Tor's Response to Prism Surveillance Program

Due to several requests received today from members of the press community and others, we felt it was in the best interest of time and consistency to provide a statement regarding today's developments and stories surrounding the NSA Prism surveillance program.

The Tor Project is a nonprofit 501(c)(3) organization dedicated to providing tools to help people manage their privacy on the Internet. Beyond our free, open source technology and extensive research, we actively foster important conversations with many global organizations in order to help people around the world understand the value of privacy and anonymity online. As a result, members of the core Tor team and the greater Tor community are out in the world sharing knowledge and insights with countless individuals every day, many times handing out free Tor stickers with no donation requested or expected. Edward Snowden, like tens of thousands of people, put Tor stickers on his devices. He likely got them at a conference from one of us in the past year.

Today, as always, the team at Tor remains committed to building innovative, sustainable technology solutions to help keep the doors to freedom of expression open.

For more on our view of this situation, see also our blog post:
https://blog.torproject.org/blog/prism-vs-tor.

For further questions please contact us at execdir@torproject.org.

Anonymous

June 10, 2013

as google, facebook, yahoo,... and TOR says: "we are innocents, we don't spy you" :P

Anonymous

June 10, 2013

Hi, I'm using Tor bundle x86_64-2.3.25-8-dev-en-US
I'm unable to download these 2 files via Tor:
live.debian.net/cdimage/release/stable+nonfree/amd64/iso-hybrid/SHA512SUMS.sign

live.debian.net/cdimage/release/stable+nonfree/amd64/iso-hybrid/SHA512SUMS

I also wasn't able to download SHA512SUMS* files from the debian.net / debian.org server via Tor ~1 month ago. (This problem has nothing to do with PRISM. I hope)

I enter one of these 2 links and Tor FREEZES until the connection times out. I can't get these files via Tor! But I can connect everywhere else via Tor.
Maybe the responses I've received were manipulated on the road from the server (debian.org/debian.net) to the exit node in a precise way to freeze Torbrowser?

I can get the files using a direct connection (my ISP without Tor), but obviously those files are useless if I can't compare them with the same files downloaded from an encrypted & anonymous connection.

I've read about the PRISM case and the leaker says that "they're planting bugs in PCs" ...

1) Is it possible that my ASUS PC is bugged by NSA?
2) Is it possible it makes itself recognized when my traffic exits the Tor network (after the exit node)? How does it work, does the bug inject a "padding-pattern" in the TCP data of my traffic to make it detectable once it exits the Tor network?
3) How can I avoid it? Altering data before it gets transmitted to Tor so I can disrupt that pattern.... but HOW can I do this?

I noticed this problem the first time ~ on 15th May 2013

Anonymous

June 10, 2013

(still me)

Starting Torbrowser in a Debian-wheezy_Russian_version VM, I still couldn't connect to get the 2 SHA512SUM* files.
So I tried using the Iceweasel (10.0.12) that comes in the VM installation, setting 9150 @ localhost as proxy config for the browser, and it worked.

I remember that the Debian SHA512SUM problem is not only for the latest Torbundle version; I tested many (old) versions 1 month ago and the result was the same.

So, since Iceweasel + Torbundle (used as proxy) worked, it means that the problem could be a bug in the Firefox used for the Torbundle: some Firefoxes can't handle files named SHA512SUM if the server hosting these files is debian.org or debian.net.

Worthy of note is the fact that the problem is only about these 2 files and only if they are from Debian's servers. I can still browse debian.org / debian.net servers, but I can't download those 2 files... strange o.O

In years of Tor use I NEVER had any sort of problem.
Then ... 1 month ago I needed to do a Debian installation and I noticed this problem.
The previous installation was not more than 2 or 3 months before, when I had no problem getting the files.

I hope there'll be a fix

keep up the good work ;)

Tor rocks!!

Anonymous

June 10, 2013

strange blog posting. a response to the prism program is actually about giving out stickers. this article is lacking real information. i would have expected a different statement on this topic.

See the previous post on this blog for a more technically substantive discussion.

Yeah, I realize that the sticker issue is kind of ridiculous, but I hear that's what the press was asking about all day Monday.

LOL
you don't even know what you're talking about.
Tor nodes are run by volunteers.
You too can start a Tor node. You only need to run the program and enable it as relay node or exit node or entry/bridge node.

Consider this:
The Tor software used by all those volunteers is provided to all of us as a free download. I wonder then, how many of you have inspected the code to see if it has support code for NSA and DHS snooping? You talk in theories and conjecture, but do not really have any idea about the code itself.
Startpage did the right thing: they denounced the unconstitutional and immoral spying on the people, and clearly stated they would not let themselves be used for it.
Why didn't the TOR folks do the same thing? My understanding is that TOR accepts money from the US government. I read that in a TOR description article. If that is true, what do you think are the chances a little arm-twisting has been going on?
I want a clear statement from TOR that they do NOT allow 1)spy code inserted in their build and 2)they do not provide ANY data or access to anybody directly or indirectly associated with the US government. Let's hear it.

and btw, NSA has access to all ISP data, in the US, and EU (through corporations &/or governments cooperation).

Tor is specially good if you're using it from China/Russia/Iran to connect to an EU/US server (protects you from CN/RU/IR eavesdroppers)
Or from EU/US if you're connecting to a Chinese or Russian or Iranian server (protects you from EU/US eavesdroppers)

Are you saying Americans who use Google's gmail ( has a HTTPS option ) should use yandex.ru ( also an HTTPS option )? Instead of going to a Google server in the US, your email should go to a server in Russia?

Yes, Americans should use Yandex.mail, Russian servers. If Facebook gives you the willies, use QQ International, Chinese servers. Maybe you trust Russian and Chinese security services more than US.

I wouldn't do that. Russian security can be slow because of bureaucracy but they get what they want - no one wants to stand in their way - too easy to lose a business.

I think he means that if you live in a Western/NATO jurisdiction it may be better to have a Russian/SCO free https email account as Russia doesn't cooperate much with American Intelligence (unless you're an international drug smuggler or Islamic extremist that is), and vice versa if you're living in a Russian jurisdiction. Clearly, it would only be very stupid for someone living in the West to operate a google email account nowadays.

Anybody in the world can run a Tor exit node. Tor can't do anything about it because they have designed their application this way. It is possible to play with blocking or allowing exit nodes by the country they're located in, maybe it could be done with specific nodes, idk, it's all open source so maybe if you're a programmer, but it would run counter to the whole idea of the service: a global network across different jurisdictions. It is widely believed that intelligence services of various countries run Tor exit nodes. That's why Tor stresses that people use SSL if possible to connect to websites to prevent eavesdropping.

Anonymous

June 11, 2013

Is this post some kind of joke? It's completely content free. You guys have been known to cooperate with (that is, work for) the US government. You don't have anything more interesting to comment on apart from stickers??

Anonymous

June 12, 2013

Yes interesting question; is TOR giving out data to NSA or any other organisation about its users?

Tor has no data on its users. That's the whole point of the network. The nodes are run by volunteers, and the data that runs into the network is encrypted. The project itself has no capacity or interest in monitoring exit node traffic, but it may happen -- even so, the purpose of the network is to foil an attacker identifying the origin (not the content) of traffic. To identify the origin the attacker would have to have huge resources (someone such as the NSA), be lucky, determined, and paying very close attention probably to multiple parts of the network all at once.

It is possible, but the whole point is to make it hard while making the system usable for regular people.

-- Shava Nerad *not* speaking for the project, former staff, longtime volunteer

Anonymous

June 12, 2013

This is open source, I already know that.

Google is telling a LIE. Also Facebook. And Obama.

Hey tor,
Are you really sure that your software hasn't a backdoor to NSA?
That's because when I use NSA IP Blocklist, I got a bunch of Blocking alerts.

I think that most Tor relays are already in the hands of NSA.
Please add tor nodes ONLY NSA-CLEAN. thank you.

Just FYI, this is the NSA IP List I found from reddit:
http://www.reddit.com/r/WTF/comments/1g61nv/national_security_agencynsa…

It does not matter, only NSA can control exit nodes, these are not needed for onion routes.
You don't understand Tor, it's like bitcoin, creators can not control the network...

Anonymous

June 12, 2013

How can TOR protect us from ISP-level eavesdroppers if all data including cipher passwords passes via ISP?

Anonymous

June 12, 2013

For some people the fear of NO CONTROL is the biggest fear itself, creating paranoia; the fact that control can be avoided this easily makes them so fearful that there MUST be a big brother and great leader!
And they can't deal with it if there is none, only yourself.

Anonymous

June 12, 2013

Cool. But I have a question. It's just out of curiosity I am asking. When you guys have kept the services free, no donation expected, then where do the funds for such an extensive program and such arrangements come from? Is it owing to some Trust members or so?

Anonymous

June 13, 2013

That's the problem Tor nodes can be operated by anyone. A criminal, a cop, the NSA. It would be so easy for the government to have a bunch of exit nodes set up to see all the communication and data being passed back to the receiver. Tor was created by the military industrial complex to begin with. Trustworthy they're not.

Anonymous

June 13, 2013

As said above, how is one to know if TOR is not giving out user info/data to the ----n-xxx-s-xxx-a----- Please provide more proof that TOR is not on the Gov's side.

Anonymous

June 13, 2013

02:39 14/06/2013

I feel very uncomfortable that TOR was used or developed for the US navy. If there is a "back door" to the NSA, then it just makes their job easier in collecting information. It seems a bit naive to me that there is anything much that can be hidden from certain governments.
I'll stick with my sledgehammer tactics of having 10 computers and many throwaway PAYG Sims, and 723 email addresses to keep my privacy. If I want a bit of privacy - in no way assured - then I'll use my proxy servers and some other undiscussed methods to help with my privacy. I don't care if I only want to talk about what I'm getting my girl for her birthday, the government - our servants - have no right to this, and this smokescreen about anti terrorism is just an excuse to spy on us. George Orwell was just a few years too early, but all soothsayers are.

I think that Tor is just another tool for the government to spy. The time will come when all the common people will rise up against all governments and overthrow them. US government violates rights of its people just like any other country

The basis of my ignorance was taught to me in grade school. Further pushed into my brain in a Christian middle school; and halfway soldered to my brain in the first year of a Christian high school (which I was kinda booted/left because I refused to tuck in my shirt and they tried to charge my parents 30 dollars more a day to hold me for an extra hour in detention, due to my breaking the tucked in shirt law)

I was taught that America is number 1 and basically everywhere else is third world. Until recently I didn't think much of it. China was literally all red and you couldn't do anything really without being publicly executed (and they had a village of midgets and a big wall that we should model and build between Mexico and USA). Russia was drunk, red and horrible, but better than China, and everyone carried Kalashnikov derivatives. England had bad teeth; they secretly hated us for being terrorists and revolting against their oppressive rule.

shiit i forgot my point.

Tor's code is open source and constantly under review by the most tin-hat privacy experts in the world internationally. You or I might not find a back door in the code, but other people much more clever than I am, certainly, at the Chaos Computer Club and so on, consider it a sacred trust and a game to comb software such as Tor for faults. Nothing is perfect, but I should expect a backdoor in the code here.

My understanding is that Navy intelligence wanted a tool they could use on the open net to hide operatives. If only MI used it, they'd be identifiable by fingerprint of the software. So we are just chaff for the NSA, under that theory, to hide them hiding what they wish to keep hidden themselves. Tor users may be the only secrets left safe, if the NSA hasn't built better yet. ;)

Spot-on comment, friend. We are living in Orwellian times. We have found the enemy, and it is us (U.S.). A government that won't trust its People definitely cannot be trusted. Period. Only a fool would see it otherwise.

Anonymous

June 14, 2013

How do you know that Edward Snowden has Tor stickers on his devices? And why would the media be asking about that topic? I would like to see some pictures.

Anonymous

June 14, 2013

Nothing is secure. If the Tyranny wants information they will get it. If we tear down this tyranny another will sprout to replace it unless WE limit the ability to do so. (That's what the Constitution was meant to do)

"Necessity is the plea for every infringement of human freedom. It is the argument of tyrants; it is the creed of slaves." William Pitt, Nov. 18, 1783

Some solutions to consider:
Stop supporting multinational corporations, end ALL campaign finance and the farce which has become the US national campaigning race, replace all of the government/civil servants with people that aren't funded by those corporations and if one gets out of line act like any other free countrymen would, take to the streets and throw them out, put term limits on the senate and congress and all other local offices. No more career politicians. WE ARE ALL THE GOVERNMENT.

At this moment we are teetering on an edge and which side we fall on will determine whether we regain our freedom (long ago lost) or become more enslaved. If you think this is hyperbole then you should reevaluate how free you really are.

Just a thought.

You are right, but you stopped way short.

Stop sending your money to those who ASSIST in this tyranny. Why do you all keep Gmail accounts, and Facebook accounts, knowing full well these traitors have handed over full unfettered illegal access to a "secret court" in DC? If we accept secret courts, we have already shown that we will accept all of it: secret trials, secret convictions, secret executions, torture of US Citizens for the slightest infringements of a legal system gone berserk.

Cancel your "smart phone." It tracks you, and can be converted to bug you even with it turned off. Verizon betrayed us. Switch to prepaid phones and stop sending them $200 a month for playtoys. This is serious business here. We are all going to have to make some sacrifices if we are to regain our freedom.

When did you last hear a politician say he was a "servant of the People?" They are emboldened, rash, unapologetic and megalomaniacs. Take the power back.

Drop out of Facebook and Gmail and Yahoo mail and Hotmail. Use the little guy. Use Startpage or DuckDuckGo for searches. Let's all get smart here. At least give the traitors and tyrants some financial pain to have to think about, show them there are no free shots. Start your own ISP, like we did in 1998.

Anonymous

June 15, 2013

I just read that Tor is 80% funded by the US Government, mainly through the State Department. He who has the gold, makes the rules.

Signing off Tor now.

Anonymous

June 15, 2013

Some say TOR can't be trusted. Some say you trust TOR with great risk at hand of course. Wouldn't it be better, when in doubt, leave it out?

Why don't people just go back to using traditional pen and paper letter writing, sent by postal service? You can use security envelopes that will visually obscure note content if placed through a high luminosity scanner.

We've done this before the internet. Why can't we do it these days?
Are we too lazy?

If you have to talk with someone about something very confidential, don't use a telephone. Just make your call to the person you want to disclose sensitive information to and state you want to meet, face to face, and talk over coffee. You can always whisper the secret info in the person's ear. The Italian mafia has been doing it since the advent of mafia.

You people make it too easy for government surveillance.

I know we need the internet, but it's merely a convenience. Getting your data to destination instantly.

Besides, can you really trust something made by the same government that spies on you?

Caution with everything. Trust nobody. Never make your life an open book on the internet. Facebook users are silly, ignorant, attention whore, wannabe net celebrities. Is your self importance that great, that you need to have 15,000 friends and a million likes?

If you want some information about you to be known forever, then process it on the internet. As long as the internet lives and storage devices operate, your personal data is in cyberspace permanently.

In my opinion, the internet should die. It has done more to harm humanity than help because now that all the truth is out there about corruption the governments are beating the piss out of people to silence them. Money, connections, political clout, military equate to power. If you have none of those in significant quantity you can do nothing to stop the forces that want to control you. Only solution is live in the Himalayan mountains. Nobody will bother to come after you or track you. Government won't even waste a drone strike on you.

If your letter crosses US border, either incoming or outgoing, US Customs can open your envelope and read your letter to see if it contains national security information. In the old days, US Customs would place green tape with a stamped code on the tape, on the back of your envelope to reseal your envelope.