Joined 6 years, 3 months, 4 weeks, 1 day, and 8 hours ago.

Rant and Rave about The Canna Trade.
AGD
good karma
Custom Title: nOT-a-BoT
Has bestowed Karma : 1 time
Received Karma : 1 time
Posts: 202
Joined: Mon Sep 21, 2015 3:05 am

Post by AGD »

nbrk wrote: Smokes, PLEASE.

And guy, I know you're reading this, and I'll repeat what I've said in emails. CONTACT THE FBI. Someone is trying really hard to set you up. THIS IS NOT A THREAT. Even if you are cicero, the evidence is way too weak to convict (looking at the timeline it looks bad though). The varietyjones.com stuff, is stronger. Most interesting is the FBI's lack of interest. Anyone that thinks identity theft is meh has a screw loose. https://www.fbi.gov/about-us/investigat ... nvestigate

edit: Re-evaluating. But the explanation that it's just an artist trying to publicize his/her work is nonsense. The only place art is for sale is fetaknight s6. This was created pre 2013 (May 27) before any drama unfolded. Starting to think all images are pre-2014 and this guy has had his accounts seized or stolen.

So you mean there is no art for sale on Society6.com?

Plural of Mongoose
Tank Aficionado
some karma
Custom Title: Tank Aficianado
Received Karma : 5 times
Posts: 93
Joined: Thu May 21, 2009 4:24 pm

Joseph Cox from Motherboard Vice scores a hole in one!

Post by Plural of Mongoose »

Joseph Cox over at Motherboard Vice has been as busy as a little beaver lately.

He's managed to uncover some rather unethical and 'technically' illegal activities by the FBI; the FBI of course will skate around the illegal aspects of their warrantless attacks, claiming it wasn't them, it was 'researchers' what done the deeds. Oh sure, they paid them in excess of 1 million dollars to do said 'research'...

Now, if we could just see the investigative work product notes of Christopher 'the dog ate my notes' Tarbell, maybe we could get some more questions answered, eh.

Let's all hear it for Mr. Cox, shall we.

EDIT: <golf clap>
Last edited by Plural of Mongoose on Thu Nov 12, 2015 5:57 am, edited 2 times in total.
The last fucking thing you want is my undivided attention...

Plural of Mongoose
Tank Aficionado
some karma
Custom Title: Tank Aficianado
Received Karma : 5 times
Posts: 93
Joined: Thu May 21, 2009 4:24 pm

Court Docs Show a University Helped FBI Bust Silk Road 2...

Post by Plural of Mongoose »

Original article:
http://motherboard.vice.com/read/court-docs-show-a-university-helped-fbi-bust-silk-road-2-child-porn-suspects
[0]

By:
Joseph Cox
[1]


Originally published November 11, 2015 // 11:54 AM EST
Court Docs Show a University Helped FBI Bust Silk Road 2, Child Porn Suspects

An academic institution has been providing information to the FBI that led to the identification of criminal suspects on the dark web, according to court documents reviewed by Motherboard. Those suspects include a staff member of the now-defunct Silk Road 2.0 drug marketplace, and a man charged with possession of child pornography.

It raises questions about the role that academics are playing in the continued crackdown on dark web crime, as well as the fairness of the trials of each suspect, as crucial discovery evidence has allegedly been withheld from both defendants.


***


In January of this year, Brian Richard Farrell from Seattle was arrested[2] and charged with conspiracy to distribute heroin, methamphetamine and cocaine.

In an interview with the FBI, Farrell quickly admitted to being "DoctorClu," a staff member on the Silk Road 2.0 marketplace, saying[3] “You're not going to find much of a bigger fish than me.”

Silk Road 2.0 was launched shortly after[4] the original was shut down[5] in October 2013. It also relied on the Tor anonymity network to hide the IP addresses of the servers running the marketplace as well as to mask those accessing it.

In the search warrant executed against Farrell's home in January, Special Agent Michael Larson writes that from January 2014 to July 2014, an FBI “Source of Information (SOI)” provided “reliable IP addresses for TOR and hidden services such as SR2.” This included the main marketplace, the vendor section of the site that was typically only accessed by dealers or staff, the site's forum, and its support interface, where staff dealt with customer issues.

This information led to the location of the Silk Road 2.0 servers, Larson wrote, which led to the identification of "at least another seventeen black markets on TOR." That refers to Operation Onymous, a multi-agency effort that eventually led to the shuttering of several dark web sites, including Silk Road 2.0. It also took down[6] a number of fake and scam sites.

But that wasn't all that the source provided, the warrant continues. “The SOI also identified approximately 78 IP addresses that accessed a vendor .onion address,” it says, referring to users of the site.


"Whatever you're doing, it isn't science."


One of these IP addresses led investigators to a house where Farrell was living. After physical surveillance was carried out, his housemate was questioned, and FBI interviews took place, Farrell was eventually arrested.

However, who or what exactly the FBI Source of Information is has remained a mystery, with journalists and researchers only being able to speculate.[7]

Then in a motion filed in Farrell's case last week, his defense dropped a bombshell.

“On October 12, 2015, the government provided defense counsel a letter indicating that Mr. Farrell's involvement with Silk Road 2.0 was identified based on information obtained by a 'university-based research institute' that operated its own computers on the anonymous network used by Silk Road 2.0,” the motion reads.

In response to this letter, the defense asked for additional discovery evidence and information to determine the relationship between this institute and the government, as well as the means used to identify Farrell “on what was supposed to operate as an anonymous website.”

“To date, the government has declined to produce any additional discovery.”


***


The timeline lines up perfectly with an attack on the Tor network last year.

On July 30 2014, the Tor Project announced in a blog post[8] it had “found a group of relays that we assume were trying to deanonymize users.” Relays are nodes of the Tor network that route traffic, and can be set up by anyone. “They appear to have been targeting people who operate or access Tor hidden services.”

These relays joined the network on January 30, and the Tor Project then removed them on July 4: the same time period for which the FBI's source provided IP addresses of dark web sites, as well as apparent users.

This suggests that the FBI's Source of Information was whoever was behind this attack; an attack that may have swept up perfectly innocent users of Tor and hidden services, as well as those using the network for illegal purposes.

"If you're doing an experiment without the knowledge or consent of the people you're experimenting on, you might be doing something questionable—and if you're doing it without their informed consent because you know they wouldn't give it to you, then you're almost certainly doing something wrong. Whatever you're doing, it isn't science,” Nick Mathewson, co-founder of the Tor Project, told Motherboard in a statement.

The attack, according to Tor Project's writeup, relied on a set of vulnerabilities in the Tor software, and involved setting up a number of relays in order to monitor the activity of a Tor user.

[image]http://www.myplanetganja.com/gallery/al ... 008648.jpg[/image]
A section of a legal document filed in Farrell's case, stating that a "university-based research institute" provided information that led to his arrest. Screencap: Motherboard


“If the first relay in the circuit (called the "entry guard") knows the IP address of the user, and the last relay in the circuit knows the resource or destination she is accessing, then together they can deanonymize her,” Tor Project wrote.

At the time, there was only speculation who might be behind the attack. Because it would have required a substantial number of Tor relays to carry it out, the attack could have been the work of a large intelligence agency. Or, “if the attack was a research project (i.e. not intentionally malicious), it was deployed in an irresponsible way because it puts users at risk indefinitely into the future,” Tor Project wrote.


***


Then in July, a much anticipated talk at the Black Hat hacking conference was abruptly canceled.[9] Alexander Volynkin and Michael McCord, academics from Carnegie Mellon University (CMU), promised to reveal how a $3,000 piece of kit could unmask the IP addresses of Tor hidden services as well as their users.

Its description bore a startling resemblance to the attack the Tor Project had documented earlier that month. Volynkin and McCord's method would deanonymize Tor users through the use of recently disclosed vulnerabilities and a “handful of powerful servers.” On top of this, the pair claimed they had tested attacks in the wild.

Motherboard contacted Michael McCord, but received a response from Richard Lynch, public relations manager for CMU’s Software Engineering Institute.

“Thanks for your inquiry, but it is our practice not to comment on law enforcement investigations or court proceedings,” Lynch wrote.

Experts who have been following Farrell's case feel that CMU is very likely to be the institute behind the attack, and therefore the source of the information that led to Farrell’s arrest.

The institute that worked with the FBI is “almost certainly” CMU, Nicholas Weaver, a senior researcher at the International Computer Science Institute at University of California, Berkeley, told Motherboard in a phone interview.

“Both the time and the capability” of the attack on Tor in 2014 lined up with what CMU was proposing, Weaver said.

Earlier this year, Weaver[10] also noticed the similarities and links between Farrell's search warrant, the sustained attack on Tor, and CMU's proposed Black Hat talk, and estimated that the attack cost somewhere in the region[11] of $50,000. Only now has concrete proof of an academic institution's involvement come to light.

There is no hard evidence at this time that CMU was the source of the FBI's information, although circumstantial evidence points to it. It could have been another "university-based research institute."


***


Farrell's case may not be the only one impacted by this source's involvement.

On November 1, a hearing was held in the case of Gabriel Peterson-Siler, a man charged with possessing child pornography. In that case, Peterson-Siler's defense requested the same discovery material as Farrell's lawyers had asked for, according to documents in Farrell's case.

“Given that these two cases present identical issues, Mr. Farrell respectfully requests that his trial be continued and that he be allowed to follow the briefing schedule set in Peterson-Siler,” Farrell's defense writes.

Peterson-Siler is suspected of posting on three different child pornography sites from March 29, 2012 through to August 20, 2012. In his case documents, these are simply referred to as Website 1, Website 2, and Website 3.

In June 2014, within the same time frame that Farrell's IP address was provided to the FBI, an investigation into Peterson-Siler determined an IP address that belonged to him. After his property was searched in September 2014, he was indicted for possession of child pornography in April of this year, and pleaded not guilty to all charges.

[image]http://www.myplanetganja.com/gallery/al ... 120731.jpg[/image]
A section of the search warrant against Farrell, stating that the Source of Information provided 78 IP addresses to the FBI. Screencap: Motherboard


None of the legal documents of Peterson-Siler's case reviewed by Motherboard make any explicit mention of a research institute, however.

But as well as Peterson-Siler's case, Farrell's warrant indicated that the source had provided the FBI with 78 individual IP addresses, so it is likely that other criminal cases are dealing with the same evidence.

At this stage, it is unclear whether the FBI directed the academic institution to carry out the attack, or whether the institution approached the agency afterwards. Regardless, questions of the legality of this attack, and whether a warrant was necessary or obtained, are raised.

The FBI did not respond to multiple requests for comment.

UPDATE: After the publication of this piece, the Tor Project published a blog post[12] claiming that researchers at Carnegie Mellon University were paid "at least $1 million" to work with the FBI.

"Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk," the Tor Project wrote.

The source of the $1 million figure came from "friends in the security community," Roger Dingledine, director of the Tor Project, told WIRED.


The last fucking thing you want is my undivided attention...
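
The Tor Project line quoted in the article above (the first relay learns the user's IP, the last relay learns the destination, and together they can deanonymize her) is the part of this story a defender can actually put numbers on. The following is an added example written for this thread, not code from the Tor Project, CMU or any of the articles: a small Python model of how likely a client is to land on at least one attacker-run entry guard over an observation window, under two guard-selection policies. Everything in it is assumed: the attacker's 5% share of guard selections, the 155-day window (roughly the January 30 to July 4 span the articles give), uniform rather than bandwidth-weighted guard choice, and the two policies compared ("three guards rotated every 45 days" versus "one guard kept for 270 days"; the long-lived single guard is a mitigation widely discussed at the time, stated here as a modelling assumption, not something this page reports).

```python
"""Constructed example: exposure of Tor-style clients to an adversary that runs
entry guards and also observes the far end of the circuit.  All parameters are
assumed; this is an illustrative model, not the Tor Project's own analysis."""
import math
import random

# Assumed parameters (constructed for this example, not taken from the articles).
ADVERSARY_GUARD_FRACTION = 0.05   # share of guard selections the attacker wins
WINDOW_DAYS = 155                 # observation window, roughly Jan 30 .. Jul 4


def p_malicious_guard(adversary_fraction: float, guards_per_client: int) -> float:
    """Probability that at least one of a client's current guards is
    attacker-controlled, with guards drawn uniformly and independently."""
    return 1.0 - (1.0 - adversary_fraction) ** guards_per_client


def rotations_in_window(rotation_days: int, window_days: int) -> int:
    """Number of independent guard sets a client uses during the window."""
    return max(1, math.ceil(window_days / rotation_days))


def p_exposed_over_window(adversary_fraction: float, guards_per_client: int,
                          rotation_days: int, window_days: int) -> float:
    """Probability the client holds a malicious guard at some point in the
    window.  Each rotation is a fresh independent draw, so the client stays
    unexposed only if every guard set it ever picks is clean."""
    n = rotations_in_window(rotation_days, window_days)
    p_set_clean = (1.0 - adversary_fraction) ** guards_per_client
    return 1.0 - p_set_clean ** n


def simulate_exposure(adversary_fraction: float, guards_per_client: int,
                      rotation_days: int, window_days: int,
                      clients: int = 20000, seed: int = 1) -> float:
    """Monte Carlo check of p_exposed_over_window: draw guard sets for many
    simulated clients and count how many ever hit an attacker-run guard."""
    rng = random.Random(seed)
    draws = rotations_in_window(rotation_days, window_days) * guards_per_client
    exposed = sum(
        any(rng.random() < adversary_fraction for _ in range(draws))
        for _ in range(clients)
    )
    return exposed / clients


def compare_policies(adversary_fraction: float = ADVERSARY_GUARD_FRACTION,
                     window_days: int = WINDOW_DAYS) -> dict:
    """Exposure under two assumed guard policies against the same adversary:
    three guards rotated every 45 days versus one guard kept for 270 days."""
    return {
        "3 guards, 45-day rotation": p_exposed_over_window(adversary_fraction, 3, 45, window_days),
        "1 guard, 270-day lifetime": p_exposed_over_window(adversary_fraction, 1, 270, window_days),
    }


if __name__ == "__main__":
    for policy, p in compare_policies().items():
        print(f"{policy}: {p:.1%} of clients exposed at least once")
    print("monte carlo (3 guards, 45 d):",
          simulate_exposure(ADVERSARY_GUARD_FRACTION, 3, 45, WINDOW_DAYS))
```

With these assumed numbers the single long-lived guard leaves about 5% of clients exposed over the window, while three guards re-rolled every 45 days push that to roughly 46%. The point for scoping an incident like the one in the articles is that an adversary's reach per user is driven at least as much by how often clients re-choose guards as by how many relays it adds, which is why the Tor Project's advisory framed the attack in terms of guard capacity and why guard stability is where the defensive work goes.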

Plural of Mongoose
Tank Aficionado
some karma
Custom Title: Tank Aficianado
Received Karma : 5 times
Posts: 93
Joined: Thu May 21, 2009 4:24 pm

Did the FBI Pay a University to Attack Tor Users?

Post by Plural of Mongoose »

Original article:
https://blog.torproject.org/blog/did-fbi-pay-university-attack-tor-users
[0]

By:
Roger Dingledine
[1]


Originally published November 11, 2015
Did the FBI Pay a University to Attack Tor Users?

The Tor Project has learned more about last year's attack by Carnegie Mellon researchers on the hidden service subsystem. Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes. We publicized the attack last year, along with the steps we took to slow down or stop such an attack in the future:
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/[2]

Here is the link to their (since withdrawn) submission to the Black Hat conference:
https://web.archive.org/web/20140705114447/http://blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget[3]
along with Ed Felten's analysis at the time:
https://freedom-to-tinker.com/blog/felten/why-were-cert-researchers-attacking-tor/[4]

We have been told that the payment to CMU was at least $1 million.

There is no indication yet that they had a warrant or any institutional oversight by Carnegie Mellon's Institutional Review Board. We think it's unlikely they could have gotten a valid warrant for CMU's attack as conducted, since it was not narrowly tailored to target criminals or criminal activity, but instead appears to have indiscriminately targeted many users at once.

Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.

This attack also sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses "research" as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute. Legitimate privacy researchers study many online systems, including social networks — If this kind of FBI attack by university proxy is accepted, no one will have meaningful 4th Amendment protections online and everyone is at risk.

When we learned of this vulnerability last year, we patched it and published the information we had on our blog:
https://blog.torproject.org/blog/tor-security-advisory-relay-early-traffic-confirmation-attack/[5]

We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor — but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people's privacy, and certainly cannot give it the color of "legitimate research".

Whatever academic security research should be in the 21st century, it certainly does not include "experiments" for pay that indiscriminately endanger strangers without their knowledge or consent.


The last fucking thing you want is my undivided attention...

Plural of Mongoose
Tank Aficionado
some karma
Custom Title: Tank Aficianado
Received Karma : 5 times
Posts: 93
Joined: Thu May 21, 2009 4:24 pm

Tor Says Feds Paid Carnegie Mellon $1M to Help Unmask Users

Post by Plural of Mongoose »

Original article:
http://www.wired.com/2015/11/tor-says-feds-paid-carnegie-mellon-1m-to-help-unmask-users/
[0]

By:
Andy Greenberg
[1]


Originally published 11.11.15 5:01 pm
Tor Says Feds Paid Carnegie Mellon $1M to Help Unmask Users

Ever since a Carnegie Mellon talk on cracking the anonymity software Tor was abruptly pulled from the schedule of the Black Hat hacker conference last year,[2] the security community has been left to wonder whether the research was silently handed over to law enforcement agencies seeking to uncloak the internet’s anonymous users. Now the non-profit Tor Project itself says that it believes the FBI did use Carnegie Mellon’s attack technique—and paid them handsomely for the privilege.

The Tor Project on Wednesday afternoon sent WIRED a statement from its director Roger Dingledine directly accusing Carnegie Mellon of providing its Tor-breaking research in secret to the FBI in exchange for a payment of “at least $1 million.” You can now read the full statement on the Tor Project’s blog.[*][3] And while Carnegie Mellon’s attack had been rumored to have been used in takedowns of dark web drug markets that used Tor’s “hidden service” features to obscure their servers and administrators, Dingledine writes that the researchers’ dragnet was larger, affecting innocent users, too.

“Apparently these researchers were paid by the FBI to attack hidden services users in a broad sweep, and then sift through their data to find people whom they could accuse of crimes,” Dingledine writes. “Such action is a violation of our trust and basic guidelines for ethical research. We strongly support independent research on our software and network, but this attack crosses the crucial line between research and endangering innocent users.”

Tor’s statement all but confirms that Carnegie Mellon’s attack was used in the late 2014 law enforcement operation known as Operation Onymous,[4] carried out by the FBI and Europol. That dark web purge took down dozens of Tor hidden services, including several of the most popular Tor-based black markets for drugs including the Silk Road 2, and led to at least 17 arrests. Tor, for its part, has made efforts to subsequently block the attack, which it says it first detected in July of 2014.[5]

When WIRED contacted Carnegie Mellon, it didn’t deny the Tor Project’s accusations, but pointed to a lack of evidence. “I’d like to see the substantiation for their claim,” said Ed Desautels, a staffer in the public relations department of the university’s Software Engineering Institute. “I’m not aware of any payment,” he added, declining to comment further.

Tor’s Dingledine responded to that call for evidence by telling WIRED that it identified Carnegie Mellon as the origin of the attack by pinpointing servers running on Tor’s network that were used in the de-anonymization technique. When it asked Carnegie Mellon if the servers were being run by its researchers—a suspicion based on the canceled Black Hat conference presentation—the anomalous servers disappeared from the network and the university offered no response. The $1 million payment, Dingledine says, was revealed to Tor by “friends in the security community.”

WIRED has also reached out to the FBI for comment, and we’ll update this story if the agency responds.

Tor’s accusations against Carnegie Mellon were triggered Wednesday morning by a report from Vice’s Motherboard news site,[6] which found a reference in legal documents obtained by the defense attorneys of alleged Silk Road 2 drug dealer Brian Richard Farrell. According to the documents, prosecutors revealed to Farrell’s lawyers that the technique used to identify him was “based on information obtained by a ‘university-based research institute’ that operated its own computers on the anonymous network used by Silk Road 2.0.”

In his statement, Tor’s Dingledine excoriates Carnegie Mellon for violating its academic ethics to help invade the privacy of Tor’s users.

“This attack…sets a troubling precedent: Civil liberties are under attack if law enforcement believes it can circumvent the rules of evidence by outsourcing police work to universities. If academia uses ‘research’ as a stalking horse for privacy invasion, the entire enterprise of security research will fall into disrepute,” Dingledine writes. “We teach law enforcement agents that they can use Tor to do their investigations ethically, and we support such use of Tor–but the mere veneer of a law enforcement investigation cannot justify wholesale invasion of people’s privacy, and certainly cannot give it the color of ‘legitimate research.'”

“Whatever academic security research should be in the 21st century,” he concludes, “it certainly does not include ‘experiments’ for pay that indiscriminately endanger strangers without their knowledge or consent.”

[*] UPDATE 4:45 PM ET 11/11/15: This story has been updated to link to the Tor Project’s full statement.


The last fucking thing you want is my undivided attention...

Plural of Mongoose
Tank Aficionado
some karma
Custom Title: Tank Aficianado
Received Karma : 5 times
Posts: 93
Joined: Thu May 21, 2009 4:24 pm

Why were CERT researchers attacking Tor?

Post by Plural of Mongoose »

Original article:
https://freedom-to-tinker.com/blog/felten/why-were-cert-researchers-attacking-tor/
[0]

By:
Ed Felten
[1]


Originally published July 31, 2014
Why were CERT researchers attacking Tor?

Yesterday the Tor Project issued an advisory[2] describing a large-scale identification attack on Tor hidden services. The attack started on January 30 and ended when Tor ejected the attackers on July 4. It appears that this attack was the subject of a Black Hat talk that was canceled[3] abruptly.

These attacks raise serious questions about research ethics and institutional responsibilities.

Let’s review the timeline as we know it (all dates in 2014):
  • 30 January: 115 new machines join the Tor network as relays, carrying out an ongoing, novel identification attack against Tor hidden services.
  • 18 February – 4 April: Researchers at CERT (part of the Software Engineering Institute at Carnegie Mellon University) submit a presentation proposal to Black Hat, proposing to discuss a new identification attack on Tor.
  • sometime March – May: Tor Project learns of the research and seeks information from the researchers, who decline to give details.
  • early June: Black Hat accepts the presentation and posts an abstract[4] of the research, referencing the vulnerability and saying the researchers had carried out the attack in the wild.
  • late June: The researchers give the Tor Project a few hints about the attack but do not reveal details.
  • 4 July: Tor Project discovers the ongoing attack, ejects the attacking relays from the Tor network, and starts developing a software fix to prevent the attack. The discovery was aided by some hints that the Tor team was able to extract from the researchers.
  • 21 July: Black Hat announces cancellation of the scheduled presentation, saying that “the materials that he would be speaking about have not yet approved by CMU/SEI for public release.”
  • 30 July: Tor Project releases a software update to fix the vulnerability, along with a detailed technical discussion of the attack. Tor Project is still unsure as to whether the attacks they saw were carried out by the CERT researchers, though this seems likely given the similarities between the attacks and the researchers’ presentation abstract.

This story raises some serious questions of research ethics. I’m hard pressed to think of previous examples where legitimate researchers carried out a large scale attack lasting for months that aimed to undermine the security of real users. That in itself is ethically problematic at least. The waters get even darker when we consider the data that the researchers might have gathered—data that would undermine the security of Tor users. Did the researchers gather and keep this data? With whom have they shared it? If they still have it, what are they doing to protect it? CERT, SEI, and CMU are not talking.

The role of CERT in this story deserves special attention. CERT was set up in the aftermath of the Morris Worm[5] as a clearinghouse for vulnerability information. The purpose of CERT was to (1) prevent attacks by (2) channeling vulnerability information to vendors and eventually (3) informing the public. Yet here, CERT staff (1) carried out a large-scale, long-lasting attack while (2) withholding vulnerability information from the vendor, and now, even after the vulnerability has been fixed, (3) withholding the same information from the public.

So CERT has some explaining to do. While they’re at it, they ought to explain what their researchers did, what data was collected and when, and who has the data now. It’s too late to cover up what happened; now it’s time for CERT to give us some answers.

[Post updated, 31 July 2014 at 6:45pm EDT, to correct two details in the timeline (number of servers and date of first hints from the researchers). Thanks to the Tor Project for pointing these out.]


The last fucking thing you want is my undivided attention...

Plural of Mongoose
Tank Aficionado
some karma
Custom Title: Tank Aficianado
Received Karma : 5 times
Posts: 93
Joined: Thu May 21, 2009 4:24 pm

You Don't Have to be the NSA to Break Tor...

Post by Plural of Mongoose »

Original article:
https://web.archive.org/web/20140705114447/http://blackhat.com/us-14/briefings.html#you-dont-have-to-be-the-nsa-to-break-tor-deanonymizing-users-on-a-budget
[0]

By:
Alexander Volynkin - Carnegie Mellon University / CERT
[1]
Michael McCord - Carnegie Mellon University / SEI/CERT
[2]


Black Hat USA 2014 Briefings - August 6 & 7
You Don't Have to be the NSA to Break Tor: Deanonymizing Users on a Budget

The Tor network has been providing a reasonable degree of anonymity to individuals and organizations worldwide. It has also been used for distribution of child pornography, illegal drugs, and malware. Anyone with minimal skills and resources can participate on the Tor network. Anyone can become a part of the network. As a participant of the Tor network, you can choose to use it to communicate anonymously or contribute your resources for others to use. There is very little to limit your actions on the Tor network. There is nothing that prevents you from using your resources to de-anonymize the network's users instead by exploiting fundamental flaws in Tor design and implementation. And you don't need the NSA budget to do so. Looking for the IP address of a Tor user? Not a problem. Trying to uncover the location of a Hidden Service? Done. We know because we tested it, in the wild...

In this talk, we demonstrate how the distributed nature, combined with newly discovered shortcomings in design and implementation of the Tor network, can be abused to break Tor anonymity. In our analysis, we've discovered that a persistent adversary with a handful of powerful servers and a couple gigabit links can de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months. The total investment cost? Just under $3,000. During this talk, we will quickly cover the nature, feasibility, and limitations of possible attacks, and then dive into dozens of successful real-world de-anonymization case studies, ranging from attribution of botnet command and control servers, to drug-trading sites, to users of kiddie porn places. The presentation will conclude with lessons learned and our thoughts on the future of security of distributed anonymity networks.


The last fucking thing you want is my undivided attention...

Plural of Mongoose
Tank Aficionado
some karma
Custom Title: Tank Aficianado
Received Karma : 5 times
Posts: 93
Joined: Thu May 21, 2009 4:24 pm

Black Hat anti-Tor talk smashed by lawyers' wrecking ball

Post by Plural of Mongoose »

Original article:
http://www.theregister.co.uk/2014/07/22/legal_wrecking_balls_break_budget_tor_popping_talk/
[0]

By:
Darren Pauli
[1]


Originally published 22 Jul 2014 at 01:32
Black Hat anti-Tor talk smashed by lawyers' wrecking ball

Unmasking hidden users is too hot for Carnegie-Mellon

Boring Carnegie-Mellon University lawyers have scuppered one of the most hotly anticipated talks at the Black Hat conference – which would have explained how $3,000 of kit could unmask Tor hidden services and user IP addresses.

The university did not say why[3] it torpedoed the accepted talk, triggering speculation[4] that it feared breaking federal wiretapping laws - or that it had simply not gained pre-approval and the scuppering was a part of internal bureaucracy.

Tor Project leader Roger Dingledine said[5] it was provided with informal access to some research materials but "never received slides or any description of what would be presented in the talk itself beyond what was available on the Black Hat webpage".

"We did not ask Black Hat or CERT (the university's computer emergency response team) to cancel the talk. We did -- and still do -- have questions for the presenter and for CERT about some aspects of the research, but we had no idea the talk would be pulled before the announcement was made."

That announcement was planned to be made later this week and would have included details on the attack.

Dingledine said previous researchers had tipped off Tor about bugs and found the Project to be "pretty helpful" and "generally positive" to work with.

University researchers Alexander Volynkin and Michael McCord planned to demonstrate how hundreds of thousands of Tor clients, along with thousands of hidden services, could be de-anonymised within a couple of months.

It would do this using unspecified recently disclosed vulnerabilities within the design and implementation of Tor user anonymity and about $3000 worth of tools including a "handful of powerful servers and a couple gigabit links".

Volynkin and McCord said they had successfully tested the attacks in the wild.

Further details had not been discussed but, in a now deleted synopsis,[6] they wrote how they planned to cover the feasibility and limitations of attacks before detailing how botnet command and control servers, child pornography forums and hidden drug marketplaces like the Silk Road have been revealed.

"There is nothing that prevents you from using your resources to de-anonymise the network's users by exploiting fundamental flaws in Tor design and implementation," the researchers said. "And you don't need the NSA budgets to do so."

"Looking for the IP address of a Tor user? Not a problem. Trying to uncover the location of a Hidden Service? Done."

One or two controversial talks are pulled from the Black Hat and DEF CON events each year, typically to allow affected vendors and developers time to fix vulnerabilities and repair design flaws.

Last year, three researchers at the University of Luxembourg revealed, in a paper titled Trawling for Tor Hidden Services: Detection, Measurement, Deanonymisation [PDF],[7] how flaws in the design and implementation of Tor’s hidden services allowed them to be de-anonymised and taken down.


Last edited by Plural of Mongoose on Thu Nov 12, 2015 12:51 pm, edited 1 time in total.
The last fucking thing you want is my undivided attention...


Active attack on Tor network tried to decloak users...

Post by Plural of Mongoose »

Original article:
http://arstechnica.com/security/2014/07/active-attack-on-tor-network-tried-to-decloak-users-for-five-months/
[0]

By:
Dan Goodin
[1]


Originally published Jul 30, 2014 5:36 pm UTC
Active attack on Tor network tried to decloak users for five months

Attack targeted "Tor hidden services" used to protect IDs of website operators.

Officials with the Tor privacy service have uncovered an attack that may have revealed identifying information or other clues of people operating or accessing anonymous websites and other services over a five-month span beginning in February.

The campaign exploited a previously unknown vulnerability in the Tor protocol to carry out two classes of attack that together may have been enough to uncloak people using Tor Hidden Services,[2] an advisory published Wednesday[3] warned. Tor officials said the characteristics of the attack resembled those discussed by a team of Carnegie Mellon University researchers who recently canceled a presentation at next week's Black Hat security conference[4] on a low-cost way to deanonymize Tor users. But the officials also speculated that an intelligence agency from a global adversary might have been able to capitalize on the exploit.

Either way, users who operated or accessed hidden services from early February through July 4 should assume they are affected. Tor hidden services are popular among political dissidents who want to host websites or other online services anonymously so their real IP address can't be discovered by repressive governments. Hidden services are also favored by many illegal services, including the Silk Road online drug emporium that was shut down earlier this year.[5] Tor officials have released a software update[6] designed to prevent the technique from working in the future. Hidden service operators should also consider changing the location of their services. Tor officials went on to say:
Unfortunately, it's still unclear what "affected" includes. We know the attack looked for users who fetched hidden service descriptors, but the attackers likely were not able to see any application-level traffic (e.g. what pages were loaded or even whether users visited the hidden service they looked up). The attack probably also tried to learn who published hidden service descriptors, which would allow the attackers to learn the location of that hidden service. In theory the attack could also be used to link users to their destinations on normal Tor circuits too, but we found no evidence that the attackers operated any exit relays, making this attack less likely. And finally, we don't know how much data the attackers kept, and due to the way the attack was deployed (more details below), their protocol header modifications might have aided other attackers in deanonymizing users too.
The first attack, known as a traffic confirmation attack,[7] works when the adversary controls or observes relays on both ends of a Tor circuit and compares traffic timing, volume, or other characteristics to discover pairs of relays on the same circuit. When the first relay in a circuit knows the IP address of the user and the last relay knows the destination of the Tor hidden service, the attacker can deanonymize the user.


Worries about a “large intelligence agency”


The attackers injected a signal into Tor protocol headers that could be read by relays on the other end of a circuit. When Tor users connected to an attacker-controlled hidden service relay, the relay sent the hidden service name in an encoded format through the circuit. When other attacking relays were randomly chosen as the first hop of a circuit, they would learn which clients requested information about a hidden service. The injection leaked potentially privacy-breaking information that could be detected not only by the attackers but also by anyone else who may have been running a relay and looking for the encoded traffic. The advisory stated:
And we might also worry about a global adversary (e.g. a large intelligence agency) that records Internet traffic at the entry guards and then tries to break Tor's link encryption. The way this attack was performed weakens Tor's anonymity against these other potential attackers too—either while it was happening or after the fact if they have traffic logs. So if the attack was a research project (i.e. not intentionally malicious), it was deployed in an irresponsible way because it puts users at risk indefinitely into the future.
The traffic confirmation attack was combined with a Sybil attack,[8] in which adversaries create large numbers of pseudonymous identities on a targeted network to gain a disproportionately large influence. The attack observed earlier this year wielded about 115 fast non-exit relays (all running on the IP blocks 50.7.0.0/16 or 204.45.0.0/16). Collectively, they acted as "entry guards" for a "significant chunk of users over their five months of operation," the advisory explained.

One of the questions that remains unanswered, according to Wednesday's advisory, is "Was this the Black Hat 2014 talk that got canceled recently?" The advisory went on to say: "We spent several months trying to extract information from the researchers who were going to give the Black Hat talk, and eventually we did get some hints from them about how 'relay early' cells could be used for traffic confirmation attacks, which is how we started looking for the attacks in the wild. They haven't answered our e-mails lately, so we don't know for sure, but it seems like that answer ... is 'yes.' In fact, we hope they were the ones doing the attacks, since otherwise it means somebody else was."

Tor officials said they still don't know if they have uncovered all the malicious relays, if the malicious relays targeted points outside of the Tor hidden services, and if the data collected has been destroyed.



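As an added example (not code from the article, the advisory or the Tor Project), here is a small Python model of the two defensive responses the attack above calls for: the client-side rule in the fix Tor shipped, which closes any circuit on which a "relay early" cell arrives inbound, and a directory-side heuristic that flags clusters of Guard relays sharing a /16, like the 115 relays on 50.7.0.0/16 and 204.45.0.0/16. The function names, the thresholds and the sample relay list are assumptions constructed for this example.

```python
import ipaddress
from collections import defaultdict

RELAY, RELAY_EARLY = "RELAY", "RELAY_EARLY"
MAX_OUTBOUND_RELAY_EARLY = 8  # Tor's per-circuit cap on RELAY_EARLY cells a client sends


def circuit_ok(cells):
    """Client-side rule from the fix Tor shipped: cells is a list of (direction, command)
    pairs seen on one circuit. Clients only ever send RELAY_EARLY (to bound circuit length),
    so one arriving inbound means a relay rewrote the header; close the circuit."""
    sent_early = 0
    for direction, cmd in cells:
        if cmd != RELAY_EARLY:
            continue
        if direction == "in":
            return False, "inbound RELAY_EARLY: header tampering, close circuit"
        sent_early += 1
        if sent_early > MAX_OUTBOUND_RELAY_EARLY:
            return False, "outbound RELAY_EARLY cap exceeded"
    return True, "ok"


def find_sybil_clusters(relays, prefix_len=16, min_relays=5):
    """Directory-side heuristic (constructed thresholds, not Tor's real policy): group
    Guard-flagged relays by network prefix and report prefixes holding many of them."""
    by_prefix = defaultdict(list)
    for r in relays:
        if "Guard" not in r["flags"]:
            continue
        net = ipaddress.ip_network(f"{r['ip']}/{prefix_len}", strict=False)
        by_prefix[str(net)].append(r["nickname"])
    return {net: sorted(n) for net, n in by_prefix.items() if len(n) >= min_relays}


# Constructed sample consensus: a cluster in each of the two /16s the advisory named,
# plus unrelated relays and one non-guard relay inside a flagged block.
SAMPLE_RELAYS = (
    [{"nickname": f"a{i}", "ip": f"50.7.{i}.10", "flags": {"Fast", "Guard"}} for i in range(6)]
    + [{"nickname": f"b{i}", "ip": f"204.45.{i}.20", "flags": {"Fast", "Guard"}} for i in range(5)]
    + [{"nickname": "honest1", "ip": "198.51.100.7", "flags": {"Fast", "Guard"}},
       {"nickname": "honest2", "ip": "203.0.113.9", "flags": {"Fast", "Guard", "Exit"}},
       {"nickname": "noguard", "ip": "50.7.99.1", "flags": {"Fast"}}]
)

if __name__ == "__main__":
    print(circuit_ok([("out", RELAY_EARLY), ("out", RELAY), ("in", RELAY)]))
    print(circuit_ok([("out", RELAY), ("in", RELAY_EARLY)]))
    print(find_sybil_clusters(SAMPLE_RELAYS))
```

The prefix grouping only catches operators who cluster their relays in a few netblocks, as happened here; relays spread across many providers need bandwidth-share and join-time correlation as well.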

How Did The FBI Break Tor?

Post by Plural of Mongoose »

Original article:
http://www.forbes.com/sites/kashmirhill/2014/11/07/how-did-law-enforcement-break-tor/
[0]

By:
Kashmir Hill
[1]


Originally published Nov 7, 2014 @ 03:02 PM
How Did The FBI Break Tor?

Global law enforcement conducted a massive raid of the Dark Web this week. It started with the FBI takedown of Silk Road 2.0 and the arrest of its alleged operator Blake Benthall[2] in San Francisco on Wednesday. But it quickly exploded from there,[3] as European counterparts[4] seized over 400 black market ‘hidden sites’[5] and arrested 19 other people alleged to be involved in their operation. Wired called it “a scorched-earth purge of the Internet underground.”[6] But how exactly did law enforcement take their digital blow torches to the Dark Web sites that were using Tor anonymity software to protect themselves? Law enforcement has been mysterious on that count, saying it won’t reveal its methods because they are “sensitive.”[7]

[image]http://www.myplanetganja.com/gallery/al ... bes_01.png[/image]

The FBI is calling it Operation Onymous. (As in, no longer “Anonymous.”) In the Benthall indictment, the FBI revealed that part of its investigation was good-old fashioned undercover police work. One of the helpful volunteers Benthall allegedly tapped to help moderate the underground drug marketplace was an undercover Homeland Security agent (who was paid over $30,000 in Bitcoin for his or her efforts). But the indictment is vague about how exactly the FBI got its hands on the supposedly hidden server Silk Road 2.0 was using. In fact the indictment made it sound easy, saying the FBI “identified the server located in a foreign country,” and that law enforcement went in and imaged it sometime around May 30, 2014.

Around that same time, two researchers from Carnegie Mellon, Alexander Volynkin and Michael McCord, were preparing for a presentation at hacker conference Black Hat about work they’d done to easily “break Tor.”[8] They were vague about the details but promised that their work wasn’t just theoretical: “Looking for an IP address for a Tor user? Not a problem. Trying to uncover the location of a Hidden Service? Done. We know because we tested it, in the wild.” In a summary of the talk on the conference website, the researchers claimed that it was possible to “de-anonymize hundreds of thousands of Tor clients and thousands of hidden services within a couple of months,” and that they would discuss examples of their own work identifying ”suspected child pornographers and drug dealers.”

In July, the talk was suddenly canceled.[9] Tor revealed that a bunch of nodes in its network had been compromised[10] for at least 6 months, and asked users[***] to upgrade their Tor software to patch the vulnerability the attackers used:
On July 4 2014 we found a group of relays that we assume were trying to deanonymize users. They appear to have been targeting people who operate or access Tor hidden services. The attack involved modifying Tor protocol headers to do traffic confirmation attacks.
If you control enough of the Tor network, it’s possible to get a kind of bird’s eye view of the traffic being routed through it. It was clear that Tor thought the Carnegie Mellon researchers were responsible. The researchers refused to talk to the press, but a conference spokesperson told Reuters[12] the talk was canceled because the researchers hadn’t cleared the release of their work through their department, the Software Engineering Institute,[13] which receives funding from the Defense Department. At the time, many assumed that the university pulled the plug on the talk because of academic ethics considerations and the gray legal zone it was in, with the researchers casually intercepting Web traffic. But maybe it got pulled because the researchers were revealing a law enforcement technique that the government did not want publicized. If nothing else, it’s highly likely the information the researchers collected about “drug dealers and child pornographers” made its way into law enforcement hands. McCord said he was “unable to comment on the matter.” Carnegie Mellon’s SEI declined comment about the canceled talk and about whether it had provided information from the research to law enforcement.

Is the Carnegie Mellon research linked to this week’s law enforcement raid on the Dark Web? “The feds could certainly ask for the research or try to get it,” says Hanni Fakhoury, an attorney at the Electronic Frontier Foundation. “Whether that actually happened, we have no way of knowing.”

What does seem clear to security researchers, based on law enforcement seizing over 400 Dark Web sites (meaning they found out where they were hosted), is that law enforcement likely found a crack in Tor’s shield of anonymity. “The global law enforcement community has innovated and collaborated to disrupt these ‘dark market’ websites, no matter how sophisticated or far-flung they have become,” said Assistant Attorney General Leslie R. Caldwell of the Justice Department’s Criminal Division in a press release from the FBI.[14]

“I am 95% certain that law enforcement did a mass de-anonymization attack on Tor hidden services,” says Nicholas Weaver, a researcher at the International Computer Science Institute. He called any link to the earlier research “circumstantial.” But he points out that the work the researchers did was expensive. A “back of the envelope estimate suggests that whoever was running the attack on Tor at the beginning of the year using [Amazon hosting services] spent at least $50,000 in computer time,” says Weaver. That’s not the kind of money an academic can spend on a hobby project.

Tor had little to say about the takedown. “From what we know now, some hidden services and illegal markets were recently seized by International law enforcement,” said Tor executive director Andrew Lewman by email. “Tor was created to protect people’s privacy and anonymity and we don’t condone its use for these illegal activities.”

Despite the crackdown, Dark Web denizens seem undeterred. There’s already a Silk Road 3.0.[15]

Another theory circulating on the Twitters is that Bitcoin over Tor can lead to deanonymization, with many linking to this research paper[16] published in October.




Locked