Slashdot Mirror

← Back to Stories (view on slashdot.org)

Interviews: Ask Executive Director Andrew Lewman About Tor and Privacy

Posted by samzenpus on from the go-ahead-and-ask dept.

samzenpus writes Andrew Lewman wears many hats: biologist, advocate against domestic violence, programmer, Executive Director of the Tor project and a member of the board of directors. He works to preserve the right to speak and read freely online by fighting laws and technology that threaten anonymity. Just how hard that has become is much clearer now that the NSA's interest in Tor has become public. Andrew has agreed to give us some of his time and answer any questions you might have. As usual, ask as many as you'd like, but please, one per post.

61 comments

  1. Simple questions by Bodhammer · · Score: 3, Insightful

    Can TOR be trusted and how can I truly know that?

    --
    "I say we take off, nuke the site from orbit. It's the only way to be sure."
    1. Re:Simple questions by Anonymous Coward · · Score: 0

      Contrary to popular Hollywood wisdom, you can never know that you can trust something or someone.

    2. Re:Simple questions by Anonymous Coward · · Score: 0

      Back doors in crypto algorithms, zero-day exploits, compromised implementations, Trusting Trust, a hacked CPU--you can't absolutely trust anything!

  2. Is TOR compromised? by Anonymous Coward · · Score: 0

    Is TOR compromised?

  3. The NSA TrueCrypt Ploy Again? by TechForensics · · Score: 1

    How can we ever be sure Tor has not morphed into an eviscerated TrueCrypt and that at some point, after achieving their means of compromise, the NSA won't force a version they can easily backdoor on the public?

    They like to compromise software and then put it back, so it becomes an intelligence asset. In my understanding only a legal technicality allowed TrueCrypt to issue a cryptic public announcement which effectively let the public know TrueCrypt was potentially compromised. I wonder whether the NSA will even allow Tor to recommend a transparently ineffective alternative.

    How can strategies be drawn so if Tor is easily, possibly undetectably breached, the public will have some inkling of it?

    --
    Those are my principles, and if you don't like them... well, I have others.
    1. Re:The NSA TrueCrypt Ploy Again? by NotInHere · · Score: 1

      The problem is also that TOR still has value if it is monitored by the NSA, as it enables people in China and other countries to access censorship-poor (some might call it -free) internet.

    2. Re:The NSA TrueCrypt Ploy Again? by Anonymous Coward · · Score: 0

      And truecrypt still has value, as a thief cannot decrypt your data, even when the NSA can.

  4. Cryptowall 2.0 by Anonymous Coward · · Score: 0

    Cryptowall 2.0 is using state of the art cryptographic services like Tor, Bitcoin, and file encryption, combined with standard exploits to hold data ransom. I think it's among the more sophisticated attacks I've ever seen. How do you think more malware of this type will pressure you to change the service?

  5. Just curious by Anonymous Coward · · Score: 0

    Andrew, do you know why /. keeps prompting us to ask these questions when it takes months for them to get answered, if ever? For example, I don't think we've ever seen any answers from Dr. Stroustrup from August. (I once received an email from him very promptly after I wrote him, so I'm sure it's not his fault.)

    I look forward to seeing your answer to this question sometime in 2015. Or not: if we never see it at all, I understand. Thanks for at least trying.

    1. Re:Just curious by samzenpus · · Score: 1

      You mean these answers from Aug. 20? http://features.slashdot.org/s...

    2. Re:Just curious by Anonymous Coward · · Score: 0

      Thanks. Just before I posted my question, I looked for that one via the search feature and also the "Interviews" tag, but failed to find it. Is there some systematic way for me to find these answer thingys in the future?

    3. Re:Just curious by samzenpus · · Score: 1

      I just tried to search with the "interviews" tag and it showed up. Searching with the "features" tag should work as well.

    4. Re:Just curious by Anonymous Coward · · Score: 0

      I put "Stroustrup" into the search box just now and it came up, so I guess I simply missed it the first time. Sorry 'bout that. Thanks for your help.

    5. Re:Just curious by AmiMoJo · · Score: 1

      What happened to the interview with Limor "Lady Ada" Fried too...

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. Re: Regarding security by Anonymous Coward · · Score: 0

    Access denied

  7. Why with encryption bother when... by Anonymous Coward · · Score: 0

    you cannont trust the Hardware? Since UEFI it pretty much doesn't matter what kind of Software you run, you cannot have privacy. I fear compromised Hardware probably dates back to Pentium III with its Processor Serial Number.

    1. Re:Why with encryption bother when... by jones_supa · · Score: 1

      Huh? How does UEFI violate one's privacy?

    2. Re:Why with encryption bother when... by Anonymous Coward · · Score: 0

      It basically an Operating System with Network support that loads before anything else. It can do pretty much anything. From simple homephone and tracking to fuck with your (installed) os kernel. You have a laptop with UEFI, built-in webcam and soundcard? Consider your privacy gone.

    3. Re:Why with encryption bother when... by jones_supa · · Score: 1

      And why would it do any of these things? I'm sure it would not be good business for a hardware manufacturer to include such malicious features.

  8. How many Tor users are aware that Tor by wiredog · · Score: 1

    was originally developed by the US Government, and is still supported financially by the US Government?

    "Few", or "almost none"?

    --

    Best Slashdot Co
  9. FaceBook on Tor by P3r1$c0p3 · · Score: 1

    The announcment of FaceBook being available on Tor seems to be a ploy to confuse single dimesion thinkers into revealing themselves. Is this being sponsored by alphabet soup agencies as a way to kind of model the topology of the Tor network, or is it more social experiment on how people who would login to their online identity while trying to be anonymous at the same time think?

  10. Tor connections by Anonymous Coward · · Score: 2, Interesting

    Why hasn't TOR moved towards a connectionless routing between the client and the exit node? A permanent connection is being established each time with the same pattern: computer -> entry node -> middle node -> exit node -> website. This can lead to a traffic pattern analysis, given an observer with enough "peer exchange nodes" under his monitoring. In some cases all the connections could be monitored with only country/continent level entry points.
    Wouldn't a bunch of state-less P2P like connections between the client and the exit node be better suited against such traffic inspection?

  11. Re:Domestic Violence by TWX · · Score: 1

    However, depending on what you initially do, there are limits on what you can continue to do. You have a lot of lattitude, granted, but whatever you do must be in the moment. If you stop your defense and start again you run the risk of being prosecuted as that woman that fired the warning shot in Florida was going through before saner heads prevailed.

    --
    Do not look into laser with remaining eye.
  12. Everyone who uses TOR is on a watchlist by Anonymous Coward · · Score: 0

    The government knows that by using TOR you must have something to hide. So why use TOR if you're not doing illegal activities? Why use TOR if you ARE doing illegal activities?

    1. Re:Everyone who uses TOR is on a watchlist by Anonymous Coward · · Score: 0

      The government knows that by using the Internet you must have something to hide. So why use the Internet if you're not doing illegal activities? Why use the Internet if you ARE doing illegal activities?

      The government knows that by breathing you must have something to hide. So why breathe if you're not doing illegal activities? Why breathe if you ARE doing illegal activities?

      Dude, we're well past the point of it mattering what we do or don't do, we're all being considered to be potential criminals, guilty until proven innocent, and like proving all negatives, it's essentially impossible.

    2. Re:Everyone who uses TOR is on a watchlist by Anonymous Coward · · Score: 0

      I'm a lady you insensitive clod!

    3. Re:Everyone who uses TOR is on a watchlist by Anonymous Coward · · Score: 0

      Duuude.

  13. Tor has been compromised by kheldan · · Score: 3, Insightful

    News stories I've read lately seem to indicate that the Tor exit nodes have been and still are being compromised by organizations and some oppressive governments. What are you doing about this?

    --
    Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    1. Re: Tor has been compromised by Anonymous Coward · · Score: 0

      Some Tor exit nodes are compromised. Not all, but if you ever trusted exit nodes you are asking to be pwned. This is a known weakness in the design of the system but using TLS (and being very vigilant as to which certificates you trust to avoid MITM attacks) mitigates against many threats to your anonymity.

      You can help by running an exit node yourself, if you have the resources. Even if you can't run an exit node, you can still run a relay. Every relay helps the network and the more relays, the harder it is for NSA and pals to run certain types of analysis. Running a relay yourself also improves your anonymity as it becomes much harder for an adversary to tell which streams originate with you and which are just relayed.

    2. Re:Tor has been compromised by AmiMoJo · · Score: 1

      If you are relying on the exit not being being evil you are doing it wrong. Tor still requires you to assume that your connection is untrustworthy, it just prevents people identifying your real IP address by analysing the packet headers.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  14. Balance between simple privacy and lawlessness by TWX · · Score: 1

    Tor can be used for good and for evil. How do you go about attempting to design the features of Tor to maximize one and minimize the other?

    --
    Do not look into laser with remaining eye.
    1. Re:Balance between simple privacy and lawlessness by Anonymous Coward · · Score: 0

      "Evil" has been very broadly defined by some countries; any version of Tor which blocks the evil bit would become completely worthless.

    2. Re:Balance between simple privacy and lawlessness by mlts · · Score: 1

      Along the lines to this question, how can Tor's PR be helped? As of now, part of an IT person's job is to block Tor's exit nodes, on the application, kernel, and router level, because those nodes to be a source of many attacks. So, because of the bad reputation, it gets entirely locked out of many websites. This can be fixed by running a VPN over Tor so the exit comes from the VPN's servers, but there goes the anonymity for the most part.

  15. the biggest question on our mind by slashmydots · · Score: 2

    We haven't heard any solid proof of a complete failure of Tor's privacy to catch a criminal through a serious exploit. There's a theory out there that a government agency wouldn't blow their cover just to arrest some copyright infringer or small time law breaker on a hidden service. They instead are passively spying to covertly and constantly catch terrorists who think they're protected or they're preparing for a gigantic sweep and mass arrests. What do you think is the likelihood of a situation like that being true, where the NSA or something similar has completely broken Tor and we just don't know it yet?

  16. Domestic Violece Question by Anonymous Coward · · Score: 0

    Do you speak out against ALL domestic violence or only the MINORITY of domestic violence cases of men against women?

  17. Tor by Anonymous Coward · · Score: 1

    Have you received a National Security Letter?

  18. Darknet takedowns. by brokenin2 · · Score: 2

    Do you know how the takedown of so many "darknet" sites was accomplished recently, or do you at least have some suspicions? The government seems to by lying about how they took down the original Silk Road site, and I'm wondering if you believe this is to: a) Hide a technical solution that they have at their disposal, or b) Hide the egregiously illegal/inadmissable things they did to accomplish this, or c) some of each.

  19. What kind of cookies do you like? by rockabilly · · Score: 1

    ...

  20. BINGO by Anonymous Coward · · Score: 0

    Why does TOR use only one route to the exit router ? Why dont they establish hundreds of routes and reassemble the stream at the exit router ?

    1. Re: BINGO by Anonymous Coward · · Score: 0

      Read the Tor FAQ: https://www.torproject.org/docs/faq.html.en#SplitEachConnection

  21. Will there ever be a choice of number of hops? by LinuxWeenie · · Score: 1

    It is my understanding that the number of hops within the Tor network is normally a fixed value, somewhere around 3. Given the potential for compromise of entrance/exit nodes in various countries, perhaps allowing a larger number of hops or even a randomly determined number of hops between two values might give more probability of not being detected. Could you comment on the number of hops chosen and how they relate to the probability of anonymity in the Tor network assuming all other suggested configurations have been realized.

    1. Re:Will there ever be a choice of number of hops? by NotInHere · · Score: 1

      See this one.

  22. Do you know by NotInHere · · Score: 1

    why slashdot doesn't allow visitors from tor?

  23. Re:Domestic Violence by o_ferguson · · Score: 1

    Been there - sorta. The only time I ever hit my wife was when she had me in a choke hold and I was on the verge of blacking out. One quick shot with a closed fist to just below her left eye was enough to make he break the hold so I could run from the room. You actions were not unreasonable, but yes you are a wife beater (as am I - deal with it) and no, you should not have shot or otherwise escalated it. This isn't the type of thing you can't come back from, either - mine was the low point in our relationship, and things have been getting better ever since - we both just needed that one crazy moment to let off some steam...

    --
    - In Soviet Korea, only old people loose all their bases to Natalie Portman's petrified hot grits overlords.
  24. BINGO by Anonymous Coward · · Score: 0

    The largest vulnerability in the system is the exit node itself. Many of them are poisioned, injecting malware into the system, and others track all of the usage.

    A regular audit of exit nodes by a third party could eliminate this, perhaps.

  25. Re:Domestic Violence by Anonymous Coward · · Score: 0

    You must be the dumbest guy I've ever met on the Internet.

  26. Ever danced with an onion in the pale moonlight? by Anonymous Coward · · Score: 0

    yeah

  27. What is your biggest fear? by AmiMoJo · · Score: 1

    What is your biggest fear? After the TrueCrypt developers were apparently threatened or otherwise convinced to abandon development, does the NSA worry you? The FBI has been complaining about encryption lately too, as have law enforcement agencies in other countries. Or is there something else that concerns you?

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  28. CIA by Anonymous Coward · · Score: 0

    Why would the Tor project hire a manager who left the CIA a day before? Was there really nobody better qualified and less dubious for the job? Is CIA-style management really what Tor needs most?

  29. Have you used I2P... by Anonymous Coward · · Score: 0

    And what are your thoughts on its design compared to Tor and as a complement to it?

    Followup question posted in reply below:

  30. P2P network chaining. by Anonymous Coward · · Score: 0

    As a followup to above: Do you think that anonymity could be enhanced, at the expense of network traffic and processing overhead, through easier chaining of multiple p2p architectures, similiar to the once popular 'open gateways' of the past. Assuming you are for or against such a setup, what thoughts do you have on the technical (in)feasibility of it?

  31. Managing Good and Evil by speedplane · · Score: 1

    Tor can be used for both obvious good (e.g., subverting oppressive regimes), obvious bad (e.g., murder for hire, child porn), and a semi-bads (purchasing contraband, hate speech). Despite all of the good that Tor does, how does Tor morally justify itself in light of all the bad that occurs on its networks? Is there some way of weighing the good and bad (i.e., if it got bad enough, would you shut it down)? Or does it decide to not justify itself (i.e., it's just a tool, people will use it how they wish)?

    --
    Fast Federal Court and I.T.C. updates
  32. Hosting for Tor Exit Nodes by Anonymous Coward · · Score: 0

    How do you do this without getting yourself arrested and your assets stolen?