Re: [tor-talk] Tor and Google error / CAPTCHAs.

[Mirimir]

On 09/27/2016 03:45 AM, Alec Muffett wrote:
> On 27 September 2016 at 09:42, Mirimir  wrote:
> 
>> On 09/27/2016 01:39 AM, Alec Muffett wrote:
>>> On 27 September 2016 at 06:42, grarpamp  wrote:
>>> In such circumstances they are not actually looking at you / what you are
>>> searching for. They are looking at the behaviour of all traffic, of
>>> everyone and everything else which emanates from that exit node.
>>
>> Are they even doing that? It's my impression that they're just looking
>> up the IP address in some list that includes all Tor exit relays. But
>> yes, I get how that's arguably enough, in that all Tor exits will on
>> average look alike.
>>
> 
> Exactly, especially since circuits rotate around exit nodes fairly rapidly.
> 
> And eventually someone has to write the code which says "This IP is
> emanating bad stuff, but it is currently a Tor node, so just put it on the
> naughty step for a few minutes until it calms down, rather than blocking it
> for a longer period."

That would be an excellent development. So I was wrong. Maybe there is a
resolution to the conflict :) Or at least, as long as jerks are a
minority among Tor users.

> Once someone has done _that_, then the organisation is on the path to
> caring about the real people who access the site over Tor, and finding
> better solutions.

Right.

>> I can't imagine any resolution to this. Anonymity is Tor's key goal.
>> There are jerks who need anonymity. And there are providers who want to
>> exclude jerks. If you want Tor's "anonymity", and you want to evade
>> discrimination against Tor users, you need to avoid identification as a
>> Tor user. What else?
> 
> 
> Exactly.  This manifests where folk on Twitter complain that "zomg i'm
> using the onion site and it's blocked me!" - when in fact some perhaps code
> is running - code that someone took the time to write - to learn/remember
> that you are a person who logs-in over Tor, that you really are who you
> claim to be, and that this is all "okay".
> 
> Otherwise the first time that someone logs-in from a Tor exit node might be
> someone using Tor to experiment with your credentials, which they phished
> off you via an e-mail, or something. (This is another popular misuse of Tor
> from the perspective of the big platforms.)
> 
> It is definitely a _tough_ problem.

That is a _much_ harder problem. Because people who want an account, but
want to obscure their true identity, don't look that different from
people who might have stolen their credentials. Usernames and passwords
are easily stolen, so sites have been using cellphone accounts. But in
many places, it's hard or impossible to get cellphone accounts that
aren't linked to identity. And even when it is, device tracking and poor
OpSec render that moot. And India's move to biometrics-based IDs is even
worse.

I'm a pretty technical guy, and it's been years since I managed to get a
Facebook account for a persona. But I see that bogus and stolen Facebook
accounts are available in bulk from criminals, marketed to criminals. Or
at least, to advertisers ;)

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and Google error / CAPTCHAs.

[Mirimir]

On 09/27/2016 07:21 PM, Jeremy Rand wrote:



> ... In contrast, almost every time I try to do a Google Search, I get a
> CAPTCHA (and if I try to complete the CAPTCHA, I usually fail many times).

With Google search, I often get an outright denial of service, even
after passing the CAPTCHA and submitting the search request. But then,
I'm typically using the highest security setting. So damn, I really miss
the Google option in Disconnect :(


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and Google error / CAPTCHAs.

[Mirimir]

On 09/27/2016 06:50 PM, Joe Btfsplk wrote:



> Sometimes, they start renewing pictures in the [CAPTCHA] array
> that I've already checked, before I get to the end & submit.  I
> tried doing it faster - they replaced them faster.
> Obvious they didn't want Tor users on those types of sites.

That CAPTCHA type has become common. The instructions say to keep
selecting rivers/address numbers/storefronts until no more appear. There
can be many reoccurrences per changing box, even ten or more. But only
2-4 boxes change, and the ones that you don't select don't change. So
the whole process goes pretty quickly. It's _much_ easier than those old
distorted-character CAPTCHAs :)
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and Google error / CAPTCHAs.

[Jeremy Rand]

Joe Btfsplk:
> On 9/26/2016 11:57 PM, Jeremy Rand wrote:
>> If it matters, I usually have Tor Browser in Medium-High security level,
>> so Javascript is enabled for HTTPS sites (including Google Translate).
>>
>> Cheers,
>> -Jeremy
>>
> Yep, mine can be in Med or Med High security, and a lot of captcha's &
> other features don't work reliably.  Even if allow all scripts for the
> page.
> Sometimes it does work.
> 
> The times - as a test - I immediately visited the same sites w/ firefox
> (immediately going to same site probably isn't a good idea, if strict
> anonymity is required) & same NoScript settings -AFAIK, plus had AdBlock
> and / or Ghostery running, the captchas or page features usually worked
> right away.  I'm convinced that sometimes, it's just Tor Browser they
> don't like, or certain countries of exit relay, or certain IPa ranges. 
> I've repeated it enough to know it's not a fluke.
> For a fact, I know it's mostly *not* because I incorrectly solved the
> captcha, which they often say.
> 
> Sometimes, they start renewing pictures in the array that I've already
> checked, before I get to the end & submit.  I tried doing it faster -
> they replaced them faster.
> Obvious they didn't want Tor users on those types of sites.

For me, I cannot remember getting a CAPTCHA when visiting Google
Translate via Tor Browser in Medium-High security mode.  If it's ever
happened, it was many, many months ago.  In contrast, almost every time
I try to do a Google Search, I get a CAPTCHA (and if I try to complete
the CAPTCHA, I usually fail many times).

So I'm rather surprised to hear that other Tor Browser users are having
trouble with Google Translate.  Admittedly, I'm not a heavy user of
Google Translate, but it sounded like hikki was saying that they were
always blocked, which doesn't match my experience at all.

I'm really curious if there's some other interesting variable that could
explain the discrepancy that we're not thinking of.  But given that Tor
Browser is intended to be non-fingerprintable, I'd think there shouldn't
be any such variables.

Strange.

-Jeremy



signature.asc
Description: OpenPGP digital signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and Google error / CAPTCHAs.

[Joe Btfsplk]

On 9/27/2016 9:57 AM, blo...@openmailbox.org wrote:



This is exactly my issue. If I login to my Gmail or FB account then
invariably Gmail or FB thinks I am a suspicious person hence "Something
seems a bit different about the way you're trying to sign in. Complete
the step below to let us know it's you and not someone pretending to be
you" or worse "Google couldn't verify it's you, so you can't sign in to
this account right now." In the FB case, I am asked to identify my
"friends" half of whom have baby photos or the image is unclear..
Sometimes I get them wrong and am locked out for a few hours. And this
is when connecting via the FB .onion address.

IMO, and I am curious to know what Alec thinks, Google, FB, etc are
creating far too many false positives. Googling "Something seems a bit
different about the way you're trying to sign in" results in numerous
cases where innocent users have been locked out.

Two questions:

Is there a way that using an exit node for Gmail, FB, etc will not be
considered suspicious? Is that even possible?
I can't say about Gmail today (I hope you're not trying to use it w/ 
Tor, hoping for anonymity).
But w/ other login sites that balked at Tor, forcing a exit relay in 
same country that you signed up from, sometimes fixed the messages like, 
"We've detected unusual behavior...  Give us your home phone & address & 
we'll call you." :D   Sometimes even Startpage, DDG, etc. will pop a 
captcha.  I wonder why, until I look at the exit country & it's China or 
Uzbekistan or such.  After I change that to a country less known for 
cybercrime, no more capthcas on those sites.


Is it possible to use a different proxy way to access Gmail, FB, etc
without being seen as suspicious? For example, one could use proxychains
with Tor followed by a SOCKS proxy to login.
Probably depends on the proxy.  You could try, but I'm guessing that's 
what a lot of spammers & scammers try.  Gmail has pretty strict rules to 
try & prevent fraud (keep a good reputation). They don't want to lose 
many users, or they don't get to scan the email & scrape the private 
data.  Would be financial loss, so they don't want other ISPs or sites 
blocking gmail.


It's hard to sign up for gmail w/ Tor.  They want SMS authentication, 
which is usually going to blow most users' anonymity.
By contrast, if you create an acct w/ non-Tor browser, then access it w/ 
TBB, that accomplishes nothing - as for anonymity.


Only creating an acct w/ TBB & then *never* accessing it w/ anything 
else (& not having addons or plugins that might leak IPa) will 
accomplish anonymity.  For Tor Browser email, it just seems a better 
idea to start w/ a provider that's both Tor friendly AND privacy / 
security conscious.  That's not google.


Even then, I'm not sure.  What if you get an email - via TBB, that 
mentions your real name, or is from someone in your town - using their 
real IPa - saying, "come on over tonight, to 123 Oak St.," or gives 
their phone #, etc.?  Then the mail provider effectively knows which 
town you live in, at minimum.  The right agencies can then cross 
reference that person's contacts - if they want.  And then probably the 
national security agency know all that.


In both cases above (exit node and exit node plus SOCKS) we assume that
the IP address more or less matches the "normal" non-proxy login. I am
in Paris and use a Paris exit node and a Paris SOCKS proxy for example.

Finally, thanks for participating in this discussion. It is rare to have
people who work or used to work at the major webmail and social media
companies from a) getting involved and b) providing a nuanced (not
anti-Tor) perspective.


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and Google error / CAPTCHAs.

[Joe Btfsplk]

On 9/26/2016 11:57 PM, Jeremy Rand wrote:

If it matters, I usually have Tor Browser in Medium-High security level,
so Javascript is enabled for HTTPS sites (including Google Translate).

Cheers,
-Jeremy

Yep, mine can be in Med or Med High security, and a lot of captcha's & 
other features don't work reliably.  Even if allow all scripts for the page.

Sometimes it does work.

The times - as a test - I immediately visited the same sites w/ firefox 
(immediately going to same site probably isn't a good idea, if strict 
anonymity is required) & same NoScript settings -AFAIK, plus had AdBlock 
and / or Ghostery running, the captchas or page features usually worked 
right away.  I'm convinced that sometimes, it's just Tor Browser they 
don't like, or certain countries of exit relay, or certain IPa ranges.  
I've repeated it enough to know it's not a fluke.
For a fact, I know it's mostly *not* because I incorrectly solved the 
captcha, which they often say.


Sometimes, they start renewing pictures in the array that I've already 
checked, before I get to the end & submit.  I tried doing it faster - 
they replaced them faster.

Obvious they didn't want Tor users on those types of sites.

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] is it me or did tor talk get really quiet?

[Joe Btfsplk]

On 9/26/2016 7:07 PM, Moritz Bartl wrote:

On 09/26/2016 09:02 PM, Joe Btfsplk wrote:

Some may say they still get several tor-talk emails / day  and I do, too.

But several current, relevant technical questions I've asked about Tor
issues get no comments.
Questions I'm pretty sure a lot of people would be interested in. And
that at least some advanced users would have partial answers or
suggestions for, but not a peep.
This is in stark contrast to the past on this list.

At times, it almost seems that many knowledgeable people gave up or moved.
Need to find where the cool kids are hanging. :)

Some of it has moved to more specific lists like
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-onions and
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-project
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays . I
know you, Joe, are aware of that, but others who follow this thread
might not be so I wanted to mention it.


Thanks Moritz.  I was aware of some, but not all.  I'm a bit confused.
The subject matter for tor-onions and tor-relays lists are pretty obvious/./

But the tor-project link says,
"About tor-project
Moderated discussion list for tor contributors..."  [ellipsis is included]

/"How do I get permission to post to tor-project@
Just ask. Anyone is allowed to watch, but *posting is restricted* to 
those that actively want to make Tor better."/


What does "for tor [Sic] contributors" mean, exactly, or "those that 
actively want to make Tor better?"


Is tor-project list not for fairly advanced users, or bug filers, or 
those giving more to the community than just asking questions (but never 
contribute useful input)?  Or is it only for devs or people providing 
highly technical input (e.g., providing code suggestions or highly 
technical bug work arounds, etc.)?


Is tor-talk now for the most basic beginner questions / answer / 
discussion?  If still for technical issues and fairly technical people 
rarely visit it, there may be mostly questions & few answers.  Is this 
partly because on tor-talk, numerous times that unmoderated discussions 
strayed from Tor issues?


--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and Google error / CAPTCHAs.

[Alec Muffett]

On 25 September 2016 at 19:14, Alec Muffett  wrote:

> An organisation's response to scraping seems typically the product of:
>
> 1) the technical resources at its disposal
> 2) its ability to distinguish scraping from non-scraping traffic
> 3) the benefit to the organisation of sieving-out and handling the
> non-scraping traffic, rather than ignoring it all
>


Just to reinforce this a bit, it's not only the biggest/hugest names:

Why does @Airbnb not allow connections over Tor?
https://twitter.com/dosch/status/777602410978086912 (and thread)

I haven't actually tested this "block", nor do I have any special knowledge
of Airbnb, but I would expect them to suffer similarly from scraping & spam
sourced by people of bad intention who use Tor to hide their tracks.

I believe that I suggested "outreach", and perhaps "charm", as being
beneficial for turning companies from "victims of Tor" into "evangelists
for Tor"? :-) 

- alec

-- 
http://dropsafe.crypticide.com/aboutalecm
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor-friendly email provider

[nusenu]

>> https://trac.torproject.org/projects/tor/wiki/doc/EmailProvider
> 
> I don't understand the recommendation of this list for mail.ru
> 
>> BAD will lock your account later when using tor, no anon recovery
>> possible
> 
> mail.ru will look my account if I was using Tor and this is recommended
> by TorProject.org for Tor user? Hmmm - 

just because something is on a wiki hosted on tpo it is not necessarily
endorsed or recommended by the Tor Project in any way.

And since you experienced problems with mail.ru you can easily move it
from the "good" section to the other section - it is a wiki after all..



signature.asc
Description: OpenPGP digital signature
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and Google error / CAPTCHAs.

[Alec Muffett]

On 27 September 2016 at 15:57,  wrote:

> On 2016-09-27 09:45, Alec Muffett wrote:
> Two questions:
>
> Is there a way that using an exit node for Gmail, FB, etc will not be
> considered suspicious? Is that even possible?
>

I feel that there's probably no silver bullet.

In some ways this is exactly what Mirimir posted about above - I think
there is much (much!) more to Tor than "Anonymity", but the architecture of
TorBrowser in particular revolts against long-lived session session cookies
and the other technologies which afford strong, trustable, long-term
concepts of authenticated communication between a browser and a site.

For more about this, the latter half of a video I did at a conference a
couple of years ago may be interesting:

  https://video.adm.ntnu.no/pres/54b660049af94

Summary: authentication is not just binary "I Have A Session Cookie!" any
more.


Is it possible to use a different proxy way to access Gmail, FB, etc
> without being seen as suspicious? For example, one could use proxychains
> with Tor followed by a SOCKS proxy to login.
>

If I understand you right (?) I think that was exactly the reason
we/Facebook set up the Onion site.  A Tor-sympathetic access mechanism,
more likely to be selected by human beings than folk pursuing the
scraperfriendly adequate location-anonymity which exit nodes provide.



> In both cases above (exit node and exit node plus SOCKS) we assume that
> the IP address more or less matches the "normal" non-proxy login. I am in
> Paris and use a Paris exit node and a Paris SOCKS proxy for example.
>

Check the video - it's not just "location".  Remember, when working in a
London office, employees of non-UK companies often ip-geolocate to being in
(eg:) USA, FR, NL, or JP; this _really_ confuses organisations (eg: The
BBC) who fee (or are) obligated to take geolocation overly seriously.



> Finally, thanks for participating in this discussion. It is rare to have
> people who work or used to work at the major webmail and social media
> companies from a) getting involved and b) providing a nuanced (not
> anti-Tor) perspective.


You're welcome! It's nice to share!

 -a

-- 
http://dropsafe.crypticide.com/aboutalecm
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and Google error / CAPTCHAs.

[blobby]

On 2016-09-27 09:45, Alec Muffett wrote:

On 27 September 2016 at 09:42, Mirimir  wrote:

Exactly.  This manifests where folk on Twitter complain that "zomg i'm
using the onion site and it's blocked me!" - when in fact some perhaps 
code
is running - code that someone took the time to write - to 
learn/remember

that you are a person who logs-in over Tor, that you really are who you
claim to be, and that this is all "okay".

Otherwise the first time that someone logs-in from a Tor exit node 
might be
someone using Tor to experiment with your credentials, which they 
phished
off you via an e-mail, or something. (This is another popular misuse of 
Tor

from the perspective of the big platforms.)

It is definitely a _tough_ problem.

-a



This is exactly my issue. If I login to my Gmail or FB account then 
invariably Gmail or FB thinks I am a suspicious person hence "Something 
seems a bit different about the way you're trying to sign in. Complete 
the step below to let us know it's you and not someone pretending to be 
you" or worse "Google couldn't verify it's you, so you can't sign in to 
this account right now." In the FB case, I am asked to identify my 
"friends" half of whom have baby photos or the image is unclear.. 
Sometimes I get them wrong and am locked out for a few hours. And this 
is when connecting via the FB .onion address.


IMO, and I am curious to know what Alec thinks, Google, FB, etc are 
creating far too many false positives. Googling "Something seems a bit 
different about the way you're trying to sign in" results in numerous 
cases where innocent users have been locked out.


Two questions:

Is there a way that using an exit node for Gmail, FB, etc will not be 
considered suspicious? Is that even possible?


Is it possible to use a different proxy way to access Gmail, FB, etc 
without being seen as suspicious? For example, one could use proxychains 
with Tor followed by a SOCKS proxy to login.


In both cases above (exit node and exit node plus SOCKS) we assume that 
the IP address more or less matches the "normal" non-proxy login. I am 
in Paris and use a Paris exit node and a Paris SOCKS proxy for example.


Finally, thanks for participating in this discussion. It is rare to have 
people who work or used to work at the major webmail and social media 
companies from a) getting involved and b) providing a nuanced (not 
anti-Tor) perspective.

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and Google error / CAPTCHAs.

[Alec Muffett]

On 27 September 2016 at 09:42, Mirimir  wrote:

> On 09/27/2016 01:39 AM, Alec Muffett wrote:
> > On 27 September 2016 at 06:42, grarpamp  wrote:
> > In such circumstances they are not actually looking at you / what you are
> > searching for. They are looking at the behaviour of all traffic, of
> > everyone and everything else which emanates from that exit node.
>
> Are they even doing that? It's my impression that they're just looking
> up the IP address in some list that includes all Tor exit relays. But
> yes, I get how that's arguably enough, in that all Tor exits will on
> average look alike.
>

Exactly, especially since circuits rotate around exit nodes fairly rapidly.

And eventually someone has to write the code which says "This IP is
emanating bad stuff, but it is currently a Tor node, so just put it on the
naughty step for a few minutes until it calms down, rather than blocking it
for a longer period."

Once someone has done _that_, then the organisation is on the path to
caring about the real people who access the site over Tor, and finding
better solutions.


> I can't imagine any resolution to this. Anonymity is Tor's key goal.
> There are jerks who need anonymity. And there are providers who want to
> exclude jerks. If you want Tor's "anonymity", and you want to evade
> discrimination against Tor users, you need to avoid identification as a
> Tor user. What else?


Exactly.  This manifests where folk on Twitter complain that "zomg i'm
using the onion site and it's blocked me!" - when in fact some perhaps code
is running - code that someone took the time to write - to learn/remember
that you are a person who logs-in over Tor, that you really are who you
claim to be, and that this is all "okay".

Otherwise the first time that someone logs-in from a Tor exit node might be
someone using Tor to experiment with your credentials, which they phished
off you via an e-mail, or something. (This is another popular misuse of Tor
from the perspective of the big platforms.)

It is definitely a _tough_ problem.

-a

-- 
http://dropsafe.crypticide.com/aboutalecm
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and Google error / CAPTCHAs.

[Mirimir]

On 09/27/2016 01:39 AM, Alec Muffett wrote:
> On 27 September 2016 at 06:42, grarpamp  wrote:



>> So sorry... when I search 'keyboard controllers' and get
>> captcha'd, so far I'm thinking, "really?, such low tolerance?,
>> you're full of shit".
>>
> 
> I understand that perspective, but again that's looking at the "tail
> wagging the dog".
> 
> In such circumstances they are not actually looking at you / what you are
> searching for. They are looking at the behaviour of all traffic, of
> everyone and everything else which emanates from that exit node.

Are they even doing that? It's my impression that they're just looking
up the IP address in some list that includes all Tor exit relays. But
yes, I get how that's arguably enough, in that all Tor exits will on
average look alike.

I can't imagine any resolution to this. Anonymity is Tor's key goal.
There are jerks who need anonymity. And there are providers who want to
exclude jerks. If you want Tor's "anonymity", and you want to evade
discrimination against Tor users, you need to avoid identification as a
Tor user. What else?


-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

Re: [tor-talk] Tor and Google error / CAPTCHAs.

[Alec Muffett]

On 27 September 2016 at 06:42, grarpamp  wrote:

> On Sat, Sep 24, 2016 at 10:21 AM, Alec Muffett 
> wrote:
> > [scraping}
> For some reason I view that as a copout.
>

You know, I would never phrase it that way, but in some respects I agree
with you.  I'll explain...

I mean, provide real data showing that it's intolerable and
> I'll say yes with you. Otherwise google [et al's] infrastructure
> can surely handle it (the load), and even possibly intelligently
> defend against it.
>

It's not right to conflate:

"their infrastructure can surely handle it!"

...with:

"they cannot be bothered to sort the wheat from the chaff!"

...but the latter is a lot closer to the truth than the former, and I find
it regrettable.

Let's do some back-of-the envelope maths: I have no idea of Google's
statistics but if 1 million people use Facebook over Tor, and Facebook
serves 1.7 billion people, then the Tor-using population of Facebook is
about:

  ( 1 million / 1.7 billion ) * 100 = 0.06% (rounded up)

...of the userbase.

To put this into context, imagine a vacuum cleaner, and a bag of dust it in
is about 1.5kg / 3.3lbs; then put a single grain of rice into the bag
(1/64g) -

  ( 1 / ( 64 * 1500 ) ) * 100 = 0.001%

So globally per capita, the overall percentage of people who use Facebook
over Tor would be about 60 grains of rice.

That's about a teaspoonful of rice in a vacuum cleaner.  Have you ever
vacuumed-up a teaspoonful of dropped rice and not bothered to pick it out
of the bag?

You have to really _care_ about that rice, care about those users in order
to want to do that.  It's not economical behaviour.

But the situation is actually _worse_ than this, because the vast majority
of "legitimate" traffic does not pass through Tor en-route to Facebook or
Google, most of it is via apps, or via direct browsing.

When you're dealing with the traffic which emanates from Tor's exit nodes
the relative percentage of dust (scraping & spam) to rice (legit people)
increases greatly.

I don't know the numbers - 10x, 100x ? - it will vary from platform to
platform, and (as stated before) FB will have a slightly easier time of it
because of the richer signals from login credentials.

It might be 6 grains of rice in a vacuum cleaner. or 1 grain. Or less,
depending on the platform.

So to convince people who work at companies of the value of hunting for and
recovering these grains of rice, you have got to make them _care_.


So sorry... when I search 'keyboard controllers' and get
> captcha'd, so far I'm thinking, "really?, such low tolerance?,
> you're full of shit".
>

I understand that perspective, but again that's looking at the "tail
wagging the dog".

In such circumstances they are not actually looking at you / what you are
searching for. They are looking at the behaviour of all traffic, of
everyone and everything else which emanates from that exit node.

They are mostly looking at a bag of dust, not at your rice-grain legitimate
search.

And if you want to make them care about that, and if you would like them to
do better, my first tip is not to go around telling the (say: Google)
engineers that they are "full of shit".

It's a human thing.  It tends to make people upset and not listen.

I would love for Google and CloudFlare to do better in this space.  CF did
at least _try_ with a crazy proof-of-work scheme (which is a popular way of
identifying scrapers, btw) but that's a category error because Tor is a
network stack not a browser-access-solution.  But the Tor activist
community just totally savaged CF, with the entirely predictable result of
both sides hunkering down into a war of attrition.

Let's not repeat that?

-a

-- 
http://dropsafe.crypticide.com/aboutalecm
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk