Silk Road forums
Discussion => Security => Topic started by: CheapestCocaine on August 05, 2013, 09:55 am
-
So I am hoping many of you have heard the unfortunate news of the founder of Freedom Hosting being arrested, and the American government, I believe the FBI in particular, have compromised TOR to exploit Firefox 17 and up and Windows NT. I am by no means a hacker and frankly Im on the verge of shitting my pants because I dont know exactly what this means.
What the fuck do we do? Can we download an older version of the TOR browser bundle? Please everyone share your thoughts on this, all of our freedoms are at risk here.
I just unchecked the box in preferences>content that says "Enable Javascript." Is this sufficient??
-
So I am hoping many of you have heard the unfortunate news of the founder of Freedom Hosting being arrested, and the American government, I believe the FBI in particular, have compromised TOR to exploit Firefox 17 and up and Windows NT. I am by no means a hacker and frankly Im on the verge of shitting my pants because I dont know exactly what this means.
What the fuck do we do? Can we download an older version of the TOR browser bundle? Please everyone share your thoughts on this, all of our freedoms are at risk here.
I just unchecked the box in preferences>content that says "Enable Javascript." Is this sufficient??
They are after child porn sites. No doubt as some point they will go after SR but right now, their 'Operation DEFCON' is targeted towards paedophiles.
-
A) The latest version of ToR (17.0.7) has the exploit fixed. So if you have the latest version there is nothing to worry about.
B) In any case disable Javascript in ToR. It's very easy to do and anyway it makes no sense that the ToR bundle ships with Javascript enabled.
C) No, using an earlier version of ToR would be a REALLY BAD idea. Use the latest (btw also previous version earlier than 17 are affected, where do people got the thing that only 17 onward is?) and always update when ToR bundle tells you to do so because this step ensures the BEST security when using it.
Yes, this thing is not good, but I really think that only a small amount of users have been involved. If you don't use Windows you had no issue. If you had the latest version of ToR you had nothing to worry about no matter JS or not. If you had JS disabled (as many of the most security prone users here have) then you have nothing to worry about. The exploit is neither foolproof so in any case there's a chance that you got not affected anyway. If you encrypted your emails in Tormail then you are much probably safe in any case. And probably you are safe anyway because it can be that this bust was made appositely to catch some people and nothing more. So you see, as I said, I really think that just a very tiny amount of people have to worry about and actually probably only those they did specifically go against (that concern CP).
So, it's good to be attentive of the thing but let's not start a panic when not due. Actually I think this thing has given people a good "wake up" in matters of security so that many will start using measures to increase it and this is good. Sometimes you need these sort of things for people to act because when matters are only in the field of "theoretic danger" people are sometimes to lazy to do the proper steps; when instead some fact happens then people immediately jump on the proper steps to avoid it.
-
Is actually targeted toward Freedom Hosting, which hosts a lot more than CP. But just because the Nazis come for the Jews first doesn't mean they wont come for you next.
-
True, but starting a panic is counterproductive.
I actually consider this thing a good thing because finally it will make people much more concerned about their security. I don't really think many people have something to really worry about this (and I hope I'm right) but it's anyway a good "wake up" for people that this is not a joke.
I see people here that used very obsolete versions of ToR, people that didn't encrypt their sensible info and trusted a third-party site, people that didn't know the difference between having JS enabled or not, people (and even worse vendors) that just used ToR bundle and that's it thinking they are secure just for this etc. etc.
It is time that people start to gather their act and I think a fact as this is a best way for people to start understanding that security is VERY important and there are people that are always trying to exploit your weakness on those points.
-
I take it TorDir was also hosted there? It's down as well. Any other good directories?
-
True, but starting a panic is counterproductive.
I actually consider this thing a good thing because finally it will make people much more concerned about their security. I don't really think many people have something to really worry about this (and I hope I'm right) but it's anyway a good "wake up" for people that this is not a joke.
I see people here that used very obsolete versions of ToR, people that didn't encrypt their sensible info and trusted a third-party site, people that didn't know the difference between having JS enabled or not, people (and even worse vendors) that just used ToR bundle and that's it thinking they are secure just for this etc. etc.
It is time that people start to gather their act and I think a fact as this is a best way for people to start understanding that security is VERY important and there are people that are always trying to exploit your weakness on those points.
Just a few more posts and I'll be able to give you the karma points your post deserves.
-
+1 for Blackiris post!
-
I was MIA for a couple of days, and I come back to this. Stunned. That's all I can say.
Thank God I usually keep scripts disabled and I run Linux (the exploit appears to target Windows specifically). All you Tails users were safe, too.
BTW, I have argued multiple times on this forum that hidden services are just as capable of serving malicious code as clearnet sites, but they have more incentive to do so, because they know their users (and operators) want to be anonymous for fairly important reasons. You should enable NoScript at least on all hidden services, while I believe in general browsing large clearnet sites is safer.
The other take away from this is that we now know the FBI hasn't cracked Tor. They had to deliver an application-level exploit, and they were lucky that the FH admin was insecure enough to use Windows, which we know he did because of the version string in his PGP key.
-
So if I'm reading the reports correctly, the JavaScript exploit was only live for a few days, after they seized the FH server. That means they must have identified it some way (I thought they hacked the server to add the exploit). That is worrying, but I think it's still more likely they used application level exploits to identify Tormail and/or FH, rather than an attack on the Tor network.
-
So if I'm reading the reports correctly, the JavaScript exploit was only live for a few days, after they seized the FH server. That means they must have identified it some way (I thought they hacked the server to add the exploit). That is worrying, but I think it's still more likely they used application level exploits to identify Tormail and/or FH, rather than an attack on the Tor network.
I wondered why you hadn't posted about this. Hope you can come up with some countermeasures. we shall start by downloading the new Tor (17.0.7) and wait with abated breath.