Slashdot Mirror
TOR Wants You To Stop Using Windows, Disable JavaScript
itwbennett writes "The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network. The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network. 'Really, switching away from Windows is probably a good security move for many reasons,' according to a security advisory posted Monday by The TOR Project."
So the vulnerability is in firefox and java, but they propose to stop using Windows?
Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don, they won't necessarily know how.
Secondly, it's poor advice. The vulnerability affects Firefox 17....and Firefox is up to 22 now I think. Wouldn't it make more sense for them to make sure the tor browser is hardened and recommend people to use that?
Finally, Using a more recent windows version is actually good for security. ASLR, DEP, a rudimentary MAC implementation, UAC...despite what people say, Windows is actually one of the better operating systems security wise these days. Not just because of the preventive technology that most other OS's don't have (OS X has a lacking and broken implementation, most linux distros are not as complete in their implementations..), but because Microsoft started taking security seriously and vulnerabilities are rare these days.
Whatever, bring on the irrational arguments and Microsoft hate. Is it really too much for a forum of tech nerds to be objective in their analysis?
If you ignore ACs because they are anonymous - you're an idiot.
Recommend switching away from windows, a few will do so and a lot more will just not bother - and so the pool of people using Tor (and other encryption privacy "enhancing" services) shrinks just a little bit more. If the whistleblower Snowden revelations have taught us nothing else, it is that if you are one of the few that use encryption/VPN/privacy enhancing solutions then you attract extra unwanted attention to yourself. For everyone to enjoy privacy, security professionals need to be coding solutions and encouraging more people, including Windows users, to adopt always on default encryption - not the opposite. Are they really that clueless?
Since they are advocating throwing away an entire OS due to a flaw in Firefox, I'll go one step further. Throw out your entire PC and you'll be 100% secure.
Another problem is Tor's has tiny enough usage that it's easy for a handful of governments to run a critical mass of exit nodes and relays to do traffic analysis. Instead of discouraging things like bittorrent - I think the Tor project should encourage it, along with encouraging people to contribute back enough bandwidth to make up for their downloads (i.e. contribute about 3X the bandwidth they download). That way Tor could grow to the scale where it'd be much harder to monitor or take down.
Have gnu, will travel.
How long will it be before the FBI goes publicly on the attack?
Freedom Hosting was, from what I've been reading over the last couple of days, not only taken over by the FBI and used to inject this code but it also probably hosted half of all child porn *.onion sites extant.
Demonizing the pervs seems like a good way to distract people from the fact that a state entity is now actively running malware that attacks everybody. I'm surprised it hasn't started already.
...stop using a system developed and partly sanctioned by the US military if you want actually want to preserve your privacy. Actually, lack of privacy is a social problem, alland technical solutions are based simply on not your doing anything important enough for someone to engage in an arms race with you (which you will lose).
If you want privacy, you need to have exclusive control of a great deal of the network and intermediate nodes, plus the exact content of the traffic. And then you need to make sure that merely the raw content isn't a giveaway. Otherwise stochastic methods will attack all of the above and identify who you are, before an exploit's even been planted on your home machine.
Or foster a society that refuses to allocate the resources to fuck you over. Remember, anyone can be taught skills - but values are much harder to instil.
Well I think part of the problem is that security experts are experts, and they don't understand that if they really want to encourage better security, they need to make it easy for non-experts. It's funny, because you'd think security experts would know this. One of the key things about security is that a great security measure that nobody uses and everyone circumvents is actually a terrible security measure.
Encryption implementations need to be so well designed and foolproof that they're enabled by default. Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications. We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA. We don't enable encryption on email because it requires plugins and complicated setups. We don't use TOR because it's not quite brain-dead simple.
The experts will respond, "But it *is* brain-dead simple. Just download this plugin, drop into the command line and type [insert command here], compile this binary, change this configuration file in /etc. Oh wait, you're on Windows? Sorry, then you need to download these other files. Get GPG v1 because v2 is completely different and doesn't work with the plugins. Then when you get this error, hit 'ignore'..." And all that makes sense to the experts because they're experts, and they understand what's going on. People won't start using encryption en masse until it's so brain-dead simple that they don't even know they're using it.
From what I heard, the flaw affects Firefox 17 and the latest browser bundle is 22 and javascript has to be on, which is technically isn't because of noscript being on by default. Also, since it's Firefox and javscript and cookies, it's actually platform independent so switching off of Windows will do absolutely nothing to prevent this type of attack. Great article!
The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox
Stop using Firefox (this particular version, on Windows) surely?
Sounds like someone at TOR was hankering for an excuse to rail against Windows.
systemd is Roko's Basilisk.
You are right - how do we change the situation? I think "Off The Record" (OTR) is a step in the right direction and possible example to learn from. It just works out of the box for a lot of chat clients zero configuration needed providing 100% encrypted chat sessions by default for all users that use those chat clients that ship with it enabled by default. A security "professional" will be quick to sprout that it is open to MITM blah blah blah but fail to recognize that 100% adoption always on encryption is achieved - the hard part. From there it is a small extra step for those that could be bothered to check fingerprints out of band, or even add extra services that help the clueless/not interested do that part automatically. It is like security professionals cant get past the "it is not flawless" stage... and so we are all stuck with nothing or something very good, that nobody else uses or can interact with (PGP as one of many examples).
Doesn't really help. Steganography tools will be considered suspicious and there will be versions with backdoors out there. I don't think this can be fought with technology - the large government organizations will have the resources to get the data they want, either by hacks, or by rubber-hose decryption. A tiny percentage of really expert users may be able to find ways to communicate securely, but the vast majority of people will not have the skill to do so. Since the "experts" need to communicate with non-experts this really doesn't solve much of the problem anyway.
If we want the government to stop snooping we need to change the LAWS. If there aren't enough votes to change the law, then we just need to suck it up, same as for any other decision by the majority.
If we want the government to stop snooping we need to change the LAWS. If there aren't enough votes to change the law, then we just need to suck it up, same as for any other decision by the majority.
What good are laws if government ignores them?
More Twoson than Cupertino
In the US they are not quite "ignored". They are twisted and redefined. Still remember that the #1 goal of most politicians is to get re-elected, so they do in some ways respond to what voters want. I mostly blame a cowardly public that is willing to give up its rights and freedoms for a bit of extra safety.
I have a lock on my door to keep out casual attempts to get access to my data.
"First they came for the slanderers and i said nothing."
It's funny, because you'd think security experts would know this.
Actually, they do know it. Often, making security, and encryption in particular, usable is a hard problem. There's also often not interest or support for it, in which case it doesn't get done. Hard problems take time and money to solve.
Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications.
That's pretty rare. A lot of people do use full-drive encryption: like people with iOS devices, newer versions of Mac OS X, and many versions of Ubuntu. It's because on those systems, it's been engineered to work well and it's very easy to turn on.
We don't enable encryption on email because it requires plugins and complicated setups.
This is more difficult because that's not the hard part of e-mail encryption. In fact, there are some fairly simple e-mail encryption systems and clients that have it built in. The hard part is that effective e-mail encryption basically boils down to running a public-key infrastructure. Almost any security problem that ends with "...then you just need to distribute public keys" has a hard time being widely adopted and scalable.
We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA.
Nonsense. Buying a cert from a CA is simpler than setting up a web server, by a long shot. If you're not running your own web server (very reasonable these days), most half-decent hosting companies will do all the work of getting a cert and configuring your server for you. All it takes is money -- and it's so inexpensive that the only people that can't afford it are private individuals hosting websites that don't make money.
We don't use TOR because it's not quite brain-dead simple.
It's basically braindead simple now if you use the Tor Browser Bundle, which is what this exploit is targeting.
One of the major reasons the exploit works is that Security Is Hard, both for experts and non-experts.