> [email protected]: >> I appreciate your perspective but still think the community may still be >> better off--including those who take the time to RTFM--by taking a harm >> reduction approach to the RTFM-related problems you've mentioned. > > the fundamental problem here is that this is not a technological issue. > it's a user issue that will, in the end, breakdown at the "rtfm" point. > currently, the tor browser bundle has a link on the opening page which > documents the standard tips on remaining anonymous. outside of writing > more detailed instructions on identity correlation and linking them in > the basic instructions, there isn't much more that can be done outside > of discovering a technological means that makes connecting to the tor > network itself invisible.
My point was that "this is not a technological issue" arguments sometimes seem like "not my department" arguments. As a community, we have to decide whether we exclusively care about the technology or whether we also care about how easy it is for users to understand and make practical use of the documentation that comes with it. Maybe it's not a technological issue in the way you've framed it, but I still think it's an important issue and hopefully something we can work toward addressing. > >> We may not feel sympathetic to this user's situation because of the >> circumstances, but I hoped to point out that something similar could >> plausibly happen to some *other* person using Tor for good that we >> probably wouldn't want to experience the Syrian equivalent or the >> Chinese >> equivalent of the consequences this person now faces. > > the more you look at the circumstances involved, the less likely that > is. the man who made the threat was using tor for offensive, rather than > defensive, purposes. additionally, he was engaging in an offensive > operation against an entity that he was personally connected to. for > people looking to circumvent censorship, it is unlikely that they will > be viewing any servers run by their respective oppressors while using > the tor network. rather, they'll most likely be communicating with > servers that are not run by their respective oppressors and, instead, > are blocked by them. completely different scenarios. I think the offensive/defensive framing is mostly semantics. If you're a pro-democracy activist in China or a blogger exercising free speech in Syria, your government probably *does* consider your work an "offensive operation". And while you're right that something like a blogging platform's server probably won't be run by the Syrian government in most hypothetical "user doing good things" scenarios, we have very good evidence that a BlueCoat device *would be* run by the Syrian government and that Syrian citizens are directly and personally connected to that "entity". If BlueCoat's deep packet inspection (hypothetically) got better at identifying users in Syria relying on pluggable transports and/or bridges to access Tor, correlation attacks roughly analogous to what happened to this Harvard student might be possible. If something like that actually happened to you, you might not care as much about exactly how you were de-anonymized as the simple fact that you WERE de-anonymized. You might even wish that Tor's community had had a stronger spirit of mutual aid and solidarity toward all of its users, and not merely the ones who were "smart enough." And you might wish that smart people from Tor's community hadn't brushed you off with "rtfm" and "this is not a technological issue." > >> Framing user education as an >> important problem to solve or mitigate where possible seems like a more >> constructive approach to me. Maybe we can't prevent all users from >> making >> unwise choices, but to the extent we can help more of them, I still >> think >> we should try. > > https://www.torproject.org/docs/faq.html.en#AttacksOnOnionRouting > > it's there. maybe the harvard student would have been smart enough to > figure out what it meant. maybe he wouldn't. or, like so many others, > maybe he would have decided to role the dice anyways under the > assumption that capture was unlikely. without the tor project > documenting every possible way someone may get caught through their > various uses of tor, i'm hard pressed to think of a solution to te > problem posed by ignorant users. I wasn't trying to suggest that a lot of great people haven't been working very hard on user education for a very long time, or that solid documentation and research aren't already there. But wouldn't we all be better off if users had a better understanding of exactly how and when they were choosing to "roll the dice"? I was suggesting that maybe we can aspire to do better in terms of how effectively users are informed of important, complex information that they may not initially understand. And I think it's really sad when people from our community suggest that Harvard students just aren't smart enough to understand the documentation. How smart should someone have to be, exactly, and how much time should someone have to invest in understanding it? Would an MIT student have to be de-anonymized in a similar fashion for us to conclude that we might be able to do more on user education? An MIT-trained programmer? An MIT-educated cryptography researcher? Would someone like Roger or Nick themselves have to be de-anonymized in a similar fashion before we could conclude that user education is something that could be done more effectively? Where people go to school isn't a good predictor of whether people understand technology, and it may never be possible to prevent everyone from making mistakes while using Tor that they might regret. It's not the easiest problem to solve, it may not have purely technical solutions, and this student isn't a good example in a lot of ways. But I still hope that we can try to do better helping the users we do want to support--even the people who might not be "smart enough" right now. > > -- > tor-talk mailing list - [email protected] > To unsubscribe or change other settings go to > https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk > -- tor-talk mailing list - [email protected] To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
