Tor Developers, Privacy Wonks Desperately Searching To Figure Out How The Feds Broke Tor To Find Hidden Servers

from the the-hunt-is-on dept

As we mentioned in last week's post on the arrest of Blake Benthall, the alleged operator behind Silk Road 2.0, the arrest was actually part of a larger global effort to take down around two dozen "darknet" websites. While the Benthall indictment does talk about an undercover Homeland Security employee who infiltrated Silk Road 2.0 to gather evidence, a key part of the evidence gathering is left vague: how did officials find the actual servers that were supposedly hidden by Tor? In the past few days, a big effort has been undertaken by a bunch of folks, including key Tor developers, to try to work out how all of this happened:

Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of Torservers.net disappeared and there is another report by an independent relay operator. If anyone has more details, please get in contact with us. If your relay was seized, please also tell us its identity so that we can request that the directory authorities reject it from the network.

But, more to the point, the recent publications call the targeted hidden services seizures "Operation Onymous" and they say it was coordinated by Europol and other government entities. Early reports say 17 people were arrested, and 400 hidden services were seized. Later reports have clarified that it was hundreds of URLs hosted on roughly 27 web sites offering hidden services. We have not been contacted directly or indirectly by Europol nor any other agency involved.

Tor is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents. We are also interested in learning why the authorities seized Tor relays even though their operation was targeting hidden services. Were these two events related?

The Tor post lists out a number of possible scenarios under which the hidden servers were located, including bad operational security (opsec), SQL injections (because, of course), Bitcoin deanonymization and attacks on the Tor network. That last one is getting a lot of attention for a variety of reasons. Kashmir Hill over at Forbes has an interesting post exploring the possible connection with the cancelled Black Hat talk from this summer about identifying Tor users, which was done by some Carnegie Mellon researchers. Around that time, Tor also revealed that its network had been compromised, and asked everyone to upgrade to patch vulnerabilities. Many assume these two things were connected.
If you control enough of the Tor network, it’s possible to get a kind of bird’s eye view of the traffic being routed through it. It was clear that Tor thought the Carnegie Mellon researchers were responsible. The researchers refused to talk to the press, but a conference spokesperson told Reuters the talk was canceled because the researchers hadn’t cleared the release of their work through their department, the Software Engineering Institute, which receives funding from the Defense Department. At the time, many assumed that the university pulled the plug on the talk because of academic ethics considerations and the gray legal zone it was in, with the researchers casually intercepting Web traffic. But maybe it got pulled because the researchers were revealing a law enforcement technique that the government did not want publicized. If nothing else, it’s highly likely the information the researchers collected about “drug dealers and child pornographers” made its way into law enforcement hands. McCord said he was “unable to comment on the matter.” Carnegie Mellon’s SEI declined comment about the canceled talk and about whether it had provided information from the research to law enforcement.
Hill also quotes Nicholas Weaver with some thoughts on what happened:
“I am 95% certain that law enforcement did a mass de-anonymization attack on Tor hidden services,” says Nicholas Weaver, a researcher at the International Computer Science Institute. He called any link to the earlier research “circumstantial.” But he points out that the work the researchers did was expensive. A “back of the envelope estimate suggests that whoever was running the attack on Tor at the beginning of the year using [Amazon hosting services] spent at least $50,000 in computer time,” says Weaver. That’s not the kind of money an academic can spend on a hobby project.
Meanwhile, one of the (still free) operators of a Tor hidden site that was taken down by the feds, Doxbin, has stepped forward to release a bunch of log files and related information to potentially track down how it was discovered (he posted on a mailing list using the amusing subject line of "yes hello, internet supervillain here"). This has resulted in much more speculation on what kind of attack was being run.

As it stands, no one (other than law enforcement) knows exactly how this came down, but I would imagine that it won't be long until people have figured out what likely happened, and fixes are put in place. This, of course, is the nature of any sort of anonymization effort. People will always break it for some reason or another, and then it's just an ongoing back and forth to fix holes and improve the system...

Reader Comments

  • Matthew A. Sawtell, 10 Nov 2014 @ 2:47pm

    Story as old as human history...

    ... people on two different sides of a game board attempt to move and counter-move, with the stakes ever shifting. Figure it will make for an interesting movie in a decade or so.

  • Berriun, 10 Nov 2014 @ 4:02pm

    The only people who use Tor are criminals and pedophiles. Raid them all, I say.

    • Anonymous Coward, 10 Nov 2014 @ 4:11pm

      Re:

      You can raid me. I used it. I've undergone several b/g checks by ICE and FBI, being a US person not of US origin. I used it to check out Walmart & Amazon prices without giving my zip code. I've also used VPNs and proxies. But you're welcome anytime. Wasted time is not my problem. Go ahead.

      • Michael, 11 Nov 2014 @ 9:34am

        Re: Re:

        Why would you assume that ICE or the FBI doing background checks on you clears you of being a criminal or a pedophile?

        If they can't dupe you into joining their impossible-without-them terrorist plot, they just move on.

    • That One Guy (profile), 10 Nov 2014 @ 4:16pm

      Getting more and more difficult to spot Poe's these days...

      Indeed, the only people who could possibly desire anonymity are criminals and scum!

      ...

      Wait a tic, you're posting anonymously... hmm, better have the SWAT team bust up your house and interrogate you just to be sure.

      • Anonymous Coward, 10 Nov 2014 @ 5:23pm

        Re: Getting more and more difficult to spot Poe's these days...

        I am pretty sure that post was sarcasm.

        • That One Guy (profile), 10 Nov 2014 @ 5:44pm

          Re: Re: Getting more and more difficult to spot Poe's these days...

          Like I said, it's hard to tell these days.

          When you've got freakin' government officials talking about encryption like it's this unholy grail of evil, and something that only the worst of the worst would ever want, while it would be disappointing if others started believing such laughable fearmongering and lies, it wouldn't be impossible to imagine such happening.

    • Anonymous Coward, 10 Nov 2014 @ 5:00pm

      Re:

      And the only people that say this are either trolls or talking stooges for the police state.

    • Anonymous Coward, 10 Nov 2014 @ 10:52pm

      Re:

      And what about the whistleblowers proving criminal malfeasance? Are they just criminals, too? The world isn't as black and white as you want it to be.

    • Anonymous Coward, 11 Nov 2014 @ 2:37pm

      Re:

      Obvious troll is obvious

  • Anonymous Coward, 10 Nov 2014 @ 4:36pm

    Two fixed points, one known (enforcement), the other unknown but fixed. With enough nodes under control, wouldn't think it difficult to monitor and time traffic to narrow down locations.
    And given the number of governments involved, one could safely assume they had control of enough nodes.

  • Anonymous Coward, 10 Nov 2014 @ 5:44pm

    There was an interesting discussion about this on Soylentnews

    http://soylentnews.org/article.pl?sid=14/11/10/1510242

    http://soylentnews.org/article.pl?sid=14/11/08/154250&tid=15

    Here is something I wrote

    You guys are over complicating it. When you order something over these networks someone has to pay for these items. How do they plan to pay, by credit card, cash, money order? The feds can order something and track where that money goes and find someone to arrest. Additionally they can attempt to track the packages and their place of origin via the mail system. IOW, good old investigative work.

    • Anonymous Coward, 10 Nov 2014 @ 9:06pm

      Re:

      "How do they plan to pay, by credit card, cash, money order?"

      Never heard of bitcoin?

      • Anonymous Coward, 10 Nov 2014 @ 9:07pm

        Re: Re:

        Follow the rest of the discussion.

      • Anonymous Coward, 10 Nov 2014 @ 9:13pm

        Re: Re:

        Here, now that I'm finally not on a tablet I'll just copy and paste it.

        --------------------

        by hemocyanin (186) Subscriber Badge on Sunday November 09, @10:21AM (#114268)

        I'm pretty sure the favored currency is bitcoin. I'm not a bitcoin user so I don't know the various ways a user could be traced through the coin's transaction history, but I'm pretty certain there is no place to send a subpoena to for account information, unlike visa, banks, etc.

        -----------------
        my response

        While Bitcoin is another payment option you are still missing the big picture.

        Bitcoins can, to some extent, be traced. But the point is that even if these guys are using bitcoins at some point those coins must either be converted to cash, credit card funds, or to something physical that can be purchased. If you try to buy a house with it the feds are going to investigate where you got the money to buy this nice property with no job. Furthermore they can purchase items themselves with bitcoins and try to trace where their expected packages are coming from and how their coins are being turned into cash and things someone can buy.

        And the way to do this is relatively easy. They set up an address that wouldn't otherwise receive mail and they order their items to be sent to that address. They then alert USPS, UPS, etc... to tell them if they receive a package intended for this destination. If they do it pops up on the computer and the feds get alerted about which post office first received the package. Then they know that whoever dropped that package off did so within the jurisdiction of this post office. They then order another package and continue their investigation from there.

        What the online drug cartels might be able to do is try to drop their packages at different locations. Then it becomes a game of cat and mouse.

        -------------
        by urza9814 (3954) on Monday November 10, @12:13PM (#114531) Journal

        Yeah, they really don't have to do anything special there. I too get alerted whenever UPS picks up a package destined for my address. Doesn't cost me anything, just have to register with their app. When my dad sent me his laptop to fix a while back, it popped right up with the UPS store where he made the shipment. Then the cops just go to that store and ask for a record of who made the purchase. If they paid cash, you pull up the store surveillance video. How hard is that?

        Of course, that all depends what's being ordered. If it's small enough to fit in a regular mail envelope that can be dropped in any box on the street...that might need something more complicated.

        But that's just to track the sellers. My understanding was that Silk Road was more of a marketplace for others to sell stuff. Unless the admin was stupid enough to be selling things themselves (which is not at all unlikely) those tricks wouldn't work to shut down the site as a whole.

        ----------

        My response

        True but how are the admins making money? Bitcoins? Even if so bitcoins can be traced to some extent. At some point those bitcoins need to eventually be turned into real money or property or something valuable and they can trace that.

        and who's paying the admins their money? Advertisers? They can trace who advertisers are sending money to and investigate from there.

        Do the users or sellers pay the admins a fee? How is that money being paid? They can trace that. Even if it's through bitcoins they can trace who's exchanging bitcoins for bank funds or cash (if you are exchanging bitcoins directly for cash then who's giving you the cash? A fed? Someone working or being subpoenaed by the feds?). It's not like you can buy a house with bitcoins and no one will notice. The feds will notice if you suddenly have a nice house in your name with no job. How are you paying for this? Bitcoins? Where are you getting these bitcoins and what are you doing to get them?

        and if the sellers pay an admin fee the feds can set themselves up as a seller and try to trace where the funds are going. They can send themselves a package, pay for it, and continue their investigation from there.

  • Anonymous Coward, 10 Nov 2014 @ 9:59pm

    First I heard it was one of those captcha things that busted the servers located in Iceland. Was browsing with TOR very recently and at the beginning of my session I checked my IP address as usual; the location was a country in Eastern Europe. At the end of my browsing I went to the VPN Gate site hosted by a University in Japan and my browser was listed in Great Britain. Went back to the original check-your-IP-address site to double check and sure enough I had exited in Great Britain. I didn't change my ID during the session, so how did my IP change from Eastern Europe to Great Britain? Sorry, but I don't appreciate anyone eavesdropping on my correspondence so I will stick with a VPN or Tails in the foreseeable future. I also hear the Russians are messing with TOR connections too, so I'll stay away for now. Seems everyone is a terrorist today, the Internet should be gone from our home by year's end, the phone is gone already. If they feel they can fornicate with my privacy then they can keep their stinking hands out of my wallet. As for the guy up top pointing fingers and spouting off with false accusations, he is probably the one who needs watching. Yes I wish to remain anonymous at times, I reserve that privilege as a right, as in the Bill Of Rights. Yes I am sending this to the Techdirt site using a VPN.

    • Anonymous Coward, 11 Nov 2014 @ 2:41pm

      Re:

      Your route through the TOR network changes every ten minutes.

    • IT guy, 11 Nov 2014 @ 10:14pm

      Re:

      Went back to the original check-your-IP-address site to double check and sure enough I had exited in Great Britain. I didn't change my ID during the session, so how did my IP change from Eastern Europe to Great Britain?

      Because that is part of Tor's ten minute interval circuit rotation where your Tor client selects a new circuit with three new nodes, including a new exit node.

      The fact that the exit node is in the UK is irrelevant. Onion routing was specifically built so that control over an exit node, for example, isn't enough to expose your IP-address.

      You are spreading misinformation because you know just enough to get yourself in trouble.
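As an added illustration of the point in this reply (that holding the exit position alone does not reveal the client's address) and of the earlier comment about controlling enough nodes to time traffic between two fixed points, the Python sketch below is not code from the article, from any commenter, or from the Tor project. It models a three-hop circuit with deliberately simplified assumptions: a toy SHA-256-based stream cipher with an HMAC tag in place of Tor's AES-CTR, per-relay keys pre-shared with the client instead of negotiated by a handshake, and relay names standing in for addresses. Each relay peels one layer and logs what it could observe, so the reader can check who sees what: the guard sees the client address but no destination, the exit sees the destination but only the middle relay, and only an adversary holding both the guard and the exit positions sees both endpoints, which is the correlation risk the article's "bird's eye view" refers to.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import json
import os
import random
from dataclasses import dataclass, field

# Toy cipher for the demo only (not Tor's construction, which uses AES-CTR with
# keys from a per-hop handshake): keystream = SHA-256(key || nonce || counter),
# XORed over the message, with an HMAC tag so a relay notices tampering.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + tag + ct


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("authentication failed: wrong key or tampered cell")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


@dataclass
class Relay:
    name: str
    key: bytes  # assumed pre-shared with the client (demo simplification)
    observed: list = field(default_factory=list)  # everything this relay could log


def build_onion(path: list[Relay], dest: str, request: bytes) -> bytes:
    """Wrap the request so each relay on the path can peel exactly one layer."""
    # Innermost layer: only the exit learns the destination and the request.
    layer = {"next": None, "dest": dest, "body": base64.b64encode(request).decode()}
    blob = seal(path[-1].key, json.dumps(layer).encode())
    # Outer layers, built from the exit back to the guard: each relay learns only
    # the name of the next hop; the payload stays opaque to it.
    for hop in range(len(path) - 2, -1, -1):
        layer = {"next": path[hop + 1].name, "dest": None,
                 "body": base64.b64encode(blob).decode()}
        blob = seal(path[hop].key, json.dumps(layer).encode())
    return blob


def run_circuit(client_addr: str, path: list[Relay], dest: str, request: bytes) -> bytes:
    """Push the onion through the circuit; each relay records what it saw."""
    blob = build_onion(path, dest, request)
    prev_hop = client_addr
    for relay in path:
        layer = json.loads(unseal(relay.key, blob))
        relay.observed.append({"prev": prev_hop, "next": layer["next"], "dest": layer["dest"]})
        blob = base64.b64decode(layer["body"])
        prev_hop = relay.name
    return blob  # the plaintext request, as delivered by the exit


def can_link(path: list[Relay], compromised: set[str], client_addr: str) -> bool:
    """Could the relays in `compromised`, pooling their logs, tie client_addr to a destination?"""
    logs = [o for r in path if r.name in compromised for o in r.observed]
    saw_client = any(o["prev"] == client_addr for o in logs)
    saw_dest = any(o["dest"] is not None for o in logs)
    return saw_client and saw_dest


def pick_circuit(relays: list[Relay], seed: int) -> list[Relay]:
    """Choose three distinct relays, as a client does each time it builds a new circuit."""
    return random.Random(seed).sample(relays, 3)


if __name__ == "__main__":
    # Constructed demo data: relay keys derived from names, a made-up client address.
    pool = [Relay(n, hashlib.sha256(n.encode()).digest())
            for n in ("guard", "middle", "exit", "spare-a", "spare-b")]
    path = pool[:3]
    run_circuit("203.0.113.7", path, "example.com", b"GET / HTTP/1.1")
    for r in path:
        print(r.name, "saw", r.observed[-1])
    print("exit alone can link client to destination:", can_link(path, {"exit"}, "203.0.113.7"))
    print("guard+exit together can:", can_link(path, {"guard", "exit"}, "203.0.113.7"))
    print("next circuit:", [r.name for r in pick_circuit(pool, seed=2)])
```

Running the script prints each relay's log entry and the two `can_link` answers; `pick_circuit` stands in for the periodic rotation the reply describes, which is why the exit country changed mid-session without the user doing anything. The defender's takeaway is the asymmetry between the positions: an observer at the exit learns what is fetched but not by whom, and only the combination of a first-hop and a last-hop vantage point (or the timing view across many relays that the earlier comment describes) closes that gap.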

  • Anonymous Coward, 10 Nov 2014 @ 10:03pm

    Seems this site has gone candy-ass too. It was nice while it lasted.
    djb

  • Anonymous Coward, 10 Nov 2014 @ 11:00pm

    Tor needs to turn all users into nodes.

  • Anonymous Coward, 11 Nov 2014 @ 2:12am

    Winny, Share, Perfect Dark

    For some background, we should look at how the Japanese authorities over the last decade were able to crack successive "anonymous" P2P networks -- Winny, Share, and Perfect Dark -- each one supposedly more secure than the last.

    If anything, it should teach us that it's always going to be an uphill battle trying to stay anonymous whenever a major government entity (with its virtually unlimited resources) is intent on hunting you down.

  • Anonymous Coward, 11 Nov 2014 @ 2:18am

    An interesting article with lots of useful links for further reading! I read in the Tor Blog comments about Evo and Agora black markets still being online. Yet Silk Road 2.0 was taken down. I also read multiple child abuse hidden services are still online.

    This leads me to draw a few assumptions about the administrators running hidden services which are still reachable online.

    1. The administrators are deploying above average operational security measures, such as the "Isolating Proxy Concept", in which case, even if the entire web server is compromised through SQL injection and full root access is granted to the intruder, no identifiable information would be leaked, because it's virtually impossible to gather any public IP address data or route around Tor in a properly deployed isolating proxy setup. If the isolating proxy is run in a virtual machine, even the machine's hardware serial numbers and MAC addresses are obscured.

    2. Perhaps the administrators of the remaining operational hidden services are leasing servers in countries that are less than hospitable to US and EU nations. After the Ukraine debacle and the DOJ trying to prosecute Chinese military servicemen on hacking charges, I really don't see those two nations' cyber security agencies snuggling up to each other and singing songs around the campfire.

    Personally, if I were looking to host servers on privacy networks such as Tor and I2P, I'd probably go with I2P, simply because I2P is a packet switched network, not a circuit switched network like Tor.

    This means that instead of data being sent and received through a fixed 3-hop circuit like Tor, data sent and received through I2P's packet switched network can take multiple different routes to the destination, and multiple different routes back to the source. In other words, I2P is more like modern day IP packet switched networks, and Tor is more like the plain old telephone system's circuit based network. Roughly speaking, of course.

    I2P seems more decentralized and built from the ground up to be a privacy network. Tor seems more focused on being a mixed network, trying to build a privacy network on top of surveillance networks (.com .net .org) etc.

    Another thing worth mentioning is running a hidden service allows anyone connecting to that hidden service to force the web server to generate a bunch of traffic. I personally believe sending the least amount of traffic possible over a privacy network helps prevent correlation attacks. Running a hidden service makes controlling the amount of traffic being sent over the privacy network impossible. Anyone can request a 500 megabyte download from the hidden web server, or run a wget script to continuously download all the server's webpages over and over again.

  • Anonymous Coward, 11 Nov 2014 @ 4:55am

    Re: Winny, Share, Perfect Dark

    If I understand the Japanese situation correctly, the police did not outright 'crack' the networks, but rather found a flaw in the software which sometimes allowed them to locate an uploader's IP address.

    All the programs are closed source, and there was no peer review or security audit.

    • Anonymous Coward, 11 Nov 2014 @ 5:25am

      Re: Re: Winny, Share, Perfect Dark

      Only some of the Japanese file sharers were nabbed due to (often well-known) flaws, such as Winny users who posted messages on the bulletin board, not knowing that in doing so they were revealing their true IP address.

      Share and Perfect Dark were supposed to correct many of the known security breaches in Winny. And even then, users still got busted. But of course there can never be permanent 100% perfect security. Only a never-ending cat-and-mouse arms race.
