
People should really read VG's special, which covers things like:

* How VG found the IP of the Tor Hidden Server, and discovered that it was being run by Australian police.

* Why Australian police got to run the site, despite having no direct connection to it, due to how their laws allow the police to act in ways that are criminal elsewhere (basically digital black sites).

* How the forum had a policy that all posts from the admin had to include rape images, as an attempt at preventing police from honeypotting the site.

* The ethics of the police running a CP forum, including police posting CP themselves.


I like how discreet VG appears to be, and still asking the right questions (at least in the English version [1]).

Two disturbing things other than the obvious ones such as people abusing children. First,

> While the young Canadian unsuccessfully tried to find help to control the desires he felt, the American kept them shut inside. He was afraid any doctor, psychologist or counsellor he consulted would have to report him if he admitted being sexually attracted to children.

I often feel as if, like with drug users, treating paedophilia not as inherent thoughtcrime but as something someone needs help with, could help prevent a lot of abuse. I don't know what I'd do if there was such a taboo on adult men being attracted to adult women.

The second is the state of anarchy we're in at a global level, with law enforcement, criminals, governments and large multinational companies simply being able to go there where the law is most conducive to whatever they want to do, effectively as if there is no law at all.

Both things for which I don't really know how they could be fixed, but which have me concerned nonetheless.

[1] https://www.vg.no/spesial/2017/undercover-darkweb/?lang=en

>He found one weakness: By asking the server the right question, it would reveal his own IP address.

>The question was asked and the server replied. It was located in Sydney, owned by the server Digital Pacific.

What the hell does that even mean? It almost sounds like they were doing packet sniffing and looking at the IP addresses of where the packets came from. Any non-tor exit node IPs could be the server's IP. Similar strategy was used against Silk Road.

It is this bug: https://www.owasp.org/index.php/Server_Side_Request_Forgery

Except that with tor, hitting ANY external IP from the "real" IP of your hosting box is bad news (since your service is no longer hidden).

This is a rookie mistake for an operator running a hidden service. What you are supposed to do is a) ensure you are not running crappy software and more importantly b) ensure that your server/container/service (preferably) has no network egress or (if you need that) that egress is transparently proxied at the network level through something suitably anonymous. Whatever scheme you choose should be robust against an attacker who compromises your hidden service in any way, up to having root on the host or vm. This usually means that if you are trying to run a hidden service on a single physical machine, you want multiple VMs or containers, and you really want there to be no guest-to-host escapes. There are multiple ways of skinning that cat but VMs are nicer than containers or jails because you can have actually different network stacks.

The officer's methodology for determining whether the requesting IP was really that of the hidden service was quite sound from a forensics point of view and in fact did not require any "special" network access over and above that which a normal citizen would have.

Two things spring to mind: a debug message that spat out the IP it was listening on, or just scanning the internet and sending every server a Host header that's the Tor hostname. Sounds more like the former though.

They have a more technical description of the process further down in the article, in the grey box:

"IP addresses and physical server locations are inherently difficult to find on the Tor network. So how did VG’s computer expert get the forum to disclose this information?

1. Profile picture upload

The forum allowed users to upload a profile picture. This picture could also be fetched from a user-supplied URL.

2. The leak

This is where the information leak occurs. Configured for optimal security, the forum’s software and/or server would fetch the remote profile picture via Tor. Childs Play did not – all traffic to external sites originated from the server’s real IP.

3. The IP address is exposed

By telling the forum to fetch a picture from a server Stangvik controlled, he could see in his server logs that the originating IP was with a hosting provider in Sydney – Digital Pacific. Stangvik went on to confirm that outgoing DNS requests originated from the same provider, and that the forum’s software also loaded images included in forum post previews from the same IP.

4. A proxy, VPN or Tor Exit?

The next question was whether the IP belonged to a Tor Exit Node, a VPN or a proxy server. An IP can hide just about anything. How could he confirm that this was the forum’s location, rather than just a node in a chain of redirects? Stangvik applied three improvised techniques:

5. Timing between the servers

He rented a virtual server with Digital Pacific – the same place as where the suspected IP was located. He then updated the profile picture URL to point to this server. Upon receiving an incoming profile picture request, Stangvik’s server would respond with a redirect to another URL on the same virtual server. Repeating this redirection process several times, Stangvik was able to isolate and measure the roundtrip-time between the two servers. The measurements yielded very low times, consistent with a forum server in close vicinity of his rented server.

6. Measuring intermediate nodes

Stangvik also paid attention to so-called «Time To Live» values on the incoming data packets. These provide some insight into how many intermediate parties are involved from the sender to the recipient. In this case, the values indicated that there was at most one intermediate – a typical result if the servers were located in the same room.

7. Measuring packet size

The final test started to get advanced: Measuring MTU (Maximum Transmission Unit) and packet fragmentation. Each packet in a computer network has a maximum transmission size, based on which intermediates it passes through. Each encapsulating technology, such as VPNs, can result in the total packet size increasing beyond the maximum size, and local networks usually have larger maximum sizes than the “tubes” found on the internet. If the maximum size is surpassed, the packet will be broken into multiple fragments.

By crafting long profile picture URLs, and setting specific packet flags, in the redirects returned by his custom web server software, he could see that the MTU was consistent with that of high-speed local area network traffic, and also ruled out VPN configurations."
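Added example (not part of the thread, the VG article, or any forum software): the application-level half of what step 2 calls "configured for optimal security", a fetch path that reaches user-supplied URLs only through a SOCKS5 proxy, sends the hostname to the proxy so no DNS query leaves the host (the leak noted in step 3), and fails closed. The proxy address assumes a local Tor client on its default SOCKS port; the function names are hypothetical.

```python
import socket
import struct

# Assumption: a local Tor client with its SOCKS listener on the default port.
TOR_SOCKS = ("127.0.0.1", 9050)


def recv_exact(sock, n):
    """Read exactly n bytes, or raise if the proxy closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("proxy closed the connection")
        buf += chunk
    return buf


def socks5_connect_request(host, port):
    """CONNECT request carrying the hostname itself (ATYP 0x03), so name
    resolution happens at the proxy and never on this machine."""
    name = host.encode("idna")
    if not 0 < len(name) < 256:
        raise ValueError("hostname length out of range for SOCKS5")
    return b"\x05\x01\x00\x03" + bytes([len(name)]) + name + struct.pack(">H", port)


def open_via_socks(host, port, proxy=TOR_SOCKS, timeout=30):
    """Return a socket tunnelled to host:port through the proxy.
    Fails closed: any proxy error raises; there is no direct fallback."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(b"\x05\x01\x00")  # version 5, one method offered: no auth
        if recv_exact(sock, 2) != b"\x05\x00":
            raise ConnectionError("proxy rejected the no-auth method")
        sock.sendall(socks5_connect_request(host, port))
        ver, rep, _rsv, atyp = recv_exact(sock, 4)
        if ver != 5 or rep != 0:
            raise ConnectionError(f"proxy refused CONNECT (reply code {rep})")
        # Discard the bound address the proxy reports, plus two port bytes.
        if atyp == 1:
            recv_exact(sock, 4 + 2)
        elif atyp == 4:
            recv_exact(sock, 16 + 2)
        elif atyp == 3:
            recv_exact(sock, recv_exact(sock, 1)[0] + 2)
        else:
            raise ConnectionError("malformed proxy reply")
        return sock
    except Exception:
        sock.close()
        raise
```

This covers only code that calls `open_via_socks`; any other library or process on the host that opens its own sockets still needs the network-level egress block discussed elsewhere in the thread.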

Steps 4-7 show the difference between a person who wants to block something (ISP blacklists, national firewalls, etcetera) vs actually identifying who is running a server. The questions of end point, a proxy, VPN or Tor Exit should be the minimal standard for IT related investigations. It saves both innocent bystanders and resources, and is also effective in catching the intended suspect.

This is why any server you want hidden should be behind something like whonix where no process running on the server should know the IP.

No, it should be configured to use a purpose-made device that tunnels all traffic over Tor as gateway.

Yes, because running the server in your garage or getting a colocation deal for a special purpose-made device is certainly more secure.

>where no process running on the server should know the IP.

that's not the issue though. Even if the server was behind NAT (and thus only knows its internal IP), it could still find out its real external ip by sending packets to some other machine on the internet and checking what the "from" address was from. preventing this leak can only be done by having a strict routing table and/or outbound firewall. having VMs/containers 7 layers deep wouldn't help if the packets could freely reach the internet unproxied.

if it was behind whonix, all outside traffic would be routed through tor. One of its selling points is that malware running on the VM as root cannot get the real IP (without additional exploits).

Whonix is great but the fact you need two servers and how the set up is more involved than just installing Tor and setting up a Hidden Service are the most common reasons why most take the easy but less secure route.

Whonix is amazing. I recommend it to anyone who is serious about avoiding even sending a single packet over the clearnet.

Even doing it on a single server is more secure than whatever these guys had. You can only be found if there's an actual exploit in the VM or tor or something, webserver bugs don't pwn you alone.

Damn. If only those child pornographers knew this tip.

If I were going to do something so very illegal, I'd research the hell out of it. If I were going to run something like this, I'd pretty much want to be an expert on the architecture and software stack.

I'd be asking hundreds of questions, taking courses, and using as many layers as would be reasonable to hide even my efforts at learning. I'd probably be obsessed with security, more so than I am now. Much more so, in fact.

And then you'd likely be in a select group of people who could be investigated individually. OPSEC is hard in most circumstances, but it's very hard if you're trying to be an expert on one topic in a short period of time.

Yeah, I'd even have to make a point to hide my learning. Only a specific subset of people would be asking how best to allow uploads while ensuring the IP address was masked via Tor. Added with other questions, it'd put me into a pretty narrow group, so even gathering information would need to be masked.

Fortunately, I don't actually want to do anything illegal. That will make it easier. I do kind of want to learn how to set up a hidden service, but just to satisfy my curiosity.

The original silk road fell because of an opsec failure in a post on stackoverflow...

A few weeks ago, and prompted by an HN post, I considered writing about the possibilities of ML as applied to large aggregate datum and with criminal investigation as the motivation.

With all the public posts, writing style analytics, and use of a common moniker across services, it seems that it may be possible to do just that on a large scale. It seems that it could be made trivial to narrow down lists of suspects by crunching large data sets that contain stuff like SO questions, AC posts on Slashdot, or responses on HN.

After all, how many people are actively seeking to secure a message board as a hidden service and doing so at that time? I sort of envision it as having some commonality with the timing attacks already in use to deanonymize Tor users.

Subject A asked about securing IP addresses for uploads and Service A got this feature two weeks later. Subject C asked about this security aspect and Service A has that concern. Subject Q asked about using this forum software and requested this modification. Service A uses that software, etc...

So, maybe Subjects A, C, and Q are all the same people.

While it doesn't prove much, it does potentially aid in narrowing down the list of suspects. Coupled with other bits of information, it may narrow the list down significantly.

That and there are huge sets of data out there. Processing that intelligently, and rapidly, could really change the way investigations are done.

That's what XKEYSCORE does, pretty much. The NSA has spent a lot of time working on these sorts of techniques.

No it doesn't - or at least there is no claim I've seen that this is part of XKEYSCORE. It's not mentioned on the Wikipedia page either[1].

However this is an active area of research in both classified and (presumably) non-classified areas. See for example this search: https://scholar.google.com.au/scholar?q=related:KbJLbpaKfCkJ...

[1] https://en.wikipedia.org/wiki/XKeyscore

Right, the NSA has a bunch of anti-Tor tools that usually are called QUANTUM-whatever. However, correlation of people across different networks is something that XKEYSCORE does. There's also the writing deanonymisation tools that you mention (but there's Anonymouth[1] which could help).

My original point was that OPSEC is hard if you're trying to be a topic expert in a short period of time. You don't need NSA tools to attack someone in that situation.

[1]: https://github.com/psal/anonymouth

In particular, this part:

> It seems that it could be made trivial to narrow down lists of suspects by crunching large data sets that contain stuff like SO questions, AC posts on Slashdot, or responses on HN.

Is what XKEYSCORE does (or at least, it's the interface you use to query the above data sets which are collected as part of PRISM and the other programs).

I've said it before, I'll say it again. Comments like that are why I like HN. I see there are some long reads associated with this subject.

Once again, HN has sent me off into a subject I'd not have found on my own. That's why I like HN as much as I do.

I feel like eventually some combination of factors would nail anyone against that level of effort and access. It would be interesting if there were a platform for people to compete on how long they can keep their servers up without being compromised.

I've forgotten the link, but there was a detailed story some years ago of a child pornography network where all the participants avoided identification in a long, joint investigation by the international crimes unit of the Five Eyes states.

I think it might have been a Defcon or Black Hat talk on ways of communicating anonymously. They certainly didn't use a web forum, it was more along the lines of posting encrypted messages to Usenet that were widely distributed and could only be decrypted by the recipient.

This was taken as evidence that perfect operational security is possible even against nation-state actors committing a large (but not indefinite) amount of resources.

Thanks, this is the one I was thinking of. Couldn't remember his obscure nickname. I remembered the capture rate in the child pornography group wrong, but the point stands :)

Having read that, I almost wish I were doing something illegal so that I could enjoy such a cat and mouse game.

Maybe there should be some sort of informal game, perhaps played with the major law enforcement agencies, with the goal being to avoid identification. It could be justified by asserting that it would aid in training investigation techniques.

It needn't hand over monetary prizes, just admission of success. Maybe it could trade pictures of cats?

But the whole point of being a criminal is to get a lot of money for not much effort. If you have to put that much work into it, you may as well get a job.

I'm assuming pedophilia isn't profit motivated. I don't really know that, but it seems a good assumption. I'm also not even sure where to begin researching that.

That's actually discussed in the VG article - that in pedophilia circles the "currency" is images and videos with much less money changing hands, which makes "follow the money" quite a bit harder.

I am not keen on learning the ropes, but I understand that it is driven by a barter culture and that there are financial exchanges made but that a lot is simply traded.

The illicit nature is probably one of the attractions. My understanding is that people become 'addicted' to it and strive to amass large collections. Few offenders have just a couple of images and videos but, instead, have vast collections. This is more so than is seen with legal pornographic material and possibly has something to do with the rarity and difficulty of access as well as inconsistency of access.

Disclosure: I used to date a lady who studied and worked with sex offenders. However, we seldom discussed her research and never her individual patients. So, I'm largely speculating with just a hint of regurgitating expert information.

So, with that said, it is largely still a fairly taboo subject of study. I guess there are many misconceptions and misunderstandings, even at the academic level. An example might be that sex offenders have a low rate of recidivism, even lower if narrowed to new sex offenses. On the other hand, they often have many victims prior to their first interaction with the justice system. Most victimization isn't done by strangers and involves grooming by a person close to the victim. That sort of stuff.

I don't have a solution, by the way. There has been some serious discussion of allowing current examples of confiscated CP to be used by those who are predisposed to such, but that goes over about as well as a lead balloon. It also doesn't solve the issue where they seem to want more and new material. Maybe CGI will be the answer? I'm just not sure that society will find that acceptable.

It isn't easy to have a conversation about it. She would very seldom disclose her work with the people she knew and had received death threats and had some instances of vandalism. Her work with offenders negatively impacted her social life.

So, we on HN might discuss it and try to remove our biases and be objective, but we are a rarity and previous threads might indicate that not everyone is willing to do so.

Sorry for the novella and meandering nature of my post. I'm not the greatest wordsmith.

The purpose of addressing the security fault in operational security is partially to retain trust in the tools used, and understanding the limitations of them. We don't want to read a news article that said "If only those journalists knew".

You'd think that with a story that big they'd provide an English version. Too bad.

They do. It's just impossible to find since they prefer showing 1080p of some empty US road instead of checking browser headers. But here it is:


(The icon was in the top right, some 20p image!)

Now I see the English version. I read it with Google Translate.

Bloody hell that was a difficult read.
