[tahoe-dev] Tahoe-LAFS plus anonymizing transports Fwd: [liberationtech] ANNOUNCING Tahoe, the Least-Authority File System, v1.8.2

[Zooko O'Whielacronx]

Folks:

I posted the Tahoe-LAFS v1.8.2 release announcement on the
liberation-tech mailing list:

https://mailman.stanford.edu/mailman/listinfo/liberationtech

Which is the mailing list associated with a Stanford University
project exploring the effects of anti-censorship technology on
society. A journalist named Rebecca MacKinnon expressed interest so I
wrote the following summary for that list.

Regards,

Zooko

---------- Forwarded message ----------
From: Zooko O'Whielacronx <zooko at zooko.com>
Date: Sat, Feb 5, 2011 at 5:35 PM
Subject: Re: [liberationtech] ANNOUNCING Tahoe, the Least-Authority
File System, v1.8.2
To: Rebecca MacKinnon <rebecca.mackinnon at gmail.com>
Cc: liberationtech at lists.stanford.edu


On Wed, Feb 2, 2011 at 8:28 AM, Rebecca MacKinnon
<rebecca.mackinnon at gmail.com> wrote:
> This sounds great. Thanks for sharing.
> As a non-techie I would love to know what others on the list think of it.

Thanks for the interest, Rebecca MacKinnon.

I should hasten to add that Tahoe-LAFS was not designed with
censorship-resistance in mind. Tahoe-LAFS's security properties are
focussed on the data: we make it very difficult for anyone, even a
sophisticated and well-funded power, to delete data, forge data, or
read data that was not intended for them.

However, we make no attempt at "anonymity"—to hide who is uploading,
downloading, or hosting the data, or which files they are using (but
Tahoe-LAFS does conceal the *contents* of the files from unauthorized
readers). Instead of trying to obscure the relationship between the
client to the server, we just use direct TCP connections.

We do have one feature which lends itself to circumventing censorship,
which is that the data is spread over multiple servers so that if some
of the servers are unreachable you can retrieve the data from the
others. This is similar to the effect that you get by replicating the
data—uploading a copy of it to each of several different servers—but
it is much more efficient in terms of upload bandwidth and server-side
storage.

Also, perhaps more importantly, the "unforgeability" guarantee that
Tahoe-LAFS provides is independent of the behavior of the storage
servers, so you can spread the data across many separate servers
without risking forged data, even if some of the servers turn out to
be malicious or get taken over by malicious parties.

Now at the dawn of the Tahoe-LAFS project in 2006, we decided not to
try to include anonymity features because we knew from experience how
difficult those can be to do right. I hoped at the time that people
would eventually combine Tahoe-LAFS with anonymizing and circumventing
transport layers, and I'm happy to see that almost five years later
that has started happening—there are at least three different projects
in progress to combine Tahoe-LAFS with three different anonymizing
transports:

Tor:
http://tahoe-lafs.org/trac/tahoe-lafs/ticket/1349

I2P:
http://duck.i2p.tin0.de/

anonymous-proxy-servers.net:
http://anonymous-proxy-servers.net/wiki/index.php/Tahoe-lafs-setup

N.B. I do not know much about the latter two. I understand Tor well
enough and know enough about its developers to have a degree of
confidence in the security that it offers, but I haven't studied the
latter two yet.

Regards,

Zooko