FBI Admits It Controlled Tor Servers Behind Mass Malware Attack (wired.com)
"It wasn’t ever seriously in doubt, but the FBI yesterday acknowledged that it secretly took control of Freedom Hosting last July, days before the servers of the largest provider of ultra-anonymous hosting were found to be serving custom malware designed to identify visitors." ...
279 comments
[ 3.3 ms ] story [ 283 ms ] threadCheck the timelines. Some of Lulzsec's most dramatic attacks were carried out with an FBI agent literally looking over Sabu's shoulder.
'Opdarknet' in particular seemed quite a bit different from the rest, in the MO (basically the same as the FBI used against Freedom Hosting) and the wording of their release.
I wouldn't call that "much of Annonymous".
"Trust no one! Suspect EVERYTHING!", I can say today without sounding crazy.
Also, remember this? http://www.linuxfoundation.org/news-media/blogs/browse/2011/... ....hmm, I wonder if....
In fact, trying to slip it in under the radar like that would actually just increase the chances of getting caught, because then it becomes something that isn't suppose to be there instead of merely something that does something that it isn't suppose to do.
For example (completely hypothetical), you could create a race condition in the kernel's page allocator that can be reliably be triggered by filling up physical ram and then forcing the kernel to allocate more memory for itself by filling up the proc table past a certain size. So in one patch you include an improvement to the allocator that has this obscure race condition but otherwise makes the allocator work much faster. Then in another patch you increase the maximum size of the proc table (under the pretense of supporting some big-iron system that practically no one outside of some HPC centers own) so that filling it up will force a kernel page allocation. So then you can force the exploit to occur on any system with both patches installed simply by allocating all the physical ram and then creating a ton of do-nothing processes that max out the proc table.
If you are an organization like the NSA you could even have the submissions come from what appear to be completely independent developers.
It is kind of the exploit version of "parallel construction." You know the exploit you want to put into the kernel, you just need to come up with reasonable sounding explanations for every little patch that ultimately gets you to the end goal.
Original article: http://news.slashdot.org/story/01/01/25/1343218/directvs-sec...
Fascinating background story here: http://www.wired.com/politics/security/news/2008/05/tarnovsk...
So the question is, which is harder: does it take more skill to accidently insert a bug that gets by (sometimes for years), or to do so on purpose?
The difference between "tinfoil hatters" and reasonable people like Bruce Schneier now seems to be how concerned they are with their ability to destroy a harddrive, and TEMPEST.
Which way is that?
Also, from your Tinfoil Hat Linux link, this idea is hilariously awesome:
Keystroke monitoring — THL has gpggrid, a wrapper for GPG that lets you use a video game style character entry system instead of typing in your passphrase. Keystroke loggers get a set of grid points, not your passphrase.
I wonder if it might be possible to implement that idea into other operating systems?
https://www.schneier.com/contact.html
All default settings, except the 4096-bit key length.
See: https://www.schneier.com/blog/archives/2013/09/my_new_gpgpgp...
http://www.theguardian.com/world/2013/sep/05/nsa-how-to-rema...
Air gapping is certainly not unprecedented, but individuals using it have traditionally been considered pretty "tinfoil-y".
edit: "I wonder if it might be possible to implement that idea into other operating systems?"
gpggrid itself could probably just be built on any other Linux install. Certainly it could be recreated. One of the neat features of TFL that I really like is the idea of blinking LEDs on the users keyboard instead of displaying things on screen. Effective? Who knows... but certainly amusing.
http://www.washingtonpost.com/wp-dyn/content/article/2010/08...
Search for "Bootable SD Card Method" here: http://chdk.wikia.com/wiki/Prepare_your_SD_card (I have a Canon camera that runs CHDK. Those instructions work, and the camera can write to the SD card.)
It's a Linux live system (with permanent storage on a USB stick) geared specifically towards online banking.
I believe that quite a few people actually use it.
Of course the hardware is the same, but you get a clean single purpose software system.
>I believe that quite a few people actually use it.
That sounds like a great attack vector. How secure are factories where discs are pressed? Even without access to the factory you could buy a bunch of magazines and repackage them with compromised CDs.
Repackaging it seems to be tricky, since the paper inlay is bound in the magazine, it's not just stuck on the cover or whatever. You tear it out at a perforation, leaving part of the DVD cover inside.
There are much more exposed attack vectors on online banking users, I would think.
And you can always just download the ISO and check it against the hash (and the PGP key).
These are still not immune to phishing attacks but it's a lot better than TAN codes or some other 'dumb' authentication scheme.
Typically these systems work in conjunction with pin-and-chip card, a small piece of hardware that generates the codes and a challenge / response system built into the website you use for the authorization.
Separate challenges exist for logging in (read access) and transferring money.
Another cool thing I've seen in Banco do Brasil was the need to authorize the computer you're going to use in a ATM or in a 1-800. If I recall correctly, they do that with a Java applet.
Recently they also launched a common-malware-search-and-destroy application of MANDATORY use in Windows computers (my mom uses, she asked me. And yes, the digital certificates were all valid).
Others may use in-house solutions. Here's Bank of America's two factor solution: https://www.bankofamerica.com/privacy/faq/safepass-faq.go
We're almost to a point where the question isn't whether or not they support it, it's finding out that they have a program, clicking through tiny text links at the bottom of pages, and figuring out how yet-another-implementation works.
The general idea is to use a machine which has minimal opportunity to be compromised through other activities. There have been known to be exploits that allow a compromised VM guest to compromise the host, and obviously if you compromise the host you can compromise all the other guests.
Using a separate VM is worse than using a separate physical machine and better than doing nothing. Whether it's "good enough" depends on who you are. Who are the plausible attackers? What do you stand to lose if it goes wrong?
[1] in other words if the host OS is used as a hypervisor, or if the host OS _is_ a hypervisor.
Oh so he encrypted his files, and walked them between his stand alone and his internet machines. Yeah, okay this established the file's integrity, and that's just fantastic.
But what assurance does he have that the USB stick isn't getting infected on the internet machine, and then deploying stealth hacksaw services onto the standalone, to buffer and relay data and commands each time it jacks in?
I mean, that's exactly what Stuxnet was designed to fucking do.
Things like the Bagram PX were concentrations of high value targets with only one source of supply. The general USB stick marketplace is a lot safer. In China they're often fake and thus unreliable (smaller than advertised), but in the US, I'd be pretty comfortable driving to a Best Buy 50 miles away and picking up a random USB token.
A USB key someone hands you is much more likely to be a targeted attack. A USB key randomly lying on the ground outside a target is also much more likely to be an attack.
That doesn't mean there are no attacks.
So prudence is adviced in either case, on the off chance that the one that you have is a bad one. Ditto for anything else that you stick into a USB port.
That webcam plugged into your computer, are you sure the mike isn't on all the time and that the driver doesn't pass your speech during the day out in compressed and encrypted form to some server farm at night ;)
IMHO, the hard part would be creating the interface on the on the pc.
This should be the new market: Companies inviting the whole world to inspect their hardware (in addition to firmware, software).
KDE/Gnome do the same thing, and there are possible attacks there.
Randomizing the position of landmarks eg. go to A, B, E, C, F, then showing a map could let the user enter a different sequence of keystrokes to get the same result.
So, some evocatively named Linux distro recommends the same key size, is what I understand you to be saying, and therefore... what? Aliens really did land at Roswell?
Anyways: don't use 8192 bit keys. Whatever kills the 4096 bit keys is going to kill RSA along with them. Honestly, I think 4096 bits is also kind of a you're-kidding-yourself key length; if attacks on 2048 bit keys became tractable, RSA is probably in serious trouble.
I get truly excited when I see your replies, I'd love to banter in [inebriated] public! With that said, may I please make the humble request;
Yoou have contributed a shitload of awesome comments on the state f "who-the-fuck-are-we-kidding" with respect to encryption and privacy in light of what we actually know now related to the NSA....
Would you please create a post, in an Explain-Like-I-Am-Five-Years-Old manner on both the state of the capabilities of the NSA, the state of current encryption tech/methods we rely on, AND what the heck I, as and individual, could/can/should do about protecting myself.
---
I can speculate all day long about all sorts of things, but I am asking - given the NSA-Fatigue I suffer from - fr your help.
I WILL PAY YOU FOR THIS SERVICE; Set the price at $20 for the best recommendation. Crowd-source your network of people who have enough info to contribute to the recommendation...
Aside from smashing my machines and cancelling my power utility, I have no clue how to regain privacy at this point.
Then we will drink, and e Merry, Pippin and Sam!
EDIT: Tawny Port May be responsible for this post.
Also, if you had a short string that could be expanded into the larger key, then what you really have is a short key to a slightly different crypto system, which is less secure than the original key in the original system.
Also, if you can significantly compress a string of truly random data, you can also probably compress digital video by a significant factor as well, and should therefore found a startup selling your groundbreaking compression technology.
No, certainly not. I agree with you; the change from 2048 to 4096 isn't interesting.
The interesting part is that he 1) generated a new key (okay, not actually interesting in itself), 2) is using it in an isolated install, 3) this isolate install is on entirely separate hardware, not just a VM, 4) this separate hardware is new hardware that has never been networked.
Tinfoil Hat Linux was never really about using large PGP keys, you could use large PGP keys on a co-located RHEL box just as well as you could on an old crusty THL box covered with shoes and bluejeans in your closet. Rather, Tinfoil Hat Linux was about cautious (really, hyper-paranoid for the hell of it) treatment of private keys and plaintext. Extremely cautious treatment of plaintext and private keys is what he is currently going out of his way to do.
Is going to such an extreme (new hardware that has never been networked?) really necessary? I don't have the expertise to say. What I can say is that is nearing the sort of baseline paranoid treatment of private keys and plaintext that THL is known for. He's not blinking out leaked documents in morse code yet, he isn't worried about white vans down the street reconstructing the images on his monitor or RF leakage from his CPU giving them bits of his private key, but we are at the point where that is the next logical step.
(And no, aliens never landed at Roswell (or anywhere else), JFK was shot from the Book Depository (and only the Book Depository), and Stanley Kubrick did not film the moon landings (that was done with television cameras mounted on tripods, the LEM lander legs, and the astronauts' chests))
Since Schneier's now doing analysis of unreleased Snowden documents for the Guardian, he now has reason to believe that the NSA has a strong motive to see what documents he's working on.
Seems to me that the level of tin-foil-hattery that's reasonable to protect against an organisation likely to be targeting you specifically needs to be an order of magnitude greater than that which is reasonable to protect against a general-population surveillance dragnet.
However, Schneier was a target well before this due to the nature of his work. It is exactly the scope of the recent revelations that throws the conventional thinking on where the fuzzy line between an appropriate risk assessment based on position of interest and the general population. When the potential dragnet is widespread and permanent I no longer have to only consider how important I am now (which I'm not), but I also have to consider if I will ever be take on a role that IS important not just now, but then.
He knows too much to be a reasonable person.
Bruce isn't a nutter. I don't think many people would actually argue otherwise.
[0]: http://richard.stallman.usesthis.com/
https://en.wikipedia.org/wiki/Subliminal_message
People are definitely swayed by overt, liminal signals in subtle ways, but subliminal messaging specifically was created by an ad agency and the science was pretty well debunked.
Or else, you're one of them.
That's sort of where I've gotten to this summer. It's really frustrating and saddening.
Although mind-control waves still aren't, TO THE BEST OF MY KNOWLEDGE, a thing.
knowing that you're under constant surveilance and your every step/action is recorded makes wonders in the way of shaping and controlling your behavior.
Also, culture is the best mind control. Raise people with a mind set the way you want it and you never have to do anything directly, because they already are siding with you even through cognative dissonance.
Yeah, we're self aware and all that, we have choices, but what we generally choose to do is identify with some group and hate opposing groups. It's what we do.
The chimpanzees are laughing at us.
Stupid pop-sci reading pinkerian evo psych pseudo-wisdom lesswrong.com idiot.
Who's "we"? I bet that just pissed you off, keep projecting how much of a inferior you are.
>generalizing everything as a "tribe"
You do know those evo psych idiots use the term "genetics" and not "DNA" right? Now you really don't know what you are talking about.
>highly evolved to fit in
I swear schools should just stick to bible class instead of evolution class if they cant even teach it properly.
It's really not that hard to say this seriously without wearing a tinfoil hat. I've been doing that since high school.
The key is thinking in terms of operations, rather than in terms of generic trust. You need to know what you're doing, maintain opsec and have a strong, realistic threat analysis. For me, the Snowden cascade hasn't changed anything: if someone can penetrate the USGov's defenses, then they can almost certainly penetrate mine.
And that has always been true.
The revelations are a matter of ideological trust--trust in whether or not someone agrees with you--, but the USGov has never had much of this kind of trust, not even at its founding, nor has it ever acquired it.
What's seemingly worse/more crazy is many of these materials date for 4-5 years ago (2008-09). If these data were public, it would have potenially casued huge behavioural shifts.
In that way, its reminiscent of 9-11 where the damage was done not on that day, but the years earlier when the bad guys were training in plain daylight.
http://xurl.es/w2x2a
Will Rust help eliminate the problem of buffer overflows and other memory related hacks?
Of course, this is assuming Rust and Servo ever gain enough traction to build a viable browser; they're still at an early enough stage to be vulnerable to the problems lots of young, ambitious projects have, of taking on too much at once to ever be done enough for production use, interest petering out and never quite getting to the point of something widely usable (like Perl 6).
Are we going to see international arrest warrants and extradition and trials?
Source: HBGary dumps, industry experience.
How is that not a 'mass malware attack'?
Another example, it sounds like one might have dodged this particular attack by using a browser other than the Firefox bundled in the TBB. But whether or not using a non-TBB browser gives you a net increase in security probably depends a lot on the user.
Can't trust the local machine to tunnel things correctly.
(Also, on the first machine, you could use iptables to only permit outgoing traffic from the uid that Tor is running as and to drop everything else, just as an extra precaution.)
>> Donahue also said Marque had been researching the possibility of moving his hosting, and his residence, to Russia.
Nice try FBI, but I have a feeling that Puttin's Russia will have him a gulag after a 5 minute "trial," appeal included.
Funny you should mention that -- I believe that water fluoridation was once suspected of being a communist plot to more or less the same effect.
Of course, none of these "theories" manage to address the fact that there is fairly strong evidence that water fluoridation does in fact reduce tooth decay.
Not agreeing with those theories, but this argument is flawed.
Even if it does "reduce tooth decay", so what, in the context of their argument? Who said a substance can't do two things at one time?
If you narrow that search down further by adding the constraint of a simple and easily explained health benefit that has since been repeatedly validated by science, you should expect to find approximately zero compounds.
To look at it another way, suppose that studies had been done on fluoridation and found no benefit in terms of tooth decay. That would certainly be evidence in favor of the conspiracy theories. It is always the case that if E is evidence of H, then ¬E is evidence of ¬H, so the fact that fluoridation prevents tooth decay must be at least weak evidence that the conspiracy theories are false. The argument above gives one reason that it is not particularly weak evidence.
Fluoride was used in the past to pacify populations, at least, that is the claim made by anti-F people (I haven't myself run down the sources).
There are books out concerning F and its effect on the body's metabolism, such as this one http://www.amazon.com/Fluoride-Aging-Factor-Recognize-Devast... .
Too much fluoride can lead to fluorosis - there is this case of fluorosis among horses drinking municipal water that was fluoridated http://www.fluorideresearch.org/391/files/3913-10.pdf .
edit: link found via google: http://www.livescience.com/28078-skeletal-fluorosis-tea-drin...
See also: Donora death fog. http://www.fluoridation.com/donora.htm
Do you think Russia would give him asylum or a visa? There you go.
Thank you.
Really, it always was, but it was a sort of "undeclared war". Now there's really no question about what's going on, so it's time for the gloves to come off.
So this paragraph of the news report suggests that sometimes Anonymous and the FBI can be united in the goal of stopping child pornography, although not united in how they try to deal with it.
AFTER EDIT: Thanks for your link, which I think came as an edit to your comment. Here is a link to follow-up news:
http://www.theguardian.com/technology/2013/feb/22/lulzsec-sa...
EDIT: Here it is: http://news.ycombinator.com/item?id=6154642
In order to be friendly to mobile users, I'll copy-paste the comment here (although the link is worth reading because of the informative replies):
---
redthrowaway 40 days ago | link | parent | flag
Interesting. Freedom Hosting had been a target of Anonymous' Operation Darknet from the beginning--they're well-known for refusing to take down exploitative sites. Operation Darknet is, itself, a pretty interesting phenomenon: Anonymous hacks onion sites, then hands over user information to the FBI for investigation. Anonymous does what the FBI legally can't, and in exchange they're not prosecuted for it. I can't find the article now, but I recall reading an interview with an FBI agent in Wired or Ars or some such where he described the anons as "Internet Superheroes". (sic)
That, in and of itself, is kind of curious. Curiouser? One of the original Op Darknet principals was Sabu. You may remember him as the hacker the FBI rolled and got to bust up LulzSec. Sabu was turned by the FBI on June 7th, 2011.[1] Operation Darknet began several months later, in October, 2011.[2]
The obvious question, then, is this: Did the FBI use Sabu to entice Anons into attacking child porn networks, thereby evading the laws against them doing it themselves? Did they use the fact they turned a well-known hacktivist to help them deal with criminals they lacked the legal tools to go after? Is this arrest the culmination of those efforts?
[1] https://en.wikipedia.org/wiki/Sabu_(hacktivist)
[2] http://www.informationweek.com/security/attacks/anonymous-at....
Seriously, how do we know the FBI's story isn't "parallel construction"? It always seemed to me that tracking down Anonymous would be easy if you had NSA-scale monitoring. I don't want to sound like paranoid guy, but maybe the FBI's stories about tracking down clues from chat logs are all made up.
I only recently learned about parallel construction: http://en.wikipedia.org/wiki/Parallel_construction
Basically, the NSA is suspected to cooperate with other arms of the government, such as the DEA. The NSA supposedly provides information about who is involved in what illegal activity. Apparently this information is provided illegally, without a warrant. So if the DEA gets info from the NSA, the DEA needs to make up a story about how they came to possess that info, since that info was collected illegally without a warrant. That's parallel construction.
I don't know whether NSA would bother with a target like Anonymous, but it's not outside the realm of realistic possibility.
The biggest question is, how did the FBI identify Sabu? He supposedly revealed himself by visiting the website 2600.com, and selling stolen credit cards on Facebook. But how did visiting that website reveal Sabu?
Actually, now that I think about it, the best explanation is probably the simplest: 2600.com probably runs forums, and Sabu probably posted to those forums from his home IP address like an idiot. So the FBI simply demanded his IP address from 2600.com.
sounds very plausible :)
1) Old whois info with his real name on a domain (prvt.org) that he linked on IRC. He had long since changed it but someone looked it up.
2) Mistakenly logging into IRC without a VPN/Tor.
More: http://arstechnica.com/tech-policy/2012/03/doxed-how-sabu-wa...
Anonymous itself does not have leadership, it's more of a swarm mentality.
Sabu forgot to activate TOR before logging into IRC just a single time, and the FBI was able to locate him. Sabu was the legal guardian of his siblings, and was pretty much told that he would never see them again if he didn't cooperate with the feds. And so Sabu became a mole for the FBI, spending the next several months trying to elicit identifiable information from his own crew. For the most part, it worked.
What's interesting is that at least one of his fellow hackers is already out of prison, and the rest are going to be out in a few years. Sabu on the other hand, being a United States citizen, faces much harsher penalties than his European counterparts even though he was the only one with a deal. If I had to guess, best case scenario he is going to be sentenced to 10 years. To be honest though, I wouldn't be surprised if he got a few decades more.
Also, Sabu didn't have to manipulate Anonymous into attacking CP networks. It's something that they do on a semi-regular basis. They did it before Sabu, and they are doing it now.
Ten years? Even with a deal? Really?
That's astonishing if accurate.
I could very well be wrong.
That's the ask.fm profile of Topiary, the LulzSec leader that spent some time in prison. There's quite a few interesting answers regarding what LulzSec actually was and some of his opinions of Sabu.
But his FBI handlers said he was "brilliant, but lazy": they discovered him selling stolen credit card details on Facebook, and traced him to his home when he used an unguarded internet connection to go on the 2600.com site, which is popular with young and old hackers.
Is 2600.com a honeypot for the FBI? How'd Sabu expose himself by merely visiting that site?
i guess they just ran the query in the NSA's internet traffic meta-info database.
Ya, you were being cute, but Lulzsec was Sabu and his group. Anonymous is whatever a random group of people decided to that day and call themselves Anonymous. Tomorrow it will be a different group of people with a different and potentially conflicting cause.
It's still a proper noun relating to a specific group of people. It's like a team name - just because the roster of the Steelers change over the years doesn't mean that 'Steelers' is not a name.
Edit: 'Anonymous' is a team name, I mean, not 'God' :)
God is an idea that makes people feel better about themselves and to put themselves on a moral high ground over others.
What makes the Steelers the Steelers is not the roster, it is the paid position of the Coach and the owner of a legal entity and a defined goal and purpose. Anonymous is none of that.
Anonymous is anyone. It could be a bunch of people protesting Wall Street today. Tomorrow a group could call themselves Anonymous and protest Westboro Baptist. The day after a group calling itself Anonymous might break into Sony's systems. They might be all the same people, some of the same people or none of the same people. Each group might be made of people that agree with the others or vehemently disagree. It is not a specific group of people, it is not eve a coherent group of people.
I think it is more accurate to say that Anonymous has a fluidity of leadership and followers. It is a bunch of factions that dynamically organize as members see fit.
FBI basically generated a shit-load of Tor nodes (https://blog.torproject.org/blog/how-to-handle-millions-new-...) for some while to increase their chances of intercepting traffic. Following the data collection and using statistic, they were able to pin-point the origin of most Freedom-hosting request/response, and then raided the place.
Think about it: if you own 9/10 of the node of the Tor network (and they did for a while) and simply analyze all the traffic, it's just a matter of time before you can find what you are looking for.
The second interesting thing is how they planned everything using the Firefox exploit to find out who was going on each Website. I'm pretty sure they got what they were looking for.
Even thought this is highly scary in term of government control, I think we can all learn a lot about it. Also, I'm wondering how much this attack cost.
Those are two completely separate events.
The blog post you link to was about a recent massive increase in Tor clients, not Tor nodes.
From what I've read I was under the impression that Freedom Hosting itself was hacked to disclose its IP addresses, rather than the FBI taking over the Tor network.
This is the FBI taking down criminals engaging in a clear criminal activity, and it is silly to implicitly compare it to the NSA fishing for terrorists. All the evidence gathered here will be presented in a court of law, all the techniques used will have to be approved by judges as in accordance with laws and the constitution or the gathered evidence will be thrown out. The suspect and any other future suspects will get a trial if they want. It will be out in the open.
If you are upset that the software you thought was secure and anonymous isn't as secure and anonymous as you thought, that isn't the FBI's fault.
I am worried about government agencies intercepting my traffic / communications because it does happen, it's really hard to find out unless you know what you're looking for, and they don't have a warrant on every American citizen that happens to get caught.
Spend a little time in here: https://duckduckgo.com/?q=warrant+no+knock+raid+mistake&t=ca...
Or here: https://duckduckgo.com/?q=warrant++raid+mistake+death&t=cano...
Or here: http://www.newyorker.com/online/blogs/comment/2013/08/swat-t...
I'm still waiting for the scandal.
ddg, I think, does their own spidering and also serves bing and other results (but not google), but that's from dusty memory and it could be wrong or changed. ddg will however forward your request to google if you want, and you'll get a results page from google itself. In fact I use ddg as a front end for google when I want to use google.
startpage is Dutch/American, ddg is American.
https://startpage.com/eng/company-background.html
https://duckduckgo.com/about http://dontbubble.us/
ddg's Gabriel Weinberg posts here on HN. https://news.ycombinator.com/user?id=epi0Bauqu
how are you sure of that? Do you honestly think the public is privy to the movements of the people in charge?
You might want to rethink your position: http://www.democracynow.org/2010/5/13/25_years_ago_philadelp...
When the FBI engages in unethical and illicit practice, it's like stating that rules do not apply for them. Given for granted that they are in a position of power a priori, it's hard for me to see how this is good thing and how accountability can be held.
Also you seem to be convinced that the judge and court will apply the rule of law to the FBI as they would have done with you and me.
Also to address collective-action problems (like defense).
If we were to learn that they found it to be acceptable practice to use these weapons indiscriminately on innocent people in their efforts to catch the bad guys, I might want to take away their guns, tear gas, and helicopters.
The underlining reason for this has been the notion that the FBI was attempting to catch people engaged in CP related activities...
This maybe a little tin-foil here, but...
If you deliver a 404-type of a page on all requests, no website is traversed, no CP is viewed, transferred, replicated, or distributed. Meaning there is nothing here to charge the person with.
Does this article get the facts wrong, or was the purpose of this exploit something entirely different. Because if the article is true (this exploit was only in "Down for Maintenance" pages, which were the only pages served), all they did was get a bunch of useless IP to MAC to host-name correlation/mapping data for that moment in time.
There is also the 'Fruit of a poisonous tree' argument here. Would this untargeted hacking even stand up in court if this data is used to prosecute someone?
This sounds more like flexing of the muscles - the FBI saying we can get you if we want to. Or something else was going on. It also seems like a waist of a good exploit that they would probably use towards terrorist or national security related issues (ex: if they knew the MAC or host-name of a bad guy using TOR that day, but did not know his IP / so they put this out).
These websites have a unique URL. For example, Bitcoin Fog's URL is http://fogcore5n3ov3tui.onion/ If you try to visit that using a standard web browser, it won't work. But if you use Tor browser, then it takes you to the Bitcoin Fog hidden service.
Some of those websites were devoted specifically to delivering CP. Now the FBI's reasoning goes like this: anyone who was visiting those websites were very likely visiting them for the purpose of looking at CP.
The FBI delivered an exploit designed to identify as many of those people as possible. So even though no CP was being served, people were still accessing the URL. The malware collected the MAC address and hostname of the computer, then submitted that info to an FBI server. So those people were apparently added to a centralized FBI database.
One way that database might be powerful is if e.g. a politician (or any other government worker) were was identified as a visitor of one of these websites, because whoever controls that database now controls them.
The question is what gives them the authority to use these tactics? Wiretapping laws?
But if the government as an official approved sanctioned policy directs an employee to do an action (like, hack into Facebook's servers), good luck trying to get that employee arrested. The government may be doing illegal acts, but no one can be arrested over those since they are sanctioned by the two law making branches of government (executive and congress).
http://en.wikipedia.org/wiki/J._Edgar_Hoover
"Oh noes, we aren't 3 steps ahead of them, they are 3 steps ahead of us." Fuckin-a they are and I'm glad.
Getting rid of scumbag terrorists, child porn shitbirds and spying on foreign adversaries is fine by me.
And yes, I already know the comments will be "what if they designate you a terrorist some day". I suppose I will cross that bridge when that happens.
Nobody is amazed that the "good guys" (btw, whose good guys?) have good tools. It's been known for decades that the USA has some of the best signals intelligence people and systems.
But that's not even relevant here. This particular attack exploits a known issue of Tor, which has existed by design since day one. Hacking machines isn't rocket science, and the particular vulnerability in Firefox was public before the attack.
What people are surprised by is the brazen and open use of an illegal hack by law enforcement officials. We have laws for a reason and lawmen to uphold those laws. When the lawmen are breaking the laws we're pretty much fucked. I'm sorry that you can't see that.
Just so everyone's clear, this was not a "known issue of Tor". It was a javascript based Firefox exploit.
No. When that happens, you won't cross it. You'll fall right into the river.
I'd also like to see the legal theory they used to seize control of someone's computer. Did a judge sign off on this attack strategy?
But ultimately, I think they used some pretty good software engineering to solve a problem they wanted to solve.
It sounds to me as being outside the FBI's legal wiretapping abilities.
First, you are implying that Tor has an official Tor e-mail service, which it does not. Tormail is/was just a basic e-mail service someone not associated with the Tor project was hosting on the deep web. For all anyone knows, Tormail itself could have been run by the FBI or NSA or whatever all along. Anyone who thought Tormail guaranteed them anonymity was a fool, much like anyone who kept Javascript enabled while browsing the deep web was a fool.
Second, Tormail wasn't itself targeted. What was targeted was the hosting provider that was hosting 95% of child pornography in the deep web, and that hosting provider also happened to host Tormail and a bunch of other non child pornography websites.
Conspiracy theories will abound, of course, but keep in mind that the NSA's MO is not to disrupt communication but to intercept it. If the government's real concern here was with Tormail, they would have simply kept it around and tapped it, since they had clearly compromised the hosting provider's boxes and could have done so. They wouldn't have shut it down and just sent people fleeing to the dozens of other supposedly anonymous and secure e-mail services out there, including ones that perhaps they haven't yet compromised.
What the government did was the equivalent of show up at the houses of everyone who used a particular post office and forcibly finger print them because that post office routed 95% of the child porn magazines in the US (regardless of what percentage of their traffic that actually was, which you don't even mention besides 'there were other sites, too').
That would be a clear abuse of powers, as is this.
What do they do about users who do not turn on Javascript?
Or users who do not use the popular browsers?
It seems like the malware authors here, government employees or contractors, are just like all the others that form the underbelly of the internet... they only focus on the least sophisticated users or the users who always follow the herd (not the Hurd): Windows and OSX/iOS users.
Assumptions, assumptions, ...
They're totally insecure, so you can't make sensible security decisions off of them. Why aren't they randomly assigned on power-up?
Some people have compared malware with guns. This is to me a very bad comparison, since guns actually have legal usage like hunting or self defense.
A better example would be a under cover cop, selling real drugs to real people with the intent to impress a local drug cartel. It has to my knowledge never happen, but it would be interesting to know if the cop could be held liable if someone dies from a overdose from those drugs.
Let say that a police virus spreads out of control, and infects millions of computers. What if this specific firefox exploit get copied by a botnet, and is used to execute credit card stealing software on unsuspected users. How liable can the police become when millions of people are effected? I really have no clue.
For quite a while. Law enforcement have installed physical surveilance and tracking devices since as long as they have existed - and unsuspecting innocents have been caught on those tapes and recorders.
It's also a question of whether those tools are illegal - there may be laws against them , but the government can get special permissions
Let's say that there was a store in a neighborhood that was known to sell child porn. No judge would sign a warrant that gave police permission to put a GPS device on every car in that neighborhood to track whether they ever visited that store (and they may have visited but bought only legal merchandise). So why is it different if you do it on the internet?
A better one would be 'Would a judge give a warrant to allow the FBI to place a GPS tracker automatically on everyone who visited a store that was known to sell child porn?'
The answer to that might be yes.
From the article:
Freedom Hosting was a provider of turnkey “Tor hidden service” sites — special sites, with addresses ending in .onion, that hide their geographic location behind layers of routing, and can be reached only over the Tor anonymity network. Tor hidden services are used by sites that need to evade surveillance or protect users’ privacy to an extraordinary degree – including human rights groups and journalists. But they also appeal to serious criminal elements, child-pornography traders among them.
Arsenic is a poison. Lead is a poison. Cyanide is a poison. Tylenol becomes toxic at a certain threshold (like every other substance on the earth for that matter).
Sure, it is toxic to your liver in large doses. That isn't why Tylenol 3 is Schedule II while pure Codeine is Schedule II. The difference is in dosage. Tylenol 3 tends to come in doses of around 5mg Codeine to 300-500mg Tylenol. You get T3 when you have a tooth taken out, or maybe some minor stitches. You are also only given a few pills.
You get pure Codeine when you break a bone or stick a pencil through your eye. Or one of the stronger codeine-derivatives (oxycodeine, etc). These come in larger doses and are more prone to abuse.
Hence Schedule III.
I'm no fan of the DEA or the schedule system...but the "Government" isn't poisoning anyone. That's pure FUBAR and true tin-foil-hattery. Its a classification system for the abuse potential of perfectly legal drugs.
Yes, but in rare cases. Acetaminophen is not the easiest thing in the world for your body to deal with. But this is technically correct and in the 99 percent case you're correct so this is kind of belaboring the point.
Nevertheless, I thought it was worth mentioning.
People get prescribed ratios of 100:1 APAP:hydrocodone (750/7.5 for example) - it's idiotic from a health and safety perspective. If you need opiate painkillers such as hydrocodone or oxycodone, the extra APAP is unlikely to be of much benefit, and you can always just take some APAP on the side. The APAP is there purely to "prevent" abuse.
I'm not suggesting the "Government is poisoning people" as a conspiracy, I'm suggesting the same idiotic politics and ideas at play during alcohol prohibition are still alive.
The Fourth Amendment says: "No Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."[1]
[1] https://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United...
It might be a stretch but..
"LSD was one of the materials tested in the MKUltra program. The final phase of LSD testing involved surreptitious administration to unwitting non-volunteer subjects in normal life settings by undercover officers of the Bureau of Narcotics acting for the CIA." - http://en.wikipedia.org/wiki/Project_MKUltra
If the government release a virus and it cause damages, government might be found liable. Still, an out-of-court settlement is not exactly a predicate, so its hard to know what would happen.
From some quick researching, it seems the government in the US is more and more prosecuting the dealers, or even the person who gave someone the drugs if there is a death. You give your friend Bob some methamphetamine, and Bob dies, you're more than likely getting charged with second degree murder if they can prove you are the source.
They don't even have to hide it any more. They can admit things like this and nobody can do anything about it. We've passed the point of being able to defend ourselves against actions like this. Every step we take to protect our privacy, the Government is presumably two-steps ahead.
We just can't win...
Healthcare, education, housing ... what's next?