Re: [tor-talk] Tor and Google error / CAPTCHAs.

[Alec Muffett <alec.muffett@xxxxxxxxx>]

Rolling together a couple of Joe's emails…



> If the intent is to say Google & other sites are trying to protect
> themselves & their users at all costs - point taken - in part.
>

Not at all costs, but I believe I've done a fair job in previous mails of
explaining how they might consider it to be uneconomic to add "special
case" code to reduce friction for Tor users.

If you've not read those yet, let me know off-list and I will send you the
text again, rather than repeat it.



If you're trying to sell that Tor isn't blocked because it's Tor, that'll
> be a hard sell.


I don't actually understand this sentence.

1) I have explained at length that Tor is one technology - a big one - from
which spamming and scraping emanate and attack platforms/their users.

2) To defend your platforms you block the spamming and scraping, therefore
you block Tor.

3) If you're at least vaguely sympathetic to legitimate people who want to
access your site over Tor, you try and give them a filter bypass so that
they can continue to use your site over Tor.

4) But there are very few of them, and you probably don't understand Tor
very well, so you probably make an inferior / poorly-integrated job of it.
Hence crappy CAPTCHAs.

5) Thus arises the current situation, today.

I don't believe that this is hard to understand?


If you're trying to defend Google and their colleagues' wonderful, law
> abiding, privacy respecting, above board track records and philanthropic
> endeavors, you're on the wrong list.


Why do I get the feeling that you are trying to haze me, or chide me, or
warn me off-of having opinions other than whatever ones you currently hold?

Apart from anything else, that would be a recipe for groupthink - and
groupthink is a bad idea.

All companies do bad shit.  All companies do good shit.  Sometimes they
manage to achieve both simultaneously. But if you want to take this thread
and digress into an argument about which company did what and when, and if
you want to try coercing me into doing so, then "fuck you" because I am
here to talk about Onion sites and setting them up, and all the wonderful
technological things that they can do - things which y'all on the tor-talk
list have completely missed for the past decade whilst you've been focusing
monomaniacally on "spooky things".


On 4 October 2016 at 05:21, Joe Btfsplk <joebtfsplk@xxxxxxx> wrote:

> 1) If less than 0.1% of the people who use your site do so "anonymously",
>> the amount of ad-revenue associated with them is negligible. There are
>> bigger leaks to plug.
>>
> Possibly partly true, but I consider other reasons that sites
> (essentially) block users, sometimes lumped with Tor users.
>

Yes, that's because you are possibly paranoid, thinking that companies are
"Out to get Tor Users!" - it's entirely possible that CloudFlare have been
through a phase like that, but I feel that's understandable if/when parts
of the Tor community have been producing "Fuck Cloudflare" badges.



> "You can't use our site unless you allow cookies"  WTH - Really? Why is
> that?


They are called "session cookies" and if you have a few dozen, a few
hundred, a few thousand machines which coordinate in order to send you
webpages in a timely fashion, the session cookie is the thing which
stitches this all together.

It's a bit like the ignition key for a car.  You could create a car which
would "just go" whenever someone is sitting in the driver seat, but then
the car would have no sense of ownership.

Most people want to stay in charge of the resources they own, so they
demand a sense of ownership, so they need a key.

And - like some vehicle manufacturers - if one complains "we can do so much
better than cookies/ignition-keys nowadays" - the answer is "yes, but
that's not how we got here, and a lot of folk are simply geared-up for
keys".


Could it be that certain tracking - not just on that domain - won't work
> unless cookies are allowed?
>

I love your habit of using interrogatives to convey conspiracy.  :-)

When cookies are enabled and resources are fetched from a site, then yes
they can become ad-tracking and so forth.

That is how that mechanism works.

A huge bunch of people consider it to be entirely legitimate, or if not
that then at least a minor nuisance / the cost of using the network at all.

One may scream "ZOMG CORPORATE MONETIZATION!!!" but a lot of sites are
getting more frank about saying "Look, we are funded by advertising, please
turn off AdBlock or we will just quit and give up" - and so I whitelist ads
on those sites, even if it means digital breadcrumbs about where I have
been are available to the NSA or whomever.

Seeing adverts is the quid-pro-quo of that's site's existence.

One may then say "YES BUT EVIL TRACKING... FACEBOOK... GOOGLE..." - and,
okay, if you are worried about tracking on random sites, install tools like
PrivacyBadger and *manage* your risk.

But cookies are not inherently evil, especially "first party" cookies which
enable "the site you are currently looking at" to function.

Third-party cookies are arguably more evil, I agree.



> "You're using  ad blocking software.  Our site won't work correctly, if at
> all."  [see #3 below]
>

...and in fact, if everyone uses them, the site may eventually cease to
exist. :-)



> On many sites, Tor is lumped together with ad and script blocking browsers
> - unprofitable and often largely untrackable.  We're no longer talking
> about a tiny % of users.


See my explanation at the start of this post; you are trying to pull off an
astonishing feat of mathematics, suggesting that Tor users are a
substantial number of people who are blocked because Tor is classified as
an ad-blocker (hint: no it is not) and a lot of ad-blockers are blocked
(hint: mathematics does not work that way).

2) In my experience the "blocking" that companies do to Tor (and similar)
>> is 100% grounded in the threats from spam, scraping, testing phished
>> credentials, and other forms of bad behaviour.
>>
> Are you saying that TBB is the only browser used for malicious purposes?
> :)


No, I am not saying that, and before I disassemble your argument with
examples, I am interested to know why you are asking this?

Oh - wait, I think it's because of your understanding of how commutation
works.  Let me see if I can simplify a bit:

1) About 100% of blocking that happens to Tor users, happens because Tor is
perceived or experienced to be amongst the sources of spamming and scraping.

2) This it not a claim that 100% of spamming and scraping comes through
Tor.  That's what "amongst" implies.

3) Phrased differently: the blocks and CAPTCHAs that Tor users experience
are "collateral damage" in the war on scraping and spamming.

Is that clear?


I promised examples; here's a couple:

Within Tor: TBB is not the only route for spamming and scraping which comes
through Tor; in fact quite a lot of the spamming and scraping which comes
through Tor is sourced from "curl"

Outside of Tor: there is this stuff called "Browser Malware" which is
implemented in (say) extensions for Chrome or plugins for Firefox, on the
clearnet.  Normal people get scammed into installing the malware because of
some value proposition ("It turns your webpages pink and animates happy
bunnies at the bottom of your screen" / whatever) - and then proceeds to do
low-impact scraping and spamming in the background, whilst the victim gets
on with using their browser. Essentially it's a parasitic browser extension
which turns the victim into a source of scraping, which then gets detected
by {Google, Facebook, whatever} and subjected to an block until the victim
cleans up their system / extensions / whatever.


That other browsers can't be or aren't adapted by skilled users for similar
> malicious or unwanted behavior?
>

I think I just gave you a concrete example of that, without any of the
insinuating, conspiratorial questioning.  :-)



> I don't really buy that.  For one thing, it's too slow.  Even using a
> plain browser with a proxy - which I rarely do - I'm seldom blocked.
> Disregarding financial sites.  But Tor is blocked all the time on these
> same sites.  They don't say you're blocked, you just can't get in or use
> the site - even with scripts allowed.  I can use many federal govt sites
> just fine with TBB, but I can't do a Google search?  Talk about scraping!


I'm really getting the impression that what I have been explaining to-date
has not really been clear enough for you.

Perhaps this posting can/will help?



> 3) I would bet a substantial amount of beer that anonymous proxy networks
>> are negligible threats to advertising revenue in comparison to "People on
>> the Clearnet who use AdBlock+".
>>
> I can't speak for everyone, but if ads were - still - presented as just
> ads, and trackers weren't trying to record everything you do across the
> entire internet, sell that data, provide it to the govt - on request, for a
> fee, then I wouldn't mind allowing small ads.


I understand what you're saying.



> WAY back in the day, I'd click on some ads of free sites that I wanted to
> support.  That was way before things got to present practices. Now, there's
> no way I'll let them record every move.  My medical issues, political
> interests, legal matters...


Your privacy is clearly a very important matter.

    - alec


-- 
http://dropsafe.crypticide.com/aboutalecm
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk