Forgive me, but I'd like to ask a question here. Tor is a tool that is undeniably, directly marketed toward activists in high-risk environments. Tor's presentations at conferences centre around how Tor obtains increased usage in Arab Spring countries that matches the timeline of revolutionary action. It's incredibly direct. Tor's own spokespeople encourage people in Iran, Egypt and so on to use Tor and only Tor as the most secure tool for activist anonymity, and privacy.
Now, we find out that the FBI has been sitting on an exploit since an unknown amount of time that can compromise the Tor Browser Bundle, which is currently the main way to download Tor and the only way to download Tor for the average end-user, and is deploying it en-masse to the visitors of what seems to be around half of all Tor hidden services, which have also been compromised I've gotten quite some flak from certain people at Tor for supposedly marketing Cryptocat to activists, which is not something I do, but that the media did last year. We know for a fact that Tor does in fact market to activists. And yet, I have a feeling that the flak towards Tor, for something this incredibly huge, will be quite small, on this mailing list and on other discussion forums, especially compared to the kind of vitriol Cryptocat receives. I would like an explanation as to why this is the case. NK On 2013-08-04, at 10:56 PM, Griffin Boyce <[email protected]> wrote: > There are really two separate issues here, and I just want to separate them > briefly. > > 1) Tormail and other sites were hosting malicious js code that attempts to > break firefox 17. > > 2) Freedom Hosting was shut off after its host was arrested. > > I will say from personal experience that most hidden services are > *extremely* permeable. Not because Tor sucks, but because people making them > aren't very good webmasters. They don't upgrade/patch the software running > their websites, and that leads to big hacks. Freedom Hosting was itself taken > down on at least three occasions due to poor maintenance. > > It's also not particularly difficult to script up a scanner that tests > hidden services for vulnerabilities, then launches malicious code. This has > happened again and again. But this cannot really be Tor's fault anymore than > it's Apache's fault. People who host hidden services must maintain their code > just like other websites. > > If a hidden service webhost is imperfectly set up, it's possible to upload > a malicious file and broadcast the IP address of the server. (Again, this > relies on various configuration issues and 0day, but similar has happened to > Freedom Hosting before). > > What does everyone else think about this? > > best, > Griffin > > PS: it seems a little too ambitious to set up your own anonymity network > without having a solid team of scientists and cryptographers > > On Sun, Aug 4, 2013 at 9:20 PM, Rich Jones <[email protected]> wrote: > 1) Freedom Hosting owner arrested and TorMail appears to be distributing FBI > malware specifically targeting the Tor Browser Bundle. > > Deets: > https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste > > > 2) I'm considering using Docker/Flynn to build an anonymous PaaS. Anybody > want to help with the sketches? > > Deets: https://github.com/Miserlou/OnionCloud > > R > > -- > Liberationtech list is public and archives are searchable on Google. Too many > emails? Unsubscribe, change to digest, or change password by emailing > moderator at [email protected] or changing your settings at > https://mailman.stanford.edu/mailman/listinfo/liberationtech > > > > -- > Just another hacker in the City of Spies. > #Foucault / PGP: 0xAE792C97 / OTR: [email protected] > > My posts, while frequently amusing, are not representative of the thoughts of > my employer. > -- > Liberationtech list is public and archives are searchable on Google. Too many > emails? Unsubscribe, change to digest, or change password by emailing > moderator at [email protected] or changing your settings at > https://mailman.stanford.edu/mailman/listinfo/liberationtech
-- Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
