Show Posts

Messages - kmfkewm

Pages: 1 ... 39 40 [41] 42 43 ... 249
601
Security / Re: NSA responsible for attack on freedom hosting
« on: August 06, 2013, 03:59 am »
What better way to make people aware that we disapprove of them than by shooting them and blowing them up?

602
Silk Road discussion / Re: Security warning and advisory
« on: August 06, 2013, 03:29 am »
I have been following the whole "FH was busted" line for a while now.

I find the following odd:

#1) The first time this came up was a person who posted it to reddit, linked to an article about a child porn distributor that was taken down in Ireland. (No mention of FH or TOR at all in the article.)
#2) It has circulated for several days and has gotten bigger as it goes.
#3) The site has been up and down over the last couple of weeks, in various states of F-ed up.
#4) The Java exploit that was discussed was originally on a child porn site that was suspected of being on FH and not on the "Temporary down" page. It seems to have morphed over time.
#5) I have seen the temporary down page and it is flat HTML with no iframes on it. The exploit was claimed to be in an iframe call.

The reason it smells off to me is that:

#1) If the feds had taken down a child porn site on TOR or FH as a distributor, it would be news! They would blast that everywhere to scare potential TOR users away or make them think it is not as secure as it is.
#2) I have not seen any corroborating evidence that did not come from that first reddit post. See #1!

I am not saying it is safe or that the person who runs FH did not get busted. I am saying that I would not be surprised if this was a hoax and the site had been hacked, the owner working to get it back up and not paying attention to the posts floating around.

BTW, tormail was up earlier today with the main page and the login page, but when you tried to log in it failed with a 404. There was no JS anywhere on the page, I checked.

Yes, it does seem a bit odd to me as well, and my first impression was that it could be Anonymous PsyOps. However, a few things to take into consideration. Somebody who is a major host of CP sites was indeed busted about the same time that Freedom Hosting went down. That could be a coincidence, or it could not. The busted person certainly matches up with Freedom Hosting pretty well: he hosted dozens of websites with CP on them and had over one million images. All of the pedos seem to think it is the Freedom Hosting admin, as none of them can think of anyone else who hosted so many CP sites and so much content. In the recent past there were busts of similar sized CP rings; a few years ago in the Ukraine they busted a commercial CP service that ran dozens of sites and had a large number of images, but it was immediately clear from reading the article that it was not Freedom Hosting because they charged for access and took Paypal, and anyway some of the pedos on Tor already knew about their operation. There was another pedo forum that got busted on Tor a few months ago, and that made the news as well, but they never mentioned that it was on the Tor Network. This is the site that they called "Website A" and ran undercover for a week or two busting members on it (I wonder with what exploit :/). After reading about it some more, it seems pretty conclusive that this was the Tor Hidden Service known as Pedo Forum.

The second point is that people have obtained real exploit code off of the freedom hosting sites, so obviously somebody did inject exploit code into all of the websites on freedom hosting.

Additionally, apparently the admin of one of the CP sites on Freedom Hosting corroborated the story that malicious javascript had been injected into his website.

Additionally, the phone home IP address of the malicious javascript belongs to a company that provides hosting exclusively for the intelligence and law enforcement community in the USA.

So all things considered, it seems to paint a ton of circumstantial evidence, although I also have not seen anything 100% conclusive yet.

603
I happened to be running the vulnerable browser with JS on and I clicked on a pedo link while exploring the hidden wiki on the 3rd. Should I expect a raid soon? I'm not located in the USA.
I've never had any illegal material on my PC, and I'm not a pedo, so they'll probably let me go after 24h, but being investigated for accessing pedo sites could completely ruin my life forever. It could destroy it.
Any idea how to prevent this or prepare for it? Or maybe what to explain?

Hard to feel bad for you, don't click on pedo sites. Not a pedo but look at the sites?

Hard to feel bad for the people who used Tor Mail to place drug orders. Don't order drugs on the internet. Not a drug addict but order drugs on the internet??

604
Is it just me or did the FBI just take down one of the most secure servers on the internet and then hack into hundreds of people who tried to access it?

605
Since Tails is a Linux distribution and the JavaScript exploit was specific to Windows (it worked by making calls to the Windows API), you are safe. Even if it worked on Linux, Tails *may* have prevented it with its transparent proxying, unless the exploit also rooted your Tails instance, which would be considerably harder than what it was designed to do. Everyone who recently switched to Tails was safe, which turned out to be a great move in this community, considering how many people used Tormail.

Tails is immune, but even if it worked against Tails it would have given a fake hostname and a Tor exit node IP address; the MAC address would be real, though, unless you spoofed it. Tails does not automatically spoof the MAC address, afaik.

606
I happened to be running the vulnerable browser with JS on and I clicked on a pedo link while exploring the hidden wiki on the 3rd. Should I expect a raid soon? I'm not located in the USA.
I've never had any illegal material on my PC, and I'm not a pedo, so they'll probably let me go after 24h, but being investigated for accessing pedo sites could completely ruin my life forever. It could destroy it.
Any idea how to prevent this or prepare for it? Or maybe what to explain?

Safest bet for you is to wipe hard drive, destroy networking card and get a new one, change hostname (hopefully it was not your own), get a wireless router anonymously with cash and leave it open and stop using Tor, get a lawyer as soon as police contact you or if you cannot do that in your country say you have no clue what happened.

607
Legal / Re: Countries where some drugs are legal
« on: August 06, 2013, 01:14 am »
I never said all drug use is legal, only personal use. But I guess in the Czech Republic it can actually get you a small fine. But in Uruguay personal use is totally legal; they don't even have a single law on the books against it, though it is up to a judge to decide if an amount was personal use or not.

608
The core CP community will be completely unfazed by this; they have been studying computer security for twenty+ years and are more likely to use OpenBSD or Qubes than they are to use Windows. Freedom Hosting was actually pretty secure from a technical perspective, it will be really interesting to see how they took it down. It is beyond a doubt the most secure CP site that has ever been compromised, by a huge margin. My guess is that the people fucking with CP are going to ditch Tor and I2P at this point and move entirely to Freenet, which is already the network with the most CP on it. Feds cannot really hack CP on Freenet to remove it, and they cannot really put exploit code on a site on Freenet. CP traders are much more secure to download image files off Freenet without ever using a browser, and then opening the files on computers without access to the internet. That is likely what the most skilled CP traders have been doing all along.

609
Security / Re: NSA responsible for attack on freedom hosting
« on: August 06, 2013, 12:26 am »
Kmf,

A few days ago you were telling me that was not possible...?

It is illegal and most people thought NSA would never share intelligence with feds, even Roger Dingledine recently said he is surprised by these developments.

610
Silk Road discussion / Re: Security warning and advisory
« on: August 05, 2013, 11:25 pm »
They likely would still need a specific warrant for each account to see the contents of emails just like they would with any other email provider. I believe they need less to see the headers and subject but for the actual content they need to show probable cause to a judge to get access to the content. Assuming this is in the USA or some similar country.

Yeah and who exactly are they going to serve these warrants on? No one is going to own up to being the owner of Tormail are they?

Warrants for E-mail are not required if the E-mail is more than 60 days old. They can just wait two months and then have at it.

611
Are we sure that the only way to be exposed to the exploit is visiting an FH website while running a non-recent version of firefox/Tor on a Windows computer?

That seems way too specific for me to believe it.

Unless people who look up CP all use the same setup. It sounds like they're just trying to round up the low hanging fruit, because all of this is easily avoidable with even a modicum of electronic security.

It seems the vulnerability itself is exploited with javascript, so that is why only users with javascript enabled are affected. Who knows why they only targeted Windows; the same exploit works theoretically against Linux as well, but the payload was analyzed and it makes several Windows specific OS calls and will not work on Linux. The attack is not a 0-day but rather an exploit that was published a little over a month ago, which explains why the most recent browser is not affected. It is entirely possible that they didn't want to release a 0-day for analysis, and most people using Tor are thought to be using outdated Browser Bundles on Windows. The attacker was probably pretty sure that whatever attack they used would be analyzed to hell and back by a shit ton of security researchers. Also, 0-day attacks are usually used for really really high priority targets; they are more likely to burn one of those on somebody who has like kidnapped a child and is holding them ransom, or a suspected terrorist, than on somebody who is running even the biggest CP site in the world.

612
Security / Re: NSA responsible for attack on freedom hosting
« on: August 05, 2013, 11:15 pm »
As the story is still breaking, here's the most updated info (which contradicts reports of NSA involvement):

There are incorrect press reports circulating that the command-and-control IP address, 65.222.202.54, belongs to the NSA. Those reports are based on a misreading of domain name resolution records. The NSA’s public website, NSA.gov, is served by the same upstream Verizon network as the Tor malware command-and-control server, but that network handles tons of government agencies and contractors in the Washington DC area.

source: http://www.wired.com/threatlevel/2013/08/freedom-hosting/

Although the Patriot Act gave the NSA some new and broad powers for domestic surveillance, this operation appears to be more criminal in nature than an issue of national security and thus outside of their jurisdiction. It's more than likely FBI.

And to those that would scoff about issues of jurisdiction in regards to NSA acts, consider what the exploits were hoping to accomplish. They were attempting to identify users involved in some seriously depraved criminality for the purpose of prosecution. The FBI, not the NSA, has authority in this regard.

Considering it just broke that the NSA has been sharing criminal intelligence with the DEA, I think it makes sense to assume they are sharing criminal intelligence with the FBI as well.

613
This is a good example of where using a neighbor's WiFi from home could protect you. There are a lot of people out there right now who know they are probably pwnt by the FBI. The ones who used a neighbor's WiFi in addition to Tor have revealed their hostname, MAC address and their neighbor's IP address. If they destroy their networking card, wipe their drives and use a new hostname (and hopefully didn't name their computers after themselves to begin with) and stop using their neighbor's WiFi (and probably stop using Tor from home themselves now), they are still not likely to be deanonymized. The people who used their own internet and fell victim to this attack are totally fucked. This is the unlinkability of using a neighbor's WiFi that I was discussing in the past. They would be even better off if they used WiFi from a random location; then they would be safer to continue using Tor from home.

614
Wasn't a 0-day, it was a 37-day, which is why all the people with the new TBB are safe. There were two exploits to the best of my understanding: one relied on javascript, but later they added one that exploited image tags, presumably in order to get the people they were missing because they had disabled javascript. Both of the exploits delivered the same payload that only works on Windows, and both of the vulnerabilities were fixed in the most recent Tor Browser. So if you were on Windows with an outdated Tor Browser you are still probably fucked even if you had javascript off.

615
Security / Re: is ICEWEASEL browser the same as Firefox
« on: August 05, 2013, 07:54 pm »
Iceweasel is Firefox with a different logo and name.
