Hello list,
I just visited BridgeDB and got a bridge from "Team Cymru", according to the whois of the IP - should the Tor Project really allow a company trying to "track and take down threat actors and criminals around the globe" host a substantial portion of the network, according to their info page:
https://team-cymru.com/company/
The following was also very concerning:
"Team Cymru is comprised of former…"
- ...
- Law enforcement
- ISP backbone engineers
- ...
I suspect that they log connections to their relays and bridges, and maybe even more.
Such companies profit from gathering and selling information, exploits and the like.
bad-relays rejected this message, which is concerning.. I hope someone here could redirect it to the right people, or do the Tor Project higher-ups know the people behind Team Cymru and vouch for them?
Bye, Lisa Winter
Lisa Winter:
> bad-relays rejected this message, which is concerning.. I hope someone

I am not sure which message you are talking about but, for the record, that mailing list contains a quite similar mail from you. So, that one at least did not get rejected.
Georg

> here could redirect it to the right people, or do the Tor Project higher-ups know the people behind Team Cymru and vouch for them?
> Bye, Lisa Winter

_______________________________________________
tor-relays mailing list
tor-relays@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays
Georg Koppen:
Weird - I got the following reply a few hours after submitting the mail:
Your message has been rejected, probably because you are not subscribed to the mailing list and the list's policy is to prohibit non-members from posting to it.
However, I was already a subscribed and confirmed member at this post.
Maybe someone decided to still approve it after someone else had already declined the message.
Anyway, I hope this is being looked into; a reply regarding the Tor Project's official stance on Team Cymru would also be great, because right now, I avoid their relays and bridges like the plague.
I decided to do some research of my own, and it seems like the Tor Project has a long-standing relationship with Team Cymru (at least since 2012, and maybe even earlier):
https://blog.torproject.org/knock-knock-knockin-bridges-doors
Still, I'm slightly paranoid when organizations like these start spinning up many different relays, effectively getting to see a substantial portion of the network's traffic.
So long, Lisa
2021-03-22 17:17 GMT, Georg Koppen gk@torproject.org:
I am not sure which message you are talking about but, for the record, that mailing list contains a quite similar mail from you. So, that one at least did not get rejected.
Georg
On Mon, Mar 22, 2021 at 09:21:24PM +0000, Lisa Winter wrote:
> I decided to do some research of my own, and it seems like the Tor Project has a long-standing relationship with Team Cymru (at least since 2012, and maybe even earlier):
> https://blog.torproject.org/knock-knock-knockin-bridges-doors
> Still, I'm slightly paranoid when organizations like these start spinning up many different relays, effectively getting to see a substantial portion of the network's traffic.

Yes, we've been interacting with Team Cymru folks for more than a decade now.
I even went to one of the conferences they organized a few years ago hosted by the Council of Europe, where they had an audience full of government and law enforcement people that I could teach about "what Tor actually is" and "how the internet actually works" from my perspective, because otherwise they'd just hear the "Tor is bad and the internet is full of bad people" myths and FUD from their colleagues. You can read more about that kind of outreach here: https://blog.torproject.org/trip-report-october-fbi-conference (different conference but same idea)
Also, their CEO is on Tor Project Inc's board currently, and I regard that as a great step because he can help with (among other things) oversight that we're running the business side of Tor properly: https://www.torproject.org/about/reports/
I think most of the infrastructure that Team Cymru has set up for Tor, we've asked them to do it. So that right there should help you look at it differently.
Another answer might be that I'm a lot more worried about the groups that *haven't* come forward to identify themselves, yet are trying to watch the internet or build datasets about internet users etc.
And a third answer could be that the goal of the Tor design is to distribute trust over multiple relays in your path, so the risk of any one of those relays trying to attack you isn't so bad. (This angle is a bit tricky of course, because even though that's true, having a lower probability of being attacked is still better.)
In summary, yes it makes sense to wonder about the various organizations that want to get involved in Tor, and understand their motives. But we need to design our systems so that they don't fall apart if a small piece of the network is trying to attack it. And at the same time we need to strengthen our *communities* so that they are robust and represent many different skills and interests and perspectives, because that's how you grow mainstream acceptance. So, it is a balance, and there are many ways in which we need to be doing that balance better, and I'd put this one pretty far down the list.
Hope that helps! --Roger