Update your Tors - Tor security advisory: "relay early" traffic confirmation attack

Cathal Garvey cathalgarvey at cathalgarvey.me
Tue Aug 5 00:15:49 PDT 2014

> Why disregard a technology just because it might
> be used by spies?

Quite right! Good job I didn't say that, then.

I said, rather, that a combination of NSA docs, US government funding,
and the Tor project's own admission that an adversary with sufficient
ability to track and correlate traffic, means that Tor is not likely to
be sufficient against that particular adversary: the US National
Security Infrastructure.

There's nuance in there, of course. The FBI for example are pretty low
on the rungs, and won't get all the Tor-killing toys from the NSA unless
it suits the NSA. The CIA are more likely to get that access or may have
it in-house, but they'll shoot you in your bed rather than make a trial
and reveal their tricks.

Against other governments, whose exit nodes the Tor project don't
explicitly bless in the directory server(s), Tor is likely to be more
valuable. So I'd recommend Tor to a person in China or Iran because,
although both nations also have excellent anti-speech infrastructure,
the structural issues that make me wary of Tor are mostly US-centric.

The top-down traffic correlation "thing" is a big problem with the Onion
Routing approach, and something I'm tempted to think recommends i2p's
"Garlic Routing" as a better avenue for research. As all i2p nodes are
by default routing traffic for others, and nodes can be configured to
vary their tunnel length, correlating traffic becomes (AFAIK) far more
difficult even for a top-down adversary. Code i2p up in a safe, portable
and vertically integrated way without untrusted, unsigned code execution
(JavaScript) and I'm sold.

On 05/08/14 02:06, James York wrote:
> On 2014-08-04 15:33, Cathal Garvey wrote:
>> A less controversial reading of the (US Govt Money) >>= Tor "thing" is
>> that, while the Tor devs may be doing their best, Tor is ultimately an
>> asset to the US Intelligence apparatus rather than a liability.
>
> The missing context here is that the NSA runs its own anonymity networks
> because it doesn't trust community-run infrastructure.
>
> Some things are useful to the intelligence community.  Like phones.  And
> cars.  And the Internet.  Why disregard a technology just because it might
> be used by spies?

T: @onetruecathal, @IndieBBDNA
P: +353876363185
W: http://indiebiotech.com