The Dark Web Shouldn’t Be Necessary for Security

By Dr. Muhammad Malik
InfoSec Leader & Editor-in-Chief, Information Security Buzz | Nov 16, 2014 05:03 pm PST

With growing privacy and security issues, Dark Web networks such as Tor are becoming more popular. In your opinion, what are the main issues with Tor, and what does the future hold for the Dark Web?

The main issues with TOR, as I see it, are:

– TOR is both funded by (at least initially) and attacked by the USG. Can it be trusted to not be fundamentally broken?
– People trust and/or depend on TOR’s inherent security, but it isn’t perfect. (Yet? Ever will be?)
– TOR / Dark Web networks should not be a necessity to use for so many people. We need to fight for our basic rights.
– People use TOR for its privacy/security but fail at (basic) OPSEC while employing it.

As we’ve come to learn, for decades three-letter agencies have been investing significant resources into their ability to spy on everything at will. It would not be too far a stretch to imagine the reason for funding TOR initially was hidden from public sight. To speculate a little, this reason could have been: “Let’s create a haven of safety for would-be bad guys, knowing they will go there and use it, but unbeknownst to them, we will at all times retain the ability to monitor everything going on.”

Conspiracy theories aside, people trust and depend on TOR to work. As this week’s huge Dark Web busts by LEA worldwide demonstrate, it’s possible–maybe even simple–to catch the bad guys on the Dark Web. Which is just perfect and is as it should be. We need law enforcement to be able to stop the guys breaking the law. Consistently. We also need those good guys, those individuals who depend on secrecy and privacy to keep them safe from abusive surveillance regimes, to be able to stay safe. Can they do this with TOR as it is now? With security tools in general being of a level below what they should be, in both security and usability? I do not think so.

In either case, it shouldn’t be necessary for people in general to have to depend on Dark Web services for anonymity, security and privacy, at least in the parts of the world where we profess to support these ideals. It just simply shouldn’t. We have to enact changes in legislation in the Western world to limit the potential for and ongoing instances of abuse. (Along these lines, we should probably stop using the worn-out old “#BecauseTerrorism” for every abuse we authorize, ignore, or simply don’t know about.)

We also need to make security as a concept better on the meta-level. There shouldn’t be any need to be an OPSEC expert to be able to have a reasonable expectation of security and privacy online. We need to build our devices and software securely by default, and we need to somehow enforce this. Not many of us question the fact that big pharma have to test drugs before marketing them. Why don’t we hold Apple, Microsoft, and others to the same standards?