[Noisebridge-discuss] TOR re: Anti-piracy / anti-Pirate Bay law currently in Congress

Thomas Stowe stowe.thomas at gmail.com
Fri Aug 8 04:56:52 UTC 2014


Hi Noisebridge! I'm just taking the opportunity to well, some might say
address my being wronged (treated very poorly) via your list by one of your
members some few years ago. Personally, I'm just going to go there and say
that this is an "I Told You So!" e-mail. Because, well, some of you treated
me poorly, and well, you deserve at least that much. Maybe it's not the
most constructive choice, but well, the more people that know, the more
that I feel better. :-) Maybe I'm a bit of an egotist, but that's not
exactly insulting to me. I am superior to most people, which is why I keep
superior company for the most part. That goes with the whole
not-worth-my-time thing.

So, as the title stated, I decided to talk about it a little bit some time
ago. You made it obvious that you weren't worth discussing it with, and you
decided to make the Noisebridge-Discuss list a hostile place, which is why
I left it and won't return. It wasn't the first time I'd noticed
problematic personalities @ NB. I've included my article and a good part
our original interaction from the list archives (
https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-September/016627.html
* )*, including my "crazy, unfounded speculations" to paraphrase Jacob,
about the nature of global surveillance and our general ability to
compromise the TOR network by highlighting it's weak points. Yes, I was
right. Yes, you're a douche, and that douchery makes you a dumbass, dumbass.

Now that there're more than concepts put out there, and attacks have moved
beyond what I was doing but not publishing, I hope you realize that
sometimes, instead of going out of your way to insult people, it might be
better to do more than make remarks and sarcastic suggestions if you want
the information. Even if you think that they can't possibly be right,
because *gasp* that would make them smarter than you or make you feel
inferior.

Follow Leads. Ask Questions. I had better things to do, like try to find a
job, rather than  than point out the obvious and search for vulnerabilities
that will help, well, not me. If I'm going to do unpaid work, it'll be to
people who deserve it, or abused puppies. My health hasn't been all that
great, with dental issues and arthritis that I'm well, too poor to get
treatment for at the moment, and the same was then. I've made progress, and
have more free time, but still, not for assholes.

I felt that Jacob, of all people and those others, who like him, and
perhaps because of him, were predisposed to attack anything I'd said. And
thus not even worthy of my time. I had a couple of drinks tonight and
decided to finally get around to writing this e-mail.

Of course, I'm sure some of you were jizzing in your pants when you bought
BlackHat tickets, or perhaps you couldn't go and wanted to the research and
outcomes from the now-pulled CMU researchers. I doubt you even remembered
that interaction.

After that interaction, I wrote this. I decided to publish it about 2 years
later, as I do sometimes. I wrote up much more after discussing it with
other security-educated individuals after it was published, but I'm more
interested in watching the TOR network burn and be reborn due to it's use
by so many pedos, cybercriminals and trash. TOR will have to change in
nature and philosophy before anyone should give a fuck about it IMHO. It
won't stay relevant, mostly because the philosophy is counter-productive,
encourages "Freedom" for anyone, including those that prey upon others.
The"Digital Wild West" is argued for mostly by proponents of "A Human Right
of Privacy", and political components in nations where peoples are being
oppressed.

I agree with the latter. I've never assumed we have a right to, or that we
had, regardless of rights, Privacy. I'm privacy-agnostic whether that be
because of lexical fingerprinting algorithms, servitor-type intelligent
agents or well, design flaws, In fact, I've always known differently, for
reasons that I'm not going to disclose. You all can wonder about that. It
won't make me any money or get me a job to explain it to you, or make me
feel any better. ;)

That you didn't play nice, Jacob & Co., and reacted like a group of bipolar
shrimp, just makes you obviously gullible and perhaps a bit stupid. Hell,
that was obvious from the start given your lack of emotional intelligence.
Go work for Google, take their "Search Inside Yourself" class. You need it.

http://www.businessinsider.com/search-inside-yourself-googles-life-changing-mindfulness-course-2014-8

I made sure to space the text of this e-mail out so well, you would
actually take the time to read, this time. ^_~

I wrote this article, published and copyrighted by 2600 Magazine. Feel free
to drop me an e-mail at my 2600 e-mail addy if you doubt it. And no, it's
not a super-secret identity, I've held it since I was 16 years old, and
used it on EfNet IRC from the time I was 12. These days it's just another
of my pen names.

*My article.*

Anonymity and You, Firefox 17 Edition(Link)
<https://www.linkedin.com/redir/redirect?url=http%3A%2F%2Fstore%2E2600%2Ecom%2Fwinter20132014%2Ehtml&urlhash=LDPF&trk=prof-publication-title-link>
2600
Magazine, The Hacker Quarterly, Winter 2013-2014
by l0cke (l0cke at 2600.com)

I want to address this recent thing going on with the Firefox exploit used
to break Tor’s anonymity. Anonymity is important to have. Privacy is a
right, if not a privilege, and definitely not a privilege that can be taken
away for an arbitrary reason.


Someone had asked me years ago about how to track someone down over the
Internet at one point and I said, “Just get someone to click a link or use
an exploit like the Chinese were using with Flash to track down
dissidents.” I’m not surprised. I’ve made my opinion on it well known to
many parties and I’ve kept my mouth shut about it because at every turn
privacy activists or programmers tell me that “Tor isn’t broken and your
attempts to point out our flaws are asshattery,” whether motivated by
wanting to keep things like that secret or to comfort themselves and others
who use the service. There are many means one could use to break Tor’s
protection, including taking advantage of OS and software components or by
using analysis to make educated guesses about the location of both Tor
users and Tor services.


There is no such thing as true anonymity, though one might be able to set
up a VPN or proxy like JonDonym, or another instance of Tor, or maybe even
chain them without much, if any, technical knowledge whatsoever to prevent
vulnerabilities like this from hitting. One could also make Tor the
operating proxy for all of one’s Internet traffic on a machine or entire
network via firewall, or by using a special app that only allows traffic
through that proxy and/or VPN and disconnects any traffic outside of it
before it reaches the physical network connection - or via software on the
router/firewall that drops anything not going to Tor or whatever anonymity
service.


I’ve pointed out to many security software developers that the security of
the Tor software just isn’t there. I suggested that either there was
something in the code or something the code interacts with that was
exploitable. What it was, I don’t know. But take everything that’s
connected to software you use as an extension of that software. This recent
event proves that even more. I know people who think there are magic
services that make one anonymous. There aren’t. And with our knowledge now
of PRISM - if someone can see the traffic on both ends and just match up
timestamps and file size transfers, then guess what? You’re on candid
camera, a lead to be pursued by someone wanting to track down who received
or transferred those files or both. By files, I mean even web traffic.


Five things to take into account that aren’t being done right now in any
anonymity service:


1) No Real-Time Communication. A true anonymous service would be like old
FTPMail. It will send a request at a randomized time that has nothing to
point it back at the user. An even smarter one will send or receive traffic
at a time that’s generated based upon human psychology, i.e., no porn
requests at night or on weekends.


2) Fabricate Clues to Location. Create blocks of downtime that have no
reason because one’s downtime can show one’s location.


3) Do Like UPS. Make the anonymity node perform the request - it sends and
receives all data so that it’s not parsed by the web browser directly.
Think the way a parcel service delivers mail.


4) Sterilize All Content. Perform transforms on text - the easiest is to
translate text from an original language through several others. I’d go one
step further because this can be reversed and use a mathematically
generated dictionary or array using dictionaries, thesauri, and the like to
add even more randomness. Plus it’d look kinda crazy and reminiscent of
leetspeak. “Thee hast better not g0nn4 speek dat 2 dem, boy” for “You’d
better not tell them that,” etc.


Sterilize images, audio, video, and the like as well - at least insofar as
what created the container, any information in the images, etc. Killing
lighting and replacing it with a solid color would be good too - filters so
that someone can’t use the sunlight or stars to tell where one is based
through an image or video. Also, creating blocks over all people in images
and blocks over any visible text in any language.


Sterilize all hypertext and code - any kind of code or markup or uncommon
phrasing that might be found if reposted as a fingerprint (i.e., using
“hast” a lot in text instead of “has”) or processed by a computer like the
code that created the GET request.


5) Use or Adapt Third-Party Tools. For now, use whatever you can on top of
your anonymity services. Use NoScript and make sure that DNS requests don’t
leak. Make sure that whatever IP protocol you use is stable and doesn’t
send information to servers you request to. Don’t take a program author’s
word for anything, ever. Test against tools that benchmark and look for
those things or figure out how to test them yourself. Also, be wary of
services that may contact another server for certificates or verification -
HTTPS ends up connecting to an index to verify the certificate a site
gives. If you’re not careful, some tools can contact DNS servers you
already use. Use a plugin that makes sure that a proxy (like Tor) is always
enabled if connecting to a site. Some services, even when working, have a
big flaw: the operator. If you forget to turn on the anonymity service or
ensure that it’s running, that’s on you.


I believe that’s why TorButton is no longer a standard option in Tor.
Become a programmer in spirit if not in mind. To do any less is to invite
disaster. Learn how these things work and chances are if you think of some
new way to do something, someone else has or you can figure out how to
adapt their work to your own use.


I’d go so far as to make it impossible to easily upload or download images
via Tor, even if it means you have to kill all forms of compression or make
them readable by a “processing node” that handles the no-real-time rule as
well as sanitizing the stuff, killing all content that isn’t text or isn’t
hypertext to be sanitized and shown as a special local only-viewing-markup
in JSON or XML. That might not stop people from creating new versions of
uuencode out of text or hypertext, but it would make easy access to sending
and receiving child porn harder. ■


*Our original interaction. Note the date, then Google when the rest came
about. Years later.*
[Noisebridge-discuss] Anti-piracy / anti-Pirate Bay law currently in
Congress *Thomas Stowe* stowe.thomas at gmail.com
<https://mail.google.com/mail/?view=cm&fs=1&tf=1&to=noisebridge-discuss%40lists.noisebridge.net&su=%5BNoisebridge-discuss%5D%20Anti-piracy%20/%20anti-Pirate%20Bay%20law%0A%20currently%20in%20Congress&In-Reply-To=4CA17F65.8000005%40appelbaum.net>
*Mon Sep 27 23:04:15 PDT 2010*


   - Previous message: [Noisebridge-discuss] Anti-piracy / anti-Pirate Bay
   law currently in Congress
   <https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-September/016626.html>
   - Next message: [Noisebridge-discuss] Anti-piracy / anti-Pirate Bay law
   currently in Congress
   <https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-September/016631.html>
   - *Messages sorted by:* [ date ]
   <https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-September/date.html#16627>
    [ thread ]
   <https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-September/thread.html#16627>
    [ subject ]
   <https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-September/subject.html#16627>
    [ author ]
   <https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-September/author.html#16627>

------------------------------

Wow, the only assertion I made was that TOR is compromised and you basically
just told everyone to completely ignore what I've said. Look, I know you're
passionate about TOR and that's great - you guys made a really cool suite of
software but don't take this wrong when I say this because I don't mean it
as a personal slight. You're naive. You think that it's okay to run an exit
node and it's wrong to push people in the direction not to run exit nodes,
even in the case that they will have their computers taken and have charges
pending against them and be forced to spend money out of pocket to promote
anonymity. That's a dream that we all have - no consequences. The reality is
that things do happen to people and I don't really care if the guy from
Germany became a developer for TOR after he had gone through hell with the
law. The relevant fact is, he did go through hell with the law and everyone
sane looking out for their own survival should consider that not running an
exit node would be and is a good decision. It's stupid to endanger yourself
for a cause that's dead before it's gotten off the ground. Personally, I'm
not going to a privacy-martyr and I don't think anyone else should ever
consider it. Are you saying that with the TOR code not being compromised
that it equates to saftey? Can't TOR developers find users causing problems
or possibly a law enforcement exit-node honeypot set up to be used to catch
users causing problems? With encryption export laws, current attitudes of
law and requests made to companies and groups dealing in security by
governments, are we wrong to hold the TOR network suspect because we don't
understand or haven't looked at the source code? I believe your statement
regarding that there is no backdoor but I still won't take your word for it
and I honestly don't have the time to look over the code or search for
novel, new exploits that have yet to be found that would reveal TOR users'
identities. I didn't state that there is one, I said that there I don't
trust it and there might possibly be one. That's an opinion, logically based
upon other events that are ongoing in global use of the Internet and
technologies. <sarcasm on> But you're right, "TOR anonymity" is more
important than my possible legal fees or spending a week in jail until it's
figured out that it wasn't me accessing whatever it was that I could be
arrested for. <sarcasm off>. But then again because you refuted me by
stating that everything I stated was bullshit and of course you proved your
point by stating you're a TOR dev so you must be right by way of having
authority on the subject. I don't find you to be objective in your
criticism, but "that's only my opinion" based upon you being a dev and how
passionate you seem to be. If I was going to make a claim like "it's
backdoored", I would've posted code to back it up and not speculated based
upon many other things in the world. It's not as if our government were
capable on spying on all of us if they wanted in many ways, is it? :P I'd
say my statements are correct, sane and hold the best interest of TOR users
who might run an exit node first and the EFF and their "campaign for
privacy" second but really showed that I care for both.


I sometimes wonder if people think that poking fun at my signature or
stating that it's idiotic means a damned thing beyond that they were pretty
much mentally masturbating to the fact that they could insult the fact that
I have it in my e-mails. Glad I could help you get off. It's not so much an
ice-breaker to me as one might think as it is a tell of where your mind is
and where you come from that you'd waste energy and time on it.

On Tue, Sep 28, 2010 at 12:38 AM, Jacob Appelbaum <jacob at
appelbaum.net <https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss>>wrote:

>* On 09/27/2010 10:31 PM, Ronald Cotoni wrote:
*>* > I am sure you are right that TOR has been compromised.  I would suggest
*>* > taking a look at the source
http://www.torproject.org/download.html.en.
<http://www.torproject.org/download.html.en.>
*>*  You
*>* > can download it there and then confirm or deny this.  It should be fairly
*>* > trivial for you to do this.  A lot of other projects are open source as
*>* well
*>* > that you can use for encryption on top of tor (a vpn service over tor for
*>* > example if you are super paranoid)
*>>* Yes, feel free to audit Tor - we'd love to hear about any bugs or issues
*>* that you've found.
*>>* >
*>* > Other than that you are right, you
*>* > should NEVER do something that you wouldn't do in the open over tor or
*>* any
*>* > other service.  It is just douchy and well wrong.
*>>* What? He's basically incorrect in everything that he's said - he knows
*>* basically nothing on the topic, offers no evidence, makes tons of bogus
*>* assertions, and then encourages people to stop helping. WTF?
*>>* There are lots of reasons to use Tor:
*>* https://www.torproject.org/torusers.html.en
<https://www.torproject.org/torusers.html.en>
*>>* All the best,
*>* Jake
*>* _______________________________________________
*>* Noisebridge-discuss mailing list
*>* Noisebridge-discuss at lists.noisebridge.net
<https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss>
*>* https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss
<https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss>
*>-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://www.noisebridge.net/pipermail/noisebridge-discuss/attachments/20100928/90afca5a/attachment.htm

------------------------------


   - Previous message: [Noisebridge-discuss] Anti-piracy / anti-Pirate Bay
   law currently in Congress
   <https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-September/016626.html>
   - Next message: [Noisebridge-discuss] Anti-piracy / anti-Pirate Bay law
   currently in Congress
   <https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-September/016631.html>
   - *Messages sorted by:* [ date ]
   <https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-September/date.html#16627>
    [ thread ]
   <https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-September/thread.html#16627>
    [ subject ]
   <https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-September/subject.html#16627>
    [ author ]
   <https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-September/author.html#16627>

------------------------------
More information about the Noisebridge-discuss mailing list
<https://www.noisebridge.net/mailman/listinfo/noisebridge-discuss>


Regards,

Tom





Phone (Mobile, SMS & Voice Mail): +1 (210) 704-7289

E-Mail/GChat/Live: stowe.thomas at gmail.com

Skype: ThomasStowe

Social Accounts: Facebook <http://www.facebook.com/thomascstowe> & LinkedIn
<http://www.linkedin.com/profile/view?id=47613162&trk=tab_pro> & Twitter
<http://www.twitter.com/readhere>

Web Presence: Portfolio / Resume <http://www.thomasstowe.info/>


[image: http://]

[image: http://]about.me/tstowe
  <http://about.me/tstowe>





A conscience reminder to unintended recipients of this e-mail: The
information transmitted in this communication is intended only for the
person or entity to which it is addressed and may contain confidential
and/or privileged information. Any review, re-transmission, dissemination,
copying or other use of, or taking of any action in reliance upon,
this information, or any part thereof, by persons or entities other than
the intended recipient, is strictly prohibited and may be unlawful.
Furthermore, this material may be copyrighted and any type of publishing of
such without being the rights-holder or written permission by
the rights-holder is forbidden by US and some International laws. If you
received this in error, please contact the sender immediately and please
destroy this communication and all copies thereof, including all
attachments.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://www.noisebridge.net/pipermail/noisebridge-discuss/attachments/20140807/9487ff50/attachment.html>


More information about the Noisebridge-discuss mailing list