Re: [tor-talk] Tor-friendly email provider

2016-09-25 Thread Karsten N.
Hello,

> Oskar Wendel:
>> Do you have any recommendations?
> 
> https://trac.torproject.org/projects/tor/wiki/doc/EmailProvider

I don't understand the recommendation of this list for mail.ru

> BAD will lock your account later when using tor, no anon recovery
> possible

mail.ru will lock my account if I was using Tor and this is recommended
by TorProject.org for Tor users? Hmmm - 

Any comments about this recommendation? Did I misunderstand something?

Greetings
Karsten N.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk


Re: [tor-talk] Tor and Google error / CAPTCHAs.

2016-09-25 Thread blobby

Hi Alec,

Thanks for your detailed and informative response. I had never heard of 
"scraping". BTW: are you the Alec Muffett name-checked in Kevin 
Mitnick's autobiography? I assume so.


It may be of note that when I got the Google error, Amazon also required 
a CAPTCHA in order for me to login to my account. Whoever was using the 
exit node maliciously, was obviously affecting non-Google organizations 
too.


Since you used to work at Facebook (and I know you've posted on this 
list before about the FB onion address), I've a couple of questions 
based on my experiences with FB and Tor.


I'm wondering if FB (and, for that matter, other companies like Google) 
have some kind of hierarchy of "badness" of IP addresses. For example, 
for FB is an exit node "worse" than a SOCKS proxy which is "worse" than 
a VPN? I ask because I usually login to my FB via a London-based IP 
provided by my ISP. However, when I try to login to my FB account via an 
exit node with a London IP or via a SOCKS proxy with a London IP, I am 
asked to verify myself by selecting photos of my friends. I could well 
understand this if I was logging in from an IP - any type of IP - in, 
say, France but I don't really understand why a London-based IP should 
be suspicious since it matches the usual geographical login location, 
unless of course, all exit nodes and known SOCKS proxies are suspicious 
to FB irrespective of whether or not they correlate with the "normal" IP 
location of the user (in my case London).


What I am trying to ask is: how does FB (or similar organisations) 
decide that an IP is "bad" when it is in the same place as the IP that 
normally logs in to an account.


I wonder if you have any thoughts on the matter. Thanks!



On 2016-09-24 14:21, Alec Muffett wrote:

On 24 September 2016 at 13:07,  wrote:

Question: what are these people actually doing with the exit node IP that
upsets Google?

That's a good question; I don't know about Google specifically, but when I
was at Facebook the most common Tor-exit-node-related problem was called
"scraping".

Scraping was/is when people with bad intentions hid behind Tor in order to
disguise attempts to access and copy people's public pages, looking for
personal information (names, addresses, pet names, emails, anything...)
which could be correlated somehow and monetised, eg: via phone fraud or
phishing.

Tor is useful to these people because if they were making such access
attempts from a single IP address, or a single subnet, it would be easy to
track and stop them.

So "scraping", along with other/similar reasons, is why tor exit nodes have
such shitty "IP Reputation" in the tech industry.  The Tor exit nodes hide
a bunch of people who are doing scraping.

Of all the big companies in tech, Facebook probably has some of the
theoretically easiest challenges of addressing scraping - because quite a
lot of content is only available when one is "logged in" to Facebook, so
instead of blocking IP addresses Facebook instead can block _accounts_ that
scrape; however that is not a panacea and fighting scraping at Facebook is
still a _massive_ task.

By comparison Google may have an even harder challenge to combat scraping
because much of Google content is meant to be available without logging-in,
therefore Google rely more heavily upon IP-address as an identifier.

Continuing the spectrum - Cloudflare have an enormously harder challenge
than Google, because they are mostly supplying only "network-level"
services to their customers, so lack knowledge of username, userids, and
(most?) cookies that actual platform-providers might be able to use when
fighting scraping.

If you correlate this spectrum with "corporate friendliness towards Tor", I
think you will see a causative pattern emerge; Tor does great work in
enabling access to these services and platforms for people in need, but it
also serves to hide/enable scrapers and other malfeasance. To not recognise
this and instead (for example) to violently beat-up Cloudflare for
"blocking tor" serves only to entrench anti-Tor sentiment.

This is why a few months ago I wrote a blogpost[1] explaining how best I
believe to get more companies to be friendly towards Tor.

Because any amount of denial, public raging and placard-waving is not going
to help.  It needs outreach.  It needs mutual understanding and
communication of benefits.

- alec


[1]
https://www.facebook.com/notes/alec-muffett/how-to-get-a-company-or-organisation-to-implement-an-onion-site-ie-a-tor-hidden-/10153762090530962

--
http://dropsafe.crypticide.com/aboutalecm




Re: [tor-talk] Tor and Google error / CAPTCHAs.

2016-09-25 Thread Alec Muffett
On 25 September 2016 at 17:54,  wrote:

> Hi Alec,
>
> Thanks for your detailed and informative response. I had never heard of
> "scraping".


Scraping comes in many forms and with many motives and intentions - in the
previous email I managed to outline a couple, but that is no more than a
sketch of one aspect of the topic.

Scraping also raises interesting legal arguments, both pro-and-con - for
instance:

* https://en.wikipedia.org/wiki/Facebook,_Inc._v._Power_Ventures,_Inc.
* http://blog.icreon.us/web-scraping-and-you-a-legal-primer-for-one-of-its-most-useful-tools/

...and Weev:

* http://arstechnica.com/tech-policy/2012/11/internet-troll-who-exploited-att-security-flaw-faces-5-years-in-jail/

...and of course, Aaron Swartz:

* http://www.newyorker.com/tech/elements/when-programmers-scrape-by

...so when I say "many forms and with many motives and intentions", I must
acknowledge "dual use" - that some forms of scraping are benign, or are
protest, or are sharing that which perhaps should be shared.

But here, primarily, I am discussing the forms of scraping which are
third-party-based and exploitative of user data with intent to defraud; or
similar.


> BTW: are you the Alec Muffett name-checked in Kevin Mitnick's
> autobiography? I assume so.
>

Yeah, that was a long time ago. :-)



> It may be of note that when I got the Google error, Amazon also required a
> CAPTCHA in order for me to login to my account. Whoever was using the exit
> node maliciously, was obviously affecting non-Google organizations too.
>

Indeed, that's possible; in fact I should amend my previous post to point
out that "scrapers" - people who scrape - do so through many different
proxy networks, not only Tor, and also that some forms of scraping utilise
(eg:) malicious browser plugins that are installed by otherwise entirely
blameless people: victims who don't realise that their web browser is now
helping a part of some scraping outfit's infrastructure.

You ask an interesting question about "badness" of IP addresses; long story
short what you are referring to are "IP reputation databases" - which are
used by many people, for instance:


https://github.com/botherder/targetedthreats/blob/master/targetedthreats.rules

…from Claudio Guarnieri (@botherder) is a list of IP-based Snort IOC
(Indicator of Compromise) rules for civil society organisations to use.
tldr: If your organisation sees network traffic matching the list of IOCs
on your network, bad shit may be happening to you.

Speaking generally about industry rather than specifically about FB or any
other company: there are only (worst-case) 4 billion IPv4 addresses in the
world (and a few more v6) and since the average hard drive is ~1Tb nowadays
it's pretty trivial to build & share databases of how much "badness" is
measured to be emanating from any given IP address.

So that's what tends to happen: it's not (necessarily) a matter of what
kind of software the computer is running (though that is helpful to know) -
nor would it completely matter what country the computer appears to be in
(though some countries _are_ more lax about quenching bad network
neighbourliness).

Instead it's more (though not exclusively) a matter of measuring actual
observed behaviour emanating from given IP addresses.

What happens *after* such information gets collected is more interesting;
some organisations call for network "shunning" a-la redlining
(https://en.wikipedia.org/wiki/Redlining) - others enforce CAPTCHAs on IP
addresses which are known to enable scrapers.  Yet more do rate-limiting or
temporary bans.

An organisation's response to scraping seems typically the product of:

1) the technical resources at its disposal
2) its ability to distinguish scraping from non-scraping traffic
3) the benefit to the organisation of sieving-out and handling the
non-scraping traffic, rather than ignoring it all

I would argue that Facebook was the first to launch a really large onion
site by scoring highly (HHH/HMH) in all three of these categories: big
brains, actual high-signal login credentials, and a million normal people
who want to use Facebook over Tor (especially "at need").

By comparison I would estimate Google as HMM (or HML) and Cloudflare as
HLL; both companies with great people (I know many of them) but with Medium
or Low abilities to sort scraping from non-scraping, and Medium or Low
impetus to do so.

This is why corporate outreach is so important for Tor: to build awareness
and raise perception so that that third statistic becomes more important
for other companies to address.

- alec

-- 
http://dropsafe.crypticide.com/aboutalecm
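
Added example, not part of the original thread and not any company's actual system: a minimal behaviour-based IP reputation store of the kind the message above describes, with scores that decay over time and map to the graduated responses it lists (CAPTCHA, rate limiting, temporary ban). The half-life, thresholds, event weights and sample addresses are constructed assumptions.

```python
import ipaddress

HALF_LIFE_S = 6 * 3600  # assumption: observed badness halves every 6 hours
# Assumption: score thresholds for each response, checked highest first.
THRESHOLDS = [(50.0, "temp_ban"), (20.0, "rate_limit"), (5.0, "captcha")]


class IPReputation:
    """Per-IPv4 badness score built only from observed behaviour."""

    def __init__(self):
        self._db = {}  # int(ip) -> (score, time of last update)

    @staticmethod
    def _key(ip):
        # Keyed by the 32-bit address itself; geolocation plays no part.
        return int(ipaddress.IPv4Address(ip))

    def score(self, ip, now):
        score, seen = self._db.get(self._key(ip), (0.0, now))
        return score * 0.5 ** ((now - seen) / HALF_LIFE_S)

    def observe(self, ip, weight, now):
        """Record one abusive event; weight is its assumed severity."""
        self._db[self._key(ip)] = (self.score(ip, now) + weight, now)

    def decide(self, ip, now):
        current = self.score(ip, now)
        for floor, action in THRESHOLDS:
            if current >= floor:
                return action
        return "allow"


def demo():
    rep = IPReputation()
    shared_proxy, home_line = "192.0.2.10", "198.51.100.7"  # constructed
    for t in range(30):  # 30 scraping-like requests in 30 seconds
        rep.observe(shared_proxy, 1.0, now=t)
    return {
        "proxy_now": rep.decide(shared_proxy, now=29),
        "proxy_after_6h": rep.decide(shared_proxy, now=29 + HALF_LIFE_S),
        "proxy_after_18h": rep.decide(shared_proxy, now=29 + 3 * HALF_LIFE_S),
        "home_now": rep.decide(home_line, now=29),
    }


if __name__ == "__main__":
    print(demo())
```

Because the score attaches to the address, every user behind the shared address gets the same response as the client that earned it, until the score decays.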