From Nathan Suchy, September 07, 2013 4:20 PM UTC:
> You can check the source code. No back doors. Plus people at the FBI have
> used it for anonymity...

A back door is not always easy to spot. Especially for people who are not experts in all the technologies involved. And Tor, and the technologies it depends on, are not fault-proof, as we know. So any fault could be declared a backdoor if assumed intentional.

...

> On Sep 6, 2013 8:14 PM, <[email protected]> wrote:
>
>> http://www.washingtonpost.com/blogs/the-switch/wp/2013/09/06/the-feds-pays-for-60-percent-of-tors-development-can-users-trust-it/

Tor funding is always an interesting point, no doubt.

If you use the official binaries, certainly, even checking the hashes, and you personally review and understand the code, you have to trust that the people compiling the code used unmodified open source code (if the exact compile process they are using is documented, this could be verified independently). Keeping it open source offers a level of security, but still requires actual scrutiny, esp. now that we know just how much the Feds are interested in decrypting traffic and focusing attention on those who encrypt their traffic. Trust is involved.

Speaking of which, do we have bios of all Tor contributors, esp. those that authorize code changes and those that compile code? Do we have public ongoing accounting of who gets paid how much and for what?

Redundant compilations by parties we could consider independent, if they are identical, could provide a check on that. Linux distribution binaries are another question.

If security is of great import, you need to have a chain of trust, careful custody, and secure transfer of source code and binaries all around. And of course install it on a secure system that doesn't already have some kind of backdoors.

Does Tor automatically validate its executable upon running and refuse to start if modified? That would be a good feature. Not sure of the most secure way to implement such a feature, but I know some software already does that.

I have no conspiracy, but I do think transparency is really important, as we can see from this article and the list poster who posed a very reasonable public interest question, even for public relations and Tor's ability to increase userbase and trust. Tor has the option of refusing funding from any government entity, but obviously, literally at a cost.

And thank you very much to those working hard for great ideals on this project.

Asa Rossoff

-- I signed this message with an X.509 certificate ... hahha hahaha ha!

--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
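The redundant-compilation check the message proposes, as an added example that is not part of the original post and not the Tor Project's own tooling: the script parses sha256sum-style digest manifests published by independent builders, reports any artifact whose digests differ between builders or that too few builders vouch for, and accepts a downloaded file only when every builder that published it agrees on its digest. The builder names, file names and manifests are constructed sample data; the digests are the real SHA-256 values of the short constructed inputs used in the usage lines.

```python
"""Cross-check independently built artifacts by comparing published digests.

Added example, not Tor Project code. Assumes each independent builder
publishes a sha256sum-style manifest ("<hex digest>  <filename>" per line).
All builder names, file names and manifests below are constructed sample data.
"""
import hashlib
from collections import defaultdict

# Constructed manifests from three hypothetical builders. "helper.bin" is
# where builder-c's output differs; "readme.txt" is published by only one.
MANIFESTS = {
    "builder-a": (
        "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  example-bundle.tar.xz\n"
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad  helper.bin\n"
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  readme.txt\n"
    ),
    "builder-b": (
        "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824 *example-bundle.tar.xz\n"
        "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad *helper.bin\n"
    ),
    "builder-c": (
        "# built on a separate machine\n"
        "2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824  example-bundle.tar.xz\n"
        "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  helper.bin\n"
    ),
}

HEX = set("0123456789abcdef")


def parse_manifest(text):
    """Parse sha256sum output into {filename: lowercase hex digest}."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        digest, sep, name = line.partition(" ")
        digest = digest.lower()
        # sha256sum writes "digest  name" (text mode) or "digest *name" (binary)
        name = name.lstrip(" *").strip()
        if not sep or len(digest) != 64 or set(digest) - HEX or not name:
            raise ValueError(f"malformed manifest line: {raw!r}")
        entries[name] = digest
    return entries


def cross_check(manifests):
    """Return {filename: {digest: [builders that published that digest]}}."""
    seen = defaultdict(lambda: defaultdict(list))
    for builder, text in manifests.items():
        for name, digest in parse_manifest(text).items():
            seen[name][digest].append(builder)
    return {n: {d: sorted(b) for d, b in by.items()} for n, by in seen.items()}


def disagreements(manifests, min_builders=2):
    """Files that cannot be trusted: builders disagree, or too few vouch.

    Returns {filename: ("mismatch" | "insufficient", detail)}.
    """
    problems = {}
    for name, by_digest in cross_check(manifests).items():
        if len(by_digest) > 1:
            problems[name] = ("mismatch", {d[:12]: b for d, b in by_digest.items()})
        else:
            (builders,) = by_digest.values()
            if len(builders) < min_builders:
                problems[name] = ("insufficient", builders)
    return problems


def verify_download(data, filename, manifests, min_builders=2):
    """Accept an artifact only if its SHA-256 equals the single digest that all
    publishing builders agree on, with at least min_builders vouching.
    Any disagreement between builders rejects the file outright."""
    if filename in disagreements(manifests, min_builders):
        return False
    by_digest = cross_check(manifests).get(filename)
    if not by_digest:
        return False  # no builder published a digest under this name
    (expected,) = by_digest.keys()
    return hashlib.sha256(data).hexdigest() == expected


if __name__ == "__main__":
    for name, (kind, detail) in sorted(disagreements(MANIFESTS).items()):
        print(f"{name}: {kind} {detail}")
    # b"hello" stands in for the downloaded bundle's bytes (constructed input)
    print("example-bundle.tar.xz accepted:",
          verify_download(b"hello", "example-bundle.tar.xz", MANIFESTS))
```

Rejecting on any disagreement, rather than taking a majority vote, is the deliberate choice here: the message's point is that one differing build is itself the signal worth investigating, whether the cause is a non-deterministic build step or a modified source tree. Raising min_builders tightens how many independent parties must agree before a digest counts.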
