dark web briefest intro - was Re: educate me Please

Zenaan Harkness zen at freedbms.net
Fri Jul 21 18:26:57 PDT 2017


----- Forwarded message from Zenaan Harkness <zen at freedbms.net> -----
> Hi Zee, What is the reality of this dark web?   If it doesn't show
> on Google, then how can you find it?
...

As to the dark web - it certainly exists. As we see on the news,
every 2 or 4 years the authorities take down one or other of the
largest dark web "market place" websites - so evidently these
places attract a lot of people.

And then there are the smaller sites they take down which usually
don't hit the front page of the news.

There are all sorts of dark web sites - market places, forums, simple
websites, ssh gateways (apparently a lot of people access their
normal web servers over ssh), and apparently a lot of ways to slip up
for those doing something illegal - and Tor is designed so that the
large state-level authorities can pretty much always uncover someone
if that's what they want to do; Tor is not secure against GPAs
(Global Passive Adversaries), and is absolutely not secure against an
active adversary.

One of the key features that the Tor company/group has never
implemented is a chaff-filled network - that is, you specify "I want to
allocate 100 KB/s to my node, and I want that divided equally amongst
my outward connections, and any peer node that 'randomly drops'
packets, becomes less trusted by me".

I asked the devs directly (or someone else did, can't remember for
sure), and the reason came back "our funding proposals for this
feature have never been approved" - which makes sense, since the CIA,
DIA, DOD and NSA fund the creation of the Tor network, they don't
want to fund features which make it much harder for them to uncloak
users they are targeting.

A volunteer could also try to implement this feature, but it's a lot
of work, and even the I2P folks have not yet even tried to implement
it.


So, even if you were researching data/info for a book you are
writing, you really need to spend a lot of time reading about the
security aspects, to find out what can give you even a small modicum
of "reasonable plausible deniability" for your research activities.

For example:

 - run an exit node (carries its own risks, but one of the better
   ways to achieve plausible deniability) at home

 - alternatively, or in addition, configure your node as a bridge/
   Tor-network entry node, and invite a handful of friends to use it
   as their gateway to the Tor network (the alternative, if you
   don't run your own node, is that Tor browser picks a random node
   to use to enter the Tor network, and there's a damn good chance
   the CIA or FBI are running that node)

 - don't run Tor browser on Windows

 - don't run Windows of any version

 - learn Qubes OS or Tails OS and use that

 - experiment for a few months with something completely innocuous -
   running a website promoting information about Marijuana or
   something, and once you're comfortable, then move on to something
   more innocuous

 - if you choose to run a Tor node (can increase the security, can
   reduce it if you stuff up the config) there are plenty of folks on
   the Tor mailing lists who will answer questions, and plenty of
   links to read to Stay Safe (C)(R)

 - if you intend to run a dark web website that some authorities
   really would not like - say e.g. promoting homosexuality to the
   Saudis - then you should really be running your own ISP with
   multiple internet links (e.g. Telstra and Optus), so that any
   virtual servers you link into the dark web are relatively robust;
   then, never allow your website to get too popular - keep it to a
   very manageable number of invitees - never make your invites over
   the clear net (normal internet); only invite truly trusted friends
   in person, face to face, with mobile phones turned off and out of
   reach of all recording devices (including of course, all phones);
   to invite random people, do so on a dark web forum only.

 - if you're going to run a dark web website, you really, really,
   really need to know how to configure firewalling, web server,
   https certificates, ssh for admin access etc etc, in such a way as
   to be truly, actually, secure, if there's any chance your website
   is going to be targeted by the local authorities from your own
   jurisdiction, you need to not make even 1 single mistake - that
   mistake will bring you undone!

Good luck :)
Zen

----- End forwarded message -----
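
The chaff-filled link idea described in the message, as an added Python sketch that is not part of the original post and is not Tor or I2P code. The class and function names, the 512-byte cell size, the one-second tick and the multiplicative trust penalty are all assumptions made for illustration.

```python
import os
from collections import deque

CELL = 512  # assumed fixed cell size in bytes


class ChaffLinkNode:
    """Toy model of one node with constant-rate, chaff-filled outward links."""

    def __init__(self, budget_bytes_per_s, peers):
        self.peers = list(peers)
        # Split the bandwidth budget equally among outward connections.
        self.cells_per_tick = (budget_bytes_per_s // len(self.peers)) // CELL
        self.queues = {p: deque() for p in self.peers}
        self.trust = {p: 1.0 for p in self.peers}

    def enqueue(self, peer, payload):
        """Cut real traffic into zero-padded cells and queue it for one link."""
        for i in range(0, len(payload), CELL):
            self.queues[peer].append(payload[i:i + CELL].ljust(CELL, b"\0"))

    def tick(self):
        """Emit exactly cells_per_tick cells per link for one 1-second tick."""
        sent = {}
        for p in self.peers:
            q = self.queues[p]
            # Real cells go first; the rest of the slot budget is random chaff.
            sent[p] = [("data", q.popleft()) if q else ("chaff", os.urandom(CELL))
                       for _ in range(self.cells_per_tick)]
        return sent

    def observe(self, peer, cells_received):
        """A peer owes the same fixed rate back; any shortfall costs it trust."""
        shortfall = max(0, self.cells_per_tick - cells_received)
        self.trust[peer] *= 1 - shortfall / self.cells_per_tick
        return self.trust[peer]


def wire_view(sent):
    """Bytes per link, which is all a passive observer can count
    (cell contents are assumed to be encrypted on the wire)."""
    return {p: sum(len(cell) for _, cell in cells) for p, cells in sent.items()}
```

With a 100 KB/s budget over four links, `wire_view` returns the same byte count per link whether the node is idle or carrying real traffic, which is the property that removes volume and timing signals from a passive observer's view.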

