Posted by pantalaimon 10/25/2024

Law Enforcement Undermines Tor (marx.wtf)
105 points | 78 comments | page 2
radku 10/25/2024|
Would using VPN prevent prying eyes from detecting the IP address? This issue seems to be related only to Tor users who do not use VPN?
immibis 10/25/2024|
Yes, the German monitoring would point to the VPN provider, instead of directly at the user. However, they would then install a monitoring device at your VPN node.
ryandv 10/25/2024||
[flagged]
Communitivity 10/25/2024||
"everyone is assumed to be acting in good faith". Right. I think that when it comes to network service security the old adage told to my father by an Irish Catholic priest applies: "Bill, once you understand that most people are just no damn good, then you'll be fine".

Or, in the words of the NSA, "Trust, but verify".

I agree that HTTPS is bad though, as it is used. We only do one-sided TLS, not mutual. Most people don't verify the server's cert by looking at it. Most apps don't encrypt messages before they go over TLS. In a more secure world a proxy with stateful packet inspection would not be possible.

As is often the case, the problem isn't technical (or at least not mainly technical). Employers, governments, and ISPs want proxies that inspect traffic, either for CYA or to increase budgets by increasing situational awareness. For governments, situational awareness increases wins by enabling them to catch people they deem bad actors. For employers and governments, increased SA means a decreased chance of leaks and people not doing what they're supposed to do with their time. For ISPs, it means they can monitor the traffic and restrict certain things (like video streaming, or running a server from home) to increase profit.

I can think of at least one potential solution. Still, it requires a technically savvy public, a patient public, and money: Open Source phones in everyone's hands, circles of trust, distributed freenet with data passed E2E encrypted via gossip protocol when two phones get near enough for Bluetooth data transmission (figure 50m roughly) where both phones are within some N degrees of separation via circles of trust. However, this means getting/sending data is asynchronous with long delays and no guarantees.

viraptor 10/25/2024|||
I guess you weren't around for the fun when https://en.wikipedia.org/wiki/Firesheep was popular.
ryandv 10/25/2024||
I have seen the Wall of Sheep in person when HTTPS everywhere was just getting started, and you would still see wireless networks secured with WEP. This is pre-Snowden.
viraptor 10/25/2024||
So you're aware of those cases and just going with "yeah, let's ignore those account takeovers, impersonations, data theft, etc. across any service from social media to banking and payment" because just bad people need encryption? Walk me through the process of a non-vile person using banking securely from a cafe/hotel in your scenario.
ryandv 10/25/2024||
Do you not understand what I am doing?
viraptor 10/25/2024||
If you're being facetious, it's hard to tell, because you're not over the top enough. There are people who genuinely hold that position and you can occasionally find them on HN. Often under the "HTTPS is a scam and makes everything slower and hard to debug" banner though.
GrantMoyer 10/25/2024|||
Agreed. An added benefit is then ISPs could monitor traffic and sell the data to AD or insurance companies, who could use it to drive more sales or cancel risky insurance policies, increasing the efficiency of the economy.
luma 10/25/2024|||
You imply that the only bad actors one needs to protect themselves against are the police. The vilest criminals can also use my data against me.
jeffhuys 10/25/2024|||
Yeah that's all fun, I don't have anything to hide either. But what if I actually WILL in the future, retroactively? I've said a few things here and there, what if certain types of speech end up getting banned and if you don't remove it on time (or lost access), you risk jail-time?

Seems far away, but it's literally happening in England.

Please watch out with this kind of thinking - it's dangerous to everyone.

ryandv 10/25/2024||
> what if certain types of speech end up getting banned and if you don't remove it on time (or lost access), you risk jail-time?

So racism, homophobia, and transphobia? Why would you support technologies that promote and support the dissemination of hate speech and misinformation?

bronson 10/25/2024|||
For the near future, more like info on safe abortions. Or union organizing.
immibis 10/25/2024||||
In Germany (which also happens to be the country that successfully attacked Tor) it is currently illegal to support Palestine. Is there anything in your private messages that you wouldn't want the government to know?
potato3732842 10/25/2024||||
> So racism, homophobia, and transphobia? Why would you support technologies that promote and support the dissemination of hate speech and misinformation?

Historical content ought not to be censored at the behest of the morals of the present. There is great value in being able to access the content of the past in its primary source form. If that makes me some sort of "ist" so be it.

123yawaworht456 10/25/2024|||
because they are based
gmuslera 10/25/2024|||
Schools should ban the teaching of math so future criminals won’t be able to use encryption for their evil deeds.

It is not a thin line the one you are crossing.

fguerraz 10/25/2024|||
Technology is never a solution to your democracy problems.
notpushkin 10/25/2024|||
It’s 2024 and I can’t tell if this is sarcasm or not.
michaelt 10/25/2024|||
Then allow me to knock it up a notch!

Encryption isn't needed, because nothing important happens over the internet.

Nobody shops online, or does their banking online. Nobody would ever work from home over the internet - how would the boss know if workers were sleeping on the job? People who want to buy stocks from their phone simply phone their stockbroker. Anyone can post any nonsense on the internet, so it's useless for any serious research. Dating online, where anyone can lie about anything? I hardly think that's likely.

The idea that a control system for an important bit of infrastructure like a power plant would be connected to the internet? A car with a driver assistance system getting software updates over the internet? Utterly inconceivable.

A pandemic that shifts almost the entire economy and almost all socialisation online? I doubt that would ever happen. In my society, we cover our mouths when we sneeze, and wash our hands after using the bathroom.

Just look at the most valuable companies, that have driven the growth of the economy over recent decades. Apple, Google, Microsoft, Nvidia, Amazon, Facebook, Netflix. If there's one thing they have in common, it's that they're absolutely nothing to do with the internet.

The internet is, at its heart, nothing more than a chatroom for shut-in losers to talk about pokemon - so there's no need for anything online to be private.

pixxel 10/25/2024||
> so there's no need for anything online to be private

I disagree. Unless you’re being sarcastic?

notpushkin 10/26/2024||
@michaelt: looks like you need to knock it further up still!
ryandv 10/25/2024||||
Feel free to debate the statement on its merits, at face value.
WillAdams 10/25/2024|||
The problem is, just the mere fact of communication is sufficient to determine relationships, which can make any sort of organized action simple to identify, root out and quash:

https://kieranhealy.org/blog/archives/2013/06/09/using-metad...

> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.

If the 2nd Amendment applies to a modern firearm (and it should), then the 4th amendment has to apply to e-mails and text messages.

amiga386 10/25/2024|||
Your proposal is too modest. Why should only law enforcement see our messages? All messages should be treated like the banns of marriage and read aloud by the local priest or posted on the church walls, so that all interested parties can learn their contents and raise any relevant legal objection.
Attrecomet 10/25/2024||
In actual fact, your proposal is too modest. Why should only electronic messages be so publicized? After all, relevant communication, either for our protectors in law enforcement (and secret services, don't forget their hard work for our prosperity) or for us members of society, happens via all kinds of mediums.

Privacy of correspondence might have had some relevance in the past, but today, with LLMs helping us work through the huge amount of data, every letter should automatically be scanned and added to a database for further consumption. Every telephone conversation. Actually, we should force phone manufacturers to turn their devices into permanent microphones and record everything they hear, gathered in public databases.

The best results from last week's search can then be read aloud in church or at community meetups.

hydrolox 10/25/2024|||
In fact, your proposal is too modest still. We are still free to think whatever we want! We should fast forward the development of neuralink chips and broadcast everyone's thoughts live to everyone at all times so that you can make a judgement of unethical behavior
123yawaworht456 10/25/2024||
You lack ambition. We should instead proceed with Human Instrumentality Project and turn the mankind into an abstract singularity.
rapind 10/25/2024|||
I’m OK with this so long as I’m in a position of power and exempt from having my communications public.
amiga386 10/25/2024|||
It's your lucky day! I have trained an LLM that reliably detects sarcasm. It was trained on only the finest sarcasm, dramatic irony, situational irony, ridicule and tomfoolery. As an amazing side effect it can even detect whether statements were made in bad faith or good faith with 100% reliability. You need never guess someone's intentions again! The machine will tell you.

I intend to launch it soon, don't miss this investment opportunity!

0x_null 10/29/2024|
[flagged]