Slashdot Mirror


Popular Dark Web Hosting Provider Got Hacked, 6,500 Sites Down (zdnet.com)

Daniel's Hosting, one of the largest providers of Dark Web hosting services, was hacked this week and taken offline, ZDNet reports. From a report: The hack took place on Thursday, November 15, according to Daniel Winzen, the software developer behind the hosting service. "As per my analysis it seems someone got access to the database and deleted all accounts," he said in a message posted on the DH portal today. Winzen said the server's root account was also deleted, and that all 6,500+ Dark Web services hosted on the platform are now gone. "Unfortunately, all data is lost and per design, there are no backups," Winzen told ZDNet in an email today. "I will bring my hosting back up once the vulnerability has been identified and fixed."


  1. No backups?! by fbobraga · · Score: 4, Informative

    all data is lost and per design, there are no backups Wow

    1. Re:No backups?! by Tuidjy · · Score: 4, Insightful

      By design.

      I find it quite surprising, as well. It's easier to secure backups than it is to secure an Internet facing server... as the host learned, incidentally.

      If I can't trust someone to make backups and store them safely, I probably would not trust him to host my server.

      --
      No good deed goes unpunished...
    2. Re:No backups?! by Anonymous Coward · · Score: 3, Insightful

      Pretty sure that they are trying to prevent a government from getting a court order to access their backup tapes, which would allow them access to all historical communications, etc... Much more information than they would keep on a running server.

      That said, they should plan on running the old hardware through a chipper-shredder and re-building on a completely different hardware and OS than they were running on before.

    3. Re:No backups?! by Anonymous Coward · · Score: 1, Insightful

      It's dark web you nutsack, they deliberately do not make backups.
      "Wow"

    4. Re:No backups?! by ShanghaiBill · · Score: 4, Insightful

      I find it quite surprising, as well

      You should not be surprised. This is the dark web. If backups are made, they can be subpoenaed.

      If I can't trust someone to make backups and store them safely, I probably would not trust him to host my server.

      You are missing the point. His customers are looking for someone they can trust to NOT make backups.

      Anyway, good luck to Daniel and his customers. As long as we have overreaching governments grasping for power, we need the anonymity and secrecy of the dark web. Hopefully someday their activities can be done openly.

    5. Re:No backups?! by bob4u2c · · Score: 5, Funny

      Just contact the CIA, I'm sure they have a few backups.

    6. Re:No backups?! by ctilsie242 · · Score: 1

      One of the selling points is that he did not take backups, so the data never left the root account.

      However, what he should have done, assuming he was using AWS, was at least pop snapshots on a daily/weekly/monthly level, with a guarantee that they would be deleted, perhaps with code that deletes the snapshot of a client VM when the client deletes the snapshot, using crypto keys to ensure the data is not readable.

    7. Re:No backups?! by Anonymous Coward · · Score: 1

      It's a dark net hosting site, the policy makes perfect sense.

    8. Re:No backups?! by Anonymous Coward · · Score: 2

      Who would be dumb enough to back up the content of thousands of kiddy porn sites?

    9. Re:No backups?! by Anonymous Coward · · Score: 1

      This is to prevent a government or criminal agency requesting the backup password from Mr. Daniel with his body strapped to a restraining table in a nondescript basement.

    10. Re:No backups?! by Anonymous Coward · · Score: 2, Insightful

      Or being gay. Or as a woman being in public without a hijab. Or smoking pot. Or all the illegal activities by all sorts of governments, sanctioned or not, in other countries that they don't want others to know about. Perhaps if the governments weren't going around doing horrible things to people your argument would hold up. As it stands, there has to be some force to try to counterbalance the excesses and abuses of government.

    11. Re:No backups?! by Anonymous Coward · · Score: 2, Insightful

      Because the government has no business knowing if children are being sold for child porn, or women (mainly women) are being sold into forced prostitution, or if murders are being set up.

      Considering governments are guilty of doing all of those things and more, I don't see the point of them knowing. They won't stop themselves or others from doing those things, which is about the only business one would expect the government to perform, so what difference does it make?

      If the government that has been caught with indisputable evidence of selling people into slavery, murder, breaking the very laws they set for themselves, and peddling in and production of child porn - what do you honestly expect them to do about other people doing those things?
      If they won't stop it, exactly what is the point?

      But now that your strawman has been taken down, what about all the other non-crimes that governments kidnap, rape, torture, and murder innocent people over?

      What about *rescuing* victims of slavery, forced prostitution, and the children being exploited that if done in the open invites a death sentence?

      I'm sure people would love to see children or women being raped in the open.

      As my last statement shows, you clearly are against saving people from kidnap, rape, slavery, and murder. Why do you want those people to endure such awfulness? Why don't you want to help them, and condemn their rescuers to death?

    12. Re:No backups?! by ShanghaiBill · · Score: 4, Interesting

      Because the government has no business knowing if children are being sold for child porn

      Pedophilia is a medical condition as well as a crime. By over-criminalizing it, we push it into the shadows, make it harder to treat and increase the number of victims. In Japan, pedophiles can buy childlike sex dolls. There is strong evidence that these dolls provide a satisfactory outlet for many pedophiles, and reduces their desire to prey on real children. These dolls are illegal in America, and can only be ordered on the dark web. Do you think that makes sense?

      ... or if murders are being set up.

      Most of the murders arranged on the dark web are between drug gangs. This is a direct result of their activities being illegal, and thus very profitable but with no access to legal processes of dispute resolution.

      Alcohol prohibition in the 1920s also led to plenty of murders. The solution was fewer restrictions on what citizens could do, not more.

      I'm sure people would love to see children or women being raped in the open.

      Because that is what always happens when governments reduce censorship?

      Reductio ad absurdum

    13. Re:No backups?! by Luckyo · · Score: 2

      Dark Web hosting is by definition of the kind you don't want any backups of. This is about securing backups against a government entity with court backup. Not against "random hackers".

      And it's much harder to secure backups against such entity, requiring a completely different approach. You're thinking securing against hackers. That's a completely different game compared to one they're playing.

    14. Re:No backups?! by grep+-v+'.*'+* · · Score: 1

      no backups Wow

      Just one phrase: Bookie Flash Paper.

      "The days of guys writing bets on flash paper so they could burn everything when the cops busted in are long gone," But I guess that was before most of y'alls time.

      Believe it or not, there are times where you WANT to lose your data.

      Oh, and speaking of old phrases, does anyone remember: "If anyone says they're from the government and here to help you, run"? Nowadays it seems more like a demand rather than a joke.

      --
      If the universe is someone's simulation -- does that mean the stars are just stuck pixels?
    15. Re:No backups?! by _merlin · · Score: 1

      I can't comment on child porn or organised hits, but I actually do know something about the sex industry in Australia in particular, which should be relevant given you're a wombat. Ironically, the sex slavery for the most parts is happening in licensed brothels. The unlicensed brothels or "massage parlours" are mostly students trying to save some money in the face of the ludicrous cost of living, or women funding an extended holiday. They don't want to attract any unnecessary attention. However there are plenty of cases of licensed brothels keeping women locked up, forcing them to work over sixteen hours at a time, bringing them in under false pretenses and then telling them they have to pay off a debt, etc. And the dark web? It's less than a rounding error. If you want to actually improve conditions for sex workers, get something done about the licensed brothels. But it's probably tied up with corruption in the ranks of the people responsible for enforcement, so good luck.

    16. Re:No backups?! by ShanghaiBill · · Score: 1

      Licensed brothels in Europe and Latin America require ID cards, have regular health inspections, and the working women are interviewed periodically by both health professionals and law enforcement without a manager present. I have a hard time seeing how the abuses you describe could happen there. Why is Australia's system so dysfunctional?

    17. Re:No backups?! by _merlin · · Score: 2

      Same's true in Australia in theory, but enforcement is lax. There are various ways to side-step inspections or make them ineffective anyway. If you've got contacts in the police force, you can get advance notice of when an inspection is going to happen and temporarily move your sex workers who are on the wrong kind of visa off the premises. The ones who actually have permission to work in Australia but aren't being paid properly or are being forced to work excessive hours can be coerced into giving convenient answers if interviewed using various carrot/stick approaches.

      Enforcement is pretty lax in Europe as well. It's an open secret that organised criminal groups move women from Eastern Europe and Russia through the German FKK clubs and the Amsterdam glass houses. Probably a lot of corruption and lack of will to take enforcement seriously.

    18. Re:No backups?! by Anonymous Coward · · Score: 1

      Yep. Kill all the kids so they can't be harmed by any of those creepy fuckers. It's the only way to keep them safe as there's no way to determine ahead of time when someone will become a pedophile.

  2. Now we know ... by PPH · · Score: 5, Funny

    ... where Bobby Tables went to work after graduating.

    --
    Have gnu, will travel.
    1. Re:Now we know ... by Anonymous Coward · · Score: 1

      A pox on you for not linking to the relevant XKCD!

    2. Re:Now we know ... by freeze128 · · Score: 1

      You still need a link? Turn in your geek card!

  3. Dumb move. by Gravis+Zero · · Score: 1

    If they had merely created a backdoor account and given the FBI access, I'm certain that the server would have been seized and a shitload of arrests would have happened. There is no way he was hosting 6500 darkweb sites without lots of them being highly illegal.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re:Dumb move. by Anonymous Coward · · Score: 1

      Empirical proof > Circumstantial evidence > Implicating factors > Psychic intuition > steaming pile of dogshit > Your as-yet unfounded opine

    2. Re:Dumb move. by phantomfive · · Score: 1

      Since they don't do backups, it would seem logical that their customers keep their own to re-upload.

      I think his problem is that now he doesn't know who his customers are......or how much they owe.

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Dumb move. by fustakrakich · · Score: 1

      Customers don't have receipts either, eh?

      --
      “He’s not deformed, he’s just drunk!”
    4. Re:Dumb move. by phantomfive · · Score: 1

      They might or might not, but if I were a customer with a bill about to come due, I sure wouldn't volunteer that information.

      --
      "First they came for the slanderers and i said nothing."
  4. Dark web host by PPH · · Score: 3, Insightful

    Big Red Button next to the front door. "In the event of a search warrant, press"

    --
    Have gnu, will travel.
  5. Is this related to the cryptocurrency crash? by xack · · Score: 1

    Considering how linked the two are, I expect people are cashing out their ill gotten coins as fast as possible.

  6. The dark web by fredrated · · Score: 4, Funny

    went dark. Oh the irony.

  7. Re:Don't fucking bother, mate. by zlives · · Score: 1

    probably the same people that use Experian, ATT, Verizon, Comcast, Blueshield....

  8. Hacker Unknown by AlexanKulbashian · · Score: 2

    Let me guess, hacker routed his connection through the dark web? :D

  9. Has nobody yet thought about one-way backups? by burni2 · · Score: 1

    Perhaps one-way is the wrong term, perhaps "Postbox"-Backups are a better term?

    I mean, we have the tools to create a public & private key used for asymmetric encryption.

    With my public-key I can encrypt data and without the private key this data can't be decrypted?

    How to use these keys in backup and restoration?
    So when I would generate such a key-pair and put the public key into the backup service of this hosting provider, the data could be backed up and gets encrypted with the public-key. But nobody except the owner of the private key could decrypt it.

    The owner of the private key should not be the hosting provider :)

    postbox
    It is like a postbox, you can put letters in, however only the mailman can open the box with his key and get the letters out. (disclaimer: metaphorically speaking, not including access by lock picking, explosives, extortion, and so on ..)

    Another application
    Naturally it would also be possible to equip an email service with this technique, the server receives an email and without storing it anywhere outside RAM, it will be encrypted with your "public" key first and then stored inside your mailbox. You receive it and decrypt it locally.

    This way a person getting access to the eMail-Account without the private key will only get encrypted data.

    Or am I getting something wrong?

    I know if we would live in a perfect world we all would do key-exchanges and signing and ofc singing and dancing. But this world is far from perfect.

    1. Re:Has nobody yet thought about one-way backups? by burni2 · · Score: 1

      It protects the hoster against a subpoena, because he will surrender all data, but at least the backup is still encrypted.

      To decrypt it you would need to get to the person, who has the private key, in his/her possession and use violence or just force him to surrender the private key.

      And a darkweb hoster tries not to know who the customer is :)
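
The "postbox" backup described in the two comments above, sketched with the OpenSSL command line as an added example that is not part of the original thread: the host seals each backup to the customer's public key and never holds the private key. The function names, file names and sample site content are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example: "postbox" backups. The host stores only the customer's
# PUBLIC key, so it can write backups but cannot read them back.
set -eu

# Customer, offline: create the key pair; only the public half ($2) goes to the host.
make_keypair() {    # $1 = private key out, $2 = public key out
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:3072 -out "$1" 2>/dev/null
    openssl pkey -in "$1" -pubout -out "$2"
}

# Host: seal directory $2 for public key $1, writing $3.key and $3.data.
seal_backup() (
    key=$(openssl rand -hex 32) || exit 1      # fresh 256-bit secret per backup
    # Wrap the secret with RSA-OAEP; it reaches openssl on stdin, never argv or disk.
    printf '%s' "$key" | openssl pkeyutl -encrypt -pubin -inkey "$1" \
        -pkeyopt rsa_padding_mode:oaep -out "$3.key"
    # Encrypt the archive stream; the secret is handed over on file descriptor 3.
    # openssl enc has no AEAD mode: add a signature or MAC if tampering is in scope.
    tar -C "$2" -cf - . | openssl enc -aes-256-cbc -pbkdf2 -salt \
        -pass fd:3 -out "$3.data" 3<<EOF
$key
EOF
)

# Customer: unwrap the secret with private key $1 and unpack backup $2.* into $3.
restore_backup() (
    key=$(openssl pkeyutl -decrypt -inkey "$1" -in "$2.key" \
        -pkeyopt rsa_padding_mode:oaep) || exit 1
    mkdir -p "$3"
    openssl enc -d -aes-256-cbc -pbkdf2 -pass fd:3 -in "$2.data" 3<<EOF | tar -C "$3" -xf -
$key
EOF
)

# Constructed round trip: anyone can seal, only the private-key holder can restore.
postbox_demo() (
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT
    mkdir "$work/site"
    echo 'constructed sample page' > "$work/site/index.html"
    make_keypair "$work/customer.pem" "$work/customer.pub"
    make_keypair "$work/other.pem" "$work/other.pub"   # stands in for anyone else
    seal_backup "$work/customer.pub" "$work/site" "$work/backup"
    restore_backup "$work/customer.pem" "$work/backup" "$work/restored"
    cmp -s "$work/site/index.html" "$work/restored/index.html" || exit 1
    # A different private key must fail to unwrap the per-backup secret.
    if restore_backup "$work/other.pem" "$work/backup" "$work/stolen" 2>/dev/null; then
        exit 1
    fi
    echo "round trip ok; foreign key rejected"
)

postbox_demo
```

Deleting the private key makes every backup sealed to it unreadable, which gives the "guaranteed deletion" an earlier comment asks for without touching the stored copies.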

  10. Web servers at home? by DogDude · · Score: 2

    Why do so few people set up web servers at home? It ain't rocket science. It can be done on *any* computer. Really. Unless you're hosting something really huge or something that gets a huge amount of traffic, just fire up any old PC, install a web server, and you're done. Do your own backups (drag and drop folders, if you're too clueless to schedule something). People used to do it all of the time, back when setting up things like web and FTP servers were more complicated than it is now. It's 100% free, and if you're doing something sketchy, you've got 100% control of your own files and your own backups.

    --
    I don't respond to AC's.
    1. Re:Web servers at home? by Woldscum · · Score: 2

      Most ISPs require a business class contract to have a server. Here that is a min of $350/mo for 50/5.

    2. Re:Web servers at home? by phantomfive · · Score: 2

      It's 100% free, and if you're doing something sketchy, you've got 100% control of your own files and your own backups.

      People with technical knowledge who are doing sketchy things like to host their stuff on other people's home servers, often on their router (which has firmware that hasn't been updated in years).

      --
      "First they came for the slanderers and i said nothing."
    3. Re:Web servers at home? by thegarbz · · Score: 1

      Most ISPs require a business class contract to have a server. Here that is a min of $350/mo for 50/5.

      Wow! I agree with your first sentence. I had to switch to a business class contract to get a public facing IP address. I had the choice of paying 59EUR for a 250/10 consumer connection or ... 62EUR for a 250/40 connection with 2 IP addresses with each additional IP a few eur per month.

      You're being fleeced. But then you knew that already.

    4. Re:Web servers at home? by Bazar · · Score: 1

      As someone who's done home email servers, webhosting, phones, the lot
      The age of running web services from your home connection has passed.

      If you try to run emails out of a home connection, either your ISP will block by default port 25 used for sending emails, or your ip address will be blacklisted by any and every spam filter system out there.
      Even if your ISP is good and unblocks you, you'll still likely hit some spam filters.

      As for security, do you really want to go to the hassle of applying security updates and being aware of security vulnerabilities and mitigating them?
      And when you get hit by a zero-day exploit, do you want to run the risk of your machine being used to infect other machines on your network. Do you want to invest in the technology and have the skill set to ensure that the system is segregated or firewalled off from the rest of the network?

      And finally, understand that if you have such a machine on your premise, you can easily be tracked by a simple subpoena to your ISP. At which point any civil, let alone criminal investigation will effortlessly tie all actions/crimes your website is responsible for to you, the tech-head running it in your home.

      Just get someone else to host your crap, it's not worth the trouble to do it yourself.

      --
      To avoid criticism; Say nothing, Do nothing, Be nothing.
  11. Well who would still use Cisco Powny Phones? by burni2 · · Score: 1

    And switches and firewalls and VOIP-Gateways and .. and .. and ..

    Yeah I know the hoster still loses because he hosts true to himself like a real darkweb hoster.

  12. Groping genitals, forced sex? by burni2 · · Score: 1, Flamebait

    I'm sure people would love to vote for a candidate, boasting about groping women's genitals and doing such a bad job as being recorded with that statement?

    And actually they did, what will this now tell about if these people would live to see children or women being raped in the open?

  13. Re:Thanks in a way & why, lol... apk by Anonymous Coward · · Score: 1

    Wow you really just can't stop yourself can you.
    What none of us can understand is why you don't just fuck off and never look at this website again. Then all of our problems would be solved. Surely you would be happier on reddit?

  14. Re: "Dark Web" by edris90 · · Score: 1

    You have it backwards. The darknet is the public web. No rules, handle yourself or not the risks are yours to take. Nobody's in charge. The real internet. The little walled garden searchable by search engines are but a small subset of the internet and the smallest part. And it's been run the shit by e-commerce censorship and political agendas. The censored cross indexed commercialized internet you use is the weird little mutant, the dark web is everything more the internet was and still is.

  15. Because there aren't enough IPv4 addresses by tepples · · Score: 1

    Why do so few people set up web servers at home?

    Last I checked there were 7 billion people in the world and roughly half that many IPv4 addresses. This means each IPv4 address will, on average,* correspond to more than one home subscriber. Thus ISPs in many countries put each neighborhood behind a carrier-grade network address translation (CGNAT) device, which allows a hundred or so to make outgoing connections on the same IP address. But a device behind CGNAT cannot receive incoming connections because the CGNAT does not know to whom to forward the connection. For example, if someone connects to port 443 of a public IP address that you share with 200 other subscribers, how does the CGNAT know that the connection is for your server, not a server run by someone who lives a block away? Even if you have your own /56 worth of routable IPv6 addresses, that doesn't help when an IPv4-only client attempts to connect to your server.

    * Some countries have more IPv4 addresses per 1000 people than the average. But this means other countries have even fewer.

    1. Re:Because there aren't enough IPv4 addresses by thegarbz · · Score: 1

      I had this problem, so I pay my ISP 3eur / month more to get a business connection. I also get an additional 30mbit upload bandwidth for that.

    2. Re:Because there aren't enough IPv4 addresses by tepples · · Score: 1

      The United States and whatever EU member state you live in have a larger-than-average allocation of IPv4 addresses per thousand people. In some places, an IPv4 address costs a lot more than 3 euros per month. It's much more expensive to get your own IP in somewhere like Myanmar, as Bert64 reported: First you have to buy a business license, as none of the ISPs in a given city will sell a business connection to an individual. Then your business is placed behind CGNAT unless you lease individual IPv4 addresses at extra cost. It ends up cheaper to lease a VPS for use as a VPN endpoint.

    3. Re:Because there aren't enough IPv4 addresses by thegarbz · · Score: 1

      Being a registered business is also a hurdle that is different in different countries.

      I have a registered business in Australia. It cost me the time it took to fill out a form, and that gave me an assigned name and business number from the tax department. Just like in Australia you need to be a registered business to get a domain name, it's a hurdle that has stopped no one.

      Funny side anecdote: every other person is their own registered business due to the tax benefits you can get from it. A classic case was to get financial assistance during university you need to prove you had a job before you got to university. One classic way of doing that was for the parents to be a registered business and actually report their kid's allowances to the tax department as "wages". I'm amazed that this was tolerated :-)

      But yes, fundamentally the problem is we're out of IPv4 addresses, we broke the internet, and no one gives a crap.

  16. Backups? are you kidding me by UnixUnix · · Score: 1

    Just Dark Web? Imagine subpoenas for backups of 4chan's /b/ *the horror

  17. aha! by sad_ · · Score: 1

    now i know what to tell my boss the next time there are no backups.
    it's by design!

    --
    On a long enough timeline, the survival rate for everyone drops to zero.