Hidden Services, Current Events, and Freedom Hosting
Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses had disappeared from the Tor network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, that it has been breached, or that attackers have placed a javascript exploit on its web site.
A hidden service is a server, often delivering web pages, that is reachable only through the Tor network. While most people know that the Tor network, with its thousands of volunteer-run nodes, provides anonymity for users who don't want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor also provides anonymity for the server operator.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents and activists, and to protect the anonymity of users seeking help with suicide prevention, domestic violence, and abuse recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and to publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Hidden service addresses, also known as dot onion domains, are generated cryptographically and automatically by the tor software. They look like this: http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository or registry of addresses. The dot onion address is both the name and the routing address for the services hosted at that dot onion. The Tor network uses the .onion address to direct requests to the hidden server and to route the data from the hidden server back to the anonymous user. The design of the Tor network ensures that the user cannot know where the server is located and the server cannot find out the IP address of the user, except by intentionally malicious means such as hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block particular .onion addresses.
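As an added illustration (not code from the original post or from the Tor Project), the following Python shows how a 2013-era 16-character .onion name is derived from a hidden service's key: it is the first 80 bits of the SHA-1 hash of the DER-encoded RSA public key, base32-encoded. That is why no registry is needed, and why a client can check that the key it is handed actually belongs to the name it asked for. The DER blobs below are constructed stand-ins rather than real keys, and the helper names are my own; the real torproject.org address quoted above comes from a key that is not on this page.

```python
import base64
import hashlib

BASE32_ALPHABET = "abcdefghijklmnopqrstuvwxyz234567"


def onion_address_from_der(pubkey_der: bytes) -> str:
    """Derive the 16-character (v2, 2013-era) .onion label from a hidden
    service's DER-encoded RSA public key.

    The label is the first 80 bits (10 bytes) of SHA-1 over the DER bytes,
    base32-encoded and lower-cased. Nothing is registered anywhere: the
    name is a commitment to the key, so whoever holds the key owns the name.
    """
    digest = hashlib.sha1(pubkey_der).digest()
    # 10 bytes -> exactly 16 base32 characters, no padding.
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def _label(name: str) -> str:
    """Strip an optional '.onion' suffix and normalise case."""
    name = name.strip().lower()
    return name[:-len(".onion")] if name.endswith(".onion") else name


def is_well_formed_onion(name: str) -> bool:
    """True if the name is 16 base32 characters (with or without '.onion')."""
    label = _label(name)
    return len(label) == 16 and all(c in BASE32_ALPHABET for c in label)


def key_matches_address(pubkey_der: bytes, claimed: str) -> bool:
    """The check a client effectively performs when it looks up <claimed>:
    the public key found in the service descriptor must hash to the name
    that was requested, otherwise the descriptor is not for that service."""
    return is_well_formed_onion(claimed) and onion_address_from_der(pubkey_der) == _label(claimed)


# Constructed sample "keys": the leading bytes mimic a DER SEQUENCE header but
# the contents are arbitrary. They are NOT real Tor keys (constructed data).
SAMPLE_KEY_A = b"\x30\x82\x01\x0a\x02\x82\x01\x01\x00" + bytes(range(256))
SAMPLE_KEY_B = b"\x30\x82\x01\x0a\x02\x82\x01\x01\x00" + bytes(range(255, -1, -1))


if __name__ == "__main__":
    addr_a = onion_address_from_der(SAMPLE_KEY_A) + ".onion"
    print("key A ->", addr_a)
    print("key A matches its own name:", key_matches_address(SAMPLE_KEY_A, addr_a))
    print("key B matches A's name:   ", key_matches_address(SAMPLE_KEY_B, addr_a))
```

The practical consequence is the one the post draws: an attacker who wants to impersonate a service needs its private key, but an attacker who has compromised the server behind the name already has that key, so the name-to-key binding says nothing about whether the content served is trustworthy.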
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit into the web pages delivered to users. This exploit is used to load a malware payload to infect users' computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix them if we can.
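Because the compromise described above worked by changing what the web server sends rather than by attacking Tor, one check a hidden service operator can run is to compare the scripts in pages actually being served against a known-good baseline. The Python below is an added example, not part of the original post or of any Tor Project tool; the two HTML pages and the function names are constructed for illustration. It records the external script URLs and the SHA-256 hashes of inline script bodies from a trusted copy of a page, then flags anything else that shows up in a later fetch of the same page.

```python
import hashlib
from html.parser import HTMLParser


class ScriptCollector(HTMLParser):
    """Collect every <script src=...> URL and every inline <script> body."""

    def __init__(self):
        super().__init__()
        self.external = []   # src attributes of external scripts
        self.inline = []     # bodies of inline scripts
        self._in_script = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() != "script":
            return
        src = dict(attrs).get("src")
        if src:
            self.external.append(src)
        else:
            self._in_script = True
            self._buf = []

    def handle_data(self, data):
        # HTMLParser hands script contents to handle_data (CDATA mode).
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag.lower() == "script" and self._in_script:
            self.inline.append("".join(self._buf))
            self._in_script = False


def inline_hash(body: str) -> str:
    """Hash an inline script body; whitespace at the ends is ignored."""
    return hashlib.sha256(body.strip().encode("utf-8")).hexdigest()


def collect_scripts(html: str):
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    return parser.external, parser.inline


def baseline_from(trusted_html: str):
    """Build the allow-lists from a copy of the page known to be clean."""
    external, inline = collect_scripts(trusted_html)
    return frozenset(external), frozenset(inline_hash(b) for b in inline)


def find_unexpected_scripts(html: str, allowed_srcs, allowed_inline_hashes):
    """Return (kind, value) pairs for scripts not present in the baseline."""
    external, inline = collect_scripts(html)
    unexpected = [("external", s) for s in external if s not in allowed_srcs]
    unexpected += [("inline", inline_hash(b)) for b in inline
                   if inline_hash(b) not in allowed_inline_hashes]
    return unexpected


# Constructed sample pages (not captured from any real site).
KNOWN_GOOD_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>var pageId = 42;</script>
</head><body><p>hello</p></body></html>"""

TAMPERED_PAGE = """<html><head>
<script src="/static/app.js"></script>
<script>var pageId = 42;</script>
<script>/* constructed stand-in for injected code */ var injected = true;</script>
</head><body><p>hello</p></body></html>"""


if __name__ == "__main__":
    srcs, hashes = baseline_from(KNOWN_GOOD_PAGE)
    print("clean page:   ", find_unexpected_scripts(KNOWN_GOOD_PAGE, srcs, hashes))
    print("tampered page:", find_unexpected_scripts(TAMPERED_PAGE, srcs, hashes))
```

The baseline should be taken from the deployment artefacts or from a fetch made before the incident window, not from the live server after the fact, and the comparison is most useful when run from a separate monitoring host that the web server's compromise cannot reach. The same inline-script hashes can double as `Content-Security-Policy` hash sources if the operator wants the browser to refuse unexpected inline scripts as well.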
As for now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.
EDIT: See our next blog post for more details about the attack.
Comments
Please note that the comment area below has been archived.
Time to move to Qubes on
Time to move to Qubes on LiveCD/DVD!
http://www.twitlonger.com/show/n_1rlo0uu ?
My antivirus didn't detect anything weird going on. Does that say anything about the security of the system? The browser seemed to work normally afterwards...
Your antivirus will not
Your antivirus will not protect you against new exploits or malware.
Anonymous, unless you are
Anonymous, unless you are totally protecting yourself, like with VPN and TOR, it does not matter if that exploit does show your true IP. That is why you use VPN to encrypt all your traffic.
Read this excellent post from the Grugq http://grugq.github.io/blog/2013/06/14/you-cant-get-there-from-here/
Whonix?
Whonix is neither Windows,
Whonix is neither Windows, nor does it know your home IP, so in theory the VM should not be able to disclose it through this security issue. The code is still being examined at the time of me writing this though, so I suppose we cannot be 100% sure of what this could affect.
The vulnerability being
The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7. The vulnerability used is MFSA 2013-53
People who are on the latest supported versions of Firefox are not at risk.
Although the vulnerability affects users of Firefox 21 and below the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack.
This does appear to be
This does appear to be correct.
See https://blog.mozilla.org/security/2013/08/04/investigating-security-vul… for Mozilla's statement.
And see https://vbdvexcmqi.oedi.net/blog/new-tor-browser-bundles-and-tor-02414-… (dated June 26) for when we put out the patched bundles.
TOR gave in to the internet
TOR gave in to the internet cops.
wouldn't you for a few million dollars???
TOR IS NOT SECURE.
they only shut down the
they only shut down the biggest pedo host in the tor world.
No they didn't there are
No they didn't there are sites that have more GB's than everything combined on "Freedom Hosting" and "Freedom Hosting" had also a lot of legit sites like TorMail.
Oh really?
I think they targeted FH
I think they targeted FH because it would inflict the most noticeable, immediate damage on the Tor network.
I hope my Tormail address is not gone permanently.
wait when will these
wait when will these websites be back up like tormail & also will the cops see everything?
So what does this mean for
So what does this mean for the people who legitimately used TOR mail for social purposes, and had nothing to do with the criminality in question?
That's probably why FH had
That's probably why FH had so much of it. They used TorMail and other legit sites as a cover if you will. (Sorta like Prohibition-era mobs running speakeasies beneath, say, bookstores)
They have also revealed a
They have also revealed a Firefox exploit which presumably affects the tor browser bundle. That's the relevant news here. We've got to know about that exploit, so now we can expect that bug in Firefox to be fixed.
Also it's a nice reminder: web browsers tend to have critical bugs in them. JavaScript engines are becoming more and more complex, and thereby the number of critical bugs in them grows continuously.
Of course, there is nothing really surprising in this. Like most developers, the guys developing Firefox tend to focus more on implementing new features and improving performance than on making their product as secure as they can make it. It is just more fun to do something that has some effect on the user experience than to review lots of code.
100% agreed
> It is just more fun to do
> It is just more fun to do something that has some effect on the user experience than to review lots of code.
Yup. As funny as running firefox on a 512MB machine with a slow CPU, or even building\installing 100+ dependencies. And with no alternative, since rendering engines nowadays are also complex and fat, which automatically increases entropy, i.e. increases the probability of a bug.
Firefox binary is larger than my system kernel.
What about Midori and
What about Midori and QupZilla?
Anyone who's used these delightfully fast and light browsers would surely understand my wishing that one of them could be adopted for Tor use (as well as be made to be at least as secure as Firefox for ordinary browsing; offer NoScript functionality, etc.)
So the canary died. And you
So the canary died. And you sit in your coal mine with a smug grin on your face lighting your cigarette? Quite narrow minded if you ask me.
The canary did its job. Now,
The canary did its job. Now, to work out how the canary might not have died, and adjust designs / practices accordingly. That's how these things work.
I'm minded to think that if an anonymous community arises such as the Tor hidden services community, that community can either police itself, or expect to be policed. We didn't bother worrying about the fact that Tor hidden services were being used for the distribution of child pornography, so someone else worried about it for us. Is everyone really that surprised by this?
I think it's more that we
I think it's more that we didn't worry that it *could* be policed... Time to change infrastructures to one they don't own.
/r/darknetplan
Best comment, by now! The
Best comment, by now!
The crux of the matter is the fact that many gullible people here and elsewhere haven't been caring about who runs, funds and developed Tor in the first place, and how those people are not what they pretend to be.
Remember the interesting
Remember the interesting experiment that was Bianca.com?
And silk road is probably
And silk road is probably next, and after that, maybe whatever you use tor for.
KP is an excuse. They just
KP is an excuse. They just want to "regulate", and unless there will be severe push back, today is the first day of Tor's demise. So unless it will be fortified ten fold, Tor is done for, and it is time to develop a new, secure, free world, detached from oppression of thugs.
How dare the they identify
How dare the they identify and take down a site that knowingly stored and served child porn!
It's much better now that
It's much better now that they can't find the evidence of the child abuse that keeps happening, don't you agree?
Except in all likelihood;
Except in all likelihood, the child porn servers were being run by the FBI themselves to discredit Freedom Hosting. It's not as if it has not happened time and time before:
http://www.breitbart.com/InstaBlog/2013/05/30/FBI-Ran-Pedophile-Ring-to…
It's a simple tactic; you try to publicly accuse person/company x of doing something society overwhelmingly condemns, in order to trash their public reputation; no one will then dare criticise the actions and the huge holes in the flawed accusation, for they will fear they will themselves be accused of condoning such activities person/company x was accused of.
Anyone can find what you are
Anyone can find what you are talking about in the torrent.
it's attack of vulnerability
"Anyone can find what you
"Anyone can find what you are talking about in the torrent."
What torrent?
No, the demise of Tor is not
No, the demise of Tor is not imminent. The Office of Naval Intelligence developed it, and the State Department uses it for diplomatic traffic. The U.S. government also promotes its use to oppressed populations (at least those we support) internationally. Tor is not going anywhere. Tor mail is another matter. That was probably the target.
Gnovalis
Absolutely. If Tor services
Absolutely. If Tor services can be compromised and shut down because of some illegal child porn activity that someone doesn't like and with it simultaneously shut down a lot of other sites not involved in child porn... then the Tor network can no longer be considered a safe option for whistleblowers, reporters, activists and others. This week, it's child porn, next week it may be a whistleblower or an activist...
Basically, you're all
Basically, you're all morons.
Tor sights have never been immune to some of the most common attacks, such as DDoS attacks, and the fact you're connecting your web services (Apache+PHP+MySQL+Whatever else) to the clients via Tor does not automatically make those more secure, nor does it make the clients more secure.
Tor itself did its job. There is no reason to suspect that Tor is in any danger of compromise. The problem lies on both sides of the Tor connection.
Maybe "[we're] all morons"
Maybe "[we're] all morons" but at least we know:
Sites = Websites,
Sights = What you can see with your eyes.
that has nothing to do
that has nothing to do with the argument at hand...try and stay focused
Oh hey, this reminds me of
Oh hey, this reminds me of the last time we had this thread:
https://lists.torproject.org/pipermail/tor-talk/2011-September/thread.h…
Tor did its job? The sole
Tor did its job?
The sole purpose of Tor is to provide anonymity, to both users and hidden service providers.
Now we know that users of Tor can be identified, and hidden servers aren't hidden after all.
I'd call that a big fat FAIL.
Pardon my french, but why do
Pardon my french, but why do you assume that it is TOR that got compromised ?
For all we know, the feds might have broken into FH's servers (and out of any VMs FH might have employed for security) and leveraged this position to bypass TOR.
It's actually not even that hard - there's probably a lot of heterogeneous code on any shared hosting, some of it less secure than the rest.
Or, and in my opinion, most likely, they just had a rat in the datacenter. The weakest link is usually the one made of meat.
There are now law and rules
There are now laws and rules when it comes to tracking down pedophiles. They do not deserve to be protected by the law. The FBI did an amazing job, and saved many kids from EVIL sick molesters.
Roger, Jacob, Karen, Tom,
Roger, Jacob, Karen, Tom, Andrew, or whoever reads this comment section: We can't trust exit nodes and/or hidden services. These guys are injecting javascript and using 0-day exploits against the browser bundle.
Right now, the NoScript in the browser bundle is set up to allow javascript. In the past, it blocked it. It's a pity we have to block it again, but it seems there is no way around this.
Have to be honest, having
Have to be honest, having followed Tor off and on for about ten years, I'm quite surprised to hear that the Torbrowser was shipping with javascript enabled. What drove that decision?
User-friendliness, the more
User-friendliness, the more people who use tor, the more anonymous it is.
Not very anonymous when you
Not very anonymous when you are rooted by FBI 0 day. Tor developers need to wake up and see that we want a fucking anonymity network and anonymity and security software, not something that slows down our internet while we watch cat videos on youtube. Unfortunately they have been more and more going in the direction of user friendliness even at the significant expense of user security and anonymity, and I just wonder how friendly it will be in prison for all of the people who just were deanonymized because of user friendly software.
With all due respect, up
With all due respect, up until recently, Javascript WITHOUT Flash and/or Java was thought to be safe.
Actually, I would have to say it still IS safe unless there is a big freaking hole in Javascript somewhere.
Right. There are a lot of
Right. There are a lot of parts of Firefox that are potential attack surfaces. Javascript is one big one, but there are other big ones. We shouldn't focus solely on Javascript or we'll end up surprised by the next vulnerability.
Thought to be safe? By
Thought to be safe? By whom? JavaScript is indeed safer than Flash, and probably Java, but that's not saying much! JavaScript has historically been a source of *innumerable* security bugs in *every* browser I know of that has implemented it. Not to mention all of the subtle ways that intentional JavaScript features (as opposed to bugs) may be used to compromise your anonymity, because they simply weren't designed with anonymity in mind.
It is, in my view, foolish in the extreme not to assume that "the bad guys", whoever they are, have frequent access to 0-day vulnerabilities in the major JS implementations. This seems likely to continue for the foreseeable future, especially given how much browser makers have been focusing lately on improving JS performance (which almost inevitably results in the introduction of new vulnerabilities.)
^ This. JavaScript is
^ This.
JavaScript is considered THE number one reason of virus infections.
Virtually EVERY exploit kit worldwide uses JS to see if the target is vulnerable in the first place, even if the actual exploit doesn't use a JS vulnerability.
Activating it is batshit insane crazy with suicidal tendencies.
If you browse the clearnet without NoScript, you are a risk to yourself and the rest of the internet,
if you do illegal stuff with JS enabled, you are a risk to yourself and the rest of the internet and are asking to be put into prison.
"If you browse the clearnet
"If you browse the clearnet without NoScript, you are a risk to yourself and the rest of the internet,"
Isn't it about time that at least /some/ of the most basic protections that NoScript offers, such as against XSS, be incorporated into Firefox itself? (and, for that matter, other browsers as well)
What about people in Iran
What about people in Iran and China who want to watch cat videos and the like on YouTube?
If that's the case Tor needs
If that's the case Tor needs to become practical for p2p traffic and other video traffic that makes up most of internet traffic. Can you imagine the 3 letter agencies trying to sort through all internet traffic? It also needs to be clear that these are our papers and they are protected by the 4th amendment among other protections.
The right of the people to be _secure_ in their persons, houses, _papers_, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
More importantly it needs to be technically impossible to seize your papers and consequences to attempting to seize them. They've shown again and again that the moment it becomes technically feasible they will make the attempt. The issue of pedophiles is irrelevant they will find another reason if you take that issue away.
Remember Martin Niemöller.
Also true security protects in layers with the assumption that one or more layers will become compromised. We need more physical hardware level protection and more Network address translation boxes with dhcp to hide ip addresses. Ideally we should be doing lily pad networking as well. Make it feasible to wirelessly connect anywhere
/r/darknetplan
It's hard to know where to
It's hard to know where to start.
You don't have any 4th Amendment protections for international communications. You need to go back to ... hmm ... high school? Grade school? Learn what "sovereignty" means! You may live in a country that affords you certain civil rights, including the right to be free from unreasonable searches and seizures without a warrant. Several important points:
1. These rights that your country might afford you end at the country's border. Outside of that border, you are no longer in that country. You are outside of its area of sovereignty. Depending on where you are, you are subject either to the sovereignty of another country, which is unlikely to afford you the same rights, or you are floating on the ocean and only subject to whatever rights international law gives you. Even your own country does not have to afford you the same rights outside of its borders.
2. Even within your country, there are limits to the rights that you might have. In the U.S., for example, your 4th Amendment rights require the government to get a warrant based upon probable cause to enter your home and seize your "papers and effects." Your rights outside of your home - for example, traveling on an Interstate highway, or using a public communications network (paid for by the taxpayers - in the case of the Internet, the Defense Advanced Research Projects Agency, the major research universities (funded with federal tax money), and, oh yeah, Al Gore), are much more limited if they exist at all. If you want privacy for your electronic communications, pay AT&T to set up a totally private network on private property for you to use, and the chances that you will get your privacy improve dramatically.
3. Even assuming that government violates your 4th Amendment rights in the U.S., as a practical matter, the only legal remedy available to you is to prevent the government from using the information obtained without a warrant against you in a criminal proceeding. No criminal prosecution? No harm, no foul. They can collect all of the information they want. [One of the reasons I don't get too excited about NSA is that the revelations involving DEA using the same software (see discussion, below) to collect information on citizens without warrants, and then covering up the illegal collection of evidence and using it in criminal trials, a legal violation that is much more serious.]
4. Your 4th Amendment only applies to the government of the U.S. Now, think about it: If you were the head of sigint (signals intelligence) or elint (electronic intelligence) at GCHQ in the U.K., F.S.B. in Russia, Mossad in Israel, etc., where is the first place you would put a covert agent? Hmm. My guess is you'd put a covert software engineer at MSFT and every other major software company. Why do you think there are so many updates to fix security vulnerabilities? You'd think they'd have found them all by now! No. N.S.A. puts one in, Mossad finds it, takes it out, puts theirs in, F.S.B. finds it, takes it out, puts theirs in, GCHQ finds it, takes it out, puts theirs in, and on and on. And, your computer reboots every night with yet another update fixing yet another problem. The point here is that even if N.S.A., C.I.A., F.B.I. legally are prohibited from invading your privacy, the foreign intelligence services are not. When you hear on the news that, "The threat risk has been increased based upon credible intelligence received by U.S. intelligence officials." what is usually being said (if the threat involves something in the U.S.) is, "Some foreign intelligence service monitoring communications inside the U.S. that our agencies could not legally monitor tipped us off." Look at Snowden's grant of conditional asylum in Russia. He can only stay so long as he does not "reveal any additional information harmful to our American friends." Why did Putin include that? What could Snowden possibly reveal? Maybe that F.S.B. cooperates with the U.S. to a much greater degree than we are aware? You think we have a problem with Islamic terrorism? When you get back to school, look at a stinking map! Russia has Islamic republics all along its borders. Everything that you have heard of N.S.A. collecting - and more - is available to every major intelligence service in the world.
5. The only legal issues here - and they are extremely serious - are the use of "general warrants" by the U.S. intelligence community (I.C.) before the F.I.S.A. court, and the blatantly illegal conduct of D.E.A, which nobody seems to care about.
6. You want it to be technically impossible "to seize your papers and consequences" for trying? In your dreams! First, the U.S. I.C. has a company, In-Q-Tel, Inc., in Reston Va. that provides venture capital to entrepreneurs developing (among other things) software of value to intelligence gathering. In-Q-Tel is NOT the only venture capital company in this business. (You didn't think PRISM, XKEYHOLE, etc. were written by entry-level government employees, did you?) There are companies spending hundreds of millions, even billions, developing these technologies. It is never going to be "technically impossible" to conduct surveillance. As for imposing consequences on those who try to do so, you might find that locating all of the "sleeper agents" sent here by K.G.B. - predecessor to F.S.B. - is not going to be easy. F.B.I. counterintelligence is working on it, and they caught about 10 of them a couple years ago, but many remain. The "consequences" for these folks is prosecution for espionage and imprisonment, until of course Russia grabs a few U.S. tourists, charges them as spies, and we have to arrange a swap. As for the Mossad, these are not nice people. They make your average U.S. criminal sociopath look like an altar boy. Israel believes it is always at war and, therefore, is not subject to restraints on murder, kidnapping or other conduct that virtually all other countries, even those hostile to us, deem beyond the bounds of civilized conduct. Any attempt to impose "consequences" on them is likely to backfire.
7. I know you are going to find this hard to believe, but entrepreneurs who rely on venture capital companies for funding tend to be single-minded. They only want to sell their products whenever it is legal to do so to anyone with the money to buy them. They just want to become profitable as soon as possible, so that they can buy out the venture capitalists (often referred to as "vulture" capitalists). They are not terribly discerning about whom they sell to. So, not only is every governmental intelligence agency with funding - probably including North Korea - gathering the same information as the N.S.A., but private companies, lots of them, are customers of Google, Facebook, Twitter, and all those social sites you love so much. Ancestry.com scares the hell out of me! If they can trace the addresses of my great grandparents, what can they report about me? These social networking sites are not funded by the government like National Public Radio, and they are not charities. You're not paying them, so how are they making money? By selling every word you write to private companies that prepare personality profiles on you. They have access to and use the same software as N.S.A. and all the intelligence agencies. You can find your teenager's car by geolocating his/her cell phone in real time if you have the money. So can pedophiles, other low-lifes, schools, employers, and anybody else nosy enough to want to know. No, the 4th Amendment does not apply to private conduct.
8. You think universal "wireless" connectivity is the way to go, huh? A basic legal principle - codified in the Communications Act of 1934 - is that "the airwaves belong to the people." And, those "people" include the government, that government famously, "of the people, by the people and for the people." This means that anything you put out on the airwaves belonging to the people is the property of the people. I have radio frequency scanners, and I can listen to police, fire, F.B.I., C.I.A., air traffic control, virtually anything. The frequencies they use are published in public documents. They sometimes try to use trunked systems or encryption, but if I can track it or decrypt it, I can listen to it. [Yes, there are statutes that prohibit listening to cell phone traffic or selling scanners with that capability. But, those scanners can be purchased in Canada, and the Constitutionality of those statutes is questionable.] Fedora ships Linux with utilities that crack WiFi. Why would you promote wireless? Anybody, including the government, who can hack it is free to do so on the people's airwaves! And, you wouldn't want it any other way. If they can stop you from listening to police, fire, F.B.I., C.I.A., air traffic control or your neighbor's WiFi, it is only a very short step to stop you from watching BBC or receiving TV or radio broadcasts government deems "dangerous" or of value to "terrorists."
Stop dreaming. Learn something. Get a life.
Gnovalis
[Yes, by education and historical avocation I am a lawyer. And, I studied constitutional law under Arthur Kinoy, one of the nation's most brilliant constitutional scholars and a founder of the Center for Constitutional Rights in New York. I've practiced at world class law firms, served two NYSE companies as a senior legal executive, and been an international entrepreneur.]
Well said. But how should we
Well said.
But how should we feel about a policy that basically says the government will prosecute infringements on its privacy while at the same time denying ours? Do you think that's overstating it?
"You can find your
"You can find your teenager's car by geolocating his/her cell phone in real time if you have the money. So can pedophiles, other low-lifes,"
Not to take away from your points and arguments but it should probably be noted that children and teens are said to be at far greater risk from family members and others who are close to them in real life, than from random, mysterious, distant stalkers.
"Fedora ships Linux with
"Fedora ships Linux with utilities that crack WiFi."
The tool of choice for that sort of thing seems to have been BackTrack Linux, now re-branded as "Kali Linux".
I have seen speculation that the producer/distributor has less-than-harmless motivations but I have no idea how credible such suspicions are.
"If they can stop you from listening to police, fire, F.B.I., C.I.A., air traffic control or your neighbor's WiFi, it is only a very short step to stop you from watching BBC or receiving TV or radio broadcasts government deems "dangerous" or of value to "terrorists.""
That argument sounds troublingly like that advanced in support of completely unfettered, unrestricted access to firearms. Or any number of other things that enjoy support only from those on fringes of any given ideology or camp.
In the USA, according to the
In the USA, according to the 2nd and 9th amendments, everyone not in prison (see 13th amendment) IS allowed to have guns, despite any supreme court decisions or state laws. This includes felons, wife beaters, etc.
The problem is that the courts are corrupt, politically motivated tyrants.
You could try to fight the law in court, but you don't have enough money and even if you did they won't let you win.
You do not need to be a constitutional scholar to understand what is written there.
All laws are subordinate to the bill of rights. IF any law violates them then that law is unconstitutional.
The 9th amendment implies that our rights are subject to old common law - no right to kill, cheat, lie, maim, similar.
A right is not a right if you cannot freely exercise it with impunity.
Anything else is just a privilege.
If TOR used Quantum encryption or even 3 dimensional encryption, no one could decode the transmissions except the recipient of the transmission.
I recently read that the feds cracked HTTPS now. Even that is no longer a safe avenue.
"the Center for
"the Center for Constitutional Rights in New York"
Are you, by any chance, familiar with the radio program "Law and Disorder"?
"I've practiced at world class law firms, served two NYSE companies as a senior legal executive, and been an international entrepreneur."
Have you any regrets or moral qualms, at least about the latter two roles?
(I am fairly convinced that "socially responsible" or "ethical" corporation is an oxymoron.)
Word bro!
I am absolutely forced to
I am absolutely forced to chime in that just because things are hashed out in a court and deemed a certain way, does not mean that they live up to a true constitutional legal standard. An example is that the 1st amendment is freedom to say whatever you want; courts have ruled and most people accept not screaming fire in a movie theater. But I believe that most references to amendment rights in the abysmal world you pointed out are to the idealistic forms, i.e. the ability to scream fire in a theater regardless of all the legalese one could throw at it is still technically your right.
Internationally speaking our Commander in Chief and all our military personnel swear an oath to put a whooping on anyone who would infringe upon the constitutional rights of its citizens. In real life it may not happen, but idealistically speaking you tell an American on a boat in the ocean he can't be a religion and you would be explaining that to a host of wonderful US Navy vessels shortly thereafter.
Usability and increasing the
Usability and increasing the Tor user base.
NSA coercion.
NSA coercion.
Not as ironic as I expected.
Not as ironic as I expected.
Anonymity. Read
Anonymity. Read https://decvnxytmk.oedi.net/docs/faq.html.en#TBBJavaScriptEnabled
Well, that's bullshit. If
Well, that's bullshit. If you would want to hide the fact that you're using Tor, you would have to get rid of Tor Exit Nodes that are known to everyone anyways.
This all just boils down to that short sighted resolve to rather put users in danger than to lose them.
No, that's not it. The fact
No, that's not it. The fact that your browser is disallowing JS acts as a further filter criterion, on top of the fact that you are a Tor user.
Of course, if the majority of Tor users disabled JS, this metric would change and become ineffective..
"Well, that's bullshit." No,
"Well, that's bullshit."
No, it is not.
"Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."
Using NoScript with a specific list of white-listed domains might identify you.
Using NoScript with a zero white-listed domains is just not very practical.
"that short sighted resolve to rather put users in danger than to lose them."
No, YOU are short sighted: any user that stops using Tor because it is not working properly is less protected.
Pure stupidity. It is so
Pure stupidity. It is so obvious that Javascript should not be enabled for security. But the Tor developers would rather that your browser fingerprint blends in with 500,000 other rooted people rather than blend in with 10,000 non-rooted people. It doesn't make any sense to me either, and they have been warned months and even years ago not to allow javascript by default, but they didn't listen and now thousands of their users are compromised. I hope it was worth letting retards watch cat videos on youtube.
With all due respect, too
With all due respect, too many sites on the regular internet will not work correctly without Javascript. So, disabling Javascript by default is bad ju-ju in the real world.
Maybe it's time to start thinking less about disabling Javascript (which from what I have seen is only a vulnerability when paired with Flash or Java) and start focusing on disabling certain functionalities of Javascript.
" start focusing on
" start focusing on disabling certain functionalities of Javascript. "
like, which?
" it was worth letting
" it was worth letting retards watch cat videos on youtube "
If you think JS is only for playing videos, then YOU ARE THE RETARDED ONE.
This is why Tor needs to be
This is why Tor needs to be less user friendly.
I don't know about that
I don't know about that anon, I just updated my bundle a few days ago and my NoScript is set to disable Java, although the Firefox settings say that it is enabled. A quick check on a Java website test shows that it is in fact still disabled, Javascripts are not running!
To anyone who is under these circumstances, the code didn't get injected. Unless it's magical unicorn NSA pony hax. Anyone care to add/detract from the Java enabled in options/disabled on NoScript default question? I'm pretty sure NoScript is overriding options anywhere else on the Firefox Tor Browser Bundle.
Java and Javascript are two
Java and Javascript are two different things. Java is disabled by default. Javascript is controlled by NoScript.
But then you're still
But then you're still confirming that it's covered.
Question is, how in the
Question is, how in the world would this hack get your real IP address when it is supposed to be impossible without Flash and Java also being installed to do that?
I'm calling BS on this and I think that we should wait until some real, verifiable information comes out.
According to some FF
According to some FF developers on their site, the exploit used was MFSA-2013-53, so not a 0-day. It was fixed a month ago. If you updated the Tor bundle within a month (if it has FF ver. 17.07), had JS disabled, or were using an OS other than Windows, the JS exploit should not have worked.
The reason they could get your ip is simple, with this exploit they can execute any binary code they want. People on the net have already looked at the so called payload, or shellcode, that the attacker is trying to execute. Instead of installing a keylogger their binary code (shellcode) "just" checks your hostname, MAC and sends it to their server over clearnet, so they get your ip as well.
Slashdot is also mentioning something about a cookie. I haven't researched this part.
It appears that this was
It appears that this was 'aimed' at the first Alpha version of the "No Vidalia necessary" TBB.
So, if you had updated your Alpha version (is it setup to notify you if there is a new version?) you were golden.
The second part is true
The second part is true (3.0alpha2 is safe from this particular attack), the first part is not (there's no reason to think this was aimed at 3.0alpha1).
Do you think if we are using
Do you think if we are using Linux that we are prone to this malware? Or should I format? I just want to be reassured. I only used TorMail and I tried to log on today and was unable to see anything except a pink background with a small box; it seems as if nothing loaded... How can I be sure that I am not infected, if I am on a Linux box?
Very interesting that Tor
Very interesting that Tor "just happened" to enable JavaScript in their Browser Bundle so that LE could exploit it. What an incredibly unfortunate "coincidence".
+1
+1
While we're playing the
While we're playing the conspiracy theory game: can you point at the version of Tor Browser Bundle that shipped with Javascript disabled? I believe this is a myth and it is confusing many people.
To the two FBI agents who
To the two FBI agents who are posting in this thread anonymously: Congratulations. You've succeeded in setting us at each other's throats rather than thinking rationally with the evidence your contractors left behind. Go to the Keurig at the canteen and toast to yourselves with crappy coffee.
To everybody else, it would be wise to actually look at the evidence at hand before commenting. There seems to be a lot of people here who are more interested in seeing their words appear in the comments than using their brains.
To the two FBI agents who
To the two FBI agents who are posting in this thread anonymously suck my big hairy cock!!!!!!!!!!!!
"To the two FBI agents who
"To the two FBI agents who are posting in this thread anonymously suck my big hairy cock!!!!!!!!!!!!"
People who say this (i.e., extend invitations to perform fellatio upon them) almost invariably are the same people who then turn around and expect the one(s) whom they claim to love to perform the same act upon them.
Ever think about that?
Either fellatio is a sordid, degrading, dishonorable act (as the insult would imply) or a wholesome, legitimate form of intimacy between people who love each other. It can't be both, now, can it?
Nice that someone thinks
Nice that someone thinks about the logical implications of insults. When I used to drive a delivery van in traffic all day, I'd often hold back yelling at someone for the same reason.
Thanks! Nice to see someone
Thanks! Nice to see someone appreciate my post.
I think it can be both.
I think it can be both.
I believe its better for
I believe its better for world see dead agents
Or otherwise employed rather.
Or otherwise employed rather.
As long as javascript is
As long as javascript is enabled this kind of thing will happen.
That waznt a 0-day exploit.
That waznt a 0-day exploit. The xploit was disklosed & patchd months ago.
@previous > Does that say
@previous
> Does that say anything about the security of the system? The browser seemed to work normally afterwards...
No. Your browser should have acted normally. Nothing changed. The malicious JS set a cookie and visited some Washington-based IP address, so when non-Tor browsing your IP would be logged using that cookie, or something. It was not malware in the sense that your AV/Anti-malware would detect it.
Everyone: disable JS on Tor, and FFS use NoScript!
This is only half the story.
This is only half the story. It also employed a JavaScript heap spraying attack, of which the details aren't currently known yet, but presumably uses an exploit in Firefox to phone home, circumventing Tor altogether.
If you visited one of the hidden services hosted by Freedom Hosting on Firefox on Windows (or at least the Tor Browser Bundle) these past few days, you should assume your anonymity has probably been compromised.
>If you visited one of the
>If you visited one of the hidden services hosted by Freedom Hosting on Firefox on Windows (or at least the Tor Browser Bundle) these past few days
With javascript enabled.
How far back is "the past
How far back is "the past few days?"
Since July 29 when they
Since July 29 when they first went down. August 2 is when the malicious javascript first appeared.
Are you absolutely sure
Are you absolutely sure about this?
How in the world would it be
How in the world would it be possible to be absolutely sure about something like that?
I don't know how TOR would
I don't know how TOR would have been 'circumvented entirely' by this, when Firefox disallows connections except to the proxy being used.
Nah.... something doesn't sound right about your explanation.
Some of these javascript functions I have been reading about are a bad idea to have in the first place, so maybe this will start a discussion about paring down on/removing some javascript calls.
With an exploit like that,
With an exploit like that, they can execute arbitrary code so what Firefox allows or disallows isn't important. Once an attacker can execute arbitrary code on your system, you have to assume your identity and system have been compromised.
I'm not sure what removing certain JavaScript calls would accomplish. You should disable JavaScript anyway when using Tor.
1) TOR has NOT been
1) TOR has NOT been attacked.
2) The attack was directed against the Windows version of Firefox v17 (version 17.0.7 excluded). It seems that versions: 18,19,20,21 were (and still are) vulnerable but have not been attacked.
3) The attack can only be successful if JavaScript is enabled, i.e.: not blocked by noscript or not turned off within the Firefox settings.
4) The attack is immediately effective, i.e. your IP is submitted by the shellcode using the Windows API, which does not use the TOR SOCKS proxy. Again, your IP is sent the very moment the exploit succeeds. There is no need to wait until you visit the clearnet.
5) Linux, Android, MacOS, ... seem to have not been affected so far.
Is this proven? If we are
Is this proven? If we are running any OS other than Windows, we are fine? I am running Linux; should I format and start over?
No, the attack wasn't
No, the attack wasn't against the client browsers, it was against the hidden servers, which has to have the javascript exploit planted on them first.
Why all the focus on the attack on the client browser, when it was the hidden servers that had to be unhidden, identified, and compromised first?
The attack on the browser is secondary.
If the servers had not been identified and compromised, we wouldn't even be having this discussion, so let's focus there.
I think the code was or is
I think the code was or is broken, they also modified the injected code a couple of times. It changed from a cleannet IP to an onion address and back again, after that they obfuscated the code and encoded the URL.
The code can be found here: http://pastebin.mozilla.org/2777139
That code is strange because
That code is strange because it only runs if the userAgent browser version is between 17 and 18. The current Tor Browser comes up as 10.0, even though the blog post says it's based on Firefox 17 ESR. I think if you're using Tor Browser the malicious code will think it's version 10 and load "content_1.html" which is not shown.
Mine shows up as
Mine shows up as "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0" and the code returns 17 not 10.
Are you running the 3.0
Are you running the 3.0 alpha of Tor Browser? What version comes up for you in help/about tor browser?
Firefox ESR 17.0.7,
Firefox ESR 17.0.7, downloaded it yesterday from the main website.
Mine shows "Mozilla/5.0
Mine shows "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17" and I am running current stable release, which by the way have been based on ESR17 for a while.
Using User-agent switcher
Using User-agent switcher helps tremendously... you can be a Chrome or IE browser and malware targeting your OS/browser by user agent wouldn't work...
https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/
False. This exploit in
False. This exploit in particular sniffs for Firefox-specific features.
function isFF() {
return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));
}
Unless, of course, your UA switcher also disables document.getBoxObjectFor and window.mozInnerScreenX, which most don't. Not sure why they check for multiple signs of Firefox, when just checking for window.mozInnerScreenX would do.
I use Proxomitron, which can
I use Proxomitron, which can both spoof the UA, and filter arbitrary bits of javascript, or turn it off entirely. Gutting javascript isn't however as secure as turning it off entirely.
That looks like it targets
That looks like it targets the Tor Browser 3.0 alpha build (which is based on Firefox 17 ESR). The latest Tor Browser identifies as version 10 in which case it loads "content_1.html" that is not shown in your link.
Same version which JonDoFox
Same version which JonDoFox uses - no surprise here.
The exploit seems to work on Windows only and may be limited to FF v17 because of a JS update on new Firefox versions or because the FF codebase changed too much. Payload delivery by heap spraying is relatively strongly bound to the targeted executable, so again no surprise here.
A few sites were warning
A few sites were warning about the bad script in TORmail. Also, not the dude you're responding to, though I'm interested in hearing their response as well.
The fallout from the
The fallout from the captured data should be entertaining, depending on your point of view. The plain text data and relationships found in tormail will generate a huge number of links to real people.
If you consider hundreds of
If you consider hundreds of destroyed lives to be entertainment, then yes.
I truly hope a number of non-pedos are caught up by this; perhaps those people will have hated pedos too, but will now get to feel what it's like to be one. Perhaps they'll also realise why it's never a good idea to support the persecution of minorities. One day, they might just come knocking on your door.
Freedom took a great blow today, in the name of *saving the children*, the battlecry of oppressive governments for a long time. You will not rid the world of people you hate, by ostracising them and destroying small numbers of them. If you bought the line that this has anything to do with hunting pedos, I feel sorry for your misunderstanding of their push to control all information, using this as their get out clause.
I suggest you look up Rick Falkvinges excellent piece on why possession/distribution of CP should be decriminalised (not production mind you). http://falkvinge.net/2012/09/11/child-porn-laws-arent-as-bad-as-you-thi…
This attack has helped no one, harmed many, and damaged one of the last areas people can be free from government control. Having known one person destroyed by laws like these, I can tell you it doesn't just harm the convicted, but their families and friends too. It creates homeless, jobless and hopeless people, new burdens on the state where once productive individuals existed. In the worst cases, it creates corpses, suicide is a common outcome from CP raids, usually because the people caught were perfectly decent, honest and hardworking individuals, now faced with no future and no hope, essentially a social death penalty.
So by all means, continue to support the criminalisation of possession, watch as your freedoms are eroded away with that as the excuse, watch as people you know and love are destroyed by the laws you support and finally, watch as censorship becomes the default stance of the web, as is happening in some EU locations right now. But at least it was entertaining to watch, right?
fuckoff w/ your pedos! its
fuckoff w/ your pedos! its real war with terrorist state. as in any war part of it is propaganda.
I tested the shellcode in an
I tested the shellcode in an isolated VM and faked the connect() call to succeed. But it crashes after gethostbyname. Did someone examine this any further? To which IP is the UUID forwarded?
Was your VM on linux ? A
Was your VM on linux ? A lot of people are saying it's only windows based, but on my ubuntu machine the user agent and version matched to run the exploit.
It maybe passed the
It maybe passed the server-side injected script, but the iframe script it loads specifically checks your useragent for "Windows NT" so I doubt it ran.
Can someone varify this? I
Can someone verify this? I am using an Ubuntu machine and used TBB to just access TorMail and was instead given a pink background with a table, and it showed me the exclamation mark, and seemed like something was wrong. I don't do anything wrong on TorMail, so I tried to access TorMail through the onionsite.onion.to (that web2tor site; obviously I would never unless it's to check if TorMail is down) on Google Chrome and got the "site is down" message... Do you think I should format, using a Linux machine?
I'm sure the parameters are
I'm sure the parameters are filled in elsewhere, which could be why it's crashing. Did you run all of the script or just the code in variable magneto? Because magneto is appended to a bunch of other random hex strings, then copied into the big array view[] and then various globals are copied into various offsets in view[].
I only ran magneto and
I only ran magneto and stepped through with OllyDbg in a VM.
I actually came across the IP, I just forgot to cast to sockaddr_in in the connect() call. The IP is: 65.222.202.54 and they used the port 5000. It makes 5 tries to connect.
Then it gets the hostname with gethostname().
Then it gets all the local IPs and associated hostnames with gethostbyname.
Since I have no network adapter, I don't know how all this info was used in what follows.
Then it cooks up an HTTP GET string with the UUID provided by the JavaScript as parameter, and it appends the local hostname in the Host: field.
Then it tries to get the MAC address with SendARP() and puts it in a cookie field named "ID", whose return I faked to confirm it.
Then it sends everything away with send().
And after that it even does a closesocket(). After that it probably tries to gracefully exit the shellcode somehow without crashing the target; I can't really tell.
Maybe I'll try to examine this in a real exploiting situation with all the JavaScript stuff and the vulnerable Tor browser.
Really good info, I think
Really good info, I think you're on to something. That IP is one digit off from an earlier version of the server-side javascript that opened an iframe and sent the UUID to 65.222.202.53. Both the IP's belong to a Verizon business account in the western Washington D.C. suburbs. Where both FBI and CIA headquarters are located.
Are you sure it's port 5000?
Are you sure it's port 5000? I looked at the same block of code earlier and vaguely remember it being 0x00 0x50, i.e. port 80 in network byte order.
Oh, you're right. My bad. I
Oh, you're right. My bad. I just looked at sin_port and saw 0x5000, which is of course htons(80)
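The shellcode walk-through above and the sin_port exchange that follows it, as an added example (not code from the page, the commenters or the Tor Project): a decoder for a constructed sockaddr_in that shows why the bytes 0x00 0x50 are port 80 and only look like 0x5000 when read little-endian, plus a defender-side check that flags an egress HTTP request with the shape the commenter describes (UUID in the request target, bare local hostname in Host, MAC address in an "ID" cookie). The request bytes, hostname and MAC are constructed; the real beacon's exact path/query layout is not on the page, so the check accepts either.

```python
import re
import socket
import struct

AF_INET = 2

# Constructed 16-byte sockaddr_in for 65.222.202.54:80 (the address and port the
# thread settles on).  Layout: sin_family (2 bytes, host/little-endian order on
# x86), sin_port (2 bytes, network order), sin_addr (4 bytes), 8 bytes sin_zero.
SAMPLE_SOCKADDR = (
    struct.pack("<H", AF_INET)
    + struct.pack("!H", 80)            # network byte order -> bytes 00 50
    + socket.inet_aton("65.222.202.54")
    + b"\x00" * 8
)


def decode_sockaddr_in(raw: bytes) -> dict:
    """Decode a raw sockaddr_in, returning both readings of sin_port."""
    if len(raw) < 8:
        raise ValueError("sockaddr_in needs at least 8 bytes")
    family = struct.unpack_from("<H", raw, 0)[0]
    port = struct.unpack_from("!H", raw, 2)[0]         # correct: ntohs()
    port_misread = struct.unpack_from("<H", raw, 2)[0]  # the "0x5000" glance
    addr = socket.inet_ntoa(raw[4:8])
    return {"family": family, "port": port, "port_misread": port_misread, "addr": addr}


UUID_RE = re.compile(r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I)
MAC_RE = re.compile(r"^([0-9a-f]{2}[:-]){5}[0-9a-f]{2}$", re.I)

# Constructed request in the shape described above: GET with a UUID parameter,
# a bare local hostname in Host:, and the MAC address in a cookie named ID.
SAMPLE_BEACON = (
    b"GET /?id=05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1.1\r\n"
    b"Host: WORKSTATION-7\r\n"
    b"Cookie: ID=00:11:22:33:44:55\r\n"
    b"\r\n"
)
# Constructed ordinary clearnet request for contrast.
SAMPLE_BENIGN = (
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: www.example.com\r\n"
    b"Cookie: session=abc123\r\n"
    b"\r\n"
)


def parse_request(raw: bytes):
    """Split an HTTP/1.x request head into (method, target, lowercase headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("ascii", "replace")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) != 3:
        raise ValueError("malformed request line: %r" % lines[0])
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers


def cookies(headers: dict) -> dict:
    """Parse the Cookie header into a name -> value dict."""
    out = {}
    for part in headers.get("cookie", "").split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            out[name] = value
    return out


def beacon_indicators(raw: bytes) -> list:
    """Return the indicators matched by one request; an empty list means none."""
    method, target, headers = parse_request(raw)
    reasons = []
    if method == "GET" and UUID_RE.search(target):
        reasons.append("uuid-in-request-target")
    host = headers.get("host", "")
    # A clearnet GET normally carries an FQDN or IP in Host:, not a bare machine name.
    if host and "." not in host and not host.startswith("["):
        reasons.append("bare-local-hostname-in-host")
    if MAC_RE.match(cookies(headers).get("ID", "")):
        reasons.append("mac-address-in-ID-cookie")
    return reasons


if __name__ == "__main__":
    print(decode_sockaddr_in(SAMPLE_SOCKADDR))
    print(beacon_indicators(SAMPLE_BEACON), beacon_indicators(SAMPLE_BENIGN))
```

Any one indicator on its own is weak; the combination of all three on a request that bypassed the SOCKS proxy is what makes the pattern worth alerting on.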
I don't understand WHY in
I don't understand WHY in the world the default setting on the TOR bundle is to "Allow global scripts". Since JavaScript is the most common mechanism for privacy-busting exploits, it should be disabled by default, don't you think?
No, it isn't. Javascript in
No, it isn't. Javascript in concert with Flash and/or Java is the most common mechanism for privacy-busting exploits.
"Since JavaScript is the
"Since JavaScript is the most common mechanism for privacy-busting exploits"
Source?
"it should be disabled by default, don't you think?"
No, it doesn't follow.
You might as well say that a web browser is the "most common mechanism for privacy-busting exploits" so you should not use one.
You have to consider what you lose by disabling JS. And you lose a lot.
That code is strange because
That code is strange because it only runs if the userAgent version is between 17 and 18. The current Tor Browser comes up as 10.0 in the user agent, even though the blog post says it's based on 17 ESR. I think if you're using Tor Browser the malicious code will think it's version 10 and load "content_1.html" which is not shown.
The current TorBrowserBundle
The current TorBrowserBundle comes up as 17.0 in the user agent.
> Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0
Tested with "tor-browser-gnu-linux-...-2.3.25-10-dev.tar.gz"
Before FH went down i was
Before FH went down I was already wondering what the future of Tor is after the Snowden revelations. How secure is the Tor network if the USA and UK are buffering the whole internet transit for days and can inspect traffic passing between nodes? Shouldn't the project avoid relays and nodes in those countries? Can the nodes be changed to insert random traffic to make it more difficult for snoopers? And now that FH went down it is important to understand what happened; even if FH has been hacked, the admin could take it down but hasn't. There is speculation that the admin has been arrested; if it is true it would be even more important to understand what happened and how. I'm surprised that there haven't been any statements from the Tor Project about all the illegal snooping that the USA and UK are doing, how it affects the project and whether there are any risks.
Doesn't seem Tor Project has
Doesn't seem Tor Project has been taking things all that seriously. Not even since Snowden, and now this. We need a whole new international project run by some people much more serious about privacy and internet freedom. Tor is dead! Now let's replace it with something better!
There is nobody on the
There is nobody on the planet better at what they do than the people behind the Tor project. If you want better tools, stop fucking crying and start doing peer review & developing, or stfu.
It is you, who piss on his own privacy for so long, not Tor project.
"How secure is the Tor
"How secure is the Tor network if the USA and UK are buffering the whole internet transit for days and can inspect traffic passing between nodes, shouldn't the project avoid relays and nodes in those countries?"
They aren't buffering traffic "for days," if they were TCP connections would never complete. They'd time out all the time.
"...shouldn't the project avoid relays and nodes in those countries?"
Several of the Snowden docs have evidence that the NSA is sharing COMINT with the intelligence agencies of other countries in an agreement of reciprocity. On the chance that the NSA missed some traffic, a friendly intel agency may have grabbed it instead and given it to them. So, this wouldn't help.
"Can the nodes be changed to insert random traffic to make it more difficult for snoopers?"
That is in the Tor FAQ.
I can't help but wonder if this is part of an effort to dissuade people using Tor and other such services by a) inducing learned helplessness and b) mistrust of any and all providers of such services because most people don't seem to understand that there is no such thing as perfect security.
> They aren't buffering
> They aren't buffering traffic "for days,"
Actually he certainly means:
they are keeping a copy of the whole traffic for a few days
If wonder if the exploit got
If wonder if the exploit got around the bundled NoScript Add-on if it's set up properly? If so, how?
Also, what happened to the Tor button I used to see near the top-left of the browser? That's been gone from the Tor firefox browser since 2.3.25-10.
I still see it on linux
I still see it on linux version, latest bundle.
No, it doesn't. I modified
No, it doesn't. I modified the JavaScript that tries to load that site into the IFrame by replacing the original address with one of my own server. Then I watched tail -f -n 10 /var/log/apache2/access.log.
When JavaScript was enabled in NoScript, a GET request showed up. When I deactivated JavaScript in NoScript, it didn't. And yes, I emptied the cache and even restarted TBB so it wouldn't load from cache.
So what do you guys have to
So what do you guys have to say about having NoScript allow all Scripts globally in the default settings? Isn't now the time to see and accept that this was a really really stupid decision on your side?
A lot of users trust you and think JS is deactivated by default while you ignore that fact and betray them.
Same here, I guess I looked
Same here, I guess I looked for it briefly to deactivate it the first time but didn't see it since I'm not used to the setting, and thought it wouldn't matter or forgot about it later.
I bet their answer is
I bet their answer is this,
https://decvnxytmk.oedi.net/docs/faq.html.en#TBBJavaScriptEnabled
You could set up NoScript to
You could set up NoScript to have JS disabled by default. Then when visiting a website with JavaScript for the first time, let a message pop up informing the user and then ask what to do: keep JS disabled for better anonymity, or enable JS at the price of anonymity.
But as it is now, it is utterly dangerous. I'm quite tech savvy, but even I forgot to disable JS in NoScript for one or two days after I updated my TBB every now and then. Now imagine Average Joe who doesn't even know the difference between Java and JS, stumbling over all sorts of sites in the world, assuming that he'll be safe because he thought the Tor Project guys knew best what's the safest possible config.
Perhaps it would be more
Perhaps it would be more secure, but it would be bad for the user's anonymity because after a few days of browsing with TBB and making exceptions in NoScript, people would have very distinct whitelists which an exit node could use to fingerprint every user. Besides, I'm sure that people accessing FH (for example, but it would be the same for any site) would have JavaScript whitelisted for that site and the exploit would have succeeded anyway.
Only if the whitelists were
Only if the whitelists were sent to the websites AND the cookies and other things were allowed to stay between 'visits'.
And the default setup of TBB is private mode, which clears all that stuff between closings and openings of the browser.
Private mode would not
Private mode would not prevent exit nodes and web site admins, for example, from being able to observe distinct patterns with regard to which sites were allowed to execute scripts and which were not.
Cookies and cache are all but irrelevant here.
related to
related to this?
http://www.reddit.com/r/onions/comments/1guiav/we_have_analyzed_tor_hid…
The lesson? Centralization,
The lesson?
Centralization, even on an ostensibly P2P darknet, is BAD.
@ Anonymous Disabling poor
@ Anonymous
Disabling poor wittle Javascript would likely buy little additional security when dealing with something like FBI.
It's not unreasonable to assume they can develop capabilities for penetration of browsers with JS disabled, or already have such ability.
A more robust approach would be to get a goddamn Raspberry Pi and this https://github.com/grugq/PORTALofPi (assuming you have to seriously worry about FBI), and / or a really thorough VM setup (though it's not like there aren't any VM escape exploits out there, amrite? =) )
Exactly. Javascript is only
Exactly. Javascript is only one attack vector, and is usually considered safe - this was an extreme case, otherwise you'd be hearing about Javascript exploits all the time.
Even loading images can be dangerous, depending on the image-loading code. A PHP script that returns an image mimetype could be used to exploit any weakness in that code. Should we look at the entire internet in plaintext, given the possibility that there's a vulnerability in that code? How many other attack vectors have opened up recently?
I distinctly recall that
I distinctly recall that there was a time (early 2000s) when there was a windoze bug that allowed delivering and executing code via nothing but an image.
Ah. Here it is:
http://technet.microsoft.com/en-us/security/bulletin/ms04-028
This is hardly the only
This is hardly the only image rendering bug that can inject code...
http://www.hacktheipodtouch.com/2007/10/04/flaw-in-mobilesafari-may-lea…
Sorry, but JavaScript is not that big a deal.
So: -Evil cookies -HTTP
So:
-Evil cookies
-HTTP requests
in:
-Through Tor?
-Around Tor?
-Using desktop Firefox?
And will people be arrested for using services with no proof of anything close to borderline illegal, just for using encrypted services?
I'm using Qubes+TorVM from now on.
I am shocked anyone uses
I am shocked anyone uses Javascript with Tor. One is owned by Adobe and is used to all manner of malicious ends, while Tor is precisely the opposite.
You don't understand what
You don't understand what people are using. Java and Javascript are different. Both are potentially bad. One version of Java is owned by Oracle although there are others. openjdk as an example of a non-Oracle Java. Then there is Javascript which is completely different technology and not owned by Oracle.
OpenJDK is owned and
OpenJDK is owned and developed by Oracle.
So Oracle owns a piece of
So Oracle owns a piece of OPEN SOURCE software released under the GPL? That's weird.
FYI: Oracle develops OpenJDK but it's open source so anyone can fork it, no one owns it.
How does this exploit fare
How does this exploit fare against anonymous live distros?
It wouldn't really matter on
It wouldn't really matter on a live distro since you're still connected to some internet connection and the Javascript was enabled...
Guys i think this malicious
Guys i think this malicious code could be a hoax. They say it is on all of the sites that were on freedom hosting but I only found it on one onion site. That site claims to be hosted by freedom hosting but clearly isn't because it is still up even days after the raid on freedom hosting.
Why would anyone want to
Why would anyone want to shut down something like Tormail? It's a damn webmail service, if it was the FBI or anyone from the government that took FH and in extension Tormail down then the responsible persons must be fired immediately and taken to justice for abuse of power. They are doing the same they did with Megaupload, they shut everything down and everyone must suffer even if they didn't do any wrong or anything illegal. What a shame of agency, and what a waste of money giving them a single penny
They want to shut down
They want to shut down everything they cannot control. That's all. They will not stop before absolute control of everything.
More potentially
More potentially incriminating evidence that you can shake Edward Snowden at. Tormail is ostensibly shady, so it makes sense to seize the entire site rather than try to partner with it.
Think about it. This is
Think about it.
This is coming right on the heels of the Snowden NSA mass spying and data mining revelations. I myself had just decided to "go deep and dark" because of it, as I am sure millions of others have, and tens of millions more, if only they knew how.
I just opened a Tormail account that day and had sent myself one lousy test message. Now, I might have to worry about the FBI and SWAT team coming to my house, just for opening a damned anonymous and encrypted email account!
It is no coincidence that this is happening now, right when it could be easily foreseen that a great number of people would be migrating to the "deep web" to get away from the pervasive NSA spying.
This is clearly a "psy-op" to prevent that, much more than a shutting down and prosecution of those hosting illegal data, which is window dressing. After all, the U.S. government are the biggest child sex traffickers in the world, the real stuff, not just images, though that is where many of them come from. The NSA itself plants child porn on the computers of politicians and government workers in order to blackmail them and buy their obedience and their silence. It is a powerful tool of control that they do not hesitate for one second to use.
I have no doubt they will also use the IP and MAC address data to go on "fishing expeditions" against those who didn't even do anything illegal. They will use it as their "probable cause". This will allow them to tear people's houses apart looking for anything and everything they can use as evidence.
We all need to get real and get serious, because this isn't America anymore, and the stakes of forgetting that are getting very high.
This is why Tor Browser needs to come "locked down" to its highest security mode. Screw convenience. It isn't convenient living in a tyranny, and anyone who is the least bit in touch with reality knows that is where we are now at, and where we are going. No more play time! I didn't decide to go to TOR for entertainment.
On another note, I am more interested in HOW these JS exploits were put on the servers, since we know exactly how they got put on the clients.
Maybe NSA owned those servers all along.
Did this exploit get installed on TorMail or any other hidden service? What hidden services had this exploit running? Is it still running there? Did anyone post the code + shellcode for the exploit?
Well, Tor is dead now. Good job, dipshit developers, for including the genius idea of globally allowing scripts.
Yes. Totally.
It seems the dipshit is you.
https://decvnxytmk.oedi.net/docs/faq.html.en#TBBJavaScriptEnabled
Oh look! You can post a link. 'atta boy! Let me pat you on the head.
Still doesn't change the fact that their reasoning is bullshit. As I said in another comment, your Tor usage is identifiable anyway, because most of the exit nodes are well known. So anonymity is no argument at all.
And sure. For some people it may be a hard choice between losing users or putting them in danger. And danger there obviously is, as we've seen now.
If there are not enough Tor users there is a danger of being identified too. This would also defeat the purpose of Tor. It's not just a matter of the developers wanting to attract more users. Now you can argue that having JavaScript enabled is not worth the risks to users vs. the anonymity gained from a larger user base.
There might be or have been a solution to reduce the significance of this problem. The Tor Project could expect onion operators to be more cautious and not use JavaScript, while allowing non-onion sites to use JavaScript. This would ensure every Tor Browser Bundle setup remained the same and at the same time allow non-tech-savvy users to easily visit non-onion sites that depend on JavaScript.
Another feature that might be worth adding is something which alerts users to possible dangers. For instance, while there may not have been a fix to the problem, it might have been possible to cause all Tor Browser Bundle sessions to pop up a warning that notified the user of a possible unfixed compromise in Tor/Tor Browser Bundle/etc. This way there would have only been a small number of people affected (those online between 6am and whenever the issue became known).
I have to agree with the individual who posted the link. He provided a relevant link for those who would like to learn why javascript is enabled by default — to encourage users to consider TOR. If websites don't work with TOR browser then no one would use it.
You are certainly geek enough to know this.
No. Stop. Calm down.
Would you please kindly consider the fact that there were, in the past, exploits that ran arbitrary code from a goddamn .jpeg image?
So, what makes you think that there are no other .jpeg / gif / png exploits out there?
Besides, the exploit used in FH attack is OLD. O - L - D. Not a 0day. Latest tor browser bundles were IMMUNE.
So the only dipshits are the people who FAILED (F-A-I-L-E-D) to update (U-P-D-A-T-E) their bundles.
"So the only [fools] are the people who FAILED (F-A-I-L-E-D) to update (U-P-D-A-T-E) their bundles."
Whether or not they are the only ones, people who fail to update certainly are fools.
And what about the "genius idea" of using an OUTDATED, DEPRECATED version of TBB, with known vulns, that had been REPLACED OVER A MONTH AGO?
(Not that I'm saying that allowing scripts globally was a good idea.)
I have norton.
And? An antivirus program will not protect you against new malware and exploits.
The latest Norton Antivirus does protect you.
LOL, no it doesn't. Do you even know what a 0-day attack is???
No it doesn't. Try it out before posting nonsense.
No, because the latest Norton is still older than the exploit.
Look up Magic Lantern!
Norton and McAfee install it; it tunnels through firewalls to report to the NSA.
+100
How do I tell if I got infected by this? I was poking around Tor a few days ago just to see what it was all about. Now I hear about this. WTF, how can I tell if I got this shit bug? Needless to say, fuck, I'm glad I deleted Tor, as it was too slow for me. But now I might have a fucking bug in my system because I used it.
I wouldn't worry. It doesn't appear to be an infection; it's just code that's run in your browser if you visit certain hidden sites, which sends your real IP to a server near Washington, DC. It appears the hackers/government were targeting child porn sites only, which were hosted by Freedom Hosting, to try to gather the real IPs of anybody going to those sites.
Oh, yeah, then I suppose they'll just let activists and whistleblowers go??
Yeah, it doesn't matter who the victims are. This attack affects every Tor user. You can't say "we don't like party X and are glad they're gone", because then it's on to the next victim, and that victim is you.
Regardless of OS? I use Linux, I do not care about being exposed for using TorMail for non illegal purposes, but I do not like the idea that they can continue to download more malware and code.
Do you think I should format my Linux box?
TorMail wasn't even a child porn site! It had nothing at all to do with them.
I had just opened an account there, sent myself one lousy test message, and now TorMail is gone, and the friggin FBI and NSA could have my IP and probably MAC address too.
These days, with government tyranny and paranoia at an all time high, just being a known user of anonymous and encrypted services is enough to get you branded by NSA/DHS/FBI as a "domestic terrorist", or worse. That makes this some serious shit.
I can't tell you how angry and resentful this is making me.
There HAS to be a better way. If not, this country is DEAD.
How about services like Tails? Would they be safe?
Presumably. The exploit appears to target Windows systems and Tails is Linux based.
Tails uses the Windows NT user agent.
As I understand it, there are two reasons the exploit as published will not work on Linux (Tails):
1. The web browser is compiled with a different compiler, with different compiler flags, against different system libraries and syscalls. An exploit made to inject shellcode into one compiled version of the browser most likely will not work in another. This published code tries to inject the shellcode into some version of Firefox 17 compiled for Windows.
2. The shellcode itself will use library calls or syscalls for the Windows NT platform. The library calls and syscalls differ between Windows and Linux, for the same reason you usually cannot run Windows exe files on Linux. The shellcode should fail to execute.
In addition to this, the Iceweasel browser in Tails is compiled with stack-smashing protection and other 0-day exploit prevention measures. But of course it might still be possible to make a new version of the exploit that works in Tails and other Linuxes as well; the source of the problem is in Firefox 17 ESR (and maybe other versions too), after all.
The US gov finances 80% of TOR development costs. Who'd you think would know how it works - and doesn't?
Everyone who is legitimately using TOR for non-criminal privacy reasons is being hurt because of the actions of a few. If you invite The Wrath you can expect to get smacked.
For the latest year available (2012) 60% came from the US government. Now if you ignored donated services then you could argue 73% came from the US government. I think 80% is a stretch of the imagination.
This is based on info from page 6 of the Tor Project Annual Report (income):
https://decvnxytmk.oedi.net/about/findoc/2012-TorProject-Annual-Report.p…
Another thing to note is that the project is aware of the fact a large part of its funding is coming from a single source. There have been efforts to raise money and diversify the projects sources of income.
"The Tor Project's diversity of users means we have a diversity of funding sources too — and we're eager to diversify even further!"
https://decvnxytmk.oedi.net/about/sponsors.html.en
I forget (or maybe it isn't up any more) where the page is that documents this campaign. It met its target goals for this year or last year, which would explain its lack of prevalence on the front page, etc.
"For the latest year available (2012) 60% came from the US government. Now if you ignored donated services then you could argue 73% came from the US government. I think 80% is a stretch of the imagination."
So, at most, only 73% of the Tor Project's funding comes from Uncle Sam and maybe even as little as 60%?
Well, that makes all the difference now, doesn't it?
I feel completely reassured now.
Freedom is dirty business.
It is not sanitary, never has been, never will be, and any misguided attempt to make it so will destroy it. History has proven this repeatedly.
Also, collective punishment is not justice, because it punishes the innocent along with the guilty.
Whatever happened to the bedrock American principle that it was better to let 10 guilty go free, than for one innocent to be wrongly punished?
Freedom demands that we tolerate a certain degree of unsavory messiness in life, as the attempt to eliminate it eliminates freedom itself.
What was the purpose of including NoScript in the bundle and then globally allowing scripts, flash, silverlight, font-face etc?
Why on earth would you enable javascript by default?
These are not the settings TBB used to have.
I'm guessing because they figure most Tor users just want to visit mainstream clearnet sites anonymously, and most mainstream sites use the simpler functions in JavaScript. So it makes sense to allow JavaScript, but also use NoScript to block out any potentially dangerous parts (like iframes).
The default settings in NoScript on the tor BB block nothing. "Allow Scripts Globally" and all browser plugins are allowed. It literally does nothing to keep you safe from a malicious attack when used in the default settings, which Vidalia seems to tout so much.
Not all JavaScript is allowed; the Tor Browser has some patches against the real version of Firefox that block or modify some known dangerous JavaScript. Also, most (all?) external plugins should be blocked by a patch too.
Now, after seeing that real exploits against Firefox over and over again use JavaScript, I believe blocking JavaScript by default is something the Tor developers should consider.
I agree. Please help with
https://trac.torproject.org/projects/tor/ticket/9387
I'm not sure which is more baffling and disturbing:
a) The fact that neither you (arma*) nor any of your colleagues have addressed the glaring, utter CONTRADICTION between what you have been posting here regarding JavaScript and what is stated at
https://decvnxytmk.oedi.net/docs/faq.html.en#TBBJavaScriptEnabled,
or,
b) The fact that no one besides myself seems to be bothered by a) (or even /noticed/ it)
https://trac.torproject.org/projects/tor/ticket/9387
I skimmed and did a Ctrl-f for "faq". Nothing.
Incredible. Absolutely incredible.
*BTW, I apologize for referring to you in the feminine in previous posts. I had you confused with a female colleague.
Even with scripts allowed globally, NoScript still provides certain protections, such as blocking cross-site scripting (XSS) attacks.
(Obviously, allowing scripts globally cannot provide (anywhere near) the same level of protection as the selective whitelisting model that is the normal default behavior of NoScript.)
Why the fuck have you delivered TOR Browser Bundle with NoScript and JS enabled by default? Stupid motherfuckers!
I guess the NSA is operating the TOR shit and if not: Congratulations, you have ruined its reputation!
How long have YOU worked for the NSA comrade?
It's probably too late once you got it, but what would you have to do to make sure it's not still infecting your system? Just delete cookies?!
Disable JavaScript: in TorBrowser, click the big orange TorBrowser button at the top left, then Options, Options, click the "Content" button at the top, and uncheck "Enable JavaScript".
Or better, click the blue S (beside the green onion) and select to disallow scripts globally.
I used your text in the advisory (see next blog post). Thanks!
What systems did the shellcode execute on? Windows? Linux?
I noticed the names of two Windows DLLs in the shellcode, so I assume it runs on Windows. Who knows if it can run on any other operating systems.
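For anyone wanting to do the same check on a blob rather than eyeball it: the snippet below is an added illustration (not the poster's code and not the Freedom Hosting payload), showing the usual first triage step of pulling printable strings out of shellcode in both ASCII and UTF-16LE, the encoding Windows wide-char APIs use, and matching them against library names that pin the payload to a platform. The sample bytes and the hint lists are constructed for this demo and are assumptions, not anything taken from the real exploit.

```python
"""Added example (not from the thread): first-pass platform triage of a
shellcode blob by extracting printable strings (ASCII and UTF-16LE) and
matching them against platform-specific library and import names.
The blob below is constructed for this demo, not the real payload."""
import re

# Runs of at least four printable bytes, narrow and wide respectively.
ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16LE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")

# Assumed hint lists: names a connect-back stub on each platform would carry.
WINDOWS_HINTS = ("kernel32.dll", "ws2_32.dll", "ntdll.dll",
                 "LoadLibraryA", "GetProcAddress")
LINUX_HINTS = ("libc.so", "/bin/sh", "execve", "ld-linux")

# Constructed sample: junk opcodes around the strings a Windows stub that
# opens a TCP socket would need (one of them stored as UTF-16LE).
SAMPLE_SHELLCODE = (
    b"\xfc\xe8\x00\x00\x00\x00" + b"ws2_32.dll\x00"
    + b"\x8b\xec\x83" + b"kernel32.dll\x00"
    + b"\x90\x90" + "LoadLibraryA".encode("utf-16-le") + b"\x00\x00"
    + b"\xff\xd0"
)


def extract_strings(blob):
    """Printable runs in the blob: ASCII matches first, then UTF-16LE ones,
    each group in the order found."""
    narrow = [m.group().decode("ascii") for m in ASCII_RUN.finditer(blob)]
    wide = [m.group().decode("utf-16-le") for m in UTF16LE_RUN.finditer(blob)]
    return narrow + wide


def guess_platform(blob):
    """Match the extracted strings against both hint lists (case-insensitive).
    Returns (verdict, sorted matched hints), verdict being one of
    'windows', 'linux', 'mixed' or 'unknown'."""
    strings = [s.lower() for s in extract_strings(blob)]

    def hits(hint_list):
        return sorted(h for h in hint_list
                      if any(h.lower() in s for s in strings))

    win, lin = hits(WINDOWS_HINTS), hits(LINUX_HINTS)
    if win and not lin:
        return "windows", win
    if lin and not win:
        return "linux", lin
    if win and lin:
        return "mixed", win + lin
    return "unknown", []


if __name__ == "__main__":
    print(extract_strings(SAMPLE_SHELLCODE))
    print(guess_platform(SAMPLE_SHELLCODE))
```

A verdict of "windows" from a blob that is being thrown at Linux users through a spoofed user agent is the situation the later comments in this thread describe: the payload is delivered, but its imports don't exist on the victim's OS.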
Windows only, the exploit only runs if it finds "Windows NT" in the userAgent property.
TBB identifies as Windows NT. Even on Linux machines.
The question is rather if the payload would work on Linux as well.
I can't imagine this could affect anything in Linux. The exploit looks like a buffer overrun that messes up the memory heap, which is handled completely differently between Windows and Linux. It is targeted at Windows.
Windows.
Good timing FBI. Just when Tor was going mainstream.
All press is good press. This will just raise the profile of Tor more.
Precisely why they did it.
Unfortunately, they also screwed their own agents that use Tor every day, but that's a small price to pay for keeping those damned net.nerds in line.
Lol wut? What are you people whining about the devs for? Half of the torproject website deals with how to correctly use TOR. If you do not take the time to read it, then you would be caught by one of the other methods available. There is not a single statement which says "Download the TOR Browser Bundle and feel safe!" but quite the opposite of that. BTW, the exploit did not break TOR; it just tried to find a way around TOR. If you were affected, then it is probably already too late.
The exploit does indeed break the Tor Browser Bundle.
If the exploit worked at all, that is; I haven't seen any definite report of that yet...
The REAL question, which NO ONE seems to want to address, is how supposedly "hidden" servers could be identified, targeted, and then infected with the exploit.
If no "hidden" services are really "hidden", then none are safe.
It's not that hard, just make sure to have javascript disabled by installing noscript.
That it wasn't on by default speaks volumes about how obvious it is that Tor is basically an NSA honeypot.
Nope. JavaScript cannot be exploited if implemented properly, so there isn't much reason to block JavaScript at all if you think that way. And JavaScript does greatly improve the web experience.
Now, it has turned out over and over again that JavaScript is not implemented properly, and this time it might have been a real exploit against the Tor Browser. Maybe it's time to reconsider a few possibly bad design choices.
No, it doesn't. They have explained NUMEROUS times why Javascript is on by default in TBB, because Javascript being DISABLED breaks too damned many sites.
NoScript is already installed. It is the blue S beside the green onion.
>Javascript is enabled for anonymity
If I read the FAQ correctly, it seems to say that if script were disabled by default for everyone again, then it would improve anonymity? It seems to be saying that it was only enabled because some users wouldn't be able to figure out how to enable it. I agree that it was a bad idea to enable script by default.
>Javascript is owned by Adobe
That's incorrect... Are you thinking of Flash?
>Not an infection, just for revealing your IP
If an attacker only wanted your IP, couldn't they have just injected an image instead?
Agreed, using an exploit simply to reveal your IP sounds like overkill, but an injected image or anything that runs in-browser wouldn't work, so the exploit may well be the minimum-effort path.
No, they can't inject an image, because the browser would retrieve it using the Tor IP. The exploit uses OS system calls to get your IP, i.e. bypassing the browser bundle entirely.
No, the exploit does not need to query the computer's IP address, which would be pointless about 99% of the time, when the computer does not even have an Internet address.
The exploit just opens a TCP connection to some external host using the OS connect call (not through the browser network engine).
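To make the distinction in the last few comments concrete, here is an added illustration (my own code, not the exploit's and not anything from the Tor Project) of the two paths out of a Tor Browser host. The browser hands an unresolved hostname to Tor's SOCKS port and never does DNS itself, which is also why an injected <img> would have been fetched over Tor; native code calling the OS's connect() knows nothing about the browser's proxy settings and goes out the real interface. A small in-process fake SOCKS server stands in for Tor so it runs offline; the hostname is made up (.onion names do not exist in public DNS), and the port and addresses are assumptions.

```python
"""Added example (not from the thread or the exploit): a proxied SOCKS5
CONNECT, as a browser does it, next to a raw OS-level connect(), as injected
native code does it. A fake SOCKS server on loopback plays the part of Tor."""
import socket
import struct
import threading

SOCKS_VERSION = 5


def socks5_connect_request(host, port):
    """SOCKS5 CONNECT (RFC 1928) with ATYP=3 (DOMAINNAME): the hostname is
    sent to the proxy unresolved, which is what lets .onion names work."""
    name = host.encode("idna")
    if len(name) > 255:
        raise ValueError("hostname too long for SOCKS5 DOMAINNAME")
    return (struct.pack("!BBBB", SOCKS_VERSION, 0x01, 0x00, 0x03)
            + bytes([len(name)]) + name + struct.pack("!H", port))


def connect_via_socks(host, port, proxy):
    """Browser path: talk to the proxy and ask it to open host:port for us."""
    s = socket.create_connection(proxy, timeout=5)
    s.sendall(bytes([SOCKS_VERSION, 0x01, 0x00]))     # offer one method: no auth
    ver, method = s.recv(2)
    if ver != SOCKS_VERSION or method != 0x00:
        s.close()
        raise OSError("proxy rejected the no-auth method")
    s.sendall(socks5_connect_request(host, port))
    reply = s.recv(10)
    if len(reply) < 2 or reply[1] != 0x00:
        s.close()
        raise OSError("proxy CONNECT failed: %r" % reply)
    return s


def connect_direct(host, port):
    """Shellcode path: the OS resolves and connects. Proxy settings are a
    browser concept and play no part here, so the real IP is used."""
    return socket.create_connection((host, port), timeout=3)


class FakeSocksProxy(threading.Thread):
    """Minimal stand-in for Tor's SOCKS port: records what was asked for."""

    def __init__(self):
        super().__init__(daemon=True)
        self.listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.listener.bind(("127.0.0.1", 0))       # any free loopback port
        self.listener.listen(1)
        self.addr = self.listener.getsockname()
        self.requested = None

    def run(self):
        conn, _ = self.listener.accept()
        with conn:
            conn.recv(3)                                 # client greeting
            conn.sendall(bytes([SOCKS_VERSION, 0x00]))   # accept no-auth
            req = conn.recv(262)                         # largest CONNECT
            n = req[4]
            host = req[5:5 + n].decode("idna")
            port = struct.unpack("!H", req[5 + n:7 + n])[0]
            self.requested = (host, port)
            # success reply, BND.ADDR 0.0.0.0 port 0
            conn.sendall(bytes([SOCKS_VERSION, 0, 0, 1, 0, 0, 0, 0, 0, 0]))
        self.listener.close()


def demo(host="examplehidden.onion", port=80):
    """Returns (what the proxy saw, whether a direct connect succeeded).
    The hostname is constructed for the demo."""
    proxy = FakeSocksProxy()
    proxy.start()
    connect_via_socks(host, port, proxy.addr).close()
    proxy.join(5)
    try:
        connect_direct(host, port).close()
        direct_ok = True
    except OSError:        # gaierror: nothing outside Tor can resolve it
        direct_ok = False
    return proxy.requested, direct_ok


if __name__ == "__main__":
    print(demo())   # (('examplehidden.onion', 80), False)
```

The proxy sees the name and the client never resolves it; the direct path fails for a .onion name but would happily reach any ordinary host from the real address, which is the whole point of the payload. The fix on the host side is the one Tails takes, a firewall that lets only the tor process talk to the network.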
Help, how do I tell if I have this shit? I was just looking at Tor a few days ago, first time using it, and was browsing the .onion sites. I ran into a few weird sites and am not sure what they were, and I went to Tor Mail as well. Does this only affect the Tor Browser or does it affect the whole system? I saw some pretty dodgy shit and I did not like what I saw, so I deleted Tor. But how do I know if I deleted this as well, if I got it?
If there is evidence of a crime on the computer and a raid happens chances are your life is over. The only way you might be able to avoid this is by getting rid of the system before they raid.
If he did anything illegal at all, which is not apparent from his post.
A crime of information (computer crime), a crime dealing with speech or images, means your life is over.
This world belief system that the USA has foisted upon the world is disgusting.
And if you don't obey its system, as a country, you get invaded and bombed.
As an individual you get sent to their rape jails.
I hate them.
First off, Tor can be used for so much more than .onion sites. It is (if used properly) an anonymous way to reach the whole internet, the very same internet you use your normal non-anonymous web browser for today.
About the exploit: from the reports seen, it seems not to install itself or modify your system in any way, so you should not have to worry about it still being there, if you got infected at all.
Exploits like this happen to all software that uses the internet, especially web browsers. In a few weeks at the worst a fix will have been released, and Tor Browser will be safe to use again. You are welcome back then.
So I wonder what makes a modern, security-friendly website? Could be a new best seller... But seriously, I'd like to have a site that was available in secure and anonymous ways, and that didn't rely on JS for client-side code or on other insecure things, but on some other tech that was more user friendly. Maybe we need to work on a secure JS subset, or something we can accept or checksum against??! Maybe a Mozilla or Chromium plugin is the way forward for a proper site/web app with onion or i2p counterparts then?
HTML only, all ports closed, build from source with each release of nginx, no PHP or JavaScript, read-only file system and NO SWAP. Hosting a .onion site is risky, but if done right, the chances of having your ass handed to you are near nil. Also, never have physical access to the server or have any identifying information on said box that can be linked to you (this includes pushing stuff remotely).
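As an added illustration of the "HTML only, no PHP or JavaScript" part of that advice (my own config, not the poster's and not anything shipped by the Tor Project or nginx), here is what a minimal static-only nginx server block for a hidden service can look like. The listen port, the document root and the header values are assumptions; the point is that the service is bound to loopback only, serves files from a fixed directory with GET/HEAD, sets a Content-Security-Policy that forbids scripts entirely, and has no application handlers for anything to run through.

```nginx
# Added example: static-only vhost behind a Tor hidden service.
# torrc would point the onion at it with:  HiddenServicePort 80 127.0.0.1:8080
server {
    listen 127.0.0.1:8080;          # loopback only; Tor is the only client
    server_name _;
    server_tokens off;              # don't advertise the nginx version

    root /var/www/onion;            # assumed path; plain files, nothing executable
    index index.html;

    # No inline or external scripts can run, whatever ends up in the HTML.
    add_header Content-Security-Policy "default-src 'none'; img-src 'self'; style-src 'self'" always;
    add_header X-Content-Type-Options nosniff always;
    add_header Referrer-Policy no-referrer always;

    access_log off;                 # nothing logged means nothing to seize
    error_log /dev/null crit;

    location / {
        limit_except GET HEAD { deny all; }   # no uploads, no form posts
        try_files $uri $uri/ =404;
    }

    # Belt and braces: even if such files land in the tree, never serve them.
    location ~ \.(php|cgi|pl|py|sh)$ { return 404; }
}
```

Pair this with the rest of the poster's advice (read-only file system, no swap, host firewall allowing only the tor process outbound) rather than treating the web server config alone as the hardening.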
" that didn't rely on js for client side code or on other insecure things, "
JS is not "insecure".
" Maybe we need to work on a secure js subset "
There is such thing as an insecure JS feature.
There are security bugs in BROWSERS.
Not in JS.
Excuse me, but yes, this is a bug or unnecessary function in JavaScript that shouldn't have been included in the first place.
I'm coming to the opinion that JavaScript should be exceptionally limited in TBB and perhaps it's time for an extension that 'blocks' some of the more insane functions in Javascript.
NoScript is fine, however it only blocks EVERYTHING on a site and doesn't block some of the more dangerous functions in JavaScript if you allow a website to use JavaScript, which on a lot of sites on the internet today you HAVE to allow JavaScript or the sites don't work correctly.
https://twitter.com/VUPEN/status/364129838426107904
TOR Browser 0day in the wild exploits a use-after-free in JavaScript module & bypasses ASLR with advanced heap manipulation!
http://www.twitlonger.com/show/n_1rlo0uu <------------ this guy pulled the exploit apart