Tor Users Urged To Update After Security Breach 161
An anonymous reader writes "If you use Tor, you're cautioned to update now due to a security breach. In a message on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha now: 'In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we'd recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.' Tor users should visit the download page and update ASAP."
From: Anonymous Coward (Score:5, Interesting)
Anyone else find it so funny that a news story about anonymity is suggested to slashdot by anonymous coward?
I think it's the best form of joke... one with an epic amount of unexpected expectedness.
Takes all types... (Score:2)
Anyone else find it so funny that a news story about anonymity is suggested to slashdot by anonymous coward?
I think it's the best form of joke... one with an epic amount of unexpected expectedness.
If you think that's funny, just think...
Every Anonymous Coward posting about this article will be an Anonymous Coward posting about an Anonymous Coward's anonymity story. A story by an Anonymous Coward for Anonymous Cowards about Anonymous Cowards. Anonymous anonymous anonymous.
Re: (Score:2, Insightful)
The real TOR way to do it would not be anonymously, but instead giving it to another person's slashdot account, who submits it for you. But go ahead with the "funny" "jokes".
Re: (Score:1, Funny)
I wonder if the intruder was using Tor when they broke in ?
Tor weaknesses (Score:5, Interesting)
The problem with Tor is that there's no way to detect compromises -- every node on the network could be compromised and you'd never know. Authors of botnets have greater anonymity than we do -- ironically because it's run by a central authority. An illegal and immoral one, yes, but one that comes with a measure of anonymity. Few botnet authors are actually caught even with the most primitive security methods. They don't even use encryption and they often can't be found...
Re:Tor weaknesses (Score:5, Informative)
They don't even use encryption and
Oh but they do, and that's the key to the problem. Everyone and their dog knows where the C&C servers are, and can monitor the commands sent out. Problem is, the commands are cryptographically signed, usually with a hideously large key (last one I saw was 2048 BYTES) so you can't subvert their network. Improperly signed commands are merely ignored.
The bot herders get their anonymity from any of a hundred ways to anonymously sign into the IRC C&C channel. I'd speculate that most of them use TOR to do so.
Re: (Score:2)
last one I saw was 2048 BYTES
It may make more sense, as long as that reference to bytes (not bits) is accurate, to refer to this as a 16 kilobit key instead, as public key encryption is usually referenced in bits. While RSA of this length can be done (even using GPG, though you have to modify the source to bypass the compatibility restrictions), it's quite a bit of overkill. The other algorithms used (since RSA is almost always only used for signing/encrypting something smaller -- like signing an SHA256 hash or encrypting an AES key) w
Re: (Score:2)
I believe at the beginning of 2010 the NIST increased their recommendation for RSA to a minimum of 2048 bits due to security concerns of 1024 bit keys.
Re: (Score:2)
It may make more sense, as long as that reference to bytes (not bits) is accurate, to refer to this as a 16 kilobit key instead, as public key encryption is usually referenced in bits.
We could just quote the key size in terms of "cardinality of encodings of state of every atom in the universe," in which case I believe a 16 kilobit key would be about 200 universe-states. :)
Re: (Score:3, Interesting)
The fun begins when they start noting illegal commands and retaliating. Fun.
Re: (Score:2)
Actually, that would be an unwise design - as it causes a node to take action when it gets an unauthenticated command. That basically gives anybody some level of control on your botnet.
For example, I can spoof a fake command from some IP - now the botnet takes down a server of MY choosing. While it is busy doing that, it probably isn't taking down the server the botnet owner wants it to take down, or sending spam, or whatever.
Nope - you design a node to treat an unauthenticated command as if it was never
Re:Tor weaknesses (Score:5, Insightful)
The problem with Tor is that there's no way to detect compromises -- every node on the network could be compromised and you'd never know. Authors of botnets have greater anonymity than we do -- ironically because it's run by a central authority. An illegal and immoral one, yes, but one that comes with a measure of anonymity. Few botnet authors are actually caught even with the most primitive security methods. They don't even use encryption and they often can't be found...
There's a lot to be said for hiding in a crowd though. While it is true that every node in the network could be compromised, and we'd never know, collecting all that data together to target you individually becomes more and more difficult the more people use the network... and we're not talking about big-O of n, we're talking at least big-O n squared or so.
As with all forms of security, there's nothing you can do to guarantee security, you simply raise the burden of breaching that security until the opportunity to breach you is not worth the cost to breach you.
Re: (Score:2)
There's a lot to be said for hiding in a crowd though.
Not when the IP headers of every packet sent through every major peer exchange point on this continent is recorded by this government, and the governments that control the intercontinental links each have peering arrangements so that said data is available on a reciprocal basis with other intelligence agencies operating under their respective governments worldwide.
Most TCP/IP sessions can be reconstructed for months after their original transmission, because the cost of storing said data is so low and there
Re: (Score:2)
When he talks about hiding in the crowd, he talks about hiding in the Tor crowd.
When you talk about compressing packets, you probably aren't referring to encrypted packets. Including SSL. Which there's lots of.
I ran a Tor node for a long time. And never used it myself. Others are welcome to "raise the noise floor" with such participation and/or licit uses.
I think mix networks should work pretty well, but I wouldn't say that I have a complete grasp of the details. Nor do I expect you have, judging by yo
Re: (Score:2)
When he talks about hiding in the crowd, he talks about hiding in the Tor crowd.
Let me rephrase this: Tor is not as resistant to traffic analysis as it is believed, because the Tor authors make assumptions about the state of surveillance on the network which are fundamentally flawed. Specifically, they believe that security is improved by obscuring the location of the node to peers. Because of this, routing paths between nodes are made longer, increasing the statistical likelihood that it will pass through a collection point.
Tor has limited utility -- if you initiate a connection domes
Re: (Score:2)
What do you mean by "[they obscure] the location of the node to peers"?
Re: (Score:2)
>>They don't even use encryption and they often can't be found...
Also, they used "123456" and "iloveyou" as the master password on 2 of the 7 nodes.
Re: (Score:2)
Further Details From Roger On or-talk mailing list (Score:5, Informative)
Roger's entries to date on the subject (excluding first page linked within /. summary):
(this is for those who are too lazy to page through mailing list threads, this post is
missing other individuals replies as well as future replies from Roger and others)
http://archives.seul.org/or/talk/Jan-2010/msg00165.html [seul.org]
Here are some more technical details about the potential impacts, for
those who want to know more about Tor's innards:
----- #1: Directory authority keys
Owning two out of seven directory authorities isn't enough to make a new
networkstatus consensus (you need four for that), but it means you've
only got two more to go. We've generated new v3 long-term identity keys
for these two authorities.
The old v3 long-term identity keys probably aren't compromised, since
they weren't stored on the affected machines, but they signed v3 signing
keys that are valid until 2010-04-12 in the case of moria1 and until
2010-05-04 in the case of gabelmoo. That's still a pretty big window,
so it's best to upgrade clients away from trusting those keys.
You should upgrade to 0.2.1.22 or 0.2.2.7-alpha, which uses the new v3
long-term identity keys (with a new set of signing keys).
----- #2: Relay identity keys
We already have a way to cleanly migrate to a new v3 long-term identity
key, because we needed one for the Debian weak RNG bug:
http://archives.seul.org/or/announce/May-2008/msg00000.html [seul.org]
But we don't have a way to cleanly migrate relay identity keys. An
attacker who knows moria1's relay identity key can craft a new descriptor
for it with a new onion key (or even a new IP address), and then
man-in-the-middle traffic coming to the relay. They wouldn't be able to
spoof directory statements, or break the encryption for further relays
in the path, but it still removes one layer of the defense-in-depth.
Normally there's nothing special about the relay identity key (if you
lose yours, just generate another one), but relay identity keys for
directory authorities are hard-coded in the Tor bundle so the client
can detect man-in-the-middle attacks on bootstrapping.
So we abandoned the old relay identity keys too. That means abandoning
the old IP:port the authorities were listening on, or older clients will
produce warn messages whenever they connect to the new authority. Older
Tor clients can now take longer to bootstrap if they try the abandoned
addresses first. (You should upgrade.)
----- #3: Infrastructure services
Moria also hosted our git repository and svn repository. I took the
services offline as soon as we learned of the breach -- in theory a clever
attacker could give out altered files to people who check out the source,
or even tailor his answers based on who's doing the git update. We're
in pretty good shape for git though: the git tree is a set of hashes
all the way back to the root, so when you update your git tree, it will
automatically notice any tampering.
As explained in the last mail, it appears the attackers didn't realize
what they broke into. We had already been slowly migrating Tor services
off of moria (it runs too many services for too many different projects),
so we took this opportunity to speed up that plan. A friendly anonymous
sponsor has provided a pile of new servers, and git and svn are now up
in their new locations. The only remaining Tor infrastructure services on
moria are the directory authority, the mailing lists, and a DNS secondary.
----- #4: Bridge descriptors
The metrics server had an archive of bridge descriptors from 2009.
We used the descriptors to create summary graphs of bridge count and
bridge usage by country, like the ones you can see at
http://metrics.torproject. [torproject.org]
Re:Further Details From Roger (Score:5, Insightful)
Mmmm, yes, free.
And you will never, in a million years, detect the compromised hardware in those machines.
The only way for tor (or wikileaks or other dangerous-to-the-authorities service) to buy hardware, is anonymously. If someone wants to donate servers, have them sell the servers and give you the cash.
Re:Further Details From Roger (Score:5, Informative)
Wait... Anyone can be a TOR node [torproject.org] and it's still secure.
TOR data is very encrypted.
It doesn't matter if the hardware or software is compromised, it's still secure because a TOR node is just one node in a chain of encrypted nodes. You encrypt your data 5 times if you're sending it through 5 nodes.
Each node takes off one layer of encryption and forwards the still encrypted data to the next node. If any intermediate nodes (2 3 4 in our 5 node example) are compromised (in software or hardware), they can not see the message in plain text, or determine the originating IP or destination IP of the traffic.
If the first node is compromised it can see your source IP, but not the destination IP or any part of the message (it's still encrypted.)
If the exit node is compromised it can see the destination IP, and clear text message, but not the source IP.
These multiple layers of encryption mean that if any one node is compromised the system is still very secure.
Taking off a layer of encryption at each router is like peeling an onion... hence, "The Onion Router".
(this is an oversimplified explanaion -- if you're talking compromised code repositories, viruses and trojans are usually not delivered as source code, the tampering would be evident.)
Re: (Score:2)
Yes, but at the top is some form of directory service. If you compromise the majority of those servers you can create a new network consensus, and direct everyone to route through tor1,tor2...torX.nsa.gov. Or some suitable set of apparently random international network of nodes set up for the purpose. The layers don't work if the entire onion is rotten.
Re: (Score:3, Interesting)
"A friendly anonymous sponsor has provided a pile of new servers, and git and svn are now up
in their new locations"
I read this to mean that tor are hosting git and svn on the new, anonymously-donated servers. I expect that if they were hardware-compromised, that could be used, in turn, to compromise the source-repositories. Please correct me if I'm wrong tho...
Having said all that - I'd also expect a project like tor to be pretty careful with security! Also, it's quite possible that although the servers wer
Re: (Score:2)
You don't seem to have read the GGP post at all.
It lists plenty of venues of attack for a suficiently willing and knowledgeable attacker which state agencies would be.
I wouldn't so easilly dismiss attacks delivered via source code if I was you: the GP was talking about attacks by state security services - these guys usually employ full time some pretty clever people who can usually make their own code they're no just a bunch of script kiddies downloading tools from the Internet (although from the Google att
Re: (Score:2)
If the exit node is compromised it can see the destination IP, and clear text message, but not the source IP.
So, collect enough packets at a compromised exit node and you can build a usage pattern with possibility of identification? Using Tor to check email or blog from oppressed nations just looked a little less appealing.
Re: (Score:2)
Using tor to transmit anything unencrypted is a very DUMB thing. You have to understand that between the exit node and the target server, all traffic is done in the same fashion it would be done between you and the target server if you didn't use tor. If there is no inherent encryption (like https or ssh), it will NOT be encrypted between the exit node and the server.
In other words, it is trivial for someone who wants to sniff passwords to establish an exit node and just collect packets.
tor is NOT an encryp
Wait a minute... (Score:4, Funny)
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Clearly it was done in C++ and some idiot set up a loop in Book 1. Possibly in the chapter about fields.
Re: (Score:2)
The bugginess is offset slightly by the neat RAID array of authors.
Re: (Score:1)
Redundant Author Is Dead?
Re: (Score:2)
With new pieces of papar.
Re: (Score:1)
By visiting TORForge [macmillan.com], of course...
Re: (Score:1)
Re: (Score:2)
Re: (Score:2)
Do papercuts count? They share a lot of features with security breaches. They are easy to get if you're not careful, they are barely noticable, everyone will think you're a crybaby if you're complaining about them and yet they hurt like hell.
US Intelligence almost certainly monitors TOR (Score:4, Interesting)
I mean. That's where I'd go fishing for people trying to communicate secrets,
if I was them.
Now I don't want to spread paranoia, but
did you know that the patent on Onion Routing was filed by the US Department of the Navy?
Look it up.
Remember kiddies. Always use your own encryption layer.
Re:US Intelligence almost certainly monitors TOR (Score:4, Insightful)
They probably do more than just monitor. They almost certainly run their own exit nodes so they can log everything flowing through what they pwn.
Re: (Score:1)
They'd have to monitor/run more than just the exit nodes in order to figure out it was you though right? Isn't that the whole idea?
Just a single un-compromised node on the path from you to the destination would mean you were still anonymous (assuming there was enough traffic on the network). Although, if there wasn't much traffic and they had your entry and exit node you might be in trouble?
Re: (Score:2)
That's mitigated by sending random data at a constant rate, so there are no spikes in usage when you are actually using it.
Actually, you want to introduce white noise in the rate at which you send the data too. Without that, it's possible to see when you're sending traffic by looking for spikes above the background rate.
Snail Mail (Score:2)
IMHO sending a message inside a birthday card draws a LOT less attention than using obscure and suspicious looking encryption software. But thats just my opinion.
Re:Snail Mail (Score:5, Funny)
Dear John & Cynthia.
Thank you for all your support this year, and I wish you all the best for the next.
Yours truly,
John and Sarah.
P.S., Attack at dawn.
Re: (Score:2)
This is because the US Navy are the initial authors of Tor. It was opened when they no longer withed to maintain it.
Re: (Score:2, Insightful)
Yes, the government created it, this is well known. They created it so they could securely communicate by bouncing signals off of unsecured ships, like your random cruise ship or an allied warship.
They were involved with its creation, of course the watch it. So do lots of other people.
As a general rule, people hiding their activities DO HAVE SOMETHING TO HIDE. The minority use something like this for legitimate uses. However, our founding fathers had the opinion that until we know you're hiding somethin
Re: (Score:2, Interesting)
Re: (Score:2)
Comparing your anecdote about hiding inside a group of grocery store customers doesn't apply to the debate at hand. How does one 'hide' in the manner you propose when they elect to do it inside a (tor) group that is already flagged as being watch-worthy?
If the group was looting the store, and you wanted to loot too, would there be any logic to
Re: (Score:2)
Whether they are watching banned movies in your living room, or watching Shrek with your children, I bet most people close their curtains when it gets dark. What are they hiding?
Let me guess, you're the cop who pulled me over on super bowl sunday and wanted to search my car because I blew 0.00 on your breathalyzer. I was speeding, so the pullover was valid. I have anxiety problems, and being pulled over at night by a single cop is
Re: (Score:2)
You better stop using the internet. Remember who invented it? Hint: It wasn't Al Gore.
New Tor attacks and anonimity attacks all the time (Score:1, Interesting)
Attacking Tor at the Application Layer
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-gregory_fleischer-attacking_tor.pdf [defcon.org]
https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Gregory%20Fleischer%20-%20Attacking%20Tor%20and%20the%20Application%20Layer%20-%20Video%20and%20Slides.m4v [defcon.org]
https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Gregory%20Fleischer%20-%20Attacking%20Tor%20and%20the%20Application%20Layer% [defcon.org]
Tor WILL get people killed, if it hasn't already (Score:2, Insightful)
TOR apologists, no fair modding down these comments just because you don't like them.
I wish the holier than thous behind the Tor movement would stop with their outrageous and indefensible claims about the protections Tor allegedly provides.
I tried to have this discussion with, among others, people who've made "names for themselves" traveling from conference to conference blustering about how Tor is making the Internet safe for unpopular opinions in places where an unpopular opinion can get you disappeared r
Re: (Score:2)
Re: Sending secure traffic is far more interesting (Score:2)
Good point. Bang on.
Now as we move to encrypted fragmented cloud storage and computing, that assumption will presumeably have to change, as it will become routine to encrypt both your stored content and its transmission. And I can see anonymization being offered as part of cloud services of the future, to prevent corporate espionage (shady forms of "business intelligence") etc.
When encryption and anonymization of net communications becomes the norm, then who do you watch, and how?
Re: (Score:2)
Fighting oppression has always gotten people killed. If Tor allows people to speak out with less risk, it's done it's job.
What was the cause of the breach? (Score:3, Interesting)
The links are not very informative about what allowed the breach to happen. Was a security model vulnerability? man-in-the-middle attack? buffer overflow?
Re: (Score:3, Interesting)
Technically, it can't be. But since most of the exit points are pretty well known, it's not all that hard. If more people made themselves exit points, rather than just taking advantage of the network, that problem would go away.
I've tried Slashdot. It's been a matter of switching exit points until you find one that isn't forbidden. Google is really on top of it though. I suspect they may have a tie-in with the network map, so they know the exit points as they come and go.
Re: (Score:2)
Running an exit node is very, very, very risky.
On the other hand, putting services like Slashdot or Google on as hidden services, it might reduce the demand for the exit nodes.
Has any major company done this yet?
Re: (Score:3, Insightful)
Ideally, everyone that runs a client is an exit node too. But, much like an open AP on your network, when the police come knocking at your door, just saying "But, I was just connected to Tor" isn't going to be much of a defense. It may work in court, but you may be waiting a long time for that day to come.
Re: (Score:2)
Technically, it can't be. But since most of the exit points are pretty well known, it's not all that hard.
There is a list of TOR exit points [torproject.org] in case you want to black- or white-list them.
If more people made themselves exit points, rather than just taking advantage of the network, that problem would go away.
Last time I looked at it, I concluded that most of the traffic on TOR was child pornography and shared music/films. I didn't want to risk the police thinking I was responsible.
(But, I only have ADSL so it's not much of a loss.)
Re: (Score:3, Insightful)
I concluded that most of the traffic on TOR was child pornography and shared music/films.
Please explain how you arrived at this conclusion. Did you actually survey TOR traffic to see what it contained, or are you simply assuming that the only reason most people want anonymity is CP & file sharing? I was under the the impression that TOR encrypted its traffic, except for what entered/exited at the exit nodes.
Re: (Score:1)
Last time I looked at it, I concluded that most of the traffic on TOR was child pornography and shared music/films.
Unless you were able to sniff all the traffic going through TOR, I fail to see how you reached this conclusion.
.
Re: (Score:2)
That's not exactly a "list", but it does make a good way to test if an IP is an exit point.
I don't know about your assertion on child porn and piracy. There was a story not too long ago about how particular agencies were using TOR, and their mail passwords were compromised because they were sent plaintext, and exit nodes got them by sniffing the traffic.
Oh no! (Score:2)
This is torrible news! The torror...
Re: (Score:1, Informative)
It still seems this breach is unrelated to Tor itself. To be clear, it doesn't seem that anyone specifically attacked our servers to get at Tor. It seems we were attacked for the cpu capacity and bandwidth of the servers, and the servers just happened to also carry out functions for Tor.
* Does this mean someone could have matched users up to their destinations?
No....
* Does this mean someone could have learned more about Tor than an ordinary user?
Since our software and specifications are open, everyone already has access to almost everything on these machines...
Re: (Score:1)
Re:Sooo...... (Score:5, Insightful)
The price of freedom isn't vigilance in this time and age, it's having to deal with unpopular content.
Is tor used by people who want to circumvent laws for whatever reason? Yes. Duh. Basically that's what it was created for. We deem it positive that tor allows dissidents to avoid their laws concerning the freedom of speech, but we don't deem it positive that it also allows the circumvention of our laws. That's very human, but also quite a bit of a double standard.
I hope /. is a bit above the killer arguments of "think of the children" (honestly, if you think of the children all the time, you're prolly a pedo yourself) and we're able to look at it from a bit of a detached position. Because that's what we have to deal with here. Basically swapping child porn in the US is, at least from a purely content point of view, not different from swapping anti-government ideas in China: Both is illegal, and both requires additional security to be done without prosecution. The question is now whether we're willing to accept the existance of the former to enable the latter. You will only get them together. Is the freedom of the Chinese people (and, given the recent development in the west, probably ours soon, too) worth it, knowing that this will also allow communication of pedophiles, terrorists, spies and maybe even worse? Or should we toss both? That's basically the options we have.
And before someone replies with "but tor doesn't allow chinese to discuss freely, isn't secure, etc": This isn't just about tor. That question affects all tools that allow free speech. The question is, is free speech worth dealing with the effects of free speech that you do not want to exist?
Re: (Score:3, Informative)
I spent a bit over a year working with the FBI gathering information on a pedophile ring who was using one of our servers (to coordinate picture trading going on in Asian image board sites). Neither agents' opinions, the content gathered, nor the actual research I've seen, agree with your unsupported assertion that "they are one and the same". Though, two troll paratrooper points for accusing those who disagree with you of naivete. Good show, golf claps all around.
I also don't know to what extent the "pe
Re: (Score:1, Insightful)
No, it's not illegal. For that matter, neither is pedophilia. ACTING on ephibophilia or pedophilia is illegal.
Re: (Score:2)
Re: (Score:1)
Re: (Score:2)
That being said, especially after
Re: (Score:2)
And in many states you can actually have sex with them [wikipedia.org], you just cant take pictures.
Re: (Score:1)
You know, however much my jobs have sucked at various times, I think that the parent's job would suck worse. Dealing with images of abused kids as a regular job = really not fun. Tracking down and actually catching some of the offenders would likely be lightening, but I over time could see it easily working towards a storm-trooper attitude of bowling over (human) obstacles to get at the real bad guys if you had to see the evil things they do all the time...
Re: (Score:2)
Re:Sooo...... (Score:5, Insightful)
In short, people attracted to children will rape them? A bit like saying all men will rape women no? But that's not a perfect analogy, you can have sex with a man or woman without too much difficulty, whereas a pedophile can only masturbate. How about, would all slovenly, unattractive, misanthropes, who've zero chance of getting sex resort to rape? I rather doubt it, and even though pedophilia disturbs me, I don't think the sexual drive of that group is somehow stronger than your average male or female.
Re: (Score:1, Insightful)
I dislike how the second party gets abused though and don't say that they can consent to the pictures. You leave the child pretty twisted and the molesters don't care. It is just not fair to the child. It might not be fair to the molester as he can't help it, but it is not a victim less act. What they need is help understanding and managing. There is just so much social taboo around it that it is a real struggle for them.
Re: (Score:3, Informative)
This is somewhat tangential, but there is illustrated porn where just about any deviance can be catered to without harming a minor. Actually molesting a child is wrong of course.
Re: (Score:2)
Of course I don't think that's anymore logical than saying videogames contribute to a society more accepting of stereotypical villains with bad voice acting.
Re: (Score:3, Interesting)
People with sexual urges will eventually create an opportunity act on them, and readily available pornographic content simply encourages them by giving them validation and a sense of moral acceptance.
Hmm... then how about homosexuality? It's not hard to find stories of people who denied attraction to the same sex their whole life in order to avoid being socially stigmatized.
As for the effects of pornography, does masturbating calm your sexual urges, or does it inflame them?
Re: (Score:2)
Do try harder. As a member of slashdot you should appreciate the need to coldly analyze all things even if they are distasteful.
Re: (Score:2)
Emotions are rarely a good adviser when trying to find a sensible solution. Thus, yes, coldly analyzing even horrible ideas is basically the correct way to come to a conclusion that will in the long run result in the least troubles.
For reference, see the current headless chicken approach to terrorism.
Re: (Score:2)
Those of us who are interested in everything Slashdot has to offer will still see the context.
I personally don't understand who would want to browse a discussion where you only see half of what is going on, but to each his own.
Re: (Score:2, Informative)
Re: (Score:3, Insightful)
I don't know where to find good citations - but you can research easily enough.
Download not just TOR, but I2P, freenet, anonnet - search for more if you like. You WILL BE exposed to child porn. No questions asked, you'll be exposed.
It's safe to say that 2/3 to 3/4 of all the sites out there are trash that you don't even want to see. But - there are also some interesting things that are NOT pornography.
You can go explore, or not. It's slow, it's aggravating because all the CP gets in the way, there's not
Re: (Score:2)
The content of secret dropboxes reflect the legality of content in the community. Since it is a bit of a hurdle to access those items, and the download speed is fairly slow, people will not host legal content this way, simply for convenience and availability reasons.
Re: (Score:1, Insightful)
Not that I'm defending pedophilia, but the fact that you're conflating pedophiles and child molesters makes me suspect your statistics.
Re: (Score:1, Insightful)
Sounds like anonymity projects are suffering the same problem as encryption in general -- it's too hard to use unless you're pretty sure you have a need for it.
With the casual farming of information that goes on by Internet ad networks, the lack of security of public Wi-Fi, and the push for deep packet inspection by ISPs, I think we've reached a point where attacks on the privacy of innocent users justifies a need for average folks to have access to these sorts of products (and associated education.)
But unt
Re: (Score:2)
Since, in order to get your packets from point you to point wherever and back, some number of untrusted machines have to know your IP and your desired destination(at a minimum, your destination gets to know, more typically, a fair few machines controlled by one or more ISPs will be involved) all the anonymity mechanisms attempt to break up the round-trip into chunks too small to be useful. It is always going to be slower
Re:Sooo...... (Score:5, Informative)
Duh! [mozilla.org]
Re: (Score:2)
DURR WUT IS FIREFOX I GO ON THE INTERNET WITH (INTERNET EXPLORER / SAFARI)??? I DONT SEE A TOR BUTTON THIS IZ HARD!!!
Until off-the-shelf computers come with Tor or something similar ready to go right out of the box, of course it's only going to be the enthusiasts and scumbag fringes that'll put the time into researching and securing their privacy online.
Re:Sooo...... (Score:5, Insightful)
Hi,
How did you collect your statistics when Tor is decentralized? Sure you could analyze the outbound traffic on a exit node but I doubt that this would be enough of a sampling to extrapolate a meaningful conclusion. Since you offer no supporting evidence your claim is irrelevant to the discussion.
I also do not think that the number of child molesters could be large enough to represent a "vast majority" because I doubt the original content producers would distribute a such a high risk material for free. It is much more likely that pedophiles are distributing the material to other pedophiles. I think that it is important to note the difference because while I find either appalling I'd rather have them fapping to "old child pornography" instead of creating a demand for new material and reducing the profit margins of the people that are actually doing these horrible things to children. The lesser of of two evils is still evil but we don't live in a idealistic world.
Unfortunately freedom has it's costs.
Re: (Score:3, Insightful)
I wish the holier than thous behind the Tor movement would stop with their outrageous and indefensible claims about the protections Tor allegedly provides.
I tried to have this discussion with, among others, people who've made "names for themselves" traveling from conference to conference blustering about how Tor is making the Internet safe for unpopular opinions in places where an unpopular opinion can get you disappeared right quick (hello China)... shouted down every time because it's not a POPULAR point of view.
I see that I'm not the only one in this discussion with concerns. Thank god things are changing.
Whoever these people you have met traveling from conference to conference are not the authors of tor:
# tor --help
Jan 21 22:48:35.191 [notice] Tor v0.2.1.22. This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64)
Copyright (c) 2001-2004, Roger Dingledine
Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
Copyright (c) 2007-2009, The Tor Project, Inc.
tor -f [args]
See man page for options, or https://www.torproject.org/ [torproject.org] for documentation.
Re: (Score:2)
This is why i said "Tor movement" not "authors of Tor"
It doesn't matter. The innocent, non-techies are not hearing from "the authors of Tor". They're hearing from others who are running around promoting it as the salvation of free speech in non-free places... and they are believed.