On 07/18/2016 06:11 AM, Jon Tullett wrote:
> On 17 July 2016 at 05:11, Mirimir <miri...@riseup.net> wrote:
>> On 07/16/2016 08:21 PM, Jonathan Wilkes wrote:
>>>> I'm hardly asking for perfection. Just a little heads up for
>>>> the sheep.
>>> You're unwilling to even describe non-technical users as human
>>> beings, yet you want Tor to suggest a vastly more complex
>>> alternative for them?
>>
>> OK, they're naive and trusting. For which "sheep" is common
>> metaphor.
>>
>> Running VirtualBox and Whonix is hardly "vastly more complex".
>
> It is, you know. More complex, and probably not suitable.

More complex? Sure. But vastly so? That's debatable.

> Haroon Meer, who I greatly respect in the security space, describes
> UX complexity in terms of his mum. As in, "could my mum do this?"
> and if the answer is no, it's too complex for the average user. I
> like that.

His mum probably shouldn't be using Tor.

> Fact is, security is a spectrum. "No security consideration at all"
> is at one end of that spectrum. Tor, the TBB and the associated
> documentation, is someway further along the spectrum, Whonix is
> somewhat further still, but there's a lot more room beyond that.
> Even that's a gross oversimplification - "no browser security
> except NoScript" is more secure but less private than TBB in its
> default configuration.

I agree.

> Because of that, I don't think it's possible, much less desirable,
> to describe the entire spectrum of use-cases. And even less
> possible to actually document the toolset appropriate for every
> point.

I'm not calling for that.

> It's probably far more meaningful to help users understand that
> spectrum, self-assess where they fall on it and what their risk
> profile may look like as a result, and pointers to resources which
> would align with that.

That sounds good to me. Except that there's nothing on the Tor Project
site about Whonix, and virtually nothing about proxy-bypass leaks.

> "Just use VirtualBox and Whonix" is not meaningful advice. It's a
> great fit for a very specific subset of users, but many (I would
> guess "most") users are not in that subset, and for everyone else
> it'd just be some combination of confusing, overwhelming,
> unnecessary, or insufficient.

I'm not arguing that all Tor users should use Whonix. I'm arguing that
the Tor Project ought to mention that as an option.

> The key question to you, as someone advocating that specific
> toolset, would be: for what type of user is VirtualBox+Whonix the
> optimum solution, and how would Joe Random identify if he is that
> sort of user?

1) Specify how much one's time is worth: X USD/hr.
2) Estimate pwnage cost (lost income, legal fees, prison, etc): Y USD.
3) Divide Y by X to get time investment justified to avoid pwnage.

Anyway, what does Tor Project gain by not mentioning Whonix?

--
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk