
Tor Wars: The Signal Awakens - vishnuks
http://techcrunch.com/2015/11/08/tor-wars/?sr_share=facebook
======
mark_l_watson
An important point the article makes is how important it is for a large number
of people to use Tor, even if only occasionally. I try to use Tor at least
once or twice a week for general web browsing. I also donated money to them.

It is really important for people to also support groups like the EFF and ACLU
financially: a good investment in future freedom. History shows that large
empires tend to get tough on their citizens as the empires wane. We live in an
era right now where the current large empire is waning.

~~~
tete
I actually switched to using Tor whenever I go on wild hunts about stuff that
I find interesting. Basically that means whenever I visit Wikipedia, because I
can waste hours there, going over the weirdest topics.

Usually I get drawn in by stuff like history and end up on things like Soviet
Union, Nazi Germany, Japan in WW2, etc. or stuff like Ku Klux Klan, the
"Islamic State". If there is some surveillance system it will probably be
thinking I am into each and every kind of extremism. And since extreme groups
like the Nazis have the wildest conspiracy theories that also is something I
don't want to be identified with.

Using Tor by using the Tor Browser is actually pretty nice and pretty fast,
both to set up and when browsing. Years ago Tor used to be rather slow. That
totally changed.

There are a few annoyances though.

Some websites seem to have weird rules such as "block Tor completely". Come
on, your website can still be exploited. You will not really stop anyone that
way.

Then there is the problem of websites usually requiring JavaScript for
everything. The latter is weird, cause it's like people use "front end
frameworks" for stuff where it doesn't really make sense and even slows down
the page a lot. I am not saying JavaScript is evil, but I think people overuse
it these days. Of course you might decide to enable JavaScript and unless
you set the Tor Browser to highest security at least HTTPS sites will deliver
and execute JavaScript.

Another major annoyance is CloudFlare. They require you to enter a CAPTCHA
(which for some time didn't work), when accessing a website via Tor. The only
way to disable it is for the website owner to completely disable security. I
mean I get that they probably want to prevent some script kiddies from
"hacking" unpatched WordPress or so, but maybe this can be enhanced. Cause
like I said above. The approach of filtering certain IPs isn't really
enhancing actual security and nobody is going to DDOS you via Tor. ;)

~~~
thefreeman
> nobody is going to DDOS you via Tor

Uhh, yes they will... and that is pretty much the exact reason for the
captcha.

~~~
tete
It's rather hard and inefficient to do that over Tor.

It's actually way easier to just use your regular botnet or pretty much every
other approach.[1]

And then it's rather simple to prevent this with your ordinary approach. There
are currently around 1000 exit nodes[2]. Compared to most DDOS attacks that is
a really small number of nodes. For various reasons (measures that are mostly
there to make sure Tor can be used for regular browsing in a usable manner,
even when there are people that want to download lots of large files) you will
run into limitations rather quickly.

[1] [https://www.torproject.org/docs/faq-abuse.html.en#DDoS](https://www.torproject.org/docs/faq-abuse.html.en#DDoS)

[2] [https://metrics.torproject.org/relayflags.html?graph=relayfl...](https://metrics.torproject.org/relayflags.html?graph=relayflags&start=2015-08-10&end=2015-11-08&flag=Exit)

------
hackuser
I don't agree with this statement from the article:

 _This, and Tor’s history of US government sponsorship, has led to series of
really embarrassing conspiracy theories from the likes of PandoDaily. This is
why non-technical journalists should not write about technical subjects. If
you’re going to suggest that open-source software has dark ulterior
vulnerabilities,_ you need to point at exactly where they are in the code (or
deployment process), _or you will quite rightly be laughed out of the room.
Funding and relationships are not unimportant — and I’m sure Pando will now
write me off as part of the shadowy conspiracy, as Tor developer Jacob
Appelbaum is an old friend — but it’s the running code that actually matters.
Sadly, non-engineers don’t seem to understand this, or how laughably
ridiculous they look as a result._

The author, Jon Evans, seems to imply this is a widely accepted standard,
which is not my experience. It also doesn't seem realistic: While it's great
that open source software's source code is available, it's not possible to
review it all much less to catch subtle exploits that might have been
introduced by security agencies - we can't even catch many unintentional
exploits. Also, we know from leaks that security agencies have tried and have
succeeded at times. Realistically it comes down to trust.

Think of it this way: How many HN readers, a sophisticated population, have
reviewed Tor's code? How many feel they have no choice but to choose either to
trust them or not? Also, how many open source projects have had security
audits performed by anyone?

~~~
ikeboy
Friendly reminder that SELinux was developed by the NSA, and is now part of
Linux. So clearly the open source community doesn't care _too_ much about who
created a piece of code.

Case study 2: bitcoin.

~~~
grubles
Case study 1: the US Department of Defense created ARPANET, the first network
to implement TCP/IP.

~~~
ikeboy
I think for that, in particular, there's a very strong argument to be made
that any backdoors would have been discovered by now.

