|
Home > Archive > Anonymous Servers > January 2005 > Tor network question
You are viewing an archived Text-only version of the thread.
To view this thread in it's original format and/or if you want to reply to
this thread please [click here]
| Author |
Tor network question
|
|
| George Orwell 2005-01-04, 8:45 pm |
| Has the operation of this network yielded any insight into its vulnerabilities?
Has anyone had any luck in finding real, rather than theoretical, weaknesses
which might lead to design/implementation improvements? There doesn't seem
to be a public developer's forum.
Anonymous
| |
| Nick Mathewson 2005-01-05, 2:45 am |
| In article < 15f6889f8eef95372c2e835fc041d45e@mixmast
er.it>, George Orwell wrote:
> Has the operation of this network yielded any insight into its vulnerabilities?
> Has anyone had any luck in finding real, rather than theoretical, weaknesses
> which might lead to design/implementation improvements? There doesn't seem
> to be a public developer's forum.
There is; see http://archives.seul.org/or/dev/ .
| |
| Thomas J. Boschloo 2005-01-08, 7:45 am |
| -----BEGIN PGP SIGNED MESSAGE-----
George Orwell wrote:
| Has the operation of this network yielded any insight into its
vulnerabilities?
| Has anyone had any luck in finding real, rather than theoretical,
weaknesses
| which might lead to design/implementation improvements? There doesn't seem
| to be a public developer's forum.
|
|
| Anonymous
Version 0.0.8 had this bug, that could potentionally result in taking
over the machine running it:
"Thanks to auditing work from Ilja van Sprundel, we've fixed a remote
crash bug. We also took this opportunity to back-port (from 0.0.9pre)
several other fixes to improve stability."
[TOR announce list, Subject: Tor 0.0.8.1 is out, Date: 14-10-2004 12:34]
IIRC, they (the TOR team) crashed servers that didn't upgrade so they
wouldn't be vulnerable anymore.
"I talked to Ilja and Ben Laurie more about this, and we've decided that
this remote overflow could be exploited by a sufficiently clever attacker.
So I recommend that everybody upgrade right now, to 0.0.8.1 if you want
a stable version, or 0.0.9pre3 if you don't mind paying more attention
and following the development upgrade cycle.
I'll be sending out mail to servers that are vulnerable, and then taking
them down remotely.
- --Roger"
[TOR dev list, Subject: Re: Tor 0.0.8.1 is out, Date: 16-10-2004 1:45]
Thomas
- --
The Thraddash: "So, what's this? SNORT! An unknown alien species?"
"How wonderful! Someone new to fight!"
Full Game Win/Mac/Linux: <http://sc2.sourceforge.net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iQB5AwUBQd/DaQEP2l8iXKAJAQG40gMfewVT7aTOp//HiIZvNKu6dnmkIJCxHDN4
eek46MUrd3JbJRc8VP+GyaEfW3Zuiy3GRHQ7ZdGU
1DitmKj+WWTh/exyx4Iat5am
KnPghwvhUng7/bjvvhH82mHj2fDhVZ8oQIBDBg==
=ETc2
-----END PGP SIGNATURE-----
| |
| Thrasher - The Anonymous Remailer 2005-01-08, 5:45 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
In article <41dfc401$0$774$3a628fcd@reader10.nntp.hccnet.nl>, Thomas J.
Boschloo wrote:
>=====BEGIN PGP SIGNED MESSAGE=====
>Signature: 0x225CA009
>Date:
>Status: INVALID (Unknown)
>
>George Orwell wrote:
>| Has the operation of this network yielded any insight into its
>vulnerabilities?
>| Has anyone had any luck in finding real, rather than theoretical,
>weaknesses
>| which might lead to design/implementation improvements? There doesn't seem
>| to be a public developer's forum.
>|
>|
>| Anonymous
>
>Version 0.0.8 had this bug, that could potentionally result in taking
>over the machine running it:
>
>"Thanks to auditing work from Ilja van Sprundel, we've fixed a remote
>crash bug. We also took this opportunity to back-port (from 0.0.9pre)
>several other fixes to improve stability."
>
>[TOR announce list, Subject: Tor 0.0.8.1 is out, Date: 14-10-2004 12:34]
>
>IIRC, they (the TOR team) crashed servers that didn't upgrade so they
>wouldn't be vulnerable anymore.
>
>"I talked to Ilja and Ben Laurie more about this, and we've decided that
>this remote overflow could be exploited by a sufficiently clever attacker.
>
>So I recommend that everybody upgrade right now, to 0.0.8.1 if you want
>a stable version, or 0.0.9pre3 if you don't mind paying more attention
>and following the development upgrade cycle.
>
>I'll be sending out mail to servers that are vulnerable, and then taking
>them down remotely.
>--Roger"
>
>[TOR dev list, Subject: Re: Tor 0.0.8.1 is out, Date: 16-10-2004 1:45]
>
>Thomas
>--
>The Thraddash: "So, what's this? SNORT! An unknown alien species?"
>"How wonderful! Someone new to fight!"
>Full Game Win/Mac/Linux: <http://sc2.sourceforge.net>
>=====END PGP SIGNATURE=====
current win32 is tor-0.0.9.2-win32.exe
-----BEGIN PGP SIGNATURE-----
Version: N/A
iQEVAwUBQd8igTzX1EYjC/ u5AQHTbwgAn2fnnz+E7cHhtwEr3SIoWeV4oZKEqR
xx
lHGARgFuQHhFgv2ONmK4ml6T7loUX+ux9jPeFzsO
DICsYrXesQwzkZ8Qft73QMmC
2b5CZ5O5kPYe9OX+QaZr521cF5RdN2k32Z/h3UpoHegAronC4/l6epKeZuC9/BrS
QpWV1LJ/ ziUG5L+hRkcpLK10SBBxkm9VcQNB5jYluc+PSdAO
A7awm/ZRiaMUkUFh
0FxpDfxjySkzlwzuaJckDSBj607THFmXmfqUPtBW
83i0GqSie6FPPUH0Lv5vapUq
p7+Ry+/IPSmH1j5FWSfHAF8vakrI7o15tUJ/Qba0cowGZWJPy+VPJw==
=cbem
-----END PGP SIGNATURE-----
~~~~~~~~~~~~~~~~~~~~~
This message was posted via one or more anonymous remailing services.
The original sender is unknown. Any address shown in the From header
is unverified. You need a valid hashcash token to post to groups other
than alt.test and alt.anonymous.messages. Visit www.panta-rhei.dyndns.org
for abuse and hashcash info.
| |
| Thomas J. Boschloo 2005-01-08, 5:45 pm |
| -----BEGIN PGP SIGNED MESSAGE-----
Thrasher - The Anonymous Remailer wrote:
| In article <41dfc401$0$774$3a628fcd@reader10.nntp.hccnet.nl>, Thomas J.
| Boschloo wrote:
<snip>
|>Version 0.0.8 had this bug, that could potentionally result in taking
|>over the machine running it:
<snip>
| current win32 is tor-0.0.9.2-win32.exe
But there could still be unresolved exploits lurking inside the source.
New exploits for software are discovered on a daily basis
<http://www.us-cert.gov/cas/bulletins/SB05-005.html> (December
29th-Januari 4th, ~50 items). Take Microsoft's Windowsupdate. You need
to download patches every couple of weeks and linux isn't off much
better (except maybe the default install of OpenBSD, but I am told it
isn't really workable in the default install and you need to 'activate'
lots of other software before OpenBSD is anywhere useful
<www.openbsd.org>; even Microsoft Office XP Pro that my father uses has
lots of patches applied to it (by me)).
Also note that the TOR 0.0.8 vulnerability was not listed on cert, so
you are probably off worse, using lots of software that never gets
patched but still has holes in them. Especially security software such
as JBN2 or Quicksilver or DriveCrypt..
So take care out there,
Thomas
- --
The Thraddash: "So, what's this? SNORT! An unknown alien species?"
"How wonderful! Someone new to fight!"
Full Game Win/Mac/Linux: <http://sc2.sourceforge.net>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org
iQB5AwUBQeAzfwEP2l8iXKAJAQHR2QMeO5bVRFhw
YYpGItJc99/dGZXQh+w0ju0U
KvWY2gzBIPyNl7ckfVWN0SRJgDK1X6VhInOscvdr
SMmVyEO+djyQEs0TrrUZpbRS
hm+BSr+KISvjRMi/zHy7dYkQyVl3WrMXWGbjXw==
=TPIX
-----END PGP SIGNATURE-----
|
|
|
|
|