Vague Warnings Of Pending Tor Attack, While Exit Nodes Are Being Seized

from the stay-safe-everyone dept

Mon, Dec 22nd 2014 11:21am — Mike Masnick

Late last week, the Tor Project blog posted a somewhat vague warning about the possibility of an upcoming attempt to disable the Tor network by going after and seizing specialized directory authority servers that are the key to making Tor work.

The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.
We hope that this attack doesn't occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.

Given that, it seemed especially noteworthy that over the weekend a bunch of Tor exit nodes were apparently quietly seized, according to Thomas White, who ran those servers:

Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken.

While he initially suggested that the way it was done made it seem likely that law enforcement was behind it, he later toned down that suggestion, saying he thought it was less likely that law enforcement was involved than he originally believed. Update: And now the servers have been returned and while there's still some confusion, it looks like nothing nefarious happened here.

Tor, itself, isn't compromised -- and pretty much all experts agree that it remains safe -- but it's at least troubling to see that there's at least some possible attempt to compromise parts of the network.

Thank you for reading this Techdirt post. With so many things competing for everyone’s attention these days, we really appreciate you giving us your time. We work hard every day to put quality content out there for our community.

Techdirt is one of the few remaining truly independent media outlets. We do not have a giant corporation behind us, and we rely heavily on our community to support us, in an age when advertisers are increasingly uninterested in sponsoring small, independent sites — especially a site like ours that is unwilling to pull punches in its reporting and analysis.

While other websites have resorted to paywalls, registration requirements, and increasingly annoying/intrusive advertising, we have always kept Techdirt open and available to anyone. But in order to continue doing so, we need your support. We offer a variety of ways for our readers to support us, from direct donations to special subscriptions and cool merchandise — and every little bit helps. Thank you.

–The Techdirt Team

Filed Under: attack, directory authorities, thomas white, tor, tor project

26 Comments

If you liked this post, you may also be interested in...

Reader Comments

Subscribe: RSS

View by: Time | Thread

DannyB (profile), 22 Dec 2014 @ 11:26am

What can be done?
What can be done to stop terrorists from interfering with the Tor network?

Also, how can we stop cybercriminals who seize domain names without any kind of due process?
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2014 @ 11:34am

Re: What can be done?
Find a way to get them out of the alphabet agencies.
[ link to this | view in thread ]
Justin Johnson (JJJJust) (profile), 22 Dec 2014 @ 11:42am

The computers that were supposedly "seized" have since been returned.

https://lists.torproject.org/pipermail/tor-talk/2014-December/036084.html
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2014 @ 11:57am

Re:
Would you trust them after unknown agents have had control over them?
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2014 @ 12:24pm

so the question remains then, if it wasn't 'Law Enforcement', who else would be interested in Tor and why? particularly why have a usb attached if only for a short few seconds, to achieve what? a time bomb of malware? destroyer of information or the PCs themselves? something doesn't add up
[ link to this | view in thread ]
Ailanthus (profile), 22 Dec 2014 @ 12:40pm

News Flash: Tor is fine--and safe to use.
Tor just posted a tweet saying that the Tor network is up and fine (and has been fine all along). See twitter.com/torproject
[ link to this | view in thread ]
Michael, 22 Dec 2014 @ 12:44pm

Re: News Flash: Tor is fine--and safe to use.
I'm sure the FBI agent that sent that tweet really means it...
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2014 @ 12:47pm

Re: Re:
From one of the links above:

"The servers have been blacklisted and pose no danger to the Tor network or the users of it. I will refrain from putting these servers back online until a proper vetting and analysis of events has happened."

https://lists.torproject.org/pipermail/tor-talk/2014-December/036078.html
[ link to this | view in thread ]
DannyB (profile), 22 Dec 2014 @ 12:51pm

Re: Re: What can be done?
Find a way to stop these terrorists and cyber criminals from giving money to congress.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2014 @ 1:06pm

Re: What can be done?
What can be done to stop the terroists in government from interfering with the Tor network?

Also, how can we stop the cybercriminals in the FBI who seize domain names without any kind of due process?

The answer is simple; kill the Batman*.

*'Batman,' in this instance, is the Alphabetti Spaghetti of interlinked "Intelligence" agencies across the globe.
[ link to this | view in thread ]
Whoever, 22 Dec 2014 @ 1:08pm

Re:
if it wasn't 'Law Enforcement', who else would be interested in Tor and why? particularly why have a usb attached if only for a short few seconds, to achieve what? a time bomb of malware? destroyer of information or the PCs themselves? something doesn't add up

Don't forget the missing log entries: that's a clear indication of tampering. My guess would be something like the equivalent of the NSA is responsible. Or perhaps there is something more like the Secret Service, which is not law enforcement.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2014 @ 1:30pm

Re: Re: Re:
That vetting would have to include all flash memory, such as the BIOS and inbuilt controllers, and that is far from simple to do reliably, as physical access to the internals has been detected. Simpler to replace them, so long as the purchase channels can be trusted.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2014 @ 1:36pm

Re:
"particularly why have a usb attached if only for a short few seconds, "

KVM switch to a headless server. Could do a manual graceful shutdown/restart that way, but that should be in the logs and the ISP ought to be able to say why they did it, but they haven't. Seems like it is hosted somewhere that does not have video of all access to server rooms since there is no mention of missing video.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2014 @ 1:44pm

There was also this post a couple of days before:
Solidarity against online harassment

I don't condone online harassment, but it's still a somewhat odd post. The tone of it sort of worries me that they might be planning to put in a backdoor or something as a way to try and strike back at trolls that use TOR. (I trust I don't need to explain to anyone how that would cause major security issues.)
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2014 @ 2:33pm

Re: Re:
...the Secret Service, which is not law enforcement...

Uhhh...yes they are. It's just the laws they are charged with enforcing are few.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2014 @ 2:56pm

Re: Re: Re: Re:
At this point, even if the flash memory is intact, there's no telling if some other piece of hardware was replaced, modified, or otherwise tampered with.

Better to assume they're toast, burn them and setup some new servers in an anonymous location to prevent interdiction.
[ link to this | view in thread ]
John Fenderson (profile), 22 Dec 2014 @ 3:56pm

Re: Re: Re: Re: Re:
That's what I would do. Hardware is cheap. Donate the servers to charity and buy new ones.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2014 @ 4:09pm

Re: Re: Re: Re: Re: Re:
"Donate the servers to charity and buy new ones."

Not my choice in case they are infected and the charity sells them on to an unsuspecting ebay buyer. Destroy the USB controller chips and recycle the rest.
[ link to this | view in thread ]
That One Guy (profile), 22 Dec 2014 @ 4:42pm

Re: Re: Re: Re: Re: Re:
Better idea: Donate the servers to computer security researchers. They would know what to look for, and I'm sure they could discover some interesting stuff poking around through the hardware.

This would have the secondary bonus of potentially flushing out just who fiddled with the servers in the first place, as they tried to reclaim the servers and keep the researchers from poking around inside.
[ link to this | view in thread ]
Anonymous Coward, 22 Dec 2014 @ 4:48pm

Any connection with NKora going down?
Looks like NSA, perhaps with SKorea's help, may have just taken down NKorea's internet:

http://www.nytimes.com/2014/12/23/world/asia/attack-is-suspected-as-north-korean-internet-c ollapses.html

NKorea's Internet now looks like their nighttime satellite view from space, not that it was particularly bright b4.
[ link to this | view in thread ]
Anonymous Coward, 23 Dec 2014 @ 6:02am

Even if North Korea is an issue for many these people chose to live life the way they do until , its proven that they are actually behind the sony oops I'll hold judgement , North Korea has a right to exist, it's not up to us to intervene its up to its people We need to make sure our house is in order.
[ link to this | view in thread ]
John Fenderson (profile), 23 Dec 2014 @ 7:18am

Re: Re: Re: Re: Re: Re: Re:
Well, perhaps, but there is a compelling argument that it would be better to allow the compromised servers to operate in an environment that will do little harm. Keeping them running increases the amount of noise.
[ link to this | view in thread ]
John Fenderson (profile), 23 Dec 2014 @ 7:19am

Re: Re: Re: Re: Re: Re: Re:
That counts as charity. :)
[ link to this | view in thread ]
EMF-Gain, 23 Dec 2014 @ 8:10am

the meaning of seized keys
So if your running keys for security on a server that gets seized it's the same as saying "destroyed." IF all your keys are now compromised, and you can't tell if the hardware, firmware, or software was tampered with.

Perhaps it's time for the Judge, cops and what not to get SUED for destroying such key-servers.

Such a payout would have to be monetary since, you can't just hand out more hardware, firmware, or software from the same source who seized it in the first place.

All local/remote exploits aside, ultimately you either keep your key-servers away from these oath breaking insects or you can't.
[ link to this | view in thread ]
Anonymous Coward, 23 Dec 2014 @ 9:32am

Re: Re: Re: Re:
And do not forget to check all soldering points for replaced and/or newly inserted stuff.

Maybe it is better to donate them to the Guardian newspaper, to be destroyed when MI5 or MI6 wants another computer physically destroyed.
[ link to this | view in thread ]
That One Guy (profile), 23 Dec 2014 @ 4:37pm

Re:
Uh, no, the vast majority of people living in North Korea do so because they have no other alternative. They're born there, and that's where they'll die, whether they want to leave or not.

You can absolutely judge the government over there, and it's corrupt, insane, and tyrannical as hell.
[ link to this | view in thread ]