This whole post is a mess. Someone distributes an exploit via a popular hosting provider for onion sites (and it's curious why anyone with a serious interest in privacy would outsource onion site hosting anyway) and suddenly Tor is damaged? There's a link to a paper that claims people can do things you're not supposed to be able to do with onion sites, but I don't see how that's relevant -- this post is conflating at least a few things.
So here's what I can grok from it:
* "Freedom Hosting" founder has been arrested; presumably, many people were using "Freedom Hosting" to host onion sites (is this where "half of all Tor sites compromised" comes from?). No charges listed, article slightly hints at child pornography charges.
* Someone, presumably the FBI, has set up an exploit to be distributed through Freedom Hosting sites that will phone home and reveal your non-Tor IP address (solution: seven proxies). "Freedom Hosting" founder was probably coerced into allowing distribution of this exploit.
* Author claims that said exploit only affects Firefox >= 17 on Windows.
* There's a link to a paper about possible problems with hidden services, which is apparently not relevant to any of this other than the fact that there was just a shakedown on a big onion site provider.
I'm flagging this article because it is utterly incoherent and the headline is sensationalist. There is no evidence of a fundamental flaw in Tor being related to any of the events mentioned. Hopefully someone will write a comprehensible piece soon and put it out there.
The exploit is targeted at the version of Firefox in the Tor Browser Bundle on Windows, which means most Tor users are vulnerable. While you can use a different browser the Tor developers have generally recommended that people don't; it's hard to lock down browsers against information leaks, and the fact that someone's using an unusual browser helps an attacker track them.
It's specifically targeting Firefox 17 for Windows. Versions less than 17 seem to be targeted as well, but the resource (content_1.html) doesn't seem to have ever been available. It does not target anything above 17.
The headline implies that the "compromise" is an inherent failure in the protocol (or else how could "half" of all sites be infected?) instead of the reality that the hosting provider intentionally placed an exploit in all of their pages.
A better title might be something like: "major .onion hosting service infiltrated by feds, all sites converted to honeypots; founder arrested". This does not imply any fundamental flaws in Tor itself or the technology in use, it does not falsely attribute a specific portion of .onion sites as infected, it does not communicate uncertainty about which sites are damaged (only sites hosted by Freedom Hosting were affected AFAWK), and it correctly reflects the events.
> The headline implies that the "compromise" is an inherent failure in the protocol
Personally, I didn't read it that way at all. My first assumption was a hack, because it's more likely that a website was hacked than that the Tor protocol was so severely compromised.
> or else how could "half" of all sites be infected?
To me it sounded like a possible major law enforcement operation against 'rogue' sites. If someone was able to compromise Tor so completely, the idea that they would turn around and just hack half of the hidden sites doesn't make sense. Such an exploit would be worth major cash on the exploit market (mostly due to governments bidding against each other to get it).
'infiltrated by feds' is a presumption based on speculation at this point. Assumptions don't 'correctly reflect events'. If you want to fix something, fix it entirely.
It correctly reflects events as detailed by the post. The post clearly assumes that "the FBI" originated the exploit code and has been using it to harvest visitor IP addresses. I believe "infiltrated" is a fine summarization for that.
I suppose it's possible that the founder had a change of heart two days prior to his arrest and started collecting everyone's IP and sending it to the FBI based on nothing but a sense of personal moral obligation, but it doesn't seem too likely, and it's irrelevant either way because again, the proposed title is an accurate description of the posted article, even if the posted article is an inaccurate depiction of Real Life(tm).
It's just misleading. It's like if there was an exploit for iPhones and the headline was "Half of Verizon network hacked". It's not some arbitrary half of the Tor network, it's 100% of Freedom Hosting's clients.
They make note that the vulnerability used is only in Firefox 17--the current ESR (extended support release).
What they do not mention is that the Tor Browser Bundle[1]--created so users can simply download one executable and feel protected by Tor--is based on this very release.
Among all internet users, Firefox 17 is probably rare, but among Tor users? My bet is that it owns a significantly higher chunk of the market.
The quote in the article claims that the exploit affects 17 and higher, only on NT-based platforms.
Furthermore, Tor Browser Bundle disallows JavaScript by default, and one should be cautious while allowing execution of arbitrary client-side code whilst intent on keeping their direct IP address secret. You have to take at least a couple of steps to be affected by this bug.
EDIT: The author has updated the OP and now claims that he believes Firefox 17 is the only affected version. His language is ambiguous such that it is unclear whether the exploit only affects Windows or if the code distributed by FH is simply not attempting to exploit any non-Windows environments (perhaps they were trying to get specific players).
TBB does not disallow JavaScript by default. In fact they recommend you do not disable JavaScript because it makes your browser fingerprint more traceable.
Checking on this now. I find it dubious, but possible. I haven't used the Tor Browser Bundle for quite a while, but last I recall they definitely had a mechanism to keep JavaScript from executing. It seems ridiculous that they wouldn't, given their long history of advocacy for NoScript et al. Will edit when done installing/checking.
EDIT: So it seems that NoScript is installed as part of the package, but that scripts are enabled globally by default. I just experienced this with a fresh install. Here's the answer confirming it: https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEna... .
Personally I think that's a horrible compromise, and it's obviously something that's changed since last time I used it. This should be undone ASAP. Some education is required to use Tor properly even without considering things like JavaScript, so teaching someone to enable JS only when prudent should be fine to include as part of that educational package. It seems like there is some nefarious force at work here trying to trick people who really shouldn't be using Tor into using Tor. I know, for instance, that I had to stop several of my friends from using Tor after they heard about it from the news or whatever after the PRISM leaks. Do NOT use Tor if you don't fully understand the implications, like that all data you send through it is going to be decrypted to plaintext at a random exit node that could be run by literally anyone with a modern computer and internet connection.
Fortunately, NoScript continues to warn pretty blatantly with a big red exclamation point that scripts should not be allowed globally, and an educated Tor user will automatically forbid all scripts despite the awful default, so this is probably only a problem for people who are just dinking around anyway.
[EDIT: edited typo, clarified what TAILS was] I had mentioned (split between a couple other posts) that even with JS enabled, NoScript will prevent many XSS/CSRF and clickjacking attempts, which has been explained to me as the reason for its inclusion, and that disabling JavaScript actually makes you more fingerprintable because it's rare for browsers to do this.
I am guessing that the payload (which the article mentions s/he does not have) included a Windows (or Windows Firefox)-specific exploit which bypassed the Tor tunnel so that they could then match the cookie in and out of Tor to identify the traffic origin. Otherwise, just having the cookie through Tor would be pretty worthless.
Other people that could be dinged by this would be anybody using that specific version of Firefox, without Torbutton. Torbutton wipes cookies when you switch between Tor and not-Tor, but Torbutton as a separate tool has been discontinued and TBB promoted, because to be safe you really need to have a separate browser profile.
On Linux (not targeted by this exploit, but maybe someday) you could avoid this using an AppArmor/SELinux profile that prevented TBB Firefox from even making a network connection that's not to the Tor tunnel, or possibly even prevent Firefox from knowing its own IP. Dunno if something like this is even possible on Windows. For traveling, I have currently been experimenting with a VM with TBB and an AppArmor profile, and an iptables rule to prevent ANY outside traffic, except Tor. It works but it's a pain in the ass and nobody could be expected to install all that shit. That's what they made TAILS (a bootable disc image with only Tor, saves nothing to your machine, contains no known exploitable extraneous apps) for, people could check that out. Even running TAILS in a VM would have prevented this, though they recommend for maximum security you burn it and boot it.
No sympathy for child pornographers, but obv. this could be used against anybody seeking anonymity.
> prevented TBB Firefox from even making a network connection that's not to the Tor tunnel, or possibly even prevent Firefox from knowing its own IP. Dunno if something like this is even possible on Windows.
I don't currently use Tor, but I've thought about it and this is how I would do it. This can be done on Windows using a virtual machine that disallows internet connections. Have the VM only able to network with the host OS, which is running the Tor app. That way the VM doesn't have an internet IP to leak, and if Firefox itself is compromised there isn't anything on the VM that could give you away.
They do include NoScript, but with JS globally enabled. NoScript will cleanse XSS/CSRF requests and prevent some sorts of clickjacking (according to NoScript).
To be honest, I tried to use TOR without the bundle and couldn't figure out how to make it work. The software appears to only be available as the bundle on a cursory look.
I use Tor, but I don't use the Tor Browser Bundle... It's simple enough to configure my browser to use Tor without relying on yet another executable to do it for me.
The concept is that it's actually not as simple as it may seem. You're using the same cookie jar -- what if you inadvertently send back a cookie with the session ID of your public profile? You'll have flagged yourself as a Tor user and this can be tied back to your public IP. You're using the exact same browser fingerprint, which is more unique than you imagine -- it's not just a matter of useragent, but the combination of all information that can be obtained by a site about your browser. The EFF runs a demo site that shows this can be practically unique in many instances. You've probably enabled scripts on certain sites that may not need to execute JavaScript when you're viewing them through Tor. You probably have less restrictive rules around the injection of plugins that may expose your interface IP address, like Flash. You may do something shady and forget to cleanse it from your history (and/or enter private browsing mode). You may have an extension running that shares more information than you'd like, with either the site or the extension provider.
For all these reasons, TBB exists, and is the safest way (short of a live environment) to ensure you have a sanitized environment. At the very least, you should use a separate browser profile before you switch to an activity that mandates the usage of Tor, unless you're using it only for very rudimentary circumventions.
It's not just that they're stealing everyone's privacy. They're acting like "it's foreigners, so we don't have to care" - even the latest attempts to rein in the NSA make no effort to cut back its international misbehavior.
Basically, I think most civilized people have been operating on the premise that democratic western states are behaving in a vaguely civilized way towards people in other such states. But it's clear that America at least is behaving like the purest sociopath, where "friends" just means "easier to manipulate". They are breaking the unspoken international social contract, and it is going to have worse repercussions than they yet understand.
The word 'sociopath' describes these actions very well.
Considering that the United States is in a state of enduring war, and considering that all of the effort to monitor the internet comes from a desire to strengthen national security (which is a vital concern), it makes sense for the United States to behave this way.
After all, what is war other than purely sociopathic behavior? The monitoring of the internet is just an extension of these behaviors which manifest themselves during wartime.
The nature of the war on terror has legitimized this type of behavior. Specifically, the nature of terrorism seems to motivate the United States government to go to great lengths in order to cause damage to an enemy that is largely immune to defeat, for cultural and religious reasons. Drones are a great example of how far they will go.
The use of nuclear bombs signaled the end of World War Two. Maybe the Obama administration is hopeful that surveillance of all communication is the final step towards a resolution of this war. That's not legitimate in my eyes, but oh well (I certainly don't know the solution). On top of everything else that has happened, zero expectation of privacy seems to be the equivalent of the nuclear option at this point.
For us foreigners, knowing that America has strong democratic roots, it is obvious (and worrying) that the majority of American citizens actually agree with that.
And yet, the vast majority of US citizens still agrees. I mean, they have the right to bear arms so that when they strongly disagree with their government, they can form an army and overthrow it (or something, whatever that amendment is for). If not that, at the very least they can strongly protest against the decisions and policy made, vote for a third party and break the two-party system, or vote / demand the voting and government system to be upturned to stop having to choose the lesser of two evils in the form of a single man who will get most of the blame and responsibility for poor governmental decisions.
That's because it is exactly the situation. Nobody is "held ransom" by anybody. But voters that think like you - low-information voters that can vote for anybody provided that he is "our guy" because "their guy" is The Devil himself - are exactly the reason why it happens again and again. And will happen until the majority abandons such mentality - which I personally wouldn't expect happening any time soon.
Voters that think like me live in a multipolar democracy that currently has a minority government in power. It's a tacit weakness of the US system that there can only be two viable parties. "If everyone changed and voted for a third person" is not a retort, because it still requires everyone jumping on the same bandwagon to effect a win; it'll just be a different brand of wagon.
It's a two-party system, but the two parties don't have to be the same ones that are there now.
I don't understand the "viable alternative" argument. You are saying "I won't vote for who I really want to vote for, because they'll never win, because everyone else won't vote for them" <--- Is that what you mean? That seems self-defeating.
If you had rapid iteration - elections every month - then a tertiary party would have something of a chance. As it stands, the iterations are so slow, that with FPTP voting, the two main parties will just move slightly to diminish the threat - the incumbent edifice carries on.
With preferential voting (or similar), you actually have the realistic probability of more than one party being in power. Here in Australia, the current government is formed from one major party, one minor party, and a couple of independents. It's not just 'mathematically possible', but a plausible outcome. That can't really happen with FPTP voting. Well, it can happen, but it's an oddity - see the current situation in the UK with the Lib Dems.
"I won't vote for who I really want to vote for, because they'll never win, because everyone else won't vote for them"
The problem here is that by voting for someone whom you slightly prefer, you split the vote in a FPTP system, making them both lose out to the third person you didn't want in. If 60% of the population want a left-wing candidate, and they're split evenly-ish, they'll still lose out to the single right-wing candidate who only has 40%. It sounds self-defeating on paper, but in real terms it's more like self-preservation.
Two viable parties are plenty enough if they are real parties and not a collection of people that use different-colored jerseys to play the same game. Unfortunately, right now the majority of voters will vote for "their guy" almost no matter what, which gives "their guy" very broad license on any bad behavior. If the voters would say "either you put a leash on the NSA or we're not voting for you, period" - then things may have been going in a different direction. But voters don't do that - if you see, for example, how many voters of party A supported government surveillance when party A is in power and when party B is in power, the difference is depressingly significant. Because if "our guys" do it, it must be good, but if "their guys" do it, it must be bad. That's how we get into such a mess.
Two parties aren't enough by any stretch, given how varied and multi-headed politics are. There are so many different facets and foci, that there's no way you can do a representative bipolar split across them all.
The other problem with systems that settle to two-party systems is that swing voters hold a disproportionate amount of power... which is ironic, given that the swing voters are usually not as politically interested as bloc supporters.
People do not vote for parties - at least technically - they vote for people.
>>> that swing voters hold a disproportionate amount of power
How is it a bad thing? You say people that actually look at the issues at hand and not just mindlessly pull the lever for "our guy" whoever he is hold "disproportionate amount of power". I say they should hold 100% of the power - or 100% of the voters should be like this. The fact that they aren't is exactly the problem!
>>> given that the swing voters are usually not as politically interested as bloc supporters.
"Politically interested" can mean different things. If bloc voters' only interest is getting "their guy" in power, and keeping him there whatever happens, I don't have any sympathy for that kind of political interest. And if you want to see how well it works for those bloc voters, see how well it worked for voters in Detroit or Chicago, who are constantly voting in crooks and mob men.
The problem is Obama needs swing voters, and swing voters tend to vote kneejerk on national security. If he follows his personal values, he'll alienate them. It's a mess.
Well, as a republic, the government is usually about 2 years out of sync with the public: we won't actually get a chance to yell at them until next election.
Taking over? You should probably realize by now that what you see in the media about classified government ops is just the tip of the iceberg.
Considering the inherently insecure nature of computer systems, and the heavy reliance of security mechanisms on trusted authorities, you need to realize that, in fact, you lost any privacy online a long time ago.
AFAIK, the European parliament is so far reasonable regarding the Internet and privacy.
However, the Commission (the executive branch, and especially the Trade Commissioner, Karel De Gucht) has been pushing hard for ACTA, going as far as lying, several times, to the Parliament. When the Parliament rejected ACTA, De Gucht said he would look for other means to bypass the decision.
I didn't know that. It plugs a hole in the targeted surveillance programs, at the expense of all prepaid users.
The target demographics for prepaid is mostly kids and teens, poor people, and people concerned about their privacy, split between sensitized geeks, unfaithful lovers and criminals.
For the first two demographics cheap monthly plans are now emerging (in France, Free offers two hours of talk and infinite SMS for 2€ per month and unlimited talk, SMS and 3GB of data for 20€ per month).
It sucks for the last three.
On a slightly related topic, in demonstrations, people caught without a cell phone during an ID check often end up arrested for "administrative reasons".
> On a slightly related topic, in demonstrations, people caught without a cell phone during an ID check often end up arrested for "administrative reasons".
So the likely reason for this is so that they can get an accounting of who was there, right? Where are you referring to?
Funny, I just realized that I never think of the UK when reading about Europe. In a surveillance context it certainly feels closer to the US. And then I watched this far too often a couple of years ago ... in a desperate wish to find some humanizing qualities ... https://www.youtube.com/watch?v=SdlT7v476qY
You're from Latvia? I suspect it seems worse to you at the moment because of the extradition case. And in many ways the UK is as bad (or worse; at least the Americans are in trouble for spying on Americans) (and they're vaguely European).
We should be clear that this isn't a vulnerability in the Tor software or network, but an (apparent) vulnerability in this unrelated "Freedom Hosting" company's site:
"In this paper we expose flaws both in the design and implementation of Tor’s hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take down hidden services and deanonymize hidden services
Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization"
The author never explained how the contents of that paper were related to the js attack on freedomhost users. It just seemed like an aside about the security of the Tor network in general. Since they (allegedly) found the guy running freedomhosting, maybe they were using those cookies to do a traffic correlation attack to find the host?
And possibly in Firefox (!), with some sort of JavaScript exploit. This is the most worrying part for me--does anyone have any info on what the payload does?
Doesn't have to do much. Once you execute pretty much any (non-sandboxed) code on a machine, you can bypass something like TOR easily. From this point, any network packet sent by the payload to the feds effectively de-anonymizes the user completely.
Also, by including a tracking cookie in the JS, they can cross reference all user activity on the compromised websites with the newly discovered IP address.
I still don't understand this concept. Any iframe or JS executed is still going through Tor. They'd need to load up Chrome or start another Firefox process.
The point is the iframe/JS is used to break out of the browser sandbox, due to a bug in the browser, with techniques like heap spraying (mentioned in the article).
Once you manage to get arbitrary code running in the context of the browser, you can do anything the browser can, including (presumably) making raw non-TOR connections to anywhere, identifying the TOR user and correlating that with what they were doing over TOR.
Among other things like installing arbitrary malware kits that completely compromise the machine.
> Once you execute pretty much any (non-sandboxed) code on a machine, you can bypass something like TOR easily. From this point, any network packet sent by the payload to the feds effectively de-anonymizes the user completely.
One partial solution would be to run the Tor client on a physically separate machine which acts as a transparent proxy for your browsing/internet box, and blocks any direct contact with the public internet via iptables trickery. I dunno what the processing overhead of running the Tor client is, but in theory you might be able to do so on a router running OpenWrt or similar.
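Two posts above describe the same mitigation from different angles: an iptables rule set on the Tor box (or VM) that stops any process except Tor itself from reaching the network directly, so that a payload which breaks out of the browser and tries a raw, non-Tor connection simply cannot phone home. The script below is an added example and is not from the thread or from the Tor project; it assumes Tor runs as the local user given as the first argument (the default `debian-tor` is an assumption) and that torrc carries the matching transparent-proxy options (`TransPort 9040`, `DNSPort 5353`, `VirtualAddrNetworkIPv4 10.192.0.0/10`, `AutomapHostsOnResolve 1`). The function only prints the iptables commands so they can be reviewed before being applied as root.

```shell
#!/bin/sh
# Added example (not from the thread): emit a fail-closed iptables OUTPUT policy
# where only the Tor daemon's own user may talk to the Internet. Every other
# process, the browser included, is transparently redirected into Tor, and any
# connection that escapes the redirect is logged (with the offending UID) and
# dropped by the default policy.
#
# Assumptions: tor runs as user "$1" (default "debian-tor", an assumption) and
# torrc contains:
#   TransPort 9040
#   DNSPort 5353
#   VirtualAddrNetworkIPv4 10.192.0.0/10
#   AutomapHostsOnResolve 1
#
# Review the output, then apply it as root:
#   tor_only_rules debian-tor | sudo sh

tor_only_rules() {
    tor_user="${1:-debian-tor}"
    trans_port="${2:-9040}"
    dns_port="${3:-5353}"

    cat <<EOF
# --- nat table: send everything that is not Tor itself into Tor ---
iptables -t nat -F OUTPUT
# Tor's own sockets must not be redirected back into Tor
iptables -t nat -A OUTPUT -m owner --uid-owner $tor_user -j RETURN
# Loopback (e.g. the browser reaching Tor's SOCKS port) is left alone
iptables -t nat -A OUTPUT -o lo -j RETURN
# DNS from any other process is answered by Tor's DNSPort, so no DNS leaks
iptables -t nat -A OUTPUT -p udp --dport 53 -j REDIRECT --to-ports $dns_port
# Every other new TCP connection is transparently proxied through TransPort
# (.onion names mapped by AutomapHostsOnResolve end up here as well)
iptables -t nat -A OUTPUT -p tcp --syn -j REDIRECT --to-ports $trans_port

# --- filter table: fail closed for anything that escaped the redirect ---
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A OUTPUT -o lo -j ACCEPT
# Only Tor may open connections to the outside world
iptables -A OUTPUT -m owner --uid-owner $tor_user -j ACCEPT
# Anything else is a leak attempt: log it with the UID, then the DROP policy applies
iptables -A OUTPUT -j LOG --log-prefix "non-tor-leak: " --log-uid
EOF
}

# Self-check helper: number of iptables commands the policy would run
rule_count() {
    tor_only_rules "$@" | grep -c '^iptables'
}
```

The ordering in the nat table matters: the owner-match RETURN for Tor's user must come before the catch-all `--syn` redirect, otherwise Tor's own circuit traffic would be looped back into TransPort. The LOG rule is the detection half of the design: a `non-tor-leak:` line in the kernel log, with a UID that is not Tor's, is exactly the signal that something on the box tried to bypass the tunnel.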
I actually use a setup that involves a bunch of VMs for pretty good separation. It's a bit of a complicated setup, so I won't elaborate here. The main thing about it, is that even if an attacker runs with root privs on the "anonymous" VM, they'll need a 0-day in the Virtualization engine itself to de-anonymize the machine.
I make sure that the VMs are as isolated from the host machine as they can be, so the attack surface is indeed minimized to the VM engine itself.
Some "VM busting" attacks did occur in the past, but I believe very few (if any) attacked the VM engine itself. Most used the wider attack surface provided by stuff like the "VMWare tools" API (which for "isolated" VMs should be disabled).
Edit: come to think of it, I should probably write up my method and post it to HN at some point...
Am I the only one who is f*cking tired of the FBI and other violence-based organizations using pedophilia as their excuse to raid and bust people?
Think of the children! Yes .. a good front to make it so that they can just bust anything using SWAT forces.
Is pedophilia such a big problem? Really? I would like to see one study about pedophilia and the problems it creates, instead of the problems that the NSA and FBI are facing when people start encrypting their traffic and we actually have some freedom of speech in some areas.
Yes, paedophilia really is such a big problem; you want to see a study to understand that? Are you serious? Further to police efforts, I would support any independent effort to get these people and hand them over to the police when it comes to this matter.
Paedos will be paedos no matter whether privacy exists or does not exist, and it is not an issue related to privacy and freedom, do not link it as such; freedom ceases to be freedom when it violates another individual's freedom(=abuse or product of abuse) so the abuser has to be stopped from further violating it. As the previous poster said, you could argue around consent and/or having an inclination, but as to the actual abuse taking place there can be no question about it.
In a truly anonymous internet that respects privacy, it would be up to individuals to find, isolate and condemn these people, much like Anonymous did in 2011.
Abuse of freedom and privacy can only lead to and justify not having any freedom and privacy, it fuels the whole pro Big Brother argument; if there was a way to demonstrate that Internet self regulation/regulation by the people works, then this would be a major blow to all kinds of 'higher authority' monitoring and fear mongering.
...perhaps you could argue that there's nothing wrong with pedophilia per se, but there is definitely something wrong with child abuse, and I shouldn't need to link you to a study to convince you of that.
By shutting down child pornography rings, police are preventing further abuse. How else would you propose they go about it?
> By shutting down child pornography rings, police are preventing further abuse.
Maybe, maybe not. Probably in some or even many cases, but certainly not all.
But, it also provides an unquestionable excuse to not care about "accidental" overreach or collateral damage. Someone's hosting something they don't like on a shared server? Guess what happens when they "discover" kiddie porn hosted by someone else on that same server?
I think this type of thread is what tptacek meant by "these threads [that question whether CP is a big deal] are always repellant." I must say, this one certainly is.
I encourage everyone to chill out, leave your emotions at the door, and give the topic a thorough and dispassionate treatment.
"I'm fucking tired of X" is an unreasonable way to conduct ourselves. It's a sure way not to change anyone's opinion.
> The JavaScript zero-day exploit that creates a unique cookie and sends a request to a random server that basically fingerprints your browser in some way, which is probably then correlated somewhere else since the cookie doesn't get deleted. Presumably it reports the victim's IP back to the FBI.
"in some way", "probably", "presumably" = I have no idea what's going on.
It's more that we know very well that up to the transmission point, it creates a unique identifier. If we're following the most likely guess (that this is targeting distribution of Child Pornography), then it seems like a reasonable goal to simply identify and fingerprint Tor users.
That being said, there is always a point that this could be used for something else entirely, though. Compromising Tor mail is a lot less of a targeted attack.
It's not really 0-day: since it only affects Firefox 17, it was apparently fixed long ago. But see this comment regarding why it may be of interest to lots of TOR users:
Firefox 17 is their most recent ESR release for enterprises that want a more stable platform, and at least in theory it's still receiving security updates.
The idea of having JS enabled is directly at odds with a secure system, too. All TOR sites should have non-JS friendly interaction. There's really negligible benefit compared to exploits like the one in TFA.
I remember a bit over ten years ago, "javascript is annoying" was a mainstream position among hacker types. That seems to be long gone by now.
I guess hardware catching up with resource requirements took away one of the biggest reasons against it. And most people really embraced the web as more than a document platform. I think part of me still misses the old way of thinking about it.
I don't have any base issue with JavaScript; I think it's a wonderful way to build web applications. However, TOR and the dark net have entirely different considerations, and the cost of letting unvetted code run without asking you from a site you know nothing about is far, far greater. I wouldn't be surprised if just being on TOR would be convincing evidence for an unknowledgeable jury, even if the site was about something legal but connotative (activism targeting the federal government, for example).
I see the first two sentences of your reply as inextricably linked and contradictory. You don't think it's the culture of it being acceptable to make sites that won't work without JS that is ultimately forcing the Tor folks to enable it? For instance, reading up on this subject I found this:
> Why is NoScript configured to allow JavaScript by default in the Tor Browser Bundle? Isn't that unsafe?
> We configure NoScript to allow JavaScript by default in the Tor Browser Bundle because many websites will not work with JavaScript disabled. Most users would give up on Tor entirely if a website they want to use requires JavaScript, ...
I see the purposes of the internet serving content-rich web apps and the purposes of TOR as different. They may have compatible protocols, but if GMail ran on TOR nobody would even use it. Why bother? It's slow and it's gonna leak information like a watering hose.
The browser provides much more control over what's happening than executing the code directly on the OS. You can block JavaScript, you can easily analyze the executed source code before you allow its execution, you can manipulate the page as you see fit, you can use extensions to alter your experience in many other ways, and you get the browser's default security sandboxing stuff that prevents it from accessing external domains, your filesystem, or otherwise interrupting non-browsing related tasks.
It'd be crazy to download a full local client for something as shady as SilkRoad or many other hidden services. The browser is the safest place for that kind of thing.
Apparently people have just readily forgotten about the time where computing everywhere was done using terminals. Just pure input/output with some special characters for fancy things.
I'm afraid to comment out of fear of being picked on?
I didn't read the article very well (depressed about things, and what the Internet is morphing into), but didn't the U.S. federal government put money into TOR?
Since I've never been an .onion site user, I've not noticed any issues with my Tor connections to the "regular" net.
It's my understanding that one can host a .onion "hidden" site without having to go through any such provider as Freedom Hosting, so I don't see how my privacy is being affected by this situation.
As of now there is some guy stating that some hoster has been pwnd and uploaded some JS that exploited something that might be FF17 that might have been shipped with the tor browser bundle.
Why exactly does he think FBI/NSA is involved?
If he has the exploit code why didn't he upload it?
Lots of conclusions based on assumptions. As of now I'd think it's more likely someone just pwnd the largest TOR hidden host provider, uploaded a sploit that will affect most of the users (tor browser bundle) and called it a day.
Sure there MIGHT be some GOV/whatever involvement. But wouldn't it be time to wait with such accusations until we got some actual proof? Not even uploading the alleged exploit really helps his position.
I would think that since about 60% of the TOR project's funding comes from the .gov[0], they have an incentive to keep it online. I could imagine they have some nodes for which they wouldn't want to reveal the physical location. I don't know, warhead controllers or something. Of course that only works if there are enough nodes involved so you can hide yourself. That's why I think this might not have been a .gov action.
Indeed. Many people seem to misunderstand the purpose of the tor network. It is designed to conceal the sourcing node of a packet. That's it. Nothing more, nothing less. The only guarantee you get --and the only one you really need to remain anonymous-- is that your IP isn't stamped on the packets coming out of the exit node. You're not supposed to trust the exit node --or anything else you connect to through it-- for anything else. That's why you don't send login credentials in the clear over the exit node. It's why you don't send plaintext email over tor, or sign into services that are ever touched by a non-tor connection, or engage in plaintext conversation on IRC and have any expectation of privacy. Tor guarantees a different IP on the network packet, and that is it. And so far, it seems that the Tor project has made good on this guarantee. I've yet to hear about a deanonymization incident that can't be traced back to mistakes such as the ones above.
The government is allowed to create fake identities and corporations, use private facilities and infrastructure, etc. in order to run sting operations against sophisticated criminals. That's exactly the sort of "real police work" they should be doing, rather than surveillance.
Where is there ever a "degree" of visibility as to whether something is a government honeypot?
Anyone who was using Windows for TOR browsing was already asking for trouble. Anyone browsing outside a "sealed" VM setup such as Whonix was also asking for trouble.
If you just run tor inside the VM, the above is true. If all the traffic out of the VM is routed through tor, then the IP address they will get is a tor (not clearnet) IP address. In order to get a clearnet IP address off a VM, you'll need to exploit the VM itself, a task clearly much harder than misusing javascript in a browser.
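As an added example (not from the thread), here is what "all traffic out of the VM is routed through tor" looks like as a fail-closed egress policy on a workstation VM whose only neighbour is a Tor gateway VM, in the spirit of the Whonix split mentioned above. The gateway address and Tor ports are assumed values; the script only prints the rules for review unless you explicitly apply them.

```shell
#!/bin/sh
# Added example, not part of the original discussion.
# Assumed (constructed) values: the gateway VM's address on the internal
# network and the ports Tor listens on there.
GATEWAY="10.152.152.10"   # assumed Tor gateway VM
SOCKS_PORT="9050"          # assumed Tor SocksPort on the gateway
TRANS_PORT="9040"          # assumed Tor TransPort on the gateway
DNS_PORT="53"              # assumed Tor DNSPort on the gateway

# Emit the rule set instead of applying it, so it can be reviewed and tested.
# Policy: default DROP on OUTPUT; the only permitted destinations are the
# gateway's Tor ports (plus loopback). A process that tries to open a direct
# clearnet socket, as a browser exploit in the VM would, gets a refusal and
# never sees a non-Tor route.
workstation_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -d $GATEWAY -p tcp --dport $SOCKS_PORT -j ACCEPT
iptables -A OUTPUT -d $GATEWAY -p tcp --dport $TRANS_PORT -j ACCEPT
iptables -A OUTPUT -d $GATEWAY -p udp --dport $DNS_PORT -j ACCEPT
iptables -A OUTPUT -j REJECT --reject-with icmp-port-unreachable
EOF
}

# Apply the reviewed rules (requires root on the workstation VM).
apply_workstation_rules() {
    workstation_rules | sh
}

# Textual self-check: count ACCEPT rules that leave the box and do not name
# the gateway. A fail-closed policy yields 0. This checks the generated text
# only; verify the live policy with real traffic as well.
check_rules_fail_closed() {
    workstation_rules \
        | grep -- '-j ACCEPT' \
        | grep -v -- '-o lo' \
        | grep -v -- "-d $GATEWAY" \
        | wc -l | tr -d ' '
}
```

Run `workstation_rules` to inspect the policy and `check_rules_fail_closed` (expected `0`) before calling `apply_workstation_rules` inside the VM.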
I think there is a large insight to be had by all this.
State can and will use computer exploits in military and law enforcement. Like with PRISM, it's no longer just the tinfoil - it's confirmed. The business model for a few companies is to hoard zero-day exploits and sell them on the market. The military, police, "business intelligence" a.k.a. industry spying, and criminals are their customers. In contrast to disease research, software virus research is not regulated or illegal, so both good and bad is the result. It is good when independent research finds vulnerabilities in software we use, and less so when it's hoarded and sold to be used against us.
This has given us a pretty rare chance to look at a 0-day exploit being used in the wild by the US government. Has anyone traced the code enough to know how it works?
I have a question for Tor users.
Would such an exploit to the system encourage you to transition to similar darknet services such as I2P, or will you be sticking with Tor with greater caution?
I wouldn't think too much of it. It could be a bit of wishful thinking, or an attempt to manipulate the price of Bitcoins by spreading rumors. Both are fairly popular among Bitcoin speculators.
I must yet again point to a company like Endgame Systems[1] as being a likely contractor for this service rendered for the FBI.
Some of Endgame's products used by the likes of the NSA:
"There are even target packs for democratic countries in Europe and other U.S. allies. Maui (product names tend toward alluring warm-weather locales) is a package of 25 zero-day exploits that runs clients $2.5 million a year. The Cayman botnet-analytics package gets you access to a database of Internet addresses, organization names, and worm types for hundreds of millions of infected computers, and costs $1.5 million."
Exploiting an unknowable amount of users of a service as to hunt them. Using illegally harvested data from botnets, while others get hunted and prosecuted for coding them.
This tiered society where the legally immune can profit off acts that get others jailed. The market manipulation that comes with bribing companies for data access, the government giving less regulatory oversight to companies it has secret 'deals' with.
For the sake of society, the economy, and basic morality, it must end.
> Exploiting an unknowable amount of users of a service as to hunt them. Using illegally harvested data from botnets, while others get hunted and prosecuted for coding them.
> This tiered society where the legally immune can profit off acts that get others jailed.
Not that I disagree with this sentiment, but how is this different from the fact the government is "legally immune" from using/possessing weapons and firearms that the average person can't possess or use?
It's more like the government hiring non-government forces that can then legally possess arms that other "non-affiliated" people (i.e. civilians) can't, and being given legal immunity for killing random people, some of which might turn out to be criminals. I.e. Batman, with a bit less moral compass.
Software that creates randomly TBs of fake email, voice (skype) and other communication daily to disrupt NSA. Possible? Helpful?
I.e. billions of emails created daily originating from millions of email accounts created daily that contain random words including the ones the NSA is looking for.
I mean, they went on the path of the least resistance with this whole PRISM thing. Kind of blatantly stupid approach of "just listen to everything". That can possibly be derailed by simply creating tons and tons of "everything" daily to feed their stupid programs.
Even if I don't see why you are saying it on this specific thread, it actually came to my mind a few days ago. I think it is a good, simple idea. No technical difficulties, just spamming and making the whole thing unanalyzable.
This has been discussed before, in the context of network security. You can read about efficacy/bandwidth constraints, but basically to provide any strong security you need to spend an overwhelming amount of bandwidth on noise. You must always operate at peak bandwidth to everyone. It becomes prohibitively slow and expensive.