Scientists detect “spoiled onions” trying to sabotage Tor privacy network

The structure of a three-hop Tor circuit.

Computer scientists have identified almost two dozen computers that were actively working to sabotage the Tor privacy network by carrying out attacks that can degrade encrypted connections between end users and the websites or servers they visit.

The "spoiled onions," as the researchers from Karlstad University in Sweden dubbed the bad actors, were among the 1,000 or so volunteer computers that typically made up the final nodes that exited the Tor—short for The Onion Router—network at any given time in recent months. Because these exit relays act as a bridge between the encrypted Tor network and the open Internet, the egressing traffic is decrypted as it leaves. That means operators of these servers can see traffic as it was sent by the end user. Any data the end user sent unencrypted, as well as the destinations of servers receiving or responding to data passed between an end user and server, can be monitored—and potentially modified—by malicious volunteers. Privacy advocates have long acknowledged the possibility that the National Security Agency and spy agencies across the world operate such rogue exit nodes.

The paper—titled Spoiled Onions: Exposing Malicious Tor Exit Relays—is among the first to document the existence of exit nodes deliberately working to tamper with end users' traffic (a paper with similar findings is here). Still, it remains doubtful that any of the 25 misconfigured or outright malicious servers were operated by NSA agents. Two of the 25 servers appeared to redirect traffic when end users attempted to visit pornography sites, leading the researchers to suspect they were carrying out censorship regimes required by the countries in which they operated. A third server suffered from what researchers said was a configuration error in the OpenDNS server.



“TrustyCon” security counter-convention planned for RSA refusniks

A growing number of security and privacy technology experts, disillusioned by news that security firm RSA was paid by the National Security Agency to use an exploitable algorithm in its encryption technology, feel they can no longer trust the company. They've called for a boycott of RSA’s annual conference in San Francisco in February, and now a group of them has taken this effort a step further—creating their own “trust-based” conference just a few blocks from RSA’s event.

"TrustyCon" will be held on February 27 at the AMC Metreon Theater in San Francisco. That's the same day as the RSA's event, and the location is a multiplex cinema just around the corner from the Moscone Convention Center. To add fuel to this dissenting fire, TrustyCon has already picked up sponsorships from Microsoft, Cloudflare, and security firm iSEC Partners.

The RSA concerns started with documents leaked by Edward Snowden and published by the New York Times in December. These indicated that the NSA had worked with the National Institute of Standards and Technology to create a “backdoor” in the Dual Elliptic Curve Deterministic Random Bit Generator (Dual_EC_DRBG), a pseudorandom number generator designated as a standard for encryption. Reuters reported last month that in 2004—even before NIST approved it as a standard—the NSA paid RSA $10 million to use Dual_EC_DRBG as part of its RSA BSAFE cryptographic library. If the allegation is true, much of the encryption software sold by RSA would allow the NSA to break the encryption using the known backdoor. RSA, for its part, has denied that it took money to put a backdoor in its encryption software. The company said that it followed NIST’s guidance on use of the code. But that hasn’t been enough to convince many security experts who believe the Snowden documents that state the RSA conspired with the NSA.



Magento Releases PHP 5.4 Patches for Magento

Last month we discussed Magento’s lack of official support for PHP 5.4, despite the fact that web hosts had been making the move to at least that version, and the questions that raised. Magento has now released patches to make Magento compatible with PHP 5.4. You can get the patches on the Magento Download page, in the Magento Community Edition Patches section.

All of the patches modify the following files:

All of the patches except for the one modify:
/app/code/core/Mage/Install/etc/config.xml

A new file is added at:

In our previous post we mentioned that we still found that Magento 1.3 would work with PHP 5.4, so older versions could probably still be used, though you could run into an issue.

For those who can’t use the patches, we will be putting out a set of patched files, as we do with the Magento security patches; soon you can use the patched files we have put together.