"the revelation that there is or was a flaw of that scale is a service to the Internet"
Right on all points regarding Tor's failures, except this above is the crux of the problem. Specifically, that the researchers did NOT disclose this to either the Tor project or the broader security community. They disclosed it to the Feds, pulled their presentation, and sat on it presumably forever until third parties smelled something fishy.
Patrick and you are correct in your criticism of the criticism, but the fact that academic security researchers have become obsequious functionaries to state power is a MUCH larger issue here, so much so that you are arguing at completely orthogonal purposes to many of us.
My guess is that this orthogonality is lost on AMEDICALRe, and theirs on you.
Where do you think Tor came from in the first place? The US Naval Research Lab. Why do you think the USG went to CMU for this research? Because CMU has been a bastion of state-funded computer security research since the 1990s.
No, the big story here is that Tor was broken for a pittance. But that story is a lot less fun than demanding scalps from CMU, because it suggests that you might not in fact be able to thwart national SIGINT agencies with volunteer open source projects, and we nerds demand a monopoly on technological skill.
Do you think it was broken for $1M without using an already existing computing infrastructure that cost much more?
I'm more interested in knowing how much the real total cost involved here is. Maybe it's not a pittance that any VC in SV could cough up.
"No, the big story here is that Tor was broken for a pittance."
That was my prediction and take-away from this. I've constantly warned against relying on Tor to stop nation-states. Its requirements, especially synchronous and performance, make the anonymity goal ridiculously difficult.
That the attacks are still so inexpensive is more disturbing. Opens up doors to non-nation-state attackers that have money and connections to smart people.