This allows to have a profile of commonly visited websites, making your shadow profile look less creepy to the governments, and you a lesser target of any kinds of snooping.

You’re afraid that by securing your communication and following sound security practices you’ll stand out and appear suspicious. This is exactly what the gov and other pushers of mass surveillance want you to think. The idea has no merit.

The privacy arising from the Tor network improves as traffic increases – privacy in numbers. Being afraid to use it, and then minimizing your use as you do is detrimental to privacy for a few reasons:

• When you need Tor’s protection the most (e.g. when you’re buying drugs or whistle blowing), you’ve made that traffic stand out from your other traffic. IOW, you’re signaling your adversary precisely when it’s most interesting to pay extra attention to you. Your drug purchase traffic should look no different than your bicycle purchase.
• You also harm the privacy of others by reducing the cover traffic that helps everyone.
• If the bicycle shop never gets legitimate Tor traffic, this prompts the shop to mistreat Tor users by policy, which in turn weakens the usefulness of the Tor network and actually constrains it to malicious use cases – when in fact there are non-malicious use cases that are often denied (e.g. a Qwant search).

Using Tor for searches ironically puts you at risk if you are spending all your time on Tor network.

What does time have to do with anything here? If all you do is search the web, most of your time is likely spent reading the screen, not moving data. And when you are retrieving data, you’re less exposed if you do so over an e2e tunnel that runs over Tor – not the clearnet as you suggest.

There is a good chance you will end up using the clearnet via mobile phone or computer at some place or time, thus breaking your OPSEC like a twig.

There’s so many things wrong in this statement. I rarely use a “phone” (and rarely as a phone) but when I do I am not limited to clearnet. If you do a web search from your phone of course you should still use Tor, tools permitting.

You speak of OPSEC as if to know what my threat model is. You don’t. And generally speaking in the context of the thread, it’s safe to say mass surveillance is in all our threat models. Of course you should avoid the clearnet to mitigate mass surveillance. It’s poor advice to tell ppl to do their searches over clearnet. It’s also poor advice to tell people that if the hypothetical situation arises that they’re forced to use the clearnet, that this somehow ruins all the OPSEC they’ve done on past searches before that point. It’s asinine.

Formally speaking, the rule of least privilege is sensible. That is, you give the least amount of privilege necessary to get the job done. If you don’t need to expose your home IP in one search and you don’t need to expose to your ISP where you visit, of course you should not. If in another circumstance you need to give up that protection for some bizarre reason, then the rule of least privilege still applies; that is, you only give what you must. To suggest that ppl throw their hands up and say “because I can’t securely do this search on my phone, I might as well give up on all my searches and do it all on the clearnet” is absolutely foolish.

You secure what you can to the best extent that you can, or you’re not doing security properly. If after exhausting non-clearnet searches you still don’t get the search result that you’re after, only then would it be sensible to resort to Qwant over clearnet. I’ve never had to do that, btw. I’ve always been able to find what I need w/out clearnet searching. Some searx instances successfully scrape MS Bing, which brings you close to Qwant results w/out the clearnet and without financially sponsoring Microsoft.

I can’t see which post you’re replying to. These thread lines are an optical illusion.

Antifa’s method of activism is controversial

While there is nothing controversial about being anti-racist, Antifa is not simply anti-racist. It’s the style of activism that’s controversial. From wikipedia:

Antifa is an anti-fascist political movement in the United States[2][3][4][5] comprising a diverse[6][7] array of autonomous groups that aim to achieve their objectives through the use of both non-violent and violent direct action rather than through policy reform.[8][9][10][11] Antifa political activists engage in protest tactics such as digital activism and militancy,[11][12] sometimes involving property damage, physical violence and harassment, against fascists, racists and the far-right

Petitioning for policy reform is relatively non-controversial. But that’s not Antifa. Obviously some of the more extreme actions (e.g. violence and property destruction) are controversial - and Antifa is open to them.

Antifa’s ideology is controversial

Components of Antifa ideology:

• anti-racism (non-controversial of course)
• anti-capitalism (obviously controversial and IMO unpopular)
• anarchy (obviously controversial and IMO unpopular)

I can’t even get my head around how it’s possible to be both anti-capitalist and anarchist at the same time. Anarchy is also favored by the extreme right, and obviously anarchy is a recipe for pure uncontrolled capitalism – most oppressive form of capitalism. What am I missing?

Lemmy censorship

In the case of lemmy.ml leadership, what we see is extreme censorship. We’re not just talking censorship of trashy messages. I recently posted a thread on the status of the cock.li email servers, and it was censored because the word “cock” appeared in the domain name. (proof). Obviously it’s essential to mention the domain name of the service we’re talking about.

No one will care if racist msgs get censored, but any post that’s incompatible with an anti-capitalist or anti-government viewpoint is also likely to be censored when you see how fast and loose they are with the censor trigger.

This is quite false to begin with. One does not need to use Tor all the time, firstly.

We’re talking about searches. Of course you should use Tor for searches. To avoid Tor (and the like) in the context of web searching is to compromise more of your identity attributes for nothing. That’s a bad trade.

Secondly, I am not a DDG patron,

I was speaking generally. Ppl bashing Startpage w/such emotion (“backstabbing”) tend to be DDG patrons. This particular crowd is relatively irrational. Startpage has some issues but nowhere near as extreme as the laypeople’s reaction.

Moreover, DDG being a US company is an instant red flag for me.

Sure, but it shouldn’t be the biggest red flag in your box of red flags, and it shouldn’t outweigh sound security practices (like using Tor or i2p or the like for web searching).

It is a fact that any search engine, no matter SearX (instance) or Qwant or Ecosia or DDG, have to rely on either Google’s or Microsoft’s web crawlers and index databases.

That is not a fact. Gigablast, Exalead, Mojeek, & Metager are all search engines with unique indexes that rely wholly on their own crawling. Some searx instances source from a local YaCy crawler.

It’s also an oversight to describe searx instances, Qwant, Ecosia, and DDG as equals in this regard. Most searx instances scrape their results, which means they do not financially support the privacy abusing corporation they source from. DDG pays MS & Yahoo for API access, thus financially sponsoring adversaries of privacy proponents. Qwant and Ecosia likely also pay for API access (and if they don’t, you can bet the price is paid by direct data sharing - which Ecosia and Qwant admit to in their privacy policy).

What matters to us is tracking, and Qwant helps prevent it effectively.

Qwant treats Tor users with hostility. This means that Qwant disables an important tool to help prevent tracking. You’re left with trusting Qwant’s adherence to their privacy policy, which is obviously a bad idea when it’s a company who is hostile toward users who act to protect themselves. We have to trust privacy policies to some extent, but Qwant ensures that the extent of trust needed is greater than it is with Tor friendly services.

It’s suspect that Qwant allows Tor users to submit a query, and only thereafter pushes a Google reCAPTCHA – which is exactly what Ecosia does. This suggests that Bing triggers the CAPTCHA, which means that more information is being fed to Bing than just the query string.

And the privacy policies confirm this. Ecosia’s privacy policy admits to sharing everything with Bing, while Qwant only admits to sharing user agent and the first 3 octets of your “salted” IP address, approximate geolocation with Bing. What’s the “salt”? It’s not necessarily random (in fact, not likely random). It could even be an encoded composition of anything from your browser print. Whatever is sent, it’s evidentally specific enough for Bing to know the query comes over Tor. And in any case, you’re trusting some weasel wording with Qwant. You have no guarantee that the hash that Qwant generates is not unique to you and non-unique across your multiple visits. The hash could even be more unique than your IP address, and it’s supplemented with your approximate geographic location (which as well could simply be expressed as “Tor” since exit node geolocation is meaningless).

Although Ecosia admits to sharing more data than Qwant, Ecosia honors the do-not-track flage and Qwant does not. It’s quite possible that setting the DNT flag reduces Ecosia’s info sharing more than Qwant’s.

I see a pattern of emotional StartPage bashing – and it’s bizarre that it often comes from loyal DDG patrons. Both DDG and StartPage profit from untargeted ads. Both are US companies. StartPage self-hosts while DDG hosts on Amazon. DDG’s supply chain is far more evil than Startpage’s.

Qwant is worse than both DDG & SP b/c it treats tor users with hostility. Qwant and DDG both source from MS Bing, and I find MS a more evil force in the world than Google. I’m not just talking about privacy but also involvement in fossil fuels and private prisons.

Even by your standard of trusting the privacy policy, DDG is a fail. DDG has already been caught violating their own privacy policy.

W.r.t threat models, an appropriate threat model for most people is to at a bare minimum control for mass surveillance, since we’re all impacted by it. DDG directly pushes CloudFlare sites to users and its supply chain is infested with PRISM corps and other mass surveillance entities.

see https://lemmy.ml/post/31321

Runnaroo’s IP is owned by Google according to my records, although the “Cloud Firewall” add-on says it’s owned by Amazon. Either way, that’s not good.

BTW, ycombinator is has ties to Peter Thiel and runs on Amazon AWS, so not a good link to share publicly.

I think rejecting spam is better compared

Hold on… we’re talking about ham here not spam. Should the large corporations be dictating terms, so small providers and self-sufficient people cannot self-serve and be in control of their own data?

When outlook.com refuses an email on the basis of IP reputation alone, corporate interests prevail and the little guy is forced to dance for them. I will not dance for them. And I will not share every outbound message with a corporate 3rd party. This is why I run my own mail server. EFF wrote a good article on collateral damage done by this brain-dead anti-spam practice.

The smart and RFC-compliant approach is to accept every RFC-compliant msg (interoperability is the purpose of RFCs and they’ve broken that). Smart recipients score the message and IP reputation is only 1 of many factors for assessing whether something is spam. When a service uses IP reputation alone, it’s crude and reckless because it blocks ham and other factors get ignored, resulting in a poor judgement.

That’s probably the most comprehensive ESP data I’ve seen. Here’s a few that are missing:

• mail2tor (claims to have imap and smtp service but they’re broken… effectively it’s web-only, and i think clearnet inbound mail does not work)
• onionmail.info (imap,pop3,onion host forces use of self-signed SSL cert which is kind of silly)
• elude.in (used to have free pop3 or imap but jerked the rug out from free-riders w/out warning)
• underwood (Tor only [both directions])
• wiremail
• torbox (Tor only [both directions])

I would like to see some columns to cover whether a service can send or receive to/from tor and clearnet networks. Some onion services can receive clearnet and some cannot (as they only give you a .onion email address). I don’t think I’ve found any clearnet email providers that can handle sending to .onion email addresses - which means a non-tor user cannot email someone with an .onion address.

This would be useful to keep track of.

Gmail is has “Softfail” for the SPF. I don’t think that’s accurate. I run my own mail server on a dynamic IP, and gmail usually instantly rejects my connection. I’d speculate this happens about 90% of the time. Perhaps the other 10% is a softfail (msg is accepted but then sent to recipient’s spam box).

It’s a shame that “reject” is coded green. It’s evil when SPF settings reject messages from dynamic IP addresses in an incompetent bid to block spam in a way the recklessly causes collateral damage to legit self-hosters. This ultimately forces senders to share their outbound email with yet another 3rd party, which is an attack on privacy. It also helps large corporations keep a stranglehold on the whole email industry.

I will not email outlook or gmail users. I tell them if they want email from me they have to switch to a service that works… that respects the RFC. It breaks email to reject RFC-compliant messages purely on the basis of IP reputation.

I’ve been boycotting EasyJet because they 403 Tor users. Interesting to see their collateral-damage prone security methods have failed them anyway.

#PoeticJustice

Tor Browser is a tool for achieving anonymity while using services are actively trying to identify you. If every service had a perfect record of no-logging, no-tracking and no-fingerprinting then the Tor project would be obsolete.

You’re conflating Tor and its network with Tor Browser, which is an optional browser client for the web. Tor serves purposes beyond anonymity. Tor also conceals metadata from your ISP, not just the service. Tor also conceals your whereabouts – and gives you the option to appear in a different location of your choice. If I’m in India trying to buy airfare from California to London, some airlines try to be smart and guess your location as a basis for where to make the sale and consequently force you to use Indian money and payment methods. Tor can make you appear to be in California to make the transaction possible. Some merchants try to restrict sales to the country they operate in. E.g. sears.com will show you the door if you access it from outside the US, when in fact you may be travelling out of the country looking to do transaction within the US.

DDG is not capable of any serious direct attacks on Tor identification and if you have evidence showing the contrary please share it here.

DDG and DDG’s privacy-abusing partners all profit from advertising. The metadata has value to marketers so all contributions to that data ultimately feeds the bottom line – and thus feeds privacy abusers (Amazon, Verizon/Yahoo, Microsoft). Data is worth more than oil. The mere use of Tor is itself immediately evident to DDG simply from the IP address, and that data is also worth money. And that’s before we even begin to discuss the browser prints.

Tor cannot change the fact that DDG was caught using tracker cookies,

This is intentionally obtuse and you know it. I’m obviously not arguing that the Tor project can change anything about DDG internally, but it’s cookie policy and identity resetting feature prevent DDG from linking multiple sessions together (and you should not be doing multiple unrelated activities in the same browser without a reset, as they advise.)

You’ve argued that Tor eliminates all direct privacy abuses from DDG that were enumerated in the referenced article. This shows a fundamental misunderstanding of how cookies work. The Tor network does nothing to cause or hinder cookies. The Tor Browser honors cookies (if it didn’t, you wouldn’t be able to login to websites). Users can take extra steps with any browser to mitigate abuses with cookies but this has nothing to do with Tor.

DDG relies on users trusting them. Most DDG users trust DDG, and thus didn’t generally do anything special to mitigate tracker cookies when DDG was pushing them. DDG has proven to be untrustworthy, and Tor Project is still directing users to it.

Tor does not prevent fingerprinting.

Tor browser is the most developed anti-fingerprinting project out there.

You’re conflating Tor with TB here by quoting a comment about Tor. You should have addressed what I said just after that (about Tor Browser), b/c I’ve already addressed this. While I agree that TB has the best FP resistence, this does not support your thesis.

You’ve lost track of the thread and your line of reasoning. You’re trying to advocate Tor Browser defaulting to DDG on the basis that Tor eliminates privacy abuse arising out of DDG use. When in fact Tor has the same effect on any search service. The same reasoning would just as well support Google as a default search engine.

The problem is that default search serves as an endorsement by a trusted authority. And it’s more than that, because users who aren’t meticulous or don’t care about endorsement will actually use the default b/c they either can’t be bothered to change it, or they don’t know how. If you can’t see the privacy abuse then you’re not following the money.

ACLU, EFF, & Tor all pre-date Paypal’s existence.

How’s that relevant?

It’s proof that they are capable of surviving without Paypal.

Now PayPal is ubiquitous and they depend on it.

It’s an unnecessary dependency – and it’s a stretch to call it a dependency at all. You’d do better to argue that banks are essential. But certainly not Paypal. Paypal is replaceable by already existing payment methods.

PayPal contributes a huge portion of their donations. Judging by the use of the word most I would assume that over half. But that’s not relevant. What’s important that PayPal is hugely important for their monetary survival.

This is non-sequitur logic. It does not follow that because most donations are via Paypal, that absence of Paypal implies those donations go to zero. Those donations simply take a different path in the absence of Paypal. Now the case of Wikileaks is special because banks and credit cards cooperated in the blockade at the same time, so the normal alternate paths were shut down as well.

I extend this logic from WikiLeaks to ACLU, EFF etc because I think it would be reasonable to assume that WikiLeaks donations sources are representative, and thus can be applies to other organizations.

Even if you were able to establish that Wikileaks can’t survive without Paypal, it would not extend to ACLU or EFF, which are American orgs not in the slightest at risk of a blockade. ACLU and EFF both have US bank accounts, and so do the Paypal donors. In the US Paypal is 100% redundant.

My point was that Tor already has one shady donor, so why would they accept/deny donations from other unethical organizations/sources?

It’s a red herring. While every single Paypal donation acts as an enabler for Paypal and directly generates data for abusive sharing, payments from the government do not pose a direct, tangable, obvious compromise on civil liberties. Perhaps you can speculate that Tor does favors in return, but you’d have to elaborate on what those favors are and whether they compromise civil liberties. Either way, it’s irrelevant to this discussion. Even in the most perverse case scenario, such payments still do not support a case for Paypal donations. This is just grasping at straws.

But that doesn’t really contradict my point which is that however unethical PayPal is, a lot of projects/organizations depend on it, because PayPal is convenient to use, and thus a lot of people use it, and so it becomes a major source of income for many of the aforementioned organizations projects, and so they can’t stop accepting donations via it.

In the face of many options, people choose the most convenient, for the most part. When you eliminate the most convenient payment option, they will still choose the most convenient option. The high numbers are nothing more than a testament to what a majorty of people find most convenient and this has fooled you to think it’s essential. It is not.

Because otherwise they would have virtually no money at all, and thus shut down

ACLU, EFF, & Tor all pre-date Paypal’s existence. No, they don’t “need” Paypal for survival.

(see what happened when WikiLeaks when major payment providers blocked them), because, unfortunately, almost everyone uses those payment methods at the moment.

This proves my point. Wikileaks was not just blocked by Paypal, it was blocked by credit cards as well. Despite the massive blockade, Wikileaks survived.

Paypal is the biggest offender of payment blockades (particularly political in nature and biased in favor of Peter Thiel’s right-wing agenda), which only advances the point that we have an ethical duty to shrink Paypal.

And if you think about the word ethical, what would you qualify as so?

By my own standard it’s unethical for any org or person to accept Paypal, but I’m not applying my own standards here in the context you’re replying to. I’m applying the standards of the orgs themselves. Paypal works against ACLU’s own mission. Paypal works against EFF’s own mission. Notice that I did not name countless vendors of electronics, bicycle parts, etc that accept Paypal, because Paypal doesn’t contradict their mission.

It’s one thing to hold everyone to your own standard, but if you can’t hold an organization to their own ethical principles something is wrong.

I mean, their main sponsor by far is CIA, what else is here to say?

First of all, the Navy invented Tor, so if you have a problem with a nation having an intelligence agency or military then you’re advocating against Tor’s creator.

There are countless free software projects that operate without a dime because people who need that software have an interest in contributing maintenance code. If Tor Project were to hypothetically get zero funding, you might see little or no outreach programs, Tor stickers, and marketing frills, but the software would live on.

I don’t have a bank account, nor do I have PayPal, so I’m not really sure about that, but from what I know it’s a lot more convenient to pay with PayPal than it is to pay from a traditional bank account. But again, not sure about this…

Convenience is the top rationalization for unethical conduct and transactions. It also has the least merit.

lol what? How? I mean, you really only need to leave your Bitcoin address… that’s weird…

Things have changed, so my comment is no longer relevant. In the past, Tor Project did not publish a BTC address. Donors were forced to go to a CloudFlare site and do the transaction through a 3rd party (bitpay.com). It was an absolute embarrassment for Tor Project and there was a long bug report about it. The bug report lingered for years but it seems to have been deleted– likely due to the embarrassment. They claimed that they could not simply let BTC enter because they need to make a tax declaration on what they receive, and the tax declaration must be in a national currency. So they used a 3rd party who instantly converted all their bitcoin donations into national currency for accounting purposes. They foolishly chose a CloudFlare site to do that. Seems to be history now. They are using btcpayserver.org and superficially i see no issues there.

It’s worth noting that Tor Project has a record of not eating their own dog food. Apart from subjecting ppl to CloudFlare sites, their bug tracker has a history of mistreating Tor users, and if you try to subscribe to their newsletter using an onion email address they can’t handle it.

All of the mentioned issues with DDG relating immediately to the user in the thread you linked are circumvented by the Tor browser.

That’s not true, nor would it suffice if it were true. I’ll deal with the truthfulness first:

• Tor cannot change the fact that DDG was caught using tracker cookies, nor does Tor prevent the storage and transmission of cookies of any kind (be it session cookies or tracker cookies).
• Tor does not prevent fingerprinting. A specific browser (Tor Browser, should you choose to use it) can resist fingerprinting but it’s not fool proof. Anti-fingerprinting is lost when a user installs browser plug-ins.
• Tor cannot change the fact that DDG includes your language with the session data that it collects.
• Tor does not prevent DDG from sharing your session data with advertisers.
• Tor cannot prevent DDG from producing Tor-hostile CloudFlare sites in the results. Tor is useless against data CloudFlare collects on all traffic (including HTTPS traffic with user creds).

It’s also insufficient to disregard issues that do NOT “relate immediately” to the user. Of the tens of privacy abuses cited in that article, there is exactly one bullet point that does not directly affect Tor users. Let’s do a walk-through: Tor cannot change history, so Weinburg’s history of privacy abuse does not change. Tor cannot prevent DDG from blacklisting Framabee. All of the abuses w.r.t CloudFlare are actually more acutely exaserbated for Tor users, and in fact deanonymization of Tor users arise out of CloudFlare. Tor does not circumvent DDG’s censorship of anything, including the threesome injunction. Tor does not stop DDG from partnering with other privacy abusers like Amazon & Verizon. Tor does not prevent DDG from abusing a spot at FOSDEM to market their service.

The user is not forced to use DDG

This is irrelevant. The issue is that DDG’s money bought influence, and it worked. Torproject is abusing the public trust and exploiting its perceived credibility.

and frankly shipping with DDG puts them ahead of every major browser project.

Nonsense. A privacy-centric browser does not “get ahead” by endorsing a privacy abuser – most especially one that masquerades as a privacy champion. Tor project is playing a significant part in proliferating DDG’s falsely positioned marketing. And it only cost DDG $25k.

The EFF have done so much important legal work for the wide-adoption of Tor in the US. They should be applauded for this and I’m not sure why you bring up being close to the EFF as though it’s a bad thing.

I never said it was “a bad thing”. It’s important to understand the effect of that relationship. When one project sells out it enables the corruption to spread to other partners.

Sure it has. First of all, there is the same effect when the NRA donates money to a republican candidate. There doesn’t need to be an explicit reciprocity agreement for a senator to realize they need to please the NRA. And when a senator takes an action that benefits the NRA, they can make countless excuses citing other (official) reasons for their action. This is the same for any org that receives donations.

DDG, who is falsely positioned as privacy respecting gave $25k to Tor Project, who then endorses DDG and maintains DDG as the default search engine on Tor Browser. The effect is directly evident. DDG also leads users straight to the prime adversary of the Tor community: CloudFlare.

Tor Project is also very tight with EFF. If they were any tighter they’d be the same org. And so you will find that EFF also endorses DDG despite its history of wrongdoing.

correction: these projects need as much money as they can ethically get. When their mission is inherently ethical in nature, tossing out ethics (ethics of their own mission) defeats their own purpose and undermines their credibility. They’re subjecting unwitting donors to civil liberties abuses. You don’t do that to your supporters – the people trying to help out.

ACLU and EFF only need money from Americans, since they only benefit Americans. They must have US bank accounts to deposit the Paypal money into, and their US based donors also necessarily have US bank accounts. So check & ACH wire are inherently available. And in most cases credit card is also a common option for US-based donors & recipients. Adding Paypal is purely adding to the privacy abuse.

Tor Project are simply sellouts. They never turn down money. They’ve accepted donations from DDG and Reddit. Tor Project has a strong presence in the US and Germany. Nixing Paypal does not hinder conventional US or European payment methods. I’m not sure how much of their funding comes from Russia or Asia but at a very minimum they could restrict the Paypal option to the regions that need it. Note as well the Torproject accepts bitcoin and they do so in a manner that ironically subjects donors to a CloudFlare site (the top adversary of the Tor Project). They’re simply reckless.

FSF is essentially US-based and serving the US. FSFE covers Europe. Other regions benefit incidentally from FSF, FSFE,Protonmail, & Framasoft. In any case, they too could limit Paypal to non-US-EU payments.

I’m always disgusted when I see projects centered on civil liberties who accept Paypal. In particular, these organizations should be ashamed of using Paypal:

• ACLU
• EFF
• Tor Project
• FSF – they try to discourage Paypal with: “(not recommended: requires nonfree JavaScript)”, but really they shouldn’t be accepting it
• Pinephone store – exclusively Paypal! You can’t buy a phone without it!
• Protonmail
• Thinkprivacy – would be foolish to donate here anyway
• Framasoft

I can’t upvote b/c the headline is wrong. But it’s a good story.

Nothing in that article says that Munich is switching back to anything linux based. It only says that Munich stands behind the “Public Money - public code” paradigm that started in Italy. This simply means that if Munich writes any code itself, then it will be open source (and it need not run on linux). This principle is meant to prevent a government from directly developing closed source software. Munich is still free to use public money to buy existing closed-source COTS software, and Munich will likely continue with its commitment to Microsoft.

If Munich were to switch back to Ubuntu, this would be much bigger news.

it’s also worth noting that Session is founded and staffed by alt right people.

Signal does not accept non-mobile phone numbers.