
“Warning: Do Not use my mirrors/services until I have reviewed the situation” - chummm
http://article.gmane.org/gmane.network.tor.user/34619
======
ChuckMcM
Interesting.

It is entirely possible it is survivor bias on my part but I get the suspicion
that a global sort of 'cyberwar' that has been rumbling along for years is
heating up rapidly. I've seen a 10x increase in various scripted attacks being
attempted (patch early and often folks!) and a number of APT level compromises
of systems either staging malware or deploying it (see the latest bulletin on
the Afghan government compromise). And of course the whole Free Syrian Army /
ISIS / terrorist nom de jure attacks.

I can't shake the analogy to pictures from WW II where shopkeepers were
huddled in the back while soldiers fought from the front of the store. I see
innocent servers being 'occupied' by enemy malware so that it can launch
attacks on other servers further into a protected network.

Fortunately in this modern version of war you can "kick the soldiers out" of
your server by bringing it down and re-imaging it. And they won't turn around
and shoot you, but that is not all that comforting somehow.

~~~
_RPM
Does ISIS really have the resources to carry out criminal computer activities?
From what I understand, they are a group with limited technological advantage,
and there is no way they could carry out a major attack on the Internet.

~~~
geographomics
(Note to ossreality, who also replied to this comment: you appear to be
hellbanned.)

~~~
jamesaguilar
Re: his edit, thank you for your compliment, but I just think there are more
constructive ways to approach most conversations than accusing people of
talking out of their ass, or calling them losers. :( If you truly were banned
for arguing with someone important, that's unfortunate, but I saw two good
reasons to ban you in your most recent three comments. Maybe I just caught you
on a bad day.

------
drodgers
For anyone who missed the warning a few days ago:
[https://blog.torproject.org/blog/possible-upcoming-attempts-...](https://blog.torproject.org/blog/possible-upcoming-attempts-disable-tor-network)

~~~
mmaunder
And the HN thread:
[https://news.ycombinator.com/item?id=8774833](https://news.ycombinator.com/item?id=8774833)

------
flux_w42
A Dutch tech news site [1] published the news on their site and got in contact
with the ISP Snel:

The ISP told Tweakers that the account of Thomas White was blocked due to a
security policy of the company. The customer let a deadline for verification
accidentally expire and logged in through KVM. "Some KVM's generate a USB
event when you use it to set up a connection to the server, this is what the
customer just notified." - according to the ISP Snel. Meanwhile, the man's
account is released.

[1] [https://tweakers.net/nieuws/100388/beheerder-verliest-contro...](https://tweakers.net/nieuws/100388/beheerder-verliest-controle-over-cluster-tor-exitnodes.html)

~~~
spacefight
So much about ISP <> customer confidentiality then!?

~~~
psykovsky
Especially when the media has better information than the customer.

------
mmastrac
Interesting to see this play out in realtime. This message just showed up in
the thread[1]:

    
    
      Node fingerprints are as follows, please blacklist ASAP. Some servers are 
      accessible via their KVM again but not networked.
    

[1]
[http://thread.gmane.org/gmane.network.tor.user/34619](http://thread.gmane.org/gmane.network.tor.user/34619)

~~~
mmastrac
Further updates via @CthulhuSec on Twitter:

Not much further info at this point. Trying to do secure log dumps but most
systems seem unavailable again. Bracing for possible local raid

Apologies no further info atm, I don't know what I am dealing with yet, ISP
has made no comment Re: if warrant executed at servers

Interesting that the servers were briefly up and running, but down again.

------
draugadrotten
Update on twitter:
[https://twitter.com/CthulhuSec](https://twitter.com/CthulhuSec) "People have
taken my mere suspicions way too seriously. I haven't even mentioned a
specific agency and the theories are already flowing."

Update on tor-talk: [https://lists.torproject.org/pipermail/tor-talk/2014-Decembe...](https://lists.torproject.org/pipermail/tor-talk/2014-December/036078.html)

In the first original email, he writes "At this moment in time I am under no
gagging orders or influence from external parties/agencies. If no update is
provided within 48 hours you may draw your own conclusions."

Please may I call your attention that this canary paragraph is missing from
the latest tor-talk update. Draw your own conclusions.

~~~
dmix
Which latest tor-talk update is missing the canary?

The one you linked to says:

> 7. Again, at this moment in time I am under no gagging orders or
> unreasonably withholding information under orders.

~~~
draugadrotten
The "under no influence" part is missing.

~~~
grrowl
IF we take the strict differences of the phrasing, we could say he's
reasonably withholding information by request. Incorporated with the
timeframe, this could be anyone — but given his response and the extra 250+
twitter followers today, he's probably been reminded the cost of drawing
conjecture in public.

~~~
draugadrotten
I am thinking this guy is very exact and precise in his phrasing, especially
with regards to a canary. He's a crypto-geek, anarchist and running an exit
node and this crowd knows Alice is not Bob.

He knows what he says will be scrutinized by thousands. Why wouldn't he be
very careful in what he says?

Based on his first canary vs the last, he could, as you say, "reasonably" be
withholding information on request. Perhaps terrorists, kitty pr0n or the
threat of jail is reason to him. Good reasons, who knows.

He could also be under the control of someone that asks him to add new, lie or
modify information. Worse reasons, perhaps.

Either way his first canary reminded us that whatever he says now needs to be
treated as possible disinformation.

~~~
grrowl
Further, his subsequent posts to the mailing list[1] are missing the canary
entirely, but everything has been addressed except for:

> 3. The DC has confirmed via Twitter that the servers were not "accessed".
> Having been raided in the past I know indeed they can be forced under Dutch
> law not to inform clients of raids, but I don't feel this may be the case.
> With that being said, a chassis intrusion indicator still must be addressed
> and I cannot find it in the logs anymore. The DC company are not the people
> who I directly interact with however so I am still awaiting a direct
> response from those we host the server with.

Either way, it's not a direct raid or seizure, _if anything_ a backdoor
installed by someone at the DC, but honestly at this point you have to accept
the possibility and either accept/balance/mitigate the risk or get new
hardware.

[1]: [https://lists.torproject.org/pipermail/tor-talk/2014-Decembe...](https://lists.torproject.org/pipermail/tor-talk/2014-December/036084.html)

------
binaryanomaly
Update here: [https://lists.torproject.org/pipermail/tor-talk/2014-Decembe...](https://lists.torproject.org/pipermail/tor-talk/2014-December/036078.html)
Seems mysterious but not confirmed to be LE raid.

------
gnu8
How did these criminals penetrate the ISP? Is there security footage? It
should be no trouble to identify the perpetrators and have them arrested if
their pictures are posted online.

~~~
alfiedotwtf
The criminals were probably carrying a warrant.

~~~
olefoo
Your comment is indicative of the crisis of legitimacy that has infected our
governments, and most of the institutions of stability in our global society.
It seems like a small thing; but once the perception that the forces of law
and order are themselves lawless exceeds a certain critical threshold things
begin to change rapidly. Indeed the United States itself came to be in the
wake of the erosion of the legitimacy of England's colonial government.

There won't be an announcement; but once that threshold is crossed events
begin to move rapidly and forcefully and do not stop until a new arrangement
of powers is found that society can scaffold itself upon. Who knows what will
be the stable state of a world seeded with the idea of networks and
knowledgeable in their subversion and subornation.

~~~
markbnj
I'd love to see some historical basis for this supposition that there is a
natural counter balance to "lawless" power. First of all, your premise
presupposes that there is some standard of "lawfulness" against which the
existing power structure can be judged. If the powers that be are faithful to
their own interests and rules then by definition they are lawful, since they
create and administer the law. Your appeal to a higher morality (I assume,
since I don't know what other standard there could be) makes a good muse for
an artisan, but I see no evidence in the long, bloody history of our species
that it acts as some sort of automatic restorer of natural order. Quite the
contrary, in fact. It is the current state of affairs in some Western
countries, in which the citizens have leave to consider whether their
governments are lawful and ways to act if they are not, that is the exception.

~~~
olefoo
I fear that we are talking past each other and have different readings of the
same words; and vastly different conceptual backgrounds.

Map political science onto the sandpile model [1] to get a first order
approximation of the framework of analysis I'm using from a macro perspective.
On the micro level of individual perception; what matters isn't merely the
perceived lawlessness of the elites and of the guardian castes, but the
growing sense that "If you play by the rules; you're a sucker." And depending
on your level of investment in the current order that sense can be a powerful
motivator to working around limits that were introduced to promote
institutional stability.

And if most people's reality is that the ruleset they're working off of is
largely economically workable only because it's technically illegal... that's
inherently unstable.

1. [http://en.wikipedia.org/wiki/Abelian_sandpile_model](http://en.wikipedia.org/wiki/Abelian_sandpile_model)

------
0x0
Wonder what shenanigans the USB device is up to. A bootable drive for flashing
backdoored bios/hdd firmware or keylogging? Snapshotting the HDDs? 0day'ing
the kernel USB stack?

~~~
dsl
Probably just a USB stick with Second Look or a similar tool on it. Very first
thing you do is dump the running memory on the system. Then you pull the
drives, plug them into a write blocker, then image the drives.

Modifying anything before you have a complete forensic dump is a big no-no
because you need to preserve evidence.

~~~
xorcist
Can you explain more? How do you go about dumping memory?

~~~
adrianpike
The specific tool they were mentioning is:
[https://secondlookforensics.com/](https://secondlookforensics.com/)

Interestingly enough, look who makes it.

~~~
grrowl
Spoiler/save-the-click: "© 2014 Raytheon Cyber Products. All rights reserved.
Second Look® is a registered trademark of Raytheon."

> The Raytheon Company is a major American defense contractor and industrial
> corporation with core manufacturing concentrations in weapons and military
> and commercial electronics.

------
nullflow

      the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken.
    

In which country did this happen?

As a European I expected the US/EU governments would keep their hands off Tor
because dissidents use it in countries where US/EU want regime change.

~~~
redthrowaway
The USG is not a monolithic entity. The State Department loves TOR, for the
reasons you list, while Justice hates it. The Justice Department does not need
State approval to get warrants and take down servers, nor do they need State
approval to work with their foreign partners to do the same.

~~~
mpyne
One of my favorite examples of this:
[http://articles.latimes.com/1989-06-07/news/mn-1711_1_rocky-...](http://articles.latimes.com/1989-06-07/news/mn-1711_1_rocky-flats-fbi-and-epa-justice-department)

------
folta
Latest update posted in the mailing list:
[https://lists.torproject.org/pipermail/tor-talk/2014-Decembe...](https://lists.torproject.org/pipermail/tor-talk/2014-December/036084.html)

No canary in this update.

~~~
folta
One more update: [https://lists.torproject.org/pipermail/tor-talk/2014-Decembe...](https://lists.torproject.org/pipermail/tor-talk/2014-December/036089.html)

Several nodes are going to go back online and are being requested to be
unblacklisted. "I have emailed some of the DirAuths to remove several nodes and
IPs from the blacklist that we feel confident have not been breached or
compromised in any way."

------
alfiedotwtf
As the Tor community knew of a possible compromise in advance, what is
the purpose of this? Sounds like fear mongering by the TLAs with the aim to
discredit anonymity within the network rather than actual malice.

~~~
spacefight
I thought the advanced warning was related to directory servers, not exit
nodes.

~~~
ridgewell
It is.

    
    
      an attempt to incapacitate our network in the next few days through the seizure of specialized servers in the network called directory authorities.
    

- [https://blog.torproject.org/blog/possible-upcoming-attempts-...](https://blog.torproject.org/blog/possible-upcoming-attempts-disable-tor-network)

------
Nanzikambe
Off Topic: But out of curiosity what does a Tor hidden service keep in memory?
Would there be any information that would uniquely identify the services it's
running?

Given that they're often run in datacentres (either colocated or within a VM)
- wouldn't a USB device capable of scraping RAM and dumping a list hosted
.onions be quite practical for law enforcement purposes?

There's obviously a finite number of datacenters in each country/jurisdiction
that accept bitcoin or sell VPSs.

------
fluential
What do you think is the business / legal risk of running a few Tor relay (no
exit) nodes as a commercial company (UK or US based)? One of my friends told
me that he would be afraid of the potential freezing of company assets if
someone started an investigation and those nodes were part of that case.

Any thoughts? Comments?

