To the EFF: a Tor Challenge proposal

Hello Electronic Frontier Foundation,

In mid 2011, the EFF started a “Tor Challenge” which encouraged more than 500 people to run their own Tor relays.

It was a brilliant way to bring awareness to the project and expand the Tor network. A year later, it seems that 90% of those relays are no longer operational. The Tor Challenge does not seem to be designed for long-term Tor support, which would be ideal. I am writing to you in hopes of re-initiating the Tor Challenge, but also wanting to add some new functionality. I believe that an EFF-sponsored program such as the Tor Challenge can be highly successful for two reasons. First, it is a not-for-profit with the ability to collect tax-deductible donations. Second, it is a legal/rights-oriented organization which can help alleviate the possible perceived worry with regard to running Tor nodes. With the EFF putting its name on this program, it helps remove the possible drama of uneasy emotions while simultaneously promoting a willingness to contribute to the Tor Project.

  1. Lead by example
  2. Create a community
  3. Award the community

# Lead by example

Looking at Torstatus.blutmagie.de, I see two EFF-run Tor relays. I am really happy to see them, but I’m disappointed by how “slow” they are, and by the fact that neither of them is a Tor exit-router.

  • observatory5.eff.org [173.236.34.122]
  • tor1.eff.org [64.147.188.11]

In order to make maintaining EFF-run Tor nodes more sustainable, the EFF should make the Tor Challenge into a dedicated program. Not knowing the internals of the EFF, here are some suggestions:

  1. Make the Tor Challenge a formal program within the EFF, even if it is solely supported by new volunteers (like me!).
  2. Re-initiate your social-media and outreach for the program, but also give the program its own home page, as an example, Torchallenge.eff.org.
  3. Expand the bandwidth of your two current Tor nodes (100 Mbps+), but turn at least one of them into a Tor exit-router.
  4. Rename them for self-branding (for example: Exit01.torchallenge.eff.org and Relay01.torchallenge.eff.org)
  5. Allow volunteers of the Tor Challenge to ask for EFF donations, specifically for funding EFF maintained Tor nodes.
  6. The Tor Project currently has a wiki page of Tor-friendly ISPs and hosting companies. Expand their work and actively engage with US-based companies to educate and identify them. This has the added benefit of looking for companies to donate hosting/bandwidth to EFF for the expansion of EFF maintained Tor nodes.

On the web page of one of my Tor exit-routers, Tor.anon.is, I specify how much traffic the router has processed since its inception. I do this because it enhances my interest in keeping a node online. It is simply amazing to realize how many people I am actually helping through general-quantification. I would encourage the EFF to devise a real-time tool for displaying the same type of information on your relay’s web pages, and to make those tools available to the Tor Challenge community. You might take the opportunity to perform research (simple surveys) to identify why people run Tor nodes. That might also allow you to devise new ways of enhancing the Tor Challenge community for long-term engagement.

# Create a community

Torchallenge.eff.org (example) should be a one-two punch for educating and highlighting the contributions made by the numerous individuals and organizations that run long-term Tor nodes. It might make people feel as though they are part of a greater community. As a Tor exit-router operator, I would feel very alone if not for hanging out in the #Tor IRC channel. What finally made me push myself to running my own Tor exit-router was the University of Washington hackathon. For me, it was a sense of wanting to engage with these many amazing people. By encouraging in-person meet-ups, even if sponsored by related organizations, I strongly feel that this would enhance one’s sense of community. Without that sensation of connection, there is certainly a higher learning-curve to become at ease when taking the risk of running a long-term Tor exit-router.

The Tor Challenge home page should be social (to some extent) so that people can share their own achievements and see the successes of others. Torstatus.blutmagie.de does have a fair number of metrics available, as does Atlas.torproject.org, but what is missing is the long-term documentation of who has done what, including the amount of traffic and uptime that people and organizations have contributed. It is also limited by its focus on the Tor node, not on the people and organizations behind them.

  1. The Tor Project currently has a fair amount of material for both educating people about Tor and how they might use and/or support Tor. Certainly expand on these ideas but also find specific ways to engage people who want to run their own Tor nodes.
  2. Devise metrics for contributors so that people can identify with their contributions, but also the contributions of others via that shared connection.
  3. Create a blog so that people can tell their stories – from those who use Tor, but also from those who contribute to Tor.
  4. Create hash-tags and other ways for people to share via popular online social networks.
  5. The social aspects of the Tor Challenge home page should not be limited to people and their contributions. Let people create their own “guilds” or TorChallenge clubs that bring awareness to hacker spaces as well as university clubs and/or organizations.

# Award the community

The amazing people who maintain their own Tor relay likely already have a strong understanding of why they support the Tor Project. However, some people are still learning, want to learn more, or want other ways of making connections. An award system might be a good way to provide needed feedback loops. Mozilla has initiated an “Open Badges” program, and it seems ideal for this type of knowledge development and community building.

  1. Create a Tor Challenge OpenBadges authority, and provide direct feedback to the individuals and organizations who have earned achievements.
  2. Research and develop new metrics and new ways to award badges.
  3. Create ways for people to share their badges on social networks as well as blogs/personal pages.
  4. Automate the delivery of awarded badges, detailing the next steps and/or additional ways to get involved with either the Tor Project or the Tor Challenge.
  5. Send out monthly newsletters to the Tor Challenge community alerting everyone to Tor updates, issues, news stories, and of course, the new achievements awarded to community members.

I hope that the ideas that I present above are useful to you. I understand that these ideas may already have been implemented to some degree, and I hope that you understand that I do not want to step on anyone’s feet, especially the amazing people at the Tor Project. Feel free to reuse or republish any of the above verbiage, and please contact me if you have any questions or concerns. Thank you for your time.


Updated my Tor Exit Router policy

Revised: https://atlas.torproject.org/#details/6B53D408A434C2410FADA8224097CC60A441F7C5

From: https://trac.torproject.org/projects/tor/wiki/doc/ReducedExitPolicy

```
ExitPolicy accept *:20-23     # FTP, SSH, telnet
ExitPolicy accept *:43        # WHOIS
ExitPolicy accept *:53        # DNS
ExitPolicy accept *:79-81     # finger, HTTP
ExitPolicy accept *:88        # kerberos
ExitPolicy accept *:110       # POP3
ExitPolicy accept *:119       # accept nntp as well as default exit policy
ExitPolicy accept *:143       # IMAP
ExitPolicy accept *:194       # IRC
ExitPolicy accept *:220       # IMAP3
ExitPolicy accept *:389       # LDAP
ExitPolicy accept *:443       # HTTPS
ExitPolicy accept *:464       # kpasswd
ExitPolicy accept *:465       # smtps (SMTP over SSL)
ExitPolicy accept *:531       # IRC/AIM
ExitPolicy accept *:543-544   # Kerberos
ExitPolicy accept *:554       # RTSP
ExitPolicy accept *:563       # NNTP over SSL
ExitPolicy accept *:636       # LDAP over SSL
ExitPolicy accept *:706       # SILC
ExitPolicy accept *:749       # kerberos
ExitPolicy accept *:873       # rsync
ExitPolicy accept *:902-904   # VMware
ExitPolicy accept *:981       # Remote HTTPS management for firewall
ExitPolicy accept *:989-995   # FTP over SSL, Netnews Administration System, telnets, IMAP over SSL, ircs, POP3 over SSL
ExitPolicy accept *:1194      # OpenVPN
ExitPolicy accept *:1220      # QT Server Admin
ExitPolicy accept *:1293      # PKT-KRB-IPSec
ExitPolicy accept *:1500      # VLSI License Manager
ExitPolicy accept *:1533      # Sametime
ExitPolicy accept *:1677      # GroupWise
ExitPolicy accept *:1723      # PPTP
ExitPolicy accept *:1755      # RTSP
ExitPolicy accept *:1863      # MSNP
ExitPolicy accept *:2082      # Infowave Mobility Server
ExitPolicy accept *:2083      # Secure Radius Service (radsec)
ExitPolicy accept *:2086-2087 # GNUnet, ELI
ExitPolicy accept *:2095-2096 # NBX
ExitPolicy accept *:2102-2104 # Zephyr
ExitPolicy accept *:3128      # SQUID
ExitPolicy accept *:3389      # MS WBT
ExitPolicy accept *:3690      # SVN
ExitPolicy accept *:4321      # RWHOIS
ExitPolicy accept *:4643      # Virtuozzo
ExitPolicy accept *:5050      # MMCC
ExitPolicy accept *:5190      # ICQ
ExitPolicy accept *:5222-5223 # XMPP, XMPP over SSL
ExitPolicy accept *:5228      # Android Market
ExitPolicy accept *:5900      # VNC
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy accept *:6679      # IRC SSL
ExitPolicy accept *:6697      # IRC SSL
ExitPolicy accept *:8000      # iRDMI
ExitPolicy accept *:8008      # HTTP alternate
ExitPolicy accept *:8074      # Gadu-Gadu
ExitPolicy accept *:8080      # HTTP Proxies
ExitPolicy accept *:8087-8088 # Simplify Media SPP Protocol, Radan HTTP
ExitPolicy accept *:8332-8333 # BitCoin
ExitPolicy accept *:8443      # PCsync HTTPS
ExitPolicy accept *:8888      # HTTP Proxies, NewsEDGE
ExitPolicy accept *:9418      # git
ExitPolicy accept *:9999      # distinct
ExitPolicy accept *:10000     # Network Data Management Protocol
ExitPolicy accept *:11371     # OpenPGP hkp (http keyserver protocol)
ExitPolicy accept *:19294     # Google Voice TCP
ExitPolicy accept *:19638     # Ensim control panel
ExitPolicy reject *:*
```
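
An added example, not part of the original post or of Tor itself: a small Python checker that evaluates a policy like the one above with first-match-wins ordering and reports whether the list ends in a catch-all rule, since a list without a final `reject *:*` or `accept *:*` is prepended to Tor's default exit policy rather than replacing it. The `POLICY` string is an excerpt of the list above, and the function names are hypothetical.

```python
import re

# Excerpt of the policy above, copied for the example (not the full list).
POLICY = """\
ExitPolicy accept *:20-23     # FTP, SSH, telnet
ExitPolicy accept *:53        # DNS
ExitPolicy accept *:79-81     # finger, HTTP
ExitPolicy accept *:443       # HTTPS
ExitPolicy accept *:465       # smtps (SMTP over SSL)
ExitPolicy accept *:6660-6669 # IRC
ExitPolicy reject *:*
"""

# Only the "*:PORT", "*:LOW-HIGH" and "*:*" forms used on this page are handled.
RULE = re.compile(r"^ExitPolicy\s+(accept|reject)\s+\*:(\*|\d+(?:-\d+)?)$")


def parse_policy(text):
    """Return [(action, low_port, high_port)] in the order the rules appear."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop the trailing comment
        if not line:
            continue
        m = RULE.match(line)
        if m is None:
            raise ValueError(f"line {lineno}: unsupported rule: {raw!r}")
        action, ports = m.groups()
        if ports == "*":
            low, high = 1, 65535
        else:
            low, _, high = ports.partition("-")
            low, high = int(low), int(high or low)
        if not 1 <= low <= high <= 65535:
            raise ValueError(f"line {lineno}: bad port range: {raw!r}")
        rules.append((action, low, high))
    return rules


def decision(rules, port):
    """First matching rule wins; None means no listed rule matched."""
    for action, low, high in rules:
        if low <= port <= high:
            return action
    return None


def replaces_default(rules):
    """True if the list ends in a catch-all, so the default policy is not appended."""
    return bool(rules) and rules[-1][1:] == (1, 65535)


if __name__ == "__main__":
    rules = parse_policy(POLICY)
    for port in (22, 25, 80, 443, 465, 6667, 6670):
        print(port, decision(rules, port))
    print("replaces default policy:", replaces_default(rules))
```

Port 25 is not listed, so it falls through to the final `reject *:*`; with that last line removed, `decision` returns `None` for it and `replaces_default` returns `False`, which is the case to catch before reloading a relay.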

Statement of Purpose

Thank you for allowing me the opportunity to share my ambitions and goals regarding the University of Washington (UW) master’s degree program in Infrastructure Planning and Management (MIPM).

Earlier this year, I passed the interview portion for a network administration position within the Seattle Police Department (SPD). Following the extensive background-check process, I was denied the position due to a lack of work-related experience compared to another candidate. I consider the SPD application experience a success for three reasons. First, it was an honor to simply spend time with SPD information technology managers and be challenged with technical and non-technical questions. Working for the City of Seattle has been a long-time desire, especially concerning the security of critical infrastructure. Second, at the end of my interview, I was praised for my ability to be articulate when providing answers. For nearly two years, I have been employed by Big Fish Games in their network operations center (NOC). Having made it a specific point of mine to further develop appropriately-verbose communication skills, it was wonderful feedback to hear. Finally, during the SPD’s interview process, I was asked if there was anything I would like to add to bolster my prospect of being hired. I specifically mentioned the MIPM program with the intention of working directly with the SPD for any and all related projects. Two of my three interviewers were clearly interested in the UW’s MIPM program. One responded by explaining the SPD’s desire to work closer with the University of Washington. I hope that I will be presented with a future opportunity to work for the SPD on some form of city-level information assurance development.

For over two years, I have been maintaining high standards for information technology (IT) infrastructure incident response and problem management in two separate NOCs. My first NOC position was with Microsoft supporting online business communications technologies across 19 internationally-spread datacenter co-locations. The majority of my professional NOC experience has been with Big Fish Games where I help support their entire IT infrastructure, encompassing 4 internationally-spread datacenter co-locations.

IT professionals who are fortunate enough to be able to rely on a NOC for all initial triage and communications support differ in terms of knowledge specialization and development. Unlike network or database administrators, NOC personnel must holistically understand all operational aspects of their entire business infrastructure. In contrast to Microsoft, an extremely large company, Big Fish Games is a medium-sized company with 99% revenue dependency on IT infrastructure and uptime. I feel very fortunate to be valued as a peer in a company like Big Fish Games where one is able to clearly understand where professional specializations and business drivers merge.

Prior to my NOC experiences, I had a successful internship at Microsoft as a Support Analyst on a datacenter deployment operations team. Although I feel that this internship was too short (three months), I helped perform a diverse set of large-scale hardware and software deployments, including some in Microsoft’s famous 470,000 square foot facility in Quincy, WA. I believe that these experiences with large-scale IT systems are setting the stage for even greater work in support of critical infrastructure.

Working as an information systems problem manager has allowed me to gain a unique understanding and appreciation for the IT field. I am looking forward to shifting gears from a response-oriented (reactive) career to a forward-thinking (pro-active) career in IT.

My future plans involve working in a security-focused role in Seattle while maintaining high academic performance in the MIPM program. Professional IT security experience is a requirement for Certified Information Systems Security Professional (CISSP) certification. Additionally, in 2013, I would like to attend the Oxford Scenarios Programme, hosted by the Saïd Business School, University of Oxford. This futures-development coursework would dramatically increase my contributions to the MIPM program. The Oxford Scenarios Programme would also fit in with my long-term objectives of executive-level information assurance development.

The MIPM program is a clear next-step. Being a critical and strategic thinker, I have outlined two primary objective-oriented paths with many levels of goals—one path academic, one career-oriented. I have taught myself the concept of how to pursue what I can when I can, and to merge these two paths whenever possible. The MIPM program would undoubtedly be one of those rare events where I can merge both paths. My long-term career objectives include the executive management of information assurance processes. Furthermore, I hope to advance my company, Sagawa LLC., which will build a network security appliance that utilizes Suricata, an intrusion detection and prevention system (IDPS) developed by the Open Information Security Foundation (OISF). OISF is funded by the Department of Homeland Security (DHS) and the Navy’s Space and Naval Warfare Systems Command (SPAWAR). I originally became interested in developing my skills in security information and event management (SIEM) using Suricata because of the DHS and Navy’s direct support for its development—supporting federal information assurance initiatives greatly appeals to me.

I have many hobbies. For entertainment (please keep in mind that I am an introvert), I study information philosophy and information systems theory, and have a general interest in complex systems theory and intelligence analysis. Also, I read a great deal of information-security related media. I contribute to the Crypto.is project (https://crypto.is/) by developing public-domain licensed standard operating procedures for installing and using open-source cryptographic communication tools. Additionally, I maintain two Tor (https://torproject.org/) exit routers. I have a keen interest in supporting international freedom of expression and the right to read (anti-censorship).

Every single year of my formal education has been an outstanding challenge. The one exception was a single quarter spent with Dr. Barbara Endicott-Popovsky in the UW’s IMT 551. I was undoubtedly on the edge of my seat during every class because of my excitement concerning the course material. As a young child, I was diagnosed as both gifted and learning-disabled. Like many students with this “twice-exceptional” condition, I have dealt with an unnecessary amount of frustration coming from teachers and mentors. Elementary and middle school teachers repeatedly called me lazy. High school administrators told me not to pursue higher education. Toward the end of my undergraduate degree, my disabilities-support adviser declared me a failure and said that I would only succeed in life as an entrepreneur. These once-frustrating set-backs have not overcome my tenacity.

Due to my academic history, you may not view me as an ideal candidate for a respected tier-one research institution. My twice-exceptional condition is rooted in a physical re-conditioning of my brain, and it forces me to assimilate and process information differently. For example, my team-lead at Big Fish Games told me that he values my feedback when problem-solving because I present unique, useful information. There is no doubt that I have academic weaknesses; however, my cognitive differences also give me uncharacteristic academic strengths. I passionately believe that my differences will aid the MIPM program, from which I clearly see myself graduating successfully.