Silk Road forums

Discussion => Silk Road discussion => Topic started by: d0nniedark0 on August 04, 2013, 06:02 pm

Title: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: d0nniedark0 on August 04, 2013, 06:02 pm
"BREAKING: HALF OF TOR SITES COMPROMISED, INCLUDING TORMAIL

The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA.

In a crackdown that FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network has been compromised, including the e-mail counterpart of TOR deep web, TORmail.

http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html

This is undoubtedly a big blow to the TOR community, Crypto Anarchists, and more generally, to Internet anonymity. All of this happening during DEFCON.

If you happen to use and account name and or password combinations that you have re used in the TOR deep web, change them NOW.

Eric Eoin Marques who was arrested runs a company called Host Ultra Limited.

http://www.solocheck.ie/Irish-Company/Host-Ultra-Limited-399806
http://www.hostultra.com/

He has an account at WebHosting Talk forums.

http://www.webhostingtalk.com/showthread.php?t=157698

A few days ago there were mass outages of Tor hidden services that predominantly effected Freedom Hosting websites.

http://postimg.org/image/ltj1j1j6v/

"Down for Maintenance
Sorry, This server is currently offline for maintenance. Please try again in a few hours."

If you saw this while browsing Tor you went to an onion hosted by Freedom Hosting. The javascript exploit was injected into your browser if you had javascript enabled.

What the exploit does:

The JavaScript zero-day exploit that creates a unique cookie and sends a request to a random server that basically fingerprints your browser in some way, which is probably then correlated somewhere else since the cookie doesn't get deleted. Presumably it reports the victim's IP back to the FBI.

An iframe is injected into FH-hosted sites:

TOR/FREEDOM HOST COMPORMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/pmGEj9bV

Which leads to this obfuscated code:

Javascript Mozilla Pastebin
Posted by Anonymous on Sun 4th Aug 02:52
http://pastebin.mozilla.org/2776374

FH STILL COMPROMISED
By: a guest on Aug 3rd, 2013
http://pastebin.com/K61QZpzb

FBI Hidden Service in connection with the JavaScript exploit:
7ydnpplko5lbgfx5

Who's affected Time scales:

Anyone who accessed an FH site in the past two days with JavaScript enabled. Eric Eoin Marques was arrested on Sunday so that's the earliest possible date.

"In this paper we expose flaws both in the design and implementation of Tor’s hidden services that allow an attacker to measure the popularity of arbitrary hidden services, take down hidden services and deanonymize hidden services
Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization"

http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf

The FBI Ran a Child Porn Site for Two Whole Weeks
http://gizmodo.com/why-the-fbi-ran-a-child-porn-site-for-two-whole-weeks-510247728

http://postimg.org/image/o4qaep8pz/

On any other day one would say these sick perverts got what they deserved. Unfortunately the Feds are stepping far beyond just pedophiles in this latest issue.

The js inserted at Freedom Hosting? Nothing really, just an iframe inject script with a UUID embedded server-side.

The iframe then delivers an exploit kit that appears to be a JavaScript 0day leading to...something. It only attempts to exploit Firefox (17 and up) on Windows NT. There's definitely some heap spraying and some possible shell code. The suspect shell code block contains some strings that look to formulate an HTTP request, but I haven't been able to collect the final payload yet. The shell code also contains the UUID with which the exploit was delivered. Any UUID will work to get this part of the exploit.

I'm still pulling this little bundle of malware apart. So far, I've got that the attack is split across three separate files, each loaded into an iframe. Calls are made between the frames to further obfuscate the control flow. The 'content_2.html' and 'content_3.html' files are only served up if the request "looks like" Firefox and has a correct Referer header. The 'content_2.html' is loaded from the main exploit iframe and in turn loads 'content_3.html'.

Short version. Preliminary analysis: This little thing probably CAN reach out without going through Tor. It appears to be exploiting the JavaScript runtime in Firefox to download something.

UPDATE: The exploit only affects Firefox 17 and involves several JS heap-sprays. Note that the current Extended Support Release is Firefox 17, so this may also affect some large organizations using Firefox ESR.

http://pastebin.mozilla.org/2777139

The script will only attempt the exploit on Firefox 17, so I'm no longer worried about it being some new 0day. Enough of the "Critical" MFSAs are for various sorts of memory corruption that I don't have the time to find out if this is actually a new exploit or something seen before.

http://postimg.org/image/mb66vvjsh/

Logical outcomes from this?

1. FBI/NSA just shut down the #1 biggest hosting site and #1 most wanted person on Tor

2. Silkroad is next on their list, being the #2 most wanted (#1 was Child Porn, #2 is drugs)

3. Bitcoin and all crypto currenecies set to absolutely CRASH as a result since the feds can not completely control this currency as they please.

I don't always call the Feds agenda transparent, but when i do, I say they can be trying harder."

source: http://www.twitlonger.com/show/n_1rlo0uu

Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: HeatFireFlame on August 04, 2013, 06:20 pm
First of all +1, and thank you for taking the time to put that together, It's people like you who keep the community thriving.
Well at least it isnt some NSA newely created virus, I suppose the injection is expected to be on FBI level skills. Now hang on, Im no technical expert, But does this mean the exploit would not work if you were using tails?
This points out to me the feds went back to square one, They literally went to the tor website and looked at how to stay safe. The bit on the website that tells you Tor keeps you good for the most part but you need to do certain things (use it right) otherwise you may as well be using google chrome with no proxy.

One of them happens to be keep javascript disabled, as this can reveal your IP, They may well use another famous one like dont download files in tor, Say become a vendor sell useless PDF's and get everyone to download it, i reckon half would not do it offline in a VM and would reveal their IP. I actually think TBB and tails comes with javascript auto disabled is this not right?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: PaperStreetSoapCompany on August 04, 2013, 06:26 pm
Subscribed and nervous. :-\
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: cirrus on August 04, 2013, 06:47 pm
I think common sense at this point tells us to remain extra cautious, that includes turning off your javascript on your browser.   
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: uglydoll on August 04, 2013, 06:52 pm
I think common sense at this point tells us to remain extra cautious, that includes turning off your javascript on your browser.

But if your javascript was enable , and you disable it now. would the exploit will be disabled to then>?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: StExo on August 04, 2013, 06:56 pm
Change all your passwords, ensure javascript is turned off is definitely what to do right now. If you're as paranoid as I am, changing every password you have and using a new drive may be the way to go with fresh installs of everything even though I don't think I was successfully hit.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BlackIris on August 04, 2013, 07:09 pm
Change all your passwords, ensure javascript is turned off is definitely what to do right now. If you're as paranoid as I am, changing every password you have and using a new drive may be the way to go with fresh installs of everything even though I don't think I was successfully hit.

That's what I did (not to the point of changing drive but I did erase it with DBan and copied anew also the Whonix VM) and I did already have Javascript disabled  ;)
I don't care to be called paranoid, it just takes one minute and it puts my mind at ease.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: NorthernStar on August 04, 2013, 07:10 pm
I think common sense at this point tells us to remain extra cautious, that includes turning off your javascript on your browser.
How do I do that please cirrus?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BlackIris on August 04, 2013, 07:23 pm
^
Go to the NoScript icon (the S above, left of the address and right of the onion logo) click on it and select "Forbid Scripts Globally (recommended)". If you don't want notification on the bottom about Scripts blocked then, when the bar appears select "Options" to the right and uncheck "Display blocked Scripts" (or something similar, don't remember the exact nomenclature now).
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: 4am on August 04, 2013, 07:35 pm
^
Go to the NoScript icon (the S above, left of the address and right of the onion logo) click on it and select "Forbid Scripts Globally (recommended)". If you don't want notification on the bottom about Scripts blocked then, when the bar appears select "Options" to the right and uncheck "Display blocked Scripts" (or something similar, don't remember the exact nomenclature now).

To add, make sure you've got "Forbid <IFRAME>" selected as well.

In the description it says that the exploit came from within an IFRAME, and by default IFRAME's are NOT blocked by NoScript.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: eleanorrobot on August 04, 2013, 08:10 pm
I actually think TBB and tails comes with javascript auto disabled is this not right?

No, javascript is enabled by default I think. I remember I had to turn mine off.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: ananas_xpress on August 04, 2013, 08:36 pm
How does this play out for those of us using the TOR browser bundle, I believe the no script plug in is installed by default and warns you to allow javascript on a case by case basis.

Just wondering can anyone confirm anything since I guess its one of the most popular avenues onto TOR 
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: d0nniedark0 on August 04, 2013, 08:45 pm
Yes the Tor Bundle does have Javascript enabled by default. Make sure every time you update tor bundle to disable your javascript.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: hornblower on August 04, 2013, 08:47 pm
You know, this is what I hated most about accessing SR and Tor...somehow being associated with fucking pedos. 

I always thought it would simply be a very remote possibility since I only used Tor to access SR and the forums but it never occurred to me (cause I'm a fucking moron)  that when I was viewing bud porn photos I was accessing an onion image service that apparently pedos were using as well.

Now, although I had Noscript set to forbid JS globally, I didn't have IFRAME disbled (never even heard of that before yesterday) and I did try to view some old bud porn links recently, from qwerfdsa, and now here I am, fucking pissed off because I may or may not be infected.

But my only fear of being merely associated with pedos even though I've never fucking viewed CP but may or may not have been caught accessing a service used by them.

I'm fairly certain I have nothing to worry about but just the mere possible association with that kind of depravity and ugliness is bothersome.

edit: it just occurred to me that it wasn't a maintenance message but a server unavailable/network problem  type message (like a white page with simple font text and maybe a horizontal line near the top, very generic looking).  Does anyone know if the infected maintenance page was more elaborate?  I just assumed the maintenance page was the same as the 'unavailable' page I used to get every so often.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: HeatFireFlame on August 04, 2013, 09:11 pm
Right ok, Hang on, I use tails, Am i still traceable if i was hit? Im not sure i was hit, But just to be sure. When i checked there, The fucking disable scripts part was not turned on or off actually i had to select it, However i know for a fact that im never able to watch videos or anything like that anyway, I thought tails turned it off automatically. Am i safe with tails? Or have i been hit. Can someone please put it in black and white :) thanks all.

And Blackiris, How does it only take a minute? Im with you 200% about not being paranoid, It does not make you paranoid at all.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: SirBaxter on August 04, 2013, 09:17 pm
I hate that all of the tech stuff flies over my head for the most part. Should I be worried if all I use is a thumb drive with Liberte? I had two tormail accounts that I had never used to send anything. Nor have I logged into them for many months. I never reused passwords but had a tormail matching my sr username.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Thetruthseeker1234 on August 04, 2013, 09:53 pm
Subbed
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Dread Pirate Roberts on August 04, 2013, 10:06 pm
Is there any information on how he was tracked down and arrested?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: mclovin on August 04, 2013, 10:13 pm
!!Shit

I been trying hackbb 24/7 And Tor mail and was getting them messages .

But the real crazy thing is last night very stupidly bought a hackin package from a vendor on SR
as soon as i downloaded and un-packed it

My computer was fucked !! i lost control and all my files were popping up everywhere my note pad opened and words were being writen
example : Do you want to see pictures of a naked baby ????????????????!!!!!!!!!!!!!!!not just on note pad other places on the screen and loads of code and jibberish i think it was trying was to mak extract more SHIT!!
So i pulled the battery out as my mouse was flying around AVG was saying trogan backdoor alert as well as others

After pulling battery went safe mode and wiped all the files and done a few scans but seems ok now but maybe not if there up to date and undetected ????

This all sounds very fishy . just so you know iam no pedo!! 

I was half way though a order in hackbb hope they get new hosting soon.


Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Angel Eyes on August 04, 2013, 10:14 pm
It APPEARS that anyone using a non-windows system has nothing to worry about.  This includes tails and any other linux-based, or mac osx systems.  The exploit has been reported to only work on the windows OS.  While we cannot be sure this is the case, it does seem plausible.  However, if the exploit does work on non-windows systems then using tails, etc. would likely not protect you from having your IP address discovered, as the IP provided by your ISP would be the same whether you use tails or not.

I have done quite a bit of research on javascript and IP address discovery.  There is no way that I have discovered to obtain your location's public IP address from javascript.  All that (non-hacked) javascript has the capacity to do is report the private IP address of the local computer it is running on, which is useless to LE.  Its clear that the FBI, or someone the FBI bought the exploit from (yes, the FBI buys shit off the black market too), has a way to do this.

If you don't know about public and private IP addresses, very basically, your home network behind your firewall (you do have a firewall right?) assigns private IP addresses (via dhcp) to all your computers beginning with either "10."  or "192.".  Any IP starting with those numbers is a private IP and is guaranteed to be unique ONLY within your home network.  The public IP is the IP your internet service provider assigns to your cable/dsl modem.  This is the IP address that appears to websites when you access sites via clearnet or without a VPN or other obfuscating proxy.  All your home network computers share this IP to talk to the internet.  This is the IP that LE wants to get.  Generally, javascript running in a browser on your computer only has access to your private IP which, again, is useless to identify you on the public internet.  However, you cannot rely on that as this FBI sting makes clear.  As others have said already, DISABLE JAVASCRIPT COMPLETELY IN YOUR TORBROWSER SETTINGS TO HELP KEEP YOURSELF ANONYMOUS.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: mclovin on August 04, 2013, 10:17 pm
I THINK I AM GETTING A NEW COMPUTER TOMORROW!!!
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Angel Eyes on August 04, 2013, 10:30 pm
Is there any information on how he was tracked down and arrested?

Was the Freedom Hosting owner even keeping his identity secret?  I assume he didn't provide free hosting services.  Perhaps he only allowed anonymous currency payments.  Its not clear from any of the reports I've read.  Its also not clear whether he was responsible for the child porn directly or his company hosted a hidden service that was responsible. 

The firefox javascript exploit is being reported alongside this story but there is no actual information as to the relationship between the two.  It SEEMS LIKE Freedom Hosting was busted quietly and the firefox exploit was quietly distributed to all the hidden services so they would distribute it to everyone who logged on.  This way they could find end users of the child porn site(s) as well.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kingsandman on August 04, 2013, 10:34 pm
Alright, so they got freedom hosting. The owner apparently had a history with child pornography. Illegal photographs were being hosted on freedom hosting's servers.. but they can't necessarily use that same tactic to shut SR down.. am I right? Yes, drugs are being sold here, but that doesn't give them any more than they already have to go after the company that hosts SR. Am I the only one who doesn't believe SR is next?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kingpinirl on August 04, 2013, 10:37 pm
DPR - not sure how he was found.  One aspect no one has brought up that I don't understand is that this person has dual-citizenship, Ireland and US.   How/why the US is asking Ireland to extradite him is just bs.  He wasn't targeting the US, wasn't operating in the US (as far as I know), and Ireland has laws against CP as well - considering the guy has lived in Ireland since he was 5, where does the US Gov get off bringing him here to convict him.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: PureEnergy on August 04, 2013, 10:51 pm
Does anyone have any guess as to whether deleted messages on Tormail would be recoverable by an agency? Im thinking specifically ones that I deleted a year or so ago.

PE
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: samesamebutdifferent on August 04, 2013, 10:59 pm
Is there any information on how he was tracked down and arrested?

Was the Freedom Hosting owner even keeping his identity secret?  I assume he didn't provide free hosting services.  Perhaps he only allowed anonymous currency payments.  Its not clear from any of the reports I've read.  Its also not clear whether he was responsible for the child porn directly or his company hosted a hidden service that was responsible. 

The firefox javascript exploit is being reported alongside this story but there is no actual information as to the relationship between the two.  It SEEMS LIKE Freedom Hosting was busted quietly and the firefox exploit was quietly distributed to all the hidden services so they would distribute it to everyone who logged on.  This way they could find end users of the child porn site(s) as well.

I'm not entirely clear on what is/has happened here, are people saying the java script exploit was up and running before the FH sites went down or after?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: HeatFireFlame on August 04, 2013, 11:00 pm
Yes im sorry i think you are the only one. What they have proved here is that they can get at people who use the deepnet .
We have a problem because anyone who tried to access tormail will have been hit with this javascript injection. Now people are working on it clearly and taking apart the code and injection one by one, SO we will see soon enough what the extent of it is.
I think that FH was just allowing .onion sites to be hosted, I dont know if he directly was involved in CP or if it was just more of a "He allowed them to be hosted , Hes as guilty as the people downloading them"

Either way, DPR surely you know some people who are well versed in the arts of programming and coding, Get them on it pronto. Your business and all of ours relies on it. In the meanwhile, everyone else technical great job so far. Good luck deciphering the rest of the scripting an coding. Hopefully this isnt a brand new NSA created virus, Just another FBI script.

So your saying that even if disable scripts was off and i went to the tormail hidden service via tails, and of course the page didnt load , I am safe so long as tails was used?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kingpinirl on August 04, 2013, 11:05 pm
Is there any information on how he was tracked down and arrested?

Was the Freedom Hosting owner even keeping his identity secret?  I assume he didn't provide free hosting services.  Perhaps he only allowed anonymous currency payments.  Its not clear from any of the reports I've read.  Its also not clear whether he was responsible for the child porn directly or his company hosted a hidden service that was responsible. 

The firefox javascript exploit is being reported alongside this story but there is no actual information as to the relationship between the two.  It SEEMS LIKE Freedom Hosting was busted quietly and the firefox exploit was quietly distributed to all the hidden services so they would distribute it to everyone who logged on.  This way they could find end users of the child porn site(s) as well.

I'm not entirely clear on what is/has happened here, are people saying the java script exploit was up and running before the FH sites went down or after?

I read somewhere that the exploit was up and running at least a week prior to the FH sites going offline.  I can't seem to find where I read it though.  If I do, I'll post the link.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Northwest Nuggets on August 04, 2013, 11:16 pm
Somebody on Reddit says they tested the Javascript and it only revealed the IP of the TOR exit node.

chris530 8 points 21 hours ago

As a amateur security researcher, I was interested in the pastebin link which was posted. After reading the code, I was skeptical it would work. So I created a page which hosts the bad javascript code. Visited the link in cleartext. Got of ip as I was expecting. Spun up a VM, and installed torbrowser. ( non tails ) Got the ip from a tor exist node ( the js did run ) as expected. I do not see what you would gain putting this on a illegal websites besides the tor exit node ip.

I could be missing something, of course. Those are my findings.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: eleanorrobot on August 04, 2013, 11:19 pm
Is there any information on how he was tracked down and arrested?

None concrete yet.

I am beginning to believe it was his own negligence that lead to his identification and arrest. He also ran a clearnet host (hostultra.com) and didn't seem too concerned about keeping his identity a secret (clearnet - http://www.webhostingtalk.com/showthread.php?t=157698). Freedom Hosting apparently had quite a lot in common with Host Ultra which, while circumstantial, could raise suspicion.

Also, Anonymous leaked specific software information about the Freedom Hosting server in fall of 2011. He was the wrong guy in their witch hunt but the information they collected I'm sure was filed by the FBI.

There is speculation of him running other deepweb services (I've read he ran OnionBank? any confirmations on that?) and there is also mention of large amounts of money running through his own bank account which is unlikely to be from Freedom Hosting as his plans were all unmetered. He could have been taking under-the-table payments to keep CP sites online above normal fees, and that would leave a paper trail if the client had been caught or was under investigation - or if a client that paid him under the table was actually law enforcement. There's also a bit of focus on a transaction to Romania (6000 euros) from his own bank account, which he claims is investment in another business. It's been mentioned in a couple of threads the possibility of "real life" social engineering.

It says the FBI has been investigating him for a year. He is also a US citizen, though living in Ireland since age 5 and the warrant is issued from Maryland.

Sorry I can't provide more info.

ER.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: HeatFireFlame on August 04, 2013, 11:23 pm
Is there any information on how he was tracked down and arrested?

None concrete yet.

I am beginning to believe it was his own negligence that lead to his identification and arrest. He also ran a clearnet host (hostultra.com) and didn't seem too concerned about keeping his identity a secret (clearnet - http://www.webhostingtalk.com/showthread.php?t=157698). Freedom Hosting apparently had quite a lot in common with Host Ultra which, while circumstantial, could raise suspicion.

Also, Anonymous leaked specific software information about the Freedom Hosting server in fall of 2011. He was the wrong guy in their witch hunt but the information they collected I'm sure was filed by the FBI.

There is speculation of him running other deepweb services (I've read he ran OnionBank? any confirmations on that?) and there is also mention of large amounts of money running through his own bank account which is unlikely to be from Freedom Hosting as his plans were all unmetered. He could have been taking under-the-table payments to keep CP sites online above normal fees, and that would leave a paper trail if the client had been caught or was under investigation - or if a client that paid him under the table was actually law enforcement. There's also a bit of focus on a transaction to Romania (6000 euros) from his own bank account, which he claims is investment in another business. It's been mentioned in a couple of threads the possibility of "real life" social engineering.

It says the FBI has been investigating him for a year. He is also a US citizen, though living in Ireland since age 5 and the warrant is issued from Maryland.

Sorry I can't provide more info.

ER.

Surely the guy that invente tormail would know to accept BTC only though? That is one of the most basic things we know.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: eleanorrobot on August 04, 2013, 11:24 pm
Is there any information on how he was tracked down and arrested?

Was the Freedom Hosting owner even keeping his identity secret?  I assume he didn't provide free hosting services.  Perhaps he only allowed anonymous currency payments.  Its not clear from any of the reports I've read.  Its also not clear whether he was responsible for the child porn directly or his company hosted a hidden service that was responsible. 

The firefox javascript exploit is being reported alongside this story but there is no actual information as to the relationship between the two.  It SEEMS LIKE Freedom Hosting was busted quietly and the firefox exploit was quietly distributed to all the hidden services so they would distribute it to everyone who logged on.  This way they could find end users of the child porn site(s) as well.

I'm not entirely clear on what is/has happened here, are people saying the java script exploit was up and running before the FH sites went down or after?

Apparently the exploit was on FH sites (inc TorMail) between the time he was busted and the time the bust was public/stuff went down. I don't know dates as I didn't use any of those sites and can't speak from first hand experience.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: eleanorrobot on August 04, 2013, 11:26 pm
Surely the guy that invente tormail would know to accept BTC only though? That is one of the most basic things we know.

As far as I know, he didn't invent Tormail, he just owned the servers it was hosted on. He also did not only accept BTC at his clearnet hosting site - http://www.hostultra.com
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: PureEnergy on August 04, 2013, 11:40 pm
Tor Project statement

https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: bodizzle on August 05, 2013, 12:18 am
Uhg, I am a complete tech newbie. I have used tormail in the past with java script enabled...

I have disabled javascript now, but what other steps should I take? Is it safe to log on to tormail to change my password? Is my usage on SR now comprimised? Would my computer be compromised?

Ack, so many questions. Im a complete computer layman so any advice would be greatly appreciated!

*ps: how do I go about doing the forbid <iframe> ? (ive aleady disabled scripts but not sure what the disable iframe is)
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: ForeverStrung on August 05, 2013, 01:17 am
For the techs, help.

If we had the javascript turned on, and we accessed tormail, and the computer was infected. How do we know the comp was infected? And if it was infected, would reformatting (Ubuntu) solve the problem?

We don't know if we were infected or not but better safe than sorry. We reformatted our Ubuntu, changed passwords, new PGP, etc.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: samesamebutdifferent on August 05, 2013, 01:27 am
Ok so assume the worst, now what? reformat HD and re instal the OS?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: P2P on August 05, 2013, 01:31 am
Ok so assume the worst, now what? reformat HD and re instal the OS?

DBAN or get a new comp. I did not even touch tormail and I am still DBANing just in case. Those who laugh about security end up in security.

I am also interested to know what stexo is doing about this latest development. I believe his site was run through FH, correct?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Nero on August 05, 2013, 01:47 am
Although the TORmail host has been compromised, that doesn't mean LE has access to the servers correct? Couldn't the TORmail ownder just log on and wipe that shit as soon as things got hairy?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 05, 2013, 01:58 am
First of all, yes all of the Tor Project software, from Tor Browser to Tails, ships with javascript enabled by default. If you didn't turn it off, then it is on. I always thought it was stupid for them to ship with javascript enabled by default, and maybe now they will wake up to this fact.

Second of all, nobody has actually shown any proof that this guy who got busted is the owner of Freedom Hosting. It does look like he probably is, since he was busted running multiple websites hosting more than a million images of CP. On the other hand, there are busts of people running large websites with many images of CP on a fairly regular basis, just a few years ago there was a bust in Ukraine of people running dozens of CP pay sites with millions of images on them, but nobody jumped to the conclusion that it was freedom hosting at the time. On the other hand, in this case we just don't know the details of the operation, in the Ukraine case they talked about pay walls and paypal and etc, in this case we only know the very basic facts. Also it is a bit weird that the busted guy had funneled like half a million dollars through his bank account, that makes it sound like perhaps he was operating a for pay CP network, or maybe he is just some rich fuck who owns his own hosting company. Running a site like Freedom Hosting would probably require at least five hundred bucks a month, so since he did it for free he obviously was pretty well to do. So yeah it looks like Freedom Hosting admin was busted, but I have not seen any concrete evidence on this yet, and a lot of the stuff I am seeing about it looks like it is fresh from the asshole of Anonymous trying to scare everybody. Nobody in the news has linked Freedom Hosting to this busted guy, it has all been random fucks who seem to have no solid evidence that the person busted is freedom hosting admin. On the other hand, it looks like at least one person running a CP site on Freedom Hosting claims that they had javascript exploits injected into their site content, so that is certainly not a good sign.

Also No Script shipped with Tor Browser has iframe enabled by default so I don't think it is going to protect anyone from this if it turns out to actually be real.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: WhiteShark on August 05, 2013, 02:03 am
Subbing..

What does this mean for silkroad? Are they next?

Anyway to check if we are infected? What should we do? =(
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: samesamebutdifferent on August 05, 2013, 02:06 am
Showing my ignorance, what is iframe?

Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: hornblower on August 05, 2013, 02:13 am
kmfkewm mentioned that having iframe enabled might be enough for the exploit to work.

Fuck me but I did try to access bud porn on servers that were probably targeted by the feds  (I got the server maintenance page).

I don't view cp and never have but am screwed here because I tried to access one of the targeted servers?

I mean I've probably accessed nug porn images on any of those servers dozens of times.  Since the feds won't have access to my Tor browsing history, how will they differentiate between those that viewed cp and those that didn't?

I can imagine that them having a record of someone accessing the server (through the js exploit) would be enough probably cause for warrants but I would have to have them seize my computers for them to do forensic analysis to determine that I, indeed, don't and never had cp?

wtf???
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 05, 2013, 02:17 am
I hate that all of the tech stuff flies over my head for the most part. Should I be worried if all I use is a thumb drive with Liberte? I had two tormail accounts that I had never used to send anything. Nor have I logged into them for many months. I never reused passwords but had a tormail matching my sr username.

I don't think Liberte users are vulnerable because it doesn't use Firefox or Iceweasel does it?

Quote
Is there any information on how he was tracked down and arrested?

No I don't think there is. I don't think there is even any proof yet that this is actually him, although circumstantial evidence strongly suggests that it is. I do know that he used virtual machines to isolate his web servers though, that means if he was hacked the hackers had to break out of a virtual machine, which is pretty advanced compared to everything we have thus far witnessed LE hackers do. Another possibility is that his server was traced to its entry guards and then LE got a court order to tap an identified entry guard in order to locate his hidden service. Another possibility is that he fucked up in some other way, maybe social engineering got him or maybe the datacenter his server was at noticed he had 24/7 terabytes a day of Tor traffic.

Quote
It APPEARS that anyone using a non-windows system has nothing to worry about.  This includes tails and any other linux-based, or mac osx systems.  The exploit has been reported to only work on the windows OS.  While we cannot be sure this is the case, it does seem plausible.  However, if the exploit does work on non-windows systems then using tails, etc. would likely not protect you from having your IP address discovered, as the IP provided by your ISP would be the same whether you use tails or not.

The exploit only targets what looks like Windows OS, but Tor Button makes all Tor users look like they are using Windows. So it is not certain that it wont work against Linux users, it will try to exploit them anyway due to the fact that Tor Button spoofs user agent to look like Windows. I have seen a few peoples opinions on this exploit code so far, and nobody is yet willing to say if it works against Linux or not. So far I have not heard much that sounds very solid.

Quote
I have done quite a bit of research on javascript and IP address discovery.  There is no way that I have discovered to obtain your location's public IP address from javascript.  All that (non-hacked) javascript has the capacity to do is report the private IP address of the local computer it is running on, which is useless to LE.  Its clear that the FBI, or someone the FBI bought the exploit from (yes, the FBI buys shit off the black market too), has a way to do this.

Javascript directly cannot obtain IP address, but it can be used to take full remote control of a persons computer, because it can be used to exploit security vulnerabilities in firefox or whatever, and that is what people think has happened.

Quote

Was the Freedom Hosting owner even keeping his identity secret?  I assume he didn't provide free hosting services.  Perhaps he only allowed anonymous currency payments.  Its not clear from any of the reports I've read.  Its also not clear whether he was responsible for the child porn directly or his company hosted a hidden service that was responsible.

He kept his identity a secret and he did offer free hosting services.

Quote
Alright, so they got freedom hosting. The owner apparently had a history with child pornography. Illegal photographs were being hosted on freedom hosting's servers.. but they can't necessarily use that same tactic to shut SR down.. am I right? Yes, drugs are being sold here, but that doesn't give them any more than they already have to go after the company that hosts SR. Am I the only one who doesn't believe SR is next?

Of course they could use the same tactic to shut SR down.

Quote
Does anyone have any guess as to whether deleted messages on Tormail would be recoverable by an agency? Im thinking specifically ones that I deleted a year or so ago.

It may be possible, or it may not be, it depends on too many variables that we do not know. You should have used GPG.

Quote
I'm not entirely clear on what is/has happened here, are people saying the java script exploit was up and running before the FH sites went down or after?

The claim is that the exploit was injected during the down time, and during the time when the server is down message was coming up.

Quote
I think that FH was just allowing .onion sites to be hosted, I dont know if he directly was involved in CP or if it was just more of a "He allowed them to be hosted , Hes as guilty as the people downloading them"

He didn't host CP himself and he actually said in the rules that he wouldn't allow CP to be hosted, but he also turned a complete blind eye to it and obviously was fine with people using his server to host CP.

Quote
None concrete yet.

I am beginning to believe it was his own negligence that lead to his identification and arrest. He also ran a clearnet host (hostultra.com) and didn't seem too concerned about keeping his identity a secret (clearnet - http://www.webhostingtalk.com/showthread.php?t=157698). Freedom Hosting apparently had quite a lot in common with Host Ultra which, while circumstantial, could raise suspicion.

Also, Anonymous leaked specific software information about the Freedom Hosting server in fall of 2011. He was the wrong guy in their witch hunt but the information they collected I'm sure was filed by the FBI.

There is speculation of him running other deepweb services (I've read he ran OnionBank? any confirmations on that?) and there is also mention of large amounts of money running through his own bank account which is unlikely to be from Freedom Hosting as his plans were all unmetered. He could have been taking under-the-table payments to keep CP sites online above normal fees, and that would leave a paper trail if the client had been caught or was under investigation - or if a client that paid him under the table was actually law enforcement. There's also a bit of focus on a transaction to Romania (6000 euros) from his own bank account, which he claims is investment in another business. It's been mentioned in a couple of threads the possibility of "real life" social engineering.

It says the FBI has been investigating him for a year. He is also a US citizen, though living in Ireland since age 5 and the warrant is issued from Maryland.

Sorry I can't provide more info.

ER.

I don't think he was too stupid or anything, he had some of the best technical security of anyone in onionland and he has been running Freedom Hosting for quite a lot of years now with no issues. He also didn't charge anything for hosting anything. Also the person who is busted used his credit card to withdraw 6,000 Euro in romania but also sent about half a million dollars worth of Euros to Romania through his bank account.





Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 05, 2013, 02:17 am
Showing my ignorance, what is iframe?

An embedded frame that loads remote HTML, kind of like a hotlinked image but a hotlinked website instead.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 05, 2013, 02:19 am
kmfkewm mentioned that having iframe enabled might be enough for the exploit to work.

Fuck me but I did try to access bud porn on servers that were probably targeted by the feds  (I got the server maintenance page).

I don't view cp and never have but am screwed here because I tried to access one of the targeted servers?

I mean I've probably accessed nug porn images on any of those servers dozens of times.  Since the feds won't have access to my Tor browsing history, how will they differentiate between those that viewed cp and those that didn't?

I can imagine that them having a record of someone accessing the server (through the js exploit) would be enough probably cause for warrants but I would have to have them seize my computers for them to do forensic analysis to determine that I, indeed, don't and never had cp?

wtf???

They can probably differentiate between those who attempted to view CP and those who attempted to view drug images.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: dr octagon on August 05, 2013, 02:22 am
Ok, my example here should be similar to many users, so please answer this:

Haven't logged on to Tormail for at least a couple of months, but do have some mail in there (90% encrypted, nothing sensitive unencrypted.)

Always set tor browser bundle no script to disable Java (not iFrame though)

Tormail pw is nothing like any others I use.


Any instructions for people in this situation?

Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 05, 2013, 02:26 am
I wonder how the FBI got permission to hack into arbitrary computers around the world. Viewing CP is not illegal in Russia for example, or most of Sourt America, or about half of the world. But in Russia and these other countries, it is illegal to hack into computers. So it seems to me like the FBI has violated the sovereignty of many countries and illegally hacked into the computers of non-criminals around the world. 
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: P2P on August 05, 2013, 02:33 am
What is iframe? I usually just use noscript to disable JS. I do not know what iframe is. Can you elaborate, kmf?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: dr octagon on August 05, 2013, 02:37 am
Go to No script options > Embedding > disable iFrame if you want to turn it off.

Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: DrugsAndCash on August 05, 2013, 02:39 am
I personally don't believe that Tormail is in FBI hands.
Think logic, wouldn't be better for FBI to intercept tormail and stay it the same as it was and just spy all traffic between mailboxes?
For what purpose they embeed any iFrame exploit ? Do you really think that they need IP adresses of all people who use tormails ?
Why they burned the best method for taking down all deep net community?
Are this news trusted source of information ?
I'll be waiting for some clever opinions because I see that everyone makes paranoia here.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: QuickSilverHawk on August 05, 2013, 02:40 am
Admittedly I haven't been reading too in-depth about this stuff, but I have a question.

If in the same browsing session/window I was logged into my SR account and in a separate tab also into a TorMail account that is used for everyday unrelated shit, is safety still something to be concerned about? Granted, I spent a good amount of time today cleaning stuff up and whatnot, and one wants to always stay safe; but is this cause for worry?

(EDIT: Not so much personal shit, but stuff independent from SR nonetheless.)
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: royalblue on August 05, 2013, 02:41 am
IFrames are a Microsoft creation for loading remote content.

Scenario 1: You left the noscript settings default out of the box and connected to a hosted website like TORMail or QicPic.  You could have been affected.
Scenario 2: You blocked scripts but left IFrames enabled.  No real threat here except you connected to a remote server through TOR.  This doesn't expose you.
Scenario 3: You blocked scripts and iframes.  You are safe.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BruceCampbell on August 05, 2013, 02:43 am
So this guy is running a million dollar hosting service linked to CP and got busted. What do you think the ramifications of this are for silk road vendors and buyers kmfkewm? Low on the totem pole or are they after servers? Ran antivirus and malware on all my machines and found nothing. Went to noscript options, disabled iframe. DBAN and new operating system just to be safe. Possibly discontinue being omnipresent on TOR, regardless of wardriving or piggybacking off local wifi.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: royalblue on August 05, 2013, 02:51 am
Ran antivirus and malware on all my machines and found nothing.
0-day exploit won't be detected.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: The Scientist on August 05, 2013, 02:52 am
I had Java enabled under the 'Content' section in 'Options'', but I had 'Forbid Java' checked under the Noscript options.

Am I safe?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 05, 2013, 02:55 am
Only Windows users with Javascript enabled are screwed: https://krebsonsecurity.com/2013/08/firefox-zero-day-used-in-child-porn-hunt/

Actually that doesn't go into such details, but I talked with some very skilled hackers who have analyzed the exploit code and they say it requires Windows to work, and javascript to get started. So Linux users should be safe as well as anyone who has Javascript disabled.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 05, 2013, 03:02 am
https://bugzilla.mozilla.org/show_bug.cgi?id=901365
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: DrMDA on August 05, 2013, 03:17 am
Firefox deletes all cookies on closing so wouldn't that exploit cookie get deleted too?

Also if Tor is ran over a VPN wouldn't it just show the VPN IP?

Who else is buying a new laptop tomorrow?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: QuickSilverHawk on August 05, 2013, 03:23 am
Well, whatever the case may be, I'm definitely going to use TAILS more faithfully/judiciously from now on.
Sometimes I can get a little "lazy" and browse clearnet stuff in Firefox (separately from the Tor Browser, but still).
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: T5 on August 05, 2013, 03:27 am
Hello everybody,
 
An IMPORTANT BREACH in the TOR network just happened. I'll let the article speak for itself:

http://www.twitlonger.com/show/n_1rlo0uu

Quote
BREAKING: HALF OF TOR SITES COMPROMISED, INCLUDING TORMAIL

The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA.

In a crackdown that FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network has been compromised, including the e-mail counterpart of TOR deep web, TORmail.

PLEASE STAY AWAY AND STAY SAFE!
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: paxpax on August 05, 2013, 03:39 am
Would users who access tormail using an torrified email client also be affected? I would think no as you are only using pop or imap.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: MammothDorset on August 05, 2013, 04:28 am
There is no "infection", your computer is not "infected" and scans will not show anything, regardless if it's 0-day or not.

My understanding, so far, is that if you were an unlucky one, your IP Address, MAC Address, and some additional info, would have been sent to 'someone' in Washington, DC. That's it.

There is no infection.

Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 05, 2013, 05:06 am
Latest News:

Vulnerable users = Use Windows, Have Javascript Enabled, Do not have most recent Tor Browser (17.0.7)

If you don't meet all three of these criteria you are likely safe , at least as far as we can tell so far.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: DrMDA on August 05, 2013, 05:07 am
Yep mainly IP address and MAC address and that's pretty much it. IP address is no big deal if you were running over a VPN and the MAC address just identifies the type of device. Here is what an expert who diagnosed it said:

I only ran magneto and stepped through with OllyDbg in a VM.
I actually came across the IP, i just forgot to cast to sockaddr_in of the connect() call. The IP is: 65.222.202.54 and they used the port 5000. It makes 5 tries to connect.
Then it gets the hostname with gethostname().
Then it gets all the local IPs and associated hostnames with gethostbyname.
Since i have no network adapter, i dont know how all this info was used in the following.
Then it cooks cooks up a HTTP GET String with the UUID provided by the javascript as parameter and it appends the local hostname in the Host: field.
Then it tries to get the MAC-Adress with SendARP() and puts it in a cookie field named "ID", which i faked the return to confirm.
Then it sends everything away with send().
And after that it even does a closesocket(). After that it probably tries to gracefully exit the shellcode somehow without crashing the target, i can't really tell.
Maybe i'll try to examine this in a real exploiting situation with all the javascript stuff and the vulnerable tor browser.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: koonta on August 05, 2013, 05:44 am
LOL at all u pedos in this thread shitting yourselves.


This is the only site i visit on TOR and my java is always disabled so im good.

Have fun in jail cunts.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: DrMDA on August 05, 2013, 05:47 am
^^^^ Tor Mail is not child porn....... cunt.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: hornblower on August 05, 2013, 05:48 am
Can someone test the script in a controlled environment and confirm that Firefox 17.0.7 is not affected?

According to the site below, and as kmfkewm mentioned, supposedly 17.0.7 is protected against the exploit used.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: WhiteShark on August 05, 2013, 05:49 am
The worst part about tor...is that pedophiles can use it.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: samesamebutdifferent on August 05, 2013, 05:54 am
LOL at all u pedos in this thread shitting yourselves.


This is the only site i visit on TOR and my java is always disabled so im good.

Have fun in jail cunts.

Great way to demonstrate your utter ignorance on the subject, do you have any idea how many people use tormail? of course you don't you fucktard.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 05, 2013, 05:55 am
LOL at all u pedos in this thread shitting yourselves.


This is the only site i visit on TOR and my java is always disabled so im good.

Have fun in jail cunts.

The name of the network is Tor, Java is not Javascript, and you are a dumbfuck.

Quote
The worst part about tor...is that pedophiles can use it.

Yes horrible Tor lets people look at naughty pictures :( oh noez.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: hornblower on August 05, 2013, 05:55 am
LOL at all u pedos in this thread shitting yourselves.


This is the only site i visit on TOR and my java is always disabled so im good.

Have fun in jail cunts.

Have you ever viewed any bud porn or something similar that people on this board have posted?  You should understand that "innocent" (non-cp) people might be caught up in this.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: koonta on August 05, 2013, 05:57 am
You only make yourselves look guiltier protesting at my post lol.

Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: DrMDA on August 05, 2013, 05:58 am
The worst part about tor...is that pedophiles can use it.

Them and drug dealers. They suck.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: The Scientist on August 05, 2013, 05:58 am
Latest News:

Vulnerable users = Use Windows, Have Javascript Enabled, Do not have most recent Tor Browser (17.0.7)

If you don't meet all three of these criteria you are likely safe , at least as far as we can tell so far.

Thanks, but what if Java was disabled in Noscript options, but Javascript was enabled in the regular options?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BruceCampbell on August 05, 2013, 06:00 am
How do you check what version of tor or firefox tor is running on TBB?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: q on August 05, 2013, 06:03 am
FBI claims to have compromised HALF of the TOR sites, why the fuck ain't DPR signing his messages after reading that?
This forum and silkroad could be compromised aswell, we don't know shit yet about what is going on.

This exploit could have ran for quiet some time before being discovered.

Someone said TOR developers where paid by FBI to enable javascript again as default, making this attack much more effective.

Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: therealtintizzy on August 05, 2013, 06:06 am
Bruce, you can check the Firefox version through the Help tab drop down menu in the upper left. Click the bottom selection About TorBrowser.
As far as Tor, you can check the Vidalia Control Panel near the bottom it has an About button with an exclamation mark on it.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: ChemCat on August 05, 2013, 06:07 am
@Bruce

Click the orange "TorBrowser" button at the top left of your screen.
Then Hover over "Help" and go to "About TorBrowser"

Therein you will see what version of the TBB That you have.



Peace & Hugs,

Chem

  O0
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: WhiteShark on August 05, 2013, 06:07 am
How do you check what version of tor or firefox tor is running on TBB?


Help >> about Tor browser

Version is shown under Firefox ESR
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BruceCampbell on August 05, 2013, 06:09 am
FBI claims to have compromised HALF of the TOR sites, why the fuck ain't DPR signing his messages after reading that?
This forum and silkroad could be compromised aswell, we don't know shit yet about what is going on.

This exploit could have ran for quiet some time before being discovered.

Someone said TOR developers where paid by FBI to enable javascript again as default, making this attack much more effective.

That is some straight FUD. Some people are on drugs here. Some people probably have already purchased new computers. Others are nuking hard drives. Drugs + crimes + tormail = paranoia. Please keep FUD off the topic unless stuff is confirmed. There's enough floating around already.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: DrMDA on August 05, 2013, 06:12 am
FBI claims to have compromised HALF of the TOR sites, why the fuck ain't DPR signing his messages after reading that?
This forum and silkroad could be compromised aswell, we don't know shit yet about what is going on.

This exploit could have ran for quiet some time before being discovered.

Someone said TOR developers where paid by FBI to enable javascript again as default, making this attack much more effective.

Dude, relax, the TOR sites that are affected are DOWN (because they were on FreedomHosting).

We know a freaking shitload if you would bother reading everything. Many security experts have already posted the forensics of the exploit already.

Yes yes yes, Tor was paid by the FBI, Zimmerman of PGP was blackmailed by the NSA, and the moon landing never happened. Anything else? want to throw some aliens in there as well?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: DrMDA on August 05, 2013, 06:14 am
Damn, when Bruce Cambell tells you to calm the fuck down then you know they are freakin nuts. That's gotta be a first.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BruceCampbell on August 05, 2013, 06:16 am
Damn, when Bruce Cambell tells you to calm the fuck down then you know they are freakin nuts. That's gotta be a first.

There's a difference between security and professionalism and being a part of an illegal online enterprise and trolling around on SMF man.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: The Scientist on August 05, 2013, 06:23 am
How do you check what version of tor or firefox tor is running on TBB?


Help >> about Tor browser

Version is shown under Firefox ESR

Mine says I'm using version 10.0.9.... Does this affect versions before 17, or after?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BruceCampbell on August 05, 2013, 06:31 am
Ok. I don't want to be a FUD slinger myself. But how many of you guys have been using privnote.com?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: WhiteShark on August 05, 2013, 06:36 am
Personally I never use privnote =)
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: q on August 05, 2013, 06:38 am
FBI claims to have compromised HALF of the TOR sites, why the fuck ain't DPR signing his messages after reading that?
This forum and silkroad could be compromised aswell, we don't know shit yet about what is going on.

This exploit could have ran for quiet some time before being discovered.

Someone said TOR developers where paid by FBI to enable javascript again as default, making this attack much more effective.

Dude, relax, the TOR sites that are affected are DOWN (because they were on FreedomHosting).

We know a freaking shitload if you would bother reading everything. Many security experts have already posted the forensics of the exploit already.

Yes yes yes, Tor was paid by the FBI, Zimmerman of PGP was blackmailed by the NSA, and the moon landing never happened. Anything else? want to throw some aliens in there as well?


So you think you know a shitload about this?

Only information about this 1 exploit is not shitloads of information at all, you don't know what the fuck is going on this operation expect about the exploit.
You claim to be sure about only FH being affected by this, how do you know?
You just assume that's the case. So why don't you start throw some aliens yourself?

What if DPR used tormail or other FH service and he was tracked down too? He should sign his messages now to prove they are most likely written by him, especially after an incident like this.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: The Scientist on August 05, 2013, 06:40 am
why would the FBI make known what they did?

It just gives the kiddy diddlers time to delete their harddrives.

does anyone think this was just an attempt to scare people, and that they were really only targetting the admins of these kiddy diddler websites?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: WhiteShark on August 05, 2013, 06:43 am
If they are just targeting CP sites I hope they all get taken down. However we can never really know what they are doing.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: therealtintizzy on August 05, 2013, 06:48 am
why would the FBI make known what they did?

It just gives the kiddy diddlers time to delete their harddrives.

does anyone think this was just an attempt to scare people, and that they were really only targetting the admins of these kiddy diddler websites?

Seems like a plausible scenario. I would think trying to nab everyone would be like trying to kill a centipede by ripping off it's legs one at a time when you could just smash it. I don't think they would exert that much effort when they could just snuff out the sources and lock up a few high profile people. Though I could always be wrong. Who knows?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Hungry ghost on August 05, 2013, 06:51 am
I have nothing to contribute on the technical side here, so feel free to skip this comnent.

Slightly unrelated, but on the "relationship" between Tor and CP, I always assumed this would be used by police when interrogating any suspected SR user.
     "We see you have been using Tor, like looking at pictures of child abuse do you?"
     "No comment. Wheres my lawyer?"
    "Do you know what they do to people like you in prison?"
     "No comment. Lawyer"
     (*lying now *)"We have found some illegal images on your computer"
    ""NOOO! I WAS JUST SELLING DRUGS! I SWEAR I'M NOT A NONCE........shit"

Naturally I despise CP and those who use it. But the child porn accusation seems to be wheeled out often by authorities to justify some tyrannical behaviour.
        There was a case a few years ago where armed police kicked in the door of two brothers and shot one of them in the shoulder. All the headlines were "TERRORIST BOMB FACTORY UNCOVERED" (the brothers were Muslim of course).
        As the story progressed it became apparent that in fact they were completely innocent, and they were eventually completely exonerated and compensated. However I remember seeing stories (presumably leaked by police) in papers talking about 'finding child porn on their computers'.
It seems to be something that just gets thrown out there in these situations.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: The Scientist on August 05, 2013, 08:06 am
So does this ONLY affect people who were using Firefox 17.x ?

I am using version 10.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Nero on August 05, 2013, 08:12 am
Scientist, I think everyone needs to assume that they've been compromised, and act accordingly.
Do not ASSUME you are safe. And having version 10 is silly, do you know how many bug fixes and exploit fixes you're missing!? Do not ASSUME you are safe because of a technicality like version number, thats just dumb.
Do not rely on someone in a forum to tell you if you're safe or not.


There's a saying that comes to mind:

"Prepare for the worst and hope for the best"
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: The Scientist on August 05, 2013, 08:18 am
Scientist, I think everyone needs to assume that they've been compromised, and act accordingly.
Do not ASSUME you are safe. And having version 10 is silly, do you know how many bug fixes and exploit fixes you're missing!? Do not ASSUME you are safe because of a technicality like version number, thats just dumb.
Do not rely on someone in a forum to tell you if you're safe or not.


There's a saying that comes to mind:

"Prepare for the worst and hope for the best"

You're right, but I'd still like to know if there is anything in the code to suggest it only affects version 17, and not prior versions.

I did find this:

"version >=17 && version <18"
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BlackIris on August 05, 2013, 08:35 am
You're right, but I'd still like to know if there is anything in the code to suggest it only affects version 17, and not prior versions.

You read wrong, it is: "DO NOT have most recent Tor Browser (17.0.7)" i.e. those that are affected are those that DON'T HAVE the latest version and so are open to the exploit(s).

You have a very old version of the bundle and so you are open to many exploits, included this one.



Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: koonta on August 05, 2013, 08:45 am
Your not even anon scientist ...........pedos are so dumb.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: The Scientist on August 05, 2013, 08:47 am
You're right, but I'd still like to know if there is anything in the code to suggest it only affects version 17, and not prior versions.

You read wrong, it is: "DO NOT have most recent Tor Browser (17.0.7)" i.e. those that are affected are those that DON'T HAVE the latest version and so are open to the exploit(s).

You have a very old version of the bundle and so you are open to many exploits, included this one.

I am not doubting I am vulnurable, but this part seems to suggest it only affects people using version 17 - correct me if I'm wrong:

function b()
{
var version = al();
if(version <17)
{
window.location.href="content_1.html";
}
if( version >=17 && version <18 )
var12 = 0xE8;
return ;


Quote
Your not even anon scientist ...........pedos are so dumb.
I was using tormail, troll.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: PureEnergy on August 05, 2013, 08:59 am
the moon landing never happened

Correct :)
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BlackIris on August 05, 2013, 09:01 am
I am not doubting I am vulnurable, but this part seems to suggest it only affects people using version 17 - correct me if I'm wrong:

function b()
{
var version = al();
if(version <17)
{
window.location.href="content_1.html";
}
if( version >=17 && version <18 )
var12 = 0xE8;
return ;

That's only a different call depending on the version of the browser because between certain versions there are slight differences. The culprit is the vulnerability caused by the onreadystatechange event exploiting an unmapped memory access on reloading pages. This exploit was fixed only on version 17.0.7, so ALL previous versions are affected.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: The Scientist on August 05, 2013, 09:09 am
So US government could be reading my Tormail, and get my national government (which is not USA) to press charges against me for selling drugs.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: q on August 05, 2013, 09:15 am
So US government could be reading my Tormail, and get my national government (which is not USA) to press charges against me for selling drugs.

USA work closely together with a lot of other countries, especially concerning drugs.
If you did not encrypt your communication, you might be fucked.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BlackIris on August 05, 2013, 09:20 am
Let's not get too hasty here. We don't know many of the specifics. It can either be that this operation was made appositely just to bust a bunch of people and they care absolutely nothing of the rest.

Even more it is highly improbable that even if they can collect all data and IPs they will go after small time buyers/vendors (now, if you have sort of an international smuggling operation of bulk drugs the thing may change, but also here it is NOT sure), even less if they are inside other governments jurisdictions. They have more pressing matters to concern themselves with. It can perfectly be that all this operation was just made to bust a bunch of known CP users/distributors and they care absolutely nothing about the rest. Nothing is certain at this point, as for example the range of the operation and what they can plan to do with the info gathered.

Still, as a security, it's naturally best to clean house and erase all evidence of connections you can have (if you have them on your house or your PC) along beginning immediately to increase your security from now on.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: The Scientist on August 05, 2013, 09:34 am
Let's not get too hasty here. We don't know many of the specifics. It can either be that this operation was made appositely just to bust a bunch of people and they care absolutely nothing of the rest.

Even more it is highly improbable that even if they can collect all data and IPs they will go after small time buyers/vendors (now, if you have sort of an international smuggling operation of bulk drugs the thing may change, but also here it is NOT sure), even less if they are inside other governments jurisdictions. They have more pressing matters to concern themselves with. It can perfectly be that all this operation was just made to bust a bunch of known CP users/distributors and they care absolutely nothing about the rest. Nothing is certain at this point, as for example the range of the operation and what they can plan to do with the info gathered.

Still, as a security, it's naturally best to clean house and erase all evidence of connections you can have (if you have them on your house or your PC) along beginning immediately to increase your security from now on.

But even if I destroy my computer and get rid of all of my drugs, all the information they need is contained in the emails that are now linked to my IP address...

Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: The Scientist on August 05, 2013, 09:40 am
"After that it cleans up the state and appears to deliberately crash."

I don't remember my browser ever crashing yesterday.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BlackIris on August 05, 2013, 09:41 am
You have been totally naive and unscrupulous on not encrypting all your transactions etc. in the e-mails.

NEVER trust a third-party site (of whatever nature) with YOUR info, neither SR or any other community/business for that matter. ALWAYS encrypt your information so that only YOU can read it.

Now the only thing you can hope for is that: A) or the exploit didn't work in your case (because it is not 100% sure it will work), B) they don't care anyway about you and the info they gathered about you.

You better learn an hard lesson from this thing for the future and I really hope you the best.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BlackIris on August 05, 2013, 09:45 am
I don't remember my browser ever crashing yesterday.

Then maybe you have been lucky and the exploit didn't work (in fact it is not sure to work because the exploit to access the unmapped memory requires a sort of "combination of circumstances" and it is not guaranteed to work all the times; it is an exploit caused by a bug and if the bug doesn't present then the exploit doesn't work).

Still they have access to all your unencrypted info in there and it depends if those are enough to tie you (your real identity) with what is written in them.

Be prepared for the worst, hope for the best. There's nothing more you can do at this point. Worrying yourself will not resolve the issue, just be prepared and try to work a counter-measure just in case.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: whatagwan on August 05, 2013, 09:56 am
I got a bit freaked out about 2 weeks ago.. the icon to start tor moved down a position an tor started REMEMBERING MY HISTORY! I was freaked out so I deleted tor, re-installed (have up to date one now, but did not before)

Any advice for me?
Thanks
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BlackIris on August 05, 2013, 10:01 am
Any advice for me?
Thanks

I don't think it's related (actually I'm sure it's not), but in any case (even if it has nothing to do with this and you worry something is quite not right) erase/DBan the drive and start anew then change passwords.

Also use steps to increase your security for next times (as a Whonix VM or using Tails).
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: ananas_xpress on August 05, 2013, 10:02 am


But even if I destroy my computer and get rid of all of my drugs, all the information they need is contained in the emails that are now linked to my IP address...

Did you use TOR on a Virtual machine with vpn or just on your own computer.
Depending on your answers to these questions the result could be a whole lot different for you. 

If you were using vpn on VM they COULD have your vpn ip and VM mac address in which case I would burn both, new clean VM and new VPN provider just in case they try to track future payment and usage logs.
I'm 99% sure what I'm saying is good knowledge but if someone could confirm or deny it would give me confidence in my actions too.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BlackIris on August 05, 2013, 10:07 am
I'm 99% sure what I'm saying is good knowledge but if someone could confirm or deny it would give me confidence in my actions too.

It's good, but even better at this point is creating a Whonix VM. In that case exploits as these will never work just because your IP is ToRified from the beginning. Probably the Whonix solution is the best (better than Tails in an home solution) to prevent exploits for trying to control your system or gather info about yourself through your machine.

A VPN is fine, but you anyway have to rely on the VPN not giving out info about yourself and I never trust anybody with this, no matter what. The best ways imo are using Tails in public Wi-Fi accesses (random and changing) or a Whonix VM. This or a remote computer access in some Russia server or similar.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: whatagwan on August 05, 2013, 10:08 am
Any advice for me?
Thanks

I don't think it's related (actually I'm sure it's not), but in any case (even if it has nothing to do with this and you worry something is quite not right) erase/DBan the drive and start anew then change passwords.

Also use steps to increase your security for next times (as a Whonix VM or using Tails).

Thanks for your reply, it seems pretty weird though right? do you have some Idea what happened?
Agree I need use Tails.. I am considering erasing.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BlackIris on August 05, 2013, 10:12 am
No, because it can be a lot of things and it's impossible for me to say "it can be this or that" here.

Most probably is nothing but it's always best to be paranoid than be sorry (some rootkits and similar are not discovered by AV in Windows and either in the case they are they will be much probably not cleaned correctly) so the right approach if you have some worry is always to erase and start anew. It doesn't take that much and it puts your mind at ease.

Naturally when you re-install then go for better security or the problem can present itself anew.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 05, 2013, 10:27 am
I don't remember my browser ever crashing yesterday.

Then maybe you have been lucky and the exploit didn't work (in fact it is not sure to work because the exploit to access the unmapped memory requires a sort of "combination of circumstances" and it is not guaranteed to work all the times; it is an exploit caused by a bug and if the bug doesn't present then the exploit doesn't work).

Still they have access to all your unencrypted info in there and it depends if those are enough to tie you (your real identity) with what is written in them.

Be prepared for the worst, hope for the best. There's nothing more you can do at this point. Worrying yourself will not resolve the issue, just be prepared and try to work a counter-measure just in case.

From what I read the exploit tries really hard not to crash anything. It seems pretty confirmed that it only works on Windows and outdated versions of Tor Browser, and the most recent obfsproxy browser unfortunately. I heard there was a second exploit that replaced the first one that used some image tag vulnerability, so that one might work without javascript being enabled but it still only will work against Windows I think. I have not heard much about the second exploit only the first one, but someone in an IRC analyzing this situation found a second exploit as well according to them.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BlackIris on August 05, 2013, 10:49 am
Yes, I saw that too, thanks kmfkewm.

I'm trying to keep myself informed on the exploit to understand better how it works. It is a lot of time I don't care anything about programming and relied matters, but anyway it's always been a passion of mine so when these sort of things happen my interest sparks again.

I'm a little rusted and some things I have to catch up with but it's good to see that like learning to use a bicycle you never really forget it altogether.

So if I say some idiocy on the issue correct me, since I'm still in the trial stage ;)
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Miss Sexy Boots on August 05, 2013, 12:04 pm
"Live in interesting times"...

Thank you to all for the quality of content and community on this thread. Means a lot.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Miss Sexy Boots on August 05, 2013, 12:12 pm
Taking a quick look at the Tormail login... It is very different and looks to be similar in font/ layout to the messages which were reported on broken Tor Image sites a few days ago.

Is this more likely to be a result of high volume usage or as a result of a potential Phishing operation?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Rocknessie on August 05, 2013, 12:33 pm
I wonder how the FBI got permission to hack into arbitrary computers around the world. Viewing CP is not illegal in Russia for example, or most of Sourt America, or about half of the world. But in Russia and these other countries, it is illegal to hack into computers. So it seems to me like the FBI has violated the sovereignty of many countries and illegally hacked into the computers of non-criminals around the world.

You're talking about an LE agency from a country that illegally invaded another country and murdered a million Muslims.

So they presumably got their permission from the "fuck the whole world" guys, i.e. the guys who actually run the USA.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: q on August 05, 2013, 01:42 pm
Taking a quick look at the Tormail login... It is very different and looks to be similar in font/ layout to the messages which were reported on broken Tor Image sites a few days ago.

Is this more likely to be a result of high volume usage or as a result of a potential Phishing operation?

Tormail is compromised, you can never use it again.
Don't get tempted to even go there, it is a TRAP!
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: goldenone on August 05, 2013, 03:40 pm
DBR, or anybody who is security conscious will not have JS enabled on Tor for any sites, also they would use linux, even use a text browser like lynx. So if they to attempt to grab low end users that browse the deepnet with JS enabled and use Windows with the most used bundle browser available out ther, it does not mean that SR or DBR is compromised in any way. It does mean that low hanging fruits will always fall from the tree. Those that know that this is serious stuff, that enemies do exists, and that take seriously security protocols will be much much harder to get for LE or any kind of enemy.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: ThisUsernameIsTaken on August 05, 2013, 05:01 pm
Go to No script options > Embedding > disable iFrame if you want to turn it off.

While you're there, forbid Java as well.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: sharonneedles on August 05, 2013, 05:12 pm
Just to be sure, how do I ensure that my javascript is not enabled? Thanks
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: GetUp on August 05, 2013, 05:27 pm
Roger Dingledine from the TOR project posted a security advisory about the exploit.
It sums up everything you need to know about this issue (clearnet) : https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.html
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: WhiteShark on August 05, 2013, 05:47 pm
Just to be sure, how do I ensure that my javascript is not enabled? Thanks

 disabling JavaScript (click the blue
  "S" beside the green onion, and select "Forbid Scripts Globally").
  Disabling JavaScript will reduce your vulnerability to other attacks
  like this one, but disabling JavaScript will make some websites not work
  like you expect. A future version of Tor Browser Bundle will have an
  easier interface for letting you configure your JavaScript settings [11].
  You might also like Request Policy [12]. And you might want to randomize
  your MAC address, install various firewalls, etc.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: abitpeckish on August 05, 2013, 07:51 pm
TLDR:

Always encrypt any and all personally and potentially personally identifying information when sending it to others, regardless of whether or not you trust that person or the administrators of the service you are using to do so.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Mr. Fluffles Schrodinger on August 05, 2013, 07:52 pm

NEVER trust a third-party site (of whatever nature) with YOUR info, neither SR or any other community/business for that matter. ALWAYS encrypt your information so that only YOU can read it.


Worth repeating.

People who encrypted everything are breathing easily right now. 



What if DPR used tormail or other FH service and he was tracked down too? He should sign his messages now to prove they are most likely written by him, especially after an incident like this.

Calm down now...

http://dkn255hz262ypmii.onion/index.php?topic=196518.0


What should we do? =(

Step up our game and be more diligent.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 05, 2013, 08:40 pm
This is a good example of where using WiFi of a neighbor from home could protect you. There are a lot of people out there right now who know they are probably pwnt by the FBI. The ones who used a neighbors WiFi in addition to Tor have revealed their hostname, mac address and their neighbors IP address. If they destroy their networking card, wipe their drives and use a new hostname (and hopefully didn't name their computers after themselves to begin with) and stop using their neighbors WiFi (and probably stop using Tor from home themselves now), they are still not likely to be deanonymized. The people who used their own internet and fell victim to this attack are totally fucked. This is the unlinkability of using a neighbors WiFi that I was discussing in the past. They would be even better off if they used WiFi from a random location, then they would be safer to continue using Tor from home.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: The Scientist on August 05, 2013, 08:50 pm
Just to be sure, how do I ensure that my javascript is not enabled? Thanks

 disabling JavaScript (click the blue
  "S" beside the green onion, and select "Forbid Scripts Globally").
  Disabling JavaScript will reduce your vulnerability to other attacks
  like this one, but disabling JavaScript will make some websites not work
  like you expect. A future version of Tor Browser Bundle will have an
  easier interface for letting you configure your JavaScript settings [11].
  You might also like Request Policy [12]. And you might want to randomize
  your MAC address, install various firewalls, etc.

Does 'forbid scripts globally' automatically forbid java script?

Because when I go into the Noscript options, it says nothing about javascript, only Java.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Nero on August 05, 2013, 10:28 pm
Are we sure that the only way to be exposed to the exploit is visiting an FH website while running a non-recent version of firefox/Tor on a Windows computer?

That seems way too specific for me to believe it.

Unless people who look up CP all use the same setup. It sounds like theyre just trying to round up the low hanging fruit because all of this is easily avoidable with even a modicum of electronic security.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: MarcelKetman on August 05, 2013, 10:34 pm
Ok. I don't want to be a FUD slinger myself. But how many of you guys have been using privnote.com?

What's privnote got to do with this pray tell?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: SmokesHisBroccoli on August 05, 2013, 10:37 pm
So on the first page it says the time frame that we know of is at least the past few days if you visited a FH hosted site you may have been infected.  I assume that means if you're like me and you haven't used tormail in months then you're still anonymous?  What's stopping someone from doing this same "trick" to SR?  I'm not as into computer programming but maybe one of you knows how the FBI or government might try to use this same trick with SR and what we might be able to do to prevent ourselves from falling into the trap.  Do we need to be nervous about visiting this site or the SR site?  I'd hate to think just accessing SR on my web browser would tell authorities my IP address and who I am. 
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: offbeatadam on August 05, 2013, 10:44 pm
So, first: Someone asked about emails that have been deleted being read. It depends - most email systems have a recycle bin type system, where you move mail to the trash and then it is deleted after a certain amount of time. It is only deleted if you specifically force it. I could go into the possibility of disk recovery, but chances are tormail does enough data writes to at least make that a little hard for the FBI to do.

Javascript itself, as in, the language itself, has no ability what-so-ever to obtain an ip address, or any other information not available from the browser.

However, and I want to be very, very clear on this: The internet itself, has methods for doing so. Every request you make, produces that information in the header requests. There are many sites on the web that do a very simple thing, displaying your public IP address (whatsmyip.org for example). The FBI need only set up a site that records that request when the javascript says hello. It's that simple. They'll know more too, unless you've take the time to obfuscate your browser information. And, depending on how invasive the exploit was, they could also hijack the browser itself, examining information generated from the proxy connection that it makes to the tor client. This would take a lot of effort and is unlikely, but the former part is extremely easy - and its one of the easiest ways for a site to know you are coming from a TOR exit node.

Most of that information is inconsequential though. It barely stands up in court for RIAA/MPAA lawsuits. The concept that an IP address makes any one person in a household guilty of anything is flimsy at best. The only time it matters, is in situations like tracking numbers - when you access a tracking number from TOR they don't need the IP. They know it was either the sender or the receiver that did it, and they've got that info. Otherwise an IP address is as useless as tits on a bull.

Now, the articles regarding the freedom hosting crackdown are all rather clear on the matter. The guy was operating a service that allowed the distribution of CP. That is a federal offense - just simply being that person who does that. It's trafficking.

This is TOR. It was created BY a US agency that is far more notorious for clandestine invasions of privacy than the FBI - and if you think they don't know you from these forums or from SR you're being naive. TOR is one of those means to an end that the agencies allow. The reason is simple: because it allows them to catch the fucks like Eric Eoin Marques and prosecute them. It also allows them to catch terrorists and other persons of interest that would normally be invisible - and be very aware that they would be invisible. Bin Laden evaded for the length of time that he did because he was invisible - he didn't participate in anything that would have demonstrated his identity to any form of surveilance, even in the face of his neighbors. We are miniscule to this goal. Our presence is of value to them: because it hides them in the open. Determining information about the user behind a TOR connection is not impossible, and the ability to do so has been around in public hands for a while now... there is no reason why they wouldn't have it either.

So, before we go conspiracy theory on this bitch, think about that. The FBI, the NSA and the CIA have had crap like this going on since before SR. It's naive to believe otherwise, and its stupid to act like you don't need to protect yourself from it. So, to say it a third or fourth time: If you operated believing TOR was the only protection you needed, that you were safe simply because you connected via TOR, then you were wrong. The documentation on TOR, on the website, and on the many many other discussions on TOR and personal security/privacy... here, and otherwise... says the same.

Now, as for an answer on how to avoid things like this.

First, these agencies are all dependant on one thing: money. They will not throw a ton of money to have 100% coverage - they will go for the largest base of evidentiary capture and hit that, as that is the most efficient thing to do. They'll usually also judge it by the availability of an exploit. Because of this, do yourself a favor... use a browser that isn't on that list. Use a browser that does not allow vectors like plugins and enhanced code. Use a browser that does not have all of the creative bells and whistles that make things look pretty. Become a minority and you reduce your chances of being a part of a funded group.

Second, read the news. Stay informed. The worst thing you can do is stay oblivious to the happenings. This means speculating too.

Third, be smart about what you do. Encrypt, destroy, don't record, do whatever it takes. Be prepared so when something does happen you don't have to be the one in this thread that is in a state of panic. If its truly that hard, don't use a permanent system to perform these tasks - use a live environment off a thumb drive or a DVD, like the few that have been mentioned on this thread and in the forums. Don't use a username that is easily associated to you in the real world. Don't use the same email username on tormail that you use elsewhere.

Fourth, rely on others only if it is absolutely unavoidable. TorMail is not necessary for anything done here, nor is privnote. Be diligent and think before you do something. If a vendor doesn't give a method for encryption when they can't use PGP, then chances are you shouldn't use that vendor. Most of those vendors use TorChat as well - which is 1000x better than TorMail with OR without PGP.

And last, if something happens out of the ordinary, it is better to err on the side of caution. Don't go back to that place. Erase it from your memory. Ignore it. Assume it has been compromised until you are told otherwise. If you followed the prior 4 steps, then this shouldn't be hard to do.

Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 05, 2013, 11:21 pm
Are we sure that the only way to be exposed to the exploit is visiting an FH website while running a non-recent version of firefox/Tor on a Windows computer?

That seems way too specific for me to believe it.

Unless people who look up CP all use the same setup. It sounds like theyre just trying to round up the low hanging fruit because all of this is easily avoidable with even a modicum of electronic security.

It seems the vulnerability itself is exploited with javascript, so that is why only users with javascript enabled are affected. Who knows why they only targeted Windows, the same exploit works theoretically against Linux as well but the payload was analyzed and it makes several Windows specific OS calls and will not work on Linux. The attack is not a 0-day but rather an exploit that was published a little over a month ago, which explains why the most recent browser is not affected. It is entirely possible that they didn't want to release a 0-day for analysis, and most people using Tor are thought to be using outdated Browser Bundles on Windows. The attacker was probably pretty sure that whatever attack they used would be analyzed to hell and back by a shit ton of security researchers. Also, 0-day attacks are usually used for really really high priority targets, they are more likely to burn one of those on somebody who has like kidnapped a child and is holding them ransom, or a suspected terrorist, than they are somebody who is running even the biggest CP site in the world.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: bbcooltwo on August 05, 2013, 11:25 pm
+1
for all of you and your informations!
Thats a strong and great community!
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Nero on August 05, 2013, 11:45 pm
Are we sure that the only way to be exposed to the exploit is visiting an FH website while running a non-recent version of firefox/Tor on a Windows computer?

That seems way too specific for me to believe it.

Unless people who look up CP all use the same setup. It sounds like theyre just trying to round up the low hanging fruit because all of this is easily avoidable with even a modicum of electronic security.

It seems the vulnerability itself is exploited with javascript, so that is why only users with javascript enabled are affected. Who knows why they only targeted Windows, the same exploit works theoretically against Linux as well but the payload was analyzed and it makes several Windows specific OS calls and will not work on Linux. The attack is not a 0-day but rather an exploit that was published a little over a month ago, which explains why the most recent browser is not affected. It is entirely possible that they didn't want to release a 0-day for analysis, and most people using Tor are thought to be using outdated Browser Bundles on Windows. The attacker was probably pretty sure that whatever attack they used would be analyzed to hell and back by a shit ton of security researchers. Also, 0-day attacks are usually used for really really high priority targets, they are more likely to burn one of those on somebody who has like kidnapped a child and is holding them ransom, or a suspected terrorist, than they are somebody who is running even the biggest CP site in the world.

Great info here, thanks kmf, +1.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: offbeatadam on August 05, 2013, 11:59 pm
Are we sure that the only way to be exposed to the exploit is visiting an FH website while running a non-recent version of firefox/Tor on a Windows computer?

That seems way too specific for me to believe it.

Unless people who look up CP all use the same setup. It sounds like theyre just trying to round up the low hanging fruit because all of this is easily avoidable with even a modicum of electronic security.

It seems the vulnerability itself is exploited with javascript, so that is why only users with javascript enabled are affected. Who knows why they only targeted Windows, the same exploit works theoretically against Linux as well but the payload was analyzed and it makes several Windows specific OS calls and will not work on Linux. The attack is not a 0-day but rather an exploit that was published a little over a month ago, which explains why the most recent browser is not affected. It is entirely possible that they didn't want to release a 0-day for analysis, and most people using Tor are thought to be using outdated Browser Bundles on Windows. The attacker was probably pretty sure that whatever attack they used would be analyzed to hell and back by a shit ton of security researchers. Also, 0-day attacks are usually used for really really high priority targets, they are more likely to burn one of those on somebody who has like kidnapped a child and is holding them ransom, or a suspected terrorist, than they are somebody who is running even the biggest CP site in the world.

Chances are the reason for windows is a monetary one. The goal should be wide ranging and effective in a short timeframe, while being effective on the cost to execute. That almost universally means windows. I would also suspect that they would at the very least look statistically at the relative chance that someone would be running the affected version. More often than not, a linux (or mac) user is statistically going to examine updates and execute them more often than on windows... this not only stems from an ignorance factor but also from a trust issue... windows update alone in the past has caused more trouble than its been worth. So, at the very least if I were making the decision, I'd go after windows users.

Also you make a really good point. The person who did this, or rather who designed this attack, planned for our speculation. Chances are they accomplished already what they wanted to accomplish - if an arrest hasn't been made, its incoming (or if a situation hasn't been handled, its close). If not, the situation was far worse than any of them thought.

The articles that don't deal with the engineering side of this have pretty well spelled it out - this is a CP case. Anything else is probably irrelevant or at the very least collateral damage (or, for them, useful evidence that is useless to the case at hand).

I would bet that they developed this with something specific in mind. Expanding from my windows inference earlier and the concept kmf established, chances are they already knew what the habits of the person(s) they were targeting were. As kmf said, its already pretty well known (and well accepted) that the majority of those on the tor network are using outdated software, and the majority of those users are also using prepackaged run-and-gun packages to get up and going as fast as possible. That in and of itself breeds in exploitation risk. At the very least, I don't lump the CP crowd in with particularly intelligent species... but necessity breeds invention, and they've been requiring to hide for quite some time now. I would suspect that there is a rather specific core set of users, that are largely unaffected by this attack.. but their support structure was probably at least catalogued by it. That will eventually lead to the effective knowledge of the leaders... that is how we caught bin laden after all... communication between underlings.

To be completely honest folks, while it is scary if they truly index the information on tormail related to SR type offenses, I would really just like to note that they took down freedom hosting for CP and, given that it was a rather large host, I will speculate they've got their hands full.

In the future, another recommendation with things like mail: if you want something anonymous, or at the very least in your control, use pop3 - imap as a protocol stores its messages on the server and pop3 does not. If you connect using pop3, all of the information on the server is gone. You can do as you wish with that data locally after that. Don't use the web panel.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: BruceCampbell on August 06, 2013, 12:27 am
Ok. I don't want to be a FUD slinger myself. But how many of you guys have been using privnote.com?

What's privnote got to do with this pray tell?

Privnote is a third party site requiring javascript that a fuckton of people use to send sketchy information. So I am now against privnote.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 06, 2013, 12:32 am
The core CP community will be completely unphased by this, they have been studying computer security for twenty+ years and are more likely to use OpenBSD or Qubes than they are to use Windows. Freedom Hosting was actually pretty secure from a technical perspective, it will be really interesting to see how they took it down. It is beyond a doubt the most secure CP site that has ever been compromised, by a huge margin. My guess is that the people fucking with CP are going to ditch Tor and I2P at this point and move entirely to Freenet, which is already the network with the most CP on it. Feds cannot really hack CP on Freenet to remove it, and they cannot really put exploit code on a site on Freenet. CP traders are much more secure to download image files off Freenet without ever using a browser, and then opening the files on computers without access to the internet. That is likely what the most skilled CP traders have been doing all along.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: marrti on August 06, 2013, 02:03 am
I happened to be running the vulnerable browser with JS on and I clicked on a pedo link while exploring the hidden wiki on the 3rd. Should I expect a raid soon ? I'm not in located in the USA.
I've never had any illegal material on my PC, and I'm not a pedo, so they'll probably let me go after 24h, but being investigated for accessing pedo sites could completely ruin my life forever. It could destroy it.
Any idea how to prevent this or prepare for it ? Or maybe what to explain ?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 06, 2013, 02:29 am
I happened to be running the vulnerable browser with JS on and I clicked on a pedo link while exploring the hidden wiki on the 3rd. Should I expect a raid soon ? I'm not in located in the USA.
I've never had any illegal material on my PC, and I'm not a pedo, so they'll probably let me go after 24h, but being investigated for accessing pedo sites could completely ruin my life forever. It could destroy it.
Any idea how to prevent this or prepare for it ? Or maybe what to explain ?

Safest bet for you is to wipe hard drive, destroy networking card and get a new one, change hostname (hopefully it was not your own), get a wireless router anonymously with cash and leave it open and stop using Tor, get a lawyer as soon as police contact you or if you cannot do that in your country say you have no clue what happened.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: zerostate976 on August 06, 2013, 02:36 am
I happened to be running the vulnerable browser with JS on and I clicked on a pedo link while exploring the hidden wiki on the 3rd. Should I expect a raid soon ? I'm not in located in the USA.
I've never had any illegal material on my PC, and I'm not a pedo, so they'll probably let me go after 24h, but being investigated for accessing pedo sites could completely ruin my life forever. It could destroy it.
Any idea how to prevent this or prepare for it ? Or maybe what to explain ?

hard to feel bad for you, dont click on pedo sites. Dot a pedo but look at the sites?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 06, 2013, 03:22 am
I happened to be running the vulnerable browser with JS on and I clicked on a pedo link while exploring the hidden wiki on the 3rd. Should I expect a raid soon ? I'm not in located in the USA.
I've never had any illegal material on my PC, and I'm not a pedo, so they'll probably let me go after 24h, but being investigated for accessing pedo sites could completely ruin my life forever. It could destroy it.
Any idea how to prevent this or prepare for it ? Or maybe what to explain ?

hard to feel bad for you, dont click on pedo sites. Dot a pedo but look at the sites?

Hard to feel bad for the people who used Tor Mail to place drug orders. Don't order drugs on the internet. Not a drug addict but order drugs on the internet??
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: SmokesHisBroccoli on August 06, 2013, 03:31 am
Does anybody know if this was just in the past few days or could we have been exposed earlier?

I haven't logged into tormail for at least a month and def no other FH sites.  If I meet all the browser/java criteria could I have still been exposed that far back? 
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: anonymart on August 06, 2013, 03:56 am
I actually think TBB and tails comes with javascript auto disabled is this not right?

No, javascript is enabled by default I think. I remember I had to turn mine off.

This is true, Every single time I update my Tor browser the first thing I do is to disable javascripts and I never go to any link any one sends me bc that is a way of fishing for IP addresses.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: q on August 06, 2013, 05:04 am
Does anybody know if this was just in the past few days or could we have been exposed earlier?

I haven't logged into tormail for at least a month and def no other FH sites.  If I meet all the browser/java criteria could I have still been exposed that far back?
At least 2 weeks I have heard. But noone knows for sure.

I also want to say that there could have been another payload when the exploit was still undetected, as soon as the word spread they could have changed payload.
If you believe you might have exposed yourself earlier, wipe your comp and install a clean system with new encryption. It does not take much time and work to do it, and it's always better to take a few extra safety precautions then doing nothing.

Someone said they have put Tormail online again, and if you log in you can't log out properly. They might be fishing for people to decrypt their mails by logging in. So never visit tormail again.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 06, 2013, 05:16 am
Does anybody know if this was just in the past few days or could we have been exposed earlier?

I haven't logged into tormail for at least a month and def no other FH sites.  If I meet all the browser/java criteria could I have still been exposed that far back?
At least 2 weeks I have heard. But noone knows for sure.

I also want to say that there could have been another payload when the exploit was still undetected, as soon as the word spread they could have changed payload.
If you believe you might have exposed yourself earlier, wipe your comp and install a clean system with new encryption. It does not take much time and work to do it, and it's always better to take a few extra safety precautions then doing nothing.

Someone said they have put Tormail online again, and if you log in you can't log out properly. They might be fishing for people to decrypt their mails by logging in. So never visit tormail again.

Not likely to be more than one week.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: noinoi on August 06, 2013, 05:38 am
Is the road already being used the same way?
seems they've recently got some muuch better hackers...related to all the people that went down after Lulzec?
Do we cancel orders? Sounds like we're all fucked.
Pretty much anyone who's viewed any image at all on deepweb in the last 2weeks + will be assumed to have been looking at cp!??
wtf??

Didnt SR go down just recently for "maintainance"?? ....cool shit man.

Can someone explain why not?

would make sence - difference between cp and drugs is you gota order, looking isnt illegal...so they have to stay under the radar for longer?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: marrti on August 06, 2013, 06:21 am
I happened to be running the vulnerable browser with JS on and I clicked on a pedo link while exploring the hidden wiki on the 3rd. Should I expect a raid soon ? I'm not in located in the USA.
I've never had any illegal material on my PC, and I'm not a pedo, so they'll probably let me go after 24h, but being investigated for accessing pedo sites could completely ruin my life forever. It could destroy it.
Any idea how to prevent this or prepare for it ? Or maybe what to explain ?

Safest bet for you is to wipe hard drive, destroy networking card and get a new one, change hostname (hopefully it was not your own), get a wireless router anonymously with cash and leave it open and stop using Tor, get a lawyer as soon as police contact you or if you cannot do that in your country say you have no clue what happened.
Hey I'm not afraid of prosecution because I haven't actually browsed CP, just clicked on the link. This is not enough to convict me in my country. But an investigation like this will ruin my lfie. I want to prevent them raiding my home...
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: astor on August 06, 2013, 07:38 am
Are we sure that the only way to be exposed to the exploit is visiting an FH website while running a non-recent version of firefox/Tor on a Windows computer?

That seems way too specific for me to believe it.

Unless people who look up CP all use the same setup. It sounds like theyre just trying to round up the low hanging fruit because all of this is easily avoidable with even a modicum of electronic security.

It seems the vulnerability itself is exploited with javascript, so that is why only users with javascript enabled are affected. Who knows why they only targeted Windows, the same exploit works theoretically against Linux as well but the payload was analyzed and it makes several Windows specific OS calls and will not work on Linux. The attack is not a 0-day but rather an exploit that was published a little over a month ago, which explains why the most recent browser is not affected. It is entirely possible that they didn't want to release a 0-day for analysis, and most people using Tor are thought to be using outdated Browser Bundles on Windows. The attacker was probably pretty sure that whatever attack they used would be analyzed to hell and back by a shit ton of security researchers. Also, 0-day attacks are usually used for really really high priority targets, they are more likely to burn one of those on somebody who has like kidnapped a child and is holding them ransom, or a suspected terrorist, than they are somebody who is running even the biggest CP site in the world.

I would add, based on my reading of the exploit, that you would have had to visit the FH main onion address, the Tormail web site, and perhaps some specific CP sites hosted on FH. The exploit set a cookie and had to be run from each site you visited to update your Tor Browser cookies with a specific ID. I haven't seen any evidence that they served the exploit on all onion addresses that were hosted on FH.

I think the bigger issue for this community is all the intel they are going to gather from unencrypted Tormail messages.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: astor on August 06, 2013, 07:41 am
So, first: Someone asked about emails that have been deleted being read. It depends - most email systems have a recycle bin type system, where you move mail to the trash and then it is deleted after a certain amount of time. It is only deleted if you specifically force it. I could go into the possibility of disk recovery, but chances are tormail does enough data writes to at least make that a little hard for the FBI to do.

The FH main page used to say that they make daily backups which are saved for one month, and I have talked to someone who emailed the Tormail admin and asked for a deleted message to be restored, and it was. It had been deleted a few weeks prior. So I can confirm that deleted messages were saved (probably in back ups on another server) for at least one month.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: marrti on August 06, 2013, 07:43 am
Is there any way to get the exploited code and test it locally (with internet shut off) to see what it does ? Where can I download it ?
And what do you mean by "executed binary code". What system process does this associate with ? I have a software firewall that might have blocked it.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: Yama Dass on August 06, 2013, 08:06 am
Is there any way to get the exploited code and test it locally (with internet shut off) to see what it does ? Where can I download it ?
And what do you mean by "executed binary code". What system process does this associate with ? I have a software firewall that might have blocked it.

https://www.cryptocloud.org/viewtopic.php?f=9&t=2894&p=3852#p3849
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: marrti on August 06, 2013, 08:48 am
It doesn't answer my question if a software firewall could have stopped the executable from accessing the internet.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 06, 2013, 11:26 am
It doesn't answer my question if a software firewall could have stopped the executable from accessing the internet.

it could have
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: kmfkewm on August 06, 2013, 11:30 am
Are we sure that the only way to be exposed to the exploit is visiting an FH website while running a non-recent version of firefox/Tor on a Windows computer?

That seems way too specific for me to believe it.

Unless people who look up CP all use the same setup. It sounds like theyre just trying to round up the low hanging fruit because all of this is easily avoidable with even a modicum of electronic security.

It seems the vulnerability itself is exploited with javascript, so that is why only users with javascript enabled are affected. Who knows why they only targeted Windows, the same exploit works theoretically against Linux as well but the payload was analyzed and it makes several Windows specific OS calls and will not work on Linux. The attack is not a 0-day but rather an exploit that was published a little over a month ago, which explains why the most recent browser is not affected. It is entirely possible that they didn't want to release a 0-day for analysis, and most people using Tor are thought to be using outdated Browser Bundles on Windows. The attacker was probably pretty sure that whatever attack they used would be analyzed to hell and back by a shit ton of security researchers. Also, 0-day attacks are usually used for really really high priority targets, they are more likely to burn one of those on somebody who has like kidnapped a child and is holding them ransom, or a suspected terrorist, than they are somebody who is running even the biggest CP site in the world.

I would add, based on my reading of the exploit, that you would have had to visit the FH main onion address, the Tormail web site, and perhaps some specific CP sites hosted on FH. The exploit set a cookie and had to be run from each site you visited to update your Tor Browser cookies with a specific ID. I haven't seen any evidence that they served the exploit on all onion addresses that were hosted on FH.

I think the bigger issue for this community is all the intel they are going to gather from unencrypted Tormail messages.

To the best of my understanding they did indeed inject it into all sites hosted by freedom hosting.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: astor on August 06, 2013, 12:58 pm
To the best of my understanding they did indeed inject it into all sites hosted by freedom hosting.

Interesting. Thanks for the info.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: astor on August 06, 2013, 02:05 pm
There are still puzzling aspects to this story. I read the original article in the Irish newspaper, which you can find here:

http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html

It says that FH admin was arrested Thursday, contrary to every other report I've read, which said Sunday.

Can anyone remember when exactly FH went offline? I'm thinking it was Tuesday or Wednesday of last week. Now why would that happen? Did LE seize the server before they arrested the operator? Surely they wouldn't do that or it would tip him off. Did they add the exploit to the server at that time? Maybe he discovered the exploit and took the server offline himself. I'd like to find the answers to these questions.

He's been in custody since his arrest, so when the maintenance page came up, that was definitely run by LE. If they didn't seize the server outright, they had enough control over it to add that page along with the exploit code.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: toejammer on August 06, 2013, 04:24 pm
good questions.. the arrested thursday and stated sunday.. thats a propaganda piece by the us.. they never want to give the correct answers.. y.. control..

as for the tormail front page. I have been to tormail in the past where the homepage from time to time was taken over by hacker groups. it goes back online shortly after that. ALSO.....

if there is no real drives for tormail and nothing to access for info as it all sits on relays.. then how are the feds getting the info from our accounts?? hermm.
ALSO if its not even a server on US soil then why grab the fredom hosting guy and why the tormail guy.. Fuck... if this is the case y not go after google or c&^cast cause those could be at fault as well..they are providing internet service to these people as well. U cant tell me EVERY C.P. person ONLY used tor and ONLY used FH.THEY have to be able to connect to the internet. SOMEWAY...just from those questions i am SURE there is a van of agents on the way for me but really there are too many holes here. ones that need to be rammed with a big fat non lubed thorny stick..
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: MarcelKetman on August 06, 2013, 04:41 pm
There are still puzzling aspects to this story. I read the original article in the Irish newspaper, which you can find here:

http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html

It says that FH admin was arrested Thursday, contrary to every other report I've read, which said Sunday.

Can anyone remember when exactly FH went offline? I'm thinking it was Tuesday or Wednesday of last week. Now why would that happen? Did LE seize the server before they arrested the operator? Surely they wouldn't do that or it would tip him off. Did they add the exploit to the server at that time? Maybe he discovered the exploit and took the server offline himself. I'd like to find the answers to these questions.

He's been in custody since his arrest, so when the maintenance page came up, that was definitely run by LE. If they didn't seize the server outright, they had enough control over it to add that page along with the exploit code.

Tormail was down so often, it could just be coincidence it was down two days before the arrest. It may not be of course too but it was so unrealiable, you never know.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: colorblack on August 06, 2013, 04:49 pm
So the exploit does NOT apply to computers running Mac OS? This is Windows specific?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: NorthernStar on August 06, 2013, 05:18 pm
So the exploit does NOT apply to computers running Mac OS? This is Windows specific?
Affirmative.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: turningjapanese on August 06, 2013, 07:24 pm
Can someone explain to me what the exploit is, in laymens terms? NVM I DID SOME READING LIKE A GOOD BOY : )
 
Should I relax about all this Tormail biz since I run Mac OS? or are they two different things? Sorry for all the Q's.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: farmer1 on August 06, 2013, 07:36 pm
Can someone explain to me what the exploit is, in laymens terms? NVM I DID SOME READING LIKE A GOOD BOY : )
 
Should I relax about all this Tormail biz since I run Mac OS? or are they two different things? Sorry for all the Q's.

1. Any data that was hosted by Freedom Hosting should be considered compromised. This includes anything sent or received over Tormail.

2. If you visited any .onion site hosted by FH in the past couple weeks, you had javascript enabled, you weren't running the latest version of Tor, and you were running windows, then your computer may have sent your MAC address and IP address to the US government.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: richporter on August 06, 2013, 07:38 pm
Hold on a minute can someone please answer a really simple question:

OK the S symbol in between the onion and the address bar on my Tor browser when I click on it, the second option down says "allow scripts globally (dangerous)" now am I correct in thinking that If I clicked on this the message would change to "forbid scripts globally" (i.e. the setting I now have it on)? But then when I go into the NoScript options embeddings tab the forbid java box is unchecked and also within the tor browser options content tab the Enable Javascript box is checked, which is the overriding setting here? Shouldn't it it be the forbid scripts globally option in NoScript that the browser was set up with as default?

Also since I updated my Tor browser the last time (late June I think) I saw the exclamation mark over the onion next to the address bar (to v.17.0.7 - just checked) won't that mean that this attack won't affect me and if I keep on updating my browser as soon as I see the exclamation mark notification then I'll be immune from similar attacks in the future?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: colorblack on August 06, 2013, 11:14 pm
Can someone explain to me what the exploit is, in laymens terms? NVM I DID SOME READING LIKE A GOOD BOY : )
 
Should I relax about all this Tormail biz since I run Mac OS? or are they two different things? Sorry for all the Q's.

1. Any data that was hosted by Freedom Hosting should be considered compromised. This includes anything sent or received over Tormail.

2. If you visited any .onion site hosted by FH in the past couple weeks, you had javascript enabled, you weren't running the latest version of Tor, and you were running windows, then your computer may have sent your MAC address and IP address to the US government.

Jesus. Not good. Hope everyone is and stays safe! But this too shall pass..
Personally I use a Mac and PGP the fuck out of everything.. but who knows that's on tormail.

Question for DPR - Obviously without getting into specifics.. should we rest assured some mechanism is in place that in the unlikely/horrible event that the SR server was compromised or located or .. (and I say this with confidence that we know you're too smart for "them") God forbid you were located.. is there a kill/wipe/selfdestruct "nuclear" plan on all data/PMs/transaction history/logs?

Basically, are we, the SR community insured?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: PoolPlaya on August 07, 2013, 12:03 am


I think the bigger issue for this community is all the intel they are going to gather from unencrypted Tormail messages.

True, and just think of all the activity with TORmail when the attacks hit SR  a few months back.  People were doing business thru TORmail.  I have seen more then enough vendors using questionable practices on a ongoing basis, it's not a stretch to think many likely didn't use PGP when sending messages.  And there's so many customers that don't even know how to use PGP, I'll bet many thought using TORmail by itself, was secure enough.

It's not much, but I'll bet there's nothing more that bugs a LEO then finding email correspondence between 2 people of interest, but they used PGP and all they can do is look at a pile of characters and wonder what juicy info is inside.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: astor on August 07, 2013, 12:40 am
Yeah, I have already read posts and heard personally from vendors who admitted to sending plaintext emails to their sources. This isn't just about buyers getting compromised re the BlueGiraffe fiasco, but vendor sources. Some vendors source their drugs from clearnet chemical companies and other suppliers that don't give a fuck about PGP. This has the potential to compromise a lot of shit.
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: TMan99 on August 07, 2013, 01:33 am
Why would tails by default have javascript enabled?

How can I disable javascript on tails?
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: hornblower on August 07, 2013, 07:11 am
Can anyone describe the server maintenance page that was put up on the FH servers?

When the news started flooding into the forum, I panic-assumed that I hit the js infected maintenance page (following bud porn links NOT cp, and I'm not even certain that the link even took me to an FH server) but it occurred to me earlier that I just might have hit a server unavailable page (or something similar) which I'm so used to seeing when following forum links to bud porn (a very plain, white html page displaying a line of text).

If the server maintenance page was more elaborate than that, I'm certain I would have noticed before I closed the tab.

If anyone actually hit the maintenance page could you try to give a description of it (graphics, images or colors, if any)?

tia
Title: Re: ATT DPR: In-depth analysis on Freedom Hosting/TORMAIL Crackdown.
Post by: hornblower on August 08, 2013, 02:01 am
Kinda feel like I'm talking to myself here but I thought I could share something that might help relieve some people, since it did for me.  I suspect that the majority of people here are predominantly worried over the potential tormail exposure (this doesn't help them in any way), but if there's any concern, as I was, about image links to an FH server from here, it looks to be OK.

After some light digging, I discovered something that was totally unknown to me but maybe common knowledge to most everyone else.  FH operated on an invite/pay system (is this correct?).  It then occurred to me that it was unlikely that bud reviewers would be using a pay/invite image uploading service.

In any case, I found a site that listed all onion sites that went down during the rumored FBI take down ( I say all but there's no way, at least for me, to determine if it's exhaustive or accurate, and there is one glaring omission, tormail.)  But I could only find one image uploading service on that list, and a search here on the forums for that domain name came up empty so there actually might not be any FH bud porn image links here.  :D

http://uscyberlabs.com/blog/2013/08/05/freedom-hosting-tor-website-list-tangodown/