[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Bernard Tyers - ei8fdb
ei8fdb at ei8fdb.org
Mon Aug 5 12:13:55 PDT 2013
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Firstly: this is not an anti-Tor/pro-anything/anti-developer comment. If anything it's a "pro-have_some_understanding_for_people" point-of-view. I contribute to Tor as I believe it can do a lot of good.
As I understand it, the issue was: a compromise affected older TB Bundles, based on a previous version of Firefox. TBB prompted users to update to newer versions within $X days of release.
It wasn't the Tor network that was compromised, it was *some* software running to provide a Tor Hidden Service. We still don't know exactly what that was? (It would be nice to know.)
Neither do I think you can expect the Tor Project to follow every commit to Firefox. (Although using any software, based on trust, in this world is not the best idea.)
If anyone should get blamed, it's the operators of the THS (currently it seems it was Freedom Hosting and Eric Eoin Marques?) that were the cause of this compromise. They are the douches in this shitstorm.
All good so far.
On 5 Aug 2013, at 18:45, h0ost wrote:
>> Mozilla posted the advisory on June 25th.
>> https://www.mozilla.org/security/announce/2013/mfsa2013-53.html and a
>> TBB update was provided 5 days later:
>> https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
>> - and uses a version of FF that the advisory says fixes the issue.
>>
>
> So what's the problem that Nadim Kobeissi is pointing to? The
> vulnerability was patched by Mozilla, then subsequently incorporated in
> the TBB.
> If TBB is updated, and a user doesn't upgrade their TBB bundle, that's
> the user's fault, not Tor.
>
> No?
> Yes, I think.
If you want to find fault with some party, then sure, it's the user's fault. But that's not very helpful in a case like this. If it was MS Word, or Mail.app, blame the user.
Tor and TBB are not the easiest of privacy protection tools to understand, even for some trained technology people.
It would be nice to know the percentage of "technical experts" using TBB. You *cannot* expect someone who is not an expert in cryptography, comp.sci, or "computer technology in general" to fully understand the consequences of using software tools. If you have a problem with that, then go and design software for developers.
I know your comment was off the cuff, but this is one of the reasons why this shit is so bad. It needs to be designed with _real_ people (not cryptographers, or comp.sci or telecoms) in mind. Real people who use these tools to communicate. Everybody, in some case, is "just a user".
It wasn't essentially The Tor Project's fault, but they are dealing with it now. Shitty I know.
>> The take home message of the day: keep your shit up to date.
>
> Exactly. Nothing more, nothing less. It's like brushing one's teeth,
> you learn that you have to do it for your own good, and then you just do it.
>
I don't think you can compare tooth decay with your security getting compromised. Really.
>> The only question I have is -- is there anything more that can be
>> done to warn users their stuff is out of date? We're already visited
>> with a warning that our browser or other tor-related software is out
>> of date upon launching it. Do we need scrolling text? blinky lights?
>> Should it be disabled once it is out of date? Maybe that can be an
>> option set by default. Thoughts?
>
>
> I don't think so. TBB already warns when there is an updated version of
> the TBB, so I really think it's a culture change on part of people who
> don't upgrade immediately. Hard thing to fight against, but maybe such
> events will make people more cautious in this way.
Going by what Roger Dingledine from Tor has stated in a previous mail, The Tor Project provided the "you need to upgrade" message promptly. I don't know if that is enough. (But it is certainly a lot more than other providers of software would do.)
Maybe disabling out-of-date software would not be a bad thing? (Personally I don't know if that's a good approach, as users may use less secure methods to carry out their tasks.)
My point is, there should be some research into finding an answer as opposed to apportioning blame.
Flame-retardant suit on.
Bernard
--------------------------------------
Bernard / bluboxthief / ei8fdb
IO91XM / www.ei8fdb.org
-----BEGIN PGP SIGNATURE-----
Version: GnuPG/MacGPG2 v2.0.17 (Darwin)
Comment: GPGTools - http://gpgtools.org
iQEcBAEBAgAGBQJR//l0AAoJENsz1IO7MIrrZs4H/j1b4vZj17cgFdMb5LcGcZz3
YcNKktzRhcD92mmFQo+XyIY1Mp0gas592y5Ah/Q+yXTWQpjZkNgMS/uZXWOgXnf5
tBVHYL9pIOc5BoTMIXukuYhevnVXb+KORZiUpYgL7wncIqjC7N5oor4np53tp3pk
KxQRDHZ4eYpDveLPs4vntECRiR2gfQygKNAuTDxUQgef8OjKG0NyOJGqMj31snee
R4pqkcszyLyqTlc+q2FVaB4VtsU6LTStG/dt57ts9ZiMxIiuhOAtfc53j6t1cguh
1pgs6NxWzcOdUTPOhySxLjRguiO/oT2iNq2UB69YhEp3SDkecrW/Yu2/KjDTmjY=
=Mr+D
-----END PGP SIGNATURE-----
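The thread above debates the two options for an out-of-date client: keep warning, or disable it once a known fix has been available for some grace period. The following is an added illustration of that decision logic as a small policy function; it is not code from the Tor Project or from anyone in this thread. Version strings, the fix date and the grace period are constructed values, and the `Advisory` record is a hypothetical stand-in for whatever update metadata a client would actually fetch.

```python
import re
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Advisory:
    """Hypothetical update metadata: the first version that contains a fix
    and the date that fixed build was published (both constructed here)."""
    fixed_version: str
    published: date


def parse_version(version: str) -> tuple:
    """Turn a dotted/dashed version string into a comparable tuple of ints.

    "1.4.2-3" -> (1, 4, 2, 3); non-numeric fragments such as "alpha" are
    dropped, so pre-release labels are not ordered here (an assumption that
    keeps the example short, not a recommendation for a real updater).
    """
    return tuple(int(part) for part in re.findall(r"\d+", version))


def is_patched(installed: str, advisory: Advisory) -> bool:
    """True if the installed build is at or above the first fixed version."""
    return parse_version(installed) >= parse_version(advisory.fixed_version)


def update_policy(installed: str, advisory: Advisory,
                  today: date, grace_days: int) -> str:
    """Decide what the client should do on launch.

    "ok"    - installed build already contains the fix
    "warn"  - unpatched, but the fix shipped less than grace_days ago
    "block" - unpatched and the grace period has expired
    """
    if is_patched(installed, advisory):
        return "ok"
    days_since_fix = (today - advisory.published).days
    return "warn" if days_since_fix < grace_days else "block"


if __name__ == "__main__":
    # Constructed scenario: a fix shipped on 30 June with a 7-day grace period.
    adv = Advisory(fixed_version="1.4.3", published=date(2013, 6, 30))
    for installed, today in [("1.4.3", date(2013, 7, 3)),
                             ("1.4.2", date(2013, 7, 3)),
                             ("1.4.2", date(2013, 8, 5))]:
        print(installed, today, "->", update_policy(installed, adv, today, 7))
```

The interesting design choice is the grace period: a short window keeps the existing warning behaviour for users who update promptly, while the "block" outcome only kicks in for builds that stay unpatched well past the fix date, which is the trade-off (warning fatigue versus users falling back to less safe tools) that the mail raises.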