
Logs of compromised Tor site released - randomfool
https://lists.torproject.org/pipermail/tor-dev/2014-November/007731.html
======
raquo
Am I understanding this correctly?

* Attacker has control of X number of tor nodes

* Attacker DDoS-es a hidden service, sending millions of requests to it

* Attacker hopes that at least one of these requests will be routed exclusively through their own tor nodes, thus revealing the IP address of the hidden service

That sounds neat. Is it a viable way to de-anonymize a hidden service?

~~~
deutronium
Is there actually anything you can do to prevent this kind of attack?

I'm assuming once your network is compromised to such an extent there is not
much you can do.

~~~
s_q_b
Cut the hardline. Well, but seriously, shut down the network temporarily.

~~~
comboy
Wouldn't that only make it easier to confirm that this network/ip is
associated with given hidden service?

This got me thinking, btw, about the latest Hetzner hiccups which never
happened before.

~~~
s_q_b
Yeah, assuming a global adversary, you'd just watch which servers went dark
and then investigate them. We really need a "defensive mode" for TOR.

------
jlgaddis
To grab everything:

    $ mkdir foo
    $ cd foo
    $ wget --mirror --convert-links --adjust-extension --page-requisites --no-parent http://doxbin.strangled.net/

Or you can grab a tarball here:
[http://evilrouters.net/mirror/doxbin.strangled.net.tar](http://evilrouters.net/mirror/doxbin.strangled.net.tar)
(~37 MB)

------
arthurcolle
I don't understand the context of this post on torproject.org

Who is this guy? Nachash? Is he an operator of one of the illegal websites
that were seized as a result of Onymous? He is talking as I would expect a
sysadmin, so is that what you'd call him? He talks about inheriting PHP code,
is he referring to the original SR source code? If so, how could he have
acquired this source code?

~~~
tux3
> _Who is this guy?_

He was the guy running doxbin [0] before Onymous seized the servers.

He's trying to provide any relevant information he can to the Tor devs so that
they can better prevent attacks against hidden services in the future.

> _He talks about inheriting PHP code, is he referring to the original SR
> source code?_

He's referring to the doxbin source code [1], which he didn't write entirely
but just improved upon.

[0] doxbinzqkeoso6sl.onion

[1] qhlkmirbijvet2dp.onion

~~~
FurSec
>Who is this guy?

To add on to what tux3 has posted, nachash has been involved in various other
illegal happenings on the net over the past few years, usually with other ED
hackertypes.

You can just use google to find irc logs to get a general idea of who this guy
is.

~~~
libraryatnight
ED?

~~~
arthurcolle
encyclopedia dramatica?

~~~
libraryatnight
Thank you - now that I know I feel silly not making the connection, as I had
just been looking at some Encyclopedia Dramatica after Googling Nachash.

These guys seem to be pretty smart, but constantly embroiled in some seemingly
petty feud or scandal within their scene.

------
aosmith
What if we just started using keys with tor and setting a few (trusted)
default nodes...

Update to clarify: I'm talking about every user setting a few distinct trusted
nodes.

~~~
owenmarshall
A few nodes makes it easier for a global adversary to attack, I'd think.

The FBI could seize those nodes and replace them with rooted boxes. The NSA
could use their little boxes in Sprint/ATT/L3's broom closets to forward
packets to Ft. Meade.

What Tor needs is lots more traffic going through lots more nodes.

------
jokoon
Isn't Freenet or I2P more resilient to such attacks?

I mean Tor is great because it allows you to browse webpages, but aren't there
thicker means to be anonymous?

~~~
aosmith
Every system is susceptible to a graph attack at some level...

~~~
doublec
Freenet doesn't have the concept of a server that hosts a site though. Data is
distributed across the datastore in nodes in Freenet. When users request a
site or data then it is gathered from the nodes that hold the information.

This means sites can't have dynamic functionality but for those that host only
static data then it would seem to be an alternative.

They are possibly vulnerable to being discovered when inserting data if the
attacker knows what they are inserting.

~~~
runeks
> They are possibly vulnerable to being discovered when inserting data if the
> attacker knows what they are inserting.

If we go by the theory that compromising a single Tor user is not feasible,
then connecting to the Freenet network through a fresh Tor connection every
time you want to insert new data should make it a lot more difficult to find
the identity of the person who is inserting this data.

I'm thinking here in the context of operating a black market, where new items
are signed with the operator's key, and uploaded to Freenet, along with a list
of all items on the market in question, also signed by the operator (with an
increasing nonce).

~~~
contingencies
_new items are signed with the operator's key, and uploaded to Freenet, along
with a list of all items on the market in question, also signed by the
operator (with an increasing nonce)._

It really confuses me why people insist on thinking about electronic systems
of exchange in broken physical world terms: market/store, buyer, seller. See
[https://github.com/OpenBazaar/OpenBazaar/issues/961](https://github.com/OpenBazaar/OpenBazaar/issues/961)

~~~
runeks
I don't see what's "broken" about these terms. People understand them, and
they serve their purpose: explaining the roles of various nodes in the
network.

However, I understand your argument that there's really no need to
differentiate between "buyers" and "sellers": every node on the network could
be either, both or neither at any point in time.

I don't think changing the language used in OpenBazaar really makes much of a
difference though. I doubt people are that interested in doing barter trading
via an online market. That seems very inefficient (i.e. sending a pound of beef
jerky in the mail in exchange for receiving five LED bulbs). The only
reason for doing this would be if the two parties don't have proper money
available.

It'd be a lot more efficient for either party to sell their good (beef jerky
or light bulbs) for money locally (for example bitcoins), and pay for the
other item in bitcoins, so only a single good needs to be sent via mail. The
party receiving money can then just buy the goods he wants locally.

------
justcommenting
also of note: [https://blog.torservers.net/20141109/three-servers-offline-l...](https://blog.torservers.net/20141109/three-servers-offline-likely-seized.html)

------
weinzierl

    From the standpoint of someone with root access to a
    dedi with OpenVZ vms, finding hidden services that are
    hosted by customers is a matter of looking for files
    named private_key anywhere under the /vz folder.

    [...]

    2. Cross your fingers and pray really, really hard that
    the money trail is correctly obscured.

Hetzner is a popular German hoster and as far as I know payment requires
either a valid credit card or a German bank account. How is it possible to
obscure the money trail at all?

~~~
aosmith
Can you use a prepaid credit card?

~~~
weinzierl
From their payments page [1]:

    The following credit cards are accepted through this
    payment facility: Visa, Master, Diners and Amex.

I don't know if any of those companies offers prepaid credit cards.

[1]
[http://www.hetzner.co.za/helpcentre/index.php/articles/conte...](http://www.hetzner.co.za/helpcentre/index.php/articles/content/category/payments/what_methods_are_ava_87/)

~~~
bnr
This page states they also support Direct Deposit, which means you can walk
into any bank and deposit cash, no ID required.

~~~
aosmith
In the US there's no option for this... Most banks will not allow you to
deposit funds into another person's account.

~~~
umanwizard
This is false; I've done it several times with no issue.

------
aosmith
So this is perhaps a little naive, but could any of these boxes be Shellshock
vulnerable? If they were, that would make this whole thing trivial...

------
imaginenore
%5C%22 stands for \"

Not sure if that's significant in any way, could be just a unique identifier.

~~~
AlyssaRowan
It looks like guard discovery was one component of the attack, and DoS could
have been used to boot HSes into choosing a malicious guard, or at least, a
raided (but no logs?) or somehow-rooted guard. So it's probably just a badly-
coded script-kiddie-grade DoS script. It doesn't have to be an _amazing_,
novel DoS to have an effect - it just has to be a DoS, and they don't have to
show their hands by using anything particularly amazing.

What I think is that they probably _don't_ have anything that we don't know
about already as being theoretically possible. They just tried every attack we
_do_ know about at once, and some of it proved fruitful given their reach. Tor
stinks - but it still _works_, and we can improve it.

