[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud
Jacob Appelbaum
jacob at appelbaum.net
Wed Aug 7 03:35:00 PDT 2013
>>
>> The advisory was about a bug being exploited in the wild, so, yes.
>> That was covered well in Roger's last email.
>
> I'm aware, I did read his email. I was just under the impression that
> you publish advisories about *vulnerabilities*, not about *exploits*.
> But perhaps you're teaching me (and the rest of the community)
> something new here! ;-)

The purpose of an advisory is to alert users about various kinds of
information.

We covered the vulnerability and the exploit details that we knew at
various times. We first published a blog post that detailed that we
didn't yet have all information about what we'd heard rumored. We then
published a second blog post detailing the new information. We also sent
an email about it.

I'd say that all three are advisory in nature - they literally advise
users of what we know. The final email to tor-announce was an advisory
about a specific vulnerability that was being exploited in the wild.

>
>>
>> I'd encourage you to read Roger's email (again, or for the first
>> time). Specifically the part where we encouraged users to upgrade,
>> notified every browser user that there was a security update and so
>> on.
>
> That's pretty great, but it doesn't count as an advisory, no matter
> how hard you seem to want it to. THIS is an advisory:
> https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
>

A CVE is what most consider the standard way of discussing an issue
regardless of format or medium. We could probably improve by referencing
CVEs of Mozilla's ESR security page rather than simply referencing the
MFSA alone. As it is we referenced mfsa2013-53 but we didn't directly
reference CVE-2013-1690. Part of the reason is that the MFSA is more
specific than the CVE which details the most likely information relevant
to a Firefox/Tor Browser user.

All the best,
Jacob