The Tor BSD Diversity Project (TDP)

⋔ Blog ⋔ FAQ ⋔ Resources ⋔ GitHub ⋔ Contact ⋔ TDP Onion ⋔

The TDP Projects:
⋔ Tor Browser for OpenBSD ⋔ BSD Relay Guides ⋔ Corporate Relays ⋔ Ports for PETs ⋔ Statistics ⋔

Resources

This page collects links and information relevant to TDP. We welcome relevant submissions from others.

The BSDs and Related Projects

• FreeBSD: performance, cutting-edge networking and filesystem features

• NetBSD: portability, stability, support for many devices

• OpenBSD: security, correctness, standards-compliance, leadership in addressing serious issues confronting the computing ecosystem

• DragonFly BSD: multiprocessing, alternative approaches to filesystem design

• OpenSSH: the defacto standard on the Internet for secure command-line access, portable and lightweight VPN features, constant advances in crypto, security

• LibreSSL: a renewed focus on simplicity, correctness and sustainability/maintainability for TLS

• FreeNAS: FreeBSD-based networked-attached storage system

• OPNSense firewall: easy-to-use web interface to OpenBSD’s packet filter (pf) on a FreeBSD base

BSDs and Tor

• Tor-BSD Mailing List hosted by the New York City *BSD User Group

• An Unofficial BSD Buildbot for the Tor Project A distributed test build system for finding problems with BSD Tor builds.

• Christian Bruffer at MeetBSD 2007 presentation on FreeBSD, Protecting Privacy with Tor

• Tor Network Status A useful overview of the current public Tor relays, with a filtering ability to check relay numbers by operating system, and other attributes.

• Tor Metrics More useful graphs about the Tor network, including platform usage.

• attila’s blog

Relevant BSD Bits

• Theo de Raadt slides on arc4random

• Kode Vicious’ Column from ACM’s Queue Magazine

• Poul-Henning Kamp article on “A Generation Lost in the Bazaar” from ACM’s Queue Magazine’s “The Bike Shed” column

• Ted Unangst post on OpenBSD-misc “Improving Browser Security”

• Theo de Raadt slides on “Exploit Mitigation Techniques: An Update After 10 Years”

• Ted Unangst slides on “LibreSSL: More than 30 Days Late”

• Ted Unangst blog post on “Reproducible Builds are a Waste of Time”

• Ted Unangst blog post on “random in the wild” pointing to scary uses of rand 3 which are disturbingly common.

The Danger of Technology Monocultures

* CyberInsecurity: The Cost of Monopoly. How the Dominance of Microsoft’s Products Pose a Risk to Security. Note: the original PDF on the Computer and Communications Industry Association (CCIA) web site is no where to be found. Originally at https://www.ccianet.org/papers/cybersecurity.pdf.

An explosive paper arguing Microsoft’s desktop monopoly is a critical weakness in global infrastructure. The paper prompted the firing of one of the authors Dan Geer from @Stake (later acquired by Symantec) in 2003.

* Monoculture on the Back of the Envelope

A short piece by Dan Geer from USENIX’s ;login magazine two years later.

* Schneier-Ranum Face-Off on the dangers of a software monoculture

In 2010, Bruce Schneier and Marcus Ranum debate the issue. Note that a login is necessary to access the piece.

* Bruce Schneier’s blog entry on “Software Monoculture”

Bruce Schneier illustrates some of the weaknesses in the “monoculture is insecurity” argument. First, even seemingly identical computer hosts have some diversity in terms of networks, software, and so on. Second, there are significant costs to diversity. Verisign diversified its infrastructure with three operating systems, including FreeBSD, and they incur significant costs in doing so. Finally, diversity does not mean two’s and three’s of each, but hundreds or thousands to robustly mitigate system-wide disasters.

* Risks of Monoculture Revisited

After the followup debate, the Microsoft Principal Cybersecurity Strategist concludes that monocultures aren’t really that bad after all. Desktop diversity seems to have established with the advent of Android and Ubuntu, and the expansion of Apple products, so the relevance of the Windows desktop monoculture may have decreased.

About Bananas

* Bananas: We have no bananas today

The lack of diversity in cultivated bananas remains the best non-technical example of precarious monocultures

Related and Useful Projects

• flashrd Building small OpenBSD i386 and amd64 embedded systems. An ideal platform for small Tor relays and bridges.

• FreeBSD’s Crochet A tool for building FreeBSD images for embedded systems on a variety of architectures, including contemporary armv6 and armv7 hardware such as Raspberry Pis and BeagleBones.

Chatter About TDP

• BSDNow.tv News Item on TB 5.5 Release

• TDP announced on the Tor-talk mailing list

• Followed up by a headline on BSDNow.tv

• Reddit on TDP: Before we publicly announced, a TDP Reddit thread. Very appreciated, but one important point of clarification: we are not interested in having Linux relays moved to BSD. If someone runs a relay, they should use the operating system they are most comfortable with. TDP is about affecting the BSD community and not converting anyone to the BSDs. Another quick comment is that we strongly agree in the larger monoculture problem. Ideal diversity would encompass a variety of applications and hardware, and that applies to Tor as much as anything. But there’s a major issue to consider, and that’s interoperability. There needs to be some agreement on protocols before there can be any routing or communications in general. If one mail server only talks SMTP and the other only UUCP, email routing does not happen.

Complementary Tor Links

• The Tor Project’s Git Repository. The home of of most of the Tor Project’s code base and most of TDP’s upstream.

• Tor GitWeb Tuning Document, including sections on FreeBSD and OpenBSD.

• Ten Things to Look for in a Circumvention Tool. A dated but timeless piece from 2010 for those who doubt the integrity of an open source anonymity network versus the array of VPN and proxy services.

From the Attic

• “Findings Report on the Tor Browser Bundle User Experience” via hidden web site or via Tor2Web. This report from 2012–2013, summed up research conducted on the user experience (UX) for the Tor Browser bundle.

• “The LibTech Scene and the BSD Projects after Snowden” via hidden web site and via Tor2Web is the basis of a number of birds-of-feather and similar events taking place from 2012 through 2014, including vBSDCon in 2013 and NYCBSDCon 2014.

• An older, incomplete how-to entitled “Simple Web Sites with Tor’s Hidden Services: Unrestricted and Impossible to Block” via a hidden web site or via Tor2Web.

Materials

• A one-page informational flier providing an overview of TDP for a BSD audience. It’s a call for engagement in which the case for using the *BSDs is assumed. The flier should print out on a single page.

Copyright © 2018 by The Tor BSD Diversity Project (TDP). All Rights Reserved.

last updated: Wed Aug 9 17:31:51 2017 UTC