Wikileaks Was Launched With Intercepts From Tor 157
The New Yorker is featuring a long and detailed profile of Julian Assange, founder of Wikileaks. From this Wired's Threat Level pulls out one salient detail: that Wikileaks' initial scoop came from documents intercepted from Tor exit routers. The eavesdropping was pulled off by a Wikileaks activist — neither the New Yorker nor Wired knows who or even in what country he or she resides. "The siphoned documents, supposedly stolen by Chinese hackers or spies who were using the Tor network to transmit the data, were the basis for Wikileaks founder Julian Assange's assertion in 2006 that his organization had already 'received over one million documents from 13 countries' before his site was launched ..."
Update: 06/02 06:31 GMT by T : In reaction to the Wired story, and the New Yorker story on which it drew, Andrew Lewman of the Tor Project points to this explanation / reminder of what Tor's software actually does and does not do. Relevant to the claims reported above, it reads in part "We hear from the Wikileaks folks that the premise behind these news articles is actually false -- they didn't bootstrap Wikileaks by monitoring the Tor network. But that's not the point. The point is that users who want to be safe need to be encrypting their traffic, whether they're using Tor or not." This flat denial of the assertion that Wikileaks was bootstrapped with documents sniffed from the Tor network is repeated unambiguously in correspondence from Wikileaks volunteers.
Re:Old News Is Old (Score:2, Informative)
Tor has leaked much (Score:3, Informative)
As people might recall log-in and password information for 1,000 e-mail accounts belonging to foreign embassies where seen in plain text too.
Tor was always one huge honey pot built on the US telco network with all exit nodes collectable to the NSA.
Others are just building their own small data collection services on top.
Another man in the middle data retention story
Exit Nodes (Score:4, Informative)
Anybody involved with TOR knows that EXIT nodes are a big potential risk, and not only have there been rumors of official government sponsored (and therefore tapped) exit nodes, but even /. had a story about it a long ass time ago. Recently the TOR guys have been trying to curtail this via a few different methods, but it is nothing new. Regardless, exit node sniffing is a novel way to get information, (for example, allow only .gov or .edu traffic)
Re:transparency (Score:4, Informative)
I highly recommend this link on why transparency is not enough [danah.org].
Re:So what? (Score:1, Informative)
No, TOR provides untracability. Whether you want to be anonymous, use a pseudonym, or use your Real Name is up to you.
Re:So what? (Score:4, Informative)
SSL any better? (Score:4, Informative)
While we're at it, your browser SSL encryption is only as secure as the least secure of the certificate authorities that your browser trusts. Any time your browser shows a secure and validated SSL connection it's because someone in your authorities list said it was okay. Just one authority. That's all it takes.
Go look at the list of CAs your browser trusts.
I just checked mine and I see 86 certificates belonging to maybe 30 different organizations. If any single one of those 30 organizations has a compromised certificate, my browser could show a bogus SSL connection as valid. So, I connect to Bank Of America, and the connection appears like a good SSL connection, but that's only because the fake cert in this attack was authorized by some rogue operator at "TÜBTAK UEKAE Kök Sertifika Hizmet Salaycs - Sürüm 3" or whichever of the 30 companies. That's a pretty long chain to deal with for a weakest-link-screws-you scenario.
Maybe some folks here didn't realize that this is how the model works. That's part of the problem.
So I might suggest understanding the difference between an anonymized connection and an encrypted one. Folks should understand how Tor works before using it. Already we have a problem with people using SSL without understanding it.
Anyway, I installed Tor and Torbutton recently and kept running across notices of how Tor works and that I should be aware of how it works to receive the benefits of it.
Here's another way you can protect yourself against bogus SSL certs, by the way: Perspectives [cmu.edu]. See the demo [cmu.edu]. There's a Firefox extension [cmu.edu].
Perspectives shows you an SSL cert's history. That is, how long that cert has been in use by the host you're SSL connecting to (as seen by a number of other hosts on the net). If the cert changed on you today, that's suspicious. If it changed today and you are the only person seeing that new cert, you might consider not using that connection for sensitive communication.
Re:Old News Is Old (Score:3, Informative)
Probably because my answer was just a different way of saying "so what? just because you read it elsewhere yesterday doesn't make it any less interesting for those who DIDN'T read it elsewhere. Considering the news in question, one day, or even one week, late doesn't make a difference"
I just put it in less words the first time around