In a move almost staggeringly myopic, agents from Swedish National Crime and the Swedish Security Police raided Dan Egerstad on Monday of this week, rather clearly on the basis of his massive non-hack of the TOR routing service.
For those not catching on, Dan is the gentleman we all cheered a short while ago for having the ingenuity to set up and connect several new TOR (an anonymizing packet routing system) nodes and see if people were actually using the network with unencrypted protocols (which would basically be foolish in the extreme). It turns out that Dan's suspicions were right, and that not only were people using the network insecurely, lots of people, up to and including embassies and government and military offices were using the network unsafely--effectively sending emails and other sensitive traffic across the network completely in the clear where anyone who added their connectivity to the network could see it. This is very, very bad.
Let me make this clear... Anyone, myself included, can at any time, add their resources to and use the TOR network, simply by joining it and using it. (Non-technical explanation for simplicity) Participants in the network pass each other's traffic back and forth randomly through encrypted links, counting on the misdirection of a massive shell game to protect their privacy. Users are supposed to encrypt all their traffic as well as an additional step to keep the last site that handles the traffic before it goes back out to the Internet at large from being able to see what's being sent around. The encryption of the TOR network itself protects the contents up to that point, but no farther. For embassies and other installations that might have things going on where a breach of security could mean people die, incorrect use of the network almost guarantees that someone's likely to get hurt--possibly many, many someones. Dan figured that if anyone can do this, bad people were probably already doing it.
After doing his due diligence and trying to tell the people using the network unsafely the mistakes they were making (and getting nowhere), Dan took the more civic-minded approach of shouting it to the heavens by publishing samples and account information of the hapless fools on his website, and announcing the disturbing results of his completely legal and ethical research to security-oriented mailing lists in hopes that people would take notice and stop endangering themselves and others. The resulting splash should certainly penetrate far and wide and just maybe, make the problem go away.
It now appears that, true to history, anyone foolish enough to take away any powerful organization's ability to lie to itself about utter and terrifying failures of their security model is someone those organizations are going to try to hold responsible for it. Seeming to be under pressure from other organizations (very likely the ones Dan was trying to protect) the Swedish authorities have basically confiscated most of Dan's stuff, and it remains to be seen just how far this will go before sanity takes hold again.
We can now chalk up another one to the forces of ignorance and stupidity for attacking people who are working to help them stay safe. Dan should have been getting a medal (or at least a thank you) for this work, and instead, people are trying to destroy his life. Way to go, folks.
Tor has it's uses.. But they have mostly to do with obscuring the view of your traffic on the segment of the network which you currently reside. At the exit points, you have zero knowledge of how trustworthy the network is or isn't.. Hence, you always need to assume that your traffic hits the open network on a hostile segment. This fact needs to be understood by anyone who uses the Tor network to protect their identity.
Tor doesn't actually provide any kind of end-to-end security unless you are using Tor hidden services.
