Vague Warnings Of Pending Tor Attack, While Exit Nodes Are Being Seized

from the stay-safe-everyone dept

Late last week, the Tor Project blog posted a somewhat vague warning about the possibility of an upcoming attempt to disable the Tor network by going after and seizing specialized directory authority servers that are the key to making Tor work.
The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.

We hope that this attack doesn't occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.

Given that, it seemed especially noteworthy that over the weekend a bunch of Tor exit nodes were apparently quietly seized, according to Thomas White, who ran those servers:
Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken.
While he initially suggested that the way it was done made it seem likely that law enforcement was behind it, he later toned down that suggestion, saying he thought it was less likely that law enforcement was involved than he originally believed. Update: And now the servers have been returned and while there's still some confusion, it looks like nothing nefarious happened here.

Tor, itself, isn't compromised -- and pretty much all experts agree that it remains safe -- but it's at least troubling to see that there's at least some possible attempt to compromise parts of the network.

Reader Comments

Subscribe: RSS

View by: Time | Thread


  • icon
    DannyB (profile), 22 Dec 2014 @ 11:26am

    What can be done?

    What can be done to stop terrorists from interfering with the Tor network?

    Also, how can we stop cybercriminals who seize domain names without any kind of due process?

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Dec 2014 @ 11:34am

      Re: What can be done?

      Find a way to get them out of the alphabet agencies.

      reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Dec 2014 @ 1:06pm

      Re: What can be done?

      What can be done to stop the terroists in government from interfering with the Tor network?

      Also, how can we stop the cybercriminals in the FBI who seize domain names without any kind of due process?

      The answer is simple; kill the Batman*.

      *'Batman,' in this instance, is the Alphabetti Spaghetti of interlinked "Intelligence" agencies across the globe.

      reply to this | link to this | view in chronology ]

  • icon
    Justin Johnson (JJJJust) (profile), 22 Dec 2014 @ 11:42am

    The computers that were supposedly "seized" have since been returned.

    https://lists.torproject.org/pipermail/tor-talk/2014-December/036084.html

    reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Dec 2014 @ 11:57am

      Re:

      Would you trust them after unknown agents have had control over them?

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 22 Dec 2014 @ 12:47pm

        Re: Re:

        From one of the links above:

        "The servers have been blacklisted and pose no danger to the Tor network or the users of it. I will refrain from putting these servers back online until a proper vetting and analysis of events has happened."

        https://lists.torproject.org/pipermail/tor-talk/2014-December/036078.html

        reply to this | link to this | view in chronology ]

        • identicon
          Anonymous Coward, 22 Dec 2014 @ 1:30pm

          Re: Re: Re:

          That vetting would have to include all flash memory, such as the BIOS and inbuilt controllers, and that is far from simple to do reliably, as physical access to the internals has been detected. Simpler to replace them, so long as the purchase channels can be trusted.

          reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 22 Dec 2014 @ 2:56pm

            Re: Re: Re: Re:

            At this point, even if the flash memory is intact, there's no telling if some other piece of hardware was replaced, modified, or otherwise tampered with.

            Better to assume they're toast, burn them and setup some new servers in an anonymous location to prevent interdiction.

            reply to this | link to this | view in chronology ]

            • icon
              John Fenderson (profile), 22 Dec 2014 @ 3:56pm

              Re: Re: Re: Re: Re:

              That's what I would do. Hardware is cheap. Donate the servers to charity and buy new ones.

              reply to this | link to this | view in chronology ]

              • identicon
                Anonymous Coward, 22 Dec 2014 @ 4:09pm

                Re: Re: Re: Re: Re: Re:

                "Donate the servers to charity and buy new ones."



                Not my choice in case they are infected and the charity sells them on to an unsuspecting ebay buyer. Destroy the USB controller chips and recycle the rest.

                reply to this | link to this | view in chronology ]

                • icon
                  John Fenderson (profile), 23 Dec 2014 @ 7:18am

                  Re: Re: Re: Re: Re: Re: Re:

                  Well, perhaps, but there is a compelling argument that it would be better to allow the compromised servers to operate in an environment that will do little harm. Keeping them running increases the amount of noise.

                  reply to this | link to this | view in chronology ]

              • icon
                That One Guy (profile), 22 Dec 2014 @ 4:42pm

                Re: Re: Re: Re: Re: Re:

                Better idea: Donate the servers to computer security researchers. They would know what to look for, and I'm sure they could discover some interesting stuff poking around through the hardware.

                This would have the secondary bonus of potentially flushing out just who fiddled with the servers in the first place, as they tried to reclaim the servers and keep the researchers from poking around inside.

                reply to this | link to this | view in chronology ]

          • identicon
            Anonymous Coward, 23 Dec 2014 @ 9:32am

            Re: Re: Re: Re:

            And do not forget to check all soldering points for replaced and/or newly inserted stuff.

            Maybe it is better to donate them to the Guardian newspaper, to be destroyed when MI5 or MI6 wants another computer physically destroyed.

            reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Dec 2014 @ 12:24pm

    so the question remains then, if it wasn't 'Law Enforcement', who else would be interested in Tor and why? particularly why have a usb attached if only for a short few seconds, to achieve what? a time bomb of malware? destroyer of information or the PCs themselves? something doesn't add up

    reply to this | link to this | view in chronology ]

    • identicon
      Whoever, 22 Dec 2014 @ 1:08pm

      Re:

      if it wasn't 'Law Enforcement', who else would be interested in Tor and why? particularly why have a usb attached if only for a short few seconds, to achieve what? a time bomb of malware? destroyer of information or the PCs themselves? something doesn't add up


      Don't forget the missing log entries: that's a clear indication of tampering. My guess would be something like the equivalent of the NSA is responsible. Or perhaps there is something more like the Secret Service, which is not law enforcement.

      reply to this | link to this | view in chronology ]

      • identicon
        Anonymous Coward, 22 Dec 2014 @ 2:33pm

        Re: Re:

        ...the Secret Service, which is not law enforcement...


        Uhhh...yes they are. It's just the laws they are charged with enforcing are few.

        reply to this | link to this | view in chronology ]

    • identicon
      Anonymous Coward, 22 Dec 2014 @ 1:36pm

      Re:

      "particularly why have a usb attached if only for a short few seconds, "



      KVM switch to a headless server. Could do a manual graceful shutdown/restart that way, but that should be in the logs and the ISP ought to be able to say why they did it, but they haven't. Seems like it is hosted somewhere that does not have video of all access to server rooms since there is no mention of missing video.

      reply to this | link to this | view in chronology ]

  • icon
    Ailanthus (profile), 22 Dec 2014 @ 12:40pm

    News Flash: Tor is fine--and safe to use.

    Tor just posted a tweet saying that the Tor network is up and fine (and has been fine all along). See twitter.com/torproject

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Dec 2014 @ 1:44pm

    There was also this post a couple of days before:
    Solidarity against online harassment

    I don't condone online harassment, but it's still a somewhat odd post. The tone of it sort of worries me that they might be planning to put in a backdoor or something as a way to try and strike back at trolls that use TOR. (I trust I don't need to explain to anyone how that would cause major security issues.)

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 22 Dec 2014 @ 4:48pm

    Any connection with NKora going down?

    Looks like NSA, perhaps with SKorea's help, may have just taken down NKorea's internet:

    http://www.nytimes.com/2014/12/23/world/asia/attack-is-suspected-as-north-korean-internet-c ollapses.html

    NKorea's Internet now looks like their nighttime satellite view from space, not that it was particularly bright b4.

    reply to this | link to this | view in chronology ]

  • identicon
    Anonymous Coward, 23 Dec 2014 @ 6:02am

    Even if North Korea is an issue for many these people chose to live life the way they do until , its proven that they are actually behind the sony oops I'll hold judgement , North Korea has a right to exist, it's not up to us to intervene its up to its people We need to make sure our house is in order.

    reply to this | link to this | view in chronology ]

    • icon
      That One Guy (profile), 23 Dec 2014 @ 4:37pm

      Re:

      Uh, no, the vast majority of people living in North Korea do so because they have no other alternative. They're born there, and that's where they'll die, whether they want to leave or not.

      You can absolutely judge the government over there, and it's corrupt, insane, and tyrannical as hell.

      reply to this | link to this | view in chronology ]

  • identicon
    EMF-Gain, 23 Dec 2014 @ 8:10am

    the meaning of seized keys

    So if your running keys for security on a server that gets seized it's the same as saying "destroyed." IF all your keys are now compromised, and you can't tell if the hardware, firmware, or software was tampered with.

    Perhaps it's time for the Judge, cops and what not to get SUED for destroying such key-servers.

    Such a payout would have to be monetary since, you can't just hand out more hardware, firmware, or software from the same source who seized it in the first place.

    All local/remote exploits aside, ultimately you either keep your key-servers away from these oath breaking insects or you can't.

    reply to this | link to this | view in chronology ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Use markdown for basic formatting. HTML is no longer supported.
  Save me a cookie
Follow Techdirt
Techdirt Gear
Shop Now: I Invented Email
Advertisement
Report this ad  |  Hide Techdirt ads
Essential Reading
Techdirt Deals
Report this ad  |  Hide Techdirt ads
Techdirt Insider Chat
Advertisement
Report this ad  |  Hide Techdirt ads
Recent Stories
Advertisement
Report this ad  |  Hide Techdirt ads

Close

Email This

This feature is only available to registered users. Register or sign in to use it.