Tor security advisory: Old Tor Browser Bundles vulnerable

by arma | August 5, 2013

An attack that exploits a Firefox vulnerability in JavaScript has been observed in the wild. Specifically, Windows users using the Tor Browser Bundle (which includes Firefox plus privacy patches) appear to have been targeted.

This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:

Tor Browser Bundle users should ensure they're running a recent enough bundle version, and consider taking further security precautions.

Read the full advisory here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…

Comments

Please note that the comment area below has been archived.

If you ran NSA, GCHQ, Mossad, where is the first place you'd put a covert agent? MSFT, right? Ever wonder why they keep finding all those vulnerabilities that require update after update? Many of their employees work for intelligence agencies from all over the world. The Russians put something in, we take it out and put something else in, the U.K. agent finds it and takes it out and puts something else in. With apologies to Disney, "the circle of surveillance continues." It always will with software that does not have source code openly available.
Gnovalis

"It always will with software that does not have source code openly available."

Gene Spafford, from circa 2000-2002:

http://spaf.cerias.purdue.edu/openvsclosed.html

"the nature of whether code is produced in an open or proprietary manner is largely orthogonal to whether the code (and encompassing system) should be highly trusted."

"From this standpoint, few current offerings, whether open or proprietary, are really trustworthy, and this includes both Windows and Linux, the two systems that consistently have the most security vulnerabilities and release the most security-critical patches."

How many people, who actually possess the requisite expertise, actually examine ALL of the code?

Think they wouldn't spend the few hours kissing up to governments that could shut them down or make their life hard - US just goes after people's privacy

Spoken like an individual who believes in the rule of law. Have they ever had the opportunity to see the inside workings of governmental systems? Well, in governmental/sovereign both of these there exist something called "summary judgement". A summary J is what happens when you p** off a "social worker" & they tell you your average spend down has been cut by $1,100 a month. On the top end we have the Feds who "regulate" (some saw fix) the market. A city may decide to improve their coffers by taking your property. Of course in the latter you may under federal statute fight it but to we who are slaves to systems that never existed a month ago ( & we bloody well better wake the hell up, sorry for the outburst) already know that whatever BAR we reach they will make higher. What are people saying? OK, remember the housing problems 8+ years ago where your home mortgage was sliced & diced? Well that's what's going to happen to your entire lifespan. Just one wrong entry & kiss your savings, car, home, + your retirement & if you need electricity for medical equipment bye-bye. So it's not just the collection of all your bits & parts but finding yourself rearranged like Frankenstein's "Monster" & shoved into a "no-fly list". I'm really not sure if you will get it until you one day find your situation in a preterminal state or worse a slave till you die. Hope being frank is tolerated. Otherwise ta.

August 05, 2013

So basically if someone had JS enabled but had updated their TBB within the last month they wouldn't have been affected by the malicious JS?

Theoretically, at least.

August 05, 2013

In reply to arma

And TBB would have shown a red or yellow warning on the home page in the last month telling us to update?

Yep, although there is one specific build of TBB with FF version 10 that for some reason did not mention that. But part of this JavaScript attack was that it checked to see if you were running version 17.xx (this was a vulnerability associated with this version).

Look around to verify if version 10 was affected by this malicious script.

That is purely wrong and misinformation from people who can't read the code!

The script checks for "document.getBoxObjectFor != null"
Which is a function removed in FF3.6(!!).

It also checks as an OR for "window.mozInnerScreenX != null", which is implemented in every browser using the mozilla engine.

So the script doesn't give a damn what version you have. Every mozilla-based browser is targeted (not only firefox). It works for every single FF version under the updated one.

That's only the injected javascript. The javascript served up by the hacker/government's server parses navigator.userAgent for "Windows NT" (exiting if not found), "Firefox" (exiting if not found) and the version number. In function b() it says if(version <17){window.location.href="content_1.html";} in other words redirecting to a different page on the hacker's server that presumably contains a different exploit for versions < 17 (nobody seems to have a copy of that file so it may do nothing as well). if (version >=17 && version<18 ) it sets a global flag which it checks later to see if to proceed with the exploit (if the flag isn't set i.e. version >=18 it exits).

I'm sorry but I'm very tech illiterate (can't read code). Are you saying that the TBB released after June 26 are also vulnerable to the attack? This seems to go against everything I have read regarding this attack.

If I misinterpreted what you meant, I apologize.

You are half-correct. You are talking about the script that injects the iframe. The actual exploit loaded into the iframe only attacks Firefox 17.

August 05, 2013

In reply to arma

To be redundant here, 17.0.7 looks to be safe from THIS particular attack even with global scripts allowed?

August 05, 2013

In reply to arma

Well, that makes me feel much better. Don't surf CP websites but I did use TorMail and I was worried that I might have been 'pwn'd' by this exploit.

Thankfully, I installed the Alpha2 latest version of the Alpha TBB almost 4 weeks ago so I was covered and I was using a non-exploitable version of the TBB bundle before that.

Please tell me why any self-respecting Linux user would use TBB instead of Tails??
Honestly, same goes for Windows users, why not use tails?

Like many others, I use Tails whenever possible. But, where I cannot boot from USB (such as at work), I have to use TBB, which is better than nothing.
Gnovalis

Simple enough to answer. Connections and bandwidth. Not everybody in the world, and especially in rural areas of one country in particular that prides itself on being a leader in technology, has access to broadband or even reasonably fast internet. Downloading an 800+MB ISO image, even as a torrent, is a painfully long process over dial-up! By the time the current version downloads, the 'Unlimited' (translate to 300 hours/month) dial-up account is exhausted for the month, and chances are you have to download a new version anyway as an update has been released.
Oh, when you have broadband, it's easy to say why would someone use the smaller option when the larger one is better, but look at the other side of the digital divide and the answer becomes quite clear.

The large developer and security analysis community around Tails, compared to the voice-in-the-wilderness aspect of Whonix?

The VM approach is better in theory, but not yet clear to be better in practice. Please help!

August 05, 2013

Thank you very much for all the time and work you put in this.

At least now we can calm some people down a bit.

If only they would pull their heads out of their asses and disable javascript by default. They were warned, they just wouldn't listen, even now.

Spot on mate. It's a minor annoyance for those of us who're happy to dive into NoScript's settings, but potentially life changing for those out there who trust the bundle to have everything covered out of the box. Can't help but think that when there's no good reason to have it so, the reason for having it so must be 'no good'.

I believe Firefox 10 does not trigger the attack, but I also expect it's vulnerable if somebody were to attack it.

Firefox 10 is bad news. Don't run it.

August 05, 2013

In reply to arma

I always forget to update Tor. It would be nice if Tor had an auto update option.
I clicked on some links with Firefox 10 ESR that some people posted; I really hope the vulnerability didn't work with Firefox 10 ESR :-(

How sure are you of that, are you one of the experts who tried it themselves, or could you link a source please? Do you mean to say people actually used the older versions of the browser (or spoofed the version) and tried to get this page the same way content_2 was obtained? There are many people who are worried and very interested in this, from what I'm reading here and on other sites.

I'm not the same anon, but I've been trying for days to get content_1.html off their servers (both the direct IPs and their onion-ized version). In fact, get anything including index.html but the server was either down or the files weren't found. BTW version 17-18 will get content_2 and 3. Only if version < 17 does it do a complete redirect to content_1.html where then something happens -- nobody knows.

August 06, 2013

In reply to arma

Yes, it does trigger the attack.
The function checks for:

"return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));"

document.getBoxObjectFor is a function removed in 3.6.
mozInnerScreenX is implemented in every Mozilla browser.
It does not specifically check for a version. It even executes on FF 22.
If the malware can go through though... I don't think anyone can actually test that practically.

Cautiously assume all Firefox versions since 3.x have the vulnerable code. This particular malware possibly only worked for 17 ESR on Windows though, with JavaScript enabled.
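
The comments above separate two questions that the thread keeps running together: which clients the observed script selected (per the description above: "Windows NT", "Firefox", and a major version of 17) and which Firefox builds actually carry the fix (17.0.7 ESR, per the advisory). The following is an added example written from the support side; it is not code from the advisory, from the Tor Project or from any commenter. It parses a user-agent string the way the comment describes the gate and, separately, compares a Firefox point-release version against 17.0.7. The user-agent strings are constructed samples and the function names are my own.

```javascript
// Added example (not from the advisory or the comments): a triage helper that
// answers two different questions a support person gets asked after an
// incident like this one.
//   1. Was this browser inside the *targeting window* of the observed script?
//      (Windows, Firefox major version 17, per the comment above.)
//   2. Is this Firefox ESR build *patched*? (>= 17.0.7, per the advisory.)
// The user agent carries only the major version, so question 1 can be answered
// from it and question 2 cannot: the point release must come from the bundle
// itself (about:support or the bundle changelog).

const FIXED_IN = "17.0.7"; // advisory: fixed in Firefox 17.0.7 ESR

// Extract the Firefox major version and the Windows marker from a UA string.
// Returns null when the string does not identify Firefox at all.
function parseUserAgent(ua) {
  const m = /Firefox\/(\d+)/.exec(ua);
  if (!m) return null;
  return { windows: /Windows NT/.test(ua), major: parseInt(m[1], 10) };
}

// Mirrors the selection described in the thread: the observed script only
// proceeded on Windows with a Firefox major version >= 17 and < 18.
function inObservedTargetingWindow(ua) {
  const p = parseUserAgent(ua);
  return p !== null && p.windows && p.major >= 17 && p.major < 18;
}

// Dotted-version comparison: negative if a < b, zero if equal, positive if a > b.
// Missing components are treated as zero, so "17.0" equals "17.0.0".
function compareVersions(a, b) {
  const pa = a.split(".").map(Number);
  const pb = b.split(".").map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// The advisory's actual criterion: the bug is fixed from 17.0.7 ESR onward.
function isPatched(firefoxVersion) {
  return compareVersions(firefoxVersion, FIXED_IN) >= 0;
}

// Combine both answers into the verdict a support person would give. Note that
// "outside the targeting window" is never reported as "safe".
function triage(ua, firefoxVersion) {
  if (isPatched(firefoxVersion)) return "patched";
  return inObservedTargetingWindow(ua)
    ? "unpatched, in observed targeting window"
    : "unpatched, outside observed targeting window";
}

// Constructed sample user-agent strings (not captured data).
const WIN_FF_17 = "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0";
const LINUX_FF_10 = "Mozilla/5.0 (X11; Linux x86_64; rv:10.0) Gecko/20100101 Firefox/10.0";
const WIN_FF_22 = "Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0";

if (typeof require !== "undefined" && require.main === module) {
  console.log("17.0.6 on Windows:", triage(WIN_FF_17, "17.0.6"));
  console.log("17.0.7 on Windows:", triage(WIN_FF_17, "17.0.7"));
  console.log("10.0.12 on Linux: ", triage(LINUX_FF_10, "10.0.12"));
  console.log("22.0 on Windows:  ", triage(WIN_FF_22, "22.0"));
}
```

The third case is the one that matters for the Firefox 10 questions in this thread: a Linux Firefox 10 user was outside what the observed script selected, but the helper still reports the build as unpatched, which is the same caution arma gives above.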

Here's a simple rule-of-thumb for any piece of software that is subject to critical vulnerabilities (such as web browsers; email and chat clients, etc., and, of course, operating systems): Always keep it up to date:

Make sure that you:
- are checking for security updates (whether automatically or manually) at LEAST once a day
- are downloading and installing said updates as soon as they become available
- discontinue using anything as soon as security updates are no longer issued for it

August 05, 2013

The Tor project should all but *force* users to install new updates each time they run Tor.

I'm not sure if automatic updates are the best strategy, but before the browser even opens you should check for updates, and if it finds any security updates, the user should have to click through an insane series of warnings before they can use the old version.

Also, updating should be a one-click affair. You shouldn't have to download a new app and install it (which I think is currently necessary on Mac at least).

This is going to keep happening, and given tor's usefulness, some of its users will not be very sophisticated, and won't understand the implications of not updating. You've got a duty to protect them.

Forced updates are very, very bad as they can be exploited. Just think somebody breaking into the update mechanism could then attack all users successfully. One-click is about as bad.

That said, a version check on start _via_ the TOR network, e.g. on the verification page may be a good idea.

Security comes with some effort you need to invest and some level of constant vigilance. Still, many people will still not update unless forced to, even if there are very clear warnings that are hard to overlook. But forcing upgrades will put everyone at risk and is hence unacceptable. There are people that will be careless under any circumstances and nothing can be done about that, it just has to be accepted that there are people that cannot be kept safe.

Forced updates when done properly are very, very hard to exploit... the trick is, like with anything else, in figuring out how to do them properly.

Please keep in mind that if you CAN do something then you can be REQUIRED to do it.
What I mean is this... if they set up automatic updates then the NSA (or the FBI) can REQUIRE them to send their users trojans just as well.
This is nothing new... it happened for instance with Hushmail in the past http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/
Hushmail had to comply with a court order that forced them to send a keylogger to one of their users to catch the password he used to encrypt his email stored in Hushmail... and they could do nothing to resist it.

So... if you CAN do something, then you can be FORCED to do it.

I think the solution is to simply disable javascript and make a warning dialog popup whenever you try to enable it. If you are stupid enough to enable javascript even with a big red warning dialog that warns you that you are fucking yourself up then you just deserve it.

Also the program should warn the user that a new version is available but without links to automatic download any content. So the user has to go to the official website and download the official release.

"if you CAN do something, then you can be FORCED to do it."

"if they set up automatic updates then the NSA (or the FBI) can REQUIRE them to send to their users trojans just as well."

Couldn't a TLA or any savvy-enough adversary ALREADY sneak malicious code into TBB or other Tor packages?

How many people CAREFULLY READ-THROUGH ALL the code?

How many of those who do carefully read-through all the code are expert enough to detect anything rogue in it?

And, finally, how many of those who carefully read through all the code and are expert enough to detect anything rogue in it (and are looking for such) would ALSO report and publicize it should they find anything suspicious?

That is what cryptographic hashes are for. I personally would love a hash checker that would check for several hashes and then tell you if more than one checks out. It is much harder to fool several hashes than to fool only one, by the length of one hash multiplied by the other(s), approximately.

Anyway I wish the load would generate the hash and allow you to check the hashes of other programs and check them with those found in whatever source(s) you wish to point them to.

Who was it that said that difficulty directly reduces security? That is why I really like the keep-it-as-simple-as-running-a-TOASTER concept. Yes I would consider running an update button before I would download a new version for a number of reasons. Firstly, I am a very new convert to Linux! (UBUNTU)

I had the problem of having two (apparently!) instances of TBB.

tor would not load!

So I was forced to go back to my download and start from the start TBB there.

It worked!!!

I have not seen this fix anywhere.

Anyway my point is that it is HARD to be secure!

TBB is great in that it makes a NUBIE like me able to get some security.

Also the more people who use NON_Back_Door_Encryption The more junk the NSA has to break the encryption for.

KEEP UP THE GREAT WORK!!!!!!!!!!!

THANKS!!!!!!!!!!!!!!!

It's not a case of doing it properly.
It wouldn't be the first time an auto updater updates malware without you knowing.
And a company can't assure anyone that this won't happen at any time. If they do, they simply lie to your face.

Especially for the TOR project, which is funded 80% from the US gov!!

Most of the updating process (including verifying signatures) can be easily automated, for example, using PowerShell, especially since TBB isn't really properly "installed" so much as "unzipped".

This really sounds dumb. First you want to "force" your ineptitude with technology on other users, and then want to blame Tor developers by accusing them of not fulfilling a duty to others. Man, you just love to play the blame game and evade responsibility for your own actions. These are decisions "you" make. Learn to live within your (technical) means, and let the rest of us live within ours.

You don't need to force people to upgrade, just have something on the homepage that tells them that the version is insecure and they should upgrade to reduce the risk of being exploited. Apparently javascript exploits have been around before, I didn't know they were possible, if more people knew they were possible and the risks they would upgrade without being forced.

And for goodness sake - disable javascript in noscript by default, and don't leave any sites in the whitelist. This is how I start off, and then I make decisions on a site-per-site basis (eg. Do I really trust this site??)

https://decvnxytmk.oedi.net/docs/faq.html.en#TBBJavaScriptEnabled :

"we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).

Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."

(all emphasis mine)

BWAHAHAHA enabling javascript is safer? Crack pipe please!

Javascript exposes your system's Time zone/Screen size/Color depth/System fonts, without even using any hacks, test it yourself:
https://panopticlick.eff.org/index.php?action=log

How the fuck is that safer? That's before we even talk about all the javascript exploits.

If javascript is safer noscript wouldn't attach the (dangerous) warning sign to it now would it.

Stop lying.

The idea, I think, is that since TOR has javascript enabled by default, you can hide amongst all the other TOR users running their system on default by also keeping your JS enabled. Basically, you stay anonymous by hiding in a crowd. Keeping JS disabled everywhere makes you part of a smaller crowd of TOR users who have their JS disabled and selectively enabling for some sites and not for others makes your browser settings unique, giving you no crowd to hide in, which is very bad when you are trying to remain anonymous.

From an anonymity perspective, it makes sense. But I will agree, that definitely does not make you safer, especially if you are running a Windows OS on a privileged account. But that can also be avoided by running your OS on a low security setting, especially if that OS is not Windows. JS can deploy self-executing exploits all day long on a linux system running at a low security level and do nothing.

It doesn't matter how visible a notice or warning is, some people will completely ignore it and move on.

Source: I used to work tech support on a college campus. Also, retail.

"It doesn't matter how visible a notice or warning is, some people will completely ignore it and move on."

But once as much as can be reasonably expected has been done to warn, then the responsibility rests upon the user who ignores the warning.

"some of its users will not be very sophisticated, and won't understand the implications of not updating."

I don't recall sufficient details about the warning that flashes when a deprecated TBB opens.

If the warning:
a) is practically impossible to miss,
AND,
b) explicitly conveys the danger of continuing to use the deprecated TBB,

well, then any user who ignored such a warning would have THEMSELVES to blame, don't you think?

The warning should read something like:

"A new version of TBB is now available. You are strongly urged to update immediately. The version you are reading this in has known critical *security vulnerabilities* that may be used to compromise the protections provided by Tor as well as harm your system in any other number of ways."

August 05, 2013

So I am running 2.3.25-10 version from June 26 2013 but may have had java enabled and visited tormail ... am I covered by the fix in the latest version ?

August 05, 2013

In reply to arma

thanks ... I meant javascript ... and thanks for keeping our anonymity as secure as possible ...

August 05, 2013

Interesting. So it took "them" about 4 weeks from the patch (Firefox was patched a day earlier) to an implemented larger-scale attack. Not too bad for a bureaucracy.

But this also clearly says the Tor project is not to blame. Being 4 weeks behind with security patches is unacceptable for something like Tor, and the mozilla folks called the vulnerability "critical". This vulnerability does not even really qualify as 0-day, even if the mozilla advisory just says "crash, can possibly be exploited".

August 05, 2013

I use the Vidalia package from last year with a FF version 10x. Is my setup at risk from this exploit?

Your browser is vulnerable to this type of attack (and many others) indeed, but the attack implemented on Freedom Hosting sites specifically targets v17 of Firefox, thus it's likely that your identity has not been compromised if you've visited any of these sites with v10x.

August 05, 2013

I still don't understand it all - sorry in advance :)

I've read several different things about the exploit, one mentioned a tracking cookie that could not only reveal your IP but also every other site visited while the cookie is active.

So for my question:
Does the script just tell the server the site you got it from (e.g. Tormail) and your real IP or does it track all the browsing of the current session?

August 05, 2013

Sorry for the stupid question, but one thing would be interesting for me: I had an older version of TBB installed until Friday, but JavaScript was globally disabled. Can I be affected?

August 05, 2013

I wish Mozilla would take memory safety more seriously.
Almost all releases contain:
'Miscellaneous memory safety hazards'

Much JavaScript in Firefox codebase also violates sound practices and advice from Douglas Crockford in "JavaScript: The Good Parts".

It's sad to see that lots of JS code use the (bad) == equality operator, instead of the (good) === operator.

There are static checking tools available.

But I'm pleased to see that Tor is starting to take TDD seriously. Thanks for that!

The WWW in general has gotten way ahead of itself and should never have been allowed to get as far as it has with all of the numerous, multiple security threats, many never even /accounted/-for, much less adequately dealt with.

Critical infrastructure and at least a great deal of the critical data that has been placed onto the Internet should never have been.

Yet another example of what happens when you allow the "Free Market" to dictate; to be the arbiter, etc.

August 05, 2013

I don't hear anything outside of the Tor Browser. What about the pluggable transport version obfsproxy for Tor? I believe that version of firefox is 17.0.6.

Is this safe, because there hasn't been an update or an announcement for this particular package?

Also, for us non-techs, would we actually know that the browser was affected, if something took place. Any explanation would help. Thanks!

August 05, 2013

Question: In a German newspaper they say that you tor-developers suggest not to turn off javascript. The newspaper states that it would be more suspicious than protecting.

What can you say about javascript. I disabled it for all sites because of possible attacks like this.

Javascript on or off - what is the better way to surf safe?

Javascript on or off - what is the better way to surf safe?

That depends on what you mean by safe.

The Tor Bundle ships with Firefox as the browser, and includes the NoScript extension to Firefox that blocks scripting if the site is not in a user-maintained whitelist.

The problem is that disabling JavaScript by default breaks browsing for people who want to access sites that require JavaScript to work correctly. Most Tor users are simply concerned with anonymity, which means not having their actual IP address available to the site they are viewing. When you go through Tor, the origin address the other side sees is your Tor exit node, not your real IP.

The Tor Project chose to enable JavaScript globally to avoid problems for the majority of users who don't care if it's enabled.

I don't know of any way to get a real underlying IP address of a computer with just JavaScript. Getting the real IP address requires OS level operations JavaScript isn't allowed to do.

If you run the Tor bundle, click Addons. In the Addons window, select NoScript, and click the Options button. Uncheck the "Scripts allowed globally" box.

JavaScript will now be off by default. NoScript will warn you if it has blocked JavaScript execution when you visit a site. If you trust the site, you can add it to NoScript's whitelist, and JavaScript will be permitted for that site in the future.

Great explanation, but one further note -- you say "if you trust the site", but if the site is giving you content over http, then you really mean "if you trust the site, and also the network connection between you and site". And whether you're using Tor or no, that decision gets quite complex. Even worse, we've seen evidence lately where state-level adversaries can fabricate https certificates for other sites -- so we need to append "and if you trust the 200 or so certificate authorities to all behave perfectly" to the list of if's. Rough world out there. (That said, raising the bar does help.)

Unfortunately those who trusted the sites hosted on Freedom Hosting, and added them to a white list, got caught by this exploit. After today, JavaScript must be off in TOR at all times, because new vulnerabilities like this will pop up in the future.

If you want to be private, you have to disable JS, no matter how trusted and secure a site may be. There is no way around it now. FH was a trusted, untraceable onion hidden service.. and yet it fell and was injected by malicious scripts. TOR must ban JS completely starting today.

If you use JS you can be caught by such buffer overflow exploits, and your real identity will be revealed. And if you don't care about protecting your identity, why use TOR?

One should consider if banning JS from all browsers is not the right thing to do. If any malicious executable code can be run at will by JS, imagine what this could do in the hands of criminals. It could install a keylogger on your pc with ease and gain access to your bank accounts, or worse.

It sure would be nice to have an easier interface than Noscript's, for enabling Javascript in a just-in-time way when you decide you want it.

That said, while Javascript is indeed a big vector for attacks, don't think you've solved everything by disabling it. Another enormous vector is svg and pngs -- it is absolute crazy-talk to just blindly accept images from websites and render them. No reasonable person would allow images to load in their browser. The number of recent vulnerabilities in libpng alone should be enough to convince you.

That said, I sound like a paranoid maniac in the above paragraph. But hopefully it will make you stop and think. How did we get to this point in browser security, and how do we recover from it?

August 05, 2013

In reply to arma

Write a secure browser from scratch and don't bother catering to people's retarded demands like being able to run the latest and stupidest web 4.0 gizmo.

Problem is, you want a browser that the dumb masses can use in every dumb web site...Looks like your problem can't be solved.

August 07, 2013

In reply to arma

Re: How do we recover from it?
The best defense is a good offense. It is probably impossible to prevent all hostile surveillance - either by government or the private sector. But, you might consider making it worthless.
I don't know much about spam. Send me meaningless messages, and I will just ignore and delete them.
Suppose you developed an application that waited for your computer to be dormant for a certain period, then composed totally junk email using random words from a dictionary, and sent those messages to random people who use the application (by using the application, you would consent to randomly receiving a bunch of junk). You would clog surveillance servers with nonsense.
Develop another application, as above, that doesn't send anything, but simply goes from one "G" rated site to another, again randomly. Again, the surveillance folks would be clogged with junk.
Now, if you want to make things interesting, search "phony research papers" and you find a site at MIT where you can enter your name and it will crank out a phony technical research paper. Total nonsense. Use those for the email messages.
Want to make it more interesting, encrypt all the email with PGP.
For those - like me - who are truly malicious, generate the phony research paper, then use a word processor to change one of key words in the paper to "uranium deuteride," "virtual cathode oscillator," "high purity fluorine," "10 gauge, high purity aluminum tubing, 3 inch ID," etc. Don't forget to encrypt it! (Also, be really familiar with the FBI's "triple threat" surveillance program IN ADVANCE! And, don't do this unless you enjoy excitement because you're going to get plenty.).
Gnovalis

So, just to make it "easier" to browse, TBB effectively facilitated this attack by having JS on my default despite cries for it to be disabled? Nearly all new major Firefox vulnerabilities involve breaking the sandbox with javascript, yet the TBB insisted that it had patched all *known* vulnerabilities and so users were supposed to believe running JS was some sort of acceptable risk!

I don't know how many people complained to both TBB and Tails that Javascript should be OFF BY DEFAULT but they kept coming back with this same old horseshit. Tails devs refused point blank to even add a bootcode to start Iceweasel with javascript off!

This all stinks to high hell.

It's not that simple. Did I not read above that if you had the most recent release of the TBB that you were immune to this attack? What it means is users should always make sure that they are using the latest release. It's pretty obvious too because the default home page for the TBB is https://check.torproject.org/. Now this isn't a perfect solution because the government could perform a mitm attack to make users think they had the latest version when they didn't. However if I'm not mistaken they are working on a better solution. Also- I'm not arguing javascript should be on by default although I think to say it should be off by default overlooks the issue that doing that would decrease the Tor user base which hampers security as well for all users.

It might be worth developing a plug-in with a big button that says 'secure mode' and one that says 'risky mode'. The secure mode would automatically be enabled for .onion sites where the onion sites would then be expected to comply with the 'secure mode' design (since all such sites for all intensive purposes must be compatible with it). The first thing you see when opening the TBB is an explanation of this 'secure mode' and the 'risky mode'. If you select the risky mode on non-Tor sites you should get a warning "Are you sure? There is a decent chance you will be putting yourself at risk" with continue, cancel options. This way it is a little more difficult to accidentally turn on 'risky mode' and at the same time non-technical users wouldn't find the TBB difficult to use.

"for all intensive purposes"

Yeah, a lot of those .onion sites can get pretty intensive...

( I think you meant 'for all intents and purposes')

The advice given in the final two paragraphs of the above post explicitly and completely contradicts that given in the Tor Project FAQ:
(all emphasis mine)
"we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).

Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."

( https://decvnxytmk.oedi.net/docs/faq.html.en#TBBJavaScriptEnabled )

I am absolutely appalled that arma not only effectively endorsed, in general, this post that so contradicts the FAQ maintained by her organization but actually went-on, in a subsequent post, to clearly imply endorsement, specifically, of selective enabling of JavaScript while using Tor:

"It sure would be nice to have an easier interface than Noscript's, for enabling Javascript in a just-in-time way when you decide you want it."

BWAHAHAHA enabling javascript is safer? Crack pipe please!

Javascript exposes your system's Time zone/Screen size/Color depth/System fonts, without even using any hacks, test it yourself:
https://panopticlick.eff.org/index.php?action=log

How the fuck is that safer? That's before we even talk about all the javascript exploits.

If javascript is safer noscript wouldn't attach the (dangerous) warning sign to it now would it.

Stop lying.

Sir,

I was merely QUOTING the Tor Project FAQ and noting the glaring contradiction between what it says and what "arma", a representative of that very same organization (The Tor Project) wrote here.

People should be demanding a response to this CONTRADICTION.

If the majority of users have javascript on, and you have it off, you are suspicious.

It's far better to feed observers a made-up timezone, size, color depth, and system fonts.

I vaguely suspect there's a plugin for that.

August 05, 2013

I use Tor + Privoxy and Firefox 22 as a browser (and I don't use Windows, of course). Am I safe? If not, what should I do? I am a journalist, sorry if my question is a stupid one.

Privoxy? Really? Of course you're not safe. You probably won't have to worry about this exploit, but you understand Privoxy can only provide an HTTP proxy, right?
There's a reason Tor dumped it ages ago.

August 05, 2013

Noscript should be enabled by default or javascript should be disabled by default in tor browser bundle.

August 05, 2013

In reply to arma

I would also say I thought the same thing but I realized something so now I am not so sure that this was true with the TBB, but it was true with Vidalia Bundle (which for some insane reason you no longer maintain and I have to add Polipo in myself). I think that is the confusion.

I think the following should be done

1. The default home page already does detect if you are actually using TOR and if better versions are available. You could at least add a JavaScript add to detect and inform people that it is enabled. It can be easy to forget right after an update (yet could cost them dearly).

2. If they prefer it disabled then a simple how to could help (yes I know it takes about 2 clicks but many users are tech impaired).

3. Do include something like pre-configured Polipo (or Privoxy which was used formerly).

4. Having NoScript disabled by default does make a certain sense in that it is more usable by the tech impaired, yet there is a disconnect here when you consider the current method of PGP checking (not that I recall noticing much good instruction on your site to begin with).

Sure it is easy enough for the technically inclined like myself, but what is the point of the average user getting into TOR while being so vulnerable to a compromised client?

Consider this when the stakes are higher - a whistle-blower/informer/activist. Not all these people will understand how to know the difference and good luck to the non-English speaking activists trying to figure out how to use PGP.

I am working on this myself - mentally at this point. I may slap something good together that will help the less tech adept. It would be better though (more trustworthy) if you guys handled this. It would not really be that hard.

Another thing you might consider is an installer which ASKS people if they prefer things more secure or more compatible with websites. Depending on the question, pre-configure TBB as they have chosen.

As for "it would not be that hard" for the PGP thing, consider that our current instructions for Windows users start with "download gnupg.exe from this http website". Windows users are screwed at a very deep level. If you have good answers, the world wants to know them.

As for a configuration option for Javascript, keep an eye on
https://trac.torproject.org/projects/tor/ticket/9387

Oh, and you don't want Polipo -- the next code security vulnerability would exploit it.

Waaait a minute. You acknowledge that TBB never shipped with Javascript disabled, but then you say that the old Vidalia bundle did? The Vidalia bundle never included a browser! And the old Torbutton Firefox extension never shipped with Javascript disabled by default.

I think a lot of the confusion stems from people very long ago being confused between Java and Javascript. Also, very long ago (before Torbutton), there were open questions about what privacy-invasive things Javascript could (using the legitimate API, I mean) do to you. Torbutton addressed many of them. But we're talking 6+ years ago now.

https://gitweb.torproject.org/torbutton.git/blob/HEAD:/src/CHANGELOG
for those playing along at home.

August 05, 2013

In reply to arma

I'm sorry for repeating hearsay without first verifying :(

"Noscript should be enabled by default"

NoScript is enabled by default in both Tor Browser Bundle as well as Tails but set to allow scripts globally. Even in this configuration, NoScript still provides certain protections, such as blocking cross-site scripting (XSS) attacks[1].

Obviously, allowing scripts globally cannot provide (anywhere near) the same level of protection as the selective whitelisting model that is the normal default behavior of NoScript. So why do both Tails as well as TBB ship with this less-secure configuration of NoScript? This question has been asked and answered many times (both of/by Tails as well as Tor).

The primary reason that has been given is usability; the functionality of many-- if not most web sites-- is heavily dependent upon JavaScript, often critically so.

An additional reason that has been given (both by Tor as well as Tails officials) concerns "fingerprintability".

Here is the relevant part from the Tor Project FAQ:

(all emphasis mine)
"we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).

Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."

( https://decvnxytmk.oedi.net/docs/faq.html.en#TBBJavaScriptEnabled )

NOTES: [1] See, for example:
http://www.h-online.com/security/news/item/PayPal-vulnerable-to-cross-s…

I believe-- but am not certain-- that NoScript would protect against this threat-- even in the default Tails and TBB configuration where scripts are allowed globally.

August 05, 2013

So if one had FF 17.0 to 17.06, AND had javascript enabled, they are probably compromised.

If javascript was disabled, probably GTG?

August 05, 2013

If you're running off Firefox 10 (i.e. not the latest), there's no warnings on the check.torproject page (it says the usual congratulations), and if you check for updates through Options->Help, it says it's up to date! Please fix this because people who rely on this to find out if it's current won't know about this vulnerability.

Which bundle do you have exactly?

And unfortunately, 'check for updates' means 'go ask Firefox if there are updates', which we've disabled in TBB since that's not where your updates come from.

August 05, 2013

As a general comment, all of this stuff has been going on for quite some time and it is my general reflection that the nature of the problem has to do with either Tor not having enough volunteers working on the problems / code updates / fixes, or not enough money / donations to do this. Not sure if I am right about this, but over the past few months, I have been closely watching the following conversations -- all quite public in vbdvexcmqi.oedi.net posts, with substantial discussions accompanying each post:

1) April 22, 2013: 'Hidden Services Need Some Love'
https://vbdvexcmqi.oedi.net/blog/hidden-services-need-some-love
(Notice the discussion of donations in the comments section, after the extensive post on keys / key length, attacks, hidden services, etc - did this ever materialize? Maybe there is a need for a public funding campaign, perhaps, to address certain ongoing security issues discussed in that post?)

2) June 8, 2013: 'Prism vs. Tor'
https://vbdvexcmqi.oedi.net/blog/prism-vs-tor
(See discussion of keys, donations, etc, in comments...)

3) August 4, 2013: 'Hidden Services, Current Events, and Freedom Hosting'
https://vbdvexcmqi.oedi.net/blog/hidden-services-current-events-and-fre…
(Kind of odd that part of the title was 'Current events' since a variety of these issues which led to this have been discussed and discussed and discussed for some time - but again, worth reading, and check out all the comments)

Supposedly Tor is looking for a lead software engineer and would like to hire more people. https://decvnxytmk.oedi.net/about/jobs.html.en
I am just guessing, but it seems to me that people would be willing to support crowdfunding positions for Tor bugfixing and development (such as through an indiegogo or crowdrise campaign) -- especially if there was a promise by Tor to divest itself of (that is, get rid of) any connection to DoD funding or staff now and in the future. People are asking questions about Tor's past and present funding. People ask questions about Dingledine. https://vbdvexcmqi.oedi.net/blog/trip-report-october-fbi-conference It is in people's nature to ask these kind of questions and to be skeptical. I think one way to address this meaningfully is for the Tor project to lean more on crowdfunding mechanisms and more frequent appeals to the user base through social fora to participate in financing efforts to support and fix Tor.

In closing, I think it's good that Tor is working with Mozilla in an effort that could bundle Tor into Firefox, and is working towards a day when Tor could be incorporated into Chrome (( post on that here https://trac.torproject.org/projects/tor/wiki/doc/ImportantGoogleChrome… )) but it is obvious that all of this needs funding and support which implies a need for crowdfunding more positions (periodic / more frequent indiegogo campaigns, etc.) to address all of these security issues - or so it would seem.

Funding campaigns are needed.

Your post seems to completely overlook the fact that only those who were running OUTDATED, DEPRECATED versions of TBB were subject to this exploit.

Other than that, you raise some good points, particularly about funding sources.

Observing your other posts here (no I am not an admin, but I can read and see patterns), you seem to repeat the phrase "OUTDATED, DEPRECATED" in your post(s). Perhaps you think everyone is using OUTDATED, DEPRECATED versions of TBB in Windows and that is your issue? Or perhaps you did not read the context of my post above, which had nothing to do with whether or not someone is updating something and everything to do with the issues of torbugs of all kinds (and the problem of how to fund the fixing of them over time whenever they occur, whatever they are).

Also, I suggest reading this -- just for fun (relevant to both java and javascript issues, which I think will be a long running discussion and are in no way settled):

--> https://www.cyberguerrilla.org/blog/?p=15358

*** Notes:
What is Java? https://www.java.com/en/download/faq/whatis_java.xml

How is Javascript different than Java? https://www.java.com/en/download/faq/java_javascript.xml

Is Javascript Enabled In My Browser?
http://www.whatismybrowser.com/is-javascript-enabled

What is NoScript? http://noscript.net/ <-- Read this, if nothing else here.

Enjoy

Wait, what?

If you mean "I use Chrome for my non Tor browsing, and I use the Tor Browser Bundle for my Tor browsing", you should be fine. TBB is designed to be standalone and not care what else is on your system.

If you mean "I hacked up some Chrome thing and hooked it up to Tor, am I safe?" then you likely have other problems:
https://decvnxytmk.oedi.net/docs/faq#TBBOtherBrowser

"TBB is designed to be standalone and not care what else is on your system."

But a compromised system absolutely /can/ and is /likely/ to compromise/defeat TBB.

August 05, 2013

I have the latest TBB. Since Friday (8/2/13) Tormail (RoundCube) is not reachable. Any idea what is going on?

August 05, 2013

I have a 2.3.25-10_en version but it was downloaded and installed 6/21/13 per my computer - is this the same version with the bugfix that was said to have been released on 6/25/13 here?

August 05, 2013

In reply to arma

I am a spaz. It was actually installed on 7/21/13 - I misread the file info. Thank you for your prompt reply and kind assistance

August 05, 2013

Since Friday (8/2/13) can't reach Tormail (roundcube). There was a message up about server maintenance, but that is gone. Any idea what's going on?

August 05, 2013

I read that the exploit only affected versions 17 and 18 of FF - I am running 19.0.2.
Is this a browser that would be affected by the exploit?

According to Dan Veditz's post, "The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7."

So your FF 19 has the vulnerability, but this particular attack code would not target it.

August 05, 2013

It seems that the US police state has learned the ip addresses of people all over the world who committed the non-crime of visiting a bunch of websites.

From a technical point of view that's a big failure for the Tor project. They are responsible for the browser they bundle, aren't they?

Now, what's the legal side of things? The US police state has hacked into computers of people living all over the world. What is the US state planning to do with the information they stole?

Please somebody from the EFF chime in. Thank you.

We do try to keep up with browser updates for TBB, yes. You'll notice that we put out an update in June, and this was exploited in August. People who updated were fine.

As for the legal side of things, I don't think anybody has details on whether it was really the US police state? Not that I'm claiming it wasn't, but it's hard for anybody to proceed without details.

August 05, 2013

Would EMET with Heapspray protection enabled on a vulnerable version have mitigated this attack?

Find the version you were using if you can, maybe it's still hanging around somewhere - the compressed installer. Find those numbers attached to it and line them up with the content of this blog.

August 05, 2013

In reply to arma

I'm sorry, I wrote that comment in a rush, I meant to say mid-to-late June, Early July.

August 05, 2013

On or around July 30, 2013, while I was at a certain website, my Tor Browser displayed a yellow ribbon just below the menu bar.

It read as follows:

In order to implement a crucial fix, this update resets your HTTPS Everywhere rule preferences to their default values

Question: Has anyone encountered such a situation?

The version of the TBB that I was using at the time is the latest version. My OS is Microsoft Windows 8, 64-bit.

Absolutely the same here, my friend. I did nothing when that message appeared as a bar below the original bar, but it was the first time I saw it. Probably I'm fucked. Time to buy another laptop, I will burn this one.

I got the same message! But I had never fiddled with the settings of HTTPS Everywhere. Why the need to "reset to default values"?

arma, why no comment from you??

I did, in both my copy of the TBB as well as my untrusted (regular) copy of Firefox and my copy of Portable Firefox. A new version of HTTPS-E came out that day, but required reconfiguration almost from scratch.

August 05, 2013

What should one do if they can't remember whether or not they used TOR over the last couple of weeks?

No, there isn't any way. Tor is designed not to keep logs for your own safety. But seriously. If you can't remember whether or not you have used Tor in the last week you should see a doctor. Alzheimer's can be slowed down if it's detected early.

That depends. If you are using Windows then... maybe. Windows uses an NTFS file system. NTFS has something called Last Access Update. Assuming this is turned on, it will update with the last time you accessed a file. Right click on a file and choose properties.

If it is turned off - the date will be the same as the created date. If it is turned on, it will be the last time you accessed the file. In the case of TBB, the last time you ran it. That can tell you (or anyone with access to your computer) when it was last run.

This is turned on by default in XP and I cannot remember if this is true of later versions of Windows. Mine is turned off though and I suggest everyone turn theirs off. It is not hard - Google NtfsDisableLastAccessUpdate and you will see how.

It is better that someone getting a hold of your computer does not know when the last time you access files is. But disabling this "feature" also improves Hard Drive performance and longevity since you are cutting out a write operation from every file read operation! I expect disabling this would also help laptop battery life to some extent. It is a terrible "feature."

I will add one more thing. If you use Truecrypt to protect sensitive information and you also utilize keyfiles (music files are good but random recorded radio noise is better) then this "feature" makes it very, very easy to figure out your keyfiles. Disable it NOW.
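As an added illustration of the NtfsDisableLastAccessUpdate check described in the comment above (example code written for this page, not posted by the commenter and not shipped by the Tor Project), the PowerShell below reads the registry value, interprets it, and compares a file's creation and last-access timestamps the way the comment suggests. The registry key and the fsutil command are the documented ones; the file path is an assumed placeholder.

```powershell
# Added example: inspect NTFS last-access timestamp behaviour on Windows.
# Reading the value needs no special rights; changing it needs an elevated prompt.

$FileSystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\FileSystem'
$ValueName     = 'NtfsDisableLastAccessUpdate'

function Get-LastAccessUpdateState {
    # Returns a small object describing whether NTFS records last-access times.
    $item  = Get-ItemProperty -Path $FileSystemKey -Name $ValueName -ErrorAction SilentlyContinue
    $value = if ($null -ne $item) { $item.$ValueName } else { $null }

    if ($null -eq $value) {
        # Value absent: the operating system default applies.
        return [pscustomobject]@{ RawValue = $null; UpdatesDisabled = 'unknown (OS default)' }
    }

    # Windows Vista through 8.1: 0 = updates enabled, 1 = updates disabled.
    # Windows 10 1803 and later add 2 (system managed, enabled) and 3 (system managed,
    # disabled); in every case the low bit alone says whether updates are disabled.
    $disabled = (($value -band 1) -eq 1)
    return [pscustomobject]@{ RawValue = $value; UpdatesDisabled = $disabled }
}

function Show-FileTimes {
    param([Parameter(Mandatory)][string]$Path)
    # Lists the NTFS timestamps of one file. With updates enabled, LastAccessTime moves
    # when the file is read (NTFS may defer writing the new value for up to an hour);
    # with updates disabled it normally stays at the creation or last-write time.
    Get-Item -LiteralPath $Path |
        Select-Object FullName, CreationTime, LastWriteTime, LastAccessTime
}

function Disable-LastAccessUpdate {
    # Sets the value the comment refers to. Needs an elevated prompt and a reboot to
    # take effect. The documented command-line equivalent is:
    #   fsutil behavior set DisableLastAccess 1
    # and the current setting can also be read with:
    #   fsutil behavior query DisableLastAccess
    Set-ItemProperty -Path $FileSystemKey -Name $ValueName -Value 1 -Type DWord
}

# Usage
Get-LastAccessUpdateState | Format-List
# Placeholder path, assumed for illustration: point it at your own Tor Browser launcher.
Show-FileTimes -Path 'C:\Tor Browser\Start Tor Browser.exe'
# Disable-LastAccessUpdate   # uncomment to apply (administrator rights required)
```

The reply that follows in the thread is right that Vista and later disable these updates by default, so on most machines Get-LastAccessUpdateState will already report them disabled; the check is still worth running on a system that was upgraded or tuned by hand, because a value of 0 or 2 means every read of the Tor Browser files leaves a fresh timestamp behind.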

Last Access Time is disabled on NTFS for Windows > XP and Windows Server > 2003 unless you cleverly re-enabled the feature. It's disabled for performance reasons. It may even be disabled on those named OSes with the last service packs, but I am only surmising.

I think Last Access Date (no time recorded) is still enabled by default on FAT volumes, but I could be wrong.

You can show the column in Windows Explorer and see if it is useful...

August 05, 2013

Great Tor I never even thought about jailbait before I found Tor but then I got curious and looked at freedom hosting site and now I go to jail and get ass raped. Thanks for entrapment asshole.

why would not naked hot teenagers spike curiosity in you? Tor promised me hot teenage action and all I got was raided by the feds!

Who couldn't be mesmerized by the undeniable lure of tender, smooth, taut, voluptuous youth?

Who could corrupt, exploit, bugger, sodomize, defile, desecrate, deflower, etc.?

It depends on their age you dirty bastard! you need a rope around your neck if it were young girls! I have no sympathy for sick fuckers who get ass raped in prison for seeking child porn, not everyone who uses TOR is into this shit

Have you not noticed that a lot of 13 year old girls look like hot 20 year old sluts? When will the pretending that they are not attractive end? When will it end putting people in prison just for looking at such hotties showing off? Let's get some sanity in this issue!

Those are your thoughts in your own head and not what the actual child of 13 is thinking! idiot!
Girls that age throw tantrums, bitch a lot, cry a lot, they are mouthy and like boys around their own age. Do us all a favour and use your brain when you look at youngsters

maybe because only fools accept someone else's opinion about something they never saw for themselves? why do YOU hate child porn? because someone told you it's all evil and disgusting rape and torture of babies correct? WRONG. A photo of a teenage boy model in underwear can, and has been called child porn. a video recorded by an underage school student and shared by him over the net is called child porn. if you view it, the government will tell you you abused that kid. did you really? does watching dexter make you a brutal killer? does watching news of 9/11 make you a terrorist responsible for the deaths of thousands? does looking at the footage of the first and second world war make you in any way responsible for the actions in it? are you that blind and compliant to believe anything you are told that you yourself did not research? that's why people are curious and go see things, even if the things are 'awful' and illegal - or are they?

perhaps 1% of the people caught in this exploit actually did any harm to a child. the 99% will be persecuted nevertheless. because people do not understand what child porn really is and that not even 0.1% of it is rape or torture. most of it is teenage kids masturbating on webcam or vintage videos from 30 years ago. hardly a reason to destroy lives by branding all of them rapists and molesters.

Thing is that there is really a big line between CP and JB. There is a ton of sick CP of toddlers and babies being raped and very underage kids being generally exploited. I find such things disgusting, but I don't care what other people get off to, I care only that they do not molest kids themselves. On the other hand there is also a ton of JB and it is considered CP only by legal technicality. In reality it consists almost entirely of teenagers taking pictures of themselves naked and uploading to the internet. Some small percent of them are blackmailed into doing so, some larger percent of them shared pictures with a boyfriend who shared it with the internet, but none of them are really raped and abused and a lot of them willingly and knowingly uploaded their own pictures. The biggest problem with Tor is that sites that host JB mix it in with tons of very disturbing and disgusting other shit that very few people who care about JB even want to look at. There are tons of clearnet sites for JB and the feds totally ignore them, but the people looking at JB on Tor are all going to be fucked by this operation because the feds cannot tell them apart from the people looking at 6 month old getting brutally raped. Personally I don't really care if people look at picture of 6 month old getting brutally raped though, looking at pictures is very far from doing the things in the pictures, or else everyone who looks at holocaust picture is then guilty of war crimes. Anybody with any fucking logic in their mind at all knows this, but these emotional thinking idiots control the world.

Jailbait is very addictive. It is best to never look at it even one time. Once you see fresh young teenagers you never want to go back to looking at old generally very rough looking adults in legal pornography. I have many friends who use Tor for various reasons not related to CP at all, and many of them have claimed to become addicted to jailbait after first finding it on Tor.

Beauty depends on the specific woman, as it does at any age, and also involves who she is as a person. Since I'm much older I see a 14-year-old as a kid without any real life experience. As my wife ages I still find her very attractive. She isn't 90 yet but I think I'll feel the same then.

I have to agree with this. Not only are jailbait girls typically at the peak of their sexual attraction, but the feeling of doing something so illegal is very addictive as well. It reminds me of being young looking at porn for the first part of my life, trying to hide it from my parents. Something forbidden and secret but so attractive and good feeling. I think the forbidden aspect is half the fun with jailbait, but most surely it is not all of it because I do find actual child pornography to be very disgusting and would not look at it even though it is also forbidden. Peak sexual attraction, plus bringing the rush back to pornography....a very addictive combination.

you are both right, yet i (being a young adult) don't think i will live enough to see this being acknowledged by the "masses" not even mentioning the lawmakers.
Internet "pedophiles" - no matter if they fap to toddlers being gang raped or pictures of topless 16 year olds - are way too convenient scapegoats for powers that be, who can gain political capital and sympathy points literally out of nothing by cracking down on internet CP, instead of helping children that are actually being abused (which would require much more effort and $$, but won't make any big headlines)

Also censorship. Whenever you want to impose some restrictions on internet-users, just do it "for the children" and accuse your opponents of supporting pedophilia. Works like a charm.

posting this over tor because FBI lol

Scapegoat is the right thing to called pedophiles/pedosexuals (I feel the latter is more true) in the real world. The whole anti-pedosexual thing started when homosexuals were beginning to be accepted by society, as the new 'boogie man' for society created by feminists/religious leaders who hate that learning that sex is a wonderful and pleasurable thing early is the biggest buster of their bunkus in the world.

"The love between men and boys is at the foundation of homosexuality. For the gay community to imply that boy-love is not homosexual love is ridiculous." - "No Place for Homo-Homophobia.", San Francisco Sentinel, March 26, 1992

"Shame on us if our lesbian/gay voices remain silent while our
NAMBLA brothers are persecuted once again, and shame on those
lesbians and gay men who will raise their voices to condemn NAMBLA,
insisting that boy lovers (and presumably the boys they love and who
love them) are not part of this thing called the lesbian/gay
community."
- Steve Hanson, "Shame on Us.", Bay Area Reporter, January 23, 1992

"NAMBLA is by no means on the fringe of the "gay rights" movement. For years, it was a member in good standing of the International Lesbian and Gay Association (ILGA), and was only jettisoned by ILGA when the parent organization applied for United Nations consultative status in 1993. Years earlier, the ILGA itself had resolved that "Young people have the right to sexual and social self-determination and that age of consent laws often operate to oppress and not to protect." "
- http://www.lifeissues.net/writers/clo/clo_09homosexuality.html

Note that the "love" being referred-to in the above quotes is little more than an Orwellian euphemism for the buggering and sodomizing of tender youth by adult males.

(This is particularly disturbing when one considers the distinct physical as well as psychological disadvantage that the *receptive* partner in anal penetration is placed at: The bulk of the considerable risk of deadly infection as well as injury, ALL of the pain, discomfort and inconvenience that are endemic to this act, etc. )

I as young adult find that young adults like jailbait and old ass adults think it is horrible. Hardly any of my IRL male friends have not made comments about being attracted to under 18 year old teenagers, many of my internet friends who know about Tor have said they have looked at jailbait on it. But for most old people they seem to think it is totally horrible. Total disconnection between age groups, the same as it is for drugs.

If you are innocently looking at girls your own age, why do you have to do it on the TOR browser??? makes no sense.
Most of us old ass people have children and idiots like you are a threat to them, when you grow up and have children of your own, only then will you understand.
Please stick to the normal web where you can happily watch naked 18yr olds and not young teens who are being exploited, used and abused for your own selfish needs.

"Internet "pedophiles" - no matter if they fap to toddlers being gang raped or pictures of topless 16 year olds - are way too convenient scapegoats for powers that be, who can gain political capital and sympathy points literally out of nothing by cracking down on internet CP, instead of helping children that are actually being abused (which would require much more effort and $$, but won't make any big headlines)"

You raise some valid points that are worthy, if not /requiring/, of consideration and discussion.

Nonetheless:
1.) Wouldn't you say that working to /prevent/ abuse from occurring in the first place is no less important than helping the victims of abuse?

2.) Wouldn't you say that an individual who derives /pleasure/ from images/descriptions/fantasies of the likes of "toddlers being gang raped" is considerably more likely to pose a threat to society than the average or typical random individual? (Considering that the vast, overwhelming majority of the population-at-large in just about any society finds such imagery nothing less than utterly repugnant, revolting, repulsive and deeply disturbing.)

3.) Accepting the premises outlined in #s 1 and 2 above, wouldn't you say that society has a legitimate interest-- if not /duty/-- in at least /flagging/ and /monitoring/ anyone who exhibits solid, convincing evidence of having an unhealthy interest in the type of imagery in question?

4.) This is not to say that the /MERE viewing/ or possessing of /images/--of /any sort/-- should, in and of itself, carry criminal penalties.

1. The problem is, is it really *scientifically* proven that watching CP facilitates child abuse (comparable to what they call a "gateway drug", meaning first you watch pictures of 10 yo models in bikinis, then you need a stronger kick, you switch to harder and harder sex scenes, until just watching doesn't do it for you any longer and you go lure some real kids into your van)? Or does it help people who might have those urges, relieve them without acting upon them? Your first point seems to be built upon the first assumption, however if the 2nd is true, then what they are doing is not even wasting time/money, but using them to facilitate what they should be actually trying to prevent, since less CP = more people having sex with real kids. (btw. I'm talking about an absolute minority here that would actually act upon their sexual fantasies, I doubt they constitute a large percentage of people watching CP. Just like there are a lot of people into rape/rough sex, but only few of them would/do actually rape)

2. Well, he might be. Same as with somebody who watches gore videos or even Dexter. It's a very difficult question that can't be properly addressed at our current level of technological development. Regardless of that, what you are talking about here is thought crime. Just imagine the US government (or any government for that matter) being able to prosecute or even "flag" people for what they think. Imagine all sorts of power abuse that would then happen. And it would be even worse once they actually had the technology to read your thoughts. (And what the vast majority thinks shouldn't even matter; you know what the vast majority of people thought, and in many parts of the world still thinks, about homosexuals.)

3. Only if it's proven beyond a doubt that those people would actually act upon their urges. Otherwise we are talking of pre-crime, Minority Report kind of situations, where innocent people potentially suffer consequences of actions they didn't do. And proving something like that beyond a doubt (I guess we are talking about preventive measures here; if somebody already raped a child and you have evidence, it's an easy game) is not feasible with our technology anyway. But even if it were, we should really think about whether it's worth the trade-offs (see 2nd point). Basically it's the same security vs freedom debate, but with stakes set very high. It was always possible (at least in theory) for people living in dictatorships to keep at least their thoughts free and overthrow the tyrants when the time was right. Open the powers that be the way into your thoughts and there will be no escape.

4. Agree.

1. It is scientifically proven that in all countries that legalize possession and viewing of child porn, there is a sharp drop in child molestation rates, in every single country ever studied

http://phys.org/news/2010-11-legalizing-child-pornography-linked-sex.ht…

Results from the Czech Republic showed, as seen everywhere else studied (Canada, Croatia, Denmark, Germany, Finland, Hong Kong, Shanghai, Sweden, USA), that rape and other sex crimes have not increased following the legalization and wide availability of pornography. And most significantly, the incidence of child sex abuse has fallen considerably since 1989, when child pornography became readily accessible – a phenomenon also seen in Denmark and Japan. Their findings are published online today in Springer's journal Archives of Sexual Behavior.

http://www.wnyc.org/shows/bl/2013/aug/21/crime-online/

Above commentator and some others here may wish to post there. No registration required, only valid email (try disposable).

Especially to respond to comments like this:
"The reason we punish those that possess and traffic is because they are now more than in the past the consumers that drive the creation of the child porn."

In agreement with you

A lot of people have failed to recognise that the pedos are providing a service for the watchers; a child is being abused for their viewing and it will continue as long as they watch. I am cringing at the comments that looking at pictures isn't harmful?? Are some of you really that dumb? Of course it's fucking harmful, it's a child, abuse damages lives, it's against their will and human rights. Too many pedos on here.

For the stupid person 2 above saying that the rates of rape and molestation have gone down, you know why that is?? I can tell you, it's online, that's why, and you watchers are keeping it alive.

This attack has nothing at all to do with CP or JB.

If not nothing, very little. I do believe that this is an example of the weakest exploit in their bag of tricks and they didn't much care that it was exposed, as there will be new exploits aimed at de-anonymizing Tor users.

I believe the feds are after the Darknet drug markets much more than CP. Feds foam at the mouth over drug users and need to keep the genocide against drug users going (it's not a war on drugs, only users, and a war implies two sides fighting, which is not the case) to keep the money flowing and prisons filled and COs employed and on and on and on!!

It's about adults using drugs. :-(

Re-posting an apropos post.
______
Re: "drug sites":

-What about, for example, chemotherapy patients, many of whom are dying anyway?
Would you deny them the little respite and relief they claim that marijuana provides them?

Current drug policy in many places does just that, leaving such people-- in misery-- with no alternative but the very "black markets" that you refer to.

- Alcohol is a DRUG that is at least as deadly and claims at least as many lives as any number of substances that don't enjoy the blessings of the law and social acceptance.

What about "taking down" some of the (legal, sanctioned, privileged) mega corporations that promote, glamorize and glorify this poison?

Re: "money laundering": Can whatever Tor may facilitate in this regard even hold a candle to the likes of the Wall Street banksters or even (or especially) the Federal Reserve, the World Bank, etc., et al?

Not that two wrongs make a right but perspective is needed.

And the prison-industrial complex; the ways in which a number of entities directly benefit from a drug policy that results in mass incarceration is an absolutely critical aspect that cannot be overlooked in any discussion of these matters.

Of course it doesn't, the Pentagon is one of the biggest fans of CP.

Pentagon declined to investigate hundreds of purchases of child pornography
http://news.yahoo.com/blogs/upshot/pentagon-declined-investigate-hundre…

Why Was Pentagon Child Pornography Investigation Halted
http://www.thesleuthjournal.com/why-was-pentagon-child-pornography-inve…

Pentagon workers found to have downloaded child pornography
Dozens of staff and contractors with high-level security clearance put at risk of blackmail by their sex crimes

http://www.theguardian.com/world/2010/jul/24/pentagon-us-staff-download…

A typical post from a typical Tor user. "I do no wrong but I am so proficient in CP and JB[1] and know who exploits who etc" purely for educational purposes lol

[1] I can guess what CP is but JB? You guys are really experts in this stuff. I am sorry you were hacked ;)

Yay free speech and all, but yeah, no kidding.

That said, I don't think this little sub-thread counts as typical Tor users. Or said another way, the larger and broader the Tor user base gets, the less relevant this little subset is.

Oh, I forgot, that's all besides the fact that you were running an OUTDATED, DEPRECATED version of TBB that had been replaced over a month ago!

August 05, 2013

Does running TBB from a Windows based VM protect the host machine MAC address? Only the randomly generated VM MAC could be revealed by this exploit?

August 05, 2013

So nobody has any idea if users of versions lower than 17 are affected, like version 10 for example, because nobody knows what was in content1_html. Why is that not mentioned in the article or in any articles for that matter? Why is this not investigated? There could have been another exploit, different from this one in that page, one that still works in the latest version.

javascript is the real issue. Yeah, it would be great if the exploit only works on v17 (for those using older versions), but if you had javascript disabled, probably doesn't matter which version one used. More data is needed.

August 05, 2013

In reply to arma

I think most are concerned with this specific exploit on non-TBB FF versions under v17.

August 05, 2013

Not to be paranoid, but how do we know that old Tor versions are not safe and the new versions are not actually planted with back doors?

Well, you know that older Tor versions aren't safe: we give you detailed release notes for all stable releases:
https://gitweb.torproject.org/tor.git/blob/HEAD:/ReleaseNotes

As for whether newer versions have backdoors, see for example
https://decvnxytmk.oedi.net/docs/faq#Backdoor
https://vbdvexcmqi.oedi.net/blog/calea-2-and-tor
for some discussion of why it would be unwise for us to put backdoors in.

And if you want to be extra careful (besides reading all the source code of course), check out Mike's recent work on deterministic builds:
https://gitweb.torproject.org/builders/tor-browser-bundle.git/blob/HEAD…

It's open source. Get the code. Read it for yourself and see what it's doing. Reproduce the build environment and build it on your own machine.

If you don't know how to do any of that, learn.

The biggest threat to anonymity and online safety is ignorance.

Have /you/ carefully checked through all of the code for all of the software that you use?

Are you even sure that, should there be anything suspicious in the code, that you would recognize it?

August 05, 2013

Browser versions less than 17 WERE exploited by this. It checks the version and if less than 17 redirects to content_1.html. Does anybody know the contents of that file?

Exactly, there is a lot of misinformation being spread on all official channels. Every expert review I've read so far specifically talks about version 17 being the only one targeted and affected. But that is clearly not the case if you read the code. Versions 0-16 inclusive are subjected to content_1 payload.

content_1, which nobody has seen so far, could have calls to content_4, 5, 6.. and do a lot more than just report the IP. I wonder why it was never obtained? And why is every news source trying to hide its existence? Can it not be obtained the same way content_2 and 3 were?

August 05, 2013

If my browser was safe but I had a separate instance of FF open elsewhere, can the malicious javascript bleed through and phone home to the FBI from there?

Can Javascript jump from one open browser to another or is that off the table?

- Just seeking clarification on all of the possibilities and I promise I'm only asking this once! -

In a correctly behaving browser, Javascript shouldn't be able to jump between browsers.

In a vulnerable browser, somebody could have written an exploit to take over your computer, and from there it could mess with any other running (or not yet running) applications.

Since malicious client side scripts have no direct access to the underlying filesystem or OS of the client, they can not be transmitted across browsers.

However, if you have malicious bookmarks or addons installed and voluntarily transfer them, perhaps in ignorance, then the other browser is also vulnerable.

And it depends if "malicious scripts installed" are at an OS level, or at a browser level. If something infects your OS, any application is vulnerable.

August 05, 2013

So, with an older version of TBB with JavaScript disabled and e.g. on Linux, a user would not be affected by this?

August 05, 2013

Did the TBB notify on the start page of an update if you were running Firefox ESR 17.0.6 when 17.0.7 was released?

August 05, 2013

Any knowledge as to whether EMET would have prevented the exploit from running? Nobody has talked about this but the enhanced mitigation features are useful under Windows and should be common practice.

August 09, 2013

In reply to arma

Would the exploit affect Unix-based operating systems or just windows?

August 05, 2013

I have to repeat the same message as a follower above:
On 30 July or 1 August I received this message as a sub-bar:

In order to implement a crucial fix, this update resets your HTTPS Everywhere rule preferences to their default values

What does it mean, should I be worried? It seems I use version 1.7.6 but with JavaScript off. The rest of the browser is in default mode. Did that "crucial fix" do something wrong? Is it known for sure that only JavaScript ON affected people and nothing else?

Did that bar pop up when you visited a known infected site? Or was it randomly some other time?

People know it affected us through Javascript, because specifically it was a Javascript attack when visiting those sites. Events happened in the order of

1. Visit infected site
2. Malicious Javascript code awaits you, it attempts to launch!
3. Blocked/Detected/Affected

Not sure about the crucial fix playing out on this stage. Seems unrelated.

Hey. I really can't remember when that sub-bar showed up, whether I was trying to access a site or suddenly while doing something else. Certainly this was in Tor, not in Mozilla, because I use Chrome for clearnet. I had c/p'd that message into Google and I can only find it on Twitter from an engineer computer guy. It amazes me that nobody else noticed this other than the fellow above. It appeared absolutely the same as it was rewritten by me now. Does Tor ever send sub-bars like that?
The thing is, I did nothing about that because I didn't even know what was happening at that moment, nobody knows. 30 or 1 Aug. Very strange.

All I want to know is if this was sent from Tor or because of this exploit. And if it is because of malware, should I be calm using 17.6 at that moment with JavaScript off and a pretty old TBB (2-3 months)? I am very "lucky" day by day.. it seems legit why almost only me received that....

No, I saw the same message a couple of days ago and I was prodding around FH to see what was going on but noscript was always on. Thing is, I updated my TBB today to 17.0.7 and the message reappeared after the second launch of TBB. It says "to implement a crucial fix https has reset to default rules" or similar. This is 64bit linux.

A few days ago I also had this bar showing up. IIRC it was displayed as soon as the browser started and visited the check.torproject.org page. I also made screenshots of this event.

Quoting the poster before me: all i want to know if this was sent from TOR or because of this exploit. and if is because of malware....

That is what I wish to know too. Was the message "In order to implement a crucial fix, this update resets your HTTPS Everywhere rule preferences to their default values" sent by Tor?

I was using the latest version of TBB at the time when I received the above "crucial fix" message but with JavaScript enabled.

What I did next was to delete the TBB, re-downloaded the TBB from Tor's official website and re-launched the Tor browser.

I also ran a complete scan of my PC using the latest anti-virus software.

For Tor developers and people who are interested in investigating further whether the website has been infected with the JavaScript exploit, please surf to http://sammyboy.com

That is the website that forced my Tor browser to reset HTTPS Everywhere set of rules.

I am the first person who posted the "HTTPS Everywhere" crucial fix message.

In answer to your questions:

1. Did that bar pop up when you visited a known infected site? Or was it randomly some other time? I am unable to answer this question as there is no way for me to tell whether the site that gave me the "crucial fix" error has been infected or not.

2. At the time I received the "crucial fix" message, I was already using the latest version of TBB but with JavaScript enabled.

I'm paranoid, so please, OP, respond. Was this message from the Tor browser or a tricky scheme of infected sites I visited?
Early this year I made $16 donations on every service I love, which is ad block, umusic and tor. I didn't expect this coming!!! Please respond to my inquiry.

August 07, 2013

In reply to arma

Why not make an official post reassuring people about the HTTPS-Everywhere pop-up in question. Many people, myself included, were/are obviously concerned. Wasn't that only reasonable and to be expected?

I'm using HTTPS Everywhere on two other browsers (one on Windows and one on Fedora) which are not being used for Tor browsing at all, and received the same message on both recently. Probably it was part of the last update of the extension.

I got that popup after getting the newest TOR bundle today. I disabled JS and all the other things and did not visit the infected sites on this new bundle. It's most likely unrelated.

Me too.. installed the new bundle, disabled JavaScript, visited only the hidden wiki and this blog. After a system restart and opening Tor I see the same message on my Firefox.

I also saw this message pop up. A little research reveals.

The latest tbb comes with HTTPS-Everywhere 3.2.2.
tbb has "update Add-ons automatically" selected by default so it gets updated to the latest version.

Latest version of HTTPS-Everywhere shows changes to code
https://gitweb.torproject.org/https-everywhere.git/blob/HEAD:/src/chrom…
In response to this ticket
https://trac.torproject.org/projects/tor/ticket/8776

It looks like this is normal behavior.

I got this message too! I'm not sure I was visiting an FH site at the time.

Was the update official or was it an attack? I even clicked it. I use FF 17.0.7 ESR on Win7 64bit.

As a translator of HTTPS Everywhere, I have seen and translated that very string, so it is an official part of the HTTPS Everywhere extension. It is not related to any exploit. It is not put there by any website one visited.

August 05, 2013

Sorry if this has been asked already, but I only downloaded the Tor Browser Bundle a few days ago, so I presume I had the latest browser version, 17.07. I just checked, and Javascript was enabled.
For non-Tor browsing, I use Firefox 22.0. Am I safe from this exploit?

August 05, 2013

So my Kaspersky marked malware in this file "C:\Documents and Settings\-name-\AppData\LocalLow\Sun\Java\Deployment\cache\6.0\22" and even labeled it "exploit". Is this the same exploit?

August 05, 2013

Would running Tails with Iceweasel 17.0.7 in VM within windows be safe from the attack as well?

August 07, 2013

In reply to arma

Anon: "Would running Tails with Iceweasel 17.0.7 in VM within windows be safe from the attack as well?"

arma: "Yes. Even safer than on normal Windows."

Huh? Run Tails on Windows? How is that even possible /other/ than within a VM?

arma

August 05, 2013

In reply to Anonymous

Not that I'm saying it's wrong, but I'd like more details than "somebody knows somebody else who has some database that said this netblock was once the NSA's".

August 05, 2013

In reply to arma

domaintools.com shows the exploiter's server IP (65.222.202.53) belongs to the government contractor SAIC. They do work with NSA but also many other government agencies (source: I used to work for them!). The link in that article to the robtex.com page (pop.robtex.com/nsa.gov.html#records) doesn't seem to include that IP. So I can't see how they know it's been "assigned" to NSA. But that it's linked to SAIC means it likely is some kind of U.S. government project.

August 05, 2013

Can Torproject please fix the check.torproject.org page that incorrectly informs users of 10.0.12 they are up to date? People who rely on that version check won't know to update.

August 05, 2013

I last used Tor in early May, never did anything illegal but I probably visited a FH site if the whole 50% of the sites are hosted by FH is true. Have you got any ideas/guesses on a time frame for the attack?

Time frame was "a few days ago".

Also, the notion that half the hidden services were hosted by FH is likely bunk. Of course, they're hidden so it's hard to produce a concrete number.

August 07, 2013

In reply to arma

Of all the sites hosted by Freedom Hosting, how many were/are dedicated to scabrous material involving underage subjects?

August 05, 2013

This TOR exploit thingy. It supposedly gets your ip but what if you're on a home network behind a router? Will it grab the ip of your computer on that network, like 192.168.x.x?

It grabs your hostname (e.g. "John's PC"), your MAC address (the local hardware address), and then it sends those plus a unique number to the remote website. It's that last step where the attacker can learn your public IP address -- and where a firewall sure would be helpful, to block outgoing non-Tor connections (like how Tails does it).

August 05, 2013

In reply to arma

The firewall wouldn't help with this exploit, because the malicious assembly code executes within the TorBrowser process space (the firewall would think it's the tor browser and let it through).

August 05, 2013

In reply to arma

Is it another process (vidalia?) that actually makes the internet connection? If so, yes a firewall blocking tor browser outbound would be a really good idea. I was assuming Tor Browser itself makes the connection.

August 05, 2013

In reply to arma

So to prevent future exploits of this type, could torproject maybe show downloaders how to set the Windows firewall properly to block all outgoing connections (it allows all by default) except allow tor.exe and the user's other trusted programs? And mention if a window ever pops up to allow tbb-firefox.exe to connect outbound (i.e. some exploit is running) to always deny it? Users who understand that would pretty much be safe from any future exploits like this, I'd think.

Maybe? We're all bad with Windows, so it would be great if somebody would volunteer to work on this.

(The other answer is to run Tails in a VM on Windows, if you really need to be running Windows in the first place.)
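The outbound-blocking setup asked about above, written out as an added example; it is not Tor Project code and not from any commenter. It uses netsh (present on Windows 7 and later), must run from an elevated prompt, and the bundle paths are assumptions to be replaced with your real install location; since Windows Firewall does not filter loopback traffic, the browser can still reach tor's SOCKS port on 127.0.0.1 while being denied any direct route out.

```powershell
# Added example (not Tor Project code): restrict Windows Firewall so that only
# tor.exe may open outbound connections, and tbb-firefox.exe is explicitly denied.
# Run from an elevated (Administrator) PowerShell prompt.
# The three paths below are assumptions; point them at your own bundle first.
$TbbRoot    = 'C:\Tor Browser'                                   # assumed install dir
$TorExe     = Join-Path $TbbRoot 'App\tor.exe'                    # assumed path
$BrowserExe = Join-Path $TbbRoot 'App\Firefox\tbb-firefox.exe'    # assumed path

foreach ($p in @($TorExe, $BrowserExe)) {
    if (-not (Test-Path $p)) {
        throw "Not found: $p (fix the paths at the top of this script)"
    }
}

# 1. Default policy for every profile: block inbound AND outbound.
#    Note: every other program on the box now needs its own allow rule
#    (Windows Update, your mail client, ...), exactly as the comment above says.
netsh advfirewall set allprofiles firewallpolicy blockinbound,blockoutbound

# 2. tor.exe is the one process that should talk to the network.
netsh advfirewall firewall add rule name="TBB allow tor.exe outbound" `
    dir=out action=allow program="$TorExe" enable=yes profile=any

# 3. Explicit block for the browser process. Redundant under default-block, but an
#    explicit block rule takes precedence over any allow rule something else adds
#    later, and per-program matching is all the firewall can do here: it cannot
#    tell injected code inside tbb-firefox.exe from the browser itself, so the
#    only safe answer is that the browser process never gets a direct route out.
netsh advfirewall firewall add rule name="TBB block tbb-firefox.exe outbound" `
    dir=out action=block program="$BrowserExe" enable=yes profile=any

# 4. Check the result: policy should read BlockInbound,BlockOutbound and both
#    rules should be listed as Enabled: Yes.
netsh advfirewall show allprofiles | Select-String 'Firewall Policy'
netsh advfirewall firewall show rule name="TBB allow tor.exe outbound"
netsh advfirewall firewall show rule name="TBB block tbb-firefox.exe outbound"
```

To undo, delete the two rules by name with `netsh advfirewall firewall delete rule name=...` and restore the policy with `netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound`.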

August 05, 2013

In reply to arma

Wait, how does it get your ip from the hostname, MAC and the unique number?

August 05, 2013

Hi,
Once again sorry for being redundant, but I thought I would ask a broader question hoping that it would answer a lot of questions.

If someone had Windows 7, Tor Browser Bundle 2.3.25.10 with Firefox 17.0.7 ESR, but NoScript set to "Allow ALL globally", would my MAC address and IP address have been revealed by this "iFrame picture" exploit?

Also, is the MAC address that is revealed my MOTHERBOARD'S network jack address OR my internet service provider (ISP)'s router modem?

Thanks

No, the exploit was fixed in 17.0.7. (And for those with earlier versions who were exploited, the MAC address would be your computer network adapter's).

17.0.7 means this exploit won't work, full stop.

As for which mac address, if I'm reading the exploit right, it is your first local address -- so if your Internet connection is through an ethernet connection on your motherboard, it's probably that.

August 05, 2013

One question .. I have the ESR version 17.0.7 I installed on June 26, but I don't have the alpha version 3, I have tor 0.2.3.25, and I visited pages of Freedom Host (with JavaScript disabled globally). Yesterday I visited Tormail, and I saw the message "Sorry Close for maintenece" (with JavaScript disabled globally). Does that mean the exploit worked? Or am I at risk? Please help - thanks in advance

People these days are really fascinating, they seem to work like this: Don't want to invest (time for reading) anything but want to get (a prompt personal answer on a silver dish) everything - I CAN HAS PLZ???

August 05, 2013

arma, thanks for all your updates and comments, even if it's "we don't know." Frequent communication is always good!

August 05, 2013

So if one had turned off JavaScript on one's pre-v17 browser, that would have stopped the exploit from executing?

August 05, 2013

Do we know 17.0.7 actually blocks this? Has somebody tested it against this particular exploit? I know as a programmer myself we like to indicate a bug is "fixed" but it really needs to be tested by others.

August 05, 2013

Why do people keep saying Firefox ESR 17.0.7 is not affected?

Firefox ESR 17.0.7 [3] is not affected; notice the 3.

August 05, 2013

Any law experts around? Assuming this illegal exploit worked, what could they do with the IP list? Is a couple random visits to FH sites (like, exploring hidden wiki links) enough to warrant raids? Just wondering what exactly was the purpose of this illegal exploit, because clearly not all affected are guilty, even if they did visit some of the illegal sites once or twice by mistake or due to curiosity. A raid on them would destroy their lives nevertheless.

Can this list be used against international citizens? Would international agencies accept tips obtained this way? How can the list of addresses be used as evidence, if external, malicious executable code ran on the target PC's, one could easily argue that a version of this code could entrap people by opening illegal sites in the TOR browser. The code did change multiple times, did it not? And parts of it are not yet obtained.

Isn't the entire premise of this attack - pointless? Apart from branding all TOR users as molesters in the news due to sensationalist titles of course, so that people stop using it and the NSA/CIA/FBI has an easier task to play the Big Brother on everyone.

I am positive that this exploit is a small part of an overarching federal project. The NSA are doing the fishing in order to be able to connect the dots at a later date. It is unlikely that raids will result from this particular attack, as this exploit involves thousands of fished IPs. They are looking for a couple hundred big fish, not thousands of small fish.

August 05, 2013

With respect to this PARTICULAR attack, is there any reason to think that it did not affect Windows computers running Firefox versions BELOW 17 ?

Thank you.

All versions under 17 were in fact subjected to another piece of malicious code contained in a page called content_1.html. Apparently nobody knows what was in it, because it was never obtained. Because the code did not exit but loaded this page, one has to assume another version of this, or another exploit was indeed executed on Firefox versions below 17. Therefore all the news and security reports that specifically claim this attack targeted version 17 only, are wrong.

August 05, 2013

I use Request Policy with TBB, while NoScript is run in default Global JS On mode. Would Request Policy block this attack?

Thanks

Good question, but I think maybe no, since it's being served from the domain you're visiting? Or maybe Request Policy handled iframes differently than the main page? Somebody would need to investigate.

August 05, 2013

For those of us just hearing about Tor for the first time, help me understand this in non computer tech terms.....what span of time did this attack occur? And if someone used Tor Bundle on windows during this time frame but had that little S in the top left corner clicked so a circle with a line was through it, are they still at risk? Or did that turn off their script stuff? Sorry

The presumable owner of Freedom Host was arrested July 29th and the malicious code was first noticed on August 4th. If you have the little "S" with a red slash through it, it is blocking scripts from executing and you are highly unlikely to have been affected.

August 05, 2013

When 2.3.25-10 was released, were 2.3.25-9 browser bundles displaying that an update was available on the Tor check page within a time period of 1 week after the -10 release? I'm not very clear on this.

August 05, 2013

How can you tell if the malicious software has been installed on your computer?

August 05, 2013

I have noticed quite a few write ups in the press that state that Tor's reputation is badly damaged and I regret to say I agree. While the TBB may have made it easier for people to use Tor (a good thing) it has also made Tor into one big honeypot. I don't think that prior to TBB a hack like this would have been worth the FBI's time because there were so many different set-ups that writing the exploit to catch a decent number of IPs would have been a nightmare. By standardizing entry to Tor TBB changed the payout for a hack and thus the risk/reward ratio for the hacker.

Really? I admit I'm still not a huge fan of shipping a browser, but I think the alternative is clearly worse.

The situation before TBB was that Tor users had basically no chance to secure themselves against a wide array of known attacks at the browser level.

At least in this case we learned about the issue, and put out a patch that users could upgrade to, more than a month before it was exploited.

Take a look through
https://decvnxytmk.oedi.net/torbutton/en/design/index.html.en
and
https://decvnxytmk.oedi.net/projects/torbrowser/design/
and ask yourself if more than a very few of our users could have gotten things right on their own?

If we lived in a world where there existed a mainstream browser (Firefox, Chrome, Safari, IE, something) that actually addressed these application-level privacy attacks, I think this would be a worthwhile discussion to have. But see:
https://gitweb.torproject.org/torbrowser.git/tree/maint-2.4:/src/curren…
and
https://vbdvexcmqi.oedi.net/blog/google-chrome-incognito-mode-tor-and-f…

And currently Firefox and Chrome don't care to accept the patches. That sure would be nice to fix.

August 06, 2013

In reply to arma

https://twitter.com/BrendanEich/status/364265592112414720

In any event, you and I agree on the fundamentals. It's simply that prior to this hack the downsides of the TBB were mostly theoretical. Now they are real. To pretend that this doesn't impact the psychology of the average (i.e., non-sophisticated) Tor user is to be in denial of reality.

While I think integrating FF and Tor would be an improvement, it doesn't address the underlying problem: to wit, that a TBB enables unsophisticated users to get in over their heads. While one can argue that's their problem, when I weigh the alternatives I do not see any of them as "clearly" superior. I see them as all equally bad.

August 05, 2013

I'm afraid you are wrong about 17.0.7 being "safe" from the NSA attack. I am, and have been, running it for some time now.

A few days ago I was prompted for both a JAVA and a Flash update ... which I allowed. (Probably Unrelated, Huh).

Coincidentally, I realized later that day, that 94% of all of the Onion Hidden Service Sites had simply disappeared ... Took an entire day but I checked EVERY single one.

Whatever it was has also Killed my Relay setup entirely ... I've had to uninstall IT and even Reinstall my "client-only" 17.0.7 just to get the god-damned thing to stop crashing.

Perhaps worse than that, every time I attempt to access certain of the now defunct .onion addresses, INCLUDING TOR MAIL ...TOR goes semi-transparent, turns white and CRASHES, with a burst of activity on the bandwidth graph and a warning that TOR is not responding and is no longer connected ... WTF ?!?!?! ... So now I suppose I have to wonder if the NSA Vaporware is STILL on my computer ???

NOT TO PUT TOO FINE A POINT ON THE THING .... BUT: Are you folks Idiots or just Morons ?

The GDMF#*&^%$*^$% NSA hasn't just attacked a few perverts, drug and porn sites ... They have launched a totally successful and MASSIVE STRIKE against our entire command, control and communications infrastructure. In case you haven't noticed, That's called WAR.

The Most Serious Disappearance is that of TORMAIL's hidden service at http://jhiwjjlqpyawmpjx.onion/ and it seems that

TOR MAIL IS GONE ... leaving about a squillion people with impending losses of BILLIONS of bucks, NO secure communications And wondering if "just maybe" they're suddenly on the fast track to a Fema Camp ... WHY, in the living hell isn't anyone talking about THAT !!! ??? ... and why in the living hell haven't YOU or someone ELSE put a backup TORMAIL SERVER in place ... and why isn't it UP RIGHT NOW ???

I really need you guys to STFU, quit with the polite "conversation" and DO SOMETHING ABOUT IT.

TemplarKnight@tormail.org ... Oh, that's right ... I don't exist anymore.

A) "94% of all of the Onion Hidden Service Sites had simply disappeared" -- where is your statistic from? I guess you have some list that you think is the entirety of the Tor hidden service list, and not many of those are reachable for you? But at the same time, it sounds like your computer is broken in all sorts of ways? Sounds like you might want a reinstall, and maybe with a safer operating system.

B) "why [...] haven't YOU [...] put a backup TORMAIL SERVER in place" -- I am sorry to inform you that Tormail has nothing to do with Tor. They just took our name to try to trick people into thinking they were legitimate. And then they did a good enough job at never being reachable when we tried to contact them about it. We were exploring the process of asking ICANN to cancel their domain name, but 1) that's not very nice, and 2) it's not clear to me that it would really have done much anyway.

August 07, 2013

In reply to arma

A) Computer is just fine and I did a reinstall of TOR and HTTPS Everywhere, and the problem went away.

YES, I went through SIX lists and I do realize that they did not encompass the entirety of the Onion HS sites, but I have been doing this for several months on a weekly basis and my estimate is fairly accurate.

B) YES, I know that TOR has nothing to do with TorMail ...However:

The fact of the matter is that TOR Mail did work well enough that it became the accepted standard for secure email communications in the world.

With the known death of Freedom Hosting and the catastrophic (and permanent) demise of Tor Mail, it is incumbent upon some TRUSTWORTHY organization to reincarnate Tor Mail as quickly as possible and there is no reason that TOR couldn't run its own hidden service in this regard.

That Trustworthy organization ... MUST BE TOR ITSELF.

There is NO OTHER anonymous email service in existence that can take its place and there is NO service provider OTHER THAN TOR that will be TRUSTED to carry on the name, particularly since, should TORMAIL suddenly reappear on the Onion network, it will be assumed (correctly) to be controlled by the NSA and FBI.

TOR will never be compromised by the Intelligence Mega-plex, simply because they use it themselves ... a fact recently illustrated by the effective destruction of much of the Dot-Onion network NOT associated with TOR itself.

You can accomplish this in less than Two Weeks ... Kindly Consider Doing So.

That is correct. Tor has not and will not be compromised as long as big corporations, businesses and government agencies use it. I feel safe enough using Tor Browser Bundle by itself with scripts disabled.

August 05, 2013

The update warning was the blinking yellow triangle?

I can't check the version I used right now because I am on vacation. But I think I didn't have any update warnings (no yellow triangle). I think I downloaded Tor within the dates in the advisory, but I'm not sure.

Thank you.

The blinking yellow triangle is a new feature, in more recent TBBs.

The main update warning is the homepage of TBB saying in big letters "There is a security update available for the Tor Browser Bundle. Click here to go to the download page"

August 05, 2013

I'm running 17.0.7, and have NoScript set to block all scripts, but did get a crash in Tor when visiting a possibly infected site on August 3rd. Is there any way that the exploit could still have run, as the advisory states that "the attack appears to collect the hostname and MAC address of the victim computer, send that to a remote webserver over a non-Tor connection, and then crash or exit."

The exploit does attempt to run on 17.0.7 (it checks for any version above 17.0 and less than 18.0). Its effects on 17.0.7, which supposedly fixed the vulnerability it uses, are unknown until somebody can step through the source while it's running the exploit and see what it does exactly.
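A small triage helper, added here as an example and not code from the Tor Project or the advisory: it encodes the version gate described in the reply above (Firefox 17.x, read here as at or above 17.0 and below 18.0) and the fix version 17.0.7 ESR, and compares versions component by component, which matters because "17.0.10" sorts below "17.0.7" as a plain string.

```python
"""Version triage for the 2013 Tor Browser Bundle advisory (added example,
not Tor Project code).

The reply above says the exploit's JavaScript selects browsers whose
Firefox version is in the 17.x series and that the bug was fixed in
Firefox 17.0.7 ESR. The lower bound being inclusive is an assumption made
here. Versions are compared as integer tuples, never as strings.
"""
from __future__ import annotations

import re
from typing import Tuple

Version = Tuple[int, ...]

# Range the exploit is reported to select for (from the comment thread).
TARGET_LOW: Version = (17, 0)
TARGET_HIGH: Version = (18, 0)
# First Firefox ESR release that contains the fix (from the advisory).
FIXED_IN: Version = (17, 0, 7)

_VERSION_RE = re.compile(r"^\d+(?:\.\d+)*$")


def parse_version(text: str) -> Version:
    """Turn '17.0.7' into (17, 0, 7). Rejects anything but dotted digits."""
    text = text.strip()
    if not _VERSION_RE.match(text):
        raise ValueError(f"not a dotted version string: {text!r}")
    return tuple(int(part) for part in text.split("."))


def _pad(v: Version, n: int) -> Version:
    """Right-pad with zeros so 17.0 and 17.0.0 compare equal."""
    return v + (0,) * (n - len(v))


def compare(a: Version, b: Version) -> int:
    """Return -1, 0 or 1 for a < b, a == b, a > b."""
    n = max(len(a), len(b))
    a, b = _pad(a, n), _pad(b, n)
    return (a > b) - (a < b)


def exploit_targets(version_text: str) -> bool:
    """True if the exploit's reported version gate would fire for this version."""
    v = parse_version(version_text)
    return compare(v, TARGET_LOW) >= 0 and compare(v, TARGET_HIGH) < 0


def is_patched(version_text: str) -> bool:
    """True if the version already contains the Firefox 17.0.7 ESR fix."""
    return compare(parse_version(version_text), FIXED_IN) >= 0


def triage(version_text: str) -> str:
    """Plain-language verdict for a given Firefox version string."""
    if not exploit_targets(version_text):
        return "outside the exploit's version gate"
    if is_patched(version_text):
        return "targeted by the gate but patched (exploit attempt should fail)"
    return "vulnerable: update the bundle"


if __name__ == "__main__":
    for v in ("17.0.6", "17.0.7", "17.0.10", "18.0", "10.0.12"):
        print(f"{v:>8}: {triage(v)}")
    # Why plain string comparison is not good enough:
    print("'17.0.10' < '17.0.7' as strings:", "17.0.10" < "17.0.7")  # True, wrong
    print("parsed comparison:", compare(parse_version("17.0.10"),
                                        parse_version("17.0.7")))  # 1
```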

I need to report that five customers and counting have similar issues with tor-browser:
1. They had tor-browser crashes and Windows reboots reported in early July. Why assume it is unrelated to the attacks in late July? All of these systems had up-to-date browsers with the most secure settings (scripts etc.), at least 17.0.7.

2. All show that, after the Windows OS rebooted, MS was eager to send you a possible fix. If you report the error (checked MS's server), it records your IP address along with a serial number. Is MS involved in this matter? Why not? Remember, the FEDS have full access, and they are the good guys.

3. Some/All show there were automatic SSL certificate updates prior to the browser crash? All via MS.

4. It is a fact that the FEDS have been logging the tor-browser downloads via MS IE. They know who might be using the tor browser, based on the Metadata gathered, and the OS used as well.

5. Some/All of my customers had unexplained AV services stopped errors prior to the event. None of them had this problem prior to using the tor-browser (back one year or more). All used the browser for the first time very recently, because of the Snowden leaks. They didn’t know what TOR was before that.

This might be a pattern.

August 06, 2013

Dear FBI, I hijacked your exploit and started loading CP sites through Tor; each time I had the exploit code delivered, but firewall rules and other mitigation techniques prevented it from phoning home. Simultaneously with this I injected your exploit into users' traffic through their clearnet exit nodes, framing them for viewing the CP. I did this a great many times, always taking care to clear cookies and use a new circuit to your compromised hidden services. I started doing this almost as soon as I recognized what was going on, and it has added what I imagine must be significant noise to your database of suspected pedophiles.

Sneaky. If you didn't want to beat the "but exit relays can be bad" horse, you could instead (in this hypothetical world we're talking about) have bought some google adwords that included an image link to the .onion address -- non-Tor users would fail to load it (and not notice), whereas Tor users would autoload it (and also not notice).

Sure, and the manipulative mind games continue. It is typical behavior for suspects to try and say they were trying to catch a predator, a very common ploy to try to push the blame from themselves, because the individual built his own little world inside his head and therefore blatantly disregards the actual reality of his or her own actions in an attempt to cover his or her own actions.

Fact, many FBI or alike agents that work with cp all day end up with problems, and many of them end up getting caught with possession of cp!

August 06, 2013

I would just like to clarify that I run multiple exit nodes, they are not part of a family and I will not name them. My exit nodes carry traffic for a great many Tor users every day, and I have randomly exposed them to your exploit during the duration of your operation. I am not going to reveal the exact way in which I did this, but suffice to say I have seriously contaminated your database of harvested IP addresses. That said I would also like to warn all users of Tor that you are very possibly in the database of the FBI even if you never loaded a child porn hidden service. I did this in order to confound their operation and provide plausible deniability to all targeted Tor users. I apologize in advance if the FBI kicks your doors down, but perhaps after they realize a great many of their targets are in fact not involved with CP, they will realize that their operation was a failure.

August 06, 2013

If someone was always using the then most current version of TBB, would they have been at risk on any day?

Not from this exploit as we understand it to have been deployed.

But it's unclear who learned about this exploit first -- certainly back in June when Mozilla were looking at how to fix it, the vulnerability existed. (Mozilla's bug report is sekrit so we don't know the history of the report and fix.)

So, "no but yes".

August 10, 2013

In reply to arma

My understanding of the exploit is that the TBB would crash after the exploit code ran. If a user was attempting to connect to an exploited site, the browser would crash, preventing them from 'perusing' the site.

Is my understanding correct?

August 06, 2013

Hi.

I used the latest (ie "fixed") Tor bundle. JS was disabled in the FF options.

But I once got this notification in the bottom bar from HTTPS Everywhere:

In order to implement a crucial fix, this update resets your HTTPS Everywhere

Is this related to the attack? Was my IP compromised?

Thanks for your help.

August 06, 2013

As a user of Tormail, is there any way to find out if my real IP information has leaked out? Freedom of information request to the FBI? The real problem with this is that if your IP/machine name has been captured, the FBI can know, with a simple request to the ISP, who we are. Name, address, bank account and any other info that they have.
We have been royally shafted.

August 06, 2013

I've installed package 'tor-0.2.3.25-1702.fc17' under Fedora 17...

It's not mentioned in the above list, but 1702 seems higher than 10, right?

I'd check with your distribution (that's no rpm we've ever made).

And while 1702 does sound higher than 10, it also sounds lower than 1707. I'd be worried.

August 06, 2013

A few questions for arma, if they'd be so kind as to answer:
- I think I downloaded my TOR mid-late June/early July, am I vulnerable?
- I only ever went to websites and clicked on pictures, can I still have had my IP traced?

August 06, 2013

Unfortunately I have missed the update and used 17.0.6. But I have the script blocker activated and usually no script is carried out. Is there a risk that this attack can overcome this mechanism? I remember (maybe I'm wrong) that at some point I saw the n_serv cookie in the cookie menu in the Tor browser. But I think cookies can be received without having script enabled.

If you really saw the n_serv cookie, that's it, game over.
Because:
v17.0.6->JS enabled->store n_serv cookie->shellcode execution->Your hostname/IP/MAC data goes to LEA
v17.0.6->JS disabled->NO n_serv cookie->NO shellcode execution->NO data travels to LEA

Wouldn't the cookie expire after 30 mins like the code suggests? So even if you didn't see it, you could have had it at some point, right? Reloading pages would refresh it in theory, but it could still be overlooked.

I also saw one cookie, under Torbutton cookie protections, but it was maybe 2 or 3 weeks ago. I was checking everything in settings and so I saw one cookie there and I removed it. But... I was FOR SURE using 17.0.7, the latest 2.3.25-10 release, when this happened; I have been using that since it was available. I know that for sure from the file modified date of when I extracted it and checked the version.

Is it normal for there ever to be a cookie under the Torbutton cookie protections? In the fixed version does the exploit only make the cookie but not send it?

August 06, 2013

I have two questions for arma:
- If I downloaded my browser mid-late June, early July, would I still be vulnerable?
- If I only ever visited hidden service addresses, and only ever clicked on images on those sites, would I still be vulnerable?

August 06, 2013

You should obviously have Javascript disabled by default in Tor browser.
I thought Security > Functionality was the obvious priority for Tor browser.

August 06, 2013

Does anyone know when the freedom hosting sites were infected?

I know that the time frame was a few days ago, but I wasn't sure if there had been any developments.

August 06, 2013

What to do if you think you were hacked by the LEA
Time for DAMAGE LIMITATION advice - I suggest add any advice you have and post wide and far!

So the LEA have got 1000's of MAC codes and IP addresses of PCs that visited onion sites that contain illegal material. It will take time to process all that information and get court orders for addresses of IPs etc - so I should think everyone who was compromised has at least a week before their door is busted down and all their computer equipment seized. Probably months. USE THAT TIME WISELY

First, your IP address by itself is not worth much as evidence - could have come from someone using your WiFi or a visitor to your house. The MAC address is more compromising - your PC is the only one in the World with that MAC address and proves that the site access came from that particular PC. So first, change your PC and don't keep that one in your house. If you use a network card or network USB dongle on that PC, get rid of those also (they have unique MAC addresses).

Deleted files can be recovered. If you have *ever* had illegal material on your HDD, get rid of that HDD or, if you know what you are doing, wipe it. Any compromising files you *really* want to keep, copy to an encrypted container on a new, separate HDD (e.g. Truecrypt), unless your country can force you to give up the key (e.g. the UK).

The raid will still happen, but if the computer with the compromised MAC is not found and there is no illegal material found, there is no case against you and you will eventually get all your stuff back with no action taken (though it will probably take a year or so).

Finally and most importantly, if you are questioned by LEA, there is only one answer you MUST give to *every single* question. "NO COMMENT". Do not believe anyone who tells you that saying anything different will be better. It won't.

Nobody is going to get busted because he attempted to visit the front page of some kinky website. FBI is most likely going to distribute the collected list of IPs to local police departments for further surveillance. You will receive your knock years later and nobody is going to even mention this TorSploit then.

Agree, this is the most likely course of action here. If you think you were infected, disposing of the PC and evidence won't help you. You need to change your habits and be very careful what you say or do online and IRL from now till... forever.

I disagree. It is sufficient to get a search warrant, same as happened with the Landslide bust. The LEA then hope to find a good percentage who have illegal material on their PCs - which is what they prosecute over. If you are right but take the precaution you have lost very little except time, if you are wrong and don't take the precaution it could be a life-changing event.

Contrary to what you say, I cannot see that any LEA is going to spend the resources on setting up years of surveillance on the probably thousands of households who were caught by the sting.

But in Landslide the feds had records of what the customers purchased and downloaded. Here all they know is the person went to the website, but not what they downloaded or looked at. It would seem similar to "this person was observed leaving a house of a known drug dealer." Is that probable cause to search that person's vehicle or house? Reasonable suspicion to stop and question them maybe, but enough probable cause to get a search warrant?

>>but enough probable cause to get a search warrant?

I would suggest yes. If they know (for instance) that you accessed a cp site, that would be a strong suggestion that you would have cp on your computer (after all, why would you be accessing the cp website if not to get cp?). Present that to a judge and I can't see any reason why a warrant/order wouldn't be issued.

According to Wikipedia, a Federal investigation into Texas-based Landslide Productions yielded a user database with 300,00 names, of which 35,000 were U.S. residents. Of the 35,000, a portion were selected to receive invitations to purchase illegal material by mail. The results of this subsequent sting yielded 144 search warrants and 100 arrests. Note that the DOJ did not seek warrants based on the mere presence of names in the subscriber database, but only after the subsequent sting operated by ICAC and USPIS.

It would seem that an IP and MAC address are slight evidence when compared with the credit card and business records found in the Landslide investigations.

I think this server-side hack would be illegal so the FBI couldn't use it as a basis for anything. It would be like the FBI installing a hidden camera inside a suspected drug dealer's house to record everybody who entered, without a warrant. (On the other hand, is this exploit something a U.S. court could authorize? I'm not a lawyer).

I am a US lawyer (at least by education and historical avocation). First, forget the FBI if the server was outside the US. The NSA can (and does) intercept all international traffic. That's its legitimate job. Outside the US, you don't have any US constitutional protections; that's what international borders are about. We have a constitution in our country (the US), but outside the US different countries are organized under different rules. And, international communications are essentially subject to no rules.

It gets worse. Since the NSA can gather whatever it wants outside the US (German Enigma and Japanese JN-25 codes during WWII, Russian codes for traffic between the US and Moscow under project Venona, Russian codes generally under Project TICOM, etc.), it can do whatever it wants with the information, including giving it to the FBI. If they give information lawfully collected in an international communication to the FBI, the FBI can use it against you. Why would they need a warrant?

Earlier in this thread somebody mentioned WiFi. Are you nuts? Anything you put out using WiFi or other frequencies of the electromagnetic spectrum - including use of your cell phone and its geolocation - is fair game. While the FBI or NSA might go to the FISA court (you'll never know) for a warrant just to be sure, I can make a very strong argument that they don't have to, and shouldn't be required to.

The long-standing principle is that "the airwaves belong to the people" (codified in the Communications Act of 1934). And, you may remember a famous speech in US history about our government being "of the people, by the people, and for the people."

Thus, the government "of the people" should be able to listen to anything on the airwaves they own. [I oppose the legislation that prohibits ordinary citizens from listening to cell phone conversations on scanners. Sounds strange, huh?] If "the people" - which includes the government - cannot listen to WiFi (BTW: Every version of Fedora ships with an application that hacks it.) or the government is required to get a warrant (that is, conditional permission) to listen to your cell phone conversations, it is a very short step to general prohibitions on citizens listening to the BBC or programs the government determines might include information that is "dangerous" or potentially valuable to terrorists.

This is very different from breaking into the house of a suspect to install a surveillance device. That does require a warrant because the Fourth Amendment protects "the right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures" without a warrant. An off-shore server is not the "house, papers or effects" of a US citizen or a citizen then-subject to US law. (Try moving to Russia and setting up a server hosting comments critical of Vladimir Putin. See how far your protest for a US warrant gets you.)

Gnovalis

August 06, 2013

Hi Arma,
Thanks for your replies.
You are amazing for replying so quickly in these trying times for privacy and anonymity.

Has TOR thought of adopting more advanced header analysis and an inbuilt firewall system, that will actively parse and analyze for hack attempts?

Have you thought of upgrading the TOR Browser bundle so that it will act also as a comprehensive firewall like Comodo firewall?

ALSO is TOR safe from ICMP and IGMP exploits???

TOR does NOT protect you from IGMP or ICMP!
You need to block this in your firewall!
If there is an IGMP hack someday, even with TOR you are busted!

August 06, 2013

Does this mean that if we have a Tormail email account our emails can now be read? Will Tor mail ever be back?

You have to assume that all emails on Tormail are now in the hands of LEA. It could have been the primary target and the whole sloppy CP bust exploit could be just a cover-up. If that's the case, it worked perfectly. Nobody talks about Tormail - the real issue here - but everyone talks about a few busted pedos.

"Busted the biggest hoster of CP on the planet?" Bullshit, FH didn't host much, the biggest onion CP hosting site is still up and running and most of the CP allegedly hosted on FH was just links to files hosted on clearnet hosts, such as rapidshare, sendspace, mega... these are the biggest CP hosters in the world.

What they really busted is Tormail, used by whistleblowers and activists. That's the real story here! They want to get to those who are anti-government and pro-people, like Wikileaks supporters. Taking down a few CP sites that only had links and have already been partially restored on safe servers is just a media attention catcher.

Yes the primary target of the NSA was tormail. This cannot be repeated enough! The purpose of that is to collect data on as many whistle blowers/leaks as possible. Of course there is the chance to find out lots of other potentially useful info that could come from nation actors of every nation who might happen to use tormail.

The secondary target was fear. They have aimed for some time (though using various stories of busts where TOR was not actually the determining factor) to scare people away from TOR and any other anonymous network. Projects like TOR are quite useful to their own people (and probably even more useful to the CIA) yet to them it is extremely dangerous in the hands of the average citizen (or a whistle-blower). Their position/mentality is that they should maintain total control while TOR is an obstacle to this end.

With this operation - they have achieved both major goals. Going after pedophiles is not and never was the NSA's mission. Much like the MPAA/RIAA - they do not care one bit about CP right up to the point it becomes useful to them as a cover to do whatever they want.

Just so everyone is clear - TOR isn't bulletproof but TOR works... and it is for this reason that the NSA would very much like you to believe otherwise.

Everybody talks about NSA, FBI and CP, when in fact it could be anybody. The U.S. intelligence community (I.C.) has a company, In-Q-Tel in Reston, Va. It is a venture capital company that funds start-up technology companies developing technology of value to intelligence gathering. Two things to keep in mind:

1. In-Q-Tel is NOT the only company in the venture capital world that invests in the information technology surveillance space. There are plenty of others.

2. I know this is hard to believe, but start-up enterprises desperate for sales are not terribly discerning about who their customers are. They'll basically sell their products to anybody - in government or the private sector - who has the money.

[There are private companies that will geolocate your cell phone for anybody with the money. They index every word you write and develop "personality profiles" on you that they'll sell to anybody (like 90% of hiring managers). If you have a Facebook account, why would you ever use Tor? You've already prostituted your mind to innumerable Johns.]

Tor mail was the target. I used it to communicate with my daughter studying last semester in ROK during the tension with PDRK. ROK censors the Internet, and censors the news. Except for information she received from me (some of which was classified and identified as such with instructions not to distribute it further), she knew very little. The international student organization that sponsored her study there was also kept apprised (with the classified intel left out).

[For those who are curious, no, the PDRK does not have any deliverable nuclear weapons, China is working very closely with the U.S. (closer than you could ever imagine), and Russia has essentially broken diplomatic relations with PDRK. There were a few hairy days. But, fortunately, they passed uneventfully.]

[BTW: I also use Tor mail to communicate with a troubled youth who does not want to be found. It would be nice to be able to confirm that she is safe.]

So, I am less worried about NSA than KCIA, which I'm sure has access to the same software and the same information. KCIA will want to get me, again. [Can't tell you about the first time. It's still classified.] Then there's the Chinese, the Libyans (also pissed at me for reasons I can't discuss), and my dear friends at Mossad. Show up at my door, you'd better be well-armed. I don't have visitors. Ever.

My NCIC is "unavailable," I can't get a passport, I can't get a job (if FBI won't acknowledge that you exist, you are unemployable), my $90K Jaguar disappeared (according to the insurance company, there was no record of it having been titled or registered in any jurisdiction, and no documentation that it was lawfully imported). As I recommended in an earlier message, if you are going to play in exciting games, know how the FBI "triple threat" surveillance program works IN ADVANCE. What I've described is the "managed aggression" component.

NSA and FBI would likely ignore my tor mail message traffic. But, KCIA will be pissed and demand that FBI turn up the heat again. I expect them any time. But, NSA, DEA, FBI, CIA are not my primary concerns. I have nothing to do with CP; wouldn't know where to find it (because I haven't made any effort to look). As for DEA, I used to hold a DEA registration, and I purchase all of my controlled substances legally.

The loss of tor mail is tragic. It does have legitimate uses.
Gnovalis

Yeah, maybe it does, but I stick with my assessment from tor-talk today:
https://lists.torproject.org/pipermail/tor-talk/2013-August/029320.html

"While I don't really have an opinion on whether this service should stay dormant, I do hope they leave the TorMail name behind. Too many users got confused about whether it was an official Tor service (it wasn't). And I can't help but conclude that this confusion was intentional and welcome on the part of the service operators -- which I confess makes me have little sympathy for them disappearing."

August 06, 2013

So I downloaded the TBB like 3 hours ago, with Javascript enabled... I shouldn't worry about anything right?

Anything at all? :)

You should worry about everything that you should normally worry about on the Internet. Most of the recommendations in the advisory still apply, now and in the future.

August 06, 2013

Well, Tor isn't totally safe anymore. Who knows what's next on the JavaScript exploits list? You guys wouldn't have even known there was an exploit if it wasn't for the arrest of the FH admin and the sites hosted by FH going down. Best couple it with VPNs or a VPS, exploits get nastier by the day. In the meantime, any alternatives to Tormail are welcome, since Tormail won't come back up anytime soon. Is the Tormail data center compromised now and is a LEA looking through those mails already?

August 06, 2013

In reply to Anonymous (not verified)

I'm pretty sure this script ignores your VPN entirely, because it's executed in your browser and gathers info locally. So it obtains your real IP/MAC - before any info even leaves your PC - and only then sends it over your VPN connection to the target port. So the FBI would see the incoming data coming from your VPN but the data would contain your real, naked IP/MAC. Am I correct?

Incorrect, the exploit code itself doesn't get your IP because the kernel functions the code can call only know your network adapter's IP which is pretty useless (i.e. if you're behind a router like most are it's probably a generic 192.168.x.x or similar). The server on their end gets the IP because your router strips the LAN IP and adds its WAN IP to the packet (your "real" IP). However if you're going through a VPN the VPN then strips that and adds its own. So the server would only know the VPN's IP. They would get your MAC address even through the VPN but that's no use to them without also knowing your real IP.

Wrong:

user machine -> tor proxy -> onion land / clearnet => SAFE
EXPLOIT WOULD YIELD AN EXIT NODE IP

user machine -> vpn -> tor -> onion land / clearnet => SAFE
EXPLOIT WOULD YIELD A VPN EXTERNAL IP

Wrong, see post above. The script executes and collects data before it's obfuscated by VPN or TOR.

I fixed your diagram:

user machine (collected real IP) -> tor proxy -> onion land / clearnet => BUSTED
EXPLOIT WOULD YIELD YOUR REAL IP

user machine (collected real IP) -> vpn -> tor -> onion land / clearnet => BUSTED
EXPLOIT WOULD YIELD YOUR REAL IP

That is not how it works. If you have a dedicated Tor proxy which only allows traffic to go over the Tor network, then there is no way that the script could have circumvented that. Same situation if you set up a VPN: the API called respects the routing table and therefore would have used the VPN connection.

WTF guys, you don't realize or what?? The exploit reads your adapters' h_addr_list structure, all available IPs including the tun/tap interface in case of a VPN. So whatever you use - VPN, Tor, spacecraft, lasergun or bla-bla-bla - this info package is delivered and stored in a DB by adding your unique case UUID.

It reads it from the Windows network stack, then sends it over a browser-independent connection. If you use a VPN, transparent Tor, etc., it is just a communication channel for delivery. Like a raindrop, no matter how many clouds are in the way, it reaches the ground.
Lucky people who used an internal LAN/VM and non-ISP DHCP networks: then they got only 192.168.*, 10.*, 172.16.* for hunting.
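A way to settle the argument above on your own machine, added here as an example (not code from the thread or from any exploit): socket.gethostbyname_ex() returns the same address list a C program sees in hostent's h_addr_list, and classifying each entry shows whether a local lookup yields only LAN/VPN-tunnel ranges (192.168.*, 10.*, 172.16.*) or a publicly routable address. The sample address list in the test is constructed; on a real host, local_lookup() is the function to call.

```python
"""Audit what a local hostname lookup exposes (added example, not from the
original thread or any exploit code).

socket.gethostbyname_ex(hostname)[2] is the Python view of h_addr_list.
Each address is classified so you can see whether the list contains only
non-routable ranges or a global address that identifies your connection.
"""
from __future__ import annotations

import ipaddress
import socket
from typing import Dict, Iterable, List

# IPv4 ranges that do not identify you on the public Internet.
_V4_RANGES = [
    (ipaddress.ip_network("10.0.0.0/8"), "private"),      # RFC 1918 (also typical VPN tun)
    (ipaddress.ip_network("172.16.0.0/12"), "private"),   # RFC 1918
    (ipaddress.ip_network("192.168.0.0/16"), "private"),  # RFC 1918
    (ipaddress.ip_network("100.64.0.0/10"), "shared"),    # carrier-grade NAT space
]
_V6_ULA = ipaddress.ip_network("fc00::/7")  # IPv6 unique local addresses


def classify(addr: str) -> str:
    """Label one address: loopback, link-local, private, shared, global, or invalid."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return "invalid"
    if ip.is_loopback:
        return "loopback"
    if ip.is_link_local:
        return "link-local"
    if ip.version == 4:
        for net, label in _V4_RANGES:
            if ip in net:
                return label
        return "global"
    if ip in _V6_ULA:
        return "private"
    return "global"


def audit(addresses: Iterable[str]) -> Dict[str, List[str]]:
    """Group addresses by their label, preserving input order within each group."""
    groups: Dict[str, List[str]] = {}
    for addr in addresses:
        groups.setdefault(classify(addr), []).append(addr)
    return groups


def exposes_global_address(addresses: Iterable[str]) -> bool:
    """True if any address in the list is publicly routable."""
    return any(classify(a) == "global" for a in addresses)


def local_lookup() -> List[str]:
    """Addresses a hostname lookup returns on this machine (h_addr_list equivalent).

    Returns an empty list if the hostname does not resolve, instead of raising.
    """
    try:
        return socket.gethostbyname_ex(socket.gethostname())[2]
    except socket.gaierror:
        return []


if __name__ == "__main__":
    found = local_lookup()
    print("hostname lookup returned:", found or "(nothing)")
    for label, addrs in audit(found).items():
        print(f"  {label:10s} {', '.join(addrs)}")
    print("public address exposed by lookup:", exposes_global_address(found))
```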

CP, drug deals and financial fraud are only covers. They don't give a damn about any of it unless it suits their larger goals. Like catching whistleblowers who reveal their secret plans and illegal schemes. Like Snowden did with PRISM. They wanted access to Tormail, because it's likely that other heroes like Snowden were using it, and could be caught by reading the emails.

It's an attack on your freedom, don't let them fool you that it's all done to protect you. It's only protecting the interest of the government and those behind it, to stay in power.

What else can we use now to communicate without being spied upon? Tormail was the place to go... now we're redirected to Gmail and other compromised email providers, that we now know are logged and read by the NSA... welcome to the police state.

Today it's TOR. Soon they will call you a pedophile or terrorist if you use PGP or any sort of encryption at all. We are losing the War For Freedom, and even small victories like Wikileaks and Snowden don't seem to matter, because most of the population is spoonfed whatever lies the government wants them to swallow.

August 06, 2013

TorMail is an interesting issue here. The almost certain fact is that existing accounts are in the hands of FBI. Also, AFAIK, TorMail is an enterprise not related to FreedomHosting, they merely rented a server there. So technically, TorMail could resume as soon as they find a new service provider. They could continue under the name of TorMail, or they could use any other name, in order to not be associated with the compromised old accounts. Now, FBI could launch their own little TorMail. Or FBI could start their own anonymous mail service under a different name.

Whatever. The crucial point is that we will have no way to tell which is true. In fact, I don't think that we even need to worry about that - when one uses someone else's service without seeing where it hides its brain, one should always assume that all his actions may be monitored by some hostile agent. TorMail could have been hostile, bribed, or hacked. Same about FH. Or, no matter how good were the intentions of TorMail and Freedom Hosting, there was always a chance that somebody would accidentally stumble upon the servers and read everyone's correspondence. Or knock the server owner against his head and then read everyone's correspondence.

So if (or rather, when) TorMail or something similar returns, we won't really know whether it's FBI or the original thing (unless they give back your old account, in which case it can only be FBI). But it doesn't really matter. As long as you stay in character, you can as well use the feds' servers for your shadowy actions. If you let your real-world id slip, you are doomed either way.

+1 for the Rowling. The fact that hidden services were constructed specifically to hide the identity of both ends of the connection makes it amazing that Torproject did not take steps to protect users from malicious hidden services by disabling javascript by default on onion domains. I keep looking for logical justifications for NoScript not being enabled, and it always comes back to the 'usability' nonsense. Privacy SHOULD trump usability, in this environment.

It should give more than a few people pause to consider that both torproject and TAILS, by default, do not enable javascript blocking AND both software suites direct the browser on load to a page that could be compromised in the exact same manner as sites on FreedomHosting were. I understand that to a certain extent you must trust the project developers not to backdoor your software, but I see no reason why every time I load the software I am asked to trust their website.

No, NSA gathers electronic intel -- mostly tracking terrorists. Knowing the real users of TorMail would be of great interest to the NSA (presumably it's used by terrorists as well) and exactly the kind of intel they gather. This exploit would have allowed that if it weren't discovered. They wouldn't want it to be discovered because I'm sure they'd rather have terrorists think they're anonymous and safe and communicate openly rather than think they're being watched.

I'll believe the affiliation claims when somebody comes forward to claim responsibility.

IP-to-whatever databases are notorious for being inaccurate. I haven't seen anything at all to convince us that it's the NSA, or the FBI, or really anybody at all.

August 08, 2013

In reply to arma

It was FBI or NSA. There is no doubt about that now. If it were hackers, they would announce it on day 1. They would also inject a virus with the payload.

But the government agencies don't have to announce anything. They can keep the collected data for years to come, watch the suspects, and strike at any time they see fit.

Especially if Tormail was the primary target, they will not issue any official announcements and everyone will forget about it. And they have a contingency in case the talk about this doesn't fade - they can simply raid the collected IP addresses and again shift all attention from their actual target.

All because the public is dumb enough to fall for one of two cliched reasons:

'We are the government and we can do what we want to you and your rights because... Child Porn!"

and

'We are the government and we can do what we want to you and your rights because... Terrorists!"

And the dumb population says: "Oh that's right, noble goals, do what you have to!"

And here we are.

I wouldn't let them hack our computers even if Bin Laden and his ilk took down two random towers in the US each bloody week. It's not worth it in the long run. How about, instead of treating everyone as a suspect, you stop invading other countries and killing their children? Maybe that would reduce the amount of hate and terror aimed at you, 'Merica.

It's easy Obama, just tell your soldiers to move out and come home. It really is that simple. And stop spying on the world.

August 06, 2013

Hi, quick question

If I had version 17.05 but NoScript set to block all scripts globally, would that still make me vulnerable?

Thanks in advance.

No, the exploit requires Javascript to work. If Javascript was disabled, as it should have been in the first place, there is no chance it could have worked.

August 06, 2013

It is impossible to confirm that patched users of 17.0.7 were immune to the data mine.

For TBB 2.3.25-10 (17.0.7), which is what most of us are currently using, the exploit was fixed and delivered on or about June 26 (assuming you patched).

The exploit was REPORTED to have been executed in early August, so most with 17.0.7 would assume they are safe, however..

How do you know the exploit was not happening before June 26 ???

You do not.

Although it was patched on June 26, it may well have been happening for quite some time before that. Quite some time before you all updated to 17.0.7. Happily collecting your data, waiting for its presence to be discovered by someone ('Nils' on June 25).

Yes you are safe NOW from this particular exploit if you have 17.0.7, but there is no way Mozilla/TOR can confirm you were not compromised before June 26.

If you did access a FH site before June 26, I think it would be safe to assume there is a significant chance your IP/Host/MAC is on file and currently being 'processed'.

I am not here to panic you. I am just thinking through this logically.

Sources on the reported exploit execution dates, please? I've read over a dozen news stories and forum threads on different sites about this, but so far I haven't seen much if any speculation regarding exact dates outside of this blog.

On a related side note, I understand most or at least many people who were subjected to this exploit experienced a browser crash. One would think these crashes would have been reported during all of July if the exploit had been in effect "silently" from way before the fixed update on the 26th of June. Have there been numerous unexplainable crash reports before this week/last weekend?

I have an interesting question. Did anybody experience a crash who is sure they had javascript disabled? Is it proven that only having it enabled could cause the browser to crash? I wonder if there's a possibility the browser could be compromised and crash using an iframe if enabled and/or something else even with javascript disabled.

There are a bunch of bugs in Firefox that can cause unrelated crashes. They're not particularly common, but once you have many hundreds of thousands of users (like TBB does), some users will encounter them.

Assuming you had javascript disabled, your crash was probably something unrelated. As far as we know currently that is.

(Also, it's not just Firefox. We add our own patches to Firefox to deal with privacy and security vulnerabilities that Mozilla doesn't care to fix. And one of those patches could have caused the crash too.)

yes after visiting the TM homepage. And... I was using Tails and the 1st thing I do is disable JS. Could have been something else as I've had a similar crash in past but not for a while. This happened on the 4 I believe. Also running the most recent Tails distro. ???

Don't know what to think but believe it has more to do with drugs than CP

August 06, 2013

Would it make a difference if Javascript was enabled globally and Iframes were disabled on all sites via NoScript?

I don't think the exploit would work in that case, because it runs inside an iframe. The server-side code would write the cookie but the rest wouldn't run.

August 06, 2013

Stupid question. But every time I've used TOR, I've downloaded TBB, used it and then deleted it. So if I did this a few times over the last couple of weeks I should have used the latest version every time, and should be safe even with JS enabled, right?

The TBB that you download from the site, is that always the latest version?

The website does in fact try to give you the latest version each time, yes.

Be sure to check the signature each time you download it. (And if you're on Windows, where it's hard to check the signature because you can't securely get any software to do it ... consider not being on Windows anymore.)

August 07, 2013

In reply to arma

Not happening. It is a ridiculous suggestion. Plus PGP software for windows does exist, despite your comment suggesting otherwise.

It could be easier to use, but a particular piece of software for a platform is not indicative of any problems (or benefits) of that platform. Truth is we have more software choices for just about everything on Windows. Given the existence of VM software - a person can run multiple OS's on any computer at once anyhow so why does it matter?

You aren't doing TOR project any favors with your smug Windows-hating hipster attitude.

_______Begin Quoted Text_______

The thrust of my position is that security is an absolute property that must be designed in from the beginning, coded with care, and enforced throughout the software development lifecycle. This embodies a set of issues that are orthogonal to whether the source code is open or not -- it depends on training, design, and use of appropriate tools. Thus, the nature of whether code is produced in an open or proprietary manner is largely orthogonal to whether the code (and encompassing system) should be highly trusted.
[...]
We often hear debate about which is more secure: open source or proprietary source. Each side makes arguments and refutes the arguments of others. In truth, neither is correct (or both are). Whether or not source is proprietary does not determine if the software is better.
[...]
From this standpoint, few current offerings, whether open or proprietary, are really trustworthy, and this includes both Windows and Linux, the two systems that consistently have the most security vulnerabilities and release the most security-critical patches.

_________End Quote Text______________

- Gene Spafford (from circa 2000-2002)
http://spaf.cerias.purdue.edu/openvsclosed.html

A famous Spaf quote:
"The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."
(http://spaf.cerias.purdue.edu/quotes.html )

If you (the one hurt-by-Windows-criticism) had bothered to actually read Arma's comment word for word before huffing and puffing and taking offense, you would have seen
the word

"securely"

as in

" you can't securely get any software to do it".

If you want to rectify that, for starters please cite an URL that fits that criterion. Be constructive.

Thank you.

August 06, 2013

Sorry but it still isn't 100% clear to me.

If I was using 2.3.25-10 with Javascript enabled (in Firefox settings), "Forbid Scripts Globally" set, and visited Tormail, was I injected?

August 06, 2013

Switching away from windows because there is a security issue in the software YOU use. Forget it, I will no longer support you. You are nothing but Microsoft hating geeks.

Even if everyone switched to Macs, this exploit still would have worked because it allows execution of whatever code the exploiter wants to put in there. They could have written Mac specific code if they had wanted.

August 06, 2013

I'm confused with regards to noscript - did blocking all scripts globally include javascript? I used a javascript test site to see if it was enabled with noscript blocking all scripts, and it wasn't enabled. Does that mean I'm safe?

August 06, 2013

Would having only Tor allowed to access the net in my Windows firewall settings (not even DNS is allowed through) block this attack? How likely are the ramblings of the guy saying he runs exit nodes and embedded the exploit in random traffic? Would the n_serv cookie have still showed up in that case?

Yes, you would have been safe from this exploit. Make sure only a user with admin rights is able to turn the FW off. The payload itself was extremely straightforward - a 5 year old could have written it. Honestly, they could have done much more damage if they really wanted, but they didn't for some reason (lack of time?).

The injection story is a hoax imho, but is technically possible if and only if the UUIDs were static. If they are dynamic and logged at the FH servers then it is not possible to "poison" the database.

Forgot to mention that as an exit node operator he would not be able to "accuse" real Tor users because he cannot know their IP addresses.
He could have spoofed random IPs, but then it does not make sense to use an exit node at all. So again, 99% sure that this story is a hoax.

If Tor.exe is allowed but not tbb-firefox.exe (and your version was vulnerable), it would have failed trying to connect outbound because it ran within the tbb-firefox.exe process space.

The real solution is to install tor in a virtual machine with a new Windows installation, then take a snapshot after you install TBB on it, and have it restore to the snapshot after EACH use.

They can hack all they want, all they'll get is a clean system with nothing on it, and the system will be restored to its original state after each use.

Tips:
Set the DNS server to some bogus IP address so no legit domain names will ever get resolved to an IP unless they go through Tor.

Adjust the firewall so only the tor ports are opened.

Use the open-source VirtualBox instead of closed-source VMware.
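The per-process lockdown described in the comments above, as an added example (not the commenter's or the Tor Project's own code): on a throwaway Windows VM, set the built-in firewall to default-deny, allow only tor.exe outbound, and point DNS at a non-routable address. The tor.exe path and the adapter alias are assumptions; run from an elevated PowerShell on Windows 8 / Server 2012 or later, where the NetSecurity and DnsClient cmdlets exist.

```powershell
# Added example, not from the original thread. Paths and names below are assumed.
$TorExe   = 'C:\Tor Browser\Tor\tor.exe'    # assumed TBB install path
$Iface    = 'Ethernet'                      # assumed adapter alias (Get-NetAdapter lists them)
$Profiles = 'Domain', 'Private', 'Public'

# 1. Default-deny in both directions on every profile. An exploit running inside
#    the browser process (as the one discussed here did) then has no direct route out.
Set-NetFirewallProfile -Profile $Profiles -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Block

# 2. Allow only the Tor client binary outbound. tbb-firefox.exe gets no rule: it only
#    talks to tor.exe's SOCKS port on localhost, and Windows Firewall does not filter
#    loopback traffic, so browsing still works while direct connections are dropped.
New-NetFirewallRule -DisplayName 'Tor client outbound' -Direction Outbound `
    -Program $TorExe -Protocol TCP -Action Allow -Profile Any

# 3. Point the stub resolver at a documentation-range address (RFC 5737, never routed)
#    so an accidental direct lookup fails instead of leaking the name to the local ISP.
Set-DnsClientServerAddress -InterfaceAlias $Iface -ServerAddresses '192.0.2.1'

# 4. Verify. Windows ships with pre-existing "Core Networking" allow rules that still
#    apply under default-deny; review the list and disable anything not needed with
#    Disable-NetFirewallRule -DisplayName '<name>'.
Get-NetFirewallRule -Direction Outbound -Action Allow -Enabled True |
    ForEach-Object {
        $app = $_ | Get-NetFirewallApplicationFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Program = $app.Program }
    } | Format-Table -AutoSize
```

Take the VM snapshot after running this, so every restore starts from the locked-down state.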

August 06, 2013

So, I'm going to ask the question nobody seems to be asking. If you feel as if you may have been compromised, what should you do?

Well, it just means your IP and MAC address as well as proof of what exploited site (possibly page) you visited is on a U.S. government list along with probably thousands of others. Only you know what pages you visited and what would happen if the U.S. government knew you went there. Other than that, the exploit didn't leave a virus or install anything, just phoned home with that info.

Exactly ... if the javascript exploit downloaded malware on a user's computer it should be possible to scan for traces of this infection. So users need to have a way of finding out if they have been compromised... is there a scanner for this malware?

August 06, 2013

Anybody else remember when the default settings for NoScript in TorPark had "allow scripts globally" set to on?

My question is who the hell got paid to turn that on for the bundle when nobody was looking?

As far as I know, there have been no Tor Browser Bundles where JavaScript was disabled globally by default. Please show me one.

Also, seriously, TorPark? That brings me back. I'm glad we have all the browser-level privacy and security fixes that people have developed since then.

August 06, 2013

Hi - I was one of the unfortunate ones that tried to login to tormail and got the error "system maintenance, please check back in a few hours". I got that error about 5-6 times as I kept trying to login. I had Javascript enabled and was running the torbrowser bundle with Firefox 17.0.7. Does this mean I was not affected by this 0day exploit?

Can someone please confirm this as quite worried :( Thanks.

August 06, 2013

Hello. A little question, if anyone is able to confirm.
v17.0.6 + JS off(unchecked from options) = compromised?
thanks.

If you weren't running any javascript, you should be ok against this exploit.

(But there are other vulnerabilities in 17.0.6 that mean someone could still attack it in a different way. Upgrade!)

August 06, 2013

Question: in the advisory it is recommended to use RequestPolicy. Wouldn't that lead to browser fingerprinting because of the low amount of RP users, meaning my TBB browser would be pretty unique?

August 06, 2013

I never used Tor on my actual machine; it was always on a virtual machine...which was only connected through a VPN...why make it easier on them?

August 06, 2013

Each time I update TBB, the first thing I do is always put that damn NoScript to good use. People think it's there because it looks cool?

August 06, 2013

I've been reading about this since the last two days... And I wonder...
- What if Tor and Tails are a part of the NSA, FBI or CIA?
- What if Tor and Tails are a big fishnet to catch every stupid who thinks "I'm using Tor, so I'm safe!!"?

Are you 100% sure that Tor is "gov-free"?

1st Rule to "be safe": never use your own connection!
2nd Rule to "be safe": macchanger -r.
3rd Rule to "be safe": Live system + encryption.

Use Kali or even wifiway (lame piece of cr*p) and get a "backup" connection. Yes, might be slower than your own connection, but FBI guys won't be shooting at your door.

Then, you can use Java, Flash, or whatever. They may reach your neighbour's IP, but even if they get the router, and take every PC in the neighborhood, including yours, you're safe. Your real MAC never connected to the router, the live system leaves no trace, the encrypted flash unit is in your rectum, or another safe place.

PS= I don't need to say that you must use GNU/Linux. If you're stupid enough to use windows, you deserve to get caught.

"Use Kali or even wifiway (lame piece of cr*p) and get a "backup" connection. Yes, might be slower than your own connection,"

"They may reach your neighbour's ip,"

So you're encouraging people to /crack/ and use their neighbor's WiFi without permission?

Isn't that a form of /theft/?

How would you feel if someone were to do that to /you/?

"the encrypted flash unit is in your rectum"

Put what you want in /your own/ rectum but keep-out and away from the rectums (and other orifices, for that matter) of other people, /especially/ children and adolescents.

August 06, 2013

Another noob question.
I removed NoScript and HTTPS Everywhere from the Tor bundle (2.3.25-10). I always surf with JavaScript disabled and cookies off; if I then went to Tormail, did my IP get uncovered?

August 06, 2013

If one had Java turned off in Firefox in the options, could it have been used to spoof your IP?

August 06, 2013

HELLO!

Have an older version of TBB (maybe updated last year) on my laptop I use only when my work computers are down. I am sure that it has the version the exploit could run on. I last used it mid July but always set the button to no scripts (S tab with blue cross out) for fear of adware and viruses. Not sure if I visited any of those Freedom Host things, I know I didn't get anything saying "down for maintenance", but nonetheless am I at risk?

Did the malware only take advantage of stupid people with their scripts left on, or did it affect those with even the NoScript turned to block all? Could someone with knowledge respond? Thanks

If you have scripts disabled, then as far as we know this exploit couldn't exploit you.

(But there are still other vulnerabilities in older Firefoxes that don't need scripting to work. Upgrade!)

August 06, 2013

I know it says above that it was aimed at users with Windows, so is it 100% that the attack wouldn't have happened on a Mac?

The exploit payload used Windows-specific code. So it's pretty clear this exploit wouldn't have worked on OS X.

That doesn't mean there wasn't some alternative exploit out there (the vulnerability was cross-platform after all), but nobody has seen one.

August 06, 2013

I always thought that any C/C++ based software is inherently unsafe.
The language is simply too complex and it is just too easy to fuck something up. This is not a matter of "being good coders", this is really a matter of a programming language that makes it too easy to screw something.

I do really think we should move on to newer/better languages. One of them is Go [ http://golang.org/ ]. By using a modern language such as Go which includes several improvements over C/C++ (goroutines, garbage collector, no pointer arithmetic, faster [and easier] compilation, etc) we could really make our software much more robust and safe. It is clear by now that this is becoming an emergency... the more we surround ourselves with gadgets the more easily we will fall prey to hackers and shameful agencies working against their citizens.

What I propose here is to write a custom web browser (in Go for instance) that supports only basic HTML and CSS and that relies only on Go libraries, and to make it the tor-browser. My proposal could be extended to Tor itself in order to prevent exploits in it too.

August 06, 2013

Here is another scenario.
Let's say you want to avoid c*p and illegal stuff on deepweb so you turn off images.
But you need JS for some reason and forget to disable it again.

Then a few days ago you load up your now outdated and vulnerable TBB to find most FH sites are down or act weird.
You go to legal but infected onions on FH or Tormail with the maintenance message, and BAM they have your real ip, mac, host.

They know what site you have visited by sending not only MAC and hostname but also some sort of generated ID from the site.

August 06, 2013

Confused here, just wondering, if you don't mess with Noscript options at all, but still go into options and disable Javascript, that still disables it right? Does it disable anything else?

August 07, 2013

In reply to arma

I can confirm that disabling javascript from the browser options overrides NoScript.

Restoring NoScript to the default setting of blocking scripts globally may be the preferred option.

See:
http://noscript.net/faq#qa7_5

"Disabling JavaScript using your browser built-in settings (or the IE's < IFRAME SECURITY="restricted" > feature) actually disrupts any JavaScript-based anti-Clickjacking protection the target site may have deployed. The good news is that this limitation does not apply if you use NoScript, thanks to Frame Break Emulation: if a framed page which is not allowed to run JavaScript contains a “frame busting” script, the intention of the page author is honored by NoScript, i.e. the page replaces the topmost document. You can control this feature toggling the noscript.emulateFrameBreak about:config preference."

Restoring NoScript to the default setting of blocking scripts globally may be the preferred option.

I meant, of course, the actual NoScript default and not the TBB/Tails default that has NoScript set to allow scripts globally.

August 06, 2013

If you have javascript OFF and still get a crash, could the malware still have been executed?

I want to know this as well. I was using the most recent TBB with Javascript off and I got the crash since I kept refreshing the "down for maintenance" page...

August 06, 2013

would this have displayed/sent back the MAC address for the wireless modem/router, or just the computer/wifi card on the motherboard?

Is there any reason to doubt that this MAC is sent along trunk fiber to all sorts of major destinations -- that are PRISM'd with taps (just before branch-off to their final destination reaching major company servers such as those named in recent weeks)?

Is anyone confident that Windows' Update software doesn't find and send the MAC over as part of Windows authentication and/or computer ID/fingerprinting? And similarly, many non-OS apps? Skype's rummaging around never uses the MAC for computer ID or any other unknown purposes?

And all these communications are all sent thru super-securely, PFS etc?

The idea that MAC correlation to IP and other fingerprint data is some closely guarded secret in this age....doesn't that seem strange ?

August 06, 2013

Firefox 17.0.8 HAS BEEN RELEASED TODAY.

Fixed in Firefox ESR 17.0.8

MFSA 2013-75 Local Java applets may read contents of local file system
MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
MFSA 2013-71 Further Privilege escalation through Mozilla Updater
MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
MFSA 2013-68 Document URI misrepresentation and masquerading
MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

August 06, 2013

Hi Arma,
So, confirming from the advisory: users on OSX running the latest version of TBB who had JS on were not affected, regardless of JS being turned on?

I also assume that regardless of the exploit working or not, a person would still see the 'Outage' message on the page?

For example if an OSX user were running an older version of TBB, but had JS turned on they would still not be affected due to this being Windows based?

August 06, 2013

What the fuck is torproject thinking still having javascript enabled by default?

The whole point of using tor is to stay anonymous, if people want easy access to the net they would use IE instead.

why the fuck would people want the biggest exploit enabled by default? Are they paid by you know who to keep the backdoor open?

https://decvnxytmk.oedi.net/docs/faq.html.en#TBBJavaScriptEnabled :

"we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).

Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."

(all emphasis mine)

What a load of bullshit excuses.

What they are saying is they recommend you to enable javascripts on all sites so they won't notice you're using tor, thus increase your anonymity.

These excuses may fool newbies, but not to anyone remotely tech savvy on browsers.

So what if they "uniquely identify your browser"? As long as you never post personal information on tor they'll never know who is using that browser, and that is the whole point. Explain to me how, if all users have javascript disabled by default and almost everyone enables javascript for youtube, that will 'very likely uniquely identify your browser'?

Also it's not like it's hard to find out a visitor is from a tor exit node, hell the "Firefox 17.0.x" useragent alone is already a big sign someone is using tor.

Javascript exposes so much more info about your browser and OS (screen resolution, installed fonts, etc); now THAT is what is 'very likely to uniquely identify your browser'. How do they explain that?

Anyone telling you having Javascript enabled is safer is sleeping with the FEDs, period.

Stop the lies and disable javascript by default, NOW.

The thing to know about Tor developers is that they have major hard ons for unlinkability and don't really care as much about untraceability. They think a win is if you go to website A and then website B, and 99% of the time the same attacker can not link you to both sessions. They don't care as much if 1% of the time any attacker can link you to either website A or website B. This is evidenced in a lot of the choices they have made: quick circuit rotation (even much quicker in the past at 30 seconds, raised only to reduce load on the network too), a suggestion to leave javascript enabled to reduce browser fingerprinting despite opening you up to an entire class of hacking techniques that could deanonymize you, etc. Tor developers have a different threat model in mind than a majority of their users do. You don't want to be traced ever even once, they don't want an attacker to determine that you went to Website A AND Website B.

They also are very concerned about getting as many people using the network as possible, and will sacrifice security for usability. This also contributed to their choice to leave javascript enabled. It also contributes to their choice to give you three entry guards even though you are much more secure with a single entry guard or possibly two. It is also why entry guards rotate so much. It is also why they bundle everything together and make it extremely hard to use individual components in custom configurations (oh, we cannot ship Tor browser independently, some people might think it uses Tor even if it isn't configured to!).

So pretty much we have a few issues. The first issue is that our threat model is not the same threat model as the Tor people are focusing on. The second problem is that they have taken to pandering to idiots. The third problem is that they have taken to pandering to people who want to watch cat videos on youtube.

That doesn't make sense. Enabling javascript is EXACTLY what let them track you from website A to website B.

Let's take a look at torproject.org's frontpage, which states:
Anonymity Online - Protect your privacy. Defend yourself against network surveillance and traffic analysis.

Enabling javascript by default doesn't protect your privacy, period. Sugar coating it doesn't change the fact.

Many web sites load javascripts from ajax.google.com and also from facebook.com for the 'like button' javascripts, and that gives them details to profile your browsing habits. Combined with the 100s of other tracking javascripts and the HTTP Referer header, you're pretty much dead in the water as long as javascripts are on.

Tor was designed for privacy, I don't care what 'threat model' they are using, if they enable javascript by default then someone in that organization is sleeping with the FEDs. What is so hard to have it disabled by default and only enable it when you really need them? By enabling javascript by default they are tricking those non tech savvy people into leaking information to everyone out there.

More information on how 100s of companies are working together to track you online:
http://www.ibvpn.com/blog/2012/07/how-far-are-you-being-tracked-on-the-…

http://www.forbes.com/sites/kashmirhill/2012/02/29/heres-the-best-and-p…

http://www.alternet.org/story/153592/are_you_being_tracked_8_ways_your_…

Yeah you have a good point actually. The Tor developers reason for turning javascript on actually makes no sense at all. It doesn't protect you from linkability when you get fucking hacked through your browser and rooted. So pretty much their entire defense of turning javascript on has crumbled.

Right, Tor is a specialized tool to ensure privacy, that is its core function, its sole reason for existence.

The Torproject team should make it easy for people to maintain privacy, not make it easy for people to watch youtube. That means disabling javascript by default, not the other way around.

The Torproject team have lost their priorities and got it all backwards.

Something just isn't right.

You're right about what Tor is -- it's a proxy which, when used correctly, tries to anonymize the traffic flows going through it.

Using this proxy safely, for browsing, introduces a world of new headaches. We have tried to address them with TBB, but it's certainly not easy. And keep in mind that TBB is relatively new compared to the Tor program itself.

See the end of the advisory for links to approaches that can make this better. And then help us do it!

BWAHAHAHA enabling javascript is safer? Crack pipe please!

Javascript exposes your system's Time zone/Screen size/Color depth/System fonts, without even using any hacks, test it yourself:
https://panopticlick.eff.org/index.php?action=log

How the fuck is that safer? That's before we even talk about all the javascript exploits.

If javascript is safer noscript wouldn't attach the (dangerous) warning sign to it now would it.

Stop lying.

partners in crime? We've been screaming about it for a while and the Devs said , ...move on, nothing to worry about and now here we go, a successful JS exploit on TOR. Great job guys!!

August 06, 2013

Hey retaaaaaards, if we wanted to surf the net easily we'd still be using IE. Make TBB turn off the damned javascript by default, NOW!

August 06, 2013

The only safe way now is to install a new and clean windows in virtualbox, then install TBB, after that take a snapshot of the virtual machine, so you can restore it to a brand new state after each shutdown.

Setting the DNS server to some bogus IP address also helps: no accidental connections to legit domains.

August 07, 2013

In reply to arma

Tails has more holes than swiss cheese, it also enables javascript by default.

The user base for Tails is not large enough to detect hidden backdoors. At least with a new copy of Windows you can have a firewall that locks things down PER PROCESS; you'd know exactly what program is making a connection and block all processes except TBB. You can't do this with Tails.

Suit yourself -- if you're a Windows expert, go for it. Not many Tor users are Windows experts I bet.

Alas, your approach doesn't scale: Windows isn't free software, so that "new copy of windows" you describe is tough to distribute legally.

As for the Tails user base, their June statistics see a Tails boot every 18 seconds on average:
https://tails.boum.org/news/report_2013_06/index.en.html
That would seem to be quite a few users.

August 06, 2013

Stay away from PRISM, people, use the Snowden torrc

#The Snowden torrc config
#Excludes the major PRISM countries and only exits from a Russian IP
ExcludeNodes {us},{gb},{ca},{au}
ExitNodes {ru}

A while ago I was talking to people in Sweden who were lamenting Sweden's new "we log everything that goes across our national border" surveillance approach. These same people also pointed out that much of Russia's Internet traffic transits Sweden. Careful with this more-centralized-than-you-think Internet we've got.

August 07, 2013

In reply to arma

Oh well at least the Russians won't suck US's dick by raiding exit nodes every time the US chucks a fit.

August 06, 2013

This is funny, the noscript button states:
Allow Scripts Globally (dangerous)

And these torproject idiots LEFT IT ON by default?

https://decvnxytmk.oedi.net/docs/faq.html.en#TBBJavaScriptEnabled :

"we recommend that even users who know how to use NoScript leave JavaScript enabled if possible, because a website or exit node can easily distinguish users who disable JavaScript from users who use Tor Browser bundle with its default settings (thus users who disable JavaScript are less anonymous).

Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."

(all emphasis mine)

What a load of bullshit excuses.

What they are saying is that they recommend you enable JavaScript on all sites so they won't notice you're using Tor, thus increasing your anonymity.

These excuses may fool newbies, but not anyone remotely tech-savvy on browsers.

So what if they "uniquely identify your browser"? As long as you never post personal information on Tor they'll never know who is using that browser, and that is the whole point. Explain to me how, if all users have JavaScript disabled by default and almost everyone enables JavaScript for YouTube, that will 'very likely uniquely identify your browser'?

Also, it's not like it's hard to find out a visitor is from a Tor exit node; hell, the "Firefox 17.0.x" user agent alone is already a big sign someone is using Tor.

JavaScript exposes so much more info about your browser and OS (screen resolution, installed fonts, etc.); now THAT is what is 'very likely to uniquely identify your browser'.

Cut the BS and disable javascript by default, NOW.
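An added illustration (not code from the post or from the Tor Project) of the anonymity-set argument in the FAQ quoted above and of the YouTube question: it assumes an observer who can only see, for a handful of constructed site names, whether JavaScript executed, and computes how many users share each observable fingerprint and how many identifying bits that leaks.

```python
"""Anonymity-set arithmetic behind the JavaScript advice quoted above.

Constructed illustration, not code from the Tor Project or from the post.
An observer (a site with a widely embedded third-party script, or an exit
node watching plaintext traffic) is assumed to see, for each user and each
of a handful of constructed sites, only whether JavaScript executed there.
Users who share an observable fingerprint form one anonymity set; the
identifying information a fingerprint leaks is log2(population / set size),
the convention Panopticlick reports in bits.
"""
import math
from collections import Counter
from itertools import combinations

# Constructed site names; the observer can test script execution on each.
OBSERVED_SITES = ("youtube", "news", "webmail", "forum", "maps")


def fingerprint(allowed_sites):
    """Observable fingerprint of one user: a JS-ran/JS-blocked flag per site."""
    allowed = set(allowed_sites)
    return tuple(site in allowed for site in OBSERVED_SITES)


def default_users(n):
    """Default TBB: scripts allowed everywhere, so every user looks the same."""
    return [fingerprint(OBSERVED_SITES)] * n


def allowlist_users(allowlists):
    """Users who blocked JS globally and then allowed a personal set of sites."""
    return [fingerprint(sites) for sites in allowlists]


def every_distinct_allowlist():
    """All 2**len(OBSERVED_SITES) possible allowlists, one per user."""
    return [combo
            for k in range(len(OBSERVED_SITES) + 1)
            for combo in combinations(OBSERVED_SITES, k)]


def identifying_bits(fp, counts, population):
    """Bits of identifying information revealed by fingerprint fp."""
    return math.log2(population / counts[fp])


def summarize(fingerprints):
    """Anonymity-set statistics for a population of fingerprints."""
    counts = Counter(fingerprints)
    n = len(fingerprints)
    return {
        "users": n,
        "distinct_fingerprints": len(counts),
        "smallest_anonymity_set": min(counts.values()),
        "max_bits": max(identifying_bits(fp, counts, n) for fp in counts),
    }


def report(label, fingerprints):
    s = summarize(fingerprints)
    print(f"{label}: {s['users']} users, {s['distinct_fingerprints']} distinct "
          f"fingerprints, smallest set {s['smallest_anonymity_set']}, "
          f"worst case {s['max_bits']:.2f} bits")
    return s


if __name__ == "__main__":
    # 1. Everyone on TBB defaults: one fingerprint, zero identifying bits.
    report("defaults", default_users(1000))
    # 2. The YouTube case from the thread: 990 users allow only YouTube,
    #    10 allow nothing. The majority is fine; the 10 stand out (6.64 bits).
    report("youtube-only", allowlist_users([("youtube",)] * 990 + [()] * 10))
    # 3. Personal allowlists: with 5 observable sites there are 32 possible
    #    lists, so 20 users who each chose differently are alone in their set.
    report("personal lists", allowlist_users(every_distinct_allowlist()[:20]))
```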

BS, JavaScript exposes your OS/Screen resolution/Installed Fonts.

Anyone telling you having javascript enabled is safer is sleeping with the FEDs.

Who wrote that anyway? It's time to name names.

These comments should be directed at the **TOR PROJECT** as I was merely **QUOTING** /their/ FAQ, found at:
https://decvnxytmk.oedi.net/docs/faq.html.en#TBBJavaScriptEnabled

and noting that the recent comments on the matter that were posted by "arma", an official representative of the very same Tor Project, glaringly contradict the statements in their FAQ that I quoted.

For this alone -- the glaring contradiction and the lack of any response to it thus far from anyone at the Tor Project (despite numerous other comments being posted by arma in the time since I pointed out the contradiction) -- people should be alarmed and demanding an explanation, regardless of where anyone may stand on the question of JavaScript itself.

August 06, 2013

Out of curiosity, are there plans for a completely sandboxed bundle using an encrypted virtual machine without direct network access? Basically, only TOR itself runs on the host, and everything in the VM is firewalled (by the host) to only be able to communicate with TOR. There are a number of open-source VMs, and you could run a very minimalist distribution of linux inside the VM to cut down on image size.

The only multi-platform code to maintain would be the TOR binary (already ported), the VM, and whatever network rules are used to refuse the VM external access.

The path to exploit that would be:

  • Browser exploit granting unpermissioned user access
  • Permission escalation allowing for root access
  • OS exploit granting the ability to run arbitrary ring-0 code
  • a VM exploit granting you unpermissioned access to the host OS
  • another permission escalation on the host OS to remove the firewall rules.

Given that the vast majority use Windows, and the guest OS would probably be Linux, you'd need a perfect storm of vulnerabilities in two operating systems, a browser and a virtual machine, all unpatched.

Being a single browser hole away from complete de-anonymization is a completely untenable situation.

Yes.

If you want to get the extra credit, you could run two VMs, and put the Tor client plus some good iptables rules in the second one.

See the references to Whonix and WiNoN at the end of the advisory.

August 06, 2013

I'm actually kinda pissed that taking down **ONE** single hosting company could inflict this much damage on the .onion sites.

Why don't we all just host on unpatched windoze servers while we're at it?

Don't worry, people will adapt and something even more secure will surface. As long as the demand is there people will come up with something.

August 06, 2013

Arma, whoever you are, thanks for being there and for bringing a little sanity to this issue. Your efforts are appreciated.

August 06, 2013

Hi Arma,
Thanks for your replies.
So, to confirm from the advisory, users on OS X or Linux running the latest version of TBB but with JS on were not affected?
I assume that regardless of the exploit working or not, a person would still see the 'Outage' message on the page?

Also, if an OS X or Linux user was running an older version of TBB but had JS turned on, would they still not be affected, due to this being Windows-based?

August 07, 2013

I did investigate cookie mechanisms, because I remember seeing a cookie named N-serv once without having any JS functionality enabled. This is possible, as cookies can be generated via HTTP alone. (I remember that a long time ago the Tor BB did not allow any cookies, and when I accessed Google I had to fill out a CAPTCHA.)

I can imagine that this cookie, even with that name, was generated maybe to track my browser history. But without JS enabled there is no known mechanism (yet) by which the real IP can be sent out. So I'm safe for now.

What would make it less vulnerable (I think) is if the Tor Firefox could be patched to only be able to send out requests through Tor. If I understand it correctly, in this case the exploit sent out info through the clearnet.

I agree with others that your IP in an FBI database is not enough to justify a raid, so the question is: can the ISP monitor the traffic between Tor and the first node, or is it encrypted to block further data analysis?

Definitely a wake-up call to think more about where we browse and whether it's worth the risk. But I think Tor is doing a good job and I want to thank all who are involved in this project!

Strange to hear that in GB the police can force you to reveal the PW of a container. How do they detect that a certain file is a container (I use TC)? If they can, are there tools to further 'process' a container file so it doesn't get recognized (TC->PSR, PSR->TC)?

August 07, 2013

Hi, brand new question here.

If I had a Paid VPN running, and then ran TBB on top of that (Latest patched version with 17.0.7) BUT NO SCRIPT SET TO "ALLOW ALL GLOBALLY" have I been compromised??
Will the exploit by pass my VPN in addition to TBB???

Also is TOR safe from IGMP and ICMP exploits?
No one has an answer for that.
Does that mean TOR is vulnerable to ICMP and IGMP attacks?

Re the VPN, the connection made by the exploit would likely go over the VPN. So you would be sending your hostname and MAC address via the VPN. Whether that counts as "safer" depends on your VPN provider, but it's probably an improvement. See above comments about VPNs too.

Re the IGMP and ICMP attacks, can you provide details? I'm guessing the answer is either "what the heck, those aren't attacks" or "why did you think Tor defends against an attack on that level?"

August 07, 2013

OH SHIT!
I do have the latest version of TOR and Firefox, but had No Script set to Allow ALL globally.

But I still remember my RAM peaking to its FULL capacity and the browser wanting to shut down some days back!!!

Since this exploit works by overflowing the browser's RAM, does that mean I'm fucked even if I had the latest version of TOR and FF????

The latest version of TOR and Firefox is unaffected by this specific JavaScript.
The JavaScript does not fill all the RAM; it just goes past the bound of an array (a limited region of RAM).
The JavaScript also makes the browser crash and exit after executing the payload.

I wouldn't have thought so. In the advisory:

"This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:

2.3.25-10 (released June 26 2013)
2.4.15-alpha-1 (released June 26 2013)
2.4.15-beta-1 (released July 8 2013)
3.0alpha2 (released June 30 2013)"

If you have Firefox 17.0.7 ESR then the exploit won't have worked. Period.

August 07, 2013

Sooo, how can we tell which dark sites are hosted with Freedom Hosting before we click on them?
Say, if they come back online under FBI control, who knows what sort of code has been injected into them for track and trace.

August 07, 2013

A question please. I downloaded TBB version 2.3.25-10 some time in mid July, but I just checked and it apparently shipped with 17.0.6 ESR, not 17.0.7... yet this article seems to suggest all 2.3.25-10 versions included the 17.0.7 ESR fix, which in my case obviously isn't true. Please correct me if I missed something.

And is the 17.0.6 ESR vulnerable to this exploit? Clarification would be appreciated.

2.3.25-10 included Firefox 17.0.7 ESR.

What did you "just check"? It sounds like you are confused about which TBB version you have.

(17.0.6 ESR is vulnerable.)

August 10, 2013

In reply to arma

Thanks for the reply Arma. To clarify, the TBB 7zip file name I downloaded (mid July) was 2.3.25-10_en-US. When I ran that browser, and clicked Help>About TorBrowser, it said Firefox ESR 17.0.06. I'm quite certain of that. So my conclusion is that not all TBB 2.3.25-10 versions included 17.0.07 ESR, as this article seems to suggest.

August 07, 2013

So, Devs.... still think making users turn off JS every time is a good idea???

We've all been yelling about why JS was enabled by default and I've never seen a halfway decent answer from you guys on that one. I make it through 98% of my computing w/JS off, so why is it worth it to have it left on by default?
Honestly, I'm asking for real now that we've seen a successful JS-based attack on TOR.

The real answer needs to be getting people off the "run an application in Windows and think it can possibly be secure" model.

Whether that's Tails in a VM, or getting them to boot Tails directly, or some other VM-based approach like WiNoN or Whonix... we need more help from the whole community here to get these things both usable and well-analyzed. Don't just sit back and wait for us to do it.

August 07, 2013

For a bunch of people who surf onion sites, there seem to be an awful lot of paranoid people here. Methinks perhaps your Tormail and surfing activities might be a little questionable, huh? Particularly if you used Freedom Hosting, which was basically a disguise for CP.

August 07, 2013

Hello everybody!

Well, there is a lot of fear flowing through every single post around this issue since it came to light. This is causing double-posting asking the same questions again and again ... and in some cases self-answers trying to calm oneself and others who are feeling despair.

First, let's calm our minds ... if we do not, we are losing it, and the more fear, the more mistakes we will commit and the less time we will have to do whatever we can to get back on our feet.

Second, let's stick to the source ... there is a LOT of speculation, from it being a hack attack to being a worldwide raid to stop Tor, that the exploit installed a cookie, or that a crash is unmistakable proof one was compromised ... PLEASE ... Tor developers are our best source of information ... so I propose we stick to the info they are leaking ...

If it is said that using the latest bundle keeps us safe regardless of the JavaScript configuration in Firefox or in NoScript ... LET'S STICK TO THAT! ... unless we have proof otherwise ... We need to avoid the path to paranoia and, along the way, getting others paranoid ... we have to think with a COLD heart and an even COLDER mind ...

Third, people here are very worried, since some of them were sneaking into illegal sites, that they are unmistakably going to jail because of that ... WELL ... always remember the SURPRISE FACTOR is key to a successful legal raid ... here ... they don't have it anymore ... deducing (and maybe I am not good at it, but I will give it a shot), this exploit was intended only to shut down TOR ... why ... well ...

Fourth, I CANNOT BUT FIND A PATTERN IN THE U.S. EVACUATION OF EMBASSIES IN THE MIDDLE EAST BECAUSE THEY FOUND INFORMATION OF AN IMMINENT ATTACK ... that ... was days after FH was shut down ... lemme speculate ... they found that information flowing somewhere in the FH sites, etc. ... I cannot but see a pattern there ...

Fifth, yes ... if users are using TOR to cover illegal activities, satisfying illegal appetites ... yeah ... a government would be interested in detaining some of you ... but ... I think all this was NSA counter-terrorism intelligence to stop some terrorist organizations that communicate through Tor ... they are a hell of a lot more interested in THEM ... than in you ... unless you are dealing in tons of illegal substances and illegal material ... and I mean ... otherwise I don't think this will go further unless some of you are a big fish on the same scale as a terrorist organization ... or even a terrorist.

Sixth ... Tor has absorbed the biggest hit in its history ... but after the Snowden revelations people have realized the need to do whatever it takes to fight for our right to privacy ... I have been using Tor for less than a month, and what brought me here is that I felt sick about the Snowden revelations about how the espionage has no limits ... when for somebody EVERYBODY else is a potential threat ... that is where the decomposition starts ... where Republics become Empires ... and where the resistance starts ... let's not forget that ... so ... I urge people that now more than ever Tor requires that we run RELAYS and not only clients ... Tor is under attack and it depends on us that this project survives ... if the fear strategy works and nobody keeps supporting running relays ... they will succeed in getting rid of one of the last places one can truly be private ... and they would have won ... let's keep running the relays, and for the ones that are not running them, it is a good moment to start.

Hope nobody got upset with this post ... just trying to bring my 2 cents here.

Take care.

August 07, 2013

Clarification required please - It says on this site that TBB 2.3.25-10 (released June 26 2013) uses FF 17.0.7 ESR. I downloaded 2.3-25-8 on 23 June, but when I check it uses FF ESR 17.0.7.
Is my TBB vulnerable?

August 07, 2013

The advisory recommends ("you might like") the Request Policy add-in to improve security. The advice that appears on the download page, however, discourages us from installing add-ins to the Tor browser. These recommendations conflict; what's the resolution?

August 07, 2013

I am running Firefox ESR 10.0.9. When I go to Help | About | and press the "Update" button, the message that returns says that I have the current version. Yet this advisory refers to a later version of the browser as the current one. What am I missing?

August 07, 2013

Would enabling the NX bit for ALL the software in Windows have prevented this exploit from running?

If so, wouldn't it be a good idea to warn the user about it when starting Tor and the Tor Browser? A message like "Your system seems to support the NX bit but it is currently enabled only for Windows services; you should enable it for all programs in order to avoid running exploits which could deanonymize you".

I remind everyone that to enable the NX bit on their Windows machines they can follow this tutorial: http://www.itechtalk.com/thread3591.html (usually you don't need to add anything to the exclusion list).

Renton Thurston

P.S.: Changing this setting requires you to reboot.

August 07, 2013

At what date was the malicious code placed onto the Freedom Hosting sites? How long had it been there before it was detected?

August 07, 2013

Quick question - isn't leaving Firefox behind and adopting Iceweasel like TAILS a better idea for TBB?

"Iceweasel is Firefox with a different logo and name."

That's what I (and I would daresay /most/ people) always thought.

But then, some time back, one of the Tails devs made a post in the (no longer active) Tails forum stating that there were at least /some/ actual substantive differences between Iceweasel and Firefox. (Namely, certain "patches" in Iceweasel, IIRC)

As for the difference, if any, between Iceweasel and GNU IceCat, I'm still at a complete loss.

August 07, 2013

Could someone explain exactly what the exploit did? Did it just take over the browser, and deidentify the user, or did it compromise the machine completely? Also, I'm assuming that standard non .onion sites were not used as an attack vector (or am I wrong?).

The attack exploited a bug in Firefox's onstagechange handler, which allowed arbitrary code execution. In principle, if you were running Firefox older than 17.0.7 ESR, anyone could use this exploit to do anything they like as the user your browser was running under, regardless of what OS you use. In practice, in this specific case it seems that only Windows users were affected. The code that they chose to run was a program which grabbed the name of your computer and the MAC address of its network adapter, and sent these over a non-Tor connection to an as yet unknown server somewhere in the USA. It doesn't look like it did anything more than this.

Since at the same time the exploit installed a tracking cookie, anyone who was vulnerable to the exploit and who browsed Freedom Hosting sites while they were up should assume that whoever the attacker is has your IP address, the hostname of your computer, its MAC address, and a list of the pages you visited, and when.

It's unlikely that non-onion sites were targeted with this specific attack payload. However, you should be aware that the exploit code is now public, and in principle anyone could install it on their website and try to use it to unmask Tor users. Also, it's possible for malicious exit nodes to inject the exploit, including the malicious payload, into responses from non-encrypted HTTP connections, thus exposing you to the attack without you knowing.

Advice: upgrade your browser, don't use Windows, and realize that this isn't the first or the last time that Firefox will fall victim to a security vulnerability.

August 07, 2013

Oh dear, PLEASE help.

If someone had not updated TOR since May and, erm, java was enabled.
They also had some incriminating evidence on tormail.

Would you advise them to get out of the country if their country had a not-so-friendly government?

Again, please help.

I would tell that person not to worry at this point, because the exploit only tells the U.S. feds that person visited Tormail during the time the exploit was running (probably only the last week) and may correlate the time they visited with activity in Tormail server logs. However U.S. law enforcement is not allowed to examine the contents of the Tormail server without a proper warrant, and nothing has been shown so far that Tormail was a law enforcement target.

August 07, 2013

I always use TBB latest version with JS off, so I don't worry about the recent upsets for me.

My concern, however, is whether my machine's obfsproxy bridge setup (through another port, with another Tor instance and Privoxy, since Polipo cannot handle obfsproxy smoothly), with which I aimed to assist dissidents' access from restricted countries to their necessities, is safe or not.

If obfsproxy clients with TBB had been affected by the exploit, did their requests to my machine bridging to the Tor network expose my IP and MAC address?

You are asking whether vulnerable TBB users who configured their TBB to use your bridge would end up running code on your bridge? No, they won't.

August 09, 2013

In reply to arma

Thanks for reply.
I meant exactly what you interpreted. I'll continue running my machine's obfsproxy bridge to facilitate dissidents' access to the Tor network.

August 07, 2013

Hi you all there. I have two questions... of which, one is a bit off topic ...
What do you think about using Tor not just with the bundle but routing the whole PC's traffic through it? (I'm on GNU/Linux of course...) What are the pros and cons?
I mean ... as a solution for ordinary people and their daily browsing. So no whistleblowing, hidden services or anything like that. People who have "nothing to hide" but are not so stupid as to give away their privacy to some pigs.

And the second... would it be safer for bimbows users to route the internet traffic not on their machines but on the router? For example, installing Tor on a DD-WRT router so all the OS's built-in malware couldn't bypass Tor so easily. I'm no tech pro, so maybe it's a bit of a stupid question... but it makes me curious...

Tails used to route all traffic into Tor by default. They changed their policy a year or two back, to configure the proxy settings on all applications that they knew would talk safely through Tor, and set the firewall rules to drop all other connections. The idea is that if an application hasn't been specifically configured to use Tor correctly, it will probably use it incorrectly, so it's better to prevent it from talking to the network at all.

See https://vbdvexcmqi.oedi.net/blog/bittorrent-over-tor-isnt-good-idea for an example of how things can go wrong with an application that doesn't care about privacy.

August 09, 2013

In reply to arma

I think I understand... So if I would like to use my day-to-day Linux install with Tor... I would need to set all applications to use Tor.

But what about the idea of setting my DD-WRT router to work with Tor? I mean... installing Tor on the router ... so the router would route all the traffic through the Tor network... Is something like this possible?

It is possible, but you're likely to screw up your privacy. See the "Bittorrent over Tor isn't a good idea" post for an example of how you'll lose -- your bittorrent application will end up "anonymously" sending out your IP address in its application-level traffic, and things will go downhill from there.

August 07, 2013

So, I've been keeping my version of TBB up to date, but I haven't disabled javascript manually in Noscript. Am I compromised?

*Sigh* I don't know why you people seem unable to read before posting. It CLEARLY says in the advisory at the TOP OF THIS PAGE -

"This vulnerability was fixed in Firefox 17.0.7 ESR. The following versions of the Tor Browser Bundle include this fixed version:

2.3.25-10 (released June 26 2013)
2.4.15-alpha-1 (released June 26 2013)
2.4.15-beta-1 (released July 8 2013)
3.0alpha2 (released June 30 2013)"

So no, if you have Firefox 17.0.7 ESR the exploit will not have worked notwithstanding whether you had Javascript disabled or not.

August 07, 2013

Quick question - I have the latest version of TBB, but I didn't have javascript disabled manually in Noscript. Am I compromised?

Maybe arma could confirm this, but from my understanding, in Firefox 17.0.7 visiting one of the infected web pages would produce an XML parsing error, whereas if you had a vulnerable browser but had JS disabled in either the browser settings or NoScript, you would have seen the "down for maintenance" page, but due to JS being off the code would not be able to run.

August 07, 2013

To: Webmaster/Website Admin

At the time of writing, I noticed there are 456 posts before mine.

I wonder why the webmaster of this web site did not consider asking users to register and post at http://torforum.org

The current display of posts on this web site appears clunky and disorganized.

Yeah, this blog is a poor forum, I agree.

And we do need a forum.

But we need one that competent Tor people will contribute to regularly, or it will just be a bunch of wrong users being wrong at each other. I have no idea what torforum.org is, or who runs it (hint: Tor doesn't), and that's not a good sign.

See also recent blog posts here about our stackexchange plans.

August 07, 2013

Ashish Garg writes: If we disable javascript, there is no point using TOR because these days we can't open any website without javascript-enabled browsers; we can't log onto Facebook, yahoo etc.

Not all websites use Javascript (although I accept a lot do).

I hope you're not suggesting that people use TOR to log in to sites like Facebook or Yahoo? You SHOULD NOT be accessing any clearnet sites through TOR!

Why not? Well... I don't care about FBshit... but for what purpose should one use Tor if not for anonymity? Why darknet only? Isn't the diversity of users the main pillar of privacy by design here? Really... why shouldn't I use Tor for the clearnet?

Ignore the post above yours. Tor is designed to be used on clearnet to allow you to browse the internet anonymously. Probably the majority of users use it that way, to visit regular websites. That is why they leave javascript on by default.

Plenty of people use Tor to log in to Facebook. Even if they're ok telling Facebook what their account is, they still don't want Facebook (or somebody surveilling Facebook) to know where they're located currently, and they don't want their ISP to know where they're connecting.

Also, there are whole countries where Facebook is blocked, and many tens of thousands of people use Tor to reach it anyway.

There are many different angles to anonymity, and this diversity is part of what contributes to Tor's security.

August 07, 2013

Do people think that an attack like this one could work against a system like TAILS? As I understand it, this code sends the collected information over a non-Tor connection to the internet, and TAILS supposedly blocks all non-Tor connections to the internet. Or would it be possible to get around that blocking?

In Tails it would have been blocked by iptables rules; however, even if Tails is a lot better structured for anonymity purposes than Windows, no system is safe when an attacker can execute arbitrary code on your machine.

August 07, 2013

If you got the "Sorry, This server is currently offline for maintenance" message when visiting an infected site does that mean you have been exposed or would everyone have seen the message even if their setup was safe from the exploit?

Everyone would have seen the "offline for maintenance" message when the sites were down because, well they were down :-) no matter whether you had a vulnerable browser or not.

August 07, 2013

Not long ago Nvidia released new drivers which didn't like Firefox (BSODs and other stuff); they blamed Microsoft for some old bug or something. Could there be a connection?

August 07, 2013

LOOK FOLKS;

Quit with the idiotic discussions related to Gosh, I'm a poor misunderstood pedophile ... Am I going to prison? ... and How? ... and Why? ... and how can I squirm out of it??? etc., ad nauseam.

The simple answer is YES !!! if you're a God Damned Pedophile ... YOU ARE GOING TO PRISON ... So Just STFU and accept it.

Apparently nobody spent the time to teach you the basics of ABSOLUTE MORALITY ... a quaint custom Wherein Children are both innocent and worthy of Actual Love ... That means that you are almost certainly a Progressive Democrat, possessed of Relative Morality, which means that we can get along without your presence quite nicely.

As far as the rest of us are concerned, The REAL and only serious problem is the loss of TOR MAIL.

With the known death of Freedom Hosting and the catastrophic (and permanent) demise of Tor Mail, it is incumbent upon some TRUSTWORTHY organization to reincarnate Tor Mail as quickly as possible.

That organization ... MUST, ABSOLUTELY, BE TOR ITSELF.

There is NO OTHER anonymous email service in existence that can take its place and there is NO service provider OTHER THAN TOR that will be TRUSTED to carry on the name, particularly since, should TORMAIL suddenly reappear on the Onion network, it will be assumed (correctly) to be controlled by the NSA and FBI.

TOR will never be compromised by the Intelligence Mega-plex, simply because they use it themselves ... a fact recently illustrated by the effective destruction of the Dot-Onion network NOT associated with TOR itself.

TOR can accomplish this in less than Two Weeks ... Kindly Do So.

TemplarKnight@tormail.org ... At least, that's who I used to be.

http://arstechnica.com/tech-policy/2012/06/fbi-halted-one-child-porn-in…

>wangstramedeous | Ars Praetorian Tue Jun 12, 2012 1:55 pm

>Child pornography is a symptom of a larger malaise in society, namely child abuse and exploitation. Simply putting so much emphasis on one medium of distribution (media delivered via the internet) suppresses and ignores what is going on all around us. Really, it's a snapshot of a reality that is part of the fabric of society. Destroying the evidence of it in one aspect does nothing to address it.

>It is simply an act of making unseen what is clearly a problem more widespread and larger than people looking at videos and pictures. Even if we were to imagine that we wiped out every single cache available online, it ignores that one of the most vulnerable segments of our population is still being exploited. The lopsided nature of policies targeting people that consume the media vs people who actually engage in abuse belies this.
.......

http://news.cnet.com/8301-13578_3-9899151-38.html

>by PzkwVIb March 21, 2008 4:55 AM PDT

>If people are abusing children and producing child porn, then go after them. [...]downloading such material does not harm a hair on a child's head. [...]Making possession, which on the net can even mean hidden thumbnails on web pages, is just plain Stupid.
[...]

>but as a law enforcement official or a politician you get the same boost in popularity if you go after the easier to catch people than the ones actually harming children.
_________
It would seem to me that the more people who view "pedo/CP" material and sites, the more chances for predators to be exposed and their victims identified.

I am fairly certain that at least one child-rapist is now, finally, behind bars as a direct result of evidence I saw at a "pedo"-oriented site and acted upon. Yet both myself and the people who cooperated with me put ourselves at risk in coming forward and presenting the evidence.

"Sunlight is the best disinfectant."

"The love between men and boys is at the foundation of homosexuality. For the gay community to imply that boy-love is not homosexual love is ridiculous." - "No Place for Homo-Homophobia.", San Francisco Sentinel, March 26, 1992

"Shame on us if our lesbian/gay voices remain silent while our NAMBLA brothers are persecuted once again, and shame on those lesbians and gay men who will raise their voices to condemn NAMBLA, insisting that boy lovers (and presumably the boys they love and who love them) are not part of this thing called the lesbian/gay community."
- Steve Hanson, "Shame on Us.", Bay Area Reporter, January 23, 1992

"NAMBLA is by no means on the fringe of the "gay rights" movement. For years, it was a member in good standing of the International Lesbian and Gay Association (ILGA), and was only jettisoned by ILGA when the parent organization applied for United Nations consultative status in 1993. Years earlier, the ILGA itself had resolved that "Young people have the right to sexual and social self-determination and that age of consent laws often operate to oppress and not to protect." "
- http://www.lifeissues.net/writers/clo/clo_09homosexuality.html

Note that the "love" being referred to in the above quotes is little more than an Orwellian euphemism for the buggering and sodomizing of tender youth by adult males.

(This is particularly disturbing when one considers the distinct physical as well as psychological disadvantage that the *receptive* partner in anal penetration is placed at: The bulk of the considerable risk of deadly infection as well as injury, ALL of the pain, discomfort and inconvenience that are endemic to this act, etc. )

"Note that the "love" being referred to in the above quotes is little more than an Orwellian euphemism for the buggering and sodomizing of tender youth by adult males."

What is your agenda here? Do you know all of the people in question personally, and know for a fact it's all anal rape? Because you couldn't be more wrong, and that's a fact. Your claim is as silly and misinformed as saying that all love between man and woman is limited exclusively to him sodomizing her and nothing else.

The love referred to in the quotes above is what it should be: admiration, emotional comfort, having feelings for each other. What's wrong with that? Just because you can't imagine love without sex doesn't mean everyone else is like that. And I don't claim sex can't be involved in this kind of relationship, but it can go both ways, with the younger partner being in charge. But sex is not required for love. You are taking the worst criminals, rapists and molesters, and projecting their deeds onto an entire group of people, because you don't understand them, and because they can't defend themselves, due to current laws. Try to say the same about black people or women, that they only rape each other and know no love... let's see how you'll fare then.

What's disturbing is your comment and the way you twist facts to show other social groups as subhuman. Do you only rape your women/men? No? Neither do the people you accuse, in most cases. There are a few bad sheep, but aren't they common in all social groups?

I'm sorry for being off-topic here, but a voice of common sense, reason and simple human compassion was necessary. Even so, my defense of those who deserve defending will be seen as 'pedophile defense', so thank God for TOR and the freedom of speech it enables.

August 07, 2013

Sorry if it was already asked, I can't find it. Is there any reliable information on what date the exploit could have been online for the first time?

You mean either you didn't look at all, or you didn't look very hard, as the answer is posted a mere 18 posts above, users...

"As far as I know from what I have been reading is that it could be no less than 1 week but likely closer to 2 weeks before Aug 4th."

The poster is asking for 'reliable information'. Where did the 'two weeks before 4th August' info come from? Can the original poster provide a link?

The exploit caused browsers to crash out, so I guess it can't have been too far in the past. When did Tormail users start spotting issues?

August 07, 2013

Interesting coincidence that the big terror alert in Yemen coincided with the Tor exploit. All the talk is about CP sites. But was the exploit used against terror sites too? Or were they the real target and the CP sites "bonus"? Was the breach of Tormail related to the terror alerts???

If I had to pick my conspiracy theories, I'd be more inclined to guess that the timing of the Yemen publicity is more related to the "should we allow NSA to do this surveillance stuff" arguments that America is having right now.

August 09, 2013

In reply to arma

I do not like that Vendetta movie, but it's really like "... and now we show you how much you really need us".

August 07, 2013

I've read through all of the above comments, and one of the questions I still have is in regards to the mechanism that this exploit uses to send the gathered information back out through the clearnet. Does it have its own means to access your internet connection? Or does it use your existing browser to send the information? If the latter, would running an updated version of FF (such as v22) block this on the way out, or does the version only matter on the way into your system? TIA for anyone who answers.

Also, in spite of all of those who want to blame those of you at TOR for this, thank you for all the hard work you've done.

>>Or does it use your existing browser to send the information?

I am not a techie. However, my understanding is that this exploit sent this info back via the Firefox browser. It would not (and in fact could not) access your internet connection separately.

>>If the latter, would running an updated version of FF (such as v.22) block this on the way out, or does the version only matter on the way into your system?

The exploit does not work in Firefox 17.0.7 ESR or Firefox 22.0. See here -

https://lists.torproject.org/pipermail/tor-announce/2013-August/000089…
https://www.mozilla.org/security/announce/2013/mfsa2013-53.html

The exploit was able to run its own machine code (like an .exe) and used Windows OS functions to make a direct connection, the same way any other software on your machine does (including browsers, email, etc.). The updated versions would have blocked that code from running in the first place.

August 07, 2013

From another forum.

It seems to me like there are two possible reasons for this attack. First, I find it very plausible that the NSA already knew who owned Freedom Hosting. In fact, I think the owner claimed he became worried when he read about the Snowden leaks and then started researching Russian visas, thinking he might flee. Incredibly convenient time for the authorities to suddenly figure out who he was and make an arrest.

I think the NSA knows that what they're doing is very illegal and unconstitutional, and perhaps they're going to go on a rampage using the system for all it's worth while they can. As usual, they'll just break the law as much as they want to get an arrest and then apologize for it after. But unless convictions are overturned and the parties responsible are put in jail for circumventing the constitution, nothing will change. It'll just be a game of political musical chairs and all the people they screwed over will remain in prison. They figured out long ago that whether it's invading a country, overthrowing a government, bombing a thousand people to kill one suspect, or misapplying the law like at the G20 in Toronto, it's all good so long as you've done what you needed to do by the time the truth catches up with you.

Secondly, it seems this may have also been more of a PR campaign. "Yes, we're invading everyone's privacy and turning the world into an Orwellian state, but look at all the children we've saved from being exploited!" You've got a problem with using dirty tricks to go after pedos?! Unfortunately this kind of propaganda works on an alarming number of people. Every time the American government does something awful they always find a boogeyman to garner public support.

I would also like to point out that this appears to be the second time that Firefox has "accidentally" done something that allowed their browser to be exploited by a third party in the name of fighting child porn. The first time it was a little more targeted, but also a little more obvious that someone at Mozilla was in on it. This time it was an entire host rather than one website.

August 08, 2013

Here's an interesting question that doesn't appear to have been raised (apologies if it has and I've missed it): does the "phone home" exploit identify which website(s) a person visited to get it?

August 08, 2013

Excuse me if this has been asked and answered already. Is it safe to say that any browsing using Tor prior to the date of Marques's arrest (i.e. therefore prior to the appearance of the "down for maintenance" pages on FH-associated websites) was unaffected by the malware?

No.

Very little is known about how the exploit was deployed, or when, or if they knew about the Firefox issue before it was announced by Mozilla. They could have been capturing IP addresses for weeks before the arrest (but this is unlikely - the exploit caused browser crashes).

People are assuming it's just a recent thing and Firefox 17.0.7 ESR Windows users are safe.

Does anyone know better than this?

Well, Firefox 17.0.8 was released this week.

Fixed in Firefox ESR 17.0.8

MFSA 2013-75 Local Java applets may read contents of local file system
MFSA 2013-73 Same-origin bypass with web workers and XMLHttpRequest
MFSA 2013-72 Wrong principal used for validating URI for some Javascript components
MFSA 2013-71 Further Privilege escalation through Mozilla Updater
MFSA 2013-69 CRMF requests allow for code execution and XSS attacks
MFSA 2013-68 Document URI misrepresentation and masquerading
MFSA 2013-66 Buffer overflow in Mozilla Maintenance Service and Mozilla Updater
MFSA 2013-63 Miscellaneous memory safety hazards (rv:23.0 / rv:17.0.8)

https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html

Fair. Any idea why the pages would have all gone offline at the same time if it wasn't related to the deployment of the exploit? You'd think there wouldn't be a lot of incentive on the part of whoever was controlling them in Marques's absence to have them go down.

August 08, 2013

There is a list of all the sites affiliated with Freedom Hosting. If the governments have access to the servers, would there also be logs on them? How much would be logged by FH?
Thanks.

>>would there also be logs on them? How much would be logged by FH

Who knows. There might be logs. However, even if there were logs, so what? This is TOR, remember. If, for instance, an onion site logged the IP addresses of computers accessing said site, the IP addresses logged would be those of the last person in the TOR chain, not the IP address of the actual person getting their mail/drugs/cp. Therefore useless to LEA (or whoever else might want it).

August 08, 2013

Lavabit mail is down for maintenance the whole day. The mail service isn't working. Can it be somehow related to this stuff? Did those nasty pigs go crazy? Are they going to shut down the whole internet because of a bunch of other pigs?

August 09, 2013

In reply to arma

Hi and thanks for the reply.
The Lavabit shutdown really surprised me... as well as all the mess that happened recently. It seems all the funnier when you go outside and see happy people living their peaceful lives in a democracy. It's a really depressing sight.

August 08, 2013

Besides the obvious (disable Java, JS, Flash, etc.) the one big takeaway from this incident should be:

DO NOT HOST IN WESTERN NATIONS!!

Do not host anywhere that has extradition laws established with the US/UK. Host in BRICS nations, nations hostile to the West, or countries that have a history of snubbing copyright law.

August 08, 2013

For everyone blaming TOR, the issue really wasn't TOR's fault but Firefox's. In addition, when you buy a deadbolt for your house, it ships unlocked. It's up to YOU to install it and LOCK IT. The option to turn off JavaScript was always there for you before you went to an onion site, default on or default off. So stop your crying because you visited questionable content.

No, the fault was with whoever decided to enable JavaScript BY DEFAULT in TorBrowser. This was a very short-sighted decision and the Tor team should really have known better. You don't make security software and then fuck everything up with bad choices like these. If some retards want to enable JavaScript they can do so, at their own risk, exactly as they can disable Tor altogether if they don't care about their privacy being compromised.

The "stop your crying because you visited questionable content" is just a dumb sentence, since most people, if not everyone, who uses Tor wants to view and/or produce questionable or unlawful content, and this does not automatically mean "right" or "wrong".

Bullshit, most people who use Tor don't have a clue how things work. Just because it was always there doesn't mean it is ok, because torproject is claiming to protect people's privacy.

Remove these claims from the torproject frontpage and nobody would say shit.

Anonymity Online

Protect your privacy. Defend yourself against network surveillance and traffic analysis.

Tor prevents anyone from learning your location or browsing habits.

Tor is for web browsers, instant messaging clients, remote logins, and more.

Doesn't fucking work that way when you enable JavaScript by default now, does it?

The content that people choose to browse is completely irrelevant. Tor developers changed the default setting of NoScript, encouraged all its users to browse with JavaScript enabled and justified it as making them more anonymous. Do you know how many past Tor exploits relied on JavaScript? Every single one of them.

When the torproject team openly lies, it makes you wonder what else they are doing behind your back and what else is hiding in their code.

August 08, 2013

At least 1.1 to 1.2 are reportedly needed to access websites configured with Elliptic Curve Ephemeral Diffie-Hellman cipher suites, which are needed to achieve perfect forward secrecy (PFS).

Firefox 23 just bumped TLS 1.0 to 1.1, and version 24 will have v1.2. It is distributed with 1.0 and you have to use about:config to manually set it, because they removed the encryption selection tab in advanced options in this version.

Are similar TLS upgrades planned for versions of Tor Browser? If not, should they be?

RT is reporting that Lavabit voluntarily shut down the site because they refused to give in to government pressure regarding the Snowden case. Apparently they knew Snowden had an account there and went after the site owner. Gotta applaud him for not giving in. More than I can say for Skype, Hushmail, Hidemyass etc.

Now I'm wondering if the Freedom Hosting takedown was also related to Snowden. Hell of a coincidence.

August 08, 2013

If someone uses IE/Firefox/whatever for "normal" browsing, and uses Tor for anything that they want to be private (whatever that may be: banking, specific private correspondence, etc.), and browses in Tor with scripts disabled globally, is there any way in which the JavaScript exploit could have compromised the intended privacy? Let's assume that this is with an outdated version of TBB. If, when browsing using Tor, all other browsers were closed and scripts were disabled, would there have been anything else that could have enabled the exploit to work? In Task Manager at any given time there are all sorts of items that communicate with the outside world (divxupdate.exe, as an example). When I use Tor I try to take care to shut such items down, but you never know. I understand that with scripts disabled the exploit technically probably didn't work, but is there any other way in which the computer could have been compromised in the process by the exploit?

Sounds like you should be ok, at least against this exploit.

(See higher up in the comments where I answered the same question.)

Please learn the difference between privacy and anonymity. Tor is not made to protect your privacy; it is made to protect your identity, i.e. provide anonymity for you. You may use it for private matters too, but in that case you are trusting the exit node owner not to launch a man-in-the-middle attack against you. In general: do not use a Tor connection to do private stuff.

No, this is poor advice.

These words 'anonymity', 'privacy', and 'security' are basically synonyms -- you need to understand what the security properties are and what threats Tor defends against (and doesn't defend against).

You might like the explanation in my "Internet Days" talk: see item g at
https://decvnxytmk.oedi.net/docs/documentation#UpToSpeed

Using a Tor connection to do private stuff is totally reasonable. But if you're not using end-to-end encryption and authentication on today's Internet -- **whether you're using Tor or not** -- you are in for some surprises.

See also
https://svn.torproject.org/svn/projects/articles/circumvention-features…

August 08, 2013

I'm not sure which is more baffling and disturbing:

a) The fact that neither arma nor any of his colleagues have addressed the glaring, utter CONTRADICTIONS between a number of his posts here regarding JavaScript and what is stated at
https://decvnxytmk.oedi.net/docs/faq.html.en#TBBJavaScriptEnabled ,
or,
b) The fact that no one besides myself seems to be bothered by a) (or even /noticed/ it)

https://trac.torproject.org/projects/tor/ticket/9387

I skimmed and did a Ctrl-f for "faq". Nothing.

Incredible. Absolutely incredible.

Yeah, we should fix the faq. It's outdated in a variety of ways. Plus there's an old FAQ on the wiki that still needs more love.

Help us make our documentation useful, accurate, and up-to-date!

August 08, 2013

PEOPLE!

I CAN'T BELIEVE YOU'RE SO STUPID!

Please read why:

This is one of the methods how to trace back owners of tormail:

[root@bsd ~]# dig tormail.org MX

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> tormail.org MX
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54154
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;tormail.org. IN MX

;; ANSWER SECTION:
tormail.org. 2203 IN MX 15 backup.incoming.tormail.org.
tormail.org. 2203 IN MX 10 incoming.tormail.org.

;; Query time: 338 msec
;; SERVER: 255.255.255.0#53(255.255.255.0)
;; WHEN: Thu Aug 8 11:00:06 2013
;; MSG SIZE rcvd: 77

So if you had the legal power to trace, you could trace the owners of these 2 servers (for some reason they still respond to ping). So what the feds had to do is just go to those machines, install appropriate software and wait for the fish. Everybody knows that you can't keep a server secure if someone has access to the physical machine, AND ESPECIALLY IF SOMEONE GOT ACCESS TO A PHYSICAL MACHINE ON WHICH YOU NEVER HAD FULL ACCESS. So what I'm saying is that I'm not surprised that they got caught. It was just a matter of time before this was supposed to happen.

Yes, fucking feds and their ass kissers destroyed a lot of stuff, not just stuff, but lots of great and very useful stuff, and because of that I'm very very sad, but on the other hand, it is good that they raided them because YOU CAN'T RUN ONE OF THE MOST ILLEGAL THINGS ON THE PLANET ON -> SOMEONE ELSE'S RESPONSIBILITY <-. If you have a good plan and want to make it into a real thing, then you need to learn how to do that yourself. As a person with 15 years in IT security I can only advise you NOT to run anything illegal on Windows or Linux. Choose OpenBSD. Go and read for yourself why.

Also the security of your server/servers should be higher than that of banks or super secure government agencies. If there is an information leak they could still survive, but what happens when someone gets your IP address - can you?

Good luck.

August 08, 2013

I have version 10.0.10 ESR.

According to WhatIsMyBrowser.com, my JavaScript is disabled. I have NoScript running to block scripts globally. However, I noticed that my Firefox still has the 'Enable JavaScript' box checked. Does NoScript override that? It would seem that it does, but I thought I should ask anyway.

Yes, that is how it should work with NoScript. That lets NoScript allow through whitelisted sites that you want to be able to run scripts while blocking everything else. If Enable JavaScript is unchecked, the whitelisted sites would get blocked too.

August 08, 2013

Sometimes when you hit the S button to disable scripts globally and you then move to a different page, there is a separate time that you have to tap the button to specify whether you are willing to allow "about:blank". Of course, by the time you get that, you're already on the page where you need to specify it. Here's my question: does that limit the effectiveness of the block on this particular malware script? If you were using an earlier version of TBB, had selected the "forbid scripts globally" option, but still had this "allow about:blank" issue on various pages, does that somehow eliminate the protection that you were supposedly afforded by having selected the "forbid scripts globally" option in the first place? Thanks.

August 08, 2013

Hi, is there any difference between having checked "forbid scripts globally" on the "S" icon through NoScript and having disabled JavaScript through options? I ask since on "normal" Firefox, if you enable NoScript and then go to about:config and search for "java", it seems that JavaScript is still enabled. Does the NoScript function just serve as a redundant blocker of scripts, i.e. NoScript and disabling scripts through Firefox are like having two separate locks on your door? Or is one better/more secure than the other, and did one offer better protection against this exploit than the other did?

August 08, 2013

" Sorry, your query failed or an unexpected response was received."

Appreciate your timely and reasonable responses to all this chatter. Just launched TBB and received this reply. Tried to relaunch a couple of times; never seen it before. Your thoughts?

August 08, 2013

If someone ran a relay in the Tor network, would they be at risk? Exit nodes get raided all the time.

August 09, 2013

So LAVABIT was raided too ... and is down.
Those server shutdowns are really going nuts. This is not just about some CP on the deep web. This is about ordinary people too, and I think that it's really time that those stupid masses get what's going on. In the US a new Nazi state is just forming, with one race which is dominant. They have it written even in the constitution.

This is on their website now:

My Fellow Users,

I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.

What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me to resurrect Lavabit as an American company.

This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

Sincerely,
Ladar Levison
Owner and Operator, Lavabit LLC

Defending the constitution is expensive! Help us by donating to the Lavabit Legal Defense Fund here.

>>This is not just about some CP on deep web.

In view of the fact that Lavabit and Silent Circle have suspended operations it's looking increasingly likely that it was about getting access to TOR...

I read that about Silent Circle yesterday ... it's just crazy. I questioned how it is possible that one country can do whatever it wants under the flag of empty words like democracy, justice and blah blah blah... then I watched Jacob Appelbaum on some German TV speaking with some political dudes and realized... that many countries are ruled by a bunch of old and stupid cocks... and this is it. The most sophisticated answer to every question in the universe...

And another question is... what email service can I now use instead of the lost Lavabit?

August 09, 2013

So, if I'm right, to clarify:

1. If you've been running TBB with NoScript set to block ALL scripts then you are safe regardless of TBB version.

2. If you've been using the latest TBB then you are safe since June 26th, but we don't know how long prior to that the vulnerability was being exploited, and you may be at risk if you allowed JavaScript.

3. If you've been using an old pre-June 26th version of TBB and had JavaScript enabled then you have been compromised.

The assumption is that this vulnerability has only been exploited recently, because an ongoing exploitation (i.e. pre-June 26th) would have been 'spotted', considering how quickly the community has unravelled it in the last few days.

1. Yes

2. If you updated your version of TBB then you'll be safe (from the date you updated it) even if you had JavaScript enabled.

3. Yes

Your assumption seems reasonable.

I'm not sure about the assumption. For quite a few months I've noticed that if I (stupidly) had left JavaScript turned on and if I was on a Mac, then I would get some random browser crashes while surfing that I never noticed when on the PC.

Each time it would happen I would (a) curse at my stupidity for turning on, and then forgetting to turn off, JavaScript, and (b) not grasp the significance of why I was having no troubles on Windows.

You don't say what operating system you're running on your Mac. If it isn't a version of Windows then your crashes weren't caused by this exploit, as it only targets the Windows operating system.

(Although you didn't specifically say so, I'm presuming that you only enabled JavaScript on your Mac and that's why you didn't "grasp the significance of why I was having no troubles on Windows.")

When you say "random browser crashes while surfing" you are talking about using TOR here, aren't you? Not browsing the net normally using an ordinary browser outside of TOR?

Imo, if this exploit had been on the loose for some time (and if it consistently causes browser crashes/closures when running) then the subject would have come up for public discussion, as quite a lot of people would have been affected. And that's not the case.

August 09, 2013

I'm glad I always used standalone Tor in conjunction with whatever networked apps I deem appropriate - not just browsers - rather than the so-called bundle. This last attack report has only confirmed my views once more, as well as the Tor devs' ill-founded insistence on having users' browsers default to scripting enabled, even after proven targeted attacks have emerged!

Please don't even start to say that I'm any less secure by configuring my own browser myself (no Java, no JavaScript, no scripts at all indeed, DNS properly guarded etc. etc.) than if I were merging with the flock. It's the exact opposite.

Tor once used to be nice innovative technology, but I feel the Torproject has been going the wrong way for too long now. Not that their people are bad, only, I think, somewhat misguided.

IMnshO the TBB should be stopped immediately and R&D should, again, focus on the core Tor system, including: use of UDP, decoy traffic, fixed-length cells, randomized delays...

--
Noino

August 09, 2013

haha a bunch of pedos in this thread are scared to death. And you should be! 99% of all Tor users use it for ILLEGAL stuff. Otherwise why use it in the first place?

August 09, 2013

In reply to arma

Ok, but if they are legit users like those listed in the link, why would they be scared to death that they have been hacked?

I liked the way they phrased the answer in the NSA whistleblower talk at 29c3:
http://events.ccc.de/congress/2012/Fahrplan/events/5338.en.html

"What do you have to hide, because you haven't done anything wrong? You don't get to decide what counts as wrong. They do."

By your logic we should all be fine and happy that the NSA and other governments are building enormous databases about everything, because after all "we haven't done anything wrong." They get to decide *after the fact* what they want to look for and what counts as bad. And nowhere in the process do you get to try to explain to somebody why they are confused and actually you didn't do anything wrong.

If the government can build these databases then they WILL eventually abuse them (if they're not already).
Young people may blindly believe (as most do) that at any given moment the human race is at the height of fairness and enlightenment. It's just a matter of time before the next great "victimization" occurs.

This is a country that committed genocide against the Native Americans, got rich off of kidnapping Africans and turning them into slaves, rounded up Japanese and put them in internment camps, jailed people who didn't fight in various wars when conscripted, made it illegal to refuse to salute the flag or recite the pledge of allegiance, and went on a witch hunt to persecute those who they suspected of being communists.

How do you think a presidential candidate is going to fare 10 years from now if his first order of business is going to be to cut the budget of the massive security complex once elected? This is the END of a democratically elected government in this country. Not that what we've had the last 14 years has been entirely on the up and up!

The other thing is, even living in a democracy... but what is democracy? A bunch of people, and more than half of them choose the leader. But there is no guarantee that this half is educated properly and cannot be manipulated by the media, for example. If you have some media, connections and money under your finger... it's no problem to create an alternative reality for those people. And democracy becomes a funny word. Formally it is democracy... but it can be a tyranny simultaneously. The biggest problem is people think that democracy is something magical... but it's just another system created by humans... and therefore it isn't perfect... as with any other system made by people.

"A bunch of people, and more than half of them choose the leader. [...] If you have some media, connections and money under your finger... it's no problem to create an alternative reality for those people."

So true bro, that's the best way to describe what they are doing to ignorant people: an alternative reality.

Agreed about the historical abuses of the US government - but you forgot to mention that *right now* the government is circumventing its *own laws* by holding hundreds (including children) captive in Cuba without trial - and many have already been shown to be innocent of any wrongdoing but were simply in the wrong place at the wrong time.

August 09, 2013

Ok ... these are my facts:

1. I was running Firefox 17.0.7 and had JS allowed.

2. Had crashes visiting FH sites.

3. As far as I understand, these crashes are unrelated to the exploit since I had the patched version of Firefox (17.0.7).

4. I am safe of the exploit regardless I had JS enabled since i was running FireFox 17.0.7.

Am I right?

Thank you.

Yep.

Now, you weren't magically safe from other potential vulnerabilities in Firefox. The crashes could have been from other attacks for all we know.

Speaking of which, you should upgrade your TBB (Firefox 17.0.8 is now out).

Following on from this: I downloaded Tor on June 23, yet it was 17.0.7. But this seems to contradict the formal release date of 26 June.
When was 17.0.7 actually released?

Released on June 25, but the original directory was made on June 23.

I assume you didn't actually download it on June 23, but rather you're looking at the timestamp on your filesystem.
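The same question ("I was on version X, am I safe?") comes up repeatedly in this thread. The helper below is an added example, not code from the Tor Project; the only facts it takes from the advisory are that the bug was fixed in Firefox 17.0.7 ESR and that 17.0.8 ESR was the current release at the time. "patched" here means patched against this one bug, nothing more, and the JavaScript flag only reflects that this particular exploit is delivered through JavaScript.

```python
# Added example (not Tor Project code): classify a Firefox ESR version
# string against the fix described in the advisory.

FIXED_IN = (17, 0, 7)      # the advisory: fixed in Firefox 17.0.7 ESR
RECOMMENDED = (17, 0, 8)   # the current ESR release at the time of the thread


def parse_version(s):
    """Turn '17.0.7' or a bundle-style '17.0.7.4920' into a tuple of ints.

    Tuples compare lexicographically, so (17, 0, 7, 4920) >= (17, 0, 7)
    as expected. Non-numeric input raises rather than being guessed at.
    """
    try:
        return tuple(int(p) for p in s.strip().split("."))
    except ValueError:
        raise ValueError("not a numeric dotted version: %r" % s)


def assess(version_str, javascript_enabled=True):
    """Return (status, update_advised) for a reported Firefox version.

    status is one of:
      'patched'               - contains the fix, JS setting irrelevant
      'unpatched-but-js-off'  - the exploit needs JS, but the bug is there
      'vulnerable'            - old build with JS on
    update_advised is True whenever the build is older than RECOMMENDED.
    """
    v = parse_version(version_str)
    if v >= FIXED_IN:
        status = "patched"
    elif not javascript_enabled:
        status = "unpatched-but-js-off"
    else:
        status = "vulnerable"
    return status, v < RECOMMENDED


if __name__ == "__main__":
    # Versions mentioned by commenters in this thread.
    for ver, js in (("17.0.7", True), ("17.0.6", True), ("17.0.6", False),
                    ("10.0.12.4752", True), ("17.0.8", True)):
        status, upd = assess(ver, js)
        print("%-14s JS=%-5s -> %-22s update advised: %s" % (ver, js, status, upd))
```

Note that `unpatched-but-js-off` is not a safe state: as arma says above, you were not magically safe from other Firefox bugs, and a later bug may not need JavaScript at all. The only answer the helper should ever steer you to is upgrading.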

August 09, 2013

One thing is still not clear to me.
The message "Server down due to maintenance. Please try again in a few hours", or something like that: is that generated by the NSA site?
I noticed in the discussion here that a lot of people got that message even though they were running Firefox or Iceweasel 17.0.7 and wouldn't be affected.
But if that message comes from the NSA, then the exploit ran and succeeded, hence they are compromised, or am I missing something?

It appears that everyone visiting those sites received that message, whether they were, in actuality, compromised or not. There is a difference between seeing the message and being compromised, as users of the updated 17.0.7 version also saw that message but were not vulnerable to the attack.

August 09, 2013

So what are you all guys doing that you are so concerned about privacy. Let me guess, you are all freedom fighters from North Korea? Because I can't imagine you are using TOR to access illegal stuff!

Because you only care about your own butt, living in a "free" country abiding by laws that were made by some "chosen" dudes, does not mean everybody has to be like you. Yeah, it's hard to understand that someone thinks differently than you do, so it MUST be something illegal. I know you feel like the bad one here, therefore you must criminalize those other people so you will look like a good guy.
Yep, there are some "bad guys" that are using Tor services... and there are some "freedom fighters", but telling us all Tor users must be in one of only those two groups tells us that you lack wisdom, and some logic too.

I would say... instead of insulting people just because you do not understand the world you live in... you could study a bit instead. You would be surprised how sometimes the world isn't just "black" or "white". Even with those two colors things aren't so clear, if they exist. Go look at Wikipedia (or better, find some fancy book about colors :)).

So any and all invasions of privacy and mass surveillance are justified because they might catch people who like to look at child porn? Paedophiles have become the modern-day witches, and we are all supposed to accept anything that is done in the name of sniffing them out. IMO *nobody* should be made a criminal simply because they looked at a picture or read an article. Consider that it is a crime to look at an image of a child having sex, but not at an image of a child having their legs blown off by a predator drone. If it's all about child protection, which image is depicting the worst harm to a child? And what harm is caused to *anyone* by the act of looking at photographs of either event? If you enjoy watching movies that depict illegal acts of violence, should you be treated as a criminal?

August 09, 2013

How is it possible to know that the exploit affects only Windows users? I'm asking because I read that all TBBs are identified as "Windows NT". Does the code call a command that runs only on Windows?

August 09, 2013

Before anyone gives me the "check earlier in the thread" stuff, I have, and as yet there still has not been clear data on this (and admittedly, maybe this can't be factually discerned), but when was this exploit initially implemented? End of July, first day of August, first day of January 1937, you know...I had been running the "safe" version since the middle of July, but I know there are many people who updated later and would have a concern.

Don't know is the short answer.

However, what little evidence there is seems to point to it being implemented at the last weekend, when the Freedom Hosting sites were taken down.

The affected sites had a "down for maintenance" message. I'm not clear whether the exploit tried to run when that "down" page was visited or whether the sites were actually down for real and the exploit was only implemented once they were back up (assuming they are back up).

It appears that the exploit (IF it worked on a user's browser and my understanding is that it doesn't work on Firefox ESR 17.0.7) also caused the browser to close or crash and those crashes haven't (I don't think) been reported by anyone prior to last weekend.

Also, if the exploit had been out in the wild for some time (e.g. since mid July) I'm pretty certain it would have been discovered prior to now.

None of this is 100% though. It could be that the exploit has been out on the loose for weeks and weeks.

August 09, 2013

Arma, I see you mentioned somewhere before something about users of TBB on Windows are "screwed"

I haven't seen much mention of people using TBB on Windows so far, so:

I always used the latest TBB version on Windows Vista with JS disabled and saw the "down for maintenance" on Tormail, as others have.

Was I and others in a similar situation safe from this exploit?

Thanks in advance.

Probably?

It sure sounds like whoever broke into the hidden service changed the content to say "down for maintenance". Then when you visit the hidden service, you get the content it serves you. Which I guess included that text plus some javascript.

>>Probably?

From what I understand, IF the original poster was using Firefox ESR 17.0.7, they would have been safe from this exploit (even if they had JavaScript enabled) since the exploit wouldn't have worked on their browser.

Isn't that correct?

August 09, 2013

Hey Arma

Some people said they had a white screen about 3 months ago that said that they were blocked and that their request had been logged when clicking on onion gateways.

Was this an IP grabbing exploit ??

August 09, 2013

I've never visited any .onion addresses using TBB, but could this vulnerability have been exploited by clearnet sites like Google, Twitter, Facebook or other sites using tracking codes from Google Analytics or others or traffic analysis sites, etc. to expose the real IP address of the visitor or would that be illegal/unfeasible/easily detected?

August 10, 2013

In reply to arma

So is it a bad idea to use Tor with the clearnet? I'm really confused now.
I mean... I have an updated browser and GNU/Linux distro and don't need/use FB, Google, Twitter... just old-fashioned browsing/reading...

Most Tor users use Tor to visit normal websites. Hidden services are a toy that we whipped up to show what you can do once you have an overlay network.

In short, keep your TBB up-to-date, and consider following the other advice in the advisory. This whole episode had very little to do with whether it was a hidden service website or a 'normal' website.

August 09, 2013

Question.. wouldn't it make sense to randomize the Tor Browser user agent some? It's not like picking a Firefox 17 user agent 'randomly' on the basis of a statistical distribution of the top 50 or so would break compatibility with any legit sites... heck given the way Firefox is now giving updates barely worthy of a new minor version a new major version number, why not use a pool from Firefox (3.)"10" up to version 133 or whatever they're calling it now?

Do you choose a new random user agent every time you fetch a new page? In that case you look weird pretty quickly, since no normal browsers do that.

Or do you pick from the pool and stick with your choice? In that case you've just made a little mini-cookie for yourself.

I like the idea in theory, but in practice it seems to have some big problems.

August 09, 2013

NoScript not enabled by default on latest version of TAILS just released today (0.20). That is like shipping condoms with pinholes in them.

August 09, 2013

I haven't used TOR within the last month but I haven't updated until today, would I still be affected by this exploit?

August 10, 2013

ARMA, please put back the link. Why not link to https://trac.torproject.org/projects/tor/ticket/9391 (PT TBBs out-of-date)? There are links to the Pluggable Transports Tor Browser Bundles with the new Firefox. New builds have been there for so many days and people generally don't know. Imagine how much harm outdated browsers do to these people, compared to non-automated builds. TOR DEVELOPERS! PLEASE! Users that need PT the most are arguably the most vulnerable people; they need more care than you are showing! Add every working version you can to the downloads, and always note what version of components you are distributing there.

August 11, 2013

In reply to arma

Hello. I tried the upgrade after getting the warning to do so, but I kept getting pop-ups on certain sites. I keep NoScript enabled but have Java working.

August 10, 2013

Can someone please tell me if there are security risks concerning some popular anti-virus programs out there? As I am new to Tor, I will need a basic list of certain companies' plugins to avoid, if there are any to avoid, or a more simplified reason to avoid any downloads with plugins that could be used to identify my IP address. And also, is the TOR BUNDLE DOWNLOAD the security update? The Tor webpage didn't have anything called "security update". Please help.

August 10, 2013

I opened "about:config" in Firefox and changed the user agent string to something completely different than Firefox and Windows NT. Went to whatismybrowser.com and it showed what I had typed in, not Firefox or Windows NT. I wonder if the exploit needed the original entry to execute and would not have executed with my changes.

August 10, 2013

Ok, let me just start off by saying this is probably a really dumb question, so please forgive my ignorance! Anyway, I have never used Tor or the Browser Bundle before, and have never been to an onion website. I just read about this exploit online and was curious about the subject of Tor and the hidden internet (if that is the right thing to call it). So I was browsing through some articles and blogs online about the exploit and one of them had a list of onion sites that had supposedly been affected by the exploit. So while I am scrolling down the page on my iPhone (running the normal Safari browser), my finger accidentally hits one of the links to these onion sites (they were highlighted as links, so if you clicked one of them it would try to open). I immediately hit close, so it didn't have time to open anything. But I am just wondering if there is anything I need to worry about with this. From what I have read over the past couple days, my understanding is that you can't even get to these onion websites on a normal browser, such as Safari. Is that correct? If so, does that mean there is no way this exploit could have affected me? My JavaScript was enabled if that mattered, but I was obviously not using Windows or Firefox.

Right. .onion is a non-existent top level domain. If you type a domain name ending in it in the address bar of a browser which isn't using the Tor network, you will get a message from your browser (not a remote machine) saying something like "non-existent domain". A domain name which ends in .onion only makes sense inside the Tor network. You cannot be exploited because your browser isn't requesting any website. On the other hand, if you browse the Internet without using Tor, your real IP address is already sent to the server; no exploit is needed. This is just how the regular Internet works.

August 10, 2013

Have yet to see a detailed description of the maintenance page. Was the text center-aligned / mid page or located at page top ? Did the reported crashes occur immediately after visit or later ?

August 10, 2013

One of the things I find strange is why the attacker put the exploit on a generic "Down for maintenance" page. Surely, if they wanted to tie a specific Tormail account to a specific IP address, they would have injected the exploit after a login page. At the moment they might have something like Mr X tried to access Tormail, but so did Mr Y, Mr Z and a load of other people. What good is that for gathering intelligence? Something is off. Any thoughts?

1) the exploit code appeared to be in the webserver, attaching the code to every webpage the server sent out, including 'down for maintenance' pages.

2) The sites were down for a few days. Then there was a brief (perhaps 3 hours) period when the websites were reachable, then the 'down for maintenance' page was displayed.

I don't subscribe to the theory that the target was tormail for the reasons you state. I am under the assumption that the hex identifier was formulated to identify the website being visited, and then collect the mac/hostname/ip of the visit into a database for further action. The question is, what is that 'further action'?

August 10, 2013

I am no great techie, but neither am I new to Tor nor totally green about security and keeping private, so I hope this isn't a really dumb question...

First, I updated TBB to 17.0.7.4920 on the 29th of July from 10.0.12.4752, and yes, I updated a few hours ago to .8. This is the first time I've used Tor since I knew about the attack.

It would be my assumption that if your main browser is the main FF (23), TBB would be TOTALLY independent and different from it. Right? (To be clear: all the settings, plugins etc.) So why did my TBB have the same plugins and settings as my main FF, including my whitelist in NoScript? When I just updated I checked these settings and they are now totally independent, so can anyone tell me what's going on or what I did wrong?

August 10, 2013

It wasn't on the maintenance page. It was injected into the normal sites. The maintenance page started showing up after they were rumbled.

August 12, 2013

I'm wondering if I was vulnerable...

I had NoScript fully active, but iframe was unchecked. Would a browser in that configuration have been compromised by this attack?

August 12, 2013

While recently using Tails (0.19/0.20 now) under VirtualBox (yes, I know it is best under CD/DVD, USB) I have found that the real DNS server is listed in connection information as a secondary DNS server. That is, what DNS your host is using. This seemed like it might potentially be exploited for traffic analysis purposes so I reported it to the Tails project.

From looking at /etc/resolv.conf and seeing that it only contained the loopback address, 127.0.0.1, I was assured that everything was okay, unless one uses the unsafe browser in Tails which could make use of the real DNS. The reason for this appearance of the DNS server is due to VirtualBox's DHCP server returning the address to the DHCP client in Tails.

Even though it may not represent a serious security risk, I still find it a little bothersome to see this. You can find this information in Tails by opening "Connection Information" from the network dropdown menu at the top right.

Since I have two actual DNS servers set for my host, I tried first to get rid of the second one by removing it from the host configuration. But then Tails showed my first DNS as the secondary instead inside the connection information. Next, I went to "Edit Connection" in the same menu, and looking at the IPv4 tab I found it set to use DHCP (automatic). I changed this to DHCP (addresses only) and saved the changes (Tails needs to be started with a root password for this). The network connection is immediately dropped and you have to force the connection again in the same menu for the device used. Then upon checking connection information again the secondary DNS is removed. It seems that Tails should come with DHCP set as I have it by default, unless some other reason can be given.

I'm looking into the options in VirtualBox to change DNS proxy/resolver under NAT to try to eliminate this from the start using the VBoxManage command. See http://www.virtualbox.org/manual/ch09.html#changenat for details.

Please feel free to spread this around, others can investigate, or be more paranoid ;)

On top of that, I have to say I'm not impressed that the new Tails still comes with Iceweasel set with JavaScript on, cookies on, and a few security parameters off; NoScript didn't seem to be automatically on at one point or another. It could all be set to off or strict settings by default. Not sure why it isn't!
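A check that follows from the comment above, added here as an example and not part of Tails or VirtualBox: parse resolv.conf-style text and report any nameserver that is not a loopback address, which is the thing you would want to catch if a VM's DHCP server pushed the host's resolver into the guest. The file contents below are constructed for the example; 10.0.2.3 is used only as a stand-in for a DHCP-supplied address.

```python
import ipaddress

# Added example (not Tails or VirtualBox code): flag resolvers in
# /etc/resolv.conf that would send DNS lookups outside the local resolver.


def nameservers_from_resolv_conf(text):
    """Return the nameserver addresses in resolv.conf-style text, in file
    order. Comments ('#' or ';') and unrelated directives are ignored."""
    servers = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "nameserver" and len(fields) >= 2:
            servers.append(fields[1])
    return servers


def non_local_resolvers(servers):
    """Return the entries that are not loopback addresses. An entry that
    does not even parse as an IP is reported too: an unknown resolver
    should be looked at, not silently skipped."""
    suspicious = []
    for s in servers:
        try:
            addr = ipaddress.ip_address(s)
        except ValueError:
            suspicious.append(s)
            continue
        if not addr.is_loopback:
            suspicious.append(s)
    return suspicious


def check_resolv_conf(text):
    """True when every listed resolver is loopback (127.0.0.1 or ::1)."""
    return non_local_resolvers(nameservers_from_resolv_conf(text)) == []


# Constructed samples, not captured from a real Tails system.
RESOLV_TAILS_LIKE = "# local resolver only\nnameserver 127.0.0.1\n"
RESOLV_DHCP_LEAK = (
    "# Generated by NetworkManager\n"
    "nameserver 127.0.0.1\n"
    "nameserver 10.0.2.3   # hypothetical address pushed by the VM's DHCP server\n"
    "search localdomain\n"
)

if __name__ == "__main__":
    for name, text in (("tails-like", RESOLV_TAILS_LIKE), ("dhcp-leak", RESOLV_DHCP_LEAK)):
        bad = non_local_resolvers(nameservers_from_resolv_conf(text))
        print("%-10s %s" % (name, "ok" if not bad else "non-local resolvers: %s" % bad))
```

The commenter's own /etc/resolv.conf was clean and the host resolver only appeared in NetworkManager's Connection Information, so this check only catches the case where DHCP actually rewrote the file; it is a complement to, not a replacement for, switching the connection to DHCP (addresses only) as described above.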

August 13, 2013

No sooner does one download Tor than the devs are urging users to upgrade, citing security vulnerabilities. Wait one week and the current version of Tor will be out of date, the bundle a security risk, Tails no longer recommended. Of course, using the latest version of software is not that smart either; you risk encountering bugs not realized yet.
My browser says "Sorry. You are not using Tor." So I put the IP address from check.torproject.org in the browser and find that it is a torservers.net exit node. Go figure.
The Tor bundle does not include firewall software which could block traffic which is not Tor traffic. IMHO the browser and ALL OTHER SOFTWARE has no business retaining the ability to access the internet directly. Surely all non-Tor traffic ought to be blocked for the session. How on earth did a JavaScript exploit allow packets to be sent outside of Tor? And how well hidden are hidden services now that Freedom Hosting has gone down? How did this happen? If half the onion sites are on Freedom Hosting and the NSA is bulk capturing packets, they're bound to figure it out, aren't they?
And how the hell can one use Tor and stay the fuck away from the USA? I have tried to figure this out; it ought to be straightforward. If Tor can be easily configured to stop connecting to Tor nodes in the USA I will use it again, otherwise I will not trust it again.

August 14, 2013

So does anyone know for how long this attack went on? Couple of weeks, just a few days, or what? I heard the malicious code was discovered just a few days ago (during the weekend I think), but how do we know it hasn't been there prior to that as well? It could be that people who updated a couple of weeks ago and think they weren't affected actually were.

Here's the comment from only a few above yours:-

"Don't know is the short answer.

However, what little evidence there is seems to point to it being implemented at the last weekend, when the Freedom Hosting sites were taken down.

The affected sites had a "down for maintenance" message. I'm not clear whether the exploit tried to run when that "down" page was visited or whether the sites were actually down for real and the exploit was only implemented once they were back up (assuming they are back up).

It appears that the exploit (IF it worked on a user's browser and my understanding is that it doesn't work on Firefox ESR 17.0.7) also caused the browser to close or crash and those crashes haven't (I don't think) been reported by anyone prior to last weekend.

Also, if the exploit had been out in the wild for some time (e.g. since mid July) I'm pretty certain it would have been discovered prior to now.

None of this is 100% though. It could be that the exploit has been out on the loose for weeks and weeks."

August 15, 2013

Hey, I have Tor bundle 2.3.25-8 and it says it's running Firefox 7.0.7. Could I still have been affected??

August 15, 2013

The latest Tor Browser Bundle appears fake: all nodes up a matter of hours, with ridiculous transfer speeds.

August 21, 2013

In reply to arma

The latest release from here, 2.3.25-12. Basically all nodes have up-times of a few hours and the fastest nodes have very high transfer rates, 298 MB/s.

August 19, 2013

No one's really answered this, but put simply: if your browser was old but hasn't had a crash, you should be okay?

Secondly, is there a point at which it has been cleansed server side? By that I mean, could a vulnerable set-up accessing Tormail be okay because the servers have been sorted? Or is the malicious code still active if certain links are clicked?

The Firefox exploit works on any OS, but the payload used in this case works only under Windows.
So Mac users are not affected just because the attacker is too lazy to write the code.

August 23, 2013

I really do not understand why so many people are crying about shutting down javascript by default in the tor browser.

Just use the Tor Browser default setting for general use, making you hide in the cloud of same-setting users.
And then when you plan to visit some virus-laden URL (for instance I like to trace virus upload sites for fun) or when you want to do other secretive stuff, only then, just for that occasion, switch the browser to high defense mode, i.e. turn JavaScript off in NoScript, and of course run Tor in Linux or a VM. Really scared people could also block images.
This way your traffic only looks unique for this special visit, and can only be fingerprinted for that exclusive visit, not tying it to any other traffic that you did in default mode.

Problem solved.

August 24, 2013

All this worrying, for nothing. If you had JS enabled you belong in crowbar motel. And also, if you had JS enabled you would already be there. By itself Tor is NOT safe, and never was. Come on, the Gov designed this thing. I think a couple of months ago someone from the Tor project said flat out that they would help the Gov whenever needed. You are living a false dream if you think Tor alone can protect you. One last thing: if you don't know how to set up your computer and change settings to make your life safer, you got no business on the internet, and that puts you right up there with all the script kiddies that call themselves Anon or whatever; you become a danger to yourself and others.
Now for the real question: WHAT DID YOU DO TO TOR? With the new release, NOTHING WORKS, and I mean NOTHING.

August 24, 2013

Why does TBB use such an outdated major version of Firefox in the first place? The current TBB uses FF version 17.0.8. The current version of FF is 23.0.1; obviously each new version of FF has patched various security issues.

August 24, 2013

I suffered browser crashes / closures when running in Linux in VirtualBox. Is there any problem?

August 26, 2013

Hey arma. I am quite new on Tor, and have some doubts about this exploit issue. I'll try to make YES or NO questions:

I have TBB 2.3.25-8 (17.0.6) running on a VMware VM with WinXP.

1) In the TBB Tools->Options I have disabled the "Activate Javascript" item. Does that mean that all JavaScript is disabled and the malware didn't work if I was on an FH site?
2) I also have NoScript with these options: "Block all objects from non-trusted sites" is enabled, and "Allow JavaScript globally" is disabled. Do those options make a better block against this exploit? Does having JavaScript disabled from Tools->Options make NoScript useless because it is already blocking JS?
3) Is the FF 22 that I have installed apart from TBB totally independent? If I have JS enabled on FF 22, could that let the malware run on TBB, or are the options from TBB independent from Mozilla FF 22?
4) If the exploit had worked: having TBB in a VM, would the exploit have sent the host name and MAC address from the VM instead of sending the host name and MAC from my real PC? I think that the IP is common to both, but the host name and the MAC address aren't.
5) The last time I used Tor was mid July (I know from the last-modified date of the Tor files). The exploit is supposed to have been planted in the last days of July, right?
6) If in the future I want to uninstall Tor, do I just delete the folder? Does it keep files in some registry that I have to wipe?

A lot of questions, but easy for someone who knows about it (I think this will help others like me). Thanks to the one who answers this!!!

September 02, 2013

I update promptly each time I receive an update notice, but JS is automatically turned back on after each update, and I forgot to disarm it with the last few updates. Does this mean I have been compromised? Is there a way of checking whether my PC has the offending code (Windows 7) and how do I get rid of it? I thank you for all the great work done on Tor, but PLEASE SET IT UP SO JS IS AUTOMATICALLY DISABLED.

September 02, 2013

The Tor announcement says "We don't currently believe that the attack modifies anything on the victim computer." So there is no need to reinstall Windows to make sure the script is not still reporting back to whoever?

If I updated promptly but forgot updates turn JS back on and neglected to disallow it, have I been compromised?

September 04, 2013

Hi,
I was on the latest TBB on Tormail. My Vidalia control panel just disappeared leaving the TBB on. No trace in the task manager. Hope it wasn't exploit related.

October 02, 2013

I first downloaded the Tor browser in August this year. The only reason I did was to see if the "Silk Road" website existed; I heard about it as an urban legend, so curiosity got the better of me and I had a look. Yes, it sounds ridiculous, but it's true.
I was also given information that if you want to research subjects or ideas that are not mainstream, the Tor browser doesn't filter them out like other search engines do and you can obtain more info on your given topic.
Surely it's not against the law to USE the Tor browser???
Why are people freaking out about the feds??

October 02, 2013

If I run an old version of Tor Browser, but I disable JavaScript, am I safe?

What if I use a live distro?

Giacomo Casanova