Interviews: Ask Executive Director Andrew Lewman About Tor and Privacy

samzenpus writes Andrew Lewman wears many hats: biologist, advocate against domestic violence, programmer, Executive Director of the Tor project and a member of the board of directors. He works to preserve the right to speak and read freely online by fighting laws and technology that threaten anonymity. Just how hard that has become is much clearer now that the NSA's interest in Tor has become public. Andrew has agreed to give us some of his time and answer any questions you might have. As usual, ask as many as you'd like, but please, one per post.

Simple questions

[Bodhammer]

Can TOR be trusted and how can I truly know that?

Re:

[TWX]

However, depending on what you initially do, there are limits on what you can continue to do. You have a lot of lattitude, granted, but whatever you do must be in the moment. If you stop your defense and start again you run the risk of being prosecuted as that woman that fired the warning shot in Florida was going through before saner heads prevailed.

Re:

[o_ferguson]

Been there - sorta. The only time I ever hit my wife was when she had me in a choke hold and I was on the verge of blacking out. One quick shot with a closed fist to just below her left eye was enough to make he break the hold so I could run from the room. You actions were not unreasonable, but yes you are a wife beater (as am I - deal with it) and no, you should not have shot or otherwise escalated it. This isn't the type of thing you can't come back from, either - mine was the low point in our relationshi

The NSA TrueCrypt Ploy Again?

[TechForensics]

How can we ever be sure Tor has not morphed into an eviscerated TrueCrypt and that at some point, after achieving their means of compromise, the NSA won't force a version they can easily backdoor on the public?

They like to compromise software and then put it back, so it becomes an intelligence asset. In my understanding only a legal technicality allowed TrueCrypt to issue a cryptic public announcement which effectively let the public know TrueCrypt was potentially compromised. I wonder whether the NSA wil

Re:

[NotInHere]

The problem is also that TOR still has value if it is monitored by the NSA, as it enables people in China and other countries to access censorship-poor (some might call it -free) internet.

Re:

[samzenpus]

You mean these answers from Aug. 20? http://features.slashdot.org/s... [slashdot.org]

Re:

[samzenpus]

I just tried to search with the "interviews" tag and it showed up. Searching with the "features" tag should work as well.

Re:

[AmiMoJo]

What happened to the interview with Limor "Lady Ada" Fried too...

Re:

[jones_supa]

Huh? How does UEFI violate one's privacy?

Re:

[jones_supa]

And why would it do any of these things? I'm sure it would not be good business for a hardware manufacturer to include such malicious features.

How many Tor users are aware that Tor

[wiredog]

was originally developed by the US Government, and is still supported financially by the US Government?

"Few", or "almost none"?

FaceBook on Tor

[P3r1$c0p3]

The announcment of FaceBook being available on Tor seems to be a ploy to confuse single dimesion thinkers into revealing themselves. Is this being sponsored by alphabet soup agencies as a way to kind of model the topology of the Tor network, or is it more social experiment on how people who would login to their online identity while trying to be anonymous at the same time think?

Tor connections

[Anonymous Coward]

Why hasn't TOR moved towards a connectionless routing between the client and the exit node? A permanent connection is being established each time with the same pattern: computer -> entry node -> middle node -> exit node -> website. This can lead to a traffic pattern analysis, given an observer with enough "peer exchange nodes" under his monitoring. In some cases all the connections could be monitored with only country/continent level entry points.
Wouldn't a bunch of state-less P2P like connectio

Tor has been compromised

[kheldan]

News stories I've read lately seem to indicate that the Tor exit nodes have been and still are being compromised by organizations and some oppressive governments. What are you doing about this?

Re:

[AmiMoJo]

If you are relying on the exit not being being evil you are doing it wrong. Tor still requires you to assume that your connection is untrustworthy, it just prevents people identifying your real IP address by analysing the packet headers.

Balance between simple privacy and lawlessness

[TWX]

Tor can be used for good and for evil. How do you go about attempting to design the features of Tor to maximize one and minimize the other?

Re:

[mlts]

Along the lines to this question, how can Tor's PR be helped? As of now, part of an IT person's job is to block Tor's exit nodes, on the application, kernel, and router level, because those nodes to be a source of many attacks. So, because of the bad reputation, it gets entirely locked out of many websites. This can be fixed by running a VPN over Tor so the exit comes from the VPN's servers, but there goes the anonymity for the most part.

the biggest question on our mind

[slashmydots]

We haven't heard any solid proof of a complete failure of Tor's privacy to catch a criminal through a serious exploit. There's a theory out there that a government agency wouldn't blow their cover just to arrest some copyright infringer or small time law breaker on a hidden service. They instead are passively spying to covertly and constantly catch terrorists who think they're protected or they're preparing for a gigantic sweep and mass arrests. What do you think is the likelihood of a situation like tha

Tor

[Anonymous Coward]

Have you received a National Security Letter?

Darknet takedowns.

[brokenin2]

Do you know how the takedown of so many "darknet" sites was accomplished recently, or do you at least have some suspicions? The government seems to by lying about how they took down the original Silk Road site, and I'm wondering if you believe this is to: a) Hide a technical solution that they have at their disposal, or b) Hide the egregiously illegal/inadmissable things they did to accomplish this, or c) some of each.

What kind of cookies do you like?

[rockabilly]

...

Will there ever be a choice of number of hops?

[LinuxWeenie]

It is my understanding that the number of hops within the Tor network is normally a fixed value, somewhere around 3. Given the potential for compromise of entrance/exit nodes in various countries, perhaps allowing a larger number of hops or even a randomly determined number of hops between two values might give more probability of not being detected. Could you comment on the number of hops chosen and how they relate to the probability of anonymity in the Tor network assuming all other suggested configurat

Re:

[NotInHere]

See this one [stackexchange.com].

Do you know

[NotInHere]

why slashdot doesn't allow visitors from tor?

What is your biggest fear?

[AmiMoJo]

What is your biggest fear? After the TrueCrypt developers were apparently threatened or otherwise convinced to abandon development, does the NSA worry you? The FBI has been complaining about encryption lately too, as have law enforcement agencies in other countries. Or is there something else that concerns you?

Managing Good and Evil

[speedplane]

Tor can be used for both obvious good (e.g., subverting oppressive regimes), obvious bad (e.g., murder for hire, child porn), and a semi-bads (purchasing contraband, hate speech). Despite all of the good that Tor does, how does Tor morally justify itself in light of all the bad that occurs on its networks? Is there some way of weighing the good and bad (i.e., if it got bad enough, would you shut it down)? Or does it decide to not justify itself (i.e., it's just a tool, people will use it how they wish)?