00:00:00.601-->00:00:07.541
>> Alright, how's everybody
doing? Having a good time?
Alright, how many people here

00:00:07.541-->00:00:12.546
use Tor? Yeah...alright. How
many people trust Tor? No, there
we go! How 'but that, that's

00:00:16.016-->00:00:20.654
good to see. Well, these two
gentleman have been working on a
project that is going to help

00:00:20.654-->00:00:26.994
us, maybe, perhaps, trust Tor a
little bit more. Or at least
find those people that are out

00:00:26.994-->00:00:31.498
there messing around with Tor,
making it untrustworthy. Let's
give these two guys a big round

00:00:31.498-->00:00:36.503
of applause. [applause] >> Thank
you for the introduction. Uh, it
seems that we have problem with

00:00:42.342-->00:00:46.613
the slides not showing up. So,
apparently, they are working on
fixing it. So in the meantime,

00:00:46.613-->00:00:52.619
we are going to start. I'm
Guevara Noubir and this is joint
presentation and work with, uh,

00:00:52.619-->00:00:58.892
Amirali Sanatinia, we both from
Northeastern University. We work
on, uh, developing security,

00:00:58.892-->00:01:04.765
privacy techniques, building
systems to enhance security. We
also interested in, uh,

00:01:04.765-->00:01:11.605
investigating the potential of
attacks on real-world systems
and therefore, this work. So

00:01:11.605-->00:01:16.877
unfortunately, you cannot see
the slides, but the talk is
about something called "Honey

00:01:16.877-->00:01:21.882
Onions" that we developed and it
is about exposing snooping Tor
HSDir relays. And so, this is in

00:01:25.285-->00:01:30.290
the context of Tor, large number
of people use it. Uh, it's quite
popular. Uh, we're interested,

00:01:32.359-->00:01:38.198
so, uh, we're interested in
understanding how many of the
Tor Relays, uh, are misbehaving,

00:01:38.198-->00:01:43.203
these are relays that, uh, host,
uh, what's called hidden
services. And in fact, this

00:01:46.840-->00:01:51.845
issue that we're going to be
talking about, uh, is known to
the Tor people and they've been

00:01:51.845-->00:01:58.051
working on, uh, having long term
solution and also short term
solution. Our interest was in

00:01:58.051-->00:02:02.990
knowing how many today of these
relays are misbehaving. So, uh,
the next slide that can't see,

00:02:06.626-->00:02:12.566
unfortunately, is about "What is
Tor?" Tor is very powerful and
popular tool for enhancing

00:02:12.566-->00:02:17.571
privacy. I personally [inaudible
audience comment]...yeah, so.
Uh, so, uh, so it, uh, I

00:02:22.476-->00:02:26.780
personally, regularly use Tor
anytime, for example, I want to
check something that has to do

00:02:26.780-->00:02:32.019
with help or any when I Google
something, I don't want to have
the whole world know about it,

00:02:32.019-->00:02:37.591
so I use it and I feel that's a,
uh, you know, of all the systems
that exist today, it's really

00:02:37.591-->00:02:43.530
one of the best, uh, systems
that one can use. So maybe one
question to the audience, the

00:02:43.530-->00:02:48.535
first question was, how many of
you know about it. So, how many
of you use it? Ok, fair number.

00:02:52.339-->00:02:57.344
So, how many of you run the
relay? Yeah. Uh, so how many of
you have hidden service?	That's

00:03:03.283-->00:03:08.288
running? Ok. I say, I see, I see
much less numbers. And it could,
uh, mean that, uh, Uh, maybe

00:03:11.591-->00:03:17.831
some of you don't want to even,
uh, disclose this information.
So this work is about showing

00:03:17.831-->00:03:22.269
that, when in fact, you can't,
while you can't trust maybe Tor
about various kind of things,

00:03:22.269-->00:03:27.607
you cannot trust that your
hidden service, uh, the
existence of it is not hidden.

00:03:27.607-->00:03:33.947
Um, and this is the goal of this
work. So Tor provides, uh, two
types of services, that are

00:03:33.947-->00:03:38.952
quite well known. One of them is
that you can browse the Internet
anonymously and says that you

00:03:38.952-->00:03:45.926
can go to some website and the
goal is that, uh, your ISP, the
website, would not know that you

00:03:45.926-->00:03:50.931
are doing so. Type of services,
called hidden services, it
allows one to run, uh, server,

00:03:54.868-->00:04:01.374
uh, website, for example, and,
uh, no one would be able to know
what's this IP address and

00:04:01.374-->00:04:08.181
therefore, it's, uh, physical
location. Uh, so Tor is used by
a large number of people. I

00:04:08.181-->00:04:13.386
think they have over a million
people every day that would use
it. Uh, most of these users are

00:04:13.386-->00:04:20.360
normal users. Uh, so most of
them try to browse the Internet,
don't want to reveal things

00:04:20.360-->00:04:25.799
about themselves. Some people
try to circumvent censorship. So
all these are reasonable

00:04:25.799-->00:04:31.404
applications. You also have fair
number of journalists whenever
they want to communicate with

00:04:31.404-->00:04:36.443
their sources or they want to
access information and they
don't want to reveal that. So

00:04:36.443-->00:04:41.915
that is another type of use of
Tor. You have also activists,
whistle blowers, they don't want

00:04:41.915-->00:04:43.917
to reveal information about, uh,
themselves, who they're talking
to, what information is being

00:04:43.917-->00:04:45.919
shared, uh, you also have law
enforcement and military use.
Uh, you know they reveal

00:04:45.919-->00:04:50.924
information, but what they're
doing, they also, uh, um,
sometimes they also want to hide

00:05:00.300-->00:05:05.639
amount the group of larger
people who are much more normal.
And also you have obviously

00:05:05.639-->00:05:10.644
criminals who use Tor their
activities. Um, uh, in fact, I
don't see slides, but, so the

00:05:17.050-->00:05:23.857
next one is about hidden
services. Hidden service is
basically, uh, this capability

00:05:23.857-->00:05:28.862
of being able to run this
website Tor server and hide
physical location. It has other

00:05:32.098-->00:05:38.205
side effects that are quite
interesting. One of them is by
writing your website as a hidden

00:05:38.205-->00:05:42.742
service, you can hide, you,
you'll have the self
authentication. You don't need

00:05:42.742-->00:05:47.380
certificates, because they're on
an address itself, uh, includes
information by the public key

00:05:47.380-->00:05:54.321
and allows you to self
authenticate. It allows you also
to have end-to-end encryption.

00:05:54.321-->00:05:59.326
And there are many systems,
besides websites, that use uh,
um, Tor hidden services. Secure

00:06:01.328-->00:06:07.968
Drop, for example, used by the
New Yorker or the Guardian
allows one to communicate with

00:06:07.968-->00:06:13.473
journalists and provide
information to journalists. But
even mainstream systes like

00:06:13.473-->00:06:20.180
Facebook, they have, uh, hidden
service. Um, you have also
applications like Ricochet that

00:06:20.180-->00:06:25.752
allows secure messaging and
every client runs a hidden
service so you can hide the

00:06:25.752-->00:06:30.757
identity, the clients, whose
talking to whom and they also
get rid of central entities. You

00:06:33.393-->00:06:39.099
also have other types of people
who use it like the Silk Road,
for example, ran as uh a hidden

00:06:39.099-->00:06:44.971
service, you have ransomware
like Cryto Locker used hidden
services so that they could hide

00:06:44.971-->00:06:49.476
the location of the server that
collects the bit coins that
people would have to pay. So

00:06:49.476-->00:06:54.481
there's a variety of people who
use it. Um, so, maybe to also
clarify, you know, for this

00:06:56.850-->00:07:01.788
talk, so Tor claims to have set
of uh, um, of a, properties, but
it does not really claim, for

00:07:06.059-->00:07:09.996
example, that these will give
you, if you go use the Tor
browser, you don't have any

00:07:09.996-->00:07:14.834
guarantee that you have
end-to-end encryption. Because
if you just browse a website

00:07:14.834-->00:07:21.574
that is, uh, does not have
https, any traffic going from
the exit node would be, uh, in

00:07:21.574-->00:07:28.081
the clear. Uh, for hidden
services, when you create hidden
service, there's no guarantee

00:07:28.081-->00:07:30.083
for you that that hidden
service, it's existence, is
protected. Uh, Tor aims at, uh,

00:07:30.083-->00:07:32.085
at least in what's they have in
system today is that, you can't
really tell where is the

00:07:32.085-->00:07:37.090
location, but not the fact that
it exists. And this work was
about finding out, uh, you know,

00:07:46.766-->00:07:52.372
how many relays misbehaved, try
to get this information as an
indicator of other malicious

00:07:52.372-->00:07:57.377
activities. Uh, within the space
of, uh, in general looking at,
uh, privacy infrastructure and

00:08:00.046-->00:08:05.051
attacks on it, uh, so, uh,
whenever you have a privacy
infrastructure, uh, various kind

00:08:08.221-->00:08:13.226
of entities try to attack it
maybe to reduce it's popularity
or, uh, to misuse it. I mean

00:08:15.462-->00:08:20.934
cryptography, in general, use
for good things, lot of people
try also to misuse it. And there

00:08:20.934-->00:08:27.040
has been work related to this
trying to find how many of the
HSDir relays would be snooping

00:08:27.040-->00:08:32.045
into the traffic of users. Which
is different from what we are,
uh, doing. Uh, other work looked

00:08:34.714-->00:08:39.619
into all these hidden services,
what kind of information, what
kind of content do they have?

00:08:39.619-->00:08:44.624
Um, so here, what we want to
know is out of the Tor relays,
the subset of them that can

00:08:47.260-->00:08:52.265
serve as, uh, HSDir flag,
therefore, they host descriptors
about hidden services. How many

00:08:55.335-->00:09:00.974
of them, uh, are misbehaving?
And misbehaving, meaning that
they log information that

00:09:00.974-->00:09:05.445
they're not supposed to do, so
whoever is running, they
modified the code to be able to

00:09:05.445-->00:09:10.316
log this information. And later
on they might visit, uh, these
websites. And as I mentioned,

00:09:10.316-->00:09:14.287
this is, uh, a problem that is
known to Tor people and have
been working on resolving and

00:09:14.287-->00:09:20.026
they have other techniques that
they use to identify these
misbehavior relays. Our

00:09:20.026-->00:09:26.933
techniques have the advantage
that we can cover larger scale
of, uh, misbehaving devices. So

00:09:26.933-->00:09:31.404
this is not really about like
breaking the privacy of Tor if
you browse some place, but more

00:09:31.404-->00:09:36.409
about the hidden service
existence. The questions we try
to address, there are four of

00:09:38.511-->00:09:44.784
them. The first one is, "How
many of the Tor relays are
misbehaving in the sense that I

00:09:44.784-->00:09:49.789
defined?" [audience applause]
That makes my life easier. So
there are four questions we try

00:09:56.996-->00:10:02.469
to address. One of them is, "How
many of them are misbehaving?"
And if you could have a small

00:10:02.469-->00:10:07.340
number, the lower bound of that
number, we have an idea, but how
much misbehavior is happening in

00:10:07.340-->00:10:12.178
Tor. The next thing is that,
"Which one of them are
snooping?" And trying to find

00:10:12.178-->00:10:17.917
out, uh, information that
they're not supposed to collect.
The third one, "What do they

00:10:17.917-->00:10:22.455
really do, how much, are they
just collecting information, do
they try to attack, uh, are they

00:10:22.455-->00:10:27.460
aggressive or not?" And the last
one is, "Why they are really?"
Besides, uh, what relay and what

00:10:30.730-->00:10:36.402
IP addresses. So we have
addressed mostly the first two
questions and a little bit of

00:10:36.402-->00:10:40.807
the third one, uh, the last one
with really who they are, that
won't really solve and this

00:10:40.807-->00:10:42.809
might be, you know, nice
community for looking into that
and pushing this war to the next

00:10:42.809-->00:10:44.811
stage. So, I'll first maybe I'll
explain a little bit how hidden
services work. Uh, this diagram

00:10:44.811-->00:10:46.813
somehow summarizes that. So to
run hidden service, what you do,
you pick a random public key.

00:10:46.813-->00:10:48.815
Some people will go and select
one that will end up in an onion
address that they prefer, like

00:10:48.815-->00:10:53.820
Facebook has a nice one. But
typically you pick a random
public private key. You hash the

00:11:15.642-->00:11:22.582
public key in specific way that
gives you the dot onion address.
Then what you do, you pick a

00:11:22.582-->00:11:28.221
subset of the relays, what's
called introduction point, few
of them, and you setup a Tor

00:11:28.221-->00:11:35.161
circuit to them. These
introductions points will help,
um, people come back to you

00:11:35.161-->00:11:40.166
later on. Then you hash your dot
onion address with time
information and other things and

00:11:43.102-->00:11:48.107
that gives you descriptor. A
descriptor ID. And, uh, it also
tells you, which relays with the

00:11:50.944-->00:11:57.650
HSDir flag you should put this
descriptor information with. And
you can have, find two, and you

00:11:57.650-->00:12:02.589
end up with a set of six relays
with the HSDir flag where you
put your information. Now, on

00:12:05.692-->00:12:10.296
the other hand, at the same
time, you give your dot Onion
address to whoever you want to

00:12:10.296-->00:12:16.970
communicate with you. And that's
in a, and then in step three,
this client, he'll take the dot

00:12:16.970-->00:12:23.042
Onion address and he will hash
it the same way you did and
every day's gonna give him the

00:12:23.042-->00:12:29.115
descriptor IDs that will tell
him which HSDir relays he should
come to. So in step three, he

00:12:29.115-->00:12:34.387
will go to these relays and ask
them what are the introduction
points to be able to talk to

00:12:34.387-->00:12:40.927
this hidden service. In step
four, the client will also
select something called the

00:12:40.927-->00:12:45.932
rendezvous point. Some other
relay, he sets up a circuit to
it...relays with the HSDir flag,

00:13:17.330-->00:13:23.436
which one of them are
misbehaving in the sense that I
defined earlier? So now going

00:13:23.436-->00:13:28.441
back to, uh, just a little bit
more specific about HSDir. So
you have, uh, these relays, they

00:13:31.611-->00:13:36.616
have identifiers, uh and that
will show up in something called
the ring of HSDir identifiers.

00:13:39.152-->00:13:44.157
And your Onion address, once you
hash it, gives you this
descriptor ID and you find the

00:13:46.693-->00:13:51.698
first HSDir after the descriptor
ID and you pick the first three,
mean the first one, second and

00:13:54.033-->00:13:59.038
third and then you hash it again
in a different way and it gives
you another descriptor ID and

00:13:59.038-->00:14:04.510
then you find the other two or
the other three after that and
you have now three and three

00:14:04.510-->00:14:11.484
relays that, uh, will host
information how you would be
reached. The reason why it

00:14:11.484-->00:14:15.988
changes everyday and you take
more than one is to put, to have
reliability and protect against

00:14:15.988-->00:14:20.927
denial of service. Such that, is
you're always hosting your
information same location,

00:14:20.927-->00:14:25.031
someone who's, uh, who wants to
block you, he might have that
information and won't serve it

00:14:25.031-->00:14:32.004
to anyone. Uh, the side effect
is that whenever they host that
information, they can log it and

00:14:32.004-->00:14:37.009
they can go visit your, um,
HSDir, um your system that you
don't want to leak. So our

00:14:39.445-->00:14:44.150
system, how to detect whose
misbehaving, the idea is quite
simple. We can create a large

00:14:44.150-->00:14:50.089
number of these things, we call
Honey Onions, like Honey Pot.
Uh, we set them up in a secure

00:14:50.089-->00:14:54.360
way and sense that we, we follow
all the instructiones that they
are not going to leak. We don't

00:14:54.360-->00:15:01.234
tell anyone about them. We know
that if someone comes visit our
service, then whoever had the

00:15:01.234-->00:15:05.905
information leaked it. He logged
it and maybe gave it to someone
and leaked it. So that is the

00:15:05.905-->00:15:10.910
fundamental idea. But it is not
that trivial because
informatione everyday, you're

00:15:10.910-->00:15:15.982
gonna give it to six people. Or
six relays. So it could be any
of the six. So you'll have to

00:15:15.982-->00:15:22.722
find out who out of the six.
Since we want to look at the
global scale, we generate

00:15:22.722-->00:15:27.727
several batches. Everyday we
generate some number. Every week
another number and every month,

00:15:29.929-->00:15:36.135
uh, another batch. The reason
for this that some of them will
collect these Onion addresses,

00:15:36.135-->00:15:41.340
but they won't visit them
immediately. They will wait for
few days to confuse us that it

00:15:41.340-->00:15:46.345
might be someone else. So we
could compute that we need
fifteen hundred, uh, Onion to be

00:15:49.148-->00:15:55.388
able to cover 95 percent of
these relays. So everyday we
generate fifteen hundred, every

00:15:55.388-->00:16:00.326
week fifteen hundred and every
month fifteen hundred. And, um,
and then we see who's visiting.

00:16:02.995-->00:16:08.401
Some of you remember there was a
peak in the Tor number of hidden
services. So I don't have time

00:16:08.401-->00:16:14.006
to come out to that, but it is
not us, um, for various reasons,
but, I mean, that number was

00:16:14.006-->00:16:19.245
much larger than what we
generated. We generated, at any
node, we had forty-fiver hundred

00:16:19.245-->00:16:24.450
onions in the system. So before
I bore you a little bit with
some math, I just show you, the

00:16:24.450-->00:16:29.455
reason for [audience laughter],
so we choose this name Honey
Onion, because it made sense.

00:16:31.924-->00:16:36.696
Then we Googled it a little bit
and we found that, oh, it has
meaning. And it was in fact

00:16:36.696-->00:16:42.034
quite interesting that the
meaning really matched what we
were doing, so, so we couldn't

00:16:42.034-->00:16:47.039
resist using it, um, um. So,
how, um, how do you find out
who's misbehaving? The idea is

00:16:50.243-->00:16:56.716
quite, again, so, we create the
honion, we put it on six places,
if one of those misbehaving, we

00:16:56.716-->00:17:02.722
know that one of the six is bad.
But then, as we create more,
they might end up in different

00:17:02.722-->00:17:09.195
locations and now we have that
for these two honion, the
visits, there are two people who

00:17:09.195-->00:17:14.867
could explain it. Uh and then
later on we put more and you can
tell with these maybe not going,

00:17:14.867-->00:17:18.671
depending on the assumption and
so on, you can see that there is
some, maybe possible way how to

00:17:18.671-->00:17:24.143
one could find out who is
misbehaving. So, the
architecture of systems that we

00:17:24.143-->00:17:29.181
built, in step 1, you generate
all these Honions that we gonna
place. Uh, on these, uh,

00:17:31.584-->00:17:36.589
servers. jThen some of them get
visited whenever there is a
visit, it gives us information,

00:17:38.724-->00:17:43.729
uh, that all who knew about it
should become suspicous. We put
them in some graph that we built

00:17:45.831-->00:17:50.202
that's called a bipartite graph,
that has nodes that correspond
to honions and nodes that can

00:17:50.202-->00:17:55.207
respond to relays and whenever
there's a visit for the honion,
we we put all the edges to all

00:17:57.810-->00:18:03.950
the relays that had this
information. So since I'm
running a little out of time, so

00:18:03.950-->00:18:08.554
maybe get to what we exactly
did, so I'm not maybe going to
talk about details of the math.

00:18:08.554-->00:18:14.260
The first thing is that we
wanted to know what is the
smallest set of suspicous of

00:18:14.260-->00:18:19.265
relays that could explain the
visits that we see. That will
tell us the lower bound on how

00:18:21.400-->00:18:26.105
many of these relays are
misbehaving. If you find the
smallest set that explains the

00:18:26.105-->00:18:31.644
visit, we know that there should
be more than that that are
misbehaving and there's a way to

00:18:31.644-->00:18:36.382
formulate it, which I'm going to
skip maybe that math. The, uh,
this is not necessarily a

00:18:36.382-->00:18:42.521
trivial problem, there's some
heuristics that could, um, give
some approximation and we could

00:18:42.521-->00:18:47.626
formulate this as something
called integer linear program,
where basically to each relay

00:18:47.626-->00:18:53.466
we're going to give some
variable, either zero or one.
One meaning that it is malicious

00:18:53.466-->00:18:58.471
and we want to minimize some of
these x i's, that uh, you find
the smallest set, but we need to

00:19:00.706-->00:19:05.711
explain every visit. Uh and this
can be solved with something
called a ILP Solver. And before

00:19:09.281-->00:19:14.854
we tell you what we found, why
we trusted this sol-, this
technique, uh, works, uh,

00:19:14.854-->00:19:19.759
reasonably well. Well, uh, so we
also did some simulations,
selecting some of these to, uh

00:19:19.759-->00:19:22.028
malicious and so on and so you
see that, uh, we can get between
ninety-seven percent accuracy

00:19:22.028-->00:19:27.033
to, uh, eighty-one assuming,
eighty-one means that there was
a significant number of

00:19:32.471-->00:19:36.375
malicious ones. So now I'm going
to pass the token to Amirali
whose going to tell you the

00:19:36.375-->00:19:42.114
results of the experiment. >> So
good thing the slides are back,
because otherwise I didn't have

00:19:42.114-->00:19:48.220
much to talk about. Uh, here we
can see under from left to right
on the bottom you can see our

00:19:48.220-->00:19:53.426
schedules for daily, weekly and
monthly visits and the reason
behind having three schedules is

00:19:53.426-->00:20:00.199
if adversary visits a honion,
immediately we can catch them in
our daily, but if uh, but if

00:20:00.199-->00:20:05.171
they would wait for "y", then
they wouldn't show up in the
daily, but we can still spot

00:20:05.171-->00:20:10.409
them in the weekly and monthly.
Uh, the other thing as was
mentioned by Guevara, the rise

00:20:10.409-->00:20:16.649
in the number of Onion services,
the only, at each point in time,
you're only at forty-five

00:20:16.649-->00:20:22.988
hundred, but the number of
increasing honion addresses was
at least more than a magnitude

00:20:22.988-->00:20:29.428
much more than what we had. So
we are sure it is not us. And we
started our experiments on

00:20:29.428-->00:20:33.432
February twelfth and most of the
results, as we explained, are
based on the seventy-two days

00:20:33.432-->00:20:38.104
that we are running this
experiment although we have them
for further and we discuss them

00:20:38.104-->00:20:43.109
later. Um, we are sure that the
visits are not a result of the
rise in the number of onion

00:20:45.344-->00:20:48.147
addresses, because, uh, the
increase was happening on
eighteenth of February and we

00:20:48.147-->00:20:50.149
can still see visits even
happening on twelve and thirteen
of February. So it happened

00:20:50.149-->00:20:57.056
before the increase. The other
thing to mention in the daily
graph, you see there are not

00:20:57.056-->00:21:01.994
many visits during the peak and
one of the reasons is that to
get the HSDir flag, it would

00:21:05.731-->00:21:11.337
take ninety-six hours or four
days, so after people saw there
are a lot of new onion

00:21:11.337-->00:21:16.675
addresses, they probably setup
new relays and took them four
days to get the HSDir flag. And

00:21:16.675-->00:21:21.747
after that, they started
probing. The other things that
you see more visits on weekly

00:21:21.747-->00:21:26.418
and monthly, because they are
running for longer times, so,
uh, this adversaries or the

00:21:26.418-->00:21:31.423
malicious HSDir had more time to
visit them. And this is an
example of a typical

00:21:35.561-->00:21:42.334
connectivity graph that we have,
for example, uh, the gray
circles in the middle are the

00:21:42.334-->00:21:48.607
honions. The visited honions.
And the black ones above them
are the HSDir's that are picked

00:21:48.607-->00:21:55.147
by ILP and that explain the
visits. All the other colorful,
uh, nodes are the other HSDir

00:21:55.147-->00:22:00.152
who have been hosting these
honions. As you can see, for
example, for the one in the

00:22:00.152-->00:22:06.392
orange one, the top right, that
one is more trivial to peak,
because you only have one HSDir

00:22:06.392-->00:22:11.397
who visits, both of you are
honions. But the power of ILP
really comes in the cases with

00:22:13.532-->00:22:18.037
the purple one, top left, then
you have many HSDir who have
been hosting many of the visited

00:22:18.037-->00:22:23.008
honions, but you want to know
what is the lure about or who
are the most likely HSDirs and

00:22:23.008-->00:22:28.781
that where really our technique
and ILP comes to power. And we
can peak these four and identify

00:22:28.781-->00:22:35.387
these are the most likely,
suspicious, HSDirS. Oh and
apparently we are running out of

00:22:35.387-->00:22:41.193
time. So, uh, the snooping
behavior, we saw some of them
visiting everything, the

00:22:41.193-->00:22:46.999
variables on Alibaba. Alibaba
this one visiting most of the
honions and the Tor people

00:22:46.999-->00:22:52.037
identified, they also identified
them, we talked to Tor people
and after awhile they become

00:22:52.037-->00:22:57.076
more advance and they delay
their visit. The top, uh, the
bottom left graph. And the

00:22:57.076-->00:23:01.413
geographical location we mostly
see them in Europe and Northern
America is because Tor is more

00:23:01.413-->00:23:06.352
and it's also representive of
the user of Tor. You don't have
it much in Middle East and China

00:23:06.352-->00:23:10.623
because it's mostly blocked and
this location doesn't
necessarily mean these are the

00:23:10.623-->00:23:14.760
countries who are snooping.
These are the relays that are
located in this country. Not the

00:23:14.760-->00:23:19.632
country themselves. And to give
you more statistic, more than
half of them are hosting on

00:23:19.632-->00:23:24.470
Cloud infrastructure and they
also have the exit flag about
twenty-fiver person, which is

00:23:24.470-->00:23:30.042
much more than what you would
have. Uh, and some of them are
doing some attacks and some of

00:23:30.042-->00:23:35.047
them are less aggressive.
[applause] >> So maybe just one
final comment, so since we've

00:23:45.924-->00:23:52.498
done this work, in fact, uh,
whoever was snooping, changed
their behavior and now in fact

00:23:52.498-->00:23:56.669
you can see that most of them
delay, they don't really visit
quite immediately. They wait for

00:23:56.669-->00:24:01.240
days and sometimes weeks for
them to visit. So is still an
interesting problem. Think we'll

00:24:01.240-->00:24:06.245
stop here, sorry that we
couldn't really talk about the
last part in detail. [applause]