Slashdot Mirror


Tor Eyes Crowdfunding Campaign To Upgrade Its Hidden Services

apexcp writes The web's biggest anonymity network is considering a crowdfunding campaign to overhaul its hidden services. From the article: "In the last 15 months, several of the biggest anonymous websites on the Tor network have been identified and seized by police. In most cases, no one is quite sure how it happened. The details of such a campaign have yet to be revealed. With enough funding, Tor could have developers focusing their work entirely on hidden services, a change in developer priorities that many Tor users have been hoping for in recent years."

106 comments

  1. Special Thanks by Anonymous Coward · · Score: 3, Funny

    To our contributors, even though we don't know who you are *wink wink*

  2. Nothing I'd like better... by DumbSwede · · Score: 4, Insightful

    ..than to have the FBI wondering why I'm contributing money to this cause. I applaud the goal, but I'll let someone more altruistic than me step up to bat.

    Save me the "When Good Men Do Nothing," I have family and other considerations outside Slashdot idealism.

    1. Re:Nothing I'd like better... by Anonymous Coward · · Score: 1

      As a Swede, presumably living in Sweden, why would you be afraid of the FBI? Is the FBI something people should be afraid of? And, is anonymity a crime all of a sudden?

    2. Re:Nothing I'd like better... by Anonymous Coward · · Score: 1

      "Is the FBI something people should be afraid of?"

      Yes.

      "And, is anonymity a crime all of a sudden?"

      Not all of a sudden.
      http://en.wikipedia.org/wiki/Boiling_frog#Cultural_usage

    3. Re:Nothing I'd like better... by Nutria · · Score: 1

      As a Swede, presumably living in Sweden

      There are 8 metric ass-loads of people of Swedish descent living in the US.

      --
      "I don't know, therefore Aliens" Wafflebox1
    4. Re:Nothing I'd like better... by Anonymous Coward · · Score: 1

      ..than to have the FBI wondering why I'm contributing money to this cause.

      Does it even matter anymore? They've already declared you to be an enemy and a terrorist in their eyes. Why else would they see you as guilty until proven innocent?

      Make no mistake, the police state is here. Sitting idly by and thinking it would blow over didn't work for the Germans, and it won't work here.

    5. Re:Nothing I'd like better... by Anonymous Coward · · Score: 0

      Did you forget what they* did to Assange in SWEDEN ?

      * U.S.G.

    6. Re:Nothing I'd like better... by Anonymous Coward · · Score: 0

      This nonsense again? If even a quarter of your conspiracy theories about his time in Sweden were true, he'd already be dead by "suicide" with a final confession that no one can seem to get a copy of the "definitely his handwriting" original that confesses to making up half the stuff on wikileaks.

    7. Re:Nothing I'd like better... by visionsofmcskill · · Score: 1

      I'm no braver than you, and will not get anywhere near this for the same reasons.

      But that is the actual point of "when good men do nothing"... it's when people WITH families and other considerations (something to lose) are NOT brave enough to act on what may very well be dangerous, it's when they don't act evil is allowed to thrive.

      What rational white person from the 50's in the Dixie south with a family and kids, a small business and the protection of the community would brave the wrath of their neighbors and the KKK to protect some relatively unknown (to them) and anonymous black people?

      As I said before, I'm no braver - and the point of that statement was to elucidate that sometimes horrible things thrive because "good men" like you and I have good reasons not to shed our cowardice.

      --
      --Idiots, Every single one of YOU, A flaming mass of conglomerated morons, hey wait a second, isnt that how RAID works?
    8. Re:Nothing I'd like better... by burni2 · · Score: 1

      I think you are on the best way to find out about the meaning of "freedom of choice" you exercised your right to "freedom of speech" because good men did many things.

      But the best solution if you have nothing to say.

      Just shut up and ignore it.

      But you would make the headlines:

      "Father of two daughters indicted for giving funding to U.S. government backed anti censor operation. - President Obama faces impeachment over funding of pro american value anti censor ship program."

      He was soo pro american and all over the bill of rights .. that he overlooked the 10th amendment .. "If you ever take these words serious you are a fool."

    9. Re:Nothing I'd like better... by Anonymous Coward · · Score: 0

      Save me the "When Good Men Do Nothing," I have family and other considerations outside Slashdot idealism.

      How about just simply paranoia? It's not illegal to donate to Tor, a project originally created by the US Navy, and is used for people in repressive countries to communicate freely. If the FBI can locate hidden services, so can Russia and China.

      So stop being paranoid. The FBI isn't going to go after every donor to a project like this.

    10. Re:Nothing I'd like better... by N1AK · · Score: 1

      Save me the "When Good Men Do Nothing," I have family and other considerations outside Slashdot idealism.

      It's a shame you don't see the irony in that statement. If anyone can afford to throw some money at Tor it is the people who don't do anything overly contentious, it's a shame that your cowardice is stopping you from doing relatively safe things now that could protect your freedoms later, at which point doing something about it would be far more dangerous.

    11. Re:Nothing I'd like better... by Anonymous Coward · · Score: 0

      They charged him for the rape he committed? Heaven forfend!!

    12. Re:Nothing I'd like better... by Anonymous Coward · · Score: 0

      Since you call him a coward where is your donation? Put up or shut up.

    13. Re:Nothing I'd like better... by DerekLyons · · Score: 1

      Save me the "When Good Men Do Nothing," I have family and other considerations outside Slashdot idealism.

      The problem isn't "When good men do nothing". It's your tinfoil chapeau and paranoia. If you seriously care about your family, seek professional help as soon as possible.

    14. Re:Nothing I'd like better... by Anonymous Coward · · Score: 0

      Metric? You non-US communist!

      What's that in good-old US imperial ass-loads?

    15. Re:Nothing I'd like better... by Anonymous Coward · · Score: 0

      So what? Did you really feel the need to expose your mediocrity? Who asked for your opinion? Just live your meaningless life and shut up.

    16. Re:Nothing I'd like better... by Anonymous Coward · · Score: 0

      They need to have a "safe" physical address for cash donations. Or a group of "safe" transmitters willing to accept cash and deliver it (or some % of it...).

      Hard currency acceptance is critical.

      It's not hard, at least from the US, to send packages quickly with unverified sender information.

    17. Re:Nothing I'd like better... by Anonymous Coward · · Score: 0

      8.8

    18. Re:Nothing I'd like better... by hodet · · Score: 1

      4.6 fucktonnes

    19. Re:Nothing I'd like better... by Anonymous Coward · · Score: 0

      I will not comment on Sweden but Australians ought to be concerned.
      After all the US did interfere in Australia's internal affairs during the events leading to the dismissal of a rightfully elected Prime Minister (Whitlam).
      I, for one, do not trust the gathering of any information about me, that would then be held and made available to any government with fascist or lunatic inclination, like for instance, a tea party one.

    20. Re:Nothing I'd like better... by Hognoxious · · Score: 1

      Being of Swedish descent doesn't automatically make you a Swede.

      --
      Confucius say, "Find worm in apple - bad. Find half a worm - worse."
    21. Re: Nothing I'd like better... by Anonymous Coward · · Score: 0

      And acting would have absolutely no other result than getting you and your family in the way of grievous harm and possibly death. There is, at this point in history and for all the foreseeable future, no way to undo what is done. Learn to adapt, there's nothing else you can ever do.

    22. Re: Nothing I'd like better... by Anonymous Coward · · Score: 0

      Better to live a meaningless life (meaningless to whom, to you Big Matrix V for Vendetta Hero?) than having your life destroyed. I know, you have no family, no friends, you give no value to the sweetness of everyday life and you can't know the thousands little joys that make living so good. You're waiting for your Big Moment, when everybody will look up at you and marvel at your heroic deeds. Guess what, that moment will never come. Get over yourself.

    23. Re:Nothing I'd like better... by AHuxley · · Score: 1

      Re "So stop being paranoid. The FBI isn't going to go after every donor to a project like this."
      Recall "The NSA Is Targeting Users of Privacy Services, Leaked Code Shows" (07.03.14)
      http://www.wired.com/2014/07/n...
      "The rules indicate that the NSA tracks any IP address that connects to the Tor web site or any IP address that contacts a server that is used for an anonymous email service..."
      "The NSA is also tracking anyone who visits the popular online Linux publication, ....., which the NSA refers to as an “extremist forum” in the source code."

      --
      Domestic spying is now "Benign Information Gathering"
    24. Re:Nothing I'd like better... by Anonymous Coward · · Score: 0

      They made another country didn't charge him the sex crime he might have committed.

    25. Re:Nothing I'd like better... by Anonymous Coward · · Score: 0

      Dude, I know I'm in late and posting as AC, but I think it is important to note that Tor has had a number of US government sponsors in its past including:

      US Department of State Bureau of Democracy, Human Rights, and Labor (2013-2015)
      National Science Foundation joint with Georgia Tech and Princeton University (2012-2016)
      Naval Research Laboratory (2006-2010)
      DARPA and ONR via Naval Research Laboratory (2001-2006)

      Tor accepts anonymous donations as well.

      Stop with the hyperbole. Stop using your family as a lame excuse. Donating to the Tor Project is not going to put you on a watch list. If you aren't interested that's fine, but stop spreading the BS.

      Make A Donation

    26. Re: Nothing I'd like better... by Anonymous Coward · · Score: 0

      Why did you suddenly stop using your nickname and switch to AC?
      Anyways, FYI I do have friends as everybody else and I was born in an upper-middle class family. That doesn't mean that I would feel satisfied being a coward like you.

    27. Re:Nothing I'd like better... by AmiMoJo · · Score: 1

      You should stand up to your oppressors and not let chilling effects stop you promoting and protecting freedom. If people give up due to chilling effects, let alone specific threats, we lose.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    28. Re:Nothing I'd like better... by TheCarp · · Score: 1

      It's easy to forget, especially when many of us talk so much about large policy issues, that the US government is NOT a single org but a very large umbrella collection of many interdependent orgs, each with their own agenda.

      Sometimes these agendas align, sometimes, they diverge and work at cross purposes.

      The NSA has no operational need for tor, they are likely 100% focused on breaking it. Likewise the DEA, and FBI similarly. However, you start getting to DARPA, and parts of the State Department, and a strong tor is actually an asset for some of them or the people they support.

      --
      "I opened my eyes, and everything went dark again"
    29. Re:Nothing I'd like better... by Anonymous Coward · · Score: 0

      It's because of crap like this that I regularly use TOR for my basic, mundane browsing activities. If anonymity is only sought by those with something to hide, then the very act of seeking to remain anonymous becomes suspicious. The attitude toward anonymity should not be about having something to hide, but rather a matter of "none of your damn business". The more anonymized traffic exists, the less suspicious anonymity becomes.

      If the NSA wants to consider every single anonymized connection suspicious, then we need to waste their time. Let them sort through logs of me anonymously browsing webcomics and funny cat pictures. Hell, maybe this weekend, I'll stop by the local senior center, install the TOR browser bundle, and set up a desktop shortcut using the IE icon. Let the NSA keep tabs on septuagenarians checking up with their grandkids' facebook posts.

  3. 3 hops? by mrspoonsi · · Score: 1

    If tor has 3 hops from source to hidden service, and perhaps there are 10,000 nodes, how hard is it for a government to have 25% of those nodes under its control? and if you own all the hops, you know where the hidden server is.

    1. Re:3 hops? by OverlordQ · · Score: 1

      DoS the hidden site, see where the traffic ends up. Rinse, repeat.

      --
      Your hair look like poop, Bob! - Wanker.
    2. Re:3 hops? by hairyfeet · · Score: 1

      If you use TOR or Freenet and have a family or are not a millionaire who can afford to throw away hundreds of thousands on lawyers you are a fool, simple as that. As my friend in the state crime lab pointed out the ways the laws are written when it comes to distribution and facilitation mean that anybody that runs an exit node or has a Freenet cache can be busted as a child pornographer and what do ya know, some countries are already doing just that.

      Thanks to the vague as fuck ways these laws are written it DOES NOT MATTER that you can't see the files you cache on Freenet, that you aren't scanning the TOR traffic coming through your exit node or that you don't even see so much as a single jpg, it doesn't even matter if your PC is obviously hijacked by somebody else because at the end of the day ALL that matters is that CP passed through your router. That is all the court cares about, the cops who get increased federal funding for more CP busts sure has no fucks to give and the prosecutor? look at the virus link, even when shown proof that when the unit is connected to the net it is instantly controlled by another party he comes up with a "I bet he did that on purpose to cover up his crimes!" BS excuse. Why? Because I have no doubt he'll be running for public office and CP busts sell to the soccer mom set.

      So you can believe it's a honeypot (which is what I believe, too many "advocates" banging the "TOR is for freedom and privacy!" drum are getting their checks from the likes of Radio Free Asia and other CIA fronts. I seriously doubt any less than 90% of the money going into TOR isn't coming from 3 letter agencies and fronts for the same like RFA) or a bastion of freedom, doesn't matter, all that matters is the current laws as written mean you can spend the rest of your life behind bars for using it. I don't know about anybody else but I have no desire to spend the rest of my life rotting in a cell, especially if it turns out to be a giant honeypot for alphabet agencies to run spook shit overseas while giving them plenty of targets to bust.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    3. Re:3 hops? by Ingenium13 · · Score: 1

      Hidden services actually use 7 hops. The hidden service picks several relays at random and makes them the "introduction points" and pushes this along with the hidden service descriptor. These introduction points are at the end of a normal Tor circuit (ie 3 hops). When a client wants to access the site, it connects to the introduction point also over a Tor circuit. The client and hidden service then randomly pick a relay as a rendezvous point, because you don't want the introduction points overloaded.

      At that point, both client and server connect to the rendezvous point over regular Tor circuits, for 7 total hops. All further communication is done over this 7 hop circuit.

  4. It's not a secret by Anonymous Coward · · Score: 2, Insightful

    The government connects to the kiddy porn site and downloads a 500mb video, they have PRISM tell them the computer that transferred 500mb of data to their computer, the computer that transferred 500mb of data to that computer, and so on. It's metadata all the way back to the actual hidden service where the 500mb file came from. As a bonus, they can have PRISM tell them everyone else that connected to a computer that connected to a computer that connected to a computer that connected to the kiddy porn site, too. Works for data of any size and type, not just kiddy porn, as long as the filesize is unique enough or you don't give a shit about false positives or perjury.

    Tor has to do something about the timing and metadata attacks if it is to remain relevant. The only issue is whether they can do something about it without making it even slower than it already is.

    1. Re:It's not a secret by Anonymous Coward · · Score: 0

      Whoa, it's not quite that simple, but there's likely more truth to your statement than there should be. Your call to arms regarding targeting timing and metadata (as well as frequency analysis) is definitely noteworthy.

      More to the point, all a site operator would have to do to hide this traffic would be to operate a Tor exit node, which would provide plenty of noise.

  5. A good idea by Kevin+Fishburne · · Score: 3, Insightful

    Finally the world has a way to give their respective government a mighty middle finger after all the bullshit that's been going on lately. I hope they get millions from every corner of Earth.

    --
    Buy your next Linux PC at eightvirtues.com
    1. Re:A good idea by Nutria · · Score: 1

      Bwahahahahahahahahahahahaha!

      The FBI, GCHQ, BND, etc are going to tear apart the finances of every person that donates to this project.

      --
      "I don't know, therefore Aliens" Wafflebox1
    2. Re:A good idea by Anonymous Coward · · Score: 0

      Easy solution: use bitcoins!

    3. Re:A good idea by Kevin+Fishburne · · Score: 1

      The FBI, GCHQ, BND, etc are going to tear apart the finances of every person that donates to this project.

      Under what pretense? Funding terrorism? Tor, Ter, not too much a stretch I guess. Seriously, they can't do a thing to stop Tor funding without resorting to breaking or seriously misapplying their own laws. I don't think they'll go that far.

      --
      Buy your next Linux PC at eightvirtues.com
    4. Re:A good idea by Anonymous Coward · · Score: 0

      He's saying the new developers that are hired will include plants from GCHQ, NSA, UAESS, etc.

    5. Re:A good idea by Anonymous Coward · · Score: 0

      The FBI, GCHQ, BND, etc are going to tear apart the finances of every person that donates to this project.

      Under what pretense? Funding terrorism? Tor, Ter, not too much a stretch I guess. Seriously, they can't do a thing to stop Tor funding without resorting to breaking or seriously misapplying their own laws. I don't think they'll go that far.

      Stranger things have happened so it would be incredibly naive to put it past them.

    6. Re:A good idea by Anonymous Coward · · Score: 0

      You do realize the US military already funds it, right?

    7. Re:A good idea by mars-nl · · Score: 1

      Not very long ago a website called Wikileaks had quite some trouble receiving funds because Paypal, Visa and Mastercard refused to cooperate.

    8. Re:A good idea by Nutria · · Score: 1

      Under what pretense?

      A high-enough percentage of Tor users are there for drugs and child porn that a clever FBI attorney could convince a friendly judge that donating to Tor is Probable Cause. GCHQ probably doesn't even need clever wordsmithing to investigate them.

      --
      "I don't know, therefore Aliens" Wafflebox1
    9. Re:A good idea by Anonymous Coward · · Score: 0

      too bad they didn't know about bitcoin!

    10. Re: A good idea by Anonymous Coward · · Score: 0

      Donate and the torrorists win.

      Think of the fucking children

    11. Re:A good idea by Anonymous Coward · · Score: 0
  6. Who is actually behind "TOR" ? by Anonymous Coward · · Score: 0

    ... In the last 15 months, several of the biggest anonymous websites on the Tor network have been identified and seized by police. In most cases, no one is quite sure how it happened ...

    No one is quite sure how it happened??

    Oh, c'mon, guys!

    Who is actually behind the "TOR" project?

    The Fed, specifically, the spooks !

    TOR is a tool created and funded by the spooks to trick you guys in believing that it is something that you guys can hide yourself under, that no one can find you, that your identity is totally hidden

    But it is not

    "TOR" is a honeypot, man, a very well executed honeypot!

    1. Re:Who is actually behind "TOR" ? by Anonymous Coward · · Score: 2, Interesting

      Tor is centered on one single tech: onion routing.
      They seem to refuse to consider adding or adopting other techs, like using chaff in the network and trivial delay/random queues to at least defeat some timing and observation attacks.
      It's like they're hooked and stuck on their unilateral approach.
      And when people bring up alternatives they point to anonbib and disclaim them.
      Well yeah, nothing's a total solution, but what some people voice is helpful.
      They're also way too quiet about their position whether personal or corporate or project about being for or against govt surveillance, the fact of where they get their funds, all these quiet LEA liaisons they must be interacting with.
      Come on guys, everyone has opinions, show some balls, vent a little.
      Anymore I'd bet I2P and some other networks are in a better position anonymous-service wise.

    2. Re:Who is actually behind "TOR" ? by Anonymous Coward · · Score: 0

      Anyone have any concrete evidence for it being a honeypot?

    3. Re:Who is actually behind "TOR" ? by Anonymous Coward · · Score: 0

      Care to share the systemic differences of I2P and TOR ?

    4. Re:Who is actually behind "TOR" ? by Anonymous Coward · · Score: 0

      Watch this: The Tor Network [30c3]

      They are not too quiet, you are not listening. Which brings to the bigger question: why on earth would someone miss the talks in c3???

    5. Re:Who is actually behind "TOR" ? by mars-nl · · Score: 1

      As I understand it Tor is between you and some other place on the public internet. I2P is not made to go out to the internet. It's more like Tor without exit and only hidden sites, like a secret internet on top of the public internet.

    6. Re:Who is actually behind "TOR" ? by Anonymous Coward · · Score: 0

      Alright, here's an opinion for you.

      TOR is backed by US government funding, it was originally created by the Navy (I believe) to obscure the original location of internet traffic coming from ships that were out at sea.

      Since then it's become a go-to tool for people who want to create anonymous services on the Internet... Up until now. All of a sudden hidden services are being shut down left and right, or busted for having nasty content (the latter I can't say I feel sorry for). Who are they being busted by? The US government. What a coincidence. I'm sure it's also a coincidence that the second download link for the browser bundle happens to be the Arabic version. As if the people plotting terrorist attacks would be stupid enough to use an American-backed piece of software to do it.

      My opinion? The real purpose of TOR is to try and _convince_ people that it's secure. All of a sudden you have a whole lot of questionable traffic travelling through a common "network" of sorts, and has been demonstrated by all of these busts and shutdowns, none of them are anonymous as they think.

      Anyone who wants real anonymity on the internet, drop TOR like the plague. It's just an intelligence gathering tool for the Americans and they already have enough of those.

    7. Re:Who is actually behind "TOR" ? by Anonymous Coward · · Score: 0

      I think rather than look for evidence of a honeypot, pick a current stable version, and audit it, top to bottom. See what it's capable of doing/leaking. If the code is good, the code is good, regardless of who sponsors it. I'd rather trust a thorough audit than speculation.

      If the code is indeed solid, it may then be time to fork it. Else, it might be time to write something new.

    8. Re:Who is actually behind "TOR" ? by JakeBurn · · Score: 1

      Why are people overlooking the money? I thought silk road went down because Roberts wasn't careful where his money went.

  7. confusion about what TOR is for by Anonymous Coward · · Score: 2, Informative

    Traffic analysis and other techniques make you trivially de-anonymized by the NSA.

    TOR is NOT anonymous, and anyone who thinks it is deserves what they get. But what it IS good for is hiding from non-5-eyes countries. Say you are in the middle east and your third world government doesn't like you reading pr0n. No problem, the NSA isn't gonna hang your ass out to dry for that, and they certainly won't compromise their capabilities for stupid political shit. So TOR away all you want, to keep yourself safe from your local tinpot dictator.

    That's what TOR is for. It's NOT for somehow magically keeping your identity secret from the people who invented it and own much of the network.

    1. Re:confusion about what TOR is for by Anonymous Coward · · Score: 0

      It's TOR as in T.O.R. as in The Onion Router.
      But they keep trying to call it Tor as if it is some cutesy j-pop thing.
      And they love to threaten anyone who uses the three letter combination tor on their website or in their project.
      It's stupid pompous arrogant marketroid behaviour and no one cares, yet they still do it.
      That triggers dislike, distaste and distrust.

      Also, for location anonymous services, I2P is where it's at. Not to mention all the free anonymous torrents they have.

  8. Its a good thing they are lawyers by Bob_Who · · Score: 1

    ...Because now they'll need a few good tax attorneys.

  9. I need Bennet Haselton to analyze this by Anonymous Coward · · Score: 0

    I have become addicted to Bennet Haselton's reasoned argument and mastery of science, business, algorithms and statistics. I find that without him, I no longer have the ability to form thoughts on any subject.

    I was going to email Bennet to ask him to weigh in on this, but then I realized why he never comments. He is the Chuck Norris of armchair science. Once he comments, he will say everything there is to be said, ever. The website we all love will die because there will be no more discussion, just a final singularity-inducing comment from frequent Slashdot contributor Bennet Haselton.

    1. Re: I need Bennet Haselton to analyze this by Anonymous Coward · · Score: 1

      Bennett Hasselton was once bitten by a snake. After 3 hours of excruciating pain, the snake died.

    2. Re: I need Bennet Haselton to analyze this by Anonymous Coward · · Score: 0

      Love it how you obsess over this no-name guy so much that you can't help but post about him in every, single fucking thread.

      Grow a pair you fucking faggot. Either that or take your fucking meds because you've obviously got a serious problem between the earholes. Empty air would be my guess.

    3. Re: I need Bennet Haselton to analyze this by KJSwartz · · Score: 1

      I'm sure we all are thinking the exact same thing at this moment.

      Spare a second and join us.

  10. One has to wonder by Opportunist · · Score: 1

    The feds had no problem ferreting out the Silk Road operators, but it seems they're completely unable to do anything against the cryptolocker extortionists. Despite the damage being by some margin bigger.

    One really has to wonder where the priorities are...

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:One has to wonder by Anonymous Coward · · Score: 1

      Feds protect the NY criminals. The cryptolocker guys know which kind of thing goes unpunished, very much like the NY banksters know. You can massively mess with people's lives by means of finance fraud, but PLEASE don't use drugs for that end.

      We know that drugs do nasty things while the NY banksters only made folks like Hitler and Mussolini happen. See the rationality ?

    2. Re:One has to wonder by Anonymous Coward · · Score: 0

      The CIA makes billions every year in the illegal drug trade. That is, they are involved in the buying and selling of it, not in the stopping of it.

      Can't have someone else taking up their market share.

    3. Re:One has to wonder by Dutch+Gun · · Score: 1

      The Cryptolocker guys, unfortunately, did a near perfect job implementing their ransom-ware and command/control net. Both the US Justice Dept and Interpol did go after them, and ultimately took down the Zeus botnet controlling the malware, even getting back all the keys for the encrypted files. Don't think for a second that the Justice Dept wouldn't have loved to catch those guys and splash it all over the front page if they could have, though.

      I don't buy the conspiracy theories. You can bet the feds are still trying to track Cryptolocker guys with considerable zeal, given how much damage that software caused. I think they just hid their tracks better than the Silk Road operators.

      --
      Irony: Agile development has too much intertia to be abandoned now.
    4. Re:One has to wonder by Anonymous Coward · · Score: 0

      Maybe the TLAs are using Cryptolocker revenue to fund black projects.

    5. Re:One has to wonder by Anonymous Coward · · Score: 0

      The CIA makes billions every year in the illegal drug trade. That is, they are involved in the buying and selling of it, not in the stopping of it.

      Can't have someone else taking up their market share.

      That's why the 'war on drugs' will never end, it allows the military/industrial complex to provide weapons to local police (usually via DHS 'donations' of equipment) to profit off the raiding of low-level civilians with drugs, while the higher-ups and their controllers in the Cocaine Importation Agency (CIA) walk away with all the real money.

  11. People have short memory by Trachman · · Score: 1

    These were US agencies that have funded creation of TOR; CIA and NSA, you name it.

    Obviously, the decision has been made that if encryption and anonymity cannot be controlled, then it needs to be led, and there are many ways to stay on top:
    a) controlled nodes b) code flaws

    1. Re:People have short memory by Anonymous Coward · · Score: 0

      Citation required.

    2. Re:People have short memory by Anonymous Coward · · Score: 0

      A good start would be to look at their sponsors page, then see if you can determine how many of their sponsors run .gov or .mil domains or are government contractors or are corporate entities which tend to be in cahoots with said government:
      https://www.torproject.org/abo...

      Or, if you want more specifics, their financial statements, to see how much the major donors have given:
      https://www.torproject.org/abo...

      Of course, were I to be put on a jury, I'd be quite convinceable that any defendant running tor is at least guilty of aiding criminals by forwarding and anonymizing their traffic (in the same sense that the driver of a get-away van would be, were he to be caught serving bank robbers). Not that I'd expect to see such a charge, given who the sponsors are...

    3. Re:People have short memory by AHuxley · · Score: 1
      --
      Domestic spying is now "Benign Information Gathering"
    4. Re:People have short memory by Anonymous Coward · · Score: 0

      You called it "CIA". Again, Citation please.

    5. Re:People have short memory by Anonymous Coward · · Score: 0

      http://pando.com/2014/07/16/to... (JULY 16, 2014)

      Pretty sad how they reacted to this article also.

  12. Separate the hidden service from the tor daemon by KiloByte · · Score: 1

    Rule #1 that should be enforced: contrary to all popular docs, the hidden service should never, ever, be on the same logical machine as the tor daemon. The latter needs connectivity to arbitrary IPs, which means as soon as any part of the service is pwned -- or just sports a data leak -- the bad guys can learn who you are. If the hidden service machine doesn't know its IP nor other kinds of data that can be used to identify it, it can't leak that.

    This won't avoid traffic analysis, but (most likely) the majority of hidden service breaches so far has been done by exploiting some bug in an http daemon and making it query http://home.spooks.gov/ outside tor.

    --
    The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
    1. Re:Separate the hidden service from the tor daemon by mSparks43 · · Score: 1

      agree with that.

      hidden service operators should be running a separate "last mile" service.

      Something like sticking it on an I2P network with no internet access and routing out through tor on another section of the network.

  13. To be revealed... by Anonymous Coward · · Score: 1

    > In most cases, no one is quite sure how it happened. The details of such a campaign have yet to be revealed.

    Could it have been the Fed's control of the whole network? Or perhaps it was an analysis of router traffic flow records, which supposedly reveals 81% of tor users, according to researchers...

    1. Re:To be revealed... by mSparks43 · · Score: 1

      More likely they were all running on webservers with standard internet access.

      Pretty straightforward to get a webserver or other service to identify itself if the machine it is on can resolve a standard url.

      plain jane simple post shellshock bug.

  14. Re:tor = honeypot by Anonymous Coward · · Score: 0

    I thought it was well known by now. Tor is a honeypot. The exit nodes are more than half owned by the FBI and cooperating agencies around the world, and they're very good at de-anonymizing people on there. They won't bother for petty stuff, though.

    That, and using it gets you flagged for "special attention".

    Most of it is funded by the government also. People who are complaining about the government that work on this project, are getting paid by the government. Well, that's what I heard anyways.
    http://pando.com/2014/11/14/tor-smear/

  15. Secure by darkain · · Score: 3, Interesting

    No matter how much effort goes into securing the transport layer, it means absolutely nothing if the end nodes themselves are insecure. Something as simple as a SQL injection or remote code execution could easily deanonymize an end node. With how quickly many of those sites sprung up, one of the current theories is lack of security on the end-points themselves is what was attacked, not the Tor network itself.

    1. Re:Secure by Anonymous Coward · · Score: 0

      Yes. The odds that it was a poorly secured website is much higher than someone having broken Tor. The only semi-secure way to run a hidden service is to wrap it in a VM which is only allowed out to the internet via Tor, so you can't leak the IP address directly even if it's pwned unless your attacker has a VM-escaping exploit.

      Which, well, if they're the NSA, they probably do have...

    2. Re:Secure by slashmydots · · Score: 1

      I was thinking the same thing but in addition, how are you supposed to give money to common hidden services? They're hidden. What are they going to do, ask nicely for them to give a PayPal e-mail address? I don't think so. They could go the bitcoin route but seriously, throwing money at better servers doesn't mean there's a smarter person running it. You "zoom out" to just research and development on better Tor protocols and it still leaves it wide open to stupid people. You can't just throw money at stupid people running hidden services so oh well.

      There are three options. First, run a hand-written HTML non-interactive page. Nobody is likely to hack that.

      Two, run a canned PHP solution like phpBB and get hacked.

      Three, write a flawless interactive, database-driven site all yourself from scratch and then never use that code at any job or on any resume or any semblance of the same thing on the open web which is a giant waste.

    3. Re:Secure by Anonymous Coward · · Score: 0

      Crappy corps like that HBGary one had a VMWare exploit plus an OS exploit for sale. NSA apparently was not too much interested - because they already had plenty of those (my reasoning).

      See the hacked emails.

    4. Re:Secure by Anonymous Coward · · Score: 1

      You can almost guarantee the safety of your protocol, but you'll never guarantee the safety of someone's personal PC. Almost all attacks on Tor users that we know about have been through shit like malware and 'unsecure' things being on Tor that are easy to track.

      You can make a car that's immune to mechanical failure, but you'll never be able to guarantee the driver isn't dumb and that other people aren't looking to run into them for insurance scams or that other people's cars won't have mechanical failures.

    5. Re:Secure by Anonymous Coward · · Score: 1

      Yet nobody seems to be considering the possibility that TOR simply isn't providing the anonymity that it claims, or that, being a US-government funded project, it isn't just a means of tempting people into using it for their "secure" *nudge nudge wink wink* communications. There was an article on Slashdot or Arstechnica, I'm almost positive, where some researchers demonstrated that by using Cisco's "Netflow" package they were able to successfully identify about 81% of the TOR users at the other end...100% in a closed, "laboratory" setting.

      Oh, I'm sure that a number of them really did get caught by having bad site security, that's practically a given. Most people who truly want to remain anonymous aren't using TOR any longer though, they're using Freenet, I2P, disparate other packages... In the meantime all sorts of TOR hidden services are disappearing, not just the nasty ones, because 1) better safe than sorry and 2) there have been so many recent stories about TOR hidden services being busted that anyone who wants to truly remain anonymous on the Internet no longer takes the TOR project seriously.

    6. Re:Secure by Anonymous Coward · · Score: 0

      > Something as simple as a SQL injection or remote code execution could easily deanonymize an end node.

      Virtual machine says what?

    7. Re:Secure by mSparks43 · · Score: 1

      > Yet nobody seems to be considering the possibility that TOR simply isn't providing the anonymity that it claims

      Well, yeah, because:
      http://www.dailydot.com/politi...

      However, upon further examination, no one could quite figure out where all supposedly seized hidden services were. After all, the biggest Dark Net markets are still in operation. The biggest child pornography sites are still running. In fact, the seized websites represent less than a third of Dark Net commerce.

      Update Nov. 8, 8:31am: Far from the original number of 414 seized hidden services and lower even than the number 50 provided to the New York Times, the FBI told Forbes that it had seized 27 actual sites but 414 .onion addresses that all go to the same sites.

      ___
      Seems pretty obvious that it was 27 websites all hit by the shellshock bug to give up their real IP.

    8. Re:Secure by mSparks43 · · Score: 1

      If it has access to the wider internet other than through tor, the IP address of the host network.

      A lot of those taken down seem to be on VPS hosts, which provide virtually zero opsec for the actual server being identified. Since you don't need to get the IP address of the server, just the name of the VPS service provider (e.g. from a 404 page)

    9. Re:Secure by Anonymous Coward · · Score: 0

      ... end nodes are not anonymized. Of course their IP is available to the 'clear net'

      The one "method" they were referring to is de-anonymizing people by owning the first node you attach and the exit node. Slapping a "known tag" on before it entered the network and looking for it on the exit node they also controlled (or could see the network traffic). This would verify you were the same person. They are still unclear on how they were able to de-anonymize the "hidden service", though current speculation is bad opsec.

      Of course, they could have gotten lucky. Tracing generic TOR traffic to an ISP, slapping it with a general/generic search, cloning all the servers showing Tor traffic, and luckily getting several DMs who all were at the same ISP.

  16. BINGO by Anonymous Coward · · Score: 0

    They don't need to use TOR weaknesses, when the web browser and the web servers are chock-full of exploitable bugs.

    Having said that, if they really, really* want to get you, NSA will throttle traffic in order to imprint a meta-signal** onto the packet flow so that they can correlate that signal with all end-user traffic flows.

    *imagine publishing military secrets

    ** a side channel using either packet size modulation or packet flow rate modulation as the "signal". Mixnets CAN combat this, it is just that TOR is rather simplistic in this aspect.

    1. Re:BINGO by Anonymous Coward · · Score: 0

      You need a web server bug as well as an exploit that can escape whatever container you've put the webserver in. That container doesn't know its own IP address, and malicious code can only phone home via Tor so that doesn't help. The baddies need to escape the container, which is going to be a lot harder than breaking into a crappy PHP website. Doable if you really, really want to, but a lot harder.
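The isolation described in this comment and in the earlier "Separate the hidden service from the tor daemon" thread (the service host can reach only the Tor gateway and holds no address outside that link) can be checked from the host's routing table. This is an added example, not part of the thread; the subnet, addresses, function names and sample `ip route show` output are constructed, and it inspects IPv4 routes only, not firewall rules.

```python
import ipaddress

# Constructed `ip route show` output for two hypothetical service hosts.
ISOLATED = (
    "10.152.0.0/24 dev eth0 proto kernel scope link src 10.152.0.20\n"
)
LEAKY = (
    "default via 192.0.2.1 dev eth1\n"
    "10.152.0.0/24 dev eth0 proto kernel scope link src 10.152.0.20\n"
    "192.0.2.0/24 dev eth1 proto kernel scope link src 192.0.2.57\n"
)

# Route types that drop traffic instead of forwarding it.
DROP_TYPES = {"unreachable", "blackhole", "prohibit", "throw"}


def _opt(tokens, key):
    """Return the value following `key` in a route line, or None."""
    if key in tokens[:-1]:
        return tokens[tokens.index(key) + 1]
    return None


def parse_routes(text):
    """Yield (network, device, source_address) for each forwarding route."""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in DROP_TYPES:
            continue
        dest = "0.0.0.0/0" if tokens[0] == "default" else tokens[0]
        yield (ipaddress.ip_network(dest, strict=False),
               _opt(tokens, "dev"), _opt(tokens, "src"))


def audit_egress(route_text, tor_link):
    """List routes and local addresses that fall outside the link to the
    Tor gateway. An empty list means the routing table offers no other
    path out and exposes no other address of the host."""
    allowed = ipaddress.ip_network(tor_link)
    findings = []
    for net, dev, src in parse_routes(route_text):
        if net.version != allowed.version or not net.subnet_of(allowed):
            findings.append(f"route {net} dev {dev} reaches beyond {allowed}")
        if src and ipaddress.ip_address(src) not in allowed:
            findings.append(f"host holds address {src} outside {allowed}")
    return findings


if __name__ == "__main__":
    for name, table in (("isolated", ISOLATED), ("leaky", LEAKY)):
        print(name, audit_egress(table, "10.152.0.0/24") or "no findings")
```
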

    2. Re:BINGO by Anonymous Coward · · Score: 0

      Crappy corps like that HBGary one had a VMWare exploit plus an OS exploit for sale. NSA apparently was not too much interested - because they already had plenty of those (my reasoning).

      See the hacked emails.

      You better lock your Covert Server behind a chain of Libre firewalls and don't forget Daily Praying.

  17. TOR Alternatives by Anonymous Coward · · Score: 0

    http://www.idigitaltimes.com/best-alternatives-tor-12-programs-use-nsa-hackers-compromised-tor-project-376976

  18. I See by Anonymous Coward · · Score: 0

    ...you consume too much craptastic Hollywood stuff. Let me say this as a practitioner: They make your life miserable but they don't easily knock over people. For some reason, police would rip a second opening into them*, if they did.

    Their tactic is to let you hurt yourself in one of 275 ways. That usually works, as we have seen with Assange. It did certainly work with myself, but you know what? You only learn from real combat.

    *including the top guy who ordered it.

  19. MIXNET Imperatives by Anonymous Coward · · Score: 0

    1.) Stay under the surface. If they cannot get hold of you, they cannot force you to insert shite, consciously or through stress. Do NOT be a publicity whore - or leave it to more disciplined fighters. Sign your stuff using GPG on a DISCONNECTED machine.

    2.) TOR is of course simpletonistic. We need something much better.

    3.) Having a single "onion route" is easy to attack with things like bandwidth modulation.

    4.) Build dozens of routes instead of one.

    5.) Have a Constant Flow rate through all routes; send chaff if your node has nothing useful to transmit. This defeats Bandwidth Modulation.

    6.) Chop payload packages in lots of small crypto-packages, similar to the I2P Garlic Routing concept

    7.) Make the number of hops user-configurable. TOR is setting it on a fixed number of just THREE. Nicht gut.

    8.) Don't use C. This language has specifically been invented* in order to make those computers-cum-cipher-machines easier to subvert. There are much more robust languages like Ada, Pascal and the like out there. You might also use C++ with full bounds checking, smart pointers and so on. Do NOT use C patterns.

    * by a branch of U.S.G. with very close finance and technology ties to NSA - AT&T Bell Laboratories.

    1. Re:MIXNET Imperatives by Anonymous Coward · · Score: 0

      > C. This language has specifically been invented* in order to make those computers-cum-cipher-machines easier to subvert.

      Dude, lay off the crack. And loosen your tinfoil hat a bit.

      C itself is a good language. It's simple and small. The problems with it are known. Follow the CERT standards, as much of a pain-in-the-ass as they are. Don't get lazy. Check all errors. Keep the code small and test all the paths. Run Valgrind religiously.

      People write bad C code because they don't know better or get lazy. Well-written C code does exactly what it says, with no mysteries. Trying to get fancy or skimping anywhere is an invitation to shoot yourself in the foot. KISS.

      Don't blame the tool, blame the incompetent idiot who's using it. An incompetent programmer writing in any language, C or otherwise, shouldn't be writing crypto code in the first place. Another language won't save you from your own incompetent ass. Some code can be written to not care, because the consequences are low. Here, the consequences may be life or death, literally. There's no room for people who aren't competent enough to play the game at that level.

    2. Re:MIXNET Imperatives by Anonymous Coward · · Score: 0

      Given that not even operating system developers "get it right", your claim "People write bad C code because they don't know better or get lazy." is moot.

      If not even THE BEST developers (and that is what operating system developers usually are) can avoid these stupid buffer overruns, freed pointers and so on, WHO CAN?

      C is badly lacking an "additional safety net", which could easily eliminate about 50% of exploits.

      Face it folks, we have been "conceptually pwned" by the Powers That Be. JCS, NSC, NSA - you name it. Computer people are NOT as smart as they think they are. The really smart and nasty guys wear uniforms and very short, very ugly haircuts. They want to CONTROL us and therefore they need to look onto our harddrives.

      Even a C64 could be employed as a kind of Soft-SIGABA and said short-haircut folks would be massively pissed that they cannot read the plebeians' communications. So they Made Sure all of the stuff can be reliably pwned. At least if you "use it as designed".

  20. Papers by Anonymous Coward · · Score: 0

    The first step of mastering something is to go to the library. Here is a starting point:

    http://www.ee.washington.edu/research/nsl/papers/proceedings-06.pdf

  21. Same as Truecrypt by Anonymous Coward · · Score: 0

    I always wanted to donate to Truecrypt project, but knew that if I did, I'd be put on one of those US lists.

  22. Payment Options by Anonymous Coward · · Score: 1

    Will they accept Flooz?

  23. NOT just about the code by Anonymous Coward · · Score: 0

    It isn't only about the code. The code can be 100% perfect, but if 90% of the exit nodes (or internal nodes) are run by your nemesis, TOR is vulnerable. It is a multi-part security issue here.