
Freedom Hosting sites compromised, founder arrested - DevUps
http://www.twitlonger.com/show/n_1rlo0uu
======
cookiecaper
This whole post is a mess. Someone distributes an exploit via a popular
hosting provider for onion sites (and it's curious why anyone with a serious
interest in privacy would outsource onion site hosting anyway) and suddenly
Tor is damaged? There's a link to a paper that claims people can do things
you're not supposed to be able to do with onion sites, but I don't see how
that's relevant -- this post is conflating at least a few things.

So here's what I can grok from it:

* "Freedom Hosting" founder has been arrested; presumably, many people were using "Freedom Hosting" to host onion sites (is this where "half of all Tor sites compromised" comes from?). No charges listed, article slightly hints at child pornography charges.

* Someone, presumably the FBI, has set up an exploit to be distributed through Freedom Hosting sites that will phone home and reveal your non-Tor IP address (solution: seven proxies). "Freedom Hosting" founder was probably coerced into allowing distribution of this exploit.

* Author claims that said exploit only affects Firefox >= 17 on Windows.

* There's a link to a paper about possible problems with hidden services, which is apparently not relevant to any of this other than the fact that there was just a shakedown on a big onion site provider.

I'm flagging this article because it is utterly incoherent and the headline is
sensationalist. There is no evidence of a fundamental flaw in Tor being
related to any of the events mentioned. Hopefully someone will write a
comprehensible piece soon and put it out there.

~~~
aqme28
How is it sensationalist? The headline was not that there is a vulnerability
in TOR, but a vulnerability in "half of all TOR sites."

~~~
cookiecaper
The headline implies that the "compromise" is an inherent failure in the
protocol (or else how could "half" of all sites be infected?) instead of the
reality that the hosting provider intentionally placed an exploit in all of
their pages.

A better title may be like: "major .onion hosting service infiltrated by feds,
all sites converted to honeypots; founder arrested". This does not imply any
fundamental flaws in Tor itself or the technology in use, it does not falsely
attribute a specific portion of .onion sites as infected, it does not
communicate uncertainty into which sites are damaged (only sites hosted by
Freedom Hosting were affected afawk), and it correctly reflects the events.

~~~
threeseed
You're being bizarrely pedantic.

If the headline had read "half of all web sites compromised" I would never
have thought it was because of some underlying fault with HTTP.

~~~
cookiecaper
Onion sites are (typically) accessed over HTTP, so the fact that I didn't
think HTTP was flawed demonstrates that there's some misinterpretation here.

I'd suggest that _you're_ the one being overly pedantic. "Protocol" doesn't
necessarily have to refer to something explicitly labeled as a "protocol".

------
__float
They make note that the vulnerability used is only in Firefox 17--the current
ESR (extended support release). What they do not mention is that the Tor
Browser Bundle[1]--created so users can simply download one executable and
feel protected by Tor--is based on this very release.

Among all internet users, Firefox 17 is probably rare, but among Tor users? My
bet is that it owns a significantly higher chunk of the market.

[1] Tor Browser Bundle:
[https://www.torproject.org/projects/torbrowser.html.en](https://www.torproject.org/projects/torbrowser.html.en)

~~~
cookiecaper
The quote in the article claims that the exploit affects 17 _and higher_,
only on NT-based platforms.

Furthermore, Tor Browser Bundle disallows JavaScript by default, and one
should be cautious while allowing execution of arbitrary client-side code
whilst intent on keeping their direct IP address secret. You have to take at
least a couple of steps to be affected by this bug.

EDIT: The author has updated the OP and now claims that he believes Firefox 17
is the _only_ affected version. His language is ambiguous such that it is
unclear whether the exploit only affects Windows or if the code distributed by
FH is simply not attempting to exploit any non-Windows environments (perhaps
they were trying to get specific players).

~~~
Torgo
TBB does not disallow javascript by default. In fact they recommend you do not
disable javascript because it makes your browser fingerprint more traceable.

~~~
cookiecaper
Checking on this now. I find it dubious, but possible. I haven't used the Tor
Browser Bundle for quite a while, but last I recall they definitely had a
mechanism to keep JavaScript from executing. It seems ridiculous that they
wouldn't, given their long history of advocacy for NoScript et al. Will edit
when done installing/checking.

EDIT: So it seems that NoScript _is_ installed as part of the package, but
that scripts are enabled globally by default. I just experienced this with a
fresh install. Here's the answer confirming it:
[https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled](https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled).

Personally I think that's a horrible compromise, and it's obviously something
that's changed since last time I used it. This should be undone ASAP. Some
education is required to use Tor properly even without considering things like
JavaScript, so teaching someone to enable JS only when prudent should be fine
to include as part of that educational package. It seems like there is some
nefarious force at work here trying to trick people who really shouldn't be
using Tor into using Tor. I know, for instance, that I had to stop several of
my friends from using Tor after they heard about it from the news or whatever
after the PRISM leaks. _Do NOT_ use Tor if you don't fully understand the
implications, like that all data you send through it is going to be decrypted
to plaintext at a random exit node that could be run by literally anyone with
a modern computer and internet connection.

Fortunately, NoScript continues to warn pretty blatantly with a big red
exclamation point that scripts should not be allowed globally, and an educated
Tor user will automatically forbid all scripts despite the awful default, so
this is probably only a problem for people who are just dinking around anyway.

~~~
Torgo
[EDIT: edited typo, clarified what TAILS was] I had mentioned (split between a
couple other posts) that even with JS enabled, NoScript will prevent many
XSS/CSRF and clickjacking attempts, which has been explained to me as the
reason for its inclusion, and that disabling JavaScript actually makes you
more fingerprintable, because it's rare for browsers to do this.

I am guessing that the payload the article mentions (which s/he does not have)
included a Windows (or Windows Firefox)-specific exploit which bypassed the
Tor tunnel so that they could then match the cookie in and out of Tor to
identify the traffic origin. Otherwise, just having the cookie through Tor
would be pretty worthless.

Other people that could be dinged by this would be anybody using that
specific version of Firefox, without Torbutton. Torbutton wipes cookies when
you switch between Tor and not-Tor, but Torbutton as a separate tool has been
discontinued and TBB promoted, because to be safe you really need to have a
separate browser profile.

On Linux (not targeted by this exploit, but maybe someday) you could avoid
this using an AppArmor/SELinux profile that prevented TBB Firefox from even
making a network connection that's not to the Tor tunnel, or possibly even
prevent Firefox from knowing its own IP. Dunno if something like this is even
possible on Windows. For traveling, I currently have been experimenting with a
VM with TBB and an AppArmor profile, and an iptables rule to prevent ANY
outside traffic, except Tor. It works but it's a pain in the ass and nobody
could be expected to install all that shit. That's what they made TAILS (a
bootable disc image with only Tor, saves nothing to your machine, contains no
known exploitable extraneous apps) for; people could check that out. Even
running TAILS in a VM would have prevented this, though they recommend for
maximum security you burn it and boot it.

No sympathy for child pornographers, but obv. this could be used against
anybody seeking anonymity.

~~~
hackinthebochs
> prevented TBB Firefox from even making a network connection that's not to the
> Tor tunnel, or possibly even prevent Firefox from knowing its own IP. Dunno
> if something like this is even possible on Windows.

I don't currently use Tor, but I've thought about it and this is how I would
do it. This can be done on windows using a virtual machine that disallows
internet connections. Have the VM only able to network with the host OS, which
is running the Tor app. That way the VM doesn't have an internet IP to leak,
and if firefox itself is compromised there isn't anything on the VM that could
give you away.

~~~
foobarqux
Whonix already does this.

~~~
hackinthebochs
Looks sweet. I'll check it out.

~~~
foobarqux
Be careful, I don't think it has received a great deal of peer review and the
community doesn't seem to be large.

------
iM8t
Europeans point of view: Am I the only one who feels that the US is taking
over the Internet and all of our privacy with it?

~~~
JulianMorrison
It's not just that they're stealing everyone's privacy. They're acting like
"it's foreigners, so we don't have to care" - even the latest attempts to
rein in the NSA make no effort to cut back its international misbehavior.

Basically, I think most civilized people have been operating on the premise
that democratic western states are behaving in a vaguely civilized way towards
people in other such states. But it's clear that America at least is behaving
like the purest sociopath, where "friends" just means "easier to manipulate".
They are breaking the unspoken international social contract, and it is going
to have worse repercussions than they yet understand.

~~~
duaneb
> America

The American government, you mean.

~~~
return0
For us foreigners, knowing that America has strong democratic roots, it is
obvious (and worrying) that the majority of American citizens actually agree
with that.

~~~
crocowhile
Well, can't blame the electorate this time: Obama is doing the opposite of
what he always promised and got elected for.

~~~
smsm42
That argument would be very convincing if Obama weren't elected twice. Fool me
once, shame on you, fool me twice...

~~~
vacri
You make it sound like there was a viable alternative, like the other party in
the two-party system wasn't being held to ransom by ultra-nationalists.

~~~
smsm42
That's because it is exactly the situation. Nobody is "held ransom" by
anybody. But voters that think like you - low-information voters that can vote
for anybody provided that he is "our guy" because "their guy" is The Devil
himself - are exactly the reason why it happens again and again. And will
happen until the majority abandons such mentality - which I personally
wouldn't expect happening any time soon.

~~~
vacri
Voters that think like me live in a multipolar democracy that currently has a
minority government in power. It's a tacit weakness of the US system that
there can only be two _viable_ parties. "If everyone changed and voted for a
third person" is _not_ a retort, because it still requires everyone jumping on
the same bandwagon to effect a win; it'll just be a different brand of wagon.

~~~
Volpe
It's a two party system, but the two parties don't have to be the same ones
that are there now.

I don't understand the "viable alternative" argument. You are saying "I won't
vote for who I really want to vote, because they'll never win, because
everyone else won't vote for them" <--- Is that what you mean? That seems
self defeating.

...

~~~
vacri
If you had rapid iteration - elections every month - then a tertiary party
would have something of a chance. As it stands, the iterations are so slow,
that with FPTP voting, the two main parties will just move slightly to
diminish the threat - the incumbent edifice carries on.

With preferential voting (or similar), you actually have the realistic
probability of more than one party being in power. Here in Australia, the
current government is formed from one major party, one minor party, and a
couple of independents. It's not just 'mathematically possible', but a
plausible outcome. That can't really happen with FPTP voting. Well, it can
happen, but it's an oddity - see the current situation in the UK with the lib
dems.

_"I won't vote for who I really want to vote, because they'll never win,
because everyone else won't vote for them"_

The problem here is that by voting for someone whom you slightly prefer, you
split the vote in a FPTP system, making them both lose out to the third person
you didn't want in. If 60% of the population want a left-wing candidate, and
they're split evenly-ish, they'll still lose out to the single right-wing
candidate who only has 40%. It sounds self-defeating on paper, but in real
terms it's more like self-preservation.

------
cjbprime
We should be clear that this isn't a vulnerability in the Tor software or
network, but an (apparent) vulnerability in this unrelated "Freedom Hosting"
company's site:

[https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting](https://blog.torproject.org/blog/hidden-services-current-events-and-freedom-hosting)

~~~
mintplant
And possibly in Firefox (!), with some sort of JavaScript exploit. This is the
most worrying part for me--does anyone have any info on what the payload does?

~~~
keyme
Doesn't have to do much. Once you execute pretty much any (non-sandboxed) code
on a machine, you can bypass something like TOR easily. From this point, any
network packet sent by the payload to the feds effectively de-anonymizes the
user completely. Also, by including a tracking cookie in the JS, they can
cross reference all user activity on the compromised websites with the newly
discovered IP address.

~~~
shabble
> _Once you execute pretty much any (non-sandboxed) code on a machine, you can
> bypass something like TOR easily. From this point, any network packet sent
> by the payload to the feds effectively de-anonymizes the user completely._

One partial solution would be to run the Tor client on a physically separate
machine which acts as a transparent proxy for your browsing/internet box, and
blocks any direct contact with the public internet via iptables trickery. I
dunno what the processing overhead of running tor client is, but in theory you
might be able to do so on a router running openWRT or similar.

~~~
keyme
I actually use a setup that involves a bunch of VMs for pretty good
separation. It's a bit of a complicated setup, so I won't elaborate here. The
main thing about it, is that even if an attacker runs with root privs on the
"anonymous" VM, they'll need a 0-day in the Virtualization engine itself to
de-anonymize the machine. I make sure that the VMs are as isolated from the
host machine as they can be, so the attack surface is indeed minimized to the
VM engine itself. Some "VM busting" attacks did occur in the past, but I
believe very few (if any) attacked the VM engine itself. Most used the wider
attack surface provided by stuff like the "VMWare tools" API (which for
"isolated" VMs should be disabled). Edit: come to think of it, I should
probably write up my method and post it to HN at some point...

------
inDigiNeous
Am I the only one who is f*cking tired of FBI and other violence based
organizations using pedophilia as their excuse to raid and bust people?

Think of the children! Yes... a good front to make it so that they can just
bust anything using SWAT forces.

Is pedophilia such a big problem? Really? I would like to see one study about
pedophilia and the problems it creates, instead of the problems that the NSA
and FBI are facing when people start encrypting their traffic and we actually
have some freedom of speech in some areas.

~~~
abrichr
...perhaps you could argue that there's nothing wrong with pedophilia _per se_,
but there is definitely something wrong with child abuse, and I shouldn't
need to link you to a study to convince you of that.

By shutting down child pornography rings, police are preventing further abuse.
How else would you propose they go about it?

~~~
tbrownaw
_By shutting down child pornography rings, police are preventing further
abuse._

Maybe, maybe not. Probably in some or even many cases, but certainly not all.

But, it also provides an unquestionable excuse to not care about "accidental"
overreach or collateral damage. Someone's hosting something they don't like on
a shared server? Guess what happens when they "discover" kiddie porn hosted by
someone else on that same server?

------
makomk
Previous discussion of arrest:
[https://news.ycombinator.com/item?id=6154493](https://news.ycombinator.com/item?id=6154493)

Previous discussion of malicious Javascript:
[https://news.ycombinator.com/item?id=6154246](https://news.ycombinator.com/item?id=6154246)

------
kaoD
> The JavaScript zero-day exploit that creates a unique cookie and sends a
> request to a random server that basically fingerprints your browser in some
> way, which is probably then correlated somewhere else since the cookie
> doesn't get deleted. Presumably it reports the victim's IP back to the FBI.

"in some way", "probably", "presumably" = I have no idea what's going on.

~~~
Shank
It's more that we know very well that up to the transmission point, it creates
a unique identifier. If we're following the most likely guess (that this is
targeting distribution of Child Pornography), then it seems like a reasonable
goal to simply identify and fingerprint Tor users.

That being said, there is always a point that this could be used for something
else entirely, though. Compromising Tor mail is a lot less of a targeted
attack.

------
galapago
A preliminary analysis of the 0day used:

[http://pastebin.mozilla.org/2777139](http://pastebin.mozilla.org/2777139)

_edit_: Maybe it is a good idea to submit this link (or another related one) to
discuss it in a new HN thread.

~~~
greenyoda
It's not really 0-day: since it only affects Firefox 17, it was apparently
fixed long ago. But see this comment regarding why it may be of interest to
lots of TOR users:

[https://news.ycombinator.com/item?id=6156779](https://news.ycombinator.com/item?id=6156779)

~~~
makomk
Firefox 17 is their most recent ESR release for enterprises that want a more
stable platform, and at least in theory it's still receiving security updates.

------
popee
Here is real reason why little sisters force everything into browser. Because
they care about security >:-)

People should stop using web/browsers for everything.

~~~
duaneb
The idea of having JS enabled is directly at odds with a secure system, too.
All TOR sites should have non-JS friendly interaction. There's really
negligible benefit compared to exploits like the one in TFA.

~~~
asveikau
I remember a bit over ten years ago, "javascript is annoying" was a mainstream
position among hacker types. That seems to be long gone by now.

I guess hardware catching up with resource requirements took away one of the
biggest reasons against it. And most people really embraced the web as more
than a document platform. I think part of me still misses the old way of
thinking about it.

~~~
duaneb
I don't have any base issue with javascript; I think it's a wonderful way to
build web applications. However, TOR and the dark net has entirely different
considerations, and the cost of letting unvetted code run without asking you
from a site you know nothing about is far, far greater. I wouldn't be
surprised if just being on TOR would be convincing evidence for an
unknowledgeable jury, even if the site was about something legal but
connotative (activism targeting the federal government, for example).

~~~
asveikau
I see the first two sentences of your reply as inextricably linked and
contradictory. You don't think it's the culture of it being acceptable to make
sites that won't work without JS that is ultimately forcing the Tor folks to
enable it? For instance, reading up on this subject I found this:

> Why is NoScript configured to allow JavaScript by default in the Tor Browser
> Bundle? Isn't that unsafe?

> We configure NoScript to allow JavaScript by default in the Tor Browser
> Bundle because many websites will not work with JavaScript disabled. Most
> users would give up on Tor entirely if a website they want to use requires
> JavaScript, ...

[https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled](https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled)

~~~
duaneb
I see the purposes of the internet serving content-rich web apps and the
purposes of TOR as different. They may have compatible protocols, but if GMail
ran on TOR nobody would even use it. Why bother? It's slow and it's gonna leak
information like a watering hose.

------
marincounty
I'm afraid to comment out of fear of being picked on. I didn't read the article
very well (depressed about things, and what the Internet is morphing into), but
didn't the U.S. federal government put money into TOR?

~~~
brador
Take a news break for a few days, your health is important.

------
D9u
Since I've never been an .onion site user, I've not noticed any issues with my
Tor connections to the "regular" net.

It's my understanding that one can host a .onion "hidden" site without having
to go through any such provider as Freedom Hosting, so I don't see how my
privacy is being affected by this situation.

------
lawl
Uhm, so where exactly does the FBI/NSA come in?

As of now there is some guy stating that some hoster has been pwnd and
uploaded some JS that exploited something that might be FF17, which might have
been shipped with the Tor browser bundle.

Why exactly does he think the FBI/NSA is involved? If he has the exploit code,
why didn't he upload it?

Lots of conclusions based on assumptions. As of now I'd think it's more likely
someone just pwnd the largest TOR hidden host provider, uploaded a sploit that
will affect most of the users (Tor browser bundle) and called it a day.

Sure, there MIGHT be some GOV/whatever involvement. But wouldn't it be time to
wait with such accusations until we've got some actual proof? Not uploading
the alleged exploit doesn't really help his position.

I would think that since about 60% of the TOR project's funding comes from the
.gov[0], they have an incentive to keep it online. I could imagine they
have some nodes for which they wouldn't want to reveal the physical location.
I don't know, warhead controllers or something. Of course that only works if
there are enough nodes involved so you can hide yourself. That's why _I
think_ this might not have been a .gov action.

[0] [https://www.torproject.org/about/findoc/2012-TorProject-Annual-Report.pdf](https://www.torproject.org/about/findoc/2012-TorProject-Annual-Report.pdf)

~~~
duaneb
TOR is also a great honeypot. There are no ways of validating a given node is
not governmental, either.

~~~
superuser2
There are no ways of validating _anything_ is not governmental.

~~~
duaneb
Yes, but there are degrees of this, and TOR gives you nothing without the
resources of the government.

~~~
superuser2
The government is allowed to create fake identities and corporations, use
private facilities and infrastructure, etc. in order to run sting operations
against sophisticated criminals. That's exactly the sort of "real police work"
they should be doing, rather than surveillance.

Where is there ever a "degree" of visibility as to whether something is a
government honeypot?

------
Paul12345534
Anyone who was using Windows for TOR browsing was already asking for trouble.
Anyone browsing outside a "sealed" VM setup such as Whonix was also asking for
trouble.

~~~
quotemstr
Browsing in a VM doesn't help: the VM still has an IP address.

~~~
prolde
If you just run tor inside the VM, the above is true. If all the traffic out
of the VM is routed through tor, then the IP address they will get is a tor
(not clearnet) IP address. In order to get a clearnet IP address off a VM,
you'll need to exploit the VM itself, a task clearly much harder than misusing
javascript in a browser.
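
The gateway setup that Torgo (AppArmor plus an iptables rule blocking everything but Tor), shabble (a separate machine acting as a transparent proxy with iptables blocking direct internet access) and prolde (all VM traffic routed through Tor, so only a Tor IP is ever visible) describe above, written out as an added example; none of those commenters posted this, and the interface name, the gateway address, the ports, the virtual .onion network and the `debian-tor` account are assumptions for illustration. The script prints a torrc fragment and the iptables commands for review, and only applies the rules when invoked with `apply`.

```shell
#!/bin/sh
# Added example (not from the thread): a Tor transparent-proxy gateway.
# Every value below is an assumption for illustration; adjust to your host.
TOR_UID=${TOR_UID:-debian-tor}      # account the tor daemon runs as (Debian default)
INT_IF=${INT_IF:-eth1}              # interface facing the isolated browsing VM/machine
INT_ADDR=${INT_ADDR:-10.152.152.10} # gateway's address on that interface (constructed)
TRANS_PORT=9040                     # torrc TransPort
DNS_PORT=5353                       # torrc DNSPort
VIRT_NET=10.192.0.0/10              # torrc VirtualAddrNetworkIPv4 used to map .onion names
IPT=${IPT:-iptables}

# torrc fragment: tor accepts redirected TCP and DNS on the internal interface only.
gen_torrc() {
    cat <<EOF
VirtualAddrNetworkIPv4 $VIRT_NET
AutomapHostsOnResolve 1
TransPort $INT_ADDR:$TRANS_PORT
DNSPort $INT_ADDR:$DNS_PORT
EOF
}

# Print (do not run) the iptables commands, one per line, so they can be reviewed.
gen_rules() {
    # --- nat: rewrite what the client sends so it lands on tor's listeners ---
    # DNS goes to tor's resolver; .onion names resolve into VIRT_NET addresses.
    echo "$IPT -t nat -A PREROUTING -i $INT_IF -p udp --dport 53 -j REDIRECT --to-ports $DNS_PORT"
    # Connections to mapped .onion addresses and every other new TCP connection are
    # handed to TransPort; tor builds the circuit and the client never holds a route out.
    echo "$IPT -t nat -A PREROUTING -i $INT_IF -d $VIRT_NET -p tcp -j REDIRECT --to-ports $TRANS_PORT"
    echo "$IPT -t nat -A PREROUTING -i $INT_IF -p tcp --syn -j REDIRECT --to-ports $TRANS_PORT"
    # --- filter: nothing is routed between interfaces, so a compromised client has no path out ---
    echo "$IPT -P FORWARD DROP"
    # The client may reach tor's two listeners and nothing else on the gateway
    # (UDP other than DNS, ICMP and any raw-socket traffic all stop here).
    echo "$IPT -A INPUT -i $INT_IF -p udp --dport $DNS_PORT -j ACCEPT"
    echo "$IPT -A INPUT -i $INT_IF -p tcp --dport $TRANS_PORT -j ACCEPT"
    echo "$IPT -A INPUT -i $INT_IF -j DROP"
    # The gateway itself may only leave through the tor process: a leak from any
    # other program on the gateway is dropped rather than sent.
    echo "$IPT -P OUTPUT DROP"
    echo "$IPT -A OUTPUT -o lo -j ACCEPT"
    echo "$IPT -A OUTPUT -m owner --uid-owner $TOR_UID -j ACCEPT"
    echo "$IPT -A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
}

# Number of rules gen_rules emits, for a quick sanity check after applying.
rule_count() { gen_rules | wc -l | tr -d ' '; }

# Run the reviewed commands as root; sh -e stops at the first one that fails.
apply_rules() { gen_rules | sh -e; }

if [ "${1:-}" = "apply" ]; then
    apply_rules
else
    gen_torrc
    echo
    gen_rules
fi
```

Run it once without arguments to read the torrc lines (add them to the gateway's torrc and restart tor) and the firewall commands, then `sh gateway.sh apply` as root. Anything the browsing machine sends that is not TCP or DNS is dropped at the gateway, and a program that escapes the browser still only sees the gateway's private address and a Tor exit's IP on the far side, which is the property prolde's comment relies on.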

------
belorn
I think there is a large insight to be had by all this.

States can and will use computer exploits in military and law enforcement. Like
with PRISM, it's no longer just tinfoil - it's confirmed. The business
model for a few companies is to hoard zero-day exploits and sell them on the
market. The military, police, "business intelligence" a.k.a. industry spying,
and criminals are their customers. In contrast to disease research, software
virus research is not regulated or illegal, so both good and bad is the
result. It is good when independent research finds vulnerabilities in software
we use, and less so when it's hoarded and sold to be used against us.

------
joshfraser
This has given us a pretty rare chance to look at a 0-day exploit being used
in the wild by the US government. Has anyone traced the code enough to know
how it works?

[http://pastebin.mozilla.org/2777139](http://pastebin.mozilla.org/2777139)

------
synchronise
I have a question for Tor users. Would such an exploit to the system encourage
you to transition to similar darknet services such as I2P, or will you be
sticking with Tor with greater caution?

------
Zuider
Anyone notice this:

> 3. Bitcoin and all crypto currencies set to absolutely CRASH as a result
> since the feds can not completely control this currency as they please.

~~~
dlitz
I wouldn't think too much of it. It could be a bit of wishful thinking, or an
attempt to manipulate the price of Bitcoins by spreading rumors. Both are
fairly popular among Bitcoin speculators.

------
Amarok
I'm curious if the exploits would work with javascript enabled, but with
noscript installed. This is default for the current TBB I think.

------
denzil_correa
What does it mean by "Half of Tor sites compromised"? Wasn't it just "Freedom
Hosting" which was compromised?

------
ToothlessJake
I must yet again point to a company like Endgame Systems[1] as being a likely
contractor for this service rendered for the FBI.

Some of Endgame's products used by the likes of the NSA: "There are even
target packs for democratic countries in Europe and other U.S. allies. Maui
(product names tend toward alluring warm-weather locales) is a package of 25
zero-day exploits that runs clients $2.5 million a year. The Cayman botnet-
analytics package gets you access to a database of Internet addresses,
organization names, and worm types for hundreds of millions of infected
computers, and costs $1.5 million."

Exploiting an unknowable amount of users of a service as to hunt them. Using
illegally harvested data from botnets, while others get hunted and prosecuted
for coding them.

This tiered society where the legally immune can profit off acts that get
others jailed. The market manipulation that comes with bribing companies for
data access, the government giving less regulatory oversight to companies it
has secret 'deals' with.

For the sake of society, economy, basic morality. It must end.

[1]
[http://wiki.echelon2.org/wiki/Endgame_Systems](http://wiki.echelon2.org/wiki/Endgame_Systems)

~~~
jenandre
"Exploiting an unknowable amount of users of a service as to hunt them. Using
illegally harvested data from botnets, while others get hunted and prosecuted
for coding them. This tiered society where the legally immune can profit off
acts that get others jailed."

Not that I disagree with this sentiment, but how is this different from the
fact the government is "legally immune" from using/possessing weapons and
firearms that the average person can't possess or use?

~~~
tomp
It's more like the government hiring non-government forces that can then
legally possess arms that other "non-affiliated" people (i.e. civilians)
can't, and being given legal immunity for killing random people, some of which
might turn out to be criminals. I.e. Batman, with a bit less moral compass.

~~~
bigiain
Or even "Batman with a completely normal corporate moral compass – 100%
focused on its primary goal – of 'increasing shareholder value'"…

------
LekkoscPiwa
Software that creates randomly TBs of fake email, voice (skype) and other
communication daily to disrupt NSA. Possible? Helpful?

I.e. billions of emails created daily originating from millions of email
accounts created daily that contain random words including the ones the NSA is
looking for.

I mean, they went on the path of the least resistance with this whole PRISM
thing. Kind of blatantly stupid approach of "just listen to everything". That
can possibly be derailed by simple creating tons and tons of "everything"
daily to feed their stupid programs.

~~~
badfile
Even if I don't see why you are saying it on this specific thread, it actually
came to my mind a few days ago. I think it is a good, simple idea. No technical
difficulties, just spamming and making the whole thing unanalyzable.

------
vertis
You have to respect an effort like this.

------
rogerthis
As a Catholic, I don't know what I hate most: child pornographers or the FBI.

