First off, please take a little time to read my comment here:
http://ryansholin.com/2010/05/31/wikileaks-and-tor-moral-use-of-an-amora...
If you read that, I explain that Tor does not ensure (and has never promised to ensure) the security of the contents of data from point a to point b online. Tor obscures the origin from the destination.
The system is structured so that the exit nodes don't have to be trusted. If you read any of the Tor documentation, they tell you that. They tell you that anything you send over the wire unencrypted will come out for that last jump from exit-node to destination unencrypted, and anyone trying to intercept traffic at the exit node (the person running the node or an attacker) or the destination (the person running that service or an attacker) can read your stuff.
This is not news. On the other hand, your private information, including usernames/passwords, is probably in more danger on an open cafe wireless, where the kid next to you may be monitoring the unencrypted traffic on the wireless.
Mostly, we pay no attention to these things. But gosh, you'd expect Chinese hackers might have more incentive to take care? :)
Second, Assange says that something between a few and none of the materials published on Wikileaks came from the Chinese hacker monitoring. However, the materials they did publish concerned documents outlining persecution of Tibetan activist NGOs and such. These organizations were warned.
This is a classic whistleblower scenario -- one I'd expect MoJo to understand. Any time there's a whistleblower, information is essentially stolen, violating some institution's security. This is true if it's Deep Throat spilling secrets to journalists he's sworn to keep. It's true if a chemical plant employee walks off with a manila folder with test results not meant for the public. It's true if someone takes information on a thumbdrive or laptop to present to the press or law enforcement. And it's true if someone intercepts a cell phone or internet data (whether or not from Tor).
All of these whistleblowers broke some form of security or confidentiality. I'm generally sorry when I hear that people are sniffing traffic from the Tor Network, but we know it happens, just as surely as we know somewhere right now, a sysadmin is reading someone's work email on an office server.
As we speak, there are activists, journalists, bloggers all over the world whose identity is being preserved by using Tor, writing in danger zones. Global Voices Online and Reporters without Borders are only two of the groups who train their people to use Tor to obscure the origin of their communications. They also teach people to use encrypted services (like https://gmail.com) rather than unencrypted services (http://gmail.com) so that end-to-end encryption will obscure the *contents* of their communication. Tor doesn't do that.
I'm former Tor staff, and a current volunteer. I spoke as executive director of Tor for a worldwide conference at Amnesty International (http://politics.gather.com/viewArticle.action?articleId=281474977022186), and was proud to be working with organizations including Human Rights Watch and many others during my tenure there. We focus on educating these people -- journalists, human rights activists, citizen journalists in countries where speech is not free, ...
We also document proper use of Tor to protect the user. However, my experience is that ignorant people will use Tor without protecting themselves or their data, and in the case of crackers, this can actually help law enforcement catch them. Although really *smart* criminals will use botnets and other more secure options than Tor, Tor remains the best solution for internet anonymity that doesn't involve stealing or exploiting someone else's computer or resources, and that is why it is in such widespread use among people who want to engage in civil disobedience, whistleblowing, or dissent.
You can learn more about who uses Tor, and why, here:
http://www.torproject.org/torusers.html.en
Assange stated pretty clearly that only a few whistleblower documents were published from Tor-sniffed hacking. Regardless of what you think of Wikileaks, dragging Tor through the mud just scares people away from a good resource, including people whose safety might eventually depend on their anonymity -- some successors of the Iranian election activists who used Tor to get media out of Iran, wherever that next need arises.
I'm no longer working on project staff, but I still do volunteer work for them. The way the media has engaged in scare tactics around something that isn't news (that exit nodes pass unencrypted content unencrypted) in a way that might scare someone into an insecure situation online, or drive them to use criminal means to protect themselves, makes me furious.
The Tor Project tried to make this into a teachable moment here:
https://blog.torproject.org/blog/plaintext-over-tor-still-plaintext
I hope MoJo folks will learn more about Tor, and perhaps even support the project in the future. Feel free to contact me with any questions.
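
Added illustration, not part of the comment above and not Tor's code: a toy Python model of a three-hop circuit showing what each relay can observe, and why only an end-to-end layer hides content from the exit. The cipher is a stand-in for the real cryptography, and `client-ip`, `mail.example` and the login payload are constructed sample values.

```python
import hashlib
import os

def xor_layer(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 counter keystream). Not Tor's real cryptography."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)

def simulate_circuit(payload: bytes, client: str, destination: str) -> dict:
    """Return the previous hop, next hop and bytes each relay observes."""
    hops = ["guard", "middle", "exit"]
    keys = {hop: os.urandom(16) for hop in hops}  # per-hop keys shared with the client
    cell = payload
    for hop in reversed(hops):  # client wraps: exit layer first, guard layer last
        cell = xor_layer(keys[hop], cell)
    views, prev = {}, client
    for i, hop in enumerate(hops):
        cell = xor_layer(keys[hop], cell)  # each relay removes only its own layer
        nxt = hops[i + 1] if i + 1 < len(hops) else destination
        views[hop] = {"from": prev, "to": nxt, "bytes": cell}
        prev = hop
    return views

# Constructed sample data: a login sent in the clear vs. under an end-to-end layer.
LOGIN = b"POST /login HTTP/1.1\r\nHost: mail.example\r\n\r\nuser=alice&pass=hunter2"
E2E_KEY = os.urandom(16)  # stands in for the HTTPS session between client and server

def exit_sees_password(payload: bytes) -> bool:
    """True if the bytes leaving the exit relay contain the readable password."""
    views = simulate_circuit(payload, "client-ip", "mail.example")
    return b"pass=hunter2" in views["exit"]["bytes"]

if __name__ == "__main__":
    for hop, v in simulate_circuit(LOGIN, "client-ip", "mail.example").items():
        print(hop, v["from"], "->", v["to"], v["bytes"][:24])
    print("plaintext readable at exit:", exit_sees_password(LOGIN))
    print("with end-to-end layer:", exit_sees_password(xor_layer(E2E_KEY, LOGIN)))
```

The guard knows the client's address but sees only ciphertext; the exit never learns the client's address but handles whatever the application handed to the circuit.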