ryonaloli 2017-02-26 20:51:36
amnet: and the "non-private" definitions i was used to did not consider anonymity to mean membership concealment.
amnet 2017-02-26 20:52:03
Right, but that's what the common definition refers to.
ryonaloli 2017-02-26 20:52:06
so when you said tor does not provide anonymity (membership concealment) by default, i disagreed, because what i heard was that tor did not provide anonymity (location anonymity)
amnet 2017-02-26 20:52:32
Location and given name and so on and so forth are just proxies for someone who wants privacy.
ryonaloli 2017-02-26 20:52:48
privacy is an entirely different thing, as well :P
amnet 2017-02-26 20:53:05
People can vary in terms of what type of information they're most afraid to expose, but they all want privacy to protect them from that.
amnet 2017-02-26 20:53:18
ryonaloli: Shh!
ryonaloli 2017-02-26 20:53:19
anonymity, privacy, and security are completely different. in the technical sphere, they are unambiguous. when laymen use it, the meanings differ depending on who uses it.
ryonaloli 2017-02-26 20:53:43
even security is not one, uniform thing. it splits into confidentiality, availability, and integrity!
amnet 2017-02-26 20:54:48
Right, but I don't care about that.
amnet 2017-02-26 20:56:02
Because I like to be able to explain this stuff to people in a way that actually equips them to react.
ryonaloli 2017-02-26 20:56:10
so the first thing i have to do is ask someone what they mean by "i want more security for X". if they say "well i mean security by security. don't use technical terms on me!", i'll tell them what i tell you - that the technical terms are necessary to avoid ambiguities.
amnet 2017-02-26 20:56:11
For my purposes, I want actual anonymity, beyond privacy.
ryonaloli 2017-02-26 20:56:11
amnet: how does it equip them to react if your use of anonymity != their use of anonymity?
amnet 2017-02-26 20:56:11
Most people just want anonymity for privacy's sake.
ryonaloli 2017-02-26 20:56:11
i have a friend over on oftc. he does not give a damn about whether or not his isp knows he uses tor.
amnet 2017-02-26 20:56:11
They WILL share name and location and other identity information with "approved apps" and friends.
ryonaloli 2017-02-26 20:56:11
by your definition of anonymity, he is not anonymous.
ryonaloli 2017-02-26 20:56:11
by his definition, he is.
ryonaloli 2017-02-26 20:56:11
how could you possibly prescribe a solution to him if he asked for advice, if you used your own definition of the term?
ryonaloli 2017-02-26 20:56:11
and he used his?
amnet 2017-02-26 20:56:11
The technical terms are NOT necessary to avoid ambiguity. They are *YOUR* convention for diagnosing use-cases.
ryonaloli 2017-02-26 20:58:25
but clearly the layman terms are ambiguous.
amnet 2017-02-26 21:02:54
ryonaloli: They aren't ambiguous. They just refer to a lot of different software techniques.
amnet 2017-02-26 21:03:12
The end goal is the same for most people: Privacy.
ryonaloli 2017-02-26 21:03:30
the friend i referred to on oftc doesn't care one bit about privacy.
ryonaloli 2017-02-26 21:03:40
he just doesn't want his actions to be connected to him.
ryonaloli 2017-02-26 21:04:05
but the things he does do, he does in the open. doesn't seem to care about encryption, or even using good passwords.
amnet 2017-02-26 21:04:07
ryonaloli: I don't *have* a private definition of anonymity. You do by prescribing to a professional lexicon.
amnet 2017-02-26 21:04:20
Use-cases differ, terms don't.
amnet 2017-02-26 21:04:36
You have your diagnostic method, I have mine.
amnet 2017-02-26 21:05:15
I never need to tell someone how I think about anonymity to address their use-case and prescribe a technology.
ryonaloli 2017-02-26 21:05:48
that was not a professional or "private" definition. that was just a slightly more accurate use.
ryonaloli 2017-02-26 21:06:08
it still didn't differentiate the many types of anonymity and their use-cases. it just didn't use them in quite such an ambiguous way.
ryonaloli 2017-02-26 21:15:27
other than that, there's the more trivial issue where ipv4 is more likely to give you a dynamic ip, but you should never rely on a dynamic ip for anonymity.
eviladmin 2017-02-26 21:15:33
sidenote: you could always do random mac
amnet 2017-02-26 21:15:36
ryonaloli: Layman's terms can be used accurately & precisely.
Speiros 2017-02-26 21:15:44
ryonaloli VMware though,
amnet 2017-02-26 21:15:57
(Bitwise AND.)
ryonaloli 2017-02-26 21:16:05
sigh
Speiros 2017-02-26 21:16:05
eviladmin Yeah, I was thinking of that with VMware etc
eviladmin 2017-02-26 21:16:11
thing is, it is pretty easy to track people based on behaviour etc regardless of what technical solutions they use to try to hide
amnet 2017-02-26 21:16:25
^
Speiros 2017-02-26 21:16:39
eviladmin If they're using it for bad purposes, then they hopefully will be caught. Serves them right.
ryonaloli 2017-02-26 21:16:42
eviladmin: that's unfortunately true. you need good opsec if you're going to go up against someone who has an idea of what they're doing.
ryonaloli 2017-02-26 21:16:55
as thegruq repeatedly says.
amnet 2017-02-26 21:17:09
ryonaloli: When I speak to laymen, I prepare them to react to people who know what they're doing.
amnet 2017-02-26 21:17:23
I don't need to protect them from people who don't know what they're doing.
ryonaloli 2017-02-26 21:17:29
when i speak to laymen, the first thing i do is ensure that i am on the same page as i am.
amnet 2017-02-26 21:17:51
That's usually guaranteed by the law of identity.
amnet 2017-02-26 21:18:06
(Typo, I know.)
ryonaloli 2017-02-26 21:18:30
when giving consultation to a layman who i know nothing about (no prior contact or details), often the first thing i'll ask is "what is your threat model?", and if they ask what that is, i'll explain it. that's the only way to break the ice and explain to them how they need to see the world.
ryonaloli 2017-02-26 21:18:52
the entire security community is plagued with people who get screwed over because they use layman's terms, and even worse, *think* in layman's ways.
ryonaloli 2017-02-26 21:19:04
in exactly a way you promoted, thinking everything boils down to privacy.
amnet 2017-02-26 21:19:05
ryonaloli: I can seek rapidly on layman input. It's not hard for me to jump 134.2 pages, exactly, to find where they are.
ryonaloli 2017-02-26 21:19:17
which is well known to be one of the very worst mindsets you can have.
amnet 2017-02-26 21:19:36
ryonaloli: That's not the ONLY way. That's YOUR professional diagnostic convention.
ryonaloli 2017-02-26 21:19:38
"i just want privacy" and "i just want security" is about the worst thing you can hear, because you know "oh jeez, this person knows nothing"
ryonaloli 2017-02-26 21:19:50
amnet: it's *the* professional convention in infosec
amnet 2017-02-26 21:20:13
ryonaloli: I can protect people who know nothing better than you can.
ryonaloli 2017-02-26 21:20:46
is this your profession? i'm not assuming anything, because i know nothing about you.
amnet 2017-02-26 21:20:48
Mostly because I prepare them for the actual threat of a competent opponent.
amnet 2017-02-26 21:21:11
What you do is more akin to combat training.
amnet 2017-02-26 21:21:19
My tactic is more like abstinence.
amnet 2017-02-26 21:21:38
I can guarantee you that unplugging your computer will work.
ryonaloli 2017-02-26 21:21:54
that violates one third of the entire point of security - availability
amnet 2017-02-26 21:21:56
You can't actually guarantee that IP addresses won't be sniffed by NSA dragnets.
amnet 2017-02-26 21:22:03
Even with Tor.
ryonaloli 2017-02-26 21:22:09
if your adversary is a huge botnet with 100 gbps DDoS power, you've just done their job for them
amnet 2017-02-26 21:22:23
You can't guarantee metadata privacy through software the way I can through hardware.
ryonaloli 2017-02-26 21:22:45
but you can - VT-x exists :P
ryonaloli 2017-02-26 21:22:59
(exaggerating a little - i know there are plenty of nasty side-channel attacks)
amnet 2017-02-26 21:23:29
ryonaloli: Security as you understand it isn't privacy. If my user wants privacy, I can literally tell them to unplug their computer and 70% of them will learn something new as a result.
amnet 2017-02-26 21:24:22
ryonaloli: There's *always* a side-channel attack except for the very limited use-case of someone who desires anonymity.
ryonaloli 2017-02-26 21:24:28
infosec can include some aspects of privacy (confidentiality). and sure, telling people to unplug their computer does help them understand.
amnet 2017-02-26 21:24:47
Meatspace is the go-to side-channel attack for someone who wants privacy, for instance.
ryonaloli 2017-02-26 21:24:50
heh, you'd be surprised. you see that paper recently which was *all* about using side-channel attacks for fingerprinting devices to break anonymity?
amnet 2017-02-26 21:25:01
(Hence why unplugging the device *sometimes* works.)
ryonaloli 2017-02-26 21:25:06
99.something% accuracy
ryonaloli 2017-02-26 21:25:21
(doesn't work on tor browser, though, primarily since webgl is disabled)
amnet 2017-02-26 21:26:04
I haven't read the paper but I'm familiar with the material.
Speiros 2017-02-26 21:26:11
webgl can be disabled on the tor browser with noscript though, yes?
ryonaloli 2017-02-26 21:26:23
Speiros: it's disabled by default
Speiros 2017-02-26 21:26:29
Yep, okay:)
ryonaloli 2017-02-26 21:26:46
even with noscript not set to the highest setting, it's disabled because it's so nasty
amnet 2017-02-26 21:26:47
"Disabled by default" is a strong security measure.
ryonaloli 2017-02-26 21:26:51
yup
eviladmin 2017-02-26 21:26:52
better off running a vm with all traffic routed through tor than using the tor browser
eviladmin 2017-02-26 21:27:09
way too many security issues with firefox
ryonaloli 2017-02-26 21:27:09
eviladmin: depends on threat model. your anonymity set will be... like one person.
ryonaloli 2017-02-26 21:27:39
so that browser, even if it's very secure (chromium, locked down, running on an isolated computer, say), will have a completely unique fingerprint.
Speiros 2017-02-26 21:27:43
I'm, according to one website, 1 in 68 users or something.
Speiros 2017-02-26 21:28:01
Obviously, that depends on whether I'm using it or not too.
ryonaloli 2017-02-26 21:28:02
Speiros: those sites are not particularly accurate, especially given new and more advanced techniques.
ryonaloli 2017-02-26 21:28:18
with new techniques, it will effectively always say "1 in millions"
ryonaloli 2017-02-26 21:28:30
assuming you are not using tor browser
Speiros 2017-02-26 21:28:32
I see. It was this one. https://panopticlick.eff.org/tracker-nojs
Speiros 2017-02-26 21:28:36
Ah.
amnet 2017-02-26 21:28:40
PPM accuracy should scare more people than it currently does.
amnet 2017-02-26 21:29:15
But I guess there are also people who work on countermeasures.
ryonaloli 2017-02-26 21:29:34
audiocontext fingerprinting should be the scariest
ryonaloli 2017-02-26 21:29:56
since there are no current mitigations (i can think of a few ideas, but nothing has been implemented short of "prevent your browser from ever accessing audio device nodes")
amnet 2017-02-26 21:29:57
Of course the population size of skilled tech departments for large corporations is way bigger than the patcher population.
amnet 2017-02-26 21:33:29
UX is the antithesis of security, privacy, and anonymity in the browser market.
ryonaloli 2017-02-26 21:33:44
well 1) raw access to the oscillator and such are fundamentally *needed* for the attack to work, as well as for the feature to work. 2) even if that weren't true, that's firefox, what do you expect? :P
ryonaloli 2017-02-26 21:33:51
firefox has 10, 11 year old bugs *still* open
ryonaloli 2017-02-26 21:34:00
some moderately security-related
ryonaloli 2017-02-26 21:34:15
such as the inability to disable images (disabling images in firefox is trivial for a site to bypass)
amnet 2017-02-26 21:34:17
It's not just Firefox.
ryonaloli 2017-02-26 21:34:33
chromium is far better, in that respect. i can't speak for other browsers.
amnet 2017-02-26 21:34:34
UX reaches every non-UNIX browser.
ryonaloli 2017-02-26 21:35:05
oh i'm talking about lower level stuff, as in "can't be disabled, even when patching it"
amnet 2017-02-26 21:35:20
Yeah.
amnet 2017-02-26 21:35:35
Hardware acceleration is just beyond the limit of UX into new technology.
ryonaloli 2017-02-26 21:35:59
luckily all browsers have gpu hardware accel checkboxes.
ryonaloli 2017-02-26 21:36:55
but for audio? there's no such thing as software audio.
ryonaloli 2017-02-26 21:37:54
simply because there was never a time when the browser ran on a system where lack of an audio chip would still allow something to come out of the speakers
ryonaloli 2017-02-26 21:37:54
so if you had speakers, you also had a hardware oscillator, compressor, etc
amnet 2017-02-26 21:38:46
Well you've gone and depressed me for the night.
amnet 2017-02-26 21:38:47
Thanks.
ryonaloli 2017-02-26 21:40:31
(in)security tends to do that
amnet 2017-02-26 21:40:58
If it's not ubiquitous, it doesn't exist.