On Tue, Aug 6, 2013 at 10:19 PM, Andy Isaacson <[email protected]> wrote:
> We have to move past the "bug the user again" model of security system
> deployment.

In the general sense, yes. Silent automatic updates are a truly good thing in many use cases and environments.

However, in the case where the user has an explicitly more detailed threat model - the sort of case where Tor may be an important component of the overall infrastructure - requiring said user to exercise some situational awareness is de rigueur. Tor itself recognizes this principle quite clearly on its download page:

"Want Tor to really work? You need to change some of your habits, as some things won't work exactly as you are used to."

This is proper and correct, because use cases that involve using Tor as more than just a poor man's VPN[0] require correspondingly greater thought and practice of solid operational security principles. This means, yes, taking active steps to safeguard your browser, from patching to not using JavaScript to thinking about when and what you write.

I don't want to delve too far into victim-blaming here, but it's clear that users caught by this *particular* operation were relatively low-hanging fruit.

--
@kylemaxwell
--
Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
