[liberationtech] Freedom Hosting, Tormail Compromised // OnionCloud

Claudio cld at riseup.net
Wed Aug 7 06:22:53 PDT 2013


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 08/07/2013 12:35 PM, Jacob Appelbaum wrote:
>>> 
>>> The advisory was about a bug being exploited in the wild, so,
>>> yes. That was covered well in Roger's last email.
>> 
>> I'm aware, I did read his email. I was just under the impression
>> that you publish advisories about *vulnerabilities*, not about
>> *exploits*. But perhaps you're teaching me (and the rest of the
>> community) something new here! ;-)
> 
> The purpose of an advisory is to alert users about various kinds
> of information.
> 
> We covered the vulnerability and the exploit details that we knew
> at various times. We first published a blog post that detailed that
> we didn't yet have all information about what we'd heard rumored.
> We then published a second blog post detailing the new information.
> We also sent an email about it.
> 
> I'd say that all three are advisory in nature - they literally
> advise users of what we know. The final email to tor-announce was
> an advisory about a specific vulnerability that was being exploited
> in the wild.
> 
>> 
>>> 
>>> I'd encourage you to read Roger's email (again, or for the
>>> first time). Specifically the part where we encouraged users to
>>> upgrade, notified every browser user that there was a security
>>> update and so on.
>> 
>> That's pretty great, but it doesn't count as an advisory, no
>> matter how hard you seem to want it to. THIS is an advisory: 
>> https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
>>
>
>> 
> A CVE is what most consider the standard way of discussing an
> issue regardless of format or medium. We could probably improve by
> referencing CVEs of Mozilla's ESR security page rather than simply
> referencing the MFSA alone. As it is we referenced mfsa2013-53 but
> we didn't directly reference CVE-2013-1690. Part of the reason is
> that the MFSA is more specific than the CVE which details the most
> likely information relevant to a Firefox/Tor Browser user.
> 
> All the best, Jacob

How about we stop this nonsense repetitive blame game and get back to
proposing good practices for the future?
Nadim, since you clearly admitted on the other thread from Shava that
you're just campaigning a personal attack against Jacob, I'm not even
gonna argue against your position (which I find practically,
logistically and technically meaningless by the way).
If you want to keep having an ego fight with Jacob, please continue it
privately (or better don't continue it at all), this is tedious to
read and it's killing a thread that could be beneficial for everybody.

Best,
Claudio
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----