[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor and Google error / CAPTCHAs.

This thread/discussion/response is getting very fragmentary, so pardon if I
slash-and-burn a little to try and restore a theme:

On 3 October 2016 at 09:46, grarpamp <grarpamp@xxxxxxxxx> wrote:

> On Sun, Oct 2, 2016 at 5:53 PM, Alec Muffett <alec.muffett@xxxxxxxxx>
> wrote:
> >    "How many more of X?  How many X should there be in total?
> > So now we need "more than 1" proxy network - but still, how many?
> Fermi Napkin is legit approach.
> Though network quality and purpose must also be included in that.

So this is about proxy networks, their number, quality, diversity, function
and purpose.

To a first approximation I am in favour of maximising all of those, but
practically I feel that that's a foolhardy proposition - simply, my Netflix
viewing, or whatever, does not need to be anonymised.

It _might_ benefit from a VPN (because see all the stories of ISPs choking
bandwidth where they are not receiving a kickback) - but in such
circumstances I'd prefer the solution to be "choose an ISP who are not a
bag of dicks, and 'out' their ill-behaviour as much as possible", rather
than to re-engineer the internet for this edge-case.

Generalising: more tools, please, but let's not pretend that more than a
fraction of bandwidth will benefit greatly from anonymity technologies.

> Everyone isn't aware of why they might want it, and what they
> are up against today. So of course their current position when
> asked might be as such. Educate them and maybe they'll think
> differently.

I kind-of agree, but I'm not able - on grounds of pragmatism - to tell the


> all those proxy
> > networks which are designed to let people watch TV when they are not in
> > their home country <cough/>
> That would be one of "purpose"s above.

Agreed, that's why I mentioned it.

But for the 98% of the time that I *am* in the UK, I don't need (nor want)
to take the performance hit of the BBC's geolocation-restricting firewall

> We want big crowds of about that size.
> Yes, underutilization is a problem, especially for anonymity
> networks that require utilization to deliver claimed properties.

I was thinking about that, having pressed "send".

It seems logically impossible, as well as unwise, to try and say "Tor is
over-full, go use AltTor" when one of the key points of Tor is to strip
identity; after all, whom will you identify to tell this too, and how?

I feel that we just have to let market demand, and ability to scale &
deliver value, be the deciding factor in what is available...

> > Good question.  My take: innovate and evangelise, stop pretending that
> > one-size-fits-all.
> Tor has plenty of both, so the next step is to get off tor lists and get
> on to the next size list.

...as opposed to pretending that some manner of centralised policy,
doubtlessly run by a cabal of people of impeccable ethics, is either of
possible OR desirable.

> Foster & support I2P for... well, whatever I2P is good at. I have no
> > interest in filesharing and a major valueprop of Tor to me is bridging to
> > clearnet through exit nodes
> I2P offers exit services. Its users can operate exit nodes.

Yeah, I saw the numbers.  Tor wins.  I suspect that exit services are not
I2P's main value proposition?

> having a namespace which intersects the rest of the web
> s/namespace/URI scheme/

Good clarification.

I am _very_ glad that the IETFers who argued against ".onion" and said that
Tor somehow needed to become a "scheme" (eg: "onions://foo.onion/") were

My take on the whole matter is "just because Tor Onionspace is not based
upon DHS does not make the HTTPS protocol/scheme any different"

However, do be alert: some folk in the IETF are still not content with that

[on forking]

> Create _new_ stuff.  That'd be superb.  Just don't try to be like the
> early
> > Torfork weenies, proclaiming that they would split the Tor userbase (and,
> > presumably, onion namespace) and that this would be "progress".
> It's one approach, and forking is valid per license, so cannot complain.
> https://rotorbrowser.com/ https://twitter.com/indieonion

Oh, I can complain. :-)

Being independent from both parties I am free to characterise the
indieonion brigade as a bunch of pseudo-student-radicals bent on trolling
the community a-la Gamergate.

If eventually it turns into a wholly new privacy technology or a separate
and compatible Tor implementation that would be great.

But it should never be pretended that it started as anything other than a
tantrum by a handful of marginally-post-juvenile twerps, butthurt about
Tor's internal "drama" and threatening to split the Tor network.

It's that latter bit that I _really_ did not like. Make things better, but
don't fuck with the infra, and don't split the userbase.

We know the whitepapers tell us some of these systems have
> enough bits^2 to do that. That researchers are collecting and
> making anonymized statistical analysis from live systems. And
> we know there are deployments of same or similar ideas for those
> exact purposes in places from advertising to NSA.

The reason I wrote "that's bullshit" is because one moment someone is
calling for more anonymity - even being hardcoded by default into the
network - yet the next moment the same person is castigating (?) the
platform providers for not bothering to apply all the possible signals and
technologies at their disposal, to track, deanonymise, and even merge
multiple identities ("User 476 types in exactly the same way as User
9945!") - in pursuit of authentication.

A huge chunk of the people on this list, I aver, would be totally
freaked-out at the suggestion that what is needed is a _more_ comprehensive
approach to platform identity.

> > The issue is that "authentication" and "deanonymisation" are from many
> > practical perspectives **exactly the same thing**.
> Depends on the context.

Almost.  It depends on the "perspective", and "intent".

Unfortunately, as I have seen first hand, you can build a tool "for great
good!" only for a bunch of privacy activists to say "ZOMG THIS IS CLEARLY

Privacy activists can be total assholes sometimes.  Me included.

[On User Service]

> To reduce harm and cost, sometimes you will get a little of both.
> With a bit of training, an entry level helpdesk junkie can review and
> nuke an amazing amount of genuinely bad accounts.

"Helpdesk", he says. Ho ho ho ho...

I'd suggest the
> big corps can afford to dedicate a junkie or two to similar tasks,
> under recognition that IP blocks alone take out good with bad.

True, and - to reassure you - spamspotting is already often based on more
than just IP address/block/ASN.

It's a source of constant amazement to me that folk believe this stuff is
not already being tried - or got tried and then replaced by something

If the CIO/CSO/CTO, even on down into the techs, at any of these top N sites
> in their categories, did *not* know about tor / vpn / proxy (or have a
> staffer
> they knew to go ask about what's up with the IP's), after decades of these
> tools existance and relavance as a class to netsec, even if only in a "Oh
> is that that DeepSilkLeaks thing I heard on the news" sort of way, I'd
> consider
> them incompetant and fire them.

Then you'd be firing some of the best netops and sysops people in the
world, merely because they believed the things that the media have told
them about "the dark web".

> > Parachuting clones of me into organisations is not what changes things.
> > ...
> > but there are also these *other* people who use the service
> Yes, the gist of what I meant was, they don't trust hearing it from
> users, and they don't trust hearing it from the likes of Tor Project,
> to them they're both biased and outside.


> who need especially it in sudden
> > rushes when bad things happen, so we need to build things such that
> > accommodations are made for that.
> That's backwards, you're not going to onboard users when shtf unless
> you've already done the work to allow them in general population
> long beforehand.

Frequently it's not "onboarding" - the spikes are largely people who -
faced with a sudden network block - fire up a tool (Tor Browser) that
bypasses the block and gets them to the site on which they are *already*
registered and which they *want to use*.

Then when the block is finished, they go back to Chrome or whatever their
preferred browser is - the one with session-cookie persistence, with Flash
support and great for playing music and porn.

The majority of users will use Tor "at need"; a relative minority use it


tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to