From: Nadim Kobeissi <nadim <at> nadim.cc>
Subject: Re: Freedom Hosting, Tormail Compromised // OnionCloud
Newsgroups: gmane.technology.liberationtech
Date: Tuesday 6th August 2013 08:28:56 UTC (over 4 years ago)
On 2013-08-06, at 3:19 AM, Jacob Appelbaum wrote:

> Griffin Boyce:
>> Al,
>> We may have to disagree as to the way forward. I hate to be
>> contentious, but it seems unlikely that Tor applied a patch without
>> reading firefox's changelog. Two days ago I presented a talk which
>> emphasized how useful Tor is -- and I stand by that. Tor is still the
>> best option for maintaining one's anonymity.
> Hi Griffin,
> Do you plan to release security advisories for all updates to the Linux
> kernel, GNU user space utilities and other dependencies in the commotion
> router firmware?

How is this, in any way, shape or form, relevant? Are you seriously opening
up Commotion's bug handling in order to sort of justify this Tor situation?

Tor had forked Firefox into its own browser, which is called Tor Browser.
Mozilla issued an advisory for Firefox the day the bug was discovered,
about five weeks ago. Tor should have issued a similar advisory for Tor
Browser and consequently the Tor Browser Bundle, especially considering
that the Tor Browser Bundle is by far *the* most visible way for end-users
to download and use Tor these days.

> I suppose no but perhaps I'm mistaken? Has anyone done so with new
> commotion releases? I don't see[0][1] such notes, am I missing something?
> It seems impractical to note every change from downstream projects.
> Clearly you seem to disagree but I do wonder where you draw the line?
> Do your projects have some example where we might see the line in
> action, so to speak?
> As far as I can tell, we issued a security advisory within twenty-four
> hours.

Actually, Tor issued a security advisory for Tor Browser a full 39 days
after Mozilla did for Firefox.

> We spent more than a full day of multiple people's time working
> non-stop to understand the scope, the impact and the outcomes of this
> issue. We were already working on this task when you and another decided
> to jump up and down to let us know that we were failures by any other
> name. I'd say thanks but that isn't the word that comes to mind…

"I'd say thanks but that isn't the word that comes to mind…"
Dude, you're supposed to be Tor's outreach guy! Come on!

> The Tor Project does not triage every single Mozilla Firefox bug. We do
> try to understand which bugs are security critical. We do aim to track
> and put our energy into ensuring our browser uses the latest ESR
> releases. This generally includes lots of code fixes, security as well
> as other kinds of fixes, though we may not always fully understand every
> issue - we tend to trust Mozilla's lead on this topic. TBB requires lots
> of effort to forward port our privacy preserving patches as they are not
> in the mainline Mozilla repositories. We did this as we always do with
> TBB releases and we released patched versions of the software before we
> ever even learned of the exploit discovered this weekend that targets
> old, unpatched users:
> 2.3.25-10 (released June 26 2013)
> 2.4.15-alpha-1 (released June 26 2013)
> 2.4.15-beta-1 (released July 8 2013)
> 3.0alpha2 (released June 30 2013)
> By a general count, it was around a month ago that we released patched
> versions. We normally just note that we've bumped the included projects
> to their latest stable versions - though in the case of our latest
> alpha, we specifically said[2]:
> "In addition to providing important security updates to Firefox and Tor,
> these release binaries should now be exactly reproducible from the
> source code by anyone."
> Do you think that we should include that text with every single release?
> ie: "This update provides important security updates to Firefox and Tor"
> or something along those lines? Shall we just put that in every single
> release note? Is that really helpful?

Actually, isn't that exactly what you've said I should do with my own
project, Cryptocat, numerous times? It's actually really illuminating that
you in fact are committing the exact same outreach and mitigation blunders
that you keep criticizing other projects for.

> If you have a suggestion for how we might improve, I'm open to hearing
> it - though as far as I am able to tell - there isn't much to be done
> except to say "security update" next to "firefox update" in our normal
> release notes. That isn't very helpful as nearly every Firefox update in
> ESR is a security or stability related release.
> Please do feel free to suggest something constructive - if we have room
> for improvement, we're happy to make it!

I think your entire email is not constructive. Roger's email with the
actual advisory was awesome. Maybe he should represent Tor on this list
from now on.


> All the best,
> Jacob
> [0] https://commotionwireless.net/download/openwrt
> [1]
> https://commotionwireless.net/blog/new-commotion-release-dr1-ready-testing
> [2] https://blog.torproject.org/blog/tor-browser-bundle-30alpha2-released
> --
> Liberationtech list is public and archives are searchable on Google. Too
> many emails? Unsubscribe, change to digest, or change password by emailing
> moderator at [email protected] or changing your settings at https://mailman.stanford.edu/mailman/listinfo/liberationtech