“The western governments run most of the exits” is one of those things everybody “knows” but rarely backs up.
The list of all relays is public knowledge by design. There’s contact information attached to relays. The big operators are known individuals and organizations. They contribute. Interact.
Which ones are actually the governments doing bad things against their citizens? It’s hard to tell? Then why do you make such claims?
Relays that observably do bad things are removed from the network all the time. Are those ones the government? Tor seemingly has a reasonable handle on the situation if that’s the case.
If the fed is doing correlation attacks, why would they run relays at all? “Just” tap the IXPs near major hubs of relays. Or heck, get data from the taps you already had. Silent and more widespread.
Pushing people away from Tor potentially makes it even easier to deanonymize them, depending on the adversary model assumed.
> “The western governments run most of the exits” is one of those things everybody “knows” but rarely backs up.
Thanks for pointing this out. Seems obvious in retrospect but I don't really recall seeing a lot of evidence for this despite seeing the claim quite commonly. That said, the use of "rarely" makes me wonder what evidence has been presented in such rare instances. Just curious. (Of course it's also fine if the phrasing was just communication style.)
Meanwhile you have ignored all other potential attack vectors. Fingerprinting (remarkable how little entropy it takes to identify an individual), zero-days that escape Tor's sandbox, etc. Why does Tor browser even ship with JavaScript enabled? Why aren't major fingerprinting features disabled a la carte?
The point is if you cannot assure anonymity with 100% certainty, you are simply setting people up.
Tor was literally developed by the intelligence community. I’m sure there are a variety of means to gather actionable intelligence from it, with or without the cooperation of the exit node volunteers.
Beyond a principled stance re communications, I can’t think of a reason to use it. If you’re planning to resist some regime that controls telecom infrastructure, the fact that you’re using it is both uncommon and notable.
Tor was literally developed by the Naval Research Lab. Not a part of the IC.
I know because I work there. AMA (edit: about Tor. Because people say a lot about it without actually knowing much. But now I should put my phone down so… too late!)
To protect our most sensitive communications and vulnerable communities, Tor usage should be normalized so it is common and not notable.
I think if the Tor Project wants to boost their network they might try putting anything about how to do so on their website, easily-accessible. I'm trying to figure out how to run a relay and having a pretty challenging time finding anything at all about this. They just really want me to download Tor Browser, it seems.
Edit: I finally found it![0] I had to go to Donate, Donation FAQ, "Can I donate my time?", "Learn more about joining the Tor community.", and then "Relay Operations" -> "Grow the Tor network" at the bottom right. I would really hope there's a more direct path than this...
No prob - and thanks! Looks like I found it right as you were drafting this message. It would be really useful to add some call to action about "Help grow the Tor network!" anywhere on the home page. Partly just to increase the "welcoming-ness" but mostly to reduce friction for ppl who want to contribute, and help make it clear that the network needs support from whoever :)
I still think the IC, and especially the state department, benefits from having Tor fulfill its actual design goals most of the time. There are operations and state department goals that can benefit from Tor working properly. It's the same with encryption in general -- the IC benefits from there being strong and bug-free crypto implementations. That they have in the past backdoored some of them doesn't change that they've also hardened others. I'm sure they come up with and deploy various attacks on Tor all the time, same with foreign nations (whom the state department would like to thwart). I'm skeptical though that they can do working attacks at any time and against any set of people.
For your AMA, if you want: How's the job? What keeps you working there? How's patriotism these days?
The job these days is boring but secure. Tor stuff was more exciting, then I switched teams because grass-is-greener.
At least for the teams I have been on and my view of leadership, there is very little political talk.
But patriotism isn’t politics… lol. The higher you get the more “hoo rah America!” is a part of the motivational speech or report or whatever. Down here in the streets it’s just another job. Pride in the country isn’t much of a driver. At least for me.
> Tor was literally developed by the intelligence community. I’m sure there are a variety of means to gather actionable intelligence from it, with or without the cooperation of the exit node volunteers.
These two statements make little sense together. It was originally developed by the Navy. Okay. So why would they design it from the get-go with such a fatal flaw that would risk their own adversaries gathering "actionable intelligence" from it?
I'd like to stress if we're talking about the Navy's involvement, then you're questioning the design of the whole thing from the very beginning, not just the current implementation.
People saying that the government funds Tor so it's insecure is like saying that the government funds the army which kills people on purpose, so any government hospital will also kill people on purpose.
I think their point is that no matter how secure your base password is, once one site leaks it, the bad guy basically knows your password to every site.
I have been using the internet since the 90s, my Hotmail account is 23 years old and I have never lost any of my accounts. I think it’s working quite well in my experience.
or it just continues working for another 23 years. Do you have a password system that has worked successfully for as long? Just because you “feel” that it’s not good doesn’t mean your feelings are correct.
It would also be very annoying at home games. It would take a special group of friends to tolerate or even get a kick out of how optimally you’ve solved a self-imposed problem.
It’s a fun mental exercise and programming problem, but that’s it IMO.
- buy a pack of gum with a counterfeit $100, get 98 real dollars back
- even with legit currency, it can throw off the drawer. Business might have a policy for cashiers to never have more than, say, $200 in the drawer. Force half of that to be your $100, and now the cashier has crippled change-making ability. Businesses have this policy to make them less tempting to rob and limit the damage if they are.
I have walked out of a few places when they said they either do not accept $100 bills or cash at all. This is how we pressure businesses and fight back in the war on cash. But if you are just buying a pack of gum, you should be considerate of transaction costs for them.
Grocery stores still accept $100s. It is the places where the average purchase is much smaller (or robberies are more common), like coffee shops or convenience stores. Gas stations might accept the bill but only if the change needed is under $20. And then they drop the bill in the safe, rather than put it in the till.
It was not uncommon for someone to show up with their paycheck to do their weekly shopping, handing it over to the cashier and taking the rest in change. The amount of cash that worked through a busy grocery store must have been pretty amazing.
Volunteers run probes and earn credits. Credits can be shared and spent to run measurements of their custom design. All measurement results are public info (I’m pretty sure, it’s been a while since I did stuff with RIPE Atlas).
So all that nonsense about credits and volunteering may not matter to you if the results are useful.
I have a few 100 million RIPE Atlas credits I don't need. So if anyone wants to test it just drop me a mail with your RIPE account and I'll gladly send you a few million. My email is in my profile.
I jumped from Nord to Mullvad as soon as my 3 year Nord sub was up. The throughput speed is unquestionably and substantially faster with Mullvad, and they don't force me to change my password every 3 mos like Nord got all righteous about.
Mullvad costs a little more, but they're better in every way, including staying out of your way.
I'm happy where I am but if I had to jump, it'd be to Mullvad.
I personally wouldn't use Nord for free.
2018 Nord's ties to Tesonet. 2019 Data breach. Repeated rewrites of site to handle false claims allegations. Endless reports of performance issues. I guess each of these things can be minimized with enough explainers but why bother?
A function called ':' is defined. In its body, it calls itself twice at the same time (':|:') (piping the output of the first call into the second, which doesn't do anything useful) and sends these calls to the background ('&'). After function ':' is finished being defined, it is called.
The first call spawns two clones. Each of those spawn two more. Etc.
Completely.
Exits aren’t a part of the circuit. Ever.