Preconfigured hidden service
Don't know if this comment has been made this-go-round, but I have long argued that support for the 'clueless' is actually well within the bounds of Cypherpunk concern. Of course, traditional Cypherpunk theology (a la Tim May) is that we shouldn't worry about the clueless. If they can't set up a Tor Client then fcuk 'em: If I'm not clueless then my communications can be made secure.

To this I'd offer the following argument, stated elsewhere but summarized here. This argument actually does not contradict the traditional cypherpunk dogma (if such can actually be said to exist), but acknowledges certain realities:

1. Although the mathematical basis of the big encryption algorithms may be sound (and it's been argued by the less-than-clueless that some healthy doubt could be cast on this claim), practical implementations can be made fully secure only through a vast amount of effort that encompasses computer hardware, firmware, software, and the encryption algorithms themselves, not to mention brute-force attacks that include binoculars and tempest-like surveillance. Thus, any one instantiation of a Platonically secure encryption standard should be regarded as less-than-absolutely secure.

2. Although current implementations may be less than completely secure, it seems reasonable at this point (given media information) that it is still possible to make a communication secure enough to eat up fairly expensive resources. In other words, they may have the ability to crack just about any single message, but it seems very doubtful that the ability exists to grab and crack EVERYTHING. In other words, increasing PGP lengths may not ensure security, but it most likely increases COSTS.

3. Assuming any single message is probably crackable, given enough time and money, it behooves the clued to reduce a message's 'risk profile' as far as possible. In other words, it becomes desirable to remove any easily detectable signs that a message is encrypted or even interesting. This reduces the likelihood that it will be swept up and either stored (for cracking later) or given high-priority status through TLA networks.

3. It would seem evident from the above that, even for the clued, it behooves them to accept the need to increase the volume of as-secure-as-possible encrypted traffic, mindful of the fact that 'easy' implementations may actually not be particularly secure, or not secure enough for use by the sufficiently clued. However, as the volume and encrypted strength of traffic increases, it becomes all the more difficult for any one message to get flagged. (I would suggest that this is the real problem that the TLAs are faced with in the information age: They can't keep up with the traffic and must do more and more prioritization at the 'edges' of their network, thus the whole AT&T fiasco.) Most likely, TLAs have to manage several bottlenecks, another key one being the last resort cracking farms or messages that have resisted penetration through any other means. The cost per message cracked here is probably quite high for very secure messages. Ideally, one would like as much possible traffic to qualify for this, so as to force as much edge prioritization as possible.

4. Perhaps it is needless to say, but it is probably unfair to try to pin usability on any one technology, such as Tor. However, as suggested below, the value of Tor to all users increases with increased usability and reasonably secure traffic.

Thus, I would suggest that it is well within May-sian Cypherpunk orthodoxy to encourage usability for the clueless (or the simply busy), mindful of the limitations (and threat scenarios) that such usability might reasonably be constrained to.

-TD
From: Eugen Leitl <eugen@leitl.org>
To: cypherpunks@jfet.org
Subject: Preconfigured hidden service
Date: Fri, 23 Mar 2007 11:17:56 +0100
----- Forwarded message from JT <toruser@fastmail.fm> -----
From: JT <toruser@fastmail.fm>
Date: Fri, 23 Mar 2007 03:11:47 -0700
To: or-talk@freehaven.net
Subject: Preconfigured hidden service
X-Mailer: MessagingEngine.com Webmail Interface
Reply-To: or-talk@freehaven.net
Hi,
is it possible to have a preconfigured hidden service in Tor as I2P has? After installing I2P all a user has to do is put html files in the htdocs folder and he is ready to go. He can look up the URL of this website easily.
Every noob can host a hidden eepsite. Is something like this planned for Tor? A simple, secure webserver preconfigured to only listen to 127.0.0 and ready to go? The average user (at least the ones I talk to) barely manages to set up Tor. Some people are even too computer illiterate to click on the onion symbol and choose "start Tor" and yet we need those people in the user base (more distributed trust).
I know the programmer's power of the Tor project is limited (due to the number of programmers) and not everything can be implemented at the same time. And this is not a complaint. I love to participate in political discussions and be able to talk freely and without having to worry about being threatened afterwards. I am very grateful for Tor. The technical side of Tor is already very advanced but all the attacks published in the last months were possible because the usability side of Tor is still lacking a lot. I know it is a common problem for everybody in the IT field to assume that the users of the IT have the same knowledge as the creators but this is not even remotely true. Yes, smart projects also attract smart users but what about the other 80%? What about the 80-20 rule? :)
If Tor wants to be a hidden free internet within the internet it must provide a one click service to host a website like I2P.
Journalists that work in Sudan, Iraq, Burma, Cuba, Russia or many, many other countries need something that works right away. Not every journalist can go to college and learn how to set up an apache server and configure it. A standard installation should be able to host html only. Tor could learn from I2P. Computer experts can then change the settings to host php, etc also.
I think such a thing would spread like wildfire and the Tor user base would explode. Lots of people want to host their own sites and they would with a one click installation of a hidden service web server.
I really wish I could help with programming and not only making suggestions.
Long live Tor!!
:)
--
JT
toruser@fastmail.fm
----- End forwarded message -----
--
Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
______________________________________________________________
ICBM: 48.07100, 11.36820 http://www.ativel.com
8B29F6BE: 099D 78BA 2FD3 B014 B08A 7779 75B0 2443 8B29 F6BE
[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
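The forwarded request asks for a web server that listens only on loopback and serves plain HTML out of the box. The sketch below is an added illustration of that setup, not part of the thread and not Tor project code; the htdocs location, the local port and the HiddenServiceDir path are assumptions made for the example.

```python
import functools
import http.client
import http.server
import os
import tempfile
import threading

def torrc_stanza(hs_dir, local_port):
    # torrc lines mapping onion port 80 to the local server (path and port are assumptions).
    return f"HiddenServiceDir {hs_dir}\nHiddenServicePort 80 127.0.0.1:{local_port}\n"

class HtmlOnlyHandler(http.server.SimpleHTTPRequestHandler):
    server_version = "httpd"  # Server header without the Python version
    sys_version = ""
    def list_directory(self, path):  # never expose directory listings
        return self.send_error(404)  # send_error returns None
    def send_head(self):
        path = self.translate_path(self.path)  # also normalises ../ segments
        if not (os.path.isdir(path) or path.endswith(".html")):
            return self.send_error(404)  # anything that is not .html is refused
        return super().send_head()

def make_server(htdocs, port=0):
    handler = functools.partial(HtmlOnlyHandler, directory=htdocs)
    # Loopback bind: reachable by the local Tor process, not from the network.
    return http.server.ThreadingHTTPServer(("127.0.0.1", port), handler)

def fetch_status(port, path):
    conn = http.client.HTTPConnection("127.0.0.1", port, timeout=5)
    conn.request("GET", path)
    status = conn.getresponse().status
    conn.close()
    return status

def demo():
    htdocs = tempfile.mkdtemp()  # constructed sample site
    for name, body in (("index.html", "<h1>hello</h1>"), ("notes.txt", "private")):
        with open(os.path.join(htdocs, name), "w") as f:
            f.write(body)
    with make_server(htdocs) as srv:
        threading.Thread(target=srv.serve_forever, daemon=True).start()
        host, port = srv.server_address
        result = (host, fetch_status(port, "/index.html"),
                  fetch_status(port, "/notes.txt"), fetch_status(port, "/"))
        srv.shutdown()
    return result

if __name__ == "__main__":
    print(torrc_stanza("/var/lib/tor/example_site/", 8080), demo())
```

Because the listener is bound to 127.0.0.1, the site is reachable only through the port mapping in the torrc stanza, and a stray non-HTML file dropped into htdocs is not served.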