[tor-talk] Metrics in Iran and other countries

Joe Btfsplk joebtfsplk at gmx.com
Sat Sep 10 05:11:05 UTC 2016


On 9/7/2016 9:40 PM, Mirimir wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 09/07/2016 11:05 AM, Joe Btfsplk wrote:
>
> <SNIP>
>
>
>> #4  The Tor Project is pretty clear that Tor Browser by itself is
>> probably not enough to provide reasonably reliable anonymity.
>>
> Tor Project doesn't make that clear enough, in my opinion.
True.  I said they make it clear that Tor Browser probably isn't enough 
- especially against powerful adversaries.  I didn't say they explain in 
logical order, what else is required.
Possibly the instructions to make it as anonymous as humanly possible are 
reserved for the people that mostly pay for it.
> Putting tor daemon and userland in separate VMs would have prevented
> user compromise. Whonix does that, but there's no mention of Whonix on
> Tor Project's site. If you dig around there, you can find old stuff
> about the TorBOX project, which Whonix developed from. I have no clue
> why Tor Project refuses to even mention Whonix. It's very strange.
It's not that surprising since Whonix isn't part of Tor Project. They do 
mention it in blogs.  But, they mention NoScript, depend on its 
functionality - and it's not connected with Tor Project.  Lots of things 
they don't mention.
From minimal knowledge, Whonix allows Tor to retain entry guard 
selection across sessions.
But could allow certain things to remain in the OS between sessions that 
theoretically could identify them.  Probably very low risk compared to 
other OSes, considering benefits gained.  Still, Tails & Whonix have 
very small staffs and tiny budgets compared to OS X, mobile OSes or most 
Linux distros.  If it was a life or death situation, it'd be hard to trust 
Tails or Whonix completely.

Where Tails is amnesic across sessions, but loses the entry guard. They 
do discuss Tails quite a bit.
I'm not sure about any network that depends almost totally on unknown 
relay operators & no way to check the operators out.  As if any 
government couldn't plant agents as relay operators, that could pass the 
most rigorous, face to face interview, interrogation or background check 
by Tor Project.

Since it's supposedly common knowledge the US Navy or military still uses 
the network, seems like it'd be very risky for them unless they were 
*positive* that their enemies - or group - aren't running a substantial 
number of entry and exit nodes.

One theoretical way they could be sure that aspect is not a huge risk 
is, if they're positive US agencies are running a substantial number of 
the relays.  Otherwise, aren't they taking as big a chance as average 
users?  Leaving things to chance doesn't sound like modern military 
tactics of super powers.  I'm sure I missed something.
