Building tracking system to nab Tor pedophiles

[Jason Edwards]

>> As suggested on IRC, I think
>> the Tor documentation strategy needs to be rethought. Most people
>> barely read the download page, let alone the reems of FAQ questions.
>>
>> We've had two "attacks" now on Tor that rely on unmasking users who
>> use Tor incorrectly. One of them actually published a paper and had
>> decent results at unmasking this way (mostly Asian users who probably
>> can't read our english mailinglist or english FAQ), and the media
>> still doesn't seem to understand that these attacks are well
>> documented.
>>
>> The Tor download page should have a concice "Things to know before
>> downloading" section that lists a few key points about the most easy
>> ways your identity can be revealed through Tor. Something like
>>  
>> Things to know before you download Tor:
>>  - Browser plugins can be made to reveal your IP. 
>>  - This includes Flash, Java, ActiveX and others. 
>>    - It is recommended that you use FireFox and install the extensions 
>>      NoScript, QuickJava, and FlashBlock to control this behavior if
>>      you must have these plugins installed for non-Tor usage.
>>  - Make sure your browser settings have a proxy listed for ALL
>>    protocols (including Gopher and FTP).
>>  - For further details, please consult the Tor FAQ.
>>
>>     
>
> I had advocated something similar some time ago. Actually what I proposed
> was that some sort of test server be set up. I know there are already
> many of them, but I was thinking that there could be testing stages
> in an install wizard (or a post-install testing wizard)
> that takes the user through various tests and what to do in response
> to results. I know a lot of work, maybe another suggestion to be
> listed on the volunteer page or a candidate for summer of code?
>
>   
As a new user (about a week now) and without much of a background, 
hopefully I can offer some insight.  The installation and documentation 
to get up and started is very helpful, especially the screen shots.  
However I am lost with Privoxy configuration, e-mail config (especially 
about the smtp port 465 in Thunderbird), and if.. how.. and when I need 
to  modify modify the torrc file.  I have  subscribed to all the lists 
and am doing my best to absorb the info. 

I usually learn new programs by futzing with them until I have learned 
the ins and outs. However, this is different because the learning curve 
could do some damage (stories of how Tor users were not protected).

My suggestions/responses to help protect green users like me from those 
who can take advantage of our lack of information are:

- A hold your hand walk through of add ons to Firefox and Thunderbird to 
be installed before attempting to use the programs ( just like the set 
info instructions, they were great)

- A few predefined configurations of Privoxy, Noscript etc. with a WALK 
THROUGH on how to access them, what they mean and how to tweak them in 
the future.

- The test server sounds like a great idea. I keep reading about things 
which break pages and reveal your identity but I have no idea if it is 
actually happening. Is there a way to set an alert which notifies the 
user that his/her anonymity has been compromised?

- Again, a list of IMPORTANT things you should not do is a great idea. I 
don't know if I can use another browser without privoxy etc installed 
after I have disconnected from Tor and wish to surf as I did previously. 
Is that bad? I am also pretty sure that I should not use any other 
programs which don't go through Tor while I am connected to Tor.  Is it 
ok to use them after I disconnect?

The takeaway from my rambling is that compromises to security and the 
networks reputation are going to come from users like me, not from a 
developer or experienced user.  To maintain integrity it is a good idea 
to devote time to developing better walk throughs regarding use after 
initial setup and to help new users  from hurting themselves or the 
reputation of the network.

Jay