[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] TOR bundle on hostile platforms: why?



You want evidence? Are you serious? You are telling me you fully trust
Microsoft by default, until you are given evidence to their concrete
wrongdoing?

A built-in backdoor is quite likely, since no one believes they will
be prosecuted after the SONY rootkit fallout. But we don't have to
wage on that, we know exactly how they are doing this right now.

We all know Microsoft reports vulnerabilities to the feds. We all know
Microsoft takes years to fix vulnerabilities. So the feds, and anyone
with deep enough pockets can buy them. So we can safely assume that
every big police organization in every developed country has a Windows
remote. This kind of defeats the purpose of running TOR, eh?

I don't want to make a big deal out of this. I am just saying: what
TOR Bundle claims to do (hide the user from traffic analysis) cannot be done
on Windows with any reliability. So at the very least the project should
disclaim that. Indeed, it seems probable that the people
you would want to treat as the most dangerous adversaries (the law
enforcement) are in the best position to render TOR completely useless,
and probably already have. The list of "hidden" Windows hosts?
They have it now. These are the same people who were saving every
SMS and every email and every everything for more than 10 years now,
and will continue to do so for a while.

To drive the point even further: would you consider suggesting that users
should run TOR from a public terminal in an Internet cafe or a library?
If not, you should reconsider your position on Windows and OS X, since
they have the same exact problem: the user simply does not have complete
control over the machine, and the other parties with direct access
are rather hostile.

On 08/07/2013 04:05 PM, Ralf-Philipp Weinmann wrote:
> 
> On Aug 7, 2013, at 9:06 PM, Ivan Zaigralin wrote:
> 
>>> Using Tor protects you against a common form of Internet surveillance
>>> known as "traffic analysis."
>> 
>> It doesn't, since Microsoft can survey all outgoing and incoming traffic in
>> plain text.
>> 
>>> Tor also makes it possible for users to hide their locations while
>>> offering various kinds of services, such as web publishing or an instant
>>> messaging server.
>> 
>> On the contrary, Microsoft has the capability to survey all Windows-powered
>> TOR nodes and make a complete table of who is hosting what.
>> 
>>> As Tor's usability increases, it will attract more users, which will
>>> increase the possible sources and destinations of each communication,
>>> thus increasing security for everyone.
>> 
>> Each Windows host added to the network is a TOR node which is directly
>> under control of Microsoft. Thus adding more Windows hosts decreases the
>> security for everyone.
> 
> Hi Ivan,
> 
> may I ask what you base these claims on exactly? The capability of Microsoft
> to perform auto-updates or is there anything else?
> 
> If we're talking about auto updates, you have the same problem with
> essentially every Linux distro that you don't audit and compile yourself.
> 
> If not, I'd love to hear what angle you're going for here.
> 
> Cheers, Ralf
> 
> p.s.: I'm a reverse-engineer. the argument "you get binaries, not source
> code" doesn't convince me.
> 

Attachment: signature.asc
Description: OpenPGP digital signature

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk