Uh-oh, you're part of The Cabal now, coderman!
On Mon, Feb 15, 2016 at 5:45 PM, coderman <coderman@xxxxxxxxx> wrote:
On 2/14/16, Malcolm Matalka <mmatalka@xxxxxxxxx> wrote:
Can you go into some detail on this? I was always under the impression
that the Tor code was open source and heavily audited. Is the critique
that this is not true or something else?
clarification in order.
1) government funding of Tor means they get dibs on development
priorities. censorship circumvention over dead-easy Tor Routers.
Translations in Tor Browser over endpoint-hardened solutions like
Whonix-Qubes around your Tor Browser. etc, etc. this does not imply
the Tor code itself is made vulnerable. For example, 8 hour patch on
control port vuln, and first to force disable RDRAND-sole-source in
OpenSSL. not the behavior of group at behest of NSA and IC...
2) critique of existing hardware and software in terms of strong
security against well resourced attackers. there is serious
vulnerability across the entire spectrum of technology. the assumption
that your malware laden WinXP box can run "Tor Browser" and be secure,
is laughable. we're finding more than ever that personal security,
operational security, and information security are all tied up in
complex interdependence. Tor doesn't even try to address this, because
frankly, no one has! it's the constantly evolving terrain of
specialized experts, long bought over to $Private or $Gov not Public
3) Tor made trade-offs for end-user adoption and wide applicability.
we don't have have a fancy UDP Tor with traffic analysis resistance,
and some argue such a thing can't exist. this would be great to get
funded, but even past efforts have yielded detail around how much
remains to be researched, let alone implemented in proof-of-concept.
Tor well deserves their reputation for solid development in the public
interest, and their behavior regarding serious vulnerabilities is
exceptional across industry. actions above words, and they walk the
walk. i am also glad to see their first fund raiser to diversify
sources of support haul in hundreds of thousands for use without
strings attached. more of this!