Update your Tors - Tor security advisory: "relay early" traffic confirmation attack

rysiek rysiek at hackerspace.pl
Tue Aug 5 15:19:17 PDT 2014


On Monday, 4 August 2014 20:33:29 Cathal Garvey wrote:
> A less controversial reading of the (US Govt Money) >>= Tor "thing" is
> that, while the Tor devs may be doing their best, Tor is ultimately an
> asset to the US Intelligence apparatus rather than a liability. That is,
> perhaps they haven't convinced the Tor devs to insert backdoors in
> anything, but Tor remains something that helpfully concentrates
> dissidents while not overly inhibiting the government's ability to round
> them up and imprison them when needed.

Yeah, that's a legitimate worry, but one that is far from being black or white 
(as in: it's really hard to assess the net impact of such a tactic, and how 
effective it really is).

> Part of this is plausible because endpoint security; 'nuff said,
> especially as JS is enabled by default in the TBB.

I would love to see JS disabled by default (blocked via NoScript, which is 
installed by default in TBB).

> Part of this is plausible because there are plenty of NSA docs in the
> wild suggesting that while they can't anonymise everyone at once, they
> also don't feel the need to as they can usually anonymise the subset
> they care about eventually.

Thing is: even with that taken into account, Tor is of great value, as it 
actually *raises the costs* of surveillance; consider:
http://smarimccarthy.is/blog/2014/05/28/engineering-our-way-out-of-fascism/

> While the Tor devs seem to have a callous disregard for this line of
> inquiry (which in itself is worrying), to me it's a healthy thing to
> bear in mind. The bottom line is that we're dealing with a piece of
> software that purports to blind the world's biggest and most politically
> powerful surveillance state, yet receives virtually all of its funding
> from that same surveillance state.

One of the things I have learnt during the years of my brushing shoulders with 
Teh Gummint (public consultations, conferences, etc) is that a huge 
bureaucracy like a government is bound to have conflicting interests and 
fund/take conflicting actions.

Governments are not homogeneous, to say the least.

So I can see how a government can fund a tool that is useful for one of the 
departments or agencies, and which at the same time is detrimental to actions 
of some other department or agency.

There's no Huge Plan Or Conspiracy behind it. Just Hanlon's razor, if 
anything.

> Draw your own conclusions based on a weighting of (ability of
> individuals to hide traffic from the state) / (ability of the state to
> obfuscate intelligence traffic) and taking into consideration how much
> smaller the threat model is for a state apparatus with known trusted
> servers and alternative traffic routes through compromised botnets and
> embassies around the world.

Yup.

> Me, I'm more hopeful for i2p; it's just a pity that it's so oddly put
> together right now.

Care to elaborate on the "oddly put together" part?

-- 
Regards
rysiek