[tor-talk] is it me or did tor talk get really quiet?
Griffin Boyce
griffin at cryptolab.net
Thu Sep 22 13:03:32 UTC 2016

tortalk at arcor.de wrote:
> It depends on what you want to read. If you want some scary rants
> about Tor and 0 days you might want to read:
>
> http://arstechnica.com/security/2016/09/bug-that-hit-firefox-and-tor-browsers-was-hard-to-spot-now-we-know-why/
> "Bug that hit Firefox and Tor browsers was hard to spot now we know
> why"

His bug was interesting in a few ways. For one, it appeared weeks
after he claimed to have it. Perhaps most surprising was that senior
engineers needed to walk him through the problem he was interested in
reporting (by Erinn Atwater & Ryan Duff [2]) before he could articulate
it in any meaningful way. His insistence that it was a Tor-exclusive
bug also cost him a bug bounty from Mozilla (their chart would appear to
indicate $10k+ for a bug like that).

It's also worth noting that Tor released a patch the same day the bug
was finally reported. Rotor Browser (jmprcx/movrcx's project) hasn't
patched the issue [1], even though Mozilla and Tor both did.

> or you follow this discussion.
> https://trac.torproject.org/projects/tor/wiki/org/meetings/2016WinterDevMeeting/Notes/TakeBackCommunityChannels
> "Take back community channels...High-level report-out notes from Roger"

That discussion happened in Feb/March of this year as part of the
Winter meeting. The upcoming Seattle meeting is the Summer meeting (I
know, I know). The link above shows the outcome of the discussion --
hence "report-out".

[2] https://twitter.com/errorinn/status/778012774416777216
[1] https://github.com/IndependentOnion/rotor-browser
--
Accept what you cannot change, and change what you cannot accept.
PGP: 0x03cf4a0ab3c79a63