[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

Jacob Appelbaum jacob at appelbaum.net
Tue Aug 6 03:23:33 PDT 2013


Nadim Kobeissi:
> 
> On 2013-08-06, at 12:55 PM, Jacob Appelbaum <jacob at appelbaum.net>
> wrote:
> 
>> Nadim Kobeissi:
>>> 
>>> On 2013-08-06, at 11:46 AM, Al Billings <albill at openbuddha.com> 
>>> wrote:
>>> 
>>>> Nadim you seem confused by how this works. Tor doesn't need to 
>>>> issue advisories for Firefox issues. We, at Mozilla, already
>>>> issue them. Perhaps they can link to them clearly but if you
>>>> want to know about security issues Mozilla fixes in Firefox,
>>>> you're best served by reading Mozilla advisories. There's not
>>>> much point in duplicating them on a second site. Tor would be
>>>> better served by writing advisories for its own, unique,
>>>> security fixes.
>>> 
>>> Tor doesn't need to issue advisories for Firefox issues. Tor
>>> needs to issue advisories for Tor Browser issues, and not five
>>> weeks later when s**t hits the fan. I really don't think one can
>>> reasonably disagree with the above statement. Tor Browser is a
>>> Firefox fork.
>> 
>> Should we issue a single advisory for each possible security issue
>> that Firefox has already noted in their change log? Each confirmed
>> security issue? Should we ask for a second CVE to cover each CVE
>> they receive?
> 
> What's the alternative, Jake? 

That was a list of choices and you didn't choose one. Please choose one
or more - though not all of them make sense when put together. It was a
question and well, your answer isn't much of an answer.

> Wait until the NSA exploits an
> innumerable amount of Tor users and then quickly write an advisory
> for a bug that was quietly fixed without a warning from Tor five
> weeks but still exploited?

This is not accurate. We heard about attempts at exploitation and within
~24hrs we released an advisory - we had already released fixed code a
~month before exploitation was found in the wild. Please do not mix up
the timeline. To restate:


2.3.25-10 (released June 26 2013)
2.4.15-alpha-1 (released June 26 2013)
2.4.15-beta-1 (released July 8 2013)
3.0alpha2 (released June 30 2013)


The exploit was found in the wild last weekend; I learned about it on
or around August 4th. Please note that our patched versions were
released nearly a month before this was found in the wild. There is no
reason to support the conclusion that we "silently" fixed anything in
response to an exploit. Please consider that your statement is entirely
unsupported by evidence, Nadim.

> Because that is exactly what happened this
> time. Tor can just go on doing this again and again, or yes, you
> could issue advisories. You are maintaining your own browser called
> Tor Browser. Stop shifting blame onto Firefox. You're the guy who
> told me to never shift blame when you have a security vulnerability
> in the software you yourself are shipping. Practice what you preach.
> 

Your assessment of this situation is incorrect.

We regularly release updates that include updates to included code and
often, we make note of the fact that the upstream code has security
fixes included. There is no blame shifting, only a question of how to
best share that information in a way that users will understand. I have
asked repeatedly for examples and for details of how to improve things -
you seem only interested in slinging mud. Perhaps this isn't the most
useful way forward?

> I sound harsh, sure, but at least I'm being productive and not
> freaking out about my ego.

I don't think you are being productive at this point in the
conversation. You are correct and I agree with you - you are harsh -
I'll extend this commentary: it reflects poorly on you(r ego) and very
little is gained by such behavior.

All the best,
Jacob
