
Almost everyone developing Tor was or is funded by the US government (2014) - mimixco
https://yashalevine.com/articles/tor-spooks
======
zigzaggy
This article is from 2014. I did a lot of research on this a few years ago,
and found plenty of circumstantial evidence that either (a) TOR is a honeypot,
or (b) a large % of users have bad OPSEC, or (c) both a and b are true.

Because of “parallel construction” (1) it will always be difficult to really
get to the bottom of this issue. I’m not sure we’re ever safe from the prying
eyes of nation states. We should all assume we’re never totally secure, and
act accordingly.

But I get “burnt out” on the level of paranoia necessary for that kind of
research. I’m also exhausted from trying to convince others to wake up from
their apathy over privacy and security.

Security is a process that requires continuous improvement. New exploits, new
information, and new technology will never stop affecting our security
postures. I accept that I will miss things, get breached, and improve over
time.

For whistle-blowers, spies, and criminals, breaches have much more severe
consequences. But it’s going to happen to them as part of the “job.” Cat-and-
mouse, I suppose.

Anyway, I assume Tor isn’t secure, because no networks are secure.

1.[https://en.m.wikipedia.org/wiki/Parallel_construction](https://en.m.wikipedia.org/wiki/Parallel_construction)

~~~
qnsi
Most people just simply dont care. Take Facebook for example. I heard from
multiple people telling me they think FB listens to them and show them ads
about what they talk about. I ask them, will they stop using FB because of it?
No! All my friends use Facebook.

There is no hope for our world. Facebook Google can do whatever they want. Why
would people care about government spying on them?

~~~
NoPicklez
You need to remember that the data world we live in today is very new. And the
understanding of data privacy and its implications are mostly only understood
by those in the realm of technology.

For the average person knowing that Facebook listens to them and shows them
ads about what they search and talk about, probably doesn't care because they
don't know what the impact is to them, or perhaps they don't see an immediate
impact. Realistically, in the world of surrounding problems and concerns that
we each have in our daily lives, Facebook showing me ads based on what I
search for is probably quite low on the list.

I work in IT & Cyber risk and one thing I have learnt is that just because
something sounds bad doesn't mean it realistically is. Everyone of us lives in
a world of risks that are individual to each of us each day, some risks we
rate higher than others for various reasons based on their consequence and
likelihood. Therefore for a risk to be large enough for people to take action
or mitigate, it needs to have a tangible impact on people's lives first and
foremost. People have different risk appetites and therefore I may choose to
mitigate the risk by putting less information into my Facebook account, you
may choose to completely stop using the service and delete your account.

I could talk all day about the potential reasons why its a bad idea for
Facebook to provide advertisements based on search history. But I don't have
enough time in the day to take into account everything that people say I
should care about as much as each person thinks I should.

------
miccah
I remember hearing about this on a Security Now episode [1]. Just because the
US government funds the project does not mean they dictate features. Here is a
quote from Roger Dingledine (co-founder of Tor) found in [1]:

"I should take a brief moment to explain how funding proposals work, for those
who worry that governments come to us wanting to pay us to do something bad.
There is never any point where someone comes to us and says, 'I'll pay you X
to do Y.' The way it works is that we try to find groups with funding for the
general area that we want to work on, and then we go to them with a specific
plan for what we'd like to do and how much it would cost for us to do that,
and if we're lucky they say okay."

[1] [https://www.grc.com/sn/sn-693.txt](https://www.grc.com/sn/sn-693.txt)

------
HardLuckLabs
Old news, but I'm still not a big fan of TOR, primarily because they've
conflated the difference between anonymity and privacy on a network. You can't
have it both ways. Either I can provide guarantees about the integrity and
authenticity of traffic happening between your machine and a destination, or I
can provide an unprovable, probabilistic claim that it's "anonymous".

------
FiloSottile
This is old (2014) FUD about funding sources, which are obviously public like
for any other 501c3.

~~~
_red
Moreover it lazily conflates the exploits (javascript/http/websocket
unmasking) and implies it was an intentional vulnerability in the protocol
itself.

~~~
SCHiM
Indeed, a number of examples cited are not vulnerabilities in TOR.

The example of the bomb threat is one such, that person was unmasked by
looking at the means, motive and opportunity of all suspects.

TOR wont help you if the initial suspect pool is already very small (people
that took that exam at that time) (motive). And only one student connected to
TOR on premise during the time of the threat (opportunity, means).

------
cphoover
Isn't tor and its protocol open source though? Can't anyone inspect the code
that powers it, fork it, create their own network if they want to?

~~~
walrus01
The easiest way is to just run a fuckton of exit nodes, and do traffic
analysis. With a $20 million annual budget to buy commercial hosting
services/colo from ISPs worldwide I could easily have >50% of all high
bandwidth exit nodes in existence. That's chump change for a national
intelligence agency of a five eyes nation.

~~~
TLAFanBoy
Consider that the Tor Foundation itself may have been started by NSA agents
and collaborators. Tor was originally invented for the US Navy, after all.
There's a foundation that provides legal representation to "average people"
who want to run Tor exit nodes. I read a study of Tor exit nodes in Germany
and they are all financed and legally represented by a foundation that, to my
eyes at least, is obviously a CIA front.

The CIA has been doing things like this since forever. Many of the "storied
journalists" of the late 20th century were CIA propagandists. It would be
trivially easy for the CIA to turn one of their own assets into a "privacy
celebrity." They would go around giving conferences to "privacy advocates" and
techies, spinning yarns about their "dedication to user privacy" and the
average person would believe it. In fact, the CIA, in the 1950s, used a
personality test heuristic that could identify narcissists and liars and would
recruit these people to insert into various "movements."

I actually do find it rather amusing when I read comments from seemingly well
meaning techies praising some celebrity "privacy activist" that travels around
the country giving TED talks and the like, promoting various privacy
technology initiatives, never once even considering that it's quite likely
that celebrity is working for the NSA and simply mouths all the "progressive"
and "cyber-libertarian" talking points that sell the idea to idealists.
Idealists are easily manipulated because they "want to believe."

The Three Letter Agencies are "people hackers" more than "technology hackers"
and the average techie-type doesn't have a clue.

tl;dr the entire "electronic privacy movement" is likely astroturf run by the
intelligence community.

~~~
mimixco
Very true. I'd recommend Yasha Levine's (the post author's) book Surveillance
Valley for anyone interested in this topic.

You'll notice any web posts about "how to get on the dark web" suggest Tor.
Uh, huh.

~~~
arthurcolle
.onion addresses point to hidden services, and I was under the impression that
the "dark web" usually just refers to these hidden services. So what other
alternatives exist besides "Tor" and associated .onion addresses to access the
dark web if its not hidden services?

~~~
earenndil
There are other 'dark webs'. Most prominent afaik are i2p and freenet
(although both of those do something slightly different than tor).

------
tdhz77
Both FBI & Tor are on Honeypots. I remember this article,
[https://www.wired.com/2015/04/silk-
road-1/](https://www.wired.com/2015/04/silk-road-1/) which confirms the FBI
tactics of setting up exit nodes.

------
Coffeewine
Dumb question - is the supposition then that HTTPS is completely broken as
well? Or is it merely that the NSA will be able to see who tor users are
talking to, if not what they say?

------
LinuxBender
The initial iteration of the internet was also funded by the US government via
DARPA. DARPA was also partially responsible for the US Interstate Highway
System.

------
hubb
for anyone who isn't already familiar with yasha levine -- suffice to say that
he is not qualified to discuss the technical capabilities of tor

~~~
tdhz77
Can you elaborate? I'm not familiar.

~~~
mimixco
He wrote Surveillance Valley. I think he's quite qualified to comment on it.

~~~
inn_shopper
Dan Brown wrote Da Vinci Code, but I don't think he's qualified to talk about
the history.

~~~
mimixco
The Da Vinci Code is a fictional novel. Levine's book is well researched and
he cites his sources. Is he despised on HN because he's Russian? That would be
xenophobic. Is there something else about him that I'm missing?

------
mimixco
OP here... Any guesses why this was flagged? Yasha Levine is the author of
Surveillance Valley, a well-reviewed book that covers this topic extensively.

~~~
zigzaggy
I’ve seen this information discussed here before (1) and the response was
pretty hostile. I’m not sure why the article was flagged but I find this topic
extremely relevant to our community.

No use throwing the baby out with the bath water. Makes me wonder - who would
benefit from not having this conversation?

1.[https://news.ycombinator.com/item?id=12826863](https://news.ycombinator.com/item?id=12826863)

~~~
TLAFanBoy
>the response was pretty hostile.

>who would benefit from not having this conversation?

The companies that have a vested financial interest in mass surveillance,
their technical employees, the public communication platform for the
investment funds that fund startups in this space (cough) and the intelligence
agencies that work directly with, and are sometimes embedded in, those
technology companies.

Imagine if someone did find some exploit in Tor code, it would go over the
head of 99% of coders anyway, and the accusations of "Russian hacking" would
drown out most sensible discussion anyway.

~~~
perl4ever
It would really advance your viewpoint more, if you waited for someone else to
bring up "Russian hacking" and then accused them of "whataboutism".

I don't know anything about the conspiracy that runs everything, but it is
hard to believe that it involves the CIA, NSA, or the Russian equivalents,
because they are demonized so much. The real rulers of the world must hate
those entities. Anyone that is scapegoated by millions must be a diversion.

------
ngcc_hk
The whole point are to have a lot of traffic not belong to military but
military can use. Also everyone will try to break it as it is a much high
value network. And there are ways to do so eg in exit and enter where you are
not protected.

Seems nothing wrong.

No one guarantee anything.

------
Tepix
So, do i need to change the tor client configuration to not favor fast (exit)
nodes as much?

------
stunt
Right to privacy and freedom from surveillance is a dream.

~~~
tenebrisalietum
It's attainable if you are in a recognized higher social class, which often
correlates with having much wealth.

------
superobserver
Relatively undergeneralized as the entirety of the internet's traffic is
collected by various agencies, and singling out the NSA seems rather
hamfisted.

~~~
mimixco
There are three points here: First, Tor was and continues to be funded by the
NSA, among other government agencies. Second, the NSA created Tor for
themselves to protect their own agents. Third, by operating Tor exit nodes,
they are able to spy on other people's traffic, hence a honeypot.

~~~
superobserver
>among other government agencies.

That's my point. And I'm suggesting going a step further to non-domestic
agencies.

Nowhere do I suggest the point in the article is false. I merely suggest it is
closer to cherrypicking as others are obviously neglected. Does the FBI come
to mind at all, for instance?

~~~
mimixco
The thrust of this is not to name which agencies use Tor to spy on you, but to
point out the fact that the entire Tor system was developed by the government
and is probably a big honeypot. Who cares what TLA-named agency is using it
this week? The point is that it's not the security panacea it's made out to be
by tech libertarians.

