[tor-talk] FBI cracked Tor security

Tempest tempest at bitmessage.ch
Tue Jul 19 13:24:00 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Jon Tullett:
> It is, you know. More complex, and probably not suitable.
> 
> Haroon Meer, who I greatly respect in the security space, describes
> UX complexity in terms of his mum. As in, "could my mum do this?"
> and if the answer is no, it's too complex for the average user. I
> like that.

while i'm entirely sympathetic to the "ease of use argument, i'd also
like to see setups like whonix mentioned. perhaps i'll give it a try
myself. for basic threat scenarios, it should be able to do a
comparison table on a web pageof what tor based tools are out there
and may be more desirable than just the browser (tails, whonix,
qubes+whonix, etc.).

as for the point about the mum, there is a long guide up at
http://yuxv6qujajqvmypv.onion that walks more novice/unexperienced
users towards a process of installing debian and whonix. it is
certainly not a "fast" process and is more complex than tbb alone.
However, if one's mum is willing to invest the time, they'll more than
likely install the system successfully.

> Because of that, I don't think it's possible, much less desirable,
> to describe the entire spectrum of use-cases. And even less
> possible to actually document the toolset appropriate for every
> point.

it doesn't have to be "all of them." but a few more details based on
experiences common enough to have been regularly covered by the media
certainly would not hurt.

> The key question to you, as someone advocating that specific
> toolset, would be: for what type of user is VirtualBox+Whonix the
> optimum solution, and how would Joe Random identify if he is that
> sort of user?

fairly simple actually. it's for anonymity focussed users who want to
add extra layers of protection against ip leaks while moderately
shrinking the attack surface for a persistent malware infection (if
configured correctly).  if one is simply using the browser to get
around a firewall and doesn't need the anonymity, probably not needed.

- -- 
gpg key - 0x2A49578A7291BB34
fingerprint - 63C4 E106 AC6A 5F2F DDB2 3840 2A49 578A 7291 BB34
-----BEGIN PGP SIGNATURE-----

iQJ8BAEBCgBmBQJXjin7XxSAAAAAAC4AKGlzc3Vlci1mcHJAbm90YXRpb25zLm9w
ZW5wZ3AuZmlmdGhob3JzZW1hbi5uZXQ2M0M0RTEwNkFDNkE1RjJGRERCMjM4NDAy
QTQ5NTc4QTcyOTFCQjM0AAoJECpJV4pykbs0l8UP/j3hVqE8QJNQ9SVd8wy0A2tn
t9901tKBxQU9UMqpiNYvLILxCAKNWXFK7qOLayGjrAWshUtkmgRSItqf5wXqV00O
vNzj60M9d08wOfXidbc68tXFU6HRYxNcqKU8ihRQeJQPsQKur/GtnB1NmeLJQ/iS
dy31u+IMtKxx5P/O5Jd8ImAWRXX4HPB+Zf0LQYp2TIOxs43DtrTE/FIpU9W3/SnT
bLKfwurT4cbQKdnbDqPzWEiZsPhf8S+3/5Oje4SAKs3ijpnAq5U3ndoES1cDReoP
Xy1YfUY//tpWncdyY/q1hmG6Yt+FOgAiVAsXI12HcMclKekdMJO8WwEraWKzm+Kt
YCI9SgcLy/8nFkKZSL2vAhwX3aoZ7sy2sgvE+v+8+QGMafG9AZBma3+lkv+oRhSh
3xEQWuqO4mqo86SCRGxEgov8JbUsgluE6ZBAaHY1XihzO/eBtDCL+1hdJspdWite
7qHua6CqfbI+sWmlvX04Pm1li3Xlfe7q7oewHWGnU5d0DK9srhXIXHXjkAXSNzwe
VOiosp0PZWAOAyKZF7rjC6XEnqhy0LuDO41MQWznOFw8ZZBl4TNiNni92qvVmqmp
KGwDZFZ3DbqDE+EBh2qSJTKV1/RF4Al/h1dZU5dFytc5HOUBfFRGzRYf0yITB8kg
RtpQ7/Fn5fV3N3/xYd2y
=BmJ7
-----END PGP SIGNATURE-----



More information about the tor-talk mailing list