[tor-relays] Recommendation for DUMB COMPUTING devices for Tor Relays

[Dan Michaels]

The Tor Project website recommends various security setups for people
running Tor relays.

Such as, don't run a web browser on the same machine as your Tor relay,
otherwise the browser could get hacked, and then if Tor relays are hacked,
it compromises the entire concept of Tor.

In the age of FBI mass hacking, the FBI will attempt to hack all Tor
relays, and thus, they can trace traffic throughout the entire proxy chain.

According to NSA documents, all it takes is "one page load" to infect a
browser, because they re-direct you to a fake website that hosts browser
exploits, known as QUANTUM INSERT. The FBI will use this to take over all
Tor relays that are running web browsers.

So, I have a suggestion that I would like Tor Project to recommend.

Tor Project needs to tell people.. use DUMB COMPUTING devices for running
Tor relays.

If your computer gets hacked, it can be deeply exploited in the firmware,
such as BIOS, GPU, WiFi chip, etc.

There are devices on the market, such as Raspberry Pi, or similar, which
have NO WRITABLE FIRMWARE.

This is known as being "stateless".

It does not "hold state" across reboots.

All firmware/drivers are stored on the SD card on the Raspberry Pi, and
only loaded in on boot time. No component on the entire Pi holds state.
NONE. There will likely be other similar devices.

Therefore, it is truly possible to wipe a dumb computing device completely
clean.

If you try to wipe a regular laptop or desktop, you may have all this
deeply infected firmware, such as BIOS, so you keep getting re-infected
upon startup.

Some people say, once deeply infected, it's near-impossible to clean it
out, and you should just throw away your entire laptop and start again.

Everyone running a Tor relay should be told to use a DUMB COMPUTING DEVICE.

Another advantage is that these devices are often very cheap. Raspberry Pi
is very cheap to buy. Other devices may be even cheaper.

The instructions should be as follows...

(1) Wipe your device clean, i.e. wipe clean the SD card which holds the OS
+ all firmware/drivers.

(2) Then, re-install the OS clean, install Tor, and set up the relay.

(3) Tor should be installed from the command line or from a
previously-downloaded version on USB stick. Do not install Tor using the
web browser, otherwise you could get infected.

(4) Do not run anything else on the machine, other than the Tor relay.
Using other programs, especially the web browser, could compromise the
entire machine.

And that's it.

Tor Project should send out a message telling all people running Tor relays
to follow these instructions.

Let me know what you think.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.torproject.org/pipermail/tor-relays/attachments/20161021/c35e7846/attachment.html>