Joined 6 years, 3 months, 4 weeks, 1 day, and 8 hours ago.

Rant and Rave about The Canna Trade.
Plural of Mongoose
Tank Aficionado
some karma
Custom Title: Tank Aficianado
Received Karma : 5 times
Posts: 93
Joined: Thu May 21, 2009 4:24 pm

Did feds mount a sustained attack on Tor...

Post by Plural of Mongoose »

Original article: http://arstechnica.com/tech-policy/2015/01/did-feds-mount-a-sustained-attack-on-tor-to-decloak-crime-suspects/

By: http://arstechnica.com/author/dan-goodin/


Originally published Jan 21, 2015 9:15 pm UTC
Did feds mount a sustained attack on Tor to decloak crime suspects?

Court doc suggests investigators spent six months last year exploiting anonymity bug.

Last week's arrest of a man alleged to help run the Silk Road 2.0 online drug bazaar[2] has touched off speculation he was identified using a controversial attack that for six months last year systematically worked to deanonymize users of the Tor privacy service.

In a search warrant affidavit filed earlier this month,[3] a special agent with the Department of Homeland Security said the Silk Road follow-on site was accessible only as a hidden service on Tor, a measure that typically would have made it impossible to identify the IP addresses hosting the underlying servers, as well as IPs used by end users who accessed them. Despite the use of Tor, FBI investigators were able to identify IP addresses that allegedly hosted and accessed the servers, including the Comcast-provided IP address of one Brian Farrell, who prosecutors said helped manage SR2. In the affidavit, DHS special agent Michael Larson wrote:
From January 2014 to July 2014, a FBI NY Source of Information (SOI) provided reliable IP addresses for TOR and hidden services such as SR2, which included its main marketplace URL (silkroad6ownowfk.onion), its vendor URL (vx3w763ohd256iyh.onion), its forum URL (silkroad5v7dywlc.onion) and its support interface (uz434sei7arqunp6.onion). The SOI's information ultimately led to the identification of SR2 servers, which led to the identification of at least another seventeen black markets on TOR.

The SOI also identified approximately 78 IP addresses that accessed a vendor .onion address. A user cannot accidentally end up on the vendor site. The site is for vendors only, and access is only given to the site by the SR2 administrators/moderators after confirmation of a significant amount of successful transactions. If a user visits the vendor URL, he or she is asked for a user name and password. Without a user name and password, the vendor website cannot be viewed.
The timeframe of the information leak bears a striking resemblance to a deanonymization attack uncovered in July by Tor officials.[4] For six months, the people behind the campaign exploited a previously unknown vulnerability in the Tor protocol to carry out two classes of attack that together may have been enough to uncloak people using Tor Hidden Services. The decloaking effort began in late January 2014 and ran until early July when Tor officials shut it down. The Tor officials said the characteristics of the attack resembled those discussed by a team of Carnegie Mellon University researchers who a few weeks earlier canceled a security conference presentation on a low-cost way to deanonymize Tor users.[5] The Tor officials went on to warn that an intelligence agency from a global adversary also might have been able to capitalize on the vulnerability.

Nicholas Weaver,[6] a security researcher at the University of California at Berkeley and the International Computer Science Institute, said that besides the six-month window of the two attacks, they are also connected by the way they work.

"If the victim connected to one of the attacker's relays and queried a hidden service onion name that was being served by the attackers' hidden service directory, the attacker could say: 'This IP attempted to access this hidden service,'" Weaver told Ars. "The capabilities used to provide the information to the FBI match the capabilities that the attack [uncovered by Tor officials] provided."

Officials with the Black Hat security conference, where the Tor deanonymization attack was scheduled to be presented last August, said the talk was pulled because the results had "not yet been approved"[7] by officials from Carnegie Mellon University and the school's Software Engineering Institute, which conducted the research. The research has never been published or publicly commented on since.

Over the past 18 months, federal investigators have been shown to use several attacks to identify suspected criminals using Tor to conceal their IP addresses. Decloaking techniques have included exploiting vulnerabilities in Firefox[8] and Adobe Flash.[9] The details provided in the recently unsealed search warrant strongly suggest federal investigators have tried at least one other technique that went well beyond those previous efforts. The affidavit makes clear SR2 was only one hidden service investigators were able to decloak. It wouldn't be surprising to see other .onion addresses in the federal cross hairs soon.


The last fucking thing you want is my undivided attention...

CryptoSensu
some karma
Custom Title: nOT-a-BoT
Posts: 6
Joined: Wed Sep 23, 2015 9:10 am

Post by CryptoSensu »

Thanks PoM, although I guess a lot of people here are quite capable of finding all these sources by themselves :toker1:

Sooooo, how come you are still free? Why doesn't the gov give a shit about you - I mean, regardless of the "rogue agent" thing, you have basically acknowledged being VJ so plenty of material for them to go after you. Not that I wish you such a fate, but I'm wondering why this hasn't happened.

Also smokes knows a lot about this story and isn't saying much, would be nice to hear from him instead of getting a status update on the lid once in a while.

Regarding the whole vj.com I have to say I'm baffled; it doesn't sound to be linked to our present case, does it? It went on for pages and pages and yet I don't see where PoM would have anything to do with that :popcorn:

Lynn Ulbricht meanwhile had a heart attack a few weeks ago, apparently induced by the stress of her son's case. I don't think allegations about a rogue agent going after her family helped either, but for now they are just this - allegations -. So name dropping the guy who's the rogue agent would be cool I guess. Same regarding the guys blocking your trip to NYC.

Or are you writing a gig-enormous post about all this (including your day in court in the UK!) ? :woohoo:

Plural of Mongoose
Tank Aficionado
some karma
Custom Title: Tank Aficianado
Received Karma : 5 times
Posts: 93
Joined: Thu May 21, 2009 4:24 pm

Post by Plural of Mongoose »

CryptoSensu wrote:
Thanks PoM, although I guess a lot of people here are quite capable of finding all these sources by themselves :toker1:

Heh, I wasn't posting that stuff up there for you guys, eh.

CryptoSensu wrote:
Sooooo, how come you are still free? Why doesn't the gov give a shit about you - I mean, regardless of the "rogue agent" thing, you have basically acknowledged being VJ so plenty of material for them to go after you. Not that I wish you such a fate, but I'm wondering why this hasn't happened.

While the FBI tried to turn my story into a "complaint by Variety Jones" in their statement to Motherboard, I don't recall acknowledging anything of the sort.

As to why doesn't the government give a shit about me?

That is indeed the US$100,000,000.00 question, at today's BTC rates, eh. (A few days ago it would have been a US$150,000,000.00 question! What a roller-coaster ride.)

CryptoSensu wrote:
Also smokes knows a lot about this story and isn't saying much, would be nice to hear from him instead of getting a status update on the lid once in a while.

I think smokes is holding out for a movie deal where he gets to play himself opposite Scarlett Johansson.

CryptoSensu wrote:
Regarding the whole vj.com I have to say I'm baffled; it doesn't sound to be linked to our present case, does it? It went on for pages and pages and yet I don't see where PoM would have anything to do with that :popcorn:

I'm not sure if that whole subject is a complete waste of time, or a hidden goldmine waiting for nbrk to hit the mother lode. Only time will tell, I guess.

CryptoSensu wrote:
Lynn Ulbricht meanwhile had a heart attack a few weeks ago, apparently induced by the stress of her son's case. I don't think allegations about a rogue agent going after her family helped either, but for now they are just this - allegations -. So name dropping the guy who's the rogue agent would be cool I guess. Same regarding the guys blocking your trip to NYC.

Of course I heard about her illness, and wish her a speedy recovery. I can't imagine how hard these last two years have been on her.

CryptoSensu wrote:
Or are you writing a gig-enormous post about all this (including your day in court in the UK!) ? :woohoo:

There are still quite a few threads to tug on as far as Diamond in specific, and the Feds in general, before this whole story is going to roll to a close. I wouldn't hold your breath waiting for closure on it all. :innocent:


But someday I will get back to Ms. Shirley Potts Smythe-Beddows, and my adventures in the High Court of Justice. :smoke:
The last fucking thing you want is my undivided attention...

Jesús Malverde
Site Moderator
Karma Bhudda
Custom Title: Munchy Sock since OG lol
Has bestowed Karma : 71 times
Received Karma : 131 times
Posts: 2469
Joined: Fri May 27, 2011 6:59 pm

Post by Jesús Malverde »

I can think of ~1.73 billion reasons any digging into CMU's SEI will quickly hit bedrock.

The explicitly linked vj, korchata, blockoperator, some Japanese name I can't remember, kimcheesy et al hairball can pretty casually be at least somewhat disentangled using the tool smokes linked to above. There are a bunch of bitcoin themed domains and some other stuff too somewhere in one of the knots if you spend another half hour or so and breadcrumbs and geese too. How much time do you want to invest in a hairball? I hit the wall pretty fast, it just isn't that interesting.
One for the rook

One for the crow

One to rot

and one to grow

nbrk
some karma
Custom Title: nOT-a-BoT
Posts: 83
Joined: Sat Sep 19, 2015 2:45 am

Post by nbrk »

There was a reason I reported the stolen identity guy to the feds, and it was more erring to the side of a certain kind of irony than hypocrisy (regarding my apparent contempt for certain parts of that outfit). What do you know, they've not done squat, and the guy I'm talking to has more or less admitted to everything short of being the artist (yes, he's just now effectively admitted to being behind varietyjones.com). :tup:

At the moment the varietyjones.com story is separate to the SR story. The only things that link it are its appearance directly after and before the articles about PoM and Variety Jones on dailydot and motherboard (between these two articles' pub dates), and its subject matter (variety jones).

This publicity/attention seeking aspect is a fact. It is also a fact that the nature of that publicity has been negative. This negative aspect is indicated by the fact that Atlantis, and other criminal groups, were cited as places of employment for 'Variety Jones' on the original homepage. It is also a fact that the Atlantis wolf found on vj.com pre-dates the vj publicity period and is linked to the aliases of persons who registered domains linked to vj.com. Said aliases pre-date 2013. The *meaning/implication* behind these links is still uncertain/hypothetical.

These are the only facts I've found but they are hopeful. I've no satisfactory theory other than someone wanted negative publicity for variety jones. Every theory I, or others, have publicly suggested has been debunked -- except of course for the general unified crank theory, which is looking pretty good at the moment.
.....

Regarding the tor stuff, I wonder who that mystery CI of Jared's was -- the one I coincidentally happened to mention before these new revelations surfaced? I was under the impression they'd caught traffic from some of the back end servers talking to flagged gox accounts (evidence on their knowledge of these accounts was also whipped quickly before the defence before being crammed back into an already stuffed pocket. Claims were made of no knowledge of such accounts that were then recanted). Do we have a clearer idea now? Might be worth looking into when that certain academic relationship began.
Last edited by nbrk on Fri Nov 13, 2015 8:27 am, edited 6 times in total.

Shazaam
some karma
Custom Title: Hand in the Shadow
Posts: 18
Joined: Mon Feb 23, 2015 11:12 am

Post by Shazaam »

Plural of Mongoose wrote:

But someday I will get back to Ms. Shirley Potts Smythe-Beddows, and my adventures in the High Court of Justice. :smoke:

yeah sure

someday

will i live long enough to see it?

twilson
Karma God
Custom Title: nOT-a-Bob
Location: burbs of NYC
Received Karma : 1 time
Posts: 3305
Joined: Fri May 22, 2009 8:26 am

Post by twilson »

Clip - Ever since a Carnegie Mellon talk on cracking the anonymity software Tor was abruptly pulled from the schedule of the Black Hat hacker conference last year,[2] the security community has been left to wonder whether the research was silently handed over to law enforcement agencies seeking to uncloak the internet’s anonymous users.
-------------------------------------------

Anybody that's listened to 2600 on wbai knows that after one of these hackers gets out of jail it's not unusual for him to get a high paid job working for the corporate scumbags or law enforcement scumbags.
If Muley can scruff along i can too.

intermission
some karma
Custom Title: nOT-a-BoT
Posts: 16
Joined: Fri Nov 13, 2015 10:29 pm

Post by intermission »


intermission
some karma
Custom Title: nOT-a-BoT
Posts: 16
Joined: Fri Nov 13, 2015 10:29 pm

Post by intermission »


Plural of Month
needs karma
Custom Title: Sloth Aficianado
Posts: 1
Joined: Sat Nov 14, 2015 1:18 pm

Post by Plural of Month »

Shazaam wrote:
Plural of Mongoose wrote:

But someday I will get back to Ms. Shirley Potts Smythe-Beddows, and my adventures in the High Court of Justice. :smoke:
yeah sure

someday

will i live long enough to see it?

Patience is a virtue young buck.
It'll be fucking months before you receive my undivided attention...

Locked