[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Nadim Kobeissi
nadim at nadim.cc
Tue Aug 6 03:07:00 PDT 2013
On 2013-08-06, at 12:55 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
> Nadim Kobeissi:
>>
>> On 2013-08-06, at 11:46 AM, Al Billings <albill at openbuddha.com>
>> wrote:
>>
>>> Nadim you seem confused by how this works. Tor doesn't need to
>>> issue advisories for Firefox issues. We, at Mozilla, already issue
>>> them. Perhaps they can link to them clearly but if you want to know
>>> about security issues Mozilla fixes in Firefox, you're best served
>>> by reading Mozilla advisories. There's not much point in
>>> duplicating them on a second site. Tor would be better served by
>>> writing advisories for its own, unique, security fixes.
>>
>> Tor doesn't need to issue advisories for Firefox issues. Tor needs to
>> issue advisories for Tor Browser issues, and not five weeks later
>> when s**t hits the fan. I really don't think one can reasonably
>> disagree with the above statement. Tor Browser is a Firefox fork.
>
> Should we issue a single advisory for each possible security issue that
> Firefox has already noted in their change log? Each confirmed security
> issue? Should we ask for a second CVE to cover each CVE they receive?
What's the alternative, Jake? Wait until the NSA exploits an innumerable number of Tor users and then quickly write an advisory for a bug that was quietly fixed five weeks earlier, without a warning from Tor, but still exploited? Because that is exactly what happened this time. Tor can just go on doing this again and again, or yes, you could issue advisories. You are maintaining your own browser called Tor Browser. Stop shifting blame onto Firefox. You're the guy who told me to never shift blame when you have a security vulnerability in the software you yourself are shipping. Practice what you preach.
I sound harsh, sure, but at least I'm being productive and not freaking out about my ego.
NK
>
> Your point is unclear in practice. Please do spell it out and if
> possible, please demonstrate how you do so in your own projects?
>
> All the best,
> Jacob