[tor-talk] Tor and Google error / CAPTCHAs.

Mirimir mirimir at riseup.net
Wed Sep 28 02:28:11 UTC 2016


On 09/27/2016 03:45 AM, Alec Muffett wrote:
> On 27 September 2016 at 09:42, Mirimir <mirimir at riseup.net> wrote:
> 
>> On 09/27/2016 01:39 AM, Alec Muffett wrote:
>>> On 27 September 2016 at 06:42, grarpamp <grarpamp at gmail.com> wrote:
>>> In such circumstances they are not actually looking at you / what you are
>>> searching for. They are looking at the behaviour of all traffic, of
>>> everyone and everything else which emanates from that exit node.
>>
>> Are they even doing that? It's my impression that they're just looking
>> up the IP address in some list that includes all Tor exit relays. But
>> yes, I get how that's arguably enough, in that all Tor exits will on
>> average look alike.
>>
> 
> Exactly, especially since circuits rotate around exit nodes fairly rapidly.
> 
> And eventually someone has to write the code which says "This IP is
> emanating bad stuff, but it is currently a Tor node, so just put it on the
> naughty step for a few minutes until it calms down, rather than blocking it
> for a longer period."

That would be an excellent development. So I was wrong. Maybe there is a
resolution to the conflict :) Or at least, as long as jerks are a
minority among Tor users.

> Once someone has done _that_, then the organisation is on the path to
> caring about the real people who access the site over Tor, and finding
> better solutions.

Right.

>> I can't imagine any resolution to this. Anonymity is Tor's key goal.
>> There are jerks who need anonymity. And there are providers who want to
>> exclude jerks. If you want Tor's "anonymity", and you want to evade
>> discrimination against Tor users, you need to avoid identification as a
>> Tor user. What else?
> 
> 
> Exactly.  This manifests where folk on Twitter complain that "zomg i'm
> using the onion site and it's blocked me!" - when in fact perhaps some code
> is running - code that someone took the time to write - to learn/remember
> that you are a person who logs in over Tor, that you really are who you
> claim to be, and that this is all "okay".
> 
> Otherwise the first time that someone logs in from a Tor exit node might be
> someone using Tor to experiment with your credentials, which they phished
> off you via an e-mail, or something. (This is another popular misuse of Tor
> from the perspective of the big platforms.)
> 
> It is definitely a _tough_ problem.

That is a _much_ harder problem. Because people who want an account, but
want to obscure their true identity, don't look that different from
people who might have stolen their credentials. Usernames and passwords
are easily stolen, so sites have been using cellphone accounts. But in
many places, it's hard or impossible to get cellphone accounts that
aren't linked to identity. And even when it is, device tracking and poor
OpSec render that moot. And India's move to biometrics-based IDs is even
worse.

I'm a pretty technical guy, and it's been years since I managed to get a
Facebook account for a persona. But I see that bogus and stolen Facebook
accounts are available in bulk from criminals, marketed to criminals. Or
at least, to advertisers ;)
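
The short penalty Alec Muffett describes above, for an abusive IP that is currently a Tor exit, sketched as an added example; it is not part of the original thread or any site's actual code. The exit list, thresholds, durations and all names are assumptions.

```python
# Added illustration; the exit list, thresholds and durations are assumed values.
TOR_PENALTY_SECONDS = 5 * 60          # "a few minutes" for a current Tor exit
DEFAULT_PENALTY_SECONDS = 24 * 3600   # longer block for any other address
ABUSE_THRESHOLD = 3                   # abuse reports needed to trigger a penalty
WINDOW_SECONDS = 60                   # ...within this sliding window

# Constructed sample exit list (RFC 5737 documentation addresses).
SAMPLE_TOR_EXITS = {"192.0.2.10", "192.0.2.11"}


class PenaltyBox:
    def __init__(self, tor_exits):
        self.tor_exits = set(tor_exits)   # refreshed from an exit list in practice
        self.reports = {}                 # ip -> recent abuse timestamps
        self.penalised_until = {}         # ip -> expiry timestamp

    def report_abuse(self, ip, now):
        """Record one abuse signal; return the penalty length applied (0 if none)."""
        recent = [t for t in self.reports.get(ip, []) if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.reports[ip] = recent
        if len(recent) < ABUSE_THRESHOLD:
            return 0
        # Membership is checked at penalty time: "currently a Tor node".
        duration = (TOR_PENALTY_SECONDS if ip in self.tor_exits
                    else DEFAULT_PENALTY_SECONDS)
        self.penalised_until[ip] = now + duration
        self.reports[ip] = []
        return duration

    def is_penalised(self, ip, now):
        until = self.penalised_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self.penalised_until[ip]   # penalty expired, forget it
            return False
        return True


def demo():
    box = PenaltyBox(SAMPLE_TOR_EXITS)
    for t in (0, 10, 20):
        box.report_abuse("192.0.2.10", t)      # Tor exit
        box.report_abuse("198.51.100.7", t)    # ordinary address
    # Ten minutes later the exit is usable again; the other address is not.
    return box.is_penalised("192.0.2.10", 620), box.is_penalised("198.51.100.7", 620)
```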


