On Mon, Feb 15, 2016 at 5:45 PM, coderman wrote:
the assumption that your malware laden WinXP box can run "Tor Browser" and be secure, is laughable. we're finding more than ever that personal security, operational security, and information security are all tied up in complex interdependence. Tor doesn't even try to address this, because frankly, no one has...
The biggest security risk by far is the user... With social network engineering techniques they can even get you to believe you've done something illegal when you haven't. "Creating false memories of criminal activities using suggestive interviews." PDF, 11pgs: https://nebula.wsimg.com/ce2babe46721a32c861f1a646c2836aa?AccessKeyId=AF62ECFBCD8F6D95BACE&disposition=0&alloworigin=1 -- RR "Revolutionaries are dead men on furlough" Michael Best wrote:
Uh-oh, you're part of The Cabal now, coderman!
On Mon, Feb 15, 2016 at 5:45 PM, coderman <coderman@gmail.com <mailto:coderman@gmail.com>> wrote:
On 2/14/16, Malcolm Matalka <mmatalka@gmail.com <mailto:mmatalka@gmail.com>> wrote: >... > Can you go into some detail on this? I was always under the impression > that the Tor code was open source and heavily audited. Is the critique > that this is not true or something else?
clarification in order.
1) government funding of Tor means they get dibs on development priorities. censorship circumvention over dead-easy Tor Routers. Translations in Tor Browser over endpoint-hardened solutions like Whonix-Qubes around your Tor Browser. etc, etc. this does not imply the Tor code itself is made vulnerable. For example, 8 hour patch on control port vuln, and first to force disable RDRAND-sole-source in OpenSSL. not the behavior of group at behest of NSA and IC...
2) critique of existing hardware and software in terms of strong security against well resourced attackers. there is serious vulnerability across the entire spectrum of technology. the assumption that your malware laden WinXP box can run "Tor Browser" and be secure, is laughable. we're finding more than ever that personal security, operational security, and information security are all tied up in complex interdependence. Tor doesn't even try to address this, because frankly, no one has! it's the constantly evolving terrain of specialized experts, long bought over to $Private or $Gov not Public work.
3) Tor made trade-offs for end-user adoption and wide applicability. we don't have have a fancy UDP Tor with traffic analysis resistance, and some argue such a thing can't exist. this would be great to get funded, but even past efforts have yielded detail around how much remains to be researched, let alone implemented in proof-of-concept.
Tor well deserves their reputation for solid development in the public interest, and their behavior regarding serious vulnerabilities is exceptional across industry. actions above words, and they walk the walk. i am also glad to see their first fund raiser to diversify sources of support haul in hundreds of thousands for use without strings attached. more of this!
best regards,