
Re: 25 tbreg relays in directory



I resend this since it was deleted by greylisting.

-------- Original Message --------
Subject: Re: 25 tbreg relays in directory
Date: Wed, 01 Jul 2009 17:19:34 +0200
From: Niels Elgaard Larsen <elgaard@xxxxxxx>
To: or-talk@xxxxxxxxxxxxx
References: <200906290445.n5T4joLj007535@xxxxxxxxxxxxx> <4A48A211.1C087950@xxxxxxxxxx>

Jim McClanahan wrote:
> Scott Bennett wrote:
> 
>>      Ouch.  This provides another example in support of having a way
>> for the directory authorities to render insecure versions ... 
>> and only usable as clients to connect to the tor project's web site to
>> download a current version of tor.
> 
> This kind of thinking baffles me.  It seems diametrically opposed to the
> notion of free software.  I could understand if the outdated client was
> endangering the Tor network (which was discussed in the portion of the
> comment I skipped over with the ellipsis).  And I would have no problem
> with a friendly advisory as long as it wasn't incessant nagware that
> couldn't be disabled. 

I agree.
And I object to assuming that someone running an old version is necessarily uninformed.

There can be circumstances where a user has to choose between an old TOR client or no
anonymity at all, or even no internet.

E.g. We do try to make up-to-date versions of the Polippix CD. But someone may be stuck in
a hotel room somewhere, wanting to be anonymous and remembering putting a Polippix CD in
the suitcase years ago, or a USB-stick with TBB. Yes, it is possible to upgrade TOR
through TOR given a lot of time and RAM, but then again we do not know if there is enough
time and RAM.

I run a TOR-access-point. Users have no way of upgrading TOR on it. They probably do not
even know that they are using TOR. If I fail to upgrade the access-point and we lock it
out, the users lose the internet connection. And the users are not that anonymous anyway.
The wireless traffic is not through TOR.

> But I don't understand the desire to dictate to
> people or some nanny viewpoint of trying to save people from
> themselves.  (Before somebody makes an argument of keeping the Internet
> free of compromised machines, I rather imagine the number of machines
> compromised because of Tor software would be lost in the statistical
> noise of all the other ways machines get compromised.  And I don't think
> the unsavory purpose these "tbreg" instances are put to is a relevant
> factor.)

Why should a client even provide its version? (of the code, not versions of protocols it
understands).
If someone ships 100000 CDs/USB-keys to e.g. Iran they will all have the same version, which
in a year could be almost unique. You can already track IP-numbers to e.g. Iran, but why
make it easy to detect when e.g. a new shipment arrives or how people move around.

-- 
Niels