That seems like a decent assumption to me. When your IP talks to another on the Internet, you no longer have any control over the metadata of that connection. It will show up in the logs of the other IP, and the owner of that IP is free to do anything with those logs.
It seems far more naive to assume there is an expectation of privacy on the Internet.
So the government mining of all metadata sent to any third party (including all texts, phone calls, and internet usage) is fine? Also, what about the data itself? You are putting the data on lines you don't own, so that is all fine too, no?
I think you've just stumbled across the crux of the government's position regarding PRISM.
To provide a contrasting example: GCHQ tapped fiber-optic lines between corporate datacenters. Those lines are not public and are therefore not supposed to be up for grabs; tapping them without the consent of their owners is an espionage activity.
Attaching to an open network that fuzz-routes data and then cheating on the policies of that network that are intended to anonymize the requesters of the data is just good old-fashioned protocol circumvention. Definitely rude and demonstrative of a major practical weakness in Tor, but probably not illegal. It doesn't sound like there was any law for SEI to break here (though I hadn't heard the suggestion that the CFAA might apply, which is an interesting legal angle to explore).
That's why you encrypt your data, and assume it is not secure if it is not encrypted. "Here, third party, please have my meaningless binary blob. You may do with it as you wish. Thank you for transiting it across your network in accordance with the TCP/IP protocol."
Third party: "You're welcome! Since you seem to be very interested in that specific subject (the destination IP address happens to map to a site specified for that subject), we sold this information to Google and they will now show more ads regarding that subject."
No, seriously. I believe it is good practice to encrypt all data over all kinds of wires (public or not). However, most of the time, we do not encrypt metadata, which can be just about as useful as the actual data (and way easier to analyze). Do you really think that any government cares much about what you say to a specific person? They only care that you talk to that person, when you talked to that person, and how frequently you talked to that person. The same goes for almost anything. If your ISP were interested in your data, they would actually value metadata a lot more than the actual payload because metadata can be analyzed quite easily and reliably.
Tor was (and still is) your only protection against these kinds of attacks because your ISP only knows you're talking to some Tor nodes, the Tor nodes can see very few of the websites you visit (or email recipients you send to) because you will use another node for the next website/email, and the website will not know who you are if you don't authenticate because many requests can come from that Tor node.
Please remember that Tor has since fixed these bugs. What is important, though, is that nobody (not even the government) should be allowed to legally decipher _all_ (or most) of the traffic going through a network/service.
We could say the same for HTTPS, because it also had its fair share of vulnerabilities.
It seems far more naive to assume there is an expectation of privacy on the Internet.