A good friend emailed me the other day to ask if I thought using Tor's network and software is truly as secure as everyone thinks. My immediate reply was no, I don't think Tor or any other so-called anonymizing service is truly secure. If you want absolute anonymity, don't use the Internet.
No service or product can claim to give you absolute privacy or anonymity. Here are six good reasons why.
Reason No. 1: Your location is traceable
Everyone on the Internet has an IP address, be it public or private. Ultimately, that address, along with upstream logs, can be used to identify you. Ask nearly any computer security criminal charged with a felony.
Some clever folks think they can play interesting tricks to make their originating IP address less obvious. For example, many cyber criminals use wireless networks not owned by them (at a coffee shop, a neighbor's Wi-Fi, and so on). They still get caught.
This is nothing new. In 1995, Tsutomu Shimomura tracked down notorious hacker Kevin Mitnick by triangulating wireless signals to a modem connected to a neighbor's house. Hundreds of child pornographers get caught each year who believed they were safe because they were using someone else's network and source IP address. This defense isn't new and rarely works in the real world when the cops decide to get serious about finding you.
Reason No. 2: Your cloak has holes
What about the anonymizing services? Oddly, many of the services and programs that guarantee you privacy have never undergone serious penetration testing. In fact, not just the anonymizing options, but security software in general is full of exploit holes. I don't mean a few — I mean dozens to hundreds of holes.
Years ago, one of the penetration-testing teams I was working with was hired to go at a popular AV vendor's virus scanner. We found hundreds of easy-to-exploit holes. The same can be said for encryption software.
Phil Zimmermann of the legendary Pretty Good Privacy program has moved on to encrypting VoIP and cellphone transmissions. Zimmermann is one of the world's foremost encryption experts, and he designs some of the best encryption products, including a product called Silent Circle, an encrypted email service with military-grade encryption that shut down Friday. He's also one of the world's most passionate privacy experts — one of the few who actually faced a treason charge over his support of that Fourth Amendment freedom.
In short, Zimmermann is the type of guy you want designing privacy software, but even he has a hard time keeping bugs out of his products. At the end of June, it was reported that an open source library Silent Circle relies upon was found to have multiple security flaws. Plus, here's what one reviewer found in February. Keep in mind that Zimmermann is one of my heroes, and in my opinion, his products are less likely to have issues than competing products.