[tor-talk] WP: The feds pay for 60 percent of Tor's development. Can users trust it?

Asa Rossoff asa at lovetour.info
Sat Sep 7 17:20:11 UTC 2013


>From Nathan Suchy, September 07, 2013 4:20 PM UTC:
> You can check the source code. No back doors. Plus people at the FBI have

> used it for anonymity...

 

A back door is not always easy to spot.  Especially for people who are not
experts in all the technologies involved.  And Tor, and the technologies it
depends on, are not fault-proof, as we know.  So any fault could be declared
a backdoor if assumed intentional.

...

> On Sep 6, 2013 8:14 PM, <
<mailto:BM-2D9WhbG2VeKsLCsGBTPLGwDLQyPizSqS85 at bitmessage.ch>
BM-2D9WhbG2VeKsLCsGBTPLGwDLQyPizSqS85 at bitmessage.ch>

> wrote:

> 

>>
<http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/06/the-feds-pays-
for-60-percent-of-tors-development-can-users-trust-it/>
http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/06/the-feds-pays-f
or-60-percent-> of-tors-development-can-users-trust-it/

 

Tor funding is always an interesting point, no doubt.

 

If you use the official binaries, certainly, even checking the hashes, and
you personally review and understand the code, you have to trust that the
people compiling the code used unmodified open source code (if the exact
compile process they are using is documented, this could be verified
independently).

 

Keeping it open source offers a level of security, but still requires actual
scrutiny, esp. now that we know just how much the Feds are interested in
decrypting traffic and focusing attention on those who encrypt their
traffic.

 

Trust is involved.  Speaking of which, do we have bios of all Tor
contributors, esp. those that authorize code changes and those that compile
code?  Do we have public ongoing accounting of who gets paid how much and
for what?

 

Redundant compilations by parties we could consider independent, if they are
identical, could provide a check on that.  Linux distribution binaries are
another question.  If security is of great import, you need to have a chain
of trust, careful custody, and secure transfer of source code and binaries
all around.  And of course install it on a secure system that doesn't
already have some kind of backdoors.

 

Does Tor automatically validate its executable upon running and refuse to
start if modified?  That would be a good feature.  Not sure the most secure
way to implement such a feature, but I know some software already does that.

 

 

I have no conspiracy, but I do think transparency is really important.  As
we can see from this article and the list poster who posed a very reasonable
public interest question, even for public relations and Tor's ability to
increase userbase and trust.

 

Tor has the option of refusing funding from any government entity, but
obviously, literally at a cost.

 

And thank you very much to those working hard for great ideals on this
project.

Asa Rossoff

 

-- I signed this message with an X.509 certificate ... hahha hahaha ha!



More information about the tor-talk mailing list