[tor-talk] FBI cracked Tor security
Joe Btfsplk
joebtfsplk at gmx.com
Fri Jul 15 23:46:20 UTC 2016
On 7/15/2016 12:34 AM, Jon Tullett wrote:
> On 15 July 2016 at 01:23, Joe Btfsplk <joebtfsplk at gmx.com> wrote:
>> On 7/14/2016 2:34 PM, Jon Tullett wrote:
>>
>> Thanks Jon. I agree w/ most that you said. Again, semantics. Whether they
>> cracked Tor or Tor Browser won't change if the brutal dictator has you shot
>> in the front or back of the head. :)
> Again, remember that this conversation was in the context of Freedom Hosting.
>
> Absolutely agree that the same style of investigation could (and
> probably does) happen in a more brutal political regime. Users there,
> being at greater risk, have a greater need to take further steps to
> protect themselves.
>
>
>> Unless one is using Tor w/ their own internet browsing application, an
>> exploited weakness in Tor Browser - modified Firefox - has the same effect
>> on users. They're a package deal.
> Well, no. Tor does make it clear you need to do more than just
> downloading TBB to be anonymous and secure. If you think TBB is a
> single-solution prepackaged silver bullet, you are at risk.
>
> I don't think there's any debate whether Tor should try to be such a
> silver bullet - clearly it can't and shouldn't - the question seems to
> be around whether Tor should give more clear guidance/warnings. I'm
> always in favour of that.
>
>
>> You're not really suggesting that users under hostile dictatorships or ones
>> trying to expose democratic government unconstitutional actions, take full
>> responsibility for the ongoing modifying, patching & constant reading about
>> weaknesses of Tor Browser "for their own security?"
> Yeah, I kinda am. Users in such hostile environments absolutely need
> to take more care to keep themselves secure, and not just online. If
> you are relying on any product to keep you alive, you definitely
> should be constantly reading about it.
Respectfully, you're dreaming if you think whistle blowers, political
activists or citizens under brutal regimes are *necessarily,* or even
mostly computer geeks. :)

You may be correct that only very advanced geeks or (sane) persons w/
unlimited access to one, _should_ use TBB in dangerous situations, if
they don't understand every detail about what can go wrong & how to fix
it themselves.

Very few people meet those criteria. I don't & I've been studying Tor
& TBB for yrs. People that might have interests in whistle blowing or
activism, *also* having the knowledge & ability to troubleshoot, modify
or patch TBB on an ongoing basis are almost nil. Except for those w/ no
concept of the extreme risk they're taking, that leaves very few people
to do any blowin' or activatin'. People under brutal regimes don't
need to be activists to have a real need for reliable anonymity (no
unpatched browser bugs). They just need to safely access info besides
governmental propaganda or to pass info to similar minded persons. Do
we think they're all going to be coders that can patch browsers? That's
a dream. :)

If the only people (in dangerous situations) that should use Tor / Tor
Browser are geeks, it doesn't have a very wide audience. Regardless of
whose job it is to make something like TBB "as secure as possible,"
there just aren't many people like E. Snowden w/ extreme computer talent
- to do what you're suggesting - & desire (possibly stupidity) to go
after top officials or their government.

Many of the things mentioned in "what else you need to remain anonymous"
type articles - don't use Flash, plugins, file sharing, etc., are easy.
It's all the other things that can go, or are, wrong that most people
wouldn't understand. For years, Tor devs weren't even sure how to
report TBB screen size & many other unresolved issues. I filed various
bugs on many things, but had no idea how to fix them. How can even
advanced users be expected to fix these & more problems when it
sometimes takes extremely talented Tor devs years to find solutions?
Again, a pipe dream.

The sage advice under "List of Warnings:" "Ultimately the best
protection is a social approach: the more Tor users there are near you
and the more diverse <https://www.torproject.org/about/torusers.html.en>
their interests, the less dangerous it will be that you are one of
them." L I'll B. Unless sites you're visiting or your exact ISP
server are known to have 100's of TBB users - at once, that doesn't help
much.

I'm not too sure about trusting one's life to a system based in part on
pure guesstimating how many entry & exit relays are enemy controlled.
Calculating statistical odds of being identified, based on unknown
numbers of enemy controlled nodes; the number of times & frequency entry
guards change, number of sites visited, etc. :D
>
>
>> That Tor Project is saying Tor is relatively anonymous; as for Tor Browser,
>> everyone's on their own.
> It's saying that the Tor network will help you stay anonymous, and the
> browser bundle will help facilitate that, but you also need to take
> further steps to stay anonymous and secure. I think that's realistic
> and reasonable.
>
> Also, remember there is no such thing as 100% security, and the
> incremental usability/security tradeoffs become more severe the
> further you go. Everyone has to decide for themselves where to draw
> the line - how secure they want to be and how much compromise they can
> accept. All a third party like Tor (or you and I) can do is educate.
>
> -J