[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

Jacob Appelbaum jacob at appelbaum.net
Tue Aug 6 02:30:16 PDT 2013

Nadim Kobeissi:
> On 2013-08-06, at 3:19 AM, Jacob Appelbaum <jacob at appelbaum.net>
> wrote:
>> Griffin Boyce:
>>> Al,
>>> We may have to disagree as to the way forward. I hate to be 
>>> contentious, but it seems unlikely that Tor applied a patch
>>> without reading Firefox's changelog. Two days ago I presented a
>>> talk which emphasized how useful Tor is -- and I stand by that.
>>> Tor is still the best option for maintaining one's anonymity.
>> Hi Griffin,
>> Do you plan to release security advisories for all updates to the
>> Linux kernel, GNU user space utilities and other dependencies in the
>> Commotion router firmware?
> How is this, in any way, shape or form, relevant? Are you seriously
> opening up Commotion's bug handling in order to sort of justify this
> Tor situation?

I'm asking for the clear line. Simple enough. Firefox's advisory seems
fine to me but Griffin and you seem to suggest otherwise.

I don't see an example of this suggestion being carried out by other
projects - so either I misunderstand or we're exceptional. Either is
fine with me, or another option which I'm not aware of - I'm sure that
one of those is the case...

This has nothing to do with 'justifying' anything - it has to do with
asking for a clear example of what seems reasonable and is *already*
done by someone.

Please feel free to answer the question, we're happy to learn from an
example. Are either of you involved in such an example? Might we learn
from your example? If so, where might we see it?

> Tor had forked Firefox into its own browser, which is called Tor
> Browser. Mozilla issued an advisory for Firefox the day the bug was
> discovered, about five weeks ago. Tor should have issued a similar
> advisory for Tor Browser and consequently the Tor Browser Bundle,
> especially considering that the Tor Browser Bundle is by far *the*
> most visible way for end-users to download and use Tor these days.

I think Tails is perhaps more popular but that is a side note, I suppose.

>> I suppose no but perhaps I'm mistaken? Has anyone done so with new 
>> Commotion releases? I don't see[0][1] such notes, am I missing
>> something?
>> It seems impractical to note every change from downstream
>> projects.
>> Clearly you seem to disagree but I do wonder where you draw the
>> line?
>> Do your projects have some example where we might see the line in 
>> action, so to speak?
>> As far as I can tell, we issued a security advisory within
>> twenty-four hours.
> Actually, Tor issued a security advisory for Tor Browser a full 39
> days after Mozilla did for Firefox.

Mozilla issued an updated blog post in the last day or so because of us
contacting them. They clarified the specific issue around the same time
as us. Al has already pointed this out - he works at Mozilla, so I
suppose he seems to agree that we don't need to copy every advisory they
write into our release notes.

>> We spent more than a full day of multiple people's time working 
>> non-stop to understand the scope, the impact and the outcomes of
>> this issue. We were already working on this task when you and
>> another decided to jump up and down to let us know that we were
>> failures by any other name. I'd say thanks but that isn't the word
>> that comes to mind…
> "I'd say thanks but that isn't the word that comes to mind…" Dude,
> you're supposed to be Tor's outreach guy! Come on!

I've asked for specific clarity on the level of granularity, I have yet
to see a reply that addresses my question.

>> The Tor Project does not triage every single Mozilla Firefox bug.
>> We do try to understand which bugs are security critical. We do aim
>> to track and put our energy into ensuring our browser uses the
>> latest ESR releases. This generally includes lots of code fixes,
>> security as well as other kinds of fixes, though we may not always
>> fully understand every issue - we tend to trust Mozilla's lead on
>> this topic. TBB requires lots of effort to forward port our privacy
>> preserving patches as they are not in the mainline Mozilla
>> repositories. We did this as we always do with TBB releases and we
>> released patched versions of the software before we ever even
>> learned of the exploit discovered this weekend that targets old,
>> unpatched users:
>> 2.3.25-10 (released June 26 2013)
>> 2.4.15-alpha-1 (released June 26 2013)
>> 2.4.15-beta-1 (released July 8 2013)
>> 3.0alpha2 (released June 30 2013)
>> By a general count, it was around a month ago that we released
>> patched versions. We normally just note that we've bumped the
>> included projects to their latest stable versions - though in the
>> case of our latest alpha, we specifically said[2]:
>> "In addition to providing important security updates to Firefox and
>> Tor, these release binaries should now be exactly reproducible from
>> the source code by anyone."
>> Do you think that we should include that text with every single
>> release? ie: "This update provides important security updates to
>> Firefox and Tor" or something along those lines? Shall we just put
>> that in every single release note? Is that really helpful?
> Actually, isn't that exactly what you've said I should do with my own
> project, Cryptocat, numerous times? It's actually really illuminating
> that you in fact are committing the exact same outreach and
> mitigation blunders that you keep criticizing other projects for.

It wasn't a rhetorical question when I asked. The question is about
phrasing. I feel like we've done a reasonable job, so how is it that we
might improve the communication for the job we've done?

>> If you have a suggestion for how we might improve, I'm open to
>> hearing it - though as far as I am able to tell - there isn't much
>> to be done except to say "security update" next to "firefox update"
>> in our normal release notes. That isn't very helpful as nearly
>> every Firefox update in ESR is a security or stability related
>> release.
>> Please do feel free to suggest something constructive - if we have
>> room for improvement, we're happy to make it!
> I think your entire email is not constructive. Roger's email with the
> actual advisory was awesome. Maybe he should represent Tor on this
> list from now on.

Thanks for the feedback Nadim and thanks again for helping to improve
the Tor Browser. We appreciate your positive contributions and your
youthful enthusiasm.

