From: Mirimir <mirimir@riseup.net>
Date: Wed, 13 Aug 2014 18:02:52 -0600
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Wired Story on Uncovering Users of Hidden Services.
Message-ID: <53EBFCAC.3020902@riseup.net>
References: <4dbf80e1a3ae8b182a15ea2af6fa10dc@openmailbox.org>
 <CAKkunMats8JoVc8wqYrMtWE4f0gTA7RVVWirhuJz6t9sA5dDQQ@mail.gmail.com>
In-Reply-To: <CAKkunMats8JoVc8wqYrMtWE4f0gTA7RVVWirhuJz6t9sA5dDQQ@mail.gmail.com>
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>

On 08/13/2014 03:01 PM, Anders Andersson wrote:
> On Wed, Aug 13, 2014 at 12:06 PM,  <blobby@openmailbox.org> wrote:

<SNIP>

>> How, in this case, was it possible for the FBI to learn the IP
>> addresses of visitors to this hidden service? The Tor hidden server
>> page states that "In general, the complete connection between
>> client and hidden service consists of 6 relays: 3 of them were
>> picked by the client with the third being the rendezvous point and
>> the other 3 were picked by the hidden service."
>>
>> Can someone knowledgeable please explain how visitors to a Tor
>> hidden service can have their real IPs detected?
>
> AFAIK the malware used javascript to break the users' browsers. As
> someone who argues against using javascript in any context, I can
> only say "told you so", but that doesn't really help anyone. :)
>
> Because they managed to get in to the client browser, they could
> learn the real IP address and MAC address, they didn't learn this
> through Tor.

This is an old story. Here is an explanation from Wired[0]:

> The heart of the malicious Javascript was a tiny Windows executable
> hidden in a variable named “Magneto.” A traditional virus would use
> that executable to download and install a full-featured backdoor, so
> the hacker could come in later and steal passwords, enlist the
> computer in a DDoS botnet, and generally do all the other nasty
> things that happen to a hacked Windows box.
>
> But the Magneto code didn’t download anything. It looked up the
> victim’s MAC address — a unique hardware identifier for the
> computer’s network or Wi-Fi card — and the victim’s Windows hostname.
> Then it sent it to a server in Northern Virginia, bypassing
> Tor, to expose the user’s real IP address, coding the transmission as
> a standard HTTP web request.
>
> “The attackers spent a reasonable amount of time writing a reliable
> exploit, and a fairly customized payload, and it doesn’t allow them
> to download a backdoor or conduct any secondary activity,” said Vlad
> Tsyrklevich, who reverse-engineered the Magneto code, at the time.
>
> The malware also sent a serial number that likely ties the target to
> his or her visit to the hacked Freedom Hosting-hosted website.

They didn't get the "real" IP address through the browser. Magneto just
sent information to the FBI's server directly, rather than through Tor.
Also, Magneto is a Windows executable ;)

Proper firewall rules would have prevented that leak. Those using Whonix
weren't affected, because nothing in the workspace knows the "real" IP
address (and also because it's Debian, not Windows).

[0] http://www.wired.com/2013/09/freedom-hosting-fbi/
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
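As an added illustration of the "proper firewall rules" point above (example code, not from the thread or from Whonix): an iptables egress policy that lets only the Tor daemon's system user open outbound connections, so a payload that tries to talk to a server directly is dropped and logged instead of reaching it. It assumes Tor runs as Debian's default user debian-tor; the iptables-save dumps used for the self-check are constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the thread: a "Tor-only egress" iptables policy of
# the kind Mirimir alludes to. Only the Tor daemon's system user may open
# outbound connections; a process that tries to reach the network directly
# (as the Magneto payload did with a plain HTTP request) is logged and
# dropped, direct DNS lookups included.
# Assumptions: Tor runs as Debian's default user "debian-tor" and listens on
# loopback; IPv6 egress is simply dropped. Replies to inbound services are
# also blocked by this minimal policy; add a conntrack ESTABLISHED rule if
# the host runs any.
set -eu
TOR_USER="${TOR_USER:-debian-tor}"

# Print the rules instead of applying them, so the policy can be reviewed
# first and then run (as root) with:  tor_only_egress_rules | sh
tor_only_egress_rules() {
    cat <<EOF
iptables -P OUTPUT DROP
iptables -F OUTPUT
iptables -A OUTPUT -o lo -j ACCEPT
iptables -A OUTPUT -m owner --uid-owner $TOR_USER -j ACCEPT
iptables -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "tor-bypass: "
iptables -A OUTPUT -j DROP
ip6tables -P OUTPUT DROP
EOF
}

# Audit an iptables-save dump (read from stdin) for the two properties that
# matter: OUTPUT policy DROP, and an owner-match ACCEPT for a single uid.
# iptables-save prints the uid numerically, so the user name is not matched.
check_iptables_save() {
    dump=$(cat)
    printf '%s\n' "$dump" | grep -q '^:OUTPUT DROP' || return 1
    printf '%s\n' "$dump" | grep -Eq -- \
        '^-A OUTPUT .*--uid-owner [0-9a-z_-]+ -j ACCEPT' || return 2
    return 0
}

# Constructed sample dumps (not captured from a real host) for a self-check.
SAMPLE_LEAKY='*filter
:OUTPUT ACCEPT [0:0]
COMMIT'
SAMPLE_HARDENED='*filter
:OUTPUT DROP [0:0]
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner 109 -j ACCEPT
-A OUTPUT -j DROP
COMMIT'
```

On a live host, run `iptables-save | check_iptables_save` to confirm the policy is actually in force; a non-zero exit means direct egress is still possible.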