What’s to keep the US government from forcing Mozilla to secretly add code to Firefox that spills all a user’s secrets? The same goes for Google, Apple, and Microsoft. There’s no such thing as real privacy on the Internet and anyone who thinks otherwise may be unpleasantly surprised one day.
My spouse is letting a full scan run on her machine over this. While I don’t fully trust Yahoo, Google, etc. to keep my information private, it is in their best business interest to keep the hackers at bay and keep things legal. The main problems are YOU HAVE TO TRUST SOMEONE (even yourself if you run your own box) and while you can encrypt things, if the other end of the message is on an owned machine then oops. I learned long ago, before the internet was known to me, thanks to a grandparent who did work for the DIA, that I already have a file and what they could find out before we had all this nice technology to help gather and filter evidence. I learned that if I don’t want it known, don’t say it, don’t write it down and definitely not on the internet.
There fixed that for you.
Not my kind of the fix.
It’s kinda difficult to add “secret code” to “open source”. Not impossible of course, but the sneaking in of malicious code that masquerades as something perfectly innocuous is a fine art unto itself.
Yeah, I am cynical about it. I just don’t know what the good options are. All are compromises and essentially trusting someone to not be a fink. I do know that my oh so wonderful US Government is not the only one playing the spy on everyone game and I am not sure where one can go and still have civilization to escape it. It sucks, it is a mess, it needs to change but I am not sure if enough of the hoi polloi will get up in arms enough over it to make a change.
Glad this was used on pedos, but it’s also great for governments to out dissidents/activists.
Doesn’t seem like this worked on Mac. Also, I wonder if the exploit got around the bundled NoScript Add-on if it’s set up properly?
This is what the Tor project is saying so far:
https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting
That’s why it’s important when using a service like Tor to also use no-script. It surprises me that JS was re-enabled in TorBrowser; the people responsible for that move are probably kicking themselves.
If I were someone seriously interested in my privacy, I’d consider booting up a live CD/USB of Tails and connecting at a distant McDonalds. Luckily, I’m not a pedo and I doubt I’ll have to leak anything in the future.
My view may be colored by where I’ve seen it; but my impression is that TorBrowser is a victim of trying to be too many different things to too many different people.
If you are interacting with Tor on a “this-is-serious-stuff-life-and/or-liberty-are-on-the-line” you really don’t want to be placing your trust in the whole blob of Firefox 17, much less with javascript enabled and conveniently packaged to run on the probably-compromised computer you use daily. That’s just a terrible plan. You want as little browser as you can possibly get away with, locked down as hard as it can be, on a minimal OS coming up from a read-only medium.
If, by contrast, you have learned that just dropping TorBrowser on a flash drive before you go to school/work is an easy way to punch through the firewall and get to Facebook, you don’t really care about any sophisticated attackers; but having contemporary web 2.0 fancy-features break will annoy you.
I don’t know how many people in the former category use TorBrowser; but a lot of people in the latter category do. In an ideal world, they wouldn’t drive decisionmaking; but they may represent enough sheer userbase to do so.
It would definitely help the gubmint get around all that pesky Tor/VPN obfuscation. The only thing stopping this type of collaboration is that any company that risked this would be sacrificing its brand if it ever became public knowledge. PRISM got Google and co. all up in a tizzy to claim they are not collaborating on that level. Yeah, I don’t believe it either. But I, and many others, have dropped google after this, and I hear their cloud services are suffering… here’s to continued suffering!
I really hope there’s a typo lurking in there.
first they came for the paedophiles . . . and that was just fine.
People need to realize that TOR should not be treated as safe when using it in the same environment/system as non-secure “normal” web apps and connections. Unless you REALLY know what you’re doing, IMHO TOR should ONLY be accessed through a live OS such as TAILS, the users of which were not exposed to this vulnerability: https://tails.boum.org/
hey all i used Tor just for a few days and browsed some of the .onion sites. i saw some pretty sick stuff that to me should never be allowed on Tor but that’s beside the point. anyhow i did not like what i saw and i also looked at the Tor mail that was compromised. i since removed Tor and its folder. can someone tell me does this thing exploit the whole system? or just Tor, and how would i tell if i got it? damn, i knew i should never have looked at tor but curiosity killed the cat lol.
The FBI are on to you now. The SWAT teams will be there in 5 minutes. RUN! RUN FOR YOUR LIVES!
LOL you’re funny, no seriously though, how would you tell if you had this shit on your PC. i looked at tor for a few days and it was slow as hell so i left it behind.
I see what you’re saying, that’s probably what the devs were thinking.
I agree Tor should be run through something like Tails for people to really expect privacy. It really disturbs me that the devs would cater to the majority and put a minority* at enormous risk like this, especially considering anonymity was what the minority was promised. They really should be touting Tor Browser as a foolproof proxy, instead of an anonymizer.
*There are definitely people who expect the tor browser to actually give them anonymity, they shouldn’t, but that is what’s being advertised.
I, and many others, have dropped google after this, and I hear their cloud services are suffering… here’s to continued suffering!
LOL
Dude… Prism simply rips a fat upstream dump of what’s coming across the line from your ISP, meaning that no company is safe. What did you switch to? Is it any safer? Unless you did some security stuff yourself: probably not.
A full scan is probably pointless. This javascript exploit is simply aimed at getting a TOR user’s real IP, not for dumping malware on their machine. Anti-virus programs may eventually include the TOR Firefox javascript exploit in their virus/malware definitions but I would be massively surprised if they’re there already.