Message-ID: <53CD48B9.6050209@gmail.com>
Date: Mon, 21 Jul 2014 13:07:05 -0400
From: Neuman1812 <neuman1812@gmail.com>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:24.0) Gecko/20100101 Thunderbird/24.6.0
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <20140721143135.GU26986@leitl.org>
In-Reply-To: <20140721143135.GU26986@leitl.org>
Subject: Re: [tor-talk] potential leak on Torpedo

I read this on Reddit, but I have to say: did he say anything new?
Most of what was stated was already known, or at least most guessed at it.


On 07/21/2014 10:31 AM, Eugen Leitl wrote:
> https://pay.reddit.com/r/TOR/comments/2b8oq3/please_read_if_you_usedepend_on_tor_never_before/
>
> Please read if you use/depend on Tor. Never before seen FH information.
> (self.TOR)
>
> submitted 16 hours ago * by Deepthroat2 [+1]
>
> Hello everyone, I have some information that I have been dying to share for
> months, but due to the circumstances, and to avoid detection, I had to wait
> for some time before I was able to safely make this post. My goal here is to
> provide information that I know is credible and for the Tor community to use
> it as they see fit, due to the nature of my work, and the severe penalties
> associated with breaking the rules and giving out information you aren't
> supposed to, I have no way of verifying or proving anything to you that I
> say here, I understand if you find me less than credible, however, this is
> essentially a PSA, and you can take it for what it's worth to you.
>
> Just about one year ago, the Tor community was shaken by a Firefox exploit
> which utilized a javascript exploit and an old vulnerability in the Tor
> Browser Bundle to unmask some users of Freedom Hosting. There has been
> rampant misinformation, and speculation to the point that I felt like pulling
> my hair out, or just simply bursting out into laughter when reading some of
> the outlandish claims made by people who have little to no idea what they are
> talking about. Today, I will set the record straight.
>
> The FH exploit was a government engineered, and deployed exploit that was
> designed in response to former Director Mueller's frustration at an earlier
> child pornography case in which the FBI was ridiculed for being unable to
> ascertain the source of child pornography, for those who aren't familiar with
> this case, it involved a man who had accessed child pornography by accident
> on a Tor hidden service, and then brought his desktop computer to the office,
> explaining what had happened and that he subsequently performed a "Full wipe"
> on the disk.
>
> The agent who took the report had limited knowledge about Tor, however, at
> the time he knew that any directed effort to identify a specific Tor user was
> hopeless, and in the report he indicated that "There is currently no known
> way to ascertain the location of a Tor user, thus, no investigative leads
> exist." This got leaked to the press, and they had a field day, hinting at
> the incompetency of the Bureau. Needless to say, the FBI had its ego hurt
> quite badly by this public display of incompetency.
>
> Then Director Mueller directed the CEOS (Child exploitation and obscenity
> section) to find a way to penetrate the layers of protection provided by Tor,
> and to come up with a feasible way to conduct a sting operation in order to
> bring these people to justice. The FBI had previously conducted a sting on
> viewers of child pornography in a case out of Nebraska, that resulted in the
> arrest of about 25 people. This was the first successful take down of CP
> consumers that were utilizing a Tor hidden service.
>
> One of the errors that I see a lot on these forums and others was that the
> Nebraska take down was done in a similar fashion to the FH exploit, with the
> code being deployed onto the pages of the boards, however, this is not the
> case. From my understanding, the Nebraska field office was able to find the
> actual server, take it over covertly, then upload a series of files that
> purported to be child pornography, but actually contained nothing but
> encrypted gibberish. They were video files that were embedded with code that
> called back to a computer that recorded the IP address of the requestor, date
> and time similar to the way Windows Media Player attempts to recall album
> information and cover art for music cds and such. These were files that the
> user actually had to download and attempt to open. This is why the service
> was run for weeks, and only 25 people were identified as users. This method
> was described by the techs who deployed it as a "NIT" or "Network
> Investigational Tool".
>
> Now for Freedom Hosting....
>
> The javascript exploit could not be deployed directly on the servers which
> Mr. Marques was using due to either technical reasons, or legal requirements
> by the AUSA in Maryland. So the decision was made to clone the services
> exactly, and transport them to the home of the FBI CEOS in the Greenbelt
> division of Maryland. This location was picked specifically because
> sentencing in this district for Child Pornography crimes is more severe. It
> was July 31st of 2013 when the exploit actually went live, and tried to
> identify criminals. It was installed previously, however, there were
> technical problems early on and the code had to be revised 3 times before it
> was running as intended, it ran for about 11 days before being shut down.
>
> The amount of people identified by this exploit is still a closely guarded
> secret, with only agents having a direct "Need to know" being privy to this
> information. However, the victory dance was short lived as news started
> flowing around that the evidence may not be admissible in court, due to the
> manner in which it was collected, among other reasons. Although proper
> warrants were issued, it would take at least 4-7 years to comb through the
> list of suspects, and question, arrest each one. The major problem is that
> after about 12 months, the courts start to presume your evidence is
> prejudicial to the defendant because you're supposed to have an indictment
> and serve it on the defendant within 30 days, and that just wasn't possible.
> You can request an extension of this time, however you must present a new,
> fresh reason for doing so..."We still aren't ready" doesn't cut it. There is
> no statute of limitations for the crime of "Accessing with intent to view
> child pornography" so barring any other limitations, the FBI can come after
> someone 10-15 years later.
>
> The AUSA became uncomfortable with the prospects of his legal case against
> the exploitees of FH and went to the US Attorney. There was disagreement as
> to whether or not the evidence would be viable, however, the operation went
> on anyways. One of the victims of the FH exploit was a man by the name of
> Grant Klein from Vermont. The Bureau had made arrangements with the local
> police for assistance with the raid (This is pretty much standard operation
> procedure, and is done for the safety of the agents, as well as to maintain
> professional courtesy. Local cops get butt hurt when you arrest people on
> their turf without them knowing).
>
> The FBI had provided the local police with court documents and the affidavit
> of arrest regarding the circumstances of Mr. Klein's warrant, which they
> promptly posted onto their press release against the wishes of the FBI. This
> resulted in the termination of at least one employee from local PD.
>
> He was raided and before even being asked a question, he began spewing a
> confession. His home was searched, and a desktop computer with no hard disk
> was found, as well a laptop computer belonging to his wife Susan. There was
> no illegal materials found on these, however, he had a smartphone in the
> drawer of a nightstand which contained illegal images of minors. He was
> arrested and charged with 3 separate crimes.
>
> To make a long story short, the FH related charges were dropped because the
> FBI had crossed a legal line by offering up child pornography de novo, by
> shutting down the server, then bringing it back online hosting real CP. They
> were uncomfortable with the prospects of this case, and were able to use a
> Leon good faith exception to admit the evidence they found on his phone to
> make a single possession charge stick, however, he agreed to plead guilty.
> The rest of the leads which lead to foreign nationals were then distributed
> accordingly to the various LEA's.
>
> Also, earlier this week, the UK police arrested 660 people as part of
> Operation Notarise.
>
> The operation name of the FBI takedown in Nebraska was "Operation Torpedo"
>
> This was a cute poke at both the method they used, and the users they
> targeted
>
> Torpedo - Navy missile
>
> Tor Pedo - Tor Pedophile.
>
> -DT
>
> moar comments on Reddit

-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk