The feds pay for 60 percent of Tor’s development. Can users trust it?

[Renegade]

Just what you didn't want to hear.

http://www.washingto...-can-users-trust-it/

The feds pay for 60 percent of Tor’s development. Can users trust it?

This week, we learned that the NSA had managed to circumvent much of the encryption that secures online financial transactions and other activities we take for granted on the Internet. How? By inserting backdoors into the very commercial software designed to keep sensitive medical records, bank files and other information private.

The NSA’s sustained attempt to get around encryption calls into question many of the technologies people have come to rely on to avoid surveillance. One indispensable tool is Tor, the anonymizing service that takes a user’s Internet traffic and spits it out from some other place on the Web so that its origin is obscured.

So far there’s no hard evidence that the government has compromised the anonymity of Tor traffic. But some on a Tor-related e-mail list recently pointed out that a substantial chunk of the Tor Project’s 2012 operating budget came from the Department of Defense, which houses the NSA.

Seriously? Is there never going to be any good news?

More at the link.

[40hz]

No.

[40hz]

FWIW, me being both a closet BOFH and a professional cynic, I never really did trust TOR - nor did I use it much because of that.

It just sounded too good to be true (and was capable of being used for far too much mayhem) to be left alone and generally remain unchallenged as much as it was. That always says "honeypot" or "Coventry" to me.

[Renegade]

What's the "Coventry" reference?

[40hz]

Story of an alleged cover-up from WWII. See here.

Coventry and Ultra

In his 1974 book The Ultra Secret, Group Captain F. W. Winterbotham asserted that the British government had advance warning of the attack from Ultra: intercepted German radio messages encrypted with the Enigma cipher machine and decoded by British cryptoanalysts at Bletchley Park. He further claimed that Winston Churchill ordered that no defensive measures should be taken to protect Coventry, lest the Germans suspect that their cipher had been broken.[19] Winterbotham was a key figure for Ultra; he supervised the "Special Liaison Officers" who delivered Ultra material to field commanders.[13]

However, Winterbotham's claim has been rejected by other Ultra participants and by historians. They state that while Churchill was indeed aware that a major bombing raid would take place, no one knew what the target would be.[20][21]

Peter Calvocoressi was head of the Air Section at Bletchley Park, which translated and analysed all deciphered Luftwaffe messages. He wrote "Ultra never mentioned Coventry... Churchill, so far from pondering whether to save Coventry or safeguard Ultra, was under the impression that the raid was to be on London."[22]

Scientist R. V. Jones, who led the British side in the Battle of the Beams, wrote that "Enigma signals to the X-beam stations were not broken in time," and that he was unaware that Coventry was the intended target. Furthermore, a technical mistake caused jamming countermeasures to be ineffective. Jones also noted that Churchill returned to London that afternoon, which indicated that Churchill believed that London was the likely target for the raid.[23]

BBC did an article on it here.

True or not, "Coventry" has become the term usually applied to the practice of taking a hit in order not to reveal you have prior information about it. It's a good albeit expensive strategy. Because misplaced confidence in flawed security or encryption systems is easily twice as dangerous as not having any at all.

@Ren - I'm amazed there's a conspiracy story you didn't recognize immediately. (You must be up to something pretending your didn't recognize it right away!  )

[Renegade]

@Ren - I'm amazed there's a conspiracy story you didn't recognize immediately. (You must be up to something pretending your didn't recognize it right away!  )

-40hz (September 09, 2013, 11:27 AM)

I've been working overtime on getting lit.

I wasn't aware of that. (Or I'm too drunk.)

I do read a fair bit on WWII, and have done some pretty extensive study and first-hand research on WWII in war archives, but I sure as hell won't talk much about that. It's political suicide. It's a big topic. Why talk about truth that can get you ostracized when there are lots of other things to get you praised? (WWII dogma is fixed - it's a dead topic, and don't you dare say a word about Market Garden, etc.)

[TaoPhoenix]

I dunno what to think. I never suspected a budget angle. I did hear how the exit nodes got taken over, and so I didn't really trust it from that angle.

I also think that all of these concepts were legit maybe around 1997, before the big machinery ramped up. But to paraphrase a depressing vision I had around 2000, we're all staring into an abyss, without a lot of exciting real new tech, so that's the perfect environment for all this govt encroachment to grind itself into place.

[J-Mac]

I don’t trust it - never felt very comfortable when I used it shortly after I first heard about it. Now I really don’t feel comfortable using TOR.

Jim

[mwb1100]

It's political suicide.

-Renegade (September 09, 2013, 12:45 PM)

Wait a second... you have political ambitions?

[IainB]

I don’t trust it - never felt very comfortable when I used it shortly after I first heard about it. Now I really don’t feel comfortable using TOR.
Jim

-J-Mac (September 09, 2013, 03:52 PM)

^^ +1 likewise.
"Trust" would require proof that it is trustworthy, and I am unaware of any such proof.

For example, remember this DCF discussion? - Norton Identity Safe -- Free Download
Section 10 of the Norton agreement, copied below: (my emphasis)

10 Privacy; Data Protection:
From time to time, the Software may collect certain information from the Device on which it is installed, which may include:
 
— Information on potential security risks as well as URLs of websites visited that the Software deems potentially fraudulent The URLs could contain personally identifiable information that a potentially fraudulent website is attempting to obtain without Your permission. This information is collected by Symantec for the purpose of delivering the functionalities of the software, and also for evaluating and improving the ability of Symantec’s products to detect malicious behavior, potentially fraudulent websites and other Internet security risks.

— URLs of websites visited as well as search keywords and search results only if the Norton Safe Web feature is enabled This information is collected by Symantec for the purpose of providing protection and of evaluating and advising You regarding potential threats and risks that may be associated with a particular Web site before You view it.
— Executable files and files that contain executable content that are identified as potential malware. including information on the actions taken by such files at the time of installation These files are submitted to Symantec using the Software’s automatic submission function The collected files could contain personally identifiable information that has been obtained by the malware without Your permission Files of this type are being collected by Symantec only for the purpose of improving the ability of Symantec’s products to detect malicious behavior Such automatic submission function may be deactivated after installation by following the instructions in the Documentation for applicable products.

— The name given to the Device during the initial setup of such Device. If collected, the name will be used by Symantec as an account name for the Device under which You may elect to receive additional services and/or under which You may use certain features of the Software. You may change such account name at any time after installation of the Software (recommended).

— Status information regarding installation and operation of the Software This information indicates to Symantec whether installation of the Software was successfully completed as well as whether the Software has encountered an error- The status information could contain personally identifiable information only if such information is included in the name of the file or folder encountered by the Software at the time of installation or error- The status information is collected by Symantec for the purpose of evaluating and improving Symantec’s product performance and installation success rate Symantec may also use this information to optimize its web-pages .

— Information contained in email messages that you send through the Software to Symantec to report as spam or as incorrectly identified as spam These email messages may contain personally identifiable information and will be sent to Symantec only with your permission. and will not be sent automatically If you send such messages to Symantec. Symantec will use them only for the purpose of improving the detection ability of Symantec’s antispam technology. Symantec will not correlate these files with any other personally identifiable information.

— Information contained in a report that You may choose to send through the Software to Symantec when the Software encounters a problem The report includes information regarding the status of both the Software and Your Device at the time that the Software encountered the problem The status information about Your Device may include the system language, country locale, and the operating system version for Your Device, as well as the processes running. their status and performance information, and data from files or folders that were open at the time the Software encountered the problem. The information could contain personally identifiable information if such information is included in, or is a part of the name of the files or folders open at the time the Software encountered the problem This information will be sent to Symantec only with Your permission. and will not be sent automatically. The information is collected by Symantec for the purpose of correcting the encountered problem and improving Symantec’s product performance. This information will not be correlated with any personally identifiable information.

— The Internet Protocol (lP) address and/or Media Access Control (MAC) address and the Machine ID of the computer on which the Software is installed to enable the Software to function and for license administration purposes .

— Other general, statistical information used for product analysis, and for improving product functionality.
In additon to the terms and conditions above, the following terms and conditions will also apply to Your use of the Software on mobile Devices :

— The Software may access the International Mobile Equipment Identity (IMEI) in order to generate a hash that ensures anonymity The hash is used to analyze and aggregate equipment data for statistical purposes. The IMEI is not collected or stored by Symantec. This information is used for the purpose of identifying the telecommunications device eligible to receive Content Updates for the Prerelease Software This information will not be correlated with any other personally identifiable information, such as Your account information. Alter the service has terminated the data is retained in statistical form exclusively for internal research.

Unless it is expressly defined as optional. the collected information as set out above is necessary for the purpose of the functionality of Symantec’s products
Information may be transferred to the Symantec group in the United States or other countries that may have less protective data protection laws than the region in which You are situated (including the European Union) and may be accessible by Symantec employees or contractors exclusively to be used in accordance with the purposes described above For the same purposes the information may be shared with partners and vendors that process information on behalf of Symantec Symantec has taken steps so that the collected information. if transferred. receives an adequate level of protection
Subject to applicable laws, Symantec reserves the right to cooperate with any legal process and any law enforcement or other government inquiry related to your use of this Software This means that Symantec may provide documents and information relevant to a court subpoena or to a law enforcement or other government investigation. In order to promote awareness, detection and prevention of Internet security risks. Symantec may share certain information with research organizations and other security software vendors. Symantec may also use statistics derived from the information to track and publish reports on security risk trends by using the Software. You acknowledge and agree that Symantec may collect, transmit, store, disclose and analyze such information for these purposes.
CPS / IDS 1.0 / IE

As I wrote:

...In the doco somewhere it also says that it uses your unique CPU ID, or something, to hash/encrypt data.
NIS is your Friend...     

-IainB (May 30, 2012, 06:19 PM)

I coined the term "Dubiousware" for that, rather than "Freeware".
Wouldn't touch it with a bargepole.

[IainB]

...Seriously? Is there never going to be any good news? ...

-Renegade (September 09, 2013, 09:07 AM)

[J-Mac]

^ Aha! EG Marshall in "Creepshow"!! Campy but cool flick.   

Jim