

Now Everyone Wants to Sell You a Magical Anonymity Router - cyphersanctus
http://www.wired.com/2014/10/anonymity-routers/

======
Someone1234
I think Tor is great. But Tor is inherently insecure, and the easier you make
it for "normal" users to utilise Tor the more users who will get caught out by
Tor's inherent insecure nature.

You're trading security for anonymity. That should be Tor's unofficial
tagline.

I don't even need to convince you of Tor's relative insecurity, there is a
front page article right now all about it:

[https://news.ycombinator.com/item?id=8501557](https://news.ycombinator.com/item?id=8501557)

~~~
xnull
You mean that by design Tor acts as MITM, and that end-to-end crypto should be
used to provide integrity?

The major users of Tor need to consider even their ISPs as an adversarial
agent - that they are being actively monitored and MITMed. In this sense,
these users are not trading security for anonymity.

For those who trust their telecommunications carriers (in the US even in the
face of CALEA) - they are certainly introducing a MITM. It's also important to
note that the linked article considers the 'security bug' to be owned by
software updaters and software vendors that do not sign binaries - the
vulnerabilities are not specific to Tor, but it does provide one mechanism to
exploit them.

This is all a good reminder, as the Tor team themselves regularly say, that
secure operational browsing and software practices are crucial to anonymity
and security even with Tor installed.

~~~
ZenoArrow
It's even simpler than that, Tor has been hacked to remove the protection of
anonymity...
[http://www.theguardian.com/technology/2014/jul/22/is-tor-tru...](http://www.theguardian.com/technology/2014/jul/22/is-tor-truly-anonymising-conference-cancelled)

From that article... "anyone with $3,000 could de-anonymise users of Tor".

That article was from July 2014. As far as I know the fix isn't implemented
yet, but I could be wrong. Here's the most recent article I could find about a
fix...
[http://securityaffairs.co/wordpress/26982/hacking/tor-workin...](http://securityaffairs.co/wordpress/26982/hacking/tor-working-fix-flaw.html)

~~~
xnull2guest
Like any other software Tor has problems. Just look through their changelog.
Tor has had plenty of issues. But on the whole it's very good.

Remember the "Tor Stinks" slide from the Snowden leaks? The NSA, with direct
taps on the internet backbone, has had lots of trouble deanonymizing Tor
users.

~~~
sitkack
I would assume that the NSA no longer has difficulty deanonymizing tor users,
mostly from their own sloppiness. For a sufficiently paranoid net user, they
will already have other mitigating factors in place. No phone, no cctv, laptop
booted from solid state media, all EEPROMs on motherboard in read only mode,
etc.

~~~
xnull2guest
Oh I agree with that. Targeted versus en masse surveillance, though, as the
cost of personnel and equipment would have to scale with the number of targets
to deanonymize.

Everyone's data gets sucked up as the default, but with Tor - I think the
Snowden docs showed they could only get about 1/4 with automation. I do not
remember the exact percentage.

The combination of CALEA, Stored Communications Act, and Patriot Act under the
Third Party Doctrine mean the system stores and processes our data by default,
over a sliding window. (IIRC there were some Snowden programs that had windows
of around 5 years?)

With Tor you increase the cost to taxpayers a little and decrease the chances
(especially with good cyber hygiene) that you'll give everything. If you use a
cell phone you give your exact time and place 24/7. Even local police have
access to these cell phone tracking databases. You can't Tor a cell phone.

Tor isn't really a good answer to the system. But if you need privacy, there's
a corner in Tor.

~~~
sitkack
I totally agree that more people should tunnel traffic over Tor, it only helps
everyone the more people that use Tor. If one person used Tor, it would suck.
:)

------
Istof
If I wanted to be truly anonymous, I would rather use some device that I don't
use for anything else that I purchased with cash and browse from an open wifi
or something similar

