Re: [tor-talk] "drop all vulnerable relays from the consensus"

2011-05-16 Thread Marsh Ray 

On 05/15/2011 03:38 PM, tagnaq wrote:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Hi,

"If someone publishes or demonstrates a code-exec exploit [...] we
should drop all vulnerable relays from the consensus" [1]

- - Does Tor provide Authority Directories with an easy way to reject/drop
relays from the consensus based on the platform string or is this only
possible based on FP or IP?

- - How will Directory Authorities determine if a relay is "vulnerable"?
(inspecting the platform string only)?


Once the attacker has code execution he can patch it to emit whatever 
version string is necessary.


We see this with Windows botnets which will sometimes, immediately after 
infection, patch the vulnerability they used to come in on. They may 
also un-patch some other vulnerability (reinstalling the original 
vulnerable signed code) in such a way that the OS still thinks it's 
applied the update.


Of course, none of this is an argument against kicking off 
known-vulnerable clients.


- Marsh
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

[tor-talk] Fwd: [guardian-dev] Orbot 1.0.5.2 now in the Android Market

2011-05-16 Thread Nathan Freitas 
fyi - we'll be updating the download on the tor website shortly, but
otherwise, Orbot 1.0.5.2 is now available, with Tor 0.2.2.25.

The primary new Tor feature is that we've included UI support in the
Settings screen for configuring Exit/Entry/Exclude nodes, and setting
StrictNodes setting.

 Original Message 
Subject: [guardian-dev] Orbot 1.0.5.2 now in the Android Market
Date: Mon, 16 May 2011 23:29:23 -0400
From: Nathan of Guardian 
Organization: The Guardian Project
To: guardian-dev ,
guardian-al...@lists.mayfirst.org

Happy to announce that after a few glitches and at least one last minute
layout tweak, Orbot 1.0.5.2 is now in the Android Market.

It is also available here:
https://guardianproject.info/downloads/0.2.2.25-orbot-alpha-1.0.5.2.apk
(,asc file as well for gpg verification against my email/key)

and will shortly be available through the torproject.org site.

Let us know how your upgrade or install from the market goes. Remember,
if you installed any development test build, you will need to uninstall
it first, since it is signed with a different developer key.

+n8fr8
___
Guardian-dev mailing list

Post: guardian-...@lists.mayfirst.org
List info: https://lists.mayfirst.org/mailman/listinfo/guardian-dev

To Unsubscribe
Send email to:  guardian-dev-unsubscr...@lists.mayfirst.org
Or visit:
https://lists.mayfirst.org/mailman/options/guardian-dev/nathan%40guardianproject.info

You are subscribed as: nat...@guardianproject.info
___
tor-talk mailing list
tor-talk@lists.torproject.org
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk