Finally! Some Much-Needed Tor Skepticism

In the wake of a Pando article pointing out that Tor is a none-too-well-hidden US intelligence operation[1] and that everyone ought to view it through the appropriate filters, there’s been an upswell of skepticism about the “anonymity tool” whose purpose is actually just to keep you from telling that it’s American spies visiting your website.

(Not to say that everyone involved in the project is evil, though my skepticism of certain high profile “rock star hackers” is well-known… to their credit Tor makes “following the money” right back to Langley/Washington DC/whatever so easy one might think it’s their way of warning people off.)

While Cryptome published a long-ish piece with some thought-provoking quotes [2] like “The NSA Wants You To Use Tor” and others pointed out that Snowden’s Tor exit nodes were so massive (among the largest on the network at 2 Gbps) they would have attracted massive attention unless “something else” was a factor, the real interest came in the wake of a Black Hat talk.

Well, the cancellation of a Black Hat talk. [3]

Purporting to show ways anyone with a cool 3 grand could de-anonymize users, complete with examples of how the researchers had ALREADY DONE IT to kiddie porn peddlers and other dark-side-of-the-Darknet lowlifes, the talk was nevertheless quashed by Carnegie Mellon’s legal department.

Who claimed that the researchers hadn’t gotten “approval for public release.” Needless to say academics are not used to the idea of a university having to approve their research for “public release” [4] so there’s definitely SOMETHING going on here.

The ACLU’s Chris Soghoian thinks the problem related to ethics concerns and failing to get ethics board clearances [5] but I’ve watched his judgement be a little odd in the past.

The best comment, however, comes from Dan “Network Ninja-in-Chief” Kaminsky, who pointed out that… as Pando and Cryptome insinuated… Tor is not gonna save your sorry ass from the NSA, and indeed seems to be architected so it’s easy for large entities to use Tor as an intelligence-gathering tool.[6]

To wit: “control 1% of the Tor net and eventually (2 weeks) everyone both enters and exits the net through you.”

Pwned? I am not a “network ninja” but it sure sounds like “Houston, we have pwnage” to me…!

[1]
http://pando.com/2014/07/16/tor-spooks/

[2]
http://cryptome.org/2014/07/trusting-tor-not.pdf

[3]
http://www.reuters.com/article/2014/07/21/us-cybercrime-conference-talk-idUSKBN0FQ1QB20140721

[4]
https://twitter.com/mattblaze/status/491285743814586369
Don’t know full story yet, but a univ claiming right to “approve material for public release” gives me agita. https://www.blackhat.com/latestintel/07212014-a-schedule-update.html

[5]
https://twitter.com/SteveBellovin/status/491282636191834112
@mattblaze @csoghoian thinks it was monitoring and identifying users without IRB permission though per @paulohm just monitoring can be bad.

[6]
https://twitter.com/dakami/status/491324808790298625

Dan Kaminsky @dakami 9h

Tor’s ability to anonymize is greatly overestimated and suppressing research that would prove this is likely not in the public interest.

control 1% of the Tor net and eventually (2 weeks) everyone both enters and exits the net through you.
