[tor-talk] Harvard student used Tor to send bomb threats, gets caught by old-fashioned policework

tor at bitmessage.ch tor at bitmessage.ch
Tue Jan 7 16:12:24 UTC 2014


> tor at bitmessage.ch:
>> I appreciate your perspective but still think the community may still be
>> better off--including those who take the time to RTFM--by taking a harm
>> reduction approach to the RTFM-related problems you've mentioned.
>
> the fundamental problem here is that this is not a technological issue.
> it's a user issue that will, in the end, breakdown at the "rtfm" point.
> currently, the tor browser bundle has a link on the opening page which
> documents the standard tips on remaining anonymous. outside of writing
> more detailed instructions on identity correlation and linking them in
> the basic instructions, there isn't much more that can be done outside
> of discovering a technological means that makes connecting to the tor
> network itself invisible.

My point was that "this is not a technological issue" arguments sometimes
seem like "not my department" arguments. As a community, we have to decide
whether we exclusively care about the technology or whether we also care
about how easy it is for users to understand and make practical use of the
documentation that comes with it. Maybe it's not a technological issue in
the way you've framed it, but I still think it's an important issue and
hopefully something we can work toward addressing.

>
>> We may not feel sympathetic to this user's situation because of the
>> circumstances, but I hoped to point out that something similar could
>> plausibly happen to some *other* person using Tor for good that we
>> probably wouldn't want to experience the Syrian equivalent or the
>> Chinese
>> equivalent of the consequences this person now faces.
>
> the more you look at the circumstances involved, the less likely that
> is. the man who made the threat was using tor for offensive, rather than
> defensive, purposes. additionally, he was engaging in an offensive
> operation against an entity that he was personally connected to. for
> people looking to circumvent censorship, it is unlikely that they will
> be viewing any servers run by their respective oppressors while using
> the tor network. rather, they'll most likely be communicating with
> servers that are not run by their respective oppressors and, instead,
> are blocked by them. completely different scenarios.

I think the offensive/defensive framing is mostly semantics. If you're a
pro-democracy activist in China or a blogger exercising free speech in
Syria, your government probably *does* consider your work an "offensive
operation". And while you're right that something like a blogging
platform's server probably won't be run by the Syrian government in most
hypothetical "user doing good things" scenarios, we have very good
evidence that a BlueCoat device *would be* run by the Syrian government
and that Syrian citizens are directly and personally connected to that
"entity". If BlueCoat's deep packet inspection (hypothetically) got better
at identifying users in Syria relying on pluggable transports and/or
bridges to access Tor, correlation attacks roughly analogous to what
happened to this Harvard student might be possible. If something like that
actually happened to you, you might not care as much about exactly how you
were de-anonymized as the simple fact that you WERE de-anonymized. You
might even wish that Tor's community had had a stronger spirit of mutual
aid and solidarity toward all of its users, and not merely the ones who
were "smart enough." And you might wish that smart people from Tor's
community hadn't brushed you off with "rtfm" and "this is not a
technological issue."

>
>> Framing user education as an
>> important problem to solve or mitigate where possible seems like a more
>> constructive approach to me. Maybe we can't prevent all users from
>> making
>> unwise choices, but to the extent we can help more of them, I still
>> think
>> we should try.
>
> https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRouting
>
> it's there. maybe the harvard student would have been smart enough to
> figure out what it meant. maybe he wouldn't. or, like so many others,
> maybe he would have decided to role the dice anyways under the
> assumption that capture was unlikely. without the tor project
> documenting every possible way someone may get caught through their
> various uses of tor, i'm hard pressed to think of a solution to te
> problem posed by ignorant users.

I wasn't trying to suggest that a lot of great people haven't been working
very hard on user education for a very long time, or that solid
documentation and research aren't already there. But wouldn't we all be
better off if users had a better understanding of exactly how and when
they were choosing to "roll the dice"? I was suggesting that maybe we can
aspire to do better in terms of how effectively users are informed of
important, complex information that they may not initially understand.

And I think it's really sad when people from our community suggest that
Harvard students just aren't smart enough to understand the documentation.
How smart should someone have to be, exactly, and how much time should
someone have to invest in understanding it? Would an MIT student have to
be de-anonymized in a similar fashion for us to conclude that we might be
able to do more on user education? An MIT-trained programmer? An
MIT-educated cryptography researcher? Would someone like Roger or Nick
themselves have to be de-anonymized in a similar fashion before we could
conclude that user education is something that could be done more
effectively?

Where people go to school isn't a good predictor of whether people
understand technology, and it may never be possible to prevent everyone
from making mistakes while using Tor that they might regret. It's not the
easiest problem to solve, it may not have purely technical solutions, and
this student isn't a good example in a lot of ways.

But I still hope that we can try to do better helping the users we do want
to support--even the people who might not be "smart enough" right now.


>
> --
> tor-talk mailing list - tor-talk at lists.torproject.org
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
>





More information about the tor-talk mailing list