<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 12pt;
font-family:Calibri
}
--></style></head>
<body class='hmmessage'><div dir='ltr'>Hmmmm,<div><br></div><div><br></div><div>And it's agreed, when using Tor don't enable javascript and don't use Flash. <br><br>The question remains with HTML 5 taking over the throne from Flash will HTML 5 video cough up your IP address the way Flash does? </div><div><br></div><div>-Joe <br><div>> Date: Wed, 24 Dec 2014 14:06:19 -0600<br>> From: freddymartinez9@gmail.com<br>> To: cryptoparty-chi@groups.sshchicago.org<br>> Subject: Re: [Crypto-chi] Tor at risk<br>> <br>> Well,<br>> <br>> This is a serious flaw in Flash (which is garbage software), not really Tor.<br>> <br>> Here is what we know. The FBI identified a web server in operation<br>> Torpedo (FWIW: that's a pretty clever portmanteau). Then they simply<br>> logged<br>> in to the webpage because the web server's admin username was "admin"<br>> and the password was .... wait for it... not set. From there, they<br>> installed an invisible iFrame that uses Flash to ping an FBI server<br>> with the real IP of the Tor user. Eventually users noticed this and<br>> quickly abandoned the webpage.<br>> <br>> What was vulnerable? Tor users using an old version of TBB that was<br>> outdated and allowed Flash to execute. (By default TBB ships with<br>> NoScript (but disabled) and does NOT allow Flash to execute. There<br>> have been discussions about shipping TBB with noscript enabled by<br>> default but that breaks a lot of webpages. However, Flash shouldn't<br>> have been able to execute anyways and the end-users allowed it to<br>> execute.)<br>> <br>> What remains to be decided / understood? Under what authority can the<br>> FBI hack into webpages? Notice this was against all visitors to a<br>> webpage. Related: the FBI is pushing the DoJ for greater latitude to<br>> install RATs [0] in laptops.<br>> <br>> tl;dr Keep your TBB up to date and don't run Flash<br>> <br>> (actually good advice for all web browsers, tor or not...), Also don't<br>> open PDFs while on Tor etc etc.<br>> <br>> Freddy<br>> <br>> [0] http://www.theatlantic.com/technology/archive/2014/12/the-webcam-hacking-epidemic/383998/<br>> <br>> On Wed, Dec 24, 2014 at 12:03 PM, joe fuentes <joseph.fuentes@live.com> wrote:<br>> > Especially today Christmas Eve day. Our rights to privacy at risk. Tor is<br>> > the target.<br>> ><br>> > First, FBI was able to obtain some user IP addresses from Tor. This uses<br>> > open source Metasploit from a security researcher Moore. See below<br>> ><br>> > http://www.wired.com/2014/12/fbi-metasploit-tor/?mbid=social_fb<br>> ><br>> > This in fact earned Moore a warning from law enforcement thus discouraging<br>> > security researchers from performing their work. See below<br>> ><br>> > http://www.theguardian.com/technology/2014/may/29/us-cybercrime-laws-security-researchers<br>> ><br>> > And if this wasn't enough an report shows the NSA keeps track on who looks<br>> > up Tor and visits website. Kinda like Santa Claus watching who's naughty or<br>> > nice. See below<br>> ><br>> > http://www.theverge.com/2014/7/3/5868159/new-report-says-the-nsa-is-checking-who-visits-tors-website<br>> ><br>> > Wot are your thoughts on this everybody??<br>> ><br>> > - Joe<br>> ><br>> > _______________________________________________<br>> > cryptoparty-chi mailing list<br>> > cryptoparty-chi@groups.sshchicago.org<br>> > http://groups.sshchicago.org/listinfo/cryptoparty-chi<br>> ><br>> _______________________________________________<br>> cryptoparty-chi mailing list<br>> cryptoparty-chi@groups.sshchicago.org<br>> http://groups.sshchicago.org/listinfo/cryptoparty-chi<br></div></div> </div></body>
</html>