[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [tor-talk] FBI cracked Tor security



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 07/14/2016 01:34 PM, Jon Tullett wrote:
> On 14 July 2016 at 21:17, Joe Btfsplk <joebtfsplk@gmx.com> wrote:
>> On 7/14/2016 1:23 AM, Jon Tullett wrote:

<SNIP>

>> 2.  Aren't statements (from anyone) like, "... generally crack
>> the servers hosting the illicit material, not Tor itself," sort
>> of a matter of semantics?
> 
> Depends on the context, I guess. To the user, maybe, but in the 
> context of this (Tor) community, the distinction matters. Browser 
> vulns and server exploits are common. Tor's crypto is not, AFAIK, 
> known to be compromised.

The CMU team did exploit the relay early bug. But there haven't been
many tor bugs as serious as that.

> If a law enforcement agency cracked Tor, it would be a very
> significant development indeed. The same agency using browser
> exploits doesn't move the security needle at all; we already know
> they do that.

Sure, browser exploits are common. And yes, Freedom Hosting and
PlayPen users got pwned through Firefox bugs. However, the FBI malware
that deanonymized them exploited a trivial vulnerability in all
default Tor installs: there is no management of Internet traffic that
bypasses the Tor network.

> The issue of who should be responsible for alerting a user to
> possible risks is debatable. Tor's job, after all, is not to keep
> users secure; it's to keep them anonymous. I don't speak for the
> Tor project, but I expect the assumption is that users should take
> responsibility for their own security, just as they should take
> responsibility for antivirus, patching, and brushing their teeth
> :)

Making Tor browser available without warning about leaks is just plain
irresponsible. About five years ago, Metasploit hosted the NIT used in
the Freedom Hosting attack, as a test for proxy leaks. It was easy to
pass, using firewall rules and/or VM compartmentalization.

One could argue that anyone using Tor for critical stuff should know
that. But obviously, many of them don't. We hear about the ones that
the FBI takes down. But what about the ones who just get killed?

Is it too much to ask for a warning? Maybe a link to Whonix?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)

iQEcBAEBAgAGBQJXiFo5AAoJEGINZVEXwuQ+RpwH/icXiSs2TyI5M1MwwExxTZby
PlPECRM+/zAcoA/RA/mYS04wVbIOkJWYxnNGzLm8ITpvXINyzTrF/+MGoKDoEQfY
QOcihEgDaI76oIamxHNCVX70FXYoPqsK19lZ0v/5fMROjEq+ytvBMsr+xmv/zdmk
ODQot4Tow1OtqzwuhVf+KpA3c7YwwebFQ24HMe3O6xeIKsZov5z1tr1C6KHheubx
tkPWTCSXwM+xma0lykIHiFbwl21BaNVwGBpeuIyDKkzqKnkprU3nx60LL4Fv82/o
2IAI/P+hCMz7CNQKt7N+hfS5PqNc8wv+BiewFGzTYKDkkWlq9wMXwkTg1OBlFtc=
=3+xd
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk