[tor-talk] FBI cracked Tor security

Mirimir mirimir at riseup.net
Tue Jul 19 07:30:37 UTC 2016


On 07/19/2016 12:02 AM, grarpamp wrote:
> On 7/18/16, Mirimir <mirimir at riseup.net> wrote:
>> Anyway, what does Tor Project gain by not mentioning Whonix?
> 
> That's a bit sideways, but in the interest of sideways eventually
> moving forward...

I'd say "meta" rather than "sideways", but hey ;)

> 1) Funding of sorts, which spreads around, to develop TBB, a
> sizable project, to do decent things a browser should do,
> hopefully feeding back to Mozilla. Were certain elements of
> security left uninvestigated and just punted to Whonix+FF, well
> that's an incomplete partial approach too. If you want funds, you
> might not want to publish other partial solutions.

Well, Whonix uses stock Tor browser, with a tweak to keep it from
launching its own local tor process. It also enforces stream
separation for other apps. But the key thing here is that it prevents
proxy bypass.

> Securing the browser and browser meta is a fine project. And as has
> been said, it's still needed to pair the app with defense in depth
> and a known line around application land. Just remember TBB and Tor
> are not and cannot be that line.

Yes, they are for sure not that line. So why not acknowledge that?

Maybe key funders have said no to that.

> 2) Captured audience dependency. As with publishing, this is
> corporate 101. Giving someone an app is well... welcome to apps,
> and a torbox to run them on. Like iTunes on iPhone.

Right. For most, Tor browser on Windows. Pwnage waiting to happen.

But why does Tor Project care about captured audience dependency?
People using Whonix, like people using Tails, are still using Tor. And
still using stock Tor browser.

Maybe goals of key funders are driving this. Deliver lots of Tor
relays and users to hide our agents. But make sure that users can't
hide from our TLAs. That's what language in Graham's appropriations
bill says. Maybe that's been the backroom deal for years, and Tor
Project has been pushing back. One does get that sense from the leaked
IRC logs.

> Giving someone unix is like airdropping a great big box of freedom
> their way. Here, have some free beer...
> 
> https://www.freebsd.org/ https://www.openbsd.org/
> https://torbsd.github.io/
> 
> Or whatever it is penguins drink... https://www.whonix.org/
> https://www.whonix.org/wiki/Qubes https://www.qubes-os.org/
> 
> Or a fine Javanese app... https://geti2p.net/
> 
> 3) Like I said, the real reason is probably a bit more mundane...
> nobody signed on to update the content. Tor has money, go hire
> yourself.

I doubt that they hire anons :(

But damn, I'd do it for free, if they let me :)
