
Global Web Crackdown Arrests 17, Seizes Hundreds Of Dark Net Domains - DarkCow
http://www.wired.com/2014/11/operation-onymous-dark-web-arrests/#
======
downandout
Lessons learned:

1) Don't engage in businesses that make you a target of the world's best-
funded law enforcement agencies.

2) If ignoring lesson 1, don't access servers directly from home, and don't
pay for said servers with a personal credit card.

3) Don't pay for your $130K Tesla using BTC a month after you open up a
massive illegal drug marketplace that runs exclusively on BTC. Someone may
suspect something.

4) When cashing in your ill-gotten gains, don't use your real name.

Seriously, if you're going to do this kind of stuff, paranoia is your friend.
"They" probably are, indeed, following you.

~~~
ge0rg
_Just how law enforcement agents were able to locate the Dark Web sites
despite their use of the Tor anonymity software remains a looming mystery._

Do you happen to have a source for the "personal credit card" and "Tesla for
BTC" lessons, or is this mere speculation?

Edit: Tesla downpayment documented in Blake Benthall Criminal Complaint:
[http://www.scribd.com/doc/245744857/Blake-Benthall-Criminal-...](http://www.scribd.com/doc/245744857/Blake-Benthall-Criminal-Complaint)

~~~
km3k
The Ars Technica article at [http://arstechnica.com/tech-policy/2014/11/silk-road-2-0-inf...](http://arstechnica.com/tech-policy/2014/11/silk-road-2-0-infiltrated-from-the-start-sold-8m-per-month-in-drugs/) has the
quote:

> "The server was controlled and maintained during the relevant time by an
> individual using the email account 'blake@benthall.net,'"

Since he used his personal e-mail for hosting, I would assume he used his
personal credit card too.

~~~
ge0rg
That might be right, but there are tens of thousands of people who use their
personal email and credit card to buy hosting services. You can't assume they
all operate Silk Road 2.x.

------
bhouston
I think that TOR should no longer be considered secure in the wake of so many
busts. Either it isn't secure by some flaw, or it is too easy to fingerprint
visitors, or some other workaround.

~~~
devconsole
There are some interesting theories being tossed around. I'd like to add one
more.

The common thread across all darknet websites is the fact that they generally
run from datacenters. Most people don't host websites from their residence.

Further, most people don't colocate servers anymore. I would be surprised if
any of the 414 websites operated on boxes that had been colocated. However, I
won't rule out that colocating is also compromised.

I'd like to posit the following law of nature: You can't run a darknet website
from a datacenter and think you've hidden the location of the server,
regardless of whether it's using Tor or other anonymity software.

Why not? Because the datacenter has the ability to image servers, along with
the ability to notice that you're generating large amounts of outgoing Tor
traffic (or other anonymity software).

Here's how the attack may have happened: Step one, collect data about which
computers are sending and receiving large amounts of Tor bandwidth. Step two,
if the server resides in a datacenter, request an image of the server. Step
three, you now know whether the server is a darknet website.

Remember, the point of Tor is to hide the final IP address of a web request or
web service. It does _not_ hide the total volume of traffic that must be
delivered. And it can't. If you operate a darknet marketplace, you're probably
serving a large volume of traffic. Guess who notices? ISPs and datacenters.
Guess which datacenters can be trusted not to divulge an image of your server
to authorities? None of them.

What do I think the future of darknet opsec will look like? Well, if you're
reading this, and you're an individual or group interested in pursuing your
ideology through a darknet website, you will need to run your website from a
datacenter and not rent your server in your name. In fact, your opsec needs to
be so good that there's no way to trace the account back to you. This sounds
hard, and it is, but it's possible. Secondly, you must assume at all times
that the server you're using is compromised. Assume that authorities can
access the contents of the server, can manipulate it, and can subvert anything
you put on it.

This is a grim situation, to be sure. The above assumption is that you are
never safe from authorities gaining a copy of the contents of your datacenter-
hosted darknet website (including any databases), and from a takedown of the
service whenever authorities deem to do so.

Here's the ray of hope: Just because they take down your website doesn't mean
they take _you_ down. This is where opsec comes into play, and it's our last
hope. Every other link in the chain of trust for darknet websites has been
broken. The one and only chance is that you can figure out a way to create
accounts at datacenters without authorities being able to trace them back to
you.

Authorities take down your service? Okay, start it again at some other
datacenter. Authorities get a copy of what's on your server? Okay, no problem:
you were assuming it was compromised anyway, right? Authorities install a
program to make your software malfunction? That's unfortunate, and will shake
the trust in your website, but it's possible to recover from this.

Do your best, and do not get caught. The rest follows from this.

At a minimum, you need to research opsec. Read history of how groups have
evaded detection. Do your research using Tor, because associating such Google
searches with your home account is a terrible mistake.

One of your biggest problems is going to be anonymous money. No, bitcoin won't
help you. You can't rent a server from a datacenter using bitcoin. But you can
anonymize your money and then use that money to rent your server.

It's a long shot, but it's all we've got left. Be perfect. There's no room for
error. Or realize the truth: If you can't be perfect, you will get caught. And
you may get caught anyway. Being perfect sounds impossible, but human history
has shown that there are situations in which no or few mistakes are made. I
would recommend you research those situations and how to minimize the total
number of mistakes you make. Use software to help you do this, while realizing
that clever software alone won't be enough. For example, if you're configuring
an individual piece of software on your personal computer to connect to your
darknet website, even through Tor, you're doing it wrong. You need to isolate
yourself from this equation at all times. Sound hard? Oh, it's hard. It will
slowly dawn on you how hard this method of operating is. Convenience? No. You
don't get to enjoy the benefits of convenience. Convenience is the opposite of
security.

Oh, and if you do happen to somehow make a lot of money, you should keep it as
bitcoin for the foreseeable future. What good is it? Maybe converting small
amounts won't be noticed. On the other hand, converting large amounts of
bitcoin to dollars _will_ be noticed, and it's extraordinarily dangerous to
your opsec.

I'll be around to answer questions if you have them. If you'd like to ask a
question anonymously using Tor, create a new HN account and post your
question. I'll see it, but it will show up as dead on HN, so I won't be able
to reply to it directly. So I'll reply to my own comment with a copy of your
question, along with a response. Then you can reply to that, and I'll repeat
the process.

HN is one of the few websites that we can even have these kinds of
conversations on using Tor. Everything on Reddit is autokilled. 4chan doesn't
let you use Tor. Maybe we should work on this problem first: How to make the
equivalent of unlisted Tor exit nodes so that Tor isn't so trivially blocked?

There are a lot of ideas in my comment, and some of them are better than
others. I hope that the bad ideas can be discarded and the good ones refined
until we have something workable.

~~~
Renaud
> Here's how the attack may have happened: Step one, collect data about which
> computers are sending and receiving large amounts of Tor bandwidth. Step
> two, if the server resides in a datacenter, request an image of the server.
> Step three, you now know whether the server is a darknet website.

This in itself is not sufficient: there are thousands of Tor bridges, relays
and exit points. All of them carry lots of traffic and all of them could be
hosting hidden services as well. The total traffic in itself doesn't
necessarily show that a server hosts hidden services. It could also be masked
by generating fake traffic to/from the server.

Knowing that Tor traffic comes and goes through a server isn't enough. Most
data centers would not just hand over disk images just because a server is
running Tor and a hidden service. You would need good evidence that the
particular hidden service you seek is hosted at that particular data center.

You still need detective work to pinpoint the location of the datacenter. This
could come from timing attacks or an unrevealed weakness in the Tor protocol
itself, but it's more likely that they noticed suspicious activity in real
life (large purchases, people already known to be involved in drugs),
infiltrated some markets, managed to get some people to talk, ... Once you
suspect a particular person and they are under surveillance, you can catch
them paying for servers with their CC, connect to their server directly, or
watch their BTC transactions.

They would certainly need the cooperation of the involved data centers at some
point, but neither Europol nor the FBI can just walk into any data center and
request images of any server that handles Tor traffic without a warrant, which
would require some tangible evidence to support its release, lest it becomes
inadmissible in court.

~~~
tedks
> This in itself is not sufficient: there are thousands of Tor bridges, relays
> and exit points. All of them carry lots of traffic and all of them could be
> hosting hidden services as well. The total traffic in itself doesn't
> necessarily show that a server hosts hidden services. It could also be masked
> by generating fake traffic to/from the server.

Relays (exit and non-exit relays) are listed in the consensus, so you can
easily rule them out, or just watch the hidden service and the relay and
correlate downtime.

Bridges are not listed in the consensus, but they also don't survive very
long, and don't carry very much traffic, since they tend to be used by a small
number of individuals. So bridges will naturally churn out of your target set.

> neither Europol nor the FBI can just walk into any data center and request
> images of any server that handles Tor traffic without a warrant,

This seems optimistic at best. They could certainly ask to install a wiretap,
or just threaten their way into installing a wiretap (i.e., install this
wiretap or my buddy at the EPA is going to be allllll over you for how bad
your parking lot is drained, etc). They could just ask and say they suspect
the computer is involved in child pornography, which will probably override
most people's objections.

But beyond that, people tend to cooperate with authorities. It's either a
natural state of humans to be subservient, or we've been indoctrinated through
eons of hierarchy, but now, the only thing necessary to get someone to kill
someone else is a stern command. If you don't believe me, look up the Milgram
experiments.

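The observation above that relays are listed in the public consensus has a straightforward defensive use: a SOC can join the consensus against its own logs to tag connections that arrive from Tor exit relays. The following Python is an added example, not code from any commenter in this thread. The consensus excerpt (only the `r` and `s` lines, with made-up identities, digests and addresses) and the sshd-style log lines are both constructed for the example.

```python
import re

# Constructed excerpt shaped like the "r"/"s" lines of a Tor network-status
# consensus. All identities, digests, addresses and timestamps are made up.
SAMPLE_CONSENSUS = """\
r alpharelay AAAAAAAAAAAAAAAAAAAAAAAAAAA BBBBBBBBBBBBBBBBBBBBBBBBBBB 2014-11-07 10:00:00 203.0.113.10 9001 9030
s Fast Guard Running Stable V2Dir Valid
r betaexit CCCCCCCCCCCCCCCCCCCCCCCCCCC DDDDDDDDDDDDDDDDDDDDDDDDDDD 2014-11-07 10:05:00 198.51.100.77 443 80
s Exit Fast Running Stable Valid
"""

# Constructed sshd-style log lines; 198.51.100.77 matches the exit relay above.
SAMPLE_LOG = [
    "Nov  7 10:12:01 host sshd[4242]: Failed password for root from 198.51.100.77 port 51022 ssh2",
    "Nov  7 10:12:09 host sshd[4243]: Accepted publickey for ops from 192.0.2.15 port 40110 ssh2",
    "Nov  7 10:13:44 host sshd[4250]: Failed password for admin from 203.0.113.10 port 60001 ssh2",
]

IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def parse_consensus(text):
    """Map relay IP -> set of flags taken from the 's' line that follows each 'r' line.

    An 'r' line reads: r <nick> <identity> [<digest>] <date> <time> <ip> <orport> <dirport>.
    The digest field is absent in microdescriptor-flavoured consensuses, so the
    address is read as the third-from-last field, which works for both flavours.
    """
    relays = {}
    current = None
    for line in text.splitlines():
        parts = line.split()
        if not parts:
            continue
        if parts[0] == "r" and len(parts) >= 8:
            current = parts[-3]
            relays[current] = set()
        elif parts[0] == "s" and current is not None:
            relays[current].update(parts[1:])
            current = None
    return relays


def enrich_log(lines, relays):
    """Tag each log line with the consensus flags of the first IPv4 address it mentions.

    Returns a list of (line, ip, flags); flags is None when the address is not a
    listed relay (or the line carries no IPv4 address at all).
    """
    result = []
    for line in lines:
        match = IPV4.search(line)
        ip = match.group(0) if match else None
        flags = relays.get(ip) if ip else None
        result.append((line, ip, frozenset(flags) if flags is not None else None))
    return result


def tor_exit_hits(lines, relays):
    """Return only the lines whose source address is a relay carrying the Exit flag."""
    return [line for line, ip, flags in enrich_log(lines, relays) if flags and "Exit" in flags]


if __name__ == "__main__":
    relays = parse_consensus(SAMPLE_CONSENSUS)
    for line, ip, flags in enrich_log(SAMPLE_LOG, relays):
        tag = "tor-relay(" + ",".join(sorted(flags)) + ")" if flags else "not-listed"
        print(f"{str(ip):<16} {tag:<45} {line}")
```

Against a real consensus (fetched from a directory authority or mirror) the same two functions apply unchanged; the `Exit` flag is what distinguishes traffic that can have left the Tor network from a relay that merely happens to be listed.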
~~~
jeffreyrogers
> but now, the only thing necessary to get someone to kill someone else is a
> stern command. If you don't believe me, look up the Milgram experiments

I think you're being a bit hyperbolic here.

~~~
tedks
Look up the Milgram experiments and tell me I'm being hyperbolic.

------
logfromblammo
As much as this story interests me on deeper levels, my brain keeps wanting to
think of it as a misspelled or mispronounced "Operation Ominous" rather than
subtracting the "an-" prefix to negate "anonymous" (which they undoubtedly
thought was very clever).

And I do find it very ominous that apparently the only way that I can speak
and act freely over the Internet is to maintain absolutely perfect operational
security across an entire group of individuals that I already know enough to
trust, thanks to out-of-band signaling.

While I don't really have anything to plan or discuss that would be considered
threatening to any current regime, I also know that regimes change and evolve,
and the Internet is rather capricious with regard to what it forgets. I have
to wonder if someday even my posts on HN will be used against me at a time
when prison, or execution, or even just denial of a benefit is a possibility.

Right now, they are busting folks for trading contraband and criminal
services. But it somehow feels like the evidence of massive surveillance and
interdiction is more threatening to me personally than the existence of the
online black markets. Perhaps I'd just like to pretend that in theory, I could
defy an objectionable government edict and not get squashed like a bug. I'd
like to believe that the spirit of rebellion still lives among the people, and
that the underdog can still put up a good fight, even if they can't actually
win.

------
userbinator
I wonder if these attacks, along with some clever fingerprinting of the server
host, and advanced techniques on traffic correlation, were enough to determine
the whereabouts of the servers:

[http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf](http://www.ieee-security.org/TC/SP2013/papers/4977a080.pdf)

[http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf](http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf)

------
rglover
_“This is something we want to keep for ourselves,” he said. “The way we do
this, we can’t share with the whole world, because we want to do it again and
again and again.”_

That is _so_ freaking evil.

~~~
Lrigikithumer
They say this but why aren't they targeting the real evil shit on the dark
web? Why the hell are they wasting their time and resources on drug busts when
there are seriously sick, dangerous people using those services? Hunt them.
They're the real dangers to society, not the ones selling weed and ecstasy.

Makes me feel sick all the wasted talent that isn't being used to take down
the dark dark corners of this world.

~~~
oftenwrong
You say that as if organisations involved in the international drug trade are
not engaging in "real evil shit". Not all cannabis sold in the United States
is grown by long-haired Californians. Much of it is grown in Mexico by violent
drug cartels that use slave labour and kill indiscriminately. They are
practically the definition of evil, and sites like The Silk Road are pushing
their product.

~~~
benajnim
Of course, the ideal way of sucking out the oxygen from these entities is to
legalize the product they're pushing. Perpetuating the drug war is some "real
evil shit" when you consider the police unions are among the biggest lobbying
groups fighting to keep these substances in question illegal.

------
CmdrKrool
"When WIRED spoke Thursday night with Troels Oerting, head of the European
Cybercrime Center, he said his staff hadn’t even had time to assemble the full
list of sites it’s pulled down in the sprawling operation."

That sounds a bit cavalier. Are they actually checking whether the sites are
involved in illegal activity before they pull them down? Or is merely hosting
a website on Tor illegal nowadays?

~~~
atwebb
A less ominous interpretation could be that they pulled some servers and
aren't sure how many sites were hosted on them.

------
vuldin
Maybe a decentralized market server approach is better:
[https://openbazaar.org/](https://openbazaar.org/)

Edit: I should say that openbazaar hasn't been released, and very little work
has gone into allowing for anonymous nodes on the market. The idea is that
once openbazaar is released then people can apply Tor anonymity to connecting
their market node to the database of all nodes where things are available for
purchase.

------
dobbsbob
They probably just use the tried and true method of exploiting flaws in the
server, then helpfully offering to fix it. Repeat until trust builds and
eventually a fed agent is the Sr. technical lead with access to everything.

------
higherpurpose
I think Wired was the first with the first Silk Road bust, too, or in similar
FBI operations. Does Wired have FBI "sources" or FBI PR contacts that give
them these almost-exclusives?

~~~
krapp
It's a high profile tech magazine with mainstream credibility. It would be
silly for them not to have FBI sources.

~~~
higherpurpose
It just doesn't seem right for media sites to "partner" with FBI/the
government for a story like this, and give them a platform to spread its
propaganda.

For the record I'm one of the people who believe what the FBI did here is
_wrong_. I imagine if they had known what it is and what it can do early on,
they would've shut down BitTorrent Inc., too, for "facilitating piracy",
"conspiracy to create piracy", "money laundering" (by making money as a
company that creates torrent technology), and some other CFAA charges, for
good measure - all of them bullshit.

~~~
krapp
This isn't entirely propaganda, though. Sure, the government's version of
events is, but it's also a newsworthy event that Wired's readership would be
interested in. Why would they _not_ cover it, or foster partnerships that make
it easier to get access to stories like this? It is literally their job.

------
zurn
Europol took over the .onion domains? How does that work technically? And
doesn't it sound a little brusque considering Europol doesn't have authority
to do anything in the field?

------
diyorgasms
I am curious how a .onion domain seizure works. Does this mean the various law
enforcement agencies are in possession of the private keys of the services
they shut down?

~~~
lucb1e
They somehow find the physical location of the hidden service and then are
able to take control (e.g. via a letter to the webhost). After that they have
full control over the server and thereby also the key behind the .onion
address.

How do they find the physical location? This could be by plenty of technical
methods, which is really too elaborate to expand on here, but it's almost
certainly not a flaw in Tor itself. It's just very hard to do it all correctly
from A through Z, one mistake and you're busted, so that's why so many
services can be taken down.

------
yc1010
Assuming TOR is compromised, what is to stop someone buying a VPS (with a
fake/disposable credit card, etc.) and hiding the main server behind this VPS
(with HAProxy or stunnel)?

The FBI come along and image the VPS, but it won't be the main server;
connection details could be stored in RAM, and if the server is taken down to
image it, no configs would be left.

Thoughts? Obviously buying VPS/servers in your own name is dumb opsec. That
way, even if TOR is compromised, you lose just a frontend point.

~~~
knyt
Don't think that'd add anything. The people investigating you would presumably
look at your network traffic and see all of the non-anonymized TLS packets
traveling between your VPS and the real server. And they shouldn't need to
bring the VPS down to get an image of its disk (or its RAM).

~~~
yc1010
Of course, though I doubt it'd be enough for evidence in court, especially if
everything is bought with fake aliases.

And saving memory contents (one could hold config files on tmpfs, for example)
seems to be a difficult process; from Wikipedia: "Holding unpowered RAM below
−60 °C helps preserve residual data by an order of magnitude, improving the
chances of successful recovery. However, it can be impractical to do this
during a field examination."

It would be interesting to get perspective from any forensic experts.

The key IMHO is to put as many hoops as possible in the attacker's path.

~~~
knyt
They could just write the memory to disk.
[https://www.suse.com/documentation/sles11/book_kvm/data/sec_...](https://www.suse.com/documentation/sles11/book_kvm/data/sec_libvirt_manage_save.html)

------
fixermark
Ah, good.

Now if only they can snag people who send anonymous death threats too.

------
jordanbaucke
I think it will be very interesting to see the correlation of "discovery
vectors" these LE's purport to have used in locating these services.

~~~
angch
I wonder how hard it is to cause a very spiky, targeted temporary network
outage (DDoS, etc) and use it to correlate with which Dark web sites rely on
which physical network. With enough random events, it's probably possible to
pin down the location, unless you have more than a host or move around a bit.

------
thesis
Couldn't they just be monitoring these sites for uptime?

When datacenters have a network event and the sites go offline it would seem
like a fairly easy correlation.

------
nickthemagicman
Commenting to save this post. Downvote away.

~~~
lotharbot
Any post you upvote is saved in your "saved stories" link
(https://news.ycombinator.com/saved?id=[your id] -- you can find it in your
profile. No, it won't display other people's saved stories for you.)

If you must comment, try to at least include something other people will want
to read. (And then you can stick a keyword like "saved" or "fleezblort" into
your post to make it easy for you to search for.)

~~~
nickthemagicman
Brilliant! Thanks, did not know that.

------
gnu8
The only criminals here are the feds. Each and every one of them belongs in a
cage.

