Tor: How a military project became a lifeline for privacy
81 comments
·August 8, 2025neilv
RGamma
> selecting appropriate Tor exit nodes for each regional site
So, a proxy? Onion routing doesn't really play a role for this use case.
neilv
> So, a proxy? Onion routing doesn't really play a role for this use case.
The onion routing obscured our identity from the "proxy" exit nodes.
Separately, Tor was also a convenient way to get a lot of arbitrary country-specific "proxies", without dealing with the sometimes sketchy businesses that are behind residential IP proxies.
(Counterfeiting/graymarket operations can be organized crime. I'd rather just fire up Tor, and trust math a little, than to try to vet the legitimacy and intentions of a residential IP broker.)
wslh
The Tor exit nodes are public.
sidewndr46
Why would you need to obscure your identity from the exit nodes?
trod1234
Honestly what he describes sounds like Raptor (Princeton Report, 2015)
neilv
How is this related to Princeton's Raptor, other than having the keywords "Tor" and "surveillance"?
https://www.princeton.edu/~pmittal/publications/raptor-USENI...
(Strange coincidence: We also had different key tech with the codename of Raptor, but it had nothing to do with Tor nor Web scraping. It was for discreet smartphone-based field auditing of physical product, in global physical retail and other locations. The codename was the result of a great morale-boosting impromptu brainstorming session between engineering and marketing people ("can you help think of a cool codename for this..."), and the resulting name highly apt, at least for the movie velociraptors. I built it, and, until Covid disrupted our F500 customers and investors, I was looking forward to hiring engineers to do further work on something cool-sounding like "Raptor", rather than "internal-app" or whatever first came to mind when creating the Git repo. :)
cedws
What was the scraper gathering specifically?
neilv
Listings of items for sale (for ~100 brands), and how that changed over time. With the marketplace having a pretty rich schema to reconstruct from their server-side rendering.
One of the purposes was cold sales outreaches to an exec at a brand, maybe something like, "Here's a report about graymarket/counterfeit of your brand online, using data you probably haven't seen before; we have a solution we'd like to tell you about".
woadwarrior01
If I could wager a guess, it sounds like the startup was in the business of scraping Amazon.
neilv
No. And when people share info on HN, I don't like to see speculation in the comments about things they obviously intentionally didn't say (assuming that they seem to be speaking in good faith). That person, and other people who see the dynamic, presumably are less likely to share in the future.
vhcr
You won't be able to scrape Amazon using Tor.
anarbadalov
For anyone interested in this author’s book on Tor, it’s available for free download! https://direct.mit.edu/books/oa-monograph/5761/TorFrom-the-D... (full disclosure: i work for MIT Press)
dannyobrien
It's a really good book! I was on the very edges of this scene for a chunk of the time described, and I thought it managed to catch a lot of the complexities without picking one possible narrative over another.
Plus I learned a lot -- it came out of some academic research that pursued a unique angle: finding and talking to the Tor exit node operators about their experiences, rather than just say the developers, the executives, or the funders.
anarbadalov
I'll share your kind words with the author!
bauruine
You can also buy it if you want to support the autor. https://mitpress.mit.edu/9780262548182/tor/
TMWNN
Thanks for that. Is it available as epub? I would like to read it on Kindle.
ricardo81
I'd never used Tor, though had to scrape a bunch of things that required different IPs. I figured their endpoints were already tarred.
With the porn block in the UK though, the "New Private Window with Tor" in Brave is very convenient.
Maybe not for long, or maybe not. I guess websites don't need to comply beyond a certain point.
There are tons of "residential proxy" and whatnot type services available, IP being a source of truth doesn't seem to matter much in 2025. The Perplexity 'bot' recent topic being an example of that.
Basically if you want to access any resource on the web for a dollar a GB or so you can use millions of IPs.
freedomben
Indeed, I've investigated some cyber attacks recently that came from residential IPs in California and NY, though investigation turned up the real origins as coming from India. It's pretty easy to pull off nowadays
trod1234
The problem with most infrastructure is that there's a big gap in security where it centralizes, and its transparent.
To understand how, you should review the Princeton Report's Raptor attack, and understand how it works (2015).
lenerdenator
I've never felt like I knew how to use Tor correctly, or trusted anyone to be able to guide me on that.
abdullahkhalids
Simply download the Tor Browser [1], which is simply a hardened version of Firefox that connects to the Tor network.
Don't install addons in this browser. Don't resize the browser window. All tor browsers instances have the same default window size, which prevents websites from tracking you. Obviously don't login into websites with your regular email or provide websites with your PII.
If you are in a country or on a network that blocks the basic Tor network, the FAQ explains how to get around this by using Tor bridges or other techniques [2].
That's pretty much all you need to know.
lenerdenator
> All tor browsers instances have the same default window size, which prevents websites from tracking you.
Wouldn't that in and of itself be a possible clue that someone was using Tor?
qualeed
Figuring out someone is using Tor is trivial (e.g. list of exit node IPs https://www.dan.me.uk/torlist/?exit).
This mitigation helps protect the individual Tor user (e.g. with a unique 1726x907 px window) being fingerprinted across multiple sessions / sites.
bauruine
The list of Tor nodes is public so it's trivial to detect a user is using Tor you just have to check the IP.
keysdev
Or a computer of that window size, and there a lot browsers that dont support js.
sorenjan
Is window size visible to web sites when java script is turned off? It's off by default in Tor browser.
qualeed
It's on by default in Tor browser.
You have to explicitly switch to "Safest" mode to turn it off completely.
>Why does Tor Browser ship with JavaScript enabled?
We configure NoScript to allow JavaScript by default in Tor Browser because many websites will not work with JavaScript disabled. Most users would give up on Tor entirely if we disabled JavaScript by default because it would cause so many problems for them. Ultimately, we want to make Tor Browser as secure as possible while also making it usable for the majority of people, so for now, that means leaving JavaScript enabled by default.
ignoramous
> That's pretty much all you need to know.
Depends on the level of anonymity the end-user desires. That rabbit hole is deep, but not that deep: https://www.ivpn.net/privacy-guides/advanced-privacy-and-ano... / https://archive.today/9DhtT (by u/mirmir)
qualeed
For a guide that goes into so much detail (as far as suggesting enterprise-grade drives, recommended RAID configurations, etc.), not even a passing mention of Tails or Qubes-Whonix is a really interesting choice (read: discouraging omission)!
sherr
I sympathise with a bit of paranoia about this. Personally, I'd use a platform like "Tails" (do your own research) which wraps Tor up in a USB bootable Linux OS.
jandrese
The generally recommended way is to download Tails to a USB thumb drive and boot off of that. This is safer than just using the TOR browser and if something does attack your system none of your actual data is on the OS.
hnuser123456
Back when I tried, it was a modified Firefox build.
burnt-resistor
That's just a browser form of it: https://www.torproject.org/download/
apopapo
Tor is nice, but I still prefer i2p.
keysdev
But it is more difficult to run
Synaesthesia
It's all about trust
NoSalt
Especially as the internet, itself, started as a military project. [DARPA]
taminka
i wish they were also a lifeline for censorship too, tor is effectively non functional in many countries :(
markasoftware
tor tries very hard to bypass censorship. Have you tried the numerous Tor bridges, or the new Snowflake p2p bridge?
ezbie
"A lifeline for privacy" reads more like a "hub for pedophilia and other gross, unspeakable crimes".
Just use a VPN for fuck's sake.
jmclnx
I ran a bridge until recently, but the server died a heat death after I moved to another apartment :(
I have not yet had time to find a suitable replacement machine. But running a bridge is a cheap, safe low network volume method people can help out from home. I had it going to help people in 'bad' countries to get out to the rest of the world.
notxjosh
[flagged]
zwnow
Isn't Tor dead? Wasn't it infiltrated long ago?
markasoftware
It depends on your threat model. Tor is focused on hiding from small-scale passive adversaries (eg, you're in Iran and don't want the Iranian government to see what you're doing. Or your ISP. Or any single node operator). Even the original Tor paper makes it clear that Tor isn't secure against a "global passive adversary" that can observe a large portion of global internet traffic, like the five eyes likely can today.
If you want to avoid global passive adversaries, a mixnet like Nym can work. I'm also working on a related project which takes a different approach of building your own circuit of proxy servers manually with lots of traffic padding: https://github.com/markasoftware/i405-tunnel
zwnow
I just use it to get books for free so idk about all the state regulation stuff.
bevr1337
It's been assumed that three-letter agencies operate many exit nodes for a hot minute. I don't know if this is a special case of infiltration because it's TOR SOP.
HDThoreaun
This isnt necessarily malicious. As the OP states TOR only works if a lot of people use it for regular browsing. The government wants it to work for the covert stuff so they need buy in from regulars and improving the service is how to do that.
impossiblefork
I personally can't see how it can be secure without dummy messages.
8organicbits
What makes you believe that?
zwnow
Read some story about some authority having set up tons of servers within the tor network to bust some criminal activity effectively making it not anonymous anymore. Was a while back on HN
thewebguyd
The feds and other equivalent agencies in other countries have been running exit nodes for years, but its still better than most solutions even if not perfect. Anyone who has gotten caught though likely wasn't because of any flaws in Tor (or said exit nodes) but because of other lapses in OpSec.
That being said, yes, feds can de-anonymize traffic, probably reliably at this point. There are only about 7-8000 active nodes, most in data centers. The less nodes you hop through, the more likely that traffic can be traced back to the entry point (guard node), and combined with timing can be reasonably traced back to the user. Tor works best with many, many nodes, and a minimum of three. There's not as many nodes as there needs to be so quite often it's only 3 you are going through (guard node/entry point, middle node, exit node)
Plus browsing habits can also be revealing. Just because someone is using Tor doesn't mean they also have disabled javascript, blocked cookies, aren't logging into accounts, etc.
8kingDreux8
I believe this is the thread you're talking about https://news.ycombinator.com/item?id=41584428
chews
It was always that way, Ross Ulbrect was connected to his dark website by tracing via exit nodes.
Tor was always a government tool.
Ray20
The observable world around us.
In a world where Tor is not a honeypot of some three letter agency, there are implementations of projects like Jim Bell's Assassination Politics. In a world where Tor is not a honeypot its use would be banned, much like the use of Tornado Cash was banned and shut down until the secret services took control of it.
And we obviously don't live in such world.
8organicbits
> its use would be banned
There are many places in the world where direct access to Tor is blocked. There are many countries where use of a VPN is illegal, VPNs are required to log by law, etc. I disagree with this premise.
yieldcrv
Its not a binary thing, Tor updates all the time
Many comments talk about exit nodes for surveillance, but there is a totally different vector of use and considerations that dint apply when you aren't trying to access clearnet
And even on darknet it depends on what you’re doing
Reading the NY Times’ darknet site or forum or even nuet browsing darknet markerplace from Tor Browser, whereas I would use a Tor OS like Tails or dual gated VM like Whonix for doing something illicit
fsckboy
>Tor: How a military project became a lifeline for privacy
Arpanet: How a military project gutted personal privacy, destabilized self esteem and strangled attention spans
I used Tor for surveillance. But an appropriate kind, IMHO.
I used Tor as a small part of one of the capabilities of a supply chain integrity startup. I built a fancy scraper/crawler to discreetly monitor a major international marketplace (mainstream, not darknet), including selecting appropriate Tor exit nodes for each regional site, to try to ensure that we were seeing the same site content that people from those regions were seeing.
Tor somehow worked perfectly for those needs. So my only big concern was making sure everyone in the startup knew not to go bragging about this unusually good data we had. Since we were one C&D letter away from not being able to get the data at all.
(Unfortunately, this had to be a little adversarial with the marketplace, not done as a data-sharing partnership, since the marketplace benefited from a cut of all the counterfeit and graymarket sales that we were trying to fight. But I made sure the scraper was gentle yet effective, both to not be a jerk, and also to not attract attention.)
(I can talk about it now, since the startup ran out of runway during Covid investor skittishness.)