Slashdot is powered by your submissions, so send in your scoop

 



Forgot your password?
typodupeerror
×
Security The Internet

Tor - The Yin or the Yang? 139

An anonymous reader writes "Whitedust is running a interesting article on Tor, The Onion Router project sponsored by the EFF. Tor aims to offer anonymous internet use. Once sponsored by the Naval Research Lab with support from DARPA, it is now managed by The Free Haven Project. Although Tor claims to improve safety and security, the article goes into detail on how Tor can be used as a anonymous attack platform."
This discussion has been archived. No new comments can be posted.

Tor - The Yin or the Yang?

Comments Filter:
  • by Anonymous Coward
    yin yang wins over ying yang
  • by Anonymous Coward
    it's yin, not ying, you insen.... blah. :)
  • Cultural Idiots (Score:2, Informative)

    by jvagner ( 104817 )
    It's "yin or yang". Good going, Slashdot.
    • Re:Cultural Idiots (Score:3, Informative)

      by atteSmythe ( 874236 )
      Messup is [sic] from TFA.
    • Re:Cultural Idiots (Score:1, Insightful)

      by Anonymous Coward
      Ying referes to an aspect of the male anatomy... So is this slip up a foreshadowing that Tor will eventually get the shaft?
    • Actually, isn't it a mistake to try to seperate the two?

      It's the "Yin and Yang", or the 'Yin-Yang' as I understand it-- two opposite pieces of the same energy, both integral and complementary to each other. They cannot be removed from the whole, or the whole is destroyed.

      Using the word 'or' actually distorts the original meaning-- 'or' imply two different pieces, the Yin OR Yang-- with we're really talking about one thing.

      Yes, this sounds pedantic, but I think it's actually an important difference.
      • It would be a very important difference, if you were right.

        Yin and Yang are opposites. They are two separate concepts that, together, balance one another out. If one or the other is too out of balance, you see problems, according to the theory.

        But the fact that yin or yang energy can be out of balance would indicate they are, in fact, two different things. Look at Chinese medicine, some substances are considered to have a strong 'yin' value, others to be primarily 'yang'.

        In short, you're getting it ri
        • It should be 'Yin and Yang' never 'Yin or Yang,' and upon looking at an actual picture [tk421.net] you may see why.

          You cannot have good without evil, or hot without cold, because if something is relative, you always have to have something to measure it against.

          Also, a much better arguement, in this particular case, is that the Yin contains the seed of the Yang, and the Yang the seed of the Yin. One never exists without atleast a little bit of the other.

    • Wasn't Thor part of the Norde mythology? What's Taoism got to do with it?

      Of course, i could be wrong, and the yin / yang mentioned by the submitter is just out of topic.
    • which I have always heard descibed as ying-yang
  • by Lumpy ( 12016 ) on Friday July 22, 2005 @04:49PM (#13139801) Homepage
    It's already being used this way. Friends still in IRC have been fighting Tor attacks by crapflooders that require 15-20 bans to get rid of the jerk. and the IP's line up with Tor proxies.

    It's not hard to modify the client to do nasties for you. hell it can be used to attack any web forum easily without modification.

    unfortunately the kiddies discovered it useful for attacking already.
    • by dgatwood ( 11270 ) on Friday July 22, 2005 @05:06PM (#13139954) Homepage Journal
      This just tells us what we already knew--online forums and chat mechanisms and other similar technologies should always be designed to require registration.

      IRC is a relic from the ancient design museum, a reminder that once, when the internet was young, everyone who could run a server on the 'net could be trusted. SMTP is the same way, along with a number of other fossilized protocols. These protocols, if they are to continue to be useful in the new age of IP spoofing, dynamic IPs, and wormhole routing, need to be redesigned with a modicum of security built into them.

      Most people aren't willing to create an account with their real email address to post crapfloods. The few who do can be easily banned by email address.

      I know, I know, I'm posting on the world's biggest counterexample for my opinion. Such is life.

      • One of my 8 yahoo ones, or one of my 10 gmail accounts, or my 4 hotmail accounts or the mailinator account I'm about to make up for the next online form I come across that requires a 'valid email address'?

        Or do you mean the 'real' email address that belongs to one of the more obscure web-based email services?

        Real authentication is impractical in large numbers; this is why it has never been implemented. It barely worked when you sent a photo copy of your drivers' license in to your local BBS; but now, in t
        • The point is that an extra layer of authentication makes it harder. Nothing makes it impossible, but at some point, it becomes hard enough that most people planning to do stupid things (crapfloods, spam, trolls, etc.) won't bother unless they're making a lot of money doing it.

      • A note that some IRC networks (well, Freenode) automatically detect Tor connections and assign them a hostmask of the form whateverwhatever.tor, and it's easy enough to ban or ignore *.tor from there.
      • Literary authors in the past authored quite a few creations under artistic names. It's especially nice to use names like sillybilly on slashdot, where you can let it go and voice your opinions and abuse your right to freedom of expression to the limit, without having to fear someone disliking a single sentence of yours and hunting you down for it. I mean it's not impossible, nothing's impossible, but it adds an extra fence, extra layer of safety. I don't think I'd like to know everyone's real names here, be
        • It's especially nice to use names like sillybilly on slashdot
          What kind of nickname is "sillybilly"?
          Why are you hiding behind a nickname?
          Do you have something to hide?
          You'd never see me hiding behind some ridiculous nickname.

          Your friend,
          some guy I know
          • I like this nickname, because it has so many sides. First, it's cute, immature, happy, childish. Childish is someone who is overly honest to the point of innocence and hasn't lost the ability to still wonder at a top spinning, a magnet pushing another one apart, or be like a baby dazzled by the colors and textures spinning before his eyes. 2nd, I tend to get overly serious and grandiose sometimes, and then all you have to do is look at the name, to come back to your senses. Imagine bugs bunny telling you th
            • My post was meant to be humorous.
              You see, I was criticizing you for using a ridiculous nickname, when my own nickname is just as ridiculous.
              To make this clear, I signed my post, which I normally never do.
              Intentional hypocracy is supposed to be funny here on Slashdot, and, occasionally, elsewhere.
              It's like those posts that begin "Your a moron.", which is a kind of joke because the intentionally mis-spelled "You're" is showing that the person who stated "Your a moron." is also a moron.
              (A similar situation is
      • on our irc channel we had a problem with a single jerk who always used a different nickname. so the channel was set to require a nickserv registered nick. didn't stop him. he registered his 20+ nicks and continued to annoy us.

    • Of course since the directory of Tor nodes (not client nodes, but endpoints) is public, it would not be hard to make a script that klines (or +b or eggdrop bans) all the Tor exit points.
    • unfortunately the kiddies discovered it useful for attacking already.

      Actually, it's also being used by security professionals and pen-testers for legitimate testing and assessment. There's currently a discussion regarding TOR for pen-testing purposes on the SecurityFocus pen-test mailing list. See http://securityfocus.com/archive/101/406238/30/0/ t hreaded [securityfocus.com].

      Just because the kiddies are using it doesn't minimize the usefulness of the protocol. Bitorrent, P2P, and other protocols face the same abuse issu

  • While I do see some valid uses for it, I've only seen it abused on IRC by people who are using them to flood. I know, IRC isn't the center of the online universe.
    • I wish there was a "Understated" moderation point I could give.

      IRC is great and all, but it is at the outer edges of the online universe to say the least.
  • by Brad Mace ( 624801 ) on Friday July 22, 2005 @04:53PM (#13139837) Homepage
    For a society to be free, it MUST be possible for people to do things that are against the law. That's just how it works. If people do something illegal then you can punish them, but only an extremely facist government could hope to prevent crimes before they occur.
    • For a society to be free, it MUST be possible for people to do things that are against the law. That's just how it works. If people do something illegal then you can punish them, but only an extremely facist government could hope to prevent crimes before they occur.

      But you don't just want a free society, you want a just society. When people can commit crimes anonymously, there is no punishment.

      So avoid facism, but retain your ability to punish those to actually do break the law.

      • Seriously. I've recently started a website that has an online forum (what, you were expecting a link? I'm not eager for a /.'ing) after a schism with another online forum, and I've gotten wave after wave of trolls coming over and wrecking the place.

        I had most of them banned, and the ones with static IP addresses banned by the IP, and then one of them brilliantly discovered the use of proxies and anonymous surfing sites (it was brilliant for a bunch of trolls, atleast), and I was back at square one.

        I'm r

        • The Problem is with People. And the problem is so prolific on the internet because you can do things on the internet that in real life would get the crap beaten out of you. After all, if you walked into a bar and started calling everyone in it faggots, you'd probably wind up with a cracked skull.

          You need to distinguish between someone who provides unpleasant information and someone who engages in physical assault. Calling people names is not grounds for cracking skulls or any such response. "Sticks and st
          • Oh bull. You're entirely missing the point.

            The negative to anonymity is that immature or socially maladjusted individuals can destroy the signal to noise ratio in a forum with impunity. The criteria you are "distinguishing" by isn't even relevent in the example shown. The hypothetical tool crying faggot to everyone is not providing unpleasant information. He is purposefully inciting the people around him. Mr. Tool is abusing his freedom of expression and in the non-anonymous setting a variety of social pre

      • 3, Interesting
        -22 Idiotic

        "But you don't just want a free society, you want a just society."
        No we want a free society. People have been fighting for freedom throughout the ages.
        Most people here in the US have relatives who died giving us this freedom.

        You want justice at the expense of freedom, go live somewhere else - like a police state, with ID cards, where the authorities have a right to search anyone and sieze anything.
        Where they can identify suspected dissenters by tracking their reading materi

      • If you don't want to be swallowed whole by your government, like in China, you have to be able to have the ability to remain 100% anonymous, no exceptions. Because the moment you give anyone the power to remove the cloak of anonymity, you destroy anonymity from tyrants completely.

        I find arguments against online anonymity to be silly, usually taking two tracks:

        A) Hackers will attack us!
        B) Bad guys (usually meaning pedophiles) will hide there!

        B is a given. I support the death penalty for pedophiles (even
        • Do you support the death penalty for other mentally-ill people too? Paedophiles are seriously sick individuals and the system treating them just as common criminals is why there is so much tragedy caused by them. Deal with them in the same way as the criminally-insane, namely sectioned away from those they are a danger too.
    • Absolutely! Those fascist laws against my killing someone who is just asking for it should be abolished! The government is infringing on my right to bitch-slap anybody that pisses me off!

      While I agree that fewer laws would be better for society, I can't agree with your statement that "it MUST be possible for people to do things that are against the law". If people do things that harm other people, they should be punished in proportion to the harm done and the probability of getting caught. If nobody is harm

    • that totally felt like a line straight out of minority report. *shivers*
    • "but only an extremely facist government could hope to prevent crimes before they occur."

      And I quote:
      "So we had to make a shift in the way we thought about things. So being reactive, waiting for a crime to be committed or waiting for there to be evidence of the commission of a crime, didn't seem to us to be an appropriate way to protect the American people." - John Ashcroft; June 5th, 2003 [pbs.org]
  • RBL tor nodes? (Score:5, Insightful)

    by blueskies ( 525815 ) on Friday July 22, 2005 @04:53PM (#13139842) Journal
    If it becomes a large enough of a problem, i can see people firewalling based apon a list of tor nodes.
  • Fantastic! (Score:3, Insightful)

    by Anonymous Coward on Friday July 22, 2005 @04:55PM (#13139859)
    Let's all demonize useful technology before it gets out of the gate! Next year we can all mourn the loss of Sourceforge when it's 'determined' to be a repository for terrorist software development. Oh god, won't somebody help me off of this slippery slope?!
    • Re:Fantastic! (Score:4, Insightful)

      by Jeff DeMaagd ( 2015 ) on Friday July 22, 2005 @05:06PM (#13139955) Homepage Journal
      Oh god, won't somebody help me off of this slippery slope?!

      Just as well. Slippery slope is a logical fallacy anyway.
      • It's also an accurate empirical observation regarding human nature.
      • Just as well. Slippery slope is a logical fallacy anyway.

        It may be a common argument, but the concept that things will generally continue to exhibit the same behavior is a pretty reasonable line of thought.

        It's easy to *call* something a fallacy, but think about the implications here. Calling the "slippery slope" argument a fallacy is like calling all of statistics a fallacy.

        I think the "slippery slope" "fallacy" is basically a way to allow one person to control the debate about a subject to their
      • Wow! You took philosophy 100 too!

        Yeah, it's a logical fallacy, whop de doo, you know the name of some arguement technique agreed upon by ivory towered professors. It's still a valid to use in a debate considering that emperically it has a very high chance of being true to a small or large degree.

        Pointing out that Bush was a C student cokehead is an ad homiem attack, yet it's a perfectly reasonable point about his competency given that he's the President.

        There are more things in heaven and earth, Jeff
    • Stop blamming the people who ban tor nodes from their network.

      The real problem is with the tor nodes who give unrestricted access. If you're running a node in order for people to be able to browser the web anonymously, then
      WHY WOULD YOU ALLOW TRAFFIC TO PORT 22 OR 6667?

      Most tor nodes don't restrict traffic, and are irresponsible. Don't belive me? Check it out for yourself:

      http://serifos.eecs.harvard.edu:8000/cgi-bin/exit. pl?ports=6667&addr=1&textonly=1 [harvard.edu]
  • Give people anonymity and of course they are going to do bad things with it. The net is as anonymous as it needs to be. I see this only causing more trouble and headaches...
    • Normal person + anonymity + audience = Total Fuckwad [penny-arcade.com]

      I guess we're seeing here that the size of the audience doesn't really matter, if at all.

      -paul

      • Off Topic (Score:1, Offtopic)

        In response to your .sig: What about those of us who realise that a .45 is better for stopping someone on PCP than a .22, but a .22 is better for a Mob-Style, back of the head, execution?

        Not that I've ever done either of those. Oh, no.

        What, you think I'm lyin'? You callin' me a liar?

        /me draws his .45

        You callin' me a liar, issat i-

        /me puts his .45 away...

        Er...

    • Just more proof to John Gabriel's Internet Fuckwad Theory, the gift that just keeps on giving...
    • Extending that argument a bit -- Give people in government anonymity and of course they are going to do bad things with it -- especially when you toss in righteousness and a paycheck. Did you notice the House (USA) just extended the Patriot Act, giving anonymous people a paycheck to watch my web traffic in case I do something bad. Shouldn't we thwart such abuse?against such abuse? Shouldn't the billions whose web traffic is so heavily filtered they don't even know we're having this discussion be invite

  • Because the slashcoders worked overtime to ban posting to slashdot from as many tor servers as they could find.

    You can't post to this page.

  • Whitedust commented that the flaws in Tor could be fixed by moving away from the Onion network to an extended "Onion Ring" network.
  • RIAA Alert
    Tor
    KILL
    KILL
    KILL
  • Tor is a good idea, and maybe even a step in the right direction, but it is by no means a "solution" for true Net anonymity and/or privacy. In fact, it is a better tool for attack anonymity than it is for privacy.

    Call me paranoid, but I don't trust anyone other than the intended recipient to decrypt any sensitive data. The way I understand the program to work (correct me if I'm wrong) is that a "trusted" server on the end decrypts your packets and acts as the "proxy" between the tor network and the Inte

    • You can tell tor what type of nodes to connect to, you don't have to just use "trusted nodes." It comes OOTB like that, but all it takes is a quick edit.

      If you are sending unencrypted traffic over tor and you really have a need for anonymity you are stoopid anyway and you will die. If you are doing something that could cost you your freedom you need more than one layer - and tor, no matter how big the onion, is still just one layer.
    • You're misunderstanding the protocol. The purpose is to anonymize connections versus content.

      An example scenario: a US intelligence agent may need to contact an agency server from within a foriegn country. Anyone sniffing packets would notice that a user is connecting to a server at www.someagency.mil, even if the content itself was encrypted. Tor anonymizes the connection, as the agent now connects to one of any number of Tor nodes. Tor uses encryption to protect route and address information, not conte
    • by Anonymous Coward
      The way I understand the program to work (correct me if I'm wrong) is that a "trusted" server on the end decrypts your packets and acts as the "proxy" between the tor network and the Internet.

      1) You don't have to use any particular node or nodes as "trusted". There is no centralization in architecture, only in default configuration.
      2) The trusted node can be the intended recipient.
      3) You should be using encryption anyway if you care about protecting your data.
  • by Anonymous Coward
    You have got to be kidding me. I can barely use Tor to surf for porn at work, its so damn slow. IRC? Ya, it crawls too. This is using US tor servers too - good luck if one of the routers in the route is in some high speed country like bangladesh. Tor is a great idea maybe, but as it stands right now is so slow its not even funny.
  • by nweaver ( 113078 ) on Friday July 22, 2005 @05:20PM (#13140064) Homepage
    A: Tor is a documented protocol. If you really REALLY want to block Tor on your network, configure your IDS to recognise the protocol setup, and kill THAT.

    B: You can't quake through Tor. Tor only supports TCP, and it adds a fair bit of latency to boot.
    • Wrong side of the equation. WTFA.

      A> It is the proxy TOR that is sprouting attack packets. Not the TOR network itself. TOR is a carrier, AND a emitter of attack launch platform. You talk only of a stopping the carrier network which is usually beyond your reach.

      B> Quake will works through TOR using port redirector and a IP tunnel that works perfectly fine across UDP/TCP boundary. (although why would ANY serious gamer want to do this)
  • by powerline22 ( 515356 ) * <thecapitalizt AT gmail DOT com> on Friday July 22, 2005 @05:23PM (#13140085) Homepage
    I live in the USA, and I use it all the time at my high school. Why? My high school thinks it prudent to block many sites such as hackaday.com and coxandorkum.com. I also used it when I was in china to bypass the great firewall to check my evil capitalist college email.

    I think that if anyone is being blocked from visitng any site, anywhere, they should use this to show how stupid and ineffective filters are, especially in schools. Why bother to educate responsibility on the internet when you can force it on kids!
  • by Anonymous Coward
    ...you can use it to protect your family from dangerous animals (deer, frog hoards, and spiders...I hate spiders), or you can kill people, which is wrong.
  • To be pedantic... it's never a question of one or the other, since they are each others dual.

    Anonymity conceals identity. People who commit crimes often don't want to get caught, so anonymity is something they desire.

    Nothing to see here; move along.

  • There's only two types of people that would bother with annonymous internet usage... those doing something they fear might get them in trouble, and those that fear being monitored regardless if they're doing anything bad or not... either way, annonymous internet usage is somewhat a product of fear.

    Not saying there's anything wrong with acting on fear, but it can't be healthy to live always fearing "Oh no they might see me reading /." or whatnot.
    • as much as some people might call that flamebate.. its still basically 100% accurate...

      theres always the third group who "likes to be different" and test the boundaries of the law... but that group isnt really big enough to count....

      it does suck though to live in land where the freedom was paid for with more deaths than id want to count... yet - where everyones getting the opinion that its ok to have some freedoms taken away if it makes you safer... which is basicallyk why people dont fuss about the litt
    • I gotta wonder where the hue and cry would be if the government was cracking down on Tor instead of a fellow network admin.

      Having said that, there are any number of legitimate reasons for using this technology, many of which have already been noted on here. Let's take a slightly different look at things:

      There's only two types of people that would bother with annonymous internet usage... those doing something they fear might get them in trouble, and those that fear being monitored regardless if they're
    • there could be a situation someday where even you and your loved ones had something to fear from people knowing what you were reading and expressing, as well as knowing with whom you interacted. that fear could be real and major, not imagined and insignificant.

      and you're right, living in fear isn't healthy. but the world is full of massive amounts of oppression and suffering and it is difficult for some to not live in fear every day.

      so, while the geeks of the world have privilege and resources and inher
  • an RBL populated with the tor master list.

    a BGP feed of tor hosts.

    anyone game?
  • Any technology that empowers people can be used both for good and bad. Fire, knives, cars, gas, etc. Tor is not something that's likely to cause an end to the world, there are a lot more potent things to worry about.
  • If you want a complete all-in-one Tor platform, look no further, Tor Desktop. [virtualpri...achine.com]
  • The Tor project has a FAQ about abuse, from the perspective of Tor server operators and other folks on the internet. Of particular interest are:

    Also of interest on the main Tor FAQ is:

    Basically, Tor goes through some effort in order to be easy to block, by making sure that you can easily get a list of exactly the Tor nodes

  • Not much you can do about it. Encryption, anonymous remailers, proxies, all can be used for good and bad purposes. So can speech, religion, press, arms, etc.

    Either we stand up to our responsibilities as adults and advanced and civilized people with a sense of honor, propriety, and duty, and chase criminals and terrorists while playing by the traditions, rules, regulations, and laws... or we dispense with our rights, liberties, and privileges in the name of safety and prevention of infractions.

    As we all
  • You can beat someone to death with a Subway sandwich, if you are determined enough. Should we stop eating sandwiches so everyone will be safer?
  • Someone, I think here on /., said they used to run a TOR server but stopped when they audited their exiting traffic* and found it was mostly spam, warez, and porn.

    If respectable people don't use TOR for respectable things like breaching the Great Firewall of China, then many respectable people will stop running TOR nodes.

    *Traffic that is leaving the TOR network at his node. At this point, it's no longer encrypted.

Avoid strange women and temporary variables.

Working...