NSA and UK intel agency GCHQ target online anonymity tool Tor, according to leaked Snowden documents
Fantastic news for the TOR community, really. Myth confirmed.
The fact that Tor was created by the US government doesn’t throw up any red flags? Does no one believe in disinformation anymore? How about this: the NSA absolutely has 100% full access to Tor. The Firefox exploit is an easy way to blame a 3rd party for ‘vulnerabilities’. I wonder if GCHQ even know this. Also, Tor is a fantastic honeypot to catch scumbags. I’m sure terrorists are the primary target but snagging DPR and EEM is a bonus.
I’m pretty sure that journalists are still safe using Tor though. Believe it or not, America actually does love freedom!
Meanwhile in other obvious news…
Wrong place for paranoia, with TOR: some US Navy affiliated research outfit, possibly along with DARPA, did kick in for its development, because the State Department wanted something with those capabilities; but the protocols and clients have been OSS, and in friendly hands, for years now.
The bigger issue is likely that TOR depends on volunteer relay and exit nodes (and, by necessity, exit nodes can see some interesting things, though not tie them back to the user without some additional information), which are always in short supply.
So, if somebody with decent amounts of cash is interested in owning TOR, the easy, inconspicuous, no-hacking-needed attack is to operate lots and lots of TOR nodes. Not out of the NSA’s IP block or anything, that’d be idiotic, just steadily add a VPS here, a cut-rate colo there, some AWS instances over here, through a bunch of contractors, front companies, and so on. Once you own enough nodes, the probability that a user’s trip ends up taking enough hops through your servers that you can identify them.
That’s the danger: by the standards of anonymity-enthused cypherpunks, enough bandwidth for TOR to work properly is pretty expensive; but by the standards of a sinister three letter agency it would probably be a fairly inexpensive project.
(By way of example, this Swedish researcher set up 5 rogue exit nodes, with essentially zero resources, and scored enough cool stuff to get some heat from the feds. Various other research groups set up nodes from time to time, just to have a look. A wimpy little VM with a 100mb link is enough to make you a valued member of the network, so the costs of entry are low.)
The US excels at spending money to create new weapons that it has to turn around and spend an order of magnitude more money to defend against.
TOR is open source — if there were some backdoor for the US Government built-in it’d be near impossible to hide.
SR has been around for years, if they had a reliable method of identifying people using the service you don’t think DPR would have been caught much sooner? He’s a savvy kid that made a handful of mistakes, it’s not rocket science.
You’d also have to assume that the NSA intentionally leaked documents to Snowden to convince users otherwise… I’m not buying it.
Would it be better to shut down SR as soon as it launched or let it build and harvest the data? It would have given a fascinating and educating look into online drug transactions.
Also, a backdoor would be too obvious, too hard to hide. FuzzyFungus mentioned a better way of controlling Tor in his comment above.
It’s either that or healthcare for all
Not sure the government is into allowing international drug trafficking and murder for hire because they think it’s “fascinating and educating”. That’s far from the simplest outcome here.
Does this document mean what I think it means? Does it mean that if you’ve ever used Tor (traffic traced to an exit node) then the NSA will hack your computer and track everything you do from now on?
People have analyzed the TOR software a fair bit now. It is unlikely that there are any backdoors in it that aren’t also backdoors in a ton of other crypto using software. If libSSL is inherently flawed somehow, then TOR is nowhere near the top of our concerns.
TOR itself seems pretty safe. What you do on your TOR link may or may not be safe. Browsers will happily divulge way more information than you would like when tweaked in certain ways, and if you want to foolishly type your name into a TOR protected server, TOR won’t stop you.
Tor provides anonymity, not security. If your traffic is unencrypted, a Tor node can read it. I could think of a few ways a bad Tor node could make Tor less effective, but I would have to read the code.
Defending against ultra hostile attackers is going to take the collective intelligence of planet earth.
So... when will we start seeing TOR II? Here’s hoping for a bastard child of Richard Stallman and Phil Zimmermann...