TOR Wants You To Stop Using Windows, Disable JavaScript

itwbennett writes "The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network. The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network. 'Really, switching away from Windows is probably a good security move for many reasons,' according to a security advisory posted Monday by The TOR Project."
  • by Anonymous Coward on Tuesday August 06, 2013 @10:17AM (#44485917)

    So the vulnerability is in firefox and java, but they propose to stop using Windows?

  • Very poor advice (Score:4, Insightful)

    by metrix007 ( 200091 ) on Tuesday August 06, 2013 @10:26AM (#44486017)

    Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they do, they won't necessarily know how.

    Secondly, it's poor advice. The vulnerability affects Firefox 17, and Firefox is up to 22 now, I think. Wouldn't it make more sense for them to make sure the Tor browser is hardened and recommend that people use that?

    Finally, using a more recent Windows version is actually good for security. ASLR, DEP, a rudimentary MAC implementation, UAC... despite what people say, Windows is actually one of the better operating systems security-wise these days. Not just because of the preventive technology that most other OSes don't have (OS X has a lacking and broken implementation, most Linux distros are not as complete in their implementations...), but because Microsoft started taking security seriously and vulnerabilities are rare these days.

    Whatever, bring on the irrational arguments and Microsoft hate. Is it really too much for a forum of tech nerds to be objective in their analysis?

  • by FriendlyLurker ( 50431 ) on Tuesday August 06, 2013 @10:30AM (#44486079)
    Recommend switching away from windows, a few will do so and a lot more will just not bother - and so the pool of people using Tor (and other encryption privacy "enhancing" services) shrinks just a little bit more. If the whistleblower Snowden revelations have taught us nothing else, it is that if you are one of the few that use encryption/VPN/privacy enhancing solutions then you attract extra unwanted attention to yourself. For everyone to enjoy privacy, security professionals need to be coding solutions and encouraging more people, including Windows users, to adopt always on default encryption - not the opposite. Are they really that clueless?
  • Re:Firefox (Score:3, Insightful)

    by Anonymous Coward on Tuesday August 06, 2013 @10:31AM (#44486089)
    Since they are advocating throwing away an entire OS due to a flaw in Firefox, I'll go one step further. Throw out your entire PC and you'll be 100% secure.
  • Another problem is that Tor has tiny enough usage that it's easy for a handful of governments to run a critical mass of exit nodes and relays to do traffic analysis. Instead of discouraging things like BitTorrent, I think the Tor project should encourage it, along with encouraging people to contribute back enough bandwidth to make up for their downloads (i.e. contribute about 3X the bandwidth they download). That way Tor could grow to the scale where it'd be much harder to monitor or take down.
  • by PPH ( 736903 ) on Tuesday August 06, 2013 @10:36AM (#44486139)

    ... is to stop using the NSA.

  • by BenEnglishAtHome ( 449670 ) on Tuesday August 06, 2013 @10:37AM (#44486147)

    How long will it be before the FBI goes publicly on the attack?

    Freedom Hosting was, from what I've been reading over the last couple of days, not only taken over by the FBI and used to inject this code but it also probably hosted half of all child porn *.onion sites extant.

    Demonizing the pervs seems like a good way to distract people from the fact that a state entity is now actively running malware that attacks everybody. I'm surprised it hasn't started already.

  • by Joining Yet Again ( 2992179 ) on Tuesday August 06, 2013 @10:43AM (#44486209)

    ...stop using a system developed and partly sanctioned by the US military if you actually want to preserve your privacy. Actually, lack of privacy is a social problem, and all technical solutions are based simply on your not doing anything important enough for someone to engage in an arms race with you (which you will lose).

    If you want privacy, you need to have exclusive control of a great deal of the network and intermediate nodes, plus the exact content of the traffic. And then you need to make sure that merely the raw content isn't a giveaway. Otherwise stochastic methods will attack all of the above and identify who you are, before an exploit's even been planted on your home machine.

    Or foster a society that refuses to allocate the resources to fuck you over. Remember, anyone can be taught skills - but values are much harder to instil.

  • by couchslug ( 175151 ) on Tuesday August 06, 2013 @10:55AM (#44486353)

    "Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don't, they won't necessarily know how."

    Anyone can create bootable media with a short time spent practicing.

    If you are at war you need to learn how to fight, not expect the rules to change for you. If that's not convenient, tough shit.

    What one man can learn, another can learn. Plenty of Syrians didn't know how to kill tanks and APCs before "current events" either.

  • by vistapwns ( 1103935 ) on Tuesday August 06, 2013 @10:55AM (#44486367)
    They really don't need to have backdoors, and that would present problems if MS and Apple allowed it. They could face lawsuits and what not, and hackers could find them and use the backdoors. Most likely what these 3 letter agencies do, is hire people to find 0-days in all the OSes and all the browsers. Modern OSes and browsers are so complicated, that this is probably easy to do. If a 0-day gets fixed, they can just always find more. It's the same effect as having a backdoor, but without the legal problems for the companies involved, and it works for all OSes/browsers. Hackers find 0-days all the time, and these 3 letter guys are probably much better and more funded, so..
  • Well I think part of the problem is that security experts are experts, and they don't understand that if they really want to encourage better security, they need to make it easy for non-experts. It's funny, because you'd think security experts would know this. One of the key things about security is that a great security measure that nobody uses and everyone circumvents is actually a terrible security measure.

    Encryption implementations need to be so well designed and foolproof that they're enabled by default. Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications. We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA. We don't enable encryption on email because it requires plugins and complicated setups. We don't use TOR because it's not quite brain-dead simple.

    The experts will respond, "But it *is* brain-dead simple. Just download this plugin, drop into the command line and type [insert command here], compile this binary, change this configuration file in /etc. Oh wait, you're on Windows? Sorry, then you need to download these other files. Get GPG v1 because v2 is completely different and doesn't work with the plugins. Then when you get this error, hit 'ignore'..." And all that makes sense to the experts because they're experts, and they understand what's going on. People won't start using encryption en masse until it's so brain-dead simple that they don't even know they're using it.

  • by slashmydots ( 2189826 ) on Tuesday August 06, 2013 @10:59AM (#44486419)
    From what I heard, the flaw affects Firefox 17 and the latest browser bundle is 22, and JavaScript has to be on, which technically it isn't because of NoScript being on by default. Also, since it's Firefox and JavaScript and cookies, it's actually platform independent, so switching off of Windows will do absolutely nothing to prevent this type of attack. Great article!
  • by wonkey_monkey ( 2592601 ) on Tuesday August 06, 2013 @11:05AM (#44486467)

    The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox

    Stop using Firefox (this particular version, on Windows) surely?

    Sounds like someone at TOR was hankering for an excuse to rail against Windows.

  • by FriendlyLurker ( 50431 ) on Tuesday August 06, 2013 @11:11AM (#44486527)
    You are right - how do we change the situation? I think "Off The Record" (OTR [wikipedia.org]) is a step in the right direction and a possible example to learn from. It just works out of the box for a lot of chat clients, zero configuration needed, providing 100% encrypted chat sessions by default for all users that use those chat clients that ship with it enabled by default. A security "professional" will be quick to spout that it is open to MITM blah blah blah but fail to recognize that 100% adoption of always-on encryption is achieved - the hard part. From there it is a small extra step for those that can be bothered to check fingerprints out of band, or even add extra services that help the clueless/not interested do that part automatically. It is like security professionals can't get past the "it is not flawless" stage... and so we are all stuck with nothing or something very good that nobody else uses or can interact with (PGP as one of many examples).
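Added example (not part of this thread and not OTR's own code): a trust-on-first-use fingerprint store of the kind the post above describes. Encryption is on from the first message with no user action; the first key seen for a peer is pinned and reported as "unverified" until its fingerprint has been compared out of band; a later change of key is reported as a mismatch, which is what a man-in-the-middle looks like under this scheme. The peer names and the key bytes are constructed for the example (OTR would use real DSA keys here).

```python
import hashlib
import re

# Constructed sample "public keys" for the example; raw bytes stand in for real keys.
ALICE_KEY = b"alice-public-key-bytes-0001"
MALLORY_KEY = b"mallory-public-key-bytes-9999"


def fingerprint(pubkey: bytes) -> str:
    """SHA-256 fingerprint of a raw public key, grouped in 8-hex-char blocks
    so it can be read aloud over a phone call or printed on a card."""
    digest = hashlib.sha256(pubkey).hexdigest().upper()
    return " ".join(digest[i:i + 8] for i in range(0, len(digest), 8))


def normalize_fp(fp: str) -> str:
    """Strip spacing and case so a fingerprint typed from paper still compares equal."""
    return re.sub(r"[^0-9A-F]", "", fp.upper())


class TofuStore:
    """Trust-on-first-use pin store.

    The first key seen for a peer is pinned automatically (no user action, so
    adoption is 100%). Verification is a separate, optional step done out of
    band; until it happens the pin is marked unverified rather than rejected.
    """

    def __init__(self):
        self._pins = {}  # peer -> {"fp": str, "verified": bool}

    def check(self, peer: str, pubkey: bytes) -> str:
        """Return 'new', 'unverified', 'verified' or 'mismatch' for this session."""
        fp = fingerprint(pubkey)
        entry = self._pins.get(peer)
        if entry is None:
            self._pins[peer] = {"fp": fp, "verified": False}
            return "new"
        if entry["fp"] != fp:
            # The pinned key changed: either the peer regenerated keys or someone
            # is in the middle. A client must not silently accept this.
            return "mismatch"
        return "verified" if entry["verified"] else "unverified"

    def verify_out_of_band(self, peer: str, spoken_fp: str) -> bool:
        """Mark the pin verified if the fingerprint obtained out of band matches it."""
        entry = self._pins.get(peer)
        if entry is None:
            return False
        if normalize_fp(spoken_fp) == normalize_fp(entry["fp"]):
            entry["verified"] = True
            return True
        return False


if __name__ == "__main__":
    store = TofuStore()
    print(store.check("alice@example.org", ALICE_KEY))            # new
    print(store.check("alice@example.org", ALICE_KEY))            # unverified
    spoken = fingerprint(ALICE_KEY).lower().replace(" ", "")      # as read over the phone
    print(store.verify_out_of_band("alice@example.org", spoken))  # True
    print(store.check("alice@example.org", ALICE_KEY))            # verified
    print(store.check("alice@example.org", MALLORY_KEY))          # mismatch
```

The design point is the ordering: pin and encrypt first, so every session is protected against passive collection, and make the fingerprint comparison a later step the user (or a helper service) can do without ever having had to decide to "turn on encryption".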
  • by joe_frisch ( 1366229 ) on Tuesday August 06, 2013 @11:34AM (#44486791)

    Doesn't really help. Steganography tools will be considered suspicious and there will be versions with backdoors out there. I don't think this can be fought with technology - the large government organizations will have the resources to get the data they want, either by hacks, or by rubber-hose decryption. A tiny percentage of really expert users may be able to find ways to communicate securely, but the vast majority of people will not have the skill to do so. Since the "experts" need to communicate with non-experts this really doesn't solve much of the problem anyway.

    If we want the government to stop snooping we need to change the LAWS. If there aren't enough votes to change the law, then we just need to suck it up, same as for any other decision by the majority.

  • by Applekid ( 993327 ) on Tuesday August 06, 2013 @11:47AM (#44486961)

    If we want the government to stop snooping we need to change the LAWS. If there aren't enough votes to change the law, then we just need to suck it up, same as for any other decision by the majority.

    What good are laws if government ignores them?

  • by joe_frisch ( 1366229 ) on Tuesday August 06, 2013 @12:05PM (#44487193)

    In the US they are not quite "ignored". They are twisted and redefined. Still remember that the #1 goal of most politicians is to get re-elected, so they do in some ways respond to what voters want. I mostly blame a cowardly public that is willing to give up its rights and freedoms for a bit of extra safety.

  • by phantomfive ( 622387 ) on Tuesday August 06, 2013 @01:07PM (#44487971)
    I have a lock on my door to keep out casual attempts to get access to my data.
  • by blueg3 ( 192743 ) on Tuesday August 06, 2013 @01:19PM (#44488159)

    It's funny, because you'd think security experts would know this.

    Actually, they do know it. Often, making security, and encryption in particular, usable is a hard problem. There's also often not interest or support for it, in which case it doesn't get done. Hard problems take time and money to solve.

    Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications.

    That's pretty rare. A lot of people do use full-drive encryption: like people with iOS devices, newer versions of Mac OS X, and many versions of Ubuntu. It's because on those systems, it's been engineered to work well and it's very easy to turn on.

    We don't enable encryption on email because it requires plugins and complicated setups.

    This is more difficult because that's not the hard part of e-mail encryption. In fact, there are some fairly simple e-mail encryption systems and clients that have it built in. The hard part is that effective e-mail encryption basically boils down to running a public-key infrastructure. Almost any security problem that ends with "...then you just need to distribute public keys" has a hard time being widely adopted and scalable.

    We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA.

    Nonsense. Buying a cert from a CA is simpler than setting up a web server, by a long shot. If you're not running your own web server (very reasonable these days), most half-decent hosting companies will do all the work of getting a cert and configuring your server for you. All it takes is money -- and it's so inexpensive that the only people that can't afford it are private individuals hosting websites that don't make money.

    We don't use TOR because it's not quite brain-dead simple.

    It's basically brain-dead simple now if you use the Tor Browser Bundle, which is what this exploit is targeting.

    One of the major reasons the exploit works is that Security Is Hard, both for experts and non-experts.
