Let's look at the fundamental flaw of TOR... Anonymity... But for whom? If I set up a Tor node for others to connect "anonymously" to the world, guess what? I can see anything that traverses through my node. How do you know I don't have a rogue node? How can you be sure you're not connecting to a rogue node? You can't. This has already been proven and is likely continuously being done (rogue sniffing nodes).
In January 2007, the nascent Wikileaks project used a Tor exit node to capture its initial 1.2 million documents from users, ostensibly Chinese hackers engaged in government espionage.[18]
In September 2007, Dan Egerstad, a Swedish security consultant, revealed that he had intercepted usernames and passwords for a large number of email accounts by operating and monitoring Tor exit nodes.[19] As Tor does not, and by design cannot, encrypt the traffic between an exit node and the target server, any exit node is in a position to capture any traffic passing through it which does not use end-to-end encryption, e.g. TLS. While this may or may not inherently violate the anonymity of the source, depending on the data transferred, it affords added opportunities for data interception by self-selected third parties, greatly increasing the risk of exposure of sensitive data by users who are careless or who mistake Tor's anonymity for security.[20]
Source: http://en.wikipedia.org/wiki/Tor_%28anonymity_network%29#Weaknesses
WikiLeaks Was Launched With Documents Intercepted From Tor: http://www.wired.com/threatlevel/2010/06/wikileaks-documents/

So let's look at the concept for a moment.
Coworker --> use of work network --> anonymize --> World
How is this in any shape, form or fashion work related? What is so mission critical that someone needs to use anonymity software to do ANYTHING? It would defeat any argument. "We need to ensure..." Ensure what? You're exposing yourself to an unknown party and potential attacker - how can you be sure I'm not randomly sniffing my node?
If security is key here, then a company needs encryption (PGP, etc.). However, if they're in a country that doesn't allow for encryption programs, there is still a better option, e.g., hushmail, renting out cloudspace in another country, etc. There is no need for TOR in the workplace from my point of view. On the contrary, how do I know my employees won't use it to exfiltrate data without a trace?
The Anonymous Dream
Tor_User --> Random Node --> Internet (where Tor_User = Unknown because the endpoint sees RandomNode)

The Harsh Reality
Tor_User --> RandomNode (installs tap: take a copy of everything before we send it) --> Internet (Internet sees random node... Tor User feels safe... RandomNode compromises data)
So what makes you think, say, a competitor or government doesn't have rogue Tor nodes? Hell, forget those, let's say ANYONE period having rogue Tor nodes. The risks outweigh the costs if you're truly using it for *real world* purposes. There is no reliability and no accountability. The accountability part (why wouldn't you want someone knowing who you are unless you have something to hide) is what the Tor user is trying to avoid (from my perspective), but it's that same accountability that can come back to haunt them. Haunt them in the sense that: "OMG, all my IP (intellectual property) was compromised... How could someone do this! We've never been 'owned'". Sure, you've never been compromised... You GAVE your data away.
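The quoted point about exit nodes, that the last relay holds whatever the application sent unless it was encrypted end to end, can be shown with a small model. This is an added example, not part of the original post: the SHA-256 keystream is a toy stand-in for both Tor's relay encryption and TLS, and the keys, hostname and credentials are constructed.

```python
import hashlib

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (stand-in, NOT Tor's real crypto): XOR with SHA-256(key || counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)

# Constructed per-hop keys the client shares with each relay: guard, middle, exit.
HOP_KEYS = [hashlib.sha256(name).digest() for name in (b"guard", b"middle", b"exit")]

def build_onion(payload: bytes) -> bytes:
    """Client wraps the payload once per hop, exit layer innermost."""
    cell = payload
    for key in reversed(HOP_KEYS):
        cell = keystream_xor(key, cell)
    return cell

def relay_views(cell: bytes) -> list:
    """What each relay holds after removing its own layer, in path order."""
    views = []
    for key in HOP_KEYS:
        cell = keystream_xor(key, cell)
        views.append(cell)
    return views

# Constructed sample: a login sent over plain HTTP.
CLEARTEXT = (b"POST /login HTTP/1.1\r\nHost: mail.example\r\n\r\n"
             b"user=alice&password=constructed-secret")
# Same request protected end to end; this key is known only to client and server
# (assumption: stands in for a TLS session).
E2E_KEY = hashlib.sha256(b"client<->server session key").digest()
PROTECTED = keystream_xor(E2E_KEY, CLEARTEXT)

if __name__ == "__main__":
    for label, payload in (("cleartext", CLEARTEXT), ("end-to-end encrypted", PROTECTED)):
        guard, middle, exit_ = relay_views(build_onion(payload))
        print(label)
        print("  guard sees credentials: ", b"password=" in guard)
        print("  middle sees credentials:", b"password=" in middle)
        print("  exit sees credentials:  ", b"password=" in exit_)
```
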