[tor-talk] FBI cracked Tor security

Jon Tullett jon.tullett at gmail.com
Mon Jul 18 12:11:34 UTC 2016


On 17 July 2016 at 05:11, Mirimir <mirimir at riseup.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/16/2016 08:21 PM, Jonathan Wilkes wrote:
>>> I'm hardly asking for perfection. Just a little heads up for the
>>> sheep.
>> You're unwilling to even describe non-technical users as human
>> beings, yet you want Tor to suggest a vastly more complex
>> alternative for them?
>
> OK, they're naive and trusting. For which "sheep" is a common metaphor.
>
> Running VirtualBox and Whonix is hardly "vastly more complex".

It is, you know. More complex, and probably not suitable.

Haroon Meer, who I greatly respect in the security space, describes UX
complexity in terms of his mum. As in, "could my mum do this?" and if
the answer is no, it's too complex for the average user. I like that.

Fact is, security is a spectrum. "No security consideration at all" is
at one end of that spectrum. Tor, the TBB and the associated
documentation are some way further along the spectrum; Whonix is
somewhat further still, but there's a lot more room beyond that. Even
that's a gross oversimplification - "no browser security except
NoScript" is more secure but less private than TBB in its default
configuration.

Because of that, I don't think it's possible, much less desirable, to
describe the entire spectrum of use-cases. And even less possible to
actually document the toolset appropriate for every point. It's
probably far more meaningful to help users understand that spectrum,
self-assess where they fall on it and what their risk profile may look
like as a result, and give them pointers to resources which would
align with that.

"Just use VirtualBox and Whonix" is not meaningful advice. It's a
great fit for a very specific subset of users, but many (I would guess
"most") users are not in that subset, and for everyone else it'd just
be some combination of confusing, overwhelming, unnecessary, or
insufficient.

The key question to you, as someone advocating that specific toolset,
would be: for what type of user is VirtualBox+Whonix the optimum
solution, and how would Joe Random identify if he is that sort of
user?

-J
