SoylentNews is people
SoylentNews
Little is known about how U.S. and European law enforcement shut down more than 400 websites, including Silk Road 2.0, which used technology that hides their true IP addresses. The websites were set up using a special feature of the Tor network, which is designed to mask people’s Internet use using special software that routes encrypted browsing traffic through a network of worldwide servers.
The Tor Project, is a nonprofit that relies in part on donations. The project “currently doesn’t have funding for improving the security of hidden services,” wrote Andrew Lewman, the project’s executive director, in a blog post on Sunday. ( https://blog.torproject.org/blog/thoughts-and-concerns-about-operation-onymous )
It is possible that a remote-code execution vulnerability has been found in Tor’s software, or that the individual sites had flaws such as SQL injection vulnerabilities. But Lewman wrote The Tor Project had little information on the methods used by law enforcement in the latest action.
“Tor is most interested in understanding how these services were located and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents,” he wrote.
http://www.pcworld.com/article/2845352/tor-project-mulls-how-feds-took-down-hidden-websites.html
[Related]: https://blog.torproject.org/blog/hidden-services-need-some-love
Can anybody help Andrew Lewman understand what happened ?
(Score: 2) by cykros on Wednesday November 12 2014, @01:43AM
Outside of the issue of delivering physical products, it'd seem most of the "resources" required actually boil down to being willing to take a pass on a lot of the web 2.0 features and keep things a bit more spartan than many have bothered with.
They're convenient...and like most convenient things, should probably be given a pass when security above all else is the goal. That big company hosted captchas (or indeed, any offsite content from the clearnet is being loaded at all) are used is a real head scratcher that has me expecting that some of these folks are sampling their product a bit too much while building their services.
I have to wonder if there'd be room for improvement by ditching web interfaces altogether and opting for something like a service that is connected to via SSH. Obviously this isn't a magic bullet, but it'd seem like the web trying to encompass anything and everything makes it perhaps the most attackable of all majorly used protocols. Folks like sdf.lonestar.org have been hosting various interesting services over SSH (the big example with them is a bulletin board accessible right from the command line) for a good while now, and it'd seem to me that securing OpenSSH would be a lot easier than Apache...