[tor-talk] Verifying signatures
jude at 10equals2.me
Wed Mar 21 11:46:55 UTC 2012
On 03/20/2012 01:46 AM, Achter Lieber wrote:
> Hullo (',')
> In light of some fairly recent postings about making it easier to verify signatures on new Tor downloads,
> I was wondering if anyone has any knowledge of a percentage (if there is at all) of new downloads that are, indeed,
> or have been, compromised Tor Browser Bundles?
> And also, what could, would or can a compromised bundle be used to do - against the client?
> I have to use internet cafe computers and cannot install GPG on them to help me even learn how to verify the sigs,
> so all I have available is getting the new version onto a USB and running it from there with my fingers crossed.
> tanks everywhere just like https everywhere
Sorry if this has been responded to, I've lost a few emails...
I don't believe the TBB has been hijacked, but the TorButton Firefox
extension certainly has.
(Forgive my faulty memory.)
"Anonymous" apparently convinced Firefox (or someone at Firefox? No one
was ever clear on this..) to upload a modified version.
They logged and tracked Tor users to find pedophiles. Which they then
logged and posted the IPs.
They even used a geoip database to map where the users were coming from.
So yeah. They got IPs, they got information on pretty much all Websites
If someone managed to do this to a reasonable number of people, you
could get enough information to positively identify people.
Someone is bound to eventually visit one of their normal websites, and
then you have access time, IP, and potentially the cookie.
"Anonymous is the modern equivalent of hysterical mob justice. I thought
that was pretty obvious. Sometimes they throw rocks at assholes who
deserve it, sometimes they throw rocks at people who got caught kicking
a kitty and don't deserve to be stoned." -
^ That quote isn't about this particular case, but Anonymous in
general. Those logs could have easily fallen into the wrong hands and
potentially gotten someone killed. For what? Two seconds of fame where
they proudly tell the world "These IP addresses may have potentially
accessed CP!! Or not. I mean it's not like anyone can actually DO
anything with this information... Since we don't tell you positively
what computer it's coming from... Hell could be hundreds of people using
that IP... For the Lulz!!"