FBI Hacks Tor Service

Started by Callie Del Noire, September 24, 2013, 01:56:31 AM


AmberStarfire

That's disturbing and I'd like to say it's unexpected, but Tor seems too 'big and shiny' a target for the US government to let slip. Some people are using it for bad things, after all - it's a known fact, but a lot of people are using it because they don't like anyone prying in their 'stuffs'.

I was giving thought to changing over to Tor recently, but you don't know who's operating the nodes, and the US government is providing some funding for the Tor network. Anyone who operates an exit node is at pretty big risk, because that's where users' transmitted content becomes visible, and whoever is operating those nodes can be (and in some cases has been) prosecuted for content passing through. A lot of people just use Tor for their regular browsing, but a lot of torrent data as well as things people want hidden go through Tor. My understanding is it changes your IP address to that of an exit node, so if you were to access certain sites through it, you might run into problems because the exit nodes are known IP addresses and some sites will block them.

It's really the desire for privacy and security that made Tor appeal to me, but I couldn't bring myself to trust it. It doesn't FEEL secure with all that's going on, and this article only reinforces that. After what happened with Lavabit and other sites, I'm not surprised this was done.




Tairis

In essence there is no such thing as a hidden server. Only a server whose location is obscured to the point that it can't be positively identified who it belongs to... and even that can be gotten around.

The real issue is more of a slippery slope argument. FBI will counter with 'but child porn'! And anybody that argues against it, no matter how well, is going to be just a little tainted because even without saying it they can imply 'well look, these guys are clearly defending child porn'.

The question becomes do you trust the government to know when it's okay to break their own rules? Because I sure as hell don't.
"I am free because I know that I alone am morally responsible for everything I do. I am free, no matter what rules surround me. If I find them tolerable, I tolerate them; if I find them too obnoxious, I break them. I am free because I know that I alone am morally responsible for everything I do."
- Robert Heinlein

Cheka Man

Child porn is evil but so is a too-powerful government.

ladia2287

This is rather disconcerting. There are already so many security issues we have to be aware of in our day-to-day browsing. In this case the FBI has justified their hacking by claiming that the server was being used to distribute an illegal and grossly immoral product, but it's a fine line between justifiable cause and non-justifiable cause. My concern is that this could set a precedent for other breaches of a basic right of privacy. What happened to there being a strict protocol to follow in situations like this?

Tharic

If you think the FBI (or more appropriately the NSA) isn't capable of strolling through Tor, you're grossly underestimating our cyber technology and knowledge. This is PUBLIC information what the FBI has done. It wouldn't be public if the government wasn't willing to let it be public. It's known that the NSA can pop the encrypto keys that Tor uses. If that's known publicly, imagine what's not revealed and happening in some white room lab.

As a long-time Tor user, Tor is NOT something that's secure and safe. If you're walking into Tor thinking you're doing something that's "safe", you're going in with the wrong intentions.

It's no different than walking into a dark alley in a big city and thinking that you're doing something "safe". You need to approach anything and everything you do on Tor the same way. With as much caution and care as you can. Just don't make the assumption that anything on Tor, silk road, dealing with BTC or anything else is safe or 100% secure.

Do everything you can to cover your own ass. Even if you're just firing up Tor to go "oh, what's this all about". If you aren't doing it as encrypted and obfuscated as you can possibly do, you're doing it wrong. If you don't know what I'm talking about, unfortunately, you probably don't have much business diving into Tor.

Don't take this the wrong way, because it's for your own personal good and protection. Tor is a dangerous, scary place.

This way be dragons..

Callie Del Noire

My issue is this, Tharic: if you can put 'back doors' in Tor software, what is to stop using the SAME justifications for all browsers, email programs, firewalls, even the OS any computer works on? And once that is done, the foundation of trust that all this house of cards called the internet works on. From there, we wind up with a balkanized internet that isn't stable, unified or even half as 'safe' as the one we have now.


Tharic

Quote from: Callie Del Noire on October 01, 2013, 11:56:18 AM
My issue is this, Tharic: if you can put 'back doors' in Tor software, what is to stop using the SAME justifications for all browsers, email programs, firewalls, even the OS any computer works on? And once that is done, the foundation of trust that all this house of cards called the internet works on. From there, we wind up with a balkanized internet that isn't stable, unified or even half as 'safe' as the one we have now.

There's not much need to put 'back doors' into the browsers or email programs we use. The majority of traffic transmitted via the Internet using most browsers and email programs is 100% unencrypted. It's plain text. I could drop a wifi laptop next to most office buildings, be on their network in about 5 minutes and gobbling up unencrypted data with an easy Linux app such as tcpdump or wireshark or ettercap.

That's not even getting into the concept of having IXP level access, like the government does. (And don't believe the NSA doesn't have access to core IXPs.) I mean, look at the southeast US. You've got an IXP in Miami, Tampa and Atlanta. Everything else is going to route through one of those IXPs. Even Miami and Tampa route up to Atlanta to get "anywhere". You sit on a core IXP like Atlanta and you've got access to every drop of traffic flowing out of the southeast of the United States.

If you believe the Internet is safe, you're sadly mistaken.

(And yes, this is what I do for a living. I'm working towards my CISSP certification.)

Callie Del Noire

Quote from: Tharic on October 01, 2013, 12:16:49 PM
There's not much need to put 'back doors' into the browsers or email programs we use. The majority of traffic transmitted via the Internet using most browsers and email programs is 100% unencrypted. It's plain text. I could drop a wifi laptop next to most office buildings, be on their network in about 5 minutes and gobbling up unencrypted data with an easy Linux app such as tcpdump or wireshark or ettercap.

That's not even getting into the concept of having IXP level access, like the government does. (And don't believe the NSA doesn't have access to core IXPs.) I mean, look at the southeast US. You've got an IXP in Miami, Tampa and Atlanta. Everything else is going to route through one of those IXPs. Even Miami and Tampa route up to Atlanta to get "anywhere". You sit on a core IXP like Atlanta and you've got access to every drop of traffic flowing out of the southeast of the United States.

If you believe the Internet is safe, you're sadly mistaken.

(And yes, this is what I do for a living. I'm working towards my CISSP certification.)

Thing is, and I am aware of the vulnerabilities as well, is you don't violate your own laws to find wrongdoing. It is bad practice. It's stupid. It undercuts the process, public trust and the stability of the system. If you work in the field, you would agree that engineered vulnerabilities are dangerous as they never STAY secret, right? Eventually, someone in the 'wild' will find them, right?

That's my issue. We are undermining our own system by endorsing back doors. For God's sake, the NSA purposely put a hack into an encryption standard. How can that not be dangerous if leaked?

ladia2287

Quote from: Tharic on October 01, 2013, 10:56:55 AM
If you think the FBI (or more appropriately the NSA) isn't capable of strolling through Tor, you're grossly underestimating our cyber technology and knowledge. This is PUBLIC information what the FBI has done. It wouldn't be public if the government wasn't willing to let it be public. It's known that the NSA can pop the encrypto keys that Tor uses. If that's known publicly, imagine what's not revealed and happening in some white room lab.

As a long-time Tor user, Tor is NOT something that's secure and safe. If you're walking into Tor thinking you're doing something that's "safe", you're going in with the wrong intentions.

It's no different than walking into a dark alley in a big city and thinking that you're doing something "safe". You need to approach anything and everything you do on Tor the same way. With as much caution and care as you can. Just don't make the assumption that anything on Tor, silk road, dealing with BTC or anything else is safe or 100% secure.

Do everything you can to cover your own ass. Even if you're just firing up Tor to go "oh, what's this all about". If you aren't doing it as encrypted and obfuscated as you can possibly do, you're doing it wrong. If you don't know what I'm talking about, unfortunately, you probably don't have much business diving into Tor.

Don't take this the wrong way, because it's for your own personal good and protection. Tor is a dangerous, scary place.

This way be dragons..

Anyone is capable of hacking into any system, no matter how 'secure' it is. That's why anyone who is smart with their internet access installs firewalls, anti-virus software and takes other security measures. What worries me is the ethics behind the actions of a government-sanctioned investigative body. There may be loopholes in the US law that allow this to happen, I don't know as I don't live there. But I can imagine the stink it would create if my country's equivalent body were caught doing the same thing. I don't believe it is ever okay to invade someone's privacy without their consent and in my opinion this is no better than breaking into someone's home, leaving a few hidden microphones lying around and listening in on everything that happens. Regardless of how it is justified, it is just plain unethical.

AmberStarfire

Very little seems to be reliably secure anymore. It's disturbing to see just how much information companies like Google gather about you, and with the advent of social networking and sites like LinkedIn, it's very easy to put a lot of private information out there. Once you do that, it's there. You can take it down, but you can't be sure it's ever truly gone. It only takes a look at the Wayback Machine to find that something from 10 years ago and since removed might still be lurking about.

There need to be more secure options that aren't clunky or complicated (requiring personal keys etc). That is what I was hoping Tor would be - I'm not interested in their onion sites. What I want is a bit of added privacy or anonymity without a slew of information being gathered about me in the process. If you want a web site to work nowadays, to be found and recognised by people, you don't forego Google. They're too popular, but I'll admit I'm so close to ditching Google, Gmail, Yahoo and similar altogether, and trying to find a more private option. The only thing is, for normal everyday people, I'm not sure one actually exists. Tor was a hope, but the FBI got around that with quite a bit of ease. Is email any more secure if it's on your own hosting account, but hosted on American servers?


AmberStarfire



Callie Del Noire

Quote from: AmberStarfire on October 02, 2013, 04:55:17 PM
An interesting story that's connected:

http://www.news.com.au/technology/us-authorities-shut-down-alleged-silk-road-black-market-charge-accused-mastermind-ross-william-ulbrich/story-e6frfro0-1226731942871

I figured sooner or later this would happen. One of the issues you have to deal with using an alias.. is you ALWAYS have to use it. For everything. You slip up..someone will hear/read it..from there it is a simple step to work through data to find it out. The more you post/chat online..the easier it gets over time.


Chris Brady

Quote from: Callie Del Noire on October 01, 2013, 01:46:52 PM
Thing is, and I am aware of the vulnerabilities as well, is you don't violate your own laws to find wrongdoing. It is bad practice. It's stupid. It undercuts the process, public trust and the stability of the system. If you work in the field, you would agree that engineered vulnerabilities are dangerous as they never STAY secret, right? Eventually, someone in the 'wild' will find them, right?

That's my issue. We are undermining our own system by endorsing back doors. For God's sake, the NSA purposely put a hack into an encryption standard. How can that not be dangerous if leaked?

Why is this surprising, though? Governments have been doing this for as long as they've been around.

The sad part of this is that this is nothing new. We all get upset about it, we all feel violated, but at the end of the day, no one can do anything about it, because if, as someone pointed out, you fight against it, they just point out you're defending criminals. The ends ALWAYS justify the means.

It's a sick, sad truth.

Callie Del Noire

Quote from: Chris Brady on October 03, 2013, 02:03:59 AM
Why is this surprising, though?  Governments have been doing this for as long as they've been around.

The sad part of this is that this is nothing new. We all get upset about it, we all feel violated, but at the end of the day, no one can do anything about it, because if, as someone pointed out, you fight against it, they just point out you're defending criminals. The ends ALWAYS justify the means.

It's a sick, sad truth.

Thing is.. it's dangerous. You're literally pulling 'bricks' out of the foundation. It undermines the foundation of your case. I know a few former DAs (like my brother) who wince when they hear things like this. This was a dangerous tactic. Granted it might pay off in the initial case but you are almost definitely assured of a massive appeal with LOTS of groups who otherwise wouldn't get involved.

-Civil Liberties groups
-Right to Privacy groups like the EFF.

Oh yeah.. definitely going to be messy in the follow up.

doodasaurus

Quote from: AmberStarfire on October 02, 2013, 04:55:17 PM
An interesting story that's connected:

http://www.news.com.au/technology/us-authorities-shut-down-alleged-silk-road-black-market-charge-accused-mastermind-ross-william-ulbrich/story-e6frfro0-1226731942871

I've been following this story quite closely and it increasingly looks like the TOR hack has nothing to do with it. In particular, the Silk Road guy was getting sloppy and cocky. I BELIEVE that what led to his arrest was really that Ulbricht hired an undercover cop to kill a former business partner who stole from Silk Road, though there was a growing body of evidence pointing to Ulbricht that had nothing to do with the TOR system. Like . . . he left his URL in SR code, he had an SR account linked to a Gmail address, they captured some documentation crossing the US/Canadian border that was linked to the SR account linked to the Gmail address, stuff like that. So far, there has been nothing to indicate that Ulbricht got picked up because of the federal TOR hack and he got caught in very traditional police work.

I also think there's some circumstantial evidence to suggest that Ulbricht was caught by traditional police methods. In particular, if possible, the FBI would have tried to simultaneously arrest Silk Road's biggest suppliers. That they didn't, that they arrested this one lone man, suggests to me that they did not successfully infiltrate SR electronically, otherwise I think they would have cast a much bigger net. I admit that's circumstantial, though, but consistent with the way the FBI likes to arrest racketeers - you take as many as you can all at once to lessen flight.

But I could also be 100% wrong.  ;D

AmberStarfire

I'm inclined to agree with you for the most part, Doodasaurus. I've been following the story as well, and it seems that Mr Dread Pirate Roberts made some blunders that led to his identity being found out.

Another story was saying he'd revealed his Gmail address on Stack Overflow (which had his real name in it) and that the guy he'd tried to have knocked off was threatening to reveal the identities of SR users. Also, that he'd already bargained to have at least one other person killed.

It's hard to know which details are accurate and which aren't, but it sounds like it was only a matter of time until his house of cards came tumbling down.

I agree with what Callie's saying though. Personally, I'm of the opinion that they may have decided to bring this guy down now because of current public opinion regarding NSA spying. It's one way to show the public that there's a real and tangible result (and a big one at that) for penetrating what was deemed to be a secure network.

If they had the means to do this before (bring the guy down) but didn't.. until now, it could well be a PR exercise. After all, they had every ability to use the site before to find people out (who's distributing these things). Maybe they can still track things from IP addresses, emails and so forth, but they just compromised their use of the site to catch its owner. But then once they have him, they likely have full access to the site and its records too.



Callie Del Noire

I find it very hard to think that anyone that has any thoughts of their own and a willingness to post them online WON'T give away hints to knowledgeable and patient people. Your syntax and sentence structure stand out. I've caught one DM who was mining RPOL for NPCs by putting ads up for games. You have interests you comment on? Those can catch you out. Mr. DPR had an interest in one unusual school of economics. Things like what you do, where you live, which politics and so on can point you out.

It basically came down to enough data to build a set of points that led back to their suspect.

AmberStarfire

In what way was he mining for NPCs?

I'm inclined to agree - those points add up. It's so easy to put a lot of data out there on the internet, what with social networking, forums, etc.


Callie Del Noire

Quote from: AmberStarfire on October 04, 2013, 09:44:47 PM
In what way was he mining for NPCs?

I'm inclined to agree - those points add up. It's so easy to put a lot of data out there on the internet, what with social networking, forums, etc.

He was taking the characters and 'suddenly' the same stats, skills, and gear would show up on a game on another game board.

Chris Brady

Quote from: Callie Del Noire on October 03, 2013, 12:21:21 PM
Thing is.. it's dangerous. You're literally pulling 'bricks' out of the foundation. It undermines the foundation of your case. I know a few former DAs (like my brother) who wince when they hear things like this. This was a dangerous tactic. Granted it might pay off in the initial case but you are almost definitely assured of a massive appeal with LOTS of groups who otherwise wouldn't get involved.

-Civil Liberties groups
-Right to Privacy groups like the EFF.

Oh yeah.. definitely going to be messy in the follow up.

I'm not going to argue with this, because you're VERY right. It does undermine the foundation of more than just a case, it undermines the entire point of civilization.

Thing is, it happens more often than we want to admit, or are ever allowed to see. And a lot of the time, we can't fight it because it was used to do some 'good'. The fact of the matter is, a site that allowed child porn to proliferate has been shut down. This is the end result. How they got there no longer matters, because the amount of good done will outweigh anything anyone else will say, because child porn is such a hot button topic (and rightly so.)

Oniya

So, Avast is hyping their latest product - a Virtual Private Network thing, and the ad for today was 'Protect your information from snoops and hackers!'  Then, in smaller letters: 'Yeah, we're thinking of Mr. Snowden's former employer, too.'

Braioch

I also find it odd, that despite the myriad of other things on the TOR services, assassinations, drug trafficking, counterfeiting, etc, that this is what they go for...

Well I suppose it does look really really good in the papers. >,>

Callie Del Noire

Quote from: Braioch on October 14, 2013, 08:46:14 PM
I also find it odd, that despite the myriad of other things on the TOR services, assassinations, drug trafficking, counterfeiting, etc, that this is what they go for...

Well I suppose it does look really really good in the papers. >,>

Not to mention it was something the FBI works hard on.. the Kiddie Porn underground.. the other stuff is not as easy to track.

Light Ice

Quote from: mia h on September 24, 2013, 12:46:17 PM
That this horrible material is being hosted on obfuscated servers isn't really the issue; how would you feel if every conversation, every email, every phone call you made was being monitored? Not because you have done anything wrong but because there is a chance that someone else has and we should stop that wrongness. We know you've done nothing wrong so when we do look into you we won't find anything, but those people who have done wrong things they won't want us looking but you're not one of them, are you?

It's very easy to use the "won't you think of the children?" argument to justify just about any action, but that doesn't make it right or legal. In this case it's the FBI, they are a civilian organization and should be subject to the same laws as everyone else but in this (and possibly many other instances) they appear to invoke a variant of the ancient rule - It's not cheating if you don't get caught.

It's important to make it clear that you've already given various entities consent to sift through your personal information.  Every major OS, every major web browser, every major account you have ever signed up for has a TOS.  That TOS allows them to review any and all content you view.  This is aggregated into tables and categorized for many purposes.  Advertising, mainly, but others as well. 

So, before you kill the government for going through your computer, you should reconsider where your arguments lie. Google knows a great deal more about you than the government does. The reason being, obviously, you've given them permission to.
An excellent man; he has no enemies; and none of his friends like him.
-Oscar Wilde

Valthazar

Quote from: Light Ice on December 10, 2013, 05:23:51 PM
It's important to make it clear that you've already given various entities consent to sift through your personal information.  Every major OS, every major web browser, every major account you have ever signed up for has a TOS.  That TOS allows them to review any and all content you view.  This is aggregated into tables and categorized for many purposes.  Advertising, mainly, but others as well. 

So, before you kill the government for going through your computer, you should reconsider where your arguments lie. Google knows a great deal more about you than the government does. The reason being, obviously, you've given them permission to.

This is an excellent point, but none of us agreed to a contract letting us know the government would have access to this data. 

If you read those TOS, you'll see explanations for when information can be disseminated to third parties (such as in criminal investigations, certain marketing purposes, etc).  As it stands, Google and many of these other companies claim they were not aware that government had access to their servers, but if they did, many clauses in their TOS have been violated - unless they protected themselves in the contract through broad/vague wording.