[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] TOR bundle on hostile platforms: why?



On 08/07/2013 08:05 PM, Ralf-Philipp Weinmann wrote:
> 
> On Aug 7, 2013, at 9:06 PM, Ivan Zaigralin wrote:
> 
>>> Using Tor protects you against a common form of Internet
>>> surveillance known as "traffic analysis."
>> 
>> It doesn't, since Microsoft can survey all outgoing and incoming 
>> traffic in plain text.
>> 
>>> Tor also makes it possible for users to hide their locations
>>> while offering various kinds of services, such as web publishing
>>> or an instant messaging server.
>> 
>> On the contrary, Microsoft has the capability to survey all
>> Windows-powered TOR nodes and make a complete table of who is
>> hosting what.
>> 
>>> As Tor's usability increases, it will attract more users, which
>>> will increase the possible sources and destinations of each
>>> communication, thus increasing security for everyone.
>> 
>> Each Windows host added to the network is a TOR node which is
>> directly under control of Microsoft. Thus adding more Windows hosts
>> decreases the security for everyone.
> 
> Hi Ivan,
> 
> may I ask what you base these claims on exactly? The capability of
> Microsoft to perform auto-updates or is there anything else?

It's hard to know what Windows systems and Microsoft etc are
communicating about. Much of it's encrypted. Maybe that's for user
protection, but assumptions can be dangerous ;) Worst-case assumptions
are most prudent, no?

I've read that, in Windows 8.x, Microsoft can monitor installed apps,
and can remove those it deems dangerous. If that's true, it could
readily determine who's running Tor. Maybe it could even modify the Tor
client. Do we know that it couldn't?

> If we're talking about auto updates, you have the same problem with
> essentially every Linux distro that you don't audit and compile
> yourself.

The money trail is a fundamental distinction between Windows and OSX,
versus Linux and other free operating systems. If I choose, I can
readily download and update Ubuntu, for example, through whatever arcane
combination of VPNs and Tor that suits me.

Doing that with Windows or OSX is much, much harder. Unless one uses
cracked versions, there's a money trail. Cracking takes some skill, and
third-party cracked versions are arguably even more dangerous.

> If not, I'd love to hear what angle you're going for here.
> 
> Cheers, Ralf
> 
> p.s.: I'm a reverse-engineer. the argument "you get binaries, not
> source code" doesn't convince me.
> 

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk