[tor-talk] Tor no longer works with win2K ??
    Jacob Appelbaum 
    jacob at appelbaum.net
       
    Sun Nov 13 23:47:46 UTC 2011
    
    
  
On 11/13/2011 03:15 PM, Anon Mus wrote:
> Sebastian Hahn wrote:
>> I'll pretend you didn't insult me and the rest of the Tor dev team, and
>> try and get your question answered. I've snipped the useless
>> allegations.
>>
>>   
> 
> I made no allegations WHATSOEVER, I asked questions, that was all. I
> seem to have hit a raw nerve.
That's obviously not what Sebastian is experiencing.
> 
>> On Nov 12, 2011, at 12:52 PM, Anon Mus wrote:
>>  
>>> Jacob Appelbaum wrote:
>>>    
>>>> On 11/10/2011 02:39 AM, Anon Mus wrote:
>>>>      
>>>>> I got a message to upgrade my Tor version..
>>>>>
>>>>> Nov 10 10:20:45.953 [Warning] Please upgrade! This version of Tor
>>>>> (0.2.1.30) is obsolete, according to the directory authorities.
>>>>> Recommended versions are:
>>>>> 0.2.1.31,0.2.2.34,0.2.3.6-alpha,0.2.3.7-alpha
>>>>>
>>>>> But (as before) the latest versions of the expert install do not work.
>>>>>
>>>>>
>>>>> Here's the stable..
>>>>>
>>>>> Nov 10 10:17:10.093 [Notice] Tor v0.2.2.34 (git-c4eae752f0d157ce).
>>>>> This
>>>>> is experimental software. Do not rely on it for strong anonymity.
>>>>> (Running on Windows 2000 Service Pack 4 [workstation])
>>>>>         
>>>> Just as a general warning, I suspect the Random Number Generator on
>>>> Windows 2000 is not so great. I would seriously consider installing a
>>>> recent Operating system or booting a tails live CD.
>>>>
>>>> All the best,
>>>> Jacob
>>>>
>>>>  
>>>>       
>>> As I understand it the random number generator in win2k is the same
>>> as the one in WinNT, Win2003, WinXP and Windows Vista.
>>>
>>> http://www.theregister.co.uk/2007/11/13/windows_random_number_gen_flawed/
>>>
>>> http://www.computerworld.com/s/article/9048438/Microsoft_confirms_that_XP_contains_random_number_generator_bug
>>>
>>> http://www.segobit.com/rng.htm
>>>
>>> Does this mean support for these Windows OSes is also to be withdrawn?
>>>     
>>
>> Nobody said anything about withdrawing support because of this.
> 
> NOTE: I made no such statement, I asked the question, "was it still
> supported?", DON'T put words into someone else's mouth so YOU can make
> FALSE allegations.
>>  Note
>> that Jake spoke of suspicion.
> 
> Yes the "suspicion" as you call it (I would say it was advice/excuse),
> is well documented, Israeli (Mossad??) researchers published the
> weakness, it's also in WinXPs that have not been updated.
> 
Is that published fact?
> To let people know to update would have been sensible considering how
> "Jake" was so concerned about it.
> 
> But REALLY, the attack requires access to the machine and must be on one
> that is kept running 24/7 (frequent reboots defeat the attack), I boot
> my Win2k every time I use Tor via it.. I don't run a Tor node nowadays
> so it's not a risk to others. But of course there may be WinXP (not
> updated) Tor nodes out there who are, but you seem to be unconcerned
> about that, otherwise you'd have seen my point about alerting the Tor
> community to update their WinXPs, wouldn't you.
> 
Your understanding of the issue might not be the full picture. If you're
using an old and unsupported Windows OS such as Win2k, I think you're
totally doomed.
>>  Recommending against the use of Operating
>> Systems that have reached their end of life and no longer have security
>> support is also just common sense, and it isn't surprising that WinNT
>> or WinXP pre-SP have extremely bad security problems. Does this really
>> surprise you at all?
>>   
> 
> I think I've covered most of this above.
Yep and you dismissed it. You're running an EOL OS - install a new OS
already!
> 
> Win2k is still a fairly popular OS (0.17%), when compared with most
> versions of Linux (e.g. Ubuntu > 0.1%) where all the versions of Linux
> have only 1.2%. (one seriously wonders why so much effort goes into the
> support for that OS.)
> 
[citation needed]
> Win2K is also very stable. I love using it, and it has my old dev stuff
> on it (I still have Win98, WinNT, WinSBS PC's and even Win95, Win 3.x &
> OS2 on disk).
It is one of the most exploitable systems around  - it lacks security
patches for many issues and it is without nearly any of the modern
protections available in other versions of (supported) Windows.
> 
> Blah..  Snip because it's OT argumentative..
>>> Perhaps you can ensure a full explanation is placed a warning on the
>>> Torproject web site otherwise lots of users will be using Windows
>>> operating systems which are vulnerable.
>>>     
>>
>> It's not entirely clear what the implications are, from what I
>> understand.
>>
>>   
> Uhhh ??, so why would "Jake" write Tor-talk a message like that?
>>> Obviously my questions are still NOT being answered, I QUOTE,
>>>     
>>
>> Maybe that is because you demand a fully qualified answer within six
>> hours, while you fail to provide a good bug report?
> I asked my question on the 10/11/2011 at 10:39 , get your facts straight
> before you make such slanderous allegations.
>>  Typically, bugs
>> get reported to https://bugs.torproject.org, where the developers
>> actually expect them.
>>
>>   
> I was not reporting the bug as such, I was asking if (as there was a bug
> and at the same time my old running version was telling me it needed
> replacing), it was being supported still, but I got curious replies, so
> I asked why, simple.
> 
If a binary runs on an old OS - great - however, I think it's important
to note that if you use an EOL OS - you should probably consider that
the support that matters is not Tor but Microsoft.
>>> I re-iterate, can I get a reply from someone on the tor dev team
>>> about this ERROR and whether Win2k is being supported now or not?
>>>     
>>
>> Here's the reply from someone on the tor dev team: "Exciting! It seems
>> you've found a bug on Windows 2000 systems, we should totally debug that
>> and see if we can get it fixed! Unfortunately, we don't have a windows
>> 2000 system around to debug this ourselves, and this is the only report
>> we've gotten about trouble so far. Please try and provide more input
>> about your system, the other software that you run, and if you have any
>> experience debugging software so we may help you get this issue
>> resolved.
>>
>>   
> Perhaps you should have tested to see if it at least ran (sigh up) first
> (as is normal release practise) BEFORE you released it for use as
> stable, no?
> 
We do the best that we are able to do with the resources that we have
available. We do not have a patched Windows 2000 system because Windows
2000 is EOL.
> Otherwise you should not have released it for use on Win2k, it is highly
> unprofessional,
That's a creative way to frame it.
> after all the Tor project is getting paid Tax Dollars to
> develop it, and it's certainly NOT being developed for free, just free to
> use.
> 
Crazy - did you receive money for your incomplete bug report that is
part of the development cycle?
>> If we have to conclude that the expert Bundle doesn't work on Windows
>> 2000 anymore for whatever reason, I'm afraid we'll have to drop support
>> for it unless someone else steps in to provide the necessary fixes."
>>
>>
>>   
> It sounds like, sadly, you'll never know if it does or not, so why not
> just remove the claim that it still works on Win2k (with all SP's and
> rollups)?
> 
User feedback?
> I have a more "professional" solution to suggest, if you cannot get
> yourselves a copy of Win2k (all updates are still on MS site) from ebay
> (you'll need a pc with a boot manager also).
> 
> Try pointing me to the place (exact link - I don't want access to dev
> suite/tools/sources) where I can download all the unstable tor.exe's
> that have been produced since the stable version that I am running
> (which still works - just), see my original post for details. Then I can
> test the exe's and let you know where it changed to fail with this
> error message. Then you can do a diff on the code and take a look if you
> can fix.
If you want to help, great. If not, please stop harassing people who are
working very hard on the modern operating systems that are supported by
both the vendor and by the Tor community.
> 
> Personally. I don't give a fig what you do, but I do expect software to
> work with the OSES it says it should work on and as a user I don't
> expect to be dissed about by dev teams.
> 
We expect technically skilled users to help us when we stumble. If
you're going to help great, if you're just going to attack us, please
understand that it isn't helpful.
All the best,
Jacob
    
    