Security Encryption

TOR Wants You To Stop Using Windows, Disable JavaScript 341

itwbennett writes "The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network. The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network. 'Really, switching away from Windows is probably a good security move for many reasons,' according to a security advisory posted Monday by The TOR Project."

  • Re:Proper Summary (Score:5, Interesting)

    by pipatron ( 966506 ) <pipatron@gmail.com> on Tuesday August 06, 2013 @10:43AM (#44486213) Homepage
    Yeah, and next week when the next javascript exploit is found, the excuse will be the same. "Just upgrade your browser and it will be ok, javascript is safe!" No one in their right mind would enable vbscript by default when opening spreadsheet files, but javascript on websites doesn't seem to be a problem.
  • Re:Very poor advice (Score:4, Interesting)

    by sociocapitalist ( 2471722 ) on Tuesday August 06, 2013 @10:44AM (#44486231)

    Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they do, they won't necessarily know how.

    Secondly, it's poor advice. The vulnerability affects Firefox 17....and Firefox is up to 22 now I think. Wouldn't it make more sense for them to make sure the tor browser is hardened and recommend people to use that?

    Finally, using a more recent Windows version is actually good for security. ASLR, DEP, a rudimentary MAC implementation, UAC...despite what people say, Windows is actually one of the better operating systems security-wise these days. Not just because of the preventive technology that most other OS's don't have (OS X has a lacking and broken implementation, most Linux distros are not as complete in their implementations..), but because Microsoft started taking security seriously and vulnerabilities are rare these days.

    Whatever, bring on the irrational arguments and Microsoft hate. Is it really too much for a forum of tech nerds to be objective in their analysis?

    http://www.zdnet.com/blog/btl/microsoft-certificate-used-to-sign-flame-malware-issues-warning/78980 [zdnet.com]

    It would be interesting to know how the 'state' that developed Flame acquired the MS certificate in question.
      - compromised using tech that the NSA has that we don't know about?
      - bought off the black market after being stolen by some other entity?
      - or just given by MS to the 'state'..?

  • by pr0nbot ( 313417 ) on Tuesday August 06, 2013 @10:45AM (#44486249)

    If encryption is a "please investigate me" red flag, then we need to find ways to hide the encryption (i.e. steganography).

  • by Anonymous Coward on Tuesday August 06, 2013 @10:48AM (#44486277)
    Agree - SSL/https is the shining example of how completely the security professionals have failed the Internet users. That and the sorry state of always unencrypted email all the time, by default. Perhaps most "security professionals" are really trying to keep the status quo - no encryption by default. No prizes for guessing who is the biggest employer and sponsor of security researchers...
  • by FriendlyLurker ( 50431 ) on Tuesday August 06, 2013 @10:49AM (#44486293)
    Not if the majority or dare I say everyone raises the red flag, we don't.
  • by feranick ( 858651 ) on Tuesday August 06, 2013 @10:51AM (#44486313)
    1. Go to about:config. 2. Search for javascript.enabled. 3. Toggle off. 4. No javascript. Alternatively, install NoScript. 5. Stop spreading nonsense.
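
A way to verify the about:config toggle described in the comment above from outside the browser, as an added example that is not part of the original thread: it reads the text of a Firefox profile's prefs.js and user.js and reports the effective `javascript.enabled` value. The function names and sample file contents are constructed for illustration; an installed NoScript extension is not detected by this check.

```python
import re

# One active preference line as Firefox writes it in prefs.js / user.js, e.g.
#   user_pref("javascript.enabled", false);
# The value is either a quoted string or a bare token (true, false, an integer).
PREF_RE = re.compile(
    r'^[ \t]*user_pref\(\s*"([^"]+)"\s*,\s*("(?:[^"\\]|\\.)*"|[^\s,)]+)\s*\)\s*;',
    re.M,
)
BLOCK_COMMENT_RE = re.compile(r"/\*.*?\*/", re.S)

def parse_prefs(text):
    """Return {name: raw_value} for each active user_pref() line; last one wins."""
    text = BLOCK_COMMENT_RE.sub("", text)   # drop /* ... */ blocks first
    # Lines starting with // never match, because the pattern is anchored
    # to user_pref at the start of a line.
    return {name: value for name, value in PREF_RE.findall(text)}

def javascript_enabled(prefs_js="", user_js=""):
    """Effective state of javascript.enabled for a profile."""
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))     # user.js is applied on top at startup
    # Firefox enables JavaScript unless the preference is explicitly false.
    return merged.get("javascript.enabled", "true") != "false"

# Constructed sample profile contents (not taken from a real machine).
SAMPLE_PREFS_JS = '''// Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
'''
SAMPLE_USER_JS = '''/* earlier setting, disabled
user_pref("javascript.enabled", true);
*/
// user_pref("javascript.enabled", true);
user_pref("javascript.enabled", false);  // scripts off
'''

if __name__ == "__main__":
    print("prefs.js only:", javascript_enabled(SAMPLE_PREFS_JS))
    print("with user.js :", javascript_enabled(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
```
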
  • by Anonymous Coward on Tuesday August 06, 2013 @11:34AM (#44486795)

    Mozilla were not listed as NSA PRISM aiding and abetting companies. Microsoft was listed as an active participant, helping NSA bypass the search warrant requirements on their outlook products and providing technical assistance on Skype.

    One company picked sides, and it's not the side with the Constitution on it.

    So yes, he's probably right.
    NSA broke TOR on the excuse of kiddy diddlers but they broke TOR mainly to prevent leakers from the NSA from using it to leak. Why else would they use their own IP address clearly and publicly in the breach??

    It's to scare any potential NSA employees from leaking how far NSA has gone over the line.

  • by Wrath0fb0b ( 302444 ) on Tuesday August 06, 2013 @11:51AM (#44487023)

    As Adi Shamir (the S in RSA) has been trying to point out [theregister.co.uk], cryptography is a method for transferring data between two trusted hosts. So the F-16 zooming above Washington can get some radar data from the airbase in Virginia and no one listening in can decrypt it. At the point where some luser picks up a USB drive [arstechnica.com] off the parking lot floor and plugs it into a computer inside the airbase, all the encryption in the world matters not one whit.

    It's a massive change to the model we use to conceptualize the threat -- instead of Alice and Bob trying to communicate with each other and keep Charles from decrypting, we have Alice and Bob trying (a) to protect their machines from Charles compromising it and (b) trying to limit the data done if he does compromise it. This isn't your father's security any more.

    What it also means is that we are going to need a lot fewer secrets that are really worth keeping or else spend much more time partitioning our virtual worlds. As BEAST/CRIME show, if you treat your Facebook login cookie as a secret, then you need to access it from a partitioned browser where a malicious page cannot make requests using it.

  • by rmstar ( 114746 ) on Tuesday August 06, 2013 @11:57AM (#44487083)

    Users can not secure themselves against invasive hacking by the US Government.

    Sure.

    Now, if instead of engaging in this self-defeating every-man-to-himself canned-goods-and-ammo mentality users would actually stand up for their rights actively, which means, engaging in politics - that could work.
