request for general ideas related to TOR

[L&LD]

We'll agree to disagree then.

 

[heysoundude]

I thought I had. See here:


What am I failing to disclose? (Actually, I'm more interested in the generalities than the specifics atm, but these are the ones I would be most concerned about.)
I think I may have overemphasized the "sharing" aspect of it simply by mentioning it. While not identical, it's not really very different from two family members sharing the same internet connection; one being very concerned about privacy, the other couldn't care less.



Thank you for this. Helpful. I will put checking it out on my list.

Generalities - okay, good:

I think you'll come to find that eventually it's a daunting task for a SOHO network admin, and you'll be chasing your tail and having users complaining about problems trying to make your $300 router do all of what you want, and your efforts might expose yourself more than you're able to protect. The big thing is not giving away anything that can be used to profile you (each individual "you" on YOUR network/connection to the interwebz), and that means having users aware of what they are giving away, and making conscious choices to stop entirely or curtail their/those activities. I've got my extended fam communicating via Signal and Telegram and Jitsi (my IT pro cousins on the other side of the Atlantic in their former eastern bloc country were a big help with that) - they're open source, encrypted and non-FAANG...

from your sig, I see you've already chosen unbound for DNS. that's a bigger deal than most realize in terms of not being tracked/analyzed by big data.
Diversion and SkyNet are also good choices to help leak as little as possible. but what about what slips through?

I use Brave as my browser (desktop and mobile - they have fixed sync and I've always gotten better results FOR ME using DuckDuckGo), and it still catches a number of ads and trackers and blocks scripts that may harvest data...and this is just me, my devices. you'll have to educate and slowly migrate other users on your network...and that'll mean campaigning against Facebook and Insta (and WhatsApp) and snapchat and TikTok, Google/Gmail/YouTube, Microsoft/outlook/hotmail/Skype/LinkedIn, then there's Amazon...and Netflix and Spotify too and whatever other online services we have all come to enjoy, appreciate, rely on for living life in this day and age. those companies apps are DIRECT connections to them...don't forget that.

Got Netflix on your Smart TV? does it have a webcam for skype? can you get into the back end and have a peek at what they're doing? Install open source alternatives to their offerings?
what about a Ring Cam doorbell? are you sharing who comes to your door/passes by your house with the web in general? you're choosing to bust their privacy without their knowledge or consent
"Hey Alexa - Tell Jeff Bezos to turn down his headphones: the wife's a screamer"

and then there's your ISP, the main pipeline to all of that - do they log? do they have a warrant canary?
Feel protected using a commercial VPN? You might want to look a little deeper into that.
what about a DDNS tunnel? do you use one of those?
in what country are your providers (DDNS/VPN tunnels) based? are they based in the 5/9/14/20 eyes countries?

what I think may be a big deal is IPv6 - migrating your devices to prefer that kind of connection obfuscates activities in that IF someone is trying to find your particular grain of sand, the beach is that much larger, so unless they have your particular identifiers specifically...in which case all of the above becomes wonderfully helpful...especially once more people drop IPv4 and commit to v6 (that'll be a big have-have not divide in the not too distant future, I'm thinking) - get more sand on that big beach. or actually, maybe "spaghetti bowl" is a better analogy, since theoretically each device is "directly connected" to the server/device it's talking to: get more tangles happening. but that means you'll have to do it all PER DEVICE...

oy vey. see what I mean about chasing your tail?
educate your users, encourage and aid them to move away from known data absorbers, and to be mindful/protective of their activities.
something is better than nothing.

 

[garycnew]

Hi @dazedandlost

Welcome to the rabbit-hole. I have to agree that the best tool for the job really depends on what it's being used for.

Not too long ago, I wrote a Small Tutorial on Asuswrt-Merlin's implementation of Tor. It's mostly technical in nature, but should give you a basic understanding of how it can be used with Asuswrt-Merlin. Additionally, I have a tutorial on how to compile Onion-Share, which can be used for file transfers over Tor.

Hopefully, after reviewing those tutorials, you'll have a better idea whether Tor is the right tool for your current job.

BTW... Only the first letter of the acronym Tor is capitalized, per the Tor Project, and distinguishes those whom are familiar with Tor vs those whom are not.

Good Luck!


Gary

 

[bennor]

BTW... Only the first letter of the acronym Tor is capitalized, per the Tor Project, and distinguishes those whom are familiar with Tor vs those whom are not.

Well to be fair it is capitalized in the Asus-Merlin GUI.

On a serious note spelling of the name aside. Just a general anecdotal observation of Tor to add to this discussion. As a long time on and off user of the Tor (used it for years before they rolled it into the browser package). Biggest issue I've had with Tor (the browser version) in recent years is the constant CAPTCHA screens that stop the browsing until I verify I'm a human when trying to visit various websites. In my use, Tor has its uses but I don't use it everyday. YMMV and all that.

 

[dazedandlost]

You know what: These are the kinds of comments that I find extremely helpful and thought provoking. Thank you. And thank you to garycnew for the welcome and the pointers to his tutorials, which I have happily placed on my todo (aka the where did I put that anyway) list.

I am not a coder but I'm not especially afraid of coding. Some years ago, I successfully built the then current version of Linux from Scratch (which proves nothing except that I am capable of following a fairly complex recipe if it is detailed and explicit enough). I always intended to return to it. I never did, tho, because of too many competing instances of the Pareto principle and because few if any of my tuits are round. In my travels, I learned that "security is a process, not a product" and I believe that the same label could be applied to privacy.

Thank you heysoundude for your thoughtful and extensive comments and also the critique of the details in my sig; exactly what I was looking for. Much of what you said is in close harmony with my present thinking and what I am trying to do is closely similar in many cases. I don't think I will respond point by point unless you want me to, and doing so would take a while. I hope to look into Signal and Telegram and Jitsi, and practical application of ipv6, of which I have a very limited conceptual understanding, is presently beyond me.

I have had an instance of Brave running for several months but I have never made serious use of it. That is quite likely to change fairly soon when I figure out chiefly how to run Noscript on it, how significant its google origins, and also how to get the kind of granularity in control and information about what others are doing on my machine that I see at least hints of from Noscript, ublockOrigin, and, as far as browsers go, Epiphany. I also need to see Youtube running in some kind of sandbox such as what I suspect the container tabs in Firefox might provide.

Staying with the "generalities" theme, one of the last curiosities for me is what I see as the dearth of egress monitoring. This is, frankly and for reasons which I think are obvious in the overall privacy context, astounding to me. My vague and admittedly extremely limited understanding is that expensive commercial products exist but the unwashed masses are mostly excluded.

Oh, and betcha the TOR tab changes fairly soon in one of the next releases.

 

[feranick]

Because it's free, that's one main reason why its widely used. But anyone who takes the time to research TOR, and who created it, will understand that it has its potential security and privacy issues. Anyone who is serious about privacy should research paid VPN vendors, or if wanting to setup one's own VPN, look into OpenVPN and WireGuard and other self installed VPN server/client options.

TOR and VPN serve completely different purposes. TOR is to enhance anonymity, VPN is designed to protect privacy. The former allows for anonymous and untrackable access to the web but in itself does not assures privacy (intended as a way to transfer data securely between two locations under the user control). VPN does the opposite, it's absolutely not anonymous, but it allows for a secure communication, but only between two sites under the control of the user (say, to connect to a corporate network). If you use it to connect to the web in general, it will only prevent sniffing the data that is in transit, but it will do absolutely nothing to your anonymity.

 

[L&LD]

Tor doesn't enhance anonymity. Only gives the feel-goods that it does.

request for general ideas related to TOR

Ok, I admit it, I am a privacy nutcase. I recognize that privacy is hard and complex, some people may think that the available gains are not worth the effort and sometimes what a person does intending to enhance privacy actually diminishes it. I’m also not very good at it. Nevertheless, I think...

www.snbforums.com

 

[feranick]

Tor doesn't enhance anonymity. Only gives the feel-goods that it does.

request for general ideas related to TOR

Ok, I admit it, I am a privacy nutcase. I recognize that privacy is hard and complex, some people may think that the available gains are not worth the effort and sometimes what a person does intending to enhance privacy actually diminishes it. I’m also not very good at it. Nevertheless, I think...

www.snbforums.com

Please provide unbiased references to your statement.

 

[L&LD]

Logic is my reference.

What are yours?

 

[dazedandlost]

I know that not everyone agrees with me but I do not believe either privacy or anonymity are binaries, in which case both statements can be true.

 

[L&LD]

Which statements are you referring to?

 

[dazedandlost]

On rereading what I wrote, I am ashamed at how poorly I expressed what I was trying to say. I apologize. I don’t think I can repair the flaws in it in a reasonable number of words so I would prefer not to make the attempt right now.

 

[feranick]

Which statements are you referring to?

Logic alone is pointless, and therefore your point moot. You need to point to actual software auditing (or in general in unbiased scientific peer review)

 

[feranick]

Logic alone is pointless, and therefore your point moot. You need to point to actual software auditing (or in general in unbiased scientific peer review)

My point is: there is no perfect software. Tor, like any, isn't either. There are certainly well documented weaknesses, but knowledge is key for informed decisions. Tor has its merits and uses, and in conjunctions with VPN is a valuable tool. Its deployment needs to be evaluated based on the specific case study, rather than to an holistic: "Tor is bad".

 

[Mathieu]

This is a very interesting debate, which goes beyond the 'technical' or 'technological' knowledge I usually seek from this Community.

Underlying the question of Anonymity there is a moral issue: is it desirable or not? By whom? And importantly, to what purpose? (that takes us back to @Tech9 post at #5)

How could 'freedom' exist in repressive states (could say undemocratic, but 'Democracy' is another disputed concept) if its proponents cannot somehow hide from repression?
At the same time, what to do with the 'bad guys' (terrorists, child molesters etc...) who too would seek Anonimity?

And obviously, the flip side of this has to be 'Identity'.
How can you prove you are who you are, when that is needed?

So at times one wants the world to know, without a doubt, they are a uniquely identifiable person, whereas at other times, one would desire to be left alone and not be another database record (that would be sold on for a profit). And spare the scrutiny.

Definitely very interesting.

[This message was written by a human]
[Edit: clarifying]

 

[dazedandlost]

This is a very interesting debate, which goes beyond the 'technical' or 'technological' knowledge I usually seek from this Community.

Yes.

I have no doubt that many people will have very strongly held positions about this, as do I. (Un?)Fortunately, I doubt very much that SNB will be seen as the proper place for discussing those positions. So I won't.

 

[Centrifuge]

(Un?)Fortunately, I doubt very much that SNB will be seen as the proper place for discussing those positions.

Why is that? Nothing in the rules that prohibits discussions of privacy and anonymity or Tor for that matter. Basically SNB will shut you down if they don't like what you're doing.

 

[dazedandlost]

Why is that? Nothing in the rules that prohibits discussions of privacy and anonymity or Tor for that matter. Basically SNB will shut you down if they don't like what you're doing.

Thanks for the link. It seems quite clear that your interpretation is correct. Still, it doesn't seem appropriate to me right now. Maybe I'll change my opinion after I've thought about it for a while.