[Noisebridge-discuss] Anti-piracy / anti-Pirate Bay law currently in Congress

Jacob Appelbaum jacob at appelbaum.net
Tue Sep 28 05:33:07 UTC 2010


On 09/27/2010 09:33 PM, Thomas Stowe wrote:
> There's a bit of an educated guess that I agree with that Tor is
> compromised. The Navy was doing stuff with it and then there were some
> documents leaked to wikileaks because of an exit-point exploit and I'd
> hazard to guess that anyone after that would've used the power of authority
> to cause the EFF and others to put backdoors in their privacy software and
> also full access to source.


Huh? What?

Hi, I'm a Tor developer and a long time Noisebridge person.

Tor is a Free Software project - Noisebridge runs a few Tor nodes even.
Part of the point of Tor is that the trust, unlike the other systems
above, is distributed. It's not a privacy by policy system, it's a
privacy by design system. The source code is absolutely available (under
the BSD license) for inspection, modification, redistribution, and so on:
https://www.torproject.org/download-unix.html.en
https://www.torproject.org/dist/tor-0.2.2.16-alpha.tar.gz

Tor is related to the US Navy by way of Paul Syverson's research on
Onion routing. He's a great researcher, I suggest you read some of his
papers as linked by the anonbib: http://www.freehaven.net/anonbib/

It's possible to sniff exit nodes (legally or illegally) - and
essentially all systems that exit to the general internet suffer from
this problem.

But we have a FAQ item about backdoors in Tor:
https://www.torproject.org/faq#Backdoor

For anyone too lazy or network impaired, the above link says the following:

There is absolutely no backdoor in Tor. Nobody has asked us to put one
in, and we know some smart lawyers who say that it's unlikely that
anybody will try to make us add one in our jurisdiction (U.S.). If they
do ask us, we will fight them, and (the lawyers say) probably win.

We think that putting a backdoor in Tor would be tremendously
irresponsible to our users, and a bad precedent for security software in
general. If we ever put a deliberate backdoor in our security software,
it would ruin our professional reputations. Nobody would trust our
software ever again — for excellent reason!

But that said, there are still plenty of subtle attacks people might
try. Somebody might impersonate us, or break into our computers, or
something like that. Tor is open source, and you should always check the
source (or at least the diffs since the last release) for suspicious
things. If we (or the distributors) don't give you source, that's a sure
sign something funny might be going on. You should also check the PGP
signatures on the releases, to make sure nobody messed with the
distribution sites.

Also, there might be accidental bugs in Tor that could affect your
anonymity. We periodically find and fix anonymity-related bugs, so make
sure you keep your Tor versions up-to-date.

>  There are a few softwares like JAP (Jondonym)
> that have been required to put a backdoor in that can be activated with a
> warrant. Given the FBI's history of illegal wiretaps and overzealous
> behavior of companies hired to track down piracy sites and large groups of
> pirates I'd hazard to guess that Tor, VyprVPN, HideMyAss and everything else
> is compromised. 

JAP is a very sad story - they did indeed backdoor their software. Part
of what made their back door possible was their architecture. Tor has
not, will not, and frankly, probably cannot do that. We would never ever
do that.

I personally would quit and scream bloody murder about it if anyone ever
forced such a thing. We are extremely transparent specifically because
we WILL NOT EVER BACKDOOR Tor. We WANT EVERYONE TO WATCH to ensure that
we are never put into that position or if someone is interested in
trying that, they'll be discouraged by the SERIOUS ATTENTION they will
attract for their certain to fail attempts.

> This guess gives me enough pause that I'd suggest that you
> don't do anything stupid that you're afraid to get caught doing, ever. If
> you can find a fool-proof anonymity plan, it's going to be illegal. Almost
> all ways to get high speed Internet access anonymously are illegal and if
> you do something via Tor, they're essentially going to go after the
> exit-point's owner which is another Tor user offering anonymity services so
> not only are you doing something stupid but you're putting the blame on
> someone else for what you did. 

This is one of the risks of running an exit relay.

> There've been cases of Child Porn
> investigations and raids on innocent people because they were running Tor
> servers who almost faced jail time and spent thousands of dollars defending
> themselves in court and by that time they'd been in jail and on television
> for being a sex offender interested in child porn.

One of the people who had such an experience in Germany is now a paid
full time Tor developer. Sometimes if you believe in something, you put
your full weight behind it. In our case, we have many people who
contribute code, time, expertise, money and/or other great stuff because
we believe in privacy by design, anonymity, and often circumvention of
restrictive firewalls that attempt to erase history.

Yeah - bad people can use the internet to do things that aren't nice or
even downright horrible:
https://www.torproject.org/faq-abuse.html.en

> Don't be a douchebag, use
> your own IP, whether you were issued it by your ISP or you buy it. If your
> government or ISP blocks torrents, use a service that condones torrent usage
> and don't "chance" screwing someone else's life up. Torrent "Seedboxes" can
> still be purchased that will enable you to get all of your torrents faster,
> anyhow. If you're too poor to pay for a seedbox or anonymity service, save
> your money. If not, you're pretty much a scared human being who I have 0
> respect for and if others understand exactly what you're doing to Tor users,
> they will see you as a scared little person who doesn't care if they screw
> others' lives up. I hope that you folks take this into consideration. I know
> about these technologies because I've used them in the past. I don't condone
> piracy but if you're going to do it, don't give the EFF a bad name and that
> goes doubly so to the people kind enough to offer their computers, time and
> bandwidth to tor. Think back to the lady talking about the courts'
> understanding of technologies and the Internet. Is a judge going to
> understand that it was one of the people you offer anonymity services to?
> I'd suggest that those of you who care about your future shut down tor exit
> nodes that you run, but only because there's shitty people out there who
> don't care if you go to jail because of their actions.
> 

I agree with you on only one point - don't torrent over the Tor network.
The Tor network is important to a lot of people and it would be a shame
if the movie industry caused a lot of nodes to vanish.

I disagree with your suggestion about shutting down Tor nodes - if you
care about the future, it's imperative that you run a Tor node. It's
probably the last bit of anonymity you're going to have online that
isn't made of (presumably empty) promises.

In the USA, we have really strong protections against prosecution of Tor
exit node operators. It's also been the case for a long time that the
EFF has said they're looking for a test case.

> 
> The information transmitted in this communication is intended only for the
> person or entity to which it is addressed and may contain confidential
> and/or privileged information. Any review, retransmission, dissemination,
> copying or other use of, or taking of any action in reliance upon, this
> information, or any part thereof, by persons or entities other than the
> intended recipient, is strictly prohibited and may be unlawful. If you
> received this in error, please contact the sender immediately and delete and
> destroy this communication and all copies thereof, including all
> attachments.
> 

^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
That's totally my favorite part of your email.

All the best,
Jake
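
Added example (not part of the original message, and not Tor Project code): the FAQ text quoted above says to check the PGP signatures on releases. gpg's exit status alone only proves that some key in your keyring signed the file, so this sketch also pins the signer's fingerprint by parsing `gpg --status-fd` output. The function names are hypothetical, and the fingerprint is something you must obtain from a channel you trust; the page does not give one.

```shell
#!/bin/sh
# Added example: verify a release tarball's detached PGP signature against a
# pinned signer fingerprint (assumed to come from a trusted channel).

# Reads `gpg --status-fd` lines on stdin. Succeeds only if the pinned key
# (or a subkey belonging to it) produced a valid signature and no other
# signature result appears in the output.
pinned_signer_ok() {
    # Normalise the pinned fingerprint: strip spaces, upper-case the hex.
    pinned=$(printf '%s' "$1" | tr -d ' ' | tr 'a-f' 'A-F')
    awk -v want="$pinned" '
        $1 != "[GNUPG:]" { next }
        # Bad, unverifiable, expired-key or revoked-key signatures: reject.
        $2 ~ /^(BADSIG|ERRSIG|EXPKEYSIG|REVKEYSIG)$/ { bad = 1 }
        # VALIDSIG: field 3 is the signing (sub)key fingerprint and the
        # last field is the primary key fingerprint.
        $2 == "VALIDSIG" {
            if ($3 == want || $NF == want) ok = 1
            else bad = 1
        }
        END { if (ok && !bad) exit 0; exit 1 }
    '
}

# verify_release <tarball> <detached signature> <pinned fingerprint>
# e.g. verify_release release.tar.gz release.tar.gz.asc "$PINNED_FPR"
verify_release() {
    gpg --batch --status-fd 1 --verify "$2" "$1" 2>/dev/null |
        pinned_signer_ok "$3"
}
```

A mirror that serves a tampered tarball with a signature from a different key fails this check even if that key was imported into the local keyring.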


