TOR Wants You To Stop Using Windows, Disable JavaScript

itwbennett writes "The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox that undermined the main advantages of the privacy-centered network. The zero-day vulnerability allowed as-yet-unknown interlopers to use a malicious piece of JavaScript to collect crucial identifying information on computers visiting some websites using The Onion Router (TOR) network. 'Really, switching away from Windows is probably a good security move for many reasons,' according to a security advisory posted Monday by The TOR Project."

NSA owned netblocks

[NynexNinja]

Looks like the NSA is up to their old dirty tricks: http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/ [arstechnica.com] ... And yes, I second the motion to stop using Windows -- its full of zero day bugs like this. Not a day goes by where you don't hear about a new zero day attack focused on Windows, and its been that way for decades.

Re:

[sociocapitalist]

Looks like the NSA is up to their old dirty tricks: http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/ [arstechnica.com] ... And yes, I second the motion to stop using Windows -- its full of zero day bugs like this. Not a day goes by where you don't hear about a new zero day attack focused on Windows, and its been that way for decades.

Because no other operating systems or applications have zero day bugs....

Users can not secure themselves against invasive hacking by the US Government.

The best that can be done is probably a VM that's been stripped down to essentials and does nothing but TOR but even that isn't going to keep the NSA out if they want in.

Re:NSA owned netblocks

[rmstar]

Users can not secure themselves against invasive hacking by the US Government.

Sure.

Now, if instead of engaging in this selfdefeating every-man-to-himself canned-goods-and-ammo mentality users would actually stand up for their rights actively, which means, engaging in politics - that could work.

Re:

[slashmydots]

From TFA:
"People using Linux and OS X were not affected, but that doesn't mean they couldn't be targeted in the future. This wasn't the first Firefox vulnerability, nor will it be the last."
So....no. It wasn't even a Windows exploit, actually. It was a firefox exploit that happened to only work on Windows but it's equally likely any future flaws will not be platform dependent. What you should do is stay on Windows and just update your damn Tor browser bundle when a new one is released.

Very poor advice

[metrix007]

Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don, they won't necessarily know how.

Secondly, it's poor advice. The vulnerability affects Firefox 17....and Firefox is up to 22 now I think. Wouldn't it make more sense for them to make sure the tor browser is hardened and recommend people to use that?

Finally, Using a more recent windows version is actually good for security. ASLR, DEP, a rudimentary MAC implementation, UAC...despite what people say, Windows is actually one of the better operating systems security wise these days. Not just because of the preventive technology that most other OS's don't have (OS X has a lacking and broken implementation, most linux distros are not as complete in their implementations..), but because Microsoft started taking security seriously and vulnerabilities are rare these days.

Whatever, bring on the irrational arguments and Microsoft hate. Is it really too much for a forum of tech nerds to be objective in their analysis?

Re:Very poor advice

[sociocapitalist]

Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don, they won't necessarily know how.

Secondly, it's poor advice. The vulnerability affects Firefox 17....and Firefox is up to 22 now I think. Wouldn't it make more sense for them to make sure the tor browser is hardened and recommend people to use that?

Finally, Using a more recent windows version is actually good for security. ASLR, DEP, a rudimentary MAC implementation, UAC...despite what people say, Windows is actually one of the better operating systems security wise these days. Not just because of the preventive technology that most other OS's don't have (OS X has a lacking and broken implementation, most linux distros are not as complete in their implementations..), but because Microsoft started taking security seriously and vulnerabilities are rare these days.

Whatever, bring on the irrational arguments and Microsoft hate. Is it really too much for a forum of tech nerds to be objective in their analysis?

http://www.zdnet.com/blog/btl/microsoft-certificate-used-to-sign-flame-malware-issues-warning/78980 [zdnet.com]

It would be interesting to know how the 'state' that developed Flame acquired the MS certificate in question.
  - compromised using tech that the NSA has that we don't know about?
  - bought off the black market after being stolen by some other entity?
  - or just given by MS to the 'state'..?

Re:Very poor advice

[CAIMLAS]

It's trivial to use Tor in a secure fashion. In fact, if you need the security provided by Tor, chances are you're better off doing it this way instead:

1) Download Tails [boum.org]
2) Burn to CD
3) Boot disk
4) Use Tor

How hard was that?

(Personally, I use IE5 and Windows 2000 for Tor. Nobody's going to try to exploit that... and yes, I'm kidding.)

Re:

[AHuxley]

If they helped get your plain text http://www.theguardian.com/world/2013/jul/11/microsoft-nsa-collaboration-user-data [theguardian.com] and
http://news.cnet.com/8301-13578_3-57593339-38/nsa-docs-boast-now-we-can-wiretap-skype-video-calls/ [cnet.com]
to Android software and..."remotely activate the microphones in phones"..
http://online.wsj.com/article_email/SB10001424127887323997004578641993388259674-lMyQjAxMTAzMDAwMTEwNDEyWj.html [wsj.com]
The tame, low cost, US OS are they way in.
Tor exit nodes and colluding fun back in the day:
http://them [wordpress.com]

Re:Very poor advice

[couchslug]

"Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows. Even if they don't, they won't necessarily know how."

Anyone can create bootable media with a short time spent practicing.

If you are at war you need to learn how to fight, not expect the rules to change for you. If that's not convenient, tough shit.

What one man can learn, another can learn. Plenty of Syrians didn't know how to kill tanks and APCs before "current events" either.

Re:

[HeckRuler]

Wut?

Many of the people using Tor in restrictive countries won't have the luxury of switching away from Windows

Which country are you specifically talking about? Is it illegal to run Linux somewhere? To the best of my knowledge the only people working on keeping people from installing Linux are the ones trying to push secureboot and UEFI. That's Microsoft and friends. The whole "war on general computing" thing seems either overblown or in it's infancy. Seriously, who don't have the luxury of switching away from Windows? Are you talking about wage-slaves or something? Who would use TOR at work?

Secondly, yeah, it'

I think that one solution.....

[mark-t]

... would be for web browsers to have some javascript configuration settings, allowing them to specify, for instance, what values these particular queries (hostname and mac address) should actually return, if not the defaults, much like how some browsers allow you to configure what it reports as a user-agent header in an http request.

So much for TOR

[kheldan]

If you've been reading here regularly you know that TOR is compromised now anyway, as is pretty much all internet usage. I don't even personally believe that any form of encryption available to the general public is even safe from prying eyes anymore.

Re:

[AHuxley]

One time pad to your family, tribe, gang, cult, freedom fighters, friends, new friends or fellow travellers.
Geolocation and electronic chatter seems to be the focus of the surveillance structure that was build up... ie you have to keep feeding the machines, phones or mail.

Tor needs to encourage more users/usage.

[ron_ivi]

Another problem is Tor's has tiny enough usage that it's easy for a handful of governments to run a critical mass of exit nodes and relays to do traffic analysis. Instead of discouraging things like bittorrent - I think the Tor project should encourage it, along with encouraging people to contribute back enough bandwidth to make up for their downloads (i.e. contribute about 3X the bandwidth they download). That way Tor could grow to the scale where it'd be much harder to monitor or take down.

Re:

[CAIMLAS]

Yep. In light of these windows nodes getting exploited, I decided last night that I'm going to set up a tor node VM, with limited bandwidth, just for the purposes of providing an additional hop.

Tor use is likely to increase significantly due to all the domestic spying everyone has become aware of here in the West. This is both an opportunity for Tor as well as a challenge: there will be more users, and more people who were iffy about running high bandwidth nodes will likely do so, but there will also be mor

Re:

[Burz]

I2P encourages bittorrent and has been growing for years. Its also designed to be less exploitable than Tor (its less centralized) and hidden I2P sites generally assume you have Javascript turned off.

I think the best solution ...

[PPH]

... is to stop using the NSA.

The Child Porn Angle

[BenEnglishAtHome]

How long will it be before the FBI goes publicly on the attack?

Freedom Hosting was, from what I've been reading over the last couple of days, not only taken over by the FBI and used to inject this code but it also probably hosted half of all child porn *.onion sites extant.

Demonizing the pervs seems like a good way to distract people from the fact that a state entity is now actively running malware that attacks everybody. I'm surprised it hasn't started already.

Re:

[Joining Yet Again]

"Terror" worked as an excuse for a while, but then with all the Manning etc. revelations, people realised that war on a military strategy was just a bit of clever spin.

Now we're onto the child porn angle, which easier as both the hawks and the pacifists can be seduced into a think-of-the-children argument. Never mind that driving the producers of child sex abuse images further underground is the worst possible thing - I say that such *evidence* of child sex abuse should be out in the open, so that humans ar

privacy advocates want you to...

[Joining Yet Again]

...stop using a system developed and partly sanctioned by the US military if you want actually want to preserve your privacy. Actually, lack of privacy is a social problem, alland technical solutions are based simply on not your doing anything important enough for someone to engage in an arms race with you (which you will lose).

If you want privacy, you need to have exclusive control of a great deal of the network and intermediate nodes, plus the exact content of the traffic. And then you need to make sure that merely the raw content isn't a giveaway. Otherwise stochastic methods will attack all of the above and identify who you are, before an exploit's even been planted on your home machine.

Or foster a society that refuses to allocate the resources to fuck you over. Remember, anyone can be taught skills - but values are much harder to instil.

More secure, equally silly recommendation

[neminem]

Why not just tell people to stop using the internet completely? Unplug their computers from the internet, then they'd be completely safe. And they might as well, too, if they disable javascript, given that basically everything uses it these days...

Ooh I Wouldn't do THAT

[Greyfox]

Not using the Internet is a HUGE red flag to the NSA. They'll be all up in your shit if you do that. You know who doesn't use the Internet? Terrorists. Which kind of makes you wonder why they feel they have to monitor the WHOLE FUCKING THING.

Stop using Windows. Disable Javascript.

[gestalt_n_pepper]

Well, you could hardly argue with either suggestion, even before TOR was known to be compromised.

Don't use Firefox bundled by TOR

[feranick]

I use tor and firefox. But I don't use firefox that is bundled with Tor (v1.7ESR), but my own (v22). I run private mode, and I use the convenient FoxyProxy extension to redirect my network connection to either tor or for a direct connection. FoxyProxy allows me to specify what sites I would need to redirect to Tor and what not. Fairly simple, really.

Re:Don't use Firefox bundled by TOR

[Burz]

This is a sure way to reveal your IP address to an attacker. The only proxy switcher ever deemed safe to use with Tor was TorButton... the rest allowed cache and history-based attacks. Even so, Tor project recommends the entire browser now be customized for Tor and not used for any in-the-clear web access.

not even remotely related

[slashmydots]

From what I heard, the flaw affects Firefox 17 and the latest browser bundle is 22 and javascript has to be on, which is technically isn't because of noscript being on by default. Also, since it's Firefox and javscript and cookies, it's actually platform independent so switching off of Windows will do absolutely nothing to prevent this type of attack. Great article!

TOR should be integrated with a browser

[crow]

Yes, I know that you can get a web browser that is specifically set up to route everything through TOR. What I want is a simple setting in browsers to use TOR for all private browsing sessions.

Re:

[niftydude]

You can kind of use the foxyproxy add-on in firefox to get what you want - it is a bit fiddly to set up, but once it is running, it is very easy to switch on and off.

A rough guide to setting it up is here [ehow.com].

So which is it, Firefox or Windows?

[wonkey_monkey]

The TOR Project is advising that people stop using Windows after the discovery of a startling vulnerability in Firefox

Stop using Firefox (this particular version, on Windows) surely?

Sounds like someone at TOR was hankering for an excuse to rail against Windows.

Firefox not part of PRISM

[Anonymous Coward]

Mozilla were not listed as NSA PRISM aiding and abetting companies. Microsoft was listed as an active participant, helping NSA bypass the search warrant requirements on their outlook products and providing technical assistance on Skype.

One company picked sides, and its not the side with the Constitution on it.

So yes, he's probably right.
NSA broke TOR on the excuse of kiddy diddlers but they broke TOR mainly to prevent leakers from the NSA from using it to leak. Why else would they use their own IP address c

collect enough data...

[Joining Yet Again]

...and you have something on EVERYONE, in advance.

Then regularly select people at random, to keep the rest of the population in fear.

And specifically target any inconveniences.

The post-cryptography security world ...

[Wrath0fb0b]

As Adi Shamir (the S in RSA) has been trying to point out [theregister.co.uk], cryptography is a method for transferring data between two trusted hosts. So the F-16 zooming above Washington can get some radar data from the airbase in Virginia and no one listening in can decrypt it. At the point where some luser picks up a USB drive [arstechnica.com] off the parking lot floor and plugs it into a computer inside the airbase, all the encryption in the world matters not one whit.

It's a massive change to the model we use to conceptualize the threat -- instead of Alice and Bob trying to communicate with each other and keep Charles from decrypting, we have Alice and Bob trying (a) to protect their machines from Charles compromising it and (b) trying to limit the data done if he does compromise it. This isn't your father's security any more.

What is also means is that we are going to need a lot fewer secrets that are really worth keeping or else spend much more time partitioning our virtual worlds. As BEAST/CRIME show, if you treat your Facebook login cookie as a secret, then you need to access it from a partitioned browser where a malicious page cannot make requests using it.

Re:Firefox

[The MAZZTer]

Firefox allows it, as does every major browser. But it is not the default, because it is incredibly inconvenient considering how many websites rely on it. There are tools to make it easier for Firefox and Chrome but it is still a bit of a bother.

Security professionals generally missing the point

[FriendlyLurker]

Recommend switching away from windows, a few will do so and a lot more will just not bother - and so the pool of people using Tor (and other encryption privacy "enhancing" services) shrinks just a little bit more. If the whistleblower Snowden revelations have taught us nothing else, it is that if you are one of the few that use encryption/VPN/privacy enhancing solutions then you attract extra unwanted attention to yourself. For everyone to enjoy privacy, security professionals need to be coding solutions and encouraging more people, including Windows users, to adopt always on default encryption - not the opposite. Are they really that clueless?

Re:

[intermodal]

Some of them are exactly that clueless. They tend to let perfect become the enemy of pretty good.

Re:

[Anonymous Coward]

Agree - SSL/https is the shining example of how completely the security professionals have failed the Internet users. That and the sorry state of always unencrypted email all the time, by default. Perhaps most "security professionals" are really trying to keep the status quo - no encryption by default. No prizes for guessing who is the biggest employer and sponsor of security researchers...

Re:Security professionals generally missing the po

[MechaStreisand]

Take a look at all the certificate authorities your browser trusts sometime. Any one of those can issue a certificate for ANY website, not just those in the area where that authority. If any ONE of those authorities issues a certificate for, say, the NSA, then they can MITM your communication with any website if they're in a position to do so (and the NSA most definitely is), regardless of that website's original certificate. By default, the browser doesn't give a shit if the certificate changes. All of this makes SSL useless against a determined attacker.

Re:Security professionals generally missing the po

[pr0nbot]

If encryption is a "please investigate me" red flag, then we need to find ways to hide the encryption (i.e. steganography).

Re:Security professionals generally missing the po

[FriendlyLurker]

Not if the majority or dare I say everyone raises the red flag, we dont.

Re:Security professionals generally missing the po

[Anonymous Coward]

Yeah! I mean, they can't be watching ALL of us, right?

Re:

[Anonymous Coward]

All my email employment applications are encoded in pictures of cats.

Re:Security professionals generally missing the po

[joe_frisch]

Doesn't really help. Steganography tools will be considered suspicious and there will be versions with backdoors out there. I don't think this can be fought with technology - the large government organizations will have the resources to get the data they want, either by hacks, or by rubber-hose decryption. A tiny percentage of really expert users may be able to find ways to communicate securely, but the vast majority of people will not have the skill to do so. Since the "experts" need to communicate with non-experts this really doesn't solve much of the problem anyway.

If we want the government to stop snooping we need to change the LAWS. If there aren't enough votes to change the law, then we just need to suck it up, same as for any other decision by the majority.

Re:Security professionals generally missing the po

[Applekid]

If we want the government to stop snooping we need to change the LAWS. If there aren't enough votes to change the law, then we just need to suck it up, same as for any other decision by the majority.

What good are laws if government ignores them?

Re:Security professionals generally missing the po

[joe_frisch]

In the US they are not quite "ignored". They are twisted and redefined. Still remember that the #1 goal of most politicians is to get re-elected, so they do in some ways respond to what voters want. I mostly blame a cowardly public that is willing to give up its rights and freedoms for a bit of extra safety.

Re:

[RoknrolZombie]

The public is not "willing to give up its rights", it is smart enough to know it didn't have them to begin with.

Minor quibble: The public is too stupid to know that they aren't GIVEN rights, but that if they want them, they have to TAKE them. The Government isn't interested in letting you be free...you have to do that for yourself.

Re:

[RoknrolZombie]

So which part of 'self-evident' makes you think that people need to be GIVEN their rights? The whole point to the Bill of Rights was to enumerate rights that human beings have, regardless of who they are or where they were born. Notice how it says that it's the Governments role to secure the people's rights (NOT to grant them).

Re:

[Dins]

What good are laws if government ignores them?

If the government ignores the laws, then we change the government!

Wait... I'm on a list now, aren't I?

Re:Security professionals generally missing the po

[nine-times]

Well I think part of the problem is that security experts are experts, and they don't understand that if they really want to encourage better security, they need to make it easy for non-experts. It's funny, because you'd think security experts would know this. One of the key things about security is that a great security measure that nobody uses and everyone circumvents is actually a terrible security measure.

Encryption implementations need to be so well designed and foolproof that they're enabled by default. Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications. We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA. We don't enable encryption on email because it requires plugins and complicated setups. We don't use TOR because it's not quite brain-dead simple.

The experts will respond, "But it *is* brain-dead simple. Just download this plugin, drop into the command line and type [insert command here], compile this binary, change this configuration file in /etc. Oh wait, you're on Windows? Sorry, then you need to download these other files. Get GPG v1 because v2 is completely different and doesn't work with the plugins. Then when you get this error, hit 'ignore'..." And all that makes sense to the experts because they're experts, and they understand what's going on. People won't start using encryption en masse until it's so brain-dead simple that they don't even know they're using it.

Re:Security professionals generally missing the po

[FriendlyLurker]

You are right - how do we change the situation? I think "Off The Record" (OTR [wikipedia.org]) is a step in the right direction and possible example to learn from. It just works out of the box for a lot of chat clients zero configuration needed providing 100% encrypted chat sessions by default for all users that use those chat clients that ship with it enabled by default. A security "professional" will be quick to sprout that it is open to MITM blah blah blah but fail to recognize that 100% adoption always on encryption is achieved - the hard part. From there it is a small extra step for those that could be bothered to check fingerprints out of band, or even add extra services that help the clueless/not interested do that part automatically. It is like security professionals cant get past the "it is not flawless" stage... and so we are all stuck with nothing or something very good, that nobody else uses or can interact with (PGP as one of many examples).

Re:

[danbuter]

I'd mod you up if I had the points. Computer geeks are terrible at making things work for non-geeks. And if you say anything about this, you often get attacked. Just mention how a lot of linux programs are hard to use and see them freak out.

Re:Security professionals generally missing the po

[blueg3]

It's funny, because you'd think security experts would know this.

Actually, they do know it. Often, making security, and encryption in particular, usable is a hard problem. There's also often not interest or support for it, in which case it doesn't get done. Hard problems take time and money to solve.

Right now, we don't usually turn on full-drive encryption because it may cause unexpected problems and complications.

That's pretty rare. A lot of people do use full-drive encryption: like people with iOS devices, newer versions of Mac OS X, and many versions of Ubuntu. It's because on those systems, it's been engineered to work well and it's very easy to turn on.

We don't enable encryption on email because it requires plugins and complicated setups.

This is more difficult because that's not the hard part of e-mail encryption. In fact, there are some fairly simple e-mail encryption systems and clients that have it built in. The hard part is that effective e-mail encryption basically boils down to running a public-key infrastructure. Almost any security problem that ends with "...then you just need to distribute public keys" has a hard time being widely adopted and scalable.

We don't enable SSL on all of our web servers because it's an annoying and expensive process to get a cert from a CA.

Nonsense. Buying a cert from a CA is simpler than setting up a web server, by a long shot. If you're not running your own web server (very reasonable these days), most half-decent hosting companies will do all the work of getting a cert and configuring your server for you. All it takes is money -- and it's so inexpensive that the only people that can't afford it are private individuals hosting websites that don't make money.

We don't use TOR because it's not quite brain-dead simple.

It's basically braindead simple now if you use the Tor Browser Bundle, which is what this exploit is targeting.

One of the major reasons the exploit works is that Security Is Hard, both for experts and non-experts.

Re:

[FuzzNugget]

Yes and no.

TrueCrypt is extremely simple to use and it holds your hand tightly through the entire process. It is really one of the best examples of good open software, where it makes an otherwise complex task very simple. There are no usability gaps typically seen in open source software and it's very well documented.

SSL works fine without a CA cert, but browsers have actually gotten a lot worse at making it a clear process to accept self-signed cert. They used to just allow it through and give you a di

Re:

[Anonymous Coward]

They're being rather disingenuous too: https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
Since the vulnerability isn't limited to Windows machines, it's just that they believe that only Windows machines were targeted.

WHO IS AFFECTED:
In principle, all users of all Tor Browser Bundles earlier than
the above versions are vulnerable. But in practice, it appears that
only Windows users with vulnerable Firefox versions were actually
exploitable by this attack.

(If you're not sure what version you have, click on "Help -> About
Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: [7])

To be clear, while the Firefox vulnerability is cross-platform, the
attack code is Windows-specific. It appears that TBB users on Linux
and OS X, as well as users of LiveCD systems like Tails, were not
exploited by this attack.

IMPACT:
The vulnerability allows arbitrary code execution, so an attacker
could in principle take over the victim's computer. However, the
observed version of the attack appears to collect the hostname and MAC
address of the victim computer, send that to a remote webserver over
a non-Tor connection, and then crash or exit [8]. The attack appears
to have been injected into (or by) various Tor hidden services [9],
and it's reasonable to conclude that the attacker now has a list of
vulnerable Tor users who visited those hidden services.

We don't currently believe that the attack modifies anything on the
victim computer.

So what makes them so sure that only Windows machines were targeted? Sure only paranoid people would think that way, but lot of people using Tor are paranoid, and many using Tor SHOULD be that paranoid.

Re:

[neonKow]

Mainly, it's the title and summary that's getting it wrong. The only thing they said was that switching off of Windows is a good idea for the security minded, which it is. They awknowledged that the zero-day affected firefox across the board and that the exploit only targetted Windows, but they never used that as the reasoning to switch OS's.

Re:

[router]

Are you kidding me? Why in hell would you even say something like this....

Linus wouldn't fill out the 17 forms required to get a check from the feds, much less submit the monthly progress reports or sign the forms, in triplicate, each month to receive the paper check to be deposited. Goddamn 7 digits, no understanding of the system at all...

Much less participate in a system he would find grossly inefficient and horribly flawed. The man respects greatness, not whatever this is.

You are an idiot. If this was a

Re:Security professionals generally missing the po

[Sloppy]

Linus wouldn't fill out the 17 forms required to get a check from the feds, much less submit the monthly progress reports or sign the forms, in triplicate, each month to receive the paper check to be deposited. Goddamn 7 digits, no understanding of the system at all...

Looks like they've got you fooled. For a century, the feds have cultivated the appearance of being a highly inefficient organization that nobody wants to have anything to do with. The reality is that there are no forms or time-wasting meetings, all the people who work there are actually highly motivated and competent, they do things with 5% of budget and then just throw away the other 395% to maintain deception, and they have to hire entire buildings of decoy employees to keep anyone from figuring out how small their core team really is. That Torvalds turned his back on that, just proves that he was too dumb to see through the smokescreen and is therefore too dumb to work for them.

Re:

[Ubi_NL]

This is incorrect, the latest versions of firefox do not allow javascript to be turned off. It is a valid complaint

Re:

[Anonymous Coward]

This is incorrect, the latest version of firefox do allow javascript to be turned off. It is an invalid complaint.

Don't give me bullshit about it not being in the "UI" either, since I have a bookmark with the address about:config?filter=javascript.enabled right there in my bookmarks toolbar.

Re:Firefox

[danbuter]

NoScript works for me...

Re:

[Anonymous Coward]

And that's an important point a lot of people, and most of the news media, have gotten wrong about this story. Download any TorProject Browser and NoScript is included by default and specific browser settings changed. As is it's relatively safe to use but if users even temporarily disable those protection measures because they can't do something like download a file or participate in some commenting page because a script is being prevented from running than it's not a fault with Tor, it's a user issue. TorP

Re:

[VGPowerlord]

So why do I have Firefox 22 with an enable/disable Javascript option? I downloaded this from Mozilla so you are saying they built a special version just for me? How nice of them.. Or perhaps Firefox still allows the user to enable/disable Javascript at this time.

You'll be unpleasantly surprised when you download Firefox 23 and find out it's gone. Which was released today, btw.

Re:

[Common Joe]

FYI, I just compared Firefox 22 and 23. The about:config?filter=javascript.enabled option is still there.

Re:

[intermodal]

v23 of Firefox removed that feature. It might be buried in about:config somewhere, but I have heard some comments to the contrary. Still on 22 here.

Re:

[Hentes]

It doesn't have to be inconvenient, Opera allows me to turn off Javascript based on a whitelist or blacklist.

Proper Summary

[Freshly Exhumed]

FTA: 'The vulnerability was patched by Mozilla in later versions of Firefox, but some people may still be using the older versions of the TOR Browser Bundle.'

Geeez, this is all about running old TOR on old Windows... who knew something could possibly go wrong with that?

Re:Proper Summary

[pipatron]

Yeah, and next week when the next javascript exploit is found, the excuse will be the same. "Just upgrade your browser and it will be ok, javascript is safe!" No one in their right mind would enable vbscript by default when opening spreadsheet files, but javascript on websites doesn't seem to be a problem.

Re:

[Score Whore]

Actually they can. Just that the content producers don't want them to be. But there comes a point where the graphic designer's desire to make bling bling websites intrudes on my privacy and security. If the content delivery chain can't get their shit together... well fuck 'em.

Re:

[slashmydots]

You bet! And what it failed to mention is that your tor browser bundle would have to be at least 6 months old since every monthly Firefox release is followed by a new Tor browser bundle release containing the new version. Plus, every time you open the Tor browser version of Firefox, it warns you if it's out of date in gigantic colored letters.
Hey, remember that article stating you won't be able to turn Javascript off in an upcoming version of Firefox? Hopefully this incident is enough to get them to pull

Re:

[ciderbrew]

thats what they want you to think. You've added nothing.

Re:Proper Summary

[mrclisdue]

I threw fedora away and went with slackware.

As for the neckbeard, it's chest hair, you insensitive clod.

cheers,

Re: Firefox

[hodet]

say wuuuuuttt? tools options content disable javascript

Re: Firefox

[hodet]

wrong os friend. we are talking about windows.

Re:

[Anonymous Coward]

Firefox is apparently opting to remove the option from their settings and for a good reason - no one wants to globally disable JS these days. A default off with allowed sites is workable though, but there are extensions like NoScript to add that functionality.

Re:

[lgw]

But maybe it shouldn't be.

There will always be some JS 0-day. Maybe I'd like to bank online without an attacker previously having executing arbitrary code on my machine? Is that an oddball requirement?

I'm sure JS makes it all the more appealing to punch the monkey, but unless my intent is to run an application delivered over the web, I shouldn't need JS at all. If I'm just reading content, or doing simple forms-based interaction like a forum, why would I need JS again?

Re:

[lgw]

Nobody wants a pure forms based internet experience. It's horribly inefficient and awkward.

Do you write JS for a living? Have you ever put thought and effort into making a nice forms-based site? Few interactions requires constant chatter between the UI and the server behind the scenes.

If I'm just reading, a nicely laid-out page is all I need. If I'm doing simple interaction, like posting to Slashdot, why do I need JS? As long the needed UI controls are simple (and, you know, they usually are if you're not being complicated for the sake of showing off), why drag JS into it?

So much of the web th

Re:

[Anonymous Coward]

Since they are advocating throwing away an entire OS due to a flaw in Firefox, I'll go one step further. Throw out your entire PC and you'll be 100% secure.

Re:

[Applekid]

Since they are advocating throwing away an entire OS due to a flaw in Firefox, I'll go one step further. Throw out your entire PC and you'll be 100% secure.

But but but they can go through your garbage!

Wrong, it can be easily done

[feranick]

1. Go to about: config. 2. Search for javascript.enabled. 3. Toggle off. 4. No javascript. Alternatively, install no script. 5. Stop spreading nonsense.

Re:Firefox

[Krojack]

URL about:config then enter 'javascript.enabled' into the search bar. Double click that setting in the list below to toggle back and forth.

Re:

[hawkinspeter]

The firefox and java problems can be worked around, but if the FBI is interested in stopping anonimity through TOR, then Windows will most likely be compromised as well. This particular attack only worked on Windows, so avoiding Windows prevents the current attack and may provide more protection against future attacks.

Re:

[vistapwns]

You don't care about games and whatever else is windows specific, but others do. Hell I don't give a spit about what you do with your PC probably. Switching to Linux is a stop-gap measure, if most tor users used Linux, they could change the malware package to work on Linux, and the same bug would have worked in exactly the same way in either case.

Re:Why not stop using firefox and Java

[vistapwns]

They really don't need to have backdoors, and that would present problems if MS and Apple allowed it. They could face lawsuits and what not, and hackers could find them and use the backdoors. Most likely what these 3 letter agencies do, is hire people to find 0-days in all the OSes and all the browsers. Modern OSes and browsers are so complicated, that this is probably easy to do. If a 0-day gets fixed, they can just always find more. It's the same effect as having a backdoor, but without the legal problems for the companies involved, and it works for all OSes/browsers. Hackers find 0-days all the time, and these 3 letter guys are probably much better and more funded, so..

Re:

[hawkinspeter]

Security is a process rather than an end product. Linux is not "secure" as there will always by holes/exploits/bugs etc. However, open source development provides more opportunities to improve security. Whether or not it is currently more or less secure than Windows or OSX is debatable (and almost impossible to accurately measure).

Re:

[vistapwns]

"So the vulnerability is in firefox and java, but they propose to stop using Windows?" Exactly. This could have happened in any OS, they just targeted Windows because that's what most users use. Ironically IE10 run in x64 mode probably would not have this problem, since it uses vastly more address space for ASLR. It's like getting a flat tire, then the guy you hire to change your tire tells you to buy his favorite brand of car to fix it.

Re:

[djupedal]

The tires are not safe when used on that brand of automobile. Stop using that brand of car.

Re:

[vistapwns]

Yea, that would make sense, except this vulnerability existed in, and was just as exploitable in Linux versions of FF as far as I know. Even if it was Windows specific, that's just coincidence since the Linux versions of firefox have vulnerabilities all the time that are just as exploitable. Do you actually know anything about computer security?

Re:

[J'raxis]

More like, "using this brand of tires reveals a safety issue with that brand of car. As do a few hundred other products combined with that brand of car. Even safe products combined with that brand of car. So stop using that brand of car."

Re:Why not stop using firefox and Java

[RedHackTea]

FTFA:

The TOR Project's reasoning comes from the characteristics of the malicious JavaScript that exploited the zero-day vulnerability. The script was written to target Windows computers running Firefox 17 ESR (Extended Support Release), a version of the browser customized to view websites using TOR.

People using Linux and OS X were not affected, but that doesn't mean they couldn't be targeted in the future. "This wasn't the first Firefox vulnerability, nor will it be the last," The TOR Project warned.

Car / Caramel = Java / Javascript

[raymorris]

To clarify what AC posted, the words "Java" and "Javascript" are like "car" and "caramel", or "ear" and "early" - they are completely unrelated. They just have some letters in common.

Netscape had an interpreted scripting language called LiveScript. It wasn't used a whole lot.
Later, Sun released a virtual machine and a compiled language to program it in called Java. Java got a lot of press.
Seeing all the press that Java was getting, Netscape renamed Livescript "Javascript", to ride the coat-tails of the
completely different system, called Java.

They were developed completely separately, by different companies, for different purposes, and based on different principles.
It's exactly as if the BETAMAX were renamed DroidVideo.

Re:

[Skarecrow77]

Even TAILS has JS on by default. never really understood why.

If a majority of sites require JavaScript

[tepples]

But why do you have JS on in the first place?

Because 51 percent of web applications that someone uses require JavaScript.

Re:

[VGPowerlord]

But why do you have JS on in the first place?

Because 51 percent of web applications that someone uses require JavaScript.

Only 51%? Isn't that estimate a bit low?

Re:

[lister king of smeg]

tails is good.

Re:

[Speare]

For those who depend on TOR for their safety, more than they depend on a specific tool for their convenience, the following a safety advisory seems pretty rational. Air pollution in LA is bad on Tuesday! Young people and elderly should please remain indoors if possible!

Huff and puff and blow your house down

[tepples]

This is like saying "That them thar wood house is no good. Better replace it all with brick."

That sounds exactly like something one pig might warn another about [wikipedia.org], especially living on the edge of wolf country.

Re:

[idontgno]

"Now Gramma, I've told you this before... 'sudo apt-get update; sudo apt-get install " and then the name of your package.

You don't know the name of the package? If you can't be troubled to look that up, how can I possibly help you?"

Re:

[Sloppy]

Don't you go through the same thing every n years anyway, with Windows upgrades?

Re:

[Burz]

Or you could just add the TorVM package to QubesOS where all apps are transparently virtualized. [qubes-os.org]

Re:

[Larryish]

I would like to add an additional step:

After you tweak the guest OS install to your liking and ensure that it is fully working, take a snapshot and then restore from that snapshot every time.

Had this exact setup using DamnSmallLinux and it worked great. Low memory usage, also.

Re:

[HeckRuler]

Maybe they remember when it was a acronym. Learn some history, kid.