Interview of Lunar ("Past and future challenges for Tor")

Friday 20 June 2014

RMLL: Hello Lunar (lunar@torproject.org), you’re coming to RMLL to speak about the Tor project. First, could you introduce yourself briefly?

Lunar: I wrote my first code snippets around seven. Not long after, my first server was up and running behind a Minitel (French home network experiment with dumb terminals during the 80’s and 90’s). Since then, I never really stopped hacking communications tools. I grew up at the time when computing was getting its place in our lives. And we can say I am not fond of the resulting world we’re currently living in.

RMLL: Could you say a few words about your involvement in the Free Software movement, from its discovery to now: your "career", your past motivations and your current ones, if they have evolved?

Lunar: I first met Free Software in 1996. At the time, free software and the Internet were still inseparable. It quickly becomes obvious to use libre Unix OSes when you have no income and still want to participate in the Net. Then discovering the community helps you learn a lot. My involvement as a volunteer became more and more important. I officially became a Debian Developer in 2007.

I always got upset at having to bend to the needs of a computer; I prefer to bend it to my needs. On this ground, it quickly became obvious that I needed to be able to modify the software I’m using.

Beyond that, for a while, a few of us have thought of Free Software as a medium for social change. Sure, mutual aid within communities of free creation is remarkable and moves the production process outside the traditional capitalist patterns, but obviously it does not look like Linux is going to end poverty. There is now free software in every house and pocket, and we are just seeing ever-increasing inequalities.

Nowadays, my ambitions are more modest, but perhaps more crucial: I just wish that disobedience is possible in this world of pervasive surveillance.
Being able to build communications tools that we control, rather than tools that control us, is only possible by writing and using Free Software.

RMLL: Which projects do you currently work on most? What kind of position do you occupy in these projects: developer, community manager, team leader, etc.?

Lunar: Tor takes most of my time. In various forms: support, the weekly newsletter, automation of some tasks when possible, documentation, conferences and sometimes bits of code...

I stay active on the Debian side, where I maintain Tor-related packages and also several Ruby packages required by Coquelicot, an application I wrote to be able to share files easily.

Following the example given with the Tor Browser, I also started the initiative to make Debian package builds reproducible. The underlying idea is to ensure that the binary produced by the compiler matches the original source code. It is important for the security of the entire ecosystem because we can audit source code more easily than binaries.

RMLL: Let’s focus on Tor: how did you get interested in this project? What have been your contributions? Do you focus on the client side, on architecture, or do you invest yourself in all aspects of the project?

Lunar: Tor is a vast ecosystem. Beyond trainings, my first contribution was done in 2009 using my Haskell skills to update TorDNSEL - the software used to request the list of exit nodes - in order to make this software run under Debian Lenny. Since then, I try to be active in the community where it seems to be useful. To give some examples:

Last year, I saw that on the mailing lists the number of messages was just too large for most active contributors to be able to read everything and still contribute. The idea of Tor Weekly News was born, a weekly newsletter which gives news about the community.
When, with some other volunteers, we founded Nos oignons, a non-profit organization in France to manage some Tor exit nodes, I spent time finding a graphical representation that makes it possible to better visualize the network diversity in terms of countries, operators and networks. This allows choosing more accurately the hosting companies to deal with.

The EFF had done a very useful infographic to explain the relation between Tor and HTTPS. Sadly, it was only in English. Recently, after having grabbed the source, I could use free technologies to make it easy to integrate into other docs and to translate. It is now available in 24 languages and it properly displays right-to-left writing.

RMLL: Open source security projects have recently suffered from important vulnerabilities. This sheds light on the low number of developers involved in the development and the code review of these projects. In addition, several NSA attempts to weaken cryptographic security were disclosed. Finally, we saw with TrueCrypt that those projects run with very few contributors who can let go and leave the project orphaned of its developers. In your opinion, could Tor suffer from such risks and, if so, how can Tor protect itself from such risks?

Lunar: Tor is one of the few open source projects where I felt that the code was actually audited by people outside of the development team. We get regular bug reports pointing out some slightly dangerous code structure, or even a weak implementation. Design is scrutinized by all research teams who are interested in anonymity. Tor is the most deployed network; it has become a must in the academic world.

Unlike TrueCrypt, Tor is "true" free software with an open development community. Even if the number of developers able to understand the entire ecosystem is a concern compared to the overall workload, patches are regularly sent by volunteers.
One of the challenges for the project is funding and, more generally, how to continuously face the ever-increasing workload. For now, a lot of the funding is coming from sponsors. These rarely cover maintenance and work for limited time periods. An increase of the share of regular donations from individuals or companies would greatly stabilize the project.

RMLL: Last question about Tor: nowadays we often read articles reporting completely wrong figures about Tor or focusing only on its negative uses (malware, botnets, etc.). What is the position of the project about these attacks: not answering, communicating, doing some work to minimize the potentially negative uses, etc.?

Lunar: The media generally look to sell, and therefore want "sensational" news. This has led to many hastily written articles. At the same time, it may give a chance for people to discover Tor and how it can help them to be protected against surveillance - from a violent partner, for instance.

In the case of malware and botnets, we are actively working with qualified people to try to reduce the impact on the network and on people. We prefer to see the capabilities of the network used by well-intentioned people.

Anyway, whenever I read an article lying openly, I remember those people who have told us that it was probably thanks to Tor that they were still alive.

RMLL: You are presenting "Past and Future Challenges for Tor" in the 2014 RMLL / LSM Security track this year. What are your expectations for this talk and, more widely, for this fifteenth RMLL / LSM?

Lunar: "Anonymity is hard." We often repeat it because the problems raised by such networks are often much more complex than they look at first sight. Many decisions are compromises and it is often difficult to assess the impact. I hope the presentation will familiarize more people with the problems we encountered and that it will encourage the most curious of them to help us solve present and future problems.
RMLL: Thank you very much for having participated in this interview, Lunar, and see you @ 2014 RMLL for your Tor talk.

Interview done by email in June 2014 by Christophe Brocas, translated by Christophe Brocas, Lunar and Philippe Teuwen.