[Noisebridge-discuss] TOR re: Anti-piracy / anti-Pirate Bay law currently in Congress

Jeffrey Carl Faden jeffreyatw at gmail.com
Fri Aug 8 16:14:07 UTC 2014


EXCEEDINGLY VERBOSE, DECLINED TO PERUSE


On Thu, Aug 7, 2014 at 9:56 PM, Thomas Stowe <stowe.thomas at gmail.com> wrote:

> Hi Noisebridge! I'm just taking the opportunity to well, some might say
> address my being wronged (treated very poorly) via your list by one of your
> members some few years ago. Personally, I'm just going to go there and say
> that this is an "I Told You So!" e-mail. Because, well, some of you treated
> me poorly, and well, you deserve at least that much. Maybe it's not the
> most constructive choice, but well, the more people that know, the more
> that I feel better. :-) Maybe I'm a bit of an egotist, but that's not
> exactly insulting to me. I am superior to most people, which is why I keep
> superior company for the most part. That goes with the whole
> not-worth-my-time thing.
>
> So, as the title stated, I decided to talk about it a little bit some time
> ago. You made it obvious that you weren't worth discussing it with, and you
> decided to make the Noisebridge-Discuss list a hostile place, which is why
> I left it and won't return. It wasn't the first time I'd noticed
> problematic personalities @ NB. I've included my article and a good part of
> our original interaction from the list archives (
> https://www.noisebridge.net/pipermail/noisebridge-discuss/2010-September/016627.html
> ), including my "crazy, unfounded speculations" to paraphrase Jacob,
> about the nature of global surveillance and our general ability to
> compromise the TOR network by highlighting its weak points. Yes, I was
> right. Yes, you're a douche, and that douchery makes you a dumbass, dumbass.
>
> Now that there're more than concepts put out there, and attacks have moved
> beyond what I was doing but not publishing, I hope you realize that
> sometimes, instead of going out of your way to insult people, it might be
> better to do more than make remarks and sarcastic suggestions if you want
> the information. Even if you think that they can't possibly be right,
> because *gasp* that would make them smarter than you or make you feel
> inferior.
>
> Follow Leads. Ask Questions. I had better things to do, like try to find a
> job, rather than point out the obvious and search for vulnerabilities
> that will help, well, not me. If I'm going to do unpaid work, it'll be to
> people who deserve it, or abused puppies. My health hasn't been all that
> great, with dental issues and arthritis that I'm well, too poor to get
> treatment for at the moment, and the same was then. I've made progress, and
> have more free time, but still, not for assholes.
>
> I felt that Jacob, of all people and those others, who like him, and
> perhaps because of him, were predisposed to attack anything I'd said. And
> thus not even worthy of my time. I had a couple of drinks tonight and
> decided to finally get around to writing this e-mail.
>
> Of course, I'm sure some of you were jizzing in your pants when you bought
> BlackHat tickets, or perhaps you couldn't go and wanted to the research and
> outcomes from the now-pulled CMU researchers. I doubt you even remembered
> that interaction.
>
> After that interaction, I wrote this. I decided to publish it about 2
> years later, as I do sometimes. I wrote up much more after discussing it
> with other security-educated individuals after it was published, but I'm
> more interested in watching the TOR network burn and be reborn due to its
> use by so many pedos, cybercriminals and trash. TOR will have to change in
> nature and philosophy before anyone should give a fuck about it IMHO. It
> won't stay relevant, mostly because the philosophy is counter-productive,
> encourages "Freedom" for anyone, including those that prey upon others.
> The "Digital Wild West" is argued for mostly by proponents of "A Human Right
> of Privacy", and political components in nations where peoples are being
> oppressed.
>
> I agree with the latter. I've never assumed we have a right to, or that we
> had, regardless of rights, Privacy. I'm privacy-agnostic whether that be
> because of lexical fingerprinting algorithms, servitor-type intelligent
> agents or well, design flaws. In fact, I've always known differently, for
> reasons that I'm not going to disclose. You all can wonder about that. It
> won't make me any money or get me a job to explain it to you, or make me
> feel any better. ;)
>
> That you didn't play nice, Jacob & Co., and reacted like a group of
> bipolar shrimp, just makes you obviously gullible and perhaps a bit stupid.
> Hell, that was obvious from the start given your lack of emotional
> intelligence. Go work for Google, take their "Search Inside Yourself"
> class. You need it.
>
>
> http://www.businessinsider.com/search-inside-yourself-googles-life-changing-mindfulness-course-2014-8
>
> I made sure to space the text of this e-mail out so well, you would
> actually take the time to read, this time. ^_~
>
> I wrote this article, published and copyrighted by 2600 Magazine. Feel
> free to drop me an e-mail at my 2600 e-mail addy if you doubt it. And no,
> it's not a super-secret identity, I've held it since I was 16 years old,
> and used it on EfNet IRC from the time I was 12. These days it's just
> another of my pen names.
>
> *My article.*
>
> Anonymity and You, Firefox 17 Edition
> <http://store.2600.com/winter20132014.html>
> 2600 Magazine, The Hacker Quarterly, Winter 2013-2014
> by l0cke (l0cke at 2600.com)
>
> I want to address this recent thing going on with the Firefox exploit used
> to break Tor’s anonymity. Anonymity is important to have. Privacy is a
> right, if not a privilege, and definitely not a privilege that can be taken
> away for an arbitrary reason.
>
>
> Someone had asked me years ago about how to track someone down over the
> Internet at one point and I said, “Just get someone to click a link or use
> an exploit like the Chinese were using with Flash to track down
> dissidents.” I’m not surprised. I’ve made my opinion on it well known to
> many parties and I’ve kept my mouth shut about it because at every turn
> privacy activists or programmers tell me that “Tor isn’t broken and your
> attempts to point out our flaws are asshattery,” whether motivated by
> wanting to keep things like that secret or to comfort themselves and others
> who use the service. There are many means one could use to break Tor’s
> protection, including taking advantage of OS and software components or by
> using analysis to make educated guesses about the location of both Tor
> users and Tor services.
>
>
> There is no such thing as true anonymity, though one might be able to set
> up a VPN or proxy like JonDonym, or another instance of Tor, or maybe even
> chain them without much, if any, technical knowledge whatsoever to prevent
> vulnerabilities like this from hitting. One could also make Tor the
> operating proxy for all of one’s Internet traffic on a machine or entire
> network via firewall, or by using a special app that only allows traffic
> through that proxy and/or VPN and disconnects any traffic outside of it
> before it reaches the physical network connection - or via software on the
> router/firewall that drops anything not going to Tor or whatever anonymity
> service.
>
>
> I’ve pointed out to many security software developers that the security of
> the Tor software just isn’t there. I suggested that either there was
> something in the code or something the code interacts with that was
> exploitable. What it was, I don’t know. But take everything that’s
> connected to software you use as an extension of that software. This recent
> event proves that even more. I know people who think there are magic
> services that make one anonymous. There aren’t. And with our knowledge now
> of PRISM - if someone can see the traffic on both ends and just match up
> timestamps and file size transfers, then guess what? You’re on candid
> camera, a lead to be pursued by someone wanting to track down who received
> or transferred those files or both. By files, I mean even web traffic.
>
>
> Five things to take into account that aren’t being done right now in any
> anonymity service:
>
>
> 1) No Real-Time Communication. A true anonymous service would be like old
> FTPMail. It will send a request at a randomized time that has nothing to
> point it back at the user. An even smarter one will send or receive traffic
> at a time that’s generated based upon human psychology, i.e., no porn
> requests at night or on weekends.
>
>
> 2) Fabricate Clues to Location. Create blocks of downtime that have no
> reason because one’s downtime can show one’s location.
>
>
> 3) Do Like UPS. Make the anonymity node perform the request - it sends
> and receives all data so that it’s not parsed by the web browser directly.
> Think the way a parcel service delivers mail.
>
>
> 4) Sterilize All Content. Perform transforms on text - the easiest is to
> translate text from an original language through several others. I’d go one
> step further because this can be reversed and use a mathematically
> generated dictionary or array using dictionaries, thesauri, and the like to
> add even more randomness. Plus it’d look kinda crazy and reminiscent of
> leetspeak. “Thee hast better not g0nn4 speek dat 2 dem, boy” for “You’d
> better not tell them that,” etc.
>
>
> Sterilize images, audio, video, and the like as well - at least insofar as
> what created the container, any information in the images, etc. Killing
> lighting and replacing it with a solid color would be good too - filters so
> that someone can’t use the sunlight or stars to tell where one is based
> through an image or video. Also, creating blocks over all people in images
> and blocks over any visible text in any language.
>
>
> Sterilize all hypertext and code - any kind of code or markup or uncommon
> phrasing that might be found if reposted as a fingerprint (i.e., using
> “hast” a lot in text instead of “has”) or processed by a computer like the
> code that created the GET request.
>
>
> 5) Use or Adapt Third-Party Tools. For now, use whatever you can on top
> of your anonymity services. Use NoScript and make sure that DNS requests
> don’t leak. Make sure that whatever IP protocol you use is stable and
> doesn’t send information to servers you request to. Don’t take a program
> author’s word for anything, ever. Test against tools that benchmark and
> look for those things or figure out how to test them yourself. Also, be
> wary of services that may contact another server for certificates or
> verification - HTTPS ends up connecting to an index to verify the
> certificate a site gives. If you’re not careful, some tools can contact DNS
> servers you already use. Use a plugin that makes sure that a proxy (like
> Tor) is always enabled if connecting to a site. Some services, even when
> working, have a big flaw: the operator. If you forget to turn on the
> anonymity service or ensure that it’s running, that’s on you.
>
>
> I believe that’s why TorButton is no longer a standard option in Tor.
> Become a programmer in spirit if not in mind. To do any less is to invite
> disaster. Learn how these things work and chances are if you think of some
> new way to do something, someone else has or you can figure out how to
> adapt their work to your own use.
>
>
> I’d go so far as to make it impossible to easily upload or download images
> via Tor, even if it means you have to kill all forms of compression or make
> them readable by a “processing node” that handles the no-real-time rule as
> well as sanitizing the stuff, killing all content that isn’t text or isn’t
> hypertext to be sanitized and shown as a special local only-viewing-markup
> in JSON or XML. That might not stop people from creating new versions of
> uuencode out of text or hypertext, but it would make easy access to sending
> and receiving child porn harder. ■
>
>
> *Our original interaction. Note the date, then Google when the rest came
> about. Years later.*
> [Noisebridge-discuss] Anti-piracy / anti-Pirate Bay law currently in
> Congress
> *Thomas Stowe* stowe.thomas at gmail.com
> *Mon Sep 27 23:04:15 PDT 2010*
>
>
>
> Wow, the only assertion I made was that TOR is compromised and you basically
> just told everyone to completely ignore what I've said. Look, I know you're
> passionate about TOR and that's great - you guys made a really cool suite of
> software but don't take this wrong when I say this because I don't mean it
> as a personal slight. You're naive. You think that it's okay to run an exit
> node and it's wrong to push people in the direction not to run exit nodes,
> even in the case that they will have their computers taken and have charges
> pending against them and be forced to spend money out of pocket to promote
> anonymity. That's a dream that we all have - no consequences. The reality is
> that things do happen to people and I don't really care if the guy from
> Germany became a developer for TOR after he had gone through hell with the
> law. The relevant fact is, he did go through hell with the law and everyone
> sane looking out for their own survival should consider that not running an
> exit node would be and is a good decision. It's stupid to endanger yourself
> for a cause that's dead before it's gotten off the ground. Personally, I'm
> not going to be a privacy-martyr and I don't think anyone else should ever
> consider it. Are you saying that with the TOR code not being compromised
> that it equates to safety? Can't TOR developers find users causing problems
> or possibly a law enforcement exit-node honeypot set up to be used to catch
> users causing problems? With encryption export laws, current attitudes of
> law and requests made to companies and groups dealing in security by
> governments, are we wrong to hold the TOR network suspect because we don't
> understand or haven't looked at the source code? I believe your statement
> regarding that there is no backdoor but I still won't take your word for it
> and I honestly don't have the time to look over the code or search for
> novel, new exploits that have yet to be found that would reveal TOR users'
> identities. I didn't state that there is one, I said that I don't
> trust it and there might possibly be one. That's an opinion, logically based
> upon other events that are ongoing in global use of the Internet and
> technologies. <sarcasm on> But you're right, "TOR anonymity" is more
> important than my possible legal fees or spending a week in jail until it's
> figured out that it wasn't me accessing whatever it was that I could be
> arrested for. <sarcasm off>. But then again because you refuted me by
> stating that everything I stated was bullshit and of course you proved your
> point by stating you're a TOR dev so you must be right by way of having
> authority on the subject. I don't find you to be objective in your
> criticism, but "that's only my opinion" based upon you being a dev and how
> passionate you seem to be. If I was going to make a claim like "it's
> backdoored", I would've posted code to back it up and not speculated based
> upon many other things in the world. It's not as if our government were
> capable of spying on all of us if they wanted in many ways, is it? :P I'd
> say my statements are correct, sane and hold the best interest of TOR users
> who might run an exit node first and the EFF and their "campaign for
> privacy" second but really showed that I care for both.
>
>
> I sometimes wonder if people think that poking fun at my signature or
> stating that it's idiotic means a damned thing beyond that they were pretty
> much mentally masturbating to the fact that they could insult the fact that
> I have it in my e-mails. Glad I could help you get off. It's not so much an
> ice-breaker to me as one might think as it is a tell of where your mind is
> and where you come from that you'd waste energy and time on it.
>
> On Tue, Sep 28, 2010 at 12:38 AM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>
> > On 09/27/2010 10:31 PM, Ronald Cotoni wrote:
> > > I am sure you are right that TOR has been compromised.  I would suggest
> > > taking a look at the source http://www.torproject.org/download.html.en.  You
> > > can download it there and then confirm or deny this.  It should be fairly
> > > trivial for you to do this.  A lot of other projects are open source as well
> > > that you can use for encryption on top of tor (a vpn service over tor for
> > > example if you are super paranoid)
> >
> > Yes, feel free to audit Tor - we'd love to hear about any bugs or issues
> > that you've found.
> >
> > > Other than that you are right, you
> > > should NEVER do something that you wouldn't do in the open over tor or any
> > > other service.  It is just douchy and well wrong.
> >
> > What? He's basically incorrect in everything that he's said - he knows
> > basically nothing on the topic, offers no evidence, makes tons of bogus
> > assertions, and then encourages people to stop helping. WTF?
> >
> > There are lots of reasons to use Tor:
> > https://www.torproject.org/torusers.html.en
> >
> > All the best,
> > Jake
>
>
> Regards,
>
> Tom
>
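The 2600 article quoted above recommends dropping anything that is not routed through Tor, making sure DNS requests don't leak, and testing this yourself rather than taking a program author's word for it. As an added example (not part of the original thread or the article), the script below audits outbound connection records against that policy; the record format, the sample lines, and the local ports 9050/9150/5353 are assumptions about a local setup.

```python
import ipaddress
import re
from collections import namedtuple

# Assumed local setup (not from the article): Tor SOCKS listeners on
# 9050/9150 and a local Tor DNSPort on 5353.
TOR_LOCAL_PORTS = {9050, 9150, 5353}
TOR_PROCESS = "tor"  # a real firewall would match the daemon's UID, not a name

Flow = namedtuple("Flow", "proto dst_ip dst_port process")
Finding = namedtuple("Finding", "kind flow")

# Constructed record format: "<proto> <src> -> <dst> <process>"
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+->\s+(?P<dst>\S+)\s+(?P<proc>\S+)$"
)

def parse_flow(line):
    """Parse one record; return None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    host, _, port = m.group("dst").rpartition(":")
    try:
        ip = ipaddress.ip_address(host.strip("[]"))  # brackets wrap IPv6
        return Flow(m.group("proto"), ip, int(port), m.group("proc"))
    except ValueError:
        return None

def classify(flow):
    """Apply the 'everything goes through the anonymity proxy' policy."""
    if flow.dst_ip.is_loopback and flow.dst_port in TOR_LOCAL_PORTS:
        return "ok-via-tor"       # application talking to the local proxy
    if flow.process == TOR_PROCESS and flow.proto == "tcp":
        return "ok-tor-daemon"    # the daemon reaching its relays
    if flow.dst_port == 53:
        return "dns-leak"         # name lookup that bypassed the proxy
    return "direct-leak"          # any other traffic outside the proxy

def audit(lines):
    """Return (findings, unparsed). Unparsed records are reported, not ignored."""
    findings, unparsed = [], []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        if flow is None:
            unparsed.append(line.strip())
            continue
        kind = classify(flow)
        if not kind.startswith("ok"):
            findings.append(Finding(kind, flow))
    return findings, unparsed

# Constructed sample records (documentation address ranges, not real hosts).
SAMPLE_FLOWS = """
tcp 127.0.0.1:40112 -> 127.0.0.1:9150 firefox
udp 192.168.1.20:51515 -> 192.168.1.1:53 firefox
tcp 192.168.1.20:44321 -> 198.51.100.7:9001 tor
tcp 192.168.1.20:44400 -> 203.0.113.10:80 firefox
udp [::1]:40000 -> [::1]:5353 firefox
tcp 192.168.1.20:44500 -> 203.0.113.53:53 updater
garbage line
"""

if __name__ == "__main__":
    found, bad = audit(SAMPLE_FLOWS.splitlines())
    for f in found:
        print(f.kind, f.flow.process, f.flow.dst_ip, f.flow.dst_port)
    print("unparsed:", bad)
```

The direct connection to port 80 in the sample is the kind of out-of-band request the article warns about when a client verifies a certificate outside the proxy.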