On 2013-10-04 19:01, Adam Back wrote:
> But the jscript malware was installed via remote compromise onto the Tor hidden web server. Being behind Tor does not particularly add any protection to your server, in terms of remote hacking. Probably static content is safer in general even if it doesn't make flashy cursor hover boxes and client-side form pre-validation. I.e. install and turn on NoScript - 99% of jscript is of no particular use other than making your browser blink and show animated ads ;)
NoScript prevents the client from being hacked. You seem to be telling us that the Tor hidden web server was hacked by one of its clients, for which problem NoScript is irrelevant. Two security failures: The feds were able to find the Tor hidden web server, and, having found it, there was information on the web server that should not have been there. My understanding is that they found a bunch of Tor machines, installed malware by means of rubber hoses, and thus located the Silk Road hidden web server.