Yes, The FBI Used Malware To Try To Reveal Tor Users
from the confirmed dept
While some reports had suggested that it was the NSA involved, it seemed much more likely (as we predicted) that the FBI was behind the attempt to control Freedom Hosting’s servers and effectively insert a bit of malware designed to identify users of the Tor Browser, who thought they were anonymous. And, now the FBI has more or less admitted it as part of its effort to extradite Eric Eoin Marques, the owner of Freedom Hosting, from Ireland. The FBI has been known to use malware like this, though it had repeatedly tried to keep it away from investigations involving more technically savvy folks, who might discover it and reveal it to the world. Too late for that now, of course.
Freedom Hosting clearly hosted some very bad stuff, and there’s nothing wrong with law enforcement looking to find and arrest those who are involved in criminal activities — but when it reaches the level of installing effective malware and re-identifying a ton of people who chose to be anonymous, many of whom are not criminals at all, it begins to raise questions about how appropriate (or legal) the activity really is. Taking control over all Freedom Hosting servers and inserting some code really seems like an incredibly questionable move.
Comments on “Yes, The FBI Used Malware To Try To Reveal Tor Users”
“…seems like an incredibly questionable move.”
Now standard practice for the US government.
Moral VS Legal
The FBI needs to be careful when it comes to things like this. Even if it is legal, and I’m not saying it is, it certainly sets a double standard.
Any time you have something along the lines of “Normal people can’t do this, but the government can,” you run into tricky balance of power issues. Even worse, if the government does something too often or particularly bad people start asking “Why can’t I do this? If the government is doing it then it might be illegal, but it’s probably not immoral.”
This doesn’t even get into the abuse of power issues. Just compare the Lori Drew case to what the government has admitted to doing here. In the first they tried to twist a hacking law to apply to violating a website’s Terms of Service. In the second, they deliberately hacked potentially innocent third party computers. This clear abuse of power is why many people don’t trust the government, and are beginning to believe that laws have lost touch with their moral roots.
Re: Moral VS Legal
“… laws have lost touch with their moral roots.”
It’s a lot worse than just the laws losing touch with their moral roots but those making them losing touch. Feinstein is a prime example.
Re:
It wasn’t exploitation of a user’s computer.
It wasn’t “malware” as usually defined.
It used a javascript to locate an item from outside tor, then the real IP was logged.
Yes you can say it’s malware. But its maliciousness is revealing an original IP. Not exactly real malware in my book.
Also.. “normal people” can do this. It’s not illegal.
eg…
Hosted image on your server.
Use that image as your profile image on a forum.
You log IP of anyone requesting that image.
Hence… anyone that visits your profile on that forum. You will have their IP.
Completely justified tactic imho. It’s what they do with the ip addresses after they get them that is important.
Re: Re: Re:
to add…
If it was illegal then all third party advertising is also illegal. They get your IP address from visiting an unrelated site. They even track cookies and other sites you have been to. They do a hell of a lot more than just log your IP.
Not to say there are not double standards. There are plenty of occasions where the “power” can do whatever they want and the “powerless” would get punished for the same actions. This is not one of those cases though.
Re: Re: Re:
You’d think that by now people would be smart enough to disable javascript, cookies, etc..
Re: Re: Re: Re:
yeah…
I would disable JS when browsing hidden services on tor… which I rarely do (nothing there of interest to me). But when using tor just for anonymous signups etc.. on the clearnet, I just enable JS. JS is enabled everywhere else.
Cookies/trackers/ads on the other hand. Disabled by default. only allow the needed ones.
Re: Re: Re:2 Re:
There’s no point in bothering with disabling cookies if you’re leaving Javascript enabled. Why not just leave it disabled all the time?
Or, if you’re using one of those brain-dead sites that require Javascript to function, use NoScript so that you can allow just the specific JS code that’s required to make the page work while still disallowing the code that’s used for tracking and advertising.
Re: Re: Re:
disregard… I was wrong
It was malware in the classic sense. Ran code on windows box via exploitation.
Re: Re: follow the links dumbass...
Not just the IP address, but also the victim’s MAC address and Windows hostname, bypassing tor over standard http which allowed anyone sniffing traffic to also snag this info.
Additionally, it issued a serial number labeling said visit.
Re: Re: Re: follow the links dumbass...
I see you recanted. My apologies.
Re: Moral VS Legal
Laws have no morals, they are just words. Rather it is the lawmakers and enforcers who have misplaced their moral compasses…….
Re: Moral VS Legal
What would be absolutely hilarious, is if one of those hack-back bills eventually passes…without language making it clear you’re not allowed to hack-back governments.
FBI hacks someone, the next day the entire US .gov network goes down…and no crime has been committed.
Damn Irish, why don’t they just follow the laws Congress passes?
You’d think that if the government can do this, they could use this technique against Silk Road, since it operates as a hidden service on the Tor network. But why would they, if they’re the ones who run it?
“Marques allegedly dove for his laptop when the police raided him, in an effort to shut it down.”
Sounds like someone was using full disk encryption, without wiring up a panic button.
I use the ‘clapper’ as my panic button. Clap on (clap clap)… Clap off (clap clap)… the clapper 🙂
I’m joking. I don’t have a panic button.
Re: Re:
One would think a clapper commercial would also set it off. If anything James Clapper needs wired to a Clapper.
Re: Re: Re:
All this talk of Clapper makes me want to go watch a few episodes of “Rags To Riches”.
Why isn’t Marques being prosecuted in Ireland? Isn’t child porn illegal there?
Sure, the FBI was the agency that found him, but why does he need to be extradited to the US to face punishment? Is the US afraid that Ireland won’t give him a hefty enough sentence?
As far as I can see, he has no ties to the US other than having used a US bank, so why is he going to be tried in the US? I know the US likes to think so, but is the US officially now the world’s internet enforcer? All crimes involving the net must now be handled by the US?
I just don’t understand why all the evidence wasn’t handed off to Ireland’s authorities so that he could be arrested and tried there.
Re: Re:
Because the US government owns the world!
Every time I wanted to unmask someone I at least had the courtesy of sending him a nude photo or something so only him/her would get infected.
What they did there was the napalm option, instead of the cruise missile.
oh well
You should have and can presume privacy in your bathroom and bedroom. When you step into public, outside your home, browse through the mall, drive a car (the law rightfully classifies a car as a dangerous instrumentality), you should have NO presumption of privacy. You didn’t construct the net, rocket satellites into space, develop tactical satellites and craft to defend those satellites, maintain the spectra by which the communications are sent, etc., etc., – In fact the government does much of that. If you go outside your bathroom and bedroom and decide to conduct your life/lives in public: You have NO presumption of privacy – Period. When are some folks going to grow up out of their distorted fantasies and GET this? If you think joining some double-SSL-encrypted psycho-net to practice pedophilia, or associating with like browsers will leave you unscathed, think again. Yeah!! Someone’s willing to protect the public from sociopaths. GO FBI!!
Re: oh well
You’re missing the point entirely. The laws and morals be damned mentality much of the government today operates under is indicative of an organization that simply has no respect for the people it supposedly exists to represent. And when you have a powerful organization that self-justifies its every action, not even your bathroom or bedroom is safe anymore. If this government could remotely activate cameras and/or microphones in your house and record your life 24/7, THEY WOULD. Consider the number of Web cams, video game systems and now cable boxes coming with cameras.
So go on praising the government’s actions, John. Just remember it when they render the places YOU think should be private no longer so. Maybe you won’t feel quite so smug then.
Re: oh well
Nice try… as if “somehow” one should not expect privacy in one’s kitchen, living room, basement, hallway, foyer, garage, etc. – only in one’s “bathroom and bedroom”…
You calling tor a “psycho net” is not only intellectually unjustifiable, but in addition, using Tor does not “associate” one with other Tor users any more than YOU using a telephone associates YOU with some goddamned psycho who also used a telephone.
Re: oh well
So I can’t expect privacy in my yard, my living room, my kitchen, when at a friend’s house, etc? I can’t expect privacy with my encrypted data? Methinks your analysis is far, far too simplified.
But who’s going to protect the public from the sociopathic FBI?
Oh Well
Maybe we didn’t do all those things but we did pay for much of it(taxes).
And I don’t suppose anyone in charge of these so-called ‘security agencies’ can see anything wrong with what has happened? If it had been an ordinary person that did this, even if just to prove that it could be done, not for any malicious reason, they would have been banged up straight away, just like others have been in the USA who have discovered, then reported flaws in software. What the hell has happened to the simple ‘thanks for telling us about that. You have saved a lot of ****whatever? Why is it now so much worse to make a government, company, person feel embarrassed because of something that has failed, than to be grateful??
Our government at work. Welcome to the Police State of America where the only real revenue comes from locking people up. There is no more parole. Why would a private prison company let you go when they can make money from you? Prisoners are huge business. So lock up everyone that even smells wrong.
targeted Windows machines... for now.
Another example of why you shouldn’t use Windows.
Lamers.
Schmucks
Read the legal docs, the custom code only targeted the end users looking for child porn and those particular sites hosting it.
Any stupid fuck who thinks law enforcement should these means to find pedophiles to reevaluate reality
re: Schmucks
should= shouldn’t, and you’re missing a ‘needs’?
Everything I’ve read says it targeted the entirety of sites hosted on freedom hosting, including Tormail.
Please cite your source on these legal documents, I’m sure I wouldn’t be the only one interested. I think most anyone would agree there’s a huge difference between targeting pedos, and targeting everyone.
The means justify the ends. We need to find one criminal (fair, noble goal that should be pursued) but to do so we are gonna spy on 3 billion people. Sounds fair.
Re: Re:
The tighter your grip, the darker the head will turn.
The tighter your grip! The more star systems will slip through your fingers.