[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] FBI cracked Tor security

On 7/15/2016 12:34 AM, Jon Tullett wrote:
On 15 July 2016 at 01:23, Joe Btfsplk <joebtfsplk@xxxxxxx> wrote:
On 7/14/2016 2:34 PM, Jon Tullett wrote:

Thanks Jon.  I agree w/ most that you said.  Again, semantics. Whether they
cracked Tor or Tor Browser won't change if the brutal dictator has you shot
in the front or back of the head. :)
Again, remember that this conversation was in the context of Freedom Hosting.

Absolutely agree that the same style of investigation could (and
probably does) happen in a more brutal political regime. Users there,
being at greater risk, have a greater need to take further steps to
protect themselves.

Unless one is using Tor w/ their own internet browsing application, an
exploited weakness in Tor Browser - modified Firefox - has the same effect
on users.  They're a package deal.
Well, no. Tor does make it clear you need to do more than just
downloading TBB to be anonymous and secure. If you think TBB is a
single-solution prepackaged silver bullet, you are at risk.

I don't think there's any debate whether Tor should try to be such a
silver bullet - clearly it can't and shouldn't - the question seems to
be around whether Tor should give more clear guidance/warnings. I'm
always in favour of that.

You're not really suggesting that users under hostile dictatorships or ones
trying to expose democratic government unconstitutional actions,  take full
responsibility for the ongoing modifying, patching & constant reading about
weaknesses of Tor Browser "for their own security?"
Yeah, I kinda am. Users in such hostile environments absolutely need
to take more care to keep themselves secure, and not just online. If
you are relying on any product to keep you alive, you definitely
should be constantly reading about it.
Respectfully, you're dreaming if you think whistle blowers, political activists or citizens under brutal regimes are *necessarily,* or even mostly computer geeks. :) You may be correct that only very advanced geeks or (sane) persons w/ unlimited access to one, _should_ use TBB in dangerous situations, if they don't understand every detail about what can go wrong & how to fix it themselves.

Very few people meet those criteria. I don't & I've been studying Tor & TBB for yrs. People that might have interests in whistle blowing or activism, *also* having the knowledge & ability to troubleshoot, modify or patch TBB on an ongoing basis are almost nil. Except for those w/ no concept of the extreme risk they're taking, that leaves very few people to do any blowin' or activatin'. People under brutal regimes don't need to be activists to have a real need for reliable anonymity (no unpatched browser bugs). They just need to safely access info besides governmental propaganda or to pass info to similar minded persons. Do we think they're all going to be coders that can patch browsers? That's a dream. :)

If the only people (in dangerous situations) that should use Tor / Tor Browser are geeks, it doesn't have a very wide audience. Regardless of whose job it is to make something like TBB "as secure as possible," there just aren't many people like E. Snowden w/ extreme computer talent - to do what you're suggesting - & desire (possibly stupidity) to go after top officials or their government.

Many of things mentioned in "what else you need to remain anonymous" type articles - don't use Flash, plugins, file sharing, etc., are easy. It's all the other things that can go, or are, wrong that most people wouldn't understand. For years, Tor devs weren't even sure how to report TBB screen size & many other unresolved issues. I filed various bugs on many things, but had no idea how to fix them. How can even advanced users be expected to fix these & more problems when it sometimes takes extremely talented Tor devs years to find solutions? Again, a pipe dream.

The sage advice under "List of Warnings:" "Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse <https://www.torproject.org/about/torusers.html.en> their interests, the less dangerous it will be that you are one of them." L I'll B. Unless sites you're visiting or your exact ISP server are known to have 100's of TBB users - at once, that doesn't help much.

I'm not too sure about trusting one's life to a system based in part on pure guesstimating how many entry & exit relays are enemy controlled. Calculating statistical odds of being identified, based on unknown of numbers of enemy controlled nodes; the number of times & frequency entry guards change, number of sites visited, etc. :D

That Tor Project is saying Tor is relatively anonymous; as for Tor Browser,
everyone's on their own.
It's saying that the Tor network will help you stay anonymous, and the
browser bundle will help facilitate that, but you also need to take
further steps to stay anonymous and secure. I think that's realistic
and reasonable.

Also, remember there is no such thing as 100% security, and the
incremental usability/security tradeoffs become more severe the
further you go. Everyone has to decide for themselves where to draw
the line - how secure they want to be and how much compromise they can
accept. All a third party like Tor (or you and I) can do is educate.


tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to