Delivery-Date: Mon, 08 Sep 2014 03:22:13 -0400
Return-Path: <tor-talk-bounces@lists.torproject.org>
X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on moria.seul.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.7 required=5.0 tests=BAYES_00,DKIM_SIGNED,
	RCVD_IN_DNSWL_MED,RP_MATCHES_RCVD,T_DKIM_INVALID,UNPARSEABLE_RELAY
	autolearn=ham version=3.3.1
X-Original-To: archiver@seul.org
Delivered-To: archiver@seul.org
Received: from eugeni.torproject.org (eugeni.torproject.org [38.229.72.13])
	(using TLSv1.2 with cipher ADH-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by khazad-dum.seul.org (Postfix) with ESMTPS id D6F1A1E022C;
	Mon,  8 Sep 2014 03:22:11 -0400 (EDT)
Received: from eugeni.torproject.org (localhost [127.0.0.1])
	by eugeni.torproject.org (Postfix) with ESMTP id AF3E628821;
	Mon,  8 Sep 2014 07:22:04 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1])
 by eugeni.torproject.org (Postfix) with ESMTP id 7C7E324D97
 for <tor-talk@lists.torproject.org>; Mon,  8 Sep 2014 07:22:01 +0000 (UTC)
X-Virus-Scanned: Debian amavisd-new at eugeni.torproject.org
Received: from eugeni.torproject.org ([127.0.0.1])
 by localhost (eugeni.torproject.org [127.0.0.1]) (amavisd-new, port 10024)
 with ESMTP id 0x1n1QsmmBle for <tor-talk@lists.torproject.org>;
 Mon,  8 Sep 2014 07:22:01 +0000 (UTC)
Received: from mx1.riseup.net (mx1.riseup.net [198.252.153.129])
 (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
 (Client CN "*.riseup.net", Issuer "Gandi Standard SSL CA" (not verified))
 by eugeni.torproject.org (Postfix) with ESMTPS id 4626424375
 for <tor-talk@lists.torproject.org>; Mon,  8 Sep 2014 07:22:01 +0000 (UTC)
Received: from berryeater.riseup.net (berryeater-pn.riseup.net [10.0.1.120])
 (using TLSv1 with cipher ECDHE-RSA-AES256-SHA (256/256 bits))
 (Client CN "*.riseup.net", Issuer "Gandi Standard SSL CA" (not verified))
 by mx1.riseup.net (Postfix) with ESMTPS id 10AA152220
 for <tor-talk@lists.torproject.org>; Mon,  8 Sep 2014 00:21:58 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=riseup.net; s=squak;
 t=1410160918; bh=l9i2oQHxPOs+YjksK/gKItgC8O8XpenLmf13M4NVcnY=;
 h=Date:From:To:Subject:References:In-Reply-To:From;
 b=fOYHFn8lMcA7CvdOdNKESe7MWpbsd7j/5i+mTWjoT7Nj4tiNWzae9PV6TqPLdx33s
 VM4LigvFuMk91vD8ZllaVneymEYpGXwAFI8kwSVXHC3Tiqhmkwiriu76Il7/fpD9hj
 ItbaXXAqp5vKmF6rFpnmKdKtSp6+Q4QdM9NP7vws=
Received: from [127.0.0.1] (localhost [127.0.0.1])
 (Authenticated sender: mirimir) with ESMTPSA id 3A3F54203E
Message-ID: <540D5911.1060506@riseup.net>
Date: Mon, 08 Sep 2014 01:21:53 -0600
From: Mirimir <mirimir@riseup.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64;
 rv:31.0) Gecko/20100101 Thunderbird/31.0
MIME-Version: 1.0
To: tor-talk@lists.torproject.org
References: <4dbf80e1a3ae8b182a15ea2af6fa10dc@openmailbox.org>
 <20140814001854.GO8819@moria.seul.org>
 <cd0f0f8d006df59c665f6e8cba21e16f@openmailbox.org>
In-Reply-To: <cd0f0f8d006df59c665f6e8cba21e16f@openmailbox.org>
X-Virus-Scanned: clamav-milter 0.98.4 at mx1
X-Virus-Status: Clean
Subject: Re: [tor-talk] Wired Story on Uncovering Users of Hidden Services.
X-BeenThere: tor-talk@lists.torproject.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: tor-talk@lists.torproject.org
List-Id: "all discussion about theory, design,
 and development of Onion Routing" <tor-talk.lists.torproject.org>
List-Unsubscribe: <https://lists.torproject.org/cgi-bin/mailman/options/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=unsubscribe>
List-Archive: <http://lists.torproject.org/pipermail/tor-talk/>
List-Post: <mailto:tor-talk@lists.torproject.org>
List-Help: <mailto:tor-talk-request@lists.torproject.org?subject=help>
List-Subscribe: <https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk>, 
 <mailto:tor-talk-request@lists.torproject.org?subject=subscribe>
Content-Type: text/plain; charset="windows-1252"
Content-Transfer-Encoding: quoted-printable
Errors-To: tor-talk-bounces@lists.torproject.org
Sender: "tor-talk" <tor-talk-bounces@lists.torproject.org>

On 09/07/2014 01:25 PM, blobby@openmailbox.org wrote:
> On 2014-08-14 00:18, Roger Dingledine wrote:
>> On Wed, Aug 13, 2014 at 10:06:00AM +0000, blobby@openmailbox.org wrote:
>>> If it's possible for the owner of a hidden service (whether the FBI
>>> or a regular person) to install malware which grabs visitors' IPs,
>>> then what is stopping any hidden service owner from doing this?
>>
>> See
>> https://lists.torproject.org/pipermail/tor-announce/2013-August/000089.h=
tml
>>
>> and
>> https://blog.torproject.org/blog/tor-security-advisory-old-tor-browser-b=
undles-vulnerable
>>
>> plus all the discussion under it.
>>
>> Browser security is a big issue because there's so much surface area
>> to secure.
>>
>> The defense is to stay up to date on your browser. It's not perfect
>> but it sure does help (and it was sufficient in this case).
>>
>>> How, in this case, was it possible for the FBI to learn the IP
>>> addresses of visitors to this hidden service? The Tor hidden server
>>> page states that "In general, the complete connection between client
>>> and hidden service consists of 6 relays: 3 of them were picked by
>>> the client with the third being the rendezvous point and the other 3
>>> were picked by the hidden service."
>>>
>>> Can someone knowledgeable please explain how visitors to a Tor
>>> hidden service can have their real IPs detected?
>>
>> In addition to the above links, you might also like
>> https://blog.torproject.org/blog/tor-weekly-news-%E2%80%94-august-7th-20=
13
>>
>> https://blog.torproject.org/blog/tor-weekly-news-%E2%80%94-august-14th-2=
013
>>
>> https://blog.torproject.org/blog/hidden-services-current-events-and-free=
dom-hosting
>>
>>
>> --Roger
> =

> Thanks for these links. Illuminating reading.
> =

> However, the story I referred to has nothing to do with Freedom Hosting.
> =

> It refers to "Operation Torpedo" (get the joke: "tor" + "pedo").
> =

> Wired did a follow up to the original story on 26 August:
> http://www.wired.com/2014/08/federal-cybersecurity-director-guilty-child-=
porn-charges/
> =

> =

> Original story (5 August): http://www.wired.com/2014/08/operation_torpedo/
> =

> As I mentioned, the original story has a link to the affidavit which
> contains information about the FBI malware.

It's the same malware.

Operation Torpedo _preceded_ the Freedom Hosting takedown.

| From the perspective of experts in computer security and privacy,
| the NIT is malware, pure and simple. That was demonstrated last
| August, when, perhaps buoyed by the success of Operation Torpedo,
| the FBI launched a second deployment of the NIT targeting more
| Tor hidden services.
|
| This one=97still unacknowledged by the bureau=97traveled across the
| servers of Freedom Hosting, an anonymous provider of turnkey Tor
| hidden service sites that, by some estimates, powered half of
| the Dark Net.

-- =

tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

