1) Freedom Hosting owner arrested and TorMail appears to be distributing
FBI malware specifically targeting the Tor Browser Bundle.
Deets:
https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste
2) I'm considering using Docker/Flynn to build an anonymous PaaS. Anybody
want t
Tor's official response is here,
https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting
--
Andrew
http://tpo.is/contact
pgp 0x6B4D6475
--
Liberationtech list is public and archives are searchable on Google. Too many
emails? Unsubscribe, change to digest, or change pa
There are really two separate issues here, and I just want to separate them
briefly.
1) Tormail and other sites were hosting malicious js code that attempts to
break firefox 17.
2) Freedom Hosting was shut off after its host was arrested.
I will say from personal experience that most hidden se
Forgive me, but I'd like to ask a question here.
Tor is a tool that is undeniably, directly marketed toward activists in
high-risk environments. Tor's presentations at conferences centre around how
Tor obtains increased usage in Arab Spring countries that matches the timeline
of revolutionary a
discussion).
gpg --keyserver pgp.mit.edu --search-keys
EEE5A447http://pgp.mit.edu:11371/pks/lookup?search=0xEEE5A447&op=vindex
From: na...@nadim.cc
Date: Mon, 5 Aug 2013 10:15:20 +0200
To: liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] Freedom Hosting, Tormail Compromised
On 05.08.2013 10:15, Nadim Kobeissi wrote:
> Now, we find out that the FBI has been sitting on an exploit since an unknown
> amount of time that can compromise the Tor Browser Bundle
is that really so? See:
https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
On 2013-08-05, at 10:46 AM, Georg Koppen wrote:
> On 05.08.2013 10:15, Nadim Kobeissi wrote:
>> Now, we find out that the FBI has been sitting on an exploit since an
>> unknown amount of time that can compromise the Tor Browser Bundle
>
> is that really so? See:
> https://blog.mozilla.org/secu
On Mon, Aug 05, 2013 at 10:46:35AM +0200, Georg Koppen wrote:
> On 05.08.2013 10:15, Nadim Kobeissi wrote:
> > Now, we find out that the FBI has been sitting on an exploit since an
> > unknown amount of time that can compromise the Tor Browser Bundle
>
> is that really so? See:
> https://blog.moz
EEE5A447http://pgp.mit.edu:11371/pks/lookup?search=0xEEE5A447&op=vindex
From: na...@nadim.cc
Date: Mon, 5 Aug 2013 10:46:58 +0200
To: liberationtech@lists.stanford.edu
Subject: Re: [liberationtech] Freedom Hosting, Tormail Compromised //
OnionCloud
On 2013-08-05, at 10:46 AM, Georg Ko
On Mon, Aug 5, 2013 at 9:46 AM, Nadim Kobeissi wrote:
>
>
> Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser
> security advisory in that case.
I'm not sure how long the Tor bundle goes without actively complaining
to the user about things being out of date. Out of curi
On 2013-08-05, at 11:04 AM, Michael Owen wrote:
> On Mon, Aug 5, 2013 at 9:46 AM, Nadim Kobeissi wrote:
>>
>>
>> Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser
>> security advisory in that case.
>
> I'm not sure how long the Tor bundle goes without actively comp
On 2013-08-05, at 11:41 AM, Nadim Kobeissi wrote:
>
> On 2013-08-05, at 11:04 AM, Michael Owen wrote:
>
>> On Mon, Aug 5, 2013 at 9:46 AM, Nadim Kobeissi wrote:
>>>
>>>
>>> Hmm. So it's more of a 38-day. Perhaps there should have been a Tor Browser
>>> security advisory in that case.
>>
The fog of OHM hasn't yet lifted for me, so I'm sorry if I'm not entirely
poetic in thought…
Before people jump in and say "the tor network is inherently flawed!" I just
want to try to put it in perspective. As I understand it, an .onion got owned,
probably by some poorly written or installed s
On Mon, 5 Aug 2013 10:15:20 +0200
Nadim Kobeissi wrote:
> Now, we find out that the FBI has been sitting on an exploit since an
> unknown amount of time that can compromise the Tor Browser Bundle,
> which is currently the main way to download Tor and the only way to
> download Tor for the average
On Mon, 5 Aug 2013 10:04:02 +0100
Michael Owen wrote:
> I'm not sure how long the Tor bundle goes without actively complaining
> to the user about things being out of date.
TBB notifies the user within an hour of releasing the new version. The
hour lag is because our cronjob runs hourly.
--
A
On Mon, Aug 05, 2013 at 09:19:01AM -0400, liberationt...@lewman.us wrote:
> Please cite first person sources on this. It's not clear the FBI did
> anything or is involved at all. There is a reddit thread implying this,
> but no statement (as of yet) from the FBI or anyone claiming
> responsibility
On 05.08.2013 10:15, Nadim Kobeissi wrote:
> Now, we find out that the FBI has been sitting on an exploit since an unknown
> amount of time that can compromise the Tor Browser Bundle
is that really so? See:
https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
On 2013-08-05, at 4:19 PM, liberationt...@lewman.us wrote:
> On Mon, 5 Aug 2013 10:15:20 +0200
> Nadim Kobeissi wrote:
>
>> Now, we find out that the FBI has been sitting on an exploit since an
>> unknown amount of time that can compromise the Tor Browser Bundle,
>> which is currently the main
On Mon, Aug 05, 2013 at 04:54:00AM -0400, Roger Dingledine wrote:
> Specifically, it would appear that the TBB updates we put out on
> June 26 addressed this vulnerability:
https://lists.torproject.org/pipermail/tor-announce/2013-August/89.html
has some more details now.
Or see
https://blog.t
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 08/05/2013 05:00 PM, Nadim Kobeissi wrote:
>
> On 2013-08-05, at 4:19 PM, liberationt...@lewman.us wrote:
>
>> On Mon, 5 Aug 2013 10:15:20 +0200 Nadim Kobeissi
>> wrote:
>>
>>> Now, we find out that the FBI has been sitting on an exploit
>>> sin
Il 8/4/13 10:31 PM, liberationt...@lewman.us ha scritto:
> Tor's official response is here,
> https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting
>
After a quick check at a random Tor2web server, it seems that there's no
specific pattern of traffic-drop.
Who knows,
On 2013-08-05, at 6:38 PM, Roger Dingledine wrote:
> On Mon, Aug 05, 2013 at 04:54:00AM -0400, Roger Dingledine wrote:
>> Specifically, it would appear that the TBB updates we put out on
>> June 26 addressed this vulnerability:
>
> https://lists.torproject.org/pipermail/tor-announce/2013-August
Fabio Pietrosanti (naif) wrote:
> After a quick check at a random Tor2web server, it seems that there's no
> specific pattern of traffic-drop.
>
> Who knows, maybe the amount of TorHS that has been takendown are just a
> few.
Yeah, it seems like people are vastly overestimating the number of
> Mozilla posted the advisory on June 25th.
> https://www.mozilla.org/security/announce/2013/mfsa2013-53.html and a
> TBB update was provided 5 days later:
> https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
> - and uses a version of FF that the advisory says fixes the issue.
>
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
Firstly: this is not a anti-Tor/pro-anything/anti-developer comment. If
anything it's "pro-have_some_understanding_for_people" point-of-view. I
contribute to Tor as I believe it can do a lot of good.
As I understand it, the issue was: a compromise a
Nadim expresses hurt because he feels, I think I echo him, he does not have
the same degree of confidence from his community that Tor has. But Nadim
is less well funded, one person, and his style is straight out of hacker
tradition, which means brash, direct, efficient, confrontational, frank --
"
Nadim certainly has a point about the disparity between how his efforts
were received and the overall level of respect/support Tor receives.
Hopefully, he will continue on and when his software accumulates the track
record that Tor has he will be suitably rewarded. He certainly writes
recently like
Bernard Tyers - ei8fdb wrote:
> By what Roger Dingledine from Tor has stated in a previous mail, The Tor
> Project provided the "you need to upgrade message" promptly. I don't know
> if that is enough. (But it is certainly a lot more that other providers of
> software would do.)
>
I can really
You realize Tor didn't know this vuln was an issue until two days ago?
The Tor Browser Bundle is based off of Firefox ESR releases. All the high
profile security issues fixed are listed on the Firefox ESR known
vulnerabilities web page. You want them to copy that page for you?
Al
--
Al Bill
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 5 Aug 2013, at 21:08, Al Billings wrote:
> You realize Tor didn't know this vuln was an issue until two days ago?
I presume thats directed at Griffin.
> The Tor Browser Bundle is based off of Firefox ESR releases. All the high
> profile securi
Why should they? Just make sure you're running the most recently released
version.
--
Al Billings
http://makehacklearn.org
On Monday, August 5, 2013 at 1:18 PM, Bernard Tyers - ei8fdb wrote:
> > The Tor Browser Bundle is based off of Firefox ESR releases. All the high
> > profile security i
Al,
We may have to disagree as to the way forward. I hate to be
contentious, but it seems unlikely that Tor applied a patch without
reading firefox's changelog. Two days ago I presented a talk which
emphasized how useful Tor is -- and I stand by that. Tor is still the
best option for maintaining o
I'm not sure what you're trying to say here exactly.
Tor doesn't "apply a patch" to TBB, AFAIK. They build on top of Firefox ESR.
The current Firefox ESR17 (and the current TBB) have the bug fixed that
everyone is talking about. If you're current, you're safe.
So, then the problem becomes: wh
Does anybody have any indication on how the alleged operator of Freedom
Hosting was identified. Everybody seems to be focusing on the javascript
exploit but from what I've read, it appears that was placed on the
server after the alleged operator was taken down and the operation
compromised, or
If my understanding of Mozilla's description of the vulnerability is
correct:
https://blog.mozilla.org/security/2013/08/04/investigating-security-vulnerability-report/
Users who are on the latest version of Firefox (version 22) or Firefox ESR
> (version 17.0.7) are not at risk. If a user is runni
No, "Mozilla" (I assume you mean "Firefox") wasn't used to insert anything into
any servers. It is the other way around. Someone had an exploit on the servers
that could be used to exploit older versions of the ESR17 branch of Firefox,
which the Tor Browser Bundle uses. (ESR is the "Extended Sup
ah, ok, thanks! Got it backwards...
So the server was hacked by some unknown method, by a state level opponent,
and this was then used to identify user activity using the Firefox 17
vulnerability announced by Mozilla, presumably, which allowed them to
monitor significant traffic and activity/cont
On Tue, Aug 06, 2013 at 12:09:48AM +0200, Griffin Boyce wrote:
> We may have to disagree as to the way forward. I hate to be
> contentious, but it seems unlikely that Tor applied a patch without
> reading firefox's changelog.
I'm still not clear on what you want Tor to have done. Should they do a
Griffin Boyce:
> Al,
>
> We may have to disagree as to the way forward. I hate to be
> contentious, but it seems unlikely that Tor applied a patch without
> reading firefox's changelog. Two days ago I presented a talk which
> emphasized how useful Tor is -- and I stand by that. Tor is still the
>
On Mon, Aug 05, 2013 at 06:18:02PM -0400, r...@privacymaverick.com wrote 0.6K
bytes in 0 lines about:
: Does anybody have any indication on how the alleged operator of
: Freedom Hosting was identified. Everybody seems to be focusing on
: the javascript exploit but from what I've read, it appears t
According to THN[0] and several linked supporting sites from there
(particularly notable are analyses from Kenneth Buckler[1] and Vlad
Tsyrklevich[2]), the payload delivered the MAC address and Windows
hostname to 65.222.202.54[3]. I've read in public sources that that
address is assigned to SAIC b
On 2013-08-06, at 3:19 AM, Jacob Appelbaum wrote:
> Griffin Boyce:
>> Al,
>>
>> We may have to disagree as to the way forward. I hate to be
>> contentious, but it seems unlikely that Tor applied a patch without
>> reading firefox's changelog. Two days ago I presented a talk which
>> emphasized
Nadim you seem confused by how this works. Tor doesn't need to issue advisories
for Firefox issues. We, at Mozilla, already issue them. Perhaps they can link
to them clearly but if you want to know about security issues Mozilla fixes in
Firefox, you're best served by reading Mozilla advisories.
Nadim Kobeissi:
>
> On 2013-08-06, at 3:19 AM, Jacob Appelbaum
> wrote:
>
>> Griffin Boyce:
>>> Al,
>>>
>>> We may have to disagree as to the way forward. I hate to be
>>> contentious, but it seems unlikely that Tor applied a patch
>>> without reading firefox's changelog. Two days ago I presen
On 2013-08-06, at 11:46 AM, Al Billings wrote:
> Nadim you seem confused by how this works. Tor doesn't need to issue
> advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps
> they can link to them clearly but if you want to know about security issues
> Mozilla fixes in F
On Tue, Aug 6, 2013 at 12:30 PM, Jacob Appelbaum wrote:
> Please feel free to answer the question, we're happy to learn from an
> example. Are either of you involved in such an example? Might we learn
> from your example? If so, where might we see it?
>
Tails references upstream advisories, or at
Nadim Kobeissi:
>
> On 2013-08-06, at 11:46 AM, Al Billings
> wrote:
>
>> Nadim you seem confused by how this works. Tor doesn't need to
>> issue advisories for Firefox issues. We, at Mozilla, already issue
>> them. Perhaps they can link to them clearly but if you want to know
>> about security
On 2013-08-06, at 12:55 PM, Jacob Appelbaum wrote:
> Nadim Kobeissi:
>>
>> On 2013-08-06, at 11:46 AM, Al Billings
>> wrote:
>>
>>> Nadim you seem confused by how this works. Tor doesn't need to
>>> issue advisories for Firefox issues. We, at Mozilla, already issue
>>> them. Perhaps they can
Maxim Kammerer:
> On Tue, Aug 6, 2013 at 12:30 PM, Jacob Appelbaum wrote:
>
>> Please feel free to answer the question, we're happy to learn from an
>> example. Are either of you involved in such an example? Might we learn
>> from your example? If so, where might we see it?
>>
>
> Tails reference
Nadim Kobeissi:
>
> On 2013-08-06, at 12:55 PM, Jacob Appelbaum
> wrote:
>
>> Nadim Kobeissi:
>>>
>>> On 2013-08-06, at 11:46 AM, Al Billings
>>> wrote:
>>>
Nadim you seem confused by how this works. Tor doesn't need to
issue advisories for Firefox issues. We, at Mozilla, already
On Tue, Aug 6, 2013 at 1:07 PM, Jacob Appelbaum wrote:
> Somewhere there is a line and clearly, we failed to meet
> the high standards of a few folks on this list. I'm mostly curious if
> that high standard will be expressed in a cohesive manner where we might
> learn from it.
>
Well, in the end
I just hope people on LibTech read the kind of emails like the one Jacob just
wrote and see why I really think this guy has no place doing outreach at all.
Jesus.
NK
On 2013-08-06, at 1:23 PM, Jacob Appelbaum wrote:
> Nadim Kobeissi:
>>
>> On 2013-08-06, at 12:55 PM, Jacob Appelbaum
>> wrot
Jacob Appelbaum:
> Nadim Kobeissi:
>>
>> On 2013-08-06, at 11:46 AM, Al Billings
>> wrote:
>>
>>> Nadim you seem confused by how this works. Tor doesn't need to
>>> issue advisories for Firefox issues. We, at Mozilla, already issue
>>> them. Perhaps they can link to them clearly but if you want
Maxim Kammerer:
> On Tue, Aug 6, 2013 at 1:07 PM, Jacob Appelbaum wrote:
>
>> Somewhere there is a line and clearly, we failed to meet
>> the high standards of a few folks on this list. I'm mostly curious if
>> that high standard will be expressed in a cohesive manner where we might
>> learn from
Asa Rossoff:
> Jacob Appelbaum:
>> Nadim Kobeissi:
>>>
>>> On 2013-08-06, at 11:46 AM, Al Billings
>>> wrote:
>>>
Nadim you seem confused by how this works. Tor doesn't need to
issue advisories for Firefox issues. We, at Mozilla, already issue
them. Perhaps they can link to them cle
On 2013-08-06, at 1:23 PM, Jacob Appelbaum wrote:
> Nadim Kobeissi:
>>
>> On 2013-08-06, at 12:55 PM, Jacob Appelbaum
>> wrote:
>>
>>> Nadim Kobeissi:
On 2013-08-06, at 11:46 AM, Al Billings
wrote:
> Nadim you seem confused by how this works. Tor doesn't need to
>>
On 8/6/13 6:41 AM, Jacob Appelbaum wrote:
>> (2) Even have an RSS feed of them available through the TBB, as well as RSS
>> of TBB releases, and what security issues are covred including one advised
>> by Firefox. This could notify of stable, alpha and beta releases, so
>> everyone knows when sec
Hi,
Maxim Kammerer wrote (06 Aug 2013 09:52:36 GMT) :
> Tails references upstream advisories, or at least did so in the past.
> https://tails.boum.org/security/Numerous_security_holes_in_0.18/
Right, and we have no plan to stop doing this. What we've been doing
for years when releasing a new Tail
> Jacob Appelbaum:
> I like this idea - though I wonder how users would feel about it? Will
> they read it? Should it be our own RSS feed or an RSS feed of Mozilla's
> data?
I don't like the idea. You need to worry about the upgrading behavior of
casual users of TBB, who aren't going to bother to
Joseph Lorenzo Hall:
>
> On 8/6/13 6:41 AM, Jacob Appelbaum wrote:
>>> (2) Even have an RSS feed of them available through the TBB, as well as RSS
>>> of TBB releases, and what security issues are covred including one advised
>>> by Firefox. This could notify of stable, alpha and beta releases, s
Nadim Kobeissi:
> On 2013-08-06, at 1:23 PM, Jacob Appelbaum
> wrote:
>
>> Nadim Kobeissi:
>>>
>>> On 2013-08-06, at 12:55 PM, Jacob Appelbaum
>>> wrote:
>>>
Nadim Kobeissi:
>
> On 2013-08-06, at 11:46 AM, Al Billings
> wrote:
>
>> Nadim you seem confused by how thi
intrigeri:
> Hi,
>
> Maxim Kammerer wrote (06 Aug 2013 09:52:36 GMT) :
>> Tails references upstream advisories, or at least did so in the past.
>> https://tails.boum.org/security/Numerous_security_holes_in_0.18/
>
> Right, and we have no plan to stop doing this. What we've been doing
> for years
konfku...@riseup.net:
>> Jacob Appelbaum:
>> I like this idea - though I wonder how users would feel about it? Will
>> they read it? Should it be our own RSS feed or an RSS feed of Mozilla's
>> data?
>
> I don't like the idea. You need to worry about the upgrading behavior of
> casual users of TBB
But, this is the Firefox / Tor Browser Bundle exploit.
The question is how FBI gained access to Freedom Hosting? What kind of
exploits did they use?
Pavol
On Mon, Aug 05, 2013 at 09:08:49PM -0500, Kyle Maxwell wrote:
> According to THN[0] and several linked supporting sites from there
> (partic
In fact, I wrote the advisory in question and generally write all of them (with
input from Mozilla developers and other security team members).
Al
--
Al Billings
http://makehacklearn.org
On Tuesday, August 6, 2013 at 2:30 AM, Jacob Appelbaum wrote:
> Mozilla issued an updated blog post in
Except this issue was a Firefox issue, fixed in ESR 17.0.7 and which we had
posted an advisory for six weeks ago today. So, yes, you're asking Tor to copy
and paste Firefox advisories. The issue wasn't a Tor-specific issue except that
the way it was being spread targeted the TBB. It was a Firefo
Well, zero of two.
--
Al Billings
http://makehacklearn.org
On Tuesday, August 6, 2013 at 3:07 AM, Nadim Kobeissi wrote:
> I sound harsh, sure, but at least I'm being productive and not freaking out
> about my ego.
--
Liberationtech list is public and archives are searchable on Google. Too
Al, I'm not a developer, so please bear with me.
Do you disagree that TBB is forked software? If I fork Firefox and build my
own browser from there, do I have no responsibility to my users to fix bugs
that originated in your original code, now that my codebase is separate
from yours?
It seems the
On Tuesday, August 6, 2013 at 9:58 AM, Brian Conley wrote:
> Al, I'm not a developer, so please bear with me.
>
> Do you disagree that TBB is forked software?
That depends on your definition. They aren't taking a fork of Firefox and
running off with it for a year or two. They are (and I don't k
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 08/06/2013 10:18 AM, Pavol Luptak wrote:
> The question is how FBI gained access to Freedom Hosting? What kind
> of exploits did they use?
Freedom Hosting offered web hosting services to people that asked for
it, yes?
A hypothesis I've seen float
When the user's version is outdated you already display an update notice.
You could add those items from
https://www.mozilla.org/security/known-vulnerabilities/firefoxESR.html
that apply to the current version. Listing particular vulnerabilities makes
it clear that you actually should
update and th
Plausible and clever in it's simplicity. Moral of the story: host your
own server. Anybody know what ever happened to Publius[1]? Did that
concept ever go anywhere?
1 http://www.cs.nyu.edu/waldman/publius/
On 8/6/2013 1:38 PM, The Doctor wrote:
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On Tue, Aug 6, 2013 at 12:28 PM, R. Jason Cronk
wrote:
> ... Anybody know what ever happened to Publius[1]? Did that concept
> ever go anywhere?
>
> 1 http://www.cs.nyu.edu/waldman/publius/
wow, that takes me back. i remember running publius when it launched
back in the DeCSS days.
from what i
* Jacob Appelbaum:
> This is not accurate. We heard about attempts at exploitation and within
> ~24hrs we released an advisory - we had already released fixed code a
> ~month before exploitation was found in the wild. Please do not mix up
> the time-line. To restate:
> 2.3.25-10 (released June 26
On Tue, Aug 6, 2013 at 3:11 PM, Florian Weimer wrote:
> (Automated updates are a mixed blessing because they could invite
> court orders to roll out specific versions to certain users.)
No crap.
_please_ don't deploy automatic updates in a sensitive environment
like this without at least quorum
"We're understaffed, so we tend to pick the few things we might
accomplish and writing such advisory emails is weird unless there is an
exceptional event. Firefox bugs and corresponding updates are not
exceptional events. :("
Pardon me,
But it does seem that this one was.
No?
Sent with AquaMai
On Tue, Aug 06, 2013 at 01:50:31PM +0300, Nadim Kobeissi wrote:
> Yes, to be absolutely clear, I think Tor should issue advisories for
> confirmed security issues in Tor Browser, since Tor Browser is a fork
> of Firefox and is independently maintained. This is exactly what Tor
> did this time, exce
On Tue, Aug 6, 2013 at 10:19 PM, Andy Isaacson wrote:
> We have to move past the "bug the user again" model of security system
> deployment.
In the general sense, yes. Silent automatic updates are a truly good
thing in many use cases and environments.
However, in the case where the user has an
On 2013-08-06, at 4:49 PM, Jacob Appelbaum wrote:
> Nadim Kobeissi:
>> On 2013-08-06, at 1:23 PM, Jacob Appelbaum
>> wrote:
>>
>>> Nadim Kobeissi:
On 2013-08-06, at 12:55 PM, Jacob Appelbaum
wrote:
> Nadim Kobeissi:
>>
>> On 2013-08-06, at 11:46 AM, Al Billi
On Wed, Aug 07, 2013 at 07:20:21AM +0300, Nadim Kobeissi wrote:
> You will note that this was posted recently. However, 5 weeks ago,
>Mozilla posted a security advisory for Firefox and fixed the issue. Tor
>then updated the Tor Browser Bundle with the fix, 5 weeks ago, *without
>releasing a securit
But this data is not useful for any but most advanced user.
TBB should autoupdate for any nongeek user. I hope some safe way of this update
exists.
--
Jerzy Łogiewa -- jerz...@interia.eu
On Aug 6, 2013, at 5:11 PM, CodesInChaos wrote:
> When the user's version is outdated you already display a
Bbrewer:
> "We're understaffed, so we tend to pick the few things we might
> accomplish and writing such advisory emails is weird unless there is an
> exceptional event. Firefox bugs and corresponding updates are not
> exceptional events. :("
>
> Pardon me,
> But it does seem that this one was.
>
On 2013-08-07, at 12:44 PM, Jacob Appelbaum wrote:
> Bbrewer:
>> "We're understaffed, so we tend to pick the few things we might
>> accomplish and writing such advisory emails is weird unless there is an
>> exceptional event. Firefox bugs and corresponding updates are not
>> exceptional events.
Nadim Kobeissi:
>
> On 2013-08-07, at 12:44 PM, Jacob Appelbaum wrote:
>
>> Bbrewer:
>>> "We're understaffed, so we tend to pick the few things we might
>>> accomplish and writing such advisory emails is weird unless there is an
>>> exceptional event. Firefox bugs and corresponding updates are n
On 2013-08-07, at 12:58 PM, Jacob Appelbaum wrote:
> Nadim Kobeissi:
>>
>> On 2013-08-07, at 12:44 PM, Jacob Appelbaum wrote:
>>
>>> Bbrewer:
"We're understaffed, so we tend to pick the few things we might
accomplish and writing such advisory emails is weird unless there is an
Nadim Kobeissi:
>
> On 2013-08-07, at 12:58 PM, Jacob Appelbaum wrote:
>
>> Nadim Kobeissi:
>>>
>>> On 2013-08-07, at 12:44 PM, Jacob Appelbaum wrote:
>>>
Bbrewer:
> "We're understaffed, so we tend to pick the few things we might
> accomplish and writing such advisory emails is wei
On 2013-08-07, at 1:05 PM, Jacob Appelbaum wrote:
> Nadim Kobeissi:
>>
>> On 2013-08-07, at 12:58 PM, Jacob Appelbaum wrote:
>>
>>> Nadim Kobeissi:
On 2013-08-07, at 12:44 PM, Jacob Appelbaum wrote:
> Bbrewer:
>> "We're understaffed, so we tend to pick the few things
>>
>> The advisory was about bug being exploited in the wild, so, yes.
>> That was covered well in Roger's last email.
>
> I'm aware, I did read his email. I was just under the impression that
> you publish advisories about *vulnerabilities*, not about *exploits*.
> But perhaps you're teaching me
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA1
On 08/07/2013 12:35 PM, Jacob Appelbaum wrote:
>>>
>>> The advisory was about bug being exploited in the wild, so,
>>> yes. That was covered well in Roger's last email.
>>
>> I'm aware, I did read his email. I was just under the impression
>> that yo
On 8/7/13 9:22 AM, Claudio wrote:
>
> How about we stop this nonsense repetitive blame game and get back at
> proposing good practices for the future?
> Nadim, since you clearly admitted on the other thread from Shava that
> you're just campaigning a personal attack against Jacob, I'm not even
>
Although I agree in principle (in the sense of "friendly advice to
Nadim"), let's all just remember this same advice the next time
Applebaum goes on one of *his* tirades, shall we?
Now returning to your regularly scheduled rants against The Man.
On Wed, Aug 7, 2013 at 8:29 AM, Joseph Lorenzo Hall
On 8/7/2013 8:29 AM, Joseph Lorenzo Hall wrote:
>
>
> On 8/7/13 9:22 AM, Claudio wrote:
>>
>> How about we stop this nonsense repetitive blame game and get back at
>> proposing good practices for the future?
>> Nadim, since you clearly admitted on the other thread from Shava that
>> you're just c
"little girls"?!
WTF
On Wed Aug 7 09:37:55 2013, Crypto wrote:
> On 8/7/2013 8:29 AM, Joseph Lorenzo Hall wrote:
> I add my vote also. If you two want to fight like little girls that it
> off list. Continuing to SPAM the list with your constant bickering only
> increases your lack of credibility
Yay casual sexism... okay, everybody's had their say. I agree with
Nadim's point, but he's made it already, and I agree with those who
say it's time for us all to get back to work.
It's a beautiful day here in Texas and I hope for the same for you
all, wherever you are. I'll be getting back to bei
On 8/7/2013 8:49 AM, Kyle Maxwell wrote:
> Yay casual sexism... okay, everybody's had their say. I agree with
> Nadim's point, but he's made it already, and I agree with those who
> say it's time for us all to get back to work.
>
> It's a beautiful day here in Texas and I hope for the same for you
No and no.
It was an issue found by a external security researcher who has submitted a lot
of issues to us over time. He found it through his process of investigation and
reported it directly to us (responsible disclosure and such). It was a problem
and we fixed it. The first indications of an
OK, everyone, let's try to cool it a bit. This discussion is extremely
important, so let's not let it deteriorate into bickering. Otherwise, I'll
have to moderate it, a task I don't enjoy.
Kudos to all of you who have already expressed a similar sentiment,
Yosem, one of the moderators
On Wed
I composed the following SOME TIME back! (must have been around the time of
the Freedom Hosting initial revalations)
-- it was never sent, so here it is.
I don't have the dates, but this reply should get threaded properly...
My reply is "dated" in the sense that it was based on info at the t
98 matches
Mail list logo
