
Italian Anti-Corruption Authority Adopts Onion Services - jakobdabo
https://blog.torproject.org/italian-anti-corruption-authority-anac-adopts-onion-services
======
kodablah
Nice. I am hoping onion services become more ubiquitous for desktop use. So
many decentralized networks work so hard to solve things like NAT busting and
network issues, and they still forget about anonymity.

I am personally working on a tiny side project to build a chat/forum/etc
platform based around onion services for all users. Traditionally, it was
annoying to have to ask users to install Tor and open up the control port so
your app could leverage it. In a recent alpha there is an experimental tiny
little C API that can start the Tor system in-app [0]. Leveraging some of the
work from [1], I put in some effort to get all the steps working to compile
Tor statically in a single Rust exe on Windows [2]. As Tor's embeddability
game increases, I hope more apps will consider using it as part of their
network stack. Granted I know the problems that are inherent with "vendoring"
security libs like these, but for some uses the benefits outweigh the costs of
requiring separate downloads and separate daemons running.

0 - [https://blog.torproject.org/tor-0331-alpha-released-back-unstable-development](https://blog.torproject.org/tor-0331-alpha-released-back-unstable-development)
1 - [https://github.com/iCepa/Tor.framework](https://github.com/iCepa/Tor.framework)
2 - [https://github.com/cretz/rtsw-poc](https://github.com/cretz/rtsw-poc)

~~~
jerheinze
A mix between IPFS and onions would also be very promising. There's current
work on that.[1]

[1] :
[https://github.com/ipfs/notes/issues/37](https://github.com/ipfs/notes/issues/37)

~~~
kodablah
Yeah, I've seen that. OpenBazaar's onion transport is similar to what I'm
talking about when I mean the user has to have their own tor process IIRC. I
would have used Go instead of Rust if CGO on Windows and static compilation
didn't suck so much.

------
forgotmypw
They're running a Tor website... that requires JavaScript. smh

>Error! :(

>Your browser is not running Javascript that is required to use the
whistleblowing client.

>It's common believe that Javascript and security don't sound well together,
for this reason we suggest to use the Tor Browser, an extremely tuned FireFox
browser with Tor integrated. Here you can found and download the latest
release of: Tor Browser.

~~~
jerheinze
Note that those who want a JS-free whistleblowing platform should look for
SecureDrop.[1] It's also harder to set up and may not be possible for certain
threat models.

[1] : [https://securedrop.org/directory](https://securedrop.org/directory)

------
ziofill
It's refreshing to notice that in the typical Italian political climate of
general incompetence, there are still people who do a good job.

~~~
fmntf
You are right in the first part (I'm Italian). Regarding people doing a good
job, I don't know if this is the case. I tried to use this service (just to
see how it works), and:

      - "anonymous reports will be considered only in particular cases" (!)
      - you cannot report if you are a private person/company
      - you have no kind of legal counseling / protection
      - other limitations

I'm not sure if it was designed to get actual reports or not.

~~~
jessaustin
How anonymous could it be, if they know whether a reporter is a "private
person/company"?

~~~
fmntf
Look at the form, they ask who you are working for, in which departments,
etc. It is just silly!

~~~
mirgj
Not really, they ask you for other information and only those marked with * are
required.

In fact, only a few pieces of information are required: your job title aka
position (makes sense in case it is a manager reporting an illegal activity
rather than a cleaner who might have a really small amount of information), the
entity involved, and whether you work in that entity or you just had some sort
of relationship.

After all, it makes sense to have a big set of data to investigate. If not, it
would be complicated for anyone to understand what's going on. You're still
reporting it to the anti-corruption authority, so even if you give them more
details you should be confident that they'll treat it carefully.

All the personal data (such as name, last name and so on) are optional. And,
if you choose not to share your personal data, the form will be considered
only if you complied with a level of detail that's enough to do an eventual
investigation (if not, since they can't reach out to you to ask for details,
it would be useless to say "on December 2014 I saw a guy giving 10 euro to
another one in the aisle of the department X in the state company Y. But it was
too dark and I can't tell who they are").

------
newbuser
Anyone able to comment on the state of Tor security and suggest an up to date
OpSec guide to using Tor?

~~~
3pt14159
This opinion is controversial, and I’m not going to go into all of the reasons
why, but unless you REALLY know what you’re doing Tor can’t be trusted.

I’d wager only 1% of people on Hacker News would be capable of using a Tor
setup for more than a day without getting owned.

You’re better off buying a burner iPod or iPad, stick to public wifi spots,
and factory reset it once a week. Even then, watch what you type since
vocabulary is fingerprintable.

It’s very hard to stay dark these days.

~~~
kasey_junk
Is that actually a controversy? I feel like everyone I talk to with any
credible claim to security expertise recommends against it.

So much so that I’d like to see an expert recommend it.

~~~
3pt14159
There is a wide and growing gulf between what cyber experts know and what the
tech savvy public knows. The world is changing so fast right now you almost
need to invent your adversary's tools to be free from them.

If you're talking with large numbers of people that don't trust Tor then it
speaks more to the quality of your friends than it does about the prevalence
of this opinion.

------
Pica_soO
The more one studies the mechanics of corruption, the more one begins to
understand that a similar battle has been waged in biology since the dawn of
time.

The corrupting entity can not replace the corrupted entity, because it does
not have the sufficient structures- and would fall prey to other corrupting
entities almost instantly. It can not grow bigger than the corrupted entity,
due to its being dependent regarding nourishment on the corrupted entity.

All is fair in this little war. Strategies include shedding hard to corrupt
matter (skin, mucus, nails and hair), have tissue with incredible replacement
rates (colon-cells). Fast pace the life cycle of the corrupted entity, and
have not enough nourishment in the offspring to continue the corruption.

Remedies include using of all natural substances (eat leaves to kill the
worms), to behaviour changes (famous the way foxes bathe, with a brush of hair
forming a flea-raft)

Synchronize breeding cycles, to starve parasites and diseases. Destroy
breeding grounds and switch locations, for stationary parasites.

Diversify into different corrupted entity-types to prevent specialized
parasites from target hopping.

I'm aware that this is a dangerous comparison, and thus want to press that I do
not compare humans with vermin. I do compare organizations made up by humans
with organisms and parasites.

This measure is basically encouraging the parasites' infrastructure to turn
upon themselves. There is no reward and there is no protection of the parasite
being damaged. So it will be used mainly by other parasites to battle among
one another (leak information about the neighboring clan)- or to have
parasites on the parasites (aka the lower echelon members of the mafia
removing upper echelons to rise).

~~~
dandare
I would love to read this as a much longer article with links. What did you
mean with the fox?

~~~
Pica_soO
My father is a hunter- he observed foxes, with lots of fleas ripping out hair
and then going slowly into ponds, letting the raft of hair float away with the
fleas on them.

I have to admit I never observed this myself, so for what it's worth it is
currently hearsay.

------
rotrux
It's been unfortunate to watch regulatory bodies across the globe try to
suppress p2p over the last few months by highlighting only its illicit uses.

Kudos to Italy for betting on the horse that will inevitably win.

~~~
chii
Why do you think tor is going to 'inevitably win'? Win at what exactly?

~~~
rotrux
Ahh ok good question I didn't really flesh that out.

>"Why do you think tor is going to 'inevitably win'?"

Not just tor, but p2p in general. Basically the theory is that, as a
species, we're used to few-source/many-sink communications networks.

We've been using them from the printing-press all the way up to DVDs. The
internet & its "many-source" capabilities represents a threat to the prior
(and existing) information-source monopolies...such as any media industries,
national-banks, or governments.

A great way to not completely lose control of information dissemination is to
control the paths information must take.

Two great examples of threatening p2p protocols are Tor and the distributed
bitcoin-ledger. Taken in conjunction with "criminal activity" historically
being the way to demonize most cutting-edge tech when it challenges the
status-quo, and a pattern starts to present itself.

To answer your question: I think our regulators are being reactionary Luddites
& that p2p is sort of the spirit of what's driving this whole internet-
thing...otherwise it would be interactive television.

~~~
chii
I understand your sentiments, but I think the p2p model is never going to
become so mainstream that they take over the equivalent centralised model. The
reason being that "normal" people prefer ease and convenience.

The internet is practically already interactive television! Very few people
create and host, compared to the number of consumers.

~~~
diggan
> The reason being that "normal" people prefer ease and convenience

You're assuming we can't build a p2p network that is faster and better than
the centralized ones we have today. People will eventually choose p2p because
it brings them more ease and convenience.

------
ecesena
Onion link to the service:
[http://bsxsptv76s6cjht7.onion/](http://bsxsptv76s6cjht7.onion/)

(source linked in the article, but in Italian:
[http://www.anticorruzione.it/portal/public/classic/Servizi/S...](http://www.anticorruzione.it/portal/public/classic/Servizi/ServiziOnline/SegnalazioneWhistleblowing))

~~~
mtgx
Looks like they aren't taking advantage of the latest version of the onion
services. A shame.

[https://blog.torproject.org/tors-fall-harvest-next-generation-onion-services](https://blog.torproject.org/tors-fall-harvest-next-generation-onion-services)

~~~
jerheinze
> Looks like they aren't taking advantage of the latest version of the onion
> services. A shame.

Because they're still not production ready. The code for v3 onion services
still needs to mature, and when it does, it will become the default.

------
cm2187
Stupid question: there are so many public places that provide free wifi
without authentication. If you go into one of these places and it is populated
enough, and you have MAC randomization on, no smartphone on you, isn’t it good
enough? Surely there are CCTV. But if you connect from a changing room or
toilets of a busy mall, I don’t see how anyone could trace the connection.

~~~
letsgetphysITal
[https://panopticlick.eff.org/](https://panopticlick.eff.org/)

See how unique you are. Spoiler; You are unique unless you are paranoid.
Really, really paranoid.

~~~
cm2187
Unique doesn't mean identified (and if you disable javascript browser
fingerprinting doesn't really work). In any case Tor doesn't help with that
either.

------
singularity2001
Too bad onions was compromised by the NSA. That makes speaking up against the
Bad Guys a bit more dangerous.

Admittedly there is a high chance that the Italian high brass has NO finger on
the American high brass, however as long as there is no certainty it's a
safety risk.

~~~
jstanley
Even if you believe the NSA have some practical attacks against Tor, are you
not still better off using Tor than not using it?

~~~
singularity2001
What happened to my brain? I just bought the idea that the surveillance state
is overall more effective in suppressing criminality.

~~~
mar77i
It's simple. Hand over the monopoly on information to your surveillance state
and you don't get to know when it still doesn't work.

If thinking the govt is broken is treason, you can't fix it any more, but not
because it's perfect.

