×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

TOR Wants You To Stop Using Windows, Disable JavaScript

timothy posted about 8 months ago | from the so-say-we-all dept.

Security 341

itwbennett writes "The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network. The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network. 'Really, switching away from Windows is probably a good security move for many reasons,' according to a security advisory posted Monday by The TOR Project."

cancel ×
This is a preview of your comment

No Comment Title Entered

Anonymous Coward 1 minute ago

No Comment Entered

341 comments

Firefox (0, Troll)

colinrichardday (768814) | about 8 months ago | (#44485885)

As firefox disallows the disabling of javascript, perhaps TOR users should avoid firefox.

Re:Firefox (4, Informative)

The MAZZTer (911996) | about 8 months ago | (#44485909)

Firefox allows it, as does every major browser. But it is not the default, because it is incredibly inconvenient considering how many websites rely on it. There are tools to make it easier for Firefox and Chrome but it is still a bit of a bother.

Security professionals generally missing the point (4, Insightful)

FriendlyLurker (50431) | about 8 months ago | (#44486079)

Recommend switching away from windows, a few will do so and a lot more will just not bother - and so the pool of people using Tor (and other encryption privacy "enhancing" services) shrinks just a little bit more. If the whistleblower Snowden revelations have taught us nothing else, it is that if you are one of the few that use encryption/VPN/privacy enhancing solutions then you attract extra unwanted attention to yourself. For everyone to enjoy privacy, security professionals need to be coding solutions and encouraging more people, including Windows users, to adopt always on default encryption - not the opposite. Are they really that clueless?

Re:Security professionals generally missing the po (2)

intermodal (534361) | about 8 months ago | (#44486207)

Some of them are exactly that clueless. They tend to let perfect become the enemy of pretty good.

Re:Security professionals generally missing the po (2, Interesting)

Anonymous Coward | about 8 months ago | (#44486277)

Agree - SSL/https is the shining example of how completely the security professionals have failed the Internet users. That and the sorry state of always unencrypted email all the time, by default. Perhaps most "security professionals" are really trying to keep the status quo - no encryption by default. No prizes for guessing who is the biggest employer and sponsor of security researchers...

Re:Security professionals generally missing the po (5, Interesting)

pr0nbot (313417) | about 8 months ago | (#44486249)

If encryption is a "please investigate me" red flag, then we need to find ways to hide the encryption (i.e. steganography).

Re:Security professionals generally missing the po (4, Interesting)

FriendlyLurker (50431) | about 8 months ago | (#44486293)

Not if the majority or dare I say everyone raises the red flag, we dont.

Re:Security professionals generally missing the po (5, Insightful)

nine-times (778537) | about 8 months ago | (#44486407)

Well I think part of the problem is that security experts are experts, and they don't understand that if they really want to encourage better security, they need to make it easy for non-experts. It's funny, because you'd think security experts would know this. One of the key things about security is that a great security measure that nobody uses and everyone circumvents is actually a terrible security measure.

Encryption implementations need to be so well designed and foolproof that they're enabled by default. Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications. We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA. We don't enable encryption on email because it requires plugins and complicated setups. We don't use TOR because it's not quite brain-dead simple.

The experts will respond, "But it *is* brain-dead simple. Just download this plugin, drop into the command line and type [insert command here], compile this binary, change this configuration file in /etc. Oh wait, you're on Windows? Sorry, then you need to download these other files. Get GPG v1 because v2 is completely different and doesn't work with the plugins. Then when you get this error, hit 'ignore'..." And all that makes sense to the experts because they're experts, and they understand what's going on. People won't start using encryption en masse until it's so brain-dead simple that they don't even know they're using it.

Re:Security professionals generally missing the po (4, Insightful)

FriendlyLurker (50431) | about 8 months ago | (#44486527)

You are right - how do we change the situation? I think "Off The Record" (OTR [wikipedia.org]) is a step in the right direction and possible example to learn from. It just works out of the box for a lot of chat clients zero configuration needed providing 100% encrypted chat sessions by default for all users that use those chat clients that ship with it enabled by default. A security "professional" will be quick to sprout that it is open to MITM blah blah blah but fail to recognize that 100% adoption always on encryption is achieved - the hard part. From there it is a small extra step for those that could be bothered to check fingerprints out of band, or even add extra services that help the clueless/not interested do that part automatically. It is like security professionals cant get past the "it is not flawless" stage... and so we are all stuck with nothing or something very good, that nobody else uses or can interact with (PGP as one of many examples).

Re:Security professionals generally missing the po (0, Troll)

landofcleve (1959610) | about 8 months ago | (#44486423)

It's going to be a crushing blow to people when we find out Linus Torvalds was a government plant from the beginning

Re:Security professionals generally missing the po (1)

router (28432) | about 8 months ago | (#44486483)

Are you kidding me? Why in hell would you even say something like this....

Linus wouldn't fill out the 17 forms required to get a check from the feds, much less submit the monthly progress reports or sign the forms, in triplicate, each month to receive the paper check to be deposited. Goddamn 7 digits, no understanding of the system at all...

Much less participate in a system he would find grossly inefficient and horribly flawed. The man respects greatness, not whatever this is.

You are an idiot. If this was a joke its not funny, even once.

andy

Re:Security professionals generally missing the po (2, Informative)

Anonymous Coward | about 8 months ago | (#44486513)

They're being rather disingenuous too: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
Since the vulnerability isn't limited to Windows machines, it's just that they believe that only Windows machines were targeted.

WHO IS AFFECTED:
    In principle, all users of all Tor Browser Bundles earlier than
    the above versions are vulnerable. But in practice, it appears that
    only Windows users with vulnerable Firefox versions were actually
    exploitable by this attack.

    (If you're not sure what version you have, click on "Help -> About
    Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: [7])

    To be clear, while the Firefox vulnerability is cross-platform, the
    attack code is Windows-specific. It appears that TBB users on Linux
    and OS X, as well as users of LiveCD systems like Tails, were not
    exploited by this attack.

IMPACT:
    The vulnerability allows arbitrary code execution, so an attacker
    could in principle take over the victim's computer. However, the
    observed version of the attack appears to collect the hostname and MAC
    address of the victim computer, send that to a remote webserver over
    a non-Tor connection, and then crash or exit [8]. The attack appears
    to have been injected into (or by) various Tor hidden services [9],
    and it's reasonable to conclude that the attacker now has a list of
    vulnerable Tor users who visited those hidden services.

    We don't currently believe that the attack modifies anything on the
    victim computer.

So what makes them so sure that only Windows machines were targeted? Sure only paranoid people would think that way, but lot of people using Tor are paranoid, and many using Tor SHOULD be that paranoid.

Re:Firefox (1, Informative)

Ubi_NL (313657) | about 8 months ago | (#44486105)

This is incorrect, the latest versions of firefox do not allow javascript to be turned off. It is a valid complaint

Re:Firefox (2, Informative)

Anonymous Coward | about 8 months ago | (#44486349)

This is incorrect, the latest version of firefox do allow javascript to be turned off. It is an invalid complaint.

Don't give me bullshit about it not being in the "UI" either, since I have a bookmark with the address about:config?filter=javascript.enabled right there in my bookmarks toolbar.

Re:Firefox (0)

Anonymous Coward | about 8 months ago | (#44486359)

So why do I have Firefox 22 with an enable/disable Javascript option? I downloaded this from Mozilla so you are saying they built a special version just for me? How nice of them.. Or perhaps Firefox still allows the user to enable/disable Javascript at this time.

Re:Firefox (2)

intermodal (534361) | about 8 months ago | (#44486179)

v23 of Firefox removed that feature. It might be buried in about:config somewhere, but I have heard some comments to the contrary. Still on 22 here.

Re:Firefox (1)

Anonymous Coward | about 8 months ago | (#44486259)

javascript.enabled, toggle the value.

Re:Firefox (1)

Anonymous Coward | about 8 months ago | (#44486235)

I think the GP was referring to this: http://www.i-programmer.info/news/86-browsers/6049-firefox-23-makes-javascript-obligatory.html

However that headline and several others like it were misleading as you can still disable javascript from the "about:config" page - you just can't disable it by unchecking a checkbox in preferences anymore.

https://bugzilla.mozilla.org/show_bug.cgi?id=873709

Proper Summary (3, Informative)

Freshly Exhumed (105597) | about 8 months ago | (#44485961)

FTA: 'The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle.'

Geeez, this is all about running old TOR on old Windows... who knew something could possibly go wrong with that?

Re:Proper Summary (0)

Anonymous Coward | about 8 months ago | (#44486159)

Linux, the kiddie porn OS.

Re:Proper Summary (2)

ciderbrew (1860166) | about 8 months ago | (#44486223)

thats what they want you to think. You've added nothing.

Re:Proper Summary (0, Funny)

Anonymous Coward | about 8 months ago | (#44486445)

"They". Good grief. Shave your neckbeard and throw your fedora away. You're a parody of yourself.

Re:Proper Summary (5, Interesting)

pipatron (966506) | about 8 months ago | (#44486213)

Yeah, and next week when the next javascript exploit is found, the excuse will be the same. "Just upgrade your browser and it will be ok, javascript is safe!" No one in their right mind would enable vbscript by default when opening spreadsheet files, but javascript on websites doesn't seem to be a problem.

Re:Proper Summary (1)

slashmydots (2189826) | about 8 months ago | (#44486525)

You bet! And what it failed to mention is that your tor browser bundle would have to be at least 6 months old since every monthly Firefox release is followed by a new Tor browser bundle release containing the new version. Plus, every time you open the Tor browser version of Firefox, it warns you if it's out of date in gigantic colored letters.
Hey, remember that article stating you won't be able to turn Javascript off in an upcoming version of Firefox? Hopefully this incident is enough to get them to pull their heads out of their asses. Also, this proves what everyone knew to be true; that Firefox's alleged "corporate stable release" is just a meaningless title and you're running a version with a bunch of unpatched vulnerabilities.

Re: Firefox (1)

hodet (620484) | about 8 months ago | (#44485971)

say wuuuuuttt? tools options content disable javascript

Re: Firefox (0)

Anonymous Coward | about 8 months ago | (#44486055)

Wrong.
Edit. Preferences. Content....

Re: Firefox (0)

Anonymous Coward | about 8 months ago | (#44486205)

Actually for Firefox on OS X you're wrong too.

Firefox > Preferences > Content >
deselect "Enable Javascript"

Re: Firefox (1)

Anonymous Coward | about 8 months ago | (#44486421)

Actually for Firefox 23 you're wrong too. It's nowhere in any settings dialog.
Never fear, for you can bookmark about:config?filter=javascript.enabled and put that right in your bookmarks toolbar.

Re:Firefox (3, Informative)

Anonymous Coward | about 8 months ago | (#44485989)

Firefox is apparently opting to remove the option from their settings and for a good reason - no one wants to globally disable JS these days. A default off with allowed sites is workable though, but there are extensions like NoScript to add that functionality.

Re:Firefox (3, Insightful)

Anonymous Coward | about 8 months ago | (#44486089)

Since they are advocating throwing away an entire OS due to a flaw in Firefox, I'll go one step further. Throw out your entire PC and you'll be 100% secure.

Re:Firefox (0)

Anonymous Coward | about 8 months ago | (#44486245)

Getting rid of windows operating systems just makes sense! How many more computers must suffer from this nightmare called windows? Crap Crap Crap...

Wrong, it can be easily done (3, Interesting)

feranick (858651) | about 8 months ago | (#44486313)

1. Go to about: config. 2. Search for javascript.enabled. 3. Toggle off. 4. No javascript. Alternatively, install no script. 5. Stop spreading nonsense.

Re:Firefox (3, Informative)

Krojack (575051) | about 8 months ago | (#44486323)

URL about:config then enter 'javascript.enabled' into the search bar. Double click that setting in the list below to toggle back and forth.

I'm convinced (0)

Anonymous Coward | about 8 months ago | (#44485895)

I'll no longer use Windows, even though I don't use it now. Then again, I don't use TOR either.

duh? (0)

Anonymous Coward | about 8 months ago | (#44485899)

Quote: 'Really, switching away from Windows is probably a good security move for many reasons,'

I thought this was pretty common knowledge?

Why not stop using firefox and Java (1, Insightful)

Anonymous Coward | about 8 months ago | (#44485917)

So the vulnerability is in firefox and java, but they propose to stop using Windows?

Re:Why not stop using firefox and Java (0)

Anonymous Coward | about 8 months ago | (#44485939)

javascript != java

Re:Why not stop using firefox and Java (2)

hawkinspeter (831501) | about 8 months ago | (#44485951)

The firefox and java problems can be worked around, but if the FBI is interested in stopping anonimity through TOR, then Windows will most likely be compromised as well. This particular attack only worked on Windows, so avoiding Windows prevents the current attack and may provide more protection against future attacks.

Re:Why not stop using firefox and Java (1)

Impy the Impiuos Imp (442658) | about 8 months ago | (#44486009)

But games are keepng me tied to Windows! All these MOBAs and DOTAs and Action RPGs where the RPG depth is removed so you only have to deal with 3 powers and...

Wait.

n/m

Re:Why not stop using firefox and Java (1)

vistapwns (1103935) | about 8 months ago | (#44486131)

You don't care about games and whatever else is windows specific, but others do. Hell I don't give a spit about what you do with your PC probably. Switching to Linux is a stop-gap measure, if most tor users used Linux, they could change the malware package to work on Linux, and the same bug would have worked in exactly the same way in either case.

Re:Why not stop using firefox and Java (0)

Anonymous Coward | about 8 months ago | (#44486125)

I no longer believe for a second that Windows and OSX haven't already been compromised. Do I think that a 3-letter agency is in my computer right now? probably not. I do think they've probably got trivial back-door entry if they want it though.

Deep down I don't truly think gnu/linux is secure either, but I WANT to believe... Sure by its very nature Linux should be transparent, but I didn't compile every single last executable, library, system bit, etc. myself, nor did I read millions upon millions upon millions of lines of code either.

Re:Why not stop using firefox and Java (3, Insightful)

vistapwns (1103935) | about 8 months ago | (#44486367)

They really don't need to have backdoors, and that would present problems if MS and Apple allowed it. They could face lawsuits and what not, and hackers could find them and use the backdoors. Most likely what these 3 letter agencies do, is hire people to find 0-days in all the OSes and all the browsers. Modern OSes and browsers are so complicated, that this is probably easy to do. If a 0-day gets fixed, they can just always find more. It's the same effect as having a backdoor, but without the legal problems for the companies involved, and it works for all OSes/browsers. Hackers find 0-days all the time, and these 3 letter guys are probably much better and more funded, so..

Re:Why not stop using firefox and Java (2)

hawkinspeter (831501) | about 8 months ago | (#44486387)

Security is a process rather than an end product. Linux is not "secure" as there will always by holes/exploits/bugs etc. However, open source development provides more opportunities to improve security. Whether or not it is currently more or less secure than Windows or OSX is debatable (and almost impossible to accurately measure).

Re:Why not stop using firefox and Java (2)

vistapwns (1103935) | about 8 months ago | (#44485965)

"So the vulnerability is in firefox and java, but they propose to stop using Windows?" Exactly. This could have happened in any OS, they just targeted Windows because that's what most users use. Ironically IE10 run in x64 mode probably would not have this problem, since it uses vastly more address space for ASLR. It's like getting a flat tire, then the guy you hire to change your tire tells you to buy his favorite brand of car to fix it.

Re:Why not stop using firefox and Java (1)

djupedal (584558) | about 8 months ago | (#44485975)

The tires are not safe when used on that brand of automobile. Stop using that brand of car.

Re:Why not stop using firefox and Java (2)

vistapwns (1103935) | about 8 months ago | (#44486071)

Yea, that would make sense, except this vulnerability existed in, and was just as exploitable in Linux versions of FF as far as I know. Even if it was Windows specific, that's just coincidence since the Linux versions of firefox have vulnerabilities all the time that are just as exploitable. Do you actually know anything about computer security?

Re:Why not stop using firefox and Java (3, Informative)

RedHackTea (2779623) | about 8 months ago | (#44485985)

FTFA:

The TOR Project's reasoning comes from the characteristics of the malicious JavaScript that exploited the zero-day vulnerability. The script was written to target Windows computers running Firefox 17 ESR (Extended Support Release), a version of the browser customized to view websites using TOR.

People using Linux and OS X were not affected, but that doesn't mean they couldn't be targeted in the future. "This wasn't the first Firefox vulnerability, nor will it be the last," The TOR Project warned.

Re:Why not stop using firefox and Java (-1)

jellomizer (103300) | about 8 months ago | (#44486183)

Sure, that is what the Open Source Zealots want. Problem with the Open Source App on a closed source OS... That means the Closed Source software MUST BE BAD.

Open Source doesn't have Any Problems it is perfect! Any problems is because of those greedy closed source programs.

Mmmm. KoolAid

Car / Caramel = Java / Javascript (3, Informative)

raymorris (2726007) | about 8 months ago | (#44486459)

To clarify what AC posted, the words "Java" and "Javascript" are like "car" and "caramel", or "ear" and "early" - they are completely unrelated. They just have some letters in common.

Netscape had an interpreted scripting language called LiveScript. It wasn't used a whole lot.
Later, Sun released a virtual machine and a compiled language to program it in called Java. Java got a lot of press.
Seeing all the press that Java was getting, Netscape renamed Livescript "Javascript", to ride the coat-tails of the
completely different system, called Java.

They were developed completely separately, by different companies, for different purposes, and based on different principles.
It's exactly as if the BETAMAX were renamed DroidVideo.

NSA owned netblocks (5, Informative)

NynexNinja (379583) | about 8 months ago | (#44485967)

Looks like the NSA is up to their old dirty tricks: http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/ [arstechnica.com] ... And yes, I second the motion to stop using Windows -- its full of zero day bugs like this. Not a day goes by where you don't hear about a new zero day attack focused on Windows, and its been that way for decades.

Re: NSA owned netblocks (0)

Anonymous Coward | about 8 months ago | (#44486029)

So is linux. You just don't hear about them.

Re:NSA owned netblocks (1)

sociocapitalist (2471722) | about 8 months ago | (#44486177)

Looks like the NSA is up to their old dirty tricks: http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/ [arstechnica.com] ... And yes, I second the motion to stop using Windows -- its full of zero day bugs like this. Not a day goes by where you don't hear about a new zero day attack focused on Windows, and its been that way for decades.

Because no other operating systems or applications have zero day bugs....

Users can not secure themselves against invasive hacking by the US Government.

The best that can be done is probably a VM that's been stripped down to essentials and does nothing but TOR but even that isn't going to keep the NSA out if they want in.

Re:NSA owned netblocks (0)

Anonymous Coward | about 8 months ago | (#44486383)

Unfortunately, I know too many fools like you who refuse to even bother with basic security steps, and leave their work networks vulnerable to the most elementary attacks. I try to get them fired, ASAP, because they lead to the environment being corrupted by the constant security attacks. And they're often merely suggesting this tomake their L33t War3z 3kriPt Kyddi toolktis free to cause havoc and burn my time cleaning up after their abuse.

Re:NSA owned netblocks (0)

Anonymous Coward | about 8 months ago | (#44486495)

Boo Fucking Hoo, they can hack PCs all over the world, big fucking deal!

NSA, CIA, FBI can't do shit about the real problem...
Al Qaeda makes them shit their pants even after Bin Ladens death...

Mission Accomplished my ass.

Re:NSA owned netblocks (2)

slashmydots (2189826) | about 8 months ago | (#44486475)

From TFA:
"People using Linux and OS X were not affected, but that doesn't mean they couldn't be targeted in the future. This wasn't the first Firefox vulnerability, nor will it be the last."
So....no. It wasn't even a Windows exploit, actually. It was a firefox exploit that happened to only work on Windows but it's equally likely any future flaws will not be platform dependent. What you should do is stay on Windows and just update your damn Tor browser bundle when a new one is released.

Sure thing! (1)

Anonymous Coward | about 8 months ago | (#44485993)

Let me go put Linux on my grandmother's computer and then field questions for her about why everything's different and why none of her programs are there...

TAILS (0)

Anonymous Coward | about 8 months ago | (#44485997)

The simplest thing to do is to migrate to TAILS. It's a great little OS for all your Tor browsing. And it's non-persistent. So even if some JS vulnerability effects you, you can start fresh by just rebooting. (But why do you have JS on in the first place?!)

If a majority of sites require JavaScript (1)

tepples (727027) | about 8 months ago | (#44486271)

But why do you have JS on in the first place?

Because 51 percent of web applications that someone uses require JavaScript.

Very poor advice (4, Insightful)

metrix007 (200091) | about 8 months ago | (#44486017)

Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don, they won't necessarily know how.

Secondly, it's poor advice. The vulnerability affects Firefox 17....and Firefox is up to 22 now I think. Wouldn't it make more sense for them to make sure the tor browser is hardened and recommend people to use that?

Finally, Using a more recent windows version is actually good for security. ASLR, DEP, a rudimentary MAC implementation, UAC...despite what people say, Windows is actually one of the better operating systems security wise these days. Not just because of the preventive technology that most other OS's don't have (OS X has a lacking and broken implementation, most linux distros are not as complete in their implementations..), but because Microsoft started taking security seriously and vulnerabilities are rare these days.

Whatever, bring on the irrational arguments and Microsoft hate. Is it really too much for a forum of tech nerds to be objective in their analysis?

Re:Very poor advice (0)

Anonymous Coward | about 8 months ago | (#44486203)

Windows is actually one of the better operating systems security wise these days

Compared to what? OS X has had Java/Flash vulns, but OS vulns? Linux?

Re:Very poor advice (0)

Anonymous Coward | about 8 months ago | (#44486211)

> Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows.

Scaping from Windows is not a luxury but an obligation.

No matter how "good security" you might have in your Microsoft platform, it is an obviously juicy target for
NSA et al, you don't even need technical reasons.

Btw, what "broken implementation" you are refering to? As I see it, all the technologies you mention are nothing
more than markething bullshit.

Re:Very poor advice (3, Interesting)

sociocapitalist (2471722) | about 8 months ago | (#44486231)

Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don, they won't necessarily know how.

Secondly, it's poor advice. The vulnerability affects Firefox 17....and Firefox is up to 22 now I think. Wouldn't it make more sense for them to make sure the tor browser is hardened and recommend people to use that?

Finally, Using a more recent windows version is actually good for security. ASLR, DEP, a rudimentary MAC implementation, UAC...despite what people say, Windows is actually one of the better operating systems security wise these days. Not just because of the preventive technology that most other OS's don't have (OS X has a lacking and broken implementation, most linux distros are not as complete in their implementations..), but because Microsoft started taking security seriously and vulnerabilities are rare these days.

Whatever, bring on the irrational arguments and Microsoft hate. Is it really too much for a forum of tech nerds to be objective in their analysis?

http://www.zdnet.com/blog/btl/microsoft-certificate-used-to-sign-flame-malware-issues-warning/78980 [zdnet.com]

It would be interesting to know how the 'state' that developed Flame acquired the MS certificate in question.
  - compromised using tech that the NSA has that we don't know about?
  - bought off the black market after being stolen by some other entity?
  - or just given by MS to the 'state'..?

Re:Very poor advice (0)

Anonymous Coward | about 8 months ago | (#44486337)

I thought the certificate they were using was really week -- like 512 bit RSA or something.

Re:Very poor advice (3, Informative)

CAIMLAS (41445) | about 8 months ago | (#44486251)

It's trivial to use Tor in a secure fashion. In fact, if you need the security provided by Tor, chances are you're better off doing it this way instead:

1) Download Tails [boum.org]
2) Burn to CD
3) Boot disk
4) Use Tor

How hard was that?

(Personally, I use IE5 and Windows 2000 for Tor. Nobody's going to try to exploit that... and yes, I'm kidding.)

Re:Very poor advice (2)

AHuxley (892839) | about 8 months ago | (#44486297)

Re:Very poor advice (3, Insightful)

couchslug (175151) | about 8 months ago | (#44486353)

"Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don't, they won't necessarily know how."

Anyone can create bootable media with a short time spent practicing.

If you are at war you need to learn how to fight, not expect the rules to change for you. If that's not convenient, tough shit.

What one man can learn, another can learn. Plenty of Syrians didn't know how to kill tanks and APCs before "current events" either.

All I can say is... (0)

ilsaloving (1534307) | about 8 months ago | (#44486061)

As someone who's preferred platforms are Mac and Linux anyway, all I can say is.... what? Riiiiiiiiiiight....

Yeah, the whole world is going to just up and stop using Windows. I'd love to know what goes through the minds of people who make such mindbogglingly stupid recommendations.

Air pollution is bad for you! So, just stop breathing!

Re:All I can say is... (1)

Speare (84249) | about 8 months ago | (#44486265)

For those who depend on TOR for their safety, more than they depend on a specific tool for their convenience, the following a safety advisory seems pretty rational. Air pollution in LA is bad on Tuesday! Young people and elderly should please remain indoors if possible!

I think that one solution..... (1)

mark-t (151149) | about 8 months ago | (#44486075)

... would be for web browsers to have some javascript configuration settings, allowing them to specify, for instance, what values these particular queries (hostname and mac address) should actually return, if not the defaults, much like how some browsers allow you to configure what it reports as a user-agent header in an http request.

Oh sure... (1)

sanjacguy (908392) | about 8 months ago | (#44486095)

Of course it's more secure! The only way in left is the door!

Of course it's more secure! I also hear that DEATH is a great way to lose weight. Die, and the pounds just melt away!

Can we please have a serious suggestion other than changing your OS? This is like saying "That them thar wood house is no good. Better replace it all with brick."

So much for TOR (1)

kheldan (1460303) | about 8 months ago | (#44486103)

If you've been reading here regularly you know that TOR is compromised now anyway, as is pretty much all internet usage. I don't even personally believe that any form of encryption available to the general public is even safe from prying eyes anymore.

Tor needs to encourage more users/usage. (3, Insightful)

ron_ivi (607351) | about 8 months ago | (#44486133)

Another problem is Tor's has tiny enough usage that it's easy for a handful of governments to run a critical mass of exit nodes and relays to do traffic analysis. Instead of discouraging things like bittorrent - I think the Tor project should encourage it, along with encouraging people to contribute back enough bandwidth to make up for their downloads (i.e. contribute about 3X the bandwidth they download). That way Tor could grow to the scale where it'd be much harder to monitor or take down.

Re:Tor needs to encourage more users/usage. (1)

CAIMLAS (41445) | about 8 months ago | (#44486295)

Yep. In light of these windows nodes getting exploited, I decided last night that I'm going to set up a tor node VM, with limited bandwidth, just for the purposes of providing an additional hop.

Tor use is likely to increase significantly due to all the domestic spying everyone has become aware of here in the West. This is both an opportunity for Tor as well as a challenge: there will be more users, and more people who were iffy about running high bandwidth nodes will likely do so, but there will also be more clueless users and more governmental targeting of this 'darknet' to try to monitor everyone.

It poses another opportunity for Tor: improve the design and architecture, or even just the distribution, to make it easier for non-savvy users to be secure. Pre-packaged installers that jail up a minimal Linux install from which to run Tor? Who knows.

The Child Porn Angle (3, Insightful)

BenEnglishAtHome (449670) | about 8 months ago | (#44486147)

How long will it be before the FBI goes publicly on the attack?

Freedom Hosting was, from what I've been reading over the last couple of days, not only taken over by the FBI and used to inject this code but it also probably hosted half of all child porn *.onion sites extant.

Demonizing the pervs seems like a good way to distract people from the fact that a state entity is now actively running malware that attacks everybody. I'm surprised it hasn't started already.

Re:The Child Porn Angle (2)

Joining Yet Again (2992179) | about 8 months ago | (#44486289)

"Terror" worked as an excuse for a while, but then with all the Manning etc. revelations, people realised that war on a military strategy was just a bit of clever spin.

Now we're onto the child porn angle, which easier as both the hawks and the pacifists can be seduced into a think-of-the-children argument. Never mind that driving the producers of child sex abuse images further underground is the worst possible thing - I say that such *evidence* of child sex abuse should be out in the open, so that humans are fully exposed to its horror and demand that resources are focussed on the abusers, i.e. those who actually force children to pose or to have sex with them.

Lots of people are titillated by all sorts of exploitation right up to gore, but we don't censor all those images because we pretend that there's something uniquely sacred about the innocence of a child. Well, there's nothing "sacred" about anything except in the imagination of humans.

Re:The Child Porn Angle (0)

Anonymous Coward | about 8 months ago | (#44486327)

Guess it depends on how they intend to use what data they collected. IPs and MACs of people that only accessed the servers seems a bit flimsy to start knocking down doors, but now that everyone knows about it they'd want to act soon to prevent evidence being destroyed. On the other hand they could be using this to justify surveillance on anyone they collected, but again now that everyone knows how useful is that going to be?

And if the rumor that this is the NSA, can the FBI use data collected by them domestically? Isn't the NSA military?

Hey ho, (0)

Anonymous Coward | about 8 months ago | (#44486171)

javascript has got to go!

privacy advocates want you to... (5, Insightful)

Joining Yet Again (2992179) | about 8 months ago | (#44486209)

...stop using a system developed and partly sanctioned by the US military if you want actually want to preserve your privacy. Actually, lack of privacy is a social problem, alland technical solutions are based simply on not your doing anything important enough for someone to engage in an arms race with you (which you will lose).

If you want privacy, you need to have exclusive control of a great deal of the network and intermediate nodes, plus the exact content of the traffic. And then you need to make sure that merely the raw content isn't a giveaway. Otherwise stochastic methods will attack all of the above and identify who you are, before an exploit's even been planted on your home machine.

Or foster a society that refuses to allocate the resources to fuck you over. Remember, anyone can be taught skills - but values are much harder to instil.

More secure, equally silly recommendation (1)

neminem (561346) | about 8 months ago | (#44486257)

Why not just tell people to stop using the internet completely? Unplug their computers from the internet, then they'd be completely safe. And they might as well, too, if they disable javascript, given that basically everything uses it these days...

Firefox is crap (0)

Anonymous Coward | about 8 months ago | (#44486269)

They even didn't implement Low Integrity Level like IE and Chrome.

Sandbox TOR activity to hell and back (0)

Anonymous Coward | about 8 months ago | (#44486347)

Step one: Virtual machine software - Virtualbox
Step two: Encrypted volume - Truecrypt. Store the virtual machine disk file inside your encrypted volume.
Step three: Install your favorite linux distro in your VM. Use an encrypted volume, and an encrypted home directory.
Step four: Use the Tor browser package that has a pre-setup version of Tor and a customized version of firefox designed to guard against data leakage. It's a simple download and it's self contained. No external configuration needed. Make sure you grab the latest version frequently.

Of course this isnt going to protect you if your windows host is compromised while the VM is running (But if the VM is offline good luck getting through 3 different pass-phrases), but it should reasonably prevent identifiable data from leaking between your tor VM and host system.

It's "Tor", FFS. (0)

Anonymous Coward | about 8 months ago | (#44486355)

Is Slashdot run by complete morons? These "editors" seem to have gone full retard as of late.

Don't use Firefox bundled by TOR (1)

feranick (858651) | about 8 months ago | (#44486391)

I use tor and firefox. But I don't use firefox that is bundled with Tor (v1.7ESR), but my own (v22). I run private mode, and I use the convenient FoxyProxy extension to redirect my network connection to either tor or for a direct connection. FoxyProxy allows me to specify what sites I would need to redirect to Tor and what not. Fairly simple, really.

not even remotely related (1, Insightful)

slashmydots (2189826) | about 8 months ago | (#44486419)

From what I heard, the flaw affects Firefox 17 and the latest browser bundle is 22 and javascript has to be on, which is technically isn't because of noscript being on by default. Also, since it's Firefox and javscript and cookies, it's actually platform independent so switching off of Windows will do absolutely nothing to prevent this type of attack. Great article!

TOR should be integrated with a browser (2)

crow (16139) | about 8 months ago | (#44486435)

Yes, I know that you can get a web browser that is specifically set up to route everything through TOR. What I want is a simple setting in browsers to use TOR for all private browsing sessions.

So which is it, Firefox or Windows? (3, Insightful)

wonkey_monkey (2592601) | about 8 months ago | (#44486467)

The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox

Stop using Firefox (this particular version, on Windows) surely?

Sounds like someone at TOR was hankering for an excuse to rail against Windows.

The technological agenda (1)

operagost (62405) | about 8 months ago | (#44486491)

Mingling security concerns with zealotry doesn't serve anyone. TOR team has discredited themselves with an immature response to a routine security issue, based not on an actual technological issue but on fanboyism. TOR favors Linux and the Mac OS over Windows, and uses this security issue as an opportunity to attack Windows rather than stick to the facts and keep their users safe. This is an issue to which both Firefox and Windows are to blame, yet they don't tell us to stop using Firefox, even while acknowledging that it is technically possible for a future exploit to affect Firefox running on platforms other than Windows.

If the proper response to a security issue involving TOR is to stop using my operating system, that might just as well justify a user to stop using TOR.

collect enough data... (2)

Joining Yet Again (2992179) | about 8 months ago | (#44486507)

...and you have something on EVERYONE, in advance.

Then regularly select people at random, to keep the rest of the population in fear.

And specifically target any inconveniences.

Load More Comments
Slashdot Account

Need an Account?

Forgot your password?

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>
Sign up for Slashdot Newsletters
Create a Slashdot Account

Loading...