Silk Road forums
Discussion => Security => Topic started by: ascarabeus938 on August 03, 2013, 10:33 pm
-
http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html
http://www.reddit.com/r/onions/comments/1jmrta/founder_of_the_freedom_hosting_arrested_held/
http://newsiiwanaduqpre.onion/?e=5 (only works with tor)
http://newsiiwanaduqpre.onion.to/?e=5
US authorities are seeking the extradition of a 28-year-old Irishman described in the High Court by an FBI special agent as "the largest facilitator of child porn on the planet."
Eric Eoin Marques appeared before Mr Justice Paul Gilligan on foot of an extradition request by the FBI, which alleges he is involved in the distribution of online child pornography.
-
That's the admin of "Freedomhosting" which was anonymous hosting not Tormail. Free service, don't know why he had tons of money rolling through a Romanian bank account I guess he was setting up private servers too.
-
That is not the founder of Tor Mail. That is the owner of FreedomHosting. FreedomHosting is the server where Tor Mail was hosted. You are now spreading FUD.
-
That is not the founder of Tor Mail. That is the owner of FreedomHosting. FreedomHosting is the server where Tor Mail was hosted. You are now spreading FUD.
Thank you for the clarification.
This news was very disconcerting being that TOR is down right now while I have a lot of sensitive info and unanswered emails on their server.
-
That is not the founder of Tor Mail. That is the owner of FreedomHosting. FreedomHosting is the server where Tor Mail was hosted. You are now spreading FUD.
Thank you for the clarification.
This news was very disconcerting being that TOR is down right now while I have a lot of sensitive info and unanswered emails on their server.
Well, Tor Mail is hosted on FreedomHosting. It's possible that they have access to those emails. It depends on if they used server side encryption. You should have been using PGP regardless. No one knows who created or operated Tor Mail. Many suspected that it was run by a government intelligence agency.
-
That is not the founder of Tor Mail. That is the owner of FreedomHosting. FreedomHosting is the server where Tor Mail was hosted. You are now spreading FUD.
Thank you for the clarification.
This news was very disconcerting being that TOR is down right now while I have a lot of sensitive info and unanswered emails on their server.
While we all can hope for the best, we have to anticipate the worst. It is only prudent to assume that:
1) The Tormail operator did NOT use server-side encryption; and
2) The authorities will have access to ALL email on the server.
Astor, myself and others have long recommended that people use PGP with Tormail. This recommendation was made precisely WITH this scenario in mind.
If you and your correspondents had both used PGP, the most the authorities would be able to determine is that you were communicating with one or more parties -- they would not be able to read your communications. If you didn't use it... then you have to assume that ALL your information is compromised, and govern yourself accordingly.
Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090 (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07 B66B AFC8 CE71 D9AF D2F0
-
That is not the founder of Tor Mail. That is the owner of FreedomHosting. FreedomHosting is the server where Tor Mail was hosted. You are now spreading FUD.
Thank you for the clarification.
This news was very disconcerting being that TOR is down right now while I have a lot of sensitive info and unanswered emails on their server.
Well, Tor Mail is hosted on FreedomHosting. It's possible that they have access to those emails. It depends on if they used server side encryption. You should have been using PGP regardless. No one knows who created or operated Tor Mail. Many suspected that it was run by a government intelligence agency.
It's a sure thing that, if Tormail were really run by one of the 3 letter agencies, that particular data collection operation is now well and truly burned. The FBI are not going to be the most popular guys around, right now.
Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key: http://dkn255hz262ypmii.onion/index.php?topic=174.msg633090#msg633090 (Silk Road Forums PGP Key Link)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07 B66B AFC8 CE71 D9AF D2F0
-
Yikes I wonder how they traced somebody who used virtual machine isolation plus Tor. It seems that either they broke Tor to trace him or they hacked into his server and busted out of layers of virtual machines. In either case that is fucking scary.
-
Yikes I wonder how they traced somebody who used virtual machine isolation plus Tor. It seems that either they broke Tor to trace him or they hacked into his server and busted out of layers of virtual machines. In either case that is fucking scary.
Welcome to the layer cake son ;)
-
That is not the founder of Tor Mail. That is the owner of FreedomHosting. FreedomHosting is the server where Tor Mail was hosted. You are now spreading FUD.
Thank you for the clarification.
This news was very disconcerting being that TOR is down right now while I have a lot of sensitive info and unanswered emails on their server.
Well, Tor Mail is hosted on FreedomHosting. It's possible that they have access to those emails. It depends on if they used server side encryption. You should have been using PGP regardless. No one knows who created or operated Tor Mail. Many suspected that it was run by a government intelligence agency.
It's a sure thing that, if Tormail were really run by one of the 3 letter agencies, that particular data collection operation is now well and truly burned. The FBI are not going to be the most popular guys around, right now.
The rumors I had read were that it was possibly run by a Russian intelligence agency, not American.
-
This is very, very, very bad news.
-
Wow, This is serious stuff,
If they can infiltrate FH there should be no reason to think the same thing couldn't happen to Silk Road
-
I always thought it was stupid that Tor Project left javascript on by default in Tor Browser. I really question a lot of choices that they make in the name of making their software more user friendly. Leaving javascript on to "hide your browser fingerprint in a larger crowd" might turn out to be about the same as wrapping a rope around your neck, tying it to a fan, and jumping off a chair, because you don't want to step on a tack on the floor.
-
To everyone freaking out: Most of the people on this board are users, not vendors. If you are a user it is doubtful you have much to worry about. LEO is already overloaded with cases to investigate and they primarily go for sellers, not buyers. Not that they won't bust a buyer if it lands in their lap but they are not going to spend time investigating someone who bought three hits of acid six months ago (or last week for that matter). Yes you should be very careful, use pgp, etc, but there is entirely too much paranoia among buyers on here in my opinion.
mm
-
disable javascript, side channel disabled. anyone running tor with javascript enabled is retarded. tor is still safe.
better yet, migrate to whonix, any type of exploit difficulty is much increased. whatever, fuck those pedos, doubt they give half a shit about drug users. much more of us than them, and we are relatively harmless, other than kmfkwem anyway, lololol, with all his maniacal posts!
-
if you used same password on tormail as sr, you need to change it now. this is why i don't use any email service, even tor based.
-
*starts sweating nervously* changing all passwords and upgrading security! BOOM!
Ryno
-
Has anyone read this? Apparently there was a javascript exploit placed on the tormail site by the fbi during the window of when it was seized up until when it became public knowledge that it was seized.
The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA.
In a crackdown that FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network have been compromised, including the e-mail counterpart of TOR deep web, TORmail.
http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html
This is undoubtedly a big blow to the TOR community, Crypto Anarchists, and more generally, to Internet anonymity. All of this happening during DEFCON.
If you happen to use an account name and/or password combination that you have reused in the TOR deep web, change them NOW.
Eric Eoin Marques who was arrested runs a company called Host Ultra Limited.
http://www.solocheck.ie/Irish-Company/Host-Ultra-Limited-399806
http://www.hostultra.com/
He has an account at WebHosting Talk forums.
http://www.webhostingtalk.com/showthread.php?t=157698
A few days ago there were mass outages of Tor hidden services that predominantly affected Freedom Hosting websites.
http://postimg.org/image/ltj1j1j6v/
“Down for Maintenance
Sorry, This server is currently offline for maintenance. Please try again in a few hours.”
If you saw this while browsing Tor you went to an onion hosted by Freedom Hosting. The javascript exploit was injected into your browser if you had javascript enabled.
What the exploit does:
The JavaScript zero-day exploit that creates a unique cookie and sends a request to a random server that basically fingerprints your browser in some way, which is probably then correlated somewhere else since the cookie doesn’t get deleted. Presumably it reports the victim’s IP back to the FBI.
An iframe is injected into FH-hosted sites:
TOR/FREEDOM HOST COMPORMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/pmGEj9bV
Which leads to this obfuscated code:
Javascript Mozilla Pastebin
Posted by Anonymous on Sun 4th Aug 02:52
http://pastebin.mozilla.org/2776374
FH STILL COMPROMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/K61QZpzb
FBI Hidden Service in connection with the JavaScript exploit:
7ydnpplko5lbgfx5
Who’s affected / time scales:
Anyone who accessed an FH site in the past two days with JavaScript enabled. Eric Eoin Marques was arrested on Sunday so that’s the earliest possible date.
“In this paper we expose flaws both in the design and implementation of Tor’s hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take down hidden services and deanonymize hidden services
Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization”
http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf
The FBI Ran a Child Porn Site for Two Whole Weeks
http://gizmodo.com/why-the-fbi-ran-a-child-porn-site-for-two-whole-weeks-510247728
http://postimg.org/image/o4qaep8pz/
On any other day one would say these sick perverts got what they deserved. Unfortunately the Feds are stepping far beyond just pedophiles in this latest issue.
The js inserted at Freedom Hosting? Nothing really, just an iframe inject script with a UUID embedded server-side.
The iframe then delivers an exploit kit that appears to be a JavaScript 0day leading to…something. It only attempts to exploit Firefox (17 and up) on Windows NT. There’s definitely some heap spraying and some possible shell code. The suspect shell code block contains some strings that look to formulate an HTTP request, but I haven’t been able to collect the final payload yet. The shell code also contains the UUID with which the exploit was delivered. Any UUID will work to get this part of the exploit.
I’m still pulling this little bundle of malware apart. So far, I’ve got that the attack is split across three separate files, each loaded into an iframe. Calls are made between the frames to further obfuscate the control flow. The ‘content_2.html’ and ‘content_3.html’ files are only served up if the request “looks like” Firefox and has a correct Referer header. The ‘content_2.html’ is loaded from the main exploit iframe and in turn loads ‘content_3.html’.
Short version. Preliminary analysis: This little thing probably CAN reach out without going through Tor. It appears to be exploiting the JavaScript runtime in Firefox to download something.
UPDATE: The exploit only affects Firefox 17 and involves several JS heap-sprays. Note that the current Extended Support Release is Firefox 17, so this may also affect some large organizations using Firefox ESR.
http://pastebin.mozilla.org/2777139
The script will only attempt the exploit on Firefox 17, so I’m no longer worried about it being some new 0day. Enough of the “Critical” MFSAs are for various sorts of memory corruption that I don’t have the time to find out if this is actually a new exploit or something seen before.
http://postimg.org/image/mb66vvjsh/
Logical outcomes from this?
1. FBI/NSA just shut down the #1 biggest hosting site and #1 most wanted person on Tor
2. Silkroad is next on their list, being the #2 most wanted (#1 was Child Porn, #2 is drugs)
3. Bitcoin and all crypto currencies set to absolutely CRASH as a result since the feds can not completely control this currency as they please.
I don’t always call the Feds agenda transparent, but when I do, I say they can be trying harder.
Anyone know anything about this?
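As an added example (not from this thread or from any of the linked pastebins), here is a small Python checker that flags iframes matching the injection pattern the quoted analysis describes: a src carrying a UUID, pointing at a host other than the page's own, or sized/styled to be invisible. The hostnames and the sample HTML are constructed placeholders, and the pattern is a heuristic for triage, not a signature for the specific exploit kit.

```python
import re
from html.parser import HTMLParser

# Canonical 8-4-4-4-12 hex UUID, as the quoted analysis says was embedded in the iframe src.
UUID_RE = re.compile(
    r"[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}", re.I
)
HIDDEN_STYLE_RE = re.compile(r"display\s*:\s*none|visibility\s*:\s*hidden", re.I)


class IframeCollector(HTMLParser):
    """Collects the attributes of every <iframe> start tag in a document."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _host_of(src):
    # Only absolute or protocol-relative URLs name a host; relative paths are same-origin.
    m = re.match(r"^(?:https?:)?//([^/?#]+)", src.strip(), re.I)
    return m.group(1).lower() if m else None


def _dim(attrs, name):
    v = attrs.get(name, "").strip().lower().replace("px", "")
    return int(v) if v.isdigit() else None


def _is_tiny(attrs):
    # A 0x0 or 1x1 frame is invisible to the user but still loads its src.
    w, h = _dim(attrs, "width"), _dim(attrs, "height")
    return (w is not None and w <= 1) or (h is not None and h <= 1)


def find_suspicious_iframes(html, page_host):
    """Return [(src, [reasons])] for iframes that look like an injected loader."""
    parser = IframeCollector()
    parser.feed(html)
    findings = []
    for a in parser.iframes:
        src = a.get("src", "")
        reasons = []
        if UUID_RE.search(src):
            reasons.append("uuid-in-src")
        host = _host_of(src)
        if host and host != page_host.lower():
            reasons.append("third-party-src")
        if _is_tiny(a) or HIDDEN_STYLE_RE.search(a.get("style", "")):
            reasons.append("hidden")
        if reasons:
            findings.append((src, reasons))
    return findings


# Constructed sample: one hidden loader frame with a UUID, one ordinary embed.
SAMPLE_HTML = """
<html><body>
<h1>Down for Maintenance</h1>
<iframe src="/embed/player.html" width="640" height="360"></iframe>
<iframe src="http://loader-host.invalid/content_1.html?id=0fa1c3e2-8b7d-4c9e-a1b2-3c4d5e6f7a8b"
        width="0" height="0" style="display:none"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_suspicious_iframes(SAMPLE_HTML, "victim-site.invalid"):
        print(src, "->", ", ".join(reasons))
```

Run it over saved copies of pages fetched with scripting disabled; a frame that trips all three reasons is worth pulling apart in an isolated environment before deciding whether it is benign.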
-
Thank you for that Clandestinus!
RYno
-
holy shitballs...
that last quote makes for scary reading!
hopefully the irish don't bloody extradite him!!
-
everyone has read it, that's why the post is here
-
I didn't mean "has anyone heard about tormail being seized?" obviously, yes, that's why this thread is here. I was referring more specifically to the concrete evidence of an fbi-placed javascript exploit that may have revealed the IP addresses of a lot of users. That has not been previously mentioned in this thread.
-
What evidence do we have that tormail itself has been compromised?
Tor Mail service consists of several servers: this hidden service, and incoming and outgoing internet-facing mail servers, the relays. They relay mail in and out of the Tor network; they are disposable servers purchased anonymously and not traceable to user or service provider.
The owners declare the only things stored on the hard drive of those servers is the Exim mail server and the Tor software. No emails, logs or personal data are stored on those servers, thus it doesn't matter if they are seized or shut down. They claim to be prepared to quickly replace any relay that is taken offline for any reason.
The service and SMTP/IMAP/POP3 are on a hidden server completely separate from the relays. The relays do not know the IP address of the hidden service. The owners declare the service does not cooperate with anyone attempting to identify or censor a Tor Mail user.
Ignoring the fact that none of this information on Wikipedia cites its source, if they go to this length to ensure anonymity and security why would they just skip server-side data encryption?
-
To everyone freaking out: Most of the people on this board are users, not vendors. If you are a user it is doubtful you have much to worry about. LEO is already overloaded with cases to investigate and they primarily go for sellers, not buyers. Not that they won't bust a buyer if it lands in their lap but they are not going to spend time investigating someone who bought three hits of acid six months ago (or last week for that matter). Yes you should be very careful, use pgp, etc, but there is entirely too much paranoia among buyers on here in my opinion.
mm
+1 for that, I agree.
-
What evidence do we have that tormail itself has been compromised?
Tor Mail service consists of several servers: this hidden service, and incoming and outgoing internet-facing mail servers, the relays. They relay mail in and out of the Tor network; they are disposable servers purchased anonymously and not traceable to user or service provider.
The owners declare the only things stored on the hard drive of those servers is the Exim mail server and the Tor software. No emails, logs or personal data are stored on those servers, thus it doesn't matter if they are seized or shut down. They claim to be prepared to quickly replace any relay that is taken offline for any reason.
The service and SMTP/IMAP/POP3 are on a hidden server completely separate from the relays. The relays do not know the IP address of the hidden service. The owners declare the service does not cooperate with anyone attempting to identify or censor a Tor Mail user.
Ignoring the fact that none of this information on Wikipedia cites its source, if they go to this length to ensure anonymity and security why would they just skip server-side data encryption?
You would assume that they wouldn't given their credibility from creating TorMail, but then again it's not always safest to assume.
-
As of 8:52 PM UTC the tormail .org and .onion domains are back up. The no-javascript email client is 404 but the roundcube client (requires javascript) is accessible.
Does this make anyone else suspicious? Their server host gets taken down using a java exploit and now you can only login using the javascript client? It does not seem hard to set up a man-in-the-middle attack to target tormail users' login info if you only have control of the hidden service login page and not the data servers themselves.
-
well, I can't make this 'quick reply' without JS enabled
My question is, "is there ANY chance SR data/passwords HAVE BEEN compromised?"
hmmmm?
-
well, I can't make this 'quick reply' without JS enabled
My question is, "is there ANY chance SR data/passwords HAVE BEEN compromised?"
hmmmm?
Maybe if some SR users had their username & pw the same as on a FH site, otherwise no.
If SR was hosted on freedomhosting it would likely have had the same pattern of service outages as FH sites leading up to the bust.
-
Hmmm thanks man, TSR was "down for maintenance" a few days back last week ..... but that's reassuring to hear anyway :P
kind regards xennek 8)
m m m :)
-
Look, they aren't interested in some piddly Silk Road user that can't even give them the name of the person they buy from. From what I read, they arrested this guy and set up an exploit that compromised half the nodes in the Tor network and also set up a fake server maintenance page for this guy's hosting service. I imagine they then took the CP sites offline hoping the admins of those sites would come along and ask for server maintenance and they could get an IP. From what I read SR is hosted on these same servers and if any admin here went to that page they could be compromised. That being said, this is a CP operation from everything they have said. They are looking for sick fucks that like that kind of stuff and distribute it. I don't think you have anything to worry about if you are a small time buyer here. The people that need to be worried are any site admins that have had contact with freedom hosting through that page that could have revealed their true IP. Unless you are a pedo frequenting pedo servers or running one I wouldn't care. If the FBI took an interest in SR during this operation it would be to arrest the admins and take the site offline and seize their bank accounts. Maybe they would go after vendors, but the reality is taking the site offline permanently would be a huge newsworthy win for them and that's what they care about.
-
^^ what he said..
but, i was wondering, if the yanks did get hold of him and extradited him from the paddys, they'd torture the shit out of him until he gave up his super l33t 2048 bit super passwords. which may reveal back doors to revealing something or other. aside from the JS attacks and false servers...
thankfully we haven't used tormail nor FH for shit but if the connections to here and our admins are real, then this could mean further leads on investigations already underway into this place.
fucking feds.
-
Look, they aren't interested in some piddly Silk Road user that can't even give them the name of the person they buy from. From what I read, they arrested this guy and set up an exploit that compromised half the nodes in the Tor network and also set up a fake server maintenance page for this guy's hosting service. I imagine they then took the CP sites offline hoping the admins of those sites would come along and ask for server maintenance and they could get an IP. From what I read SR is hosted on these same servers and if any admin here went to that page they could be compromised. That being said, this is a CP operation from everything they have said. They are looking for sick fucks that like that kind of stuff and distribute it. I don't think you have anything to worry about if you are a small time buyer here. The people that need to be worried are any site admins that have had contact with freedom hosting through that page that could have revealed their true IP. Unless you are a pedo frequenting pedo servers or running one I wouldn't care. If the FBI took an interest in SR during this operation it would be to arrest the admins and take the site offline and seize their bank accounts. Maybe they would go after vendors, but the reality is taking the site offline permanently would be a huge newsworthy win for them and that's what they care about.
obviously SR is not hosted on freedomhosting or it would be down right now. and no tor 'nodes' were compromised. it was users using the browser bundle with javascript enabled.
-
I simply repeated two things reported in some of the articles. So if that's not correct, fine. They claim SR was hosted there but obviously SR is still up. Maybe it was hosted there in the past, I have no idea. Of course if they are only after CP sites they may not have shut down all the sites that FH is hosting.
-
...this is a CP operation... They are looking for sick fucks that like that kind of stuff and distribute it.
It's worth bearing in mind that some law enforcement agents regard people who like and distribute illegal drugs as "sick fucks".
-
...this is a CP operation... They are looking for sick fucks that like that kind of stuff and distribute it.
It's worth bearing in mind that some law enforcement agents regard people who like and distribute illegal drugs as "sick fucks".
+1
-
...this is a CP operation... They are looking for sick fucks that like that kind of stuff and distribute it.
It's worth bearing in mind that some law enforcement agents regard people who like and distribute illegal drugs as "sick fucks".
And that matters why? He is being charged with being the largest distributor of child porn in the world. He knew what was on his servers and left it there. The case has nothing to do with drugs other than one article claimed that silk road was hosted there. People on these forums have to have a certain level of paranoia, but if SR isn't even hosted there then what are you so worried about? Even if they did find something related to SR they are going to go after the admins first I would think. Of course I could be wrong but I kinda doubt they want to pick off online buyers one by one when they could take the entire site down at once if they identified an admin.
-
...this is a CP operation... They are looking for sick fucks that like that kind of stuff and distribute it.
It's worth bearing in mind that some law enforcement agents regard people who like and distribute illegal drugs as "sick fucks".
And that matters why? He is being charged with being the largest distributor of child porn in the world. He knew what was on his servers and left it there. The case has nothing to do with drugs other than one article claimed that silk road was hosted there. People on these forums have to have a certain level of paranoia, but if SR isn't even hosted there then what are you so worried about? Even if they did find something related to SR they are going to go after the admins first I would think. Of course I could be wrong but I kinda doubt they want to pick off online buyers one by one when they could take the entire site down at once if they identified an admin.
They are worried because of the java 0 day exploit that was embedded on every freedom host server which infected Tormail users. It also exploited HackBB and other non diddler sites. It now doesn't look like the attack worked, or was specifically targeted to a certain user(s) they were after. If you used updated Tor Browser Bundle you didn't get compromised because Noscript is running by default. If you used home made Tor like FireFox w/proxy addon you're screwed.
-
That is not the founder of Tor Mail. That is the owner of FreedomHosting. FreedomHosting is the server where Tor Mail was hosted. You are now spreading FUD.
Thank you for the clarification.
This news was very disconcerting being that TOR is down right now while I have a lot of sensitive info and unanswered emails on their server.
Well, Tor Mail is hosted on FreedomHosting. It's possible that they have access to those emails. It depends on if they used server side encryption. You should have been using PGP regardless. No one knows who created or operated Tor Mail. Many suspected that it was run by a government intelligence agency.
Sh!t...just......got.........REAL! :-\
-
...this is a CP operation... They are looking for sick fucks that like that kind of stuff and distribute it.
It's worth bearing in mind that some law enforcement agents regard people who like and distribute illegal drugs as "sick fucks".
And that matters why? He is being charged with being the largest distributor of child porn in the world. He knew what was on his servers and left it there. The case has nothing to do with drugs other than one article claimed that silk road was hosted there. People on these forums have to have a certain level of paranoia, but if SR isn't even hosted there then what are you so worried about? Even if they did find something related to SR they are going to go after the admins first I would think. Of course I could be wrong but I kinda doubt they want to pick off online buyers one by one when they could take the entire site down at once if they identified an admin.
They are worried because of the java 0 day exploit that was embedded on every freedom host server which infected Tormail users. It also exploited HackBB and other non diddler sites. It now doesn't look like the attack worked, or was specifically targeted to a certain user(s) they were after. If you used updated Tor Browser Bundle you didn't get compromised because Noscript is running by default. If you used home made Tor like FireFox w/proxy addon you're screwed.
I had noscript enabled (with 'forbid java' on), but javascript was also enabled under options > content......so you're saying I should be safe?
I accessed a Freedom Site yesterday. Not a diddler site, but I am still concerned that I could be compromised because of my drug transactions through said site.
I hope you're right...
-
If you were targeted you'd already be arrested, they tend to do these things before announcing a big bust.
After the fact, maybe you're on a list now.
This was the exploit used: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
It was fixed with latest 17.07 TBB. So if you're using updated Tor browser bundle the hack did nothing. If you used an older version you're screwed and might want to nuke everything/clean house.
-
If you were targeted you'd already be arrested, they tend to do these things before announcing a big bust.
After the fact, maybe you're on a list now.
This was the exploit used: https://www.mozilla.org/security/announce/2013/mfsa2013-53.html
It was fixed with latest 17.07 TBB. So if you're using updated Tor browser bundle the hack did nothing. If you used an older version you're screwed and might want to nuke everything/clean house.
What about people using a version before 17?
-
They are worried because of the java 0 day exploit that was embedded on every freedom host server which infected Tormail users. It also exploited HackBB and other non diddler sites. It now doesn't look like the attack worked, or was specifically targeted to a certain user(s) they were after. If you used updated Tor Browser Bundle you didn't get compromised because Noscript is running by default. If you used home made Tor like FireFox w/proxy addon you're screwed.
That goes against other info where I read the javascript was injected through the use of an iframe which is not blocked by no-script or Tor Browser bundle by default.
Not trying to break your balls here but just wondering did you consider this?