Did you hear that story about how ISIS is so sophisticated with encryption that they have a special "opsec" manual on computer security protocols? You might have, because last week it was all over the internet. Yahoo kicked it off with a story, claiming it was the secret manual ISIS "uses to teach its soldiers about encryption." Wired followed up with its own story, as did The Telegraph. The "manual" was "discovered" by analysts at the Combating Terrorism Center, based out of the US Military Academy at West Point. Thankfully, Buzzfeed has the details, noting that the guide, created by a cybersecurity firm in Kuwait, named Cyberkov, is actually a guide for journalists and activists to protect their communications from oppressive governments. And there's nothing particularly secret about it, as apparently it's basically just repurposed stuff from the EFF's website:
“Our guide is based on publicly available tools, instructions and best practices. The guidelines in our manual are sourced from the EFF [Electronic Frontier Foundation] and other sources of privacy organizations,” wrote CyberKov CEO Abdullah AlAli to BuzzFeed News in an email. He said his organization had no idea its guide had been repurposed by ISIS. He was surprised to see it cited in articles, many of which have been updated since they were originally posted to note the document’s origin, and “even more shocked to see the Combating Terrorism Center at West Point simply Google-Translated it and claimed it as ISIS’s.”
Now, it does appear that some folks in ISIS may have sent around versions of the guide, but it sort of undermines the idea that they had created their own special set of guidelines to avoid being tracked, when all they're doing is picking up publicly available information on security best practices.
First, let's go back a year or so. A few weeks before the big Black Hat Conference in 2014, it was announced that a planned presentation from two Carnegie Mellon University researchers (Michael McCord and Alexander Volynkin), entitled "You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget" was pulled from the program, leading to lots and lots of speculation about what happened. Soon after this, the Tor Project announced it had discovered a group of relays that appeared to be trying to deanonymize Tor users who were operating Tor hidden services.
A few months after this, the FBI and Europol suddenly took down a bunch of darknet sites and arrested people accused of running them (calling it "Operation Onymous") -- including arresting a guy named Blake Benthall for running Silk Road 2.0. At the time, we pointed out something odd in the criminal complaint against Benthall. While the complaint noted that the FBI had found the server that was running Silk Road 2.0 (in an unnamed foreign country) and imaged it, nowhere was it explained how.
A couple months after that (at the beginning of this year), the FBI announced the arrest of Brian Farrell, who the FBI claims was a close assistant to Benthall in running Silk Road 2.0.
Fast forward to last week -- and Farrell's lawyer filed a motion with the district court hearing his case, noting that, just last month, the Justice Department revealed to Farrell's legal team that some of the evidence came from a "university-based research institute" and that Farrell's defense team had requested additional discovery to get more info. From the motion (which oddly, none of the other press reports on this story published):
On October 13, 2015, the government provided defense counsel a letter indicating that Mr. Farrell’s involvement with Silk Road 2.0 was identified based on information obtained by a “university-based research institute” that operated its own computers on the anonymous network used by Silk Road 2.0. In response to this letter, undersigned counsel requested additional discovery from the government to determine the relationship between the “university-based research institute” and the federal government, as well as the means used to identify Mr. Farrell on what was supposed to operate as an anonymous website. To date, the government has declined to produce any additional discovery.
Farrell's lawyers asked for more time, noting that there was another case in the same court (more on that below), seeking the same discovery, and Farrell's lawyers would like his case put on hold until the issue of discovery over the "university-based research institute" was settled in the other case. Vice then reported on this filing... leading the Tor Project itself to announce that it was pretty sure the "institute" was the Carnegie Mellon research project from last year, and that the FBI had paid CMU $1 million for that information, though the payment claim comes from an anonymous source.
The Tor Project has learned more about last year's attack by Carnegie Mellon researchers on the hidden service subsystem. Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes....
We have been told that the payment to CMU was at least $1 million.
There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.
When WIRED contacted Carnegie Mellon, it didn’t deny the Tor Project’s accusations, but pointed to a lack of evidence. “I’d like to see the substantiation for their claim,” said Ed Desautels, a staffer in the public relations department of the university’s Software Engineering Institute. “I’m not aware of any payment,” he added, declining to comment further.
This whole complicated scenario raises some pretty serious questions -- including whether or not the federal government paid a university to do research in a manner that would almost certainly violate university ethics rules on research on human subjects, but also which would allow the FBI to get all sorts of information on people without a warrant. As the director of the Tor Project, Roger Dingledine, told Wired:
“This attack…sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses ‘research’ as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute,” Dingledine writes. “We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor–but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people’s privacy, and certainly cannot give it the color of ‘legitimate research.'”
“Whatever academic security research should be in the 21st century,” he concludes, “it certainly does not include ‘experiments’ for pay that indiscriminately endanger strangers without their knowledge or consent.”
And now... this issue moves over to the other case that Farrell's lawyers pointed out, which is a criminal case against someone named Gabriel Peterson-Siler, who was arrested earlier this year for child porn -- and whose lawyers learned from the Justice Department that some of the evidence against him, similarly came from this "university-based research institute." That's not directly said in the filings in that case, but Peterson-Siler's lawyer did make clear that something was up:
This case involves a national operation targeting users of a child pornography website on a network known as the Onion Router (TOR), commonly termed the darknet. The government and the defense recently discussed a potential discovery issue which involves highly sensitive investigative materials regarding the investigation into the users of the child pornography TOR website. This potential discovery issue has involved extensive consultation with multiple Department of Justice components in Washington, D.C., and, despite the diligence of the government, took time to resolve. Defense counsel was notified of the resolution of that consultation process on the same day, October 13, 2015, and the government and defense counsel have been in regular contact regarding next steps. Any ongoing discovery issues related to this matter may also require coordination with multiple Department of Justice components in Washington, D.C.
The date, October 13 when this was revealed, was the same date that Farrell's lawyers learned the same information. So, now, all eyes should turn to the Peterson-Siler case, to determine whether or not the details are going to come out about how the FBI got this info and whether or not it was legal. Unfortunately, Gabriel Peterson-Siler is anything but a sympathetic defendant here. He's facing charges for child porn, and, according to the detention order in this case, this is not the first time Peterson-Siler has been in court over such an issue:
Defendant is charged by Complaint with possessing matter containing visual depictions of minors engaging in sexually explicit conduct that had been transported in interstate and foreign commerce. He has a prior conviction for possession of child pornography, for which he served 14 months of confinement, and two years of sexual deviancy treatment. Defendant was on state court supervision at the time of some of the alleged offense conduct charged in this case, some of which was during or soon after the conclusion of the sexual deviancy treatment.
One hopes that this fact won't cloud the issue over whether or not the FBI should be allowed to pay university researchers to break Tor's anonymity and spy on people in large groups. But, that may be asking a lot...
Last week, we posted the story of how the Kilton Public Library in Lebanon, New Hampshire, had been pressured to turn off its Tor relay after the Department of Homeland Security (DHS) had reached out to the local police department to express concern over the library's decision, and freaking out because "criminals can use Tor." After being approached by the police, the library agreed to shut down the relay, while setting up a meeting to discuss if the library should turn it back on. Apparently, last week's press attention helped bring out lots of folks who very strongly supported turning Tor back on.
Boston librarian Alison Macrina, who runs the Library Freedom Project and helped the library set up Tor in the first place, was tweeting up a storm last night, and it sounded like a lot of people showed up to make it clear that (1) the DHS could go pound sand and (2) the library should turn its Tor node back on:
Multiple people apparently spoke about how this is absolutely the kind of project that libraries should support, and that protecting anonymous browsing was an important thing to have in the world. And, in the end, success:
Since Edward Snowden exposed the extent of online surveillance by the U.S. government, there has been a surge of initiatives to protect users' privacy.
But it hasn't taken long for one of these efforts — a project to equip local libraries with technology supporting anonymous Internet surfing — to run up against opposition from law enforcement.
In July, the Kilton Public Library in Lebanon, New Hampshire, was the first library in the country to become part of the anonymous Web surfing service Tor. The library allowed Tor users around the world to bounce their Internet traffic through the library, thus masking users' locations.
Soon after, state authorities received an email about it from an agent at the Department of Homeland Security.
"The Department of Homeland Security got in touch with our police department," said Sean Fleming, the library director of the Lebanon Public Libraries.
After a meeting at which local police and city officials discussed how Tor could be exploited by criminals, the library pulled the plug on the project.
"Right now we're on pause," said Fleming. "We really weren't anticipating that there would be any controversy at all."
He said that the library board of trustees will vote on whether to turn the service back on at its meeting on Sept. 15.
Used in repressive regimes by dissidents and journalists, Tor is considered a crucial tool for freedom of expression and counts the State Department among its top donors. But Tor has been a thorn in the side of law enforcement; National Security Agency documents made public by Snowden have revealed the agency's frustration that it could only identify a "very small fraction" of Tor users.
The idea to install Tor services in libraries emerged from Boston librarian Alison Macrina's Library Freedom Project, which aims to teach libraries how to "protect patrons' rights to explore new ideas, no matter how controversial or subversive, unfettered by the pernicious effects of online surveillance." (The Library Freedom Project is funded by Knight Foundation, which also provides funding to ProPublica.)
After Macrina conducted a privacy training session at the Kilton library in May, she talked to the librarian about also setting up a Tor relay, the mechanism by which users across the Internet can hide their identity.
A special agent in a Boston DHS office forwarded the article to the New Hampshire police, who forwarded it to a sergeant at the Lebanon Police Department.
DHS spokesman Shawn Neudauer said the agent was simply providing "visibility/situational awareness," and did not have any direct contact with the Lebanon police or library. "The use of a Tor browser is not, in [or] of itself, illegal and there are legitimate purposes for its use," Neudauer said, "However, the protections that Tor offers can be attractive to criminal enterprises or actors and HSI [Homeland Security Investigations] will continue to pursue those individuals who seek to use the anonymizing technology to further their illicit activity."
When the DHS inquiry was brought to his attention, Lt. Matthew Isham of the Lebanon Police Department was concerned. "For all the good that a Tor may allow as far as speech, there is also the criminal side that would take advantage of that as well," Isham said. "We felt we needed to make the city aware of it."
Deputy City Manager Paula Maville said that when she learned about Tor at the meeting with the police and the librarians, she was concerned about the service's association with criminal activities such as pornography and drug trafficking. "That is a concern from a public relations perspective and we wanted to get those concerns on the table," she said.
Faced with police and city concerns, library director Fleming agreed to turn off the Tor relay temporarily until the board could reconsider. "We need to find out what the community thinks," he said. "The only groups that have been represented so far are the police department and city hall."
Fleming said that he is now realizing the downside of being the first test site for the Tor initiative.
"There are other libraries that I've heard that are interested in participating but nobody else wanted to be first," he said. "We're lonesome right now."
As the government continues to play Whac-a-Mole with darknet drug bazaars, one of the Silk Road's leading darknet market replacements says it has temporarily suspended service over Tor vulnerability concerns. In an encrypted post to the site's buyers and dealers (copied over to Pastebin and to the /r/darknetmarkets subreddit), Agora's administrators say the darknet market is nervous about law enforcement's ability to take advantage of recent Tor vulnerabilities, and as such are pulling the market offline for an undisclosed amount of time to protect the site:
"Recently research had come that shed some light on vulnerabilities in Tor Hidden Services protocol which could help to deanonymize server locations. Most of the new and previously known methods do require substantial resources to be executed, but the new research shows that the amount of resources could be much lower than expected, and in our case we do believe we have interested parties who possess such resources. We have a solution in the works which will require big changes into our software stack which we believe will mitigate such problems, but unfortunately it will take time to implement."
While the post doesn't specify which Tor vulnerability the market is responding to, a paper recently published by researchers from Qatar University and MIT argued that it was possible to use a Tor vulnerability to identify Tor hidden services with as much as 88% accuracy. Tor director Roger Dingledine responded to these findings in a blog post back in July. Dingledine downplayed the likelihood of the vulnerability being exploited in the wild, while pointing out that researchers have long over-estimated the ease of such fingerprinting methods in the real world.
To succeed in the fingerprinting process, the attacker needs to control the Tor entry point for the server hosting the hidden service, and have previously collected unique network identifiers allowing for the fingerprinting for that particular service. Still, Agora itself strongly hints that they've seen some (presumably law enforcement) behavior in the wild already attempting to take advantage of the vulnerability, and wasn't willing to take the risk:
"...We have recently been discovering suspicious activity around our servers which led us to believe that some of the attacks described in the research could be going on and we decided to move servers once again, however this is only a temporary solution. At this point, while we don't have a solution ready it would be unsafe to keep our users using the service, since they would be in jeopardy. Thus, and to our great sadness we have to take the market offline for a while, until we can develop a better solution. This is the best course of action for everyone involved."
"We noticed the strange happenings early on. We KNOW that TOR devs are the best of the best. This is only theoretical paper from MIT students. TOR updates daily on a development level, they would fix any vulnerabilities from any theoretical paper. Emphasis: Theoretical Paper, Not Successful Tests. We have covered all bases."
While the Agora shutdown combined with dropping Bitcoin value (due to the potential forking of currency development by those concerned about scalability) have Bitcoin advocates and darknet market users sweating a bit, Agora's shutdown would seem to be only a temporary bump in the road to future darknet opsec skirmishes. Agora already had survived last November's Operation Onymous, which took down Silk Road 2 and 400 other websites. It's still debated whether those seizures were thanks to a Tor vulnerability or old-fashioned detective work (law enforcement obviously isn't keen on being illuminating).
Even if Agora doesn't return, there's a half-dozen or more already established Darknet markets happy to fill the void and satiate the globe's inexhaustible supply of drug buyers and dealers, those entertained by the endless game of opsec cat and mouse, and the government's insatiable need to fill its mole-whacking quota.
There have been plenty of discussions on the possible "risks" of running a tor exit node, where clueless law enforcement might confuse traffic that comes out of that node as being from the person who actually manages the node. And, indeed, last year we wrote about an absolutely ridiculous case in which a tor exit node operator in Austria was found guilty as an "accomplice" because someone used his node to commit a crime. Thankfully, it appears that the US isn't going quite down that road yet. It appears that a month and a half ago, of all places, the website Boing Boing received a subpoena concerning the tor exit node that the site hosts, demanding an appearance before a federal grand jury in New Jersey.
Except, Boing Boing's lawyer, Lauren Gelman, quickly shot off a note explaining "tor exit node" to the FBI... and the FBI understood what was going on and moved on. Really. Here's the note that Gelman sent:
Special Agent XXXXXX.
I represent Boing Boing. I just received a Grand Jury Subpoena to Boing Boing dated June 12, 2015 (see attached).
The Subpoena requests subscriber records and user information related to an IP address. The IP address you cite is a TOR exit node hosted by Boing Boing (please see: http://tor-exit.boingboing.net/). As such, Boing Boing does not have any subscriber records, user information, or any records at all related to the use of that IP address at that time, and thus cannot produce any responsive records.
I would be happy to discuss this further with you if you have any questions.
They didn't have any questions. They understood the situation and (one assumes) continued the investigation through other means. As Cory Doctorow writes:
The FBI agent did his homework, realized we had no logs to give him, and no one had to go to New Jersey. Case closed. For us, anyway. Not sure what went down with the grand jury.
We write plenty of stories about "clueless" law enforcement and politicians overreacting to things by not understanding the technology. Because that's newsworthy. But it is worthwhile, every once in a while, to remember that there are some in these jobs who do understand technology and are perfectly willing to understand what is happening and continue to do their jobs without going overboard.
And, as Cory notes, perhaps this story of nothing actually happening will be useful in convincing a few more people that maybe the "risks" of running a tor exit node aren't quite as high as some have made them out to be. Yes, you may receive a subpoena, but hopefully it's from law enforcement willing to understand how tor actually works and what it means.
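The check behind Gelman's note, whether a given IP address was a Tor exit at the time in question, is something both an exit operator and an investigator can do from public data: the Tor Project publishes a plain-text list of measured exit addresses (ExitNode / Published / LastStatus / ExitAddress records) at check.torproject.org/exit-addresses, and keeps historical lookups in its ExoneraTor service. The following is an added example, not code from Boing Boing or the Tor Project: it parses that record format and answers "was this IP exiting Tor within N hours of this timestamp?". The fingerprints, addresses and times in the embedded sample list are constructed for the example, not real data.

```python
"""Answer "was this IP a Tor exit around time T?" from a Tor exit-address list.

Record format (one block per exit relay, as published at
https://check.torproject.org/exit-addresses):

    ExitNode <40-hex fingerprint>
    Published <YYYY-MM-DD HH:MM:SS>
    LastStatus <YYYY-MM-DD HH:MM:SS>
    ExitAddress <ip> <YYYY-MM-DD HH:MM:SS>     (may repeat if the exit IP changed)

The sample below is constructed for this example; nothing in it is real.
"""
from datetime import datetime, timedelta

SAMPLE_EXIT_LIST = """\
ExitNode 0000000000000000000000000000000000000001
Published 2015-06-12 03:10:00
LastStatus 2015-06-12 05:00:00
ExitAddress 198.51.100.7 2015-06-12 05:21:13
ExitNode 0000000000000000000000000000000000000002
Published 2015-06-11 22:47:00
LastStatus 2015-06-12 04:00:00
ExitAddress 203.0.113.44 2015-06-12 04:12:50
ExitAddress 203.0.113.45 2015-06-10 18:03:21
"""

TIME_FMT = "%Y-%m-%d %H:%M:%S"


def parse_exit_list(text):
    """Return a list of (fingerprint, exit_ip, observed_at) tuples.

    A relay block may carry several ExitAddress lines (the relay changed the
    address it exits from), so each address is recorded separately.
    """
    fingerprint = None
    records = []
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "ExitNode":
            fingerprint = parts[1]
        elif parts[0] == "ExitAddress" and fingerprint is not None:
            observed = datetime.strptime(parts[2] + " " + parts[3], TIME_FMT)
            records.append((fingerprint, parts[1], observed))
    return records


def was_tor_exit(records, ip, when, window_hours=24):
    """Fingerprints of relays measured exiting from `ip` within `window_hours`
    of `when`. The list records the time an exit address was measured, not the
    whole interval the relay used it, so a window around the event is needed
    rather than an exact timestamp match (the window size is a judgment call).
    """
    window = timedelta(hours=window_hours)
    return sorted({fp for fp, addr, observed in records
                   if addr == ip and abs(observed - when) <= window})


if __name__ == "__main__":
    recs = parse_exit_list(SAMPLE_EXIT_LIST)
    event = datetime(2015, 6, 12, 4, 0, 0)
    for ip in ("198.51.100.7", "203.0.113.45", "192.0.2.1"):
        print(ip, "->", was_tor_exit(recs, ip, event) or "not a known Tor exit near that time")
```

In practice you would fetch the current list (or query ExoneraTor for a past date) rather than embed one; the logic is the same. A non-empty result is the fact Gelman's note states in prose: the address belongs to a relay that forwards other people's traffic, so the host behind it has no subscriber records to produce.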
We have been tracking for some time the increasingly repressive measures that the Russian authorities have brought in to censor and control the Internet. Of course, Techdirt readers know that an easy way to circumvent both censorship and control is to use tools like VPNs and Tor. Unfortunately, the Russian authorities also know this, and are now calling for action against them, as TorrentFreak reports:
Speaking at Infoforum-2015, Russian MP Leonid Levin, who is deputy head of the Duma Committee on information politics, indicated that access to anonymization and circumvention tools such as TOR, VPNs and even web proxies, needs to be restricted.
Describing the Tor network as a "den of criminals" and "ghouls, all gathered in one place", Ampelonskogo said Roskomnadzor would find a solution to block anonymous networks if it was supported by a relevant regulatory framework.
What's troubling about this latest call for even tighter control is that it was entirely predictable. Once governments start blocking sites and restricting freedom of speech online, people inevitably respond by using VPNs and Tor to circumvent these measures. And that means that if governments want their laws to be effective, at some point they will take direct action against circumvention tools. That's why it's particularly worrying that Western governments have started down this road: it implies that they, too, might one day try to ban VPNs and Tor.
Anything that makes law enforcement's job slightly more difficult is swiftly turned into a pariah. And usually the worst kind of pariah: a child molester.
Apple and Google both announced encryption-by-default going forward on their mobile phone operating systems. Law enforcement officials swiftly gathered to talk loudly about all of the dead and molested children that would result from this decision.
The same goes for Tor. The use of Tor can obscure criminal activity -- by hiding the perpetrator and the activity itself. There are plenty of legitimate reasons to use Tor (like many internet services and platforms hoovering up tons of data themselves), but because it makes chasing "bad guys" a little harder, it too must go.
The best way for government agencies to get rid of something they don't like is legislation. When a law enforcement official says something like the following, they're not hoping to sway the intelligent and informed members of the public. They're saying it to sway those who can actually do something about it: tech-clueless legislators and those who vote for them.
At the State of the Net conference in Washington on Tuesday, US assistant attorney general Leslie Caldwell discussed what she described as the dangers of encryption and cryptographic anonymity tools like Tor, and how those tools can hamper law enforcement…
“Tor obviously was created with good intentions, but it’s a huge problem for law enforcement,” Caldwell said in comments reported by Motherboard and confirmed to me by others who attended the conference. “We understand 80 percent of traffic on the Tor network involves child pornography.”
That's a scary number. And it's not even close to accurate.
Wired's Andy Greenberg explains how Caldwell took a statistic from Tor research and twisted it to further the government's agenda.
Which is a big difference. "Hidden services" is not just another term for "Tor traffic." Caldwell conflated the two to further the DOJ's push for the end of anything that presents an obstacle to easy access.
The real number is much lower. Greenberg says that most Tor traffic doesn't route to darknet sites. Only about 1.5% of Tor traffic accesses hidden services, and 80% of 1.5% is a number that wouldn't even trouble the most tech-addled Congressperson or the retirement community that repeatedly votes him or her back into office.
At most, a little over 1% of Tor traffic is related to child pornography. That very low number would seem resistant to improvement. How much money and effort should be thrown at 1% of a service in limited use? The answer would appear to be "not very much," but that doesn't tear down Tor's walls or approve budget requests. So, "80% of all Tor traffic" it is, according to the DOJ.
A Tor client makes a hidden service directory request the first time it visits a hidden service that it has not been to in a while. (If you spend hours at one hidden service, you make about 1 hidden service directory request. But if you spend 1 second each at 100 hidden services, you make about 100 requests.) Therefore, obsessive users who visit many sites in a session account for many more of the requests that this study measures than users who visit a smaller number of sites with equal frequency...
The greater the number of distinct hidden services a person visits, and the less reliable those sites are, the more hidden service directory requests they will trigger.
He breaks this down later with a hypothetical situation. 1000 people use Tor to access chat rooms while 10 conspiracy theorists use it to dig for information. Chat users may only log in once or twice a day and hang out at the same handful of venues. The ten conspiracy theorists may visit dozens of sites looking for more crazy, while entering and exiting multiple times. To an outside observer, this activity would appear to indicate that 10 conspiracy theorists make up a larger portion of Tor traffic than 1000 chat room users.
Child porn, like regular porn, is generally not one-stop shopping, unlike a favorite chatroom. Multiple site visits and multiple entrances/exits would inflate the percentage of child porn-related traffic relative to the (observable) whole.
Users who use it for obsessive behavior that spans multiple unreliable hidden services will be far overrepresented in the count of hidden service directory requests than users who use it for activities done less frequently and across fewer services. So any comparison of hidden service directory request counts will say more about the behavioral differences of different types of users than about their relative numbers, or the amount of traffic they generated.
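The counting bias Dingledine describes is easy to see with numbers. Below is an added example, not code from the Tor Project or from the study: a small model in which each cohort of users issues one hidden service directory request per distinct service per session, plus retries when a service is unreachable. The cohorts, rates and the retry assumption (failed fetches are retried until one succeeds, so a failure rate p gives 1/(1-p) attempts per lookup on average) are constructed for the example, not measurements. It returns each cohort's share of users next to its share of directory requests.

```python
"""Why hidden service directory (HSDir) request counts do not measure users.

Model (constructed for this example, not from the study or the Tor Project):
- a client issues one HSDir request the first time it visits a service in a session;
- an unreliable service makes the fetch fail with probability p, and the client
  retries until success, so expected attempts per lookup are 1/(1-p) (geometric mean).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Cohort:
    name: str
    users: int
    sessions_per_day: float        # separate Tor sessions per user per day
    services_per_session: float    # distinct hidden services visited per session
    fetch_failure_rate: float      # fraction of descriptor fetches that fail (0 <= p < 1)


def requests_per_user_day(c):
    """Expected HSDir requests one user in cohort c issues per day."""
    if not 0.0 <= c.fetch_failure_rate < 1.0:
        raise ValueError("fetch_failure_rate must be in [0, 1)")
    attempts_per_lookup = 1.0 / (1.0 - c.fetch_failure_rate)
    return c.sessions_per_day * c.services_per_session * attempts_per_lookup


def user_and_request_shares(cohorts):
    """Map cohort name -> (share of users, share of HSDir requests)."""
    total_users = sum(c.users for c in cohorts)
    requests = {c.name: c.users * requests_per_user_day(c) for c in cohorts}
    total_requests = sum(requests.values())
    return {c.name: (c.users / total_users, requests[c.name] / total_requests)
            for c in cohorts}


# The hypothetical from the text: 1000 chat users who log in once or twice a day
# and stay at the same few venues, versus 10 people who hop across dozens of
# flaky sites and reconnect repeatedly. Rates are assumptions for illustration.
CHAT = Cohort("chat", users=1000, sessions_per_day=1.5,
              services_per_session=2, fetch_failure_rate=0.0)
OBSESSIVE = Cohort("conspiracy", users=10, sessions_per_day=4,
                   services_per_session=30, fetch_failure_rate=0.5)

if __name__ == "__main__":
    for name, (users, reqs) in user_and_request_shares([CHAT, OBSESSIVE]).items():
        print(f"{name:12s} share of users {users:6.1%}   share of HSDir requests {reqs:6.1%}")
```

With these inputs the ten obsessive users are under 1% of the population but generate about 44% of the directory requests, which is the point of the passage: a request count ranks behaviours, not headcounts or bytes of traffic.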
In addition, law enforcement and anti-child porn agencies' own investigative efforts could very well be adding to this 1.2% figure.
Also, a very large number of hidden service directory requests are probably not made by humans! See bug 13287: We don't know what's up with that. Could this be caused by some kind of anti-abuse organization running an automated scanning tool?
So, there's a good chance that the non-scary 1.2% number is too high. Sure, the ideal would be 0.0% but law enforcement agencies should actually be pleasantly surprised the number is so low, rather than misquoting stats to make it appear as though anonymization services are child porn enthusiasts' playgrounds.
It isn't just child porn the government is after. There's a whole host of darkweb activities it wants to indict people for. But child porn "sells" better than drugs or prostitution or even the US's latest public enemy no. 1: terrorism. The number the DOJ is using to sell its attack on Tor is blatantly false, as anyone with a minimal amount of Google skills would quickly discover. But the DOJ doesn't care whether you or I believe it. It only needs enough people in Washington DC to believe it. The DOJ doesn't speak to the citizens. It only speaks to those who can assist it in stripping away what minimal personal data-shielding options we have left.
Late last week, the Tor Project blog posted a somewhat vague warning about the possibility of an upcoming attempt to disable the Tor network by going after and seizing specialized directory authority servers that are the key to making Tor work.
The Tor Project has learned that there may be an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities. (Directory authorities help Tor clients learn the list of relays that make up the Tor network.) We are taking steps now to ensure the safety of our users, and our system is already built to be redundant so that users maintain anonymity even if the network is attacked. Tor remains safe to use.
We hope that this attack doesn't occur; Tor is used by many good people. If the network is affected, we will immediately inform users via this blog and our Twitter feed @TorProject, along with more information if we become aware of any related risks to Tor users.
Given that, it seemed especially noteworthy that over the weekend a bunch of Tor exit nodes were apparently quietly seized, according to Thomas White, who ran those servers:
Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken.
While he initially suggested that the way it was done made it seem likely that law enforcement was behind it, he later toned down that suggestion, saying he thought it was less likely that law enforcement was involved than he originally believed. Update: And now the servers have been returned and while there's still some confusion, it looks like nothing nefarious happened here.
Tor itself isn't compromised -- and pretty much all experts agree that it remains safe -- but it's troubling to see what may have been an attempt to compromise parts of the network.
As we mentioned in last week's post on the arrest of Blake Benthall, the alleged operator behind Silk Road 2.0, the arrest was actually part of a larger global effort to take down around two dozen "darknet" websites. While the Benthall indictment does talk about an undercover Homeland Security employee who infiltrated Silk Road 2.0 to gather evidence, a key part of the evidence gathering is left vague: how did officials find the actual servers that were supposedly hidden by Tor? In the past few days, a big effort has been undertaken by a bunch of folks, including key Tor developers to try to work out how all of this happened:
Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of Torservers.net disappeared and there is another report by an independent relay operator. If anyone has more details, please get in contact with us. If your relay was seized, please also tell us its identity so that we can request that the directory authorities reject it from the network.
But, more to the point, the recent publications call the targeted hidden services seizures "Operation Onymous" and they say it was coordinated by Europol and other government entities. Early reports say 17 people were arrested, and 400 hidden services were seized. Later reports have clarified that it was hundreds of URLs hosted on roughly 27 web sites offering hidden services. We have not been contacted directly or indirectly by Europol nor any other agency involved.
Tor is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissidents. We are also interested in learning why the authorities seized Tor relays even though their operation was targeting hidden services. Were these two events related?
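The Tor post above asks operators of seized relays to report the relay's identity so the directory authorities can reject it. That identity is the relay fingerprint, which Tor's directory spec defines as the SHA-1 of the DER-encoded (PKCS#1 RSAPublicKey) identity key, printed as 40 upper-case hex digits in groups of four. The script below is an added illustration, not Tor Project code: it builds that DER structure, derives the fingerprint from a "signing-key" PEM block, checks a descriptor's "fingerprint" line against the key it carries, and matches fingerprints against a list of reported relays. The descriptor and the modulus are constructed for the example (the modulus is not a real RSA key; the fingerprint only hashes the encoding, so it does not need to be).

```python
"""
Tor relay fingerprint helpers (added illustration, not Tor Project code).
Assumption from tor dir-spec: fingerprint = SHA-1 over the DER-encoded
RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER },
hex-encoded upper-case, written in descriptors as ten groups of four digits.
"""
import base64
import hashlib
import re


# --- minimal DER encoder for the RSAPublicKey structure ---------------------
def _der_len(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _der_int(v: int) -> bytes:
    b = v.to_bytes(max(1, (v.bit_length() + 7) // 8), "big")
    if b[0] & 0x80:          # leading 0x00 keeps the INTEGER positive
        b = b"\x00" + b
    return b"\x02" + _der_len(len(b)) + b


def rsa_public_key_der(n: int, e: int) -> bytes:
    body = _der_int(n) + _der_int(e)
    return b"\x30" + _der_len(len(body)) + body


def der_to_pem(der: bytes) -> str:
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN RSA PUBLIC KEY-----\n" + "\n".join(lines)
            + "\n-----END RSA PUBLIC KEY-----")


def pem_to_der(pem: str) -> bytes:
    body = re.sub(r"-----(BEGIN|END) RSA PUBLIC KEY-----", "", pem)
    return base64.b64decode("".join(body.split()))


# --- fingerprint derivation and checks --------------------------------------
def fingerprint_from_der(der: bytes) -> str:
    return hashlib.sha1(der).hexdigest().upper()


def fingerprint_from_pem(pem: str) -> str:
    return fingerprint_from_der(pem_to_der(pem))


def format_fingerprint(fp: str) -> str:
    """Descriptor form: 40 hex digits in groups of four, single-space separated."""
    return " ".join(fp[i:i + 4] for i in range(0, 40, 4))


def check_descriptor(descriptor: str) -> bool:
    """True iff the descriptor's 'fingerprint' line matches SHA-1 of its signing-key."""
    m_fp = re.search(r"^fingerprint ((?:[0-9A-F]{4} ){9}[0-9A-F]{4})$", descriptor, re.M)
    m_key = re.search(r"^signing-key\n(-----BEGIN RSA PUBLIC KEY-----.*?"
                      r"-----END RSA PUBLIC KEY-----)", descriptor, re.M | re.S)
    if not (m_fp and m_key):
        return False
    return m_fp.group(1).replace(" ", "") == fingerprint_from_pem(m_key.group(1))


def is_seized(fp: str, seized: set) -> bool:
    """Match a fingerprint (spaced or not, any case) against reported relays."""
    norm = lambda s: s.replace(" ", "").upper()
    return norm(fp) in {norm(s) for s in seized}


# --- constructed sample data (not a real relay, not a real key) -------------
N = (1 << 1023) | int.from_bytes(hashlib.sha256(b"constructed relay").digest() * 4, "big") | 1
E = 65537
SAMPLE_PEM = der_to_pem(rsa_public_key_der(N, E))
SAMPLE_FP = fingerprint_from_pem(SAMPLE_PEM)
SAMPLE_DESCRIPTOR = (
    "router examplerelay 203.0.113.10 9001 0 0\n"          # constructed, trimmed
    "fingerprint " + format_fingerprint(SAMPLE_FP) + "\n"
    "signing-key\n" + SAMPLE_PEM + "\n"
)
# Same descriptor with the first hex digit of the fingerprint line changed.
_first = SAMPLE_FP[0]
_other = "0" if _first != "0" else "1"
TAMPERED_DESCRIPTOR = SAMPLE_DESCRIPTOR.replace("fingerprint " + _first,
                                                "fingerprint " + _other, 1)

if __name__ == "__main__":
    print("fingerprint:", format_fingerprint(SAMPLE_FP))
    print("descriptor consistent:", check_descriptor(SAMPLE_DESCRIPTOR))
    print("tampered consistent:  ", check_descriptor(TAMPERED_DESCRIPTOR))
    print("in reported list:     ", is_seized(SAMPLE_FP, {format_fingerprint(SAMPLE_FP)}))
```

The consistency check matters in exactly the situation the post describes: a relay whose hardware was opened and returned should be treated as having a possibly compromised identity key, so the operator reports the fingerprint derived from the key, not a value copied from a log, and generates a fresh identity before bringing the relay back.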
The Tor post lists out a number of possible scenarios under which the hidden servers were located, including bad operational security (opsec), SQL injections (because, of course), Bitcoin deanonymization and attacks on the Tor network. That last one is getting a lot of attention for a variety of reasons. Kashmir Hill over at Forbes has an interesting post exploring the possible connection with the cancelled Black Hat talk from this summer about identifying Tor users, which was done by some Carnegie Mellon researchers. Around that time, Tor also revealed that its network had been compromised, and asked everyone to upgrade to patch vulnerabilities. Many assume these two things were connected.
If you control enough of the Tor network, it’s possible to get a kind of bird’s eye view of the traffic being routed through it. It was clear that Tor thought the Carnegie Mellon researchers were responsible. The researchers refused to talk to the press, but a conference spokesperson told Reuters the talk was canceled because the researchers hadn’t cleared the release of their work through their department, the Software Engineering Institute, which receives funding from the Defense Department. At the time, many assumed that the university pulled the plug on the talk because of academic ethics considerations and the gray legal zone it was in, with the researchers casually intercepting Web traffic. But maybe it got pulled because the researchers were revealing a law enforcement technique that the government did not want publicized. If nothing else, it’s highly likely the information the researchers collected about “drug dealers and child pornographers” made its way into law enforcement hands. McCord said he was “unable to comment on the matter.” Carnegie Mellon’s SEI declined comment about the canceled talk and about whether it had provided information from the research to law enforcement.
Hill also quotes Nicholas Weaver with some thoughts on what happened:
“I am 95% certain that law enforcement did a mass de-anonymization attack on Tor hidden services,” says Nicholas Weaver, a researcher at the International Computer Science Institute. He called any link to the earlier research “circumstantial.” But he points out that the work the researchers did was expensive. A “back of the envelope estimate suggests that whoever was running the attack on Tor at the beginning of the year using [Amazon hosting services] spent at least $50,000 in computer time,” says Weaver. That’s not the kind of money an academic can spend on a hobby project.
Meanwhile, one of the (still free) operators of Doxbin, a Tor hidden site that was taken down by the feds, has stepped forward to release a bunch of log files and related information that might help track down how it was discovered (he posted to a mailing list under the amusing subject line "yes hello, internet supervillain here"). This has resulted in much more speculation about what kind of attack was being run.
As it stands, no one (other than law enforcement) knows exactly how this came down, but I would imagine that it won't be long until people have figured out what likely happened, and fixes are put in place. This, of course, is the nature of any sort of anonymization effort. People will always break it for some reason or another, and then it's just an ongoing back and forth to fix holes and improve the system...