[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Nadim Kobeissi
nadim at nadim.cc
Mon Aug 5 01:15:20 PDT 2013
Forgive me, but I'd like to ask a question here.
Tor is a tool that is undeniably, directly marketed toward activists in high-risk environments. Tor's presentations at conferences centre around how Tor obtains increased usage in Arab Spring countries that matches the timeline of revolutionary action. It's incredibly direct. Tor's own spokespeople encourage people in Iran, Egypt and so on to use Tor and only Tor as the most secure tool for activist anonymity, and privacy.
Now, we find out that the FBI has been sitting on an exploit for an unknown amount of time that can compromise the Tor Browser Bundle, which is currently the main way to download Tor and the only way to download Tor for the average end-user, and is deploying it en masse to the visitors of what seems to be around half of all Tor hidden services, which have also been compromised.
I've gotten quite some flak from certain people at Tor for supposedly marketing Cryptocat to activists, which is not something I do, but that the media did last year. We know for a fact that Tor does in fact market to activists. And yet, I have a feeling that the flak towards Tor, for something this incredibly huge, will be quite small, on this mailing list and on other discussion forums, especially compared to the kind of vitriol Cryptocat receives.
I would like an explanation as to why this is the case.
NK
On 2013-08-04, at 10:56 PM, Griffin Boyce <griffinboyce at gmail.com> wrote:
> There are really two separate issues here, and I just want to separate them briefly.
>
> 1) Tormail and other sites were hosting malicious JS code that attempts to break Firefox 17.
>
> 2) Freedom Hosting was shut off after its host was arrested.
>
> I will say from personal experience that most hidden services are *extremely* permeable. Not because Tor sucks, but because people making them aren't very good webmasters. They don't upgrade/patch the software running their websites, and that leads to big hacks. Freedom Hosting was itself taken down on at least three occasions due to poor maintenance.
>
> It's also not particularly difficult to script up a scanner that tests hidden services for vulnerabilities, then launches malicious code. This has happened again and again. But this cannot really be Tor's fault any more than it's Apache's fault. People who host hidden services must maintain their code just like other websites.
>
> If a hidden service webhost is imperfectly set up, it's possible to upload a malicious file and broadcast the IP address of the server. (Again, this relies on various configuration issues and 0day, but similar has happened to Freedom Hosting before).
>
> What does everyone else think about this?
>
> best,
> Griffin
>
> PS: it seems a little too ambitious to set up your own anonymity network without having a solid team of scientists and cryptographers
>
> On Sun, Aug 4, 2013 at 9:20 PM, Rich Jones <miserlou at gmail.com> wrote:
> 1) Freedom Hosting owner arrested and TorMail appears to be distributing FBI malware specifically targeting the Tor Browser Bundle.
>
> Deets: https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste
>
>
> 2) I'm considering using Docker/Flynn to build an anonymous PaaS. Anybody want to help with the sketches?
>
> Deets: https://github.com/Miserlou/OnionCloud
>
> R
>
> --
> Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
>
>
>
> --
> Just another hacker in the City of Spies.
> #Foucault / PGP: 0xAE792C97 / OTR: saint at jabber.ccc.de
>
> My posts, while frequently amusing, are not representative of the thoughts of my employer.