Yes, we know about the Guardian article

And also the Washington Post article.

We're planning to write up a more detailed analysis later, but for now here's a place to centralize all the "hey did you know about this article" blog comments.

And for the journalists out there who want a statement, here's my quote from the article:

"The good news is that they went for a browser exploit, meaning there's no indication they can break the Tor protocol or do traffic analysis on the Tor network. Infecting the laptop, phone, or desktop is still the easiest way to learn about the human behind the keyboard.

Tor still helps here: you can target individuals with browser exploits, but if you attack too many users, somebody's going to notice. So even if the NSA aims to surveil everyone, everywhere, they have to be a lot more selective about which Tor users they spy on.

Just using Tor isn't enough to keep you safe in all cases. Browser exploits, large-scale surveillance, and general user security are all challenging topics for the average internet user. These attacks make it clear that we, the broader internet community, need to keep working on better security for browsers and other internet-facing applications."


That said, we're still on Firefox 17-ESR right now because of the many major privacy problems in Firefox 24-ESR.

I do not understand why Tor developers have to keep up with Mozilla's releases of Firefox.

The adage "If it ain't broke, don't fix it" should apply to TBB.

If Firefox 17-ESR is able to provide 100% anonymity without any vulnerabilities/exploits, I will use it over any more recent version of Firefox.

Perhaps arma could explain to us the need for Tor developers to always use the latest version of Firefox for TBB. And perhaps Mike would be free to focus on other more urgent and important tasks.

Right, I think there's no need to strictly follow the new Firefox versions' features.

Why can't Tor simply take a Firefox version and stick with that, repairing its bugs each time they appear?

New version = New bugs.

and also:
New version = New features

I'd really prefer fewer "new features" if it comes with fewer bugs!

The trouble is that Mozilla drops support for them. It's a forced upgrade path, since they keep dumping new features in and they barely have time to keep up with the vulnerabilities introduced.

So, FF17 will soon be obsolete and vulnerable to known attacks that nobody has fixed. Just like FF10 is already that way.

We'd love to find a browser that normal people like to use that doesn't suffer from this problem. By 'normal people' I mean that we're aiming to have something useful for millions of people, not something that only thousands find usable. But the simple fact is that browser security is a disaster yet you need one for the web.

To be even clearer, we're *already* using the "stay behind as much as we can while still having it be supported" approach. Firefox puts out a new version every six weeks, and we stick to the old one as long as we can. You can read about ESR here:
http://www.mozilla.org/en-US/firefox/organizations/faq/

To quote beloved arma, "Application-level security is a disaster these days."
There is no "forced upgrade path." The longer Tor devs stick with, refine and make more secure ONE unbloated FF version, the LESS work it is for them to keep up and the more secure the TBB will be. Debian security repos have always taken this approach and it's not because they are dim. Also arma, the US military takes the approach I suggest. Any military officer loading constantly new, untestable bloat-browsers into the closed network would be fired, then shot... maybe not in that order.

Debian gave up on that model, because Firefox gives them no other choice.

Also, the military certified Windows for use in these situations, and nobody got fired/shot over that.

Anyway. I guess the constructive way to say it is that dealing with all the new bugs in new Firefox releases is still less work than maintaining the old obsolete Firefox, by ourselves, with all of its bugs.

Windows and Linux are EAL 4+ certified... they can defend against "inadvertent and casual" security breach attempts (Chandler). The military here, for all critical systems applications is using INTEGRITY-178B RTOS (from Green Hills) operating systems. They never use Windows in work-or-die applications.

Anonymous, October 05, 2013

But the FH servers were exploited after they located its owner through non-technical means, or is that just parallel reconstruction? Either way the exploit was OLD and had already been patched by the time they released it; I would hardly call that some sort of military super weapon.

Yeah, I think it's safe to assume that the FBI can contract to some dude in SAIC or wherever to scrape together a web exploit for a vulnerability that's been known for a month. Application-level security is a disaster these days.

As for parallel reconstruction on the FH case, who the heck knows. They gave us just the facts they wanted to give us. Maybe it'll become clearer over the coming years.

Anonymous, October 05, 2013

Excuse me, I've a question: if we disable all the scripts through NoScript, we are hypothetically safe from browser attacks, right?

I'm sorry, but I think it isn't right. JavaScript is just one road to attack through a browser, perhaps the broadest one, but there is more code that can be searched for weaknesses, for example the libraries used to render images. What I mean is that there can be vulnerabilities everywhere, but disabling JavaScript certainly closes a door. I'm not so sure about how it can affect your anonymity, though. I'm afraid that this could lead to two identifiable groups of Tor users: the group with JavaScript enabled and the one with JavaScript disabled, thus reducing the number of people you can blend with. I'm just guessing, though.

NoScript also secures other features, not only JavaScript (IMO).

Maybe a better approach could be:
1) leave NoScript as it is. (leave the default setting)
2) disable JavaScript via menu (Edit->Preferences->Content)

But if you decide to disable "all" scripts through NoScript, keep in mind that NoScript has a whitelist that contains youtube/google/mozilla and some other domains. You'll probably want to disable them (delete 'em from the whitelist) as well.

Anonymous, October 05, 2013

It is interesting that the NSA specifically mentioned using JavaScript and cookies as ways to get what they want. If one had JavaScript disabled, "torsploit" wouldn't have executed.

We have known for years that in order to surf safely, one has to disable JavaScript and cookies, and even referrers. Seems that got lost along the way.

Are you sure?

JavaScript/cookie-less browsers are *not* vulnerable? I doubt it.

Btw, I think it could be a nice idea to have a sort of TBB-textonly based on some text-only browser (like elinks, for example).
Maybe it's easier to implement and it could be much more secure compared to Firefox.

elinks has no Java/JavaScript support. It also doesn't load images (you decide what image you want to view and then it gets downloaded and opened by your preferred image viewer, like "feh" or "xli" or "fbi" etcetera). elinks is also *very* fast and customizable.

Anonymous, October 05, 2013

I've got a question concerning this article: http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-onli…

There it says: 'FoxAcid servers also have sophisticated capabilities to avoid detection and to ensure successful infection of its targets. One of the top-secret documents provided by Snowden demonstrates how FoxAcid can circumvent commercial products that prevent malicious software from making changes to a system that survive a reboot process.'

'Malicious software that survives a reboot process' sounds bad. Imagine the following scenario: a user with Windows uses TBB for his everyday tasks, and for sensitive research or communications he uses Tails on the same machine. Imagine his Windows was infected by such malicious code. Is it possible that the malware is leaking through the freshly rebooted Tails or any other live system?

"Survive a reboot process" simply means that the infected OS (or, in a rare/unverified case, the MBR) loads the virus code during the next reboot.

Usually, once an attack is done your PC will have the malicious code in memory.
"Persistent" means that the malicious code "saves" itself on the hard disk, mainly to be able to execute again during the next reboot.

If by "using Tails" you mean "using CD or USB to boot Tails", then you're not going to load that virus again.

The safest way ever? Simple, keep the virus code unavailable to Tails:
1) power off the PC.
2) remove the battery and power cable
3) press the power button 2 or 3 times (to discharge it)
4) leave the PC alone for 6 or (better) 10 minutes, so that the RAM loses all its data
5) while waiting the 6 (or 10) minutes, you can physically disconnect your hard disk (remove its cables), so that if it's infected you won't risk accessing it while using Tails.

This is a good (and maybe excessively cautious) way.
Anyway, Tails usually doesn't automatically mount the internal hard disks.

In 90% of cases, normal users can simply reboot and insert the USB/CD Tails and it's ok ....
... but if you think the NSA considers YOU an enemy(**) ... maybe you'd better follow the "long procedure" I described ;)

(**) "enemy", in the case of the NSA means: all people that disapprove the Gestapo-like mass-surveillance made by the NSA.
By this definition, if you are an antifascist be aware they consider you an enemy.

Sure, RAM can be powered off, and the hard drive untouched. But what about the trick of storing the virus code in the video adapter? It was a university research project using Nvidia hardware. Sorry, I don't remember the details or the URL - do your own web search.

While here... if you had a significant budget and unlimited "national security" pressure on the vendors, why not use some other hardware (i.e., a popular BIOS brand) to develop a way of storing there something small that survives the reboot?

On the similar near-paranoia subject, sometime ago I was playing with a simple radio scanner near my Intel-made Core i7 system. When the scanner is near, it picks up some definite periodic radio broadcasts. Go figure what's in your hardware nowadays. :-)

Anonymous, October 05, 2013

Based on my limited understanding (I am not IT trained) of the FoxAcid system as described in The Guardian

http://www.theguardian.com/world/2013/oct/04/tor-attacks-nsa-users-onli…

it would seem that the best way for the Firefox in TBB to avoid being "exploited" or "compromised" is to use the Tails Live DVD (write-once DVD media).

Correct me if I am wrong: the NSA is unable to inject malware into TBB's Firefox if the latter is on a Live DVD such as Tails.

Anonymous, October 05, 2013

Hey arma, what you can do right now is produce an easy how-to guide for making your own internal Tor and bridge relays to encourage more people to do so. The slides revealed they are unwilling to attack existing relays and would prefer to just flood the Tor network with their own relays that redirect traffic into the GCHQ network for analysis. If you are unlucky enough to connect to one of their relays as the first hop it's game over, so we should all be making our own.

Torservers.net has a step by step guide to doing this for an exit relay but not a bridge or internal relay. Could also use puppet config to automatically deploy relays on VPSs not located in US, UK, or other "5 eyes alliance" countries.

As for TBB, you are in a privacy arms race to keep up with ~70,000 professional crypto engineers and exploit writers who are employed by those 5 agencies; you can't win. Distribute a text shell browser and maybe you can hold them off, and activists can use it to sign up for email instead of getting blasted with Java/JavaScript vulnerabilities.

I agree.

A text browser (like lynx/elinks/xlinks etc.) could be the real (and long term) solution.

I'd like to find some instructions to modify, for example, the elinks config so that it appears and acts basically like the TBB without JavaScript and images.

Changing the UserAgent is trivial, but there's also the problem of the headers' order and some headers to omit or to add.

Maybe later today I'll try to post a config here if I find the way to config it right ;)

Anonymous, October 05, 2013

All I can say is use Tails without a hard drive, surf with JavaScript turned OFF, all the while sitting in a van at McDonald's using free wireless, and NEVER giving out personal info. What could be safer?

lol you made me laugh cause I do pretty much the same thing. Just buy a USB wifi modem to increase the range, change your MAC address, don't have any important stuff on your persistence volume and you're sweet as

Avoiding McDonald's wireless.
That would be safer. (Always avoid corporate apparatus, they're part of the surveillance.)

You could also buy a good directional antenna and sit on your sofa using the wifi network of some unknown neighbour ;)

or, why not, a free wireless network. (but it's way too boring :! )

Anonymous, October 05, 2013

"Proposed eventual change will kill identification!

- Each Tor node will generate random-ish signatures in a volatile
way specifically designed to look like normal website TLS traffic!"

Is this change already in the unstable version?

Anonymous, October 05, 2013

The check.torproject.org server has been unreachable for a few hours. All those "is it down or is it just me?" websites confirm it. I was expecting something on here about it.

I'm sure it's all perfectly innocent and nothing is wrong. Can anyone else confirm or deny it?

I can only confirm that I had the same problem.

But I can't say if it was down or if it was the NSA blocking/altering access to it.

The message I've read on that page was something like "you don't appear to be connected through the Tor network"
and then there was "my" Tor IP address (an IP from Bulgaria).

Anonymous, October 05, 2013

I am unable to use Tor. When it tries to check Tor, I get a timeout error and a message that my version of Tor (the latest version) cannot be confirmed to be a Tor node, a timeout error, or an HTML 500 error. Is Tor down? Was it shut down by the US Government similar to Lavabit when the Guardian reported that it was used by Edward Snowden and had emails stored in encrypted form on their server for privacy?

Anonymous, October 06, 2013

What if that document is a big-big FAKE? We have known Tor since 2002, and they can't make an exploit in 11 years already? O_o

Anonymous, October 06, 2013

Arma,

Please be honest, do you really think some "interns" at the NSA, can, in theory, undermine TOR? Is TOR that fragile? I hate to say it, considering all the effort that has been put into this project, but you are starting to sound like Richard Christman (http://quicksilvermail.net/). Is TOR now as vulnerable as qsl, qs, and JBN2 (panta` mod) and JBN original from RProces? I'd TRULY appreciate your comment arma. Should I open port 9000 for Flashproxy? That sounds like a great idea (https://crypto.stanford.edu/flashproxy/).

Still awaiting arma's response. FYI, no response is also a response. Blame it on the "interns". That's a good one. I'll be sure to open as many ports as Tor requests. Port 9000 for Flashproxy - maybe you'd like root access too.

Sorry, I've been busy doing actual work and haven't made time for accusatory blog comments.

Maybe I answered your questions at
https://blog.torproject.org/blog/yes-we-know-about-guardian-article#com…
?

As for setting yourself up as a Flash Proxy client, if you need to use Flash Proxy in order to reach the Tor network, yes; otherwise you don't need it (but feel free to experiment with it -- as always we need help making everything in the Tor ecosystem better).

Anonymous, October 06, 2013

At this pace Tor will be toast and join history if there is no drastic change to catch up.

It might have been history already, who knows. These leaks are just the tip of the iceberg.

Anonymous, October 06, 2013

Arma,
I recently downloaded the Tor Browser Bundle and was surprised to see that it seems to be disabling JavaScript. I read in the Tor Project FAQ that it disables all scripts BUT JavaScript by default. When I go to the same websites in regular Firefox, they work fine. Do you know why TBB seems to be disabling JavaScript? Did I misinterpret the FAQ or is it out of date? Please forgive my ignorance, I am trying to learn. Thanks for your time.

Anonymous, October 06, 2013

The paper "Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization" was released in May 2013:
http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf

It describes how to get the IP of a Hidden Service in the chapter:
"VI. OPPORTUNISTIC DEANONYMISATION OF HIDDEN SERVICES"

I would like a response from someone in the Tor Project about this.
Could this be how they got Silk Road and Freedom Hosting?

It is a real attack. It's the same attack as described in these two papers:
http://freehaven.net/anonbib/#wpes12-cogs
http://freehaven.net/anonbib/#ccs2013-usersrouted

I wrote a background blog post here:
https://blog.torproject.org/blog/lifecycle-of-a-new-relay
and stay tuned for my upcoming blog post to explain more what we need to do to solve it. (It keeps getting delayed because I'm distracted doing other work.)

And oh, you asked whether this attack was used to find Freedom Hosting or Silk Road. As far as we can tell, no -- they were vulnerable to even easier (out of band) attacks. See e.g. https://blog.torproject.org/blog/tor-and-silk-road-takedown#comment-356… for more thoughts.

Anonymous, October 06, 2013

A basic Vidalia feature is missing: a quick lockout for any nodes or exits the user deems unsavory. Thanks.

note: the CAPTCHA was wrong. Pi are round, not square.
Also, why are you requiring installing cookies on my box to verify captchas?

Anonymous, October 07, 2013

Proven Facts:

1. You can copy cookies and parse form data and map them to domains from any Tor node, yes, the very middle one even. In fact any data that comes across in any node is vulnerable unless TLS is used, and even then you're talking about the world's most powerful security agency. You just can't map client IP data unless on first & last, but who cares. Remember that cookies and host data are just HTTP headers..

2. There is a gaping security hole that allows cookie access to system installs of FF.. somebody cut corners in Tor dev..

3. Tor "portable" FF isn't portable; buffer overflows write outside of any hook system with no special code..

4. Tor encryption is worthless... why, you ask? Each node can decrypt and encrypt and even manipulate routing by design.

Anonymous, October 07, 2013

Would it be possible to protect the Tor/Tails website with an Extended Validation (EV) Cert as described here https://www.grc.com/fingerprints.htm ?

At least then, when visiting the site with Firefox or Chrome users could be sure that they're not subject to a MITM attack and the website/downloads are less likely to have been tampered with (obviously this excludes the possibility that someone has gained access to the server and altered the data there but I imagine this would be caught fairly quickly).

We'd still need to verify the signatures of downloads, which is problematic as we have to do that by downloading another file but again, with the elimination of the possibility of a MITM attack it would reduce the risk of that being tampered with too.

Anonymous, October 07, 2013

Where can I find out how to inspect my computer to see if it has any NSA malware on it? Will regular anti-virus get the job done?

Anonymous, October 07, 2013

Let's not forget one thing. Tor itself is a project to deliver military-grade anonymity and encryption, isn't it?

It was initially started by the United States Naval Research Laboratory, a branch of the Navy. They developed Onion Routing and financed it some years ago. Which means the military started Tor; secure communication is crucial for them. But we need it too.

So, is it a wonder it isn't easy for the NSA to identify Tor users?

No, if you read that blog you will realize how screwed everybody is on the Internet.

Tor still helps -- they have to resort to attacks like that one, and they have to target individual Tor flows without knowing who they're targeting.

Without Tor, the attacks are even easier.