Slashdot Mirror


Tor Users Urged To Update After Security Breach

An anonymous reader writes "If you use Tor, you're cautioned to update now due to a security breach. In a message on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha now: 'In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we'd recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.' Tor users should visit the download page and update ASAP."

7 of 161 comments

  1. Re:Tor weaknesses by snowgirl · Score: 4, Insightful

    The problem with Tor is that there's no way to detect compromises -- every node on the network could be compromised and you'd never know. Authors of botnets have greater anonymity than we do -- ironically because it's run by a central authority. An illegal and immoral one, yes, but one that comes with a measure of anonymity. Few botnet authors are actually caught even with the most primitive security methods. They don't even use encryption and they often can't be found...

    There's a lot to be said for hiding in a crowd though. While it is true that every node in the network could be compromised, and we'd never know, collecting all that data together to target you individually becomes more and more difficult the more people use the network... and we're not talking about big-O of n, we're talking at least big-O n squared or so.

    As with all forms of security, there's nothing you can do to guarantee security, you simply raise the burden of breaching that security until the opportunity to breach you is not worth the cost to breach you.

    --
    WARNING! This girl exceeds the MAXIMUM SAFE standards established by the FDA for BRATTINESS
  2. Re:Sooo...... by xous · Score: 4, Insightful

    Hi,

    How did you collect your statistics when Tor is decentralized? Sure you could analyze the outbound traffic on an exit node but I doubt that this would be enough of a sampling to extrapolate a meaningful conclusion. Since you offer no supporting evidence, your claim is irrelevant to the discussion.

    I also do not think that the number of child molesters could be large enough to represent a "vast majority" because I doubt the original content producers would distribute such high-risk material for free. It is much more likely that pedophiles are distributing the material to other pedophiles. I think that it is important to note the difference because while I find either appalling I'd rather have them fapping to "old child pornography" instead of creating a demand for new material and reducing the profit margins of the people that are actually doing these horrible things to children. The lesser of two evils is still evil but we don't live in an idealistic world.

    Unfortunately freedom has its costs.

  3. Re:Sooo...... by trytoguess · Score: 4, Insightful

    In short, people attracted to children will rape them? A bit like saying all men will rape women, no? But that's not a perfect analogy, you can have sex with a man or woman without too much difficulty, whereas a pedophile can only masturbate. How about, would all slovenly, unattractive misanthropes, who've zero chance of getting sex, resort to rape? I rather doubt it, and even though pedophilia disturbs me, I don't think the sexual drive of that group is somehow stronger than your average male or female.

  4. Re:US Intelligence almost certainly monitors TOR by wiredlogic · Score: 3, Insightful

    They probably do more than just monitor. They almost certainly run their own exit nodes so they can log everything flowing through what they pwn.

    --
    I am becoming gerund, destroyer of verbs.
  5. Re:Further Details From Roger by inviolet · Score: 4, Insightful

    As explained in the last mail, it appears the attackers didn't realize what they broke into. We had already been slowly migrating Tor services off of moria (it runs too many services for too many different projects), so we took this opportunity to speed up that plan. A friendly anonymous sponsor has provided a pile of new servers, and git and svn are now up in their new locations.

    Mmmm, yes, free.

    And you will never, in a million years, detect the compromised hardware in those machines.

    The only way for tor (or wikileaks or other dangerous-to-the-authorities service) to buy hardware, is anonymously. If someone wants to donate servers, have them sell the servers and give you the cash.

    --
    FATMOUSE + YOU = FATMOUSE
  6. Re:Tor is going to get people killed. by Anonymous Coward · Score: 3, Insightful

    I wish the holier than thous behind the Tor movement would stop with their outrageous and indefensible claims about the protections Tor allegedly provides.

    I tried to have this discussion with, among others, people who've made "names for themselves" traveling from conference to conference blustering about how Tor is making the Internet safe for unpopular opinions in places where an unpopular opinion can get you disappeared right quick (hello China)... shouted down every time because it's not a POPULAR point of view.

    I see that I'm not the only one in this discussion with concerns. Thank god things are changing.

    Whoever these people you have met traveling from conference to conference are, they are not the authors of tor:

    # tor --help
    Jan 21 22:48:35.191 [notice] Tor v0.2.1.22. This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64)
    Copyright (c) 2001-2004, Roger Dingledine
    Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
    Copyright (c) 2007-2009, The Tor Project, Inc.

    tor -f [args]
    See man page for options, or https://www.torproject.org/ for documentation.

  7. Re:Sooo...... by Opportunist · Score: 4, Insightful

    The price of freedom isn't vigilance in this time and age, it's having to deal with unpopular content.

    Is tor used by people who want to circumvent laws for whatever reason? Yes. Duh. Basically that's what it was created for. We deem it positive that tor allows dissidents to avoid their laws concerning the freedom of speech, but we don't deem it positive that it also allows the circumvention of our laws. That's very human, but also quite a bit of a double standard.

    I hope /. is a bit above the killer arguments of "think of the children" (honestly, if you think of the children all the time, you're prolly a pedo yourself) and we're able to look at it from a bit of a detached position. Because that's what we have to deal with here. Basically swapping child porn in the US is, at least from a purely content point of view, not different from swapping anti-government ideas in China: Both are illegal, and both require additional security to be done without prosecution. The question is now whether we're willing to accept the existence of the former to enable the latter. You will only get them together. Is the freedom of the Chinese people (and, given the recent development in the west, probably ours soon, too) worth it, knowing that this will also allow communication of pedophiles, terrorists, spies and maybe even worse? Or should we toss both? Those are basically the options we have.

    And before someone replies with "but tor doesn't allow Chinese to discuss freely, isn't secure, etc": This isn't just about tor. That question affects all tools that allow free speech. The question is, is free speech worth dealing with the effects of free speech that you do not want to exist?

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.