Can anyone from the Tor Project jump in to say whether these guys have reached out or not?
We should be concerned about another CCC-style "0-day" presentation where they find a legitimate vulnerability that could have been patched prior, but are using it as a PR stunt to boost book sales as opposed to responsible disclosure. Alexander Volynkin [1] and the grad student Michael McCord, [2] both stand to benefit professionally/financially from disclosing a vulnerability in as dramatic form as possible.. and of course picked up and misinterpreted by the media.

I'm raising this concern based solely on the negative phrasing in the description.

> ...It has also been used for distribution of child pornography, illegal drugs, and malware. Anyone
> with minimal skills and resources can participate on the Tor network. Anyone can become a
> part of the network. As a participant of the Tor network, you can choose to use it to
> communicate anonymously or contribute your resources for others to use. There is very little to
> limit your actions on the Tor network. There is nothing that prevents you from using your
> resources to de-anonymize the network's users instead by exploiting fundamental flaws in Tor
> design and implementation. And you don't need the NSA budget to do so. Looking for the IP
> address of a Tor user? Not a problem. Trying to uncover the location of a Hidden Service? Done.
> We know because we tested it, in the wild...

Worst case stated, I don't want to hate on researchers -- the two should be praised for their research if they have something new and they've already been working with the Tor Project team to get it resolved.

If I were a betting person, a beer says that they will be summarizing the current issues with hidden services, and as Adrian said, doing a client side disbanding attack (e.g. Java + DNS)

[1] https://www.blackhat.com/us-14/speakers/Alexander-Volynkin.html
[2] https://www.blackhat.com/us-14/speakers/Michael-McCord.html

On Thu, Jul 3, 2014 at 7:58 PM, Seth David Schoen <[email protected]> wrote:

> Adrian Crenshaw writes:
>
> > Best guess, many client side and web app attacks Tor can't do much about.
> > (My talk at Defcon will cover a bunch of folks that got Deanonymized, but
> > in every case it was not Tor that was really broke)
>
> The description on the Black Hat site refers "a handful of powerful
> servers and a couple gigabit links" that are operated for "a couple
> of months", which sounds like this involves actually running nodes and
> getting the attack targets to build circuits through them.
>
> --
> Seth Schoen <[email protected]>
> Senior Staff Technologist https://www.eff.org/
> Electronic Frontier Foundation https://www.eff.org/join
> 815 Eddy Street, San Francisco, CA 94109 +1 415 436 9333 x107
> --
> tor-talk mailing list - [email protected]
> To unsubscribe or change other settings go to
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
