back to article Tor servers vanish as FBI swoops on kiddie-smut suspect

Network anonymisation outfit TOR has posted a fascinating piece of commentary on reports that some of the anonymous servers it routes to have disappeared from its network. “Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the Tor Network,” the …

COMMENTS

This topic is closed for new posts.

Page:

Silver badge

Is Tor really secure?

Correct me if I'm wrong (and I just might be), but it seems to me that Tor has become a bit insecure by default. I'm thinking this because the government spook agencies and probably some criminal outfits [is there a difference?] seem to have figured out that they can just listen in on exit node traffic and scoop up lots of juicy communication from criminals, extremists, freedom fighters, dope smugglers, other spook agencies, etc.

Am I wrong on this? I've avoided using the Tor Browser Bundle recently for this reason. Not that anyone would be even slightly interested in reading any of my communication, but still it seems kind of a bad idea to place stuff directly into the government dragnet like that.

1
0
Silver badge

Re: Is Tor really secure?

Tor isn't meant to be secure - it's meant to be anonymous.

of course if all the exit nodes are FBI then it isn't even that

13
0

Re: Trojans

You are a bit wrong. First of all, exit nodes communicate unencrypted only with the regular web. Accessing hidden services makes the communication encrypted end-to-end. And even for the regular web, you can use https to achieve the same result.

This will hide both the origin of the traffic and the content of the traffic from anyone listening. Depending on how many intermediate nodes there are between you and the exit node, it can be almost impossible for someone to trace you, under normal conditions.

However, if most of the entry, exit and intermediate nodes are owned by FBI/NSA etc., everything changes. And it seems they lease some cloud servers from time to time to do just that.

TL/DR: TOR is not secure when attacked by someone with a lot of resources.

9
0

Re: Is Tor really secure?

> Am I wrong on this? I've avoided using the Tor Browser Bundle recently for this reason. Not that anyone would be even slightly interested in reading any of my communication, but still it seems kind of a bad idea to place stuff directly into the government dragnet like that.

Use Tails in LiveCD mode, rather than the TOR Browser Bundle.

For hardcore mode, use Tails in LiveCD mode without a HDD installed in the laptop, a USB wireless dongle that you purchased using cash from a camera less kiosk, change MAC address anyway, wardrive for internet connection while keeping the laptop suspended over a bucket of saltwater. Slowly roll a cyanide capsule around your mouth and be prepared to bite down on it at anytime.

24
0
Anonymous Coward

Re: Is Tor really secure?

With the recent revelations about the level of internet surveillance, I would have to say Tor's security is not looking good. At least not good enough for anyone the NSA might be after. Hidden services are probably especially vulnerable due to their persistence, and the fact that the Tor Project has been neglecting that part of the software for some time.

Unfortunately the only countermeasure to this type of correlation attack, as far as I know, is to add a large randomized delay at each step in the circuit. This, needless to say, would not be very attractive to most users.

Personally, I think some of this also shows that the Tor Project needs to rethink their strategy. Now obviously, their goal was not to provide a way for people to access child pornography, but of course the same attack could be used against more sympathetic users, and it directly took advantage of two things the Tor Project did thinking they would make people safer. #1 Encouraging everyone to use the same browser bundle, and #2 keeping JavaScript enabled. Their thinking was safety in numbers, and that making it user friendly would get more people to use it, but it seems to me they discounted the more acute risk of a targeted exploit.

4
0

Re: Is Tor really secure?

Don't forget cars have licences plates so rent one from a place without a cam.

1
0
Silver badge
Boffin

Re: Is Tor really secure?

@Andy Prough

"...the government spook agencies and probably some criminal outfits [is there a difference?]..."

No.

7
3
Silver badge
Big Brother

Re: Is Tor really secure?

@Unauthorized - >"For hardcore mode, use Tails in LiveCD mode without a HDD installed in the laptop, a USB wireless dongle that you purchased using cash from a camera less kiosk, change MAC address anyway, wardrive for internet connection while keeping the laptop suspended over a bucket of saltwater. Slowly roll a cyanide capsule around your mouth and be prepared to bite down on it at anytime."

Too risky - you might forget to bite down on the capsule. Safer to grab a 1,000-count bottle of one-minute time-release cyanide capsules. Every 59.5 seconds, spit one out and replace it with a new one.

Hard core - 5,000-count bottle of 20-second time release capsules.

1
0
Holmes

Re: Is Tor really secure?

You forgot the bear trap, just in case they try to hold your jaw open. You can set it to spring close on your head when the lappy drops into the sea water.

1
0
Silver badge
Coffee/keyboard

Re: Is Tor really secure?

And the man-eating sharks in sea water, in case they try to reach in and grab it out quickly. And a slow drip of blood into the sea water, to keep the sharks hungry.

1
0
Trollface

Re: Is Tor really secure?

@Ted Treen-

@Andy Prough

"...the government spook agencies and probably some criminal outfits [is there a difference?]..."

No.

The spook agencies have seemingly unlimited resources. Some of them wear badges.

1
0
Silver badge
Black Helicopters

Re: Is Tor really secure?

Just remember to remove the battery from your cell phone first, before you borrow your ex-neighbor's friend's 1982 car.

1
0
Anonymous Coward

Re: Is Tor really secure?

Should have used a more secure browser - such s a current version of IE....

1
0
Bronze badge
Boffin

Re: Is Tor really secure?

Or just take to wearing a long bushy beard sans 'tache, Ray-Bans and a keffiyeh and have lots of online conversations about The Great Satan, meeting up at Logan Airport etc. That should keep you off their radar fine.

0
0
Silver badge

oh boy

I wonder how many Tor exit nodes are hosted by the U.S.'s FBI and other organizations?

7
1
Bronze badge
Angel

@theodore - Re: oh boy

Think common sense.

Who invented TOR/Onion Routing? Why the U.S. Government of course.

2+2 does actually = 4.

2
4

Re: oh boy

A bunch. That shouldn't be an issue if you restrict your usage to hidden services, as there is no exit node involved. However...

The payload sets a tracking cookie and appears to phone home with information about your system (IP address, for instance) that it shouldn't have. The code will only run if it thinks it's on a Windows machine running Firefox 17... Word is that the Tor Browser Bundle presents itself as FF 17 on Windows, regardless of the machine it is actually running on.

Sit back and watch the fun.

0
0

Re: oh boy

A large number.

At the exit nodes the data is decrypted so that it can be sent to its final location. While the FBI et al cannot work out the sender (unless they're accessing a service that gives that away, such as gmail etc, though those details might be limited) they can work out what the sender is doing (in some cases at least, unless you're engaging in encrypted communications and using TOR as the backbone).

0
0
Silver badge

Re: @theodore - oh boy

Left hand: We need to do something to aid political expression in certain repressive regimes, and prevent those governments snooping on dissidents, as social change in those countries is essential for continued peaceful coexistence.

Right hand: We need to set up improved monitoring and tracing systems systems for the internet - it'll be impossible to enforce the law effectively online if anyone can disappear into electronic mist at will, not to mention the potential for money laundering.

I don't think they were communicating at the time.

2
1

Re: oh boy

The number is proportional to the number of spooks who participate in civil disobedience/protestes.

0
0
Silver badge
Thumb Up

Re: @theodore - oh boy

Well, now I know. I've never used it, nor have a felt the need to use it.

yes, 2+2=4.

0
0
Anonymous Coward

Re: oh boy

I used to host a 100 mbit TOR node in the UK, and i'm 99% sure it was monitored by the security services.

I had a hidden USB camera in my rack server and it showed suspicious repatching taking place to just my server during a mysterious brief outage that my CoLo proider denied knowing anything about, this being a couple of weeks after I started running an exit node....and my server had been in place without change for over a year. As soon I realised what had likely happened I stopped hosting TOR.

1
0
Bronze badge
Black Helicopters

Slashdot has more - TOR hacked by FBI

http://yro.slashdot.org/story/13/08/04/2054208/half-of-tor-sites-compromised-including-tormail

3
1
Silver badge
Big Brother

Re: Slashdot has more - TOR hacked by FBI

Wow. Talk about walking into a trap. The fact that you get infected by a 0-day exploit on top of it is really bad. This quote on the Tor blog does not instill confidence: "We're investigating these bugs and will fix them if we can." I guess this is what you get when you build your service on a 1-year-old browser with known security holes.

Hadn't used it in quite awhile, but Tor Browser Bundle has just gotten permanently banned from any of my systems.

1
6
Silver badge
Boffin

Re: Slashdot has more - TOR hacked by FBI

The included browser is supposed to be optimized to avoid leaking info, but it isn't required to do Tor browsing. You can simply point any FF/Chrome build to Tor by setting up the proxy settings to use the Tor local relay.

That said, Tor can be de-anonymized if the same person owns both the guard relay (entry point to Tor network) and the exit node, as explained by the Tor Project people at DEFCON. It could be what happened here, and it has more to do with the fact that Tor wasn't designed against a multi-national cooperation attacking the network, but was more about one single country trying to check on their users (i.e. China).

4
0
Silver badge
Go

Re: WonkoTheSane Re: Slashdot has more - TOR hacked by FBI

The slashdot post about the FBI putting malware on the site is interesting but hardly surprising, but could be construed as interfering in an investigation.

As to how effective the FBI are being, the Internet Watch Foundation may provide an insight. They report that since June there has been a spike in the number of attacks looking to create hidden folders of paedo porn on poorly defended websites, linked to regular pron sites, which looks like the paedo peddlers desperately moving and hiding their stuff and trying to hide their traffic amongst regular porn traffic (http://www.iwf.org.uk/about-iwf/news/post/367-websites-hacked-to-host-the-worst-of-the-worst-child-sexual-abuse-images). Whatever the FBI did in Ireland seems to be making the paedos a bit desperate and they seem to be deserting TOR. All good news AFAICS.

1
3
Bronze badge
Holmes

is this a surprise ?

spooks, cops and assorted crims would have TOR as main target for years. Real cyberwarfare. The Norks will be jealous

1
0
Anonymous Coward

Re: is this a surprise ?

Just use a decent anonymous VPN provider too - then it's going to be very hard to trace you....Such malware will just show your VPN IP.....

0
0
Gold badge
Unhappy

So a system that protects *privacy* is a major target for everyone.

Which kind of suggests who their real enemy is.

Individual rights.

10
1
Silver badge

thank god this sick fuck network is down.

now they just need to arrest all the trolls on twitter and the internet will finally be clean and polite.

4
15
Silver badge

I REALLY hope that post was in jest. It looks like it, but you can never be sure...

8
0
Facepalm

Inappropriate sarcasm much?

Badly misplaced irony, dude, seriously

2
1
Bronze badge

RE: thank god this sick fuck network is down.

Obviously, you forgot your <sarcasm> tag!

1
0
Bronze badge
Black Helicopters

Frankly, I wouldn't use TOR for anything really secure

I rarely use TOR/Onion routers, and then I only use them out of frustration to overcome the irritating IP location-based blocking (watching online TV outside the viewing region and such).

It seems to me that trusting TOR with anything truly secure is a dangerous move. I do not believe--nor I'm not convinced--that the internet can ever be truly secure when messages are sent, say, between Alice and Bob and both their IP addresses are known and linked to them personally.

The internet cannot work unless IP addresses are 'published'. And as we've seen with recent revelations, government has back-door access to all those IP addresses--and probably access to servers along the way which would allow man-in-the-middle attacks.

With government having so much access to the internet, and with its very powerful pattern matching capabilities aided by super computers which are triggered at the first sight of encrypted text, you'd be mad to trust your secrets to the net.

Moreover, no one has shown that programs such as Mozilla Firefox can ever be truly secure.

In my opinion, TOR/Onion routers etc. should only be used in once-off emergencies such as a dissident trying to escape an oppressive regime.

A few high profile cases such as this might eventually serve to warn the world that the internet can never be truly secure in the same way as most us know that you never say anything on a public telephone network that you don't want the world to know about.

3
0
Silver badge

TOR is “investigating these bugs and will fix them if we can

'If'?

2
1

Good News?

This is one of the few places where I would support a fascist dictatorship of allegedly moral officials. The Libertarian ideal of freedom to the point of not harming others is crossed badly by kiddie porn, and who would doubt it? The only danger here is that a fascist dictatorship of allegedly moral officials would accuse their detractors of anything -- even kiddie porn -- as a means to an end. I support any fascist dictatorship if kiddie porn is their actual target, but it says volumes about what I think of their character if I don't trust them even as to their statements about kiddie porn. After Snowden's revelations -- and their lies in response -- who would doubt it?

0
12
(Written by Reg staff)

Re: Good News?

But the point of kiddy porn is that the child is harmed in its creation - thus, the libertarian ideal of doing no harm still stands against child porn.

(yes, I'm vaguely libertarian'ish, sort of, mainly on Thursday nights when there's nothing good on the telly...)

5
2
Silver badge
Boffin

Re: Gaz Re: Good News?

".....the point of kiddy porn is that the child is harmed in its creation....." I used to think that all paedos were dribbling old men with snuff vids of 5-year-olds, but the reality is it is not all kiddie-rapists and the like. A while back I helped host a website for a charity, one of the services they provided was storage space for code contributors and some users did dump porn in their folders. This wasn't a problem until a guy in Spain started dumping pics of young teen couples, nothing abusive or looking like it was either party being coerced, but legally paedo material in the UK. The website owner and I had a chat with the guy and he pointed out that in Spain the age of consent was 13, so he felt unfairly judged when we accused him of being a paedo using UK law, and was horrified that we lumped him in with the type of people raping infants and the like. Our response was tough, the server is in the UK, remove your material. He wasn't too pleased and left the site, threatening to sue us for slander (which he didn't).

It all goes to show that some paedos do not view themselves as crims nor think that they are doing wrong, and some apply cultural values that make them think what they do is not morally wrong even though we would consider it morally repugnant and illegal. Don't assume it is all nasty types willingly torturing kiddies, there are some "normal" and talented people out there willingly helping paedos hack code for hidden sites and the so-called digital underground or dark net.

9
1
Silver badge
Facepalm

Re: Good News?

What a great idea!

What about your sister or brother who has autism? Uncle Fred, the benevolent leader doesn't like imperfections ( even though he's probably a short-arse with gammy leg! ) so off to "the hospital" with little Johnny or Sarah.

Your Mum or Dad, being of a different generation, forgot one day that things are different and said something the Great Leader ( "All hail his magnificence!" ) wouldn't like and uh-oh the neighbour they never got along with dobbed them in as state-traitors! They even gave the neighour a nice reward for it so he could get that nice new car!

Your partner and you had a baby and it's got a finger missing? Oh dear, you can't keep it, off the state orphanage with it!

You wanted to read what book that you read as a child? Sorry but that's not the state's agree reading list!

You were heard down the pub talking about "the old days", I think a little red-education with a 240v shock to your dangly bits will sort out that head of yours down at the "the hospital"!

Hey-ho we can lock up a couple hundred kiddie-fiddlers so fuck the 100 million people in the country who've done nothing wrong and will no longer be allowed to have their own opinion on anything ever again!

4
1

This post has been deleted by its author

Silver badge

Definition time

"Pedophilia:

Sex or sexual activity with children who have not reached puberty."

i.e. Pre-pubescent.

Above this age and below 16 (in the UK) it is illegal, but biology reckons this group to be physically (if not emotionally) mature - (hence the illegality of it here).

1
1
Coat

Re: Good News?

In a perfect world, we would ALL be Libertarians. We don't live in that perfect world so we have to do the best with what we got. The game is rigged.

0
0
Silver badge

I wouldn't trust Tor for anything illegal

It's too easy for law enforcement to set up any number of exit nodes and stand a good chance of discovering illegality and in far higher concentrations than if they just monitored regular network activity.

That said, someone wishing to stay anonymous for more mundane reasons (torrent sites etc.) probably has nothing to fear.

2
0
Silver badge

Sir

It looks like a lot of people have just received thier first virtual electronic tag.

2
0
Silver badge

I don't think that law enforcement carried this out.

If they had then they would be crowing from every rooftop about this.

0
0
Anonymous Coward

Re: I don't think that law enforcement carried this out.

Re "crowing from the rooftops"

I rather think they'd prefer people go on using it to be honest. Expect minimal crowing, apart from the people involved TOR and the like, which is what we've seen here.

1
0

"Crowing from the rooftop"

Er, no, not while it's clearly 'work in progress'.

Once they'd destroyed the entire TOR network then yes, pull out all the stops to help justify PRISM (yes, I know it's not really related but 'saving the children' is a great carrion cry excuse for anything like this) and anti-freedom actions in general.

3
2
Anonymous Coward

Yep

This is the start of the smear campaign that will be used to taint anyone using such services.

If you've nothing to hide, and are an honest law abiding sheeple, why are you using TOR or a VPN?

Very soon that will be used as the justification to destroy whatever privacy options we have left.

5
1
Silver badge

Re: Yep

I use it so I can watch TV on http://pluzz.francetv.fr/ and similar sites without it making racist comments about my IP address.

2
0
Anonymous Coward

Re: Yep

"If you've nothing to hide, and are an honest law abiding sheeple, why are you using TOR or a VPN?"

Because I'm paranoid. Any further questions, Sir? :)

0
0

Page:

This topic is closed for new posts.

Forums