Silk Road forums
Discussion => Security => Topic started by: eleanorrobot on August 04, 2013, 05:35 pm
-
News here:
- http://newsiiwanaduqpre.onion/?e=5
- *CLEARNET* http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html
- *CLEARNET* http://www.twitlonger.com/show/n_1rlo0uu
If you used the same username/password combination on TorMail or any other Onion site it would be wise to change that combination now.
You should also assume that any unencrypted information in TorMail emails is now available to authorities. Especially recent emails, see below:
Has anyone read this? Apparently there was a JavaScript exploit placed on the TorMail site by the FBI during the window from when it was seized up until when it became public knowledge that it was seized.
The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA.
In a crackdown that the FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network have been compromised, including the e-mail counterpart of the TOR deep web, TORmail.
http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html
This is undoubtedly a big blow to the TOR community, Crypto Anarchists, and more generally, to Internet anonymity. All of this happening during DEFCON.
If you happen to use an account name and/or password combination that you have reused in the TOR deep web, change them NOW.
Eric Eoin Marques who was arrested runs a company called Host Ultra Limited.
http://www.solocheck.ie/Irish-Company/Host-Ultra-Limited-399806
http://www.hostultra.com/
He has an account at WebHosting Talk forums.
http://www.webhostingtalk.com/showthread.php?t=157698
A few days ago there were mass outages of Tor hidden services that predominantly affected Freedom Hosting websites.
http://postimg.org/image/ltj1j1j6v/
“Down for Maintenance
Sorry, This server is currently offline for maintenance. Please try again in a few hours.”
If you saw this while browsing Tor you went to an onion hosted by Freedom Hosting. The javascript exploit was injected into your browser if you had javascript enabled.
What the exploit does:
The JavaScript zero-day exploit that creates a unique cookie and sends a request to a random server that basically fingerprints your browser in some way, which is probably then correlated somewhere else since the cookie doesn’t get deleted. Presumably it reports the victim’s IP back to the FBI.
An iframe is injected into FH-hosted sites:
TOR/FREEDOM HOST COMPROMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/pmGEj9bV
Which leads to this obfuscated code:
Javascript Mozilla Pastebin
Posted by Anonymous on Sun 4th Aug 02:52
http://pastebin.mozilla.org/2776374
FH STILL COMPROMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/K61QZpzb
FBI Hidden Service in connection with the JavaScript exploit:
7ydnpplko5lbgfx5
Who’s affected / Time scales:
Anyone who accessed an FH site in the past two days with JavaScript enabled. Eric Eoin Marques was arrested on Sunday so that’s the earliest possible date.
“In this paper we expose flaws both in the design and implementation of Tor’s hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take down hidden services and deanonymize hidden services.”
Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization
http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf
The FBI Ran a Child Porn Site for Two Whole Weeks
http://gizmodo.com/why-the-fbi-ran-a-child-porn-site-for-two-whole-weeks-510247728
http://postimg.org/image/o4qaep8pz/
On any other day one would say these sick perverts got what they deserved. Unfortunately the Feds are stepping far beyond just pedophiles in this latest issue.
The js inserted at Freedom Hosting? Nothing really, just an iframe inject script with a UUID embedded server-side.
The iframe then delivers an exploit kit that appears to be a JavaScript 0day leading to…something. It only attempts to exploit Firefox (17 and up) on Windows NT. There’s definitely some heap spraying and some possible shell code. The suspect shell code block contains some strings that look to formulate an HTTP request, but I haven’t been able to collect the final payload yet. The shell code also contains the UUID with which the exploit was delivered. Any UUID will work to get this part of the exploit.
I’m still pulling this little bundle of malware apart. So far, I’ve got that the attack is split across three separate files, each loaded into an iframe. Calls are made between the frames to further obfuscate the control flow. The ‘content_2.html’ and ‘content_3.html’ files are only served up if the request “looks like” Firefox and has a correct Referer header. The ‘content_2.html’ is loaded from the main exploit iframe and in turn loads ‘content_3.html’.
Short version. Preliminary analysis: This little thing probably CAN reach out without going through Tor. It appears to be exploiting the JavaScript runtime in Firefox to download something.
UPDATE: The exploit only affects Firefox 17 and involves several JS heap-sprays. Note that the current Extended Support Release is Firefox 17, so this may also affect some large organizations using Firefox ESR.
http://pastebin.mozilla.org/2777139
The script will only attempt the exploit on Firefox 17, so I’m no longer worried about it being some new 0day. Enough of the “Critical” MFSAs are for various sorts of memory corruption that I don’t have the time to find out if this is actually a new exploit or something seen before.
http://postimg.org/image/mb66vvjsh/
Logical outcomes from this?
1. FBI/NSA just shut down the #1 biggest hosting site and #1 most wanted person on Tor
2. Silkroad is next on their list, being the #2 most wanted (#1 was Child Porn, #2 is drugs)
3. Bitcoin and all cryptocurrencies set to absolutely CRASH as a result since the feds cannot completely control this currency as they please.
I don’t always call the Feds' agenda transparent, but when I do, I say they could be trying harder.
Anyone know anything about this?
-
Not good.
-
So Everyone that went on Tormail got an exploit in his computer?
-
Brace yourselves Silk Roaders...
-
So Everyone that went on Tormail got an exploit in his computer?
As far as I know, FBI put a javascript exploit on the site when they compromised FreedomHosting. If you have javascript on your tor browser (TURN IT OFF!) and visited TorMail then it's possible they de-anonymized your browsing. Somebody can correct me if that's wrong, though.
Also, depending on how TorMail worked, it's possible that authorities now have access to all emails on the server. Hopefully people were using encryption to communicate sensitive information.
Again, please correct me if I am wrong and I will edit. Do not want to spread incorrect information.
-
so with Tormail being compromised, what alternatives do we have for safe email?
-
There is still the message "Sorry site down for maintenance" in TorMail.
Luckily I don't have Javascript enabled and I don't use the same username/password there as on any other site, but still, now it's impossible to delete either the account or some e-mails, just in case you need to.
Not good.
-
I thought TOR has Java disabled, so we must go to Options/Embeddings then click Forbid?
Wonder if my IP address was compromised when I used tormail, since I had to click Options then Allow (tormail) in order to even send an email.
-
What law did the owner of freedom hosting break in order to be shutdown by the FBI and extradited?
If sites using his service are hosting CP shouldn't the operators of those sites be the ones that get in trouble? Unless he explicitly knew and helped them I guess.
-
I thought TOR has Java disabled, so we must go to Options/Embeddings then click Forbid?
Java yes, but unluckily JavaScript no; that's a very questionable decision in the name of usability.
The first thing I always do when I install a new version of the ToR bundle (if I use it and not a Whonix VM) is to IMMEDIATELY disable JavaScript. ToR has bundled inside NoScript so the decision to keep JavaScript ON is really idiotic IMO.
Anyway, if I were you I would immediately A) erase ToR and reinstall it again anew deleting the old version completely, B) change all passwords of the onion sites you use for security. If you then had some document in your Tormail not encrypted then consider it as in the hands of LE.
In any case, if you are a normal user I don't think you have much to worry about, but still, as I said, I would both reinstall ToR and change all passwords immediately. Better be extra safe than sorry.
-
This is very troubling, indeed. How the hell did the feds find/unmask the FH founder?
-
Wow. If they can do this to an onion like TorMail, what's stopping them from getting to us?
Child porn. That would be their first big attack on TOR. Stepping stones.
-
Thanks BlackIris. I've done what you've said. But they would still have my IP address and the IP of the Vendor i was talking to? PGP was in use.
-
Thanks BlackIris. I've done what you've said. But they would still have my IP address and the IP of the Vendor i was talking to? PGP was in use.
Yours, it can be (depending on when you went to that site, on whether you got the cookie or not, and also naturally on whether you were behind a public Wi-Fi or a proxy); the vendor's, not unless s/he has visited that same site as you (and got that cookie too). However, don't alarm yourself: the reality of the situation is still unknown and, as I said, if you are a normal user I really doubt that, even just in case, LE will care at all about your IP.
PGP will help you on not having anybody else reading the information you share with the person you want, but will not help you in this case.
-
How do you turn off scripts and all that jazz via Tails??
-
How do you turn off scripts and all that jazz via Tails??
Same way. Find the S icon at the top of your browser (next to onion icon). Click it and a menu will pop up. Select "Forbid Scripts Globally (recommended)"
-
What law did the owner of freedom hosting break in order to be shutdown by the FBI and extradited?
If sites using his service are hosting CP shouldn't the operators of those sites be the ones that get in trouble? Unless he explicitly knew and helped them I guess.
Do you still think this is about law? justice? following regulations?
Mon ami.. this is about FORCE, POWER and FEAR. Get that through your head right now. The only good cop is a dead cop. The only person in uniform who can be assured will not fuck you.. is a corpse in uniform. This is not about LAW.. it's about how they can FUCK their enemies.
And you.. are their Enemy.
Run away and live to fight another day. :D
-
Very strange I will say that, has anyone noticed who is back?
-
What law did the owner of freedom hosting break in order to be shutdown by the FBI and extradited?
If sites using his service are hosting CP shouldn't the operators of those sites be the ones that get in trouble? Unless he explicitly knew and helped them I guess.
He's the only one to be arrested right now, as far as we know.
It's highly possible that he's got server side encryption hiding data that the FBI wants and they are in the process of offering lesser punishment for the encryption keys. Which would be very detrimental to anyone communicating sensitive information by TorMail.
-
Very strange I will say that, has anyone noticed who is back?
Tell us.
-
So, if I'm reading that correctly, they found the Tormail server, seized it and added the JavaScript exploit, which was only live on the site for a few days, between FH / Tormail going down and the operator being arrested. What's really scary is that it means they found the hidden service some other way. Even though attacks on Tor exist to identify hidden services, an email server is so complicated that they may have used an application-level exploit to find the server.
Still, it's worrying.
-
The Hidden Wiki discussion page has the most comprehensive explanation of the attack that I've found. The only part I don't agree with, simply because there is no evidence, is the claim that the FH admin was identified through bitcoin cashing out. It is factually incorrect that Onion Bank was started months ago. It was started like 10 days before the bust. However, the FH admin may have been accepting private bitcoin donations, particularly from the CP site operators and users. After all, someone was paying the bills to keep the site running. It's possible that the FBI made a donation and tracked the payment, and if the FH admin didn't take proper precautions in cashing out, he was identified that way. All this will come out in the discovery during his court case.
I do agree that the compromise of Tormail accounts could be very bad for some members of our community, especially if they didn't encrypt their emails and routinely delete read emails from the server.
Here's the Hidden Wiki discussion of the attack.
1. It runs only if Javascript was enabled and affects Firefox 17 on Windows. The exploit used MFSA 2013-53, which was fixed in Firefox 17.0.7 (the version used in the latest Tor Browser Bundle), and relies on Windows libraries to execute its payload. If you were using an outdated Tor Browser on Windows and you had Javascript enabled (it is by default) then you have definitely been compromised. If you were using Tor on any other OS, had disabled Javascript, or had the latest version of the Tor Browser Bundle (Torbrowser - Help - About shows the version, which must be 17.0.7 or higher) then you are safe and your public IP has not been transmitted anywhere.
2. The exploit has only been online since after the servers came back on August 3rd, 2013. Now read on for the details...
By default, the Tor Browser comes with NoScript set to "Allow All Javascript Globally", meaning that Javascript is enabled by default. They do this to make it convenient for users which is why it's the default setting even though it's not safe.
3. If you were running an exploitable version of the Tor Browser on Windows and didn't either manually set NoScript to "Forbid Javascript Globally" or disabled Javascript entirely via the Firefox settings, then you are absolutely 100% busted. But if you had disabled Javascript like smart people kept telling you, using either of the two methods mentioned, then the code never executed and you are safe.
4. The FreedomHosting compromise consisted of a small, non-existent image <img> tag injected into all Freedom Hosting sites, and this <img> tag contained an <img onerror=""> event attribute. The fact that the image was missing meant that the "onerror" code ran and retrieved the rest of the code from another Onion site. They did it this way via a small, hidden image to avoid drawing attention to any obvious <script> tags.
5. The main payload (main exploit code) from that onion site then created an iframe and set a cookie in it (the sole purpose of which was to reliably identify your unique browser as you traveled between different compromised FH sites, to build a list of which FH sites you've been visiting) and more importantly ran some 0-day exploits using heap overflows to run any code they desired and escape the Tor sandbox.
6. The 0day exploit code executed some functions that revealed your public internet IP address, MAC address, local hostname (such as "LarrysPC") and what Freedom Hosting site you were browsing (they used a unique UDID for each compromised website) and sent it all to a clear-net IP in Washington. This is no joke. I wish I was kidding. It really did this! They transmit your unique browser ID (cookie value) over the clear internet to their public-internet server, thus giving them a physical person tied to the "random person" they've been observing browsing the different FH sites. With this connection performed, they know your public IP, they have the computer's hostname & MAC address to conclusively identify your computer, they have your unique browser ID cookie, and they have a full list of Freedom Hosting sites that have been viewed by that unique browser. They know exactly how deeply you are involved and their lists allow them to target the people that are clearly intentionally seeking out illegal content.
7. The use of 0day exploits means that the attacker had the huge resources required to find such completely new exploits, and is therefore most likely the government.
8. The fact that FreedomHosting was compromised means that the attacker either physically seized the servers and installed the code (government), or managed to exploit the webserver software (other malicious attacker). Considering recent news reports, it is clear that it was the government.
9. The fact that the clear-net IP collecting all the data is in Washington and that FreedomHosting is now down without a word suggests that the attacker was in fact the FBI.
10. The attacker now has the public IP addresses + what FreedomHosting site you were viewing of everybody that had Javascript enabled on Windows with an outdated Tor Browser Bundle. You better prepare to be raided. Destroy all the evidence now, if your freedom depends on it.
11. The cookie is called "n_serv" and can be viewed under Tor Button - Cookie Protections. By default, Tor is set to erase all non-protected cookies on browser restarts (and to make all cookies non-protected unless explicitly told by the user to protect certain cookies). This means that the "n_serv" cookie will not persist between browser restarts, unless the FBI has made part of their exploit code tell Tor Button to protect the cookie. That is very unlikely, though, as it would be difficult to do so and wouldn't do them much good, since the cookie changing its value doesn't actually harm their operation. They will still get your public IP for every unique browser ID that's being transmitted to them, so it doesn't matter to them if the cookie gets cleared and the browser ID changes. Therefore, due to the fact that the cookie clears itself on restart, the only way to know if you've been affected if you're running a vulnerable browser bundle is if your browser has been running non-stop since before FreedomHosting went down. Meaning that your browser has been running for at least 1 week, preferably 2 or more. If you've got no "n_serv" cookie in a session that has lasted that long then you conclusively know that the exploits have never successfully executed on your machine. The cookie only clears on browser restart. I've always been using NoScript in "Forbid Javascript Globally" mode, my last browser restart was over 2 weeks ago and I am 100% sure I have browsed some FH sites before they went offline and without restarting this browser and I don't have the cookie. People that have either set NoScript to globally forbid, or disabled Javascript entirely in the Firefox settings, are therefore conclusively safe. Everyone else will have been infected and can check for the existence of that cookie to verify that fact (will only be there if their browser hasn't restarted in the past few weeks). 
Note that the cookie will be created if Javascript is enabled, but the exploit that transmits your public IP to tie that cookie to your identity is a separate action and will only run on exploitable (outdated) Tor Browser Bundles on Windows. Therefore, the existence of the cookie is not enough reason to panic yet. If you're using Windows and you've got a Javascript-enabled Tor Browser that's older than 17.0.7 then your identity has absolutely been compromised.
12. Previous news reports from July 29th, 2013 show that the FBI performed a nationwide "child sex trafficking" bust, freeing 105 children and arresting 150 pimps/ring leaders (www.fbi.gov/news/stories/2013/july/operation-cross-country-recovering-victims-of-child-sex-trafficking/operation-cross-country-recovering-victims-of-child-sex-trafficking).
13. Other news from July 29th, 2013 shows that the FBI is trying to extradite "the biggest child-porn facilitator on the planet" from Ireland (www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html). Seems that the FH admin was a 28 year old that was arrested in Ireland and that the javascript exploits were set up in a joint-operation between the FBI and the Irish law enforcement since all collected IPs were sent to the FBI. If this is the guy, then Freedom Hosting is never coming back, and he's looking at a lot of jailtime.
14. Also consider the fact that the attackers installed code that uniquely identifies each FreedomHosting site you were visiting, since FH served much more than just child porn. The FBI wouldn't want to bust down the doors of people that were looking at relatively harmless stuff from FreedomHosting. They really cared about knowing which specific sites you were viewing and took many steps to ensure that they accurately tracked which sites you visited, through the use of per-site UDIDs and a tracking cookie.
15. Timeline of events: FreedomHosting admin starts accepting BitCoins a few months ago. The FBI traces his BitCoin transactions to withdrawals into a real-world bank account via currency exchange services, thus revealing the identity of the FH admin, and an arrest is made on July 29th, 2013 in Ireland. The servers were then shut down. On August 3rd, 2013 the sites came back online with the exploit code installed.
16. It is pretty conclusive: Get a fucking move on if you were too stupid to disable Javascript, keep Tor Browser Bundle updated, were running Windows, and visited any of the FH sites after they came back online. You do not have much time. Someone in Washington, otherwise known as the FBI, now has your public IP and a list of which FH sites you were browsing. GET A FUCKING MOVE ON! NOW! Destroy everything before you end up behind bars! Remember to run multiple secure wipe-passes of your entire hard drives so that NOTHING can be recovered, and remember that encryption alone is not safe enough, data leaks out of your encrypted containers into the operating system's thumbnail caches. They might not be able to view your actual encrypted TrueCrypt images, but they sure as hell can see what kind of images you had been looking at in the past (Windows has a global thumbnail database containing smaller versions of all Thumbs.db contents from every drive on the system, Mac OS has a QuickLook cache of everything you have ever viewed, and Linux has similar leaks depending on what image viewers you were using). Also remember that they can force you to give up encryption keys (and even sentence you harshly based on suspicion if you refuse to give it out), so it's definitely not safe to keep encrypted TrueCrypt containers. Your freedom should be worth more than that. Take no chances. Perform a full 3-pass random DBAN (http://www.dban.org/) format of ALL hard disks that were used for child porn AND ALL operating system disks related to that! We are on the verge of a global law-enforcement crackdown unlike anything else ever before once the FBI uses the data they have collected, and you may only have a few days until the knock comes. 
Don't waste time with 35-pass erases, it takes days and they may knock on the door sooner than it can finish and research shows that even a single-pass erase is safe enough, but if you are truly paranoid (even though you would not gain anything from it and would only waste more time) you could do 3 random passes just to be extra safe. Good luck everyone and may God be with you. Time to brace for impact. And remember that silence does not mean that nothing is going on. People that are getting busted won't have any time to connect to Tor and let others know they've been busted. Silence does not mean that busts are not taking place. The FBI is taking this FreedomHosting compromise as the biggest victory in human history. You should treat it with equal respect and do everything in your power to stay safe. This is the calm before the storm. You will see the victims being paraded around in a giant FBI press release within a month or two.
17. For those that had blocked Javascript and are safe: It's now a good idea to remember that Tor should never be trusted, and that any content from Tor sites can be compromised at any time. Always be sure to update your media players such as VLC to the latest versions to protect against exploits in media files. There are no signs that such tampering has taken place, but this is a good time to remind people to be smart. How to be as safe as you can be: 1: Keep Tor Browser Bundle up to date every time you get an update notification. 2: Always disable Javascript. 3: Always keep all your software fully updated. 4: Run everything in a Virtual machine (VirtualBox is free) to avoid data leaking out into your main OS. 5. Use Linux in that VM even if you are primarily a Windows user, because Linux is a fuckton more resilient against attacks. 6: Use encrypted containers inside the VM if your freedom depends on your data being safe from prying eyes. 7: Trust no one. Never reveal personal info on Tormail (now compromised) or even Torchat. You never want to leak anything that leads back to you. Always assume that everyone is out to get you and you will never have the issue of trusting the wrong person.
18. More warnings (TORMAIL): The hidden service for Tormail has been compromised since it ran on FreedomHosting. It's therefore very likely that all the contents of your Tormail inboxes are in their hands. Do not log into your accounts. Depending on how Tormail works, your emails might possibly have been stored in encrypted form in the database and will only be decrypted whenever you log in. In that case, they can only read them by installing a backdoor that makes unencrypted copies as soon as someone logs into their account. Logging in would thereby give them the unencrypted versions. Alternatively, if Tormail already stored everything unencrypted then they already have a complete copy of it and no logging-in-and-deleting will do any good whatsoever. Unfortunately everything points towards Tormail just using a regular IMAP mail server hosted on Freedom Hosting (because of how they allowed regular Roundcube / SquirrelMail access to your mailbox, both of which are just regular unencrypted IMAP web clients), and that would mean that all plaintext emails are already in the FBI's hands and there's nothing you can do about it. Do not log in. Logging in can only make things worse! Tormail is guaranteed to be a major part of this sting because it (along with certain private messaging systems on boards) is the most likely place where people will reveal their true identities to people they've trusted. Tormail has been compromised and all you can do now is NOT log in, and pray that everything was stored as decrypt-on-demand via custom IMAP server software (unfortunately extremely unlikely because no off-the-shelf IMAP servers offer encrypted email storage). That, and destroy all the evidence so that anyone knocking down your door will find nothing on your computers.
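As an added example (not code from any poster in this thread), the kind of scanner a hidden-service operator could run over the HTML their server actually returns, to flag the injection pattern the post above describes: a tiny or missing image carrying an onerror handler, plus hidden iframes and scripts that load from another host. The sample page, host names and the loadRemote() handler in it are constructed.

```python
"""Scan served HTML for content injected into a hosted site, as described in
the thread: a 1x1 or missing <img> with an onerror handler that pulls code
from elsewhere, and hidden off-site <iframe>s. Added example; the sample page
below is constructed and the hosts are placeholders."""
from collections import namedtuple
from html.parser import HTMLParser
from urllib.parse import urlparse

Finding = namedtuple("Finding", "severity kind src detail")
EVENT_ATTRS = ("onerror", "onload")


def _is_tiny(attrs):
    """True if the element is 0/1 px wide or high, or hidden by inline style."""
    for key in ("width", "height"):
        if attrs.get(key, "").strip().rstrip("px") in ("0", "1"):
            return True
    style = attrs.get("style", "").replace(" ", "").lower()
    return "display:none" in style or "visibility:hidden" in style


def _off_host(url, own_host):
    """True if the URL is absolute and points at a host other than our own."""
    host = urlparse(url).hostname
    return bool(host) and host != own_host


class InjectionScanner(HTMLParser):
    def __init__(self, own_host):
        super().__init__()
        self.own_host = own_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "img":
            handlers = [k for k in EVENT_ATTRS if k in a]
            if handlers:
                # An image that exists only to fire an event handler is the
                # loader pattern described above; tiny/hidden makes it worse.
                sev = "high" if _is_tiny(a) else "medium"
                self.findings.append(
                    Finding(sev, "img-event-handler", a.get("src", ""), ",".join(handlers)))
        elif tag == "iframe":
            src = a.get("src", "")
            if _off_host(src, self.own_host) and _is_tiny(a):
                self.findings.append(Finding("high", "hidden-offsite-iframe", src, ""))
        elif tag == "script":
            src = a.get("src", "")
            if _off_host(src, self.own_host):
                self.findings.append(Finding("medium", "offsite-script", src, ""))


def scan_html(html, own_host):
    """Return the list of suspicious elements found in one served page."""
    parser = InjectionScanner(own_host)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed page as it might be served from forum.example.onion: the logo
# and the relative script are normal; the 1x1 image with an onerror handler
# and the hidden off-site iframe are the two elements that should be flagged.
SAMPLE_PAGE = """<html><body>
<img src="/img/logo.png" width="120" height="40" alt="logo">
<script src="/js/app.js"></script>
<img src="/missing.gif" width="1" height="1" onerror="loadRemote('http://other-host.example/x')">
<iframe src="http://other-host.example/frame.html" width="0" height="0" style="display:none"></iframe>
</body></html>"""

if __name__ == "__main__":
    for f in scan_html(SAMPLE_PAGE, "forum.example.onion"):
        print(f"[{f.severity}] {f.kind}: {f.src} {f.detail}".rstrip())
```

Fetching each page through a local client and comparing the result against the files on disk is what turns this into a check that the server, not just the source tree, is clean.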
-
Apparently the Javascript exploit targeted users using Firefox 17 for Windows. I'm blanking on specifics here, but if you updated your bundle in the past month, you should be more okay than not.
If you're running Linux, OSX, etc., you should also be okay.
In any case, don't use Tor more than you absolutely have to.
-
Out of interest where does Tor Browser Bundle save cookies?
I understand since it runs on firefox portable it would be
FirefoxPortable\Data\profile
And the file in question is
cookies - cookies.sqlite
Since it's SQL, I guess it creates its own database. I shouldn't be affected, but if I am the cookie will still be there, so I want to make sure.
-
Click on the onion icon and look at cookie protection. That lists all the cookies it has stored.
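An added example (not posted in the thread) of doing the same check offline against the profile's cookies.sqlite, which the question above locates under the Tor Browser profile directory: it copies the database, opens it read-only and looks for the "n_serv" cookie name given earlier in the thread. The moz_cookies layout is reduced to the Firefox columns this check uses, and every row in the sample database is constructed.

```python
"""Offline check of a Tor Browser (Firefox) profile's cookies.sqlite for the
"n_serv" tracking cookie named in the thread. Added example: the moz_cookies
table below carries only the Firefox columns this check needs, and the sample
rows are constructed."""
import os
import shutil
import sqlite3
import tempfile

COLUMNS = ("host", "name", "value", "path", "expiry", "creationTime")
TRACKING_COOKIE_NAMES = ("n_serv",)   # cookie name given in the thread


def find_tracking_cookies(cookies_db, names=TRACKING_COOKIE_NAMES):
    """Return matching cookies as dicts. Firefox keeps cookies.sqlite open
    while the browser runs, so work on a copy and open that read-only; the
    live profile is never written to."""
    workdir = tempfile.mkdtemp(prefix="cookiecheck-")
    try:
        copy = os.path.join(workdir, "cookies.sqlite")
        shutil.copy2(cookies_db, copy)
        con = sqlite3.connect(f"file:{copy}?mode=ro", uri=True)
        try:
            marks = ",".join("?" * len(names))
            sql = (f"SELECT {', '.join(COLUMNS)} FROM moz_cookies "
                   f"WHERE name IN ({marks}) ORDER BY creationTime")
            rows = con.execute(sql, tuple(names)).fetchall()
        finally:
            con.close()
    finally:
        shutil.rmtree(workdir, ignore_errors=True)
    return [dict(zip(COLUMNS, row)) for row in rows]


def build_sample_db(path):
    """Constructed sample profile: two ordinary cookies and one n_serv cookie
    set from a .onion host, mirroring what the thread describes."""
    con = sqlite3.connect(path)
    con.execute(
        "CREATE TABLE moz_cookies (id INTEGER PRIMARY KEY, baseDomain TEXT, "
        "name TEXT, value TEXT, host TEXT, path TEXT, expiry INTEGER, "
        "lastAccessed INTEGER, creationTime INTEGER, isSecure INTEGER, "
        "isHttpOnly INTEGER)")
    # Firefox stores lastAccessed/creationTime as microseconds since the epoch.
    rows = [
        ("example.onion", "session", "abc123", "forum.example.onion", "/",
         1380000000, 1375600000000000, 1375500000000000, 0, 1),
        ("example.com", "lang", "en", "www.example.com", "/",
         1380000000, 1375600000000000, 1375500000000000, 0, 0),
        ("example.onion", "n_serv", "CONSTRUCTED-UUID-0000", "files.example.onion", "/",
         1380000000, 1375600000000000, 1375550000000000, 0, 0),
    ]
    con.executemany(
        "INSERT INTO moz_cookies (baseDomain, name, value, host, path, expiry, "
        "lastAccessed, creationTime, isSecure, isHttpOnly) "
        "VALUES (?,?,?,?,?,?,?,?,?,?)", rows)
    con.commit()
    con.close()


def check_sample_profile():
    """Build the constructed sample in a temp dir and run the check on it."""
    workdir = tempfile.mkdtemp(prefix="cookiesample-")
    try:
        db = os.path.join(workdir, "cookies.sqlite")
        build_sample_db(db)
        return find_tracking_cookies(db)
    finally:
        shutil.rmtree(workdir, ignore_errors=True)


if __name__ == "__main__":
    import sys
    # With a path argument, check a real profile's cookies.sqlite (e.g. the
    # Data\profile directory mentioned above); otherwise run on the sample.
    hits = find_tracking_cookies(sys.argv[1]) if len(sys.argv) > 1 else check_sample_profile()
    for c in hits:
        print(f"{c['name']} from {c['host']} (created {c['creationTime']}): {c['value']}")
    print(f"{len(hits)} tracking cookie(s) found" if hits else "no tracking cookie found")
```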
-
wasn't a 0-day it was a 37-day, which is why all the people with the new TBB are safe. There were two exploits to the best of my understanding, one relied on javascript but later they added one that exploited image tags, presumably in order to get the people they were missing because they had disabled javascript. Both of the exploits delivered the same payload that only works on Windows, and both of the vulnerabilities were fixed in the most recent Tor Browser. So if you were on Windows with outdated Tor Browser you are still probably fucked even if you had javascript off.
-
First of all they'd need to hack the Silk Road to put their exploit there. This wasn't so hard on Freedom Hosting, as everyone could create a website there and upload exploits.
-
The most recent browser bundles are 2.3.25-9 for Windows and OS X, released on June 12, and 2.3.25-10 for Linux, released on June 26. They had to update the Linux version because of a bug that caused crashes on 64 bit Linux. If you updated your browser bundle within a few days of the latest release, which you should always do, then you were almost certainly protected against this exploit (even if it was on the server since before August 3, as claimed in the HW discussion, it was unlikely to be there for more than a few weeks).
We should use cases like this to learn and improve our security. Although I always update my browser bundle on the day a new version is released, admittedly I have been lax in allowing JavaScript. I will definitely be more strict about enabling it going forward.
More importantly, we must find out how the FH server and/or admin were identified. Was it an attack on the Tor network, an exploit of the email or web servers, or tracking of bitcoin transactions? (Those are the 3 ideas I've heard so far, although it may turn out to be something completely different.)
-
...
5. The main payload (main exploit code) from that onion site then created an iframe and set a cookie in it (the sole purpose of which was to reliably identify your unique browser as you traveled between different compromised FH sites, to build a list of which FH sites you've been visiting) and more importantly ran some 0-day exploits using heap overflows to run any code they desired and escape the Tor sandbox.
6. The 0day exploit code executed some functions that revealed your public internet IP address, MAC address, local hostname (such as "LarrysPC") and what Freedom Hosting site you were browsing (they used a unique UDID for each compromised website) and sent it all to a clear-net IP in Washington. This is no joke. I wish I was kidding. It really did this! They transmit your unique browser ID (cookie value) over the clear internet to their public-internet server, thus giving them a physical person tied to the "random person" they've been observing browsing the different FH sites. With this connection performed, they know your public IP, they have the computer's hostname & MAC address to conclusively identify your computer, they have your unique browser ID cookie, and they have a full list of Freedom Hosting sites that have been viewed by that unique browser. They know exactly how deeply you are involved and their lists allow them to target the people that are clearly intentionally seeking out illegal content.
...
14. Also consider the fact that the attackers installed code that uniquely identifies each FreedomHosting site you were visiting, since FH served much more than just child porn. The FBI wouldn't want to bust down the doors of people that were looking at relatively harmless stuff from FreedomHosting. They really cared about knowing which specific sites you were viewing and took many steps to ensure that they accurately tracked which sites you visited, through the use of per-site UDIDs and a tracking cookie.
pheww!!!
I was finding it hard to believe that the exploit would be designed so indiscriminately that non-cp visits to FH would get caught up in this. I hope the above is accurate.
Thanks for the info, Astor.
-
SUMMARY:
This is a critical security announcement.
An attack that exploits a Firefox vulnerability in JavaScript [1]
has been observed in the wild. Specifically, Windows users using the
Tor Browser Bundle (which includes Firefox plus privacy patches [2])
appear to have been targeted.
This vulnerability was fixed in Firefox 17.0.7 ESR [3]. The following
versions of the Tor Browser Bundle include this fixed version:
2.3.25-10 (released June 26 2013) [4]
2.4.15-alpha-1 (released June 26 2013) [4]
2.4.15-beta-1 (released July 8 2013) [5]
3.0alpha2 (released June 30 2013) [6]
Tor Browser Bundle users should ensure they're running a recent enough
bundle version, and consider taking further security precautions as
described below.
WHO IS AFFECTED:
In principle, all users of all Tor Browser Bundles earlier than
the above versions are vulnerable. But in practice, it appears that
only Windows users with vulnerable Firefox versions were actually
exploitable by this attack.
(If you're not sure what version you have, click on "Help -> About
Torbrowser" and make sure it says Firefox 17.0.7. Here's a video: [7])
To be clear, while the Firefox vulnerability is cross-platform, the
attack code is Windows-specific. It appears that TBB users on Linux
and OS X, as well as users of LiveCD systems like Tails, were not
exploited by this attack.
https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
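The announcement gives four fixed bundle versions on four different release lines plus the Firefox 17.0.7 ESR check from "Help -> About". The script below is an added example, not part of the Tor Project announcement or of this thread: it encodes that table and answers "is this bundle at or past the fix on its own line?". The version-string grammar (2.3.25-10, 2.4.15-alpha-1, 2.4.15-beta-1, 3.0alpha2) is inferred from those four strings and is an assumption of this example; a bundle on a release line the announcement does not list gets no verdict rather than a guess.

```python
"""Check whether a Tor Browser Bundle version is at or past the fixed
releases listed in the tor-announce message (Firefox 17.0.7 ESR).

Added example, not part of the Tor Project announcement or the thread. The
fixed-version table comes from the announcement; the version grammar
(2.3.25-10, 2.4.15-alpha-1, 2.4.15-beta-1, 3.0alpha2) is an assumption
inferred from those four strings.
"""
import re

# (major, minor, channel) -> first fixed version on that release line
FIXED_TBB = {
    (2, 3, "stable"): "2.3.25-10",
    (2, 4, "alpha"): "2.4.15-alpha-1",
    (2, 4, "beta"): "2.4.15-beta-1",
    (3, 0, "alpha"): "3.0alpha2",
}
FIXED_FIREFOX_ESR = (17, 0, 7)

TBB_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)(?:\.(?P<patch>\d+))?"
    r"-?(?P<channel>alpha|beta)?-?(?P<build>\d+)?$"
)


def parse_tbb_version(text):
    """Split a TBB version string into (major, minor, channel, (patch, build)).

    Returns None if the string does not match the grammar assumed above.
    """
    m = TBB_RE.match(text.strip())
    if not m:
        return None
    g = m.groupdict()
    channel = g["channel"] or "stable"
    patch = int(g["patch"]) if g["patch"] else 0
    build = int(g["build"]) if g["build"] else 0
    return (int(g["major"]), int(g["minor"]), channel, (patch, build))


def tbb_is_fixed(text):
    """True if fixed, False if vulnerable, None if the release line is not one
    of the four the announcement lists (or the string is unparseable)."""
    parsed = parse_tbb_version(text)
    if parsed is None:
        return None
    major, minor, channel, rest = parsed
    fixed = FIXED_TBB.get((major, minor, channel))
    if fixed is None:
        return None
    return rest >= parse_tbb_version(fixed)[3]


def firefox_is_fixed(text):
    """The 'Help -> About' check from the announcement: is this Firefox
    17.0.7 ESR or later on the 17.x line? None for any other line."""
    try:
        parts = tuple(int(p) for p in text.strip().split("."))
    except ValueError:
        return None
    if len(parts) != 3 or parts[0] != 17:
        return None  # only the 17.x ESR line is covered by the announcement
    return parts >= FIXED_FIREFOX_ESR


if __name__ == "__main__":
    for v in ("2.3.25-9", "2.3.25-10", "2.4.14-alpha-2", "3.0alpha1", "3.0alpha2", "2.4.15"):
        print(v, tbb_is_fixed(v))
```

The table is deliberately per release line: a 2.4 alpha build numbered higher than 2.3.25-10 is not thereby fixed, which is why the comparison is only made against the fix on the same (major, minor, channel) key.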
-
What about Orbot for Android phones? Also, I can't figure out how to uninstall Tor on Windows 7. The "Uninstall a program" section doesn't list Tor.
-
That's because the browser bundle is portable. Just delete the folder where it was extracted and it's gone, although it does leave some traces on your computer. If you need to get rid of all evidence of Tor, you basically need to do a full disk wipe.
-
Can someone post a link to the hidden wiki discussion?
-
Can someone post a link to the hidden wiki discussion?
I don't have the HW discussion. Not sure what that is, TBH. But here's a good one:
https://www.cryptocloud.org/viewtopic.php?f=9&t=2894&p=3852#p3852
-
Does this FBI exploit work with Tails 19?
-
Does this FBI exploit work with Tails 19?
No, for two reasons: for one, the browser in Tails 19 is patched against it, and for two, it had a payload that only targeted Windows.
-
Can someone post a link to the hidden wiki discussion?
http://kpvz7ki2v5agwt35.onion/wiki/index.php/Talk:Freedom_Hosting
This might be it?
-
http://www.newstalk.ie/High-Court-to-hear-extradition-request-on-child-porn-kingpin
-
Yeah, I was just thinking last night that he's supposed to see the judge on Thursday, so maybe we'll get some more details about who he is and how they found him. I guess not until next week.
-
Can someone post a link to the hidden wiki discussion?
http://kpvz7ki2v5agwt35.onion/wiki/index.php/Talk:Freedom_Hosting
This might be it?
Yecch. I read that thread - and although it had some very good information about it - there's a lot of posts by a bunch of pedos freaking out that they've been caught. I feel unclean.
I know most people here are mostly freaking out that it's just a stepping stone to busting the legitimate drug users (*victimless crime*), but I'm totally down with the pedos going to jail. Seriously. Fuck them.
(Actually don't, you'll probably catch something.)
-
Can someone post a link to the hidden wiki discussion?
http://kpvz7ki2v5agwt35.onion/wiki/index.php/Talk:Freedom_Hosting
This might be it?
Yecch. I read that thread - and although it had some very good information about it - there's a lot of posts by a bunch of pedos freaking out that they've been caught. I feel unclean.
I know most people here are mostly freaking out that it's just a stepping stone to busting the legitimate drug users (*victimless crime*), but I'm totally down with the pedos going to jail. Seriously. Fuck them.
(Actually don't, you'll probably catch something.)
I understand how you feel about the pedos -- they're far from my favourite people. Please remember that the methods that are used against them can also be used against us. Either everyone is safe, or no one is safe.
Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090 (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07 B66B AFC8 CE71 D9AF D2F0
-
Can someone post a link to the hidden wiki discussion?
http://kpvz7ki2v5agwt35.onion/wiki/index.php/Talk:Freedom_Hosting
This might be it?
Yecch. I read that thread - and although it had some very good information about it - there's a lot of posts by a bunch of pedos freaking out that they've been caught. I feel unclean.
I know most people here are mostly freaking out that it's just a stepping stone to busting the legitimate drug users (*victimless crime*), but I'm totally down with the pedos going to jail. Seriously. Fuck them.
(Actually don't, you'll probably catch something.)
Drug use funds cartels who kill people in the future, looking at CP does nothing to kids who were harmed in the past :). Not that I have anything against either of these things, and indeed I am a long time drug enjoyer myself with absolutely no regret for using drugs, and I blame mostly the government and prohibition for the victims created by the war on drugs. But objectively speaking drug use has, because of prohibition, probably led indirectly to more victims being created than looking at CP has. If nobody looked at CP there would still be just as many kids molested, probably more actually, and if nobody used drugs there would be tens of thousands fewer people murdered by cartels in Mexico alone.
-
Tormail.org also ceased to be updated, so I guess he was running Tormail too (and not just hosting it).
I'm sure the NSA also wanted at that to get Snowden emails.
-
I know very little of the facts. That said, it would not surprise me if the CP kingpin allegation was trumped up based on the fact his site gave out free anonymous sites that were used by real CP sickos and profiteers. Lying is LE's "stock and trade". To get to Snowden, his Emails or any current fancy; they will trample truth and liberty any chance they get. Hurting children to make money from CP makes me sick. Our gov't agents would do (and probably have done) that and even more horrible stuff to fulfill their evil agenda. If you have no connection to CP, I would not relax and assume CP was the real motivation for this action. Seems more like a convenient excuse for evil doings to me.
-
" Your freedom should be worth more than that. Take no chances. Perform a full 3-pass random DBAN (http://www.dban.org/) format of ALL hard disks that were used for child porn AND ALL operating system disks related to that! "
Huh? If you need to cleanse your HDs to that extent because you're removing child porn, then I'm not convinced your freedom should be given all that much consideration...gotta say that I don't have a problem with the cops busting kiddy fiddlers.
-
Drug use funds cartels who kill people in the future, looking at CP does nothing to kids who were harmed in the past :). Not that I have anything against either of these things, and indeed I am a long time drug enjoyer myself with absolutely no regret for using drugs, and I blame mostly the government and prohibition for the victims created by the war on drugs. But objectively speaking drug use has, because of prohibition, probably led indirectly to more victims being created than looking at CP has. If nobody looked at CP there would still be just as many kids molested, probably more actually, and if nobody used drugs there would be tens of thousands fewer people murdered by cartels in Mexico alone.
People who are killed by drug cartels often have the choice in their life path that led them to their unfortunate demise – obviously some don't, but many do. However, children universally don't have that choice. Of course I don't want the "gubmint" to take down SR or legitimate political sites, but I'm not crying about pedos (or the Armory, for that matter).
Looking at CP generates the demand for CP, and then it is made. Death may be preferable to being used that way.
Ultimately, if I had to choose in the end, I can take being sober if it means less kids are molested. (I may be selfish, but I'm not *that* selfish.)
But it won't come to that, because if the layer occupied by sites discussing politics, drugs, and the SR can well and truly separate themselves from the pedos, we'll be much safer. Because everyone hates pedos with a passion. When you're talking about that kind of emotion, pursuing pedos becomes political.
But not everyone really hates drug users quite so bad, certainly nothing like they have it out for pedos. We keep them away from us, and hopefully the heat becomes a bit more tolerable. I wish there were a way to keep the technology out of their hands.
After this, we'll just step it up, and stay one step ahead (this time, without agencies pissed about pedos and guns on our tail). It's always been that way, and always will be.
-
... looking at CP does nothing to kids who were harmed in the past ...
... have the choice in their life path that led them to their unfortunate demise – obviously some don't, but many do. However, children universally don't have that choice. ...
Looking at CP generates the demand for CP, and then it is made. Death may be preferable to being used that way.
... Because everyone hates pedos with a passion. When you're talking about that kind of emotion, pursuing pedos becomes political.
I said some negative stuff about CP but I do agree some of Kmf's points have some validity. I agree looking at CP does not create a market (except, if you look on a place with advertisements, and I suppose, the person who looked grows their personal desire to pay for it). Paying for CP is what I think leads to horrible results.
Also, the definition of CP varies widely and I don't agree with some people's definition. I think some young people do choose to make money from what some would call CP. At what age people deserve the freedom to sell their bodies is a challenging subject and I think depends on the individual and their life experiences and, maybe even, on what it is they plan to allow. I know I don't agree with my government's mandate that you can never sell your body at any age.
I'm not saying I think any people should do bad things for money, I just think people, at some point in their lives, deserve the freedom to make such decisions for themselves. Profiteering from abusing children younger than that point in their lives should be universally discouraged by everyone. Sadly, assuming everyone agrees on that would also be an over-generalization.
Draconian government head-in-the-sand strategies make education on the truly harmful CP issues more difficult just like the "war on drugs" makes drug safety education difficult.
I'd also like to say I appreciate Kmf's attempts in the forum to move these derailing subject discussions out of most forum threads they have nothing to do with. I don't plan to visit the dedicated thread as I have put more thought into this distasteful subject than I care to already. If people want to discuss this further, that would probably be the better place. I probably should have placed this comment there instead.
-
It is really just a matter of having a little bit of empathy and compromise. You hate pedophiles and although it isn't right for you to do so, since they are not all child molesters, it is understandable why you do, because you cannot help but think with emotions any more than a pedophile can help that they are attracted to children. Pedophiles should not be assumed as child molesters and treated as such just because they might abuse kids, any more than men should be assumed as rapists and treated as such because they might rape females. Pedophiles need some outlet for their sexual feelings, and they cannot have sex with kids because it will hurt the kids and is bad. They are unlikely to resist looking at child pornography, just as a man who does not obtain sex is likely to use adult pornography as an outlet. The police and society take advantage of this to essentially make it illegal for them to even exist, technically there is no law against pedophilia but there are laws against everything a pedophile does. It makes more sense to me to divide what they do into categories of if they hurt people or not, and only prevent them from doing things that hurt people. Nobody can seriously argue that looking at child porn causes the kids depicted to be revictimized again, that argument is saying that some photographs are magical and it is clearly just bullshit. The argument that looking at child porn causes more kids to be molested is dubious and contested by many researchers and experts on the matter, some even claim that letting pedophiles look at pornography they like reduces their probability of molesting a kid. Sure you can find research in any direction, but I believe the researchers who say that it reduces the probability.
The only good argument against child porn is that it is an invasion of privacy for the child depicted, but I see that as just an unfortunate thing that is not so much the fault of the person viewing the material as it is the fault of the person distributing it and especially the fault of the person who made it in the first place. Go ahead and keep distribution illegal, and certainly make paying for it illegal, and beyond a doubt make creating it illegal, but to say that people can not look at the only pornography they find attractive because it depicts abuse, despite them having nothing to do with funding or distributing or causing the abuse by looking at the pictures of it, is just being full of hate and disgust for them. Laws against child porn have morphed from laws to protect child abuse from being funded into laws used to hunt down people with deviant fantasies, most of whom are not a risk to anybody and the vast majority of whom have never contributed to in any way the abuse of others. The law has changed from protecting children into policing the thoughts and desires of others. All you do by demonizing them for looking at pornography is give them more motivation to act out with a child, in either case they will be sex offenders for life and in many cases they get longer prison sentences for having viewed child porn than they would get for having sex with a child. Having 500 images of child porn is 500 different felony charges each of which can get you 5 years in prison, having sex with a single child will not leave you facing 2,500 years in jail. People should be happy for the pedophiles who only look at porn and do not abuse kids, and they should be glad that they control themselves and do not hurt people, instead of treating them like they are just the same as people molesting kids.
-
Please note that I have not started the derailment of a single thread, only responded to other people, and even made a thread in off topic to point people to so they would stop derailing threads with spontaneous rants against people viewing CP, but everybody derailing threads simply ignored it when I pointed them to it, and then it got locked, and then I deleted it.
-
Yeah, but you contributed to it. I swear, if I was mod, nothing would change except the CP threads would be locked or reassigned to their proper place in Off Topic. At least I had the power to lock one thread down. Don't let this shit ruin one of the best subforums in onionland, mods.
-
I agree. I really wish people would stop spontaneously ranting in threads about how we must castrate and murder all pedophiles and everybody who looks at CP; there is no need to have such conversations in threads that are about security or Silk Road related topics.
-
In addition to ranting about how much kiddy fiddlers are terrible people, I believe I was discussing the necessity of somehow technologically distancing ourselves from the CP community to lessen the chances of being busted alongside them, and wondering aloud about the feasibility of that.
-
The formal extradition request was filed today, but no evidence was presented in court. Looks like they will make their case on September 11.
http://www.irishmirror.ie/news/irish-news/extradition-case-child-porn-accused-2170785
-
In addition to ranting about how much kiddy fiddlers are terrible people, I believe I was discussing the necessity of somehow technologically distancing ourselves from the CP community to lessen the chances of being busted alongside them, and wondering aloud about the feasibility of that.
<Sigh> There is a simple, inescapable principle here: EITHER EVERYONE IS SAFE OR NO ONE IS SAFE.
There is no technological solution (nor will there ever likely be one) that will afford everyone but [insert hated group here] protection. It simply doesn't matter what your favorite hated group is: pedophiles, drug vendors/users, terrorists or what have you.
Nightcrawler
-
This all exploded while I was busy with life IRL, so doing a bit of catching up right now.
I checked out the Hidden Wiki conversation on the subject and feel really dirty... I cannot believe some of the BS and rationalizations those sick fucks use, but I do not want to derail the topic again as the fact remains; CP is a real-world problem. The internet and TOR did not create child-abuse, and to stop it we need to make the changes IRL. But TOR and the services like it, that enable reasonable dissent against fascist/totalitarian governments/organizations (most of which are NOT part of the 'developed' world like the US and EU) are necessary to ensure the freedom to express controversial opinions, especially those around drug legislation. That these services enable morally questionable behavior is simply a reflection of the real world, where morally questionable behavior exists. If we want a moral internet, we need a moral world first, not the other way round....
Anyhow, back to the subject. I am much more concerned about the seizure of the TorMail servers than about the Java exploit, especially so close on the heels of LavaBit being forced to close. People seem to be concentrating quite a lot on the exploit (I guess since it can directly unmask them personally), but this seems to me to be a pretty niche measure; it'll only pick off the least-proficient TOR users, those with TBB and on Windows and with Java enabled. But now the only two reasonably secure ways to email have been shut down! And on top of that, there is a fairly good chance that the FBI or the NSA or some other agency has all the TorMail data! This is a potential disaster, and not just for kiddy-fiddlers and drug-users, but for real freedom-fighters and political movements. How much sensitive information might be in the hands of the US government right now? Enough to undermine liberal movements in South America? It wouldn't be the first time the US has stuck its oar in there. How many other movements might the US throw to the wolves for political deals? Even if every communication was encrypted, the sender/receiver trail could expose the networks themselves...
I hope a new alternative to TorMail comes along, but I also hope a few other things come out; I think we all need to know now how TorMail worked, how it stored and secured data, how vulnerable all that data is now (guessing totally compromised from what I've read), and ways to ensure this cluster-fuck doesn't happen again. I hope that whatever supersedes TorMail has ways of ensuring data isn't stored in such a way that it's available to LE if it's ever seized....
-
This all exploded while I was busy with life IRL, so doing a bit of catching up right now.
I checked out the Hidden Wiki conversation on the subject and feel really dirty... I cannot believe some of the BS and rationalizations those sick fucks use, but I do not want to derail the topic again as the fact remains; CP is a real-world problem. The internet and TOR did not create child-abuse, and to stop it we need to make the changes IRL. But TOR and the services like it, that enable reasonable dissent against fascist/totalitarian governments/organizations (most of which are NOT part of the 'developed' world like the US and EU) are necessary to ensure the freedom to express controversial opinions, especially those around drug legislation. That these services enable morally questionable behavior is simply a reflection of the real world, where morally questionable behavior exists. If we want a moral internet, we need a moral world first, not the other way round....
Anyhow, back to the subject. I am much more concerned about the seizure of the TorMail servers than about the Java exploit, especially so close on the heels of LavaBit being forced to close. People seem to be concentrating quite a lot on the exploit (I guess since it can directly unmask them personally), but this seems to me to be a pretty niche measure; it'll only pick off the least-proficient TOR users, those with TBB and on Windows and with Java enabled. But now the only two reasonably secure ways to email have been shut down! And on top of that, there is a fairly good chance that the FBI or the NSA or some other agency has all the TorMail data! This is a potential disaster, and not just for kiddy-fiddlers and drug-users, but for real freedom-fighters and political movements. How much sensitive information might be in the hands of the US government right now? Enough to undermine liberal movements in South America? It wouldn't be the first time the US has stuck its oar in there. How many other movements might the US throw to the wolves for political deals? Even if every communication was encrypted, the sender/receiver trail could expose the networks themselves...
I hope a new alternative to TorMail comes along, but I also hope a few other things come out; I think we all need to know now how TorMail worked, how it stored and secured data, how vulnerable all that data is now (guessing totally compromised from what I've read), and ways to ensure this cluster-fuck doesn't happen again. I hope that whatever supersedes TorMail has ways of ensuring data isn't stored in such a way that it's available to LE if it's ever seized....
Well said, thoughtful, and insightful. A huge +1 to you! :)
-
I hope a new alternative to TorMail comes along, but I also hope a few other things come out; I think we all need to know now how TorMail worked, how it stored and secured data, how vulnerable all that data is now (guessing totally compromised from what I've read), and ways to ensure this cluster-fuck doesn't happen again. I hope that whatever supersedes TorMail has ways of ensuring data isn't stored in such a way that it's available to LE if it's ever seized....
I think the biggest lesson learned is no matter how secure you think you are there will always be vulnerabilities. The only way to mitigate this is through always using PGP, Encryption, and running Tails and always keeping DBAN or other methods ready at all times. Make sure to keep your house as clean as possible, as really we have no idea at the extent of the damage, but I'm sure it's astronomical.
Vanquish
-
Well said, thoughtful, and insightful. A huge +1 to you! :)
Thank you! I would +1 you again, but I've done that already today ;-)
With all the NSA revelations, and with the erosion of avenues for reasonable dissent, I am seriously considering putting far more energy/effort into developing better tools/services...
-
Well said, thoughtful, and insightful. A huge +1 to you! :)
Thank you! I would +1 you again, but I've done that already today ;-)
With all the NSA revelations, and with the erosion of avenues for reasonable dissent, I am seriously considering putting far more energy/effort into developing better tools/services...
Yeah it's some truly scary stuff, during my MXE trip last night I freaked out and pretty much cleaned out my entire house.
Which really needed to be done anyway since I'm getting attacked by Hallucinating Horse.
You never know when or why you will be compromised and freedom is worth everything in the world.
Ever since my trip I've been clean over 24 hours and will be staying clean until I'm healthy.
Always assume that everything you do is being watched, recorded, or listened to.
Just yesterday there was an announcement about NSA and Android Mobile Phones running Jellybean - which allowed a backdoor rootkit to compromise everything on the phone.
Scary stuff.
:(
-
Always assume that everything you do is being watched, recorded, or listened to.
...and stored forever, and decrypted either right now (almost live) or in not that long...
Who can guess what will happen with that data?
-
The question remains: what now? As in, how can one communicate now? I'm sure as hell not going to send encrypted stuff over a Yahoo acct.
-
Well said, thoughtful, and insightful. A huge +1 to you! :)
Thank you! I would +1 you again, but I've done that already today ;-)
With all the NSA revelations, and with the erosion of avenues for reasonable dissent, I am seriously considering putting far more energy/effort into developing better tools/services...
There is nothing wrong with the tools/services that are currently available (i.e. nymservers / remailers). Instead of trying to develop new tools, why not use already tried, tested and proven ones like Cypherpunk nymservers?
Hint: check out the remailer operators' mailing list
Nightcrawler
-
Mixminion and Mixmaster are not used by enough people to be secure unless you use Tor to connect to them.
-
Word.
Always assume that everything you do is being watched, recorded, or listened to.
Just yesterday there was an announcement about NSA and Android Mobile Phones running Jellybean - which allowed a backdoor rootkit to compromise everything on the phone.
Scary stuff.
:(