
Re: [tor-talk] Most Security Assertions Dangerous [Re: YouTube via Onion Services]



On Thu, 6 Dec 2018 03:25:05 -0500
grarpamp <grarpamp@xxxxxxxxx> allegedly wrote:

[ some snippage throughout ]

> 
> > - It's free software and the code is available for install/checkup.
> 
> That assertion is irrelevant in the security context
> of the thread so far, and it's dangerous advice.
> 
> As with protonmail and all the other fakeass encrypted email
> websites... the JS code is loaded by the browser from the web
> service itself, there is currently NO trusted way for the user to
> independently audit that the code they end up executing in
> real time *from* the service matches the code *in* any repo,
> or for the user to choose to ignore the service code and load
> and execute any repo code of their choosing instead.
> 
> The current code load model is a nasty exploit waiting to happen,
> does happen (Hushmail, NIT's, etc), and simply should not be trusted,
> no more than GOOG and FB the dicks, themselves, indeed.
> Or Java, ActiveX, Flash, and whatever other "secure" crap some
> scam tries to push into your pathetically insecure and
> untrusted exec platform.
> 
> [1] You can't even say those for the release iso's of
> OpenBSD, FreeBSD, the Linuxes, etc... back
> to their claimed source code repos... because
> either those repos have no internal cryptographic
> roots or hashes to sign over or with in the first place,
> or some process in the path from there to the iso's
> is not reproducible or cryptographically chained.
> Same goes for Apple, Microsoft, Intel, AMD, ARM,
> Government, etc...
> You're all still woefully fucked therein because you keep
> buying the Kool-Aid, and refusing to demand, fix,
> ignore, or eliminate them and their issues.
> 
> #OpenFabs , #OpenHW , #OpenSW , #OpenDev , #OpenBiz , #CryptoCurrency
> , #Anarchism
> 
> The list of requisites to even get close to improving
> the situation grows...

Thank you once again Grarpamp. You may be OTT occasionally, but
nevertheless it is worth reminding people that security is not an
absolute. We all make assumptions about who or what is trustworthy
and in what context. But those assumptions should always take account of
our own particular threat models. 

Best 

Mick

---------------------------------------------------------------------
 Mick Morgan
 gpg fingerprint: FC23 3338 F664 5E66 876B  72C0 0A1F E60B 5BAD D312
 https://baldric.net/about-trivia
---------------------------------------------------------------------

-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
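The gap grarpamp describes above (the browser runs whatever JS the service hands it, and a per-visitor substitution is invisible to anyone who audited a different copy) can be made concrete with a small model. The following is an added example, not code from the thread, from grarpamp, or from any of the services named; the scripts, the visitor names and the `WebService` class are constructed for illustration, and the only real-world format used is the Subresource Integrity digest string (`sha256-<base64>`).

```python
import base64
import hashlib
from typing import Dict, List, Optional

# Constructed sample: the client script as published in the project's repo.
REPO_SCRIPT = b"function encrypt(msg, key) { return nacl.box(msg, key); }\n"

# Constructed sample: a variant a compromised or coerced service could serve
# to one targeted visitor only (here it leaks the key before encrypting).
TARGETED_SCRIPT = (
    b"function encrypt(msg, key) { beacon(key); return nacl.box(msg, key); }\n"
)


def sri_hash(data: bytes, algo: str = "sha256") -> str:
    """Digest in Subresource Integrity form: '<algo>-<base64 of raw digest>'."""
    digest = hashlib.new(algo, data).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


class WebService:
    """Hypothetical model of a service that serves its own client code and may
    substitute a different script for a single targeted visitor."""

    def __init__(
        self,
        script: bytes,
        targeted_script: Optional[bytes] = None,
        target: Optional[str] = None,
    ) -> None:
        self.script = script
        self.targeted_script = targeted_script
        self.target = target

    def serve(self, visitor: str) -> bytes:
        # Everyone else (including an auditor) gets the honest copy.
        if self.targeted_script is not None and visitor == self.target:
            return self.targeted_script
        return self.script


def verify_served_script(served: bytes, expected_sri: str) -> bool:
    """The check the user would need: does what the browser actually received
    match a pin derived from the repo copy? True only when digests agree."""
    algo = expected_sri.split("-", 1)[0]
    return sri_hash(served, algo) == expected_sri


def audit(service: WebService, visitors: List[str], expected_sri: str) -> Dict[str, bool]:
    """Run the check once per visitor, as each visitor's browser would have to."""
    return {v: verify_served_script(service.serve(v), expected_sri) for v in visitors}


if __name__ == "__main__":
    pin = sri_hash(REPO_SCRIPT)
    service = WebService(REPO_SCRIPT, TARGETED_SCRIPT, target="alice")
    for visitor, ok in audit(service, ["auditor", "alice"], pin).items():
        print(f"{visitor}: served code matches repo pin = {ok}")
```

The point the model makes is the one in the quoted mail: the auditor's fetch matches the repo, alice's does not, and nothing in today's load model gives alice a trusted pin to compare against or lets her load the repo copy instead of the served one.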