Instead of only bashing tor, why not discuss the alternatives?
Instead of only bashing tor, why not discuss the alternatives and move to something allegedly better?
Certainly some advanced attack and/or backdoor will screw them all.
For a start, I would like to know:
1. What are alternatives to tor (possibly with less functionality)?
2. Is the alternative known to be in bed with shady stuff like TLAs?
3. Did they have braindamaged bugs (like debian's openssl memset())?
4. What is their security/anonymity bug history?
5. To what attacks they are known to be vulnerable?
6. To what attacks they are conjectured to be immune?
As an aside, I heard critique of Riffle: MIT are allegedly in bed with USA. Don't know if this makes sense or not.
On Tue, Jul 19, 2016 at 11:44:16AM +0300, Georgi Guninski wrote:
Instead of only bashing tor, why not discuss the alternatives and move to something allegedly better?
Certainly some advanced attack and/or backdoor will screw them all.
For a start, I would like to know:
1. What are alternatives to tor (possibly with less functionality)?
from the top of my head: dissent, riffle, i2p, mixminion pynchon-gate percy++
2. Is the alternative known to be in bed with shady stuff like TLAs? 3. Did they have braindamaged bugs (like debian's openssl memset())? 4. What is their security/anonymity bug history? 5. To what attacks they are known to be vulnerable? 6. To what attacks they are conjectured to be immune?
As an aside, I heard critique of Riffle: MIT are allegedly in bed with USA. Don't know if this makes sense or not.
---end quoted text--- -- otr fp: https://www.ctrlc.hu/~stef/otr.txt
On 07/19/2016 02:12 AM, stef wrote:
On Tue, Jul 19, 2016 at 11:44:16AM +0300, Georgi Guninski wrote:
Instead of only bashing tor, why not discuss the alternatives and move to something allegedly better?
Certainly some advanced attack and/or backdoor will screw them all.
For a start, I would like to know:
1. What are alternatives to tor (possibly with less functionality)?
from the top of my head: dissent, riffle, i2p, mixminion pynchon-gate percy++
2. Is the alternative known to be in bed with shady stuff like TLAs? 3. Did they have braindamaged bugs (like debian's openssl memset())? 4. What is their security/anonymity bug history? 5. To what attacks they are known to be vulnerable? 6. To what attacks they are conjectured to be immune?
As an aside, I heard critique of Riffle: MIT are allegedly in bed with USA. Don't know if this makes sense or not.
---end quoted text---
dissent, riffle, i2p, mixminion pynchon-gate percy++
NONE of these are intended for the same target audience as tor. IOW NONE of the above could CONCEIVABLY be used by a journalist or computer-illiterate dissident in Tanzania right NOW.
And honestly, imho, I2P is probably just as compromised as tor, but it's so much more fucking obscurant, to hide that possibility. I tried using it for a while. Fucking useless and continues to be so.
No one's mentioned Retroshare. It seems a likely candidate.
Rr
On Tue, Jul 19, 2016 at 08:34:05AM -0700, Rayzer wrote:
1. What are alternatives to tor (possibly with less functionality)? from the top of my head: dissent, riffle, i2p, mixminion pynchon-gate percy++
NONE of these are intended for the same target audience as tor. IOW NONE of the above could CONCEIVABLY be used by a journalist or computer-illiterate dissident in Tanzania right NOW.
this was not my interpretation of "alternatives to tor", and surely some come with much reduced functionality, percy++ just being a library. there's much more use-cases than using a browser anonymously, in some of these use-cases tor can indeed be replaced by these technologies. also i still consider that some people on this list are actually building stuff, instead of being overly verbose, and for those, at least pynchon gate and percy++ should be interesting building blocks. a real alternative to tor would tackle the GPA issue, for that i think the only solution is high-latency, that means also that browsing the web will be quite a different experience with such. btw david chaums cmix is also an interesting inspiration for a replacement in certain use-cases, but surely not in general either. and not for dissidents in tanzania now (which was no explicit requirement anyways). but then those dissidents probably have also problems with computers in general including tor.
And honestly, imho, I2P is probably just as compromised as tor, but it's so much more fucking obscurant, to hide that possibility. I tried using it for a while. Fucking useless and continues to be so.
we agree on this one. however this was not the point of the question i believe, and as such fits as an answer. -- otr fp: https://www.ctrlc.hu/~stef/otr.txt
On Tue, Jul 19, 2016 at 8:42 AM Rayzer <rayzer@riseup.net> wrote:
On 07/19/2016 02:12 AM, stef wrote:
On Tue, Jul 19, 2016 at 11:44:16AM +0300, Georgi Guninski wrote:
Instead of only bashing tor, why not discuss the alternatives and move to something allegedly better?
Certainly some advanced attack and/or backdoor will screw them all.
For a start, I would like to know:
1. What are alternatives to tor (possibly with less functionality)?
from the top of my head: dissent, riffle, i2p, mixminion pynchon-gate percy++
2. Is the alternative known to be in bed with shady stuff like TLAs? 3. Did they have braindamaged bugs (like debian's openssl memset())? 4. What is their security/anonymity bug history? 5. To what attacks they are known to be vulnerable? 6. To what attacks they are conjectured to be immune?
As an aside, I heard critique of Riffle: MIT are allegedly in bed with USA. Don't know if this makes sense or not.
---end quoted text---
dissent, riffle, i2p, mixminion pynchon-gate percy++
NONE of these are intended for the same target audience as tor. IOW NONE of the above could CONCEIVABLY be used by a journalist or computer-illiterate dissident in Tanzania right NOW.
One (not really) counterexample, though for a very narrow use case is/was NightWeb, which was an Android app that embedded I2P. Was somewhat easier to set up than OrBot plus a browser, but unfortunately its author abandoned it. Again, though, not actually the web, though email through Tor is not exactly easy to use either. Speaking of which, there's also a standalone Bote app. You can only send messages to other Bote users, but it's easier to set up and probably more secure than Tor-based solutions due to the lack of a central target, despite the concerns about I2P's security you mention below.
And honestly, imho, I2P is probably just as compromised as tor, but it's so much more fucking obscurant, to hide that possibility. I tried using it for a while. Fucking useless and continues to be so.
This continues to be my main concern about I2P. It hasn't had nearly the attention Tor has. It could have gaping holes and we wouldn't necessarily know about them, while any holes in Tor have to be subtle at this point, opinions about Tor's funding & governance model notwithstanding.
No one's mentioned Retroshare. It seems a likely candidate.
I keep meaning to spend more time looking at that. Thanks for the reminder.
Rr
On Tue, Jul 19, 2016 at 08:34:05AM -0700, Rayzer wrote:
dissent, riffle, i2p, mixminion pynchon-gate percy++
NONE of these are intended for the same target audience as tor. IOW NONE of the above could CONCEIVABLY be used by a journalist or computer-illiterate dissident in Tanzania right NOW.
Aren't the shiny features easy to do if there is core functionality? Given socks proxy or network interface it is trivial.
On 07/20/2016 12:08 AM, Georgi Guninski wrote:
On Tue, Jul 19, 2016 at 08:34:05AM -0700, Rayzer wrote:
dissent, riffle, i2p, mixminion pynchon-gate percy++
NONE of these are intended for the same target audience as tor. IOW NONE of the above could CONCEIVABLY be used by a journalist or computer-illiterate dissident in Tanzania right NOW.
Aren't the shiny features easy to do if there is core functionality?
Given socks proxy or network interface it is trivial.
I suspect the shiny gui is a venue for a number of security risks. Rr
On 07/20/2016 08:56 AM, Spencer wrote:
Hi,
Rayzer: NONE could be used by a journalist right NOW.
i2p mail works just fine XD
Rayzer: I suspect the shiny gui is a venue for security risks.
How ?
Wordlife, Spencer
Not a coder so I can't supply anything more than a hunch but the graphics security end of the 'user experience' was just recently noted here: http://www.extremetech.com/computing/231820-netflix-only-streams-1080p-to-a-... IOW, if you're using any browser but MS Edge Netflix DRM coding apparently doesn't work, and many guis use browser 'parts' or... ahem, Java, to display a gui. Another example was the hacked LOIC DDoS tool so popular with anons a few years ago. You plugged in an IRC address/channel and the tool was remotely operated. By whom, and what logs were kept was, and still is, unknown. But that sort of spying is almost too crass to list as a security flaw. The users were their own worst enemies
Rr
On Tue, Jul 19, 2016 at 11:44:16AM +0300, Georgi Guninski wrote:
Instead of only bashing tor, why not discuss the alternatives and move to something allegedly better?
Great question Georgi.
Certainly some advanced attack and/or backdoor will screw them all.
For a start, I would like to know:
1. What are alternatives to tor (possibly with less functionality)?
I2P has been touted, but despite a stated intention, it still lacks the most relevant fundamental enhancement over tor: - chaff traffic (i.e. maintain e.g. a 15kibps connection to each of my direct peers, throttling and chaff-filling as needed to achieve that)
2. Is the alternative known to be in bed with shady stuff like TLAs? 3. Did they have braindamaged bugs (like debian's openssl memset())? 4. What is their security/anonymity bug history? 5. To what attacks they are known to be vulnerable? 6. To what attacks they are conjectured to be immune?
As an aside, I heard critique of Riffle: MIT are allegedly in bed with USA. Don't know if this makes sense or not.
Fundamentals of any stack for any system are:
- physical concept
  - N2N/ neighbour to neighbour vs software overlay on existing ISP based centralised "Internet" as people know it today
- hardware
  - open cores are available - but audit trails and distribution networks and more still need to be solved conceptually, before any sort of kickstarter/ community group funding
  - ability/ tools/ software for small community groups to randomly audit a random chip, circuit board, ethernet jack, etc, to verify that it conforms to a FLOSS design
- bios and firmware
  - EVERY piece of the stack MUST be FLOSS!
  - needs to be audited
- drivers
  - more FLOSS required
  - need a minimal set, to go with chosen hardware
  - needs to be audited
- network stack
  - floss of course
  - needs to be audited

Pick any level of the stack, have a think, and contribute.

My current pet thought lorenz well is the network stack - twould be good to have an analysis of available stack, comparing them re various attributes, including:
- simplicity
- dependencies - libraries, data structures
- suitability to user space operation
- what application-level APIs/ libraries would we want to target, e.g. just UDP (not TCP :), sockets, SCTP, ethernet, more?
- "flexibility"
- to what level is it field tested?

Sadly, there is much work to do before we can even begin to satisfy the Juan's of the world :/
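The chaff-traffic idea in the message above (hold each direct-peer link at a fixed rate, throttling real data and filling idle slots with chaff), as an added example that is not part of any post in this thread. The 512-byte cell size, the header layout and all names are assumptions, and link encryption is assumed but not shown.

```python
import os
import struct
from collections import deque

# Assumed parameters: the 15 kibit/s budget is the figure from the post,
# the cell size and header layout are chosen here for illustration.
RATE_BITS_PER_S = 15 * 1024
CELL_SIZE = 512
HEADER = struct.Struct("!BH")          # kind (1 = data, 0 = chaff), payload length
PAYLOAD_MAX = CELL_SIZE - HEADER.size
TICK_SECONDS = CELL_SIZE * 8 / RATE_BITS_PER_S   # one cell per tick holds the rate constant


class PaddedLink:
    """Sender side of one peer link: exactly one fixed-size cell per tick."""

    def __init__(self):
        self.queue = deque()

    def submit(self, data: bytes) -> None:
        # Throttling: application data is cut into cell payloads and waits its turn.
        for i in range(0, len(data), PAYLOAD_MAX):
            self.queue.append(data[i:i + PAYLOAD_MAX])

    def next_cell(self) -> bytes:
        # Chaff-filling: an empty queue still produces a full-size cell.
        if self.queue:
            kind, payload = 1, self.queue.popleft()
        else:
            kind, payload = 0, b""
        padding = os.urandom(PAYLOAD_MAX - len(payload))
        # Assumption: a real link encrypts the whole cell, so the header is hidden too.
        return HEADER.pack(kind, len(payload)) + payload + padding


def receive(cell: bytes) -> bytes:
    """Receiver side: drop chaff, strip padding from data cells."""
    kind, length = HEADER.unpack_from(cell)
    if kind == 0:
        return b""
    return cell[HEADER.size:HEADER.size + length]


def simulate(schedule: dict, ticks: int):
    """Run one link for `ticks` slots; schedule maps tick number -> bytes submitted then.

    Returns what a passive observer sees (time, size per cell), what the peer
    reassembles, and how many payloads are still queued at the end.
    """
    link = PaddedLink()
    wire_view, delivered = [], bytearray()
    for t in range(ticks):
        if t in schedule:
            link.submit(schedule[t])
        cell = link.next_cell()
        wire_view.append((round(t * TICK_SECONDS, 4), len(cell)))
        delivered += receive(cell)
    return wire_view, bytes(delivered), len(link.queue)


if __name__ == "__main__":
    # Constructed sample traffic: an idle link and a bursty one.
    idle_view, _, _ = simulate({}, 20)
    busy_view, got, backlog = simulate({3: b"A" * 2000, 12: b"hello"}, 20)
    print("observer sees the same trace:", idle_view == busy_view)
    print("delivered", len(got), "bytes, backlog", backlog)
    print("cells per second:", round(1 / TICK_SECONDS, 2))
```

The cost of the constant rate shows up as latency: a burst larger than one cell is spread over as many ticks as it has payloads, and anything beyond the budget stays queued.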
1. What are alternatives to tor (possibly with less functionality)?
I2P has been touted, but despite a stated intention, it still lacks the most relevant fundamental enhancement over tor: - chaff traffic (i.e. maintain e.g. a 15kibps connection to each of my direct peers, throttling and chaff-filling as needed to achieve that)
I2P is a good contender to replace hidden services, but isn't really designed to replace the routing/anonymization for access to the clearnet. Maybe JAP for that aspect? Tor has a lot of traction, I don't see anything replacing it until/unless it disappears. Any overlay network has a lot of hard yards to do to become popular, as Tor and I2P have discovered. J
On Tue, Jul 19, 2016 at 07:30:57PM +1000, Zenaan Harkness wrote:
Fundamentals of any stack for any system are:
- physical concept - N2N/ neighbour to neighbour vs software overlay on existing ISP based centralised "Internet" as people know it today
Engineer Gets Tired Of Waiting For Telecom Companies To Wire His town -- So He Does It Himself https://tech.slashdot.org/story/16/07/20/202200/engineer-gets-tired-of-waiti... THIS is the kind of thing we need more of, only with a relentless eye toward freedom and the enablement of individual control (not centralised control) over the physical network. Anyone live anywhere near this guy, to spend some hours having coffee? In general it has always been, and will always be, the grassroots individuals working together who will longer term change the world - for the better or for the worse. "Which role do I play?"
On Tue, 19 Jul 2016 11:44:16 +0300 Georgi Guninski <guninski@guninski.com> wrote:
Instead of only bashing tor, why not discuss the alternatives and move to something allegedly better?
We need to get rid of tor first. Resources wasted on tor are resources that can't be used in good projects.
Certainly some advanced attack and/or backdoor will screw them all.
For a start, I would like to know:
1. What are alternatives to tor (possibly with less functionality)? 2. Is the alternative known to be in bed with shady stuff like TLAs? 3. Did they have braindamaged bugs (like debian's openssl memset())? 4. What is their security/anonymity bug history? 5. To what attacks they are known to be vulnerable? 6. To what attacks they are conjectured to be immune?
As an aside, I heard critique of Riffle: MIT are allegedly in bed with USA. Don't know if this makes sense or not.
Of course it does. As a matter of fact tor cunts dingledine and syverson are part of mit, or part of mit projects like 'dissent'.
On Tue, Jul 19, 2016 at 2:59 PM juan <juan.g71@gmail.com> wrote:
On Tue, 19 Jul 2016 11:44:16 +0300 Georgi Guninski <guninski@guninski.com> wrote:
Instead of only bashing tor, why not discuss the alternatives and move to something allegedly better?
We need to get rid of tor first. Resources wasted on tor are resources that can't be used in good projects.
They are not your resources to redirect, but the resources expended on Tor are tiny compared to, say, Bitcoin. Or even just Ethereum. This is not a good argument, and I think it may be motivated by your own personal feelings about Tor. Which you are perfectly entitled to have, but you should not be surprised when people who do not share those feelings don't find your arguments based on them compelling.
Certainly some advanced attack and/or backdoor will screw them all.
For a start, I would like to know:
1. What are alternatives to tor (possibly with less functionality)? 2. Is the alternative known to be in bed with shady stuff like TLAs? 3. Did they have braindamaged bugs (like debian's openssl memset())? 4. What is their security/anonymity bug history? 5. To what attacks they are known to be vulnerable? 6. To what attacks they are conjectured to be immune?
As an aside, I heard critique of Riffle: MIT are allegedly in bed with USA. Don't know if this makes sense or not.
Of course it does. As a matter of fact tor cunts dingledine and syverson are part of mit, or part of mit projects like 'dissent'.
So design your own?
On Wed, 20 Jul 2016 16:51:49 +0000 Sean Lynch <seanl@literati.org> wrote:
On Tue, Jul 19, 2016 at 2:59 PM juan <juan.g71@gmail.com> wrote:
On Tue, 19 Jul 2016 11:44:16 +0300 Georgi Guninski <guninski@guninski.com> wrote:
Instead of only bashing tor, why not discuss the alternatives and move to something allegedly better?
We need to get rid of tor first. Resources wasted on tor are resources that can't be used in good projects.
They are not your resources to redirect,
No they are not mine. They belong to the people who the US gov't/military robs. No taxes no tor.
but the resources expended on Tor are tiny compared to, say, Bitcoin.
What, the pentagon puts more money on bitcoin than tor?? =)
Or even just Ethereum. This is not a good argument, and I think it may be motivated by your own personal feelings about Tor.
My feelings about tor are the logical result of basic moral principles, reasoning and bla bla bla. I am not a 10 year old girl having a fit about dressing. And actually I'd expect 10 year old kids to be smarter about authority and the establishment than any tor apologist =P Tor is criminal garbage created by the pentagon to serve their ends. It would be very weird for a libertarian anarchist (your case I think?) to believe otherwise.
Which you are perfectly entitled to have, but you should not be surprised when people who do not share those feelings don't find your arguments based on them compelling.
Come on Sean, do not take me for an idiot. My arguments are arguments. They are not based on 'feelings'. If anything the people driven by feelings, not logic and evidence, are the tor supporters.
Certainly some advanced attack and/or backdoor will screw them all.
For a start, I would like to know:
1. What are alternatives to tor (possibly with less functionality)? 2. Is the alternative known to be in bed with shady stuff like TLAs? 3. Did they have braindamaged bugs (like debian's openssl memset())? 4. What is their security/anonymity bug history? 5. To what attacks they are known to be vulnerable? 6. To what attacks they are conjectured to be immune?
As an aside, I heard critique of Riffle: MIT are allegedly in bed with USA. Don't know if this makes sense or not.
Of course it does. As a matter of fact tor cunts dingledine and syverson are part of mit, or part of mit projects like 'dissent'.
So design your own?
On July 21, 2016 5:21:04 AM EDT, juan <juan.g71@gmail.com> wrote:
On Wed, 20 Jul 2016 16:51:49 +0000 Sean Lynch <seanl@literati.org> wrote:
On Tue, Jul 19, 2016 at 2:59 PM juan <juan.g71@gmail.com> wrote:
On Tue, 19 Jul 2016 11:44:16 +0300 Georgi Guninski <guninski@guninski.com> wrote:
Instead of only bashing tor, why not discuss the alternatives and move to something allegedly better?
We need to get rid of tor first. Resources wasted on tor are resources that can't be used in good projects.
They are not your resources to redirect,
No they are not mine. They belong to the people who the US gov't/military robs. No taxes no tor.
Well, phrasing I guess, but most of the relays just belong to volunteers. I run a relay most of the time, although I don't consider it one of the top 5 or even top 10 services I maintain on that particular box... It's kind of just a half ass interesting service to fuck with occasionally. John -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
On Thu, 21 Jul 2016 06:56:56 -0400 John <jnn@synfin.org> wrote:
On July 21, 2016 5:21:04 AM EDT, juan <juan.g71@gmail.com> wrote:
On Wed, 20 Jul 2016 16:51:49 +0000 Sean Lynch <seanl@literati.org> wrote:
On Tue, Jul 19, 2016 at 2:59 PM juan <juan.g71@gmail.com> wrote:
On Tue, 19 Jul 2016 11:44:16 +0300 Georgi Guninski <guninski@guninski.com> wrote:
Instead of only bashing tor, why not discuss the alternatives and move to something allegedly better?
We need to get rid of tor first. Resources wasted on tor are resources that can't be used in good projects.
They are not your resources to redirect,
No they are not mine. They belong to the people who the US gov't/military robs. No taxes no tor.
Well, phrasing I guess, but most of the relays just belong to volunteers.
Apologies John, I really don't mean to pick on you personally. I'd point out though that the organization exists thanks to state funding. The whole thing would be rather different if all the participants were volunteers. (are all high speed nodes also run by and paid for volunteers?)
I run a relay most of the time, although I don't consider it one of the top 5 or even top 10 services I maintain on that particular box... It's kind of just a half ass interesting service to fuck with occasionally.
John
On Thu, Jul 21, 2016 at 9:05 AM juan <juan.g71@gmail.com> wrote:
On Thu, 21 Jul 2016 06:56:56 -0400 John <jnn@synfin.org> wrote:
On July 21, 2016 5:21:04 AM EDT, juan <juan.g71@gmail.com> wrote:
On Wed, 20 Jul 2016 16:51:49 +0000 Sean Lynch <seanl@literati.org> wrote:
On Tue, Jul 19, 2016 at 2:59 PM juan <juan.g71@gmail.com> wrote:
On Tue, 19 Jul 2016 11:44:16 +0300 Georgi Guninski <guninski@guninski.com> wrote:
Instead of only bashing tor, why not discuss the alternatives and move to something allegedly better?
We need to get rid of tor first. Resources wasted on tor are resources that can't be used in good projects.
They are not your resources to redirect,
No they are not mine. They belong to the people who the US gov't/military robs. No taxes no tor.
Well, phrasing I guess, but most of the relays just belong to volunteers.
Apologies John, I really don't mean to pick on you personally.
I'd point out though that the organization exists thanks to state funding. The whole thing would be rather different if all the participants were volunteers.
(are all high speed nodes also run by and paid for volunteers?)
Whatever I may think of your other beliefs about the organization, the funding model is definitely a problem. Same goes for Mozilla taking money from Google, MS, eBay, etc. Organizations building important infrastructure need to be independent.
I run a relay most of the time, although I don't consider it one of the top 5 or even top 10 services I maintain on that particular box... It's kind of just a half ass interesting service to fuck with occasionally.
John
On July 21, 2016 11:59:37 AM EDT, juan <juan.g71@gmail.com> wrote:
On Thu, 21 Jul 2016 06:56:56 -0400 John <jnn@synfin.org> wrote:
On July 21, 2016 5:21:04 AM EDT, juan <juan.g71@gmail.com> wrote:
On Wed, 20 Jul 2016 16:51:49 +0000 Sean Lynch <seanl@literati.org> wrote:
On Tue, Jul 19, 2016 at 2:59 PM juan <juan.g71@gmail.com> wrote:
On Tue, 19 Jul 2016 11:44:16 +0300 Georgi Guninski <guninski@guninski.com> wrote:
Instead of only bashing tor, why not discuss the alternatives and move to something allegedly better?
We need to get rid of tor first. Resources wasted on tor are resources that can't be used in good projects.
They are not your resources to redirect,
No they are not mine. They belong to the people who the US gov't/military robs. No taxes no tor.
Well, phrasing I guess, but most of the relays just belong to volunteers.
Apologies John, I really don't mean to pick on you personally.
I'd point out though that the organization exists thanks to state funding. The whole thing would be rather different if all the participants were volunteers.
(are all high speed nodes also run by and paid for volunteers?)
Good question, I actually don't know the answer.. I expect the relationships get pretty incestuous at the higher levels. The top 10 "public" relays are all doing in the range of 50MB/s+.... You can browse the public relays here - https://atlas.torproject.org/ For comparison, my relay, when it's up, is capped at 200KB/s. John -- Sent from my Android device with K-9 Mail. Please excuse my brevity.
As an aside, I heard critique of Riffle: MIT are allegedly in bed with USA. Don't know if this makes sense or not.
Of course it does. As a matter of fact tor cunts dingledine and syverson are part of mit, or part of mit projects like 'dissent'.
MIT is not as cohesive as people seem to think. Some groups might as well be at DARPA while others don't take military funding. The university really doesn't care. On that basis, I don't think the MIT name is enough to credit or discredit a project. You really have to look at the history of the research group. Additionally this was a grad student's project for a thesis requirement so by department policy it can't contain any confidential information.
From: Georgi Guninski <guninski@guninski.com>
To: cypherpunks@cpunks.org
Sent: Tuesday, July 19, 2016 1:44 AM
Subject: Instead of only bashing tor, why not discuss the alternatives?
Instead of only bashing tor, why not discuss the alternatives and move to something allegedly better?
Tor reminds me a bit of the Clipper chip, that brief attempt to implement a DES (56 bit key), key-escrowed chip for encrypted telephones that was tried in 1993. https://en.wikipedia.org/wiki/Clipper_chip
If the USG had simply abandoned the plan for key escrow (giving the government the keys), the world would arguably have been better off (compared to no encryption at all) for awhile if they'd implemented 56-bit DES. But, that was distasteful, in large part because it would have been a shame to build a system that was less secure than it could have been with then existing technology. However, I think the main impediment to implementing secure phones in that time frame (1993) was that it would have been necessary to transmit data rates over the POTS (Plain Old Telephone System) that weren't really practical: Modems had gotten to about 14.4kbps by then, as I recall.
Tor, likewise, should not be less secure than it could be. Multiple transfer hops (as opposed to the current one-hop), decoy (a given packet 'explodes' into multiple packets, maybe only one is 'real') transfers, padded with adjustable filler traffic, etc, should have been added by now. Why the delay?
Jim
On Thu, Jul 21, 2016 at 08:58:47AM +0000, jim bell wrote:
Tor, likewise, should not be less secure than it could be. Multiple transfer hops (as opposed to the current one-hop), decoy (a given packet 'explodes' into multiple packets, maybe only one is 'real') transfers, padded with adjustable filler traffic, etc, should have been added by now. Why the delay?
AIUI, their current stated reason is "we do those things we get funding for, and we've never been able to get funding for these particular things" - although the cynic in me can't help think that they are failing to properly apply the funding they get/ failing to make the 'proper' (perhaps semi-devious) funding applications. Of course the basic problems are: 1) GPAs/ USA monitors the whole world's internet 2) the CIA/USA/NSA is the only one currently funding Tor to any decent extent. We got a long way to go..
participants (11)
- Georgi Guninski
- Jason Richards
- jim bell
- John
- Joy
- juan
- Rayzer
- Sean Lynch
- Spencer
- stef
- Zenaan Harkness