[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: critical security vulnaribility fixed in Tor 0.1.2.16

To: or-talk@xxxxxxxxxxxxx
Subject: Re: critical security vulnaribility fixed in Tor 0.1.2.16
From: torqued@xxxxxxxxxxxxx
Date: Sat, 4 Aug 2007 20:58:37 -0400
Delivered-to: archiver@xxxxxxxx
Delivered-to: or-talk-outgoing@xxxxxxxx
Delivered-to: or-talk@xxxxxxxx
Delivery-date: Sat, 04 Aug 2007 21:07:46 -0400
In-reply-to: <20070804182312.GX11269@xxxxxxxxxxxxxx>
References: <20070802221918.GF20786@xxxxxxxxxxxxxx> <46B44F87.7000902@xxxxxxxxx> <4ef5fec60708040425q51472a84m9e7be3255df9d99d@xxxxxxxxxxxxxx> <46B468DF.9030100@xxxxxxxxx> <4ef5fec60708040504x40df49deh418fa5a103261da1@xxxxxxxxxxxxxx> <46B473F6.4010604@xxxxxxxxx> <4ef5fec60708040548u28846a3agc155044a90486d6c@xxxxxxxxxxxxxx> <46B48FC4.8000404@xxxxxxxxx> <20070804182312.GX11269@xxxxxxxxxxxxxx>
Reply-to: or-talk@xxxxxxxxxxxxx
Sender: owner-or-talk@xxxxxxxxxxxxx
User-agent: Internet Messaging Program (IMP) 3.2.2

Quoting Roger Dingledine <arma@xxxxxxx>:

> On Sat, Aug 04, 2007 at 04:40:04PM +0200, vikingserver@xxxxxxxxx wrote:
> > Perhaps someone else has an answer for this.<br>
> > Nothing in coderman's short answers have made this clear to me. The
> > answers look rather confusing to me, sorry.<br>
> 
> (Typing on defcon network so will be quite brief)
> 
> The short answer is yes, this is an attack, and no, we're not going
> to tell you exactly how it works yet. That's because several hundred
> thousand people are vulnerable, and we're going to give them several
> weeks to upgrade before we arm random people on the Internet with the
> ability to launch this attack against them.
> 
> You should be one of the people who upgrades. :)
> 
> --Roger
> 

When I read the following post last month in a.p.a-s I just _assumed_ it was a
kid trolling.

 - Posting in the clear through Google with his Portland, OR Verizon IP flapping
in the breeze.

I now _assume_ this Usenet post is related to the subject at hand (?)

http://preview.tinyurl.com/2d5wzx

   _____________________________________________________________________

   Newsgroups: alt.privacy.anon-server
   Subject: Re: JanusVM
   Date: Fri, 13 Jul 2007 08:45:21 -0000
   Message-ID: <1184316321.217249.171350@xxxxxxxxxxxxxxxxxxxxxxxxxxx>

   On Jul 13, 12:25 am, Anonymous Sender
   <anonym...@xxxxxxxxxxxxxxxxxxxxx> wrote:
   > What do you think of this tor wrapper?
   >
   > http://janusvm.peertech.org/
   >
   > Has anyone tried it? Pros? Cons? Caveats?

   http://janusvm.peertech.org/Flash/JanusVM-SEC-Demo-1.html

   This is the only tool that prevents side channel attacks against Tor.
   This happens because JanusVM is transparently proxying ALL your TCP
   traffic through Tor.

   HD Moore had a very nice example of why you should NOT trust your
   applications to always use Tor correctly.  JanusVM doesn't have this
   problem because it catches everything at the Network Layer.

   Also, I am going to be releasing a 0-day against Tor @ DefCon15 this
   year that will reveal your true IP address. :-P
   Needless to say, the 0-day will not work against those using
   JanusVM.
   And no, I'm not releasing ANY details about it until Defcon.

   Enjoy!

   Kyle
   _____________________________________________________________________

References:
- critical security vulnaribility fixed in Tor 0.1.2.16
  - From: vikingserver@xxxxxxxxx
- Re: critical security vulnaribility fixed in Tor 0.1.2.16
  - From: coderman
- Re: critical security vulnaribility fixed in Tor 0.1.2.16
  - From: vikingserver@xxxxxxxxx
- Re: critical security vulnaribility fixed in Tor 0.1.2.16
  - From: coderman
- Re: critical security vulnaribility fixed in Tor 0.1.2.16
  - From: vikingserver@xxxxxxxxx
- Re: critical security vulnaribility fixed in Tor 0.1.2.16
  - From: coderman
- Re: critical security vulnaribility fixed in Tor 0.1.2.16
  - From: vikingserver@xxxxxxxxx
- Re: critical security vulnaribility fixed in Tor 0.1.2.16
  - From: Roger Dingledine

Prev by Author: [hermetix] tor network status mirror
Next by Author: contradicting log entries regarding ExcludeNodes
Previous by thread: Re: critical security vulnaribility fixed in Tor 0.1.2.16
Next by thread: tor servers communicating to wrong ports
Index(es):
- Author
- Thread