Tor Project Board Member is CEO of Company Selling Capability for Attribution
blog.torproject.org
Team Cymru (the company the article is about) has a response to the coverage: https://www.team-cymru.com/post/team-cymru-myth-vs-fact
In short, they claim that:
- The "PCAP" data, email addresses, etc. that they sell comes from them running malware samples on their own infrastructure. It's not based on captured Internet data.
- The web page addresses etc. that they sell are the results of automated vulnerability scans and honeypots, not captured Internet data.
- The netflow data they sell is captured from real ISP traffic, but it is a small sample (only 1 in 10,000 netflows is captured), and it can't identify individual websites if they use a CDN or shared hosting infrastructure (which most websites do).
I have no clue how true these claims are, but those are the claims.
Wouldn't captured netflow data show which tor nodes users were connected to?
Only entry guards, which isn't secret info. You will need to get very lucky to correlate that with relay traffic with the guard. Even with decent 1:10 sampling I would say it is only a little better than a random guess at best.
> But of course, not actively endangering our users is a low bar. It is reasonable to raise questions about the inherent disconnection between the business model of Team Cymru and the mission of Tor which consists of private and anonymous internet access for all. Rob Thomas's reasons for choosing to resign from the board are his own, but it has become more clear over the months since our initial conversation how Team Cymru's work is at odds with the Tor Project's mission
Looks like he was going to get fired anyway.
Actual title is "The Role of the Tor Project Board and Conflicts of Interest"
The Motherboard piece mentioned is: https://www.vice.com/en/article/y3pnkw/us-military-bought-ma...
If you are using Tor, seriously ask yourself if it's a good idea to install software that was developed by DARPA and has never solved the exit node problem.
This is such an odd comment. ARPANET and by extension DARPA are embedded in the origin story of the Internet and I'm sure DARPA will continue to fund fringe technologies that emerge to change the way we communicate into the future.
It isn't, in and of itself, a reason for suspicion on the level implied, nor would I argue above and beyond baseline healthy suspicion in anything.
> ARPANET and by extension DARPA are embedded in the origin story of the Internet and I'm sure DARPA will continue to fund fringe technologies that emerge to change the way we communicate into the future.
That doesn't matter at all. Tor is not proposing to accomplish the same thing the internet does. If we are to take Tor at its word, it is proposing the exact opposite of what is in the interest of government and law enforcement.
I have really bad news: the internet was formulated by the government.
But seriously, the exit node issue is a real sore thumb.
Which exit node issue in particular?
That it's hard to get enough volunteer capacity, that exit node operators can sometimes get in trouble for things users did, that attackers can run exit nodes in order to look at traffic content, that attackers can run undisclosed families of relays in order to perform some traffic correlation attacks when a circuit uses multiple relays controlled by the same party, or that some sites may block or CAPTCHA exit nodes?
How would you solve the various exit node issues? If anyone can run an exit node, it's bound to be as trustworthy as the "anyone" that runs it. Plus once your traffic is out of the onion-routed network, it's open to all the usual attacks on the public internet. I2P tries not to deal with non-I2P traffic at all because the problem is so difficult.
> I2P tries not to deal with non-I2P traffic at all because the problem is so difficult.
The problem is difficult because what I2P is doing is essentially the correct approach in this area. Designing an "anonymous" network around accessing an inherently non-anonymous network with a handful of dominant sites is how you run into limitations like needing exit nodes. Yet most people keep insisting upon Tor, as if it's a good idea for the "dark web" to be effectively a single application with an inherent flaw it may never overcome.
It's because Tor does a much better job of being usable to general users, combined with the network effect of Tor Hidden Services, means that more people think of Tor as the "dark web" and more people will use Tor. I2P definitely takes the more secure-by-default state.
> It's because Tor does a much better job of being usable to general user
By having a browser ship with Tor, yes. The rest of Tor is hardly less complicated than running I2P. And I'm not saying that I2P needs to be as popular as Tor. If I2P never gets to having a competitor to the Tor Browser, it will always remain in minority use. That doesn't mean people shouldn't be aware of it or consider it as an alternative for their own use.
> combined with the network effect of Tor Hidden Services
I'm not sure what you mean by that. I2P is almost entirely focused around hidden services, and those services more or less work the same way for the end user with the added bonus that there's a loose sort of "DNS" that creates human readable URLs for services. How do Tor's services have more of a network effect than those on I2P?
> means that more people think of Tor as the "dark web" and more people will use Tor.
Yes. That also isn't anywhere near an ideal knowledge level these users should have. It's not the problem of I2P or even the responsibility of Tor per se that people think this way.
Someone who is reading this very comment and thinks that Tor is the end-all-be-all of the dark web and isn't privy to its origins should think twice before relying on it, because they clearly don't understand the tool that they are using. They probably shouldn't be doing anything remotely "private" or "anonymous" on the internet if all they know is that Tor is the magic thing they install to hide the naughty things they do.
I think people here are misunderstanding me. I'm not saying to never use Tor under any circumstance. I'm telling people to think before they use a tool with known flaws and an interesting origin story. There's nothing unreasonable about this.
> I'm not sure what you mean by that. I2P is almost entirely focused around hidden services, and those services more or less work the same way for the end user with the added bonus that there's a loose sort of "DNS" that creates human readable URLs for services. How do Tor's services have more of a network effect than those on I2P?
Tor's tech doesn't create the network effect, it's just that the network effect exists for various reasons. Facebook is on Tor, for example, but it's not on I2P. This notoriety means a beginner to the private net will be more likely to reach for Tor than I2P.
> That doesn't mean people shouldn't be aware of it or consider it as an alternative for their own use.
To some extent I do think the Tor project has spent more resources on trying to make Tor usable for folks who aren't just power users, but I2P has also had a fraction of the resourcing that Tor has. It's a sort of "worse is better" here. It might also be the case that the pool of users interested in the anonymous net is small enough that there's just not enough room for a lot of competitors. I'm not sure and the nature of these networks makes it hard to draw any ideas about their size/shape.
> I think people here are misunderstanding me. I'm not saying to never use Tor under any circumstance. I'm telling people to think before they use a tool with known flaws and an interesting origin story. There's nothing unreasonable about this.
This is mostly tone I think. I agree with what you're saying. I also think Tor, for better or for worse, has a lot of somewhat rabid fans. But yeah if I wanted to run a net service that I only wanted accessed anonymously, I'd probably use I2P.
> I have really bad news: the internet was formulated by the government.
The internet isn't one piece of software you knowingly install on your system. The internet isn't promising anonymity. Likewise to Tor, I wouldn't install a radar scanner in my car if I knew the company was owned by the U.S. Marshal Service given the kind of incentives that exist for them to take advantage.
I was very particular in saying "formulated". They didn't "make" the internet as we know it, nor do they "own" the internet. I just mean that the very foundation of American internet is the U.S. government. After all, my point wasn't against trusting the internet; it was more that everything built on the foundation is as trustworthy as the foundation itself.
These two things are also properties of the Internet itself, are they not?
Do you really expect anonymity out of the internet or trust that your IP traffic isn't being analyzed and logged? It certainly is, and it being a government project isn't an argument in its favor. The internet isn't selling itself as a tool of anonymity, never has, and isn't software you're installing on your hardware.
Direct link:
https://www.vice.com/en/article/y3pnkw/us-military-bought-ma...
Didn't Google deprecate/stop prioritizing AMP? So why are they still using it?
Is it because it's an opportunity to track users, so use it as long as possible?
While I can appreciate the measured tone in TFA, at some point you've got to take a step back and ask what the hell is going on. This instance reeks of an egregious conflict of interest and this response is negligent on behalf of the board.
The current TOR Board scenario is akin to having a known child-abusing relative babysit your own kid, catching them inexplicably sitting with the kid alone in a darkened room in a state of undress, then saying:
"Well, this is strange.. but we can't prove you were planning anything malicious this time around. As you were, mate!"
Sometimes a harsh response is warranted to preserve integrity of that which is important. This is one of those times.
My confidence in TOR was already kind of low, now how can I trust and be assured the lack of firm response isn't due to integrity already being compromised and no longer the main priority?
The public trust in TOR is EVERYTHING the project has*.
* had
Hard disagree. The measured tone in TFA is how adults debate issues. Invoking phrases like "child-abusing relative" and "kid alone in a darkened room in a state of undress" is the kind of hyperbole that sites like Twitter and HN love to employ that reduce the quality of conversations and how threads turn into shouting matches.
Ask yourself how the hyperbole you engage in leads to "curious conversation", how you're "assuming good faith", and how you're "eschewing flamebait". Because TFA seems to invoke curious conversation and good faith and your hyperbolic analogies just seem like ideological-battle oriented flamebait.
> Sometimes a harsh response is warranted to preserve integrity of that which is important. This is one of those times.
I'm pretty sure this is explicitly against "Please don't use Hacker News for political or ideological battle. It tramples curiosity."
P.S. As a long time HN reader/user, these hyperbolic flamebait comments in the service of political ends are exactly the kinds of comments that I find degrade this site the most. When people complain about this site turning into Reddit, it's these kinds of comments I think about.
Why are you attacking the commenter's character and choosing not to respond to a single concern they brought up? They've asked some good questions and AFAICT they're legitimately concerned and only acting in good faith.
Your claim that they've violated HN guidelines is misplaced, at best.
Whose side are you on? Are you defending the guy with conflicting interests who is on the board and simultaneously selling a tor removal kit?
> Whose side are you on? Are you defending the guy with conflicting interests who is on the board and simultaneously selling a tor removal kit?
From my reading, they didn't claim to take either side nor comment on the article in question, but made a meta-comment. Which is okay to do.
Yeah but it sucks for the rest of us who were hoping for informed adult convo but instead must witness this.
I have yet to read a single HN thread which does not involve some sort of meta-commenting or tangential conversation, exactly like what is happening in this thread.
OP's comment wasn’t just off the cuff emotionally charged rhetoric though. They acknowledged that there are times for a measured response, and there are times that a measured response is inappropriate. That outrage and pitchfork wielding are appropriate responses. They made the case that this was one of those times.
I agree.
Bring enough people together with varied enough opinions and each of them will feel their own personal deep concerns are worth wielding pitchforks for. Eventually every conflict will involve pitchforks and the temperature of any discussion will be high enough that all you have are flames whereupon conflicts will just be hidden from public view and taken care of under the table so as not to risk the public flames of wrath.
Welcome to the internet. It’s pitchforks all the way down, baby
The comment would have been better without the strained analogy.
One counter argument to the gp might be something like: this is exactly the kind of expertise The Tor Project should want to consult.
Ooh, I like that. That’s why I come to HN, it’s the angles I would have never considered.
Thanks! Made my day :)
Tor was taken over by the CIA a while ago when they purged the old hacker board for "inappropriate behavior towards women": https://www.theguardian.com/technology/2016/oct/11/jacob-app...
You know, the same thing they did to Assange. I wonder how that's going. https://www.wsws.org/en/articles/2021/06/28/assa-j28.html
>Key witness against Assange admits to lying in exchange for US immunity
Oh yeah.
But hey, we might have destroyed one of the crown jewels of free software because the CIA played SJWs like a fiddle but at least we're good people: https://www.youtube.com/watch?v=O4hh1YhDfbA
Maybe if those two guys had kept their dicks in their pants and not gone around molesting and raping as if they were somehow immune to any consequences, they'd not have got in any trouble for it.
Not everything is a shadowy government conspiracy. Most often, people behave despicably just by themselves. Particularly the arrogant, domineering egotists - such as the two you mentioned.
>Not everything is a shadowy government conspiracy. Most often, people behave despicably just by themselves. Particularly the arrogant, domineering egotists - such as the two you mentioned.
>>Sigurdur “Siggi” Thordarson, a convicted criminal from Iceland, has admitted that the main allegations he made against Julian Assange, which form a central component of the US indictment against the WikiLeaks founder, were lies proffered in exchange for immunity from American prosecution.
I guess clicking was too hard.
It literally was a government conspiracy. If that hadn't worked they would have planted some child porn on both of them. And if that didn't they'd have done an Epstein.
It is always hilarious seeing people with a Che shirt defending the CIA.