Tor Project Installs New Board of Directors After Jacob Appelbaum Controversy (theverge.com)
An anonymous reader writes: The Tor Project announced today that it has elected an entirely new board of directors as part of a larger shake-up after accusations of misconduct by former employee Jacob Appelbaum. Appelbaum left the company in June after the nonprofit organization said it had received multiple accusations against him. The seven board members that are leaving the organization said in a statement today that it is their "duty to ensure that the Tor Project has the best possible leadership." The New York Times reports that the board agreed to step down following the controversy surrounding Appelbaum. Some of the board members who will be leaving include Tor Project co-founders Roger Dingledine and Nick Mathewson, who will continue to work on the organization's technical research and development team, according to the statement. They will be replaced with several prominent cryptographers and scholars, including University of Pennsylvania professor Matt Blaze, Electronic Frontier Foundation Executive Director Cindy Cohn, and security technologist Bruce Schneier. Meanwhile, researchers at MIT have been working on a new anonymity network that they say is more secure than Tor.
Are we seeing an actual change of the guard, and if so, is it actually to benefit privacy, security, and anonymity, or are we going to find out all these new board members have been compromised/were already working for the government to compromise our security?
I don't really believe that, but it is worth asking and scrutinizing periodically, just like the tor code and processes itself.
mass surveillance. Hillary does too, but she is DINO at this point.
Agreed. She is a Republican so this is the fault of Republicans.
Exactly. She is a Republican so everything she does is the fault of the Republicans.
Why does every single project meant to keep us secure have someone accused of sex crimes under fishy circumstances? Even Linus gets some of this now. I hope he avoids going anywhere without reliable witnesses present.
Why is there no mention of the fact that one of the alleged anonymous "victims" said that the people who came forward did not speak for her and that the accusations were completely false? I seem to remember that Slashdot never bothered to post that story and yes, I did, in fact, submit it.
Make of this what you will. Do we only cover the parts of the story we want people to hear?
What (some) people fail to realize is that Tor is another tool in the toolbox, not a panacea. There's no such thing as perfect security. Security is comprehensive and comes in layers. Security is not a project to purchase or a widget to install. I'm surprised this has to be explained on /., but every Tor post seems to elicit this type of visceral reaction, while other security-related software doesn't.
The vast majority of these FBI Tor "exploits" are people running with JS or Flash enabled in the Tor browser, against the big-blinking warnings plastered all over Tor.
From the Wikipedia article on Appelbaum:
The Tor Project and several other organizations ended their association with Appelbaum in June 2016 following several allegations of sexual abuse; Appelbaum denied the accusations.
Okay, so he's being thrown under the bus due to an accusation.
Reading further:
One woman, who has been held-up as an example of one of his victims, hotly contested allegations that Appelbaum abused her and questioned the validity of other allegations against him.
Women are generally sensitive about sexual abuse, so having a woman deny the allegations, and with insight into the situation question the other allegations, shouldn't we at least wait for charges being filed?
Various activists and others have publicly supported Appelbaum, citing that extrajudicial social reactions to the allegations were overly extreme, and had violated Appelbaum's fundamental rights, resulting in a witch-hunt.
Are we a society ruled by law?
Or do we simply try things in the court of public opinion, where the loudest voice is the strongest evidence?
We have an entire board being replaced due to an accusation.
The potential for abuse is enormous.
I'm surprised Microsoft hasn't bought out the Tor Project, closed the source, and changed it so all nodes including exit nodes are run by Microsoft.
The board stepped down.
Voluntarily.
@" FBI Tor "exploits" are people running with JS or Flash enabled in the Tor browser"
No, FBI attacked *servers* first.
1) Tor browser bundle COMES with Javascript enabled and Noscript installed instead to selectively disable it. Why would it permit javascript to be enabled at all for a dark site if the intention was to make it secure? Pasting a warning is not a fix.
2) The bad nodes and problems with the directory servers are known, disclosed by Snowden et al. and have received zero action from the Tor Project board.
"There's no such thing as perfect security. "
Known attacks have received excuses from the Tor project, not fixes.
Jacob needs to fork the project and fix it, not make excuses.
https://lwn.net/Articles/69440...
"Accordingly, we are pleased to announce an excellent slate of new directors who have agreed to
serve on Tor's board. The old directors have, as of July 12, 2016, elected these directors as the
new Tor board:
Matt Blaze
Cindy Cohn
Gabriella Coleman
Linus Nordberg
Megan Price
Bruce Schneier[1]
Roger Dingledine and Nick Mathewson will continue in their roles as co-founders of the Tor Project,
leading Tor's technical research and development. We will all continue to support Tor's mission,
community, management, and organization; and we are happy to offer Shari, the new board, and the
entire team our help and knowledge. We thank the Tor community for their patience and help in this
transition."
[1] isn't he former DoD or something?
> Reading Roger's response, does this sound like a man actively hunting for bad nodes? Because it sounds like a man covering up bad nodes to me.
If you read the lists... Roger, Paul and a couple others consistently use very chosen words when it comes to talking around certain pointed issues.
> It should be obvious that Tor would be the first to receive a demand to backdoor their product, and given their funding they would be the most compliant.
US GOV has not been able to legally coerce action in that manner yet.
Though nothing prevents them from funding things in that direction.
> Jacob should fork TOR, secure it, relaunch it himself and be very careful about the people he hires.
Jacob is smart enough to realize "Tor" is not sufficient against nation states and other global entities and actors.
Anything he does will not be a direct mindfork of tor.
Security is comprehensive with no need for layers if you just use the apk spam host file, remember?
Morale within an organisation is always important, and stakeholders should have confidence in the board to manage things, but;
This is an organisation that lots of powerful people and government would like to see destroyed, it maintains a product that is controversial, and is used in some extreme circumstances.
Do they really need to manage the perception of their work so aggressively. People will have very strong views for/against TOR independent of perceived employee behaviour.
Can Tor as an organisation be trusted if public perception is more important to them than proven facts.
Is TOR just about money now?
> Jacob needs to fork the project and fix it, not make excuses.
Agree. But do these actions not set TOR on the path for that course of action? His links were identified and segregated out of the system and now he is out of the management. Yeah... he is still involved but likely will be watched now. It would be best to throw him out completely.
Accusation.
Just about anyone who is to be 'taken down' in western societies seems to be done by sexual impropriety. JFK, MLK both had allegations of misconduct.
That's a convenient way to brush things off.
For MLK the FBI has sex tapes (including video) recorded in his hotel room. Those tapes were not a fabrication but rather a surprise, as the FBI was instead hoping to get evidence of MLK being in cahoots with commies (of which there's no evidence).
Back then the FBI tried to leak those but the media refused to play ball (that was a long time before Gawker). So they sent a ridiculous letter to his house, with a copy of those tapes. Here's an actual quote from that letter which was allegedly read by his wife first:
The American public will know you for what you are, an evil, abnormal beast, and Satan could not do more
Years later a bunch of right-wingers tried to get those tapes released but a judge sealed them until 2027.
So take off your tinfoil hat. It's healthy to ask questions, but when you raise doubts about sexual allegations simply on the basis that the alleged perpetrator is famous and therefore some nefarious organization must be trying to frame him, you're making it more difficult for real victims to come out.
lucm, indeed.
Tor is on Github isn't it? I assume he (Jacob) can just fork it, without being involved with 'Tor Project'.
And that would be the best solution, because the board didn't do the code with security holes, they just let in the bad actors who did the code.
Roger is doing what is called "being diplomatic". That is probably one of the main reasons the project still exists. For example, most law enforcement realizes after talking to Roger that Tor actually benefits them more than it is a problem for them and that going after exit-nodes is pointless. So Roger needs to be careful to accuse people, because Tor really is something that benefits society as a whole and he must not piss off people that could kill the project while not understanding what it offers. Tor is not a l33t haxor underground project and it cannot be as it needs size to work in practice. As to "pointed issues", I asked him personally about the financing of the project more than a decade ago and got a detailed and honest explanation that danced around nothing.
Also note that there are no known attacks against Tor that even hint at an intentionally inserted vulnerability as long as you look at the actual details. People being de-anonymized were either stupid (logging into Facebook over Tor after doing something that got somebody's attention without restarting the client first and the like) or the attack target was not the Tor Network, but the Tor-browser with a vulnerability it shares with regular Firefox. In the latter case, it was at least in some instances also people ignoring the start-up warning and using a non-current version of the Tor browser bundle. The Tor website warns against all that. The Tor network verification screen warns you right there that staying anonymous is not trivial and points you at documentation that (at least to me) is clear and well-written. The tor developers cannot fix stupid. In fact, no technology can fix stupid, even if many stupid users demand that these days.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
This is an overtake of Tor and there is a new network by MIT which no doubt will spy on people for da government
The issue is not with unfounded accusations. The people that worked with Appelbaum over the years found the accusations very plausible, because of the conduct he has shown to the rest of the board members. They know why they finally got rid of him.
This story isn't about some accusations that came out of the blue, but about an organization finally pulling the plug on a really mean character that has used his social skills and status for over a decade to abuse countless people.
My problem is: Why haven't they done so sooner. If you read the accounts, you really have to wonder how toxic the organizations (TOR, CCC, cDc, et al) were that hosted this gigantic psychopath for so long. And if you look at his bio (Wikipedia), his psychological problems aren't a big surprise.
So why has this been going on for so long, and how many other (smarter) abusers still hide in these communities? There is a lot of abuse that can't be adequately addressed by criminal law, but still warrants dealing with and the TOR project has not shown any interest in finding out how to deal with these issues in the future. Neither have cDc or the CCC.
A few things:
1. There are only a few employees actually working for Tor. Most of the research surrounding it is done by academics at other institutions. I also personally know that Tor was doing similar research into "attack nodes" as what was done at NEU, albeit not as sophisticated.
2. These attack nodes were explicitly targeting hidden services, not Tor clients. This research has no impact on the security of the most common use case of Tor, which is to anonymize access to public websites.
I don't really agree with most of your post, but modded up for the sake of letting people express their views without instant -1. Some modders can't obviously stand differing views. Posting AC for the sake of averting a nuclear retaliation.
Tor seems to have 2 fundamental problems they can't fix:
1. Tor hidden servers seem to have a new "oops, totally not anonymous" exploit every few months since the dawn of the project.
2. No one can seem to write a secure web browser. Even with js etc disabled, FF (and everyone else) has had flaws simply in the code that renders a page. Not common at all, but all it takes is 1, and nations can afford to buy such exploits (and we know they do).
There is no actual evidence of a successful attack on the onion routing element of TOR, and the team seems to do an OK job of fixing theoretical issues, but if servers are flawed and the browser is flawed, so what?
I think TOR is doing a great job, however, of protecting privacy from the likes of Google and Facebook. If that's your goal, TOR is a great tool.
Socialism: a lie told by totalitarians and believed by fools.
The board stepped down.
Voluntarily.
So did Appelbaum.
Please provide more reliable evidence before advocating shunning people.
Otherwise, we'll just publish a pedophile alert to everyone near you saying that the Ixian may be a rapist and a pedophile based on anonymous internet comments. I mean, I don't have any proof or anything, but you certainly could be one, so women and children should shun you to avoid allowing a creep like you to continue their predatory practices.
I have watched many Jacob Appelbaum speeches. Appelbaum often expresses how governments are out to get him, how he is on the cast iron list of the NSA, and authorities look for ways to incriminate him. So what the hell is he doing sleeping with so many people? If you consider yourself to be an activist, a journalist or a high profile target, you mitigate risk. You don't jump in bed with as many people as possible. This is how many people get neutralized. Keep it in your pants, get a wife/husband, whatever. But don't go hopping into bed with lots of people and then complain when this is used against you.
As for sex allegations, Appelbaum seems to be more guilty of a lack of sensitivity and tact than being an actual rapist. The women he approached were too vulnerable, confused, and unsure of themselves. Freaking nitroglycerin. If these women wanted nothing to do, physically, with Appelbaum, they could have told him, 'no'. However, there was a woman he propositioned in a restaurant in a very tactless way. That was bad. Then there was a girl he kissed...and she didn't want it. He could have asked for permission first, but she could have also just smacked him to bring the message home clear.
grab Tails 1.4.1 from kat.cr
add these to your torrc
StrictNodes 1
ExcludeNodes {us}
done. Just run it in a VM as a LiveCD, that is simplest. There are more tricks but they spawn counter-measures from braindead CIA/NSA/FBI. Why entertain the dead?
I think you've really hit upon the crux of the "why do I care?" question.
For me, Tor is about securing my privacy from those who would exploit it; it's about securing my day-to-day rather pedestrian concerns which mainly revolve around not giving personal information to advertisers that I haven't consented to. Those do NOT include kiddie pr0n or anything that a nation-state would give a flying fuck about. I'm not trading in state secrets.
Therefore, for me, Tor is just fine. For people involved in kiddie pr0n or trading state secrets, well, fuck those guys. Not my problem.
This comment is my opinion and does not represent an official position of Donald Trump or others I do not work for