Tor Developers, Privacy Wonks Desperately Searching To Figure Out How The Feds Broke Tor To Find Hidden Servers
from the the-hunt-is-on dept
As we mentioned in last week's post on the arrest of Blake Benthall, the alleged operator behind Silk Road 2.0, the arrest was actually part of a larger global effort to take down around two dozen "darknet" websites. While the Benthall indictment does talk about an undercover Homeland Security employee who infiltrated Silk Road 2.0 to gather evidence, a key part of the evidence gathering is left vague: how did officials find the actual servers that were supposedly hidden by Tor? In the past few days, a big effort has been undertaken by a bunch of folks, including key Tor developers to try to work out how all of this happened:The Tor post lists out a number of possible scenarios under which the hidden servers were located, including bad operational security (opsec), SQL injections (because, of course), Bitcoin deanonymization and attacks on the Tor network. That last one is getting a lot of attention for a variety of reasons. Kashmir Hill over at Forbes has an interesting post exploring the possible connection with the cancelled Black Hat talk from this summer about identifying Tor users, which was done by some Carnegie Mellon researchers. Around that time, Tor also revealed that its network had been compromised, and asked everyone to upgrade to patch vulnerabilities. Many assume these two things were connected.Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of Torservers.net disappeared and there is another report by an independent relay operator. If anyone has more details, please get in contact with us. If your relay was seized, please also tell us its identity so that we can request that the directory authorities reject it from the network.
But, more to the point, the recent publications call the targeted hidden services seizures "Operation Onymous" and they say it was coordinated by Europol and other government entities. Early reports say 17 people were arrested, and 400 hidden services were seized. Later reports have clarified that it was hundreds of URLs hosted on roughly 27 web sites offering hidden services. We have not been contacted directly or indirectly by Europol nor any other agency involved.
Tor is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents. We are also interested in learning why the authorities seized Tor relays even though their operation was targetting hidden services. Were these two events related?
If you control enough of the Tor network, it’s possible to get a kind of bird’s eye view of the traffic being routed through it. It was clear that Tor thought the Carnegie Mellon researchers were responsible. The researchers refused to talk to the press, but a conference spokesperson told Reuters the talk was canceled because the researchers hadn’t cleared the release of their work through their department, the Software Engineering Institute, which receives funding from the Defense Department. At the time, many assumed that the university pulled the plug on the talk because of academic ethics considerations and the gray legal zone it was in, with the researchers casually intercepting Web traffic. But maybe it got pulled because the researchers were revealing a law enforcement technique that the government did not want publicized. If nothing else, it’s highly likely the information the researchers collected about “drug dealers and child pornographers” made its way into law enforcement hands. McCord said he was “unable to comment on the matter.” Carnegie Mellon’s SEI declined comment about the canceled talk and about whether it had provided information from the research to law enforcement.Hill also quotes Nicholas Weaver with some thoughts on what happened:
“I am 95% certain that law enforcement did a mass de-anonymization attack on Tor hidden services,” says Nicholas Weaver, a researcher at the International Computer Science Institute. He called any link to the earlier research “circumstantial.” But he points out that the work the researchers did was expensive. A “back of the envelope estimate suggests that whoever was running the attack on Tor at the beginning of the year using [Amazon hosting services] spent at least $50,000 in computer time,” says Weaver. That’s not the kind of money an academic can spend on a hobby project.Meanwhile, one of the (still free) operators of a Tor hidden site that was taken down by the feds, Doxbin, has stepped forward to release a bunch of log files and related information to potentially track down how it was discovered (he posted on a mailing list using the amusing subject line of "yes hello, internet supervillain here." This has resulted in much more speculation on what kind of attack was being run.
As it stands, no one (other than law enforcement) knows exactly how this came down, but I would imagine that it won't be long until people have figured out what likely happened, and fixes are put in place. This, of course, is the nature of any sort of anonymization effort. People will always break it for some reason or another, and then it's just an ongoing back and forth to fix holes and improve the system...
Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.
Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.
While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.
–The Techdirt Team
Filed Under: attacks, hidden services, hidden sites, privacy, tor
Companies: tor project
Reader Comments
Subscribe: RSS
View by: Time | Thread
Story as old as human history...
[ link to this | view in thread ]
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Getting more and more difficult to spot Poe's these days...
...
Wait a tic, you're posting anonymously... hmm, better have the SWAT team bust up your house and interrogate you just to be sure.
[ link to this | view in thread ]
And given the number of governments involved, one could safely assume they had control of enough nodes.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re: Getting more and more difficult to spot Poe's these days...
[ link to this | view in thread ]
http://soylentnews.org/article.pl?sid=14/11/10/1510242
http://soylentnews.org/article.pl?s id=14/11/08/154250&tid=15
Here is something I wrote
You guys are over complicating it. When you order something over these networks someone has to pay for these items. How do they plan tp pay, by credit card, cash, money order? The feds can order something and track where that money goes and find someone to arrest. Additionally they can attempt to track the packages and their place of origin via the mail system. IOW, good old investigative work.
[ link to this | view in thread ]
Re: Re: Getting more and more difficult to spot Poe's these days...
When you've got freakin' government officials talking about encryption like it's this unholy grail of evil, and something that only the worst of the worst would ever want, while it would be disappointing if others started believing such laughable fearmongering and lies, it would't be impossible to imagine such happening.
[ link to this | view in thread ]
Re:
Never heard of bitcoin?
[ link to this | view in thread ]
Re: Re:
[ link to this | view in thread ]
Re: Re:
--------------------
by hemocyanin (186) Subscriber Badge on Sunday November 09, @10:21AM (#114268)
I'm pretty sure the favored currency is bitcoin. I'm not a bitcoin user so I don't know the various ways a user could be traced through the coin's transaction history, but I'm pretty certain there is no place to send a subpoena to for account information, unlike visa, banks, etc.
-----------------
my response
While Bitcoin is another payment option you are still missing the big picture.
Bitcoins can, to some extent, be traced. But the point is that even if these guys are using bitcoins at some point those coins must either be converted to cash, credit card funds, or to something physical that can be purchased. If you try to buy a house with it the feds are going to investigative where you got the money to buy this nice property with no job. Furthermore they can purchase items themselves with bitcoins and try to trace where their expected packages are coming from and how their coins are being turned into cash and things someone can buy.
And the way to do this is relatively easy. They set up an address that wouldn't otherwise receive mail and they order their items to be sent to that address. They then alert USPS, UPS, etc... to tell them if they receive a package intended for this destination. If they do it pops up on the computer and the feds get alerted about which post office first received the package. Then they know that whoever dropped that package off did so within the jurisdiction of this post office. They then order another package and continue their investigation from there.
What the online drug cartels might be able to do is try to drop their packages at different locations. Then it becomes a game of cat and mouse
-------------
by urza9814 (3954) on Monday November 10, @12:13PM (#114531) Journal
Yeah, they really don't have to do anything special there. I too get alerted whenever UPS picks up a package destined for my address. Doesn't cost me anything, just have to register with their app. When my dad sent me his laptop to fix a while back, it popped right up with the UPS store where he made the shipment. Then the cops just go to that store and ask for a record of who made the purchase. If they paid cash, you pull up the store surveillance video. How hard is that?
Of course, that all depends what's being ordered. If it's small enough to fit in a regular mail envelope that can be dropped in any box on the street...that might need something more complicated.
But that's just to track the sellers. My understanding was that Silk Road was more of a marketplace for others to sell stuff. Unless the admin was stupid enough to be selling things themselves (which is not at all unlikely) those tricks wouldn't work to shut down the site as a whole.
----------
My response
True but how are the admins making money? Bitcoins? Even if so bitcoins can be traced to some extent. At some point those bitcoins need to eventually be turned into real money or property or something valuable and they can trace that.
and who's paying the admins their money? Advertisers? They can trace who advertisers are sending money to and investigate from there.
Do the users or sellers pay the admins a fee? How is that money being paid? They can trace that. Even if it's through bitcoins they can trace who's exchanging bitcoins for bank funds or cash (if you are exchanging bitcoins directly for cash then who's giving you the cash? A fed? Someone working or being subpenaed by the feds?). It's not like you can buy a house with bitcoins and no one will notice. The feds will notice if you suddenly have a nice house in your name with no job. How are you paying for this? Bitcoins? Where are you getting these bitcoins and what are you doing to get them?
and if the sellers pay an admin fee the feds can set themselves up as a seller and try to trace where the funds are going. They can send themselves a package, pay for it, and continue their investigation from there.
[ link to this | view in thread ]
[ link to this | view in thread ]
djb
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
[ link to this | view in thread ]
Winny, Share, Perfect Dark
If anything, it should teach us that it's always going to be an uphill battle trying to stay anonymous whenever a major government entity (with it's virtually unlimited resources) is intent on hunting you down.
[ link to this | view in thread ]
This leads me to draw a few assumptions about the administrators running hidden services which are still reachable online.
1. The administrators are deploying above average operational security measures, such as the "Isolating Proxy Concept". In which case, even if the entire web server is compromised through SQL injection and full root access is granted to the intruder. No identifiable information would be leaked because it's virtually impossible to gather any public IP address data, or route around Tor in a properly deployed isolating proxy setup. If the isolating proxy is run in a virtual machine, even the machine's hardware serial numbers and MAC addresses are obscured.
2. Perhaps the administrators of the remaining operational hidden services are leasing servers in countries that are less than hospitable to US and EU nations. After the Ukraine debacle and the DOJ trying to prosecute Chinese military servicemen on hacking charges. I really don't see those two nations' cyber security agencies snuggling up to to each other and singing songs around the campfire.
Personally, if I were looking to host servers on privacy networks such as Tor and I2P. I'd probably go with I2P. Simply because I2P is a packet switched network, not a circuit switched network like Tor.
This means instead of data being sent and received through a fixed 3-hop circuit like Tor. Data being sent and received through I2P's packet switched network can take multiple different routes to the destination, and take multiple different routes back to the source. In other words. I2P is more like modern day IP packet switched networks, and Tor is more like the plain old telephone system's circuit based network. Roughly speaking of course.
I2P seems more decentralized and built from the ground up to be a privacy network. Tor seems more focused on being a mixed network, trying to build a privacy network on top of surveillance networks (.com .net .org) etc.
Another thing worth mentioning is running a hidden service allows anyone connecting to that hidden service to force the web server to generate a bunch of traffic. I personally believe sending the least amount of traffic possible over a privacy network helps prevent correlation attacks. Running a hidden service makes controlling the amount of traffic being sent over the privacy network impossible. Anyone can request a 500 megabyte download from the hidden web server, or run a wget script to continuously download all the server's webpages over and over again.
[ link to this | view in thread ]
Re: Winny, Share, Perfect Dark
All the programs are closed source, and there was no peer review or security audit.
[ link to this | view in thread ]
Re: Re: Winny, Share, Perfect Dark
Share and Perfect Dark were supposed to correct many of the known security breaches in Winny. And even then, users still got busted. But of course there can never be permanent 100% perfect security. Only a never-ending cat-and-mouse arms race.
[ link to this | view in thread ]
Re: Re:
If they can't dupe you into joining their impossible-without-them terrorist plot, they just move on.
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
[ link to this | view in thread ]
Re:
Because that is part of Tor's ten minute interval circuit rotation where your Tor client selects a new circuit with three new nodes, including a new exit node.
The fact that the exit node is in the UK is irrelevant. Onion routing was specifically built so that control over an exit node, for example, isn't enough to expose your IP-address.
You are spreading misinformation because you know just enough to get yourself in trouble.
[ link to this | view in thread ]