Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Privacy

Executive Director Andrew Lewman Answers Your Questions About Tor and Privacy 53

A while ago you had a chance to ask Executive Director of the Tor project Andrew Lewman about fighting laws and technology that threaten anonymity and the importance of privacy. Below you'll find his answers to your questions.
The NSA TrueCrypt Ploy Again?
by TechForensics

How can we ever be sure Tor has not morphed into an eviscerated TrueCrypt and that at some point, after achieving their means of compromise, the NSA won't force a version they can easily backdoor on the public?

They like to compromise software and then put it back, so it becomes an intelligence asset. In my understanding only a legal technicality allowed TrueCrypt to issue a cryptic public announcement which effectively let the public know TrueCrypt was potentially compromised. I wonder whether the NSA will even allow Tor to recommend a transparently ineffective alternative.


Lewman: No agency has ever asked Tor to put in lawful intercept access, also known as a “backdoor.” Tor is not subject to the same legal requirements as other Internet service providers or content providers to incorporate that into the system. Our FAQ answer states this clearly.

How can strategies be drawn so if Tor is easily, possibly undetectably breached, the public will have some inkling of it?

Lewman: Tor maintains an open community and believes in transparency. We always strive to report out as quickly as we can about any issues affecting the Tor network.



Cryptowall 2.0
by Anonymous Coward

Cryptowall 2.0 is using state of the art cryptographic services like Tor, Bitcoin, and file encryption, combined with standard exploits to hold data ransom. I think it's among the more sophisticated attacks I've ever seen. How do you think more malware of this type will pressure you to change the service?

Lewman: Tor is used by millions of people for legitimate purposes and certainly anytime someone uses technology in a way that harms other people, we are disheartened. Our approach to this is, and has been, to work with malware researchers and law enforcement to help people remove the malware or to change the incentives behind including Tor in the malware at all.



Tor connections
by Anonymous Coward

Why hasn't TOR moved towards a connectionless routing between the client and the exit node? A permanent connection is being established each time with the same pattern: computer -> entry node -> middle node -> exit node -> website. This can lead to a traffic pattern analysis, given an observer with enough "peer exchange nodes" under his monitoring. In some cases all the connections could be monitored with only country/continent level entry points. Wouldn't a bunch of state-less P2P like connections between the client and the exit node be better suited against such traffic inspection?

Lewman: We would love to get to the point that Tor could provide a connectionless routing between client and exit node that does not compromise anonymity. It is something that we have thought about for a while and started research on a while back. More research on this needs to be done in order to roll it out to the Tor network. We would love for someone to help further study that and help us figure out how to make that happen.



Have you used I2P...
by Anonymous Coward

And what are your thoughts on its design compared to Tor and as a complement to it?

Lewman: We try to keep up with any new technology that emerges and have tried many of the different online privacy products and software out there- I2P, Freenet, Retroshare, GNUNet and others certainly have some interesting work and research about online privacy. We are open to collaborating with anyone that shares our mission of protecting online security and anonymity for users.



Balance between simple privacy and lawlessness
by TWX

Tor can be used for good and for evil. How do you go about attempting to design the features of Tor to maximize one and minimize the other?

Lewman: The Tor network is designed to provide protection online for ordinary citizens, victims of abuse, and individuals in dangerous parts of the world share information over public networks without compromising their anonymity. Most of the people that use Tor have legitimate uses for wanting privacy such as activists or reporters that need to keep their locations private. Criminals can already do bad things and there are certainly lots of options available to them for breaking the laws.



Re:Balance between simple privacy and lawlessness
by mlts

Along the lines to this question, how can Tor's PR be helped? As of now, part of an IT person's job is to block Tor's exit nodes, on the application, kernel, and router level, because those nodes to be a source of many attacks. So, because of the bad reputation, it gets entirely locked out of many websites. This can be fixed by running a VPN over Tor so the exit comes from the VPN's servers, but there goes the anonymity for the most part.

Lewman: With so much concern these days about people’s privacy being compromised online, I would love more businesses to take a look at how Tor could help them protect their confidential documents like patents, product development ideas, or financial documents. Even in some situations when a company is doing competitive intelligence research online and it's important that the competitor does not know, it keeps the competitor from knowing that someone is looking at them online.



What is your biggest fear?
by AmiMoJo

What is your biggest fear? After the TrueCrypt developers were apparently threatened or otherwise convinced to abandon development, does the NSA worry you? The FBI has been complaining about encryption lately too, as have law enforcement agencies in other countries. Or is there something else that concerns you?

Lewman: My biggest concern is making sure that the 2.5 million people around the world that currently use Tor and the thousands of new people that download it every day, have a safe, reliable way to protect their privacy online.



Tor has been compromised
by kheldan

News stories I've read lately seem to indicate that the Tor exit nodes have been and still are being compromised by organizations and some oppressive governments. What are you doing about this?

Lewman: The Tor network has been around for 10 years and it has never been successfully hacked. Many have tried and many more will try. We work with researchers all the time to improve the network.



Darknet takedowns.
by brokenin2

Do you know how the takedown of so many "darknet" sites was accomplished recently, or do you at least have some suspicions? The government seems to by lying about how they took down the original Silk Road site, and I'm wondering if you believe this is to: a) Hide a technical solution that they have at their disposal, or b) Hide the egregiously illegal/inadmissable things they did to accomplish this, or c) some of each.

Lewman: We have no knowledge of how the agencies working together "took down” silkroad and other darknet sites but news reports vary widely on the actual number of sites that were taken down. We've been watching carefully to try and learn if there are any flaws with Tor that we need to correct. Nothing so far about this case makes us think they found a way to compromise the Tor software or network. The FBI says that their suspect made mistakes in operational security and was found through actual detective work.
This discussion has been archived. No new comments can be posted.

Executive Director Andrew Lewman Answers Your Questions About Tor and Privacy

Comments Filter:
  • by Anonymous Coward on Wednesday February 04, 2015 @02:09PM (#48982143)

    Wow, this guy just ducks every question. My trust in Tor goes down after reading this.

    • by kheldan ( 1460303 ) on Wednesday February 04, 2015 @02:28PM (#48982363) Journal
      That's pretty much how I feel about the 'answer' to the question I asked. A 'boilerplate' answer.
      • Re: (Score:3, Interesting)

        Yep, it sounded more like an FBI/NSA press release. The simple fact is that if you can't blend in, you're going to stand out. That is the big problem with Tor.

        • by Anonymous Coward

          Except that according to Snowden's documents the NSA itself admits to not being able to break Tor. But obviously you're the kind of guy who thinks that Snowden is a "triple" agent and he carried out a giant NSA conspiracy to promote NSA-compromised software, right?

          • But obviously you're the kind of guy who thinks that Snowden is a "triple" agent...

            Gee, now that you mention it, it does sound kinda plausible. After all, this really is industrial espionage, you know, find out what the other guy has, bla bla bla. It's like a form of 'trade', so to speak. I'll have to look into it.

      • by Anonymous Coward
        Totally agree. I did not get a warm fuzzy feeling at all. Not that I was expecting one, but my confidence in Tor actually went down like GP suggests.
      • Agreed -- Lewman answered like the head of a corporation, not like the leader of a privacy movement.

        The NSA TrueCrypt Ploy Again?
        - trust us.

        Cryptowall 2.0
        - we're legitimate and don't like bad things.

        Tor connections
        - we're interested and have been considering this, but haven't made any headway. We need you to join our community and implement this for us.

        Have you used I2P...
        - yes. And most of the others. We'd love for their developers to join our community and implement some of their good ideas for us.

        Balance between simple privacy and lawlessness
        - we're legitimate and don't like bad things.

        What is your biggest fear?
        - that we won't get more people joining our community and will instead have people leave it.

        Tor has been compromised
        - it hasn't been compromised in the ways we consider important. Trust us.

        Darknet takedowns.
        - on the other hand, maybe it's been compromised and we just haven't figured out how yet. We don't know. Trust us.

    • by lgw ( 121541 )

      Wow, this guy just ducks every question. My trust in Tor goes down after reading this.

      I can't tell whether he's stonewalling, or TOR is successful enough to have a PR Tool answer these questions (without understanding them). I'd think that if TOR were subverted they'd be less obvious, but then again he could be playing the Manchurian Candidate (was he typing in Morse Code?).

      Dammit, why did all the tinefoil hatters have to be right?

    • by gweihir ( 88907 )

      Unfortunately, that is my take-away as well. Meaningless corporate boilerplate, just if he was an FBI representative that tries to avoid lying about things he knows.

      This is however not the way Roger Dingledine operates and his answers (I had opportunity to ask him questions way back, and he strikes me as a perfectly honest person and still does) are much, much better. I think this person here is more in place to allow the project to interface with law enforcement (and they do, they never made a secret of th

    • What question did he duck
  • by Anonymous Coward

    The /. mobile site needs some way to collapse the answers, or to make it easy to jump past them to the comments. It takes forever to scroll past them when using a smart phone. I've already read the answers, so I don't want to see them again when I'm trying to read new comments.

  • The style of answers itself is a message: they are already indoctrinated and under control.
  • Wow (Score:5, Insightful)

    by dlenmn ( 145080 ) on Wednesday February 04, 2015 @03:08PM (#48982781)

    Not even a politician could have given more non-answers.

    • My thoughts exactly while reading this. If you're not going to say anything more than generic PR-friendly statements that just sidestep the questions, then why bother framing it as an "Ask Slashdot"? Just pay Slashdot a few bucks and have them post a link to your webpage on the Slashdot front page.

    • Not even a politician could have given more non-answers.

      It's more like the answers of a PR representative.

  • I would have been more impressed if he said "we're considering ways to limit lawlessness without compromising the premise of protection of citizens in dangerous parts of the world" "Tor can be used for good and for evil. How do you go about attempting to design the features of Tor to maximize one and minimize the other? Lewman: The Tor network is designed to provide protection online for ordinary citizens, victims of abuse, and individuals in dangerous parts of the world share information over public netw
    • by Actually, I do RTFA ( 1058596 ) on Wednesday February 04, 2015 @03:37PM (#48983101)

      He didn't dodge it. He said "We're not worried about lawlessness. Our job is to make the most secure product we can. Our job is not to help enforce laws" It's a rejection of the premise of the question, sure. But it's not a dodge. It's a clearly articulated moral stance.

      And, fundamentally, the laws people may be breaking could be morally bankrupt. Besides, it seems technically impossible to limit lawlessness without harming anonymity.

      • He didn't dodge it. He said "We're not worried about lawlessness. Our job is to make the most secure product we can. Our job is not to help enforce laws" It's a rejection of the premise of the question, sure. But it's not a dodge. It's a clearly articulated moral stance.

        Your paraphrase would be a moral stance, but he didn't actually say that. His answer ignores that Tor is used for Evil, it doesn't come out and say that any evil created by Tor is a necessary byproduct of the good that it creates.

  • So this must be partially in response to the knowledge that Steve Gibson was going to be talking about some problems with Tor in this week's Security Now: http://twit.tv/show/security-n... [twit.tv]

  • I've listened to cell phone calls before just screwing around with a scanner. I've heard a person confirming a reservation and give their credit card number. This was mid 90's. So know how easy it is - or was at that time.

    I found this post looking for something else, it's off topic for the thread. This pertains to Wifi as well as a PC.

    "If you have to use public Wifi then use free VPN service like Hotspot Shield, CyberGhost, OkayFreedom, Spotflux, SafeIP or SecurityKISS which will provide the same security a

Children begin by loving their parents. After a time they judge them. Rarely, if ever, do they forgive them. - Oscar Wilde

Working...