[tor-talk] WSJ- Google- Sonic Mr. Applebaum

Jeroen Massar jeroen at unfix.org
Tue Oct 11 15:07:32 UTC 2011 

On 2011-10-11 16:42 , Eugen Leitl wrote:
> On Tue, Oct 11, 2011 at 12:48:53PM +0100, Julian Yon wrote:
> 
>> I think you missed the point Jeroen was making there. If Mallory
>> *really* wants to compromise your server, there will be a level of
>> security beyond which a gun to your children's heads is the most
> 
> I think he missed my point: there is a wide spread in threat
> scenarios and capabilities.

We actually fully agree with that and it is also what I am writing.

Though with the added point that the deeper you dig yourself in, the
quicker your adversary might just use the mighty rubber hose technique
instead to get to your so dearly protected secrets, depends all on your
adversary of course and how valuable that data is for them and you.

> What we care most is preventing
> easy, undetectable and hence scalable information vacuuming 
> by way of forcing cloud operators to provide convenient access 
> APIs. This is what dominates the volume.

Thus your threat model involves not trusting any service where software
is running of an external organization.

Though as stated before, I do really hope you verify 100% of your code,
including the compiler, not forgetting about the microcode in CPUs

According to the above statement having a box in a co-lo thus is mostly
fine unless you don't trust the hardware that is.

Why are you then arguing for live video streams and glueing everything
tight?

Then again, if you think you need to do all of that, go ahead.

> None such are available at the co-lo hosting own hardware or
> freedom boxes on home broadband. Sure Shabak ninjas could 
> abseil through the skylights, garotte the cat and compromise 
> my NIC, but if I'm worried about these I shouldn't be relying 
> on Tor, anyway.

Speaking of that NIC, ever wondered how much code runs inside that PHY
in there? :) *wink*

>> cost-effective attack. In most people's threat models, they'd rather
>> take their chances with compromised data than with their kids' lives. In
>> such a model, making the server too secure can itself be a risk.
> 
> This is not the threat model we're looking for. Move along.

Of course that is not the one you or anyone else wants as it will
inflict personal injury. Fortunately it tends to be the last resort and
you must have pissed off the adversary first before they take this step.

Greets,
 Jeroen

More information about the tor-talk mailing list