Cue "The NSA got to the infosec researchers!" conspiracy theories in 3... 2... 1...
Infosec analysts back away from 'Feds attacked Tor' theory
When Tor admitted early this week that some nodes on the network had suddenly and inexplicably gone dark, thanks in part to a malware attack, theories abounded as to just what was going on and why. That the FBI arrested a man suspected of using Tor to host child pornography distribution services further fuelled speculation …
-
Thursday 8th August 2013 05:22 GMT xyz
err...that's the point of a conspiracy theory
When they do "track down" the IP address, it'll probably end up leading to an account belonging to a dock worker called John Authur Bennett (or someone equally mundane) who'll end up being killed in an accident at work.
We're a bit more Elysian on this side of the pond and prefer the old "committed suicide in a field" approach.
-
Thursday 8th August 2013 11:24 GMT Roo
Re: err...that's the point of a conspiracy theory
"We're a bit more Elysian on this side of the pond and prefer the old "committed suicide in a field" approach."
It's not quite the same ball game. The TOR exploit lies in the world of espionage whereas Kelly died as a result of undermining a PR campaign. For those who didn't get to enjoy Tony Blair and his propaganda machine first hand: the propaganda was intended to deceive the public into supporting the illegal invasion of Iraq.
Amazingly, Tony Blair still wanted us to believe that he was telling the truth as he trousered $30m from oil businesses while working as a middle east peace envoy. If Cromwell had never happened I suspect that Tony Blair's head would be adorning traitors gate.
-
Thursday 8th August 2013 07:11 GMT Matt Bryant
Re: Franklin.
"Cue "The NSA got to the infosec researchers!" conspiracy theories in 3... 2... 1..."
It will be something along the lines of:
"No! I want to believe! Baa-aa-aa! Don't try changing my mind with actual facts or analysis, dammit! Baa-aa-aa!"
And Potty will insist it's not an attack on TOR, it's actually a pre-emptive strike on the means of communication of The Free prior to the US launching a massive invasion of Mooseland to seize Canuck oil...... XD
-
Thursday 8th August 2013 11:44 GMT Anonymous Coward
Good god man, they live
explain why royal births are no longer attended by the government.
Home secretaries used to attend royal births. The last time was in 1936 for the birth of the Queen's cousin, Princess Alexandra. The custom was ended in 1948 ahead of the birth of Prince Charles. At the time Home Office researchers could find no evidence for the belief that the home secretary's presence was anything to do with verification, according to a biography of the Queen written by Ben Pimlott.
can't have them seeing the egg...
-
Thursday 8th August 2013 05:55 GMT Rol
When your reputation is on the line, you will make a point of not jumping to conclusions and tell it how it is.
After your mortality in this world is brought into question, you'll tell it how you're told.
This comment has nothing to do with the article and any reference that suggests it is, is purely coincidental and unintentional.
"and...."
Oh and the NSA are a really nice bunch of guys fighting for peace
"Thank you for your cooperation sir"
-
Thursday 8th August 2013 06:34 GMT Anonymous Coward
"...their initial analysis of the malware was wrong"
I made a stab at understanding the 'rambling' post explaining why they're backtracking a bit, and came to a different conclusion.
The article gives the impression of people who rushed to condemn and then found, on digging deeper, that they were wrong. What the later post actually seems to be saying is that detailed information that they relied on seems to be different now and they are disturbed as to why that is - ie either they were embarrassingly sloppy in their initial work, or a clean-up crew has already been in.
I wouldn't know one way or the other, but it is intriguing.
-
Thursday 8th August 2013 08:33 GMT Anonymous Coward
Re: "...their initial analysis of the malware was wrong"
Yup, the suspicions are obvious. The trouble is, Cryptocloud seem to have forgotten a fundamental rule of investigation: always take a copy of significant information as you come across it, otherwise your conclusions can be written off as mere speculation. As it is they can't offer much hard evidence that things were changed.
-
Thursday 8th August 2013 14:30 GMT Matt Bryant
Re: yossarianuk
The Beeb article also points out that the Anonyputzs have previously attacked Freedom Hosting for hiding paedo sites, and it is not outside the bounds of possibility that the skiddies may have compromised (or even hired) a server or servers at the hosted IP addresses mentioned, so this could be just another Anonyputz effort and nothing to do with the NSA. Whether they actually meant to take down TOR nodes is doubtful, but then they may just have goofed on their malware and knocked the TOR nodes out by accident.
-
Thursday 8th August 2013 15:30 GMT Conrad Longmore
Re: yossarianuk
Well, except that Eric Eoin Marques of Freedom Hosting does actually appear to have been busted by law enforcement, so I think the exploit should be regarded in this context.
Also, the analysis I've seen of the exploit indicates that it simply collects data and sends it back, and doesn't leverage the vulnerability to install any malware on the machine. I would have thought that skiddies would do a lot more damage than that. Also, skiddies would almost definitely not be corporate customers of Verizon in the DC/VA area. It looks like a duck, it quacks like a duck...
-
Thursday 8th August 2013 19:06 GMT Old Handle
Re: yossarianuk
I had a similar thought: Just because the exploit points to that IP, doesn't mean the people who own that IP actually did the exploit. All the same, with the arrest occurring at the same time, it still seems like a "feds did it" scenario is the Occam's Razor explanation. Exactly which bunch of feds doesn't seem terribly important.
-
Thursday 8th August 2013 10:02 GMT Conrad Longmore
I did some of the debunking on that one
The IP addresses in question, 65.222.202.53 (for the code) and 65.222.202.54 (for the data upload), were incorrectly identified as belonging to a US government contractor, SAIC, due to an error with the analysis tool used.
What happened was that DomainTools accidentally reported the entire 65.222.202.0/24 as belonging to SAIC, when actually it is a Verizon Business IP range shared with many companies. Verizon then suballocates most of the IPs to their customers, almost all of whom are based in the Washington DC or Virginia area. The error was made in good faith, and looking at the underlying data it is easy to see how it happened.
SAIC has the first few IPs, the next block belongs to some ISP, then the next to the US government. The fourth block is where the exploit is homed and the data uploaded, but the IP records don't show who it is allocated to. But analysing the rest of the range shows that it is likely to be a large-ish organisation physically located in the DC/VA area.
Now.. just think about the sort of organisations that operate in that physical location. It's not as if the IP traces to an apartment block next to the bus station in Tiraspol is it?
Now, assuming that Eric Eoin Marques was the person responsible for the servers hosting the tracking code, then it doesn't take a genius to link his arrest with some agency gaining access to the server farm and adding the code. It seems highly likely that the two things are connected.
This is my debunking:
http://blog.dynamoo.com/2013/08/torsploit-is-6522220253-nsa.html
This is what is in the rest of the IP block in question:
http://blog.dynamoo.com/2013/08/what-is-65222202024.html
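The misattribution described in the post above (the covering /24 reported as the owner, when the address actually sits in a smaller sub-allocation) is a longest-prefix-match problem. The following is an added illustration, not code from the post or from any tool it mentions; the allocation records and organisation names are constructed placeholders, only the /24 and the two addresses come from the post.

```python
import ipaddress

# Constructed records for a carrier /24 that is sub-allocated to several
# customers. Owners are placeholders, not real registry data; only the
# covering prefix mirrors the range discussed above.
ALLOCATIONS = [
    ("65.222.202.0/24", "Carrier block (covering allocation)"),
    ("65.222.202.0/29", "Customer A"),
    ("65.222.202.8/29", "Customer B (an ISP)"),
    ("65.222.202.16/28", "Customer C"),
    ("65.222.202.48/28", "Customer D (owner not named in records)"),
]


def _containing(ip, allocations):
    """Yield (network, owner) for every allocation that contains ip."""
    addr = ipaddress.ip_address(ip)
    for prefix, owner in allocations:
        net = ipaddress.ip_network(prefix, strict=False)
        if addr in net:
            yield net, owner


def most_specific_allocation(ip, allocations=ALLOCATIONS):
    """Correct attribution: the longest prefix that contains ip."""
    hits = list(_containing(ip, allocations))
    if not hits:
        return None
    net, owner = max(hits, key=lambda h: h[0].prefixlen)
    return str(net), owner


def covering_block_owner(ip, allocations=ALLOCATIONS):
    """The naive attribution: the shortest prefix that contains ip."""
    hits = list(_containing(ip, allocations))
    if not hits:
        return None
    net, owner = min(hits, key=lambda h: h[0].prefixlen)
    return str(net), owner


if __name__ == "__main__":
    for ip in ("65.222.202.53", "65.222.202.54"):
        print(ip, "naive:", covering_block_owner(ip))
        print(ip, "specific:", most_specific_allocation(ip))
```

The two addresses resolve to the covering /24 under the naive lookup but to the unnamed /28 under the longest-prefix lookup, which is why the whole-range attribution was wrong.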
-
Thursday 8th August 2013 13:45 GMT Arthur 1
Re: I did some of the debunking on that one
I actually stumbled across that article earlier and was reading it. Here's the rub for me: no matter what, it's a business IP address located in the DC/Virginia hub that houses all the major three-letters and almost all of their contractors. Its primary targets were distributors of child pornography, malware toolkits, and the only large fully anonymous remailer service left on the internet. Specifically the target wasn't the data or anything of the sort, but the identities of the end users.
Correct identification of the block as registered to a specific agency or contractor or not (and there's some evidence that it was a valid ID but the record was 'fixed' since the initial investigations began) you'd have a very, very hard time telling me that a Washington DC enterprise is trying to identify pedophiles, cybercriminals and those using anonymous communication online and the various US government cybersecurity branches have nothing to do with it. Throw in that the IDs are the only data that's being targeted, not any content, and further mix in that law enforcement already seized the site backups in Ireland, and now at best you can tell me 'it's not impossible the NSA had nothing to do with it'.
Yeah. It's not impossible. It's a hell of a contrarian viewpoint to take, though.
-
Thursday 8th August 2013 14:55 GMT Conrad Longmore
Re: I did some of the debunking on that one
The NSA is certainly a candidate for the organisation involved, or equally as well it could be another three-letter agency or a contractor working for them. The whole approach could be a multi-agency thing anyway.
Just at a guess on the very little information we have to go on - I would think that the FBI would have worked with local law enforcement (the Garda, for example) to go after the obviously illegal content. They then may have worked with other agencies (NSA / CIA are candidates) to set up the "torsploit" and access other data (Tormail for example) that might have been seized. Different agencies would be interested in different aspects of the data collected.
If Tormail is involved then that in itself is not an illegal service, but it is exactly the sort of thing that has been out of reach of law enforcement and intelligence services for some time.
-
Thursday 8th August 2013 17:03 GMT Arthur 1
Re: I did some of the debunking on that one
I can't think of many outside of foreign intelligence (the FBI legally can't be monitoring it for local cases unless they already know the identity of the user, right?) who would have any use for connecting Tormail users to IP addresses. And while I haven't verified myself (not an existing user and sure as hell not planning on becoming one now), Tormail keeps getting mentioned as one of the services involved.
In general you may have a point, it's probably an FBI/INTERPOL thing on the kiddy fiddler side, but I doubt the FBI has the capability to design zero day exploits by themselves (as you pointed out). There's definitely NSA/CIA/INSCOM/someone from high up on the signals intelligence food chain involved.
-
Thursday 8th August 2013 17:05 GMT Arthur 1
Re: I did some of the debunking on that one
Just to follow up quickly, my main objection was to the slant of the various articles which seem to be saying that it's totally out of left field to attribute this to the US government and their affiliates, when in fact it's only some specifics about exactly who and where which are being discussed.
-