Anonymous Web-host shut down, owner arrested; Tor users compromised by Javascript exploit


What’s to keep the US government from forcing Mozilla to secretly add code to Firefox that spills all a user’s secrets? The same goes for Google, Apple, and Microsoft. There’s no such thing as real privacy on the Internet and anyone who thinks otherwise may be unpleasantly surprised one day.

My spouse is letting a full scan run on her machine over this. While I don’t fully trust Yahoo, Google, etc. to keep my information private, it is in their best business interest to keep the hackers at bay and keep things legal. The main problems are YOU HAVE TO TRUST SOMEONE (even yourself if you run your own box) and while you can encrypt things, if the other end of the message is on an owned machine then oops. I learned long ago, before the internet was known to me, thanks to a grandparent who did work for the DIA, that I already have a file and what they could find out before we had all this nice technology to help gather and filter evidence. I learned that if I don’t want it known, don’t say it, don’t write it down and definitely not on the internet.

There fixed that for you.

1 Like

Not my kind of the fix.

It’s kinda difficult to add “secret code” to “open source”. Not impossible of course, but the sneaking in of malicious code that masquerades as something perfectly innocuous is a fine art unto itself.

4 Likes

Yeah, I am cynical about it. I just don’t know what the good options are. All are compromises and essentially trusting someone to not be a fink. I do know that my oh so wonderful US Government is not the only one playing the spy on everyone game and I am not sure where one can go and still have civilization to escape it. It sucks, it is a mess, it needs to change but I am not sure if enough of the hoi polloi will get up in arms enough over it to make a change.

Glad this was used on pedos, but it’s also great for governments to out dissidents/activists.

Doesn’t seem like this worked on Mac. Also, I wonder if the exploit got around the bundled NoScript Add-on if it’s set up properly?

This is what the Tor project is saying so far:

https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting

That’s why it’s important when using a service like Tor to also use no-script. It surprises me that JS was re-enabled in TorBrowser; the people responsible for that move are probably kicking themselves.

If I were someone seriously interested in my privacy, I’d consider booting up a live CD/USB of Tails and connecting at a distant McDonalds. Luckily, I’m not a pedo and I doubt I’ll have to leak anything in the future.

My view may be colored by where I’ve seen it; but my impression is that TorBrowser is a victim of trying to be too many different things to too many different people.

If you are interacting with Tor on a ‘this-is-serious-stuff-life-and/or-liberty-are-on-the-line’ you really don’t want to be placing your trust in the whole blob of Firefox 17, much less with javascript enabled and conveniently packaged to run on the probably-compromised computer you use daily. That’s just a terrible plan. You want as little browser as you can possibly get away with, locked down as hard as it can be, on a minimal OS coming up from a read-only medium.

If, by contrast, you have learned that just dropping TorBrowser on a flash drive before you go to school/work is an easy way to punch through the firewall and get to Facebook, you don’t really care about any sophisticated attackers; but having contemporary web 2.0 fancy-features break will annoy you.

I don’t know how many people in the former category use TorBrowser; but a lot of people in the latter category do. In an ideal world, they wouldn’t drive decisionmaking; but they may represent enough sheer userbase to do so.

5 Likes

It would definitely help the gubmint get around all that pesky Tor/VPN obfuscation. The only thing stopping this type of collaboration is that any company that risked this would be sacrificing its brand if it ever became public knowledge. PRISM got Google and co. all up in a tizzy to claim they are not collaborating on that level. Yeah, I don’t believe it either. But I, and many others, have dropped google after this, and I hear their cloud services are suffering… here’s to continued suffering!

I really hope there’s a typo lurking in there.

first they came for the paedophiles . . . and that was just fine.

2 Likes

People need to realize that TOR should not be treated as safe when using it in the same environment/system as non-secure “normal” web apps and connections. Unless you REALLY know what you’re doing, IMHO TOR should ONLY be accessed through a live OS such as TAILS, the users of which were not exposed to this vulnerability: https://tails.boum.org/

2 Likes

hey all i used Tor just for a few days and browsed some of the .onion sites. i saw some pretty sick stuff that to me should never be allowed on Tor but that’s beside the point. anyhow i did not like what i saw and i also looked at the Tor mail that was compromised. i since removed Tor and its folder. can someone tell me does this thing exploit the whole system? or just Tor? and how would i tell if i got it? damn i knew i should never have looked at tor but curiosity killed the cat lol.

The FBI are on to you now. The SWAT teams will be there in 5 minutes. RUN! RUN FOR YOUR LIVES!

LOL you're funny :slight_smile: no seriously though how would you tell if you had this shit on your PC? i looked at tor for a few days and it was slow as hell so i left it behind.

I see what you’re saying, that’s probably what the devs were thinking.

I agree Tor should be run through something like Tails for people to really expect privacy. It really disturbs me that the devs would cater to the majority and put a minority* at enormous risk like this, especially considering anonymity was what the minority was promised. They really should be touting Tor Browser as a foolproof proxy, instead of anonymizer.

*There are definitely people who expect the tor browser to actually give them anonymity, they shouldn’t, but that is what’s being advertised.

I, and many others, have dropped google after this, and I hear their cloud services are suffering… here’s to continued suffering!

LOL

Dude… Prism simply rips a fat upstream dump of what’s coming across the line from your ISP meaning that no company is safe. What did you switch to? Is it any safer? Unless you did some security stuff yourself: probably not.

A full scan is probably pointless. This javascript exploit is simply aimed at getting a TOR user’s real IP, not for dumping malware on their machine. Anti-virus programs may eventually include the TOR Firefox javascript exploit in their virus/malware definitions but I would be massively surprised if they’re there already.