Slashdot Mirror
TOR Wants You To Stop Using Windows, Disable JavaScript
itwbennett writes "The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network. The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network. 'Really, switching away from Windows is probably a good security move for many reasons,' according to a security advisory posted Monday by The TOR Project."
Firefox allows it, as does every major browser. But it is not the default, because it is incredibly inconvenient considering how many websites rely on it. There are tools to make it easier for Firefox and Chrome but it is still a bit of a bother.
So the vulnerability is in firefox and java, but they propose to stop using Windows?
FTA: 'The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle.'
Geeez, this is all about running old TOR on old Windows... who knew something could possibly go wrong with that?
I deny that I have not avoided attaining the opposite of that which I do not want.
Looks like the NSA is up to their old dirty tricks: http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/ ... And yes, I second the motion to stop using Windows -- its full of zero day bugs like this. Not a day goes by where you don't hear about a new zero day attack focused on Windows, and its been that way for decades.
say wuuuuuttt? tools options content disable javascript
Firefox is apparently opting to remove the option from their settings and for a good reason - no one wants to globally disable JS these days. A default off with allowed sites is workable though, but there are extensions like NoScript to add that functionality.
Let me go put Linux on my grandmother's computer and then field questions for her about why everything's different and why none of her programs are there...
Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don, they won't necessarily know how.
Secondly, it's poor advice. The vulnerability affects Firefox 17....and Firefox is up to 22 now I think. Wouldn't it make more sense for them to make sure the tor browser is hardened and recommend people to use that?
Finally, Using a more recent windows version is actually good for security. ASLR, DEP, a rudimentary MAC implementation, UAC...despite what people say, Windows is actually one of the better operating systems security wise these days. Not just because of the preventive technology that most other OS's don't have (OS X has a lacking and broken implementation, most linux distros are not as complete in their implementations..), but because Microsoft started taking security seriously and vulnerabilities are rare these days.
Whatever, bring on the irrational arguments and Microsoft hate. Is it really too much for a forum of tech nerds to be objective in their analysis?
If you ignore ACs because they are anonymous - you're an idiot.
Even TAILS has JS on by default. never really understood why.
... would be for web browsers to have some javascript configuration settings, allowing them to specify, for instance, what values these particular queries (hostname and mac address) should actually return, if not the defaults, much like how some browsers allow you to configure what it reports as a user-agent header in an http request.
File under 'M' for 'Manic ranting'
Recommend switching away from windows, a few will do so and a lot more will just not bother - and so the pool of people using Tor (and other encryption privacy "enhancing" services) shrinks just a little bit more. If the whistleblower Snowden revelations have taught us nothing else, it is that if you are one of the few that use encryption/VPN/privacy enhancing solutions then you attract extra unwanted attention to yourself. For everyone to enjoy privacy, security professionals need to be coding solutions and encouraging more people, including Windows users, to adopt always on default encryption - not the opposite. Are they really that clueless?
Since they are advocating throwing away an entire OS due to a flaw in Firefox, I'll go one step further. Throw out your entire PC and you'll be 100% secure.
Of course it's more secure! The only way in left is the door!
Of course it's more secure! I also hear that DEATH is a great way to lose weight. Die, and the pounds just melt away!
Can we please have a serious suggestion other than changing your OS? This is like saying "That them thar wood house is no good. Better replace it all with brick."
If you've been reading here regularly you know that TOR is compromised now anyway, as is pretty much all internet usage. I don't even personally believe that any form of encryption available to the general public is even safe from prying eyes anymore.
Are YOU using the TOOL, or is the TOOL using YOU? Think about it!
This is incorrect, the latest versions of firefox do not allow javascript to be turned off. It is a valid complaint
If an experiment works, something has gone wrong.
tails is good.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
Another problem is Tor's has tiny enough usage that it's easy for a handful of governments to run a critical mass of exit nodes and relays to do traffic analysis. Instead of discouraging things like bittorrent - I think the Tor project should encourage it, along with encouraging people to contribute back enough bandwidth to make up for their downloads (i.e. contribute about 3X the bandwidth they download). That way Tor could grow to the scale where it'd be much harder to monitor or take down.
Have gnu, will travel.
How long will it be before the FBI goes publicly on the attack?
Freedom Hosting was, from what I've been reading over the last couple of days, not only taken over by the FBI and used to inject this code but it also probably hosted half of all child porn *.onion sites extant.
Demonizing the pervs seems like a good way to distract people from the fact that a state entity is now actively running malware that attacks everybody. I'm surprised it hasn't started already.
v23 of Firefox removed that feature. It might be buried in about:config somewhere, but I have heard some comments to the contrary. Still on 22 here.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
Some of them are exactly that clueless. They tend to let perfect become the enemy of pretty good.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
...stop using a system developed and partly sanctioned by the US military if you want actually want to preserve your privacy. Actually, lack of privacy is a social problem, alland technical solutions are based simply on not your doing anything important enough for someone to engage in an arms race with you (which you will lose).
If you want privacy, you need to have exclusive control of a great deal of the network and intermediate nodes, plus the exact content of the traffic. And then you need to make sure that merely the raw content isn't a giveaway. Otherwise stochastic methods will attack all of the above and identify who you are, before an exploit's even been planted on your home machine.
Or foster a society that refuses to allocate the resources to fuck you over. Remember, anyone can be taught skills - but values are much harder to instil.
wrong os friend. we are talking about windows.
I think the GP was referring to this: http://www.i-programmer.info/news/86-browsers/6049-firefox-23-makes-javascript-obligatory.html
However that headline and several others like it were misleading as you can still disable javascript from the "about:config" page - you just can't disable it by unchecking a checkbox in preferences anymore.
https://bugzilla.mozilla.org/show_bug.cgi?id=873709
If encryption is a "please investigate me" red flag, then we need to find ways to hide the encryption (i.e. steganography).
Why not just tell people to stop using the internet completely? Unplug their computers from the internet, then they'd be completely safe. And they might as well, too, if they disable javascript, given that basically everything uses it these days...
javascript.enabled, toggle the value.
For those who depend on TOR for their safety, more than they depend on a specific tool for their convenience, the following a safety advisory seems pretty rational. Air pollution in LA is bad on Tuesday! Young people and elderly should please remain indoors if possible!
[
But why do you have JS on in the first place?
Because 51 percent of web applications that someone uses require JavaScript.
Agree - SSL/https is the shining example of how completely the security professionals have failed the Internet users. That and the sorry state of always unencrypted email all the time, by default. Perhaps most "security professionals" are really trying to keep the status quo - no encryption by default. No prizes for guessing who is the biggest employer and sponsor of security researchers...
Well, you could hardly argue with either suggestion, even before TOR was known to be compromised.
Please do not read this sig. Thank you.
Not if the majority or dare I say everyone raises the red flag, we dont.
This is like saying "That them thar wood house is no good. Better replace it all with brick."
That sounds exactly like something one pig might warn another about, especially living on the edge of wolf country.
1. Go to about: config. 2. Search for javascript.enabled. 3. Toggle off. 4. No javascript. Alternatively, install no script. 5. Stop spreading nonsense.
URL about:config then enter 'javascript.enabled' into the search bar. Double click that setting in the list below to toggle back and forth.
This is incorrect, the latest version of firefox do allow javascript to be turned off. It is an invalid complaint.
Don't give me bullshit about it not being in the "UI" either, since I have a bookmark with the address about:config?filter=javascript.enabled right there in my bookmarks toolbar.
I use tor and firefox. But I don't use firefox that is bundled with Tor (v1.7ESR), but my own (v22). I run private mode, and I use the convenient FoxyProxy extension to redirect my network connection to either tor or for a direct connection. FoxyProxy allows me to specify what sites I would need to redirect to Tor and what not. Fairly simple, really.
Well I think part of the problem is that security experts are experts, and they don't understand that if they really want to encourage better security, they need to make it easy for non-experts. It's funny, because you'd think security experts would know this. One of the key things about security is that a great security measure that nobody uses and everyone circumvents is actually a terrible security measure.
Encryption implementations need to be so well designed and foolproof that they're enabled by default. Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications. We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA. We don't enable encryption on email because it requires plugins and complicated setups. We don't use TOR because it's not quite brain-dead simple.
The experts will respond, "But it *is* brain-dead simple. Just download this plugin, drop into the command line and type [insert command here], compile this binary, change this configuration file in /etc. Oh wait, you're on Windows? Sorry, then you need to download these other files. Get GPG v1 because v2 is completely different and doesn't work with the plugins. Then when you get this error, hit 'ignore'..." And all that makes sense to the experts because they're experts, and they understand what's going on. People won't start using encryption en masse until it's so brain-dead simple that they don't even know they're using it.
From what I heard, the flaw affects Firefox 17 and the latest browser bundle is 22 and javascript has to be on, which is technically isn't because of noscript being on by default. Also, since it's Firefox and javscript and cookies, it's actually platform independent so switching off of Windows will do absolutely nothing to prevent this type of attack. Great article!
Actually for Firefox 23 you're wrong too. It's nowhere in any settings dialog.
Never fear, for you can bookmark about:config?filter=javascript.enabled and put that right in your bookmarks toolbar.
Yes, I know that you can get a web browser that is specifically set up to route everything through TOR. What I want is a simple setting in browsers to use TOR for all private browsing sessions.
To clarify what AC posted, the words "Java" and "Javascript" are like "car" and "caramel", or "ear" and "early" - they are completely unrelated. They just have some letters in common.
Netscape had an interpreted scripting language called LiveScript. It wasn't used a whole lot.
Later, Sun released a virtual machine and a compiled language to program it in called Java. Java got a lot of press.
Seeing all the press that Java was getting, Netscape renamed Livescript "Javascript", to ride the coat-tails of the
completely different system, called Java.
They were developed completely separately, by different companies, for different purposes, and based on different principles.
It's exactly as if the BETAMAX were renamed DroidVideo.
The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox
Stop using Firefox (this particular version, on Windows) surely?
Sounds like someone at TOR was hankering for an excuse to rail against Windows.
systemd is Roko's Basilisk.
Are you kidding me? Why in hell would you even say something like this....
Linus wouldn't fill out the 17 forms required to get a check from the feds, much less submit the monthly progress reports or sign the forms, in triplicate, each month to receive the paper check to be deposited. Goddamn 7 digits, no understanding of the system at all...
Much less participate in a system he would find grossly inefficient and horribly flawed. The man respects greatness, not whatever this is.
You are an idiot. If this was a joke its not funny, even once.
andy
Mingling security concerns with zealotry doesn't serve anyone. TOR team has discredited themselves with an immature response to a routine security issue, based not on an actual technological issue but on fanboyism. TOR favors Linux and the Mac OS over Windows, and uses this security issue as an opportunity to attack Windows rather than stick to the facts and keep their users safe. This is an issue to which both Firefox and Windows are to blame, yet they don't tell us to stop using Firefox, even while acknowledging that it is technically possible for a future exploit to affect Firefox running on platforms other than Windows.
If the proper response to a security issue involving TOR is to stop using my operating system, that might just as well justify a user to stop using TOR.
Gamingmuseum.com: Give your 3D accelerator a rest.
...and you have something on EVERYONE, in advance.
Then regularly select people at random, to keep the rest of the population in fear.
And specifically target any inconveniences.
They're being rather disingenuous too: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
Since the vulnerability isn't limited to Windows machines, it's just that they believe that only Windows machines were targeted.
WHO IS AFFECTED:
In principle, all users of all Tor Browser Bundles earlier than
the above versions are vulnerable. But in practice, it appears that
only Windows users with vulnerable Firefox versions were actually
exploitable by this attack.
(If you're not sure what version you have, click on "Help -> About
Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: [7])
To be clear, while the Firefox vulnerability is cross-platform, the
attack code is Windows-specific. It appears that TBB users on Linux
and OS X, as well as users of LiveCD systems like Tails, were not
exploited by this attack.
IMPACT:
The vulnerability allows arbitrary code execution, so an attacker
could in principle take over the victim's computer. However, the
observed version of the attack appears to collect the hostname and MAC
address of the victim computer, send that to a remote webserver over
a non-Tor connection, and then crash or exit [8]. The attack appears
to have been injected into (or by) various Tor hidden services [9],
and it's reasonable to conclude that the attacker now has a list of
vulnerable Tor users who visited those hidden services.
We don't currently believe that the attack modifies anything on the
victim computer.
So what makes them so sure that only Windows machines were targeted? Sure only paranoid people would think that way, but lot of people using Tor are paranoid, and many using Tor SHOULD be that paranoid.
You are right - how do we change the situation? I think "Off The Record" (OTR) is a step in the right direction and possible example to learn from. It just works out of the box for a lot of chat clients zero configuration needed providing 100% encrypted chat sessions by default for all users that use those chat clients that ship with it enabled by default. A security "professional" will be quick to sprout that it is open to MITM blah blah blah but fail to recognize that 100% adoption always on encryption is achieved - the hard part. From there it is a small extra step for those that could be bothered to check fingerprints out of band, or even add extra services that help the clueless/not interested do that part automatically. It is like security professionals cant get past the "it is not flawless" stage... and so we are all stuck with nothing or something very good, that nobody else uses or can interact with (PGP as one of many examples).
All my email employment applications are encoded in pictures of cats.
I'd mod you up if I had the points. Computer geeks are terrible at making things work for non-geeks. And if you say anything about this, you often get attacked. Just mention how a lot of linux programs are hard to use and see them freak out.
NoScript works for me...
Mainly, it's the title and summary that's getting it wrong. The only thing they said was that switching off of Windows is a good idea for the security minded, which it is. They awknowledged that the zero-day affected firefox across the board and that the exploit only targetted Windows, but they never used that as the reasoning to switch OS's.
Not using the Internet is a HUGE red flag to the NSA. They'll be all up in your shit if you do that. You know who doesn't use the Internet? Terrorists. Which kind of makes you wonder why they feel they have to monitor the WHOLE FUCKING THING.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Or you could just add the TorVM package to QubesOS where all apps are transparently virtualized.
I would like to add an additional step:
After you tweak the guest OS install to your liking and ensure that it is fully working, take a snapshot and then restore from that snapshot every time.
Had this exact setup using DamnSmallLinux and it worked great. Low memory usage, also.
Doesn't really help. Steganography tools will be considered suspicious and there will be versions with backdoors out there. I don't think this can be fought with technology - the large government organizations will have the resources to get the data they want, either by hacks, or by rubber-hose decryption. A tiny percentage of really expert users may be able to find ways to communicate securely, but the vast majority of people will not have the skill to do so. Since the "experts" need to communicate with non-experts this really doesn't solve much of the problem anyway.
If we want the government to stop snooping we need to change the LAWS. If there aren't enough votes to change the law, then we just need to suck it up, same as for any other decision by the majority.
Mozilla were not listed as NSA PRISM aiding and abetting companies. Microsoft was listed as an active participant, helping NSA bypass the search warrant requirements on their outlook products and providing technical assistance on Skype.
One company picked sides, and its not the side with the Constitution on it.
So yes, he's probably right.
NSA broke TOR on the excuse of kiddy diddlers but they broke TOR mainly to prevent leakers from the NSA from using it to leak. Why else would they use their own IP address clearly and publicly in the breach??
It's to scare any potential NSA employees from leaking how far NSA has gone over the line.
So why do I have Firefox 22 with an enable/disable Javascript option? I downloaded this from Mozilla so you are saying they built a special version just for me? How nice of them.. Or perhaps Firefox still allows the user to enable/disable Javascript at this time.
You'll be unpleasantly surprised when you download Firefox 23 and find out it's gone. Which was released today, btw.
GLaDOS for President 2016! "Well here we are again. It's always such a pleasure." -- GLaDOS, 2011
Maybe they remember when it was a acronym. Learn some history, kid.
Yeah! I mean, they can't be watching ALL of us, right?
And that's an important point a lot of people, and most of the news media, have gotten wrong about this story. Download any TorProject Browser and NoScript is included by default and specific browser settings changed. As is it's relatively safe to use but if users even temporarily disable those protection measures because they can't do something like download a file or participate in some commenting page because a script is being prevented from running than it's not a fault with Tor, it's a user issue. TorProject's site has always had a very clearly warning for their users about javascript as being a security issue to pay attention to.
The
Onion
Router.
It may have been lowercased in recent years, but all-caps is more informative.
If we want the government to stop snooping we need to change the LAWS. If there aren't enough votes to change the law, then we just need to suck it up, same as for any other decision by the majority.
What good are laws if government ignores them?
More Twoson than Cupertino
Like every Microsoft user who uses Remote Desktop? Or Xbox Live?
Railing against Windows seems counter-productive, since Microsoft *does* encrypt silently by default for products where it makes sense. It's the open source tools that generally don't.
Comment of the year
As Adi Shamir (the S in RSA) has been trying to point out, cryptography is a method for transferring data between two trusted hosts. So the F-16 zooming above Washington can get some radar data from the airbase in Virginia and no one listening in can decrypt it. At the point where some luser picks up a USB drive off the parking lot floor and plugs it into a computer inside the airbase, all the encryption in the world matters not one whit.
It's a massive change to the model we use to conceptualize the threat -- instead of Alice and Bob trying to communicate with each other and keep Charles from decrypting, we have Alice and Bob trying (a) to protect their machines from Charles compromising it and (b) trying to limit the data done if he does compromise it. This isn't your father's security any more.
What is also means is that we are going to need a lot fewer secrets that are really worth keeping or else spend much more time partitioning our virtual worlds. As BEAST/CRIME show, if you treat your Facebook login cookie as a secret, then you need to access it from a partitioned browser where a malicious page cannot make requests using it.
Since they are advocating throwing away an entire OS due to a flaw in Firefox, I'll go one step further. Throw out your entire PC and you'll be 100% secure.
But but but they can go through your garbage!
More Twoson than Cupertino
Exactly. JavaScript is a basic requirement to use the modern web.
Looks like they've got you fooled. For a century, the feds have cultivated the appearance of being a highly inefficient organization that nobody wants to have anything to do with. The reality is that there are no forms or time-wasting meetings, all the people who work there are actually highly motivated and competent, they do things with 5% of budget and then just throw away the other 395% to maintain deception, and they have to hire entire buildings of decoy employees to keep anyone from figuring out how small their core team really is. That Torvalds turned his back on that, just proves that he was too dumb to see through the smokescreen and is therefore too dumb to work for them.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
In the US they are not quite "ignored". They are twisted and redefined. Still remember that the #1 goal of most politicians is to get re-elected, so they do in some ways respond to what voters want. I mostly blame a cowardly public that is willing to give up its rights and freedoms for a bit of extra safety.
Which is probably a good thing given the horrible consequences people can suffer in places like China--land of the not-quite-as-high-prison-count-because-of-summary-executions.
All the encryption in the world is useless if every message you send includes the decryption. All the anonymizing web browsing software in the world is (potentially) useless if the web browser hands over your IP, MAC, and/or geolocation. The simple fact is that while this exploit specifically targetted Windows and other OS users could have been made just as vulnerable, Windows itself is inherently unverifable--except by the very governments which Tor tries to protect against and some universities which are too limited in scope to deal with all potential threats (consider Wikipedia vs the various attempts to make an Expert-only wiki encyclopedia) and cannot ever be considered safe. And given the potential consequences of using Tor, it's wholly reasonable to recommend to not use Windows. Taken further, I'd say Tor on an openbsd vm image would likely be best as recommendations.
Yet, clearly they're still offering Tor for Windows and still using a bundle with Firefox even though Firefox is/was the main culpurate this time. Because the honest truth is that Tor developers aren't Firefox or Linux or Windows or whatever developers and are beholden to them to fix problems preemptive to actual attacks. But at least with Firefox or Linux (or OpenBSD), if they become aware of an attack vector they could potentially fix it even if such is not their forte.
Life and death decisions. A non-revocable action that leaves you discovered. A very binary point that lies outside the control of security experts. What would you recommend? What would you provide? Do you recognize the difference?
Eurohacker European paranoia, gun rights, and h
It was a firefox exploit that happened to only work on Windows but it's equally likely any future flaws will not be platform dependent.
Sorry, but that is bullshit.
In order to get a working vulnerability you have to find an exploit in Firefox, and an exploit on a platform. Let's call that work F + P1.
In order for there to be a vulnerability on even one other platform, you have to find a whole OTHER vulnerability. Let's call that work P2.
It's never, ever the case that F + P1 = F + P1 + P2 so there's no way in hell it's "equally likely" there will be vulnerabilities on more than one platform, each platform added adds a lot of work.
Furthermore both Mac, along with Unix platforms of all flavors are inherently more secure than Windows since you have a real user account to break out of - most Mac/Unix users are not running as the equivalent of root as most Windows users are.
The simple fact remains that Windows is the least secure platform, and you cannot just hand-wave that away. If you have any interest in real security for your own system you do not run Windows.
"There is more worth loving than we have strength to love." - Brian Jay Stanley
What good are laws if government ignores them?
If the government ignores the laws, then we change the government!
Wait... I'm on a list now, aren't I?
FYI, I just compared Firefox 22 and 23. The about:config?filter=javascript.enabled option is still there.
It doesn't have to be inconvenient, Opera allows me to turn off Javascript based on a whitelist or blacklist.
Relax Francis.
Whoever had two people taking that query seriously, you are currently ahead in the pool.
So if 'rights and freedoms' are illusions to begin with, are they giving anything up?
There was nothing Snowden told the world that was not pretty obvious to begin with. This concept that you ever had privacy in the first place is the actual BS.
And here is another clue; the protection offered by encryption you know of (unless you have security clearances) provides about exactly the same protection as the paper envelope you used to send your snail mail in, breakable by anyone with a pair of scissors. But, I bet you think encryption is secure, right?
The public is not "willing to give up its rights", it is smart enough to know it didn't have them to begin with.
slashdot troll = you make a compelling argument I do not like the implications of.
If you want reasonable protections, you need to run Tor and browsers on a completely separate machine, a machine where you carefully control the information you input into it (e.g., you may never want to input your real name) and that is never used without Tor.
Ideally, you use separate hardware on a separate network. But since that's a lot of effort, you may go for the next best thing, namely a separate virtual machine on your regular desktop.
Wait... I'm on a list now, aren't I?
Oh, you already were.
Socialism: a lie told by totalitarians and believed by fools.
Oh, I see. You probably believe Finland is a real place, too. You have no idea how deep the rabbit hole goes.
Forget about Linux - the NSA version of Linux makes that relation hardly a secret. The real trick is Git! It's the ultimate Thompson hack. Every time you build a security-related product from code pulled from Git, the NSA smiles.
Socialism: a lie told by totalitarians and believed by fools.
I don't get your point about HTTPS and SSL. In what way have they failed Internet users? If you're referring to BEAST/CRIME exploits, they can be mitigated by disabling compression.
Can't tell if you're trolling or sarcastic or just really really stupid....
I think you need to re-read my post if you think I was "railing against Microsoft".
Well, I hope you don't keep any sensitive/private information on your computer, then. Having it password protected at boot would keep out many casual attempts to get access to your data, but without encryption, it won't keep out anyone who knows what they're doing. Not having a password at all is fine, as long as you don't mind people accessing your data.
But maybe it shouldn't be.
There will always be some JS 0-day. Maybe I'd like to bank online without an attacker previously having executing arbitrary code on my machine? Is that an oddball requirement?
I'm sure JS makes it all the more appealing to punch the monkey, but unless my intent is to run an application delivered over the web, I shouldn't need JS at all. If I'm just reading content, or doing simple forms-based interaction like a forum, why would I need JS again?
Socialism: a lie told by totalitarians and believed by fools.
I have a lock on my door to keep out casual attempts to get access to my data.
"First they came for the slanderers and i said nothing."
You weren't, but the article we're all (presumably) discussing does.
Comment of the year
the protection offered by encryption you know of (unless you have security clearances) provides about exactly the same protection as the paper envelope
This is pretty untrue. State agencies have no real control over the injection of cryptographical algorithms into the literature, or even if they do now, they have well missed the bus, since the technologies out there in the literature are very sufficient and these days there are so many copies of the literature floating around that it cannot be effectively censored or corrupted. Math is a lot like physics -- when you actually go back and look at when certain things were discovered, you are often astounded at how long ago that was.
What is true is that using cryptography correctly is hard. It takes a lot of knowlege of the technology to get it right. It's harder than most people have patience for and probably harder than a good chunk of people can even mentally handle. That leaves most consumer use of cryptography delegated to trust in software, protocols, and institutions just based on how trustworthy those agents "feel" to the user, divided by how desperately the user wants to get something done -- now.
Those agents are what state agencies can, and sometimes do, influence, and even in the absence of interference by the state, the intrinsic trustworthiness of those agents varies due to a wide variability in the effectiveness of their quality control. The latter is actually the more common problem. Why resort to interfering with the development of crypto software and applications thereof when much of it is developed incompetently in the first place? Just sit back and exploit the pre-existing holes.
Someone had to do it.
The public is not "willing to give up its rights", it is smart enough to know it didn't have them to begin with.
Minor quibble: The public is too stupid to know that they aren't GIVEN rights, but that if they want them, they have to TAKE them. The Government isn't interested in letting you be free...you have to do that for yourself.
It's funny, because you'd think security experts would know this.
Actually, they do know it. Often, making security, and encryption in particular, usable is a hard problem. There's also often not interest or support for it, in which case it doesn't get done. Hard problems take time and money to solve.
Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications.
That's pretty rare. A lot of people do use full-drive encryption: like people with iOS devices, newer versions of Mac OS X, and many versions of Ubuntu. It's because on those systems, it's been engineered to work well and it's very easy to turn on.
We don't enable encryption on email because it requires plugins and complicated setups.
This is more difficult because that's not the hard part of e-mail encryption. In fact, there are some fairly simple e-mail encryption systems and clients that have it built in. The hard part is that effective e-mail encryption basically boils down to running a public-key infrastructure. Almost any security problem that ends with "...then you just need to distribute public keys" has a hard time being widely adopted and scalable.
We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA.
Nonsense. Buying a cert from a CA is simpler than setting up a web server, by a long shot. If you're not running your own web server (very reasonable these days), most half-decent hosting companies will do all the work of getting a cert and configuring your server for you. All it takes is money -- and it's so inexpensive that the only people that can't afford it are private individuals hosting websites that don't make money.
We don't use TOR because it's not quite brain-dead simple.
It's basically braindead simple now if you use the Tor Browser Bundle, which is what this exploit is targeting.
One of the major reasons the exploit works is that Security Is Hard, both for experts and non-experts.
Take a look at all the certificate authorities your browser trusts sometime. Any one of those can issue a certificate for ANY website, not just those in the area where that authority. If any ONE of those authorities issues a certificate for, say, the NSA, then they can MITM your communication with any website if they're in a position to do so (and the NSA most definitely is), regardless of that website's original certificate. By default, the browser doesn't give a shit if the certificate changes. All of this makes SSL useless against a determined attacker.
Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
Well, the problem is that most security professionals are not really independent. Many of them rely on government contracts, some of them even work for weapons manufacturers and arms dealers. Even the supposedly fully independent ones usually work at the university, i.e. they are government employees. Yet others work for large corporations who traditionally bend over for any government authority.
Just take a look at various cell phone and Wifi encryption standards to see the results...
You missed the most obvious option. Microsoft didn't 'give' that signature away to the state. They sold it at a very hefty price, boosting their bottom line without putting as much as a ding in our defense budget. That corporations would sell our sensitive secrets to a government that promises to protect them from any legal fallout is a given. Facebook, Google, Microsoft, Apple, everyone, they're going to sell out that data and trust without thinking twice.
I went to eat some animal crackers and the box said, "Do not eat if seal is broken." I opened the box and sure enough..
Yes and no.
TrueCrypt is extremely simple to use and it holds your hand tightly through the entire process. It is really one of the best examples of good open software, where it makes an otherwise complex task very simple. There are no usability gaps typically seen in open source software and it's very well documented.
SSL works fine without a CA cert, but browsers have actually gotten a lot worse at making it a clear process to accept self-signed cert. They used to just allow it through and give you a different padlock icon or something, now it's this big warning that prompts a bunch of reading and clicks to bypass. In other words, it used to be passive notification, now it's an active one.
Email encryption is a problem of coordination and logistics. It's not possible to make a one-click "Encrypt this Email" button because there's the offline factor of key exchange. I haven't even met a lot of people I email, how is this supposed to work?
TOR isn't simple? Download the standalone TOR bundle, open when done. Anyone for whom that is difficult is someone who barely uses computers at all.
So, it's a matter of both. Some have dealt well with the ease-of-use barrier, some haven't. But the problem nearly all of them still face is a lack of public awareness and an excess of apathy towards personal privacy.
Distribute Tor INSIDE of a prepackaged VM.
Then you don't care what OS the client system is running.
I've decided to stop wasting my time responding to AC trolls/sockpuppets... so if you want a response from me... login.
Tor should just use the vulnerability to scan for Windows users and exclude them necessarily.
After all I'm sure if you ask some people they will say that Windows users were probably how Tor got compromised in the first place.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Maybe Tor should write its own OS. It could be specifically purposed so they don't have to worry about telling their users what not to run while also using Tor.
It could be distributed in VM (as an ^- above comment suggested) or on a bootable media.
"Stratigraphically the origin of agriculture and thermonuclear destruction will appear essentially simultaneous" -- Lee
Certainly nobody who's serious about security should use ANY closed-source OS; and Windows, having spent its entire lifetime proving repeatedly that it's incredibly brittle and incapable of withstanding even rudimentary attacks without numerous add-ons, should be the first to go.
But, that said: nothing that's happened this week has altered the situation. That is, this was all true last month and last year and last decade. NOBODY should have been using Windows then; nobody should be using it now.
Of course that's not how it's played out. Too many peoople are too unwilling to learn, to change, to grow, to use something different. They're not even willing to make trivial changes like (say) IE to Firefox. They want they want, and even if using their Windows system set them on fire once a month, they'd still want it.
There's no hope for those people. We need to stop trying. They're a lost cause. They will inevitably be hacked and phished, spammed and compromised. There's nothing we can do about it except stay clear of the damage. Our efforts need to be focused on the superior people with open minds, the people who can actually (gasp!) LEARN and THINK, the people who will adapt to change -- and not just today's changes, which might be "switch to Linux" but tomorrow's changes, which will be...well, we don't know what they'll be yet since it hasn't arrived.
The sad part of all this is that the movie's not new. It's the same-old same-old. It always ends the same way, yet the stubborn keep doggedly replaying it hoping for some other outcome.
It's not a "please investigate me" red flag. Encryption doesn't hide who talks to whom and that's the bigger red flag for further investigation.
"Lack of speed can be overcome. In the worst case by patience." --Znork
Don't all the non-Microsoft email transfer agents (you know, sendmail, postfix, qmail, etc.) default to StartTLS over ESMTP at this point? I mean, RFC3207 is over a decade old now! Certainly the major distros I've used are shipping their MTAs that way, and auto-generate self-signed certs (which are perfectly useable for email) at install time.
That doesn't prevent [insert adversary here] from MITM'ing StartTLS/ESMTP connections, since the MTA will happily connect to anything with a self-signed cert (and certificate authorities are not necessarily trustworthy either). Sure, Sendmail will log whether certificates are valid or not, but SSL/TLS are of limited usefulness against a determined attacker, in email as much as on the web.
Oh, no! You have walked into the slavering fangs of a lurking grue!
Why resort to interfering with the development of crypto software and applications thereof when much of it is developed incompetently in the first place? Just sit back and exploit the pre-existing holes.
Indeed. Just look at how laughably inscure WEP turned out to be. WPA1 is almost as bad, and what good is WPA2 if your cell phone just sent your passphrases to Google to store in the cloud for "backup" purposes?
Granted, Wi-Fi is normally short-range, but why make it easy for someone else to break into your LAN?
Oh, no! You have walked into the slavering fangs of a lurking grue!
Since they are advocating throwing away an entire OS due to a flaw in Firefox, I'll go one step further. Throw out your entire PC and you'll be 100% secure.
But but but they can go through your garbage!
That's ok, throw out your garbage too!
Oh.. wait.
There will always be some JS 0-day. Maybe I'd like to bank online without an attacker previously having executing arbitrary code on my machine? Is that an oddball requirement?
Then run a separate locked down computer on a separate locked down network. Or do you think JavaScript is the only vulnerable thing on a computer?
but unless my intent is to run an application delivered over the web
Which is pretty much everybody's intent that uses the internet. I bet you this banking you want to do online uses some javascript. Nobody wants a pure forms based internet experience. It's horribly inefficient and awkward.
Nobody wants a pure forms based internet experience. It's horribly inefficient and awkward.
Do you write JS for a living? Have you ever put thought and effort into making a nice forms-based site? Few interactions requires constant chatter between the UI and the server behind the scenes.
If I'm just reading, a nicely laid-out page is all I need. If I'm doing simple interaction, like posting to Slashdot, why do I need JS? As long the needed UI controls are simple (and, you know, they usually are if you're not being complicated for the sake of showing off), why drag JS into it?
So much of the web these days looks like some web designer shouting "hey, everyone, look at why I can do!"
Socialism: a lie told by totalitarians and believed by fools.
By becoming the largest child porn network on the planet which is why I closed my node two years ago.
If I'm doing simple interaction, like posting to Slashdot, why do I need JS?
Good example- let me tell you why Slashdot uses Javascript. You're reading along through X hundred posts and you see something you want to respond to. Now you try to comment and you have to reload the entire page including X hundred comments. And that's just to display a text box to type your comment into. Let's assume it uses hashlinks to scroll the window to the proper place. That's a tonne of data transfer just to get a text box (unless you think there should be a text box loaded under every single comment on first load. Talk about wasted space/time) Now you have to push a submit button and the entire X hundred comments have to be sent to you another time so you can see the comment preview. And then a third time to actually post the comment. Hope you didn't decide to revise the post at all or that's another 2 times the X hundred comments get sent down the pipe.
Here's what actually happens using Javascript: Click "reply", JS loads textbox in appropriate place, click preview, Javascript creates the preview in appropriate spot, click post, Javascript sends post to server for submission. All that without constantly reloading the other X hundred comments.
Which one do you think will give the better user experience? Your forms based solution will be slow, clunky and put a tonne of unnecessary load on the server. What kind of computer scientist would think that that is the best solution?
No real users want to use software like that. Users want things to looks nice; they want them to be fast, responsive and have animations. No rational computer scientist would think that UI should be calculated at 20 - 200ms latency away- it's absurd.
All this Javascript bashing is popular on slashdot and great for some good old fashioned karma whoring. But it falls flat on its face as soon as someone asks how to make the modern web without it. Javascript is a shit language but to claim that client side scripting should be abolished and is not needed is asinine and moronic.
Ugh, if he was a plant then part of his job would be to create impressions such as those, so you having those impressions and believing they mean anything shows that you probably shouldn't be calling other people "idiots".
The only relevant point is that his source code is open, so you don't HAVE to trust him. That's the whole point!!!
The revolution will not be televised... but it will have a page on Wikipedia
So what makes them so sure that only Windows machines were targeted?
Um... as it says, the exploit code is Windows specific... IOW, the code which collects the hostname and MAC address will be using Windows API calls.
They probably would have spotted if the exploit bundled WINE!
The revolution will not be televised... but it will have a page on Wikipedia
I approve of approval voting. Check all three boxes, if you want to.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
If you're going to go so far as disabling js, just use lynx on a *nix account like sdf.org or something. I agree that people should trust Windows with any private information. However, hardly a web site in existence functions at all without javascript. TOR will make itself irrelevant if it doesn't function with javascript. And anyway, js is client-side. There ought to be plugins that cause the browser to ask for explicit permission to allow asynchronous communications on a case-by-case basis. Disabling js is overkill.
It is not even close or similar.
It is a JavaScript problem.
You're reading along through X hundred posts and you see something you want to respond to. Now you try to comment and you have to reload the entire page including X hundred comments. And that's just to display a text box to type your comment into.
What? I'm still using the old UI. When I want to comment, it takes me to a new page where there's just this comment I'm replying to, subject and comment text boxes, a few HTML controls, and some static text.
It works great. Have you really never seen a good non-JS UI?
No rational computer scientist would think that UI should be calculated at 20 - 200ms latency away- it's absurd.
I'd odd, and perhaps telling, that you think this is the sort of thing "computer scientists" study. OK, I guess there is a discipline that studies human interaction (had a college roommate that did graduate work there), but that would still be an odd thing for him to say either way: heck, he wrote a paper early on about why having UI controls that move around is a bad plan (though he was looking at menus that move frequent actions up).
"Forms-based" UIs were the norm for about 30 years (how do you think mainframe-terminal interactions worked?). For the most part they were easier to work with than most current web UIs, though they could have a steeper learning curve.
"Ajaxy" UIs only add value if you can't figure out what to send the user ahead of time. But mostly they get used by "web designers" who just don't bother to figure that out, and so you get something slower to interact with, and less efficient server-side.
Socialism: a lie told by totalitarians and believed by fools.
The term Users does not mean Educated Users. Most people using a computer don't understand the magic that makes everything work past hitting the power button. That said, the idea that someone is asking people to stop using Windows because of an application with holes in the code is like asking people to stop driving automobiles because a specific brand of tires is unsafe. Get different tires.
http://www.archives.gov/exhibits/charters/declaration_transcript.html
Skip down to the "We hold these truths..." Ignore the talk of a "Creator" if you must.
So which part of 'self-evident' makes you think that people need to be GIVEN their rights? The whole point to the Bill of Rights was to enumerate rights that human beings have, regardless of who they are or where they were born. Notice how it says that it's the Governments role to secure the people's rights (NOT to grant them).
http://www.huffingtonpost.com/2013/08/08/lavabit-edward-snowden-email_n_3728005.html
Just wow. Mod my post a troll because you do not like what I say, but the fact is there is no privacy, and you can not do anything the authority, err US government does not like.
The US owns this planet, and will reach into whatever security they want, like a hot knife in butter. With an army 10 times the size of the next 12 countries combined, the US does WTF it wants.
I'm not taking a position about it being right or wrong, simply stating the facts.
There is no privacy, nor is there any reason to believe anything you can do can remain private, if the US wants to know about it. They got bin laden didn't they? You think any privacy measure you can come up with are better than what he had?
slashdot troll = you make a compelling argument I do not like the implications of.
If I am reading that right: "The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle." People who don't patch can really blame themselves.