Has / Is / or Was Tor hacked?

  • Has / Is / or Was Tor hacked?

    Ok,
    I've been trying to get more people to use Tor. Especially in my location because that confuses the "watchers" when a bunch of folks download and start using tor. And because I'd like to promote security. However some of the useful idiots on facebook are trying to say it's been hacked, isn't safe etc etc. I've told them to read the tips section for starters... am I promoting a hacked tool?

  • #2
    Originally posted by VideoPod:
    Ok,
    I've been trying to get more people to use Tor. Especially in my location because that confuses the "watchers" when a bunch of folks download and start using tor. And because I'd like to promote security. However some of the useful idiots on facebook are trying to say it's been hacked, isn't safe etc etc. I've told them to read the tips section for starters... am I promoting a hacked tool?
    The burden of proof is usually on the person making a claim. Without proof or at least evidence to support a claim, that claim becomes something closer to a "faith-based" system or belief.

    There are known weaknesses in Tor, and they have been discussed at many conferences including DEF CON. There was an article recently which claimed that the Chinese Government found a way to identify specific users of Tor and VPN in their country, but if people take time to read the article, they can see how tor users were identified, and it was not primarily from weaknesses in Tor, but weaknesses in ISP services and websites these users use, which was then leveraged against tor users to help identify them.

    "Chinese Hackers Circumvent Popular Web Privacy Tools"
    * http://gadgets.ndtv.com/internet/fea...y-tools-703034

    "Chinese snoops try tracking VPN users with fiendish JSONP trickery"
    * http://www.theregister.co.uk/2015/06...cy_javascript/

    Many times, failures in services come from failing to properly use and configure software or services, as this story claimed:

    "How the FBI used computer MAC addresses against Lulzsec hackers"
    * http://www.hacker10.com/other-comput...lzsec-hackers/
    "Although the FBI was unable to read traffic over tor, e.g. visited sites, thanks to physical surveillance of the suspect's home they observed that activity between the MAC address belonging to the suspect's computer and the tor network only occurred while Jeremy Hammond was inside the house. The FBI used connection times to link him with IRC online chats conducted behind a tor proxy with their informant, "Sabu", on IRC channels at that very same time. Combined with personal information the suspect willingly gave away on the chat, the FBI managed to establish that a bunch of different aliases like "yohoho", "credibethreat", "POW", "burn", "tylerknowsthis" or "Anarchaos" all belonged to the same person."

    So the question becomes, "how did they know where to find the suspect's home in order to sniff the 802.11* traffic and perform correlation analysis?" There were other stories that claimed their suspect used their own home WiFi access point and/or access points of their neighbors and free access points in the area they lived in without using tor, and police then used this to narrow their search and select places to sniff for traffic. They may have staked out several places, sniffing traffic at many, then collected the data from these and found which MAC address, of all those found, had traffic patterns consistent with those of the target they saw online.


    More recently:

    "Did the FBI Break Tor?"
    http://www.slate.com/articles/techno...break_tor.html


    Tor is an amazing tool, and it is one of many in an ever-increasing arms race, but it relies on many things that non-experts likely won't consider when using it. This does not mean people should stop using it.

    Things can begin to break down when fundamental expectations are not met:
    * Can the subnet you are using play funny games with your traffic and have fake internal routes that direct all of your Tor entry node traffic to a single host that answers for all IPs, and then act as many entry nodes and downgrade your requested key-exchange/cipher/key-size to something vulnerable enough to let it pretend to be other entry nodes? (Crypto "downgrade" has come up many times with OpenSSL-related services like Apache HTTPS, and Tor devs have worked to address crypto-downgrade issues. People operating some Tor entry nodes were also accused of running cipher downgrade attacks on incoming connections. The idea of playing games with routing is not new, either, as this has been done with MitM attacks since before Tor even existed.)
    * Are you updating your Tor application/service tools to keep up with the latest threats?
    * Are you reliably using Tor and not forgetting to use it?
    * Is the site you connect to something you trust? Are they serving 0day malware exploits in Adobe Acrobat Reader or Adobe Flash? Some new image-processing/library exploit for gif, bmp, jpg, png or other formats? Have these websites installed malware on your machine that will change your tor config or network routing, and bypass Tor to "ping" or "phone home" and identify your "real" location?
    * Even if you trust the original people responsible for the site, are you sure the FBI or other government agency has not taken it over to serve malware and identify its users? (Law Enforcement has done this in the past. They have done this a lot.)
    * Do first-world governments control 5%, 10% or 20% of entry/exit nodes -- enough to perform correlation analysis on all traffic and timing, eliminate candidates that are not you, and reduce the candidates of viable suspects to a number small enough to watch your wifi traffic or talk to your ISP? With enough traffic, they can use statistics to identify a source IP. How much traffic depends on many things, but primarily on the % of total entry/exit nodes; the greater the percent of entry/exit nodes owned by any one "group", the fewer packets/sessions are needed to ID a "real" source IP.
    * Is there any window during boot of your computer when a piece of software or service will use the network and not use Tor?
    * Are the ciphers/hashing/key-exchange systems, protocols and *implementations* you are using so robust that analysis of *past* traffic with exploits over the next 5, 10, 20, 30 years won't expose your secrets? (History is *not* on your side here. What percentage of hashing systems has lasted more than 20 years with a rating of "strong" the whole time? What cipher systems have gone totally unweakened and unbroken in 10 or 20 years? Most ciphers and encryption systems do not last very long. Those that may start out strong do not stay "strong" as our knowledge increases. Advances in math, failures/weaknesses in protocols including key exchange, and, *more* often, failures in implementation or, even more commonly, in *use* -- all lead to increased risk of exposing secrets.)
    * Something else I do not mention (the list I don't mention is certainly longer than the list I do mention, since I am not a Tor expert)

    And from Tor devs:
    https://blog.torproject.org/blog/tho...ration-onymous
    (Description of known possible weaknesses and methods of attack that may have been used.)

    None of this means, "Tor is totally hacked, dude." We know Tor has known-weaknesses. We also strongly suspect Tor has unknown-weaknesses. But I've seen no evidence that Tor alone was responsible for the latest wave of raids.

    Tor is one of many elements in an arms race. It helps raise the bar in cost to identify someone. If/when methods of exposure are found, people will look for ways to address those risks.

    Maybe all the servers found by law enforcement were running vulnerable services on a vulnerable OS? Maybe a new 0day was used to convince each server to bypass Tor and "phone home" to the FBI? There are too many "maybes" creating too much doubt in spaces outside of Tor to say, "Yo. Tor is totally broken, dude."

    I do not know if "Tor is hacked" or "Tor is totally broken," but like all software of nearly any significant size, there are bugs in it, and some are probably exploitable. (If nearly all software has bugs, does that mean all software is hacked, and you should stop using software? Cars are involved in car accidents -- some are fatal, so should we stop using cars? Maybe we should climb a mountain and scream at clouds? Oh, but being on top of mountains increases our risk of falling. ;-)

    I would say that users of Tor should not consider it a magical shield that will protect their privacy from actions they take that might expose it. Future analysis of their encrypted content may expose their secrets. Users only have to make *one* mistake when configuring/using Tor. Devs only need to make *one* mistake in implementation. Tor protocol designers need to make only *one* mistake in design that overlooks some corner case, or space for exploit. There only needs to be *one* mistake in the tools used to compile and the libs used to run Tor and the OS to expose a weakness that is not even part of the "code" from Tor devs, but embedded in the resulting binaries. The end-user needs to only make *one* mistake in browser config, network access, etc. to allow malware to infiltrate their machine and work against them. And owners need only make *one* mistake, such as on physical access (who can plug something into your USB ports? PCMCIA / PC Card ports? Firewire ports, etc.?) while your OS is running, even if you use Full Disk Encryption. (See "Evil Maid Attack.")

    Last, social engineering is not just "a cool tool used by hackers." Governments have also used social engineering for a long time. Elected officials have professionals in advertising to try to social engineer populations to vote for their candidate. Makers of products and services in the private world do the same, to convince consumers to buy their product. Governments use Fear, Uncertainty and Doubt for many things. It can spread through a community of users when a coordinated collection of raids against many services happen at the same time. Government can keep a method of attack quiet and claim, "we have a tool that allows us to find servers providing illegal services on the Tor network," and scare people into trying something new, which may be less secure. It is hard to estimate. Our government desperately wants to hide its use of "stingray" to gather evidence against alleged criminals that use cell phones, but openly admits to having tools to identify alleged criminals providing allegedly illegal services over the Tor network? That is strange. That sounds like modern diplomacy -- aggressively exaggerate capabilities of weapons/defense against spaces you are weak, but keep quiet conversations on any powerful tools you heavily rely upon.

    If I were to use tor, and I was passing information where my life depended upon not being found, I would:
    * Not bring my phone, MiFi, etc.; leave those at the hotel, where I order PayPerView of something I have already seen.
    * Wait until I go on vacation, then go to a location far from home (vacation, then walk elsewhere)
    * Have a dedicated device just for Tor and not be a phone, or capable of being on any wireless phone network
    * Re-program my device's MAC address on each use
    * Bare-metal restore OS and firmware from a clean install after each use to avoid common small traces (DHCP leases, cookies, etc.)
    * Disable all other wireless
    * Use an external Yagi antenna to allow me to be in another building far from a public wifi, but still have sight of the public space
    * Use tor to publish or post an encrypted message or message in image (Steganography) to a forum, or as draft email in shared email account, or spam-like message with attachment
    * Stop using it for days, weeks, month until another message is required.
    * more...

    And with all of this, I would *still* forget something, and would eventually expose myself to being found-out. (No matter how good we think we are, there is always someone better than us.)


    TL;DR: Security should be considered in "layers"; do not just rely on Tor to keep your privacy. Be vigilant, continuously learn, and find more ways to mitigate risk/exposure than *just* using Tor.
    Last edited by TheCotMan; June 16, 2015, 22:45.
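    Two of the points above (the "% of entry/exit nodes" bullet and the MAC-address/IRC-session timing story) lend themselves to small models. The following is an added example, not code from the original post or from the Tor project. It assumes an adversary who holds the same fraction c of relay-selection probability at both the entry and the exit position, independent circuit building, and constructed sample frames, MACs and session windows; the 60-second bucket size is an arbitrary choice.

```python
"""Added example (not from the forum post or the Tor project).

1. circuit_compromise_probability(): how the fraction of relays an adversary
   controls turns into the chance that at least one of a user's circuits has
   BOTH a compromised entry and a compromised exit, which is what an
   end-to-end traffic/timing correlation needs.
2. score_macs_against_sessions(): the Hammond-style linkage, where sniffed
   802.11 frames per MAC address are compared against the times an informant
   saw the target online. All timestamps, MACs and windows are constructed.
"""
from collections import defaultdict


def circuit_compromise_probability(c: float, n_circuits: int,
                                   persistent_guard: bool = True) -> float:
    """Probability that at least one of n circuits is end-to-end observable.

    Assumption: the adversary holds fraction c of selection probability at
    both the entry and exit position. Without entry guards each circuit
    independently picks entry and exit, so P(both bad) = c*c per circuit.
    With a persistent guard the entry is chosen once: either it is bad
    (probability c) and only some exit has to be bad, or it is good and
    the user is never end-to-end observable in this model.
    """
    if not 0.0 <= c <= 1.0 or n_circuits < 0:
        raise ValueError("c must be in [0, 1] and n_circuits >= 0")
    if persistent_guard:
        return c * (1.0 - (1.0 - c) ** n_circuits)
    return 1.0 - (1.0 - c * c) ** n_circuits


def score_macs_against_sessions(frames, sessions, bucket_seconds=60):
    """Rank sniffed MAC addresses by how well their activity fits IRC sessions.

    frames:   iterable of (timestamp_seconds, mac) for observed 802.11 frames
    sessions: list of (start, end) windows when the target was seen online
    Returns a list of (mac, hits, misses) sorted best match first, where
    hits   = number of sessions during which the MAC was active, and
    misses = number of activity buckets that fall outside every session.
    A strong candidate has hits == len(sessions) and few misses.
    """
    active = defaultdict(set)
    for ts, mac in frames:
        active[mac].add(int(ts // bucket_seconds))

    def overlaps(bucket, start, end):
        b0 = bucket * bucket_seconds
        return b0 <= end and b0 + bucket_seconds > start

    results = []
    for mac, buckets in active.items():
        hits = sum(1 for s, e in sessions
                   if any(overlaps(b, s, e) for b in buckets))
        misses = sum(1 for b in buckets
                     if not any(overlaps(b, s, e) for s, e in sessions))
        results.append((mac, hits, misses))
    results.sort(key=lambda r: (-r[1], r[2], r[0]))
    return results


# Constructed sample data: three IRC session windows (seconds) and frames
# from three MACs. MAC ...:01 is only active during sessions, ...:02 is a
# neighbour's always-on box, ...:03 is never up while the target is online.
SESSIONS = [(1000, 2000), (5000, 6000), (9000, 9500)]
FRAMES = [
    (1100, "aa:bb:cc:dd:ee:01"), (1500, "aa:bb:cc:dd:ee:01"),
    (5200, "aa:bb:cc:dd:ee:01"), (9100, "aa:bb:cc:dd:ee:01"),
    (0, "aa:bb:cc:dd:ee:02"), (1200, "aa:bb:cc:dd:ee:02"),
    (3000, "aa:bb:cc:dd:ee:02"), (5500, "aa:bb:cc:dd:ee:02"),
    (7000, "aa:bb:cc:dd:ee:02"), (9200, "aa:bb:cc:dd:ee:02"),
    (10000, "aa:bb:cc:dd:ee:02"),
    (3100, "aa:bb:cc:dd:ee:03"), (7100, "aa:bb:cc:dd:ee:03"),
]


def demo():
    """Run both models on the constructed data and return the results."""
    ranking = score_macs_against_sessions(FRAMES, SESSIONS)
    no_guard = circuit_compromise_probability(0.10, 1000, persistent_guard=False)
    with_guard = circuit_compromise_probability(0.10, 1000, persistent_guard=True)
    return ranking, no_guard, with_guard


if __name__ == "__main__":
    ranking, no_guard, with_guard = demo()
    for mac, hits, misses in ranking:
        print(f"{mac}: active in {hits} session(s), {misses} off-session bucket(s)")
    print(f"10% of relays, 1000 circuits, no guards:       {no_guard:.4f}")
    print(f"10% of relays, 1000 circuits, persistent guard: {with_guard:.4f}")
```

The two numbers at the end are the point of the first model: with 10% of relays and no entry guards, a user who builds a thousand circuits is almost certain to hand the adversary at least one end-to-end observable circuit, while a persistent guard caps that risk at roughly c for the lifetime of the guard. The MAC ranking shows why "only one mistake" matters: the always-on neighbour is active during every session too, and what separates it from the real candidate is the off-session activity, exactly the kind of signal a stake-out collects.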


    • #3
      OUTSTANDING! CotMan! Thank you for the response! Very very useful and informative. May I use some of this information to respond to those "useful idiots" that are squawking about not using Tor?

      • #4
        I just noticed that I got an invalid server response when I posted my recent response. Wasn't that a problem a while back that was solved?

        • #5
          Originally posted by VideoPod:
          OUTSTANDING! CotMan! Thank you for the response! Very very useful and informative. May I use some of this information to respond to those "useful idiots" that are squawking about not using Tor?
          Correct or not, it is in public for public comment. Feel free to encourage constructive criticism of the content and find failures in the claims. However, just because it remains without correction does not make it right, much like science does not prove anything; science is used to try to disprove things. Only after years of exhaustively failing to disprove something do we begin to consider that theories might be laws.

          Originally posted by VideoPod:
          I just noticed that I got an invalid server response when I posted my recent response. Wasn't that a problem a while back that was solved?
          One source was addressed, but it appears another exists. We are still working to find the cause for errors. Progress is slow in finding bugs that are difficult to reliably reproduce.
