Re: [tor-talk] FBI cracked Tor security

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/19/2016 12:02 AM, grarpamp wrote:

On 7/18/16, Mirimir wrote:

...

Anyway, what does Tor Project gain by not mentioning Whonix?

That's a bit sideways, but in the interest of sideways eventually moving forward...

I'd say "meta" rather than "sideways", but hey ;)

1) Funding of sorts, which spreads around, to develop TBB, a sizable prioject, to do decent things a browser should do, hopefully feeding back to Mozilla. Were certain elements of security left uninvestigated and just punted to Whonix+FF, well that's a incomplete partial approach too. If you want funds, you might not want to publish other partial solutions.

Well, Whonix uses stock Tor browser, with a tweak to keep it from launching its own local tor process. It also enforces stream separation for other apps. But the key thing here is that it prevents proxy bypass.

Securing the browser and browser meta is a fine project. And as has been said, it's still needed to pair the app with defense in depth and a known line around application land. Just remember TBB and Tor are not and cannot be that line.

Yes, they are for sure not that line. So why not acknowledge that? Maybe key funders have said no to that.

2) Captured audience dependency. As with publishing, this is corporate 101. Giving someone an app is well... welcome to apps, and a torbox to run them on. Like iTunes on iPhone.

Right. For most, Tor browser on Windows. Pwnage waiting to happen. But why does Tor Project care about captured audience dependency? People using Whonix, like people using Tails, are still using Tor. And still using stock Tor browser. Maybe goals of key funders are driving this. Deliver lots of Tor relays and users to hide our agents. But make sure that users can't hide from our TLAs. That's what language in Graham's appropriations bill says. Maybe that's been the backroom deal for years, and Tor Project has been pushing back. One does get that sense from the leaked IRC logs.

Giving someone unix is like airdropping a great big box of freedom their way. Here, have some free beer...

https://www.freebsd.org/ https://www.openbsd.org/ https://torbsd.github.io/

Or whatever it is penquins drink... https://www.whonix.org/ https://www.whonix.org/wiki/Qubes https://www.qubes-os.org/

Or a fine Javanese app... https://geti2p.net/

3) Like I said, the real reason is probably a bit more mundane... nobody signed on to update the content. Tor has money, go hire yourself.

I doubt that they hire anons :( But damn, I'd do it for free, if they let me :) -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAEBAgAGBQJXjdcZAAoJEGINZVEXwuQ+G24IAKZTOZVxidiX2qEnOokfKh1T pg8BsXRgyMx7395mMc3WDFx16zc1Ylbh14z+YUq+1TOenO2wURjtTT9OCjCAjnOI IL1GRXjM23QLTI0qkRCwiEB04HZsu5t1jq1sJ7F23BUX/UjSBuK1osmtK3Ve3ucb qMTgZVIgmnWwdFkEM1l5fcDltnIYzOxF5VR0jHo5KTQ63l7E/xcNaWD/Y92yUu5C ZLeCYgVc+KdngHhVPDzhphCeWXwrVdpwRO0zqqLiR8ijn/dW0fFA7gOfZzTI1YTw VmVymrDWBfr6RjZ0FVeSIrvhewVRPjHIepTHwOuQQsAde5UGhtNv9lnXt+P7Rq4= =w5Ab -----END PGP SIGNATURE-----