Peeling the Onion: Security depends on being sensible as much as software

Right to privacy campaigners, libertarians and no doubt several questionable characters are up in arms following the news that the FBI has compromised the infamous Tor – The Onion Router – that allows anonymous online browsing.

In a statement released earlier today (Tuesday), the group posted a statement following the disappearance of several servers that it routes to from its network.

The reason behind the sudden takedown appears to be related to the attempted extradition of Eric Eoin Marques, a US-Irish national linked to child abuse images by the FBI. The 28 year old is the subject of a US arrest warrant for charges relating to images hosted on the Freedom Hosting network, itself hosted on the Tor network.

Tor has been quick to distance itself from the Freedom Network, saying ‘the persons who run Freedom Hosting are in no way affiliated or connected to the Tor Project Inc., the organisation coordinating the development of the Tor software and research’.

However the bigger story for many Tor users is how the FBI identified Marques in the first place.

According to form Washington Post reporter and security blogger Brian Krebs, users were identified using a flaw in Firefox 17, upon which the Tor browser is based. Rumours have been flying about the FBI uploading malicious code, with many accusing them of playing dirty.

Whilst nobody can be sorry to see people involved in child abuse facing justice, and the issue of what’s fair when it comes to the investigation of such people being highly contentious, it also serves to highlight a certain naiveté amongst the anonymous legions.

Any security software is only as secure as the person using it. You could have the world’s strongest door with the world’s biggest lock, but if you leave the key on the bar in your local pub then it’s not going to make much difference.

NSA whistleblower Edward Snowden said in June that although email security such as PGP is pretty much unbreakable, the ‘endpoint security’ is generally so weak that anyone wishing to read those emails can often find a way around rather than through security. So whilst you may have downloaded encryption software to send emails via your phone, if you leave it unlocked then someone can simply pick it up and read it in plaintext for himself or herself.

Ultimately, any security system is only as competent as the person using it and once secure information leaves your head via any sort of communication with another person, you need to think about who else is paying attention.