Re: critical security vulnerability fixed in Tor 0.1.2.16
Quoting Roger Dingledine <arma@xxxxxxx>:
> On Sat, Aug 04, 2007 at 04:40:04PM +0200, vikingserver@xxxxxxxxx wrote:
> > Perhaps someone else has an answer for this.
> > Nothing in coderman's short answers has made this clear to me. The
> > answers look rather confusing to me, sorry.
> (Typing on defcon network so will be quite brief)
> The short answer is yes, this is an attack, and no, we're not going
> to tell you exactly how it works yet. That's because several hundred
> thousand people are vulnerable, and we're going to give them several
> weeks to upgrade before we arm random people on the Internet with the
> ability to launch this attack against them.
> You should be one of the people who upgrades. :)
When I read the following post last month in a.p.a-s I just _assumed_ it was a
- Posting in the clear through Google with his Portland, OR Verizon IP flapping
in the breeze.
I now _assume_ this Usenet post is related to the subject at hand (?)
Subject: Re: JanusVM
Date: Fri, 13 Jul 2007 08:45:21 -0000
On Jul 13, 12:25 am, Anonymous Sender
> What do you think of this tor wrapper?
> Has anyone tried it? Pros? Cons? Caveats?
This is the only tool that prevents side channel attacks against Tor.
This happens because JanusVM is transparently proxying ALL your TCP
traffic through Tor.
HD Moore had a very nice example of why you should NOT trust your
applications to always use Tor correctly. JanusVM doesn't have this
problem because it catches everything at the Network Layer.
Also, I am going to be releasing a 0-day against Tor @ DefCon15 this
year that will reveal your true IP address. :-P
Needless to say, the 0-day will not work against those using
And no, I'm not releasing ANY details about it until Defcon.