In 2006, Tor research was funded through a no-bid federal contract awarded to Dingledine’s consulting company, Moria Labs. And starting in 2007, the Pentagon cash came directly through the Tor Project itself — thanks to the fact that Team Tor finally left EFF and registered its own independent 501(c)(3) non-profit.

How dependent was — and is — Tor on support from federal government agencies like the Pentagon?

In 2007, it appears that all of Tor’s funding came from the federal government via two grants. A quarter million came from the International Broadcasting Bureau (IBB), a CIA spinoff that now operates under the Broadcasting Board of Governors. IBB runs Voice of America and Radio Marti, a propaganda outfit aimed at subverting Cuba’s communist regime. The CIA supposedly cut IBB financing in the 1970s after its ties to Cold War propaganda arms like Radio Free Europe were exposed.

The second chunk of cash — just under $100,000 — came from Internews, an NGO aimed at funding and training dissidents and activists abroad. Tor’s subsequent tax filings show that grants from Internews were in fact conduits for “pass through” grants from the US State Department.
All this is public information, repeated many, many times by the Tor developers themselves. It's on the "financial reports" section of torproject.org. Go and check it out.
It's good to be critical of things especially where security is concerned, but if the code is open, the protocol is open, the development is open, I don't see how it matters if it was a US Navy project?
Sincere question: don't these facts call the utility of SELinux and Tor into question?
If the answer is "because math", well... I don't speak math. Being illiterate in this manner, I must depend on the reputations of the parties involved (and the reputations of the parties that report who was involved!).
So... Can a person who does not trust the NSA trust products they paid for?
> Can a person who does not trust the NSA trust products they paid for?
Remember a couple of things:
* The NSA relies on SELinux as a part of their internal computer security system. (However, as the NSA document leaks reveal, even the best system fails when poorly configured!)
* Both SELinux and Tor are open source software, developed in the open. It's not unthinkable that there's a problem with the design of the software of either project, but the commit history and mailing lists of both projects are available for public perusal and audit.
* Well regarded security researchers have looked at both Tor and SELinux and declared them to be reasonably well designed systems that do what they say on the tin.
Anyway. If the NSA involvement really squicks you out, there's always either Grsecurity and PaX [0] or AppArmor [1]. Grsecurity is primarily developed by Brad Spengler. PaX is developed by an anonymous cabal known as PaX Team. [2] AppArmor has been developed by Canonical (the Ubuntu guys) since ~2009.
Man, those STIGs are both a blessing and a curse for defense contractors.
A blessing, 'cause if your system is configured as per the STIG, there's not a damn thing the auditors can say when they roll through.
A curse for many folks deploying a Linux system, 'cause if your particular variant of Linux doesn't have a STIG, -regardless of how similar it is to one that does- IME there's next to nothing you can do to get an auditor to approve the hardening work you've done.
Slightly off-topic here, but flipping through this[1] Abstract Algebra textbook(2009), I found it amusing that the author thanks NSA for support among others :D.
You can definitely trust the sensational value in finding out that any project advocating freedom and data security would be exploited by a government.
That's what I do, it's not perfect but I love reading source code and figuring out how things work so I know others, much smarter than me, love that too.
The public cases of the US government going after Tor, for example, have all read like external attacks on the protocol design flaws to build a larger case.
I would be more suspicious over placing exit nodes in libraries because I assume they're state owned in the US. Don't know since I'm not from there though. I just think it's sort of ironic because the attacks that have been performed all required possession of exit nodes.
> I would be more suspicious over placing exit nodes in libraries...
Librarians are more often rabidly pro-privacy and pro-anonymity than not. They're often very well read, well educated, and know their history.
> I just think it's sort of ironic because the attacks that have been performed all required possession of exit nodes.
Unless you have information that I do not (if you do, please link to it), control of a single exit node gives you no more power than your ISP already has over you. What attacks were you thinking of? Keep in mind that Tor explicitly does not protect against:
* An adversary that can listen to the communication between a large number of nodes in the Tor network and targeted Tor users. (Similarly, Tor cannot protect against a malicious adversary who controls a very large number (1/3? 51%? I can't remember) of the nodes in the Tor network.)
* Tampering with or recording of the data that leaves or is returned by a Tor exit node. (Again, this is an attack that anyone between you and your communication partner can launch, whether you're using Tor or not.)
>Librarians are more often rabidly pro-privacy and pro-anonymity than not. They're often very well read, well educated, and know their history.
Few librarians are involved in network operations at the library though. I'm just speaking from my experience here in Sweden, but that stuff is usually handled by a local IT department or outsourced to a company.
So the danger would be in having federal oversight of network operations of libraries. I do not believe we have that in Sweden at least. Probably the US government allows libraries to manage themselves on that front too.
>Unless you have information that I do not (if you do, please link to it) control of a single exit node gives you no more power than your ISP already has over you. What attacks were you thinking of? Keep in mind that Tor explicitly does not protect against:
Exit nodes, as in plural.
So hypothetically if the federal government did manage network operations for libraries in the US, and the Tor network was successful in onboarding many libraries in this project, that could mean massive control of Tor exit nodes.
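The two comments above (the threat-model list saying Tor does not protect against an adversary controlling "a large number" of relays, and the worry that many library-hosted exits under one operator would amount to "massive control") can be put on a quantitative footing. The following is an added illustration, not code from the thread or from the Tor Project: a toy Monte Carlo model in which relays are picked in proportion to advertised bandwidth and an adversary owns a configurable share of that bandwidth. It reports how often one operator ends up on both ends of a circuit, which is the condition under which traffic correlation becomes possible. The relay list, bandwidth figures and `hostile` label are all constructed for the example; real Tor path selection also uses persistent entry guards and other constraints that this model omits.

```python
"""Toy model (constructed, not Tor's own code): how often does an adversary
holding a given share of relay bandwidth end up as BOTH guard and exit of a
circuit?  That both-ends case is what the thread means by Tor not defending
against an adversary that controls many relays."""

import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    name: str
    bandwidth: int   # arbitrary units, constructed for the example
    hostile: bool    # True if run by the hypothetical adversary


def build_network(honest_count, honest_bw_each, hostile_count, hostile_bw_each):
    """Construct a relay list; all values are made up for illustration."""
    honest = [Relay(f"honest-{i}", honest_bw_each, False) for i in range(honest_count)]
    hostile = [Relay(f"hostile-{i}", hostile_bw_each, True) for i in range(hostile_count)]
    return honest + hostile


def weighted_pick(relays, rng):
    """Pick one relay with probability proportional to its bandwidth."""
    return rng.choices(relays, weights=[r.bandwidth for r in relays], k=1)[0]


def adversary_share(relays):
    """Fraction of total bandwidth the adversary controls (c in the c^2 rule)."""
    total = sum(r.bandwidth for r in relays)
    return sum(r.bandwidth for r in relays if r.hostile) / total


def analytic_estimate(relays):
    """Closed-form approximation: P(guard hostile) * P(exit hostile) = c^2.
    Ignores the rule that guard and exit must be distinct relays."""
    c = adversary_share(relays)
    return c * c


def compromised_fraction(relays, circuits=20000, seed=1):
    """Monte Carlo: fraction of circuits whose guard AND exit are hostile.
    Guard and exit are forced to be distinct relays, as in Tor's path rules."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(circuits):
        guard = weighted_pick(relays, rng)
        exit_relay = weighted_pick(relays, rng)
        while exit_relay is guard:
            exit_relay = weighted_pick(relays, rng)
        if guard.hostile and exit_relay.hostile:
            hits += 1
    return hits / circuits


if __name__ == "__main__":
    # Sweep the adversary's bandwidth share; 900 honest relays of 10 units
    # each against 100 hostile relays whose per-relay bandwidth is scaled.
    for hostile_bw_each in (5, 10, 45, 95):
        net = build_network(900, 10, 100, hostile_bw_each)
        c = adversary_share(net)
        print(f"adversary share {c:5.1%}: analytic c^2 = {analytic_estimate(net):.4f}, "
              f"simulated both-ends = {compromised_fraction(net):.4f}")
```

The point the simulation makes for the library scenario is that what matters is the adversary's bandwidth share at each position, not the raw relay count: a hundred low-bandwidth exits under one operator move the both-ends probability far less than a handful of fat ones, and the exposure grows roughly as the square of that share rather than linearly.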
I don't think they're state-owned, but they depend on community and county (and maybe state and Federal) sources for funding. Depending on the community politics, libraries could face funding cuts for running exit nodes.
If the library staff are at all bureaucrat-savvy, they can probably obfuscate the activity. I hope so. I think this is a very good idea.
I think he means state-owned in the sense that the IC can easily watch the traffic going to and leaving the exit node, and with many exit nodes leveraging this into a passive attack on the network.
If this is true, if Tor is to stick to a goal of establishing truly anonymous browsing, Tor needs to establish links through a diverse number of jurisdictions.
That is interesting. Yes, many states have a "schools and libraries" WAN which public and private EDU-related facilities participate in. Said network is surely monitored by commercial network appliances. (BlueCoat et al.)
I haven't heard of them being monitored in more competent ways, but the opportunity is surely there.
Don't take this the wrong way, but... this is hardly news. From top of the Tor Project's "Who uses Tor?" page:
"Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the Naval Research Laboratory.[0] It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications." [1]
The article you link to quotes one of the original Tor authors, but fails to link to his words. They're here. [2]
Even if Tor hadn't originally been built by the NRO, spooks would still be using it for their "open source" intelligence gathering: it is effective, well-built software that protects against the threats that it claims to protect against.
That Pando Daily article attempts to claim that the fact that NSA captures Tor traffic makes Tor a danger. The leaked NSA slides from which that fact comes also reveal that NSA captures and stores (for a long time) all encrypted traffic that they cannot decrypt. [3] This means that connecting to a non-USian site using SSL/TLS makes you just as much a target as Tor usage. :)
I get that people freak out about government funding of this project or that project, but there are a few things to keep in mind here:
1) Tor is open source and is developed in the open. [4]
2) Respected cypherpunks and cryptographers have periodically evaluated the project and declared it to be effective and high quality.
3) A weakening of Tor or the Tor Network reduces its value for intelligence gathering and covert law enforcement operations.
[3] Other NSA slides reveal that the NSA can't actually break Tor. They have to rely on endpoint compromise or improper configuration of hidden services to unmask Tor users.