
This likely points to this being an FBI "network investigative technique".* I'm really curious where this attack was injected, as that also means that that .onion is also compromised.

My guess? Some darknet market.

* Sure, this could be some type of awkward false flag, but it seems unlikely to my gut.





Unrelated, but kudos on the arbitrary hash use on the WordPress auto updater last week.


Thanks. That was all Matt Barry. I just prettied it up. He literally did that in his spare time and one day showed up at work and after some small talk he was like "Oh, yeah by the way..." and my jaw hit the floor.

That was a few months ago. We had to go through the disclosure process via HackerOne etc.

I'm really lucky to be working with people like Matt and others on the team.


It's on a CP site (giftbox). The exploit got loaded on the confirmation page after logging in.


Eh, with that being the case, I don't personally have too much sympathy.

+1 to FBI on this being pretty well targeted; you had to have had a successful login for them to be attempting this in the first place. It's about as precise as they can get; you're only going after users that are active members of the service. They are at least being reasonable in who they are targeting. I can't really think of how they can be more targeted in attempting to deanonymize people in the network.

I don't like this whole NIT garbage because I'm afraid this will lead to fishing expeditions, where you just root everyone on an .onion that happens to visit it, and then clean up with a multitude of search warrants later and hope you get something. I also don't believe it's the FBI's (or America's) job to play world police.

-1 to the FBI, at least: they were (once again) actively serving CP on a compromised server again, which seems like something you shouldn't be doing as an LEA fighting the distribution of the content. Illegal actions shouldn't be taken to fight crime. Distributing the thing you are fighting is the definition of the abyss having gazed into you.


> Illegal actions shouldn't be taken to fight crime.

I disagree with that and I am in favor of illegal actions against criminal actions.

I just think that this is not FBI's role. Illegal organizations should assume the illegal work. If FBI commits crimes to fight crimes, then to me they're as criminal as the folks they're hunting, and therefore I would treat them the same way I treat the "regular" criminal people.


Hey! Motherboard reporter here. Can you provide some evidence of this? You can contact me (anonymously) via OTR lorenzofb@jabber.ccc.de or ricochet:p5mbxsckf3qbmobc Also via email (PGP: https://keybase.io/lorenzofb/key.asc)


I found the following note in a pastebin-similar website on TOR (Deep Paste): http://pastebin.com/iNRasUFT


It's not much, but the code redirects the user to a 'member.php' page after 2 seconds. So whatever the target was, it probably had a member.php page.



