Scott Bennett:
Alison Macrina <alison@torproject.org> wrote:
Scott Bennett> If he discovers that neither his campus library nor the university as a whole is already officially running at least one relay, this may be a better way to teach them. If, rather than going for a relay, which is quite likely to scare them until they understand more and better about tor, AJ were instead to campaign to get the library to install the tor browser bundle onto its publicly available computers, that alone would be a terrific coup and might engender a great deal of student support for tor on campus over time. (The library would, of course, need to find a way to lock down the settings of the installed bundle, so that it couldn't be turned into a relay by users, but that should not be difficult to do.) If he succeeded in getting the tor browser bundle added to the library's most likely tightly limited list of applications available on its public machines, he could then wait a while to see what the staff members thought of it. If they decided after watching it in use for a while that it was a good thing to have made available to their users, you might then approach another department that operates a student computer lab to try to get TBB installed there. If the library employees liked it, they might give the prospective department a positive recommendation. If AJ played it right and it usually turned out well, he might eventually cover much of the campus with TBB installations. In any case, getting the TBB installed would educate far more people about anonymity and privacy issues than merely getting a relay installed that most people would never be aware of.
This is a great idea, and the slides I shared in my last email could help get this conversation started (the slides cover Tor Browser as well as relays and other Tor stuff). If AJ is interested I can connect him with other libraries I've worked with that have installed Tor Browser on all of their public computers.
I, for one, am very happy to know that Alison and her organization are making those materials available. They have the potential to assist many people like AJ in making the public more aware of the issues and of the tools available to help it protect/recover its privacy and anonymity.
Thanks!
Alison, do you also have materials on using HTTPS where available instead of HTTP? The dangers inherent in allowing Java or JavaScript to be enabled in one's web browser? Cookies? Tools like the HTTPS Everywhere and NoScript plug-ins for Firefox?
Yes, I do a basic training which includes HTTPS, cookies, software updates, passwords, and the like. It's both to educate the librarians into better practices and to help them teach classes to their patrons.
The reasons for avoiding the use of telnet clients and which tools to use instead for remote logins? If not, they would make great additions, particularly pages that explain how to convince librarians about these matters?
Typically I don't cover remote login security because it's not something that most librarians have a direct need for, and there's so much else to cover.
Let me give an example. I have for at least ten years asked my local public library to provide a) a secure shell client, b) a secure web browser for ordinary use where anonymity is not a concern, c) a secure FTP client, and d) the TBB for use by those who desire anonymity. They have always refused to budge. They run an unsecurable OS on their public computers. They provide only Internet Explorer for web access. I'm unsure whether they still allow any FTP access at all. As you can imagine, they have severely limited the usefulness of their computers to the library patrons they claim to serve. I could not, for example, submit my on-line application to renew my flight instructor certificate via the library's computers.
Sadly, the situation you describe is fairly common in libraries. I have had a lot of success helping many libraries make significant changes, but it takes a lot of work building the relationship and convincing their stakeholders that these things are important. I am a former librarian too, and so I think they are more likely to listen to me.
That said, my organization has trained thousands of librarians on privacy and security issues, and thanks to our work you'll now find Tor discussed at major (and minor) library conferences, Tor Browser on public computers, libraries teaching privacy classes to their patrons, and the like. So I think things are improving.
They have refused to let me speak with those making the decisions about what is provided on their public computers, much less to make an organized presentation to them. I was told that the decisions about software on the computers are made by the library board, not even by the IT staff. What is a good approach to get better results? I am at a loss as to how to get the library to emerge from the stone age into the age of the Cheka, much less that of the NSA, FSB, search engine profilers, botnets, packet sniffers, spyware, etc.
Public library board meetings are required to be open for public comment. You should go to the board meeting and give them a presentation about the abysmal state of their computers. Feel free to give them an introduction to Library Freedom Project: https://libraryfreedomproject.org/wp-content/uploads/2015/03/join-LFP.pdf
Disclaimer: I confess that I have no idea how prevalent my public library's attitudes and policies are among public libraries in the U.S. today, so I can't make any claims about widespread need for the sort of materials I'm asking about.
Scott Bennett, Comm. ASMELG, CFIAG
Internet: bennett at sdf.org *xor* bennett at freeshell.org
"A well regulated and disciplined militia, is at all times a good objection to the introduction of that bane of all free governments -- a standing army."
-- Gov. John Hancock, New York Journal, 28 January 1790
tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays