I learned some new things about Tor today that I found alarming, perturbing enough to keep me from touching it again and sketchy enough to make me want to try to offer you some of that information, those of you who know what Tor is, in case you hadn’t come across it yourself. Before you use Tor, or before you continue to rely on the IP-anonymizing system as I’ve seen an increasing number of our visitors do under the presumption that you’re safe from the spooks, you may want to consider the following as it may sway you in another direction or at least make you want to learn the dos and don’ts of using Tor before continuing.
Communicating using either anonymity-providing mechanisms such as Tor or encryption tools such as PGP not only draws suspicion to you, it is presently considered grounds by the US Foreign Intelligence Surveillance Court for the NSA to gather and retain the data without a warrant.
The Tor Project, started by the US Navy for the purpose of “DoD / Intelligence usage (open source intelligence gathering, covering of forward deployed assets)… not helping dissidents in repressive countries,” receives in the neighborhood of 80% of its funding from the US Government (DoD and State chiefly) and a significant portion of the remainder from governments of other nations including the Swedish International Development Cooperative Agency, also Google.
Easily-googled howtos illustrate with a short list of steps how simple it is for anyone of layman skill level with the same equipment you’re looking at right now — voyeurs, hackers and government agencies — to sniff your Tor-routed data and to inject code into your inbound traffic to reveal your IP address or obtain it by other basic means including sniffed email headers. Activities involving this collected data range from identity theft to dragnet prosecution.
It has been observed and speculated that over 50% of Tor exit nodes are operating under such configurations, and it stands to obvious inference that most, at least a pretty substantial portion, of such nodes are operating for the purpose of collecting and analyzing your data for subsequent purposes you really, really don’t want, and a subset of those node operators are attempting to compromise your machine.
The Tor network, which the FBI regards in their statements to the media as “the largest facilitator of child porn on the planet,” is disproportionately and densely comprised of illegal activity and the reputation of its use is commonly associated with the likes of heinously deviant pornography, money laundering, gun and drug running and illegal leakage of privileged information. Participants in the Tor network (users, onion site operators and node operators alike) have learned the hard way that Tor does not guarantee your privacy or insulate your computer from vulnerabilities of its other software, nor may it protect you from guilt by association (we generally block all Tor exit nodes as a means to fend off spam hacking attempts, a common practice, though I’ve disabled that for this article).
Listen, I am by no means a security expert (hence my offering you two dozen links to people who may know better), but I do know that I learned enough about the pitfalls of Tor and pursuits of digital anonymity to scare myself away from touching any of it in the future, in part because I am by no means an expert. I’m itching to see if I can configure my server to sniff Tor traffic out of curiosity right now, but routing traffic in both directions that is likely both densely illegal and being surveilled by others just seems too self-destructive. Also, because I admittedly don’t know what I’m doing, I might jeopardize the other functions and users of the server my ISP. Given the inherent nature of Tor traffic, I can’t understand why anyone of any skill level would go ahead and light up a Tor exit node. It takes a lot of free speech passion or a lack of understanding of what your computer starts doing when it acts in that capacity, I suppose.
Maybe you are an expert, however. Maybe you want Tor because your life depends on flying under the radar rather than wanting to install Tor just because you read some Snowden leak and want to stick it to the man. Maybe you work for Wikileaks or the NSA. But the takeaway of what I just learned is that the weakest link in the preservation of your privacy when using these sorts of techniques may not be the tools themselves but how you use them – PEBCAK. I’m inclined to bank on a reasonable ration of privacy by just blending in and crossing my fingers, but if the likes of Tor interest you still, I’ll leave you with this link, i2p2.de/how_networkcomparisons, and a wish of good luck. Now, as for me, I’ll go bootleg myself a copy of Enemy of the State…. without using Tor.
Update: This is neither here nor there, but I mentioned Tor’s funding and my intending to watch Enemy of the State — Gene Hackman’s fictional ex-NSA/CIA character who spends his days in a Faraday cage attended Drexel University in Philadelphia. Turns out in real life Drexel (known for not having that much money to blow around) is among the top of the list of Tor’s benefactors, and a little googling shows the NSA has a pretty friendly relationship with Drexel. Just throwing that out there, not implying that any of that is related or has any meaning whatsoever. But if you want to get recruited to work for the NSA and score some free Tor stickers for your laptop in the same location, but don’t have the grades and money to get into MIT, maybe aim for Drexel.