[tor-talk] Iran cracks down on web dissident technology
Joe Btfsplk
joebtfsplk at gmx.com
Mon Mar 21 19:06:04 UTC 2011
On 3/21/2011 10:07 AM, Paul Syverson wrote:
> On Mon, Mar 21, 2011 at 02:43:22PM +0100, Anders Andersson wrote:
>> In a scenario where the military actually
>> would hide something in the source, all programmers working on the
>> project would of course be in on it together. There are only a handful
>> of them.
> This is a reasonable concern, but I think you are oversimplifying the
> assurance and risk management available to those who are not tech
> savvy. If they are just going to look at one or two poorly researched
> articles in a
> blog/credentialed-news-publication/whatever-medium-you-want that
> confirm their expectations, well there's not much more you can do to
> help them. Whether they trust you or not, their beliefs will not be
> very well grounded. But if they do have the interest and time (lucky
> them), they don't have to be able to read the source code themselves
> or pay someone (and why trust the guy you are paying to read it
> anyway?, and how do you know that this is the code running on all of
> the relays out there?, or the code you downloaded, and ...)
> There are good answers to the latter of these for people who
> are tech savvy, but how do you get to trust those answers short of
> a significant self-education? Here are just a few of many possible
> ways.
>
> The Tor source is available and people are encouraged to check it out,
> but that's _not_ the whole story. Tor is also fairly well documented
> (meaning that descriptions of what the different parts of the source
> code do are available) which encourages people to look at it more
> than if it was just this pile of code goo to wade through. And lots
> of independent people _do_ look at the source code. One way you can
> tell this is that they find mistakes, sometimes some fairly bad
> ones. (Fortunately not too bad very often and generally fixed
> quickly.) You can look at the posted history of the announced versions
> https://lists.torproject.org/pipermail/tor-announce/ and see
> acknowledgments of who found flaws and look them up. Lots of times
> these are researchers at some reputed place. Lots of times these are
> smart people with no credentials you would recognize. In either case
> you could look them up and see who they are. Ask them their experience
> reporting a flaw and getting it fixed and what their overall
> impression of Tor is. You can do this even if you have no idea what
> the flaw is that the release notes are saying they found or how the
> Tor people fixed it.
>
> There are also lots of academic researchers looking at Tor all the time
> (somewhat overlapping the people looking at the source) and poking
> holes in the design, the deployment etc. testing its strengths and
> weaknesses, suggesting improvements, which often do get incorporated.
> This is also all well documented and vetted by publication in
> peer-reviewed scientific venues. It is also work done at reputed
> institutions of higher learning in various countries, if you want
> to base anything on that. You could contact the authors of these.
> There are also people at places you've never heard of if you don't
> trust people at big institutions.
>
> If you don't know anyone you trust who is tech savvy, you could
> contact your favorite computer science department by looking them up
> on the web and ask around till you get directed to someone who knows
> something about Tor and ask them.
>
> Yes, maybe someone bogusly directed you to a simulated website of
> Enormous State University with fake phone numbers in it, and whoever
> you talk to there might inadvertently link you back to the Tor cabal
> rather than getting some random professor or savvy student's opinion,
> and maybe all those publication venues and researchers and
> universities are in on it, and the supposedly independent researchers
> who found code flaws were also in on it (or sock puppets created by
> Roger to create credibility). But at some point you have to look at
> the size, diversity, and entrenchment of the conspiracy you think is
> there. At some point there is only so much we can do to reassure
> you. (I'm talking about reassuring you that there is no
> conspiracy. That the stuff is good is a related but independent
> question that the above suggested checks should help with.) If the
> above or some of the many other things you might do to check into it
> yourself without needing to understand the technology doesn't convince
> you, then probably you have already decided what to believe and no
> evidence is going to change that.
>
> And yes, there are always things to do to improve
> transparency/trustability/usability/etc. People worth trusting
> probably have processes to do that and a relatively independent and
> confirmable history of doing it.
>
> HTH,
> Paul
1st, a note. I appreciate everyone's reply. If some want to be a bit
insulting or sarcastic, that's OK. I'm not highly technically savvy in
source code, but I've lived a long time & know a lot about typical modus
operandi of many govts. I've read all up thru Klaus Layer's post.
2nd, my reference to a TRUE back door in open source software was fairly
tongue in cheek. However, * software is only part of the Tor
system.* Responders are assuming I meant the ONLY way * any * govt
could "crack" Tor is thru the software itself (or a back door, etc.).
That's not what I meant at all - sorry if I gave that impression. There
are lots of exit nodes, for * one * instance. There's lots of eavesdropping
on exit nodes. There are probably ways inconceivable to most,
how govts could get info from Tor communication. Tell me this: what
other form of communication is off limits anymore in many countries, that
govts monitor (constitutionally or not)? I am NOT anti-govt, nor am I
completely blind.
Axiom (or should be): advanced governments have far more technological
ability & capability than 1) anyone knows; 2) the govtS (not just ONE)
will EVER reveal; 3) than any university, institution or other very
smart individual or group will necessarily be able to detect, or
certainly prove. Most of these are probably in the best interest of
citizens.
However, I feel comfortable saying, those thinking they know exactly
what govts are / are not technologically capable of, are deceiving
themselves. They call them "Top Secrets" for a reason.
Fact: Even if someone discovered any govt successfully monitoring
something like Tor, if they CHOOSE to, most any govt can shut down
"whistleblowers," university / private research, etc., on anything they
consider of national security, in an instant.
Anders Andersson wrote:
> They need a project like Tor as much as "we" do, if not more. They need ways to communicate with spies and dissidents located all over the world, they need a system that let their people do this without causing any suspicion.
Maybe, but I'm asking why any govt would create a system that it can't
control, that could be used by its enemies to do as much or more damage,
as the good the govt gets from it? That's one HUGE problem w/ the
concept that DoD / NRL created or continues funding anything * like *
Tor (not JUST Tor). If they truly have no way of figuring out who's
using a communication method, what users are saying or any other means
of identifying something about (Tor) users, they have created & are still
funding a WEAPON for the enemy to use against them. Can't help
wondering about that.
You can't have it both ways. Either they can't & enemies are using it
(or similar) to plot against MANY govts, or they can & users in "free"
countries don't have nearly the privacy they think. Is the DoD / NRL
that stupid? Possibly - don't know. But if those saying it is
basically impossible for any govt to get useful info from Tor
communication are indeed correct, it defies logic any govt would do such
a thing. Or is it that they shortsightedly created something they
thought would only benefit them, & now the enemy is using it against
us? Pandora's box is open?
Paul Syverson wrote:
> If they are just going to look at one or two poorly researched
> articles...
One or 2... poorly researched? Over several yrs, I think there're
numerous reputable instances of serious flaws discovered in Tor. Sure,
they're patched when announced & confirmed. I'm also sure it will be an
ongoing problem, hence part of my concern.
Paul, it's NOT just the software - I'm sure that's regularly,
independently examined. ONE thing no one knows, for instance, is what
capability govts have once communication leaves exit nodes. Advanced
govts aren't prone to shooting themselves in the foot. What some are
indicating or at least intimating here, is the US created something
(maybe unintentionally) the enemy can NOW use against many countries AND
they are still funding it. Does that make sense? Not to me - w/o some
reasonable facts, such as why enemies can't use it against govts.