[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Nadim Kobeissi
nadim at nadim.cc
Tue Aug 6 02:45:03 PDT 2013
On 2013-08-06, at 11:46 AM, Al Billings <albill at openbuddha.com> wrote:
> Nadim you seem confused by how this works. Tor doesn't need to issue advisories for Firefox issues. We, at Mozilla, already issue them. Perhaps they can link to them clearly but if you want to know about security issues Mozilla fixes in Firefox, you're best served by reading Mozilla advisories. There's not much point in duplicating them on a second site. Tor would be better served by writing advisories for its own, unique, security fixes.
Tor doesn't need to issue advisories for Firefox issues. Tor needs to issue advisories for Tor Browser issues, and not five weeks later when s**t hits the fan.
I really don't think one can reasonably disagree with the above statement. Tor Browser is a Firefox fork.
NK
>
> Al
>
> --
> Al Billings
> http://makehacklearn.org
>
> On Tuesday, August 6, 2013 at 1:28 AM, Nadim Kobeissi wrote:
>
>>
>> On 2013-08-06, at 3:19 AM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>>
>>> Griffin Boyce:
>>>> Al,
>>>>
>>>> We may have to disagree as to the way forward. I hate to be
>>>> contentious, but it seems unlikely that Tor applied a patch without
>>>> reading firefox's changelog. Two days ago I presented a talk which
>>>> emphasized how useful Tor is -- and I stand by that. Tor is still the
>>>> best option for maintaining one's anonymity.
>>>
>>> Hi Griffin,
>>>
>>> Do you plan to release security advisories for all updates to the Linux
>>> kernel, GNU user space utilities and other dependencies in the commotion
>>> router firmware?
>>
>> How is this, in any way, shape or form, relevant? Are you seriously opening up Commotion's bug handling in order to sort of justify this Tor situation?
>>
>> Tor had forked Firefox into its own browser, which is called Tor Browser. Mozilla issued an advisory for Firefox the day the bug was discovered, about five weeks ago. Tor should have issued a similar advisory for Tor Browser and consequently the Tor Browser Bundle, especially considering that the Tor Browser Bundle is by far *the* most visible way for end-users to download and use Tor these days.
>>
>>>
>>> I suppose no but perhaps I'm mistaken? Has anyone done so with new
>>> commotion releases? I don't see[0][1] such notes, am I missing something?
>>>
>>> It seems impractical to note every change from downstream projects.
>>>
>>> Clearly you seem to disagree but I do wonder where you draw the line?
>>>
>>> Do your projects have some example where we might see the line in
>>> action, so to speak?
>>>
>>> As far as I can tell, we issued a security advisory within twenty-four
>>> hours.
>>
>> Actually, Tor issued a security advisory for Tor Browser a full 39 days after Mozilla did for Firefox.
>>
>>> We spent more than a full day of multiple people's time working
>>> non-stop to understand the scope, the impact and the outcomes of this
>>> issue. We were already working on this task when you and another decided
>>> to jump up and down to let us know that we were failures by any other
>>> name. I'd say thanks but that isn't the word that comes to mind…
>>
>> "I'd say thanks but that isn't the word that comes to mind…"
>> Dude, you're supposed to be Tor's outreach guy! Come on!
>>
>>>
>>> The Tor Project does not triage every single Mozilla Firefox bug. We do
>>> try to understand which bugs are security critical. We do aim to track
>>> and put our energy into ensuring our browser uses the latest ESR
>>> releases. This generally includes lots of code fixes, security as well
>>> as other kinds of fixes, though we may not always fully understand every
>>> issue - we tend to trust Mozilla's lead on this topic. TBB requires lots
>>> of effort to forward port our privacy preserving patches as they are not
>>> in the mainline Mozilla repositories. We did this as we always do with
>>> TBB releases and we released patched versions of the software before we
>>> ever even learned of the exploit discovered this weekend that targets
>>> old, unpatched users:
>>>
>>> 2.3.25-10 (released June 26 2013)
>>> 2.4.15-alpha-1 (released June 26 2013)
>>> 2.4.15-beta-1 (released July 8 2013)
>>> 3.0alpha2 (released June 30 2013)
>>>
>>> By a general count, it was around a month ago that we released patched
>>> versions. We normally just note that we've bumped the included projects
>>> to their latest stable versions - though in the case of our latest
>>> alpha, we specifically said[2]:
>>>
>>> "In addition to providing important security updates to Firefox and Tor,
>>> these release binaries should now be exactly reproducible from the
>>> source code by anyone."
>>>
>>> Do you think that we should include that text with every single release?
>>> ie: "This update provides important security updates to Firefox and Tor"
>>> or something along those lines? Shall we just put that in every single
>>> release note? Is that really helpful?
>>
>> Actually, isn't that exactly what you've said I should do with my own project, Cryptocat, numerous times? It's actually really illuminating that you in fact are committing the exact same outreach and mitigation blunders that you keep criticizing other projects for.
>>
>>>
>>> If you have a suggestion for how we might improve, I'm open to hearing
>>> it - though as far as I am able to tell - there isn't much to be done
>>> except to say "security update" next to "firefox update" in our normal
>>> release notes. That isn't very helpful as nearly every Firefox update in
>>> ESR is a security or stability related release.
>>>
>>> Please do feel free to suggest something constructive - if we have room
>>> for improvement, we're happy to make it!
>>
>> I think your entire email is not constructive. Roger's email with the actual advisory was awesome. Maybe he should represent Tor on this list from now on.
>>
>> NK
>>
>>>
>>> All the best,
>>> Jacob
>>>
>>> [0] https://commotionwireless.net/download/openwrt
>>> [1]
>>> https://commotionwireless.net/blog/new-commotion-release-dr1-ready-testing
>>> [2] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
>>> --
>>> Liberationtech list is public and archives are searchable on Google. Too many emails? Unsubscribe, change to digest, or change password by emailing moderator at companys at stanford.edu or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech
>