[tor-talk] FBI cracked Tor security

Jon Tullett jon.tullett at gmail.com
Tue Jul 19 01:08:18 UTC 2016


On 18 July 2016 at 16:17, Mirimir <mirimir at riseup.net> wrote:
> On 07/18/2016 07:33 AM, Jon Tullett wrote:
>> On 18 July 2016 at 14:57, Mirimir <mirimir at riseup.net> wrote:
>>> On 07/18/2016 06:11 AM, Jon Tullett wrote:
>>>
>>>> Haroon Meer, who I greatly respect in the security space,
>>>> describes UX complexity in terms of his mum. As in, "could my
>>>> mum do this?" and if the answer is no, it's too complex for the
>>>> average user. I like that.
>>>
>>> His mum probably shouldn't be using Tor.
>>
>> Why not? Are you able to say with certainty that they are not at
>> risk and shouldn't be using Tor? Sounds like a risky assumption.
>> Not that it's applicable here, but activists' families are not
>> uncommonly at high risk. I'd caution against assuming you know
>> someone's risk profile better than they do. And that, in a
>> nutshell, is why I don't think Tor should be making such an
>> assumption in its recommendations to users in general.
>
> Giving clueless folk an illusion of safety is arguably bad.

Now you're back to "sheep". Don't assume that "technically
inexperienced" equates to "clueless".

Security theatre is generally not positive, but again, security is
never absolute and you will always be able to find an argument for
doing more, and someone who will argue that failing to do so is, yes,
arguably bad. Everyone has to draw the line somewhere. Tor has done
so.

We're going in circles on this now, so this will be my last repetition
of that particular argument. As I've said, I think we agree there's
room for better education, but just differ on details.


>>>> It's probably far more meaningful to help users understand
>>>> that spectrum, self-assess where they fall on it and what their
>>>> risk profile may look like as a result, and pointers to
>>>> resources which would align with that.
>>>
>>> That sounds good to me. Except that there's nothing on the Tor
>>> Project site about Whonix, and virtually nothing about
>>> proxy-bypass leaks.
>>
>> Why should there be mention of Whonix? It's an independent
>> project.
>
> What about <https://www.torproject.org/projects/projects.html.en>?

That's a list of projects Tor is involved with. It's interesting but
there's no context - someone who knows they need the tool is already
most of the way there. Helping people identify that they need the tool
at all is the part I'm interested in.


(snip)
> Tails is on <https://www.torproject.org/projects/projects.html.en> but
> not Whonix. Why is that?

At a guess, it's because Tor is more actively involved in Tails than
in Whonix. But that is just a guess. Have you asked the maintainers?



>> Proxy bypass, maybe, but that's in there with all the other
>> potential risks, and again, Tor can't document all of them.
>
> Tor Project has made a huge deal over the PlayPen pwnage. Demanding
> that the FBI release information about its NIT. But they can't be
> bothered to actually explain how users could have been protected?

Very different issues, I think. I'm sure you disagree; I'm not going
to debate it.


>> That's a rhetorical question - I'm sure there are pros and cons
>> either way and it could be argued at length without conclusion. I'm
>> not convinced Tor should be promoting either; same way I'm not
>> convinced Tor should be promoting any specific tools. There will
>> always be others, and they may be better suited to users depending
>> on their circumstances.
>
> Sure. Except that proxy bypass has been a major fail. Do you disagree?

Yes, I do. Systems get attacked, and are updated to thwart attacks.
Tor does this - that is not a fail, that's the normal security dev
process. Don't assume that nothing is happening - it's not like Tor is
not actively researched and developed.


> A few years ago, I wrote
> <https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me>.

Have you updated it to account for subverted VPN providers? Advising
people to use VPNs which may have been subject to national security
letters is arguably bad.

-J

