Re: relay tidbits...

[phobos@xxxxxxxxxx]

On Tue, Jun 03, 2008 at 10:44:00PM -0700, kyle.kwilliams@xxxxxxxxx wrote 3.1K bytes in 67 lines about:
: phobos@xxxxxxxxxxxxx wrote:

Another phobos, hi.

: If Tor operators were protected by law, I would run a dozen Tor nodes. 
: However, that is not the case in this day and age.

I believe Tor operators are prorected by US law.  In fact, we have a FAQ
about this, https://www.torproject.org/eff/tor-legal-faq.html.en.

: Oh, I encourage people all the time to use Tor, but along with that I 
: encourage them to be secure and use the best Tor implementation 
: possible.  I don't want my friends and family being affected by some new 
: bug.

My interpretation of what you said, and apparently others as well, was
that you were telling everyone Tor is too risky and therefore people
shouldn't be running nodes.  As for bugs, sure, bugs exist.  They exist
in everything.  My car has a bug where the cruise control won't disable,
so stepping on the brakes to stop results in a surprising outcome.  I'm
sure some bugs exist in Tor, too.  Good privacy and anonymity practices
online help mitigate the effects of bugs in Tor (and firefox and
torbutton, and remote sites).

: get a patch out.  By adapting Tor in layer 3 or layer 1 of the OSI 
: model, or by putting into a completely separate OSI environment (VM), we 
: can reduce the surface area of attacks on our anonymity from 0-days 
: dramatically.

We're happy to accept patches. ;)

: And for the record, I do fight for anonymity online by providing the 
: most secure and 0-day resistant Tor implementation out there.  Likewise, 
: I've contributed my fair share of security bugs to Mike Perry, Roger, 
: and Nick in a responsible manner.
:
: I'm starting to feel like the anti-hero of Tor.  I change my views from 
: full disclosure to responsible disclosure.  I've helped in projects of 
: others.  I've given Roger my honest opinion when he asks for it.  I've 
: given away free software that is way more secure than all the other 
: implementations out there.

This is great.  I encourage you to continue to do these things.

: <sarcasm with an angry tone>
: WHAT THE FUCK MORE DO YOU WANT FROM ME?! Another 0-day?!
: </sarcasm with an angry tone>

From reading the thread again, I'm confused as to the point of your
post.  This is probably a better conversation to be had off-list.

As for your second point, we disagree.  As a volunteer service provider, I
shouldn't be liable for what content passes through my service.  In my
own experience of running Tor exit nodes, this has been the case.
Spending a few hours with local law enforcement explaining Tor and why
my IP showed up in their case is worth the cost of providing online
anonymity to me.  

We're working to reduce the "cost of Tor", which is these few hours, by
talking to law enforcement around the world as much as possible.  Many
of these people realize the value of Tor in their own roles.  As Roger
and Nick said in their paper a few years ago, anonymity loves company.

-- 
Andrew