Slashdot Mirror

Tor was blocked by China. They've since added bridges intended to bypass the firewall. It's always been a cat and mouse game with China. Always will be. But right now, Tor works in China. Tomorrow, who knows.

The scary part is that they may intentionally allow it (after a token cat & mouse game) in order to perform ISP-wide deep packet inspection. Then they find out who's using Tor, assume they're trying to bypass censorship, and charge them with crimes.

Tor was blocked by China. They've since added bridges intended to bypass the firewall. It's always been a cat and mouse game with China. Always will be. But right now, Tor works in China. Tomorrow, who knows.

The only thing Google is in control of as far as you are concerned is what you allow them to control. I'm not even sure that's actually true as how are they "controlling" you anyway? As far as them having you under surveillance, just turn them off. It's pretty easy just log out and shut your account down then never use their products again and if you just can't help it, don't run any personally identifying information through their system. Try this if you think it's what you need. And if you're worried about somebody wearing a Glass and getting picture/video of you then you should demand that nobody take a picture of you at all as many people's cell phones automatically upload to dropbox/flicker/faceboot/Google+ these days. Lobby your MP or congressman if it really offends you. Or stay in the house. Whatever floats your boat. But railing against people online that don't have as big a problem with the loss of privacy as you do is pretty pointless as you come across as an extremist. Catch flies with honey and so forth.

Remember to enable encryption in your torrent client. Use TOR for web downloading (Don't use it for torrents, unfortunately).

And I'm sure within a year or less there'll be even better solutions for evading the eye of your ISP. Prohibition didn't stop alcohol sales, it just drove it underground. That'll happen here, too.

Switch to a different ISP and stop funding these companies. Don't complain about "monopolies"---none of these ISPs have a monopoly in providing Internet services; they have at most a monopoly in the specific kind of service they provide (e.g., only DSL provider in town, only cable company). Satellite is available everywhere, as is dialup. In many places, if Verizon is providing DSL service, there are also often other small companies providing DSL as CLECs. All that these big ISPs may have "monopolies" on is speed or convenience, and if you keep paying for their services, you're part of the problem.

https://www.torproject.org/

Wikipedia bans offensive exit nodes from *editing*, not *viewing* their site.

Oh, and use bridges, always:

https://bridges.torproject.org/

for reasons mentioned in the Tor OPSEC document.

For sites which ban a lot of Tor exit nodes (like godlikeproductions), Startpage's free web proxy evades 99% of these bans, but you can't post with Startpage's proxy, just read.

Using Tor, you can also run through a lot of free web proxies to evade bans on Tor exit node IPs.

Some exit nodes remain for awhile (though your circuit is not the same all of the time) others are up one day and down the next.

PS: two hidden services message boards:

http://tinyurl.com/hackbbonion
http://tinyurl.com/onionforum2

I'm just a random Tor exit node, up one day, down the next, replaced by another random exit node.

Use the Tor Browser Bundle:
- https://www.torproject.org/

Read the Tor OPSEC article:
- http://cryptome.org/0005/tor-opsec.htm
- https://www.schneier.com/blog/archives/2012/01/tor_opsec.html

"HUGE Security Resource" - enjoy a smart selection of Security
Blogs and other security related information
- http://pastebin.com/Cm2ZHuz3

It's not that easy.

https://www.torproject.org/about/overview.html.en

Tor clients are just that. Clients. They connect to servers that forward encrypted traffic to an outbound proxy server.

There are ways to try and catch Tor users. They could run there own forwarding servers, and look for connections to them from inside the country. They couldn't decrypt the data, but they could at least see who was using the software. They could also monitor traffic going to the database that keeps track of all the servers. Another way would be to run an exit node, and hope that the tor user sends personal identifiable data over an unencrypted connection. All of this is without touching DPI.

There are mitigation option available. Blacklisting IP blocks from the server database is an easy one to implement, but it can quickly turn into a game of whack-a-mole. When a user first runs the Tor software it asks if tor is blocked in your country. If you say yes then it won't connect to the central database. There are other ways to get a list of good servers to connect to. It's more of a hassle, but it's one less attack vector.

So, no they do not have to run DPI to detect at least a portion of Tor users. They also probably don't need to run DPI to see if someone is even trying to use Skype or VoIp. However, most countries want good spying capabilities and that requires at least some DPI. If they can afford it then it is often well worth the cost to just use DPI for everything.

You just use it to surf like you always do.

But if you surf exactly like you always do you're not going to use tor efficiently.

Tor full list of warnings

Tor Browser Bundles Switched To Firefox 10.0.5 ESR!

Today's entry on Tor's Blog, details the release of new Tor Browser Bundles:

https://blog.torproject.org/blog/new-tor-browser-bundles-19

A major change being the switch of Firefox to 10.0.5 ESR! A brief discussion with the Tor developers details why, and possible bumps in the road with this switch:

https://trac.torproject.org/projects/tor/ticket/5737

Tor users, how do you feel about this massive change?

Tor Browser Bundles Switched To Firefox 10.0.5 ESR!

Today's entry on Tor's Blog, details the release of new Tor Browser Bundles:

https://blog.torproject.org/blog/new-tor-browser-bundles-19

A major change being the switch of Firefox to 10.0.5 ESR! A brief discussion with the Tor developers details why, and possible bumps in the road with this switch:

https://trac.torproject.org/projects/tor/ticket/5737

Tor users, how do you feel about this massive change?

On (rooted) Android, you can easily route all your network traffic through Tot with Orbot:

Orbot contains Tor, libevent and privoxy. Orbot provides a local HTTP proxy and the standard SOCKS4A/SOCKS5 proxy interfaces into the Tor network. Orbot has the ability to transparently torify all of the TCP traffic on your Android device when it has the correct permissions and system libraries.

1. Use IxQuick for search.
2. Use it through TOR.
3. Profit.

This appears to be the Justice department budget request for the project.

http://www.justice.gov/jmd/2012factsheets/docs/fy12-national-security.pdf

Time to spend more time improving Tor

https://www.torproject.org/

TOR, TOR, TOR! The more people who use The Onion Router, the better. There will need to be some brave souls out there to run Exit Nodes as they will be the ones targeted if, or when, accusations begin flying.

If they try to ban TOR in the United States, we _ALL_ simply stand up to our government and say "WHAT?!? I was under the impression the United States government espoused a belief in Freedom and Democracy for all people. Why do you think I run TOR? I do it to support those people who wish to communicate freely and throw off their oppressors! Since you are trying to ban TOR in the United States, , I presume you no longer support the struggles of those people who are being crushed by oppressive regimes? It seems to me, , that you actually want to turn the United States into an oppressive police state where the individual is much less important than a corporation, in violation of the Constitution of these United States. Didn't you swear an oath to uphold and defend said document?"

Never give them a chance to bullshit their way out of it. Hit them hard, hit them fast, and keep hitting them with the "So, you work for the corporations now? You certainly are no longer representing the People." and so on. Hey, if they can use "Think of the children??" then we, the People, can damn well use all of the above to get them to back down.

This is still a free country... right?

I cleared the browser cache and history and did everything I could to scrub every trace of those bytes from my machine.

Turn off your browser cache and history. Every browser nowadays has a "private" mode that temporarily disables these features, which you should always use when browsing any sort of sketchy sites. Tor is also useful to mask your IP.

Firefox security bug (proxy-bypass) in current TBBs

https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs

"A user has discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.35-9 on Windows; 2.2.35-10 on MacOS and Linux).

To fix this dns leak/security hole, follow these steps:

Type âoeabout:configâ (without the quotes) into the Firefox URL bar. Press Enter.
Type âoewebsocketâ (again, without the quotes) into the search bar that appears below "about:config".
Double-click on âoenetwork.websocket.enabledâ. That line should now show âoefalseâ in the âValueâ(TM) column.

See Tor bug 5741 for more details.
(https://bugs.torproject.org/5741)
We are currently working on new bundles with a better fix."

- http://pastebin.com/xajsbiyh

#
Anonymous comments:
#
On May 2nd, 2012 Anonymous said:

Oh dear :(

Does anyone know if IP addresses leaked to Twitter when (through NoScript) I enabled javascript for that site?

If yes, I may be in trouble.
#
On May 2nd, 2012 Anonymous said:

@anon, AFAIK Twitter does not use web sockets, so even if you enabled Javascript on Twitter it should not be an issue. I could be wrong or there could be other issues.
#
On May 2nd, 2012 Anonymous said:

Theoretically, an exit node can embed a websocket into your traffic stream if you are using HTTP.
#
On May 2nd, 2012 Anonymous said:

As long as you weren't doing anything illegal in the United States you should be fine. Tor has never been about hiding illegal activity. And since Twitter is in the US and doesn't respond to foreign court orders⦠wellâ¦
#
On May 2nd, 2012 Anonymous said:

Ah right, maybe Anonymous "Oh dear" is a fucking communist, or even a dirty whistle blower like Maning! Brave, law abide citizens haven't got anything, that must be hidden, so maybe you want to forbid TOR, Mr. McCarthy?
#
On May 2nd, 2012 Anonymous said:

Oh great, so all my Pastebins are belong to the Feds?
#

THE DRAMA CONTINUES...

TBB proxy bypass: Some DNS requests not going through Tor
Ticket #5741 (closed defect: fixed)
https://trac.torproject.org/projects/tor/ticket/5741

"This is not the first time some rarely triggered bug in Firefox causes Tor to be bypassed, and certainly will not be the last one. Since these bugs have a very high security impact I propose they are guarded against. How about running Firefox inside some kind of firewall that drops all network packets not going to Tor?"
#
Comments:
#
by mikeperry

Good catch Robert. Disabling about:config pref network.websocket.enabled prevents it from happening for me... I'm now grepping through the Firefox WebSocket code looking for the issue..

#
by mikeperry

This is fixed and pushed to all TBB branches. I fixed it by blocking all DNS requests while socks_remote_dns is enabled, so we don't end up with this showing up in new components in the future.

Interested folks can review the patch here: https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0018-Prevent-WebSocket-DNS-leak.patch
#
Additional Reference:

[tor-talk] Firefox security bug (proxy-bypass

Firefox security bug (proxy-bypass) in current TBBs

https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs

"A user has discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.35-9 on Windows; 2.2.35-10 on MacOS and Linux).

To fix this dns leak/security hole, follow these steps:

Type âoeabout:configâ (without the quotes) into the Firefox URL bar. Press Enter.
Type âoewebsocketâ (again, without the quotes) into the search bar that appears below "about:config".
Double-click on âoenetwork.websocket.enabledâ. That line should now show âoefalseâ in the âValueâ(TM) column.

See Tor bug 5741 for more details.
(https://bugs.torproject.org/5741)
We are currently working on new bundles with a better fix."

- http://pastebin.com/xajsbiyh

#
Anonymous comments:
#
On May 2nd, 2012 Anonymous said:

Oh dear :(

Does anyone know if IP addresses leaked to Twitter when (through NoScript) I enabled javascript for that site?

If yes, I may be in trouble.
#
On May 2nd, 2012 Anonymous said:

@anon, AFAIK Twitter does not use web sockets, so even if you enabled Javascript on Twitter it should not be an issue. I could be wrong or there could be other issues.
#
On May 2nd, 2012 Anonymous said:

Theoretically, an exit node can embed a websocket into your traffic stream if you are using HTTP.
#
On May 2nd, 2012 Anonymous said:

As long as you weren't doing anything illegal in the United States you should be fine. Tor has never been about hiding illegal activity. And since Twitter is in the US and doesn't respond to foreign court orders⦠wellâ¦
#
On May 2nd, 2012 Anonymous said:

Ah right, maybe Anonymous "Oh dear" is a fucking communist, or even a dirty whistle blower like Maning! Brave, law abide citizens haven't got anything, that must be hidden, so maybe you want to forbid TOR, Mr. McCarthy?
#
On May 2nd, 2012 Anonymous said:

Oh great, so all my Pastebins are belong to the Feds?
#

THE DRAMA CONTINUES...

TBB proxy bypass: Some DNS requests not going through Tor
Ticket #5741 (closed defect: fixed)
https://trac.torproject.org/projects/tor/ticket/5741

"This is not the first time some rarely triggered bug in Firefox causes Tor to be bypassed, and certainly will not be the last one. Since these bugs have a very high security impact I propose they are guarded against. How about running Firefox inside some kind of firewall that drops all network packets not going to Tor?"
#
Comments:
#
by mikeperry

Good catch Robert. Disabling about:config pref network.websocket.enabled prevents it from happening for me... I'm now grepping through the Firefox WebSocket code looking for the issue..

#
by mikeperry

This is fixed and pushed to all TBB branches. I fixed it by blocking all DNS requests while socks_remote_dns is enabled, so we don't end up with this showing up in new components in the future.

Interested folks can review the patch here: https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0018-Prevent-WebSocket-DNS-leak.patch
#
Additional Reference:

[tor-talk] Firefox security bug (proxy-bypass

Firefox security bug (proxy-bypass) in current TBBs

https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs

"A user has discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.35-9 on Windows; 2.2.35-10 on MacOS and Linux).

To fix this dns leak/security hole, follow these steps:

Type âoeabout:configâ (without the quotes) into the Firefox URL bar. Press Enter.
Type âoewebsocketâ (again, without the quotes) into the search bar that appears below "about:config".
Double-click on âoenetwork.websocket.enabledâ. That line should now show âoefalseâ in the âValueâ(TM) column.

See Tor bug 5741 for more details.
(https://bugs.torproject.org/5741)
We are currently working on new bundles with a better fix."

- http://pastebin.com/xajsbiyh

#
Anonymous comments:
#
On May 2nd, 2012 Anonymous said:

Oh dear :(

Does anyone know if IP addresses leaked to Twitter when (through NoScript) I enabled javascript for that site?

If yes, I may be in trouble.
#
On May 2nd, 2012 Anonymous said:

@anon, AFAIK Twitter does not use web sockets, so even if you enabled Javascript on Twitter it should not be an issue. I could be wrong or there could be other issues.
#
On May 2nd, 2012 Anonymous said:

Theoretically, an exit node can embed a websocket into your traffic stream if you are using HTTP.
#
On May 2nd, 2012 Anonymous said:

As long as you weren't doing anything illegal in the United States you should be fine. Tor has never been about hiding illegal activity. And since Twitter is in the US and doesn't respond to foreign court orders⦠wellâ¦
#
On May 2nd, 2012 Anonymous said:

Ah right, maybe Anonymous "Oh dear" is a fucking communist, or even a dirty whistle blower like Maning! Brave, law abide citizens haven't got anything, that must be hidden, so maybe you want to forbid TOR, Mr. McCarthy?
#
On May 2nd, 2012 Anonymous said:

Oh great, so all my Pastebins are belong to the Feds?
#

THE DRAMA CONTINUES...

TBB proxy bypass: Some DNS requests not going through Tor
Ticket #5741 (closed defect: fixed)
https://trac.torproject.org/projects/tor/ticket/5741

"This is not the first time some rarely triggered bug in Firefox causes Tor to be bypassed, and certainly will not be the last one. Since these bugs have a very high security impact I propose they are guarded against. How about running Firefox inside some kind of firewall that drops all network packets not going to Tor?"
#
Comments:
#
by mikeperry

Good catch Robert. Disabling about:config pref network.websocket.enabled prevents it from happening for me... I'm now grepping through the Firefox WebSocket code looking for the issue..

#
by mikeperry

This is fixed and pushed to all TBB branches. I fixed it by blocking all DNS requests while socks_remote_dns is enabled, so we don't end up with this showing up in new components in the future.

Interested folks can review the patch here: https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0018-Prevent-WebSocket-DNS-leak.patch
#
Additional Reference:

[tor-talk] Firefox security bug (proxy-bypass

Firefox security bug (proxy-bypass) in current TBBs

https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs

"A user has discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.35-9 on Windows; 2.2.35-10 on MacOS and Linux).

To fix this dns leak/security hole, follow these steps:

Type âoeabout:configâ (without the quotes) into the Firefox URL bar. Press Enter.
Type âoewebsocketâ (again, without the quotes) into the search bar that appears below "about:config".
Double-click on âoenetwork.websocket.enabledâ. That line should now show âoefalseâ in the âValueâ(TM) column.

See Tor bug 5741 for more details.
(https://bugs.torproject.org/5741)
We are currently working on new bundles with a better fix."

- http://pastebin.com/xajsbiyh

#
Anonymous comments:
#
On May 2nd, 2012 Anonymous said:

Oh dear :(

Does anyone know if IP addresses leaked to Twitter when (through NoScript) I enabled javascript for that site?

If yes, I may be in trouble.
#
On May 2nd, 2012 Anonymous said:

@anon, AFAIK Twitter does not use web sockets, so even if you enabled Javascript on Twitter it should not be an issue. I could be wrong or there could be other issues.
#
On May 2nd, 2012 Anonymous said:

Theoretically, an exit node can embed a websocket into your traffic stream if you are using HTTP.
#
On May 2nd, 2012 Anonymous said:

As long as you weren't doing anything illegal in the United States you should be fine. Tor has never been about hiding illegal activity. And since Twitter is in the US and doesn't respond to foreign court orders⦠wellâ¦
#
On May 2nd, 2012 Anonymous said:

Ah right, maybe Anonymous "Oh dear" is a fucking communist, or even a dirty whistle blower like Maning! Brave, law abide citizens haven't got anything, that must be hidden, so maybe you want to forbid TOR, Mr. McCarthy?
#
On May 2nd, 2012 Anonymous said:

Oh great, so all my Pastebins are belong to the Feds?
#

THE DRAMA CONTINUES...

TBB proxy bypass: Some DNS requests not going through Tor
Ticket #5741 (closed defect: fixed)
https://trac.torproject.org/projects/tor/ticket/5741

"This is not the first time some rarely triggered bug in Firefox causes Tor to be bypassed, and certainly will not be the last one. Since these bugs have a very high security impact I propose they are guarded against. How about running Firefox inside some kind of firewall that drops all network packets not going to Tor?"
#
Comments:
#
by mikeperry

Good catch Robert. Disabling about:config pref network.websocket.enabled prevents it from happening for me... I'm now grepping through the Firefox WebSocket code looking for the issue..

#
by mikeperry

This is fixed and pushed to all TBB branches. I fixed it by blocking all DNS requests while socks_remote_dns is enabled, so we don't end up with this showing up in new components in the future.

Interested folks can review the patch here: https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0018-Prevent-WebSocket-DNS-leak.patch
#
Additional Reference:

[tor-talk] Firefox security bug (proxy-bypass

Firefox security bug (proxy-bypass) in current TBBs

https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs

"A user has discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.35-9 on Windows; 2.2.35-10 on MacOS and Linux).

To fix this dns leak/security hole, follow these steps:

Type âoeabout:configâ (without the quotes) into the Firefox URL bar. Press Enter.
Type âoewebsocketâ (again, without the quotes) into the search bar that appears below "about:config".
Double-click on âoenetwork.websocket.enabledâ. That line should now show âoefalseâ in the âValueâ(TM) column.

See Tor bug 5741 for more details.
(https://bugs.torproject.org/5741)
We are currently working on new bundles with a better fix."

- http://pastebin.com/xajsbiyh

#
Anonymous comments:
#
On May 2nd, 2012 Anonymous said:

Oh dear :(

Does anyone know if IP addresses leaked to Twitter when (through NoScript) I enabled javascript for that site?

If yes, I may be in trouble.
#
On May 2nd, 2012 Anonymous said:

@anon, AFAIK Twitter does not use web sockets, so even if you enabled Javascript on Twitter it should not be an issue. I could be wrong or there could be other issues.
#
On May 2nd, 2012 Anonymous said:

Theoretically, an exit node can embed a websocket into your traffic stream if you are using HTTP.
#
On May 2nd, 2012 Anonymous said:

As long as you weren't doing anything illegal in the United States you should be fine. Tor has never been about hiding illegal activity. And since Twitter is in the US and doesn't respond to foreign court orders⦠wellâ¦
#
On May 2nd, 2012 Anonymous said:

Ah right, maybe Anonymous "Oh dear" is a fucking communist, or even a dirty whistle blower like Maning! Brave, law abide citizens haven't got anything, that must be hidden, so maybe you want to forbid TOR, Mr. McCarthy?
#
On May 2nd, 2012 Anonymous said:

Oh great, so all my Pastebins are belong to the Feds?
#

THE DRAMA CONTINUES...

TBB proxy bypass: Some DNS requests not going through Tor
Ticket #5741 (closed defect: fixed)
https://trac.torproject.org/projects/tor/ticket/5741

"This is not the first time some rarely triggered bug in Firefox causes Tor to be bypassed, and certainly will not be the last one. Since these bugs have a very high security impact I propose they are guarded against. How about running Firefox inside some kind of firewall that drops all network packets not going to Tor?"
#
Comments:
#
by mikeperry

Good catch Robert. Disabling about:config pref network.websocket.enabled prevents it from happening for me... I'm now grepping through the Firefox WebSocket code looking for the issue..

#
by mikeperry

This is fixed and pushed to all TBB branches. I fixed it by blocking all DNS requests while socks_remote_dns is enabled, so we don't end up with this showing up in new components in the future.

Interested folks can review the patch here: https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0018-Prevent-WebSocket-DNS-leak.patch
#
Additional Reference:

[tor-talk] Firefox security bug (proxy-bypass

Firefox security bug (proxy-bypass) in current TBBs

https://blog.torproject.org/blog/firefox-security-bug-proxy-bypass-current-tbbs

"A user has discovered a severe security bug in Firefox related to websockets bypassing the SOCKS proxy DNS configuration. This means when connecting to a websocket service, your Firefox will query your local DNS resolver, rather than only communicating through its proxy (Tor) as it is configured to do. This bug is present in current Tor Browser Bundles (2.2.35-9 on Windows; 2.2.35-10 on MacOS and Linux).

To fix this dns leak/security hole, follow these steps:

Type âoeabout:configâ (without the quotes) into the Firefox URL bar. Press Enter.
Type âoewebsocketâ (again, without the quotes) into the search bar that appears below "about:config".
Double-click on âoenetwork.websocket.enabledâ. That line should now show âoefalseâ in the âValueâ(TM) column.

See Tor bug 5741 for more details.
(https://bugs.torproject.org/5741)
We are currently working on new bundles with a better fix."

- http://pastebin.com/xajsbiyh

#
Anonymous comments:
#
On May 2nd, 2012 Anonymous said:

Oh dear :(

Does anyone know if IP addresses leaked to Twitter when (through NoScript) I enabled javascript for that site?

If yes, I may be in trouble.
#
On May 2nd, 2012 Anonymous said:

@anon, AFAIK Twitter does not use web sockets, so even if you enabled Javascript on Twitter it should not be an issue. I could be wrong or there could be other issues.
#
On May 2nd, 2012 Anonymous said:

Theoretically, an exit node can embed a websocket into your traffic stream if you are using HTTP.
#
On May 2nd, 2012 Anonymous said:

As long as you weren't doing anything illegal in the United States you should be fine. Tor has never been about hiding illegal activity. And since Twitter is in the US and doesn't respond to foreign court orders⦠wellâ¦
#
On May 2nd, 2012 Anonymous said:

Ah right, maybe Anonymous "Oh dear" is a fucking communist, or even a dirty whistle blower like Maning! Brave, law abide citizens haven't got anything, that must be hidden, so maybe you want to forbid TOR, Mr. McCarthy?
#
On May 2nd, 2012 Anonymous said:

Oh great, so all my Pastebins are belong to the Feds?
#

THE DRAMA CONTINUES...

TBB proxy bypass: Some DNS requests not going through Tor
Ticket #5741 (closed defect: fixed)
https://trac.torproject.org/projects/tor/ticket/5741

"This is not the first time some rarely triggered bug in Firefox causes Tor to be bypassed, and certainly will not be the last one. Since these bugs have a very high security impact I propose they are guarded against. How about running Firefox inside some kind of firewall that drops all network packets not going to Tor?"
#
Comments:
#
by mikeperry

Good catch Robert. Disabling about:config pref network.websocket.enabled prevents it from happening for me... I'm now grepping through the Firefox WebSocket code looking for the issue..

#
by mikeperry

This is fixed and pushed to all TBB branches. I fixed it by blocking all DNS requests while socks_remote_dns is enabled, so we don't end up with this showing up in new components in the future.

Interested folks can review the patch here: https://gitweb.torproject.org/torbrowser.git/blob/maint-2.2:/src/current-patches/firefox/0018-Prevent-WebSocket-DNS-leak.patch
#
Additional Reference:

[tor-talk] Firefox security bug (proxy-bypass

They don't make any profits, it's a non-profit; they are not allowed to.

It is likely that all this code is free and open software, as is everything else they have released. This makes it difficult to hide their intentions. I have not verified this since the website seemed to be slashdotted.

Vuln references:

- http://www.openssl.org/news/secadv_20120419.txt
- http://it.slashdot.org/story/12/04/19/1351203/major-openssl-security-issue-found-and-fixed

From the tor mailing list url below, they don't sound imo too concerned over it, but imo they really should be and so
should you if you use Tor! Monitor your logs in Tor and be aware of any bad entries highlighted in Vidalia in yellow related
to this vuln!

This message was posted to the most recent Tor Blog post comments area, awaiting approval. Please share this information with others and add this IP's fingerprint into your torrc file's block list. They could change their fingerprint at any time, so check the tor router list ( at http://torstatus.blutmagie.de/ ) for this IP or an IP within the range listed below for any new fingerprints and add them to your blocked section of your torrc file.

OFF TOPIC :

Please update the TBB with the newest version of OpenSSL.

Today I received my first ever SSL cert error within Vidalia, using the latest TBB version for my platform of choice.

I have never witnessed this error in the past. The error in the logs showcased several lines of errors, around 4, I believe, and it was directly related to the OpenSSL vuln, in my guess.

I regret not saving the error logs, but at the time I shrugged it off.

I do recall the IP associated with the error:

Router Name: whywouldiwanna
IP: 69.55.55.93
FP: $9e1dd7c6fa7f72b9473daf3f0780bbc7c1ce670f

Detail:

http://torstatus.blutmagie.de/router_detail.php?FP=9e1dd7c6fa7f72b9473daf3f0780bbc7c1ce670f

I'm familiar with the related discussion here:

https://lists.torproject.org/pipermail/tor-talk/2012-April/024031.html

but I believe it to be incorrect.

I strongly believe an updated release of all TBB versions' OpenSSL should be updated AT ONCE.

Let's not speculate, put this update into motion!

OrgTechEmail: abuse@realitychecknetwork.com

So.

What can we do which is bigger than the blackout?

I don't want to believe we don't stand a chance. We have to keep fighting.

Start by signing the petitions on EFF and avaaz.org sites. Then spread the word.

Also, you may want to consider setting up a Tor bridge using Amazon free tier (if you can't afford to pay $30 a month to sponsor a more permanent one)... just in case.

How would you like your Tor traffic dumped to plain text on your hard drive in REAL TIME?

Don't let yourself get FUCKED IN THE ASS!

*
Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
*** NEVER FORGET ***
*
- http://seclists.org/bugtraq/2012/Mar/85
- http://www.securityfocus.com/archive/1/522003/30/0/threaded
*
"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
like domain names to a file in the root of the browser bundle."

https://trac.torproject.org/projects/tor/ticket/5417

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on
RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1];

or

if [ ${debug} -eq 1 ];

*
Thank you for the warning. I expected something like this to happen, given the last slip up with a mistake in FF versions. This, "error", if you wish to call it such, shouldn't have happened. Again, this is a lack of testing.

I hope no one in Iran, China, or other freedom starved regions were screwed because of this.

I hope a fix is released and quickly.

These mistakes should be posted in the Tor announcements mailing list (no announcements at all since Dec/11 is pathetic) and on the blog.

It would help Tor users even more if you were to actually create web forums for discussions (but I doubt you will, we've only been asking for this for years!) where you could sticky-pin these types of mistakes and communicate better with the broad range of users.

A large number of people will never use a bug tracker, and/or never use mailing lists. They are simpler minded people or too busy, this is where web based discussion forums come in. Users should not have to scramble to unofficial .onion forums which are up one day and down the next and which may (and have in the past!) contain malicious posts/threads to target the user's browser and/or Tor itself.

With errors like this, perhaps you should let Mickey Mouse sign the future Linux release bundles with his fictional GPG key. He couldn't do any worse.

I've also noticed FF crashing more often since the last few releases.

I guess it's time for us Linux bundle users to run W.I.N.E. and the Windows version of the bundle on Linux so we know we are not getting borked with some new fantastic bug or lack of oversight like this again.

But will this post be approved for others to see, or swept under the rug like one previous post about a similar issue.

Now I'm looking forward to the next release, not for use, but just to see what type of bug(s) it may contain. THANKS!

*
Nick Mathewson
Mon, 19 Mar 2012 09:40:43 -0700

It seems that a fix was merged yesterday: see
https://trac.torproject.org/projects/tor/ticket/5417 and
https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
.

I bet there will be new TBBs out very soon.

In the meantime, Linux users should delete vidalia-debug-log and
symlink it to /dev/null. (Haven't tested that, but it should work:

How would you like your Tor traffic dumped to plain text on your hard drive in REAL TIME?

Don't let yourself get FUCKED IN THE ASS!

*
Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
*** NEVER FORGET ***
*
- http://seclists.org/bugtraq/2012/Mar/85
- http://www.securityfocus.com/archive/1/522003/30/0/threaded
*
"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
like domain names to a file in the root of the browser bundle."

https://trac.torproject.org/projects/tor/ticket/5417

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on
RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1];

or

if [ ${debug} -eq 1 ];

*
Thank you for the warning. I expected something like this to happen, given the last slip up with a mistake in FF versions. This, "error", if you wish to call it such, shouldn't have happened. Again, this is a lack of testing.

I hope no one in Iran, China, or other freedom starved regions were screwed because of this.

I hope a fix is released and quickly.

These mistakes should be posted in the Tor announcements mailing list (no announcements at all since Dec/11 is pathetic) and on the blog.

It would help Tor users even more if you were to actually create web forums for discussions (but I doubt you will, we've only been asking for this for years!) where you could sticky-pin these types of mistakes and communicate better with the broad range of users.

A large number of people will never use a bug tracker, and/or never use mailing lists. They are simpler minded people or too busy, this is where web based discussion forums come in. Users should not have to scramble to unofficial .onion forums which are up one day and down the next and which may (and have in the past!) contain malicious posts/threads to target the user's browser and/or Tor itself.

With errors like this, perhaps you should let Mickey Mouse sign the future Linux release bundles with his fictional GPG key. He couldn't do any worse.

I've also noticed FF crashing more often since the last few releases.

I guess it's time for us Linux bundle users to run W.I.N.E. and the Windows version of the bundle on Linux so we know we are not getting borked with some new fantastic bug or lack of oversight like this again.

But will this post be approved for others to see, or swept under the rug like one previous post about a similar issue.

Now I'm looking forward to the next release, not for use, but just to see what type of bug(s) it may contain. THANKS!

*
Nick Mathewson
Mon, 19 Mar 2012 09:40:43 -0700

It seems that a fix was merged yesterday: see
https://trac.torproject.org/projects/tor/ticket/5417 and
https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
.

I bet there will be new TBBs out very soon.

In the meantime, Linux users should delete vidalia-debug-log and
symlink it to /dev/null. (Haven't tested that, but it should work:

How would you like your Tor traffic dumped to plain text on your hard drive in REAL TIME?

Don't let yourself get FUCKED IN THE ASS!

*
Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
*** NEVER FORGET ***
*
- http://seclists.org/bugtraq/2012/Mar/85
- http://www.securityfocus.com/archive/1/522003/30/0/threaded
*
"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
like domain names to a file in the root of the browser bundle."

https://trac.torproject.org/projects/tor/ticket/5417

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on
RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1];

or

if [ ${debug} -eq 1 ];

*
Thank you for the warning. I expected something like this to happen, given the last slip up with a mistake in FF versions. This, "error", if you wish to call it such, shouldn't have happened. Again, this is a lack of testing.

I hope no one in Iran, China, or other freedom starved regions were screwed because of this.

I hope a fix is released and quickly.

These mistakes should be posted in the Tor announcements mailing list (no announcements at all since Dec/11 is pathetic) and on the blog.

It would help Tor users even more if you were to actually create web forums for discussions (but I doubt you will, we've only been asking for this for years!) where you could sticky-pin these types of mistakes and communicate better with the broad range of users.

A large number of people will never use a bug tracker, and/or never use mailing lists. They are simpler minded people or too busy, this is where web based discussion forums come in. Users should not have to scramble to unofficial .onion forums which are up one day and down the next and which may (and have in the past!) contain malicious posts/threads to target the user's browser and/or Tor itself.

With errors like this, perhaps you should let Mickey Mouse sign the future Linux release bundles with his fictional GPG key. He couldn't do any worse.

I've also noticed FF crashing more often since the last few releases.

I guess it's time for us Linux bundle users to run W.I.N.E. and the Windows version of the bundle on Linux so we know we are not getting borked with some new fantastic bug or lack of oversight like this again.

But will this post be approved for others to see, or swept under the rug like one previous post about a similar issue.

Now I'm looking forward to the next release, not for use, but just to see what type of bug(s) it may contain. THANKS!

*
Nick Mathewson
Mon, 19 Mar 2012 09:40:43 -0700

It seems that a fix was merged yesterday: see
https://trac.torproject.org/projects/tor/ticket/5417 and
https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
.

I bet there will be new TBBs out very soon.

In the meantime, Linux users should delete vidalia-debug-log and
symlink it to /dev/null. (Haven't tested that, but it should work:

#
Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
*** NEVER FORGET ***
#
- http://seclists.org/bugtraq/2012/Mar/85
- http://www.securityfocus.com/archive/1/522003/30/0/threaded
#
"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
like domain names to a file in the root of the browser bundle."

https://trac.torproject.org/projects/tor/ticket/5417

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on
RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1];

or

if [ ${debug} -eq 1 ];

#
Thank you for the warning. I expected something like this to happen, given the last slip up with a mistake in FF versions. This, "error", if you wish to call it such, shouldn't have happened. Again, this is a lack of testing.

I hope no one in Iran, China, or other freedom starved regions were screwed because of this.

I hope a fix is released and quickly.

These mistakes should be posted in the Tor announcements mailing list (no announcements at all since Dec/11 is pathetic) and on the blog.

It would help Tor users even more if you were to actually create web forums for discussions (but I doubt you will, we've only been asking for this for years!) where you could sticky-pin these types of mistakes and communicate better with the broad range of users.

A large number of people will never use a bug tracker, and/or never use mailing lists. They are simpler minded people or too busy, this is where web based discussion forums come in. Users should not have to scramble to unofficial .onion forums which are up one day and down the next and which may (and have in the past!) contain malicious posts/threads to target the user's browser and/or Tor itself.

With errors like this, perhaps you should let Mickey Mouse sign the future Linux release bundles with his fictional GPG key. He couldn't do any worse.

I've also noticed FF crashing more often since the last few releases.

I guess it's time for us Linux bundle users to run W.I.N.E. and the Windows version of the bundle on Linux so we know we are not getting borked with some new fantastic bug or lack of oversight like this again.

But will this post be approved for others to see, or swept under the rug like one previous post about a similar issue.

Now I'm looking forward to the next release, not for use, but just to see what type of bug(s) it may contain. THANKS!

#
Nick Mathewson
Mon, 19 Mar 2012 09:40:43 -0700

It seems that a fix was merged yesterday: see
https://trac.torproject.org/projects/tor/ticket/5417 and
https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
.

I bet there will be new TBBs out very soon.

In the meantime, Linux users should delete vidalia-debug-log and
symlink it to /dev/null. (Haven't tested that, but it should work:

% ln -sf /dev/null /path/to/vidalia-debug-log
% ls -l /path/to/vid

#
Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
*** NEVER FORGET ***
#
- http://seclists.org/bugtraq/2012/Mar/85
- http://www.securityfocus.com/archive/1/522003/30/0/threaded
#
"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
like domain names to a file in the root of the browser bundle."

https://trac.torproject.org/projects/tor/ticket/5417

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on
RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1];

or

if [ ${debug} -eq 1 ];

#
Thank you for the warning. I expected something like this to happen, given the last slip up with a mistake in FF versions. This, "error", if you wish to call it such, shouldn't have happened. Again, this is a lack of testing.

I hope no one in Iran, China, or other freedom starved regions were screwed because of this.

I hope a fix is released and quickly.

These mistakes should be posted in the Tor announcements mailing list (no announcements at all since Dec/11 is pathetic) and on the blog.

It would help Tor users even more if you were to actually create web forums for discussions (but I doubt you will, we've only been asking for this for years!) where you could sticky-pin these types of mistakes and communicate better with the broad range of users.

A large number of people will never use a bug tracker, and/or never use mailing lists. They are simpler minded people or too busy, this is where web based discussion forums come in. Users should not have to scramble to unofficial .onion forums which are up one day and down the next and which may (and have in the past!) contain malicious posts/threads to target the user's browser and/or Tor itself.

With errors like this, perhaps you should let Mickey Mouse sign the future Linux release bundles with his fictional GPG key. He couldn't do any worse.

I've also noticed FF crashing more often since the last few releases.

I guess it's time for us Linux bundle users to run W.I.N.E. and the Windows version of the bundle on Linux so we know we are not getting borked with some new fantastic bug or lack of oversight like this again.

But will this post be approved for others to see, or swept under the rug like one previous post about a similar issue.

Now I'm looking forward to the next release, not for use, but just to see what type of bug(s) it may contain. THANKS!

#
Nick Mathewson
Mon, 19 Mar 2012 09:40:43 -0700

It seems that a fix was merged yesterday: see
https://trac.torproject.org/projects/tor/ticket/5417 and
https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
.

I bet there will be new TBBs out very soon.

In the meantime, Linux users should delete vidalia-debug-log and
symlink it to /dev/null. (Haven't tested that, but it should work:

% ln -sf /dev/null /path/to/vidalia-debug-log
% ls -l /path/to/vid

#
Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
*** NEVER FORGET ***
#
- http://seclists.org/bugtraq/2012/Mar/85
- http://www.securityfocus.com/archive/1/522003/30/0/threaded
#
"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
like domain names to a file in the root of the browser bundle."

https://trac.torproject.org/projects/tor/ticket/5417

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on
RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1];

or

if [ ${debug} -eq 1 ];

#
Thank you for the warning. I expected something like this to happen, given the last slip up with a mistake in FF versions. This, "error", if you wish to call it such, shouldn't have happened. Again, this is a lack of testing.

I hope no one in Iran, China, or other freedom starved regions were screwed because of this.

I hope a fix is released and quickly.

These mistakes should be posted in the Tor announcements mailing list (no announcements at all since Dec/11 is pathetic) and on the blog.

It would help Tor users even more if you were to actually create web forums for discussions (but I doubt you will, we've only been asking for this for years!) where you could sticky-pin these types of mistakes and communicate better with the broad range of users.

A large number of people will never use a bug tracker, and/or never use mailing lists. They are simpler minded people or too busy, this is where web based discussion forums come in. Users should not have to scramble to unofficial .onion forums which are up one day and down the next and which may (and have in the past!) contain malicious posts/threads to target the user's browser and/or Tor itself.

With errors like this, perhaps you should let Mickey Mouse sign the future Linux release bundles with his fictional GPG key. He couldn't do any worse.

I've also noticed FF crashing more often since the last few releases.

I guess it's time for us Linux bundle users to run W.I.N.E. and the Windows version of the bundle on Linux so we know we are not getting borked with some new fantastic bug or lack of oversight like this again.

But will this post be approved for others to see, or swept under the rug like one previous post about a similar issue.

Now I'm looking forward to the next release, not for use, but just to see what type of bug(s) it may contain. THANKS!

#
Nick Mathewson
Mon, 19 Mar 2012 09:40:43 -0700

It seems that a fix was merged yesterday: see
https://trac.torproject.org/projects/tor/ticket/5417 and
https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
.

I bet there will be new TBBs out very soon.

In the meantime, Linux users should delete vidalia-debug-log and
symlink it to /dev/null. (Haven't tested that, but it should work:

% ln -sf /dev/null /path/to/vidalia-debug-log
% ls -l /path/to/vid

#
Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
*** NEVER FORGET ***
#
- http://seclists.org/bugtraq/2012/Mar/85
- http://www.securityfocus.com/archive/1/522003/30/0/threaded
#
"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
like domain names to a file in the root of the browser bundle."

https://trac.torproject.org/projects/tor/ticket/5417

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on
RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1];

or

if [ ${debug} -eq 1 ];

#
Thank you for the warning. I expected something like this to happen, given the last slip up with a mistake in FF versions. This, "error", if you wish to call it such, shouldn't have happened. Again, this is a lack of testing.

I hope no one in Iran, China, or other freedom starved regions were screwed because of this.

I hope a fix is released and quickly.

These mistakes should be posted in the Tor announcements mailing list (no announcements at all since Dec/11 is pathetic) and on the blog.

It would help Tor users even more if you were to actually create web forums for discussions (but I doubt you will, we've only been asking for this for years!) where you could sticky-pin these types of mistakes and communicate better with the broad range of users.

A large number of people will never use a bug tracker, and/or never use mailing lists. They are simpler minded people or too busy, this is where web based discussion forums come in. Users should not have to scramble to unofficial .onion forums which are up one day and down the next and which may (and have in the past!) contain malicious posts/threads to target the user's browser and/or Tor itself.

With errors like this, perhaps you should let Mickey Mouse sign the future Linux release bundles with his fictional GPG key. He couldn't do any worse.

I've also noticed FF crashing more often since the last few releases.

I guess it's time for us Linux bundle users to run W.I.N.E. and the Windows version of the bundle on Linux so we know we are not getting borked with some new fantastic bug or lack of oversight like this again.

But will this post be approved for others to see, or swept under the rug like one previous post about a similar issue.

Now I'm looking forward to the next release, not for use, but just to see what type of bug(s) it may contain. THANKS!

#
Nick Mathewson
Mon, 19 Mar 2012 09:40:43 -0700

It seems that a fix was merged yesterday: see
https://trac.torproject.org/projects/tor/ticket/5417 and
https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
.

I bet there will be new TBBs out very soon.

In the meantime, Linux users should delete vidalia-debug-log and
symlink it to /dev/null. (Haven't tested that, but it should work:

% ln -sf /dev/null /path/to/vidalia-debug-log
% ls -l /path/to/vid

#
Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
*** NEVER FORGET ***
#
- http://seclists.org/bugtraq/2012/Mar/85
- http://www.securityfocus.com/archive/1/522003/30/0/threaded
#
"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
like domain names to a file in the root of the browser bundle."

https://trac.torproject.org/projects/tor/ticket/5417

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on
RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1];

or

if [ ${debug} -eq 1 ];

#
Thank you for the warning. I expected something like this to happen, given the last slip up with a mistake in FF versions. This, "error", if you wish to call it such, shouldn't have happened. Again, this is a lack of testing.

I hope no one in Iran, China, or other freedom starved regions were screwed because of this.

I hope a fix is released and quickly.

These mistakes should be posted in the Tor announcements mailing list (no announcements at all since Dec/11 is pathetic) and on the blog.

It would help Tor users even more if you were to actually create web forums for discussions (but I doubt you will, we've only been asking for this for years!) where you could sticky-pin these types of mistakes and communicate better with the broad range of users.

A large number of people will never use a bug tracker, and/or never use mailing lists. They are simpler minded people or too busy, this is where web based discussion forums come in. Users should not have to scramble to unofficial .onion forums which are up one day and down the next and which may (and have in the past!) contain malicious posts/threads to target the user's browser and/or Tor itself.

With errors like this, perhaps you should let Mickey Mouse sign the future Linux release bundles with his fictional GPG key. He couldn't do any worse.

I've also noticed FF crashing more often since the last few releases.

I guess it's time for us Linux bundle users to run W.I.N.E. and the Windows version of the bundle on Linux so we know we are not getting borked with some new fantastic bug or lack of oversight like this again.

But will this post be approved for others to see, or swept under the rug like one previous post about a similar issue.

Now I'm looking forward to the next release, not for use, but just to see what type of bug(s) it may contain. THANKS!

#
Nick Mathewson
Mon, 19 Mar 2012 09:40:43 -0700

It seems that a fix was merged yesterday: see
https://trac.torproject.org/projects/tor/ticket/5417 and
https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
.

I bet there will be new TBBs out very soon.

In the meantime, Linux users should delete vidalia-debug-log and
symlink it to /dev/null. (Haven't tested that, but it should work:

% ln -sf /dev/null /path/to/vidalia-debug-log
% ls -l /path/to/vid

#
Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
*** NEVER FORGET ***
#
- http://seclists.org/bugtraq/2012/Mar/85
- http://www.securityfocus.com/archive/1/522003/30/0/threaded
#
"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
like domain names to a file in the root of the browser bundle."

https://trac.torproject.org/projects/tor/ticket/5417

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on
RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1];

or

if [ ${debug} -eq 1 ];

#
Thank you for the warning. I expected something like this to happen, given the last slip up with a mistake in FF versions. This, "error", if you wish to call it such, shouldn't have happened. Again, this is a lack of testing.

I hope no one in Iran, China, or other freedom starved regions were screwed because of this.

I hope a fix is released and quickly.

These mistakes should be posted in the Tor announcements mailing list (no announcements at all since Dec/11 is pathetic) and on the blog.

It would help Tor users even more if you were to actually create web forums for discussions (but I doubt you will, we've only been asking for this for years!) where you could sticky-pin these types of mistakes and communicate better with the broad range of users.

A large number of people will never use a bug tracker, and/or never use mailing lists. They are simpler minded people or too busy, this is where web based discussion forums come in. Users should not have to scramble to unofficial .onion forums which are up one day and down the next and which may (and have in the past!) contain malicious posts/threads to target the user's browser and/or Tor itself.

With errors like this, perhaps you should let Mickey Mouse sign the future Linux release bundles with his fictional GPG key. He couldn't do any worse.

I've also noticed FF crashing more often since the last few releases.

I guess it's time for us Linux bundle users to run W.I.N.E. and the Windows version of the bundle on Linux so we know we are not getting borked with some new fantastic bug or lack of oversight like this again.

But will this post be approved for others to see, or swept under the rug like one previous post about a similar issue.

Now I'm looking forward to the next release, not for use, but just to see what type of bug(s) it may contain. THANKS!

#
Nick Mathewson
Mon, 19 Mar 2012 09:40:43 -0700

It seems that a fix was merged yesterday: see
https://trac.torproject.org/projects/tor/ticket/5417 and
https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
.

I bet there will be new TBBs out very soon.

In the meantime, Linux users should delete vidalia-debug-log and
symlink it to /dev/null. (Haven't tested that, but it should work:

% ln -sf /dev/null /path/to/vidalia-debug-log
% ls -l /path/to/vid

##
Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
*** NEVER FORGET ***
#
- http://seclists.org/bugtraq/2012/Mar/85
- http://www.securityfocus.com/archive/1/522003/30/0/threaded
#
"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
like domain names to a file in the root of the browser bundle."

https://trac.torproject.org/projects/tor/ticket/5417

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on
RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1];

or

if [ ${debug} -eq 1 ];

#
Thank you for the warning. I expected something like this to happen, given the last slip up with a mistake in FF versions. This, "error", if you wish to call it such, shouldn't have happened. Again, this is a lack of testing.

I hope no one in Iran, China, or other freedom starved regions were screwed because of this.

I hope a fix is released and quickly.

These mistakes should be posted in the Tor announcements mailing list (no announcements at all since Dec/11 is pathetic) and on the blog.

It would help Tor users even more if you were to actually create web forums for discussions (but I doubt you will, we've only been asking for this for years!) where you could sticky-pin these types of mistakes and communicate better with the broad range of users.

A large number of people will never use a bug tracker, and/or never use mailing lists. They are simpler minded people or too busy, this is where web based discussion forums come in. Users should not have to scramble to unofficial .onion forums which are up one day and down the next and which may (and have in the past!) contain malicious posts/threads to target the user's browser and/or Tor itself.

With errors like this, perhaps you should let Mickey Mouse sign the future Linux release bundles with his fictional GPG key. He couldn't do any worse.

I've also noticed FF crashing more often since the last few releases.

I guess it's time for us Linux bundle users to run W.I.N.E. and the Windows version of the bundle on Linux so we know we are not getting borked with some new fantastic bug or lack of oversight like this again.

But will this post be approved for others to see, or swept under the rug like one previous post about a similar issue.

Now I'm looking forward to the next release, not for use, but just to see what type of bug(s) it may contain. THANKS!

#
Nick Mathewson
Mon, 19 Mar 2012 09:40:43 -0700

It seems that a fix was merged yesterday: see
https://trac.torproject.org/projects/tor/ticket/5417 and
https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
.

I bet there will be new TBBs out very soon.

In the meantime, Linux users should delete vidalia-debug-log and
symlink it to /dev/null. (Haven't tested that, but it should work:

% ln -sf /dev/null /path/to/vidalia-debug-log
% ls -l /path/to/vi

##
Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
*** NEVER FORGET ***
#
- http://seclists.org/bugtraq/2012/Mar/85
- http://www.securityfocus.com/archive/1/522003/30/0/threaded
#
"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
like domain names to a file in the root of the browser bundle."

https://trac.torproject.org/projects/tor/ticket/5417

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on
RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1];

or

if [ ${debug} -eq 1 ];

#
Thank you for the warning. I expected something like this to happen, given the last slip up with a mistake in FF versions. This, "error", if you wish to call it such, shouldn't have happened. Again, this is a lack of testing.

I hope no one in Iran, China, or other freedom starved regions were screwed because of this.

I hope a fix is released and quickly.

These mistakes should be posted in the Tor announcements mailing list (no announcements at all since Dec/11 is pathetic) and on the blog.

It would help Tor users even more if you were to actually create web forums for discussions (but I doubt you will, we've only been asking for this for years!) where you could sticky-pin these types of mistakes and communicate better with the broad range of users.

A large number of people will never use a bug tracker, and/or never use mailing lists. They are simpler minded people or too busy, this is where web based discussion forums come in. Users should not have to scramble to unofficial .onion forums which are up one day and down the next and which may (and have in the past!) contain malicious posts/threads to target the user's browser and/or Tor itself.

With errors like this, perhaps you should let Mickey Mouse sign the future Linux release bundles with his fictional GPG key. He couldn't do any worse.

I've also noticed FF crashing more often since the last few releases.

I guess it's time for us Linux bundle users to run W.I.N.E. and the Windows version of the bundle on Linux so we know we are not getting borked with some new fantastic bug or lack of oversight like this again.

But will this post be approved for others to see, or swept under the rug like one previous post about a similar issue.

Now I'm looking forward to the next release, not for use, but just to see what type of bug(s) it may contain. THANKS!

#
Nick Mathewson
Mon, 19 Mar 2012 09:40:43 -0700

It seems that a fix was merged yesterday: see
https://trac.torproject.org/projects/tor/ticket/5417 and
https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
.

I bet there will be new TBBs out very soon.

In the meantime, Linux users should delete vidalia-debug-log and
symlink it to /dev/null. (Haven't tested that, but it should work:

% ln -sf /dev/null /path/to/vidalia-debug-log
% ls -l /path/to/vi

##
Tor Browser Bundle for Linux (2.2.35-8) "EVIL bug"
*** NEVER FORGET ***
#
- http://seclists.org/bugtraq/2012/Mar/85
- http://www.securityfocus.com/archive/1/522003/30/0/threaded
#
"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
like domain names to a file in the root of the browser bundle."

https://trac.torproject.org/projects/tor/ticket/5417

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on
RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1];

or

if [ ${debug} -eq 1 ];

#
Thank you for the warning. I expected something like this to happen, given the last slip up with a mistake in FF versions. This, "error", if you wish to call it such, shouldn't have happened. Again, this is a lack of testing.

I hope no one in Iran, China, or other freedom starved regions were screwed because of this.

I hope a fix is released and quickly.

These mistakes should be posted in the Tor announcements mailing list (no announcements at all since Dec/11 is pathetic) and on the blog.

It would help Tor users even more if you were to actually create web forums for discussions (but I doubt you will, we've only been asking for this for years!) where you could sticky-pin these types of mistakes and communicate better with the broad range of users.

A large number of people will never use a bug tracker, and/or never use mailing lists. They are simpler minded people or too busy, this is where web based discussion forums come in. Users should not have to scramble to unofficial .onion forums which are up one day and down the next and which may (and have in the past!) contain malicious posts/threads to target the user's browser and/or Tor itself.

With errors like this, perhaps you should let Mickey Mouse sign the future Linux release bundles with his fictional GPG key. He couldn't do any worse.

I've also noticed FF crashing more often since the last few releases.

I guess it's time for us Linux bundle users to run W.I.N.E. and the Windows version of the bundle on Linux so we know we are not getting borked with some new fantastic bug or lack of oversight like this again.

But will this post be approved for others to see, or swept under the rug like one previous post about a similar issue.

Now I'm looking forward to the next release, not for use, but just to see what type of bug(s) it may contain. THANKS!

#
Nick Mathewson
Mon, 19 Mar 2012 09:40:43 -0700

It seems that a fix was merged yesterday: see
https://trac.torproject.org/projects/tor/ticket/5417 and
https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
.

I bet there will be new TBBs out very soon.

In the meantime, Linux users should delete vidalia-debug-log and
symlink it to /dev/null. (Haven't tested that, but it should work:

% ln -sf /dev/null /path/to/vidalia-debug-log
% ls -l /path/to/vi

"There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things
like domain names to a file in the root of the browser bundle."

https://trac.torproject.org/projects/tor/ticket/5417

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on
RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1];

or

if [ ${debug} -eq 1 ];

CONFIRMED! "EVIL bug" Linux Tor Browser Bundle (2.2.35-8)

        https://lists.torproject.org/pipermail/tor-talk/2012-March/023685.html

        On Mon, Mar 19, 2012 at 10:51 AM, wrote:
        > https://blog.torproject.org/blog/new-tor-browser-bundles-16
        >
        > On March 18th, 2012 Anonymous said:
        >
        > "There is an EVIL bug in at least the Linux start-tor-browser script. See
        > https://trac.torproject.org/projects/tor/ticket/5417
        >
        > A simple error with a simple fix.
        >
        > It will log things like domain names to a file in the root of the browser
        > bundle."
        >
        >
        > Wow, Anonymous! Wow, what an amazing, "bug".
        >
        > Linux users, check your Tor Browser Bundle install directory for the file:
        > "vidalia-debug-log" and examine it.
        >
        > Is a new version with a fix in the works?

        "It seems that a fix was merged yesterday: see
        https://trac.torproject.org/projects/tor/ticket/5417 and
        https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
        .

        I bet there will be new TBBs out very soon.

        In the meantime, Linux users should delete vidalia-debug-log and
        symlink it to /dev/null. (Haven't tested that, but it should work:

            % ln -sf /dev/null /path/to/vidalia-debug-log
            % ls -l /path/to/vidalia-debug-log

            lrwxr-xr-x 1 username username 9 Mar 19 11:53 vidalia-debug-log
        -> /dev/null .)

        IMO, this is a really good reason for us to move to getting enough
        automation done so we can have nightly TBB builds and catch this kind
        of thing *before* actual releases come out.

        --
        Nick"

CONFIRMED! "EVIL bug" Linux Tor Browser Bundle (2.2.35-8)

        https://lists.torproject.org/pipermail/tor-talk/2012-March/023685.html

        On Mon, Mar 19, 2012 at 10:51 AM, wrote:
        > https://blog.torproject.org/blog/new-tor-browser-bundles-16
        >
        > On March 18th, 2012 Anonymous said:
        >
        > "There is an EVIL bug in at least the Linux start-tor-browser script. See
        > https://trac.torproject.org/projects/tor/ticket/5417
        >
        > A simple error with a simple fix.
        >
        > It will log things like domain names to a file in the root of the browser
        > bundle."
        >
        >
        > Wow, Anonymous! Wow, what an amazing, "bug".
        >
        > Linux users, check your Tor Browser Bundle install directory for the file:
        > "vidalia-debug-log" and examine it.
        >
        > Is a new version with a fix in the works?

        "It seems that a fix was merged yesterday: see
        https://trac.torproject.org/projects/tor/ticket/5417 and
        https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
        .

        I bet there will be new TBBs out very soon.

        In the meantime, Linux users should delete vidalia-debug-log and
        symlink it to /dev/null. (Haven't tested that, but it should work:

            % ln -sf /dev/null /path/to/vidalia-debug-log
            % ls -l /path/to/vidalia-debug-log

            lrwxr-xr-x 1 username username 9 Mar 19 11:53 vidalia-debug-log
        -> /dev/null .)

        IMO, this is a really good reason for us to move to getting enough
        automation done so we can have nightly TBB builds and catch this kind
        of thing *before* actual releases come out.

        --
        Nick"

CONFIRMED! "EVIL bug" Linux Tor Browser Bundle (2.2.35-8)

        https://lists.torproject.org/pipermail/tor-talk/2012-March/023685.html

        On Mon, Mar 19, 2012 at 10:51 AM, wrote:
        > https://blog.torproject.org/blog/new-tor-browser-bundles-16
        >
        > On March 18th, 2012 Anonymous said:
        >
        > "There is an EVIL bug in at least the Linux start-tor-browser script. See
        > https://trac.torproject.org/projects/tor/ticket/5417
        >
        > A simple error with a simple fix.
        >
        > It will log things like domain names to a file in the root of the browser
        > bundle."
        >
        >
        > Wow, Anonymous! Wow, what an amazing, "bug".
        >
        > Linux users, check your Tor Browser Bundle install directory for the file:
        > "vidalia-debug-log" and examine it.
        >
        > Is a new version with a fix in the works?

        "It seems that a fix was merged yesterday: see
        https://trac.torproject.org/projects/tor/ticket/5417 and
        https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
        .

        I bet there will be new TBBs out very soon.

        In the meantime, Linux users should delete vidalia-debug-log and
        symlink it to /dev/null. (Haven't tested that, but it should work:

            % ln -sf /dev/null /path/to/vidalia-debug-log
            % ls -l /path/to/vidalia-debug-log

            lrwxr-xr-x 1 username username 9 Mar 19 11:53 vidalia-debug-log
        -> /dev/null .)

        IMO, this is a really good reason for us to move to getting enough
        automation done so we can have nightly TBB builds and catch this kind
        of thing *before* actual releases come out.

        --
        Nick"

CONFIRMED! "EVIL bug" Linux Tor Browser Bundle (2.2.35-8)

        https://lists.torproject.org/pipermail/tor-talk/2012-March/023685.html

        On Mon, Mar 19, 2012 at 10:51 AM, wrote:
        > https://blog.torproject.org/blog/new-tor-browser-bundles-16
        >
        > On March 18th, 2012 Anonymous said:
        >
        > "There is an EVIL bug in at least the Linux start-tor-browser script. See
        > https://trac.torproject.org/projects/tor/ticket/5417
        >
        > A simple error with a simple fix.
        >
        > It will log things like domain names to a file in the root of the browser
        > bundle."
        >
        >
        > Wow, Anonymous! Wow, what an amazing, "bug".
        >
        > Linux users, check your Tor Browser Bundle install directory for the file:
        > "vidalia-debug-log" and examine it.
        >
        > Is a new version with a fix in the works?

        "It seems that a fix was merged yesterday: see
        https://trac.torproject.org/projects/tor/ticket/5417 and
        https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
        .

        I bet there will be new TBBs out very soon.

        In the meantime, Linux users should delete vidalia-debug-log and
        symlink it to /dev/null. (Haven't tested that, but it should work:

            % ln -sf /dev/null /path/to/vidalia-debug-log
            % ls -l /path/to/vidalia-debug-log

            lrwxr-xr-x 1 username username 9 Mar 19 11:53 vidalia-debug-log
        -> /dev/null .)

        IMO, this is a really good reason for us to move to getting enough
        automation done so we can have nightly TBB builds and catch this kind
        of thing *before* actual releases come out.

        --
        Nick"

CONFIRMED! "EVIL bug" Linux Tor Browser Bundle (2.2.35-8)

        https://lists.torproject.org/pipermail/tor-talk/2012-March/023685.html

        On Mon, Mar 19, 2012 at 10:51 AM, wrote:
        > https://blog.torproject.org/blog/new-tor-browser-bundles-16
        >
        > On March 18th, 2012 Anonymous said:
        >
        > "There is an EVIL bug in at least the Linux start-tor-browser script. See
        > https://trac.torproject.org/projects/tor/ticket/5417
        >
        > A simple error with a simple fix.
        >
        > It will log things like domain names to a file in the root of the browser
        > bundle."
        >
        >
        > Wow, Anonymous! Wow, what an amazing, "bug".
        >
        > Linux users, check your Tor Browser Bundle install directory for the file:
        > "vidalia-debug-log" and examine it.
        >
        > Is a new version with a fix in the works?

        "It seems that a fix was merged yesterday: see
        https://trac.torproject.org/projects/tor/ticket/5417 and
        https://lists.torproject.org/pipermail/tor-commits/2012-March/041036.html
        .

        I bet there will be new TBBs out very soon.

        In the meantime, Linux users should delete vidalia-debug-log and
        symlink it to /dev/null. (Haven't tested that, but it should work:

            % ln -sf /dev/null /path/to/vidalia-debug-log
            % ls -l /path/to/vidalia-debug-log

            lrwxr-xr-x 1 username username 9 Mar 19 11:53 vidalia-debug-log
        -> /dev/null .)

        IMO, this is a really good reason for us to move to getting enough
        automation done so we can have nightly TBB builds and catch this kind
        of thing *before* actual releases come out.

        --
        Nick"

There is an EVIL bug in at least the Linux (2.2.35-8) Tor Browser Bundle start-tor-browser script. It will log things like domain names to a file in the root of the browser bundle.

https://trac.torproject.org/projects/tor/ticket/5417

Ticket #5417 (new defect)

RelativeLink.sh in Tor browser bundle has small typo causing debug mode to be always turned on

Reported by: cypherpunks
Priority: critical
Component: Tor bundles/installation

Description

TBB starts in debug mode disregardless of --debug switch used or not. This is caused by small bug on line 208 on RelativeLink.sh, where it says

if [ "${debug}" ];

where it should say

if [ "${debug}" == 1];

or

if [ ${debug} -eq 1 ];

Perhaps try adding that to your hosts file?

Tor should also help you bypass censorship.

They run a TOR exit enclave, and if you're already using TOR, you can reach their search engine without exiting the onion by using their hidden service

No they don't, and no you can't.

DDG's hidden service address is http://3g2upl4pq6kufc4m.onion/ Go there, enter a search, and check the address on your results page: https://duckduckgo.com/html

DDG's .onion address delivers nothing but the landing page. Check the source, that page is fairly bristling with URIs that pull content from, and deliver your form submit data to, the normal IP network. TOR will anonymize this traffic, duh, but the .onion landing page at DDG is nothing but a cheap gimmick.

Seriously, DuckDuckGo has the friendliest privacy policy around. They don't track you or bubble you. They run a TOR exit enclave, and if you're already using TOR, you can reach their search engine without exiting the onion by using their hidden service.

...and I'll say it again: Why do these centralized, single-point-of-failure websites even exist? I thought people learned from Napster back in the early 2000s that decentralized, peer-to-peer was a lot more resilient? And as p2p networks have been disrupted by the cartels and governments, people have further moved to encrypted p2p networks and the so-called "dark web."

What you're seeing here is someone losing a battle because they went up against a modern military... using a longbow. Or maybe even just a sharpened stick. It's 2012, censorship tools and techniques have evolved significantly, as have anti-censorship countermeasures. These guys were stuck in 2001.

Hopefully all the copies of the content that library.nu and ifile.it amassed haven't been seized, and they or someone else can upload all this stuff to a safer place. :)

TOR has some definite vulnerabilities when used for BitTorrents:

https://blog.torproject.org/blog/bittorrent-over-tor-isnt-good-idea

Personally, I'm old and cynical and believed these threats would come as the internet [well, the web mainly] became more dominated by commercial forces. So I think the answer for 'us' is encryption everywhere and structures and tools like Tor: https://www.torproject.org/ and Freenet: http://freenetproject.org/ I know that many people on here know about these, but links for those that don't.

It's no accident that the USA tried and tries to place export limits on encryption methods and tools.