I resend this since it was deleted by greylisting.

-------- Original Message --------
Subject: Re: 25 tbreg relays in directory
Date: Wed, 01 Jul 2009 17:19:34 +0200
From: Niels Elgaard Larsen <[email protected]>
To: [email protected]
References: <[email protected]> <[email protected]>

Jim McClanahan wrote:
> Scott Bennett wrote:
>
>> Ouch. This provides another example in support of having a way
>> for the directory authorities to render insecure versions ...
>> and only usable as clients to connect to the tor project's web site to
>> download a current version of tor.
>
> This kind of thinking baffles me. It seems diametrically opposed to the
> notion of free software. I could understand if the outdated client was
> endangering the Tor network (which was discussed in the portion of the
> comment I skipped over with the ellipsis). And I would have no problem
> with a friendly advisory as long as it wasn't incessant nagware that
> couldn't be disabled.

I agree. And I object to assuming that someone running an old version is necessarily uninformed.

There can be circumstances where a user has to choose between an old TOR client or no anonymity at all, or even no internet.

E.g. we do try to make up-to-date versions of the Polippix CD. But someone may be stuck in a hotel room somewhere, wanting to be anonymous and remembering putting a Polippix CD in the suitcase years ago, or a USB stick with TBB.

Yes, it is possible to upgrade TOR through TOR given a lot of time and RAM, but then again we do not know if there is enough time and RAM.

I run a TOR access point. Users have no way of upgrading TOR on it. They probably do not even know that they are using TOR. If I fail to upgrade the access point and we lock it out, the users lose the internet connection. And the users are not that anonymous anyway. The wireless traffic is not through TOR.

> But I don't understand the desire to dictate to
> people or some nanny viewpoint of trying to save people from
> themselves. (Before somebody makes an argument of keeping the Internet
> free of compromised machines, I rather imagine the number of machines
> compromised because of Tor software would be lost in the statistical
> noise of all the other ways machines get compromised. And I don't think
> the unsavory purpose these "tbreg" instances are put to is a relevant
> factor.)

Why should a client even provide its version? (of the code, not versions of protocols it understands). If someone ships 100000 CDs/USB keys to e.g. Iran they will all have the same version, which in a year could be almost unique. You can already track IP numbers to e.g. Iran, but why make it easy to detect when e.g. a new shipment arrives or how people move around.

--
Niels

