
Re: [tor-talk] Meeting Snowden in Princeton



benjamin barber <barberb@xxxxxxxxxxx> writes:

> I dislike the notion of the central directory auth, while not a SINGLE
> point of failure, relying on someone else to know who to trust, is great
> until you discover that the trust was undeserved.

You're welcome to dislike it, but as str4d just confirmed,
there's currently no decentralized solution that offers an equivalent ability
to prevent takeovers of the network by dumping bandwidth onto the network.
It was interesting to hear about some of the alternatives
that don't rely on a directory authority concept,
but it sounds like none are as mature yet.

> Operational security also seems to be glossed over to laypersons,

I agree, but the basic problem is that threat modelling is hard.
I think Tor (in its FAQ and other documents) is open as to its limitations,
which has not always been the case with other technologies/networks.
And of course even exhaustive documentation of opsec
(which would somehow have to foresee every application Tor was put to)
won't stop people motivated by profit or blinded by hubris from cutting corners.

https://ssd.eff.org/en/module/introduction-threat-modeling
is a nice introductory text, but it's just that, an introduction.
Ultimately the advice has to be tailored to the particular user(s).

> which is why I use to a solar powered computers running tor, that I
> network with a private VPN server that I have running in germany.

This for example sounds like doing some stuff that sounded good at the time,
absent any particular threat model.
