Anonymous Living

Vidalia is the most popular graphical user interface for the trafic analysis resistance security tool Tor (The Onion Router). It has long been able to show all the Tor routers in the world on a flat map.

Matt Edman has now added support for the QT-based Marble widget made by the KDE education project. This gives Vidalia a 3D network map with a round spinning cube.

Marble is designed to be a geography educational tool. This means that the network map looks great when you zoom in:

You can even click on the servers (indicated with yellow dots) and get all sorts of incriminating information about them:

Possible thanks to free software

Marbles technology could be integrated into Vidalia because both projects are free software licensed under the GNU GPL license. The tyrannical corporate structures who plague our beloved planet do not want you to have access to such technology without paying them a unfairly high price. Free software licenses such as the GNU GPL grants all access to study, use and modify the source. This frequently results in very cool technology such as Vidalias new Marble widget support.

Still some rought edges to be smoothed out

The widget integration still needs a few more details to be smoothed out before official Vidalia builds with the Marble technology become available for Windows and Mac OS X users. It is possible to build Vidalia with the new fancy network map on GNU/Linux systems.

The trick to building Vidalia with Marble is to check out and build a special trimmed-down version of the Marble widget.

It is available from https://svn.vidalia-project.net/svn/marble/trunk

Then get the latest vidalia from https://svn.vidalia-project.net/vidalia/trunk/

Run cmake with -DUSE_MARBLE=1 (mkdir build && cd build && cmake -DUSE_MARBLE .. && make) and make and install as usual.

If you wish to view the number of frames per second then just add SetShowFrameRate to tormapwidget.cpp:

When can we expect to see Windows and Mac OS X builds of Vidalia with the network map displayed using the QT Marble widget? Who knows. Probably sooner rather than in ages.

Security researcher Ilja van Sprundel discovered a remotely triggerable heap-corruption bug in Tor which is now fixed in the latest alpha release. The fix has also been backported to the stable branch as of v0.2.0.33. The bug could potentially be dangerous. Official story is that users “should” upgrade. The truth is probably closer to “should really upgrade ASAP”.

Full official story is:

Tor 0.2.1.11-alpha finishes fixing the “if your Tor is off for a week it
will take a long time to bootstrap again” bug. It also fixes an important
security-related bug reported by Ilja van Sprundel. You should upgrade.
(We’ll send out more details about the bug once people have had some
time to upgrade.)

 https://www.torproject.org/download.html…

Changes in version 0.2.1.11-alpha – 2009-01-20
o Security fixes:
- Fix a heap-corruption bug that may be remotely triggerable on
some platforms. Reported by Ilja van Sprundel.

o Major bugfixes:
- Discard router descriptors as we load them if they are more than
five days old. Otherwise if Tor is off for a long time and then
starts with cached descriptors, it will try to use the onion
keys in those obsolete descriptors when building circuits. Bugfix
on 0.2.0.x. Fixes bug 887.

o Minor features:
- Try to make sure that the version of Libevent we’re running with
is binary-compatible with the one we built with. May address bug
897 and others.
- Make setting ServerDNSRandomizeCase to 0 actually work. Bugfix
for bug 905. Bugfix on 0.2.1.7-alpha.
- Add a new –enable-local-appdata configuration switch to change
the default location of the datadir on win32 from APPDATA to
LOCAL_APPDATA. In the future, we should migrate to LOCAL_APPDATA
entirely. Patch from coderman.

o Minor bugfixes:
- Make outbound DNS packets respect the OutboundBindAddress setting.
Fixes the bug part of bug 798. Bugfix on 0.1.2.2-alpha.
- When our circuit fails at the first hop (e.g. we get a destroy
cell back), avoid using that OR connection anymore, and also
tell all the one-hop directory requests waiting for it that they
should fail. Bugfix on 0.2.1.3-alpha.
- In the torify(1) manpage, mention that tsocks will leak your
DNS requests.

A service called Freedom Hosting has showed up among Tors location hidden services and they offer free webhosting with PHP & Mysql support.

It must be mentioned that the service does NOT allow “illegal” files. This may forbid all sorts of interesting content since nothing at the site indicates which country the service is locaed in. This means that it is impossible to know which countries laws apply, and this in turn makes it impossible to know what is and what is not “legal”.

The service offers it’s users their own .onion domain(s), ftp access, a mysql database and resource-restricted PHP scripting.

Check out http://xqz3u5drneuzhaeo.onion/ for more information.

Tor allows people to run location hidden services. These are services who run on Tor-clients (running as a bridge or server is not required) who allow people to conenct to them through servers in the Tor-network.

The location of the services are location hidden in a way which makes it extremely hard to figure out where in the world they are actually located. This means that they can be run anonymously. How secure they really are is still a subject of debate, and many groups are doing research on this subject. It is pretty safe to assume that it is very very hard to locate a location hidden Tor-service, even thoughthere are research papers who debate how it could, in theory, be done given control of enough Tor-servers, time and resources.

The state of the .onion

The location hidden services have addresses who look very much like normal domains, except that they are random text strings (actually a hash of the services private key) who end with the special Tor-domain .onion. You must connect tusing a Tor-client to be able to access these sites. So what kind of .onion sites are there, as of today? What kind of sites do those who want to hide who runs the sites and where in the world they make available?

Pr0n!

Pornography seems to be a very popular subject on the .onion, just
like it is on the normal Internet.

The Another Porn Exchange (APE) and Yet Another Porn Exchange (YAPE) seems to be very popular.

Forums

The various forums are also quite popular. Like The Onionforum. People go there and talk about all kinds of things, mostly normal things like politics and the various other subjects who are popular on the normal Internet. There are also some post on subjects who I assume nobody would dare talk about without being anonymous, but this is actually less frequently the case. Most people go there and talk about the same things they talk about in other forums, except that they happen to be anonymous when using this service and happen to not be able to find out who is running the forum.

There’s also http://xiwayy2kn32bo3ko.onion/tor/, a forum where people write using small drawings who look like houses, squares, circles and other odd things. There are rumors that people in Asia understand these drawings.

Documents, books, etc

Alex Jones of Infowars.com and PrisonPlanet.com has “read the federal documents, and know their TOTAL PLAN”. He is a pretty popular guy because of it, and is even mentioned is various posts the core.onion because of is knowledge of such documents. Many interesting documents are available on various onion sites. The Tor Library has a quite a few. Bebop’s Home in Onionspace has a great collection of cyberpunk (and other) documents. You may also want to read Thomas Paine’s Common Sense and The Federalist papers, which were originally published anonymously. There are also Tor mirrors of sites on the normal Internet, such as textfiles.com. A interesting document leaked out of the German police is also worth reading. Orwell’s 1984, and other books, are available at a text files at http://2evy5quvwdyiyuqr.onion/mirrors/

Blogs!

Blogs, like this one, are read by many people. There are, naturally, many onion blogs too. Like http://balrqba4×57ofa6s.onion/, which is mostly about Tor-related software. Monster warns that the Ice-Age is Coming.

Videos

Some people do not like WTO, which is understandable since they are powertripping tyrants who want dictatorial control over you and your family. A mirror of quite a few WTO protest videos exist within in onion-land.

Chat and talk about how your day was

People like to talk about their day anonymously. There are many onoin IRC servers. There’s even a web based chat.

Software

The masked operating system can (only?) be downloaded using Tor. There are also various attack and defend tools available. If you find yourself under computer attack by commie nazi then perhaps you should go there and find out what they are using to attack you and how to defend yourself. http://gdos2zurqy7miigj.onion/pub/ allows you to download GnuPG and other nice things.

Files…

Sites such as sTORage and the Anonymous Upload Center allow people to upload and download files. All sorts of things are available that those kind of services. All they have in common is that the content serviced as files…

Games!

There are also some pirated consolegames for the MAME arcade machine emulator floating around. I guess it is a good idea to hide who you are when you are making hundres of pirated MAME ROMS available to the general public – even though there are actually quite a few sites offering the same games on the regular Internet.

Search

You can use Torgle to search.

Gone with the wind…

It appears that many of the previously popular .onion sites are now gone with the wind. Which is understandable, it is hard to maximise profits now by running these services: How do you get anyone to pay you when the visitors of you site are all Tor-users who are unwilling to tell you who or where they are?

nnqtnsoohprzqcke.onion was a popular .onion-only search-engine based on the datapark motor. It’s now gone with the wind, just like many other onion sites.

Interesting? not really..

Some onions are just plain uninteresting. Like http://metaq3ayddzzcfzc.onion/, which only tells you that “It works!”. That’s probably great, but it’s really not that interesting.

Starting points

The http://anegvjpd77xuxo45.onion/services/ services list periodically checks onion-sites it knows about and lists which are up and which are down. Many people like to add their sites to core.onion, since that is listed in the Tor-page on the heavily-censored NATO (=nazi) propaganda vessle “Wikipedia”. There are “HiddenServices” pages here, here and here. The Torgle search engine is also a nice starting point, just type in what you are looking for and it will (mostly) find something about that.

Have fun in onion-land! And remember, think before posting in forums and such. What you say can be used to identify who you are, or where you are, what your interests are and so on regardless of the connection being anonymous or not. If you post your phone number then everybody knows who you are, regardless of how you post it…

A video of the not-so-secret (as A.Y. pointed out) presenation on the future of Tor and the Torproject at the 24c3 conference in Berlin are now available on the various mirrors where the videos from the presenations at that conference can be downloaded. Look for “24c3-2325-en-current_events_in_tor_development” on the mirrors listed at 24c3’s “Conference Recordings” page if you are interested. The also-not-so-secret slides from the presentation are available at http://freehaven.net/~arma/slides-24c3.pdf.

Older Tor-presentations (From 23c3 and WTH) can be downloaded from The TorrentChannel’s Technology page.

Nick Mathewson, one of Torproject’s leading developers has spent the holliday’s “beating the heck out of the buffer implementation”. Examples of this can be seen both in the code and on Firespray. This has lead to better RAM management and overall performance improvements in the trunk development version of the Tor software compared to the latest 0.2.15 release.

In other related news, Roger Dingledine has now prepared and posted secret Tor-presentation slides from the 24th Chaos Communication Congress which was held in Berlin, Germany this week.

These secret slides are now available for your studying pleasure at http://freehaven.net/~arma/slides-24c3.p…

One last thing: Happy new year!

Official story is:

From: Roger Dingledine <arma@mit.edu>
To:  or-talk at freehaven.net
Date: Today 02:00:48

Tor 0.2.0.10-alpha adds a third v3 directory authority run by Mike Perry,
adds most of Karsten Loesing’s new hidden service descriptor format, fixes
a bad crash bug and new bridge bugs introduced in 0.2.0.9-alpha, fixes
many bugs with the v3 directory implementation, fixes some minor memory
leaks in previous 0.2.0.x snapshots, and addresses many more minor issues.

Tor 0.2.0.11-alpha fixes some build problems with the previous
snapshot. It also includes a more secure-by-default exit policy for
relays, fixes an enormous memory leak for exit relays, and fixes another
bug where servers were falling out of the directory list.

Tor 0.2.0.12-alpha fixes some more build problems as well as a few
minor bugs.

 https://www.torproject.org/download.html

Changes in version 0.2.0.12-alpha – 2007-11-16
This twelfth development snapshot fixes some more build problems as
well as a few minor bugs.

o Compile fixes:
- Make it build on OpenBSD again. Patch from tup.
- Substitute BINDIR and LOCALSTATEDIR in scripts. Fixes
package-building for Red Hat, OS X, etc.

o Minor bugfixes (on 0.1.2.x):
- Changing the ExitPolicyRejectPrivate setting should cause us to
rebuild our server descriptor.

o Minor bugfixes (on 0.2.0.x):
- When we’re lacking a consensus, don’t try to perform rendezvous
operations. Reported by Karsten Loesing.
- Fix a small memory leak whenever we decide against using a
newly picked entry guard. Reported by Mike Perry.
- When authorities detected more than two relays running on the same
IP address, they were clearing all the status flags but forgetting
to clear the “hsdir” flag. So clients were being told that a
given relay was the right choice for a v2 hsdir lookup, yet they
never had its descriptor because it was marked as ‘not running’
in the consensus.
- If we’re trying to fetch a bridge descriptor and there’s no way
the bridge authority could help us (for example, we don’t know
a digest, or there is no bridge authority), don’t be so eager to
fall back to asking the bridge authority.
- If we’re using bridges or have strictentrynodes set, and our
chosen exit is in the same family as all our bridges/entry guards,
then be flexible about families.

o Minor features:
- When we negotiate a v2 link-layer connection (not yet implemented),
accept RELAY_EARLY cells and turn them into RELAY cells if we’ve
negotiated a v1 connection for their next step. Initial code for
proposal 110.

Changes in version 0.2.0.11-alpha – 2007-11-12
This eleventh development snapshot fixes some build problems with
the previous snapshot. It also includes a more secure-by-default exit
policy for relays, fixes an enormous memory leak for exit relays, and
fixes another bug where servers were falling out of the directory list.

o Security fixes:
- Exit policies now reject connections that are addressed to a
relay’s public (external) IP address too, unless
ExitPolicyRejectPrivate is turned off. We do this because too
many relays are running nearby to services that trust them based
on network address. Bugfix on 0.1.2.x.

o Major bugfixes:
- Fix a memory leak on exit relays; we were leaking a cached_resolve_t
on every successful resolve. Reported by Mike Perry; bugfix
on 0.1.2.x.
- On authorities, never downgrade to old router descriptors simply
because they’re listed in the consensus. This created a catch-22
where we wouldn’t list a new descriptor because there was an
old one in the consensus, and we couldn’t get the new one in the
consensus because we wouldn’t list it. Possible fix for bug 548.
Also, this might cause bug 543 to appear on authorities; if so,
we’ll need a band-aid for that. Bugfix on 0.2.0.9-alpha.

o Packaging fixes on 0.2.0.10-alpha:
- We were including instructions about what to do with the
src/config/fallback-consensus file, but we weren’t actually
including it in the tarball. Disable all of that for now.

o Minor features:
- Allow people to say PreferTunnelledDirConns rather than
PreferTunneledDirConns, for those alternate-spellers out there.

o Minor bugfixes:
- Don’t reevaluate all the information from our consensus document
just because we’ve downloaded a v2 networkstatus that we intend
to cache. Fixes bug 545; bugfix on 0.2.0.x.

Changes in version 0.2.0.10-alpha – 2007-11-10
This tenth development snapshot adds a third v3 directory authority
run by Mike Perry, adds most of Karsten Loesing’s new hidden service
descriptor format, fixes a bad crash bug and new bridge bugs introduced
in 0.2.0.9-alpha, fixes many bugs with the v3 directory implementation,
fixes some minor memory leaks in previous 0.2.0.x snapshots, and
addresses many more minor issues.

o New directory authorities:
- Set up ides (run by Mike Perry) as the third v3 directory authority.

o Major features:
- Allow tunnelled directory connections to ask for an encrypted
“begin_dir” connection or an anonymized “uses a full Tor circuit”
connection independently. Now we can make anonymized begin_dir
connections for (e.g.) more secure hidden service posting and
fetching.
- More progress on proposal 114: code from Karsten Loesing to
implement new hidden service descriptor format.
- Raise the default BandwidthRate/BandwidthBurst to 5MB/10MB, to
accommodate the growing number of servers that use the default
and are reaching it.
- Directory authorities use a new formula for selecting which nodes
to advertise as Guards: they must be in the top 7/8 in terms of
how long we have known about them, and above the median of those
nodes in terms of weighted fractional uptime.
- Make “not enough dir info yet” warnings describe *why* Tor feels
it doesn’t have enough directory info yet.

o Major bugfixes:
- Stop servers from crashing if they set a Family option (or
maybe in other situations too). Bugfix on 0.2.0.9-alpha; reported
by Fabian Keil.
- Make bridge users work again — the move to v3 directories in
0.2.0.9-alpha had introduced a number of bugs that made bridges
no longer work for clients.
- When the clock jumps forward a lot, do not allow the bandwidth
buckets to become negative. Bugfix on 0.1.2.x; fixes bug 544.

o Major bugfixes (v3 dir, bugfixes on 0.2.0.9-alpha):
- When the consensus lists a router descriptor that we previously were
mirroring, but that we considered non-canonical, reload the
descriptor as canonical. This fixes bug 543 where Tor servers
would start complaining after a few days that they don’t have
enough directory information to build a circuit.
- Consider replacing the current consensus when certificates arrive
that make the pending consensus valid. Previously, we were only
considering replacement when the new certs _didn’t_ help.
- Fix an assert error on startup if we didn’t already have the
consensus and certs cached in our datadirectory: we were caching
the consensus in consensus_waiting_for_certs but then free’ing it
right after.
- Avoid sending a request for “keys/fp” (for which we’ll get a 400 Bad
Request) if we need more v3 certs but we’ve already got pending
requests for all of them.
- Correctly back off from failing certificate downloads. Fixes
bug 546.
- Authorities don’t vote on the Running flag if they have been running
for less than 30 minutes themselves. Fixes bug 547, where a newly
started authority would vote that everyone was down.

o New requirements:
- Drop support for OpenSSL version 0.9.6. Just about nobody was using
it, it had no AES, and it hasn’t seen any security patches since
2004.

o Minor features:
- Clients now hold circuitless TLS connections open for 1.5 times
MaxCircuitDirtiness (15 minutes), since it is likely that they’ll
rebuild a new circuit over them within that timeframe. Previously,
they held them open only for KeepalivePeriod (5 minutes).
- Use “If-Modified-Since” to avoid retrieving consensus
networkstatuses that we already have.
- When we have no consensus, check FallbackNetworkstatusFile (defaults
to $PREFIX/share/tor/fallback-consensus) for a consensus. This way
we start knowing some directory caches.
- When we receive a consensus from the future, warn about skew.
- Improve skew reporting: try to give the user a better log message
about how skewed they are, and how much this matters.
- When we have a certificate for an authority, believe that
certificate’s claims about the authority’s IP address.
- New –quiet command-line option to suppress the default console log.
Good in combination with –hash-password.
- Authorities send back an X-Descriptor-Not-New header in response to
an accepted-but-discarded descriptor upload. Partially implements
fix for bug 535.
- Make the log message for “tls error. breaking.” more useful.
- Better log messages about certificate downloads, to attempt to
track down the second incarnation of bug 546.

o Minor features (bridges):
- If bridge users set UpdateBridgesFromAuthority, but the digest
they ask for is a 404 from the bridge authority, they now fall
back to trying the bridge directly.
- Bridges now use begin_dir to publish their server descriptor to
the bridge authority, even when they haven’t set TunnelDirConns.

o Minor features (controller):
- When reporting clock skew, and we know that the clock is _at least
as skewed_ as some value, but we don’t know the actual value,
report the value as a “minimum skew.”

o Utilities:
- Update linux-tor-prio.sh script to allow QoS based on the uid of
the Tor process. Patch from Marco Bonetti with tweaks from Mike
Perry.

o Minor bugfixes:
- Refuse to start if both ORPort and UseBridges are set. Bugfix
on 0.2.0.x, suggested by Matt Edman.
- Don’t stop fetching descriptors when FetchUselessDescriptors is
set, even if we stop asking for circuits. Bugfix on 0.1.2.x;
reported by tup and ioerror.
- Better log message on vote from unknown authority.
- Don’t log “Launching 0 request for 0 router” message.

o Minor bugfixes (memory leaks):
- Stop leaking memory every time we parse a v3 certificate. Bugfix
on 0.2.0.1-alpha.
- Stop leaking memory every time we load a v3 certificate. Bugfix
on 0.2.0.1-alpha. Fixes Bug 536.
- Stop leaking a cached networkstatus on exit. Bugfix on
0.2.0.3-alpha.
- Stop leaking voter information every time we free a consensus.
Bugfix on 0.2.0.3-alpha.
- Stop leaking signed data every time we check a voter signature.
Bugfix on 0.2.0.3-alpha.
- Stop leaking a signature every time we fail to parse a consensus or
a vote. Bugfix on 0.2.0.3-alpha.
- Stop leaking v2_download_status_map on shutdown. Bugfix on
0.2.0.9-alpha.
- Stop leaking conn->nickname every time we make a connection to a
Tor relay without knowing its expected identity digest (e.g. when
using bridges). Bugfix on 0.2.0.3-alpha.

- Minor bugfixes (portability):
- Run correctly on platforms where rlim_t is larger than unsigned
long, and/or where the real limit for number of open files is
OPEN_FILES, not rlim_max from getrlimit(RLIMIT_NOFILES). In
particular, these may be needed for OS X 10.5.

Official website: https://www.torproject.org/

From OR-Talk,

0.1.2.18 is getting close to ready; please test it
From: Roger Dingledine
To: or-talk
Date: 2007-10-16 06:32

Hi folks,

We’re getting close to having 0.1.2.18 ready. I’ve put snapshots at

 https://tor.eff.org/dist/tor-0.1.2.17-de…
 https://tor.eff.org/dist/tor-0.1.2.17-de…

 https://tor.eff.org/dist/vidalia-bundles…
 https://tor.eff.org/dist/vidalia-bundles…

 https://tor.eff.org/dist/vidalia-bundles…
 https://tor.eff.org/dist/vidalia-bundles…

 https://tor.eff.org/dist/win32/tor-0.1.2…
 https://tor.eff.org/dist/win32/tor-0.1.2…

 https://tor.eff.org/dist/osx/Tor-0.1.2.1…
 https://tor.eff.org/dist/osx/Tor-0.1.2.1…

Please grab it, try it out, and let us know whether we broke anything.

Thanks,
–Roger

Partial list of changes in version 0.1.2.18 – 2007-10-??

• Major bugfixes (crashes):
  •     – If a connection is shut down abruptly because of something that
  •       happened inside connection_flushed_some(), do not call
  •       connection_finished_flushing(). Should fix bug 451:
  •       “connection_stop_writing: Assertion conn->write_event failed”
  •       Bugfix on 0.1.2.7-alpha.
  •     – Fix possible segfaults in functions called from
  •       rend_process_relay_cell().
•   o Major bugfixes (other):
  •     – Stop publishing a new server descriptor just because we get a
  •       HUP signal. This led (in a roundabout way) to some servers getting
  •       dropped from the networkstatus lists for a few hours each day.
  •     – Hidden services were choosing introduction points uniquely by
  •       hexdigest, but when constructing the hidden service descriptor
  •       they merely wrote the (potentially ambiguous) nickname.
  •     – Clients now use the v2 intro format for hidden service
  •       connections: they specify their chosen rendezvous point by identity
  •       digest rather than by (potentially ambiguous) nickname. These
  •       changes could speed up hidden service connections dramatically.
  •     – When looking for a circuit to cannibalize, consider family as well
  •       as identity. Fixes bug 438. Bugfix on 0.1.0.x (which introduced
  •       circuit cannibalization).
• Minor bugfixes:
  • Don’t try to access (or alter) the state file when running –list-fingerprint or –verify-config or –hash-password. (Resolves bug 499.)
  • When generating information telling us how to extend to a given router, do not try to include the nickname if it is absent. (Resolves bug 467.)
  • Fix a user-triggerable segfault in expand_filename(). (There isn’t a way to trigger this remotely.)
  • When sending a status event to the controller telling it that an OR address is readable, set the port correctly. (Previously we were reporting the dir port.)
  • Fix a minor memory leak whenever a controller sends the PROTOCOLINFO command. Bugfix on 0.1.2.17.
  • When loading bandwidth history, do not believe any information in the future. Fixes bug 434.
  • When loading entry guard information, do not believe any information in the future.
  • When we have our clock set far in the future and generate an onion key, then re-set our clock to be correct, we should not stop the onion key from getting rotated.
  • On some platforms, accept() can return a broken address. Detect this more quietly, and deal accordingly. Fixes bug 483.
  • It’s not actually an error to find a non-pending entry in the DNS cache when canceling a pending resolve. Don’t log unless stuff is fishy. Resolves bug 463.

On 3 October 2007, Sun announced several critical security updates for
the Java Runtime Environment. In particular, describes how network access restrictions can be circumvented to connect to arbitrary hosts by utilizing DNS rebinding. The paper at Stanford University’s Protecting Browsers from DNS Rebinding Attacks page summarizes some of the current research into the issues of DNS rebinding.

Java exposes a programmatic sockets interface, and a malicious applet can construct properly formed control port commands. If the control port is enabled with the NULL authentication and accessible to the web browser, the malicious applet can authenticate and send arbitrary commands.

To summarize, Tor users with the following conditions may be at risk:

• vulnerable version of Java enabled in web browser
• control port enabled with NULL authentication and accessible

Use of proxy switching browser add-ons (e.g., Torbutton, FoxyProxy)
may increase this risk if the Java Virtual Machine can perform
arbitrary DNS resolution through the native operating system resolver.

Possible workarounds:

• disable Tor control port
• if control port is required, use ‘HashedControlPassword’ option
• disable Java in the web browser and/or uninstall from OS
• If Java is required, consider a virtual machine solution such as JanusVM or firewalled environment that only allows DNS requests through web browser

The latest Java downloads are available at http://java.com/ or http://pseudo-flaw.net/tor/attacking-tor-control-port-with-java/.

The developers of the network security tool Tor issued a warning telling all users to upgrade early August 2007. Tor-developer Roger Dingledine has now disclosed what was wrong with previous version of Tor in regard to basic security. It turns out that evil attacker running a Tor exit node or a website could simply POST to Tor’s controlport and thereby completely destroy the users security.Official story as admitted in OR-Talk confession Tor security advisory: cross-protocol http form attack is this:

# Subject: Tor security advisory: cross-protocol http form attack
# From: Roger Dingledine
# Date: Sat, 1 Sep 2007 14:31:54 -0400

On Thu, Aug 02, 2007 at 06:19:18PM -0400, Roger Dingledine wrote:
> Tor 0.1.2.16 fixes a critical security vulnerability that allows a
> remote attacker in certain situations to rewrite the user’s torrc
> configuration file. This can completely compromise anonymity of users
> in most configurations, including those running the Vidalia bundles,
> TorK, etc. Or worse.

Here are the further details that we promised:

In a nutshell, a malicious website or Tor exit node can give the Tor
user a page that includes a POST element directed to Tor’s control port
(localhost:9051). Tor binds its control port only to localhost to avoid
letting untrusted people send it commands, but the attacker skips past
this protection by making the browser do the connection. And the user
doesn’t even have to click on anything if she’s got javascript enabled.

This particular attack worked because Tor’s control protocol gave an
error message on unrecognized commands but didn’t hang up. So all the
http headers from the POST were unrecognized commands, and eventually
we got to the payload — which contains recognized commands — and it
went bad from there.

Jochen Topf wrote a fine paper describing this attack in 2001:
 http://www.remote.org/jochen/sec/hfpa/in…
Thanks to Kyle Williams and Martin Peck who independently rediscovered
the attack in the context of Tor.

The 0.1.2.16 and 0.2.0.4-alpha versions of Tor patched this particular
problem by hanging up if the first command wasn’t a successful
‘authenticate’ command. The recently released 0.1.2.17 and 0.2.0.6-alpha
versions of Tor now enable application-level authentication by default
in the Windows and OS X bundles, which should stop a broad class of
related attacks. Everyone should upgrade.

Yay full disclosure,
–Roger

The evidence is overwhelming and can not be denied: Using old versions of the free software network security package “Tor” is bad for you and gives you lousy security. It is admitted. You really should download a new version from https://tor.eff.org/ and upgrade and share this free software with all your friends.