Re: Password Pro Facebook Hack V 1.5 2012 Key.torrent


Brie Hoffler

Jul 12, 2024, 12:46:50 AM
to inexinin

Today Facebook unveiled its hidden service that lets users access their website more safely. Users and journalists have been asking for our response; here are some points to help you understand our thinking.

I didn't even realize I should include this section, until I heard from a journalist today who hoped to get a quote from me about why Tor users wouldn't ever use Facebook. Putting aside the (still very important) questions of Facebook's privacy habits, their harmful real-name policies, and whether you should or shouldn't tell them anything about you, the key point here is that anonymity isn't just about hiding from your destination.

There's no reason to let your ISP know when or whether you're visiting Facebook. There's no reason for Facebook's upstream ISP, or some agency that surveils the Internet, to learn when and whether you use Facebook. And if you do choose to tell Facebook something about you, there's still no reason to let them automatically discover what city you're in today while you do it.

Also, we should remember that there are some places in the world that can't reach Facebook. Long ago I talked to a Facebook security person who told me a fun story. When he first learned about Tor, he hated and feared it because it "clearly" intended to undermine their business model of learning everything about all their users. Then suddenly Iran blocked Facebook, a good chunk of the Persian Facebook population switched over to reaching Facebook via Tor, and he became a huge Tor fan because otherwise those users would have been cut off. Other countries like China followed a similar pattern after that. This switch in his mind between "Tor as a privacy tool to let users control their own data" to "Tor as a communications tool to give users freedom to choose what sites they visit" is a great example of the diversity of uses for Tor: whatever it is you think Tor is for, I guarantee there's a person out there who uses it for something you haven't considered.

I think it is great for Tor that Facebook has added a .onion address. There are some compelling use cases for hidden services: see for example the ones described at using Tor hidden services for good, as well as upcoming decentralized chat tools like Ricochet where every user is a hidden service, so there's no central point to tap or lean on to retain data. But we haven't really publicized these examples much, especially compared to the publicity that the "I have a website that the man wants to shut down" examples have gotten in recent years.

So I am excited that this move by Facebook will help to continue opening people's minds about why they might want to offer a hidden service, and help other people think of further novel uses for hidden services.

Another really nice implication here is that Facebook is committing to taking its Tor users seriously. Hundreds of thousands of people have been successfully using Facebook over Tor for years, but in today's era of services like Wikipedia choosing not to accept contributions from users who care about privacy, it is refreshing and heartening to see a large website decide that it's ok for their users to want more safety.

As an addendum to that optimism, I would be really sad if Facebook added a hidden service, had a few problems with trolls, and decided that they should prevent Tor users from using their old address. So we should be vigilant in helping Facebook continue to allow Tor users to reach them through either address.

The short answer is that for the first half of it ("facebook"), which is only 40 bits, they generated keys over and over until they got some keys whose first 40 bits of the hash matched the string they wanted.

So to be clear, they would not be able to produce exactly this name again if they wanted to. They could produce other hashes that start with "facebook" and end with pronounceable syllables, but that's not brute forcing all of the hidden service name (all 80 bits).

For those who want to explore the math more, read about the "birthday attack". And for those who want to learn more (please help!) about the improvements we'd like to make for hidden services, including stronger keys and stronger names, see hidden services need some love and Tor proposal 224.

Facebook didn't just set up a hidden service. They also got an https certificate for their hidden service, and it's signed by Digicert so your browser will accept it. This choice has produced some feisty discussions in the CA/Browser community, which decides what kinds of names can get official certificates. That discussion is still ongoing, but here are my early thoughts on it.

Against: Tor's .onion handshake basically gives you all of that for free, so by encouraging people to pay Digicert we're reinforcing the CA business model when maybe we should be continuing to demonstrate an alternative.

In favor: Actually https does give you a little bit more, in the case where the service (Facebook's webserver farm) isn't in the same location as the Tor program. Remember that there's no requirement for the webserver and the Tor process to be on the same machine, and in a complicated set-up like Facebook's they probably shouldn't be. One could argue that this last mile is inside their corporate network, so who cares if it's unencrypted, but I think the simple phrase "ssl added and removed here" will kill that argument.

So I haven't made up my mind yet about which direction I think this discussion should go. I'm sympathetic to "we've taught the users to check for https, so let's not confuse them", but I also worry about the slippery slope where getting a cert becomes a required step to having a reputable service. Let us know if you have other compelling arguments for or against.

In terms of both design and security, hidden services still need some love. We have plans for improved designs (see Tor proposal 224) but we don't have enough funding and developers to make it happen. We've been talking to some Facebook engineers this week about hidden service reliability and scalability, and we're excited that Facebook is thinking of putting development effort into helping improve hidden services.

And finally, speaking of teaching people about the security features of .onion sites, I wonder if "hidden services" is no longer the best phrase here. Originally we called them "location-hidden services", which was quickly shortened in practice to just "hidden services". But protecting the location of the service is just one of the security features you get. Maybe we should hold a contest to come up with a new name for these protected services? Even something like "onion services" might be better if it forces people to learn what it is.

We've been debating the names a lot lately -- I'm increasingly a fan of "the private web", as contrasted with the public web which is based on tracking you and profiting from that. It mixes together the security properties the user gets from Tor with the security properties the site gets from Tor. But you need both, so I'm ok with that.

The other developer, Chris, along with myself, have never been too happy with the name of the project and the connotations of "darkweb" (especially that iceberg picture, ugh). Problem is, neither of us can think of a name that describes what the project does any better than dwe. "privateweb-everywhere" might be a good alternative, but I don't know how the user might see this. What if a user loads our "privateweb" extension into their normal browser expecting it to function the same? It would break the internet for them pretty catastrophically. We are totally open to suggestions on how to rename this project though!

I checked out the list, it's awesome, and I think it's a great idea, but there's one concern: JavaScript may be enabled when visiting the onion version, which might be a security and privacy issue (the leaks and anonymity websites might be hacked and malwared to inject spyware and the like into the visitors' devices, so it's always a good idea to visit them via Tor with JavaScript disabled).

Another thing, many of the websites have https support, so it would be great if you contact them and ask them to include their onion address in the certificate (like Facebook did), which adds https on top of Tor's encryption, increasing security and privacy.

Also, i2p isn't included in TorBrowser, so you might want to make a separate addon for i2p as it might be just a waste of storage and an unnecessary increase in size of the browser without any usability.

Dude, the user will visit the same website; if it is hacked, it doesn't matter whether it's hidden or clear web. But otherwise there is no difference between visiting either website with JavaScript. But actually clearnet is worse because it could be MITMed by three letter agencies.

Including the site in their HTTPS cert is actually something I personally hadn't considered until Facebook threw their .onions into their cert. I wasn't even sure a CA would issue a cert for a .onion until Friday!

The i2p rules were kept separate until this afternoon after a discussion with Chris. It's easier to maintain a single directory of rules and keep them turned off than what we had, which was several smaller directories. The size of the extension didn't increase all that much, since we are talking about KB of a difference.

In terms of combating total commercial overtake of the public internet, I've recently come to think of and refer to what you term the public web as the corporate web. I really believe that one should be very careful here with terms, as it would seem that Facebook is making inroads into "the private web".

As Facebook's business model is corporate surveillance (based on tracking you and profiting from that), this is a step towards merging the public and private webs and so leads towards the private web becoming commercialised.

In the real world, there are those with unbending dedication to their ideas who spend lifetimes aggravated that the world won't change for them. Then there are people who figure out how to implement ideas in our imperfect world. Names frame ideas and color perceptions and are truly important. And politicians use names like "patriot act" for that very reason. It worked. Better to make a real and positive difference with a little merchandising than to complain all day and die without impact.
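
The name search described in the message above (keys generated over and over until the first bits of the hash match a chosen string), as an added example that is not part of the original post or of Tor's code. It assumes the v2-style derivation of a name as the base32 of the first 80 bits of a SHA-1 hash; the candidate "keys" are constructed byte strings standing in for real public keys, and all function names are hypothetical.

```python
import base64
import hashlib
from itertools import count

BITS_PER_CHAR = 5    # base32 has 32 symbols, so each character carries 5 bits
V2_NAME_BITS = 80    # the full name is 80 bits, i.e. 16 base32 characters


def onion_name(pubkey_bytes: bytes) -> str:
    """v2-style name: base32 of the first 80 bits of SHA-1(public key)."""
    digest = hashlib.sha1(pubkey_bytes).digest()
    return base64.b32encode(digest[: V2_NAME_BITS // 8]).decode().lower()


def expected_attempts(prefix: str) -> int:
    """Average number of keys to try before one hashes to this prefix."""
    return 2 ** (BITS_PER_CHAR * len(prefix))


def find_prefix(prefix: str, max_tries: int = 1_000_000):
    """Try candidates until the derived name starts with `prefix`.

    Each candidate is a constructed byte string (assumption); a real
    search would generate a fresh key pair on every iteration.
    Returns (name, tries), or None if max_tries is exhausted.
    """
    for tries in count(1):
        if tries > max_tries:
            return None
        name = onion_name(b"constructed-key-%d" % tries)
        if name.startswith(prefix):
            return name, tries


if __name__ == "__main__":
    name, tries = find_prefix("fb")
    print(f"{name}.onion found after {tries} tries "
          f"(average for 2 chars: {expected_attempts('fb')})")
    # Cost grows by a factor of 32 per extra character: the 8-character
    # "facebook" prefix is 40 bits, the whole 16-character name is 80 bits.
    for p in ("fb", "face", "facebook", "a" * 16):
        print(f"{len(p):2d} chars = {BITS_PER_CHAR * len(p):2d} bits "
              f"-> about 2^{BITS_PER_CHAR * len(p)} keys")
```

A two-character prefix turns up after roughly a thousand candidates, while each further character multiplies the work by 32, which is why matching "facebook" (40 bits) was practical and matching the whole 80-bit name is not.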
