

Large Number of Tor Sites Seized by the FBI were Clone or Scam Sites - nikcub
https://www.nikcub.com/posts/onymous-part1/?resub=1

======
yc1010
"The slapshot nature of how sites were seized suggests that rather than
starting with an onion address and then discovering the host server to seize,
this campaign simply vacuumed up a large number of onion websites by targeting
specific hosting companies. We have tracked down the hosting companies
affected and the details will be published in a follow-up."

Very interested to see the list of hosting companies that were targeted.

~~~
cesarb
The most interesting question to me would be, does this mean that the server
administrators now have a "get out of jail free card" due to the "fruit of the
poisoned tree" doctrine or similar?

Hosting a hidden service by itself does not mean doing something illegal, even
_Facebook_ hosts a hidden service nowadays. The only valid justification for
the seizure would be if they had traced an illegal hidden service to that
host, but from what I have read this seizure sounds too indiscriminate for
that to be the case (IIRC even some pure relays, which don't host anything at
all, were seized).

~~~
forgottenpass
_The most interesting question to me would be, does this mean that the server
administrators now have a "get out of jail free card" due to the "fruit of the
poisoned tree" doctrine or similar?_

That would require the defendant's rights to have been violated. I'm no doctor
of law, but even if they were slipshod enough to violate rights in the
investigation regarding the datacenters, I'd be surprised if the defendants'
rights were the ones violated (3rd party doctrine and all).

------
monort
Tor TLS traffic can be distinguished by random domain in SNI during handshake
([https://news.ycombinator.com/item?id=5505056](https://news.ycombinator.com/item?id=5505056)).

If the FBI can sniff all traffic originating from a hosting provider, then it seems
to be trivial to detect all Tor servers and go through them manually?

~~~
userbinator
SNI is an extension, it's not required and makes for the traffic to be easily
distinguishable, so what's the reason for Tor to send an SNI?

~~~
monort
Probably it will be even easier to detect Tor nodes - just look for IPs which
never receive SNI in the TLS exchange on port 443.
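As an added example (not code from either post, and not Tor's own code), here is a small Python parser that pulls the server_name extension out of a raw TLS ClientHello record, followed by the per-IP check described above: which destination IPs on port 443 never receive an SNI at all. The ClientHello bytes are constructed inline for the demonstration, and the names build_client_hello, extract_sni and hosts_without_sni are my own.

```python
import struct
from typing import Iterable, List, Optional, Tuple

SNI_EXT_TYPE = 0x0000   # server_name, RFC 6066


def build_client_hello(sni: Optional[str]) -> bytes:
    """Construct a minimal TLS 1.2 ClientHello record (constructed sample data,
    not a capture). When sni is None the server_name extension is omitted,
    which is legal: SNI is an extension, not a required field."""
    client_random = bytes(32)                  # all-zero random is fine for a sample
    session_id = b"\x00"                       # empty session id
    cipher_suites = b"\x00\x02\xc0\x2f"        # one suite: TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
    compression = b"\x01\x00"                  # one method: null
    extensions = b""
    if sni is not None:
        host = sni.encode("ascii")
        server_name_list = b"\x00" + struct.pack("!H", len(host)) + host   # type 0 = host_name
        ext_body = struct.pack("!H", len(server_name_list)) + server_name_list
        extensions += struct.pack("!HH", SNI_EXT_TYPE, len(ext_body)) + ext_body
    # A second extension (supported_groups, x25519) so the parser has to skip past
    # extensions it does not care about.
    groups_body = b"\x00\x02\x00\x1d"
    extensions += struct.pack("!HH", 0x000A, len(groups_body)) + groups_body
    ext_block = struct.pack("!H", len(extensions)) + extensions
    hello_body = b"\x03\x03" + client_random + session_id + cipher_suites + compression + ext_block
    handshake = b"\x01" + struct.pack("!I", len(hello_body))[1:] + hello_body   # type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake     # record type 22


def extract_sni(record: bytes) -> Optional[str]:
    """Return the host_name carried in the ClientHello's server_name extension,
    or None when the extension (or the whole extensions block) is absent.
    Raises ValueError for bytes that are not a handshake/ClientHello record."""
    if len(record) < 5 or record[0] != 0x16:
        raise ValueError("not a TLS handshake record")
    rec_len = struct.unpack("!H", record[3:5])[0]
    hs = record[5:5 + rec_len]
    if len(hs) < 4 or hs[0] != 0x01:
        raise ValueError("not a ClientHello")
    hs_len = int.from_bytes(hs[1:4], "big")
    body = hs[4:4 + hs_len]
    pos = 2 + 32                                   # skip client_version + random
    pos += 1 + body[pos]                           # session_id
    pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher_suites
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return None                                # no extensions block at all
    ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    end = pos + ext_total
    while pos + 4 <= end:
        ext_type, ext_len = struct.unpack("!HH", body[pos:pos + 4])
        pos += 4
        ext_data = body[pos:pos + ext_len]
        pos += ext_len
        if ext_type != SNI_EXT_TYPE:
            continue
        list_len = struct.unpack("!H", ext_data[:2])[0]
        q = 2
        while q + 3 <= 2 + list_len:
            name_type = ext_data[q]
            name_len = struct.unpack("!H", ext_data[q + 1:q + 3])[0]
            name = ext_data[q + 3:q + 3 + name_len]
            q += 3 + name_len
            if name_type == 0:                     # host_name
                return name.decode("ascii")
        return None
    return None


def hosts_without_sni(flows: Iterable[Tuple[str, bytes]]) -> List[str]:
    """flows: (destination_ip, client_hello_record) pairs seen on port 443.
    Returns the destination IPs for which *no* observed ClientHello carried an SNI,
    which is the heuristic the post proposes for a first-pass triage list."""
    saw_sni = {}
    for ip, record in flows:
        has = extract_sni(record) is not None
        saw_sni[ip] = saw_sni.get(ip, False) or has
    return sorted(ip for ip, has in saw_sni.items() if not has)


if __name__ == "__main__":
    # Constructed flows: one host always gets an SNI, one never does, one is mixed.
    sample = [
        ("198.51.100.10", build_client_hello("www.example.com")),
        ("198.51.100.20", build_client_hello(None)),
        ("198.51.100.30", build_client_hello(None)),
        ("198.51.100.30", build_client_hello("mail.example.net")),
    ]
    print(hosts_without_sni(sample))
```

Absence of SNI is a weak signal on its own: a client connecting to an IP literal sends no server_name (RFC 6066 does not allow literal addresses in host_name), and older software omits the extension too, so a list like this is a triage filter for an operator auditing their own network, not an identification of anything.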

~~~
userbinator
Thinking over the protocol again I think TLS wasn't a great choice for Tor -
not only because of SNI but other things like server certificates are also
sent in cleartext during the handshake so it's easy to distinguish and just
block all TLS traffic that uses self-signed or otherwise certificates not
issued by the big CAs.

Something more like SSH, not relying on central CAs, would be less
distinguishable - is it Tor traffic, or is it just someone accessing his/her
server remotely?

~~~
conductor
I would suggest impersonating other encrypted protocols with heavy traffic
like encrypted BitTorrent or P2P Skype (is it still P2P or MS centralized it
already?). On the other hand, systems administrators are frequently blocking
BitTorrent and Skype traffic so the "TLS" traffic on port 443 has more chances
to pass.

------
kissickas
This is quite interesting. It's initially unclear exactly what the angle of
this research is, but I think that reflects the uncertainty that still
surrounds this operation.

Most notable to me was that the jihad-funding site was left up while its clone
was taken down. Does that mean they couldn't locate the server, or that it's
controlled by the FBI?

~~~
userbinator
_Most notable to me was that the jihad-funding site was left up while its
clone was taken down. Does that mean they couldn't locate the server, or that
it's controlled by the FBI?_

I was wondering the same thing - and this line from the article too:

_In a number of cases the FBI has seized the clone or scam version of a site
while leaving up the real site._

Is it because all the clone/scam sites were hosted on the same set of servers,
or do the FBI know where the real ones are already but are deliberately
leaving it up (and just removing the fakes since they're presumably
interfering with their surveillance)?

------
MisterNegative
Well this is to be expected if they can force a hosting company to report when
servers connect to public tor nodes for a considerable amount of traffic.

