[lawl]

Uhm, so where exactly does the FBI/NSA come in?

As of now there is some guy stating that some hoster has been pwnd and uploaded some JS that expoloited something that might be FF17 that might have been shipped with the tor browser bundle.

Why exactly does he thing FBI/NSA is involved? If he has the exploit code why didn't he upload it?

Lots of conclusions based on assumptions. As of now I'd think it's more likely someone just pwnd the largest TOR hidden host provider, uploaded a sploit that will affect most of the users (tor browser bundle) and called it a day.

Sure there MIGHT be some GOV/whatever involvment. But wouldn't it be time to wait with such accusations until we got some actual proof? Not even uploading the alleged exploit doesn't really help his position.

I would think that since about 60% of TOR projects funding comes from the .gov[0], that they have an incencitive to keep it online. I could imagine they have some nodes for which they wouldn't want to reveal the physical location. I don't know warhead controllers or something. Of course that only works if the're are enough nodes involved so you can hide yourself. That's why I think this might not have been a .gov action.

[0] https://www.torproject.org/about/findoc/2012-TorProject-Annu...

[duaneb]

TOR is also a great honeypot. There are no ways of validating a given node is not governmental, either.

[aspensmonster]

Indeed. Many people seem to misunderstand the purpose of the tor network. It is designed to conceal the sourcing node of a packet. That's it. Nothing more, nothing less. The only guarantee you get --and the only one you really need to remain anonymous-- is that your IP isn't stamped on the packets coming out of the exit node. You're not supposed to trust the exit node --or anything else you connect to through it-- for anything else. That's why you don't send login credentials in the clear over the exit node. It's why you don't send plaintext email over tor, or sign into services that are ever touched by a non-tor connection, or engage in plaintext conversation on IRC and have any expectation of privacy. Tor guarantees a different IP on the network packet, and that is it. And so far, it seems that the Tor project has made good on this guarantee. I've yet to hear about a deanonymization incident that can't be traced back to mistakes such as the ones above.

[superuser2]

There are no ways of validating anything is not governmental.

[duaneb]

Yes, but there are degrees of this, and TOR gives you nothing without the resources of the government.

[superuser2]

The government is allowed to create fake identities and corporations, use private facilities and infrastructure, etc. in order to run sting operations against sophisticated criminals. That's exactly the sort of "real police work" they should be doing, rather than surveillance.

Where is there ever a "degree" of visibility as to whether something is a government honeypot?