Silk Road forums

Discussion => Security => Topic started by: Willy Wonka on August 04, 2011, 03:03 pm

Title: Recent Kidpron bust LE methodology?
Post by: Willy Wonka on August 04, 2011, 03:03 pm


first and foremost these guys should be castrated

secondly how were they rounded up??? from the news articles it appears everything was encrypted & running behind proxies. They had a mole obviously but that doesn't explain how they located everyone. These were sophisticated sickos.

I have one friend in the IT security biz & nothing is showing up in his feeds.
Title: Re: Recent Kidpron bust LE methodology?
Post by: peaceloveharmony on August 04, 2011, 04:10 pm
How do you know that there was anything encrypted (which is not so easy to manage on a forum, as every user has to be able to decrypt it)? Also I couldn't find any info about proxies besides some rumours that it was a TOR Hidden Service, but nothing official.
Title: Re: Recent Kidpron bust LE methodology?
Post by: chronicpain on August 04, 2011, 04:22 pm
It easily could have been Tor. Remember, they were all uploading and downloading pictures and videos (sickos) and I know that even through Tor, it will somehow unmask you when you do that. So, if Tor was used, I'm sure that they not only had moles, but were able to find them because of the uploaded/downloaded items...

Try and download something with Tor, it gives you a big message saying that you could be unmasked by doing so. That's why I never upload or download programs via Tor.
Title: Re: Recent Kidpron bust LE methodology?
Post by: peaceloveharmony on August 04, 2011, 04:44 pm
Quote
    It easily could have been Tor. Remember, they were all uploading and downloading pictures and videos (sickos) and I know that even through Tor, it will somehow unmask you when you do that. So, if Tor was used, I'm sure that they not only had moles, but were able to find them because of the uploaded/downloaded items...

    Try and download something with Tor, it gives you a big message saying that you could be unmasked by doing so. That's why I never upload or download programs via Tor.

Do you perhaps know how the unmasking works during data transfer?
At least traffic analysis should be easier if someone is sending a high amount of traffic for a longer period of time, but I doubt that this is the key.
Title: Re: Recent Kidpron bust LE methodology?
Post by: Willy Wonka on August 04, 2011, 05:21 pm
My buddy says the control servers were based in Atlanta and if the feds hacked those they could have gotten account info. He also pointed out that of the 600 members only 72 were caught, perhaps because they were lazy. Hopefully they catch the rest.

just hope there isn't operation 'road kill' :(
Title: Re: Recent Kidpron bust LE methodology?
Post by: RedRocket on August 04, 2011, 06:22 pm
And at the same time, a pedo in the UK has just been crowned 'the most prolific predator' with over 300 thousand pics or something. The police also boasted about breaking through his encryption using the latest technology??

On Sky News today:
http://news.sky.com/home/uk-news/article/16043820
Title: Re: Recent Kidpron bust LE methodology?
Post by: envious on August 04, 2011, 09:44 pm
I did some googling and I am pretty sure Dreamboard was on clearnet. No clear proof, but many comments referring the CP fags to Tor boards as a replacement for Dreamboard.
Quote
    KINDZAZA - Requires upload of on-topic material to join, like Dreamboard but in Tor. Largely in Russian. Material is uploaded on clearnet, presumably to non-JavaScript file sharing sites. (Registration required, but a fake email address is accepted.) Note: A login for new members seems to be impossible. It says that the password or name are wrong. (Confirmed: logins can be created, but even after the expected error message about emailing, you can't log in with the new account) (http://pb.i2p.to/pboard/viewtopic.php?f=37&t=116)

    It's a shame how the administration is exploiting these children as well, they will obviously do anything to try to boost Obama's poll. Not only that, but you destroyed a case like this if you wanted to catch more of those offenders. That board must be a ghost town, moved to a different site with more security. It's run through a network called Tor by the way.... (http://www.silive.com/news/index.ssf/2011/08/72_charged_in_probe_of_child_s.html)

Title: Re: Recent Kidpron bust LE methodology?
Post by: dp2emjade on August 05, 2011, 03:45 pm
A couple of possibilities are that:

1. They hacked and took control of Tor exits.
2. They set up a bunch of Tor exits and monitored all traffic going to the site.

#2 is scary because we could all be using one of their exits now.
Title: Re: Recent Kidpron bust LE methodology?
Post by: Fred Flintstone on August 05, 2011, 07:06 pm
Those sick fucks should get what they deserve. I really hope this isn't something we need to worry about on SR. I am computer savvy enough to use a tor browser and run PGP, but aside from that my knowledge of all things hacker is fairly limited.

Would someone with more knowledge shed some light on this subject? Should we be worried, and is there anything we, as SR users, can do to better protect ourselves?

Title: Re: Recent Kidpron bust LE methodology?
Post by: JWSR on August 06, 2011, 11:24 am
Quote
    A couple of possibilities are that:

    1. They hacked and took control of Tor exits.
    2. They set up a bunch of Tor exits and monitored all traffic going to the site.

    #2 is scary because we could all be using one of their exits now.

Disclaimer:

1.  I don't live or work in the US.
2.  I have no specific knowledge of this case.
3.  I am in no way an expert on Tor.

I do, however, work in the forensic examination of computers - including giving expert evidence in court. I have examined and written reports on scores of computers used in different CP cases (and other areas as well - not just CP).

Forget #1 - #2 would be way easier.

But I doubt very much Tor was the issue at all, for a few reasons:

1. The investigation was going on for years. If the way they obtained information was through some weakness in Tor exits (allowing identification of source IP addresses) then they'd have sufficient information to identify far more than the relatively small percentage of users they caught.
2. Add in the huge latency of Tor to the inherent issues of using TCP/IP (where packets have to be received in order - with no new data received until the next packet in order has been received) and it would be a nightmare to run a site that depended on large upload/download volumes. Tor doesn't support UDP, I believe.
3. There's no reason why LE would need lots of Tor exits anyway. As soon as they've identified the server they could just intercept at the server end and get access to the traffic from ALL Tor exits without having to run loads themselves. That's, of course, IF it was using Tor at all.

My educated guess on how they would have taken it down would be a combination of a few things:

1. LE would have got someone (or more than one somebody) signed up on the site. Once there, they'd start befriending the paedos and begin getting IDs for some of them. Lots of paedos will be careful with difficult things but mess up on really silly things, e.g. (both of these are real things I've come across):
1a) Using a fake name, disposable email address and well-disguised IP address, then giving their home phone number out to others on their forum.
1b) Downloading all CP direct to an external drive which was hidden in a VERY hard to find place every night. LE raid them, seize their computer. One week later back come LE with a new warrant, go straight to the hiding place and grab the HD. How? Because the paedo had bragged about their brilliant hiding place on IRC and not bothered deleting IRC logs.

There's plenty more ways they can get the IDs of paedos once they're semi-trusted by them - but as I've no interest in helping paedos avoid getting caught I'm not gonna discuss them.

2. When LE finally raided the server they'd have imaged (made a copy of) the HDs without powering it off. Doing something like TrueCrypting a drive may encrypt all data on it - but so long as the computer ain't powered off, everything on it remains accessible.

I'd bet even if the forums were accessed by Tor the uploading/downloading wasn't done so securely by everyone.  That the server was physically located in the US was pretty dumb of them.

Something else to bear in mind is this:

When these sorts of paedophile rings are broken, the evidence from the servers (including totally unmasked IP addresses) is only used to get the initial warrants. When charges are brought they rely almost exclusively on what was found on the computers belonging to the individuals (even where credit card info/transactions were on the servers it's not generally sufficient on its own to sustain a conviction). Typically LE isn't even keen on revealing what info they got from servers - as they know reasonable doubt isn't too hard to achieve on things like server-stored IP addresses and CC details. And they (quite sensibly) don't want to reveal all the details of how they infiltrated the network and compromised its security.

What will get people on here caught isn't so much likely to be Tor as:

* Not shredding details of information you gain about other members.
* Bragging about/revealing too much information about yourself to stroke your e-peen.
* Doing really dumb stuff like buying some e-book on growing MJ from a user (LE) and DLing it direct from a URL they give you. Doubly dumb if you buy on the same ID as you sell on - or use non-washed BTC from sales to buy with.
* Leaving stuff on your computer which you gain no benefit from retaining but which would greatly assist LE if they ever lay hands on your computer.

Honestly, in summary, I wouldn't get too paranoid about Tor - most of the time it's stupidity that gets people caught not some genius "hacking" by LE.
Title: Re: Recent Kidpron bust LE methodology?
Post by: nef on August 06, 2011, 11:41 am
Quote
    I did some googling and I am pretty sure Dreamboard was on clearnet.

I found the same quote, and came to the same conclusion: it was a clearnet site, but some (most?) users accessed it via Tor. If they only caught 10% of the members of the board, they might have just caught the stupid ones that forgot to use Tor that one time.

Another way of attacking Tor users is to use javascript injection, but this only works for clearnet sites, and won't work against SR. How this works is that an LE-run exit node sees that data from Dreamboard is entering Tor, and they add in javascript that queries the sending computer for third-party cookies that you may have received earlier when using a clearnet site, or for unique characteristics à la https://panopticlick.eff.org/ . Tor users accessing clearnet sites should be using the TorBrowser combo pack, which disables all known attacks along these lines.

But perhaps LE found another way to come up with a list of suspects. Maybe they just started with a list of all registered sex offenders, which is easy enough. And there's a very straightforward way to try to find people making self-made porn: look at their bodies and try to identify them, or identify the kids being abused and ask them. Mirrored surfaces and image processing can work wonders these days (not quite Blade Runner yet, but getting closer). Obviously, these attacks don't work against SR.

Even if LE isn't exactly sure of the identity, they can come up with a long list of possible suspects, and could winnow this list down quickly by monitoring every suspect's Internet usage, even if the suspects are using Tor. By monitoring the suspect's home IP address, LE can record when their suspect is using Tor because Tor has a unique Internet signature. They don't know which site(s) they're connecting to, but they know they are using Tor. Next, by looking at the timestamp of every forum post, LE can verify that the suspect was actively using Tor from home at every time that there is a forum post by a certain user. If suspect X was home and using Tor for 15 minutes every day, and every single one of the posts by user Y happened to occur in those 15-minute windows, they have some good circumstantial evidence that suspect X is user Y. Add in cell phone records that show that the suspect was home at the time of every one of the user's forum posts, and they might have enough for a search warrant.

Note that I have no evidence that this kind of correlation attack is actually happening; it's just the only attack I know of that can plausibly be used against Tor onion site users. These are a few ways to avoid a wide dragnet that LE might have cast to look for SR users:

* Use Tor for more than just SR. This increases the window of time your IP address is using Tor, and decreases their confidence that you are user X. If your IP address is online and using Tor 24 hours a day, the timing/correlation attack mentioned above is useless.
* If possible, connect to SR & post from someplace like Starbucks at least once, and at the same time leave your cell phone at home. Just one instance of a post or transaction when your cell phone is at home and your home network isn't using Tor is enough to discard you from a big automated dragnet. Make sure that when checking into SR remotely, you don't check any other sites that would indicate you're not at home, like checking your email.

How likely is it that LE is actively looking for SR users? I don't know, but if a correlation attack dragnet was written to try to identify kidpron abusers, you know they'll want to use it to find druggies, too. If I had been convicted for distribution in the past, I'd be extra careful trying to confuse correlation attacks, because I'd be an automatic entrant to any dragnet. But I doubt there's anything active happening as of yet. If I were DEA chief, I likely would still be waiting for the lawyers to get back to me about what they think about trying to prosecute someone that accepted bitcoins. Also, volumes here are still tiny: you read headlines about busts with tons of cocaine (check this one out about the CIA allowing tons of coke into the US: http://www.elpasotimes.com/ci_18608410 ), and I'd be surprised if all of the SR vendors combined have moved 1/4 kilo of coke this year.
Title: Re: Recent Kidpron bust LE methodology?
Post by: CrunchyFrog on August 07, 2011, 07:04 am
> Another way of attacking Tor users is to use javascript injection, but this only works for clearnet sites, and won't work again[st] SR....

True, javascript *injection* by an exit relay won't work against .onion sites.  But if the .onion site itself is compromised and employs javascript -- and the client browser has javascript enabled -- that's a different matter altogether.

Disable javascript in your browser and avoid sites that require it -- clearnet or otherwise -- if you value your privacy.  (Or else use a VM to conceal your public IP from your browser.)