Slashdot Mirror
TOR Wants You To Stop Using Windows, Disable JavaScript
itwbennett writes "The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network. The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network. 'Really, switching away from Windows is probably a good security move for many reasons,' according to a security advisory posted Monday by The TOR Project."
Firefox allows it, as does every major browser. But it is not the default, because it is incredibly inconvenient considering how many websites rely on it. There are tools to make it easier for Firefox and Chrome but it is still a bit of a bother.
The firefox and java problems can be worked around, but if the FBI is interested in stopping anonimity through TOR, then Windows will most likely be compromised as well. This particular attack only worked on Windows, so avoiding Windows prevents the current attack and may provide more protection against future attacks.
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
FTA: 'The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle.'
Geeez, this is all about running old TOR on old Windows... who knew something could possibly go wrong with that?
I deny that I have not avoided attaining the opposite of that which I do not want.
"So the vulnerability is in firefox and java, but they propose to stop using Windows?" Exactly. This could have happened in any OS, they just targeted Windows because that's what most users use. Ironically IE10 run in x64 mode probably would not have this problem, since it uses vastly more address space for ASLR. It's like getting a flat tire, then the guy you hire to change your tire tells you to buy his favorite brand of car to fix it.
"...I think the Microsoft hatred is a disease." - Linus Torvalds
Looks like the NSA is up to their old dirty tricks: http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/ ... And yes, I second the motion to stop using Windows -- its full of zero day bugs like this. Not a day goes by where you don't hear about a new zero day attack focused on Windows, and its been that way for decades.
The TOR Project's reasoning comes from the characteristics of the malicious JavaScript that exploited the zero-day vulnerability. The script was written to target Windows computers running Firefox 17 ESR (Extended Support Release), a version of the browser customized to view websites using TOR.
People using Linux and OS X were not affected, but that doesn't mean they couldn't be targeted in the future. "This wasn't the first Firefox vulnerability, nor will it be the last," The TOR Project warned.
The G
Firefox is apparently opting to remove the option from their settings and for a good reason - no one wants to globally disable JS these days. A default off with allowed sites is workable though, but there are extensions like NoScript to add that functionality.
Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don, they won't necessarily know how.
Secondly, it's poor advice. The vulnerability affects Firefox 17....and Firefox is up to 22 now I think. Wouldn't it make more sense for them to make sure the tor browser is hardened and recommend people to use that?
Finally, Using a more recent windows version is actually good for security. ASLR, DEP, a rudimentary MAC implementation, UAC...despite what people say, Windows is actually one of the better operating systems security wise these days. Not just because of the preventive technology that most other OS's don't have (OS X has a lacking and broken implementation, most linux distros are not as complete in their implementations..), but because Microsoft started taking security seriously and vulnerabilities are rare these days.
Whatever, bring on the irrational arguments and Microsoft hate. Is it really too much for a forum of tech nerds to be objective in their analysis?
If you ignore ACs because they are anonymous - you're an idiot.
Yea, that would make sense, except this vulnerability existed in, and was just as exploitable in Linux versions of FF as far as I know. Even if it was Windows specific, that's just coincidence since the Linux versions of firefox have vulnerabilities all the time that are just as exploitable. Do you actually know anything about computer security?
"...I think the Microsoft hatred is a disease." - Linus Torvalds
Recommend switching away from windows, a few will do so and a lot more will just not bother - and so the pool of people using Tor (and other encryption privacy "enhancing" services) shrinks just a little bit more. If the whistleblower Snowden revelations have taught us nothing else, it is that if you are one of the few that use encryption/VPN/privacy enhancing solutions then you attract extra unwanted attention to yourself. For everyone to enjoy privacy, security professionals need to be coding solutions and encouraging more people, including Windows users, to adopt always on default encryption - not the opposite. Are they really that clueless?
Since they are advocating throwing away an entire OS due to a flaw in Firefox, I'll go one step further. Throw out your entire PC and you'll be 100% secure.
tails is good.
---Saying gnome 3 is better than windows 8 not so much a compliment as it is damning with light praise.
Another problem is Tor's has tiny enough usage that it's easy for a handful of governments to run a critical mass of exit nodes and relays to do traffic analysis. Instead of discouraging things like bittorrent - I think the Tor project should encourage it, along with encouraging people to contribute back enough bandwidth to make up for their downloads (i.e. contribute about 3X the bandwidth they download). That way Tor could grow to the scale where it'd be much harder to monitor or take down.
Have gnu, will travel.
How long will it be before the FBI goes publicly on the attack?
Freedom Hosting was, from what I've been reading over the last couple of days, not only taken over by the FBI and used to inject this code but it also probably hosted half of all child porn *.onion sites extant.
Demonizing the pervs seems like a good way to distract people from the fact that a state entity is now actively running malware that attacks everybody. I'm surprised it hasn't started already.
v23 of Firefox removed that feature. It might be buried in about:config somewhere, but I have heard some comments to the contrary. Still on 22 here.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
Some of them are exactly that clueless. They tend to let perfect become the enemy of pretty good.
In SOVIET RUSSIA... erm...NSA AMERICA, the Internet logs onto YOU!
...stop using a system developed and partly sanctioned by the US military if you want actually want to preserve your privacy. Actually, lack of privacy is a social problem, alland technical solutions are based simply on not your doing anything important enough for someone to engage in an arms race with you (which you will lose).
If you want privacy, you need to have exclusive control of a great deal of the network and intermediate nodes, plus the exact content of the traffic. And then you need to make sure that merely the raw content isn't a giveaway. Otherwise stochastic methods will attack all of the above and identify who you are, before an exploit's even been planted on your home machine.
Or foster a society that refuses to allocate the resources to fuck you over. Remember, anyone can be taught skills - but values are much harder to instil.
If encryption is a "please investigate me" red flag, then we need to find ways to hide the encryption (i.e. steganography).
Agree - SSL/https is the shining example of how completely the security professionals have failed the Internet users. That and the sorry state of always unencrypted email all the time, by default. Perhaps most "security professionals" are really trying to keep the status quo - no encryption by default. No prizes for guessing who is the biggest employer and sponsor of security researchers...
Not if the majority or dare I say everyone raises the red flag, we dont.
This is like saying "That them thar wood house is no good. Better replace it all with brick."
That sounds exactly like something one pig might warn another about, especially living on the edge of wolf country.
1. Go to about: config. 2. Search for javascript.enabled. 3. Toggle off. 4. No javascript. Alternatively, install no script. 5. Stop spreading nonsense.
URL about:config then enter 'javascript.enabled' into the search bar. Double click that setting in the list below to toggle back and forth.
This is incorrect, the latest version of firefox do allow javascript to be turned off. It is an invalid complaint.
Don't give me bullshit about it not being in the "UI" either, since I have a bookmark with the address about:config?filter=javascript.enabled right there in my bookmarks toolbar.
They really don't need to have backdoors, and that would present problems if MS and Apple allowed it. They could face lawsuits and what not, and hackers could find them and use the backdoors. Most likely what these 3 letter agencies do, is hire people to find 0-days in all the OSes and all the browsers. Modern OSes and browsers are so complicated, that this is probably easy to do. If a 0-day gets fixed, they can just always find more. It's the same effect as having a backdoor, but without the legal problems for the companies involved, and it works for all OSes/browsers. Hackers find 0-days all the time, and these 3 letter guys are probably much better and more funded, so..
"...I think the Microsoft hatred is a disease." - Linus Torvalds
Security is a process rather than an end product. Linux is not "secure" as there will always by holes/exploits/bugs etc. However, open source development provides more opportunities to improve security. Whether or not it is currently more or less secure than Windows or OSX is debatable (and almost impossible to accurately measure).
You're a temporary arrangement of matter sliding towards oblivion in a cold, uncaring universe
Well I think part of the problem is that security experts are experts, and they don't understand that if they really want to encourage better security, they need to make it easy for non-experts. It's funny, because you'd think security experts would know this. One of the key things about security is that a great security measure that nobody uses and everyone circumvents is actually a terrible security measure.
Encryption implementations need to be so well designed and foolproof that they're enabled by default. Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications. We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA. We don't enable encryption on email because it requires plugins and complicated setups. We don't use TOR because it's not quite brain-dead simple.
The experts will respond, "But it *is* brain-dead simple. Just download this plugin, drop into the command line and type [insert command here], compile this binary, change this configuration file in /etc. Oh wait, you're on Windows? Sorry, then you need to download these other files. Get GPG v1 because v2 is completely different and doesn't work with the plugins. Then when you get this error, hit 'ignore'..." And all that makes sense to the experts because they're experts, and they understand what's going on. People won't start using encryption en masse until it's so brain-dead simple that they don't even know they're using it.
Yes, I know that you can get a web browser that is specifically set up to route everything through TOR. What I want is a simple setting in browsers to use TOR for all private browsing sessions.
To clarify what AC posted, the words "Java" and "Javascript" are like "car" and "caramel", or "ear" and "early" - they are completely unrelated. They just have some letters in common.
Netscape had an interpreted scripting language called LiveScript. It wasn't used a whole lot.
Later, Sun released a virtual machine and a compiled language to program it in called Java. Java got a lot of press.
Seeing all the press that Java was getting, Netscape renamed Livescript "Javascript", to ride the coat-tails of the
completely different system, called Java.
They were developed completely separately, by different companies, for different purposes, and based on different principles.
It's exactly as if the BETAMAX were renamed DroidVideo.
The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox
Stop using Firefox (this particular version, on Windows) surely?
Sounds like someone at TOR was hankering for an excuse to rail against Windows.
systemd is Roko's Basilisk.
...and you have something on EVERYONE, in advance.
Then regularly select people at random, to keep the rest of the population in fear.
And specifically target any inconveniences.
They're being rather disingenuous too: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
Since the vulnerability isn't limited to Windows machines, it's just that they believe that only Windows machines were targeted.
WHO IS AFFECTED:
In principle, all users of all Tor Browser Bundles earlier than
the above versions are vulnerable. But in practice, it appears that
only Windows users with vulnerable Firefox versions were actually
exploitable by this attack.
(If you're not sure what version you have, click on "Help -> About
Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: [7])
To be clear, while the Firefox vulnerability is cross-platform, the
attack code is Windows-specific. It appears that TBB users on Linux
and OS X, as well as users of LiveCD systems like Tails, were not
exploited by this attack.
IMPACT:
The vulnerability allows arbitrary code execution, so an attacker
could in principle take over the victim's computer. However, the
observed version of the attack appears to collect the hostname and MAC
address of the victim computer, send that to a remote webserver over
a non-Tor connection, and then crash or exit [8]. The attack appears
to have been injected into (or by) various Tor hidden services [9],
and it's reasonable to conclude that the attacker now has a list of
vulnerable Tor users who visited those hidden services.
We don't currently believe that the attack modifies anything on the
victim computer.
So what makes them so sure that only Windows machines were targeted? Sure only paranoid people would think that way, but lot of people using Tor are paranoid, and many using Tor SHOULD be that paranoid.
You are right - how do we change the situation? I think "Off The Record" (OTR) is a step in the right direction and possible example to learn from. It just works out of the box for a lot of chat clients zero configuration needed providing 100% encrypted chat sessions by default for all users that use those chat clients that ship with it enabled by default. A security "professional" will be quick to sprout that it is open to MITM blah blah blah but fail to recognize that 100% adoption always on encryption is achieved - the hard part. From there it is a small extra step for those that could be bothered to check fingerprints out of band, or even add extra services that help the clueless/not interested do that part automatically. It is like security professionals cant get past the "it is not flawless" stage... and so we are all stuck with nothing or something very good, that nobody else uses or can interact with (PGP as one of many examples).
All my email employment applications are encoded in pictures of cats.
I'd mod you up if I had the points. Computer geeks are terrible at making things work for non-geeks. And if you say anything about this, you often get attacked. Just mention how a lot of linux programs are hard to use and see them freak out.
NoScript works for me...
This is a sure way to reveal your IP address to an attacker. The only proxy switcher ever deemed safe to use with Tor was TorButton... the rest allowed cache and history-based attacks. Even so, Tor project recommends the entire browser now be customized for Tor and not used for any in-the-clear web access.
Mainly, it's the title and summary that's getting it wrong. The only thing they said was that switching off of Windows is a good idea for the security minded, which it is. They awknowledged that the zero-day affected firefox across the board and that the exploit only targetted Windows, but they never used that as the reasoning to switch OS's.
Not using the Internet is a HUGE red flag to the NSA. They'll be all up in your shit if you do that. You know who doesn't use the Internet? Terrorists. Which kind of makes you wonder why they feel they have to monitor the WHOLE FUCKING THING.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
I would like to add an additional step:
After you tweak the guest OS install to your liking and ensure that it is fully working, take a snapshot and then restore from that snapshot every time.
Had this exact setup using DamnSmallLinux and it worked great. Low memory usage, also.
Doesn't really help. Steganography tools will be considered suspicious and there will be versions with backdoors out there. I don't think this can be fought with technology - the large government organizations will have the resources to get the data they want, either by hacks, or by rubber-hose decryption. A tiny percentage of really expert users may be able to find ways to communicate securely, but the vast majority of people will not have the skill to do so. Since the "experts" need to communicate with non-experts this really doesn't solve much of the problem anyway.
If we want the government to stop snooping we need to change the LAWS. If there aren't enough votes to change the law, then we just need to suck it up, same as for any other decision by the majority.
Mozilla were not listed as NSA PRISM aiding and abetting companies. Microsoft was listed as an active participant, helping NSA bypass the search warrant requirements on their outlook products and providing technical assistance on Skype.
One company picked sides, and its not the side with the Constitution on it.
So yes, he's probably right.
NSA broke TOR on the excuse of kiddy diddlers but they broke TOR mainly to prevent leakers from the NSA from using it to leak. Why else would they use their own IP address clearly and publicly in the breach??
It's to scare any potential NSA employees from leaking how far NSA has gone over the line.
Yeah! I mean, they can't be watching ALL of us, right?
And that's an important point a lot of people, and most of the news media, have gotten wrong about this story. Download any TorProject Browser and NoScript is included by default and specific browser settings changed. As is it's relatively safe to use but if users even temporarily disable those protection measures because they can't do something like download a file or participate in some commenting page because a script is being prevented from running than it's not a fault with Tor, it's a user issue. TorProject's site has always had a very clearly warning for their users about javascript as being a security issue to pay attention to.
If we want the government to stop snooping we need to change the LAWS. If there aren't enough votes to change the law, then we just need to suck it up, same as for any other decision by the majority.
What good are laws if government ignores them?
More Twoson than Cupertino
As Adi Shamir (the S in RSA) has been trying to point out, cryptography is a method for transferring data between two trusted hosts. So the F-16 zooming above Washington can get some radar data from the airbase in Virginia and no one listening in can decrypt it. At the point where some luser picks up a USB drive off the parking lot floor and plugs it into a computer inside the airbase, all the encryption in the world matters not one whit.
It's a massive change to the model we use to conceptualize the threat -- instead of Alice and Bob trying to communicate with each other and keep Charles from decrypting, we have Alice and Bob trying (a) to protect their machines from Charles compromising it and (b) trying to limit the data done if he does compromise it. This isn't your father's security any more.
What is also means is that we are going to need a lot fewer secrets that are really worth keeping or else spend much more time partitioning our virtual worlds. As BEAST/CRIME show, if you treat your Facebook login cookie as a secret, then you need to access it from a partitioned browser where a malicious page cannot make requests using it.
Since they are advocating throwing away an entire OS due to a flaw in Firefox, I'll go one step further. Throw out your entire PC and you'll be 100% secure.
But but but they can go through your garbage!
More Twoson than Cupertino
Looks like they've got you fooled. For a century, the feds have cultivated the appearance of being a highly inefficient organization that nobody wants to have anything to do with. The reality is that there are no forms or time-wasting meetings, all the people who work there are actually highly motivated and competent, they do things with 5% of budget and then just throw away the other 395% to maintain deception, and they have to hire entire buildings of decoy employees to keep anyone from figuring out how small their core team really is. That Torvalds turned his back on that, just proves that he was too dumb to see through the smokescreen and is therefore too dumb to work for them.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
Don't you go through the same thing every n years anyway, with Windows upgrades?
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
In the US they are not quite "ignored". They are twisted and redefined. Still remember that the #1 goal of most politicians is to get re-elected, so they do in some ways respond to what voters want. I mostly blame a cowardly public that is willing to give up its rights and freedoms for a bit of extra safety.
What good are laws if government ignores them?
If the government ignores the laws, then we change the government!
Wait... I'm on a list now, aren't I?
FYI, I just compared Firefox 22 and 23. The about:config?filter=javascript.enabled option is still there.
It doesn't have to be inconvenient, Opera allows me to turn off Javascript based on a whitelist or blacklist.
But maybe it shouldn't be.
There will always be some JS 0-day. Maybe I'd like to bank online without an attacker previously having executing arbitrary code on my machine? Is that an oddball requirement?
I'm sure JS makes it all the more appealing to punch the monkey, but unless my intent is to run an application delivered over the web, I shouldn't need JS at all. If I'm just reading content, or doing simple forms-based interaction like a forum, why would I need JS again?
Socialism: a lie told by totalitarians and believed by fools.
Do you always use your grandmother's computer to browse the darkwebs?
The public is not "willing to give up its rights", it is smart enough to know it didn't have them to begin with.
Minor quibble: The public is too stupid to know that they aren't GIVEN rights, but that if they want them, they have to TAKE them. The Government isn't interested in letting you be free...you have to do that for yourself.
It's funny, because you'd think security experts would know this.
Actually, they do know it. Often, making security, and encryption in particular, usable is a hard problem. There's also often not interest or support for it, in which case it doesn't get done. Hard problems take time and money to solve.
Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications.
That's pretty rare. A lot of people do use full-drive encryption: like people with iOS devices, newer versions of Mac OS X, and many versions of Ubuntu. It's because on those systems, it's been engineered to work well and it's very easy to turn on.
We don't enable encryption on email because it requires plugins and complicated setups.
This is more difficult because that's not the hard part of e-mail encryption. In fact, there are some fairly simple e-mail encryption systems and clients that have it built in. The hard part is that effective e-mail encryption basically boils down to running a public-key infrastructure. Almost any security problem that ends with "...then you just need to distribute public keys" has a hard time being widely adopted and scalable.
We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA.
Nonsense. Buying a cert from a CA is simpler than setting up a web server, by a long shot. If you're not running your own web server (very reasonable these days), most half-decent hosting companies will do all the work of getting a cert and configuring your server for you. All it takes is money -- and it's so inexpensive that the only people that can't afford it are private individuals hosting websites that don't make money.
We don't use TOR because it's not quite brain-dead simple.
It's basically braindead simple now if you use the Tor Browser Bundle, which is what this exploit is targeting.
One of the major reasons the exploit works is that Security Is Hard, both for experts and non-experts.
Take a look at all the certificate authorities your browser trusts sometime. Any one of those can issue a certificate for ANY website, not just those in the area where that authority. If any ONE of those authorities issues a certificate for, say, the NSA, then they can MITM your communication with any website if they're in a position to do so (and the NSA most definitely is), regardless of that website's original certificate. By default, the browser doesn't give a shit if the certificate changes. All of this makes SSL useless against a determined attacker.
Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.
Yes and no.
TrueCrypt is extremely simple to use and it holds your hand tightly through the entire process. It is really one of the best examples of good open software, where it makes an otherwise complex task very simple. There are no usability gaps typically seen in open source software and it's very well documented.
SSL works fine without a CA cert, but browsers have actually gotten a lot worse at making it a clear process to accept self-signed cert. They used to just allow it through and give you a different padlock icon or something, now it's this big warning that prompts a bunch of reading and clicks to bypass. In other words, it used to be passive notification, now it's an active one.
Email encryption is a problem of coordination and logistics. It's not possible to make a one-click "Encrypt this Email" button because there's the offline factor of key exchange. I haven't even met a lot of people I email, how is this supposed to work?
TOR isn't simple? Download the standalone TOR bundle, open when done. Anyone for whom that is difficult is someone who barely uses computers at all.
So, it's a matter of both. Some have dealt well with the ease-of-use barrier, some haven't. But the problem nearly all of them still face is a lack of public awareness and an excess of apathy towards personal privacy.
Nobody wants a pure forms based internet experience. It's horribly inefficient and awkward.
Do you write JS for a living? Have you ever put thought and effort into making a nice forms-based site? Few interactions requires constant chatter between the UI and the server behind the scenes.
If I'm just reading, a nicely laid-out page is all I need. If I'm doing simple interaction, like posting to Slashdot, why do I need JS? As long the needed UI controls are simple (and, you know, they usually are if you're not being complicated for the sake of showing off), why drag JS into it?
So much of the web these days looks like some web designer shouting "hey, everyone, look at why I can do!"
Socialism: a lie told by totalitarians and believed by fools.
So which part of 'self-evident' makes you think that people need to be GIVEN their rights? The whole point to the Bill of Rights was to enumerate rights that human beings have, regardless of who they are or where they were born. Notice how it says that it's the Governments role to secure the people's rights (NOT to grant them).