[tor-talk] FBI cracked Tor security
Mirimir
mirimir at riseup.net
Mon Jul 18 12:57:50 UTC 2016
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/18/2016 06:11 AM, Jon Tullett wrote:
> On 17 July 2016 at 05:11, Mirimir <mirimir at riseup.net> wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>
>> On 07/16/2016 08:21 PM, Jonathan Wilkes wrote:
>>>> I'm hardly asking for perfection. Just a little heads up for
>>>> the sheep.
>>> You're unwilling to even describe non-technical users as human
>>> beings, yet you want Tor to suggest a vastly more complex
>>> alternative for them?
>>
>> OK, they're naive and trusting. For which "sheep" is common
>> metaphor.
>>
>> Running VirtualBox and Whonix is hardly "vastly more complex".
>
> It is, you know. More complex, and probably not suitable.
More complex? Sure. But vastly so? That's debatable.
> Haroon Meer, who I greatly respect in the security space, describes
> UX complexity in terms of his mum. As in, "could my mum do this?"
> and if the answer is no, it's too complex for the average user. I
> like that.
His mum probably shouldn't be using Tor.
> Fact is, security is a spectrum. "No security consideration at all"
> is at one end of that spectrum. Tor, the TBB and the associated
> documentation, is someway further along the spectrum, Whonix is
> somewhat further still, but there's a lot more room beyond that.
> Even that's a gross oversimplification - "no browser security
> except NoScript" is more secure but less private than TBB in its
> default configuration.
I agree.
> Because of that, I don't think it's possible, much less desirable,
> to describe the entire spectrum of use-cases. And even less
> possible to actually document the toolset appropriate for every
> point.
I'm not calling for that.
> It's probably far more meaningful to help users understand that
> spectrum, self-assess where they fall on it and what their risk
> profile may look like as a result, and pointers to resources which
> would align with that.
That sounds good to me. Except that there's nothing on the Tor Project
site about Whonix, and virtually nothing about proxy-bypass leaks.
> "Just use VirtualBox and Whonix" is not meaningful advice. It's a
> great fit for a very specific subset of users, but many (I would
> guess "most") users are not in that subset, and for everyone else
> it'd just be some combination of confusing, overwhelming,
> unnecessary, or insufficient.
I'm not arguing that all Tor users should use Whonix. I'm arguing that
the Tor Project ought to mention that as an option.
> The key question to you, as someone advocating that specific
> toolset, would be: for what type of user is VirtualBox+Whonix the
> optimum solution, and how would Joe Random identify if he is that
> sort of user?
1) Specify how much ones time is worth: X USD/hr.
2) Estimate pwnage cost (lost income, legal fees, prison, etc): Y USD.
3) Divide Y by X to get time investment justified to avoid pwnage.
Anyway, what does Tor Project gain by not mentioning Whonix?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
iQEcBAEBAgAGBQJXjNJMAAoJEGINZVEXwuQ+9vsIALLJepTnQQoCqFCglOZPokIm
sWPFkvUJBPRwjOR+L5l9KpjPMZDf+qfRqIJURIjd5Gn/3BXADDbNB0wYDe+HNJNI
lTHf5cO4RnMMGxADvhfmjMNxAhG6rJytkNXwa8OC3pvbw69+yHPuLc16pDzBvquY
a/QeHuAV4kjtCA/rYoTuy6ibU8UMrn1fnk4RyyWQRF3au20/XTlAOPNwtOMO0jKR
tB/i16Phey28UL+I61aCMB0wjokXvG4LAYMYQku891QTJePesLExhnFsoT7qxJHL
MYeaGh1LVwz4ozh3kZPldWryrqSoNl0SsfqM6QnT05jAR5d+YWRGSgbBHKr4A3k=
=Tnck
-----END PGP SIGNATURE-----
More information about the tor-talk
mailing list