[tor-talk] Verifying signatures

Jude Young jude at 10equals2.me
Wed Mar 21 11:46:55 UTC 2012

On 03/20/2012 01:46 AM, Achter Lieber wrote:
> Hullo (',')
>   In light of some fairly recent postings about making it easier to verify signatures on new Tor downloads,
>   I was wondering if anyone has any knowledge of a percentage (if there is at all) of new downloads that are, indeed,
>   or have been, compromised Tor Browser Bundles?
>   And also, what could, would or can a compromised bundle be used to do - against the client?
>   I have to use internet cafe computers and cannot install GPG on them to help me even learn how to verify the sigs,
>   so all I have available is getting the new version onto a USB and running it from there with my fingers crossed.
>   tanks everywhere just like https everywhere
Sorry if this has been responded to, I've lost a few emails...
I don't believe the TBB has been hijacked, but the TorButton Firefox 
extension certainly has.
(Forgive my faulty memory.)
"Anonymous" apparently convinced Firefox (or someone at Firefox? No one 
was ever clear on this..) to upload a modified version.
They logged and tracked Tor users to find pedophiles.  Which they then 
logged and posted the IPs.
They even used a geoip database to map where the users were coming from.

So yeah.  They got IPs, they got information on pretty much all Websites 
If someone managed to do this to a reasonable number of people, you 
could get enough information to positively identify people.

Someone is bound to eventually visit one of their normal websites, and 
then you have access time, IP, and potentially the cookie.

"Anonymous is the modern equivalent of hysterical mob justice. I thought 
that was pretty obvious. Sometimes they throw rocks at assholes who 
deserve it, sometimes they throw rocks at people who got caught kicking 
a kitty and don't deserve to be stoned."
     - Anonymous

^ That quote isn't about this particular case, but Anonymous in 
general.  Those logs could have easily fallen into the wrong hands and 
potentially gotten someone killed.  For what? Two seconds of fame where 
they proudly tell the world "These IP addresses may have potentially 
accessed CP!!  Or not.  I mean it's not like anyone can actually DO 
anything with this information... Since we don't tell you positively 
what computer it's coming from... Hell could be hundreds of people using 
that IP... For the Lulz!!"


