
Re: [tor-talk] wake up tor devs



> scrib tedks:
> Not really, in 2004 onion routing was well-researched.

All the projects have milestone dates, knock another five years off
if that one doesn't make you happy.

> Tor is very incrementalist

So is any other project, you can't just wish project/code into
being. And everyone has their own maps.
https://geti2p.net/en/get-involved/roadmap

> Dropping something like i2p, with zero
> academic background

https://geti2p.net/en/papers/

In general: blah blah blah, we all started somewhere from the exact
same position, zero. Including Tor.


> Tails *just* got burned by i2p and wisely disabled it.

For you to be able to successfully bash any other network project,
you need to be able to show that their whitepaper design fundamentals
[1] are broken.

Pointing out cute little javascript [2] XSS holes [3] that root
your configuration system, while surely unwanted holes, is childish
for a comparative reviewer to do. They are not architectural flaws
in the overall fundamental design of the darknet itself. They are
issues in the periphery that everyone makes and that will be
fixed/rewritten in time. Tor is no stranger to this either, go look
through the security and other sections of the Tor changelog.

Further, Tor has known and unfixed de-anonymization attacks against
its hidden services, and by extension possibly out to the client
as well if the guard is evil. That's not a cute hole. And being
fair, other networks likely have similar current weaknesses.

[1] For example lacking better terms, Tor uses circuit switching
over onion routing with fixed human directory authorities at the
top, I2P uses packet switching over garlic routing with no such
central authorities.

[2] You could just as easily bash Tails or TBB here for leaving
javascript turned on.

[3] http://blog.exodusintel.com/2014/08/25/tails-from-the-cri2p/
"The approach utilizes cross-site scripting vulnerabilities along
with Javascript to reach into the internal I2P router configuration
intranet."


> Sometimes questions just have simple answers.

Some questions defeat themselves ie...

> * i2p should have attracted academics to the low-hanging fruit of
>  showing their unique routing system correct

Current trends award more rockstar for proving brokenness and treat
proving correct as academic. BTW, no one has shown Tor correct,
some show it weak to various things.

> * i2p should have attracted developers to the relatively popular
>   project of helping defeat censorship and protect privacy (there
>   are probably an order of magnitude more Java developers than C
>  developers, so i2p even has an advantage here!)

These are likely human factors, you have coders, you have salesmen,
they don't usually come in one group/person. I2P just added salesmen
by redoing their website and launching an umbrella. It's also not
so easy to say there are more java developers skilled in this
particular application space.

> * i2p should have hosted security-critical sites like the Silk
>  Road

You've clearly not spent any time in, and cataloging the contents
of, the various darknets.

> * i2p should have been used by botnets for c&c

Botherders historically think in terms of clearnet and needed exits.
There is no proof i2p is not in such use. And being a simple binary,
Tor is much easier to package and run as part of an exploit.

> * i2p should have been mentioned in some leak from some shadowy
>  security agency

Whatever. Lack != Fact.

> * The major selling point of i2p should be "proven security over
>   alternatives" rather than "developed by anonymous people" and "not
>   funded by the american government", which are secondary rather
>   than primary advantages of the software and are respectively
>   entirely uncorrelated and only weakly correlated with the
>   security of the software

Tor should as well be able to say the first quote, the third quote,
and since anyone can be on the take, even the second as well... but
it doesn't. Here's what these two projects actually say...

https://geti2p.net/en/
https://www.torproject.org/


> Further, i2p just isn't worth that treatment because it's shoddily
> developed
> ...
> the aggregate intelligence of your developer base. Unless you can argue
> the 5 contributors to i2p are geniuses

Insults do not enhance your arguments, or your friend count.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk