Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Government Java Security

Half of Tor Sites Compromised, Including TORMail 583

First time accepted submitter elysiuan writes "The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA. In a crackdown the FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network have been compromised, including the e-mail counterpart of TOR deep web, TORmail. The FBI has also embedded a 0-day Javascript attack against Firefox 17 on Freedom Hosting's server. It appears to install a tracking cookie and a payload that phones home to the FBI when the victim resumes non-TOR browsing. Interesting implications for The Silk Road and the value of Bitcoin stemming from this. The attack relies on two extremely unsafe practices when using TOR: Enabled Javascript, and using the same browser for TOR and non-TOR browsing. Any users accessing a Freedom Hosting hosted site since 8/2 with javascript enabled are potentially compromised."
This discussion has been archived. No new comments can be posted.

Half of Tor Sites Compromised, Including TORMail

Comments Filter:
  • by Cynops ( 635428 ) on Sunday August 04, 2013 @04:04PM (#44471719)

    Looks very much like the three letter agencies decided it's time now to start playing hardball.

    • by Anonymous Coward on Sunday August 04, 2013 @04:14PM (#44471783)

      If anyone else used exploits to screw with people, it would be called hacking and they'd probably go to prison, but when the FBI does it, it's 'okay.'

      • by plover ( 150551 ) on Sunday August 04, 2013 @04:44PM (#44471965) Homepage Journal

        If anyone else used exploits to screw with people, it would be called hacking and they'd probably go to prison, but when the FBI does it, it's 'okay.'

        Actually, a judge has yet to find whether it's OK or not. The admissibility of the evidence in these cases is going to hinge on whether or not it was collected through legal means. And no matter which way the judge finds, the loser is going to appeal. As far as I know, this is all untested legal ground.

        • by Arker ( 91948 ) on Sunday August 04, 2013 @05:00PM (#44472075) Homepage

          "Actually, a judge has yet to find whether it's OK or not. The admissibility of the evidence in these cases is going to hinge on whether or not it was collected through legal means."

          But regardless of whether or not the judge decides to admit the evidence, we wont see any of these agents arrested and sent to prison for what they did.

        • This is all handled under one of the new secret courts, where the new secret laws are applied.

          So don't expect to see any due process.

          The laws and Constitution of the USA have been thoroughly corrupted by the worst enemies of the country: the faceless professional patriots who run the Federal Agencies and Bureaus. As Pogo said during the Vietnam peace-keeping thing we did once: "We have met the enemy, and he is us".

        • by citizenr ( 871508 ) on Sunday August 04, 2013 @05:21PM (#44472239) Homepage

          Judge? what judge? You are funny. There will be no judge, only terror charges, or 2 years in prison while DOJ pretends to do discovery while lives are being destroyed and property stolen.

        • by Joce640k ( 829181 ) on Sunday August 04, 2013 @05:34PM (#44472351) Homepage

          Actually, a judge has yet to find whether it's OK or not. The admissibility of the evidence in these cases is going to hinge on whether or not it was collected through legal means. And no matter which way the judge finds, the loser is going to appeal. As far as I know, this is all untested legal ground.

          You're forgetting something: They said 'pedophile' in the press release.

          • by jamstar7 ( 694492 ) on Sunday August 04, 2013 @05:48PM (#44472477)

            Actually, a judge has yet to find whether it's OK or not. The admissibility of the evidence in these cases is going to hinge on whether or not it was collected through legal means. And no matter which way the judge finds, the loser is going to appeal. As far as I know, this is all untested legal ground.

            You're forgetting something: They said 'pedophile' in the press release.

            An old Soviet trick to remove a recalcitrant politician or bureaucrat who just wouldn't step down when asked nicely then threatened was to label them a pedophile or a rapist, then 'disappear' them. That's how they got rid of Beria rather than let him take over the whole Soviet Union after Stalin.

            • by Pino Grigio ( 2232472 ) on Sunday August 04, 2013 @05:56PM (#44472527)
              Speaking of the Soviets, I happen to be reading Hayek's, The Road to Serfdom [amazon.com] at the moment. The conflict between Freedom and Security is covered in some detail. I highly recommend slashdotters read it too.
            • by tnk1 ( 899206 ) on Sunday August 04, 2013 @06:15PM (#44472669)

              Although I should point out, Beria actually was a sick fuck. They didn't have to make up half that shit about him. It's just that no one actually could or would do anything about it while Stalin was alive and Beria was still the top flunky.

        • by Seumas ( 6865 ) on Sunday August 04, 2013 @05:48PM (#44472469)

          I don't know that what a judge finds matters. We have seen that the executive branch and all of the three-letter-agencies do whatever the hell they want. There is nothing that will change that. Not legislation, not public outcry. Not even presidential decree. Nothing. Will you drive them back into secrecy? Yes. And that is where they will continue to do what they want.

      • by Archangel Michael ( 180766 ) on Monday August 05, 2013 @09:58AM (#44477197) Journal

        "Tyranny is defined as that which is legal for the government but illegal for the citizenry."

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      We do have to be somewhat real about this. Lolita City, the pedophile HQ of the internet, has over 15,000 members (and who knows how many 'guests'). Of course the FBI was going to attack these massive pedophile rings. Good for them.

      But again, there are legal issues here. Why did the FBI have the right to infiltrate TORmail? They are using general warrants here, just like the NSA does. Because one person may be using TORmail for illicit purposes, the FBI feels that it can install tracking and search software

      • by JaredOfEuropa ( 526365 ) on Sunday August 04, 2013 @05:20PM (#44472225) Journal
        Seriously, you think this is about pedophiles? Whenever some politician or law enforcement officer tells you he's after kiddie porn, he is really saying "I can and will do whatever the hell I want to you, your family and your dog, because I have a great excuse to do so". It's also a great way to attack and discredit political opponents or undesirables, as has happened a few times here in Europe: "Well, we couldn't find any offence to pin on him after we arrested him, except for the kiddie porn we found on his computer".

        Our rights and freedoms are getting reamed so badly in the name of fighting child pornography, that I sometimes think that legalizing transmission and posession of kiddie porn would be the lesser evil. Think about that for a moment.
        • by slashmon ( 3007991 ) on Sunday August 04, 2013 @06:45PM (#44472891)
          It shouldn't be illegal, anymore than stuff on sites like rotten.com is illegal. Information should be free. It's distasteful, yes. But that's why most people wouldn't want to look at it. Anymore than most people would want to look at rotten.com or beheading videos or a video of an adult getting raped. It's creepy stuff. Go after the people that actually hurt the children. All this emphasis on bad pictures gives the government endless opportunities to erode freedoms.
          • by SuricouRaven ( 1897204 ) on Monday August 05, 2013 @01:43AM (#44474791)

            The original idea was that banning the pictures would greatly reduce demand for them, thus eliminating the economic inventive towards the child abuse required for their production.

            That's the excuse, anyway. It doesn't explain why many countries then expanded the definition to include photoshopped images where no abuse actually took place ('pesudo-photographs' is the term in UK law), artistic depictions, artistic depictions of non-human characters that have some characteristics of human children (Yes, the UK even thought of that one!) and even completly fictional stories.

            The real reason is much simpler. A collective desire: 'This stuff makes me feel icky and I hate the people who like it, so it should be illegal.'

        • Seriously, you think this is about pedophiles?

          Yes, and clearly. This is the largest pedophile bust in history. Duh. If the biggest bust in history doesn't solidify the topic for you, I have to wonder about your motivations.

          • by SeaFox ( 739806 ) on Monday August 05, 2013 @01:05AM (#44474657)

            Seriously, you think this is about pedophiles?

            Yes, and clearly. This is the largest pedophile bust in history.

            Says who? None of these people have been given their due process. At this point they are, at the very most, alleged child pornography traffickers.

            Also, isn't your source of information the very government agency that was using a JavaScript exploit in a potentially illegal fashion to catch these perpetrators? Not exactly an unbiased source of information as to the legitimacy of their actions, huh?

      • by davydagger ( 2566757 ) on Sunday August 04, 2013 @05:23PM (#44472253)
        the issue isn't the FBI attacking pedophiles(which I agree, good riddance to bad rubbish).

        Its also things like TORMail, and other non-pedophile sites.

        This is good in a way because it proves a good PoC that

        "But again, there are legal issues here. Why did the FBI have the right to infiltrate TORmail? They are using general warrants here, just like the NSA does. Because one person may be using TORmail for illicit purposes, the FBI feels that it can install tracking and search software on every user."

        because American law enforcement works on the principle of "arrest everyone and sort it all out later". Given the notion that everyone using TOR who's not NSA, is automaticly a criminal of SOME kind, they can just arrest everyone and make them try and prove their innocence, by co-operating somehow with the FBI. They will then use this co-operation as a wedge to keep out dissedents, and create a pool of informants by default, by charging people with crimes they were if only vaugely associated with, with excessive jail times until they give useful informaiton or become informations.

        Its also funny that the malware specificlly targets TORBrowser.

        I think I called it. When the NSA, CIA, FBI, looses intrest, or no longer needs TOR, they will simply arrest everyone publicly involved with it for pedophilia or whatever other activities go on. They can play stupid to technophile judges, and juries, and know they'll get away with it.
        • by slashmon ( 3007991 ) on Sunday August 04, 2013 @06:10PM (#44472613)
          Pedophile means that the person has a condition called "pedophilia". It does not mean they break the law. It's not illegal to be attracted to children. Most people with pedophilia live their lives legally and deal with their attractions to children (which they cannot change) legally, also. Pedophile does not equal child molester. Just as someone who just thinks about robbing a bank is not a bank robber. This short article tells the real deal about pedophiles: http://www.commonatheist.com/ped.htm [commonatheist.com]
          • by meta-monkey ( 321000 ) on Sunday August 04, 2013 @07:17PM (#44473101) Journal

            Regardless, they are after those who are in possession of child pornography, which is a crime. You may not think it should be, but that is completely beside the point. In order to find those who MIGHT be in possession of this material, the FBI gained unauthorized access to the computers of nearly EVERYONE who visited sites on Freedom Hosting, whether they were visiting a site that trafficked in this material. There are other sites on Freedom Hosting that do not host or distribute child pornography, and yet their users were exposed, as well.

            This is akin to police discovering that a booth at a flea market is selling stolen merchandise. A reasonable course of action would be to obtain a warrant to search the property of the booth's operator. It would also be reasonable to conduct a stakeout of the booth to see who else visits the booth to knowingly buy or sell stolen goods, and then, after observing such activity, search the vehicles of these associates. That's all fine. But here, they basically came in and rummaged through the cars of everyone who came to the flea market, regardless of whether they visited the stolen goods booth or even knew of its existence.

            That shit is fucked up, yo.

    • by Jane Q. Public ( 1010737 ) on Sunday August 04, 2013 @04:47PM (#44471995)
      Looks more to me like the 3-letter agencies have decided to BREAK THE LAW.

      Unconstitutional surveillance is bad enough. But they don't have any more right to commit "unauthorized access to a computer system" than anybody else. (That is to say, their javascript hack of site visitors who may be innocent.) They can't break the law in order to enforce the law, unless they want to face criminal charges themselves. Aaron Schwartz faced 30 years in prison for far less. I say, let's see the FBI face the same thing.

      And yes, it may well be enforceable. Look up 18 USC 242, "Deprivation of Civil Rights Under Color of Law". The civil rights in question here might be, just for example, the privacy of your own computer system, which legally requires a warrant or subpoena to access. Just my opinion, but I don't see how simply visiting a website could constitute probable cause, much less justify intrusion in the form of a "hack".

      18 USC 242 IS fairly frequently prosecuted, and last I checked it has a conviction rate of about 98%, which is awesome for any law. And it specifically targets government agents and agencies. The President is not immune.

      (P.S. After reading that law, many folks have been prone to conclude that it only applies to racial and other discrimination. That is because of the awkward wording [e.g., there is a strategically placed comma that makes a big difference]. In fact it applies to ANY Constitutional right. However, my mention of it here is not meant to imply that the law does apply here. Only that it might. IANAL and I don't pretend to be one, but I have researched this law and its application.)
    • by icebike ( 68054 )

      Looks very much like the three letter agencies decided it's time now to start playing hardball.

      Well when you realize that TOR was originally developed and set up by three letter agencies, its not a surprise that it is being used as a honey pot.

    • by oztiks ( 921504 ) on Monday August 05, 2013 @07:10AM (#44475795)

      We certainly are living in interesting times and considering that you're 200,000 UIDs older than me, you have to consider what Slashdot was like years ago.

      I remember when people started taking shots at Slashdot for the type of articles it posted, flamed it for being too mainstream, Apple-centric, or because it's become a popular wannabe geek pissing ground. Though all these things may be true or not, it doesn't really matter.

      What's important to know is that Slashdot is about IT/Geek news and if you look at the IT segment alone it has become massively political. The shit fights between Netscape and Microsoft pale in comparison to the crap we're subjected too today. The Obama administration is now getting involved in the Smartphone wars for example ... who would'a thought? The EU slapping Microsoft over antitrust, so what? The US is now posturing against Russia because of leaked data that has been spilled out on the internet. We're talking about "news for geeks" hosting stories about stuff that wars are made from!

      You say hardball? you say interesting times? I say how much more interesting is it gonna get?

  • Computer Intrusion (Score:2, Insightful)

    by msobkow ( 48369 )

    Computer Intrusion is illegal, and the FBI knows that.

    So is spying on someone without a warrant, and given that they can't know who they're spying on, I don't see how they could possibly have obtained a warrant for this action.

    I hope the TOR user community sues them. Very roughly. And with extreme prejudice.

    The US has gotten way too fucking big for it's britches.

    I used to think maybe there was justification for the anti-terrorism attitude that the US has.

    I've changed my mind.

    My sympathies now

    • by achbed ( 97139 )

      All these "illegal" acts by a government are only "illegal" within that country. If they target another country, or a citizen of another country, that's called "espionage" and all fallout is handled by the State Department/Foreign Affairs Office or by military action.

      Oh, and the punishment for "illegal" acts for the elite (read: government employees and/or corporate executives) is now officially a wrist-slap in a press release, and MAYBE a fine. MAYBE.

      Oh, and make sure to say hi to all the nice men in Gua

      • by gmuslera ( 3436 )

        Maybe you would consider intentionally hosting a child porn site [gizmodo.com] something legal? That happened inside US, after all.

        Anyway, lose any hope to find justice in US, you are part of them and then outside law's reach [rollingstone.com] , or you are not, and you can be labeled as terrorist [topinfopost.com], jailed for decades under any excuse [slashdot.org], or eliminated [rt.com] if you cause trouble to their protegees.

        • by achbed ( 97139 )

          Actually, you could argue in a court of law that because the original site was not set up by the FBI that the entire operation fell under an "undercover investigation" status, even after the site was compromised. The FBI even had a fairly clean defense against charges of entrapment as well, because they didn't create the site in the first place, and shut it down shortly after acquiring control.

          In this case, if looks like the FBI did a similar play - hack an existing site that is used for illegal activity,

    • by RoknrolZombie ( 2504888 ) on Sunday August 04, 2013 @04:19PM (#44471813) Homepage

      Computer Intrusion is illegal, and the FBI knows that.

      Yup...people have been clamoring for more transparency...perhaps this is that?

      So is spying on someone without a warrant, and given that they can't know who they're spying on, I don't see how they could possibly have obtained a warrant for this action.

      Agreed - the legislation that's in place has granted them far too much power, far more than most of us feel comfortable with.

      I hope the TOR user community sues them. Very roughly. And with extreme prejudice.

      That'd be nice, but I doubt it'll happen. It won't happen any faster than voting decency into office will :-/

      The US has gotten way too fucking big for it's britches.

      I agree - we need to get these douchebags outta office and get someone in office that does their f'ing job!

      I used to think maybe there was justification for the anti-terrorism attitude that the US has.

      I'm sure that at least some of the people involved believe that they're doing the right thing. Their belief doesn't make it "right" however...they need to stay the f out of my life. If I'm not breaking the law, they've got no business knowing a goddamned thing about me.

      I've changed my mind.

      My sympathies now lie with those who rise up against these goddamn born-again Nazis in their attempt at world domination.

      YES! We need to protest, rise up as one mind, with one purpose, to effect change in our Government! Occupy Wall Street was only the beginning!

      You go, Al Queda!

      I'm sorry, WHAT?!?!?!

      Woah, woah, woah, woah....where in the hell did that come from? Now, I fully agree that we need changes in our Government, and I'm even on board with listening to what revolutionaries have to say, but that's a far damn cry from supporting the murder of innocent citizens and the repression of (plenty) of basic human rights. No, I'm afraid your downmods were your own fault.

      • Re: (Score:3, Interesting)

        by Anonymous Coward

        You go, Al Queda!

        I'm sorry, WHAT?!?!?!

        Woah, woah, woah, woah....where in the hell did that come from? Now, I fully agree that we need changes in our Government, and I'm even on board with listening to what revolutionaries have to say, but that's a far damn cry from supporting the murder of innocent citizens and the repression of (plenty) of basic human rights. No, I'm afraid your downmods were your own fault.

        I am not that guy, and while I really don't believe Al Queda are good guys or a group to support, I kinda feel like I should support them in some things. For example they recently said they want to break guantanamo. And hey, I fully support them in that. It seems like the right thing to do, pretty extreme but if the government wanted a less extreme option they had plenty of time for it.
        The government is really going to make extremist groups be way easier to relate to.

      • by Anonymous Coward on Sunday August 04, 2013 @06:19PM (#44472693)

        Everybody has a tipping point. I think for US it's going to be the Big Brother issues.

        I'm from Turkey and for us the tipping point was a park.

        For years, we had been suffering the same politics of fear that I see in US. The government was practically putting anyone (particularly people speaking against them) under surveillance, making journalists wait in custody for years before even having their trials, suing people in a corrupt justice system just for speaking their minds using something equivalent of the Patriot Act. The freedom of speech was no where to be seen.

        During all this time, what stopped people from acting was the feeling of being alone and powerless. And that's what happens when all the media is corrupt and distorting and hiding what's really going on. But people were no fools. Thanks to the internet, there were ways of knowing what's really been going on and people have been getting the news.

        So one day, police attacked hundreds of people who were having a sit-in for saving a park and the trees in it with. Anger overwhelmed fear and in a few hours millions were on the street, protesting. I had seen nothing like this. People coming out of Yoga classes were throwing tear gas grenades back to the police. Mothers were preparing solutions to use against the effect of pepper spray. Nobody was afraid of being against the police anymore. The whole story is really interesting, from using google maps to track and distribute police movements to a whole series of sub-culture graffiti on the walls of Istanbul. If you want to learn more, visit this [showdiscontent.com], this [readlists.com] and this [washingtonpost.com] link.

        This lasted for two weeks. For the first five days there was *nothing* on TV or newspapers about this. This was an eye opener for the people who have seen what wasn't being reported. It was what they needed for reverse-engineering the mass-media and bypassing it with social media.

        Now everything is calmer, at least in appearance. But the change that people have gone through is an irreversible process. And I think it is, or will be, of a much important consequence than over-throwing an oppressive government. Because the problem doesn't reside within a single government. It's this whole inhumane, ecologically unmaintainable, unjust system and it is all around the world. We all need to open our eyes and do something about it.

  • "Any users accessing a Freedom Hosting hosted site since 8/2 with javascript enabled are potentially compromised."


    That would include all the FBI computers used to deliver the poison, then?
    • Probably not but the analysis of the malware is still on-going. Hence 'potentially'. Regardless I think it's safe to assume any thing traced back to FBI lab computers are probably not high on the list of actionable items.

    • "Any users accessing a Freedom Hosting hosted site since 8/2 with javascript enabled are potentially compromised."

      That would include all the FBI computers used to deliver the poison, then?

      Nah, they're probably using IE 6. Still.

  • Tips for Tor (Score:5, Informative)

    by Meditato ( 1613545 ) on Sunday August 04, 2013 @04:06PM (#44471733)

    Put your Tor client in a Secure Linux VM, so none of your hardware information can be exposed. Go to https://check.torproject.org/ [torproject.org] to check if Tor is working, and make sure NoScript or something similar is enabled.

    • Comment removed based on user account deletion
    • Re:Tips for Tor (Score:5, Informative)

      by Cynops ( 635428 ) on Sunday August 04, 2013 @04:12PM (#44471773)

      Or use Tails, a Linux distro specifically designed for paranoia. You burn it on a CD (or USB stick) and boot from it into a Linux desktop environment specially crafted for privacy and security. All internet traffic is routed through Tor (sic), so after rebooting you should be fine.

      • Re: (Score:2, Informative)

        by Anonymous Coward

        Tails have Javascript enabled, so would be insecure. Wait for the next update.

  • No defcon? (Score:5, Funny)

    by Anonymous Coward on Sunday August 04, 2013 @04:07PM (#44471741)
    Should have invited the feds to defcon after all. Seems they got bored this weekend.
  • line of beaters (Score:2, Insightful)

    by Anonymous Coward

    So the FBI, with no particular target in mind, are using the Tor network as a line of beaters in the bush scaring out any kind of animal and hopefully only shooting the ones they are trying to find. Meanwhile, every animal is scared out of it's normal activities until the beaters have passed.

    Yeah, that's not intrusive at all. No privacy compromised for anyone. And all it takes is the FBI actually infecting the Tor network with their own malware. Thank heavens they're the good guys. Oh, wait, the good g

  • by coder111 ( 912060 ) <coder@[ ]ail.com ['rrm' in gap]> on Sunday August 04, 2013 @04:12PM (#44471771)
    I wonder about the legality of FBI's action here. Ok, I guess they have some kind of search order/wiretap order for "investigating pedophiles" against one specific site, but what about collateral damage? I mean they shut down an email service used by normal people as well. They did track and spy on activities on normal law abiding citizens. Did they effectively break into a big number of law abiding citizen's machines against whom no search or writetap orders were issued?

    Or can FBI hack anyone at will without any legal oversight? I don't remember getting the memo where such behaviour from a government agency is legal.

    Well I guess we can stop pretending we live in a law-abiding democratic world. It's an oligarchy run by the banks, the rich, lobyists and professional politicans, and scew everyone else...

    --Coder
  • by girlintraining ( 1395911 ) on Sunday August 04, 2013 @04:15PM (#44471789)

    So basically, if you're legally accessing a website while browsing with Tor, making use of legal services in a legal fashion... the FBI will install a wiretap on your computer, without a warrant, in order to monitor all your activities, on the off chance that you might be up to no good. This is rather like walking out into rush hour traffic, pointing at random cars, and saying "Search that car! We know terrorists use cars, so let's start searching them all."

    Dear FBI,

    Fuck you. That's a terrorist's mentality. You're worse than the lowly pieces of shit you hunt, because we expected you to uphold principles of integrity, honor, and those other words you got plastered on your slimy logo that used to mean something. You are, in fact, worse than a terrorist: You're a corrupt law enforcement organization with a bigger budget than any terrorist organization out there, and you are doing more harm to this country than catching a hundred Bin Ladens could accomplish.

    -_- The internet is a global and international community and you need to show some restraint, otherwise you're going to create large amounts of resentment and anger throughout the world. No wait: You already have created this. You are endangering the infrastructure and the people you are oath-bound to protect with your actions. I don't give a flying fuck through a rolling doughnut what authority or law you think gives you the right to act in this fashion... you're a public menace. You're just giving everyone who doesn't like this country piles of ammunition and sympathy from the general public that can be used to attack MY country.

    Knock it the fuck off. Now.

  • by Kevin Fishburne ( 1296859 ) on Sunday August 04, 2013 @04:19PM (#44471819) Homepage
    I'm starting to wish governments would just get it over with and declare a permanent state of emergency. A different arm band for each person's assessed threat level, embedded RFID with skin tattoo for redundancy and mandatory iris, DNA and fingerprint sampling for all citizens. Upgrade traffic cameras with RFID readers and facial recognition software, require RFID and cellular GPS transponders on all automobiles and motorcycles and perform mandatory searches of persons and vehicles for any traffic stop. Nationalizing all ISPs, search engines, telco providers and banks would also be a smart move. Frankly I'm disappointed the government is taking this long. Guess that's democracy for ya.
  • Be smarter (Score:5, Interesting)

    by Anonymous Coward on Sunday August 04, 2013 @04:31PM (#44471889)

    First of all, use Whonix [whonix.org] to access Tor, never the same browser you use for any other purpose.
     
    Second, use Firefox with a JonDoFox profile [anonymous-...ervers.net] which is not included in Whonix Workstation by default.
     
    Third, go to ip-check.info [ip-check.info] and run the test on your browser. Everything should be green or yellow at the worst. If you see anything in red, fix it before you go to any questionable site. Finally, make sure you don't have any DNS Leaks in your host OS by running this test [dnsleaktest.com] also from your regular host browser. Don't use or trust DNS from your ISP.
     
    If you want to be extra-cautious, run the Whonix Gateway after you establish a VPN connection. Choose an offshore provider that has multi-hop technology to avoid traffic analysis. I'm using iVPN [ivpn.net] who is located in Malta.

  • by wjcofkc ( 964165 ) on Sunday August 04, 2013 @04:43PM (#44471951)
    Yesterday I made a posting on CNN regarding the story about the heightened terrorist threat alert. While it covers a different subject, I could re-write it to fit this situation, but I think the slashdot crowd will get my drift, here is a direct copy\paste:

    I do not know who to trust or what to think anymore. If this threat is real or not, I imagine we are intended to suppose that it was the US governments blanket surveillance of the world, including domestic spying that tipped them off. On the other hand, the timing is such (Snowden/Manning) that for all I know they made the whole thing up to better justify government wrongdoing in the eyes of the people. Or perhaps al Qaeda made the whole thing up just to see if they can manipulate the movements of our government by taking advantage of info gathering with a campaign of false intel. I don't know who to trust or what to think anymore, with the exception that I know I don't trust my own government. They have proven themselves manipulative liars.
  • by Agent ME ( 1411269 ) <agentme49NO@SPAMgmail.com> on Sunday August 04, 2013 @04:48PM (#44471999)

    I don't see how this affects Bitcoin at all. It's not an exploit of Bitcoin. Bitcoin isn't dependent on any onion sites, "Freedom Hosting", or Tor. The Silk Road are not the only users of Bitcoin.

  • EFF (Score:5, Insightful)

    by mill3d ( 1647417 ) on Sunday August 04, 2013 @05:01PM (#44472089)

    EFF in the White house, ASAP please.

    I understand there's a legitimate need to conduct surveillance when justified. But having people from the EFF and/or ACLU running, or at least supervising things will likely act as a filter to prevent further abuses and level the playing field.

  • Tor collaborated (Score:3, Insightful)

    by Yvanhoe ( 564877 ) on Sunday August 04, 2013 @06:05PM (#44472581) Journal
    I think it is very hard to believe that TOR mistakenly released a single version of their TOR browser with javascript conveniently activated. I wouldn't be surprised there was a concerted operation with FBI to reduce child porn on the TOR network. Actually, they could be legally coerced into doing exactly that.
  • by Harik ( 4023 ) <Harik@chaos.ao.net> on Sunday August 04, 2013 @07:28PM (#44473179)

    There's a pretty good unwrapping of the payload here [mozilla.org], and it's a pretty creative exploit of the javascript interpreter to execute shellcode. Just from a glance at the shellcode, I see a hand-crafted HTTP header so at minimum they're using the OS network stack directly to give the tor-level UUID a public IP coorelation. Beyond that, they could be doing anything since they're already through the sandbox.

  • by Urza9814 ( 883915 ) on Sunday August 04, 2013 @10:45PM (#44474235)

    OK, so why the hell doesn't someone take the five minutes to add some code to Tor that would strip out client-side scripting? It's not that hard; plenty of other secure networks do it (ex. Freenet) so why the hell doesn't Tor? I mean yeah, I get it, they give you ample warnings before you download, but is there any legitimate reason they don't do this or have they just decided they don't want to try to stop this kind of attack?

  • by slashmydots ( 2189826 ) on Sunday August 04, 2013 @11:31PM (#44474385)
    This is the most surprising story I've ever read. I'm all about the feds finally growing some balls and using whatever techniques necessary to arrest some scumbags but this could easily be the tip of the iceberg given all the NSA crap going on. If they feel like they can do anything, they will and it's a slippery slope. In this particular case, I'm glad they finally stopped letting those losers hide behind legal BS.

    BUT, seriously, who the hell would use TOR on a browser and then use it for non-tor stuff? I didn't know that was even possible given how the tor browser bundle works. This is seriously going to catch like zero people, lol. But A+ for effort. Then again, some pedos are notoriously dumb.

    I'm kinda mad that tormail is down though. That was a huge privacy/anti-NSA tool. Obviously they took that down on purpose as "collateral" just so it's gone. That sucks.
  • by aNonnyMouseCowered ( 2693969 ) on Sunday August 04, 2013 @11:45PM (#44474453)

    We're now in the age of Big Data crime enforcement, where to be abnormal, in the sense of deviating too far from the median/norm is all it takes to be flagged as a suspect. The danger I see in the future is that, in order to avoid being caught in the net of the federal surveillance agencies people will deliberately start acting within the "norm", like visiting the sites online, Facebook/Twitter/G-something for your communication needs, or CNN/Fox/BBC for your "news", or whatever local site is "popular" in your area. To have an opinion will be to choose from an approved list, much like a multiple-choice exam or, worse, like the presidential election.

    • This is already the case. If you write something which goes against government propaganda in Norway (and other NATO countries) then the government tortures you. It's already dangerous to have opinions different from the government approved list. I know a lot of people here will violently oppose this truth, but deal with it: we have to truthfully asses the current situation in order to improve it, and improvement really is needed. Free speech is a nice theory that I would like to see become practice.
  • by Alsee ( 515537 ) on Monday August 05, 2013 @03:43AM (#44475183) Homepage

    The exploit transmits your identifying information to IP address 65.222.202.54. The information includes a unique tracking number generated by the exploit server, your computer's MAC address, your computer's host name, and any other IP addresses and host names visible on your local network.

    This IP address traces back to a Verizon business account just outside Washington D.C., not far from FBI and CIA headquarters. You can see the IP location trace here [truevue.org], complete with a zoomable Google map. However note that the location trace is probably just an approximate location. Zooming all the way in shows a local shopping center, but that's probably just the location randomly landing at the "center" of a town or other service area.

    -

One good suit is worth a thousand resumes.

Working...