back to article NSA using Firefox flaw to snoop on Tor users

An NSA presentation released by Edward Snowden contains mixed news for Tor users. The anonymizing service itself appears to have foxed US and UK government snoops, but instead they are using a zero-day flaw in the Firefox browser bundled with Tor to track users. "These documents give Tor a huge pat on the back," security guru …

COMMENTS

This topic is closed for new posts.

Page:

VMs are your friend

Time to start running your browsers in a VM that is deleted when your session is closed to avoid 'staining'

5
0
Silver badge

Re: VMs are your friend

@panhead20 - "Time to start running your browsers in a VM that is deleted when your session is closed to avoid 'staining'"

Like another commentard posted recently - be sure to hold your laptop over a barrel of saltwater while you browse the internet with that deletable VM, and don't forget to slowly roll the cyanide capsule around in your mouth.

10
4

Re: VMs are your friend

Reduce your threat surface, don't follow the Silk Road.

1
1
Anonymous Coward

Re: VMs are your friend

There is Tails - A Linux livecd (Linux was safe from the zero day attack..)

Tails is good as

- Its Linux so safer (the latest zero day attack just targeted Windows), Thanks to Snowden it is sensible to assume there are backdoors in closed source OS's.

- It forces ALL connections through the Tor network - i.e you can't accidentally open a PDF, Video file, etc and de-anonymise yourself (like you can if you just run the Tor bundle browser)

- you can run off live cd/usb - no data gets written to any storage (unless you want to) , only your computers RAM - this solves any cookie issue also - i.e the same cookie being used in clearweb

- Your RAM gets securely wiped on shutdown

- You could run it in a VM - however then you would leave traces on your PC..

7
1
Silver badge
Black Helicopters

Re: VMs are your friend

Make sure it's an open source VM.

0
0
Anonymous Coward

Re: VMs are your friend

Time to start running your browsers in a VM that is deleted when your session is closed to avoid 'staining'

Or just don't use the same browser for TOR and non-TOR activities.

0
0
Anonymous Coward

Re: VMs are your friend

Surely the way to do it would be to use a livecd for anything you didn't want sniffed.

Or a thumbdrive with something like grml booting to ram. (Plausable other usage such as rescuing servers).

Work out how to set tor up manually.

Then on everything else just behave normally.

Putting anything potentially incriminating on disk ever seems like a bad idea if you are doing something these guys care about.

0
0
Anonymous Coward

Re: VMs are your friend

As you wish...

0
0

Re: VMs are your friend

Currently I#m listening to "Moon Rise Over the Silk Road".

0
0
Go

Re: Tails

Go here to find out about Tails:

https://tails.boum.org/

For the personal or SOHO user, there is no better anonymity and security solution available.

0
0
Anonymous Coward

Re: VMs are your friend

Link >?

0
0
Silver badge

Re: Its Linux so safer

And just how many people out there know how to properly secure a linux box?

0
0
Silver badge

Simple answer...

..."They are using the kind of techniques that federal prosecutors send people to jail for decades for using," she said. "These are tools that are criminal, and I'm still wondering what's the authority? What kind of authority are they claiming that they can do this?"...

If you ask this you are not a patriotic American.

In fact, you are probably a Commie sympathiser. Or whatever the bogie-man is at the moment...oh, yes, a Muslim Terrorist.

So you are not allowed to ask any questions by law, and if you do, we'll ship you to the Gitmo that Obama was going to close down...

45
2
Silver badge

I would like to post a controversial opinion. It's not the truth...

...It's just conjecture. Please therefore do not take it to heart or hold it against me:

One of the things that the 'intelligence community' is supposedly particularly good at is 'non-linear' behaviour. What I mean is: devious schemes, e.g. playing games. Yet in recent months it seems this NSA has been completely laid bare by a single, brave young man, now hiding in Russia after a highly publicised jaunt around the world, during which he successfully ran the gauntlet of all the naughty acronyms - NSA, FBI, CIA, MI6, GCHQ.

He's been telling us all about the NSA. Thanks to him, we know exactly what they are up to. Every day, there's something new. Some things, we now know, they can do (shock horror, better watch our step). Other things, we've found out, they cannot do (so it's safe for us to do these things with total peace of mind). It helps that the young man is able to leak to us PowerPoint presentations in which NSA operatives candidly inform one another about what they can and cannot do about this or that technology. These fall into our lap and we smirk, knowing that we've found their weakness.

But doesn't it sound strange to you that it's so straight-forward, even a teenager could outfox these guys? Or rather: that now, thanks to this young man they failed to catch and to shut up, anybody can find easy solutions to keep the NSA at bay?

7
1
Devil

Re: I would like to post a controversial opinion. It's not the truth...

I call shenannigans on the Tech-Wizards of Oz theory, on the grounds that the bozos in charge of the US SIGINT securocracy couldn't shit on the back of their own shoes without assistance.

4
0
Silver badge

Re: I would like to post a controversial opinion. It's not the truth...

I don't think this is fully some kind of misdirection play to get everyone onto Tor. The NSA has taken a lot of hits domestically and internationally from this, including the cancellation of a summit with Brazil's president. There might also be significant reductions to the NSA's legal authorities to conduct surveillance within the U.S. And trust in government in general has suffered in the U.S. because of this, and the Obama administration's poll numbers have suffered noticeably from the NSA fallout.

I doubt Obama and company would endorse real damage to their poll numbers and their ability to get their legislative agenda passed in order to enable the NSA to get everyone onto a favored data communications platform.

2
0
Bronze badge

Re: I would like to post a controversial opinion. It's not the truth...

Are you suggesting Snowdon is an example of misinformation?

Interesting, but I think somewhat unlikely given the fallout which seems to have caught quite a few "players" by surprise.

0
0
Holmes

Re: I would like to post a controversial opinion. It's not the truth...

just another conjecture:

I agree with the point on "non-linear behaviour". This leads to the following conclusions:

1. Let's suppose that the leaked information is correct. In that case the NSA could try to dissuade people from using TOR by stipulating that the leak could have been intended.

2. On the other hand the information could have intentionally leaked. If people now start to conclude that this could have been the case and assume that using TOR could be unsafe then it would be advisable to get someone to publicly conclude my first point and so to assume that TOR is actually safe to use.

3. On the first foot (as I just ran out of hands): GOTO 1

0
0
Silver badge
Black Helicopters

Re: I would like to post a controversial opinion. It's not the truth...

He's been telling us all he knows about the NSA. Thanks to him, we know exactly more or less what they are up to. Every day, there's something new. Some things, we now know, they can do (shock horror, better watch our step). Other things, we've found out, they cannot do yet (so it's safeish for us for the moment to do these things with totalrelative peace of mind). It helps that the young man is able to leak to us PowerPoint presentations in which NSA operatives candidly inform one another about what they can and cannot do about this or that technology. These fall into our lap and we smirk, knowing that we've found part oftheir weakness.

0
0

Re: I would like to post a controversial opinion. It's not the truth...

Now you come to mention it... their compartmentalization looks very weak compared with what Peter Wright described in his memoir "Spycatcher". Unless, of course, there are some other departments to which Snowden never had any access.

0
0

Some criticial inaccuracies about Firefox

The exploit they used wasn't zero day. It was targeting users with outdated firefox based Tor Browsers. The vulnerabilities were already fixed in the latest Mozilla patches at the time of the exploits.

12
0
Anonymous Coward

Re: Some criticial inaccuracies about Firefox

I do find it somewhat incomprehensible that they based the TOR browser bundle on an ancient version of FF.

1
0
Bronze badge

Re: Some criticial inaccuracies about Firefox

They were using the ESR version which is reasonable, but never bothered to update it, which is not.

2
0
Anonymous Coward

Re: Some criticial inaccuracies about Firefox

NSA have got their people into a shoestring-funded Tor Project and created enough delays in upgrading the TBB's base Firefox, to buy time. From January until August, the NSA have has their fun and allowed the FBI one big final blowout to catch as many users as possible in the Freedom Hosting raid (and likely the Silk Road raid too, since they ditched cover on that one around the same time).

As Bruce Schneier says, not mathematics, but cheating (well not even tech, but cheating, in this case)...

1
0
Anonymous Coward

Re: Some criticial inaccuracies about Firefox

I do find it somewhat incomprehensible that they based the TOR browser bundle on an ancient version of FF.

The real mistake they made was re-enabling javascript (which had been blocked by NoScript in earlier releases of the bundle) for 'user convenience'. If there's one set of users anywhere, ever, whose priorities should value security over convenience, it's TOR users.

5
0
Silver badge

Re: Some criticial inaccuracies about Firefox

Perhaps it was zero-day when they NSA first started using it, but they passed the exploit on to the FBI for use on Freedom Hosting once the bug was fixed in the latest version, and thus unsuitable for higher value targets.

0
0
Silver badge
Big Brother

"What kind of authority are they claiming that they can do this?"

"We're the Good ol' US of A!"

Next?

6
0

trust no one, the truth is out there

You couldn't write a better spy novel...

Find it amazing that any of this can be legal, they are effectively hacking peoples computers and installing unauthorised software without a users knowledge of mass scale.

The more interesting part is the issues with huwaie and not allowing their equipment due to concerns china could spy using backdoors, from what's emerging about us companies collaboration its more likely huwaie wouldn't put in the back doors they wanted themselves.

12
0
Gold badge
Unhappy

Re: trust no one, the truth is out there

"Find it amazing that any of this can be legal, they are effectively hacking peoples computers and installing unauthorised software without a users knowledge of mass scale."

3 little words I'll keep repeating.

THE PATRIOT Act.

Your 360+ clause mechanism to dismantle the American Constitution without Americans realizing it.

9
0
Anonymous Coward

Quite

"You really have to question if there is a rule of law anymore?"

It does seem to have been missing for quite some time. In particular, during the Blair era, law seemed to take on whatever complexion the government, police, security services or business wanted it to on that particular day. If there was a symbolic low point, I think it was probably the Labour party conference where protesters outside were arrested for wearing tshirts bearing slogans that put the spin doctors noses out of joint, although arresting an 80 odd year old who'd fled the nazis from heckling Jack Straw might deserve equal billing.

It's seemingly lower key now, but what Snowden has given us a glimpse of suggests its much worse.

Abuse of power is what power, unchecked, does.

25
0
Anonymous Coward

Re: Quite

It does seem to have been missing for quite some time

Personally, my aha moment didn't come as much with the sexing up of the Iraq WMD report as the highly suspicious death of David Kelly. It demonstrated just how far some people were willing to go. The US is merely doing what it always does: take a concept and massively scale it up.

3
2
Bronze badge

The funniest part of the commentary...

"There are also indications that the NSA had been trying to influence the design of Tor to make it more crackable, a somewhat Kafkaesque approach given that Tor is primarily funded by the US government itself to provide anonymity to internet users operating under repressive governments."

4
0
Silver badge

Re: The funniest part of the commentary...

This was expected and the NSA have a clear history of this type of behavior. Now, start thinking about other products that they might have had more success with ... are you using a commercial router/firewall? And you are sure that it's good with no sneaky little backdoors?

Once a packet leaves your network I think you can assume they the NSA have a copy of it but you think that inside your network, behind your firewall you're safe? Probably not so if you bought your firewall from any of the major manufacturers in the USA.

4
0
Silver badge

Re: The funniest part of the commentary...

"bought your firewall from any of the major manufacturers in the USA"

Or, indeed, Israel.

3
1
Silver badge

Re: The funniest part of the commentary...

Or the UK, Australia, Canada or New Zealand. I'd bet France too.

0
0
Bronze badge
Black Helicopters

If it pisses off the Spooks

How do I host a Tor node??

I really have no interest in USING it, but if more nodes makes life more difficult for prying spooks I'll do it.

12
0
Anonymous Coward

Million Node Challenge

We just started the Tor Million Node challenge ! . Objective : add a million nodes to make NSA:s job harder.

I'm all for it :)

3
0
Silver badge

Re: If it pisses off the Spooks

Relay nodes are easy. Rent a VM somewhere, install software. Done. You don't need high amounts of memory, storage or processing power but you will need a host that is happy with you consuming large amounts of bandwidth both ways.

Exit nodes are a trickier thing, but something the network is in dire need of. The problem is that if you run an exit node there is a chance you will be falsely blamed for the actions of those who use it - which may include things like spaming, scams, hacking or downloading child pornography. You'll probably be able to counter any charges in court, but not without spending your life savings on legal fees and having your reputation shredded - plus you have next to no chance of ever getting back any of your data, as policy procedure is to sieze not only computers but everything on the property capable of storing information right down to games consoles and memory cards, and then hold on to it indefinitely.

So running an exit node requires either a dedication to the cause deep enough to place yourself in legal danger, or the recklessness to do so anyway.

7
1
Anonymous Coward

Re: If it pisses off the Spooks

https://www.torproject.org/docs/tor-doc-relay.html.en

0
0
Anonymous Coward

Re: If it pisses off the Spooks

Spoilsport. You can to go and warn them, it would be hilarious to watch the pirate-party script-kiddies fail in such a spectacular way,.

0
1

Re: If it pisses off the Spooks

It's difficult enough that someone that can't google "host tor node" probably shouldn't try it. Plus it's quite possible that hosting a Tor node will cause your ISP to cancel your account.

1
1
Silver badge

Re: If it pisses off the Spooks

Are there particular jurisdictions where you could host an exit node with less concern about the potential legal blowback?

2
0
Anonymous Coward

Re: If it pisses off the Spooks

If you're happy with a non-exit relay, you can probably run it at home. Obviously it's not going to be contributing a super high amount of bandwidth to the network, but having a large number of nodes should help anyway, even if they're not too fast. I did this and haven't had any complaints form my ISP, I guess some are stricter than others though.

I actually ran an exit node at home in the early days, but stopped because I ended up getting blocked on various websites, either specifically for being a proxy, or presumably because a spammer, troll or whatever used my exit at some point. Plus I started it realize there was at least a theoretical risk of more serious consequences. I don't think anyone's actually been raided due to Tor exit traffic in my country, but I wouldn't like to be the first.

1
0
Silver badge

Re: If it pisses off the Spooks

"Are there particular jurisdictions where you could host an exit node with less concern about the potential legal blowback?"

I don't really see any. The exit node problem is basically the same as the "trusted storage" problem: the authorities there can get access to the data in either case, and if it is against their law, BOBHIC.

In such a case, DTA seems to be the operative procedure. Anything that's friendly to the west is likely friendly to the US, which means friendly to the NSA. Out of what's left, you have (1) regimes even more oppressive or domineering like China and North Korea, (2) countries that, while not oppressive, still have their own rules you probably wouldn't like, or (3) countries whose internet is basically too weak to use.

0
0
Silver badge
Go

Re: If it pisses off the Spooks

Second idea. Since the NSA will probably eventually compromise Tor funding through the State Department in some manner (Which do you think the State Department values more--A) funding a platform used by dissidents or B) having the NSA bug other governments leadership and diplomatic communications for them. I'm betting option B. ) How about forming some kind of non-profit agency that funds Tor nodes and assumes the technical and legal liabilities of running those nodes.

I'd gladly donate to that organization, as long as it was unduly influenced by spammers and pornmeisters.....

0
0

Thanks for the read

Normally I abhor Snowden leaks, but I found this an interesting read and easily digestible. It's too late to fight this kind of thing. It's the new reality brought upon us by technology. I'm not a player or a user in this case, but the outcome of these new cyber wars will define my average existence none the less.

0
3
Silver badge

Re: Thanks for the read

" It's too late to fight this kind of thing."

I'm starting to get tired of this attitude.

Argue for your limitations, and sure enough, they are yours.

10
1

Re: Thanks for the read

Yeah right. What do you think you are going to do about it? Best devote your energies into something you DO have control over still.

1
11
Silver badge

Re: Thanks for the read

The only thing I actually have control over in any real sense is how I react and deal with things that occur to me in life.

To my mind, not rolling over and kissing the governments arse *is* something that is in my control.

To the properly prepared mind, opportunities to further your intentions will always present themselves. I have no illusions that I can somehow single-handedly put the world to rights, but I will do what I can, when I can.

If *everyone* did the same thing, I believe that might add up to slightly more than a hill of beans.

8
0
Silver badge
FAIL

Re: Thanks for the read

...Or hey, you can opt to at least strike a small, even rather passive role for freedom and justice. But perhaps it's easier to roll over and hope that the government runs out of surveillance and law enforcement bandwidth before they get to your ability to watch kitten videos and email your fantasy football league about the next season.

1
1

Page:

This topic is closed for new posts.

Forums