[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

[Claudio]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/05/2013 05:00 PM, Nadim Kobeissi wrote:
> 
> On 2013-08-05, at 4:19 PM, liberationtech at lewman.us wrote:
> 
>> On Mon, 5 Aug 2013 10:15:20 +0200 Nadim Kobeissi <nadim at nadim.cc>
>> wrote:
>> 
>>> Now, we find out that the FBI has been sitting on an exploit
>>> since an unknown amount of time that can compromise the Tor
>>> Browser Bundle, which is currently the main way to download Tor
>>> and the only way to download Tor for the average end-user, and
>>> is deploying it en-masse to the visitors of what seems to be
>>> around half of all Tor hidden services, which have also been
>>> compromised
>> 
>> Please cite first person sources on this. It's not clear the FBI
>> did anything or is involved at all. There is a reddit thread
>> implying this, but no statement (as of yet) from the FBI or
>> anyone claiming responsibility for the javascript injection.
> 
> As Andy Isaacson said: "The press is treating it as a likelihood.
> That's no proof, of course, but the narrative is internally
> consistent and most alternatives seem quite unlikely.
> http://www.wired.com/threatlevel/2013/08/freedom-hosting/"
> 
>> 
>> Second, it's not clear this exploit or malware has actually
>> compromised current versions of Tor Browser (as released on June
>> 26, 2013). Please show a working exploit against the current
>> TBBs.
> 
> With my own project, we fixed a critical vulnerability months
> before it was publicized, and we still treated the situation as
> critical during publication due to the fact that there may have
> been users who may have already been compromised or who may not
> have updated. I feel that your response ignores those possibilities
> and is defensive to a fault.
> 
> Since the bug this malware exploits was fixed in previous version
> of the Tor Browser, why was no advisory issued? What if this
> exploit had been known, and used, for a whole year by malicious
> parties?

I'm really not sure I understand what you expected out of it. With TBB
being based on an underlying software that was the origin of the bug,
is Tor people expected to keep track of every commit and ticket being
closed in Firefox and ship security bulletins just as Mozilla does?
Are you doing the same with Crypto.cat for the browsers you have
extensions for?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iQIbBAEBAgAGBQJR/8caAAoJEDmTLM1sbEdvwJYP+KPERuQqk1BlgQvetfNX4xQg
8u2yHGrInRTHfRLd5MhSheeQCA+Fag17XEG18bGL3CEhZQuNe3cCTcvInaLpIGRZ
R5B12e+YIUobWehmeHE+2zWqiUEY9sukF/sJ+iVB4n7fw8nEkg6lHmPkBvthuGjK
OpT/Vg+i8y8WiQWqTjbkg8qp0AqksxW7igsghzVCksY3GDS5ciARsvnBR8PEw5um
ZS3nW6d4Emo1n73syg1/Fl851r5soWLcfN8+ZgWnF9uqmdfusINxkHajTdyuMg8y
yUZfy/Kl6jVQQ3Bo/OuqFKFYbZZddP6V+qTZTcd9orfxa+7l6qaEvxML/5RSqZHe
yzb0RnVaUqdotWBaPqTgTT9t8ujCiAB4MUypJjgVDXTkPdkp0Hh7jrTC9xop/KX2
pv2Zmq23lbldi8twHYbyt1UpmeLq5rlSAT4ol5rMNkqArbHEdS1s+e1mynYPoJWn
UNjfpZa8NlOdVIyeqKibKu8Ozsmf84ltSes8/SLMjIO47z5zR1Dlm0T7tL/YS8SH
t6QCZPQbwZpX232QSiXRKvN+S91heNiMlaGyPRq4jvUFzTakDo6+DK0/Y1XrcpQC
0uXSnEphftJjahoeZn7LdYJ5R88/ffIAvYNoDXw/9qY0Xm8uh3z0QDIz/D7GL+j2
T4xfNXf9ZoLEIzKy2aE=
=x9H/
-----END PGP SIGNATURE-----