<html><body><div style="color:#000; background-color:#fff; font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px"><div><span>Hi Rob,</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><span>     I made a scathing criticism of a poor UI decision in the TBB, and it came out the other end of your euphemism carwash as "really hard to figure out".</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style:
 normal;"><span>I have a very hard time believing you'd be as gracious in describing some aspect of Facebook's UI that "(advises)" to check some configuration box for enhanced security which isn't default behavior.  Furthermore, if users of Facebook ended up getting pwned time and again, I also doubt you'd blame the set of all users who fail to check that optional box.</span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><span><br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><span>So why is it the hidden service ops' responsibility to refrain from using javascript as a default design decision when the developers of the overlay aren't even willing to do it
 for TBB?  Those ops are users of the Tor overlay, and they are obviously catering to the TBB users who don't disable Javascript.<br></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><br><span></span></div><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;"><span>I don't fault you for implicitly distrusting Facebook, but it's even worse to implicitly soften criticism of TBB.  If you truly believe that using javascript with Tor is bad, then please imagine that Facebook develops and funds the TBB and direct your criticism and patches to TBB accordingly.<br></span></div><br><div style="color: rgb(0, 0, 0); font-size: 16px; font-family: HelveticaNeue,Helvetica
 Neue,Helvetica,Arial,Lucida Grande,sans-serif; background-color: transparent; font-style: normal;">-Jonathan<br><span></span></div><div class="qtdSeparateBR"><br><br></div><div style="display: block;" class="yahoo_quoted"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div style="font-family: HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif; font-size: 16px;"> <div dir="ltr"> <font face="Arial" size="2"> On Friday, October 31, 2014 1:47 PM, Robert W. Gehl &lt;lists@robertwgehl.org&gt; wrote:<br> </font> </div>  <br><br> <div class="y_msg_container"><div id="yiv1255925079"><div>
    <div class="yiv1255925079moz-cite-prefix">Hi, Jonathan -- <br clear="none">
      <br clear="none">
      I do know the defaults, and I did change them to allow for
      first-party scripts. I agree that TBB's NoScript defaults are
      really hard to figure out (in comparison to NoScript in vanilla
      Firefox -- which admittedly is still a complicated setup).
      However, I assumed that if Facebook wanted to have a hidden
      service, they'd account for the fact that at the very least
      third-party JS is a no-no (and many Tor users also don't want to
      allow any scripts). <br clear="none">
      <br clear="none">
      From what I could tell, the verification system I went to to
      confirm my ID relied on third-party scripts (it looked like Google
      scripts). It was a system in which I had to identify pictures of
      "friends". No pictures loaded. <br clear="none">
      <br clear="none">
      Moreover, the .onion Facebook will probably always say that the
      account is locked due to logging in from a "strange" location, so
      there will be that issue.<br clear="none">
      <br clear="none">
      In the end, I don't get why FB is doing this, other than to look
      hip.<br clear="none">
      <br clear="none">
      - Rob<br clear="none">
      <br clear="none">
      <br clear="none">
      <br clear="none">
      On 10/31/2014 11:40 AM, Jonathan Wilkes wrote:<br clear="none">
    </div>
    <div class="yiv1255925079yqt0361972682" id="yiv1255925079yqt44410"><blockquote type="cite">
      <div style="color:#000;background-color:#fff;font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
        <div><span>Hi Rob,</span></div>
        You do know TBB's defaults regarding scripts, right?  If it's a
        conundrum with no easy answer for Tor devs, it's a conundrum for
        Facebook as well.  So please do get on Tor Talk list and
        criticise TBB for having an "(advised)" yet non-default setting
        for blocking all scripts.<br clear="none">
        <br clear="none">
        I understand the conundrum, and I agree that there isn't an easy
        answer, but that default setting in TBB is batshit insane.  It
        is _the_ source of the conundrum.  If script-blocking were
        turned on by default Facebook wouldn't even waste time trying to
        design a hidden service like this.<br clear="none">
        <br clear="none">
        -Jonathan<br clear="none">
        <div class="yiv1255925079qtdSeparateBR"><br clear="none">
          <br clear="none">
        </div>
        <div class="yiv1255925079yahoo_quoted" style="display:block;">
          <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
            <div style="font-family:HelveticaNeue, Helvetica Neue, Helvetica, Arial, Lucida Grande, sans-serif;font-size:16px;">
              <div dir="ltr"> <font face="Arial" size="2"> On Friday,
                  October 31, 2014 12:13 PM, Robert W. Gehl
                  <a href="" rel="nofollow" shape="rect" class="yiv1255925079moz-txt-link-rfc2396E removed-link" ymailto="mailto:lists@robertwgehl.org" target="_blank">&lt;lists@robertwgehl.org&gt;</a> wrote:<br clear="none">
                </font> </div>
              <br clear="none">
              <br clear="none">
              <div class="yiv1255925079y_msg_container">
                <div id="yiv1255925079">
                  <div>
                    <div class="yiv1255925079moz-cite-prefix">I tried to
                      log in (with a fake account I maintain for just
                      such a purpose). "Your account is temporarily
                      locked," it says. I get that; it appears I'm
                      trying to log in from a strange location.<br clear="none">
                      <br clear="none">
                      To proceed, I have to ID pictures of friends. Ok,
                      I say. But the page with friends' photos doesn't
                      load, probably because I have Javascript off
                      (common practice with the Tor Browser). Fail.<br clear="none">
                      <br clear="none">
                      Let's say people take this seriously -- to do so,
                      they will have to use Javascript, which is a bad
                      move when using Tor.<br clear="none">
                      <br clear="none">
                      It seems to me that this would just inculcate bad
                      security habits for any would-be Dark Web users.<br clear="none">
                      <br clear="none">
                      - Rob<br clear="none">
                      <br clear="none">
                      On 10/31/2014 08:14 AM, Steve Weis wrote:<br clear="none">
                    </div>
                    <blockquote type="cite">
                      <div dir="ltr">Facebook is now available as a Tor
                        hidden service at this .onion address:<br clear="none">
                        <a href="" rel="nofollow" shape="rect" class="yiv1255925079removed-link removed-link">https://facebookcorewwwi.onion/</a>
                        <div><br clear="none">
                        </div>
                        <div>Blog post is here:<br clear="none">
                          <div><a href="" rel="nofollow" shape="rect" class="yiv1255925079removed-link removed-link">https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237</a><br clear="none">
                          </div>
                          <div><br clear="none">
                          </div>
                        </div>
                      </div>
                      <br clear="none">
                      <br clear="none">
                    </blockquote>
                    <br clear="none">
                  </div>
                </div>
                <br clear="none">
                -- <br clear="none">
                Liberationtech is public &amp; archives are searchable
                on Google. Violations of list guidelines will get you
                moderated: <a href="" rel="nofollow" shape="rect" class="yiv1255925079removed-link removed-link">https://mailman.stanford.edu/mailman/listinfo/liberationtech.
                </a>Unsubscribe, change to digest, or change password by
                emailing moderator at <a href="" rel="nofollow" shape="rect" class="yiv1255925079removed-link removed-link">companys@stanford.edu.</a><br clear="none">
                <br clear="none">
              </div>
            </div>
          </div>
        </div>
      </div>
      <br clear="none">
      <br clear="none">
    </blockquote></div>
    <br clear="none">
  </div></div><br><br><br></div>  </div> </div>  </div> </div></body></html>