Tor Users Urged To Update After Security Breach

timothy posted more than 3 years ago | from the points-of-failure dept.

Privacy 161

An anonymous reader writes "If you use Tor, you're cautioned to update now due to a security breach. In a message on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha now: 'In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we'd recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.' Tor users should visit the download page and update ASAP."

161 comments

first (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#30855690)

post

Re:first (0)

Anonymous Coward | more than 3 years ago | (#30855736)

post

Crap, I should have posted that through Tor; now Slashdot knows my ip address :(

Re:first (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#30855802)

Don't bother trying. Slashdot banned Tor. I don't know why.

Re:first (0)

Anonymous Coward | more than 3 years ago | (#30856038)

crapflooding.

Re:first (-1, Troll)

Anonymous Coward | more than 3 years ago | (#30856100)

Fuck a nigger today.

Re:first (-1, Offtopic)

Anonymous Coward | more than 3 years ago | (#30856120)

Good idea. Yo mama is used up and worn out. No one wants to do her anymore.

Re:first (2, Interesting)

JWSmythe (446288) | more than 3 years ago | (#30856378)

Technically, it can't be. But since most of the exit points are pretty well known, it's not all that hard. If more people made themselves exit points, rather than just taking advantage of the network, that problem would go away.

I've tried Slashdot. It's been a matter of switching exit points until you find one that isn't forbidden. Google is really on top of it though. I suspect they may have a tie-in with the network map, so they know the exit points as they come and go.

Re:first (1)

Dr. Evil (3501) | more than 3 years ago | (#30856496)

Running an exit node is very, very, very risky.

On the other hand, putting services like Slashdot or Google on as hidden services, it might reduce the demand for the exit nodes.

Has any major company done this yet?

Re:first (2, Insightful)

JWSmythe (446288) | more than 3 years ago | (#30856844)

Ideally, everyone that runs a client is an exit node too. But, much like an open AP on your network, when the police come knocking at your door, just saying "But, I was just connected to Tor" isn't going to be much of a defense. It may work in court, but you may be waiting a long time for that day to come.

Re:first (0)

Anonymous Coward | more than 3 years ago | (#30856534)

I used TOR yesterday, here, several times but for a good reason. What the hell are you talking about?

Por (0, Offtopic)

hoboroadie (1726896) | more than 3 years ago | (#30855738)

quoi?

From: Anonymous Coward (5, Interesting)

Anonymous Coward | more than 3 years ago | (#30855722)

Anyone else find it so funny that a news story about anonymity is suggested to slashdot by anonymous coward?

I think it's the best form of joke... one with an epic amount of unexpected expectedness.

Takes all types... (2)

adbge (1693228) | more than 3 years ago | (#30855786)

Anyone else find it so funny that a news story about anonymity is suggested to slashdot by anonymous coward?

I think it's the best form of joke... one with an epic amount of unexpected expectedness.

If you think that's funny, just think...

Every Anonymous Coward posting about this article will be an Anonymous Coward posting about an Anonymous Coward's anonymity story. A story by an Anonymous Coward for Anonymous Cowards about Anonymous Cowards. Anonymous anonymous anonymous.

Re:From: Anonymous Coward (0)

Anonymous Coward | more than 3 years ago | (#30855804)

what's so unexpected about it?

Re:From: Anonymous Coward (0)

Anonymous Coward | more than 3 years ago | (#30855964)

If you think that's funny, why not gather some Tor Bridges for each day's use and use them instead of regularly connecting to Tor?

https://bridges.torproject.org/ [torproject.org]

Here's some useful tor bridges from today:

bridge 212.185.225.5:443
bridge 109.120.56.218:443
bridge 203.153.227.210:5557
bridge 174.22.134.22:443
bridge 68.52.174.15:443
bridge 79.84.34.209:443
bridge 18.85.46.218:14242
bridge 74.82.1.191:19030
bridge 24.110.168.130:443
bridge 78.34.108.121:443
bridge 94.23.58.19:1443
bridge 72.24.220.108:443
bridge 74.207.232.33:443
bridge 77.251.74.120:443
bridge 72.174.8.28:443
bridge 91.6.174.212:8888
bridge 169.234.106.251:9001
bridge 69.62.132.186:443
bridge 97.102.122.25:443
bridge 129.244.144.200:9001
bridge 83.169.1.47:442
bridge 188.40.112.195:443
bridge 92.107.52.186:9001
bridge 79.6.97.120:443
bridge 66.51.242.115:9001
bridge 92.25.201.211:443
bridge 93.194.192.154:8080
bridge 121.190.2.55:443

just add them to your torrc file along with:

UseBridges 1

And enjoy!
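As an added example (not code from the original post or from the Tor project), here is a small script that takes lines in the form the post used, checks each address and port, drops duplicates and non-public addresses, and emits a torrc block with `UseBridges 1` and one `Bridge` line per entry. It assumes the documented torrc form `Bridge IP:ORPort [fingerprint]`, with the option name case-insensitive (the post wrote `bridge`); the sample input, including the private address and bad port in it, is constructed.

```python
"""Build and validate a torrc 'Bridge' block from a list of ip:port entries.

Added example; not code from the Tor project or from the original post.
Assumes the torrc syntax: an optional 40-hex-digit fingerprint may follow the
address, and option names are case-insensitive ('Bridge' is emitted here).
"""
import ipaddress
import re

_BRIDGE_RE = re.compile(
    r"^(?:bridge\s+)?(?P<host>\[[0-9a-fA-F:]+\]|[0-9.]+):(?P<port>\d{1,5})"
    r"(?:\s+(?P<fp>[0-9A-Fa-f]{40}))?\s*$",
    re.IGNORECASE,
)

def parse_bridge_line(line: str):
    """Return (ip, port, fingerprint_or_None) or raise ValueError.

    Rejects non-public addresses and invalid ports so a typo does not point
    the client at a private or loopback address.
    """
    m = _BRIDGE_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed bridge line: {line!r}")
    host = m.group("host").strip("[]")
    ip = ipaddress.ip_address(host)  # raises ValueError on bad addresses
    if not ip.is_global:
        raise ValueError(f"non-public bridge address: {ip}")
    port = int(m.group("port"))
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    fp = m.group("fp").upper() if m.group("fp") else None
    return str(ip), port, fp

def build_torrc_bridge_block(lines):
    """Return (torrc_text, rejected_reasons). Entries are deduplicated in
    first-seen order; entries that fail validation are skipped and reported."""
    seen = set()
    out = ["UseBridges 1"]
    rejected = []
    for line in lines:
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            ip, port, fp = parse_bridge_line(line)
        except ValueError as exc:
            rejected.append(str(exc))
            continue
        if (ip, port) in seen:
            continue
        seen.add((ip, port))
        addr = f"[{ip}]:{port}" if ":" in ip else f"{ip}:{port}"
        out.append(f"Bridge {addr}" + (f" {fp}" if fp else ""))
    return "\n".join(out) + "\n", rejected

# Constructed sample input: two entries copied from the post's list, one
# duplicate, one private address and one out-of-range port.
SAMPLE = """
bridge 212.185.225.5:443
bridge 109.120.56.218:443
bridge 212.185.225.5:443
bridge 192.168.1.10:443
bridge 18.85.46.218:99999
"""

if __name__ == "__main__":
    block, rejected = build_torrc_bridge_block(SAMPLE.splitlines())
    print(block)
    for reason in rejected:
        print("# skipped:", reason)
```

Running it prints the block for the two good entries and reports the private address and the bad port as skipped. One caveat the script cannot check for you: a bridge taken from a public list is only as unlisted as that list, so anyone who reads the same page knows the same bridges.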

Re:From: Anonymous Coward (0)

Anonymous Coward | more than 3 years ago | (#30856228)

I think it's funny that the only person who is not anonymous is Roger Dingledingle.

Re:From: Anonymous Coward (1, Insightful)

DNS-and-BIND (461968) | more than 3 years ago | (#30856682)

A joke? How, exactly, is it funny? I'm curious to know. Who cares who submits the stories, anyway? Half of them turn out to be fakes or misleading anyway.

The real TOR way to do it would not be anonymously, but instead giving it to another person's slashdot account, who submits it for you. But go ahead with the "funny" "jokes".

Sooo...... (-1, Troll)

NeutronCowboy (896098) | more than 3 years ago | (#30855768)

How many child porn downloaders and uploaders are shitting their pants right about now? My guess is more than spies and Chinese dissidents.

Re:Sooo...... (-1, Troll)

Anonymous Coward | more than 3 years ago | (#30855886)

There's no denying that child molesters make up the vast majority of the Tor user base, in fact the main use that Tor has served is as a warning to what people will do when you grant them excess freedom from repercussions. Of course, this comment will be modded 'troll' just like the parent, because the slashtard stallmanites don't want it known that 2 out of 3 tor sites either host child porn, or are pointers to such.

To anyone who wants to know the truth --go ask the developers over at the freenet project how much harm the child molesters cause the anonymity movement -at least THEY are willing to admit to the truth!

Re:Sooo...... (0)

Anonymous Coward | more than 3 years ago | (#30855932)

mmm, 2/3, did you just pull these numbers out of your ass or do you have anything to back them up?
In other words [citation needed]

Re:Sooo...... (0)

Anonymous Coward | more than 3 years ago | (#30855978)

There are several indexes and even a wiki available in tor land that provide lists of sites hosted there, a look at those will tell anyone who wants to know exactly how many sites there are devoted to the tastes of child molesters (unlike more naive slashdotters, I make ZERO distinction between kiddy diddlers and "pedophiles" -they are one and the same).

You will have to look for yourself, as I believe it's immoral to aid or abet child molesters in their endeavors, so I will not divulge the addresses where they are able to find links to pedophiliac content.

Re:Sooo...... (3, Informative)

Anonymous Coward | more than 3 years ago | (#30856026)

I spent a bit over a year working with the FBI gathering information on a pedophile ring that was using one of our servers (to coordinate picture trading going on in Asian image board sites). Neither the agents' opinions, the content gathered, nor the actual research I've seen agrees with your unsupported assertion that "they are one and the same". Though, two troll paratrooper points for accusing those who disagree with you of naivete. Good show, golf claps all around.

I also don't know to what extent the "pedo" content is actual prepubescent kids, versus underage pubescent ("jailbait"). No, I don't really want to know either. Anyway, ephebophilia is illegal, but arguably medically normal, and ephebophiles and pedophiles make up separate populations.

Re:Sooo...... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#30856252)

Anyway, ephebophilia is illegal, but arguably medically normal, and ephebophiles and pedophiles make up separate populations.

No, it's not illegal. For that matter, neither is pedophilia. ACTING on ephebophilia or pedophilia is illegal.

Re:Sooo...... (1)

DigiShaman (671371) | more than 3 years ago | (#30856382)

I disagree.

If you happen to stumble upon some questionable content, that's one thing. However, it's quite another to be on the constant pursuit of it. The way I see it, the later is generating a market demand. While that person isn't doing anything illegal from a physical standpoint, I still view them as an accessory to a crime.

Re:Sooo...... (0)

Anonymous Coward | more than 3 years ago | (#30856712)

Sorry, meant to say ephebophiliac content, not ephebophilia itself. You can fantasize about all the jailbait you want, you just can't have naked photos of 17 year olds.

Re:Sooo...... (0)

Anonymous Coward | more than 3 years ago | (#30856578)

Anyway, ephebophilia is illegal

Well that's quite surprising to me, since ephebophilia is a state of mind, and last I checked, there is no such thing as an illegal thought.

Re:Sooo...... (4, Insightful)

trytoguess (875793) | more than 3 years ago | (#30856094)

In short, people attracted to children will rape them? A bit like saying all men will rape women no? But that's not a perfect analogy, you can have sex with a man or woman without too much difficulty, whereas a pedophile can only masturbate. How about, would all slovenly, unattractive, misanthropes, who've zero chance of getting sex resort to rape? I rather doubt it, and even though pedophilia disturbs me, I don't think the sexual drive of that group is somehow stronger than your average male or female.

Re:Sooo...... (-1, Troll)

Anonymous Coward | more than 3 years ago | (#30856202)

People with sexual urges will eventually create an opportunity to act on them, and readily available pornographic content simply encourages them by giving them validation and a sense of moral acceptance. While this is not a problem for most heterosexual males who can simply purchase a few minutes with a prostitute as a last resort -it's a huge problem for child molesters as it is inherently impossible for a child to offer their consent, even ignoring the physical impossibilities of having sex without causing damage.

So, it's not possible to make a valid comparison between normal, adult desires (where there can be reciprocity and fulfillment) and the desires of a pedophile (where there can never be mutual desire, consent nor legal fulfillment). This creates a situation where a pedophile will inevitably become much more desperate than a normal person could ever imagine. While the occasional pedophile may hold himself back (or, more nobly, commit suicide) he is by far the exception.

Sooner or later, the pedophile must act on his desires, or commit suicide. Sadly, too few deviants are noble enough to choose the latter course of action.

Re:Sooo...... (-1, Troll)

Anonymous Coward | more than 3 years ago | (#30856306)

People with sexual urges will eventually create an opportunity to act on them,

Catholic priests.

Re:Sooo...... (2, Interesting)

trytoguess (875793) | more than 3 years ago | (#30856420)

People with sexual urges will eventually create an opportunity to act on them, and readily available pornographic content simply encourages them by giving them validation and a sense of moral acceptance.

Hmm... then how about homosexuality? It's not hard to find stories of people who denied attraction to the same sex their whole life in order to avoid being socially stigmatized.

As for the effects of pornography, does masturbating calm your sexual urges, or does it inflame them?

Re:Sooo...... (-1)

Anonymous Coward | more than 3 years ago | (#30856468)

Excellent trollgument, but drop the assertion that "mutual desire" matters. Does my hamburger (or a vegan's carrot sandwich) desire to be eaten? Does the prostitute you mentioned desire the john?

Fulfillment being unattainable legally and/or morally is your only successful argument; great work pushing it while ignoring people who do in fact wank their whole lives without fucking hookers. (That'd be 90% of /.ers, but maybe they'll not notice...)

+1.12434984 troll points for you.

Re:Sooo...... (-1, Troll)

Anonymous Coward | more than 3 years ago | (#30856290)

Everyone who modded the parent up is a gullible jackass. Please GTFO /. now, you idiots!

Re:Sooo...... (1)

trytoguess (875793) | more than 3 years ago | (#30856452)

Do try harder. As a member of slashdot you should appreciate the need to coldly analyze all things even if they are distasteful.

Re:Sooo...... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#30856402)

I dislike how the second party gets abused though and don't say that they can consent to the pictures. You leave the child pretty twisted and the molesters don't care. It is just not fair to the child. It might not be fair to the molester as he can't help it, but it is not a victimless act. What they need is help understanding and managing. There is just so much social taboo around it that it is a real struggle for them.

Re:Sooo...... (2, Informative)

trytoguess (875793) | more than 3 years ago | (#30856432)

This is somewhat tangential, but there is illustrated porn where just about any deviance can be catered to without harming a minor. Actually molesting a child is wrong of course.

Mercy-downmod parent? (0)

Anonymous Coward | more than 3 years ago | (#30856474)

While you have a perfectly valid point, your comment defending pedophiles now stands completely without context, as pretty much all of the comments leading to it remain 0-score.

I'm not sure whether to congratulate your courage in posting with your account or assume it was an accident and offer condolences.

Re:Mercy-downmod parent? (1)

mister_playboy (1474163) | more than 3 years ago | (#30856672)

Those of us who are interested in everything Slashdot has to offer will still see the context.

I personally don't understand who would want to browse a discussion where you only see half of what is going on, but to each his own.

Re:Sooo...... (0)

Anonymous Coward | more than 3 years ago | (#30856148)

"Tor land"? I thought Tor simply let you access the general net anonymously and didn't have any special sites only available to it like Freenet. Feel free to correct me if I'm wrong.

Re:Sooo...... (2, Informative)

larry bagina (561269) | more than 3 years ago | (#30856642)

tor also lets you run an (anonymous) file server.

Re:Sooo...... (0)

Anonymous Coward | more than 3 years ago | (#30856152)

There are several indexes and even a wiki available in tor land that provide lists of sites hosted there, a look at those will tell anyone who wants to know exactly how many sites there are devoted to the tastes of child molesters...

CLUE:
Tor is not a "place", it's a method. Tor contains no destinations, it's just a way of routing traffic to destinations which exist independently of tor. Put another way, there's no such fucking thing as "tor land", you FUD-spurting troll.

Re:Sooo...... (0)

Anonymous Coward | more than 3 years ago | (#30856348)

CLUE-CLUE TRAIN coming through:
See the .onion [wikipedia.org] pseudo-TLD.

Re:Sooo...... (0)

Anonymous Coward | more than 3 years ago | (#30856376)

You fail it. [wikipedia.org] ("it" is knowing WTF you're talking about, fag-ass.)

Re:Sooo...... (0)

Anonymous Coward | more than 3 years ago | (#30856620)

People who express extreme moral outrage are, more often than not, doing so for two reasons: to divert attention from their own proclivities, and to assuage their own guilty conscience. So... When's the last time you touched?

I think all of us here agree that pedophilia is abnormal, and that child abuse, whether sexual or not, is horrifying. But to draw a complete equivalence between the two just shows that you have no ability to think logically. Irrationality will not help us to reduce the prevalence of this problem. If being attracted to children makes one a child rapist, then being attracted to women makes you a rapist. Are you attracted to women? I guess you're one sick piece of shit then.

Re:Sooo...... (2, Insightful)

Runaway1956 (1322357) | more than 3 years ago | (#30856192)

I don't know where to find good citations - but you can research easily enough.

Download not just TOR, but I2P, freenet, anonnet - search for more if you like. You WILL BE exposed to child porn. No questions asked, you'll be exposed.

It's safe to say that 2/3 to 3/4 of all the sites out there are trash that you don't even want to see. But - there are also some interesting things that are NOT pornography.

You can go explore, or not. It's slow, it's aggravating because all the CP gets in the way, there's not a whole LOT OF good stuff to find, but, go explore all the same. Make sure you read the documentation - you don't want to broadcast your IP across the dark web, with all your personal details. You think the regular internet is bad? LMAO

Re:Sooo...... (0)

Anonymous Coward | more than 3 years ago | (#30856632)

Download not just TOR, but I2P, freenet, anonnet - search for more if you like.

Ultimately, it's a signal-to-noise problem. One government's signal is another government's noise.

If you're a cypherpunk, Freenet is a way of helping Chinese human rights activists hide amongst the communications of thousands of North American pedos. Freenet is also a way of helping North American pedos hide amongst the communications of thousands of Chinese human rights activists.

Where the inventor of Freenet - and other strong (and Tor doesn't even claim to be particularly strong) anonymity systems - got it wrong, was the assumption of a "sane" legal system. In the legal systems in the real world, "plausible deniability" means that governments can categorize Freenet users as either counterrevolutionaries or pedos, whichever gets their agents promotions and improves their conviction rates.

I remember experimenting with Freenet several years ago. I'm neither a pedo nor a human rights activist, but I live in a surveillance state and I know a no-win situation when I see one. (The big lesson I learned that weekend? If you want to get magnetic media above its Curie point, thermite's a great way to start a campfire, but don't roast any marshmallows over it.)

Re:Sooo...... (0)

Anonymous Coward | more than 3 years ago | (#30856974)

>I'm neither a pedo nor a human rights activist, but I live in a surveillance state

So, how is life in the UK these days?

Re:Sooo...... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#30855942)

Not that I'm defending pedophilia, but the fact that you're conflating pedophiles and child molesters makes me suspect your statistics.

Re:Sooo...... (0)

Anonymous Coward | more than 3 years ago | (#30856338)

paros?

Re:Sooo...... (1, Insightful)

Anonymous Coward | more than 3 years ago | (#30855988)

Sounds like anonymity projects are suffering the same problem as encryption in general -- it's too hard to use unless you're pretty sure you have a need for it.

With the casual farming of information that goes on by Internet ad networks, the lack of security of public Wi-Fi, and the push for deep packet inspection by ISPs, I think we've reached a point where attacks on the privacy of innocent users justifies a need for average folks to have access to these sorts of products (and associated education.)

But until it's as simple as hitting a button in Firefox to use Tor, of course it's only going to be the enthusiasts and scumbag fringes that'll put the time into researching and securing their privacy online.

Re:Sooo...... (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#30856280)

Unfortunately, the online anonymity mechanisms all suffer from a fundamental problem:

Since, in order to get your packets from point you to point wherever and back, some number of untrusted machines have to know your IP and your desired destination (at a minimum, your destination gets to know; more typically, a fair few machines controlled by one or more ISPs will be involved), all the anonymity mechanisms attempt to break up the round-trip into chunks too small to be useful. It is always going to be slower, and less efficient (i.e. less useful data transferred over a pipe of given capacity), to have your packets follow an intentionally tortuous path intended to make following them hard than it will be to be open about your intentions and let the usual mechanisms for efficient routing take over.

This isn't to say that it isn't worth it, especially for whatever qualifies as "high risk activity" in your jurisdiction or just to give the marketing bastards the finger; but it will always be a tradeoff in ways that a nice frontend and easy config for the noobs will never solve.

Re:Sooo...... (4, Informative)

clang_jangle (975789) | more than 3 years ago | (#30856344)

But until it's as simple as hitting a button in Firefox to use Tor, of course it's only going to be the enthusiasts and scumbag fringes that'll put the time into researching and securing their privacy online.

Duh! [mozilla.org]

Re:Sooo...... (4, Insightful)

xous (1009057) | more than 3 years ago | (#30856042)

Hi,

How did you collect your statistics when Tor is decentralized? Sure you could analyze the outbound traffic on an exit node but I doubt that this would be enough of a sampling to extrapolate a meaningful conclusion. Since you offer no supporting evidence your claim is irrelevant to the discussion.

I also do not think that the number of child molesters could be large enough to represent a "vast majority" because I doubt the original content producers would distribute such high-risk material for free. It is much more likely that pedophiles are distributing the material to other pedophiles. I think that it is important to note the difference because while I find either appalling I'd rather have them fapping to "old child pornography" instead of creating a demand for new material and reducing the profit margins of the people that are actually doing these horrible things to children. The lesser of two evils is still evil but we don't live in an idealistic world.

Unfortunately freedom has its costs.

Re:Sooo...... (0)

Anonymous Coward | more than 3 years ago | (#30856688)

Sure you could analyze the outbound traffic on a exit node but I doubt that this would be enough of a sampling to extrapolate a meaningful conclusion.

Depends on your budget and how many consumer/residential ISP accounts, each of which runs one customized exit node, you can buy.

Unfortunately freedom has its costs.

If all you can afford is $1.05, you're playing the wrong game.

If you're a state actor, an entire network could be effectively compromised for less than the rounding error on a line item on your budget.

The only way the cypherpunks can compete with those kinds of budgets is to go completely black-hat, and start distributing trojans that - rather than adding compromised machines to spamming botnets - add the compromised machines to anonymity botnets.

As a white-hat, that's not a compromise I'm willing to make. (The only smudges on my white hat are from pirated music and the occasional bit of mainstream pr0n, all readily available - and tolerated by my government - on the non-anonymous networks.)

Re:Sooo...... (1, Informative)

Anonymous Coward | more than 3 years ago | (#30855992)

I love it when clueless people comment and show their ignorance, it's good for future reference.

It still seems this breach is unrelated to Tor itself. To be clear, it doesn't seem that anyone specifically attacked our servers to get at Tor. It seems we were attacked for the cpu capacity and bandwidth of the servers, and the servers just happened to also carry out functions for Tor.

* Does this mean someone could have matched users up to their destinations?
No....

* Does this mean someone could have learned more about Tor than an ordinary user?
Since our software and specifications are open, everyone already has access to almost everything on these machines...

Re:Sooo...... (1)

Velorium (1068080) | more than 3 years ago | (#30856024)

Why is this modded troll? This is a valid notion.

Re:Sooo...... (0)

Anonymous Coward | more than 3 years ago | (#30856088)

Because it's not? Why is everyone commenting here so fucking stupid. If you want to know why, read how Tor works, what was actually compromised and for what purposes.

Tor weaknesses (4, Interesting)

girlintraining (1395911) | more than 3 years ago | (#30855790)

The problem with Tor is that there's no way to detect compromises -- every node on the network could be compromised and you'd never know. Authors of botnets have greater anonymity than we do -- ironically because it's run by a central authority. An illegal and immoral one, yes, but one that comes with a measure of anonymity. Few botnet authors are actually caught even with the most primitive security methods. They don't even use encryption and they often can't be found...

Re:Tor weaknesses (5, Informative)

v1 (525388) | more than 3 years ago | (#30855866)

They don't even use encryption and

Oh but they do, and that's the key to the problem. Everyone and their dog knows where the C&C servers are, and can monitor the commands sent out. Problem is, the commands are cryptographically signed, usually with a hideously large key (last one I saw was 2048 BYTES) so you can't subvert their network. Improperly signed commands are merely ignored.

The bot herders get their anonymity from any of a hundred ways to anonymously sign into the IRC C&C channel. I'd speculate that most of them use TOR to do so.

Re:Tor weaknesses (1)

broken_chaos (1188549) | more than 3 years ago | (#30855938)

last one I saw was 2048 BYTES

It may make more sense, as long as that reference to bytes (not bits) is accurate, to refer to this as a 16 kilobit key instead, as public key encryption is usually referenced in bits. While RSA of this length can be done (even using GPG, though you have to modify the source to bypass the compatibility restrictions), it's quite a bit of overkill. The other algorithms used (since RSA is almost always only used for signing/encrypting something smaller -- like signing an SHA256 hash or encrypting an AES key) would almost certainly be much weaker.

...Mind you, in this instance, weaker still means "likely not in any danger of being broken for 20+ years".
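To make concrete what "improperly signed commands are merely ignored" means in practice, and why the signature covers a digest rather than the raw command (the point about RSA signing an SHA-256 hash), here is an added example in Python; it is not code from the posts or from any real botnet. It uses a toy textbook RSA written against the standard library only so it runs stand-alone; the key sizes, the hash-then-sign without padding, the sequence-number replay check and the scenario (one operator, one attacker with a key of their own, one bot) are all assumptions of the demo. Real code would use a vetted library with RSA-PSS or Ed25519 and a proper key size.

```python
"""Signed command channel: a node acts only on commands its operator signed.

Added example, not code from the original posts or any real botnet. Textbook
RSA (hash-then-sign, no padding) with tiny keys is used so the demo needs only
the standard library; it is NOT a secure signature scheme. A real deployment
would use RSA-PSS or Ed25519 from a vetted library with a 2048-bit-or-larger key.
"""
import hashlib
import random

_rng = random.Random(1234)  # fixed seed so the demo is reproducible (demo only)

def _is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(_rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits: int) -> int:
    while True:
        cand = _rng.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand

def generate_keypair(bits: int = 512):
    """Return ((n, e), (n, d)). Toy size; a real signer uses a much larger n."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e != 0:
            return (p * q, e), (p * q, pow(e, -1, phi))

def _digest(msg: bytes, n: int) -> int:
    # Hash-then-sign: the signature covers SHA-256 of the command, not its bytes.
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg: bytes) -> int:
    n, d = priv
    return pow(_digest(msg, n), d, n)

def verify(pub, msg: bytes, sig: int) -> bool:
    n, e = pub
    return 0 < sig < n and pow(sig, e, n) == _digest(msg, n)

def make_command(priv, seq: int, cmd: str):
    """Operator side: the signed message carries a monotonically increasing
    sequence number so an observer cannot replay an old genuine command."""
    msg = f"{seq}:{cmd}".encode()
    return msg, sign(priv, msg)

class Bot:
    """Holds only the operator's public key: anyone watching the channel can
    verify commands with it, but nobody without the private key can forge one."""
    def __init__(self, operator_pub):
        self.operator_pub = operator_pub
        self.last_seq = 0
        self.executed = []

    def handle(self, msg: bytes, sig: int) -> bool:
        if not verify(self.operator_pub, msg, sig):
            return False  # improperly signed: silently ignored
        seq_str, _, cmd = msg.partition(b":")
        try:
            seq = int(seq_str)
        except ValueError:
            return False
        if seq <= self.last_seq:
            return False  # replay of a previously seen signed command
        self.last_seq = seq
        self.executed.append(cmd.decode())
        return True

def demo():
    """Constructed scenario: genuine, tampered, attacker-signed, replayed, next."""
    op_pub, op_priv = generate_keypair()
    _atk_pub, atk_priv = generate_keypair()
    bot = Bot(op_pub)
    msg1, sig1 = make_command(op_priv, 1, "scan 10.0.0.0/8")
    results = {"genuine": bot.handle(msg1, sig1)}
    results["tampered"] = bot.handle(msg1.replace(b"10.0.0.0", b"10.0.1.0"), sig1)
    msg_a, sig_a = make_command(atk_priv, 2, "halt")
    results["attacker_key"] = bot.handle(msg_a, sig_a)
    results["replay"] = bot.handle(msg1, sig1)
    msg2, sig2 = make_command(op_priv, 2, "halt")
    results["next"] = bot.handle(msg2, sig2)
    return results, bot.executed

if __name__ == "__main__":
    print(demo())
```

Only the genuine command and the properly sequenced follow-up are executed; the edited command, the one signed with the attacker's key and the replayed copy are dropped. The sequence number is the check to insist on: a signature by itself proves who wrote a command, not that it is being delivered for the first time.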

Re:Tor weaknesses (1)

Anpheus (908711) | more than 3 years ago | (#30856370)

I believe at the beginning of 2010 the NIST increased their recommendation for RSA to a minimum of 2048 bits due to security concerns of 1024 bit keys.

Re:Tor weaknesses (1)

iluvcapra (782887) | more than 3 years ago | (#30856428)

It may make more sense, as long as that reference to bytes (not bits) is accurate, to refer to this as a 16 kilobit key instead, as public key encryption is usually referenced in bits.

We could just quote the key size in terms of "cardinality of encodings of state of every atom in the universe," in which case I believe a 16 kilobit key would be about 200 universe-states. :)

Re:Tor weaknesses (2, Interesting)

X0563511 (793323) | more than 3 years ago | (#30856736)

The fun begins when they start noting illegal commands and retaliating. Fun.

Re:Tor weaknesses (4, Insightful)

snowgirl (978879) | more than 3 years ago | (#30855874)

The problem with Tor is that there's no way to detect compromises -- every node on the network could be compromised and you'd never know. Authors of botnets have greater anonymity than we do -- ironically because it's run by a central authority. An illegal and immoral one, yes, but one that comes with a measure of anonymity. Few botnet authors are actually caught even with the most primitive security methods. They don't even use encryption and they often can't be found...

There's a lot to be said for hiding in a crowd though. While it is true that every node in the network could be compromised, and we'd never know, collecting all that data together to target you individually becomes more and more difficult the more people use the network... and we're not talking about big-O of n, we're talking at least big-O n squared or so.

As with all forms of security, there's nothing you can do to guarantee security, you simply raise the burden of breaching that security until the opportunity to breach you is not worth the cost to breach you.

Re:Tor weaknesses (1)

madddddddddd (1710534) | more than 3 years ago | (#30856334)

why "big-O of n" and then just "big-O n squared"?

O(n) O(n^2) too hard?

Re:Tor weaknesses (1)

girlintraining (1395911) | more than 3 years ago | (#30856892)

There's a lot to be said for hiding in a crowd though.

Not when the IP headers of every packet sent through every major peer exchange point on this continent is recorded by this government, and the governments that control the intercontinental links each have peering arrangements so that said data is available on a reciprocal basis with other intelligence agencies operating under their respective governments worldwide.

Most TCP/IP sessions can be reconstructed for months after their original transmission, because the cost of storing said data is so low and there's an intelligence value in having it accessible. Thanks to delta compression algorithms, they don't need to store the complete packet log at each collection point -- because the data is largely the same.

All of this depends on an interesting fact about entropy: Very little of what you transmit is actually unique. Most of the traffic online is just a retransmit of something sent earlier, which makes logging all internet traffic and storing it for months at a time a reasonably easy problem to solve. Easy, I mean, for a government with hundreds of millions to throw at the problem, not mere mortals like you or me. And of course there are ways to pare petabytes off the dataset using whitelisting and other data management methods.

It honestly impresses me that people think that the internet is a substantial barrier to this kind of intelligence gathering; Since it runs on the same networks, uses largely the same technologies, and is often run by the same companies that deliver telecommunications services... Which anyone will tell you give full access to their lines and equipment with the flashing of a badge and a post-it note. You don't even have to buy them a beer after.

Hiding in a crowd only works if you've done nothing to attract attention to yourself and can hide in statistical obscurity, surfing the noise floor. The moment you do anything even remotely interesting (and using Tor qualifies), bend over and kiss your anonymity goodbye.

Re:Tor weaknesses (1)

ShakaUVM (157947) | more than 3 years ago | (#30856830)

>>They don't even use encryption and they often can't be found...

Also, they used "123456" and "iloveyou" as the master password on 2 of the 7 nodes.

No, they CAN'T all be compromised (0)

Anonymous Coward | more than 3 years ago | (#30856944)

I doubt that the FBI, NSA, CIA, GRU, etc. [wikipedia.org] all share their nodes with each other. As such, it is a reasonable assumption that each node only belongs to one (or two at most) intelligence agency.

Now, if there are enough of such agencies, each controls such a small partition of the nodes that it isn't a problem. On the other hand, if one agency has wide control over the network, it means that the other agencies have very limited control. That leads us to a situation where Tor is useful against all but one agency, which isn't that shabby either.

There are some problems - it might be that all nodes in Russia are controlled by the GRU (though I really doubt the CIA would let that happen) - but most of such are negated as long as the routing goes through nodes in several countries.

Further Details From Roger On or-talk mailing list (5, Informative)

Anonymous Coward | more than 3 years ago | (#30855820)

Roger's entries to date on the subject (excluding first page linked within /. summary):

(this is for those who are too lazy to page through mailing list threads, this post is
missing other individuals replies as well as future replies from Roger and others)

http://archives.seul.org/or/talk/Jan-2010/msg00165.html [seul.org]

Here are some more technical details about the potential impacts, for
those who want to know more about Tor's innards:

----- #1: Directory authority keys

Owning two out of seven directory authorities isn't enough to make a new
networkstatus consensus (you need four for that), but it means you've
only got two more to go. We've generated new v3 long-term identity keys
for these two authorities.

The old v3 long-term identity keys probably aren't compromised, since
they weren't stored on the affected machines, but they signed v3 signing
keys that are valid until 2010-04-12 in the case of moria1 and until
2010-05-04 in the case of gabelmoo. That's still a pretty big window,
so it's best to upgrade clients away from trusting those keys.

You should upgrade to 0.2.1.22 or 0.2.2.7-alpha, which uses the new v3
long-term identity keys (with a new set of signing keys).

----- #2: Relay identity keys

We already have a way to cleanly migrate to a new v3 long-term identity
key, because we needed one for the Debian weak RNG bug:
http://archives.seul.org/or/announce/May-2008/msg00000.html [seul.org]

But we don't have a way to cleanly migrate relay identity keys. An
attacker who knows moria1's relay identity key can craft a new descriptor
for it with a new onion key (or even a new IP address), and then
man-in-the-middle traffic coming to the relay. They wouldn't be able to
spoof directory statements, or break the encryption for further relays
in the path, but it still removes one layer of the defense-in-depth.

Normally there's nothing special about the relay identity key (if you
lose yours, just generate another one), but relay identity keys for
directory authorities are hard-coded in the Tor bundle so the client
can detect man-in-the-middle attacks on bootstrapping.

So we abandoned the old relay identity keys too. That means abandoning
the old IP:port the authorities were listening on, or older clients will
produce warn messages whenever they connect to the new authority. Older
Tor clients can now take longer to bootstrap if they try the abandoned
addresses first. (You should upgrade.)

----- #3: Infrastructure services

Moria also hosted our git repository and svn repository. I took the
services offline as soon as we learned of the breach -- in theory a clever
attacker could give out altered files to people who check out the source,
or even tailor his answers based on who's doing the git update. We're
in pretty good shape for git though: the git tree is a set of hashes
all the way back to the root, so when you update your git tree, it will
automatically notice any tampering.

As explained in the last mail, it appears the attackers didn't realize
what they broke into. We had already been slowly migrating Tor services
off of moria (it runs too many services for too many different projects),
so we took this opportunity to speed up that plan. A friendly anonymous
sponsor has provided a pile of new servers, and git and svn are now up
in their new locations. The only remaining Tor infrastructure services on
moria are the directory authority, the mailing lists, and a DNS secondary.

----- #4: Bridge descriptors

The metrics server had an archive of bridge descriptors from 2009.
We used the descriptors to create summary graphs of bridge count and
bridge usage by country, like the ones you can see at
http://metrics.torproject.org/graphs.html [torproject.org]

So it's conceivable that some bad guy now has a set of historical bridge
data -- meaning he knows addresses and public keys of the bridges, and
presumably some of the bridges are still running at those addresses and/or
with those public keys. He could use this information to help governments
or other censors prevent Tor clients from reaching the Tor network.

I'm not actually so worried about this one though, because a) we didn't
have that many bridges to begin with in 2009 (you should run a bridge!),
b) there seems to be considerable churn in our bridges, so last year's
list doesn't map so well to this year's list), and c) we haven't been
doing a great job lately at keeping China from learning bridges as it is.

Hope that helps to explain,
--Roger

http://archives.seul.org/or/talk/Jan-2010/msg00167.html [seul.org]

On Wed, Jan 20, 2010 at 11:12:29PM -0500, Peter Thoenen wrote:
> > In early January we discovered that two of the seven directory
> > authorities were compromised (moria1 and gabelmoo), along with
> > metrics.torproject.org, a new server we'd recently set up to serve
> > metrics data and graphs. The three servers have since been reinstalled
> > with service migrated to other servers.
>
> While the issue was resolved, could this have had an impact had they known
> what they broke into between the time of breach and time of discovery?

Yes, depending on how paranoid you want to get.

I don't think they could have done anything particularly devious with
the directory authority. We've got that pretty well sorted out with the
distributed trust thing -- nothing moria1 does can rig the consensus
by itself.

So it's really a question of the services running.

Moria was running a nameserver for torproject.org (still is), so they
could send web requests elsewhere. If people check SSL certs, no problem
(modulo the usual points about SSL not being perfect); if they don't
check SSL certs, we hope they check package signatures. This risk isn't
specific to our machines though -- your local ISP can lie to you about
your DNS resolves, or some jerk could redirect our bgp record like how
Pakistan stole Youtube for a few hours last year.

It was also the mail host for @torproject.org, though most of the mails
went off to other mail servers after that. So they could have read my
mail. Most of my mail is public (and/or boring) anyway though.

I could imagine that they might try to sneak in a commit to the git
repository. We have a hook that mails all commits to the mailing list,
and we watch that pretty well. But they could disable the hook during
their commit. As I mentioned in the earlier mail, the git tree is made up
of hashes, so they can't just modify it outright. I've looked over the
'git log' output, and didn't find anything odd. It might be neat to do
an automated comparison of "mails that made it to the mailing list" vs
"commits to the git repository", if we wanted another layer of checking.

Svn is less secure. It's just a database, and people can muck with it how
they like. We've compared several of the svn repositories to backups, and
nothing looked out of the ordinary. Good thing we moved Tor, Torbutton,
BridgeDB, etc to git last year. The website wml files are still in svn
and not git though, to make it easier for our volunteer translators;
give us a holler if you find "Tor sucks" scribbled in some corner. :)

If you want to scale up on the paranoid meter, you could imagine ssh
client buffer overflows for the developers when we connected to it. That
rabbit-hole goes as far as you like.

Speaking of rabbit-holes, my gpg key is nearly a decade old and only
1024 bits. Sometime in the next little while I'm going to switch to a
bigger one.

> Do we know how they broke in?

As I understand it, we have a 450G disk image from one of the machines
sitting somewhere in Canada, but not anywhere near any of the Tor people.

The attacker(s) were sloppy, so we know some things like the name of the
local-to-root exploit they used (which by its name works on a surprisingly
wide spread of kernel versions... security is hard). I still don't know
how they got in to moria originally, though. Too much was going on on
that machine.

--Roger

http://archives.seul.org/or/talk/Jan-2010/msg00169.html [seul.org]

On Thu, Jan 21, 2010 at 12:25:08AM -0500, grarpamp wrote:
> It would be easier to just sign the git revision hashes at various intervals.
> Such as explicitly including the revision hash that each release is
> made from in the release docs itself. And then signing that release.
> That way everyone... git repo maintainers, devels, mirrors, users...
> can all verify the git repo via that signature. Of course the sig key material
> needs to be handled in a sanitary way, but still, it's the idea that matters.
> And git, not svn, would need to be the canonical repo committers commit
> to, etc.
>
> Thanks for Tor.

We do sign the git repository for each release (stable and development).

Do a git clone of Tor, and then 'git tag -l'.

Saying the git hash of the release in the release notes is not a crazy
notion though.

--Roger
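Two of the checks Roger mentions above (the git tree being "a set of hashes all the way back to the root", and the idea of automatically comparing commits against the mails the post-commit hook sent to the list) can be modelled in a few lines. This is an added illustration, not the Tor project's own tooling: it uses SHA-256 over a simplified commit object rather than git's real object format, and the commit history and "mailed" notification ids are constructed for the example.

```python
"""Hash-chain verification and commit/notification reconciliation.

Added example (not Tor project code).  Commit objects and the list of
notification ids below are constructed; real git hashes a specific
object format with SHA-1, but the chaining property is the same.
"""
import hashlib

GENESIS = "0" * 64   # parent id of the root commit


def commit_id(parent: str, tree: str, author: str, message: str) -> str:
    # The parent id is part of what is hashed, so every later id depends on it.
    obj = f"parent {parent}\ntree {tree}\nauthor {author}\n\n{message}\n".encode()
    return hashlib.sha256(obj).hexdigest()


def build_history(entries):
    """entries: list of (tree, author, message) in commit order."""
    history, parent = [], GENESIS
    for tree, author, message in entries:
        cid = commit_id(parent, tree, author, message)
        history.append({"id": cid, "parent": parent, "tree": tree,
                        "author": author, "message": message})
        parent = cid
    return history


def verify_chain(history):
    """Index of the first commit whose parent link or content hash is wrong, else None."""
    expected_parent = GENESIS
    for i, c in enumerate(history):
        if c["parent"] != expected_parent:
            return i
        if commit_id(c["parent"], c["tree"], c["author"], c["message"]) != c["id"]:
            return i
        expected_parent = c["id"]
    return None


def missing_notifications(history, mailed_ids):
    """Commits in the repository for which no hook mail reached the list."""
    mailed = set(mailed_ids)
    return [c["id"] for c in history if c["id"] not in mailed]


def demo():
    # Constructed history: four commits, the third made with the hook disabled.
    history = build_history([
        ("tree-a1", "dev-a", "Bump version"),
        ("tree-b2", "dev-b", "Fix a compiler warning"),
        ("tree-c3", "dev-c", "Tweak directory fetch logic"),   # never announced
        ("tree-d4", "dev-a", "Bump version again"),
    ])
    mailed_ids = [history[0]["id"], history[1]["id"], history[3]["id"]]

    # Case 1: an old commit's tree is edited in place; its id no longer matches.
    edited = [dict(c) for c in history]
    edited[1]["tree"] = "tree-evil"

    # Case 2: the attacker also recomputes that id; now the next commit's
    # parent pointer no longer matches, so the break shows up one step later.
    rewritten = [dict(c) for c in history]
    rewritten[1]["tree"] = "tree-evil"
    rewritten[1]["id"] = commit_id(rewritten[1]["parent"], "tree-evil",
                                   rewritten[1]["author"], rewritten[1]["message"])

    return {
        "history": history,
        "unannounced": missing_notifications(history, mailed_ids),
        "clean": verify_chain(history),
        "edited_breaks_at": verify_chain(edited),
        "rewritten_breaks_at": verify_chain(rewritten),
    }


if __name__ == "__main__":
    result = demo()
    print("unannounced commits:", result["unannounced"])
    print("clean chain:", result["clean"], "| edited:", result["edited_breaks_at"],
          "| rewritten:", result["rewritten_breaks_at"])
```

The chain check only tells you that a copy is internally consistent with its own ids; to notice a rewrite of the whole history you still need a trusted reference point, which is what the signed release tags Roger mentions provide (`git tag -v <tag>` checks the signature on a tag).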

Re:Further Details From Roger (4, Insightful)

inviolet (797804) | more than 3 years ago | (#30856266)

As explained in the last mail, it appears the attackers didn't realize what they broke into. We had already been slowly migrating Tor services off of moria (it runs too many services for too many different projects), so we took this opportunity to speed up that plan. A friendly anonymous sponsor has provided a pile of new servers, and git and svn are now up in their new locations.

Mmmm, yes, free.

And you will never, in a million years, detect the compromised hardware in those machines.

The only way for tor (or wikileaks or other dangerous-to-the-authorities service) to buy hardware, is anonymously. If someone wants to donate servers, have them sell the servers and give you the cash.

Re:Further Details From Roger (5, Informative)

VortexCortex (1117377) | more than 3 years ago | (#30856644)

Wait... Anyone can be a TOR node [torproject.org] and it's still secure.

TOR data is very encrypted.

It doesn't matter if the hardware or software is compromised, it's still secure because a TOR node is just one node in a chain of encrypted nodes. You encrypt your data 5 times if you're sending it through 5 nodes.

Each node takes off one layer of encryption and forwards the still encrypted data to the next node. If any intermediate nodes (2 3 4 in our 5 node example) are compromised (in software or hardware), they can not see the message in plain text, or determine the originating IP or destination IP of the traffic.

If the first node is compromised it can see your source IP, but not the destination IP or any part of the message (it's still encrypted.)

If the exit node is compromised it can see the destination IP, and clear text message, but not the source IP.

These multiple layers of encryption mean that if any one node is compromised the system is still very secure.

Taking off a layer of encryption at each router is like peeling an onion... hence, "The Onion Router".

(this is an oversimplified explanation -- if you're talking compromised code repositories, viruses and trojans are usually not delivered as source code, the tampering would be evident.)
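The layering described in the comment above can be made concrete. The following is an added example, not Tor's own code: it assumes the client already shares a symmetric key with every relay on the path (Tor negotiates those per hop; here they are just generated up front), and it uses an unauthenticated HMAC-SHA256 keystream XOR as a stand-in for Tor's real layer cipher so it runs on the standard library alone. It records what each relay can see when it peels its layer, with a five-hop path to match the comment's example (Tor's default circuits use three hops).

```python
"""Toy onion routing: what each hop of a circuit observes.

Added example, not Tor code.  Assumes per-relay symmetric keys are already
agreed; the layer cipher is a toy keystream XOR, not suitable for real use.
"""
import hashlib
import hmac
import json
import os

NONCE_LEN = 12


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def layer_encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def layer_decrypt(key: bytes, ciphertext: bytes) -> bytes:
    nonce, body = ciphertext[:NONCE_LEN], ciphertext[NONCE_LEN:]
    ks = _keystream(key, nonce, len(body))
    return bytes(c ^ k for c, k in zip(body, ks))


def build_onion(path, keys, destination: str, message: bytes) -> bytes:
    """Wrap the message once per relay; the innermost layer is the exit's."""
    inner = json.dumps({"next": destination, "payload": message.decode()}).encode()
    cell = layer_encrypt(keys[path[-1]], inner)
    # Working outward: each earlier relay learns only its next hop plus an opaque blob.
    for i in range(len(path) - 2, -1, -1):
        wrapped = json.dumps({"next": path[i + 1], "inner": cell.hex()}).encode()
        cell = layer_encrypt(keys[path[i]], wrapped)
    return cell


def run_circuit(client: str, path, keys, destination: str, message: bytes):
    """Forward the onion hop by hop and return what each relay observed."""
    observations = []
    cell = build_onion(path, keys, destination, message)
    previous = client
    for relay in path:
        peeled = json.loads(layer_decrypt(keys[relay], cell))
        observations.append({
            "relay": relay,
            "saw_from": previous,                 # previous hop's address
            "saw_next": peeled["next"],           # next hop, or the destination at the exit
            "saw_payload": peeled.get("payload"), # None except at the exit
        })
        previous = relay
        if "inner" in peeled:
            cell = bytes.fromhex(peeled["inner"])
    return observations


def demo():
    path = ["guard", "middle1", "middle2", "middle3", "exit"]   # five hops, as in the comment
    keys = {relay: os.urandom(32) for relay in path}           # assumed already negotiated
    return run_circuit("client-ip", path, keys, "example.org", b"hello")


if __name__ == "__main__":
    for obs in demo():
        print(obs)
```

Running it shows the split the comment describes: the guard sees the client address but only "middle1" as the next hop and no payload, the middle relays see neither endpoint nor the payload, and the exit sees the destination and the plaintext but only "middle3" as its previous hop.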

Re:Further Details From Roger On or-talk mailing l (0)

Anonymous Coward | more than 3 years ago | (#30856326)

"A friendly anonymous sponsor has provided a pile of new servers, and git and svn are now up in their new locations."

Am I the only one to find this suspiciously timely? Did the "anonymous sponsor" guarantee that none of the onboard chips/chipset were made in China or tampered with?

I think I just stopped using Tor.

oh god oh god oh god (0)

Anonymous Coward | more than 3 years ago | (#30855826)

now the cia + barack obama know i was browsing cp

Wait a minute... (3, Funny)

creimer (824291) | more than 3 years ago | (#30855854)

How do you update a Tor SF paperback book?

Re:Wait a minute... (0)

Anonymous Coward | more than 3 years ago | (#30856054)

Is it an EBOOK?

Re:Wait a minute... (1)

creimer (824291) | more than 3 years ago | (#30856236)

Nope. Paperback, dead tree edition. How you get a security breach from a dead tree is beyond me. ;)

Re:Wait a minute... (0)

Anonymous Coward | more than 3 years ago | (#30856730)

dead tree -> truncheon -> elbow -> password -> security breach

Re:Wait a minute... (1)

GaryOlson (737642) | more than 3 years ago | (#30856258)

With a trilogy. The last two books add depth and detail to the initial book which was mostly inane and lacking in depth. The new details of course reinterpret all the facts, plot, and characters of the first book till the first book is almost unrecognizable.

Re:Wait a minute... (1)

creimer (824291) | more than 3 years ago | (#30856598)

The Wheel of Time [wikipedia.org] series must be buggy as hell then. What is now, book 12? Books 13 and 14 are coming in the next few years. ;)

Re:Wait a minute... (1)

ravenshrike (808508) | more than 3 years ago | (#30856888)

Clearly it was done in C++ and some idiot set up a loop in Book 1. Possibly in the chapter about fields.

Re:Wait a minute... (1)

zmollusc (763634) | more than 3 years ago | (#30857104)

The bugginess is offset slightly by the neat RAID array of authors.

US Intelligence almost certainly monitors TOR (3, Interesting)

presidenteloco (659168) | more than 3 years ago | (#30855968)

I mean. That's where I'd go fishing for people trying to communicate secrets,
if I was them.

Now I don't want to spread paranoia, but
did you know that the patent on Onion Routing was filed by the US Department of the Navy?
Look it up.

Remember kiddies. Always use your own encryption layer.

Re:US Intelligence almost certainly monitors TOR (0)

Anonymous Coward | more than 3 years ago | (#30856050)

don't you mean intelligence worldwide?

the US != the world

btw, are you using an encryption method developed by your country's government? think about that, and who had a hand in the internet's development? what about secret rooms at telcos, the van watching your monitor right now, writeprint, etc?

there is no privacy, no matter how many layers you wrap, the failure itself is technology.

Re:US Intelligence almost certainly monitors TOR (3, Insightful)

wiredlogic (135348) | more than 3 years ago | (#30856126)

They probably do more than just monitor. They almost certainly run their own exit nodes so they can log everything flowing through what they pwn.

Re:US Intelligence almost certainly monitors TOR (1)

some_guy_88 (1306769) | more than 3 years ago | (#30856586)

They'd have to monitor/run more than just the exit nodes in order to figure out it was you though right? Isn't that the whole idea?

Just a single un-compromised node on the path from you to the destination would mean you were still anonymous (assuming there was enough traffic on the network). Although, if there wasn't much traffic and they had your entry and exit node you might be in trouble?

Re:US Intelligence almost certainly monitors TOR (0)

Anonymous Coward | more than 3 years ago | (#30856960)

But, they also look at timing. If they can see a connection at your isp going into what appears to be a Tor, and they have some compromised Tor exit nodes, then they can look at the timing from when you send a packet and when a packet exits the Tor node. There was a slashdot article about this some time ago.
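The timing attack the comment above describes does not need any encryption broken: an observer who sees a client's packets at the ISP and also logs packet arrivals at exit relays it controls can match the two ends by timing alone. The following added example (not from the post or from any Tor tooling) scores each candidate exit-side flow against the entry-side timestamps in both directions, so that a very chatty decoy flow, which would "explain" every entry packet by accident, is not mistaken for the real match. All timestamps are constructed for the example.

```python
"""End-to-end timing correlation between entry-side and exit-side packet times.

Added example.  The three exit-side flows and the entry-side timestamps are
constructed: flow A is the true match, B is unrelated, C is a dense decoy.
"""
import bisect
import random


def _coverage(src, dst, lo, hi):
    """Fraction of sorted `src` times that have a sorted `dst` time in [t+lo, t+hi]."""
    if not src:
        return 0.0
    hits = 0
    for t in src:
        i = bisect.bisect_left(dst, t + lo)
        if i < len(dst) and dst[i] <= t + hi:
            hits += 1
    return hits / len(src)


def match_score(entry_times, exit_times, min_delay, max_delay):
    """Two-sided score: every entry packet must be explained by an exit packet
    min_delay..max_delay later, AND every exit packet by an entry packet that
    much earlier.  A dense decoy flow passes the first test but fails the second."""
    forward = _coverage(entry_times, exit_times, min_delay, max_delay)
    backward = _coverage(exit_times, entry_times, -max_delay, -min_delay)
    return min(forward, backward)


def correlate(entry_times, exit_flows, min_delay=0.05, max_delay=0.6, threshold=0.9):
    """Return (best_flow_id or None, best_score) over the candidate exit flows."""
    scored = sorted(
        ((match_score(entry_times, times, min_delay, max_delay), fid)
         for fid, times in exit_flows.items()),
        reverse=True,
    )
    best_score, best_flow = scored[0]
    return (best_flow if best_score >= threshold else None), best_score


def sample_data(seed=7):
    """Constructed observations: 40 client packets with a mean gap of 0.8 s."""
    rng = random.Random(seed)
    entry, t = [], 0.0
    for _ in range(40):
        t += rng.expovariate(1 / 0.8)
        entry.append(round(t, 3))
    # True match: each packet emerges 150..450 ms later (assumed circuit latency).
    true_exit = sorted(round(x + 0.15 + rng.random() * 0.3, 3) for x in entry)
    # Unrelated flow from some other Tor user at the same exit.
    unrelated = sorted(round(rng.random() * entry[-1], 3) for _ in range(40))
    # Dense decoy: a packet every 50 ms, which covers every entry packet by chance.
    dense = [round(i * 0.05, 3) for i in range(int(entry[-1] / 0.05) + 20)]
    return entry, {"exit-flow-A": true_exit, "exit-flow-B": unrelated, "exit-flow-C": dense}


if __name__ == "__main__":
    entry, flows = sample_data()
    for fid, times in flows.items():
        print(fid, round(match_score(entry, times, 0.05, 0.6), 2))
    print("best match:", correlate(entry, flows))
```

The delay window is the main assumption; it has to bracket the circuit's real latency, and the more packets observed the sharper the separation between the true flow and the others.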

Wow, that's a lot of porn (0)

Anonymous Coward | more than 3 years ago | (#30856594)

Maybe they're trying to enter the adult content industry...

Snail Mail (1)

ArchieBunker (132337) | more than 3 years ago | (#30856250)

IMHO sending a message inside a birthday card draws a LOT less attention than using obscure and suspicious looking encryption software. But that's just my opinion.

Re:Snail Mail (0)

Anonymous Coward | more than 3 years ago | (#30856304)

IMHO sending a message inside a birthday card draws a LOT less attention than using obscure and suspicious looking encryption software. But that's just my opinion.

Great for one-offs - but somebody's gonna notice when you start getting 10 birthday cards every day of the year...

Re:Snail Mail (5, Funny)

MrNaz (730548) | more than 3 years ago | (#30856314)

Dear John & Cynthia.
Thank you for all your support this year, and I wish you all the best for the next.
Yours truly,
John and Sarah.

P.S., Attack at dawn.

Re:US Intelligence almost certainly monitors TOR (0)

Anonymous Coward | more than 3 years ago | (#30856354)

I never thought about it. But if you ask me, important secrets shouldn't be massive amount of data, and there are plenty algorithms that you could use altogether with encryption. Steganography on facebook media or Flickr pictures or YouTube videos? Imagine hiding data in a Rick Astley video, and then try to figure out who downloaded it? Best way, if you ask me? Go mainstream, it will go easily unnoticed.

Re:US Intelligence almost certainly monitors TOR (1)

noz (253073) | more than 3 years ago | (#30856436)

This is because the US Navy are the initial authors of Tor. It was opened when they no longer wished to maintain it.

Re:US Intelligence almost certainly monitors TOR (2, Insightful)

BitZtream (692029) | more than 3 years ago | (#30856650)

Yes, the government created it, this is well known. They created it so they could securely communicate by bouncing signals off of unsecured ships, like your random cruise ship or an allied warship.

They were involved with its creation, of course they watch it. So do lots of other people.

As a general rule, people hiding their activities DO HAVE SOMETHING TO HIDE. The minority use something like this for legitimate uses. However, our founding fathers had the opinion that until we know you're hiding something bad, you can hide it so no one can come after you for something you do in private that doesn't bother anyone else. This helps to prevent people from having a bad opinion of you, prejudice and hate.

It doesn't however change the fact that it will be used, primarily by people using it to hide illegal activities. It would be retarded if they DIDN'T watch it and as a tax payer I'd be pissed if they didn't.

Reality says that most people have no need to use this sort of protection and that its of very little use to the majority of the people on the planet, even those doing minor illegal activities.

I've talked about plenty of things over the phone, email and hell, even posted on bulletin boards (the real ones, cork board and paper with pushpins) at grocery stores about illegal activities. None of it was anything major of course, minor little crap, all of which were misdemeanors. There are 2 reasons why nothing ever came of it.

A. It was minor crap, no one actually cares about what I did unless I was stupid enough to do it in front of an ON DUTY cop.

B. Hiding in plain sight and blending in with the crowd makes you a lot less obviously a target than the person hiding things, regardless of what you are hiding.

So yes, when you make it obvious you're trying to hide something people are going to pay attention to try and figure out what you're hiding, that's being a good detective and what I expect from people whose job is to detect stuff.

Re:US Intelligence almost certainly monitors TOR (2, Interesting)

Mr.Bananas (851193) | more than 3 years ago | (#30857166)

Have a read at this piece of work: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565 [ssrn.com] While hiding in plain sight has its value, not being able to hide anything can have plenty of harm to an innocent person, especially if they have no control of how their data is used or interpreted.

Re:US Intelligence almost certainly monitors TOR (1)

djupedal (584558) | more than 3 years ago | (#30857176)

> Hiding in plain sight and blending in with the crowd makes you a lot less obviously a target than the person hiding things, regardless of what you are hiding.

Your anecdote about hiding inside a group of grocery store customers doesn't apply to the debate at hand. How does one 'hide' in the manner you propose when they elect to do it inside a (tor) group that is already flagged as being watch-worthy?

If the group was looting the store, and you wanted to loot too, would there be any logic to stating "I'm hiding by being inside the group of looters!"? At that point you are either a tor user or you're not. If you're a tor user it is silly to claim hiding rights inside the group.

Reset and try again, please, thanks.

I'll be the lemming this time...the obligatory: (0)

Anonymous Coward | more than 3 years ago | (#30856066)

the chinese did it.

New Tor attacks and anonymity attacks all the time (1, Interesting)

Anonymous Coward | more than 3 years ago | (#30856186)

Attacking Tor at the Application Layer

http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-gregory_fleischer-attacking_tor.pdf [defcon.org]

https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Gregory%20Fleischer%20-%20Attacking%20Tor%20and%20the%20Application%20Layer%20-%20Video%20and%20Slides.m4v [defcon.org]

https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Gregory%20Fleischer%20-%20Attacking%20Tor%20and%20the%20Application%20Layer%20-%20Slides.m4v [defcon.org]

https://media.defcon.org/dc-17/audio/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Gregory%20Fleischer%20-%20Attacking%20Tor%20and%20the%20Application%20Layer%20-%20Audio.m4b [defcon.org]

Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line
Leakage:

http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-barisani-bianco-sniff_keystrokes.pdf [defcon.org]

http://www.defcon.org/images/defcon-17/dc-17-presentations/Andrea_Barisani-Daniele_%20Bianco/defcon-17-barisani-bianco-sniff_keystrokes-wp.pdf [defcon.org]

https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Andrea%20Barisani%20and%20Daniele%20Bianco%20-%20Sniffing%20Keystrockes%20with%20Lasers%20and%20Voltmeters%20-%20Video%20and%20Slides.m4v [defcon.org]

Router Exploitation

http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-fx-wp.pdf [defcon.org]

https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20FX%20-%20Router%20Exploitation%20-%20Video%20and%20Slides.m4v [defcon.org]

https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20FX%20-%20Router%20Exploitation%20-%20Slides.m4v [defcon.org]

Unmasking You

http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-abraham-hansen-unmasking_you.pdf [defcon.org]

Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data

http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-alonso-palazon-tactical_fingerprinting.pdf [defcon.org]

Down the Rabbit Hole: Uncovering a Criminal Server

http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-iftach_ian_amit-rabbit_hole.pdf [defcon.org]

There's so much in security it just goes on and on, flaws are always there.

This message was brought to you by the "Just Say No To The Lizards" Anonymous camp-pain.

That said, how many Tor users have you seen on the news in cuffs?

Re:New Tor attacks and anonymity attacks all the t (0)

Anonymous Coward | more than 3 years ago | (#30857196)

Attacking Tor at the Application Layer
Nothing really new here, just ordinary application attack vectors. Change habits accordingly to counter these exploits. Most scenarios assume the application is Firefox/HTTP.

Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line Leakage:
Assumes physical location has already been found, not really a valid assumption in most scenarios. Assumes PS/2 HIDs etc. and as the presentation says can be defeated by implementing TEMPEST protection.

Router Exploitation
Presentation only covers Cisco IOS issues, thus only applicable in environments which deploy them. Even then, some of the issues outlined aren't that relevant in regard to the use of Tor.

Unmasking You
Again, nothing new. Change your habits accordingly in regards to the configuration of your system. Encrypt your connections using proper effective mechanisms for key distribution etc. which are relevant to what you are doing.

Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data
Yet again nothing new, use open and minimal formats and strip your metadata. This isn't even a problem with Tor itself.

Down the Rabbit Hole: Uncovering a Criminal Server
I don't even see how many of the issues raised here are directly relevant to Tor, the issues raised have available counter measures anyway. Change your habits accordingly.

So basically, the issues you've raised are either already known with counter-measures available or aren't even directly relevant to Tor. Tor is a tool, it is said repeatedly that it doesn't automagically protect you, you have to use it correctly.
By the way, Lizard says "Hi" ^.^ [duiops.net]

Tor is going to get people killed. (-1, Redundant)

jyoull (512280) | more than 3 years ago | (#30856924)

I wish the holier-than-thous behind the Tor movement would stop with their outrageous and indefensible claims about the protections Tor allegedly provides.

I tried to have this discussion with, among others, people who've made "names for themselves" traveling from conference to conference blustering about how Tor is making the Internet safe for unpopular opinions in places where an unpopular opinion can get you disappeared right quick (hello China)... shouted down every time because it's not a POPULAR point of view.

I see that I'm not the only one in this discussion with concerns. Thank god things are changing.

Re:Tor is going to get people killed. (3, Insightful)

Anonymous Coward | more than 3 years ago | (#30856978)

I wish the holier-than-thous behind the Tor movement would stop with their outrageous and indefensible claims about the protections Tor allegedly provides.

I tried to have this discussion with, among others, people who've made "names for themselves" traveling from conference to conference blustering about how Tor is making the Internet safe for unpopular opinions in places where an unpopular opinion can get you disappeared right quick (hello China)... shouted down every time because it's not a POPULAR point of view.

I see that I'm not the only one in this discussion with concerns. Thank god things are changing.

Whoever these people you have met traveling from conference to conference are, they are not the authors of Tor:

# tor --help
Jan 21 22:48:35.191 [notice] Tor v0.2.1.22. This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64)
Copyright (c) 2001-2004, Roger Dingledine
Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
Copyright (c) 2007-2009, The Tor Project, Inc.

tor -f [args]
See man page for options, or https://www.torproject.org/ [torproject.org] for documentation.

Re:Tor is going to get people killed. (1)

jyoull (512280) | more than 3 years ago | (#30857230)

This is why I said "Tor movement" not "authors of Tor".

It doesn't matter. The innocent, non-techies are not hearing from "the authors of Tor". They're hearing from others who are running around promoting it as the salvation of free speech in non-free places... and they are believed.
