
SoylentNews is people

posted by janrinok on Monday November 10 2014, @06:14PM
from the your-help-is-needed dept.

Little is known about how U.S. and European law enforcement shut down more than 400 websites, including Silk Road 2.0, which used technology that hides their true IP addresses. The websites were set up using a special feature of the Tor network, which is designed to mask people’s Internet use using special software that routes encrypted browsing traffic through a network of worldwide servers.

The Tor Project is a nonprofit that relies in part on donations. The project “currently doesn’t have funding for improving the security of hidden services,” wrote Andrew Lewman, the project’s executive director, in a blog post on Sunday (https://blog.torproject.org/blog/thoughts-and-concerns-about-operation-onymous).

It is possible that a remote-code execution vulnerability has been found in Tor’s software, or that the individual sites had flaws such as SQL injection vulnerabilities. But Lewman wrote The Tor Project had little information on the methods used by law enforcement in the latest action.

“Tor is most interested in understanding how these services were located and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents,” he wrote.

http://www.pcworld.com/article/2845352/tor-project-mulls-how-feds-took-down-hidden-websites.html

[Related]: https://blog.torproject.org/blog/hidden-services-need-some-love

Can anybody help Andrew Lewman understand what happened?

 
  • (Score: 2, Insightful) by jmorris on Monday November 10 2014, @08:47PM

    by jmorris (4844) on Monday November 10 2014, @08:47PM (#114618)

    People think they can run a 'secret' network with all of the fail of the public net. Same captchas, webbugs, cookies, ad networks, javascript infested pages. And buy physical products and not be tracked. Even knowing the Feds can walk right in and buy stuff so they can track the whole thing. Now consider most Tor users are on Windows and typically have multiple infestations and are subject to Fed hosted scam sites to infect them and use their PC to explore the Tor space by watching where they go.

    Security is hard. Law enforcement has vastly more resources to throw at the problem than the criminal underground is going to be able to invest in countermeasures. No magic crypto pixie dust is going to fix that problem.

  • (Score: 2) by mrchew1982 on Tuesday November 11 2014, @01:02AM

    by mrchew1982 (3565) on Tuesday November 11 2014, @01:02AM (#114691)

    Your post makes me wonder if it would be possible to make up secure USB sticks and mail them to potential users, and if that would bypass any of the surveillance systems in place. Of course the physical distribution of the stick would open another vulnerability... Maybe a pass along system with each stick able to make an exact byte-level copy of itself?

    I also wonder if fragmentation might be a good thing in this case, instead of having one silk road server with thousands of users, make hundreds of servers with less than a thousand users each. Of course that would ruin the bazaar model so there would have to either be some kind of reputation system to give you access to more servers or some kind of back end to distribute the listings, once again making potential vulnerabilities.

    Idk if it's possible to outsmart/outwit the law enforcement systems in place, going up against someone with unlimited power and almost limited budget seems foolhardy at best.

  • (Score: 2) by cykros on Wednesday November 12 2014, @01:43AM

    by cykros (989) on Wednesday November 12 2014, @01:43AM (#115035)

    Outside of the issue of delivering physical products, it'd seem most of the "resources" required actually boil down to being willing to take a pass on a lot of the web 2.0 features and keep things a bit more spartan than many have bothered with.

    They're convenient...and like most convenient things, should probably be given a pass when security above all else is the goal. That big company hosted captchas (or indeed, any offsite content from the clearnet is being loaded at all) are used is a real head scratcher that has me expecting that some of these folks are sampling their product a bit too much while building their services.

    I have to wonder if there'd be room for improvement by ditching web interfaces altogether and opting for something like a service that is connected to via SSH. Obviously this isn't a magic bullet, but it'd seem like the web trying to encompass anything and everything makes it perhaps the most attackable of all majorly used protocols. Folks like sdf.lonestar.org have been hosting various interesting services over SSH (the big example with them is a bulletin board accessible right from the command line) for a good while now, and it'd seem to me that securing OpenSSH would be a lot easier than Apache...
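
The point raised in the thread about hosted captchas and other offsite content, as an added example that is not part of the original discussion: a service operator can audit their own page markup for resources the visitor's browser would fetch from a host other than the service itself. The host names and the sample HTML below are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tag -> attributes whose URL a browser typically fetches on page load.
# <link href> is flagged whatever its rel value; review those by hand.
FETCH_ATTRS = {
    "script": ("src",), "img": ("src",), "iframe": ("src",),
    "link": ("href",), "embed": ("src",), "object": ("data",),
    "audio": ("src",), "video": ("src", "poster"), "source": ("src",),
}

class OffsiteAudit(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value and name in FETCH_ATTRS.get(tag, ()):
                # Relative and data: URLs have no hostname and stay local.
                host = urlsplit(value).hostname
                if host and host != self.own_host:
                    kind = "onion" if host.endswith(".onion") else "clearnet"
                    self.findings.append((tag, host, kind))

def audit(html, own_host):
    """Return (tag, host, kind) for every resource loaded from another host."""
    parser = OffsiteAudit(own_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page and placeholder host names.
OWN_HOST = "placeholderaddress.onion"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="//captcha.example.com/api.js"></script>
</head><body>
<img src="http://placeholderaddress.onion/logo.png">
<img src="https://cdn.example.net/pixel.gif">
<iframe src="https://captcha.example.com/frame"></iframe>
</body></html>"""

if __name__ == "__main__":
    for tag, host, kind in audit(SAMPLE_HTML, OWN_HOST):
        print(f"<{tag}> loads from {host} ({kind})")
```

This only inspects static markup; requests issued by scripts or CSS at runtime are not seen, so a restrictive Content-Security-Policy header is the complementary control.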