
Tor Users Urged To Update After Security Breach

Posted by timothy
from the points-of-failure dept.
An anonymous reader writes "If you use Tor, you're cautioned to update now due to a security breach. In a message on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha now: 'In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we'd recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.' Tor users should visit the download page and update ASAP."
This discussion has been archived. No new comments can be posted.

  • Re:Tor weaknesses (Score:5, Insightful)

    by snowgirl (978879) on Thursday January 21, 2010 @11:12PM (#30855874) Journal

    The problem with Tor is that there's no way to detect compromises -- every node on the network could be compromised and you'd never know. Authors of botnets have greater anonymity than we do -- ironically because it's run by a central authority. An illegal and immoral one, yes, but one that comes with a measure of anonymity. Few botnet authors are actually caught even with the most primitive security methods. They don't even use encryption and they often can't be found...

    There's a lot to be said for hiding in a crowd though. While it is true that every node in the network could be compromised, and we'd never know, collecting all that data together to target you individually becomes more and more difficult the more people use the network... and we're not talking about big-O of n, we're talking at least big-O n squared or so.

    As with all forms of security, there's nothing you can do to guarantee security, you simply raise the burden of breaching that security until the opportunity to breach you is not worth the cost to breach you.

  • Re:Sooo...... (Score:1, Insightful)

    by Anonymous Coward on Thursday January 21, 2010 @11:24PM (#30855942)

    Not that I'm defending pedophilia, but the fact that you're conflating pedophiles and child molesters makes me suspect your statistics.

  • Re:Sooo...... (Score:1, Insightful)

    by Anonymous Coward on Thursday January 21, 2010 @11:32PM (#30855988)

    Sounds like anonymity projects are suffering the same problem as encryption in general -- it's too hard to use unless you're pretty sure you have a need for it.

    With the casual farming of information that goes on by Internet ad networks, the lack of security of public Wi-Fi, and the push for deep packet inspection by ISPs, I think we've reached a point where attacks on the privacy of innocent users justify a need for average folks to have access to these sorts of products (and associated education.)

    But until it's as simple as hitting a button in Firefox to use Tor, of course it's only going to be the enthusiasts and scumbag fringes that'll put the time into researching and securing their privacy online.

  • Re:Sooo...... (Score:5, Insightful)

    by xous (1009057) on Thursday January 21, 2010 @11:42PM (#30856042) Homepage

    Hi,

    How did you collect your statistics when Tor is decentralized? Sure you could analyze the outbound traffic on an exit node but I doubt that this would be enough of a sampling to extrapolate a meaningful conclusion. Since you offer no supporting evidence your claim is irrelevant to the discussion.

    I also do not think that the number of child molesters could be large enough to represent a "vast majority" because I doubt the original content producers would distribute such high-risk material for free. It is much more likely that pedophiles are distributing the material to other pedophiles. I think that it is important to note the difference because while I find either appalling I'd rather have them fapping to "old child pornography" instead of creating a demand for new material and reducing the profit margins of the people that are actually doing these horrible things to children. The lesser of two evils is still evil but we don't live in an idealistic world.

    Unfortunately freedom has its costs.

  • Re:Sooo...... (Score:5, Insightful)

    by trytoguess (875793) on Thursday January 21, 2010 @11:52PM (#30856094)

    In short, people attracted to children will rape them? A bit like saying all men will rape women no? But that's not a perfect analogy, you can have sex with a man or woman without too much difficulty, whereas a pedophile can only masturbate. How about, would all slovenly, unattractive, misanthropes, who've zero chance of getting sex resort to rape? I rather doubt it, and even though pedophilia disturbs me, I don't think the sexual drive of that group is somehow stronger than your average male or female.

  • by wiredlogic (135348) on Thursday January 21, 2010 @11:57PM (#30856126)

    They probably do more than just monitor. They almost certainly run their own exit nodes so they can log everything flowing through what they pwn.

  • Re:Sooo...... (Score:3, Insightful)

    by Runaway1956 (1322357) on Friday January 22, 2010 @12:07AM (#30856192) Homepage Journal

    I don't know where to find good citations - but you can research easily enough.

    Download not just TOR, but I2P, freenet, anonnet - search for more if you like. You WILL BE exposed to child porn. No questions asked, you'll be exposed.

    It's safe to say that 2/3 to 3/4 of all the sites out there are trash that you don't even want to see. But - there are also some interesting things that are NOT pornography.

    You can go explore, or not. It's slow, it's aggravating because all the CP gets in the way, there's not a whole LOT OF good stuff to find, but, go explore all the same. Make sure you read the documentation - you don't want to broadcast your IP across the dark web, with all your personal details. You think the regular internet is bad? LMAO

  • Re:Sooo...... (Score:1, Insightful)

    by Anonymous Coward on Friday January 22, 2010 @12:19AM (#30856252)
    Anyway, ephebophilia is illegal, but arguably medically normal, and ephebophiles and pedophiles make up separate populations.

    No, it's not illegal. For that matter, neither is pedophilia. ACTING on ephebophilia or pedophilia is illegal.
  • by inviolet (797804) <<gro.rettamsaedi> <ta> <todhsals>> on Friday January 22, 2010 @12:22AM (#30856266) Journal

    As explained in the last mail, it appears the attackers didn't realize what they broke into. We had already been slowly migrating Tor services off of moria (it runs too many services for too many different projects), so we took this opportunity to speed up that plan. A friendly anonymous sponsor has provided a pile of new servers, and git and svn are now up in their new locations.

    Mmmm, yes, free.

    And you will never, in a million years, detect the compromised hardware in those machines.

    The only way for tor (or wikileaks or other dangerous-to-the-authorities service) to buy hardware, is anonymously. If someone wants to donate servers, have them sell the servers and give you the cash.

  • Re:Sooo...... (Score:1, Insightful)

    by Anonymous Coward on Friday January 22, 2010 @12:45AM (#30856402)

    I dislike how the second party gets abused though and don't say that they can consent to the pictures. You leave the child pretty twisted and the molesters don't care. It is just not fair to the child. It might not be fair to the molester as he can't help it, but it is not a victimless act. What they need is help understanding and managing. There is just so much social taboo around it that it is a real struggle for them.

  • by BitZtream (692029) on Friday January 22, 2010 @01:33AM (#30856650)

    Yes, the government created it, this is well known. They created it so they could securely communicate by bouncing signals off of unsecured ships, like your random cruise ship or an allied warship.

    They were involved with its creation, of course they watch it. So do lots of other people.

    As a general rule, people hiding their activities DO HAVE SOMETHING TO HIDE. The minority use something like this for legitimate uses. However, our founding fathers had the opinion that until we know you're hiding something bad, you can hide it so no one can come after you for something you do in private that doesn't bother anyone else. This helps to prevent people from having a bad opinion of you, prejudice and hate.

    It doesn't however change the fact that it will be used, primarily by people using it to hide illegal activities. It would be retarded if they DIDN'T watch it and as a tax payer I'd be pissed if they didn't.

    Reality says that most people have no need to use this sort of protection and that it's of very little use to the majority of the people on the planet, even those doing minor illegal activities.

    I've talked about plenty of things over the phone, email and hell, even posted on bulletin boards (the real ones, cork board and paper with pushpins) at grocery stores about illegal activities. None of it was anything major of course, minor little crap, all of which were misdemeanors. There are 2 reasons why nothing ever came of it.

    A. It was minor crap, no one actually cares about what I did unless I was stupid enough to do it in front of an ON DUTY cop.

    B. Hiding in plain sight and blending in with the crowd makes you a lot less obviously a target than the person hiding things, regardless of what you are hiding.

    So yes, when you make it obvious you're trying to hide something people are going to pay attention to try and figure out what you're hiding, that's being a good detective and what I expect from people whose job is to detect stuff.

  • by DNS-and-BIND (461968) on Friday January 22, 2010 @01:41AM (#30856682) Homepage
    A joke? How, exactly, is it funny? I'm curious to know. Who cares who submits the stories, anyway? Half of them turn out to be fakes or misleading anyway.

    The real TOR way to do it would not be anonymously, but instead giving it to another person's slashdot account, who submits it for you. But go ahead with the "funny" "jokes".

  • Re:first (Score:3, Insightful)

    by JWSmythe (446288) <<moc.ehtymswj> <ta> <ehtymswj>> on Friday January 22, 2010 @02:19AM (#30856844) Homepage Journal

        Ideally, everyone that runs a client is an exit node too. But, much like an open AP on your network, when the police come knocking at your door, just saying "But, I was just connected to Tor" isn't going to be much of a defense. It may work in court, but you may be waiting a long time for that day to come.

  • by Anonymous Coward on Friday January 22, 2010 @02:52AM (#30856978)

    I wish the holier than thous behind the Tor movement would stop with their outrageous and indefensible claims about the protections Tor allegedly provides.

    I tried to have this discussion with, among others, people who've made "names for themselves" traveling from conference to conference blustering about how Tor is making the Internet safe for unpopular opinions in places where an unpopular opinion can get you disappeared right quick (hello China)... shouted down every time because it's not a POPULAR point of view.

    I see that I'm not the only one in this discussion with concerns. Thank god things are changing.

    Whoever these people you have met traveling from conference to conference are, they are not the authors of tor:

    # tor --help
    Jan 21 22:48:35.191 [notice] Tor v0.2.1.22. This is experimental software. Do not rely on it for strong anonymity. (Running on Linux x86_64)
    Copyright (c) 2001-2004, Roger Dingledine
    Copyright (c) 2004-2006, Roger Dingledine, Nick Mathewson
    Copyright (c) 2007-2009, The Tor Project, Inc.

    tor -f [args]
    See man page for options, or https://www.torproject.org/ for documentation.

  • by jyoull (512280) <jimNO@SPAMmedia.mit.edu> on Friday January 22, 2010 @03:47AM (#30857234)

    TOR apologists, no fair modding down these comments just because you don't like them.

    I wish the holier than thous behind the Tor movement would stop with their outrageous and indefensible claims about the protections Tor allegedly provides.

    I tried to have this discussion with, among others, people who've made "names for themselves" traveling from conference to conference blustering about how Tor is making the Internet safe for unpopular opinions in places where an unpopular opinion can get you disappeared right quick (hello China)... shouted down every time because it's not a POPULAR point of view.

    I see that I'm not the only one in this discussion with concerns. Thank god things are changing.

  • Re:Sooo...... (Score:5, Insightful)

    by Opportunist (166417) on Friday January 22, 2010 @07:23AM (#30858036)

    The price of freedom isn't vigilance in this time and age, it's having to deal with unpopular content.

    Is tor used by people who want to circumvent laws for whatever reason? Yes. Duh. Basically that's what it was created for. We deem it positive that tor allows dissidents to avoid their laws concerning the freedom of speech, but we don't deem it positive that it also allows the circumvention of our laws. That's very human, but also quite a bit of a double standard.

    I hope /. is a bit above the killer arguments of "think of the children" (honestly, if you think of the children all the time, you're prolly a pedo yourself) and we're able to look at it from a bit of a detached position. Because that's what we have to deal with here. Basically swapping child porn in the US is, at least from a purely content point of view, not different from swapping anti-government ideas in China: Both are illegal, and both require additional security to be done without prosecution. The question is now whether we're willing to accept the existence of the former to enable the latter. You will only get them together. Is the freedom of the Chinese people (and, given the recent development in the west, probably ours soon, too) worth it, knowing that this will also allow communication of pedophiles, terrorists, spies and maybe even worse? Or should we toss both? That's basically the options we have.

    And before someone replies with "but tor doesn't allow Chinese to discuss freely, isn't secure, etc": This isn't just about tor. That question affects all tools that allow free speech. The question is, is free speech worth dealing with the effects of free speech that you do not want to exist?

  • Re:first (Score:3, Insightful)

    by NotBornYesterday (1093817) on Friday January 22, 2010 @10:12AM (#30858904) Journal

    I concluded that most of the traffic on TOR was child pornography and shared music/films.

    Please explain how you arrived at this conclusion. Did you actually survey TOR traffic to see what it contained, or are you simply assuming that the only reason most people want anonymity is CP & file sharing? I was under the impression that TOR encrypted its traffic, except for what entered/exited at the exit nodes.
