Last month, Swedish security specialist Dan Egerstad exposed the passwords and login information for 100 e-mail accounts on embassy and government servers. In a blog entry today, Egerstad disclosed his methodology. He collected the information by running a specialized packet sniffer on five Tor exit nodes operated by his organization, Deranged Security.

Tor is an onion routing service that facilitates anonymous Internet communication. Originally developed by the US Naval Research Laboratory and formerly funded by the Electronic Frontier Foundation, Tor is designed to protect users from traffic analysis and other kinds of network surveillance. It works by relaying connections through a series of distributed network servers. When a Tor user visits a web site, the IP address detected and logged by that site will be the IP address of one of the Tor nodes rather than that of the actual user. This makes it possible for users to obscure their identity under certain circumstances.

Unfortunately, many Tor users do not realize that all of their network traffic is being exposed to Tor exit nodes. Tor users who do not use encryption are broadly exposing themselves to identity theft. Egerstad was originally doing a study on e-mail encryption, but during the course of the research project, he decided to create the packet sniffer and expose sensitive e-mail login data in order to increase awareness of the fact that Tor exposes sensitive information when not used with encryption.
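The following sketch is an added illustration, not code from Egerstad or the Tor project. It models a three-relay circuit with a toy SHA-256 keystream cipher standing in for Tor's real relay encryption, and shows what each relay can read once it strips its own layer. The keys, relay names and login line are constructed.

```python
import hashlib

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        pad = hashlib.sha256(key + offset.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[offset:offset + 32], pad))
    return bytes(out)

# Constructed per-hop keys that the client shares with each relay on its circuit.
HOP_KEYS = {"guard": b"k-guard", "middle": b"k-middle", "exit": b"k-exit"}
CIRCUIT = ["guard", "middle", "exit"]

# Constructed mail login line, and a key standing in for an end-to-end
# encrypted session (such as TLS) between the client and the mail server.
LOGIN = b"a1 LOGIN user@mail.example constructed-password"
E2E_KEY = b"k-client-mailserver"

def client_wrap(payload: bytes) -> bytes:
    """The client adds one layer per relay; the innermost layer is the exit's."""
    cell = payload
    for hop in reversed(CIRCUIT):
        cell = xor_stream(HOP_KEYS[hop], cell)
    return cell

def relay_views(cell: bytes) -> dict:
    """Each relay strips its own layer; record what remains visible to it."""
    views = {}
    for hop in CIRCUIT:
        cell = xor_stream(HOP_KEYS[hop], cell)
        views[hop] = cell
    return views

def what_each_relay_sees(use_e2e: bool) -> dict:
    """Map each relay to True if the login line is readable at that hop."""
    payload = xor_stream(E2E_KEY, LOGIN) if use_e2e else LOGIN
    return {hop: LOGIN in seen
            for hop, seen in relay_views(client_wrap(payload)).items()}

if __name__ == "__main__":
    print("plaintext login:", what_each_relay_sees(use_e2e=False))
    print("end-to-end encrypted:", what_each_relay_sees(use_e2e=True))
```

The circuit's layers end at the exit relay, so only encryption between the client and the destination server keeps the login unreadable there.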

Egerstad believed that privately disclosing his findings to the organizations whose passwords he obtained would not convince them to change their practices. He also knew that it was only a matter of time before others with malicious intent would perform the same kind of experiment, so he felt that broad public disclosure was the only way he could generate enough attention to force people to think about the problem.

"Experience tells me that even if I would contact everyone on this list most are not going to listen," Egerstad wrote when he released the login information last month. "So f*** it! Here is everything you need to read classified email and f*** up some serious International business. Hopefully this will put light on the security problems that are never talked about and get at least this fixed with a speed that you never seen your government work before. As a Swedish citizen I can't give this information to anyone without getting into trouble, so instead I'm giving it to everyone."

After Egerstad publicly released the information, his site was taken down at the request of US law enforcement officials. After it was brought back earlier this week, Egerstad expressed frustration and pointed out that the information was already spreading across the Internet. Taking down Egerstad's site only served to silence his message about security and did not prevent dissemination of the sensitive data. "I've seen people saying that the US would be angry now that we forced foreign countries to tighten their security so NSA or whatever can't read their secrets any longer. To me it sounds like bulls*** taken out of a bad book but after this silly little stunt I'm reconsidering. Is there any reason you DO NOT want people to secure their systems?" asked Egerstad.

According to Egerstad, the information disclosed is only a fraction of what he collected. He continues to argue that the responsibility for exposing the login information rests on the organizations that failed to use encryption and that he simply drew attention to information that was essentially already public. "ToR isn't the problem, just use it for what it's made for," Egerstad notes. "[The system administrators for the organizations whose passwords were exposed] are responsible for giving away their own countries secrets to foreigners. I can't call it a mistake, this is pure stupidity and not forgivable!"

Egerstad also points out that very little is known about the intentions and activity of other Tor exit node operators, some of whom are already known to be associated with malicious hacker groups and foreign governments.