Re: Compromise of Tor, anonymizing networks/utilities

[jf <jf () danglingpointers net>]

> > > In any case, it is a certainty than that some law enforcement agencies
> > > are running tor nodes; it has been spotted in actual use at many such
> > > locales. Tor might a great idea but it is sadly lacking in many aspects
> > > of its implementation.
> >
> > It would help if you were more specific here. Especially, could you
> flesh out
> > what you mean by, "it is sadly lacking in many aspects of its
> > implementation."

It's really quite simple. If you or I can setup a tor node and use it to
mitm/pop people/etc, or use it and the various tracking methods previously
shown (wasnt it hd who did the js/flash callhome stuff?), then any
inclined entity with the resources, can employ the same tactics at a much
larger scale over as diversified and distributed as a region as their
resources will allow.

If you consider who has those types of resources you're basically stuck
with mega-corporations, governments, telcos and potentially some
spammers/botnets. While I think it's doubtful we'll see a mega-corporation
involved in something like that, you never know though a few 'eccentric'
board members can take you to some weird places.. Governments however, are
quite obviously one entity that both has proper motivation and typically
proper resources to employ it and the mega-telco's in places like the US
have pretty much shown their colors already; don't fret though,
i bet your countries telco's aren't any better. The
spammers/phishers/botnets/etc, well it's irrelevant to this point.

That all considered, it becomes obvious that, if you presume that its
goal was anonymity to everyone, which is dubious at best if you consider
some of its .mil background,  that this is a deep design flaw. Or at least
that's my opinion.


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/