[flagged] Chinese Hackers Circumvent Popular Web Privacy Tools (nytimes.com)
34 points by braythwayt on June 15, 2015 | 19 comments



Ok so VPNs and Tor aren't compromised. It's China's web services servers that are. Please refrain from making clickbait-y styled topic titles.


Although the method of the attack didn't directly break Tor/VPN, the nature of it has compromised confidence in those technologies.

What good is using Tor or a VPN if I can't be sure any web page I load will compromise me? Suddenly every single link becomes a potential land mine... is the web server compromised? Is it safe?

You could argue that, of course, loading a malicious web page will do malicious things. But in this case, the malicious code is compromising all further web activity as well from the sounds of it.


AIUI the issue only occurs when you're browsing through Tor with a browser profile that also contains logins to Chinese websites linked to your identity.

This is why you shouldn't run your regular browser session through TOR for critical work and use the Tor Browser Bundle instead, with a separate profile, with an as-paranoid-as-possible configuration (minimal cross-site requests! use µMatrix, not just NoScript) if you really want to avoid information leakage.

Tor itself can only do so much, it doesn't magically prevent your browser from telling the world that you're person X.


Tor Browser protects against these sorts of attacks very well. Just don't use Tor with a regular browser. https://twitter.com/torproject/status/610542145305464832


@dang: if one flags such a click-baity headline, will the account get banned/shadowed for that task? How do I know if my account has crossed the invisible line? Who can check that? The karma ratio indicator vanished from the profile page.

HN title reads: China has now compromised VPNs and Tor


I'm not sure I understand your question, but we don't ban accounts for either flagging or producing clickbaity headlines.

I only saw your question by chance. To reliably get a response, please email hn@ycombinator.com.


If one must click-bait, go all-in: "The Shockingly Disturbing and Weirdly Beautiful Chinese Compromise of VPNs and Tor"


To be fair, it's the NYT that has the "clickbait-y styled topic title".


The NYT title, "Chinese Hackers Circumvent Popular Web Privacy Tools", is more accurate than the HN title. China has not "compromised" TOR and VPNs, they've circumvented them. They remain intact and working as designed. "Compromised" is the wrong word here. "Circumvent" is the correct word.


TL;DR: Tor and VPN are safe. What they did is hack some big Chinese websites (or force them to be vulnerable or something). Then when a Tor or VPN user visits one of these websites they can be unmasked somehow. It's unclear to me what malicious code is used, whether you need to be logged into one of these websites, whether it can then unmask you when you visit other (not one of the hacked) websites, etc.

Another point of interest in the article might be the fact that they blocked VPN protocols to prevent people from using them. And, in case you missed it, the Chinese government tried to knock GitHub offline by hijacking a Chinese website's traffic (Baidu).

---

This is a really terrible article. It doesn't really explain how it works, claims a government cracked things that are uncracked, claims it's the Chinese government while that's only assumed (based on "who else would go to such extensive lengths" mentioned by someone), and misnames things. For example:

> The vulnerability, known as JSONP

Uhm, no. This is JSONP:

> JSONP [is] a communication technique used in JavaScript

(From Wikipedia.)


I'm going to assume that the "JSONP vulnerability" is actually Rosetta Flash: https://miki.it/blog/2014/7/8/abusing-jsonp-with-rosetta-fla...


Isn't flash disabled by default in tor browser bundle (TBB)? I assume most reasonable Tor users rely on TBB.


"What made the attacks particularly serious, Mr. Blasco said, was that as long as the victims were logged into China’s 15 top web services — including major portals like Baidu, Taobao, QQ, Sina, Sohu, Ctrip and RenRen — the attackers could identify them and siphon off their personal digital information, even if their victims were logged into Tor or a VPN.

They did this with the aid of a particularly serious vulnerability that 15 web services in China apparently never patched."

Asterisks for emphasis. No shit, Sherlock.


What does any of this mean? I really can't figure it out. I thought it was standard advice to never, NEVER log into anything which can identify you while you're using Tor (which is why the best way to do it is from Linux distributions on a stick). And the talk about Facebook fixing this "gaping hole" in their security... If someone could clarify all of this, or maybe provide a better link, I would be grateful.


The interesting takeaway here is that Chinese web services deliberately delay/don't patch their services to accommodate Chinese spoofing. In this case the JSONP vulnerability from 2013 allows them to hack a user's computer, thereby compromising any data on that computer.

Neither Tor nor VPN is compromised.


This is a good article, but the HN guidelines ask you not to editorialize titles. Submitted title was "China has now compromised VPNs and Tor".

(If this was just the NYT changing its own title as it is wont to do, then ignore the above. But it doesn't sound like an NYT title.)


Sounds like incorrect use of Tor? I suppose while using it you still must take care to not send stuff along that could compromise you, like your Facebook login cookie?


It's considered insecure to browse the web with TOR while having JavaScript enabled. This is not news.


Virtual methods and functions behave very differently from an extensibility point of view. I much prefer using named parameters or replacing the bool with an enum.

http://c2.com/cgi/wiki?ExpressionProblem



