
Re: Warnings on the download page

Thus spake Roger Dingledine (arma@xxxxxxx):

> On Thu, Mar 08, 2007 at 04:12:10PM -0600, H D Moore wrote:
> > I am in the process of updating the decloak 
> > demonstration to explain each of the tests and provide source code for 
> > the components. What may not be obvious (especially from the ZDNet 
> > article), is that I believe in the Tor project's goals and am not 
> > developing these types of tests to damage the project.
>
> Hi HD,
> Thanks for joining the discussion, and welcome. We (the Tor developers)
> have been working mostly on making Tor itself work, and hoping that
> other people would step up to help us figure out how to safely configure
> the supporting applications (web browsers, etc). We could sure use some
> help. :)
>
> The current simplest advice I can give people is to remove all plugins:
> http://tor.eff.org/download.html.en#Warning
> Do you have any suggestions on safe ways to back off from that?

I have a couple more points - the second browser phrase should link to
http://portableapps.com/apps/internet/firefox_portable because
otherwise it's not really easy to have a second Firefox installed.
I think we should also mention that we do scan the exits to try to
verify they are behaving well, but we may miss some. 

While developing the next generation of my scanner I still do scan for
matching MD5s inside/outside Tor from time to time, and the next
generation scanning script itself will examine script+embedded tags to
handle odd content/URLs in dynamic pages, but the main danger though
is in people targeting small segments of the population that I do not
speak the language of to issue queries for..  Tibetan sympathizers in
China come to mind..  Well, pretty much everyone in China comes to
mind, and I'm sure there are plenty of other marginal groups this
applies to as well (other than child porn "viewers").

Scanning doesn't help Moore's point 3, but hopefully some statement of
vigilance on our part will help Tor seem a little less like a
perpetual connection through the wireless net at Defcon.. Though
unfortunately that is the level of precaution Tor users should
probably be ready to take.

Mike Perry
Mad Computer Scientist
fscked.org evil labs
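
The inside/outside comparison described in the message above, as an added example (not Mike Perry's scanner and not Tor project code): compare the MD5 of a page fetched directly with the copy seen through an exit, and on a mismatch diff only the script and embedded tags so that ordinary dynamic content is not flagged. The function names, the tag and attribute sets, and the sample pages are assumptions constructed for this example.

```python
import hashlib
from html.parser import HTMLParser

# Tags/attributes treated as active content: an assumption of this example.
ACTIVE_TAGS = {"script", "embed", "object", "iframe", "applet"}
URL_ATTRS = {"src", "data", "code", "codebase"}

class ActiveContent(HTMLParser):
    """Collect (tag, url) pairs plus an MD5 for each inline script body."""
    def __init__(self):
        super().__init__()
        self.items, self._buf = set(), None

    def handle_starttag(self, tag, attrs):
        if tag not in ACTIVE_TAGS:
            return
        urls = [v for k, v in attrs if k in URL_ATTRS and v]
        self.items.update((tag, u) for u in urls)
        if tag == "script" and not urls:
            self._buf = []          # start capturing an inline script body

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            digest = hashlib.md5("".join(self._buf).strip().encode()).hexdigest()
            self.items.add(("script", "inline:" + digest))
            self._buf = None

def active_items(html):
    p = ActiveContent()
    p.feed(html)
    p.close()
    return p.items

def compare(direct_html, exit_html):
    """Return (verdict, active items present only in the exit copy)."""
    if hashlib.md5(direct_html.encode()).digest() == hashlib.md5(exit_html.encode()).digest():
        return "match", set()
    added = active_items(exit_html) - active_items(direct_html)
    return ("suspect" if added else "dynamic"), added

# Constructed sample pages (not captured traffic).
DIRECT = '<html><body><p>Served at 12:00:01</p><script src="/site.js"></script></body></html>'
EXIT_CLEAN = DIRECT.replace("12:00:01", "12:00:07")
EXIT_TAMPERED = EXIT_CLEAN.replace("</body>", '<iframe src="http://injected.example/x"></iframe></body>')
```

Inline scripts that legitimately change per request (for example ones carrying a session token) would still be reported as "suspect" here and need a second direct fetch to establish a baseline of what varies.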