
TOR Wants You To Stop Using Windows, Disable JavaScript

Posted by timothy
from the so-say-we-all dept.
itwbennett writes "The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network. The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network. 'Really, switching away from Windows is probably a good security move for many reasons,' according to a security advisory posted Monday by The TOR Project."

  • NSA owned netblocks (Score:5, Informative)

    by NynexNinja (379583) on Tuesday August 06, 2013 @10:22AM (#44485967)
    Looks like the NSA is up to their old dirty tricks: http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/ [arstechnica.com] ... And yes, I second the motion to stop using Windows -- it's full of zero day bugs like this. Not a day goes by where you don't hear about a new zero day attack focused on Windows, and it's been that way for decades.
    • Looks like the NSA is up to their old dirty tricks: http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/ [arstechnica.com] ... And yes, I second the motion to stop using Windows -- it's full of zero day bugs like this. Not a day goes by where you don't hear about a new zero day attack focused on Windows, and it's been that way for decades.

      Because no other operating systems or applications have zero day bugs....

      Users can not secure themselves against invasive hacking by the US Government.

      The best that can be done is probably a VM that's been stripped down to essentials and does nothing but TOR but even that isn't going to keep the NSA out if they want in.

      • by rmstar (114746) on Tuesday August 06, 2013 @11:57AM (#44487083)

        Users can not secure themselves against invasive hacking by the US Government.

        Sure.

        Now, if instead of engaging in this self-defeating every-man-to-himself canned-goods-and-ammo mentality users would actually stand up for their rights actively, which means, engaging in politics - that could work.

    • From TFA:
      "People using Linux and OS X were not affected, but that doesn't mean they couldn't be targeted in the future. This wasn't the first Firefox vulnerability, nor will it be the last."
      So....no. It wasn't even a Windows exploit, actually. It was a firefox exploit that happened to only work on Windows but it's equally likely any future flaws will not be platform dependent. What you should do is stay on Windows and just update your damn Tor browser bundle when a new one is released.
  • Very poor advice (Score:4, Insightful)

    by metrix007 (200091) on Tuesday August 06, 2013 @10:26AM (#44486017)

    Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don, they won't necessarily know how.

    Secondly, it's poor advice. The vulnerability affects Firefox 17....and Firefox is up to 22 now I think. Wouldn't it make more sense for them to make sure the tor browser is hardened and recommend people to use that?

    Finally, using a more recent Windows version is actually good for security. ASLR, DEP, a rudimentary MAC implementation, UAC...despite what people say, Windows is actually one of the better operating systems security-wise these days. Not just because of the preventive technology that most other OS's don't have (OS X has a lacking and broken implementation, most Linux distros are not as complete in their implementations..), but because Microsoft started taking security seriously and vulnerabilities are rare these days.

    Whatever, bring on the irrational arguments and Microsoft hate. Is it really too much for a forum of tech nerds to be objective in their analysis?

    • Re:Very poor advice (Score:4, Interesting)

      by sociocapitalist (2471722) on Tuesday August 06, 2013 @10:44AM (#44486231)

      Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don, they won't necessarily know how.

      Secondly, it's poor advice. The vulnerability affects Firefox 17....and Firefox is up to 22 now I think. Wouldn't it make more sense for them to make sure the tor browser is hardened and recommend people to use that?

      Finally, using a more recent Windows version is actually good for security. ASLR, DEP, a rudimentary MAC implementation, UAC...despite what people say, Windows is actually one of the better operating systems security-wise these days. Not just because of the preventive technology that most other OS's don't have (OS X has a lacking and broken implementation, most Linux distros are not as complete in their implementations..), but because Microsoft started taking security seriously and vulnerabilities are rare these days.

      Whatever, bring on the irrational arguments and Microsoft hate. Is it really too much for a forum of tech nerds to be objective in their analysis?

      http://www.zdnet.com/blog/btl/microsoft-certificate-used-to-sign-flame-malware-issues-warning/78980 [zdnet.com]

      It would be interesting to know how the 'state' that developed Flame acquired the MS certificate in question.
        - compromised using tech that the NSA has that we don't know about?
        - bought off the black market after being stolen by some other entity?
        - or just given by MS to the 'state'..?

    • Re:Very poor advice (Score:4, Informative)

      by CAIMLAS (41445) on Tuesday August 06, 2013 @10:45AM (#44486251) Homepage

      It's trivial to use Tor in a secure fashion. In fact, if you need the security provided by Tor, chances are you're better off doing it this way instead:

      1) Download Tails [boum.org]
      2) Burn to CD
      3) Boot disk
      4) Use Tor

      How hard was that?

      (Personally, I use IE5 and Windows 2000 for Tor. Nobody's going to try to exploit that... and yes, I'm kidding.)

    • by AHuxley (892839)
      If they helped get your plain text http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data [theguardian.com] and
      http://news.cnet.com/8301-13578_3-57593339-38/nsa-docs-boast-now-we-can-wiretap-skype-video-calls/ [cnet.com]
      to Android software and..."remotely activate the microphones in phones"..
      http://online.wsj.com/article_email/SB10001424127887323997004578641993388259674-lMyQjAxMTAzMDAwMTEwNDEyWj.html [wsj.com]
      The tame, low cost, US OS are the way in.
      Tor exit nodes and colluding fun back in the day:
      http://them [wordpress.com]
    • by couchslug (175151) on Tuesday August 06, 2013 @10:55AM (#44486353)

      "Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don't, they won't necessarily know how."

      Anyone can create bootable media with a short time spent practicing.

      If you are at war you need to learn how to fight, not expect the rules to change for you. If that's not convenient, tough shit.

      What one man can learn, another can learn. Plenty of Syrians didn't know how to kill tanks and APCs before "current events" either.

    • Wut?

      Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows

      Which country are you specifically talking about? Is it illegal to run Linux somewhere? To the best of my knowledge the only people working on keeping people from installing Linux are the ones trying to push secureboot and UEFI. That's Microsoft and friends. The whole "war on general computing" thing seems either overblown or in its infancy. Seriously, who doesn't have the luxury of switching away from Windows? Are you talking about wage-slaves or something? Who would use TOR at work?

      Secondly, yeah, it'

  • ... would be for web browsers to have some javascript configuration settings, allowing them to specify, for instance, what values these particular queries (hostname and mac address) should actually return, if not the defaults, much like how some browsers allow you to configure what it reports as a user-agent header in an http request.
  • If you've been reading here regularly you know that TOR is compromised now anyway, as is pretty much all internet usage. I don't even personally believe that any form of encryption available to the general public is even safe from prying eyes anymore.
    • by AHuxley (892839)
      One time pad to your family, tribe, gang, cult, freedom fighters, friends, new friends or fellow travellers.
      Geolocation and electronic chatter seems to be the focus of the surveillance structure that was built up... ie you have to keep feeding the machines, phones or mail.
  • by ron_ivi (607351) <sdotno AT cheapcomplexdevices DOT com> on Tuesday August 06, 2013 @10:35AM (#44486133)
    Another problem is Tor has tiny enough usage that it's easy for a handful of governments to run a critical mass of exit nodes and relays to do traffic analysis. Instead of discouraging things like bittorrent - I think the Tor project should encourage it, along with encouraging people to contribute back enough bandwidth to make up for their downloads (i.e. contribute about 3X the bandwidth they download). That way Tor could grow to the scale where it'd be much harder to monitor or take down.
    • by CAIMLAS (41445)

      Yep. In light of these windows nodes getting exploited, I decided last night that I'm going to set up a tor node VM, with limited bandwidth, just for the purposes of providing an additional hop.

      Tor use is likely to increase significantly due to all the domestic spying everyone has become aware of here in the West. This is both an opportunity for Tor as well as a challenge: there will be more users, and more people who were iffy about running high bandwidth nodes will likely do so, but there will also be mor

    • by Burz (138833)

      I2P encourages bittorrent and has been growing for years. It's also designed to be less exploitable than Tor (it's less centralized) and hidden I2P sites generally assume you have Javascript turned off.

  • by PPH (736903) on Tuesday August 06, 2013 @10:36AM (#44486139)

    ... is to stop using the NSA.

  • by BenEnglishAtHome (449670) on Tuesday August 06, 2013 @10:37AM (#44486147)

    How long will it be before the FBI goes publicly on the attack?

    Freedom Hosting was, from what I've been reading over the last couple of days, not only taken over by the FBI and used to inject this code but it also probably hosted half of all child porn *.onion sites extant.

    Demonizing the pervs seems like a good way to distract people from the fact that a state entity is now actively running malware that attacks everybody. I'm surprised it hasn't started already.

    • "Terror" worked as an excuse for a while, but then with all the Manning etc. revelations, people realised that war on a military strategy was just a bit of clever spin.

      Now we're onto the child porn angle, which is easier as both the hawks and the pacifists can be seduced into a think-of-the-children argument. Never mind that driving the producers of child sex abuse images further underground is the worst possible thing - I say that such *evidence* of child sex abuse should be out in the open, so that humans ar

  • by Joining Yet Again (2992179) on Tuesday August 06, 2013 @10:43AM (#44486209)

    ...stop using a system developed and partly sanctioned by the US military if you actually want to preserve your privacy. Actually, lack of privacy is a social problem, and all technical solutions are based simply on not your doing anything important enough for someone to engage in an arms race with you (which you will lose).

    If you want privacy, you need to have exclusive control of a great deal of the network and intermediate nodes, plus the exact content of the traffic. And then you need to make sure that merely the raw content isn't a giveaway. Otherwise stochastic methods will attack all of the above and identify who you are, before an exploit's even been planted on your home machine.

    Or foster a society that refuses to allocate the resources to fuck you over. Remember, anyone can be taught skills - but values are much harder to instil.

  • Why not just tell people to stop using the internet completely? Unplug their computers from the internet, then they'd be completely safe. And they might as well, too, if they disable javascript, given that basically everything uses it these days...

  • Well, you could hardly argue with either suggestion, even before TOR was known to be compromised.

  • I use tor and firefox. But I don't use firefox that is bundled with Tor (v1.7ESR), but my own (v22). I run private mode, and I use the convenient FoxyProxy extension to redirect my network connection to either tor or for a direct connection. FoxyProxy allows me to specify what sites I would need to redirect to Tor and what not. Fairly simple, really.
  • From what I heard, the flaw affects Firefox 17 and the latest browser bundle is 22 and javascript has to be on, which it technically isn't because of noscript being on by default. Also, since it's Firefox and javascript and cookies, it's actually platform independent so switching off of Windows will do absolutely nothing to prevent this type of attack. Great article!
  • by crow (16139) on Tuesday August 06, 2013 @11:01AM (#44486435) Homepage Journal

    Yes, I know that you can get a web browser that is specifically set up to route everything through TOR. What I want is a simple setting in browsers to use TOR for all private browsing sessions.

    • You can kind of use the foxyproxy add-on in firefox to get what you want - it is a bit fiddly to set up, but once it is running, it is very easy to switch on and off.

      A rough guide to setting it up is here [ehow.com].
  • by wonkey_monkey (2592601) on Tuesday August 06, 2013 @11:05AM (#44486467) Homepage

    The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox

    Stop using Firefox (this particular version, on Windows) surely?

    Sounds like someone at TOR was hankering for an excuse to rail against Windows.

    • by Anonymous Coward

      Mozilla were not listed as NSA PRISM aiding and abetting companies. Microsoft was listed as an active participant, helping NSA bypass the search warrant requirements on their outlook products and providing technical assistance on Skype.

      One company picked sides, and it's not the side with the Constitution on it.

      So yes, he's probably right.
      NSA broke TOR on the excuse of kiddy diddlers but they broke TOR mainly to prevent leakers from the NSA from using it to leak. Why else would they use their own IP address c

  • ...and you have something on EVERYONE, in advance.

    Then regularly select people at random, to keep the rest of the population in fear.

    And specifically target any inconveniences.

  • by Wrath0fb0b (302444) on Tuesday August 06, 2013 @11:51AM (#44487023)

    As Adi Shamir (the S in RSA) has been trying to point out [theregister.co.uk], cryptography is a method for transferring data between two trusted hosts. So the F-16 zooming above Washington can get some radar data from the airbase in Virginia and no one listening in can decrypt it. At the point where some luser picks up a USB drive [arstechnica.com] off the parking lot floor and plugs it into a computer inside the airbase, all the encryption in the world matters not one whit.

    It's a massive change to the model we use to conceptualize the threat -- instead of Alice and Bob trying to communicate with each other and keep Charles from decrypting, we have Alice and Bob trying (a) to protect their machines from Charles compromising it and (b) trying to limit the data done if he does compromise it. This isn't your father's security any more.

    What it also means is that we are going to need a lot fewer secrets that are really worth keeping or else spend much more time partitioning our virtual worlds. As BEAST/CRIME show, if you treat your Facebook login cookie as a secret, then you need to access it from a partitioned browser where a malicious page cannot make requests using it.
