Date: Mon, 21 Jul 2014 18:58:44 -0400
From: Roger Dingledine <arma@mit.edu>
To: tor-talk@lists.torproject.org
Message-ID: <20140721225844.GO7408@moria.seul.org>
References: <20140721211130.GN7408@moria.seul.org>
 <53CD8EA6.2050500@bitmessage.ch>
Subject: Re: [tor-talk] Cancelled black hat talk

On Mon, Jul 21, 2014 at 10:05:26PM +0000, Nusenu wrote:
> > 1) We did not ask Black Hat or CERT to cancel the talk. We did (and
> > still do) have questions for the presenter and for CERT about some
> > aspects of the research
> 
> Does that imply that the exploited "weakness" is not yet fully
> understood by you (core developers)? (which also would imply that
> there is no "fix" yet)

I think I have a handle on what they did, and how to fix it. We've been
trying to find delicate ways to explain that we think we know what they
did, but also it sure would have been smoother if they'd opted to tell
us everything. The main reason for trying to be delicate is that I don't
want to discourage future researchers from telling us about neat things
that they find. I'm currently waiting for them to answer their mail so
I can proceed.

> Also (if you can anticipate that ahead of the coordinated disclosures):
> 
> Should relay ops get ready to deploy a critical patch?
> Should users get ready to update their Tor Browser Bundles soon?
> Will there be a "fix" at all?

Based on our current plans, we'll be putting out a fix that relays can
apply that should close the particular bug they found. The bug is a nice
bug, but it isn't the end of the world. And of course these things are
never as simple as "close that one bug and you're 100% safe".

Less vague sentences soon I hope,
--Roger


