[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

Nadim Kobeissi nadim at nadim.cc
Mon Aug 5 08:00:58 PDT 2013


On 2013-08-05, at 4:19 PM, liberationtech at lewman.us wrote:

> On Mon, 5 Aug 2013 10:15:20 +0200
> Nadim Kobeissi <nadim at nadim.cc> wrote:
> 
>> Now, we find out that the FBI has been sitting on an exploit since an
>> unknown amount of time that can compromise the Tor Browser Bundle,
>> which is currently the main way to download Tor and the only way to
>> download Tor for the average end-user, and is deploying it en-masse
>> to the visitors of what seems to be around half of all Tor hidden
>> services, which have also been compromised
> 
> Please cite first person sources on this. It's not clear the FBI did
> anything or is involved at all. There is a reddit thread implying this,
> but no statement (as of yet) from the FBI or anyone claiming
> responsibility for the javascript injection.

As Andy Isaacson said:
"The press is treating it as a likelihood.  That's no proof, of course,
but the narrative is internally consistent and most alternatives seem
quite unlikely. http://www.wired.com/threatlevel/2013/08/freedom-hosting/"

> 
> Second, it's not clear this exploit or malware has actually compromised
> current versions of Tor Browser (as released on June 26, 2013). Please
> show a working exploit against the current TBBs.

With my own project, we fixed a critical vulnerability months before it was publicized, and we still treated the situation as critical during publication due to the fact that there may have been users who may have already been compromised or who may not have updated. I feel that your response ignores those possibilities and is defensive to a fault.

Since the bug this malware exploits was fixed in a previous version of the Tor Browser, why was no advisory issued? What if this exploit had been known, and used, for a whole year by malicious parties?

> 
> Third, please show data that "half of all Tor hidden services" have
> been compromised. We don't have this data because we don't track hidden
> services. If you do, please share your metrics.

Honestly your email feels really unproductive.

NK

> 
> -- 
> Andrew
> http://tpo.is/contact
> pgp 0x6B4D6475