On Mon, Jan 13, 2014 at 11:43 AM, Marc A. Pelletier marc@uberbox.org wrote:
On 01/13/2014 11:32 AM, Zack Weinberg wrote:
Assume a person under continual surveillance. If they have to reveal their true IP address to Wikipedia in order to register their editor account, the adversary will learn it as well, and can then attribute all subsequent edits by that handle to that person *whether or not* those edits are routed over an anonymity network.
If you start with that assumption, then it is unreasonable to assume that the endpoints aren't /also/ compromised or under surveillance.
Not true. Tor's threat model already includes protecting clients against malicious exit nodes. The client endpoint can be secured by using trusted hardware (Snowden notwithstanding, I feel relatively comfortable assuming that attacks on the integrity of computers bought off the shelf and never let out of one's sight since are rare and expensive, even for nation-state adversaries) and a canned Tor-centric client operating system executing from read-only media (e.g. Tails).
What TOR may be good at is to protect your privacy from casual or economic spying; in which case going to some random Internet access point to create an account protects you adequately.
That is exactly the wrong advice to give the sort of people who want to be able to edit Wikipedia over Tor (you should be thinking of democracy activists in totalitarian states). Random publicly-accessible internet access points are *more* likely to be under aggressive surveillance, including thoroughly-bugged client OSes which one may not supplant.
zw