Slashdot Mirror


FBI Is Classifying Its Tor Browser Exploit Because 'National Security' (vice.com)

Joseph Cox, reporting for Motherboard: Defense teams across the US have been trying to get access to a piece of malware the FBI used to hack visitors of a child pornography site. None have been successful at obtaining all of the malware's code, and the government appears to have no intention of handing it over. Now, the FBI is classifying the Tor Browser exploit for reasons of national security, despite the exploit already being used in normal criminal investigations well over a year ago. Experts say it indicates a lack of organization or technical capabilities within the FBI. "The FBI has derivatively classified portions of the tool, the exploits used in connection with the tool, and some of the operational aspects of the tool in accordance with the FBI's National Security Information Classification Guide," government attorneys wrote in a filing earlier this month. It came in response to the defense of Gerald Andrew Darby, who is charged with child pornography offenses.


  1. Re:Javascript exploit by tnk1 · Score: 4, Informative

    Tor can only protect you if your machine can't be made to report back information about it. It doesn't help you very much to have an anonymous end point if the server on the other end can simply ask your browser to fetch the actual IP address of your host and other information about it.

    Javascript allows calls like that to make your browser turn over that information. The only reliable way to prevent those calls is to turn JS off totally in your browser that is being used for Tor.

    And the way you know that is by installing Tor and running tests against a site created to test those vulnerabilities. Or you could simply heed all of the giant warnings that Tor tends to have about turning off Javascript and just trusting them on that.

  2. Re:Javascript exploit by evolutionary · Score: 3, Informative

    Problem is, many websites are designed to not function/give content without it. I've always been against this, but in an attempt to sell to marketers, JS is all the rage. At the expense of security, which most people don't seem to pay much mind anyway, at least until they become a victim.

    --
    "Imagination is more important than knowledge" - Einstein