Slashdot Mirror
TOR Wants You To Stop Using Windows, Disable JavaScript
itwbennett writes "The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network. The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network. 'Really, switching away from Windows is probably a good security move for many reasons,' according to a security advisory posted Monday by The TOR Project."
Firefox allows it, as does every major browser. But it is not the default, because it is incredibly inconvenient considering how many websites rely on it. There are tools to make it easier for Firefox and Chrome but it is still a bit of a bother.
FTA: 'The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle.'
Geeez, this is all about running old TOR on old Windows... who knew something could possibly go wrong with that?
I deny that I have not avoided attaining the opposite of that which I do not want.
Looks like the NSA is up to their old dirty tricks: http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/ ... And yes, I second the motion to stop using Windows -- its full of zero day bugs like this. Not a day goes by where you don't hear about a new zero day attack focused on Windows, and its been that way for decades.
The TOR Project's reasoning comes from the characteristics of the malicious JavaScript that exploited the zero-day vulnerability. The script was written to target Windows computers running Firefox 17 ESR (Extended Support Release), a version of the browser customized to view websites using TOR.
People using Linux and OS X were not affected, but that doesn't mean they couldn't be targeted in the future. "This wasn't the first Firefox vulnerability, nor will it be the last," The TOR Project warned.
The G
Firefox is apparently opting to remove the option from their settings and for a good reason - no one wants to globally disable JS these days. A default off with allowed sites is workable though, but there are extensions like NoScript to add that functionality.
Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don, they won't necessarily know how.
Secondly, it's poor advice. The vulnerability affects Firefox 17....and Firefox is up to 22 now I think. Wouldn't it make more sense for them to make sure the tor browser is hardened and recommend people to use that?
Finally, Using a more recent windows version is actually good for security. ASLR, DEP, a rudimentary MAC implementation, UAC...despite what people say, Windows is actually one of the better operating systems security wise these days. Not just because of the preventive technology that most other OS's don't have (OS X has a lacking and broken implementation, most linux distros are not as complete in their implementations..), but because Microsoft started taking security seriously and vulnerabilities are rare these days.
Whatever, bring on the irrational arguments and Microsoft hate. Is it really too much for a forum of tech nerds to be objective in their analysis?
If you ignore ACs because they are anonymous - you're an idiot.
Recommend switching away from windows, a few will do so and a lot more will just not bother - and so the pool of people using Tor (and other encryption privacy "enhancing" services) shrinks just a little bit more. If the whistleblower Snowden revelations have taught us nothing else, it is that if you are one of the few that use encryption/VPN/privacy enhancing solutions then you attract extra unwanted attention to yourself. For everyone to enjoy privacy, security professionals need to be coding solutions and encouraging more people, including Windows users, to adopt always on default encryption - not the opposite. Are they really that clueless?
Since they are advocating throwing away an entire OS due to a flaw in Firefox, I'll go one step further. Throw out your entire PC and you'll be 100% secure.
Another problem is Tor's has tiny enough usage that it's easy for a handful of governments to run a critical mass of exit nodes and relays to do traffic analysis. Instead of discouraging things like bittorrent - I think the Tor project should encourage it, along with encouraging people to contribute back enough bandwidth to make up for their downloads (i.e. contribute about 3X the bandwidth they download). That way Tor could grow to the scale where it'd be much harder to monitor or take down.
How long will it be before the FBI goes publicly on the attack?
Freedom Hosting was, from what I've been reading over the last couple of days, not only taken over by the FBI and used to inject this code but it also probably hosted half of all child porn *.onion sites extant.
Demonizing the pervs seems like a good way to distract people from the fact that a state entity is now actively running malware that attacks everybody. I'm surprised it hasn't started already.
...stop using a system developed and partly sanctioned by the US military if you want actually want to preserve your privacy. Actually, lack of privacy is a social problem, alland technical solutions are based simply on not your doing anything important enough for someone to engage in an arms race with you (which you will lose).
If you want privacy, you need to have exclusive control of a great deal of the network and intermediate nodes, plus the exact content of the traffic. And then you need to make sure that merely the raw content isn't a giveaway. Otherwise stochastic methods will attack all of the above and identify who you are, before an exploit's even been planted on your home machine.
Or foster a society that refuses to allocate the resources to fuck you over. Remember, anyone can be taught skills - but values are much harder to instil.
If encryption is a "please investigate me" red flag, then we need to find ways to hide the encryption (i.e. steganography).
Not if the majority or dare I say everyone raises the red flag, we dont.
1. Go to about: config. 2. Search for javascript.enabled. 3. Toggle off. 4. No javascript. Alternatively, install no script. 5. Stop spreading nonsense.
URL about:config then enter 'javascript.enabled' into the search bar. Double click that setting in the list below to toggle back and forth.
They really don't need to have backdoors, and that would present problems if MS and Apple allowed it. They could face lawsuits and what not, and hackers could find them and use the backdoors. Most likely what these 3 letter agencies do, is hire people to find 0-days in all the OSes and all the browsers. Modern OSes and browsers are so complicated, that this is probably easy to do. If a 0-day gets fixed, they can just always find more. It's the same effect as having a backdoor, but without the legal problems for the companies involved, and it works for all OSes/browsers. Hackers find 0-days all the time, and these 3 letter guys are probably much better and more funded, so..
"...I think the Microsoft hatred is a disease." - Linus Torvalds
Well I think part of the problem is that security experts are experts, and they don't understand that if they really want to encourage better security, they need to make it easy for non-experts. It's funny, because you'd think security experts would know this. One of the key things about security is that a great security measure that nobody uses and everyone circumvents is actually a terrible security measure.
Encryption implementations need to be so well designed and foolproof that they're enabled by default. Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications. We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA. We don't enable encryption on email because it requires plugins and complicated setups. We don't use TOR because it's not quite brain-dead simple.
The experts will respond, "But it *is* brain-dead simple. Just download this plugin, drop into the command line and type [insert command here], compile this binary, change this configuration file in /etc. Oh wait, you're on Windows? Sorry, then you need to download these other files. Get GPG v1 because v2 is completely different and doesn't work with the plugins. Then when you get this error, hit 'ignore'..." And all that makes sense to the experts because they're experts, and they understand what's going on. People won't start using encryption en masse until it's so brain-dead simple that they don't even know they're using it.
To clarify what AC posted, the words "Java" and "Javascript" are like "car" and "caramel", or "ear" and "early" - they are completely unrelated. They just have some letters in common.
Netscape had an interpreted scripting language called LiveScript. It wasn't used a whole lot.
Later, Sun released a virtual machine and a compiled language to program it in called Java. Java got a lot of press.
Seeing all the press that Java was getting, Netscape renamed Livescript "Javascript", to ride the coat-tails of the
completely different system, called Java.
They were developed completely separately, by different companies, for different purposes, and based on different principles.
It's exactly as if the BETAMAX were renamed DroidVideo.
The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox
Stop using Firefox (this particular version, on Windows) surely?
Sounds like someone at TOR was hankering for an excuse to rail against Windows.
systemd is Roko's Basilisk.
You are right - how do we change the situation? I think "Off The Record" (OTR) is a step in the right direction and possible example to learn from. It just works out of the box for a lot of chat clients zero configuration needed providing 100% encrypted chat sessions by default for all users that use those chat clients that ship with it enabled by default. A security "professional" will be quick to sprout that it is open to MITM blah blah blah but fail to recognize that 100% adoption always on encryption is achieved - the hard part. From there it is a small extra step for those that could be bothered to check fingerprints out of band, or even add extra services that help the clueless/not interested do that part automatically. It is like security professionals cant get past the "it is not flawless" stage... and so we are all stuck with nothing or something very good, that nobody else uses or can interact with (PGP as one of many examples).
All my email employment applications are encoded in pictures of cats.
NoScript works for me...
This is a sure way to reveal your IP address to an attacker. The only proxy switcher ever deemed safe to use with Tor was TorButton... the rest allowed cache and history-based attacks. Even so, Tor project recommends the entire browser now be customized for Tor and not used for any in-the-clear web access.
Not using the Internet is a HUGE red flag to the NSA. They'll be all up in your shit if you do that. You know who doesn't use the Internet? Terrorists. Which kind of makes you wonder why they feel they have to monitor the WHOLE FUCKING THING.
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Doesn't really help. Steganography tools will be considered suspicious and there will be versions with backdoors out there. I don't think this can be fought with technology - the large government organizations will have the resources to get the data they want, either by hacks, or by rubber-hose decryption. A tiny percentage of really expert users may be able to find ways to communicate securely, but the vast majority of people will not have the skill to do so. Since the "experts" need to communicate with non-experts this really doesn't solve much of the problem anyway.
If we want the government to stop snooping we need to change the LAWS. If there aren't enough votes to change the law, then we just need to suck it up, same as for any other decision by the majority.
Mozilla were not listed as NSA PRISM aiding and abetting companies. Microsoft was listed as an active participant, helping NSA bypass the search warrant requirements on their outlook products and providing technical assistance on Skype.
One company picked sides, and its not the side with the Constitution on it.
So yes, he's probably right.
NSA broke TOR on the excuse of kiddy diddlers but they broke TOR mainly to prevent leakers from the NSA from using it to leak. Why else would they use their own IP address clearly and publicly in the breach??
It's to scare any potential NSA employees from leaking how far NSA has gone over the line.
Yeah! I mean, they can't be watching ALL of us, right?
If we want the government to stop snooping we need to change the LAWS. If there aren't enough votes to change the law, then we just need to suck it up, same as for any other decision by the majority.
What good are laws if government ignores them?
More Twoson than Cupertino
As Adi Shamir (the S in RSA) has been trying to point out, cryptography is a method for transferring data between two trusted hosts. So the F-16 zooming above Washington can get some radar data from the airbase in Virginia and no one listening in can decrypt it. At the point where some luser picks up a USB drive off the parking lot floor and plugs it into a computer inside the airbase, all the encryption in the world matters not one whit.
It's a massive change to the model we use to conceptualize the threat -- instead of Alice and Bob trying to communicate with each other and keep Charles from decrypting, we have Alice and Bob trying (a) to protect their machines from Charles compromising it and (b) trying to limit the data done if he does compromise it. This isn't your father's security any more.
What is also means is that we are going to need a lot fewer secrets that are really worth keeping or else spend much more time partitioning our virtual worlds. As BEAST/CRIME show, if you treat your Facebook login cookie as a secret, then you need to access it from a partitioned browser where a malicious page cannot make requests using it.
Looks like they've got you fooled. For a century, the feds have cultivated the appearance of being a highly inefficient organization that nobody wants to have anything to do with. The reality is that there are no forms or time-wasting meetings, all the people who work there are actually highly motivated and competent, they do things with 5% of budget and then just throw away the other 395% to maintain deception, and they have to hire entire buildings of decoy employees to keep anyone from figuring out how small their core team really is. That Torvalds turned his back on that, just proves that he was too dumb to see through the smokescreen and is therefore too dumb to work for them.
As copyright owner of this comment, I authorize everyone to defeat any technological measure which limits access to it.
In the US they are not quite "ignored". They are twisted and redefined. Still remember that the #1 goal of most politicians is to get re-elected, so they do in some ways respond to what voters want. I mostly blame a cowardly public that is willing to give up its rights and freedoms for a bit of extra safety.
It's funny, because you'd think security experts would know this.
Actually, they do know it. Often, making security, and encryption in particular, usable is a hard problem. There's also often not interest or support for it, in which case it doesn't get done. Hard problems take time and money to solve.
Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications.
That's pretty rare. A lot of people do use full-drive encryption: like people with iOS devices, newer versions of Mac OS X, and many versions of Ubuntu. It's because on those systems, it's been engineered to work well and it's very easy to turn on.
We don't enable encryption on email because it requires plugins and complicated setups.
This is more difficult because that's not the hard part of e-mail encryption. In fact, there are some fairly simple e-mail encryption systems and clients that have it built in. The hard part is that effective e-mail encryption basically boils down to running a public-key infrastructure. Almost any security problem that ends with "...then you just need to distribute public keys" has a hard time being widely adopted and scalable.
We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA.
Nonsense. Buying a cert from a CA is simpler than setting up a web server, by a long shot. If you're not running your own web server (very reasonable these days), most half-decent hosting companies will do all the work of getting a cert and configuring your server for you. All it takes is money -- and it's so inexpensive that the only people that can't afford it are private individuals hosting websites that don't make money.
We don't use TOR because it's not quite brain-dead simple.
It's basically braindead simple now if you use the Tor Browser Bundle, which is what this exploit is targeting.
One of the major reasons the exploit works is that Security Is Hard, both for experts and non-experts.
Take a look at all the certificate authorities your browser trusts sometime. Any one of those can issue a certificate for ANY website, not just those in the area where that authority. If any ONE of those authorities issues a certificate for, say, the NSA, then they can MITM your communication with any website if they're in a position to do so (and the NSA most definitely is), regardless of that website's original certificate. By default, the browser doesn't give a shit if the certificate changes. All of this makes SSL useless against a determined attacker.
Disclaimer: IANAL. This post is, however, legal advice, and creates an attorney-client relationship.