Story 2014-07-30

Tor network confirms attempt of hackers to deanonymize users

by Anonymous Coward in security on (#3S2)
The Tor network has published the following advisory on the tor-announce mailing list:
SUMMARY
On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.

The attacking relays joined the network on January 30 2014, and we removed them from the network on July 4. While we don't know when they started doing the attack, users who operated or accessed hidden services from early February through July 4 should assume they were affected.
The Tor folks confess it's still unclear what "affected" includes:
We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don't know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too.
Relays should upgrade to a recent Tor release (0.2.4.23 or 0.2.5.6-alpha), to close the particular protocol vulnerability the attackers used - but remember that preventing traffic confirmation in general remains an open research problem. Clients that upgrade (once new Tor Browser releases are ready) will take another step towards limiting the number of entry guards that are in a position to see their traffic, thus reducing the damage from future attacks like this one. Hidden service operators should consider changing the location of their hidden service.

Nadella steering Microsoft back towards software for economic reasons

by
in microsoft on (#3S1)
Microsoft sold more physical devices than Apple did last year - due largely to its purchase of Nokia - and still managed to lose $700M last quarter. No wonder Nadella is steering Microsoft away from hardware and turning his back on Ballmer's mantra of "devices and services."
Microsoft's quarterly financials are out, and they paint a startlingly clear picture of why new CEO Satya Nadella is in such a hurry to scuttle away from the "devices and services" mantra rolled out by former honcho Steve Ballmer just last year: Microsoft's hardware efforts just aren't making much money. In fact, they're actually losing money hand over fist.

The next big thing: smart garbage

by
in environment on (#3S0)
Given the huge evolution and expansion of the consumer electronics market, we are generating a lot of discarded electronic devices. The New York Times ponders: Is smart garbage the next booming category of electronic waste?
By some measures, we are witnessing a rapid change in computing and the swift evolution of relationships between humans and automated helpers. A vision of the future is materializing before our very eyes, the development of networked helper bots that will manage every aspect of our lives, automating it and, theoretically, improving it by simplifying it.

But what happens when those devices go into disrepair - or worse, obsolescence - and their sleeker, faster successors go on sale, as part of the relentless cycle common among most major hardware companies?