How would anyone know with confidence that this provides real anonymity, or any kind of security? In the crypto world, we are used to using algorithms that are well known, publicly available, preferably that large numbers of experts have looked at over the course of years, and we still don’t fully trust them even then there’s always that little voice saying ‘we may not know everything, don’t rely on this as a single point of failure’. I’m always curious about these sorts of posts. It’s not as if zero day exploits are cost prohibitive to purchase on the open market when governments interests are at stake.Īug3:00 police “If you want to whistleblow should look into Jondo live CD with it’s install of mixminion Type III Anonymous remailer instead of trusting Tor browser devs who insanely activated javascript by default allowing this to happen.” Because if the USA can do this to Tor there is nothing stopping the security services of any of the other nations from doing it too. One thing for sure is that Tor’s reputation is badly damaged. There is also an on-going debate as to whether this was really a child porn hit or whether the child porn was just a cover for the take down of Tormail, which apparently has been quite popular with critics of the US Government. They could have been exploiting it for months in the wild and only after it had been identified by a third party and patched that they finally arrested the guy because the utility of that exploit had become less valuable to them. Just because the vulnerability was reported to Mozilla on Day X does not mean that was the day the FBI or whoever first became aware of it. There is simply so much we do not know about this… There is a rumor that the people caught also used the same browser for Tor and normal browsing, but my take from the analysis is that this is wrong and the exploit just contacted an external server directly while the Tor session was still running. I would suggest that this means checking for updates at least once a week is mandatory. Still, knowing that it takes the NSA and accomplices about 4 weeks from a reported potential vulnerability to a deployed attack is interesting. So lets call it a “zero-day if you have no clue”. injection of invalid code) that still strongly suggests that working exploit code could be injected instead. Sure, the person that found the problem did not have an exploit, but only a crash (i.e. I have some issues with calling this a zero-day vulnerability, as it and the patch for it was out there for 4 weeks. Also note that mozilla classified the vulnerability as “critical” and everybody caught did not update for more than 4 weeks and was running Windows.
0 kommentar(er)
