> Saying that Tor is just a LEA honey-trap is just plain FUD.
Explain why the FBI has been able to unmask nearly every high profile hidden service operator they go after then? Each time it's a different strategy, and they have all been incredibly effective. Some relied on bugs in Tor, others on broken tools used to access it, others on poor UX that encourages operational security failures. Russian intelligence ran their own set of exit nodes for a period and replaced all executable downloads with malware! You are objectively less safe using the public Tor network.
I don't think the concept of "crowding" is a recognized security property of a system. At least, I've never seen it used before. The way that single-hop commercial VPN services "crowd" people together creates a massive liability. The way that Tor allows anyone on their public network creates a free-for-all where you're exposed to more surveillance and more malicious code (entry/exit node manipulation). Each of these offers straightforward targets for a slow, lumbering, resourced attacker to eventually completely compromise with users none the wiser.
Well, it is the FBI. And it gets help from the NSA, for sure. There are public understandings for each of the large takedowns. Maybe some of that was parallel construction. But the point is that the public Tor network is the best that we have for anonymity. Whatever its weaknesses, creating your private Tor network is no better than a private VPN. Or maybe a chain of them. But you can't have an anonymity system without lots of users. That's what I mean by crowding.
If the NSA can help deanonymize Tor hidden services, people shouldn't stand up Tor hidden services. The point of cryptography isn't simply to make it more difficult to attack something; it's to make it intractable.
My intuitions are generally with you, but Tor developers have claimed that low-latency anonymity against a pervasive network adversary may be impossible, and formally excluded it from their threat model back in 2004. In that case, the best that can be done may be to defend successfully against some weaker adversaries (although a better move in many ways is to switch to high-latency anonymity).
Maybe successfully defending against the weaker adversaries is useful to many people, although it raises a serious challenge of how to clearly disclose the risks and limitations, which I see as a very important challenge for Tor on both the browser and hidden service sides.
(Hidden services might have categorically worse problems so that there's almost no realistic threat model in which their current design is safe; maybe that's what you're getting at?)
Yes. I share Dan Guido's take on Tor. It's an interesting and important research project that is in no way appropriate for the problems to which most of its users apply it.
Like everything else in cryptography, users don't care if things are insecure: things must be secure, because users want them to be! Ignore the Tor users getting zorched by governments; they're all outliers!
> My intuitions are generally with you, but Tor developers have claimed that low-latency anonymity against a pervasive network adversary may be impossible, and formally excluded it from their threat model back in 2004.
This is a point that I wish more people were familiar with. Tor has been oversold as the privacy project to protect from everything. The Snowden docs leaked out and privacy activists ruffled around their pockets asking, "what do we have to rally behind?" They found Tor and stuck with it, despite it certainly not being built for that task.
They're all going to be "isolated incidents". That's the nature of a honey trap. It's not much of a trap if it springs just because you look at it funny.