
Re: critical security vulnerability fixed in Tor

Quoting Roger Dingledine <arma@xxxxxxx>:

> On Sat, Aug 04, 2007 at 04:40:04PM +0200, vikingserver@xxxxxxxxx wrote:
> > Perhaps someone else has an answer for this.
> > Nothing in coderman's short answers has made this clear to me. The
> > answers look rather confusing to me, sorry.
> (Typing on defcon network so will be quite brief)
> The short answer is yes, this is an attack, and no, we're not going
> to tell you exactly how it works yet. That's because several hundred
> thousand people are vulnerable, and we're going to give them several
> weeks to upgrade before we arm random people on the Internet with the
> ability to launch this attack against them.
> You should be one of the people who upgrades. :)
> --Roger

When I read the following post last month in a.p.a-s I just _assumed_ it was a
kid trolling.

 - Posting in the clear through Google with his Portland, OR Verizon IP flapping
in the breeze.

I now _assume_ this Usenet post is related to the subject at hand (?)



   Newsgroups: alt.privacy.anon-server
   Subject: Re: JanusVM
   Date: Fri, 13 Jul 2007 08:45:21 -0000
   Message-ID: <1184316321.217249.171350@xxxxxxxxxxxxxxxxxxxxxxxxxxx>

   On Jul 13, 12:25 am, Anonymous Sender
   <anonym...@xxxxxxxxxxxxxxxxxxxxx> wrote:
   > What do you think of this tor wrapper?
   > http://janusvm.peertech.org/
   > Has anyone tried it? Pros? Cons? Caveats?


   This is the only tool that prevents side channel attacks against Tor.
   This happens because JanusVM is transparently proxying ALL your TCP
   traffic through Tor.

   HD Moore had a very nice example of why you should NOT trust your
   applications to always use Tor correctly.  JanusVM doesn't have this
   problem because it catches everything at the Network Layer.

   Also, I am going to be releasing a 0-day against Tor @ DefCon15 this
   year that will reveal your true IP address. :-P
   Needless to say, the 0-day will not work against those using
   And no, I'm not releasing ANY details about it until Defcon.