
RE • 10 years ago

What good is it if you can't surf the web?

Guest • 10 years ago
Shizuppy • 10 years ago

Something tells me Tor ain't nearly as secure as everyone thinks.

Guest • 10 years ago
pixelpusher220 • 10 years ago

Math is hard. Really, really hard. The NSA knows this and has admitted as much that they can't break Tor.

What is much easier to break is the technical configuration required to always maintain your anonymity online. Most people don't have the discipline...as even the Silk Road kingpin found out the hard way.

Any spy agency worth its salt won't spend too much effort picking the lock on the front door - they'll look for people who leave a window cracked for air conditioning.

BtotheT • 10 years ago

100th Window.

NegroSven • 10 years ago

"Math is hard. Really, really hard." - pixelpusher220

Speak for yourself!
Most people do not care enough about mathematics to WANT to LEARN!
HELL! Most people can't distinguish primes from composites!
Learn how to factor large number primes for beginners.

Keyrlis • 10 years ago

No, I assure you he is correct: Math IS really, really hard. Even if all people had the combined knowledge of the world's greatest mathematicians, the time needed to complete processes for finding solutions does not decrease. As you obviously have some grasp of math, you must know that as any mathematical algorithm becomes more complex, with each new variable there is an exponential increase in difficulty in deriving useful information without knowledge of the hash. Unless the whole argument of P vs NP has been broken (and I am not excluding the possibility that with its army of supercomputers, the NSA has, in fact, already done so), then even the government has an infinitesimal chance of being able to break complex encryption schemes. It's not a matter of being smarter, it is more a matter of outliving the universe so that one has time to complete the calculations.

NegroSven • 10 years ago

Mathematics is not 'hard.' He plainly stated mathematics is 'really, really hard', as in very difficult. I simply stated for him to speak for himself. As I implore you to do the same.
~

Keyrlis • 10 years ago

"Really, really hard" implies the level of difficulty, just as you and he stated. However, difficulty can refer to either the amount of work it takes to complete, or the level of ability it takes to be competent.
For example, a computer (which most modern encryption specialists use, these days, as opposed to the pure mental ability you seem to be referring to) may be able to do millions of floating point calculations per second, but it would still take an impossibly long time to crack a secure scheme. Human brains, no matter how knowledgeable they may be about math concepts, can not compete with computer speeds. As an example, try to crack even a simple substitution-based newspaper cryptograph in your head. Possible, sure, though it would take a few minutes for someone, assuming that they were extremely gifted with grammar and math. Now consider a 256-bit, time-based cipher that has multiple levels of key/hashtext algorithms. Aside from the memory requirements, grasp of logic flow, and the number of iterations you would have to keep track of in your mind simultaneously, the fact that the cyphertext would evolve as time went along would make it virtually impossible to solve before the key had changed.
I do not claim that understanding the *concepts* is difficult, only the solving of them, even with supercomputers capable of far faster calculations.
But I mean really, how arrogant do you have to be to argue that mathematics is not hard? Even Niels Bohr thought that there was a limit to how far human intellect could go in understanding all the variables present in the mathematical formulas underlying the real world. Perhaps you have just not been exploring far enough to meet a challenge. I implore you: Stop speaking arrogantly, and seek something you haven't learned yet.

NegroSven • 10 years ago

I'm fine with how I speak.
Please answer this....
How much math have you applied to any given real world product?
Or are you just one of those theoretical desktop types?

Keyrlis • 10 years ago

My science use is both theoretical and applied. With your fed-fishing comment, I think you must have taken offense where none was given when I suggested you seek further exploration. Mathematics is a field wide enough that no one person can FULLY understand all of it, or even a single branch, due to the complexity. You may be fine with how you speak, but that does not prevent you from being incorrect. Or arrogant. At the levels of computation we are discussing when it comes to encryption, math *IS* really hard, no matter which definition we gauge it by: length of procedural iterations OR complexity of encryption concepts. Otherwise, useful encryption could not exist, as anyone with an Apple IIe could crack it.
Now let's stop, as I am done explaining both myself and concepts in math and grammar to you.

NegroSven • 10 years ago

You never directly answered my very simple question, which leads me to believe you never applied any math to create any real world product. Yet your spinneret keeps tirelessly weaving. In my circle, you are called a phishing phage. An unsated delivery vessel of unwarranted rhetorical sputum. No one asked for you to interject your opinion into my conversation as my comment was clearly directed at pixelpusher. Yes, you may stop phishing for conversation now.

Sad little unsated phage, go find your next attachment.
~fin

NegroSven • 10 years ago

Never referred to anything other than making the statement math is not hard. You took my statement for something other than its literal meaning. There is nothing to infer about what I stated. Seems you must be out fishing for the feds. Can't be baited, so bye.

Keyrlis • 10 years ago

You are correct: I can't be baited.
On a side note, you took pixelpusher's original statement for *nothing* other than its literal meaning, and assumed it is what he meant, rather than using grammatical context.
Perhaps you would find more of a challenge in Writing than in problem solving.

ramv36 • 10 years ago

Or, just bribe/compromise someone who lives behind that front door to just open it in order to receive some reward/avoid some consequence

Guest • 10 years ago
pixelpusher220 • 10 years ago

The NSA didn't tell everyone, they had an INTERNAL memo, where by your logic they'd be telling the actual truth.

That memo was part of the disclosures by Snowden. So yes, the NSA can't crack Tor.

You can bet the NSA and FBI are running their own exit nodes and monitoring all the traffic.

pixelpusher220 • 10 years ago

Agreed. But that still means they need to try and match inputs from anywhere to the exit nodes they are running. It's a step but by no means a solution to the issue.

Jeff • 10 years ago

What the NSA "admits" may or may not be truthful. It could just as easily be disinformation designed to confuse.

pixelpusher220 • 10 years ago

Public statements surely could be self serving as you say. But internal communications? Much less likely to be false flag info... This was an internal only document discussing Tor and their efforts to crack it.

Jason Grinstead • 10 years ago

It's called counter-intel

dodoking • 10 years ago

If I remember correctly it takes a while for someone like the NSA to know what you are browsing but they have to target you specifically

rumbo bambo • 10 years ago

it was, NSA already hacked it though, probably through unethical means

JohannIvan • 10 years ago

The NSA did not 'hack' Tor. The NSA used a vulnerability in a browser, exploiting that vulnerability as a means to then monitor users who used Tor. Note this only compromised what that user saw / interacted with - it never compromised the underlying Tor security.

Jaime Moksha • 10 years ago

People need to stop thinking of the NSA as an ethical entity.

Dark Shroud • 10 years ago

Unethical? The NSA just added a bunch of exit nodes so they could monitor the traffic. Then they figured out how to "tag & track" in TOR due to vulnerabilities. A side effect is the NSA actually helped speed the TOR up.

Guest • 10 years ago
mshaw • 10 years ago

Why decrypt it? Infosec 101: Don't attack the crypto, attack the endpoints. Or if you're the NSA: infiltrate the standards groups and development effort and do both!

Mark Fox • 10 years ago

True. The NSA probably depends on Tor as much as they want to exploit it: http://pando.com/2014/07/16...

disqus_opQTQK6agv • 10 years ago

Yup, don't crack when you can simply track to a less vulnerable gate. Pretty hard to find a person in an airport on foot, but if you know what plane they leave on and what time.....takes seconds.

Guest • 10 years ago
mshaw • 10 years ago

"think I'm an idiot"...."retort"....dude. Calm down. Nobody called you an idiot and there's no need for the hostile tone unless you just like that kinda thing.

I think even a cursory reading of the Snowden revelations shows that the NSA's programs to infiltrate standards groups and private companies to weaken encryption are way more serious than you're indicating. $250 million goes a long way.

But to your original topic re: needing quantum computing to crack all that traffic...that was my point. They very rarely decrypt it. They attack either endpoint through weakening, unknown problems in entropy, etc. or plain ol' shenanigans, and they spend a heckuva lot of money on it. So saying they don't have the horsepower to decrypt even a small segment of Tor traffic doesn't mean they can't decrypt a large chunk of it in real time through other means.

Guest • 10 years ago
mshaw • 10 years ago

That's what we've learned over the last couple years. We used to think that you were relatively safe as long as you weren't specifically targeted. What we learned is that they weren't just going for the ability to get specific individuals. They were looking for the ability to decrypt all traffic, at will, on the fly. And they apparently succeeded with SSL and other "safe" protocols. It's completely reasonable to assume they have had continued success.

These are smart (the smartest), motivated people with a virtually unlimited budget. The details of these programs are not revealed to anyone. They tell each other "there is no need-to-know" when it comes to those capabilities. Do you really think they're going to come out and say "yeah Tor? No problem!" in a press release? This is THE serious-est of bidness to them.

Have you seen the shortcomings in the Silk Road case? Basically the government's claims of how they tracked them are bogus. They could have never been discovered that way. They will not reveal their capabilities even when they legally have to.

And they don't care about US companies. US tech firms are already losing billions because of these programs and other countries, (esp China) are slowly coming up with homegrown alternatives.

The goal of Federal agencies since the failure of clipper chip, etc. is real time decryption, analysis, and logging of all traffic. That's what they wanted and they decided they weren't going to give it up. There is no reason to think they haven't already succeeded. Any risk scenario that depends on "not being targeted" is not valid.

Guest • 10 years ago
mshaw • 10 years ago

w/r/t silk road 2.0:
http://blog.erratasec.com/2...

There's definitely more to that story...even if the guy was a doofus.

and w/r/t evidence of what the NSA is doing with TOR
https://www.schneier.com/bl...
http://www.bbc.com/news/tec...
http://pando.com/2014/07/16... (already ref'd above)
http://www.cnet.com/news/ns...

I don't think we'll ever see direct evidence that Tor is completely compromised by the NSA. But given their interest, the history of the project, their abilities, their budget, and the fact that patriotic and/or traitorous (depending on your worldview) analysts are leaking casual clues as to what kind of things they're finding, I wouldn't trust it with anything I would want to remain secret.

And there's always the question of what they can get down the road. If they're capturing and storing all Tor traffic, they might be able to trivially reconstruct it at a later date as they discover other methods. That date might not be that far away.

So moving forward to the subject at hand.... These little devices are a mixed bag security-wise. They would improve the Tor network by adding plenty of private nodes to the network and increasing the overall size of the haystack relative to the needle. However, you can bet with even a mild level of adoption they'd be subjected to a miniature manhattan project. If/when they cracked, there would be a ton of exposed content. And due to the nature of Tor it might actually weaken or crack the entire network.

Lastly, how do we know they aren't already cracked? Are all these creators on the up-and-up? What about people at the chip fab? Are they going to audit their designs to make sure they were manufactured to spec? Lots of slip betwixt a cup and lip for the whole process...and the NSA et al is extremely interested in it.

So to wrap my part up....I wasn't disagreeing with you exactly. But crypto is waaay more than just the math and computational power. And these days even the people who created it and thought it would usher in a new age of rights and freedom have admitted that it's only a small part of the bigger picture.

disqus_opQTQK6agv • 10 years ago

Really, you think they exploited Tor to help speed it up or even that their exploiting in any way helped the software...impressive. I am sure the ones who stole my credit card number were just trying to improve ATM speeds as well....

B1 • 10 years ago

Correct. And also by finding these vulnerabilities they have made it stronger.

NegroSven • 10 years ago

Herding them into the slaughterhouse.

Never • 10 years ago

What exactly is telling you that?

Do you think the design overall is insecure? Well, the concept sounds pretty good to me. It's absolutely not broken-by-design.

Do you think there are backdoors in Tor, or in the encryption tor uses? Tor is open source, and that means everyone can check the source code for backdoors and then make a build from that checked source code. It is however technically possible that your hardware RNG (random number generator) is backdoored in some way. You can't be sure about that unless you built your CPU yourself. This, of course, is a threat to every encryption ever.

Do you think the people who run nodes are untrustworthy? I agree on that. The FBI and NSA are said to run some tor nodes too. That doesn't matter however, because your connection is routed through a series of encrypted nodes. As long as one node in the chain is trustworthy, you're safe. There are things built into Tor to prevent whole chains of untrustworthy or compromised nodes, like Guard nodes (look that up if you're interested). I myself run a small tor node (as everyone can do), to contribute to a non-compromised network.

Do you think people use Tor in an insecure way? Absolutely, people do. Tor doesn't magically prevent you from (accidentally) doing less-than-smart things like registering on sites with your personal email address. Tor also can't prevent spyware on your own system from working. If there's a keylogger on your system and you use Tor, your keystrokes still get logged. There are people who allow javascript, flash applets and Java applets to run via Tor. That's also a bad idea, because you're allowing arbitrary code to be executed on your system which can be used to fingerprint your system, reducing your privacy, or to exploit your system, reducing your general security + privacy.

tl;dr: Tor is not 100% secure, but everyone can learn exactly where it's secure and where it's not by looking at freely available resources. Also don't do stupid things while using Tor.

Joel Penner • 10 years ago

Tor and Bitcoin are not secure. Already accessible by the NSA and FBI. If the internet is an ocean full of fish, Tor is a barrel of naughty fish trying to hide from 10-year-olds who paid a dollar to fish. I feel sorry for the suckers that aren't doing anything illegal but are likely going to get caught in the cross fire.

Meanwhile, the rest of the 6 billion fish stay in the big gigantic ocean.

neopangaea • 10 years ago

The person who wrote this article must have never lived in China. Tor never worked for me in Beijing. Only a few select VPN services that constantly modified their settings to keep up with the Great Firewall. China is able to scan the pattern of data packets, detect Tor transmissions and prevent them from going through.

Louis Dickinson • 10 years ago

That's evil! We are not forced to consume products or entertainment. We should not be forced into government surveillance.

Mike Gold • 10 years ago

Meanwhile the NSA reads all your info too...... And they lied repeatedly to Congress about it

John Galt • 10 years ago

Get used to it. Organizations from Governments to Feminists are demanding the internet be policed and controlled not just for threats from genuine criminals but for everything that could be considered one, which is basically anything they don't like. Pretty soon I won't even be able to post this over a vpn. You already can't access certain sites without allowing cookies or javascript so unless you're willing to give up the functionality then you better accept that you're already being tracked and cataloged. Hail Hitler.

Jimmy Hogoboom • 10 years ago

Which feminists are demanding that the internet be policed and controlled? Also, since when was feminism an organization?

Guest • 10 years ago

I don't blame a bit after NSA disclosure. Go China.

Calmplexed • 10 years ago

But do you grammar?