* How VG found the IP of the Tor Hidden Server, and discovered that it was being run by Australian police.
* Why Australian police got to run the site, despite having no direct connection to it, due to how their laws allow the police to act in ways that are criminal elsewhere (basically digital black sites).
* How the forum had a policy that all posts from the admin had to include rape images, as an attempt at preventing police from honeypotting the site.
* The ethics of the police running a CP forum, including police posting CP themselves.
Two disturbing things other than the obvious ones such as people abusing children. First,
> While the young Canadian unsuccessfully tried to find help to control the desires he felt, the American kept them shut inside. He was afraid any doctor, psychologist or counsellor he consulted would have to report him if he admitted being sexually attracted to children.
I often feel as if, like with drug users, treating paedophilia not as inherent thoughtcrime but as something someone needs help with, could help prevent a lot of abuse. I don't know what I'd do if there was such a taboo on adult men being attracted to adult women.
The second is the state of anarchy we're in at a global level, with law enforcement, criminals, governments and large multinational companies simply being able to go there where the law is most conducive to whatever they want to do, effectively as if there is no law at all.
Both things for which I don't really know how they could be fixed, but which have me concerned nonetheless.
>The question was asked and the server replied. It was located in Sydney, owned by the server Digital Pacific.
What the hell does that even mean? It almost sounds like they were doing packet sniffing and looking at the IP addresses of where the packets came from. Any non-Tor exit node IPs could be the server's IP. A similar strategy was used against Silk Road.
Except that with tor, hitting ANY external IP from the "real" IP of your hosting box is bad news (since your service is no longer hidden).
This is a rookie mistake for an operator running a hidden service. What you are supposed to do is a) ensure you are not running crappy software and more importantly b) ensure that your server/container/service (preferably) has no network egress or (if you need that) that egress is transparently proxied at the network level through something suitably anonymous. Whatever scheme you choose should be robust against an attacker who compromises your hidden service in any way, up to having root on the host or VM. This usually means that if you are trying to run a hidden service on a single physical machine, you want multiple VMs or containers, and you really want there to be no guest-to-host escapes. There are multiple ways of skinning that cat but VMs are nicer than containers or jails because you can have actually different network stacks.
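As an added example (not code from the forum, the article or any project), here is the avatar-fetch pattern the comment above warns about next to a version that hands both the DNS lookup and the TCP connection to a local Tor SOCKS5 port. It assumes Tor's default SocksPort of 127.0.0.1:9050 and implements the RFC 1928 client handshake by hand so that nothing outside the Python standard library is needed.

```python
"""Avatar fetch from a user-supplied URL: the pattern that leaks the server's
real IP, beside a version that routes the lookup and the connection through
Tor.  Added example, not the forum's or any project's code.  Assumes a local
Tor daemon on its default SocksPort, 127.0.0.1:9050, and implements the
SOCKS5 client side of RFC 1928 by hand (standard library only)."""
import socket
import struct
import urllib.request
from urllib.parse import urlsplit

TOR_SOCKS_HOST, TOR_SOCKS_PORT = "127.0.0.1", 9050  # assumption: default Tor SocksPort


def fetch_avatar_leaky(url: str, timeout: float = 10.0) -> bytes:
    """The leaky pattern: urlopen resolves the name with the host's resolver
    and connects from the host's default route, so the attacker's web-server
    and DNS logs both see the real address."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read()


def socks5_greeting() -> bytes:
    """VER=5, one offered method, METHOD=0x00 (no authentication)."""
    return b"\x05\x01\x00"


def socks5_connect_request(host: str, port: int) -> bytes:
    """CONNECT with ATYP=0x03 (domain name).  Sending the name, not an
    address, makes Tor resolve it inside the circuit, so no DNS query
    leaves the box; resolving locally first would leak the resolver traffic."""
    name = host.encode("idna")
    if not 1 <= len(name) <= 255:
        raise ValueError("hostname length not representable in SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack("!H", port)


def parse_socks5_reply(reply: bytes) -> int:
    """Return the REP field (0 = succeeded, RFC 1928 section 6)."""
    if len(reply) < 4 or reply[0] != 0x05:
        raise ValueError("malformed SOCKS5 reply")
    return reply[1]


def _recv_exactly(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("SOCKS peer closed the connection")
        buf += chunk
    return buf


def _recv_socks5_reply(sock: socket.socket) -> bytes:
    """Read a full reply; the BND.ADDR length depends on ATYP."""
    head = _recv_exactly(sock, 4)
    atyp = head[3]
    if atyp == 0x01:
        rest = _recv_exactly(sock, 4 + 2)
    elif atyp == 0x04:
        rest = _recv_exactly(sock, 16 + 2)
    elif atyp == 0x03:
        length = _recv_exactly(sock, 1)
        rest = length + _recv_exactly(sock, length[0] + 2)
    else:
        raise ValueError("unknown ATYP in SOCKS5 reply")
    return head + rest


def fetch_avatar_via_tor(url: str, timeout: float = 60.0) -> bytes:
    """Hardened fetch: every byte, name resolution included, goes to Tor.
    Plain HTTP only, to keep the example short; for https you would wrap
    the socket with ssl after the CONNECT succeeds."""
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("only absolute http:// URLs are handled here")
    host, port = parts.hostname, parts.port or 80
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    with socket.create_connection((TOR_SOCKS_HOST, TOR_SOCKS_PORT), timeout=timeout) as s:
        s.sendall(socks5_greeting())
        if _recv_exactly(s, 2) != b"\x05\x00":
            raise ConnectionError("Tor did not accept the no-auth method")
        s.sendall(socks5_connect_request(host, port))
        if parse_socks5_reply(_recv_socks5_reply(s)) != 0:
            raise ConnectionError("Tor could not connect to %s:%d" % (host, port))
        s.sendall(("GET %s HTTP/1.0\r\nHost: %s\r\nConnection: close\r\n\r\n" % (path, host)).encode())
        chunks = []
        while True:
            chunk = s.recv(65536)
            if not chunk:
                break
            chunks.append(chunk)
    _headers, _, body = b"".join(chunks).partition(b"\r\n\r\n")
    return body
```

The leaky function is the thing to grep for in forum software: any urlopen, curl or file_get_contents on a URL the user controls. The detail that matters in the hardened version is the ATYP 0x03 CONNECT, which keeps the DNS lookup inside Tor; resolving locally and then connecting through SOCKS would still leak the outgoing DNS requests the article mentions. Application-level proxying only holds until the application is compromised, so it belongs behind a host firewall that drops all egress except from the Tor process itself.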
The officer's methodology for determining whether the requesting IP was really that of the hidden service was quite sound from a forensics point of view and in fact did not require any "special" network access over and above that which a normal citizen would have.
"IP addresses and physical server locations are inherently difficult to find on the Tor network. So how did VG’s computer expert get the forum to disclose this information?
1. Profile picture upload
The forum allowed users to upload a profile picture. This picture could also be fetched from a user-supplied URL.
2. The leak
This is where the information leak occurs. Configured for optimal security, the forum’s software and/or server would fetch the remote profile picture via Tor. Childs Play did not – all traffic to external sites originated from the server’s real IP.
3. The IP address is exposed
By telling the forum to fetch a picture from a server Stangvik controlled, he could see in his server logs that the originating IP was with a hosting provider in Sydney – Digital Pacific. Stangvik went on to confirm that outgoing DNS requests originated from the same provider, and that the forum’s software also loaded images included in forum post previews from the same IP.
4. A proxy, VPN or Tor Exit?
The next question was whether the IP belonged to a Tor Exit Node, a VPN or a proxy server. An IP can hide just about anything. How could he confirm that this was the forum’s location, rather than just a node in a chain of redirects? Stangvik applied three improvised techniques:
5. Timing between the servers
He rented a virtual server with Digital Pacific – the same place as where the suspected IP was located. He then updated the profile picture URL to point to this server. Upon receiving an incoming profile picture request, Stangvik’s server would respond with a redirect to another URL on the same virtual server. Repeating this redirection process several times, Stangvik was able to isolate and measure the roundtrip-time between the two servers. The measurements yielded very low times, consistent with a forum server in close vicinity of his rented server.
6. Measuring intermediate nodes
Stangvik also paid attention to so-called «Time To Live» values on the incoming data packets. These provide some insight into how many intermediate parties are involved from the sender to the recipient. In this case, the values indicated that there were at most one intermediate – a typical result if the servers were located in the same room.
7. Measuring packet size
The final test started to get advanced: Measuring MTU (Maximum Transmission Unit) and packet fragmentation.
Each packet in a computer network has a maximum transmission size, based on which intermediates it passes through. Each encapsulating technology, such as VPNs, can result in the total packet size increasing beyond the maximum size, and local networks usually have larger maximum sizes than the “tubes” found on the internet. If the maximum size is surpassed, the packet will be broken into multiple fragments.
By crafting long profile picture URLs, and setting specific packet flags, in the redirects returned by his custom web server software, he could see that the MTU was consistent with that of high-speed local area network traffic, and also ruled out VPN configurations."
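To make the three confirmation checks concrete, the following is an added example (not VG's or Stangvik's tooling) that runs them over a constructed request log from the rented VM: one line per hop of the redirect chain with the arrival time, the SYN's IP TTL and its TCP MSS option. The 203.0.113.10 address (TEST-NET-3), the log format, the 5 ms "same room" threshold and the assumption that the peer started from one of the common initial TTLs (64, 128, 255) are all mine; the MSS test is a simplified stand-in for the MTU/fragmentation probing the article describes.

```python
"""Redirect-chain timing, TTL hop estimation and MSS consistency checks over
a constructed web-server log.  Added example, not code from VG or the
investigation; the log lines, address and thresholds are assumptions."""
import re
from statistics import median

# Constructed log, one line per hop of the redirect chain: epoch seconds,
# client IP, request path, IP TTL of the SYN, TCP MSS option from the SYN.
# Not real investigation data.
SAMPLE_LOG = """\
1500000000.000000 203.0.113.10 GET /avatar/hop0 ttl=63 mss=1460
1500000000.001200 203.0.113.10 GET /avatar/hop1 ttl=63 mss=1460
1500000000.002300 203.0.113.10 GET /avatar/hop2 ttl=63 mss=1460
1500000000.003500 203.0.113.10 GET /avatar/hop3 ttl=63 mss=1460
1500000000.004600 203.0.113.10 GET /avatar/hop4 ttl=63 mss=1460
"""

LINE_RE = re.compile(r"^(\d+\.\d+) (\S+) GET (\S+) ttl=(\d+) mss=(\d+)$")
COMMON_INITIAL_TTLS = (64, 128, 255)  # Linux/macOS, Windows, many network devices
ETHERNET_MSS = 1460                   # 1500-byte MTU minus 20 IP + 20 TCP header bytes


def parse_log(text: str) -> list:
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip anything that is not one of our probe requests
        ts, ip, path, ttl, mss = m.groups()
        rows.append({"ts": float(ts), "ip": ip, "path": path,
                     "ttl": int(ttl), "mss": int(mss)})
    return rows


def estimated_hops(observed_ttl: int) -> int:
    """Assume the sender started from the smallest common initial TTL that is
    >= the observed value; the difference is the number of routers crossed."""
    for initial in COMMON_INITIAL_TTLS:
        if observed_ttl <= initial:
            return initial - observed_ttl
    raise ValueError("TTL above 255")


def redirect_gaps_ms(rows: list) -> list:
    """Each inter-arrival gap in the redirect chain is one round trip plus the
    forum's processing time; with many hops the median isolates the RTT."""
    ts = [r["ts"] for r in rows]
    return [(b - a) * 1000.0 for a, b in zip(ts, ts[1:])]


def mss_suggests_tunnel(mss: int) -> bool:
    """VPNs and other encapsulation shrink the MSS the peer advertises; an
    Ethernet-sized MSS means no extra headers sit between it and us
    (simplified stand-in for the article's MTU/fragmentation probing)."""
    return mss < ETHERNET_MSS


def assess(rows: list, same_room_rtt_ms: float = 5.0) -> dict:
    """Combine the three signals into one verdict (thresholds are assumptions)."""
    hops = max(estimated_hops(r["ttl"]) for r in rows)
    med = median(redirect_gaps_ms(rows))
    tunnel = any(mss_suggests_tunnel(r["mss"]) for r in rows)
    colocated = hops <= 1 and med < same_room_rtt_ms and not tunnel
    return {"hops": hops, "median_gap_ms": med,
            "tunnel_suspected": tunnel, "colocated": colocated}


if __name__ == "__main__":
    print(assess(parse_log(SAMPLE_LOG)))
```

The point of the redirect chain is that a single request tells you nothing about latency (the forum decides when to fetch), but consecutive hops are issued back to back, so their spacing is dominated by the round trip. A Tor exit, VPN endpoint or HTTP proxy in front of the real host would show up as extra hops in the TTL, a much larger median gap, or a reduced MSS, and any one of the three is enough to reject the "same facility" hypothesis.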
That's not the issue though. Even if the server was behind NAT (and thus only knows its internal IP), it could still find out its real external IP by sending packets to some other machine on the internet and checking what the "from" address was. Preventing this leak can only be done by having a strict routing table and/or outbound firewall. Having VMs/containers 7 layers deep wouldn't help if the packets could freely reach the internet unproxied.
Whonix is amazing. I recommend it to anyone who is serious about avoiding even sending a single packet over the clearnet.
I'd be asking hundreds of questions, taking courses, and using as many layers as would be reasonable to hide even my efforts at learning. I'd probably be obsessed with security, more so than I am now. Much more so, in fact.
Fortunately, I don't actually want to do anything illegal. That will make it easier. I do kind of want to learn how to set up a hidden service, but just to satisfy my curiosity.
With all the public posts, writing style analytics, and use of a common moniker across services, it seems that it may be possible to do just that on a large scale. It seems that it could be made trivial to narrow down lists of suspects by crunching large data sets that contain stuff like SO questions, AC posts on Slashdot, or responses on HN.
After all, how many people are actively seeking to secure a message board as a hidden service and doing so at that time? I sort of envision it as having some commonality with the timing attacks already in use to deanonymize Tor users.
Subject A asked about securing IP addresses for uploads and Service A got this feature two weeks later. Subject C asked about this security aspect and Service A has that concern. Subject Q asked about using this forum software and requested this modification. Service A uses that software, etc...
So, maybe Subjects A, C, and Q are all the same people.
While it doesn't prove much, it does potentially aid in narrowing down the list of suspects. Coupled with other bits of information, it may narrow the list down significantly.
That and there are huge sets of data out there. Processing that intelligently, and rapidly, could really change the way investigations are done.
However, this is an active area of research in both classified and (presumably) non-classified areas. See for example this search: https://scholar.google.com.au/scholar?q=related:KbJLbpaKfCkJ...
My original point was that OPSEC is hard if you're trying to be a topic expert in a short period of time. You don't need NSA tools to attack someone in that situation.
> It seems that it could be made trivial to narrow down lists of suspects by crunching large data sets that contain stuff like SO questions, AC posts on Slashdot, or responses on HN.
That is what XKEYSCORE does (or at least, it's the interface you use to query the above data sets, which are collected as part of PRISM and the other programs).
Once again, HN has sent me off into a subject I'd not have found on my own. That's why I like HN as much as I do.
I think it might have been a Defcon or Black Hat talk on ways of communicating anonymously. They certainly didn't use a web forum, it was more along the lines of posting encrypted messages to Usenet that were widely distributed and could only be decrypted by the recipient.
This was taken as evidence that perfect operational security is possible even against nation-state actors committing a large (but not indefinite) amount of resources.
Maybe there should be some sort of informal game, perhaps played with the major law enforcement agencies, with the goal being to avoid identification. It could be justified by asserting that it would aid in training investigation techniques.
It needn't hand over monetary prizes, just admission of success. Maybe it could trade pictures of cats?
The illicit nature is probably one of the attractions. My understanding is that people become 'addicted' to it and strive to amass large collections. Few offenders have just a couple of images and videos but, instead, have vast collections. This is more so than is seen with legal pornographic material and possibly has something to do with the rarity and difficulty of access as well as inconsistency of access.
Disclosure: I used to date a lady who studied and worked with sex offenders. However, we seldom discussed her research and never her individual patients. So, I'm largely speculating with just a hint of regurgitating expert information.
So, with that said, it is largely still a fairly taboo subject of study. I guess there are many misconceptions and misunderstandings, even at the academic level. An example might be that sex offenders have a low rate of recidivism, even lower if narrowed to new sex offenses. On the other hand, they often have many victims prior to their first interaction with the justice system. Most victimization isn't done by strangers and involves grooming by a person close to the victim. That sort of stuff.
I don't have a solution, by the way. There has been some serious discussion of allowing current examples of confiscated CP to be used by those who are predisposed to such, but that goes over about as well as a lead balloon. It also doesn't solve the issue where they seem to want more and new material. Maybe CGI will be the answer? I'm just not sure that society will find that acceptable.
It isn't easy to have a conversation about it. She would very seldom disclose her work with the people she knew and had received death threats and had some instances of vandalism. Her work with offenders negatively impacted her social life.
So, we on HN might discuss it and try to remove our biases and be objective, but we are a rarity and previous threads might indicate that not everyone is willing to do so.
Sorry for the novella and meandering nature of my post. I'm not the greatest wordsmith.
(The icon was in the top right, some 20p image!)