Slashdot Mirror


Tor Project Mulls How Feds Took Down Hidden Websites

HughPickens.com writes: Jeremy Kirk writes at PC World that in the aftermath of U.S. and European law enforcement shutting down more than 400 websites (including Silk Road 2.0) which used technology that hides their true IP addresses, Tor users are asking: How did they locate the hidden services? "The first and most obvious explanation is that the operators of these hidden services failed to use adequate operational security," writes Andrew Lewman, the Tor project's executive director. For example, there are reports of one of the websites being infiltrated by undercover agents, and one affidavit states various operational security errors. Another explanation is exploitation of common web bugs like SQL injections or RFIs (remote file inclusions). Many of those websites were likely quickly-coded e-shops with a big attack surface. Exploitable bugs in web applications are a common problem, says Lewman, adding that there are also ways to link transactions and deanonymize Bitcoin clients even if they use Tor. "Maybe the seized hidden services were running Bitcoin clients themselves and were victims of similar attacks."

However the number of takedowns and the fact that Tor relays were seized could also mean that the Tor network was attacked to reveal the location of those hidden services. "Over the past few years, researchers have discovered various attacks on the Tor network. We've implemented some defenses against these attacks (PDF), but these defenses do not solve all known issues and there may even be attacks unknown to us." Another possible Tor attack vector could be the Guard Discovery attack. The guard node is the only node in the whole network that knows the actual IP address of the hidden service so if the attacker manages to compromise the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service. "We've been discussing various solutions to the guard discovery attack for the past many months but it's not an easy problem to fix properly. Help and feedback on the proposed designs is appreciated."

According to Lewman, the task of hiding the location of low-latency web services is a very hard problem and we still don't know how to do it correctly. It seems that there are various issues that none of the current anonymous publishing designs have really solved. "In a way, it's even surprising that hidden services have survived so far. The attention they have received is minimal compared to their social value and compared to the size and determination of their adversaries."
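The summary's "quickly-coded e-shop" point names SQL injection as a plausible way into a hidden service without touching Tor at all. As an added example (not from the PC World article or from the Tor project), the following Python snippet puts the defect beside its fix: a product search that splices the user's term into the SQL string, and the same query with a bound parameter. The in-memory SQLite table and its rows are constructed for the demonstration; the "hidden" row stands in for data the shop never meant to expose through its public search.

```python
import sqlite3

# Constructed catalogue for the demonstration.
SAMPLE_ROWS = [
    ("green tea", 4.5, 0),
    ("coffee beans", 9.0, 0),
    ("staff-only listing", 0.0, 1),  # hidden = 1: must never come back from a public search
]


def make_db():
    """Build an in-memory SQLite database holding the constructed catalogue."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL, hidden INTEGER)"
    )
    conn.executemany(
        "INSERT INTO products (name, price, hidden) VALUES (?, ?, ?)", SAMPLE_ROWS
    )
    conn.commit()
    return conn


def search_vulnerable(conn, term):
    """The quickly-coded pattern: the search term is pasted into the SQL text.

    Whatever the user types becomes part of the query structure, so a term that
    closes the quote and appends its own condition rewrites the WHERE clause.
    """
    sql = (
        "SELECT name FROM products WHERE hidden = 0 "
        "AND name LIKE '%" + term + "%' ORDER BY id"
    )
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, term):
    """Same query with a bound parameter: the term is data, never SQL structure."""
    sql = "SELECT name FROM products WHERE hidden = 0 AND name LIKE ? ORDER BY id"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


if __name__ == "__main__":
    conn = make_db()
    # Constructed input of the textbook shape: close the quote, add an always-true
    # condition, comment out the rest of the statement.
    probe = "x' OR 1=1 --"
    print("vulnerable:", search_vulnerable(conn, probe))  # every row, hidden one included
    print("safe:      ", search_safe(conn, probe))        # no product has that literal name
    print("safe, normal use:", search_safe(conn, "tea"))
```

Binding parameters covers values only; a table or column name taken from the request cannot be bound and has to be checked against an allowlist instead. The same allowlist idea is the fix for the RFI case the summary mentions: resolve a requested page name against a fixed set of known templates rather than passing a user-supplied path or URL to an include.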

17 of 135 comments

  1. DDOS + Poison Pill by Anonymous Coward · Score: 3, Interesting

    If you DDOS a site using TOR it'll saturate all possible exit nodes.
    Inevitably one of these exit nodes will be owned by the feds.

    1. Re:DDOS + Poison Pill by The MAZZTer · Score: 4, Informative

      As I understand it, Tor hidden services are not accessed via exit nodes. Exit nodes are not needed as the destination can speak Tor.

    2. Re:DDOS + Poison Pill by Z00L00K · Score: 2

      In which case it may mean that what happened is that the authorities did set up a Tor node, then tagged the packets and sniffed them on their way to the destination.

      Essentially - any system where the intruder has access to the majority of the network is vulnerable, no matter if the information is encrypted or not. The conclusion is that if you are going to run questionable stuff, then you need to put a server in a country where the legal system is corrupt and you pay them to look the other way. If your business gets big enough it won't help since then that country might be cut off from the net.

      --
      If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
  2. Tor seismic analysis? by mveloso · Score: 5, Interesting

    I wonder if they're doing their tracking by just sending traffic to the servers in question from multiple places and with control over a few exit nodes. They'd basically be sending seismic waves through Tor and timing the responses. After a while and with enough exit nodes you could start figuring out where the other nodes are. With enough traffic analysis from ISPs or whatever you could find out where the TOR nodes actually are. At that point it becomes easier to figure out physically where they are.

    This is theoretical, but it would be fun to try.

  3. Bitcoin hosting. by Rinikusu · Score: 2

    Seems like a lot of these .onion sites are hosted on hosting sites that accept bitcoin. Well, how many of those are around? Kinda easy to whittle down after you get that list.

    --
    If you were me, you'd be good lookin'. - six string samurai
    1. Re:Bitcoin hosting. by gweihir · Score: 3, Insightful

      Just my take. Also note that they carefully avoid saying that the 400 they took down are all criminal ones. I think they took down exactly one .onion hoster and that is it. In the typical dishonesty of law-enforcement these days, they are trying to make the threat seem as large as possible.

      --
      Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  4. Re:fenced swimming pool by Charliemopps · Score: 3, Insightful

    You have no idea how Tor works.
    Youtube is your friend.

    You'd need a hell of a lot more than the entry level cisco cert to figure out a way to break it.

     

  5. Statistical timed analysis by Okian Warrior · Score: 4, Interesting

    As I understand the Tor process, every time I fire up Tor it randomly chooses an exit node(*).

    Suppose I am running some exit nodes (as the NSA is suspected of doing). If I want to find the location of a hidden service I just fire up Tor and access an onion website with a specific tempo. If one of my exit nodes shows traffic with that tempo, then I know that's the exit node for this onion connection and I can trace the exit connection(**).

    If you access the site many times, eventually the statistical nature of the tempo (in your own exit node) will be apparent among the random noise of other traffic. If you do the process many times, eventually you'll find strong statistical evidence for the target IP address.

    How many Tor exit nodes does the FBI run? How much time can they put into discovering each site? Can tempo-based access be automated?

    See here for more info. From a paper published in 2011 comes the quote:

    In this thesis we tested three correlation algorithms. [...] We found that while the two previously-existing algorithms we tested both have problems that prevent them being used in certain cases, our algorithm works reliably on all types of data.

    This would be my guess.

    (*) For the onion protocol it's listed as a rendezvous point and there's some protocol negotiation, but it's essentially an exit node.

    (**) Actually it's even simpler. Tor reports the IP address of your exit node - just keep starting Tor until the exit node is a system you control.

    1. Re:Statistical timed analysis by AmiMoJo · Score: 2

      .onion sites don't use exit nodes, they connect directly to the Tor network.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  6. Re:It didn't even have to be technical by gizmo2199 · Score: 3, Insightful

    Except that Ulbricht actually did use an email or username that they traced back to him when he set up the onion server, and on top of that they caught him accessing the admin section of Silk Road when he got arrested in a library.

    It's a mix of hubris and carelessness that brings these people down. If he'd paid more attention to OpSec, he'd be a free man.

    --
    This Sig does not Exist.
  7. Come on over to I2P by Burz · Score: 3, Informative

    There are no privileged routers (or 'guard' nodes) on I2P, and from the perspective of "relays" I2P has many times the number Tor has.

    It's way better than Tor when you're looking mainly to communicate with other anon sites/users. Comes with bittorrent and an option for decentralized (serverless) securemail.

  8. Re:IPv6 as a help? by gweihir · Score: 2

    No. And if you do it wrong, it creates a problem, as IPv6 may leak hardware MAC addresses.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
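The MAC leak gweihir refers to is the EUI-64 interface identifier used by stateless address autoconfiguration (RFC 4291, RFC 4862): the lower 64 bits of the address are built from the interface's MAC, so every such address names a piece of hardware, wherever it appears. The Python below is an added self-check, not something from the thread or from the Tor project: it derives the address a given MAC would produce, and in the other direction tells you whether one of your own addresses is of that form. The sample MAC and the RFC 3849 documentation prefix are constructed values; the fixes are RFC 4941 privacy extensions or RFC 7217 stable opaque identifiers, which the operating system has to be configured to use.

```python
import ipaddress


def mac_to_eui64_address(prefix, mac):
    """Derive the SLAAC address a host with this MAC would take inside `prefix`.

    EUI-64 construction (RFC 4291): split the 48-bit MAC in two, insert ff:fe
    in the middle, and flip the universal/local bit (0x02 of the first octet).
    """
    net = ipaddress.IPv6Network(prefix)
    octets = bytes(int(part, 16) for part in mac.split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC such as 00:1a:2b:3c:4d:5e")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return str(ipaddress.IPv6Address(net.network_address.packed[:8] + iid))


def eui64_mac(addr):
    """Return the MAC embedded in an EUI-64 derived IPv6 address, or None.

    The ff:fe marker in the middle of the interface identifier is a heuristic:
    a randomly generated identifier (RFC 4941 privacy extensions, RFC 7217
    stable opaque identifiers) matches it only by chance, once in 65536.
    """
    ip = ipaddress.IPv6Address(addr)
    iid = ip.packed[8:]  # the interface identifier is the low 64 bits
    if iid[3:5] != b"\xff\xfe":
        return None
    octets = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:]  # undo the bit flip, drop ff:fe
    return ":".join(f"{b:02x}" for b in octets)


def leaking_addresses(addrs):
    """Reduce a list of addresses (e.g. pasted from `ip -6 addr`) to those embedding a MAC."""
    found = []
    for addr in addrs:
        mac = eui64_mac(addr)
        if mac is not None:
            found.append((addr, mac))
    return found


if __name__ == "__main__":
    # Constructed values: a sample MAC and a documentation prefix (RFC 3849).
    sample_mac = "00:1a:2b:3c:4d:5e"
    slaac = mac_to_eui64_address("2001:db8::/64", sample_mac)
    print(slaac, "->", eui64_mac(slaac))
    # Constructed privacy-extension style address: nothing to recover.
    print(eui64_mac("2001:db8::8c3e:1d4f:9a2b:7e11"))
    print(leaking_addresses(["fe80::1", slaac]))
```

Run `leaking_addresses` over the global addresses of a host you administer; an entry in the result means the interface is still using EUI-64 identifiers and its address can be matched to that hardware anywhere the address is logged.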
  9. Re:fenced swimming pool by gweihir · Score: 2

    That is utter BS. You should look up the "Dunning-Kruger Effect" sometime. You are on the left end of the curve.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  10. Total Traffic Transparency by burni2 · Score: 2

    That's actually a major problem, all data is transported via government visible networks.

    How would I do it?
    As a LEO I would try to get warrants for a full take logging of all entry guards/relays(unknowing facilitators) that were in between my request and the site and those that are under my jurisdiction. (now I know with which computers the tor-relay/entry guard communicates) I would obtain full take / warrants for those / and another round .. bingo

    now I can do traffic confirmation attacks, download the same data-size again and again and again, and perhaps uploading same data of specific size again and again and again.

    Due to the full takes I will be able to correlate what path my data took, over all three levels. There will be misses, as not all traffic will go through the U.S. & UK
    but at a certain point in time there will be enough ip-data, where I can identify a location and a person.

    And then I need to do parallel construction (infiltration) as I now know who the person is I can generate a personality profile and figure out the best way to come in contact with the operator.

    1. Re:Total Traffic Transparency by burni2 · Score: 2

      before somebody calls it: bullshit or so ..

      - look at the map where most tor relays/entry guards are situated

      - .. think about it that the network traffic consists basic traffic and a wandering component (it follows daylight) .. so I can steer when to do the correlation and
      when it's the best time to look for an anomaly.

  11. Re:Um, stupid dude, have a hint for you by gweihir · Score: 2

    Actually, newbie fail yourself. The complexity of analyzing software grows exponentially in size, and it is possible to add some rather large constants by obfuscation. The point where there are not enough competent people available that can do the analysis is entirely reachable in practice.

    What makes software OSS is that it is designed to be read, not that in some theoretical, irrelevant sense it can be read.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  12. In other news, the feds aren't morons by sirwired · Score: 4, Insightful

    It's a common fallacy to assume that you, on the side of Right and Truth, are clever and intelligent while The Other Guys (standing for all that is Wrong and False) are a bunch of bumbling idiots.

    That's a really easy way to get surprised and metaphorically spanked, in any context.

    Of COURSE the feds have been working on ways to de-anonymize Tor! What did you expect them to do? Go "Oh Golly-Gosh-Darn! A bunch of people have figured out a way to do things we don't like in a way that's difficult to track. I guess I'll simply sit around and eat donuts all day and wait for my dept. to get cut when it's noticed at the next budget hearing that my electronic surveillance dept. isn't actually surveilling anything!"

    Just like people within Tor do work to plug de-anonymizing holes, people that would like to de-anonymize Tor do work to find the loopholes first. Shocker.