Because of “parallel construction” (1) it will always be difficult to really get to the bottom of this issue. I’m not sure we’re ever safe from the prying eyes of nation states. We should all assume we’re never totally secure, and act accordingly.
But I get “burnt out” on the level of paranoia necessary for that kind of research. I’m also exhausted from trying to convince others to wake up from their apathy over privacy and security.
Security is a process that requires continuous improvement. New exploits, new information, and new technology will never stop affecting our security postures. I accept that I will miss things, get breached, and improve over time.
For whistle-blowers, spies, and criminals, breaches have much more severe consequences. But it’s going to happen to them as part of the “job.” Cat-and-mouse, I suppose.
Anyway, I assume Tor isn’t secure, because no networks are secure.
The difficulty of OPSEC is why I personally have faith that the engineers for nuclear reactors are not all undercover foreign spies. Even for the most well-funded organizations, doing perfect operational security for decades on end is an almost impossible task. If you also need to produce results, as you would if the majority of Tor relay operators were all secret NSA employees, I see that as close to impossible to do for 16 years.
> assume we’re never totally secure, and act accordingly
That is true. Assume that in any given year the NSA could be running the Tor network, only to be discovered the next year. I do however doubt that they have such good opsec that they could have been running it for 16 years, through all the leaks, and not be discovered.
There is no hope for our world. Facebook and Google can do whatever they want. Why would people care about the government spying on them?
The average person, knowing that Facebook listens to them and shows them ads about what they search for and talk about, probably doesn't care, because they don't know what the impact is to them, or perhaps they don't see an immediate impact. Realistically, in the world of surrounding problems and concerns that we each have in our daily lives, Facebook showing me ads based on what I search for is probably quite low on the list.
I work in IT & Cyber risk and one thing I have learnt is that just because something sounds bad doesn't mean it realistically is. Every one of us lives in a world of risks that are individual to each of us each day; some risks we rate higher than others for various reasons based on their consequence and likelihood. Therefore, for a risk to be large enough for people to take action or mitigate, it needs to have a tangible impact on people's lives first and foremost. People have different risk appetites, and therefore I may choose to mitigate the risk by putting less information into my Facebook account, while you may choose to completely stop using the service and delete your account.
I could talk all day about the potential reasons why it's a bad idea for Facebook to provide advertisements based on search history. But I don't have enough time in the day to take into account everything that people say I should care about as much as each person thinks I should.
"I should take a brief moment to explain how funding proposals work, for those who worry that governments come to us wanting to pay us to do something bad. There is never any point where someone comes to us and says, 'I'll pay you X to do Y.' The way it works is that we try to find groups with funding for the general area that we want to work on, and then we go to them with a specific plan for what we'd like to do and how much it would cost for us to do that, and if we're lucky they say okay."
The example of the bomb threat is one such case: that person was unmasked by looking at the means, motive and opportunity of all suspects.
Tor won't help you if the initial suspect pool is already very small (people who took that exam at that time) (motive), and only one student connected to Tor on premises during the time of the threat (opportunity, means).
The CIA has been doing things like this since forever. Many of the "storied journalists" of the late 20th century were CIA propagandists. It would be trivially easy for the CIA to turn one of their own assets into a "privacy celebrity." They would go around giving conferences to "privacy advocates" and techies, spinning yarns about their "dedication to user privacy" and the average person would believe it. In fact, the CIA, in the 1950s, used a personality test heuristic that could identify narcissists and liars and would recruit these people to insert into various "movements."
I actually do find it rather amusing when I read comments from seemingly well meaning techies praising some celebrity "privacy activist" that travels around the country giving TED talks and the like, promoting various privacy technology initiatives, never once even considering that it's quite likely that celebrity is working for the NSA and simply mouths all the "progressive" and "cyber-libertarian" talking points that sell the idea to idealists. Idealists are easily manipulated because they "want to believe."
The Three Letter Agencies are "people hackers" more than "technology hackers" and the average techie-type doesn't have a clue.
tl;dr the entire "electronic privacy movement" is likely astroturf run by the intelligence community.
You'll notice any web posts about "how to get on the dark web" suggest Tor. Uh, huh.
>never once even considering that it's quite likely that celebrity is working for the NSA
The Tor Foundation itself could also have been founded by Mork from Ork to hide his pornographic consumption from Orson.
I highly doubt either is true; it's probably not some conspiracy. I imagine the bulk of Tor traffic is DNM trade, and intelligence agencies just aren't going to care about some 17-year-old ordering MDMA for his friends with bitcoin.
No, "Mork from Ork" is a fictional character, while the people who started the Tor project and the Tor foundation are real people, and were funded, since the beginning, by the Office of Naval Research and the NSA. In fact, the article goes into this extensively, and these facts are not in question:
>The technology was funded by the Office of Naval Research and DARPA. Early development was spearheaded by Paul Syverson, Michael Reed and David Goldschlag — all military mathematicians and computer systems researchers working for the Naval Research Laboratory, sitting inside the massive Joint Base Anacostia-Bolling military base in Southeast Washington, D.C.
>But in 2002, seven years after it began, the project moved into a different and more active phase. Paul Syverson from the Naval Research Laboratory stayed on the project, but two new guys fresh outta MIT grad school came on board: Roger Dingledine and Nick Mathewson. They were not formally employed by Naval Labs, but were on contract from DARPA and the U.S. Naval Research Laboratory’s Center for High Assurance Computer Systems.
>At the very end of 2004, with Tor technology finally ready for deployment, the US Navy cut most of its Tor funding, released it under an open source license and, oddly, the project was handed over to the Electronic Frontier Foundation.
So creating bizarre strawmen about "Mork from Ork" and using weasel-words like "conspiracy theory" doesn't add anything to the discussion.
>I imagine the bulk of Tor traffic is DNM trade which intelligence agencies just aren't going to care about some 17 year old ordering MDMA for his friends with bitcoin.
This is also a strawman, no one (except for you) was talking about "17 year old ordering MDMA for his friends with bitcoin."
It's interesting that there is so much ostensible "faith" in the Tor Foundation and a seeming emotional reaction to questions about it. I say "ostensible" because my suspicion is those reactions are feigned.
The job of the NSA is signals intelligence; the Tor network is a juicy target for signals intelligence; NSA has been involved in not just the foundational technology of Tor, but the various Tor research projects.
If the NSA does NOT have "back doors" into the Tor network, they aren't doing their job.
You'll be hard pressed to find someone working at a major university that hasn't (directly or indirectly) received government funding for something. You'll be almost as hard pressed to find a major tech, freight, medical, agricultural, transportation, aerospace, natural resources company etc that hasn't had (or doesn't have active) government contracts.
That doesn't mean everything is a government conspiracy to spy on people.
>The federal government spent $116 billion on research and development (R&D) in 2017,
No one suggested that "everything is a government conspiracy to spy on people."
The job of the NSA is to "spy on people." It's America's top funded intelligence agency. It's full of extremely competent and very intelligent people, and their employer, the United States of America, is the world's sole superpower, the world's largest economy, and likely the most technologically sophisticated nation on earth.
The NSA is one of the reasons for America's preeminent place in the world.
For people attempting to pass communication privately for any purposes an intelligence agency would be interested in, they're almost certainly using things like random in-game chats (this has even been in the news for non-interest stuff like drug trade).
The handful of paranoid people using Tor to check Facebook or google search 'how to poison my lover' aren't the people the NSA is interested in.
The people in oppressive governments using Tor (where it's not blocked) to share images of crime/abuse and political statements are more of interest to agencies like the CIA.
>The NSA is one of the reasons for America's preeminent place in the world.
Hardly. America's preeminent place in the world is a result of access to natural resources, some of the best farmland in the world, a technologically advanced military with a million plus well-equipped active duty personnel, and the fact that we don't share borders with a major threat (Canada is not a threat and we co-staff several military installations with Canadian personnel; in fact NORAD is a direct result of mutual staffing from an agreement made in 1957 and is co-commanded by USAF and RCAF generals).
Oh, and the whole part where we were the first nuclear power and the only country crazy enough to have used not one, but two, nuclear weapons in aggression.
If confidence in the network is decreased (e.g. due to an intelligence leak), there is no reason a new network could not supplant it.
While nothing can definitively prove anything, we do have https://metrics.torproject.org/bubbles.html#country, and the directory of relay nodes is in the open. One can simply pull the list and compare it to any geo-ip database.
(Disclaimer: Andrea Shepard is an internet friend of mine)
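The relay-directory check described in the comment above, as an added example that is not part of the original thread: it parses the `r` lines of a Tor network-status consensus (the public relay list), maps each relay IP to a country, and reports the share of relays per country. The consensus snippet and the prefix-to-country table are constructed for illustration and stand in for a downloaded consensus and a real GeoIP database.

```python
import ipaddress
from collections import Counter

# Constructed sample of consensus "r" lines (Tor directory spec format:
# r nickname identity [digest] date time IP ORPort DirPort). Nicknames,
# identities and addresses are made up; they are not real relays.
SAMPLE_CONSENSUS = """\
r alpha AAAAAAAAAAAAAAAAAAAAAAAAAAA 2024-01-01 00:00:00 198.51.100.10 9001 9030
s Fast Guard Running Stable Valid
r bravo BBBBBBBBBBBBBBBBBBBBBBBBBBB 2024-01-01 00:00:00 198.51.100.77 443 80
s Exit Fast Running Valid
r charlie CCCCCCCCCCCCCCCCCCCCCCCCCCC 2024-01-01 00:00:00 203.0.113.5 9001 0
s Running Valid
r delta DDDDDDDDDDDDDDDDDDDDDDDDDDD 2024-01-01 00:00:00 192.0.2.200 9001 0
s Fast Running Valid
"""

# Constructed prefix-to-country table standing in for a real GeoIP database.
GEOIP_PREFIXES = {
    "198.51.100.0/24": "DE",
    "203.0.113.0/24": "US",
}

def parse_relay_addresses(consensus_text):
    """Return (nickname, ip) for every 'r' line, whether or not a digest field is present."""
    relays = []
    for line in consensus_text.splitlines():
        if not line.startswith("r "):
            continue
        fields = line.split()
        # The IP is always followed by ORPort and DirPort, so it is third from
        # the end in both the full and the microdescriptor consensus flavours.
        ip = fields[-3]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # skip malformed lines instead of crashing on them
        relays.append((fields[1], ip))
    return relays

def lookup_country(ip, prefixes=GEOIP_PREFIXES):
    """Longest-match is unnecessary here since the constructed prefixes do not overlap."""
    addr = ipaddress.ip_address(ip)
    for cidr, country in prefixes.items():
        if addr in ipaddress.ip_network(cidr):
            return country
    return "??"  # not covered by the database

def country_share(consensus_text, prefixes=GEOIP_PREFIXES):
    """Fraction of relays per country code, e.g. {'DE': 0.5, 'US': 0.25, '??': 0.25}."""
    relays = parse_relay_addresses(consensus_text)
    counts = Counter(lookup_country(ip, prefixes) for _, ip in relays)
    return {c: n / len(relays) for c, n in counts.items()} if relays else {}
```

A relay count alone says nothing about who operates a relay; weighting by consensus bandwidth and grouping by hosting provider gives a more useful picture than country share.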
No use throwing the baby out with the bath water. Makes me wonder - who would benefit from not having this conversation?
>who would benefit from not having this conversation?
The companies that have a vested financial interest in mass surveillance, their technical employees, the public communication platform for the investment funds that fund startups in this space (cough) and the intelligence agencies that work directly with, and are sometimes embedded in, those technology companies.
Imagine if someone did find some exploit in Tor code, it would go over the head of 99% of coders anyway, and the accusations of "Russian hacking" would drown out most sensible discussion anyway.
I don't know anything about the conspiracy that runs everything, but it is hard to believe that it involves the CIA, NSA, or the Russian equivalents, because they are demonized so much. The real rulers of the world must hate those entities. Anyone that is scapegoated by millions must be a diversion.
Seems nothing wrong.
No one guarantees anything.
That's my point. And I'm suggesting going a step further to non-domestic agencies.
Nowhere do I suggest the point in the article is false. I merely suggest it is closer to cherrypicking as others are obviously neglected. Does the FBI come to mind at all, for instance?
It brings to mind how answering strongly agree on "Everyone steals" on a company screening personality test is a quick ticket to get blacklisted.
Furthermore, it is their mandate to do what they do; ask yourself: which agencies exist that have attempted to extend beyond the scope of theirs?
This is a serious concern, esp. in diplomatic relations.
The NSA really shouldn't be bringing up their mandate given how they have persistently undermined their own nation's security for the sake of snooping. And it is one of the most economically dependent upon it no less and needs the advanced economy to power its supremacy. It is so stupid one needs to invent elaborate and absurd fantasies to remotely justify it.
It still stinks of whataboutism to complain of dishonesty - not refuting the truth or justifying it as right but deflecting it and crying foul. Everyone is doing it is a poor excuse for juvenile delinquency and a worse one for agencies of world powers.