Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
I composed the following SOME TIME back! (must have been around the time of the Freedom Hosting initial revelations) -- it was never sent, so here it is. I don't have the dates, but this reply should get threaded properly... My reply is dated in the sense that it was based on info at the time, of which there is much more now. I believe I intended to add to this message before sending, likely to respond to more of Jacob's comments. For posterity, here is my reply as drafted to Jacob Appelbaum (Sincerely, Asa):

Jacob Appelbaum: Asa Rossoff: Jacob Appelbaum: Asa Rossoff: ...

Thanks for your response!

Surely. I hope it adds value.

The rights to privacy and security are important to me, especially as they apply to all people. Although I have some technical know-how, I am new to Tor and don't know a lot about cryptography. ... TBB users are at special risk of being targeted for spying (according to recent news reports), hacking/exploits (as is the case in this instance), and this may be increasingly true in the future.

Probably, yes. I think that is a fair assessment - though it applies to anyone who uses privacy, security and anonymity software, I think.

Yes, I would think so too. I saw no evidence that indicated a specific interest in Tor. In particular in terms of monitoring/spying, encryption can draw attention, and has often provoked blocking or dropping of connections in certain regions. I think China recently blocked all SSL access to Wikipedia, for example. The most pertinent reference re. encryption provoking spying or attention might be Exhibit B from the NSA docs, in regards to collecting data on US persons: http://www.theguardian.com/world/interactive/2013/jun/20/exhibit-b-nsa-procedures-document relaying FISA sec. 701/702 minimization procedures. I haven't read Exhibit A, which I believe is about communications that are known to involve non-US persons. Ironically, most of what that document describes sounds like maximization procedures to me.

The general rule of thumb seems to be that communications can be kept for 5 years (or more--a sufficient duration). A sufficient duration for enciphered data or data believed to contain secret meaning is indefinite, though -- at least until the meaning is clear they can keep enciphered or secret meaning data forever.

My references to the above document by section, paraphrased in brackets (not so much for your personal benefit as much as for the record):

5.(3)(a) [Domestic Communications - retention conditions (believed to contain technical data base information) (enciphered/secret meaning)]
6.(a)(1)(a) [Foreign Communications of or Concerning United States Persons (retention conditions) (necessary for maintenance of technical data bases) (enciphered/secret meaning)]
7. [if the communication is of or concerning non-US people there are no special restrictions]
8. [Foreign governments can be provided unminimized and/or enciphered/coded data for assistance in analysis or deciphering with the proviso that the foreign governments aren't allowed to retain, disseminate, or do anything with the data except give it back to the US--yeah, right--although the US may give some of it back to them under other procedures]

Further, if they find anything incriminating in any way during their analyses, they can keep/disseminate it without regard to most of the other procedures outlined.

... The point I was getting to is that several parallel strategies come to mind:

(1) It would not be a bad idea to post applicable Firefox-issued security advisories to one of your lists.

Part of the issue - from my perspective - is that 'applicable' is a bit nebulous. Nearly every bug *might* turn into an anonymity destroying bug with some engineering effort.

(2) Even have an RSS feed of them available through the TBB, as well as RSS of TBB releases, and what security issues are covered including one advised by Firefox. This could notify of stable, alpha and beta releases, so everyone knows when security updates are available, possibly at the cost of stability.

I like this idea - though I wonder how users would feel about it? Will they read it? Should it be our own RSS feed or an RSS feed of Mozilla's data?

(3) When you get an update mechanism going, for stability reasons, you probably want it to automatically only update to stable or beta releases[?].

I tend to prefer 'secure' update over 'automatic' update.

However, you could have a parallel release schedule to get these upstream patches out ASAP. I realize labor is involved here; but if at all possible, updating your last stable patch to work with the latest Firefox release ASAP and releasing it as a stable/beta while continuing development on a more major/feature-related update that will start as an alpha release when ready. (possibly backporting some TBB-only security fixes only to your last patch when it makes sense).

Sure, that seems
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
But this data is not useful for any but the most advanced user. TBB should autoupdate for any nongeek user. I hope some safe way of this update exists.

-- Jerzy Łogiewa -- jerz...@interia.eu

On Aug 6, 2013, at 5:11 PM, CodesInChaos wrote:

When the user's version is outdated you already display an update notice. You could add those items from https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html that apply to the current version. Listing particular vulnerabilities makes it clear that you actually should update and that it isn't just a superfluous notice that's just for annoying the user. I wouldn't duplicate the actual advisories, but listing them is a good idea IMO. Perhaps something like:

---
This version of TOR Browser is based on Firefox ESR 17.0.6. You need to upgrade to fix the following security issues:

Fixed in Firefox ESR 17.0.7
MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
MFSA 2013-56 PreserveWrapper has inconsistent behavior
MFSA 2013-55 SVG filters can lead to information disclosure
MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
MFSA 2013-51 Privileged content access and execution via XBL
MFSA 2013-50 Memory corruption found using Address Sanitizer
MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)
---

-- Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
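The update notice CodesInChaos sketches above is easy to generate mechanically: compare the ESR version a build is based on against the "fixed in" version of each advisory and list only those fixed in a later release, grouped by release. The following is an added example, not code from Tor Browser or from anyone on the thread. The advisory table is constructed for the example: the eight MFSA entries are the ones quoted in the message above, and the two entries marked PLACEHOLDER are made up to exercise the filtering (one already fixed in the installed version, one fixed in a later release). The version comparison is numeric per component, so 17.0.10 correctly sorts after 17.0.9, which a plain string comparison would get wrong.

```python
"""Generate an 'upgrade to fix these advisories' notice for a browser build.

Added example, not the project's own code. Advisory data below is constructed
from the MFSA identifiers quoted in the thread; it is not fetched from
mozilla.org, and the PLACEHOLDER entries are invented for the example.
"""
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class Advisory:
    mfsa: str        # advisory identifier, e.g. "MFSA 2013-59"
    fixed_in: str    # first Firefox ESR release that ships the fix
    title: str


# Constructed table. Real identifiers/titles are those quoted in the thread
# (all fixed in ESR 17.0.7); PLACEHOLDER entries are invented for the example.
ADVISORIES: List[Advisory] = [
    Advisory("MFSA 2013-59", "17.0.7", "XrayWrappers can be bypassed to run user defined methods in a privileged context"),
    Advisory("MFSA 2013-56", "17.0.7", "PreserveWrapper has inconsistent behavior"),
    Advisory("MFSA 2013-55", "17.0.7", "SVG filters can lead to information disclosure"),
    Advisory("MFSA 2013-54", "17.0.7", "Data in the body of XHR HEAD requests leads to CSRF attacks"),
    Advisory("MFSA 2013-53", "17.0.7", "Execution of unmapped memory through onreadystatechange event"),
    Advisory("MFSA 2013-51", "17.0.7", "Privileged content access and execution via XBL"),
    Advisory("MFSA 2013-50", "17.0.7", "Memory corruption found using Address Sanitizer"),
    Advisory("MFSA 2013-49", "17.0.7", "Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)"),
    Advisory("MFSA-PLACEHOLDER-A", "17.0.5", "constructed: already fixed in the installed version, must be filtered out"),
    Advisory("MFSA-PLACEHOLDER-B", "17.0.8", "constructed: fixed in a later release, shows a second group"),
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '17.0.7' into (17, 0, 7) so releases compare numerically.

    Rejects anything that is not dot-separated integers rather than guessing.
    """
    parts = version.strip().split(".")
    if not parts or not all(part.isdigit() for part in parts):
        raise ValueError(f"unrecognised version string: {version!r}")
    return tuple(int(part) for part in parts)


def applicable_advisories(current: str, advisories: List[Advisory]) -> List[Advisory]:
    """Advisories fixed in a release newer than `current`, ordered for display.

    Sorted by the fixing release (oldest first); within a release, newest MFSA
    first, matching the order used in the thread's sample notice.
    """
    cur = parse_version(current)
    pending = [a for a in advisories if parse_version(a.fixed_in) > cur]
    pending.sort(key=lambda a: a.mfsa, reverse=True)        # newest MFSA first
    pending.sort(key=lambda a: parse_version(a.fixed_in))   # stable: group by release
    return pending


def render_notice(current: str, advisories: List[Advisory]) -> str:
    """Build the human-readable notice shown alongside the update prompt."""
    pending = applicable_advisories(current, advisories)
    header = f"This version of Tor Browser is based on Firefox ESR {current}."
    if not pending:
        return header + " No newer ESR security fixes are known."
    lines = [header, "You need to upgrade to fix the following security issues:", ""]
    last_release = None
    for adv in pending:
        if adv.fixed_in != last_release:        # start a new "Fixed in" group
            lines.append(f"Fixed in Firefox ESR {adv.fixed_in}")
            last_release = adv.fixed_in
        lines.append(f"  {adv.mfsa}  {adv.title}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_notice("17.0.6", ADVISORIES))
```

In a real update checker the advisory table would be refreshed from a signed feed rather than embedded, and the comparison should run against the ESR version the build was actually compiled from, not the version string the UI reports, since the two can diverge in a fork.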
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 2013-08-07, at 12:44 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

Bbrewer:
We're understaffed, so we tend to pick the few things we might accomplish and writing such advisory emails is weird unless there is an exceptional event. Firefox bugs and corresponding updates are not exceptional events. :(

Pardon me, but it does seem that this one was. No?

Yeah, this was such a case - a month ago, we didn't know it was such a case - no one did, not even Mozilla.

That's funny — didn't Mozilla issue a security advisory for it a month ago? That would imply that they actually did know that it was such a case.

NK

All the best, Jacob
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 2013-08-07, at 12:58 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

Nadim Kobeissi:
On 2013-08-07, at 12:44 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
Bbrewer:
We're understaffed, so we tend to pick the few things we might accomplish and writing such advisory emails is weird unless there is an exceptional event. Firefox bugs and corresponding updates are not exceptional events. :(

Pardon me, but it does seem that this one was. No?

Yeah, this was such a case - a month ago, we didn't know it was such a case - no one did, not even Mozilla.

That's funny — didn't Mozilla issue a security advisory for it a month ago? That would imply that they actually did know that it was such a case.

The exploit is the exceptional event. Roger just covered this with exceptional clarity. Al - did Mozilla know it was being exploited in the wild, a month ago? Was there a known difference at the time between this bug and say, the others which were fixed in the ESR17 release cycle?

Does an exploit need to exist in the wild and be discovered first in order to warrant a security advisory? I didn't know this!

NK

All the best, Jacob
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Nadim Kobeissi:
On 2013-08-07, at 12:58 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
Nadim Kobeissi:
On 2013-08-07, at 12:44 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
Bbrewer:
We're understaffed, so we tend to pick the few things we might accomplish and writing such advisory emails is weird unless there is an exceptional event. Firefox bugs and corresponding updates are not exceptional events. :(

Pardon me, but it does seem that this one was. No?

Yeah, this was such a case - a month ago, we didn't know it was such a case - no one did, not even Mozilla.

That's funny — didn't Mozilla issue a security advisory for it a month ago? That would imply that they actually did know that it was such a case.

The exploit is the exceptional event. Roger just covered this with exceptional clarity. Al - did Mozilla know it was being exploited in the wild, a month ago? Was there a known difference at the time between this bug and say, the others which were fixed in the ESR17 release cycle?

Does an exploit need to exist in the wild and be discovered first in order to warrant a security advisory? I didn't know this!

The advisory was about a bug being exploited in the wild, so, yes. That was covered well in Roger's last email.

I'd encourage you to read Roger's email (again, or for the first time). Specifically the part where we encouraged users to upgrade, notified every browser user that there was a security update and so on.

All the best, Jacob
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 2013-08-07, at 1:05 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

Nadim Kobeissi:
On 2013-08-07, at 12:58 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
Nadim Kobeissi:
On 2013-08-07, at 12:44 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
Bbrewer:
We're understaffed, so we tend to pick the few things we might accomplish and writing such advisory emails is weird unless there is an exceptional event. Firefox bugs and corresponding updates are not exceptional events. :(

Pardon me, but it does seem that this one was. No?

Yeah, this was such a case - a month ago, we didn't know it was such a case - no one did, not even Mozilla.

That's funny — didn't Mozilla issue a security advisory for it a month ago? That would imply that they actually did know that it was such a case.

The exploit is the exceptional event. Roger just covered this with exceptional clarity. Al - did Mozilla know it was being exploited in the wild, a month ago? Was there a known difference at the time between this bug and say, the others which were fixed in the ESR17 release cycle?

Does an exploit need to exist in the wild and be discovered first in order to warrant a security advisory? I didn't know this!

The advisory was about a bug being exploited in the wild, so, yes. That was covered well in Roger's last email.

I'm aware, I did read his email. I was just under the impression that you publish advisories about *vulnerabilities*, not about *exploits*. But perhaps you're teaching me (and the rest of the community) something new here! ;-)

I'd encourage you to read Roger's email (again, or for the first time). Specifically the part where we encouraged users to upgrade, notified every browser user that there was a security update and so on.

That's pretty great, but it doesn't count as an advisory, no matter how hard you seem to want it to.

THIS is an advisory: https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html

NK

All the best, Jacob
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
The advisory was about a bug being exploited in the wild, so, yes. That was covered well in Roger's last email.

I'm aware, I did read his email. I was just under the impression that you publish advisories about *vulnerabilities*, not about *exploits*. But perhaps you're teaching me (and the rest of the community) something new here! ;-)

The purpose of an advisory is to alert users about various kinds of information. We covered the vulnerability and the exploit details that we knew at various times. We first published a blog post that detailed that we didn't yet have all information about what we'd heard rumored. We then published a second blog post detailing the new information. We also sent an email about it. I'd say that all three are advisory in nature - they literally advise users of what we know. The final email to tor-announce was an advisory about a specific vulnerability that was being exploited in the wild.

I'd encourage you to read Roger's email (again, or for the first time). Specifically the part where we encouraged users to upgrade, notified every browser user that there was a security update and so on.

That's pretty great, but it doesn't count as an advisory, no matter how hard you seem to want it to.

THIS is an advisory: https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html

A CVE is what most consider the standard way of discussing an issue regardless of format or medium. We could probably improve by referencing CVEs of Mozilla's ESR security page rather than simply referencing the MFSA alone. As it is we referenced mfsa2013-53 but we didn't directly reference CVE-2013-1690. Part of the reason is that the MFSA is more specific than the CVE, which details the most likely information relevant to a Firefox/Tor Browser user.

All the best, Jacob
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 08/07/2013 12:35 PM, Jacob Appelbaum wrote:

The advisory was about a bug being exploited in the wild, so, yes. That was covered well in Roger's last email.

I'm aware, I did read his email. I was just under the impression that you publish advisories about *vulnerabilities*, not about *exploits*. But perhaps you're teaching me (and the rest of the community) something new here! ;-)

The purpose of an advisory is to alert users about various kinds of information. We covered the vulnerability and the exploit details that we knew at various times. We first published a blog post that detailed that we didn't yet have all information about what we'd heard rumored. We then published a second blog post detailing the new information. We also sent an email about it. I'd say that all three are advisory in nature - they literally advise users of what we know. The final email to tor-announce was an advisory about a specific vulnerability that was being exploited in the wild.

I'd encourage you to read Roger's email (again, or for the first time). Specifically the part where we encouraged users to upgrade, notified every browser user that there was a security update and so on.

That's pretty great, but it doesn't count as an advisory, no matter how hard you seem to want it to.

THIS is an advisory: https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html

A CVE is what most consider the standard way of discussing an issue regardless of format or medium. We could probably improve by referencing CVEs of Mozilla's ESR security page rather than simply referencing the MFSA alone. As it is we referenced mfsa2013-53 but we didn't directly reference CVE-2013-1690. Part of the reason is that the MFSA is more specific than the CVE, which details the most likely information relevant to a Firefox/Tor Browser user.

All the best, Jacob

How about we stop this nonsense repetitive blame game and get back to proposing good practices for the future?

Nadim, since you clearly admitted on the other thread from Shava that you're just campaigning a personal attack against Jacob, I'm not even gonna argue against your position (which I find practically, logistically and technically meaningless by the way). If you want to keep having an ego fight with Jacob, please continue it privately (or better don't continue it at all), this is tedious to read and it's killing a thread that could be beneficial for everybody.

Best, Claudio
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 8/7/13 9:22 AM, Claudio wrote:

How about we stop this nonsense repetitive blame game and get back to proposing good practices for the future?

Nadim, since you clearly admitted on the other thread from Shava that you're just campaigning a personal attack against Jacob, I'm not even gonna argue against your position (which I find practically, logistically and technically meaningless by the way). If you want to keep having an ego fight with Jacob, please continue it privately (or better don't continue it at all), this is tedious to read and it's killing a thread that could be beneficial for everybody.

+1
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Although I agree in principle (in the sense of friendly advice to Nadim), let's all just remember this same advice the next time Applebaum goes on one of *his* tirades, shall we? Now returning to your regularly scheduled rants against The Man.

On Wed, Aug 7, 2013 at 8:29 AM, Joseph Lorenzo Hall j...@cdt.org wrote:

On 8/7/13 9:22 AM, Claudio wrote:

How about we stop this nonsense repetitive blame game and get back to proposing good practices for the future?

Nadim, since you clearly admitted on the other thread from Shava that you're just campaigning a personal attack against Jacob, I'm not even gonna argue against your position (which I find practically, logistically and technically meaningless by the way). If you want to keep having an ego fight with Jacob, please continue it privately (or better don't continue it at all), this is tedious to read and it's killing a thread that could be beneficial for everybody.

+1

-- @kylemaxwell
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 8/7/2013 8:29 AM, Joseph Lorenzo Hall wrote:

On 8/7/13 9:22 AM, Claudio wrote:

How about we stop this nonsense repetitive blame game and get back to proposing good practices for the future?

Nadim, since you clearly admitted on the other thread from Shava that you're just campaigning a personal attack against Jacob, I'm not even gonna argue against your position (which I find practically, logistically and technically meaningless by the way). If you want to keep having an ego fight with Jacob, please continue it privately (or better don't continue it at all), this is tedious to read and it's killing a thread that could be beneficial for everybody.

+1

I add my vote also. If you two want to fight like little girls, take it off list. Continuing to SPAM the list with your constant bickering only increases your lack of credibility.

-- Crypto
Keywords: terrorism, bombs, jogging, suntan lotion, nails, pellets, knives, shoes, underwear, milk, socks, hair, toenails, masturbation, gasoline, cooking oil, mayonnaise, bananas, Obama, Clinton, EFF, NSA, FBI, PGP, USA, pressure cooker, marathon, fertilizer
Keywords are not necessarily in order of importance
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
little girls?! WTF

On Wed Aug 7 09:37:55 2013, Crypto wrote:

On 8/7/2013 8:29 AM, Joseph Lorenzo Hall wrote:

I add my vote also. If you two want to fight like little girls, take it off list. Continuing to SPAM the list with your constant bickering only increases your lack of credibility.
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Yay casual sexism... okay, everybody's had their say. I agree with Nadim's point, but he's made it already, and I agree with those who say it's time for us all to get back to work. It's a beautiful day here in Texas and I hope for the same for you all, wherever you are. I'll be getting back to being seriously productive now myself.

On Wed, Aug 7, 2013 at 8:42 AM, Joseph Lorenzo Hall j...@cdt.org wrote:

little girls?! WTF

On Wed Aug 7 09:37:55 2013, Crypto wrote:

On 8/7/2013 8:29 AM, Joseph Lorenzo Hall wrote:

I add my vote also. If you two want to fight like little girls, take it off list. Continuing to SPAM the list with your constant bickering only increases your lack of credibility.

-- @kylemaxwell
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 8/7/2013 8:49 AM, Kyle Maxwell wrote:

Yay casual sexism... okay, everybody's had their say. I agree with Nadim's point, but he's made it already, and I agree with those who say it's time for us all to get back to work. It's a beautiful day here in Texas and I hope for the same for you all, wherever you are. I'll be getting back to being seriously productive now myself.

On Wed, Aug 7, 2013 at 8:42 AM, Joseph Lorenzo Hall j...@cdt.org wrote:

little girls?!

My apologies for sounding sexist. Actually I *DO* have 2 little girls ages 4 and 5. They can start bickering about something and it can last for hours! If you ask either one of them what the original argument was about neither one of them remembers! It's just that this thread was starting to remind me of my two girls.

-- Crypto
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
No and no. It was an issue found by an external security researcher who has submitted a lot of issues to us over time. He found it through his process of investigation and reported it directly to us (responsible disclosure and such). It was a problem and we fixed it. The first indications of any exploit using it at all were when things happened with Tor this last weekend.

If an unfixed bug is being used in the wild, that's a 0 Day and we'll scramble to fix it if the bug is severe enough to merit it. If it is a bug that we've already fixed, we'll investigate to see if further mitigation is necessary and if there is anything further to be done. We had people spend their Sundays looking at the bug in question before it was completely narrowed down, double-checked, and confirmed to be the older issue that had been fixed in the current release of the time (we actually had another normal release yesterday as it is that time on the six week clock).

Al

-- Al Billings http://makehacklearn.org

On Wednesday, August 7, 2013 at 2:58 AM, Jacob Appelbaum wrote:

Al - did Mozilla know it was being exploited in the wild, a month ago? Was there a known difference at the time between this bug and say, the others which were fixed in the ESR17 release cycle?
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
OK, everyone, let's try to cool it a bit. This discussion is extremely important, so let's not let it deteriorate into bickering. Otherwise, I'll have to moderate it, a task I don't enjoy. Kudos to all of you who have already expressed a similar sentiment.

Yosem, one of the moderators

On Wed, Aug 7, 2013 at 9:50 AM, Al Billings alb...@openbuddha.com wrote:

No and no. It was an issue found by an external security researcher who has submitted a lot of issues to us over time. He found it through his process of investigation and reported it directly to us (responsible disclosure and such). It was a problem and we fixed it. The first indications of any exploit using it at all were when things happened with Tor this last weekend.

If an unfixed bug is being used in the wild, that's a 0 Day and we'll scramble to fix it if the bug is severe enough to merit it. If it is a bug that we've already fixed, we'll investigate to see if further mitigation is necessary and if there is anything further to be done. We had people spend their Sundays looking at the bug in question before it was completely narrowed down, double-checked, and confirmed to be the older issue that had been fixed in the current release of the time (we actually had another normal release yesterday as it is that time on the six week clock).

Al

-- Al Billings http://makehacklearn.org

On Wednesday, August 7, 2013 at 2:58 AM, Jacob Appelbaum wrote:

Al - did Mozilla know it was being exploited in the wild, a month ago? Was there a known difference at the time between this bug and say, the others which were fixed in the ESR17 release cycle?
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 2013-08-06, at 3:19 AM, Jacob Appelbaum ja...@appelbaum.net wrote:

> Griffin Boyce:
>> Al,
>>
>> We may have to disagree as to the way forward. I hate to be contentious, but it seems unlikely that Tor applied a patch without reading Firefox's changelog. Two days ago I presented a talk which emphasized how useful Tor is -- and I stand by that. Tor is still the best option for maintaining one's anonymity.
>
> Hi Griffin,
>
> Do you plan to release security advisories for all updates to the Linux kernel, GNU user space utilities and other dependencies in the commotion router firmware?

How is this, in any way, shape or form, relevant? Are you seriously opening up Commotion's bug handling in order to sort of justify this Tor situation?

Tor had forked Firefox into its own browser, which is called Tor Browser. Mozilla issued an advisory for Firefox the day the bug was discovered, about five weeks ago. Tor should have issued a similar advisory for Tor Browser and consequently the Tor Browser Bundle, especially considering that the Tor Browser Bundle is by far *the* most visible way for end-users to download and use Tor these days.

> I suppose no but perhaps I'm mistaken? Has anyone done so with new commotion releases? I don't see[0][1] such notes, am I missing something? It seems impractical to note every change from downstream projects. Clearly you seem to disagree but I do wonder where you draw the line? Do your projects have some example where we might see the line in action, so to speak?
>
> As far as I can tell, we issued a security advisory within twenty-four hours.

Actually, Tor issued a security advisory for Tor Browser a full 39 days after Mozilla did for Firefox.

> We spent more than a full day of multiple people's time working non-stop to understand the scope, the impact and the outcomes of this issue. We were already working on this task when you and another decided to jump up and down to let us know that we were failures by any other name.
>
> I'd say thanks but that isn't the word that comes to mind…

I'd say thanks but that isn't the word that comes to mind… Dude, you're supposed to be Tor's outreach guy! Come on!

> The Tor Project does not triage every single Mozilla Firefox bug. We do try to understand which bugs are security critical. We do aim to track and put our energy into ensuring our browser uses the latest ESR releases. This generally includes lots of code fixes, security as well as other kinds of fixes, though we may not always fully understand every issue - we tend to trust Mozilla's lead on this topic. TBB requires lots of effort to forward port our privacy preserving patches as they are not in the mainline Mozilla repositories.
>
> We did this as we always do with TBB releases and we released patched versions of the software before we ever even learned of the exploit discovered this weekend that targets old, unpatched users:
>
> 2.3.25-10 (released June 26 2013)
> 2.4.15-alpha-1 (released June 26 2013)
> 2.4.15-beta-1 (released July 8 2013)
> 3.0alpha2 (released June 30 2013)
>
> By a general count, it was around a month ago that we released patched versions. We normally just note that we've bumped the included projects to their latest stable versions - though in the case of our latest alpha, we specifically said[2]:
>
> "In addition to providing important security updates to Firefox and Tor, these release binaries should now be exactly reproducible from the source code by anyone."
>
> Do you think that we should include that text with every single release? ie: "This update provides important security updates to Firefox and Tor" or something along those lines? Shall we just put that in every single release note? Is that really helpful?

Actually, isn't that exactly what you've said I should do with my own project, Cryptocat, numerous times? It's actually really illuminating that you in fact are committing the exact same outreach and mitigation blunders that you keep criticizing other projects for.

> If you have a suggestion for how we might improve, I'm open to hearing it - though as far as I am able to tell - there isn't much to be done except to say "security update" next to "firefox update" in our normal release notes. That isn't very helpful as nearly every Firefox update in ESR is a security or stability related release. Please do feel free to suggest something constructive - if we have room for improvement, we're happy to make it!

I think your entire email is not constructive. Roger's email with the actual advisory was awesome. Maybe he should represent Tor on this list from now on.

NK

> All the best,
> Jacob
>
> [0] https://commotionwireless.net/download/openwrt
> [1] https://commotionwireless.net/blog/new-commotion-release-dr1-ready-testing
> [2] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released

--
Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at compa...@stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Nadim Kobeissi:
> On 2013-08-06, at 3:19 AM, Jacob Appelbaum ja...@appelbaum.net wrote:
>> Griffin Boyce:
>>> Al,
>>>
>>> We may have to disagree as to the way forward. I hate to be contentious, but it seems unlikely that Tor applied a patch without reading Firefox's changelog. Two days ago I presented a talk which emphasized how useful Tor is -- and I stand by that. Tor is still the best option for maintaining one's anonymity.
>>
>> Hi Griffin,
>>
>> Do you plan to release security advisories for all updates to the Linux kernel, GNU user space utilities and other dependencies in the commotion router firmware?
>
> How is this, in any way, shape or form, relevant? Are you seriously opening up Commotion's bug handling in order to sort of justify this Tor situation?

I'm asking for the clear line. Simple enough. Firefox's advisory seems fine to me but Griffin and you seem to suggest otherwise. I don't see an example of this suggestion being carried out by other projects - so either I misunderstand or we're exceptional. Either is fine with me, or another option which I'm not aware of - I'm sure that one of those is the case...

This has nothing to do with 'justifying' anything - it has to do with asking for a clear example of what seems reasonable and is *already* done by someone. Please feel free to answer the question, we're happy to learn from an example. Are either of you involved in such an example? Might we learn from your example? If so, where might we see it?

> Tor had forked Firefox into its own browser, which is called Tor Browser. Mozilla issued an advisory for Firefox the day the bug was discovered, about five weeks ago. Tor should have issued a similar advisory for Tor Browser and consequently the Tor Browser Bundle, especially considering that the Tor Browser Bundle is by far *the* most visible way for end-users to download and use Tor these days.

I think Tails is perhaps more popular but that is a side note, I suppose.

>> I suppose no but perhaps I'm mistaken? Has anyone done so with new commotion releases? I don't see[0][1] such notes, am I missing something? It seems impractical to note every change from downstream projects. Clearly you seem to disagree but I do wonder where you draw the line? Do your projects have some example where we might see the line in action, so to speak?
>>
>> As far as I can tell, we issued a security advisory within twenty-four hours.
>
> Actually, Tor issued a security advisory for Tor Browser a full 39 days after Mozilla did for Firefox.

Mozilla issued an updated blog post in the last day or so because of us contacting them. They clarified the specific issue around the same time as us. Al has already pointed this out - he works at Mozilla, so I suppose he seems to agree that we don't need to copy every advisory they write into our release notes.

>> We spent more than a full day of multiple people's time working non-stop to understand the scope, the impact and the outcomes of this issue. We were already working on this task when you and another decided to jump up and down to let us know that we were failures by any other name.
>>
>> I'd say thanks but that isn't the word that comes to mind…
>
> I'd say thanks but that isn't the word that comes to mind… Dude, you're supposed to be Tor's outreach guy! Come on!

I've asked for specific clarity on the level of granularity, I have yet to see a reply that addresses my question.

>> The Tor Project does not triage every single Mozilla Firefox bug. We do try to understand which bugs are security critical. We do aim to track and put our energy into ensuring our browser uses the latest ESR releases. This generally includes lots of code fixes, security as well as other kinds of fixes, though we may not always fully understand every issue - we tend to trust Mozilla's lead on this topic. TBB requires lots of effort to forward port our privacy preserving patches as they are not in the mainline Mozilla repositories.
>>
>> We did this as we always do with TBB releases and we released patched versions of the software before we ever even learned of the exploit discovered this weekend that targets old, unpatched users:
>>
>> 2.3.25-10 (released June 26 2013)
>> 2.4.15-alpha-1 (released June 26 2013)
>> 2.4.15-beta-1 (released July 8 2013)
>> 3.0alpha2 (released June 30 2013)
>>
>> By a general count, it was around a month ago that we released patched versions. We normally just note that we've bumped the included projects to their latest stable versions - though in the case of our latest alpha, we specifically said[2]:
>>
>> "In addition to providing important security updates to Firefox and Tor, these release binaries should now be exactly reproducible from the source code by anyone."
>>
>> Do you think that we should include that text with every single release? ie: "This update provides important security updates to Firefox and Tor" or something along those lines? Shall we just put that in every single release
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com wrote:

> Nadim you seem confused by how this works. Tor doesn't need to issue advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps they can link to them clearly but if you want to know about security issues Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. There's not much point in duplicating them on a second site. Tor would be better served by writing advisories for its own, unique, security fixes.

> Tor doesn't need to issue advisories for Firefox issues.

Tor needs to issue advisories for Tor Browser issues, and not five weeks later when s**t hits the fan. I really don't think one can reasonably disagree with the above statement. Tor Browser is a Firefox fork.

NK

> Al
>
> --
> Al Billings
> http://makehacklearn.org
>
> On Tuesday, August 6, 2013 at 1:28 AM, Nadim Kobeissi wrote:
>> On 2013-08-06, at 3:19 AM, Jacob Appelbaum ja...@appelbaum.net wrote:
>>> Griffin Boyce:
>>>> Al,
>>>>
>>>> We may have to disagree as to the way forward. I hate to be contentious, but it seems unlikely that Tor applied a patch without reading Firefox's changelog. Two days ago I presented a talk which emphasized how useful Tor is -- and I stand by that. Tor is still the best option for maintaining one's anonymity.
>>>
>>> Hi Griffin,
>>>
>>> Do you plan to release security advisories for all updates to the Linux kernel, GNU user space utilities and other dependencies in the commotion router firmware?
>>
>> How is this, in any way, shape or form, relevant? Are you seriously opening up Commotion's bug handling in order to sort of justify this Tor situation?
>>
>> Tor had forked Firefox into its own browser, which is called Tor Browser. Mozilla issued an advisory for Firefox the day the bug was discovered, about five weeks ago. Tor should have issued a similar advisory for Tor Browser and consequently the Tor Browser Bundle, especially considering that the Tor Browser Bundle is by far *the* most visible way for end-users to download and use Tor these days.
>>
>>> I suppose no but perhaps I'm mistaken? Has anyone done so with new commotion releases? I don't see[0][1] such notes, am I missing something? It seems impractical to note every change from downstream projects. Clearly you seem to disagree but I do wonder where you draw the line? Do your projects have some example where we might see the line in action, so to speak?
>>>
>>> As far as I can tell, we issued a security advisory within twenty-four hours.
>>
>> Actually, Tor issued a security advisory for Tor Browser a full 39 days after Mozilla did for Firefox.
>>
>>> We spent more than a full day of multiple people's time working non-stop to understand the scope, the impact and the outcomes of this issue. We were already working on this task when you and another decided to jump up and down to let us know that we were failures by any other name.
>>>
>>> I'd say thanks but that isn't the word that comes to mind…
>>
>> I'd say thanks but that isn't the word that comes to mind… Dude, you're supposed to be Tor's outreach guy! Come on!
>>
>>> The Tor Project does not triage every single Mozilla Firefox bug. We do try to understand which bugs are security critical. We do aim to track and put our energy into ensuring our browser uses the latest ESR releases. This generally includes lots of code fixes, security as well as other kinds of fixes, though we may not always fully understand every issue - we tend to trust Mozilla's lead on this topic. TBB requires lots of effort to forward port our privacy preserving patches as they are not in the mainline Mozilla repositories.
>>>
>>> We did this as we always do with TBB releases and we released patched versions of the software before we ever even learned of the exploit discovered this weekend that targets old, unpatched users:
>>>
>>> 2.3.25-10 (released June 26 2013)
>>> 2.4.15-alpha-1 (released June 26 2013)
>>> 2.4.15-beta-1 (released July 8 2013)
>>> 3.0alpha2 (released June 30 2013)
>>>
>>> By a general count, it was around a month ago that we released patched versions. We normally just note that we've bumped the included projects to their latest stable versions - though in the case of our latest alpha, we specifically said[2]:
>>>
>>> "In addition to providing important security updates to Firefox and Tor, these release binaries should now be exactly reproducible from the source code by anyone."
>>>
>>> Do you think that we should include that text with every single release? ie: "This update provides important security updates to Firefox and Tor" or something along those lines? Shall we just put that in every single release note? Is that really helpful?
>>
>> Actually, isn't that exactly what you've said I should do with my own project, Cryptocat, numerous times? It's actually really illuminating that you in fact are committing the exact same outreach and mitigation blunders that you keep criticizing other projects for.
>>
>>> If you have a
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Tue, Aug 6, 2013 at 12:30 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
> Please feel free to answer the question, we're happy to learn from an example. Are either of you involved in such an example? Might we learn from your example? If so, where might we see it?

Tails references upstream advisories, or at least did so in the past.
https://tails.boum.org/security/Numerous_security_holes_in_0.18/

I actually think they are going overboard with those, but it's an example.

The whole situation is pretty funny, by the way, since Mike Perry (TBB dev) was accused of maintaining Freedom Hosting by those OpDarknet clowns two years ago:
http://pastebin.com/qWHDWCre

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Nadim Kobeissi:
> On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com wrote:
>> Nadim you seem confused by how this works. Tor doesn't need to issue advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps they can link to them clearly but if you want to know about security issues Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. There's not much point in duplicating them on a second site. Tor would be better served by writing advisories for its own, unique, security fixes.
>
>> Tor doesn't need to issue advisories for Firefox issues.
>
> Tor needs to issue advisories for Tor Browser issues, and not five weeks later when s**t hits the fan. I really don't think one can reasonably disagree with the above statement. Tor Browser is a Firefox fork.

Should we issue a single advisory for each possible security issue that Firefox has already noted in their change log? Each confirmed security issue? Should we ask for a second CVE to cover each CVE they receive?

Your point is unclear in practice. Please do spell it out and if possible, please demonstrate how you do so in your own projects?

All the best,
Jacob
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 2013-08-06, at 12:55 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

> Nadim Kobeissi:
>> On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com wrote:
>>> Nadim you seem confused by how this works. Tor doesn't need to issue advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps they can link to them clearly but if you want to know about security issues Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. There's not much point in duplicating them on a second site. Tor would be better served by writing advisories for its own, unique, security fixes.
>>
>>> Tor doesn't need to issue advisories for Firefox issues.
>>
>> Tor needs to issue advisories for Tor Browser issues, and not five weeks later when s**t hits the fan. I really don't think one can reasonably disagree with the above statement. Tor Browser is a Firefox fork.
>
> Should we issue a single advisory for each possible security issue that Firefox has already noted in their change log? Each confirmed security issue? Should we ask for a second CVE to cover each CVE they receive?

What's the alternative, Jake? Wait until the NSA exploits an innumerable amount of Tor users and then quickly write an advisory for a bug that was quietly fixed without a warning from Tor five weeks but still exploited? Because that is exactly what happened this time. Tor can just go on doing this again and again, or yes, you could issue advisories.

You are maintaining your own browser called Tor Browser. Stop shifting blame onto Firefox. You're the guy who told me to never shift blame when you have a security vulnerability in the software you yourself are shipping. Practice what you preach.

I sound harsh, sure, but at least I'm being productive and not freaking out about my ego.

NK

> Your point is unclear in practice. Please do spell it out and if possible, please demonstrate how you do so in your own projects?
>
> All the best,
> Jacob
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Maxim Kammerer:
> On Tue, Aug 6, 2013 at 12:30 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
>> Please feel free to answer the question, we're happy to learn from an example. Are either of you involved in such an example? Might we learn from your example? If so, where might we see it?
>
> Tails references upstream advisories, or at least did so in the past.
> https://tails.boum.org/security/Numerous_security_holes_in_0.18/

I agree - Tails does a pretty good job of referencing upstream but they don't email out an advisory for each issue in each upstream project. Nor do they do a specific analysis of each bug spending many days of people time per bug. Somewhere there is a line and clearly, we failed to meet the high standards of a few folks on this list. I'm mostly curious if that high standard will be expressed in a cohesive manner where we might learn from it.

> I actually think they are going overboard with those, but it's an example.

Where do you draw the line? I guess with release notes that bump versions, mention that users should upgrade and so on?

I tend to like the Tails way of doing things - I have advocated for a little more linkage to security advisories. Still, I think it is not as critical as a secure updater or packaging TBB for various packaging systems. We're understaffed, so we tend to pick the few things we might accomplish and writing such advisory emails is weird unless there is an exceptional event. Firefox bugs and corresponding updates are not exceptional events. :(

Also, I'll note even Tails doesn't reference sub-modules of the specific projects - they are just linking to DSA and related pages.

> The whole situation is pretty funny, by the way, since Mike Perry (TBB dev) was accused of maintaining Freedom Hosting by those OpDarknet clowns two years ago:
> http://pastebin.com/qWHDWCre

It is awful for Mike and I can't even begin to find it funny in the least. Though I'll take your point that it is rich with awful irony.

All the best,
Jacob
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Nadim Kobeissi:
> On 2013-08-06, at 12:55 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
>> Nadim Kobeissi:
>>> On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com wrote:
>>>> Nadim you seem confused by how this works. Tor doesn't need to issue advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps they can link to them clearly but if you want to know about security issues Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. There's not much point in duplicating them on a second site. Tor would be better served by writing advisories for its own, unique, security fixes.
>>>
>>>> Tor doesn't need to issue advisories for Firefox issues.
>>>
>>> Tor needs to issue advisories for Tor Browser issues, and not five weeks later when s**t hits the fan. I really don't think one can reasonably disagree with the above statement. Tor Browser is a Firefox fork.
>>
>> Should we issue a single advisory for each possible security issue that Firefox has already noted in their change log? Each confirmed security issue? Should we ask for a second CVE to cover each CVE they receive?
>
> What's the alternative, Jake?

That was a list of choices and you didn't choose one. Please choose one or more - though not all of them make sense when put together. It was a question and well, your answer isn't much of an answer.

> Wait until the NSA exploits an innumerable amount of Tor users and then quickly write an advisory for a bug that was quietly fixed without a warning from Tor five weeks but still exploited?

This is not accurate. We heard about attempts at exploitation and within ~24hrs we released an advisory - we had already released fixed code a ~month before exploitation was found in the wild. Please do not mix up the time-line. To restate:

2.3.25-10 (released June 26 2013)
2.4.15-alpha-1 (released June 26 2013)
2.4.15-beta-1 (released July 8 2013)
3.0alpha2 (released June 30 2013)

The exploit was found in the wild last weekend, I learned about it on or around August 4th. Please note that our patched versions were released nearly a month before this was found in the wild. There is no reason to support the conclusion that we silently fixed anything in response to an exploit. Please consider that your statement is entirely unsupported by evidence, Nadim.

> Because that is exactly what happened this time. Tor can just go on doing this again and again, or yes, you could issue advisories.
>
> You are maintaining your own browser called Tor Browser. Stop shifting blame onto Firefox. You're the guy who told me to never shift blame when you have a security vulnerability in the software you yourself are shipping. Practice what you preach.

Your assessment of this situation is incorrect. We regularly release updates that include updates to included code and often, we make note of the fact that the upstream code has security fixes included. There is no blame shifting, only a question of how to best share that information in a way that users will understand. I have asked repeatedly for examples and for details of how to improve things - you seem only interested in slinging mud. Perhaps this isn't the most useful way forward?

> I sound harsh, sure, but at least I'm being productive and not freaking out about my ego.

I don't think you are being productive at this point in the conversation. You are correct and I agree with you - you are harsh - I'll extend this commentary: it reflects poorly on you(r ego) and very little is gained by such behavior.

All the best,
Jacob
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Tue, Aug 6, 2013 at 1:07 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
> Somewhere there is a line and clearly, we failed to meet the high standards of a few folks on this list. I'm mostly curious if that high standard will be expressed in a cohesive manner where we might learn from it.

Well, in the end, it's all done for the users. Keeping software up-to-date is easier than following advisories, even more so if there is an auto-update functionality. So I don't understand the big deal about not reissuing advisories for upstream projects, which takes a lot of time for dubious effect.

Although the point becomes moot once you are talking about libraries that are not directly used, unlike major Firefox-level applications. E.g.: https://blog.torproject.org/blog/new-openssl-vulnerability-tor-not-affected

>> http://pastebin.com/qWHDWCre
>
> It is awful for Mike and I can't even begin to find it funny in the least. Though I'll take your point that it is rich with awful irony.

I don't think anyone took those guys seriously back then (or anyone whose opinion matters, at least).

--
Maxim Kammerer
Liberté Linux: http://dee.su/liberte
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Jacob Appelbaum:
> Nadim Kobeissi:
>> On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com wrote:
>>> Nadim you seem confused by how this works. Tor doesn't need to issue advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps they can link to them clearly but if you want to know about security issues Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. There's not much point in duplicating them on a second site. Tor would be better served by writing advisories for its own, unique, security fixes.
>>
>>> Tor doesn't need to issue advisories for Firefox issues.
>>
>> Tor needs to issue advisories for Tor Browser issues, and not five weeks later when s**t hits the fan. I really don't think one can reasonably disagree with the above statement. Tor Browser is a Firefox fork.
>
> Should we issue a single advisory for each possible security issue that Firefox has already noted in their change log? Each confirmed security issue? Should we ask for a second CVE to cover each CVE they receive?
>
> Your point is unclear in practice. Please do spell it out and if possible, please demonstrate how you do so in your own projects?

Just a couple friendly concepts. Your message wasn't addressed to me. By the way, it didn't occur to me to blame the Tor Project.

I don't know about every average Josephine, Josue, and Tsu, Anu, etc. on the streets of the world, but it is obvious to me from my user standpoint that the TBB is a patched version of Firefox (admittedly, one has to dig a bit to determine which version of the underlying Firefox it is based on, which I wouldn't expect the average user to do or know). The average user of neither software likely sees or reads security advisories, although I think they happily allow the latest versions of Firefox to automatically update themselves.

TBB users are at special risk of being targeted for spying (according to recent news reports), hacking/exploits (as is the case in this instance), and this may be increasingly true in the future.

Oops. I'm a slow typist (just getting up): From Jacob Appelbaum's next mail to a mail:

> I tend to like the Tails way of doing things - I have advocated for a little more linkage to security advisories. Still, I think it is not as critical as a secure updater or packaging TBB for various packaging systems. We're understaffed, so we tend to pick the few things we might accomplish and writing such advisory emails is weird unless there is an exceptional event. Firefox bugs and corresponding updates are not exceptional events. :(
>
> Also, I'll note even Tails doesn't reference sub-modules of the specific projects - they are just linking to DSA and related pages.

The point I was getting to is that several parallel strategies come to mind:

(1) It would not be a bad idea to post applicable Firefox-issued security advisories to one of your lists.

(2) Even have an RSS feed of them available through the TBB, as well as RSS of TBB releases, and what security issues are covered including ones advised by Firefox. This could notify of stable, alpha and beta releases, so everyone knows when security updates are available, possibly at the cost of stability.

(3) When you get an update mechanism going, for stability reasons, you probably want it to automatically only update to stable or beta releases[?]. However, you could have a parallel release schedule to get these upstream patches out ASAP. I realize labor is involved here; but if at all possible, updating your last stable patch to work with the latest Firefox release ASAP and releasing it as a stable/beta while continuing development on a more major/feature-related update that will start as an alpha release when ready (possibly backporting some TBB-only security fixes only to your last patch when it makes sense).

Obviously, this is free software, and you must work within the constraints of your resources. The frequent security updates would have the most tangible benefit for most users, but it would be a decent user service to notify of security issues that apply/could apply to the TBB as well.

Thanks for your invaluable work.

Asa
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Maxim Kammerer:
> On Tue, Aug 6, 2013 at 1:07 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
>> Somewhere there is a line and clearly, we failed to meet the high standards of a few folks on this list. I'm mostly curious if that high standard will be expressed in a cohesive manner where we might learn from it.
>
> Well, in the end, it's all done for the users. Keeping software up-to-date is easier than following advisories, even more so if there is an auto-update functionality. So I don't understand the big deal about not reissuing advisories for upstream projects, which takes a lot of time for dubious effect.

I tend to agree.

> Although the point becomes moot once you are talking about libraries that are not directly used, unlike major Firefox-level applications. E.g.: https://blog.torproject.org/blog/new-openssl-vulnerability-tor-not-affected

We wrote that because people asked us about those specific OpenSSL issues, if I remember correctly...

>>> http://pastebin.com/qWHDWCre
>>
>> It is awful for Mike and I can't even begin to find it funny in the least. Though I'll take your point that it is rich with awful irony.
>
> I don't think anyone took those guys seriously back then (or anyone whose opinion matters, at least).

Sadly, Mike took their harassment seriously. It was awful.

All the best,
Jacob
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Asa Rossoff: Jacob Appelbaum: Nadim Kobeissi: On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com wrote: Nadim you seem confused by how this works. Tor doesn't need to issue advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps they can link to them clearly but if you want to know about security issues Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. There's not much point in duplicating them on a second site. Tor would be better served by writing advisories for its own, unique, security fixes. Tor doesn't need to issue advisories for Firefox issues. Tor needs to issue advisories for Tor Browser issues, and not five weeks later when s**t hits the fan. I really don't think one can reasonably disagree with the above statement. Tor Browser is a Firefox fork. Should we issue a single advisory for each possible security issue that Firefox has already noted in their change log? Each confirmed security issue? Should we ask for a second CVE to cover each CVE they receive? Your point is unclear in practice. Please do spell it out and if possible, please demonstrate how you do so in your own projects? Just a couple friendly concepts. Your message wasn't addressed to me. By the way, it didn't occur to me to blame the Tor Project. Thanks for your response! I don't know about every average Josphine, Josue, and Tsu, Anu, etc. on the streets of the world, but it is obvious to me from my user standpoint that the TBB is a patched verion of Firefox (admittedly, one has to dig a bit to determine which version of the underlying Firefox it is based on, which I wouldn't expect the average user do to or know.). Ther average user of neither software likely doesn't see or read security adviseries, although I think they happily allow the latest versions o Firefox to automatically update themselves. Understood. 
TBB users are at special risk of being targeted for spying (according to recent news reports), hacking/exploits (as is the case in this instance), and this may be increasingly true in the future. Probably, yes. I think that is a fair assessment - though it applies to anyone who uses privacy, security and anonymity software, I think. Oops. I'm a slow typist (just getting up): From Jacob Appelbaum's next mail to a mail: I tend to like the Tails way of doing things - I have advocated for a little more linkage to security advisories. Still, I think it is not as critical as a secure updater or packaging TBB for various packaging systems. We're understaffed, so we tend to pick the few things we might accomplish and writing such advisory emails is weird unless there is an exceptional event. Firefox bugs and corresponding updates are not exceptional events. :( Also, I'll note even Tails doesn't reference sub-modules of the specific projects - they are just linking to DSA and related pages. The point I was getting to is that several parallel strategies come to mind: (1) It would not be a bad idea to post applicable Firefox-issued security advisories to one of your lists Part of the issue - from my perspective - is that 'applicable' is a bit nebulous. Nearly every bug *might* turn into an anonymity destroying bug with some engineering effort. (2) Even have an RSS feed of them available through the TBB, as well as RSS of TBB releases, and what security issues are covered including one advised by Firefox. This could notify of stable, alpha and beta releases, so everyone knows when security updates are available, possibly at the cost of stability. I like this idea - though I wonder how users would feel about it? Will they read it? Should it be our own RSS feed or an RSS feed of Mozilla's data? (3) When you get an update mechanism going, for stability reasons, you probably want it to automatically only update to stable or beta releases[?].
I tend to prefer 'secure' update over 'automatic' update. However, you could have a parallel release schedule to get these upstream patches out ASAP. I realize labor is involved here; but if at all possible, updating your last stable patch to work with the latest Firefox release ASAP and releasing it as a stable/beta while continuing development on a more major/feature-related update that will start as an alpha release when ready. (possibly backporting some TBB-only-security fixes only to your last patch when it makes sense). Sure, that seems reasonable. Obviously, this is free software, and you must work within the constraints of your resources. The frequent security updates would have the most tangible benefit for most users, but it would be a decent user service to notify of security issues that apply/could apply to the TBB as well. I think there is a balance here and I think adding more specific data to release notes is a reasonable improvement. I also think an RSS feed is a really good idea, thanks for that! I'll pass it on to those
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 2013-08-06, at 1:23 PM, Jacob Appelbaum ja...@appelbaum.net wrote: Nadim Kobeissi: On 2013-08-06, at 12:55 PM, Jacob Appelbaum ja...@appelbaum.net wrote: Nadim Kobeissi: On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com wrote: Nadim you seem confused by how this works. Tor doesn't need to issue advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps they can link to them clearly but if you want to know about security issues Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. There's not much point in duplicating them on a second site. Tor would be better served by writing advisories for its own, unique, security fixes. Tor doesn't need to issue advisories for Firefox issues. Tor needs to issue advisories for Tor Browser issues, and not five weeks later when s**t hits the fan. I really don't think one can reasonably disagree with the above statement. Tor Browser is a Firefox fork. Should we issue a single advisory for each possible security issue that Firefox has already noted in their change log? Each confirmed security issue? Should we ask for a second CVE to cover each CVE they receive? What's the alternative, Jake? That was a list of choices and you didn't choose one. Please choose one or more - though not all of them make sense when put together. It was a question and well, your answer isn't much of an answer. Yes, to be absolutely clear, I think Tor should issue advisories for confirmed security issues in Tor Browser, since Tor Browser is a fork of Firefox and is independently maintained. This is exactly what Tor did this time, except next time you shouldn't wait five weeks for the situation to explode. Wait until the NSA exploits an innumerable amount of Tor users and then quickly write an advisory for a bug that was quietly fixed without a warning from Tor five weeks but still exploited? This is not accurate. 
We heard about attempts at exploitation and within ~24hrs we released an advisory - we had already released fixed code a ~month before exploitation was found in the wild. Please do not mix up the time-line. To restate:

2.3.25-10 (released June 26 2013)
2.4.15-alpha-1 (released June 26 2013)
2.4.15-beta-1 (released July 8 2013)
3.0alpha2 (released June 30 2013)

The exploit was found in the wild last weekend, I learned about it on or around August 4th. Please note that our patched versions were released nearly a month before this was found in the wild. There is no reason to support the conclusion that we silently fixed anything in response to an exploit. Please consider that your statement is entirely unsupported by evidence, Nadim. I could be mistaken. Where's the advisory that was issued the day after, that mentions that a critical Tor Browser vulnerability was fixed? Because that is exactly what happened this time. Tor can just go on doing this again and again, or yes, you could issue advisories. You are maintaining your own browser called Tor Browser. Stop shifting blame onto Firefox. You're the guy who told me to never shift blame when you have a security vulnerability in the software you yourself are shipping. Practice what you preach. Your assessment of this situation is incorrect. We regularly release updates that include updates to included code and often, we make note of the fact that the upstream code has security fixes included. There is no blame shifting, only a question of how to best share that information in a way that users will understand. I have asked repeatedly for examples and for details of how to improve things - you seem only interested in slinging mud. Perhaps this isn't the most useful way forward? How am I only interested in slinging mud?! How are you even allowed to adopt a tone like this while doing your job as an advocate for Tor? I'm simply trying to advocate for Tor not waiting five weeks before releasing an advisory next time!
Comments like this are really just not acceptable, Jake. NK I sound harsh, sure, but at least I'm being productive and not freaking out about my ego. I don't think you are being productive at this point in the conversation. You are correct and I agree with you - you are harsh - I'll extend this commentary: it reflects poorly on you(r ego) and very little is gained by such behavior. All the best, Jacob
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Hi, Maxim Kammerer wrote (06 Aug 2013 09:52:36 GMT) : Tails references upstream advisories, or at least did so in the past. https://tails.boum.org/security/Numerous_security_holes_in_0.18/ Right, and we have no plan to stop doing this. What we've been doing for years when releasing a new Tails that fixes security issues (that is, basically every single one we've put out) is: 1. Users are told "your version of Tails has known security issues" on startup if needed; this one has a link to a security announce like the one Maxim pointed to. 2. We issue a release announcement, such as https://tails.boum.org/news/version_0.19/, that starts with "All users must upgrade as soon as possible", but doesn't point to the corresponding security advisory. After reading this thread, I wonder if we should perhaps change this, and have this sentence link to the security advisory. Cheers, -- intrigeri | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Jacob Appelbaum: I like this idea - though I wonder how users would feel about it? Will they read it? Should it be our own RSS feed or an RSS feed of Mozilla's data? I don't like the idea. You need to worry about the upgrading behavior of casual users of TBB, who aren't going to bother to read advisories. Republishing advisories takes a lot of your valuable time. Added to that, every fucking tiny crash-bug in Firefox may grow to a full-blown exploit like we've seen. The people that do read the advisories, can find them at the Firefox ESR advisory page (https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html). I do think you might want to bother to link to that list of vulnerabilities when releasing a new version of TBB with a security-updated Firefox. I also like the approach of the TAILS project. They just start every single release announcement with 'Numerous security bugs found in TAILS X.XX', which makes it crystal clear for the average user they need to upgrade. Every time. Also: please make separate blog posts for regular and alpha releases. It's been confusing before. Make sure the regular release sits on top on the blog listing. Let me propose the announcement of June 26th as I would've (retrospectively) liked to see it:

Subject: Security release. New Tor Browser Bundles.

Body: All of the Tor Browser Bundles have been updated with the new Firefox 17.0.7esr. This includes fixes to 8 vulnerabilities (https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html), of which 4 have critical impact, and 4 have high impact. We *strongly* urge you to update to the latest version of the Tor Browser Bundle (2.3.25-10) as soon as possible. [continue with download-easy link and list of updates]

Nadim Kobeissi: How am I only interested in slinging mud?! How are you even allowed to adopt a tone like this while doing your job as an advocate for Tor? I'm simply trying to advocate for Tor not waiting five weeks before releasing an advisory next time! Comments like this are really just not acceptable, Jake. Nadim, you need to calm the fuck down. Take a deep breath, re-read your own emails, and consider whether you need to apologize for your unproductive stampede.
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Joseph Lorenzo Hall: On 8/6/13 6:41 AM, Jacob Appelbaum wrote: (2) Even have an RSS feed of them available through the TBB, as well as RSS of TBB releases, and what security issues are covered including one advised by Firefox. This could notify of stable, alpha and beta releases, so everyone knows when security updates are available, possibly at the cost of stability. I like this idea - though I wonder how users would feel about it? Will they read it? Should it be our own RSS feed or an RSS feed of Mozilla's data? Not sure if this is practical but the TBB splash screen could give some notion of the implications of using an old specific TBB... e.g., with the version check return one or more critical vulns that have been patched, to warn the user and encourage immediate update? We do have an update indicator - soon, we'll have an updater as well, I think. We had a few discussions about it at the TorDev meeting in Munich last month. Frankly, I'm not sure this is solving a problem Tor/TBB has, but it strikes me that a warning along the lines of the following for old TBB would not be bad: Holy shit, this TBB is from 12 months ago! You're crazy to use such an outdated version. Please update! We do put a fairly large message on the splash page. We could probably improve the warning page based on elapsed time - currently it is just one page locally stored, I think. All the best, Jacob
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Nadim Kobeissi: On 2013-08-06, at 1:23 PM, Jacob Appelbaum ja...@appelbaum.net wrote: Nadim Kobeissi: On 2013-08-06, at 12:55 PM, Jacob Appelbaum ja...@appelbaum.net wrote: Nadim Kobeissi: On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com wrote: Nadim you seem confused by how this works. Tor doesn't need to issue advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps they can link to them clearly but if you want to know about security issues Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. There's not much point in duplicating them on a second site. Tor would be better served by writing advisories for its own, unique, security fixes. Tor doesn't need to issue advisories for Firefox issues. Tor needs to issue advisories for Tor Browser issues, and not five weeks later when s**t hits the fan. I really don't think one can reasonably disagree with the above statement. Tor Browser is a Firefox fork. Should we issue a single advisory for each possible security issue that Firefox has already noted in their change log? Each confirmed security issue? Should we ask for a second CVE to cover each CVE they receive? What's the alternative, Jake? That was a list of choices and you didn't choose one. Please choose one or more - though not all of them make sense when put together. It was a question and well, your answer isn't much of an answer. Yes, to be absolutely clear, I think Tor should issue advisories for confirmed security issues in Tor Browser, since Tor Browser is a fork of Firefox and is independently maintained. This is exactly what Tor did this time, except next time you shouldn't wait five weeks for the situation to explode. This is where the confusion comes into play, I think. 
Please note the advisory we released this week: https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html We specifically address the one thing we *know* that is being exploited and we note that there are other issues, though we don't go into depth as upgrading is the only path forward. Now note the Mozilla security issues for the Firefox ESR releases: https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html You're on the one hand saying that we did the right thing and on the other, you're saying that we should issue an advisory for *confirmed* security issues. Mozilla confirmed a handful. Doesn't that imply that our advisory should have covered everything Firefox fixed between versions? And if so, should we note everything, even if it doesn't *appear* to be a security issue? Just in case? Now on the one hand, you're saying we waited five weeks - when in fact we didn't, we released an advisory within a day of discovering that TBB was being targeted, which is different from Firefox generally I might add. We did also note with the release of 3.0alpha2 that it included security and stability fixes as we often do when we bump Firefox. So clearly between "hey, upgrade" and "exploit discovered" there is a middle ground. I'm confused by the middle ground you have chosen. It doesn't seem that we should wait until exploits are in the wild to note the security features of new releases (which we didn't, but we didn't issue an advisory for every Firefox issue), and yet, if an exploit is discovered, we should post an advisory that specifically addresses what we know about it, no? Wait until the NSA exploits an innumerable amount of Tor users and then quickly write an advisory for a bug that was quietly fixed without a warning from Tor five weeks but still exploited? This is not accurate.
We heard about attempts at exploitation and within ~24hrs we released an advisory - we had already released fixed code a ~month before exploitation was found in the wild. Please do not mix up the time-line. To restate:

2.3.25-10 (released June 26 2013)
2.4.15-alpha-1 (released June 26 2013)
2.4.15-beta-1 (released July 8 2013)
3.0alpha2 (released June 30 2013)

The exploit was found in the wild last weekend, I learned about it on or around August 4th. Please note that our patched versions were released nearly a month before this was found in the wild. There is no reason to support the conclusion that we silently fixed anything in response to an exploit. Please consider that your statement is entirely unsupported by evidence, Nadim. I could be mistaken. Where's the advisory that was issued the day after, that mentions that a critical Tor Browser vulnerability was fixed? Once we triaged the bug with Mozilla - both Tor and Mozilla posted updates: https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/ https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable We even posted a blog before we had all the details: https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting We also
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
intrigeri: Hi, Maxim Kammerer wrote (06 Aug 2013 09:52:36 GMT) : Tails references upstream advisories, or at least did so in the past. https://tails.boum.org/security/Numerous_security_holes_in_0.18/ Right, and we have no plan to stop doing this. What we've been doing for years when releasing a new Tails that fixes security issues (that is, basically every single one we've put out) is: 1. Users are told "your version of Tails has known security issues" on startup if needed; this one has a link to a security announce like the one Maxim pointed to. Seems reasonable. 2. We issue a release announcement, such as https://tails.boum.org/news/version_0.19/, that starts with "All users must upgrade as soon as possible", but doesn't point to the corresponding security advisory. After reading this thread, I wonder if we should perhaps change this, and have this sentence link to the security advisory. I tend to think that cross linking is a good idea. All the best, Jacob
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
konfku...@riseup.net: Jacob Appelbaum: I like this idea - though I wonder how users would feel about it? Will they read it? Should it be our own RSS feed or an RSS feed of Mozilla's data? I don't like the idea. You need to worry about the upgrading behavior of casual users of TBB, who aren't going to bother to read advisories. Republishing advisories takes a lot of your valuable time. Added to that, every fucking tiny crash-bug in Firefox may grow to a full-blown exploit like we've seen. I tend to agree with this problem - almost any little bug can turn into an anonymity or security issue. :( The people that do read the advisories, can find them at the Firefox ESR advisory page (https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html). I do think you might want to bother to link to that list of vulnerabilities when releasing a new version of TBB with a security-updated Firefox. I also like the approach of the TAILS project. They just start every single release announcement with 'Numerous security bugs found in TAILS X.XX', which makes it crystal clear for the average user they need to upgrade. Every time. I think linking to https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html is a good idea. I've emailed some people about it - I think it should go into the ChangeLog. Also: please make separate blog posts for regular and alpha releases. It's been confusing before. Make sure the regular release sits on top on the blog listing. Good idea. Let me propose the announcement of June 26th as I would've (retrospectively) liked to see it:

Subject: Security release. New Tor Browser Bundles.

Body: All of the Tor Browser Bundles have been updated with the new Firefox 17.0.7esr. This includes fixes to 8 vulnerabilities (https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html), of which 4 have critical impact, and 4 have high impact. We *strongly* urge you to update to the latest version of the Tor Browser Bundle (2.3.25-10) as soon as possible. [continue with download-easy link and list of updates]

Sounds very reasonable. Nadim Kobeissi: How am I only interested in slinging mud?! How are you even allowed to adopt a tone like this while doing your job as an advocate for Tor? I'm simply trying to advocate for Tor not waiting five weeks before releasing an advisory next time! Comments like this are really just not acceptable, Jake. Nadim, you need to calm the fuck down. Take a deep breath, re-read your own emails, and consider whether you need to apologize for your unproductive stampede. Our interactions don't need to be so stressful. Perhaps we'll all be calmer in the future... All the best, Jacob
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
But, this is the Firefox / Tor Browser Bundle exploit. The question is how FBI gained access to Freedom Hosting? What kind of exploits did they use? Pavol On Mon, Aug 05, 2013 at 09:08:49PM -0500, Kyle Maxwell wrote: According to THN[0] and several linked supporting sites from there (particularly notable are analyses from Kenneth Buckler[1] and Vlad Tsyrklevich[2]), the payload delivered the MAC address and Windows hostname to 65.222.202.54[3]. I've read in public sources that that address is assigned to SAIC but I have not seen any hard data on that. [0]: http://thehackernews.com/2013/08/Firefox-Exploit-Tor-Network-child-pornography-Freedom-Hosting.html [1]: https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/ [2]: http://tsyrklevich.net/tbb_payload.txt On Mon, Aug 5, 2013 at 8:22 PM, liberationt...@lewman.us wrote: On Mon, Aug 05, 2013 at 06:18:02PM -0400, r...@privacymaverick.com wrote 0.6K bytes in 0 lines about: : Does anybody have any indication on how the alleged operator of : Freedom Hosting was identified. Everybody seems to be focusing on : the javascript exploit but from what I've read, it appears that was : placed on the server after the alleged operator was taken down and : the operation compromised, or is my timing off? This is far more interesting to me than anything else. I've been wondering the same thing. -- @kylemaxwell -- __ [Pavol Luptak, Nethemba s.r.o.] [http://www.nethemba.com] [tel: +421905400542]
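Kyle Maxwell's message above gives the one concrete network indicator in this thread: the payload reported the victim's MAC address and Windows hostname to 65.222.202.54. The script below, an added example that is not code from the thread or from any of the linked analyses, shows how a responder would sweep outbound connection logs for that address and summarise which hosts reached it and when. The log line format and every line in SAMPLE_LOG are constructed for illustration; only the destination address comes from the message. Unparseable lines are counted rather than silently dropped, so a gap in log coverage shows up in the result.

```python
"""Hunt for the callback address named in the Freedom Hosting payload
analyses (65.222.202.54, quoted in the message above) in outbound
connection logs.

Added example, not code from the thread or from any of the linked analyses.
The log format and every log line in SAMPLE_LOG are constructed for
illustration; only the destination address comes from the message.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Indicator taken from the message above: the payload delivered the MAC
# address and Windows hostname to this address.
CALLBACK_IP = ipaddress.ip_address("65.222.202.54")

# Assumed (constructed) log line format:
#   <ISO-8601 UTC time> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <bytes_out>
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+"
    r"(?P<dst>[\d.]+):(?P<dport>\d+)\s+"
    r"(?P<proto>[A-Z]+)\s+(?P<bytes>\d+)$"
)

# Constructed sample: two workstations reach the callback address, one of them
# twice; the other lines are ordinary traffic plus one unparseable line.
SAMPLE_LOG = """\
2013-08-04T02:11:07Z 10.0.0.12:49213 -> 65.222.202.54:80 TCP 412
2013-08-04T02:11:09Z 10.0.0.12:49214 -> 93.184.216.34:443 TCP 5120
2013-08-04T02:13:40Z 10.0.0.37:51002 -> 65.222.202.54:80 TCP 398
2013-08-04T02:13:41Z 10.0.0.37:51003 -> 65.222.202.54:80 TCP 401
this line is deliberately malformed and must be counted, not silently dropped
2013-08-04T03:02:15Z 10.0.0.12:49300 -> 10.0.0.1:53 UDP 72
"""


def parse_line(line):
    """Return a record dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    d = m.groupdict()
    return {
        "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": ipaddress.ip_address(d["src"]),
        "dst": ipaddress.ip_address(d["dst"]),
        "dport": int(d["dport"]),
        "proto": d["proto"],
        "bytes": int(d["bytes"]),
    }


def find_callbacks(log_text, indicator=CALLBACK_IP):
    """Group every flow to `indicator` by source host.

    Returns (summary, skipped): summary maps each source IP (as a string) to
    first_seen, connection count, bytes sent and destination ports; skipped
    is the number of lines that did not parse, reported so that gaps in
    coverage are visible rather than hidden.
    """
    flows = defaultdict(list)
    skipped = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        if rec["dst"] == indicator:
            flows[str(rec["src"])].append(rec)
    summary = {
        src: {
            "first_seen": min(r["ts"] for r in recs).isoformat(),
            "connections": len(recs),
            "bytes_out": sum(r["bytes"] for r in recs),
            "ports": sorted({r["dport"] for r in recs}),
        }
        for src, recs in flows.items()
    }
    return summary, skipped


if __name__ == "__main__":
    hits, bad = find_callbacks(SAMPLE_LOG)
    for src, info in sorted(hits.items()):
        print(f"{src}: first seen {info['first_seen']}, "
              f"{info['connections']} connection(s), {info['bytes_out']} bytes out")
    print(f"{bad} unparseable line(s)")
```

The first_seen timestamp per host is what matters for the timeline question raised in the thread: it tells you when each machine ran the payload, which can then be lined up against the Tor Browser Bundle version that host had installed.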
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
In fact, I wrote the advisory in question and generally write all of them (with input from Mozilla developers and other security team members). Al -- Al Billings http://makehacklearn.org On Tuesday, August 6, 2013 at 2:30 AM, Jacob Appelbaum wrote: Mozilla issued an updated blog post in the last day or so because of us contacting them. They clarified the specific issue around the same time as us. Al has already pointed this out - he works at Mozilla, so I suppose he seems to agree that we don't need to copy every advisory they write into our release notes.
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Except this issue was a Firefox issue, fixed in ESR 17.0.7 and which we had posted an advisory for six weeks ago today. So, yes, you're asking Tor to copy and paste Firefox advisories. The issue wasn't a Tor-specific issue except that the way it was being spread targeted the TBB. It was a Firefox security issue, fixed in the last release. The people affected are those who hadn't gotten current. Al -- Al Billings http://makehacklearn.org On Tuesday, August 6, 2013 at 2:45 AM, Nadim Kobeissi wrote: Nadim you seem confused by how this works. Tor doesn't need to issue advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps they can link to them clearly but if you want to know about security issues Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. There's not much point in duplicating them on a second site. Tor would be better served by writing advisories for its own, unique, security fixes. Tor doesn't need to issue advisories for Firefox issues. Tor needs to issue advisories for Tor Browser issues, and not five weeks later when s**t hits the fan. I really don't think one can reasonably disagree with the above statement. Tor Browser is a Firefox fork.
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Tuesday, August 6, 2013 at 9:58 AM, Brian Conley wrote: Al, I'm not a developer, so please bear with me. Do you disagree that TBB is forked software? That depends on your definition. They aren't taking a fork of Firefox and running off with it for a year or two. They are (and I don't know the process) either forking each ESR release or applying our ongoing ESR patches to an ESR line. In either case, I think of it as Firefox ESR + Tor patches, not really as a fork. If I fork Firefox and build my own browser from there, do I have no responsibility to my users to fix bugs that originated in your original code, now that my codebase is separate from yours? Except they did that and do that. That isn't the issue here. The bug was fixed six weeks ago. TBB took that fix. The users that got exploited were *not* running the current version. Firefox assigns CVEs and issues advisories for any externally reported security issue we fix and for internally reported issues that are not simply memory corruption or crashes. There is no point in the Tor folks cutting and pasting our advisories onto their site. They *may* wish to link to our advisories on our site but that's up to them. Al
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/06/2013 10:18 AM, Pavol Luptak wrote: The question is how FBI gained access to Freedom Hosting? What kind of exploits did they use?

Freedom Hosting offered web hosting services to people that asked for it, yes? A hypothesis I've seen floating around (without evidence, that's all it is) is this: The FBI asked for and received web space on Freedom Hosting. They uploaded an app that they knew had a couple of vulnerabilities that allowed for server side code execution and used them to compromise other sites on that machine. No need to send ninjas to raid the cookie jar when you can say, "Mother, may I?"

- -- The Doctor [412/724/301/703] [ZS] Developer, Project Byzantium: http://project-byzantium.org/ PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1 WWW: https://drwho.virtadpt.net/ Livin' la vida alpha test.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.20 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlIBNJAACgkQO9j/K4B7F8GoOgCg6tLxg4LDf08CX64XsLTBQvlj
kmQAn34OwraBqPwY8EH+rt2O1QLd6zC8
=eZ9N
-----END PGP SIGNATURE-----
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
When the user's version is outdated you already display an update notice. You could add those items from https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html that apply to the current version. Listing particular vulnerabilities makes it clear that you actually should update and that it isn't just a superfluous notice that's just for annoying the user. I wouldn't duplicate the actual advisories, but listing them is a good idea IMO. Perhaps something like:

---
This version of TOR Browser is based on Firefox ESR 17.0.6. You need to upgrade to fix the following security issues:

Fixed in Firefox ESR 17.0.7
MFSA 2013-59 XrayWrappers can be bypassed to run user defined methods in a privileged context
MFSA 2013-56 PreserveWrapper has inconsistent behavior
MFSA 2013-55 SVG filters can lead to information disclosure
MFSA 2013-54 Data in the body of XHR HEAD requests leads to CSRF attacks
MFSA 2013-53 Execution of unmapped memory through onreadystatechange event
MFSA 2013-51 Privileged content access and execution via XBL
MFSA 2013-50 Memory corruption found using Address Sanitizer
MFSA 2013-49 Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)
---

(With links to Mozilla's advisories and red-orange-yellow highlighting just like in the original page)
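The notice proposed above is a mechanical function of two inputs: the Firefox ESR version the bundle is built on and a table of advisories keyed by the ESR release that fixed them. The script below, an added example that is not Tor Project or Mozilla code, implements it. The advisory ids and titles are the eight quoted in the message above, all attributed there to ESR 17.0.7; the version-parsing rules (trailing "esr" ignored, missing components padded with zeros) and the version strings used in the demo are assumptions for illustration. The one thing worth getting right here is comparing versions as integer tuples, because comparing them as strings would tell a user on 17.0.10 that they still need the 17.0.7 fixes.

```python
"""Build the update notice proposed in the message above: given the
Firefox ESR version a Tor Browser Bundle is built on, list the Mozilla
advisories fixed in later ESR releases.

Added example, not Tor Project or Mozilla code. The advisory ids and titles
are the ones quoted in the message above (all fixed in ESR 17.0.7, as stated
there); the version parsing rules and the version strings used in the demo
are assumptions for illustration.
"""
import re
from collections import OrderedDict

# (advisory id, title, ESR release that fixed it) -- from the message above.
ESR_ADVISORIES = [
    ("MFSA 2013-59", "XrayWrappers can be bypassed to run user defined methods in a privileged context", "17.0.7"),
    ("MFSA 2013-56", "PreserveWrapper has inconsistent behavior", "17.0.7"),
    ("MFSA 2013-55", "SVG filters can lead to information disclosure", "17.0.7"),
    ("MFSA 2013-54", "Data in the body of XHR HEAD requests leads to CSRF attacks", "17.0.7"),
    ("MFSA 2013-53", "Execution of unmapped memory through onreadystatechange event", "17.0.7"),
    ("MFSA 2013-51", "Privileged content access and execution via XBL", "17.0.7"),
    ("MFSA 2013-50", "Memory corruption found using Address Sanitizer", "17.0.7"),
    ("MFSA 2013-49", "Miscellaneous memory safety hazards (rv:22.0 / rv:17.0.7)", "17.0.7"),
]

# Assumed version syntax: dotted integers with an optional trailing "esr".
_VERSION_RE = re.compile(r"^(\d+(?:\.\d+)*)(?:esr)?$")


def parse_version(text):
    """'17.0.7esr' or '17.0.7' -> (17, 0, 7); '17.0' -> (17, 0, 0).

    Comparing tuples of ints avoids the string-compare bug where
    '17.0.10' sorts below '17.0.7'.
    """
    m = _VERSION_RE.match(text.strip())
    if m is None:
        raise ValueError(f"unrecognised Firefox version: {text!r}")
    parts = tuple(int(p) for p in m.group(1).split("."))
    return parts + (0,) * (3 - len(parts))


def pending_advisories(installed, advisories=ESR_ADVISORIES):
    """Advisories whose fix landed in a release newer than `installed`."""
    current = parse_version(installed)
    return [
        (aid, title, fixed)
        for aid, title, fixed in advisories
        if parse_version(fixed) > current
    ]


def update_notice(installed, advisories=ESR_ADVISORIES):
    """Render the notice text, or None when nothing applies (no needless nag)."""
    pending = pending_advisories(installed, advisories)
    if not pending:
        return None
    # Group by fixing release, oldest release first; list order within a
    # release is preserved because sorted() is stable.
    by_release = OrderedDict()
    for aid, title, fixed in sorted(pending, key=lambda a: parse_version(a[2])):
        by_release.setdefault(fixed, []).append(f"{aid} {title}")
    lines = [
        f"This version of Tor Browser is based on Firefox ESR {installed}.",
        "You need to upgrade to fix the following security issues:",
    ]
    for fixed, items in by_release.items():
        lines.append("")
        lines.append(f"Fixed in Firefox ESR {fixed}")
        lines.extend(items)
    return "\n".join(lines)


if __name__ == "__main__":
    print(update_notice("17.0.6") or "up to date")
```

Because the advisory table is the only data the notice depends on, the same function serves the splash page, a ChangeLog entry and an RSS feed; the open question in the thread is only who maintains the table, Mozilla's page or a copy kept with the bundle.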
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Plausible and clever in its simplicity. Moral of the story: host your own server.

Anybody know what ever happened to Publius[1]? Did that concept ever go anywhere?

1 http://www.cs.nyu.edu/waldman/publius/

On 8/6/2013 1:38 PM, The Doctor wrote:
> On 08/06/2013 10:18 AM, Pavol Luptak wrote:
>> The question is how FBI gained access to Freedom Hosting? What kind of exploits did they use?
>
> Freedom Hosting offered web hosting services to people that asked for it, yes?
>
> A hypothesis I've seen floating around (without evidence, that's all it is) is this: The FBI asked for and received web space on Freedom Hosting. They uploaded an app that they knew had a couple of vulnerabilities that allowed for server side code execution and used them to compromise other sites on that machine.
>
> No need to send ninjas to raid the cookie jar when you can say, "Mother, may I?"
>
> --
> The Doctor [412/724/301/703] [ZS]
> Developer, Project Byzantium: http://project-byzantium.org/
> PGP: 0x807B17C1 / 7960 1CDC 85C9 0B63 8D9F DD89 3BD8 FF2B 807B 17C1
> WWW: https://drwho.virtadpt.net/
> Livin' la vida alpha test.

--
*R. Jason Cronk, Esq., CIPP/US*
/Privacy Engineering Consultant/, *Enterprivacy Consulting Group*
enterprivacy.com
* phone: (828) 4RJCESQ
* twitter: @privacymaverick.com
* blog: http://blog.privacymaverick.com
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Tue, Aug 6, 2013 at 12:28 PM, R. Jason Cronk r...@privacymaverick.com wrote:
> ...
> Anybody know what ever happened to Publius[1]? Did that concept ever go anywhere?
>
> 1 http://www.cs.nyu.edu/waldman/publius/

wow, that takes me back. i remember running publius when it launched back in the DeCSS days. from what i recall there was a subsequent tangler censorship resistance project, then nothing. curious if anyone else knows more...
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
* Jacob Appelbaum:

> This is not accurate. We heard about attempts at exploitation and within ~24hrs we released an advisory - we had already released fixed code a ~month before exploitation was found in the wild. Please do not mix up the time-line. To restate:
>
> 2.3.25-10 (released June 26 2013)

This was released with the following announcement (there wasn't a posting to the tor-announce mailing list):

| All of the Tor Browser Bundles have been updated with the new
| Firefox 17.0.7esr. There is also a new Tor 0.2.4.14-alpha release
| and all of the packages have been updated with that as well.
|
| https://www.torproject.org/download/download-easy
|
| Tor Browser Bundle (2.3.25-10)
|
| Update Firefox to 17.0.7esr
| Update zlib to 1.2.8
| Update HTTPS Everywhere to 3.2.2
| Update NoScript to 2.6.6.6

https://blog.torproject.org/blog/new-tor-browser-bundles-and-tor-02414-alpha-packages

I'm not sure if Tor Browser Bundle users (or even Firefox users) realize that for some time now, almost all Firefox updates from Mozilla contain security-relevant fixes. But noting the security aspect each time you switch to a newer Firefox ESR version can't hurt. On the other hand, those who don't already know this are probably difficult to reach without automated updates.

(Automated updates are a mixed blessing because they could invite court orders to roll out specific versions to certain users.)
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Tue, Aug 6, 2013 at 3:11 PM, Florian Weimer f...@deneb.enyo.de wrote:
> (Automated updates are a mixed blessing because they could invite court orders to roll out specific versions to certain users.)

No crap. _please_ don't deploy automatic updates in a sensitive environment like this without at least quorum signatures (like gitian downloader) and timed quarantine with negative signatures (harder to make strong absent a jamming proof network).
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
> We're understaffed, so we tend to pick the few things we might accomplish and writing such advisory emails is weird unless there is an exceptional event. Firefox bugs and corresponding updates are not exceptional events. :(

Pardon me, but it does seem that this one was. No?

Sent with AquaMail for Android
http://www.aqua-mail.com
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Tue, Aug 06, 2013 at 01:50:31PM +0300, Nadim Kobeissi wrote:
> Yes, to be absolutely clear, I think Tor should issue advisories for confirmed security issues in Tor Browser, since Tor Browser is a fork of Firefox and is independently maintained. This is exactly what Tor did this time, except next time you shouldn't wait five weeks for the situation to explode.

This is insane advice. Every ESR point release of firefox 17 has fixed multiple CVEs. Your advice would have them doing a RED BLINKING LETTERS blogpost on *every* TBB release. This is not sustainable and will create security fatigue in users, exactly similar to how SSL warning dialogs trained everybody to just click accept back in the nineties and the bad old oughties.

We have to move past the "bug the user again" model of security system deployment.

-andy
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Tue, Aug 6, 2013 at 10:19 PM, Andy Isaacson a...@hexapodia.org wrote:
> We have to move past the "bug the user again" model of security system deployment.

In the general sense, yes. Silent automatic updates are a truly good thing in many use cases and environments. However, in the case where the user has an explicitly more detailed threat model - the sort of case where Tor may be an important component of the overall infrastructure - requiring said user to exercise some situational awareness is de rigueur.

Tor itself recognizes this principle quite clearly on its download page: "Want Tor to really work? You need to change some of your habits, as some things won't work exactly as you are used to."

This is proper and correct, because use cases that involve using Tor as more than just a poor man's VPN[0] require correspondingly greater thought and practice of solid operational security principles. This means, yes, taking active steps to safeguard your browser, from patching to not using Javascript to thinking about when and what you write.

I don't want to delve too far into victim-blaming here, but it's clear that users caught by this *particular* operation were relatively low-hanging fruit.

--
@kylemaxwell
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 2013-08-06, at 4:49 PM, Jacob Appelbaum ja...@appelbaum.net wrote:

> Nadim Kobeissi:
>> On 2013-08-06, at 1:23 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
>>
>>> Nadim Kobeissi:
>>>> On 2013-08-06, at 12:55 PM, Jacob Appelbaum ja...@appelbaum.net wrote:
>>>>
>>>>> Nadim Kobeissi:
>>>>>> On 2013-08-06, at 11:46 AM, Al Billings alb...@openbuddha.com wrote:
>>>>>>
>>>>>>> Nadim you seem confused by how this works. Tor doesn't need to issue advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps they can link to them clearly but if you want to know about security issues Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. There's not much point in duplicating them on a second site. Tor would be better served by writing advisories for its own, unique, security fixes.
>>>>>>
>>>>>> Tor doesn't need to issue advisories for Firefox issues. Tor needs to issue advisories for Tor Browser issues, and not five weeks later when s**t hits the fan. I really don't think one can reasonably disagree with the above statement.
>>>>>
>>>>> Tor Browser is a Firefox fork. Should we issue a single advisory for each possible security issue that Firefox has already noted in their change log? Each confirmed security issue? Should we ask for a second CVE to cover each CVE they receive?
>>>>
>>>> What's the alternative, Jake?
>>>
>>> That was a list of choices and you didn't choose one. Please choose one or more - though not all of them make sense when put together. It was a question and well, your answer isn't much of an answer.
>>
>> Yes, to be absolutely clear, I think Tor should issue advisories for confirmed security issues in Tor Browser, since Tor Browser is a fork of Firefox and is independently maintained. This is exactly what Tor did this time, except next time you shouldn't wait five weeks for the situation to explode.
>
> This is where the confusion comes into play, I think.
>
> Please note the advisory we released this week:
>
> https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html
>
> We specifically address the one thing we *know* that is being exploited and we note that there are other issues, though we don't go into depth as upgrading is the only path forward.
>
> Now note the Mozilla security issues for the Firefox ESR releases:
>
> https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
>
> You're on the one hand saying that we did the right thing and on the other, you're saying that we should issue an advisory for *confirmed* security issues. Mozilla confirmed a handful. Doesn't that imply that our advisory should have covered every thing Firefox fixed between versions? And if so, should we note everything, even if it doesn't *appear* to be a security issue? Just in case?
>
> Now on the one hand, you're saying we waited five weeks - when in fact we didn't, we released an advisory within a day of discovering that TBB was being targeted, which is different from Firefox generally I might add. We did also note with the release of 3.0alpha2 that it included security and stability fixes as we often do when we bump Firefox. So clearly between "hey, upgrade" and "exploit discovered" there is a middle ground. I'm confused by the middle ground you have chosen. It doesn't seem that we should wait until exploits are in the wild to note the security features of new releases (which we didn't, but we didn't issue an advisory for every Firefox issue), and yet, if an exploit is discovered, we should post an advisory that specifically addresses what we know about it, no?
>
>> Wait until the NSA exploits an innumerable amount of Tor users and then quickly write an advisory for a bug that was quietly fixed without a warning from Tor five weeks but still exploited?
>
> This is not accurate.
>
> We heard about attempts at exploitation and within ~24hrs we released an advisory - we had already released fixed code a ~month before exploitation was found in the wild. Please do not mix up the time-line. To restate:
>
> 2.3.25-10 (released June 26 2013)
> 2.4.15-alpha-1 (released June 26 2013)
> 2.4.15-beta-1 (released July 8 2013)
> 3.0alpha2 (released June 30 2013)
>
> The exploit was found in the wild on last weekend, I learned about it on or around August 4th. Please note that our patched versions were released nearly a month before this was found in the wild. There is no reason to support the conclusion that we silently fixed anything in response to an exploit. Please consider that your statement is entirely unsupported by evidence, Nadim.
>
>> I could be mistaken. Where's the advisory that was issued the day after, that mentions that a critical Tor Browser vulnerability was fixed?
>
> Once we triaged the bug with Mozilla - both Tor and Mozilla posted updates:
>
> https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
> https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable

You will note that this was
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Wed, Aug 07, 2013 at 07:20:21AM +0300, Nadim Kobeissi wrote:
> You will note that this was posted recently. However, 5 weeks ago, Mozilla posted a security advisory for Firefox and fixed the issue. Tor then updated the Tor Browser Bundle with the fix, 5 weeks ago, *without releasing a security advisory.* You released the security advisory after shit hit the fan, this week

Just to clarify: the security advisory I wrote this week was telling users that an exploit had been seen in the wild, and explaining what we knew about that. This was not intended to be a five-weeks-late by-the-way-there-was-a-vulnerability announcement. We already told people, five weeks ago, to upgrade, and set the TBB homepage to tell them "There is a security update available for the Tor Browser Bundle. Click here to go to the download page."

The novel thing here was that a potential vulnerability, which Mozilla had described as "This crash is potentially exploitable" when they put out their fix, was actually exploitable in practice and was being actively exploited. The advisory was intended to make people aware of the new situation, and also collect some facts into one place.

> The advisory you released this week should have been released 5 weeks ago for Tor Browser, on the day Mozilla released an advisory for Firefox, and on the day you updated Tor Browser. I spoke with Roger and he in fact confirmed that no advisory was released by Tor five weeks ago when Tor fixed the vulnerability. Tor waited until the exploit was in the wild.

We did in fact wait until the exploit was in the wild to tell people that the exploit was in the wild.

How we (including the broader community) can keep users informed about the security state of their software is indeed a fine question to ponder. But it's not clear to me that this "you didn't tell them" / "yes we did" / "well you should have told them differently" format is the right way to make progress.

(And we should also listen to folks like Andy, who point out that there's never going to be a simple answer. I've been involved in too many "I wonder if that bug we just fixed is really exploitable, and how we should classify it" discussions to believe that the predictions are always accurate -- and they can be inaccurate either by overestimating or by underestimating.)

--Roger
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Forgive me, but I'd like to ask a question here.

Tor is a tool that is undeniably, directly marketed toward activists in high-risk environments. Tor's presentations at conferences centre around how Tor obtains increased usage in Arab Spring countries that matches the timeline of revolutionary action. It's incredibly direct. Tor's own spokespeople encourage people in Iran, Egypt and so on to use Tor and only Tor as the most secure tool for activist anonymity, and privacy.

Now, we find out that the FBI has been sitting on an exploit since an unknown amount of time that can compromise the Tor Browser Bundle, which is currently the main way to download Tor and the only way to download Tor for the average end-user, and is deploying it en-masse to the visitors of what seems to be around half of all Tor hidden services, which have also been compromised.

I've gotten quite some flak from certain people at Tor for supposedly marketing Cryptocat to activists, which is not something I do, but that the media did last year. We know for a fact that Tor does in fact market to activists. And yet, I have a feeling that the flak towards Tor, for something this incredibly huge, will be quite small, on this mailing list and on other discussion forums, especially compared to the kind of vitriol Cryptocat receives.

I would like an explanation as to why this is the case.

NK

On 2013-08-04, at 10:56 PM, Griffin Boyce griffinbo...@gmail.com wrote:

> There are really two separate issues here, and I just want to separate them briefly.
>
> 1) Tormail and other sites were hosting malicious js code that attempts to break firefox 17.
> 2) Freedom Hosting was shut off after its host was arrested.
>
> I will say from personal experience that most hidden services are *extremely* permeable. Not because Tor sucks, but because people making them aren't very good webmasters. They don't upgrade/patch the software running their websites, and that leads to big hacks. Freedom Hosting was itself taken down on at least three occasions due to poor maintenance. It's also not particularly difficult to script up a scanner that tests hidden services for vulnerabilities, then launches malicious code. This has happened again and again. But this cannot really be Tor's fault anymore than it's Apache's fault. People who host hidden services must maintain their code just like other websites.
>
> If a hidden service webhost is imperfectly set up, it's possible to upload a malicious file and broadcast the IP address of the server. (Again, this relies on various configuration issues and 0day, but similar has happened to Freedom Hosting before).
>
> What does everyone else think about this?
>
> best,
> Griffin
>
> PS: it seems a little too ambitious to set up your own anonymity network without having a solid team of scientists and cryptographers
>
> On Sun, Aug 4, 2013 at 9:20 PM, Rich Jones miser...@gmail.com wrote:
>> 1) Freedom Hosting owner arrested and TorMail appears to be distributing FBI malware specifically targeting the Tor Browser Bundle. Deets: https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste
>>
>> 2) I'm considering using Docker/Flynn to build an anonymous PaaS. Anybody want to help with the sketches? Deets: https://github.com/Miserlou/OnionCloud
>>
>> R
>
> --
> Just another hacker in the City of Spies.
> #Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de
> My posts, while frequently amusing, are not representative of the thoughts of my employer.
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Maybe because of the difficulty of finding those vulnerabilities to exploit the system. Being bulletproof against everything, as we know, is impossible; therefore if you notice that the government (with a huge amount of resources) has found a vulnerability in your software you can accept that, solve it and feel raped. The problem is much more critical when just one guy (and it not even being his job) has reviewed the code of an application and has found a huge bug :)

You cannot blame someone because the government has been exploiting his software, because governments tend to have kind of unlimited resources to do that. What I mean is that if Cryptocat had been hacked by the government (exploiting some kind of sophisticated bug - btw, I don't know which bug is being exploited in Tor), I don't think it would have had all that feeling of weakness (and by consequence, all that discussion).

gpg --keyserver pgp.mit.edu --search-keys EEE5A447
http://pgp.mit.edu:11371/pks/lookup?search=0xEEE5A447&op=vindex

From: na...@nadim.cc
Date: Mon, 5 Aug 2013 10:15:20 +0200
To: liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

> Forgive me, but I'd like to ask a question here.
>
> Tor is a tool that is undeniably, directly marketed toward activists in high-risk environments. Tor's presentations at conferences centre around how Tor obtains increased usage in Arab Spring countries that matches the timeline of revolutionary action. It's incredibly direct. Tor's own spokespeople encourage people in Iran, Egypt and so on to use Tor and only Tor as the most secure tool for activist anonymity, and privacy.
>
> Now, we find out that the FBI has been sitting on an exploit since an unknown amount of time that can compromise the Tor Browser Bundle, which is currently the main way to download Tor and the only way to download Tor for the average end-user, and is deploying it en-masse to the visitors of what seems to be around half of all Tor hidden services, which have also been compromised.
>
> I've gotten quite some flak from certain people at Tor for supposedly marketing Cryptocat to activists, which is not something I do, but that the media did last year. We know for a fact that Tor does in fact market to activists. And yet, I have a feeling that the flak towards Tor, for something this incredibly huge, will be quite small, on this mailing list and on other discussion forums, especially compared to the kind of vitriol Cryptocat receives.
>
> I would like an explanation as to why this is the case.
>
> NK
>
> On 2013-08-04, at 10:56 PM, Griffin Boyce griffinbo...@gmail.com wrote:
>
>> There are really two separate issues here, and I just want to separate them briefly.
>>
>> 1) Tormail and other sites were hosting malicious js code that attempts to break firefox 17.
>> 2) Freedom Hosting was shut off after its host was arrested.
>>
>> I will say from personal experience that most hidden services are *extremely* permeable. Not because Tor sucks, but because people making them aren't very good webmasters. They don't upgrade/patch the software running their websites, and that leads to big hacks. Freedom Hosting was itself taken down on at least three occasions due to poor maintenance. It's also not particularly difficult to script up a scanner that tests hidden services for vulnerabilities, then launches malicious code. This has happened again and again. But this cannot really be Tor's fault anymore than it's Apache's fault. People who host hidden services must maintain their code just like other websites.
>>
>> If a hidden service webhost is imperfectly set up, it's possible to upload a malicious file and broadcast the IP address of the server. (Again, this relies on various configuration issues and 0day, but similar has happened to Freedom Hosting before).
>>
>> What does everyone else think about this?
>>
>> best,
>> Griffin
>>
>> PS: it seems a little too ambitious to set up your own anonymity network without having a solid team of scientists and cryptographers
>>
>> On Sun, Aug 4, 2013 at 9:20 PM, Rich Jones miser...@gmail.com wrote:
>>> 1) Freedom Hosting owner arrested and TorMail appears to be distributing FBI malware specifically targeting the Tor Browser Bundle. Deets: https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste
>>>
>>> 2) I'm considering using Docker/Flynn to build an anonymous PaaS. Anybody want to help with the sketches? Deets: https://github.com/Miserlou/OnionCloud
>>>
>>> R
>>
>> --
>> Just another hacker in the City of Spies.
>> #Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de
>> My posts, while frequently amusing
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 05.08.2013 10:15, Nadim Kobeissi wrote:
> Now, we find out that the FBI has been sitting on an exploit since an unknown amount of time that can compromise the Tor Browser Bundle

is that really so? See:

https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/

first comment.

Georg
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 2013-08-05, at 10:46 AM, Georg Koppen g.kop...@jondos.de wrote:

> On 05.08.2013 10:15, Nadim Kobeissi wrote:
>> Now, we find out that the FBI has been sitting on an exploit since an unknown amount of time that can compromise the Tor Browser Bundle
>
> is that really so? See:
>
> https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
>
> first comment.
>
> Georg

Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser security advisory in that case.

NK
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Mon, Aug 05, 2013 at 10:46:35AM +0200, Georg Koppen wrote:
> On 05.08.2013 10:15, Nadim Kobeissi wrote:
>> Now, we find out that the FBI has been sitting on an exploit since an unknown amount of time that can compromise the Tor Browser Bundle
>
> is that really so? See:
>
> https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
>
> first comment.

Specifically, it would appear that the TBB updates we put out on June 26 addressed this vulnerability:

https://blog.torproject.org/blog/new-tor-browser-bundles-and-tor-02414-alpha-packages

My preference here is increasingly that we should finish

https://trac.torproject.org/projects/tor/ticket/9387

and then make TBB 3.x the new default:

https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released

(Apparently this means breaking support for Win XP until somebody fixes that:

https://trac.torproject.org/projects/tor/ticket/9084

But hey, there are worse things to do than that.)

--Roger
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
BTW (same comment in two pages :P):

"The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7. The vulnerability used is MFSA 2013-53. People who are on the latest supported versions of Firefox are not at risk. Although the vulnerability affects users of Firefox 21 and below the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack."

So it means that the vulnerability exploited was not even a 0day and Tor users using updated software were not affected. In fact, there has been too much discussion for someone (FBI) exploiting a patched vulnerability...

gpg --keyserver pgp.mit.edu --search-keys EEE5A447
http://pgp.mit.edu:11371/pks/lookup?search=0xEEE5A447&op=vindex

From: na...@nadim.cc
Date: Mon, 5 Aug 2013 10:46:58 +0200
To: liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

> On 2013-08-05, at 10:46 AM, Georg Koppen g.kop...@jondos.de wrote:
>
>> On 05.08.2013 10:15, Nadim Kobeissi wrote:
>>> Now, we find out that the FBI has been sitting on an exploit since an unknown amount of time that can compromise the Tor Browser Bundle
>>
>> is that really so? See:
>>
>> https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
>>
>> first comment.
>>
>> Georg
>
> Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser security advisory in that case.
>
> NK
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Mon, Aug 5, 2013 at 9:46 AM, Nadim Kobeissi na...@nadim.cc wrote:
> Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser security advisory in that case.

I'm not sure how long the Tor bundle goes without actively complaining to the user about things being out of date. Out of curiosity I reloaded a 48-day old beta of 3.0 last night, and it immediately complained that it was out of date and should be upgraded to the latest version.

Mike
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 2013-08-05, at 11:04 AM, Michael Owen mich...@theramparts.com wrote:
> On Mon, Aug 5, 2013 at 9:46 AM, Nadim Kobeissi na...@nadim.cc wrote:
>> Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser security advisory in that case.
>
> I'm not sure how long the Tor bundle goes without actively complaining to the user about things being out of date. Out of curiosity I reloaded a 48-day-old beta of 3.0 last night, and it immediately complained that it was out of date and should be upgraded to the latest version.

Yeah, Tor's update notifications are definitely legit. I'm just wondering why there wasn't an actual advisory. I mean, all this time there seems to have been a .js file that could compromise any Tor users accessing a website which loads it.

NK

> Mike
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
The fog of OHM hasn't yet lifted for me, so I'm sorry if I'm not entirely poetic in thought…

Before people jump in and say "the Tor network is inherently flawed!", I just want to try to put it in perspective.

As I understand it, an .onion got owned, probably by some poorly written or installed software on their site. That happens, and it isn't Tor's fault. Once it got owned, it was easy to put an iframe in and target a specific version of the Tor browser, an old one for which vulns are well-known.

Mozilla posted the advisory on June 25th: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html and a TBB update was provided 5 days later: https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released - and it uses a version of FF that the advisory says fixes the issue.

If you're interested, this is supposed to be the exploit: http://pastebin.com/96htM60z

The take-home message of the day: keep your shit up to date.

The only question I have is -- is there anything more that can be done to warn users their stuff is out of date? We're already visited with a warning that our browser or other Tor-related software is out of date upon launching it. Do we need scrolling text? Blinky lights? Should it be disabled once it is out of date? Maybe that can be an option set by default. Thoughts?

Best,
-Jason Gulledge
@ramdac

On Aug 5, 2013, at 10:15 AM, Nadim Kobeissi na...@nadim.cc wrote:
> Forgive me, but I'd like to ask a question here. Tor is a tool that is undeniably, directly marketed toward activists in high-risk environments. Tor's presentations at conferences centre around how Tor obtains increased usage in Arab Spring countries that matches the timeline of revolutionary action. It's incredibly direct. Tor's own spokespeople encourage people in Iran, Egypt and so on to use Tor and only Tor as the most secure tool for activist anonymity, and privacy.
>
> Now, we find out that the FBI has been sitting on an exploit since an unknown amount of time that can compromise the Tor Browser Bundle, which is currently the main way to download Tor and the only way to download Tor for the average end-user, and is deploying it en-masse to the visitors of what seems to be around half of all Tor hidden services, which have also been compromised.
>
> I've gotten quite some flak from certain people at Tor for supposedly marketing Cryptocat to activists, which is not something I do, but that the media did last year. We know for a fact that Tor does in fact market to activists. And yet, I have a feeling that the flak towards Tor, for something this incredibly huge, will be quite small, on this mailing list and on other discussion forums, especially compared to the kind of vitriol Cryptocat receives. I would like an explanation as to why this is the case.
>
> NK
>
> On 2013-08-04, at 10:56 PM, Griffin Boyce griffinbo...@gmail.com wrote:
>> There are really two separate issues here, and I just want to separate them briefly.
>>
>> 1) Tormail and other sites were hosting malicious js code that attempts to break Firefox 17.
>> 2) Freedom Hosting was shut off after its host was arrested.
>>
>> I will say from personal experience that most hidden services are *extremely* permeable. Not because Tor sucks, but because people making them aren't very good webmasters. They don't upgrade/patch the software running their websites, and that leads to big hacks. Freedom Hosting was itself taken down on at least three occasions due to poor maintenance.
>>
>> It's also not particularly difficult to script up a scanner that tests hidden services for vulnerabilities, then launches malicious code. This has happened again and again. But this cannot really be Tor's fault any more than it's Apache's fault. People who host hidden services must maintain their code just like other websites.
>>
>> If a hidden service webhost is imperfectly set up, it's possible to upload a malicious file and broadcast the IP address of the server. (Again, this relies on various configuration issues and 0day, but similar has happened to Freedom Hosting before.)
>>
>> What does everyone else think about this?
>>
>> best,
>> Griffin
>>
>> PS: it seems a little too ambitious to set up your own anonymity network without having a solid team of scientists and cryptographers
>>
>> On Sun, Aug 4, 2013 at 9:20 PM, Rich Jones miser...@gmail.com wrote:
>>> 1) Freedom Hosting owner arrested and TorMail appears to be distributing FBI malware specifically targeting the Tor Browser Bundle. Deets: https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste
>>>
>>> 2) I'm considering using Docker/Flynn to build an anonymous PaaS. Anybody want to help with the sketches? Deets: https://github.com/Miserlou/OnionCloud
>>>
>>> R
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Mon, 5 Aug 2013 10:15:20 +0200 Nadim Kobeissi na...@nadim.cc wrote:
> Now, we find out that the FBI has been sitting on an exploit since an unknown amount of time that can compromise the Tor Browser Bundle, which is currently the main way to download Tor and the only way to download Tor for the average end-user, and is deploying it en-masse to the visitors of what seems to be around half of all Tor hidden services, which have also been compromised

Please cite first person sources on this. It's not clear the FBI did anything or is involved at all. There is a reddit thread implying this, but no statement (as of yet) from the FBI or anyone claiming responsibility for the javascript injection.

Second, it's not clear this exploit or malware has actually compromised current versions of Tor Browser (as released on June 26, 2013). Please show a working exploit against the current TBBs.

Third, please show data that half of all Tor hidden services have been compromised. We don't have this data because we don't track hidden services. If you do, please share your metrics.

--
Andrew
http://tpo.is/contact
pgp 0x6B4D6475
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Mon, 5 Aug 2013 10:04:02 +0100 Michael Owen mich...@theramparts.com wrote:
> I'm not sure how long the Tor bundle goes without actively complaining to the user about things being out of date.

TBB notifies the user within an hour of releasing the new version. The hour lag is because our cronjob runs hourly.

--
Andrew
http://tpo.is/contact
pgp 0x6B4D6475
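The out-of-date check that Mike and Andrew are describing (the bundle compares what it is running against a published list of recommended builds and nags when it is not on it), as an added Python example that is not code from the thread or from the Tor Project. The recommended-versions list, its "<version>-<platform>" entry format, the platform names and every version string are constructed assumptions, not the real feed the bundle polled:

```python
"""Out-of-date check in the spirit of the TBB "you need to upgrade" notice.

Constructed example: the recommended-versions list below and its
"<version>-<platform>" entry format are assumptions, not the real feed the
bundle polls, and every version string here is made up.
"""
import re

# Constructed stand-in for a published recommended-versions list.
RECOMMENDED = [
    "2.3.25-10-Windows",
    "2.3.25-10-MacOS-i386",
    "2.3.25-10-Linux-x86_64",
    "3.0-alpha-2-Windows",
    "3.0-alpha-2-Linux-x86_64",
]

# Pre-release tags sort before the final release of the same number;
# a final release gets rank 3 so that 3.0-alpha-2 < 3.0 < 3.0-1.
_PRERELEASE_RANK = {"alpha": 0, "beta": 1, "rc": 2}

# <numbers>[-<alpha|beta|rc>-<n>][-<build>]
_VERSION_RE = r"(\d+(?:\.\d+)*)(?:-(alpha|beta|rc)-(\d+))?(?:-(\d+))?"


def parse_version(version: str) -> tuple:
    """Turn '2.3.25-10' or '3.0-alpha-2' into a sortable key:
    (numeric parts, pre-release rank, pre-release number, build number)."""
    m = re.fullmatch(_VERSION_RE, version)
    if not m:
        raise ValueError(f"unparseable version: {version!r}")
    nums = tuple(int(x) for x in m.group(1).split("."))
    tag, tag_num, build = m.group(2), m.group(3), m.group(4)
    return (nums, _PRERELEASE_RANK.get(tag, 3), int(tag_num or 0), int(build or 0))


def split_entry(entry: str) -> tuple:
    """Split a list entry into (version, platform). Whatever follows the
    version is the platform, which may itself contain dashes."""
    m = re.fullmatch(rf"(?P<version>{_VERSION_RE})-(?P<platform>.+)", entry)
    if not m:
        raise ValueError(f"unparseable entry: {entry!r}")
    return m.group("version"), m.group("platform")


def channel(version: str) -> str:
    """'alpha' for any pre-release build, 'stable' otherwise."""
    return "alpha" if parse_version(version)[1] < 3 else "stable"


def check_update(installed: str, platform: str, recommended=RECOMMENDED) -> dict:
    """Verdict the launcher would act on.

    status 'current'  : installed build is on the list for this platform
           'outdated' : not on the list; 'upgrade_to' is the newest listed
                        build on the same platform and release channel
           'unlisted' : newer than anything listed (e.g. a local dev build)
           'unknown'  : nothing listed for this platform/channel at all
    """
    same_platform = [v for v, p in map(split_entry, recommended) if p == platform]
    if installed in same_platform:
        return {"status": "current", "upgrade_to": None}
    same_channel = [v for v in same_platform if channel(v) == channel(installed)]
    if not same_channel:
        return {"status": "unknown", "upgrade_to": None}
    newest = max(same_channel, key=parse_version)
    if parse_version(installed) > parse_version(newest):
        return {"status": "unlisted", "upgrade_to": None}
    return {"status": "outdated", "upgrade_to": newest}


if __name__ == "__main__":
    for inst, plat in [("2.3.25-10", "Windows"), ("2.3.25-8", "Windows"),
                       ("3.0-alpha-1", "Windows"), ("3.0-alpha-1", "MacOS-i386")]:
        print(inst, plat, check_update(inst, plat))
```

The membership test is the actual decision; the version ordering only matters for telling the user which build to move to, and it keeps alpha users on the alpha channel rather than nagging them down to the stable series. The 'unlisted' verdict is there so a locally built or pre-announced build is not mislabelled as outdated.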
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Mon, Aug 05, 2013 at 09:19:01AM -0400, liberationt...@lewman.us wrote:
> Please cite first person sources on this. It's not clear the FBI did anything or is involved at all. There is a reddit thread implying this, but no statement (as of yet) from the FBI or anyone claiming responsibility for the javascript injection.

The press is treating it as a likelihood. That's no proof, of course, but the narrative is internally consistent and most alternatives seem quite unlikely. http://www.wired.com/threatlevel/2013/08/freedom-hosting/

> Second, it's not clear this exploit or malware has actually compromised current versions of Tor Browser (as released on June 26, 2013). Please show a working exploit against the current TBBs.

In fact it seems quite clear that the 65.222.202.54 malware does *not* affect 17.0.7esr per http://tsyrklevich.net/tbb_payload.txt

Every claim I've seen is that this single payload was the only deployed malware in this incident. As I understand it, TBB users who installed or upgraded after June 26 are not vulnerable, and users of old versions got a notice at startup that an upgrade is required. Is that correct?

If the above is correct, then only TBB users on Windows who installed TBB before June 26 and ignored the warnings would be affected. Does TBB have usage statistics breaking out the upgrade rate per platform? Are we talking about 90% upgrade rates after 30 days, or 15% upgrade rates?

> Third, please show data that half of all Tor hidden services have been compromised. We don't have this data because we don't track hidden services. If you do, please share your metrics.

Indeed, it's difficult to measure. Half by count? Half by users? Half by circuits? Half by bandwidth? But the forum analysis indicates that there's been significant impact, so saying "half" seems reasonable. Better stats would be great, but in the absence, a rough estimate isn't unreasonable.

Seems to me the Tor project's response was about right; the only potential improvement I can think of would be automatically downloading the upgrade in the background, to improve update rates. (But I hate software that does that ... but I am currently running a vulnerable Firefox myself due to not getting reminded about upgrades, so I'm evidence that "hates automatic upgrades" equals "is more vulnerable".)

One larger improvement would be to have the TBB browser sandboxed and set to trigger an alarm on non-Tor outbound traffic. Running Tails in a suitably configured VM system can provide this capability, but platform-specific application sandboxes can do it as well; Chrome provides some prior art. Developing this capability is a nontrivial task...

Nadim's criticism of the Tor project seems a bit too strong given the facts, and even given the unknowns when the news first broke. Andrew's response to the criticism seems a bit overly harsh, but I'm inclined to cut some slack for folks who've probably been working long hard hours over the past days to understand the impact of these events.

Thanks,
-andy
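The "alarm on non-Tor outbound traffic" idea in Andy's message, as an added Python example that is not code from the thread or from any Tor or Tails component. It applies the policy a browser sandbox would enforce (the browser may only talk to the local Tor SOCKS listener; only the tor process may reach the network directly) to a per-connection log. The log format, the process names and the SOCKS address 127.0.0.1:9150 are assumptions, and the sample lines are constructed:

```python
"""Flag browser connections that bypass Tor, from a per-connection log.

Constructed example. The log format is made up: one connection attempt per
line as space-separated key=value fields. The policy is the one a browser
sandbox would enforce: the browser may only talk to the local Tor SOCKS
port; only the tor process may reach the network directly; nothing else
talks out at all.
"""
from dataclasses import dataclass

# Assumed local Tor SOCKS listener and process names (configuration, not fact).
TOR_SOCKS = ("127.0.0.1", 9150)
BROWSER_PROCS = {"firefox.exe", "firefox"}
TOR_PROCS = {"tor.exe", "tor"}

# Constructed sample log; the addresses are documentation ranges, not real hosts.
SAMPLE_LOG = """\
ts=1375700000 proc=tor.exe proto=tcp dst=198.51.100.20:443
ts=1375700001 proc=firefox.exe proto=tcp dst=127.0.0.1:9150
ts=1375700002 proc=firefox.exe proto=tcp dst=127.0.0.1:9150
ts=1375700003 proc=firefox.exe proto=udp dst=192.0.2.53:53
ts=1375700004 proc=firefox.exe proto=tcp dst=203.0.113.7:80
ts=1375700005 proc=updater.exe proto=tcp dst=198.51.100.99:443
"""


@dataclass(frozen=True)
class Event:
    ts: int
    proc: str
    proto: str
    dst_ip: str
    dst_port: int


def parse_line(line: str) -> Event:
    """Parse one 'key=value ...' line; dst is split on its last ':'."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    host, port = fields["dst"].rsplit(":", 1)
    return Event(int(fields["ts"]), fields["proc"], fields["proto"], host, int(port))


def classify(ev: Event) -> str:
    """Return 'ok' or the reason the event violates the sandbox policy."""
    if ev.proc in TOR_PROCS:
        return "ok"                    # tor itself must reach guards/bridges
    if ev.proc in BROWSER_PROCS:
        if ev.proto == "tcp" and (ev.dst_ip, ev.dst_port) == TOR_SOCKS:
            return "ok"                # the only path the browser may use
        if ev.proto == "udp" and ev.dst_port == 53:
            return "dns-leak"          # name resolution outside Tor
        return "browser-bypassed-tor"  # direct connection: exploit or misconfig
    return "unexpected-process"        # nothing else should be talking out


def find_alerts(log_text: str) -> list:
    """Return (ts, proc, reason, destination) for every non-ok event."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        reason = classify(ev)
        if reason != "ok":
            alerts.append((ev.ts, ev.proc, reason, f"{ev.dst_ip}:{ev.dst_port}"))
    return alerts


if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print("ALERT", *alert)
```

The point of the allow-list shape is that a payload running inside the browser process cannot be distinguished from the browser by process name, so the rule has to be "browser talks to SOCKS only" rather than a deny-list of bad destinations; the DNS case is split out because it is the most common way a browser leaks even when its HTTP traffic is proxied.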
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 05.08.2013 10:15, Nadim Kobeissi wrote:
> Now, we find out that the FBI has been sitting on an exploit since an unknown amount of time that can compromise the Tor Browser Bundle

Is that really so? See: https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/ first comment

Georg
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 2013-08-05, at 4:19 PM, liberationt...@lewman.us wrote:
> On Mon, 5 Aug 2013 10:15:20 +0200 Nadim Kobeissi na...@nadim.cc wrote:
>> Now, we find out that the FBI has been sitting on an exploit since an unknown amount of time that can compromise the Tor Browser Bundle, which is currently the main way to download Tor and the only way to download Tor for the average end-user, and is deploying it en-masse to the visitors of what seems to be around half of all Tor hidden services, which have also been compromised
>
> Please cite first person sources on this. It's not clear the FBI did anything or is involved at all. There is a reddit thread implying this, but no statement (as of yet) from the FBI or anyone claiming responsibility for the javascript injection.

As Andy Isaacson said: "The press is treating it as a likelihood. That's no proof, of course, but the narrative is internally consistent and most alternatives seem quite unlikely. http://www.wired.com/threatlevel/2013/08/freedom-hosting/"

> Second, it's not clear this exploit or malware has actually compromised current versions of Tor Browser (as released on June 26, 2013). Please show a working exploit against the current TBBs.

With my own project, we fixed a critical vulnerability months before it was publicized, and we still treated the situation as critical during publication due to the fact that there may have been users who may have already been compromised or who may not have updated. I feel that your response ignores those possibilities and is defensive to a fault. Since the bug this malware exploits was fixed in a previous version of the Tor Browser, why was no advisory issued? What if this exploit had been known, and used, for a whole year by malicious parties?

> Third, please show data that half of all Tor hidden services have been compromised. We don't have this data because we don't track hidden services. If you do, please share your metrics.

Honestly your email feels really unproductive.

NK

> --
> Andrew
> http://tpo.is/contact
> pgp 0x6B4D6475
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Mon, Aug 05, 2013 at 04:54:00AM -0400, Roger Dingledine wrote:
> Specifically, it would appear that the TBB updates we put out on June 26 addressed this vulnerability:

https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html has some more details now. Or see https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable if you prefer blog posts. :)

--Roger
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 08/05/2013 05:00 PM, Nadim Kobeissi wrote:
> On 2013-08-05, at 4:19 PM, liberationt...@lewman.us wrote:
>> On Mon, 5 Aug 2013 10:15:20 +0200 Nadim Kobeissi na...@nadim.cc wrote:
>>> Now, we find out that the FBI has been sitting on an exploit since an unknown amount of time that can compromise the Tor Browser Bundle, which is currently the main way to download Tor and the only way to download Tor for the average end-user, and is deploying it en-masse to the visitors of what seems to be around half of all Tor hidden services, which have also been compromised
>>
>> Please cite first person sources on this. It's not clear the FBI did anything or is involved at all. There is a reddit thread implying this, but no statement (as of yet) from the FBI or anyone claiming responsibility for the javascript injection.
>
> As Andy Isaacson said: "The press is treating it as a likelihood. That's no proof, of course, but the narrative is internally consistent and most alternatives seem quite unlikely. http://www.wired.com/threatlevel/2013/08/freedom-hosting/"
>
>> Second, it's not clear this exploit or malware has actually compromised current versions of Tor Browser (as released on June 26, 2013). Please show a working exploit against the current TBBs.
>
> With my own project, we fixed a critical vulnerability months before it was publicized, and we still treated the situation as critical during publication due to the fact that there may have been users who may have already been compromised or who may not have updated. I feel that your response ignores those possibilities and is defensive to a fault. Since the bug this malware exploits was fixed in a previous version of the Tor Browser, why was no advisory issued? What if this exploit had been known, and used, for a whole year by malicious parties?

I'm really not sure I understand what you expected out of it.

With TBB being based on underlying software that was the origin of the bug, are Tor people expected to keep track of every commit and ticket being closed in Firefox and ship security bulletins just as Mozilla does? Are you doing the same with Crypto.cat for the browsers you have extensions for?
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 8/4/13 10:31 PM, liberationt...@lewman.us wrote:
> Tor's official response is here, https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting

After a quick check at a random Tor2web server, it seems that there's no specific pattern of traffic drop. Who knows, maybe the number of Tor HS that have been taken down is just a few.

--
Fabio Pietrosanti (naif)
HERMES - Center for Transparency and Digital Human Rights
http://logioshermes.org - http://globaleaks.org - http://tor2web.org
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 2013-08-05, at 6:38 PM, Roger Dingledine a...@mit.edu wrote:
> On Mon, Aug 05, 2013 at 04:54:00AM -0400, Roger Dingledine wrote:
>> Specifically, it would appear that the TBB updates we put out on June 26 addressed this vulnerability:
>
> https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html has some more details now. Or see https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-bundles-vulnerable if you prefer blog posts. :)

Awesome! :-) This is one of those situations that, frustratingly, could have been dealt with better, but Roger and co. deliver in the end, as is tradition. Tor remains an awesome project. The FBI is the likely perpetrator of the exploit and this should really wake up the privacy community.

NK

> --Roger
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Fabio Pietrosanti (naif) li...@infosecurity.ch wrote:
> After a quick check at a random Tor2web server, it seems that there's no specific pattern of traffic drop. Who knows, maybe the number of Tor HS that have been taken down is just a few.

Yeah, it seems like people are vastly overestimating the number of hidden services affected. Freedom Hosting was the largest free HS host, but estimating them at half of all hidden services is a bit much. The last time they went down, the majority of hidden services remained unaffected. My belief is that most hidden services are actually self-hosted.

Tor has maintained for quite a while that attacks that break out of Firefox's sandboxing are their biggest concern in terms of deanonymization. And they really should be. Since the switch to TBB vs Vidalia+Torbutton+manual config, users are more likely to be using the same version of Firefox. In some ways this is great, the goal being to make Tor users look identical and therefore bypass fingerprinting. In other ways, perhaps not ideal. A userbase that is unified in this way is far more likely to be susceptible to a given exploit than a diverse one. My understanding is that they are looking for more/better ways to sandbox the whole shebang.

I do wish that Vidalia were still being actively developed though =/

~Griffin
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
> Mozilla posted the advisory on June 25th: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html and a TBB update was provided 5 days later: https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released - and it uses a version of FF that the advisory says fixes the issue.

So what's the problem that Nadim Kobeissi is pointing to? The vulnerability was patched by Mozilla, then subsequently incorporated in the TBB. If TBB is updated, and a user doesn't upgrade their TBB bundle, that's the user's fault, not Tor's. No? Yes, I think.

> The take-home message of the day: keep your shit up to date.

Exactly. Nothing more, nothing less. It's like brushing one's teeth: you learn that you have to do it for your own good, and then you just do it.

> The only question I have is -- is there anything more that can be done to warn users their stuff is out of date? We're already visited with a warning that our browser or other Tor-related software is out of date upon launching it. Do we need scrolling text? Blinky lights? Should it be disabled once it is out of date? Maybe that can be an option set by default. Thoughts?

I don't think so. TBB already warns when there is an updated version of the TBB, so I really think it's a culture change on the part of people who don't upgrade immediately. Hard thing to fight against, but maybe such events will make people more cautious in this way.
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Firstly: this is not an anti-Tor/pro-anything/anti-developer comment. If anything it's a pro-have_some_understanding_for_people point of view. I contribute to Tor as I believe it can do a lot of good.

As I understand it, the issue was: a compromise affected older TB Bundles, based on a previous version of Firefox. TBB prompted users to update to newer versions within $X days of release. It wasn't the Tor network that was compromised, it was *some* software running to provide a Tor Hidden Service. Which we still don't know exactly what that was? (It would be nice to know.)

Neither do I think you can expect the Tor Project to follow every commit to Firefox. (Although using any software, based on trust, in this world is not the best idea.)

If anyone should get blamed, it's the operators of the THS (currently it seems it was Freedom Hosting and Eric Eoin Marques?) that were the cause of this compromise. They are the douches in this shitstorm. All good so far.

On 5 Aug 2013, at 18:45, h0ost wrote:
>> Mozilla posted the advisory on June 25th: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html and a TBB update was provided 5 days later: https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released - and it uses a version of FF that the advisory says fixes the issue.
>
> So what's the problem that Nadim Kobeissi is pointing to? The vulnerability was patched by Mozilla, then subsequently incorporated in the TBB. If TBB is updated, and a user doesn't upgrade their TBB bundle, that's the user's fault, not Tor's. No? Yes, I think.

If you want to find fault with some party, then sure, it's the user's fault. But that's not very helpful in a case like this. If it was MS Word, or Mail.app, blame the user. Tor and TBB are not the easiest of privacy protection tools to understand, even for some trained technology people. It would be nice to know the percentage of technical experts using TBB.

You *cannot* expect someone who is not an expert in cryptography, comp.sci, or computer technology in general to fully understand the consequences of using software tools. If you have a problem with that, then go and design software for developers.

I know your comment was off the cuff, but this is one of the reasons why this shit is so bad. It needs to be designed with _real_ people (not cryptographers, or comp.sci or telecoms) in mind. Real people who use these tools to communicate. Everybody, in some case, is just a user.

It wasn't essentially The Tor Project's fault, but they are dealing with it now. Shitty, I know.

>> The take-home message of the day: keep your shit up to date.
>
> Exactly. Nothing more, nothing less. It's like brushing one's teeth: you learn that you have to do it for your own good, and then you just do it.

I don't think you can compare tooth decay with your security getting compromised. Really.

>> The only question I have is -- is there anything more that can be done to warn users their stuff is out of date? We're already visited with a warning that our browser or other Tor-related software is out of date upon launching it. Do we need scrolling text? Blinky lights? Should it be disabled once it is out of date? Maybe that can be an option set by default. Thoughts?
>
> I don't think so. TBB already warns when there is an updated version of the TBB, so I really think it's a culture change on the part of people who don't upgrade immediately. Hard thing to fight against, but maybe such events will make people more cautious in this way.

By what Roger Dingledine from Tor has stated in a previous mail, The Tor Project provided the "you need to upgrade" message promptly. I don't know if that is enough. (But it is certainly a lot more than other providers of software would do.)

Maybe disabling out-of-date software would not be a bad thing? (Personally I don't know if that's a good approach, as users may use less secure methods to carry out their tasks.)

My point is, there should be some research into finding an answer as opposed to apportioning blame.

Flame-retardant suit on.

Bernard

--
Bernard / bluboxthief / ei8fdb
IO91XM / www.ei8fdb.org
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Nadim certainly has a point about the disparity between how his efforts were received and the overall level of respect/support Tor receives. Hopefully, he will continue on and when his software accumulates the track record that Tor has he will be suitably rewarded. He certainly writes recently like someone who has been resilient and forward thinking. More power to him!
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Bernard Tyers - ei8fdb ei8...@ei8fdb.org wrote:
> By what Roger Dingledine from Tor has stated in a previous mail, The Tor Project provided the "you need to upgrade" message promptly. I don't know if that is enough. (But it is certainly a lot more than other providers of software would do.)

I can really only speak for me, but I think that a larger part is: what constitutes full disclosure? Is it a broad advisory? Is it a blog post? Is it tweets? What constitutes a bug big enough to warrant that type of announcement? Every software project has to come up with answers to these questions.

FWIW, I keep up with Tor news far more than an average user, and still did not know about this vuln until a couple of days ago. I would like to see Tor broadcasting recent vulnerabilities/issues/enhancements on the check.torproject.org page. Ironically (or not) Nadim and I had already been working on a different TorCheck page when this news came out.
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
You realize Tor didn't know this vuln was an issue until two days ago? The Tor Browser Bundle is based off of Firefox ESR releases. All the high-profile security issues fixed are listed on the Firefox ESR known vulnerabilities web page. You want them to copy that page for you?

Al

--
Al Billings
http://makehacklearn.org

On Monday, August 5, 2013 at 12:55 PM, Griffin Boyce wrote:
> Bernard Tyers - ei8fdb ei8...@ei8fdb.org wrote:
>> By what Roger Dingledine from Tor has stated in a previous mail, The Tor Project provided the "you need to upgrade" message promptly. I don't know if that is enough. (But it is certainly a lot more than other providers of software would do.)
>
> I can really only speak for me, but I think that a larger part is: what constitutes full disclosure? Is it a broad advisory? Is it a blog post? Is it tweets? What constitutes a bug big enough to warrant that type of announcement? Every software project has to come up with answers to these questions.
>
> FWIW, I keep up with Tor news far more than an average user, and still did not know about this vuln until a couple of days ago. I would like to see Tor broadcasting recent vulnerabilities/issues/enhancements on the check.torproject.org page. Ironically (or not) Nadim and I had already been working on a different TorCheck page when this news came out.
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On 5 Aug 2013, at 21:08, Al Billings wrote:

> You realize Tor didn't know this vuln was an issue until two days ago?

I presume that's directed at Griffin.

> The Tor Browser Bundle is based off of Firefox ESR releases. All the high profile security issues fixed are listed on the Firefox ESR known vulnerabilities web page. You want them to copy that page for you?

How many TBB users will go to the Firefox ESR vulns. page to research the potential and found vulns in a piece of software they don't know they use?

Bernard

--
Bernard / bluboxthief / ei8fdb
IO91XM / www.ei8fdb.org
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Why should they? Just make sure you're running the most recently released version.

--
Al Billings
http://makehacklearn.org

On Monday, August 5, 2013 at 1:18 PM, Bernard Tyers - ei8fdb wrote:

> > The Tor Browser Bundle is based off of Firefox ESR releases. All the high profile security issues fixed are listed on the Firefox ESR known vulnerabilities web page. You want them to copy that page for you?
>
> How many TBB users will go to the Firefox ESR vulns. page to research the potential and found vulns in a piece of software they don't know they use?
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Al,

We may have to disagree as to the way forward. I hate to be contentious, but it seems unlikely that Tor applied a patch without reading Firefox's changelog.

Two days ago I presented a talk which emphasized how useful Tor is -- and I stand by that. Tor is still the best option for maintaining one's anonymity. I use Tor. I teach people how to use Tor. I run relays and hidden services. I code on Tor-related projects. And I tell large crowds why they should do all of that too. It's not like I'm some hater.

~Griffin

On 8/5/13, Al Billings <alb...@openbuddha.com> wrote:

> Why should they? Just make sure you're running the most recently released version.
>
> --
> Al Billings
> http://makehacklearn.org
>
> On Monday, August 5, 2013 at 1:18 PM, Bernard Tyers - ei8fdb wrote:
>
> > > The Tor Browser Bundle is based off of Firefox ESR releases. All the high profile security issues fixed are listed on the Firefox ESR known vulnerabilities web page. You want them to copy that page for you?
> >
> > How many TBB users will go to the Firefox ESR vulns. page to research the potential and found vulns in a piece of software they don't know they use?

--
Just another hacker in the City of Spies.
#Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de
My posts, while frequently amusing, are not representative of the thoughts of my employer.
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
I'm not sure what you're trying to say here exactly. Tor doesn't apply a patch to TBB, AFAIK. They build on top of Firefox ESR. The current Firefox ESR17 (and the current TBB) have the bug fixed that everyone is talking about. If you're current, you're safe. So, then the problem becomes: why aren't people running the current version?

As to the rest of what you said, that has nothing to do with anything I said. I didn't comment on Tor, its usefulness, or anything else. My comments were about the current situation with a JavaScript exploit and the TBB. If you want to talk about this other thing, enjoy, but it has nothing to do with me. My focus is Firefox.

Al

--
Al Billings
http://makehacklearn.org

On Monday, August 5, 2013 at 3:09 PM, Griffin Boyce wrote:

> We may have to disagree as to the way forward. I hate to be contentious, but it seems unlikely that Tor applied a patch without reading Firefox's changelog.
>
> Two days ago I presented a talk which emphasized how useful Tor is -- and I stand by that. Tor is still the best option for maintaining one's anonymity.
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Does anybody have any indication on how the alleged operator of Freedom Hosting was identified? Everybody seems to be focusing on the javascript exploit but from what I've read, it appears that was placed on the server after the alleged operator was taken down and the operation compromised, or is my timing off?

Jason Cronk
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
If my understanding of Mozilla's description of the vulnerability is correct:

https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/

> Users who are on the latest version of Firefox (version 22) or Firefox ESR (version 17.0.7) are not at risk. If a user is running an outdated version of Firefox, then this vulnerability could be used by an attacker to execute malicious software on a victim's machine. Mozilla has been alerted that this issue is being actively exploited in the wild and urges all users to make sure their Firefox is up to date.

Then what happened could have happened to any ISP on hidden services or not. A browser connected to the ISP, used a browser vulnerability to infect the host server, and proceeded from there to do whatever to the hosting complex at the hidden service site. They were hacked. They got pwned. And apparently, they had no measures in place to have noticed that it was happening, in terms of image monitoring and so on -- although admittedly we are talking about a state-level opponent. They could have been rootkitted straight off, and the opponent had their way with them and so on.

However, my understanding is that this vulnerability -- did I hear somewhere? -- is to Windows hosting. Now maybe it's me, and I'm old fashioned, but I still think of that as more vulnerable, but I've been out of the field for a while.

Regardless, this has nothing to do with Tor or Tor hidden services. It could have happened on the open internet with an Apache server with the same version of Mozilla. Or am I misunderstanding something?

So, essentially, Mozilla was used as the Trojan Horse to insert the payload into the servers. It wouldn't have made a difference at all if they were hidden or not, only that they were using web services and allowing any version of Mozilla to attach.

yrs,

--
Shava Nerad
shav...@gmail.com
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
No, Mozilla (I assume you mean Firefox) wasn't used to insert anything into any servers. It is the other way around. Someone had an exploit on the servers that could be used to exploit older versions of the ESR17 branch of Firefox, which the Tor Browser Bundle uses. (ESR is the Extended Support Release and ESR17 is Firefox 17 + important security updates since 17 was shipped. ESR is meant for corporate users and others who want long-term stability but security fixes as well.)

--
Al Billings
http://makehacklearn.org

On Monday, August 5, 2013 at 4:00 PM, Shava Nerad wrote:

> So, essentially, Mozilla was used as the Trojan Horse to insert the payload into the servers. It wouldn't have made a difference at all if they were hidden or not, only that they were using web services and allowing any version of Mozilla to attach.
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
ah, ok, thanks! Got it backwards...

So the server was hacked by some unknown method, by a state level opponent, and this was then used to identify user activity using the Firefox 17 vulnerability announced by Mozilla, presumably, which allowed them to monitor significant traffic and activity/content on the hidden service from there out.

I think there is at least one paper out there on how to defeat a hidden service already, and Tor has an appeal out for help with hidden services in general -- it's not the primary focus of the project, as it isn't a focus of funding, just on a pragmatic basis.

(reminder: I do not speak for the project. I volunteer a bit. I used to work there. I am not a programmer, but I used to be one in the previous century, but since then I have tended increasingly to herd geeks and write words and raise cash. I am also fighting a migraine but not as big a headache as Andrew has today, heh...;)

It is such an arms race... I still wonder about insufficient paranoia and/or resourcing on the part of the service providers. I wonder if they had image monitoring, pentesting, all the sort of security regime going on that an enterprise ISP would have with sensitive info on it?

If your freedom (either in terms of freedom-fighting or just-freedom-from-jail -- this is a bit like the liberation-vs-criminal version of freedom or beer, yes?) depended on it, what would you do to secure your hosting or your machine/mobile? It's more and more relevant. We are an interesting list in interesting times.

yrs,
SN

On Mon, Aug 5, 2013 at 7:13 PM, Al Billings <alb...@openbuddha.com> wrote:

> No, Mozilla (I assume you mean Firefox) wasn't used to insert anything into any servers. It is the other way around. Someone had an exploit on the servers that could be used to exploit older versions of the ESR17 branch of Firefox, which the Tor Browser Bundle uses. (ESR is the Extended Support Release and ESR17 is Firefox 17 + important security updates since 17 was shipped. ESR is meant for corporate users and others who want long-term stability but security fixes as well.)
>
> --
> Al Billings
> http://makehacklearn.org
>
> On Monday, August 5, 2013 at 4:00 PM, Shava Nerad wrote:
>
> > So, essentially, Mozilla was used as the Trojan Horse to insert the payload into the servers. It wouldn't have made a difference at all if they were hidden or not, only that they were using web services and allowing any version of Mozilla to attach.

--
Shava Nerad
shav...@gmail.com
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Tue, Aug 06, 2013 at 12:09:48AM +0200, Griffin Boyce wrote:

> We may have to disagree as to the way forward. I hate to be contentious, but it seems unlikely that Tor applied a patch without reading Firefox's changelog.

I'm still not clear on what you want Tor to have done. Should they do a RED FLASHING LETTERS blog post every time a security-critical bug gets fixed in a new release? News flash, there are security-critical bugs fixed in *every* release. Many of them aren't even *identified* as security-critical bugs when they're fixed.

Users *have* to be up to date if they are going to try to do things in this threat landscape. (Of course updates introduce their *own* can of security worms, but far better to kill off the bugs we *know* are being exploited than to worry overmuch about APTs burning backdoored developers slipping malware into our reproducibly built cryptographically hashed auditable source trail DVCS managed applications.)

-andy
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Griffin Boyce:

> Al,
>
> We may have to disagree as to the way forward. I hate to be contentious, but it seems unlikely that Tor applied a patch without reading Firefox's changelog.
>
> Two days ago I presented a talk which emphasized how useful Tor is -- and I stand by that. Tor is still the best option for maintaining one's anonymity.

Hi Griffin,

Do you plan to release security advisories for all updates to the Linux kernel, GNU user space utilities and other dependencies in the commotion router firmware? I suppose no but perhaps I'm mistaken? Has anyone done so with new commotion releases? I don't see[0][1] such notes, am I missing something? It seems impractical to note every change from downstream projects. Clearly you seem to disagree but I do wonder where you draw the line? Do your projects have some example where we might see the line in action, so to speak?

As far as I can tell, we issued a security advisory within twenty-four hours. We spent more than a full day of multiple people's time working non-stop to understand the scope, the impact and the outcomes of this issue. We were already working on this task when you and another decided to jump up and down to let us know that we were failures by any other name. I'd say thanks but that isn't the word that comes to mind...

The Tor Project does not triage every single Mozilla Firefox bug. We do try to understand which bugs are security critical. We do aim to track and put our energy into ensuring our browser uses the latest ESR releases. This generally includes lots of code fixes, security as well as other kinds of fixes, though we may not always fully understand every issue - we tend to trust Mozilla's lead on this topic. TBB requires lots of effort to forward port our privacy preserving patches as they are not in the mainline Mozilla repositories.

We did this as we always do with TBB releases and we released patched versions of the software before we ever even learned of the exploit discovered this weekend that targets old, unpatched users:

  2.3.25-10 (released June 26 2013)
  2.4.15-alpha-1 (released June 26 2013)
  2.4.15-beta-1 (released July 8 2013)
  3.0alpha2 (released June 30 2013)

By a general count, it was around a month ago that we released patched versions. We normally just note that we've bumped the included projects to their latest stable versions - though in the case of our latest alpha, we specifically said[2]:

> In addition to providing important security updates to Firefox and Tor, these release binaries should now be exactly reproducible from the source code by anyone.

Do you think that we should include that text with every single release? ie: "This update provides important security updates to Firefox and Tor" or something along those lines? Shall we just put that in every single release note? Is that really helpful?

If you have a suggestion for how we might improve, I'm open to hearing it - though as far as I am able to tell - there isn't much to be done except to say "security update" next to "firefox update" in our normal release notes. That isn't very helpful as nearly every Firefox update in ESR is a security or stability related release.

Please do feel free to suggest something constructive - if we have room for improvement, we're happy to make it!

All the best,
Jacob

[0] https://commotionwireless.net/download/openwrt
[1] https://commotionwireless.net/blog/new-commotion-release-dr1-ready-testing
[2] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
On Mon, Aug 05, 2013 at 06:18:02PM -0400, r...@privacymaverick.com wrote 0.6K bytes in 0 lines about:
: Does anybody have any indication on how the alleged operator of
: Freedom Hosting was identified? Everybody seems to be focusing on
: the javascript exploit but from what I've read, it appears that was
: placed on the server after the alleged operator was taken down and
: the operation compromised, or is my timing off?

This is far more interesting to me than anything else. I've been wondering the same thing.

--
Andrew
http://tpo.is/contact
pgp 0x6B4D6475
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
According to THN[0] and several linked supporting sites from there (particularly notable are analyses from Kenneth Buckler[1] and Vlad Tsyrklevich[2]), the payload delivered the MAC address and Windows hostname to 65.222.202.54[3]. I've read in public sources that that address is assigned to SAIC but I have not seen any hard data on that.

[0]: http://thehackernews.com/2013/08/Firefox-Exploit-Tor-Network-child-pornography-Freedom-Hosting.html
[1]: https://code.google.com/p/caffsec-malware-analysis/source/browse/trunk/TorFreedomHosting/
[2]: http://tsyrklevich.net/tbb_payload.txt

On Mon, Aug 5, 2013 at 8:22 PM, <liberationt...@lewman.us> wrote:

> On Mon, Aug 05, 2013 at 06:18:02PM -0400, r...@privacymaverick.com wrote 0.6K bytes in 0 lines about:
> : Does anybody have any indication on how the alleged operator of
> : Freedom Hosting was identified? Everybody seems to be focusing on
> : the javascript exploit but from what I've read, it appears that was
> : placed on the server after the alleged operator was taken down and
> : the operation compromised, or is my timing off?
>
> This is far more interesting to me than anything else. I've been wondering the same thing.

--
@kylemaxwell
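Two concrete indicators come out of this thread: Mozilla's statement, quoted earlier, that Firefox 22 and Firefox ESR 17.0.7 are the fixed builds and anything older is exposed, and the callback address 65.222.202.54 that the analyses cited in the message above say the payload reported to. The script below is an added example for this page, not code from the list, the Tor Project, Mozilla or the cited analyses. It assumes two inputs a defender would plausibly have and that the page does not describe: a host-to-Firefox-version inventory from an endpoint agent, and connection logs in a constructed "timestamp source destination:port" format. Both the inventory and the log lines are constructed here. The version check only covers exposure to this particular fix and treats the non-ESR 18-21 releases as unpatched, since Mozilla's post names 22 as the fixed release on that line; a connection to the callback address is worth investigating but is not on its own proof of compromise.

```python
"""Triage helper for the two indicators named in this thread: hosts running
a Firefox build older than the ones Mozilla declared fixed (Firefox 22,
ESR 17.0.7) and hosts that connected to the address the analysed payload
reported to.  Added example for this page; not code from the list, the Tor
Project, Mozilla or the cited analyses."""
import re
from ipaddress import ip_address

# Fixed versions per Mozilla's post quoted earlier in the thread.
FIXED_ESR17 = (17, 0, 7)
FIXED_RELEASE = (22, 0, 0)

# Callback address reported in the analyses cited above.
PAYLOAD_CALLBACK = ip_address("65.222.202.54")

# Constructed connection-log format (assumption): "<ts> <src> <dst>:<port>"
CONN_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<src>[\d.]+)\s+(?P<dst>[\d.]+):(?P<port>\d+)$")


def parse_version(version):
    """'17.0.7' -> (17, 0, 7); '22.0' -> (22, 0, 0).  Non-numeric suffixes
    such as 'esr' are ignored."""
    parts = [int(p) for p in re.findall(r"\d+", version)[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def is_patched(version):
    """True when the build is at or above the fixed release for its branch.

    ESR17 was fixed at 17.0.7; every other branch is compared against 22,
    so the end-of-life 18-21 releases and anything older count as unpatched."""
    v = parse_version(version)
    if v[0] == 17:
        return v >= FIXED_ESR17
    return v >= FIXED_RELEASE


def triage(inventory, connections):
    """Return {host: [reasons]} for hosts hitting either indicator.

    inventory:   {host: firefox_version_string} from an endpoint agent (assumed)
    connections: iterable of lines in the constructed CONN_RE format"""
    findings = {}

    def flag(host, reason):
        reasons = findings.setdefault(host, [])
        if reason not in reasons:
            reasons.append(reason)

    for host, version in inventory.items():
        if not is_patched(version):
            flag(host, "unpatched Firefox " + version)
    for line in connections:
        m = CONN_RE.match(line.strip())
        if not m:
            continue  # not in the constructed format; ignore
        if ip_address(m["dst"]) == PAYLOAD_CALLBACK:
            flag(m["src"], "connection to payload callback address " + m["dst"])
    return findings


# Constructed sample data: private source addresses, TEST-NET destinations,
# plus the callback address from the thread.
INVENTORY = {
    "10.0.0.12": "17.0.5",   # ESR17, behind 17.0.7
    "10.0.0.20": "17.0.7",   # fixed ESR17
    "10.0.0.31": "22.0",     # fixed release
    "10.0.0.44": "21.0",     # non-ESR, below 22
}
CONNECTIONS = [
    "2013-08-04T03:12:09Z 10.0.0.12 65.222.202.54:80",
    "2013-08-04T03:12:11Z 10.0.0.12 198.51.100.7:443",
    "2013-08-04T03:14:40Z 10.0.0.20 198.51.100.7:443",
    "2013-08-04T03:15:30Z 10.0.0.44 203.0.113.9:80",
]

if __name__ == "__main__":
    for host, reasons in sorted(triage(INVENTORY, CONNECTIONS).items()):
        print(host, "->", "; ".join(reasons))
```

On the constructed data, 10.0.0.12 is flagged for both an old ESR17 build and the callback connection, 10.0.0.44 for the unsupported 21.0 build only, and the two hosts on fixed builds with ordinary traffic are not reported. The version comes from an inventory rather than a User-Agent string on purpose: a UA can be spoofed, and browsers that freeze it at a branch version hide the point release, so it cannot distinguish 17.0.5 from 17.0.7.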
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Tor's official response is here:
https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting

--
Andrew
http://tpo.is/contact
pgp 0x6B4D6475
Re: [liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
There are really two separate issues here, and I just want to separate them briefly.

1) Tormail and other sites were hosting malicious JS code that attempts to break Firefox 17.
2) Freedom Hosting was shut off after its host was arrested.

I will say from personal experience that most hidden services are *extremely* permeable. Not because Tor sucks, but because people making them aren't very good webmasters. They don't upgrade/patch the software running their websites, and that leads to big hacks. Freedom Hosting was itself taken down on at least three occasions due to poor maintenance. It's also not particularly difficult to script up a scanner that tests hidden services for vulnerabilities, then launches malicious code. This has happened again and again. But this cannot really be Tor's fault any more than it's Apache's fault. People who host hidden services must maintain their code just like other websites.

If a hidden service webhost is imperfectly set up, it's possible to upload a malicious file and broadcast the IP address of the server. (Again, this relies on various configuration issues and 0day, but similar has happened to Freedom Hosting before).

What does everyone else think about this?

best,
Griffin

PS: it seems a little too ambitious to set up your own anonymity network without having a solid team of scientists and cryptographers

On Sun, Aug 4, 2013 at 9:20 PM, Rich Jones <miser...@gmail.com> wrote:

> 1) Freedom Hosting owner arrested and TorMail appears to be distributing FBI malware specifically targeting the Tor Browser Bundle. Deets: https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste
>
> 2) I'm considering using Docker/Flynn to build an anonymous PaaS. Anybody want to help with the sketches? Deets: https://github.com/Miserlou/OnionCloud
>
> R

--
Just another hacker in the City of Spies.
#Foucault / PGP: 0xAE792C97 / OTR: sa...@jabber.ccc.de
My posts, while frequently amusing, are not representative of the thoughts of my employer.