
This is perhaps the most unnecessarily rude comment to be at the top of a hacker news thread in some time. Let's all remember that disagreeing with someone doesn't mean being glib or mean.



[flagged]


Anonymous random new account, I don't know how intimidated you think I'm going to be by whatever your academic credentials will turn out to be when you reveal them, but nobody I know in security research is talking about this Tor work the way you are, or would take umbrage at what Patrick said. Patrick knows what he's talking about.


Dude, the fact that nobody you know is worried should be the first clue that something is really wrong or you are hanging out with the wrong people. Security, Privacy & Data Mining research are ripe for bureaucratic takedown. Incidents like these will only lead to harsher requirements and stifle future research. It's essential for the security community to police itself. As far as Patrick knowing what he's talking about, I do not take anyone who has never published a research article, let alone an abstract, seriously.

We have access to hundreds of millions of medical records, if we were to throw integrity, ethics and morality out of the window. The results would be spectacular enough to warrant front-page news in all major newspapers. And it would completely destroy any future medical research in this field, since we would have betrayed public trust.

Oh, and guess what: we are exempt from IRB. The true reality is that research to a large extent cannot be completely controlled / monitored. It is thus extremely essential for a research community to hold itself to some ethical standards.


I'm not sure what the last part of your first paragraph was supposed to mean, but if I wanted to compare my own computer security cite record with yours, would I search scholar.google.com for "AMEDICALRe"?

You've misread Patrick's messages to spectacular effect, leaving me with the impression that you were simply champing at the bit to jump at him and his silly bingo card site.

Tor chose world governments as their adversary, and if $1MM was all it took to buy unmasking of users, they failed. That's important information, and regardless of CMU's ethics (and I think this was an ethical lapse), the revelation that there is or was a flaw of that scale is a service to the Internet.


To his credit, I'd guess he's not sharing his bona fides because doing so would jeopardize the program he alleges to be involved in, and there isn't a particular reason to doubt the veracity of his claim by virtue of his creating an anonymous account to protect said program.

While his passion for the issue has made his message more aggressive than you'd like, don't dismiss his claim because you believe he's just full of piss and vinegar. Looking past the totally unrelated arguments about his identity, I don't have any difficulty believing what he's said. I know several folks in American academia who have stated unequivocally that the amount of computing power and data analysis ability available to them would make Dr. Evil blush.

Let's be honest and set emotional responses and character assault aside here. If you take the emotion out of what he said, can you honestly say the rest of it is bullshit? It rings true to me, and he's right: if academia, which is generally held by the public to be above the sort of cloak and dagger stuff that happened with Tor, lost its way and tossed their ethics out the window ... Well, that's a Bad Thing in ways we can only begin to understand. Who's left for us to trust?


It is totally fine if they disagree with me. What's not fine is the way they chose to express their disagreement: by taking umbrage at the idea that anyone, let alone the author of a Bingo Card site, would have an opinion contrary to theirs.

I don't even think I disagree with the second part of 'AMEDICALRe's root comment. But of course, that comment has very little to do with what Patrick actually said. Patrick is responding to the fact that an anti-surveillance tool that chose as its adversaries all the world's governments was broken for a sum of money any angel investor in SFBA could have coughed up.


Fair enough. But I would argue that qualifying Tor as a group targeting world governments is a bit dramatic. That may be propagandist commentary on their part - they're entitled to make it, and people still use Tor in spite of it - but isn't the primary intention of Tor to preserve free speech and anonymity, and to offer protection from persecution (or prosecution) by nation-states that seek to quell dissent? And if all the world's governments are truly the stated target of Tor, why on earth should an American academic institution insinuate itself into that battlefield? For that matter, given the stated powers of our government's network and data analysis engines, why were they even needed?


They provided information "on that battlefield" that shows that Tor is wholly inadequate to "offer protection from persecution by nation-states". If you're in a place where your life is on the line and you think Tor will help you, this shows clearly that is incorrect. That is useful, even critical information, since lives depend on it. Maybe you don't know the source or the method but the output is very valuable.


That's only somewhat true, though. Russia tried to break Tor's anonymity and failed.

http://www.bloomberg.com/news/articles/2015-09-22/russia-s-p...


> I would argue that qualifying Tor as a group targeting world governments is a bit dramatic. That may be propagandist commentary on their part - they're entitled to make it, and people still use Tor in spite of it - but isn't the primary intention of Tor to preserve free speech and anonymity, and to offer protection from persecution (or prosecution) by nation-states that seek to quell dissent?

I don't understand what you're trying to say. Surely, if the primary intention of Tor is to protect users from persecution by nation-states, then their adversaries are world governments?


> was broken for a sum of money any angel investor in SFBA could have coughed up.

Perhaps nitpicking, and a bit tangential to this debate, but I can't imagine the $1m on its own would be enough to break it.

I imagine they have some fairly beefy research budget with an existing infrastructure, substantial computing power and prior research experience to begin with. So quite a tall giant to stand on. If I had to guess, the $1m was only there to cover time spent on this very specific task at hand, and for allocating researchers' time away from other tasks...


I find it weird that such a seasoned academic researcher would completely gloss over the distinction between academia and an FFRDC.


> the revelation that there is or was a flaw of that scale is a service to the Internet

Right on all points regarding Tor's failures, except this above is the crux of the problem. Specifically, that the researchers did NOT disclose this to either the Tor project or the broader security community. They disclosed it to the Feds, pulled their presentation, and sat on it presumably forever until third parties smelled something fishy.

Patrick and you are correct in your criticism of the criticism, but the fact that academic security researchers have become obsequious functionaries to state power is a MUCH larger issue here, so much so that you are arguing at completely orthogonal purposes to many of us.

My guess is that this orthogonality is lost on AMEDICALRe, and theirs on you.


Where do you think Tor came from in the first place? The US Naval Research Lab. Why do you think the USG went to CMU for this research? Because CMU has been a bastion of state-funded computer security research since the 1990s.

No, the big story here is that Tor was broken for a pittance. But that story is a lot less fun than demanding scalps from CMU, because it suggests that you might not in fact be able to thwart national SIGINT agencies with volunteer open source projects, and we nerds demand a monopoly on technological skill.


Do you think it was broken for $1M without using an already existing computing infrastructure that cost much more? I'm more interested in knowing how much the real total cost involved here is. Maybe it's not a pittance that any VC in SV could cough up.


"No, the big story here is that Tor was broken for a pittance."

That was my prediction and take-away from this. I've constantly warned against relying on Tor to stop nation-states. Its requirements, especially synchronous and performance, make the anonymity goal ridiculously difficult.

That the attacks are still so inexpensive is more disturbing. Opens up doors to non-nation-state attackers that have money and connections to smart people.


> We have access to hundred of millions of medical records

They're not anonymized?

When I'm asked to provide data to medical researchers it also has to be anonymized.


Is HIPAA not a factor here?



