-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256
firmware of RPi can be changed: https://github.com/Hexxeh/rpi-update / https://github.com/Hexxeh/rpi-firmware
next to that the official firmware of RPi is closed source. you have no idea what it does
and RPi is build by a small company in the UK, very likely that they will accept a generous offer by the FBI/NSA/USA.
solder your own shit if you want to be protected on this level.
On 10/21/2016 02:08 PM, Dan Michaels wrote:
The Tor Project website recommends various security setups for people running Tor relays.
Such as, don't run a web browser on the same machine as your Tor relay, otherwise the browser could get hacked, and then if Tor relays are hacked, it compromises the entire concept of Tor.
In the age of FBI mass hacking, the FBI will attempt to hack all Tor relays, and thus, they can trace traffic throughout the entire proxy chain.
According to NSA documents, all it takes is "one page load" to infect a browser, because they re-direct you to a fake website that hosts browser exploits, known as QUANTUM INSERT. The FBI will use this to take over all Tor relays that are running web browsers.
So, I have a suggestion that I would like Tor Project to recommend.
Tor Project needs to tell people.. use DUMB COMPUTING devices for running Tor relays.
If your computer gets hacked, it can be deeply exploited in the firmware, such as BIOS, GPU, WiFi chip, etc.
There are devices on the market, such as Raspberry Pi, or similar, which have NO WRITABLE FIRMWARE.
This is known as being "stateless".
It does not "hold state" across reboots.
All firmware/drivers are stored on the SD card on the Raspberry Pi, and only loaded in on boot time. No component on the entire Pi holds state. NONE. There will likely be other similar devices.
Therefore, it is truly possible to wipe a dumb computing device completely clean.
If you try to wipe a regular laptop or desktop, you may have all this deeply infected firmware, such as BIOS, so you keep getting re-infected upon startup.
Some people say, once deeply infected, it's near-impossible to clean it out, and you should just throw away your entire laptop and start again.
Everyone running a Tor relay should be told to use a DUMB COMPUTING DEVICE.
Another advantage is that these devices are often very cheap. Raspberry Pi is very cheap to buy. Other devices may be even cheaper.
The instructions should be as follows...
(1) Wipe your device clean, i.e. wipe clean the SD card which holds the OS + all firmware/drivers.
(2) Then, re-install the OS clean, install Tor, and set up the relay.
(3) Tor should be installed from the command line or from a previously-downloaded version on USB stick. Do not install Tor using the web browser, otherwise you could get infected.
(4) Do not run anything else on the machine, other than the Tor relay. Using other programs, especially the web browser, could compromise the entire machine.
And that's it.
Tor Project should send out a message telling all people running Tor relays to follow these instructions.
Let me know what you think.
_______________________________________________ tor-relays mailing list tor-relays@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-relays