If you do a DNS lookup of torproject.org, you’ll find that one of the website’s hosts is Team Cymru:
Why is Tor being hosted on Team Cymru’s network, a data broker known to sell internet backbone data to companies? Their careers page states that “We do this through a suite of offerings that reduce business risk by providing attack surface + vulnerabilities + threats so both the C-suite and security teams gain the vantage points they need.” Translation: They sell data in the name of security.
Why is Tor giving a for-profit company like this permission to host the Tor Project website?
For the sake of my own curiosity: does it matter? Why should it be of great concern (particularly considering TLS and such) that IP access via Team Cymru would be more relevant than any other ISP, or more concerning than, say, an exit node in .ru?
Even if Team Cymru sells a slice of data that is netflow data thought to be Tor Browser downloads, let’s talk about what anyone would do with that data before we start using more tinfoil.
I’m not saying it’s not a valid question, but I would argue it would be more productive to discuss the potential harms involved in any entity providing IP access to torproject.org, and what ideally should be done about it.
Adding two sources to your OSINT:
search Tor Project | People for Cymru and consider this (Faravahar) directory authority somehow affiliated with Cymru…
Ooooh, the Tor website is hosted by a Tor Project supporter. How terrible. Would Amazon, Google, Oracle, whatever cloud be better?
You can access the Tor website via the hidden service.
It’s commonly known that Rabbi Rob Thomas, founder and CEO of Team Cymru, is a member of The Tor Project’s Board of Directors & that Team Cymru is running Tor Relays.
Communities can get a free BGP-based anti-DDoS service from them for their ASN.
What someone might do is to deanonymize flows, which is exactly what Tor is supposed to prevent.
It doesn’t matter who hosts Tor’s Web site. It is a matter of concern that Cymru’s founder/boss is on the Tor Project’s board of directors. Sorry, Rob, even to me what you’re doing didn’t seem so harmful back in the day, but now it’s clearly not OK. And it’s a conflict of interest.
Oh, and by the way, the fact that it’s legal to collect those data in the first place, let alone aggregate them, is a bad public policy failure.
Right @jbash, much better to let the criminals and authoritarian governments that don’t announce that they run hundreds of exit nodes with the resources to actually deanonymize flows, than someone with ethics.
It’s not either-or. Those governments will do whatever they do, regardless of whether Cymru ALSO democratizes the ability to deanonymize flows by selling the data to just anybody. You can have just the governments, or the governments plus anybody who buys a subscription.
By the way:
- I have seen at least one ISP admin claim to have used Cymru or Cymru-like data to ACTUALLY deanonymize flows, albeit as a demonstration.
- Those governments get to save money if they can buy the data commercially rather than collecting them themselves. And only very large governments have the reach to even begin to go it alone.