On Tue, Jun 10, 2008 at 2:38 AM, MadAtTorHackers <
madathackers@xxxxxxxxx> wrote:
I read that hackers are breaking Tor and turning into a trojan/rootkit? Is this possible? How can they do this?
In post: http://www.wilderssecurity.com/showpost.php?p=1257878&postcount=722
says XeroBank:
I saw something about a Tor exploit talk being planned for Defcon. I'll
assume that's where the s%*t is scheduled to hit the fan?
The one scheduled so far isn't going to be anything I don't think. I
have serious doubts, considering the wording. Ours, if accepted, will
truly unmask tor users and turn tor into a trojan/rootkit.
Is this XeroBank spreading fear to Tor without cause?
No. Are you spreading fear without cause.
Or did hackers break Tor and create it a Trojan / Rootkit?
Yes I am, because giving away free software doesn't pay the bills, and users maybe donate $50 (USD) a month, which is not enough to live on.
Is JanusVM not being maintained because of XeroBank taking over?
Absolutely not!
Re-read that URL please. I said it has been removed because of the Debian OpenSSL vulnerability.
Please try to refrain from taking the situation out of context.
Yes, I haven't update JanusVM to use the newest version of Tor, yet. Soon though.
No, it has not been dead since 2007. It's been down for a couple of weeks, tops.
Oct. 19, 2007 was the last time we updated JanusVM because it's fairly low maintenance and the security model is solid.
Even the ControlPort vulnerability from last year didn't affect JanusVM, and we had the ControlPort enabled just like everyone else.
How can Tor become Trojan / Rootkit, this seems not possible?
Again,
http://www.janusvm.com/goldy/vuln/tor-controlport.htmlNow I know, this problem has been long solved. BTW, I was the one who told the Tor developers how to fix it.
They listened and the problem was solved.
If some evil "hacker" gets your controlport, they could:
- Revealing the clients true IP address (anonymity).
- Mapping hidden services to the clients own computer (security)
- Mapping hidden services to other computers in the clients local network (security)
- Mapping hidden services to other services on the Internet (security)
- Moving the client from the public Tor network to a privately controlled Tor network (privacy)
(
http://blog.xerobank.com/2008/06/security-and-osi-model.html )
How are hackers allowed to break user computers and not be illegal?
If the test are in a controlled environment on systems that the "hacker" owns, then there is nothing to worry about and nothing you can do about it.
It's called Research and Development. Research vulnerabilities, and develop defenses to those vulnerabilities.
Why is JanusVM working for XeroBank?
Because the world requires money to live a good life and I don't want to be like the homeless hacker.
Plus, I spent all of 2007 very poor while I worked on R&D. I'm sick of being poor and now working my ass off at two jobs.
Is there a safe Tor Virtual Machine to use?
Yes. Before you loose sleep over the issue, just disable Tor's ControlPort and you can worry a lot less.
Or use Firefox + TorButton 1.2.0 is you so choose.
I have many questions. Thank you!