On 19 July 2016 at 12:01, Mirimir <[email protected]> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> On 07/19/2016 03:50 AM, Jon Tullett wrote:
>> On 19 July 2016 at 08:31, Mirimir <[email protected]> wrote:
>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>
>>> On 07/18/2016 07:08 PM, Jon Tullett wrote:
>>>> On 18 July 2016 at 16:17, Mirimir <[email protected]> wrote:
>>>>> -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1
>>>>>
>>>>> A few years ago, I wrote
>>>>> <https://www.ivpn.net/privacy-guides/will-a-vpn-protect-me>.
>>>>
>>>> Have you updated it to account for subverted VPN providers?
>>>> Advising people to use VPNs which may have been subject to
>>>> national security letters is arguably bad.
>>>
>>> Which VPNs have received NSLs?
>>
>> I take it that's a no, then?
>
> I account for it by distributing trust, just as Tor does.

But your guide does not. It doesn't even mention them. Why are you concealing the truth from users?!?11

The point I'm trying to make is that you can't cover every base. Too often, attempts to do so just end up with unusable rambling essays on security which no one will read and which still fail to cover a lot of ground. You're accusing Tor of something that you yourself can't avoid. That's not a criticism - just a reflection of reality.

>> Point being, not only do we now know which operators have received
>> letters, we _can't_ know. The first rule of NSL club is you don't
>> talk about NSL club. I have yet to see much evidence that warrant
>> canaries help. And that's not the only risk; operators can be
>> coerced, hacked, suborned, or otherwise compromised. Belgacom, for
>> example.
>
> What Tor relays have received NSLs?

Which part of "we can't know" wasn't clear? We don't know - can't know - which relays are compromised, but we have to assume that at least some are (MIT et al). Ditto for exit nodes.

Again, don't fixate on NSLs. That's one form of compromise but there are many more. The only safe assumption is that the environment is hostile - just how hostile and what is a reasonable response will vary from one user to the next.

>> We mitigate that by layering services, but that's back to the
>> question of how complex an environment suits your risk profile. Not
>> everyone has the same nut; not everyone needs the same size
>> hammer.
>
> The NSA is a pretty big nutcracker ;)

The threat of the NSA is not evenly spread, and does not warrant identical countermeasures. Some people aren't concerned at all. Some are concerned about privacy in a theoretical way and use Tor because they have a vague sense that it's messing with The Man. Some are active targets and know they need to substantially strengthen their opsec, and will use Tor as part of a much broader toolset.
Different strokes for different folks, and the advice I'd give them would be very different in each case.

-J
