Return Styles: Pseud0ch, Terminal, Valhalla, NES, Geocities, Blue Moon. Entire thread

malware in tor

Name: Anonymous 2013-08-04 19:30

Name: Anonymous 2013-08-04 19:33

https://www.google.com.au/search?q=tor+budget+sponsor
As of 2012, 80% of the Tor Project's $2M annual budget comes from the United ...

Name: Anonymous 2013-08-04 19:48

It'll be me e/g/ing with my /g/ros.

Name: Anonymous 2013-08-04 20:00

Name: Anonymous 2013-08-04 20:08

if the surface web roughly represents the public image of the  american government...

Name: Anonymous 2013-08-04 20:15

Not me. CP is bad - lolies shouldn't be hurt. I've been telling you this for a while now.

>>4
`Anonymous' ran a script to get the usernames of people on Lolita City. It was a rather pathetic action given how much they bragged about it. The FBI took over all of Freedom Host, then injected every site it hosted with a JS exploit to phone home to their servers with the real IP address. Something actually effective.

Still, this is not going to end well. Potentially thousands of people looking only for a link to the Silk Road are going to end up in prison with sentences exceeding that for actual child rape. And taking down TorMail seems uncalled for.

Also interesting how they timed this to coincide with DEFCON. Maybe they were upset about being snubbed and decided to strike when the people most likely to notice (let's face it, most pedos are not that bright) were away.

I'd be happier if they could get the places where new CP is posted, like a certain Russian site that's been up for 15 years. Those people are the really scummy ones who need to go away for life.

Name: Anonymous 2013-08-04 20:15

what does tor tell you?

Name: Anonymous 2013-08-04 20:39

It seems FBI was jelly of NSA's massive surveilance popularity and they wanted to show their 1337 skillz. I hope they'll start the rivalry and start hacking each other, it'd be lulz.

Name: Anonymous 2013-08-04 20:46

>>8
jelly
lulz

Do you have a Reddit account? I seriously want to subscribe to your posts, up/b/oat the shit out of everything you make, and lel with you.

Name: Anonymous 2013-08-04 20:48

What happened is that PRISM's existence was leaked.
The guys up top are doing damage control now. "BRING ME SOME COMPUTER CRIMINALS SO WE CAN JUSTIFY THIS SHIT!"

Name: Anonymous 2013-08-04 20:52

in a way that it injects some sort of JavaScript exploit in the Web pages delivered to users,"  Lewman wrote. "This exploit is used to load a malware payload to infect user's computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based.
Why you are NOT supposed to be running JS, or any programs on hidden services that you cannot look at the code. Are these people that stupid?

This has nothing to do with tor, but user stupidity.

Name: Anonymous 2013-08-04 20:59

>>11
It has something to do with Tor actually.
Torbrowser has noscript installed, but by default scripts are allowed globally.
If you block scripts globally, but then selectively allow some scripts to run you can create a uniquely identifying configuration that could be used to reduce your anonymity by attackers.
And blocking scripts globally, no exceptions, means that many websites simply won't work.

Name: Anonymous 2013-08-04 21:04

>>11
JS is enabled by default in the Tor browser bundle. They did it that way to make it more `usable', and recommend against disabling it, because it makes the browser look different that others. Also, they use an old version of FF.

A lot of blame does lay with the Tor Project.

Name: Anonymous 2013-08-04 21:08

>>8
Yeah, they're pretty jealous, as are every other agency with even a the most tangential relation to `National Security'.
http://www.nytimes.com/2013/08/04/us/other-agencies-clamor-for-data-nsa-compiles.html?ref=nationalsecurityagency&_r=0
Agencies working to curb drug trafficking, cyberattacks, money laundering, counterfeiting and even copyright infringement complain that their attempts to exploit the security agency’s vast resources have often been turned down because their own investigations are not considered a high enough priority, current and former government officials say.
The security agency’s spy tools are attractive to other agencies for many reasons. Unlike traditional, narrowly tailored search warrants, those granted by the intelligence court often allow searches through records and data that are vast in scope. The standard of evidence needed to acquire them may be lower than in other courts, and the government may not be required to disclose for years, if ever, that someone was the focus of secret surveillance operations.
But privately, intelligence officials at the drug agency and elsewhere have complained that they feel shut out of the process by the N.S.A. and the F.B.I. from start to finish, with little input on what groups are targeted with surveillance and only sporadic access to the classified material that is ultimately collected.

Name: can't handle all the 2013-08-04 21:43

>>12
The tor browser is one application of the tor network. It has real exploits which have yet to be patched:
https://trac.torproject.org/projects/tor/query

But that article is talking about how the FBI exploited a server that was initially breached (meaning they had all the server logs), to get IP addressed of the users that had enabled Javascript (out of all things). That is called user stupidity, not a problem with tor, not a problem with the tor browser, which both have many exploits available.

Knowledgeable users know that they should not be running anything at all anonymous networks, and if they have to, they should review it. If what you want is UI for the user on HTTP, don't do it in JS, just use html meta refresh with forms or WebDAV. Then again, that is what they get for using HTTP, and not implementing REST. You want something anonymous and UI friendly in a tor network, use things like CVS, NNTP, STOMP, SSH/telnet clients, gopher?, and Freenet clients, and have all the CRUD you ever need for your data, with minor configuration to remove logs. And with Journalling file systems, you can have a self healing system if a binary application, which should be isolated from other applications, gets altered or removed. I'd assume the owner of Freedom Hosting knows nothing about system administration to had it breached before it was shutdown, unless it was a honey pot service since inception. Did the owner even have backups on other servers, spread across the globe? 

The only props I yield to OP is that he reposted the blog post:
https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting

JS, out of all things. Sigh.

Name: Anonymous 2013-08-04 21:49

>>15
You know nothing.

Name: Anonymous 2013-08-04 22:07

>>15
The way of browsing the internet using Tor that is recommended by the Tor project is to use their browser as is, no configuration modifications.
This recommended configuration is easily defeated by a dishonest webserver.
The Tor project even warns against disabling javascript.
It has plenty to do with them because they were promoting insecure practices amongst users who trusted them.

That being said I think they're working on a "security slider" for the torbrowser to fix this by allowing the user to select from several different pre-configured levels of security.

Name: Anonymous 2013-08-04 22:53

this looks pretty bad. What are the benefits of everyone using the same settings regardless? Aren't consistent browsing habits alone enough to establish a pseudo identity?

Name: Anonymous 2013-08-04 23:33

>>18
>Aren't consistent browsing habits alone enough to establish a pseudo identity?
That's actually a pretty good point.

Name: Anonymous 2013-08-05 0:31

>>17
Then update their wiki, and mention it. The title of this thread should be called: exploit with JS on Tor browser, or malware in JS. This is also why I use I2P and Freenet for my hidden services, not that Tor shit. Yes, even a Socks proxy hidden gateway.

>>18
For general public, not yet ready. And yeah, the way browsers are being built to send client information in HTTP is pretty much a killer in identifying an user, even if in a firewall/proxy. Why often I bark at most HTTP servers requesting shit they should not have to, and client giving information they shouldn't. Since the inception of HTTP, it's purpose was not anonymity. Actually, tor does not even qualify for that thread level:
https://www.torproject.org/projects/torbrowser/design/

Name: Anonymous 2013-08-05 2:04

>>20
I've always been afraid of running i2p because it's written in pig java and is less popular than tor (which means less auditing).

Name: Anonymous 2013-08-05 2:10

Tor was never meant to have hidden services. It was a hack from the beginning. If you want a real hidden service method, then get rid of HTTP entirely.

Name: Anonymous 2013-08-05 2:26

>>22
okay, then find me a non-shit HTTP alternative (assuming JS disabled).

Name: Anonymous 2013-08-05 2:40

>>23
TFTP.

Name: Anonymous 2013-08-05 2:53

>>21
Then help me make it in sane languages like Haskell, OCaml, StandardML, Scheme, Common LISP, Erlang, etc.

>>22
THANK YOU. BECAUSE OF THAT POST, I WILL GIVE YOU A GIFT I FOUND WHILE SEARCHING STUFF:
http://en.wikipedia.org/wiki/N.EX.T
https://www.youtube.com/results?search_query=n.e.x.t+korean+band
THEY ARE AMAZING. I CANNOT BELIEVE I MISSED THEM. I AM CRYING LISTENING TO:
https://www.youtube.com/watch?v=YmK8hhH5yKU

>>23
I think I gave you more than enough:
https://dis.4chan.org/read/prog/1375659016/15,20

>>24
LOL!

Name: Anonymous 2013-08-05 3:00

>>22
This hasn't anything to do with the implementation or design of hidden services, it's all to do with the implementation and design of HTML.

Name: Anonymous 2013-08-05 3:01

>>25
I wouldn't exactly call Haskell sane, but I agree for the rest.

Name: Anonymous 2013-08-05 3:05

>>22
Bretty sure It's not limited to HTTP.
It's limited to TCP.
Herpaderp.

Name: Anonymous 2013-08-05 3:16

>>26
implementation and design of Javashit
FTFY.
I would also include HTTP, but hey, it up to the HTTP server to ask the UserAgent information or not. And definitely of the sys-admin not allowing anything to be executed on the client that can not be screened by both parties before execution. Doing such is analogous to doing the follow in RL: "Let me give my hang my wallet open around my neck, go to the store bare, and let the front door clerks take care of it from me while I shop."

>>27
If not Haskell, then what do you pick? I rather not work on this alone, since I am busier than a mule.

>>22
THEY EVEN MADE THE MUSIC FOR GUILTY GEAR XX #RELOAD! HOLY SHIT, HOW DID I MISS THEM‽

Name: Anonymous 2013-08-05 3:52

>>23

Gopher is actually pretty good and doesn't need javascript. It is a much more structured and sane protocol than http.

Name: Anonymous 2013-08-05 4:03

I'm bothered that people will be going to jail due to an exploit in firefox.

Name: Anonymous 2013-08-05 4:09

>>31
either jail your processes or you will be.

Name: Anonymous 2013-08-05 4:13

>>32
That would have done nothing in this case. What it appears to do is get around the proxy configuration and contact FBI servers, so it never needs to leave FF.

Name: Anonymous 2013-08-05 4:21

>>33
There was something that could have helped, but I forget the name of it now. It connected a virtual machine to tor, and you would run your applications within the virtual machine. So they would have had to first exploit firefox, get control of the virtual machine, and then exploit the virtualization software, and then phone home.

Name: Anonymous 2013-08-05 4:25

never trust software.

Name: Anonymous 2013-08-05 4:28

>>34
I think that's called ``iptables''.

Name: Anonymous 2013-08-05 4:31

>>36
That's not quite the same strength. If you got root control of the virtual machine you still wouldn't be able to escape tor without exploiting the virtualization software.

Name: Anonymous 2013-08-05 4:32

>>37
Who said iptables was running in the VM?

Name: Anonymous 2013-08-05 4:32

>>36
lel.

Name: Anonymous 2013-08-05 4:39

>>35
At some point you have to trust software. Whether you are a consumer transferring a credit card number, or a government worker trying to keep their data safe from enemy hands, or a pedo trying to view cp in a country where it is illegal. The only other option is to not use software for your purpose, or not use it at all, which is becoming less of an option. Pedos have the obvious solution of just not seeking cp. The difference here is the pedos go to jail, while the consumer with the stolen identity just go through some trouble to straighten out the confusion. We are used to security loss being an inconvenience, but to some it could be life and death.

Newer Posts
Don't change these.
Name: Email:
Entire Thread Thread List