Message-ID: <223eaa337204f5f94241636062f9a9e4.webmail@localhost>
Date: Thu, 23 Apr 2015 03:03:57 -0000
From: support@sigaint.org
To: tor-talk@lists.torproject.org
Subject: [tor-talk] SIGAINT email service targeted by 70 bad exit nodes

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello tor-talk,

So apparently we have drawn attention to our humble little email service that
mostly lives inside of the Tor network.

Today we reported 58 bad exit nodes to Philipp. He instantly found 12 more that
we had missed, and there may be even more of them. (Thank you, Philipp!)

FYI: They were added to the BadExit list just hours ago so traffic to them
should dry up.

The attacker had been trying various exploits against our infrastructure over
the past few months. Our exploit mitigations have been sounding various
alarms.

We are confident that they didn't get in. It looks like they resorted to
rewriting the .onion URL located on sigaint.org to one of theirs so they could
MITM logins and spy in real-time.

The attacker doesn't seem to be after passwords (they probably have some of
them now). We get less than 1 user of 42K complaining about their account
being hijacked every 3 months.

I think we are being targeted by some agency here. That's a lot of exit
nodes.

I know we could SSL sigaint.org, but if it is a state-actor they could just
use one of their CAs and mill a key.

Interestingly, we ended up becoming a sort of canary. Those exit nodes may
have been doing other shady stuff as well.

SIGAINT Admin

P.S. My PGP key is here: http://sigaintevyh2rzvw.onion/pubkey.txt

-----BEGIN PGP SIGNATURE-----
Version: GnuPG
-----END PGP SIGNATURE-----
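
A defender-side check for the link rewriting described in the message above, as an added example that is not part of the original post or SIGAINT's own tooling: it compares copies of the clearnet page obtained through different exits against the pinned onion address. The exit labels, the page bodies and the `sigaintaaaaaaaaa` address are constructed sample data, and how the pages are fetched is left out.

```python
import re

# v2 onion addresses (the kind in this 2015 message) are 16 base32 characters.
ONION_RE = re.compile(r"\b([a-z2-7]{16})\.onion\b")
EXPECTED = "sigaintevyh2rzvw"  # address given in the message above

def onions_in(body):
    """All distinct onion addresses linked or mentioned in a page body."""
    return set(ONION_RE.findall(body.lower()))

def shared_prefix(a, b):
    """Length of the common prefix; a long one suggests a vanity lookalike."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def audit(observations, expected=EXPECTED):
    """Map each suspicious exit to (verdict, foreign addresses, lookalike score).

    'rewritten' = an address other than the pinned one appears;
    'stripped'  = the pinned address is gone and nothing replaced it.
    """
    report = {}
    for exit_label, body in observations.items():
        found = onions_in(body)
        if found == {expected}:
            continue  # page arrived with only the pinned address
        foreign = sorted(found - {expected})
        verdict = "rewritten" if foreign else "stripped"
        score = max((shared_prefix(f, expected) for f in foreign), default=0)
        report[exit_label] = (verdict, foreign, score)
    return report

# Constructed sample: the same page as seen through three exits (labels assumed).
SAMPLE = {
    "exit-A": '<a href="http://sigaintevyh2rzvw.onion/">Login</a>',
    "exit-B": '<a href="http://sigaintaaaaaaaaa.onion/">Login</a>',
    "exit-C": "<p>Login is temporarily unavailable</p>",
}

if __name__ == "__main__":
    for label, finding in audit(SAMPLE).items():
        print(label, finding)
```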



