

Users of hidden net advised to ditch Windows - timetraveler
http://www.bbc.co.uk/news/technology-23587620

======
computer
That [title] is a weird thing to take as main message from that advisory. The
Firefox exploit that was used would have worked on Linux just as well; it was
simply only targeted at Windows this time.

I agree that switching away from Windows is generally a good idea, but only a
hardware-based router, or a software-based VM isolation solution like Whonix
or Qubes OS would have defended the user in this case. Even Tails, the Tor
live USB distribution, could have gotten owned by this exploit, had the
NSA/FBI/hackers chosen to target them.

~~~
rmrfrmrf
I was surprised that Windows was the target OS -- I had figured that most Tor
users were using Tails at this point. I'm sure that whoever targeted the user
group they meant to capture, though, had a good idea of their general usage
patterns.

Wouldn't disabling JavaScript have also prevented this exploit? I don't know
if Firefox still runs JavaScript through an interpreter if the user has
disabled it; I'd assume not, but it wouldn't come as a shock to me if it did.

~~~
computer
Disabling JavaScript would have prevented the exploit. The Tor browser bundle
contains NoScript, but has it set to allow JavaScript by default. I think this
is because it makes it more accessible to non-technical users.

Before this issue they even advised _not_ to disable JavaScript, since that
would make you stand out more amongst Tor users.

~~~
mseidl
NoScript blocks by default in the browser bundle...

~~~
jlgaddis
Not in recent versions (the idea being that users w/ JavaScript disabled
"stand out" more from typical users).

~~~
mseidl
My NoScript is on by default on the Linux version. I _never_ touched it.

~~~
jlgaddis
"Why is NoScript configured to allow JavaScript by default in the Tor Browser
Bundle? Isn't that unsafe?"

https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled

------
negativity
Does this mean that Linux, and other Unix variants (but not Mac OS of course,
because Apple plays ball), will be classified as a "Hacker Tool" in the eyes
of the law?

~~~
sobkas
In the "eyes of the law" wget is a "Hacker Tool".

~~~
aclevernickname
Why hasn't anyone made the case that "Hacker Tools" are simply arms, covered
under the 2nd Amendment?

~~~
RobAley
Perhaps because "foreign" countries (i.e. most of the rest of us in the world
outside the US and a few other select countries) and much of their populations
(me included) see arms as something to be tightly regulated, and so it would
fly in the face of what you are trying to achieve for "hacker tools". Internet
issues tend towards being global, with notable exceptions.

~~~
aclevernickname
Right, but Murkins are special. There's this very real culture of "you can
take my guns from my cold dead hands" that the rest of the world doesn't quite
grok. While the 2nd Amendment argument wouldn't hold much water in, say,
Denmark, you could probably get a bunch of NRA members to champion the cause
of your friendly neighborhood script kiddie if you sold it to them correctly.
And Americans only support what's been sold to them.

Now, would the world be a better or worse place if someone got SCOTUS to agree
that DC v Heller applied to 0-day exploits? Personally, I don't know if I
could answer that.

------
conexions
The actual Tor Security advisory.
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html

------
shmerl
Windows should be ditched by any user who cares about privacy. This has
nothing to do with Tor specifically.

