[tor-talk] FBI cracked Tor security

Mirimir mirimir at riseup.net
Tue Jul 19 10:38:13 UTC 2016


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/19/2016 04:18 AM, Jon Tullett wrote:
> On 19 July 2016 at 12:01, Mirimir <mirimir at riseup.net> wrote:
>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>> 
>> On 07/19/2016 03:50 AM, Jon Tullett wrote:
>>> On 19 July 2016 at 08:31, Mirimir <mirimir at riseup.net> wrote:
>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>> 
>>>> On 07/18/2016 07:08 PM, Jon Tullett wrote:
>>>>> On 18 July 2016 at 16:17, Mirimir <mirimir at riseup.net>
>>>>> wrote:
>>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>>>> 
>>>>>> A few years ago, I wrote 
>>>>>> <https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me>.
>>>>> 
>>>>> Have you updated it to account for subverted VPN providers?
>>>>> Advising people to use VPNs which may have been subject to 
>>>>> national security letters is arguably bad.
>>>> 
>>>> Which VPNs have received NSLs?
>>> 
>>> I take it that's a no, then?
>> 
>> I account for it by distributing trust, just as Tor does.
> 
> But your guide does not. It doesn't even mention them. Why are you 
> concealing the truth from users?!?11

This gets at the trust issue:

| Using VPN services obscures online activity from local observers,
| and it also obscures location and identity from remote observers
| on the Internet. However, users are entirely vulnerable to
| betrayal by the VPN provider. With a second VPN service tunneled
| through the first, trust has been distributed, in that compromise
| would require collusion between the two providers.

That comes pretty close, I think. NSLs are really irrelevant in risk
assessment. Because NSL or not, you have no way to know who you can
trust. So you can't trust anyone.

> The point I'm trying to make is that you can't cover every base.
> Too often, attempts to do so just end up with unusable rambling
> essays on security which no one will read and which still fail to
> cover a lot of ground. You're accusing Tor of something that you
> yourself can't avoid. That's not a criticism - just a reflection of
> reality.

Say what you will, this is misleading:

| Tor prevents people from learning your location or browsing habits.

<SNIP>
