Message-ID: <53F87EB2.6090503@cryptopathie.eu>
Date: Sat, 23 Aug 2014 13:44:50 +0200
From: no.thing_to-hide@cryptopathie.eu
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:24.0) Gecko/20100101 Icedove/24.7.0
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <2fb56adafa60595fc1fd9d473a3c5012.squirrel@bitmessage.ch>
 <53F84049.6070401@googlemail.com>
In-Reply-To: <53F84049.6070401@googlemail.com>
X-Enigmail-Version: 1.6
Subject: Re: [tor-talk] TOR tried to take a snapshot of my screen


Ok, let's try to find out what's going on here.
I checksummed some files:

----
++ The directory I found yesterday evening.
https://www.torproject.org/dist/torbrowser/3.6.3/

-> This was the old download directory for the Torbrowser v3.6.3
-> Not accessible via web browser
-> There is no signature "torbrowser-install-3.6.3_en-US.exe.asc" in
this directory.

Files:
https://www.torproject.org/dist/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe
-> Filesize 323 b. This file is a little bit too small to be the
Torbrowser. I did not notice that yesterday evening, sorry for the
confusion.

jacksum-hashes MD5 and SHA256 for *.exe:
c8eb88324526d718b937b616c75d33a8
5610cff753b8263367d8324b07452f6b6ad6a068134ca11991fbacd692d684ef

GtkHash-hashes MD5 and SHA256 for *.exe:
c8eb88324526d718b937b616c75d33a8
5610cff753b8263367d8324b07452f6b6ad6a068134ca11991fbacd692d684ef

----

++ The official Tor archive (thanks Lee)
https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/

Files:
https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe
  Filesize 27 239 623 b
https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/torbrowser-install-3.6.3_en-US.exe.asc
  Filesize 473 b

jacksum-hashes MD5 and SHA256 for *.exe:
9529c5a633cf0cf6201662ca12630a04
52681848358365482ce2b0922d7c6453e9e1ae8f27b302d3cd3ca1ad876b0d3d

GtkHash-hashes MD5 and SHA256 for *.exe:
9529c5a633cf0cf6201662ca12630a04
52681848358365482ce2b0922d7c6453e9e1ae8f27b302d3cd3ca1ad876b0d3d

-> MD5 matches the checksum from BM-2cVvnFWSftFx8dv12L8z8PjejmtrjYjnUY
at bitmessage.ch and all the others.

GPG Signature
$ gpg --verify torbrowser-install-3.6.3_en-US.exe{.asc,}
gpg: Signature made Fri 25 Jul 2014 19:19:46 CEST using RSA key ID
63FEE659
gpg: Good signature from "Erinn Clark <erinn@torproject.org>"
gpg:                 aka "Erinn Clark <erinn@debian.org>"
gpg:                 aka "Erinn Clark <erinn@double-helix.org>"

=> This is the correct old Torbrowser v3.6.3

----

There are actually two directories on torproject.org including a file
"torbrowser-install-3.6.3_en-US.exe":
1) https://www.torproject.org/dist/torbrowser/3.6.3/
and
2) https://archive.torproject.org/tor-package-archive/torbrowser/3.6.3/
1) is the old download path, but somehow a wrong file with a correct
name remained there ??

>> http://www.datafilehost.com/d/dfb201d8 or
>> https://www.sendspace.com/file/6ygdl3
> 
> Both of the files are broken or corrupted. They can't be opened as
> an archive on my end. The first source tries to make one download
> an .exe file. Well you can download the zip file, without it.
> 
> How can we be sure that your upload is safe?

I did not touch the files, because the whole story made me
mistrustful. When you look at some subjects of yesterday
"Third-parties tracking me on Tor"
"TOR tried to take a snapshot of my screen"
Perhaps somebody is trolling this list and tries to seed confusion.

Best regards and stay wiretapped!

Anton
-- 
no.thing_to-hide at cryptopathie dot eu
0x30C3CDF0, RSA 2048, 24 Mar 2014
0FF8 A811 8857 1B7E 195B 649E CC26 E1A5 30C3 CDF0
Bitmessage (no metadata): BM-2cXixKZaqzJmTfz6ojiyLzmKg2JbzDnApC



On 23/08/14 09:18, Sebastian G. <bastik.tor> wrote:
> 22.08.2014, 23:38
> BM-2cVvnFWSftFx8dv12L8z8PjejmtrjYjnUY@bitmessage.ch:
>> Hi,
>> 
>> I have TOR 3.6.3 installed in a Windows XP computer that is used
>> almost just for it with very few additional software installed. 
>> My understanding is that a potential attacker will test his 
>> exploit/approach against most of the security software available,
>> but possibly will not be able to test against ALL of them, so I
>> have a miscellaneous of popular and not popular security software
>> installed in the same computer; among them is a not so common
>> anti spyware called Zemana.
>> 
>> I am using TOR browser and Zemana for years and I am familiar
>> with the behaviour of both. The TOR I am running has just the
>> extensions that comes with it; no additional extension was
>> installed; no plug-in is installed.
>> 
>> I have proper licenses to run all the software, including Zemana,
>> so no crack or other suspicious tool was ever used. Zemana is a
>> quiet software and I can not remember about any single fake 
>> alert.
>> 
>> 
>> Few days ago, while browsing with TOR, I got a shocking alert
>> from Zemana: TOR TRIED TO TAKE A SNAPSHOT OF MY SCREEN.
> 
> Was it a website you trusted you browsed to? Did the software
> attempt to do anything without a website loaded?
> 
>> As Zemana allow me, I did block such screen capture and TOR
>> crashed immediately. By this crash I understand that TOR really
>> tried to capture my screen.
>> 
>> I restarted TOR with a new identity, changed the identity many
>> times but TOR repeated the same behaviour a number of times with
>> the screen capture try-Zemana block-TOR crash. Changing the
>> identity just does not work for such attacker.
>> 
>> The script functions were always blocked by NoScript 2.6.8.36.
>> 
>> On the following days I used TOR again, without any change in my
>> system or software, accessing the same web sites but the attack
>> no longer took place.
> 
> Looks, like the website(s) did something.
> 
> Maybe trying to access canvas, what the TorBrowser tried to
> prevent. Maybe this triggered the alert.
> 
>> 
>> I verified the MD5 signature for the TOR browser (firefox.exe)
>> and it is unchanged, i.e, it is as distributed by torproject.org
>> 
>> The TOR 3.6.3 was downloaded from the TOR project web site, and
>> not from other servers. The install package
>> torbrowser-install-3.6.3_en-US.exe has the MD5 signature:
>> 9529C5A633CF0CF6201662CA12630A04 I have the installer in my files
>> for any forensic work.
>> 
>> I am sending some screens with the Zemana log, where is possible
>> to see the TOR MD5 signature (firefox.exe;
>> FC19E4AFB0E68BD4D25745A57AE14047) and the logged behaviour
>> ("screenlogger"), the TOR version, TOR button and the Zemana
>> version screens, and the extensions and plug-ins existing in my
>> TOR install (just to confirm that nothing strange is there). They
>> are available to download here: 
>> http://www.datafilehost.com/d/dfb201d8 or 
>> https://www.sendspace.com/file/6ygdl3
> 
> Both of the files are broken or corrupted. They can't be opened as
> an archive on my end. The first source tries to make one download
> an .exe file. Well you can download the zip file, without it.
> 
> How can we be sure that your upload is safe?
> 
> 
>> Seems that TOR has hidden server capabilities, a back door that
>> allow a remote operator take snap shot of the screen and possible
>> perform other actions (record mic, turn on the webcam, ...).
> 
> I'm unaware of Firefox being able to activate the mic, Chrome can
> do that. Both can access the webcam. Firefox will eventually be
> able to activate the mic.
> 
> It has to be ensured that those are not accessed without the users 
> permission.
> 
> The remote operator claim would require evidence of some sort.
> 
> Considerably attackers want to get into systems worth getting
> into.
> 
>> I think TOR can protect the users from many enemies, but at the
>> same time it is a perfect tool to attract, identify and log very
>> specific (users) targets. This may explain also the, until now,
>> unclear role and objectives of the US government by funding the
>> TOR Project.
> 
> I think they use Tor for many purposes themselves.
> 
>> Seems that hardly will be possible to identify such attacker as
>> it probably comes from the TOR network itself, but I am
>> considering a trap/honey pot just in case this repeats.
>> 
>> 
>> I am an enthusiast of privacy tools and TOR is not used for any
>> kind of unlawful purposes, it is unlikely that I will attract
>> attention from public authorities and I am not worried with any
>> data such attacker eventually may have had access.
> 
> If someone would exploit against the TorBrowser he might be trying
> to get as many hits as possible to see if someone is a target.
> 
>> Hope this information may help to improve the TOR community
>> security and in some point in the future we will able to find a
>> solution for this back door.
>> 
> 
> I hope this can be resolved.
> 
> Regards, Sebastian G.
> 
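Anton's check above (size sanity, MD5/SHA256 comparison, then reading the `gpg --verify` output) as an added Python example; this is not code from the thread. The expected size, digests and key ID are the ones quoted in the message; the 323-byte stub and the "abc" sample used in the checks are constructed.

```python
import hashlib
import re

# Expected values quoted in the thread for the genuine installer on
# archive.torproject.org; the short key ID is the one gpg printed there.
EXPECTED = {
    "size": 27239623,
    "md5": "9529c5a633cf0cf6201662ca12630a04",
    "sha256": "52681848358365482ce2b0922d7c6453e9e1ae8f27b302d3cd3ca1ad876b0d3d",
    "key_id": "63FEE659",
}

def digests(data: bytes) -> dict:
    """MD5 and SHA256 of the file contents, lower-case hex like jacksum/GtkHash."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}

def check_download(data: bytes, expected: dict, min_size: int = 1_000_000) -> dict:
    """Size sanity first (a 323-byte 'installer' is an error page, not a
    27 MB binary), then both digests against the published values."""
    got = digests(data)
    return {
        "size_ok": len(data) >= min_size,
        "md5_ok": got["md5"] == expected["md5"].lower(),
        "sha256_ok": got["sha256"] == expected["sha256"].lower(),
    }

def parse_gpg_verify(output: str, expected_key_id: str) -> dict:
    """Read `gpg --verify` text output. 'Good signature' only says the
    signature is valid for *some* key; the key must also be the one the
    project publishes (compare the full fingerprint when you have it,
    short IDs are easy to collide)."""
    match = re.search(r"key ID\s+([0-9A-Fa-f]{8,})", output)
    key_id = match.group(1).upper() if match else None
    good = "Good signature from" in output
    return {"good": good, "key_id": key_id,
            "trusted": good and key_id == expected_key_id.upper()}

# Constructed stand-in for the 323-byte file found under /dist/: not the real file.
STUB_323 = b"<html><body>moved</body></html>".ljust(323, b"\n")

# gpg output as quoted in the thread (line-wrapped after "key ID").
GPG_OUTPUT = """gpg: Signature made Fri 25 Jul 2014 19:19:46 CEST using RSA key ID
63FEE659
gpg: Good signature from "Erinn Clark <erinn@torproject.org>"
"""

if __name__ == "__main__":
    print(check_download(STUB_323, EXPECTED))      # every check False
    print(parse_gpg_verify(GPG_OUTPUT, EXPECTED["key_id"]))
```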