A message to the character who is creating new characters all the time, with the TOR browser

Ok yeah I see the issue. I guess this is a non trivial problem that even big guys like Google have a hard time solving.

I don’t see a problem with people signing up using a TOR browser. (Spamming the forum is of course a different thing.) A DOS attack towards a TOR gateway will have a lot of collateral damage so let’s not do that.

Or maybe we have a new private pilot member from North Korea, I don’t think he will get away alive while surfing on Google Chrome ;)

Ps: still spamming/hacking is nasty !

Peter wrote:

I don’t think any browser helps if you are in N Korea because your “ISP” there knows all about your activities… It protects you only at the other end.

Tor is designed to protect you at both ends. AFAIK (but I’ve been out of touch with this kind of security and crypto stuff for a few years now) seriously breaking its anonymity needs observing the traffic at both ends to make correlations. So, actually, for an X being a “bad place”, assuming

1. Tor is not blocked in X
2. Neither EuroGA, EuroGA’s ISP, EuroGA’s hosting, nor the Tor exit node, nor its ISP, nor anybody that can observe their traffic collaborate with either of ISP at X or the Tor entry node or its ISP or anybody that can observe their traffic
3. The TLS crypto used by Tor is not broken as such

Tor will protect you against network attacks (not breaking in into your computer, not a camera pointed at your screen, not power analysis of your computer, not Tempest leaks from your computer, etc). In other words, it protects against EuroGA knowing your IP and it protects against your ISP knowing you visit EuroGA.

Note that number 2 above also means that you can’t have the same ISP than EuroGA, or that ISP can break your Tor anonymity, because it sits at both ends.

Peter wrote:

a system designed for lack of traceability while carrying out seriously illegal activities

Tor is not designed “for lack of traceability while carrying out seriously illegal activities”. It is designed for anonymity, the bulk of its funding has come from the USA federal government. It is useful for, and is used for (among many others)

1. Checking out a public website without the people running the website identifying you. Variants:
   1. You are an academic, reviewing a paper for a journal or conference. You are not supposed to identify yourself to the authors. The data whose analysis is the result prepared in the paper is available on the author’s website. You use Tor to download the data and check it.
   2. You work for your state’s intelligence agency. You want to look around posted publicly by another state, but without them seeing that you are interested.
   3. You want to browse your competitor’s website, see his pricing, etc.
2. Escaping your ISPs restrictions. Variants:
   1. You are a teenager in school. Possibly a boarding school. You’d like to get on with your term paper on JFK’s assassination, or medieval siege machines. But your school’s network insists that you must read about “JFK’s buttbuttination” because they decided your delicate under-18 mind cannot possibly survive seeing the horrible world “ass”, or about “medireview siege machines” because “eval” might be you trying to exploit a Javascript security hole. These are infernal working conditions. Tor is a solution.
   2. Your country’s big firewall. Helping people pierce China’s big firewall was, at some point, a specific battle, with ever-changing, not completely publicly listed entry points called “bridges”, to make blocking Tor more difficult.
3. Escaping the restrictions that the destination web site puts. Variants:
   1. Geoblocking,
   2. Different content being served to different geographies.
4. Discussing online, finding like-minded people to confide in, whatever topic is taboo in your environment. Homosexuality. Seropositivity. Atheism (that carries an actual physical death sentence in some countries, and a “social death sentence” even in some parts of the “Free World” like the Western World likes to call itself).
5. And yes, it can also be used for more nefarious stuff. Like astroturfing. Like “seriously illegal activities”. But saying it is designed (only) for that is, frankly, completely wrong.

Peter wrote:

let’s face it, what normal person really has a reason to care whether his/her security services can see their browsing history, when their phone is reporting back to Apple, Samsung, or China

1. People attached to any of democracy, freedom, rule of law. Knowing the exact details of what anybody says, thinks, does, allows the “security services” to selectively enforce “laws that everyone breaks sometimes” against political opponents and allows the group in power some level of security against losing the next election. Allows targeted crowd manipulation, this century’s propaganda.
2. People attached to social or scientific progress. Living in a panopticon stifles creative thought.
3. People with a human brain and a distinct taste for using it. Living in a panopticon stifles creative thought.

Their smartphone should not report back to Apple, Samsung or China either. That the situation is bad on one side is no reason to let it go bad on another other side, too.

Don’t try to get back to this character by focusing on TOR, and trying to block or DDoS that. It doesn’t work. TOR is designed to obfuscate the origin of a connection and very good at that. You will not get back to the original IP, so you’ll just be causing a nuisance to others who may have a legitimate reason to use TOR. Plus, what you would do could possibly be seen as illegal.

Get higher in the protocol stack. It’s been a while since I signed up, but I assume that in order to sign up you need to supply a legitimate e-mail address, and this e-mail address is validated during the process. Does the character use throw-away e-mail addresses for this? If not, sign that e-mail address up for as many mailing lists as possible. And if he does, then there’s usually some commonality between them which may be exploited. And if you are lucky, you can maybe come up with a home address and perform an Alan Ralsky on him. https://en.wikipedia.org/wiki/Alan_Ralsky

But more back to earth, for “dubious” users such as this, you may require re-validation of the e-mail address every X days or weeks. That forces that user to keep on reading the e-mail that arrives on that address, so a one-time-use throwaway e-mail address would not work.

And on top of that, some forums have a system of reputation points, where you have to have a certain number of legitimate posts, likes or whatever, before you gain full privileges (like starting your own thread, uploading photos or something else).

Or simply ignore him, trust the existing countermeasures and move on. Life is too short.