On Mon, Jan 13, 2014 at 11:43 AM, Marc A. Pelletier <marc(a)uberbox.org> wrote:
On 01/13/2014 11:32 AM, Zack Weinberg wrote:
Assume a person under continual surveillance.
If they have to reveal their true IP address to Wikipedia in order to
register their editor account, the adversary will learn it as well,
and can then attribute all subsequent edits by that handle to that
person *whether or not* those edits are routed over an anonymity
network.
If you start with that assumption, then it is unreasonable to assume
that the endpoints aren't /also/ compromised or under surveillance.
Not true. Tor's threat model already includes protecting clients
against malicious exit nodes. The client endpoint can be secured by
using trusted hardware (Snowden notwithstanding, I feel relatively
comfortable assuming that attacks on the integrity of computers bought
off the shelf and never let out of one's sight since are rare and
expensive, even for nation-state adversaries) and a canned Tor-centric
client operating system executing from read-only media (e.g. Tails).
What TOR may be good at is to protect your privacy
from casual or
economic spying; in which case going to some random Internet access
point to create an account protects you adequately.
That is exactly the wrong advice to give the sort of people who want
to be able to edit Wikipedia over Tor (you should be thinking of
democracy activists in totalitarian states). Random
publicly-accessible internet access points are *more* likely to be
under aggressive surveillance, including thoroughly-bugged client OSes
which one may not supplant.
zw