On Mon, Mar 21, 2011 at 02:43:22PM +0100, Anders Andersson wrote:
> On Mon, Mar 21, 2011 at 4:32 AM, Ali-Reza Anghaie <a...@packetknife.com> wrote:
> > I find it curious that ~credibility~ of tor is being called into
> > question by some. The source is readily available, the libraries it
> > compiles against are readily available, the change logs, code control
> > records, etc. are all readily available. Certain contributors to tor
> > have come under fire from various Governments and private
> > institutions. For bloody sin sake EVERYTHING has had Uncle Sam
> > involved in some variable way at this point. Linux, GCC, sendmail,
> > bind, etc. etc.
> >
> > FUD is an energy stealer and if you can afford that energy loss then
> > at least put it to good use auditing and tracking down bugs or any
> > backdoors you suppose. -Ali
>
> I think that it's more curious that someone used Tor and didn't know
> that it used to be a military research project. Like the internet.
>
> But to be honest, if you don't know anything about programming it
> doesn't matter that the source code is available, how are you supposed
> to check? Pay someone a ridiculous amount of money to check it for
> you? And there's no way to know how many independent programmers have
> validated the source code. In a scenario where the military actually
> would hide something in the source, all programmers working on the
> project would of course be in on it together. There are only a handful
> of them.
This is a reasonable concern, but I think you are oversimplifying the assurance and risk management available to those who are not tech savvy. If they are just going to look at one or two poorly researched articles in a blog/credentialed-news-publication/whatever-medium-you-want that confirm their expectations, well, there's not much more you can do to help them. Whether they trust you or not, their beliefs will not be very well grounded. But if they do have the interest and time (lucky them), they don't have to be able to read the source code themselves or pay someone (and why trust the guy you are paying to read it anyway? and how do you know that this is the code running on all of the relays out there? or the code you downloaded, and ...). There are good answers to the latter of these for people who are tech savvy, but how do you get to trust those answers short of a significant self-education? Here are just a few of many possible ways.

The Tor source is available and people are encouraged to check it out, but that's _not_ the whole story. Tor is also fairly well documented (meaning that a description of what the different parts of the source code do is available), which encourages people to look at it more than if it were just this pile of code goo to wade through. And lots of independent people _do_ look at the source code. One way you can tell this is that they find mistakes, sometimes some fairly bad ones. (Fortunately not too bad very often, and generally fixed quickly.) You can look at the posted history of the announced versions at https://lists.torproject.org/pipermail/tor-announce/ and see acknowledgments of who found flaws, and look them up. Lots of times these are researchers at some reputed place. Lots of times these are smart people with no credentials you would recognize. In either case you could look them up and see who they are. Ask them about their experience reporting a flaw and getting it fixed, and what their overall impression of Tor is.
You can do this even if you have no idea what the flaw is that the release notes say they found, or how the Tor people fixed it.

There are also lots of academic researchers looking at Tor all the time (somewhat overlapping the people looking at the source) and poking holes in the design, the deployment, etc., testing its strengths and weaknesses, suggesting improvements, which often do get incorporated. This is also all well documented and vetted by publication in peer-reviewed scientific venues. It is also work done at reputed institutions of higher learning in various countries, if you want to base anything on that. You could contact the authors of these. There are also people at places you've never heard of, if you don't trust people at big institutions.

If you don't know anyone you trust who is tech savvy, you could contact your favorite computer science department by looking them up on the web and ask around till you get directed to someone who knows something about Tor, and ask them. Yes, maybe someone bogusly directed you to a simulated website of Enormous State University with fake phone numbers in it, and whoever you talk to there might inadvertently link you back to the Tor cabal rather than getting some random professor or savvy student's opinion, and maybe all those publication venues and researchers and universities are in on it, and the supposedly independent researchers who found code flaws were also in on it (or sock puppets created by Roger to create credibility). But at some point you have to look at the size, diversity, and entrenchment of the conspiracy you think is there. At some point there is only so much we can do to reassure you. (I'm talking about reassuring you that there is no conspiracy. That the stuff is good is a related but independent question that the above suggested checks should help with.)
If the above, or some of the many other things you might do to check into it yourself without needing to understand the technology, doesn't convince you, then probably you have already decided what to believe and no evidence is going to change that. And yes, there are always things to do to improve transparency/trustability/usability/etc. People worth trusting probably have processes to do that and a relatively independent and confirmable history of doing it.

HTH,
Paul

_______________________________________________
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk