Slashdot Mirror

← Back to Stories (view on slashdot.org)

Executive Director Andrew Lewman Answers Your Questions About Tor and Privacy

Posted by samzenpus on from the here-it-is dept.

A while ago you had a chance to ask Executive Director of the Tor project Andrew Lewman about fighting laws and technology that threaten anonymity and the importance of privacy. Below you'll find his answers to your questions. The NSA TrueCrypt Ploy Again?
by TechForensics

How can we ever be sure Tor has not morphed into an eviscerated TrueCrypt and that at some point, after achieving their means of compromise, the NSA won't force a version they can easily backdoor on the public?

They like to compromise software and then put it back, so it becomes an intelligence asset. In my understanding only a legal technicality allowed TrueCrypt to issue a cryptic public announcement which effectively let the public know TrueCrypt was potentially compromised. I wonder whether the NSA will even allow Tor to recommend a transparently ineffective alternative.

Lewman: No agency has ever asked Tor to put in lawful intercept access, also known as a “backdoor.” Tor is not subject to the same legal requirements as other Internet service providers or content providers to incorporate that into the system. Our FAQ answer states this clearly.

How can strategies be drawn so if Tor is easily, possibly undetectably breached, the public will have some inkling of it?

Lewman: Tor maintains an open community and believes in transparency. We always strive to report out as quickly as we can about any issues affecting the Tor network.



Cryptowall 2.0
by Anonymous Coward

Cryptowall 2.0 is using state of the art cryptographic services like Tor, Bitcoin, and file encryption, combined with standard exploits to hold data ransom. I think it's among the more sophisticated attacks I've ever seen. How do you think more malware of this type will pressure you to change the service?

Lewman: Tor is used by millions of people for legitimate purposes and certainly anytime someone uses technology in a way that harms other people, we are disheartened. Our approach to this is, and has been, to work with malware researchers and law enforcement to help people remove the malware or to change the incentives behind including Tor in the malware at all.



Tor connections
by Anonymous Coward

Why hasn't TOR moved towards a connectionless routing between the client and the exit node? A permanent connection is being established each time with the same pattern: computer -> entry node -> middle node -> exit node -> website. This can lead to a traffic pattern analysis, given an observer with enough "peer exchange nodes" under his monitoring. In some cases all the connections could be monitored with only country/continent level entry points. Wouldn't a bunch of state-less P2P like connections between the client and the exit node be better suited against such traffic inspection?

Lewman: We would love to get to the point that Tor could provide a connectionless routing between client and exit node that does not compromise anonymity. It is something that we have thought about for a while and started research on a while back. More research on this needs to be done in order to roll it out to the Tor network. We would love for someone to help further study that and help us figure out how to make that happen.



Have you used I2P...
by Anonymous Coward

And what are your thoughts on its design compared to Tor and as a complement to it?

Lewman: We try to keep up with any new technology that emerges and have tried many of the different online privacy products and software out there- I2P, Freenet, Retroshare, GNUNet and others certainly have some interesting work and research about online privacy. We are open to collaborating with anyone that shares our mission of protecting online security and anonymity for users.



Balance between simple privacy and lawlessness
by TWX

Tor can be used for good and for evil. How do you go about attempting to design the features of Tor to maximize one and minimize the other?

Lewman: The Tor network is designed to provide protection online for ordinary citizens, victims of abuse, and individuals in dangerous parts of the world share information over public networks without compromising their anonymity. Most of the people that use Tor have legitimate uses for wanting privacy such as activists or reporters that need to keep their locations private. Criminals can already do bad things and there are certainly lots of options available to them for breaking the laws.



Re:Balance between simple privacy and lawlessness
by mlts

Along the lines to this question, how can Tor's PR be helped? As of now, part of an IT person's job is to block Tor's exit nodes, on the application, kernel, and router level, because those nodes to be a source of many attacks. So, because of the bad reputation, it gets entirely locked out of many websites. This can be fixed by running a VPN over Tor so the exit comes from the VPN's servers, but there goes the anonymity for the most part.

Lewman: With so much concern these days about people’s privacy being compromised online, I would love more businesses to take a look at how Tor could help them protect their confidential documents like patents, product development ideas, or financial documents. Even in some situations when a company is doing competitive intelligence research online and it's important that the competitor does not know, it keeps the competitor from knowing that someone is looking at them online.



What is your biggest fear?
by AmiMoJo

What is your biggest fear? After the TrueCrypt developers were apparently threatened or otherwise convinced to abandon development, does the NSA worry you? The FBI has been complaining about encryption lately too, as have law enforcement agencies in other countries. Or is there something else that concerns you?

Lewman: My biggest concern is making sure that the 2.5 million people around the world that currently use Tor and the thousands of new people that download it every day, have a safe, reliable way to protect their privacy online.



Tor has been compromised
by kheldan

News stories I've read lately seem to indicate that the Tor exit nodes have been and still are being compromised by organizations and some oppressive governments. What are you doing about this?

Lewman: The Tor network has been around for 10 years and it has never been successfully hacked. Many have tried and many more will try. We work with researchers all the time to improve the network.



Darknet takedowns.
by brokenin2

Do you know how the takedown of so many "darknet" sites was accomplished recently, or do you at least have some suspicions? The government seems to by lying about how they took down the original Silk Road site, and I'm wondering if you believe this is to: a) Hide a technical solution that they have at their disposal, or b) Hide the egregiously illegal/inadmissable things they did to accomplish this, or c) some of each.

Lewman: We have no knowledge of how the agencies working together "took down” silkroad and other darknet sites but news reports vary widely on the actual number of sites that were taken down. We've been watching carefully to try and learn if there are any flaws with Tor that we need to correct. Nothing so far about this case makes us think they found a way to compromise the Tor software or network. The FBI says that their suspect made mistakes in operational security and was found through actual detective work.

53 comments

  1. Fuck laws by Anonymous Coward · · Score: 0

    The "people" that come up with and enforce these fucking so-called laws like a bunch of disgusting thugs need to be fucking exterminated in cold blood with extreme cruelty. Death to the nanny-stater control freak scum.

    1. Re: Fuck laws by Anonymous Coward · · Score: 0

      Never. Going. To. Happen. What you call "nanny state" we call "civility". It's inevitable. The internet, that last bastion of anarchy, is being brought to heel. Accept it.

    2. Re: Fuck laws by Anonymous Coward · · Score: 0

      The internet, that last bastion of anarchy, is being brought to heel. Accept it.

      And with it, so goes the end of the era of privacy. Asshat.

    3. Re: Fuck laws by bigfinger76 · · Score: 1

      I feel a strong draft.

    4. Re:Fuck laws by Anonymous Coward · · Score: 0

      Time for you to get some therapy. Maybe one day you won't be a hopeless square-peg.

  2. Its safe, just trust me! by Anonymous Coward · · Score: 5, Insightful

    Wow, this guy just ducks every question. My trust in Tor goes down after reading this.

    1. Re:Its safe, just trust me! by kheldan · · Score: 4, Insightful

      That's pretty much how I feel about the 'answer' to the question I asked. A 'boilerplate' answer.

      --
      Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
    2. Re:Its safe, just trust me! by fustakrakich · · Score: 3, Interesting

      Yep, it sounded more like an FBI/NSA press release. The simple fact is that if you can't blend in, you're going to stand out. That is the big problem with Tor.

      --
      “He’s not deformed, he’s just drunk!”
    3. Re:Its safe, just trust me! by Anonymous Coward · · Score: 1

      Totally agree. I did not get a warm fuzzy feeling at all. Not that I was expecting one, but my confidence in Tor actually went down like GP suggests.

    4. Re:Its safe, just trust me! by Em+Adespoton · · Score: 5, Insightful

      Agreed -- Lewman answered like the head of a corporation, not like the leader of a privacy movement.

      The NSA TrueCrypt Ploy Again?
      - trust us.

      Cryptowall 2.0
      - we're legitimate and don't like bad things.

      Tor connections
      - we're interested and have been considering this, but haven't made any headway. We need you to join our community and implement this for us.

      Have you used I2P...
      - yes. And most of the others. We'd love for their developers to join our community and implement some of their good ideas for us.

      Balance between simple privacy and lawlessness
      - we're legitimate and don't like bad things.

      What is your biggest fear?
      - that we won't get more people joining our community and will instead have people leave it.

      Tor has been compromised
      - it hasn't been compromised in the ways we consider important. Trust us.

      Darknet takedowns.
      - on the other hand, maybe it's been compromised and we just haven't figured out how yet. We don't know. Trust us.

    5. Re:Its safe, just trust me! by Anonymous Coward · · Score: 1

      Except that according to Snowden's documents the NSA itself admits to not being able to break Tor. But obviously you're the kind of guy who thinks that Snowden is a "triple" agent and he carried out a giant NSA conspiracy to promote NSA-compromised software, right?

    6. Re:Its safe, just trust me! by fustakrakich · · Score: 1

      But obviously you're the kind of guy who thinks that Snowden is a "triple" agent...

      Gee, now that you mention it, it does sound kinda plausible. After all, this really is industrial espionage, you know, find out what the other guy has, bla bla bla. It's like a form of 'trade', so to speak. I'll have to look into it.

      --
      “He’s not deformed, he’s just drunk!”
    7. Re:Its safe, just trust me! by lgw · · Score: 1

      Wow, this guy just ducks every question. My trust in Tor goes down after reading this.

      I can't tell whether he's stonewalling, or TOR is successful enough to have a PR Tool answer these questions (without understanding them). I'd think that if TOR were subverted they'd be less obvious, but then again he could be playing the Manchurian Candidate (was he typing in Morse Code?).

      Dammit, why did all the tinefoil hatters have to be right?

      --
      Socialism: a lie told by totalitarians and believed by fools.
    8. Re:Its safe, just trust me! by Anonymous Coward · · Score: 0

      to not being able to break Tor

      That document was from 2006.

    9. Re:Its safe, just trust me! by Anonymous Coward · · Score: 0

      FALSE, the most recent is dated June 2012:

      http://www.spiegel.de/media/me...

      Pages 20, 21.

      Which once again proves that you anti-Tor trolls are either idiots or liars.

    10. Re:Its safe, just trust me! by Anonymous Coward · · Score: 0

      >Dammit, why did all the tinefoil hatters have to be right?

      They're not. There's just a huge tinfoil-hat problem at Slashdot. Did you not notice all the smart people leaving, and the remaining people losing their minds?

    11. Re:Its safe, just trust me! by lgw · · Score: 1

      Yeah, sorry, when it comes to NSA subversion of crypto products and standards, not only were they right, they weren't nearly paranoid enough. The smart people have been trickling away slowly for 5 years or so now, as /. has been changing its focus to clickbait.

      --
      Socialism: a lie told by totalitarians and believed by fools.
    12. Re:Its safe, just trust me! by gweihir · · Score: 1

      Unfortunately, that is my take-away as well. Meaningless corporate boilerplate, just if he was an FBI representative that tries to avoid lying about things he knows.

      This is however not the way Roger Dingledine operates and his answers (I had opportunity to ask him questions way back, and he strikes me as a perfectly honest person and still does) are much, much better. I think this person here is more in place to allow the project to interface with law enforcement (and they do, they never made a secret of that) and hence speaks language they understand. Interfacing is however not the same as cooperating, not at all. Interfacing in this case means things like making sure law enforcement does not go after exit-node operators, for example, because there is absolutely nothing to be gained there.

      Still, putting this person up for an interview here was a mistake.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    13. Re:Its safe, just trust me! by Anonymous Coward · · Score: 0

      If law enforcement wants to, they can go after the operators of TOR exit nodes (or anyone who connects to and participates in the network) - for assisting those who use the network for illegal purposes [by handling their traffic]. All they'd need to do is apply the standards used to go after money launderers.

      If we're talking about law enforcement in the United States, this would be a bit complicated, since TOR is basically a federal project. (The US would either have to try and convict a fair number of its own agents, or it would be acting hypocritically)

    14. Re:Its safe, just trust me! by Anonymous Coward · · Score: 0

      The real tinfoil hatters don't out themselves by expressing themselves so clearly about it. In like manner, they also avoid the use of TOR, since that would be like shouting to the snoop, "I have something I want to hide; please hear me out!".

      Instead, they meet each other casually, agree to a protocol, then later surreptitiously exchange data with each other, a few bits at a time, through very reasonably mundane activities.

    15. Re:Its safe, just trust me! by bcoinbilly · · Score: 1

      What question did he duck

    16. Re:Its safe, just trust me! by gweihir · · Score: 1

      Law enforcement in many countries actually seems to be using TOR, as their own IP ranges routinely get blocked by shady enterprises. In his talks, Roger usually says that after they understand how TOR works, they are all for keeping it up and secure.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    17. Re:Its safe, just trust me! by Anonymous Coward · · Score: 0

      All the answers could have been longer and more technical but the only crap answer was the short I2P one.

      Most of these questions have been asked before and should already be known to Slashdot readers. It's not a mistake that he linked the FAQ.

      Nobody asked about the possible integration of Tor into default Firefox.

      In short, you are all faggots #soylentnews

  3. Bad /. mobile user experience. by Anonymous Coward · · Score: 1

    The /. mobile site needs some way to collapse the answers, or to make it easy to jump past them to the comments. It takes forever to scroll past them when using a smart phone. I've already read the answers, so I don't want to see them again when I'm trying to read new comments.

    1. Re:Bad /. mobile user experience. by Anonymous Coward · · Score: 0, Offtopic

      The /. mobile site needs some way to collapse the answers, or to make it easy to jump past them to the comments. It takes forever to scroll past them when using a smart phone. I've already read the answers, so I don't want to see them again when I'm trying to read new comments.

      This article has 782 comments. We've loaded the first 20 for you. Would you like to see more comments?

      *yes*

      This article has 782 comments. We've loaded the first 40 for you. Would you like to see more comments?

      *yes*

      This article has 782 comments. We've loaded the first 60 for you. Would you like to see more comments?

      *yes*

      This article has 782 comments. We've loaded the first 80 for you. Would you like to see more comments?

      *yes*

      This article has 782 comments. We've loaded the first 100 for you. Would you like to see more comments?

      *yes*

      This article has 782 comments. We've loaded the first 120 for you. Would you like to see more comments?

      *yes*

      This article has 782 comments. We've loaded the first 140 for you. Would you like to see more comments?

      *yes*

      This article has 782 comments. We've loaded the first 160 for you. Would you like to see more comments?

      *yes*

      This article has 782 comments. We've loaded the first 180 for you. Would you like to see more comments?

      *yes*

      This article has 782 comments. We've loaded the first 200 for you. Would you like to see more comments?

      *yes*

      This article has 782 comments. We've loaded the first 220 for you. Would you like to see more comments?

      *yes*

      "Ah, here it is, that goatse comment I was looking for that missed being part of the first post chain by seconds ... "

  4. Re:Tor and systemd? by allquixotic · · Score: 1

    Tor's integration with systemd, if any, would be very very tiny. Basically systemd would be responsible for managing the start/stop cycle of Tor and collecting any log files.

    This is entirely optional, though. You can always run Tor without it being integrated into systemd's service management facility at all. If you need it in the background and headless, just run `screen -mdS tor [tor_cmdline]`.

    I do not believe that Tor would be automatically running on a default Fedora install. You would have to enable it yourself.

  5. Bennett by Anonymous Coward · · Score: 0

    How do you feel about longtime bullshit contributor Bennet Hasselton?

    1. Re:Bennett by Anonymous Coward · · Score: 0

      Hey Einstein, the questions were already asked. These are his answers.

  6. It's true then, what I've been told some time ago. by chrysosphinx · · Score: 1

    The style of answers itself is a message: they are already indoctrinated and under control.

  7. Wow by dlenmn · · Score: 4, Insightful

    Not even a politician could have given more non-answers.

    1. Re:Wow by aardvarkjoe · · Score: 2

      My thoughts exactly while reading this. If you're not going to say anything more than generic PR-friendly statements that just sidestep the questions, then why bother framing it as an "Ask Slashdot"? Just pay Slashdot a few bucks and have them post a link to your webpage on the Slashdot front page.

      --

      How can we continue to believe in a just universe and freedom to eat crackers if we have no ale?
    2. Re:Wow by hcs_$reboot · · Score: 1

      Not even a politician could have given more non-answers.

      It's more like the answers of a PR representative.

      --
      Slashdot, fix the reply notifications... You won't get away with it...
  8. Re:It's true then, what I've been told some time a by Dins · · Score: 1

    That's what I got out of it too.

  9. Re:It's true then, what I've been told some time a by Qzukk · · Score: 4, Insightful

    It's hard to say. To be honest, to me they sound exactly like the non-answers I'd expect any executive officer to give. The fact they don't mention PRISM at all in reference to recent US government capability is definitely interesting, given that they used to openly state that TOR is weak against such widespread surveillance.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.
  10. he dodged the good vs evil question by vpness · · Score: 1

    I would have been more impressed if he said "we're considering ways to limit lawlessness without compromising the premise of protection of citizens in dangerous parts of the world" "Tor can be used for good and for evil. How do you go about attempting to design the features of Tor to maximize one and minimize the other? Lewman: The Tor network is designed to provide protection online for ordinary citizens, victims of abuse, and individuals in dangerous parts of the world share information over public networks without compromising their anonymity. Most of the people that use Tor have legitimate uses for wanting privacy such as activists or reporters that need to keep their locations private. Criminals can already do bad things and there are certainly lots of options available to them for breaking the laws."

    1. Re:he dodged the good vs evil question by Actually,+I+do+RTFA · · Score: 3, Insightful

      He didn't dodge it. He said "We're not worried about lawlessness. Our job is to make the most secure product we can. Our job is not to help enforce laws" It's a rejection of the premise of the question, sure. But it's not a dodge. It's a clearly articulated moral stance.

      And, fundamentally, the laws people may be breaking could be morally bankrupt. Besides, it seems technically impossible to limit lawlessness without harming anonymity.

      --
      Your ad here. Ask me how!
    2. Re:he dodged the good vs evil question by speedplane · · Score: 1

      He didn't dodge it. He said "We're not worried about lawlessness. Our job is to make the most secure product we can. Our job is not to help enforce laws" It's a rejection of the premise of the question, sure. But it's not a dodge. It's a clearly articulated moral stance.

      Your paraphrase would be a moral stance, but he didn't actually say that. His answer ignores that Tor is used for Evil, it doesn't come out and say that any evil created by Tor is a necessary byproduct of the good that it creates.

      --
      Fast Federal Court and I.T.C. updates
    3. Re:he dodged the good vs evil question by Actually,+I+do+RTFA · · Score: 1

      Yeah, if you insist every answer be self-contained. But the cryptolocker answer came first. Between the two, it seems pretty obvious.

      --
      Your ad here. Ask me how!
  11. Re:Tor and systemd? by Rich0 · · Score: 2

    I've been running tor using system without any issue at all for many months now. Like you say, it just starts/stops your network.

    Maybe if you wanted to route ALL your network traffic over it you'd need to play with networkd and a proxy and all that, but this isn't a typical use case. It really wouldn't be any different than doing the same thing with any init/network-manager/etc.

  12. Security Now by NuAngel · · Score: 2

    So this must be partially in response to the knowledge that Steve Gibson was going to be talking about some problems with Tor in this week's Security Now: http://twit.tv/show/security-n...

    1. Re:Security Now by Actually,+I+do+RTFA · · Score: 1

      TOR talks about these same issues on their site, how they are a result of deliberate choices, and why.

      --
      Your ad here. Ask me how!
    2. Re:Security Now by Anonymous Coward · · Score: 0

      TOR shouldn't be considered to be truly anonymous anymore - it was never designed to withstand an org like the NSA who can not only watch but modify all and any inputs and outputs... there is no anonymous system that can protect against something like that with our current technology - the Internet needs to be re-designed!

    3. Re:Security Now by Anonymous Coward · · Score: 0

      The transcript isn't up, and I refuse to listen to an hour and a half of Steve blathering on. However, given his track record, the problem he has "discovered" is probably one of the well-known confirmation attacks. The only unknown is whether it's a fingerprinting attack or a timing attack.

    4. Re:Security Now by Anonymous Coward · · Score: 0

      Steve Gibson...would that be the same Steve Gibson who claimed the novel "invention" of half-open SYN port scanning on grc.com?

      Gibson is a twat. Nobody with any serious interest in security issues, or anything else computer related, pays attention to what that moron spews out.

  13. Re:It's true then, what I've been told some time a by Anonymous Coward · · Score: 0

    Would you explain what other answers you would have expected to be given to those lame, sometimes ridiculous "questions", some of them starting from blatantly false premises (e.g., the one who says that TrueCrypt is compromised) ?

    Documents leaked by Snowden prove that the NSA itself admits to not being able to break Tor. Is it enough or you are one of the guys who think that Snowden himself is a giant PR conspiracy by the NSA itself to promote compromised software?
     

  14. Re:Tor and systemd? by lgw · · Score: 0

    Tor's integration with systemd, if any, would be very very tiny

    Systemd would of course integrate to make sure your (alread undreadable binary) log files were now firmly encrypted and, like any good onion router, not decryptable by you but only by nodes at least 2 hops away.

    I don't even know if I'm joking.

    --
    Socialism: a lie told by totalitarians and believed by fools.
  15. "Solidarity against online harassment" by jp_831 · · Score: 0

    I tried to post a comment similar to the one below under this thread. Not at all surprising that the moderator didn't allow it through:

    Given Tor's "Solidarity against online harassment", how long until the Tor network is intentionally compromised by the developers at the behest of the SJWs and the Cathedral (a term coined by Mencius Moldbug used to describe the Harvard-US government axis) to unmask and dox those engaging in so-called "harrassment", defined as 'anyone who expresses mere disagreement with an SJW or the political Left in general'?

  16. Re:Tor and systemd? by lennier · · Score: 2

    undreadable binary) log files

    I saw what you did there, Roberts.

    --
    You are not a brain: http://books.google.com/books?id=2oV61CeDx-YC
  17. Executive Director Andrew Lewman Doesn't Answer Yo by Anonymous Coward · · Score: 0

    There, fixed that for you

  18. VPN servers not so secure... by Trax3001BBS · · Score: 1

    I've listened to cell phone calls before just screwing around with a scanner. I've heard a person confirming a reservation and give their credit card number. This was mid 90's. So know how easy it is - or was at that time.

    I found this post looking for something else, it's off topic for the thread. This pertains to Wifi as well as a PC.

    "If you have to use public Wifi then use free VPN service like Hotspot Shield, CyberGhost, OkayFreedom, Spotflux, SafeIP or SecurityKISS which will provide the same security as your home router." http://malwaretips.com/threads...

    -Below is something I've written up for well family.-

    I've done the leg (finger?) work here. All are free with varying limited data usage. Reading the privacy policy of each, SecurityKISS is my choice and the only one that offers true anonymity if you wish (absolute only with the free service), and the only one that doesn't require a registration. But ones call is routed to Ireland, (and it's jurisdiction), it's noted that they have never given any information out to anybody. http://www.securitykiss.com/ab...
    ---End

    Then checked out out their Facebook page, NSA has compromised their system or service, This found due to a Snowden release. "Starting with 2014/12/17 SecurityKISS discontinued the PPTP service." The CEO made mention they may have the data but it's still has to be decrypted, something I can only assume has been.
    https://www.facebook.com/pages...

    Damn odd it's not listed in their Privacy policy, but then PPTP is still being offered as a service..

  19. Firefox Tor by Anonymous Coward · · Score: 0

    Nobody asked about the possible integration with default Firefox that has been hinted, potentially expanding Tor's userbase from 2.5 million to 100 million??