TrackerSmacker: philosophical considerations

[cryptostorm_admin]

I've taken the liberty of opening this parallel thread, in order to split off more philosophically-driven discussions of TrackerSmacker from the technical/bugfix side of things. Because, well, the main thread is almost as active as the least-active old boring threads on XDE Forums - yikes!

Anyhow, when someone has time, hopefully we'll do a split/merge of existing posts from there, into here. For now, at least there's a dedicated home for such deep critique.

Also, here's a link to some of TealC's well-reasoned push-back on TrackerSmacker, in our main twitter thread. It's worth a look, eh?

[parityboy]

I suppose the real crux of the question is: how far is too far?

Network users are quite happy for CS staff to face off against LEOs and intelligence agencies in order to protect their identities and browsing habits, but are suddenly up in arms at a mechanism that could quite literally save their hides from the latest crypto-ransomware (or worse), which is now starting to be deployed through ad-networks.

Don't get me wrong, I see the other side of the argument as well. "We do this to keep you safe" is a line trotted out far often by malicious state actors whose every intention is to do the opposite. By definition, "a free and open Internet" is exactly that - driven by open specifications, (ideally) open source code and free of unnecessary meddling and interference.

So let me ask this: if - instead of refusing to resolve ad-network FQDNs in the first place - the CS team resolved those FQDNs and then implemented an exit-side anti-virus scanner which would quarantine any malware coming from those domains, would you cry about that as well? Would you rather that malware make its way safely onto your (more than likely Windows) O.S. install?

I certainly didn't hear anyone screaming when the CS team rolled out WebRTC protection. Why not? Surely you didn't want your network traffic blocked, did you?

So, I ask again: how far is too far?

Bear in mind (as was pointed out in the main thread), 99% of CS users are a) NOT power users and b) will most likely be Windows users. So that's 1) not tech-savvy and 2) highly vulnerable: a poor combination. Also consider that there will also be an increasing number of Android (including smart TVs) and iOS devices using the CryptoStorm network. Those devices are just as vulnerable as any Windows install, if not more so.

Also bear in mind that these ad-networks are a pretty good platform for CINs, at least to my way of thinking. It's a pointless exercise having cryptographically-validated OpenVPN and HTTPS sessions if you're only going to transport zero-day malware along them anyway.

Maybe Cryptostorm users don't realise how important this network is, what it can support and what it means for the future. Maybe Cryptostorm users don't realise what they are getting access to for $6/month. There's a level of vision and technical skill here that I have not seen present in the offerings of other VPN providers.

I guess what I'm saying here is this: rather than blindly raging that your traffic is being interfered with, take the time to evaluate what exactly is being done, and why.

So one more time: how far is too far?

[wpaschukat]

I suppose the real crux of the question is: how far is too far?

..are suddenly up in arms..

Hi parityboy,

I'm sorry if I came across as being 'up in arms'. As said, I appreciate the ethics and the works put into cs. But you do agree that a civil discussion is not only ok, but useful and healthy? We all should refrain from rhetorics that sound like "either you're with us or against us" but keep it civil and polite

Tada.

[parityboy]

@wpaschukat

I agree 100%, and if I sounded like "my way or the highway", that wasn't intended.

This is precisely the kind of topic that can easily polarize opinions. What is surprising though is that this thread still isn't particularly active. I would have expected more people to be venting.

[sysfu]

I'm not going to get too worked up about it as long as there in as option for power users to opt-out of the filtering via a checkbox on the connection widget options, or perhaps a special password in the password field for cross platform support.

Would be re-assuring if the cryptostorm team will commit to making that knob available.

[username is too long]

'Packet agnosticism', deeply knowledgeable admins, and a whiff of anti-establishment is why I choose to funnel all my household traffic through this service. I'm just not sure where all this fits into that first one. Now I know not all users are me (with my low-to-mediocre linux skills, and desire to struggle with how it all works), and just want to mash their stubby fingers on an 'I'm ok now' button and get on with things...but is giving them that the best way to keep them 'safe'? Is this the same people who just click yes to get warnings out of the way, and think nothing of giving apps everything? They may need it, like the one I married to...but..is it not a little close to the concept of 'security theatre' that you yourselves have railed against, in that context? Now, I know when balanced against the 'harm' that the shit being blocked is causing makes all this a bit...wanky. And fuck advertising, Bill Hicks had it spot on. But...give a man a fish and he eats only 1 day, teach him about /hosts and...erm, y'know. In my ideal world it's all education and empowerment (and smiling and skipping), not protection. Molly coddling your children does not prepare them for the real world, does it?

By the way. I don't know if I'm right.

[sysfu]

A little required reading directly related to this topic...

Software Defaults as De Facto Regulation: The Case of Wireless APs ," Rajiv Shah and Christian Sandvig, TPRC'07, September 2005,

Our results show that default settings play a powerful role in how people use technology. People are hesitant to change the manufacturer's default settings and defer to them. While this argument is well known to scholars in this area, this study found empirical evidence to quantify this effect using multiple measures from two very different sources of data (one of them very large). In our empirical study, we found that most people do not change default settings.

[hashtable]

I don't see any downside to this. It's the right thing to do - if someone wants access to ads or whatever shit is being blocked they just use turn cryptostorm off or use a different service. I think it's good to have this protection on by default and I don't know why anyone would want this turned off?

[mart-e]

I don't know why anyone would want this turned off?

The main reason would be because the site I am visiting is broken. When I end up on a broken page, I now get the habit to, one by one, disable µBlock, ghostery, greasemonky, httpseverywhere,... (and last resort: blame Flash) supposing one is blocking an essential part of the crappy side I am trying to load.
Not sure I want to add CS in the list of stuffthatmaybreakawebsite.

[hashtable]

that makes sense

[turbz]

Came here to cry and whine about the blocking, received enlightenment instead.

Though is it just me or is SourceForge on the blacklist, I can't seem to be able to access their site :/

It could be nice to land on an error page telling me Cryptostorm blocked the site if it does, so that I know how to proceed instead of landing on some generic error page which gives me no clues why something doesn't work and I need to go through all kinds of diagnostics.

[parityboy]

@turbz

SF loads fine for me, this is while also running Ghostery. NoScript and uBlock Origin in the browser. Which exit were you using?