Delivery-Date: Fri, 22 Aug 2014 18:20:22 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.5 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_MED,
	RP_MATCHES_RCVD,TRACKER_ID autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id 6BC0F1E0B88;
	Fri, 22 Aug 2014 18:20:20 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id CF8C03047C;
	Fri, 22 Aug 2014 22:20:16 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id DB98B2FD7F
 for <tor-talk@lists.torproject.org>; Fri, 22 Aug 2014 22:20:13 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 0a74t14AGjFR for <tor-talk@lists.torproject.org>;
 Fri, 22 Aug 2014 22:20:13 +0000 (UTC)
Received: from slow1-d.mail.gandi.net (slow1-d.mail.gandi.net [217.70.178.86])
 by eugeni.torproject.org (Postfix) with ESMTP id 846C42FD62
 for <tor-talk@lists.torproject.org>; Fri, 22 Aug 2014 22:20:13 +0000 (UTC)
Received: from relay5-d.mail.gandi.net (relay5-d.mail.gandi.net
 [217.70.183.197])
 by slow1-d.mail.gandi.net (Postfix) with ESMTP id 8FB5D47A924
 for <tor-talk@lists.torproject.org>; Sat, 23 Aug 2014 00:18:01 +0200 (CEST)
Received: from mfilter26-d.gandi.net (mfilter26-d.gandi.net [217.70.178.154])
 by relay5-d.mail.gandi.net (Postfix) with ESMTP id AA89441C060
 for <tor-talk@lists.torproject.org>; Sat, 23 Aug 2014 00:17:02 +0200 (CEST)
X-Virus-Scanned: Debian amavisd-new at mfilter26-d.gandi.net
Received: from relay5-d.mail.gandi.net ([217.70.183.197])
 by mfilter26-d.gandi.net (mfilter26-d.gandi.net [10.0.15.180]) (amavisd-new,
 port 10024)
 with ESMTP id ir70qqen3suq for <tor-talk@lists.torproject.org>;
 Sat, 23 Aug 2014 00:17:01 +0200 (CEST)
X-Originating-IP: 67.213.212.246
Received: from [10.8.12.18] (unknown [67.213.212.246])
 (Authenticated sender: no.thing_to-hide@cryptopathie.eu)
 by relay5-d.mail.gandi.net (Postfix) with ESMTPSA id 5DE5E41C067
 for <tor-talk@lists.torproject.org>; Sat, 23 Aug 2014 00:17:00 +0200 (CEST)
Message-ID: <53F7C159.1030303@cryptopathie.eu>
Date: Sat, 23 Aug 2014 00:16:57 +0200
From: no.thing_to-hide@cryptopathie.eu
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:24.0) Gecko/20100101 Icedove/24.7.0
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <2fb56adafa60595fc1fd9d473a3c5012.squirrel@bitmessage.ch>
In-Reply-To: <2fb56adafa60595fc1fd9d473a3c5012.squirrel@bitmessage.ch>
X-Enigmail-Version: 1.6
Subject: Re: [tor-talk] TOR tried to take a snapshot of my screen
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I just downloaded the old version 3.6.3, the download link on
http://www.neowin.net/news/tor-browser-bundle-363
still works and leads to the file
https://www.torproject.org/dist/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe

When I use jacksum on this file, the result is

c8eb88324526d718b937b616c75d33a8 torbrowser-install-3.6.3_en-US.exe

This is a different MD5 checksum than the one from the mentioned installer package

9529C5A633CF0CF6201662CA12630A04

I was not able to download the PGP signature of the file to verify its
integrity.

One of us downloaded a wrong Tor installer package ...

Best regards

Anton
- -- 
no.thing_to-hide at cryptopathie dot eu
0x30C3CDF0, RSA 2048, 24 Mar 2014
0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0
Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC



On 22/08/14 23:38, BM-2cVvnFWSftFx8dv12L8z8PjejmtrjYjnUY@bitmessage.ch
wrote:
> Hi,
> 
> I have TOR 3.6.3 installed in a Windows XP computer that is used
> almost just for it, with very little additional software installed. My
> understanding is that a potential attacker will test his
> exploit/approach against most of the security software available,
> but possibly will not be able to test against ALL of them, so I
> have a miscellaneous set of popular and not popular security software
> installed in the same computer; among them is a not so common
> anti-spyware called Zemana.
> 
> I have been using TOR browser and Zemana for years and I am familiar
> with the behaviour of both. The TOR I am running has just the
> extensions that come with it; no additional extension was installed;
> no plug-in is installed.
> 
> I have proper licenses to run all the software, including Zemana,
> so no crack or other suspicious tool was ever used. Zemana is a
> quiet software and I cannot remember any single fake alert.
> 
> 
> A few days ago, while browsing with TOR, I got a shocking alert from
> Zemana: TOR TRIED TO TAKE A SNAPSHOT OF MY SCREEN.
> 
> 
> As Zemana allows me, I blocked that screen capture and TOR
> crashed immediately. By this crash I understand that TOR really
> tried to capture my screen.
> 
> I restarted TOR with a new identity, changed the identity many
> times, but TOR repeated the same behaviour a number of times with
> the screen capture try / Zemana block / TOR crash. Changing the
> identity just does not work for such an attacker.
> 
> The script functions were always blocked by NoScript 2.6.8.36.
> 
> On the following days I used TOR again, without any change in my
> system or software, accessing the same web sites but the attack no
> longer took place.
> 
> 
> I verified the MD5 signature for the TOR browser (firefox.exe) and
> it is unchanged, i.e., it is as distributed by torproject.org.
> 
> The TOR 3.6.3 was downloaded from the TOR project web site, and not
> from other servers. The install package
> torbrowser-install-3.6.3_en-US.exe has the MD5 signature
> 9529C5A633CF0CF6201662CA12630A04. I have the installer in my files
> for any forensic work.
> 
> I am sending some screens with the Zemana log, where it is possible
> to see the TOR MD5 signature (firefox.exe;
> FC19E4AFB0E68BD4D25745A57AE14047) and the logged behaviour
> ("screenlogger"), the TOR version, TOR button and the Zemana
> version screens, and the extensions and plug-ins existing in my
> TOR install (just to confirm that nothing strange is there). They
> are available to download here:
> http://www.datafilehost.com/d/dfb201d8 or
> https://www.sendspace.com/file/6ygdl3
> 
> 
> 
> It seems that TOR has hidden server capabilities, a back door that
> allows a remote operator to take snapshots of the screen and possibly
> perform other actions (record mic, turn on the webcam, ...).
> 
> 
> I think TOR can protect the users from many enemies, but at the
> same time it is a perfect tool to attract, identify and log very
> specific (users) targets. This may also explain the, until now,
> unclear role and objectives of the US government in funding the TOR
> Project.
> 
> It seems that it will hardly be possible to identify such an attacker,
> as it probably comes from the TOR network itself, but I am considering
> a trap/honey pot just in case this repeats.
> 
> 
> I am an enthusiast of privacy tools and TOR is not used for any kind
> of unlawful purposes; it is unlikely that I will attract attention
> from public authorities and I am not worried about any data such an
> attacker may eventually have had access to.
> 
> 
> I hope this information may help to improve the TOR community's
> security and that at some point in the future we will be able to find
> a solution for this back door.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Icedove - http://www.enigmail.net/

iQEcBAEBAgAGBQJT98FZAAoJEMwm4aUww83w+xUH/iUhYY2HTDWDmUEbK4H5T75G
Zhb66G6i+fYslT1WxFT6nSi2Ks4j1uonpB6l0ZIa8kwBrNU7jT9OhyLqYgnRrMT3
jCld59B8VDJxrBNrjw8N9I/zQ7aHBYzla5v5daqa5d1gMBG0h7OBm/F4t46ZHtu/
NyssqaTh9p0SbbgunevjCNJUELUH9/i9Os4VsOlvoA4mKl6mNH4Conck7fFoCtKn
dHW9hFSTM82lUXVo34IUqtMI4COiEosSBiyzErk0YWurQXIeF9IEQB1dGXWftY9/
35ecqy8gxqt4Q/pQBFkKAb11fip5zqaWL82HaeEyeIFOP1rxzCjWvzN6Yyvf9VI=
=mEfz
-----END PGP SIGNATURE-----
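As an added example (not code from the thread, from Anton, or from the Tor Project), here is a small Python checksum verifier that does what Anton's jacksum comparison above does by hand: it parses a "HEX  filename" line of the kind md5sum, sha256sum and Anton's own output produce, infers the algorithm from the digest length, hashes the file in chunks, and compares the digests case-insensitively and in constant time. The installer bytes it hashes are a constructed stand-in; the only page-specific values are the two MD5 digests quoted in the thread, which are there to show that a posted digest in upper case (the original post) and a computed one in lower case (jacksum) must be normalised before a naive string compare declares a mismatch.

```python
# Added example: checksum verification helper (not part of the thread).
import hashlib
import hmac
import os
import re
import tempfile

# Digest length in hex characters -> hashlib algorithm name.
_HEX_LEN_TO_ALGO = {32: "md5", 40: "sha1", 64: "sha256", 128: "sha512"}

# A checksum line: hex digest, whitespace, optional '*' binary marker, filename.
_CHECKSUM_LINE = re.compile(r"^\s*([0-9A-Fa-f]+)\s+\*?(\S.*?)\s*$")

# The two MD5 values quoted in the thread (upper case from the original post,
# lower case from Anton's jacksum run).  The constructed data below matches neither.
POSTED_MD5_ORIGINAL_POST = "9529C5A633CF0CF6201662CA12630A04"
POSTED_MD5_ANTON = "c8eb88324526d718b937b616c75d33a8"


def parse_checksum_line(line):
    """Return (algorithm, lowercase hex digest, filename) for one checksum line."""
    m = _CHECKSUM_LINE.match(line)
    if not m:
        raise ValueError(f"not a checksum line: {line!r}")
    digest, filename = m.group(1).lower(), m.group(2)
    algo = _HEX_LEN_TO_ALGO.get(len(digest))
    if algo is None:
        raise ValueError(f"unrecognised digest length {len(digest)} in {line!r}")
    return algo, digest, filename


def digest_bytes(data, algo):
    """Hex digest of an in-memory byte string."""
    return hashlib.new(algo, data).hexdigest()


def digest_file(path, algo, chunk_size=1 << 20):
    """Hex digest of a file, read in chunks so a large installer need not fit in RAM."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def check_bytes_against_line(data, line):
    """Compare data with a checksum line; returns (matches, algo, expected, actual).

    Both digests are lower-cased by parse_checksum_line / hexdigest, and the
    comparison is constant-time, so a digest quoted in upper case is not
    reported as a spurious mismatch.
    """
    algo, expected, _ = parse_checksum_line(line)
    actual = digest_bytes(data, algo)
    return hmac.compare_digest(expected, actual), algo, expected, actual


def check_file_against_line(path, line):
    """File-based variant of check_bytes_against_line."""
    algo, expected, _ = parse_checksum_line(line)
    actual = digest_file(path, algo)
    return hmac.compare_digest(expected, actual), algo, expected, actual


if __name__ == "__main__":
    # Constructed stand-in for the installer; the real file is not embedded here.
    fake_installer = b"constructed stand-in for torbrowser-install-3.6.3_en-US.exe\n" * 1000
    with tempfile.NamedTemporaryFile(delete=False, suffix=".exe") as tmp:
        tmp.write(fake_installer)
        path = tmp.name
    try:
        print("computed:", f"{digest_file(path, 'md5')}  {os.path.basename(path)}")
        for label, posted in (("original post", POSTED_MD5_ORIGINAL_POST),
                              ("Anton", POSTED_MD5_ANTON)):
            ok, algo, exp, act = check_file_against_line(path, f"{posted}  stand-in.exe")
            print(f"{label:13s} {algo} {'MATCH' if ok else 'MISMATCH'} "
                  f"expected={exp} actual={act}")
    finally:
        os.unlink(path)
```

Two caveats a practitioner would attach to the comparison in the thread. First, a digest mismatch between two parties only establishes that they hold different files; it does not say which one is genuine, and a digest fetched from the same place as the download, or from a news site, cannot detect a substituted file whose digest was substituted along with it. That is the job of the project's detached PGP signature, the `.asc` file Anton could not fetch, checked against a signing key whose fingerprint was obtained independently. Second, MD5 is collision-broken, so where the publisher offers SHA-256 sums those are the ones to compare; the helper above accepts both only so that it can verify whatever list a site actually publishes.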
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

