Two basic claims: Tor is tainted because (1) the concepts the software is based on were developed with partial funding from the military and (2) Zed thinks one of the committers is untrustworthy. Guess what? That describes a huge amount of software, including Mac OS X and Firefox. God damn Zed, this Hitler sandwich shit is pretty weak.
Zed also has a problem with Tor because he thinks there is a "gigantic percentage of hackers and security experts on the volunteer payroll of a group whose job is to illegally wiretap people and circumvent the law on behalf of the government". He thinks some of these people work on Tor and thus Tor is untrustworthy. Funny though, his ISP is likely guilty of the same thing. I wonder if Zed takes that into account as a part of his paranoid fantasy.
There are serious problems with using Tor and Zed fails to mention any of them. You'll want to read what Thomas has to say on the subject (http://searchyc.com/tptacek). Specifically, Thomas mentions that a general problem with tools like Tor is that it identifies your traffic as a subset of all traffic that's probably worth monitoring. You're essentially adding bright red neon signs to your most sensitive traffic. The amount of traffic going through the Tor network is small enough that it is a tractable problem for a nation state to attempt to monitor all of it. Thomas also goes into how the incentive structure for these tools is completely broken. The defenders are academic researchers going for tenure, the attackers are nation states with millions of dollars to spend, and the users are dissidents that get killed when the tool fails. Unfortunately, arguments with this level of nuance appear to escape Zed in this case. I fear he doesn't have the domain knowledge to write something intelligent about this issue.
Thing is, you don't have to believe Firefox is trustworthy to believe it's your best bet for surfing the web. The whole point of Tor is to be trustworthy; hence, there's no point in it if you don't trust it. Plus, like you said, using Tor may be worse than nothing, so you have to have a pretty strong motivation and pretty strong trust. Using Firefox or OSX requires no such trust.
A compromised web browser or operating system gives the attacker your email credentials, which by proxy gives them the rest of your life. You're trying to argue that an untrustworthy browser/OS is not as significant as an untrustworthy Tor. There isn't such an argument to be made. Browsers and operating systems require trust.
No, all they require is being just as trustworthy as the other browsers and operating systems, even if that level is zero. Tor is an extra inconvenience and calls extra attention to you and therefore requires a credible claim of providing extra security to make up for the downside.
Nope. If the trustworthiness of all browsers was zero, people would do their banking in person. You're trying to get away with arguing only the relative and not absolute trust of browsers is the only thing that matters. Not gonna happen.
Security is relative and depends on your particular goals. I may have zero confidence that the government has not subverted Firefox, but that would not stop me from using it. If there are government back doors in Firefox, they aren't being exploited on a large scale for robbery or identity theft, and that makes it good enough for online banking. It wouldn't make Firefox good enough for evading government surveillance, but depending on your purposes, using a web browser you don't trust might be better than not using a web browser at all.
If someone of sufficient expertise decides to hack you and take your banking info, they will, just like if someone decides to rob you on the street, they will. We assume there are vulnerabilities in any piece of software as big as Firefox. Your security depends on not being a particularly tempting individual target for highly skilled attackers and staying up-to-date enough to avoid mass automated attacks, and those factors depend on relative risks that can't even be objectively measured.
Edit/PS: I am also confident that the government would not insert back doors that are likely to be found by criminals, because those vulnerabilities would be exploited by foreign governments and would hurt U.S. commercial interests, which I imagine is the only kind of mistake that would result in Congress taking drastic punitive action (slashing budgets, reducing autonomy, increasing oversight) towards an intelligence agency.
Do you avoid software like FreeBSD, Linux, Mac OS X, and all other software that fits the criteria of your post? Point is, you have shitty reasons and probably aren't consistent in your application of them. Government funding and a committer you don't like preclude the usage of a huge amount of software.
My general frustration with your blog post is that your arguments apply to many popular pieces of software. It feels disingenuous and it feels like it's provocative solely for the purpose of being provocative.
As someone living on the other side of the Great Firewall of China it's become VERY clear that a government can effectively censor the internet (without VPN to get out it's terrible), provided that the government in question put enough effort into it.
As I said in another comment, the Chinese government has beaten Tor. You can't download it or even read about it (almost everything Tor related is blocked). Even when you have it you can't connect, as all bridge IPs are blocked the moment the gov discovers them.
It's slow as hell to boot and on top of this the Chinese government is still able to monitor those who can connect with traffic analysis (a Tor weakness).
I'm something of a lazy cipherpunk and had hoped that most services and sites would have moved onto darknets like i2p by now. But sadly this is not the case, however it is the place where we finally need to go.
TLDR: I don't use Tor because it don't work, plain and simple. Never mind the insecurity mentioned by Zed, and no one here is talking about this.
At the end of the day when you're dealing with a government that has absolutely no qualms about simply taking you away and killing you discreetly, regardless of who you are, there is no hack clever enough to protect you.
"At the end of the day when you're dealing with a government that has absolutely no qualms about simply taking you away and killing you discreetly, regardless of who you are, there is no hack clever enough to protect you."
The thing is that for many people the risk of getting killed is worth it, and protecting the source is not the ultimate goal.
History has shown us that dissidents will often and gladly risk their own lives to get their message out. And often, despite the risks, they've managed to evade detection and capture even when they were up against huge, ruthless spy networks like those of the Soviet Union, post-war East Germany, or the Gestapo.
If enough people were using it, I'd think that a) some of them would be government operatives and b) the traffic could be analyzed to identify and remove internet access from a large number of the participants. I don't know that much about darknets so maybe the traffic analysis is not so straightforward.
They could switch from a blacklist to a whitelist and then you would only be able to connect to other nodes if they were run surreptitiously on pre-approved networks.
Properly used, good steganographic software will hide your use of encryption. Ideally, your communication stream will seem perfectly innocuous to all observers.
Of course, in real life nothing is perfect. So there's always a chance your use of encryption will be detected. But using steganography properly should still reduce that chance to well below that of obviously encrypted systems like TOR, Freenet, etc.
Also, just as importantly, the more people use steganography, the greater the cost of widespread monitoring will become.
As pointed out in other replies in this thread, when you use regular encryption or systems like TOR, you're effectively raising a big red flag for anyone who cares to monitor your communication. So detection is really easy.
But if you use steganography, the snoopers will have to work much harder to even stand a chance of detecting that there's anything unusual about your communication. Multiply this by thousands or millions of people using steganography (especially if it's embedded in huge data transfers, like video streams) and the resource drain for effective, widespread monitoring could become unsustainable.
Right now the snoopers can go after the low-hanging fruit of obviously encrypted communications, and then maybe use rubber hose cryptanalysis to decrypt it, or simply block it. Steganography has the potential to change the game drastically.
Stealth circumvention tools are even harder to write than just plain old circumvention tools, which we already are struggling with. It's a disaster waiting to happen. See Haystack and this comment by Thomas: http://news.ycombinator.com/item?id=1690871.
"Get circumvention at all wrong and you achieve the opposite of what the tool is intended for: you put a big red flag on people breaking their local laws. ... Don't build circumvention tools."
That attitude is so wrongheaded I hardly know where to begin.
First of all, anyone who uses something like TOR in China has already put a huge (and very very obvious) red flag on their communications stream.
So, if those people are going to be trying to break through the firewall anyway, why shouldn't they do so with the best tools available? Why shouldn't they try to hide their communication in a stream of innocuous traffic rather than obviously red-flagging it?
And why shouldn't concerned programmers write tools to make the hiding of such information more effective?
Look, many people are going to try to communicate even when they're forbidden from doing so, and they're going to try to circumvent censorship. So we can either try to make it easier for them, or harder. I'm on the side of making it easier.
Sure, some people are going to get caught despite using steganographic software. But I'm willing to bet a lot fewer of them will get caught than using bare encryption systems like TOR.
If you're going to put a big blinking red light on all your packets so that the largest, best-armed surveillance state in the world can collect and analyze them, I guess there's very little harm in waving rubber chickens over them too. Go ahead with the stego.
You might want to read Niels Provos' stegdetect stuff, first. The world needs more fun grad student projects, and you wouldn't want people to have to rehash the same stuff he broke 10 years ago.
Sure, steganography and steganalysis are in an arms race, just like encryption and cryptanalysis.
But if the existence of such an arms race doesn't stop someone from using encryption it shouldn't stop them from using steganography.
Of course, you need to be prudent about it. Use the most secure techniques available, and don't use methods you know have been broken.
Finally, know that you are taking a risk, that nothing is 100% foolproof, and the more powerful and determined your adversary the more of a risk you're taking.
The difference is that with cryptography the actors are nation states v. nation states. With steganography the actors are activists v. nation states.
Also, what makes you think activists have the technical expertise available to know what the "most secure techniques available" are and what methods have been broken?
"The difference is that with cryptography the actors are nation states v. nation states. With steganography the actors are activists v. nation states."
I don't know where you got the idea that nation states are the only ones who use cryptography. Plenty of activists, along with other non-state actors do so all the time.
Plenty of cryptography is also designed by individuals not in the service of any nation state (as far as we know, anyway). In fact, some argue that such encryption is more trustworthy than encryption developed by nation states themselves.
"Also, what makes you think activists have the technical expertise available to know what the "most secure techniques available" are and what methods have been broken?"
I can't speak for any and all activists. It's really up to them to acquire such expertise or get advice from people who have such expertise.
That said, the problem here is no different from figuring out which encryption to use. So your criticism applies equally to encryption as it does to steganography.
"I don't know where you got the idea that nation states are the only ones who use cryptography. Plenty of activists, along with other non-state actors do so all the time."
We're not talking about users, we're talking about attackers and developers. Why would users have anything to do with our discussion?
"Plenty of cryptography is also designed by individuals not in the service of any nation state (as far as we know, anyway). In fact, some argue that such encryption is more trustworthy than encryption developed by nation states themselves."
Developed by academics, but tested by both academics and the government. The testing is the thing that's actually important.
"I can't speak for any and all activists. It's really up to them to acquire such expertise or get advice from people who have such expertise."
The point is that the technical expertise is not available. It's not up to them. It's not available. What you suggest they do is not possible.
"That said, the problem here is no different from figuring out which encryption to use. So your criticism applies equally to encryption as it does to steganography."
Nope. Get back to me when we get government backed standards and recommendations for anonymity (hint: we have them for crypto).
"We're not talking about users, we're talking about attackers and developers. Why would users have anything to do with our discussion?"
Actually, in the message you responded to, I was specifically talking about users. I've been talking about users of crypto/stego all along!
They're the ones who take virtually all of the risk. The people who write the crypto/stego often aren't even in the same country, and they do their development in countries where crypto/stego are perfectly legal.
So I don't know why you started talking about developers all of a sudden.
However, I thought you might have switched subjects, so I specifically addressed crypto development in my second paragraph.
"Developed by academics, but tested by both academics and the government. The testing is the thing that's actually important."
That testing is only worthwhile if your threat model does not include the government itself, which has a vested interest in breaking all encryption, whether or not it has been "certified" by them.
"The point is that the technical expertise is not available. It's not up to them. It's not available. What you suggest they do is not possible."
How is it not available? There are plenty of people who design and analyze stego. There's your expertise.
"Get back to me when we get government backed standards and recommendations for anonymity (hint: we have them for crypto)."
"That testing is only worthwhile if your threat model does not include the government itself, which has a vested interest in breaking all encryption, whether or not it has been "certified" by them."
The government also has a vested interest that the cryptography used by itself and its citizens be reasonably secure, else industrial espionage and other similar activities become trivial. Note that the NSA approved AES for the protection of Top Secret information. If you want to argue the NSA deliberately let the majority of classified information in the United States be protected by a flawed algorithm you're going to have to provide some proof.
"How is it not available? There are plenty of people who design and analyze stego. There's your expertise."
The people that are good at building and designing crypto and stego (Are there any good stego systems? Doubt it.) systems are outside the paygrade of most companies, never mind activists. The expertise is not available.
--
Your arguments are disconnected from reality and don't really have any particularly notable knowledge of this domain. This conversation has been a net loss, and judging by your average of ~2 karma per comment, other people seem to agree. I'll let you have the last word if you'd like it, but please refrain from wasting so much space in the future.
And your two-sentence reply that didn't specifically address a single point in my post is supposed to be some deep, thorough analysis?
Pot, meet kettle.
Despite this, I'll do you the kindness of actually addressing the point you made by giving you a big, "so what?"
Activists and dissidents often go up against nation states. That's the nature of the business. And they knowingly take risks to do so.
The question is, are they simply going to use bare encryption, thereby virtually guaranteeing to draw attention to themselves in a state like China? Or are they going to wrap their encrypted message in a layer of steganography, thus giving themselves at least a chance to avoid detection in the first place?
You made an asinine comparison, between cryptography/cryptanalysis (where advances involve fundamental breakthroughs in mathematics and information theory) and steganography/steganalysis (where advances have been made, recently, from simple measurement studies).
How in-depth do you want me to get with you? I gave you an actual (high-level, easy-to-read, summarized) academic source. You clearly haven't read it. Why not go take some time with it and come back not sounding like a crank?
"How about a third option: they use a method of communication that won't get them killed. You're presenting a false dichotomy."
Got any suggestions? Because I know the millions of Chinese who attempt to circumvent China's firewall daily would love to hear about it.
The point is that probably 90% of the time, these people aren't using anything better than bare encryption (if that), and they're drawing attention to themselves anyway. If they're going to do that anyway, I think it makes much more sense to hide the communication via stego.
Hard problems don't become easier just because they find social justice applications. Math doesn't care what China does to its dissidents, as Wang Xiaoyun has made pretty clear to us.
I'm envisioning a piece of software that lets you IM folks, but with the messages steganographically embedded in emoticons and the cleartext messages autogenerated.
The more different types of traffic that messages could be hidden in, the better.
But, personally, I think the best place to hide them right now is video streams.
The thing about steganography is that the smaller your hidden message is and the larger the data it's hiding in is, the less of a chance there is of it being detected, and also the greater the cost of such detection will be.
Think of it this way:
How effective you are at hiding your message, and the cost of hostile detection are proportional to:
size of covertext
--------------------------
size of hidden message
In my opinion, the ideal medium for two-way, realtime steganographic communication would be something like Skype, where large, bidirectional video streams are used. It might not be too hard to hack up some webcam filter that injects hidden messages into the outgoing videostream and another filter to decode messages from the incoming videostream.
For one-way communication (or even two-way, delayed communication) any of the video hosting services like Youtube or Vimeo would be great. This should be even easier to implement than the Skype filters I describe above, as the processing can be done offline at your own leisure.
If using steganography to hide information in these videostreams becomes common, the cost to snoopers trying to find messages in them will become simply gigantic. And those costs will only increase as videostream sizes dramatically increase as they inevitably advance to offering higher resolutions (in the short-term), and even 3D-video (in the long-term).
An extra tip, if you're going to try something like this, is to make sure to use crappy/defective webcams that naturally inject noise into the videostream anyway, and maybe film whatever you're filming on a nicely chaotic background like a closeup of trees billowing in the wind, ocean waves crashing on the shore, etc... that should hopefully provide plenty of chaos for your message to hide in.
This is silly. You can programmatically detect e.g. anomalous keyframes from traffic today. Anything you do to try and embed messages in any rich media format (audio, lossy images, video, &c) can be reversed and turned into a filter. The filters won't even need to be accurate; they'll baseline, wait for you to trip a threshold, and then send people to your door to collect your machine.
I'm particularly amused by the comment about using complicated images of ocean waves and trees, as if computers were just mechanical humans trying to make sense of the shapes in the picture.
X is a video of a completely featureless white screen.
Y is a video of a jungle canopy in the midst of a storm.
At some point in both videos, one pixel changes color slightly. Which video do you think it will be easier to spot the change in?
Of course, the amount of information that can be transmitted in the color change of one pixel is ridiculously small, so in a real life example more pixels (or perhaps some other data in the video) would need to be used to embed the message, but the video size can grow along with the size of the hidden message.
As for "anomaly detection", the thresholds at which such detectors function have to be tuned in such a way that they don't give too many false positives to make them useless.
And they're not magic. They can only detect certain types of anomalies, not any and all past or future steganographic techniques that could conceivably be used to hide the message.
Steganographic techniques can and have been designed to mimic expected statistical profiles. Take a look, for instance, at Peter Wayner's work on Mimic Functions:
The other thing I should note is that even if it is (theoretically) possible to detect a message hidden via steganography, the cost of doing so goes up as the amount of data the message is hidden in increases.
Even detecting a message hidden with even the simplest steganographic technique will be much higher than detecting the use of bare encryption, which is already out in the open.
So widespread use of steganography in large datastreams like youtube videos and Skype will create a huge computational burden on the snoopers attempting steganalysis.
Steganalysis doesn't work by noticing a pixel gone awry in a video of a storm. Your notion of how this works seems drawn from movie plots, like the guys who sneak past motion detectors by moving real, real slow. Also, "the contributing editor of the Infoworld Test Labs and author of the Morgan Kaufman book _Disappearing Cryptography_, as summarized by Wikipedia" loses to academic crypto researchers. Sorry.
Come back when you have such a peer reviewed algorithm actually implemented in software. Until then you're just talking about a "sufficiently advanced compiler."
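The exchange above turns on whether a statistical filter with a baseline and a threshold notices embedded data. As an added illustration that is not part of the original thread, the sketch below scores constructed 8-bit samples with a pairs-of-values chi-square statistic before and after LSB replacement; the sample distribution, the embedding model, the 50-count cutoff and the 0.5 threshold ratio are all assumptions of the example.

```python
"""Pairs-of-values chi-square check for LSB replacement (constructed data)."""
import random
from collections import Counter

MIN_PAIR_COUNT = 50  # skip sparse histogram pairs (assumption of this sketch)


def make_cover(n, seed, mean=128.0, sigma=6.0):
    """Constructed stand-in for 8-bit media samples with a smooth, peaked histogram."""
    rng = random.Random(seed)
    return [min(255, max(0, int(rng.gauss(mean, sigma)))) for _ in range(n)]


def lsb_replace(samples, rate, seed):
    """Overwrite the LSB of a `rate` fraction of samples with payload bits.

    An encrypted payload is modelled as uniform random bits.
    """
    rng = random.Random(seed)
    out = []
    for s in samples:
        if rng.random() < rate:
            s = (s & ~1) | rng.getrandbits(1)
        out.append(s)
    return out


def pov_score(samples):
    """Mean per-pair chi-square over the counts of values 2k and 2k+1.

    LSB replacement only moves samples between 2k and 2k+1, so it pulls the
    two counts together. Each term (n0 - n1)^2 / (n0 + n1) is chi-square
    with one degree of freedom when the counts are equalised, so the mean
    approaches 1.0 for fully embedded data and stays well above 1.0 for an
    untouched peaked histogram.
    """
    hist = Counter(samples)
    total, pairs = 0.0, 0
    for even in range(0, 256, 2):
        n0, n1 = hist[even], hist[even + 1]
        if n0 + n1 < MIN_PAIR_COUNT:
            continue
        total += (n0 - n1) ** 2 / (n0 + n1)
        pairs += 1
    if pairs == 0:
        raise ValueError("not enough samples to score")
    return total / pairs


def is_flagged(samples, baseline, ratio=0.5):
    """Flag a capture whose score falls below `ratio` times the clean baseline."""
    return pov_score(samples) < ratio * baseline


def run_demo(n=200_000):
    """Score one capture at several embedding rates against a clean baseline."""
    baseline = pov_score(make_cover(n, seed=1))  # known-clean capture, same source
    cover = make_cover(n, seed=2)                # capture under test
    rows = []
    for rate in (0.0, 0.05, 0.5, 1.0):
        stego = lsb_replace(cover, rate, seed=3)
        rows.append((rate, pov_score(stego), is_flagged(stego, baseline)))
    return baseline, rows


if __name__ == "__main__":
    baseline, rows = run_demo()
    print(f"baseline score: {baseline:.2f}")
    for rate, score, flagged in rows:
        print(f"rate={rate:4.2f}  score={score:7.2f}  flagged={flagged}")
```

The `ratio` argument is the tuning knob both sides argue about: it decides which embedding rates trip the filter and how many clean captures would.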
What would prevent the Chinese government from just blocking I2P?
Also, while Tor isn't used in China there seem to be some other Proxy Services that are used. A non-tech-savvy friend of mine who is a Chinese citizen and moved back to China one year ago, uses some kind of proxy service to connect to sites like Facebook. I have the impression that the knowledge how to circumvent the firewall is rather common in China.
There are many paid VPN services available to those who have credit cards. These VPN services are based outside China. But this is quite expensive for most Chinese people to use.
The reason Tor isn't used in China is that most of the bridge relay IP addresses are blacklisted by Chinese ISPs and net-cops. Now the list of bridge relays is not public, but China has enough manpower (working full time I might add) to get ahold of nearly all the IPs and block them.
Actually it wouldn't be too difficult to automate this at all.
Knowledge to circumvent the wall is available, it's the resources to do so that are lacking.
I2P currently is too small to show up on the Chinese government's radar. Apart from this I don't know how I2P gets the IPs of the darknet node. The only guaranteed way to be safe is to have a Friend to Friend network, with absolutely no public connection nodes.
I was curious about this, so I started googling for how to do this. Sure enough, it's a bitch and the only way to really do it easily is to use a GUI like Tork. Not to mention I can't seem to figure out how you find his nodes in order to BadExit them, and I very seriously doubt his nodes will get listed in anything official.
Anyone got good instructions on how to actually BadExit his nodes? I want to post them so people actually can.
Check one of the online directory servers (e.g. http://torstatus.blutmagie.de/) and use the Advanced Query Options to find all the nodes where "Contact" - "Contains" - "appelbaum.net" to find which nodes he administers. Then add the fingerprint of every node you want to avoid to the ExcludeNodes entry.
You should obviously confirm the list above with other sources, because one or all of the following might be true:
1. I may be in cahoots with Jacob, plotting to hack your codez.
2. The directory server I linked to may be a co-conspirator. Fortunately, there are other directory servers you can query.
3. There is no three. Anybody can put up a node and declare anything. If Jacob, or I, are using Tor nodes nefariously, do you really think we'll put our names on them?
P.S. Don't forget to restart Tor after you change the torrc.
Why would you even want to BadExit his nodes? Using Tor you're vulnerable anyway. Any exit node can snoop on your traffic or even change it.
Enumerating some bad nodes does not substantially improve this. The above can only be prevented by using something like SSL plus a trusted certificate on top of Tor.
Am I the only one who is disappointed that two supposedly professional adults can't manage to have a grown up conversation about this? Reading the back and forth is pretty disheartening.
Oh, it's pretty much impossible to have any rational conversation these days. The majority of the technology speech these days is manipulative, flat out wrong, very anti free speech, and hyperbolic. When you start from that, there's just no point trying to be reasonable.
While I agree, you started the conversation by breaking Godwin's Law. I don't think Appelbaum paid particularly close attention to your piece, but I probably wouldn't either in his position. A cursory skimming of your post reads as, "would you eat a sandwich from Hitler? No? Then why do you use software from Appelbaum?" I don't think that's a fair distillation of your argument, but it is reasonable to think that someone briefly scanning your work might think it to be so.
Complaining about tech speech being hyperbolic whilst simultaneously [implicitly] comparing Appelbaum to Hitler is a little ballsy, tbh.
You not only got that backwards, but Godwin's law is not one that can ever be 'broken' — just because you haven't used Hitler in an analogy yet doesn't mean you aren't asymptotically approaching such a comparison.
Using der Führer in an internet argument is a realization of Godwin's law, not a violation of it.
If Appelbaum actually works on Tor then just BadExit'ing his nodes is obviously not enough. Even a clean compile (for the paranoid: do you trust your compiler?) from a fully audited (do you have the resources?) source code is not enough. In order to use Tor you gotta trust the other nodes, including the code that runs there.
I doubt Jacob is hacking his own code, he'd have way too much to lose and I do believe he actually loves the project. If he were to do anything it'd be handing interesting traffic off various exit nodes he and friends control to Wikileaks. That'd be about all I or anyone else could allegedly claim.
Ok, but (if I understand how Tor works) then the fact that he works on Tor has nothing to do with his control of exit nodes. Anybody can run an exit node, whether or not they work on Tor.
Especially since bad actors (including governments) have been running exit nodes and sniffing the traffic — Wikileaks got its start by doing it, and the Chinese got access to a bunch of embassy webmail accounts that way.
Tor exit nodes are already extraordinarily untrustworthy, one run by anyone associated with Wikileaks might as well be a chinese room with Hitler inside!
Ad Hominems are a-ok now are they? Well here's Zed's thought process:
a) Read Greenwald Salon article accusing Wired of having shady connections.
b) Roll that basic premise into a set of wild accusations and things we already know about Tor.
c) Sit back and enjoy the whole chaos of the troll. When someone attacks bring out the usual sockpuppets and sycophants to say "but Zed does all this great coding", "Zed is not like that in real life/conferences".
d) Profit/save on therapist fees by feeding own teenager-like angst and need for attention.
Ad hominem is a fallacy when the motives or nature of the arguer are brought up inappropriately. If it is relevant, it is not ad hominem, usually because it expands into something else if you really think about it. As long as we've suspended Godwin's Law for the day...
"The sky is blue." "He's a Nazi!" is ad hominem.
"Has anyone noticed the Jews have an awful lot of banking jobs?" "He's a Nazi!" is, if true, very relevant. The first statement is likely not just a mere observation that may be true or may be false but is historically associated with antisemitism and is probably being used as the thin end of the wedge and not a neutral observation. It's relevant here because it expands into an argument where the origins and motivations of the arguer are in fact very relevant.
Similarly, when you see a new physics theory coming from a known crackpot, while the fact they are a crackpot may technically have no effect on the truth value of the theory, when it comes time for you to evaluate the theory you are justified in noticing it's coming from a crackpot.
Bayesian logic lets you express it even more cleanly; in Aristotelian logic the motivations of the speaker are irrelevant to the abstract truth of the statement; in more practical Bayesian logic, as you personally examine the likely truth value of somebody else's statement (with no presumption of access to the abstract truth) their motivations can be very relevant. "ad hominem" is over-weighting their motivations or falsely weighting their motivations, and under this formulation you also get reverse ad hominem, in which you under-weight their motivations, which is every bit as much a fallacy as the original ad hominem, and which Zed talks about in his post.
All things considered, people being hyper about ad hominem is probably better than letting it slide too often, because it is certainly true that on average it is not a valid attack. But he's absolutely correct that it is sometimes valid, and while I'm not sure Zed's necessarily correct about Tor, I do think he's a lot more justified in his opinions than the pileon here consensus is indicating.
Ad hominems are totally alright in my book, especially since everyone loves doing them to me and then bitching when they're done back.
For example, your post doesn't have a single link giving counter evidence. You'd think you could bring some of that out but so far, in this entire thread, there hasn't been one link with counter evidence. There's been links to our twitter conversation, links to things supporting Tor is crap, links to discussions of Steganography, but so far I can't see 1, not ONE link with counter evidence proving me wrong.
I actually would love some, and was hoping I'd get some since I provided references, but nope. Just bullshit rhetoric and ad hominem from people who claim to hate bullshit rhetoric and ad hominem. So don't go acting like you're all above the drama.
Ad hom arguments aren't mental illnesses. They're logically fallacious, which matters a great deal in ritualized forensic arguments but not so much in informal or general argumentation, where the attributes (particularly: credibility and authority) of particular stakeholders can often be very relevant.
My advice is a friendly one. If Zed has issues that drive him to behaviour that's considered problematic, that costs him jobs and good will, I say he should try to look into himself with some professional help. Zed is a very talented programmer and I hate to see him in situations like the "Rails is a Ghetto" thing.
And, Thomas, "ritualizing" may be the only way to keep forensics sound. When you prove something, you want it to remain proved.
Not much. When someone does something, and that same person has a goal that you disapprove of, you have to think about two things: the influence of that deed on that naughty goal, and the influence of that deed on your goals.
Note that those two things can be conflated in one: if you disapprove some goal, then a part of your goal is to make that not happen. So in the end, the only thing that matters is the influence of the deed on your goals, period.
Now the deed cannot be evaluated alone. You need to know how it interacts with the world. And the first place to look at is the other deeds of the same person. (There lies the validity of Ad Hominem arguments.) However it's not the only place to look at.
For instance, if a Paper-Clip-Maniac wants to solve the Friendly AI problem, you probably don't want that problem solved: it could fill the universe with paper clips, wiping out all sentient life in the process. Now, say you're a transhumanist, and you want to cure Death. Solving the FAI problem suddenly looks much better. It may even be worth the risk induced by that Paper-Clip-Maniac.
What he is talking about is not Ad Hominem but Conflict of Interest. For example, a judge is required to recuse him or herself from a case in which he or she has a personal interest, such as a business relationship with the plaintiff or defendant.
This is probably why Zed has the words "Conflict Of Interest" as a section heading in a very large font.
A COI argument is a form of ad hom argument. In ritualized debate, what should matter is the intrinsic value of the evidence each side brings to bear, not the identity, influences, or motivations of the sides themselves.
For example: "I will go on record right now saying Wikileaks rocks. ... if anyone from Wikileaks tries to work with me or on any project I'm on you bet your ass I'm not trusting them one bit. Never trust a traitor, no matter how noble their intentions."
So Wikileaks "rocks", yet anyone involved in Wikileaks is a traitor and shouldn't be trusted? That seems contradictory. Taking this logic further, are journalists who cite Wikileaks' work also traitors that shouldn't be trusted?
As a fan of Zed's and someone that isn't completely sold on Tor, I'd love to see a sober critique of the project's vulnerabilities from Zed, but this post isn't it.
It's an interesting question. If Project Vigilant had compromised Tor, I'd expect there to be quite a few pedophiles who had used it to share cp getting busted. I'm not aware of any such incidents, let alone many. I imagine that the government wouldn't want to give away that they had it compromised, and so would simply use the information to compose a list of people to watch for slip ups, but one would expect to see a rise in the number of arrests, which would likely get at least some play in the MSM.
Conversely, if the NSA had compromised it one would expect to see no outward signs, as they a) don't care about pedophiles, b) would claim "national security" to hide the means of tracking terror suspects from the public's eye, and c) likely wouldn't tell anyone when they did apprehend someone.
I think it's probably pretty likely that the NSA is running a few nodes, but that's the risk you take with something like Tor, just as bittorrent seeders risk riaa proxies downloading from them.
I find funny that I was re-reading a novel this morning during the commute, about a WWII cryptographer and arrived at the point where he sees that the warning in every secret document was "never take any action that could reveal the enemy that we can break their encryption".
I don't suppose MILINT has gotten any less competent in the last 60-odd years, but not disclosing that Tor is compromised would seriously hamper using it as a source for law enforcement, hence my thinking it would be more likely to be NSA. If so, I doubt we'd ever know, short of somebody leaking it.
If there was an organized effort to bust people using Tor then a pattern would emerge. In so much if they were high-profile targets (political dissidents, whistleblowers, spies, etc.). If they were cp collectors I don't think anyone would care enough to do an investigation.
This assumes that political dissidents, whistleblowers and spies are using tor in any significant numbers. It seems quite unlikely to me that this is true. I think you'd find that the vast majority of tor traffic is comprised of people trying to mask their location for criminal reasons, people looking to bypass local firewall restrictions and people using it as a free VPN.
Yes, but even criminals talk. If there were a string of busts and the item connecting them all was the fact that Tor was used by the criminals then it would be an easy conclusion to say that Tor has been compromised.
Most of the CP cases are done with a lot of social engineering. Instead of having some sort of super router that can sniff through all the packets it's just a bunch of LEOs in an office trying to gain the confidence of the criminals.
This was my thinking as well. The overwhelming majority of cases you hear about are broken using old-fashioned police work. Even petitioning ISPs for records seems to be a fairly minor part of the equation.
A pedophile running a hidden TrueCrypt volume and using Tor to trade child pornography on onion sites is likely to get caught only if they pull a Bradley Manning, that is, saying the wrong thing to the wrong person. Unfortunately, most pedophiles these days that trade in child porn are likely more technologically advanced than the people responsible for tracking them.
> so would simply use the information to compose a list of
> people to watch for slip ups
How would they 'watch for slip ups' though? One would think that they would have to justify to a judge why the person was under surveillance in the first place.
>The problem is that Tor's pedigree is less than stellar. First, it was originally a US Navy project then released to various "hackers" (a word which in a lot of ways is just synonymous with "NSA collaborator" or at least a wannabe). Whether the source code started there or just the idea, you have to ask why the hell the Navy would work on this and then release it.
Goodness me! We should also be examining that DARPA developed honeypot called Teh Internets and take a second look at that ominous collaborator Sir Tim Berners-Lee.
Once I got to Zed quoting Project Vigilant's volunteer count I had to laugh. Zed's bullshit detector needs a tune-up.
Their cockfight theme is brilliant. If they had voting, bystanders can egg the participants on and add fuel to the fight... not that this particular duo need to be. When one "wins" votes, this can be displayed http://www.ruleworks.co.uk/poultry/images/mating.jpg
Bettween.com is good for this sort of thing, and looks like it does a better job of threading which tweets others are in reply to than NearMetter is doing.
This, to me, sounds like a classic case of not knowing what you're protecting against. TOR hides your IP address by preventing the destination server ever needing to do a TCP/IP handshake. There is no way to complete a TCP/IP handshake without you revealing your IP address. TOR then also stops the server you /do/ handshake with knowing the destination of your packet.
This is all TOR is supposed to do. This allows you to be anonymous to the receiving end, but it does not guarantee it. It is your responsibility to surf safely, to sanitise your traffic, to encrypt your traffic and do the rest. We know that most people can be uniquely differentiated by combining all the available information from their browsers (some of which doesn't need javascript) http://panopticlick.eff.org/ . Therefore we know, using TOR or not, that we need to be careful to do things well when we want to be anonymous.
There is little in this article which makes me worried about TOR. TOR isn't the problem, if any of this is true, then the problem is the government collecting data in various ways. Whether you agree with this is a matter for yourself to consider and not a reason to avoid using TOR.
It doesn't matter that Tor was originally a US Navy project. Tor is open source. DARPA created the internet. Do you think the internet is a conspiracy by the US government to wiretap American citizens too?
Tor is used in China to access censored data. Tor is used to send encrypted data anonymously from oppressive countries. Both of these things align perfectly with the honest motives of Wikileaks.
Step outside your world Zed. Some people have a real need for projects like Tor.
The softly stated allegation is that Wikileaks can use their knowledge of Tor weaknesses to SNOOP and extract traffic not directed at them. At least, that's what I understood.
(I rather suspect that Mr Shaw is trolling, but anyway.)
It's certainly true that humans have all manner of interesting behaviors owing to the fact that we're smart apes with huge numbers of survival heuristics. I would pause before taking a sandwich from Hitler, because I'm human, but it's not pertinent to the question of whether the sandwich is any good. (Except in as far as you think it more or less likely that the sandwich is poisoned etc.)
So I find the whole first half of the text to be a flabby way of saying that the arguments of dishonest people need to be evaluated more critically than those of honest people. But I find that the arguments of honest people need to be critically evaluated too. I think that the authors of Haystack were honest, but their assertions turned out to be dangerously wrong. (Which, by the way, we know thanks to Mr Appelbaum.) So, as a guide, the motives of the author don't seem to be very useful to me.
Then, in the second half, we find a mixture of arguments that I find valid, and many that I don't. A sense of vertigo at the amount of trust that we have to put into software is justified. It is possible to hide major bugs in code and we're standing on a stack of hardware, kernel, and userland which is incomprehensible to any one person these days.
It's also true that there are some fairly effective attacks against Tor for the capable opponent. It's a real-time mix-net, with all the tradeoffs implied and it generates a lot of research. I recommend reading some of the papers, I find them often to be very good.
But accusing the Tor people of being NSA agents because they once got funding from the navy doesn't hold water. The Internet was an ARPA funded project. Military spending has subsidised much of the modern world.
Many people have read through Tor's source and evaluated the protocol etc. Of course, all those people could be NSA agents too, publishing fake papers. You could, in fact, be in The Matrix. But you probably aren't.
Some, likely massively exaggerated, secret project might be monitoring every ISP on the planet and thus able to break any real-time mix net, but they probably aren't.
Likewise, all the Tor node operators that I have met might all be NSA plants, but they probably aren't.
And finally the author picks out Mr Appelbaum for special criticism because he connects him with Wikileaks. I think his assertion that the goals of Tor and Wikileaks are in conflict is wrong, but we could go around all day trying to pin down the goals of Wikileaks so that's probably not fruitful. But it does seem ironic that the author voices support for Wikileaks right after asserting that such supporters are not to be trusted.
So, while the stack of software is, indeed, large, Tor remains a reasonable tool to use. If the author is so concerned with the human aspect, the Tor authors make regular appearances at conferences and are wonderful people to meet. So do, and are, node operators in my experience.
Also, on top of Tor, there's a fair chance that the author is using a browser whose network and SSL stack I've had a hand in. And who knows what kind of person he's taking a sandwich from now?
>So I find the whole first half of the text to be a flabby way of saying that the arguments of dishonest people need to be evaluated more critically than those of honest people. But I find that the arguments of honest people need to be critically evaluated too.
You over-simplified the argument here, I think. I read it more as a person's motivations need to be considered, not particularly honesty. And nearly everybody has motivations that may influence how and what information they present to you.
But how can we know a person's actual motivations? Those are internal to the individual, we can't see them. Heck, in many ways the individual himself doesn't really understand his own motivations.
Trying to consider motivations is thus completely fruitless. We only have the history of a person's actions, and to a lesser extent, the history of his statements, to guide us.
What is a used car salesman's motivation? It's reasonable to assume that their motivation is to get you to buy a used car.
What is a crack addict's motivation? It's reasonable to assume that their motivation is to get more crack.
These are somewhat extreme cases, but you can almost always tell what a person's motivation is by observing them. What is a married man's motivation for not wearing his ring? He either: forgot it, lost it, is having an affair, or is no longer married. And you can probably tell which if you ask him the right questions.
It's not a trivial question of who is offering you something. It's a combination of who is offering you something, what they're offering and how much you need it.
If you were dying of thirst and Hitler had a water bottle, against any other concerns, you're taking it. Also, if you needed change for a pay phone to call a tow truck and Hitler offered you a quarter, you're probably not going to stick to your principles in that case either; because the risks are so much lower and need a bit higher than the aforementioned sandwich (we'll suppose you have gloves and no plans on licking the quarter before inserting it into the phone).
So, really, that Zed doesn't use Tor says more about his own situation than whether he thinks a better or truly-trustworthy way to anonymize live bits is even possible.
The problem with your argument is that some of those same people have contributed articles to Wired driving certain unproven assumptions in the Manning case.
It's extremely troubling to say the least from a trust aspect.
It's somewhat informative to compare Zed's response to personal criticisms vs those he targets with his own criticisms. Follow the chain of twitter replies and make up your own mind.
Well I did try to use Tor to get past censorship (I'm in China) and it's not effective here unless you already know someone outside the Chinese network to connect to (that is not a public ip).
If we're playing the suppose game, what if the Chinese government collapses? That'd turn the tide too, and there's probably a better chance of that happening than there ever being millions of tor exits.
I'm playing the guessing game because I believe the FreedomBox will happen (more than 0.9 probability within 5 years). We have the hardware and most of the software. The final set-up should take a year or so, then we just have to sell that. And selling will be easy. Who wouldn't want a bit of personal cloud at home? We don't even need to overthrow Microsoft, or eradicate Windows. No coercion is required, except with some ISPs.
The Chinese government collapsing within 5 years? That takes a revolution. I assign less than 0.1 probability to that.
I think 2. is interesting to talk about, because the intersection of legal activities with what those in power find objectionable is the battlefront of liberty.
So while Tor may not be interesting to joe public yet, I do think it's worth exacting discussion of its strengths and flaws.
FWIW this includes Zed's criticisms up until the point he took his ball and went home.
Strongly disagree with (2). I use Tor because anonymous communication is essential in a democratic society. This has been known since the Federalist Papers were published anonymously in 1787-1788 [1] and has been constantly reaffirmed by our courts since then. The most oft cited case is McIntyre v. Ohio Elections Comm'n. As Justice Thomas wrote in his concurrence: the Framers shared the belief that [anonymous publishing] was firmly part of the freedom of the press. It is only an innovation of modern times that has permitted the regulation of anonymous speech. [2]
In terms of protecting your anonymity, even when correctly managing cookies you may be uniquely identifiable by browser fingerprinting: https://panopticlick.eff.org/
At least the last time I looked, the network appeared quite thin, with much of your traffic by default traveling through a small collection (perhaps as low as one) of exit nodes.
TOR also represents a juicy target for eavesdropping by its nature as a concentrator for people trying to avoid it. If you were a burglar, it would make sense to stay the hell away from a place the cops had identified as a hotbed of burglary since they'll probably be concentrating their efforts there.
Most of these things apply to other possible solutions, but at least there you may get the advantage of most users of those services "having nothing to hide" making them not as juicy a target.
If I was super, super concerned about my privacy and anonymity when sending a specific few documents or such, I'd most likely take a page out of the black hat handbook and compromise a few lightly administered servers and use a not commonly used covert channel.
"Wikileak's job is to take people's secrets and show them and who's hiding them to the world."
Here we see again the conflation of organizations and individuals in an opinion piece connected to Wikileaks. Why does this happen so regularly?
I don't know anything about Appelbaum, but it's perfectly possible that he believes in personal privacy and institutional transparency, a not particularly radical, surprising, or unusual stance which would resolve this "conflict of interest" perfectly.
Remember that Zed Shaw was "a top qualified soldier in the US Army". Maybe Zed is a bad actor in the pay of the US Army and this article is an attempt to discredit Tor for their benefit! ;)
The problem with Tor, as I see it, is that it can easily make you more vulnerable rather than less so.
When I access some random website from home, my traffic is vulnerable to capture and analysis by my ISP, the intervening backbones, and the website that I am accessing. I don't trust my ISP and the backbone providers not to examine my traffic, but I do have quite a bit of confidence that they don't care about me. I'm not very interesting.
If I use Tor, I add another party who can capture and examine my traffic: The Tor exit node.
I most emphatically do not trust random Tor exit nodes not to examine my traffic. I'm quite confident that the NSA and other government organizations run their own Tor exit nodes--after all, a stream of traffic generated by people who are interested in hiding their activities is likely to be quite interesting.
I can encrypt my traffic...but not all of it, and do I really want to trust that everything important is properly encrypted?
If I had something to hide, I'd do so by blending into the crowd, not by slapping a big "I'm trying to hide" label on my traffic and sending it to the people most likely to be interested in it.
Funny, I think in terms of my "informational immune system" all the time, and the one time I used it here I got downvoted into oblivion (though it looks like I recovered a bit!): http://news.ycombinator.org/item?id=2006412
Geeks are opposed to certain sources of knowledge, probably because they see themselves as on the receiving end of bad assumptions based on their clothes and mannerisms, and I agree with them that it's always best to avoid subjective judgments when possible. However, there are so many situations in life where you can't audit the source code yourself, and when there's serious risk, you have to make use of the information you have. You can't investigate the provenance of the cheese sandwich, and even if you could, do you really want to spend your whole life playing Sherlock Holmes? I'm thankful for open source and the people who read code, but I am not going to read the source code of every damn piece of software I use. Sometimes I'm just going to say, "The only source for this software is a shareware site in a country I've never heard of, and it claims to come bundled with porn, so I do not feel comfortable installing it on my Windows PC no matter how good some guy on 4chan says it is." Nothing against porn or countries I've never heard of, but my Spidey sense is tingling.
So why use OpenSSL, then? It's been written by people I don't know. Some of them may be Vigilants. Some of them may be secret members of the Wikileaks team. One of them even studied only 12km from the BND headquarters. It has had exploitable holes before.
It's reasonable to assume that if Hitler wanted you to die, he wouldn't poison you with a sandwich and risk being called a woman behind his back.
Anyway, motivations do not matter one bit when it comes to evaluating whom to trust with your data, if it's not safe by design then it's not safe period.
Tor is not exactly an ideal solution to the problem of privacy, as zed has pointed out. It is however a great solution to the closely related problems of anonymity and legal deniability.
If you're running an international criminal network I imagine it's ideal.
Am I wrong in taking the cheese sandwich from Hitler if it's a very good cheese sandwich? After all, I'm writing this on a Mac, a platform owned by a company that has interesting views on what people should and shouldn't be able to do with their own kit. I buy Windows from Microsoft (which according to many Usenet postings is clearly the closest thing to accepting a cheese sandwich from Hitler, especially in the Linux groups).
I think Zed's fallen wide of the mark here. He's failed to address the technical failings with Tor, instead opting to launch his own ad hominem attack on Jacob Appelbaum (who's done more than just work on Tor and Wikileaks) and the history of the project as a US Navy tool.
If he has such a problem with Tor then it's worth auditing the code and seeing for yourself. It's not perfect, but Tor has its uses. If you really need the kind of anonymity to protect something life threatening then don't use Tor (due to its failings in the cheese sandwich quality department, not because of its history or contributors).
I have heard that China runs lots of nodes in order to a) spy on people who want to hide from the Chinese government and b) spy on foreigners and c) make life harder for western intelligence agencies.
Maybe every secret police or spy organization runs exit nodes and you just have to use those from a government that has no interest in you.
Huh? Where's the conflict between Wikileaks and Tor? Wikileaks publishes government's secrets. Governments sniff (presumably) citizens' communications, both content and session data. Tor helps citizens to leak those secrets hiding their session data.
It's a myth that having the source code for a cryptosystem is going to allow you to spot backdoors. Crypto flaws have hidden for many, many years in far more important projects than Tor. Crypto flaws are very subtle; you can create a backdoor in a crypto routine simply by changing the way it happens to influence the L1 cache.
OMG! The government created something useful therefore it can only, fundamentally, be a trojan horse. While I'm sure there could be some crackers out there trying to insert bad code. I also believe these things tend not to stick around for long. Especially when blame says "Hey, I've inserted code here, here and here. Try not to read me too closely."
I've tried Tor in the past and I stopped because:
* It's really slow.
* It's the chatroulette of really questionable material. You stumble into some shit and think WTF?!
* The amount of traffic it generated caused my shitty router to slow down significantly or crash completely.
As I understood it, some of the guys who leaked material for Wikileaks did so by using Tor normally, as a Chinese journalist would. Wikileaks doesn't need to crack or misuse Tor in any way to receive leaks through it.
I didn't understand the part where Wikileaks and Tor are supposed to have different goals. I thought the point of Wikileaks was to publish information anonymously - surely Tor would be suitable to help with that (Tor as it is supposed to work)?
I must admit that I am simply too chicken to use Tor. In Germany I think it can actually get you in trouble if some pedophile exits through your node.
Also last I checked, there really were some issues with the security model. That was quite a long time ago, not sure if they have been fixed now.
Using Tor does not mean that you are an exit node. You have to actually set that up and it is warning you about it. Using Tor as a client only is safe and secure.
If people do bad things through your exit node, you are in danger regardless where you live. The law enforcement must be aware of what your server was doing. Its understanding varies from place to place.
OK, then I guess I made that decision to chicken out about running an exit node. It seems a bit parasitic to not run one and still participate, though?
It's important to remember that TOR is an anonymizer not an encryption scheme. It hides who you are not what you say. Think of it as using Hitler's wifi while you eat that sandwich.
> P.S. I have a long bet that SELinux is an NSA backdoor. Any takers?
I don't know if it's an NSA backdoor, but there were several security alerts related to SELinux. I don't understand why all common distros use this. I don't, I compile my kernels from unpatched vanilla source.
There were several security advisories in the past years, of various privilege escalation or other security holes that were actually in SELinux and not present in the vanilla source. I didn't keep a log of the details but you probably can find them in the advisories archives.
I don't remember precisely, just that the proof of concepts simply didn't work on a kernel without SELinux. When the proof of concept is for instance a privilege escalation, this is quite significant.
I, for one, would like to point out to Mr. Shaw (and others) that the Swastika is a religious symbol to a lot of people; maybe even 20% of all humanity (the Hindus, for one).
Just because the Swastika was co-opted by Hitler and his cronies means nothing to most people outside the western world (which is in a minority).
Secondly (while I have this soapbox): whether you take the sandwich from Hitler or not depends on whether Hitler is your "Der Fuhrer" or not (remember, he's long dead, so time travel is involved in Mr. Shaw's hypotheticals). If Hitler is your Fuhrer, then you _better_ take that sammich and eat it if he offers it to you! :-D
Haha, oh, Zed. Pretty sure the military STILL uses Tor. Oh no! What could the Navy or army have use for a tool that protects them from surveillance?! Oh right, everything...
It was all fun and games when Zed was talking shit about Ruby but he's jumped the shark. It was bad enough when he freaked out because someone was converting his book's code to Ruby from Python. Free code but not free book?
The report is that "A branch of the U.S. Navy uses Tor for open source intelligence gathering". All this means is that they use it to obscure their origin IP address from a website when they are collecting publicly available information (so that people don't look at their logs and see a huge navy.mil spider or the like) and has nothing to do with anti-surveillance or a sophisticated attacker being able to track them.