[tor-talk] Tor and solidarity against online harassment

Jonathan Wilkes jancsika at yahoo.com
Sat Dec 13 21:57:16 UTC 2014


On 12/13/2014 03:04 PM, Mirimir wrote:
> On 12/13/2014 11:28 AM, Jonathan Wilkes wrote:
>> On 12/12/2014 02:20 PM, Roger Dingledine wrote:
>>> On Fri, Dec 12, 2014 at 03:23:42PM -0300, Juan wrote:
>>>>> You might like
>>>>> https://www.torproject.org/docs/faq#Backdoor
>>>>>
>>>>> We won't put backdoors in Tor. Ever.
>>>>      LOL!
>>>>
>>>>      You work for the pentagon and are subjects of the US state.
>>>>
>>>>      The US government has secret 'courts'  and secretly forces its
>>>>      subjects to tamper with all kinds of 'security'  systems, in the
>>>>      name of 'national security'.
>>>>
>>>>      Whatever public declamations you make carry very little weight.
>>> Hello Mr. Tor hater,
>>>
>>> We get funding from a variety of groups, including US government groups.
>>> We do not "work for the pentagon" but that is a separate discussion and
>>> it shouldn't derail this one.
>> Hi Roger,
>> I'm afraid you're going to continue to hit up against this criticism for
>> the foreseeable future, for the following reasons:
>> 1) The NSA's betrayal of trust on the internet (and its standards) has
>> all but removed good faith from the equation in the minds of a lot of
>> people
> Yes. It seems that the NSA is aiming to compromise everything. So why
> should Tor be exempt? But as others have noted, Tor software and the Tor
> network are open to public inspection.

Yes, with two caveats:
* only people with sufficient expertise in network security will audit 
the system in any meaningful sense
* it excludes the people with sufficient expertise who are under 
contract _not_ to release the results of their audit or knowledge of 
exploits to the public

>   Individual relays, of course, are
> not. The NSA and other adversaries can easily participate.
>
> However, Tor is by design a Chaum-style network of untrusted nodes. As
> long as one of the three nodes in a circuit is honest, users remain
> anonymous. Even simultaneous attacks by non-colluding adversaries can
> protect users' anonymity. In order to avoid detection, malicious relays
> tend to behave at least somewhat like honest ones. So as long as enough
> attackers aren't colluding, they help protect users against each other.
> That is very clever.

How does the assumption that enough attackers aren't colluding hold up 
against revelations about the tactics of the Five Eyes?

Either way, it turns out to be extremely difficult to explain that 
design feature to someone, much less a general audience.  And I don't 
mean "explain" as in they nod, "oh, right, that's neat."  I mean explain 
such that they can repeat the essence to someone else and still be 
technically correct in their description.

Because of that, and because of the toxic atmosphere wide-net 
surveillance has created, there are a lot of potential Tor 
users/relay-operators who bail on the idea before even getting to that 
technical description.  They're not conspiracy theorists-- they're just 
people who don't get excited about programming cleverness.  We can try 
to think of more metaphors for them, and make more and more 
precision-guided arguments against the "I-dont-wanna-help-the-bad-guys" 
meme.  But we have to remember that isn't nearly as effective as, "you 
can use Network B run by this other group, and it works in a similar 
way," or, "even Facebook is using it for location anonymity."

>
>> 2) practically speaking, Tor Browser Bundle _is_ private browsing mode
>> for the time being.  There is no other game in town (at least in terms
>> of usability and being gratis)
> There are also VPN services and the JonDonym network. It's true that
> they're not free, in a usable way.

Right.

>   It's also true that they're less
> anonymous, although JonDonym is arguably close. And of course, they
> can't be trusted.

Right.

>   However, they can readily be combined with Tor, in
> order to further distribute trust among untrusted nodes.

Tor remains a single point of rhetorical attack here.  How convenient 
that the government-funded overlay enters the flow-diagram once more! 
troll the trolls.  My point is that the effectiveness of that troll only 
starts to go away once it is Tor OR Software B that can be combined to 
distribute trust.

>
>> So someone looks on your resume and finds a summer at the NSA.  If the
>> wider free software community was adequately funded to sustainably
>> research and protect users' privacy, that would be that. Tor would take a
>> temporary hit and Privacy Software B's website would temporarily see
>> more hits and development effort.
> That's how life goes ;)

Except when there isn't a viable usable free alternative, in which case 
the people choosing to steer clear of Tor most likely experience a 
decrease in privacy.  But as far as the dev effort tides, yes.

>
>> In the real world, however, there isn't a Software B.  It will be a long
>> time before even a Debian user can apt-get install and easily use
>> Gnunet.  Non-technical users see a world of NSA surveillance and a
>> single usable, well-maintained piece of software available for anonymous
>> browsing run by people funded by the U.S. government. Conspiracy
>> theories flourish in that type of climate.  And until there are as many
>> (effective) private browsers competing with each other as there are
>> normal browsers, these kinds of attacks will continue to be (at least
>> somewhat) effective.
>>
>> Anyway, for those who are willing to listen to a little reason and live
>> in a country where encryption isn't illegal, here's a Pascal's wager for
>> Tor Browser Bundle use:
>>
>>                         Something to hide    Nothing to hide
>>                         -----------------    ---------------
>>
>> Tor is a honey-pot:     Tor use is BAD       Tor use is No worse than
>>                                              not using Tor
>>
>> Tor isn't honey-pot:    Tor use is GOOD      Tor use is GOOD
> Well, it depends on who you're hiding from, and whose honey-pot Tor
> might be. But the focus here is the NSA. So, worst case, using Tor is
> bad if you're hiding from the NSA. But really, only fools think that
> simply using Tor is enough for hiding from the NSA. You need a
> multi-layered approach. I write a lot about this.

I write this restatement of the wager mostly for the people who have 
nothing to hide.  "I've got nothing to hide, so I might as well take a 
dip in the anonymity pool."

>
>> Of course this doesn't work if Tor use simply lands you in jail, or gets
>> you disappeared by government agents.  But if that is the case you have
>> much bigger issues to deal with than private browsing.
> Right. Escape might be the first priority.
>
>> -Jonathan


