Slashdot Mirror
TOR Wants You To Stop Using Windows, Disable JavaScript
itwbennett writes "The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network. The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network. 'Really, switching away from Windows is probably a good security move for many reasons,' according to a security advisory posted Monday by The TOR Project."
As firefox disallows the disabling of javascript, perhaps TOR users should avoid firefox.
I'll no longer use Windows, even though I don't use it now. Then again, I don't use TOR either.
Quote: 'Really, switching away from Windows is probably a good security move for many reasons,'
I thought this was pretty common knowledge?
Use Whonix and you're set.
So the vulnerability is in firefox and java, but they propose to stop using Windows?
FTA: 'The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle.'
Geeez, this is all about running old TOR on old Windows... who knew something could possibly go wrong with that?
I deny that I have not avoided attaining the opposite of that which I do not want.
Looks like the NSA is up to their old dirty tricks: http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/ ... And yes, I second the motion to stop using Windows -- its full of zero day bugs like this. Not a day goes by where you don't hear about a new zero day attack focused on Windows, and its been that way for decades.
Let me go put Linux on my grandmother's computer and then field questions for her about why everything's different and why none of her programs are there...
The simplest thing to do is to migrate to TAILS. It's a great little OS for all your Tor browsing. And it's non-persistent. So even if some JS vulnerability effects you, you can start fresh by just rebooting. (But why do you have JS on in the first place?!)
Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don, they won't necessarily know how.
Secondly, it's poor advice. The vulnerability affects Firefox 17....and Firefox is up to 22 now I think. Wouldn't it make more sense for them to make sure the tor browser is hardened and recommend people to use that?
Finally, Using a more recent windows version is actually good for security. ASLR, DEP, a rudimentary MAC implementation, UAC...despite what people say, Windows is actually one of the better operating systems security wise these days. Not just because of the preventive technology that most other OS's don't have (OS X has a lacking and broken implementation, most linux distros are not as complete in their implementations..), but because Microsoft started taking security seriously and vulnerabilities are rare these days.
Whatever, bring on the irrational arguments and Microsoft hate. Is it really too much for a forum of tech nerds to be objective in their analysis?
If you ignore ACs because they are anonymous - you're an idiot.
As someone who's preferred platforms are Mac and Linux anyway, all I can say is.... what? Riiiiiiiiiiight....
Yeah, the whole world is going to just up and stop using Windows. I'd love to know what goes through the minds of people who make such mindbogglingly stupid recommendations.
Air pollution is bad for you! So, just stop breathing!
... would be for web browsers to have some javascript configuration settings, allowing them to specify, for instance, what values these particular queries (hostname and mac address) should actually return, if not the defaults, much like how some browsers allow you to configure what it reports as a user-agent header in an http request.
File under 'M' for 'Manic ranting'
Recommend switching away from windows, a few will do so and a lot more will just not bother - and so the pool of people using Tor (and other encryption privacy "enhancing" services) shrinks just a little bit more. If the whistleblower Snowden revelations have taught us nothing else, it is that if you are one of the few that use encryption/VPN/privacy enhancing solutions then you attract extra unwanted attention to yourself. For everyone to enjoy privacy, security professionals need to be coding solutions and encouraging more people, including Windows users, to adopt always on default encryption - not the opposite. Are they really that clueless?
Of course it's more secure! The only way in left is the door!
Of course it's more secure! I also hear that DEATH is a great way to lose weight. Die, and the pounds just melt away!
Can we please have a serious suggestion other than changing your OS? This is like saying "That them thar wood house is no good. Better replace it all with brick."
If you've been reading here regularly you know that TOR is compromised now anyway, as is pretty much all internet usage. I don't even personally believe that any form of encryption available to the general public is even safe from prying eyes anymore.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
Another problem is Tor's has tiny enough usage that it's easy for a handful of governments to run a critical mass of exit nodes and relays to do traffic analysis. Instead of discouraging things like bittorrent - I think the Tor project should encourage it, along with encouraging people to contribute back enough bandwidth to make up for their downloads (i.e. contribute about 3X the bandwidth they download). That way Tor could grow to the scale where it'd be much harder to monitor or take down.
Ok!
Have gnu, will travel.
How long will it be before the FBI goes publicly on the attack?
Freedom Hosting was, from what I've been reading over the last couple of days, not only taken over by the FBI and used to inject this code but it also probably hosted half of all child porn *.onion sites extant.
Demonizing the pervs seems like a good way to distract people from the fact that a state entity is now actively running malware that attacks everybody. I'm surprised it hasn't started already.
javascript has got to go!
Some of them are exactly that clueless. They tend to let perfect become the enemy of pretty good.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
...stop using a system developed and partly sanctioned by the US military if you want actually want to preserve your privacy. Actually, lack of privacy is a social problem, alland technical solutions are based simply on not your doing anything important enough for someone to engage in an arms race with you (which you will lose).
If you want privacy, you need to have exclusive control of a great deal of the network and intermediate nodes, plus the exact content of the traffic. And then you need to make sure that merely the raw content isn't a giveaway. Otherwise stochastic methods will attack all of the above and identify who you are, before an exploit's even been planted on your home machine.
Or foster a society that refuses to allocate the resources to fuck you over. Remember, anyone can be taught skills - but values are much harder to instil.
If encryption is a "please investigate me" red flag, then we need to find ways to hide the encryption (i.e. steganography).
Why not just tell people to stop using the internet completely? Unplug their computers from the internet, then they'd be completely safe. And they might as well, too, if they disable javascript, given that basically everything uses it these days...
They even didn't implement Low Integrity Level like IE and Chrome.
But why do you have JS on in the first place?
Because 51 percent of web applications that someone uses require JavaScript.
Agree - SSL/https is the shining example of how completely the security professionals have failed the Internet users. That and the sorry state of always unencrypted email all the time, by default. Perhaps most "security professionals" are really trying to keep the status quo - no encryption by default. No prizes for guessing who is the biggest employer and sponsor of security researchers...
Well, you could hardly argue with either suggestion, even before TOR was known to be compromised.
Please do not read this sig. Thank you.
Not if the majority or dare I say everyone raises the red flag, we dont.
This is like saying "That them thar wood house is no good. Better replace it all with brick."
That sounds exactly like something one pig might warn another about, especially living on the edge of wolf country.
1. Go to about: config. 2. Search for javascript.enabled. 3. Toggle off. 4. No javascript. Alternatively, install no script. 5. Stop spreading nonsense.
Step one: Virtual machine software - Virtualbox
Step two: Encrypted volume - Truecrypt. Store the virtual machine disk file inside your encrypted volume.
Step three: Install your favorite linux distro in your VM. Use an encrypted volume, and an encrypted home directory.
Step four: Use the Tor browser package that has a pre-setup version of Tor and a customized version of firefox designed to guard against data leakage. It's a simple download and it's self contained. No external configuration needed. Make sure you grab the latest version frequently.
Of course this isnt going to protect you if your windows host is compromised while the VM is running (But if the VM is offline good luck getting through 3 different pass-phrases), but it should reasonably prevent identifiable data from leaking between your tor VM and host system.
Is Slashdot run by complete morons? These "editors" seem to have gone full retard as of late.
I use tor and firefox. But I don't use firefox that is bundled with Tor (v1.7ESR), but my own (v22). I run private mode, and I use the convenient FoxyProxy extension to redirect my network connection to either tor or for a direct connection. FoxyProxy allows me to specify what sites I would need to redirect to Tor and what not. Fairly simple, really.
Well I think part of the problem is that security experts are experts, and they don't understand that if they really want to encourage better security, they need to make it easy for non-experts. It's funny, because you'd think security experts would know this. One of the key things about security is that a great security measure that nobody uses and everyone circumvents is actually a terrible security measure.
Encryption implementations need to be so well designed and foolproof that they're enabled by default. Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications. We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA. We don't enable encryption on email because it requires plugins and complicated setups. We don't use TOR because it's not quite brain-dead simple.
The experts will respond, "But it *is* brain-dead simple. Just download this plugin, drop into the command line and type [insert command here], compile this binary, change this configuration file in /etc. Oh wait, you're on Windows? Sorry, then you need to download these other files. Get GPG v1 because v2 is completely different and doesn't work with the plugins. Then when you get this error, hit 'ignore'..." And all that makes sense to the experts because they're experts, and they understand what's going on. People won't start using encryption en masse until it's so brain-dead simple that they don't even know they're using it.
From what I heard, the flaw affects Firefox 17 and the latest browser bundle is 22 and javascript has to be on, which is technically isn't because of noscript being on by default. Also, since it's Firefox and javscript and cookies, it's actually platform independent so switching off of Windows will do absolutely nothing to prevent this type of attack. Great article!
It's going to be a crushing blow to people when we find out Linus Torvalds was a government plant from the beginning
Yes, I know that you can get a web browser that is specifically set up to route everything through TOR. What I want is a simple setting in browsers to use TOR for all private browsing sessions.
To clarify what AC posted, the words "Java" and "Javascript" are like "car" and "caramel", or "ear" and "early" - they are completely unrelated. They just have some letters in common.
Netscape had an interpreted scripting language called LiveScript. It wasn't used a whole lot.
Later, Sun released a virtual machine and a compiled language to program it in called Java. Java got a lot of press.
Seeing all the press that Java was getting, Netscape renamed Livescript "Javascript", to ride the coat-tails of the
completely different system, called Java.
They were developed completely separately, by different companies, for different purposes, and based on different principles.
It's exactly as if the BETAMAX were renamed DroidVideo.
The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox
Stop using Firefox (this particular version, on Windows) surely?
Sounds like someone at TOR was hankering for an excuse to rail against Windows.
systemd is Roko's Basilisk.
Are you kidding me? Why in hell would you even say something like this....
Linus wouldn't fill out the 17 forms required to get a check from the feds, much less submit the monthly progress reports or sign the forms, in triplicate, each month to receive the paper check to be deposited. Goddamn 7 digits, no understanding of the system at all...
Much less participate in a system he would find grossly inefficient and horribly flawed. The man respects greatness, not whatever this is.
You are an idiot. If this was a joke its not funny, even once.
andy
Mingling security concerns with zealotry doesn't serve anyone. TOR team has discredited themselves with an immature response to a routine security issue, based not on an actual technological issue but on fanboyism. TOR favors Linux and the Mac OS over Windows, and uses this security issue as an opportunity to attack Windows rather than stick to the facts and keep their users safe. This is an issue to which both Firefox and Windows are to blame, yet they don't tell us to stop using Firefox, even while acknowledging that it is technically possible for a future exploit to affect Firefox running on platforms other than Windows.
If the proper response to a security issue involving TOR is to stop using my operating system, that might just as well justify a user to stop using TOR.
Gamingmuseum.com: Give your 3D accelerator a rest.
...and you have something on EVERYONE, in advance.
Then regularly select people at random, to keep the rest of the population in fear.
And specifically target any inconveniences.
They're being rather disingenuous too: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
Since the vulnerability isn't limited to Windows machines, it's just that they believe that only Windows machines were targeted.
WHO IS AFFECTED:
In principle, all users of all Tor Browser Bundles earlier than
the above versions are vulnerable. But in practice, it appears that
only Windows users with vulnerable Firefox versions were actually
exploitable by this attack.
(If you're not sure what version you have, click on "Help -> About
Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: [7])
To be clear, while the Firefox vulnerability is cross-platform, the
attack code is Windows-specific. It appears that TBB users on Linux
and OS X, as well as users of LiveCD systems like Tails, were not
exploited by this attack.
IMPACT:
The vulnerability allows arbitrary code execution, so an attacker
could in principle take over the victim's computer. However, the
observed version of the attack appears to collect the hostname and MAC
address of the victim computer, send that to a remote webserver over
a non-Tor connection, and then crash or exit [8]. The attack appears
to have been injected into (or by) various Tor hidden services [9],
and it's reasonable to conclude that the attacker now has a list of
vulnerable Tor users who visited those hidden services.
We don't currently believe that the attack modifies anything on the
victim computer.
So what makes them so sure that only Windows machines were targeted? Sure only paranoid people would think that way, but lot of people using Tor are paranoid, and many using Tor SHOULD be that paranoid.
You are right - how do we change the situation? I think "Off The Record" (OTR) is a step in the right direction and possible example to learn from. It just works out of the box for a lot of chat clients zero configuration needed providing 100% encrypted chat sessions by default for all users that use those chat clients that ship with it enabled by default. A security "professional" will be quick to sprout that it is open to MITM blah blah blah but fail to recognize that 100% adoption always on encryption is achieved - the hard part. From there it is a small extra step for those that could be bothered to check fingerprints out of band, or even add extra services that help the clueless/not interested do that part automatically. It is like security professionals cant get past the "it is not flawless" stage... and so we are all stuck with nothing or something very good, that nobody else uses or can interact with (PGP as one of many examples).
All my email employment applications are encoded in pictures of cats.
See how deep the conspiracy goes? It created a perfect public persona that NO one would suspect... one so pro-merit and anti-bureaucracy that collabaration with the Powers would be absolutely anathema. The perfect mole.
Plus a loud chorus of sock puppets extolling his anti-bullshit rep and hacker cred, and attacking anything and anyone that risks exposing the TRUTH.
Amazing.
Whoosh. Also, fnord.
I'd mod you up if I had the points. Computer geeks are terrible at making things work for non-geeks. And if you say anything about this, you often get attacked. Just mention how a lot of linux programs are hard to use and see them freak out.
Mainly, it's the title and summary that's getting it wrong. The only thing they said was that switching off of Windows is a good idea for the security minded, which it is. They awknowledged that the zero-day affected firefox across the board and that the exploit only targetted Windows, but they never used that as the reasoning to switch OS's.
Not using the Internet is a HUGE red flag to the NSA. They'll be all up in your shit if you do that. You know who doesn't use the Internet? Terrorists. Which kind of makes you wonder why they feel they have to monitor the WHOLE FUCKING THING.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Doesn't really help. Steganography tools will be considered suspicious and there will be versions with backdoors out there. I don't think this can be fought with technology - the large government organizations will have the resources to get the data they want, either by hacks, or by rubber-hose decryption. A tiny percentage of really expert users may be able to find ways to communicate securely, but the vast majority of people will not have the skill to do so. Since the "experts" need to communicate with non-experts this really doesn't solve much of the problem anyway.
If we want the government to stop snooping we need to change the LAWS. If there aren't enough votes to change the law, then we just need to suck it up, same as for any other decision by the majority.
Mozilla were not listed as NSA PRISM aiding and abetting companies. Microsoft was listed as an active participant, helping NSA bypass the search warrant requirements on their outlook products and providing technical assistance on Skype.
One company picked sides, and its not the side with the Constitution on it.
So yes, he's probably right.
NSA broke TOR on the excuse of kiddy diddlers but they broke TOR mainly to prevent leakers from the NSA from using it to leak. Why else would they use their own IP address clearly and publicly in the breach??
It's to scare any potential NSA employees from leaking how far NSA has gone over the line.
Yeah! I mean, they can't be watching ALL of us, right?
I didn't compile every single last executable, library, system bit, etc. myself,
This is why everyone should use Gentoo!
If we want the government to stop snooping we need to change the LAWS. If there aren't enough votes to change the law, then we just need to suck it up, same as for any other decision by the majority.
What good are laws if government ignores them?
More Twoson than Cupertino
Like every Microsoft user who uses Remote Desktop? Or Xbox Live?
Railing against Windows seems counter-productive, since Microsoft *does* encrypt silently by default for products where it makes sense. It's the open source tools that generally don't.
Comment of the year
Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications.
I don't do that because I have no need for it. It's a pain to type in a password every time the computer boots, and no real reason to do it.
"First they came for the slanderers and i said nothing."
As Adi Shamir (the S in RSA) has been trying to point out, cryptography is a method for transferring data between two trusted hosts. So the F-16 zooming above Washington can get some radar data from the airbase in Virginia and no one listening in can decrypt it. At the point where some luser picks up a USB drive off the parking lot floor and plugs it into a computer inside the airbase, all the encryption in the world matters not one whit.
It's a massive change to the model we use to conceptualize the threat -- instead of Alice and Bob trying to communicate with each other and keep Charles from decrypting, we have Alice and Bob trying (a) to protect their machines from Charles compromising it and (b) trying to limit the data done if he does compromise it. This isn't your father's security any more.
What is also means is that we are going to need a lot fewer secrets that are really worth keeping or else spend much more time partitioning our virtual worlds. As BEAST/CRIME show, if you treat your Facebook login cookie as a secret, then you need to access it from a partitioned browser where a malicious page cannot make requests using it.
Look at the source, you can find out for yourself.
"First they came for the slanderers and i said nothing."
We don't use TOR because it's not quite brain-dead simple.
Another reason why people don't use TOR is it harms performance. Getting relayed through a bunch of countries/servers that are not on your route increases network congestion and latency. If the majority of users adopted TOR, these users would experience higher latency and network operators would have to provision for higher bandwidth utilization. Also, wide adoption of TOR would break a lot of things like region lock codes. I think most users would prioritize having fast internet access and less subscription/DRM hiccups over always-on encryption with the primary advantage of the much-simpler HTTPS being a degree of anonymization. It seems that TOR will always be an easy signal for governments or others to say, "Hey, who is this user and why are their priorities different than the average Internet user?"
Looks like they've got you fooled. For a century, the feds have cultivated the appearance of being a highly inefficient organization that nobody wants to have anything to do with. The reality is that there are no forms or time-wasting meetings, all the people who work there are actually highly motivated and competent, they do things with 5% of budget and then just throw away the other 395% to maintain deception, and they have to hire entire buildings of decoy employees to keep anyone from figuring out how small their core team really is. That Torvalds turned his back on that, just proves that he was too dumb to see through the smokescreen and is therefore too dumb to work for them.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Convince a billion Windows users to stop using Windows or convince 535 elected representatves of The People to end the violations of our rights by government agencies.
Block 65.222.202.54:80 (port 80) along with javascript in the TOR firefox browser (& it's other 7 .exe files to be safest) BOTH inbound & outbound using custom firewall rules. Should do the job on Windows or any OS with a firewall (per http://tsyrklevich.net/tbb_payload.txt from /. article http://yro.slashdot.org/story/13/08/04/2054208/half-of-tor-sites-compromised-including-tormail & its source http://www.ehackingnews.com/2013/08/almost-half-of-tor-sites-compromised-by.html )
In the US they are not quite "ignored". They are twisted and redefined. Still remember that the #1 goal of most politicians is to get re-elected, so they do in some ways respond to what voters want. I mostly blame a cowardly public that is willing to give up its rights and freedoms for a bit of extra safety.
Which is probably a good thing given the horrible consequences people can suffer in places like China--land of the not-quite-as-high-prison-count-because-of-summary-executions.
All the encryption in the world is useless if every message you send includes the decryption. All the anonymizing web browsing software in the world is (potentially) useless if the web browser hands over your IP, MAC, and/or geolocation. The simple fact is that while this exploit specifically targetted Windows and other OS users could have been made just as vulnerable, Windows itself is inherently unverifable--except by the very governments which Tor tries to protect against and some universities which are too limited in scope to deal with all potential threats (consider Wikipedia vs the various attempts to make an Expert-only wiki encyclopedia) and cannot ever be considered safe. And given the potential consequences of using Tor, it's wholly reasonable to recommend to not use Windows. Taken further, I'd say Tor on an openbsd vm image would likely be best as recommendations.
Yet, clearly they're still offering Tor for Windows and still using a bundle with Firefox even though Firefox is/was the main culpurate this time. Because the honest truth is that Tor developers aren't Firefox or Linux or Windows or whatever developers and are beholden to them to fix problems preemptive to actual attacks. But at least with Firefox or Linux (or OpenBSD), if they become aware of an attack vector they could potentially fix it even if such is not their forte.
Life and death decisions. A non-revocable action that leaves you discovered. A very binary point that lies outside the control of security experts. What would you recommend? What would you provide? Do you recognize the difference?
Eurohacker European paranoia, gun rights, and h
It's pretty much come down to use Linux in a VM and use TOR there, and then don't access services using your identity. I don't have anything that I particularly want to keep from the government, I'd just prefer to keep them out of my business. However, the hassle of doing this for casual internet usage is greater than the security you actually gain.
It was a firefox exploit that happened to only work on Windows but it's equally likely any future flaws will not be platform dependent.
Sorry, but that is bullshit.
In order to get a working vulnerability you have to find an exploit in Firefox, and an exploit on a platform. Let's call that work F + P1.
In order for there to be a vulnerability on even one other platform, you have to find a whole OTHER vulnerability. Let's call that work P2.
It's never, ever the case that F + P1 = F + P1 + P2 so there's no way in hell it's "equally likely" there will be vulnerabilities on more than one platform, each platform added adds a lot of work.
Furthermore both Mac, along with Unix platforms of all flavors are inherently more secure than Windows since you have a real user account to break out of - most Mac/Unix users are not running as the equivalent of root as most Windows users are.
The simple fact remains that Windows is the least secure platform, and you cannot just hand-wave that away. If you have any interest in real security for your own system you do not run Windows.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What good are laws if government ignores them?
If the government ignores the laws, then we change the government!
Wait... I'm on a list now, aren't I?
I think most users would gladly have no region locks and no DRM.
Because Linux software is perfect. No vulnerabilities there.
Relax Francis.
Whoever had two people taking that query seriously, you are currently ahead in the pool.
So if 'rights and freedoms' are illusions to begin with, are they giving anything up?
There was nothing Snowden told the world that was not pretty obvious to begin with. This concept that you ever had privacy in the first place is the actual BS.
And here is another clue; the protection offered by encryption you know of (unless you have security clearances) provides about exactly the same protection as the paper envelope you used to send your snail mail in, breakable by anyone with a pair of scissors. But, I bet you think encryption is secure, right?
The public is not "willing to give up its rights", it is smart enough to know it didn't have them to begin with.
slashdot troll = you make a compelling argument I do not like the implications of.
If you want reasonable protections, you need to run Tor and browsers on a completely separate machine, a machine where you carefully control the information you input into it (e.g., you may never want to input your real name) and that is never used without Tor.
Ideally, you use separate hardware on a separate network. But since that's a lot of effort, you may go for the next best thing, namely a separate virtual machine on your regular desktop.
Wait... I'm on a list now, aren't I?
Oh, you already were.
Socialism: a lie told by totalitarians and believed by fools.
Oh, I see. You probably believe Finland is a real place, too. You have no idea how deep the rabbit hole goes.
Forget about Linux - the NSA version of Linux makes that relation hardly a secret. The real trick is Git! It's the ultimate Thompson hack. Every time you build a security-related product from code pulled from Git, the NSA smiles.
Socialism: a lie told by totalitarians and believed by fools.
I don't get your point about HTTPS and SSL. In what way have they failed Internet users? If you're referring to BEAST/CRIME exploits, they can be mitigated by disabling compression.
Can't tell if you're trolling or sarcastic or just really really stupid....
I think you need to re-read my post if you think I was "railing against Microsoft".
In sorry, but the RC4 encryption in RDP barely counts.
Well, I hope you don't keep any sensitive/private information on your computer, then. Having it password protected at boot would keep out many casual attempts to get access to your data, but without encryption, it won't keep out anyone who knows what they're doing. Not having a password at all is fine, as long as you don't mind people accessing your data.
Problem is between the chair and keyboard.
VERY SIMPLE. You either boot clean to with a boot cd that includes TOR, or you run that same boot cd in a VM and use that. That's the only way to guarantee you're not leaving any identifying marks and your session is clean between each use.
I have a lock on my door to keep out casual attempts to get access to my data.
"First they came for the slanderers and i said nothing."
You weren't, but the article we're all (presumably) discussing does.
Comment of the year
the protection offered by encryption you know of (unless you have security clearances) provides about exactly the same protection as the paper envelope
This is pretty untrue. State agencies have no real control over the injection of cryptographical algorithms into the literature, or even if they do now, they have well missed the bus, since the technologies out there in the literature are very sufficient and these days there are so many copies of the literature floating around that it cannot be effectively censored or corrupted. Math is a lot like physics -- when you actually go back and look at when certain things were discovered, you are often astounded at how long ago that was.
What is true is that using cryptography correctly is hard. It takes a lot of knowlege of the technology to get it right. It's harder than most people have patience for and probably harder than a good chunk of people can even mentally handle. That leaves most consumer use of cryptography delegated to trust in software, protocols, and institutions just based on how trustworthy those agents "feel" to the user, divided by how desperately the user wants to get something done -- now.
Those agents are what state agencies can, and sometimes do, influence, and even in the absence of interference by the state, the intrinsic trustworthiness of those agents varies due to a wide variability in the effectiveness of their quality control. The latter is actually the more common problem. Why resort to interfering with the development of crypto software and applications thereof when much of it is developed incompetently in the first place? Just sit back and exploit the pre-existing holes.
Someone had to do it.
The public is not "willing to give up its rights", it is smart enough to know it didn't have them to begin with.
Minor quibble: The public is too stupid to know that they aren't GIVEN rights, but that if they want them, they have to TAKE them. The Government isn't interested in letting you be free...you have to do that for yourself.
So it was caused by a javascript exploit in various versions of Firefox for Windows (since repaired)... so by association Windows is to blame?
That's a bit of a stretch, isn't it?
By that rationale, you could blame TOR for the security issue because they bundled that version of Firefox to begin with. Of course we won't do that though, because that's ridiculous. And so is blaming Windows for the bugs in a 3rd party application.
It's funny, because you'd think security experts would know this.
Actually, they do know it. Often, making security, and encryption in particular, usable is a hard problem. There's also often not interest or support for it, in which case it doesn't get done. Hard problems take time and money to solve.
Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications.
That's pretty rare. A lot of people do use full-drive encryption: like people with iOS devices, newer versions of Mac OS X, and many versions of Ubuntu. It's because on those systems, it's been engineered to work well and it's very easy to turn on.
We don't enable encryption on email because it requires plugins and complicated setups.
This is more difficult because that's not the hard part of e-mail encryption. In fact, there are some fairly simple e-mail encryption systems and clients that have it built in. The hard part is that effective e-mail encryption basically boils down to running a public-key infrastructure. Almost any security problem that ends with "...then you just need to distribute public keys" has a hard time being widely adopted and scalable.
We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA.
Nonsense. Buying a cert from a CA is simpler than setting up a web server, by a long shot. If you're not running your own web server (very reasonable these days), most half-decent hosting companies will do all the work of getting a cert and configuring your server for you. All it takes is money -- and it's so inexpensive that the only people that can't afford it are private individuals hosting websites that don't make money.
We don't use TOR because it's not quite brain-dead simple.
It's basically braindead simple now if you use the Tor Browser Bundle, which is what this exploit is targeting.
One of the major reasons the exploit works is that Security Is Hard, both for experts and non-experts.
There was a company once who boasted that their operating system was safe and secure, simply because there weren't many exploits for it available on the market. Once that company gained some attention and improved their market share, magic happened - hackers and crackers and all sorts of bad guys started flocking to this now not-so-obscure platform to exploit the shit out of it, and the company was forced to abandon its security assurances and hire some people to actually improve the safety of said platform.
And yes - I'm talking about Apple.
So lets all start using Linux-based systems so that hackers can finally find an excuse to write exploits for it. Brilliant idea! And when all the hackers and crackers abandon Windows for Linux, lets start calling for people to go back to Windows as a safer alternative. And so on, and on, and on...
Don't all the non-Microsoft email transfer agents (you know, sendmail, postfix, qmail, etc.) default to StartTLS over ESMTP at this point? I mean, RFC3207 is over a decade old now! Certainly the major distros I've used are shipping their MTAs that way, and auto-generate self-signed certs (which are perfectly useable for email) at install time.
And if you hate standards compliance enough to run a performance pig like Microsoft Exchange, you should be putting an Ironport or something of that sort between your mail hub and the Internet anyway, and those appliances default to StartTLS too.
So while yes, there is lots of stupidly unencrypted email flying around, and most MTAs will by default fall back to plain SMTP if the other node doesn't support StartTLS, you're overstating the problem when you say "always unencrypted email all the time, by default". The default is encrypted email in any minimally competently run infrastructure. The problem is that nearly all mailservers will cheerfully fall back to unencrypted email every time they encounter a badly configured system, without the end users being aware of this at all.
Also, a pony. But what was your point, again?
Take a look at all the certificate authorities your browser trusts sometime. Any one of those can issue a certificate for ANY website, not just those in the area where that authority. If any ONE of those authorities issues a certificate for, say, the NSA, then they can MITM your communication with any website if they're in a position to do so (and the NSA most definitely is), regardless of that website's original certificate. By default, the browser doesn't give a shit if the certificate changes. All of this makes SSL useless against a determined attacker.
Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
Well, the problem is that most security professionals are not really independent. Many of them rely on government contracts, some of them even work for weapons manufacturers and arms dealers. Even the supposedly fully independent ones usually work at the university, i.e. they are government employees. Yet others work for large corporations who traditionally bend over for any government authority.
Just take a look at various cell phone and Wifi encryption standards to see the results...
Please mod parent up. They are watching everyone and their cell phone and their crappy home router.
You missed the most obvious option. Microsoft didn't 'give' that signature away to the state. They sold it at a very hefty price, boosting their bottom line without putting as much as a ding in our defense budget. That corporations would sell our sensitive secrets to a government that promises to protect them from any legal fallout is a given. Facebook, Google, Microsoft, Apple, everyone, they're going to sell out that data and trust without thinking twice.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
Yes and no.
TrueCrypt is extremely simple to use and it holds your hand tightly through the entire process. It is really one of the best examples of good open software, where it makes an otherwise complex task very simple. There are no usability gaps typically seen in open source software and it's very well documented.
SSL works fine without a CA cert, but browsers have actually gotten a lot worse at making it a clear process to accept self-signed cert. They used to just allow it through and give you a different padlock icon or something, now it's this big warning that prompts a bunch of reading and clicks to bypass. In other words, it used to be passive notification, now it's an active one.
Email encryption is a problem of coordination and logistics. It's not possible to make a one-click "Encrypt this Email" button because there's the offline factor of key exchange. I haven't even met a lot of people I email, how is this supposed to work?
TOR isn't simple? Download the standalone TOR bundle, open when done. Anyone for whom that is difficult is someone who barely uses computers at all.
So, it's a matter of both. Some have dealt well with the ease-of-use barrier, some haven't. But the problem nearly all of them still face is a lack of public awareness and an excess of apathy towards personal privacy.
Your incarceration numbers are orders of magnitude off, and as the GP post states: Your missing the point. Your one of a handful that use Tor then you stick out like a sore thumb no matter what country your in. FYI: https://en.wikipedia.org/wiki/United_States_incarceration_rate
Distribute Tor INSIDE of a prepackaged VM.
Then you don't care what OS the client system is running.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Tor should just use the vulnerability to scan for Windows users and exclude them necessarily.
After all I'm sure if you ask some people they will say that Windows users were probably how Tor got compromised in the first place.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
what kind of moron suggest to move away from windows, only snobs would say that. Linux isn't as secure as some people seem to think.. And the problem wasn't Windows, it was firefox.. and in the end the problem is the user him/herself...
Certainly nobody who's serious about security should use ANY closed-source OS; and Windows, having spent its entire lifetime proving repeatedly that it's incredibly brittle and incapable of withstanding even rudimentary attacks without numerous add-ons, should be the first to go.
But, that said: nothing that's happened this week has altered the situation. That is, this was all true last month and last year and last decade. NOBODY should have been using Windows then; nobody should be using it now.
Of course that's not how it's played out. Too many peoople are too unwilling to learn, to change, to grow, to use something different. They're not even willing to make trivial changes like (say) IE to Firefox. They want they want, and even if using their Windows system set them on fire once a month, they'd still want it.
There's no hope for those people. We need to stop trying. They're a lost cause. They will inevitably be hacked and phished, spammed and compromised. There's nothing we can do about it except stay clear of the damage. Our efforts need to be focused on the superior people with open minds, the people who can actually (gasp!) LEARN and THINK, the people who will adapt to change -- and not just today's changes, which might be "switch to Linux" but tomorrow's changes, which will be...well, we don't know what they'll be yet since it hasn't arrived.
The sad part of all this is that the movie's not new. It's the same-old same-old. It always ends the same way, yet the stubborn keep doggedly replaying it hoping for some other outcome.
It's not a "please investigate me" red flag. Encryption doesn't hide who talks to whom and that's the bigger red flag for further investigation.
"Lack of speed can be overcome. In the worst case by patience." --Znork
Don't all the non-Microsoft email transfer agents (you know, sendmail, postfix, qmail, etc.) default to StartTLS over ESMTP at this point? I mean, RFC3207 is over a decade old now! Certainly the major distros I've used are shipping their MTAs that way, and auto-generate self-signed certs (which are perfectly useable for email) at install time.
That doesn't prevent [insert adversary here] from MITM'ing StartTLS/ESMTP connections, since the MTA will happily connect to anything with a self-signed cert (and certificate authorities are not necessarily trustworthy either). Sure, Sendmail will log whether certificates are valid or not, but SSL/TLS are of limited usefulness against a determined attacker, in email as much as on the web.
Oh, no! You have walked into the slavering fangs of a lurking grue!
Maybe try reading into the details a little before rushing to correlate two unrelated events. The actors used md5 collisions in a pretty ingenious way to make their own cert, then collide it with the existing MS one.
Why resort to interfering with the development of crypto software and applications thereof when much of it is developed incompetently in the first place? Just sit back and exploit the pre-existing holes.
Indeed. Just look at how laughably inscure WEP turned out to be. WPA1 is almost as bad, and what good is WPA2 if your cell phone just sent your passphrases to Google to store in the cloud for "backup" purposes?
Granted, Wi-Fi is normally short-range, but why make it easy for someone else to break into your LAN?
Oh, no! You have walked into the slavering fangs of a lurking grue!
But the "startling" vulnerability was already discovered and patched.
Lets take a step back from the OMG NSA PRIZZIM ledge.
FBI busts CP operator and takes over hosting org. Presumably they now have access to http access logs of CP clients.
FBI plants an iframe targeted to exploit a very specific version of firefox making you phone home your real ip and mac address to NSA server.
This just seems like smart investigation to me. You see in the logs that some big hitters to the site use the vulnerable UA, so grab an expoit that gets em to cough up their ip address to send em off to prison.
Posting anonymous because..
The CIA has HUGE money invested in monitoring TOR. TOR is not safe, and is not anonymous. If you use TOR you can be found. There is CIA/NSA technology that allows this.
They covertly promote TOR as a way of anonymity, when in fact they want higher tech people to use it because they can monitor them even easier.
If encryption is a "please investigate me" red flag, then we need to find ways to hide the encryption (i.e. steganography).
Wrong, wrong, WRONG!
Wrong.
If encryption is a "please investigate me" red flag, you need to bitch slap the investigators.
We have seen code execution move from the OS layer into the application, since if the application has access to the user content, that's all that really matters. Heck, Adobe Reader can now render 3D graphics, as can Firefox for that matter. The more functionality and ability (which is cross platform since it's in the application container), the more that can be exploited. The rumours say that agencies have collections of such exploits, and it would be naive to assume that some are not cross platform.
All OS's and applications are vulnerable to attack, and need regular patching and updates. Don't expose them to the internet as much as you can, and don't run untrusted code. The basics have not changed in many decades. If you're using Tor, then I agree you'd want to use a stripped down, minimum OS with as little surface as possible. Heck, if you're doing it right, and really need Tor for some of the original reasons it was built, then you'd be going for BBS style, sftp and basic text to just get files around. Things that you can inspect properly, and don't trust to execute online. You don't need all the whizz bang features to get messages about, but for convenience it seems more and more features have been pushed into the set. Pull the content from trusted locations, push it to storage, isolate it away from your "browsing" machine, then execute (if it's say a video or PDF). There's a reason top secret stuff is as much about information compartmentalizing, handling and discipline as it is the technology that makes it easier.
The results of pwn2own speak for themselves - all platforms are equally a target out there. The results of hacking contests show OS and application get broken into just as easily by someone dedicated. And agencies pay for even more dedicated folk who never enter such contents...
By becoming the largest child porn network on the planet which is why I closed my node two years ago.
http://dee.su/liberte
Disable Java!
Ugh, if he was a plant then part of his job would be to create impressions such as those, so you having those impressions and believing they mean anything shows that you probably shouldn't be calling other people "idiots".
The only relevant point is that his source code is open, so you don't HAVE to trust him. That's the whole point!!!
The revolution will not be televised... but it will have a page on Wikipedia
It's unwise to steer more people towards Linux because once it gains the majority share of the desktop market, then hackers will find ways to exploit it.
If you think that's impossible, look at Android. 70% of exploits in mobile phones are Android-based, and Android is a Linux derivative. Linux is not bullet proof. Any architecture can be exploited. The reason why there are so few Linux exploits now is because it's not worth the effort to write viruses for such a small slice of the desktop market. Obscurity is a great first line of defense, so don't ruin it for yourselves.
So what makes them so sure that only Windows machines were targeted?
Um... as it says, the exploit code is Windows specific... IOW, the code which collects the hostname and MAC address will be using Windows API calls.
They probably would have spotted if the exploit bundled WINE!
The revolution will not be televised... but it will have a page on Wikipedia
About time - nobody should use JS or Windows!
We all know this - well, except PHBs and other people's grandmas (my Grandma, Mom, and inlaws have been using Linux for 5 yrs) after 1 got hacked.
It is just to inconvenient for 99% of the world. Heck, even Mac and Linux users almost always have Windows "somewhere."
I use Windows for video editing, TV recording, Quicken and pretty much nothing else. I had Quicken working great under WINE for a few years, but Q2012 was too hard to get working. I gave up.
I approve of approval voting. Check all three boxes, if you want to.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
If you're going to go so far as disabling js, just use lynx on a *nix account like sdf.org or something. I agree that people should trust Windows with any private information. However, hardly a web site in existence functions at all without javascript. TOR will make itself irrelevant if it doesn't function with javascript. And anyway, js is client-side. There ought to be plugins that cause the browser to ask for explicit permission to allow asynchronous communications on a case-by-case basis. Disabling js is overkill.
It is not even close or similar.
It is a JavaScript problem.
You're seriously asking that ?
Laws serve the one purpose of giving government perceived legitimacy. Money trumps laws, connections trump laws, and the government ignores the laws. Like this is something new ?
The term Users does not mean Educated Users. Most people using a computer don't understand the magic that makes everything work past hitting the power button. That said, the idea that someone is asking people to stop using Windows because of an application with holes in the code is like asking people to stop driving automobiles because a specific brand of tires is unsafe. Get different tires.
This may be a coincidence, but the JS attack came a couple of weeks after I posted this. The netblock was actually owned by SAIC, who are one of the likely suspects.
I sound so paranoid, but I think you have to be.
Oh, and that attempt at an attack was never going to work.
http://www.archives.gov/exhibits/charters/declaration_transcript.html
Skip down to the "We hold these truths..." Ignore the talk of a "Creator" if you must.
So which part of 'self-evident' makes you think that people need to be GIVEN their rights? The whole point to the Bill of Rights was to enumerate rights that human beings have, regardless of who they are or where they were born. Notice how it says that it's the Governments role to secure the people's rights (NOT to grant them).
http://www.huffingtonpost.com/2013/08/08/lavabit-edward-snowden-email_n_3728005.html
Just wow. Mod my post a troll because you do not like what I say, but the fact is there is no privacy, and you can not do anything the authority, err US government does not like.
The US owns this planet, and will reach into whatever security they want, like a hot knife in butter. With an army 10 times the size of the next 12 countries combined, the US does WTF it wants.
I'm not taking a position about it being right or wrong, simply stating the facts.
There is no privacy, nor is there any reason to believe anything you can do can remain private, if the US wants to know about it. They got bin laden didn't they? You think any privacy measure you can come up with are better than what he had?
slashdot troll = you make a compelling argument I do not like the implications of.
Well f'n said.
If I am reading that right: "The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle." People who don't patch can really blame themselves.
This commenter is quite ignorant about the viability of using alternatives to Microsoft Windows, even in countries where the government is very restrictive, since Operating Systems (OS) Software like GNU/Linux is readily available in these places and ultimately more secure than MS Window, as well as being Free! as in costs.
Much of the populations in USA and UK in particular, know only of the commercial software technologies that dominated in the twentieth century, where-as in several European, South American countries and on other continents, the significant advantages and protections of GNU/Linux are well known and documented.
Yes but I think the original point is that if we all use encryption all the time, then we are all raising "red flags" - and they are unable to watch all of us all the time when we are all encrypted!