On 5/15/06, Justin <justin-cypherpunks@soze.net> wrote:
> > On 2006-05-15T08:12:17-0700, coderman wrote:
> > ah, reputation and trust. my favorite crux
>
> Uh-huh, or maybe le France is a haven for anonymous communications, and this FUD is a joint project of other western governments... governments that DO control all tor and remailer services within their borders.
i suppose my point was that trusting tor as it stands is a leap of faith. there is little visibility as far as node selection criteria for addition to the directory, the information and physical security aspects of the servers within the directory, and the reputation of the node operators with respect to "rubber hose / threatened incarceration" attacks and the associated trust level to assign in such a context.

much better than nothing, but i still consider tor useful mainly for keeping your source IP out of webserver logs. any other government / malicious entity can compromise accordingly. (i know this isn't the situation overall, but i assume as much so i won't be surprised by a worst case)

i used to run a peertech node on a dedicated server. this host was compromised by tech staff at the facility with physical access, and ever since i've refused to operate a node until i could be sure physical security was assured.

i tend to consider any service that relies on host integrity also reliant on a number of other prerequisites like:

- physical security to prevent unauthorized access
- hard disk encryption to prevent unauthenticated disclosure (esp. seizure of hardware)
- infosec best practices to keep attack surface minimal (firewalls, chroot, VMs, POLA, etc)

for the situation mentioned in the parent thread, i'd like to know that if the TLA comes knockin', my key-scrubbing loop-aes turns all disks into large entropy stores the moment power is killed upon any attempted seizure.

most services currently assume the disk is private. if you want a private disk, you need full disk encryption (key scrubbing in RAM++) tied to strong authentication.
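Added example, not part of the thread above and not loop-aes code: a userspace illustration of the "key scrubbing in RAM" discipline the post asks of a disk encryption layer. The secret is pinned with mlock() so the kernel can never page it out to a swap partition (which would quietly re-create the "disk is private" assumption), and the teardown path overwrites it with a wipe the optimizer is not allowed to drop before free(). Linux is assumed; the key bytes are a constructed constant standing in for a volume key, and the struct/function names are mine. The real loop-aes or dm-crypt key lives in the kernel, where the same idea applies at shutdown.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>

#define KEY_LEN 32  /* e.g. an AES-256 volume key */

/* In-memory secret pinned against swapping (hypothetical type for this example). */
struct key {
    unsigned char bytes[KEY_LEN];
    int locked;  /* nonzero if mlock() succeeded */
};

/* Zero a buffer in a way the optimizer cannot remove as a dead store.
 * A plain memset() before free() is routinely elided; the volatile
 * byte loop plus a compiler barrier is the portable form of what
 * explicit_bzero() / memset_s() do. */
static void scrub(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
    __asm__ __volatile__("" ::: "memory");
}

/* Allocate key storage and pin it so the kernel never pages it to disk.
 * mlock() can fail under RLIMIT_MEMLOCK; the caller sees k->locked == 0
 * and must decide whether an unpinned key is acceptable. */
static struct key *key_alloc(void)
{
    struct key *k = calloc(1, sizeof *k);
    if (k == NULL)
        return NULL;
    k->locked = (mlock(k, sizeof *k) == 0);
    return k;
}

/* Constructed, deterministic fill for the demo only.  A real daemon
 * derives the key from a passphrase or hardware token at unlock time. */
static void key_load_demo(struct key *k)
{
    for (size_t i = 0; i < KEY_LEN; i++)
        k->bytes[i] = (unsigned char)(0xA5 ^ i);
}

/* Constant-shape check that every key byte is zero. */
static int key_is_zero(const struct key *k)
{
    unsigned char acc = 0;
    for (size_t i = 0; i < KEY_LEN; i++)
        acc |= k->bytes[i];
    return acc == 0;
}

/* Scrub the key material in place.  The cleanup path (SIGTERM handler,
 * power/lid event, panic hotkey) calls this before anything else.
 * Returns 1 if the bytes verify as zero afterwards. */
static int key_scrub(struct key *k)
{
    scrub(k->bytes, KEY_LEN);
    return key_is_zero(k);
}

/* Unpin and release.  Always scrub first: free() does not clear memory,
 * and the freed page may be handed to another process later. */
static void key_free(struct key *k)
{
    if (k == NULL)
        return;
    key_scrub(k);
    if (k->locked)
        munlock(k, sizeof *k);
    free(k);
}

int main(void)
{
    struct key *k = key_alloc();
    if (k == NULL)
        return 1;
    key_load_demo(k);
    printf("mlock: %s\n", k->locked ? "pinned" : "NOT pinned (RLIMIT_MEMLOCK?)");
    printf("zero before scrub: %d\n", key_is_zero(k));
    printf("zero after  scrub: %d\n", key_scrub(k));
    key_free(k);
    return 0;
}
```

Two caveats a practitioner would add: mlock() only keeps the pages out of swap, so the swap partition and any hibernation image still need to be encrypted in their own right, and scrubbing on a clean shutdown does nothing against a cold-boot read of DRAM if the attacker keeps the machine powered. The thread's "turns all disks into entropy the moment power is killed" property holds only once the key is gone from RAM, whichever path removed it.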