On 2013-08-06, at 1:23 PM, Jacob Appelbaum <ja...@appelbaum.net> wrote:

> Nadim Kobeissi:
>> 
>> On 2013-08-06, at 12:55 PM, Jacob Appelbaum <ja...@appelbaum.net>
>> wrote:
>> 
>>> Nadim Kobeissi:
>>>> 
>>>> On 2013-08-06, at 11:46 AM, Al Billings <alb...@openbuddha.com> 
>>>> wrote:
>>>> 
>>>>> Nadim, you seem confused by how this works. Tor doesn't need to 
>>>>> issue advisories for Firefox issues. We, at Mozilla, already
>>>>> issue them. Perhaps they can link to them clearly but if you
>>>>> want to know about security issues Mozilla fixes in Firefox,
>>>>> you're best served by reading Mozilla advisories. There's not
>>>>> much point in duplicating them on a second site. Tor would be
>>>>> better served by writing advisories for its own, unique,
>>>>> security fixes.
>>>> 
>>>> Tor doesn't need to issue advisories for Firefox issues. Tor
>>>> needs to issue advisories for Tor Browser issues, and not five
>>>> weeks later when s**t hits the fan. I really don't think one can
>>>> reasonably disagree with the above statement. Tor Browser is a
>>>> Firefox fork.
>>> 
>>> Should we issue a single advisory for each possible security issue
>>> that Firefox has already noted in their change log? Each confirmed
>>> security issue? Should we ask for a second CVE to cover each CVE
>>> they receive?
>> 
>> What's the alternative, Jake? 
> 
> That was a list of choices and you didn't choose one. Please choose one
> or more - though not all of them make sense when put together. It was a
> question and well, your answer isn't much of an answer.

Yes, to be absolutely clear, I think Tor should issue advisories for confirmed 
security issues in Tor Browser, since Tor Browser is a fork of Firefox and is 
independently maintained. This is exactly what Tor did this time, except next 
time you shouldn't wait five weeks for the situation to explode.

> 
>> Wait until the NSA exploits
>> innumerable Tor users and then quickly write an advisory
>> for a bug that was quietly fixed without a warning from Tor five
>> weeks but still exploited?
> 
> This is not accurate. We heard about attempts at exploitation and within
> ~24hrs we released an advisory - we had already released fixed code a
> ~month before exploitation was found in the wild. Please do not mix up
> the time-line. To restate:
> 
> 
> 2.3.25-10 (released June 26 2013)
> 2.4.15-alpha-1 (released June 26 2013)
> 2.4.15-beta-1 (released July 8 2013)
> 3.0alpha2 (released June 30 2013)
> 
> 
> The exploit was found in the wild last weekend; I learned about it on
> or around August 4th. Please note that our patched versions were
> released nearly a month before this was found in the wild. There is no
> reason to support the conclusion that we "silently" fixed anything in
> response to an exploit. Please consider that your statement is entirely
> unsupported by evidence, Nadim.

I could be mistaken. Where's the advisory that was issued the day after, that 
mentions that a critical Tor Browser vulnerability was fixed?

> 
>> Because that is exactly what happened this
>> time. Tor can just go on doing this again and again, or yes, you
>> could issue advisories. You are maintaining your own browser called
>> Tor Browser. Stop shifting blame onto Firefox. You're the guy who
>> told me to never shift blame when you have a security vulnerability
>> in the software you yourself are shipping. Practice what you preach.
>> 
> 
> Your assessment of this situation is incorrect.
> 
> We regularly release updates that include updates to included code and
> often, we make note of the fact that the upstream code has security
> fixes included. There is no blame shifting, only a question of how to
> best share that information in a way that users will understand. I have
> asked repeatedly for examples and for details of how to improve things -
> you seem only interested in slinging mud. Perhaps this isn't the most
> useful way forward?

How am I only interested in slinging mud?! How are you even allowed to adopt a 
tone like this while doing your job as an advocate for Tor? I'm simply trying 
to advocate for Tor not waiting five weeks before releasing an advisory next 
time! Comments like this are really just not acceptable, Jake.

NK

> 
>> I sound harsh, sure, but at least I'm being productive and not
>> freaking out about my ego.
> 
> I don't think you are being productive at this point in the
> conversation. You are correct and I agree with you - you are harsh -
> I'll extend this commentary: it reflects poorly on you(r ego) and very
> little is gained by such behavior.
> 
> All the best,
> Jacob
> --
> Liberationtech list is public and archives are searchable on Google. Too many 
> emails? Unsubscribe, change to digest, or change password by emailing 
> moderator at compa...@stanford.edu or changing your settings at 
> https://mailman.stanford.edu/mailman/listinfo/liberationtech
