Both the allegations against “the Dread Pirate Roberts” and the particulars of his entire story are bonkers—fake identities, multiple murder plots, and the shockingly dumb missteps that ultimately led to his downfall. (A ton of great reporting and writing have emerged from this saga over the past few days; I especially recommend the coverage by Ars Technica and The Verge.) But while the tech press and narrative yarn-spinners everywhere were busy sinking their claws into this juicy story, ex-visitors of the extant site were running around in cyber circles, worrying about what it all meant, and about, among other things, whether Tor was still safe.
Responding to the Silk Road bust, Dingledine addressed the situation in a Tor Project blog post that day, assuring Tor users that there was, thus far, no evidence that Tor had been compromised. The FBI’s criminal complaint against Ullrich cited old-fashioned detective work and full-time Web browsing—not cyberattacks.
In one response comment, a Tor user brought up the now-familiar “60% funding from the government” point as proof that Tor was some type of law-enforcement front (perhaps this user read the Post headline, but not the article below it?). Then the same user exclaimed, in time-honored Caps-Lock fashion, “ANYONE ELSE FEEL SAFE USING TOR AFTER FREEDOM HOSTING AND NOW SILK ROAD? ANYONE ELSE NOTICE IT’S THE ILLEGAL SITES GETTING NABBED? IF THAT’S NOT A CLEAR INDICATION THAT TOR IS INVOLVED WITH THE GOVERNMENT THEN I GOT A BRIDGE TO SELL YOU IN SAN FRAN.” Which sort of begs the question of why legal sites would get “nabbed,” but, all kidding aside, Tor users may be forgiven for feeling skittish, considering the circumstances.
Dingledine responded to the capslock commenter with a reminder that there is a difference between the FBI and the NSA, and that one simple solution always remains an option for the truly worried. “There are some serious adversaries attacking the Internet these days,” read his response. “It may be that Tor can’t protect you against the NSA’s large-scale Internet surveillance, and it may be that no existing anonymous communication tool can. ‘Stop using the Internet’ is a perfectly reasonable answer.’”
The tech press even got in on the hand-wringing. “Tor Can’t Always Keep You Safe; Just Ask Silk Road” scolded a particularly misleading PC Magazine headline on Thursday. While you can’t ask Silk Road anything these days, that doesn’t mean Tor can’t “keep you safe” if you use it correctly. It just might land you in jail if you use it to create a drug empire and order assassinations.
As that same Tor blog post notes, Tor is a tool for anonymization—but it “won’t keep someone anonymous when paired with unsafe software or unsafe behavior.” And even that caveat is directed more toward the websites using Tor’s “hidden service feature” and less toward the casual anonymity-seeking, Web-browsing individual.
Then, finally, the latest scoops in The Guardian and The Washington Post on Friday answered a lot of questions about the NSA and Tor. NSA documents provided by Snowden reveal many different attempts and strategies (some of them successful) to attack Tor users. The slideshow is called “The Tor Problem,” helpfully explaining that Tor is a big, big problem, because terrorism.) Emphasizing Andrew Lewman’s point from above, the documents demonstrate that the NSA has been trying to crack Tor since 2006, even though other government agencies—such as the State Department—have been funding it and actively promoting it as a tool of democracy and liberation for people living under dictatorship rule.
These latest files show that the NSA has been able to, for instance, spot a random Tor user, attack that person’s computer via vulnerable browser software, and then, through those attacks, monitor his or her online activities. One proposed technique turns out to be the same one that the Chinese government uses to block its citizens from accessing the censored Internet there.
However, according to these new documents, the NSA has not been able to target a specific person for a cyberattack. It also hasn’t figured out how to generalize this method in order to perform any kind of mass-Tor-surveillance. And, significantly, these revelations don’t hint at any new vulnerability in the overall Tor network itself—which seemed like a relief to the privacy experts interviewed by the Guardian and the Post. A lot of other attacks and attempts appear to be hypothetical or to have failed. (Technical details are available here, courtesy of longtime encryption master Bruce Schneier.)