Slashdot Mirror


Facebook Sets Up Shop On Tor

itwbennett writes: Assuming that people who use the anonymity network want to also use Facebook, the social network has made its site available on Tor, Facebook software engineer Alec Muffett said in a post on Friday. Facebook also decided to encrypt the connection between clients and its server with SSL, providing an SSL certificate for Facebook's onion address. This was done both for internal technical reasons and as a way for users to verify Facebook's ownership of the onion address. Since it is still an experiment, Facebook hopes to improve the service and said it would share lessons learned about scaling and deploying services via an onion address over time.

125 comments

  1. Facebook is trash by Anonymous Coward · · Score: 0

    Zuckerberg gives Obama full access to Facebook anyway so who cares if it's behind Tor?

  2. They wanted to release this years ago... by Anonymous Coward · · Score: 5, Funny

    ... but it took all this time to calculate that .onion URL.

    1. Re:They wanted to release this years ago... by Wonko+the+Sane · · Score: 2, Insightful

      The fact that it was possible for them to generate that vanity URL means that Tor hidden service identifiers do not contain enough bits to be secure.

    2. Re:They wanted to release this years ago... by Anonymous Coward · · Score: 0

      Tor now allows you to specify part of your URL. The rest is calculated.

    3. Re:They wanted to release this years ago... by Anonymous Coward · · Score: 0

      There's a mailing list email claiming that they were only looking for an address prefixed with facebook and got lucky. Who knows if that's the truth. It still likely took a lot of computing time to get.

    4. Re:They wanted to release this years ago... by NotInHere · · Score: 5, Informative

      On how they got the address: https://lists.torproject.org/p...

      This is how .onion addresses are made: https://gitweb.torproject.org/...

      Then they hash the key (using SHA-1), and base32-encode the first 80 bits (first half of the hash).

    5. Re:They wanted to release this years ago... by davydagger · · Score: 5, Insightful

      >facebookcorewwwi.onion/

      The fact that it's possible to calculate that far into an onion's address should make you cautious of the technology. While it's unlikely that an amateur is going to crack a Tor address/key, it now seems very likely that someone with enough rackspace, and the ability to make custom ASICs for the process, could do so. (If cryptocurrencies can make ASICs, why can't people wanting to smash crypto do the same? Similar tech, and especially if you're a large company/government, buying them in bulk shouldn't be a problem.)

      It's also known that Facebook buys custom chips from Intel, who makes them with extra database-specific functions built in, and Intel now sells the service to any high-volume buyer willing to pay extra.

      It's not unreasonable to say Tor is broken until they move to 4096-bit keypairs.

    6. Re:They wanted to release this years ago... by bluefoxlucid · · Score: 1

      It's 80 bits.

      It's an SHA-1 hash, but in square root of the time. Facebook wanted to work out facebook*.onion, so they only had to sha-1 'facebook' and then store that state. After that, feed 40 sha-1 bits to the sha-1 function to generate a bunch of different hashes, keeping the ones that match.

      This works all the time, as long as there are collisions in that space that match your hash.

    7. Re:They wanted to release this years ago... by Anonymous Coward · · Score: 0

      They didn't actually generate the entire vanity URL. They only generated 8 characters in and then selected the most logical easy to remember 2nd part. Generating 8 characters of what you want is significantly easier than generating 10. While there is a lot of work that needs to be done in regards to Tor hidden services it's not likely anybody can duplicate the vanity URL that Facebook's got.

    8. Re:They wanted to release this years ago... by stephenmac7 · · Score: 1

      There is a list of generation times on a 1.5 GHz processor that can be found on the Shallot repository, which also includes software to do it.

      --
      "No man's life, liberty, or property are safe while the legislature is in session." -- Judge Gideon J. Tucker
    9. Re:They wanted to release this years ago... by jeffmeden · · Score: 1

      >facebookcorewwwi.onion/

      The fact that it's possible to calculate that far into an onion's address should make you cautious of the technology. While it's unlikely that an amateur is going to crack a Tor address/key, it now seems very likely that someone with enough rackspace, and the ability to make custom ASICs for the process, could do so. (If cryptocurrencies can make ASICs, why can't people wanting to smash crypto do the same? Similar tech, and especially if you're a large company/government, buying them in bulk shouldn't be a problem.)

      It's also known that Facebook buys custom chips from Intel, who makes them with extra database-specific functions built in, and Intel now sells the service to any high-volume buyer willing to pay extra.

      It's not unreasonable to say Tor is broken until they move to 4096-bit keypairs.

      De-anonymizing attacks have almost certainly already taken place (see the 2014 "Cicada 3301" contest for one example) so this shouldn't be the tipoff that if you are relying on a Tor hidden service for long term anonymity you are probably not going to find it. Tor can be used anonymously by clients who change their actual whereabouts often enough to avoid a pattern, but hidden services are ripe for exploit and always will be, the process is just too complex to avoid all possible weak links.

    10. Re:They wanted to release this years ago... by Kjella · · Score: 1

      Facebook wanted to work out facebook*.onion, so they only had to sha-1 'facebook' and then store that state. After that, feed 40 sha-1 bits to the sha-1 function to generate a bunch of different hashes, keeping the ones that match.

      That doesn't make any sense at all, if they can choose "facebook" I can choose "facebookcorewwwi" and feed it 0 bits to get my hash. It is the other way around, you must generate a public key and SHA-1 hash that, cut to 80 bits and convert to base32 and that'll be your service descriptor. Since each letter = 5 bits they basically brute force created 2^40 = public keys to find one that hashed to facebook*. There are tools for this, the estimate for a single 1.5 GHz processor choosing 8 letters is about ~25 days. Note that spoofing a full address would take millions of years the same way.

      --
      Live today, because you never know what tomorrow brings
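Added example, not part of any comment in this thread: the address derivation NotInHere and Kjella describe (SHA-1 over the service's public key, first 80 bits, base32) together with the prefix arithmetic that follows from it. The input blobs are constructed stand-ins rather than RSA keys, the 25-day reference is the figure quoted in the thread, and all function names are illustrative.

```python
import base64
import hashlib

# Old-style .onion identifiers: 80 bits rendered as 16 base32 characters.
ONION_ALPHABET = set("abcdefghijklmnopqrstuvwxyz234567")  # no 0, 1, 8 or 9
BITS_PER_CHAR = 5
ID_BYTES = 10  # 80 bits, the first half of a SHA-1 digest

# Constructed placeholder bytes standing in for a DER-encoded public key.
SAMPLE_BLOB = b"constructed-sample-not-a-real-public-key"


def onion_v2_address(der_public_key: bytes) -> str:
    """SHA-1 the encoded public key, keep the first 80 bits, base32-encode."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:ID_BYTES]).decode("ascii").lower()


def prefix_bits(prefix: str) -> int:
    """Number of hash bits a chosen prefix pins down (5 per character)."""
    if not 1 <= len(prefix) <= 16:
        raise ValueError("prefix must be 1..16 characters")
    bad = set(prefix) - ONION_ALPHABET
    if bad:
        raise ValueError(f"characters never appear in an address: {sorted(bad)}")
    return len(prefix) * BITS_PER_CHAR


def expected_keys(prefix: str) -> int:
    """Average number of keys that must be hashed before one matches."""
    return 2 ** prefix_bits(prefix)


def scaled_days(prefix: str, ref_chars: int = 8, ref_days: float = 25.0) -> float:
    """Scale the thread's '8 letters in about 25 days' figure to another length."""
    prefix_bits(prefix)  # validate
    return ref_days * 32.0 ** (len(prefix) - ref_chars)


def search_demo(prefix: str, max_tries: int = 200_000):
    """Empirical check of the 32**n scaling on a short prefix.

    Hashes constructed counter blobs, not keys, so the result is only a
    demonstration of how many hashes a prefix of this length costs.
    """
    prefix_bits(prefix)  # validate
    for tries in range(1, max_tries + 1):
        blob = b"constructed-blob-" + tries.to_bytes(8, "big")
        addr = onion_v2_address(blob)
        if addr.startswith(prefix):
            return addr, tries
    return None, max_tries


if __name__ == "__main__":
    print("sample address:", onion_v2_address(SAMPLE_BLOB) + ".onion")
    for p in ("fb", "facebook", "facebookcorewwwi"):
        print(f"{p!r}: {prefix_bits(p)} bits, ~{expected_keys(p):.3e} keys, "
              f"~{scaled_days(p) / 365.25:.3e} years at the reference rate")
    addr, tries = search_demo("fb")
    print(f"2-character prefix matched after {tries} hashes: {addr}")
```

Each extra fixed character multiplies the expected work by 32, which is why an 8-character prefix and a full 16-character match sit 2^40 apart.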
    11. Re:They wanted to release this years ago... by davydagger · · Score: 1

      Look again, it's facebookcorewww, with just one character left random.

    12. Re:They wanted to release this years ago... by bluefoxlucid · · Score: 1

      they can choose "facebook" I can choose "facebookcorewwwi" and feed it 0 bits to get my hash.

      I was assuming they had HASH(seed) = 0xDEADBEEF and they were trying to HASH("FACEBOOK" + whatever) and get 0xDEADBEEF. To do this, you would feed your hash function--which iteratively generates a hash based on a stream--"FACEBOOK", and then start appending 40-bit strings.

      There was some assertion that the full length of the identifier is 80 bits, and that Facebook only brute forced 40 bits. This is how you find a hash collision with a known prefix: you hash the prefix, then continue computing the next 40 bits in brute force, rather than running the full 80 bits repeatedly. There is always the danger of not finding a collision, of course, even if your hash function is smaller than 40 bits.

    13. Re:They wanted to release this years ago... by bluefoxlucid · · Score: 1

      That looks like plausible words; random letters can form words. How often have you found "ass" and "dicks" in word searches?

    14. Re:They wanted to release this years ago... by mythosaz · · Score: 1

      Which means if they had a meager 1,000 1.5 GHz machines at their disposal, they could have generated 1000 different facebookXXXXXXXX addresses in 25 days and picked the best one.

      A thousand random 8-character strings didn't get me any cool names: http://www.random.org/strings/...

      ...but I'm pretty sure 1000x1.5Ghzx25d is on the low end of what Facebook can deliver for a project.

    15. Re:They wanted to release this years ago... by Anonymous Coward · · Score: 0

      Scallion running on my nVidia 550TI only needs 50 minutes to find a ^facebook address. Assuming they used a similar procedure in their brute force, and depending on how long they spent looking and which address in the sequence they chose, it's probably pretty reasonable to say someone could crack this.
      g2.2xlarge instance 1536 CUDA cores, my 550 TI only has 192 so we can assume this instance would be considerably faster. $0.65 per hour for on demand utilization, if we assume it scales linearly with cores that's a facebook hash every 5 minutes or so, 5 cents a hash. Facebook says they relied on luck to get corewwwi, so I assume we can do the same. Say they had 100,000 potential hashes to pick from, that's only 500$ of compute time.

    16. Re:They wanted to release this years ago... by Anonymous Coward · · Score: 0

      58 minutes in 1 delicious Facebook onion address for you
      facebookg6px6ws7.onion
      http://pastie.org/9688781

    17. Re:They wanted to release this years ago... by fustakrakich · · Score: 1

      It's not unreasonable to say Tor is broken until they move to 4096-bit keypairs.

      It's not unreasonable to say Tor is broken completely if Facebook is involved.

      --
      “He’s not deformed, he’s just drunk!”
    18. Re:They wanted to release this years ago... by davydagger · · Score: 1

      This I understand, that if it was just facebook* I wouldn't be worried.

      It's the fact that it's facebookcorewww?, which bothers me, and the insinuation that both core and www are just random.

      Then everyone started jumping down my throat with what I already know about onion addresses under a false pretext.

  3. Anonymity? by MachineShedFred · · Score: 5, Interesting

    So you go through Tor to access Facebook, where you immediately have to log in, and...

    What's the point again?

    --
    Slashdot still doesn't support Unicode after it was added to the HTML standard in 1997.
    1. Re:Anonymity? by rogoshen1 · · Score: 5, Funny

      Because people concerned enough about anonymity to use tor, are also avid products of social media -- of course. Did you forget to drink your kool-aid this morning?

    2. Re:Anonymity? by NotInHere · · Score: 2

      It has some advantages. Location data is very important data, and Facebook loses it. They still know where your friends are, but it's better than before.

    3. Re:Anonymity? by Charliemopps · · Score: 5, Insightful

      So you go through Tor to access Facebook, where you immediately have to log in, and...

      What's the point again?

      Some countries block facebook. I think that's the point.

    4. Re:Anonymity? by Anonymous Coward · · Score: 0

      Some people under oppressive governments may feel scared to use Facebook lest the government accuse them of using the internet to collaborate on protests. This isn't an egalitarian move by Facebook: that's one potential user that they didn't serve ads to.

    5. Re:Anonymity? by Anonymous Coward · · Score: 0

      Which is more likely, getting caught using an encrypted proxy to defeat the firewall or getting caught using (increasingly popular) TOR to do so w/o end to end encryption?

    6. Re:Anonymity? by bill_mcgonigle · · Score: 4, Insightful

      So you go through Tor to access Facebook, where you immediately have to log in, and...

      You really don't know anybody who uses Facebook pseudonymously? If you make an account called 'Hootie McBoob' you might get dinged, but there are thousands of 'Bill Riker's (have some fun with it).

      If you're coming in from your home IP or a Verizon or AT&T mobile, you're gonna be decloaked in a hurry, even by a passive listener. So, if you want to participate in a community that's on Facebook but not be known to the outsiders, Tor makes sense. Right now you can exit Tor on one of the spooks' exit nodes, but then you're just enabling the traffic analysis. By offering Tor directly, you avoid the risk of using an additional hostile exit node.

      This looks to be Facebook engineers doing the best they can given the cards they're holding. It's obviously more secure to not use any social networking systems at all, but if you rank security/privacy below functionality for some uses, this move makes sense to improve the situation.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
    7. Re:Anonymity? by davydagger · · Score: 1

      As well as IP source address, and with that, an ISP name, and location down to city. That can tell someone what network to sniff if they want your personal information.

    8. Re:Anonymity? by Anonymous Coward · · Score: 0

      This. This was the first and only actual reason I could think of.

    9. Re:Anonymity? by Anonymous Coward · · Score: 0

      Real name policy. Srsly, tried it. You can create a pseudonym, but they will close your account. That or make you log in by IDing photos of your 'friends' who are also pseudonyms with photos of everything from anime to cats. Which cat is Bill Riker? Simply making or receiving friend requests by certain "undesirable" accounts is enough to trigger it.

    10. Re:Anonymity? by Anonymous Coward · · Score: 0

      Because people concerned enough about anonymity to use tor, are also avid products of social media -- of course. Did you forget to drink your kool-aid this morning?

      In the meantime, the NSA has a new way to discover who certain TOR users are by this method, want to preserve privacy? DO NOT use Farcebook (caps are necessary for emphasis)

    11. Re:Anonymity? by Anonymous Coward · · Score: 0

      That's the only reason I can see.

    12. Re:Anonymity? by SuricouRaven · · Score: 2

      I suspect the point is part publicity stunt, and partly an effort to guard against any countries that may take measures to block access to facebook. The use of SSL alone can force those countries to go to an 'all or nothing' approach to censorship, but TOR accessibility means that even if they block the site by DNS and IP users can still get through with a little more effort. This is important not only from a free speech point of view*, but commercially to ensure those countries remain full of potential users.

      *Much as I hate to say this, facebook is actually useful for something. Occasionally. Like organising protests and disseminating accounts of abuses of power.

    13. Re:Anonymity? by xaotikdesigns · · Score: 1

      Couldn't you also set up a sock puppet account to use to keep your anonymous fan page updated? You don't have to friend people or put any actual info in your account, just use it to update your hacking/revolution/secret society/terrorism network/whistleblower/whatever page.

      --
      XDInd
    14. Re:Anonymity? by xaotikdesigns · · Score: 1

      What about using TOR through the proxy?

      --
      XDInd
    15. Re:Anonymity? by pegr · · Score: 4, Interesting

      Oh, even better. What root CA is signing off on .onion domains now?

      Yet again, because people have no g*d damn clue how SSL works, we have to live with encryption that, in practice, is TOTALLY MEANINGLESS!

    16. Re:Anonymity? by Anonymous Coward · · Score: 0

      Getting caught using an encrypted proxy. A proxy typically has an IP address for an extended period of time so they get blocked. Tor is encrypted from client to entry node and since it's more peer oriented it's a lot harder to block. The exit point in this case isn't important to encrypt, Facebook in particular is already end-to-end SSL encrypted and the endpoint is either not in the blocking country, or if it is by some stroke of luck it's not able to be associated with the end user.

    17. Re:Anonymity? by Anonymous Coward · · Score: 0

      As well as IP source address, and with that, an ISP name, and location down to city.

      Not with tor.

    18. Re:Anonymity? by Anonymous Coward · · Score: 0

      My guess is that Facebook set this up so someone can correlate anonymous FB usage with other Tor usage and with non-anonymous FB users, but perhaps I've just become too pessimistic :(

    19. Re:Anonymity? by Anonymous Coward · · Score: 0

      you go through Tor to access Facebook, where you immediately have to log in, and...

      What's the point again?

      .
        - when you follow clickbait, it blocks the vzw evercookie and any hotspot spying
        - hides the IP address so you can have more than one account per household without facebook connecting them, and if you have more than one account for yourself Facebook cannot discover this trivially by using (home ip, work ip,) as a unique identifier
        - prevents your location throughout the day from being tracked by the NSA every time you check facebook

      The better question is, "how is this different from browsing https://www.facebook.com/ over Tor?" I suspect maybe the answer is, "avoids govt- and hacker-controlled exit nodes."

      However I wonder if running a local exit node advertising "use for https://www.facebook.com/ only" might not be a better approach. I think Tor makes this possible? And I think .onion addresses are slower than exit node addresses, aren't they? It would be nice to see someone from Facebook explain the reasoning behind the choice.

    20. Re:Anonymity? by brunes69 · · Score: 1

      I know there are some people who use Facebook pseudonymously but honestly I never saw the use case. The whole point of Facebook is to connect with friends and family to share things. If you are anonymous, you can't do that, so why are you on Facebook?

      Anonymous Twitter accounts make a lot more sense than anonymous facebook accounts.

    21. Re:Anonymity? by Anonymous Coward · · Score: 1

      I know there are some people who use Facebook pseudonymously but honestly I never saw the use case. The whole point of Facebook is to connect with friends and family to share things. If you are anonymous, you can't do that, so why are you on Facebook?

      Because having an account usually allows you to access more profiles than not being logged in at all; some profiles are so restricted that you need to be a friend on their friends list to view, but that's another matter entirely.

    22. Re:Anonymity? by Anonymous Coward · · Score: 0

      I was in danger of becoming too pessimistic, until I realized that that wouldn't work out.

    23. Re:Anonymity? by MouseTheLuckyDog · · Score: 1

      You mean the part of social media that requires your real name for registration?

    24. Re:Anonymity? by sudon't · · Score: 2

      So you go through Tor to access Facebook, where you immediately have to log in, and...

      What's the point again?

      Well, presumably, you're not logging in with your real name. Using a standard connection, even with a fake name, you're still giving away a lot of information by being tied to your IP address. By using the Tor Browser, you are disassociated from your home IP address, and the Tor Browser makes it a bit easier to dump cookies once your session ends. Make no mistake though, you're probably only protecting yourself from FB itself, and advertisers and other commercial data collectors. Whatever dossier they build up will be harder to put a real name and address to. It might be helpful to those plotting the next "Facebook Revolution" by making it more difficult for some governments to figure out in a timely manner exactly who's posting.

      It'll be interesting to see how this works because FB flags me each time I log in from a different IP, and forces me to answer a "security question."

      --
      -- sudon't

      Air-ride Equipped

    25. Re: Anonymity? by Anonymous Coward · · Score: 0

      This is a trap for the mental cases. Let them get caught. Let them be on toe and behave badly and then get ass raped.

    26. Re: Anonymity? by Anonymous Coward · · Score: 0

      If you can't play by the rules, don't play.

    27. Re:Anonymity? by jeffmeden · · Score: 2

      Couldn't you also set up a sock puppet account to use to keep your anonymous fan page updated? You don't have to friend people or put any actual info in your account, just use it to update your hacking/revolution/secret society/terrorism network/whistleblower/whatever page.

      You forgot trolling/catfishing/generally shitting in the pool. I can see this having one rampant use: creation and manipulation of throwaway/hacked accounts. They better have one amazing captcha on the Tor-facing login page or Facebook is about to get a whole lot filthier.

    28. Re: Anonymity? by dAzED1 · · Score: 1

      The point is that the rules make this new feature pointless.

    29. Re:Anonymity? by Anonymous Coward · · Score: 1

      Connections to tor hidden services don't need https, since the in-transit connection is already encrypted as it's transmitted through the tor network.

    30. Re:Anonymity? by Anonymous Coward · · Score: 0

      I can't see that they'd be doing this without trackability. Or everyone goes to tor and they lose revenue. They either have a way to track thru tor, or they'll use the node to develop the capability (further) either way tor will be compromised and that tech will then be appropriated by the spooks.

    31. Re:Anonymity? by Anonymous Coward · · Score: 0

      I don't know about completely false names, but I have multiple Facebook friends whose names only vaguely resemble their legal names for various reasons (some are teachers / in other public professions, some are trans*, some I don't know why (maybe stalkers?)). All of them have obviously false last names on Facebook. It's not a problem for communicating with them because full name search is pretty useless on Facebook anyway.

    32. Re:Anonymity? by neatville · · Score: 1

      It goes against their TOS to use a fake name but why not just do it anyways, if privacy is your thing and you're using Tor.

    33. Re:Anonymity? by penguinoid · · Score: 1

      In unrelated news, a gun shop that had been selling boots with a target on them, is now selling steel-toed boots with a target on them.

      --
      Don't waste your vote! Vote for whoever you want, unless you live in a swing state it won't matter anyways
    34. Re:Anonymity? by danknight48 · · Score: 0

      So you go through Tor to access Facebook, where you immediately have to log in, and... What's the point again?

      It's mainly for the muppets who see Tor all over the news and just want a new fad to follow.
      They assume that because the media is shoving Tor down their throats, they have to use it because it's "popular" and "cool". Rather than understanding what it's designed for.

      Gotta love the sheep flocking crowd.

      Facebook's just in it for the news coverage, with a chance of bringing in some of those sheep who will log in, simple as.

    35. Re:Anonymity? by Anonymous Coward · · Score: 0

      That's fine until you find that the server you just sent your credentials to wasn't actually run by Facebook at all.

  4. So, lemme get this straight... by Opportunist · · Score: 1, Insightful

    I should access a network the intent of which is to track every move I make through a network that is supposedly granting me anonymity.

    What the fuck is the point?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:So, lemme get this straight... by Anonymous Coward · · Score: 0
    2. Re:So, lemme get this straight... by Anonymous Coward · · Score: 0

      I should access a network the intent of which is to track every move I make through a network that is supposedly granting me anonymity.

      What the fuck is the point?

      The point is that Mark Zuckerberg wants to slurp info on everyone, and now even those in hostile-to-freedom countries now get their data sold on via Farcebook. Win Win for the shareholders.

    3. Re:So, lemme get this straight... by sinij · · Score: 2

      Maybe if you don't have any Facebook friends and want someone to read your feed? At least this way you can be fairly certain that spooks will read it.

    4. Re:So, lemme get this straight... by Hadlock · · Score: 1

      China, Iran, North Korea, occasionally Turkey, Libya, Egypt, perhaps Russia, Ukraine, Hong Kong. Something like 25% of the internet either can't or potentially can't access Facebook right now. But with TOR you can.

      --
      moox. for a new generation.
    5. Re:So, lemme get this straight... by Anonymous Coward · · Score: 0

      And US spies (whose agencies, y'know, FUND Tor) can more easily hide under the group of Facebook users.

  5. lol by Charliemopps · · Score: 3, Insightful

    So the most invasive, anti-privacy business on earth, doesn't like the fact that governments are using the very same tactics to prevent people from using its site so they now support Tor?

    We're through the looking glass now for sure.

    1. Re:lol by idontgno · · Score: 1

      "It's only wrong when someone else does it."

      I have no idea why I have to say it out loud. Hypocrites don't believe they're hypocrites. Frankly, they don't believe in hypocrisy. What they want, they deserve. What anyone else wants, is either irrelevant (if it doesn't interfere with what they want) or evil (if it does interfere with what they want).

      Say what you will about unvarnished greed. At least it's internally consistent.

      --
      Welcome to the Panopticon. Used to be a prison, now it's your home.
    2. Re:lol by davydagger · · Score: 1

      no one likes competition.

      Don't imagine that burger king ever liked the fact McDonalds sold hamburgers

    3. Re:lol by Qzukk · · Score: 1

      At least it's internally consistent

      Until it starts demanding big government for everyone but them, paid for by everyone but them. Even the greedy can be hypocrites.

      --
      If I have been able to see further than others, it is because I bought a pair of binoculars.
    4. Re:lol by GameboyRMH · · Score: 1

      Read the GP's post again. Big government for everyone else is what they want. Everyone but them paying for it is what they want. Big government for themselves interferes with what they want.

      Internally consistent.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    5. Re:lol by Anonymous Coward · · Score: 0

      The same tactics? Facebook doesn't block Facebook. What the hell are you smoking?

    6. Re:lol by Anonymous Coward · · Score: 0

      Banksters are lefties at heart. They think "everybody should be a billionaire" and surely they work on becoming one by all means possible. Including 1929 2.0

  6. HAHAHAHHAHAHAHA by style7711 · · Score: 0

    hahahahahahahha !

  7. Facebook on Tor by Anonymous Coward · · Score: 0

    Facebook on Tor is like putting a condom around your car on the trip to a whorehouse.

    -- MyLongNickName

    1. Re:Facebook on Tor by rogoshen1 · · Score: 1

      at least at the brothel you know you're getting fucked, and they're upfront about that being their business model.

    2. Re:Facebook on Tor by GameboyRMH · · Score: 1

      +1 Excellent Analogy XD

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
  8. Words. I can't even. by SkunkPussy · · Score: 3, Insightful

    So you're going to go to all of this trouble to use a completely secure connection which conceals your identity and information about your browsing. Then you're going to go to a website where the first thing you do is identify yourself to that website, then the second thing you do is give yourself a cookie that identifies you to any website anywhere on the internet that has a Facebook like button?

    --
    SURELY NOT!!!!!
    1. Re:Words. I can't even. by Kardos · · Score: 1

      It seems like they are viewing tor as a "free vpn" so people can use facebook without their employer/school/etc knowing what they are doing.

    2. Re:Words. I can't even. by Anonymous Coward · · Score: 0

      You're an idiot and don't understand how this can be used.

    3. Re:Words. I can't even. by davydagger · · Score: 1

      >yourself a cookie that identifies you to any website anywhere on the internet that has a facebook like button?

      no script and private browsing.

      If you haven't figured it out already, browse facebook in a private browsing/incognito window. If you're not using FF or chrome/chromium, kill yourself.

      Also, use https-everywhere, and noscript.

    4. Re:Words. I can't even. by Opportunist · · Score: 1

      Wait! Do I have to go to facebook from there or can I use it as another VPN hop?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Words. I can't even. by Kardos · · Score: 1

      It's VPNs all the way down!

    6. Re:Words. I can't even. by NotInHere · · Score: 2

      If you browse it with TBB (Tor browser bundle), you still have that "identify yourself" part, but the cookie gets deleted the moment you close tor browser. Browsing tor with your normal browser is something very stupid, not just because of cookies, but also because of fingerprinting. Tor browser for example deactivates canvas tracking, or webrtc, and spoofs the useragent. Try this site with your favourite browser and with tor browser, and compare the results.

    7. Re:Words. I can't even. by LessThanObvious · · Score: 3, Interesting

      It makes some sense. If you use a "real name like" pseudonym they don't know unless you get reported. Turn off ability of people to tag you in photos. Use a selfie that is recognizable to friends, but useless for facial recognition algorithms. Never access outside TOR, blackhole DNS facebook.com and all known ad networks assuming that wouldn't break it within TOR. Register with a matching pseudonym email. Give a fake location and date of birth. Run AD-Blocker Plus, Ghostery, NoScript, etc. Preferably dual boot, Live-CD or at least use different user login on the OS level when toggling between TOR and public use. For a normal person who wants to see what your friends are doing, but doesn't want to give Facebook everything it could work good enough. As others mentioned, the ability to use in a country where it is banned is pretty worthwhile. If you are in that situation then maybe use a real photo at first if your friends need to recognize you to "add you", but change it later to a picture that isn't recognizable as you. It certainly matters for those in repressed countries to be able to communicate to the outside world. Tip: If you give a fake date of birth remember what you gave! I got locked out of mine because they used that as my only option for security question to access a stale account.

    8. Re: Words. I can't even. by Anonymous Coward · · Score: 0

      That so scary. Me eat coookies!

    9. Re:Words. I can't even. by Anonymous Coward · · Score: 0

      NSA and their friends will MITM sites and then inject some funny stuff into the many holes of FF. Holes which they can facilitate via their friends at Google-Mozilla.

    10. Re:Words. I can't even. by Anonymous Coward · · Score: 0

      Then they will force you to unlock account via an SMS sent to your smartphone. GOTCHA.

    11. Re:Words. I can't even. by Anonymous Coward · · Score: 0

      Throwaway PAYG phones briefly used in the countryside where triangulation is difficult FTW.

    12. Re:Words. I can't even. by Anonymous Coward · · Score: 0

      (My browser to hit back and nuked a long reply on the final editing stages. Trackpads are way too sensitive on Scientific Linux)
      "content not found" on a fully-loaded flash player is a total pain when you're whitelisting today's dynamic sites. Once in a while you must yield to using a noscript-free browser because one page just won't load. Simplest case is when you have a friend over who needs to sit down on my heavily configured nightmare for a quick web check. No, having a backup account to switch to doesn't cut it. People get suspicious when you suggest that they can't sit on the same browsing session you had open.

      Most video-heavy browsers on slashdot know this (never really gets much attention). They all have to peel layer after layer of ad servers mixed with desired Flash content and use trial-and-error to get site underpinnings / css for comments, buttons and menus to work. Did I mention video thumbnails? Sometimes Cloudflare (it's like Akamai, but blocks us aggressively) stops you cold on manga sites or random cdns have numbered servers (hotmail, yahoo, youtube) or per-video IP numbers that are a pain to "temporarily allow", so you start "whitelisting" way too much.

      Then the cold truth hits me when I randomly go without noscript sometimes... some crook loads a site on a loop demanding to download spyware. Kill -9 ends up losing me my whole browsing session. How come chrome.exe is all you can see in the process list on Windows? (no tab title information or anything -- killing a single rogue tab because there's no title data is just like Russian roulette)

    13. Re: Words. I can't even. by Anonymous Coward · · Score: 0

      The average person will not and is not going to successfully go through all those steps. This is a farce. Real security conscious people know this is fucked. Everyone else keep drinking.

  9. Why? by jenningsthecat · · Score: 2

    Because I need the ultimate in privacy between me and the video billboard in Times square where I'm posting the intimate details of my life. Yeah, right.

    Problem is, there will be many, many people who will think "Oh! Facebook is protecting my privacy now, so they must be OK!"

    --
    'The Economy' is a giant Ponzi scheme whose most pitiable suckers are the youngest among us and the yet-unborn.
    1. Re:Why? by Anonymous Coward · · Score: 0

      Because I need the ultimate in privacy between me and the video billboard in Times square where I'm posting the intimate details of my life. Yeah, right.

      Problem is, there will be many, many people who will think "Oh! Facebook is protecting my privacy now, so they must be OK!"

      Meanwhile, intelligent users will think "Holy shit! If I choose to login whilst using Tor, the NSA / CIA / FBI / KGB will all know who I am without a doubt"

      There was an old saying, I think it's "Friends don't let friends use Facebook"

    2. Re:Why? by Vokkyt · · Score: 1

      I think more people will just think "What's Tor?"

      This is really a "news for nerds" sort of deal here. The general public, and even most power users aren't going to be all that interested in it due to the niche. As to why Facebook has elected to pursue an onion site, who knows. I doubt it's because they see a big future in Tor, or maybe they do. Given that Tor has a bit of a burden of knowledge to actually understand what it offers, most users won't know or care.

      I'm willing to believe that it's possible an irresponsible journalist could really misrepresent the story to the public, but I guess I'd like to see it before it happened, and I feel that the Facebook PR engine would be quick to jump on any major misrepresentation due to recent allegations of Law Enforcement Officers using Facebook to aid in arrests for drug users. It's just not the kind of urban legend that they'd want out there to have to deal with.

    3. Re:Why? by Anonymous Coward · · Score: 0

      Friends don't let friends use Google+, because no one on Google+ has friends.

    4. Re:Why? by Anonymous Coward · · Score: 0

      The simple fact that FB endorses TOR means dozens of millions of people use it. Tough shit for you and your FtMeade friends.

    5. Re:Why? by Anonymous Coward · · Score: 0

      I could say the same for Facebook. I mean, how many of your Facebook friends do you know in real life? Less than a quarter for most people.

  10. Oh, the irony! by MagickalMyst · · Score: 0

    Facebook and Tor are mutually exclusive!

    --
    Political correctness is really just herd psychology pushed by insecure people who desperately seek social conformity.
  11. On-Line PARTYVAN! by Anonymous Coward · · Score: 0

    we deliver, in more ways than one!

  12. What? by Anonymous Coward · · Score: 0

    Isn't Facebook the complete opposite of anonymity?

  13. People missing the point by CaptBubba · · Score: 1

    A lot of people here are really completely missing the point of this. It isn't for privacy conscious US or EU users, it is for users in countries where Facebook is completely banned/blocked. China, Iran, Syria, etc.

    And it is a great thing to happen. It would be wonderful if Twitter did the same.

    1. Re:People missing the point by Opportunist · · Score: 1

      I always thought that TOR is quite capable of doing that all by itself?

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:People missing the point by CaptBubba · · Score: 1

      It is, but Facebook having their own TOR address is much more reliable (and likely faster) than having to use one of a limited number of exit nodes. Every person using the internal address will also reduce the burden on the exit nodes and give higher speeds so this is a win for everyone.

    3. Re:People missing the point by SuricouRaven · · Score: 1

      Yes, but it means going via an exit node. Exit nodes can't sniff or meddle in your traffic if you use SSL, but they are under high contention. Few people are willing to take the legal risk of running one, as it carries a possibility of being falsely accused of a serious crime.

    4. Re:People missing the point by Anonymous Coward · · Score: 1

      Tor has been blocked in China for years. It's actually easier to block Tor than Facebook, since with Tor all you have to block is the protocol, while if you want to block Facebook (or any other TLS-encrypted site) you have to individually block each of the hundreds of constantly changing public IP addresses.

      I guess they could block based on TLS certificate but for some reason this isn't done. That's why you can get around some blocks with hosts files etc.

    5. Re:People missing the point by ndato · · Score: 1

      Also, when using a TOR address there is no exit-node, and the data is encrypted end-to-end.

    6. Re:People missing the point by Anonymous Coward · · Score: 0

      The more stuff that runs in the darknet, the better. No need to hit an exit node.

    7. Re:People missing the point by Anonymous Coward · · Score: 0

      Facebook is HTTPS-only anyway, so it's already encrypted end-to-end.

  14. An amateurish spelling of 'ameture' by Anonymous Coward · · Score: 0

    n/t

  15. Facebook and Tor by Anonymous Coward · · Score: 0

    A zillion people get to Facebook via Tor? Will this slow down the Tor network?

    1. Re:Facebook and Tor by mythosaz · · Score: 2

      More people running Tor potentially means more Tor exit nodes.

      Who knows. Possibly a good thing.

  16. Lolwut? by Anonymous Coward · · Score: 0

    So you sign into facebook... with tor. Even if it's from a repressive country, the exit node is connecting to a page WITH YOUR NAME ON IT.

    You basically automatically have flagged yourself as a tor user, which even in the "free world" is nearly probable cause for suspecting you of being a pirate/cp/terrorist/whatnot.

    1. Re:Lolwut? by Anonymous Coward · · Score: 0

      No.

      They are operating an onionsite, there are no exit nodes involved.

    2. Re:Lolwut? by Anonymous Coward · · Score: 0

      You are a coward who deserves to die in chains. Free People Assert Their Right To Use TOR. Fuck NSA-GCHQ !

  17. Useless by Anonymous Coward · · Score: 0

    It's totally meaningless to use anonymity software if you then log in to a social network.

  18. where's the slashdot.onion? by slashdice · · Score: 0

    Oh yeah, that's right.

    --
    Copyright (c) 1990 - 2014 Dice. All rights reserved. Use of this comment is subject to certain Terms and Conditions.
  19. Is this an Onion story? by Anonymous Coward · · Score: 0

    Is this an Onion story?

    1. Re:Is this an Onion story? by sinij · · Score: 3, Funny

      Well, yes, it is an Onion story

  20. Anonymous Coward by Anonymous Coward · · Score: 0

    So, now I can anonymously and secretly give a company and all of my fb friends my personal and private data.

    I got it!

  21. Nice try NSA by rrohbeck · · Score: 4, Interesting

    Then all you have to do is enable Javascript to make Facebook work.

  22. and who at facebook will do the time for running a by Anonymous Coward · · Score: 0

    And who at Facebook will do the time for running an exit node? As they need a guy who can take prison as a child sex offender.

  23. Anonymity? by Anonymous Coward · · Score: 0

    They want to deceive the naive people. Historically, Facebook has been playing 100% "show your ID card"-cop for NSA-GCHQ-Unit8200. They will lock your account if you don't provide your ID via an SMS code sent to your mobile phone.

    Google is in the same league.

    I don't know why this is but I suspect they are scared to hell what could happen if the 99% woke up to the crimes of the 1% who run NY finance, Google, Facebook and the like.

  24. Not gonna use Facebook, but... by Anonymous Coward · · Score: 0

    It would go a long way if major sites followed this example, or if major vhosts, cloud providers and blog platforms just ran exits directly to their infrastructure, allowing access to the public addresses over Tor. They don't have to run open exits at all - just exits to their own destinations - and doing so would reduce the burden on existing wildcard exits.

  25. Anonymize your connection through tor... by Arancaytar · · Score: 1

    ... then log into Facebook with your real name and post your data from that connection.

  26. the magic rule by slashmydots · · Score: 1

    The magic rule of anonymity on Tor is don't go to websites that will actively attempt to use code to find out who you are... oh, and don't log in as your actual first and last name on the worst website for privacy on the entire internet. That's probably a rule too.

  27. Network = KnownStuff by NotQuiteReal · · Score: 1

    When you push the Enter button, it goes somewhere, you know not where.

    --
    This issue is a bit more complicated than you think.
  28. SSL? by hobarrera · · Score: 1

    Wasn't it like 10 days ago that we saw the demise of SSL 3.0, the last version still alive?
    Yesterday we had news of Chrome dropping support for it.

    Now Facebook is setting up new servers that use it?

    1. Re:SSL? by Kiwikwi · · Score: 1

      Wasn't it like 10 days ago that we saw the demise of SSL 3.0, the last version still alive? Yesterday we had news of Chrome dropping support for it.

      Now Facebook is setting up new servers that use it?

      SSL 3.0 is from 1996. The latest version of SSL is called TLS 1.2 and is from 2008, with 1.3 under development.