[tor-relays] Recommendation for DUMB COMPUTING devices for Tor Relays

Tristan supersluether at gmail.com
Fri Oct 21 12:15:31 UTC 2016


Wouldn't it just be easier to use Tails?

On Oct 21, 2016 7:08 AM, "Dan Michaels" <danmichaels8876 at gmail.com> wrote:

> The Tor Project website recommends various security setups for people
> running Tor relays.
>
> Such as, don't run a web browser on the same machine as your Tor relay,
> otherwise the browser could get hacked, and then if Tor relays are hacked,
> it compromises the entire concept of Tor.
>
> In the age of FBI mass hacking, the FBI will attempt to hack all Tor
> relays, and thus, they can trace traffic throughout the entire proxy chain.
>
> According to NSA documents, all it takes is "one page load" to infect a
> browser, because they re-direct you to a fake website that hosts browser
> exploits, known as QUANTUM INSERT. The FBI will use this to take over all
> Tor relays that are running web browsers.
>
> So, I have a suggestion that I would like Tor Project to recommend.
>
> Tor Project needs to tell people... use DUMB COMPUTING devices for running
> Tor relays.
>
> If your computer gets hacked, it can be deeply exploited in the firmware,
> such as BIOS, GPU, WiFi chip, etc.
>
> There are devices on the market, such as Raspberry Pi, or similar, which
> have NO WRITABLE FIRMWARE.
>
> This is known as being "stateless".
>
> It does not "hold state" across reboots.
>
> All firmware/drivers are stored on the SD card on the Raspberry Pi, and
> only loaded in on boot time. No component on the entire Pi holds state.
> NONE. There will likely be other similar devices.
>
> Therefore, it is truly possible to wipe a dumb computing device completely
> clean.
>
> If you try to wipe a regular laptop or desktop, you may have all this
> deeply infected firmware, such as BIOS, so you keep getting re-infected
> upon startup.
>
> Some people say, once deeply infected, it's near-impossible to clean it
> out, and you should just throw away your entire laptop and start again.
>
> Everyone running a Tor relay should be told to use a DUMB COMPUTING DEVICE.
>
> Another advantage is that these devices are often very cheap. Raspberry Pi
> is very cheap to buy. Other devices may be even cheaper.
>
> The instructions should be as follows...
>
> (1) Wipe your device clean, i.e. wipe clean the SD card which holds the OS
> + all firmware/drivers.
>
> (2) Then, re-install the OS clean, install Tor, and set up the relay.
>
> (3) Tor should be installed from the command line or from a
> previously-downloaded version on USB stick. Do not install Tor using the
> web browser, otherwise you could get infected.
>
> (4) Do not run anything else on the machine, other than the Tor relay.
> Using other programs, especially the web browser, could compromise the
> entire machine.
>
> And that's it.
>
> Tor Project should send out a message telling all people running Tor
> relays to follow these instructions.
>
> Let me know what you think.