How are hackers breaking Tor and trojan users?

Kyle Williams kyle.kwilliams at gmail.com
Tue Jun 10 18:22:33 UTC 2008


Being one of the JanusVM developers, I can answer these questions for you.

On Tue, Jun 10, 2008 at 2:38 AM, MadAtTorHackers <madathackers at gmail.com>
wrote:

> I read that hackers are breaking Tor and turning into a trojan/rootkit?  Is
> this possible?  How can they do this?
>
> In post:
> http://www.wilderssecurity.com/showpost.php?p=1257878&postcount=722
> says XeroBank:
>
> * I saw something about a Tor exploit talk being planned for Defcon. I'll
>> assume that's where the s%*t is scheduled to hit the fan? *
>> The one scheduled so far isn't going to be anything I don't think. I have
>> serious doubts, considering the wording. Ours, if accepted, will truly
>> unmask tor users and turn tor into a trojan/rootkit.
>>
>
> Is this XeroBank spreading fear to Tor without cause?
>

No.  Are you spreading fear without cause?


> Or did hackers break Tor and create it a Trojan / Rootkit?
>

Yes.  http://www.janusvm.com/goldy/vuln/tor-controlport.html


>
> I see also JanusVM developer are working for XeroBank:
> http://xerobank.com/team.php
>

Yes I am, because giving away free software doesn't pay the bills, and users
maybe donate $50 (USD) a month, which is not enough to live on.


>
> Is JanusVM not being maintained because of XeroBank taking over?
>

Absolutely not!


> It is dead since 2007.  They say download removed for Debian, but keep
> donations request and link to current Oct-19-2007:
> http://www.janusvm.com/download.html
>

Re-read that URL please.  I said it has been removed because of the Debian
OpenSSL vulnerability.
Please try to refrain from taking the situation out of context.

Yes, I haven't updated JanusVM to use the newest version of Tor, yet.  Soon
though.
No, it has not been dead since 2007.  It's been down for a couple of weeks,
tops.
Oct. 19, 2007 was the last time we updated JanusVM because it's fairly low
maintenance and the security model is solid.
Even the ControlPort vulnerability from last year didn't affect JanusVM, and
we had the ControlPort enabled just like everyone else.


>
> How can Tor become Trojan / Rootkit, this seems not possible?
>

Again, http://www.janusvm.com/goldy/vuln/tor-controlport.html
Now I know, this problem has been long solved.  BTW, I was the one who told
the Tor developers how to fix it.
They listened and the problem was solved.

If some evil "hacker" gets your controlport, they could:
- Reveal the client's true IP address (anonymity).
- Map hidden services to the client's own computer (security)
- Map hidden services to other computers in the client's local network
(security)
- Map hidden services to other services on the Internet (security)
- Move the client from the public Tor network to a privately controlled
Tor network (privacy)
( http://blog.xerobank.com/2008/06/security-and-osi-model.html )


> How are hackers allowed to break user computers and not be illegal?
>

If the tests are in a controlled environment on systems that the "hacker"
owns, then there is nothing to worry about and nothing you can do about it.
It's called Research and Development.  Research vulnerabilities, and develop
defenses to those vulnerabilities.


> Why is JanusVM working for XeroBank?
>

Because the world requires money to live a good life and I don't want to be
like the homeless hacker.
Plus, I spent all of 2007 very poor while I worked on R&D.  I'm sick of
being poor and now working my ass off at two jobs.



> Is there a safe Tor Virtual Machine to use?
>

Yes.  Before you lose sleep over the issue, just disable Tor's ControlPort
and you can worry a lot less.
Or use Firefox + TorButton 1.2.0 if you so choose.


>
> I have many questions.  Thank you!
>

And I have many answers!

Thank you for your concern, but don't worry about it too much.
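
A way to check a torrc for the mitigation given above (ControlPort disabled), as an added example that is not part of the original message and is not Tor or JanusVM code. The sample torrc text is constructed and the function names are hypothetical; the authentication and bind-address checks go beyond the thread's advice and rely on the standard torrc options CookieAuthentication, HashedControlPassword and ControlListenAddress, which the thread does not mention.

```python
# Constructed sample torrc contents (not taken from the thread).
SAMPLES = {
    "open": "SocksPort 9050\nControlPort 9051  # no authentication\n",
    "disabled": "SocksPort 9050\nControlPort 0\n",
    "cookie": "ControlPort 9051\nCookieAuthentication 1\n",
    "exposed": "ControlPort 9051\nControlListenAddress 0.0.0.0\n"
               "HashedControlPassword 16:PLACEHOLDER\n",
}


def parse_torrc(text):
    """Map each lowercased option name to the list of values given for it."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if line:
            parts = line.split(None, 1)
            opts.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) == 2 else "")
    return opts


def host_of(value):
    """Host of 'host', 'host:port' or '[v6]:port'; None for a bare port or 'auto'."""
    if value.startswith("["):
        return value[:value.find("]") + 1]
    host, sep, _ = value.rpartition(":")
    if sep:
        return host
    return None if value.isdigit() or value.lower() == "auto" else value


def audit_control_port(text):
    """Return a list of findings; an empty list means nothing to flag."""
    opts = parse_torrc(text)
    ports = [v for v in opts.get("controlport", []) if v not in ("", "0")]
    if not ports:
        return []  # unset or 0: the control interface is off
    findings = []
    if "1" not in opts.get("cookieauthentication", []) and not opts.get("hashedcontrolpassword"):
        findings.append("ControlPort enabled with no authentication")
    binds = [v for v in ports + opts.get("controllistenaddress", []) if not v.startswith("unix:")]
    for host in filter(None, map(host_of, binds)):
        if not (host in ("localhost", "[::1]") or host.startswith("127.")):
            findings.append("control listener bound to non-loopback address " + host)
    return findings


if __name__ == "__main__":
    for name, torrc in SAMPLES.items():
        print(name, audit_control_port(torrc) or "ok")
```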