SoylentNews is people

posted by janrinok on Wednesday August 06 2014, @04:37PM
from the the-user-is-the-weakest-link dept.

From the Wired article, "Instead of going for the easy bust, the FBI spent a solid year surveilling McGrath, while working with Justice Department lawyers on the legal framework for what would become Operation Torpedo. Finally, on November 2012, the feds swooped in on McGrath, seized his servers and spirited them away to an FBI office in Omaha.

A federal magistrate signed three separate search warrants: one for each of the three hidden services. The warrants authorized the FBI to modify the code on the servers to deliver the NIT to any computers that accessed the sites. The judge also allowed the FBI to delay notification to the targets for 30 days."


The FBI modified the .onion sites to serve a malicious script which was used to de-anonymize users. It's worth noting that only those using Tor improperly would be vulnerable. The FBI tracking payload required scripting to be enabled in the browser--a common blunder among inexperienced Tor users.

 
  • (Score: 3, Insightful) by kaszz (4211) on Wednesday August 06 2014, @05:55PM (#78126)

    Bottom line seems to be that HTML and JavaScript don't go well with security. You could just extend the FONT tag and get a stack overflow that gives you shell etc. And JavaScript rats you out right away. If this pile-of-shit needs to be run then use a tight sandbox which doesn't know its own location (IP) and has an enforced endpoint in the middle of the onions so it can't be used to tell which entry server is used either.

    In the beginning HTML produced structured information. Now it provides heat generation and smeared privacy. Oh and plenty of bugs of course.

    Tip to any site operators: Install a logic agent that fucks up the server if it's meddled with or moved etc. in any way.
