Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Encryption Network Privacy Communications Networking Security Social Networks The Internet United States News Politics Technology

Tor Promises Not To Build Backdoors Into Its Services (engadget.com) 69

An anonymous reader quotes a report from Engadget: Tor has published what it calls a "Social Contract" comprised of promises to users and the principles the team believes in. Whatever the reason is, its social contract contains one interesting pledge: "We will never implement front doors or back doors into our projects," the team wrote. Tor's ability to keep users anonymous made it the go-to browser of people looking for drugs, illegal firearms, hitmen, child porn and other things you won't find on eBay or YouTube. If there's a browser law enforcement agencies would want a backdoor to, it's Tor, especially since its main source of funding is the U.S. government. That's right -- the famous anonymizing network gets most of its money from a government known for conducting mass surveillance on a global scale. Loudly proclaiming that it will never build a backdoor into its services might not even matter, though. The government already proved once that it's capable of infiltrating the dark web. If you'll recall, the FBI identified 1,500 users of a child porn website called "Playpen" by deploying a Tor hacking tool. It led to numerous court battles that opened up the discussion on the validity of evidence obtained without warrant through malware. "We believe that privacy, the free exchange of ideas, and access to information are essential to free societies. Through our community standards and the code we write, we provide tools that help all people protect and advance these rights," Tor writes in the contract.
This discussion has been archived. No new comments can be posted.

Tor Promises Not To Build Backdoors Into Its Services

Comments Filter:
  • Back doors (Score:5, Insightful)

    by Dunbal ( 464142 ) * on Thursday August 11, 2016 @08:04PM (#52687949)
    Tor doesn't need back doors when the FBI runs all the exit nodes.
    • Actually... (Score:2, Interesting)

      by Anonymous Coward

      5 eyes and 'friendly' nations.

      UK and France both definitely doing so (run TBB and see how long it takes you to end up on a UK, US, or French entrance node that seems to build a substantial amount of its connections through the same country's nodes, or a collection of likely affiliated nations nodes (ex: UK, US, UK) Happens far too often to be considered statistically unlikely, and Tor has already stated that the node exclusion lists have been relegated to soft filters in the event that a connection cannot b

      • by Anonymous Coward

        It's more than just the exit nodes I think.

        Javascript turned 'on' in the browser bundle, disabled sometimes by a 3rd party app not in their control. Directory server problems never addressed: too easy to become a authoritative directory server, why no DHT type approach? 100 attack nodes ignored, it was an outside university that spotted those, yet anytime TOR setup a test server it would have been attacked by those nodes, and somehow they didn't notice all the attack traffic before anyone would know the nod

        • "TOR has failed in its primary mission of permitting free speech." TOR's primary mission was creating a secure messaging framework for classified military communications. The government didn't implement TOR so they gave everything over to a civilian foundation and continued to funding the project.

  • by Anonymous Coward
    The United States Naval Research Laboratory. If it didn't have a backdoor when it was developed in the mid 1990s, it surely does by now.
    • If it didn't have a backdoor when it was developed in the mid 1990s, it surely does by now.

      The fact that the FBI had to use it''s own malware to get to those Playpen people, and that they had to subpoena the Carnegie Mellon researchers to get their attack method that led to the closing of the Silk Road 2 should be indication enough that up to a very short time ago there where no backdoors (just vulnerabilities).

    • Did you know that a large part of the linux kernel was developed by the NSA [wikipedia.org]? Sometimes government organizations actually do things to help their citizens, as is their mandate. The source code for both is available for you, and everyone else, to peruse if you don't trust it.
  • by JustAnotherOldGuy ( 4145623 ) on Thursday August 11, 2016 @08:20PM (#52688033) Journal

    "Tor Promises Not To Build Backdoors Into Its Services"

    What they mean is they won't knowingly allow anyone to build a backdoor in. But one or two people with any kind of access to the code could conceivably add something that the team as a whole wouldn't know anything about.

    With that said, good on them for taking this position. I still don't know if I can trust them or Tor itself, but taking this position was a good thing to do.

    • Already done (Score:2, Interesting)

      by Anonymous Coward

      Knowingly?

      To sum up, your browser connects to an owned server, from which it knows a list of owned directory servers and owned onion servers. It picks an owned route and encrypts with the owned keys of the servers along that route. U R Owned!

      Then there are Bridges. These are extra servers tacked onto the list of servers to obfuscate the entry nodes, because the entry nodes are known and too easy to intercept.

      To obtain a Bridge server detail, you send an email request to Gmail or Yahoo, or RiseUp email. Two

    • by AmiMoJo ( 196126 )

      I still don't know if I can trust them or Tor itself

      What's the alternative? Do everything offline? Seems like the real world has a lot of surveillance built in too.

    • They already know they're specifically targeted for this. They were among the first to report an NSA man-in-the-middle attack on a new laptop delivery as it was delivered to a three letter agency for several days before being sent to the Tor project coder who ordered it. They were going to look for how that machine was bugged, but I never saw a follow up on that story. Considering how the Guardian's office computers and laptops had specific chips on the motherboards destroyed in a police raid after that
    • by PMuse ( 320639 )

      Publishing this statement now permits Tor to stop publishing this statement as soon as they are forced to backdoor their service. For instance, in the event of a gag order forbidding them from speaking about the new back door.

      Every security service should make a public statement like this that they can withdraw when circumstances force them to.

      • Publishing this statement now permits Tor to stop publishing this statement as soon as they are forced to backdoor their service.

        Good point. I have some "canary" pages on some of a few of my sites that state stuff to the effect that I have never received any National Security Letters, Foreign Intelligence Surveillance Court orders, subpoenas, etc etc.

        If I did/do, they'd go away.

  • the operating system itself has backdoors in to it, plus keyloggers and trojans and who knows what else...

    but i give tor an E for effort for trying to be good while surrounded by and buried neck deep in vulnerable software
    • by AHuxley ( 892839 )
      The cost of getting any ip out of onion routing is now well within the budget of getting an average US federal case to court.
      Collect it all is now a tool for any state task force with federal funding.
  • It's also a potentially useful canary phrase. If it disappears then...

    However, by now I'm sure any warrant/order would contain language that prevents them from removing it.

    • by gweihir ( 88907 )

      And since everybody of them sits in the US, they would have zero chance to do it anyways....NOT.

  • by gweihir ( 88907 ) on Thursday August 11, 2016 @09:57PM (#52688521)

    Seriously, is TOR so unbreakable that you shills need to bad-mouth it at any opportunity?

    First, the promise to not backdoor is ages-old. Second, who finances it has been known since shortly after the beginning of the project. I asked Roger Dingledine more than a decade ago about it and his answer makes a lot more sense than the often repeated "The gobbermet founds it, it has backdoor!" that never comes with any additional details. And as to backdoors, it is very hard to keep backdoors in FOSS projects with active communities hidden for a long time. Add to that that anybody that finds a working backdoor in TOR has instant fame, backdoors in TOR are rather unlikely. And as to "TOR was broken in the past by the FBI", that is just a shameless lie. What was broken was the JavaScript engine of Firefox that served as basis of an outdated TOR browser bundle that the users did not upgrade despite very clear warnings each time they started it. That is right, the FBI simply implemented that attack against Firefox after the vulnerability was fixed (and likely they did it form the documentation of that vulnerability) and caught these 1500 idiots that way, no vulnerability in TOR and only a FF vulnerability that had already been patched in the current TOR browser bundle.

    Now, despite these facts, the same idiotic anti-TOR propaganda keeps going. I can only speculate that this is intended to drive people away from TOR and to less-secure alternatives that are a lot easier to break.

    • by AmiMoJo ( 196126 )

      If there is a backdoor, they seem very reluctant to use it. Snowden used Tor successfully. Many people in China and the UK use it successfully, including Wikileaks. Who exactly are they going to use it against people like that, who are they using it against and why should I be worried?

      • by gweihir ( 88907 )

        Indeed. That already tells us that either there is no backdoor, or they are unable to use it effectively. And all that can be seen without even a single technological argument. Just needs a few working brain-cells.

    • Seriously, is TOR so unbreakable that you shills need to bad-mouth it at any opportunity?

      Apparently. I remember one of the Snowden leaks had an NSA quote along the lines of "Tor makes for a sad analyst" so it is an inconvenience to domestic spy programs.

  • by 6Yankee ( 597075 ) on Friday August 12, 2016 @01:43AM (#52689105)

    "will never" != "have never".

    Now that it's got all the backdoors the NSA needs, they can promise not to add any more.

  • We will never implement front doors or back doors into our projects,...

    The mailing address of the Tor Project is in Seattle, WA, USA. If they mean it then it makes sense to check where's the nearest Consulate of Ecuador. Better be safe than sorry.

  • "We will never implement front doors or back doors into our projects..."

    Isn't the whole point of the "back door" idea that people are expressly permitted to enter through the front door if they have a key? Why are they hating on legitimate receivers of encrypted data?

    </pedantry>
  • Translation: Tor has back doors in its services.

Make sure your code does nothing gracefully.

Working...