Tor Developers, Privacy Wonks Desperately Searching To Figure Out How The Feds Broke Tor To Find Hidden Servers

from the the-hunt-is-on dept

As we mentioned in last week’s post on the arrest of Blake Benthall, the alleged operator behind Silk Road 2.0, the arrest was actually part of a larger global effort to take down around two dozen “darknet” websites. While the Benthall indictment does talk about an undercover Homeland Security employee who infiltrated Silk Road 2.0 to gather evidence, a key part of the evidence gathering is left vague: how did officials find the actual servers that were supposedly hidden by Tor? In the past few days, a big effort has been undertaken by a bunch of folks, including key Tor developers, to try to work out how all of this happened:

Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of disappeared and there is another report by an independent relay operator. If anyone has more details, please get in contact with us. If your relay was seized, please also tell us its identity so that we can request that the directory authorities reject it from the network.

But, more to the point, the recent publications call the targeted hidden services seizures “Operation Onymous” and they say it was coordinated by Europol and other government entities. Early reports say 17 people were arrested, and 400 hidden services were seized. Later reports have clarified that it was hundreds of URLs hosted on roughly 27 web sites offering hidden services. We have not been contacted directly or indirectly by Europol nor any other agency involved.

Tor is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents. We are also interested in learning why the authorities seized Tor relays even though their operation was targeting hidden services. Were these two events related?

The Tor post lists out a number of possible scenarios under which the hidden servers were located, including bad operational security (opsec), SQL injections (because, of course), Bitcoin deanonymization and attacks on the Tor network. That last one is getting a lot of attention for a variety of reasons. Kashmir Hill over at Forbes has an interesting post exploring the possible connection with the cancelled Black Hat talk from this summer about identifying Tor users, which was done by some Carnegie Mellon researchers. Around that time, Tor also revealed that its network had been compromised, and asked everyone to upgrade to patch vulnerabilities. Many assume these two things were connected.

If you control enough of the Tor network, it’s possible to get a kind of bird’s eye view of the traffic being routed through it. It was clear that Tor thought the Carnegie Mellon researchers were responsible. The researchers refused to talk to the press, but a conference spokesperson told Reuters the talk was canceled because the researchers hadn’t cleared the release of their work through their department, the Software Engineering Institute, which receives funding from the Defense Department. At the time, many assumed that the university pulled the plug on the talk because of academic ethics considerations and the gray legal zone it was in, with the researchers casually intercepting Web traffic. But maybe it got pulled because the researchers were revealing a law enforcement technique that the government did not want publicized. If nothing else, it’s highly likely the information the researchers collected about “drug dealers and child pornographers” made its way into law enforcement hands. McCord said he was “unable to comment on the matter.” Carnegie Mellon’s SEI declined comment about the canceled talk and about whether it had provided information from the research to law enforcement.

Hill also quotes Nicholas Weaver with some thoughts on what happened:

“I am 95% certain that law enforcement did a mass de-anonymization attack on Tor hidden services,” says Nicholas Weaver, a researcher at the International Computer Science Institute. He called any link to the earlier research “circumstantial.” But he points out that the work the researchers did was expensive. A “back of the envelope estimate suggests that whoever was running the attack on Tor at the beginning of the year using [Amazon hosting services] spent at least $50,000 in computer time,” says Weaver. That’s not the kind of money an academic can spend on a hobby project.

Meanwhile, one of the (still free) operators of a Tor hidden site that was taken down by the feds, Doxbin, has stepped forward to release a bunch of log files and related information to potentially track down how it was discovered (he posted on a mailing list using the amusing subject line of “yes hello, internet supervillain here.”). This has resulted in much more speculation on what kind of attack was being run.

As it stands, no one (other than law enforcement) knows exactly how this came down, but I would imagine that it won’t be long until people have figured out what likely happened, and fixes are put in place. This, of course, is the nature of any sort of anonymization effort. People will always break it for some reason or another, and then it’s just an ongoing back and forth to fix holes and improve the system…


Comments on “Tor Developers, Privacy Wonks Desperately Searching To Figure Out How The Feds Broke Tor To Find Hidden Servers”

Anonymous Coward says:

Re: Re:

You can raid me. I used it. I’ve undergone several b/g checks by ICE and FBI, being a US person not of US origin. I used it to check out Walmart & Amazon prices without giving my zip code. I’ve also used VPNs and proxies. But you’re welcome anytime. Wasted time is not my problem. Go ahead.

That One Guy (profile) says:

Re: Re: Re: Getting more and more difficult to spot Poe's these days...

Like I said, it’s hard to tell these days.

When you’ve got freakin’ government officials talking about encryption like it’s this unholy grail of evil, and something that only the worst of the worst would ever want, while it would be disappointing if others started believing such laughable fearmongering and lies, it wouldn’t be impossible to imagine such happening.

Anonymous Coward says:

There was an interesting discussion about this on Soylentnews

Here is something I wrote

You guys are over complicating it. When you order something over these networks someone has to pay for these items. How do they plan to pay, by credit card, cash, money order? The feds can order something and track where that money goes and find someone to arrest. Additionally they can attempt to track the packages and their place of origin via the mail system. IOW, good old investigative work.

Anonymous Coward says:

Re: Re: Re:

Here, now that I’m finally not on a tablet I’ll just copy and paste it.


by hemocyanin (186) Subscriber Badge on Sunday November 09, @10:21AM (#114268)

I’m pretty sure the favored currency is bitcoin. I’m not a bitcoin user so I don’t know the various ways a user could be traced through the coin’s transaction history, but I’m pretty certain there is no place to send a subpoena to for account information, unlike visa, banks, etc.

my response

While Bitcoin is another payment option you are still missing the big picture.

Bitcoins can, to some extent, be traced. But the point is that even if these guys are using bitcoins, at some point those coins must either be converted to cash, credit card funds, or to something physical that can be purchased. If you try to buy a house with it the feds are going to investigate where you got the money to buy this nice property with no job. Furthermore they can purchase items themselves with bitcoins and try to trace where their expected packages are coming from and how their coins are being turned into cash and things someone can buy.

And the way to do this is relatively easy. They set up an address that wouldn’t otherwise receive mail and they order their items to be sent to that address. They then alert USPS, UPS, etc… to tell them if they receive a package intended for this destination. If they do it pops up on the computer and the feds get alerted about which post office first received the package. Then they know that whoever dropped that package off did so within the jurisdiction of this post office. They then order another package and continue their investigation from there.

What the online drug cartels might be able to do is try to drop their packages at different locations. Then it becomes a game of cat and mouse

by urza9814 (3954) on Monday November 10, @12:13PM (#114531) Journal

Yeah, they really don’t have to do anything special there. I too get alerted whenever UPS picks up a package destined for my address. Doesn’t cost me anything, just have to register with their app. When my dad sent me his laptop to fix a while back, it popped right up with the UPS store where he made the shipment. Then the cops just go to that store and ask for a record of who made the purchase. If they paid cash, you pull up the store surveillance video. How hard is that?

Of course, that all depends what’s being ordered. If it’s small enough to fit in a regular mail envelope that can be dropped in any box on the street…that might need something more complicated.

But that’s just to track the sellers. My understanding was that Silk Road was more of a marketplace for others to sell stuff. Unless the admin was stupid enough to be selling things themselves (which is not at all unlikely) those tricks wouldn’t work to shut down the site as a whole.


My response

True but how are the admins making money? Bitcoins? Even if so bitcoins can be traced to some extent. At some point those bitcoins need to eventually be turned into real money or property or something valuable and they can trace that.

and who’s paying the admins their money? Advertisers? They can trace who advertisers are sending money to and investigate from there.

Do the users or sellers pay the admins a fee? How is that money being paid? They can trace that. Even if it’s through bitcoins they can trace who’s exchanging bitcoins for bank funds or cash (if you are exchanging bitcoins directly for cash then who’s giving you the cash? A fed? Someone working for or being subpoenaed by the feds?). It’s not like you can buy a house with bitcoins and no one will notice. The feds will notice if you suddenly have a nice house in your name with no job. How are you paying for this? Bitcoins? Where are you getting these bitcoins and what are you doing to get them?

and if the sellers pay an admin fee the feds can set themselves up as a seller and try to trace where the funds are going. They can send themselves a package, pay for it, and continue their investigation from there.
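As an added example (not from the article or any of the commenters) of the point this exchange keeps coming back to, here is forward taint tracing over a constructed toy ledger in Python: coins are followed output by output from a market’s payout address until they land on an address where records can be requested, such as an exchange deposit. Every txid, address and label here is constructed.

```python
from collections import deque

# Constructed toy ledger (not real chain data). Each entry:
# txid -> {"inputs": [(txid, vout), ...], "outputs": [(address, value), ...]}
LEDGER = {
    "tx1": {"inputs": [], "outputs": [("market_payout", 10.0)]},                         # market collects fees
    "tx2": {"inputs": [("tx1", 0)], "outputs": [("mixer_a", 4.0), ("mixer_b", 6.0)]},     # split into two outputs
    "tx3": {"inputs": [("tx2", 0)], "outputs": [("mixer_c", 3.9)]},                       # one branch keeps moving
    "tx4": {"inputs": [("tx2", 1), ("tx5", 0)], "outputs": [("exchange_deposit", 7.5)]},  # merged with other coins and cashed out
    "tx5": {"inputs": [], "outputs": [("unrelated", 1.5)]},                               # coins with no link to the market
}

# Addresses where an investigator can ask for account records (the reply above:
# the exchange, not the market itself). Constructed labels.
KNOWN_ENDPOINTS = {"exchange_deposit": "Example Exchange (KYC records)"}


def spenders_of(txid: str, vout: int) -> list:
    """Return the txids whose inputs consume output (txid, vout)."""
    return [t for t, tx in LEDGER.items() if (txid, vout) in tx["inputs"]]


def trace_forward(start_address: str, max_hops: int = 10) -> list:
    """Follow every output downstream from start_address until an output lands on a
    labelled endpoint. Returns [(endpoint_address, label, [txid path]), ...].
    Reaching an endpoint shows the coins are connected, not who owns them: tx4 also
    pulls in the "unrelated" coins, which is why tracing works only "to some extent"."""
    start = [(t, i) for t, tx in LEDGER.items()
             for i, (addr, _) in enumerate(tx["outputs"]) if addr == start_address]
    queue = deque((out, [out[0]]) for out in start)
    seen, hits = set(), []
    while queue:
        (txid, vout), path = queue.popleft()
        if (txid, vout) in seen or len(path) > max_hops:
            continue
        seen.add((txid, vout))
        for spender in spenders_of(txid, vout):
            for i, (addr, _) in enumerate(LEDGER[spender]["outputs"]):
                if addr in KNOWN_ENDPOINTS:
                    hits.append((addr, KNOWN_ENDPOINTS[addr], path + [spender]))
                else:
                    queue.append(((spender, i), path + [spender]))
    return hits
```

Running `trace_forward("market_payout")` reports the exchange deposit via tx1, tx2, tx4; running it on "unrelated" reports the same deposit, which is the false-positive risk of following merged inputs.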

Anonymous Coward says:

First I heard it was one of those captcha things that busted the servers located in Iceland. Was browsing with TOR very recently and at the beginning of my session I checked my IP address as usual, the location was a country in Eastern Europe. At the end of my browsing I went to the VPN Gate site hosted by a University in Japan and my browser was listed in Great Britain. Went back to the original check your IP address site to double check and sure enough I had exited in Great Britain. I didn’t change my ID during the session, so how did my IP change from Eastern Europe to Great Britain? Sorry, but I don’t appreciate anyone eavesdropping on my correspondence so I will stick with a VPN or Tails in the foreseeable future. I also hear the Russians are messing with TOR connections too, so I’ll stay away for now. Seems everyone is a terrorist today, the Internet should be gone from our home by year’s end, the phone is gone already. If they feel they can fornicate with my privacy then they can keep their stinking hands out of my wallet. As for the guy up top pointing fingers and spouting off with false accusations, he is probably the one who needs watching. Yes I wish to remain anonymous at times, I reserve that privilege as a right, as in the Bill Of Rights. Yes I am sending this to the Techdirt site using a VPN.

IT guy says:

Re: Re:

Went back to the original check your IP address site to double check and sure enough I had exited in Great Britain. I didn’t change my ID during the session, so how did my IP change from Eastern Europe to Great Britain?

Because that is part of Tor’s ten minute interval circuit rotation where your Tor client selects a new circuit with three new nodes, including a new exit node.

The fact that the exit node is in the UK is irrelevant. Onion routing was specifically built so that control over an exit node, for example, isn’t enough to expose your IP address.

You are spreading misinformation because you know just enough to get yourself in trouble.
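As an added illustration of the reply above (not code from the article, the commenters or the Tor project): a toy three-hop onion circuit in Python that records what each relay can observe. The relay names, the client address 203.0.113.7 and the destination are constructed, and the HMAC-SHA256 keystream stands in for Tor’s real per-hop cipher; the point it demonstrates is that only the guard ever sees the client address and only the exit ever sees the destination.

```python
import hashlib
import hmac
import os

CLIENT_ADDR = "203.0.113.7"      # constructed client address (TEST-NET-3 range)
DESTINATION = "example.org:443"  # constructed destination reached via the exit


def _keystream(key: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256; a toy stand-in for Tor's cipher."""
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def _xor(key: bytes, data: bytes) -> bytes:
    """Symmetric: the same call adds or removes one encryption layer."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


def build_onion(hops: list, destination: str, payload: bytes) -> bytes:
    """hops: [(relay_name, hop_key), ...] from guard to exit, one key shared with each
    relay. Returns the cell handed to the guard. Peeling one layer reveals only the
    next hop's name plus an opaque blob that only the next relay can open."""
    cell = _xor(hops[-1][1], destination.encode() + b"|" + payload)  # innermost: exit layer
    for (_, outer_key), (inner_name, _) in zip(reversed(hops[:-1]), reversed(hops[1:])):
        cell = _xor(outer_key, inner_name.encode() + b"|" + cell)
    return cell


def relay_process(name: str, key: bytes, prev_hop: str, cell: bytes):
    """Everything a relay can observe about a cell: who handed it over and where it
    goes next. The inner blob stays opaque to this relay."""
    next_hop, inner = _xor(key, cell).split(b"|", 1)
    view = {"relay": name, "prev_hop": prev_hop, "next_hop": next_hop.decode()}
    return view, inner


def run_circuit(payload: bytes = b"GET / HTTP/1.1"):
    """Push one cell through guard -> middle -> exit; return each relay's view and
    the plaintext the exit finally forwards to the destination."""
    hops = [(n, os.urandom(32)) for n in ("guard", "middle", "exit")]
    cell, views, prev = build_onion(hops, DESTINATION, payload), [], CLIENT_ADDR
    for name, key in hops:
        view, cell = relay_process(name, key, prev, cell)
        views.append(view)
        prev = name
    return views, cell


def exit_sees_client() -> bool:
    """The reply's claim, checked directly: the exit relay's view never contains the client."""
    views, _ = run_circuit()
    return CLIENT_ADDR in views[-1].values()
```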

Anonymous Coward says:

Winny, Share, Perfect Dark

For some background, we should look at how the Japanese authorities over the last decade were able to crack successive “anonymous” P2P networks — Winny, Share, and Perfect Dark — each one supposedly more secure than the last.

If anything, it should teach us that it’s always going to be an uphill battle trying to stay anonymous whenever a major government entity (with its virtually unlimited resources) is intent on hunting you down.

Anonymous Coward says:

An interesting article with lots of useful links for further reading! I read in the Tor Blog comments about Evo and Agora black markets still being online. Yet Silk Road 2.0 was taken down. I also read multiple child abuse hidden services are still online.

This leads me to draw a few assumptions about the administrators running hidden services which are still reachable online.

1. The administrators are deploying above average operational security measures, such as the “Isolating Proxy Concept”. In which case, even if the entire web server is compromised through SQL injection and full root access is granted to the intruder, no identifiable information would be leaked, because it’s virtually impossible to gather any public IP address data, or to route around Tor, in a properly deployed isolating proxy setup. If the isolating proxy is run in a virtual machine, even the machine’s hardware serial numbers and MAC addresses are obscured.

2. Perhaps the administrators of the remaining operational hidden services are leasing servers in countries that are less than hospitable to US and EU nations. After the Ukraine debacle and the DOJ trying to prosecute Chinese military servicemen on hacking charges, I really don’t see those two nations’ cyber security agencies snuggling up to each other and singing songs around the campfire.

Personally, if I were looking to host servers on privacy networks such as Tor and I2P, I’d probably go with I2P, simply because I2P is a packet switched network, not a circuit switched network like Tor.

This means that instead of data being sent and received through a fixed 3-hop circuit like Tor’s, data sent and received through I2P’s packet switched network can take multiple different routes to the destination, and multiple different routes back to the source. In other words, I2P is more like modern day IP packet switched networks, and Tor is more like the plain old telephone system’s circuit based network. Roughly speaking, of course.

I2P seems more decentralized and built from the ground up to be a privacy network. Tor seems more focused on being a mixed network, trying to build a privacy network on top of surveillance networks (.com .net .org) etc.

Another thing worth mentioning is running a hidden service allows anyone connecting to that hidden service to force the web server to generate a bunch of traffic. I personally believe sending the least amount of traffic possible over a privacy network helps prevent correlation attacks. Running a hidden service makes controlling the amount of traffic being sent over the privacy network impossible. Anyone can request a 500 megabyte download from the hidden web server, or run a wget script to continuously download all the server’s webpages over and over again.

Anonymous Coward says:

Winny, Share, Perfect Dark

If I understand the Japanese situation correctly, the police did not outright ‘crack’ the networks, but rather found a flaw in the software which sometimes allowed them to locate an uploader’s IP address.

All the programs are closed source, and there was no peer review or security audit.

Anonymous Coward says:

Re: Winny, Share, Perfect Dark

Only some of the Japanese file sharers were nabbed due to (often well-known) flaws, such as Winny users who posted messages on the bulletin board, not knowing that in doing so they were revealing their true IP address.

Share and Perfect Dark were supposed to correct many of the known security breaches in Winny. And even then, users still got busted. But of course there can never be permanent 100% perfect security. Only a never-ending cat-and-mouse arms race.
