Wikileaks Was Launched With Intercepts From Tor

The New Yorker is featuring a long and detailed profile of Julian Assange, founder of Wikileaks. From this Wired's Threat Level pulls out one salient detail: that Wikileaks' initial scoop came from documents intercepted from Tor exit routers. The eavesdropping was pulled off by a Wikileaks activist — neither the New Yorker nor Wired knows who or even in what country he or she resides. "The siphoned documents, supposedly stolen by Chinese hackers or spies who were using the Tor network to transmit the data, were the basis for Wikileaks founder Julian Assange's assertion in 2006 that his organization had already 'received over one million documents from 13 countries' before his site was launched ..." Update: 06/02 06:31 GMT by T : In reaction to the Wired story, and the New Yorker story on which it drew, Andrew Lewman of the Tor Project points to this explanation / reminder of what Tor's software actually does and does not do. Relevant to the claims reported above, it reads in part "We hear from the Wikileaks folks that the premise behind these news articles is actually false -- they didn't bootstrap Wikileaks by monitoring the Tor network. But that's not the point. The point is that users who want to be safe need to be encrypting their traffic, whether they're using Tor or not." This flat denial of the assertion that Wikileaks was bootstrapped with documents sniffed from the Tor network is repeated unambiguously in correspondence from Wikileaks volunteers.

So what?

[msauve]

The summary is written as if Tor is suppose to be secure from eavesdropping. It isn't. It's supposed to offer anonymity. There's nothing to indicate that the _source_ of the documents was compromised.

Re:So what?

[Anonymous Coward]

There's a very simple solution to this problem:

Encrypt your data before sending it over Tor

I sincerely hope any serious US agency using Tor for operations would take this precaution; it seems stupid not to do so, unless the goal is to provide disinformation

Re:

[hitmark]

one question tho, unless one is using a throw away key, wont the use of encryption defeat the purpose of tor in the first place?

Re:

[NotBornYesterday]

No. Let's say you are ratting out a bad guy who is likely monitoring your network (government, employer, etc.). If you forward incriminating documents via encrypted transmission what you sent is concealed, but the fact that you sent something, and the destination to which you sent it are not.

If you use TOR to cover your tracks, the destination may be obscured, but what you sent may be in the open if not protected by encryption above and beyond what TOR uses internally.

Re:

[hitmark]

ok, i see i was not clear about my thinking. What i had in mind was the most used encryption system today, where one have a public and private key. Cant the public key being used in the encryption rat out where the message is going, even if one use tor?

Re:

[NotBornYesterday]

Good question, and beyond my ability to answer with certainty, but my guess is "no".

Re:

[tibman]

I see what you're saying. If the private key could be tied to a specific person then i'd say you're boned. But there's nothing stopping you from generating a new key-pair that nobody knows about.

Re:So what?

[Anonymous Coward]

...because if the US govt agencies DIDN'T use such common-sense security tactics, they (and me, and my family, and my community) would easily be taken over by another government that is just as effective in screwing the world, dominating the weak, and murdering innocents.

I don't excuse our government's behavior, but it's not as if the rest of the world is made up of sane, caring individuals...

Re:

[druke]

god damn.. I already used my mod points

Re:

[Philip K Dickhead]

They use the same secrecy to turn you into a slave.

Re:

[Anonymous Coward]

As long as they entertain us, we don't care. In fact, you're blocking the TV.. move out of the way..

Re:So what?

[Unordained]

I use a car to get to work. Terrorists use cars to blow things up. Clearly, the tool is equal to the usage.

Re:So what?

[blai]

Terrorists use bombs to blow things up.

Re:

[RichiH]

People making tunnels, savely detonating avalanches, digging for resources, destructing old buildings use bombs. Terrorists use cars to blow things up. Clearly, the tool is equal to the usage.

And while the bomb may cause the explosion (or rather the explosive in the bomb), cars are used regularly as a deployment vector of the bomb.

Re:

[kabloom]

Obviously, the GP was thinking terrorists who use car bombs to blow things up.

Re:

[CAIMLAS]

And terrorists would use over-ripe cantelopes to blow things up (or shoot people with roofing guns) if more effective alternatives were not available. In the 13th century they'd cut off people's heads (and governments would do same/similar) with swords; today, they do other things, because they're more effective.

The tools used are inconsequential; it's the actors we should be concerning ourselves with.

Re:

[LBt1st]

Building-7 wasn't hit by a plane.

Re:

[Unordained]

Note to future self: avoid car analogies, use gun analogies instead. Example: "They use the same gun to shoot your dinner."

Re:

[JasterBobaMereel]

If they send unencrypted sensitive data over a public network they get everything they deserve ...

Private secure networks are there for a reason

Encryption is there for a reason

Tor (Anonymizing networks) are there for a reason

Use the combination you need depending on the data you need to send ....

Re:Innocent world theory does not apply to govs.

[Fjandr]

The attempts by large groups to dominate the weak occurred long before capitalism, and will continue should capitalism ever cease to exist. It is simply one model of domination. There are many more in existence.

Re:

[Aceticon]

The attempts by large groups to dominate the weak occurred long before capitalism, and will continue should capitalism ever cease to exist. It is simply one model of domination. There are many more in existence.

The thing is, Capitalism + Democracy are "sold" to the masses as Freedom. In fact, the US, the largest country which has adopted that model activelly tries to export it's version of it to other countries and continously brain-washes their own people with the idea that everybody has a chance to raise

Re:

[Philip K Dickhead]

Supreme executive power derives from a mandate from the masses, not from some farcical aquatic ceremony.

Re:

[Anonymous Coward]

No, this article reflects on Wikileaks not on Tor. The summary is written as if some information was more stolen than purposely leaked. This reflects on Wikileaks in two ways:

First, it seems somehow more noble when an internal dissident leaks an embarrassing secret, for example the Pentagon Papers. Whereas coming by information that was not purposely leaked is more suspect. (Though still possibly useful and possibly ethical. For example, publishing specs of the lost iPhone 4G.)

Second, since this inform

Re:

[Achromatic1978]

Though still possibly useful and possibly ethical. For example, publishing specs of the lost iPhone 4G

No wonder you posted AC. A brave soul, indeed, claiming on Slashdot that the publishing of the iPhone 4G specs could in any way be construed as 'useful', or even 'ethical'. Be ready for your attitude readjustment from the RDF faithful...

Re:

[fractoid]

Hey now, I'm usually accused of being an angry anti-apple troll, and even I think that gizmodo was out of line. Apple employee loses a phone he was road-testing, gizmodo buys it (selling property you don't own is stealing, and buying it is receiving stolen goods), and then they rat the guy out, putting his job in jeopardy. It doesn't count as 'reasonable effort to return stolen goods' that they phoned some sales goon who said "um wat idunno".

Re:

[msauve]

I suggest you let Tor know. The headline on their web site [torproject.org] says "Tor: anonymity online."

A leak != Espionage

[crmarvin42]

Should rename them WikiThief.

My big question is whether or not their tactic for acquiring the documents is still usable by say, the Chinese Government.

Re:A leak != Espionage

[linzeal]

Heh, there have been rumors this has been a bonanza for the intelligence community. If wikileaks is doing it you can bet every three letter agency in the world has been doing it too.

That may be an understatement

[Burz]

Almost anyone could get into that game, at least in a small way with one or more Tor exit nodes.

That's the problem with using something that bridges back to the normal Internet: Security can be quite low without painstaking preparation. I2P at least will not pose such a risk because your destinations are all inside the darknet, and even https is discouraged because the connections are considered secure as well as anonymous (your base64 address acts as the public key that pairs with your local identity which

Re:

[StikyPad]

::Shakes fist in the air::

Damn you, NPS!!!

Re:

[Tycho]

So what does the USGS, USDA and the NOAA use to gather foreign intelligence? Well aside from contacting the foreign authorities through the standard methods.

Re:

[linzeal]

The DMV has been given extraordinary powers since all these MADD sponsored mandatory DUI sentencing guidelines have begun to be expanded. My friend was arrested for suspicion of DUI in Oregon 2 years ago and was never charged but he still can't get it off his record.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[account_deleted]

Comment removed based on user account deletion

transparency

[rwa2]

Transparency is what the information age is for. It will be interesting to see how political bodies adjust... on one hand, the leaks are damaging, and truly innocuous or routine things can be spun and blown way out of proportion by opposition groups. On the other hand, they now have to behave to higher ethical standards (or at least the appearance of high ethical standards) because virtually anything could become public knowledge.

Re:transparency

[Strong Arm Coat]

Where's the "Wishful Thinking" mod when you need it?

Re:transparency

[Willbur]

I highly recommend this link on why transparency is not enough [danah.org].

Re:

[Yvanhoe]

If higher ethical standards were incompatible with efficiency in a given process, I would like them to make their case and their point. The public opinion doesn't have very high ethical standards either.

Well I guess

[stillpixel]

those chinese hackers are good for something.. I'm thinking if we ever catch one though.. we'll sentence them to work in that Foxconn plant making iPhones ...

Eww

[garethw]

WiliLeaks? Really?

Re:

[betterunixthanunix]

http://trueslant.com/barrettbrown/2010/03/24/cia-state-department-apparently-acting-on-plan-to-destroy-wikileaks/ [trueslant.com]

Worry

[cappp]

Personally reading the linked articles made me really, really uncomfortable. Obviously wiki-leaks as a site has its own particular biases and political goals, everyone does, but the way in which they went about gathering this payload fills me with a really agonising ambivalence.

It really strikes to the heart of my feelings about wikileaks itself. Democracies require informed populations and accountability – they’re premised on the fundamental idea that the voting public makes choices based o

Re:

[DarkKnightRadick]

I don't question the validity of their information. If their information wasn't valid, then companies wouldn't sue to have it taken down the way they have been. They'd be going with anti-defamation suits. They haven't been.

Re:

[FuckingNickName]

They are.. leaking.. supposedly.. restricted information /Shatner. This will always be considered "ethically questionable" - to those who wouldn't have wanted the leaks. Also, how do you think information in general is leaked?

1. Information at some point gets into the hands of some person A who is prepared to do with it other than what the information "owner" B intended.

2. A redistributes that information somehow, usually without B's initial knowledge.

If people exchange unencrypted stuff over Tor - i.e. the

Re:

[NotBornYesterday]

I'm worried for more reasons than just the probity of the data and editorial bias, which are important issues on their own. I am far more worried about what this means for privacy in general, and the extent to which the fourth estate will go in violating privacy freedoms to advance their own cause.

Where's the outrage, people? Let's just flip this picture around for a minute; what if someone (Wikileaks, maybe) ran a story saying that the US or Russian or Chinese govt had compromised TOR in the same way

Re:Worry

[cappp]

That's an interesting point, I'd not heard of Samizdat before. For anyone else who's out of the know - wikipedia defines it as

Samizdat was a key form of dissident activity across the Soviet bloc in which individuals reproduced censored publications by hand and passed the documents from reader to reader, thus building a foundation for the successful resistance of the 1980s

. I guess what I'm trying to say is that WikiLeaks is straddling the gap between public interest and public concern in a way that is beginning to make me feel uncomfortable. Just me. Despite what the mods have deigned from on high I'm not trying to troll or anything like that. I am genuinly concerned that the project is grounded in what I consider to be ethically-suspect actions that potentially reflect an attitude to privacy, security, and mature discussion that I find distasteful.

As to the accuracy, who knows what they're chosing not to show? That's a somewhat facicious point but there is an element of truth. If they're not above a little serrupticious information gathering then how can I trust that they're not also willing to make a few alterations here and there in what they chose to publisize. When they posted that video of military action the New Yorker ran an interesting piece at http://www.newyorker.com/online/blogs/georgepacker/2010/04/truth-but-not-the-whole-truth.html [newyorker.com] which makes some compelling points about the video as presented:

The producers themselves have chosen not to provide them. There appears to be a purpose to the omissions, which is underlined by the Orwell quote at the start, the prefatory explanation, the quotes and dedication at the end, even the way the helicopter crew’s cruel remarks are edited in a few places for effect. Although the producers identify the camera of the Reuters journalist who, along with his assistant, will be killed by Apache cannon fire, they don’t point to the AK-47 or the RPG launcher carried by other men with whom the journalists are walking in a group. Stripped of much context and weighted with commentary, this video is both an important document of the war, courageously leaked after the military had steadily refused to release it, and, in its way, a propaganda film.

I'm concerned that we're trading one kind of spin for another.

Re:

[myowntrueself]

I am genuinly concerned that the project is grounded in what I consider to be ethically-suspect actions that potentially reflect an attitude to privacy, security, and mature discussion that I find distasteful.

There should be no expectation of privacy for any unencrypted communication ever.

It is ridiculous to send unencrypted information via the *inter*net and then get annoyed when your 'privacy' is invaded.

I fully support privacy but ONLY when the person who wants privacy takes reasonable precautions. Otherwise they are idiots and deserve neither support nor sympathy.

Re:

[NotBornYesterday]

Bullshit.

Among civilized people, there is a perfectly legitimate right to and expectation of privacy when communicating via electronic means. Witness the brouhaha over the Patriot Act, "warrantless wiretaps", etc., and various privacy laws around the globe. That's not to say that it wouldn't be trivial to violate those rights, but that it would be wrong. In fact, it's the kind of thing that Wikileaks would likely expose if it found evidence the US government did it.

I'd say that by using TOR, the us

Re:

[WNight]

Only because of laws that don't respect reality.

Whole picture

[manaway]

Films like this deserve to be seen. Anonymous distribution is, so far, one avenue to make that possible. If intercepted at an exit node by more than one party, that just gives more opportunity for an honest publisher and any propagandist a video to deliver to the public. Obviously it would always be best to have the whole unedited film available for reference. Though even then you have to use your critical skills to interpret what you're viewing.

For example: the New Yorker's "compelling points" of the video

Re:

[NotBornYesterday]

Some empty-handed locals, some locals with weapons

That's what insurgents look like. They kill Americans all the time. They were approaching an American position. That's who the helo pilots and gunners were there to stop.

initiate the killing of locals and journalists on the ground

You assume foreknowledge. Impossible for the gunner to tell he was killing journalists. As you mention, some of the guys on the ground were carrying weapons. They crew in the air were - to the best of their knowledge, - protecting their fellow soldiers on the ground who were being approached by armed men.

weaponless locals drives in and tries to rescue the wounded, but are also shot, along with their kids,

Again, that assumes foreknowle

Re:

[manaway]

Let's presume that we agree on two things: the golden rule is a moral fundamental and facts are important.

Some empty-handed locals, some locals with weapons

That's what insurgents look like. They kill Americans all the time. They were approaching an American position. That's who the helo pilots and gunners were there to stop.

Let's try a golden rule counter-example. You have a gun and I have a camera and we are walking around our neighborhood, say a block from your house. Italy invaded our country 7 years ago under some pretense and continues to occupy our country. Currently there is an armed Italian helicopter flying over us about to open fire. Whom is the insurgent? How would an Italian describe the situation?

That's what insurgents [you and I] look like. They [we] kill Italians all the time. They [we] were approaching an Italian position. That's who [us] the helo pilots and [Italian] gunners were there to stop.

No one in the

Re:

[NotBornYesterday]

You have a gun and I have a camera and we are walking around our neighborhood, say a block from your house.

If I am armed and you are travelling through a war zone with me, then we implicitly understand that our lives are at stake. At this point, getting shot at should NOT be a surprise.

Since we're indulging in a little make-believe, let's explore this a little further. If you are a journalist and I am an insurgent fighter, why are you following me into a war zone? Probably to film the imminent firefight between my group of fighters and the occupying Italians. Any Italian gunship crew in that position is go

Re:

[manaway]

You have a gun and I have a camera and we are walking around our neighborhood, say a block from your house.

If I am armed and you are travelling through a war zone with me, then we implicitly understand that our lives are at stake. At this point, getting shot at should NOT be a surprise.

This jumps right past the most important step. It is the step which most of the world can see but indoctrinated Americans are trained to ignore. To be a morally acceptable act, the invading military must justify its violent invasion, otherwise it is aggression. And unjustified aggression is universally immoral and commonly illegal. Once unjustified aggression has begun, horror follows, and all of the immoral acts that follow, by all individuals, are the responsibility of the original initiators. We should k

Re:

[NotBornYesterday]

Although I disagree with some of what you say, I agree with other parts, and I respect you for being sincere, respectful, and thoughtful. Thanks for that.

I apologize if some of this is out of order. Also, I didn't respond to everything you wrote. I wish I had more time to delve into these things.

To be a morally acceptable act, the invading military must justify its violent invasion, otherwise it is aggression. And unjustified aggression is universally immoral and commonly illegal. Once unjustified aggression has begun, horror follows, and all of the immoral acts that follow, by all individuals, are the responsibility of the original initiators.

I consider the justification for the invasion of Iraq a separate topic from the question of whether the gunship crew acted correctly given the circumstances they were in and the information at their disposal.

Di

Re:

[manaway]

I consider the justification for the invasion of Iraq a separate topic from the question of whether the gunship crew acted correctly given the circumstances they were in and the information at their disposal.

Taking an event out of context is omission, a way to deceive. Typically this is done where one outcome is desired, see also kangaroo courts [wikipedia.org].

From the gunship's point of view, you see some armed individuals, others who are carrying items which are hard to distinguish (turns out later to be camera w/telephoto lens), and some who may be unarmed, or possibly concealing arms (a suicide belt, for example). Given that Palestinians are known to attack fully armed Israeli troops with nothing more than rocks they can throw, the idea of unarmed or lightly armed fighters approaching US troops with hostile intent is not out of the question.

Curious that you use as an example Palestinians throwing rocks against invaders with guns and bombs, since there are more than a few parallels with Iraqis; but I suppose pursuing that discussion is larger than what we want to get into here. In summary: never bring a rock to a machine gun fight, unless you're making a symbolic gesture to show a basic unfairness and injus

Re:

[tsm_sf]

Your problem, if I may be so blunt, is that you seem to think there might be one universal truth to any given situation. There isn't. There are only different perspectives.

Re:

[alexo]

That's an interesting point, I'd not heard of Samizdat before.

Just FYI, "samizdat" is literally "self publishing".

Re:

[tibman]

Great link, thanks.

Re:

[BJ_Covert_Action]

Well that's why I always figured that you have to take Wikileaks, like all information on the internet, with a healthy dose of skepticism. Don't get me wrong, wikileaks is a great resource and tool for a vigilant populace. However, like any other tool, it can be misused and abused. Who is to say that everything on wikileaks is legit? Who is to say that everything posted to wikileaks was actually leaked from somewhere? Who is to say that the things posted don't have some ulterior motive?

I remember my dad

Re:

[Alex Belits]

In Soviet Russia much of the samizdat was of a purely factual nature, and by contradicting official reports delegitimized the government.

Only if you count Solzhenitsyn's historical fiction as factual. Because the rest was obviously fictional, merely seen as hostile by the government -- with genres from poetry to fantasy and science fiction.

Wikileaks funds?

[Anonymous Coward]

If you want to see how even Wikileaks volunteers don't know how funds are used in their organization read the following link at Cryptome

http://cryptome.org/0001/wikileaks-funds.htm

Cryptome has also published a lot of Wikileaks founder's personal emails in which, like many of us at different points in time in our lives, he speaks of how broke he is. After founding Wikileaks, he told an Australian newspaper Sydney Morning Herald that he did not use a single cent from Wikileaks for funding his personal expen

Tor has leaked much

[AHuxley]

http://www.wired.com/threatlevel/2007/11/swedish-researc/ [wired.com]
As people might recall log-in and password information for 1,000 e-mail accounts belonging to foreign embassies where seen in plain text too.
Tor was always one huge honey pot built on the US telco network with all exit nodes collectable to the NSA.
Others are just building their own small data collection services on top.
Another man in the middle data retention story :)

Re:

[aaaaaaargh!]

Tor was always one huge honey pot built on the US telco network with all exit nodes collectable to the NSA.

Perhaps the NSA has the power to surveille exit nodes in foreign countries but even if so describing Tor as a honey pot is misleading. As others have pointed out, anyone with rudimentary knowledge of how Tor works can easily figure out that you either just use it for surfing the web with Javascript and Java disabled and without giving away any personal information or you have to use an encrypted connection. The Tor docs made that clear from the beginning. However, securing a web browser not to leak informat

Re:

[AHuxley]

exit nodes in foreign countries - loop in via US telco peering.
The US telco network is part Asia and the EU by default.
Add in US bases and most of them would have friendly telco taps.
So yes, the NSA is really many areas Bell's and private telcos.
They grew up in the digital age, step by step and with each upgrade.
TOR use would just be one more dictionary list. Getting the IP"s would have been fun, but once understood, a stable ongoing effort.

Exit Nodes

[carp3_noct3m]

Anybody involved with TOR knows that EXIT nodes are a big potential risk, and not only have there been rumors of official government sponsored (and therefore tapped) exit nodes, but even /. had a story about it a long ass time ago. Recently the TOR guys have been trying to curtail this via a few different methods, but it is nothing new. Regardless, exit node sniffing is a novel way to get information, (for example, allow only .gov or .edu traffic)

rather, stuff coming from exit nodes

[Onymous Coward]

More precisely, it is not the nodes themselves that are the risk, but the (unencrypted) communication coming from the exit nodes.

Dedupe Bandwidth Savings

[Nemilar]

The author mentions the disk access for deduped primary storage (he points out (rightfully so) that deduped primary storage will perform slower than non-deduped primary storage), but he failed to mention what I think is an important point when discussing deduplication and network performance/bottlenecks.

If you dedupe your backups (the author mentions, for example, a VTL solution), you then gain the ability to replicate only the unique data to your DR site. In terms of saving bandwidth, this can be an absol

This is why I only use Tor

[fishexe]

...for getting around the Great Firewall to d/l porn and access facebook, not for doing anything that needs to be secure.

Re:

[Terrasque]

I use Tor to browse porn, too :)

I bet there's one in the CIA that starts every morning like this :
"One more day of checking Tor image captures for hidden data. *picks up extra large hand lotion bottle* God I love this job!"

Education

[somenickname]

In the not so distant past, things like Algebra and Geometry were considered "premium" learning. Now, anyone who has been through high school has been exposed to those concepts and, even if they can't use that math, they have been exposed to it. The internet has become such a pervasive part of our culture that an understanding of how it works and even ethics classes on how to use it should be taught at an early age.

That doesn't preclude idiot bureaucrats without that education from thinking that sending i

Always look on the bright side...

[Michael Woodhams]

Tor lets you collect your porn anonymously, but at a heavy bandwidth price. The three letter agencies are (we guess) providing Tor nodes with lots of bandwidth so as to be able to sniff the exit traffic.

Result? The NSA is subsidising your anonymous porn collection!

You don't have to care about encryption so long as you don't mind if the NSA has sniffed your porn before you do.

This is a difficult subject

[Dr. Evil]

... it's a Wired article which doesn't suck.

Maybe Wired journalists are okay at writing about journalism?

I'm not sure if I should continue ignoring this publication. It's confusing.

Update: "...The point is that users who want to be safe need to be encrypting their traffic, whether they're using Tor or not." This flat denial of the assertion that Wikileaks was bootstrapped with documents sniffed from the Tor network is repeated unambiguously in correspondence from Wikileaks volunteers."

Okay, I have my a

And again...

[vegiVamp]

Another post that says "nothing happened, and rumors that say it happened are false". What idiot poured redbull in kdawson today ?

Re:

[sammyF70]

I didn't.

Re:

[DarkKnightRadick]

You should try going elsewhere for you news aside from /. :p The first referenced article is the one I read.

Re:

[chromas]

Go somewhere else? I don't understand the concept.

Re:

[X0563511]

Why? I can stand to wait a day or two (or much longer, usually). In return, I have much less places I need bother to look.

I, unlike some others, don't have an addiction to knowing what is going on RIGHT NOW everywhere else in the world.

Re:

[DarkKnightRadick]

I don't either, and generally I don't read the online (or offline) papers. I do get news from several sources though (mainly because I subscribed to a feed for keeping up with what groups are doing politically).

Re:

[fractoid]

much less places

many fewer places

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[DarkKnightRadick]

because my submissions have a history of being rejected (somewhere around a 12% acceptance rate). Also, I didn't think such a dry profile (as interesting as it was to me) was /. worthy.

Re:

[sammyF70]

Probably because my answer was just a different way of saying "so what? just because you read it elsewhere yesterday doesn't make it any less interesting for those who DIDN'T read it elsewhere. Considering the news in question, one day, or even one week, late doesn't make a difference"
I just put it in less words the first time around

Re:

[_KiTA_]

I read about this yesterday.

I read this first post yesterday.

And the day before that. And the day before THAT. And the day be... well, actually, the day before that was some idiot 13 year old GNAA twit. But the day before THAT...

Re:Fundamental Flaw?

[Cougar Town]

Would this be a fundamental flaw of the TOR network? If you don't know who's controlling the exit nodes, then you will never know if the information you send is truly secure.

Tor offers anonymity, not security. Encryption and signing is for security. The two can be combined.

Re:Fundamental Flaw?

[Virak]

No, this is a fundamental flaw with unencrypted communication, which is exactly what you're doing when you use Tor to access things outside of the Tor network without additional encryption. Either stay inside the network or ensure whatever you're running over it has its own encryption, simple as that. As always, the biggest threat to security is incompetence.

Re:

[Burz]

Part of the problem is that the secure/insecure distinction has an explanation that is buried somewhere in a faq on the website. It would be better if people were given a browser with Tor that in one unified visual element allow people to tell immediately what the anonymity and security levels are at the moment.

Re:

[X0563511]

Actually, it's broadcast all over the Tor client window every time you start it up.

SSL any better?

[Onymous Coward]

While we're at it, your browser SSL encryption is only as secure as the least secure of the certificate authorities that your browser trusts. Any time your browser shows a secure and validated SSL connection it's because someone in your authorities list said it was okay. Just one authority. That's all it takes.

Go look at the list of CAs your browser trusts.

I just checked mine and I see 86 certificates belonging to maybe 30 different organizations. If any single one of those 30 organizations has a compromised certificate, my browser could show a bogus SSL connection as valid. So, I connect to Bank Of America, and the connection appears like a good SSL connection, but that's only because the fake cert in this attack was authorized by some rogue operator at "TÜBTAK UEKAE Kök Sertifika Hizmet Salaycs - Sürüm 3" or whichever of the 30 companies. That's a pretty long chain to deal with for a weakest-link-screws-you scenario.

Maybe some folks here didn't realize that this is how the model works. That's part of the problem.

So I might suggest understanding the difference between an anonymized connection and an encrypted one. Folks should understand how Tor works before using it. Already we have a problem with people using SSL without understanding it.

Anyway, I installed Tor and Torbutton recently and kept running across notices of how Tor works and that I should be aware of how it works to receive the benefits of it.

Here's another way you can protect yourself against bogus SSL certs, by the way: Perspectives [cmu.edu]. See the demo [cmu.edu]. There's a Firefox extension [cmu.edu].

Perspectives shows you an SSL cert's history. That is, how long that cert has been in use by the host you're SSL connecting to (as seen by a number of other hosts on the net). If the cert changed on you today, that's suspicious. If it changed today and you are the only person seeing that new cert, you might consider not using that connection for sensitive communication.

Re:

[DragonWriter]

While we're at it, your browser SSL encryption is only as secure as the least secure of the certificate authorities that your browser trusts.

Rather, its only at most as secure as the least secure of the certificate authorities that your browser trusts; its quite possible that either your computer or the server you are accessing is, itself, less secure than any of the CAs involved, in which case those are the limiting factors.

Re:

[Onymous Coward]

While we're at it, your browser SSL encryption is only as secure as the least secure of the certificate authorities that your browser trusts.

Rather, its only at most as secure as the least secure of the certificate authorities that your browser trusts

Yes, this is what I'm saying. Maybe I could have written it more clearly.

And I suppose we really shouldn't be referring to any one system's security as a limiting factor when all the systems -- your computer, the server accessed, the CAs -- add in.

Re:

[Randle_Revar]

>Would this be a fundamental flaw of the TOR network?
Depends on your point of view. It is certainly a well known issue. And there are other issues as well:

https://trac.torproject.org/projects/tor/wiki/TheOnionRouter/TorFAQ?action=recall&rev=554#AnonymityandSecurity [torproject.org]

Re:

[thePsychologist]

Please tell me you don't think Tor is secure in the manner you suggest?! It's not meant to be. Tor is for anonymity, not security for your information.

To put it more concretely, you want to use Tor if you don't want someone to know _you're_ doing something, which is not necessarily bad I should add. For instance, if you want to blog about what you saw last night in the alley. Tor isn't for sending information you don't want _anyone_ to read.

Anonymity protects you, not your data. So, you should use Tor for c

Re:

[joshki]

Ever heard of a tagout bill?

--- Navy Chief ET

Re:

[TheLink]

If wikileaks is getting documents by being a Tor exit node, then for someone who is trying to secretly leak stuff to wikileaks, I'd say this is not a flaw, this is a feature :).

Re:

[X0563511]

Actually, SSH through Tor should be no slower than regular traffic through Tor. Assuming you have something more powerful on hand than some 1990s Pentium laying around.

Re:Hmmmmm

[grcumb]

Sounds like an excellent way to spread disinformation.....even better than say.....the New York Times.

You know, even as recently as the salad days of my youth, I could have labeled you a troll for writing that about the NYT.

Now, alas, all I can do is nod my head sadly in agreement.

Re:

[Attila Dimedici]

Sounds like an excellent way to spread disinformation.....even better than say.....the New York Times.

You know, even as recently as the salad days of my youth, I could have labeled you a troll for writing that about the NYT.

Now, alas, all I can do is nod my head sadly in agreement.

Of course, you would have been wrong. I would be surprised if there is anybody on this forum old enough to have a childhood before the NYT won a Pulitzer for its reports that the famine in the Ukraine under Stalin was not happening.

Re:

[shentino]

Interestingly enough my business law professor skipped the ethics chapter.

Re:

[drinkypoo]

Yes, mark me as a troll for assaulting the precious wikileaks, but really, he's a douche promoting what essentially amounts to corporate espionage in almost every case.

If it takes a douche to blow the whistle on evil corporations breaking the law, then bring on the Summer's Eve. (I just like that one because it sounds like a pornstar)