Slashdot Mirror
Tor Project Mulls How Feds Took Down Hidden Websites
HughPickens.com writes: Jeremy Kirk writes at PC World that in the aftermath of U.S. and European law enforcement shutting down more than 400 websites (including Silk Road 2.0) which used technology that hides their true IP addresses, Tor users are asking: How did they locate the hidden services? "The first and most obvious explanation is that the operators of these hidden services failed to use adequate operational security," writes Andrew Lewman, the Tor project's executive director. For example, there are reports of one of the websites being infiltrated by undercover agents and one affidavit states various operational security errors." Another explanation is exploitation of common web bugs like SQL injections or RFIs (remote file inclusions). Many of those websites were likely quickly-coded e-shops with a big attack surface. Exploitable bugs in web applications are a common problem says Lewman adding that there are also ways to link transactions and deanonymize Bitcoin clients even if they use Tor. "Maybe the seized hidden services were running Bitcoin clients themselves and were victims of similar attacks."
However the number of takedowns and the fact that Tor relays were seized could also mean that the Tor network was attacked to reveal the location of those hidden services. "Over the past few years, researchers have discovered various attacks on the Tor network. We've implemented some defenses against these attacks (PDF), but these defenses do not solve all known issues and there may even be attacks unknown to us." Another possible Tor attack vector could be the Guard Discovery attack. The guard node is the only node in the whole network that knows the actual IP address of the hidden service so if the attacker manages to compromise the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service. "We've been discussing various solutions to the guard discovery attack for the past many months but it's not an easy problem to fix properly. Help and feedback on the proposed designs is appreciated."
According to Lewman, the task of hiding the location of low-latency web services is a very hard problem and we still don't know how to do it correctly. It seems that there are various issues that none of the current anonymous publishing designs have really solved. "In a way, it's even surprising that hidden services have survived so far. The attention they have received is minimal compared to their social value and compared to the size and determination of their adversaries."
However the number of takedowns and the fact that Tor relays were seized could also mean that the Tor network was attacked to reveal the location of those hidden services. "Over the past few years, researchers have discovered various attacks on the Tor network. We've implemented some defenses against these attacks (PDF), but these defenses do not solve all known issues and there may even be attacks unknown to us." Another possible Tor attack vector could be the Guard Discovery attack. The guard node is the only node in the whole network that knows the actual IP address of the hidden service so if the attacker manages to compromise the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service. "We've been discussing various solutions to the guard discovery attack for the past many months but it's not an easy problem to fix properly. Help and feedback on the proposed designs is appreciated."
According to Lewman, the task of hiding the location of low-latency web services is a very hard problem and we still don't know how to do it correctly. It seems that there are various issues that none of the current anonymous publishing designs have really solved. "In a way, it's even surprising that hidden services have survived so far. The attention they have received is minimal compared to their social value and compared to the size and determination of their adversaries."
If you DDOS a site using TOR it'll saturate all possible exit nodes.
Inevitably one of these exit nodes will be owned by the feds.
Would changing Tor to use exclusively IPv6 help at any level? Does IPv6 provide any benefits here, other than being 128-bit addresses?
Jumpstart the tartan drive.
They say in bold that low latency services are specifically difficult to hide and they don't know how to go about it, but why would anyone be using TOR for low latency applications? Is that important for transactional security somehow?
I wonder if they're doing their tracking by just sending traffic the servers in question from multiple places and with control over a few exit nodes. They'd basically be sending seismic waves through Tor and timing the responses. After a while and with enough exit nodes you could start figuring out where the other nodes are. With enough traffic analysis from ISPs or whatever you could find out where the TOR nodes actually are. At that point it becomes easier to figure out physically where they are.
This is theoretical, but it would be fun to try.
Seems like a lot of these .onion sites are hosted on hosting sites that accept bitcoin. Well, how many of those are around? Kinda easy to whittle down after you get that list.
If you were me, you'd be good lookin'. - six string samurai
anyone who has done IT or t-Comm work knows how they did this...
if you're not a CCNA, then this analogy may help:
your data in transmission is like a swimming pool
if you want to keep people out, you can fence it, protect it, lock it down any number of ways...
but as long as you can use it, others can gain access as well...
Thank you Dave Raggett
According to Lewman, the task of hiding the location of low-latency web services is a very hard problem and we still don't know how to do it correctly.
You can make it harder by using heterogeneous networks in series. For example, you can run a private encrypted digital network (not necessarily IPv4-based) over a modem and an international phone call. Keep that "link" filled with white noise or throwaway data when it's not being fully utilized for your communications channel. Stick that link between your "real" server and the box that is acting as the TOR hidden server. Even better, don't: Instead, have the "hidden server" talk to a proxy over the modem, and have that proxy use whatever method it wants, such as a non-TOR darknet, to talk to the "real" server.
There are of course downsides to this, not the least of which is that there are many more "static" points of vulnerability and at least two places where money is changing hands with a local telephone monopoly, which means someone can be found and subpoenaed or thumb-screwed into telling what they know. But if the hidden service only needs to stay up a few hours or days, this can introduce enough delay to make finding it difficult enough that the site will be taken down by its operators before it is discovered.
Ya think?
Tor will never work over the corporate wire. That is as absolute as the speed of light or any other natural law. Unregistered use of encryption will simply be blocked. Only with this in mind can any method of possibly successful circumvention emerge.
“He’s not deformed, he’s just drunk!”
It is also possible that after the identified Dread Pirate Roberts of Silk Road 1.0 they traced a connection from him to the Silk Road 2.0 DPR says that only he knew the identity... but when did he set it up how often did they communicate and did he leave any trace?
I never believed the story of how DPR was originally identified. It is standard practice for intelligence agencies and sometimes police to hide their sources through parallel construction. They really find something out one way- then, after the fact, figure out all the ways they could plausibly have gotten the same information and say that is how they got the information. To make it more believable they can actually run the script and gather the info a second time in a manner that doesn't reveal their sources.
Uh --- newbie fella --- if you have the budget, everything has always been open source.
...
Ultimately, everything is assembly language and this means everything is open source and the US government sure has the budget.
With a single kind of exception, but being a newbie fella, you'd never guess
Priest: "Universe from nothing, no laws of physics, sped up time"+ huge discrepancies. Creationism? No. Big Bang Theory
why would anyone be using TOR for low latency applications?
I think by "low latency" they mean "less than a few seconds" vs. "long enough to get a cup of coffee" transactions such as "please wait while XYZ downloads and installs the latest update."
hiding the location of low-latency web services
Wait... I thought we were talking about Tor.
Tor was written by the federal government. Enough said.
Only the State obtains its revenue by coercion. - Murray Rothbard
If you're running a secret drug website that makes tens of thousands of dollars a month in commissions, who gives a shit if your physical server gets seized? Full disk encrypt that fucker, host it on a -real physical- server, and pay the $100 a month to your host with a burner card (or in bitcoins). If/when it gets seized, flip your hidden service over to the hot spare you got running. Eventually, they'll tire of playing whack-a-mole.
Seriously, thinking about how to run this shit securely isn't hard.
pretty easily done.
As I understand the Tor process, every tine I fire up Tor it randomly chooses an exit node(*).
Suppose I am running some exit nodes (as the NSA is suspected of doing). If I want to find the location of a hidden service I just fire up Tor and access an onion website with a specific tempo. If one of my exit nodes shows traffic with that tempo, then I know that's the exit node for this onion connection and I can trace the exit connection(**).
If you access the site many times, eventually the statistical nature of the tempo (in your own exit node) will be apparent among the random noise of other traffic. If you do the process many times, eventually you'll find a strong statistical evidence for the target IP address.
How many Tor exit nodes does the FBI run? How much time can they put into discovering each site? Can tempo-based access be automated?
See here for more info. From a paper published in 2011 comes the quote:
This would be my guess.
(*) For the onion protocol it's listed as a rendezvous point and there's some protocol negotiation, but it's essentially an exit node.
(**) Actually it's even simpler. Tor reports the IP address of your exit node - just keep starting Tor until the exit node is a system you control.
There are no privileged routers (or 'guard' nodes) on I2P, and from the perspective of "relays" I2P has many times the number Tor has.
Its way better than Tor when you're looking mainly to communicate with other anon sites/users. Comes with bittorrent and an option for decentralized (serverless) securemail.
If you have so much resources as government of USA, what's the problem to get for example 500 servers in different places around the world with lets say 1 gigabit each. I assure you that they would know everything while standing in front and at the exit, sometimes even whole road. Tor client is picking those servers with best throughput first logically, it's not really random. Maybe even they already did that, maybe NSA and they are feeding public with exploit version. I would do that if i were them...
"she can launch a traffic confirmation attack"? OMFG...seriously? Are we so PC now that we have to refer to "attackers" as "she" lest we offend someone? Give me a break. Anita Sarkeesian would be so proud, I'm sure. Yes, women can be hackers. Great. And women can be rapists too (apparently). But, seriously, what are the @#$! odds? If there's a 0.1% chance a woman might do something, do we suddenly have to tiptoe through every article we write on the subject making sure to carefully balance the use of "he" with "she" in equal allotments?
The world has lost its freaking mind.
Judging by the file names on iMule when I decided to look into it, it *LITERALLY IS* all CP in the search results, even for mundane keywords like 'anime' and 'japanese'. I imagine it is full of either really stupid CP sharers or government honeypots, so consider yourself warned.
That said, I2P tends to be more finicky to access sites over. The default (but reconfigurable) route settings are basically the same as Tor (3 hop, no variation.) There is a recommendation to leave a torrent, any torrent, running which will cause the i2p router to keep data tunnels open and make it faster to resolve sites accessable over i2p. Assuming they can get the sort of auditing that the Tor project has, it does however seem like a technically superior alternative to Tor, given that it supports both stream and datagram packet types and can potentially be used to carry both major forms of internet packets without needing a TCP-based VPN to a remote site.
That said: Both need more implementations, more routers, and most of all: more technical scrutiny. The attack surfaces of software in general have become too large, and combined with packet analysis are going to require extremely motivated, creative, and/or detail oriented contributors to stay ahead of global surveillance, at home or conspired abroad.
That's actually a major problem, all data is transported via government visible networks.
How would I do it ? .. bingo
As a LEO I would try to get warrants for a full take loging of all entry guards/relays(unknowing facilitators) that were in between my request and the site and those that are under my jurisdiction. (now I know with which computers the tor-relay/entry guard communicates) I would obtain full take / warrants for those / and another round
now I can do traffic confirmation attacks, download the same data-size again and again and again, and perhaps uploading same data of specfic size again and again and again.
Due to the full takes I will be able to correlate what path my data took, over all three levels. There will be misses, as not all traffic will go through the U.S. & UK
but at a certain point in time there will be enough ip-data, where I can identify a location and a person.
And then I need to do parallel construction (infiltration) as I now know who the person is I can generate a personality profile and figure out the best way to come in contact with the operator.
It's a common fallacy to assume that you, on the side of Right and Truth, are clever and intelligent while The Other Guys (standing for all that is Wrong and False) are a bunch of bumbling idiots.
That's a really easy way to get surprised and metaphorically spanked, in any context.
Of COURSE the feds have been working on ways to de-anonymize Tor! What did you expect them to do? Go "Oh Golly-Gosh-Darn! A bunch of people have figured out a way to do things we don't like in a way that's difficult to track. I guess I'll simply sit around and eat donuts all day and wait for my dept. to get cut when it's noticed at the next budget hearing that my electronic surveillance dept. isn't actually surveilling anything!"
Just like people within Tor do work to plug de-anonymizing holes, people that would like to de-anonymize Tor do work to find the loopholes first. Shocker.
The truth that you nerds must accept is this: the Government has more money, more and better technology, more manpower (and of greater quality that you basement dwellers can even dream of) and practically limitless resources. You can't win against them. It's that simple. "Your rights online" do not exist. What exists is an ever shorter list of what you are allowed to do. Accept those limits and admit you have lost. The battle has been over since a long time and it has always been one-sided. Get over it.
Tor anonymous services sound quite similar to Freenet, but the latter is built for this from the bottom up rather than having it added on later. In Freenet, files are stored as encrypted blocks distributed across all freenet nodes, and files are retrieved by hashes. I don't think there's anything like gatekeeper nodes here - the only nodes that know that they host a given block is that node itself (and even it doesn't know what that block contains). Since blocks are stored redundantly, both storage and distribution is robust against the removal of nodes (or hostile nodes).
Freenet is a pretty neat idea. But the last time I tried it (many years ago now) the latency was as high as to make it pretty much unusable. I also didn't find anything worthwhile on it, since it doesn't act like an internet gateway like Tor does. But perhaps Tor can learn something from it?
The way I see it, the idea of TOR is excellent. But it is still too reliant on more or less central servers, namely exit nodes.
Instead of trying to fix the unfixable, go the only secure route: Make each user a potential exit node!
With one important feature: let the user also decide who they accept as users of their exit node!
As in: I whitelist my family and trusted friends based on my sole discretion and now they can use my connection as exit node. That I offer them this capability would somehow be communicated to their, as well as intermediate, clients directly.
So instead of Mom -> TORNODES -> TOREXITNODE -> Destination, it'd be like MOM -> BROTHER -> GOOD FRIEND -> ME -> Destination.
Now, this does likely not offer the same security as a world-wide massively used network. But then, it probably doesn't have to either for most people. Obfuscation may be enough for most, as opposed to rock-hard anonymity.
The same principle should also be applied to emails, btw.. Instead of central Remailers, use trusted other users as relay.
i'm not saying anyone with a CCNA can hack Tor
i'm saying that anything that exists that can be transmitted and decoded can also be accessed by a third party
if it exists, it's not "secure"
maybe my analogy is awkward, but it's valid and accurate
Thank you Dave Raggett
i said this in another comment:
i'm not saying anyone with a CCNA can hack Tor
i'm saying that anything that exists that can be transmitted and decoded can also be accessed by a third party
if it exists, it's not "secure"
maybe my analogy is awkward, but it's valid and accurate
what i'm really trying to say is, if you can access it, so can someone else
Thank you Dave Raggett
See http://en.wikipedia.org/wiki/Tor_(anonymity_network)#History
Keep telling yourself that
paid , bribed, threatened people for the info.
I think I have read before (and it would seem to make logical sense) that if the Feds run more than 50% of the Tor nodes, they can start to reliably trace traffic? If this is the case, I have no doubt that the US gov't has the computing power. The "drug war" is very well funded.
without specific knowledge, the FBI is very good at perseverance in investigation meaning they could identify the IP of every single bitcoin client and identify clustering by geography compared to all of the Tor exit nodes, for example. They are not particularly hi tech savvy but they are relentless in sorting through the minutiae.
Even they have to follow natural law, e.g., inefficiency in factoring large primes. The protectors of information have this natural advantage if we care to use it.
So, look at this through the eyes of the defender, in the context of breaches of other sites. Put aside ethics, right/wrong, law, etc.; what this comes down to is a security breach when viewed from the defender's perspective, right?
Okay, so when you look at past breaches, what do you find...breakdowns in basic security. Sony wasn't patching, Home Depot wasn't watching their security monitoring, etc. While many vendors and researchers are trying to come up with novel security products and solutions to solve exotic problems in unique ways, what's actually happening is entities aren't following Security 101.
There are signs that this has happened with Tor as well. Silk Road 2.0, for example, was registered using "Blake@Benthall.net," which is about as NON-anonymous as you can possibly get. It's not only giving up the name, it's the name as it's tied to a very specific "Blake Benthall," so that law enforcement wouldn't even have to set about figuring out which Blake Benthall it was. A quick warrant request, a fax to the hosting provider behind "Benthall.net," and the guy is toast. This is not very fucking good security, at a fundamental level. And even worse, it was what got Ulbricht, the original operator of Silk Road, caught.
The argument could be made that only some domains were hit because others were out of reach due to where they were hosted; I don't buy this. In the past, it's been possible to get significant disruption of even the most unreachable systems through a number of means. This is why the RBL "broke up" and went to ground; even being out of the reach of law enforcement didn't mean their IP space couldn't get blackholed by ICANN, for example, or domains ignored by upstream TLD resolvers in the DNS hierarchy. I do believe that this "out of reach" potential was why hundreds of domains were shut down, but only 17 people were arrested. But if there were a fundamental issue with TOR itself, I don't see why they couldn't (and wouldn't) take down all of the sites they would want to hit at one blow. But now three of the top six drug-sale sites are still up, including the one that was second-largest, Agora.
So this looks more to me like the variability of operational security among the operators of the different domains, and poor security by those that got hit.
For your security, this post has been encrypted with ROT-13, twice.
I'm surprised you got a -1 on that comment. It doesnt seem out of line to me.
"...the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service..."
I'm sure "she" is really the one launching an attack... Why assume he is a female? It makes more sense to assume he is a male, especially considering the proportion of men to women in the industry.
inefficiency in factoring large primes
Did you mean "inefficiency in factoring the product of two large primes"?
I'm sure "she" is really the one launching an attack... Why assume he is a female? It makes more sense to assume he is a male, especially considering the proportion of men to women in the industry.
Women are under-represented in computer science. By over-using the female gender when referring to people of an unknown gender or at least using it about half the time, we hope that girls will say "hey, I can do that too someday, if I study hard and go to college".
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
They have a traitor in their midst. An inside man. Humint. Been a while now too.
Why do women have to be "represented" equally? What's the benefit to anyone?
Diversity is a false ideology, and does not support "the best person for the job". Women are different emotionally, intellectually, and physically from men. If they don't want to enter STEM, then they don't want to. Who cares?
Let's not try to downplay mens' presence or importance in the industry.
Equality is the freedom to choose, not the equal representation of of certain minority segments..
Isn't this a great attack vector anyway? Impersonate the directory and show the clients only your nodes.
@guards: does the guard know, its the guard of a hidden service? Maybe someone used tor nodes in the hope to become guard of the services, maybe renewed the node-ids often and then uncloaked them?
If I may be so bold to paraphrase Bruce Schneier, nothing says "Investigate Me" like using TOR.
Tracy Johnson
Old fashioned text games hosted below:
http://empire.openmpe.com/
BT