Tor anonymity breached

From: cynicoid 6 Aug 2013 23:41
To: ALL 1 of 50
Heads up all Tor users: there has been a breach of anonymity of users visiting certain .onion sites.

It centres around sites hosted by Freedom Hosting and uses a Java exploit to reveal the true IP address of visitors to those sites which is then sent to a server in the US owned by the FBI. Looks like only those with Java and cookies enabled on early versions of Firefox and who visited Freedom hosted sites are affected.

The owner of Freedom Hosting has been arrested and is awaiting extradition to the US on charges of allowing access to illegal materials on the internet. Freedom hosts most of the nasty porn and drug sites on Tor but also hosts tormail and BitCoin.

Stories here:
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html

https://blog.torproject.org/category/tags/freedom-hosting

http://nakedsecurity.sophos.com/2013/08/05/freedom-hosting-arrest-and-takedown-linked-to-tor-privacy-compromise/
From: Peter (BOUGHTONP) 6 Aug 2013 23:56
To: cynicoid 2 of 50
Who the fuck would run Java over Tor? :?
From: Peter (BOUGHTONP) 7 Aug 2013 01:03
To: cynicoid 3 of 50
Ok, so upon reading it has nothing to do with Java. :/ The exploit is/was Windows-only and Firefox-only (before 22 or 17.0.7) and required JavaScript to be enabled - i.e. having NoScript set to blocked globally without exceptions means you're not at risk.
From: Ken (SHIELDSIT) 7 Aug 2013 15:27
To: Peter (BOUGHTONP) 4 of 50
What about people who run it from their router? I sometimes enable it but haven't done my homework to see if it's actually secure. I do know it changes my exit point to the internet though, a lot of times I end up with pages in foreign languages because of the IP I'm assigned.
From: patch 7 Aug 2013 16:46
To: Ken (SHIELDSIT) 5 of 50
Isn't it considered slightly bad form to use Tor for everyday browsing? Using up too much of the available bandwidth unnecessarily, sort of thing?
From: Ken (SHIELDSIT) 7 Aug 2013 16:48
To: patch 6 of 50
I don't leave it on, I maybe use it 10-15 minutes at a time and probably only used it twice in 6 months.  But to answer the question, I have no idea.  I thought you became part of the node when you joined and then became an exit point?
From: patch 7 Aug 2013 17:09
To: Ken (SHIELDSIT) 7 of 50
Dunno. Haven't really looked into it that much. I just vaguely remember reading that somewhere.
From: Peter (BOUGHTONP) 7 Aug 2013 19:06
To: Ken (SHIELDSIT) 8 of 50
What about people running it from their router?

If you were browsing with Windows on an out-of-date Firefox with JS enabled, you were vulnerable to the exploit.

If you visited certain Tor hidden services (*.onion sites) during that period, [bad stuff] would have happened. I haven't seen reports of the exploit being done outside Tor, but probably theoretically it could have been elsewhere.

I can't remember or be bothered to check if [bad stuff] was more severe than revealing your IP address (which is the main point of Tor; to hide your IP and other identifying details from the server you're visiting, hence why this is a big deal, but potentially not if you weren't doing anything where knowing your identity matters).

If you don't use the Tor browser bundle, there's a good chance your specific browser configuration already makes you pretty identifiable - especially if you have Flash/Java/Silverlight plugins installed.

EDITED: 7 Aug 2013 19:22 by BOUGHTONP
From: Peter (BOUGHTONP) 7 Aug 2013 19:10
To: patch 9 of 50
Nope.

Some Tor nodes will block BitTorrent and similar because the way it works causes lots of traffic, but for general everyday browsing it's fine, and the only reason not to do it is because it's slower.

If everyone used Tor it would make identification through traffic analysis more difficult to perform (needles/haystacks), which of course helps with the goal of hiding identity.

EDITED: 7 Aug 2013 19:22 by BOUGHTONP
From: Ken (SHIELDSIT) 7 Aug 2013 19:13
To: Peter (BOUGHTONP) 10 of 50
Gotcha.  Since I think FF is still a pile of shit I most definitely wasn't using it! And I refuse to install Java on my personal computers.
From: Peter (BOUGHTONP) 7 Aug 2013 19:22
To: Ken (SHIELDSIT) 11 of 50
Being an exit node and using Tor are two distinct things - you don't become an exit node just by using it (unless you've specifically got software set up that way).

Being an exit node is a good thing though - again, it helps to spread the load, makes it faster, makes traffic analysis harder and so on - and if you have the bandwidth to spare it's easy to set up:

https://www.torproject.org/docs/tor-doc-relay.html.en

From: Ken (SHIELDSIT) 7 Aug 2013 19:25
To: Peter (BOUGHTONP) 12 of 50
I'll have to do some checking, there aren't any options in Tomato other than turn it on and a few others.
Attachments:
From: Peter (BOUGHTONP) 7 Aug 2013 19:29
To: Ken (SHIELDSIT) 13 of 50
I don't know what Tomato is, but that doesn't look like an exit node config - check the link I posted for what the Vidalia UI for it looks like... completely different options.
From: Ken (SHIELDSIT) 7 Aug 2013 19:30
To: Peter (BOUGHTONP) 14 of 50
Tomato is open sauce router firmware, like DD-WRT.  It has TOR and OpenVPN built in.  It's very good and turns a cheap router into a beast!
From: milko 7 Aug 2013 19:41
To: ALL 15 of 50
I tried using Tor once out of curiosity but it couldn't even load a page, everything just timed out. I hope the Feds don't say anything bad on me.
From: Ken (SHIELDSIT) 7 Aug 2013 20:36
To: milko 16 of 50
They already have!  When I've used it it's very usable!
From: milko 7 Aug 2013 20:56
To: Ken (SHIELDSIT) 17 of 50
shit! what did they say?

Maybe I should try it again. Although the government honestly can know that I look at about six different websites ever, anyway. I don't mind.
From: Drew (X3N0PH0N) 7 Aug 2013 21:24
To: Peter (BOUGHTONP) 18 of 50
(Worth bearing in mind that (in the UK at least and wouldn't be surprised if it's the same in the US) if you run a Tor exit node you're legally responsible for what passes through it. Which, with Tor, is going to be a lot of very dodgy shit. (I don't think this has been legally tested yet but I believe it's the current interpretation of how things stand))
From: Ken (SHIELDSIT) 7 Aug 2013 21:32
To: Drew (X3N0PH0N) 19 of 50
I would think that that's how it would go, which makes me wonder who would ever be an exit node?
From: Drew (X3N0PH0N) 7 Aug 2013 21:36
To: Ken (SHIELDSIT) 20 of 50
Brave, selfless people who're willing to challenge bullshit laws in court :Y

(And/or people in places without ridiculous laws)