Almost everyone developing Tor was or is funded by the US government (2014) (yashalevine.com)
76 points by mimixco 39 days ago | 51 comments

This article is from 2014. I did a lot of research on this a few years ago, and found plenty of circumstantial evidence that either (a) TOR is a honeypot, or (b) a large % of users have bad OPSEC, or (c) both a and b are true.

Because of “parallel construction” (1) it will always be difficult to really get to the bottom of this issue. I’m not sure we’re ever safe from the prying eyes of nation states. We should all assume we’re never totally secure, and act accordingly.

But I get “burnt out” on the level of paranoia necessary for that kind of research. I’m also exhausted from trying to convince others to wake up from their apathy over privacy and security.

Security is a process that requires continuous improvement. New exploits, new information, and new technology will never stop affecting our security postures. I accept that I will miss things, get breached, and improve over time.

For whistle-blowers, spies, and criminals, breaches have much more severe consequences. But it’s going to happen to them as part of the “job.” Cat-and-mouse, I suppose.

Anyway, I assume Tor isn’t secure, because no networks are secure.


When people claim Tor is an NSA honeypot I now have a default reply: how much faith do you have in the opsec of NSA to run continuously each year with leakers like Snowden and Manning? Opsec is hard to do for dedicated security researchers. It is very hard.

The difficulty of OPSEC is why I personally have faith that the engineers for nuclear reactors are not all undercover foreign spies. Even for the most well funded organizations, doing perfect operational security for decades on end is an almost impossible task. If you also need to produce results, like if the majority of Tor relay operators were all secret NSA employees, I see that as close to impossible to do for 16 years.

> assume we’re never totally secure, and act accordingly

That is true. Assume that at any given year NSA could be running the Tor network only to be discovered the next year. I do however doubt that they have that good opsec to have been running for 16 years, through all the leaks, and not be discovered.

Most people just simply don't care. Take Facebook for example. I heard from multiple people telling me they think FB listens to them and show them ads about what they talk about. I ask them, will they stop using FB because of it? No! All my friends use Facebook.

There is no hope for our world. Facebook, Google can do whatever they want. Why would people care about government spying on them?

You need to remember that the data world we live in today is very new. And the understanding of data privacy and its implications are mostly only understood by those in the realm of technology.

For the average person knowing that Facebook listens to them and shows them ads about what they search and talk about, probably doesn't care because they don't know what the impact is to them, or perhaps they don't see an immediate impact. Realistically, in the world of surrounding problems and concerns that we each have in our daily lives, Facebook showing me ads based on what I search for is probably quite low on the list.

I work in IT & Cyber risk and one thing I have learnt is that just because something sounds bad doesn't mean it realistically is. Every one of us lives in a world of risks that are individual to each of us each day, some risks we rate higher than others for various reasons based on their consequence and likelihood. Therefore for a risk to be large enough for people to take action or mitigate, it needs to have a tangible impact on people's lives first and foremost. People have different risk appetites and therefore I may choose to mitigate the risk by putting less information into my Facebook account, you may choose to completely stop using the service and delete your account.

I could talk all day about the potential reasons why it's a bad idea for Facebook to provide advertisements based on search history. But I don't have enough time in the day to take into account everything that people say I should care about as much as each person thinks I should.

I remember hearing about this on a Security Now episode [1]. Just because the US government funds the project does not mean they dictate features. Here is a quote from Roger Dingledine (co-founder of Tor) found in [1]:

"I should take a brief moment to explain how funding proposals work, for those who worry that governments come to us wanting to pay us to do something bad. There is never any point where someone comes to us and says, 'I'll pay you X to do Y.' The way it works is that we try to find groups with funding for the general area that we want to work on, and then we go to them with a specific plan for what we'd like to do and how much it would cost for us to do that, and if we're lucky they say okay."

[1] https://www.grc.com/sn/sn-693.txt

Old news, but I'm still not a big fan of TOR, primarily because they've conflated the difference between anonymity and privacy on a network. You can't have it both ways. Either I can provide guarantees about the integrity and authenticity of traffic happening between your machine and a destination, or I can provide an unprovable, probabilistic claim that it's "anonymous".

This is old (2014) FUD about funding sources, which are obviously public like for any other 501c3.

Moreover it lazily conflates the exploits (javascript/http/websocket unmasking) and implies it was an intentional vulnerability in the protocol itself.

Indeed, a number of examples cited are not vulnerabilities in TOR.

The example of the bomb threat is one such, that person was unmasked by looking at the means, motive and opportunity of all suspects.

TOR won't help you if the initial suspect pool is already very small (people that took that exam at that time) (motive). And only one student connected to TOR on premise during the time of the threat (opportunity, means).

Isn't Tor and its protocol open source though? Can't anyone inspect the code that powers it, fork it, create their own network if they want to?

The easiest way is to just run a fuckton of exit nodes, and do traffic analysis. With a $20 million annual budget to buy commercial hosting services/colo from ISPs worldwide I could easily have >50% of all high bandwidth exit nodes in existence. That's chump change for a national intelligence agency of a five eyes nation.

Exit nodes aren't the killer feature of Tor anymore, everyone blocks those easily, it's hidden services.

Consider that the Tor Foundation itself may have been started by NSA agents and collaborators. Tor was originally invented for the US Navy, after all. There's a foundation that provides legal representation to "average people" who want to run Tor exit nodes. I read a study of Tor exit nodes in Germany and they are all financed and legally represented by a foundation that, to my eyes at least, is obviously a CIA front.

The CIA has been doing things like this since forever. Many of the "storied journalists" of the late 20th century were CIA propagandists. It would be trivially easy for the CIA to turn one of their own assets into a "privacy celebrity." They would go around giving conferences to "privacy advocates" and techies, spinning yarns about their "dedication to user privacy" and the average person would believe it. In fact, the CIA, in the 1950s, used a personality test heuristic that could identify narcissists and liars and would recruit these people to insert into various "movements."

I actually do find it rather amusing when I read comments from seemingly well meaning techies praising some celebrity "privacy activist" that travels around the country giving TED talks and the like, promoting various privacy technology initiatives, never once even considering that it's quite likely that celebrity is working for the NSA and simply mouths all the "progressive" and "cyber-libertarian" talking points that sell the idea to idealists. Idealists are easily manipulated because they "want to believe."

The Three Letter Agencies are "people hackers" more than "technology hackers" and the average techie-type doesn't have a clue.

tl;dr the entire "electronic privacy movement" is likely astroturf run by the intelligence community.

Very true. I'd recommend Yasha Levine's (the post author's) book Surveillance Valley for anyone interested in this topic.

You'll notice any web posts about "how to get on the dark web" suggest Tor. Uh, huh.

.onion addresses point to hidden services, and I was under the impression that the "dark web" usually just refers to these hidden services. So what other alternatives exist besides "Tor" and associated .onion addresses to access the dark web if it's not hidden services?

There are other 'dark webs'. Most prominent afaik are i2p and freenet (although both of those do something slightly different than tor).

>Consider that the Tor Foundation itself may have been started by NSA agents and collaborators.


>never once even considering that it's quite likely that celebrity is working for the NSA

The Tor Foundation itself could also have been founded by Mork from Ork to hide his pornographic consumption from Orson.

I highly doubt either is true, it's probably not some conspiracy. I imagine the bulk of Tor traffic is DNM trade which intelligence agencies just aren't going to care about some 17 year old ordering MDMA for his friends with bitcoin.

>The Tor Foundation itself could also have been founded by Mork from Ork to hide his pornographic consumption from Orson.

No, "Mork from Ork" is a fictional character, while the people who started the Tor project and the Tor foundation are real people, and were funded, since the beginning, by the Office of Naval Research and the NSA. In fact, the article goes into this extensively, and these facts are not in question:

>The technology was funded by the Office of Naval Research and DARPA. Early development was spearheaded by Paul Syverson, Michael Reed and David Goldschlag — all military mathematicians and computer systems researchers working for the Naval Research Laboratory, sitting inside the massive Joint Base Anacostia-Bolling military base in Southeast Washington, D.C.

>But in 2002, seven years after it began, the project moved into a different and more active phase. Paul Syverson from the Naval Research Laboratory stayed on the project, but two new guys fresh outta MIT grad school came on board: Roger Dingledine and Nick Mathewson. They were not formally employed by Naval Labs, but were on contract from DARPA and the U.S. Naval Research Laboratory’s Center for High Assurance Computer Systems.

>At the very end of 2004, with Tor technology finally ready for deployment, the US Navy cut most of its Tor funding, released it under an open source license and, oddly, the project was handed over to the Electronic Frontier Foundation.

So creating bizarre strawmen about "Mork from Ork" and using weasel-words like "conspiracy theory" doesn't add anything to the discussion.

>I imagine the bulk of Tor traffic is DNM trade which intelligence agencies just aren't going to care about some 17 year old ordering MDMA for his friends with bitcoin.

This is also a strawman, no one (except for you) was talking about "17 year old ordering MDMA for his friends with bitcoin."

It's interesting that there is so much ostensible "faith" in the Tor Foundation and a seeming emotional reaction to questions about it. I say "ostensible" because my suspicion is those reactions are feigned.

The job of the NSA is signals intelligence; the Tor network is a juicy target for signals intelligence; NSA has been involved in not just the foundational technology of Tor, but the various Tor research projects.

If the NSA does NOT have "back doors" into the Tor network, they aren't doing their job.

> and were funded, since the beginning, by the Office of Naval Research and the NSA. In fact, the article goes into this extensively, and these facts are not in question:

You'll be hard pressed to find someone working at a major university that hasn't (directly or indirectly) received government funding for something. You'll be almost as hard pressed to find a major tech, freight, medical, agricultural, transportation, aerospace, natural resources company etc that hasn't had (or doesn't have active) government contracts.

That doesn't mean everything is a government conspiracy to spy on people.

>The federal government spent $116 billion on research and development (R&D) in 2017,


>That doesn't mean everything is a government conspiracy to spy on people.

No one suggested that "everything is a government conspiracy to spy on people."

The job of the NSA is to "spy on people." It's America's top funded intelligence agency. It's full of extremely competent and very intelligent people and their employer, the United States of America, is the world's sole superpower, the world's largest economy, and likely the most technologically sophisticated nation on earth.

The NSA is one of the reasons for America's preeminent place in the world.

The NSA is more interested in HVTs at a nation state level, not people selling porn passwords, drugs and cvv2 dumps.

For people attempting to pass communication privately for any purposes an intelligence agency would be interested in, they're almost certainly using things like random in-game chats (this has even been in the news for non-interest stuff like drug trade).

The handful of paranoid people using Tor to check Facebook or google search 'how to poison my lover' aren't the people the NSA is interested in.

The people in oppressive governments using Tor (where it's not blocked) to share images of crime/abuse and political statements are more of interest to agencies like the CIA.

>The NSA is one of the reasons for America's preeminent place in the world.

Hardly. America's preeminent place in the world is a result of access to natural resources, some of the best farmland in the world and a technologically advanced military with a million plus well-equipped active duty personnel and the fact that we don't share borders with a major threat (Canada is not a threat and we co-staff several military installations with Canadian personnel, in fact NORAD is a direct result of mutual-staffing from an agreement made in 1957 and is co-commanded by a USAF and RCAF generals).

Oh, and the whole part where we were the first nuclear power and the only country crazy enough to have used not one, but two, nuclear weapons in aggression.

Sure but it's a lot of code to go through and it's not the only problem. What if the majority of the nodes are from the NSA?

Is there any circumstantial or direct evidence to support that or is that just speculation?

If confidence is decreased in the network (e.g. due to an intelligence leak) there is no reason a new network could not supplant it

> What if the majority of the nodes are from the NSA?

While nothing can prove definitively anything, we do have https://metrics.torproject.org/bubbles.html#country and the directory of relay nodes are in the open. One can simply pull the list and compare them to any geo-ip database.
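The check described in the comment above, as an added example that is not part of the thread: it sums exit probability per country and per autonomous system from a relay listing, which shows where exit capacity is hosted, not who operates it. The field names (`relays`, `country`, `as`, `flags`, `exit_probability`) are assumed to follow the Onionoo "details" document; the sample relays are constructed.

```python
import json
from collections import defaultdict

# Constructed sample shaped like an Onionoo "details" document.
# Nicknames, AS numbers and probabilities are made up, not real relays.
SAMPLE_DETAILS = json.dumps({
    "relays": [
        {"nickname": "exampleA", "country": "de", "as": "AS64500",
         "flags": ["Exit", "Running"], "exit_probability": 0.30},
        {"nickname": "exampleB", "country": "de", "as": "AS64500",
         "flags": ["Exit", "Running"], "exit_probability": 0.20},
        {"nickname": "exampleC", "country": "us", "as": "AS64501",
         "flags": ["Exit", "Running"], "exit_probability": 0.25},
        {"nickname": "exampleD", "country": "nl", "as": "AS64502",
         "flags": ["Exit", "Running"], "exit_probability": 0.15},
        # Guard-only relay: carries no exit traffic, so it is ignored.
        {"nickname": "exampleE", "country": "us", "as": "AS64501",
         "flags": ["Guard", "Running"], "exit_probability": 0.0},
        # Relay the geo-IP lookup could not place: no "country" field.
        {"nickname": "exampleF", "as": "AS64503",
         "flags": ["Exit", "Running"], "exit_probability": 0.10},
        # Exit relay that is currently down: not counted.
        {"nickname": "exampleG", "country": "fr", "as": "AS64504",
         "flags": ["Exit"], "exit_probability": 0.05},
    ]
})


def exit_share(details_json, key):
    """Sum exit_probability per value of `key` over running Exit relays."""
    shares = defaultdict(float)
    for relay in json.loads(details_json).get("relays", []):
        flags = relay.get("flags", [])
        if "Exit" not in flags or "Running" not in flags:
            continue
        # Unplaceable relays are grouped as "unknown" rather than dropped,
        # so they cannot silently shrink the totals.
        group = relay.get(key) or "unknown"
        shares[group] += relay.get("exit_probability", 0.0)
    return dict(shares)


def top_n_share(shares, n):
    """Fraction of the total exit probability held by the n largest groups."""
    total = sum(shares.values())
    if total == 0:
        return 0.0
    largest = sorted(shares.values(), reverse=True)[:n]
    return sum(largest) / total


if __name__ == "__main__":
    by_country = exit_share(SAMPLE_DETAILS, "country")
    by_as = exit_share(SAMPLE_DETAILS, "as")
    for name, table in (("country", by_country), ("AS", by_as)):
        print(f"exit share by {name}:")
        for group, share in sorted(table.items(), key=lambda kv: -kv[1]):
            print(f"  {group:10s} {share:.2f}")
    print(f"top-2 AS share: {top_n_share(by_as, 2):.2f}")
```

Grouping by autonomous system is usually more telling than grouping by country, since many relays in different countries can sit with the same hosting provider.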

I think this claim is about nodes controlled by the NSA, not about nodes housed inside the US. Presumably the NSA could be in control of servers hosted in other geographies.

For this to work, you'd convince millions of people to use your forked protocol. A network that only you and your friends use doesn't give you much anonymity.

It's by operating the exit nodes that they can see the traffic.

Both FBI & Tor are on Honeypots. I remember this article, https://www.wired.com/2015/04/silk-road-1/ which confirms the FBI tactics of setting up exit nodes.

Dumb question - is the supposition then that HTTPS is completely broken as well? Or is it merely that the NSA will be able to see who tor users are talking to, if not what they say?

The initial iteration of the internet was also funded by the US government via DARPA. DARPA was also partially responsible for the US Interstate Highway System.

for anyone who isn't already familiar with yasha levine -- suffice to say that he is not qualified to discuss the technical capabilities of tor

Can you elaborate? I'm not familiar.

He wrote Surveillance Valley. I think he's quite qualified to comment on it.

Dan Brown wrote Da Vinci Code, but I don't think he's qualified to talk about the history.

The Da Vinci Code is a fictional novel. Levine's book is well researched and he cites his sources. Is he despised on HN because he's Russian? That would be xenophobic. Is there something else about him that I'm missing?

OP here... Any guesses why this was flagged? Yasha Levine is the author of Surveillance Valley, a well-reviewed book that covers this topic extensively.

I didn't flag the link, but fwiw Yasha Levine is not a good person. An incident from a while ago: https://motherboard.vice.com/en_us/article/ae3n8p/that-time-...

(Disclaimer: Andrea Shepard is an internet friend of mine)

I’ve seen this information discussed here before (1) and the response was pretty hostile. I’m not sure why the article was flagged but I find this topic extremely relevant to our community.

No use throwing the baby out with the bath water. Makes me wonder - who would benefit from not having this conversation?


>the response was pretty hostile.

>who would benefit from not having this conversation?

The companies that have a vested financial interest in mass surveillance, their technical employees, the public communication platform for the investment funds that fund startups in this space (cough) and the intelligence agencies that work directly with, and are sometimes embedded in, those technology companies.

Imagine if someone did find some exploit in Tor code, it would go over the head of 99% of coders anyway, and the accusations of "Russian hacking" would drown out most sensible discussion anyway.

It would really advance your viewpoint more, if you waited for someone else to bring up "Russian hacking" and then accused them of "whataboutism".

I don't know anything about the conspiracy that runs everything, but it is hard to believe that it involves the CIA, NSA, or the Russian equivalents, because they are demonized so much. The real rulers of the world must hate those entities. Anyone that is scapegoated by millions must be a diversion.

The whole point is to have a lot of traffic that does not belong to the military but that the military can use. Also, everyone will try to break it, as it is a much higher-value network. And there are ways to do so, e.g. at exit and entry, where you are not protected.

Seems nothing wrong.

No one guarantees anything.

So, do I need to change the tor client configuration to not favor fast (exit) nodes as much?

Right to privacy and freedom from surveillance is a dream.

It's attainable if you are in a recognized higher social class, which often correlates with having much wealth.

Relatively undergeneralized as the entirety of the internet's traffic is collected by various agencies, and singling out the NSA seems rather hamfisted.

There are three points here: First, Tor was and continues to be funded by the NSA, among other government agencies. Second, the NSA created Tor for themselves to protect their own agents. Third, by operating Tor exit nodes, they are able to spy on other people's traffic, hence a honeypot.

>among other government agencies.

That's my point. And I'm suggesting going a step further to non-domestic agencies.

Nowhere do I suggest the point in the article is false. I merely suggest it is closer to cherrypicking as others are obviously neglected. Does the FBI come to mind at all, for instance?

The thrust of this is not to name which agencies use Tor to spy on you, but to point out the fact that the entire Tor system was developed by the government and is probably a big honeypot. Who cares what TLA-named agency is using it this week? The point is that it's not the security panacea it's made out to be by tech libertarians.

Tor is in their demesne so criticism is always relevant - dismissal on those grounds is whataboutism. It would be like dismissing DES S-box tampering or Elliptical Curve insecurity with "there are plenty of insecure algorithm mistakes no big deal!".

It brings to mind how answering strongly agree on "Everyone steals" on a company screening personality test is a quick ticket to get blacklisted.

I didn't justify the NSA nor 'dismiss', I said everyone does it, so singling them out in particular is dishonest.

Furthermore, it is their mandate to do what they do; ask yourself: which agencies exist that have attempted to extend beyond the scope of theirs?

This is a serious concern, esp. in diplomatic relations.

Well they were responsible for Tor that makes it germane - that was what I meant by being in their domain. It is always perfectly fair to throw shade on them for their project based on their past actions.

The NSA really shouldn't be bringing up their mandate given how they have persistently undermined their own nation's security for the sake of snooping. And it is one of the most economically dependent upon it no less and needs the advanced economy to power its supremacy. It is so stupid one needs to invent elaborate and absurd fantasies to remotely justify it.

It still stinks of whataboutism to complain of dishonesty - not refuting the truth or justifying it as right but deflecting it and crying foul. Everyone is doing it is a poor excuse for juvenile delinquency and a worse one for agencies of world powers.
