PRISM vs Tor

by mikeperry | June 8, 2013

By now, just about everybody has heard about the PRISM surveillance program, and many are beginning to speculate on its impact on Tor.

Unfortunately, there still are a lot of gaps to fill in terms of understanding what is really going on, especially in the face of conflicting information between the primary source material and Google, Facebook, and Apple's claims of non-involvement.

This apparent conflict means that it is still hard to pin down exactly how the program impacts Tor, and is leading many to assume worst-case scenarios.

For example, some of the worst-case scenarios include the NSA using weaponized exploits to compromise datacenter equipment at these firms. Less severe, but still extremely worrying possibilities include issuing gag orders to mid or low-level datacenter staff to install backdoors or monitoring equipment without any interaction what-so-ever with the legal and executive staff of the firms themselves.

We're going to save analysis of those speculative and invasive scenarios for when more information becomes available (though we may independently write a future blog post on the dangers of the government use of weaponized exploits).

For now, let's review what Tor can do, what tools go well with Tor to give you defense-in-depth for your communications, and what work needs to be done so we can make it easier to protect communications from instances where the existing centralized communications infrastructure is compromised by the NSA, China, Iran, or by anyone else who manages to get ahold of the keys to the kingdom.

The core Tor software's job is to conceal your identity from your recipient, and to conceal your recipient and your content from observers on your end. By itself, Tor does not protect the actual communications content once it leaves the Tor network. This can make it useful against some forms of metadata analysis, but this also means Tor is best used in combination with other tools.

Through the use of HTTPS-Everywhere in Tor Browser, in many cases we can protect your communications content where parts of the Tor network and/or your recipients' infrastructure are compromised or under surveillance. The EFF has created an excellent interactive graphic to help illustrate and clarify these combined properties.

Through the use of combinations of additional software like TorBirdy and Enigmail, OTR, and Diaspora, Tor can also protect your communications content in cases where the communications infrastructure (Google/Facebook) is compromised.

However, the real interesting use cases for Tor in the face of dragnet surveillance like this is not that Tor can protect your gmail/facebook accounts from analysis (in fact, Tor could never really protect account usage metadata), but that Tor and hidden services are actually a key building block to build systems where it is no longer possible to go to a single party and obtain the full metadata, communications frequency, *or* contents.

Tor hidden services are arbitrary communications endpoints that are resistant to both metadata analysis and surveillance.

A simple (to deploy) example of a hidden service based mechanism to significantly hinder exactly this type of surveillance is an XMPP client that also ships with an XMPP server and a Tor hidden service. Such a P2P communication system (where the clients are themselves the servers) is both end-to-end secure, and does *not* have a single central server where metadata is available. This communication is private, pseudonymous, and does not have involve any single central party or intermediary.

More complex examples would include the use of Diaspora and other decentralized social network protocols with hidden service endpoints.

Despite these compelling use cases and powerful tool combination possibilities, the Tor Project is under no illusion that these more sophisticated configurations are easy, usable, or accessible by the general public.

We recognize that a lot of work needs to be done even for the basic tools like Tor Browser, TorBirdy, EnigMail, and OTR to work seamlessly and securely for most users, let alone complex combinations like XMPP or Diaspora with Hidden Services.

Additionally, hidden services themselves are in need of quite a bit of development assistance just to maintain their originally designed level of security, let alone scaling to support large numbers of endpoints.

Being an Open Source project with limited resources, we welcome contributions from the community to make any of this software work better with Tor, or to help improve the Tor software itself.

If you're not a developer, but you would still like to help us succeed in our mission of securing the world's communications, please donate! It is a rather big job, after all.

We will keep you updated as we learn more about the exact capabilities of this program.

Comments

Please note that the comment area below has been archived.

June 09, 2013

Permalink

to be honest, beyond what you have mentioned here, I am a bit concerned about this:

[ unsafe shortened urls pointing at unknown/unpopular url shorteners ]

which I am guessing by this point probably affects not just computers with Windows but pretty much anything...

Curious how to get this crap out of our computers because apparently end to end encryption is not enough.

Thoughts / responses?

Sorry for censoring your comment, but...

to be honest, in a post where I mention the use of weaponized exploits by governments, and where you yourself appear to be alluding to weaponized exploits, I could not in good conscience post your sketch URLs.

Nor as a software developer who writes software that people depend on could I click on those URLs myself without spending a few hours/days to get a fresh computer, fire up a VM, and examine what the hell they did to it.

Do you have any non-shortened versions?

To answer your general point: I truly believe that the use of weaponized exploits risks crashing the world economy. Software engineering is simply not prepared to deal with this threat.

With the number of dependencies present in large software projects, there is no way any amount of global surveillance, isolation, or firewalling could sufficiently isolate and protect the software development process of widely deployed software projects in order to prevent scenarios where malware sneaks in through a dependency into software that is critical to the function of the world economy.

Such malware could be quite simple: One day, a timer goes off, and any computer running the infected software turns into a brick.

This shit is a doomsday scenario on the order of nuclear conflagration, and anything short of global disarmament risks humanity (or at least large sectors of the world economy) losing access to computing for months or even years.

There is no M.A.D. scenario as a deterrent here either. Stockpiling more exploits does not make us safer. In fact, the more exploits exist, the higher the risk of the wrong one leaking -- and it really only takes a chain of just a few of the right exploits for this to happen. There will also be no clear vector for retaliation. Moreover, how do you retaliate if you have no functioning computer systems or networks left?

If there's *anything* we should be spending the NSA's $10B+/yr budget on, it's making sure key software development processes are secure against tampering, exploitation, and backdoors, not reading people's fucking email.

End the madness before it's too late.

June 10, 2013

In reply to mikeperry

Permalink

Hi, it doesn't bother me that you have excluded the shortened URLs etc. Let me try again... Also, I agree with the stuff you have said above. Yes. Yes. Yes. Also, end the madness, ditto!

That said, here is (hopefully better) non-shortened link... Anything you can do to provide remedy or clarification, would be great help.

http://www.governmentsecurity.org/forum/topic/35049-anything-that-remov…

July 14, 2013

In reply to mikeperry

Permalink

Tor needs a toaster. What I mean is that most people r4eally do not wish to figure out how to load and configure secure stuff and keep prying unconstitutional searches and seizures of our digital effects. Most people do nor really need to understand it either AS Long AS it works and is effortless. They need something that they point and click and they have the best we can manage LIKE a TOASTER plug it in and everything comes out light brown with no special skills. REMEMBER, the more grandmothers and children who use Government or better grade encryption the better everyone else will blend in. I personally have no real need except that it ticks me off to live in a police state with the likes of The NSA looking over everyones shoulders and denying freedoms that were well understood at the foundation of our nation.
Is there some way to have a torified way to have my computer generate BTC for donation to TOR perhaps on a distributed basis. OR perhaps could TOR SET UP ITS OWN CYBERCURRENCY!

It might be nice to also keep out 10 % of what I make for future uses which i might figure out later.

June 09, 2013

Permalink

Thanks for your article. A great problem in my opinion is also that the general public is hardly aware of their possibilities to protect itself with the tools named above. The tor browser bundle is excellent solution and solves a lot of beginner problems.

What i have to criticize about the Tor site is that even for a technically interested user like myself (IT consultant) its pretty hard to get into the different concepts of tor usage (relay, bridge relay, exit) and through the documentation of installing them.

Keep up your great work and thanks for it! I've donated a few times and also make tor use public whenever i can, i. e. my YouTube Channel.

Perhaps, as with your youtubes, the emphasis can be distributed to us techies to help educate. Im starting to run a weekly series of short tutorials on encryption, mainly for my non techie friends, aiming to talk through concepts such as public/private keys, email, tor, diaspora, etc. The hope for me is to get more non experts using these tools by default. Storms such as Prism represent great opportunities to spread information on basic use while the issues are on peoples minds.

Hi,

I'm a "non-techie" who is new to Tor and very concerned with internet privacy and security which is why I have it installed in my own and my mother's computer. I am only beginning to have a basic idea of how all this works and you mentioned giving short tutorials to your technically disadvantaged friends. Wouldn't it be helpful if there were such a tutorial for the rest of us who are not your friends? I mean I read the above article and checked out some of the other services you mentioned but I'm not quite sure what they do or how they can serve me. Anyway it would be a great service to many people if there were some way for the rest of us to understand encryption and the internet, how to protect our emails etc.

Maybe you could compile a tutorial on a DVD for sale. I know I would buy one and the proceeds could go to serving the Tor Project because believe me I am not the only person who's concerned, interested and yet clueless and under-informed.

June 09, 2013

Permalink

Have you considered the possibility that the NSA is able to factor large numbers, such as the 1024 and 2048 bit keys used in RSA and what that would mean for Tor?

Tor was designed at the turn of the century, when it was widely believed that 1024 bit RSA was large enough to last for many decades. Moreover, at that time support for longer key lengths raised the serious risk of overloading relay CPUs. In fact, we still face the CPU overload issues with 1024 bit RSA keys today, and this actually introduces its own security risks (due to DoS attacks, circuit failure attacks, and related route capture issues).

The good news is we are in the process of upgrading Tor's protocols to support faster, stronger ECC keys, as well as making it easier to change key length and algorithms in the future should the NSA prove to be lying about ECC, too. See the "Key Length" section of https://blog.torproject.org/blog/hidden-services-need-some-love and the links therein for more details

June 09, 2013

In reply to mikeperry

Permalink

What do you mean lying about ECC too? At the turn of the century did the NSA say that 1024 bit RSA would be safe for decades to come?

No, I just meant the SIGINT group's habit of repeatedly lying to Congress and the public makes the COMSEC group's recommendations about ECC curve choice and key length carry less weight by themselves.

It does appear that NSA's previous recommendations on crypto have all been validated so far, but at the end of the day, we don't actually know which NSA group each recommendation actually comes from.

However, since many external researchers and institutions are also in agreement about ECC key length and curve choice at the moment, my concerns don't really have much weight. I was just being snarky.

June 10, 2013

In reply to mikeperry

Permalink

I can verify with a 100% certainty that NSA has broken 1024 and 2048 AES....since at least 2007..

If that is true, and if the NSA has active MITM intercept systems installed either near the Tor network infrastructure or around the world, then they could break Tor by either capturing routes or altering the consensus to send targeted users through tagged routers.

However, if the intercepts are passive, then because Tor uses Forward Secrecy, simply breaking the RSA keys offline and performing passive intercept is not enough to decrypt Tor communications, unless they can also break DH (and for Tor 0.2.4.8+, ECDH).

Do either you or the Skype commenter below you care to comment about DH/ECDH, or if you have any knowledge about active vs passive global intercept? So far, all the official leaked info we've seen (Mark Klein, et al) seems to indicate that the dragnet surveillance is based on a half-duplex splitter-style configuration that would not be capable of active MITM and in-flight traffic manipulation required to intercept the DH/ECDH handshake..

Either way, we are aware that RSA 1024 is insufficient (and we are assuming that DH in Zp is insufficient), and we are in the process of upgrading, as I said in the parent comment. It will happen sooner if you help!

June 16, 2013

In reply to mikeperry

Permalink

If "NSA has active MITM intercept systems", how would we know about it?
How would this look like, to a Tor user?
Are there any signs to look for? In "View the Network" window?
But more important:
Can you, or some other Tor developer, design a method to detect/verify if this is the case?

These are two articles with more details on this subject:
http://arstechnica.com/tech-policy/2013/06/details-emerge-about-prism-b…
Quote: "We hack network backbones – like huge internet routers"

http://bigstory.ap.org/article/secret-prism-success-even-bigger-data-se…

I'm no puter techy by any stretch. I have however matain and do try over the last 20 years attempt to read and get a basic understanding of things. From my limited knowledge I understand there's a distinction between encrypted data.voice, or video. And assigning a key to be able to decrypt the file source. While one exists in the wild the other remains private. I remember when 256 bit was thought to be pretty unbreakable. In some ways it is still tough to crack. It would take all the cold air the artic polar region can provide to cool down all the processors necessary to crack something 1000 bit or greater. It's just not possible to have that kind of resource. I believe a little bit of paranoid as taken over your rational. Tor is a thorn to the nsa in that it is like one of those play ball pens they have for children. Only if they can lock on to your ip as the outgoing or input source that they may get to you. The only thing inside of pc to date is the hardware to operate it. Maybe they may mandate gps devices or keylogger hardware. use all your security software often to keep nosy people out. I do believe what Prism is really about is harvesting personal info much like how google does. I would under this circumstance always feel this method is suspect to many other advantages that would be illegal.
hope some of this will be reassuring.

Citation definitely needed. If the NSA has genuinely broken 2048-bit AES encryption, that's a very big deal, because the current literature on encryption says this is impossible before the heat death of the universe, even with every computer on Earth at your disposal. Your say so that you can verify it isn't enough I'm afraid.

In short: citation please.

You are referring to brute-force attacks. "Breaking" a crypto system such as RSA or AES implies a design weakness. Brute-force attacks remain unfeasible as long as reasonably-sized keys are used.

June 10, 2013

In reply to mikeperry

Permalink

AES 1024 and 2048 broken many years ago by NSA...since at least 2008..they also had quite a hard and frustrating time figuring out Skype until it was purchased by an American corporation. ;) (fun little tid bit)

July 14, 2013

In reply to mikeperry

Permalink

Have you considered using NTRU instead of ECC.
RSA and ECC can both be broken by quantum computers, NTRU cannot.
NTRU is faster than RSA and ECC.

Factoring large numbers might not be necessary if the encryption used is based on a trust model founded on the public Certificate Authorities.

(I do not know what trust model Tor uses and would LOVE to know... hope someone knowledgeable can comment.)

Google on [certificate authority hacked] and you'll find that the CA infrastructure has been compromised. An eavesdropper possessing stolen CA credentials or tools for generating them can access encrypted streams with little computational or practical effort.

Tor does not rely on any CAs. Every node generates its own keys and directory authorities are hard coded into the application. If you are looking for an introduction to the way Tor works there are several videos on YouTube.

June 09, 2013

Permalink

Well, is this enough imputes to get you guys/gals focusing more on HS?!

I am REALLY disappointed that my offer of $100 (or more) a month to support HS dev (see the very FIRST post in that HS blog post you linked to) wasn't taken up, NO ONE EVEN TRIED TO CONTACT ME. I guess you guys/gals have all the money you need . . . oh wait, not you don't (fell free to slap Tor Projects' collective forehead)

Tor really needs developers these days. The Hidden Service blog post was not about getting money, it was about getting developers.

Even if Tor got your $100 per month, they wouldn't have a developer to give the money to.

This is not true. So far, every position we have announced to hire for has gotten scores of high-quality applicants. There is no reason to believe hidden services would be any different.

There are also many contractors at Tor who do not work full time, and even small donations would allow us to fund more of their time.

So you are suggesting I shouldn't give $100 a month? It's not that my $100 will be a big difference, but if lots of people did that it would. So, don't you put up or shut up?

Well, look at it this way: We have an extremely large number of people who donate around that many hours per month to Tor by running relays, occasionally helping to track down bugs, and writing the occasional patch. These efforts are extremely important, and Tor would not be possible on its current budget without them.

If you're not technical enough to devote your time, or if you don't have that time, or if you do donate your time, but your day job/family/whatever prevents you from doing more, small donations are just as awesome as volunteering more time.

From this perspective, $100/mo is absolutely a huge contribution from an individual.

June 10, 2013

In reply to mikeperry

Permalink

Hi Mike!

Can my $100 be earmarked for HS work? Or is there only one way to donate, to a large kitty that you guys use at your discretion?

I'm cutting the cord to T.V., so that's $100 I won't be spending per month that I can donate to Tor. I use Tor much more than my T.V., anyway! :D

This is a good question. I'm not the one to answer it unfortunately. Perhaps email the donations address listed on the donate page?

To support this, we probably would have to define our own large buckets carefully such that they are big enough to justify the management overhead involved in allocating and prioritizing development for each bucket...

That management is its own expense though, and right now, tor is rather light on the management/overhead side (and all of our management is rather overwhelmed with tracking large sponsors' specific line-item feature deliverables).

I am personally in favor of creating these large buckets for large scale sponsors, too, because specific feature deliverables are really hard to handle when we have so many different things we need to react to on a given day just to keep stuff running properly for each of our major components.

June 09, 2013

Permalink

Below, let me post the offer I already made (in the HS need love blog post) and no one even bothered to respond to; maybe this time will be different?

Though, I doubt it, most Tor Project folks seem to hate communication via. blog posts, yet, they don't offer a real discussion forum (e-mail lists are not a real solution for laypersons)!

"Are we able to donate to Tor Project and make sure said donations are only used for use X, which in this case would be to research/implement some of the points above?

I'd send in at least $100 a month to support such a project."

June 09, 2013

Permalink

Many thanks for your blog on the PRISM program. Wikipedia > HTTP Secure > Overview, says "As of 2012-06-22 12.3% of the Internet's 186821 most popular web sites have a secure implementation of HTTPS". I know this information is almost a year old and that more websites have HTTPS. Let's hope 100% of the websites we use are in that 12.3% plus more. The EFF interactive graphic showing use/ non use of Tor and/ or HTTPS is indeed excellent! I'm sure the websites of TorBirdy, Enigmail, OTR and Diaspora have had more 'hits' since your blog was published. I look forward to updates about PRISM vs Tor. Thanks again!

June 09, 2013

Permalink

So when is the Tor Browser Bundle gonna stop being the flagship of the Tor project so we can get email (Torbirdy is barely a consideration) and chat clients (OTR is likewise barely an option) similarly hardened instead of waiting on the Tor project to do it for us?

Modularity is the only way you avoid stuff like feature-creep and backdoors.

Nope. I'm sick of, as you can see with the 3.0 alpha builds, Tor being more and more asinie Firefox-dependent crap instead of taking a modular approach which enables creation of hardened clients and use of portable bundles that do more than web browse.

Now it's all controlled through a Firefox addon. Next it'll be written in Flash? /sarcasm

June 09, 2013

Permalink

Most likely, they just take all the data streams going to/from the entry nodes, all the data streams going from/to the exit nodes, and then use traffic and timing analysis to figure out the rest.

This is indeed possible in the more extreme scenarios of total NSA compromise of global Internet infrastructure that I mentioned in the original post, especially with the relatively low number of concurrent Tor users that we have today.

However, if they take any shortcuts to reduce the resolution of their timing information to conserve storage, computation, or bandwidth, then it is very likely that they will be unable to fully correlate the activity of very large numbers of Tor users in the future. Similarly, if Tor (or a Tor user) takes efforts to obscure high-resolution timing data through padding or other schemes, either the NSA's false positive rates will go up, or their success rates will go down.

Such a correlation also assumes the NSA would be capable of recognizing and correlating custom pluggable transports and other entrance mechanisms that would allow entrance into the Tor network without looking like the Tor protocol. After all, one can write a new pluggable transport in python in just a few weeks...

Such correlation also adds another N^2 factor to the complexity (computation costs) of metadata analysis for the dragnet scenario. This can prove quite expensive if they have to correlate against potentially large volumes of traffic due to pluggable transports that look like say, bittorrent.

In fact, as bandwidth becomes cheaper and transmissions more frequent and varied, it seems like correlation will only continue to get harder.

The situation is further worsened if users can move around or compromise hosts at will (perhaps because say, the military industrial complex now has an incentive against US companies actually *fixing* flaws in software, and also because that shit will leak like a powerpoint deck in no time flat).

They may have short term victories because of the relatively low numbers of Tor users today, but in the long run it sure seems like our job is easier and cheaper by many, many orders of magnitude. Thank chaos for that, because I would rather have secure communications than oppressive, secret surveillance engineering who-knows-what political machinations behind the scenes...

It really makes one wonder exactly how much money we need to throw into those shiny black holes at Fort Meade and Utah before this becomes clear...

Excellent point. Thank you.

Running a bridge or relay will help to remove some of the high-resolution inter-packet timing information that makes correlation accurate.

Custom padding schemes are probably actually less help than being some sort of relay. If you don't have a really full understanding of exactly what you're doing, you're likely only hurting the Tor network for no reason, because naive padding schemes can be modeled and subtracted from the packet traces easily.

In fact, I think it is fair to speculate that running the latest and greatest pluggable transport bridges to help censored users is the best existing way to defend your own traffic from correlation, especially if your transport is under heavy use.

That way, you avoid showing up in the public Tor network router list, but still have a Tor traffic stream coming out of your IP to blend with your client-originating traffic. Further, the fact that the pluggable transports are necessarily under rapid development to avoid detection by censorship systems will at least mean that the NSA needs to devote constant attention to recognizing the input stream to your pluggable transport bridge. And if that is hard for China, it's probably hard for NSA, too.

June 11, 2013

In reply to mikeperry

Permalink

Great comments, thanks :) BTW, I'm the same guy that's offering to send in $100/mo.

Looks like I'm to start using those Tor Browser bundles. Thanks for the confirmation.

June 11, 2013

In reply to mikeperry

Permalink

Hey Mike,

Me again.

What are your thoughts about running Tor Flashproxy badge (Firefox w/o Tor) and Cupcake (Chrome/Chromium w/o Tor), with respect to this topic overall (i.e. for when we're not using Tor . . . )? I use both those in the respective bowers I use.

Also, I assume this would be dumb, so please let me know if it's dumb: Installing Tor Flashproxy badge into Tor Browser.

June 10, 2013

Permalink

Mobile devices are used much to access the internet. There are free apps available from the Guardian Project for Android but I don't see any mention in the download section of free apps for Apple iOS. Why is that. That is not a criticism as I appreciate what the Tor project does but as mobile devices could become the most used means to access the internet in the near future you could give some information on free apps for Apple devices.

June 10, 2013

Permalink

You're not in the business of reviewing tools, but since you mentioned a few I'm curious whether you or anyone has an informed perspective on Gliph (http://www.gli.ph), an iOS/Android/web-based app that promises 256-bit encrypted p2p messaging. It's hard to validate developers' claims.

June 10, 2013

Permalink

Hi, Are I2P and Freenet models the best options for privacy & security? Approximately how soon before upgraded encryption is actually implemented and used for the Tor? Will there be a flag day getting it online? Thanks

I2P's communication model is similar to Tor's hidden services, and against a passive adversary probably has similar metadata analysis resistance properties.

However, I2P does not attempt to strongly authenticate the network routers or network membership. This makes it more vulnerable to router impersonation, route manipulation, route capture, and Sybil attacks than Tor is.

Tor also has its own variety of route capture attacks, but because of the consensus and authenticated network membership, we're in a better position to defend against them.

I2P's RSA key lengths appear to be the same as Tor's.

Beyond that, I2P's scant protocol documentation makes it hard to comment much further.

I know even less about Freenet, but last time I checked, it did not support arbitrary stream-based communications that would be required for doing cool stuff like Diaspora, or even realtime chat.

June 10, 2013

Permalink

Mobile Users:
The Onion Browser for iOS is free, in the Apple App Store, as well as ChatSecure, an XMPP App with OTR built in.

June 10, 2013

Permalink

I would love to support Tor but until all pedophile .onion sites are deleted and not allowed within the Tor network I can't. Many others feel the same way.

The ability to censor any onion sites would compromise Tor in a way that would render its most compelling features useless.

See also: https://www.torproject.org/docs/faq-abuse.html.en#RemoveContent

TL;DR: If people are going to post evidence of their child abuse crimes online, shouldn't police be using that evidence to infiltrate the abuse rings, find the children, and stop the abuse, rather than simply trying to hide it?

This is not to say that any search engines that index .onion (or the Internet) couldn't or shouldn't take these sites out of their index to make them harder to find (especially accidentally), but adding the ability to shut down arbitrary endpoints is not the right solution.

People should have "moral compasses," if indeed there were such a thing. And they should all be pointing the one true way, I guess. And everybody should be guided by them. Hurray? Tor should have a moral compass? And telephony too, I'll bet. And fiber optics, copper, cars, guns, knives, pen & paper? A very foolish notion. Stipulated: the very sun itself should not shine on pedophiles, and they should all trip and fall down, and remain unable to rise. Well, you've certainly established your moral bona fides -- no Tor for you until it's not Tor!

June 14, 2013

In reply to mikeperry

Permalink

It would seem to me that the more people who view "pedo/CP" material and sites, the more chances for predators to be exposed and their victims identified.

I am fairly certain that at least one child-rapist is now, finally, behind bars as a direct result of evidence I saw at a "pedo"-oriented site and acted-upon. Yet, both myself as well as the people who cooperated with me put ourselves at risk in coming forward and presenting the evidence.

"Sunlight is the best disinfectant."

And especially the scams, because of course the "hired assassins" are fake. And the panhandlers, they are a nuisance. And once we do that, we can get down to business and have a central committee decide what people are allowed to say to each other.

Because they, and several other offers of illegal activity came into existence at the same time. They all demanded the exact same amount of money, regardless of the service offered. They all required up-front payment and some of them were obviously fraudulent.

It boggles my mind how people can put credit in things like that with all of the outrageous things that are in hidden services, I2P, the public Internet and the like.

There is no comparison or justification for Tor not to do anything about the abuse and sexual exploitation of children that is happening on .onion sites. I hope I am wrong and I hope they're secretly working with crime agencies around the world to get all these pedos locked up and that is why so many .onion pedo sites exist. Tor is known as a pedohaven on every popular site..that's practically the only thing Tor is known for on any website, forum, or chan board.

Perhaps if you were abused and molested and video recorded like I was and found a video of your young self being raped on a popular .onion pedo site, you'd feel way different about all of this. Freedom of speech shouldn't include the protection of pedophiles to upload CP content, share it, download it and discuss it.

Sorry but I just have to reply.

Censor the Abuse and Sexual exploitation of Children! Save the Children! NOW!

Perhaps you should review some recent history. There was this little governmental take over in Germany oh not so long ago. One of their main tactics to impress restrictions upon its citizens was to declare "It is for the sake of our children!"

Citation: Mein Kampf

Freedom has its bad points. CP is one of them. But, it is not bad enough to give up ANY freedom.

I'm sorry you had to go through what you did. The individual who did so had no right to take away your freedom to not be raped.

"There is no comparison or justification for Tor not to do anything about the abuse ..."
I might as well say that there is no justification for you to not end violence. The people working on the Tor Project don't have any more ability to stop CP than you do to end warfare. You don't seem to understand how these things work.

"that's practically the only thing Tor is known for on any website, forum, or chan board. "
The sites that I visit know Tor for very different things (such as helping the Iranian protestors communicate when Iran tried to block social media, helping Chinese people learn about Christianity and helping people report crimes without fear of retaliation). The Tor Project maintains a list of some of their users here:
https://www.torproject.org/about/torusers.html.en

Included in the list are children. If you don't use Tor, then your location could be traced by others online. I know how to trace the origin of emails, for example. Others are much better at it than I am. If you don't want some pedo who's noticed your kid online to be able to push a button and find out where your kid is, then have your kid use Tor. If you don't use Tor, you can be traced by criminals as easily as by cops.

"Perhaps if you were abused ... like I was ... you'd feel way different about all of this."
Perhaps if you would read "What Colour are your bits?", then you would understand that what you're asking for is impossible. If it were possible to take down sites that violate US law, then it would also be possible to take down anything else, including things that violate Chinese law, such as discussions about democracy. It isn't about people not caring. It just can't be done.

What Colour are your bits?: http://ansuz.sooke.bc.ca/entry/23

Here's something I really don't understand:
Would that crime really have hurt you that much less if there wasn't a video online?

It seems to me like the actual abuse would be bad enough that a video shouldn't make it much worse. It's terrible either way. Even destroying Tor completely wouldn't have prevented most of the pain. It would only destroy the good uses.

CP came before Tor. Molestation came before CP. Both will outlive Tor by centuries.

If Tor were weakened sufficiently that it was possible to remove CP from it, then it would be possible to trace all its users, including Reporters without Borders and Human Rights Watch. Putting a tiny dent into child abuse by shutting down or weakening Tor, even if it were possible, wouldn't be worth the damage done to NGOs. Many good people would be tortured and killed, probably including children.

By the way, how is it that you've spent enough time on pedo sites to have discovered a video of yourself? If you posted something about me on one of those sites, I'd never find out. I'm starting to wonder if you just made that up.

While I agree with most of what you wrote, a little more sensitivity (and affording the benefit of the doubt to; assuming good faith) to the poster you are replying-to is in order.

"By the way, how is it that you've spent enough time on pedo sites to have discovered a video of yourself?"

Logic fail.

Spending any considerable length of time at the sites in question is not necessary in order for the claim in question to be plausible.

(Besides which, I don't agree that merely *viewing* *anything* should, in and of itself, be considered a crime.)

Re: "drug sites":

-What about, for example, chemotherapy patients, many of whom are dying anyway?
Would you deny them the little respite and relief they claim that marijuana provides them?

Current drug policy in many places does just that, leaving such people-- in misery-- with no alternative but the very "black markets" that you refer-to.

- Alcohol is a DRUG that is at least as deadly and claims at least as many lives as any number of substances that don't enjoy the blessings of the law and social acceptance.

What about "taking down" some of the (legal, sanctioned, privileged) mega corporations that promote, glamorize and glorify this poison?

Re: "money laundering": Can whatever Tor may facilitate in this regard even hold a candle to the likes of the Wall Street banksters or even (or especially) the Federal Reserve, the World Bank, etc., et al?

Not that two wrongs make a right but perspective is needed.

http://arstechnica.com/tech-policy/2012/06/fbi-halted-one-child-porn-in…

>wangstramedeous | Ars Praetorian Tue Jun 12, 2012 1:55 pm

>Child pornography is a symptom of a larger malaise in society, namely child abuse and exploitation. Simply putting so much emphasis on one medium of distribution (media delivered via the internet) suppresses and ignores what is going on all around us. Really, its a snap shot of a reality that is part of the fabric of society. Destroying the evidence of it in one aspect does nothing to address it.

>It is simply an act of making unseen what is clearly a problem more widespread and larger than people looking at videos and pictures. Even if we were to imagine that we wiped out every single cache available online, it ignores that one of the most vulnerable segments of our population is still being exploited. The lopsided nature of policies targeting people that consume the media vs people who actually engage in abuse belies this.
.......

http://news.cnet.com/8301-13578_3-9899151-38.html

>by PzkwVIb March 21, 2008 4:55 AM PDT

>If people are abusing children and producing child porn, then go after them. [...]downloading such material does not harm a hair on a child's head. [...]Making possession, which on the net can even mean hidden thumbnails on web pages, is just plain Stupid.
[...]

>but as a law enforcement official or a politician you get the same boost in popularity if you go after the easier to catch people than the ones actually harming children.

"The love between men and boys is at the foundation of homosexuality. For the gay community to imply that boy-love is not homosexual love is ridiculous." - "No Place for Homo-Homophobia.", San Francisco Sentinel, March 26, 1992

"Shame on us if our lesbian/gay voices remain silent while our
NAMBLA brothers are persecuted once again, and shame on those
lesbians and gay men who will raise their voices to condemn NAMBLA,
insisting that boy lovers (and presumably the boys they love and who
love them) are not part of this thing called the lesbian/gay
community."
- Steve Hanson, "Shame on Us.", Bay Area Reporter, January 23, 1992

"NAMBLA is by no means on the fringe of the "gay rights" movement. For years, it was a member in good standing of the International Lesbian and Gay Association (ILGA), and was only jettisoned by ILGA when the parent organization applied for United Nations consultative status in 1993. Years earlier, the ILGA itself had resolved that "Young people have the right to sexual and social self-determination and that age of consent laws often operate to oppress and not to protect." "
- http://www.lifeissues.net/writers/clo/clo_09homosexuality.html

While I agree with most of what you wrote, a little more sensitivity (and affording the benefit of the doubt to; assuming good faith) to the poster you are replying-to is in order.

"By the way, how is it that you've spent enough time on pedo sites to have discovered a video of yourself?"

Logic fail.

Spending any considerable length of time at the sites in question is not necessary in order for the claim in question to be plausible.

(Besides which, I don't agree that merely *viewing* *anything* should, in and of itself, be considered a crime.)

The "love" being referred-to in the above quotes is little more than an Orwellian euphemism for the buggering and sodomizing of tender youth by adult males.

(This is particularly disturbing when one considers the distinct physical as well as psychological disadvantage that the *receptive* partner in anal penetration is placed at: The bulk of the considerable risk of deadly infection as well as injury, ALL of the pain, discomfort and inconvenience that are endemic to this act, etc. )

Do You really believe 911 was terrorist attack??? Your government is the biggest gang of amoral criminal feeding lie and destruction around the world. Are you insane: i want all adv sites are deleted, censored sites - deleted etc means I want to decide what to delete - "many others feel the same way" and we are from nsa/cia/fbi/etc.com.

June 10, 2013

Permalink

i just found out about this and i am interested in helping. i dont have money but i do have loads of free time and the ability to learn. i am not a developer but i am seriously considering trying to become one. i will look into the stuff here and try to figure out what i can do. many thanks TOR project. y'all are great :-)

June 10, 2013

Permalink

Let me understand, Tor uses 1024 RSA keys and NSA could pobabily have quantum computing device in her hands and you do think Tor is still reasonably secure? Why?

"NSA could pobabily have quantum computing device in her hands"

"her hands"?

How many women work for the NSA?

Sounds like political correctness run amok.

June 10, 2013

Permalink

I think it's the time to considered the new protocol. The internet is borne thanks to the US military network, and that's made the government and agents easily to pry on them. I think we should make the TAN (The Alter Network) that can be rival the existence of the internet it self. Simply by using the existence of TOR hidden service as an example, add with either geo or satelitte connection to increase the bandwith. Let the government rule the net while the civilian made their own un-regulated aka rebel network. Serverless and portability is the key here. But of course the problem is how to get the new internet alternative can be work. First we shall needed the the energy source, second we shall needed fully double or triple encryption this one modelled after freenet and garlic I2p layer and finally hopping and jumper like tor it self.
Yes it's too big if only one or 2 but if all the people who loves the freedom joint hand in hand together then we shall made it. For the energy resources I work the hardest, but should this power resources available where can I send the plan for free for all of you? I'll do this because of the freedom to express our thought is above of all. I come from Indonesia the pseudo democratic nation who actually be the one who shall oppress any of freedom of thought

June 11, 2013

Permalink

Hello. Here is how NSA most probably works (one of the ways, as they use multiple ways to get the deciphered data. It does not hack the https, but it accesses the data after it has been decrypted from https, at the Server side. (meaning they get the IP and the name).

Can you comment how Tor could do against this way?
the link in german, but google translates it very good:http://fm4.orf.at/stories/1719346/

thnx.

June 11, 2013

Permalink

There was a breach a good while ago in secrecy in San Francisco when a technician blew the whistle on a "secret room" at AT&T that intercepted all electronic traffic (IIRC). It's not clear whether the honchos knew or not. It wouldn't be necessary.

June 11, 2013

Permalink

Brief comment regarding the donation issue (donator wanting to contribute to a small sub-developed part of Tor)...perhaps a solution would be to contact the Software Freedom Conservancy to see about incorporating these small parts of Tor into their umbrella framework? They do awesome work for many Free Software projects and to my mind it'd be worth a discussion if nothing else.

Cheers.

June 12, 2013

Permalink

Why nobody is asking how many TOR nodes are set up by NSA and by its cover companies? NSA-TOR-nodes could be even visible via cable modems, ADSL lines etc. If there are 10000 Tor nodes online and 9500 of them are set up by NSA what would it mean? Also EFF interactive graphics only recognizes case where NSA is out-side of TOR. What if they have captured the TOR? Would somebody more familiar with TOR comment this?

May I ask how you plan on doing such "actual searching" without getting yourself flagged as suspicious in the process?

Rely on Tor?

How will you even know that whatever info you find won't have been manipulated and altered by potentially NSA-run exit nodes?

If you've found some way of achieving reasonably reliable, trustworthy end-to-end encryption for all of the sites you may visit, please share it with us!

Because the number of sites that support HTTPS-TLS is still a distinct minority (as problematic as the whole CA- thing is in the first place.)

June 12, 2013

Permalink

Diaspora... WOW.

We are seeing the beginning, but I fear your mention of DIASPORA* is misplaced. I predict it will die a silent death if only because of their ignorance of Web 3.0, i.e. the new RDF based communications model. They are ignorant. (*shock* I thought it was only the corporate suits that were ignorant!?)

"sarahmei closed the issue January 08, 2012"

No one is going to custom write libraries for every new DIASPORA* that comes along! I'm not, that's for sure. They believed that if they just built a brand new protocol and API, they would come. (Ignoring all the same protocols already implemented in RDF at the same time.) No, we will not. I really don't have the time. No one does. We will write a FOAF and a SIOC RDFa parser, ONCE, and THAT IS IT. We will not change our code to accommodate Salmon (I prefer rock fish) or whatever new API comes along. We will not write a JSON parser for your new gizmo.

No. Just no. This "is something we can certainly think about" but maybe we should think just a little harder. Enough excuses. I do not trust your Ruby code enough to run it. I will proxy my curl calls through Tor, maybe, if I have time. I am not in the Silicon Valley API game and I don't want to be. DIASPORA* will take their lead in the industry and they will flush it down the toilet and the movement will falter, pushing the dream of a decentralized world that much farther away. They will waste the time of countless talented programmers and dreamers. And the consequences will spread far beyond DIASPORA* and in to every decentralized communication project.

So I am glad you linked to the other projects. Hopefully that will be enough. [P.S. this is a shorter, sanitized version of a longer diatribe I also submitted for moderation.]

Isn't RDF related to Internet becoming a total surveillance database?

cf. Paul Marks: Pentagon Sets Its Sights On Social Networking Websites
New Scientist #2555, 2006

June 13, 2013

Permalink

Now that we know that the NSA (and probably other intelligence agencies in other countries) listens on communications that crosses borders, should we consider to configure TorBrowser to (by default) use entrynodes from the country that we live in?

Or do we all need to use bridges like people in China and Iran, when our own governments "hates freedom" as much as they do?

June 14, 2013

Permalink

Several of the links in the post are not HTTPS (TLS-encrypted).

How concerned need we be that (when using Tor) over the risk of of exit nodes altering content at such sites? (In subtle, yet critical ways that would likely go undetected.) (Via MITM/ injection/ whatever)

June 14, 2013

Permalink

I really dislike all these Tor sites like Tor2Web that allow you to browse .onion sites from your own browser without installing Tor. They are not safe in anyway. Tor shouldn't allow them.

June 15, 2013

Permalink

I legitimately found an underground warrior vs lion underground gambling association.
Thank you Tor.

June 15, 2013

Permalink

If 2,048 bit encryption isn't enough, why not start developing 4,096 bit, or 8,128 bit methods?

June 15, 2013

Permalink

What in NSA or wherever it calls is able to controla big amount of tor exit nodes ?

What if they started to spend billions in order to buy super fast computers, only to decrypt Tor ?

I know that my questions may seem a little bit stupid ones but i am pretty sure i am not the only one waiting for answers

June 16, 2013

Permalink

Hi!

I do not know the technical ins and outs, but the whole episode caused two thoughts:
a) Conservative people and organisations should be wary. What the IRS did to them, could be repeated here using the NSA
b) It is scary. If Tor is not absolutely safe, it serves as a service to point out that "these people use Tor, so they have something to hide. Focus on them!"

What do you -- or others here -- think about these issues?

I have seen posted several times a rumour that intelligence agencies in the USA keep a list of regular Tor users with the help of major ISPs. If you find this hard to believe look up "Main Core" on Wikipedia. This is one of the reasons I use a VPN.

June 16, 2013

Permalink

To anyone who is worried about the last mile problem (ie, unencrypted http-connections).

I'm working on a way to create ubiquitous encryption a reality.

It works by specifying anonymous client certificates for each and every account at each web site. It makes account management easier and safer than email addresses and passwords.

It deploys DNSSEC and DANE to protect against evil Certificate Authorities that try to MitM your browser.

It uses https (TLS) at every step so it protects against passive snooping. Making it safe to use NSA's Tor exit nodes to request a copy of the US-consitution :-)

By encrypting all data all the times, people that really need to rely on Tor, whistleblowers, journalists are better hidden in the noise. Even when you and I use it to post pictures on facebook.

It's open source code (AGPL3+) on my site: http://eccentric-authentication.org/
There are some demos too.

Cheers, Guido.

Sounds very interesting.

Have you discussed this at all with anyone at the Tor Project?

Perhaps you could collaborate with them?

June 17, 2013

Permalink

While it is true that what I don't know about this esoterica would fill volumes, I am aware of some larger issues that deserve our profound consideration. To roughly paraphrase, "because we CAN do a thing, does it follow that we SHOULD"? I am referring , of course, to the whole concept of making public/civilian electronic communications absolutely inviolate to snooping.

Why would anyone even question the effort? A worthy question on the surface, but deeper thinking recalls the tragic events of 9/11. There can be no doubt whatsoever that the 9/11 conspirators not only exploited, but depended on the wholesale freedoms of American society to plot and execute their atrocities. While, in principal, the idea of being snooped upon is almost instinctively repugnant, do we really want to play into the hands of evil-doers of all descriptions by facilitating their means of hiding their communications from the "sunshine"? IMHO, a strong case can be made for the position that "if you have nothing to hide, what difference does it make in the big picture"?

I am not naive to the possibility/probability of abuse, but I am prepared to take a stand when evaluating the relative risk of quasi-perfectly secure civilian communications. To me, the risk of allowing the evil plans of terrorists and enemy states plotting murder and mayhem against my country to go undetected DEFINITELY outweighs the risk of having my "right" to privacy impinged upon.

Mass surveillance and data rentention have nothing to do with stopping terrorist attacks. Even full-blown hardcore totalitarian police/surveillance states can't stop terrorist attacks. This is about the state having power over the individual. With a detailed history of your habits they can manipulate data to make you look bad, make you look guilty, find out your weaknesses, blackmail you or whatever they want. They can use this as a weapon against anyone who becomes a threat to them by speaking out, becoming a whistleblower, posting anti-government messages, etc. This is about the state having a monopoly on information, privacy and power.

- I am aware of some larger issues that deserve our profound consideration.

I certainly hope the profound consideration you mention is more than an appeal to fear.

- I am referring , of course, to the whole concept of making public/civilian electronic communications absolutely inviolate to snooping.

You seam to be implying that those in government have the right to private communications, but members of the public do not.

- There can be no doubt whatsoever that the 9/11 conspirators not only exploited, but depended on the wholesale freedoms of American society to plot and execute their atrocities. While, in principal, the idea of being snooped upon is almost instinctively repugnant, do we really want to play into the hands of evil-doers of all descriptions by facilitating their means of hiding their communications from the "sunshine"?

The 9/11 conspirators used public roads. Do we really want to play into the hands of evil-doers of all descriptions by facilitating their means of transportation?

You use the word "sunshine" to describe wholesale spying on everyone, by unaccountable persons, conducted in secret.

- IMHO, a strong case can be made for the position that "if you have nothing to hide, what difference does it make in the big picture"?

Having everything you do recorded for later scrutiny by those in power, is antithetical to the notion of a free society.

- I am not naive to the possibility/probability of abuse,

You are astoundingly naive.

- but I am prepared to take a stand when evaluating the relative risk of quasi-perfectly secure civilian communications.

This stand you are prepared to take certainly is not one based on principal. Your reaction to terrorism is what makes it effective, your willingness to abandon the bill of rights and fundamentally change our society. Are there any rights you are not willing to give up at the mere mention of 9/11? The presumption of innocence perhaps? If we imprison everyone we will imprison all of the terrorists. Or the right of assembly? If we outlaw meting in groups of three or more, criminal conspiracies will be more difficult. If you find these notions objectionable, than I ask what makes these rights more valuable than your right to privacy?

- To me, the risk of allowing the evil plans of terrorists and enemy states plotting murder and mayhem against my country to go undetected DEFINITELY outweighs the risk of having my "right" to privacy impinged upon.

I think you use of quotation marks here is very telling.

"the 9/11 conspirators not only exploited, but depended on the wholesale freedoms of American society to plot and execute their atrocities. "

What about all of the atrocities, murder and mayhem executed by the U.S. and other "good" states?

Perhaps you should start with some Chomsky. Listen/read carefully, apply critical thought, verify and check-out the sources he cites, form your own judgments.

"The people can always be brought to the bidding of the leaders. That is easy. All you have to do is tell them they are being attacked and denounce the pacifists for lack of patriotism and exposing the country to danger. It works the same way in any country."
- Hermann Goering, during his trial at Nuremberg

Read about "Blowback" to find out why terrorists attacks happen. They don't happen because of lack of police or lack of spying on the people. Read some Ron Paul

I would have agreed with this in 2001, but I have to be more objective now. How many people died on 9/11? How many people have died in every terrorist attack since? The actual risk of your dying in a terrorist attack are not that great. If we all give up our freedom to avoid immediate loss of life for a small few because we are scared of being one of the few, they have won. We need to take our licks, and respond appropriately.

Those who deny freedom to others, deserve it not for themselves. - Abe Lincoln

This has nothing to do with your privacy. The tiny possibility that TOR is used to communicate plans of terrorism, rather than a far more secure meeting in the middle of nowhere, is not a good reason to reduce everyone to carefully monitored sheep. Just in case is no justification for intrusions into privacy,

If the freedom of speech is taken away, then dumb and silent we may be led, like sheep to the slaughter - George Washington.

A couple of quotes there for you, from the people that BUILT your country, and would be disgusted by your safety over freedom argument.

If one thing can be gained from PRISM, it is that everyone has something to hide, no matter how insignificant it seems, and everyone should have the right to do so.

June 17, 2013

Permalink

I've been using TorBrowser over the last few weeks, reading the news and blogs instead of an ordinary browser. I'm getting used to it. It works well. However, viewing Vidalia's network map connections at the bottom of my screen as I surf the web shows that roughly 99.9 percent of the time I'm using one of the same three entry nodes. Always the same three regardless of restarts and time between using Tor. When I start up it will immediately connect to one of those three first.

I'm in Australia. I have the latest version of TorBrowser which I downloaded using the previous version. I suspect it's not supposed to do this. Once or twice would be a coincidence, but everyday, nearly every time?

I can post the names of the three If it helps. Apologies if this is normal or covered elsewhere.

June 18, 2013

Permalink

The over-reliance on technical 'solutions' at the expense of so called 'humint' contributed, in large part, to the failures leading up to the WTC attacks. Ironically, the response has been to redouble the effort and expenditure on the discredited methodology of trawling for pearls. At the time of the aforementioned attacks, data-mining was in full swing, but an intelligence service run by dullards is self-defeating, as the attackers demonstrated. So now a larger net is used, which will result in a exponential rise in false positives that will prove impossible to investigate meaningfully. All the while, beneath the radar, plotters will run their organisations using grubby scraps of paper and the occasional innocuous telephone call over public lines. All that is being created is a growing undercurrent of fear fed upon by corrupt security services, profiteering armaments manufacturers and self-aggrandizing, power hungry politicians.

June 18, 2013

Permalink

Why WOULDN'T the NSA, et al operate as many exit nodes, entry guards, bridges, etc. as they possibly could?

June 21, 2013

Permalink

I have reason to think that the use of Tor may set off some sort of flag with the NSA or some other organization. While the traffic itself is secure, the endpoints may not necessarily be so, as your documentation makes note of. I have noticed a number of anomalous things after recently using TOR. And since I am sure you do not include any back doors, etc, I must conclude that unless one uses different relay servers other than the defaults, you may run the risk of showing up on someone's radar, though they have no idea of what you may have been doing when USING TOR.

I noticed for example my computer's camera coming on by itself. I also noticed behavior on my system symptomatic of password/keystroke capture systems. Having worked with Computer Security in one way or another since 1986, including with companies who performed contracts with the government, I recognize that something is going on. I suspect that it may very well be of government origin, perhaps even using zero day exploits discovered in the Windows operating system, such as STUXNET uses. Against which none of our current security measures have any real defense.

June 25, 2013

Permalink

Hi folks,

Nice to know people are dead against a surveillance society but one thing bothers me about all this:

Why does no one ever mention the massive 1.5 petabytes of personal data, including lifestyle and purchase data, that Experian has collected over the years on the Worlds population????

In my book Experian are capable of more personal damage than any Gov agency and as it's in the hands of private enterprise and does not carry the penalty of a criminal record it is not strictly legislated against or controlled.

I know from first hand experience that 'employee vetting' for example prevents me from getting a decent job as I have unserviced debts left over from when I was made redundant last, through no fault of my own.

Folks, remember I said this, and remember we're all under control from a private system that controls you via your pocket.

Bring down the 5th column that threatens us all.

Anonymous

June 27, 2013

Permalink

@runasand @torproject #prism #facebook #google To me it seems that the tor problem can never be really solved by negotiating with the agents of the prism - i use anonymox to interface with them. Solving the problem is critical for all the users of such services - an amount of billion users? Could tor have a service of which the end point is (static ip etc) like on aninmox, so that tor/anonymox would not just be swapped but integrated? Additionally could Out of the record messaging OTR be provided as a additional option?

June 28, 2013

Permalink

All I know is Tor is not effective against the NSA, FBI, DEA etc. Anyone would be a fool to think otherwise. Don't ask how I know, I've said too much already. Using Tor to post this message and I feel the heat already. The Feds have the biggest and brightest working to stay ahead of the game and they have all our tax dollars behind them. Do we really stand a chance? Go stone age? Not likely.

June 28, 2013

Permalink

All I know is Tor is not effective against the NSA, FBI, DEA etc. Anyone would be a fool to think otherwise. Don't ask how I know, I've said too much already. Using Tor to post this message and I feel the heat already. The Feds have the biggest and brightest working to stay ahead of the game and they have all our tax dollars behind them. Do we really stand a chance? Go stone age? Not likely.

July 01, 2013

Permalink

Quite often it looks like the first hop from my computer in the USA is to somewhere on another continent. Does this not invite further scrutiny from the NSA? A reply by someone familiar with Tor would be appreciated.

July 05, 2013

Permalink

Y'all are diddling yourselves. Just like modern medicine in America, you're "treating symptoms" rather than "curing disease". The root cause of the symptoms stemming from the disease at issue is "The Patriot Act" (and successor versions, plus whatall-and-whatever has since followed therefrom). Repeal the Act, and/or "defund" its continuing implementation(s). This is a "political" Problem, which necessitates a "political" Solution. Refer especially to the Fourth Amendment to the United States Constitution -- which makes it perfectly plain and patently obvious that "Big Brother" has vastly both over-reached and over-stepped with The Patriot Act (et alia) in knee-jerk over-reaction to "9/11". Write your Senators and Representative, join/support one or more groups/organzations that exist to oppose "Big Brother" over-reach/over-step, and otherwise START to individually act to "cure the disease" rather than react to it a la merely "treating symptoms" Besides which, there ain't NO WAY that "clever smarts" will ever defeat the limitless combination of "legality" and "taxation" that THE STATE can easily and readily align and employ against nebulously-defined "suspected" AND/OR "prospectively-suspect" TERRORIST ENTITIES! No doubt exists in my mind that YOU ALL (and now me, too) have a "classified file" (somewhere) with each our names on it. "Day late, dollar short" applies -- and EVER will be so in this instance.

August 04, 2013

Permalink

Any information on the text below? Curious if it is been debunked or is a real threat. Not my words, but supposedly from someone that is in the know.

If you run TOR, with java script enabled:

What the exploit does:

The JavaScript zero-day exploit that creates a unique cookie and sends a request to a random server that basically fingerprints your browser in some way, which is probably then correlated somewhere else since the cookie doesn't get deleted.

Presumably it reports the users origin IP back to the FBI.

August 05, 2013

Permalink

Im reading so mutch about free jornalists but where are they?

An exampel:
Every western country has shown bulshit about the turkey in the media. A minority of idiots + some Organised groops (which profits from the hapenings) started to destroy the City and the Media here in the west was like: "The turks are agains Erdogan because he is a muslim and the Islam is evil." Do you realy think they would choose him as the President if he would be sutch evil?
I dont give a f*ck for journalism since it doesnt exist (at least in the west, turkeys media had shown news which where pro and agains Erdogan\the fake freedom fighters, I dont know how and if the Media works at the eastern countrys).

But even if not for jornalists im sure that the TOR project could help some people
( Im not one of them but at least I feel beter if I know that not everythink I do is Analysed by some one. You dont need to know that I need Wikipedia to understand how marmalade is mayde).

August 06, 2013

Permalink

Looks like you were dead on with those weaponized exploits. Even though the the exploit the FBI used to compromise TOR will soon be out completely burned, there will be no way to know for sure they don't have an next gen exploit deployed. TOR can't guarantee anonymity and I just hope they haven't cracked AES-256