I know you all are dealing with DDoS and how that goes. I run DDoS mitigation for some juicy targets and do a lot of on-call response to handle those issues, so believe me when I say I know what you are dealing with.
However, that being said, it appears you are blocking tor exit nodes with a 403, likely at your web termination point (nginx, apache, whatever), and this kind of sucks.
I get that tor can bring some attacks, and I fully support a modulated response to those attacks, preferably one with a reasonable time decay, but please don’t just block all of tor
Alternatively, be one of the cool kids, and setup an onion service for lemmy.world!
An onion service would be interesting.
Genuine question: Why would you use Tor to connect to Lemmy?
Tor is an incredibly useful tool to work around organization supported firewalls.
- Employer: Don’t try to work around your employer’s protections. It just takes one bored IT person to make a call and you are fired
- College/Family: There are stronger arguments for this but I suspect you are in a “suboptimal” situation if you are dealing with that and… yeah
- Government: This is the big use of Tor and why I still generally suggest it, even if I have many concerns with the ethics of the system and its supporters. And let’s drill down to that
If you are doing stuff on Lemmy that your government would not approve of: STOP!!! We have stories of twitter and other social media sites outright volunteering information to authoritarian governments while having a CEO spew hate and vitriol on an hourly basis. And those are large companies with at least some degree of oversight.
Lemmy is instances hosted and managed by people in their off time. And you know almost nothing about those admins.
So if you are saying or looking at anything that you would not want the public to know: Do not fucking do it on Lemmy. There is still plenty of user activity that can be used to trace back to you if anyone ever cares enough.
Never underestimate the power of tracking cookies. You may think you are protecting your privacy but… you really aren’t. And if you run ALL traffic through tor… you are in basically the exact same boat the moment one tracking cookie has been associated with the Dominos pizza down the street.
On mobile, so have to be short: I don’t want to leak my IP to every random site that hosts am image and shows up in my feed. I use tor for everything, and turning it off to browse lemmy.world is pointless.
Tor is useful for more than just getting around your work firewall.
Look into tor browser, tracking cookies is only the beginning.
Again, what are you actually protecting yourself on by preventing random sites from seeing your IP?
Information your IP conveys:
- Probably what ISP you have
- Probably your general location unless you have gone out of your way to have a static IP for your home (in a way that is not just asking/paying your ISP for it)
So unless you have a very non-standard internet set up, it basically lets me know you are in Faketown, New Jersey. Which is not particularly useful information. And likely has already been conveyed to anyone you care about because of the tracking cookie for said Dominos.
The reason why this CAN be an issue and you see streamers block their IPs: DDOS attacks exist. But if you are going to websites that are likely to DDOS the visitors for poops and giggles… maybe consider going to different sites? Or, yeah, that is a use case for tor.
But the idea of putting ALL traffic through tor (just like ALL traffic through a vpn) just… mostly defeats the purpose of it because you are still making a nice and easily tracked “profile”. And it is very clear that site admins can detect what is tor so that they don’t assume you are regularly traveling between Faketown and Luxemburg or whatever.
This is an increasingly common problem with people who, quite frankly, are in the Dunning-Kruger regime of cybersecurity/infosec. They see a tool so they want to use it. They don’t think about what that tool actually gives them or how using nothing but that tool can actually compromise them.
Sorry, I cannot possibly match your asymmetric post length in my replies. I’ll simply leave it at: I want to use Tor, for a lot of different reasons, not all of them are you going to eventually uncover with your argumentation, because I don’t plan on talking about them, not because they are illegal. If you don’t want to use it, then fine, its not for you. I was Tor today to get past some train internet, which is heavily filtered. Its very useful, but annoyingly I could not get to lemmy.world because tor was blocked. That ruined my enjoyment of my trip :)
I do not agree with you that using tor actually compromises you, but if you do, then go ahead and keep believing that. Seemed to work fairly well for Snowden, and quite a lot of others who depend on it daily.
You have yet to refute a single point and the extent of your argument is “I want it”.
Also, Snowden, really? The guy who got caught and had the Espionage Act thrown at him, fled to Russia, and now lives there until the end of his days? Putting his shit posting and memes through tor isn’t protecting him. Last dollar in time, the US government (and other governments) know EXACTLY where he is at all times. Him being more useful to Russia as a political pawn than as currency to give to the US government is what keeps him safe.
But, and I realize this might be hard for you to understand: Tor is incredibly useful for some activities (I even said I suggest it to others in the comments you refuse to read). But the more you do through Tor as “you”, the more of a profile there is which lets anyone who actually cares about you track you down.
Need to blow a whistle: Tor can be a good tool for that. But only if you are doing it from an identity that has never been linked to any of your personal identities AND the data doesn’t contain anything that is identifiable either (that last bit being Snowden’s problem, if I remember correctly).
I suggest you open a post somewhere that is “I dont think people should use Tor” and we can argue that there. This seems fairly off-topic here and I don’t plan on arguing with you about if I should use Tor or not. You can count that as a win if you want, I don’t mind.
Why would I make that post? I have never said that.
All I have done is:
Ask why you want to use Tor to access Lemmy. Clearly the site team block those endpoints because they are common attack sources. You have yet to provide any argument outside of… literally responding to me talking about why you should not trust Lemmy or The Fediverse for anything that a government would care about by… claiming you need to use it because it protects you from the government.
I then made it a point to respond to the FUD you continue to propagate because, by pretending that putting all of your traffic through tor and then connecting to laughably insecure services, you are actively hurting those who actually need to protect their activities by basically telling them something on the level of “Tape a hideakey rock to the bottom of your car”.
All of which seems on topic to me. At least moreso than “I want it”
The fact that you are assuming someone wants to use Tor on Lemmy to do something illegal shows that you have fallen prey to the idea that Tor itself is illegal or meant for illegal activity, it’s the driving force behind many of the pushes to block Tor or even to attempt to extinguish it.
Fact of the matter is Tor is a tool, a tool that like any is not inherently evil or illegal. Tor’s purpose also isn’t to facilitate illegal activity, its purpose is to provide privacy and anonymity to people who want it. It sounds to me like you have been listening to a lot of those “scary” deep web videos or assuming people use Tor for those reasons and not for legitimate privacy and security reasons, (like for example did you know that Lemmy doesn’t proxy images?). This is one thing I really hate about those types of content, they portray the idea of privacy and security as if it’s evil or nefarious, or that the idea of hosting your own hidden service is creepy or wrong, it’s really gross actually, all for clicks and views, but they push it as if it’s real, it’s harmful to services like Lemmy which are currently outside of the mainstream and probably are associated with Dark web contend just by virtue of not being Big tech products, for a while I’d heard similar stories about linux too (people talked about how linux is for criminals, glad that one didn’t catch on).
TL;DR you shouldn’t be assuming that people want to use Tor (a privacy and security tool) for nefarious or evil purposes due to it’s reputation with nontechnical people, especially when those people are known for spreading misleading or even wrong information about the subject itself.
Defend yourself against tracking and surveillance. Circumvent censorship…
Governments use the internet for social control, through both surveillance and censorship. Many countries, such as China, Iran, and even the United States practice active surveillance of the social relationships of everyone. They then sell that data to companies, and then that data gets sold to the US government to work around 4th amendment protections (https://www.wired.com/story/odni-commercially-available-information-report)
Internet service providers happily cooperate with government repression, they practice intrusive monitoring of your traffic through deep packet inspection, they track your DNS usage, and they get people thrown in jail, expelled from school, or banned from the internet, sometimes just for ‘copyright infringement’.
Corporations have discovered how to make money from the internet: surveillance. By tracking your online habits, advertising companies build detailed profiles of your individual behavior in order to better sell you junk, Every single major internet ad company now uses behavioral tracking.
Tor isn’t the only way to get around these things, but it is one tool in the arsenal. The fediverse is a step in the right direction, and the fact that I can run my own lemmy is a huge plus, which is what I probably will be doing if lemmy.world continues to block Tor, but that is a selfish solution, and doesn’t help my friend’s in countries with restrictive internet.
I’m not interested in stopping doing stuff on lemmy because the government doesn’t approve of it. Political repression doesn’t mean I should also be profiled or have my speech restricted. I want to be able to help people find abortion support in my state, where it is illegal, and I want to do that without worrying about ending up in some kind of purge list because the GOP becomes full fascist sometime in the next couple years.
- Who are the admin team of lemmy.world? From a quick glance, at least a few of the staff have photos (whether that is them or not is anyone’s guess).
- What are their political backgrounds?
- How likely are they to stand up against an aggressive government who wants information on people who are circumventing an abortion ban?
- How likely are they to assist said government?
And, most importantly
- Even if you have satisfactory answers to all of the above, how much do you trust that the new sysadmins that are being recruited meet the same requirements?
The fediverse is amazing as a tool to decouple social media and discourse from corporations (even if that can be coopted. Facebook is already trying). It is a HORRIBLE tool from an infosec perspective. Because instance admins can more or less see EVERYTHING you do. And even if you trust your own instance, you have no guarantees that the PMs you are sending a user on a different instance are protected either.
So, like I said in the other post you ignored after seeing one sentence, if you are doing ANYTHING where the government or even the general public finding out can hurt you: Don’t fucking do it on Lemmy.
This reminds me way too much of bitcoin back in the day. People figured that because it was not “controlled” by credit card companies and governments that they were fully anonymous. When the reality was that the ledger is public record and you don’t even need a warrant to search through it. And even if you are smart enough to use a tumbler or five: There is a reason that so much funding went in to graph analysis, if you catch my drift.
And just to make it clear. This is not any shade whatsoever being thrown at the lemmy.world admin team. You folk are doing great, thanks.
The point is more: I don’t know you. Why would I trust you with my personal and private secrets. Especially if they can have negative repercussions on my life if they get out. And, just the same, I don’t expect you to ask me to hold on to your credit card and social security card while you go get some blow or whatever.
As an alternative, you can run your own instance of Lemmy and funnel all the non activitypub traffic via the clearweb and all your browsing via tor.
I doubt admins will unblock tor because the amount of shit that gets yeeted out vastly outweighs the few users who legitimately use it. I worked for an ISP for almost a decade and use tor for data validation but the amount of other crap coming from exit nodes is unbelievable.
If you could reduce your arguments to smaller, digestible chunks that can be engaged with, then I would. Your format for engaging, with huge long argumentation, is just too exasperating to bother to attempt to reply. It is not the content, or arguments, I’d happily discuss those with you in person or by email like this, but this isn’t email, or usenet, and there is no way way to reply in line, quoting what you said, so I can reply to specific points. Instead, you write a kind of essay of points that stops any meaningful reply. I tried to engage that way, and I’m frustrated that I can’t actually, and properly, reply to you, especially the points that are wrong, or specious argumentation, but this message alone took me so long to write, and I’m just talking about how I am only really writing this point and not engaging with your arguments, that I’m not going to continue in this venue, in this way.
If you would like to exercise your arguments, maybe bring them to the Tor forum, where it is designed for this kind of structured discussion, or the mailing list.
Typical infosec fallacy: letting the perfect be the enemy of the good.
Yep, this is why am onion service would be good. No exit yeet. I’m 20 years into an ISP, and we have found productive ways to deal with those issues, without blocking. We are even running our own exit now
Make SURE to host your Exit Node as a foreign LLC entity in a non-cooperating country of the 14 eyes alliance. Or else they might (probably will) go after you for hosting… umm… bad stuff, sometimes involving children.
Not really necessary.
Just because it is now entertaining me how horrifically bad all of your infosec advice has been:
https://lemmy.world/post/2067119 is what they are referring to. Probably educate yourself on that.
