[tor-talk] Iran cracks down on web dissident technology

Paul Syverson syverson at itd.nrl.navy.mil
Mon Mar 21 15:07:49 UTC 2011


On Mon, Mar 21, 2011 at 02:43:22PM +0100, Anders Andersson wrote:
> On Mon, Mar 21, 2011 at 4:32 AM, Ali-Reza Anghaie <ali at packetknife.com> wrote:
> > I find it curious that ~credibility~ of tor is being called into
> > question by some. The source is readily available, the libraries it
> > compiles against are readily available, the change logs, code control
> > records, etc. are all readily available. Certain contributors to tor
> > have come under fire from various Governments and private
> > institutions. For bloody sin's sake, EVERYTHING has had Uncle Sam
> > involved in some variable way at this point. Linux, GCC, sendmail,
> > bind, etc. etc.
> >
> > FUD is an energy stealer and if you can afford that energy loss then
> > at least put it to good use auditing and tracking down bugs or any
> > backdoors you suppose. -Ali
> 
> I think that it's more curious that someone used Tor and didn't know
> that it used to be a military research project. Like the internet.
> 
> But to be honest, if you don't know anything about programming it
> doesn't matter that the source code is available, how are you supposed
> to check? Pay someone a ridiculous amount of money to check it for
> you? And there's no way to know how many independent programmers have
> validated the source code. In a scenario where the military actually
> would hide something in the source, all programmers working on the
> project would of course be in on it together. There are only a handful
> of them.

This is a reasonable concern, but I think you are oversimplifying the
assurance and risk management available to those who are not tech
savvy. If they are just going to look at one or two poorly researched
articles in a
blog/credentialed-news-publication/whatever-medium-you-want that
confirm their expectations, well there's not much more you can do to
help them. Whether they trust you or not, their beliefs will not be
very well grounded.  But if they do have the interest and time (lucky
them), they don't have to be able to read the source code themselves
or pay someone (and why trust the guy you are paying to read it
anyway? And how do you know that this is the code running on all of
the relays out there? Or the code you downloaded? And ...)
There are good answers to the latter of these for people who
are tech savvy, but how do you get to trust those answers short of
a significant self-education? Here are just a few of many possible
ways.

The Tor source is available and people are encouraged to check it out,
but that's _not_ the whole story. Tor is also fairly well documented
(meaning that descriptions of what the different parts of the source
code do are available), which encourages people to look at it more
than if it was just this pile of code goo to wade through.  And lots
of independent people _do_ look at the source code. One way you can
tell this is that they find mistakes, sometimes some fairly bad
ones. (Fortunately not too bad very often and generally fixed
quickly.) You can look at the posted history of the announced versions
https://lists.torproject.org/pipermail/tor-announce/ and see
acknowledgments of who found flaws and look them up. Lots of times
these are researchers at some reputed place. Lots of times these are
smart people with no credentials you would recognize. In either case
you could look them up and see who they are. Ask them their experience
reporting a flaw and getting it fixed and what their overall
impression of Tor is. You can do this even if you have no idea what
the flaw is that the release notes are saying they found or how the
Tor people fixed it.

There are also lots of academic researchers looking at Tor all the time
(somewhat overlapping the people looking at the source) and poking
holes in the design, the deployment, etc., testing its strengths and
weaknesses, suggesting improvements, which often do get incorporated.
This is also all well documented and vetted by publication in
peer-reviewed scientific venues. It is also work done at reputed
institutions of higher learning in various countries, if you want
to base anything on that. You could contact the authors of these.
There are also people at places you've never heard of if you don't
trust people at big institutions.

If you don't know anyone you trust who is tech savvy, you could
contact your favorite computer science department by looking them up
on the web and ask around till you get directed to someone who knows
something about Tor and ask them.

Yes, maybe someone bogusly directed you to a simulated website of
Enormous State University with fake phone numbers in it, and whoever
you talk to there might inadvertently link you back to the Tor cabal
rather than getting some random professor or savvy student's opinion,
and maybe all those publication venues and researchers and
universities are in on it, and the supposedly independent researchers
who found code flaws were also in on it (or sock puppets created by
Roger to create credibility). But at some point you have to look at
the size, diversity, and entrenchment of the conspiracy you think is
there. At some point there is only so much we can do to reassure
you. (I'm talking about reassuring you that there is no
conspiracy. That the stuff is good is a related but independent
question that the above suggested checks should help with.)  If the
above or some of the many other things you might do to check into it
yourself without needing to understand the technology doesn't convince
you, then probably you have already decided what to believe and no
evidence is going to change that.

And yes, there are always things to do to improve
transparency/trustability/usability/etc. People worth trusting
probably have processes to do that and a relatively independent and
confirmable history of doing it.

HTH,
Paul
