cleanup, fix references

svn:r8941

2 files changed, 70 insertions, 37 deletions

diff --git a/doc/design-paper/blocking.tex b/doc/design-paper/blocking.tex
index 1168cd4839..7decfc4235 100644
--- a/doc/design-paper/blocking.tex
+++ b/doc/design-paper/blocking.tex
@@ -49,7 +49,7 @@ by government-level attackers.
 
 Anonymizing networks like Tor~\cite{tor-design} bounce traffic around a
 network of encrypting relays.  Unlike encryption, which hides only {\it what}
-is said, these network also aim to hide who is communicating with whom, which
+is said, these networks also aim to hide who is communicating with whom, which
 users are using which websites, and similar relations.  These systems have a
 broad range of users, including ordinary citizens who want to avoid being
 profiled for targeted advertisements, corporations who don't want to reveal
@@ -71,8 +71,9 @@ less for its anonymity properties than for its censorship
 resistance properties---if they use Tor to access Internet sites like
 Wikipedia
 and Blogspot, they are no longer affected by local censorship
-and firewall rules. In fact, an informal user study (described in
-Appendix~\ref{app:geoip}) showed China as the third largest user base
+and firewall rules. In fact, an informal user study
+%(described in Appendix~\ref{app:geoip})
+showed China as the third largest user base
 for Tor clients, with perhaps ten thousand people accessing the Tor
 network from China each day.
 
@@ -112,7 +113,7 @@ security implications; ..... %write the rest.
 To design an effective anticensorship tool, we need a good model for the
 goals and resources of the censors we are evading.  Otherwise, we risk
 spending our effort on keeping the adversaries from doing things they have no
-interest in doing and thwarting techniques they do not use.
+interest in doing, and thwarting techniques they do not use.
 The history of blocking-resistance designs is littered with conflicting
 assumptions about what adversaries to expect and what problems are
 in the critical path to a solution. Here we describe our best
@@ -123,7 +124,7 @@ attacker---if we can defend against this attacker, we inherit protection
 against weaker attackers as well.  After all, we want a general design
 that will work for citizens of China, Iran, Thailand, and other censored
 countries; for
-whistleblowers in firewalled corporate network; and for people in
+whistleblowers in firewalled corporate networks; and for people in
 unanticipated oppressive situations. In fact, by designing with
 a variety of adversaries in mind, we can take advantage of the fact that
 adversaries will be in different stages of the arms race at each location,
@@ -131,7 +132,7 @@ so a server blocked in one locale can still be useful in others.
 
 We assume that the attackers' goals are somewhat complex.
 \begin{tightlist}
-\item The attacker would like to restrict the flow of certain kinds
+\item The attacker would like to restrict the flow of certain kinds of
   information, particularly when this information is seen as embarrassing to
   those in power (such as information about rights violations or corruption),
   or when it enables or encourages others to oppose them effectively (such as
@@ -142,10 +143,11 @@ We assume that the attackers' goals are somewhat complex.
 \item Usually, censors make a token attempt to block a few sites for
   obscenity, blasphemy, and so on, but their efforts here are mainly for
   show.
-\item Complete blocking (where nobody at all can ever download) is not a
+\item Complete blocking (where nobody at all can ever download censored
+  content) is not a
   goal. Attackers typically recognize that perfect censorship is not only
   impossible, but unnecessary: if ``undesirable'' information is known only
-  to a small few, resources can be focused elsewhere
+  to a small few, further censoring efforts can be focused elsewhere.
 \item Similarly, the censors are not attempting to shut down or block {\it
   every} anticensorship tool---merely the tools that are popular and
   effective (because these tools impede the censors' information restriction
@@ -167,8 +169,9 @@ We assume that the attackers' goals are somewhat complex.
   greater danger than consumers; the attacker would like to not only block
   their work, but identify them for reprisal.
 \item The censors (or their governments) would like to have a working, useful
-  Internet. Otherwise, they could simply ``censor'' the Internet by outlawing
-  it entirely, or blocking access to all but a tiny list of sites.
+  Internet. There are economic, political, and social factors that prevent
+  them from ``censoring'' the Internet by outlawing it entirely, or by
+  blocking access to all but a tiny list of sites.
   Nevertheless, the censors {\it are} willing to block innocuous content
   (like the bulk of a newspaper's reporting) in order to censor other content
   distributed through the same channels (like that newspaper's coverage of
@@ -194,7 +197,7 @@ connection~\cite{clayton:pet2006}.  Against an adversary who could carefully
 examine the contents of every packet and correlate the packets in every
 stream on the network, we would need some stronger mechanism such as
 steganography, which introduces its own
-problems~\cite{active-wardens,tcpstego,bar}.  But we make a ``weak
+problems~\cite{active-wardens,tcpstego}.  But we make a ``weak
 steganography'' assumption here: to remain unblocked, it is necessary to
 remain unobservable only by computational resources on par with a modern
 router, firewall, proxy, or IDS.
@@ -203,7 +206,7 @@ We assume that while various different regimes can coordinate and share
 notes, there will be a time lag between one attacker learning how to overcome
 a facet of our design and other attackers picking it up.  (The most common
 vector of transmission seems to be commercial providers of censorship tools:
-once a provider add a feature to meet one country's needs or requests, the
+once a provider adds a feature to meet one country's needs or requests, the
 feature is available to all of the provider's customers.)  Conversely, we
 assume that insider attacks become a higher risk only after the early stages
 of network development, once the system has reached a certain level of
@@ -225,7 +228,8 @@ we can do about this issue.
 We assume that the attacker may be able to use political and economic
 resources to secure the cooperation of extraterritorial or multinational
 corporations and entities in investigating information sources.  For example,
-the censors can threaten the hosts of troublesome blogs with economic
+the censors can threaten the service providers of troublesome blogs
+with economic
 reprisals if they do not reveal the authors' identities.
 
 We assume that the user will be able to fetch a genuine
@@ -266,15 +270,17 @@ from volunteering a relay in order to learn that Alice is reading
 or posting to certain websites. The third property helps keep users safe from
 collaborating websites: consider websites and other Internet services 
 that have been pressured
-recently into revealing the identity of bloggers~\cite{arrested-bloggers}
+recently into revealing the identity of bloggers
+%~\cite{arrested-bloggers}
 or treating clients differently depending on their network
-location~\cite{google-geolocation}.
-% and cite{goodell-syverson06} once it's finalized.
+location~\cite{goodell-syverson06}.
+%~\cite{google-geolocation}.
 
 The Tor design provides other features as well that are not typically
 present in manual or ad hoc circumvention techniques.
 
-First, Tor has a fairly mature way to distribute information about servers.
+First, Tor has a well-analyzed and well-understood way to distribute
+information about servers.
 Tor directory authorities automatically aggregate, test,
 and publish signed summaries of the available Tor routers. Tor clients
 can fetch these summaries to learn which routers are available and
@@ -340,7 +346,8 @@ Sixth, Tor has an established user base of hundreds of
 thousands of people from around the world. This diversity of
 users contributes to sustainability as above: Tor is used by
 ordinary citizens, activists, corporations, law enforcement, and
-even government and military users~\cite{tor-use-cases}, and they can
+even government and military users\footnote{http://tor.eff.org/overview},
+and they can
 only achieve their security goals by blending together in the same
 network~\cite{econymics,usability:weis2006}. This user base also provides
 something else: hundreds of thousands of different and often-changing
@@ -351,9 +358,10 @@ single server from linking users to their communication partners.  Despite
 initial appearances, {\it distributed-trust anonymity is critical for
 anticensorship efforts}.  If any single server can expose dissident bloggers
 or compile a list of users' behavior, the censors can profitably compromise
-that server's operator applying economic pressure to their employers,
+that server's operator, perhaps by  applying economic pressure to their
+employers,
 breaking into their computer, pressuring their family (if they have relatives
-in the censored area), or so on.  Furthermore, in systems where any relay can
+in the censored area), or so on.  Furthermore, in designs where any relay can
 expose its users, the censors can spread suspicion that they are running some
 of the relays and use this belief to chill use of the network.
 
@@ -497,10 +505,12 @@ first introduction into the Tor network.
 
 \subsection{Blocking resistance and JAP}
 
-K\"{o}psell's Blocking Resistance design~\cite{koepsell:wpes2004} is probably
+K\"{o}psell and Hilling's Blocking Resistance
+design~\cite{koepsell:wpes2004} is probably
 the closest related work, and is the starting point for the design in this
-paper.  In this design, the JAP anonymity system is used as a base instead of
-Tor.  Volunteers operate a large number of access points to the core JAP
+paper.  In this design, the JAP anonymity system~\cite{web-mix} is used
+as a base instead of Tor.  Volunteers operate a large number of access
+points that relay traffic to the core JAP
 network, which in turn anonymizes users' traffic.  The software to run these
 relays is, as in our design, included in the JAP client software and enabled
 only when the user decides to enable it.  Discovery is handled with a
@@ -539,17 +549,20 @@ about relays also allows the censor to do so, he can trivially discover and
 block their addresses, even if the steganography would prevent mere traffic
 observation from revealing the relays' addresses.
 
-\subsection{RST-evasion}
+\subsection{RST-evasion and other packet-level tricks}
+
 In their analysis of China's firewall's content-based blocking, Clayton,
 Murdoch and Watson discovered that rather than blocking all packets in a TCP
 streams once a forbidden word was noticed, the firewall was simply forging
 RST packets to make the communicating parties believe that the connection was
-closed~\cite{clayton:pet2006}.  Two mechanisms were proposed: altering
-operating systems to ignore forged RST packets, and ensuring that sensitive
-words are split across multiple TCP packets so that the censors' firewalls
-can't notice them without performing expensive stream reconstruction.  The
-later technique relies on the same insight as our weak steganography
-assumption.
+closed~\cite{clayton:pet2006}. They proposed altering operating systems
+to ignore forged RST packets.
+
+Other packet-level responses to filtering include splitting
+sensitive words across multiple TCP packets, so that the censors'
+firewalls can't notice them without performing expensive stream
+reconstruction~\cite{ptacek98insertion}. This technique relies on the
+same insight as our weak steganography assumption.
 
 \subsection{Internal caching networks}
 
@@ -557,15 +570,16 @@ Freenet~\cite{freenet-pets00} is an anonymous peer-to-peer data store.
 Analyzing Freenet's security can be difficult, as its design is in flux as
 new discovery and routing mechanisms are proposed, and no complete
 specification has (to our knowledge) been written.  Freenet servers relay
-requests for specific content (indexed by a digest of the content) to the
-server that hosts it, and then caches the content as it works its way back to
+requests for specific content (indexed by a digest of the content)
+``toward'' the server that hosts it, and then cache the content as it
+follows the same path back to
 the requesting user.  If Freenet's routing mechanism is successful in
 allowing nodes to learn about each other and route correctly even as some
 node-to-node links are blocked by firewalls, then users inside censored areas
 can ask a local Freenet server for a piece of content, and get an answer
 without having to connect out of the country at all.  Of course, operators of
 servers inside the censored area can still be targeted, and the addresses of
-external serves can still be blocked.
+external servers can still be blocked.
 
 \subsection{Skype}
 
@@ -573,10 +587,10 @@ The popular Skype voice-over-IP software uses multiple techniques to tolerate
 restrictive networks, some of which allow it to continue operating in the
 presence of censorship.  By switching ports and using encryption, Skype
 attempts to resist trivial blocking and content filtering.  Even if no
-encryption were used, it would still be quite expensive to scan all voice
+encryption were used, it would still be expensive to scan all voice
 traffic for sensitive words.  Also, most current keyloggers are unable to
 store voice traffic.  Nevertheless, Skype can still be blocked, especially at
-it central directory service.
+its central directory service.
 
 \subsection{Tor itself}
 
@@ -1295,7 +1309,7 @@ Tor encrypts traffic on the local network, and it obscures the eventual
 destination of the communication, but it doesn't do much to obscure the
 traffic volume. In particular, a user publishing a home video will have a
 different network signature than a user reading an online news article.
-Based on our assumption in Section~\ref{sec:assumptions} that users who
+Based on our assumption in Section~\ref{sec:adversary} that users who
 publish material are in more danger, should we work to improve Tor's
 security in this situation?
 
@@ -1510,7 +1524,7 @@ If it's trivial to verify that a given address is operating as a bridge,
 and most bridges run on a predictable port, then it's conceivable our
 attacker could scan the whole Internet looking for bridges. (In fact, he
 can just concentrate on scanning likely networks like cablemodem and DSL
-services---see Section~\ref{block-cable} above for related attacks.) It
+services---see Section~\ref{subsec:block-cable} above for related attacks.) It
 would be nice to slow down this attack. It would be even nicer to make
 it hard to learn whether we're a bridge without first knowing some
 secret. We call this general property \emph{scanning resistance}.
diff --git a/doc/design-paper/tor-design.bib b/doc/design-paper/tor-design.bib
index 9075a6215e..b5a8dfb83b 100644
--- a/doc/design-paper/tor-design.bib
+++ b/doc/design-paper/tor-design.bib
@@ -1374,6 +1374,25 @@ Stefan Katzenbeisser and Fernando P\'{e}rez-Gonz\'{a}lez},
    note = {\url{http://nms.lcs.mit.edu/~feamster/papers/usenixsec2002.pdf}},
 }
 
+@techreport{ ptacek98insertion,
+  author = "Thomas H. Ptacek and Timothy N. Newsham",
+  title = "Insertion, Evasion, and Denial of Service: Eluding Network Intrusion Detection",
+  institution = "Secure Networks, Inc.",
+  address = "Suite 330, 1201 5th Street S.W, Calgary, Alberta, Canada, T2R-0Y6",
+  year = "1998",
+  url = "citeseer.ist.psu.edu/ptacek98insertion.html",
+}
+
+@inproceedings{active-wardens,
+  author = "Gina Fisk and Mike Fisk and Christos Papadopoulos and Joshua Neil",
+  title = "Eliminating Steganography in Internet Traffic with Active Wardens",
+  booktitle = {Information Hiding Workshop (IH 2002)},
+  year = {2002},
+  month = {October},
+  editor = {Fabien Petitcolas},
+  publisher = {Springer-Verlag, LNCS 2578},
+}
+
 %%% Local Variables:
 %%% mode: latex
 %%% TeX-master: "tor-design"