Yes, we know about the Guardian article

And also the Washington Post article.

We're planning to write up a more detailed analysis later, but for now here's a place to centralize all the "hey did you know about this article" blog comments.

And for the journalists out there who want a statement, here's my quote from the article:

"The good news is that they went for a browser exploit, meaning there's no indication they can break the Tor protocol or do traffic analysis on the Tor network. Infecting the laptop, phone, or desktop is still the easiest way to learn about the human behind the keyboard.

Tor still helps here: you can target individuals with browser exploits, but if you attack too many users, somebody's going to notice. So even if the NSA aims to surveil everyone, everywhere, they have to be a lot more selective about which Tor users they spy on.

Just using Tor isn't enough to keep you safe in all cases. Browser exploits, large-scale surveillance, and general user security are all challenging topics for the average internet user. These attacks make it clear that we, the broader internet community, need to keep working on better security for browsers and other internet-facing applications."

Anonymous

October 08, 2013


I love TOR, all developers and contributors of TOR and all the fine projects that continue to grow from it and from our other freedom-expanding and supporting ideas.
I love all who are for TOR as well as all folks in the NSA, including those who are against it – yes, I love them too – I love them unconditionally.

Yes, I love all folks, no matter whether they are my family or friends or, as most may choose to call them, “foes” – I love everybody deeply and unconditionally no matter what they do or say or think.

Please understand that those who are against Tor and free internet do it because of their fears and powerlessness that they experience pushing against the free will that everyone has, not only in our world but in all of our Galaxy, our Universe as well as other Universes: To be Free, to live in Joy while seeking Growth. (And there are uncountable numbers of worlds and civilizations. Creation is always expanding and growing each moment of NOW.)

Anonymous

October 08, 2013


Hi,
Isn't the "check.torproject.org" web page a HUGE security problem?

1) It gets loaded at the Tor startup, with javascript and cookies *enabled*

2) Drones could exploit TEMPEST to have a snapshot with the IP address of the exit node the user is using. (That's why I immediately press Ctrl+T and then I move the window to an edge so that I can't see the IP but I can only see if the text is green, and then I close the tab ;)

3) Since the NSA wants to infect the most Tor users' PC, couldn't it be reasonable to think that "check.torproject.org" could be a nice target to use? or maybe their *MAIN* target?
They are probably already using one of their fast servers to inject traffic, impersonating the real server. They are probably injecting malicious javascript code, to be able to infect a TBB at the very first link visited (check.torbrowser.org).

Someone could argue: "hey, but it's an HTTPS website"
But if I recall right, the CAs are private enterprises and maybe they're also forced to be collaborationists with the NSA.

So the only way to mitigate just a bit could be:
1) Press ESC immediately when the Tor-browser appears
2) Use Alt+F and then press "w" to go in Offline mode.
3) Disable javascript, cookies, and images (remember: the check page is the ONLY page they're 100% sure you'll visit via Tor!!)
4) Press Ctrl+N and then Ctrl+T
5) Now use the "anti-TEMPEST" remedy I proposed some lines ago. (Move the window so that it's possible to check if the text in the check page is *GREEN*.)
6) Close the tab containing the check page.
7) Have a nice browsing (eventually, you can re-enable the images at this point)

Oh, recently there's an extra page (aka "extra target" for the NSA). I'm referring to the "HTTPS everywhere page".
Maybe the right way to do this documentation thing could be to include that html file in the TBB so that this extra page gets loaded from the *local* file instead.

No, the Vidalia support is already long gone. We're shipping obsolete unmaintained garbage in TBB 2.x. I'm sorry we're still doing that to you. Soon it will be solved I hope!

We'll probably end up with instructions on how to hook up an old obsolete garbage Vidalia onto your TBB 3.x if you want to. And by "we" I mean folks like you will cobble the instructions together for yourselves I hope.

Or you should use Tails (or other Linux) and then the arm controller will work for you.

As Vidalia fades away, PLEASE, PLEASE, make some new way of visualizing the Tor circuits in real time. Running the circuits blindly is not wise.

Those of us who exclude the nodes by the country letter codes rely on that feedback to fine-tune the torrc config. Oftentimes something missed is caught by doing the visual inspection.
For instance, this is how the bug allowing the unidentified relays (having the {??} country flag) from the normally excluded countries was nailed and reported earlier this year.

Thank you.
(And sorry, I myself am not a programmer.)

I bet 1000 people would be overjoyed. And the other million users would never touch it or even understand what it is.

So, sounds great if somebody wants to work on it. Probably not the best use of our time. Also, remember that unless you get enough users using it, the fact that you're using it at all will contribute greatly to making you recognizable (the fact that you're using this thing rather than Tor Browser acts as a sort of cookie).

Isn't it simply all about headers? I mean, if I replicate the TBB headers with elinks or lynx or whatever, an eavesdropper will think it's the Firefox of TBB, right?

If you're talking about disabling javascript, well... it's something that many people also do on TBB. Many other people also disable the images (to go faster, and also because images are possible *attack* vectors).

What other aspects remain? CSS files? Header order? gz compression?

Anonymous

October 10, 2013


Does running Tor in Sandboxie help prevent 'agencies' from affecting my computer?

Anonymous

October 13, 2013


Did anyone test the scenario where the Tor circuits used 4 nodes instead of 3? Perhaps it would make hacking via the bulk node ownership more difficult while the CPU load increase were still acceptable?