This whole post is a mess. Someone distributes an exploit via a popular hosting provider for onion sites (and it's curious why anyone with a serious interest in privacy would outsource onion site hosting anyway) and suddenly Tor is damaged? There's a link to a paper that claims people can do things you're not supposed to be able to do with onion sites, but I don't see how that's relevant -- this post is conflating at least a few things.
So here's what I can grok from it:
* "Freedom Hosting" founder has been arrested; presumably, many people were using "Freedom Hosting" to host onion sites (is this where "half of all Tor sites compromised" comes from?). No charges listed, article slightly hints at child pornography charges.
* Someone, presumably the FBI, has set up an exploit to be distributed through Freedom Hosting sites that will phone home and reveal your non-Tor IP address (solution: seven proxies). "Freedom Hosting" founder was probably coerced into allowing distribution of this exploit.
* Author claims that said exploit only affects Firefox >= 17 on Windows.
* There's a link to a paper about possible problems with hidden services, which is apparently not relevant to any of this other than the fact that there was just a shakedown on a big onion site provider.
I'm flagging this article because it is utterly incoherent and the headline is sensationalist. There is no evidence of a fundamental flaw in Tor being related to any of the events mentioned. Hopefully someone will write a comprehensible piece soon and put it out there.
The exploit is targeted at the version of Firefox in the Tor Browser Bundle on Windows, which means most Tor users are vulnerable. While you can use a different browser the Tor developers have generally recommended that people don't; it's hard to lock down browsers against information leaks, and the fact that someone's using an unusual browser helps an attacker track them.
It's specifically targeting Firefox 17 for Windows. Versions less than 17 seem to be targeted as well, but the resource (content_1.html) doesn't seem to have ever been available. It does not target anything above 17.
They make note that the vulnerability used is only in Firefox 17--the current ESR (extended support release).
What they do not mention is that the Tor Browser Bundle[1]--created so users can simply download one executable and feel protected by Tor--is based on this very release.
Among all internet users, Firefox 17 is probably rare, but among Tor users? My bet is that it owns a significantly higher chunk of the market.
The quote in the article claims that the exploit affects 17 and higher, only on NT-based platforms.
Furthermore, Tor Browser Bundle disallows JavaScript by default, and one should be cautious while allowing execution of arbitrary client-side code whilst intent on keeping their direct IP address secret. You have to take at least a couple of steps to be affected by this bug.
EDIT: The author has updated the OP and now claims that he believes Firefox 17 is the only affected version. His language is ambiguous such that it is unclear whether the exploit only affects Windows or if the code distributed by FH is simply not attempting to exploit any non-Windows environments (perhaps they were trying to get specific players).
To be honest, I tried to use TOR without the bundle and couldn't figure out how to make it work. The software appears only to be available as the bundle to a cursory look.
I use Tor, but I don't use the Tor Browser Bundle... It's simple enough to configure my browser to use Tor without relying on yet another executable to do it for me.
It's not just that they're stealing everyone's privacy. They're acting like "it's foreigners, so we don't have to care" - even the latest attempts to rein in NSA make no effort to cut back its international misbehavior.
Basically, I think most civilized people have been operating on the premise that democratic western states are behaving in a vaguely civilized way towards people in other such states. But it's clear that America at least is behaving like the purest sociopath, where "friends" just means "easier to manipulate". They are breaking the unspoken international social contract, and it is going to have worse repercussions than they yet understand.
Taking over? You should probably realize by now that what you see in the media about classified government ops is just the tip of the iceberg.
Considering the inherently insecure nature of computer systems, and the heavy reliance of security mechanisms on trusted authorities, you need to realize that, in fact, you've lost any privacy online a long time ago.
you're from latvia? i suspect it seems worse to you at the moment because of the extradition case. and in many ways the uk is as bad (or worse, at least the americans are in trouble for spying on americans) (and they're vaguely european).
We should be clear that this isn't a vulnerability in the Tor software or network, but an (apparent) vulnerability in this unrelated "Freedom Hosting" company's site:
"In this paper we expose flaws both in the design and implementation of Tor’s hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take down hidden services and deanonymize hidden services
Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization"
And possibly in Firefox (!), with some sort of JavaScript exploit. This is the most worrying part for me--does anyone have any info on what the payload does?
Am I the only one who is f*cking tired of FBI and other violence based organizations using pedophilia as their excuse to raid and bust people?
Think of the children! Yes .. a good front to make it so that they can just bust anything using SWAT forces.
Is pedophilia such a big problem? Really? I would like to see one study about pedophilia and the problems it creates, instead of what the problems that NSA and FBI are facing when people start encrypting their traffic and we actually have some freedom of speech in some areas.
Yes, paedophilia really is such a Big problem; you want to see a study to understand that? are you serious? further to police efforts I would support any independent effort to get these people and hand them over to the police when it comes to this matter.
Paedos will be paedos no matter whether privacy exists or does not exist, and it is not an issue related to privacy and freedom, do not link it as such; freedom ceases to be freedom when it violates another individual's freedom(=abuse or product of abuse) so the abuser has to be stopped from further violating it. As the previous poster said, you could argue around consent and/or having an inclination, but as to the actual abuse taking place there can be no question about it.
In a truly anonymous internet that respects privacy, it would be up to individuals to find, isolate and condemn these people, much like Anonymous did in 2011.
Abuse of freedom and privacy can only lead to and justify not having any freedom and privacy, it fuels the whole pro Big Brother argument; if there was a way to demonstrate that Internet self regulation/regulation by the people works, then this would be a major blow to all kinds of 'higher authority' monitoring and fear mongering.
...perhaps you could argue that there's nothing wrong with pedophilia per se, but there is definitely something wrong with child abuse, and I shouldn't need to link you to a study to convince you of that.
By shutting down child pornography rings, police are preventing further abuse. How else would you propose they go about it?
I think this type of thread is what tptacek meant by "these threads [that question whether CP is a big deal] are always repellant." I must say, this one certainly is.
I encourage everyone to chill out, leave your emotions at the door, and give the topic a thorough and dispassionate treatment.
"I'm fucking tired of X" is an unreasonable way to conduct ourselves. It's a sure way not to change anyone's opinion.
> The JavaScript zero-day exploit that creates a unique cookie and sends a request to a random server that basically fingerprints your browser in some way, which is probably then correlated somewhere else since the cookie doesn't get deleted. Presumably it reports the victim's IP back to the FBI.
"in some way", "probably", "presumably" = I have no idea what's going on.
It's more that we know very well that up to the transmission point, it creates a unique identifier. If we're following the most likely guess (that this is targeting distribution of Child Pornography), then it seems like a reasonable goal to simply identify and fingerprint Tor users.
That being said, there is always a point that this could be used for something else entirely, though. Compromising Tor mail is a lot less of a targeted attack.
It's not really 0-day: since it only affects Firefox 17, it was apparently fixed long ago. But see this comment regarding why it may be of interest to lots of TOR users:
The idea of having JS enabled is directly at odds with a secure system, too. All TOR sites should have non-JS friendly interaction. There's really negligible benefit compared to exploits like the one in TFA.
The browser provides much more control over what's happening than executing the code directly on the OS. You can block JavaScript, you can easily analyze the executed source code before you allow its execution, you can manipulate the page as you see fit, you can use extensions to alter your experience in many other ways, and you get the browser's default security sandboxing stuff that prevents it from accessing external domains, your filesystem, or otherwise interrupting non-browsing related tasks.
It'd be crazy to download a full local client for something as shady as SilkRoad or many other hidden services. The browser is the safest place for that kind of thing.
I'm afraid to comment out of fear of being picked on? I didn't read the article very well (depressed about things, and what the Internet is morphing into), but didn't the U.S. federal government put money into TOR?
Since I've never been an .onion site user, I've not noticed any issues with my Tor connections to the "regular" net.
It's my understanding that one can host a .onion "hidden" site without having to go through any such provider as Freedom Hosting, so I don't see how my privacy is being affected by this situation.
As of now there is some guy stating that some hoster has been pwnd and uploaded some JS that exploited something that might be FF17 that might have been shipped with the tor browser bundle.
Why exactly does he think FBI/NSA is involved?
If he has the exploit code why didn't he upload it?
Lots of conclusions based on assumptions. As of now I'd think it's more likely someone just pwnd the largest TOR hidden host provider, uploaded a sploit that will affect most of the users (tor browser bundle) and called it a day.
Sure there MIGHT be some GOV/whatever involvement. But wouldn't it be time to wait with such accusations until we got some actual proof? Not even uploading the alleged exploit doesn't really help his position.
I would think that since about 60% of the TOR project's funding comes from the .gov[0], that they have an incentive to keep it online. I could imagine they have some nodes for which they wouldn't want to reveal the physical location. I don't know, warhead controllers or something. Of course that only works if there are enough nodes involved so you can hide yourself. That's why I think this might not have been a .gov action.
Anyone who was using Windows for TOR browsing was already asking for trouble. Anyone browsing outside a "sealed" VM setup such as Whonix was also asking for trouble.
I think there is a large insight to be had by all this.
State can and will use computer exploits in military and law enforcement. Like with PRISM, it's no longer just the tinfoil - it's confirmed. The business model for a few companies is to hoard zero-day exploits, and sell them on the market. The military, police, "business intelligence" a.k.a. industry spying, and criminals are their customers. In contrast to disease research, software virus research is not regulated or illegal, so both good and bad is the result. It is good when independent research finds vulnerabilities in software we use, and less so when it's hoarded and sold to be used against us.
This has given us a pretty rare chance to look at a 0-day exploit being used in the wild by the US government. Has anyone traced the code enough to know how it works?
I have a question for Tor users.
Would such an exploit to the system encourage you to transition to similar darknet services such as I2P, or will you be sticking with Tor with greater caution?
I wouldn't think too much of it. It could be a bit of wishful thinking, or an attempt to manipulate the price of Bitcoins by spreading rumors. Both are fairly popular among Bitcoin speculators.
I must yet again point to a company like Endgame Systems[1] as being a likely contractor for this service rendered for the FBI.
Some of Endgame's products used by the likes of the NSA:
"There are even target packs for democratic countries in Europe and other U.S. allies. Maui (product names tend toward alluring warm-weather locales) is a package of 25 zero-day exploits that runs clients $2.5 million a year. The Cayman botnet-analytics package gets you access to a database of Internet addresses, organization names, and worm types for hundreds of millions of infected computers, and costs $1.5 million."
Exploiting an unknowable amount of users of a service as to hunt them. Using illegally harvested data from botnets, while others get hunted and prosecuted for coding them.
This tiered society where the legally immune can profit off acts that get others jailed. The market manipulation that comes with bribing companies for data access, the government giving less regulatory oversight to companies it has secret 'deals' with.
For the sake of society, economy, basic morality. It must end.
"Exploiting an unknowable amount of users of a service as to hunt them. Using illegally harvested data from botnets, while others get hunted and prosecuted for coding them.
This tiered society where the legally immune can profit off acts that get others jailed."
Not that I disagree with this sentiment, but how is this different from the fact the government is "legally immune" from using/possessing weapons and firearms that the average person can't possess or use?
Software that creates randomly TBs of fake email, voice (skype) and other communication daily to disrupt NSA. Possible? Helpful?
I.e. billions of emails created daily originating from millions of email accounts created daily that contain random words including the ones the NSA is looking for.
I mean, they went on the path of the least resistance with this whole PRISM thing. Kind of blatantly stupid approach of "just listen to everything". That can possibly be derailed by simply creating tons and tons of "everything" daily to feed their stupid programs.
Even if I don't see why you are saying it on this specific thread, it actually came to my mind a few days ago. I think it is a good, simple idea. No technical difficulties, just spamming and making the whole thing unanalyzable.
This has been discussed before, in the context of network security. You can read about efficacy/bandwidth constraints, but basically to provide any strong security you need to spend an overwhelming amount of bandwidth on noise. You must always operate at peak bandwidth to everyone. It becomes prohibitively slow and expensive.
cookiecaper|12 years ago
secure|12 years ago
https://blog.torproject.org/blog/hidden-services-current-eve...
makomk|12 years ago
syncerr|12 years ago
http://pastebin.mozilla.org/2777139
aqme28|12 years ago
lelf|12 years ago
tormail.org amongst them it seems. It's used at times by users of one famous online store of particular substances.
Just info. It's their problem if db leaked and they didn't use encryption of course.
RivieraKid|12 years ago
duaneb|12 years ago
Is it possible to route TOR traffic over TOR?
__float|12 years ago
[1] Tor Browser Bundle: https://www.torproject.org/projects/torbrowser.html.en
cookiecaper|12 years ago
duaneb|12 years ago
D9u|12 years ago
iM8t|12 years ago
JulianMorrison|12 years ago
keyme|12 years ago
ghostdiver|12 years ago
andrewcooke|12 years ago
but yes.
n09n|12 years ago
unknownian|12 years ago
[deleted]
cjbprime|12 years ago
https://blog.torproject.org/blog/hidden-services-current-eve...
pygy_|12 years ago
http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf
mintplant|12 years ago
inDigiNeous|12 years ago
gts|12 years ago
abrichr|12 years ago
bobbydavid|12 years ago
The argument I've heard is that a frictionless child pornography market effects an increased financial incentive to traffic children.
sillysaurus|12 years ago
makomk|12 years ago
Previous discussion of malicious Javascript: https://news.ycombinator.com/item?id=6154246
kaoD|12 years ago
Shank|12 years ago
galapago|12 years ago
http://pastebin.mozilla.org/2777139
edit: Maybe it is a good idea to submit this link (or another related one) to discuss it in a new HN thread.
greenyoda|12 years ago
https://news.ycombinator.com/item?id=6156779
popee|12 years ago
People should stop using web/browsers for everything.
duaneb|12 years ago
cookiecaper|12 years ago
andrewcooke|12 years ago
marincounty|12 years ago
brador|12 years ago
D9u|12 years ago
lawl|12 years ago
[0] https://www.torproject.org/about/findoc/2012-TorProject-Annu...
duaneb|12 years ago
Paul12345534|12 years ago
quotemstr|12 years ago
belorn|12 years ago
joshfraser|12 years ago
http://pastebin.mozilla.org/2777139
synchronise|12 years ago
Zuider|12 years ago
>3. Bitcoin and all crypto currencies set to absolutely CRASH as a result since the feds can not completely control this currency as they please.
dlitz|12 years ago
Amarok|12 years ago
denzil_correa|12 years ago
ToothlessJake|12 years ago
[1] http://wiki.echelon2.org/wiki/Endgame_Systems
jenandre|12 years ago
dictum|12 years ago
LekkoscPiwa|12 years ago
badfile|12 years ago
bobbydavid|12 years ago
losethos|12 years ago
[deleted]
vertis|12 years ago
rogerthis|12 years ago