On Mon, Aug 05, 2013 at 09:19:01AM -0400, liberationt...@lewman.us wrote:
> Please cite first person sources on this. It's not clear the FBI did
> anything or is involved at all. There is a reddit thread implying this,
> but no statement (as of yet) from the FBI or anyone claiming
> responsibility for the javascript injection.

The press is treating it as a likelihood. That's no proof, of course, but
the narrative is internally consistent and most alternatives seem quite
unlikely.

http://www.wired.com/threatlevel/2013/08/freedom-hosting/

> Second, it's not clear this exploit or malware has actually compromised
> current versions of Tor Browser (as released on June 26, 2013). Please
> show a working exploit against the current TBBs.

In fact it seems quite clear that the 65.222.202.54 malware does *not*
affect 17.0.7esr per http://tsyrklevich.net/tbb_payload.txt

Every claim I've seen is that this single payload was the only deployed
malware in this incident.

As I understand it, TBB users who installed or upgraded after June 26 are
not vulnerable, and users of old versions got a notice at startup that an
upgrade is required. Is that correct?

If the above is correct, then only TBB users on Windows who installed TBB
before June 26 and ignored the warnings would be affected.

Does TBB have usage statistics breaking out the upgrade rate per platform?
Are we talking about 90% upgrade rates after 30 days, or 15% upgrade rates?

> Third, please show data that "half of all Tor hidden services" have
> been compromised. We don't have this data because we don't track hidden
> services. If you do, please share your metrics.

Indeed, it's difficult to measure. Half by count? Half by users? Half by
circuits? Half by bandwidth? But the forum analysis indicates that there's
been significant impact, so saying "half" seems reasonable. Better stats
would be great, but in the absence, a rough estimate isn't unreasonable.

Seems to me the Tor project's response was about right; the only potential
improvement I can think of would be automatically downloading the upgrade
in the background, to improve update rates. (But I hate software that does
that ...
but I am currently running a vulnerable Firefox myself due to not getting
reminded about upgrades, so I'm evidence that "hate automatic upgrades"
equals "is more vulnerable".)

One larger improvement would be to have the TBB browser sandboxed and set
to trigger an alarm on non-Tor outbound traffic. Running Tails in a
suitably configured VM system can provide this capability, but
platform-specific application sandboxes can do it as well; Chrome provides
some prior art. Developing this capability is a nontrivial task...

Nadim's criticism of the Tor project seems a bit too strong given the
facts, and even given the unknowns when the news first broke. Andrew's
response to the criticism seems a bit overly harsh, but I'm inclined to cut
some slack for folks who've probably been working long hard hours over the
past days to understand the impact of these events.

Thanks,
-andy
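The "alarm on non-Tor outbound traffic" idea in the message above is the kind of check a sandbox could implement once it records the browser's outbound connections. The following is an added example and not code from the thread, from the Tor Project, or from Tails. It assumes a hypothetical connection log written by the sandbox (one `key=value` record per outbound connection), that the browser process is named `firefox`/`firefox.exe`, and that the only destination the browser may legitimately reach is Tor's local SOCKS listener, assumed here to be 127.0.0.1:9150. The sample log is constructed; the record pointed at 65.222.202.54 models a direct callback to the IP named in the thread, and its port is made up.

```python
"""Alarm on outbound connections from a sandboxed Tor Browser that do not go
through the local Tor SOCKS proxy.

Added example, not Tor Project or Tails code.  Assumes a hypothetical
sandbox connection log with 'key=value' fields and that the browser may
only ever talk to Tor's SOCKS listener (assumed 127.0.0.1:9150).
"""

import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Assumption: where the sandboxed TBB's own Tor daemon listens for SOCKS.
TOR_SOCKS = ("127.0.0.1", 9150)
BROWSER_COMMS = {"firefox", "firefox.exe"}   # process names treated as the browser
TOR_COMMS = {"tor", "tor.exe"}               # the Tor daemon may reach the net directly

FIELD_RE = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Conn:
    ts: str
    comm: str
    proto: str
    dst_ip: str
    dst_port: int


def parse_record(line: str) -> Optional[Conn]:
    """Parse one 'ts key=value ...' record; return None for unreadable lines."""
    fields = dict(FIELD_RE.findall(line))
    try:
        ip, port = fields["dst"].rsplit(":", 1)   # IPv4 only; IPv6 would need brackets
        return Conn(line.split()[0], fields["comm"], fields["proto"].lower(), ip, int(port))
    except (KeyError, ValueError, IndexError):
        return None


def classify(conn: Conn) -> Optional[str]:
    """Return None if the connection is allowed, else a short alarm reason."""
    if conn.comm in TOR_COMMS:
        # Tor itself must talk to relays/bridges directly, but only over TCP.
        return None if conn.proto == "tcp" else f"tor daemon using {conn.proto}"
    if conn.comm in BROWSER_COMMS:
        if conn.proto != "tcp":
            return f"{conn.proto} from browser (Tor carries only TCP; DNS/UDP leak)"
        if (conn.dst_ip, conn.dst_port) == TOR_SOCKS:
            return None
        return "browser connected directly, bypassing the Tor SOCKS proxy"
    return f"unexpected process '{conn.comm}' making an outbound connection"


def scan(lines: Iterable[str]) -> List[Tuple[str, Conn]]:
    """Run every record through classify() and collect (reason, conn) alarms."""
    alarms = []
    for line in lines:
        conn = parse_record(line)
        if conn is None:
            continue
        reason = classify(conn)
        if reason is not None:
            alarms.append((reason, conn))
    return alarms


# Constructed sample log, not real telemetry.  The third record models a
# direct callback to the IP discussed in the thread; the port is invented.
SAMPLE_LOG = """\
2013-08-04T21:10:01Z uid=1001 comm=firefox proto=tcp dst=127.0.0.1:9150
2013-08-04T21:10:01Z uid=1000 comm=tor proto=tcp dst=203.0.113.7:9001
2013-08-04T21:10:09Z uid=1001 comm=firefox proto=tcp dst=65.222.202.54:80
2013-08-04T21:10:09Z uid=1001 comm=firefox proto=udp dst=192.0.2.53:53
2013-08-04T21:10:12Z uid=1001 comm=cmd.exe proto=tcp dst=198.51.100.9:443
"""

if __name__ == "__main__":
    for reason, c in scan(SAMPLE_LOG.splitlines()):
        print(f"ALARM {c.ts} {c.comm} {c.proto} -> {c.dst_ip}:{c.dst_port}: {reason}")
```

Run as a script it prints three alarms from the constructed log: the browser's direct TCP connection, the browser's UDP (DNS-style) leak, and a child process that is not the browser or Tor making its own connection. The first SOCKS connection and the Tor daemon's relay connection are allowed. In a real deployment the records would come from the sandbox or VM firewall rather than a string, and the same allowlist would be enforced, not just logged.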