
Thoughts and Concerns about Operation Onymous - ehPReth
https://blog.torproject.org/blog/thoughts-and-concerns-about-operation-onymous
======
hackuser
Based on the following it seems very unwise to expect Tor hidden services to
be secure against any determined attacker; I'd expect attacks to be well-known
(among attackers). It's also sad to learn how little help this critical FOSS
project receives (and I haven't been helping them either).

> _it's important to note that Tor currently doesn't have funding for
> improving the security of hidden services._

and

> _In a way, it's even surprising that hidden services have survived so far.
> The attention they have received is minimal compared to their social value
> and compared to the size and determination of their adversaries._

Which links to a 2013 article[1] which says,

> _Hidden Services are in a peculiar situation. While they see a loyal fan-
> base, there are no dedicated Tor developers to take care of them._

[1] https://blog.torproject.org/blog/hidden-services-need-some-love

EDIT: add a little clarity and 'add' succinctness

------
yc1010
If I were a dissident in an oppressed country (sigh, the way things are going we
in the west aren't that far behind authoritarian regimes such as China, Iran
and Russia) I would be very very worried now as the same method could be used
or "discovered" by entities who are more interested in suppressing dissent
than this silly war on drugs waged by western countries.

~~~
maxerickson
If the regime is cranky enough, I think just using Tor would catch their
interest.

(I'm assuming they would just have ISPs monitoring traffic or whatever)

~~~
simonh
Exactly, if Tor being insecure and therefore your traffic getting you in
trouble is your primary worry that's actually a first world problem. Even using
Tor at all is easily sufficient for any truly authoritarian regime to come
down hard on you regardless of what your traffic contains.

> we in the west aren't that far behind authoritarian regimes such as China,
> Iran and Russia

In terms of the surveillance capabilities of the state, you're probably right.
But e.g. China censors perhaps hundreds of thousands of messages a day and
blocks access to vast swathes of the web. It actively uses online surveillance
to crack down on activists and civil society groups on a routine basis. I
don't like governmental overreach in surveillance and I think their systematic
weakening of civilian security and privacy are massively counter-productive.
There are also too many cases of police abuse in many western countries. But
that's not the same as running a systematic, actively authoritarian police
state.

------
jpalomaki
"The task of hiding the location of low-latency web services is a very hard
problem and we still don't know how to do it correctly"

Maybe it would be better to re-think the applications? Instead of traditional
web apps that require low-latency connection to be usable, maybe build fat
client web apps where the information is synched from the server to local
datastore and accessed from there.

These apps could live in the tor-browser just like we have Chrome apps. Maybe
the tor-browser could expose a special JavaScript API that would provide a
high-latency, anonymity protecting message passing mechanism between client and
servers.

------
butwhy
If they want to get a crowdsource campaign going, better to do it ASAP so they
can cash in on the general public's feeling about the shutdown and arrests
(and before everyone forgets). Similar to how the heartbleed bug caused a
major donation drive to the ssl project shortly after it happened.

------
contingencies
Mixed feelings here. It seems fairly clear from the material released thus far
that opsec failures have been a major enabling component in recent regulatory
ingress. Therefore, this is a fairly poor article in that it encourages a
chilling effect and general panic. However, it's also a good article in that
it encourages people to focus on sponsoring or improving the security of
hidden services as a Tor project design goal. It stops short of pointing out
where to send money, though.

(Update: read https://news.ycombinator.com/item?id=8579944
for an informed-sounding, better take on tech background.)

------
lsiebert
You'd think that people running hidden services that are commercial and
illegal in nature might push some money to the TOR project for these purposes.

