
posted by janrinok on Monday November 10 2014, @06:14PM
from the your-help-is-needed dept.

Little is known about how U.S. and European law enforcement shut down more than 400 websites, including Silk Road 2.0, which used technology that hides their true IP addresses. The websites were set up using a special feature of the Tor network, which is designed to mask people’s Internet use using special software that routes encrypted browsing traffic through a network of worldwide servers.

The Tor Project is a nonprofit that relies in part on donations. The project “currently doesn’t have funding for improving the security of hidden services,” wrote Andrew Lewman, the project’s executive director, in a blog post on Sunday. ( https://blog.torproject.org/blog/thoughts-and-concerns-about-operation-onymous )

It is possible that a remote-code execution vulnerability has been found in Tor’s software, or that the individual sites had flaws such as SQL injection vulnerabilities. But Lewman wrote that The Tor Project had little information on the methods used by law enforcement in the latest action.

“Tor is most interested in understanding how these services were located and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents,” he wrote.

http://www.pcworld.com/article/2845352/tor-project-mulls-how-feds-took-down-hidden-websites.html

[Related]: https://blog.torproject.org/blog/hidden-services-need-some-love

Can anybody help Andrew Lewman understand what happened?

Related Stories

Huge Raid to Shut Down 400-plus DarkNet Sites 31 comments

Silk Road 2.0 and 400 other sites believed to be selling illegal items including drugs and weapons have been shut down. The sites operated on the Tor network - a part of the internet unreachable via traditional search engines. The joint operation between 16 European countries and the US saw 17 arrests.

Although details of how the sites were identified are not given, it does suggest that software now exists that removes the veil behind which the DarkNet once hid. Any Soylentils have any ideas of how this might be achieved? This story might be the clue.

More information can be found here: http://www.bbc.co.uk/news/technology-29950946

Is Tor a Honeypot? 26 comments

In July, Yasha Levine reported on a number of apparent conflicts of interest concerning the Tor project and those who promote it as a means of protecting one's anonymity online. In addition, evidence is presented that Tor users are actively being surveilled by the NSA, including a leaked NSA document noting the opportunity presented by this "critical mass" of targets. A follow-up article reveals the hostile response from some Tor advocates.

Recently we saw law enforcement exercise their capability to identify and shut down sites hidden via Tor.

Tor Says Feds Paid Carnegie Mellon $1M to Help Unmask Users 28 comments

Wired and others are reporting on a Tor blog post claiming that Carnegie Mellon University researchers were paid by the Federal Bureau of Investigation to help attack Tor hidden services:

"Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes," Dingledine writes. "Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users."

Tor's statement all but confirms that Carnegie Mellon's attack was used in the late 2014 law enforcement operation known as Operation Onymous, carried out by the FBI and Europol. That dark web purge took down dozens of Tor hidden services, including several of the most popular Tor-based black markets for drugs including the Silk Road 2, and led to at least 17 arrests. Tor, for its part, has made efforts to subsequently block the attack, which it says it first detected in July of 2014.

When WIRED contacted Carnegie Mellon, it didn't deny the Tor Project's accusations, but pointed to a lack of evidence. "I'd like to see the substantiation for their claim," said Ed Desautels, a staffer in the public relations department of the university's Software Engineering Institute. "I'm not aware of any payment," he added, declining to comment further.

Tor's Dingledine responded to that call for evidence by telling WIRED that it identified Carnegie Mellon as the origin of the attack by pinpointing servers running on Tor's network that were used in the de-anonymization technique. When it asked Carnegie Mellon if the servers were being run by its researchers—a suspicion based on the canceled Black Hat conference presentation—the anomalous servers disappeared from the network and the university offered no response. The $1 million payment, Dingledine says, was revealed to Tor by "friends in the security community."

Previously:

July 26, 2014: Russia Offers $111,000 to Break TOR Anonymity Network
September 30, 2014: Tor Executive Hints at Firefox Integration
November 8, 2014: Huge Raid to Shut Down 400-plus DarkNet Sites
November 10, 2014: Tor Project Mulls How Feds Took Down Hidden Websites
November 17, 2014: Is Tor a Honeypot?
December 22, 2014: Servers Seized After Tor Developers Warn of Potential Government Attempt To Take Down Network


  • (Score: 2) by cafebabe on Monday November 10 2014, @06:36PM

    by cafebabe (894) on Monday November 10 2014, @06:36PM (#114580) Journal

    I'm glad that they acknowledge Zooko's Triangle (a variant of "Good, fast, cheap: choose any two." but with "Meaningful, decentralized, secure: choose any two."). Unfortunately, as people discovered this week, having hashes, public keys and oblique names does not imply secure.

    --
    1702845791×2
  • (Score: 0) by Anonymous Coward on Monday November 10 2014, @06:47PM

    by Anonymous Coward on Monday November 10 2014, @06:47PM (#114584)

    They probably signed up as users on SR2 and tricked folks into clicking malicious links...which used browser vulnerabilities to inject code which called home.

    Gotta be a lot easier than looking for Tor client bugs.

    • (Score: 2) by jasassin on Monday November 10 2014, @09:02PM

      by jasassin (3566) <jasassin@gmail.com> on Monday November 10 2014, @09:02PM (#114624) Homepage Journal

      They probably signed up as users on SR2 and tricked folks into clicking malicious links...which used browser vulnerabilities to inject code which called home.

      This gives the IP address of Silk Road 2.0 how? Identifying a stupid user of Silk Road 2.0 yes. Finding the IP address of Silk Road 2.0 itself, no.

      --
      jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
      • (Score: 0) by Anonymous Coward on Monday November 10 2014, @09:21PM

        by Anonymous Coward on Monday November 10 2014, @09:21PM (#114630)

        the user that ran the site could have been a victim?

        • (Score: 2) by cykros on Wednesday November 12 2014, @01:27AM

          by cykros (989) on Wednesday November 12 2014, @01:27AM (#115030)

          Sure...if he was browsing from the server that SR2 was hosted on.

          The guard discovery attack seems a pretty likely method, especially considering that this wasn't a single server that was popped, but several (though not 400+, as some sources have mistakenly reported...it was 400+ URLs on ~27 actual sites). Good news here is that this only really affects those hosting hidden services, rather than those using Tor as a client. Bad news is, there's not really anything that can be done to prevent it against a determined attacker.

          I'm curious if I2P has any similar problem, or if it'd be for now a much better approach to hosting darknet services, while suggesting the use of Tor more for browsing the open Internet anonymously. My basic understanding seems to suggest this makes sense, but by all means, I'd love to hear if anyone has any insight on the matter.

          • (Score: 2) by urza9814 on Wednesday November 12 2014, @04:25PM

            by urza9814 (3954) on Wednesday November 12 2014, @04:25PM (#115245) Journal

            I would expect Freenet would be even more secure than I2P...although it has its own drawbacks as well.

            The difference is, you don't run servers on Freenet. You insert data, which gets broken up and distributed to other nodes. How are you going to bust the server when *there is no server*?

            • (Score: 2) by cykros on Thursday November 13 2014, @09:56PM

              by cykros (989) on Thursday November 13 2014, @09:56PM (#115676)

              There are definitely some pros and cons to consider, but at least in terms of making sure the content you're hosting stays up, I'd say you're absolutely right. It won't help necessarily keep the armed men from kicking down your door if they can deobfuscate the source of the data, but it will at least make sure it stays up.

              On the other hand, I've yet to encounter any instances of the kind of interactive marketplace type sites like the Silk Road on Freenet. It's been quite awhile since I last looked at it, but perhaps someone a little more clear on the mechanisms of it can illuminate whether or not it's even feasible to have such a similar system. Based on my admittedly limited understanding of how it works, it seems to me there may very well be some technical obstacles for this specific use case, which I2P may be more suited for due to architecture. Though, it is of course worth pointing out that even on I2P, there is the problem of BTC not actually being compatible...but Anoncoin and potentially others would be an option (even if they aren't particularly recognized by any particularly large userbase, making them a bit problematic at this stage to be relying on, even far moreso than the well documented potential issues that arise from the use of Bitcoin or cryptocoins in general).

              At the end of the day, this stuff is all experimental software...user beware!

              • (Score: 2) by urza9814 on Friday November 14 2014, @01:19PM

                by urza9814 (3954) on Friday November 14 2014, @01:19PM (#115885) Journal

                Yeah, I used to do some development related to Freenet, but that was a long time ago. I haven't really used it since the 0.5/0.7 split, so at this point most of my knowledge about it is largely theoretical, and based on running the network on old hardware on a 6 megabit connection -- so hopefully it's a bit better now ;)

                However, at the time that I used it, there were already a few attempts to have set up something like Craigslist. The biggest problem was payment though -- this was years before Bitcoin. There was a lot of talk about how to design a crypto-currency and how that would enable Freenet marketplaces, but obviously none really took off without that.

                With Bitcoin now...you could make it work, but it would probably be pretty slow to make and confirm transactions. You can't really have anything that's interactive, but payments don't necessarily need to be. Seller posts what they've got and what the price is, buyer messages them and provides bitcoin data, seller ships the goods. With the price fluctuations on Bitcoin it'd probably be marked up even more than Silk Road already is though, since your payment could be in transit for as long as several hours.

                • (Score: 2) by cykros on Monday November 17 2014, @03:39PM

                  by cykros (989) on Monday November 17 2014, @03:39PM (#116761)

                  Other than the time delay, that sounds better than what people have been doing on Tor in quite a few ways. The less interactivity, at least when it comes to the web, generally means the smaller the attack surface. Scripting in general is best left for the clear net. I'd be curious if Bitcoin would work with Freenet, or if it'd need its own cryptocoin like I2P does, due to network design, as that would definitely pose an issue with getting the ball rolling (if you think Bitcoin is unstable with a small userbase, just think about how fun doing business with Anoncoin must be...).

  • (Score: 2) by VLM on Monday November 10 2014, @07:29PM

    by VLM (445) Subscriber Badge on Monday November 10 2014, @07:29PM (#114591)

    I wonder how much latency there is between networks. What I mean is somebody buys something, spike on tor network, a bitcoin activity spike, then a package arrives the next day from the same post office in the Netherlands. Given an infinite amount of surveillance I wonder how hard this is to perform the giant SQL JOIN.

    • (Score: 3, Interesting) by Covalent on Monday November 10 2014, @07:37PM

      by Covalent (43) on Monday November 10 2014, @07:37PM (#114594) Journal

      This is what I thought, too. This is the NSA we're talking about here...they have access to all sorts of resources.

      They might be able to use power supply, too. Running servers and routers requires some juice. Assuming these guys hosted their own stuff (probably), it's not an infinitely small thing. Lots of marijuana growers are spotted using heat signatures and electric bills. Might be the same kind of thing.

      Or maybe it's just good old-fashioned "police work". Talk to people on the ground, grease a few palms, ask a few neighbors...people love to gab.

      --
      You can't rationally argue somebody out of a position they didn't rationally get into.
      • (Score: 2) by jimshatt on Monday November 10 2014, @10:26PM

        by jimshatt (978) on Monday November 10 2014, @10:26PM (#114652) Journal
        If SR2 was operated by the same guys as SR1, they might've gotten the guy they arrested the first time to talk.
      • (Score: 0) by Anonymous Coward on Monday November 10 2014, @10:44PM

        by Anonymous Coward on Monday November 10 2014, @10:44PM (#114657)

        Or maybe it's just good old-fashioned "police work".

        Are you really so naive as to believe that's still a thing now that they brag about using "parallel construction"?

      • (Score: 2) by urza9814 on Wednesday November 12 2014, @04:52PM

        by urza9814 (3954) on Wednesday November 12 2014, @04:52PM (#115261) Journal

        They might be able to use power supply, too. Running servers and routers requires some juice. Assuming these guys hosted their own stuff (probably), it's not an infinitely small thing. Lots of marijuana growers are spotted using heat signatures and electric bills. Might be the same kind of thing.

        Highly doubtful. You can do that for marijuana because the guys are trying to replicate *the sun*. Those grow lights are probably hundred watt bulbs, and the operations they bust would have dozens or even hundreds of lights. We're talking several kilowatts of power usage.

        How much power do you really think Silk Road servers used? A cheap VPS solution (Digital Ocean, $5/month) gives half a gig of RAM, one CPU core, and 20GB space. My laptop has 12GB of RAM, 4 CPU cores, and 1.25TB of space. My laptop uses under 100W. The increased draw from running Silk Road 2.0 would probably be about equal to the increased draw from leaving a single lightbulb running. There are infinitely many things that could cause that kind of increase. New laptop, new TV, a guest staying over, replacing a lightbulb that burnt out months ago, cooking a few extra meals at home (electric stove or oven.) Hell, try that this month where I live (Rhode Island) and you'd probably bust a few dozen people who have started pulling space heaters out of the closet for the winter. Those things can draw a couple kilowatts each.

    • (Score: 4, Interesting) by Hairyfeet on Monday November 10 2014, @11:30PM

      by Hairyfeet (75) <{bassbeast1968} {at} {gmail.com}> on Monday November 10 2014, @11:30PM (#114673) Journal

      From what I read (sorry don't have time to Bing it, but it shouldn't be hard to find) the guy that ran the Doxxing onion site said he had gotten several DDoS in a short period of time which was followed by it disappearing completely and what he figured is that they DDoSed the network so that the only nodes not getting pounded were ones in their control so they could then trace the location. Considering we are talking about members of five eyes [wikipedia.org] this is probably pretty easy for them to pull off, which means if true Tor is worth exactly jack and squat when it comes to protecting you from western crackdowns as only the smaller nation states without the number of allies required to pull this off would be unable to trace. Considering what Snowden showed us and the "Do as we say, not as we do" attitude of the US? Sadly it really doesn't surprise me that those at the forefront of attacking free speech networks would be the USA.

      Oh and before somebody says "But but but criminals!" I'd remind you that criminal is whatever the government wants it to be and that it wasn't so long ago that being labeled communist or fighting for civil rights was treated as worthy of investigation, hell we even have evidence that the occupy movement had double agents. Remember that they ALWAYS use the scumbags as an excuse to curtail freedoms, they then simply add to the definition of what equals a scumbag.

      --
      ACs are never seen so don't bother. Always ready to show SJWs for the racists they are.
      • (Score: 0) by Anonymous Coward on Tuesday November 11 2014, @01:42PM

        by Anonymous Coward on Tuesday November 11 2014, @01:42PM (#114821)

        can this country be over now

        we had a great run but it's way too big and things are starting to stink hardcore

        • (Score: 0) by Anonymous Coward on Tuesday November 11 2014, @02:35PM

          by Anonymous Coward on Tuesday November 11 2014, @02:35PM (#114836)
          Speaking on behalf of the rest of the world. No. Too dangerous. The USA still has a lot of nukes.
  • (Score: 2) by DECbot on Monday November 10 2014, @07:30PM

    by DECbot (832) on Monday November 10 2014, @07:30PM (#114592) Journal

    GET /.nsa-phone-home.php?host=home.nsa.gov HTTP/1.1
    Host: www.silkroad2-point-oh.com
    User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1 NSA Edition)

    --
    cats~$ sudo chown -R us /home/base
    • (Score: 2) by jasassin on Monday November 10 2014, @09:09PM

      by jasassin (3566) <jasassin@gmail.com> on Monday November 10 2014, @09:09PM (#114627) Homepage Journal

      GET /.nsa-phone-home.php?host=home.nsa.gov HTTP/1.1
      Host: www.silkroad2-point-oh.com
      User-Agent: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1 NSA Edition)

      I have no idea what the hell you are talking about. How does that give the IP address of a hidden service? Sure if the feds post a link and you click on a link, it might give your IP address, but how does it give Silk Road 2.0's IP address?

      --
      jasassin@gmail.com GPG Key ID: 0xE6462C68A9A3DB5A
      • (Score: 3, Interesting) by DECbot on Monday November 10 2014, @09:27PM

        by DECbot (832) on Monday November 10 2014, @09:27PM (#114634) Journal

        The joke is that apache, IIS, etc are universally compromised. GET the super secret php file with the right user agent string and the server spits out its IP address, bypassing the anonymization of Tor. The question is, is it easier for the NSA to capture enough exit nodes to map the tor network, or to ddos the tor network, or to compromise the guys responsible for compiling the binaries for the distros, Microsoft, and tor?

        --
        cats~$ sudo chown -R us /home/base
    • (Score: 2, Interesting) by KiloByte on Monday November 10 2014, @11:24PM

      by KiloByte (375) on Monday November 10 2014, @11:24PM (#114670)

      Which on any properly configured secret service will give you only an RFC1918 address. The first rule for secret services is to compartmentalize external network access away from the service itself. This means, the Tor daemon must be on a different box (physical or VM) than your web server.

      Too bad, I see some common hidden service HOWTOs [github.com] lacking this critical step.

      As the Tor daemon must be able to access a good part of the Net to contact other Tor nodes, any other process on the machine will be able to either do that (from your real IP), query that IP, query some other means of identification, etc. No matter how much you try to secure it, you won't get everything -- the NSA and FBI know bugs in Apache, lighttpd, Nginx, the kernel and whatever else you're using better than you.

      But if your secret machine doesn't know its own IP address, it can't leak it.

      --
      Ceterum censeo systemd esse delendam.
      • (Score: 2) by cykros on Wednesday November 12 2014, @01:33AM

        by cykros (989) on Wednesday November 12 2014, @01:33AM (#115031)

        While I appreciate the detail you put into this, I have to wonder if it'd not just be easier to run it all on a NAT'ed host (because, like in your example, said host will again not know its own public IP address and thus, as far as I can tell anyway, not be able to leak it).

        I'd love to know why I'm wrong though, if so.
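The separate-box rule KiloByte describes, turned into a check on the torrc side (an added example, not code from the page or from the Tor Project): it parses the HiddenServicePort lines, expands each target the way tor's defaults do (omitted target, bare port, bare host, unix: socket), and flags targets that leave the web server on the Tor host or on a publicly routable address. The torrc below is constructed; the check only covers what torrc reveals, so a NAT'ed backend as in the reply above still needs its own egress rules verified separately.

```python
"""Lint HiddenServicePort targets in a torrc for the Tor-daemon / web-server
split discussed in the thread. Verdicts:
  OK        target is an RFC 1918 (or IPv6 ULA) address, i.e. a separate box
  SAME-HOST loopback or unix socket: the web server shares the Tor host
  PUBLIC    target is publicly routable, so the backend has an address to leak
  HOSTNAME  not an IP literal; resolve and check by hand
"""
import ipaddress
import re

# RFC 1918 ranges, listed explicitly: ipaddress.is_private also counts
# loopback and documentation ranges, which is not what we want here.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IPV6_ULA = ipaddress.ip_network("fc00::/7")

# Constructed sample torrc (not taken from any real deployment).
SAMPLE_TORRC = """\
HiddenServiceDir /var/lib/tor/shop/
HiddenServicePort 80 127.0.0.1:8080
HiddenServicePort 443 10.10.0.5
HiddenServiceDir /var/lib/tor/admin/
HiddenServicePort 22 203.0.113.7:22
HiddenServicePort 80 unix:/run/www.sock
HiddenServicePort 8080
"""

LINE_RE = re.compile(r"^\s*HiddenServicePort\s+(\d+)(?:\s+(\S+))?", re.IGNORECASE)


def parse_target(virtport, target):
    """Expand a HiddenServicePort TARGET to (host, port) following tor's
    defaults: omitted -> 127.0.0.1:VIRTPORT, bare port -> 127.0.0.1:port,
    bare host -> host:VIRTPORT, unix:PATH -> ("unix", PATH)."""
    if target is None:
        return "127.0.0.1", virtport
    if target.startswith("unix:"):
        return "unix", target[5:]
    if target.isdigit():
        return "127.0.0.1", int(target)
    if target.startswith("["):                       # [v6addr]:port or [v6addr]
        host, _, rest = target[1:].partition("]")
        port = rest.lstrip(":")
        return host, (int(port) if port.isdigit() else virtport)
    host, sep, port = target.rpartition(":")
    if sep and port.isdigit():
        return host, int(port)
    return target, virtport


def classify(host):
    """Map a target host to one of the verdicts in the module docstring."""
    if host == "unix":
        return "SAME-HOST"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "HOSTNAME"
    if addr.is_loopback:
        return "SAME-HOST"
    if addr.version == 4 and any(addr in net for net in RFC1918):
        return "OK"
    if addr.version == 6 and addr in IPV6_ULA:
        return "OK"
    return "PUBLIC"


def lint_torrc(text):
    """Return (line_no, virtport, host, port, verdict) for every
    HiddenServicePort line; anything other than OK deserves a look."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = LINE_RE.match(line)
        if not m:
            continue
        virtport = int(m.group(1))
        host, port = parse_target(virtport, m.group(2))
        findings.append((line_no, virtport, host, port, classify(host)))
    return findings


if __name__ == "__main__":
    for line_no, vport, host, port, verdict in lint_torrc(SAMPLE_TORRC):
        print(f"line {line_no}: {vport} -> {host}:{port}  {verdict}")
```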

  • (Score: 1) by DMS on Monday November 10 2014, @08:02PM

    by DMS (4349) on Monday November 10 2014, @08:02PM (#114604)

    Speculative, but (IMHO) well-reasoned article at Ars Technica:

    http://arstechnica.com/security/2014/11/silk-road-other-tor-darknet-sites-may-have-been-decloaked-through-ddos/ [arstechnica.com]

  • (Score: 2, Insightful) by jmorris on Monday November 10 2014, @08:47PM

    by jmorris (4844) on Monday November 10 2014, @08:47PM (#114618)

    People think they can run a 'secret' network with all of the fail of the public net. Same captchas, webbugs, cookies, ad networks, javascript infested pages. And buy physical products and not be tracked. Even knowing the Feds can walk right in and buy stuff so they can track the whole thing. Now consider most Tor users are on Windows and typically have multiple infestations and are subject to Fed hosted scam sites to infect them and use their PC to explore the Tor space by watching where they go.

    Security is hard. Law enforcement has vastly more resources to throw at the problem than the criminal underground is going to be able to invest in countermeasures. No magic crypto pixie dust is going to fix that problem.

    • (Score: 2) by mrchew1982 on Tuesday November 11 2014, @01:02AM

      by mrchew1982 (3565) on Tuesday November 11 2014, @01:02AM (#114691)

      Your post makes me wonder if it would be possible to make up secure USB sticks and mail them to potential users, and if that would bypass any of the surveillance systems in place. Of course the physical distribution of the stick would open another vulnerability... Maybe a pass along system with each stick able to make an exact byte-level copy of itself?

      I also wonder if fragmentation might be a good thing in this case, instead of having one silk road server with thousands of users, make hundreds of servers with less than a thousand users each. Of course that would ruin the bazaar model so there would have to either be some kind of reputation system to give you access to more servers or some kind of back end to distribute the listings, once again making potential vulnerabilities.

      Idk if it's possible to outsmart/outwit the law enforcement systems in place, going up against someone with unlimited power and almost limited budget seems foolhardy at best.

    • (Score: 2) by cykros on Wednesday November 12 2014, @01:43AM

      by cykros (989) on Wednesday November 12 2014, @01:43AM (#115035)

      Outside of the issue of delivering physical products, it'd seem most of the "resources" required actually boil down to being willing to take a pass on a lot of the web 2.0 features and keep things a bit more spartan than many have bothered with.

      They're convenient...and like most convenient things, should probably be given a pass when security above all else is the goal. That big company hosted captchas (or indeed, any offsite content from the clearnet is being loaded at all) are used is a real head scratcher that has me expecting that some of these folks are sampling their product a bit too much while building their services.

      I have to wonder if there'd be room for improvement by ditching web interfaces altogether and opting for something like a service that is connected to via SSH. Obviously this isn't a magic bullet, but it'd seem like the web trying to encompass anything and everything makes it perhaps the most attackable of all majorly used protocols. Folks like sdf.lonestar.org have been hosting various interesting services over SSH (the big example with them is a bulletin board accessible right from the command line) for a good while now, and it'd seem to me that securing OpenSSH would be a lot easier than Apache...

  • (Score: 0) by Anonymous Coward on Monday November 10 2014, @09:21PM

    by Anonymous Coward on Monday November 10 2014, @09:21PM (#114631)

    ...requires multi-user keyboards

    https://www.youtube.com/watch?v=u8qgehH3kEQ [youtube.com]

  • (Score: 3, Funny) by pogostix on Tuesday November 11 2014, @12:16AM

    by pogostix (1696) on Tuesday November 11 2014, @12:16AM (#114683)

    How does one set up an online marketplace on tor?
    Hypothetically :)

  • (Score: 2) by Sir Finkus on Tuesday November 11 2014, @01:37AM

    by Sir Finkus (192) on Tuesday November 11 2014, @01:37AM (#114698) Journal

    There's an interesting thread on the Tor mailing lists where one of the admins of a seized site posted their logs.
    https://lists.torproject.org/pipermail/tor-dev/2014-November/007731.html [torproject.org]

    It looks to me that there are a few possible attacks on the site that could have been law enforcement prodding for weaknesses. In the case of SR 2.0, that just seems like a case of bad opsec by the admins. The site had been compromised by undercovers since May. The head admin was also administrating the site over clearnet, and any of the other admins could see access logs with his real IP. I'd imagine it's pretty easy to pwn a site if you're an admin on it.