Forgot your password?
typodupeerror
The Internet Privacy

Group Thinks Anonymity Should Be Baked Into the Internet Itself Using Tor 123

Posted by samzenpus
from the don't-track-me-bro dept.
Hugh Pickens DOT Com writes "David Talbot writes at MIT Technology review that engineers on the Internet Engineering Task Force (IETF), an informal organization of engineers that changes Internet code and operates by rough consensus, have asked the architects of Tor to consider turning the technology into an Internet standard. If widely adopted, such a standard would make it easy to include the technology in consumer and business products ranging from routers to apps and would allow far more people to browse the Web without being identified by anyone who might be spying on Internet traffic. The IETF is already working to make encryption standard in all web traffic. Stephen Farrell believes that forging Tor into a standard that interoperates with other parts of the Internet could be better than leaving Tor as a separate tool that requires people to take special action to implement. 'I think there are benefits that might flow in both directions,' says Farrell. 'I think other IETF participants could learn useful things about protocol design from the Tor people, who've faced interesting challenges that aren't often seen in practice. And the Tor people might well get interest and involvement from IETF folks who've got a lot of experience with large-scale systems.' Andrew Lewman, executive director of Tor, says the group is considering it. 'We're basically at the stage of 'Do we even want to go on a date together?' It's not clear we are going to do it, but it's worth exploring to see what is involved. It adds legitimacy, it adds validation of all the research we've done.'"
This discussion has been archived. No new comments can be posted.

Group Thinks Anonymity Should Be Baked Into the Internet Itself Using Tor

Comments Filter:
  • interesting (Score:5, Insightful)

    by ganjadude (952775) on Friday November 29, 2013 @08:17AM (#45554593) Homepage
    I like the concept, however If we are going to turn tor into a standard would it not make more sense to start from scratch and create a new standard based on tor instead? for all of tors advantages there are numerous disadvantages.
    • Re:interesting (Score:4, Insightful)

      by aaaaaaargh! (1150173) on Friday November 29, 2013 @08:37AM (#45554695)

      Many if not most existing standards have turned out to be fairly mediocre from a security point of view, think of cell phone and wireless encryption for example. There is also some evidence from the Snowden leak that standards procedures and committees have been weakened by members acting overtly or secretly on behalf of government agencies. So they should be really cautious about such offers.

      And why re-invent the wheel and make something fro scratch? Tor is working well, even too well in the eye of some people ...

      • by Anonymous Coward

        That's the point. TOR does NOT work well. It's too easy to compromise with a bogus exit node.
        TOR is not safe. Not at all.

        • by Anonymous Coward

          The purpose of Tor is to allow you to connect to endpoints that need not be point-to-point encrypted aka ordinary web pages. There is no way you can make the exit nodes secure under this model, or at least none has been found so far.

          Or let me ask differently: How would you fix it? A web of trusted exit nodes run by the government of choice? :P

          • by noh8rz10 (2716597)

            There's no such thing as absolute privacy. you need to ask, privacy from whom. If you want privacy at a coffeeshop, use a VPN client so you don't get packet sniffed. If you want privacy at your home (shared) computer, clear your browser cache. If you want privacy from the servers you're connecting to, then TOR may be a good option. If you want privacy from NSA, then forget about it. It's best to assume the entire internet is a military resource, and you have guest privileges.

          • Re:interesting (Score:4, Informative)

            by Jane Q. Public (1010737) on Saturday November 30, 2013 @12:39AM (#45559549)

            "Or let me ask differently: How would you fix it? A web of trusted exit nodes run by the government of choice? :P"

            No. Everybody here is missing the point.

            If/when exit nodes are everywhere, hosted by everybody, two things happen:

            (A) It becomes impractical to the point of impossibility to monitor all the exit nodes, and at the same time

            (B) the VALUE of monitoring any given exit node is diluted far past the point of making it worth anybody's time.

            • Hm. Less than 1% of my internet traffic is web browsing. A very sizable chunk (random number) 40% is very latency sensitive.

              Why would I want to participate in this? It would make 40% of my internet traffic utterly useless and would be pointless for 99% of my traffic.

        • Yes, but this is currently only a problem because there are very few exit nodes. What if EVERY user was an exit node? What if "Contains TOR Privacy!" would become a sales point on routers? If the exit nodes were in the millions and then chosen at random by the client, it would pretty much be impossible for a Government to gather information from a bogus exit now because they'd statistical only collect data from 1 user, chosen at random, at a time. Not only that, but since everyone would be using it, rather

          • Re:interesting (Score:5, Interesting)

            by UltraZelda64 (2309504) on Friday November 29, 2013 @11:38AM (#45555881)

            While I do agree with you, an interesting negative to that would be:

            If everyone runs their own Tor exit node, including unknowingly every dumb Windows and Mac user out there, then malware writers (the NSA?) would have a field day writing bad stuff that attacks and takes advantage of a very large number of exit nodes. So which is better: fewer exit nodes but a few known bad ones as it is now, or shitloads of exit nodes where the vast majority cannot be trusted? All it would take is one major outbreak to basically destroy Tor's purpose...

            • "If everyone runs their own Tor exit node, including unknowingly every dumb Windows and Mac user out there, then malware writers (the NSA?) would have a field day writing bad stuff that attacks and takes advantage of a very large number of exit nodes. So which is better: fewer exit nodes but a few known bad ones as it is now, or shitloads of exit nodes where the vast majority cannot be trusted? All it would take is one major outbreak to basically destroy Tor's purpose..."

              This is not a real concern. It would be ridiculously easy for independent malware checkers to detect this.

              Not to mention that it is highly illegal for the government to do that. Regardless of the recent revelations that they DID do that... it's still illegal. Than can be and are being sued over it.

              • One, you could argue that it is "ridiculously easy" for security programs to check anti-virus software, period, but people still get screwed--whether it's because they have not kept up to date on something, haven't kept their antivirus subscription going, or their program just didn't catch it.

                Two, you really think the NSA gives a flying fuck if something is "illegal"? Really? Literally all of the information we have so far on them thanks to Edward Snowden only proves that they don't give a rat's ass about w

            • by dewrox (1646725)

              If everyone runs their own Tor exit node, including unknowingly every dumb Windows and Mac user out there, then malware writers (the NSA?) would have a field day writing bad stuff that attacks and takes advantage of a very large number of exit nodes. So which is better: fewer exit nodes but a few known bad ones as it is now, or shitloads of exit nodes where the vast majority cannot be trusted?

              In my mind this is not interesting but rather bordering flamebait. How is what you propose any different than what exists now? Malware writers are having a field day right now with all of the unsecured exit nodes. ( yes you are an exit node on the internet, regardless if you are a tor exit node ) So the true question is would you rather have a greater possibility of retaining your privacy, or just keep living in a deluded fantasy where you think you have any semblance of privacy when you don't? Don't be t

        • by colordev (1764040)
          Thank's fot the FUDBAR. Now tell us what is safe and what will better promote peoples privacy, democracy and the development of human rights.

          > Just to remind you Mr. Anonymous Coward a hundred of million persons were killed by their own governments during the last century. What makes you think govermnents 20 years from now will not execute jews, communists, homosexuals, retards or gypsies like they did in Germany(in 1930-40's), or they will not execute people living in cities or wearing glasses, Buddh [wikipedia.org]
      • Many security projects have also been deliberately crippled by cooperation with US export encryption regulations, and by the laws concerning suveillance capability for audio communications. These laws require "law enforcement" access to the communications. While Tor might skirt these regulations as not serving text, many fundamental encryption and anonymization technologies would directly block such monitoring.

      • Re:interesting (Score:5, Interesting)

        by WaffleMonster (969671) on Friday November 29, 2013 @12:46PM (#45556379)

        There is also some evidence from the Snowden leak that standards procedures and committees have been weakened by members acting overtly or secretly on behalf of government agencies. So they should be really cautious about such offers.

        In some ways IETF is almost a joke. "Consensus" building is supposed to be the key to movement yet there is no barrier to entry other than having sufficient number of brain cells to send a message to a mailing list. I have observed several instances of "ballot stuffing" where hoards of random people who very likely know and have contributed nothing at the last moment express support for x. The arbiter of what consensus means is always WG chair(s) who themselves mostly always work for a corporations with skin in the game.

        The IETF process is most successful as a middle ground where there is market incentive to work together. In the case of tor there is no market to speak of to incentivize such behavior.

        And why re-invent the wheel and make something fro scratch? Tor is working well, even too well in the eye of some people ...

        My guess they might start with existing specification and evolve standard based on IETF process.

        An example of this SSL v3 was mostly Netscape's doing while TLS v1 and later were products of the IETF. In this case there were no radical changes between versions and backwards compatibility was retained. There was also huge market incentive for broad compatibility and getting security right.

    • Re: (Score:2, Interesting)

      by Joce640k (829181)

      If you can tap into/analyze the internet backbones (as the NSA can) then Tor isn't very anonymous. They can track packets and figure out who's really connected to who even though the packets are relayed.

      I don't know if this can easily be fixed, but now would be the time to do it.

      • by Joce640k (829181)

        ...and if you're the NSA you'll also up your own Tor nodes, which helps considerably.

        • by f3rret (1776822)

          ...and if you're the NSA you'll also up your own Tor nodes, which helps considerably.

          This, however, they can (and probably already are) do.

      • by Kjella (173770)

        It's not quite as simple as that, you can do many things that like padding things out to fixed sizes so you can't see JPG of 185254 bytes move through the network, but say only 256kb blocks. You can wait for other packets to come in and only multiple blocks at once so there's no clear link between which come in and which go out. You can pad things with dummy traffic so it appears you're routing it to several different nodes, that you're not the end point when you are and that you're not the starting point w

      • by f3rret (1776822)

        If you can tap into/analyze the internet backbones (as the NSA can) then Tor isn't very anonymous. They can track packets and figure out who's really connected to who even though the packets are relayed.

        I don't know if this can easily be fixed, but now would be the time to do it.

        They can't identify EVERYONE, and they cannot identify anyone in real time.

      • by AmiMoJo (196126) *

        Tor is resilient to that kind of analysis. For example it will combine packets together and pad them with dummy data before forwarding them. The NSA sees an encrypted packet go in but it never comes out again, only a different packet that may contain one or more other packets and is encrypted with a different key emerges.

        Tor only has one major vulnerability, assuming you use it perfectly. That vulnerability is the NSA controlling a significant number of nodes on the Tor network. It would have to be an awful

    • Re:interesting (Score:5, Insightful)

      by jones_supa (887896) on Friday November 29, 2013 @08:39AM (#45554715)
      Let's still not forget that even if they end up designing a system which has some disadvantages, it would still be zillion times better than the current system. I just don't want this plan to be discontinued because some perfectionist nerd found some theoretical flaw from it, which can only be exploited by milking a Mongolian horse under full moon. That being said, of course we should still try to make as robust system as possible.
      • The problem is, the NSA budget allows for a lot of mongolian horses so there is always one available for milking at the appropriate time.
        • It would still be an improvement. Obtaining those horses would create an extra step for NSA. All the ways you can make the spying process even slightly harder for NSA is good, as they currently can basically just set up taps almost anywhere and start listening without too much effort.
          • by Joce640k (829181)

            Yes. One of the best defenses is to make it expensive for them to do.

            • really LOL??

              since when is cost a consideration for a government that is already $17trillion dollars in debt?

              • Re:interesting (Score:5, Insightful)

                by Catbeller (118204) on Friday November 29, 2013 @10:51AM (#45555561) Homepage

                Where was all this concern about the debt when Reagan and Bush W. were cutting taxes, emptying the Social Security trust fund, and spending madly on military and spy agencies? When Reagan took office, the debt was 3 trillion. When Bush took office, it was 6 trillion. Clinton actually paid the debt down a half trillion in his final year: Bush immediately declared the surplus the people's money and gave the surplus back - then raised spending until he left the country another extra six 6 trillion in debt, with obligations to pay for wars and refund the money stolen from the SS trust fund since 1984. Republicans cut taxes and raise spending, run up the debt, have a rich man's party, then step back and let Democrats take all the blame and make the spending cuts and tax increases to try to repair the damage. This has been a thirty+ year tax-cut-based robbery. And always, always an excuse to cut aid to the poor, never the rich.

                • according to the u.s. constitution, Congress allocates spending.

                  just fyi...and also I would like to know where in my comment I specifically blamed any one political party for the national debt?

    • Re:interesting (Score:5, Insightful)

      by jellomizer (103300) on Friday November 29, 2013 @09:18AM (#45554945)

      They are disadvantage on almost every thing out there.

      You can pine on the disadvantages, or you can rate them and see how to fix them, without cutting into an other advantage, or increasing an other disadvantage.

      Normally if a protocol is Fast, it is unsecured. if it is Secure, it is slow. If it is complex and full featured, there are a lot of failures in implementation, if it is solid, there is a lot less features.

      Life is full of tradeoffs, Stop pining on the road you didn't take, and work on the road you took to make it better.

      • Normally if a protocol is Fast, it is unsecured. if it is Secure, it is slow.

        Look at CJDNS. It's fast, simple and reasonably secure. While it doesn't officially provide anonymity, it's IMHO difficult enough to breach it's anonymity without disproportional waste of sniffing equipment. The NSA or KGB sniffers on backbone just aren't enough.

        • CJDNS lets you use web browsers. That immediately makes it a useless way to develop secure communications that less technical people can use. All it takes is one line of JavaScript to unmask your real IP address. You disabled JavaScript? Well now most of the web doesn't work. How useless is that?

          It's still a valiant and interesting effort. The security of it is still debatable.
          • In Soviet Russia Reading doesn't punish YOU! Punishable are only posting, hosting and refusing to filter. Posters should care of their security theirselves, be it disabling of JavaScript or booting a specially crafted anonymous Linux. Webhosting does not need Javascript or browsers. Refusing to filter is ISP crime, not bloggers, and I have a sincere hope that earlier or later the loss of reputation will be less than fines for non-filtering.

            And BTW. The earlier the FSB catches all the young Nazi fools for p

  • Wasn't there an article here earlier about how it's not so difficult as earlier imagined to track inputs and output of Tor and connect them to the person using it?
    • by Captain Hook (923766) on Friday November 29, 2013 @08:34AM (#45554679)
      Tor's weakness is when one organisation, such as the NSA, controls a large percentage of the exit nodes.

      The larger percentage of the exit nodes a single organisation controls the better chance they have to seeing all the packets from any given user.

      Becoming an Internet standard would dramatically increase the number of exit nodes making it harder for a single entity to control a decent proportion of them, although the basic attack would still work with enough resources.
      • A single compromised exit node is enough to breach the anonymity of the user. After this, everything that he writes under a nickname can be attributed to him.

      • by fa2k (881632) <pmbjornstad AT gmail DOT com> on Friday November 29, 2013 @10:32AM (#45555407)

        Owning exit nodes is not sufficient to reveal the identity of tor users. Owning a large percentage of relay nodes AND exit nodes could compromise the anonymity, as one could just follow the progression of any data throughout the network. If the traffic volume is small enough to be able to statistically separate the streams from various users, it may be sufficient to surveil relay and exit nodes, instead of actually owning the hardware.

        There are limitations: the exit node can mess with the data at will, in both directions, and this is how the FBI owned the visitors to a pedo site. They injected some HTML (I'm not positive that it was HTML/JS, but one would assume) to make the browsers of the users connect to FBI servers outside of Tor. It was a bug in firefox that allowed this.

        There are two strategies to protect against this,
        1) Encrypt everything; only access SSL sites over Tor. This works in theory because the exit node can no longer mess with the data stream. The only way to reliably use this strategy is to *block* non-SSL traffic. There are so many websites with mixed content, which may pull images and ads from non-SSL streams. Also, NSA may be able to break SSL either by a proper MITM attack (completely hypothetical, no evidence exists) or by owning private keys for some CAs.

        2) Block any non-tor access from the system used to access Tor. This is possible at the network level with extra hardware, VMs and possibly with SELinux. If the browser *cannot* communicate over the standard internet, only Tor, then one is moderately safe. It's still important to configure the browser to not send identifiable information for fingerprinting and tracking cookies.

        By doing 1 and 2 one is quite safe. It may be fine to use a less safe setup for non-secret stuff, like checking facebook, and contributing to flood the tor network with un-interesting traffic. If the "really anonymous" mode required restarting Tor, the NSA would be able to see this from ISP logs, of course.

        • by Splab (574204) on Friday November 29, 2013 @11:35AM (#45555851)

          You really should read up on technologies before making statements like that.

          The Pedo busts were not attacking exit nodes, it was an attack on the hidden services within the network, there is no mim attack on hidden services, as no one knows who is talking to who. What the FBI did was compromising the servers hosting the material, serving malware that send a single request out outside the TOR network.

          Regarding 2; this only works if your software is perfect, which it won't be. The Pedo bust was abusing a known bug in Firefox 17, which had been fixed for quite a long time, it only takes a single bug in the stack to inject some data, that can be collected at some point later - Even if you only allow data through TOR and using SSL, there is nothing preventing FBI sending enough data about your local network, to help identifying you. (For instance, a quick wifi-scan gives you enough information to place my system somewhere in Denmark, using WIFI databases, like the stuff google collected with street view, you can probably pinpoint it even further)

          While forcing SSL is a nice idea, generally, it wont work; as you said, people are doing mixed content - on top of that, it only takes a single compromised request to a CDN like jQuery, to have your system thoroughly compromised, see http://www.youtube.com/watch?v=ZCNZJ_7f0Hk [youtube.com] (While they are compromising anonymous proxies, the attack will work just as well on TOR)

          • by fa2k (881632)

            You're right about the first point, it was a hidden service which FBI took control over, sorry I completely forgot and should have checked. Hidden serivces seem to have SSL-like protection built-in, thanks to the encryption of Tor, but when the FBI controls the server that's of course moot. That's also a different threat model than I thought of before, so bad example.

            I still believe it's possible to be safe, but may have underestimated the risks before. The best way seems to be to use VMs or clean installat

            • by fa2k (881632)

              Some corrections are in order, hope I caught all my mistakes now..

              Hidden serivces seem to have SSL-like protection built-in, thanks to the encryption of Tor,

              Probably not, that was made up. there is encryption, but I don't see how they could have authentication (unless the certificate was in the *.onion name, but they're not that long)

              The best way seems to be to use VMs or clean installations like booting from CD. There is then a separate computer for the Tor client, blocking anything but the Tor HTTP proxy with a firewall on the interface connected to the client.

              To clarify, client & gateway be connected directly, no others computers including no internet

              The client shouldn;'t have any unique software

              ..including language & keyboard layout

              (don't know [about blocking] audio / microphone).

              OF course block mic. Not only can the malware *hear you speaking*, the mic probably also has a unique noise spectrum, and there

            • by Splab (574204)

              Sorry, but I don't think you understand how TOR hidden services work (to be fair, Wikipedia is downright useless here) :-)

              https://www.torproject.org/docs/hidden-services.html.en [torproject.org] - they do a much better introduction than I could ever hope to do ;)

        • by dbIII (701233)

          1) Encrypt everything; only access SSL sites over Tor

          Those stupid "web accelerator" boxes that proxy https so internally have everything as if it is plain text are presumably the NSA or similar's way to deal with that - at least they are a big fat target for criminals looking for banking passwords. The inconvenience of having all SSL traffic going via those flagged as a man in the middle attack (which is accurate) means that users click to use the certs and anyone that has a way in to those devices can see

      • And since a lot of us now live under bandwidth limitations, who would want to run an exit node?

        That doesn't even address the potential for the feds to arrive at your door due to some moron out there trying to browse kiddie pron that happens to come out thru your node..

        Unless we had 'protected' entities with enough bandwidth handling all the exits to the 'open net', then the concept of making this 'the standard' is flawed.

        ( freenet has a similar issue with bandwidth use.. who can afford to contribute what is

    • by Chrisq (894406)

      Wasn't there an article here earlier about how it's not so difficult as earlier imagined to track inputs and output of Tor and connect them to the person using it?

      I think that this type of traffic analysis becomes harder as more people use it. The other weakness is if someone controls a large number of exit nodes - if routesr etc all could act as exit nodes it would be safer .... unless someone had a backdoor into the routers!!!

    • by AHuxley (892839)
      If your the NSA or GCHQ every packet into and out of a country belongs to the gov for that ~"day". e.g. your message can go from the UK "around" the world a few times and back into the UK.
      The GCHQ gets your entry IP, the message and your destination IP.
  • But how else then shall they keep us safe from all the Bad Guys, ne'er-do-wells, pedophiles, terrorists, communists, liberals, hippies, criminals, foreigners, pirates, gays, racists, misogynists, thought crimes, neighbors, and YOU?
  • by coder111 (912060) <coder&rrmail,com> on Friday November 29, 2013 @08:30AM (#45554641)
    Hmm, TOR is a nice project and all, but it has its benefits and drawbacks. I think IETF need to give quite a bit of thought before adopting some technology as a standard.

    I'm all for anonymous communication with encryption though. I hate what corporations and governments are doing to the internet. I do believe internet is the most important human discovery since fire, and its freedoms need to be preserved...

    --Coder
    • by Anonymous Coward

      I don't know that I'd consider the internet a "discovery". More of an invention. A discovery is like finding a new species of animal that's existed for a long time, but we didn't know it was there.

    • by Lennie (16154)

      If something would happen at the IETF, mostly likely out come would be if the IETF would create a work group to create a protocol, maybe based on one of those existing protocols. Just like HTTP/2.0 is based on SPDY, but isn't SPDY.

    • by Joce640k (829181)

      Hmm, TOR is a nice project and all, but it has its benefits and drawbacks. I think IETF need to give quite a bit of thought before adopting some technology as a standard.
      --Coder

      Even if they do, the NSA will make sure it never gets built into a major OS or anything that people can download/use simply.

      I've always suspected the reason why Outlook (or whatever) doesn't have encryption enabled by default was because of visits from the men in black SUVs.

      After the last couple of months I'm 99.999999% sure it's true.

  • until someone simply creates an STCP/SUDP/SIP standard where the first thing any newly established connection does is negotiate SSH-style encryption (fuck TLS), with fallback to regular TCP. Can't be that hard, can it?
    • Go for it.

      Don't worry - you won't get anywhere close, but I guarantee you will learn a lot.

      Start by trying to define what you are protecting from whom, and how two arbitrary endpoints who have never met can know they are talking to each other and not a man in the middle.

      • by Joce640k (829181)

        how two arbitrary endpoints who have never met can know they are talking to each other and not a man in the middle.

        My take on this is that the messenger apps should permanently show a fingerprint of the encryption key on screen (eg. at the bottom of the window).

        If the key is easily visible then people would be able to compare keys when they meet in real life. Any mass tampering by the NSA would then be obvious and provable. You can also compare keys in other ways, eg. in a voice call.

        It doesn't prevent man in the middle attacks but it makes it impossible to do in secret.

  • by Anonymous Coward on Friday November 29, 2013 @08:37AM (#45554701)

    *OMG* no! Tor does nothing if you want to spill your personal guts all over the internet. Also cookies and other nefarious tracking technologies work
    wonderfully right through tor. tor doesn't block you if you want to scream your name and credit card number and whatnot to the internet ...
    can we just have websites work without javascript and FLASH?!

  • by Anonymous Coward on Friday November 29, 2013 @08:43AM (#45554743)

    How feasible would it be to split the internet right down the middle but share the same lines?

    So on one half you could keep the wild wild west net and on the other all the cry babies and censor-happy types can have their walled wide web.
    Then just onion-up the wild wild west side.

    • by Anonymous Coward

      Also, I realized a bit of a misunderstanding in my own post that could lead to confusion.
      Note that I do mean the internet when I refer to wild wild west and walled wide web, those were just metaphors for the web being the most commonly used services for the standard user.

      I'd personally love for such a thing to happen because it would essentially finally emulate the real world.
      At the moment it is just a horrific mess of services mashed together with broken censorship all around.

      The walled wide web would be g

    • How feasible would it be to split the internet right down the middle but share the same lines?

      So on one half you could keep the wild wild west net and on the other all the cry babies and censor-happy types can have their walled wide web.
      Then just onion-up the wild wild west side.

      This wouldn't work because you're forgetting the censor-happy people's mentality: they aren't trying to censor the internet so that they can't get to certain material, they are trying to censor it so that _you_ can't get to certain material because the _idea_ of you looking at certain stuff in private offends them. So this kind of split couldn't happen because the censor-happy people still don't want to allow you to get to the "wild wild west" net.

      Wide-scale censoring is all about "I find what you do in private to be offensive so you should be locked up for offending me!" and almost never to do with "I find this content offensive so don't want to see it myself". Much the same way as various activities happening between consenting adults in private are illegal - this isn't about protecting anyone from anything other than offense caused by their own narrow-mindedness.

      Note, I do think there is a place for local-scale censorship, such as preventing kids/teachers at school from accidentally stumbling across stuff they shouldn't. However, where kids are *actively* trying to get at porn, et-al, censorship is never going to work and it is far better to spot kids doing this so someone can have a talk with them. That's not to say that I necessarilly think kids looking at porn is a bad thing (indeed, it's completely normal), but talking to them about it to put it into context is probably a good plan.

      • "However, where kids are *actively* trying to get at porn, et-al, censorship is never going to work"

        I work at a school. You are quite correct. If they want to find something enough, they will find a way.

      • And the best thing about "local-scale censorship" is you get to decide what to censor. If you happen to think that the human body is fine to be viewed but violence is horrible, then you can ban violent sites and allow sites that show humans sans clothing. If you think that certain combinations of adult humans are abhorrent, you can block that from being viewed by you (or anyone else in your house). And so on. Meanwhile, other people with other ideas of what is fine to view and what isn't will view (or b

    • by nurb432 (527695)

      It's already been done. Its called 'FreeNet'.

  • There are so many ways that browsers and other software that communicates via the Internet give up the identity of the user. Tor can't stop any of them, and they explicitly say so. I'm working on designing a new protocol and the software to run it that anonymizes communications better, and I had to eliminate the chance that existing software could tunnel through it because of this. Any software that tunnels communication which isn't secure will automatically be a major security risk. Even turning off JavaSc
  • by pedantic bore (740196) on Friday November 29, 2013 @10:11AM (#45555271)
    I've worked with the IETF on several RFCs. I'm also familiar with the challenges that the Tor project faces daily, and what they have to do to stay ahead of the entities trying to break Tor. I think for Tor to even stop to talk to the IETF would be an waste of their time; Tor needs to be nimble, and the IETF standards process is painfully, horribly slow and unable to move quickly on anything. Given that Tor releases updates on a cycle that is shorter than the normal time a draft spends in the AD review queue, by the time an RFC got to the standards track it would already be out-of-date.
  • All these anonymous routing techniques place a lot of load on the internet and a great deal of latency. I have a proposal to help:

    A content-addressible distributed store for static content. You can make it work like Freenet if you really want to be paranoid, but that isn't needed. Just a distributed caching system indexed by, say, sha256 hash.

    It'd take some minor revisions to web browsers, but you can make this work with backwards compatibility by using a reserved word in a URL. Eg, http://theserver.com/mag [theserver.com]

  • Tor project should sell tor applicances in every shape. routers, phones, desktops, laptops. Lots of phones/routers have GNU/Linux customizeable firmware. Nobody has taken upon themselves to offer up turn-key solutions/support for these.
    Jolla Phone, Mozilla Firefox OS phone, Cyanogenmod?, Iphone, Ubuntu Phone.

    You could configure it with tor DIY as you would your desktop, but for your grandma that doesn't cut the mustard.
    That's why a turn-key service-offering like that would be best.
    That would be something

  • The shortest path between two points would not be a straight line, but it would go around three sides, twice.
    Can't we all just get a long so we wouldn't need this sort of nonsense. *sigh*

    • I feel ya. Possibly a saner and still effective system would be to simply enforce end-to-end encryption in all communications.
  • by Cajun Hell (725246) on Friday November 29, 2013 @12:13PM (#45556155) Homepage Journal

    One thing you've gotta admit about Tor, is that it's an inefficient way to get packets from point A to point B. If we had Tor built into the all Internet protocols, don't you think one of the first things you would do, would be to look at some case where you didn't like the performance you were getting, and then you'd "invent" a shiny new protocol that directly links two points, providing massive performance improvements at the cost of making traffic analysis easier? And don't you think there are shitloads of applications, where that tradeoff would make sense? Inventing not-Tor would be the biggest thing, ever.

    Crypto is good. Modern CPUs can handle it effortlessly, nearly for "free." There are some cases (e.g. shared caches) where you might not want the tradeoff, but overall it's turning out to be a no-brainer, almost always worth the compromise. You just can't say that about onion routing, though. It's subjectively good, at best.

    BTW, also: here in America, a lot of us have asymmetric connections for the "last mile."

  • On the topic of Tor use... Viewing /. through the Tor browser bundle sucks. It's the goddamn autorefresh feature. Go stick a tube down someone else's throat - if I want my goddamned page updated, I'll do it myself. When it happens on auto, i get what I'm looking at whipped away from me, then it takes a while to reload and render and jerks my damn page position around or just sends me to the pink-page-of-untrusted-ip-address-shame. Autorefresh sucks, m-kay?
  • In an unrelated story US Government Officials today announced the seizure of large amounts of heroine cocaine and guns at the house of all the guys names mentioned in the article. Government spokesmen said today "Definitely not planted. Definitely not planted. We are excellent drivers". All above mentioned persons have been placed in a prison of our choosing and will be arraigned to answer their charges in 16 to 24 years.

Programmers do it bit by bit.

Working...