How Safe is Tor for Journalists?

[ContentWriter]

I am impressed by the technical expertise of members in this forum, especially the Bitcoin Technical and Mining sections. There's an issue I've been grappling with: Tor use in news reports.

I have been using Tor and learning from Reddit how to be adept at its use, but I'm a bit skeptical about its safety. How do journalists who report corruption in government circles effectively evade detection through Tor? How can I be sure that the other reporter at the other end isn't a government agent? How sure am I that they somehow can't track my location through any of the Tor nodes? I always use Tor with virtual machine and Tails. Any new suggestions from here are welcomed.

[mocacinno]

I am impressed by the technical expertise of members in this forum, especially the Bitcoin Technical and Mining sections. There's an issue I've been grappling with: Tor use in news reports.

I have been using Tor and learning from Reddit how to be adept at its use, but I'm a bit skeptical about its safety. How do journalists who report corruption in government circles effectively evade detection through Tor? How can I be sure that the other reporter at the other end isn't a government agent? Any suggestions from here are welcomed.

What you're asking is basically the technical datasheet of the tor protocol... There are dozens of sites that guide you trough this... For example, wikipedia is already a good source to start from: https://en.wikipedia.org/wiki/Tor_(network)#Operation

But, basically, they use "onion routing". A very simplified explanation would be that when you send a very simple package over tor, 3 nodes are randomly selected (an entry node, a middle node and an exit node). Your client adds 3 layers of encryption to your package. Each layer can only be decrypted by the correct node... So basically, let's say you send the package <test>. It gets encrypted in such a way: encryption_entry_node(encryption_middle_node(encryption_exit_node(<test>))). Each node only knows the next node in the path. So the entry node knows your ip and the address of the middle node. The middle node knows the entry node and the exit node. The exit node knows the middle node and the ip of the receiver.

Is it 100% safe... Nothing is 100% safe... The more random nodes, the safer i guess... But if every node in your path is compromised by the same actor, they can connect you to your surfing habits....
Then there's hidden services, those websites with a .onion domain... In these cases, you don't use an exit node... But onion routing is also used to "meet" the hidden service somewhere in the onion network. You don't connect to the hidden service directly, the hidden service doesn't know you, you don't know the hidden service (well, you don't know where it's located... obviously you do know the uri).

Last but not least, most people that get compromised when using tor are compromised due to lacking opsec... Things like re-using monikers, bragging, spending ill-gotten gains,...

[Lucius]

~snip~
Last but not least, most people that get compromised when using tor are compromised due to lacking opsec... Things like re-using monikers, bragging, spending ill-gotten gains,...

Can we say even if you have the best operational security when you use Tor some three letter agencies have the tools and resources with which they can detect anyone who happens to be their target?

I also read some articles about the advantages/disadvantages of using VPN + Tor, do you think it makes sense in terms of increasing security or does one more server just slow down the surfing speed even more?

[mocacinno]

Can we say even if you have the best operational security when you use Tor some three letter agencies have the tools and resources with which they can detect anyone who happens to be their target?

I think this is a safe assumption...

I also read some articles about the advantages/disadvantages of using VPN + Tor, do you think it makes sense in terms of increasing security or does one more server just slow down the surfing speed even more?

I have read similar articles in the past... Like you say, there are pro's and con's... Personally, i'm on the fence... VPN+Tor will add an extra layer of security, hiding the fact you're using tor from your ISP and hiding your real ip from the entry node. On the other hand, you have to trust your VPN provider  and the performance might degrade.

[kotajikikox]

Can we say even if you have the best operational security when you use Tor some three letter agencies have the tools and resources with which they can detect anyone who happens to be their target?

Tor and VPN add an extra layer of security and anonymity but we can’t conceal everything. For the agencies who have a target, they can do anything and will do everything to get to their target. Using additional layers of security will make it harder for these agencies but it would still be possible.

I also read some articles about the advantages/disadvantages of using VPN + Tor, do you think it makes sense in terms of increasing security or does one more server just slow down the surfing speed even more?

If you really value privacy and security then you have no choice because the usage of vpn and tor together decreases the speed with more and more layers added.