
A Tor of the Dark Web - slifty
http://slifty.com/2012/08/a-tor-of-the-dark-web
======
runn1ng
Yes, I know I shouldn't say it out loud, but here I am saying it (take me,
Police) - out of curiosity, I went to Hard Candy section of The Hidden Wiki.
(Yes, it is _exactly_ what you would think it is.)

GOD.

There are seriously forums full of pedofiles sharing pictures and - maybe
worse? - their stories and wisdoms. Maybe out of utter fascination, I spend
about few hours on there and I felt like I want to murder all humanity. On one
of these forums, there was this alleged "doctor", who adviced people, from
what age you can have sex with your children without their doctor to notice.
Tips how to kidnap young children. The worst thing was that I just knew that -
if they don't do something stupid - they are basically untracable and
uncatchable, while I would simply want to catch them all and kill them one by
one. (I am sorry for being so expressive.)

There were also some picture forums but really I couldn't stand that, I just
wanted to vomit while I was shaking.

I... am not sure why I am writing this. I am all for Tor. But we have to admit
- when everything is allowed and anonymous, _EVERYTHING_ is allowed and
anonymous. And the dark parts of humanity flow on top. Drug markets, weapon
markets, assasin markets (altough I don't know how sersiously to take those),
terrorist websites, child porn websites.

But - as hard it is for me to say it - to see that the seriously f...d up
child molesters are freely allowed to say really anything there and noone has
a chance to catch them just shows that Tor is _really_ anonymous and safe.

edit: I do not know if The Hidden Wiki is still operating, if the dark places
I visited are still operating, it is about one year and I did not feel any
urge to revisit it again.

~~~
jchrisa
I didn't click through the links described (or even have time to install Tor),
but it occurs to me that one may be able to find these guys via statistical
analysis of writing style.

Spider the web and then correlate less-anonymous writings with the stuff the
ringleaders are saying on the Darknet.

~~~
pvarangot
A while ago Anonymous hacked one of those forums and published the usernames
and hashes. Apparently a lot of them where using the same usernames and
passwords in another porn-related forums in the "lit" web.

Don't know if it resulted in someone being caught by the police or not, but
definitely subtler methods such as statistical analysis of writing style are
not the only way to get a lead from those forums.

~~~
DanBC
So, Tor is only as good as the person using it.

I urge caution against amateur investigations, but it'd be interesting to see
what software tools could be written to help law enforcement do a better job.

Statistical analysis of text

"social web"

etc.

~~~
marvin
Just be careful, if you get too god at this it might be used for things you
don't agree with. This is an area that I would steer completely clear of, the
same way I'd never help develop chemical or biological weapons.

~~~
DanBC
An excellent stance.

You'd have missed out on the opportunity to work with Feynman if you'd
declined work at the Manhattan Project.

~~~
marvin
Are you saying that working with a very skilled person is worth sacrificing
your ethical integrity? I would not hesitate for a second to deny working on
things I consider against my personal beliefs even if there was both money and
fame at stake.

To use the good old reductio ad absurdum, would you be willing to kill a
random stranger if it meant you would get to work with Albert Einstein?

------
klearvue
A word of advice for those living under truly oppressive governments - do not
connect to Tor directly (nor to a Tor bridge, to be on the safe side). Get a
cheap VPS/EC2 abroad and use SSH tunnel to connect to that and from then
onwards - to a Tor bridge. The reason is that, if connecting to Tor directly,
security services will be able to figure out you are using Tor (although not
what you are using it for) and may take an interest.

~~~
tuxcanfly
By the same logic, won't they be able to detect SSH tunneled traffic too?

~~~
noonespecial
My advice would be to spin up a free EC2 instance, put a small "dog fancy"
type blog/website up with a few articles about poodles, and then use something
like openVPN to tunnel your traffic via tcp, port 443 through this.

It looks like you're just doing your wordpress thing, fancying your dogs. Just
watch how much data you tunnel this way. 500 gig in a month might raise some
eyebrows.

Also remember to use your regular un-vpn'd connection to visit
ILoveAhmadinejad.com on a fairly regular basis so not _all_ your traffic goes
to this mysterious blog.

~~~
klearvue
If using OpenVPN, there is one precaution one must take - make sure your
firewall prevents traffic escaping when your VPN connection fails. Shorewall
lets you set up such an arrangement fairly easily. Many US poker players have
been burnt this way when using overseas VPN services to play poker as
operators are able to catch their real location during brief moments of VPN
failure.

With SSH tunnel, if your connection fails, no traffic will escape regardless.

------
TazeTSchnitzel
Ooh, the Tor darknet. I went there recently out of curiosity. You can get used
to doing everything over Tor quite quickly, if you use it for everything you
don't really notice the latency.

Yes, Tor has CP, but I didn't look for it so I didn't find it. Same with all
manner of other illegal content, pretty sure it's there.

I2P and Freenet are more interesting than Tor, though, because they are truly
P2P. Freenet is basically a distributed hash table (DHT) for HTML, CSS, image,
and other files. It filters scripts and cross-origin requests out of HTML
before serving them. I2P is like Tor, but everyone's a relay node (truly P2P,
no central origin), and it's faster, but I haven't tried I2P. I have been on
Freenet... it's slower than Tor!

~~~
corin_
> _Yes, Tor has CP, but I didn't look for it so I didn't find it. Same with
> all manner of other illegal content, pretty sure it's there._

My assumption is that the open web has it too - but given tor isn't a single
place with a directory to everywhere, I don't see how you could stumble on it
accidentally at all.

~~~
TazeTSchnitzel
Well, since Tor's anonymous, (secure enough) directories with legitimate sites
also have illegitimate sites.

Also, yes, I think the open web probably has CP too, but Tor's anonymity means
that CP is probably up for longer there, I suppose.

I've never visited any such sites, this is mostly speculation.

------
tptacek
Tor was not "designed by the Navy" to protect dignitaries in cars or ships or
whatever it is this article is alluding to. It was an academic research
project for the NRL's CHACS group (NRL : CHACS :: MIT : Lincoln Lab).

If you look at the project's publication history, it was almost from the jump
(and continues to be today) a project intended to frustrate online censorship.
The DOD, via both DARPA and the NRL, continues to sponsor the project.

~~~
dsirijus
He mentioned that IDEA, not the implementation nor Tor were invented by the
Navy.

I have no sources on either, but it does seem plausible that solution similar
or exactly the same in the concept was used for communication during warfare.

~~~
tptacek
Tor exists at least in part because the US DOD decided that investing money in
countering online censorship was a worthy use of military funding. This seems
like an important point; it is not made effectively by the article.

------
telecuda
I wish there were a simple way to communicate how large and widespread CP is,
and how much law enforcement could use your smarts to go after these guys.

There are more households sharing CP in your community than there are bus
stops. (We can roughly map IPs of known CP files advertised over torrent
networks.)

There are too few innovators in this space because specifics on CP networks
are privy to law enforcement, and investigators are often patrol cops who get
promoted into a child crimes unit.

It's fine (and true) to say these technologies are used for many more things
than CP, but that's not an excuse to turn a blind eye to it, anymore than
Craigslist does to child exploitation.

~~~
Wohlf
> _There are more households sharing CP in your community than there are bus
> stops._

Sorry if I'm wrong, but I find that hard to believe. Any amount of CP is a
problem IMO, but I don't think it's that bad. In my metropolitan area there's
around 1,671,683 people, and I'd be surprised to learn there's 1000 honest-to-
god pedos.

~~~
telecuda
I live in a metropolitan area of around 500,000 and there are close to 200
markers indicating an IP address that's advertising CP availability.

We have methods of rating each marker (e.g. how many CP files, how many are
teen, child, nudity vs. intercourse, etc). Of those 200, there are a handful
of the worst offenders that law enforcement will use resources to pursue, a
group in the middle that have downloaded a large number where victims are
12-18, and then those who have just a few random files from the known list.

Does that help?

~~~
jmaygarden
How do you avoid prosecution? Being in possession of child pornography is a
crime. If you personally identified these torrents, then you are essentially
confessing.

There is an interesting story in "Three Felonies a Day" where an employer
discovers child pornography on an employee's computer. They contact their
attorney, and the lawyer deletes the offending contact to protect the company.
He then alerts authorities to the employee. The attorney is eventual
prosecuted for evidence tampering. It's an absurd Catch 22.

~~~
telecuda
After re-reading: you avoid prosecution by not being a large enough offender,
or by offending in a jurisdiction where law enforcement is not trained to
catch you. Not all that different than avoiding prosecution as a recreational
drug user when the cops are too busy going after bigger fish.

There's a lot of time and resources spent in between the time of identifying
that an IP address is broadcasting CP to having all the information you need
to bust down the right door and lock up the guy for a long time.

~~~
telecuda
Taking your example of image analysis, companies in this space will build
applications that - for instance - identify which images of the 10,000 on a
bandit's computer are all the same kid. The software company would use sample
images of clothed kids to demonstrate how it works, then only law enforcement
would input confiscated CP images to do the analysis.

------
Revisor
Tor is meant for dissidents and the oppressed, that's all fine and cool. But
for me as a business community admin Tor always, always means trouble. Either
the user using it is a scammer, a fraud or in the best case only a troll.

~~~
AceJohnny2
Unfortunately for every good user (dissident, whistleblower ,etc) you'll have
100 disgusting users. (it'd be interesting the know the ratio, but by Tor's
very nature you can't!)

The promoters rationale is that the protection it provides the endangered good
user is worth having to put up with the disgusting ones.

------
jorgem
The things I always wonder about TOR: Won't I look like someone else's
computer? Is it possible for me to get in trouble for because someone else's
traffic exits from my home network?

~~~
corin_
You can chose whether or not to be an exit node, so nobody else's traffic will
exit through your connection if you don't want it to.

If you do enable it, my presumption is that by demonstrating that you have tor
running you can show that traffic from your connection is as likely to not be
you as to be you - but I'm not sure if this is backed up by law, or has been
tested in court.

~~~
gizmo686
It has not been tested in court yet, however the theory is that safe harbor
laws apply.

~~~
dmix
Safe harbor laws?

~~~
gizmo686
They are a part of the DMCA that protects internet service providers who
transfer illegal data with an automatic protocol. I think the intended case
was to protect ISP so they would not need to police their network.

------
columbo
FYI this is all I get running chromium in linux:
<http://i.imgur.com/7FUlr.png>

~~~
justincormack
Same with Chrome on Android after a flash of the content...

~~~
slifty
Yep -- apologies for that. I found the offending plugin and killed it dead.

------
taixzo
I can't tell from this article whether the author is for or against Tor.

~~~
slifty
Achievement Unlocked: JOURNALISM

------
slifty
I'd like some more good Tor jokes, by the way...

------
derrida
People that argue that Tor enables crime do not realise that Tor also enables
law enforcement (LE). Anonymity has been a tactic of LE from the beginning.
Undercover LE use anonymous looking clothes to blend in with civilians to
monitor criminals, police fighting drug cartels in Mexico wear masks to
protect themselves and their families, informants require anonymity in order
to assist LE with information. But there aren't sites in the onion exchanging
this sort of information, you don't see it, which is the way it is designed to
be.

------
muyuu
I hate it how all discussion about anonymity and privacy ends up in CP.

------
runjake
> They can’t decrypt messages but they are able to track where everything
> comes from and where it is going. They can’t tell what you’re saying, but
> they have all they need.

He's talking about SSL here, right? For the record, this is completely
incorrect. If _"they"_ have access to a trusted CA (and circumstantial
evidence says they do), they can MITM and snoop on whatever they want.

SSL encryption is not secure against state-sponsored attackers and
sophisticated criminal enterprises.

~~~
rmc
If you are serious about encryption, you can use SSL without the Certification
Authority system. Just self sign your own certs and only trust them.

~~~
runjake
And when you eliminate all of the default cert stores, then important things
on the standard OSes most people use like Mac OS X and Windows will break,
such as online banking, webmail, and security updates.

------
dumbluck
Places where illegal content is shared and people communicate for nefarious
reasons and tools that create these places are just magnets for those wishing
to find such people.

Anyone that chooses to take part in such things is at a heightened risk, no
matter what they are doing.

There is no guaranteed right to privacy, regardless what your government
decrees or what the tool you're using claims to do.

Those using Tor will be caught and charged as if they are enabling what the
others are doing.

Be warned.

~~~
nacker
So, according to you, we have no right to privacy, and we will be "caught and
charged" regardless of justice or the facts.

This sounds very much like a warning from Big Brother.

Be warned, Biggie, when the revolution comes, you just might find yourself
with an appointment with the guillotine.

~~~
dumbluck
No, this is a warning for people that think they can work in a public space
and be private. Privacy is a struggle, not a right. If you use a tool and
expect it to keep your privacy, you should not be surprised when it doesn't
work.

As for the guillotine, if big brother (which isn't me, I might add) goes on
the chopping block, there is always another to take his place. The more people
fight for privacy and the more people hack and cause damage, the greater big
brother becomes to compensate. It was said that the meek will inherit the
earth, and it is true.

~~~
nacker
"Privacy is a struggle, not a right."

You are wrong:

"Privacy is a fundamental human right recognized in the UN Declaration of
Human Rights, the International Convenant on Civil and Political Rights and in
many other international and regional treaties. Privacy underpins human
dignity and other key values such as freedom of association and freedom of
speech. It has become one of the most important human rights issues of the
modern age. The publication of this report reflects the growing importance,
diversity and complexity of this fundamental right. "
<http://gilc.org/privacy/survey/intro.html>

You call it meekness, I call it cowardice.

~~~
dumbluck
Are you going to tell these guys to stop taking pictures of my property,
then?: <https://maps.google.com/>

------
molo
A couple questions.

1\. Are users of .onion services protected from the server just as well as the
hidden service is protected?

2\. What reassurances are there that tormail is not a honeypot?

~~~
mcantelon
>1\. Are users of .onion services protected from the server just as well as
the hidden service is protected?

An .onion server, AFAIK, might have the IP of the end point your traffic ended
up going through to reach the .onion server, but not of the point of origin.

The vulnerability with Tor, as a user, comes from folks operating the Tor
nodes. Adrian Lamo, the guy that sold out Bradley Manning, was running Tor
nodes at one points (that's not how he got wind of Manning, but my guess is he
wasn't running the Tor nodes for altruistic reasons).

~~~
ZoFreX
> An .onion server, AFAIK, might have the IP of the end point your traffic
> ended up going through to reach the .onion server, but not of the point of
> origin.

Correct. All any tor node gets with any traffic is the immediate node that it
came from, and the immediate node that it is going to - only one hop in each
direction.

If you get a packet from node C, to give to node E, that packet will be
encrypted so that only E can decrypt it. They then "unwrap it" (like pass the
parcel, or an onion) to reveal its next destination, F - and this unwrapped
one is encrypted so that only F can read it.

(note: precise technical details almost certainly incorrect, but the principle
is accurate)

------
eliben
Can you point to a good technical description of how Tor works under the hood?

~~~
drostie
If you are requesting a very high-level description:
<https://www.torproject.org/about/overview.html.en> . Basically you send an
"envelope within an envelope within an envelope" over TLS (formerly SSL) to
some node, they open it, read the address on the envelope inside, and send it
on, until it gets to the last letter-opener who happens to also be the sort of
node which follows instructions on a sheet of paper. Those instructions may be
an HTTP request for example, or you might ask them to communicate part of a
TLS negotiation with a secure web site, so that they cannot eavesdrop. The
envelopes themselves are encryption containers, so that you can't open the
envelopes en route to see where they're going.

If you want to understand more details about how exactly you create these
"extending" routes and "circuits", the design docs are here:

[https://www.torproject.org/docs/documentation.html.en#Design...](https://www.torproject.org/docs/documentation.html.en#DesignDoc)

In particular, the above picture is a little naive because you cannot send
three open envelopes to the exit node for the return trip without the exit
node learning who you are by peeking inside.

------
co-n-sci-o-us
Tor is the solution to getting hellbanned at HN.

That is "censorship", no?

Tor is also the solution to your Twitter API woes. Like it or not. I'm sure
many SEO people use it to get around Google's restrictions. These are not
necessarily uses that infringe anyone's IP. Twitter is UGC. And Google caches
the entire web, indiscriminantly.

Tor, like the 'net itself, is controversial. It can be used for bad things. It
can also be used for good things. It could be used to break criminal laws, or
to enable copyright infringment. It could be used to violate TOS that may or
may not be enforceable in civil court. Or it could be used just to evade
idiosyncratic censorship by some webmaster that has no legal basis whatsoever.
(This comment itself is being posted through Tor.) It is, however, any way you
look at it, useful.

There may be an "intended purpose" for Tor. But as with almost all software,
that means little. Users decide how they will use it. And that is
unpredictable.

Did the folks at MIT, when they developed Tor, say to themselves, "You know,
this will be used to commit crime"? Probably. But they also probably
envisioned some other uses that were of undisputed benefit to society.

As someone else said, MIT is still behind Tor. Grep the source for the Tor
client for IP numbers. You will find that some belong to MIT. My understanding
is that Tor is controlled by a small group (maybe only one person) because
like anything else that uses a network, there has to be a bootstrap, a "root"
that hands out the initial addresses. And anyone that uses the Tor trusts that
root. Somewhere there is/are a few people with a great responsibility on their
hands: they make Tor possible, for better, or worse.

More people need to use Tor for non-criminal purposes. Using Tor as a
workaround for censorship, whether it is on HN, or in some oppressed country
is to be expected. If you are the censor, and you don't like it, ban Tor. It
is not difficult. HN does not ban Tor.

One of the great myths on the 'net is that an IP address equates to a machine
or a customer account. False. It represents an interface, which is itself an
ephemeral concept. Interfaces can be created, cloned or destroyed at the blink
of an eye.

This may all be frightening or it may be exciting, it all depends on how you
look at it. It shouldn't matter whether you are a good samaritan or a
criminal. It is just technology. Abstract tools. A hammer can be used to build
something or it can be used to destroy something. It has no moral sensibility
on its own.

That's up to you, the user.

As a Tor user (I can't post to HN without it), it bothers me that others are
using it for criminal purposes. But when I look at hammer, I see a tool for
creation, not destruction. I think like a carpenter. What can we build?

The hammer has no consciousness of its own, any more than Tor does.

~~~
drKarl
Just curiosity... why is it that you can't post to HN without Tor?

~~~
angli
My assumption would be that he's hellbanned

------
nacker
Tor is good, but totalitarianism is galloping to control the internet. They
HATE the freedom we have come to take for granted, and they are surely
encouraged by how easily the sheep are persuaded to acquiesce whenever they
point at the familiar boogey men: paedophiles, terrorists, drug dealers, etc.

I am quite optimistic though about the development of mesh networks such as
<http://project-byzantium.org>

Of course it will only take one state to declare it illegal, and there will be
plenty of cowardly fools urging each other NEVER to use it, because it's just
too DANGEROUS, and anyway, TERRORISTS find it useful for pursuing their
nefarious and immoral activities.

I will keep on ignoring them.

------
raikia
wow

