
Re: critical security vulnerability fixed in Tor 0.1.2.16



Quoting Roger Dingledine <arma@xxxxxxx>:

> On Sat, Aug 04, 2007 at 04:40:04PM +0200, vikingserver@xxxxxxxxx wrote:
> > Perhaps someone else has an answer for this.
> > Nothing in coderman's short answers has made this clear to me. The
> > answers look rather confusing to me, sorry.
> 
> (Typing on defcon network so will be quite brief)
> 
> The short answer is yes, this is an attack, and no, we're not going
> to tell you exactly how it works yet. That's because several hundred
> thousand people are vulnerable, and we're going to give them several
> weeks to upgrade before we arm random people on the Internet with the
> ability to launch this attack against them.
> 
> You should be one of the people who upgrades. :)
> 
> --Roger
> 

When I read the following post last month in a.p.a-s I just _assumed_ it was a
kid trolling.

 - Posting in the clear through Google with his Portland, OR Verizon IP flapping
in the breeze.

I now _assume_ this Usenet post is related to the subject at hand (?)


http://preview.tinyurl.com/2d5wzx

   _____________________________________________________________________

   Newsgroups: alt.privacy.anon-server
   Subject: Re: JanusVM
   Date: Fri, 13 Jul 2007 08:45:21 -0000
   Message-ID: <1184316321.217249.171350@xxxxxxxxxxxxxxxxxxxxxxxxxxx>


   On Jul 13, 12:25 am, Anonymous Sender
   <anonym...@xxxxxxxxxxxxxxxxxxxxx> wrote:
   > What do you think of this tor wrapper?
   >
   > http://janusvm.peertech.org/
   >
   > Has anyone tried it? Pros? Cons? Caveats?

   http://janusvm.peertech.org/Flash/JanusVM-SEC-Demo-1.html

   This is the only tool that prevents side channel attacks against Tor.
   This happens because JanusVM is transparently proxying ALL your TCP
   traffic through Tor.

   HD Moore had a very nice example of why you should NOT trust your
   applications to always use Tor correctly.  JanusVM doesn't have this
   problem because it catches everything at the Network Layer.

   Also, I am going to be releasing a 0-day against Tor @ DefCon15 this
   year that will reveal your true IP address. :-P
   Needless to say, the 0-day will not work against those using
   JanusVM.
   And no, I'm not releasing ANY details about it until Defcon.

   Enjoy!

   Kyle
   _____________________________________________________________________