[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Jason Gulledge
ramdac at ramdac.org
Mon Aug 5 02:53:56 PDT 2013
The fog of OHM hasn't yet lifted for me, so I'm sorry if I'm not entirely poetic in thought…
Before people jump in and say "the tor network is inherently flawed!" I just want to try to put it in perspective. As I understand it, an .onion got owned, probably by some poorly written or installed software on their site. That happens, and it isn't tor's fault. Once it got owned, it was easy to put an iframe in and target a specific version of the tor browser, an old one for which vulns are well-known.
Mozilla posted the advisory on June 25th (https://www.mozilla.org/security/announce/2013/mfsa2013-53.html), and a TBB update was provided 5 days later (https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released), which uses a version of FF that the advisory says fixes the issue.
If you're interested, this is supposed to be the exploit: http://pastebin.com/96htM60z
The take home message of the day: keep your shit up to date.
The only question I have is -- is there anything more that can be done to warn users their stuff is out of date? We're already visited with a warning that our browser or other tor-related software is out of date upon launching it. Do we need scrolling text? Blinky lights? Should it be disabled once it is out of date? Maybe that can be an option set by default. Thoughts?
Best,
-Jason Gulledge
@ramdac
On Aug 5, 2013, at 10:15 AM, Nadim Kobeissi <nadim at nadim.cc> wrote:
> Forgive me, but I'd like to ask a question here.
>
> Tor is a tool that is undeniably, directly marketed toward activists in high-risk environments. Tor's presentations at conferences centre around how Tor obtains increased usage in Arab Spring countries that matches the timeline of revolutionary action. It's incredibly direct. Tor's own spokespeople encourage people in Iran, Egypt and so on to use Tor and only Tor as the most secure tool for activist anonymity and privacy.
>
> Now, we find out that the FBI has been sitting on an exploit for an unknown amount of time that can compromise the Tor Browser Bundle, which is currently the main way to download Tor and the only way to download Tor for the average end-user, and is deploying it en masse to the visitors of what seems to be around half of all Tor hidden services, which have also been compromised.
>
> I've gotten quite some flak from certain people at Tor for supposedly marketing Cryptocat to activists, which is not something I do, but that the media did last year. We know for a fact that Tor does in fact market to activists. And yet, I have a feeling that the flak towards Tor, for something this incredibly huge, will be quite small, on this mailing list and on other discussion forums, especially compared to the kind of vitriol Cryptocat receives.
>
> I would like an explanation as to why this is the case.
>
> NK
>
> On 2013-08-04, at 10:56 PM, Griffin Boyce <griffinboyce at gmail.com> wrote:
>
>> There are really two separate issues here, and I just want to separate them briefly.
>>
>> 1) Tormail and other sites were hosting malicious JS code that attempts to break Firefox 17.
>>
>> 2) Freedom Hosting was shut off after its host was arrested.
>>
>> I will say from personal experience that most hidden services are *extremely* permeable. Not because Tor sucks, but because people making them aren't very good webmasters. They don't upgrade/patch the software running their websites, and that leads to big hacks. Freedom Hosting was itself taken down on at least three occasions due to poor maintenance.
>>
>> It's also not particularly difficult to script up a scanner that tests hidden services for vulnerabilities, then launches malicious code. This has happened again and again. But this cannot really be Tor's fault any more than it's Apache's fault. People who host hidden services must maintain their code just like other websites.
>>
>> If a hidden service webhost is imperfectly set up, it's possible to upload a malicious file and broadcast the IP address of the server. (Again, this relies on various configuration issues and 0day, but similar has happened to Freedom Hosting before).
>>
>> What does everyone else think about this?
>>
>> best,
>> Griffin
>>
>> PS: it seems a little too ambitious to set up your own anonymity network without having a solid team of scientists and cryptographers
>>
>> On Sun, Aug 4, 2013 at 9:20 PM, Rich Jones <miserlou at gmail.com> wrote:
>> 1) Freedom Hosting owner arrested and TorMail appears to be distributing FBI malware specifically targeting the Tor Browser Bundle.
>>
>> Deets: https://openwatch.net/i/200/anonymous-web-host-freedom-hosting-owner-arreste
>>
>> 2) I'm considering using Docker/Flynn to build an anonymous PaaS. Anybody want to help with the sketches?
>>
>> Deets: https://github.com/Miserlou/OnionCloud
>>
>> R
>>
>> --
>> Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
>>
>> --
>> Just another hacker in the City of Spies.
>> #Foucault / PGP: 0xAE792C97 / OTR: saint at jabber.ccc.de
>>
>> My posts, while frequently amusing, are not representative of the thoughts of my employer.