[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

Nadim Kobeissi nadim at nadim.cc
Wed Aug 7 03:15:47 PDT 2013


On 2013-08-07, at 1:05 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:

> Nadim Kobeissi:
>> 
>> On 2013-08-07, at 12:58 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>> 
>>> Nadim Kobeissi:
>>>> 
>>>> On 2013-08-07, at 12:44 PM, Jacob Appelbaum <jacob at appelbaum.net> wrote:
>>>> 
>>>>> Bbrewer:
>>>>>> "We're understaffed, so we tend to pick the few things we might
>>>>>> accomplish and writing such advisory emails is weird unless there is an
>>>>>> exceptional event. Firefox bugs and corresponding updates are not
>>>>>> exceptional events. :("
>>>>>> 
>>>>>> Pardon me,
>>>>>> But it does seem that this one was.
>>>>>> 
>>>>>> No?
>>>>> 
>>>>> Yeah, this was such a case - a month ago, we didn't know it was such a
>>>>> case - no one did, not even Mozilla.
>>>> 
>>>> That's funny — didn't Mozilla issue a security advisory for it a month ago? That would imply that they actually did know that it was such a case.
>>>> 
>>> 
>>> The exploit is the exceptional event. Roger just covered this with
>>> exceptional clarity.
>>> 
>>> Al - did Mozilla know it was being exploited in the wild, a month ago?
>>> Was there a known difference at the time between this bug and say, the
>>> others which were fixed in the ESR17 release cycle?
>> 
>> Does an exploit need to exist in the wild and be discovered first in order to warrant a security advisory? I didn't know this!
>> 
> 
> The advisory was about the bug being exploited in the wild, so, yes. That
> was covered well in Roger's last email.

I'm aware, I did read his email. I was just under the impression that you publish advisories about *vulnerabilities*, not about *exploits*. But perhaps you're teaching me (and the rest of the community) something new here! ;-)

> 
> I'd encourage you to read Roger's email (again, or for the first time).
> Specifically the part where we encouraged users to upgrade, notified
> every browser user that there was a security update and so on.

That's pretty great, but it doesn't count as an advisory, no matter how hard you seem to want it to.
THIS is an advisory: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html

NK

> 
> All the best,
> Jacob