55 comments

[ 3.4 ms ] story [ 40.7 ms ] thread
Interesting read, but is the author someone I should know? Are they popular in the community?
I wonder how the author will live with himself knowing that he's directly facilitating all the horrible things that go on Tor. I know that I can't do that, so kudos to him.
They will think about all the good it does as well.
Same way power plant workers live with themselves, knowing that criminals use electricity too.
Not a good analogy. Most usage of Tor is either unnecessarily paranoid people, criminal enterprises, and state agencies. In fact, so far the leaks (Snowden, Wikileaks, etc) are the only cases I've heard of where Tor usage legitimately helped.

Can you say the same thing about electricity?

Again, I'm not saying that Tor should be shut down, it's just unsettling to work on something that the majority of its usage is "bad".

Union workers , journalists, security researchers, IT managers, lawyers, and judges and prosecutors are the professions of people I teach the usage and inner working of TOR to.

They all have legitimate use cases for it.

And nobody has any idea what "most" (according to which metric anyway? Bandwidth, number of connections?) of TOR usage is for.

I don't think TOR has to be justified by giving such use cases. Why can't I be a normal person and still use TOR for my browsing?
Do you have a citation that the majority of Tor usage is condemnable? I mean there’s nothing wrong with a state agency or a paranoid person browsing using Tor, for example. This is the first I’ve heard that the majority of Tor use is morally or ethically wrong.
More accurately, your opinion is that most usage of Tor is...

His analogy is spot on.

Snowden taught us the state agencies should be feared and that nobody was unnecessarily paranoid. Anyone speaking truth to power should be cautious.
The same way a lawyer who defends freedom of speech lives with themselves when a significant portion of people who invoke freedom of speech [and get in trouble for it] are terrible people promoting terrible ideas.
> unnecessarily paranoid people, criminal enterprises, and state agencies

These things are the most newsworthy which is why you hear about them most often. Don't conflate "most newsworthy" with the "most common" use case for Tor.

>> Tor usage legitimately helped.

Every time I have needed to bypass a stupid local filter to read one of my favorite news sources (torrentfreak.com). Every time I've wanted to see what my website/project looks like to people from a variety of geographically different IP addresses.

VPNs/Proxies do this job just fine though, without the additional latency/bandwidth penalty of Tor.
Good luck finding any VPNs/Proxies that isn't also used by criminals, which was the initial point you made. Tor is also different because it's a open source project, driven by their own non-profit foundation and doesn't costs any money to use. Also hard to find any VPNs/proxies that offer those things.
The difference is that criminals that use VPNs/Proxies can be easily caught, unlike Tor users.
You're talking over each other. It's plain to see. The conversation you're having rests upon the answer to the questions: "What percentage of Tor usage is malicious compared to VPN, electricity, crowbar usage, etc.? And what percentage is morally acceptable?". Just pointing out that Tor is used by some good people and some bad people some of the time is useless on its own.

Personally, I have a suspicion, that despite my love of freedom, Tor usage is probably primarily paranoid people and drugs, and a small percentage facilities anonymous exploitation of children in a way that no other technology can. I would love to be proved wrong and see some facts that Tor is actually a net good for the world.

Also one thing I've noticed is that the majority of good use cases for Tor you can achieve with just the Tor browser, whereas the majority of bad use cases you need Tor hidden services. E.g. as a journalist you can still use Tor browser to talk to your sources anonymously. But try hosting a drugs website or child porn on the clear net: you need Tor hidden services for that. Basically you'd only really use hidden services if you want to host content that is banned in every country, e.g. pedophilia or drug network. Whereas if you're a freedom fighter, why not use Tor to connect to a Wordpress website hosted in a country that's sympathetic to your cause? I just don't see a use case for hidden services. Yes, it is less trust in a central provider, but at what cost? You can also just move hosting countries. "At what cost" goes back to the first two questions and it would be interesting to know how we all feel about it.

Thank you Moodles, for writing a reasonable comment amidst a torrent of unreasonable ones.
On the other hand, buying drugs on Tor is way safer than buying drugs in the street.
Sure, but this is moving the goalposts. First it was: "It's used for good things, not evil things!". And now it's "actually, who cares, this is a good thing anyway". Now we're arguing over the pros and cons of freely available drugs, including ones such as fentanyl. I often find debates around Tor (and other things too) are like this: you discover half the people you're arguing with are ideologically driven. Are we arguing about the fundamental facts of how Tor is used, or the fundamental morals we should have?
Is it really moving the goalposts? Tor being used to buy drugs came into the discussion because of the moral implications of developing a tool that can be used for bad things. There are two things in that discussion: what are the usage statistics of Tor (for example: 20% drugs, 10% child pornography, 50% oppressed people, 20% "noise". This is a pure invention and I have no idea if this reflects or not the actual usage of Tor), and are those things morally good or bad.

The discussion turned around "Tor is used a lot to buy drugs, which is bad". At least that's how I interpreted this part of your comment:

> Personally, I have a suspicion, that despite my love of freedom, Tor usage is probably primarily paranoid people and drugs, and a small percentage facilities anonymous exploitation of children in a way that no other technology can. I would love to be proved wrong and see some facts that Tor is actually a net good for the world.

You didn't directly said that buying drugs on Tor is bad, that's my assumption, but I think that it's a fair assumption considering what you wrote. So my point was a refutation that Tor being used to buy drugs is necessarly a bad thing.

> Are we arguing about the fundamental facts of how Tor is used, or the fundamental morals we should have?

I think both are important if you want to determine whether Tor is a net plus or minus. I don't have any statistics to contribute and don't want to pretend that I have any. I think that if you take a point of view close to "drugs users will buy drugs anyway" and "drugs users shouldn't be exposed to more dangers just because they want to buy drugs", drugs on Tor can be seen as a positive. Of course you're free to disagree on those two views.

My personal view is that I like some drugs (weed, DMT, mushrooms) and will ebulliently buy them and encourage most others to as well, but I’m skeptical that allowing random people to sell heroin, fentanyl and meth is a good idea. But I don’t know if dark net markets are good or evil given the state many addicts find themselves in. Perhaps in my above posts I was conflating “bad” with “criminal” though.

The reason I said it was moving the goalposts is because the initial arguments implicitly assumed drug markets were bad and only listed reasons “Union workers , journalists, security researchers, IT managers, lawyers, and judges and prosecutors” (really curious how some of those really need Tor by the way), but I appreciate you’re a different person so I shouldn’t have said that. The pros and cons of drug markets is a difficult debate. Regardless, I do think a lot of support (and criticism) for Tor is ideologically driven and no amount of statistics about drugs or child porn will change some people’s minds because they simply ideologically like (or hate) the concept at a fundamental level. I suppose it’s the same for all political issues?

(comment deleted)
A more apt comparison might be crowbar manufacturers, since that is something people often associate with criminals even though it is a very legitimate tool in many other uses.
I wonder how heads of states will live with themselves knowing that they are directly facilitating all the horrible things that go on the World.

On the other hand, I consider fighting against mass surveillance and for maintaining privacy a good thing.

Interesting, curious what your occupation is?
I wonder how the creators of the internet can live with themselves knowing that they facilitated all the horrible things that go on the internet. I know that I can't do that, so kudos to them.
For all of the bad people using tools like Tor, there are also plenty of good (and more importantly, innocent) people. Researchers, journalists, minorities, residents of oppressive regimes.

Like most things, anonymity can be abused. However, as the saying goes, "don't throw the baby out with the bathwater".

As in buying weed? Does anyone have a hard data? I would guess jazz cabbage alone makes up a lot of traffic
If you pay government taxes in any capacity anywhere, I wonder how you will live with yourself knowing that you're directly facilitating all the horrible things that governments do, like drop bombs on humans for oil and bulldoze homes.
I love Tor, but this analogy doesn't work. We don't have a choice when it comes to taxes. Working for the Tor Project is clearly a choice.
"That Tor is mostly written in C is quite terrifying, and I'm very happy that I'm going to help fix that!"

I don't get why so many people are so terrified by C. It's been working well for almost 50 years.

Using C for this purpose (application processing untrusted data) is absolutely terrifying. Already when it was invented, C was a step backwards in terms of language design.

C has been very successful, and there are definitely advantages like the ubiquitous support, but its lack of memory safety is causative for three quarters of all security bugs in software that is built in it. This share has been found by multiple independent projects so it's kind of a constant.

And Tor is not just a random networked application, it manages data highly interesting for state level actors.

do you have a statistic for three quarters?
Because C makes it really really easy to write test-free unsafe crap.

The list of bugs caused by use if C is genuinely ridiculous.

Now, I think there are ways to write robust C - I don't get many bugs now that I usually use AddressSanitizer and a static analyzer (the GCC one is really nice) but that simply isn't good enough any more for high-reliability code.

Let's not mention all the undefined or compiler specific behavior. I love C but come on - let's be realistic
I absolutely hate C. Just that I have to use it sometimes.
> It's been working well for almost 50 years.

If you count being the source of countless security vulnerabilities "working well."

It's pretty senseless to use C in security-sensitive contexts. Let alone Tor.

For some definitions of "working well", but not many definitions that include robustness against hackers.
While security researchers keep taking advantage of memory corruption bugs during those 50 years.
an interesting codependency curve
I very much prefer

    "Product X is written in C so I am re-writing it in Rust" 
over

     "Product X is written in C, so someone else should re-write it in Rust."
Great to see!
You know what tor needs far more than a rewrite in some corporate meme language? Someone to work on the onion services side. There's plenty of people working on the pseudoanonymous proxy to the clear web features but .onion is left to decay and rot (https://blog.torproject.org/v2-deprecation-timeline).

Because of the lack of developer resources or anyone at the tor project giving a damn they have removed support for all tor v2 as of october 15th (a week ago). And this is extremely silly since >90% of HSDirs are tor v2 (https://www.encryptionin.space/tracking-hsdirs-and-the-versi...). But they don't have the resources to maintain the (slightly less secure) v2 stuff alongside v3, so they're just throwing the entire 15 years of all of tor's domains, linking, search indices, and writing in the trash and starting anew from very few users and little infrastructure.

And apparently no one cares that Tor has deleted itself. No news. No blog posts. Nothing but the well hidden post and upset comments from a year ago. I've talked to various people on their IRC and they say even if people continue to run tor v2 supporting clients The Tor Project will eventually push out their centralized consensus flag to ban them from the network.

v2 are deprecated of safety. The "rewrite in some corporate meme language" would address this issue.
>The "rewrite in some corporate meme language" would address this issue.

No it won't, the issues with v2 are with its design, not its implementation.

Off-topic, but can someone tell me if this comment is phrased properly? I suspect that using "with" twice in the sentence is a little bit wrong, but I don't know how to correct it.
I think it's fine but the repetition sounds wrong, if that makes sense.
Personally I would say: “the issue with v2 is its design, not its implementation” or “one of the issues with v2 is its design, not its implementation”.

However your initial phrasing is perfectly intelligible, and probably grammatical (not that that’s so important, if it’s intelligible).

The way users of v2 effect the safety of v3 and the tor project is in terms of directory and resources, etc, and potential exhaustion attacks native to v2. But with porting and some work most of this could be mitigated. The safety of the hash and the length used couldn't but there still isn't a real world example of a collision in use. It's pretty drastic to entirely throw away 15 years of inter-linking, indices, etc when <5% of users (probably less) of onion services have switched to v3.