Tor Developers, Privacy Wonks Desperately Searching To Figure Out How The Feds Broke Tor To Find Hidden Servers
from the the-hunt-is-on dept
As we mentioned in last week’s post on the arrest of Blake Benthall, the alleged operator behind Silk Road 2.0, the arrest was actually part of a larger global effort to take down around two dozen “darknet” websites. While the Benthall indictment does talk about an undercover Homeland Security employee who infiltrated Silk Road 2.0 to gather evidence, a key part of the evidence gathering is left vague: how did officials find the actual servers that were supposedly hidden by Tor? In the past few days, a big effort has been undertaken by a bunch of folks, including key Tor developers to try to work out how all of this happened:
Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of Torservers.net disappeared and there is another report by an independent relay operator. If anyone has more details, please get in contact with us. If your relay was seized, please also tell us its identity so that we can request that the directory authorities reject it from the network.
But, more to the point, the recent publications call the targeted hidden services seizures “Operation Onymous” and they say it was coordinated by Europol and other government entities. Early reports say 17 people were arrested, and 400 hidden services were seized. Later reports have clarified that it was hundreds of URLs hosted on roughly 27 web sites offering hidden services. We have not been contacted directly or indirectly by Europol nor any other agency involved.
Tor is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents. We are also interested in learning why the authorities seized Tor relays even though their operation was targetting hidden services. Were these two events related?
The Tor post lists out a number of possible scenarios under which the hidden servers were located, including bad operational security (opsec), SQL injections (because, of course), Bitcoin deanonymization and attacks on the Tor network. That last one is getting a lot of attention for a variety of reasons. Kashmir Hill over at Forbes has an interesting post exploring the possible connection with the cancelled Black Hat talk from this summer about identifying Tor users, which was done by some Carnegie Mellon researchers. Around that time, Tor also revealed that its network had been compromised, and asked everyone to upgrade to patch vulnerabilities. Many assume these two things were connected.
If you control enough of the Tor network, it?s possible to get a kind of bird?s eye view of the traffic being routed through it. It was clear that Tor thought the Carnegie Mellon researchers were responsible. The researchers refused to talk to the press, but a conference spokesperson told Reuters the talk was canceled because the researchers hadn?t cleared the release of their work through their department, the Software Engineering Institute, which receives funding from the Defense Department. At the time, many assumed that the university pulled the plug on the talk because of academic ethics considerations and the gray legal zone it was in, with the researchers casually intercepting Web traffic. But maybe it got pulled because the researchers were revealing a law enforcement technique that the government did not want publicized. If nothing else, it?s highly likely the information the researchers collected about ?drug dealers and child pornographers? made its way into law enforcement hands. McCord said he was ?unable to comment on the matter.? Carnegie Mellon?s SEI declined comment about the canceled talk and about whether it had provided information from the research to law enforcement.
Hill also quotes Nicholas Weaver with some thoughts on what happened:
?I am 95% certain that law enforcement did a mass de-anonymization attack on Tor hidden services,? says Nicholas Weaver, a researcher at the International Computer Science Institute. He called any link to the earlier research ?circumstantial.? But he points out that the work the researchers did was expensive. A ?back of the envelope estimate suggests that whoever was running the attack on Tor at the beginning of the year using [Amazon hosting services] spent at least $50,000 in computer time,? says Weaver. That?s not the kind of money an academic can spend on a hobby project.
Meanwhile, one of the (still free) operators of a Tor hidden site that was taken down by the feds, Doxbin, has stepped forward to release a bunch of log files and related information to potentially track down how it was discovered (he posted on a mailing list using the amusing subject line of “yes hello, internet supervillain here.” This has resulted in much more speculation on what kind of attack was being run.
As it stands, no one (other than law enforcement) knows exactly how this came down, but I would imagine that it won’t be long until people have figured out what likely happened, and fixes are put in place. This, of course, is the nature of any sort of anonymization effort. People will always break it for some reason or another, and then it’s just an ongoing back and forth to fix holes and improve the system…