Re: [tor-talk] FBI cracked Tor security
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 07/18/2016 07:08 PM, Jon Tullett wrote:
On 18 July 2016 at 16:17, Mirimir <mirimir@riseup.net> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 07/18/2016 07:33 AM, Jon Tullett wrote:
On 18 July 2016 at 14:57, Mirimir <mirimir@riseup.net> wrote:
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
On 07/18/2016 06:11 AM, Jon Tullett wrote:
Haroon Meer, who I greatly respect in the security space, describes UX complexity in terms of his mum. As in, "could my mum do this?" and if the answer is no, it's too complex for the average user. I like that.
His mum probably shouldn't be using Tor.
Why not? Are you able to say with certainty that they are not at risk and shouldn't be using Tor? Sounds like a risky assumption. Not that it's applicable here, but activists' families are not uncommonly at high risk. I'd caution against assuming you know someone's risk profile better than they do. And that, in a nutshell, is why I don't think Tor should be making such an assumption in its recommendations to users in general.
Giving clueless folk an illusion of safety is arguably bad.
Now you're back to "sheep". Don't assume that "technically inexperienced" equates to "clueless".
Well, say "technically inexperienced" if you like. In my world, we call that "clueless". I'm more or less clueless in many areas, and am not ashamed to admit it.
Security theatre is generally not positive, but again, security is never absolute and you will always be able to find an argument for doing more, and someone who will argue that failing to do so is, yes, arguably bad. Everyone has to draw the line somewhere. Tor has done so.
Well, given what we know of TLA capabilities, what Tor Project says at <https://www.torproject.org/> is tantamount to false advertising: | Anonymity Online | | Protect your privacy. Defend yourself against network surveillance | and traffic analysis. Maybe so against local adversaries. But clearly not against global adversaries. Cynical folk note that so far, the US and its allies are the only known global adversary. And claim that this is self-serving bullshit. | Tor prevents people from learning your location or browsing habits. It for sure hasn't stopped FBI, with their honeypots that drop malware. And I doubt that it stops NSA/GCHQ. But Tor Project just postures about "bad FBI". They don't give naive users, who may be at risk, even a brief heads up about proxy leakage, and how to prevent it. Two or three years ago, even after the Freedom Hosting debacle, I was willing to cut Tor Project some slack. But after the PlayPen attack, it's becoming harder to escape the conclusion that Tor Project either doesn't want to mitigate this risk, or doesn't have the contractual freedom to do so.
We're going in circles on this now, so this will be my last repetition of that particular argument. As I've said, I think we agree there's room for better education, but just differ on details.
Fair enough :)
It's probably far more meaningful to help users understand that spectrum, self-assess where they fall on it and what their risk profile may look like as a result, and pointers to resources which would align with that.
That sounds good to me. Except that there's nothing on the Tor Project site about Whonix, and virtually nothing about proxy-bypass leaks.
Why should there be mention of Whonix? It's an independent project.
What about <https://www.torproject.org/projects/projects.html.en>?
That's a list of projects Tor is involved with. It's interesting but there's no context - someone who knows they need the tool is already most of the way there. Helping people identify that the need the tool at all is the part I'm interesting in.
It's my general impression that Whonix project has been actively rebuffed. But I have no inside knowledge.
(snip)
Tails is on <https://www.torproject.org/projects/projects.html.en> but not Whonix. Why is that?
At a guess, it's because Tor is more actively involved in Tails than in Whonix. But that is just a guess. Have you asked the maintainers?
Yes, that does seem to be the case. But asking hasn't gotten me anywhere. Maybe some fly on the wall will dump some evidence ;)
Proxy bypass, maybe, but that's in there with all the other potential risks, and again, Tor can't document all of them.
Tor Project has made a huge deal over the PlayPen pwnage. Demanding that the FBI release information about its NIT. But they can't be bothered to actually explain how users could have been protected?
Very different issues, I think. I'm sure you disagree; I'm not going to debate it.
I don't disagree that they're different issues. My point is that warning users about proxy bypass takes but a few words on a website, and maybe a link. And given that it's such an easy fix, I suspect that Tor Project either doesn't want to admit the risk so clearly, or is somehow being prevented from doing so.
That's a rhetorical question - I'm sure there are pros and cons either way and it could be argued at length without conclusion. I'm not convinced Tor should be promoting either; same way I'm not convinced Tor should be promoting any specific tools. There will always be others, and they may be better suited to users depending on their circumstances.
Sure. Except that proxy bypass has been a major fail. Do you disagree?
Yes, I do. Systems get attacked, and are updated to thwart attacks. Tor does this - that is not a fail, that's the normal security dev process. Don't assume that nothing is happening - it's not like Tor is not actively researched and developed.
It's been at least five years! The relay early bug got fixed in months. Maybe devs are working on some integrated firewall or whatever. That would be cool. But Whonix isn't vulnerable, has been available for years, and gets no love. And it's not just Whonix. Other approaches that separate tor process and userland have also been largely ignored.
A few years ago, I wrote <https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me>.
Have you updated it to account for subverted VPN providers? Advising people to use VPNs which may have been subject to national security letters is arguably bad.
Which VPNs have received NSLs? Anyway, I don't assume that a particular VPN operator can be trusted any more than a particular Tor relay operator can. Just as Tor uses three-relay circuits, I recommend using nested VPN chains, with at least three different VPNs, operating in different jurisdictions. Some useful links: IVPN privacy guides: https://www.ivpn.net/privacy-guides VPN info/ratings: https://thatoneprivacysite.net/ VPN test results: https://vpntesting.info/ -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.22 (GNU/Linux) iQEcBAEBAgAGBQJXjck/AAoJEGINZVEXwuQ+2hgH/38KYdqwRmjIoz/CnfVyizHv c6c0KnouGRfxXqMfC8wuIPG5rptIx22k0fZScv+vt+1OHJts6kzol2SUPMQKRnmo f6oBS7z7MBAJR+JEJ02LfPRMihl5/FzY4CupTE+kIQlg2cPj83jnmu1Ywdg+gLpi o21YNt9RdZhYjFPwtp7/4c70f6QBnNV/lNXLapBKciXbVhw+WClhanXnbqwgXZHr C8BkPnQ6M3KruNYueAD0lb0HSDBqd1l9lQmn5arRjpKbJctCP5joOOlXOMYHmugA 0/caDabgdG76rZE9l/9nFrE2mFvPfBSNHjjaWns8YNH0U0J54G1CEfCD6wJB0R4= =AA9M -----END PGP SIGNATURE-----
On 7/19/16, Mirimir <mirimir@riseup.net> wrote:
Well, given what we know of TLA capabilities, what Tor Project says at <https://www.torproject.org/> is tantamount to false advertising:
| Anonymity Online | | Protect your privacy. Defend yourself against network surveillance | and traffic analysis. ... | Tor prevents people from learning your location or browsing habits.
I never liked those statements. I don't expect the user to know why I or we don't, that takes an investment. But at least give them a damn link right there alongside them that says "Learn about the limitations of Tor" or something similar, out to a nice open wiki page on the subject so they can start. Not just "Learn more about Tor" out to an overview containing a tiny "staying anonymous" section with no links, docs or text to further support itself. Even in there "fast enough for web browsing" is a bad qualifier. Creating concise correct current text that holds up to parsing is work, and there are degrees involved. But in a leading "privacy" and "anonymity" app with certain remarked use cases beyond surfing example.com all day, not doing so as an integrated project component is kinda unexcusable.
Cynical folk note that so far, the US and its allies are the only known global adversary. And claim that this is self-serving bullshit. ... it's becoming harder to escape the conclusion that Tor Project either doesn't want to mitigate this risk, or doesn't have the contractual freedom to do so.
Interesting to note that because former reasonably well known and accepted decades of humanitarian investment by some of these states has been reinvested into decades of things like drone strikes... it makes it harder for projects like Tor to freely make the case that their project existance and use case is even valid for human rights and so on when states are trending bashing those rights and their validity. Right of anonymity and privacy, let alone legal and technical extant versions of same, seems a very tenuous thing. And the latter especially, is not something you can just brush on a frontpage and say it exists.
participants (2)
-
grarpamp
-
Mirimir