[Solar-general] Why I Don't Use Tor

Nicolás Reynolds fauno en kiwwwi.com.ar
Mie Ene 12 14:00:57 CET 2011


Me parece que derrapó un poco al final, pero no deja de ser interesante.

------
http://sheddingbikes.com/posts/1293530004.html

Shedding Bikes: Programming Culture And Philosophy

Shedding Bikes

What do you think? [1]post en sheddingbikes.com

By Zed A. Shaw

Why I Don't Use Tor

I have this hypothetical question I've been using periodically to talk about
the relevance of ad hominem in evaluating software:

What if Hitler gave you a cheese sandwich?

It's a pretty simple question. Imagine you're sitting there and, yeah,
Hitler is eating across the table from you. He's got a cheese sandwich and
he hands it to you. "Hey, want my grilled cheese?"

Most normal folks would turn him down, politely most likely but they'd
definitely not eat a sandwich from a guy who used to slowly increase his
doses of arsenic. But also, you're probably thinking, "No way, this guy's an
insane mass murderer, I'm not eating that damn sandwich."

Ok, change this up some more, what if you were walking by and there was a
box labeled "Cheese Sandwich" and right under that is a Nazi Swastika. You
gonna eat it? No Hitler involved, just a box with a cheese sandwich on it
sitting there looking like you can eat it if you want?

Sure, you might open it, look at it, maybe sniff it, but most normal people
won't eat it. Why? Because that Swastika has suddenly got you thinking about
the /history/ of this sandwich. Why is that on there? Where did this thing
come from? Is it poisoned?

Let's go one step further, and say you just find a random sandwich in a
clear plastic bag on a table. Nobody's around, and you're kind of hungry.
You going to eat it? Again, most normal people who can buy a sandwich won't
eat it. It's just laying there. Who knows how long it's been there or what
the hell's been done to it.

Instinctively, humans have this sense of avoiding things that will poison
them, and that involves using their memories, sense of history, and ability
to think ahead to predict what could happen. This is how we're able to
figure out how to eat a huge range of stuff no other species has figured
out. We use this finely honed sense of "that food will poison you" to avoid
getting sick and to find food that will keep us fed.

Programmers and other "logical" types seem to lose this ability when it
comes to information. They'll frequently get /information poisoned/ with
stupid ideas because they think the motivations and history of the person
telling them something doesn't matter. They remove the context of the words
and evaluate only what's said and nothing else, and then believe the most
absurd stuff ever.

This belief that any look at a speaker's motivations is "ad hominem" leads
many smart people to believe the incredibly stupid things.

Everything Has Already Been Said

The reason evaluating a person's motivations matters these days is because
there's been a massive increase in the amount of information created and
stored over the last 500 or so years. Basically, a whole hell of a lot has
already been said by someone else at some point. In fact, most ideas are so
horribly unoriginal that the only thing you really have to go on when
evaluating them is why someone could be telling you this.

Let's say I tell you that my software is "language agnostic". Well, that's
been done before in other ways, so you have to look at why I might be
telling you that. The idea itself isn't original or that useful, but if I
then tell you, "because I want people to be able to use the best tool and
not get caught up in language wars," then you can evaluate the statement
better.

However, if I tell you don't look at my motivations, or where I'm coming
from, or what I used to do, and claiming "ad hominem!" then I'm most likely
trying to trick. An honest person has no problem with you looking past the
words to the motivation. Dishonest people will try to bluff so you don't
look too closely.

If more technologists did this kind of critical thinking, then it'd be
harder to get them to use potentially dangerous or crap technology. If they
accepted that most everything has been said or tried already, then they can
use motivations and historical context to figure out why things might be
different. They can also use it to call bullshit or question why things are
the way they are.

The Sordid Past And Present Of Tor

Tor by itself, without knowing its history, seems like a great idea. You
point your browser at it and suddenly you can view web pages without people
knowing that it's actually you. Great right?

The problem is that Tor's pedigree is less than stellar. First, it was
originally a [2]US Navy project then released to various "hackers" (a word
which in a lot of ways is just synonymous with "NSA collaborator" or at
least a wannabe). Whether the source code started there or just the idea,
you /have/ to ask why the hell the Navy would work on this and then release
it.

The Navy of course gave some hand-wavy answer of wanting to use it, but the
Navy just doesn't do something like this without another reason. Who knows
what it is, but I this makes my spidey sense go off.

That's the first strike against Tor, but let's look at more reasons to not
use Tor. How about the research that showed [3]how easy it is to break in
various ways. Those might be fixable, so how about that there can be
[4]super nodes that with just a small sample of traffic can figure out a lot
of content?

Alright, maybe that can be fixed, but then you read about [5]a semi-secret
volunteer group collecting data from 12 ISPs and handing it to the
government. This Project Vigilant apparently has 600-1500 volunteers who are
all hackers collecting and analyzing data and handing it straight to the
government without user consent. Project Vigilant also claims it:

tracks more than 250 million IP addresses a day and can âEURoedevelop
portfolios on any name, screen name or IP address.âEUR

Holy crap, that's a lot of traffic analysis. Given how small the "hacker"
community is, that's also a gigantic percentage of hackers and security
experts on the volunteer payroll of a group who's job is to illegally
wiretap people and circumvent the law on behalf of the government.

I don't have to remind you abou the panic over [6]the OpenBSD and NETSEC
accusations. What about the various entries to the [7]Underhanded C. The
truth is, if a large group of determined and patriotic hackers want to
infiltrate and inject seemingly innocent maliciousness into code they
definitely can. With 600+ potential recruits, they definitely are.

Conflict Of Interest

But all of this is just unsubstantiated and could be hypothetical, what
actually worries me is [8]Jacob Appelbaum works on Tor and works for
Wikileaks. This to me is the /Hitler Grilled Cheese/ of the argument, the
historical context that drives me away from Tor. Wikileak's job is to take
people's secrets and show them and who's hiding them to the world. Tor's job
is to do the inverse. The two project's goals don't align, and having one
dude do both gives me the willies.

You see, if it is fairly probable that there are multiple attacks against
Tor, that there is a group actively trying to collect enough data to make
Tor pointless, a group with enough people to infiltrate the Tor project, and
then Jacob is working for Wikileaks and Tor, then there's too much going on
for me to trust jack and/or squat. Jacob's affiliation with Wikileaks has
made Tor a target big time, in addition to the obvious conflict of interest.

For me--and this is /not/ an accusation against Jacob--the chance that
someone on the Tor project is in cahoots with someone else is too high. It's
either the government, this Project Vigilant, or Wikileaks, and who knows
what. When claims surfaced that Wikileaks got its initial set of magically
appearing documents from Tor, I wasn't surprised. Having Jacob claim
otherwise doesn't help at all, and I still won't believe this didn't happen
until possibly decades later when whatever really happens is declassified.

Finally, I will go on record right now saying Wikileaks rocks. I think there
needs to be more of this, and actually I think the world will benefit more
from more international coverage and more corporate leaks. But, if anyone
from Wikileaks tries to work with me or on any project I'm on you bet your
ass I'm not trusting them one bit.

Never trust a traitor, no matter how noble their intentions.

P.S. I have a long bet that SELinux is an NSA backdoor. Any takers?


 References:
   1. mailto:post en sheddingbikes.com
   2. http://www.onion-router.net/
   3. http://docs.google.com/viewer?url=http://www.csnc.ch/misc/files/publications/the_onion_router_v1.1.pdf&pli=1
   4. http://archives.seul.org/or/talk/Apr-2007/msg00039.html
   5. http://blogs.forbes.com/firewall/2010/08/01/stealthy-government-contractor-monitors-u-s-internet-providers-says-it-employed-wikileaks-informant/
   6. http://arstechnica.com/open-source/news/2010/12/fbi-accused-of-planting-backdoor-in-openbsd-ipsec-stack.ars
   7. http://underhanded.xcott.com/
   8. http://en.wikipedia.org/wiki/Jacob_Appelbaum

------------ próxima parte ------------
Se ha borrado un mensaje que no está en formato texto plano...
Nombre     : no disponible
Tipo       : application/pgp-signature
Tamaño     : 490 bytes
Descripción: no disponible
Url        : https://lists.ourproject.org/pipermail/solar-general/attachments/20110112/4880d19d/attachment.pgp 


Más información sobre la lista de distribución Solar-general