Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-09-14 Thread Asa Rossoff
I composed the following SOME TIME back! (must have been around the time of
the Freedom Hosting initial revelations)

  -- it was never sent, so here it is.
  I don't have the dates, but this reply should get threaded properly...
  My reply is dated in the sense that it was based on info at the time, of
which there is much more now.  I believe I intended to add to this message
before sending, likely to respond to more of Jacob's comments.


For posterity, here is my reply as drafted to Jacob Applebaum
(Sincerely,Asa):

Jacob Appelbaum:
 Asa Rossoff:
 Jacob Appelbaum:
 Asa Rossoff:
...
 Thanks for your response!

Surely.  I hope it adds value.  The rights to privacy and security are
important to me, especially as they apply to all people.  Although I have
some technical know-how, I am new to Tor and don't know a lot about
cryptography.

...
 TBB users are at special risk of being targeted for spying (according to
 recent news reports), hacking/exploits (as is the case in this instance),
 and this may be increasingly true in the future.
 

 Probably, yes. I think that is a fair assessment - though it applies to
 anyone who uses privacy, security and anonymity software, I think.

Yes, I would think so too.  I saw no evidence that indicated a specific
interest in Tor.  In particular in terms of monitoring/spying, encryption
can draw attention, and has often provoked blocking or dropping of
connections in certain regions.  I think China recently blocked all SSL
access to Wikipedia, for example.

The most pertinent reference re. encryption provoking spying or attention
might be Exhibit B from the NSA docs, in regards to collecting data on US
persons:
http://www.theguardian.com/world/interactive/2013/jun/20/exhibit-b-nsa-procedures-document
relaying FISA sec. 701/702 minimization procedures.  I
haven't read Exhibit A which I believe is about communications that are
known to involve non-US persons.

Ironically, most of what that document describes sounds like maximization
procedures to me.  The general rule of thumb seems to be that
communications can be kept for 5 years (or more--a sufficient duration).
A sufficient duration for enciphered data or data believed to contain
secret meaning is indefinite, though -- at least until the meaning is
clear they can keep enciphered or secret meaning data forever.

My references to the above document by section, paraphrased in brackets (not
so much for your personal benefit as much as for the record)---
Section:
5.(3)(a)[Domestic Communications-retention conditions(believed to
contain technical data base information)(enciphered/secret meaning)]
6.(a)(1)(a) [Foreign Communications of or Concerning United States
Persons(Retention conditions)(necessary for maintenance of technical data
bases)(enciphered/secret meaning)].
7.  [if the communication is of or concerning non-US people
there are no special restrictions]
8.  [Foreign governments can be provided unminimized and/or
enciphered/coded data for assistance in analysis or deciphering with the
proviso that the foreign governments aren't allowed to retain, disseminate,
or do anything with the data except give it back to the US--yeah,
right--although the US may give some of it back to them under other
procedures].

Further, if they find anything incriminating in any way during their
analyses, they can keep/disseminate it without regard to most of the other
procedures outlined.

...
 The point I was getting to is that several parallel strategies come to
 mind:
 (1) It would not be a bad idea to post applicable Firefox-issued security
 advisories to one of your lists

 Part of the issue - from my perspective - is that 'applicable' is a bit
 nebulous. Nearly every bug *might* turn into an anonymity destroying bug
 with some engineering effort.

 (2) Even have an RSS feed of them available through the TBB, as well as RSS
 of TBB releases, and what security issues are covered including one advised
 by Firefox.  This could notify of stable, alpha and beta releases, so
 everyone knows when security updates are available, possibly at the cost of
 stability.

 I like this idea - though I wonder how users would feel about it? Will
 they read it? Should it be our own RSS feed or an RSS feed of Mozilla's
 data?

 (3) When you get an update mechanism going, for stability reasons, you
 probably want it to automatically only update to stable or beta releases[?].

 I tend to prefer 'secure' update over 'automatic' update.

 However, you could have a parallel release schedule to get these upstream
 patches out ASAP.   I realize labor is involved here; but if at all
 possible, updating your last stable patch to work with the latest Firefox
 release ASAP and releasing it as a stable/beta while continuing development
 on a more major/feature-related update that will start as an alpha release
 when ready. (possibly backporting some TBB-only-security fixes only to your
 last patch when it makes sense).

 Sure, that seems 

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Jerzy Łogiewa
But this data is not useful for anyone but the most advanced user.

TBB should auto-update for any non-geek user. I hope some safe way of doing this
update exists.

--
Jerzy Łogiewa -- jerz...@interia.eu

On Aug 6, 2013, at 5:11 PM, CodesInChaos wrote:

 When the user's version is outdated you already display an update notice.
 You could add those items from 
 https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
 that apply to the current version. Listing particular vulnerabilities makes 
 it clear that you actually should
 update and that it isn't just a superfluous notice that's just for annoying 
 the user.
 
 I wouldn't duplicate the actual advisories, but listing them is a good idea 
 IMO.
 
 Perhaps something like:
 
 ---
 This version of TOR Browser is based on Firefox ESR 17.0.6. You need to 
 upgrade to fix the following security issues:
 
 Fixed in Firefox ESR 17.0.7
 MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a 
 privileged context
 MFSA 2013-56 PreserveWrapper has inconsistent behavior
 MFSA 2013-55 SVG filters can lead to information disclosure
 MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
 MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
 MFSA 2013-51 Privileged content access and execution via XBL
 MFSA 2013-50 Memory corruption found using Address Sanitizer
 MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)
 -

--
Liberationtech list is public and archives are searchable on Google. Too many 
emails? Unsubscribe, change to digest, or change password by emailing moderator 
at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech
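The proposal above (and Asa's items (1) and (2) earlier in the thread) amounts to a small piece of logic: compare the Firefox ESR version a Tor Browser build is based on against the "fixed in" version of each Mozilla advisory, and list only the advisories the installed build is still exposed to. The following is an added example written for this page, not code from the thread or from the Tor Project. The advisory rows are transcribed from the ESR 17.0.7 list quoted above (plus the MFSA-to-CVE pairing Jacob mentions later in the thread); the `Advisory` data model, the `applicable_advisories` and `update_notice` functions and the notice wording are this example's own assumptions.

```python
"""Added example (not from the liberationtech thread or the Tor Project):
select the Mozilla advisories that apply to the Firefox ESR version a Tor
Browser build is based on, and render them as a concrete update notice."""
from dataclasses import dataclass
from typing import List, Tuple

Version = Tuple[int, int, int]


def parse_version(text: str) -> Version:
    """Turn '17.0.6' into (17, 0, 6) so versions compare numerically.

    Missing components are padded with zeros ('17.0' == '17.0.0').  A plain
    string comparison would wrongly rank '17.0.10' below '17.0.9'.
    """
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unexpected version string: {text!r}")
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])


@dataclass(frozen=True)
class Advisory:
    mfsa: str       # Mozilla Foundation Security Advisory id
    title: str
    fixed_in: str   # first ESR version that ships the fix
    cve: str = ""   # CVE id, where the thread gives one


# Constructed from the ESR 17.0.7 advisory list quoted in the thread.
ADVISORIES: List[Advisory] = [
    Advisory("MFSA 2013-59", "XrayWrappers can be bypassed to run user "
             "defined methods in a privileged context", "17.0.7"),
    Advisory("MFSA 2013-56", "PreserveWrapper has inconsistent behavior", "17.0.7"),
    Advisory("MFSA 2013-55", "SVG filters can lead to information disclosure", "17.0.7"),
    Advisory("MFSA 2013-54", "Data in the body of XHR HEAD requests leads to "
             "CSRF attacks", "17.0.7"),
    Advisory("MFSA 2013-53", "Execution of unmapped memory through "
             "onreadystatechange event", "17.0.7", cve="CVE-2013-1690"),
    Advisory("MFSA 2013-51", "Privileged content access and execution via XBL", "17.0.7"),
    Advisory("MFSA 2013-50", "Memory corruption found using Address Sanitizer", "17.0.7"),
    Advisory("MFSA 2013-49", "Miscellaneous memory safety hazards "
             "(rv:22.0 / rv:17.0.7)", "17.0.7"),
]


def applicable_advisories(installed: str,
                          advisories: List[Advisory] = ADVISORIES) -> List[Advisory]:
    """Advisories whose fix landed in an ESR newer than the installed one.

    These are exactly the issues the installed build is still exposed to,
    which is what makes the update notice concrete rather than generic.
    The sort is stable, so entries with the same fix version keep the
    order of the source list.
    """
    current = parse_version(installed)
    hits = [a for a in advisories if parse_version(a.fixed_in) > current]
    return sorted(hits, key=lambda a: parse_version(a.fixed_in))


def update_notice(installed: str,
                  advisories: List[Advisory] = ADVISORIES) -> str:
    """Render the notice: one 'Fixed in' header per ESR version that
    closed something the installed build still lacks."""
    hits = applicable_advisories(installed, advisories)
    if not hits:
        return (f"This version of Tor Browser (Firefox ESR {installed}) "
                "has no outstanding Mozilla advisories.")
    lines = [f"This version of Tor Browser is based on Firefox ESR {installed}.",
             "You need to upgrade to fix the following security issues:"]
    current_group = None
    for a in hits:
        if a.fixed_in != current_group:      # start a new version group
            lines.append(f"\nFixed in Firefox ESR {a.fixed_in}")
            current_group = a.fixed_in
        ref = f"{a.mfsa} ({a.cve})" if a.cve else a.mfsa
        lines.append(f"  {ref}: {a.title}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(update_notice("17.0.6"))
```

The version parser is the part worth getting right: an update check that compares version strings lexically will misjudge a `17.0.10` build against `17.0.9`, and a notice that lists advisories the user has already received trains people to ignore it. Keeping the CVE next to the MFSA id also gives the reader a stable cross-reference when the same bug is discussed outside Mozilla's own advisory pages.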

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Nadim Kobeissi

On 2013-08-07, at 12:44 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

 Bbrewer:
 We're understaffed, so we tend to pick the few things we might
 accomplish and writing such advisory emails is weird unless there is an
 exceptional event. Firefox bugs and corresponding updates are not
 exceptional events. :(
 
 Pardon me,
 But it does seem that this one was.
 
 No?
 
 Yeah, this was such a case - a month ago, we didn't know it was such a
 case - no one did, not even Mozilla.

That's funny — didn't Mozilla issue a security advisory for it a month ago? 
That would imply that they actually did know that it was such a case.

NK

 
 All the best,
 Jacob
 


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Nadim Kobeissi

On 2013-08-07, at 12:58 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

 Nadim Kobeissi:
 
 On 2013-08-07, at 12:44 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
 
 Bbrewer:
 We're understaffed, so we tend to pick the few things we might
 accomplish and writing such advisory emails is weird unless there is an
 exceptional event. Firefox bugs and corresponding updates are not
 exceptional events. :(
 
 Pardon me,
 But it does seem that this one was.
 
 No?
 
 Yeah, this was such a case - a month ago, we didn't know it was such a
 case - no one did, not even Mozilla.
 
 That's funny — didn't Mozilla issue a security advisory for it a month ago? 
 That would imply that they actually did know that it was such a case.
 
 
 The exploit is the exceptional event. Roger just covered this with
 exceptional clarity.
 
 Al - did Mozilla know it was being exploited in the wild, a month ago?
 Was there a known difference at the time between this bug and say, the
 others which were fixed in the ESR17 release cycle?

Does an exploit need to exist in the wild and be discovered first in order to 
warrant a security advisory? I didn't know this!

NK

 
 All the best,
 Jacob
 


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Jacob Appelbaum
Nadim Kobeissi:
 
 On 2013-08-07, at 12:58 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
 
 Nadim Kobeissi:

 On 2013-08-07, at 12:44 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

 Bbrewer:
 We're understaffed, so we tend to pick the few things we might
 accomplish and writing such advisory emails is weird unless there is an
 exceptional event. Firefox bugs and corresponding updates are not
 exceptional events. :(

 Pardon me,
 But it does seem that this one was.

 No?

 Yeah, this was such a case - a month ago, we didn't know it was such a
 case - no one did, not even Mozilla.

 That's funny — didn't Mozilla issue a security advisory for it a month ago? 
 That would imply that they actually did know that it was such a case.


 The exploit is the exceptional event. Roger just covered this with
 exceptional clarity.

 Al - did Mozilla know it was being exploited in the wild, a month ago?
 Was there a known difference at the time between this bug and say, the
 others which were fixed in the ESR17 release cycle?
 
 Does an exploit need to exist in the wild and be discovered first in order to 
 warrant a security advisory? I didn't know this!
 

The advisory was about a bug being exploited in the wild, so, yes. That
was covered well in Roger's last email.

I'd encourage you to read Roger's email (again, or for the first time).
Specifically the part where we encouraged users to upgrade, notified
every browser user that there was a security update and so on.

All the best,
Jacob


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Nadim Kobeissi

On 2013-08-07, at 1:05 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

 Nadim Kobeissi:
 
 On 2013-08-07, at 12:58 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
 
 Nadim Kobeissi:
 
 On 2013-08-07, at 12:44 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
 
 Bbrewer:
 We're understaffed, so we tend to pick the few things we might
 accomplish and writing such advisory emails is weird unless there is an
 exceptional event. Firefox bugs and corresponding updates are not
 exceptional events. :(
 
 Pardon me,
 But it does seem that this one was.
 
 No?
 
 Yeah, this was such a case - a month ago, we didn't know it was such a
 case - no one did, not even Mozilla.
 
 That's funny — didn't Mozilla issue a security advisory for it a month 
 ago? That would imply that they actually did know that it was such a case.
 
 
 The exploit is the exceptional event. Roger just covered this with
 exceptional clarity.
 
 Al - did Mozilla know it was being exploited in the wild, a month ago?
 Was there a known difference at the time between this bug and say, the
 others which were fixed in the ESR17 release cycle?
 
 Does an exploit need to exist in the wild and be discovered first in order 
 to warrant a security advisory? I didn't know this!
 
 
 The advisory was about a bug being exploited in the wild, so, yes. That
 was covered well in Roger's last email.

I'm aware, I did read his email. I was just under the impression that you 
publish advisories about *vulnerabilities*, not about *exploits*. But perhaps 
you're teaching me (and the rest of the community) something new here! ;-)

 
 I'd encourage you to read Roger's email (again, or for the first time).
 Specifically the part where we encouraged users to upgrade, notified
 every browser user that there was a security update and so on.

That's pretty great, but it doesn't count as an advisory, no matter how hard 
you seem to want it to.
THIS is an advisory: 
https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html

NK

 
 All the best,
 Jacob


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Jacob Appelbaum
 
 The advisory was about a bug being exploited in the wild, so, yes.
 That was covered well in Roger's last email.
 
 I'm aware, I did read his email. I was just under the impression that
 you publish advisories about *vulnerabilities*, not about *exploits*.
 But perhaps you're teaching me (and the rest of the community)
 something new here! ;-)

The purpose of an advisory is to alert users about various kinds of
information.

We covered the vulnerability and the exploit details that we knew at
various times. We first published a blog post that detailed that we
didn't yet have all information about what we'd heard rumored. We then
published a second blog post detailing the new information. We also sent
an email about it.

I'd say that all three are advisory in nature - they literally advise
users of what we know. The final email to tor-announce was an advisory
about a specific vulnerability that was being exploited in the wild.

 
 
 I'd encourage you to read Roger's email (again, or for the first
 time). Specifically the part where we encouraged users to upgrade,
 notified every browser user that there was a security update and so
 on.
 
 That's pretty great, but it doesn't count as an advisory, no matter
 how hard you seem to want it to. THIS is an advisory:
 https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html


A CVE is what most consider the standard way of discussing an issue
regardless of format or medium. We could probably improve by referencing
CVEs of Mozilla's ESR security page rather than simply referencing the
MFSA alone. As it is we referenced mfsa2013-53 but we didn't directly
reference CVE-2013-1690. Part of the reason is that the MFSA is more
specific than the CVE which details the most likely information relevant
to a Firefox/Tor Browser user.

All the best,
Jacob


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Claudio

On 08/07/2013 12:35 PM, Jacob Appelbaum wrote:
 
 The advisory was about a bug being exploited in the wild, so,
 yes. That was covered well in Roger's last email.
 
 I'm aware, I did read his email. I was just under the impression
 that you publish advisories about *vulnerabilities*, not about
 *exploits*. But perhaps you're teaching me (and the rest of the
 community) something new here! ;-)
 
 The purpose of an advisory is to alert users about various kinds
 of information.
 
 We covered the vulnerability and the exploit details that we knew
 at various times. We first published a blog post that detailed that
 we didn't yet have all information about what we'd heard rumored.
 We then published a second blog post detailing the new information.
 We also sent an email about it.
 
 I'd say that all three are advisory in nature - they literally
 advise users of what we know. The final email to tor-announce was
 an advisory about a specific vulnerability that was being exploited
 in the wild.
 
 
 
 I'd encourage you to read Roger's email (again, or for the
 first time). Specifically the part where we encouraged users to
 upgrade, notified every browser user that there was a security
 update and so on.
 
 That's pretty great, but it doesn't count as an advisory, no
 matter how hard you seem to want it to. THIS is an advisory: 
 https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html


 
 A CVE is what most consider the standard way of discussing an
 issue regardless of format or medium. We could probably improve by
 referencing CVEs of Mozilla's ESR security page rather than simply
 referencing the MFSA alone. As it is we referenced mfsa2013-53 but
 we didn't directly reference CVE-2013-1690. Part of the reason is
 that the MFSA is more specific than the CVE which details the most
 likely information relevant to a Firefox/Tor Browser user.
 
 All the best, Jacob

How about we stop this nonsense repetitive blame game and get back at
proposing good practices for the future?
Nadim, since you clearly admitted on the other thread from Shava that
you're just campaigning a personal attack against Jacob, I'm not even
gonna argument against your position (which I find practically,
logistically and technically meaningless by the way).
If you want to keep having an ego fight with Jacob, please continue it
privately (or better don't continue it at all), this is tedious to
read and it's killing a thread that could be beneficial for everybody.

Best,
Claudio


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Joseph Lorenzo Hall


On 8/7/13 9:22 AM, Claudio wrote:
 
 How about we stop this nonsense repetitive blame game and get back at
 proposing good practices for the future?
 Nadim, since you clearly admitted on the other thread from Shava that
 you're just campaigning a personal attack against Jacob, I'm not even
 gonna argument against your position (which I find practically,
 logistically and technically meaningless by the way).
 If you want to keep having an ego fight with Jacob, please continue it
 privately (or better don't continue it at all), this is tedious to
 read and it's killing a thread that could be beneficial for everybody.

+1



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Kyle Maxwell
Although I agree in principle (in the sense of friendly advice to
Nadim), let's all just remember this same advice the next time
Applebaum goes on one of *his* tirades, shall we?

Now returning to your regularly scheduled rants against The Man.

On Wed, Aug 7, 2013 at 8:29 AM, Joseph Lorenzo Hall j...@cdt.org wrote:


 On 8/7/13 9:22 AM, Claudio wrote:

 How about we stop this nonsense repetitive blame game and get back at
 proposing good practices for the future?
 Nadim, since you clearly admitted on the other thread from Shava that
 you're just campaigning a personal attack against Jacob, I'm not even
 gonna argument against your position (which I find practically,
 logistically and technically meaningless by the way).
 If you want to keep having an ego fight with Jacob, please continue it
 privately (or better don't continue it at all), this is tedious to
 read and it's killing a thread that could be beneficial for everybody.

 +1




-- 
@kylemaxwell


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Crypto
On 8/7/2013 8:29 AM, Joseph Lorenzo Hall wrote:
 
 
 On 8/7/13 9:22 AM, Claudio wrote:

 How about we stop this nonsense repetitive blame game and get back at
 proposing good practices for the future?
 Nadim, since you clearly admitted on the other thread from Shava that
 you're just campaigning a personal attack against Jacob, I'm not even
 gonna argument against your position (which I find practically,
 logistically and technically meaningless by the way).
 If you want to keep having an ego fight with Jacob, please continue it
 privately (or better don't continue it at all), this is tedious to
 read and it's killing a thread that could be beneficial for everybody.
 
 +1

I add my vote also. If you two want to fight like little girls, take it
off list. Continuing to SPAM the list with your constant bickering only
increases your lack of credibility.

-- 
Crypto

Keywords: terrorism, bombs, jogging, suntan lotion,
nails, pellets, knives, shoes, underwear, milk, socks,
hair, toenails, masturbation, gasoline, cooking oil,
mayonnaise, bananas, Obama, Clinton, EFF, NSA, FBI,
PGP, USA, pressure cooker, marathon, fertilizer

Keywords are not necessarily in order of importance


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Joseph Lorenzo Hall
little girls?!

WTF

On Wed Aug  7 09:37:55 2013, Crypto wrote:
 On 8/7/2013 8:29 AM, Joseph Lorenzo Hall wrote:
 I add my vote also. If you two want to fight like little girls, take it
 off list. Continuing to SPAM the list with your constant bickering only
 increases your lack of credibility.




Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Kyle Maxwell
Yay casual sexism... okay, everybody's had their say. I agree with
Nadim's point, but he's made it already, and I agree with those who
say it's time for us all to get back to work.

It's a beautiful day here in Texas and I hope for the same for you
all, wherever you are. I'll be getting back to being seriously
productive now myself.

On Wed, Aug 7, 2013 at 8:42 AM, Joseph Lorenzo Hall j...@cdt.org wrote:
 little girls?!

 WTF

 On Wed Aug  7 09:37:55 2013, Crypto wrote:
 On 8/7/2013 8:29 AM, Joseph Lorenzo Hall wrote:
 I add my vote also. If you two want to fight like little girls, take it
 off list. Continuing to SPAM the list with your constant bickering only
 increases your lack of credibility.





-- 
@kylemaxwell


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Crypto
On 8/7/2013 8:49 AM, Kyle Maxwell wrote:
 Yay casual sexism... okay, everybody's had their say. I agree with
 Nadim's point, but he's made it already, and I agree with those who
 say it's time for us all to get back to work.
 
 It's a beautiful day here in Texas and I hope for the same for you
 all, wherever you are. I'll be getting back to being seriously
 productive now myself.
 
 On Wed, Aug 7, 2013 at 8:42 AM, Joseph Lorenzo Hall j...@cdt.org wrote:
 little girls?!

My apologies for sounding sexist. Actually I *DO* have 2 little girls
ages 4 and 5. They can start bickering about something and it can last
for hours! If you ask either one of them what the original argument was
about neither one of them remembers! It's just that this thread was
starting to remind me of my two girls.

-- 
Crypto

Keywords: terrorism, bombs, jogging, suntan lotion,
nails, pellets, knives, shoes, underwear, milk, socks,
hair, toenails, masturbation, gasoline, cooking oil,
mayonnaise, bananas, Obama, Clinton, EFF, NSA, FBI,
PGP, USA, pressure cooker, marathon, fertilizer

Keywords are not necessarily in order of importance


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Al Billings
No and no. 

It was an issue found by an external security researcher who has submitted a lot 
of issues to us over time. He found it through his process of investigation and 
reported it directly to us (responsible disclosure and such). It was a problem 
and we fixed it. The first indications of any exploit using it at all were when 
things happened with Tor this last weekend. 

If an unfixed bug is being used in the wild, that's a 0 Day and we'll scramble 
to fix it if the bug is severe enough to merit it. If it is a bug that we've 
already fixed, we'll investigate to see if further mitigation is necessary and 
if there is anything further to be done. We had people spend their Sundays 
looking at the bug in question before it was completely narrowed down, 
double-checked, and confirmed to be the older issue that had been fixed in the 
current release of the time (we actually had another normal release yesterday 
as it is that time on the six week clock).

Al 

-- 
Al Billings
http://makehacklearn.org


On Wednesday, August 7, 2013 at 2:58 AM, Jacob Appelbaum wrote:

 Al - did Mozilla know it was being exploited in the wild, a month ago?
 Was there a known difference at the time between this bug and say, the
 others which were fixed in the ESR17 release cycle?



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-07 Thread Yosem Companys
OK, everyone, let's try to cool it a bit.  This discussion is extremely
important, so let's not let it deteriorate into bickering.  Otherwise, I'll
have to moderate it, a task I don't enjoy.

Kudos to all of you who have already expressed a similar sentiment,

Yosem, one of the moderators



On Wed, Aug 7, 2013 at 9:50 AM, Al Billings alb...@openbuddha.com wrote:

  No and no.

 It was an issue found by an external security researcher who has submitted
 a lot of issues to us over time. He found it through his process of
 investigation and reported it directly to us (responsible disclosure and
 such). It was a problem and we fixed it. The first indications of any
 exploit using it at all were when things happened with Tor this last
 weekend.

 If an unfixed bug is being used in the wild, that's a 0 Day and we'll
 scramble to fix it if the bug is severe enough to merit it. If it is a bug
 that we've already fixed, we'll investigate to see if further mitigation is
 necessary and if there is anything further to be done. We had people spend
 their Sundays looking at the bug in question before it was completely
 narrowed down, double-checked, and confirmed to be the older issue that had
 been fixed in the current release of the time (we actually had another
 normal release yesterday as it is that time on the six week clock).

 Al

 --
 Al Billings
 http://makehacklearn.org

  On Wednesday, August 7, 2013 at 2:58 AM, Jacob Appelbaum wrote:

  Al - did Mozilla know it was being exploited in the wild, a month ago?
 Was there a known difference at the time between this bug and say, the
 others which were fixed in the ESR17 release cycle?





Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Nadim Kobeissi

On 2013-08-06, at 3:19 AM, Jacob Appelbaum ja...@appelbaum.net wrote:

 Griffin Boyce:
 Al,
 
 We may have to disagree as to the way forward. I hate to be
 contentious, but it seems unlikely that Tor applied a patch without
 reading firefox's changelog. Two days ago I presented a talk which
 emphasized how useful Tor is -- and I stand by that. Tor is still the
 best option for maintaining one's anonymity.
 
 
 Hi Griffin,
 
 Do you plan to release security advisories for all updates to the Linux
 kernel, GNU user space utilities and other dependencies in the commotion
 router firmware?

How is this, in any way, shape or form, relevant? Are you seriously opening up 
Commotion's bug handling in order to sort of justify this Tor situation?

Tor had forked Firefox into its own browser, which is called Tor Browser. 
Mozilla issued an advisory for Firefox the day the bug was discovered, about 
five weeks ago. Tor should have issued a similar advisory for Tor Browser and 
consequently the Tor Browser Bundle, especially considering that the Tor 
Browser Bundle is by far *the* most visible way for end-users to download and 
use Tor these days.

 
 I suppose no but perhaps I'm mistaken? Has anyone done so with new
 commotion releases? I don't see[0][1] such notes, am I missing something?
 
 It seems impractical to note every change from downstream projects.
 
 Clearly you seem to disagree but I do wonder where you draw the line?
 
 Do your projects have some example where we might see the line in
 action, so to speak?
 
 As far as I can tell, we issued a security advisory within twenty-four
 hours.

Actually, Tor issued a security advisory for Tor Browser a full 39 days after 
Mozilla did for Firefox.

 We spent more than a full day of multiple people's time working
 non-stop to understand the scope, the impact and the outcomes of this
 issue. We were already working on this task when you and another decided
 to jump up and down to let us know that we were failures by any other
 name. I'd say thanks but that isn't the word that comes to mind…

I'd say thanks but that isn't the word that comes to mind…
Dude, you're supposed to be Tor's outreach guy! Come on!

 
 The Tor Project does not triage every single Mozilla Firefox bug. We do
 try to understand which bugs are security critical. We do aim to track
 and put our energy into ensuring our browser uses the latest ESR
 releases. This generally includes lots of code fixes, security as well
 as other kinds of fixes, though we may not always fully understand every
 issue - we tend to trust Mozilla's lead on this topic. TBB requires lots
 of effort to forward port our privacy preserving patches as they are not
 in the mainline Mozilla repositories. We did this as we always do with
 TBB releases and we released patched versions of the software before we
 ever even learned of the exploit discovered this weekend that targets
 old, unpatched users:
 
 2.3.25-10 (released June 26 2013)
 2.4.15-alpha-1 (released June 26 2013)
 2.4.15-beta-1 (released July 8 2013)
 3.0alpha2 (released June 30 2013)
 
 By a general count, it was around a month ago that we released patched
 versions. We normally just note that we've bumped the included projects
 to their latest stable versions - though in the case of our latest
 alpha, we specifically said[2]:
 
 In addition to providing important security updates to Firefox and Tor,
 these release binaries should now be exactly reproducible from the
 source code by anyone.
 
 Do you think that we should include that text with every single release?
 ie: This update provides important security updates to Firefox and Tor
 or something along those lines? Shall we just put that in every single
 release note? Is that really helpful?

Actually, isn't that exactly what you've said I should do with my own project, 
Cryptocat, numerous times? It's actually really illuminating that you in fact 
are committing the exact same outreach and mitigation blunders that you keep 
criticizing other projects for.

 
 If you have a suggestion for how we might improve, I'm open to hearing
 it - though as far as I am able to tell - there isn't much to be done
 except to say security update next to firefox update in our normal
 release notes. That isn't very helpful as nearly every Firefox update in
 ESR is a security or stability related release.
 
 Please do feel free to suggest something constructive - if we have room
 for improvement, we're happy to make it!

I think your entire email is not constructive. Roger's email with the actual 
advisory was awesome. Maybe he should represent Tor on this list from now on.

NK

 
 All the best,
 Jacob
 
 [0] https://commotionwireless.net/download/openwrt
 [1]
 https://commotionwireless.net/blog/new-commotion-release-dr1-ready-testing
 [2] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Jacob Appelbaum
Nadim Kobeissi:
 
 On 2013-08-06, at 3:19 AM, Jacob Appelbaum ja...@appelbaum.net
 wrote:
 
 Griffin Boyce:
 Al,
 
 We may have to disagree as to the way forward. I hate to be 
 contentious, but it seems unlikely that Tor applied a patch
 without reading firefox's changelog. Two days ago I presented a
 talk which emphasized how useful Tor is -- and I stand by that.
 Tor is still the best option for maintaining one's anonymity.
 
 
 Hi Griffin,
 
 Do you plan to release security advisories for all updates to the
 Linux kernel, GNU user space utilities and other dependencies in the
 commotion router firmware?
 
 How is this, in any way, shape or form, relevant? Are you seriously
 opening up Commotion's bug handling in order to sort of justify this
 Tor situation?

I'm asking for the clear line. Simple enough. Firefox's advisory seems
fine to me but Griffin and you seem to suggest otherwise.

I don't see an example of this suggestion being carried out by other
projects - so either I misunderstand or we're exceptional. Either is
fine with me, or another option which I'm not aware of - I'm sure that
one of those is the case...

This has nothing to do with 'justifying' anything - it has to do with
asking for a clear example of what seems reasonable and is *already*
done by someone.

Please feel free to answer the question, we're happy to learn from an
example. Are either of you involved in such an example? Might we learn
from your example? If so, where might we see it?

 
 Tor had forked Firefox into its own browser, which is called Tor
 Browser. Mozilla issued an advisory for Firefox the day the bug was
 discovered, about five weeks ago. Tor should have issued a similar
 advisory for Tor Browser and consequently the Tor Browser Bundle,
 especially considering that the Tor Browser Bundle is by far *the*
 most visible way for end-users to download and use Tor these days.
 

I think Tails is perhaps more popular but that is a side note, I suppose.

 
 I suppose no but perhaps I'm mistaken? Has anyone done so with new 
 commotion releases? I don't see[0][1] such notes, am I missing
 something?
 
 It seems impractical to note every change from downstream
 projects.
 
 Clearly you seem to disagree but I do wonder where you draw the
 line?
 
 Do your projects have some example where we might see the line in 
 action, so to speak?
 
 As far as I can tell, we issued a security advisory within
 twenty-four hours.
 
 Actually, Tor issued a security advisory for Tor Browser a full 39
 days after Mozilla did for Firefox.
 

Mozilla issued an updated blog post in the last day or so because of us
contacting them. They clarified the specific issue around the same time
as us. Al has already pointed this out - he works at Mozilla, so I
suppose he seems to agree that we don't need to copy every advisory they
write into our release notes.

 We spent more than a full day of multiple people's time working 
 non-stop to understand the scope, the impact and the outcomes of
 this issue. We were already working on this task when you and
 another decided to jump up and down to let us know that we were
 failures by any other name. I'd say thanks but that isn't the word
 that comes to mind…
 
 I'd say thanks but that isn't the word that comes to mind… Dude,
 you're supposed to be Tor's outreach guy! Come on!
 

I've asked for specific clarity on the level of granularity, I have yet
to see a reply that addresses my question.

 
 The Tor Project does not triage every single Mozilla Firefox bug.
 We do try to understand which bugs are security critical. We do aim
 to track and put our energy into ensuring our browser uses the
 latest ESR releases. This generally includes lots of code fixes,
 security as well as other kinds of fixes, though we may not always
 fully understand every issue - we tend to trust Mozilla's lead on
 this topic. TBB requires lots of effort to forward port our privacy
 preserving patches as they are not in the mainline Mozilla
 repositories. We did this as we always do with TBB releases and we
 released patched versions of the software before we ever even
 learned of the exploit discovered this weekend that targets old,
 unpatched users:
 
 2.3.25-10 (released June 26 2013)
 2.4.15-alpha-1 (released June 26 2013)
 2.4.15-beta-1 (released July 8 2013)
 3.0alpha2 (released June 30 2013)
 
 By a general count, it was around a month ago that we released
 patched versions. We normally just note that we've bumped the
 included projects to their latest stable versions - though in the
 case of our latest alpha, we specifically said[2]:
 
 In addition to providing important security updates to Firefox and
 Tor, these release binaries should now be exactly reproducible from
 the source code by anyone.
 
 Do you think that we should include that text with every single
 release? ie: This update provides important security updates to
 Firefox and Tor or something along those lines? Shall we just put
 that in every single release 

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Nadim Kobeissi

On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com wrote:

 Nadim you seem confused by how this works. Tor doesn't need to issue 
 advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps 
 they can link to them clearly but if you want to know about security issues 
 Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. 
 There's not much point in duplicating them on a second site. Tor would be 
 better served by writing advisories for its own, unique, security fixes.

Tor doesn't need to issue advisories for Firefox issues. Tor needs to issue 
advisories for Tor Browser issues, and not five weeks later when s**t hits the 
fan.
I really don't think one can reasonably disagree with the above statement. Tor 
Browser is a Firefox fork.

NK

 
 Al
 
 -- 
 Al Billings
 http://makehacklearn.org
 
 On Tuesday, August 6, 2013 at 1:28 AM, Nadim Kobeissi wrote:
 
 
 On 2013-08-06, at 3:19 AM, Jacob Appelbaum ja...@appelbaum.net wrote:
 
 Griffin Boyce:
 Al,
 
 We may have to disagree as to the way forward. I hate to be
 contentious, but it seems unlikely that Tor applied a patch without
 reading firefox's changelog. Two days ago I presented a talk which
 emphasized how useful Tor is -- and I stand by that. Tor is still the
 best option for maintaining one's anonymity.
 
 Hi Griffin,
 
 Do you plan to release security advisories for all updates to the Linux
 kernel, GNU user space utilities and other dependencies in the commotion
 router firmware?
 
 How is this, in any way, shape or form, relevant? Are you seriously opening 
 up Commotion's bug handling in order to sort of justify this Tor situation?
 
 Tor had forked Firefox into its own browser, which is called Tor Browser. 
 Mozilla issued an advisory for Firefox the day the bug was discovered, about 
 five weeks ago. Tor should have issued a similar advisory for Tor Browser 
 and consequently the Tor Browser Bundle, especially considering that the Tor 
 Browser Bundle is by far *the* most visible way for end-users to download 
 and use Tor these days.
 
 
 I suppose no but perhaps I'm mistaken? Has anyone done so with new
 commotion releases? I don't see[0][1] such notes, am I missing something?
 
 It seems impractical to note every change from downstream projects.
 
 Clearly you seem to disagree but I do wonder where you draw the line?
 
 Do your projects have some example where we might see the line in
 action, so to speak?
 
 As far as I can tell, we issued a security advisory within twenty-four
 hours.
 
 Actually, Tor issued a security advisory for Tor Browser a full 39 days 
 after Mozilla did for Firefox.
 
 We spent more than a full day of multiple people's time working
 non-stop to understand the scope, the impact and the outcomes of this
 issue. We were already working on this task when you and another decided
 to jump up and down to let us know that we were failures by any other
 name. I'd say thanks but that isn't the word that comes to mind…
 
 I'd say thanks but that isn't the word that comes to mind…
 Dude, you're supposed to be Tor's outreach guy! Come on!
 
 
 The Tor Project does not triage every single Mozilla Firefox bug. We do
 try to understand which bugs are security critical. We do aim to track
 and put our energy into ensuring our browser uses the latest ESR
 releases. This generally includes lots of code fixes, security as well
 as other kinds of fixes, though we may not always fully understand every
 issue - we tend to trust Mozilla's lead on this topic. TBB requires lots
 of effort to forward port our privacy preserving patches as they are not
 in the mainline Mozilla repositories. We did this as we always do with
 TBB releases and we released patched versions of the software before we
 ever even learned of the exploit discovered this weekend that targets
 old, unpatched users:
 
 2.3.25-10 (released June 26 2013)
 2.4.15-alpha-1 (released June 26 2013)
 2.4.15-beta-1 (released July 8 2013)
 3.0alpha2 (released June 30 2013)
 
 By a general count, it was around a month ago that we released patched
 versions. We normally just note that we've bumped the included projects
 to their latest stable versions - though in the case of our latest
 alpha, we specifically said[2]:
 
 In addition to providing important security updates to Firefox and Tor,
 these release binaries should now be exactly reproducible from the
 source code by anyone.
 
 Do you think that we should include that text with every single release?
 ie: This update provides important security updates to Firefox and Tor
 or something along those lines? Shall we just put that in every single
 release note? Is that really helpful?
 
 Actually, isn't that exactly what you've said I should do with my own 
 project, Cryptocat, numerous times? It's actually really illuminating that 
 you in fact are committing the exact same outreach and mitigation blunders 
 that you keep criticizing other projects for.
 
 
 If you have a 

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Maxim Kammerer
On Tue, Aug 6, 2013 at 12:30 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

 Please feel free to answer the question, we're happy to learn from an
 example. Are either of you involved in such an example? Might we learn
 from your example? If so, where might we see it?


Tails references upstream advisories, or at least did so in the past.
https://tails.boum.org/security/Numerous_security_holes_in_0.18/

I actually think they are going overboard with those, but it's an example.

The whole situation is pretty funny, by the way, since Mike Perry (TBB dev)
was accused of maintaining Freedom Hosting by those OpDarknet clowns two
years ago:
http://pastebin.com/qWHDWCre

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Jacob Appelbaum
Nadim Kobeissi:
 
 On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com
 wrote:
 
 Nadim you seem confused by how this works. Tor doesn't need to
 issue advisories for Firefox issues. We, at Mozilla, already issue
 them. Perhaps they can link to them clearly but if you want to know
 about security issues Mozilla fixes in Firefox, you're best served
 by reading Mozilla advisories. There's not much point in
 duplicating them on a second site. Tor would be better served by
 writing advisories for its own, unique, security fixes.
 
 Tor doesn't need to issue advisories for Firefox issues. Tor needs to
 issue advisories for Tor Browser issues, and not five weeks later
 when s**t hits the fan. I really don't think one can reasonably
 disagree with the above statement. Tor Browser is a Firefox fork.

Should we issue a single advisory for each possible security issue that
Firefox has already noted in their change log? Each confirmed security
issue? Should we ask for a second CVE to cover each CVE they receive?

Your point is unclear in practice. Please do spell it out and if
possible, please demonstrate how you do so in your own projects?

All the best,
Jacob


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Nadim Kobeissi

On 2013-08-06, at 12:55 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

 Nadim Kobeissi:
 
 On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com
 wrote:
 
 Nadim you seem confused by how this works. Tor doesn't need to
 issue advisories for Firefox issues. We, at Mozilla, already issue
 them. Perhaps they can link to them clearly but if you want to know
 about security issues Mozilla fixes in Firefox, you're best served
 by reading Mozilla advisories. There's not much point in
 duplicating them on a second site. Tor would be better served by
 writing advisories for its own, unique, security fixes.
 
 Tor doesn't need to issue advisories for Firefox issues. Tor needs to
 issue advisories for Tor Browser issues, and not five weeks later
 when s**t hits the fan. I really don't think one can reasonably
 disagree with the above statement. Tor Browser is a Firefox fork.
 
 Should we issue a single advisory for each possible security issue that
 Firefox has already noted in their change log? Each confirmed security
 issue? Should we ask for a second CVE to cover each CVE they receive?

What's the alternative, Jake? Wait until the NSA exploits an innumerable amount 
of Tor users and then quickly write an advisory for a bug that was quietly 
fixed without a warning from Tor five weeks but still exploited? Because that 
is exactly what happened this time. Tor can just go on doing this again and 
again, or yes, you could issue advisories. You are maintaining your own browser 
called Tor Browser. Stop shifting blame onto Firefox. You're the guy who told 
me to never shift blame when you have a security vulnerability in the software 
you yourself are shipping. Practice what you preach.

I sound harsh, sure, but at least I'm being productive and not freaking out 
about my ego.

NK

 
 Your point is unclear in practice. Please do spell it out and if
 possible, please demonstrate how you do so in your own projects?
 
 All the best,
 Jacob

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Jacob Appelbaum
Maxim Kammerer:
 On Tue, Aug 6, 2013 at 12:30 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
 
 Please feel free to answer the question, we're happy to learn from an
 example. Are either of you involved in such an example? Might we learn
 from your example? If so, where might we see it?

 
 Tails references upstream advisories, or at least did so in the past.
 https://tails.boum.org/security/Numerous_security_holes_in_0.18/
 

I agree - Tails does a pretty good job of referencing upstream but they
don't email out an advisory for each issue in each upstream project. Nor
do they do a specific analysis of each bug spending many days of people
time per bug. Somewhere there is a line and clearly, we failed to meet
the high standards of a few folks on this list. I'm mostly curious if
that high standard will be expressed in a cohesive manner where we might
learn from it.

 I actually think they are going overboard with those, but it's an example.
 

Where do you draw the line? I guess with release notes that bump
versions, mention that users should upgrade and so on?

I tend to like the Tails way of doing things - I have advocated for a
little more linkage to security advisories. Still, I think it is not as
critical as a secure updater or packaging TBB for various packaging
systems. We're understaffed, so we tend to pick the few things we might
accomplish and writing such advisory emails is weird unless there is an
exceptional event. Firefox bugs and corresponding updates are not
exceptional events. :(

Also, I'll note even Tails doesn't reference sub-modules of the specific
projects - they are just linking to DSA and related pages.

 The whole situation is pretty funny, by the way, since Mike Perry (TBB dev)
 was accused of maintaining Freedom Hosting by those OpDarknet clowns two
 years ago:
 http://pastebin.com/qWHDWCre

It is awful for Mike and I can't even begin to find it funny in the
least. Though I'll take your point that it is rich with awful irony.

All the best,
Jacob


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Jacob Appelbaum
Nadim Kobeissi:
 
 On 2013-08-06, at 12:55 PM, Jacob Appelbaum ja...@appelbaum.net
 wrote:
 
 Nadim Kobeissi:
 
 On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com 
 wrote:
 
 Nadim you seem confused by how this works. Tor doesn't need to 
 issue advisories for Firefox issues. We, at Mozilla, already
 issue them. Perhaps they can link to them clearly but if you
 want to know about security issues Mozilla fixes in Firefox,
 you're best served by reading Mozilla advisories. There's not
 much point in duplicating them on a second site. Tor would be
 better served by writing advisories for its own, unique,
 security fixes.
 
 Tor doesn't need to issue advisories for Firefox issues. Tor
 needs to issue advisories for Tor Browser issues, and not five
 weeks later when s**t hits the fan. I really don't think one can
 reasonably disagree with the above statement. Tor Browser is a
 Firefox fork.
 
 Should we issue a single advisory for each possible security issue
 that Firefox has already noted in their change log? Each confirmed
 security issue? Should we ask for a second CVE to cover each CVE
 they receive?
 
 What's the alternative, Jake? 

That was a list of choices and you didn't choose one. Please choose one
or more - though not all of them make sense when put together. It was a
question and well, your answer isn't much of an answer.

 Wait until the NSA exploits an
 innumerable amount of Tor users and then quickly write an advisory
 for a bug that was quietly fixed without a warning from Tor five
 weeks but still exploited?

This is not accurate. We heard about attempts at exploitation and within
~24hrs we released an advisory - we had already released fixed code a
~month before exploitation was found in the wild. Please do not mix up
the time-line. To restate:


2.3.25-10 (released June 26 2013)
2.4.15-alpha-1 (released June 26 2013)
2.4.15-beta-1 (released July 8 2013)
3.0alpha2 (released June 30 2013)


The exploit was found in the wild on last weekend, I learned about it on
or around August 4th. Please note that our patched versions were
released nearly a month before this was found in the wild. There is no
reason to support the conclusion that we silently fixed anything in
response to an exploit. Please consider that your statement is entirely
unsupported by evidence, Nadim.

  Because that is exactly what happened this
 time. Tor can just go on doing this again and again, or yes, you
 could issue advisories. You are maintaining your own browser called
 Tor Browser. Stop shifting blame onto Firefox. You're the guy who
 told me to never shift blame when you have a security vulnerability
 in the software you yourself are shipping. Practice what you preach.
 

Your assessment of this situation is incorrect.

We regularly release updates that include updates to included code and
often, we make note of the fact that the upstream code has security
fixes included. There is no blame shifting, only a question of how to
best share that information in a way that users will understand. I have
asked repeatedly for examples and for details of how to improve things -
you seem only interested in slinging mud. Perhaps this isn't the most
useful way forward?

 I sound harsh, sure, but at least I'm being productive and not
 freaking out about my ego.

I don't think you are being productive at this point in the
conversation. You are correct and I agree with you - you are harsh -
I'll extend this commentary: it reflects poorly on you(r ego) and very
little is gained by such behavior.

All the best,
Jacob


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Maxim Kammerer
On Tue, Aug 6, 2013 at 1:07 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

 Somewhere there is a line and clearly, we failed to meet
 the high standards of a few folks on this list. I'm mostly curious if
 that high standard will be expressed in a cohesive manner where we might
 learn from it.


Well, in the end, it's all done for the users. Keeping software up-to-date
is easier than following advisories, even more so if there is an
auto-update functionality. So I don't understand the big deal about not
reissuing advisories for upstream projects, which takes a lot of time for
dubious effect.

Although the point becomes moot once you are talking about libraries that
are not directly used, unlike major Firefox-level applications. E.g.:
https://blog.torproject.org/blog/new-openssl-vulnerability-tor-not-affected

 http://pastebin.com/qWHDWCre

 It is awful for Mike and I can't even begin to find it funny in the
 least. Though I'll take your point that it is rich with awful irony.


I don't think anyone took those guys seriously back then (or anyone whose
opinion matters, at least).

-- 
Maxim Kammerer
Liberté Linux: http://dee.su/liberte

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Asa Rossoff
Jacob Appelbaum:
 Nadim Kobeissi:
 
 On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com
 wrote:
 
 Nadim you seem confused by how this works. Tor doesn't need to
 issue advisories for Firefox issues. We, at Mozilla, already issue
 them. Perhaps they can link to them clearly but if you want to know
 about security issues Mozilla fixes in Firefox, you're best served
 by reading Mozilla advisories. There's not much point in
 duplicating them on a second site. Tor would be better served by
 writing advisories for its own, unique, security fixes.
 
 Tor doesn't need to issue advisories for Firefox issues. Tor needs to
 issue advisories for Tor Browser issues, and not five weeks later
 when s**t hits the fan. I really don't think one can reasonably
 disagree with the above statement. Tor Browser is a Firefox fork.

 Should we issue a single advisory for each possible security issue that
 Firefox has already noted in their change log? Each confirmed security
 issue? Should we ask for a second CVE to cover each CVE they receive?

 Your point is unclear in practice. Please do spell it out and if
 possible, please demonstrate how you do so in your own projects?

Just a couple friendly concepts.
Your message wasn't addressed to me.  By the way, it didn't occur to me to
blame the Tor Project.

I don't know about every average Josephine, Josue, and Tsu, Anu, etc. on the
streets of the world, but it is obvious to me from my user standpoint that
the TBB is a patched version of Firefox (admittedly, one has to dig a bit to
determine which version of the underlying Firefox it is based on, which I
wouldn't expect the average user to do or know).  The average user of
neither software likely sees or reads security advisories, although I
think they happily allow the latest versions of Firefox to automatically
update themselves.


TBB users are at special risk of being targeted for spying (according to
recent news reports), hacking/exploits (as is the case in this instance),
and this may be increasingly true in the future.

Oops. I'm a slow typist (just getting up):

From Jacob Appelbaum's next mail to a mail:
 I tend to like the Tails way of doing things - I have advocated for a
 little more linkage to security advisories. Still, I think it is not as
 critical as a secure updater or packaging TBB for various packaging
 systems. We're understaffed, so we tend to pick the few things we might
 accomplish and writing such advisory emails is weird unless there is an
 exceptional event. Firefox bugs and corresponding updates are not
 exceptional events. :(
 
 Also, I'll note even Tails doesn't reference sub-modules of the specific
 projects - they are just linking to DSA and related pages.

The point I was getting to is that several parallel strategies come to
mind:
(1) It would not be a bad idea to post applicable Firefox-issued security
advisories to one of your lists
(2) Even have an RSS feed of them available through the TBB, as well as RSS
of TBB releases, and what security issues are covered including one advised
by Firefox.  This could notify of stable, alpha and beta releases, so
everyone knows when security updates are available, possibly at the cost of
stability.
(3) When you get an update mechanism going, for stability reasons, you
probably want it to automatically only update to stable or beta releases[?].
However, you could have a parallel release schedule to get these upstream
patches out ASAP.   I realize labor is involved here; but if at all
possible, updating your last stable patch to work with the latest Firefox
release ASAP and releasing it as a stable/beta while continuing development
on a more major/feature-related update that will start as an alpha release
when ready. (possibly backporting some TBB-only-security fixes only to your
last patch when it makes sense).

Obviously, this is free software, and you must work within the constraints of
your resources.  The frequent security updates would have the most tangible
benefit for most users, but it would be a decent user service to notify of
security issues that apply/could apply to the TBB as well.

Thanks for your invaluable work.

Asa

--
Liberationtech list is public and archives are searchable on Google. Too many 
emails? Unsubscribe, change to digest, or change password by emailing moderator 
at compa...@stanford.edu or changing your settings at 
https://mailman.stanford.edu/mailman/listinfo/liberationtech


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Jacob Appelbaum
Maxim Kammerer:
 On Tue, Aug 6, 2013 at 1:07 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
 
 Somewhere there is a line and clearly, we failed to meet
 the high standards of a few folks on this list. I'm mostly curious if
 that high standard will be expressed in a cohesive manner where we might
 learn from it.

 
 Well, in the end, it's all done for the users. Keeping software up-to-date
 is easier than following advisories, even more so if there is an
 auto-update functionality. So I don't understand the big deal about not
 reissuing advisories for upstream projects, which takes a lot of time for
 dubious effect.

I tend to agree.

 
 Although the point becomes moot once you are talking about libraries that
 are not directly used, unlike major Firefox-level applications. E.g.:
 https://blog.torproject.org/blog/new-openssl-vulnerability-tor-not-affected
 

We wrote that because people asked us about those specific OpenSSL
issues, if I remember correctly...

 http://pastebin.com/qWHDWCre

 It is awful for Mike and I can't even begin to find it funny in the
 least. Though I'll take your point that it is rich with awful irony.

 
 I don't think anyone took those guys seriously back then (or anyone whose
 opinion matters, at least).
 

Sadly, Mike took their harassment seriously. It was awful.

All the best,
Jacob


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Jacob Appelbaum
Asa Rossoff:
 Jacob Appelbaum:
 Nadim Kobeissi:

 On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com
 wrote:

 Nadim you seem confused by how this works. Tor doesn't need to
 issue advisories for Firefox issues. We, at Mozilla, already issue
 them. Perhaps they can link to them clearly but if you want to know
 about security issues Mozilla fixes in Firefox, you're best served
 by reading Mozilla advisories. There's not much point in
 duplicating them on a second site. Tor would be better served by
 writing advisories for its own, unique, security fixes.

 Tor doesn't need to issue advisories for Firefox issues. Tor needs to
 issue advisories for Tor Browser issues, and not five weeks later
 when s**t hits the fan. I really don't think one can reasonably
 disagree with the above statement. Tor Browser is a Firefox fork.

 Should we issue a single advisory for each possible security issue that
 Firefox has already noted in their change log? Each confirmed security
 issue? Should we ask for a second CVE to cover each CVE they receive?

 Your point is unclear in practice. Please do spell it out and if
 possible, please demonstrate how you do so in your own projects?
 
 Just a couple friendly concepts.
 Your message wasn't addressed to me.  By the way, it didn't occur to me to
 blame the Tor Project.

Thanks for your response!

 
 I don't know about every average Josphine, Josue, and Tsu, Anu, etc. on the
 streets of the world, but it is obvious to me from my user standpoint that
 the TBB is a patched version of Firefox (admittedly, one has to dig a bit to
 determine which version of the underlying Firefox it is based on, which I
 wouldn't expect the average user to do or know.).  The average user of
 neither software likely doesn't see or read security advisories, although I
 think they happily allow the latest versions of Firefox to automatically
 update themselves.
 

Understood.

 
 TBB users are at special risk of being targeted for spying (according to
 recent news reports), hacking/exploits (as is the case in this instance),
 and this may be increasingly true in the future.
 

Probably, yes. I think that is a fair assessment - though it applies to
anyone who uses privacy, security and anonymity software, I think.

 Oops. I'm a slow typist (just getting up):
 
From Jacob Appelbaum's next mail to a mail:
 I tend to like the Tails way of doing things - I have advocated for a
 little more linkage to security advisories. Still, I think it is not as
 critical as a secure updater or packaging TBB for various packaging
 systems. We're understaffed, so we tend to pick the few things we might
 accomplish and writing such advisory emails is weird unless there is an
 exceptional event. Firefox bugs and corresponding updates are not
 exceptional events. :(

 Also, I'll note even Tails doesn't reference sub-modules of the specific
 projects - they are just linking to DSA and related pages.
 
 The point I was getting to is that several parallel strategies come to
 mind:
 (1) It would not be a bad idea to post applicable Firefox-issued security
 advisories to one of your lists

Part of the issue - from my perspective - is that 'applicable' is a bit
nebulous. Nearly every bug *might* turn into an anonymity destroying bug
with some engineering effort.

 (2) Even have an RSS feed of them available through the TBB, as well as RSS
 of TBB releases, and what security issues are covered including one advised
 by Firefox.  This could notify of stable, alpha and beta releases, so
 everyone knows when security updates are available, possibly at the cost of
 stability.

I like this idea - though I wonder how users would feel about it? Will
they read it? Should it be our own RSS feed or an RSS feed of Mozilla's
data?

 (3) When you get an update mechanism going, for stability reasons, you
 probably want it to automatically only update to stable or beta releases[?].

I tend to prefer 'secure' update over 'automatic' update.

 However, you could have a parallel release schedule to get these upstream
 patches out ASAP.   I realize labor is involved here; but if at all
 possible, updating your last stable patch to work with the latest Firefox
 release ASAP and releasing it as a stable/beta while continuing development
 on a more major/feature-related update that will start as an alpha release
 when ready. (possibly backporting some TBB-only-security fixes only to your
 last patch when it makes sense).

Sure, that seems reasonable.

 
 Obviously, this is free software, and you must work within the constraints of
 your resources.  The frequent security updates would have the most tangible
 benefit for most users, but it would be a decent user service to notify of
 security issues that apply/could apply to the TBB as well.
 

I think there is a balance here and I think adding more specific data to
release notes is a reasonable improvement. I also think an RSS feed is a
really good idea, thanks for that! I'll pass it on to those 

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Nadim Kobeissi
On 2013-08-06, at 1:23 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

 Nadim Kobeissi:
 
 On 2013-08-06, at 12:55 PM, Jacob Appelbaum ja...@appelbaum.net
 wrote:
 
 Nadim Kobeissi:
 
 On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com 
 wrote:
 
 Nadim you seem confused by how this works. Tor doesn't need to 
 issue advisories for Firefox issues. We, at Mozilla, already
 issue them. Perhaps they can link to them clearly but if you
 want to know about security issues Mozilla fixes in Firefox,
 you're best served by reading Mozilla advisories. There's not
 much point in duplicating them on a second site. Tor would be
 better served by writing advisories for its own, unique,
 security fixes.
 
 Tor doesn't need to issue advisories for Firefox issues. Tor
 needs to issue advisories for Tor Browser issues, and not five
 weeks later when s**t hits the fan. I really don't think one can
 reasonably disagree with the above statement. Tor Browser is a
 Firefox fork.
 
 Should we issue a single advisory for each possible security issue
 that Firefox has already noted in their change log? Each confirmed
 security issue? Should we ask for a second CVE to cover each CVE
 they receive?
 
 What's the alternative, Jake? 
 
 That was a list of choices and you didn't choose one. Please choose one
 or more - though not all of them make sense when put together. It was a
 question and well, your answer isn't much of an answer.

Yes, to be absolutely clear, I think Tor should issue advisories for confirmed 
security issues in Tor Browser, since Tor Browser is a fork of Firefox and is 
independently maintained. This is exactly what Tor did this time, except next 
time you shouldn't wait five weeks for the situation to explode.

 
 Wait until the NSA exploits an
 innumerable amount of Tor users and then quickly write an advisory
 for a bug that was quietly fixed without a warning from Tor five
 weeks but still exploited?
 
 This is not accurate. We heard about attempts at exploitation and within
 ~24hrs we released an advisory - we had already released fixed code a
 ~month before exploitation was found in the wild. Please do not mix up
 the time-line. To restate:
 
 
 2.3.25-10 (released June 26 2013)
 2.4.15-alpha-1 (released June 26 2013)
 2.4.15-beta-1 (released July 8 2013)
 3.0alpha2 (released June 30 2013)
 
 
 The exploit was found in the wild on last weekend, I learned about it on
 or around August 4th. Please note that our patched versions were
 released nearly a month before this was found in the wild. There is no
 reason to support the conclusion that we silently fixed anything in
 response to an exploit. Please consider that your statement is entirely
 unsupported by evidence, Nadim.

I could be mistaken. Where's the advisory that was issued the day after, that 
mentions that a critical Tor Browser vulnerability was fixed?

 
 Because that is exactly what happened this
 time. Tor can just go on doing this again and again, or yes, you
 could issue advisories. You are maintaining your own browser called
 Tor Browser. Stop shifting blame onto Firefox. You're the guy who
 told me to never shift blame when you have a security vulnerability
 in the software you yourself are shipping. Practice what you preach.
 
 
 Your assessment of this situation is incorrect.
 
 We regularly release updates that include updates to included code and
 often, we make note of the fact that the upstream code has security
 fixes included. There is no blame shifting, only a question of how to
 best share that information in a way that users will understand. I have
 asked repeatedly for examples and for details of how to improve things -
 you seem only interested in slinging mud. Perhaps this isn't the most
 useful way forward?

How am I only interested in slinging mud?! How are you even allowed to adopt a 
tone like this while doing your job as an advocate for Tor? I'm simply trying 
to advocate for Tor not waiting five weeks before releasing an advisory next 
time! Comments like this are really just not acceptable, Jake.

NK

 
 I sound harsh, sure, but at least I'm being productive and not
 freaking out about my ego.
 
 I don't think you are being productive at this point in the
 conversation. You are correct and I agree with you - you are harsh -
 I'll extend this commentary: it reflects poorly on you(r ego) and very
 little is gained by such behavior.
 
 All the best,
 Jacob

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread intrigeri
Hi,

Maxim Kammerer wrote (06 Aug 2013 09:52:36 GMT) :
 Tails references upstream advisories, or at least did so in the past.
 https://tails.boum.org/security/Numerous_security_holes_in_0.18/

Right, and we have no plan to stop doing this. What we've been doing
for years when releasing a new Tails that fixes security issues (that
is, basically every single one we've put out) is:

 1. Users are told your version of Tails has known security issue on
startup if needed; this one has a link to a security announce like
the one Maxim pointed to.

 2. We issue a release announcement, such as
https://tails.boum.org/news/version_0.19/, that starts with All
users must upgrade as soon as possible, but doesn't point to the
corresponding security advisory. After reading this thread,
I wonder if we should perhaps change this, and have this sentence
link to the security advisory.

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread konfkukor
 Jacob Appelbaum:
 I like this idea - though I wonder how users would feel about it? Will
 they read it? Should it be our own RSS feed or an RSS feed of Mozilla's
 data?

I don't like the idea. You need to worry about the upgrading behavior of
casual users of TBB, who aren't going to bother to read advisories.
Republishing advisories takes a lot of your valuable time. Added to that,
every fucking tiny crash-bug in Firefox may grow to a full-blown exploit
like we've seen.

The people that do read the advisories, can find them at the Firefox ESR
advisory page
(https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html).
I do think you might want to bother to link to that list of
vulnerabilities when releasing a new version of TBB with an
security-updated Firefox. I also like the approach of the TAILS project.
They just start every single release announcement with 'Numerous security
bugs found in TAILS X.XX', which makes it crystal clear for the average
user they need to upgrade. Every time.

Also: please make separate blog posts for regular and alpha releases. It's
been confusing before. Make sure the regular release sits on top on the
blog listing.

Let me propose the announcement of June 26th as I would've
(retrospectively) liked to see it:

Subject: Security release. New Tor Browser Bundles.

Body: All of the Tor Browser Bundles have been updated with the new
Firefox 17.0.7esr. This includes fixes to
<a href="https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html">8
vulnerabilities</a>, of which 4 have critical impact, and 4 have high
impact. We <b>strongly</b> urge you to update to the latest version of the
Tor Browser Bundle (2.3.25-10) as soon as possible.

[continue with download-easy link and list of updates]

 Nadim Kobeissi:
 How am I only interested in slinging mud?! How are you even allowed to
 adopt a tone like this while doing your job as an advocate for Tor? I'm
 simply trying to advocate for Tor not waiting five weeks before releasing
 an advisory next time! Comments like this are really just not acceptable,
 Jake.

Nadim, you need to calm the fuck down. Take a deep breath, re-read your
own emails, and consider whether you need to apologize for your
unproductive stampede.



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Jacob Appelbaum
Joseph Lorenzo Hall:
 
 On 8/6/13 6:41 AM, Jacob Appelbaum wrote:
 (2) Even have an RSS feed of them available through the TBB, as well as RSS
 of TBB releases, and what security issues are covered including one advised
 by Firefox.  This could notify of stable, alpha and beta releases, so
 everyone knows when security updates are available, possibly at the cost of
 stability.

 I like this idea - though I wonder how users would feel about it? Will
 they read it? Should it be our own RSS feed or an RSS feed of Mozilla's
 data?
 
 Not sure if this is practical but the TBB splash screen could give some
 notion of the implications of using an old specific TBB... e.g., with
 the version check return one or more critical vulns that have been
 patched, to warn the user and encourage immediate update?

We do have an update indicator - soon, we'll have an updater as well, I
think. We had a few discussions about it at the TorDev meeting in Munich
last month.

 
 Frankly, I'm not sure this is solving a problem Tor/TBB has, but it
 strikes me that a warning along the lines of the following for old TBB
 would not be bad: Holy shit, this TBB is from 12 months ago! You're
 crazy to use such an outdated version. Please update!
 

We do put a fairly large message on the splash page. We could probably
improve the warning page based on elapsed time - currently it is just
one page locally stored, I think.

All the best,
Jacob


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Jacob Appelbaum
Nadim Kobeissi:
 On 2013-08-06, at 1:23 PM, Jacob Appelbaum ja...@appelbaum.net
 wrote:
 
 Nadim Kobeissi:
 
 On 2013-08-06, at 12:55 PM, Jacob Appelbaum
 ja...@appelbaum.net wrote:
 
 Nadim Kobeissi:
 
 On 2013-08-06, at 11:46 AM, Al Billings
 alb...@openbuddha.com wrote:
 
 Nadim you seem confused by how this works. Tor doesn't need
 to issue advisories for Firefox issues. We, at Mozilla,
 already issue them. Perhaps they can link to them clearly
 but if you want to know about security issues Mozilla fixes
 in Firefox, you're best served by reading Mozilla
 advisories. There's not much point in duplicating them on a
 second site. Tor would be better served by writing
 advisories for its own, unique, security fixes.
 
 Tor doesn't need to issue advisories for Firefox issues. Tor 
 needs to issue advisories for Tor Browser issues, and not
 five weeks later when s**t hits the fan. I really don't think
 one can reasonably disagree with the above statement. Tor
 Browser is a Firefox fork.
 
 Should we issue a single advisory for each possible security
 issue that Firefox has already noted in their change log? Each
 confirmed security issue? Should we ask for a second CVE to
 cover each CVE they receive?
 
 What's the alternative, Jake?
 
 That was a list of choices and you didn't choose one. Please choose
 one or more - though not all of them make sense when put together.
 It was a question and well, your answer isn't much of an answer.
 
 Yes, to be absolutely clear, I think Tor should issue advisories for
 confirmed security issues in Tor Browser, since Tor Browser is a fork
 of Firefox and is independently maintained. This is exactly what Tor
 did this time, except next time you shouldn't wait five weeks for the
 situation to explode.
 

This is where the confusion comes into play, I think. Please note the
advisory we released this week:


https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html

We specifically address the one thing we *know* that is being exploited
and we note that there are other issues, though we don't go into depth
as upgrading is the only path forward.

Now note the Mozilla security issues for the Firefox ESR releases:

  https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

You're on the one hand saying that we did the right thing and on the
other, you're saying that we should issue an advisory for *confirmed*
security issues. Mozilla confirmed a handful. Doesn't that imply that
our advisory should have covered every thing Firefox fixed between
versions? And if so, should we note everything, even if it doesn't
*appear* to be a security issue? Just in case?

Now on the one hand, you're saying we waited five weeks - when in fact
we didn't, we released an advisory within a day of discovering that TBB
was being targeted, which is different from Firefox generally I might
add. We did also note with the release of 3.0alpha2 that it included
security and stability fixes as we often do when we bump Firefox.

So clearly between hey, upgrade and exploit discovered there is a
middle ground. I'm confused by the middle ground you have chosen. It
doesn't seem that we should wait until exploits are in the wild to note
the security features of new releases (which we didn't, but we didn't
issue an advisory for every Firefox issue), and yet, if an exploit is
discovered, we should post an advisory that specifically addresses what
we know about it, no?

 
 Wait until the NSA exploits an innumerable amount of Tor users
 and then quickly write an advisory for a bug that was quietly
 fixed without a warning from Tor five weeks but still exploited?
 
 This is not accurate. We heard about attempts at exploitation and
 within ~24hrs we released an advisory - we had already released
 fixed code a ~month before exploitation was found in the wild.
 Please do not mix up the time-line. To restate:
 
 
 2.3.25-10 (released June 26 2013)
 2.4.15-alpha-1 (released June 26 2013)
 2.4.15-beta-1 (released July 8 2013)
 3.0alpha2 (released June 30 2013)
 
 
 The exploit was found in the wild on last weekend, I learned about
 it on or around August 4th. Please note that our patched versions
 were released nearly a month before this was found in the wild.
 There is no reason to support the conclusion that we silently
 fixed anything in response to an exploit. Please consider that your
 statement is entirely unsupported by evidence, Nadim.
 
 I could be mistaken. Where's the advisory that was issued the day
 after, that mentions that a critical Tor Browser vulnerability was
 fixed?
 

Once we triaged the bug with Mozilla - both Tor and Mozilla posted updates:


https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/


https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable

We even posted a blog before we had all the details:


https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting

We also 

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Jacob Appelbaum
intrigeri:
 Hi,
 
 Maxim Kammerer wrote (06 Aug 2013 09:52:36 GMT) :
 Tails references upstream advisories, or at least did so in the past.
 https://tails.boum.org/security/Numerous_security_holes_in_0.18/
 
 Right, and we have no plan to stop doing this. What we've been doing
 for years when releasing a new Tails that fixes security issues (that
 is, basically every single one we've put out) is:
 
  1. Users are told your version of Tails has known security issue on
 startup if needed; this one has a link to a security announce like
 the one Maxim pointed to.
 

Seems reasonable.

  2. We issue a release announcement, such as
 https://tails.boum.org/news/version_0.19/, that starts with All
 users must upgrade as soon as possible, but doesn't point to the
 corresponding security advisory. After reading this thread,
 I wonder if we should perhaps change this, and have this sentence
 link to the security advisory.

I tend to think that cross linking is a good idea.

All the best,
Jacob


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Jacob Appelbaum
konfku...@riseup.net:
 Jacob Appelbaum:
 I like this idea - though I wonder how users would feel about it? Will
 they read it? Should it be our own RSS feed or an RSS feed of Mozilla's
 data?
 
 I don't like the idea. You need to worry about the upgrading behavior of
 casual users of TBB, who aren't going to bother to read advisories.
 Republishing advisories takes a lot of your valuable time. Added to that,
 every fucking tiny crash-bug in Firefox may grow to a full-blown exploit
 like we've seen.
 

I tend to agree with this problem - almost any little bug can turn into
an anonymity or security issue. :(

 The people that do read the advisories, can find them at the Firefox ESR
 advisory page
 (https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html).
 I do think you might want to bother to link to that list of
 vulnerabilities when releasing a new version of TBB with an
 security-updated Firefox. I also like the approach of the TAILS project.
 They just start every single release announcement with 'Numerous security
 bugs found in TAILS X.XX', which makes it crystal clear for the average
 user they need to upgrade. Every time.

I think linking to
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
is a good idea. I've emailed some people about it - I think it should go
into the ChangeLog.

 Also: please make separate blog posts for regular and alpha releases. It's
 been confusing before. Make sure the regular release sits on top on the
 blog listing.

Good idea.

 
 Let me propose the announcement of June 26th as I would've
 (retrospectively) liked to see it:
 
 Subject: Security release. New Tor Browser Bundles.
 
 Body: All of the Tor Browser Bundles have been updated with the new
 Firefox 17.0.7esr. This includes fixes to
 <a href="https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html">8
 vulnerabilities</a>, of which 4 have critical impact, and 4 have high
 impact. We <b>strongly</b> urge you to update to the latest version of the
 Tor Browser Bundle (2.3.25-10) as soon as possible.
 
 [continue with download-easy link and list of updates]

Sounds very reasonable.

 
 Nadim Kobeissi:
 How am I only interested in slinging mud?! How are you even allowed to
 adopt a tone like this while doing your job as an advocate for Tor? I'm
 simply trying to advocate for Tor not waiting five weeks before releasing
 an advisory next time! Comments like this are really just not acceptable,
 Jake.
 
 Nadim, you need to calm the fuck down. Take a deep breath, re-read your
 own emails, and consider whether you need to apologize for your
 unproductive stampede.
 

Our interactions don't need to be so stressful. Perhaps we'll all be
calmer in the future...

All the best,
Jacob


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Pavol Luptak
But, this is the Firefox / Tor Browser Bundle exploit.

The question is how FBI gained access to Freedom Hosting? What kind of 
exploits did they use?

Pavol

On Mon, Aug 05, 2013 at 09:08:49PM -0500, Kyle Maxwell wrote:
 According to THN[0] and several linked supporting sites from there
 (particularly notable are analyses from Kenneth Buckler[1] and Vlad
 Tsyrklevich[2]), the payload delivered the MAC address and Windows
 hostname to 65.222.202.54[3]. I've read in public sources that that
 address is assigned to SAIC but I have not seen any hard data on that.
 
 [0]: 
 http://thehackernews.com/2013/08/Firefox-Exploit-Tor-Network-child-pornography-Freedom-Hosting.html
 [1]: 
 https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/
 [2]: http://tsyrklevich.net/tbb_payload.txt
 
 On Mon, Aug 5, 2013 at 8:22 PM,  liberationt...@lewman.us wrote:
  On Mon, Aug 05, 2013 at 06:18:02PM -0400, r...@privacymaverick.com wrote 
  0.6K bytes in 0 lines about:
  : Does anybody have any indication on how the alleged operator of
  : Freedom Hosting was identified. Everybody seems to be focusing on
  : the javascript exploit but from what I've read, it appears that was
  : placed on the server after the alleged operator was taken down and
  : the operation compromised, or is my timing off?
 
  This is far more interesting to me than anything else. I've been
  wondering the same thing.
 
 --
 @kylemaxwell

-- 
__
[Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Al Billings
In fact, I wrote the advisory in question and generally write all of them (with 
input from Mozilla developers and other security team members). 

Al 

-- 
Al Billings
http://makehacklearn.org


On Tuesday, August 6, 2013 at 2:30 AM, Jacob Appelbaum wrote:

 Mozilla issued an updated blog post in the last day or so because of us
 contacting them. They clarified the specific issue around the same time
 as us. Al has already pointed this out - he works at Mozilla, so I
 suppose he seems to agree that we don't need to copy every advisory they
 write into our release notes.



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Al Billings
Except this issue was a Firefox issue, fixed in ESR 17.0.7 and which we had 
posted an advisory for six weeks ago today. So, yes, you're asking Tor to copy 
and paste Firefox advisories. The issue wasn't a Tor-specific issue except that 
the way it was being spread targeted the TBB. It was a Firefox security issue, 
fixed in the last release. The people affected are those who hadn't gotten 
current. 

Al 

-- 
Al Billings
http://makehacklearn.org


On Tuesday, August 6, 2013 at 2:45 AM, Nadim Kobeissi wrote:

  Nadim you seem confused by how this works. Tor doesn't need to issue 
  advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps 
  they can link to them clearly but if you want to know about security issues 
  Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. 
  There's not much point in duplicating them on a second site. Tor would be 
  better served by writing advisories for its own, unique, security fixes.
 
 
 Tor doesn't need to issue advisories for Firefox issues. Tor needs to issue 
 advisories for Tor Browser issues, and not five weeks later when s**t hits 
 the fan.
 I really don't think one can reasonably disagree with the above statement. 
 Tor Browser is a Firefox fork.

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Al Billings
On Tuesday, August 6, 2013 at 9:58 AM, Brian Conley wrote:
 Al, I'm not a developer, so please bear with me.
 
 Do you disagree that TBB is forked software?

 That depends on your definition. They aren't taking a fork of Firefox and 
running off with it for a year or two. They are (and I don't know the process) 
either forking each ESR release or applying our ongoing ESR patches to an ESR 
line. In either case, I think of it as Firefox ESR + Tor patches, not really as 
a fork.
 
 If I fork Firefox and build my own browser from there, do I have no 
 responsibility to my users to fix bugs that originated in your original code, 
 now that my codebase is separate from yours?

Except they did that and do that. That isn't the issue here. The bug was fixed 
six weeks ago. TBB took that fix. The users that got exploited were *not* 
running the current version. Firefox assigns CVEs and issues advisories for any 
externally reported security issue we fix and for internally reported issues 
that are not simply memory corruption or crashes. There is no point in the Tor 
folks cutting and pasting our advisories onto their site. They *may* wish to 
link to our advisories on our site but that's up to them.

Al

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread The Doctor
On 08/06/2013 10:18 AM, Pavol Luptak wrote:

 The question is how FBI gained access to Freedom Hosting? What kind
 of exploits did they use?

Freedom Hosting offered web hosting services to people that asked for
it, yes?

A hypothesis I've seen floating around (without evidence, that's all
it is) is this: The FBI asked for and received web space on Freedom
Hosting.  They uploaded an app that they knew had a couple of
vulnerabilities that allowed for server side code execution and used
them to compromise other sites on that machine.  No need to send
ninjas to raid the cookie jar when you can say, Mother, may I?

- -- 
The Doctor [412/724/301/703] [ZS]
Developer, Project Byzantium: http://project-byzantium.org/

PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F  DD89 3BD8 FF2B 807B 17C1
WWW: https://drwho.virtadpt.net/

Livin' la vida alpha test.



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread CodesInChaos
When the user's version is outdated you already display an update notice.
You could add those items from
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
that apply to the current version. Listing particular vulnerabilities makes
it clear that you actually should
update and that it isn't just a superfluous notice that's just for annoying
the user.

I wouldn't duplicate the actual advisories, but listing them is a good idea
IMO.

Perhaps something like:

---
This version of TOR Browser is based on Firefox ESR 17.0.6. You need to
upgrade to fix the following security issues:

Fixed in Firefox ESR 17.0.7
MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a
privileged context
MFSA 2013-56 PreserveWrapper has inconsistent behavior
MFSA 2013-55 SVG filters can lead to information disclosure
MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
MFSA 2013-51 Privileged content access and execution via XBL
MFSA 2013-50 Memory corruption found using Address Sanitizer
MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)
-
(With links to Mozilla's advisories and red-orange-yellow highlighting just
like in the original page)

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread R. Jason Cronk
Plausible and clever in its simplicity.  Moral of the story: host your 
own server.  Anybody know what ever happened to Publius[1]? Did that 
concept ever go anywhere?


1 http://www.cs.nyu.edu/waldman/publius/

On 8/6/2013 1:38 PM, The Doctor wrote:

A hypothesis I've seen floating around (without evidence, that's all
it is) is this: The FBI asked for and received web space on Freedom
Hosting.  They uploaded an app that they knew had a couple of
vulnerabilities that allowed for server side code execution and used
them to compromise other sites on that machine.  No need to send
ninjas to raid the cookie jar when you can say, Mother, may I?


*R. Jason Cronk, Esq., CIPP/US*
/Privacy Engineering Consultant/, *Enterprivacy Consulting Group* 
enterprivacy.com


 * phone: (828) 4RJCESQ
 * twitter: @privacymaverick.com
 * blog: http://blog.privacymaverick.com


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread coderman
On Tue, Aug 6, 2013 at 12:28 PM, R. Jason Cronk r...@privacymaverick.com 
wrote:
 ... Anybody know what ever happened to Publius[1]? Did that concept
 ever go anywhere?

 1 http://www.cs.nyu.edu/waldman/publius/


wow, that takes me back. i remember running publius when it launched
back in the DeCSS days.

from what i recall there was a subsequent tangler censorship
resistance project, then nothing.

curious if anyone else knows more...


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Florian Weimer
* Jacob Appelbaum:

 This is not accurate. We heard about attempts at exploitation and within
 ~24hrs we released an advisory - we had already released fixed code a
 ~month before exploitation was found in the wild. Please do not mix up
 the time-line. To restate:

 2.3.25-10 (released June 26 2013)

This was released with the following announcement (there wasn't a
posting to the tor-announce mailing list):

| All of the Tor Browser Bundles have been updated with the new
| Firefox 17.0.7esr. There is also a new Tor 0.2.4.14-alpha release
| and all of the packages have been updated with that as well.
|
| https://www.torproject.org/download/download-easy
| 
| Tor Browser Bundle (2.3.25-10)
| 
| Update Firefox to 17.0.7esr
| Update zlib to 1.2.8
| Update HTTPS Everywhere to 3.2.2
| Update NoScript to 2.6.6.6

https://blog.torproject.org/blog/new-tor-browser-bundles-and-tor-02414-alpha-packages

I'm not sure if Tor Browser Bundle users (or even Firefox users)
realize that for some time now, almost all Firefox updates from
Mozilla contain security-relevant fixes.  But noting the security
aspect each time you switch to a newer Firefox ESR version can't
hurt.  On the other hand, those who don't already know this are
probably difficult to reach without automated updates.

(Automated updates are a mixed blessing because they could invite
court orders to roll out specific versions to certain users.)


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Gregory Maxwell
On Tue, Aug 6, 2013 at 3:11 PM, Florian Weimer f...@deneb.enyo.de wrote:
 (Automated updates are a mixed blessing because they could invite
 court orders to roll out specific versions to certain users.)

No crap.

_please_ don't deploy automatic updates in a sensitive environment
like this without at least quorum signatures (like gitian downloader)
and timed quarantine with negative signatures (harder to make strong
absent a jamming proof network).
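Florian's caveat about automatic updates inviting targeted, court-ordered versions, and Gregory's answer above (quorum signatures plus a timed quarantine with negative signatures), as an added example in Go that is not part of the thread, of Tor's updater or of the gitian downloader: a client accepts a release manifest only after k-of-n roster signers approve it, a quarantine window has elapsed, and no roster member has published a signed veto. The Ed25519 keys, roster names, quorum, window and manifest values are all constructed for the demo.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
	"time"
)

// Manifest describes one release: what to install and when it was published.
type Manifest struct {
	Version     string
	PackageHash [32]byte // SHA-256 of the update package
	PublishedAt time.Time
}

// Policy: install only after at least Quorum distinct roster members approved,
// nobody on the roster vetoed, and Quarantine has elapsed since publication.
type Policy struct {
	Roster     map[string]ed25519.PublicKey // signer name -> public key
	Quorum     int
	Quarantine time.Duration
}

// Attestation is a signed approval or, with Negative set, a signed veto.
type Attestation struct {
	Signer   string
	Negative bool
	Sig      []byte
}

type Decision int

const (
	Reject  Decision = iota // vetoed, or too few valid approvals
	Hold                    // quorum met, still inside the quarantine window
	Install                 // quorum met, quarantine elapsed, no veto
)

// message is the exact byte string a signer approves or vetoes; the tag keeps
// an approval signature from being replayed as a veto or vice versa.
func message(m Manifest, negative bool) []byte {
	tag := "APPROVE"
	if negative {
		tag = "VETO"
	}
	return []byte(fmt.Sprintf("%s|%s|%x|%s", tag, m.Version, m.PackageHash,
		m.PublishedAt.UTC().Format(time.RFC3339)))
}

// Attest signs an approval (negative=false) or a veto (negative=true).
func Attest(m Manifest, name string, priv ed25519.PrivateKey, negative bool) Attestation {
	return Attestation{Signer: name, Negative: negative, Sig: ed25519.Sign(priv, message(m, negative))}
}

// Evaluate applies the policy; unknown signers, bad signatures and duplicate
// approvals from one signer are ignored rather than counted toward the quorum.
func Evaluate(p Policy, m Manifest, atts []Attestation, now time.Time) (Decision, string) {
	approvers := map[string]bool{}
	for _, a := range atts {
		pub, ok := p.Roster[a.Signer]
		if !ok || !ed25519.Verify(pub, message(m, a.Negative), a.Sig) {
			continue // not on the roster, or not a signature over this manifest
		}
		if a.Negative {
			return Reject, "vetoed by " + a.Signer
		}
		approvers[a.Signer] = true
	}
	if len(approvers) < p.Quorum {
		return Reject, fmt.Sprintf("%d of %d required approvals", len(approvers), p.Quorum)
	}
	if end := m.PublishedAt.Add(p.Quarantine); now.Before(end) {
		return Hold, "quarantine ends " + end.UTC().Format(time.RFC3339)
	}
	return Install, "quorum met, quarantine elapsed"
}

// NewRoster generates fresh demo keys; real builder keys would be kept offline.
func NewRoster(names ...string) (map[string]ed25519.PublicKey, map[string]ed25519.PrivateKey) {
	pubs, privs := map[string]ed25519.PublicKey{}, map[string]ed25519.PrivateKey{}
	for _, n := range names {
		pub, priv, err := ed25519.GenerateKey(rand.Reader)
		if err != nil {
			panic(err)
		}
		pubs[n], privs[n] = pub, priv
	}
	return pubs, privs
}

func main() {
	pubs, privs := NewRoster("builder-a", "builder-b", "builder-c")
	p := Policy{Roster: pubs, Quorum: 2, Quarantine: 48 * time.Hour}
	// Constructed manifest: the hash is a placeholder, not a real bundle digest.
	m := Manifest{Version: "2.3.25-10", PackageHash: [32]byte{0xAB},
		PublishedAt: time.Date(2013, 6, 26, 0, 0, 0, 0, time.UTC)}
	atts := []Attestation{Attest(m, "builder-a", privs["builder-a"], false), Attest(m, "builder-b", privs["builder-b"], false)}
	d, why := Evaluate(p, m, atts, m.PublishedAt.Add(time.Hour))
	fmt.Println(d, why) // 1 quarantine ends 2013-06-28T00:00:00Z
}
```

A single compromised or coerced signer can therefore neither push a release alone nor be outvoted once it vetoes during the window; what the check does not cover is a network that withholds the veto, the "jamming" Gregory mentions.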


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Bbrewer

We're understaffed, so we tend to pick the few things we might
accomplish and writing such advisory emails is weird unless there is an
exceptional event. Firefox bugs and corresponding updates are not
exceptional events. :(

Pardon me,
But it does seem that this one was.

No?


Sent with AquaMail for Android
http://www.aqua-mail.com




Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Andy Isaacson
On Tue, Aug 06, 2013 at 01:50:31PM +0300, Nadim Kobeissi wrote:
 Yes, to be absolutely clear, I think Tor should issue advisories for
 confirmed security issues in Tor Browser, since Tor Browser is a fork
 of Firefox and is independently maintained. This is exactly what Tor
 did this time, except next time you shouldn't wait five weeks for the
 situation to explode.

This is insane advice.  Every ESR point release of Firefox 17 has fixed
multiple CVEs.  Your advice would have them doing a RED BLINKING LETTERS
blogpost on *every* TBB release.  This is not sustainable and will
create security fatigue in users, exactly similar to how SSL warning
dialogs trained everybody to just click accept back in the nineties and
the bad old oughties.

We have to move past the bug the user again model of security system
deployment.

-andy


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Kyle Maxwell
On Tue, Aug 6, 2013 at 10:19 PM, Andy Isaacson a...@hexapodia.org wrote:

 We have to move past the bug the user again model of security system
 deployment.

In the general sense, yes. Silent automatic updates are a truly good
thing in many use cases and environments.

However, in the case where the user has an explicitly more detailed
threat model - the sort of case where Tor may be an important
component of the overall infrastructure - requiring said user to
exercise some situational awareness is de rigueur. Tor itself
recognizes this principle quite clearly on its download page:

Want Tor to really work? You need to change some of your habits, as
some things won't work exactly as you are used to.

This is proper and correct, because use cases that involve using Tor
as more than just a poor man's VPN[0] require correspondingly greater
thought and practice of solid operational security principles. This
means, yes, taking active steps to safeguard your browser, from
patching to not using JavaScript to thinking about when and what you
write.

I don't want to delve too far into victim-blaming here, but it's clear
that users caught by this *particular* operation were relatively
low-hanging fruit.

-- 
@kylemaxwell


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Nadim Kobeissi

On 2013-08-06, at 4:49 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

 Nadim Kobeissi:
 On 2013-08-06, at 1:23 PM, Jacob Appelbaum ja...@appelbaum.net
 wrote:
 
 Nadim Kobeissi:
 
 On 2013-08-06, at 12:55 PM, Jacob Appelbaum
 ja...@appelbaum.net wrote:
 
 Nadim Kobeissi:
 
 On 2013-08-06, at 11:46 AM, Al Billings
 alb...@openbuddha.com wrote:
 
 Nadim you seem confused by how this works. Tor doesn't need
 to issue advisories for Firefox issues. We, at Mozilla,
 already issue them. Perhaps they can link to them clearly
 but if you want to know about security issues Mozilla fixes
 in Firefox, you're best served by reading Mozilla
 advisories. There's not much point in duplicating them on a
 second site. Tor would be better served by writing
 advisories for its own, unique, security fixes.
 
 Tor doesn't need to issue advisories for Firefox issues. Tor 
 needs to issue advisories for Tor Browser issues, and not
 five weeks later when s**t hits the fan. I really don't think
 one can reasonably disagree with the above statement. Tor
 Browser is a Firefox fork.
 
 Should we issue a single advisory for each possible security
 issue that Firefox has already noted in their change log? Each
 confirmed security issue? Should we ask for a second CVE to
 cover each CVE they receive?
 
 What's the alternative, Jake?
 
 That was a list of choices and you didn't choose one. Please choose
 one or more - though not all of them make sense when put together.
 It was a question and well, your answer isn't much of an answer.
 
 Yes, to be absolutely clear, I think Tor should issue advisories for
 confirmed security issues in Tor Browser, since Tor Browser is a fork
 of Firefox and is independently maintained. This is exactly what Tor
 did this time, except next time you shouldn't wait five weeks for the
 situation to explode.
 
 
 This is where the confusion comes into play, I think. Please note the
 advisory we released this week:
 
 
 https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html
 
 We specifically address the one thing we *know* that is being exploited
 and we note that there are other issues, though we don't go into depth
 as upgrading is the only path forward.
 
 Now note the Mozilla security issues for the Firefox ESR releases:
 
  https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
 
 You're on the one hand saying that we did the right thing and on the
 other, you're saying that we should issue an advisory for *confirmed*
 security issues. Mozilla confirmed a handful. Doesn't that imply that
 our advisory should have covered everything Firefox fixed between
 versions? And if so, should we note everything, even if it doesn't
 *appear* to be a security issue? Just in case?
 
 Now on the one hand, you're saying we waited five weeks - when in fact
 we didn't, we released an advisory within a day of discovering that TBB
 was being targeted, which is different from Firefox generally I might
 add. We did also note with the release of 3.0alpha2 that it included
 security and stability fixes as we often do when we bump Firefox.
 
 So clearly between hey, upgrade and exploit discovered there is a
 middle ground. I'm confused by the middle ground you have chosen. It
 doesn't seem that we should wait until exploits are in the wild to note
 the security features of new releases (which we didn't, but we didn't
 issue an advisory for every Firefox issue), and yet, if an exploit is
 discovered, we should post an advisory that specifically addresses what
 we know about it, no?
 
 
 Wait until the NSA exploits an innumerable amount of Tor users
 and then quickly write an advisory for a bug that was quietly
 fixed without a warning from Tor five weeks but still exploited?
 
 This is not accurate. We heard about attempts at exploitation and
 within ~24hrs we released an advisory - we had already released
 fixed code a ~month before exploitation was found in the wild.
 Please do not mix up the time-line. To restate:
 
 
 2.3.25-10 (released June 26 2013) 2.4.15-alpha-1 (released June 26
 2013) 2.4.15-beta-1 (released July 8 2013) 3.0alpha2 (released June
 30 2013)
 
 
 The exploit was found in the wild on last weekend, I learned about
 it on or around August 4th. Please note that our patched versions
 were released nearly a month before this was found in the wild.
 There is no reason to support the conclusion that we silently
 fixed anything in response to an exploit. Please consider that your
 statement is entirely unsupported by evidence, Nadim.
 
 I could be mistaken. Where's the advisory that was issued the day
 after, that mentions that a critical Tor Browser vulnerability was
 fixed?
 
 
 Once we triaged the bug with Mozilla - both Tor and Mozilla posted updates:
 
 
 https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
 
 
 https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable

You will note that this was 

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-06 Thread Roger Dingledine
On Wed, Aug 07, 2013 at 07:20:21AM +0300, Nadim Kobeissi wrote:
 You will note that this was posted recently. However, 5 weeks ago,
Mozilla posted a security advisory for Firefox and fixed the issue. Tor
then updated the Tor Browser Bundle with the fix, 5 weeks ago, *without
releasing a security advisory.* You released the security advisory after
shit hit the fan, this week

Just to clarify: the security advisory I wrote this week was telling
users that an exploit had been seen in the wild, and explaining what
we knew about that. This was not intended to be a five-weeks-late
by-the-way-there-was-a-vulnerability announcement. We already told people,
five weeks ago, to upgrade, and set the TBB homepage to tell them There
is a security update available for the Tor Browser Bundle. Click here
to go to the download page. The novel thing here was that a potential
vulnerability, which Mozilla had described as This crash is potentially
exploitable when they put out their fix, was actually exploitable in
practice and was being actively exploited. The advisory was intended to
make people aware of the new situation, and also collect some facts into
one place.

 The advisory you released this week should have
been released 5 weeks ago for Tor Browser, on the day Mozilla released
an advisory for Firefox, and on the day you updated Tor Browser.
 
 I spoke with Roger and he in fact confirmed that no advisory was
released by Tor five weeks ago when Tor fixed the vulnerability. Tor
waited until the exploit was in the wild.

We did in fact wait until the exploit was in the wild to tell people
that the exploit was in the wild.

How we (including the broader community) can keep users informed
about the security state of their software is indeed a fine question
to ponder. But it's not clear to me that this you didn't tell them
yes we did well you should have told them differently format is
the right way to make progress.

(And we should also listen to folks like Andy, who point out that
there's never going to be a simple answer. I've been involved in too
many I wonder if that bug we just fixed is really exploitable, and how
we should classify it discussions to believe that the predictions are
always accurate -- and they can be inaccurate either by overestimating
or by underestimating.)

--Roger



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Nadim Kobeissi
Forgive me, but I'd like to ask a question here.

Tor is a tool that is undeniably, directly marketed toward activists in 
high-risk environments. Tor's presentations at conferences centre around how 
Tor obtains increased usage in Arab Spring countries that matches the timeline 
of revolutionary action. It's incredibly direct. Tor's own spokespeople 
encourage people in Iran, Egypt and so on to use Tor and only Tor as the most 
secure tool for activist anonymity, and privacy.

Now, we find out that the FBI has been sitting on an exploit since an unknown 
amount of time that can compromise the Tor Browser Bundle, which is currently 
the main way to download Tor and the only way to download Tor for the average 
end-user, and is deploying it en masse to the visitors of what seems to be 
around half of all Tor hidden services, which have also been compromised

I've gotten quite some flak from certain people at Tor for supposedly marketing 
Cryptocat to activists, which is not something I do, but that the media did 
last year. We know for a fact that Tor does in fact market to activists. And 
yet, I have a feeling that the flak towards Tor, for something this incredibly 
huge, will be quite small, on this mailing list and on other discussion forums, 
especially compared to the kind of vitriol Cryptocat receives.

I would like an explanation as to why this is the case.

NK

On 2013-08-04, at 10:56 PM, Griffin Boyce griffinbo...@gmail.com wrote:

 There are really two separate issues here, and I just want to separate them 
 briefly.
 
 1) Tormail and other sites were hosting malicious js code that attempts to 
 break firefox 17.
 
 2) Freedom Hosting was shut off after its host was arrested.
 
   I will say from personal experience that most hidden services are 
 *extremely* permeable. Not because Tor sucks, but because people making them 
 aren't very good webmasters. They don't upgrade/patch the software running 
 their websites, and that leads to big hacks. Freedom Hosting was itself taken 
 down on at least three occasions due to poor maintenance.
 
   It's also not particularly difficult to script up a scanner that tests 
 hidden services for vulnerabilities, then launches malicious code. This has 
 happened again and again. But this cannot really be Tor's fault anymore than 
 it's Apache's fault. People who host hidden services must maintain their code 
 just like other websites.
 
   If a hidden service webhost is imperfectly set up, it's possible to upload 
 a malicious file and broadcast the IP address of the server. (Again, this 
 relies on various configuration issues and 0day, but similar has happened to 
 Freedom Hosting before).
 
   What does everyone else think about this?
 
 best,
 Griffin
 
 PS: it seems a little too ambitious to set up your own anonymity network 
 without having a solid team of scientists and cryptographers
 
 On Sun, Aug 4, 2013 at 9:20 PM, Rich Jones miser...@gmail.com wrote:
 1) Freedom Hosting owner arrested and TorMail appears to be distributing FBI 
 malware specifically targeting the Tor Browser Bundle.
 
 Deets: 
 https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste
 
 
 2) I'm considering using Docker/Flynn to build an anonymous PaaS. Anybody 
 want to help with the sketches?
 
 Deets: https://github.com/Miserlou/OnionCloud
 
 R
 
 
 
 
 -- 
 Just another hacker in the City of Spies.
 #Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de
 
 My posts, while frequently amusing, are not representative of the thoughts of 
 my employer.

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Albert López
Maybe because of the difficulty in finding those vulnerabilities to exploit the 
system. 
Being bulletproof against everything, as we know, is impossible, therefore if 
you notice that the government (with a huge amount of resources) has found a 
vulnerability in your software you can accept that, solve it and feel raped. 
The problem is much more critical when just one guy (and not even as his job) has 
reviewed the code of an application and has found a huge bug :)

You cannot blame someone because the government has been exploiting his 
software, because governments usually have kind of unlimited resources to do 
that.
What I mean is that if Cryptocat had been hacked by the government (exploiting some 
kind of sophisticated bug - btw, I don't know which bug is being exploited in 
Tor), I don't think it would have had all that feeling of weakness (and as a 
consequence, all that discussion).


gpg --keyserver pgp.mit.edu --search-keys EEE5A447
http://pgp.mit.edu:11371/pks/lookup?search=0xEEE5A447&op=vindex



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Georg Koppen
On 05.08.2013 10:15, Nadim Kobeissi wrote:
 Now, we find out that the FBI has been sitting on an exploit since an unknown 
 amount of time that can compromise the Tor Browser Bundle

is that really so? See:
https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
first comment.

Georg


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Nadim Kobeissi

On 2013-08-05, at 10:46 AM, Georg Koppen g.kop...@jondos.de wrote:

 On 05.08.2013 10:15, Nadim Kobeissi wrote:
 Now, we find out that the FBI has been sitting on an exploit since an 
 unknown amount of time that can compromise the Tor Browser Bundle
 
 is that really so? See:
 https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
 first comment.

Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser 
security advisory in that case.

NK

 
 Georg
 


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Roger Dingledine
On Mon, Aug 05, 2013 at 10:46:35AM +0200, Georg Koppen wrote:
 On 05.08.2013 10:15, Nadim Kobeissi wrote:
  Now, we find out that the FBI has been sitting on an exploit since an 
  unknown amount of time that can compromise the Tor Browser Bundle
 
 is that really so? See:
 https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
 first comment.

Specifically, it would appear that the TBB updates we put out on
June 26 addressed this vulnerability:
https://blog.torproject.org/blog/new-tor-browser-bundles-and-tor-02414-alpha-packages

My preference here is increasingly that we should finish
https://trac.torproject.org/projects/tor/ticket/9387
and then make TBB 3.x the new default:
https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released

(Apparently this means breaking support for Win XP until somebody fixes
that:
https://trac.torproject.org/projects/tor/ticket/9084
But hey, there are worse things to do than that.)

--Roger



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Albert López

BTW (same comment in two pages :P):
The vulnerability being exploited by this attack was fixed in Firefox 22 and 
Firefox ESR 17.0.7. The vulnerability used is MFSA 2013-53. People who are on the 
latest supported versions of Firefox are not at risk. Although the vulnerability 
affects users of Firefox 21 and below, the exploit targets only ESR-17 users. 
Since this attack was found on Tor hidden services presumably that is because 
the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most 
recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were 
also not at risk from this attack.
So it means that the vulnerability exploited was not even a 0day and Tor users 
using updated software were not affected. 
In fact, there has been too much discussion for someone (FBI) exploiting a 
patched vulnerability...



gpg --keyserver pgp.mit.edu --search-keys EEE5A447
http://pgp.mit.edu:11371/pks/lookup?search=0xEEE5A447&op=vindex


From: na...@nadim.cc
Date: Mon, 5 Aug 2013 10:46:58 +0200
To: liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] Freedom Hosting,  Tormail Compromised // 
OnionCloud

 
On 2013-08-05, at 10:46 AM, Georg Koppen g.kop...@jondos.de wrote:
 
 On 05.08.2013 10:15, Nadim Kobeissi wrote:
 Now, we find out that the FBI has been sitting on an exploit since an 
 unknown amount of time that can compromise the Tor Browser Bundle
 
 is that really so? See:
 https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
 first comment.
 
Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser 
security advisory in that case.
 
NK
 
 
 Georg
 
 


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Michael Owen
On Mon, Aug 5, 2013 at 9:46 AM, Nadim Kobeissi na...@nadim.cc wrote:


 Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser 
 security advisory in that case.

I'm not sure how long the Tor bundle goes without actively complaining
to the user about things being out of date. Out of curiosity I
reloaded a 48-day old beta of 3.0 last night, and it immediately
complained that it was out of date and should be upgraded to the
latest version.

Mike


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Nadim Kobeissi

On 2013-08-05, at 11:04 AM, Michael Owen mich...@theramparts.com wrote:

 On Mon, Aug 5, 2013 at 9:46 AM, Nadim Kobeissi na...@nadim.cc wrote:
 
 
 Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser 
 security advisory in that case.
 
 I'm not sure how long the Tor bundle goes without actively complaining
 to the user about things being out of date. Out of curiosity I
 reloaded a 48-day old beta of 3.0 last night, and it immediately
 complained that it was out of date and should be upgraded to the
 latest version.

Yeah, Tor's update notifications are definitely legit. I'm just wondering why 
there wasn't an actual advisory. I mean, all this time there seems to have been 
a .js file that could compromise any Tor users accessing a website which loads 
it.

NK

 
 Mike


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Jason Gulledge
The fog of OHM hasn't yet lifted for me, so I'm sorry if I'm not entirely 
poetic in thought…

Before people jump in and say "the tor network is inherently flawed!" I just 
want to try to put it in perspective. As I understand it, an .onion got owned, 
probably by some poorly written or installed software on their site. That 
happens, and it isn't tor's fault.  Once it got owned, it was easy to put an 
iframe in and target a specific version of the tor browser, an old one for 
which vulns are well-known. 

Mozilla posted the advisory on June 25th. 
https://www.mozilla.org/security/announce/2013/mfsa2013-53.html and a TBB 
update was provided 5 days later: 
https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released - and 
uses a version of FF that the advisory says fixes the issue.

If you're interested, this is supposed to be the exploit: 
http://pastebin.com/96htM60z

The take home message of the day: keep your shit up to date.

The only question I have is -- is there anything more that can be done to warn 
users their stuff is out of date? We're already visited with a warning that our 
browser or other tor-related software is out of date upon launching it. Do we 
need scrolling text? blinky lights? Should it be disabled once it is out of 
date? Maybe that can be an option set by default.  Thoughts?


Best, 

-Jason Gulledge
@ramdac



On Aug 5, 2013, at 10:15 AM, Nadim Kobeissi na...@nadim.cc wrote:

 Forgive me, but I'd like to ask a question here.
 
 Tor is a tool that is undeniably, directly marketed toward activists in 
 high-risk environments. Tor's presentations at conferences centre around how 
 Tor obtains increased usage in Arab Spring countries that matches the 
 timeline of revolutionary action. It's incredibly direct. Tor's own 
 spokespeople encourage people in Iran, Egypt and so on to use Tor and only 
 Tor as the most secure tool for activist anonymity, and privacy.
 
 Now, we find out that the FBI has been sitting on an exploit since an unknown 
 amount of time that can compromise the Tor Browser Bundle, which is currently 
 the main way to download Tor and the only way to download Tor for the average 
 end-user, and is deploying it en-masse to the visitors of what seems to be 
 around half of all Tor hidden services, which have also been compromised
 
 I've gotten quite some flak from certain people at Tor for supposedly 
 marketing Cryptocat to activists, which is not something I do, but that the 
 media did last year. We know for a fact that Tor does in fact market to 
 activists. And yet, I have a feeling that the flak towards Tor, for something 
 this incredibly huge, will be quite small, on this mailing list and on other 
 discussion forums, especially compared to the kind of vitriol Cryptocat 
 receives.
 
 I would like an explanation as to why this is the case.
 
 NK
 
 On 2013-08-04, at 10:56 PM, Griffin Boyce griffinbo...@gmail.com wrote:
 
 There are really two separate issues here, and I just want to separate them 
 briefly.
 
 1) Tormail and other sites were hosting malicious js code that attempts to 
 break firefox 17.
 
 2) Freedom Hosting was shut off after its host was arrested.
 
  I will say from personal experience that most hidden services are 
 *extremely* permeable. Not because Tor sucks, but because people making them 
 aren't very good webmasters. They don't upgrade/patch the software running 
 their websites, and that leads to big hacks. Freedom Hosting was itself 
 taken down on at least three occasions due to poor maintenance.
 
  It's also not particularly difficult to script up a scanner that tests 
 hidden services for vulnerabilities, then launches malicious code. This has 
 happened again and again. But this cannot really be Tor's fault any more than 
 it's Apache's fault. People who host hidden services must maintain their 
 code just like other websites.
 
  If a hidden service webhost is imperfectly set up, it's possible to upload 
 a malicious file and broadcast the IP address of the server. (Again, this 
 relies on various configuration issues and 0day, but similar has happened to 
 Freedom Hosting before).
 
  What does everyone else think about this?
 
 best,
 Griffin
 
 PS: it seems a little too ambitious to set up your own anonymity network 
 without having a solid team of scientists and cryptographers
 
 On Sun, Aug 4, 2013 at 9:20 PM, Rich Jones miser...@gmail.com wrote:
 1) Freedom Hosting owner arrested and TorMail appears to be distributing FBI 
 malware specifically targeting the Tor Browser Bundle.
 
 Deets: 
 https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste
 
 
 2) I'm considering using Docker/Flynn to build an anonymous PaaS. Anybody 
 want to help with the sketches?
 
 Deets: https://github.com/Miserlou/OnionCloud
 
 R
 

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread liberationtech
On Mon, 5 Aug 2013 10:15:20 +0200
Nadim Kobeissi na...@nadim.cc wrote:

 Now, we find out that the FBI has been sitting on an exploit since an
 unknown amount of time that can compromise the Tor Browser Bundle,
 which is currently the main way to download Tor and the only way to
 download Tor for the average end-user, and is deploying it en-masse
 to the visitors of what seems to be around half of all Tor hidden
 services, which have also been compromised

Please cite first person sources on this. It's not clear the FBI did
anything or is involved at all. There is a reddit thread implying this,
but no statement (as of yet) from the FBI or anyone claiming
responsibility for the javascript injection.

Second, it's not clear this exploit or malware has actually compromised
current versions of Tor Browser (as released on June 26, 2013). Please
show a working exploit against the current TBBs.

Third, please show data that half of all Tor hidden services have
been compromised. We don't have this data because we don't track hidden
services. If you do, please share your metrics.

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread liberationtech
On Mon, 5 Aug 2013 10:04:02 +0100
Michael Owen mich...@theramparts.com wrote:

 I'm not sure how long the Tor bundle goes without actively complaining
 to the user about things being out of date. 

TBB notifies the user within an hour of releasing the new version. The
hour lag is because our cronjob runs hourly.

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Andy Isaacson
On Mon, Aug 05, 2013 at 09:19:01AM -0400, liberationt...@lewman.us wrote:
 Please cite first person sources on this. It's not clear the FBI did
 anything or is involved at all. There is a reddit thread implying this,
 but no statement (as of yet) from the FBI or anyone claiming
 responsibility for the javascript injection.

The press is treating it as a likelihood.  That's no proof, of course,
but the narrative is internally consistent and most alternatives seem
quite unlikely.

http://www.wired.com/threatlevel/2013/08/freedom-hosting/

 Second, it's not clear this exploit or malware has actually compromised
 current versions of Tor Browser (as released on June 26, 2013). Please
 show a working exploit against the current TBBs.

In fact it seems quite clear that the 65.222.202.54 malware does *not*
affect 17.0.7esr per

http://tsyrklevich.net/tbb_payload.txt

Every claim I've seen is that this single payload was the only deployed
malware in this incident.

As I understand it, TBB users who installed or upgraded after June 26
are not vulnerable, and users of old versions got a notice at startup
that an upgrade is required.  Is that correct?

If the above is correct, then only TBB users on Windows who installed
TBB before June 26 and ignored the warnings would be affected.

Does TBB have usage statistics breaking out the upgrade rate per
platform?  Are we talking about 90% upgrade rates after 30 days, or 15%
upgrade rates?

 Third, please show data that half of all Tor hidden services have
 been compromised. We don't have this data because we don't track hidden
 services. If you do, please share your metrics.

Indeed, it's difficult to measure.  Half by count?  Half by users?  Half
by circuits?  Half by bandwidth?  But the forum analysis indicates that
there's been significant impact, so saying half seems reasonable.
Better stats would be great, but in the absence, a rough estimate isn't
unreasonable.


Seems to me the Tor project's response was about right; the only
potential improvement I can think of would be automatically downloading
the upgrade in the background, to improve update rates.  (But I hate
software that does that ... but I am currently running a vulnerable
Firefox myself due to not getting reminded about upgrades, so I'm
evidence that "hate automatic upgrades" equals "is more vulnerable".)

One larger improvement would be to have the TBB browser sandboxed and
set to trigger an alarm on non-Tor outbound traffic.  Running Tails in a
suitably configured VM system can provide this capability, but
platform-specific application sandboxes can do it as well; Chrome
provides some prior art.  Developing this capability is a nontrivial
task...

Nadim's criticism of the Tor project seems a bit too strong given the
facts, and even given the unknowns when the news first broke.

Andrew's response to the criticism seems a bit overly harsh, but I'm
inclined to cut some slack for folks who've probably been working long
hard hours over the past days to understand the impact of these events.

Thanks,
-andy
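Andy's suggestion above of a sandboxed TBB that raises an alarm on non-Tor outbound traffic, as an added illustration that is not part of the thread and not Tor Project code: a small detector that walks constructed connection events and flags anything the browser process opens that is not the local Tor SOCKS listener. The process name, the SOCKS endpoint 127.0.0.1:9150, the one-line event format and the sample events are all assumptions made for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Iterable, List

# Assumed: the only destination the sandboxed browser is allowed to reach is the
# local Tor SOCKS listener. Anything else (direct IP, DNS, other loopback ports)
# is a candidate leak or a payload that escaped the proxy, so it gets an alert.
TOR_SOCKS = ("127.0.0.1", 9150)
BROWSER_PROCESS = "firefox"   # assumed process name inside the sandbox


@dataclass(frozen=True)
class ConnEvent:
    process: str
    dst_ip: str
    dst_port: int


def is_tor_bound(ev: ConnEvent) -> bool:
    """True only for connections to the Tor SOCKS listener itself."""
    return (ev.dst_ip, ev.dst_port) == TOR_SOCKS


def flag_non_tor(events: Iterable[ConnEvent],
                 process: str = BROWSER_PROCESS) -> List[ConnEvent]:
    """Return the browser's connections that bypass Tor.

    Loopback to any port other than the SOCKS listener is flagged too: the
    browser has no business talking to anything but that one endpoint.
    Connections made by other processes (e.g. the tor daemon reaching relays)
    are ignored; they are not the browser's traffic.
    """
    return [ev for ev in events
            if ev.process == process and not is_tor_bound(ev)]


def parse_event(line: str) -> ConnEvent:
    """Parse the constructed format "<process> <dst_ipv4>:<dst_port>".

    ip_address() validates the address and raises ValueError on garbage, so a
    malformed line fails loudly instead of silently passing through.
    """
    proc, dst = line.split()
    ip, port = dst.rsplit(":", 1)
    ip_address(ip)
    return ConnEvent(proc, ip, int(port))


def alerts_for(lines: Iterable[str]) -> List[str]:
    """Turn raw event lines into human-readable alert strings."""
    return [f"ALERT {ev.process} -> {ev.dst_ip}:{ev.dst_port}"
            for ev in flag_non_tor(map(parse_event, lines))]


# Constructed sample, not a real capture. The third line mimics a direct
# connection to the address Andy's message associates with the payload; the
# fourth is what a DNS leak would look like; the last is the tor daemon itself.
SAMPLE_LINES = [
    "firefox 127.0.0.1:9150",
    "firefox 127.0.0.1:9150",
    "firefox 65.222.202.54:80",
    "firefox 8.8.8.8:53",
    "tor 198.51.100.7:9001",
]

if __name__ == "__main__":
    for alert in alerts_for(SAMPLE_LINES):
        print(alert)
```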


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Georg Koppen
On 05.08.2013 10:15, Nadim Kobeissi wrote:
 Now, we find out that the FBI has been sitting on an exploit since an unknown 
 amount of time that can compromise the Tor Browser Bundle

is that really so? See:
https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
first comment

Georg


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Nadim Kobeissi

On 2013-08-05, at 4:19 PM, liberationt...@lewman.us wrote:

 On Mon, 5 Aug 2013 10:15:20 +0200
 Nadim Kobeissi na...@nadim.cc wrote:
 
 Now, we find out that the FBI has been sitting on an exploit since an
 unknown amount of time that can compromise the Tor Browser Bundle,
 which is currently the main way to download Tor and the only way to
 download Tor for the average end-user, and is deploying it en-masse
 to the visitors of what seems to be around half of all Tor hidden
 services, which have also been compromised
 
 Please cite first person sources on this. It's not clear the FBI did
 anything or is involved at all. There is a reddit thread implying this,
 but no statement (as of yet) from the FBI or anyone claiming
 responsibility for the javascript injection.

As Andy Isaacson said:
The press is treating it as a likelihood.  That's no proof, of course,
but the narrative is internally consistent and most alternatives seem
quite unlikely. http://www.wired.com/threatlevel/2013/08/freedom-hosting/;

 
 Second, it's not clear this exploit or malware has actually compromised
 current versions of Tor Browser (as released on June 26, 2013). Please
 show a working exploit against the current TBBs.

With my own project, we fixed a critical vulnerability months before it was 
publicized, and we still treated the situation as critical during publication 
due to the fact that there may have been users who may have already been 
compromised or who may not have updated. I feel that your response ignores 
those possibilities and is defensive to a fault.

Since the bug this malware exploits was fixed in previous version of the Tor 
Browser, why was no advisory issued? What if this exploit had been known, and 
used, for a whole year by malicious parties?

 
 Third, please show data that half of all Tor hidden services have
 been compromised. We don't have this data because we don't track hidden
 services. If you do, please share your metrics.

Honestly your email feels really unproductive.

NK

 
 -- 
 Andrew
 http://tpo.is/contact
 pgp 0x6B4D6475


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Roger Dingledine
On Mon, Aug 05, 2013 at 04:54:00AM -0400, Roger Dingledine wrote:
 Specifically, it would appear that the TBB updates we put out on
 June 26 addressed this vulnerability:

https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html
has some more details now.

Or see
https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable
if you prefer blog posts. :)

--Roger



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Claudio
On 08/05/2013 05:00 PM, Nadim Kobeissi wrote:
 
 On 2013-08-05, at 4:19 PM, liberationt...@lewman.us wrote:
 
 On Mon, 5 Aug 2013 10:15:20 +0200 Nadim Kobeissi na...@nadim.cc
 wrote:
 
 Now, we find out that the FBI has been sitting on an exploit
 since an unknown amount of time that can compromise the Tor
 Browser Bundle, which is currently the main way to download Tor
 and the only way to download Tor for the average end-user, and
 is deploying it en-masse to the visitors of what seems to be
 around half of all Tor hidden services, which have also been
 compromised
 
 Please cite first person sources on this. It's not clear the FBI
 did anything or is involved at all. There is a reddit thread
 implying this, but no statement (as of yet) from the FBI or
 anyone claiming responsibility for the javascript injection.
 
 As Andy Isaacson said: The press is treating it as a likelihood.
 That's no proof, of course, but the narrative is internally
 consistent and most alternatives seem quite unlikely.
 http://www.wired.com/threatlevel/2013/08/freedom-hosting/;
 
 
 Second, it's not clear this exploit or malware has actually
 compromised current versions of Tor Browser (as released on June
 26, 2013). Please show a working exploit against the current
 TBBs.
 
 With my own project, we fixed a critical vulnerability months
 before it was publicized, and we still treated the situation as
 critical during publication due to the fact that there may have
 been users who may have already been compromised or who may not
 have updated. I feel that your response ignores those possibilities
 and is defensive to a fault.
 
 Since the bug this malware exploits was fixed in previous version
 of the Tor Browser, why was no advisory issued? What if this
 exploit had been known, and used, for a whole year by malicious
 parties?

I'm really not sure I understand what you expected out of it. With TBB
being based on an underlying software that was the origin of the bug,
are Tor people expected to keep track of every commit and ticket being
closed in Firefox and ship security bulletins just as Mozilla does?
Are you doing the same with Crypto.cat for the browsers you have
extensions for?



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Fabio Pietrosanti (naif)
On 8/4/13 10:31 PM, liberationt...@lewman.us wrote:
 Tor's official response is here,
 https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting

After a quick check at a random Tor2web server, it seems that there's no
specific pattern of traffic-drop.

Who knows, maybe the number of TorHS that have been taken down is just a few.

-- 
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Nadim Kobeissi

On 2013-08-05, at 6:38 PM, Roger Dingledine a...@mit.edu wrote:

 On Mon, Aug 05, 2013 at 04:54:00AM -0400, Roger Dingledine wrote:
 Specifically, it would appear that the TBB updates we put out on
 June 26 addressed this vulnerability:
 
 https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html
 has some more details now.
 
 Or see
 https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable
 if you prefer blog posts. :)

Awesome! :-)
This is one of those situations that, frustratingly, could have been dealt with 
better, but Roger and co. deliver in the end, as is tradition.

Tor remains an awesome project. The FBI is the likely perpetrator of the 
exploit and this should really wake up the privacy community.

NK

 
 --Roger
 


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Griffin Boyce
Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:

 After a quick check at a random Tor2web server, it seems that there's no
 specific pattern of traffic-drop.

 Who knows, maybe the number of TorHS that have been taken down is just a
 few.


  Yeah, it seems like people are vastly overestimating the number of hidden
services affected.  Freedom Hosting was the largest free HS host, but
estimating them at half of all hidden services is a bit much. The last time
they went down, the majority of hidden services remained unaffected.  My
belief is that most hidden services are actually self-hosted.

  Tor has maintained for quite a while that attacks that break out of
firefox's sandboxing are their biggest concern in terms of deanonymization.
And they really should be. Since the switch to TBB vs
Vidalia+Torbutton+Manual config, users are more likely to be using the same
version of firefox.  In some ways this is great, the goal being to make Tor
users look identical and therefore bypass fingerprinting. In other ways,
perhaps not ideal. A userbase that is unified in this way is far more
likely to be susceptible to a given exploit than a diverse one.  My
understanding is that they are looking for more/better ways to sandbox the
whole shebang.

  I do wish that Vidalia were still being actively developed though =/

~Griffin

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread h0ost
 Mozilla posted the advisory on June 25th.
 https://www.mozilla.org/security/announce/2013/mfsa2013-53.html and a
 TBB update was provided 5 days later:
 https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
 - and uses a version of FF that the advisory says fixes the issue.
 

So what's the problem that Nadim Kobeissi is pointing to? The
vulnerability was patched by Mozilla, then subsequently incorporated in
the TBB.
If TBB is updated, and a user doesn't upgrade their TBB bundle, that's
the user's fault, not Tor.

No?
Yes, I think.

 
 The take home message of the day: keep your shit up to date.

Exactly.  Nothing more, nothing less.  It's like brushing one's teeth,
you learn that you have to do it for your own good, and then you just do it.


 The only question I have is -- is there anything more that can be
 done to warn users their stuff is out of date? We're already visited
 with a warning that our browser or other tor-related software is out
 of date upon launching it. Do we need scrolling text? blinky lights?
 Should it be disabled once it is out of date? Maybe that can be an
 option set by default.  Thoughts?


I don't think so.  TBB already warns when there is an updated version of
the TBB, so I really think it's a culture change on part of people who
don't upgrade immediately.  Hard thing to fight against, but maybe such
events will make people more cautious in this way.



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Bernard Tyers - ei8fdb
Firstly: this is not an anti-Tor/pro-anything/anti-developer comment. If 
anything it's pro-have_some_understanding_for_people point-of-view. I 
contribute to Tor as I believe it can do a lot of good.

As I understand it, the issue was: a compromise affected older TB Bundles, 
based on a previous version of Firefox. TBB prompted users to update to newer 
versions within $X days of release.

It wasn't the Tor network that was compromised, it was *some* software running 
to provide a Tor Hidden Service. We still don't know exactly what that 
was. (It would be nice to know.)

Neither do I think you can expect the Tor Project to follow every commit to 
Firefox. (Although using any software, based on trust, in this world is not the 
best idea.)

If anyone should get blamed, it's the operators of the THS (currently it seems 
it was Freedom Hosting and Eric Eoin Marques?) that were the cause of this 
compromise. They are the douches in this shitstorm.

All good so far.

On 5 Aug 2013, at 18:45, h0ost wrote:

 Mozilla posted the advisory on June 25th.
 https://www.mozilla.org/security/announce/2013/mfsa2013-53.html and a
 TBB update was provided 5 days later:
 https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
 - and uses a version of FF that the advisory says fixes the issue.
 
 
 So what's the problem that Nadim Kobeissi is pointing to? The
 vulnerability was patched by Mozilla, then subsequently incorporated in
 the TBB.
 If TBB is updated, and a user doesn't upgrade their TBB bundle, that's
 the user's fault, not Tor.
 
 No?
 Yes, I think.

If you want to find fault with some party, then sure it's the user's fault. But 
that's not very helpful in a case like this. If it was MS Word, or Mail.app, 
blame the user.

Tor and TBB are not the easiest of privacy protection tools to understand, even 
for some trained technology people. 

It would be nice to know the percentage of technical experts using TBB. You 
*cannot* expect someone who is not an expert in cryptography, comp.sci, or 
computer technology in general to fully understand the consequences of using 
software tools. If you have a problem with that, then go and design software 
for developers. 

I know your comment was off the cuff, but this is one of the reasons why this 
shit is so bad. It needs to be designed with _real_ people (not cryptographers, 
or comp.sci or telecoms) in mind. Real people who use these tools to 
communicate. Everybody in some case, is just a user. 

It wasn't essentially The Tor Project's fault, but they are dealing with it 
now. Shitty I know.

 The take home message of the day: keep your shit up to date.
 
 Exactly.  Nothing more, nothing less.  It's like brushing one's teeth,
 you learn that you have to do it for your own good, and then you just do it.
 

I don't think you can compare tooth decay with your security getting 
compromised. Really.

 The only question I have is -- is there anything more that can be
 done to warn users their stuff is out of date? We're already visited
 with a warning that our browser or other tor-related software is out
 of date upon launching it. Do we need scrolling text? blinky lights?
 Should it be disabled once it is out of date? Maybe that can be an
 option set by default.  Thoughts?
 
 
 I don't think so.  TBB already warns when there is an updated version of
 the TBB, so I really think it's a culture change on part of people who
 don't upgrade immediately.  Hard thing to fight against, but maybe such
 events will make people more cautious in this way.



By what Roger Dingledine from Tor has stated in a previous mail, The Tor 
Project provided the "you need to upgrade" message promptly. I don't know if 
that is enough. (But it is certainly a lot more than other providers of 
software would do.) 

Maybe disabling out of date software would not be a bad thing? (Personally I 
don't know if that's a good approach, as users may use less secure methods to 
carry out their tasks)

My point is, there should be some research into finding an answer as opposed to 
apportioning blame.

Flame-retardant suit on.

Bernard

--
Bernard / bluboxthief / ei8fdb

IO91XM / www.ei8fdb.org

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Doug Chamberlin
Nadim certainly has a point about the disparity between how his efforts
were received and the overall level of respect/support Tor receives.
Hopefully, he will continue on and when his software accumulates the track
record that Tor has he will be suitably rewarded. He certainly writes
recently like someone who has been resilient and forward thinking. More
power to him!


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Griffin Boyce
Bernard Tyers - ei8fdb ei8...@ei8fdb.org wrote:

 By what Roger Dingledine from Tor has stated in a previous mail, The Tor
 Project provided the "you need to upgrade" message promptly. I don't know
 if that is enough. (But it is certainly a lot more than other providers of
 software would do.)


  I can really only speak for me, but I think that a larger part is what
constitutes full disclosure? Is it a broad advisory? Is it a blog post? Is
it tweets? What constitutes a bug big enough to warrant that type of
announcement? Every software project has to come up with answers to these
questions. FWIW, I keep up with Tor news far more than an average user, and
still did not know about this vuln until a couple of days ago.

  I would like to see Tor broadcasting recent
vulnerabilities/issues/enhancements on the check.torproject.org page.
Ironically (or not) Nadim and I had already been working on a different
TorCheck page when this news came out.

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Al Billings
You realize Tor didn't know this vuln was an issue until two days ago? 

The Tor Browser Bundle is based off of Firefox ESR releases. All the high 
profile security issues fixed are listed on the Firefox ESR known 
vulnerabilities web page. You want them to copy that page for you?

Al 

-- 
Al Billings
http://makehacklearn.org


On Monday, August 5, 2013 at 12:55 PM, Griffin Boyce wrote:

 Bernard Tyers - ei8fdb ei8...@ei8fdb.org (mailto:ei8...@ei8fdb.org) wrote:
  By what Roger Dingledine from Tor has stated in a previous mail, The Tor 
  Project provided the "you need to upgrade" message promptly. I don't know 
  if that is enough. (But it is certainly a lot more than other providers of 
  software would do.) 
 
   I can really only speak for me, but I think that a larger part is what 
 constitutes full disclosure? Is it a broad advisory? Is it a blog post? Is 
 it tweets? What constitutes a bug big enough to warrant that type of 
 announcement? Every software project has to come up with answers to these 
 questions. FWIW, I keep up with Tor news far more than an average user, and 
 still did not know about this vuln until a couple of days ago. 
 
   I would like to see Tor broadcasting recent 
 vulnerabilities/issues/enhancements on the check.torproject.org 
 (http://check.torproject.org) page. Ironically (or not) Nadim and I had 
 already been working on a different TorCheck page when this news came out. 
 
 



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Bernard Tyers - ei8fdb

On 5 Aug 2013, at 21:08, Al Billings wrote:

 You realize Tor didn't know this vuln was an issue until two days ago?

I presume that's directed at Griffin. 

 The Tor Browser Bundle is based off of Firefox ESR releases. All the high 
 profile security issues fixed are listed on the Firefox ESR known 
 vulnerabilities web page. You want them to copy that page for you?

How many TBB users will go to the Firefox ESR vulns. page to research the 
potential and found vulns in a piece of software they don't know they use?

Bernard

--
Bernard / bluboxthief / ei8fdb

IO91XM / www.ei8fdb.org



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Al Billings
Why should they? Just make sure you're running the most recently released 
version. 

-- 
Al Billings
http://makehacklearn.org


On Monday, August 5, 2013 at 1:18 PM, Bernard Tyers - ei8fdb wrote:

  The Tor Browser Bundle is based off of Firefox ESR releases. All the high 
  profile security issues fixed are listed on the Firefox ESR known 
  vulnerabilities web page. You want them to copy that page for you?
 
 
 How many TBB users will go to the Firefox ESR vulns. page to research the 
 potential and found vulns in a piece of software they don't know they use?
 


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Griffin Boyce
Al,

We may have to disagree as to the way forward. I hate to be
contentious, but it seems unlikely that Tor applied a patch without
reading firefox's changelog. Two days ago I presented a talk which
emphasized how useful Tor is -- and I stand by that. Tor is still the
best option for maintaining one's anonymity.

I use Tor. I teach people how to use Tor. I run relays and hidden
services. I code on Tor-related projects. And I tell large crowds why
they should do all of that too. It's not like I'm some hater.

~Griffin

On 8/5/13, Al Billings alb...@openbuddha.com wrote:
 Why should they? Just make sure you're running the most recently released
 version.

 --
 Al Billings
 http://makehacklearn.org


 On Monday, August 5, 2013 at 1:18 PM, Bernard Tyers - ei8fdb wrote:

  The Tor Browser Bundle is based off of Firefox ESR releases. All the
  high profile security issues fixed are listed on the Firefox ESR known
  vulnerabilities web page. You want them to copy that page for you?


 How many TBB users will go to the Firefox ESR vulns. page to research the
 potential and found vulns in a piece of software they don't know they
 use?





-- 
Just another hacker in the City of Spies.
#Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de

My posts, while frequently amusing, are not representative of the thoughts
of my employer.


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Al Billings
I'm not sure what you're trying to say here exactly. 

Tor doesn't apply a patch to TBB, AFAIK. They build on top of Firefox ESR. 
The current Firefox ESR17 (and the current TBB) have the bug fixed that 
everyone is talking about. If you're current, you're safe. 

So, then the problem becomes: why aren't people running the current version?

As to the rest of what you said, that has nothing to do with anything I said. I 
didn't comment on Tor, its usefulness, or anything else. My comments were about 
the current situation with a Javascript exploit and the TBB. If you want to 
talk about this other thing, enjoy but it has nothing to do with me. My focus 
is Firefox.

Al 

-- 
Al Billings
http://makehacklearn.org


On Monday, August 5, 2013 at 3:09 PM, Griffin Boyce wrote:

 We may have to disagree as to the way forward. I hate to be
 contentious, but it seems unlikely that Tor applied a patch without
 reading firefox's changelog. Two days ago I presented a talk which
 emphasized how useful Tor is -- and I stand by that. Tor is still the
 best option for maintaining one's anonymity.



Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread R. Jason Cronk
Does anybody have any indication on how the alleged operator of Freedom 
Hosting was identified. Everybody seems to be focusing on the javascript 
exploit but from what I've read, it appears that was placed on the 
server after the alleged operator was taken down and the operation 
compromised, or is my timing off?


Jason Cronk


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Shava Nerad
If my understanding of Mozilla's description of the vulnerability is
correct:

https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/

Users who are on the latest version of Firefox (version 22) or Firefox ESR
 (version 17.0.7) are not at risk. If a user is running an outdated version of
 Firefox, then this vulnerability could be used by an attacker to execute
 malicious software on a victim’s machine. Mozilla has been alerted that
 this issue is being actively exploited in the wild and urges all users to
 make sure their Firefox is up to date.


Then what happened could have happened to any ISP on hidden services or
not.  A browser connected to the ISP, used a browser vulnerability to
infect the host server, and proceeded from there to do whatever to the
hosting complex at the hidden service site.

They were hacked.  They got pwned.  And apparently, they had no measures in
place to have noticed that it was happening, in terms of image monitoring
and so on -- although admittedly we are talking about a state-level
opponent.  They could have been rootkitted straight off, and the opponent
had their way with them and so on.

However, my understanding is that this vulnerability -- did I hear
somewhere? -- is to windows hosting.  Now maybe it's me, and I'm old
fashioned, but I still think of that as more vulnerable, but I've been out
of the field for a while.

Regardless,

This has nothing to do with Tor or Tor hidden services.  It could have
happened on the open internet with an apache server with the same version
of Mozilla.  Or am I misunderstanding something?

So, essentially, Mozilla was used as the Trojan Horse to insert the payload
into the servers.  It wouldn't have made a difference at all if they were
hidden or not, only that they were using web services and allowing any
version of Mozilla to attach.

yrs,
-- 

Shava Nerad
shav...@gmail.com

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Al Billings
No, Mozilla (I assume you mean Firefox) wasn't used to insert anything into 
any servers. It is the other way around. Someone had an exploit on the servers 
that could be used to exploit older versions of the ESR17 branch of Firefox, 
which the Tor Browser Bundle uses. (ESR is the Extended Support Release and 
ESR17 is Firefox 17 + important security updates since 17 was shipped. ESR is 
meant for corporate users and others who want longterm stability but security 
fixes as well.) 

-- 
Al Billings
http://makehacklearn.org


On Monday, August 5, 2013 at 4:00 PM, Shava Nerad wrote:

 So, essentially, Mozilla was used as the Trojan Horse to insert the payload 
 into the servers.  It wouldn't have made a difference at all if they were 
 hidden or not, only that they were using web services and allowing any 
 version of Mozilla to attach. 


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Shava Nerad
ah, ok, thanks!  Got it backwards...

So the server was hacked by some unknown method, by a state level opponent,
and this was then used to identify user activity using the Firefox 17
vulnerability announced by Mozilla, presumably, which allowed them to
monitor significant traffic and activity/content on the hidden service from
there out.

I think there is at least one paper out there on how to defeat a hidden
service already, and Tor has an appeal out for help with hidden services in
general -- it's not the primary focus of the project, as it isn't a focus
of funding, just on a pragmatic basis.

(reminder:  I do not speak for the project.  I volunteer a bit.  I used to
work there.  I am not a programmer, but I used to be one in the previous
century, but since then I have tended increasingly to herd geeks and write
words and raise cash. I am also fighting a migraine but not as big a
headache as Andrew has today, heh...;)

It is such an arms race...  I still wonder about insufficient paranoia
and/or resourcing on the part of the service providers.  I wonder if they
had image monitoring, pentesting, all the sort of security regime going on
that an enterprise ISP would have with sensitive info on it?

If your freedom (either in terms of freedom-fighting or
just-freedom-from-jail -- this is a bit like the liberation-vs-criminal
version of freedom or beer, yes?) depended on it, what would you do to
secure your hosting or  your machine/mobile?

It's more and more relevant.  We are an interesting list in interesting
times.

yrs,
SN

On Mon, Aug 5, 2013 at 7:13 PM, Al Billings alb...@openbuddha.com wrote:

  No, Mozilla (I assume you mean Firefox) wasn't used to insert
 anything into any servers. It is the other way around. Someone had an
 exploit on the servers that could be used to exploit older versions of the
 ESR17 branch of Firefox, which the Tor Browser Bundle uses. (ESR is the
 Extended Support Release and ESR17 is Firefox 17 + important security
 updates since 17 was shipped. ESR is meant for corporate users and others
 who want longterm stability but security fixes as well.)

 --
 Al Billings
 http://makehacklearn.org

 On Monday, August 5, 2013 at 4:00 PM, Shava Nerad wrote:

 So, essentially, Mozilla was used as the Trojan Horse to insert the
 payload into the servers.  It wouldn't have made a difference at all if
 they were hidden or not, only that they were using web services and
 allowing any version of Mozilla to attach.







-- 

Shava Nerad
shav...@gmail.com

Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Andy Isaacson
On Tue, Aug 06, 2013 at 12:09:48AM +0200, Griffin Boyce wrote:
 We may have to disagree as to the way forward. I hate to be
 contentious, but it seems unlikely that Tor applied a patch without
 reading firefox's changelog.

I'm still not clear on what you want Tor to have done.  Should they do a
RED FLASHING LETTERS blog post every time a security-critical bug gets
fixed in a new release?  News flash, there are security-critical bugs
fixed in *every* release.  Many of them aren't even *identified* as
security-critical bugs when they're fixed.

Users *have* to be up to date if they are going to try to do things in
this threat landscape.  (Of course updates introduce their *own* can of
security worms, but far better to kill off the bugs we *know* are being
exploited than to worry overmuch about APTs burning backdoored
developers slipping malware into our reproducibly built cryptographically
hashed auditable source trail DVCS managed applications.)

-andy


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Jacob Appelbaum
Griffin Boyce:
 Al,
 
 We may have to disagree as to the way forward. I hate to be
 contentious, but it seems unlikely that Tor applied a patch without
 reading firefox's changelog. Two days ago I presented a talk which
 emphasized how useful Tor is -- and I stand by that. Tor is still the
 best option for maintaining one's anonymity.
 

Hi Griffin,

Do you plan to release security advisories for all updates to the Linux
kernel, GNU user space utilities and other dependencies in the commotion
router firmware?

I suppose no but perhaps I'm mistaken? Has anyone done so with new
commotion releases? I don't see[0][1] such notes, am I missing something?

It seems impractical to note every change from downstream projects.

Clearly you seem to disagree but I do wonder where you draw the line?

Do your projects have some example where we might see the line in
action, so to speak?

As far as I can tell, we issued a security advisory within twenty-four
hours. We spent more than a full day of multiple people's time working
non-stop to understand the scope, the impact and the outcomes of this
issue. We were already working on this task when you and another decided
to jump up and down to let us know that we were failures by any other
name. I'd say thanks but that isn't the word that comes to mind...

The Tor Project does not triage every single Mozilla Firefox bug. We do
try to understand which bugs are security critical. We do aim to track
and put our energy into ensuring our browser uses the latest ESR
releases. This generally includes lots of code fixes, security as well
as other kinds of fixes, though we may not always fully understand every
issue - we tend to trust Mozilla's lead on this topic. TBB requires lots
of effort to forward port our privacy preserving patches as they are not
in the mainline Mozilla repositories. We did this as we always do with
TBB releases and we released patched versions of the software before we
ever even learned of the exploit discovered this weekend that targets
old, unpatched users:

2.3.25-10 (released June 26 2013)
2.4.15-alpha-1 (released June 26 2013)
2.4.15-beta-1 (released July 8 2013)
3.0alpha2 (released June 30 2013)

By a general count, it was around a month ago that we released patched
versions. We normally just note that we've bumped the included projects
to their latest stable versions - though in the case of our latest
alpha, we specifically said[2]:

In addition to providing important security updates to Firefox and Tor,
these release binaries should now be exactly reproducible from the
source code by anyone.

Do you think that we should include that text with every single release?
i.e.: "This update provides important security updates to Firefox and Tor"
or something along those lines? Shall we just put that in every single
release note? Is that really helpful?

If you have a suggestion for how we might improve, I'm open to hearing
it - though as far as I am able to tell - there isn't much to be done
except to say "security update" next to "firefox update" in our normal
release notes. That isn't very helpful as nearly every Firefox update in
ESR is a security or stability related release.

Please do feel free to suggest something constructive - if we have room
for improvement, we're happy to make it!

All the best,
Jacob

[0] https://commotionwireless.net/download/openwrt
[1]
https://commotionwireless.net/blog/new-commotion-release-dr1-ready-testing
[2] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
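As an added example (not code from this thread or from the Tor Project), the following Python audit parses TBB version strings in the three shapes Jacob lists above ("2.3.25-10", "2.4.15-alpha-1", "3.0alpha2") and reports which installed bundles predate the first patched release of their branch. The inventory, hostnames and helper names are constructed for the demo; the ordering rules (alpha < beta < rc < stable, branch = first two numbers, a branch newer than every patched branch counts as fixed) are my assumptions about the version scheme, not a documented Tor convention.

```python
import re
from typing import List, Tuple

# Patched Tor Browser Bundle versions as listed in the message above.
# Anything older within the same branch still ships the vulnerable Firefox ESR.
PATCHED_VERSIONS = ["2.3.25-10", "2.4.15-alpha-1", "2.4.15-beta-1", "3.0alpha2"]

# Assumed pre-release ordering: alpha < beta < rc < stable (no stage suffix).
_STAGE_RANK = {"alpha": 0, "beta": 1, "rc": 2, "": 3}

# Accepts the three shapes seen above: "2.3.25-10", "2.4.15-alpha-1", "3.0alpha2".
_VERSION_RE = re.compile(
    r"^(?P<nums>\d+(?:\.\d+)*)"                            # dotted numeric part
    r"(?:-?(?P<stage>alpha|beta|rc)-?(?P<stage_n>\d+)?)?"  # optional pre-release tag
    r"(?:-(?P<rev>\d+))?$"                                 # optional bundle revision
)

VersionKey = Tuple[Tuple[int, int, int], int, int, int]


def parse_version(text: str) -> VersionKey:
    """Turn a TBB version string into a comparable tuple.

    Key layout: (numeric triple, stage rank, stage number, bundle revision),
    so plain tuple comparison yields the ordering assumed above.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    nums = [int(x) for x in m.group("nums").split(".")]
    nums = (nums + [0, 0, 0])[:3]                 # pad "3.0" to (3, 0, 0)
    stage = m.group("stage") or ""
    return (tuple(nums), _STAGE_RANK[stage],
            int(m.group("stage_n") or 0), int(m.group("rev") or 0))


def is_patched(installed: str) -> bool:
    """True if `installed` is at least the oldest patched version of its branch.

    Branch = first two numbers (2.3, 2.4, 3.0). A branch newer than every
    patched branch is assumed to contain the fix; an older unknown branch is not.
    """
    key = parse_version(installed)
    branch = key[0][:2]
    patched = [parse_version(v) for v in PATCHED_VERSIONS]
    same_branch = [p for p in patched if p[0][:2] == branch]
    if same_branch:
        return key >= min(same_branch)
    return branch > max(p[0][:2] for p in patched)


def audit(inventory: List[str]) -> List[Tuple[str, str, str]]:
    """Classify 'hostname version' lines; unparsable versions are flagged for review."""
    report = []
    for line in inventory:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, version = line.split(None, 1)
        try:
            status = "ok" if is_patched(version) else "VULNERABLE"
        except ValueError:
            status = "unparsed"
        report.append((host, version, status))
    return report


# Constructed sample inventory; hostnames and versions are made up for the demo.
SAMPLE_INVENTORY = [
    "# host          tbb-version",
    "workstation-01  2.3.25-10",
    "workstation-02  2.3.25-8",
    "laptop-07       2.4.15-beta-1",
    "laptop-08       2.4.14-alpha-1",
    "kiosk-03        3.0alpha1",
    "kiosk-04        3.0alpha2",
    "unknown-99      not-a-version",
]

if __name__ == "__main__":
    for host, version, status in audit(SAMPLE_INVENTORY):
        print(f"{host:16}{version:16}{status}")
```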


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread liberationtech
On Mon, Aug 05, 2013 at 06:18:02PM -0400, r...@privacymaverick.com wrote 0.6K 
bytes in 0 lines about:
: Does anybody have any indication on how the alleged operator of
: Freedom Hosting was identified. Everybody seems to be focusing on
: the javascript exploit but from what I've read, it appears that was
: placed on the server after the alleged operator was taken down and
: the operation compromised, or is my timing off?

This is far more interesting to me than anything else. I've been
wondering the same thing.

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-05 Thread Kyle Maxwell
According to THN[0] and several linked supporting sites from there
(particularly notable are analyses from Kenneth Buckler[1] and Vlad
Tsyrklevich[2]), the payload delivered the MAC address and Windows
hostname to 65.222.202.54[3]. I've read in public sources that that
address is assigned to SAIC but I have not seen any hard data on that.

[0]: http://thehackernews.com/2013/08/Firefox-Exploit-Tor-Network-child-pornography-Freedom-Hosting.html
[1]: https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/
[2]: http://tsyrklevich.net/tbb_payload.txt

On Mon, Aug 5, 2013 at 8:22 PM,  liberationt...@lewman.us wrote:
 On Mon, Aug 05, 2013 at 06:18:02PM -0400, r...@privacymaverick.com wrote 0.6K 
 bytes in 0 lines about:
 : Does anybody have any indication on how the alleged operator of
 : Freedom Hosting was identified. Everybody seems to be focusing on
 : the javascript exploit but from what I've read, it appears that was
 : placed on the server after the alleged operator was taken down and
 : the operation compromised, or is my timing off?

 This is far more interesting to me than anything else. I've been
 wondering the same thing.

--
@kylemaxwell


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-04 Thread liberationtech
Tor's official response is here,
https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting

-- 
Andrew
http://tpo.is/contact
pgp 0x6B4D6475


Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

2013-08-04 Thread Griffin Boyce
There are really two separate issues here, and I just want to separate them
briefly.

1) Tormail and other sites were hosting malicious js code that attempts to
break firefox 17.

2) Freedom Hosting was shut off after its host was arrested.

  I will say from personal experience that most hidden services are
*extremely* permeable. Not because Tor sucks, but because people making
them aren't very good webmasters. They don't upgrade/patch the software
running their websites, and that leads to big hacks. Freedom Hosting was
itself taken down on at least three occasions due to poor maintenance.

  It's also not particularly difficult to script up a scanner that tests
hidden services for vulnerabilities, then launches malicious code. This has
happened again and again. But this cannot really be Tor's fault anymore
than it's Apache's fault. People who host hidden services must maintain
their code just like other websites.

  If a hidden service webhost is imperfectly set up, it's possible to
upload a malicious file and broadcast the IP address of the server. (Again,
this relies on various configuration issues and 0day, but similar has
happened to Freedom Hosting before).

  What does everyone else think about this?

best,
Griffin

PS: it seems a little too ambitious to set up your own anonymity network
without having a solid team of scientists and cryptographers

On Sun, Aug 4, 2013 at 9:20 PM, Rich Jones miser...@gmail.com wrote:

 1) Freedom Hosting owner arrested and TorMail appears to be distributing
 FBI malware specifically targeting the Tor Browser Bundle.

 Deets:
 https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste


 2) I'm considering using Docker/Flynn to build an anonymous PaaS. Anybody
 want to help with the sketches?

 Deets: https://github.com/Miserlou/OnionCloud

 R





-- 
Just another hacker in the City of Spies.
#Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de

My posts, while frequently amusing, are not representative of the thoughts
of my employer.