Silk Road forums

Discussion => Security => Topic started by: slash on August 11, 2013, 07:11 pm

Title: FH thing lack evidence
Post by: slash on August 11, 2013, 07:11 pm
How come everyone claims tormail and other sites hosted by FH are in the hands of the FBI?

Does it mean the owner had access to all websites' data hosted on his server?

Also read that the server was in Romania but the man got caught in Ireland.

Owner of FH got arrested in the street, no mention of the FBI having seized equipment, machine, etc.

Tormail owner could have simply shut down his website after having heard the news.

Also what I don't get is how can they basically steal a website just from having seized the server it was hosted on?

Forgive me for the silly question but I'm not an IT expert here.

Does anyone have strong evidence of what really happened and can explain specifically how the server/website relation works?

thanks




Title: Re: FH thing lack evidence
Post by: kmfkewm on August 11, 2013, 08:06 pm
A lot of speculation. There is no concrete proof it is even the FH admin who was arrested yet, it just appears that it is the case. There is evidence that at the very least FH was hacked and had javascript exploits embedded in it that can deanonymize certain users who visit sites on it (users on Windows with an old unpatched Tor browser with javascript enabled). The fact that FH having this attack code on it correlated with the bust of someone who is alleged to have hosted 100 CP sites with millions of images on them, and who it took the FBI a good deal of time to track down, strongly indicates but doesn't prove that the FBI somehow pwnt freedom hosting and somehow injected javascript exploits into it to target users accessing it, and that the busted dude in Ireland is the FH admin. None of this has a shred of concrete evidence backing it up, and all of the news agencies reporting on it are literally reporting on rumors and speculation as if they are fact. It is actually rather disgusting watching the media report speculation as fact; they are doing a piss poor job as journalists and taking a gamble that they will be proven right in the future.

Websites essentially consist of data files and programs running on computers, usually somewhat specialized computers called servers (although even a home PC is a server if it acts as one). In the case of Tor hidden services this is even more the case, as they don't rely on external parties to assign a domain name to them, and the key that essentially gives them their domain name is a file on the server as well. Take the server and you took the website, though other copies of it may exist on other servers and be able to go online in the future.
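Added example to go with the point above that a hidden service's name is nothing more than a function of a key file on the server. This is my own code, not kmfkewm's and not Tor's: it follows the v2 hidden service address rule as Tor documented it at the time (first 80 bits of the SHA-1 of the DER-encoded RSAPublicKey, base32) using only the standard library, and the key numbers TOY_N / TOY_E are a constructed toy pair, far too small to be a real key. The last function is the defender's check that follows from it: if the hostname a service advertises does not match the key it holds, whoever has the real key file owns the name.

```python
"""v2 onion address derivation (added example; toy key, stdlib only)."""
import base64
import hashlib


def der_length(n):
    """DER length octets: short form below 128, long form (0x8N + N bytes) otherwise."""
    if n < 128:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def der_integer(value):
    """DER INTEGER: big-endian, with a leading 0x00 when the top bit is set."""
    body = value.to_bytes((value.bit_length() + 7) // 8 or 1, "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + der_length(len(body)) + body


def der_rsa_public_key(n, e):
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    body = der_integer(n) + der_integer(e)
    return b"\x30" + der_length(len(body)) + body


def onion_address(n, e):
    """v2 onion name: base32(sha1(DER(RSAPublicKey))[:10]).lower() + '.onion'."""
    digest = hashlib.sha1(der_rsa_public_key(n, e)).digest()
    return base64.b32encode(digest[:10]).decode().lower() + ".onion"


def hostname_matches_key(hostname, n, e):
    """Defender's check: does the advertised name belong to the key this host holds?
    A mismatch after a restore or migration means the real key is elsewhere."""
    return hostname.strip().lower() == onion_address(n, e)


# Constructed toy modulus/exponent (assumption: illustrative values only, not a real
# RSA key; a genuine hidden service key of the period was RSA-1024).
TOY_N = 0xC4F8E9E15DCADF2B96C763D981006A644FFB4415030A16ED1283883340F2AA0E
TOY_E = 65537

if __name__ == "__main__":
    addr = onion_address(TOY_N, TOY_E)
    print("address :", addr)
    print("matches :", hostname_matches_key(addr, TOY_N, TOY_E))
    # A different key gives a different name, so the name cannot be kept without the key.
    print("mismatch:", hostname_matches_key(addr, TOY_N + 2, TOY_E))
```

The practical reading: the `hostname` file is derived data and the private key is the only thing that matters, so key custody (and an integrity check like `hostname_matches_key` after any restore) is where the defender's attention belongs.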

Title: Re: FH thing, something I don't get
Post by: ECC_ROT13 on August 11, 2013, 08:17 pm
Quote
How come everyone claims tormail and other sites hosted by FH are in the hands of the FBI?
There just aren't a lot of hard facts. Most of it is a series of assumptions (but some assumptions are pretty strong):
1. A guy named Eric Marques in Ireland got arrested for hosting huge amounts of child pornography.
2. Based on the alleged amounts of CP, it's most likely FH.
3. At roughly the time the arrest was announced, people noticed a TBB-targeting exploit on all(?) FH-hosted sites.
4. The exploit sent the MAC address to an IP address that is assumed to belong to SAIC, trying to send it over a clear channel.  The exploit was only delivered to browsers matching the TBB profile (Firefox 17, reporting Windows NT as OS to server).  The payload was aimed at Windows only.
5. The exploit that was identified was somewhat old; supposedly newer TBB users weren't affected.

The reason many people are making the assumption that the FBI has the servers (or the data from them) is because of #3 above.  If the same people who arrested Eric Marques had enough access to deliver exploits from the sites, it's difficult to imagine a scenario where they didn't also have the ability to grab all the data.

Quote
Does it mean the owner had access to all websites' data hosted on his server?
Yes - he certainly had access to all websites' data hosted on his server. He has full access to the server and storage, so all of the hosted contents were completely accessible to him. Even if you assume there's some elaborate encryption mechanism (and I'm guessing there wasn't, other than maybe FDE), with full root access to the server, he could likely rip the necessary keys from memory, backdoor mechanisms, etc.

It's hard to encrypt remote servers, because when they restart, it's hard to securely bring them back up. Protected by a passphrase? You're typing that into the remote server. Stick something in the middle of you typing that, and presto.

Quote
Also read that the server was in Romania but the man got caught in Ireland.
Owner of FH got arrested in the street, no mention of the FBI having seized equipment, machine, etc.
Tormail owner could have simply shut down his website after having heard the news.
Also what I don't get is how can they basically steal a website just from having seized the server it was hosted on?
With his credentials, they can remotely connect to a server anywhere and grab whatever they want.  Or apparently, upload exploits.    The FBI did it in the Gorshkov case, capturing his keystrokes and logging into a server in Russia.

What's interesting about this case is that nobody actually knows much, and I think that's by design.  Everyone is assuming it's the FBI, but nobody knows that for sure.    If it was, they likely needed a court order to deliver the exploit, which might explain both how cautiously it was delivered, and why it was targeting an older TBB version (it may have been targeting a current version when they started the due diligence necessary to get the court to approve exploiting strangers for visiting FH).   I'd guess the court order was based on the CP hosting, and Tormail/etc were just casualties of the broad language allowing the exploit. 

Of course, here's what I wonder:
1. We know when the exploit was identified, and everyone generally says it was around a week or less.   I'm unsure how they actually know that.  Guessing somebody's paranoid enough to inspect code coming back on a regular basis, but I haven't seen any actual "It was NOT there on Day X, but it was there on Day Y" data.
2. We don't know that this was the only exploit.    Probably, it was, but nobody knows for certain.

Without a press release by the FBI, or more detailed federal indictments/etc being released, everyone is just stuck rehashing assumptions and asking questions.    Which has to be damned amusing to the FBI or whoever's behind the actual FH exploit.
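Added example, my own code rather than anything from ECC_ROT13's post or from any tool named in this thread: a small content-integrity monitor of the kind point 1 above wonders about ("somebody's paranoid enough to inspect code coming back on a regular basis"). Because point 4 says the exploit was only delivered to one browser profile, the monitor also fetches the page under several User-Agent strings and compares what comes back, so a page that serves extra active content to one profile only stands out. The HTML samples, the User-Agent strings and simulated_fetch() are constructed stand-ins; on a live site simulated_fetch would be replaced by a real fetch through your proxy.

```python
"""Active-content integrity monitor with per-User-Agent comparison (added example)."""
import hashlib
import re

# Constructed sample: the page as it looked when the baseline was recorded.
BASELINE_HTML = """<html><head><title>Example hidden service</title>
<script src="/static/app.js"></script></head>
<body><p>Welcome.</p></body></html>"""

# Constructed sample: the same page with an inline script and a 1x1 iframe injected.
INJECTED_HTML = BASELINE_HTML.replace(
    "<body>",
    '<body><script>var a=1;/* injected */</script>'
    '<iframe src="/static/content_1.html" width="1" height="1"></iframe>',
)

# Constructed User-Agent profiles (assumption: illustrative strings, not exact TBB UAs).
UA_PROFILES = {
    "windows_ff17": "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0",
    "linux_ff17": "Mozilla/5.0 (X11; Linux x86_64; rv:17.0) Gecko/20100101 Firefox/17.0",
    "windows_ff22": "Mozilla/5.0 (Windows NT 6.1; rv:22.0) Gecko/20100101 Firefox/22.0",
}


def simulated_fetch(user_agent):
    """Stand-in for an HTTP fetch (hypothetical server): serves the injected page
    only to one browser profile, mirroring the targeted delivery described above."""
    if "Windows NT" in user_agent and "Firefox/17." in user_agent:
        return INJECTED_HTML
    return BASELINE_HTML


# Script elements, iframes with a closing tag, and self-closing/unclosed iframes.
ACTIVE_CONTENT = re.compile(
    r"<script\b[^>]*>.*?</script>|<iframe\b[^>]*>.*?</iframe>|<iframe\b[^>]*/?>",
    re.IGNORECASE | re.DOTALL,
)


def active_content(html):
    """Return the script and iframe elements of a page, in document order."""
    return ACTIVE_CONTENT.findall(html)


def fingerprint(html):
    """Map a short hash of each active element to the element, for comparison."""
    return {hashlib.sha256(s.encode()).hexdigest()[:16]: s for s in active_content(html)}


def new_elements(baseline_html, observed_html):
    """Active elements present in the observed page but absent from the baseline."""
    base = fingerprint(baseline_html)
    return [s for h, s in fingerprint(observed_html).items() if h not in base]


def check_profiles(fetch, profiles, baseline_html):
    """Fetch the page under each profile and report elements missing from the baseline.
    Divergence between profiles is itself the signal: a page that serves extra active
    content only to one browser fingerprint is doing targeted delivery."""
    return {name: new_elements(baseline_html, fetch(ua)) for name, ua in profiles.items()}


if __name__ == "__main__":
    for name, added in check_profiles(simulated_fetch, UA_PROFILES, BASELINE_HTML).items():
        status = "CLEAN" if not added else f"{len(added)} new active element(s)"
        print(f"{name:14s} {status}")
        for s in added:
            print("   ", s[:70])
```

Run on a schedule and keep the dated fingerprints: that is exactly the "it was NOT there on Day X, but it was there on Day Y" record the post says nobody has produced. The hash-set comparison deliberately ignores ordinary text changes and only fires on new script or iframe elements, which keeps the alert rate low on a site whose page copy changes often.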


Title: Re: FH thing lack evidence
Post by: slash on August 11, 2013, 08:22 pm
thanks for your replies

still what I don't get is why are so many websites hosted on the same server if a home PC can do?

how and why can these websites rely on a server if they can take your website so easily?

Also why would the FBI shut down the server as soon as the owner had been intercepted?

If they had full control of those websites surely they would have left them open to spot any ongoing criminal activities and take their time to plan their attack.

can someone enlighten me on these questions? I'm confused...




Title: Re: FH thing lack evidence
Post by: astor on August 11, 2013, 08:35 pm
He offered free web hosting. Lots of people took him up on the offer.

Title: Re: FH thing lack evidence
Post by: ECC_ROT13 on August 11, 2013, 08:46 pm
From a technical perspective, it's relatively difficult to build hidden Tor services to handle large amounts of traffic and not accidentally compromise your identity or location.

Plus, not to state the obvious, but almost everything hosted on Tor hidden services is illegal as hell somewhere.   I'm guessing most people wanting to host illegal stuff want it as far away from them as possible.  FH catered to that crowd.

That's actually one of the things I find the most interesting about Tor hidden services... if you're not looking to sell some sort of drugs, host CP, or let people leak you super-secret crap to the world, you're probably just going to host it on a clear website.

This site is the closest thing to an interesting community that I've found on a Tor/i2p network, and it's mostly centered around online drug sales. But the whole pseudonymity thing makes for more interesting conversation.

Title: Re: FH thing lack evidence
Post by: kmfkewm on August 11, 2013, 08:48 pm
The exploit causes the browser to crash in many (but not all) cases, so if it was around for a while it would probably have been noticed when people reported browser crashes. No proof it was the only exploit, but we then must wonder why the FBI would use other exploits? If they have a zero day exploit they used as well to get the patched users, why even bother to put an old exploit up as well, as the zero day would be all that is needed to target all users. The exploit was identified shortly after the down for maintenance messages started; nobody knows for certain when they were originally put there, but unless they put them there before they arrested the person who seems to be the FH admin, we have a definite maximum period of time they could have been there. The only thing that comes to mind is that perhaps the FBI put an obvious exploit on the site to make it be identified and make people with newer patched versions etc. less paranoid, so that they don't delete their caches of CP and have evidence available when the FBI raids them. But if the FBI did this it would mean they think most users were on the patched version, as they would then induce people with unpatched versions to delete any evidence in order to get users with the patched version to feel safe in not doing so.

If I had to guess, my guess would be that the exploit was not there for very long, and that there was only one used, but it is all speculation. When the FBI busted the pedoforum hidden service they left some exploit up for two weeks I think, and then after this was revealed they were harshly criticized for allowing child porn to keep trading. From this I can assume two things: either the FBI did the same thing to freedom hosting and the exploit was around for about two weeks, or the FBI didn't want more backlash for letting the biggest CP networks in the world continue trading CP for two weeks, so they went with the maintenance message instead but then had their exploit discovered and fucked off.

Title: Re: FH thing lack evidence
Post by: kmfkewm on August 11, 2013, 08:50 pm
Between pedoforum and probably freedom hosting one thing is clear, the feds are starting to hack hidden services they cannot trace and hack the people visiting them from them. I wouldn't feel very safe anymore unless using layers of isolation.

Another possibility is that the feds have finally realized Tor hidden services have shitty anonymity, and they have taken to tracing them with traffic analysis and then after seizing them they inject exploits into the sites hosted on them to catch the harder to locate users connecting to them.

Title: Re: FH thing lack evidence
Post by: spectrum on August 11, 2013, 10:01 pm
Looks like it's official. Eric Marques was the Freedom Hosting admin.

http://www.independent.ie/irish-news/fbi-agents-in-marques-probe-found-sick-websites-29489403.html

Title: Re: FH thing lack evidence
Post by: comsec on August 12, 2013, 12:45 am
My prediction is they found him through the Liberty Reserve server seizures. He was probably paying for hosting using LR, or he was accepting payments through LR to set up Tor hidden services for shady people. They could go through the seized LR server records and find where he changed it into fiat easily by forcing an exchanger to comply, or just reading the LR transfer comments. Often exchangers will put identifying information in LR comments like "Exchange for Bob Smith- Tel xxx.xxx.xxx". In the court docs he withdrew a bunch of money in Romania using a visa/mc debit card, which was most likely linked to Liberty Reserve and clearly not anonymous enough.

Another method is they simply became a good customer of his and waited for him to dry rat himself out over time so they could build a profile of who he really was. That's how they found most of the Lulzsec hackers, just let them talk themselves into jail.

Title: Re: FH thing lack evidence
Post by: bitfool on August 12, 2013, 01:11 am
Quote
Another method is they simply became a good customer of his

And what did they buy from him?

Title: Re: FH thing lack evidence
Post by: kmfkewm on August 12, 2013, 04:51 am
Quote
Looks like it's official. Eric Marques was the Freedom Hosting admin.

http://www.independent.ie/irish-news/fbi-agents-in-marques-probe-found-sick-websites-29489403.html

It is not official; they quoted that from another article that listed sites on Freedom Hosting after reporting that other people were speculating that Freedom Hosting was busted. If you have been following the media on this on an hourly basis you would see that none of these journalists have a single fucking clue what they are talking about; there has been literally no new legitimate confirmed information. These reporters are talking out of their asses, making shit up and just hoping that they are taking a good gamble and get proven right later. It is possible that what they are saying is true, but it is obvious they have no more of an idea than we do. This entire thing started with a post on Reddit claiming that this guy is the Freedom Hosting admin; that is where 100% of the link between FH and this guy has come from, and the media is just laundering the god damn information by quoting each other, but it all traces back to an anonymous post on Reddit. It is all speculation based on the javascript exploit being discovered right after this guy was busted, and this guy being identified for sure as someone who hosted hundreds of CP sites. That last sentence is all the real evidence anybody has at this point; everything else is based on an anonymous reddit post and news agencies laundering the story.

Title: Re: FH thing lack evidence
Post by: kmfkewm on August 12, 2013, 04:53 am
Quote
My prediction is they found him through the Liberty Reserve server seizures. He was probably paying for hosting using LR, or he was accepting payments through LR to set up Tor hidden services for shady people. They could go through the seized LR server records and find where he changed it into fiat easily by forcing an exchanger to comply, or just reading the LR transfer comments. Often exchangers will put identifying information in LR comments like "Exchange for Bob Smith- Tel xxx.xxx.xxx". In the court docs he withdrew a bunch of money in Romania using a visa/mc debit card, which was most likely linked to Liberty Reserve and clearly not anonymous enough.

I think it is not likely they found him through liberty reserve although I guess it is possible. It is also worth mentioning that he didn't make a single person pay for hosting.

Quote
Another method is they simply became a good customer of his and waited for him to dry rat himself out over time so they could build a profile of who he really was. That's how they found most of the Lulzsec hackers, just let them talk themselves into jail.

He had no contact at all with his "customers".

Title: Re: FH thing lack evidence
Post by: kmfkewm on August 12, 2013, 05:01 am
Currently the only thing linking this guy to FH is an anonymous post on reddit; if somebody made a post saying THIS bust was FH: http://www.irishmirror.ie/news/irish-news/crime/complaint-irish-watchdog-shuts-down-2095231

Quote
A child porn ring of almost 1,000 websites was smashed following an international probe launched in Ireland, it has emerged.

A complaint made by an internet user here who stumbled on the material online led to cyber watchdogs uncovering a huge number of sick sites.

The trail led to Taiwan where a police investigation has now started.

Irish agency Hotline.ie, which is made up of internet service providers here, launched the international probe. The group received a complaint from a member of the public at the end of June over the suspected sharing of child porn content.

Hotline.ie cyber experts found 520 websites hosting the sick material and traced the IP address of the forum to Taiwan.

Authorities there discovered a further 408 child porn sites when they launched their probe.

The 928 websites uncovered all hosted videos or images of children being abused.

They have since been pulled down and the Taiwanese Criminal Investigation Bureau has taken over the case.

Hotline.ie’s Paul Durrant said this is a stunning success of international co-operation.

He added: “We should be proud of our achievement... when it comes to protecting our most vulnerable citizens in cyberspace.

“We should stay aware, vigilant and alert because regrettably sexual abuse of children is a cruel reality. What binds together internet hotlines worldwide is the desire to combat the distribution of child sexual abuse material from the internet.

“The removal of such material is the only way this horrific abuse of children can stop being perpetuated ad infinitum through the internet.

“Nowadays the use of the internet has become vital, however sometimes due to misuse it brings dangers. I would like to appeal to the public to be vigilant and to report.

“If the public are encountering child pornography or abuse on the internet and do not report it neither the industry nor law enforcement will know about it and therefore will not be in a position to act.”

http://www.independent.ie/irish-news/web-firm-uncovers-900-child-porn-links-after-tipoff-29449950.html
Quote
Dublin-based Hotline.ie discovered the repositories of child pornography following a tip-off from an Irish internet user in June.

The material, which contains images and videos of children thought to be of varying nationalities, has been traced to Taiwanese web servers.

In total, 928 links were discovered, some originating in internet chat rooms, according to Paul Durrant, director of Hotline.ie.

A joint operation by the Irish organisation and its Taiwanese counterpart has seen the offensive material removed.

Police in Taiwan are now investigating the origin of the 'cyberlockers' or file-sharing folders.

Hotline.ie, which relies on members of the public to report suspected incidences of child sex abuse content online, has seen an increase in child pornography traced to Irish sources this year.

Last year, the organisation tracked 96 incidences of child sexual abuse online, with four traced to Ireland. So far this year, the number of confirmed Irish cases has risen to seven, said Mr Durrant.

Accurately tracking the illegal content to individual machines or services is difficult to do because of cloud computer technology. However, last year, Hotline.ie tracked more cases of child-abuse content to Ireland than to Britain, Germany or France. Mr Durrant said 90pc of all illegal content reported is removed from the internet within 72 hours.

people would also be reporting in the media that this bust was FH most likely. It also happened at about the same time as the javascript went up, and there is about as much linking it to it.