Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
Government Java Security

Half of Tor Sites Compromised, Including TORMail 583

Posted by samzenpus
from the out-of-action dept.
First time accepted submitter elysiuan writes "The founder of Freedom Hosting has been arrested in Ireland and is awaiting extradition to USA. In a crackdown the FBI claims to be about hunting down pedophiles, half of the onion sites in the TOR network have been compromised, including the e-mail counterpart of TOR deep web, TORmail. The FBI has also embedded a 0-day Javascript attack against Firefox 17 on Freedom Hosting's server. It appears to install a tracking cookie and a payload that phones home to the FBI when the victim resumes non-TOR browsing. Interesting implications for The Silk Road and the value of Bitcoin stemming from this. The attack relies on two extremely unsafe practices when using TOR: Enabled Javascript, and using the same browser for TOR and non-TOR browsing. Any users accessing a Freedom Hosting hosted site since 8/2 with javascript enabled are potentially compromised."
This discussion has been archived. No new comments can be posted.

Half of Tor Sites Compromised, Including TORMail

Comments Filter:
  • by Cynops (635428) on Sunday August 04, 2013 @04:04PM (#44471719)

    Looks very much like the three letter agencies decided it's time now to start playing hardball.

  • Idiots (Score:0, Interesting)

    by Anonymous Coward on Sunday August 04, 2013 @04:15PM (#44471791)

    Wait, wait, wait, woah, woah woah. Are you serious?

    No, really, I'm not believing what I'm reading here. Is this REALLY serious?

    People actually, seriously believed Tor was some sort of privacy magic bullet? A network where anyone can host an exit node, nobody knows who those exit nodes are, and there's no control on what happens at those exit nodes, and this is all by DESIGN, and people somehow thought this was impervious to surveillance and thoroughly uncompromisable? REALLY? What, did everyone just think that the government wasn't allowed to use publicly-available network services or something?

    No wonder the government's getting away with everything. When people who claim to be privacy nuts are such godawfully fucktarded morons to fall for this, I guess we're pretty well doomed on that front. Wait, I've got it! Someone else suggest a private browsing mechanism over public channels! I'm SURE it'll work this time! I don't know how, but if we just keep throwing the words "anonymized" and "encrypted" in it over and over again and post about it on Slashdot, it's sure to work! Yeah!

    Idiots.

  • by Anonymous Coward on Sunday August 04, 2013 @04:21PM (#44471833)

    We do have to be somewhat real about this. Lolita City, the pedophile HQ of the internet, has over 15,000 members (and who knows how many 'guests'). Of course the FBI was going to attack these massive pedophile rings. Good for them.

    But again, there are legal issues here. Why did the FBI have the right to infiltrate TORmail? They are using general warrants here, just like the NSA does. Because one person may be using TORmail for illicit purposes, the FBI feels that it can install tracking and search software on every user.

  • by Anonymous Coward on Sunday August 04, 2013 @04:27PM (#44471877)

    You go, Al Queda!

    I'm sorry, WHAT?!?!?!

    Woah, woah, woah, woah....where in the hell did that come from? Now, I fully agree that we need changes in our Government, and I'm even on board with listening to what revolutionaries have to say, but that's a far damn cry from supporting the murder of innocent citizens and the repression of (plenty) of basic human rights. No, I'm afraid your downmods were your own fault.

    I am not that guy, and while I really don't believe Al Queda are good guys or a group to support, I kinda feel like I should support them in some things. For example they recently said they want to break guantanamo. And hey, I fully support them in that. It seems like the right thing to do, pretty extreme but if the government wanted a less extreme option they had plenty of time for it.
    The government is really going to make extremist groups be way easier to relate to.

  • Be smarter (Score:5, Interesting)

    by Anonymous Coward on Sunday August 04, 2013 @04:31PM (#44471889)

    First of all, use Whonix [whonix.org] to access Tor, never the same browser you use for any other purpose.
     
    Second, use Firefox with a JonDoFox profile [anonymous-...ervers.net] which is not included in Whonix Workstation by default.
     
    Third, go to ip-check.info [ip-check.info] and run the test on your browser. Everything should be green or yellow at the worst. If you see anything in red, fix it before you go to any questionable site. Finally, make sure you don't have any DNS Leaks in your host OS by running this test [dnsleaktest.com] also from your regular host browser. Don't use or trust DNS from your ISP.
     
    If you want to be extra-cautious, run the Whonix Gateway after you establish a VPN connection. Choose an offshore provider that has multi-hop technology to avoid traffic analysis. I'm using iVPN [ivpn.net] who is located in Malta.

  • by plover (150551) on Sunday August 04, 2013 @04:44PM (#44471965) Homepage Journal

    If anyone else used exploits to screw with people, it would be called hacking and they'd probably go to prison, but when the FBI does it, it's 'okay.'

    Actually, a judge has yet to find whether it's OK or not. The admissibility of the evidence in these cases is going to hinge on whether or not it was collected through legal means. And no matter which way the judge finds, the loser is going to appeal. As far as I know, this is all untested legal ground.

  • by Jane Q. Public (1010737) on Sunday August 04, 2013 @04:47PM (#44471995)
    Looks more to me like the 3-letter agencies have decided to BREAK THE LAW.

    Unconstitutional surveillance is bad enough. But they don't have any more right to commit "unauthorized access to a computer system" than anybody else. (That is to say, their javascript hack of site visitors who may be innocent.) They can't break the law in order to enforce the law, unless they want to face criminal charges themselves. Aaron Schwartz faced 30 years in prison for far less. I say, let's see the FBI face the same thing.

    And yes, it may well be enforceable. Look up 18 USC 242, "Deprivation of Civil Rights Under Color of Law". The civil rights in question here might be, just for example, the privacy of your own computer system, which legally requires a warrant or subpoena to access. Just my opinion, but I don't see how simply visiting a website could constitute probable cause, much less justify intrusion in the form of a "hack".

    18 USC 242 IS fairly frequently prosecuted, and last I checked it has a conviction rate of about 98%, which is awesome for any law. And it specifically targets government agents and agencies. The President is not immune.

    (P.S. After reading that law, many folks have been prone to conclude that it only applies to racial and other discrimination. That is because of the awkward wording [e.g., there is a strategically placed comma that makes a big difference]. In fact it applies to ANY Constitutional right. However, my mention of it here is not meant to imply that the law does apply here. Only that it might. IANAL and I don't pretend to be one, but I have researched this law and its application.)
  • by SocietyoftheFist (316444) on Sunday August 04, 2013 @04:54PM (#44472035)

    against our "stout" principles. I'm a libertarian leaning type of guy, that said... I abhor child abuse and especially child sexual abuse, it should be an automatic death sentence, so if they got even one fucking child rapist, I somehow find myself turning a blind eye to this obvious subversion of personal rights.

  • by Anonymous Coward on Sunday August 04, 2013 @05:12PM (#44472163)

    Can you give an example of Russia initiating violence against any country in the last two decades?

    If you're going to bring up Georgia, then I would like to remind that this conflict started with an all-out assault by Georgian troops onto South Ossetia (which has been a de facto independent state for 15 years - far longer than, say, Kosovo), which involved an indiscriminate artillery shelling of a heavily populated city and the barracks of the Russian peacekeepers stationed therein (with an international mandate to be there); ten peacekeepers died in that attack. If that's not a legitimate casus belli for a just war, then what the hell is?

  • by Arker (91948) on Sunday August 04, 2013 @05:24PM (#44472259) Homepage

    Al Qaeda are a bunch of murderous thugs. They get and should get no sympathy whatsoever. But it's the US governments own responses which gives them grounds to curry sympathy. This is why they wanted us in Afghanistan, in Iraq, and beyond. Our government had its own reasons to want to do this, but in the end the result is the same.

    So when you draw lines on your mental map and you are thinking about enemy of my enemy, keep in mind that Al Qaeda and the Feds may be better seen as allies, for the moment at least, rather than enemies. Oh, they dont like each other. But they have been strengthening each others hands and playing together to common goals for a long time. In Afghanistan during the soviet period, in the balkans, and right now in Syria. Al Qaeda, contentless US Press releases to the contrary, was weak and nearly powerless in 2002, and today it has a presence in countries from Mali to Indonesia, and can even field an army (by all accounts the strongest and most successful in the entire opposition) to contend in the Syrian Civil War.

    And the US is backing them, there, much as we did in the Balkans not so very long ago. What's really going on here?

  • by Will.Woodhull (1038600) <wwoodhull@gmail.com> on Sunday August 04, 2013 @05:35PM (#44472353) Homepage Journal

    It is a legal arena defined by the new secret laws whose application is subject only to the new secret courts.

    Congress is not going to do anything about this. Hell, they cannot even decide which hand they should use to wipe their collective ass. The Obama Administration might be complicit in this, or it might have its hands tied. Because the secret courts have the authority to issue secret injunctions against any organization, including other parts of the Federal government, it is possible that Obama has no effective oversight on what they are doing. They seem to report to the Judicial Branch, not the Executive Branch. And the Judicial Branch was not constituted to manage this kind of execution of law.

    We are now beginning to see how a rogue element has managed to gain control of significant Federal powers while remaining outside of any of the constitutional checks and balances.

    This is not going to end well.

  • by jamstar7 (694492) on Sunday August 04, 2013 @05:48PM (#44472477)

    Actually, a judge has yet to find whether it's OK or not. The admissibility of the evidence in these cases is going to hinge on whether or not it was collected through legal means. And no matter which way the judge finds, the loser is going to appeal. As far as I know, this is all untested legal ground.

    You're forgetting something: They said 'pedophile' in the press release.

    An old Soviet trick to remove a recalcitrant politician or bureaucrat who just wouldn't step down when asked nicely then threatened was to label them a pedophile or a rapist, then 'disappear' them. That's how they got rid of Beria rather than let him take over the whole Soviet Union after Stalin.

  • by tnk1 (899206) on Sunday August 04, 2013 @06:15PM (#44472669)

    Although I should point out, Beria actually was a sick fuck. They didn't have to make up half that shit about him. It's just that no one actually could or would do anything about it while Stalin was alive and Beria was still the top flunky.

  • by Anonymous Coward on Sunday August 04, 2013 @06:19PM (#44472693)

    Everybody has a tipping point. I think for US it's going to be the Big Brother issues.

    I'm from Turkey and for us the tipping point was a park.

    For years, we had been suffering the same politics of fear that I see in US. The government was practically putting anyone (particularly people speaking against them) under surveillance, making journalists wait in custody for years before even having their trials, suing people in a corrupt justice system just for speaking their minds using something equivalent of the Patriot Act. The freedom of speech was no where to be seen.

    During all this time, what stopped people from acting was the feeling of being alone and powerless. And that's what happens when all the media is corrupt and distorting and hiding what's really going on. But people were no fools. Thanks to the internet, there were ways of knowing what's really been going on and people have been getting the news.

    So one day, police attacked hundreds of people who were having a sit-in for saving a park and the trees in it with. Anger overwhelmed fear and in a few hours millions were on the street, protesting. I had seen nothing like this. People coming out of Yoga classes were throwing tear gas grenades back to the police. Mothers were preparing solutions to use against the effect of pepper spray. Nobody was afraid of being against the police anymore. The whole story is really interesting, from using google maps to track and distribute police movements to a whole series of sub-culture graffiti on the walls of Istanbul. If you want to learn more, visit this [showdiscontent.com], this [readlists.com] and this [washingtonpost.com] link.

    This lasted for two weeks. For the first five days there was *nothing* on TV or newspapers about this. This was an eye opener for the people who have seen what wasn't being reported. It was what they needed for reverse-engineering the mass-media and bypassing it with social media.

    Now everything is calmer, at least in appearance. But the change that people have gone through is an irreversible process. And I think it is, or will be, of a much important consequence than over-throwing an oppressive government. Because the problem doesn't reside within a single government. It's this whole inhumane, ecologically unmaintainable, unjust system and it is all around the world. We all need to open our eyes and do something about it.

  • It is elements of the FBI charged with executing the secret laws that came into existence more than 6 years ago and are administered by the Judicial Branch through secret courts that were set up for that purpose. Those courts have the authority to issue secret writs that include penalties for even saying that you have received one or are bound by one to act in certain ways.

    Mueller may be operating under Judicial constraints that prevent him from saying anything to Obama, or Clapper, or any elected official or appointee of an elected official. There is no way to know. That's part of the secrecy.

    There are strong Constitutional walls that prevent the Executive Branch from interfering with the operations of the Judicial Branch. The Judicial Branch has no mechanisms for executing laws on its own. But in this situation, the Judicial has been granted direct control over portions of Executive agencies, and those portions of the affected agencies appear to be legally constrained from reporting to their superiors-on-record about their activities. We have heads of agencies that can commit perjury before Congressional committees with impunity-- apparently because the perjury has been approved by some branch of the Judiciary, either directly or under some umbrella order.

    Several years ago, probably for very patriotic reasons to protect everyone from another 9/11, a bunch of lawmakers corrupted the US Constitution with this deadly foolishness. There has been time enough for that corruption to grow the roots it needs-- acquire the secretarial pools, dedicated agents, middle managers, and perhaps even gung-ho janitors-- and now like a corpse flower the thing is coming into bloom.

    There are times when getting out the tinfoil hat is appropriate, such as the 1960s in the USA wrt LBJ's "Guns and Butter" Great Society. We are living in another of those times. No matter how dangerous the world becomes, the USA will certainly lose its core values of liberty and justice for anyone if secret laws and secret courts are not terminated.

  • by cervesaebraciator (2352888) on Sunday August 04, 2013 @06:38PM (#44472843)
    I rather agree with Hayek's views on central planning. But central planning is not the only road to servitude and even the path of classical liberalism can lead to such an end, as Hilaire Belloc warns in The Servile State (it may be found here free [archive.org], here in paper [amazon.com], and here for free on audio [librivox.org]). I sometimes find it interesting, in spite of my libertarian leanings, to consider third ways [amazon.com], apart from the old collectivist/individualist dichotomy.
  • by Anonymous Coward on Sunday August 04, 2013 @06:41PM (#44472855)

    This is not relevant. I don't need nor want to have a name on the internet. My words speak truth for themselves.

    Also i consider your non anonymity as a deviant behavior.

  • by Harik (4023) <Harik@chaos.ao.net> on Sunday August 04, 2013 @07:28PM (#44473179)

    There's a pretty good unwrapping of the payload here [mozilla.org], and it's a pretty creative exploit of the javascript interpreter to execute shellcode. Just from a glance at the shellcode, I see a hand-crafted HTTP header so at minimum they're using the OS network stack directly to give the tor-level UUID a public IP coorelation. Beyond that, they could be doing anything since they're already through the sandbox.

  • by oztiks (921504) on Monday August 05, 2013 @07:10AM (#44475795)

    We certainly are living in interesting times and considering that you're 200,000 UIDs older than me, you have to consider what Slashdot was like years ago.

    I remember when people started taking shots at Slashdot for the type of articles it posted, flamed it for being too mainstream, Apple-centric, or because it's become a popular wannabe geek pissing ground. Though all these things may be true or not, it doesn't really matter.

    What's important to know is that Slashdot is about IT/Geek news and if you look at the IT segment alone it has become massively political. The shit fights between Netscape and Microsoft pale in comparison to the crap we're subjected too today. The Obama administration is now getting involved in the Smartphone wars for example ... who would'a thought? The EU slapping Microsoft over antitrust, so what? The US is now posturing against Russia because of leaked data that has been spilled out on the internet. We're talking about "news for geeks" hosting stories about stuff that wars are made from!

    You say hardball? you say interesting times? I say how much more interesting is it gonna get?

  • Re:citation needed (Score:4, Interesting)

    by Quila (201335) on Monday August 05, 2013 @07:37AM (#44475911)

    They approve all applications because: First, the same few FBI lawyers make the applications and have a pretty good idea of what will get approved and what won't. Second, the FISA court clerks know what their bosses will and won't approve, so reject or send back for modification almost all deficient applications before they even hit the judges where they can be counted in this approval rate.

    The rate of applications modified or rejected by the clerks is the real approval rate, but that's not tracked.

An inclined plane is a slope up. -- Willard Espy, "An Almanac of Words at Play"

Working...