Hacker News new | past | comments | ask | show | jobs | submit login
Russian FOSS activist arrested in Russia for his Tor exit-node
305 points by choojoy on April 12, 2017 | hide | past | favorite | 111 comments
Dmitry Bogatov was arrested on the 6th of April: he became part of the big penal case initiated by Russia’s Investigation Committee on "incitations to mass riots" during the protest action that took place on the 2nd of April in Moscow. According to the Investigation Committee, Bogatov was publishing messages on the forum sysadmin.ru, inciting to violent actions, for example, "he" was suggesting to bring to the Red Square "bottles, fabric, gasoline, turpentine, foam plastic". According to the Investigation, the experts had analyzed the text of these messages and proved a "linguistic and psychological characteristics of incitations to terrorism". However, Dmitry claims that he has nothing to do with posting the incendiary messages.

Dmitry Bogatov, 25 years old, teaches maths in MFUA (Moscow Finance and Law University) was a free and open source software activist (https://sinsekvu.github.io/pages/about.html). Dmitry was administrating a Tor exit node (https://atlas.torproject.org/#details/2402CD5A0D848D1DCA61EB708CC1FBD4364AB8AE) from his house. In fact, the author of "incendiary messages" (called "Airat Bashirov") was using Tor, and, by lack of chance, he used the ip adress of Dmitry's exit node.

Dmitry's lawyer, Alexei Teptsov, presented videos from surveillance cameras, that proved that, during the moments when the "incendiary messages" were posted, Dmitry was away from his computer. He was coming back from a fitness center with his wife, Tatiana, a genetician, and then went to a supermarket, where cameras were also working. Moreover, "Airat Bashirov", the author of the provocative messages, continues to post on sysadmin.ru, while Dmitry is under arrest. The last post was seen on the forum on April 11.

Dmitry will stay in pre-trial detention center until June 8 at least. Now the Investigation is examining all his seized devices.

Not to excuse the behavior here, but anyone else who would like to run a Tor exit node can learn from this situation. Follow the best practices[0] for running an exit node, which would include not running it from your home.

You are much less likely to be raided and arrested if a cloud server in a datacenter somewhere, leased by an anonymous LLC you control, is the subject of an investigation.

[0] https://blog.torproject.org/blog/tips-running-exit-node

If you actually think you run a high risk of being raided for your behaviour, is it ethical to put some poor saps running your data center in that position instead of you?

Admittedly, I guess data centers run this risk automatically by the fact of providing data storage/transfer services.

I am involved in a non-profit that operates Tor exit nodes for a while ( https://nos-oignons.net ), and before then I was running exit nodes on my own.

The main benefit of setting up a non-profit is not shifting the risk to “the poor saps in the data center”: the police isn't going to kick down the door of the datacenter any more than they would raid your ISP.

The main benefit is that you get listed as abuse contact, and you get contacted the same way an ISP gets contacted: you get a somewhat-polite email (or a fax <3) asking who that IP address belongs to. At that point, you can explain what Tor is and that you do not know the origin of the connection; somehow, it's more difficult to have that conversation when you are in an interrogation room, talking to someone likely believes you are guilty.

It's also ethical to warn the data centre of your intentions, if their ToS doesn't explicitly exclude Tor exits already.

and speaking of anonymous LLC's, I know a registered agent that takes cryptocurrency for several years

so now you can email him anonymously over TOR, and pay his bitcoin invoices Shapeshifting some Monero

I also checked the Panama Papers and none of those entities they filed for me appeared in the leak, but even in the off chance they did, you wouldn't be associated.

GreenCloudVPS also takes cryptocurrency.

and finally, there is at least one jurisdiction in the world that still offers legit bearer share companies which require no registration. And your entity no longer needs a banking relationship to acquire goods and services.

>and finally, there is at least one jurisdiction in the world that still offers legit bearer share companies which require no registration. And your entity no longer needs a banking relationship to acquire goods and services.

what does this mean? what is a bearer share company? and which jurisdictions would that be?

> what is a bearer share company?

A bearer instrument is an instrument which states that it is owned/controlled/usable/valid for the benefit of whoever possesses it, and normally doesn't rely on registering that ownership with an authority.


A bearer share company is a company that doesn't know or register who owns it. If, at a particular moment, you own the physical certificates that connote ownership, you own the company.

I read this as a "to really understand this if you need to actually consider doing it, one must do their own research on the matter" weed-out-while-still-confirming-type responses.

But how do you get the bitcoins without giving someone a credit card / debit account? It's a part of the chain that seems like it could all be traced back to one person. Person A buys bitcoins using their credit card. The bitcoins are then used to pay for the VPS. Are there any only bitcoin marketplaces that accept gift cards?

Bitcoin tumblers [0] are a thing:

[0]: https://en.wikipedia.org/wiki/Cryptocurrency_tumbler

On Paxful, you can buy a variety of ways that are essentially anonymous.

Rob someone on LocalBitcoins, obviously.

Just buy the bitcoin. The objective is to unlink the transaction later. Using cryptocurrency should be a completely benign action, and if there's any ounce of thought in your mind that makes you think it is an admission of "I'm doing something sketchy", then that's more reason to buy cryptocurrency and use it everywhere for completely benign things. Just like most contrived trends, you do it ironically until it is an actual habit.

For unlinking, Monero (cryptonote technology) is the private cryptocurrency to use today. The primary different between competitors is that Monero is private by default. Other 'private cryptocurrencies' are public by default with an optional privacy gimmick (see mixers, Dash, Zcash). Transparency is the optional gimmick in cryptonote.

You want to keep a balance of Monero, and use services like Shapeshift, over TOR, to pay for invoices priced in bitcoin.

Exchanges like Kraken allow you to buy Monero directly nowadays with USD. So bitcoin isn't part of this equation anymore, the network effects supporting bitcoin's incumbency were extremely overstated.

But if that infrastructure isn't yet available in your area, buy Monero on an altcoin exhcange after buying bitcoin. Or even shapeshift Bitcoin for Monero, just to top up your balance.

This is the separation of cash and state, so don't worry about what they think, this is a parallel infrastructure that doesn't leverage their financial institutions.

The "This happens in the US too" comments are an annoying pointless digression.

Just like in the Wikileaks threads when people go on about the abuses in other countries, and how unfair it is that JUST America's/ the DNC's/ the CIA/ the NAS's dirty laundry gets aired.

Repression and abuses of power should concern us all. One evil does not negate an other.

There's only one comment that says simply "this happens in the US too", and it's unclear whether it's trying to excuse the Russian authorities or simply pointing out that authoritarianism is not limited to Russia (Russian/Russia seems, perhaps accidentally, heavily emphasised in the subject).

The other posts that refer the US are in response to comments stating/implying that it's a specifically Russian thing, pointing out that no, similar things occur in the US.

They're not trying to say one evil (Russian) is negated by another (American), but that both sides do evil.

It is the primary mode of Russian paid trolls to use the "tu quoque" method of argumentation ("You do it too!") in online discussions. However, tu quoque is a fallacy. It is irrelevant to the discussion if other places do other things. We are talking about this specific instance. It also is trying to create a false equivalence, stating that if a bad thing happens once in country A, it is as bad as country B. However the frequency and severity of these matters is almost universally different, which shows the false equivalence.

The idea is to shift the conversation from one of utter disapproval for Russia's actions, to one where positions are negotiable.

If the US has even one instance of doing this, then questions arise such as:

1. Maybe this is unavoidable, and if so how much time/money should we spend chasing down an unavoidable issue?

2. Maybe there are specific circumstances where this is okay? Why isn't this one of those specific circumstances? We should trust the Russian government, just as American's give their own government the benefit of the doubt.

i agree that "One evil does not negate an other", but it's worth noting that persistent one-sided storytelling contributes to a persistent one-sided view of the world.

What's concerning to me here is "Now the investigation is examining all his seized devices". It's possible, although perhaps slightly paranoid, that the message posting was intended to create pretext for seizure.

This may be a little far-fetched - there's likely easier ways to generate pretext - but it might be something for owners of Tor exit nodes to be aware of.

It's more likely that Russia just does not like Tor in general, so they find excuses to put users in jail and mess with their devices just to dissuade other people from using Tor.

From that perspective, your theory is not so far-fetched because it's not like the Russian government went through a lot of effort to frame this activist in particular. Any other Tor user would do.

Added to that, they need to show they are fighting terrorism online. Finding actual terrorists is hard and dangerous. Finding people reposting memes on Facebook or running Tor exit nodes and jailing them under terrorism and "extremism" laws is much more cost effective, and looks the same in the statistical reports. Since there is no independent courts in Russia and prosecutorial abuse is almost never punished (it's very hard to punish it even in the US, in Russia it's orders of magnitude harder), and acquittal in Russian court is vanishingly rare (only 0.4% criminal cases end in acquittal) - there's no risk involved except for maybe couple of articles in the press.

When are authorities, or people in general, going to realize that IP addresses are NOT a "smoking gun".

It's Russia, They don't likely believe him to be the culprit, instead they're trying to break down the spirit of the masses for using or the facilitation of TOR which they cannot control.

We do that in the US, too. Just last week, the government attempted to order Twitter to reveal the identity of a Trump critic. If they really going to prosecute anyone, they wouldn't have backed down after Twitter sued. No, it was intimidation for future critics, just to chill speech one more notch.

I haven't heard of this. On what grounds did they ask for this?

“production of the indicated records is required in connection with an investigation or inquiry to ascertain the correctness of entries, to determine the liability for duties, taxes, fines, penalties, or forfeitures, and/or to ensure compliance with the laws or regulations administered by CBP and ICE.”

Exactly. And what a silly move, since even shutting down all the Tor nodes in Russia would not stop Russians from using Tor for the same activities.

It will be interesting to see if Russia adopts a network monitoring and censorship strategy as China has[0]. Of course, it would be tragic if they did.

[0] https://en.wikipedia.org/wiki/Great_Firewall

It will be adopted in Russia. I have an acquaintance who's working on deep packet inspection for Rostelekom and he tells me it should be ready within the next 2 years.

The Russians have had taps at every domestic and foreign (Rus-biz related) telco site for years through the SORM platform. https://en.wikipedia.org/wiki/SORM

I would imagine that there is a level of capability that already exists beyond 2 years out.

I suspect we'll do it here in the US too eventually, under a "national security" umbrella to, "protect ourselves some foreign cyber-terror" or such nonsense. The UK will probably do it first...

Edit: Remember that a huge portion of this country is demanding a 2000 mi long wall be built along one border... don't underestimate stupid and scared.

It is already happening in the US, just slightly differently. Befitting our "national character", as the Chinese term it, our great wall is made of advertising.

Deep packet inspection is here today for Comcast and other ISP customers. The nominal reason for the surveillance is typical adtech panty-sniffing, but of course the data is also available for subpoena, assuming ISPs actually ask for one, or just freely given out (that's more of an ATT thing).

And given that we know the FBI recruits Geek Squad techs to become informants and collaborators[1], who really thinks the FBI, DEA or another TLA won't do the same/hasn't already started doing the same with, say, network techs at Comcast? The same come-ons that worked for the Stasi work just fine elsewhere.

The people down-voting this comment, if they're doing so out of the belief that "it won't happen here", are simply wrong.

The surveillance-entertainment complex was born in the US, and the tools are massively attractive to anyone who covets power. Anyone who doesn't think the world-empire of the day will use them is deluding themselves.

[1] https://www.washingtonpost.com/local/public-safety/if-a-best...

> These men [Cheney and Rumsfeld] planned for suspension of the Constitution, not just after nuclear attack, but for any “national security emergency,” which they defined in Executive Order 12656 of 1988 as: “Any occurrence, including natural disaster, military attack, technological or other emergency, that seriously degrades or seriously threatens the national security of the United States.”


for a great firewall you have two choices

1) block SSL/TSL traffic and VPNs at the border

2) Man in the middle attack (this would needs browsers to accept certificates with a matching wildcard domain )

(1) would block internet commerce at the border - this is not acceptable in western countries were free trade is above everything else. (2) is a problem because the wildcard certificates will leak out and criminals will use them, this will eliminate trust and kill internet commerce internally (also it is quite resource intensive)

In any event a great firewall is a great tragedy: for Russia that would mean the end of any remaining freedom of speech and an end to the independent opposition - for example Navalny will no longer be able to mobilize anyone. Its a fact how freedom of communication directly translates into political liberties; block one of them and you loose the other... (it is also a Pyrrhic victory for the Russian state because limiting information results leads to ptechnological backwardness)

So for the meantime that means that a great firewall in a western country is very unlikely. Of course internet pundits said that of Russia at the turn of this century.... so the fact remains that it is impossible to predict anything.

TIL: the great firewall of china is called golden shield ( https://en.wikipedia.org/wiki/Golden_Shield_Project ) in Russia they might as well call it "stalin's pipe"

They're effectively adopting it piecemeal already, what with the current list of banned websites.

They did meet with Chinese GFW experts recently:


They already have publicly saleable data for every single citizen..

Possibly this is more about trying to discourage people from running exit nodes rather than a matter of technical understanding (could be a little of both)

It's about encouraging people not to oppose Putin in any way and they really don't care if those they make an example of are actually guilty in any way.

You seem to think the authorities are worried about the truth. Luckily, there are many countries where that is the case. But, almost by definition, oppressive regimes aren't so worried about the details.

In order to convince everyone they're not, you'll have to show how virtually every lead based on IP is false.

And I'm not so sure that is true.

If they're sensible, and I believe they have the ability to be, then you only have to show that many IP leads are dead ends (or rather, not the end). Tor exit nodes demonstrate that. Malware demonstrates that.

Leads are fine. Follow the lead, see where it goes. But if it goes nowhere, don't just lock a guy up until June anyway just because.

> don't just lock a guy up until June anyway just because

That's the idea of writ of habeas corpus, internet or no internet.

Your probably playing devils advocate but the issue overall applies to the concept of reasonable doubt being applied (supposedly) in a court of law in a criminal trial (at least a court of law in the US and others).

Certainly if law stated we should convict people based instead on 'virtually' conclusive evidence your conclusion is valid. I just hope they are real, real careful with that evidence! To prevent the worry of getting caught up when you are innocent, we (and other countries) choose instead to base decision on a criminal matter conversely by rejecting a criminal case on reasonable doubt.

With that understood; I ask you as a technical person (assuming you probably are as this is Hacker News); is it reasonable to say that an IP may not accurately tie to a particular individual in at least some non-extraordinary circumstances?

As a technical engineer I already know the answer it does not; and it can happen due to admin negligence at a minimum (admin wipes out the leases or changes the address pool then changes it back because it was a mistake). At least I certainly hope no one was convicted based on their IP in any network I have managed (or at least they had a good enough attorney to know to check in with me!).

They got a closed case, why would they care if they got the right guy?

They already know.

The same thing happened to someone I know in the UK, a few years back. He was arrested at dawn and put in a cell for a whole day after an offence was committed from the IP address under his control.

He said the officer interviewing him admitted he understood that the offender and node owner were probably different people, but it was close enough to justify an arrest.

This was a high-profile case where they did actually find and arrest the actual offender, so they had real leads - could only conclude this was intimidation.

Oh, they know it very well. They just don't care. It's not like they try to catch somebody specific. They just try to find somebody to blame, convict him and then report that they did their part.

1) The title is misleading.

2) If someone using your TOR node posts a message threatening to kill someone, YOU will be SWAT-ed first and only then police will find out you run TOR exit-node and maybe you are not the one who posted it. You implicitly accept risks associated with your operation.

Why would running a Tor exit node ever imply that the people exiting at that node are speaking on your behalf? Is a coffee shop "vouching" for you by letting you use its wifi? Is your ISP?

And if you're a cop, why would you dispatch a SWAT team to a Tor exit node at all? You can see if the IP is on the list and if so you'll have a hell of a time proving that the traffic came from the person running it even if they did (after all, why would they even use their own IP address when you could have used Tor?). At that point, you're basically punishing a random, innocent person for the (legal) act of running an exit node.

Unfortunately in most countries yes, you are responsible for the traffic that exits from you IP, even if you have a public WiFi for example. Then you have to prove in a court that the traffic wasn't effectively generated by you, and good luck to explain to a judge what is a TOR exit node is, and even that, how you can identify the traffic that exits from TOR from the one generated by you on purpose ?

So the best thing is, don't run a TOR exit node with a network connection registered with your name.

> Why would running a Tor exit node ever imply that the people exiting at that node are speaking on your behalf?

If we imply that TOR exit-node owners are innocent by default, what stops me from installing TOR node, posts threatening messages and when police comes say "hey i am humble TOR node owner, look somewhere else"?

> why would you dispatch a SWAT team SWAT was just an example.

Whatever law enforcement agency that investigate your case.

>You can see if the IP is on the list

You have to know there is such thing as TOR exists & see first part of the comment.

> If we imply that TOR exit-node owners are innocent by default, what stops me from installing TOR node, posts threatening messages and when police comes say "hey i am humble TOR node owner, look somewhere else"?

If you're savvy enough to run a Tor exit node and want to post threatening messages, why wouldn't you use Tor yourself?…

But anyway, at least in the United States, everyone is "innocent by default" - that is, until proven guilty beyond a reasonable doubt. If the presence of a Tor exit node, or an open proxy, or an open Wi-Fi network, or any number of other things makes an IP address insufficient evidence by itself, well, that's too bad. It may still be sufficient evidence to launch an investigation into the owner of the Internet connection, to gather more evidence - but even then, the standard is based on the likelihood that they committed the crime, not something about incentives to run exit nodes.

>But anyway, at least in the United States, everyone is "innocent by default"

The presumption of innocence only applies to the jury. Even with it, you can be arrested and the prosecutor will make the best possible case against you. It does not apply to anything that has happened in this story so far.

> You have to know there is such thing as TOR exists & see first part of the comment.

I would suggest that anyone who is in the business of identifying people based on their IP, especially for criminal matters, should be aware of Tor. Doesn't have to be every beat cop, but whatever process allows a police officer to turn "this is the IP address the suspect used" into "this is an address/person associated with that IP address" should have "Be Aware - this IP address is the endpoint of an anonymizing service and so there's really no way to associate it to a single person."

Kinda like how if you are given a physical address and it turns out to be a public park or something, you think, "Oh, this is different in kind than a private house" rather than just finding whoever happens to be standing in the park and taking them down to the station for questioning.

> Why would running a Tor exit node ever imply that the people exiting at that node are speaking on your behalf?

Because you are allowing them to speak on your behalf by running a tor exit nodes.

It's that simple.

3) You'll have an army of pissed off cops who will try to find something to charge you with, like aiding and abetting or some other tertiary charge. And then you can HOPE a prosecutor doesn't try to make an example out of you by telling you to either plea to 6 months of jail or face a jury trial that could send you to jail for 30 years.

> posts a message threatening to kill someone

do internet threats generally hold any credibility? what's the actualization rate?

Probably pretty close to 0%, but I think the question is a bit problematic.

If the actualization rate is any greater than 0%, police need to respond, because if it gets ignored and the person making the threat actually follows through, then people will go up in arms about how someone said they were going to kill somebody and the police did nothing.

Take another scenario. Some high school kid writes a tweet that he's going to shoot up his school tomorrow. Would it be fair for the school to get shut down and the kid taken into custody?

The question is "do police believe internet threats are credible?" It appears that many police departments do not find the threats credible by themselves, so SWATing isn't as dangerous as it was a few years ago.

But it also appears that some police departments are more easily convinced than others. So the real question is "does the police department in my area -- the one most likely to decide whether to raid my house -- believe internet threats are credible?"

Yes, don't run Tor exits from home.

In Soviet Russia you do not critique the government, the government critiques you. If necessary, jails you. If absolutely necessary, poisons you with Polonium-210.

If someone in the US posted publicly about bringing "bottles, fabric, gasoline, turpentine, foam plastic" to a protest, they'd get a visit from the FBI. Speech that incites violence is something they investigate regularly.

It looks like he didn't post any of that though.

Exactly. It looks like. You can't just blame authorities because they arrested him for investigation while the only thing you know is that it looks like he hasn't written them.

The thing is they have already had people been sent to prison for a single "like" in social networks or for expression of dislike in comments section. It didn't look like somebody cared to investigate anything. Something tells me it wouldn't be surprising at all if the "arrested for investigation" is turned into "sent to jail" in this case, too.

They have to make sure he didn't queue up messages to be automatically posted according to a predetermined schedule while he was establishing an alibi away from his computer.

Obviously he's a FOSS extremist..

I don't think everything that's transpired is right, but if that situation played out in the US, I'd expect the FBI to investigate in an attempt to find out who posted a call to violence online.

The first person of interest would most likely be the user of the IP address at that time.

It's unfortunate that operators of Tor exit nodes have a large amount of risk placed on them, but I don't think it's a situation borne of Soviet-era backwardness or unique to modern Russia.

This happens in the U.S., too.

I know this opinion is not going to be popular, but here it goes: by running a Tor exit, you're letting anonymous people do whatever they want in your behalf, because the exit IP address relates their activities to you. I believe it's irresponsible to do so. This kind of stuff is going to happen.

I also don't believe the "an IP address doesn't identify a person" mantra that's so widely used in the privacy-aware circles. Your ISP gives you an IP address for yourself, and if you let others use it, you know you can get yourself in trouble, the same you'd get yourself in trouble if you let anybody who asked you use a rifle of yours, or a car. Would you let someone you don't know at all drive your car? What if he runs over someone? Would you be responsible of it for letting him use your car? Would you risk going to prison?

The alternative is worse: I could be looking at pedophilia or terrorism sites all day and if they catch me say "well I also run a Tor exit node so how do you prove it was me!". Your IP identifies you, so be responsible!

> I could be looking at pedophilia or terrorism sites all day and if they catch me say "well I also run a Tor exit node so how do you prove it was me!"

Why would that be a problem, looking at things on the internet?

But advocating to sacrifice anonymity is a problem. It makes those fighting governments very vulnerable and easily silenced. And gives a way for governments to take action against anonymity.

I also agree that merely looking at things shouldn't be illegal, no matter how offensive or disturbing the content is. After all, we wouldn't arrest someone for reading a book, and there are some pretty fucked up books out there. So why is it different with the internet?

In the case of child porn, the typical argument is that even downloading/viewing/possessing it exploits the victim(s).

Personally, I'd prefer the law enforcement emphasis to stay on those creating/buying/selling/distributing child porn, but oh well.

The idea is, if there is demand, there will be offer to match it. War on Drugs all over again. And now with ads, merely watching videos on YouTube makes one an actor in the economy around this kind of videos.

As for child porn, I bet a good chunk (most?) of the content is directly paid. Such transactions do encourage the corresponding offer. This works for regular online stores, so it most likely work for child porn as well.

Now if the downloading or hoarding of the data doesn't imply any direct or indirect transaction to the benefit of the provider… that probably doesn't help exploitation one bit. But you have to be careful not to perform or facilitate such transactions —or just stay the hell away.

"As for child porn, I bet a good chunk (most?) of the content is directly paid."

What I allways heard in this debate (from privacy activists) is, that most of the stuff is actually shared noncomercial in closed circels. And to get into such a circle you would have to provide them with fresh material (made by yourself).

But on a quick check, I could not find reliable numbers(or those claims), but I guess they would be hard to get in the first place.

Anyhow, I agree that total surveillance would for sure reduce horrible crimes ... But I rather have privacy and police focused on the actual crimes happening.

And the actual crime in this case is the production. And even though it does might lower the barriers for some if they can savely pay/consume for CP, and therefore increase production, I can imagine the danger is a kick for others as well.

And even if we could manage to ban all CP from the internet, then those people might want to get their kicks then in real life.

Anyhow, I think that is where society has to focus on - the actual fucked up people. And there are plenty of them around and they won't go away, because you lock them off from their sick internet kicks.

But on the other hand, yes, it might be easier for police etc. to keep track of them, if they are not anonymus. Unfortunately I think that most people wanting to eliminate privacy don't care at all about the children, but rather want plain power.

And there are good reasons to not trust governments who wants to know everything about the people but not wanting the people to know about what they are doing ...

I mean, we are even talking about russia here. Would you trust them?

Again, I'm going to use the War on Drug. They cracked down on users, and it plain didn't work. Do reduce drug demand, you want to help users, not put them in jail. And also help unhappy people in general —in practical terms, this often means helping poor people, that is, having a functioning welfare system.

Child porn may be similar. I don't know.

And of course total surveillance is too high a price to pay. I'd rather have some more child abuse and some more "terrorism" and a little bit more crime, if that's the price we have to pay for privacy (and I'm not even sure we do). As much as I don't like horrible stuff happening, total surveillance is much worse —if only because of the sheer number and comprehensiveness of the effects. I'll take torture over dust speck¹.


I guess we agree on the main topic, I just want to point out, in case you ever want to go into politics, or some other public position ... never phrase a sentence like that:

"I'd rather have some more child abuse "

media would lynch you cheeringly and totaly ignoring everything after. Kind of a sad world we are living in, though ...

The internet is faster and more accessible than publishing a book, which makes government critters anxious that people will use it to spread controversial ideas and eventually take down the establishment.

> and eventually take down the establishment.

That last one is kinda inevitable. The internet, even the spied centralised version we see at Facebook and Gmail, has a flattening effect: for the first time in recorded History, people can write. And other people respond to them. Even the printing press failed to achieve that —mostly.

Sure, there are bubbles and such, but there no escaping the fact that public forums train people in public debates. This will have a political effect.

Now I can only hope the transition will not be too bloody.

> and eventually take down the establishment.

>> That last one is kinda inevitable.

It allways is and was. Happened allready many times, it is called human history ;)

> ...the same you'd get yourself in trouble if you let anybody who asked you use a rifle of yours.

You lost me here. This is more like letting someone make a call with your phone. Rifles are inherently dangerous, even gun enthusiasts agree on that. We're talking about information more broadly here.

If I lend my neighbor my rifle and he kills someone or something that wasn't legal to kill, it isn't my problem - as long as he was legal posses a firearm. This isn't the same as sharing your IP address.

A shared IP address can be in use by me and my "friends" on Tor - at the same time. A rifle is only in the hands of one person at a time.

If you put a phone booth on the street in front of your house or business, like a free phone booth, are you liable for the contents of the calls placed on it? What if there were two phones? A hundred?

What if it wasn't a phone but a mailbox? A big chalk board? A bulletin board?

What if it weren't a mailbox but a free parking lot? Bob could put a thumb drive in his glove compartment, park his car, and then have Alice pick it up. Am I liable for what's on that drive because I provided free parking that was used as a medium for illegal information?

That why I think sharing things with strangers cannot logically make you liable for their speech and information.

Having a free-to-use shotgun and a box of shells in front of your house is an entirely different question. That's why I said the analogy was a poor one.

When the police find the weapon, they'll see it's registered by you and knock on the door.

You're not gonna have a fun experience explaining that you lend your rifles to your neighbour at the time of the murder.

> This is more like letting someone make a call with your phone

If someone uses my phone to make a threatening phone call, I'm probably first in line to be investigated. Just because it's not inherently dangerous, or would result in legal consequences for the phone owner, doesn't mean it is a risk-free thing to do.

> If someone uses my phone to make a threatening phone call, I'm probably first in line to be investigated.

Sure. There are practical consequences. But if it's a working phone booth on the sidewalk out front, the prosecutor can't prove much with "it was your phone". Of course, you could be put through the wringer or even convicted based on really flimsy evidence.

For what reason would a person want to use Tor instead of his regular connection?

And before you tell me Tor is nothing more than a privacy tool, remember that most sites ban Tor exits because the majority of users are troublemakers.

Seriously? I imagine >95% of consumers would adopt tor quickly if browsing performance was comparable to standard browsing (hell it would be packaged with firefox). The general public hates being tracked and having their privacy invaded. Just look at the political mess created when congress gave ISP's the right to sell user browsing data at the end of last month.

> hell it would be packaged with firefox

It already is, unofficially. If you download the right version.

>The general public hates being tracked and having their privacy invaded. Just look at the political mess created when congress gave ISP's the right to sell user browsing data at the end of last month.

You gotta be kidding me. If that were the case nobody would ever use Facebook, or browse the web without an ad blocker and blocking 3rd party cookies. I also like privacy but we have to understand that nobody really cares about that. Maybe it's because they are not educated and don't know what the risks are, but whatever the reason, privacy is ignored by most people.

In the case of Facebook, users might very well not know the extent by which Facebook tracks them. In the case of ad-blockers, users (at least those I've met) tend to not know they exist, and are excited to try them out.

I'm not sure the general public sees ad blocking as an ethically green area. More of a grey area so many aren't comfortable doing it even if they love the experience.

You can opt out of Facebook though, or set up a fake account.

>And before you tell me Tor is nothing more than a privacy tool, remember that most sites ban Tor exits because the majority of users are troublemakers.

So... don't tell you the truth, because you've already decided that a bunch of anonymous people are "bad".

Have you ever considered a career in law enforcement or politics?

What's the truth? Most websites require you to fill a captcha, confirm your mobile number, or simply block you if you happen to use the service from a Tor exit. That's something you can check yourself, go to the big sites (Alexa top for example), and see it. Even Hacker News shows you a captcha if you register from Tor.

Do you believe those sites are in some kind of major plot to bother Tor users, or they simply are fed up with the abuse coming from Tor? Ockham's razor.

> Ockham's razor

state actors are annoyed by whistleblowers. tor is useful to whistleblowers. tor is bad.

Are you talking about most websites worldwide, or most websites in US specifically, or the West in general?

Because if it's the latter, then your sample suffers from rather extreme selection bias.

> For what reason would a person want to use Tor instead of his regular connection?

If I'm doing some background research for my work, I don't want to have to wonder if my ISP will sell me out, allowing a competitor to know what I've been up to.

If I'm hanging around gear head websites and letting people know just what a drooling fanboy I am for the products of a particular car company, I really don't want my ISP to sell me out and let the local car dealer know.

> because the majority of users are troublemakers

This statement is actually wrong. The majority of users are probably normal people. The majority of the traffic coming from exit nodes, though, may come from scripts/bots ; but that is a really small percentage of users.

IP address is too weak point of such failure. Your wifi password can leak or be guessed, and wired connection can have mitm so easily. Trojans may operate as exit nodes of some dark network. IP should not be used as identity in any way even in investigation process (not to mention courts). IP doesn't identify you, it simply leads to your connection point.

In practice though, these clinical cretins can throw you into russian jail for two months without taking counter-evidence into account. Just because.

> the same you'd get yourself in trouble if you let anybody who asked you use a rifle of yours.

If someone borrows my car and crashes into someone else, I'm not legally responsible. Same goes for companies that let anyone use their cars, like rental services.

This story illustrates why Tor will never actually bring down a repressive regime. Tor appears to be based on the idea that if you can't prove who actually said something, then you can't punish them. Repressive regimes can punish those people anyway.

You're missing a key point. Consider North Korea. I doubt that there are many Tor exits there. But if North Koreans can access Tor, they can use exits elsewhere. And it's unlikely that the North Korean government will be assassinating Tor exit operators. So there's nobody for it to punish.

North Koreans, outside of a select few, can't access the internet, and thus can't access Tor anyway.

OK, so make it Americans. I don't believe that the US is prosecuting foreign Tor relay operators, either.

I know ​the US isn't perfect, but is it the kind of repressive regime that the Tor project talks about? Or, to put it another way, should Tor consider it a success that they can take down regimes no more repressive than the US?

I won't be drawn into a debate on relative repressiveness. But consider how LGBT activists were generally harassed a decade or two ago. And still are, in some parts of the US. Or the War on Drugs.

I'm sure that some Tor supporters in the CIA are hot on taking down particular regimes. But I don't recall seeing that as an official Tor Project use case.

Regarding the example of North Korea, I'm sure that there are ways of hitting Tor. At least, if you can reach the Internet at all. Maybe it's not worth the risk, however.

Maybe they stopped making a big deal about it, but it was one of their "we make the world a better place" use cases when they started out (of course, they also said "no warranties that we got the security perfectly right").

Honest question, its not illegal to run an unrestricted wifi access point, and you can't be held accountable for others using that ip for illegal means in court today. So how does this differ from running a TOR exit node?

Well, in Russia it is illegal to run an unrestricted wifi access point - since 2014 you're technically supposed to verify identities of everyone you give access. Many don't, but it's technically illegal - so if they don't like you for whatever reason, then that wifi will be valid reason to punish you, by making you accountable for others using that for illegal means.

And people in Russia have went to jail literally for pressing 'Like' on a single post.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact