Privacy threat due to 2 out-of-the-box bugs in ubuntu 13.10 Unity Tor Browser

[Damico]

Are the ubuntu 13.10 Unity developers aware of these two security bug that shows up when using Tor?
How do we properly report such anonymitythreats, that only show up on Ubuntu?

1. The Tor Browser launcher is confusingly mixed up with Firefox.
2. The Vidalia Control Panal doesn't get its own launcher.

Both these bugs only show up in Ubuntu as there are no known reports of them occurring on any other operating system.

The first bug results in inevitable privacy violations (because the Unity desktop doesn't distinguish between the non-secure Firefox and the secure Tor browser).
The second bug prevents necessary changes to the Vidalia settings (except on the very first invocation of the Tor Browser Bundle at installation time).

The main workaround is to use another operating system when anonymity is desired.

A secondary workaround is to modify the *.desktop settings, but that will only partially disengages the (secure) Tor Browser from the (insecure) Firefox browser.
And, that still doesn't help with the Vidalia control panel problem.

The problem is that I'm almost certainly not the technical guy to report these two bugs - but - since they clearly exist, someone has to report them.
How do we know whether the developers are aware of these two bugs?

[QIII]

Verbiage sounds familiar ...

Here maybe?

[cariboo]

I'm almost certainly not the technical guy to report these horrid bugs - but - since they haven't been fixed since Ubuntu 13.10 came out, someone has to report them.
Do we know whether the developers are aware of these two bugs?

You don't have to have a lot of technical knowledge to report Ubuntu bugs, the developers have made bug reporting fairly easy for everyone, no matter what your skill level. To report a bug against vidalia for example, just press Alt-F2 and type:

Code:

apport-bug vidalia

and follow the prompts. You will have to have a Launchpad account, which you can register quite easily by going to http://launchpad.net, and click the Login or create an account link in the upper right.

[Damico]

You don't have to have a lot of technical knowledge to report Ubuntu bugs

I appreciate your confidence in me, but, I only know what the bug 'is' and its repercussions. I don't know WHERE the bug lies.
Is it in the desktop? In Unity? In Ubuntu 13.10 only? In Nautilus? In Tor? In Vidalia?

Luckily, the bug happens to EVERYONE on Ubuntu (and nobody on any other operating system), so, I can "assume" (although we all know what that means) that it's an Ubuntu problem alone.

Moving on, and searching on my Windows laptop for tor browser bugs in the suggested location (https://bugs.launchpad.net), I see bugs when I search for "Tor" or for "Vidalia"; but I don't see this bug reported.
I grepped for both "Tor" and "Vidalia" in the Saucy Salamander Release Known Issues, with similar negative results.

I can only assume one of three things:
a) Everyone is too busy with more important things to worry about than privacy issues, or,
b) I'm the only one on the planet who cares about such privacy issues, or, more likely,
c) I'm doing the search incorrectly.

Rather than just assuming my search was bad and giving up, I'll file the bug report from my Windows computer, but, I'm really not the guy to provide technical details to Ubuntu developers.
I just know usability issues, as they relate to privacy.
What I know, for sure, is that it doesn't work right on Ubuntu 13.10, such that, any user using the Tor Browser Bundle on Ubuntu 13.10 is taking an additional risk that is not found in all other operating systems for which the tor browser bundle is available.

EDIT:
I'm logged into Launchpad, but, at least on Windows (which is all I have right now), pressing Alt+F2 does nothing.
All I need is a link to file a bug report.

EDIT:
OK. That was a royal waste of time. I gave up trying to find the bug reporting button in Launchpad at the suggested URL.

EDIT:
Resorting to Google, and typing the obvious: "how to file a bug in ubuntu", this comes up first:
How to file a bug in Ubuntu (but I don't have flash installed on the Windows work computer I'm at).

Next on google is bug-reporting etiquette, and How do I report a bug, both of which seem to contain the detailed steps to report the bug (but, that strange Alt+F2 shows up again, which, again, doesn't do anything while logged into Launchpad).

EDIT: Woo hoo. I finally found a link to file a bug report on Launchpad!

I filed the bug report:
Title: Privacy leak ONLY on Ubuntu 13.10/Unity using default official Tor Browser Bundle (including Vidalia)

[cariboo]

Apport-bug only works when running an Ubuntu distribution, I assumed that seeing as you are posting here that you are at least running Ubuntu.

[Damico]

Apport-bug only works when running an Ubuntu distribution, I assumed that seeing as you are posting here that you are at least running Ubuntu.

I have multiple computers. Not all operating systems at all locations. When I was reporting the bug, I wasn't on ubuntu. Probably 10% of the time I'm on Ubuntu, the rest on Windows.
Of course, EXACTLY what I thought would happen to the bug, happened.
A bot appended that I didn't add enough information, even though I painstakingly explained every single bit of information that I knew.
Here's what the bot said:

Thank you for taking the time to report this bug and helping to make Ubuntu better. It seems that your bug report is not filed about a specific source package though, rather it is just filed against Ubuntu in general. It is important that bug reports be filed about source packages so that people interested in the package can find the bugs about it. You can find some hints about determining what package your bug might be about at https://wiki.ubuntu.com/Bugs/FindRightPackage. You might also ask for help in the #ubuntu-bugs irc channel on Freenode.
To change the source package that this bug is filed about visit https://bugs.launchpad.net/ubuntu/+b...25/+editstatus and add the package name in the text box next to the word Package.

So, do any security experts know which PACKAGE to file the bug against?

[QIII]

Did you install the tor Browser Bundle from the Canonical repo?

[Damico]

Did you install the tor Browser Bundle from the Canonical repo?

Well, that's an interesting question, if only, the answer was assumed to be that it doesn't exist in the Canonical repo.
Does a Tor Browser Bundle actually EXIST in the Canonical repo?
(If so, that's new welcome news to me - because it would indicate that Canonical is interested in protecting their user's privacy - and - if so - that's a great step forward for Canonical - but I've never seen it.)

---

Note: The Tor Browser Bundle is not just an assemblage of Tor, Privoxy, Firefox, and Vidalia.

[QIII]

That is exactly my point. It doesn't exist in the Canonical repos. And I know that the TBB is not just several things assembled. I know exactly what it is and where it comes from.

Did you install it from a PPA from some place like webupd8.org? Did you install it after getting it from torproject.org?

[Damico]

That is exactly my point. It doesn't exist in the Canonical repos. And I know that the TBB is not just several things assembled. I know exactly what it is and where it comes from.

Did you install it from a PPA from some place like webupd8.org? Did you install it after getting it from torproject.org?

How it was installed was described in the bug report but I'll repeat here, the installation procedure is simply to untar the package.
That's it.

Nothing more than that, is all you should EVER need to "install" the Tor Browser Bundle, since it's DESIGNED to be portable, from the start.

• So, on Windows, to install it, you simply unpack it and then run it.
• Likewise, on Apple, you simply unpack it, and run it.
• It works the same way on Linux (all but Ubuntu).

Here's the web page with those simple instructions:
https://www.torproject.org/download/...d-easy.html.en