25 tbreg relays in directory

punkle jones punkle.jones at gmail.com
Mon Jun 29 14:19:21 UTC 2009


Unlurking for the first time, I think.

Why not join forces with a popular freeware/shareware product like Aim or
Winamp, with an "uncheck to opt out" option and a description of tor?  Such
a bundle could be preset to relay, and there's got to be a magic bandwidth
that most western users could tolerate.  Is it ethically wrong to insert TOR
into the userspace of the less-informed by associating it with a popular
(hopefully not unsavory) download?  Does this concept fly in the face of
free will?  Is it just too sneaky?  It's not like you'd be putting five new
toolbars into their browser.



On Mon, Jun 29, 2009 at 8:13 AM, Jim McClanahan <jimmymac at copper.net> wrote:

> Scott, when I did a "reply" on your email, it (tried to) send it to your
> personal email account rather than the list.
>
> ------
>
> Scott Bennett wrote:
> >
> >      On Mon, 29 Jun 2009 05:14:25 -0600 Jim McClanahan <jimmymac at copper.net>
> > wrote:
> > >Scott Bennett wrote:
> > >
> > >>      Ouch.  This provides another example in support of having a way
> > >> for the directory authorities to render insecure versions ...
> > >> and only usable as clients to connect to the tor project's web site to
> > >> download a current version of tor.
> > >
> > >This kind of thinking baffles me.  It seems diametrically opposed to the
> > >notion of free software.  I could understand if the outdated client was
> >
> >      How so?  It's still free of charge, freely available, and freely
> > modifiable and redistributable.  (GPL3-licensed software doesn't
> > qualify, IMO.)
>
> I did not mean it was not technically free software.  The license
> takes care of that.  My meaning is that the goal is to restrict people
> rather than to grant freedom.  It is an issue of perspective rather than
> license technicalities.  I probably could have phrased it better.
>
> (I happen to like, to the extent I understand it, GPLv3.  But I don't
> see how it is relevant to this discussion and I don't know why it was
> injected into it.)
>
> >
> > >endangering the Tor network (which was discussed in the portion of the
> > >comment I skipped over with the ellipsis).  And I would have no problem
> >
> >      Insecure relays endanger the network
>
> That is why I inserted the ellipsis and made the parenthetical comment
> about it.  I am not arguing against neutralizing insecure relays.  The
> danger to the network is perfect justification IMO.
>
> > Insecure clients installed
> > virally onto systems without notice to the users endanger those users.
>
> It's not like the clients ended up there on their own w/o the consent of
> the user or owner.  Trying to enforce a policy on people when those
> people are not harming others reeks (IMO) of unsavory things like police
> states and nanny states.  I am opposed.  It is personal perspective, not
> technical argument.  Obviously, it is technically possible to do what
> you describe.  And because of the free license, it is technically
> possible and legally permissible for people to undo those changes on
> their copies of the software.  It is also possible for the software to
> lie to the network about what it is.  But as I stated, this attitude of
> trying to coerce other people baffles me.  I am not saying nobody does
> it.  The world is full of tyrants.
>
> Just to flesh out my view a little more, I would have no problem with a
> configuration option that says "allow the tor network to nearly disable
> this client at <somebody's> discretion."  As long as it could be
> disabled.  But I really wonder why Tor developers would be interested in
> spending the time to implement such a thing.
>
> >
> > >with a friendly advisory as long as it wasn't incessant nagware that
> > >couldn't be disabled.  But I don't understand the desire to dictate to
> >
> >      I don't think the current log messages are so influential as all that.
> > Just take a look at the current consensus. :-(
> >
> > >people or some nanny viewpoint of trying to save people from
> > >themselves.  (Before somebody makes an argument of keeping the Internet
> > >free of compromised machines, I rather imagine the number of machines
> > >compromised because of Tor software would be lost in the statistical
> >
> >      Again, when the software is installed by stealth onto the machines
> > of unsuspecting users, then the probability on each user's machine becomes
> > 100%.  In other words, the number of machines w.r.t. the user is 1 out of 1,
> > a ratio that cannot be considered "lost in the noise" for that user.
>
> By stealth???  If that is really so, I guess you could try to make the
> same argument about *any* free software that somebody decided to turn
> into malware.  But I am still unconvinced the people who installed
> didn't know they were installing something.
>
> > >noise of all the other ways machines get compromised.  And I don't think
> > >the unsavory purpose these "tbreg" instances are put to is a relevant
> > >factor.)
> > >
> >      How so?  I note that you deleted all the relevant context in your reply.
>
> I did not reproduce Pei Hanru's email in its entirety because I did not
> see it as necessary.  Or particularly relevant for this discussion.  As
> I stated, "I don't think the unsavory purpose these 'tbreg' instances
> are put to is a relevant factor."  The unsavory purpose I referred to
> and perhaps what you call "relevant context" is the fact that Tor was
> part of software sold to (for the purpose of) (quoting Pei Hanru)
> "automatically register large number of TaoBao accounts." It is my
> opinion (yes, once again, *opinion*) that the fact that an unscrupulous
> person (or group of people) used the free software in question in a
> manner that *might* be analogous to certain freeware (*not* free
> software) actually being a trojan, i.e. malware that arguably was
> installed "by stealth," is not justification for taking a tyrannical
> attitude toward the users of said free software, in this case, Tor.
>
> If there is "relevant context" that is eluding me, please inform me
> about it.
>
> BTW, if the person/group/company which sold the software Pei Hanru
> referred to violated the license Tor is released under, I have no
> problems with people seeking legal redress.  It is just what I view as a
> tyrannical attitude toward users that I find abhorrent.
>
> Lest I again be accused of not providing relevant context, here is what
> I take to be the (arguably) relevant (for the discussion of disabling
> software against a user's wish) part of Pei Hanru's email.  Please
> inform me if I am still missing the context to which you refer:
>
> On Sun, 28 Jun 2009 12:09:25 UTC, Pei Hanru wrote:
>
> > The short answer is, someone is making use of Tor to do nasty things,
> > and all "tbreg"s aren't aware they are running Tor relays.
> >
> > The long answer.
> >
> > "tbreg" stands for "TaoBao REGistrar".  TaoBao is an eBay-like website
> > in China. Some sellers want to quickly increase their reputations
> > (so-called refresh) in order to attract more buyers. The first thing
> > for them is to register multiple accounts. However, TaoBao is rigorous
> > on this, a single IP is only allowed to register one or two accounts.
> > So, someone realizes this need and begins to sell software which
> > automatically register large number of TaoBao accounts. Tor, together
> > with Privoxy are used as an HTTP proxy to bypass the IP restriction. For
> > some reason I don't understand, this software will run Tor as a relay.
>
> BTW, I have already thanked Pei Hanru in a different email for tracking
> this down.  Nothing I have said in this email should in any way be
> construed as critical of Pei Hanru.  I appreciate the effort in tracking
> this down and posting the results to the mailing list.
>



-- 
Punkle Jones  // cDc/NSF NON-31337 humanoid