Comment by flufluflufluffy 16 hours ago
As knowledgeable users of the Internet in 2024, we would do well to assume that nothing is 100% “safe” (I.e. there’s no such thing as perfect security/privacy).
However, some things, like Tor, can make your use of the Internet safer.
If all you’re doing is arguing that Tor shouldn’t be used because it isn’t/was never “safe”, then you might as well not use the Internet at all.
They have the opposite of a point. The logical conclusion of that line of reasoning is that everyone should use privacy tools so no one can be singled out. And that ordinary users with "nothing to hide" should be the first to start using them.
I mean, sure. And while we're at it pigs should fly.
Functional security means understanding your risks, and using privacy tools is a risk - in the sense that it does single you out in the current environment.
Your actual communications can be secure, but that doesn't stop a bad actor/government from picking you up and beating you with a wrench until you talk - if they get suspicious enough.
Just saying "everyone should use these tools!" is not actually a counter-argument. It's a fine long term goal, but it's not addressing the real risk that some folks might be in.
Anyone who search for medical information online should always use a VPN and a browser that cleans itself before and afterward. Health status is one of the most valuable user data available to data brokers and is heavily collected and sought after.
I also use tor in my work in order to get a third-party perspective on a website, or when inspecting suspicious links.
>If all you’re doing is arguing that Tor shouldn’t be used because it isn’t/was never “safe”, then you might as well not use the Internet at all.
Exactly, and this same form of spurious argument came up in an hn post yesterday about cavity prevention, centering on an argument that a new advance in cavity treatment "cannot guarantee" to end cavities forever. [0]
I feel as though I've never been fooled by these arguments, although surely I have different types of weaknesses that are unique to me. But it seems to stand out as a form of argument that somehow has persuasive power among intelligent types whom I would never expect to fall for other forms of obviously fallacious arguments.
The 90s had the opportunity to deploy something like PGP widely, but because there was no perfectly safe way to distribute the keys it never went anywhere. The most practical solution the crypto nerds could accept was the web of trust, where you were supposed to physically meet everyone you wanted to communicate with so you could physically exchange the keys, which was never going to scale.
Email to this day is unencrypted at rest and completely transparent to whomever is running your mail server. You don't think Google runs GMail out of the goodness of their heart do you?
I remember reading on here years ago that people were concerned that the government was reading their "private" emails. I've always just considered email to be sent in plain text. Just 10 years ago only 30% of emails from Gmail were encrypted. Even though now its 99% of outgoing email is encrypted, but all those emails sent before are probably sitting in a database somewhere. And it still reverts to unencrypted if the recipient doesn't support TLS.
Well, for the sake of clarity I would say Tor is safer only if it’s not a honey trap. That is not knowable as a user, but I think that suspicion is well-deserved.
I think the Middle East gave us a very clear example of how state actors may target channels in unexpected ways.
But that's half the point. If someone has an intention to undergo some illegal activities with full intention not to be caught, only 100% "safe" solution works for them. Normally we talk about risk tolerance, but this particular use case is a bit special.
There are no "100% safe" solutions. There will always be weaknesses and vulnerabilities in any system. The sort of criminal who requires or expects 100% safety is quickly going to be caught due to being a dullard. Knowing you're never truly "safe" is what good criminals are keenly aware of at all times: you can plan and prepare for certain eventualities. Once you think you're "safe", it's the beginning of the end.
Security is a process, not a "state".
You don't do something, once, and then are good to go forever. Banks don't just put cash in a safe and forget about it; they have audits, security guards, cameras, threat intelligence profiling criminal gangs, etc.
As someone who's actually used Tor for illegal activities(buying drugs) this is completely missing the point. Criminals generally are not thinking about doing something completely risk free. The dumb ones don't consider risk at all, because they're desperate/addicted, and just hope/assume they won't get caught. More clever ones assume they'll be caught and try to make conviction less likely.
For instance, for buying drugs, the ordering isn't the risky bit. Receiving it in the mail is. Even if tor was magically "100% safe" the crime overall wouldn't be. The point of using tor is not to eliminate all risk, it's just to decouple payment from reception. I had my drugs intercepted by customs once, but they couldn't prove I ordered them, so they dropped the case. I'm sure it might've been possible for them to prove it if they spent a lot of resources trying to trace crypto transfers and so on, but police only do that if the fish is big enough because they're resource constrained.
Tor is just another tool criminals can use to reduce risk. It's not perfect, but for most things it's the best thing available.
> If someone has an intention to undergo some illegal activities with full intention not to be caught
As opposed to... people who undergo illegal activities with the intention to BE caught???
The only 100% safe method is to not do the illegal activity at all. There's always a risk/rewards analysis to be performed when committing any act that could have negative consequences whether you're playing the stock market or doing credit card fraud. For any major criminal that gets caught, you can usually read the arrest affidavit which offers a pretty interesting look into how the criminal was caught despite the careful measures they took. The one for DPR is interesting to read and shows how despite taking careful measures, DPR left a trail of breadcrumbs that investigators used to track him down. His use of Tor was pretty solid (assuming the whole affidavit isn't complete parallel construction fiction) but it was everything else he did outside of it that got him in the end. There's another story of a university student that sent threats to his school to get out of an exam or something through anonymous emails over Tor. They only caught him because he was the only person using Tor on the school network at the time the email was sent. If he was off campus, he may have remained anonymous.
An analog crime I think about is the murders in Moscow, Idaho. The criminal did take some careful measures like wearing gloves but he left a knife sheath behind that contained DNA evidence. Everything else they had on him was circumstantial, he owned a similar car to what police thought they saw on people's doorbell cameras and his phone went offline during the time of the murders and also pinged a tower close to the crime scene hours afterwards. Police found a partial genealogy match to his DNA which I'm sure they compared to similar car owners and cell tower records. If he hadn't left the sheath behind, wore something like a Tyvek suit, and simply left his phone at home, the suspect pool would have likely been too large. His careful measures (turning off his phone, making multiple passes in his car) likely contributed to police focusing on him once the DNA proved a link.
> The only 100% safe method is to not do the illegal activity at all.
Nope. Not even that is 100% safe because you can be falsely convicted of a crime you never even committed. Many privacy tools reduce that risk as well, because you're less likely to be convicted by e.g. a lazy prosecutor willing to take things out of context if you provide them with less source material to trawl through.
> Nope. Not even that is 100% safe because you can be falsely convicted of a crime you never even committed.
That's so exceptionally unlikely as to be something you can discount as a possibility, providing you don't actually commit crimes.
Agreed – you can never truly be completely "safe", but Tor remains the most privacy-preserving tool we've got.
When people say they're distrustful of Tor (for various reasons) to the extent they refuse to use it, they seldom suggest alternative tools/measures that provide anywhere near the level of safety offered by Tor.