
Re: [tor-talk] Iran cracks down on web dissident technology

On 3/21/2011 10:07 AM, Paul Syverson wrote:
On Mon, Mar 21, 2011 at 02:43:22PM +0100, Anders Andersson wrote:
In a scenario where the military actually
would hide something in the source, all programmers working on the
project would of course be in on it together. There are only a handful
of them.
This is a reasonable concern, but I think you are oversimplifying the
assurance and risk management available to those who are not tech
savvy. If they are just going to look at one or two poorly researched
articles in a
blog/credentialed-news-publication/whatever-medium-you-want that
confirm their expectations, well there's not much more you can do to
help them. Whether they trust you or not, their beliefs will not be
very well grounded.  But if they do have the interest and time (lucky
them), they don't have to be able to read the source code themselves
or pay someone (and why trust the guy you are paying to read it
anyway? And how do you know that this is the code running on all of
the relays out there, or the code you downloaded, and ...)
There are good answers to the latter of these for people who
are tech savvy, but how do you get to trust those answers short of
a significant self-education? Here are just a few of many possible

The Tor source is available and people are encouraged to check it out,
but that's _not_ the whole story. Tor is also fairly well documented
(meaning that a description of what the different parts of the source
code do is available) which encourages people to look at it more
than if it was just this pile of code goo to wade through.  And lots
of independent people _do_ look at the source code. One way you can
tell this is that they find mistakes, sometimes some fairly bad
ones. (Fortunately not too bad very often and generally fixed
quickly.) You can look at the posted history of the announced versions
https://lists.torproject.org/pipermail/tor-announce/ and see
acknowledgments of who found flaws and look them up. Lots of times
these are researchers at some reputed place. Lots of times these are
smart people with no credentials you would recognize. In either case
you could look them up and see who they are. Ask them their experience
reporting a flaw and getting it fixed and what their overall
impression of Tor is. You can do this even if you have no idea what
the flaw is that the release notes are saying they found or how the
Tor people fixed it.

There's also lots of academic researchers looking at Tor all the time
(somewhat overlapping the people looking at the source) and poking
holes in the design, the deployment etc. testing its strengths and
weaknesses, suggesting improvements, which often do get incorporated.
This is also all well documented and vetted by publication in
peer-reviewed scientific venues. It is also work done at reputed
institutions of higher learning in various countries, if you want
to base anything on that. You could contact the authors of these.
There are also people at places you've never heard of if you don't
trust people at big institutions.

If you don't know anyone you trust who is tech savvy, you could
contact your favorite computer science department by looking them up
on the web and ask around till you get directed to someone who knows
something about Tor and ask them.

Yes, maybe someone bogusly directed you to a simulated website of
Enormous State University with fake phone numbers in it, and whoever
you talk to there might inadvertently link you back to the Tor cabal
rather than getting some random professor or savvy student's opinion,
and maybe all those publication venues and researchers and
universities are in on it, and the supposedly independent researchers
who found code flaws were also in on it (or sock puppets created by
Roger to create credibility). But at some point you have to look at
the size, diversity, and entrenchment of the conspiracy you think is
there. At some point there is only so much we can do to reassure
you. (I'm talking about reassuring you that there is no
conspiracy. That the stuff is good is a related but independent
question that the above suggested checks should help with.)  If the
above or some of the many other things you might do to check into it
yourself without needing to understand the technology doesn't convince
you, then probably you have already decided what to believe and no
evidence is going to change that.

And yes there's always things to do to improve
transparency/trustability/usability/etc. People worth trusting
probably have processes to do that and a relatively independent and
confirmable history of doing it.


1st, a note. I appreciate everyone's reply. If some want to be a bit insulting or sarcastic, that's OK. I'm not highly technically savvy in source code, but I've lived a long time & know a lot about typical modus operandi of many govts. I've read all up thru Klaus Layer's post.

2nd, my reference to a TRUE back door in open source software was fairly tongue in cheek. However, *software is only part of the Tor system.* Responders are assuming I meant the ONLY way *any* govt could "crack" Tor is thru the software itself (or a back door, etc.). That's not what I meant at all - sorry if I gave that impression. There are lots of exit nodes, for *one* instance. There's lots of eavesdropping on exit nodes. There are probably ways inconceivable to most, how govts could get info from Tor communication. Tell me this: what other form of communication is off limits anymore in many countries, that govts monitor (constitutionally or not)? I am NOT anti-govt, nor am I completely blind.

Axiom (or should be): advanced governments have far more technological ability & capability than 1) anyone knows; 2) the govtS (not just ONE ) will EVER reveal; 3) than any university, institution or other very smart individual or group will necessarily be able to detect, or certainly prove. Most of these are probably in the best interest of citizens. However, I feel comfortable saying, those thinking they know exactly what govts are / are not technologically capable of, are deceiving themselves. They call them "Top Secrets" for a reason.

Fact: Even if someone discovered any govt successfully monitoring something like Tor, if they CHOOSE to, most any govt can shut down "whistle blowers," university / private research, etc., on anything they consider of national security, in an instant.

Anders Andersson wrote:
They need a project like Tor as much as "we" do, if not more. They need ways to communicate with spies and dissidents located all over the world, they need a system that let their people do this without causing any suspicion.

Maybe, but I'm asking why any govt would create a system that it can't control, that could be used by its enemies to do as much or more damage, as the good the govt gets from it? That's one HUGE problem w/ the concept that DoD / NRL created or continues funding anything *like* Tor (not JUST Tor). If they truly have no way of figuring out who's using a communication method, what users are saying or any other means of identifying something about (Tor) users, they have created & are still funding a WEAPON for the enemy to use against them. Can't help wondering about that.

You can't have it both ways. Either they can't & enemies are using it (or similar) to plot against MANY govts, or they can & users in "free" countries don't have nearly the privacy they think. Is the DoD / NRL that stupid? Possibly - don't know. But if those saying it is basically impossible for any govt to get useful info from Tor communication are indeed correct, it defies logic any govt would do such a thing. Or is it that they shortsightedly created something they thought would only benefit them, & now the enemy is using it against us? Pandora's box is open?

Paul Syverson wrote:
If they are just going to look at one or two poorly researched
One or 2... poorly researched? Over several yrs, I think there're numerous reputable instances of serious flaws discovered in Tor. Sure, they're patched when announced & confirmed. I'm also sure it will be an ongoing problem, hence part of my concern.

Paul, it's NOT just the software - I'm sure that's regularly, independently examined. ONE thing no one knows, for instance, is what capability govts have once communication leaves exit nodes. Advanced govts aren't prone to shooting themselves in the foot. What some are indicating or at least intimating here, is the US created something (maybe unintentionally) the enemy can NOW use against many countries AND they are still funding it. Does that make sense? Not to me - w/o some reasonable facts, such as why enemies can't use it against govts.
