Infosec analysts back away from 'Feds attacked Tor' theory

When Tor admitted early this week that some nodes on the network had suddenly and inexplicably gone dark, thanks in part to a malware attack, theories abounded as to just what was going on and why. That the FBI arrested a man suspected of using Tor to host child pornography distribution services further fuelled speculation …

COMMENTS

This topic is closed for new posts.
  1. Franklin
    Devil

    Cue "The NSA got to the infosec researchers!" conspiracy theories in 3... 2... 1...

    1. Shades

      You have proof that they didn't? No, thought not.

      1. xyz Silver badge
        Black Helicopters

        err...that's the point of a conspiracy theory

        When they do "track down" the IP address, it'll probably end up leading to an account belonging to a dock worker called John Arthur Bennett (or someone equally mundane) who'll end up being killed in an accident at work.

        We're a bit more Elysian on this side of the pond and prefer the old "committed suicide in a field" approach.

        1. Roo
          Facepalm

          Re: err...that's the point of a conspiracy theory

          "We're a bit more Elysian on this side of the pond and prefer the old "committed suicide in a field" approach."

          It's not quite the same ball game. The TOR exploit lies in the world of espionage whereas Kelly died as a result of undermining a PR campaign. For those who didn't get to enjoy Tony Blair and his propaganda machine first hand: the propaganda was intended to deceive the public into supporting the illegal invasion of Iraq.

          Amazingly, Tony Blair still wanted us to believe that he was telling the truth as he trousered $30m from oil businesses while working as a middle east peace envoy. If Cromwell had never happened I suspect that Tony Blair's head would be adorning traitors gate.

      2. Anonymous Coward
        Anonymous Coward

        "You have proof that they didn't? No, thought not."

        Exactly. Not many would have thought the NSA would be breaching personal privacy on the scale they apparently do. So, as far as I am now concerned, nothing is off the cards.

      3. Anonymous Coward
        Anonymous Coward

        Proving the negative, are we?

    2. Anonymous Coward
      Big Brother

      The NSA got to the infosec researchers.

    3. Matt Bryant Silver badge
      Thumb Up

      Re: Franklin.

      "Cue "The NSA got to the infosec researchers!" conspiracy theories in 3... 2... 1..."

      It will be something along the lines of:

      "No! I want to believe! Baa-aa-aa! Don't try changing my minds with actual facts or analysis, dammit! Baa-aa-aa!"

      And Potty will insist it's not an attack on TOR, it's actually a pre-emptive strike on the means of communication of The Free prior to the US launching a massive invasion of Mooseland to seize Canuck oil...... XD

      1. hplasm
        Gimp

        Re: Baaa Mat.

        Nurse! He's frothing again.

    4. chuBb.
      Black Helicopters

      Another conspiracy theory waiting to happen...

      It's the same SAIC that backs/is patent troll VirnetX, who seem to be going after anyone with anything to do with VPNs and other secure networking techs..

      How long till someone claims that its to force backdoors on to the tech...

    5. NomNomNom

      There is no such thing as the NSA. The NSA is a fiction designed to confuse and distract a media led population away from the truth that an ancient race of reptiles now control our governments.

      1. andreas koch
        Alien

        @ NomNomNom -

        For Sobek's sake, man, shut up! You can't just blab that around on the web.

      2. codejunky Silver badge

        @NomNomNom

        Is that a roundabout way of calling Obama a snake?

        1. hplasm
          Coat

          Re: @NomNomNom

          National Serpent Agency.

        2. Tom 13

          @codejunky

          If it were me I can see where you might wonder that, but not him.

          Of course I have more respect for snakes than to compare them to The Big 0.

      3. Anonymous Coward
        Anonymous Coward

        Good god man, they live

        Explain why royal births are no longer attended by the government.

        Home secretaries used to attend royal births. The last time was in 1936 for the birth of the Queen's cousin, Princess Alexandra. The custom was ended in 1948 ahead of the birth of Prince Charles. At the time Home Office researchers could find no evidence for the belief that the home secretary's presence was anything to do with verification, according to a biography of the Queen written by Ben Pimlott.

        can't have them seeing the egg...

      4. Anonymous Coward
        Anonymous Coward

        @NomNomNom

        If you are going to do it, do it right:

        NSA? There is No Such Agency.

    6. nigel 15
      Alien

      yes that is what happened.

  2. Rol

    When your reputation is on the line, you will make a point of not jumping to conclusions and tell it how it is.

    After your mortality in this world is brought into question, you'll tell it how you're told.

    This comment has nothing to do with the article and any reference that suggests it is, is purely coincidental and unintentional.

    "and...."

    Oh and the NSA are a really nice bunch of guys fighting for peace

    "Thank you for your cooperation sir"

    1. Destroy All Monsters Silver badge

      A disquieting message in your chat applet

      "Victor the Cleaner has been spotted taking the lift to your floor"

  3. Anonymous Coward
    Anonymous Coward

    "...their initial analysis of the malware was wrong"

    I made a stab at understanding the 'rambling' post explaining why they're backtracking a bit, and came to a different conclusion.

    The article gives the impression of people who rushed to condemn and then found, on digging deeper, that they were wrong. What the later post actually seems to be saying is that detailed information that they relied on seems to be different now and they are disturbed as to why that is - ie either they were embarrassingly sloppy in their initial work, or a clean-up crew has already been in.

    I wouldn't know one way or the other, but it is intriguing.

    1. Kingston Black
      Big Brother

      Re: "...their initial analysis of the malware was wrong"

      I read Cryptocloud's post as well. Seems they have good but not conclusive evidence that the ARIN records for the C&C server used for Torsploit changed after they (and others) started to investigate. NSA offensive spookery is suspected...

      1. Anonymous Coward
        Anonymous Coward

        Re: "...their initial analysis of the malware was wrong"

        Yup, the suspicions are obvious. The trouble is, Cryptocloud seem to have forgotten a fundamental rule of investigation: always take a copy of significant information as you come across it, otherwise your conclusions can be written off as mere speculation. As it is they can't offer much hard evidence that things were changed.

  4. Anonymous Coward
    Anonymous Coward

    One should just switch to Linux; now is the time, easy as one, two, three:

    https://www.youtube.com/watch?v=_uouWFgfrvo

    then top it off with Tor:

    https://www.youtube.com/watch?v=Z3Ocw1YOqG8

    Then you don't have to worry about the Windows end of it :)

    1. Crisp
      Boffin

      Don't the details of the exploit use insecurities in Firefox? Not Windows?

      1. yossarianuk

        Although it was a weakness in Firefox, the exploit only affected Windows machines.

        Tor now advise people to stop using Windows, not just for this exploit.

        http://www.bbc.co.uk/news/technology-23587620

        "Really, switching away from Windows is probably a good security move for many reasons"

        1. Matt Bryant Silver badge
          Boffin

          Re: yossarianuk

          The Beeb article also points out that the Anonyputzs have previously attacked Freedom Hosting for hiding paedo sites, and it is not outside the bounds of possibility that the skiddies may have compromised (or even hired) a server or servers at the hosted IP addresses mentioned, so this could be just another Anonyputz effort and nothing to do with the NSA. Whether they actually meant to take down TOR nodes is doubtful, but then they may just have goofed on their malware and knocked the TOR nodes out by accident.

          1. Conrad Longmore

            Re: yossarianuk

            Well, except that Eric Eoin Marques of Freedom Hosting does actually appear to have been busted by law enforcement, so I think the exploit should be regarded in this context.

            Also, the analysis I've seen of the exploit indicates that it simply collects data and sends it back, and doesn't leverage the vulnerability to install any malware on the machine. I would have thought that skiddies would do a lot more damage than that. Also, skiddies would almost definitely not be corporate customers of Verizon in the DC/VA area. It looks like a duck, it quacks like a duck...

          2. Old Handle

            Re: yossarianuk

            I had a similar thought: Just because the exploit points to that IP, doesn't mean the people who own that IP actually did the exploit. All the same, with the arrest occurring at the same time, it still seems like a "feds did it" scenario is the Occam's Razor explanation. Exactly which bunch of feds doesn't seem terribly important.

  5. Sir Runcible Spoon

    Sir

    This is the real damage that Snowden has done to US interests.

    Now any time that anything like this happens, everyone's first instinct will be to shout 'NSA'. Now would be a great time for someone else to move under the provided cover.

    1. Anonymous Coward
      Anonymous Coward

      Re: Sir

      how long until it turns out that Snowden allegedly owns those IP addresses ;-)

    2. Destroy All Monsters Silver badge
      Big Brother

      Re: Sir

      It's fresh compared to the constant yells of "It's the PRC".

      1. hplasm
        Black Helicopters

        Re:Re: Sir

        It's the TLA!

        All of them!

  6. Conrad Longmore

    I did some of the debunking on that one

    The IP addresses in question, 65.222.202.53 (for the code) and 65.222.202.54 (for the data upload), were incorrectly identified as belonging to a US government contractor, SAIC, due to an error with the analysis tool used.

    What happened was that DomainTools accidentally reported the entire 65.222.202.0/24 as belonging to SAIC, when actually it is a Verizon Business IP range shared with many companies. Verizon then suballocates most of the IPs to their customers, almost all of whom are based in the Washington DC or Virginia area. The error was made in good faith, and looking at the underlying data it is easy to see how it happened.

    SAIC has the first few IPs, the next block belongs to some ISP, then the next to the US government. The fourth block is where the exploit is homed and the data uploaded, but the IP records don't show who it is allocated to. But analysing the rest of the range shows that it is likely to be a large-ish organisation physically located in the DC/VA area.

    Now.. just think about the sort of organisations that operate in that physical location. It's not as if the IP traces to an apartment block next to the bus station in Tiraspol is it?

    Now, assuming that Eric Eoin Marques was the person responsible for the servers hosting the tracking code, then it doesn't take a genius to link his arrest with some agency gaining access to the server farm and adding the code. It seems highly likely that the two things are connected.

    This is my debunking:

    http://blog.dynamoo.com/2013/08/torsploit-is-6522220253-nsa.html

    This is what is in the rest of the IP block in question:

    http://blog.dynamoo.com/2013/08/what-is-65222202024.html

    1. Don Jefe
      Happy

      Re: I did some of the debunking on that one

      Conrad Longmore, Public Information Liaison, National Security Agency, at your service.

      1. Conrad Longmore

        Re: I did some of the debunking on that one

        Shhhh... that's a secret.

        1. FunkyEric
          Black Helicopters

          Re: I did some of the debunking on that one

          S*E*R*F*

    2. Arthur 1

      Re: I did some of the debunking on that one

      I actually stumbled across that article earlier and was reading it. Here's the rub for me: no matter what, it's a business IP address located in the DC/Virginia hub that houses all the major three-letters and almost all of their contractors. Its primary targets were distributors of child pornography, malware toolkits, and the only large fully anonymous remailer service left on the internet. Specifically the target wasn't the data or anything of the sort, but the identities of the end users.

      Correct identification of the block as registered to a specific agency or contractor or not (and there's some evidence that it was a valid ID but the record was 'fixed' since the initial investigations began) you'd have a very, very hard time telling me that a Washington DC enterprise is trying to identify pedophiles, cybercriminals and those using anonymous communication online and the various US government cybersecurity branches have nothing to do with it. Throw in that the IDs are the only data that's being targeted, not any content, and further mix in that law enforcement already seized the site backups in Ireland, and now at best you can tell me 'it's not impossible the NSA had nothing to do with it'.

      Yeah. It's not impossible. It's a hell of a contrarian viewpoint to take, though.

      1. Conrad Longmore

        Re: I did some of the debunking on that one

        The NSA is certainly a candidate for the organisation involved, or equally as well it could be another three-letter agency or a contractor working for them. The whole approach could be a multi-agency thing anyway.

        Just at a guess on the very little information we have to go on - I would think that the FBI would have worked with local law enforcement (the Garda, for example) to go after the obviously illegal content. They then may have worked with other agencies (NSA / CIA are candidates) to set up the "torsploit" and access other data (Tormail for example) that might have been seized. Different agencies would be interested in different aspects of the data collected.

        If Tormail is involved then that in itself is not an illegal service, but it is exactly the sort of thing that has been out of reach of law enforcement and intelligence services for some time.

        1. Arthur 1

          Re: I did some of the debunking on that one

          I can't think of many outside of foreign intelligence (the FBI legally can't be monitoring it for local cases unless they already know the identity of the user, right?) who would have any use for connecting Tormail users to IP addresses. And while I haven't verified myself (not an existing user and sure as hell not planning on becoming one now), Tormail keeps getting mentioned as one of the services involved.

          In general you may have a point, it's probably an FBI/INTERPOL thing on the kiddy fiddler side, but I doubt the FBI has the capability to design zero day exploits by themselves (as you pointed out). There's definitely NSA/CIA/INSCOM/someone from high up on the signals intelligence foodchain involved.

          1. Arthur 1

            Re: I did some of the debunking on that one

            Just to follow up quickly, my main objection was to the slant of the various articles which seem to be saying that it's totally out of left field to attribute this to the US government and their affiliates, when in fact it's only some specifics about exactly who and where which are being discussed.

  7. DropBear

    HOW MANY TIMES do we have to tell you it's only swamp gas, weather balloons, and the light from Venus?!? Why won't you finally just accept it? Why?!?
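Two points in the thread above lend themselves to a worked illustration: Conrad Longmore's explanation of how a whole /24 got credited to the first sub-allocation in it when the range is actually a provider block carved up among several customers, and the Anonymous Coward's observation that an investigator who does not keep a copy of a registry record at the time of lookup cannot later prove it changed. The example below is added for this page; it is not code from any commenter, from Cryptocloud, DomainTools or ARIN. The allocation records, the organisation names and the simplified record format are all constructed stand-ins (the IANA documentation range 203.0.113.0/24 is used precisely because it is allocated to nobody), and the function names are the author's own.

```python
import hashlib
import ipaddress
import json
from datetime import datetime, timezone

# Constructed allocation records (not real ARIN data): a parent block held by a
# transit provider, with three customer sub-allocations registered beneath it.
# Organisation names are invented. Addresses from 203.0.113.32 onwards have no
# customer record published, so only the parent block matches them.
ALLOCATIONS = [
    {"cidr": "203.0.113.0/24",  "org": "Example Transit Provider"},
    {"cidr": "203.0.113.0/29",  "org": "Example Contractor A"},
    {"cidr": "203.0.113.8/29",  "org": "Example ISP B"},
    {"cidr": "203.0.113.16/28", "org": "Example Agency C"},
]


def _nets(allocations):
    """Parse the record list into (network, organisation) pairs."""
    return [(ipaddress.ip_network(r["cidr"]), r["org"]) for r in allocations]


def most_specific_holder(ip, allocations=ALLOCATIONS):
    """Longest-prefix match: credit the IP to the narrowest record containing it.

    Returns None if no record covers the address. 'parent_only' is True when the
    only match is the provider's parent block, i.e. the registry does not say
    which customer, if any, holds this particular address.
    """
    addr = ipaddress.ip_address(ip)
    matches = [(net, org) for net, org in _nets(allocations) if addr in net]
    if not matches:
        return None
    net, org = max(matches, key=lambda m: m[0].prefixlen)
    return {"ip": str(addr), "cidr": str(net), "org": org,
            "parent_only": len(matches) == 1}


def naive_holder(ip, allocations=ALLOCATIONS):
    """The error described in the thread: take the first customer listed in the
    enclosing /24 and credit it with every address in that block."""
    addr = ipaddress.ip_address(ip)
    block = ipaddress.ip_network(f"{addr}/24", strict=False)
    customers = sorted(
        (net, org) for net, org in _nets(allocations)
        if net != block and net.subnet_of(block)
    )
    return customers[0][1] if customers else None


def snapshot(record, observed_at=None):
    """Freeze a lookup result: timestamp it and hash its canonical JSON form.

    Keep this (and ideally the raw whois/RDAP response it was derived from) at
    the moment of lookup; a later claim that the record changed is otherwise
    unprovable.
    """
    observed_at = observed_at or datetime.now(timezone.utc).isoformat()
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return {
        "observed_at": observed_at,
        "record": record,
        "sha256": hashlib.sha256(canonical.encode("utf-8")).hexdigest(),
    }


def changed_since(snap, record):
    """True if a fresh lookup no longer matches the frozen snapshot."""
    return snapshot(record, snap["observed_at"])["sha256"] != snap["sha256"]


if __name__ == "__main__":
    # An address in the part of the block that has no customer record.
    target = "203.0.113.53"
    print("naive attribution:        ", naive_holder(target))
    print("most specific attribution:", most_specific_holder(target))
    snap = snapshot(most_specific_holder(target))
    print("snapshot sha256:          ", snap["sha256"])
    print("changed after re-lookup?  ", changed_since(snap, most_specific_holder(target)))
```

Run against the constructed records, the naive lookup blames "Example Contractor A" for 203.0.113.53 while the longest-prefix match correctly reports only the provider's parent block with `parent_only` set, which is the honest answer when the registry publishes no customer record for that address. In a real investigation the records would come from a registry query rather than an inline list, and the raw response, not just the parsed summary, is what should be hashed and retained.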
