Vague Warnings Of Pending Tor Attack, While Exit Nodes Are Being Seized
from the stay-safe-everyone dept
Late last week, the Tor Project blog posted a somewhat vague warning about the possibility of an upcoming attempt to disable the Tor network by going after and seizing specialized directory authority servers that are the key to making Tor work.
The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.
We hope that this attack doesn’t occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.
Given that, it seemed especially noteworthy that over the weekend a bunch of Tor exit nodes were apparently quietly seized, according to Thomas White, who ran those servers:
Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken.
While he initially suggested that the way it was done made it seem likely that law enforcement was behind it, he later toned down that suggestion, saying he thought it was less likely that law enforcement was involved than he originally believed. Update: And now the servers have been returned and while there’s still some confusion, it looks like nothing nefarious happened here.
Tor, itself, isn’t compromised — and pretty much all experts agree that it remains safe — but it’s at least troubling to see that there’s at least some possible attempt to compromise parts of the network.
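The Tor Project's statement above rests on one design property: directory authorities are redundant, and a client only accepts a network consensus that more than half of the authorities it trusts have signed, so seizing a minority of them neither takes the network down nor lets the seizing party publish a relay list of its own. The following added example (not code from the Tor Project or from this article) models that quorum rule. The authority names, keys and consensus text are constructed for the example, and HMAC over the document digest stands in for the RSA signatures real authorities use so that it runs on the Python standard library alone.

```python
"""Toy model of Tor's directory-authority quorum (added example, constructed).

Assumptions: authority names "auth-1".."auth-9" and their keys are invented;
HMAC-SHA256 replaces the RSA signatures real Tor authorities produce.  The
acceptance rule is the real one: a consensus is valid only when more than
half of the trusted authorities have signed that exact document.
"""
import hashlib
import hmac
import secrets


def make_authorities(n=9):
    """Return {name: secret_key} for n constructed authorities (Tor had 9 in 2014)."""
    return {f"auth-{i}": secrets.token_bytes(32) for i in range(1, n + 1)}


def consensus_digest(document: str) -> bytes:
    """Authorities sign a digest of the consensus, not the raw text."""
    return hashlib.sha256(document.encode()).digest()


def sign(secret: bytes, document: str) -> bytes:
    """Stand-in signature: HMAC of the consensus digest under the authority key."""
    return hmac.new(secret, consensus_digest(document), hashlib.sha256).digest()


def verify_consensus(document: str, signatures: dict, trusted: dict):
    """Count valid signatures from distinct trusted authorities.

    signatures: {authority_name: signature_bytes} as shipped with the consensus.
    Returns (accepted, valid_signature_count).  Signatures from names the
    client does not trust are ignored, and a signature made over a different
    document fails because the digest differs.
    """
    digest = consensus_digest(document)
    valid = set()
    for name, sig in signatures.items():
        secret = trusted.get(name)
        if secret is None:
            continue  # unknown or untrusted authority: does not count
        expected = hmac.new(secret, digest, hashlib.sha256).digest()
        if hmac.compare_digest(expected, sig):
            valid.add(name)
    required = len(trusted) // 2 + 1  # strict majority of trusted authorities
    return len(valid) >= required, len(valid)


def simulate_seizure(n_authorities=9, n_seized=4):
    """Model the scenario the article warns about.

    The honest authorities keep signing the genuine consensus; the seized
    ones sign a conflicting, attacker-controlled relay list with their real
    keys.  Returns which of the two documents a client would accept.
    """
    authorities = make_authorities(n_authorities)
    names = list(authorities)
    seized, honest = names[:n_seized], names[n_seized:]
    genuine = "network-status-version 3\nrelay-list: (genuine)"      # constructed
    forged = "network-status-version 3\nrelay-list: (attacker list)"  # constructed
    genuine_sigs = {n: sign(authorities[n], genuine) for n in honest}
    forged_sigs = {n: sign(authorities[n], forged) for n in seized}
    return {
        "genuine_accepted": verify_consensus(genuine, genuine_sigs, authorities)[0],
        "forged_accepted": verify_consensus(forged, forged_sigs, authorities)[0],
    }


if __name__ == "__main__":
    for seized in range(0, 10):
        print(seized, "seized ->", simulate_seizure(9, seized))
```

With nine authorities the threshold is five: losing four still yields a valid genuine consensus and no valid forged one, while losing five flips both results, which is exactly the point the Tor Project's statement is making about redundancy.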
Filed Under: attack, directory authorities, thomas white, tor, tor project
Comments on “Vague Warnings Of Pending Tor Attack, While Exit Nodes Are Being Seized”
What can be done?
What can be done to stop terrorists from interfering with the Tor network?
Also, how can we stop cybercriminals who seize domain names without any kind of due process?
Re: What can be done?
Find a way to get them out of the alphabet agencies.
Re: Re: What can be done?
Find a way to stop these terrorists and cyber criminals from giving money to congress.
Re: What can be done?
What can be done to stop the terrorists in government from interfering with the Tor network?
Also, how can we stop the cybercriminals in the FBI who seize domain names without any kind of due process?
The answer is simple; kill the Batman.
‘Batman,’ in this instance, is the Alphabetti Spaghetti of interlinked “Intelligence” agencies across the globe.
The computers that were supposedly “seized” have since been returned.
https://lists.torproject.org/pipermail/tor-talk/2014-December/036084.html
Re: Re:
Would you trust them after unknown agents have had control over them?
Re: Re: Re:
From one of the links above:
“The servers have been blacklisted and pose no danger to the Tor network or the users of it. I will refrain from putting these servers back online until a proper vetting and analysis of events has happened.”
https://lists.torproject.org/pipermail/tor-talk/2014-December/036078.html
Re: Re: Re: Re:
That vetting would have to include all flash memory, such as the BIOS and inbuilt controllers, and that is far from simple to do reliably, as physical access to the internals has been detected. Simpler to replace them, so long as the purchase channels can be trusted.
Re: Re: Re:2 Re:
At this point, even if the flash memory is intact, there’s no telling if some other piece of hardware was replaced, modified, or otherwise tampered with.
Better to assume they’re toast, burn them and set up some new servers in an anonymous location to prevent interdiction.
Re: Re: Re:3 Re:
That’s what I would do. Hardware is cheap. Donate the servers to charity and buy new ones.
Re: Re: Re:4 Re:
“Donate the servers to charity and buy new ones.”
Not my choice in case they are infected and the charity sells them on to an unsuspecting ebay buyer. Destroy the USB controller chips and recycle the rest.
Re: Re: Re:5 Re:
Well, perhaps, but there is a compelling argument that it would be better to allow the compromised servers to operate in an environment that will do little harm. Keeping them running increases the amount of noise.
Re: Re: Re:4 Re:
Better idea: Donate the servers to computer security researchers. They would know what to look for, and I’m sure they could discover some interesting stuff poking around through the hardware.
This would have the secondary bonus of potentially flushing out just who fiddled with the servers in the first place, as they tried to reclaim the servers and keep the researchers from poking around inside.
Re: Re: Re:5 Re:
That counts as charity. 🙂
Re: Re: Re:2 Re:
And do not forget to check all soldering points for replaced and/or newly inserted stuff.
Maybe it is better to donate them to the Guardian newspaper, to be destroyed when MI5 or MI6 wants another computer physically destroyed.
So the question remains then: if it wasn’t ‘Law Enforcement’, who else would be interested in Tor, and why? Particularly, why have a USB attached for only a short few seconds, to achieve what? A time bomb of malware? A destroyer of information, or of the PCs themselves? Something doesn’t add up.
Re: Re:
Don’t forget the missing log entries: that’s a clear indication of tampering. My guess would be something like the equivalent of the NSA is responsible. Or perhaps there is something more like the Secret Service, which is not law enforcement.
Re: Re: Re:
…the Secret Service, which is not law enforcement…
Uhhh…yes they are. It’s just the laws they are charged with enforcing are few.
Re: Re:
“particularly why have a usb attached if only for a short few seconds”
KVM switch to a headless server. Could do a manual graceful shutdown/restart that way, but that should be in the logs and the ISP ought to be able to say why they did it, but they haven’t. Seems like it is hosted somewhere that does not have video of all access to server rooms since there is no mention of missing video.
News Flash: Tor is fine--and safe to use.
Tor just posted a tweet saying that the Tor network is up and fine (and has been fine all along). See twitter.com/torproject
Re: News Flash: Tor is fine--and safe to use.
I’m sure the FBI agent that sent that tweet really means it…
There was also this post a couple of days before:
Solidarity against online harassment
I don’t condone online harassment, but it’s still a somewhat odd post. The tone of it sort of worries me that they might be planning to put in a backdoor or something as a way to try and strike back at trolls that use TOR. (I trust I don’t need to explain to anyone how that would cause major security issues.)
Any connection with NKorea going down?
Looks like NSA, perhaps with SKorea’s help, may have just taken down NKorea’s internet:
http://www.nytimes.com/2014/12/23/world/asia/attack-is-suspected-as-north-korean-internet-collapses.html
NKorea’s Internet now looks like their nighttime satellite view from space, not that it was particularly bright b4.
Even if North Korea is an issue for many, these people chose to live life the way they do. Until it’s proven that they are actually behind the Sony... oops, I’ll hold judgement. North Korea has a right to exist; it’s not up to us to intervene, it’s up to its people. We need to make sure our house is in order.
Re: Re:
Uh, no, the vast majority of people living in North Korea do so because they have no other alternative. They’re born there, and that’s where they’ll die, whether they want to leave or not.
You can absolutely judge the government over there, and it’s corrupt, insane, and tyrannical as hell.
the meaning of seized keys
So if you’re running keys for security on a server that gets seized, it’s the same as saying “destroyed,” if all your keys are now compromised and you can’t tell if the hardware, firmware, or software was tampered with.
Perhaps it’s time for the Judge, cops and what not to get SUED for destroying such key-servers.
Such a payout would have to be monetary, since you can’t just hand out more hardware, firmware, or software from the same source that seized it in the first place.
All local/remote exploits aside, ultimately you either keep your key-servers away from these oath breaking insects or you can’t.