Being one of the JanusVM developers, I can answer these questions for you.<br><br><div class="gmail_quote">On Tue, Jun 10, 2008 at 2:38 AM, MadAtTorHackers <<a href="mailto:madathackers@gmail.com" target="_blank">madathackers@gmail.com</a>> wrote:<br>
<blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><font size="4">I read that hackers are breaking Tor and turning into a trojan/rootkit? Is this possible? How can they do this?<br>
<br>In post: <a href="http://www.wilderssecurity.com/showpost.php?p=1257878&postcount=722" target="_blank">http://www.wilderssecurity.com/showpost.php?p=1257878&postcount=722</a><br>
says XeroBank:<br><br></font><blockquote style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;" class="gmail_quote"><div style="margin-left: 40px;"><i>
I saw something about a Tor exploit talk being planned for Defcon. I'll
assume that's where the s%*t is scheduled to hit the fan? </i>
        
        
<br>
The one scheduled so far isn't going to be anything I don't think. I
have serious doubts, considering the wording. Ours, if accepted, will
truly unmask tor users and turn tor into a trojan/rootkit.</div></blockquote><div> <br><font size="4">Is this XeroBank spreading fear to Tor without cause? </font></div></blockquote><div><br>No. Are you spreading fear without cause?<br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><font size="4">Or did hackers break Tor and create it a Trojan / Rootkit?<br></font></div>
</blockquote><div><br>Yes. <a href="http://www.janusvm.com/goldy/vuln/tor-controlport.html" target="_blank">http://www.janusvm.com/goldy/vuln/tor-controlport.html</a><br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><font size="4"><br>
I see also JanusVM developer are working for XeroBank:<br><a href="http://xerobank.com/team.php" target="_blank">http://xerobank.com/team.php</a><br></font></div></blockquote><div><br>Yes I am, because giving away free software doesn't pay the bills, and users maybe donate $50 (USD) a month, which is not enough to live on.<br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><font size="4"><br>Is JanusVM not being maintained because of XeroBank taking over? </font></div>
</blockquote><div><br>Absolutely not!<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><font size="4">It is dead since 2007. They say download removed for Debian, but keep donations request and link to current Oct-19-2007:<br>
<a href="http://www.janusvm.com/download.html" target="_blank">http://www.janusvm.com/download.html</a><br></font></div></blockquote><div><br>Re-read that URL please. I said it has been removed because of the Debian OpenSSL vulnerability. <br>
Please try to refrain from taking the situation out of context. <br>
<br>Yes, I haven't updated JanusVM to use the newest version of Tor, yet. Soon though. <br>No, it has not been dead since 2007. It's been down for a couple of weeks, tops.<br>Oct. 19, 2007 was the last time we updated JanusVM because it's fairly low maintenance and the security model is solid.<br>
Even the ControlPort vulnerability from last year didn't affect JanusVM, and we had the ControlPort enabled just like everyone else.<br>
</div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><font size="4"><br>How can Tor become Trojan / Rootkit, this seems not possible? </font></div>
</blockquote><div><br>Again, <a href="http://www.janusvm.com/goldy/vuln/tor-controlport.html" target="_blank">http://www.janusvm.com/goldy/vuln/tor-controlport.html</a><br>Now I know, this problem has been long solved. BTW, I was the one who told the Tor developers how to fix it.<br>
They listened and the problem was solved.<br><br>If some evil "hacker" gets your controlport, they could: <br>- Reveal the client's true IP address (anonymity).<br>- Map hidden services to the client's own computer (security)<br>
- Map hidden services to other computers in the client's local network (security)<br>- Map hidden services to other services on the Internet (security)<br>- Move the client from the public Tor network to a privately controlled Tor network (privacy)<br>
( <a href="http://blog.xerobank.com/2008/06/security-and-osi-model.html" target="_blank">http://blog.xerobank.com/2008/06/security-and-osi-model.html</a> )<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><font size="4">How are hackers allowed to break user computers and not be illegal? </font></div></blockquote><div><br>If the tests are in a controlled environment on systems that the "hacker" owns, then there is nothing to worry about and nothing you can do about it.<br>
It's called Research and Development. Research vulnerabilities, and develop defenses to those vulnerabilities.<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><font size="4">Why is JanusVM working for XeroBank? </font></div></blockquote><div><br>Because the world requires money to live a good life and I don't want to be like the homeless hacker.<br>Plus, I spent all of 2007 very poor while I worked on R&D. I'm sick of being poor and now working my ass off at two jobs.<br>
<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;"><div><font size="4">Is there a safe Tor Virtual Machine to use?<br>
</font></div></blockquote><div><br>Yes. Before you lose sleep over the issue, just disable Tor's ControlPort and you can worry a lot less.<br>Or use Firefox + TorButton 1.2.0 if you so choose.<br> </div><blockquote class="gmail_quote" style="border-left: 1px solid rgb(204, 204, 204); margin: 0pt 0pt 0pt 0.8ex; padding-left: 1ex;">
<div><font size="4"><br>I have many questions. Thank you!<br></font></div>
</blockquote></div><br>And I have many answers!<br><br>Thank you for your concern, but don't worry about it too much. <br><br>
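Following the reply's advice to disable Tor's ControlPort, this added example (not part of the original email, and not JanusVM or Tor project code) audits the text of a torrc for an enabled control port. Rating a control port with no HashedControlPassword or CookieAuthentication, or one bound to a non-loopback address, as high risk is this example's assumption; the function names and sample configurations are constructed.

```python
import ipaddress

# Constructed sample torrc contents (not taken from any real system).
SAMPLE_OPEN = "SocksPort 9050\nControlPort 9051   # no authentication set\n"
SAMPLE_EXPOSED = "ControlPort 192.0.2.10:9051\nCookieAuthentication 1\n"
SAMPLE_DISABLED = "SocksPort 9050\nControlPort 0\n"


def parse_torrc(text):
    """Return (lowercased keyword, value) pairs, skipping comments and blanks."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            entries.append((parts[0].lower(), parts[1] if len(parts) > 1 else ""))
    return entries


def is_loopback(host):
    try:
        return ipaddress.ip_address(host.strip("[]")).is_loopback
    except ValueError:
        return host.lower() == "localhost"


def audit_control_port(text):
    """Return sorted findings about the control port in a torrc string."""
    entries = parse_torrc(text)
    # First token of each ControlPort value; trailing tokens are flags.
    ports = [v.split()[0] for k, v in entries if k == "controlport" and v]
    enabled = [p for p in ports if p != "0"]
    if not enabled:
        return ["ok: ControlPort disabled"]
    findings = set()
    has_password = any(k == "hashedcontrolpassword" and v for k, v in entries)
    has_cookie = any(k == "cookieauthentication" and v == "1" for k, v in entries)
    if not (has_password or has_cookie):
        findings.add("high: ControlPort enabled without authentication")
    for p in enabled:
        if p.startswith("unix:") or ":" not in p:
            continue  # unix socket, bare port or "auto": not a remote TCP bind
        host = p.rsplit(":", 1)[0]
        if not is_loopback(host):
            findings.add("high: ControlPort on non-loopback address " + host)
    return sorted(findings) or ["ok: ControlPort authenticated, local only"]


if __name__ == "__main__":
    for name in ("SAMPLE_OPEN", "SAMPLE_EXPOSED", "SAMPLE_DISABLED"):
        print(name, audit_control_port(globals()[name]))
```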