
Re: [tor-talk] TOR bundle on hostile platforms: why?



Thomas.Hluchnik@xxxxxxxxxxxxx:
> On Thursday 08 August 2013, adrelanos wrote:
>> Thomas Hluechnik:
>>> My opinion: to be honest we all assume under normal circumstances
>>> that a piece of software is trustworthy until it is proven that it
>>> contains a weakness or backdoor.
>>>
>>> With regard to security the opposite is true: we have to assume a
>>> piece of software to be broken until the opposite can be proven.
>>
>> How can one prove the absence of backdoors/vulnerabilities? How can one
>> ever prove a negative?
> I think you don't get the point. If somebody wears glasses which make
> him blind he will very likely stumble. And if such a guy (who loves his
> foolish glasses) goes hiking in dangerous terrain you can imagine what
> will happen to him.
>
> If he is willing to put off his wonderful blind-making glasses it is
> much more likely that he will not stumble even in dangerous terrain but
> this is no guarantee. You know you can be very prudent while hiking and
> stumble nevertheless.
>
> After this is clear, would you say "you crazy guy can keep on wearing
> your silly glasses because there is no guarantee to not stumble when you
> put them off"?
>
> Using open source is like putting off the silly blind-making glasses.
> You have the chance to not stumble but no guarantee.
>
>

I think such analogies aren't of help here.

Against the threat model you have in mind here (which is fine!),
backdoors, Open Source operating systems won't work. I am all for Open
Source, but we shouldn't pretend Open Source operating systems are safe
against backdoors.

There are no operating systems built deterministically[1] yet. There is
also no answer to the trusting trust issue [2]. Sad to say, it's not much
harder to hide a backdoor in an open source operating system where you
only download binaries.

>>> I was really happy when finding tails. This should be considered
>>> as the future for TOR: it doesn't matter if any DAU (german word
>>> for computer beginner) has its Windows computer full of backdoors
>>> and viruses. He just starts from USB or CD having an acceptable
>>> level of security.
>> 
>> This needs trusted distributors shipping Tails on USB or CD. With
>> a strong threat model you have in mind, you can't use a version of
>> Windows infected with trojans and backdoors to securely get Tails.
>> [Oh, that of course also goes for any other Linux distribution.
>> Whonix isn't an exception.]
> 
> That's true. Let's found a company selling such hardened CDs.

> But from a view of our customers: can they trust in us? Will we
> distribute them with backdoors or not? Maybe we are even members of
> the NSA?
> This must be clear since Orwell's book 1984. Security is a relative
> thing.

They can't trust. One reason to have multiple companies selling such
CD's. And those CD's should be built deterministically, so others can
rebuild them and check if they contain backdoors.

Anyhow. Your questions are valid. And how can customers trust the
hardware others sell them not to contain backdoors? The diversity of
hardware and especially CPU producers is awful. CPU backdoors... [3]
With your threat model in mind (which is again fine!), we have already lost.

> Others are more interested but have no technical background. They
> were willing to protect themselves but are dependent on experts' help.
> In their eyes WE are the experts and we show them: you can use
> Windows in a secure way. In effect we are betraying those people
> inadvertently.

> I think our goal should not be convincing people using Linux in first
> order. It might be an acceptable scenario that Windows lovers use
> their Windows by default but when they want privacy they reboot their
> host into LiveCD or USB mode containing tails or something equal.

Your arguments are valid. Whether they are right is another question. We
can't settle this with discussions. We can't talk people who help to
secure Windows into not doing that anymore. We all have intuitions, but
that doesn't mean they reflect reality. Maybe "popularity first" is more
effective, maybe "no help with closed-source anything" is. We need
science to get answers to these questions and to convince us of either
thing. If you can come up with an experiment that shows that "no help
with closed-source anything" is more effective to pull users away from
closed-source platforms, I am the first to drop support for
windows-anything.

[1] For definition, see: https://mailman.stanford.edu/pipermail/liberationtech/2013-June/009257.html
[2] http://cm.bell-labs.com/who/ken/trust.html
[3] http://theinvisiblethings.blogspot.de/2009/06/more-thoughts-on-cpu-backdoors.html
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk