There are nine of them (actually ten, but one is just for bridges), so you'd have to disrupt at least five of them to prevent them forming a majority vote on consensus together. Looks like the countries that own the IP address allocations for each dirauth are:
Austria, Germany, Germany, Holland, Holland, Sweden, US, US, US
If the above is all correct, a US<->Germany collaboration - to pick the largest set from two countries - would be one way to cause a large problem.
$ cat ips | xargs -I% curl -s http://ipinfo.io/%/country | paste - ips | sort
AT 86.59.21.38
DE 131.188.40.189
DE 193.23.244.244
NL 194.109.206.212
NL 82.94.251.203
SE 171.25.193.9
US 128.31.0.39
US 154.35.32.5
US 199.254.238.52
US 208.83.223.34
And here are the organizations they're associated with:
$ cat ips | xargs -I% curl -s http://ipinfo.io/%/org | paste ips -
128.31.0.39 AS3 Massachusetts Institute of Technology
86.59.21.38 AS8437 Tele2 Telecommunication GmbH
194.109.206.212 AS3265 XS4ALL Internet BV
82.94.251.203 AS3265 XS4ALL Internet BV
131.188.40.189 AS680 Verein zur Foerderung eines Deutschen Forschungsnetzes e.V.
193.23.244.244 AS50472 Chaos Computer Club e.V.
208.83.223.34 AS40475 Applied Operations, LLC
171.25.193.9 AS198093 Foreningen for digitala fri- och rattigheter
154.35.32.5 AS14987 Rethem Hosting LLC
199.254.238.52 AS16652 Riseup Networks
For what it's worth, XS4ALL has a tremendous reputation when it comes to privacy in The Netherlands, being one of the first ISPs in NL, founded by true hackers. They were the first (and only one?) that started disclosing how many subpoenas they were receiving from the government, have fought a lot against blocking TPB in court, etc -- I'm not surprised at all they are the ones hosting the Tor servers (I am a customer, and am allowed to run an Exit node, and they are very supportive when they receive abuse complaints, their entire customer support staff knows about Tor). I would be surprised if they would easily cave to a government order / seizure of their servers.
Do note that XS4ALL is owned by KPN, which is a monolith like Comcast or Verizon. If the authorities come knocking hard enough, KPN will make sure it it shut down, or worde. XS4ALL is a good provider, I enjoy my IPv6 and fiber to home very much, service is good, they still provide a shell server which I use for IRC, I like them
Sad as it might be, I have to agree with you. Upon acquisition, KPN said it will let XS4ALL be as independent as possible, and as far as I can tell, they put their money where their mouth is (let them fight court battles, where KPN (the ISP) does not), but if there is little legal room for XS4ALL to move in, KPN will make sure XS4ALL complies.
On the other hand, XS4ALL is always looking for the boundaries of privacy and free speech -- if there is no more (legal) room left, and as such have reached the boundary, I have no doubt they would comply. But they probably make a big stunt out of it again, using it as a marketing opportunity, which KPN, of course, will have no problems with. As long as they comply with the law.
MIT runs Lincoln Lab which is a think tank / R&D facility for the military. You have to pass through an armed checkpoint to get to the the complex located on an AF base. I would consider that node compromised already.
Note that 'the military' and 'a hypothetical government agency opposed to Tor' are not necessarily the same thing.
Counterintuitively sometimes the best protection is to operate under another agency. That makes moving against Tor a battle of internal politics rather than a legal battle.
'The government' rarely has uniform views on something as complex as Tor.
The mistake of course being that the military (and the CIA, it's very useful for their assets) is pro-TOR and were the ones who developed it. It's the FBI/NSA that are anti-TOR. The government is rarely monolithic, especially when it comes to the security divisions.
It's not monolithic but power is magnified. A branch of the military relying on Tor for operational security ensures that the DoD will be at least split on officially sanctioning the technology.
It's also open source. Can we stop with this fucking red herring already? He's talking about a service, right now, under the direct control of the US military. You're talking about grant funding for an open source tool.
No, he's not. He's talking about a single research laboratory MIT runs on a military base. Which somehow makes the entire university under direct control of the military?
Assuming the PTR RRs are accurate, that would appear to be true:
$ traceroute 128.31.0.39
...
15 mitnet.trantor.csail.mit.edu (18.4.7.65) 40.218 ms 40.661 ms 40.900 ms
16 asperta.helicon.csail.mit.edu (128.30.0.246) 45.345 ms 47.082 ms *
17 belegost.csail.mit.edu (128.31.0.39) 44.074 ms !X 45.023 ms !X 45.549 ms !X
This is a very big deal if it happens. Roger's linked post on the Tor site talks about "seizure" of directory authority servers; only government authorities would have that power. In the U.S. that would typically happens only after a court grants a seizure order, which would be under seal at this stage.
Of the countries where the servers are located, the U.S. has the most extreme copyright laws, which means, sadly, FedGov is the leading candidate to be behind any possible seizure.
It would be interesting if an enterprising journalist were to ask MIT, SF-based Applied Operations, and RiseUp if they've been contacted by law enforcement on this matter. Those organizations host some of the U.S.-based servers. RiseUp has a warrant canary but it hasn't been updated recently: https://help.riseup.net/en/canary
Of course we don't know what actually is going on and it all may be (I hope!) a false alarm.
PS: If multiple governments cooperate and a majority of servers are taken down, what happens to Tor after the consensus interval expires? I don't know; maybe someone more familiar with Tor does. The consensus interval was changed to 72 hours a few years ago: https://trac.torproject.org/projects/tor/ticket/7986
Update: Someone at the Tor project kind-of-answered my question about the expiration of the consensus interval a moment ago here:
"If four out of the 9 dir auths were compromised and taken offline, then the remaining 5 will continuing publishing the consensus and the network will continue operating normally. If more than 5 are taken offline then this was a horrendously large operation and the necessary corrective actions will be taken to ensure the network remains operational." https://blog.torproject.org/blog/possible-upcoming-attempts-...
I would expect that each authority server's configuration data is securely and reliably backed up, so if the physical servers are seized, then a replacement can be fairly easily provisioned. Maybe some operators will even have one waiting on standby, in case of a normal hardware failure or similar.
Presumably the IP address space isn't being seized or otherwise disbanded, so it could be dropped in exactly as specified in the hard-coded configuration - that is, the same IP address and port.
Any ongoing and persistent impersonation of the server wouldn't be viable, as the long-term directory authority identity keys are kept offline.
Maybe I'm missing something here but it sounds like more of a symbolic violation, rather than a potentially catastrophic disabling event that brings down Tor.
I think you're probably overestimating the portability of IP addresses, and underestimating the coercive power of the organization that does the seize.
IP addresses are assigned to a network provider, not a customer. If I'm hosted by a US provider and the FBI seizes my server, is that provider going to say "sure, just spin up a new box on the old IP", or are they going to tell me to get off their network? What if the FBI has an opinion on which decision the provider should take? What if the FBI has an opinion on which action the directory operator should take?
Can they really say to MIT, for example, that port 9131 on IP address 128.31.0.39 is now out of bounds? Or coerce all of Riseup's peers (including any future ones) to cease connecting to their entire 199.254.238.0/24 range, or even just firewall off 199.254.238.52 upstream?
As far as I know, there's no precedent for this where the provider - and, crucially, the owner of the IP address block - is hosting the server itself.
I don't think the change to 72 hours was merged; I think it's still at 24 hours.
> PS: If multiple governments cooperate and a majority of servers are taken down, what happens to Tor after the consensus interval expires?
As I understand it, the network would die (all clients would refuse to use the consensus, and thus not connect) 24 hours after the last good consensus.
It's very interesting that the project has some advanced notice about a threat.
My first guess would be that a nation has made some demands of the project that the project won't comply with, and that country has suggested they will seize the directory authority servers located inside it if the demands aren't met soon. [Edit: a new comment by arma on the original story, "To be sure to keep our source safe, we're not providing more details quite yet", makes this seem less likely.]
Or perhaps an insider has leaked some plans to the project.
Along another line of thought, if the US government wanted to further complicate online privacy, I imagine they'd choose a time like now, when headlines about the "cyber intrusions" of 2014 are at a peak. I wonder what other actors could have large enough power over their directory authority servers for the project to post this message.
Edit: Indeed, from a post below by paralelogram [0] and by checking https://atlas.torproject.org , it appears 4 of 9 are in the US. There are also two in Germany, one in the Netherlands (as well as another there that is only for bridge relays), one in Austria, and one in Sweden.
It could be an opportunistic attack on Tor by MPAA members. If the FBI surveyed all their IT people regarding attacks and they all complained about Tor, they might be able to stampede the FBI and cooperating LEAs into a takedown of directory servers.
What ability does TOR have to operate in a decentralized manner without the directory servers? Is that something that is possible now, or is it being worked on, or is it even possible?
edit: this question was asked in the blog comments, here is arma's response
Based on my understanding of the TOR network, it currently cannot function without directory authorities. The directory authorities provide a signed list of all of the TOR network relays, and that includes the set of encryption certificates used for each relay and all of the configuration information about it.
The TOR clients come hard coded with a list of directory authorities. Without the ability to query the directory authorities they cannot find a usable TOR route. I don't know if there is some caching involved, but if not then this would effectively stop the network for anyone trying connect to TOR.
So why couldn't signed lists of relays just, say, float around on a DHT, with a cache-and-forward model like Freenet, but where newer documents (provided they're signed with the same key) will overwrite older documents in the same cache slot?
Actually, to put it another way, Freenet is itself the optimal bootstrapping mechanism for Tor. Maybe the two projects should merge, such that Tor would effectively be an optimization over the specific case of two peers generating and searching for one-another's signed Freenet documents (this effectively being an IP tunnel already).
It's already done that way. Tor relays cache signed consensus documents from the directory authorities. It doesn't change the fact that you need some trusted computers, somewhere, that give you an accurate view of the network.
I mean we have the "technology" to do distributed trusted computation (without trusted hardware). It would just be extremely difficult to bring it into the TOR project without rewriting large parts of it.
Storing and transmitting the consensus is not the issue. The issue is that you need to decide what relays get into the consensus. You also can't choose a system where different clients get different relay directories, or people will be able to profile clients by which relay directories they're using.
I've always thought one of the biggest weaknesses of Tor was that it did rely on a central authority. BitTorrent moved from a centralised tracker model to a decentralised DHT, so I'm quite sure it's theoretically possible. In the worst case, I think a DHT could be used as a routing layer, storing and retrieving encrypted packets in it, and achieve a similar anonymity effect... of course the latencies are going to be horrible, so it might be better to just use it as a way to setup multihop tunnels.
Someone posted a somewhat toxic but somewhat valid point, and the project responded with more details about their 'source'. I add their response but it may be best to read the original post.
To be sure to keep our source safe, we're not providing more details quite yet.
But actually, we don't know many more details than the ones we posted. And as for your 'why', that's an excellent question, and one we've been wrestling with too. There are nine directory authorities, spread around the US and Europe. If they're trying to hunt down particular Tor users, most possible attacks on directory authorities would be unproductive, since those relays don't know anything about what particular Tor users are doing.
Our previous plan had been to sit tight and hope nothing happens. Then we realized that was a silly plan when we could do this one [post the warning] instead.
I doubt this will be a popular post, but I'll make it anyway.
If there are some seizures of directory authorities or other project infrastructure, this won't be some totally unpredictable occurrence. It was only about a month and a half ago that some relays were seized as part of a general takedown against Tor hidden services. The Tor project posted this blog in response:
That blog post convinced me to shut down my relay. The reason is, to an ambitious prosecutor this blog post looks like:
"We view law enforcement operations as attacks and are looking for ways to defeat them, because we are determined to shield the identities of our criminal clients"
... which is exactly what resulted in the operators of the Silk Roads getting arrested even though they were not personally selling drugs.
The blog post makes casual reference to the "enormous social value" of hidden services and claim they're worried about "secret police repressing dissidents", but doesn't cite any actual examples. Actually I've never heard of a hidden service that has enormous social value - whilst there are a small number of .onion addresses that aren't completely illegal or unethical, for all the examples I know of the operators are not anonymous.
To police forces around the world who keep having investigations hit a dead end because of Tor, going after the project directly will not seem very different than going after services like Liberty Reserve. The people running it are stating publicly that they will do their best to frustrate investigations, and that is dangerously close to admitting participation in a criminal conspiracy. Thin ice doesn't even begin to describe their current situation.
> The blog post makes casual reference to the "enormous social value" of hidden services and claim they're worried about "secret police repressing dissidents", but doesn't cite any actual examples.
I'll give you one:
Russia currently has laws that, among other things, require the author of a blog to register personal information with the government if the blog has more than 3,000 daily readers[1]. The law is specifically intended to prevent anonymity.
When working as intended, hidden services enable those blog authors to protect their identity and ensure the government doesn't harass, arrest or kill them.
It's much, much easier for them to just write a Wordpress or Blogger blog, hosted in the USA where Russia can't get access to the logs. Or in any other jurisdiction that won't respond to Russian requests for their data.
The big advantage is - anyone can read your blog. Not just people who are willing to download and use the Tor browser.
Most famous cases of dissent in recent times have preferred to play jurisdictional arbitrage rather than use Tor. Snowden is being kept safe by Russia, his information was published by a British newspaper that then shifted reporting to New York to avoid the UK government goons. Apparently for now that's good enough.
This is why I talked about specific examples of hidden services being used in this way and actually getting real traction - I can't think of any.
I see your point about hidden services severely limiting the practical accessibility of the content. But isn't it a good idea to use Tor rather than HTTP(S) to compose that blog in such situation?
In theory yes, in practice most people I know in places with strict firewalls use commercial VPNs rather than Tor (faster, easier).
Also if you're hosting on a site like Wordpress or Blogger all the government sees is an SSL connection to wordpress.com or google.com. They don't get to see if you're reading or composing. So in practice it's probably good enough.
> "Actually I've never heard of a hidden service that has enormous social value"
You make it sound like you've actually looked. Perhaps you've spoken to some Ukrainians, or protesters in Turkey or Honk Kong, and they've assured you they have little use for "hidden services"?
I have looked (or at least paid close attention) and I am unaware of anyone in Ukraine, Turkey or Hong Kong using hidden services for political reasons.
Additionally, Tor gets way less traffic from people trying to evade national firewalls than VPN services do. They aren't the big fish in that space at all.
Besides, I'm not sure what your point is. Societies don't tend to judge a thing by whether there's a single good use, somewhere. They weigh things up.
Hidden services can be enumerated, so it's not impossible to find one if there's some awesome hidden service somewhere. But such a site would get a lot of attention very quickly. It wouldn't be secret very long.
Hopefully this whole story will amount to nothing. It'd be very sad if Tor disappeared. But let's face it - when you have the Prime Minister of a technically advanced western country tasking one of the worlds most advanced intelligence agencies with "break the dark web" they were going to hit serious problems sooner or later anyway. And mostly that's because of hidden services. It'd be a crying shame if this one feature with hardly any legitimate usage caused the entire project to tank.
Societies don't 'weigh' anything up. Governments with idealogical leanings make decisions regardless of evidence. You only have to look at the 'war on drugs' to see how, regardless of the evidence put before them, politicians will blindly follow their ideologies. 'Weighing up' implies a reasoned judgement, based on the arguments for and against and based on the available evidence. To think that the UK or US (or any other) government works that way is naive.
I agree that they are vastly inflating the utility of Tor for people in repressive regimes given how easy it is to block Tor at an ISP level (e.g. Tor is completely blocked in China).
there are ~1200 directly connecting users [0] and ~200 bridge users [1] who might dispute the assertion that 'Tor is completely blocked in China'.
instead of casting aspersions on a free software project, i would encourage you to please help make tor more useful for these users, or to build your own alternative.
There is a small subset of IPs in the Shanghai Free-trade Zone which are not subject to the same Internet restrictions as the rest of China. This along with government IPs and inaccurate IP-to-country mappings could account for those stats. For comparison, there are more than 300000 users in the US for a country that is considerably smaller in terms of population.
For what it's worth, I have unsuccessfully tried using Tor (and Tor bridges) a few times in Shenzhen and I'm a lot more tech savvy than your average political dissident. Tor's blog even has a post about how it is being blocked in China if you don't believe me: https://blog.torproject.org/blog/closer-look-great-firewall-...
> instead of casting aspersions on a free software project, i would encourage you to please help make tor more useful for these users, or to build your own alternative
I doubt I could build a better alternative and I was not criticising the Tor project as a whole.
Interestingly it's partially the same issue - the directory servers have static IP's. ISP's are simply blocking traffic to these directory server IPs. Without access to the directory servers, can you still use Tor?
Also see above article for thoughts on how to circumvent this mode of censorship.
Tor has a network of unpublished bridges it provides via offline methods in high risk countries. You can also request unpublished bridges via email [1]. Pluggable transports [2] allow your tor traffic to look like Skype or SSL. These tools combined allow most of the "noble use cases" of tor to operate without being hunted down.
The last update I heard is that the GFW does active probing to detect Tor bridges and relays. That is, there are computers inside China that are triggered by something, which then actually speak the Tor protocol to an IP to check if it's capable of subverting the firewall. If so, it gets blocked.
There isn't really any way around that which scales, which is why Tor is basically a non-entity in China right now. Everyone I know from the west who spends time in China just uses commercial VPN services, not Tor.
They pointedly didn't mention China in their list of repressive regimes: "Iran, Syria, and Russia".
I think for most people, China is the first country that comes to mind when you think about internet censorship. But my experience is that it is impossible to connect to Tor there. Maybe they are acknowledging that tacitly.
Or maybe they were trying to make the blog post more palatable to US government readers, since Iran, Syria, and Russia are currently bad guys, while things with China are supposed to be fine.
As 'blunder has mentioned elsewhere, you should use pluggable transports (try obfs3, scramblesuit, fte in https://bridges.torproject.org/options) when in mainland China. Don't use vanilla Tor bridges or vanilla Tor there.
Assuming it's a legal entity that will be performing these seizures, I'm curious to know the case against these servers. To my (albeit somewhat limited) knowledge of the Tor network, these DA's exist solely to maintain the integrity and structure of the network, and to provide a list of known relays to clients.
I also understand that this list of trusted DA's is hardcoded into Tor clients. Since this is the case, I'd be curious how the network could be restored if there is a coordinated action on these servers.
The Sony hack will probably be used as an excuse, whether that's the main reason or not. That's how the US gov operates now. They take advantage of certain situations to pass or do stuff that normally would have no chance of passing, even if those situations are barely related to what they're trying to pass.
Example: The Patriot Act written many years before 9/11 by law enforcement agencies to help them in the War on Drugs, and then shamelessly used the 9/11 excuse to pass it. If the Patriot Act was "just about terrorists", then it should've referred only to terrorists. But it didn't. And now 99 percent of NSLs are used in drug cases.
I'm not sure if the above comment is downvoted because of the Patriot Act claim, but that claim happens to be correct. I wrote about this for CNET here:
http://www.cnet.com/news/how-bin-laden-and-911-attacks-shape...
"Long before 9/11, the U.S. Department of Justice drafted the so-called Enhancement of Privacy and Public Safety in Cyberspace Act (PDF), which goes by the awkward and not very memorable acronym of EPPSCA. In July 2000, the Clinton administration forwarded EPPSCA to Congress, where it was introduced by Sen. Patrick Leahy (D-Vt.) and met with a generally chilly response... EPPSCA was designed to give police more authority to conduct Internet surveillance, not thwart terrorists armed with box cutters... within hours of the 9/11 attacks, the Justice Department had dusted off EPPSCA as a way to respond to bin Laden. On September 13, 2001, two days after the worst terrorist attack in U.S. history, the U.S. Senate approved the "Combating Terrorism Act of 2001," which includes portions copied directly from EPPSCA."
As for the rest of the above comment, this is likely to be a fluid situation and I'm reserving judgment until we know more. It is possible that the good folks at Tor are wrong (I'd like them to be!) and no seizure happens. Government authorities sometimes bluff.
I think it is worth noting that, while hard-coded, this line suggests that the DA list can be overridden ( https://gitweb.torproject.org/tor.git/tree/src/or/config.c#n... ). Theoretically this should allow the Tor project to provision replacement servers and publish their IP addresses without modifying the "hard-coded" list in every Tor client. With that said, I know very little about Tor and this comment should be taken with a boulder of salt.
The project would have to publish new source code containing new servers, and get everyone to upgrade immediately. I don't think there would be another way to restore the network (which is by design).
just because they need a list of nodes doesn't mean they need to be hardcoded into the client. the other option of course would be to fetch the list remotely.
ah, point taken. i didn't think too hard about this apparently. if they had a host serving a list of trusted DAs, that host would be just as valuable a target.
Maybe like Bittorrent DHT? The client could keep a cache of other known nodes. You could share them on pastebin versus having them b only hard coded. You could preloaded a hundred peer nodes, instead of 9 master nodes. It doesn't strictly eliminate the problem, but it makes it less likely that one or two governments can just shut it all down.
This is kind of how i2p does it. Currently i2p has like 6 "reseed servers" which bootstrap you into finding some other peers. Once you are connected to the network you then can contact "floodfill" servers, which are essentially a distributed form of the directory authorities. Floodfills are autonomously chosen routers on the network, and distribute other nodes to whoever asks.
Seems like somebody in the DoJ just decided that Tor's balance between geeky CompSci curiosity and enabler of real-world criminal behavior has tipped too far in the latter direction. The legal case has been ripe for a while-- after all, Megaupload and many other networks have been disabled by the US government for enabling significantly LESS serious criminality. Ummm... world's biggest drug marketplace, anyone??? What's important to remember is that the gov't can't just go in and seize the directory authority servers willy-nilly. Instead, they must do it as part of a legal process against a specific, identified target. In this case, the likely target is going to be the Tor project itself and possibly the individuals leading it. The legal case might ruffle a few techie feathers but only an insignificant portion of the general public will care, and that portion can be mollified with the "stopping the bad horrible criminals" routine.
Those were not shutdown for "enabling" criminal activity. They were shut down for actually doing criminal activity. With megaupload it was failure to abide by the DMCA, with silk road it was handling money for/from drug dealers. I cannot see how Tor has actually done anything criminal beyond what a thousand other transitory service providers do every day.
According to the internal emails the prosecutors got their hands on, megaupload was paying out to the top uploaders, and megaupload showed knowledge of what the uploads where. I can't stand commercial piracy.
If this turns out to be (1) real and (2) linked to the Sony fiasco, then North Korea has triumphed. They have taken down two enemies in a single hack: a film and an internet technology. That puts them ahead of the MPAA and the NSA combined.
I think we can guess we're about to be told the North Koreans used TOR so decisive action needs to be taken against the network as part of the retaliation measures just announced.
The targeted servers are directory servers, which are not what the user runs. AFAIK there is nothing that can be done short of supporting TOR through donations, so they can focus on whatever needs to be done.
The United States may occasionally do some shady shit, but the Chinese will frequently conduct blatant theft of intellectual property off your servers. This is why very few tech companies will host within China proper.
Aside from the physical takedowns, expect a financial crackdown. Tor project assets would be seized, Paypal accounts locked, and CC services withdrawn.
The United States Government will fail because even if they were to significantly disrupt the Tor network we'll pull out the Zero Knowledge Proofs on them. We have the crypto and technology to build a super resilient Tor replacement that they cannot do a single thing about. Tor is antiquated and I personally hope they take it out because it's replacement will be 100x better.
Lots of people around the world depend on the anonymity of Tor today and having the Government take it out, whilst indirectly kick-starting the next generation anonymity network is all and well for me and my armchair, but it's going to be life threatening for many.
Until this 100x better solution exists Tor must be kept running at any cost, many lives depend on it.
They haven't been sent an NSL at the time of the writing of that post. They don't have details on what the attack is, only that they think there is going to be one.
the most recently restarted dirauths appear to run Tor 0.2.6.1-alpha-dev, including four of the five US-based dirauths (moria1, Faravahar, urras, dizum). gabelmoo, tor26, longclaw, Tonga, and maatuska appear to be running Tor 0.2.5.10. dannenberg is running Tor 0.2.5.9-rc.
How often do they tend to restart usually? (For instance, I'd be unsurprised to hear e.g. that Roger tests his commits on his dirauth, and so that server never has high service uptime, or something.)
i don't want to speak for roger, but my general understanding over the past few years was that roger typically appeared to run fresher alpha code on a sister relay named moriatoo (https://atlas.torproject.org/#details/5C91CC4554CA2EE1904BA6...) before upgrading moria1.
but at the moment, moriatoo is running 0.2.6.0-alpha-dev and moria1 is running 0.2.6.1-alpha-dev
These unmaskings have been performed through (usually egregious) opsec failures on the part of the user, rather than performed by attacking the Tor network directly.
Also I believe there were some traffic correlation attacks where the attacker was able to get netflow data from both entrance nodes and (?) the traffic destination outside of Tor.
Well be specific. Some have been caught due to using outdated Tor software. Others, like the recent Silk Road bust, because they used "hidden services" incorrectly, and the hidden services were never actually advertised by Tor as being perfectly safe.
But the latter one has nothing to do with users, but with "website" operators inside the Tor network.
I'm hoping Utter.io can help with this by making the infrastructure more trustworthy in the coming years. I'll be launching a Kickstarter right after the 1st to raise money for the project (which is currently in preview mode): https://www.kickstarter.com/projects/kordless/683224456?toke...
If funded, a user governed foundation will be set up to help prevent influence by misaligned interests, such as those seen with existing providers and closed source software vendors. Infrastructure was always meant to be open, transparent and trustworthy.
First, I'd like to point out you are referring to something that isn't on the Kickstarter page, but linked to by it. You are talking about this: http://utter.io/prezo. Yes, it's a little out of date. Yes, I substitute the industry's word 'datacenter' for Amazon's term 'region'.
Three days ago I updated the longer video version from that page and put it on the Kickstarter page, down below the other video. In addition to removing other content, I edited out the amounts you are referring to because they change constantly and are less important to my pitch now I'm doing a Kickstarter campaign. Also, AWS added a 10th region to their list a few months ago. I don't 'count' the government cloud as a public offering.
It remains a truth that AWS runs out of ten geographic regions. So, 80% of the world's public cloud is run out of (by your math) <~40 physical buildings. Not a cloud, IMHO.
Besides, there doesn't appear to be any public information on how many physically different locations Amazon runs for AWS, which makes it impossible to say how many physical locations (datacenters) they run. I'm not 100% convinced that a 'zone' maps to a physical building, given my memory of ping times across zones and having issues with two neighbor zones at the same time in the early days of using AWS.
Amazon having different terminology than the industry's causes confusion and my comments reflected that confusion when I used the term 'datacenter' erroneously. FWIW, Rackspace calls their dataceneters 'datacenters': http://www.rackspace.com/about/datacenters.
Any remaining minutia related to this topic will be resolved by the end of the week. I'm updating Utter.io in preperation for the Kickstarter launch.
You can see the list of trusted directory authorities in Tor's src/or/config.c:
https://gitweb.torproject.org/tor.git/tree/src/or/config.c#n...
There are nine of them (actually ten, but one is just for bridges), so you'd have to disrupt at least five of them to prevent them forming a majority vote on consensus together. Looks like the countries that own the IP address allocations for each dirauth are:
Austria, Germany, Germany, Holland, Holland, Sweden, US, US, US
If the above is all correct, a US<->Germany collaboration - to pick the largest set from two countries - would be one way to cause a large problem.