-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Ok, let's try to find out what's going on here. I checksummed some files:

- ----
++ The directory I found yesterday evening.
https://www.torproject.org/dist/torbrowser/3.6.3/
- -> This was the old download directory for the Torbrowser v3.6.3
- -> Not accessible via web browser
- -> There is no signature "torbrowser-install-3.6.3_en-US.exe.asc" in this directory.

Files:
https://www.torproject.org/dist/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe
- -> Filesize 323 b. This file is a little bit too small to be the Torbrowser.
I did not remark that yesterday evening, sorry for the confusion.

jacksum-hashes MD5 and SHA256 for *.exe:
c8eb88324526d718b937b616c75d33a8
5610cff753b8263367d8324b07452f6b6ad6a068134ca11991fbacd692d684ef

GtkHash-hashes MD5 and SHA256 for *.exe:
c8eb88324526d718b937b616c75d33a8
5610cff753b8263367d8324b07452f6b6ad6a068134ca11991fbacd692d684ef

- ----
++ The official Tor archive (thanks Lee)
https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/

Files:
https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe
Filesize 27 239 623 b
https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe.asc
Filesize 473 b

jacksum-hashes MD5 and SHA256 for *.exe:
9529c5a633cf0cf6201662ca12630a04
52681848358365482ce2b0922d7c6453e9e1ae8f27b302d3cd3ca1ad876b0d3d

GtkHash-hashes MD5 and SHA256 for *.exe:
9529c5a633cf0cf6201662ca12630a04
52681848358365482ce2b0922d7c6453e9e1ae8f27b302d3cd3ca1ad876b0d3d

- -> MD5 matches the checksum from BM-2cVvnFWSftFx8dv12L8z8PjejmtrjYjnUY at bitmessage.ch and all the others.

GPG Signature
$ gpg --verify torbrowser-install-3.6.3_en-US.exe{.asc,}
gpg: Signature made Fri 25 Jul 2014 19:19:46 CEST using RSA key ID 63FEE659
gpg: Good signature from "Erinn Clark <[email protected]>"
gpg:                 aka "Erinn Clark <[email protected]>"
gpg:                 aka "Erinn Clark <[email protected]>"

=> This is the correct old Torbrowser v3.6.3

- ----
There are actually two directories on torproject.org including a file "torbrowser-install-3.6.3_en-US.exe":
1) https://www.torproject.org/dist/torbrowser/3.6.3/ and
2) https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/

1) is the old download path, but somehow a wrong file with a correct name remained there ??

>> http //www.datafilehost com/d/dfb201d8 or https //www.sendspace
>> com/file/6ygdl3
>
> Both of the files are broken or corrupted. They can't be opened as
> an archive on my end. The first source tries to make one download
> an .exe file. Well you can download the zip file, without it.
>
> How can we be sure that your upload is safe?

I did not touch the files, because the whole story made me mistrustful.

When you look at some subjects of yesterday
"Third-parties tracking me on Tor"
"TOR tried to take a snapshot of my screen"

Perhaps somebody is trolling this list and tries to seed confusion.

Best regards and stay wiretapped!
Anton

- --
no.thing_to-hide at cryptopathie dot eu
0x30C3CDF0, RSA 2048, 24 Mar 2014
0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0
Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC

On 23/08/14 09:18, Sebastian G. <bastik.tor> wrote:
> 22.08.2014, 23:38 [email protected]:
>> Hi,
>>
>> I have TOR 3.6.3 installed in a Windows XP computer that is used
>> almost just for it with very few additional software installed.
>>
>> My understanding is that a potential attacker will test his
>> exploit/approach against most of the security software available,
>> but possibly will not be able to test against ALL of them, so I
>> have a miscellaneous of popular and not popular security software
>> installed in the same computer; among them is a not so common
>> anti spyware called Zemana.
>>
>> I am using TOR browser and Zemana for years and I am familiar
>> with the behaviour of both. The TOR I am running has just the
>> extensions that come with it; no additional extension was
>> installed; no plug-in is installed.
>>
>> I have proper licenses to run all the software, including Zemana,
>> so no crack or other suspicious tool was ever used. Zemana is a
>> quiet software and I can not remember about any single fake
>> alert.
>>
>>
>> Few days ago, while browsing with TOR, I got a shocking alert
>> from Zemana: TOR TRIED TO TAKE A SNAPSHOT OF MY SCREEN.
>
> Was it a website you trusted you browsed to? Did the software
> attempt to do anything without a website loaded?
>
>> As Zemana allow me, I did block such screen capture and TOR
>> crashed immediately. By this crash I understand that TOR really
>> tried to capture my screen.
>>
>> I restarted TOR with a new identity, changed the identity many
>> times but TOR repeated the same behaviour a number of times with
>> the screen capture try-Zemana block-TOR crash. Changing the
>> identity just does not work for such attacker.
>>
>> The script functions were always blocked by NoScript 2.6.8.36.
>>
>> On the following days I used TOR again, without any change in my
>> system or software, accessing the same web sites but the attack
>> no longer took place.
>
> Looks like the website(s) did something.
>
> Maybe trying to access canvas, what the TorBrowser tried to
> prevent. Maybe this triggered the alert.
>
>>
>> I verified the MD5 signature for the TOR browser (firefox.exe)
>> and it is unchanged, i.e, it is as distributed by torproject.org
>>
>> The TOR 3.6.3 was downloaded from the TOR project web site, and
>> not from other servers. The install package
>> torbrowser-install-3.6.3_en-US.exe has the MD5 signature:
>> 9529C5A633CF0CF6201662CA12630A04 I have the installer in my files
>> for any forensic work.
>>
>> I am sending some screens with the Zemana log, where it is possible
>> to see the TOR MD5 signature (firefox.exe;
>> FC19E4AFB0E68BD4D25745A57AE14047) and the logged behaviour
>> ("screenlogger"), the TOR version, TOR button and the Zemana
>> version screens, and the extensions and plug-ins existing in my
>> TOR install (just to confirm that nothing strange is there). They
>> are available to download here:
>> http://www.datafilehost.com/d/dfb201d8 or
>> https://www.sendspace.com/file/6ygdl3
>
> Both of the files are broken or corrupted. They can't be opened as
> an archive on my end. The first source tries to make one download
> an .exe file. Well you can download the zip file, without it.
>
> How can we be sure that your upload is safe?
>
>
>> Seems that TOR has hidden server capabilities, a back door that
>> allow a remote operator take snap shot of the screen and possible
>> perform other actions (record mic, turn on the webcam, ...).
>
> I'm unaware of Firefox being able to activate the mic, Chrome can
> do that. Both can access the webcam. Firefox will eventually be
> able to activate the mic.
>
> It has to be ensured that those are not accessed without the user's
> permission.
>
> The remote operator claim would require evidence of some sort.
>
> Considerably attackers want to get into systems worth getting
> into.
>
>> I think TOR can protect the users from many enemies, but at the
>> same time it is a perfect tool to attract, identify and log very
>> specific (users) targets. This may explain also the, until now,
>> unclear role and objectives of the US government by funding the
>> TOR Project.
>
> I think they use Tor for many purposes themselves.
>
>> Seems that hardly will be possible to identify such attacker as
>> it probably comes from the TOR network itself, but I am
>> considering a trap/honey pot just in case this repeats.
>>
>>
>> I am an enthusiast of privacy tools and TOR is not used for any
>> kind of unlawful purposes, it is unlikely that I will attract
>> attention from public authorities and I am not worried with any
>> data such attacker eventually may have had access to.
>
> If someone would exploit against the TorBrowser he might be trying
> to get as many hits as possible to see if someone is a target.
>
>> Hope this information may help to improve the TOR community
>> security and at some point in the future we will be able to find a
>> solution for this back door.
>>
>
> I hope this can be resolved.
>
> Regards,
> Sebastian G.
>

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iQEcBAEBAgAGBQJT+H6yAAoJEMwm4aUww83w7hcH/04HitX6mZ4i3qaXJHeDvAUU
lBxtplQeSwky+jH+W5Ykf8JPpcFsBd/MUfwMCsjbUqkU3tToCg7P+k2C+7HDKSxJ
YogC/5AdgXfGJ9HYwgm+PpjuxS0g7sC84cGu1RuwVhetH3L45TXFF6YYDEppUFAN
0U5TSHV8xgCMTERJ8VtCyz93DbvKGUN5kUvNuGQk/G13rndKMHmfw+UGW9fdCQU7
ypL0/LQxVkZw5/aYPCcRe0krXz2xyCJMr9xs5gQU1Mi+UBUSF9zzxen/Ls+B+sdV
jGp6Q9JyXAQ46YbnIZWNv7BLrxK5BSrOyVhrSoy+lnihnoPJu6dJq/ZyCnreAOg=
=r5p5
-----END PGP SIGNATURE-----
--
tor-talk mailing list - [email protected]
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
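The checks Anton walks through above (is the file big enough to be an installer, do the digests agree across sources, does the detached signature verify) can be scripted so that a "Good signature" line is not the last word: gpg's machine-readable status output exposes the signing key's full fingerprint, which is what should be pinned rather than a short key ID like 63FEE659. The following is an added example, not code from this thread or from the Tor Project. The sample bytes, digests, status lines and fingerprints are constructed placeholders; the real installer is about 27 MB and the real signing-key fingerprint must come from torproject.org, not from a list post.

```python
"""Download verification: size sanity check, digest comparison and
gpg --status-fd parsing with primary-key fingerprint pinning.

Added example, not code from the tor-talk thread or the Tor Project.
All sample data below is constructed for illustration.
"""
import hashlib
import hmac
import subprocess

# Constructed stand-in for the 323-byte "installer" in the old /dist/ path:
# a tiny HTML page, not a Windows executable.
STUB_DOWNLOAD = b"<html><body>Moved: see archive.torproject.org</body></html>"
# Constructed stand-in for a real installer: PE "MZ" magic, padded past the
# size threshold below.
REAL_DOWNLOAD = b"MZ" + b"\x00" * 4094

MIN_INSTALLER_SIZE = 1024  # constructed threshold; real builds are tens of MB

# Constructed primary-key fingerprint to pin (40 hex digits, placeholder only).
PINNED_PRIMARY_FPRS = {"0000000000000000000000000000000000000001"}

# Constructed status output in the shape gpg --status-fd emits for a good
# signature.  VALIDSIG: <sig fpr> <date> <epoch> <expiry> <ver> <reserved>
# <pubkey algo> <hash algo> <class> <primary key fpr>.
SAMPLE_GOOD_STATUS = (
    "[GNUPG:] NEWSIG\n"
    "[GNUPG:] GOODSIG 0123456789ABCDEF Example Signer <signer@example.org>\n"
    "[GNUPG:] VALIDSIG 1111111111111111111111111111111111111111 2014-07-25 "
    "1406308786 0 4 0 1 2 00 0000000000000000000000000000000000000001\n"
    "[GNUPG:] TRUST_UNDEFINED 0 pgp\n"
)
# Same shape, but signed by a key that is not pinned.
SAMPLE_UNPINNED_STATUS = SAMPLE_GOOD_STATUS.replace(
    "0000000000000000000000000000000000000001",
    "2222222222222222222222222222222222222222")


def digests(data: bytes) -> dict:
    """MD5 and SHA-256 hex digests, the two hashes the thread compares."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def sanity_check(data: bytes, expected_sha256: str,
                 min_size: int = MIN_INSTALLER_SIZE) -> dict:
    """Size, PE magic and SHA-256 checks in one pass.

    A digest match only shows the file is the one other people also saw; it
    says nothing about who built it.  That is what the signature is for.
    """
    d = digests(data)
    return {
        "size_ok": len(data) >= min_size,
        "looks_like_exe": data[:2] == b"MZ",
        "sha256_ok": hmac.compare_digest(d["sha256"], expected_sha256.lower()),
        "sha256": d["sha256"],
    }


def parse_gpg_status(status_text: str) -> dict:
    """Parse gpg --status-fd lines into a small result record.

    GOODSIG carries the key id and user id; VALIDSIG carries the full
    fingerprint of the signing (sub)key and, as its last field, the primary
    key fingerprint.  Only VALIDSIG yields a fingerprint worth pinning.
    """
    result = {"goodsig": False, "signer": None, "fingerprint": None,
              "primary_fpr": None, "problem": None}
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag == "GOODSIG":
            result["goodsig"] = True
            result["signer"] = " ".join(fields[3:])
        elif tag == "VALIDSIG":
            result["fingerprint"] = fields[2]
            result["primary_fpr"] = fields[-1]
        elif tag in ("BADSIG", "ERRSIG", "EXPKEYSIG", "REVKEYSIG"):
            # Treat expired or revoked signing keys as failures, not warnings.
            result["goodsig"] = False
            result["problem"] = tag
    return result


def signature_acceptable(status_text: str, pinned_primary_fprs: set) -> bool:
    """Accept only a good signature whose primary key fingerprint is pinned.

    A short key id (the 63FEE659 quoted in the thread) is not enough: short
    ids are cheap to collide, so compare the 40-hex-digit fingerprint.
    """
    parsed = parse_gpg_status(status_text)
    return parsed["goodsig"] and parsed["primary_fpr"] in pinned_primary_fprs


def gpg_verify_status(sig_path: str, data_path: str) -> str:
    """Run gpg on a detached signature and return its status-fd output.

    Not exercised by the tests; requires gpg and the signer's public key.
    """
    proc = subprocess.run(
        ["gpg", "--status-fd", "1", "--verify", sig_path, data_path],
        capture_output=True, text=True, check=False)
    return proc.stdout


if __name__ == "__main__":
    print("stub:", sanity_check(STUB_DOWNLOAD, digests(STUB_DOWNLOAD)["sha256"]))
    print("real:", sanity_check(REAL_DOWNLOAD, digests(REAL_DOWNLOAD)["sha256"]))
    print("pinned signer accepted:",
          signature_acceptable(SAMPLE_GOOD_STATUS, PINNED_PRIMARY_FPRS))
    print("unpinned signer accepted:",
          signature_acceptable(SAMPLE_UNPINNED_STATUS, PINNED_PRIMARY_FPRS))
```

On a real download the flow is `gpg_verify_status(".../torbrowser-install-3.6.3_en-US.exe.asc", ".../torbrowser-install-3.6.3_en-US.exe")` fed into `signature_acceptable` with the fingerprint published by the project, and `sanity_check` run on the file bytes beforehand; the 323-byte file from the old path fails the size and magic checks before any hash is even compared.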
