

Some thoughts on hidden services - sinak
https://blog.torproject.org/blog/some-thoughts-hidden-services/

======
AlyssaRowan
From what I gather, there are 25-30ish or so child abuse sites on .onions; law
enforcement knows about all of them; and law enforcement bots probably make up
the vast bulk of their traffic.

My take is that the very unusual spike is probably law enforcement bots
(Internet Watch Foundation, et al) regularly spidering the sites - if they
restarted Tor each time, to try to make it harder for the sites to block the
spider, as I believe they probably do, then they would cause a brand new HSDir
lookup each time, which would skew Dr Owen's stats considerably compared to
even high-traffic hidden services used by regular users - as we see reflected
in the data. Dr Owen also thinks (from his 31c3 talk) that this is indeed a
plausible explanation, although of course there is insufficient data to test
this hypothesis (and nor is there any reasonable way of getting it).

Oh, and by the way, it is not only impractical for Tor to do anything about
child abuse - it is not _for_ Tor to do anything about this. Tor is a
censorship-resistant, privacy-preserving computer network, by design. Please
do not disrespect the value of liberty by asking anyone to find a way to
censor it. If it _can_ be censored for _any_ reason, then it is _vulnerable_
to being censored for _every_ reason, and that vulnerability would need to be
fixed. There is no fairy dust that can change that, and Tor is far too
important for that - the devs know that well. Indeed, the anonymity that Tor
provides can be (and is regularly) used by law enforcement to _infiltrate_ the
few online child abuse networks. (You'd probably see more on Hotmail, Yahoo
and Facebook than on Tor.)

The big problem of child abuse is not at all new, and it is _not_ an internet
problem. You're not even scratching the surface by saying it's a problem of
poorly-resourced childrens' services; lack of appropriate treatment of the
most at-risk people; of vulnerable young people being failed by the people and
services they trust to protect them most; and of vicious organised crime
exploiting the most innocent and the most guilty alike. It is complex, and
multifaceted - and though it might make headlines to do so, absolutely no part
of it can be solved by just blaming a convenient scapegoat like "the dark web"
and fucking up the internet in revenge. That just makes everything worse. If
you want to take action there, maybe donate to Sure Start or something
instead, that might actually do some good.

------
batemanesque
sickening, if unsurprising, that their only recommendation is to improve the
public profile of hidden services rather than make any actual attempt to
address abuse. would be nice to see them adopt something other than the
Reddit-naïf position on the misuse of "free speech"/cryptography

~~~
qnr
I wonder if it is possible to implement blacklists so that each relay operator
may exclude their node from serving requests for hidden services they don't
approve of.

E.g. a law abiding tor relay operator in Mauritania may decide to block the
infamous underground apostasy discussion forum. It still remains accessible
via other routes but the Mauritanian relay is now not involved with serving
the site in any way.

~~~
mike_hearn
It is possible and I suggested they do just that, some months ago. It won't
surprise you to learn that this suggestion went down like a lead balloon, with
lots of people assuming I must be an NSA agent, evil, etc. They consider the
possibility for nodes to control which HS's they support to be a vulnerability
and want to close it.

Tor has exit policies, which are somewhat similar ... exits can choose not to
handle certain kinds of traffic (or _only_ handle certain kinds). However they
also seem to believe that exit policies shouldn't exist and only do, because
of "unreasonable" ISPs that care about abuse.

The people in the Tor community seem oblivious to the political risk they're
taking on with the hidden service feature. They keep claiming that dissidents
etc use hidden services in the abstract, but all the real world examples
people are actually familiar with are the worst kinds of abuse. Recently they
announced they'd received a tipoff that directory authorities might be seized.
Nothing seems to have happened yet, but the apparent credibility of this
threat should have set alarm bells ringing at Tor HQ. Given that HS' represent
a tiny fraction of overall Tor traffic, there are virtually no legit hidden
services and all the really horrible abuse Tor is famous for relies on it,
they should consider just dumping hidden services entirely. Otherwise they're
putting everything at risk for a minority feature few users really care about.

~~~
newaccountfool
> there are virtually no legit hidden services

Sorry what? No wonder you got shot down with your TOR suggestion you appear to
know nothing about it.

~~~
dogma1138
There are legit hidden services indeed, but there a question if the legit ones
actually need the protection TOR provides...

The sad truth currently is that the people who use TOR the most are the people
who either do not need it's protection or do not deserve it.

As much as we like to play the victim card especially in light of the NSA
scandals the truth is that people in free countries don't really get into
trouble for doing shit over the internet even when it's illegal (to some
extent).

And no i don't count the FBI knocking on your door if you post on facebook
that you are going to kill Obama, or the police arresting that dutch teenage
retard that tweeted she put bombs on 3 flights and told TWA(?) to figure out
which a violation of privacy or civil liberties, those people deserved what
they got.

On the other hand if you live in a country where legitimate activities taken
over the internet can land you in jail or worse then even being suspected of
using TOR will get you in trouble.

Even with all the improvements on masking TOR traffic it is still fairly
easily identifiable, heck every entry level internet filtering appliance can
block TOR these days with very high degree of accuracy even when the user
doesn't use public access nodes.

So TOR doesn't and it's current state cannot provide protection to anyone
living under a regime that does massive deep packet inspection of internet
traffic(and yes i know the US technically qualifies for that too, but they are
still not N. Korea, Iran, China, or Saudi Arabia).

The 2nd problem that TOR has is the fact that early adopters of such
technologies tend to be criminals, the same was true with early P2P networks.
Heck I still remember trying to download Shrek of Kazaa or eDonkey and getting
a ton of pedo pictures instead, and that was very common in the early
2000's...

But this was true to everything from cellphones which back in the 90's meant
you were either a business douche or a drug dealer, disk and phone encryption,
and offshore bank accounts.

P.S. Currently i actually have less trust in hidden services than i do in
normal secure websites, after Facebook brute forced their address
([https://facebookcorewwwi.onion/](https://facebookcorewwwi.onion/)) and
according to them with relative ease. And since anyone holding the private key
for the hidden service can update the directories and route all new traffic to
them i think it's not farfetched that a sufficiently funded agency or an
individual can do the same. So while i still consider onion routing to be
relatively safe form ease dropping, i consider all hidden services of
sufficient importance to be compromised.

~~~
newaccountfool
Facebook only managed to bruteforce the first 40bits of their .onion domain
name. They stated themselves that it would be almost impossible to bruteforce
the whole address.

