Tor Users Urged To Update After Security Breach 161
An anonymous reader writes "If you use Tor, you're cautioned to update now due to a security breach. In a message on the Tor mailing list dated Jan 20, 2010, Tor developer Roger Dingledine outlines the issue and why you should upgrade to Tor 0.2.1.22 or 0.2.2.7-alpha now: 'In early January we discovered that two of the seven directory authorities were compromised (moria1 and gabelmoo), along with metrics.torproject.org, a new server we'd recently set up to serve metrics data and graphs. The three servers have since been reinstalled with service migrated to other servers.' Tor users should visit the download page and update ASAP."
From: Anonymous Coward (Score:5, Interesting)
Anyone else find it so funny that a news story about anonymity is suggested to slashdot by anonymous coward?
I think it's the best form of joke... one with an epic amount of unexpected expectedness.
Tor weaknesses (Score:5, Interesting)
The problem with Tor is that there's no way to detect compromises -- every node on the network could be compromised and you'd never know. Authors of botnets have greater anonymity than we do -- ironically because it's run by a central authority. An illegal and immoral one, yes, but one that comes with a measure of anonymity. Few botnet authors are actually caught even with the most primitive security methods. They don't even use encryption and they often can't be found...
US Intelligence almost certainly monitors TOR (Score:4, Interesting)
I mean. That's where I'd go fishing for people trying to communicate secrets,
if I was them.
Now I don't want to spread paranoia, but
did you know that the patent on Onion Routing was filed by the US Department of the Navy?
Look it up.
Remember kiddies. Always use your own encryption layer.
New Tor attacks and anonimity attacks all the time (Score:1, Interesting)
Attacking Tor at the Application Layer
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-gregory_fleischer-attacking_tor.pdf [defcon.org]
https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Gregory%20Fleischer%20-%20Attacking%20Tor%20and%20the%20Application%20Layer%20-%20Video%20and%20Slides.m4v [defcon.org]
https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Gregory%20Fleischer%20-%20Attacking%20Tor%20and%20the%20Application%20Layer%20-%20Slides.m4v [defcon.org]
https://media.defcon.org/dc-17/audio/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Gregory%20Fleischer%20-%20Attacking%20Tor%20and%20the%20Application%20Layer%20-%20Audio.m4b [defcon.org]
Sniff Keystrokes With Lasers/Voltmeters - Side Channel Attacks Using Optical Sampling Of Mechanical Energy And Power Line
Leakage:
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-barisani-bianco-sniff_keystrokes.pdf [defcon.org]
http://www.defcon.org/images/defcon-17/dc-17-presentations/Andrea_Barisani-Daniele_%20Bianco/defcon-17-barisani-bianco-sniff_keystrokes-wp.pdf [defcon.org]
https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20Andrea%20Barisani%20and%20Daniele%20Bianco%20-%20Sniffing%20Keystrockes%20with%20Lasers%20and%20Voltmeters%20-%20Video%20and%20Slides.m4v [defcon.org]
Router Exploitation
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-fx-wp.pdf [defcon.org]
https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20FX%20-%20Router%20Exploitation%20-%20Video%20and%20Slides.m4v [defcon.org]
https://media.defcon.org/dc-17/video/DEFCON%2017%20Hacking%20Conference%20Presentation%20By%20FX%20-%20Router%20Exploitation%20-%20Slides.m4v [defcon.org]
Unmasking You
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-abraham-hansen-unmasking_you.pdf [defcon.org]
Tactical Fingerprinting Using Metadata, Hidden Info and Lost Data
http://www.defcon.org/images/defcon-17/dc-17-presentations/defcon-17-alonso-palazon-tactical_fingerprinting.pdf [defcon.org]
Down the R
Re:first (Score:3, Interesting)
Technically, it can't be. But since most of the exit points are pretty well known, it's not all that hard. If more people made themselves exit points, rather than just taking advantage of the network, that problem would go away.
I've tried Slashdot. It's been a matter of switching exit points until you find one that isn't forbidden. Google is really on top of it though. I suspect they may have a tie-in with the network map, so they know the exit points as they come and go.
Re:Sooo...... (Score:3, Interesting)
People with sexual urges will eventually create an opportunity act on them, and readily available pornographic content simply encourages them by giving them validation and a sense of moral acceptance.
Hmm... then how about homosexuality? It's not hard to find stories of people who denied attraction to the same sex their whole life in order to avoid being socially stigmatized.
As for the effects of pornography, does masturbating calm your sexual urges, or does it inflame them?
Re:Tor weaknesses (Score:3, Interesting)
The fun begins when they start noting illegal commands and retaliating. Fun.
Re:US Intelligence almost certainly monitors TOR (Score:2, Interesting)
Re:Further Details From Roger (Score:3, Interesting)
"A friendly anonymous sponsor has provided a pile of new servers, and git and svn are now up
in their new locations"
I read this to mean that tor are hosting git and svn on the new, anonymously-donated servers. I expect that if they were hardware-compromised, that could be used, in turn, to compromise the source-repositories. Please correct me if I'm wrong tho...
Having said all that - I'd also expect a project like tor to be pretty careful with security! Also, it's quite possible that although the servers were anonymously-donated, they may still have been sourced by the tor project - it's hard to imagine a guy in a trench-coat and dark glasses knocking on their door, handing them a server before fading into the shadows, and them welcoming it with open arms!
What was the cause of the breach? (Score:3, Interesting)
The links are not very informative about what allowed the breach to happen. Was a security model vulnerability? man-in-the-middle attack? buffer overflow?