To: tor-talk@lists.torproject.org
References: <k8zvpue--3-0@tutanota.com> <56a85c39.6080502@ahmia.fi>
 <DC644F66E44.00000281beatthebastards@inbox.com>
 <DD9B1122-4B5E-4206-B5C5-1722883675A9@riseup.net>
From: Juha Nurmi <juha.nurmi@ahmia.fi>
Message-ID: <56B4BEF7.2020608@ahmia.fi>
Date: Fri, 5 Feb 2016 17:25:43 +0200
In-Reply-To: <DD9B1122-4B5E-4206-B5C5-1722883675A9@riseup.net>
Subject: Re: [tor-talk] Warning: 37 new booby trapped onion sites

Hi,

> Is there any way to somehow automate the process? (The developer in
> me coming out)
> 

Absolutely.

> I ask because this seems like something that you will be doing
> perpetually. Something like an algorithm that can compare
> percentage match of heuristics of a database of previous sites
> marked as fake against all new ones and then giving a trust score?
> 
> 

The first way I did this was pretty simple: I compared my real ahmia
(msydqstlz2kzerdg.onion) to the fake one. I scanned them and detected
the difference. The fake ahmia changes URLs to point to fake services.

Now I have several clever methods to detect fake websites.

> I'd be happy to help write something in Python to do this & put on
> github, assuming I can get a decent set of sample data to test
> against.
> 

Thanks! Feel free to do that. I can help :) Share your code and ideas.

> Or would putting it out there publicly allow those creating the
> fake sites to up their game and change their tactics. Seems like
> this will always be a cat & mouse game.
> 

Yes, that's why I am not describing all of my methods publicly. Please
note that the attacker is probably reading this mailing list.

-Juha
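The link-comparison check Juha describes above (scan the genuine site and the clone, then look for rewritten onion links), written out as an added Python example that is not Juha's or Ahmia's own code. The two HTML snapshots and every onion address in them are constructed placeholders, and the "trust score" is simply the share of shared onion links the clone points elsewhere.

```python
import re
from urllib.parse import urlparse

# Constructed sample snapshots (not captures of any real site): the genuine
# page and a mirrored copy in which one onion link has been redirected.
REAL_HTML = """
<a href="http://aaaaaaaaaaaaaaaa.onion/">Example market</a>
<a href="http://bbbbbbbbbbbbbbbb.onion/login">Example forum</a>
<a href="https://www.torproject.org/">Tor Project</a>
"""
FAKE_HTML = """
<a href="http://aaaaaaaaaaaaaaaa.onion/">Example market</a>
<a href="http://zzzzzzzzzzzzzzzz.onion/login">Example forum</a>
<a href="https://www.torproject.org/">Tor Project</a>
"""

# Matches <a ... href="..."> text </a>; good enough for flat link listings.
ANCHOR_RE = re.compile(
    r'<a\s[^>]*href\s*=\s*["\']([^"\']+)["\'][^>]*>(.*?)</a>', re.I | re.S
)


def extract_links(html):
    """Return {anchor text: hostname} for every <a href> on the page."""
    links = {}
    for href, text in ANCHOR_RE.findall(html):
        links[" ".join(text.split())] = urlparse(href).hostname or ""
    return links


def rewritten_links(real_html, fake_html):
    """List (text, real_host, fake_host) for anchors whose host was changed."""
    real, fake = extract_links(real_html), extract_links(fake_html)
    return [(t, real[t], fake[t]) for t in real if t in fake and real[t] != fake[t]]


def rewrite_ratio(real_html, fake_html):
    """Fraction (0.0-1.0) of shared onion links the mirror points elsewhere."""
    real, fake = extract_links(real_html), extract_links(fake_html)
    shared = [t for t in real if t in fake and real[t].endswith(".onion")]
    if not shared:
        return 0.0
    changed = sum(1 for t in shared if real[t] != fake[t])
    return changed / len(shared)


if __name__ == "__main__":
    for text, real_host, fake_host in rewritten_links(REAL_HTML, FAKE_HTML):
        print(f"{text!r}: {real_host} -> {fake_host}")
    print("rewrite ratio:", rewrite_ratio(REAL_HTML, FAKE_HTML))
```

A high ratio on a page that otherwise matches the original byte-for-byte is the signature Juha mentions: identical look, different destinations.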