Tor Users Urged To Update After Security Breach

← Back to Stories (view on slashdot.org)

Tor Users Urged To Update After Security Breach

Posted by timothy on Thursday January 21, 2010 @02:47PM from the points-of-failure dept.

An anonymous reader writes "If you use Tor, you're cautioned to update now due to a security breach. In a message on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha now: 'In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we'd recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.' Tor users should visit the download page and update ASAP."

161 comments

Min score:

Reason:

Sort:

first by Anonymous Coward · 2010-01-21 14:50 · Score: -1, Offtopic

post
1. Re:first by Anonymous Coward · 2010-01-21 14:57 · Score: 0
  
  post
  Crap, I should have posted that through Tor; now Slashdot knows my ip address :(
2. Re:first by Anonymous Coward · 2010-01-21 15:05 · Score: -1, Offtopic
  
  Don't bother trying. Slashdot banned Tor. I don't know why.
3. Re:first by Anonymous Coward · 2010-01-21 15:40 · Score: 0
  
  crapflooding.
4. Re:first by Anonymous Coward · 2010-01-21 15:53 · Score: -1, Troll
  
  Fuck a nigger today.
5. Re:first by Anonymous Coward · 2010-01-21 15:56 · Score: -1, Offtopic
  
  Good idea. Yo mama is used up and worn out. No one wants to do her anymore.
6. Re:first by JWSmythe · 2010-01-21 16:39 · Score: 2, Interesting
  
  Technically, it can't be. But since most of the exit points are pretty well known, it's not all that hard. If more people made themselves exit points, rather than just taking advantage of the network, that problem would go away.
  I've tried Slashdot. It's been a matter of switching exit points until you find one that isn't forbidden. Google is really on top of it though. I suspect they may have a tie-in with the network map, so they know the exit points as they come and go.
  
  --
  Serious? Seriousness is well above my pay grade.
7. Re:first by Dr.+Evil · 2010-01-21 17:03 · Score: 1
  
  Running an exit node is very, very, very risky.
  On the other hand, putting services like Slashdot or Google on as hidden services, it might reduce the demand for the exit nodes.
  Has any major company done this yet?
8. Re:first by Anonymous Coward · 2010-01-21 17:11 · Score: 0
  
  I used TOR yesterday, here, several times but for a good reason. What the hell are you talking about?
9. Re:first by JWSmythe · 2010-01-21 18:19 · Score: 2, Insightful
  
  Ideally, everyone that runs a client is an exit node too. But, much like an open AP on your network, when the police come knocking at your door, just saying "But, I was just connected to Tor" isn't going to be much of a defense. It may work in court, but you may be waiting a long time for that day to come.
  
  --
  Serious? Seriousness is well above my pay grade.
10. Re:first by Anonymous Coward · 2010-01-21 19:50 · Score: 0
  
  Mod sibling post insightful.
11. Re:first by xaxa · 2010-01-21 23:39 · Score: 1
  
  Technically, it can't be. But since most of the exit points are pretty well known, it's not all that hard.
  There is a list of TOR exit points in case you want to black- or white-list them.
  
  If more people made themselves exit points, rather than just taking advantage of the network, that problem would go away.
  Last time I looked at it, I concluded that most of the traffic on TOR was child pornography and shared music/films. I didn't want to risk the police thinking I was responsible.
  (But, I only have ADSL so it's not much of a loss.)
12. Re:first by NotBornYesterday · 2010-01-22 02:12 · Score: 2, Insightful
  
  I concluded that most of the traffic on TOR was child pornography and shared music/films.
  Please explain how you arrived at this conclusion. Did you actually survey TOR traffic to see what it contained, or are you simply assuming that the only reason most people want anonymity is CP & file sharing? I was under the the impression that TOR encrypted its traffic, except for what entered/exited at the exit nodes.
  
  --
  I prefer rogues to imbeciles because they sometimes take a rest.
13. Re:first by grub · 2010-01-22 03:22 · Score: 1
  
  Last time I looked at it, I concluded that most of the traffic on TOR was child pornography and shared music/films.
  
  Unless you were able to sniff all the traffic going through TOR, I fail to see how you reached this conclusion.
  
  .
  
  --
  Trolling is a art,
14. Re:first by JWSmythe · 2010-01-22 03:34 · Score: 1
  
  That's not exactly a "list", but it does make a good way to test if an IP is an exit point.
  I don't know about your assertion on child porn and piracy. There was a story not too long ago about how particular agencies were using TOR, and their mail passwords were compromised because they were sent plaintext, and exit nodes got them by sniffing the traffic.
  
  --
  Serious? Seriousness is well above my pay grade.
15. Re:first by Anonymous Coward · 2010-01-22 05:43 · Score: 0
  
  Run an exit node. If the original communication wasn't encrypted (ie: http instead of https), then you'll see everything that they originator gets.
From: Anonymous Coward by Anonymous Coward · 2010-01-21 14:55 · Score: 5, Interesting

Anyone else find it so funny that a news story about anonymity is suggested to slashdot by anonymous coward?
I think it's the best form of joke... one with an epic amount of unexpected expectedness.
1. Re:From: Anonymous Coward by Anonymous Coward · 2010-01-21 15:05 · Score: 0
  
  what's so unexpected about it?
2. Re:From: Anonymous Coward by Anonymous Coward · 2010-01-21 15:28 · Score: 0
  
  If you think that's funny, why not gather some Tor Bridges for each day's use and use them instead of regularly connecting to Tor?
  https://bridges.torproject.org/
  Here's some useful tor bridges from today:
  bridge 212.185.225.5:443
  bridge 109.120.56.218:443
  bridge 203.153.227.210:5557
  bridge 174.22.134.22:443
  bridge 68.52.174.15:443
  bridge 79.84.34.209:443
  bridge 18.85.46.218:14242
  bridge 74.82.1.191:19030
  bridge 24.110.168.130:443
  bridge 78.34.108.121:443
  bridge 94.23.58.19:1443
  bridge 72.24.220.108:443
  bridge 74.207.232.33:443
  bridge 77.251.74.120:443
  bridge 72.174.8.28:443
  bridge 91.6.174.212:8888
  bridge 169.234.106.251:9001
  bridge 69.62.132.186:443
  bridge 97.102.122.25:443
  bridge 129.244.144.200:9001
  bridge 83.169.1.47:442
  bridge 188.40.112.195:443
  bridge 92.107.52.186:9001
  bridge 79.6.97.120:443
  bridge 66.51.242.115:9001
  bridge 92.25.201.211:443
  bridge 93.194.192.154:8080
  bridge 121.190.2.55:443
  just add them to your torrc file along with:
  UseBridges 1
  And enjoy!
3. Re:From: Anonymous Coward by Anonymous Coward · 2010-01-21 16:15 · Score: 0
  
  I think it's funny that the only person who is not anonymous is Roger Dingledingle.
4. Re:From: Anonymous Coward by DNS-and-BIND · 2010-01-21 17:41 · Score: 1, Insightful
  
  A joke? How, exactly, is it funny? I'm curious to know. Who cares who submits the stories, anyway? Half of them turn out to be fakes or misleading anyway.
  The real TOR way to do it would not be anonymously, but instead giving it to another person's slashdot account, who submits it for you. But go ahead with the "funny" "jokes".
  
  --
  Shutting down free speech with violence isn't fighting fascism. It IS fascism!
5. Re:From: Anonymous Coward by Anonymous Coward · 2010-01-21 21:51 · Score: 1, Funny
  
  I wonder if the intruder was using Tor when they broke in ?
Por by hoboroadie · 2010-01-21 14:57 · Score: 0, Offtopic

quoi?

--
They feared that it could be used to suppress protest or support unpopular rule.
Sooo...... by NeutronCowboy · 2010-01-21 15:00 · Score: -1, Troll

How many child porn downloaders and uploaders are shitting their pants right about now? My guess is more than spies and Chinese dissidents.

--
Those who can, do. Those who can't, sue.
1. Re:Sooo...... by Anonymous Coward · 2010-01-21 15:14 · Score: -1, Troll
  
  There's no denying that child molesters make up the vast majority of the Tor user base, in fact the main use that Tor has served is as a warning to what people will do when you grant them excess freedom from reprocussions. Of course, this comment will be modded 'troll' just like the parent, because the slashtard stallmanites don't want it known that 2 out of 3 tor sites either host child porn, or are pointers to such.
  To anyone who wants to know the truth --go ask the devlopers over at the freenet project how much harm the child molesters cause the anonymity movement -at least THEY are willing to admit to the truth!
2. Re:Sooo...... by Anonymous Coward · 2010-01-21 15:21 · Score: 0
  
  mmm, 2/3, did you just pull these numbers out of your ass or do you have anything to back them up?
  In other words [citation needed]
3. Re:Sooo...... by Anonymous Coward · 2010-01-21 15:24 · Score: 1, Insightful
  
  Not that I'm defending pedophilia, but the fact that you're conflating pedophiles and child molesters makes me suspect your statistics.
4. Re:Sooo...... by Anonymous Coward · 2010-01-21 15:31 · Score: 0
  
  There are several indexes and even a wiki available in tor land that provide lists of sites hosted there, a look at those will tell anyone who wants to know exactly how many sites there are devoted to the tastes of child molesters (unlike more niave slashdotters, I make ZERO distinction between kiddy diddlers and "pedophiles" -they are one and the same).
  You will have to look for yourself, as I believe it's immoral to aid or abet child molesters in their endevors, so I will not divulge the addresses where they are able to find links to pedophiliac content.
5. Re:Sooo...... by Anonymous Coward · 2010-01-21 15:32 · Score: 1, Insightful
  
  Sounds like anonymity projects are suffering the same problem as encryption in general -- it's too hard to use unless you're pretty sure you have a need for it.
  With the casual farming of information that goes on by Internet ad networks, the lack of security of public Wi-Fi, and the push for deep packet inspection by ISPs, I think we've reached a point where attacks on the privacy of innocent users justifies a need for average folks to have access to these sorts of products (and associated education.)
  But until it's as simple as hitting a button in Firefox to use Tor, of course it's only going to be the enthusiasts and scumbag fringes that'll put the time into researching and securing their privacy online.
6. Re:Sooo...... by Anonymous Coward · 2010-01-21 15:33 · Score: 1, Informative
  
  I love it when clueless people comment and show their ignorance, it's good for future reference.
  
  It still seems this breach is unrelated to Tor itself. To be clear, it doesn't seem that anyone specifically attacked our servers to get at Tor. It seems we were attacked for the cpu capacity and bandwidth of the servers, and the servers just happened to also carry out functions for Tor.
  
  * Does this mean someone could have matched users up to their destinations?
  No....
  
  * Does this mean someone could have learned more about Tor than an ordinary user?
  Since our software and specifications are open, everyone already has access to almost everything on these machines...
7. Re:Sooo...... by Velorium · 2010-01-21 15:39 · Score: 1
  
  Why is this modded troll? This is a valid notion.
8. Re:Sooo...... by Anonymous Coward · 2010-01-21 15:39 · Score: 3, Informative
  
  I spent a bit over a year working with the FBI gathering information on a pedophile ring who was using one of our servers (to coordinate picture trading going on in Asian image board sites). Neither agents' opinions, the content gathered, nor the actual research I've seen, agree with your unsupported assertion that "they are one and the same". Though, two troll paratrooper points for accusing those who disagree with you of naivete. Good show, golf claps all around.
  I also don't know to what extent the "pedo" content in actual prepubescent kids, versus underage pubescent ("jailbait"). No, I don't really want to know either. Anyway, ephibophilia is illegal, but arguably medically normal, and ephibophiles and pedophiles make up separate populations.
9. Re:Sooo...... by xous · 2010-01-21 15:42 · Score: 4, Insightful
  
  Hi,
  How did you collect your statistics when Tor is decentralized? Sure you could analyze the outbound traffic on a exit node but I doubt that this would be enough of a sampling to extrapolate a meaningful conclusion. Since you offer no supporting evidence your claim is irrelevant to the discussion.
  I also do not think that the number of child molesters could be large enough to represent a "vast majority" because I doubt the original content producers would distribute a such a high risk material for free. It is much more likely that pedophiles are distributing the material to other pedophiles. I think that it is important to note the difference because while I find either appalling I'd rather have them fapping to "old child pornography" instead of creating a demand for new material and reducing the profit margins of the people that are actually doing these horrible things to children. The lesser of of two evils is still evil but we don't live in a idealistic world.
  Unfortunately freedom has it's costs.
10. Re:Sooo...... by Anonymous Coward · 2010-01-21 15:50 · Score: 0
  
  Because it's not? Why is everyone commenting here so fucking stupid. If you want to know why, read how Tor works, what was actually compromised and for what purposes.
11. Re:Sooo...... by trytoguess · 2010-01-21 15:52 · Score: 4, Insightful
  
  In short, people attracted to children will rape them? A bit like saying all men will rape women no? But that's not a perfect analogy, you can have sex with a man or woman without too much difficulty, whereas a pedophile can only masturbate. How about, would all slovenly, unattractive, misanthropes, who've zero chance of getting sex resort to rape? I rather doubt it, and even though pedophilia disturbs me, I don't think the sexual drive of that group is somehow stronger than your average male or female.
12. Re:Sooo...... by Anonymous Coward · 2010-01-21 16:00 · Score: 0
  
  "Tor land"? I though Tor simply let you access the general net anonymously and didn't have any special sites only available to it like Freenet. Feel free to correct me if I'm wrong.
13. Re:Sooo...... by Anonymous Coward · 2010-01-21 16:01 · Score: 0
  
  There are several indexes and even a wiki available in tor land that provide lists of sites hosted there, a look at those will tell anyone who wants to know exactly how many sites there are devoted to the tastes of child molesters...
  
  CLUE:
  Tor is not a "place", it's a method. Tor contains no destinations, it's just a way of routing traffic to destinations which exist independently of tor. Put another way, there's no such fucking thing as "tor land", you FUD-spurting troll.
14. Re:Sooo...... by Runaway1956 · 2010-01-21 16:07 · Score: 2, Insightful
  
  I don't know where to find good citations - but you can research easily enough.
  Download not just TOR, but I2P, freenet, anonnet - search for more if you like. You WILL BE exposed to child porn. No questions asked, you'll be exposed.
  It's safe to say that 2/3 to 3/4 of all the sites out there are trash that you don't even want to see. But - there are also some interesting things that are NOT pornography.
  You can go explore, or not. It's slow, it's aggravating because all the CP gets in the way, there's not a whole LOT OF good stuff to find, but, go explore all the same. Make sure you read the documentation - you don't want to broadcast your IP across the dark web, with all your personal details. You think the regular internet is bad? LMAO
  
  --
  "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
15. Re:Sooo...... by Anonymous Coward · 2010-01-21 16:08 · Score: -1, Troll
  
  People with sexual urges will eventually create an opportunity act on them, and readily available pornographic content simply encourages them by giving them validation and a sense of moral acceptance. While this is not a problem for most heterosexual males who can simply purchase a few minutes with a prostitute as a last resort -it's a huge problem for child molesters as it is inherently impossible for a child to offer their consent, even ignoring the physical impossibilities of having sex without causing damage.
  So, it's not possible to make a valid comparison between normal, adult desires (where there can be reciprocity and fulfillment) and the desires of a pedophile (where there can never be mutual desire, consent nor legal fulfillment). This creates a situation where a pedophile will inevitably become much more desperate than a normal person could ever imagine. While the occasional pedophile may hold himself back (or, more nobly, commit suicide) he is by far the exception.
  Sooner or later, the pedophile must act on his desires, or commit suicide. Sadly, too few deviants are noble enough to choose the latter course of action.
16. Re:Sooo...... by Anonymous Coward · 2010-01-21 16:19 · Score: 1, Insightful
  
  Anyway, ephibophilia is illegal, but arguably medically normal, and ephibophiles and pedophiles make up separate populations.
  
  No, it's not illegal. For that matter, neither is pedophilia. ACTING on ephibophilia or pedophilia is illegal.
17. Re:Sooo...... by fuzzyfuzzyfungus · 2010-01-21 16:24 · Score: 1
  
  Unfortunately, the online anonymity mechanisms all suffer from a fundamental problem:
  
  Since, in order to get your packets from point you to point wherever and back, some number of untrusted machines have to know your IP and your desired destination(at a minimum, your destination gets to know, more typically, a fair few machines controlled by one or more ISPs will be involved) all the anonymity mechanisms attempt to break up the round-trip into chunks too small to be useful. It is always going to be slower, and less efficient(ie. less useful data transferred over a pipe of given capacity) to have your packets follow an intentionally tortuous path intended to make following them hard than it will be to be open about your intentions and let the usual mechanisms for efficient routing take over.
  
  This isn't to say that it isn't worth it, especially for whatever qualifies has "high risk activity" in your jurisdiction or just to give the marketing bastards the finger; but it will always be a tradeoff in ways that a nice frontend and easy config for the noobs will never solve.
18. Re:Sooo...... by Anonymous Coward · 2010-01-21 16:26 · Score: -1, Troll
  
  Everyone who modded the parent up is a gullible jackass. Please GTFO /. now, you idiots!
19. Re:Sooo...... by Anonymous Coward · 2010-01-21 16:27 · Score: -1, Troll
  
  People with sexual urges will eventually create an opportunity act on them,
  Catholic priests.
20. Re:Sooo...... by Anonymous Coward · 2010-01-21 16:32 · Score: 0
  
  paros?
21. Re:Sooo...... by clang_jangle · 2010-01-21 16:33 · Score: 4, Informative
  
  But until it's as simple as hitting a button in Firefox to use Tor, of course it's only going to be the enthusiasts and scumbag fringes that'll put the time into researching and securing their privacy online.
  Duh!
  
  --
  Caveat Utilitor
22. Re:Sooo...... by Anonymous Coward · 2010-01-21 16:33 · Score: 0
  
  CLUE-CLUE TRAIN coming through:
  See the .onion pseudo-TLD.
23. Re:Sooo...... by Anonymous Coward · 2010-01-21 16:39 · Score: 0
  
  You fail it. ("it" is knowing WTF you're talking about, fag-ass.)
24. Re:Sooo...... by DigiShaman · 2010-01-21 16:40 · Score: 1
  
  I disagree.
  If you happen to stumble upon some questionable content, that's one thing. However, it's quite another to be on the constant pursuit of it. The way I see it, the later is generating a market demand. While that person isn't doing anything illegal from a physical standpoint, I still view them as an accessory to a crime.
  
  --
  Life is not for the lazy.
25. Re:Sooo...... by Anonymous Coward · 2010-01-21 16:45 · Score: 1, Insightful
  
  I dislike how the second party gets abused though and don't say that they can consent to the pictures. You leave the child pretty twisted and the molesters don't care. It is just not fair to the child. It might not be fair to the molester as he can't help it, but it is not a victim less act. What they need is help understanding and managing. There is just so much social taboo around it that it is a real struggle for them.
26. Re:Sooo...... by trytoguess · 2010-01-21 16:48 · Score: 2, Interesting
  
  People with sexual urges will eventually create an opportunity act on them, and readily available pornographic content simply encourages them by giving them validation and a sense of moral acceptance.
  Hmm... then how about homosexuality? It's not hard to find stories of people who denied attraction to the same sex their whole life in order to avoid being socially stigmatized.
  
  As for the effects of pornography, does masturbating calm your sexual urges, or does it inflame them?
27. Re:Sooo...... by trytoguess · 2010-01-21 16:50 · Score: 2, Informative
  
  This is somewhat tangential, but there is illustrated porn where just about any deviance can be catered to without harming a minor. Actually molesting a child is wrong of course.
28. Re:Sooo...... by trytoguess · 2010-01-21 16:54 · Score: 1
  
  Do try harder. As a member of slashdot you should appreciate the need to coldly analyze all things even if they are distasteful.
29. Re:Sooo...... by Anonymous Coward · 2010-01-21 16:57 · Score: -1
  
  Excellent trollgument, but drop the asseriton that "mutual desire" matters. Does my hamburger (or a vegans carrot sandwich) desire to be eaten? Does the prostitute you mentioned desire the john?
  Fulfillment being unattainable legally and/or morally is your only successful argument; grate work pushing it while ignoring people who do in fact wank their whole lives without fucking hookers. (That'd be 90% of /.ers, but maybe they'll not notice...)
  +1.12434984 troll points for you.
30. Re:Sooo...... by Anonymous Coward · 2010-01-21 17:19 · Score: 0
  
  Anyway, ephibophilia is illegal
  Well that's quite surprising to me, since ephebophilia is a state of mind, and last I checked, there is no such thing as an illegal thought.
31. Re:Sooo...... by Anonymous Coward · 2010-01-21 17:29 · Score: 0
  
  People who express extreme moral outrage are, more often than not, doing so for two reasons: to divert attention from their own proclivities, and to assuage their own guilty conscience. So... When's the last time you touched?
  I think all of us here agree that pedophilia is abnormal, and that child abuse, whether sexual or not, is horrifying. But to draw a complete equivalence between the two just shows that you have no ability to think logically. Irrationality will not help us to reduce the prevalence of this problem. If being attracted to children makes one a child rapist, then being attracted to women makes you a rapist. Are you attracted to women? I guess you're one sick piece of shit then.
32. Re:Sooo...... by Anonymous Coward · 2010-01-21 17:31 · Score: 0
  
  Download not just TOR, but I2P, freenet, anonnet - search for more if you like.
  Ultimately, it's a signal-to-noise problem. One government's signal is another government's noise.
  If you're a cypherpunk, Freenet is a way of helping Chinese human rights activists hide amongst the communications of thousands of North American pedos. Freenet is also a way of helping North American pedos hide amongst the communications of thousands of Chinese human rights activists.
  Where the inventor of Freenet - and other strong (and Tor doesn't even claim to be particularly strong) anonymity systems - got it wrong, was the assumption of a "sane" legal system. In the legal systems in the real world, "plausible deniability" means that governments can categorize Freenet users as either counterrevolutionaries or pedos, whichever gets their agents promotions and improves their conviction rates.
  I remember experimenting with Freenet several years ago. I'm neither a pedo nor a human rights activist, but I live in a surveillance state and I know a no-win situation when I see one. (The big lesson I learned that weekend? If you want to get magnetic media above its curie point, thermite's a great way to start a campfire, but don't roast any marshmallows over it.)
33. Re:Sooo...... by larry+bagina · 2010-01-21 17:32 · Score: 2, Informative
  
  tor also lets you run an (anonymous) file server.
  
  --
  Do you even lift?
  These aren't the 'roids you're looking for.
34. Re:Sooo...... by Anonymous Coward · 2010-01-21 17:42 · Score: 0
  
  Sure you could analyze the outbound traffic on a exit node but I doubt that this would be enough of a sampling to extrapolate a meaningful conclusion.
  Depends on your budget and how many consumer/residental ISP accounts, each of which runs one customized exit node, you can buy.
  
  Unfortunately freedom has it's costs.
  If all you can afford is $1.05, you're playing the wrong game.
  If you're a state actor, an entire network could be effectively compromised for less than the rounding error on a line item on your budget.
  The only way the cypherpunks can compete with those kinds of budgets is to go complteley black-hat, and start distributing trojans that - rather than adding compromised machines to spamming botnets - add the compromised machines to anonymity botnets.
  As a white-hat, that's not a compromise I'm willing to make. (The only smudges on my white hat are from pirated music and the occasional bit of mainstream pr0n, all readily available - and tolerated by my government - on the non-anonymous networks.)
35. Re:Sooo...... by Anonymous Coward · 2010-01-21 17:50 · Score: 0
  
  Sorry, meant to say ephibophiliac content, not ephibophilia itself. You can fantasize about all the jailbait you want, you just can't have naked photos of 17 year olds.
36. Re:Sooo...... by Anonymous Coward · 2010-01-21 18:51 · Score: 0
  
  >I'm neither a pedo nor a human rights activist, but I live in a surveillance state
  
  So, how is life in the UK these days?
37. Re:Sooo...... by justice2010 · 2010-01-21 20:27 · Score: 1
  
  I digress. When "something" is freely available,free being the operative word,then much like a 'free' newspaper, it's always self supporting.Usage is driven by chance,and readership somewhat mercurial. Moreover,suggesting that someone is an "accessory to a crime" for viewing said 'questionable content' is flawed. Example: A woman is raped in a public park.There were 200 witnesses who walked past, but chose not take the matter any further. There was however,a security camera present that captured the said offense, inclusive of the 200 witnesses who failed to act. All 200 witnesses have been identified by the CCTV and are now all "an accessory to a crime".
38. Re:Sooo...... by Anonymous Coward · 2010-01-21 22:59 · Score: 0
  
  While that person isn't doing anything illegal from a physical standpoint, I still view them as an accessory to a crime.
  That's great for you, but whether something is illegal doesn't depend on your personal opinion: it depends on what the law says.
  FWIW, you seem to be missing the GP's (not me, I'm a different AC) point, anyway. What he said was merely that being sexually attracted to children, or non-adult teenagers, is not in itself illegal.
39. Re:Sooo...... by Neoprofin · 2010-01-21 23:13 · Score: 1
  
  Depends where you live and what you know. There are quite a few places that have laws regarding your responsibility to aid those in need. I believe in Wisconsin it only applies specifically to people with emergency medical training but there is some group that is under a legal obligation to help. I personally don't agree not only because I don't think an unwilling population makes the best responder but also because I think the legislation of morality is a slippery slope.
  
  That being said, especially after the event in Oakland last year where the 15 year old was gang raped for two hours out side of a school dance and no one so much as called the police I wish a stronger sense of moral obligation existed in some people.
40. Re:Sooo...... by Neoprofin · 2010-01-21 23:17 · Score: 1
  
  Unless you subscribe to the theory of many that it creates an atmosphere encouraging to the exploitation of real children.
  
  Of course I don't think that's anymore logical than saying videogames contribute to a society more accepting of stereotypical villains with bad voice acting.
41. Re:Sooo...... by Opportunist · 2010-01-21 23:23 · Score: 4, Insightful
  
  The price of freedom isn't vigilance in this time and age, it's having to deal with unpopular content.
  Is tor used by people who want to circumvent laws for whatever reason? Yes. Duh. Basically that's what it was created for. We deem it positive that tor allows dissidents to avoid their laws concerning the freedom of speech, but we don't deem it positive that it also allows the circumvention of our laws. That's very human, but also quite a bit of a double standard.
  I hope /. is a bit above the killer arguments of "think of the children" (honestly, if you think of the children all the time, you're prolly a pedo yourself) and we're able to look at it from a bit of a detached position. Because that's what we have to deal with here. Basically swapping child porn in the US is, at least from a purely content point of view, not different from swapping anti-government ideas in China: Both is illegal, and both requires additional security to be done without prosecution. The question is now whether we're willing to accept the existance of the former to enable the latter. You will only get them together. Is the freedom of the Chinese people (and, given the recent development in the west, probably ours soon, too) worth it, knowing that this will also allow communication of pedophiles, terrorists, spies and maybe even worse? Or should we toss both? That's basically the options we have.
  And before someone replies with "but tor doesn't allow chinese to discuss freely, isn't secure, etc": This isn't just about tor. That question affects all tools that allow free speech. The question is, is free speech worth dealing with the effects of free speech that you do not want to exist?
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
42. Re:Sooo...... by Opportunist · 2010-01-21 23:31 · Score: 1
  
  Emotions are rarely a good adviser when trying to find a sensible solution. Thus, yes, coldly analyzing even horrible ideas is basically the correct way to come to a conclusion that will in the long run result in the least troubles.
  For reference, see the current headless chicken approach to terrorism.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
43. Re:Sooo...... by Opportunist · 2010-01-21 23:35 · Score: 1
  
  The content of secret dropboxes reflect the legality of content in the community. Since it is a bit of a hurdle to access those items, and the download speed is fairly slow, people will not host legal content this way, simply for convenience and availability reasons.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
44. Re:Sooo...... by NotBornYesterday · 2010-01-22 02:16 · Score: 1
  
  You won't have to wait long. We're getting there.
  
  --
  I prefer rogues to imbeciles because they sometimes take a rest.
45. Re:Sooo...... by WillDraven · 2010-01-22 02:44 · Score: 1
  
  And in many states you can actually have sex with them, you just cant take pictures.
  
  --
  This is my sig. There are many like it but this one is mine.
46. Re:Sooo...... by phorm · 2010-01-22 02:44 · Score: 1
  
  You know, however much my jobs have sucked at various times, I think that the parent's job would suck worse. Dealing with images of abused kids as a regular job = really not fun. Tracking down and actually catching some of the offenders would likely be lightening, but I over time could see it easily working towards a storm-trooper attitude of bowling over (human) obstacles to get at the real bad guys if you had to see the evil things they do all the time...
47. Re:Sooo...... by GameboyRMH · 2010-01-22 03:52 · Score: 1
  
  DURR WUT IS FIREFOX I GO ON THE INTERNET WITH (INTERNET EXPLORER / SAFARI)??? I DONT SEE A TOR BUTTON THIS IZ HARD!!!
  Until off-the-shelf computers come with Tor or something similar ready to go right out of the box, of course it's only going to be the enthusiasts and scumbag fringes that'll put the time into researching and securing their privacy online.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
48. Re:Sooo...... by Anonymous Coward · 2010-01-22 05:27 · Score: 0
  
  Unfortunately freedom has it's costs.
  Yes, it's a buck 'o five.
49. Re:Sooo...... by Anonymous Coward · 2010-01-23 05:31 · Score: 0
  
  Actually, they are most commonly anonymous *web* servers, as in HTTP.
  But you could run practically any kind of server.
Takes all types... by adbge · 2010-01-21 15:03 · Score: 2

Anyone else find it so funny that a news story about anonymity is suggested to slashdot by anonymous coward?
I think it's the best form of joke... one with an epic amount of unexpected expectedness.
If you think that's funny, just think...
Every Anonymous Coward posting about this article will be an Anonymous Coward posting about an Anonymous Coward's anonymity story. A story by an Anonymous Coward for Anonymous Cowards about Anonymous Cowards. Anonymous anonymous anonymous.
1. Re:Takes all types... by Anonymous Coward · 2010-01-21 23:29 · Score: 0, Redundant
  
  We are Anon and we are legion.
Tor weaknesses by girlintraining · 2010-01-21 15:04 · Score: 4, Interesting

The problem with Tor is that there's no way to detect compromises -- every node on the network could be compromised and you'd never know. Authors of botnets have greater anonymity than we do -- ironically because it's run by a central authority. An illegal and immoral one, yes, but one that comes with a measure of anonymity. Few botnet authors are actually caught even with the most primitive security methods. They don't even use encryption and they often can't be found...

--
#fuckbeta #iamslashdot #dicemustdie
1. Re:Tor weaknesses by v1 · 2010-01-21 15:11 · Score: 5, Informative
  
  They don't even use encryption and
  Oh but they do, and that's the key to the problem. Everyone and their dog knows where the C&C servers are, and can monitor the commands sent out. Problem is, the commands are cryptographically signed, usually with a hideously large key (last one I saw was 2048 BYTES) so you can't subvert their network. Improperly signed commands are merely ignored.
  The bot herders get their anonymity from any of a hundred ways to anonymously sign into the IRC C&C channel. I'd speculate that most of them use TOR to do so.
  
  --
  I work for the Department of Redundancy Department.
2. Re:Tor weaknesses by snowgirl · 2010-01-21 15:12 · Score: 4, Insightful
  
  The problem with Tor is that there's no way to detect compromises -- every node on the network could be compromised and you'd never know. Authors of botnets have greater anonymity than we do -- ironically because it's run by a central authority. An illegal and immoral one, yes, but one that comes with a measure of anonymity. Few botnet authors are actually caught even with the most primitive security methods. They don't even use encryption and they often can't be found...
  There's a lot to be said for hiding in a crowd though. While it is true that every node in the network could be compromised, and we'd never know, collecting all that data together to target you individually becomes more and more difficult the more people use the network... and we're not talking about big-O of n, we're talking at least big-O n squared or so.
  As with all forms of security, there's nothing you can do to guarantee security, you simply raise the burden of breaching that security until the opportunity to breach you is not worth the cost to breach you.
  
  --
  WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
3. Re:Tor weaknesses by broken_chaos · 2010-01-21 15:23 · Score: 1
  
  last one I saw was 2048 BYTES
  It may make more sense, as long as that reference to bytes (not bits) is accurate, to refer to this as a 16 kilobit key instead, as public key encryption is usually referenced in bits. While RSA of this length can be done (even using GPG, though you have to modify the source to bypass the compatibility restrictions), it's quite a bit of overkill. The other algorithms used (since RSA is almost always only used for signing/encrypting something smaller -- like signing an SHA256 hash or encrypting an AES key) would almost certainly be much weaker.
  ...Mind you, in this instance, weaker still means "likely not in any danger of being broken for 20+ years".
4. Re:Tor weaknesses by madddddddddd · 2010-01-21 16:32 · Score: 0
  
  why "big-O of n" and then just "big-O n squared"?
  
  O(n) O(n^2) too hard?
5. Re:Tor weaknesses by Anpheus · 2010-01-21 16:38 · Score: 1
  
  I believe at the beginning of 2010 the NIST increased their recommendation for RSA to a minimum of 2048 bits due to security concerns of 1024 bit keys.
6. Re:Tor weaknesses by iluvcapra · 2010-01-21 16:50 · Score: 1
  
  It may make more sense, as long as that reference to bytes (not bits) is accurate, to refer to this as a 16 kilobit key instead, as public key encryption is usually referenced in bits.
  We could just quote the key size in terms of "cardinality of encodings of state of every atom in the universe," in which case I believe a 16 kilobit key would be about 200 universe-states. :)
  
  --
  Don't blame me, I voted for Baltar.
7. Re:Tor weaknesses by X0563511 · 2010-01-21 17:57 · Score: 2, Interesting
  
  The fun begins when they start noting illegal commands and retaliating. Fun.
  
  --
  For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
8. Re:Tor weaknesses by ShakaUVM · 2010-01-21 18:17 · Score: 1
  
  >>They don't even use encryption and they often can't be found...
  Also, they used "123456" and "iloveyou" as the master password on 2 of the 7 nodes.
9. Re:Tor weaknesses by girlintraining · 2010-01-21 18:29 · Score: 1
  
  There's a lot to be said for hiding in a crowd though.
  
  Not when the IP headers of every packet sent through every major peer exchange point on this continent is recorded by this government, and the governments that control the intercontinental links each have peering arrangements so that said data is available on a reciprocal basis with other intelligence agencies operating under their respective governments worldwide.
  Most TCP/IP sessions can be reconstructed for months after their original transmission, because the cost of storing said data is so low and there's an intelligence value in having it accessible. Thanks to delta compression algorithms, they don't need to store the complete packet log at each collection point -- because the data is largely the same.
  All of this depends on an interesting fact about entropy: Very little of what you transmit is actually unique. Most of the traffic online is just a retransmit of something sent earlier, which makes the computational resources required to log all internet traffic and store it for months at a time make it a reasonably easy problem to solve. Easy, I mean, for a government with hundreds of millions to throw at the problem, not mere mortals like you or I. And of course there's ways to pair petabytes off the dataset using whitelisting and other data management methods.
  It honestly impresses me that people think that the internet is a substantial barrier to this kind of intelligence gathering; Since it runs on the same networks, uses largely the same technologies, and is often run by the same companies that deliver telecommunications services... Which anyone will tell you give full access to their lines and equipment with the flashing of a badge and a post-it note. You don't even have to buy them a beer after.
  Hiding in a crowd only works if you've done nothing to attract attention to yourself and can hide in statistical obscurity, surfing the noise floor. The moment you do anything even remotely interesting (and using Tor qualifies), bend over and kiss your anonymity goodbye.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
10. Re:Tor weaknesses by Onymous+Coward · 2010-01-21 20:43 · Score: 1
  
  When he talks about hiding in the crowd, he talks about hiding in the Tor crowd.
  When you talk about compressing packets, you probably aren't referring to encrypted packets. Including SSL. Which there's lots of.
  I ran a Tor node for a long time. And never used it myself. Others are welcome to "raise the noise floor" with such participation and/or licit uses.
  I think mix networks should work pretty well, but I wouldn't say that I have a complete grasp of the details. Nor do I expect you have, judging by your response. My guess is that if you have a substantial quantity of Tor nodes on your side of an eavesdropper tap that traffic analysis doesn't stand a real chance. Does that sound right to you? So mesh networks should be an anathema to would-be attackers. And any steps in that direction (more reliable peers and connections to peers) help. Anyway, I wouldn't already expect my government to be placing record-keeping taps at each ISP rather than just peering points.
  http://en.wikipedia.org/wiki/Tor_(anonymity_network)#Weaknesses
  As with any discussion about security, I note that the issue isn't black and white. There are many degrees and kinds of being hidden or vulnerable and countlessly varied purposes for hiding. If I want not to be traceable as the annoying AC who makes racist remarks on Slashdot, would I use Tor? Sure (or I wouldn't even bother). I wouldn't bend over and kiss my anonymity goodbye. If I were planning an attack on the World Trade Center, would I use Tor? Maybe. Though I'd be careful about my entry node and its immediate peers. And probably my endpoint would be an .onion service run by someone I trusted.
11. Re:Tor weaknesses by Anonymous Coward · 2010-01-21 21:18 · Score: -1, Troll
  
  I'm surprised. That seems very insightful for a girl.
12. Re:Tor weaknesses by Anonymous Coward · 2010-01-22 00:03 · Score: 0
  
  Mod parent up!
  (and also an explanation: the reference to "200 universe-states" is for *all* of the possible states in the key to be enumerated, at the same time. I.e. to build a lookup table that big you would need particles from 200 universes like ours)
13. Re:Tor weaknesses by Anonymous Coward · 2010-01-22 02:27 · Score: 0
  
  When she talks about hiding in the crowd, she talks about hiding in the Tor crowd.
  FTFY. ;) A very interesting post, by the way.
14. Re:Tor weaknesses by Rich0 · 2010-01-22 03:59 · Score: 1
  
  Actually, that would be an unwise design - as it causes a node to take action when it gets an unauthenticated command. That basically gives anybody some level of control on your botnet.
  For example, I can spoof a fake command from some IP - now the botnet takes down a server of MY choosing. While it is busy doing that, it probably isn't taking down the server the botnet owner wants it to take down, or sending spam, or whatever.
  Nope - you design a node to treat an unauthenticated command as if it was never received.
15. Re:Tor weaknesses by LearnToSpell · 2010-01-22 05:48 · Score: 1
  
  And "Chuck Norris" on the other 5.
  
  --
  Haida Manga
16. Re:Tor weaknesses by girlintraining · 2010-01-22 06:38 · Score: 1
  
  When he talks about hiding in the crowd, he talks about hiding in the Tor crowd.
  Let me rephrase this: Tor is not as resistant to traffic analysis as it is believed, because the Tor authors make assumptions about the state of surveillance on the network which are fundamentally flawed. Specifically, they believe that security is improved by obscuring the location of the node to peers. Because of this, routing paths between nodes are made longer, increasing the statistical likelihood that it will pass through a collection point.
  Tor has limited utility -- if you initiate a connection domestically, to an international location that does not have access to the database mentioned earlier, then a degree of security is possible. But for protecting citizens against domestic spying by its government, Tor is inadequate. It may be inadequate in a wider theatre as well, but such an analysis is beyond the scope of this post.
  
  --
  #fuckbeta #iamslashdot #dicemustdie
17. Re:Tor weaknesses by Anonymous Coward · 2010-01-22 17:45 · Score: 0
  
  Yea- of course it helps to have a Russian, Chinese, US, or some other corrupt government or official paid off.
18. Re:Tor weaknesses by Onymous+Coward · 2010-01-23 19:16 · Score: 1
  
  What do you mean by "[they obscure] the location of the node to peers"?
Further Details From Roger On or-talk mailing list by Anonymous Coward · 2010-01-21 15:08 · Score: 5, Informative

Roger's entries to date on the subject (excluding first page linked within /. summary):
(this is for those who are too lazy to page through mailing list threads, this post is
missing other individuals replies as well as future replies from Roger and others)
http://archives.seul.org/or/talk/Jan-2010/msg00165.html
Here are some more technical details about the potential impacts, for
those who want to know more about Tor's innards:
----- #1: Directory authority keys
Owning two out of seven directory authorities isn't enough to make a new
networkstatus consensus (you need four for that), but it means you've
only got two more to go. We've generated new v3 long-term identity keys
for these two authorities.
The old v3 long-term identity keys probably aren't compromised, since
they weren't stored on the affected machines, but they signed v3 signing
keys that are valid until 2010-04-12 in the case of moria1 and until
2010-05-04 in the case of gabelmoo. That's still a pretty big window,
so it's best to upgrade clients away from trusting those keys.
You should upgrade to 0.2.1.22 or 0.2.2.7-alpha, which uses the new v3
long-term identity keys (with a new set of signing keys).
----- #2: Relay identity keys
We already have a way to cleanly migrate to a new v3 long-term identity
key, because we needed one for the Debian weak RNG bug:
http://archives.seul.org/or/announce/May-2008/msg00000.html
But we don't have a way to cleanly migrate relay identity keys. An
attacker who knows moria1's relay identity key can craft a new descriptor
for it with a new onion key (or even a new IP address), and then
man-in-the-middle traffic coming to the relay. They wouldn't be able to
spoof directory statements, or break the encryption for further relays
in the path, but it still removes one layer of the defense-in-depth.
Normally there's nothing special about the relay identity key (if you
lose yours, just generate another one), but relay identity keys for
directory authorities are hard-coded in the Tor bundle so the client
can detect man-in-the-middle attacks on bootstrapping.
So we abandoned the old relay identity keys too. That means abandoning
the old IP:port the authorities were listening on, or older clients will
produce warn messages whenever they connect to the new authority. Older
Tor clients can now take longer to bootstrap if they try the abandoned
addresses first. (You should upgrade.)
----- #3: Infrastructure services
Moria also hosted our git repository and svn repository. I took the
services offline as soon as we learned of the breach -- in theory a clever
attacker could give out altered files to people who check out the source,
or even tailor his answers based on who's doing the git update. We're
in pretty good shape for git though: the git tree is a set of hashes
all the way back to the root, so when you update your git tree, it will
automatically notice any tampering.
As explained in the last mail, it appears the attackers didn't realize
what they broke into. We had already been slowly migrating Tor services
off of moria (it runs too many services for too many different projects),
so we took this opportunity to speed up that plan. A friendly anonymous
sponsor has provided a pile of new servers, and git and svn are now up
in their new locations. The only remaining Tor infrastructure services on
moria are the directory authority, the mailing lists, and a DNS secondary.
----- #4: Bridge descriptors
The metrics server had an archive of bridge descriptors from 2009.
We used the descriptors to create summary graphs of bridge count and
bridge usage by country, like the ones you can see at
http://metrics.torproject.
oh god oh god oh god by Anonymous Coward · 2010-01-21 15:08 · Score: 0

now the cia + barack obama know i was browsing cp
Wait a minute... by __aaclcg7560 · 2010-01-21 15:10 · Score: 3, Funny

How do you update a Tor SF paparback book?
1. Re:Wait a minute... by Anonymous Coward · 2010-01-21 15:43 · Score: 0
  
  Is it an EBOOK?
2. Re:Wait a minute... by __aaclcg7560 · 2010-01-21 16:16 · Score: 1
  
  Nope. Paperback, dead tree edition. How you get a security breach from a dead tree is beyond me. ;)
3. Re:Wait a minute... by GaryOlson · 2010-01-21 16:19 · Score: 1
  
  With a trilogy. The last two books add depth and detail to the initial book which was mostly inane and lacking in depth. The new details of course reinterpret all the facts, plot, and characters of the first book till the first book is almost unrecognizable.
  
  --
  Every mans' island needs an ocean; choose your ocean carefully.
4. Re:Wait a minute... by __aaclcg7560 · 2010-01-21 17:24 · Score: 1
  
  The Wheel of Time series must be buggy as hell then. What is now, book 12? Books 13 and 14 are coming in the next few years. ;)
5. Re:Wait a minute... by Anonymous Coward · 2010-01-21 17:56 · Score: 0
  
  dead tree -> truncheon -> elbow -> password -> security breach
6. Re:Wait a minute... by ravenshrike · 2010-01-21 18:28 · Score: 1
  
  Clearly it was done in C++ and some idiot set up a loop in Book 1. Possibly in the chapter about fields.
7. Re:Wait a minute... by zmollusc · 2010-01-21 19:20 · Score: 1
  
  The bugginess is offset slightly by the neat RAID array of authors.
  
  --
  They whose government reduces their essential liberties for temporary security, receive neither liberty nor security.
8. Re:Wait a minute... by Opportunist · 2010-01-21 23:05 · Score: 1
  
  Do papercuts count? They share a lot of features with security breaches. They are easy to get if you're not careful, they are barely noticable, everyone will think you're a crybaby if you're complaining about them and yet they hurt like hell.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
9. Re:Wait a minute... by machine321 · 2010-01-21 23:37 · Score: 1
  
  Redundant Author Is Dead?
10. Re:Wait a minute... by harmonise · 2010-01-22 10:02 · Score: 1
  
  How do you update a Tor SF paparback book?
  With new pieces of papar.
  
  --
  Cory Doctorow talking about cloud computing makes as much sense as George W Bush talking about electrical engineering.
11. Re:Wait a minute... by ShaunC · 2010-01-22 11:27 · Score: 1
  
  By visiting TORForge, of course...
  
  --
  Thanks to the War on Drugs, it's easier to buy meth than it is to buy cold medicine!
12. Re:Wait a minute... by docwatson223 · 2010-01-23 03:41 · Score: 1
  
  Online Editions, Kindle, .pdf and for backup you can go Hardback.
13. Re:Wait a minute... by Anonymous Coward · 2010-01-23 16:25 · Score: 0
  
  Definitely not RAID 0, though.
US Intelligence almost certainly monitors TOR by presidenteloco · 2010-01-21 15:29 · Score: 3, Interesting

I mean. That's where I'd go fishing for people trying to communicate secrets,
if I was them.
Now I don't want to spread paranoia, but
did you know that the patent on Onion Routing was filed by the US Department of the Navy?
Look it up.
Remember kiddies. Always use your own encryption layer.

--

Where are we going and why are we in a handbasket?
1. Re:US Intelligence almost certainly monitors TOR by Anonymous Coward · 2010-01-21 15:43 · Score: 0
  
  don't you mean intelligence worldwide?
  the US != the world
  btw, are you using an encryption method developed by your countries' government? think about that, and who had a hand in internet's development? what about secret rooms at telcos, the van watching your monitor right now, writeprint, etc?
  there is no privacy, no matter how many layers you wrap, the failure itself is technology.
2. Re:US Intelligence almost certainly monitors TOR by wiredlogic · 2010-01-21 15:57 · Score: 3, Insightful
  
  They probably do more than just monitor. They almost certainly run their own exit nodes so they can log everything flowing through what they pwn.
  
  --
  I am becoming gerund, destroyer of verbs.
3. Re:US Intelligence almost certainly monitors TOR by Anonymous Coward · 2010-01-21 16:35 · Score: 0
  
  I never thought about it. But if you ask me, important secrets shouldn't be massive amount of data, and there are plenty algorithms that you could use altogether with encryption. Steganography on facebook media or Flickr pictures or YouTube videos? Imagine hiding data in a Rick Astley video, and then try to figure out who downloaded it? Best way, if you ask me? Go mainstream, it will go easily unnoticed.
4. Re:US Intelligence almost certainly monitors TOR by noz · 2010-01-21 16:51 · Score: 1
  
  This is because the US Navy are the initial authors of Tor. It was opened when they no longer withed to maintain it.
5. Re:US Intelligence almost certainly monitors TOR by some_guy_88 · 2010-01-21 17:21 · Score: 1
  
  They'd have to monitor/run more than just the exit nodes in order to figure out it was you though right? Isn't that the whole idea?
  Just a single un-compromised node on the path from you to the destination would mean you were still anonymous (assuming there was enough traffic on the network). Although, if there wasn't much traffic and they had your entry and exit node you might be in trouble?
6. Re:US Intelligence almost certainly monitors TOR by BitZtream · 2010-01-21 17:33 · Score: 2, Insightful
  
  Yes, the government created it, this is well known. They created it so they could securely communicate by bouncing signals off of unsecured ships, like your random cruise ship or an allied warship.
  They were involved with its creation, of course the watch it. So do lots of other people.
  As a general rule, people hiding their activities DO HAVE SOMETHING TO HIDE. The minority use something like this for legitimate uses. However, our founding fathers had the opinion that until we know you're hiding something bad, you can hide it so no one can come after your for something you do in private that doesn't bother anyone else. This helps to prevent people from having a bad opinion of you, prejudice and hate.
  It doesn't however change the fact that it will be used, primarily by people using it to hide illegal activities. It would be retarded if they DIDN'T watch it and as a tax payer I'd be pissed if they didn't.
  Reality says that most people have no need to use this sort of protection and that its of very little use to the majority of the people on the planet, even those doing minor illegal activities.
  I've talked about plenty of things over the phone, email and hell, even posted on bulletin boards (the real ones, cork board and paper with pushpins) at grocery stores about illegal activities. None of it was anything major of course, minor little crap, all of which were misdemeanors. There are 2 reasons why nothing ever came of it.
  A. It was minor crap, no one actually cares about what I did unless I was stupid enough to do it in front of an ON DUTY cop.
  B. Hiding in plain site and blending in with the crowd makes you a lot less obviously a target than the person hiding things, regardless of what you are hiding.
  So yes, when you make it obvious you're trying to hide something people are going to pay attention to try and figure out what you're hiding, thats being a good detective and what I expect from people who's job is to detect stuff.
  
  --
  Persistent Volume manager for Kubernetes - https://github.com/dwimsey/openshift-pvmanager
7. Re:US Intelligence almost certainly monitors TOR by Anonymous Coward · 2010-01-21 18:49 · Score: 0
  
  But, they also look at timing. If they can see a connection at your isp going into what appears to be a Tor, and they have some compromised Tor exit nodes, then they can look at the timing from when you send a packet and when a packet exits the Tor node. There was a slashdot article about this some time ago.
8. Re:US Intelligence almost certainly monitors TOR by Mr.Bananas · 2010-01-21 19:32 · Score: 2, Interesting
  
  Have a read at this piece of work: http://papers.ssrn.com/sol3/papers.cfm?abstract_id=998565 While hiding in plain sight has its value, not being able to hide anything can have plenty of harm to an innocent person, especially if they have no control of how their data is used or interpreted.
9. Re:US Intelligence almost certainly monitors TOR by djupedal · 2010-01-21 19:34 · Score: 1
  
  >Hiding in plain site and blending in with the crowd makes you a lot less obviously a target than the person hiding things, regardless of what you are hiding.
  
  Comparing your anecdote about hiding inside a group of grocery store customers doesn't apply to the debate at hand. How does one 'hide' in the manner you propose when they elect to do it inside a (tor) group that is already flagged as being watch-worthy?
  
  If the group was looting the store, and you wanted to loot too, would there be any logic to stating "I'm hiding by being inside the group of looters!"? At that point you are either a tor user or you're not. If you're a tor user it is silly to claim hiding rights inside the group.
  
  Reset and try again, please, thanks.
10. Re:US Intelligence almost certainly monitors TOR by Anonymous Coward · 2010-01-21 20:38 · Score: 0
  
  That's mitigated by sending random data at a constant rate, so there are no spikes in usage when you are actually using it.
  Also, as anybody who's used tor can tell you, the data you put into the tubes won't come out at the same time, or even several minutes later, or ever. Tor probably produces complete connections 5% of the time, and the rest fail due to latency or bad hosts in between.
11. Re:US Intelligence almost certainly monitors TOR by Anonymous Coward · 2010-01-21 20:47 · Score: 0
  
  AES, or Rijndael, was not developed by any countries' government. It was devised by independent cryptographers, and subsequently adopted by the United States Government as an encryption standard. The cipher algorithms themselves are well known, and are constantly under scrutiny by many cryptanalysts who would love nothing better than to find a back door intentionally built into the algorithms.
12. Re:US Intelligence almost certainly monitors TOR by dkf · 2010-01-21 21:17 · Score: 1
  
  That's mitigated by sending random data at a constant rate, so there are no spikes in usage when you are actually using it.
  Actually, you want to introduce white noise in the rate at which you send the data too. Without that, it's possible to see when you're sending traffic by looking for spikes above the background rate.
  
  --
  "Little does he know, but there is no 'I' in 'Idiot'!"
13. Re:US Intelligence almost certainly monitors TOR by Opportunist · 2010-01-21 23:07 · Score: 1
  
  You better stop using the internet. Remember who invented it? Hint: It wasn't Al Gore.
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
14. Re:US Intelligence almost certainly monitors TOR by Anonymous Coward · 2010-01-22 02:12 · Score: 0
  
  > it will be used, primarily by people using it to hide illegal activities.
  I can list dozens of activities which harm nobody,
  damage no property, yet are illegal for various reasons.
  Law stems from power, and in many cases,
  ethics has surprisingly little to do with it.
  There is value in building a society somewhat *resistant* to laws,
  so unjust laws or unjust enforcement won't lead to its demise.
  Meanwhile, TOR is often used as a pre-emptive defense.
  One of the messages TOR use sends from activist to government
  simply reads:
  "We encrypt everything, legal or otherwise,
  since we intend to keep our privacy. Our thoughts and plans,
  as well as our identities, are *not* your business. To compromise them,
  you need to do actual work and pay actual money. So think twice."
15. Re:US Intelligence almost certainly monitors TOR by b4dc0d3r · 2010-01-22 03:09 · Score: 1
  
  As a general rule, people hiding their activities DO HAVE SOMETHING TO HIDE
  Whether they are watching banned movies in your living room, or watching Shrek with your children, I bet most people close their curtains when it gets dark. What are they hiding?
  Let me guess, you're the cop who pulled me over on super bowl sunday and wanted to search my car because I blew 0.00 on your breathalyzer. I was speeding, so the pullover was valid. I have anxiety problems, and being pulled over at night by a single cop is not the most comfortable experience. You thought I was acting suspiciously because of my general anxiety and wanted to search my car.
  "If you have nothing to hide, you have nothing to worry about."
  So, that's wrong. I'm not hiding anything, I'm enforcing my rights. Ignorance of the law is no excuse, right? So you expect people to know the law. But if they call you on it, all of a sudden it's suspicious. That's a double standard, and you as an authority figure are applying pressure to get me to do something I don't feel like doing, which is pretty much an abuse of power.
  "Hi judge, I just pulled this guy over and he said I couldn't search his car, that makes me think something's up. Can I have a warrant?"
  Sorry, that wouldn't work (that part didn't actually happen, because he knew it wouldn't work). The proper way to search is to ask my permission or get a warrant. Since I said no, now you have to get a warrant. If you can't convince a judge, you never had probable cause. Here's my legally owned prescription anxiety drugs in a properly labeled container, still think I'm acting suspiciously? You already gave me a field sobriety test which came back negative or I'd already be in the back seat of your car, so I'm not impaired by those drugs, and if I were under their influence I wouldn't seem so anxious, eh? Still think I'm acting suspiciously?
  "Yes, you're hiding something. What's wrong, you have a joint in there you don't want me to find? An unregistered gun?"
  OK, fine. You know what, search my car. No ticket, nothing turned up in the search, I got an apology and a warning. An apology, and no ticket, from a cop who pulled me over for going 75 in a 60 zone. Did I have something to hide? Yes, my personal belongings from someone who has no reason to see what I'm doing. I'm hiding from the government and its agencies anything it does not have, by the laws of the land, any right to see.
  When you have probable cause you can come for me, until then go away.
  They might be crazy, but I'd expect anyone who believes in UFOs and thinks Roswell was a coverup would use TOR to gather and share evidence that "the gvmt doesn't want you to see." Or people sharing "true stories from 9/11 workers showing it's an inside job" or "OKC bombing was an inside job and we just found a patsy to blame" and "John Wilkes Booth was hired by the CIA" and "Lee Harvey Oswald worked for Hoover". These people are mostly harmless and think they have something to hide - the opposite of your supposition. They are hiding despite having nothing to hide. Nothing substantial of course, but they think they do.
  Even more important, which I should have listed first, is the idea of free speech. People can't make changes if the government hides things from them, so it makes sense to create software that lets people share ideas. Silly harmless ones like above, or profound movements where the people force change in their government by revealing information. Someone sharing old 1970s era pictures of naked children is doing no actual harm (unless you want to conflate and suppose and imagine and maybe project, the pictures already exist). Someone working to free the Chinese people from a protective government is doing a great service (*in my opinion at least). Subverting your own government is treason, but I can freely say that I believe other citizens should subvert their governments without fear. What if I send that sentiment to my fri
I'll be the lemming this time...the obligatory: by Anonymous Coward · 2010-01-21 15:46 · Score: 0

the chinese did it.
New Tor attacks and anonimity attacks all the time by Anonymous Coward · 2010-01-21 16:07 · Score: 1, Interesting

Attacking Tor at the Application Layer
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-gregory_fleischer-attacking_tor.pdf
https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Gregory%20Fleischer%20-%20Attacking%20Tor%20and%20the%20Application%20Layer%20-%20Video%20and%20Slides.m4v
https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Gregory%20Fleischer%20-%20Attacking%20Tor%20and%20the%20Application%20Layer%20-%20Slides.m4v
https://media.defcon.org/dc-17/audio/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Gregory%20Fleischer%20-%20Attacking%20Tor%20and%20the%20Application%20Layer%20-%20Audio.m4b
Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line
Leakage:
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-barisani-bianco-sniff_keystrokes.pdf
http://www.defcon.org/images/defcon-17/dc-17-presentations/Andrea_Barisani-Daniele_%20Bianco/defcon-17-barisani-bianco-sniff_keystrokes-wp.pdf
https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Andrea%20Barisani%20and%20Daniele%20Bianco%20-%20Sniffing%20Keystrockes%20with%20Lasers%20and%20Voltmeters%20-%20Video%20and%20Slides.m4v
Router Exploitation
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-fx-wp.pdf
https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20FX%20-%20Router%20Exploitation%20-%20Video%20and%20Slides.m4v
https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20FX%20-%20Router%20Exploitation%20-%20Slides.m4v
Unmasking You
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-abraham-hansen-unmasking_you.pdf
Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-alonso-palazon-tactical_fingerprinting.pdf
Down the R
Snail Mail by ArchieBunker · 2010-01-21 16:18 · Score: 1

IMHO sending a message inside a birthday card draws a LOT less attention than using obscure and suspicious looking encryption software. But thats just my opinion.

--
Only the State obtains its revenue by coercion. - Murray Rothbard
1. Re:Snail Mail by Anonymous Coward · 2010-01-21 16:27 · Score: 0
  
  IMHO sending a message inside a birthday card draws a LOT less attention than using obscure and suspicious looking encryption software. But thats just my opinion.
  Great for one-offs - but somebody's gonna notice when you start getting 10 birthday cards every day of the year...
2. Re:Snail Mail by MrNaz · 2010-01-21 16:28 · Score: 5, Funny
  
  Dear John & Cynthia.
  Thank you for all your support this year, and I wish you all the best for the next.
  Yours truly,
  John and Sarah.
  P.S., Attack at dawn.
  
  --
  I hate printers.
Re:Further Details From Roger by inviolet · 2010-01-21 16:22 · Score: 4, Insightful

As explained in the last mail, it appears the attackers didn't realize what they broke into. We had already been slowly migrating Tor services off of moria (it runs too many services for too many different projects), so we took this opportunity to speed up that plan. A friendly anonymous sponsor has provided a pile of new servers, and git and svn are now up in their new locations.
Mmmm, yes, free.
And you will never, in a million years, detect the compromised hardware in those machines.
The only way for tor (or wikileaks or other dangerous-to-the-authorities service) to buy hardware, is anonymously. If someone wants to donate servers, have them sell the servers and give you the cash.

--
FATMOUSE + YOU = FATMOUSE
Re:Further Details From Roger On or-talk mailing l by Anonymous Coward · 2010-01-21 16:30 · Score: 0

"A friendly anonymous sponsor has provided a pile of new servers, and git and svn are now up in their new locations."
Am I the only one to find this suspiciously timely? Did the "anonymous sponsor" guarantee that none of the onboard chips/chipset were made in China or tampered with?
I think I just stopped using Tor.
Mercy-downmod parent? by Anonymous Coward · 2010-01-21 16:58 · Score: 0

While you have a perfectly valid point, your comment defending pedophiles now stands completely without context, as pretty much all of comments leading to it remain 0-score.
I'm not sure whether to congratulate your courage in posting with your account or assume it was an accident and offer condolences.
1. Re:Mercy-downmod parent? by mister_playboy · 2010-01-21 17:40 · Score: 1
  
  Those of us who are interested in everything Slashdot has to offer will still see the context.
  I personally don't understand who would want to browse a discussion where you only see half of what is going on, but to each his own.
  
  --
  Do what thou wilt shall be the whole of the Law ::: Love is the law, love under will
Wow, that's a lot of porn by Anonymous Coward · 2010-01-21 17:22 · Score: 0

May be they trying to enter adult content industry...
Re:Further Details From Roger by VortexCortex · 2010-01-21 17:33 · Score: 5, Informative

Wait... Anyone can be a TOR node and it's still secure.
TOR data is very encrypted.
It doesn't matter if the hardware or software is compromised, it's still secure because a TOR node is just one node in a chain of encrypted nodes. You encrypt your data 5 times if you're sending it through 5 nodes.
Each node takes off one layer of encryption and forwards the still encrypted data to the next node. If any intermediate nodes (2 3 4 in our 5 node example) are compromised (in software or hardware), they can not see the message in plain text, or determine the originating IP or destination IP of the traffic.
If the first node is compromised it can see your source IP, but not the destination IP or any part of the message (it's still encrypted.)
If the exit node is compromised it can see the destination IP, and clear text message, but not the source IP.
These multiple layers of encryption mean that if any one node is compromised the system is still very secure.
Taking off a layer of encryption at each router is like peeling an onion... hence, "The Onion Router".
(this is an oversimplified explanaion -- if you're talking compromised code repositories, viruses and trojans are usually not delivered as source code, the tampering would be evident.)
Tor is going to get people killed. by jyoull · 2010-01-21 18:40 · Score: -1, Redundant

I wish the holier than thous behind the Tor movement would stop with their outrageous and indefensible claims about the protections Tor allegedly provides.
I tried to have this discussion with, among others, people who've made "names for themselves" traveling from conference to conference blustering about how Tor is making the Internet safe for unpopular opinions in places where an unpopular opinion can get you disappeared right quick (hello China)... shouted down every time because it's not a POPULAR point of view.
I see that I'm not the only one in this discussion with concerns. Thank god things are changing.
1. Re:Tor is going to get people killed. by Anonymous Coward · 2010-01-21 18:52 · Score: 3, Insightful
  
  I wish the holier than thous behind the Tor movement would stop with their outrageous and indefensible claims about the protections Tor allegedly provides.
  I tried to have this discussion with, among others, people who've made "names for themselves" traveling from conference to conference blustering about how Tor is making the Internet safe for unpopular opinions in places where an unpopular opinion can get you disappeared right quick (hello China)... shouted down every time because it's not a POPULAR point of view.
  I see that I'm not the only one in this discussion with concerns. Thank god things are changing.
  Whoever these people you have met traveling from conference to conference are not the authors of tor:
  # tor --help Jan 21 22:48:35.191 [notice] Tor v0.2.1.22. This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64) Copyright (c) 2001-2004, Roger Dingledine Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson Copyright (c) 2007-2009, The Tor Project, Inc. tor -f [args] See man page for options, or https://www.torproject.org/ for documentation.
2. Re:Tor is going to get people killed. by jyoull · 2010-01-21 19:46 · Score: 1
  
  This is why i said "Tor movement" not "authors of Tor"
  It doesn't matter. The innocent, non-techies are not hearing from "the authors of Tor". They're hearing from others who are running around promoting it as the salvation of free speech in non-free places... and they are believed.
3. Re:Tor is going to get people killed. by Anonymous Coward · 2010-01-22 00:27 · Score: 0
  
  In other words, "Tor movement" is a phrase you made up for members of the Tor community that you don't personally like. And yet you're being expected not to be modded down for making wide, sweeping remarks about the very same people.
  You're pretty fucking stupid for MIT, I hope no one knows you're posting here. That would be embarrassing.
No, they CAN'T all be compromised by Anonymous Coward · 2010-01-21 18:44 · Score: 0

I doubt that FBI, NSA, CIA, GRU, etc. all share their nodes with each other. As such, it is reasonable assumption that each node only belongs to one (or two at most) intelligence agency.
Now, if there are enough of such agencies, each controls so small partition of the nodes that it isn't a problem. On the other hand, if one agency has a wide control over the network, it means that the other agencies have very limited control. That leads us to a situation where Tor is useful against all but one agency, which isn't that shabby either.
There are some problems - it might be that all nodes in russia are controlled by GRU (though I really doubt CIA would let that happen) - but most of such are negated as long as the routing goes through nodes in several countries.
Re:New Tor attacks and anonimity attacks all the t by Anonymous Coward · 2010-01-21 19:38 · Score: 0

Attacking Tor at the Application Layer
Nothing really new here, just ordinary application attack vectors. Change habits accordingly to counter these exploits. Most scenarios assume application is FireFox/HTTP.

Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line Leakage:
Assumes physical location has already been found, not really a valid assumption in most scenarios. Assumes PS/2 HIDs etc. and as the presentation says can be defeated by implementing TEMPEST protection.

Router Exploitation
Presentation only covers Cisco IOS issues, thus only applicable in environments which deploy them. Even then, some of the issues outlined aren't that relevant in regards to the use Tor.

Unmasking You
Again, nothing new. Change your habits accordingly in regards to the configuration of your system. Encrypt your connections using proper effective mechanisms for key distribution etc. which are relevant to what you are doing.

Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data
Yet again nothing new, use open and minimal formats and strip your metadata. This isn't even a problem with Tor itself.

Down the Rabbit Hole: Uncovering a Criminal Server
I don't even see how many of the issues raised here are directly relevant to Tor, the issues raised have available counter measures anyway. Change your habits accordingly.

So basically, the issues you've raised are either already known with counter-measures available or aren't even directly relevant to Tor. Tor is a tool, it is said repeatedly that it doesn't automagically protect you, you have to use it correctly.
By the way, Lizard says "Hi" ^.^
Tor WILL get people killed, if it hasn't already by jyoull · 2010-01-21 19:47 · Score: 1, Insightful

TOR apologists, no fair modding down these comments just because you don't like them.
I wish the holier than thous behind the Tor movement would stop with their outrageous and indefensible claims about the protections Tor allegedly provides.
I tried to have this discussion with, among others, people who've made "names for themselves" traveling from conference to conference blustering about how Tor is making the Internet safe for unpopular opinions in places where an unpopular opinion can get you disappeared right quick (hello China)... shouted down every time because it's not a POPULAR point of view.
I see that I'm not the only one in this discussion with concerns. Thank god things are changing.
Torbutton auto-install by Anonymous Coward · 2010-01-21 19:54 · Score: 0

If Torbutton installed it and verified it was working correctly that would really help it to spread. Still, the bundles help.
Re:Tor WILL get people killed, if it hasn't alread by u38cg · 2010-01-21 20:03 · Score: 1

The bigger problem is that Tor is hardly deniable. Your traffic might be secure, but in many circumstances the fact that you are sending secure traffic is far more interesting. Given the right circumstances, that enough is sufficient for the state to use rubber hose cryptanalysis...

--
[FUCK BETA]
Re:Further Details From Roger by Kjella · 2010-01-21 20:29 · Score: 1

Yes, but at the top is some form of directory service. If you compromise the majority of those servers you can create a new network consensus, and direct everyone to route through tor1,tor2...torX.nsa.gov. Or some suitable set of apparently random international network of nodes set up for the purpose. The layers don't work if the entire onion is rotten.

--
Live today, because you never know what tomorrow brings
Re:Further Details From Roger by wall0159 · 2010-01-21 20:30 · Score: 2, Interesting

"A friendly anonymous sponsor has provided a pile of new servers, and git and svn are now up
in their new locations"
I read this to mean that tor are hosting git and svn on the new, anonymously-donated servers. I expect that if they were hardware-compromised, that could be used, in turn, to compromise the source-repositories. Please correct me if I'm wrong tho...
Having said all that - I'd also expect a project like tor to be pretty careful with security! Also, it's quite possible that although the servers were anonymously-donated, they may still have been sourced by the tor project - it's hard to imagine a guy in a trench-coat and dark glasses knocking on their door, handing them a server before fading into the shadows, and them welcoming it with open arms!
Oh no! by interkin3tic · 2010-01-21 20:35 · Score: 1

This is torrible news! The torror...
Re:Further Details From Roger by Aceticon · 2010-01-21 21:31 · Score: 1

You don't seem to have read the GGP post at all.
It lists plenty of venues of attack for a suficiently willing and knowledgeable attacker which state agencies would be.
I wouldn't so easilly dismiss attacks delivered via source code if I was you: the GP was talking about attacks by state security services - these guys usually employ full time some pretty clever people who can usually make their own code they're no just a bunch of script kiddies downloading tools from the Internet (although from the Google attacks I suspect that, like in many other things, the Chinese went for quantity over quality and a lot of their "State Hackers" are little more than script-kiddies). Understanding and subtly altering a code base is not that hard if you're an good and experienced programmer.
State agents thus have both the resources and the willingness for impersonating a friendly interested party, providing free machines that are actually compromised at the BIOS or even hardware level and subtly compromise TOR via the source code once the Source Control repository gets put in one of the trojaned machines - some of them might even have a wise enough leadership that they're willing to go slowly and carefully infiltrate and take over the TOR system using techniques like this.
Hmmm, Tor vs IPREDATOR by Anonymous Coward · 2010-01-21 21:41 · Score: 0

A better proxy VPN?
Re:Further Details From Roger by L4t3r4lu5 · 2010-01-21 21:41 · Score: 1

If the exit node is compromised it can see the destination IP, and clear text message, but not the source IP.
So, collect enough packets at a compromised exit node and you can build a usage pattern with possibility of identification? Using Tor to check email or blog from oppressed nations just looked a little less appealing.

--
Finally had enough. Come see us over at https://soylentnews.org/
Re:Further Details From Roger by Anonymous Coward · 2010-01-21 22:51 · Score: 0

I'm not sure if you're not misunderstanding the purpose of Tor. Well, either that, or I am. :)
In any case, the purpose of Tor is not encryption but anonymity. This bears repeating: unless you take additional steps to encrypt the data sent through Tor, it WILL be plainly readable at some point. Intermediate nodes won't be able to decrypt it, obviously, but the exit node will see it, for obvious reasons.
The only thing the exit node doesn't know is who actually made the request, although this could quite possibly be inferred from the data being sent.
You should ALWAYS encrypt data sent through Tor.
Re:Further Details From Roger by Opportunist · 2010-01-21 23:02 · Score: 1

Using tor to transmit anything unencrypted is a very DUMB thing. You have to understand that between the exit node and the target server, all traffic is done in the same fashion it would be done between you and the target server if you didn't use tor. If there is no inherent encryption (like https or ssh), it will NOT be encrypted between the exit node and the server.
In other words, it is trivial for someone who wants to sniff passwords to establish an exit node and just collect packets.
tor is NOT an encryption tool. It is a tool to mask your whereabouts, to give you the means to access information your government does not want you to see. It's a tool to avoid prosecution when you access "illegal" information (read: information your government deems illegal). It is NOT a tool to increase your security against MITM sniffing. Quite the opposite.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
What was the cause of the breach? by master_p · 2010-01-21 23:05 · Score: 2, Interesting

The links are not very informative about what allowed the breach to happen. Was a security model vulnerability? man-in-the-middle attack? buffer overflow?
Re:Further Details From Roger by Anonymous Coward · 2010-01-22 03:10 · Score: 0

If the exit node is compromised it can see the destination IP, and clear text message
A lot of people put to much faith in TOR anonymizing capabilities, and forget this one little detail: If you are using an insecure transport method to begin with (ie: FTP, POP3, SMTP) you are still vulnerable to an attack from someone running a compromised exit node. Sure, it won't be direct, but it wouldn't be to hard to run a node and gather user names and passwords, and that can easily lead to figuring out who you are.
In other words: TOR is NOT A SECURE COMMUNICATIONS CHANNEL!!! It doesn't have any magical properties to keep plain text communications away from a random attacker. If you want to be secure, you must use a secure protocol!
Re:Tor WILL get people killed, if it hasn't alread by Hatta · 2010-01-22 03:11 · Score: 1

Fighting oppression has always gotten people killed. If Tor allows people to speak out with less risk, it's done it's job.

--
Give me Classic Slashdot or give me death!
Tin Foil Hat Securely On by Anonymous Coward · 2010-01-22 03:19 · Score: 0

FTA: "A friendly anonymous sponsor has provided a pile of new servers ..."
Hairs standing on the back of my neck.
Re: Sending secure traffic is far more interesting by presidenteloco · 2010-01-22 06:57 · Score: 1

Good point. Bang on.
Now as we move to encrypted fragmented cloud storage and computing, that assumption will presumeably have to change, as it will become routine to encrypt both your stored content and its transmission. And I can see anonymization being offered as part of cloud services of the future, to prevent corporate espionage (shady forms of "business intelligence") etc.
When encryption and anonymization of net communications becomes the norm, then who do you watch, and how?

--

Where are we going and why are we in a handbasket?
Tor - Wonderland's Largest Honeypot by Anonymous Coward · 2010-01-22 12:17 · Score: 0

Though the looking glass, Alice wrote:
Dear Trusting Fools,
I invited the jabberwocky and his friends into the white rabbit's house where I'm staying and he slipped something into the sauce. It's for your own good, you know.
Love,
Alice
++
The note is slipped through the looking glass and on the other side it reads:
Dear Friends,
Goodness! I've had some troubled times here in Wonderland, but everything is resolved and it has nothing to do with the sauce, everything is fine!
Love,
Alice
PS. I have a whole new batch of sauce you really should try! We're switching to the new batch now, we urge you to switch, too, for the sake of your health! We've added new vitamins!
Re:Tor WILL get people killed, if it hasn't alread by Anonymous Coward · 2010-01-22 16:24 · Score: 0

You're right. We had better just give up.