might also be wise to deploy the network, and parts or all of the game, beforehand for playtesting. And I bet some of the puzzles will work better if people know about them, and prepare for them, beforehand.
Part B2:
Now, there is a strong argument that if what we want most is an exploit on the new code, we should sign up for Pwn2Own or the like, and offer a $10k+ prize.
After all, weekend contests are fun for raising interest and getting people to learn more, but in isolation they may not be an efficient way of getting people to discover complicated bugs.
I think it's worth exploring both approaches, and maybe combining them in some cool way if we can think of how best to do it.
Note that we already have our bug bounty program in place, and it would be very straightforward to highlight and advertise this category of bug for the top tier $3k payout, or even a higher payout if we wanted. But coordinating with a higher profile zero-day event could still bring more attention to the topic.
Part C:
A bunch of people I ran into at Defcon expressed interest in a Tor village next year. Rather than taking on all the logistics issues ourselves, I've instead been coordinating with organizers from two existing villages, who each have no plans to use their village space from 5pm onward each evening.
This way we could have a designated "hang out and answer Tor questions" spot, with quite low logistics costs. And if we wanted to make it into something more we could.
Eight years ago, when I was last at Defcon, I saw many many Tor shirts. This year I saw almost none. We have definitely been paying less attention to the American hacker scene lately than we should have been. I think it would be really great to get a huge pile of Tor shirts there next year, perhaps with a table in the Tor village, and perhaps also at already established booths like EFF and Calyx.
--Roger
On 1 September 2017 at 17:09, Roger Dingledine arma@mit.edu wrote:
tl;dr I would like to (A) design a "capture the onion" contest to get people trying to break the next-gen onion service protocol and code, and run the contest at the next Defcon; (B) craft a funding proposal to help us do A well; and (C) run a Tor village at the next Defcon too.
I'm so glad you wrote this email. I lamented the lack of Tor exposure at Defcon this year, but didn't feel I was in a position to say anything.
While I was briefly at Defcon this year, I wandered around the vendor area - which, if you've never been, is part vendors selling things like lockpicks and various hacking hardware like wifi pineapples and part charities and organizations like EFF, Calyx, ACLU. I had the overwhelming thought "Tor should be here."
---------
I am completely sold on the idea of getting more representation at Defcon. I am not sold on the idea of a Capture the Onion contest being the best way to do it. Firstly, contests are a lot of work. I'm wondering how much attention and time developing and testing and reviewing it will detract from other efforts.
Secondly, while I think we could be creative in finding ways to hide flags in a contest network, I think the number of flags that we would be able to hide that are 'Tor-specific' would be dwarfed by the number that are more general application-security or crypto-specific. Maybe the answer to this concern is just to brainstorm ideas for a few weeks and see what we come up with though.
Thirdly - right now, the techniques used to perform attacks on .onions are public, but the code is not (AFAIK.) If we run this contest, we should expect this code to be published and expect to see an increase in the amount of relays we have to detect and block. The lack of public code is Security through Obscurity - obscurity doesn't provide protection, but it does reduce the amount of attackers you have to deal with. And we have to do manual work to counter each attacker. This isn't a terribly strong point (maybe by next summer a whole suite of attack tools on .onions will be published and it doesn't matter if two more are floating around) - but I wanted to mention it. Especially if we intend to keep the old-style onions limping along for multiple years. (Alternately this would accelerate their obsolete.)
Fourthly, I am also worried about the maintenance of the contest infrastructure. If we can't keep it up and running, and debug problems, the contest will flop.
Finally, I'm worried about participation. Some people will play in the contest, but the number of people who we reach with the contest will be two or three order of magnitudes smaller than the number we reach through efforts like a vendor table or the village. (And I think we should direct our efforts appropriately.)
I like Part B2 - if the goal of the contest is to give a focus on getting the new .onion code reviewed, I think it would be more effective to do a Pwnium style contest/prize. Pwnium was Google's old contest (which ran for months) giving enhanced payouts on certain targets.
If the goal is to get more Tor mindshare at Defcon, I think a contest would do that, but I'm not certain it hits the right balance of return on investment.
---------
I love the idea of a village, especially an evening village (I'm imaging something like 5 to 10 or 11.) I think we should definitely make it more than a just 'hang out with Tor' space. I think we can come up with a lot of things we could do here; and we should aim to have both 'active' and 'passive' experiences.
Active would be something like "At 6PM we're going to do an hour long (45min+questions) deep technical walkthrough of how the new .onion design works". Passive would be something like "We have sketchbooks and colored pencils. Are you artistic? Sketch some Tor/onion artwork and we'll share it on our blog!"
---------
I am not sure if a Village satisfies the same purpose as a vendor table though. Nearly everyone at Defcon will walk through the vendor area once. Not everyone will go to Defcon in the evening or go to a village they aren't directly interested in. I think we should have both (and our own table, separate from Calyx/EFF), but I recognize it means we would effectively need twice as many people at the conference to staff the table and the village (since we couldn't expect the same people to commit to doing both.)
I think we should bring a pile (a very large pile) of T-shirts to sell, as well as other things (which we can brainstorm.) Free pamphlets on how to use Tor (which I think we have) and ones on how to run a relay (which we can make.) I'm also imagining a special brand-new sticker design we can give out to relay operators who stop by.
---------
I am completely psyched about this. I have a bunch of ideas I didn't put in this email (and more details/ideas about what I did mention). I am totally volunteering to do a lot of brainstorming, planning, and logistics works. I am _hopeful_ I will be able to attend next year and help staff everything.
-tom
Defcon's Call for Everything is now open, with a deadline of March 1. https://defcon.org/html/defcon-26/dc-26-calls.html
-tom
On 5 September 2017 at 13:25, Tom Ritter tom@ritter.vg wrote:
On 1 September 2017 at 17:09, Roger Dingledine arma@mit.edu wrote:
tl;dr I would like to (A) design a "capture the onion" contest to get people trying to break the next-gen onion service protocol and code, and run the contest at the next Defcon; (B) craft a funding proposal to help us do A well; and (C) run a Tor village at the next Defcon too.
I'm so glad you wrote this email. I lamented the lack of Tor exposure at Defcon this year, but didn't feel I was in a position to say anything.
While I was briefly at Defcon this year, I wandered around the vendor area - which, if you've never been, is part vendors selling things like lockpicks and various hacking hardware like wifi pineapples and part charities and organizations like EFF, Calyx, ACLU. I had the overwhelming thought "Tor should be here."
I am completely sold on the idea of getting more representation at Defcon. I am not sold on the idea of a Capture the Onion contest being the best way to do it. Firstly, contests are a lot of work. I'm wondering how much attention and time developing and testing and reviewing it will detract from other efforts.
Secondly, while I think we could be creative in finding ways to hide flags in a contest network, I think the number of flags that we would be able to hide that are 'Tor-specific' would be dwarfed by the number that are more general application-security or crypto-specific. Maybe the answer to this concern is just to brainstorm ideas for a few weeks and see what we come up with though.
Thirdly - right now, the techniques used to perform attacks on .onions are public, but the code is not (AFAIK.) If we run this contest, we should expect this code to be published and expect to see an increase in the amount of relays we have to detect and block. The lack of public code is Security through Obscurity - obscurity doesn't provide protection, but it does reduce the amount of attackers you have to deal with. And we have to do manual work to counter each attacker. This isn't a terribly strong point (maybe by next summer a whole suite of attack tools on .onions will be published and it doesn't matter if two more are floating around) - but I wanted to mention it. Especially if we intend to keep the old-style onions limping along for multiple years. (Alternately this would accelerate their obsolete.)
Fourthly, I am also worried about the maintenance of the contest infrastructure. If we can't keep it up and running, and debug problems, the contest will flop.
Finally, I'm worried about participation. Some people will play in the contest, but the number of people who we reach with the contest will be two or three order of magnitudes smaller than the number we reach through efforts like a vendor table or the village. (And I think we should direct our efforts appropriately.)
I like Part B2 - if the goal of the contest is to give a focus on getting the new .onion code reviewed, I think it would be more effective to do a Pwnium style contest/prize. Pwnium was Google's old contest (which ran for months) giving enhanced payouts on certain targets.
If the goal is to get more Tor mindshare at Defcon, I think a contest would do that, but I'm not certain it hits the right balance of return on investment.
I love the idea of a village, especially an evening village (I'm imaging something like 5 to 10 or 11.) I think we should definitely make it more than a just 'hang out with Tor' space. I think we can come up with a lot of things we could do here; and we should aim to have both 'active' and 'passive' experiences.
Active would be something like "At 6PM we're going to do an hour long (45min+questions) deep technical walkthrough of how the new .onion design works". Passive would be something like "We have sketchbooks and colored pencils. Are you artistic? Sketch some Tor/onion artwork and we'll share it on our blog!"
I am not sure if a Village satisfies the same purpose as a vendor table though. Nearly everyone at Defcon will walk through the vendor area once. Not everyone will go to Defcon in the evening or go to a village they aren't directly interested in. I think we should have both (and our own table, separate from Calyx/EFF), but I recognize it means we would effectively need twice as many people at the conference to staff the table and the village (since we couldn't expect the same people to commit to doing both.)
I think we should bring a pile (a very large pile) of T-shirts to sell, as well as other things (which we can brainstorm.) Free pamphlets on how to use Tor (which I think we have) and ones on how to run a relay (which we can make.) I'm also imagining a special brand-new sticker design we can give out to relay operators who stop by.
I am completely psyched about this. I have a bunch of ideas I didn't put in this email (and more details/ideas about what I did mention). I am totally volunteering to do a lot of brainstorming, planning, and logistics works. I am _hopeful_ I will be able to attend next year and help staff everything.
-tom
tor-project@lists.torproject.org
-
Roger Dingledine -
Tom Ritter