But the jscript malware was installed via remote compromise onto the Tor hidden web server. Being behind Tor does not particularly add any protection to your server, in terms of remote hacking. Probably static content is safer in general even if it doesn't make flashy cursor hover boxes and client-side form pre-validation. I.e. install and turn on NoScript - 99% of jscript is of no particular use other than making your browser blink and show animated ads ;)

Ideally you need Tor to be in a routing box, not your computer, so that there is no way for your computer to connect to the non-Tor network, so your computer doesn't even know its physical IP and has no power to disclose it. Or, to simulate that setup in software, you need Tor on the main machine, and a VM that has access to and knowledge only of the Tor network for connectivity. Do not put ANY identifying information inside the VM. That rules out VMware because they leak in your disk serial number as a result of a Microsoft lawsuit. (Microsoft accused them of making it easy for people to share Windows serial numbers, because the "is this the same machine" calculation based on various HW serial numbers always comes up with the same answer in a virtual machine at that level.) Similarly the VM must not know your physical network card MAC addresses etc.

That's the way to do it properly on the client side. There are Tor-focused distros that let you boot into a Tor-only OS. For my taste the Tor connection and code and physical device identifiers (physical MAC addr, HD serial etc) should be OUTSIDE of a VM and all client software should be inside the VM. The VM should be open so you know they are not leaking physical MAC addr/serial into the client in the name of copy-protection. (It was Microsoft's fault, not VMware.)

Adam

On Fri, Oct 04, 2013 at 01:16:52AM -0700, Andy Isaacson wrote:
> On Wed, Oct 02, 2013 at 05:38:36PM -0700, Bill Stewart wrote:
> > At 12:37 PM 10/2/2013, Ted Smith wrote:
> > > The "slip" in this case is that the services were hacked. Tor (neither TOR, nor ToR) wasn't compromised.
> >
> > A surprising number of things *were* compromised, not even counting the known FBI malware attacks on the Tor network.
>
> The FBI malware didn't attack the Tor network, it just caused vulnerable endpoints to connect (outside of Tor) to a tattle-tale network server.
>
> > If you read the indictment, there are a lot of email messages
>
> Not email, but rather, private messages on the Silk Road platform. Which apparently stored more or less all messages, forever.
>
> -andy
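A concrete instance of the "Tor on the routing box, VM knows only the Tor network" layout Adam describes, as an added example that is not part of the thread: the host side of a transparent Tor gateway. The interface name, addresses and ports (vmnet0, 10.152.152.0/24, TransPort 9040, DNSPort 5353) are assumptions, not taken from the post.

```shell
#!/bin/sh
# Transparent Tor gateway for the host ("routing box") side of the layout above.
# Assumed names, not from the thread: the VM-only interface is vmnet0, the host
# owns 10.152.152.10 on it, the VM network is 10.152.152.0/24, and the host's
# Tor listens on TransPort 9040 / DNSPort 5353.
VM_IF="${VM_IF:-vmnet0}"
GW_IP="${GW_IP:-10.152.152.10}"
VM_NET="${VM_NET:-10.152.152.0/24}"
TRANS_PORT="${TRANS_PORT:-9040}"
DNS_PORT="${DNS_PORT:-5353}"

# torrc lines for the host's Tor: listen only on the VM-facing address and
# answer the VM's DNS with automapped addresses so .onion lookups also work.
torrc_stanza() {
    cat <<EOF
TransPort ${GW_IP}:${TRANS_PORT}
DNSPort ${GW_IP}:${DNS_PORT}
VirtualAddrNetworkIPv4 10.192.0.0/10
AutomapHostsOnResolve 1
EOF
}

# Host firewall: every packet from the VM is either redirected into Tor on
# this box or dropped, and nothing is forwarded to the physical network, so
# the guest has no path on which to learn or reveal the real IP.
gateway_rules() {
    cat <<EOF
iptables -t nat -A PREROUTING -i ${VM_IF} -p udp --dport 53 -j REDIRECT --to-ports ${DNS_PORT}
iptables -t nat -A PREROUTING -i ${VM_IF} -p tcp --syn -j REDIRECT --to-ports ${TRANS_PORT}
iptables -A INPUT -i ${VM_IF} -s ${VM_NET} -p udp --dport ${DNS_PORT} -j ACCEPT
iptables -A INPUT -i ${VM_IF} -s ${VM_NET} -p tcp --dport ${TRANS_PORT} -j ACCEPT
iptables -A INPUT -i ${VM_IF} -j DROP
iptables -A FORWARD -i ${VM_IF} -j DROP
ip6tables -A INPUT -i ${VM_IF} -j DROP
ip6tables -A FORWARD -i ${VM_IF} -j DROP
EOF
}

# Sanity check before applying: forwarding from the VM must be dropped and
# the only ACCEPT rules must be the two Tor ports. Returns 0 when clean.
rules_are_closed() {
    gateway_rules | grep -q "FORWARD -i ${VM_IF} -j DROP" &&
    [ "$(gateway_rules | grep ACCEPT | grep -vcE "dport (${DNS_PORT}|${TRANS_PORT}) ")" -eq 0 ]
}

case "${1:-}" in
    --torrc) torrc_stanza ;;
    --apply) rules_are_closed && gateway_rules | sh ;;   # run as root on the gateway
    *)       gateway_rules ;;                            # default: print rules for review
esac
```

The guest side still needs its own hygiene (a VM-assigned MAC, no host serials passed through), which this script does not cover.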