Half of Tor Sites Compromised, Including TORMail
First time accepted submitter elysiuan writes "The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA. In a crackdown the FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network have been compromised, including the e-mail counterpart of TOR deep web, TORmail. The FBI has also embedded a 0-day Javascript attack against Firefox 17 on Freedom Hosting's server. It appears to install a tracking cookie and a payload that phones home to the FBI when the victim resumes non-TOR browsing. Interesting implications for The Silk Road and the value of Bitcoin stemming from this. The attack relies on two extremely unsafe practices when using TOR: Enabled Javascript, and using the same browser for TOR and non-TOR browsing. Any users accessing a Freedom Hosting hosted site since 8/2 with javascript enabled are potentially compromised."
Looks very much like the three letter agencies decided it's time now to start playing hardball.
Computer Intrusion is illegal, and the FBI knows that.
So is spying on someone without a warrant, and given that they can't know who they're spying on, I don't see how they could possibly have obtained a warrant for this action.
I hope the TOR user community sues them. Very roughly. And with extreme prejudice.
The US has gotten way too fucking big for its britches.
I used to think maybe there was justification for the anti-terrorism attitude that the US has.
I've changed my mind.
My sympathies now lie with those who rise up against these goddamn born-again Nazis in their attempt at world domination.
You go, Al Qaeda!
I do not fail; I succeed at finding out what does not work.
Put your Tor client in a Secure Linux VM, so none of your hardware information can be exposed. Go to https://check.torproject.org/ to check if Tor is working, and make sure NoScript or something similar is enabled.
Should have invited the feds to defcon after all. Seems they got bored this weekend.
So the FBI, with no particular target in mind, are using the Tor network as a line of beaters in the bush scaring out any kind of animal and hopefully only shooting the ones they are trying to find. Meanwhile, every animal is scared out of its normal activities until the beaters have passed.
Yeah, that's not intrusive at all. No privacy compromised for anyone. And all it takes is the FBI actually infecting the Tor network with their own malware. Thank heavens they're the good guys. Oh, wait, the good guys wouldn't intentionally infect computers and networks, would they?
I wonder about the legality of FBI's action here. Ok, I guess they have some kind of search order/wiretap order for "investigating pedophiles" against one specific site, but what about collateral damage? I mean they shut down an email service used by normal people as well. They did track and spy on activities of normal law-abiding citizens. Did they effectively break into a big number of law-abiding citizens' machines against whom no search or wiretap orders were issued?
Or can FBI hack anyone at will without any legal oversight? I don't remember getting the memo where such behaviour from a government agency is legal.
Well I guess we can stop pretending we live in a law-abiding democratic world. It's an oligarchy run by the banks, the rich, lobbyists and professional politicians, and screw everyone else...
--Coder
So basically, if you're legally accessing a website while browsing with Tor, making use of legal services in a legal fashion... the FBI will install a wiretap on your computer, without a warrant, in order to monitor all your activities, on the off chance that you might be up to no good. This is rather like walking out into rush hour traffic, pointing at random cars, and saying "Search that car! We know terrorists use cars, so let's start searching them all."
Dear FBI,
Fuck you. That's a terrorist's mentality. You're worse than the lowly pieces of shit you hunt, because we expected you to uphold principles of integrity, honor, and those other words you got plastered on your slimy logo that used to mean something. You are, in fact, worse than a terrorist: You're a corrupt law enforcement organization with a bigger budget than any terrorist organization out there, and you are doing more harm to this country than catching a hundred Bin Ladens could accomplish.
-_- The internet is a global and international community and you need to show some restraint, otherwise you're going to create large amounts of resentment and anger throughout the world. No wait: You already have created this. You are endangering the infrastructure and the people you are oath-bound to protect with your actions. I don't give a flying fuck through a rolling doughnut what authority or law you think gives you the right to act in this fashion... you're a public menace. You're just giving everyone who doesn't like this country piles of ammunition and sympathy from the general public that can be used to attack MY country.
Knock it the fuck off. Now.
#fuckbeta #iamslashdot #dicemustdie
My fault, at least August 2nd. Potentially longer.
Exit nodes weren't involved in this since it's an attack against hidden services whose traffic by definition remains within the TOR network. It's not really an attack on TOR, it was an attack on the server software Freedom Hosting was running and clueless/idiot TOR users with javascript enabled and other unsafe TOR habits.
Totally agree with you: people thinking that TOR is some anonymity panacea is shortsighted.
I'm starting to wish governments would just get it over with and declare a permanent state of emergency. A different arm band for each person's assessed threat level, embedded RFID with skin tattoo for redundancy and mandatory iris, DNA and fingerprint sampling for all citizens. Upgrade traffic cameras with RFID readers and facial recognition software, require RFID and cellular GPS transponders on all automobiles and motorcycles and perform mandatory searches of persons and vehicles for any traffic stop. Nationalizing all ISPs, search engines, telco providers and banks would also be a smart move. Frankly I'm disappointed the government is taking this long. Guess that's democracy for ya.
Buy your next Linux PC at eightvirtues.com
The "I don't like the government monitoring me" part of me objects to this, but the "Find every pedo and kill them slowly" part of me is currently winning out
You're part of the problem. Have fun getting groped at airports.
Filthy, filthy copyrapists!
With that said, why would you want to kill pedophiles? Not every pedophile is a child molester (nor is a child molester necessarily a pedophile), and not every pedophile even looks at child pornography.
Filthy, filthy copyrapists!
"Any users accessing a Freedom Hosting hosted site since 8/2 with javascript enabled are potentially compromised."
That would include all the FBI computers used to deliver the poison, then?
Nah, they're probably using IE 6. Still.
Faster! Faster! Faster would be better!
First of all, use Whonix to access Tor, never the same browser you use for any other purpose.
Second, use Firefox with a JonDoFox profile which is not included in Whonix Workstation by default.
Third, go to ip-check.info and run the test on your browser. Everything should be green or yellow at the worst. If you see anything in red, fix it before you go to any questionable site. Finally, make sure you don't have any DNS Leaks in your host OS by running this test also from your regular host browser. Don't use or trust DNS from your ISP.
If you want to be extra-cautious, run the Whonix Gateway after you establish a VPN connection. Choose an offshore provider that has multi-hop technology to avoid traffic analysis. I'm using iVPN who is located in Malta.
You would have had to be running Firefox 17 on Windows afaik (that was the version included by the Tor Bundle).
You had to be running the specific, modified Firefox version that's shipped with Tor.
Mozilla's Firefox 17 (ESR) has been patched for this vulnerability. (i.e. it's not a real 0-day)
They want to protect the children as much as they are chasing terrorists, capturing some people that sell/use drugs or catching (not very big) tax evaders. They will use those "wars" to show some results, but their main target is still the US population, the only ones capable of taking them out of power.
Firefox 17.0.7 is still the latest in the ESR update channel.
I think I've read research showing that even most child molesters are not pedophiles. Also, I don't think it's technically illegal to be a pedophile in any country, but since sharing child pornography is illegal it's irrelevant if the perpetrator is a pedophile, child molester, or just some random guy.
c++;
Yesterday I made a posting on CNN regarding the story about the heightened terrorist threat alert. While it covers a different subject, I could re-write it to fit this situation, but I think the slashdot crowd will get my drift, here is a direct copy\paste:
I do not know who to trust or what to think anymore. If this threat is real or not, I imagine we are intended to suppose that it was the US government's blanket surveillance of the world, including domestic spying that tipped them off. On the other hand, the timing is such (Snowden/Manning) that for all I know they made the whole thing up to better justify government wrongdoing in the eyes of the people. Or perhaps al Qaeda made the whole thing up just to see if they can manipulate the movements of our government by taking advantage of info gathering with a campaign of false intel. I don't know who to trust or what to think anymore, with the exception that I know I don't trust my own government. They have proven themselves manipulative liars.
Brought to you by Carl's Junior.
I love hearing cases where the law makes no sense. A 16-year-old and his 16-year-old girlfriend have sex. Statutory rape charges are brought against the boyfriend, but are dismissed because the laws state that you have to be 18 to be charged. The girlfriend records it on her phone, and sends a copy to the boyfriend. She gets charged with production of child porn, and he gets charged with having it. Welcome to the new world order.
I don't see how this affects Bitcoin at all. It's not an exploit of Bitcoin. Bitcoin isn't dependent on any onion sites, "Freedom Hosting", or Tor. The Silk Road are not the only users of Bitcoin.
Firefox 17 is Mozilla's Extended Support Release. I believe the 17.0.x branch still gets minor updates. The articles are vague about the zeroday and whether they affect the latest of that line (17.0.7, which is in the Tor Browser Bundle).
EFF in the White house, ASAP please.
I understand there's a legitimate need to conduct surveillance when justified. But having people from the EFF and/or ACLU running, or at least supervising things will likely act as a filter to prevent further abuses and level the playing field.
Nothing is enough for whom enough is too little - Confucius
Crazy libertarian conspiracy talk, Not real.
http://www.snopes.com/politics/guns/ssabullets.asp
Well.. maybe. Or Maybe not. But Definitely not sort of.
Why? The FBI hasn't found child pornography on this server. I'd be surprised if they didn't but I notice a distinct lack of jack-booted thugs doing their usual circle-jerk.
Note the FBI allege the company had "facilitated the spread of child pornography". Which would of course include every router and tel-co between Ireland and the person downloading. The FBI hasn't claimed the company hosted the material or linked to it, or even hosted tracker files. It is far too soon to be claiming "think of the children" in this story.
Isn't it interesting how easily people are manipulated? For some it's terrorism, for some child porn. I wonder what it would be for me that I'd consider more important than my freedom.
Still taking suggestions.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
It's the freaking FBI. That's not exactly a secret rogue agency. FBI director Mueller briefs Obama directly. Technically, Clapper is Mueller's boss, and Obama is Clapper's boss. That's ONE GUY in the chain of command between Obama and the FBI.
I think it is very hard to believe that TOR mistakenly released a single version of their TOR browser with javascript conveniently activated. I wouldn't be surprised if there was a concerted operation with FBI to reduce child porn on the TOR network. Actually, they could be legally coerced into doing exactly that.
The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
Actually, these secret courts started in 1978
The "I don't like the government monitoring me" part of me objects to this, but the "Find every pedo and kill them slowly" part of me is currently winning out, because let's face it, for every legitimate user of TOR, there were about 200 pedos.
Have fun when FBI decides to make you a pedo by uploading crap using their malware.
Who logs in to gdm? Not I, said the duck.
FISA allows the executive, under the direction of the president, to apply for a secret search warrant from a confidential court. That's the extent of the "secrecy" there is any evidence of in the judicial branch.
That court, like any other, can approve the warrant requested by the administration. I've seen no evidence, or even any claim other than yours, that the courts in any way direct the executive agencies. Do you have anything, anything at all, to support your novel and extravagant claims? If not, doesn't it make much more sense to focus our energies on the well known and currently very visible fact that the executive is trampling the Constitution?
There's a pretty good unwrapping of the payload here, and it's a pretty creative exploit of the javascript interpreter to execute shellcode. Just from a glance at the shellcode, I see a hand-crafted HTTP header so at minimum they're using the OS network stack directly to give the tor-level UUID a public IP correlation. Beyond that, they could be doing anything since they're already through the sandbox.
Thanks to the two-party system, we have a choice between different flavors of the same police state. Since we vote for individuals rather than parties, there is less room to enforce party policy.
In the US, you can throw away your vote on the US Constitution Party (aka the theocratists), the Green Party, the libertarians (who have nice-seeming objectives but rely on the innate goodness of people and free-market economies), or what have you. Or you can vote for a candidate who might be able to get into office. That pretty much limits you to choosing gay rights or not, and how quickly to erode abortion rights.
The main other difference between the two primary parties is how they campaign. The Republicans use more vitriol and lies about fact; the Democrats use more false promises.
I'm pretty sure the FBI was moved under the Director of National Intelligence in 2004. Has it changed since then? In any event, the point stands - the FBI isn't a secret agency. They report to Obama through one intermediate person.
OK, so why the hell doesn't someone take the five minutes to add some code to Tor that would strip out client-side scripting? It's not that hard; plenty of other secure networks do it (ex. Freenet) so why the hell doesn't Tor? I mean yeah, I get it, they give you ample warnings before you download, but is there any legitimate reason they don't do this or have they just decided they don't want to try to stop this kind of attack?
No no no, you don't understand. That 100% rate just proves how good and trustworthy the whole secret system is!
This is the most surprising story I've ever read. I'm all about the feds finally growing some balls and using whatever techniques necessary to arrest some scumbags but this could easily be the tip of the iceberg given all the NSA crap going on. If they feel like they can do anything, they will and it's a slippery slope. In this particular case, I'm glad they finally stopped letting those losers hide behind legal BS.
BUT, seriously, who the hell would use TOR on a browser and then use it for non-tor stuff? I didn't know that was even possible given how the tor browser bundle works. This is seriously going to catch like zero people, lol. But A+ for effort. Then again, some pedos are notoriously dumb.
I'm kinda mad that tormail is down though. That was a huge privacy/anti-NSA tool. Obviously they took that down on purpose as "collateral" just so it's gone. That sucks.
We're now in the age of Big Data crime enforcement, where to be abnormal, in the sense of deviating too far from the median/norm is all it takes to be flagged as a suspect. The danger I see in the future is that, in order to avoid being caught in the net of the federal surveillance agencies people will deliberately start acting within the "norm", like visiting the sites online, Facebook/Twitter/G-something for your communication needs, or CNN/Fox/BBC for your "news", or whatever local site is "popular" in your area. To have an opinion will be to choose from an approved list, much like a multiple-choice exam or, worse, like the presidential election.
It's not that much different if you have more than two parties to choose from. In Europe you can vote for the socialists, who promise you the sky and deliver ... umm... well, so far they haven't delivered. You can vote for the populists who threaten you with hell on earth and crime sprees if you don't vote for them, only to deliver ... umm... well, at least as much corruption as the socis. You can vote for the conservatives who'll promise you to protect your belongings, only to rip you off to stuff their cronies in the industry. Or you could vote for the liberals who promise you lower taxes (no, seriously, that's pretty much ALL they have been promising for the last few decades), to eventually pay the same or higher taxes so their friends can pay lower taxes, but in return you get to pay for services that used to be paid for by taxes.
Or you could vote for the former communists. Well, we already saw how well that goes down.
So don't think more choice gives you better options. Instead of only being able to choose between hanging and shooting, you now also get stoning, drowning and electrocution to the fold.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
The exploit transmits your identifying information to IP address 65.222.202.54. The information includes a unique tracking number generated by the exploit server, your computer's MAC address, your computer's host name, and any other IP addresses and host names visible on your local network.
This IP address traces back to a Verizon business account just outside Washington D.C., not far from FBI and CIA headquarters. You can see the IP location trace here, complete with a zoomable Google map. However note that the location trace is probably just an approximate location. Zooming all the way in shows a local shopping center, but that's probably just the location randomly landing at the "center" of a town or other service area.
-- You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
I think there is a practical difference between a 2-party system and a n-party system where n > 2. It's not what you think, though, and I'm not sure which one is really better in practice.
At least from my observations, a two-party system produces heavy polarization. Nowhere have I seen such a polarization as the one in US between Democrats and Republicans. Everyone is sure that their POV is the good one and cannot comprehend how someone can possibly support the other party. As you say, you can choose your flavor of police state.
A system of three roughly equally big parties, however, seems to emphasize consensus. As none of the three parties can hope to form a government alone, they will need to secure the cooperation of at least one of the two others. None of them can afford to become the lone different party, because that would just result always in the other two parties forming a government (unless the winning party manages to persuade enough smaller parties to join a coalition government with the two other parties left out). The result is that you have three basically identical parties that are more or less only differentiated by how they market themselves. Of course there are politicians in the parties that would like to be different, but in order to secure a government with another of the parties, you will need to make concessions, which usually excludes the points of view that are unique to one party.
So, the end result is that you can choose from three flavors which are not really that different. Not that consensus policymaking would necessarily be bad - it's not.
In my country a fourth big party has recently emerged. It will be interesting to see how this affects the dynamics as we've only seen something like two elections where this was the case.
Of course it also depends on the system used in elections. I think the US-style "winner takes it all" system basically forces only two big parties to emerge.
Still, as someone who lives in a country with more than two big parties, I don't think I'd ever want to see a government effectively controlled by only a single party, not for any period of time.
This is already the case. If you write something which goes against government propaganda in Norway (and other NATO countries) then the government tortures you. It's already dangerous to have opinions different from the government approved list. I know a lot of people here will violently oppose this truth, but deal with it: we have to truthfully assess the current situation in order to improve it, and improvement really is needed. Free speech is a nice theory that I would like to see become practice.
9/11: Never forget it was a false-flag operation