[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Tor and Financial Transparency




Hey Juan. I feel like I have something to add to this discussion, even though generally, as others have said, this is not a new discussion.

Juan Garofalo <juan.g71@xxxxxxxxx> wrote:
>Tor cannot protect individuals from organizations that can monitor
>'big' parts of the internet. Organizations such as the US government,
>for instance. In that sense Tor is flawed. 

This is the same as saying that any safe or vault can be opened by someone with a powerful enough laser or explosive, yet we still use safes and vaults to safeguard precious possessions and sensitive documents, don't we?

This is a basic security metaphor that must be understood. There are no absolutes. It is about how hard you make your adversary work. This is the real world of humans trying to get some digital advantage against very real, well funded adversaries.

For combating mass dragnet activities, Tor is fantastic. For circumvention, Tor is fantastic. For always defending 100% against the alpha dog surveillance organization on the entire planet? Maybe Tor has some trouble there, but I don't consider it a flaw, unless you can show me 100% total correlation of all in and outbound traffic, such that it is *worse* to use Tor than not to.

With my work on Tor for Android, there are obviously a million horrible eventualities that could come about by expecting privacy on a smartphone with a SIM card. Yet, many people use Orbot, and are very happy with the protection and freedom provides, even though they understand Google may know something about them, or that the telcomms do know many things. Tor gives them a small window of freedom, and if configured properly on a secure phone, a great deal of freedom.


>I understand that the flaw is an inherent limitation of the way Tor
>works and it hasn't been put there 'on purpose'. But the fact remains,
>it is a bug, or feature, of Tor's design.

Tor is used by a wide variety of people, and it is designed with many user stories in mind.

Yes one user story is "I want to remain anonymous from the US government" for sure.

Another one though is "I want to access a website blocked in my country" and "I want to make sure the admin of the network I am on cannot intercept or track my email traffic, so they won't be alerted that I work for X human Rights group".

When you get out into the real world, the antiseptic stance you are taking doesn't matter quite so much. Saying Tor is flawed because it doesn't withstand the worse case scenario crypto-armageddon is just not an interesting a discussion to have for the fourth or fifth time.

Finally, one of the most promising uses of Tor are around whistleblowing services like Globaleaks, which require a Tor hidden service to access. In that case, the global adversary problem does not exist, as the Tor exit and the web service are on the same box.

Best,
    Nathan
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsusbscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk