TechStuff Classic: The Secrets of Tor and the Deep Web

the hammer Mjolner, and his brother is Loki. She's not even growing her eyes, She's just staring me down this time. Okay. So seriously, though, what tour is free software. It's an open network, and it helps you defend against traffic analysis. In other words, people trying to figure out what you are doing and who you're commun ninicating with. Traffic analysis is a form of network surveillance that threatens personal freedom

and privacy. Uh, it threatens confidential business activities and relationships, and it threatens state security. Therefore, some folks got together and said, hey, you know what we should do is we should come up with the means to allow people to communicate over the Internet, but do so in a private, anonymous fashion, so that you can set up these anonymous channels. Perhaps the most popular way to access this is through

a customized build a Firefox called the Tour Browser Bundle. Right, Yeah, because just using Tour on its own is one thing to do to to allow you to have a little more of an anonymous presence, but it requires more than that, because if you access Tour through some other means, if you don't have say Flash disabled in your web browser, then you're still kind of broadcasting where you are because Flash often involves uh identification information in order for it

to work. So it is a and source. So if you feel like getting in there and and doing your own thing, you're absolutely able to um and uh and And a lot of people do use it in one form or another. At its peak, in more than half a million people were using it every day. Yeah, oddly enough, I think as I a call in that year, there was some news that broke about government agencies. Yeah, Edward Snowden had that leak about the n s A, and

suddenly people were thinking, you know, I was like it doubled. Yeah, Yeah, it was one of those things where people began to get very concerned. And it's not necessarily that these people are doing anything wrong. In fact, that's not the point at all. The point is that they have an expectation to privacy and being able to hold this kind of anonymous communication with other people. The communication itself isn't necessarily anonymous, but the channels are. Uh, you know, that's just that's

just an expectation we have. It's not that, you know, I'm planning something to Ferry. It's just if I want to send a message to Lauren, and it's just for Lauren's eyes, I don't think anyone else has the right to look in on that. So yeah, and in normal internet traffic, that's absolutely a possibility. Yes, Because we've talked a lot about how information travels across the internet. You know,

it all gets divided up into these little packets. Then the packets go across the network and then get put together Willy Wonka style on the other side, so that you get whatever it is you were trying to send, which is unfortunately probably not a delicious chocolate bar no or Mike TV either. It's not neither of those things. What it might be like if I, if I were to send that email to Lauren, and it's a sizeable email,

that email gets divided up into numerous packets. The packets go across the Internet, not necessarily taking the same path, and they eventually reassemble on the other side and then Lauren can read it. But in order for that to happen, these packets have to have little bits of information so the routers know where to send the information onto next. So it's kind of like an address on a piece

of mail. So let's say that you've got a snoop in your neighborhood and this person is getting into everybody's business. And the way this person does it is they look at all the mail that's going in and out of a person's mailbox. And even if they're not opening that mail and and reading all of it, just just the fact that you're sending it to particular people at particular

times can tell that snoop a lot about what's going on. Right, So if you're sending out, uh, you know, envelopes to say a medical facility, that could give a lot of information to a snoop if they're seeing that stuff from various insurance companies is coming into you that could you know, I'm going with a medical thing here, but really this applies to any sort of communication. So so what we're saying is that it's not enough for the content of

what you send over the internet. Uh necessarily, I mean you are hypothetical, you maybe you're fine, it's not enough for you to encrypt the content, but the actual transfer of the content in some cases needs to be encrypted exactly. And there are a lot of legitimate cases where you would want that to happen. I mean, let's talk about

journalists for example. So you might have a journalist who is pursuing some major story, perhaps they're in unfriendly territory to do so, and they want to be able to contact sources that might be in danger otherwise if there if if this communication were publicly known or really anything that could endanger the journalist, a source, or the story itself, then you would want to have a way of securely communicating and making sure that no one's really snooping in

on you. Well, that's that's a perfectly legitimate source. There are governments that use this kind of thing in order

so that they can gather information and disseminate information. Uh, you've got companies that use this kind of stuff in order to have secure communications about upcoming products or services that are not part of the public knowledge and don't need to be oh sure, I mean even if you're just doing r and D about something you know, like like let's say that you're the example that you used

and in our notes here is Apple. Like if here, if you're creating a new product and you start researching patents online, um, the right person could could find your searches and figure out what you were looking for, and

that sucks for you. Yeah, yeah, if you had the next big idea and you were waiting, because you know, like the company of Apple, they get a lot of a boost from folks whenever they announced something brand new that surprises everyone, which of course is exactly why you have so many news agencies scrutinizing everything Apple does in order to try and guess what's coming next. So the more you're able to keep that secret, the bigger the

impact is when you unveil it. Because the worst, the worst feeling is when you tune into an Apple of that and it ends up being exactly what you expected. It was. Time to be right. Every everyone still tunes in but then they're like, oh, but that's exactly what they were talking about last week. I know, and you

read what they wrote last week, so stop it me. Sure, and and lots of other people who could generally be considered to be working for for non nefarious purposes, but nonetheless would like a little bit of secrecy, uh, for example, activists or whistleblowers, um or you know Chinese citizens who really just want to use Facebook or read news from other countries. Sure, and we've seen plenty of examples also,

things like the Arabs Spring. You know, places in the world where you have people who are trying to enact change in a very harsh environment where if their activities were picked up on by official sources, government sources, state sponsored sources, they could face some serious consequences. And it's not necessarily the again, like you said, that they're doing anything nefarious, it's just they can't do it at all without fear of some form of consequence unless that can

remain secure. So you've got to figure out how do we make this secure. Also, we have to figure out how do we frame this in such a way where we also admit some people do use it for nefarious purposes. Oh, sure, of course. I mean there are plenty of people out there who are going to use this kind of anonymous connection in order to conduct illegal or otherwise illicit activities. We've talked about some of them in previous episodes, in fact,

and we'll mention some more as we go along. So again, it's one of those things where you would probably argue that it's a relatively small percentage of the population using it for these purposes, but they're the ones who get the most press, uh, and so therefore it kind of creates this public perception that people who use tour are

up to something. Also, you know, we mentioned the fact that in a normal Internet communication, the you know what, what amounts to the the address on the label is perfectly visible because it needs to be so that it can route across gets to the place it's gone. Yeah, and Tour they had to figure out a way around that so that you could have it be ob you skated, so that if someone were to snoop in on communication, they would not be able to determine what the origin

nor destination were. And that is pretty amazing stuff because you gotta you gotta figure out a way of implementing that where it can still work, Like, how do you disguise the address and still hope that it gets to where it's going, Because if we did that to the to the US Postal Service, our stuff would never get anywhere. And it wouldn't be their fault either, because you just wouldn't be following the rules. Oh sure, Yeah, if you don't write your address on something, then how does it

get to that place? So here's another funny thing, Lauren, Um, who was it that came up with this whole tour idea? I mean it must have been like, um, like hackers, you know at def con convention, who all got together and so we don't want the government looking in on

our stuff, right, you know? It was the government. It was the it was it was the U. S. Naval Research Laboratory UM back in back in actually, which makes it extra hilarious that that the n s A has kind of been trying to crack trying to crack it because you've got a government agency doing its best to figure out how to intercept information that goes across a tour network, and another government US government entity that's responsible

in large part for the creation for its creation and furthermore, other governmental agencies that are responsible for funding it. As of one point two four million dollars, half of tours revenue UH came from government grants, including a large part

from the Department of Defense. So this is an example of two different parts of the United States government working at odds against each other, one part saying this is absolutely necessary for us to be able to operate in a secure way, and the other part saying, we want to be able to see what's going on here. So so so yeah. But but this all got its start back with the U. S. Navy and UM. It was part of an onion rooting project. Routing project, Yeah, rooting.

If you're in England, it's routing. Here in the US, it's usually routing either way. Why would you even call it an onion It's because it relies upon quote a layered object to direct the construction of an anonymous, bidirectional real time virtual circuit between two communicating parties and initiator and responder. And that's as clear as day. Yeah, we can just end the podcast now, guys, don't worry. We're going to explain the whole layered thing a little bit

later on. So we will. We will make sure that you understand why an onion It's actually a pretty clever way to describe what's going on. But the project had specific goals to research and develop and build anonymous communication systems, to analyze other anonymous communications systems, and to create low latency Internet based systems that resisted traffic analysis, eavesdropping, at other attacks from outsiders as an Internet routers or insiders as an onion routing servers. I have more to say

about the secrets of tour. The deep Web got a lot of layers to peel off that onion. But before we get to that, let's take a quick break. So the ideal was to create some form of distributed system where you could have two parties communicating with one another and no one would be able to know that those

two parties were in communication. They would know the communication is going on because traffic is moving across the network, but because of the network's design, they would have no way of knowing what to end parties were actually communicating

with one another. Because, just as we were saying with that snoop, even if you can't see what the information itself is, just knowing who is talking to whom gives you a lot of info right because of this, and funnily enough, the Navy actually had to step back from the project in order to make it actually useful because

the network needs to be open, right. Um. So, I mean if if you know, if you can see that everything is coming through, if if only the Navy used it, then you would know whenever communication was happening that the Navy was communicating with people like you would. You would have limited the number of people that could possibly be the ones communicating by making it open and say this

is a playground where everyone can come in. Suddenly you can't tell who's communicating with whom because there's so many's too much noise and not in the traffic, right. Um. So, the project incorporated as a nonprofit in two thousand six, and it currently depends a whole lot on crowdsourcing. UM. There are only nine full time tour employees as of

this podcast, which we are recording on April. By the way, um and uh, the rest of the development is spread across dozens of part time assistants and hundreds of volunteers. The code is open source, which actually makes it harder to mess with. Um. You know, like if someone say, say the n s A tried to create a vulnerability deliberately, then anyone could catch it, right, Yeah, it's not like

it's hidden the way behind closed doors. In that way, it gets overlooked and you suddenly have this back door entrance into the Tour network. No, it's it's it's much more likely for someone to catch it if lots of people are looking. Yeah exactly. Yeah, you've got lots of people checking on it all the time. So it's actually more secure by being in plain sight in that way. So here's how it used to work. Because you know, I mentioned that tour was had an onion in the oh,

but it doesn't really involve onions anymore. And then we've mentioned onions. Yeah, so yeah, so we're gonna we're gonna go back to how it worked originally because the way it works now is not that much different, but it doesn't involve the onion metaphor anymore. So, first of all, to achieve anonymity, the Tour Network uses something called privoxy filters, which prevent client information from reaching servers. So this means

that a client, you know, that's that's your computer. When you are trying to access anything, Let's say you're using your your browser to access your email, because I love that example. It's easy one. So your your computer is the client. It's sending a request to another computer. It's asking for data from this computer that hosts the the

email service that you use, and that is called the server. Now, normally the server receives information that can identify the client, so you have some sort of address that identifies this is the machine that's asking for that information. So then the server knows exactly who it's talking to. Well, privoxy filters prevent that from happening, so it's possible for a client's identity to remain unknown to the server and also to the rest of the network as these requests go

across the network. Also, one of the other things that has and we'll talk more about this in a bit, is the ability to create hidden services. But you know, I'm not going to spoil that because the discussion we have later on will really kind of bring that to light and it will make much more sense after we talk about exactly how this communication occurs. Yes, so it's possible to use onion routing software to send information completely anonymously.

In other words, you could use it so that you could send an anonymous message to someone else, they would not know the identity of that person. But that's not the purpose of tour. The purpose, like I said before,

is to allow anonymous channels of communication. So you and the person with whom you're communicating know each other's identity, but nobody else does, right, So this allows you to have that honest, open expression of information without fear of someone else snooping in on you or any other consequences apart from whatever consequences come from just that communication between two parties. If you tell someone that they dressed like a slab, there's going to be consequences. What I'm saying

doesn't have to be someone snooping in on you. Good point. I get that a lot. Uh. So it uses proxy servers, and a proxy server acts as an intermediary between a client and some other server. So you can kind of think of it as this is the go between. So if I were to send a request to get my email, but I wanted to go through a proxy server, I

would log into the proxy server. The proxy server would then send my request onto the email server, and from the email servers perspective, it looked like the proxy server was the origin of that request, it isn't able to see back to exactly there's a hop missing there. So that's really important in this. And uh, the communication part is the tricky part. Like I said, So you've got this information, it's passing between nodes or little routers within

the tour network. Okay, so think of these nodes as rest stops between the client, the sender, and the recipient the server. Right. Each node only knows the identity of the node before it and the node after it, right, So uh, and the note before it and after it completely is dependent upon when you're sending the message, because you're you're going to create new pathways every time you create a connection, so it's not like you have a set path each time. It's like the Internet. It's very flexible.

So when you send a message, and let's say it's going through letters A through G, we're just designating these nodes as A through G and for some reason it's going into a B, C, D, E F G order. So node D only knows about nodes C and E. The information came from C. It knows it has to send the information onto E. It has no awareness of a B or you know, effor G. So that's it. And that means that if you were to intercept information passing between two nodes, you would just know which note

it came from and which node it went to. You wouldn't know the actual person who sent it, nor would you know the person to whom it went. Ultimately, on top of that, the nodes encrypt the communication as it's passed along. Yes, and this is where you get that layer and layer and layer of encryption. And because there's so many layers of encryption, well, what else has lots of layers? An onion? I was going to think of

Game of Thrones, but yes, Onion is right. Onion is exactly the thing that they went with because Game of Thrones really wasn't that popular. Also, it's proprietary. I mean, you know, yeah, that probably would have George R. Martin gotten a little upset about that. But yeah, so so Onion is in fact what they went with because there's so many different layers of encryption. Still a little bit more to talk about with the secrets of tour in the Deep Web, but before we get to that, let's

take another quick break. Okay, so here's my example, and I think it's a doozy of an example. Because it's completely believable. I decided to use as an example two of our beloved co workers here at how stuff works. Uh And when you start thinking to yourself, who would be so paranoid that they would need an incredibly secure communication process? Two names leap to mind from the shadows and then back into the shadows, because that's where they belong.

One of them wearing a gremlin mask. Yeah, and maybe a fedora on top of it. It's not a fedora, I know, Ben Dora. No, it's a trill Bey, I'm going to call it a fedora anyway. So Ben Bolan and Matt Frederick so stuff they don't want you to know hosts. Yes, and if you've never ever listened to that show, go check it out. Watched the show. Yeah, that's great. So so let's say that Ben wants to contact Matt and he wants the communication to be secure, so he sends it across the Tour network using this

freely available software. He's got the Tour bundle installed and he sends the message along. So here's what happens. Ben would contact a proxy server on the TORN network. Now, that proxy server would then determine the route of nodes or the number of hops that it will take to get from the proxy server to Matt's computer. So for argument's sake, let's say again that it's just uh five nodes, So it's a B, C, D E. Those are the

Those are the nodes that it's going to go through. Now, each hop becomes an encryption layer on this onion, and the core of the onion is Ben's original message to Matt, So that's the very center. Now Ben's proxy server starts to construct layers of encryption based upon the path that this onion is going to take journeying from the proxy server all the way to Matt's computer, and the innermost layer will be the encryption for Matt's proxy. Yes, so the next layer out would be the node just before

it gets to Matt's proxy. The next layer out would be the node before that, and so on and so forth until you got to the first node that the proxy server sends this onion onto. Now, every time the onion travels to a new node, it decrypts that layer. The corresponding layer strips of encryption. Yeah, so that that layer of the onion gets pulled away, and that's how

the node knows where to send it onto. Next, so proxy service sends it on to node A. Note A strips away that encryption and sees that needs to send it on to Node B. Node B gets this onion. Now Node BE only knows that Note A set the onion, doesn't know where the onion originally came from, and it decrypts that. Next layer strips it free UH, finds the identification of Notes C and send it along. Yep. Node C doesn't know about Node A, just notes knows about Node B, so so on and so forth till it

gets to Matt. By the time it gets to Matt, all those layers of encryption have been stripped away and that can actually read what the messages. Therefore, anyone who's trying to analyze all of this traffic would would just see a message passing between two seemingly random routers with with no way of knowing either where that information came from or what the ultimate destination is. Yep. And because you've encrypted it so many times, they probably can't even

tell what the information. They can't read it, they don't know where it's going. They're in the dark. So to them, it's just all they know is that traffic is going across this network, but they don't have any way of deriving meaning from that. Now, once Matt's proxy receives that onion, a virtual circuit forms along the notes. Think of it as like a temporary pathway that solidifies between uh Ben's proxy and that's final computer, and it allows for encryption

to pass both ways. So you have two different kinds of encryption. You've got one kind whenever Ben sends a message to Matt, and essentially you have the inverse of that when Matt sends it to Ben. So unless you have the key to that encryption, you can't figure out

what's going on either. So it's it's pretty secure or now there are some la Mainly we're talking about vulnerabilities when you send it from your computer to that proxy server and when that last proxy sends it to the destination, because this is when you don't have the protection of the network itself. It's when it's you can think of it as the information is leaving the network to get

to wherever it's going or entering. Yeah, and again, if you're using a browser that still has certain things enabled like Flash or Java, then you may end up having sending along some information that people could identify you on based on that, but within the network itself, it's incredibly secure, right And and so this, this circuit that that you've created, well will last as long as both parties want it to.

You can you can send a command to collapse it at the end of your session, you say destroy, and it collapses. This uh, this virtual circuit, and then if you wanted to create a new one, you could, and it would be a new virtual circuit, probably taking a totally different hathway through the nodes. And you know, I made the example of ABC D E that kind of stuff, but really, you know, it could be any order. You know, it's it's and it will be any order, right, that's all.

That's one of the whole points because if it were the same pathway each time, then you would ultimately be able to determine who sent it and who it went to. So it has to be uh, you know. And of course, the more the more routers you have available, the more of these relay nodes you have, the more secure the

communication becomes, so that's also really important. Then there's also a concept called loose routing, which adds another layer of security on this because like I said, you know, you ultimately you have these proxies that no way more information than all the nodes do. They have to in order to be able to make that layer of encryption and have this onion pass from one spot to the next. So one thing you could do with loose routing is that the proxy ends up sending the onion on to

the first node. But that's all the proxy knows about the probably and then the first nodes responsibility is to create the rest of that pathway. So even that first stop isn't aware of where, how, what path it's gonna take to get to its destination. It just knows this is the first step of that path, but beyond that, I don't know. So it adds another layer of security

to it that way. Now, again, if you were able to target that first node, you might be able to figure some stuff out, but really you just know that it came from a proxy. You wouldn't know who sent the information to the proxy in the first place. But yeah, so we've got these these endpoints that have some vulnerabilities, but other than that, it's it's pretty secure. Uh, I've got to We've got a great little bit about how secure it is, and a little in just a little while.

But today nodes or relays within the system still don't know the origin or ultimate destination of information, and you still create virtual circuits between the initiator and the recipient for encrypted anonymous channels. But there's no more use of this onion metaphor. I mean, it's not it's not the same implementation. You get the same result, but it's a different implementation that does it. But it's this, you know,

it's following a lot of the same philosophies. And you've got a Tour directory that keeps track of all the available nodes that are on the system at any given moment. As of January, there were about five thousand computers around the world operated by those volunteers that I mentioned serving

as potential nodes in this system. Right, And when you send a message to a recipient across the Tour network, your tour browser or whatever consults this directory, which then gives it a route of nodes, and then you can send the encrypted information across and each node further encrypt the message again and only knows the note immediately before and after, kind of like the previous version we just

talked about. So it's not that different. It's just this whole layer metaphor is kind of no longer as accurate. But um, yeah. One thing you've got to remember is that because you've got this extra layer of encryption going on and it's purposefully obvious, skating the the origin by hopping around a lot, communication is not as quick, right.

It's going to take a longer necessarily, So if you're using tour in order to send instant messages, your definition of instant maybe a little different than what it normally would be. It may just be pretty darn quick, but not as instant as this other method. Yeah. Um. Furthermore, it is not the most secure thing that you can do. No. I actually read a great article on the best way of using tour as as part of an approach to securely using the Internet and maintaining your anonymity, and I

thought about including it in this podcast. I really did, guys. I was gonna go all into the tips this guy had, and then I realized that it was so in depth and there was so much to keep tak into consideration that really we could just do a full podcast just on that, and perhaps in the future we will. If you guys in particular, want to know. Seriously, I want to be as anonymous and secure as possible. Tell me what I need to do. Well, we'll we'll give you podcast.

We should we should do that episode. UM, I'll tell you right now. It's crazy, but but right because because even if you're using the most recent version of Tour I mean, which, as we have just detailed, is an incredibly uh complex and encrypted process, a determined party could exploit vulnerabilities and Firefox itself, which which Tour is based in. UM, it could attempt to set up monitoring nodes in the network, or it could just methodically work on key decryption in

order to spy on your activities so stuff can still happen. Yeah, we'll think about doing a full security episode. I mean, I kind of think we'll have to pull Ben in for that one. Oh, that would be great. We should totally do more classovers. We'll we'll see if we can get Ben to be available for an episode where we really talk about and you know it's going to sound paranoid and crazy, but the thing is technology in order for it to work, UH needs to have certain information

so I can allow you to have this communication. But because it needs that certain information. It means at your anonymity is at risk, so you've got to do these kind of crazy things. Also they're wacky bugs like heartbled Yeah actually, um okay, go ahead and mention this so

heart bleed. If you listen to our previous episode, we talked all about this vulnerability that was an open SSL versions one point zero point one through one point zero point one f and UH and how that ended up meaning that people who use the heartbeat method could get access to encryption keys and thus see everything that's going

across the server. So you might wonder does this work on the tour network, this crazy relay node network, And the short answer is, technically it works, but it doesn't help anybody out because even if you were to see the information moving across a node, it still has multiple

layers of encryption, so it's not as vulnerable. Vulnerable, Yeah, although I mean toward toward being toward did say that you know, if you if you only want to be secure, you might just want to stay off the internet for a few days, right, And they did say that they had planned on rolling out patches of the open ssl UH software because the upgrade the newest patch does patch that vulnerability. So they are going to be fixing up

those nodes over time anyway. In fact, by the time this podcast comes out, most of them may already be addressed. But yeah they said that, Um that worst case scenario, you're probably still pretty okay, you know in the grand scheme of things. That herd bleed story was a real eye opener. Yeah. Then we have the other thing we alluded to earlier, oh right, hidden services, and that's where that dark net or deep web kind of thing comes in.

Um okay. So, so tour also provides a way to to offer up access to a server or to run an entire service without revealing your IP addressed to your users and from behind a firewall. Um, sites and services set up like this are are off the beaten Internet path. You can't even find them using Google or other web searches. You have to be using tour in order to find them. And um they're they're all using what's called the dot Onion extension because onions. Um okay. So, so basically how

this works. The hidden service has a public to tour listing, and so when a client wants to access that service, the client sets up a rendezvous node and sends along an access request via the usual tour encryption routing process UM through a random introduction node that the service has set up UM, and then the client and service can contact each other through that rendezvous node, again using the usual tour circuits UM. It's it's like the introduction and

the rendezvous nodes are translators, right. It protects the service and the client because neither knows where the other is. That the translators are the recipients for each party's communications. And so this this deep web or darknet hosts law of different stuff, some things that are definitely in the nefarious category, like the Silk Road, although Silk Road still has some legit. Sure of the stuff that was on

Silk Road was completely legal, the other not so much. Yeah, so a silk Road, of course that got shut down, but it existed on tour and this kind of hidden web because you know, you wouldn't want it to be easily accessible, uh, and then everything would come crashing down, you know, ultimately came crashing down anyway, but it was hidden better than just sitting there and on the web. So yeah, that's that's definitely one of the other issues.

And again there are other things that are on this deep net, this this dark net or rather or deep web that again not nefarious at all. They have very legitimate purposes for existing. It's completely legal, but it's also designed in such a way as to protect the identity

of the people who need to use the services. So it again, just because we have some really high profile examples of naughtiness doesn't mean that the entire network is naughty, just like there are other services that people have used where some people are using it in order to get like illegal downloads of whatever content they want, but most

people aren't. A lot of the focuses on the people who are the pirates, and thus the entire service gets painted as yeah, yeah, it's I I read a really great quote and I don't have it open right now, and um. Bloomberg business Week did a really great article in January about about tour in general and the kids who are running it and all that kind of stuff, and uh, the the example that I think they used was that, you know, you don't hear about someone who's

stalker couldn't find them. You you hear about the kid who got drugs or the child porn rang or something, right, Right, So you know, there are some very very the Navy wouldn't have been interested in making this uh in order just to have crime happened, because as low as your opinion of the Davy, maybe depending on if you're a

Marine or not, it's it's really not in that business. No. But but certainly the fact that this kind of illegal activity can go on means that it attracts attention from, for example, the n s A. Yes, uh, I love the stories about the n s A and Tour because they're both infuriating and funny at the same time. So infuriating in that uh, the n s A has attempted.

We know the n s A has attempted to try and crack because some of those slides that have come out from Standon's League as specifically mentioned Tour yep and UH. One of the documents within the n s A is titled Tour Stinks. And the reason they say Tour stinks is because it's so gosh darn't hard to figure out

what information is within the Tour network. Now, they do note that if you are able to target those points where information is coming into the network are coming out of the network, then you are more likely to be able to determine what is going on and who was

talking to whom. But if it's within the network itself, there's no report that has leaked so far that has indicated the NSA has been able to crack that, which has not stopped a whole lot of theorists from saying that they have totally cracked it, and that the reports saying that they haven't cracked it are just so that people feel, yeah, that they people will feel a false sense of security using Tour. Here's the thing about conspiracy theories, and again, I wish we had been on here right now.

Uh you know, you can. You can have a lack of evidence and that becomes evidence, or if you have a denial, then that becomes hard evidence. You know. So I I think, I really do think, because I don't think the n s A ever intended for all the information to leak out based upon I don't know everything that's happened since then. Uh so I'm pretty willing to believe that they have not yet cracked how to get look at information in a meaningful way on the Tour

network itself. In general, I would say that Tour seems for many purposes pretty secure. Now keep in mind you still have to uh practice good internet security on your own, even if you're using tour. UH And like I said, well, maybe we'll do a full episode on that. If you're interested in that, let's no because you know maybe that our listeners are thinking, wow, they did a heart bleed episode in a tour episode. Go back to talking about Nintendo and that wraps up this classic episode from hope

you enjoyed it. If you have any topics that you think I should tackle for future episodes of tech Stuff, or maybe there's one that you've listened to and you think that really needs an update it's seriously overdue. Let me know the best way to do that is over on Twitter. The handle I use is tech stuff hs W and I'll talk to you again really soon. Tech

Stuff is an I Heart Radio production. For more podcasts from I Heart Radio, visit the i Heart Radio app, Apple Podcasts, or wherever you listen to your favorite shows.