Message-ID: <5411B4CC.8060001@riseup.net>
Date: Thu, 11 Sep 2014 08:42:20 -0600
From: Mirimir <mirimir@riseup.net>
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <541131E1.9060409@copper.net>
In-Reply-To: <541131E1.9060409@copper.net>
Subject: Re: [tor-talk] How FBI Pinpointed Silk Road's Server
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>

On 09/10/2014 11:23 PM, Jim wrote:
> Wired has recently published an article about how the FBI claims to have
> found Silk Road's server:
> 
> http://www.wired.com/2014/09/the-fbi-finally-says-how-it-legally-pinpointed-silk-roads-server/
> 
> 
> The FBI claims:
> 
> "As they typed 'miscellaneous' strings of characters into the login
> page's entry fields, Tarbell writes that they noticed an IP address
> associated with some data returned by the site didn't match any known
> Tor 'nodes,' the computers that bounce information through Tor's
> anonymity network to obscure its true source."
> 
> I don't see how that is possible, regardless of how badly misconfigured
> the server is.  When the server is accessed as a Tor hidden service it
> doesn't know the client's IP address.  So the only way it can respond is
> back through Tor.  Unless by "typing miscellaneous strings" they managed
> to infect the server with something that contacted an FBI machine via
> clearnet, similar to Magneto.  Am I missing something?  Or are they
> stretching the meaning of "typing miscellaneous strings"?  Or outright
> lying?

If the server is properly configured for securely hosting a hidden
service, what you say is true. But that apparently wasn't the case here,
no matter what tools FBI agents may have used.

If the webserver and tor process are running on the same machine, the
webserver might serve on 127.0.0.1:8080. The tor process would listen on
that address:port, and might forward to myonionaddressis.onion:80.

An SSH port is also necessary, and that must also be configured as a
hidden service. It's best to use a separate onion address, and not just
a different port (say port 2020 forwarded to 22). The same approach
should have been used for any other apps needing remote access.

The server's firewall would block all incoming, forwarding and outgoing
traffic by default, and allow outgoing traffic only by the tor process
(identified by userid). That userid would be running nothing else except
tor. That way, neither the webserver nor sshd, etc. could reach the
Internet, except through Tor.

However, if the server's firewall wasn't properly configured, direct
outgoing connections (bypassing Tor) might have been permitted by sshd,
webserver, php, mysql and/or some other app. That's a big fail.

Also, for a hidden service like Silk Road, it would have been prudent
(extremely so) to segregate all server apps and the tor process on
separate machines (or at least, on separate VMs). Separating webserver
and backend databases on separate machines would also have been wise.
That would have provided redundant protection against misconfiguration
and/or compromise.

Firewalls on both webserver and tor process machines would block
everything by default except for two sorts of connections. Connections
would be allowed between server apps and the tor process, and between
the tor process and the Internet. In both cases, connections would be
locked down by userid and address:port to prevent leaks outside Tor.
-- 
tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
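The hardened layout mirimir describes (HiddenServicePort targets on loopback only, a separate onion address for SSH rather than a second port on the web service's onion, and a default-deny firewall that permits outbound traffic only for the uid running tor) can be checked mechanically before a hidden service goes live. The audit script below is an added example and is not code from this thread or from the Tor Project. The torrc fragments and iptables-save dumps it inspects are constructed samples; the `debian-tor` user name and the `/var/lib/tor/...` directories are assumptions.

```python
"""Audit a torrc and an iptables-save dump for the leak paths discussed in the thread.

Added example (not from the mailing-list post). All sample configs below are
constructed; the uid name 'debian-tor' and the HiddenServiceDir paths are assumed.
"""
import re

# Constructed "weak" torrc: web backend reached over a LAN address instead of
# loopback, and SSH exposed as a second port on the same onion address.
WEAK_TORRC = """
HiddenServiceDir /var/lib/tor/market/
HiddenServicePort 80 10.0.0.5:8080
HiddenServicePort 2020 127.0.0.1:22
"""

# Constructed hardened torrc: loopback targets and a dedicated onion for SSH.
HARDENED_TORRC = """
HiddenServiceDir /var/lib/tor/web/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/ssh/
HiddenServicePort 22 127.0.0.1:22
"""

# Constructed iptables-save output: default-accept everywhere, no owner match.
WEAK_RULES = """
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
"""

# Constructed hardened ruleset: drop by default, loopback allowed, and the only
# outbound ACCEPT is tied to the uid that runs tor (assumed name 'debian-tor').
HARDENED_RULES = """
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m owner --uid-owner debian-tor -j ACCEPT
COMMIT
"""


def parse_torrc(text):
    """Group HiddenServicePort lines under the HiddenServiceDir that precedes them."""
    services, current = [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == "HiddenServiceDir":
            current = {"dir": value.strip(), "ports": []}
            services.append(current)
        elif key == "HiddenServicePort" and current is not None:
            virt, _, target = value.strip().partition(" ")
            # tor treats a missing target as 127.0.0.1:<virtport>
            target = target or f"127.0.0.1:{virt}"
            current["ports"].append((int(virt), target))
    return services


def audit_torrc(text):
    """Return a list of findings; an empty list means the torrc passes."""
    findings = []
    for svc in parse_torrc(text):
        for virt, target in svc["ports"]:
            host = target.rsplit(":", 1)[0]
            if not host.startswith("127."):
                findings.append(f"{svc['dir']}: port {virt} targets non-loopback {target}")
        target_ports = {t.rsplit(":", 1)[1] for _, t in svc["ports"]}
        # SSH should get its own onion address, not a second port on the web onion.
        if "22" in target_ports and len(svc["ports"]) > 1:
            findings.append(f"{svc['dir']}: SSH shares an onion address with other services")
    return findings


def audit_firewall(text, tor_uid="debian-tor"):
    """Check default-deny policies and that only the tor uid may leave the box."""
    findings = []
    policies = dict(re.findall(r"^:(INPUT|FORWARD|OUTPUT) (\w+)", text, re.M))
    for chain in ("INPUT", "FORWARD", "OUTPUT"):
        if policies.get(chain) != "DROP":
            findings.append(f"{chain} default policy is {policies.get(chain, 'missing')}, not DROP")
    for line in text.splitlines():
        if not (line.startswith("-A OUTPUT") and "-j ACCEPT" in line) or "-o lo" in line:
            continue
        if f"--uid-owner {tor_uid}" not in line:
            findings.append(f"OUTPUT accept rule not restricted to tor uid: {line}")
    return findings


if __name__ == "__main__":
    for label, cfg, rules in (("weak", WEAK_TORRC, WEAK_RULES),
                              ("hardened", HARDENED_TORRC, HARDENED_RULES)):
        print(label, audit_torrc(cfg) + audit_firewall(rules))
```

Running the script reports two torrc findings and three firewall findings for the weak configuration and none for the hardened one. The firewall check only looks at the filter table's OUTPUT chain, which is where the thread's "allow outgoing traffic only by the tor process" rule lives; a real deployment would also want the same owner match applied to any nat-table rules and to IPv6.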

