Hacker News new | past | comments | ask | show | jobs | submit login

As for uncensorable, if the content is illegal, the torrent peers may be incriminated distribution of illegal content



Neither argument has been tested, but the defense would that you were acting as an ISP with dumb pipes.

Which logically leads to an unrelated question -- if ISPs are doing DPI on every packet, they at least theoretically 'know' whether you're transmitting 'illegal' content. If I were a rights holder, I'd be making that argument against ISPs. I don't know how I'd sleep at night, maybe, but I wouldn't let ISPs have their cake (valuable user data) and eat it too (immunity based on status as ISP-only).


It's been tested for Freenet. LEA adversaries can participate, and identify peers. Judges issue subpoenas. Many defendants have accepted plea bargains. Plausible deniability doesn't work. What works is using Tor.


Even Tor isn't a magic bullet, specifically because of other technologies used in combination, such as a web browser.

https://www.eff.org/pages/playpen-cases-frequently-asked-que...


Yes, the FBI exploited a Firefox vulnerability to drop NIT malware on Playpen users. And said malware phoned home to FBI servers, bypassing Tor.

However, any Whonix users would not have been affected, for two reasons. One, this was Windows malware, and Whonix is based on Debian. Two, Whonix comprises a pair of Debian VMs, a Tor-gateway VM and a workstation VM. Even if the malware had pwned the workstation VM, there is no route to the Internet except through Tor.


Then I recommend you change this:

What works is using Tor.

to this:

What works is using [Whonix].


Too late to edit. But I added a comment. Thanks.


Wait, did they reveal how their exploit worked? I thought they had already dropped two cases rather than reveal the internals of the NIT? Like Tor Browser could still be unpatched for this?


Yes, they didn't reveal the Firefox bug or the details of NIT. And yes, Tor browser could still be vulnerable.

You must isolate Tor process and userland in separate VMs, or even separate physical devices. Even if the browser gets pwned, and the NIT gets dropped, you'll be OK, because the Internet is reachable only through Tor. Whonix is an easy to use implementation.

I've been ragging on Tor Project about this for years. But they don't want to frighten people by making Tor too complicated to use. You could be cynical, and say that they want the cannon fodder for their government masters. Or you could say that they think it's more important to protect the most people, rather than to most strongly protect technically competent people. I have no clue what the truth is. Maybe there's a range of opinion.


If Tor is too difficult to use, people won't use it. Edward Snowden and Laura Poitras had to dedicate a significant amount of time to get Glenn Greenwald to just use TAILS, a plug and play Tor operating system. Someone like that is not going to use Whonix, even if maybe they should be.


Yeah, I get that. And I realize that I've gone off the deep end. It's hard to imagine anymore how easily people's eyes glaze over. I've written guides that lay everything out, step by step. And many people still can't seem to get it.

But Whonix really is trivial. You install VirtualBox. You download the Whonix gateway and workstation appliances. You import them in VirtualBox. You start them. You work in the workstation VM. There's nothing to configure. That literally should be enough information to use Whonix. Plus there's a wiki and a support forum.


In my opinion, Whonix on Qubes is much more user-friendly. Just install Qubes and use preconfigured anon-Whonix VM.


If the workstation vm is pwned what stops it from hitting the usual home router internal network address and/or changing the route?

Is there some network isolation going on which prevents that?


The workstation VM has no route to the home router except through the Tor gateway VM. With Whonix, the gateway VM isn't even a NAT router. Plus there are iptables rules that block everything except Tor. The gateway VM only exposes Tor SocksPorts to the workstation VM. You'd need to break the network stack in the gateway VM in order to bypass Tor.


Right so can't I just add one then? Most vm setups I might have a default route to the other VM running tor but I can still talk to e.g 192.168.0.1 even if I'm not putting traffic through it.

Is this some kind of 'vm specific' virtual network which can't talk on the real lan? Is that implemented on the hypervisor?


Yes, for Whonix it's a VirtualBox internal network. There's no direct routing through the host, only among VMs. You can do much the same on VMware.

Edit: I forget that I'm writing on HN. When I say VM, I'm referring to full OS-level VMs, not namespace, Java, etc VMs.


That sounds like a pretty neat setup. I know I can just google all this so please forgive me the inane questions; it depends on virtualbox though?

That's a bit of a nonstarter for a few of.

We probably aren't the target base for the project though so maybe it doesn't matter...


Yes, it depends on VirtualBox. But there are versions for KVM, and for Qubes. More of a nonstarter, though. Or even using physical devices, such as Raspberry or Banana Pi.

Years ago, I created a LiveDVD with VirtualBox plus Whonix gateway and workstation VMs. I had to hack at both Whonix VMs to reduce size and RAM requirements. But I got a LiveDVD that would run with 8GB RAM. It took maybe 20 minutes to boot, but was quite responsive.


In theory breaking properly-configured Whonix would require a VM escape, pretty much the holy grail of exploits (a few have happened recently). The alternative is a complete break of Tor, which has proven unlikely.


Too late to edit.

I should have said: "What works is using Whonix, or otherwise using Tor securely with leaks blocked."


Do you have a source for those cases? I did some searches but can't seem to find anything.


See https://freenetproject.org/news.html#news

I read up on this a while ago, but didn't keep links. There was some discussion on /r/Freenet. For example: https://www.reddit.com/r/Freenet/comments/5tnx81/freenet_use... Missouri police developed a custom Freenet client that logged everything. But I don't remember the name :(


> Neither argument has been tested, but the defense would that you were acting as an ISP with dumb pipes.

Unlikely.

To become a peer, you must first visit the website, fully downloading the content.

Which makes an argument to you consenting to share the information.


Just like an ISP has to take your request and transmit it and the response. No difference in theory. In practice, I would worry whether courts would ignore theory.


But there is no person involved directly in the pipeline with an ISP. Every request goes through an automated process.

Governments do and have asked ISPs to update and block against certain websites. Thus, the automated system is expected to behave adequately.

However, as a person becomes involved, they become an active participant in the pipeline.

That is a huge theoretical difference.

A person is not automated, they have common reason, and intellect that goes beyond the rules that can be encoded in a dumb system.

This reasoning is what allows us to hold a person accountable to their actions.

If you visited a ZeroNet site, found it was bad stuff, immediately left and deleted the cache, you might have a case for innocence.

But if you immediately left, but continued to actively share the content... It's a different message.

You could become part of a child pornography ring, for example.

And courts enjoy making examples of distributors of such materials.

Pleading your innocence, becomes difficult at that point.

You've shared illegal content from your own property.


I wonder how all that would change if you only had a portion of any of the files, at what point would they draw the line?

Either way it's a damn difficult question to answer, but God's be damned if I wouldn't prefer a distributed internet.


Hell yes, to both those points.

At least IPFS is working hard towards Tor integration. That might be something one day.


> At least IPFS is working hard towards Tor integration. That might be something one day.

Actually, that day is today already! OpenBazaar had the same need of a Tor transport and made one! It's available here: https://github.com/OpenBazaar/go-onion-transport/

Basically a plug-and-play transport for IPFS.


I hope they get a chance to add a better README to that, looks interesting.


Yeah, it's not the most documented repository. In the absence of that, you can check out the following document and implementation for some better understanding:

- https://github.com/OpenBazaar/openbazaar-go/blob/4a9ee8de8fd...

- https://github.com/OpenBazaar/openbazaar-go/blob/4a9ee8de8fd...

Hope that helps a bit. Keep in mind that none of this have been verified and might not work as advertised. Just a warning.


Courts exist to evaluate circumstantial evidence. Complex theories are often ignored.

The ISP, like a container ship, is not responsible of every bit it moves around. Individuals are.


I understand this logic, but state can then say that being ISPs without license is a crime too.




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: