[tor-talk] Tor spying

[Marsh Ray]

On 09/07/2011 09:21 PM, Indie Intel wrote:
>
> Apparently people are spying on Tor users by setting up their own
> exit nodes and sniffing traffic?!

Oh yeah. It happens.

> This Moxie Marlinspike is even a well-respected researcher,
> apparently. He gives talks at Blackhat to government hacker wannabes.

You may have the threat a bit backwards.

Just try to imagine the spying that goes on over the internet as a 
whole. Governments, ISPs, telcos, businesses, spouses, employees, 
malware on your LAN, bad guys are all sniffing traffic all the time. 
Some digital satellite ISPs have an unencrypted downlink and the entire 
hemisphere can see the traffic.

The difference here is that these security researchers have blessed the 
public with the fruits of their research and we have benefited from it.

> But stealing email passwords and credit card information? How is this
> legal in the US?

It's a gray area. I wouldn't do it myself, but I'm grateful to the 
others who have on occasion done something useful with it.

> The more I research this, the more it seems this sort of ``research''
> is more common than not. Wikileaks, Jacob Appelbaum, Adrian Lamo,
> Moxie Marlinspike... who else? Iran?!

Yeah, who don't?

> The Tor Project needs to shed some light on this or it will have a
> serious problem with people wanting to use Tor at all...

It's even a FAQ
> https://trac.torproject.org/projects/tor/wiki/doc/TorFAQ#CanexitnodeseavesdroponcommunicationsIsntthatbad

Personally, if I were going to transmit a credit card or email password 
in-the-clear over Tor I'd choose Moxie or Jacob over some random node 
any day. But I'd do everything possible to avoid that in the first place.

- Marsh