Slashdot Mirror


How Shari Steele Plans To Take Tor Mainstream

blottsie writes: Over her career, Shari Steele has taken on the United States Department of Justice, the National Security Agency, and the Federal Bureau of Investigation. She built the Electronic Frontier Foundation into an international powerhouse for protecting online rights. Today, she has a new mission, perhaps her heaviest challenge yet: Take the Internet's most powerful privacy tool mainstream. From the Daily Dot article linked, a hint of one reason that bringing Tor mainstream isn't straightforward: At the heart of Tor's image problems are what's known as "hidden services" -- sites that are only accessible through the Tor network. Hidden services have been home to drug and gun marketplaces, child pornography forums, fraud and hacking sites, and sites where you can place bets on when a high-profile target may be assassinated. While the media tends to focus on the nefarious elements Tor enables, hidden services make up only about 1 percent of the Tor network, according to Steele, and are in no way operated by the Tor Project.

"I'm trying to teach everyone that we need to recognize that we are doing the work of the angels," Steele says. "What we are providing is really important and really great, and there happen to be uses that are residual that aren't what we're doing. We're not creating this for [illegal activity]. And OK, maybe it's being used for that, but that's not what we're about!"

94 comments

  1. 1 percenters by Stormcrow309 · · Score: 1

    Great, we will have geeks getting stomped by bikers for wearing 1%ers patches.

    --

    In God we trust, all others require data.

    1. Re:1 percenters by VernonNemitz · · Score: 3, Interesting

      Nevertheless, the fact remains that anything that can be used can also be abused. A pillow can be a murder weapon or help you sleep better. An H-bomb can deflect a dangerous asteroid or destroy a city. Water is problematic. :) Government can be tyrannical or ...hmmm!. And so on.

    2. Re:1 percenters by Anonymous Coward · · Score: 0

      We make dangerous pillows comply to safety standards, nuclear bombs are highly restricted, and water supplies are very regulated.

      Hmm. Hmm. Hmm. Hmm. Hmm.

    3. Re:1 percenters by Anonymous Coward · · Score: 0

      Using a nuclear weapon in an attempt to deflect an asteroid.

      Yeah, that'll work out well...

    4. Re:1 percenters by Maritz · · Score: 2

      Show me the safety standard-compliant pillow that cannot be used to suffocate someone.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    5. Re:1 percenters by Anonymous Coward · · Score: 0

      When no one has pillows, only criminals will have pillows....

  2. More like 'Plans to ruin Tor forever' by Anonymous Coward · · Score: 0

    Oh, I'm sure in their efforts to take Tor 'mainstream', they'll also poke holes in its otherwise inherent security 'for the sake of security and FOR GOD'S SAKE THINK OF THE CHILDREN!'. Politicians, police, and especially the intelligentsia (aka secret police) already want all encryption banned, so obviously this new 'mainstream' version of Tor will include a way for all of them to determine who is using Tor, when, for what, and especially who is running exit nodes. May as well just abandon it now, unless you want to get put on a watchlist (if you aren't already). Of course it's not lost on me that Tor likely has already been compromised to the point where it's basically useless for the purpose it was originally intended. Oh well maybe someone else will start up something similar and manage to keep a lid on it longer before government assholes get their mitts on it and fuck it all up.

    1. Re:More like 'Plans to ruin Tor forever' by Narcocide · · Score: 1

      You don't have any idea who/what the EFF actually is/does, do you?

    2. Re:More like 'Plans to ruin Tor forever' by Anonymous Coward · · Score: 0

      You don't know who the U.S. Military actually is/does, do you? That's who developed Tor in the first place. It's been getting way, way too much attention lately, and now someone is going to 'take it mainstream'? THEY. WILL. RUIN. IT. It'll end up just another surveillance tool/honeypot. Mark my words!

    3. Re:More like 'Plans to ruin Tor forever' by KGIII · · Score: 1

      EFF and the ACLU (plus the local chapter) get donations every year - sometimes more often if I read about an issue they're needing help with funding. I am not affiliated with either but I do like to remind folks that both groups are hard at work helping with our liberties. So, if you've got a buck or two and want to help out, I'm certain they'd appreciate it.

      --
      "So long and thanks for all the fish."
    4. Re:More like 'Plans to ruin Tor forever' by beastofburdon · · Score: 1

      End up? Are you really foolish enough to think the CIA would develop a tool for anonymity and release it to the public before it was thoroughly defeated? It is only good for pirating, anything that would be subversive to the government's ambitions done on TOR will get you killed.

    5. Re:More like 'Plans to ruin Tor forever' by cold+fjord · · Score: 0

      Might I suggest you consider FIRE for a donation? They do good work, including much that the ACLU seems to have little appetite for.

      --
      much of left-wing thought is a kind of playing with fire by people who don't even know that fire is hot - George Orwell
    6. Re:More like 'Plans to ruin Tor forever' by KGIII · · Score: 1

      Thank you. I was, until now, entirely unfamiliar with them. They look like they might be a worthy cause. Free speech means protecting the speech that is not preferred and these folks get funding from the government. So, it's a noble goal and I thank you for bringing it to my attention. I'm in the process of getting some BTC, where I'll wash it, and then I'll push it on to them anonymously in chunks over the weekend and into the coming week*. I need neither a shirt nor recognition. I care not about the tax write-off, I generally exceed the allowed amount anyhow.

      I'll avoid mentioning a specific total but they'll get a good chunk - as I may not remember to donate until next year (I have put it into my calendar so it will remind me to check again in a year). But, suffice to say, it's a goodly chunk and would net a number of t-shirts. They look like a worthy cause and, I repeat myself, thank you for bringing them to my attention. They'll be put into the yearly cycle which is usually appreciated by the organizations. I also try to keep to a budget every month - and what's excess gets donated, sometimes at almost random(ish) and between the groups that I keep in mind.

      * Why spread out? Meh, it's a privacy thing. I like anonymity with some things. Or at least not being able to make certain attributions. I've found that doing so means that I don't get as many heart-felt requests (even after ensuring I ticked the box to not subscribe to such) from various groups. I know, pretty factually, that more than one group has shared my email address - I use catch-all and then use a custom email address that indicates the source. I've had this happen multiple times and those groups no longer get donations.

      --
      "So long and thanks for all the fish."
  3. Well, I don't blame the gunmaker by NotDrWho · · Score: 1

    For how someone uses the gun.

    But still, you have to wonder about a large-scale gunrunner who knows that his guns are being used to kill civilians in some civil war.

    --
    SJW's don't eliminate discrimination. They just expropriate it for themselves.
    1. Re:Well, I don't blame the gunmaker by Krishnoid · · Score: 2

      I'll bet he gets maimed by one of his own munitions, then captured by guerilla forces, and has to wear an electromagnet in his chest to keep metal from entering his heart. Hopefully he learns from this and uses his knowledge for good instead of evil. You know, an ironic sort of punishment.

    2. Re:Well, I don't blame the gunmaker by DogDude · · Score: 3, Funny

      Sir, put down the Glenn Beck, and slowly walk away.

      --
      I don't respond to AC's.
    3. Re:Well, I don't blame the gunmaker by Anonymous Coward · · Score: 0

      If you'll pick up the Constitution and a history book (and READ THEM) then we have a deal.

    4. Re:Well, I don't blame the gunmaker by Anonymous Coward · · Score: 0

      If you'll admit that the political situation of 1800 isn't even remotely comparable to that of 2016, and to pretend otherwise is borderline criminally negligent, you're on.

    5. Re:Well, I don't blame the gunmaker by bigfinger76 · · Score: 1

      Pretending that humans have evolved dramatically in that time is also a boner move.

    6. Re:Well, I don't blame the gunmaker by Anonymous Coward · · Score: 0

      Lol I did read the constitution I doubt you have.

    7. Re: Well, I don't blame the gunmaker by Anonymous Coward · · Score: 0

      Humans haven't. Guns have.

    8. Re: Well, I don't blame the gunmaker by Narcocide · · Score: 1

      All of you, stop trying to turn this into a discussion about guns. This conversation is about network security. The two technologies could not be more fundamentally different.

    9. Re:Well, I don't blame the gunmaker by Narcocide · · Score: 1

      Aside from your cute reference to the plot of Ironman, this STILL HAS NOTHING TO DO WITH NETWORK SECURITY.

    10. Re:Well, I don't blame the gunmaker by Opportunist · · Score: 1

      You really think your gun would stop the biggest military (by a margin and then some) on the planet from infringing on what you perceive to be your rights? They'll blow a hole into your history book and your constitution before you can yammer anything about having any kind of "right".

      You have no rights anymore. You have privileges. And only until they happen to be in the way of someone important. Then they will simply be removed. The main reason you have that oh so important right to bear arms (or arm bears, I keep forgetting) is that it doesn't matter to anyone in power.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    11. Re:Well, I don't blame the gunmaker by Maritz · · Score: 1

      Your bushmaster will really come in handy when a drone-launched hellfire missile is screeching towards your house. lol. If it's about defending yourselves from the government shouldn't you have, at a minimum, tanks? APCs? Something like that?

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    12. Re: Well, I don't blame the gunmaker by Anonymous Coward · · Score: 0

      You need a motorcycle, a sidecar, an atomic bomb, and a deadman's switch at the very least just to start.

    13. Re: Well, I don't blame the gunmaker by beastofburdon · · Score: 0

      Don't forget about the part where the gun can be disabled wirelessly so that you can never challenge the government.

    14. Re:Well, I don't blame the gunmaker by beastofburdon · · Score: 1

      And that is why we have gun control, so that it is much harder to oppose the government.

    15. Re:Well, I don't blame the gunmaker by beastofburdon · · Score: 1

      You dumb shit. The point of the right to bear arms is so that a very large group of citizens can overthrow the corrupt government, not a single moron with mental issues. By the way, we can still take on the military. Our government will do anything they can (propaganda) to make us think that we are powerless, but that is just a ruse. And you are here trying to propagate that propaganda. Oh, and the reason they haven't taken that right away completely yet, is that they know they will die for it. There is no other reason.

    16. Re:Well, I don't blame the gunmaker by wyHunter · · Score: 1

      He's a lefty so that's not likely.

    17. Re:Well, I don't blame the gunmaker by RockDoctor · · Score: 1

      you have to wonder about a large-scale gunrunner who knows that his guns are being used to kill civilians in some civil war.

      What do you have to wonder about them? They're making a profit, aren't they? And that is their job.

      --
      Birds are not dinosaur descendants;birds are dinosaurs, for all useful meanings of "birds", "are" and "dinosaurs"
    18. Re: Well, I don't blame the gunmaker by Anonymous Coward · · Score: 0

      Don't forget about the part where the gun can be disabled wirelessly so that you can never challenge the government.

      That would be fascist.

    19. Re:Well, I don't blame the gunmaker by nbauman · · Score: 1

      Selling arms to dictatorships is just one of those things we have to put up with in life.

      http://sciencenordic.com/unite...
      The United States arms most dictatorships
      January 1, 2012 - 07:00

      You'll have to come up with a better reason than that to shut down anonymous networks.

      Like, "Because we want to control which dictatorships get arms."

    20. Re:Well, I don't blame the gunmaker by Opportunist · · Score: 1

      Dude, face it: You are powerless. You can't even get a sizable number of people to VOTE for something other than The Party, you really think that you have any chance to get a sizable number to get off their fat asses and away from their flatscreen TVs to overthrow the corrupt government? Please.

      The main reason you still have that 2nd is that it is a great tool to get some votes because the other party (i.e. the other side of The Party) wants to take your guns away, so vote for us!

      Yes, it's a propaganda element. So don't feel bad, you at least had something right. In some kinda way, at least.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  4. If you want to be on an NSA watchlist... by NoNonAlphaCharsHere · · Score: 1

    ...set up a Tor relay node. Easy peasy.

    1. Re:If you want to be on an NSA watchlist... by Narcocide · · Score: 1

      I hear that pretty much any VPN or other sort of tunneling or encrypted network traffic pretty much accomplishes the same thing. Probably just posting to discussions about this type of topic on Slashdot does it too.

    2. Re:If you want to be on an NSA watchlist... by Anonymous Coward · · Score: 0

      Guess I'm on some lists then. I've been running Tor and Freenet nodes on and off since the early 2000s. Currently have one of each running on an OVH dedi that I control (modern Xeons handle it like a champ, over and above the intended purpose of the server) and I ran both from my home cable and DSL for years and years too (not an exit node, except for an accidental week once that led to no issues.)

      I've also spent a lot of time over the years hanging out with drug dealer types of varying size and success levels, and have had plenty of scrutiny directed my way for it.

      For the record, it has had zero effect on my ability to find employment, or travel to and from the US via airports as recently as 2015 (I'm Canadian.)

  5. Lets blame Microsoft or Apple then by Anonymous Coward · · Score: 0

    Blaming Tor for the illegal sites is like blaming Microsoft or Apple for letting people use those computers for illegal activity.

  6. Didn't the NSA already break Tor? by JustNiz · · Score: 1

    I'm fairly sure that I read somewhere quite a while back that Tor was already broken by one or other of the organs of the US government, and some people doing something illegal via Tor got caught and prosecuted. No?

    1. Re:Didn't the NSA already break Tor? by Iamthecheese · · Score: 2

      No. I'm not saying it's not broken, I read a paper some years ago showing that Tor can be compromised by anyone owning 50% of the nodes. Using fast nodes can cut that percentage significantly. At the time there were, IIRC, 2400 total Tor nodes. So to say Tor wasn't compromised would be to say the US government didn't have the means and will to set up 1200 systems in various places as Tor nodes. I don't know how many nodes there are now but if it's not in the hundreds of thousands, I would bet my ass the whole network is compromised.

      But the people who were caught were caught because they leaked personal information in various forms, or downloaded a script that directly leaked their IPs. It wasn't a weakness in the network. My guess is Tor intelligence is mostly being used for actual national security work: tracking down known terrorists who are dumb enough to rely on Tor for anonymity. There's got to be some parallel construction happening as well, but I think they only use it for serious stuff.

      --
      If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    2. Re:Didn't the NSA already break Tor? by Anonymous Coward · · Score: 0

      I'm fairly sure that I read somewhere quite a while back that Tor was already broken by one or other of the organs of the US government,

      Well yes you likely did read that, also likely more than once.
      The NSA does keep claiming to have broken Tor, however they have never once demonstrated this ever, including the examples fitting your description.

      and some people doing something illegal via Tor got caught and prosecuted. No?

      Yes, a few times, but not once due to decrypting Tor traffic in the middle.

      In one case they exploited the web server itself and gained root. While technically yes that is "decrypting tor", that is also exactly where the decryption is supposed to happen when functioning correctly, so I don't really count that as Tor has nothing to do with it.
      SSL or TLS on the regular https internet can be bypassed if you have access to the server too.

      In the other case an undercover FBI agent infiltrated the drug ring group and gained all their evidence for court that way.
      That too is not the fault of encryption failing or not. If you were a cop and I admit and mostly prove my crimes to you, it doesn't really matter if I send that to you encrypted with full intent you are going to decrypt it or not.

      Now what the NSA *has* done is set up and run a large number of Tor exit nodes, so they can monitor traffic people send through Tor with the intent the traffic exits Tor and enters the Internet again in plain text.
      This too is not a failing of Tor, it is one of the bullet point listed issues Tor does not and can not address, so no one should expect that.

      If the software states "clicking button X does action Y" and lo-and-behold clicking button X actually does action Y, that isn't a failing, despite the claims of those who for some reason state things in reverse form from the documentation.
      (Fairly normal for slashdot however. "Hmm, the docs say it does A and only A. I know, I'll keep saying over and over that it can't possibly do A, and lie saying the devs claimed it would do B C and D when in fact that never happened! Now I will look smrt!")

    3. Re:Didn't the NSA already break Tor? by gweihir · · Score: 1

      It is not. Get your facts straight.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    4. Re:Didn't the NSA already break Tor? by JustNiz · · Score: 1

      I may not be totally correct about Tor but at least I'm not an arrogant dick like you.

    5. Re:Didn't the NSA already break Tor? by tlhIngan · · Score: 1

      I'm fairly sure that I read somewhere quite a while back that Tor was already broken by one or other of the organs of the US government, and some people doing something illegal via Tor got caught and prosecuted. No?

      Well, it's not Tor itself that's the problem; it's poor OpSec that was the issue causing the identity of the site owner to leak out. And there's another one involving an Apache module that is configured to listen to requests from localhost by default, except that Tor dark sites do exactly that so it went from a proper configuration to a vulnerability.

      And reportedly, the NSA owns a LOT of exit nodes which they use to monitor traffic. But that's not unexpected - Tor exit node traffic is easily monitored (you can't even trust SSL) by the exit node and poor OpSec again will lead to Tor users being identified.

      In short, get everyone to use Tor and they'll be easily identifiable as they start using Facebook, social networking, as well as e-commerce and everything else.

      You can only be anonymous by also being anonymous.

    6. Re:Didn't the NSA already break Tor? by gweihir · · Score: 0

      You are clueless and shoot off your mouth and the person pointing it out is an "arrogant dick"? Are you campaigning for equal credibility for idiots and morons or what?

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    7. Re:Didn't the NSA already break Tor? by AHuxley · · Score: 1

      Onion routing vs Tempora https://en.wikipedia.org/wiki/... would show that in a nation every packet in and out can be reconciled.
      The US gov origins and fronts for funding for onion routing to help US backed NGOs, spies, freedom groups, color revolutions.
      https://pando.com/2014/07/16/t...
      As for the NSA, GCHQ? Why would anything the US gov created be left out of their reach? Collect it all is the mission. A lot of nations globally have given or got asked or offered to share their entire telco systems and networks with the US and UK. Hard to escape that computer power and shared bases, collection sites.

      The next question is US state and federal law enforcement budgets, if onion routing fails at that low cost, any well funded nation can do the same.
      How?
      Equipment interference, i.e. getting bespoke gov malware to the user via some induced interaction, seems to be the method that's hinted at.
      The vocal supporters of onion routing will push news that the method as designed is still good but more and more open court sessions show issues surrounding real IPs being discovered on a per case funding level. Federal police can pay the costs per year, per case that's lower than spy budgets with billions to spend on contractors.
      If the method offered can't secure all packets in and out of a computer network, OS, a real IP will leak.
      A link that's a trap or expensive total network overview, the result of an IP leak is the same.

      --
      Domestic spying is now "Benign Information Gathering"
    8. Re:Didn't the NSA already break Tor? by cavreader · · Score: 1

      "The NSA does keep claiming to have broken Tor"
      The NSA has never made such a claim and there is no evidence that TOR has been broken by the NSA or anyone else.

      However, I wouldn't be surprised if the NSA could figure out how to compromise TOR since the government has been involved with the TOR project since its inception. It was originally designed and built by the US Naval Research Laboratory. Their stated purpose at the time was to protect US intelligence communications. Onion routing was originally developed by DARPA in 1997. And the US is the largest donor to the TOR project providing almost 40% of the project budget.

    9. Re:Didn't the NSA already break Tor? by KGIII · · Score: 2

      Gotta be honest here... You're really being the dick in this situation. Read their post again. Note the question mark? Heaven forfend, someone try to learn something when we're always telling people that if they don't know they should ask and learn. (Or just directing them to the manual.) However, in all fairness, a number of articles have made it a bit confusing and one might believe that TOR has been broken. By all accounts, it hasn't so long as you remain on the .onion domains. Exiting the network might be visible with traffic shaping and timing detection methods. It also confers no benefit to those who do not secure their browser and are leaking personal information. I can see how that would be confusing.

      You could have, of course, just told 'em that but you had to feel superior, huh? Kids these days. ;-) But yeah, you're kind of a dick tonight.

      --
      "So long and thanks for all the fish."
    10. Re:Didn't the NSA already break Tor? by JustNiz · · Score: 1

      >> You are clueless and shoot off your mouth
      No, I simply asked a question.

      >> and the person pointing it out is an "arrogant dick"?
      exactly. See the way you did it, both originally and just then.

      >> Are you campaigning for equal credibility for idiots and morons or what?
      Thanks for just further confirming my assertion that you are, in fact, an arrogant dick.

    11. Re:Didn't the NSA already break Tor? by Anonymous Coward · · Score: 0

      " Equipment interference ie getting bespoke gov malware to the user via some induced interaction seems to be the method thats hinted at. "

      >Must accept any interference received.

      Govt backdoors are mandated.
      (Intel Vpro, Amd's version, etc)

    12. Re:Didn't the NSA already break Tor? by Anonymous Coward · · Score: 0

      Yeah, I'm sure they press released it, because the NSA loves to tell everyone about their successes.

      In all seriousness, the issue is that they can see the traffic for more or less 100% of the internet. Things are easier to correlate when you have that kind of access.

      You're probably thinking of the whole Silk Road mess a few years back. Ignore all the bullshit you read about "parallel construction" and buzzwords like that. The Silk Road owner fell because his OPSEC was terrible and he actually brought up Silk Road to Customs Agents on at least one occasion. When somebody (who worked for the IRS oddly enough) finally connected the dots through some basic investigative work, that fucker was put under full surveillance and he was basically fucked at that point. His arrest and prosecution wasn't about Tor security.

    13. Re:Didn't the NSA already break Tor? by Maritz · · Score: 1

      If the NSA broke Tor, they would not say that. They would be fucking encouraging people to use it if they'd broken it.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    14. Re:Didn't the NSA already break Tor? by Maritz · · Score: 1

      Sadly the general tone of Slashdot seems to lean in that direction.

      --
      I do not want your cheap brainburning drugs. They are useless for work. And I am a working man today.
    15. Re:Didn't the NSA already break Tor? by MrNiceguy_KS · · Score: 1

      In short, get everyone to use Tor and they'll be easily identifiable as they start using Facebook, social networking, as well as e-commerce and everything else.

      I think the whole point of this exercise is to make Tor usage as widespread as possible. Right now, I'd imagine that Tor usage is an immediate red flag for further attention. But if you get millions of people using Tor for social networking, e-commerce, and other general, innocuous purposes, then it becomes just another security precaution, no more suspicious than having your phone PIN-locked.

      This is partly the reason I make it a point to use Tor on a semi-regular basis myself.

      --
      Redundancy is good And also good.
    16. Re:Didn't the NSA already break Tor? by KGIII · · Score: 1

      I won't argue but I will add that you're right, it's not uncommon. However, I've communicated with 'em before and they're usually not a dick. Even I'm a dick sometimes. Though, often it's my poor articulation that makes it seem like it was intentional but sometimes I'm still a dick. I suspect they were just grumpy or drunk. ;-)

      --
      "So long and thanks for all the fish."
    17. Re:Didn't the NSA already break Tor? by Anonymous Coward · · Score: 0

      The NSA has been accorded god-like status when it comes to hacking and monitoring electronic communications but their focus is very narrow. If you show up on the NSA or CIA's radar they can use their toolset to target a specific person or a specific group. What is amusing is that the government is just as vulnerable as the average citizen when it comes to cyber attacks. The US government is at the top of the list when it comes to the number of attacks from individuals and foreign governments. US corporations are also prime targets for industrial espionage as well. All you hear about is the US espionage abilities with nary a mention of all the other countries on the planet who do the exact same thing.

  7. Why? by Anonymous Coward · · Score: 0

    What does my mom need Tor for?

    1. Re:Why? by Anonymous Coward · · Score: 1

      You don't want to know.

  8. Re:For whose still unknown about Tor... This is: by reboot246 · · Score: 0

    Not me. When I saw her photo, I thought at first that it was Bruce Jenner!

    Sorry, I calls 'em as I sees 'em.

  9. Mole by Anonymous Coward · · Score: 0

    Seems awfully philanthropic for something capable of being so lucrative. Follow the cheese. I really want to believe this is truly altruistic intent but I'm sensing otherwise.

  10. Re:For whose still unknown about Tor... This is: by wjcofkc · · Score: 1

    Do I mod you up? Do I mod you down? Funny or Troll? Fuck it, I'll just post and admit that was my very first thought too.

    --
    Brought to you by Carl's Junior.
  11. Re:For whose still unknown about Tor... This is: by Anonymous Coward · · Score: 1

    Oh we are on reddit now.

  12. The work of angels? by dsmatthews9379 · · Score: 1

    Angels are the, sometimes murderous, henchmen of the universal dictator. Biblical metaphors are never a good idea, except in sermons to people that welcome being preached at.

  13. Re:For whose still unknown about Tor... This is: by Anonymous Coward · · Score: 1

    Yeah ... it's important that women - particularly those in the public eye - match up to expectations on sexual attractiveness. Otherwise, how will guys know who to mate with?

    Why can't people be even a little bit nice?

  14. Re:For whose still unknown about Tor... This is: by R3d+M3rcury · · Score: 1

    Actually, I was thinking of Roger Daltrey.

  15. My problems with it. by waspleg · · Score: 3, Interesting

    I'm a big advocate for TOR and what they try to do but there are some big obstacles.

    * Speed sucks.
    * There are no good search engines.
    * Exit nodes are widely blocked and/or monitored.

    I saw a good BBC documentary that explains TOR in laymen's terms https://www.youtube.com/watch?v=rZhmuGVSdaY if anyone is interested.

    1. Re:My problems with it. by Anonymous Coward · · Score: 1

      It sounds like you haven't used it in a while. It's gotten a lot better. Tor is really fast now and while sites blocking exit nodes is a problem it's probably more important that hidden service work be improved. There are ways to get around sites that block Tor for those who actually need to access public web sites over Tor. On the other hand the people who really need to remain anonymous in order to publish content have no such ability to protect themselves adequately against attack. It's the weak spot of Tor. It's the real reason it exists. Unfortunately the funding isn't coming from those who want to protect users' privacy so much as those who want to ensure they can utilize it as a tool to investigate crime, enemies of state, and similar. I do think we can fix the site blocking problem, but it will take change in the software and/or a lot more outreach with organizations. Adding a sufficient number of exit IP addresses should solve this problem. However that'll require recruiting larger more organizations and large organizations to participate in running Tor exit nodes. Organizations that have lots of IP addresses. Examples of places we could potentially run Tor exit nodes and expand the number of exit IP addresses: Libraries. And guess what, there is something called the Library Freedom Project (.org) that is doing just that! But they do need a lot more help.

    2. Re:My problems with it. by Anonymous Coward · · Score: 0

      My speed within TOR is great!!! For example, I use bittorrent within strictly onionland (no exits, exactly like I2P, in fact, we're linked into I2P as well), and can torrent an entire uncompressed full raw vob DVD-9 rip in well under a day. Turns out, since I only have about an hour or so free time a day, and only watch one or two movies a week, the average 90 minute movie per day suits me more than fine :)
      TOR isn't slow at all, you're just too impatient and bad at scheduling, fix that up a bit and you'll be just fine.

    3. Re:My problems with it. by AmiMoJo · · Score: 1

      Speed is okay for general browsing, especially since you would normally have full ad-blocking enabled and scripts disabled. For searching, I presume you mean for hidden services because google works with Tor, and well... Maybe the reason most of those sites don't make themselves available for indexing by search engines is because they don't want to be found that way.

      As for exit node monitoring, it's really only an issue for n00bs. Maybe the Tor Browser bundle should block non-HTTPS sites by default.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

  16. 1/3 Image, 1/3 Society,1/3 Tech by Voyager529 · · Score: 4, Interesting

    Tor's issues with respect to going mainstream, in my opinion, are as follows:

    1.) It's complicated. Yes, it can be streamlined, which is the goal, but even if it were, it's still inherently more complicated than "not using Tor".
    2.) No need. "I'm just browsing Facebook and paying bills online...and if someone is really snooping that traffic, what difference does it make?"
    3.) Location data is convenient. As much as I hate Google tracking me, I'd much prefer knowing about restaurants near me when I'm hungry, than ones in Malaysia.
    4.) Many people's first encounters with Tor are the result of ransomware...which are usually a traumatic experience. That's not exactly great marketing.
    5.) Tor slows down browsing significantly; adding additional users would exacerbate the issue.
    6.) Even the "good guys" have questions about the utility of Tor (compromised exit nodes, honeypots, etc.)
    7.) Tricky on mobile devices.

    Honestly, I see Tor's problems having much less to do with technological problems than with sociological ones. For most people, Shari would have to establish a need for them to use Tor. I don't see her being effective in that - not because of who she is, but because of her audience.

    1. Re:1/3 Image, 1/3 Society,1/3 Tech by tnk1 · · Score: 3, Interesting

      Tor is useful when you need it and really have no better choice, but it's not going to be a mass solution. There are too many things you have to get right for it to work the way it is intended and not expose you to discovery.

      And yes, it is slow. Painfully slow.

      Another thing I consider when I look at encrypted or otherwise more purposely "secure" transmission methods is that if you're using them, you're now in a group of people that is passing more "interesting" traffic. Observers may or may not be able to read what you are saying, but they're a whole lot more interested in whatever it is you are saying, if you show that you're taking more than the usual precautions with it.

      It also means that even if they can't see you, there are specific Tor .onion sites which are only a small subset of the Internet, and those sites can become infected with malware that talks back to the investigators, as it has been seen in the past. In that way, a Tor user may be more likely to get caught in the dragnet and investigated. And it doesn't have to be something like a Silk Road type of site either, although you're certainly a target if you look at one of those kinds of sites.

      So, when I hear of people trying to take this sort of thing mainstream, I can totally see why you'd want to do that. It makes it less likely that you're a higher priority surveillance target just for using it.

      Unfortunately, most people have to have a good reason to be inconvenienced in this manner during normal transmission of data because they just want to send a message or look at a site and don't care who knows where they browse. We'll need something a lot more user friendly (and more secure) than Tor for that sort of adoption.

    2. Re:1/3 Image, 1/3 Society,1/3 Tech by Snotnose · · Score: 1

      5.) Tor slows down browsing significantly; adding additional users would exacerbate the issue.

      This. I've tried to use Tor several times over the last 10 years, it's always been so slow I gave up on it before getting 3-4 pages.

    3. Re:1/3 Image, 1/3 Society,1/3 Tech by Anonymous Coward · · Score: 1

      1) My grandmother thought the VCR was complicated
      2) "what difference does it make?" Is that you Hillary? (It makes a lot of difference, I'll spare you the details)
      3) Having the restaurants location data and knowing where it is in relationship to yourself is convenient. ____, inc recording and storing the details of your location is the problem
      4) In my life, sadly of which too much is spent online, I have never encountered 'Tor ransomware'. But maybe this is a reality for some?
      5) My understanding of Tor is limited, but by reading what is published it sounds like the problem with tor performance is similar to the problem Verizon has with a fraction of a percentage of its data plan (ab)users: a few dumbasses downloading pirate bay torrents kills the experience for everyone else.
      6) Again limited understanding of tor, but wouldn't more users help the anonymity problem more than hurt it?
      7) https://play.google.com/store/apps/details?id=org.torproject.android

    4. Re:1/3 Image, 1/3 Society,1/3 Tech by Voyager529 · · Score: 1

      1) My grandmother thought the VCR was complicated

      Yes, there will always be those who cannot adapt. However, the problem attempting to be solved is that there is a majority of people for whom Tor is prohibitively complicated.

      2) "what difference does it make?" Is that you Hillary? (It makes a lot of difference, I'll spare you the details)

      No, it's not Hillary. I too know it makes a difference. The problem is that the perception of the implications for most people is that they are trivial. Hence, why this is a social issue as much as a technological one.

      3) Having the restaurants location data and knowing where it is in relationship to yourself is convenient. ____, inc recording and storing the details of your location is the problem

      Yes, but Tor doesn't solve this problem. Running a Google search through Tor will show me restaurants near the exit node rather than my actual location, and then store that data.

      4) In my life, sadly of which too much is spent online, I have never encountered 'Tor ransomware'. But maybe this is a reality for some?

      I fix computers for dozens of people, from home users to small businesses. I've run into ransomware a number of times, and almost invariably, the instructions were basically, "send 0.5 Bitcoin using this Tor address...", or some approximation thereof. Clearly, not the EFF's fault this happens, or that it happens that way...but when the two most common ways people hear about Tor are "Silk Road" and "Cryptowall", it's difficult to argue that the battle to legitimize Tor in the court of public opinion is a steeply uphill one.

      5) My understanding of Tor is limited, but by reading what is published it sounds like the problem with tor performance is similar to the problem Verizon has with a fraction of a percentage of its data plan (ab)users: a few dumbasses downloading pirate bay torrents kills the experience for everyone else.

      That may well be the case. Unfortunately, there's no meaningful way to prohibit that sort of use.

      6) Again limited understanding of tor, but wouldn't more users help the anonymity problem more than hurt it?

      Tor isn't like Bittorrent - there are lots more 'leechers' than 'seeders'. Using a Tor browser does not also require you to be an exit node, and being an exit node means that you may be legally liable for the traffic, depending on jurisdiction. Even if not, it means that your bandwidth will constantly be saturated by other people's data. Thus, there's every disincentive to be one.

      7) https://play.google.com/store/...

      Android is the easy one. iOS...not so much.

    5. Re:1/3 Image, 1/3 Society,1/3 Tech by Anonymous Coward · · Score: 0

      Your perspective is exaggerated. Anybody who has ever visited a "foreign" site is on one or another of the NSA's lists. While it is true that a lot of people do use Tor for purposes that might be investigated the reality is there are a lot more mundane users. For instance buying drugs on Silk Road doesn't lead to the arrest of drug buyers. It only leads to the arrest of drug dealers. Drug dealers already have a problem and Tor *does help* reduce their attack surface area. It may not be perceived as a good thing that there is illegal activity going over the Tor net, but it does help mask those of us who really do need to remain anonymous.

      Tor hidden sites are the least perfect tool for anonymity. They do a poor job hiding the server operator even if it's as good as it gets. That's something which they are hoping to work on though and will be improved going forward with enough new user-funded financial support. The people who need Tor need to be able to blend in and these illegal users give those who actually need anonymity that anonymity. I say if you're utilizing Tor for illegal activities of any sort you're helping broaden the user base and in turn doing the world a favour by helping people who are oppressed, whistle blowing, etc. You're helping people in the middle east escape oppression. Hell, you're helping people in the United States escape oppression. The reality is while Tor is being used for illegal stuff what you consider illegal somebody else calls oppression. There probably are great examples of crimes being committed over Tor that almost nobody in the United States would object to. Would you object to an oppressed queer escaping the middle east, or what about a woman with a child escaping that oppression?

      Tor does a lot of good and the reality is the majority of 'criminal' activity on Tor doesn't actually result in harm to anybody. It's morally objectionable that we lock people up for non-violent behaviour. There is far more of that which goes on that harms nobody. It just gets projected as 'drug dealers kill people! drug dealers ruin peoples lives! we can't have that!'. Drug dealers don't force drugs on people. Drug dealers online at best can supply those drugs. They can't make you take them.

      Or the 'think of the children' crowd. Well, I hate to break it to people, but unmasking people who look at illegal porn won't help stop child molestation or stop harmful sorts of sex trafficking. The only thing you can say for sure is a paedophile jacking off to kiddie porn isn't out molesting children. There may be a small handful that do both- but Tor isn't exactly preventing the real rapists from being arrested. The paedophiles who rape have to enter the real world and solving that problem comes down to enabling kids to speak out about oppression and victimization! It's something Tor actually enables too.

    6. Re:1/3 Image, 1/3 Society,1/3 Tech by Anonymous Coward · · Score: 0

      Tor is awesome at three things only:
      a) keeping two endpoints from knowing the IP address of the other
      b) encrypting your data in transit to whatever the last TOR node is
      c) giving you an exit IP address wherever in the world you want
      A and B apply to client 2 exit and client 2 hidden_service.

      Tor is horrible and does absolutely nothing against timing and correlation attacks by passive adversaries.
      Tor refuses to add full time full channel fill traffic that would begin to solve this issue.
      Admittedly Tor was never designed to include that, and their mentality is naturally legacy there, but their other 'reasons' for not even talking about doing it range from lame to fishy.

      And of course, unless you know what you're doing, Tor transports only IPv4-TCP, which sucks balls as far as getting anything that's not that to work with it.

    7. Re:1/3 Image, 1/3 Society,1/3 Tech by AmiMoJo · · Score: 1

      I think perhaps you misunderstand the goal of Tor. It's not really aiming to be the default way people browse the web. We should concentrate on other technologies for that, like making sure everywhere uses HTTPS properly.

      Tor is ideal for low bandwidth stuff like messaging and browsing simple but important web sites. It's useful when you need to communicate privately and securely, even if it isn't always perfect. So there are two important points here:

      1. Even if it isn't always used perfectly, it still prevents most adversaries from identifying you because the equipment and skill needed to subvert it is beyond the means of, say, most law enforcement. This can still be improved but is very important for people who live in places where law enforcement is a threat to their safety.

      2. Merely by existing and being an option, it makes people realize that their normal communications are not secure.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC

    8. Re:1/3 Image, 1/3 Society,1/3 Tech by houghi · · Score: 1

      3.) Location data is convenient. As much as I hate Google tracking me, I'd much prefer knowing about restaurants near me when I'm hungry, than ones in Malaysia.

      When I am hungry, I can type in 'City' and get it.

      What I dislike about it is how it is NOT used to help me. Filling out an address and they ask for a state? Where I live we have no states.

      And looking at Google: I understand that you want me to use google.TLD, but do NOT assume that I want to see something in a certain language depending on my location. I want it in English, just like my browser's main and only language is. Next to that, I work in a bi-lingual city and they WILL get it wrong.
      So for the love of whatever you pray to, use the language setting in the browser, or are you already taking so much data, you can not use that?

      Concerning TOR, I won't be using it, because I am sure it does not matter. I'd rather know I am being followed than hope that I am not.

      It might take off if it becomes something that is default. A bit like pgp. Not that hard to use, but nobody uses it, because it is not already installed (and I would want to use it only for the signature, so I know my bank is my bank). So a bit like Linux. No pre-install, no desktop year. Pre-install and everybody uses it killing Windows (Android/Apple)

      --
      Don't fight for your country, if your country does not fight for you.

  17. Re:For whose still unknown about Tor... This is: by Anonymous Coward · · Score: 0

    Heh... Glad I scrolled down. I was gonna say, "That guy from The Who. I can't remember his name."

  18. Corporate TOR sponsorship by Anomalyst · · Score: 1

    They need to petition large/multinational corporations like BK, MickyD, Pepsico, Walmart, etc to install tor exit nodes at all their retail locations and make available something like an all inclusive Raspberry Pi package with a rolling distro configured to auto-update to keep it secure. Maybe with a bitcoin full node as well. Call it the Raspberry Freedom with the audio catch phrase "PHHHHHHHT" raspberry sound (distinctly discernible from the farting apps constituting so much of what's available for apple products, please).

    --
    There is no right to feel safe thru security vaudeville at the expense of everyone's freedom, privacy and tax money.

  19. Re:For whose still unknown about Tor... This is: by Opportunist · · Score: 1

    Make it 5 and I'll fire up Photoshop.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.

  20. Tor's image by Anonymous Coward · · Score: 0

    I'd say there's a problem with how the mainstream perceives tor. "A browser for illegal websites" is how one of my most tech-savvy friends described it.

  21. I2P? by Anonymous Coward · · Score: 0

    From the article:
    "a recent attack on Tor, led by Carnegie Mellon University and funded by the FBI, allowed law enforcement to unmask users."

    Then why set up any new "hidden service" within TOR instead of I2P?

    I wonder if any of these new block chain distributed decentralized files systems technologies get implemented with hidden services in TOR or I2P, such as filecoin or Storj.

  22. Comment by WallyL · · Score: 1

    So unrelated to the story specifically, but this is a discussion about a woman in technology who actually does stuff? She's not complaining about SJW issues; she's out there fighting the fight with us-- for us! So for once, we can relax and not have a big feminism discussion just because a woman is doing something tech-wise.

    Thank you, Shari.

  23. Tor's problem is not hidden services by Keybounce · · Score: 1

    Tor's problem is not hidden services.

    Tor's problems:
    1. Speed sucks. Since *ANY* node can be used in the pathway, your speed is limited to the upload speed of the slowest node you are using. Since you have no control by default over which nodes are used, you cannot prevent this.

    Scarily, when I was playing/using Tor, the best results came from limiting my usage to only half a dozen nodes. Never mind the goal of security here.

    The work-around: Use an IP-like system, where your stream is sent over many links, and re-assembled at the end. Even if one link is slow, it will only handle a few packets.

    2. The goals are in conflict. Tor has *at least two different goals*.
    Goal #1: Prevent your neighbor/public lan/ISP from seeing what you are doing. This is as simple as a one-hop channel. Instead of talking to my destination, I talk to a single forwarder. Done.
    Goal #2: Prevent tracking. If I talk to a single forwarder, then a single node knows who I am, and who I am talking to. This can be prevented by a two-hop. Node #1 knows that a connection is going in from site H, and out to site 2, but doesn't know that H is the requesting host. Node #2 knows that it is talking to destination D, and host #1, but doesn't know who the requesting host is. "Perfect", right? Well, not if node 1 is doing the splitting.
    Goal #3: Provide real privacy. There's a good analysis that I don't have a link to showing that the two-hop is traceable. And if the first hop is splitting (instead of the host splitting), then the two hop doesn't have enough security. Basically, if I remember correctly: If you always change the entry and exit nodes, you will eventually have a pair controlled by an attacker, so you have to limit your switching of those. To prevent being tracked, you need a random third node in-between.

    The more nodes? The slower the speed, and a different set of attacks being defended against.
    For most people? A single hop suffices.
    For those that want light security? Two hops.
    For those that want speed? Have multiple paths, and assembly at the end.

    What kills Tor, beyond these, are things you, as a user, cannot control:

    ** Stupid websites that assume anything coming from a Tor node are attacks and delete them **.

    I mean, **stupid**. I can actually log in, with name and password, and still get "Sorry, we don't accept hackers using Tor" type messages.

    As long as sites are going to say "We can arbitrarily deny service to people who are concerned about privacy", then nothing will get fixed.

    As far as "splitting" paths go? Here's what the Tor docs say:
    > You should split each connection over many paths.
    >
    > We don't currently think this is a good idea. You see, the attacks we're worried about are at the endpoints: the adversary watches Alice (or the first hop in the path) and Bob (or the last hop in the path) and learns that they are communicating.

    Tor is concerned about the security of your communication. Tor is not concerned about the speed of your communication. As long as "Use the best possible security, regardless of speed cost" is the goal, then Tor will only be focused on people who need the best possible security -- namely, those who are taking actions against a government or large corporation.
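
Added example (not part of Keybounce's comment, and not Tor's actual path-selection code): a simplified model of the Goal #3 point above, that constantly switching entry and exit nodes eventually yields an attacker-controlled pair, while limiting the switching caps the risk. It assumes a fixed fraction `c` of relays is attacker-controlled and that relays are picked uniformly and independently; all function names are illustrative.

```python
import random

# Simplified model (assumption): a fraction c of relays is attacker-controlled,
# every pick is uniform and independent, and a circuit is "compromised" when
# both its entry and its exit relay belong to the attacker.


def p_compromised_rotating(c, n):
    """P(at least one of n circuits is compromised) with a fresh entry each time."""
    return 1.0 - (1.0 - c * c) ** n


def p_compromised_pinned(c, n):
    """Same probability when one entry relay is chosen once and kept.

    A bad entry (probability c) is exposed as soon as any exit is bad;
    a good entry (probability 1 - c) can never complete a bad pair.
    """
    return c * (1.0 - (1.0 - c) ** n)


def simulate(c, n, pinned, trials=5000, seed=1):
    """Monte Carlo check of the two closed forms above."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(trials):
        entry_bad = rng.random() < c          # initial entry pick
        for _ in range(n):
            if not pinned:
                entry_bad = rng.random() < c  # re-pick entry per circuit
            exit_bad = rng.random() < c       # exit always re-picked
            if entry_bad and exit_bad:
                hits += 1
                break
    return hits / trials


if __name__ == "__main__":
    c = 0.10  # constructed value: 10% of relays hostile
    print(f"{'circuits':>8} {'rotating':>9} {'pinned':>7}")
    for n in (1, 10, 100, 1000):
        print(f"{n:>8} {p_compromised_rotating(c, n):>9.4f} "
              f"{p_compromised_pinned(c, n):>7.4f}")
```

With rotation the chance of ever hitting a hostile entry/exit pair climbs toward 1 as circuits accumulate; with a kept entry it never exceeds `c`, which is the trade the comment describes.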

  24. That's not my department, said Wernher von Braun by mcswell · · Score: 1

    From the OP: "We're not creating this for [illegal activity]. And OK, maybe it's being used for that, but that's not what we're about!"

    https://www.youtube.com/watch?...