Ok yeah I see the issue. I guess this is a non trivial problem that even big guys like Google have a hard time solving.
I don’t see a problem with people signing up using a TOR browser. (Spamming the forum is of course a different thing.) A DOS attack towards a TOR gateway will have a lot of collateral damage so let’s not do that.
I don’t see a problem with people signing up using a TOR browser
Many would agree on abstract civil liberties grounds (to establish solid EFF credentials I was one of the earliest users of PGP ) but anyone browsing a pilot forum via a system designed for lack of traceability while carrying out seriously illegal activities (stuff like child p0rn; let’s face it, what normal person really has a reason to care whether his/her security services can see their browsing history, when their phone is reporting back to Apple, Samsung, or China) is prob99 going to be doing something pretty strange.
Also a high level of anonymity comes with a cost. It’s all out there to read, how one can slip up and reveal one’s real IP. You have to do it just right and be very careful. For a pilot forum??
Or maybe we have a new private pilot member from North Korea, I don’t think he will get away alive while surfing on Google Chrome ;)
Ps: still spamming/hacking is nasty !
I don’t think any browser helps if you are in N Korea because your “ISP” there knows all about your activities… It protects you only at the other end.
Peter wrote:
I don’t think any browser helps if you are in N Korea because your “ISP” there knows all about your activities… It protects you only at the other end.
Tor is designed to protect you at both ends. AFAIK (but I’ve been out of touch with this kind of security and crypto stuff for a few years now) seriously breaking its anonymity needs observing the traffic at both ends to make correlations. So, actually, for an X being a “bad place”, assuming
Tor will protect you against network attacks (not breaking in into your computer, not a camera pointed at your screen, not power analysis of your computer, not Tempest leaks from your computer, etc). In other words, it protects against EuroGA knowing your IP and it protects against your ISP knowing you visit EuroGA.
Note that number 2 above also means that you can’t have the same ISP than EuroGA, or that ISP can break your Tor anonymity, because it sits at both ends.
Peter wrote:
a system designed for lack of traceability while carrying out seriously illegal activities
Tor is not designed “for lack of traceability while carrying out seriously illegal activities”. It is designed for anonymity, the bulk of its funding has come from the USA federal government. It is useful for, and is used for (among many others)
Peter wrote:
let’s face it, what normal person really has a reason to care whether his/her security services can see their browsing history, when their phone is reporting back to Apple, Samsung, or China
Their smartphone should not report back to Apple, Samsung or China either. That the situation is bad on one side is no reason to let it go bad on another other side, too.
This topic is like PGP in 1990 Nowadays, almost nobody uses secure email, so those who do are easily watched and traffic analysis is usually easy too. That site on TOR more or less says that. You would be relatively hidden from traffic analysis only if almost everybody attached to your ISP was on it. In the old days of anon remailers, it was a lot easier to avoid traffic analysis because emails could be randomly delayed by hours before being sent on to the next mixmaster node. With web browsing, it is real time end to end. It’s a good civil liberties illusion. Especially with almost nobody using it, making the user(s) extra visible.
Don’t try to get back to this character by focusing on TOR, and trying to block or DDoS that. It doesn’t work. TOR is designed to obfuscate the origin of a connection and very good at that. You will not get back to the original IP, so you’ll just be causing a nuisance to others who may have a legitimate reason to use TOR. Plus, what you would do could possibly be seen as illegal.
Get higher in the protocol stack. It’s been a while since I signed up, but I assume that in order to sign up you need to supply a legitimate e-mail address, and this e-mail address is validated during the process. Does the character use throw-away e-mail addresses for this? If not, sign that e-mail address up for as many mailing lists as possible. And if he does, then there’s usually some commonality between them which may be exploited. And if you are lucky, you can maybe come up with a home address and perform an Alan Ralsky on him. https://en.wikipedia.org/wiki/Alan_Ralsky
But more back to earth, for “dubious” users such as this, you may require re-validation of the e-mail address every X days or weeks. That forces that user to keep on reading the e-mail that arrives on that address, so a one-time-use throwaway e-mail address would not work.
And on top of that, some forums have a system of reputation points, where you have to have a certain number of legitimate posts, likes or whatever, before you gain full privileges (like starting your own thread, uploading photos or something else).
Or simply ignore him, trust the existing countermeasures and move on. Life is too short.
If you are just selling fake passports, etc, like so many spammers who managed to get in in the past (it used to be really easy), then just use any of the Russian proxy sites.
So whoever this is, he’s trying to post something which would get him into serious trouble if he succeeded