Right now it has a shadowy reputation because the only people who require that feature are criminals. A few of those are committing crimes against unjust laws, but they are badly outnumbered by widely-disapproved-of behavior.
The anonymity comes with a cost. Tracking makes for a smoother web experience for most people.
So it's a hard sell to say, "Hey, you should do this thing that makes your life harder, in order to help disguise criminals". There's good reason to think that ordinary people should take better care of their privacy, even if they don't realize it, but I don't think that they're itching to apply a technology that has a "shadowy reputation" for a reason.
If everything is cost-benefit right down to atoms and energy, damn any principles, then what's the point? I'd rather take a stand for my privacy than make my life inconsequentially easier by assisting yet another questionable online service with tracking info. I highly doubt that info is as ubiquitously necessary as is asserted.
Can you please explain how is tracking making a smoother web experience for me? I mean really, what context am I missing here, that I can't grasp your statement?
Also not having to constantly perform CAPTCHAs. A lot of web sites are happy to provide service for free, but don't want it bombarded with bots. They can record you to ascertain that you behave like a human, at a cost to privacy. Faced with privacy-preserving tools like TOR, they revert to inconveniences like CAPTCHA.
I agree that most people don't care, but "Tracking makes for a smoother web experience for most people" is just nonsense - tracking slows down almost every single web page that uses it!
The internet has become progressively worse with the invention of smartphones and lowering the barrier of access for the common people, I would not like to see the same happen to Tor. If the long winded forum discussions and info sharing turns into Facebook tier posting I'll become depressed.
A long time ago ... I recall certain sites and services (like a MUD I tried to join) would not allow you to make an account if you were from AOL. I forget if it was just by email address or if they actually checked the IP address.
Would love a reputation service that correlates IPs and/or email addresses to the amount time users spend on Facebook. I'm sure this data is out there and purchaseable, to be honest.
People who are generally ambivalent on TOR are the ones that we need to convert. I believe the message needs to be that anonymity is not only desirable but mandatory as well, especially because of the rise of platforms that literally track each and every possible metric about your daily life and habits. Besides, even if someone says that TOR is used for illegal purposes, we all need to remind them that legality is distinct from morality and is always defined by those currently in power.
"Tor is only used for illegal purposes" is as valid as saying "only criminals use cash so they can buy things without a digital trail." I pay cash -- and refuse to use affinity/shopper cards because I would rather pay for my privacy which is worth more to me than 4 cents/gallon off on gasoline.
Cash is still king in Germany, and it always weirds tourists out. Personally I think it's great, and just like you do much of my shopping in cash because I don't want my bank knowing everything about my diet etc.
Could you unpack it? Of course if I steal your cash I would be guilty etc, how does that make OK not accepting currency that is legal tender in country?
Various laws may exist elsewhere enforcing a requirement to accept cash (or not, depending on the jurisdiction). But an appeal to "legal tender" isn't going to cut it. Legal tender for what? For debt.
You may be misinterpreting a technical term. "Debt" is everything in economy. You make me a coffee, I am in debt to you for $1, take my note if you accept legal tender. Which I assumed you must if you are a legal business.
That only applies if you've already entered into a contract at that point – that's certainly true anywhere you'll only have to pay after having already been furnished with the desired goods and/or services [1], like in restaurants and cafés with table service, gas stations (depending on local traditions), etc. etc.
In most other regular shops on the other hand, you'll only enter into the actual contract the moment you pay for the goods, so unless your jurisdiction has a specific law mandating the acceptance of cash in that kind of situation (like e.g. New York city I think?), the merchant is perfectly free to simply refuse entering into a contract with you.
[1] With the caveat that depending on the jurisdiction the shop owner may fully legally put up a sign along the lines of "No cash payment" and in that case it's you who are in breach of contract in the first point. Maybe if you then get sued for non-payment you can pay cash through the court system, but that certainly wouldn't be a pleasant way of paying by cash.
What you write is exactly what baffles me. You think I'm baffled because I don't understand how it works but it seems that I do, and that you don't seem to realize that it works in baffling ways makes it more depressing. There's debt being created by service or product changing hands but you just put up a sign and refuse accepting legal tender to pay that debt? What?
> There's debt being created by service or product changing hands but you just put up a sign and refuse accepting legal tender to pay that debt?
Yes, but the interpretation is that you picking up a bottle of milk or whatever in a supermarket or elsewhere doesn't yet make a contract and that the goods haven't actually legally changed hands at that point.
It's only when you're presenting your chosen goods at the register that you're legally making an offer to buy those goods, and unless there's a law specifically mandating cash acceptance for shops, the merchant (as represented by the cashier or a self-service checkout machine) is free to simply refuse your contract offer. And because in that case no contract was ever successfully made, there's no debt, either, and the concept of legal tender doesn't even enter into it…
I find it odd to phrase it as "move on" given the direction much of the rest of the world is headed. Anytime things become digitized, the centuries of civil and social rights, rights which people fought and died for, end up getting completely thrown to the wayside. The exact same would happen to money.
In some ways we're already seeing the foreshadowing of this in some of the previously most liberal places on Earth, like Canada. Even if one may not agree with what the truckers were protesting about, it seems unconscionable to freeze people's bank accounts as punishment for engaging in, or supporting, a completely and genuinely peaceful protest. [1]
People got their bank accounts frozen because they contributed to fundraisers for the trucker protest. If they could contribute to the protesters using a more private method of payment, they wouldn't be subject to these authoritarian retributions from the government.
In the 1930s, "Progress" was the replacement of a relatively free society with Nazi authoritarianism. In the 1940s, "Progress" (for half of the country) was the replacement of Nazi authoritarianism, where the secret police mostly targeted ethnic/political/sexual minorities, with Soviet authoritarianism, where the secret police targeted literally everyone and everything. So perhaps that is an object lesson in the value of not "moving on" from a relatively good situation
I was there a few weeks ago and cash-only places were still very common, I'd say at least 10x as common as Germany at the end of COVID. (Though granted, some places might only take EC-Karte)
We were hitting cash only places all the time there, whereas in Germany I found that cash only became rare during the pandemic.
Hell, even recharging the IC cards in Japan had to be done using cash at a machine. Why can't you use a debit card? Who knows.
> Cash is still king in Germany, and it always weirds tourists out.
I love it. I drove to Germany to have the maintenance done, change the tires and renew the extended manufacturer warranty for two years on my german car (extended warranty which I need to pay for) and it was a hefty bill. I pulled a bit more than 3 000 EUR in cash and they were just used to it. As in: a totally normal occurrence.
I did it basically to test if it was true that cash was king in Germany: I had credit and debit cards in backup just in case. But cash just worked.
Cash is fighting back in the USA, lots of restaurants and even shops (including mechanics, etc) have a surcharge for credit cards now, but if you pay cash or debit (or even check at some of them) - no surcharge.
The concert venue I went to last weekend is cards only now. There seems to be a bifurcation in the market where some vendors take cards grudgingly and others want nothing to do with cash.
There certainly is - the smaller vendors are trying to avoid raising prices as best they can whilst the big ones are trying to reduce cash handling costs.
> worth more to me than 4 cents/gallon off on gasoline.
The stores are getting wiser about this. My local Fred Meyer (a Kroger brand now) has a fuel rewards program -- for every $100 you spend, you get 10 cents off per gallon on your next fillup. Given how expensive groceries are, a lot of people are saving more like 50 cents per gallon, not 4.
They've also started doing instant discounts at the register, which was something that Safeway aggressively did from the beginning. FM isn't quite that aggressive yet, but when I scan the shopper card just before paying, it isn't unusual for it to knock $20-30 off a $150 purchase.
If it really were just 4 cents a gallon, I expect less people would bother. But it's not. The stores are steadily increasing the penalty for shopping without a loyalty card.
> They've also started doing instant discounts at the register, which was something that Safeway aggressively did from the beginning. FM isn't quite that aggressive yet, but when I scan the shopper card just before paying, it isn't unusual for it to knock $20-30 off a $150 purchase.
It's a shitty psychological trick that Fred Meyer pulled off.
People think shopper cards save money, and while it's technically true, it's the wrong framing of what's happening. What's really happening is that the store requires the card to get sale prices.
In other words, Fred Meyer creating the shopper card did not create additional savings. It just started gatekeeping sales behind data collection.
Yeah. Or here's another way to frame that: stores started punishing you for not providing your information by giving you higher prices.
Or another one: when you use a savings card, you trade some of your data for a couple bucks off.
(While on that note: in many countries – pretty much everywhere I've been, actually – you can just get a new savings card every couple months, or get a few and round-robin them and replace every couple months etc. Just fill out the sign up form with some garbage data and you're good to go.)
I've yet to see an actual detailed argument on how the data collected helps them; the only thing I've ever seen was the creepy "target knows you're pregnant" - but most grocery store chains send me the exact same ads as everyone else, and nothing is personalized or targeted.
So what are they doing with the loyalty card data? Nothing? Is it all just a mental trick to get me not to go elsewhere?
But they'll always give you a new card. You can sign up for a new loyalty program id every time you checkout. But then again... If you don't pay by cash it won't matter as they'll link the sales by your payment method and bridge the multiple loyalties.
Also if they were thinking they could have bluetooth beacons at the registers to track cash users that have bluetooth enabled.
Also they have cameras looking at every checkout line. They implemented them originally to observe when lines got too backed up so they could automate sending out more cashiers. They could move to facial recognition of they really wanted. Not sure if they do that now.
When you make less than $15 an hour like a lot of Americans that can be quite a bit of money. Especially since a lot of older cars that they would be more likely to drive are probably less fuel efficient and have larger tanks.
I was just in Safeway (a former Albertson's if it matters) yesterday. I bought a couple of items but bypassed the scanning of a shopper card/entering a phone number. The self-checkout knocked the prices down to the reward card level anyway. I can only assume they've linked my payment method to a reward card in the past. That or they are no longer requiring rewards cards to get the discounts.
Since the register already priced my bill higher at the time I swiped my card and then dropped the price, I have to assume it's the former.
People's data is being farmed and their identity leaked and sold on the dark web, and they're probably not educated enough to care. That's what you want to preserve?
No, they and other large vendors are just selling data that enables that. The fraudsters couldn't work without the industrial torrent of personal data that is an object of avid commerce.
It weirds me out any time I open YouTube on the TV and the first thing I see is an ad related to some recent online purchase, however obscure.
No, criminals are. Criminals will also break into your home and steal your stuff, or break into your car and drive away, or pick your wallet right out of your pocket.
The existence of crime is not an example of the need for anonymity.
Anonymity is one of those things that if you do not fight consistently for, will be eventually taken away from you. I fail to envision a society where anonymity doesn't really matter for most people because as long as there is a society, it'll imply there is a control structure. And as long as there is a control structure, it'll keep on dictating what you can and cannot do. Unless you unreasonably assume that such a structure will always, without a fail, be perfectly correct, in the event that you disagree with it, you're certain to be in trouble.
I'd like to reiterate once again, there is a distinction between morality and legality. For instance, it's never immoral to bring wrongdoings to light, and yet, it's horrendously illegal to expose classified government secrets, even if they are terrible.
> I believe the message needs to be that anonymity is not only desirable but mandatory as well, especially because of the rise of platforms that literally track each and every possible metric about your daily life and habits
Normal people don’t care if their metrics are being tracked - that is happening to practically everybody all day every day, and very few people are experiencing any direct and measurable negative consequences. In their defence, why should they weigh the hypothetical-risk above the real-benefits of giving up privacy (ie, convenience and price)?
I believe if the message of privacy advocates is to have any effect at all on normal people, we really need to start focussing on things that normal people care about, not hypothetical and philosophical arguments
It's a frog in a steadily boiling water problem. People not caring about their privacy enables certain actors to increasingly encroach it and then suddenly you find that these actors know everything there is to know about you including what you buy, eat, use, discard etc. This is not just a hypothetical scenario. For instance, look at any digitally capable dictatorial regime. No one now has the power to speak up in these regimes because everything they say is tracked and can be traced back to them and they themselves gave the regime this power happily in the past.
I was pleasantly surprised to find Tor mode in Brave browser. I was looking for private browsing mode and it was right there. It was pretty darn fast and usable too. I honestly hope this feature and browser get more uptake
Brave has loads of good features Chrome doesn't but people are put off by it because "muh crypto integration", which can be disabled permanently in settings.
Yeah, to me it seems like a skeevy browser for people without the IQ to use Firefox with good add-ons like uBlock Origin and not be put off by crypto integration.
FF is pretty crap these days (as a lifelong FF fanboy). I'd hesitate to use it except for HN where its low speed and security are part of the experience.
I don't understand comments like this. Chromium grinds to a crawl and even locks up with more than a handful of tabs, and its developers are deliberately adding new security vulnerabilities.
The review process for new web APIs in general is pretty shoddy and not terribly concerned with security (eg Canvas). However I was specifically referencing this of the past few days: https://news.ycombinator.com/item?id=36910978
Agree, my IQ is too low to catch up with amount of changes to omnibar look, addition of cool color schemes or preinstalled extensions to advertise a TV show
The crypto integration is an indication of a compromised vision and a lack of judgment. If the dev is willing to shove that in, what else is in there that I’m not aware of?
If you can agree that moving away from a purely ad-supported internet is a good thing, then micro-payments are a strong alternative, and internet-native money at the protocol level is a technically appropriate solution.
Can you imagine google chrome bringing Tor integration into their browser? Why not?
Brave's completely open source. [1] I'm not using this as a 'go look at their source code' type meme, because obviously you won't. It's absolutely massive and one man auditing the code alone, just to see if he might want to use the browser, is absurd. But at the same time Brave attracts higher information users that are going to be disproportionately more interested in security, privacy, and so on. And there are a lot of people regularly poking through the source code, as well as contributing to improvements in it.
So I think the answer to question is - absolutely nothing. The very few missteps Brave has made get broadcast from the ends of the world. The fact the biggest thing people can find to complain about it is some crypto stuff, which is opt-in and easily completely disabled, or an autocomplete tagging a referrer - that was patched out in less than 24 hours, is strongly indicative of the quality and integrity of the browser.
> or an autocomplete tagging a referrer - that was patched out in less than 24 hours
That functionality (which would modify some literal URLs typed in by users, not just make autocomplete suggestions!) was present in the source repository for roughly a month and a half until it was disabled by default, and remained present as an option for over a year after that.
This is misleading. Brave had added items such as cryptocoin affiliate "cards" on the new tab page even for users who have had every cryptocoin aspect disabled.
Further, there is no way to pre-emptively disable the cryptocoin elements on new profiles on the same Brave installation.
They also started selling people's copyrighted website data to ai companies via a new api recently, explicitly "granting" a license to use it for ai training, without the copyright owners (ie, independent bloggers) permission
- Part of the protection Tor provides is due to having the single browser made specifically for Tor. Nearly everyone uses it; this gives you a sufficiently large crowd to blend into. There are fingerprintable clusters inside this crowd, but at least they are still large enough. By using any other browser, you make yourself stand out and even diminish the anonymity of the whole network a tiny bit. This can become a problem if enough people are using custom browsers. Brave in particular is also not restricted enough by default (no JS etc). Default settings for everyone matter.
- Brave's Tor feature wasn't thoroughly tested in real situations. AFAIK they had issues with it, and also warned users not to rely on it as it's not complete.
> Brave in particular is also not restricted enough by default
While I'm in agreeance with everything you've said it should be pointed out that Tor Browser doesn't ship with JS disabled either, it simply breaks so much of the web that they've concluded it's not reasonable for a browser to do by default if they want to attract new users.
If you mean Tor Browser then of course, as it's the only widely used browser in the Tor network. It's still the most tested option, and is paired with reference Tor implementation, which is more complete than Brave's.
Practically everything I do on the web involves authentication and a login and an identity. They're all US-based services. It's stuff that I use to manage my household, and finances. It's also social media stuff; some of it's pseudonymous, but I've got Facebook too.
These services factor in security hints such as device fingerprinting, and a consistent local IP address that belongs to an ISP account I pay for. That's as safe as it gets in this modern digital jungle.
I also use Chrome. I don't use Firefox. Don't try to get me using Firefox; it's incompatible with my workflow. I don't even have it installed to debug website errors. I also own a Chromebook and I do a lot on the Chromebook. 100% of my employment relies on it, and 20% of my personal use is there, too. TOR isn't compatible with ChromeOS (prove me wrong.)
The #1 error of TOR users is that they eventually reveal themselves online, by authenticating to some service, or by going to haunt specific websites or URLs they like. This is similar to people in Witness Protection or abuse victims who run away: they eventually contact family or friends and reveal personal details, and then they're re-victimized.
Not trying to prove you wrong on this one, just a Chromebook fan myself. Have you tried/do you consider app support on Crostini/Linux? I haven't tested it, so unsure if it works, but all of the Linux programs I've installed have ran fine on a Chromebook.
A simple article on Chrome Unboxed suggests you can install Tor browser and have it work. I think there is less issues with TOR and more issues with you fundamentally not caring about privacy. Like most of the internet.
That's it? Privacy is just the lack of tracking? There are no other components to a private life?
Tracked by whom? Anyone? Is it OK if your parents track you? Does your government have a direct involvement in, say, public city streets?
Is this about technological tracking? What if you walk through a forest, and some stranger comes up behind your path, and uses natural evidence to find out something about you, and which way you went? How would you prevent that?
Sure, it's easiest if you stay on the happy path. You'll only regret that if you or what you want to do online falls out of favor of whomever is in power.
It's just amazing to see the tech support bros come out and I've got at least six replies telling me how I can use Tor when my OP listed fewer than half the reasons I won't use it, but tech support comes out and asks me if I tried rebooting my ideology and upgrading my politics to the latest.
I am off facebook. I think they are not the bulk of the problem anyways.
You can see something similar with your Google ads profile, but only if you have personalized ads on. (I am sure they still have the profile on you, you just can't view it)
>I have yet to find something which lets you get a good peek at that data. Does anyone know of anything?
You don't need Tor to avoid advertisers. Blocking all cookies and browsing in private mode will get you 99% of the way there. Throw in an ad-blocking VPN and there's basically nothing anyone can know about you that you aren't explicitly sharing.
This is not really true, because of how centralized the web is. From Google fonts to jquery and the million in between endpoints, most sites you visit are going to be reporting you to Google. Logging into a single identity verifying site or even just viewing a distinct set of sites can all work as instant deanonymizers.
A VPN that has multiple users using the same IP simultaneously can help on this front, but I don't know how common this is? Basically emulating how Tor exit nodes work. Though even that is also almost certainly possible to break.
Reaction: Sounds nice...but the author seems oblivious to the motivations and technical skill levels of >95% of web users. And to TOR's (in)ability to grow its infrastructure, to support anything resembling the traffic that would result from anything resembling a "we all use it" scenario.
I haven't used TOR recently but from my memory one of the biggest issues with is was speed. Yes you get anonymity but websites also load 2-3x slower because they have to go through all the nodes on the network. The people that care about privacy at the expense of speed already use TOR, and for everyone else it's going to be a very hard sell.
I think it's heavily dependant on the site you're using. Loading this page in Firefox on android with a pretty crappy connection took ~2 seconds. In the Tor browser it was ~6seconds
Definitely slower and this is a pretty minimal page, but I've got a hunch it really starts to choke when a page is loading a ton of different css/js assets at load
What's still often slow in Tor is making initial connections to hidden (onion) services. Last year during a DDoS attack on Tor this was unreasonably slow and took minutes or more, at which point sites just appeared broken. Once connected, though, it would still work pretty well. So if your experience is using Tor to access onion services you might have an inflated idea of its slowness for normal purposes.
Visits to normal websites were only somewhat affected and were still pretty reliable.
I don't think they are subjective at all. Tor is inherently slow based on how it works. It has gotten faster since inception but even in last year or two it is a multiple slower. Until that is non-existent adoption will be challenging at best.
What I’m saying is that Tor used to be, many years ago, annoyingly slow, sometimes even excruciatingly so. But today I don’t even notice that I’m using Tor. It might be “a multiple” slower, but I don’t notice it, is my point.
Yep. Decentralization entails degraded service, almost as a thermodynamic principle. It's the "eating your vegetables" of technology; even if you think people should, you can guess how many actually do.
Why do you believe decentralization is responsible for TOR’s speed? Decentralization often improves speed by routing around traffic, and the regular non-TOR internet is decentralized. BitTorrent is often faster than regular internet due to its additional decentralization of the data. I suspect TOR is slow due to intentionally long and twisty routes, added encryption, extra hops that require more processing, low numbers of exit nodes, and limited bandwidth at the exit nodes. In a way, the speed is probably partly a byproduct of TOR accidentally centralizing traffic at the scarce exit nodes.
All this stuff is on the Internet, so the Internet's decentralization is a floor that we can build further decentralization on top of.
But wouldn't a hypothetical direct data link to somewhere be faster than using the Internet to get there?
It'd be more brittle, yes. It can go down with little fault tolerance; it can't serve someone else; it can be trivially MITM'd. These are the downsides of centralization and the upsides of decentralization.
> BitTorrent is often faster than regular internet
I torrent a lot, and one thing that doesn't come to mind is "fast".
You can stream 4K movies on Netflix. I'm betting you can't do that as well with a torrent...
> I suspect TOR is slow due to intentionally long and twisty routes, added encryption, extra hops that require more processing, low numbers of exit nodes, and limited bandwidth at the exit nodes. In a way, the speed is probably partly a byproduct of TOR accidentally centralizing traffic at the scarce exit nodes.
Like with torrenting or Bitcoin or PeerTube or whatever, you've listed a bunch of extra complexity that's all corollary to the thing being decentralized and necessarily making it slower. :p
A lot more has to happen to solve a harder coordination problem. You end up using random, non-industrial grade relays. It's more complex, and it's going to be slower.
What does that buy you though? Resilience, like if a relay goes down. Flexibility, like if you wanna use a different relay to circumvent a geolock. Privacy, in that it's much harder for an adversary to monitor you. There's no free lunch for those things, though, tragically, and they're secondary/tertiary on many people's priority list.
But TOR isn’t really any more decentralized than the internet; and it might even be less decentralized due to exit node contention. Decentralization does not seem to have anything to do with TOR’s relatively slow speed, nor does decentralization seem to have any “thermodynamic principle” of slowing things down, right? The extra complexity of TOR is precisely the thing slowing it down, by design. (Well one of the things, scarce bandwidth is another - there have always been calls & pleas for more participation in order to increase the network’s bandwidth & capacity.)
We can’t exactly compare Netflix to an unnamed slow torrent of your choice in any fair or reasonable way given that Netflix is something like 15% of all internet traffic and is heavily optimized. The fair comparison is using BitTorrent to download a file compared to a direct http or ftp download from the original source/host - and for that BitTorrent usually wins handily in my experience. Plus I’ve definitely seen some popular torrents download much faster than anything Netflix has ever served me, in terms of bytes per second.
> You can stream 4K movies on Netflix. I'm betting you can't do that as well with a torrent...
Depends on the torrent. Any popular "Linux ISO" can easily saturate my 1400mbps download speed so I download the UHD bluray remux whenever it's available. Videos encoded at 100mbps look at a lot better on a high dpi display compared to Netflix's 10mbps "4K" and also doesn't limit you to clients that support DRM.
The UX isn't great, but if you select the "Download in sequential order" option you can start watching a torrent in 5 seconds while it downloads in the background
Bittorrent is fast because it can saturate your connection by downloading chunks from multiple connections the same way things like “axel” (wget alternative) and Download Accelerator apps accomplish it over http.
There isn’t an interesting statement on Bittorrent vs internet here. Browsers just don’t make this optimization themselves, probably because most files are small, but also out of respect for the single origin server.
Ironically, once I cut all vegetable and, in fact, all plant-based calories, out of my diet, I experience dramatic health and fitness benefits. I expect in this case the conventional wisdom is also exactly backwards and in fact transparency is more important than privacy.
Not decentralization, but anonymous decentralization that involves indirect routing. Decentralization can actually offset that anonymity tax somewhat by the fact that you might have multiple sources that you can request data from in parallel.
Latency is bad, throughput is pretty decent. Unfortunately this is a side effect of it's routing system (routing through 3 random nodes around the world).
Latency is actually pretty reasonable once you're connected. Connection times are where most people really feel the slowness with Tor. For example, chat and SPA's are pretty snappy over Tor.
There is no anonymity with tor if there is logging. There is only Obfuscation for most use cases. The latency makes is also have poor appeal. An untrusted internet or a hostile network isn’t going to change because there is a pretext of anonymity. I personally think highly trusted peers are the only solution.
In my experience, TOR's been fine for latency, but the problem I've been having is getting stuck in an infinite loop of Cloudflare "Checking if the site connection is secure."
There just isnt enough exit nodes that cloud providers have opted to either blacklist, or heavily deprioritize those nodes' traffic.
I'd want to see every computer connected to the internet turn into an exit node! It makes it infeasible to block those IPs, and also prevents people from being charged a crime for such traffic.
> prevents people from being charged a crime for such traffic.
Depending on the jurisdiction, this may not be true. In any case it could cause punishment by forcing the exit node operator to get the runaround of the legal system.
Also it is conceivable that governments would update laws to make it illegal, if there was such an impact to NSA data collection to warrant it.
It's a nice thought and running an exit node is on my short term to do list, but I also recognize the costs associated with it and what it may mean for my family.
I've been on the Internet for 25 years and only got robbed once, and even then, the credit card charges were reversed so it didn't cost me anything other than the annoyance of updating some accounts once I got my new credit card number.
This is the "workaround" now that websites aren't given free range access to your cookie jar. They make a unique identifier out of a range of info like OS, browser, screen size, whatever seemingly harmless info they can get.
Sounds like it should be illegal. That said, changing my User Agent to IE+Win7 changed the identifier for me. Looks like Firefox's "resist fingerprinting" setting also works. I wish there was a separare setting for private browsing.
That said, that was enlightening, thank you for pointing this out. It's disgusting that there are companies selling this.
Consistent visitor ID over months or years, even as browsers are upgraded.
This advertisement implies some things that could potentially be illegal, but I don't think that practice is by itself. Stalking as a service really gives Saas a new meaning .
This one overestimates uniqueness because it doesn't consider stability (e.g. it uses your current battery charge level as a uniqueness measure, which is obviously not stable minute-to-minute let alone day-to-day).
This right here… when the government can just run exit nodes and case after case comes out about the government capturing data from a tor node they operated, that problem needs solved first.
I very rarely use Tor because using Tor without being an exit node just slows it down for everyone else using it and running an exit node means CSAM passing through your router sooner or later which I find unacceptable. Most of my privacy needs are met by a commercial VPN.
Here's a novel thought: take the money you give to the commercial VPN provider and donate it to Tor instead. They can spend it on running more exit nodes themselves, which fixes both the issues you say you have with it.
It would make up for it, but not fix it. The network would still be faster without my traffic. Plus, torrenting hundreds of gigabytes of data over Tor would be rather abusive.
In that case, donate them money and don't use it? I'm not sure how this private VPN you're using is any better - it too would be faster without your traffic. They spend your money on the same thing the Tor project could spend it on.
We agree it would be a very bad fit to use the torrent protocol over Tor, a seedbox would be better for your purposes.
The Tor Project is a non-profit and the Tor service is used not just by criminals but people under repressive regimes around the world, and there are no real alternatives to it. My VPN provider is a for-profit company and its users are free to choose another company.
a seedbox would be better for your purposes.
A seedbox would suit my torrenting needs but it doesn't fulfil the additional roles of bypassing video stream throttling on my mobile network or letting my overseas friends bypass network censorship.
> but I don't want to get anywhere near illegal stuff.
Then you should probably stop using the web altogether.
I'm seriously confused how using Tor places you closer to "illegal stuff" then browsing as you do? Could you clarify?
Even if we're going to draw the distinction between .onion sites and the plain web (and there's nothing about Tor that requires you to visit or interact with .onion sites) I'm nearly certain that there are many orders of magnitude more "illegal stuff" being shared on traditional websites than the "dark web". Plenty of drugs are purchased through Venmo, and Tumblr and Twitter have had pretty high incidents of child exploitation materials being shared on there (and, despite having been a heavy user of those sites at some point, never came across any content close to that).
My experience has been that, barring 4chan 10 years ago, it is extremely rare that you'll ever come across any "illegal stuff" unless you are looking for it.
I was talking about running an exit node. In an ideal world everyone could run an exit node and help others to bypass censorship. Unfortunately sooner or later some sick fuck would abuse it to post CSAM or hack something. And then good luck explaining the cops that it wasn't you.
Are there any app that uses the Tor network and existing hidden protocols to provide anonymous chat?
This could be an alternative to some of the instant messaging systems that provide privacy but not anonymity.
I know that some chat messaging systems can use Tor as the transport, but they have problems of their own.
What I'm thinking about is something along the lines that each user app hosts a hidden service that receives messages through a standard HTTP API. Users need to hand their hidden service address to friends. The protocol itself already handles payload encryption and routing but messages could be further encrypted at the app level before being sent (using the other user's public key once an initial exchange has been done).
Granted, sending a message would require all parties to be online at the same time, but there could be a set of relay servers to hold messages until they get fetched.
I'm sure there are lots of hairy issues to take into account, but I would expect the existing protocol to mitigate some of these compared to a ground-up approach (like Session is doing). Tor is fairly mature and, despite all attacks on its infrastructure and protocol, it is still standing.
I'm also wondering if such a messaging system couldn't be useful for some IoT types of scenarios, as it would protect the location and communication of the source of the data, so the devices could not be easily physically found and hacked.
None of this would be useful for high-bandwidth real-time data, but you can get reasonable latencies and traffic sent this way.
> Granted, sending a message would require all parties to be online at the same time, but there could be a set of relay servers to hold messages until they get fetched.
We actually do a bit better than this! We use a gossip network (libp2p gossipsub) so all peers don't have to connect directly, and a CRDT over a private IPFS network so that everyone in a community eventually syncs all messages. As long as there's a continuity of online peers, the availability of messages is the same as a central server, and with a few Android users in the mix it's pretty easy to get to that level of continuity.
(The battery impact of staying connected all the time on Android isn't as bad as you'd think, and we haven't even begun to optimize it.)
And yes, it builds on the maturity of Tor rather than trying to roll its own onion routing layer as Session is doing. Quiet is still a work in progress, but we've been dogfooding the desktop app for over a yearn now as our main team chat, and the Android app for a little less than that. We're working on iOS now, which is... tricky. But we're hopeful.
I use Tor occasionally to see what's going on in the flip side of the net and to contribute to routing, but honestly you aren't going to convince anyone who isn't ideologically inclined to support it. It doesn't help that Tor itself is full of scams and dark markets selling who knows what. It seems to have gotten better over the years, but normal people aren't going to put up with that. Nobody wants to see that stuff.
If you use a Tor browser you see the same web as with your "normal" browser. You'd need to actively search for dark web and shady markets (and no you can't just google that up either, you'd need to lurk much deeper). It's not possible, never was, to "accidentally" see that stuff if you use web the way you did it before Tor.
Yes. I don't get ambushed by illegal content, as most of my surfing with Tor is for browsing the clearnet, (which is fairly innocuous and more sanitized than the dark web). I do use the 'real world' onions[0] to read The New York Times, etc
>Tor itself is full of scams and dark markets selling who knows what.
Did you forget to read the article? They make the point that this is not the case. Tor Browser can be used to access most of the web besides aggressively anti-privacy platforms like Meta.
If you choose to go on a "Dark Web Search Engine" and that's what you find, that's entirely your decision and not something you would stumble upon.
>but normal people aren't going to put up with that. Nobody wants to see that stuff.
They would never see that stuff by accident, as they never do right now.
Does anybody use Tor for everything? I'd be interested in hearing their experience if so. There are sites that I have been unable to get working in tor, usually due to the browser. Some services actively block it. There's also a performance hit.
Also, while you should always assume your traffic is open to inspection/modification before it reaches its destination, this is more likely to happen with tor, not less likely. The Tor browser does help here, by not easily allowing obvious mistakes like using http.
I use Tor for everything that doesn't require identification, and I use very few of those services. For example, this HN account and the email for it have never been used without connecting through Tor. Feel free to ask me anything.
>There are sites that I have been unable to get working
This happens, most of the time because of Cloudflare. A solution is to get a new Tor circuit 3-5 times, and then the page will load. If a site simply won't work, like Meta platforms I won't use them. Using alternative front-ends[1] makes most sites that usually wouldn't work, work as well.
>The Tor browser does help here, by not easily allowing obvious mistakes like using http.
This is false, HTTPS only is enabled by default in Tor Browser. It's common knowledge for everyone including users of Google Chrome and Firefox to not use HTTP sites.
I use it for just about everything except for things tied to IRL identities. (short-lived usage like making a search request, to persistent identities like this)
Some services block Tor. Sometimes they can be bypassed by pressing "New Tor circuit for this site" a few times, sometimes they cannot. Some of the methods listed here [0] can help (though I wouldn't log into any accounts using this as TLS isn't being terminated at your machine).
Some features don't work in Tor Browser, off the top off my head, sites using AudioContext, Webauthn, Webassembly. (webassembly can be a pain due to some encrypted paste bin sites using it).
I run multiple instances of Tor Browser (separated with Linux namespaces, particularly netns because Tor Browser will fail to load if an existing Tor service is running at port 9150) so that I can multitask between for example posting this on HN and random browsing in another instance. That also helps with the webassembly thing as I run a script to spin up a temporary instance of Tor Browser, enable webassembly in about:config, and load the failing page.
For the sites that block Tor that I need to login to or that don't work with the ad-hoc methods listed above, I will fallback to using a VPN + an about:config-modified version of Tor Browser that has the Tor proxy disabled. Mullvad Browser can also be used as an alternative.
I also use it outside of TB for IRC among other things. You have to be careful as there is no uniform configuration for everyone like TB.
If we all use it, it will slow to a crawl. Even more than now.
Nobody that’s not halfway suicidal is running exit nodes on their home machines (I won’t, I don’t want police knocking on my door).
And just for the onionspace… yeah I saw some bad stuff there. After what I saw I don’t think anonymity is a good idea. There is darkness inside people that lack of rules, lack of order, lack of accountability brings out.
And in the end it can't circumvent stuff like the great firewall of China.
In the end Toe is just a legacy project from the CIA/NSA that has outlived it's usefulness. The NSA has certainly redteamed all the ways to take it down or uncloak users, if needs be, so it's not even a tool against a potential fall into dictatorship of the USA.
> And in the end it can't circumvent stuff like the great firewall of China.
Actually, this isn't true: Tor with private Snowflake bridges can be very effective against the Great Firewall. I'm an activist who works in this area and I've spoken with activists who were using it as recently as this year.
The issue is scaling bridge discovery, since any automated bridge discovery mechanism rapidly exposes available bridges to a determined censor. But any team doing high profile, notable, or sensitive work can find an individual or organization outside China to provide them with private bridges. So Tor is one effective option now for key activists in China, just not a mass-scale solution for everyone.
for anonymity, yes (if using a "private" snowflake). for daily use or basic firewall circumvention, not really. as others have mentioned, it is more convenient and faster to just use shadowsocks to a digital ocean droplet or other vm.
Tor is a meme in 2023. Even advocates for it seem to believe it's only really good for circumvention, which is the totally wrong way to look at it. Having a built-in outproxy to the web is probably it's greatest flaw, not its strength. Why? Because there's nothing stopping anyone from setting up exit nodes and analyzing the traffic. The open web itself is a vulnerability. Being an anonymizer for the web also encourages people to not contribute energy to "hidden services" but to the non-hidden web, which is self defeating.
And as others have pointed out, Tor wouldn't scale if everyone was using it. Contrast this with I2P which not only would scale but become more resistant to DDOS attacks with the more nodes on the network. Unlike For, I2P has no distinction between nodes, mostly because it's not designed to be an outproxy. But no, let's keep insisting that everyone use a deep state tool with chronic flaws because reasons. /s
> And as others have pointed out, Tor wouldn't scale if everyone was using it. Contrast this with I2P which not only would scale but become more resistant to DDOS attacks with the more nodes on the network.
One objection a lot of people in this thread have to using Tor is the (misconception) that they'll be relaying Tor traffic. (It doesn't work this way in Tor.) But what you're saying is that i2p will scale because this is the default behavior in i2p. But is that what people want?
Also, hidden services have been harder for Tor to scale than exit nodes, at least in the past few years. I don't think this is the result of the fact that Tor provides exit nodes. I think it's just a result of the onion service connection process being a series of fragile steps.
I do agree that supporting traffic to the web results in the Tor dev team prioritizing this use case over traffic to hidden services, but that's understandable given that it's the vast majority of their traffic and usage.
>Because there's nothing stopping anyone from setting up exit nodes and analyzing the traffic.
This should be assumed. So what?
In 2023, almost every website supports https and unencrypted traffic is the exception, not the rule. So if someone sets up an exit node, they can only collect metadata from a few circuits from a competent user. Of course, this becomes a problem when someone sets up hundreds or thousands of nodes, but that - including statistical analysis or the use of 0-days - can only be done by a small minority.
It's certainly an interesting mindset: "I'd rather live in a neighborhood where the HOA is run by psychopathic busybodies, even if it means I have to become a pod person!"
>yeah I saw some bad stuff there. After what I saw I don’t think anonymity is a good idea
This is a somewhat one-sided way of thinking.
Tor is a tool that can be used for useful things as well as misused for bad things (like a knife or a truck). Now, leaving aside the fact that websites related to credit card fraud, child pornography, and terrorism also have a large presence on the Clearweb.
Also, I'd like to note that Instagram is a global hub for human trafficking, and the moderators' stories don't sound any more innocuous than the Onion stories.
I use Tor daily and abide by the law, but don't want to miss the anonymity or pseudonymity of a Whonix VM and a Tails session.
Since I've been hosting Tor Nodes since I was 14, I don't have to worry about showing up on blacklists of 3-letter organizations, since I've been on top for over a decade anyway.
Why exactly are you trying to compare mustard gas to Tor? I'm kind of lost here.
But anyway, to answer your question: mustard gas is not one thing, it's a class of chemicals. But one of them became the first ever chemotherapy drugs, Mustine:
> Since I've been hosting Tor Nodes since I was 14
Honest question: why do people host exit nodes when they aren't 14 anymore?
Given how dangerous it is to host one, and how little personal benefit one gets from it, I kinda assumed most exit nodes are hosted by three-letter agencies from various countries. Is that so? If not, how so?
I wouldn't be surprised if the author, and a large segment of HNers agreeing with her, did a swift about-face when they realized that Tor also provides an end-run around the internet backbone black-holing of IPs that some Tier 1 ISPs did to KiwiFarms last year, during the height of the campaign to deplatform it. More people using Tor in general means more people having the means and know-how to evade censorship, and we can't have that, can we?
I don't think anyone would be surprised - what you're describing is pretty obvious to anyone who has ever looked into Tor for more than .1 seconds. It's also pretty well understood that when restrictions can be evaded it will be used for both good & bad purposes, that's just the nature of it.
That accusation has been repeatedly debunked. Also, on a more positive note, amongst all the gossiping and somewhat rude behaviour, they've documented a significant amount of illegal activity by others. In particular, how certain individuals of gender have been grooming children and committing sex crimes - which is why these creeps tried so hard to take Kiwifarms offline. And ultimately failed, as it's still up and running, even on the clearnet.
Not even wikipedia own founder believes on it anymore. It's essentially useless for anything political related because you already know that they will be heavily biased in favor of a given side...
Actually wouldn't a move to Tor completely destroy the ability to effectively moderate any sort of community since you have no way of banning spammers/bots? Even a "lawless" place like 8chan or Kiwifarms will have trouble holding discussions if all their forums are filled with copy-pasted CP from some random botnet
To be honest despite agreeing with many arguments around privacy, they're not quite compelling enough to convince me to adopt Tor's approach to it which in my mind is akin to hiding in a bin.
Sure, you're hidden, but you're also in with a lot of stuff you don't want to be in with and that can come with legal liabilities and ethical issues that I don't feel qualified to mitigate. And as other people have pointed out maybe the government or your least favourite company actually has a camera in the bin you chose to hide in.
A common misconception about Tor is that by using Tor as an end user you are also hosting and relaying stuff on the Tor network for other users.
This is not the case, unless you explicitly set up a relay node or volunteer to run a Snowflake bridge.
True, you're mixed in with other users from the point of view of websites that might treat you as spam, say. But you aren't taking on any liability unless you run an exit node, and even that is fairly well-established as safe in at least some jurisdictions.
I think even as a user, the risk then is that law enforcement agencies want to unmask/correlate users which leads to the possibility of them screwing that up and conflating people's identities. Arguably this is more of an issue with trust in those performing/acting on the analysis but on an individual level still factors into the "do I want to use tor?" mental model.
Couldn't you make the same argument about https requests over the clear net? You're request is being processed by intermediaries through your isp which three letter agencies could incorrectly correlate with you.
I know there are deep fundamental technical differences, but I could see an outcome where the end result is the same across both services. I'm not trying to justify to use tor as well, just that I don't think the argument of guilt through incorrect association is solved by not using tor.
Well, you are _absolutely_ taking on the potential liability implicit in becoming a person of interest in any case involving the exchange of materials that you are facilitating.
You may not _lose_ but you may find yourself with your life seriously disrupted.
In the case of Tor, the government you're trying to hide from actually made the bins and handed them out all over the world so that CIA agents would have somewhere to dead-drop files in.
For perspective, the same entity, Open Tech Fund (OTF), has funded many projects in the tools-for-activists space, including Signal, NoScript, Wireguard, Tails, Mediawiki, OpenVPN, Filezilla, Psiphon, Tahoe-LAFS, Briar, Lantern, and Qubes.[1]
Quite a lot of serious projects in this space are US-government funded.
OTF does somewhat focus on needs in regions that are geopolitical priorities for the US, but since most of these projects (like Signal or Wireguard) are building general purpose tools, it seems pretty good for the world overall and not nefarious. Germany recently started a similar fund and hopefully more countries will too! [2]
(I know people involved in both OTF and Sovereign Tech Fund I work with a user researcher who's funded by a small grant from OTF on my project Quiet.[3])
One funny historical note is that OTF grew out of Radio Free Asia, a program started after the Tiananmen Square massacre to broadcast AM, satellite and shortwave pro-democracy propaganda in Mandarin into China.[4] So the mission of funding general purpose anti-censorship and privacy tools kinda makes sense!
I can understand that argument due to the nature of Tor, but if you use it as a communication medium only, how is different from using non-Tor internet or a cell phone. Yet, no one seems to argue that you are one of those nefarious internet or cell phone user. I think the argument is solid. The fact that is is not commonly used makes it a niche application. If it was more widely adopted, all those 'bad things' would likely be on par with regular phone/net issues in terms of volume.
Imagine if I was under investigation for drug trafficking, or tax fraud, or whatever have you. “He had Tor on his computer to access the Dark Web” is extremely strong jury bait even though it doesn’t intrinsically mean anything. The government might not be able to prove what, if anything, I did - but I'll still probably look pretty dang guilty just for having it.
The other downside would be how trying to be secret can shine a spotlight - kind of like the bomb threat at that school (I’m forgetting the name). The student used Tor, but was quickly identified… because nobody else on the school network used Tor. (Make no mistake - I’m glad the student was caught - I’m just taking about how trying to increase your privacy can backfire.)
> I'm not sure it would that's like going "he owns a car he could have used it to speed"
I think these and other rebuttals fall into the category of completely logical arguments that should, but won't, convince a non-tech-savvy judge or jury.
True but we're talking about juries who are essentially random members of the public and are far from guaranteed to spot a fallacy or buy that it is a fallacy even when pointed out. I think a big difference to them could be how cars are socially normalised but tor is not. There's a good chunk of the population who would hear the car version and think "that's ridiculous, I drive a car!" but hear the tor version and think "that's a strange and alien thing to me, definitely something a suspicious person would do".
> True but we're talking about juries who are essentially random members of the public and are far from guaranteed to spot a fallacy or buy that it is a fallacy even when pointed out.
In the US, at least, juries are generally less sophisticated than a random sample of the general public; anyone who displays significant world knowledge or critical thinking during jury selection will be removed.
This is not actually true. Lawyers prefer jurors with critical thinking skills because it means they can be reasoned to; jurors without critical thinking skills are unpredictable wildcards.
Most jurors are gainfully employed in stable jobs, or were but are now retired, and care enough about their civic responsibilities not to try to get out of jury duty.
Lawyers for one side will have a preference for certain jurors; the other side's lawyers might like a few wild-cards (as to increase the chance of a hung jury).
Usually people "too knowledgeable" get bumped from the pool.
the other side's lawyers might like a few wild-cards (as to increase the chance of a hung jury).
No, never. The defense never wants a hung jury, because the prosecution will just get another chance to have another jury trial, with a new jury, but having learned from the failure of the first trial. The defense always wants finality.
Prosecutions don't want hung juries either, because there is always the risk that the judge will either dismiss the charges (if more than half of the jury leaned toward the defense) or pressure prosecutors to offer a better plea deal to avoid wasting time on a new trial.
Usually people "too knowledgeable" get bumped from the pool
If by that you mean people who know too much about the case already, then yes, because the defendant deserves a fair trial. If you mean people who are "too knowledgeable" in general, then no, unless it's clear that they're going to take this "knowledge" and rely on that "knowledge" instead of what is presented to them in court. Lawyers generally try to exclude tech bros, because they think they know everything about criminal law based on watching a few episodes of Law & Order and CSI.
You're not more "in the bin" as with some fellow knife users who stick them into humans - or a better parallel, recent community favourite Mastodon, which, according to it's federated nature, has also a massive CSAM problem(1). In the digital world, either you have complete freedom (also meaning choose your own server/fellow bin companions) or complete censorship - not much in between.
> You're not more "in the bin" as with some fellow knife users who stick them into humans
Except that the law has come to terms (outside the UK) with the possibility of peaceful knife ownership, whereas the law around Tor and such things is still in the "probably non-technically savvy judge has heard scary terms around Tor and wants to be on the safe side" stage.
There are many places outside of UK that don't allow to carry knives with certain features (e.g. fixed blade or assisted opening) or with blade length above a certain limit. In US, this is often covered by municipal bylaws.
the csam problem is a fediverse problem. not just a mastondon problem, let me just say i am one of the most vocal critics of mastodon after running an instance for 5 years and running. but its unfair to call it a mastodon problem, mastodon is just a fediverse client. the csam can come from any fediverse peer.
but it is indeed a problem, and mastodon mirrors all remote content that is in your federation network and now you have csam splattered across the connections of mastos w only blacklists if entire instances to recourse.
its a bad approach but they've buried head in the sand years ago. things like pleroma do not do this by default
False. Mastodon blocks those CSAM instances (speccially the Japanese ones) in masse. It's the opposite of you say. Twitter and FB have a harder problem on that because they are single-net based.
What do you mean by "specifically the Japanse ones"? Is CSAM more prevalent there or is something along the lines of having more loli content posted there which fals under child pornography laws in certain countries?
Pavoo. It didn't have art related CSAM, which in the end there are just drawings, but real people CSAM. Not porn, just top nudes which in Japan they have an ambiguous stance. Thus, blocking pavoo.net on every Mastodon instance was almost mandatory to keep your sanity in good levels.
On Japan and nudity, I know some of it it's being used not as sexualization, but as a hard prank (Takeshi's Castle, hidden camera pranks on toilets with falling walls, nudity jokes at Doraemon/Crayon Shin Chan, Dragon Ball and Bulma...), but for sure in this case didn't have an intention to ridicule anyone.
Akibahara had a mall where on a single flat there were magazines were displaying illegal nudity as if they were used as a sports magazine or something like that. Creepy stuff. It seems the Japanese people are sexually represend in their teens so they can hyperfocus at school over anything else but then this creates "sexually disabled" adults with lots of troubles on relationships and a hard lack of teenage discoveries.
If privacy is really private, and not merely a promise from a benevolent entity they won't look at your details, not that they can't, then you will always find in your company those who need privacy because they are hiding from all of society that hate them. Even if we were to go 100,000 years into the future where morals are entirely different and alien to modern day ones, if privacy exists at all, you'll find it most popular among those whose behaviors are the most morally repugnant to the futuristic society.
Privacy is good even when you have nothing to hide, but it is imperative for those who do need to be hidden. The ethical issues I generally see people concerned with are ethical issues with privacy itself, not a specific implementation.
There's also a very long history of ideas that were fundamental to scientific and societal progress being morally repugnant to a majority, initially.
Heliocentrism, democracy, etc.
Without some degree of freedom to violate the majority's morality (or even one's parents' morality!) without judgement, we should expect society to stagnate due to arbitrary lock-in of the status quo on any sufficiently controversial issue.
Privacy is great because it lets groups violate the majority's morality invisibly, without flagrantly disrupting the sense the majority has of there being a moral order.
Privacy gives you the upside of social innovation without the downside of a generalized, diminished belief in the morality of others (which can be a downward spiral for societal self-organization.)
Tor doesn't want people using it for building normal communities. Their treatment of tor v2 and the wiping away of all those links, indices, and sites shows this. Yes, 1 year of warning that all of .onion domains were going away was given, thanks The Tor Project. But why bother building a community on an onion domain when they're only treated as temporary and transient identifiers by the tor project?
No, I tried building normal websites and community on tor for 10 years. Then the tor porject wiped it out for potential future security. They will always prioritize the needs of the people who really need privacy over us. And that's fine. But I will not make the mistake of building on tor again.
According to Tor Project, v2 onion services were "fundamentally insecure" [1]. It sucks that you lost your URL, but wasn't redirection an option?
Tor definitely has a commitment to people building communities using hidden services, but they also have a commitment to your community members' expectations of security, no?
You can't redirect clients that cannot even parse your domain name. I can't update the links in all the indices and search engines built the last decade. I can't change the links to my .onion site on other people's sites. No, most .onion domains just went away, poof, inaccessible and sit unvisited while the remaining tor v2 infrastructure goes unused because the tor project clients dropped support. There's more to a web than any single site. And that web of interconnected links was destroyed with no recourse.
As for fundementally insecure, yeah, in a few years maybe by spending $10k you could brute force a hash and take over a domain. So they killed it entirely to protect the people that need absolute privacy and security. They could've left v2 alongside v3 and let people choose but the tor project considers that too risky for their prized use case.
Those of us just using tor for owning our own domains were not important in comparison. That "not being important" will continue. Shadowy users are what tor cares about. Not open communities. Tor is great for pseudo-privacy. It is not great for people wanting to make normal sites on it.
395 comments
[ 3.4 ms ] story [ 857 ms ] threadRight now it has a shadowy reputation because the only people who require that feature are criminals. A few of those are committing crimes against unjust laws, but they are badly outnumbered by widely-disapproved-of behavior.
The anonymity comes with a cost. Tracking makes for a smoother web experience for most people.
So it's a hard sell to say, "Hey, you should do this thing that makes your life harder, in order to help disguise criminals". There's good reason to think that ordinary people should take better care of their privacy, even if they don't realize it, but I don't think that they're itching to apply a technology that has a "shadowy reputation" for a reason.
Most of us don't live in authoritarian regimes where something as silly as saying the king looks like an idiot is a crime
Also, deities: https://en.m.wikipedia.org/wiki/Blasphemy_law
https://en.wikipedia.org/wiki/L%C3%A8se-majest%C3%A9
That includes being selective about who you allow to have an account.
Would love a reputation service that correlates IPs and/or email addresses to the amount time users spend on Facebook. I'm sure this data is out there and purchaseable, to be honest.
That said ... paying electronically is so convenient, damn it.
(haven't been to Germany)
For debts. Steal it, get caught, be ordered to pay restitution. Then your legal tender argument will make sense.
https://www.law.cornell.edu/wex/legal_tender
Various laws may exist elsewhere enforcing a requirement to accept cash (or not, depending on the jurisdiction). But an appeal to "legal tender" isn't going to cut it. Legal tender for what? For debt.
In most other regular shops on the other hand, you'll only enter into the actual contract the moment you pay for the goods, so unless your jurisdiction has a specific law mandating the acceptance of cash in that kind of situation (like e.g. New York city I think?), the merchant is perfectly free to simply refuse entering into a contract with you.
[1] With the caveat that depending on the jurisdiction the shop owner may fully legally put up a sign along the lines of "No cash payment" and in that case it's you who are in breach of contract in the first point. Maybe if you then get sued for non-payment you can pay cash through the court system, but that certainly wouldn't be a pleasant way of paying by cash.
Yes, but the interpretation is that you picking up a bottle of milk or whatever in a supermarket or elsewhere doesn't yet make a contract and that the goods haven't actually legally changed hands at that point.
It's only when you're presenting your chosen goods at the register that you're legally making an offer to buy those goods, and unless there's a law specifically mandating cash acceptance for shops, the merchant (as represented by the cashier or a self-service checkout machine) is free to simply refuse your contract offer. And because in that case no contract was ever successfully made, there's no debt, either, and the concept of legal tender doesn't even enter into it…
Germans have a certain paranoia. I understand where it comes from but how are you ever going to move on if you hold these beliefs so tightly?
In some ways we're already seeing the foreshadowing of this in some of the previously most liberal places on Earth, like Canada. Even if one may not agree with what the truckers were protesting about, it seems unconscionable to freeze people's bank accounts as punishment for engaging in, or supporting, a completely and genuinely peaceful protest. [1]
[1] - https://fortune.com/2022/02/16/trudeau-freeze-freedom-convoy...
Japan though, now there's a place where cash only shops are still prevalent.
We were hitting cash only places all the time there, whereas in Germany I found that cash only became rare during the pandemic.
Hell, even recharging the IC cards in Japan had to be done using cash at a machine. Why can't you use a debit card? Who knows.
I love it. I drove to Germany to have the maintenance done, change the tires and renew the extended manufacturer warranty for two years on my german car (extended warranty which I need to pay for) and it was a hefty bill. I pulled a bit more than 3 000 EUR in cash and they were just used to it. As in: a totally normal occurrence.
I did it basically to test if it was true that cash was king in Germany: I had credit and debit cards in backup just in case. But cash just worked.
The stores are getting wiser about this. My local Fred Meyer (a Kroger brand now) has a fuel rewards program -- for every $100 you spend, you get 10 cents off per gallon on your next fillup. Given how expensive groceries are, a lot of people are saving more like 50 cents per gallon, not 4.
They've also started doing instant discounts at the register, which was something that Safeway aggressively did from the beginning. FM isn't quite that aggressive yet, but when I scan the shopper card just before paying, it isn't unusual for it to knock $20-30 off a $150 purchase.
If it really were just 4 cents a gallon, I expect less people would bother. But it's not. The stores are steadily increasing the penalty for shopping without a loyalty card.
It's a shitty psychological trick that Fred Meyer pulled off.
People think shopper cards save money, and while it's technically true, it's the wrong framing of what's happening. What's really happening is that the store requires the card to get sale prices.
In other words, Fred Meyer creating the shopper card did not create additional savings. It just started gatekeeping sales behind data collection.
Or another one: when you use a savings card, you trade some of your data for a couple bucks off.
(While on that note: in many countries – pretty much everywhere I've been, actually – you can just get a new savings card every couple months, or get a few and round-robin them and replace every couple months etc. Just fill out the sign up form with some garbage data and you're good to go.)
So what are they doing with the loyalty card data? Nothing? Is it all just a mental trick to get me not to go elsewhere?
Also if they were thinking they could have bluetooth beacons at the registers to track cash users that have bluetooth enabled.
Also they have cameras looking at every checkout line. They implemented them originally to observe when lines got too backed up so they could automate sending out more cashiers. They could move to facial recognition of they really wanted. Not sure if they do that now.
Since the register already priced my bill higher at the time I swiped my card and then dropped the price, I have to assume it's the former.
Everyone should know how to use Tor, but we shouldn't have to, at least not all the time.
People's data is being farmed and their identity leaked and sold on the dark web, and they're probably not educated enough to care. That's what you want to preserve?
You mean, after it's sold and resold by the likes of facebook or google in open transactions?
It weirds me out any time I open YouTube on the TV and the first thing I see is an ad related to some recent online purchase, however obscure.
The existence of crime is not an example of the need for anonymity.
Normal people don’t care if their metrics are being tracked - that is happening to practically everybody all day every day, and very few people are experiencing any direct and measurable negative consequences. In their defence, why should they weigh the hypothetical-risk above the real-benefits of giving up privacy (ie, convenience and price)?
I believe if the message of privacy advocates is to have any effect at all on normal people, we really need to start focussing on things that normal people care about, not hypothetical and philosophical arguments
Chrome feels a lot faster than Firefox to me (Especially on Facebook!), yet I still use Firefox to resist Google's stranglehold on the web.
Hope you trust Mozilla with that same level of info (in twenty years)!
Misleading way to say more APIs, I presume?
Can you imagine google chrome bringing Tor integration into their browser? Why not?
So I think the answer to question is - absolutely nothing. The very few missteps Brave has made get broadcast from the ends of the world. The fact the biggest thing people can find to complain about it is some crypto stuff, which is opt-in and easily completely disabled, or an autocomplete tagging a referrer - that was patched out in less than 24 hours, is strongly indicative of the quality and integrity of the browser.
[1] - https://github.com/brave/
That functionality (which would modify some literal URLs typed in by users, not just make autocomplete suggestions!) was present in the source repository for roughly a month and a half until it was disabled by default, and remained present as an option for over a year after that.
https://github.com/brave/brave-core/commits/master/component...
You may mean that it was modified less than 24 hours after users noticed it and raised an outcry, but that still doesn't exactly inspire confidence.
Further, there is no way to pre-emptively disable the cryptocoin elements on new profiles on the same Brave installation.
- Part of the protection Tor provides is due to having the single browser made specifically for Tor. Nearly everyone uses it; this gives you a sufficiently large crowd to blend into. There are fingerprintable clusters inside this crowd, but at least they are still large enough. By using any other browser, you make yourself stand out and even diminish the anonymity of the whole network a tiny bit. This can become a problem if enough people are using custom browsers. Brave in particular is also not restricted enough by default (no JS etc). Default settings for everyone matter.
- Brave's Tor feature wasn't thoroughly tested in real situations. AFAIK they had issues with it, and also warned users not to rely on it as it's not complete.
While I'm in agreeance with everything you've said it should be pointed out that Tor Browser doesn't ship with JS disabled either, it simply breaks so much of the web that they've concluded it's not reasonable for a browser to do by default if they want to attract new users.
Meanwhile, we know for certain that Firefox has played a role in multiple deanonymizations.
Practically everything I do on the web involves authentication and a login and an identity. They're all US-based services. It's stuff that I use to manage my household, and finances. It's also social media stuff; some of it's pseudonymous, but I've got Facebook too.
These services factor in security hints such as device fingerprinting, and a consistent local IP address that belongs to an ISP account I pay for. That's as safe as it gets in this modern digital jungle.
I also use Chrome. I don't use Firefox. Don't try to get me using Firefox; it's incompatible with my workflow. I don't even have it installed to debug website errors. I also own a Chromebook and I do a lot on the Chromebook. 100% of my employment relies on it, and 20% of my personal use is there, too. TOR isn't compatible with ChromeOS (prove me wrong.)
The #1 error of TOR users is that they eventually reveal themselves online, by authenticating to some service, or by going to haunt specific websites or URLs they like. This is similar to people in Witness Protection or abuse victims who run away: they eventually contact family or friends and reveal personal details, and then they're re-victimized.
Sorry TOR, you're not for me.
If you reveal yourself by logging today none of your other sessions from yesterday or tomorrow will be revealed or connected.
It seems futile to use Tor when the OS itself is made by a notorious spyware vendor. But there are Tor browsers for Android that should work.
So, like, Windows 10?
Tracked by whom? Anyone? Is it OK if your parents track you? Does your government have a direct involvement in, say, public city streets?
Is this about technological tracking? What if you walk through a forest, and some stranger comes up behind your path, and uses natural evidence to find out something about you, and which way you went? How would you prevent that?
https://en.wiktionary.org/wiki/track#English
Please tell us what sites you worked on so we Firefox users can avoid using them :)
Or they're so bad they wouldn't even load the entry page in FF?
The only One who is in power will judge me justly, and I eagerly anticipate that with joy and thanksgiving.
How about using HN to make this comment? Even if you use your real name for it, you add some traffic to Tor, which helps.
I have yet to find something which lets you get a good peek at that data. Does anyone know of anything?
I had a look when I went in there a few years ago to disable all their collection and they basically know every website you go to.
You can see something similar with your Google ads profile, but only if you have personalized ads on. (I am sure they still have the profile on you, you just can't view it)
You don't need Tor to avoid advertisers. Blocking all cookies and browsing in private mode will get you 99% of the way there. Throw in an ad-blocking VPN and there's basically nothing anyone can know about you that you aren't explicitly sharing.
A VPN that has multiple users using the same IP simultaneously can help on this front, but I don't know how common this is? Basically emulating how Tor exit nodes work. Though even that is also almost certainly possible to break.
If cloud flare is silent, they know who you are.
Definitely slower and this is a pretty minimal page, but I've got a hunch it really starts to choke when a page is loading a ton of different css/js assets at load
Visits to normal websites were only somewhat affected and were still pretty reliable.
All this stuff is on the Internet, so the Internet's decentralization is a floor that we can build further decentralization on top of.
But wouldn't a hypothetical direct data link to somewhere be faster than using the Internet to get there?
It'd be more brittle, yes. It can go down with little fault tolerance; it can't serve someone else; it can be trivially MITM'd. These are the downsides of centralization and the upsides of decentralization.
> BitTorrent is often faster than regular internet
I torrent a lot, and one thing that doesn't come to mind is "fast".
You can stream 4K movies on Netflix. I'm betting you can't do that as well with a torrent...
> I suspect TOR is slow due to intentionally long and twisty routes, added encryption, extra hops that require more processing, low numbers of exit nodes, and limited bandwidth at the exit nodes. In a way, the speed is probably partly a byproduct of TOR accidentally centralizing traffic at the scarce exit nodes.
Like with torrenting or Bitcoin or PeerTube or whatever, you've listed a bunch of extra complexity that's all corollary to the thing being decentralized and necessarily making it slower. :p
A lot more has to happen to solve a harder coordination problem. You end up using random, non-industrial grade relays. It's more complex, and it's going to be slower.
What does that buy you though? Resilience, like if a relay goes down. Flexibility, like if you wanna use a different relay to circumvent a geolock. Privacy, in that it's much harder for an adversary to monitor you. There's no free lunch for those things, though, tragically, and they're secondary/tertiary on many people's priority list.
We can’t exactly compare Netflix to an unnamed slow torrent of your choice in any fair or reasonable way given that Netflix is something like 15% of all internet traffic and is heavily optimized. The fair comparison is using BitTorrent to download a file compared to a direct http or ftp download from the original source/host - and for that BitTorrent usually wins handily in my experience. Plus I’ve definitely seen some popular torrents download much faster than anything Netflix has ever served me, in terms of bytes per second.
Depends on the torrent. Any popular "Linux ISO" can easily saturate my 1400mbps download speed so I download the UHD bluray remux whenever it's available. Videos encoded at 100mbps look at a lot better on a high dpi display compared to Netflix's 10mbps "4K" and also doesn't limit you to clients that support DRM.
The UX isn't great, but if you select the "Download in sequential order" option you can start watching a torrent in 5 seconds while it downloads in the background
There isn’t an interesting statement on Bittorrent vs internet here. Browsers just don’t make this optimization themselves, probably because most files are small, but also out of respect for the single origin server.
Don't actually take this bet.
Not decentralization, but anonymous decentralization that involves indirect routing. Decentralization can actually offset that anonymity tax somewhat by the fact that you might have multiple sources that you can request data from in parallel.
I'd want to see every computer connected to the internet turn into an exit node! It makes it infeasible to block those IPs, and also prevents people from being charged a crime for such traffic.
Depending on the jurisdiction, this may not be true. In any case it could cause punishment by forcing the exit node operator to get the runaround of the legal system.
Also it is conceivable that governments would update laws to make it illegal, if there was such an impact to NSA data collection to warrant it.
It's a nice thought and running an exit node is on my short term to do list, but I also recognize the costs associated with it and what it may mean for my family.
Road B: Takes 2 hours, chance of getting robbed is 2%.
That said, that was enlightening, thank you for pointing this out. It's disgusting that there are companies selling this.
Consistent visitor ID over months or years, even as browsers are upgraded.
This advertisement implies some things that could potentially be illegal, but I don't think that practice is by itself. Stalking as a service really gives Saas a new meaning .
This one overestimates uniqueness because it doesn't consider stability (e.g. it uses your current battery charge level as a uniqueness measure, which is obviously not stable minute-to-minute let alone day-to-day).
We agree it would be a very bad fit to use the torrent protocol over Tor, a seedbox would be better for your purposes.
a seedbox would be better for your purposes.
A seedbox would suit my torrenting needs but it doesn't fulfil the additional roles of bypassing video stream throttling on my mobile network or letting my overseas friends bypass network censorship.
Then you should probably stop using the web altogether.
I'm seriously confused how using Tor places you closer to "illegal stuff" then browsing as you do? Could you clarify?
Even if we're going to draw the distinction between .onion sites and the plain web (and there's nothing about Tor that requires you to visit or interact with .onion sites) I'm nearly certain that there are many orders of magnitude more "illegal stuff" being shared on traditional websites than the "dark web". Plenty of drugs are purchased through Venmo, and Tumblr and Twitter have had pretty high incidents of child exploitation materials being shared on there (and, despite having been a heavy user of those sites at some point, never came across any content close to that).
My experience has been that, barring 4chan 10 years ago, it is extremely rare that you'll ever come across any "illegal stuff" unless you are looking for it.
This could be an alternative to some of the instant messaging systems that provide privacy but not anonymity.
I know that some chat messaging systems can use Tor as the transport, but they have problems of their own.
What I'm thinking about is something along the lines that each user app hosts a hidden service that receives messages through a standard HTTP API. Users need to hand their hidden service address to friends. The protocol itself already handles payload encryption and routing but messages could be further encrypted at the app level before being sent (using the other user's public key once an initial exchange has been done).
Granted, sending a message would require all parties to be online at the same time, but there could be a set of relay servers to hold messages until they get fetched.
I'm sure there are lots of hairy issues to take into account, but I would expect the existing protocol to mitigate some of these compared to a ground-up approach (like Session is doing). Tor is fairly mature and, despite all attacks on its infrastructure and protocol, it is still standing.
I'm also wondering if such a messaging system couldn't be useful for some IoT types of scenarios, as it would protect the location and communication of the source of the data, so the devices could not be easily physically found and hacked.
None of this would be useful for high-bandwidth real-time data, but you can get reasonable latencies and traffic sent this way.
Maybe it's all just a dumb idea...
Ricochet was a big inspiration for my project Quiet.[3]
Cwtch also deserves a mention, though it depends on ephemeral servers and isn't fully p2p. Briar is another and frequently comes up on HN. [4][5]
1. https://en.wikipedia.org/wiki/Ricochet_(software)
2. https://www.ricochetrefresh.net/
3. https://tryquiet.org/
4. https://cwtch.im/
5. https://briarproject.org/
https://github.com/TryQuiet/quiet/#readme
> Granted, sending a message would require all parties to be online at the same time, but there could be a set of relay servers to hold messages until they get fetched.
We actually do a bit better than this! We use a gossip network (libp2p gossipsub) so all peers don't have to connect directly, and a CRDT over a private IPFS network so that everyone in a community eventually syncs all messages. As long as there's a continuity of online peers, the availability of messages is the same as a central server, and with a few Android users in the mix it's pretty easy to get to that level of continuity.
(The battery impact of staying connected all the time on Android isn't as bad as you'd think, and we haven't even begun to optimize it.)
And yes, it builds on the maturity of Tor rather than trying to roll its own onion routing layer as Session is doing. Quiet is still a work in progress, but we've been dogfooding the desktop app for over a yearn now as our main team chat, and the Android app for a little less than that. We're working on iOS now, which is... tricky. But we're hopeful.
[0] https://github.com/alecmuffett/real-world-onion-sites
Did you forget to read the article? They make the point that this is not the case. Tor Browser can be used to access most of the web besides aggressively anti-privacy platforms like Meta.
If you choose to go on a "Dark Web Search Engine" and that's what you find, that's entirely your decision and not something you would stumble upon.
>but normal people aren't going to put up with that. Nobody wants to see that stuff.
They would never see that stuff by accident, as they never do right now.
Also, while you should always assume your traffic is open to inspection/modification before it reaches its destination, this is more likely to happen with tor, not less likely. The Tor browser does help here, by not easily allowing obvious mistakes like using http.
>There are sites that I have been unable to get working
This happens, most of the time because of Cloudflare. A solution is to get a new Tor circuit 3-5 times, and then the page will load. If a site simply won't work, like Meta platforms I won't use them. Using alternative front-ends[1] makes most sites that usually wouldn't work, work as well.
>The Tor browser does help here, by not easily allowing obvious mistakes like using http.
This is false, HTTPS only is enabled by default in Tor Browser. It's common knowledge for everyone including users of Google Chrome and Firefox to not use HTTP sites.
[1]: https://github.com/mendel5/alternative-front-ends
> This is false, HTTPS only is enabled by default in Tor Browser
I think you misread me. I said the Tor browser does help here.
My bad, you're right! That shows my bias when it comes to this topic, way too much FUD.
Some services block Tor. Sometimes they can be bypassed by pressing "New Tor circuit for this site" a few times, sometimes they cannot. Some of the methods listed here [0] can help (though I wouldn't log into any accounts using this as TLS isn't being terminated at your machine).
Some features don't work in Tor Browser, off the top off my head, sites using AudioContext, Webauthn, Webassembly. (webassembly can be a pain due to some encrypted paste bin sites using it).
I run multiple instances of Tor Browser (separated with Linux namespaces, particularly netns because Tor Browser will fail to load if an existing Tor service is running at port 9150) so that I can multitask between for example posting this on HN and random browsing in another instance. That also helps with the webassembly thing as I run a script to spin up a temporary instance of Tor Browser, enable webassembly in about:config, and load the failing page.
For the sites that block Tor that I need to login to or that don't work with the ad-hoc methods listed above, I will fallback to using a VPN + an about:config-modified version of Tor Browser that has the Tor proxy disabled. Mullvad Browser can also be used as an alternative.
I also use it outside of TB for IRC among other things. You have to be careful as there is no uniform configuration for everyone like TB.
0: https://gitlab.torproject.org/legacy/trac/-/wikis/org/doc/Li...
Nobody that’s not halfway suicidal is running exit nodes on their home machines (I won’t, I don’t want police knocking on my door).
And just for the onionspace… yeah I saw some bad stuff there. After what I saw I don’t think anonymity is a good idea. There is darkness inside people that lack of rules, lack of order, lack of accountability brings out.
In the end Toe is just a legacy project from the CIA/NSA that has outlived it's usefulness. The NSA has certainly redteamed all the ways to take it down or uncloak users, if needs be, so it's not even a tool against a potential fall into dictatorship of the USA.
Actually, this isn't true: Tor with private Snowflake bridges can be very effective against the Great Firewall. I'm an activist who works in this area and I've spoken with activists who were using it as recently as this year.
The issue is scaling bridge discovery, since any automated bridge discovery mechanism rapidly exposes available bridges to a determined censor. But any team doing high profile, notable, or sensitive work can find an individual or organization outside China to provide them with private bridges. So Tor is one effective option now for key activists in China, just not a mass-scale solution for everyone.
And as others have pointed out, Tor wouldn't scale if everyone was using it. Contrast this with I2P which not only would scale but become more resistant to DDOS attacks with the more nodes on the network. Unlike For, I2P has no distinction between nodes, mostly because it's not designed to be an outproxy. But no, let's keep insisting that everyone use a deep state tool with chronic flaws because reasons. /s
One objection a lot of people in this thread have to using Tor is the (misconception) that they'll be relaying Tor traffic. (It doesn't work this way in Tor.) But what you're saying is that i2p will scale because this is the default behavior in i2p. But is that what people want?
Also, hidden services have been harder for Tor to scale than exit nodes, at least in the past few years. I don't think this is the result of the fact that Tor provides exit nodes. I think it's just a result of the onion service connection process being a series of fragile steps.
I do agree that supporting traffic to the web results in the Tor dev team prioritizing this use case over traffic to hidden services, but that's understandable given that it's the vast majority of their traffic and usage.
Um. I'm pretty sure that nodes relaying Tor traffic is the fundamental principle underlying Tor.
Everyone relays Tor traffic when using it.
This should be assumed. So what?
In 2023, almost every website supports https and unencrypted traffic is the exception, not the rule. So if someone sets up an exit node, they can only collect metadata from a few circuits from a competent user. Of course, this becomes a problem when someone sets up hundreds or thousands of nodes, but that - including statistical analysis or the use of 0-days - can only be done by a small minority.
This extends to social networking too. As much angst as there is about moderation, it’s a feature people want.
Maybe, but it's nothing in comparison the darkness that comes out of people who want rules and someone held accountable.
This is a somewhat one-sided way of thinking.
Tor is a tool that can be used for useful things as well as misused for bad things (like a knife or a truck). Now, leaving aside the fact that websites related to credit card fraud, child pornography, and terrorism also have a large presence on the Clearweb.
Also, I'd like to note that Instagram is a global hub for human trafficking, and the moderators' stories don't sound any more innocuous than the Onion stories.
I use Tor daily and abide by the law, but don't want to miss the anonymity or pseudonymity of a Whonix VM and a Tails session.
Since I've been hosting Tor Nodes since I was 14, I don't have to worry about showing up on blacklists of 3-letter organizations, since I've been on top for over a decade anyway.
But anyway, to answer your question: mustard gas is not one thing, it's a class of chemicals. But one of them became the first ever chemotherapy drugs, Mustine:
https://en.m.wikipedia.org/wiki/Chlormethine
Honest question: why do people host exit nodes when they aren't 14 anymore?
Given how dangerous it is to host one, and how little personal benefit one gets from it, I kinda assumed most exit nodes are hosted by three-letter agencies from various countries. Is that so? If not, how so?
Any ideas for how to eradicate it without authoritarianism?
The people on KiwiFarms are actively harmful and engage in illegal harassment activities.
https://en.wikipedia.org/wiki/Kiwi_Farms#Harassment
Well then why haven't they been prosecuted?
Not even wikipedia own founder believes on it anymore. It's essentially useless for anything political related because you already know that they will be heavily biased in favor of a given side...
https://www.independent.co.uk/news/world/americas/us-politic...
Sure, you're hidden, but you're also in with a lot of stuff you don't want to be in with and that can come with legal liabilities and ethical issues that I don't feel qualified to mitigate. And as other people have pointed out maybe the government or your least favourite company actually has a camera in the bin you chose to hide in.
This is not the case, unless you explicitly set up a relay node or volunteer to run a Snowflake bridge.
True, you're mixed in with other users from the point of view of websites that might treat you as spam, say. But you aren't taking on any liability unless you run an exit node, and even that is fairly well-established as safe in at least some jurisdictions.
I know there are deep fundamental technical differences, but I could see an outcome where the end result is the same across both services. I'm not trying to justify to use tor as well, just that I don't think the argument of guilt through incorrect association is solved by not using tor.
Just morality-lacking trash, at best.
You may not _lose_ but you may find yourself with your life seriously disrupted.
Quite a lot of serious projects in this space are US-government funded.
OTF does somewhat focus on needs in regions that are geopolitical priorities for the US, but since most of these projects (like Signal or Wireguard) are building general purpose tools, it seems pretty good for the world overall and not nefarious. Germany recently started a similar fund and hopefully more countries will too! [2]
(I know people involved in both OTF and Sovereign Tech Fund I work with a user researcher who's funded by a small grant from OTF on my project Quiet.[3])
One funny historical note is that OTF grew out of Radio Free Asia, a program started after the Tiananmen Square massacre to broadcast AM, satellite and shortwave pro-democracy propaganda in Mandarin into China.[4] So the mission of funding general purpose anti-censorship and privacy tools kinda makes sense!
1. https://www.opentech.fund/results/supported-projects/
2. https://sovereigntechfund.de/en/
3. https://tryquiet.org
4. https://www.opentech.fund/about/our-history/ & https://en.wikipedia.org/wiki/Radio_Free_Asia
The other downside would be how trying to be secret can shine a spotlight - kind of like the bomb threat at that school (I’m forgetting the name). The student used Tor, but was quickly identified… because nobody else on the school network used Tor. (Make no mistake - I’m glad the student was caught - I’m just taking about how trying to increase your privacy can backfire.)
I think these and other rebuttals fall into the category of completely logical arguments that should, but won't, convince a non-tech-savvy judge or jury.
In the US, at least, juries are generally less sophisticated than a random sample of the general public; anyone who displays significant world knowledge or critical thinking during jury selection will be removed.
Most jurors are gainfully employed in stable jobs, or were but are now retired, and care enough about their civic responsibilities not to try to get out of jury duty.
Usually people "too knowledgeable" get bumped from the pool.
No, never. The defense never wants a hung jury, because the prosecution will just get another chance to have another jury trial, with a new jury, but having learned from the failure of the first trial. The defense always wants finality.
Prosecutions don't want hung juries either, because there is always the risk that the judge will either dismiss the charges (if more than half of the jury leaned toward the defense) or pressure prosecutors to offer a better plea deal to avoid wasting time on a new trial.
Usually people "too knowledgeable" get bumped from the pool
If by that you mean people who know too much about the case already, then yes, because the defendant deserves a fair trial. If you mean people who are "too knowledgeable" in general, then no, unless it's clear that they're going to take this "knowledge" and rely on that "knowledge" instead of what is presented to them in court. Lawyers generally try to exclude tech bros, because they think they know everything about criminal law based on watching a few episodes of Law & Order and CSI.
https://www.theverge.com/2023/7/24/23806093/mastodon-csam-st...
Except that the law has come to terms (outside the UK) with the possibility of peaceful knife ownership, whereas the law around Tor and such things is still in the "probably non-technically savvy judge has heard scary terms around Tor and wants to be on the safe side" stage.
but it is indeed a problem, and mastodon mirrors all remote content that is in your federation network and now you have csam splattered across the connections of mastos w only blacklists if entire instances to recourse.
its a bad approach but they've buried head in the sand years ago. things like pleroma do not do this by default
On Japan and nudity, I know some of it it's being used not as sexualization, but as a hard prank (Takeshi's Castle, hidden camera pranks on toilets with falling walls, nudity jokes at Doraemon/Crayon Shin Chan, Dragon Ball and Bulma...), but for sure in this case didn't have an intention to ridicule anyone.
Akibahara had a mall where on a single flat there were magazines were displaying illegal nudity as if they were used as a sports magazine or something like that. Creepy stuff. It seems the Japanese people are sexually represend in their teens so they can hyperfocus at school over anything else but then this creates "sexually disabled" adults with lots of troubles on relationships and a hard lack of teenage discoveries.
Privacy is good even when you have nothing to hide, but it is imperative for those who do need to be hidden. The ethical issues I generally see people concerned with are ethical issues with privacy itself, not a specific implementation.
Heliocentrism, democracy, etc.
Without some degree of freedom to violate the majority's morality (or even one's parents' morality!) without judgement, we should expect society to stagnate due to arbitrary lock-in of the status quo on any sufficiently controversial issue.
Privacy is great because it lets groups violate the majority's morality invisibly, without flagrantly disrupting the sense the majority has of there being a moral order.
Privacy gives you the upside of social innovation without the downside of a generalized, diminished belief in the morality of others (which can be a downward spiral for societal self-organization.)
No, I tried building normal websites and community on tor for 10 years. Then the tor porject wiped it out for potential future security. They will always prioritize the needs of the people who really need privacy over us. And that's fine. But I will not make the mistake of building on tor again.
Tor definitely has a commitment to people building communities using hidden services, but they also have a commitment to your community members' expectations of security, no?
1. https://support.torproject.org/onionservices/v2-deprecation/
As for fundementally insecure, yeah, in a few years maybe by spending $10k you could brute force a hash and take over a domain. So they killed it entirely to protect the people that need absolute privacy and security. They could've left v2 alongside v3 and let people choose but the tor project considers that too risky for their prized use case.
Those of us just using tor for owning our own domains were not important in comparison. That "not being important" will continue. Shadowy users are what tor cares about. Not open communities. Tor is great for pseudo-privacy. It is not great for people wanting to make normal sites on it.
Fixed it.
No, using Tor is equivalent to holding up a sign to the spooks "Hey, over here! Look at me!"
Use services that respect your freedom. Hacker News works just fine using Tor Browser. ;)