Thoughts and Concerns about Operation Onymous

What happened

Recently it was announced that a coalition of government agencies took control of many Tor hidden services. We were as surprised as most of you. Unfortunately, we have very little information about how this was accomplished, but we do have some thoughts which we want to share.

Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of disappeared and there is another report by an independent relay operator. If anyone has more details, please get in contact with us. If your relay was seized, please also tell us its identity so that we can request that the directory authorities reject it from the network.

But, more to the point, the recent publications call the targeted hidden services seizures "Operation Onymous" and they say it was coordinated by Europol and other government entities. Early reports say 17 people were arrested, and 400 hidden services were seized. Later reports have clarified that it was hundreds of URLs hosted on roughly 27 web sites offering hidden services. We have not been contacted directly or indirectly by Europol nor any other agency involved.

Tor is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissidents. We are also interested in learning why the authorities seized Tor relays even though their operation was targeting hidden services. Were these two events related?

How did they locate the hidden services?

So we are left asking "How did they locate the hidden services?". We don't know. In liberal democracies, we should expect that when the time comes to prosecute some of the seventeen people who have been arrested, the police would have to explain to the judge how the suspects came to be suspects, and that as a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical internet-facing services. We know through recent leaks that the US DEA and others have constructed a system of organized and sanctioned perjury which they refer to as "parallel construction."

Unfortunately, the authorities did not specify how they managed to locate the hidden services. Here are some plausible scenarios:

Operational Security

The first and most obvious explanation is that the operators of these hidden services failed to use adequate operational security. For example, there are reports of one of the websites being infiltrated by undercover agents and the affidavit states various operational security errors.

SQL injections

Another explanation is exploitation of common web bugs like SQL injections or RFIs (remote file inclusions). Many of those websites were likely quickly-coded e-shops with a big attack surface. Exploitable bugs in web applications are a common problem.

Bitcoin deanonymization

Ivan Pustogarov et al. have recently been conducting interesting research on Bitcoin anonymity.

Apparently, there are ways to link transactions and deanonymize Bitcoin clients even if they use Tor. Maybe the seized hidden services were running Bitcoin clients themselves and were victims of similar attacks.

Attacks on the Tor network

The number of takedowns and the fact that Tor relays were seized could also mean that the Tor network was attacked to reveal the location of those hidden services. We received some interesting information from an operator of a now-seized hidden service which may indicate this, as well. Over the past few years, researchers have discovered various attacks on the Tor network. We've implemented some defenses against these attacks, but these defenses do not solve all known issues and there may even be attacks unknown to us.

For example, some months ago, someone was launching non-targeted deanonymization attacks on the live Tor network. People suspect that those attacks were carried out by CERT researchers. While the bug was fixed and the fix quickly deployed in the network, it's possible that as part of their attack, they managed to deanonymize some of those hidden services.

Another possible Tor attack vector could be the Guard Discovery attack. This attack doesn't reveal the identity of the hidden service, but allows an attacker to discover the guard node of a specific hidden service. The guard node is the only node in the whole network that knows the actual IP address of the hidden service. Hence, if the attacker then manages to compromise the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service. We've been discussing various solutions to the guard discovery attack for many months, but it's not an easy problem to fix properly. Help and feedback on the proposed designs are appreciated.

*Similarly, there exists the attack where the hidden service selects the attacker's relay as its guard node. This may happen randomly or this could occur if the hidden service selects another relay as its guard and the attacker renders that node unusable, by a denial of service attack or similar. The hidden service will then be forced to select a new guard. Eventually, the hidden service will select the attacker.

Furthermore, denial of service attacks on relays or clients in the Tor network can often be leveraged into full de-anonymization attacks. These techniques go back many years, in research such as "From a Trickle to a Flood", "Denial of Service or Denial of Security?", "Why I'm not an Entropist", and even the more recent Bitcoin attacks above. In the Hidden Service protocol there are more vectors for DoS attacks, such as the set of HSDirs and the Introduction Points of a Hidden Service.

Finally, remote code execution exploits against Tor software are also always a possibility, but we have zero evidence that such exploits exist. Although the Tor source code gets continuously reviewed by our security-minded developers and community members, we would like more focused auditing by experienced bug hunters. Public-interest initiatives like Project Zero could help out a lot here. Funding to launch a bug bounty program of our own could also bring real benefit to our codebase. If you can help, please get in touch.

Advice to concerned hidden service operators

As you can see, we still don't know what happened, and it's hard to give concrete suggestions blindly.

If you are a concerned hidden service operator, we suggest you read the cited resources to get a better understanding of the security that hidden services can offer and of the limitations of the current system. When it comes to anonymity, it's clear that the tighter your threat model is, the more informed you need to be about the technologies you use.

If your hidden service lacks sufficient processor, memory, or network resources, the DoS-based de-anonymization attacks may be easy to leverage against your service. Be sure to review the Tor performance tuning guide to optimize your relay or client.

*Another possible suggestion we can provide is manually selecting the guard node of a hidden service. By configuring the EntryNodes option in Tor's configuration file you can select a relay in the Tor network you trust. Keep in mind, however, that a determined attacker will still be able to determine this relay is your guard and all other attacks still apply.
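The guard-DoS scenario described in the note above and the EntryNodes advice here can be put in numbers. The following Python model is an added illustration, not Tor Project code: it uses a constructed toy guard list (the fingerprints and bandwidth weights are made up) and simulates a hidden service that has to reselect its guard each time its current honest guard becomes unreachable, counting how often an adversary-controlled relay ends up as the guard. It compares the simulated rate with the closed form 1 - (1 - f)^k, where f is the adversary's share of guard bandwidth and k the number of selections.

```python
"""Risk model for forced guard rotation (added illustration, not Tor code).

A hidden service keeps one guard. If an adversary can make the current honest
guard unreachable, the service selects a fresh guard, and every selection is
another chance to land on an adversary relay. Pinning a trusted guard (the
EntryNodes advice) stops that rotation, at the cost of availability.
"""
import random
from typing import Dict, Optional, Set, Tuple

# Constructed toy guard set: fingerprint -> (bandwidth weight, adversary-controlled?).
# Names and weights are invented for this example; they are not real relays.
TOY_GUARDS: Dict[str, Tuple[int, bool]] = {
    **{f"HONEST{i:02d}": (50, False) for i in range(20)},  # 20 honest guards, weight 1000
    "ADVERSARY00": (50, True),                             # adversary controls weight 100
    "ADVERSARY01": (50, True),
}


def adversary_fraction(guards: Dict[str, Tuple[int, bool]]) -> float:
    """Share f of total guard bandwidth under adversary control."""
    total = sum(w for w, _ in guards.values())
    bad = sum(w for w, is_bad in guards.values() if is_bad)
    return bad / total


def pick_guard(guards: Dict[str, Tuple[int, bool]], unusable: Set[str],
               rng: random.Random) -> str:
    """Bandwidth-weighted choice among currently reachable guards,
    mirroring the weighted selection a Tor client performs."""
    candidates = [fp for fp in guards if fp not in unusable]
    weights = [guards[fp][0] for fp in candidates]
    return rng.choices(candidates, weights=weights, k=1)[0]


def rotations_until_adversary_guard(guards: Dict[str, Tuple[int, bool]],
                                    rng: random.Random,
                                    max_rotations: int) -> Optional[int]:
    """Simulate the post's scenario: each honest guard the service picks is
    knocked offline, so the service must choose again. Returns the number of
    selections made when an adversary guard is first chosen, or None if that
    did not happen within max_rotations selections."""
    unusable: Set[str] = set()
    for n in range(1, max_rotations + 1):
        guard = pick_guard(guards, unusable, rng)
        if guards[guard][1]:
            return n
        # The honest guard becomes unreachable; only the most recently downed
        # relay is excluded from the next selection (earlier ones have recovered).
        unusable = {guard}
    return None


def closed_form_probability(f: float, k: int) -> float:
    """P(adversary guard chosen within k independent selections) = 1 - (1 - f)^k."""
    return 1.0 - (1.0 - f) ** k


def estimate_probability(guards: Dict[str, Tuple[int, bool]], k: int,
                         trials: int = 20000, seed: int = 1) -> float:
    """Monte Carlo estimate of the same probability for the toy guard set."""
    rng = random.Random(seed)
    hits = sum(
        1 for _ in range(trials)
        if rotations_until_adversary_guard(guards, rng, k) is not None
    )
    return hits / trials


if __name__ == "__main__":
    f = adversary_fraction(TOY_GUARDS)
    print(f"adversary share of guard bandwidth f = {f:.3f}")
    for k in (1, 5, 10, 30):
        print(f"k={k:2d} selections: closed-form {closed_form_probability(f, k):.3f}, "
              f"simulated {estimate_probability(TOY_GUARDS, k):.3f}")
```

With the toy numbers (f of roughly 9%), one selection is a 9% risk, but ten forced reselections push it above 60%, which is the point of the DoS-driven rotation. The simulation sits slightly above the closed form because the downed honest relay is excluded from the next draw, raising the adversary's effective share. Pinning a trusted relay with EntryNodes (and StrictNodes, so Tor does not fall back to another guard) keeps k at one; the cost is that the service is unavailable while that relay is down, and, as the paragraph notes, the attacker can still learn which relay it is.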

Final words

The task of hiding the location of low-latency web services is a very hard problem and we still don't know how to do it correctly. It seems that there are various issues that none of the current anonymous publishing designs have really solved.

In a way, it's even surprising that hidden services have survived so far. The attention they have received is minimal compared to their social value and compared to the size and determination of their adversaries.

It would be great if there were more people reviewing our designs and code. For example, we would really appreciate feedback on the upcoming hidden service revamp or help with the research on guard discovery attacks (see links above).

Also, it's important to note that Tor currently doesn't have funding for improving the security of hidden services. If you are interested in funding hidden services research and development, please get in touch with us. We hope to find time to organize a crowdfunding campaign to acquire independent and focused hidden service funding.

Finally, if you are a relay operator and your server was recently compromised or you lost control of it, please let us know by sending an email to

Thanks to Griffin, Matt, Adam, Roger, David, George, Karen, and Jake for contributions to this post.

* Added information about guard node DoS and EntryNodes option - 2014/11/09 18:16 UTC


Nice post, but you didn't ask hidden service operators to look at their logs or contact you about something suspicious. That could help you narrow it down. Many more operations are ongoing, most likely.

More speculation, but now that relays are being seized, it's looking more and more likely to be a guard discovery attack followed by a seizure and log search to find the HS. I hope the guy in Eastern Europe encrypted his node.

It has been posted here many times: there is zero useful data on an exit node, taking them is pointless, unless they took them to hide the fact that they had dirty software on them.

Right -- there's also nothing on the entry node to say what Tor clients (including hidden services) had used it.

I want to know what distro was on these boxes myself, please do post that info. I would make a guess but I don't want flame wars.

It is sure that there was neither OpenBSD nor FreeBSD.
Also, any GNU/Linux distro is the same GNU/Linux distro. Same kernel, same programs, same bugs, same GNU/Linux shit.

Cute, but the trick is to not be obvious.

They may have grabbed a bunch of servers because Facebook created the hidden service and they don't want that idea catching on, this is how they operate. Personally I would like to see someone that can confirm people were arrested; the user certainly wasn't, as he is able to post on the internet.

Don't be silly. This was not orchestrated within two weeks. This likely has *nothing* to do with Facebook.

He meant it about the timing of the revelation and arrests, not that deanonymization was done after Facebook revealed its HS. He makes a pretty good argument and I definitely second him.

Beware of Infowars and other Alex Jones sites...! He has connections and hates Tor users..!

Um, I take it you are already wearing your little tinfoil hat? Facebook had NOTHING to do with this. Laughable thought, or maybe just stupidity on your part. Not sure which.

Anyone who doesn't suspect foul play from the government due to the close proximity is the one being idealistic and prone to tinfoil hat wearing.

The poster did not say Facebook had anything to do with this.
The poster suggested that the timing was used to scare users from using Tor so that other services would not follow Facebook's example and open hidden services as well.

The Feds had some discretion of when to pull the trigger... they may have reacted to Facebook's timing. Senator Schumer said we're coming after dark markets, and Facebook normalizes things just by choosing them. 400 sites is bigger than anyone expected. Because of the takedowns, prospective users may continue to think twice before venturing onto hidden services, rather than assuming it's all clear just because Facebook's there.

More DoS de-anonymization research:

- "The Sniper Attack: Anonymously Deanonymizing and Disabling the Tor Network"
- "Short Paper: Challenges in protecting Tor hidden services from botnet abuse"
- "Never Been KIST: Tor's Congestion Management Blossoms with Kernel-Informed Socket Transport"
- "... 10,000+ sockets active in fast exits"

I have noticed watching Vidalia the past few days that my first hop keeps changing insanely, like every few minutes. This has made TOR really slow. It appears someone can attack the first hop, like the Great Firewall of China disconnect; oddly the middle and exit are not changing while this insanity is happening.

More details? Tor version, operating system, which bundle, etc?

Changing the first hop while keeping the second and third hop static is not something that Tor does, or something that a network or relay adversary should be able to induce. Are you sure you really have Tor?

Looks like it's a DoS attack, but I'll wait until OP gives us more info.

Is it true that NSA etc. surely can _force_ every Tor user to connect to their own entry guard? Just reset the current connection till the client selects the NSA guard. For some time the Tor client uses just one entry guard.

"Is it true that NSA etc. surely can _force_ every Tor user to connect to their own entry guard."

I don't know, is it?

Are you asking us or telling us?

Are there any instances of people downloading something pretending to be Tor in the past few days? How would I know I have the real Tor?

"How would I know I have the real Tor?"

You might want to start with verifying the signature.

TCP... attack! come on you guys must know how this is done..! or are you just followers running Tor for the fun of it?

What about the fact that TOR is penetrated by the CIA, etc.!
Almost everyone involved in developing Tor was (or is) funded by the US government.

Tor Project has not even attempted to hide that information, which your representation of is off anyway. It's actually funded largely by the government, but not the CIA or NSA or FBI. But they are transparent about it and have been since the beginning. The code behind everything is 100% free and open source and is actively reviewed.

Not saying it's *impossible* for there to be a surreptitiously implanted backdoor somewhere in the code, just unlikely given its effectiveness against nation state adversaries in the past. It's also important to note the difference in strength of anonymity between Tor proper and the hidden services protocol. HS need love. Tor proper is much more actively developed, tested and reviewed overall. So HS operators are currently at a disproportionate risk compared to Tor users overall.

Arpanet was funded by the US DoD...Do you not use TCP/IP?

And Newton formulated the law of universal gravitation, so what? Only the British can legally fly?

Perhaps if Newton had been a representative of the British government and had claimed that gravity could somehow help one in hiding from that entity, then your analogy might make sense.

Newton was the Astronomer Royal, lord overseer of the mint, president of the Royal Society, held the Lucasian Chair in Mathematics at Cambridge, and was a minister (maybe even a bishop, I can't remember) in the Church of England. All of these were (at least technically) appointed by the king. In so far as Isaac Newton ever had a "job", that job was representing the British government. Try again.

Has the TCP/IP protocol ever been claimed-to provide anonymity?

Highways are funded by the US government. Don't Drive!!!

Your analogy fails.

Does anybody claim (whether explicitly or implicitly) that the U.S. highway system (or any part thereof) can provide /any/ degree or kind of anonymity or obscurity against /anyone/, much less Uncle Sam (the U.S. government)?

Well the 4th amendment does decree protection of personal privacy, and every citizen's right to be free from unreasonable government intrusion into their persons, homes, businesses, and property. This expectation of privacy extends to vehicles by way of stop.

What about the fact that everyone involved in developing the Internet was the U.S. government. Most major new technology use innovations have come via the military / government. Remember the use of airplanes in WWI? The technologies then expand beyond the sole domain of the government. So your point is ...... ?

"Most major new technology use innovations have come via the military / government."

You are likely correct about that and even if not /most/ then it is still certainly at least /many/ innovations and developments that the government and military sector can be credited with. This taxpayer-funded technology is then appropriated by private corporations, for their own profit, largely at the expense of and to the detriment of the very public that, through their funding, enabled such technology in the first place.

My speculation about what happened follows. The attacker floods a particular hidden service with random/innocent GET requests at a chosen time. The network links are monitored for that flood pattern. Then the suspected servers are unplugged briefly, and the attacker checks which HS goes down at the exact same time. Now the search for evidence actually begins. It is a very simple and effective attack, particularly against low-traffic servers.

Right -- this attack will work, but only if you are already in position to monitor the hidden service's network connection. If you can do that, it's easy to *confirm* that it's the hidden service in question.

But if you don't already know where to look, it's hard to do this sort of confirmation attack.

Are you arma assuming that there is no "global passive adversary" involved?

It doesn't have to be global -- it just has to be big enough to include watching your network connection.

It seems clear from recent documents that there is indeed a pervasive passive adversary (whether it's "global" in the academic literature sense doesn't matter much here). On the other hand, maybe the NSA and GCHQ don't want to share with other orgs. I don't think the FBI by itself is a pervasive network adversary yet.

On the third hand, we certainly have heard examples where the pervasive surveillance people and the law enforcement people *do* collaborate. And then where the law enforcement people lie afterwards about how it happened. :( Is this event one of those cases? Are they rare or commonplace? It sure would be nice to have clearer answers about which laws they're breaking and which social expectation boundaries they're overstepping.

>On the other hand, maybe the NSA and GCHQ don't want to share with other orgs.

Why don't you simply ask the NSA? They pay you $100k+ annually for your job at the Tor Project, so I assume they'll give you information as well...

>$100k+ annually for your job at the Tor project

Source for that info?

If true that any of the employees of the Tor Project receive a salary that high, I would like to hear how they justify it.

The Tor Project:
- is a not-for-profit organization
- actively requests donations from the general public
- purports to be dedicated to an altruistic cause

The Tor Project, as any other entity with these characteristics, owes its users, its supporters and the general public an explanation of any expenditures of the like that is alleged here.

IMHO that's a very normal developer salary (which is not even competitive in certain areas of the US, at least not for senior engineers etc.)

Tor's IRS forms are published by Tor Project itself: (e.g. 2013: (note that particular salaries there are only listed if they are over $100k.)

> The Tor Project:
> - is a not-for-profit organization
> - actively requests donations from the general public
> - purports to be dedicated to an altruistic cause

FYI, "not-for-profit" means that any profit garnered by a company remains within the company. Again, (IMO) > $100k salaries for developers in the Western world (e.g. the US, Germany) are very common, no matter if you are aligning with altruistic causes or not.

All of their $$$ is transparent. Have you ever even looked around this site?

Strong software engineers are not cheap. Tor is not something you hire a low paid programmer for.

For the right person I would be okay with them giving $200,000 if it was somebody skilled enough to protect the network for all of us.

Even good talent who love what they're doing need to be paid well if you expect them to stick with Tor.

"I don't think the FBI by itself is a pervasive network adversary yet."

Did you not read the Snowden docs about the FBI and NSA coordinating tasks for PRISM?

WAIT! Wasn't Snowden paid by ...

I think your theory is very good: flooding a hidden service with GET requests and then unplugging parts of the internet briefly, one part at a time, eventually helps to find the hidden service.

Then, by monitoring when the hidden service stops responding, you can narrow down where the hidden service is by comparing it with the timetables of the unplugged parts of the internet.

Perhaps in the future, if relays contained no hard drive, then law enforcement wouldn't really have a reason to seize the relay, as it doesn't contain any evidence. It simply runs as a relay in RAM.

Yes. And counterintuitively, the people recommend not using disk encryption, so it's easier for the forensics people to become convinced that there's nothing on the computer but a Tor relay.

See also bullet point #2 at

And you can run FreeBSD w/ Tor without any HDD! Or better, have Windowz installed on disk and press the reset button. There will be no evidence.

About convincing: how can you convince them that you are not a serial killer or spy? Shouldn't it work only the other way? They should prove it, not you.

Don't we have to deal with what is, not what should be?

Nice question "how can you convince that you are not a serial killer or spy?" Can you?

hmm, oh. I see you were gone for three days. Busy?

Layperson here, but responding to the last sentence in the second paragraph "If your relay was seized...":

Is there any way to write a canary that would reside in a relay's software and squawk if the relay was seized? Somewhat similar to heartbeat functions that indicate all's well until it isn't? This could help identify and exclude seized servers from the network.

The canary could be disabled by the person who seized the relay. Really all they need to do is grab the nickname and identity key and then set it up somewhere else.

That said, for one example of a step we could take, see:

Ultimately, we need more people watching the Tor network for anomalies, e.g.

Thanks for these links, helps me learn.

It's simple: a disabled canary can't speak. No signal is the best signal!

Just going to throw my 2 cents down here...

Maybe a sysadmin should be required to enter a passphrase upon starting up a Tor node to prove the node is in the correct hands.
I've not heard of servers being seized without any kind of rebooting happening in order to gain access to the contents of said server.
At least then we won't have any exit servers seized without some kind of alert being set off.

Or maybe we should just look at the possibility of multiple servers sharing the same onion url, and working on an anycast/multicast type scenario, so that if DoS attacks happen, the traffic is equally split amongst datacenters, making things harder to locate.

It's so plain, how _can_ they not be doing that?

:*( We scriptkiddies are doomed. We want some anonymity!

We, the NSA, want to see what you are doing in your toilet. For sure we need it to help you.

How would a SQL injection or an RFI bug lead to deanonymization/location of a hidden service?

If you have shell on a box, I don't think it's hard to learn its IP address. Except if it's severely firewalled, but there still should be a way.

It is certainly possible to run a hidden service on hardware that is unable to connect to the internet without going through Tor (eg, tor is running on another machine), but probably very few people go to the trouble of doing this.

So, usually, code execution on a hidden service web app means you can locate the server.

Add to this that most hidden service operators seem to be running their operation on a chroot jail/VPS.

While layered hardware routers would be the ideal scenario, it seems that most of these sites do not even bother with a decent stopgap measure of having a dedicated machine running something like ESXi to create a virtual layered approach.

people are just dumb and lazy animals

The guy in Eastern Europe who was raided at the behest of the FBI or HSI references the 1st Amendment - how does that apply to him? Does his country have a 1st Amendment?

Yeah, that is kind of a weird phrase for him to throw in.

Alas, even though some of the attackers here are FBI, if he's not an American then they don't have to give him any rights. It's crummy but we've seen it again and again recently. :(

So he should call it a terrorist raid from the FBI/NSA.

I'm in Eastern Europe and I know that my country extradites people who use the internet to break American laws and these people are tried in American courts but I don't know whether the American 1st Amendment applies.

Any person tried in the US under US law has, at least in theory, all the protections of that law, including 1st Amendment constitutional protection. In practice, however, having such rights violated by the courts happens -- and one cannot always afford to seek the judicial reviews needed.

I imagine this is particularly challenging for people who have been extradited here, as they typically also have no access to funds and are not native English speakers, both of which can act as barriers to effective justice in the US.

His story seems fake, I think he is an American troll.

It's also possible that TOR developers are working with LE, and have injected some hard-to-detect loophole in a convoluted bit of source code. It might be disguised so well that experienced bug hunters would skim right over it and not realize what they were looking at.

Why would TOR devs work with LE? I think in an attempt to help get rid of drug sites/illegal porn sites, they may feel it gives "legitimacy" to TOR, and in turn, may increase donations/funding.

The big problem with that line of thinking, however, is those same "loopholes" used by LE to shut down "illegal" sites will also be used to catch the next Edward Snowden, or crack down on people criticising their government. At this point, I think the evidence points to TOR being compromised from the inside, and TOR's credibility is suspect until/unless we learn otherwise.

Intentionally degrading Tor's anonymity would be stupid. It's already weak enough compared to the very real adversaries that some of our users are facing (even though at the same time it is the best available system).

Putting a backdoor in Tor, which could then be exploited by other people too, would be a really bad idea. We haven't done it and we won't do it.

For more reading and videos, see:

Of course you would deny it.

You're an idiot.

absolutely illogical

His very denial is proof of his guilt!

Wow, what a bunch of big accusations against those that stand between a complete surveillance state vs a somewhat half ass broken private internet.

JAP did that, and it destroyed them. Tor would have to be run by idiots to think that was a good idea, and I don't believe it is.

Exactly! In a similar manner to JAP, if a 'back-door' in Tor was exposed it would be the death-knell of Tor!

I don't think so! If they would, why are some of the worst sites in onionland still online? For me it seems that LE was catching what they could and not what they wish they could!

I very much doubt TOR developers AS A GROUP would do such a thing.

However, a single TOR developer might go "off the reservation" and put his own desires to help rid the world of illegal-drug/illegal-porn sites ahead of those of his fellow developers, the TOR community, those who depend on TOR for purposes even he would presumably think are legitimate. As others have already implied, such a person is only fooling himself if he thinks doing this won't hurt all TOR users.

There is also the remote possibility of a double-agent programmer who only pretends to be working towards the project's goals but is really trying to insert code to serve the needs of his true master, probably a government agency but possibly a non-governmental actor that would benefit from being able to break TOR's security.

A good albeit incomplete defense to such "lone wolf Benedict Arnold coders" is to have all code peer-reviewed before it is committed and to have periodic code audits so every line of code is reviewed every year or two by someone who has neither touched nor reviewed that section in the last few years.

Well, I believe if you haven't something like jail for him, he _must_ be neutralised (?)

It's Tor, not TOR.

TOR is an acronym so it is TOR. If someone wants to call it Tor that is fine but the equal same is true..

Also, I laugh at everyone here. You cannot hide from low level TCP/IP attack when the transmission medium is compromised. If a packet can go from point A to B it can be tracked.


b) it seems you are fundamentally misunderstanding the Tor design (or overlay networks in general). That's great! You should learn about it. I recommend starting at

Oh that is just great! I am an English major and so I am used to capitalizing all acronyms. now I have to get used to using "Tor", even though I know it is an acronym!

They need tor against putin's kgb russia, so it will live for now...

The scope of the recent seizures makes it clear that TOR has been compromised, and LE has found a way to strip anonymity. It obviously wasn't just one or two people who made mistakes on their security--this was a world-wide coordinated effort with dozens of sites. I also find it hard to believe that the TOR devs were not aware of the exploit LE has been able to use. I suspect they thought TOR would gain "legitimacy" if they allowed LE to crack down on drug sites et al. The problem is LE got greedy, and did this mass infiltration. If it had only been one or two sites, we could have chalked it up to a couple people making security mistakes. Until we find out exactly how they did it, we should assume TOR has been compromised, and assume "they" know who you are when using it.

I assume you're the same person as wrote the comment above; I've replied there.

Cookie, user agent, connection keeping, etc. Of course you know.

He's an idiot that doesn't realize the entire internet is the conception of the United States military. If he's so sure Tor is a honeypot, why even come here to post? It's the same story every time: some CS1 level student thinks he's a cypherpunk because he knows about the Silk Road and has all the answers to questions plaguing humanity. He should focus on his schoolwork.

Well, $ is a USA emanation, so immediately stop using it in the world! Don't fly if you're not British, drop your guns if you're not Chinese!

I don't think the number of busts tells us anything about whether or not Tor has been compromised. If LE had *not* broken Tor and were just doing a regular bust I think you would expect to see them do it like it was done here. Wait until you have gathered enough evidence through whatever channels you can and take down as many targets as possible in a very short space of time. If they had only taken down one or two, others would rush to secure themselves or might go offline entirely. LE wants to look big and strong, more busts is more intimidating.

Of course putting a "backdoor" into the code would be a bad idea, but then again, sometimes the best hiding places are right in front of you. I think the TOR source code needs to be picked through with a fine toothed comb. And who knows what the TOR devs might kowtow to if the FBI showed up at their door, or if they were handed an envelope full of money. Trust nobody--especially the people who say, "you can trust us".

Yes please! Please audit the code. There's a great guy in Russia (we think -- so far he's remained anonymous) who has been finding and reporting bugs in the code over the past years. We need more people doing more of that auditing.

And this is especially the case when you consider the broader ecosystem of software that's involved here -- whether it's apache and nginx, or Firefox, or Tor, or the Linux kernel, etc.

But it's actually worse than this, because even if you do audit the code, you'll only be checking for whether we do things the way we said we did. Popping up a layer on the stack, the other question needs to be "should you be doing them that way, or is there a safer way?" That's what all the research and design work is about, and why we work so closely with the academic anonymous communications research community.

See for some discussion about all the layers that need evaluation and analysis, beyond just source code.

And as a last note, it would be neat to set up some sort of security bug bounty program, like many of the major commercial software companies have these days. If anybody knows a funder or company who wants to help make that happen, please talk to them.

I'm going Tor-over-Tor mode, with the direct guard being a bridge, until this whole thing blows over.

Using a bridge may be a good idea, but keep in mind that bridges are given much less attention than the public relays. At this point, they are only best-effort. (This is slowly improving, though.)

As for Tor-over-Tor, this may not be such a good idea. It increases the length of your circuit but it doesn't necessarily improve the anonymity properties. Remember that when the second instance of Tor creates its circuit, it has no idea which relays were chosen by the first instance. If both instances of Tor choose the same node(s) for the circuit, it becomes easier to execute some attacks.

Tor over tor is a poor man's implementation of guard pinning. A cheap way of protecting against RP DESTROY. I think it might have worked against RELAY_EARLY too, but that is old history now.

Downsides, as you said: a relay being used twice, and increasing the number of relays involved, thus increasing the chance of a bad one being involved. I'm still trying to iron it out.

inb4 #2667

Considering using bridges, but I was thinking... Unless you have a riseup account (and most Tor users I know don't), aren't bridges received by gmail, yahoo also compromised? And from the "Just give me bridges!" it is easy enough to navigate and get bridge relays. So how can using bridges be safe?
Not trying to be critical, just curious.

isn't there any randomness in choosing or are you _always_ selecting the same nodes?

Someone talk to admins from Evo and Agora to find out what they did differently over the past few months. They should have some interesting insight.

My guess is that they are hosted in a country that would tell the FBI to fuck off (e.g. Russia or Malaysia). Either that or they are doing something smart from an infrastructure pov (e.g. rolling up new instances to rotate servers / ips).

All the busts seem to be in NSA friendly territories.

The Agora admins are smart enough to keep their mouths shut. They barely say anything to the users on their forums.

They're not going to help Tor if approached. Maybe they would help anonymously, but it will be them contacting Tor, not vice versa.

Onymous was not the only Tor-related big operation recently. Last month "Operation Darknet" from Brazil's federal police resulted in 55 people arrested and another 100 arrest warrants issued in the country; suspects were also identified in other countries.

50 people were jailed in a child abuse case (should I say, in some cases baby abuse).
You asked for it..

Thanks! Have you seen any indication that they used an attack on Tor or if this was attributed to opsec failures?

Not from what I heard about through the grapevine. In that case from Brazil the members of the site had to download an executable file (like a password maker type of thing). And that's likely what got them, set up from the start. (And good riddance!)

They just said they developed "a method" and tools in partnership with the FBI and British police.

Many of the sites which have been inaccessible after Thursday were not marketplaces. Many were forums, some of which were unconnected to markets and were not directly involved in any other illegal activity. Because of this, there are suggestions that all these sites were hosted by the small number of companies which accept Bitcoin as payment, and that Operation Onymous merely seized the servers owned by these companies.

The press release of the Bulgarian State Security Agency explicitly said that there was a single Bulgarian communication company involved, although from the text it is not clear whether all the Bulgarian darknet sites that were taken down were hosted by a single company or whether the infrastructure of a single company was used to execute the takedown.

why should anyone believe press releases? aren't they all prepared by the $$services now, just as PR actions?

Does this government stuff mean that regular tor users can be deanonymized?
Thanks a lot.

We don't know how they did this, so anything is possible. It is unlikely this news changes anything for regular users, but it's always good to be cautious and remember that remaining anonymous online is not easy so you should always be careful.

Well good luck with shutting down OpenBazaar

Would reverse proxying / vpn the Hidden Services defend from this?

e.g. Client ---> Server A (Reverse Proxy / VPN) ----> Server B (Hidden Service)

If Fascists (/Feds) find your IP, they'll only seize the proxy / vpn (A). Presumably if this works you could also reverse proxy it a few times for extra protection.

Potentially it would, yes. But do you really want your anonymity to rest on some VPN service that claims it doesn't keep logs? Though I guess it's better than being bare-naked at the end of your Tor circuit.

hint: trust distribution over multiple VPN providers

It sounds good in theory. I'm not sure if it would actually work.

That won't work. If the proxy/VPN gets seized, all they have to do is comb through the server's configuration files and figure out where the hidden server is.

Not if it's a double with a canary: VPN reverse proxy + VPN server; in case the VPN connection fails the proxy will destroy its configuration. You could also do 3 VPN links.

tor guys i believe you should listen to the vox populi .. (do _3_ vpn links and tor)

Do you mean
Client ---> Server A (Reverse Proxy / VPN) ---> TOR ----> Server B (Hidden Service)

or do you mean

Client ---> TOR ----> Server A (Reverse Proxy / VPN) as a hidden service ---> Server B

or even a quasi/bastardized TOR-over-TOR-like

Client ---> TOR ----> Server A (Reverse Proxy / VPN) as a hidden service ---> second proxy/VPN -> TOR -> Server B (Hidden Service)

The idea of the last two is that "Server B" doesn't have to be in the same country as the hidden service and it doesn't necessarily depend on the hidden service staying up: If the hidden service is seized, a backup hidden service can be brought up as a near-drop-in-replacement.

Of course, both of these two options just trade one set of problems for another. Even as I write this, I can think of some attacks on these two methods that are harder to do with a plain-old client->TOR->Hidden Service model.

I guess

Client ~~> VPN ~~> Destination (~~> = tor circuit)

Would be as good as anything, assuming you paid for the VPN with clean bitcoins.

I mean if you're screwed with that then you will probably be screwed with anything more complicated.

Sorry if it is too offtopic but please give it a read, it might give you some important ideas on a broader view concerning the possible future of the Tor project as well as some insight into general principles of life, the universe and everything. ;)

I think the Tor project has reached a critical point in its development over the last 1-2 years. I call it 'too big to work' in contrast to the 'too big to fail' theory in economics.

It roughly means that once a 'living' system reaches a certain size and impact on its environment, the attraction to potential enemies becomes so great that it eventually crashes. The costs of outrunning the growing number of enemies in an arms race simply get too big. This applies to many biological or social systems like populations, communities, and even civilizations.

Think of a uniform population of highly specialized social organisms which have a very good defense against predators, parasites or diseases.
As long as the population is very small and hiding in its niche, the costs for an adversary to overcome the organisms' defenses are in no relation to the potential success (as food source, host for parasites, ...). However, as social organisms, they don't do very well in very low densities either.
These were the earliest days of the Tor project. Barely anyone knew about it or noticed it. Neither users nor adversaries.

As the population grows, the individuals can interact more efficiently, greatly increasing their success. First adversaries begin to adapt to their defenses but it takes time and most attempts end in failure. The trade-off between invested resources to break the defense and potential success still is very poor. Our organisms have a head start and flourish while enemies lag behind.
These were the 'golden days' of hidden services until about 2 years ago.

Finally, due to this success the population becomes very large; individuals are now not very rare but quite common in the ecosystem. As time progresses, more enemies have still managed to break through the increasingly improved defenses of our organisms. At first this seems meaningless, but these adversaries are now able to gain resources off our numerous organisms and multiply themselves, while over time more and more different enemies manage the same. Due to the sheer number of potential targets this now pays off greatly. As our population is uniform, once its defenses are overcome it has to slowly evolve better strategies while having to react to a steadily increasing number of threats, inevitably leading to population decline.
This may be the grim future.

How can the story end?
1) extinction - being completely wiped out
2) great decline, becoming unattractive to adversaries again
3) the only feasible solution I have found is the concept of resilience by redundancy through diversity.
Resilience can be defined as the ability of a system to cope with change without crashing.
Redundancy in this case means multiplication of critical functions of a system with the intention of increasing stability.

Remember, the problem of our population was its uniformity. Instead of becoming one large population it could have split into several mid-sized sub-populations with different traits, yet the ability to interact (-breed). Some may even break off and become fully independent species.
This way even if a terrible predator or disease would wipe out an entire population, it is highly likely that other related populations with a slightly different defense approach would survive and recover within a reasonable time.
On a larger scale this is believed to be a major factor of ecosystem stability. The more different species you have playing certain key roles in ecosystems, the more resilient the system is to catastrophic change. Even if one species fails, there's another one to quickly take over with little impact on the overall system. A very simple system with few species may crash or at least suffer a severe setback in productivity for a long time until the lost species is replaced by migration or evolution.
I am sure you get the idea now. I know resilience is quite unpopular in our hyper-efficient world as it costs a tremendous amount of resources, but in the long term I believe it is worth it. Either evolve and diversify into a resilient system or it will crash and you will go extinct. In contrast to our fictional organisms, who can only change randomly and evolve through natural selection, you can guide the evolution process of the Tor project, ideally leading it away from extinction - if you play your cards right! Still, evolution is the best approach out there. Build many different versions and see which one survives in the wild.

TL;DR - Even though I am glad and thankful that the Tor project has matured into something big, fast and convenient, I believe it has reached its limits. We are no longer running ahead of our adversaries, we are trying to catch up with them. Too many people know and use Tor, and being popular attracts many enemies. There is no way we can win an arms race against government-funded adversaries in the long run and, even worse, there are few alternatives should Tor become fundamentally compromised. JonDo maybe, but apart from that? I2P and Freenet are not really suitable for most users.

So what I propose may seem radical, but I urge you to diversify this project instead of letting it grow even bigger. Tor is big and fast enough. Several smaller and distinctly different services would make the lives of our adversaries a lot harder and provide a safe haven in case one system gets compromised.
Remember - we can neither fight our adversaries nor outrun them in the long term. Constantly trying to resist attacks is not only a waste of resources but also nearly impossible to keep up. Instead we should spread our resources (within reason), hide, constantly change and multiply to build a resilient system that will remain functional even if some parts become compromised.

I know what I ask is incredibly hard but the sooner someone starts working on adding true redundancy to the existing Tor network the sooner it will be ready in case we need it. Unfortunately I can be of no help here apart from donating.
It seems great to have one powerful tool but to stake everything on one card will sooner or later go terribly wrong.

That's all, thank you and congrats if you managed to read through everything. :)

I did read everything. I think this is a robust and insightful analysis and one that I agree with. My one quibble is in regards to i2p, Freenet, and like programs.

One way to look at the problem is as one of content management. The main reason that i2p etc are not usable for most people is their lack of content. Tor solves the content problem by piggy-backing off the normal internet. However, it's useful to remember that the first video ever on Youtube was from a zoo--at one point in time Youtube didn't have any content either. So the reason that i2p etc isn't usable now is a content problem and one that is--in theory--solvable. The underlying problem with Tor is that while it solves the content problem by piggy backing off the regular internet it is an attempt to create lemonade from lemons--to build a secure system from a system that is inherently insecure.

Tl;dr. Tor is convenient but insecure. Dark nets are secure but inconvenient. But in the long run dark nets are the better solutions because the security is baked into the content. It's just going to take time--maybe lots of time and social turmoil--to get there.

Yeah. Except the hidden services are still a bit light on content themselves. Where are the TMZ's and the Martha Stewart sites? Why can't I buy a chair there? For pick up downtown with PGP & ID. Or flowers? Where are the churches? Where's Scientologymysterycode.onion? Where's Ourchurchofwe'resoextremelyoppressedwecanonlymeetonlinedotfreakin.onion? I actually expected to find that one.

Tor is now in a similar position to where The Pirate Bay was a few years ago. That too became more and more popular, with articles appearing in the 'mainstream', and also attracted more and more powerful enemies. The Pirate Bay was almost brought down, which was the fate of many torrent sites, but their solution was "resilience by redundancy through diversity". "The Pirate Bay: the most resilient torrent site in the universe." Maybe the Tor Project could learn from the experience of The Pirate Bay. Maybe get a few of those guys on board once they have served their jail time ;)

so it should be understood it's a _war_ with the so-called governments and with their so-called laws...

So you say allow the weakest to die and encourage the survivors to continue without fear?

How do these potential attack vectors affect running something like OpenBazaar? Would running an OB node in effect make you a mini hidden service?

Yes, you have to run a hidden service at present. You could change the address every day if you wanted to; you don't need to keep the same one.

I hope that you guys get funding for hidden service development. It shouldn't be too hard to get funding given that all serious news rooms are now using securedrop, which relies on tor hidden services. Maybe the better-funded news orgs could chip in.

Could hidden services err on the side of caution and temporarily cease operating if a DOS is detected? I would rather less uptime than less anonymity.

If you set the EntryNodes torrc option, this will happen. Basically, if none of the relays you explicitly set are available, then Tor will fail to establish any connections (and won't accept any connections, as a result).

Would setting the EntryNodes option have any drawbacks of its own, at least as far as security/privacy are concerned?

What exactly does that mean: "We know through recent leaks that the US DEA and others have constructed a system of organized and sanctioned perjury which they refer to as "parallel construction."?

See and the first reference for additional information about it.

Roger, I'm just putting this in this thread for no real reason... I was the guy who could only sometimes load Tor 4.0+ despite *not* having Trusteer Rapport.

I figured out the problem, which you might want to publicize.

The culprit: Ad Muncher, a program that's been downloaded by millions of people over the past decade. When Tor first opens a small window as it tries to find a relay, Ad Muncher basically views this as a "pop up" attempt by the browser and kills it. The solution? The program has to be shut down totally, merely disabling filtering doesn't work.

That's it, carry on the good work, glad to see this was a problem on my end all along. :-)

Nachash (proprietor of doxbin) brags that I was the most-doxed on his darknet onion server, along with Keith Alexander, a four-star general and former director of the NSA. The difference between me and Gen. Alexander is that I went to Germany in 1985 to teach Philip Agee how to use his first computer, I was prosecuted for draft resistance in 1969, and I was active in SDS beginning in 1967 to oppose U.S. policy in Vietnam. I also spent three years in grad school studying social ethics and political theory.

Nachash is too uninformed to distinguish between me and Alexander. He doxes us both as a matter of pride and presumed relevance. He includes Social Security numbers and other information that is inconvenient for his victims.

The folks who control Tor make a similar mistake. From the viewpoint of social ethics and plain logic, you must distinguish between freedom to surf the web anonymously, and the freedom to publish anonymously. I ran for seven years because I believe in the freedom to research anonymously. But I also believe that publishers must be accountable, which automatically means that they must be identifiable.

The Tor people have yet to figure this out. The darknet onion thing provides anonymity to publishers. This is unethical. The Tor browser provides anonymity to passive researchers. This is wonderful. Until Tor figures this out, I will support efforts to close down onion servers, even if this means that I have to support Gen. Alexander.

-- Daniel Brandt,

Well I believe every government document must have been published and the authors and their families must be identifiable. This would be ethical.

I was really impressed by your life's work until the end of your statement.

Your analysis is however incorrect: one cannot be a publisher freely without a permissionless system. Publishers may be held to account after the fact or they may not. This is how a free system without prior restraint works. Tor Hidden Services provide anonymous, end to end, reachable, secure communications channels. This is important and the world needs it.

Your analysis between "researching" or reading and "publishing" or writing is incorrect. All HTTP clients send data - for example - the url they're requesting. This must be done anonymously. This means that to read anonymously on the web, we must also be able to write anonymously on the web.

I'm sorry that you've been a victim of jerks on the internet. I'm also sorry to hear that you're a supporter of General Alexander as a result. I'm even more sad that you believe the solution is to put a king's mark on every document, on every publisher and on every publication system. I say to that: Never.

Hey Daniel, I'm publishing this... go read the Federalist Papers and then fuck off.

I don't condone doxing, but you only have to look at what is happening in Russia (all bloggers being required by law to register with the government, a move designed to intimidate and silence critical voices) to see that your stance ("publishers must be accountable, which automatically means that they must be identifiable.") is problematic.

Ah yes Daniel Brandt. I remember you from Wikipedia. You are one of the most filthy, loathsome people I have ever encountered. Don't listen to this guy. He is a snake in the grass.

Two words: Federalist Papers.

Sincerely, Publius.

If Satoshi Nakamoto had not been able to publish anonymously we may not have Bitcoin.


As a person who got tortured in a NATO country and had to flee just because I wrote more than the government accepted about false-flag terrorism, I would just like to say: Screw you. You have done a lot of great things over the years, like running Scroogle, but your statement that publishers must be "held accountable" made me lose all respect for you. Telling the truth about government lies is not and should not be a reason to get tortured. If you simply do not understand that this is going on, and has been going on, for decades then I might forgive you. If you actually believe that governments should be able to identify those who oppose them so they can torture them then I hope you die in the most horrible way possible.

Too much Inertia hurts us all...

Tor Project is soo focused on Tor Tor Tor, Tor is great, we're 501c3, world peace, blah blah blah. Over FIFTEEN years of Tor totally focused on one particular narrow anonymity design, its own onion routing.

The anonymity community seriously needs to all step the fuck back from their own pet projects, literally sit their asses the fuck down at a roundtable at some con and seriously ask themselves the following:


Tor, Freenet, I2P, Gnunet, Maidsafe, Retroshare, Bitcoin, etc, etc, everyone just STOP, sit the fuck down with everyone else, and rip things apart, put things together, whiteboard that shit... whatever. But for the love of god, don't keep going forward with broken crap just because it's your pet project or the best you think there is.

This is not claiming any project is broken, but that there are all sorts of technologies that need to be fronted, reviewed, ranked, sorted, and plugged and played and layered and interleaved.

You don't do that while head down in your own little projects. And that sux for anonymity. 2015... the year of the global anonymity summit, review, realignment and rework. Make it happen.

Agree. There's some decent intelligence about how to do the whole anonymous thing properly and correctly in those groups and it's high time they got together and did just that. Waiting to see how the different sources managed to locate HS owners is not going to get publicised, so stop kidding yourselves if you think it's going to happen. There appears to be disquiet growing that Tor is now fallible and, whilst this may or may not be true with the latest takedown, it doesn't do anyone any favors. Work it out and make anonymous exactly that.

Before you go criticizing Tor why don't you do actual research into how Tor and other anonymity systems work. Yes, there are flaws; some of the design choices limit usability or pose security threats. Yes, some of the side effects of the design choices were unknown when they were made. That doesn't necessarily mean that different decisions would be made if the present knowledge was known. Tor isn't perfect; it's impossible to design a system to give you perfect anonymity in communication without risk of attack, let alone to use the underlying system of the internet which doesn't promote anonymity and actually implement that.

The goal isn't to achieve perfection: that's impossible; the goal is simply to do the best they can. With that said, like any other piece of software it works best if used properly. In the past authorities were able to unmask both simple users and hidden services because they did something stupid. If you want to remain anonymous, you need to know how to use Tor safely. Read as much documentation as you can. As a plus, when you complain about how something needs to work differently in Tor you can give a specific example.

there's a rumor that any net admin can force a tor user to choose an nsa first hop, isn't it so?


"low-latency web services is a very hard problem"

With present tor architecture this problem will be persistent.

Therefore tor netdata flow really needs some kind of permanent blank white noise net traffic?

There are some nasty tricks to unmask an anonymous VPN user based on the default settings on an ISP modem. Maybe they used it for TOR

If "Tor currently doesn't have funding for improving the security of hidden services", is it possible to do like Wikipedia and put a message asking for funding at the top of every page?
Wikipedia wrote that it has no ads, but to survive it needs x dollars (and Wikipedia obtained millions of dollars).
Tor can write: to improve security for hidden services we need x dollars, and make a list of payment methods.

An alternative can be a crowdfunding site.

What do you think about this? Is it possible?

This site doesn't get nearly as much traffic as Wikipedia.

A note on the Tor start page, then?

*(TorBrowser start page)

May I ask a question. Is this possible?

1. Create a list of hidden services you want to find.
2. Create a list of hosts where these servers might be located based on history, anonymous payment options etcetera.
3. DDoS/attack each host one-by-one and check if any of the hidden services are affected in the same way as other hosted sites.

> 1. Create a list of hidden services you want to find.
Already done by

> 2. Create a list of hosts where these servers might be located

1. User sets "StrictNodes 1" and "ExcludeNodes {au(not us)}{}{}...".
2. User tries to connect to whichiwanttoumnask.onion
3. If the user can't connect to it, then the hidden service might be located in {au}.

>3. DDoS/attack each host one-by-one and check if any of the hidden services are affected in the same way as other hosted sites.

If you have enough PCs and a network like the NSA, then you can do it.

There is really no need for DoS. Just monitor web hotels and when they go offline check if any hidden service is down. Or maybe NSA can just ask major web hotels to go offline for 10s.

The most likely reason that some of the largest illegal sites are still online is probably that they are not found. The same reason as why some of these sites weren't taken down 6 months ago.

I guess that these kinds of methods can be used to locate the servers. Perhaps it's more likely that the server software leaks the IP or other info. I guess some web hotels also scan the hosted data for hidden services.

Please can we create a list of all the onion sites with their current setups like: Operating system, Serversoftware, TorVersion, bitcoin-client(yes/no), PHPVersion, CMS(yes/no/cmsname), ServerHoster(Home/Paid)? Something like that? I am guessing that none of the services used Whonix?? If yes, it would be a strong indicator that it is really a problem of the tor software!!!! Please, we need more info! I also think it was no SQL injection attack or something similar, because I had a look at many of those sites and they were not vulnerable to such attacks, while I know some still existing sites that are vulnerable and are not being attacked! And yes, I can provide proof for that!

Why am I allowed to view videos on Tor now? I went to a website that automatically started playing a video. I don't have any plugins installed because flash exposes IPs. The only extra addons I have are Classic Theme Restorer which Tor recommended & AdblockPlus.

I went to a news website and temporarily allowed NoScript. That resulted in the video on the page to automatically play. I then went to Youtube to test if I could view their videos and I could view everything after temporarily allowing NoScript through.

I have the latest version Tor browser bundle 4.0.1.

Since this version of TBB supports MP4 playback, it's compatible with more videos now. So that's probably the reason.

HTML 5 video. Your browser now handles videos, not flash.

Firefox can play VP8 videos without using plugins.

HTML5 video. Flesh player or other plugins are not required for them so it must be safe IMHO

>Flesh player

Nooo, the p0rn, it burns my eyes, make it stop!

where can i get that player?!! is it opensource or google's?

because youtube can use HTML5

HTML5 (the new HTML standard) allows video without Flash or other plugins:

Probably what you are seeing is HTML5 video. No Flash required.

For whichever site supports it, the browser will play the video natively without needing a proprietary closed-source plugin. So it's safe and shouldn't compromise anonymity (in theory anyway).

because websites started adopting HTML5 video player instead of Flash.


> Why am I allowed to view videos on Tor now?

HTML5. Built into Firefox, it doesn't require any plug-ins.

Check that Scripts are banned globally,
Then go to Options > Embeddings
And Enable Additional Restrictions for Java/ Adobe Flash/ Silverlight/ etc.

I hope that solves your problem.


Hello, is anyone reading this? I too can view videos on Tor when we're not suppose to. I use the addon Flash Control on Firefox and thought to try it out now on Tor to block all the flash videos but they STILL PLAY. What is going on? Flash is suppose to be disabled because it exposes real IP.

It's HTML5, not Flash. I'm pretty sure Javascript has to be enabled for HTML5 videos to play, and if you want to be especially secure you will disable Javascript. Go to URL about:config, search for javascript.enabled and double click the value field so that it changes to 'false'.

sometimes in my tor browser 4.0.1 NoScript switches itself to allow scripts globally, i don't know why

idk, maybe it was HTML5 video

Nowadays, videos are officially supported by HTTP standards. You don't need Flash anymore, and sites start to make use of HTTP video more and more.

HTML 5 ?

It might have been html5 videos you've been watching

You are talking about youtube? They support html5 which is built into the browser, no flash needed. You can watch streaming video with torbrowser quite well now on any site that supports html5 video (though you are correct, you must enable scripting for this to work for some reason).

When using Tor, youtube and I presume other websites play videos through HTML5 if you don't have flash enabled; you still need to have javascript enabled though.

Tor Browser (and the Firefox 31 ESR that it is based on) supports HTML5 video elements and can play webm (but not yet mp4) videos natively, meaning some videos will work without any plugins. This is normal expected behavior if you are allowing scripts.

Please do NOT install addons or plugins into Tor Browser. Seriously, remove them now. Most people will not have any addons, so using them will make you obvious; clicking New Identity will still give you a new circuit but a website will be able to recognize you are that same user that always uses Tor, Adblock and Theme Restorer together. If you want to be anonymous you simply have to accept that you will see ads and will have to deal with whatever Firefox UI is current.

Don't just take my word for it, the Tor Project recommends never to install extra features into Tor Browser: . I did see Mike Perry's comment about the Classic Theme Restorer; he wasn't saying it was safe or tested with Tor, simply that people who know and understand the risks can check it out.

Can you 'get smart'? Changing your user agent to one of the ten most popular strings _does not_ 'harm your privacy'!! Don't be stupid! It's just like 'I win - I vote for winners'!!

it's HTML5 video, welcome to the future.

It's enabled because it doesn't cause any known IP address leaks in TBB (but if you find any, please report it!)

Is it just the same myth as the sentence "your ports are closed - nothing to be bothered about"? ('Use your little grey cells' - any packet needs to be investigated by the driver and the IP stack ...)

Well, how to know if your Eve server is on the route to a hidden service?
* contribute a small delay pattern (on the Eve relay node) and check if you can see the same delay pattern on the probing/attacking machine
* measure time between sending a request and seeing a particular pattern on your Eve relay: attacker to Eve to HS
* measure time between response from HS and your Eve relay to attacker
* try to maximize the attack to the Eve relay by chance to get closer to the guard
* measure time from attacker to HS and back (RTT), subtract time of attacker to Eve, Eve to attacker, and delay pattern
* I call this result network to network time
* if you have lots of pinging statistics from one network to another (like some have), you can measure and guess which network is of your interest and take all ASNs off your list with too bad an RTT
* the guard will change some day
* now do all the measuring again
* if you are lucky enough you are the last hop before the guard
* try to remove ASN by ASN from your list, until you end up with one to ten

doesn't the NSA and other adversaries have the capability to monitor large parts of the internet ?

this should make the following possible:

carefully construct an innocent looking GET request with a hidden but fingerprintable signature.

send it through the TOR network to your target hidden service.
monitor the internet for that fingerprint.

voila, IP revealed...

You should keep your HS somewhere out of monitor reach, which is likely impossible.

HTTP normalization, which would also be very hard or maybe even impossible because of the openness of the protocol.

I can remember a very long thread on a message board a year or two ago about a hacking organisation that had at least 20 entry and exit nodes in use. At the time the nodes were all held on 4 servers.

The worry was that accessing Tor through an entry node and exit node operated by the same people on the same server could help them to end-to-end match a user and the sites (s)he visited

So now we have nodes identified, sites identified and users identified. Interesting.

BTW, the organisation? CCC - the Chaos Computer Club. I'm not accusing them (why not?, I ask myself), but maybe NSA or GCHQ or Echelon have taken their idea and put it to their own use.

Court docs show Defcon was not using Tor but Google Chrome. They used that, including NSA helping him with admin, to locate his server location; sure you can figure the rest out. Tor needs help $; someone with business at stake needs to help them $; we are going to lose this whole operation soon if the minds and $ DON'T stop to take time with basics in this darkweb game.

Scallion/Scorpion can generate a Tor hidden site's private key.
If the FBI has enough PC power to use, it's easy to generate a private_key and set up a fake server on the Tor network.

I'm new to TOR, but I know spin doctoring and propaganda. From what I'm reading, they took down 27 servers, but instead of saying "we've taken down 27 servers recently" they counted each and every URL on those servers and announced that through "Operation Onymous" they "took down over 400 hidden sites" ... etc ... etc ...

It's possible that these agencies have TOR all figured out and we're all screwed. However, if that were the case, they wouldn't announce it or try to overstate the size or success of the operation. Instead, they'd seek to downplay it so people, especially criminals, would still feel comfortable using TOR. Otherwise, TOR users would get paranoid and take extra security precautions which would make the agency's job that much harder in the future.

One example would be how long it was after the FBI took down the original Silk Road site before it became public knowledge that a leaky captcha was to blame. Although some of you techies were on to it earlier, it was clear that the FBI wasn't out there announcing their little secret willingly.

Here, I think it's the opposite. Law enforcement agencies have goals of not only catching who they view as criminals, but of prevention as well. You also have surveillance agencies that just want your data and don't give a sh*t whether you're a criminal, a hero, or something in between. These goals would be easier if they could scare people away from using TOR.

So they scoop up 27 poorly secured servers, inflate the importance of this by announcing that they shut down over 400 individual URLs, and they brand it with a catchy operation name to get the conspiracy nuts to hyperventilate. This way they convince everyone that there is no sense in going through the hassle of anonymizing your internet presence because services like TOR do not work anyway.

Of course, I think it's important to investigate and see how they managed to get the 27 servers, and I think it's important for everyone to donate to the TOR project to get it back on its feet in full force to fix any issues like this as they arise. However, I wouldn't want to see this cause some panic that turned away potential users of the service, since I think that was the point of the whole endeavor by the agencies involved and I think the core reason for the whole thing was because TOR actually works when it's used properly.

"they could scare people" - and then they'll shout they 'were all terrorists' and 'we protect you'! and arma are you with as or ...

Well he is back on 14 November.

ok, let's rephrase: these terrorists from gov agencies have just one purpose - terror.
and 'properly used' -> means more entry guards and more relays?
look, in their insane minds - if your comp is _not_ compromised by newest 0-day virus -> you _are_ comp spec and potential tor user so lets go and get you!!
so should all tor users _install_ latest viruses from nsa? to be like all others?

Before, I could download a PDF and read it when I am offline, but now it downloads and opens straight away. I am wondering about the implication for my anonymity now. TBB version 4.0.

I believe your change in PDF behavior is because the newer TBB is based on Firefox 31 which has built-in support for PDF. As a result, TBB itself now supports PDF.

An earlier TBB was based on Firefox 24. Then PDF viewing depended on downloading and then using whatever independent PDF app was running on your operating system to view the document.

your granny doesn't tell you not to put all eggs into one basket?

And there is implication - pdf can have hyperlinks and now you can be traced.

If you activate those links while reading outside of Tor... If the links fetch or activate or... while reading the PDF in Tor, then all URL visits are inside Tor.

That's another great reason to view the pdf inside the browser, rather than using a separate pdf viewer.

don't you think it's simple to just flood hidden services with recognizable amounts of requests and check where they arrive? You do it with different intervals and amounts, you draw a graph and compare on the network devices (and you have access to those devices if you are the government).

Also the guys caught were not really keeping secret who they are. Using Facebook, Gmail, etc. Good joke.

Wow, not a single mention of "illegal" in your blog posting. Maybe have some thoughts about the legality of the services offered with your technology and just stop offering services that can easily be abused by criminals? Just a thought ...

Should everybody write long list "legal - usa; legal - gb, illegal - china, illegal -russia, legal - nigeria, illegal -india, illegal - italy etc." ??
"ISPs in the US and Thailand intercepting their customers' data to strip a security" - is it legal or illegal and where? It's just a noisy pr word. Well such 'service' can easily be abused by criminals from nsa.

I don't think you can be anonymous from any fixed location like your home, business, etc. You can be anonymous by using someone else's connection, although terming that "anonymous" is a bit of a misnomer. Stolen or fraudulent identity might be a more correct term. Think Linux Live distros for jumping on the net via someone else's open unsecured wi-fi or whatever, and if you're really paranoid, make sure you can swap out the memory chips in your laptop when you are through with using someone else's connection for some nefarious reasons. The object is no record, no history, nothing on your machine.

All this doesn't mean they can't (or won't) plant something on your machine if they really want you.

But be very aware of surveillance cameras around frequently touted "free wifi" with Cheeseburgers locations. Always seems to be a lot of cameras in the mix.

You can try - openly connect to _your own_ proxy server and ask connection to It will ask _your own_ dns server for address and connect you to And use size normalizer for your ip packets etc.

All these people got busted because of their hosting provider. The DDoS attack is unrelated.

Hetzner is like all big companies in Germany, in Europe and in the USA forced and paid gold by the local NSA (the BND) to run a grep-like tool on the disks of their customers. A simple pattern like .onion will show all hosts with contents somehow related with Tor and it's quite easy to detect and bust hidden services in this way, though at a random success rate.

How can anyone in his mind use provider's disks to keep anything private? Look at latest breakage in openssl web site! Doesn't anybody know all the so called 'cloud' is spoiled? How _can_ you _trust_ an alien processor to work on _your_ _private_ data?!! Call them big or small they are all companies to get profits from customers and pay bribes to governments.

I consider this a strange post. We have known for more than a decade that TOR is not NSA-resistant.

"Low-latency systems like Onion Routing aim to provide anonymity against an adversary who is not watching both Alice and Bob [39]. If the adversary watches both, he can for instance count packets and observe packet timing to become confident that they are communicating."

The problem is not so much how to make anonymity perfect, but that TOR is only accepted by law enforcement BECAUSE these vulnerabilities are built-in.

The real challenge IMHO is how to build mutual societal security on top of perfect anonymization in order to get clearance to e.g. upgrade TOR and scale it across all communication.

Stephan Engberg

Freenet on top of Tor?

Maybe the solution is to be found on the machines that were NOT seized. What have they done to go unnoticed ?

Probably either not host any illegal activity or have any close association with any person or machine that does, and/or have the illegal activity so non-publicized that the police were never aware of it.

An example of the former would be a US-based hidden service that catered to the needs of Chinese dissidents.

An example of the latter would be a hidden service which offers mundane, legal things such as catering to the needs of Chinese dissidents as a front so a handful of buddies can use the same machine to exchange illegal material privately, without anyone including the other users of the machine even suspecting. Of course, if one of the people in the group comes to the attention of law enforcement, the whole group is at risk.

There are plenty of illegal hidden services still standing.

Thank you everyone so much for the help! I had no idea about the HTML5 being allowed. Just as long as it doesn't expose IPs the way flash does. I was about to delete my twitter and email account because I had them opened in other tabs when I was on that news site that showed the video. I thought it was flash and wondered how did this happen being I have no flash plugins enabled. Thanks again!

You win $1M!!! Come to the nearest NSA department to get it (keep your security number ready).

Suppose they did make arrests, how many? 17, big forkin deal, out of how many lol. I fancy my chances of NOT getting caught, they are scaremongering, I for one will keep buying my weed online ;)

You see guys, *this* is why you always purchase servers for your hidden service far away from you geographically, and purchase them anonymously (no, bitcoins are not anonymous by default. You have to either get them anonymously, which is more difficult than most people are comfortable with, or wash them through something like Bitcoin Fog). And of course, use disk encryption. That way if your hidden service is deanonymized and the feds go to the very datacenter it is hosted in, the worst they can do is take it offline (and if they perform a cold-boot attack, read even the encrypted disk, but you are still safe because you purchased it anonymously).

Now a very important note to hidden service operators, especially those who run controversial/taboo services like drugs, cp, various political views, etc:
USE PGP! Somewhere on your site, sign the current onion URL with your key. If your site is seized and the feds gain access to your hidden service's private key, they will be able to redirect all traffic to that URL to a site of their choice. But worse than that, if you don't use PGP, anyone can create a new clone of your site and pretend to be you. If you do use PGP however, when you bring up a new site under a new URL, you can sign that URL with the same key to prove it is official. This effectively allows you to keep a "master key" for all your hidden services that remains offline (i.e. it will not be up for grabs by anyone who gets access to your server). The next HS protocol will have something like this built-in, but for now you will have to use PGP.

On a more "experimental" note, I suggest that hidden service owners monitor their logs for possible denial of service attacks, and if any are detected, *disable your hidden service* and wait a little bit before bringing it back online. If you have the resources, bring it up immediately at a different location. Hopefully this will prevent active deanonymization attacks that rely on DoS, because the feds will be unlikely to get enough samples. I say "experimental" because I have not thought this through thoroughly so it is certainly possible that doing this just makes things worse. Anyhow, it's just a thought I'd like to put out there.

1) Assume your servers will be deanonymized and take measures to ensure that even if they are, you personally will remain safe (buy them anonymously).
2) Get used to using PGP so you can prove you are the real you if your site goes down and you are forced to create a new one.
3) If you're getting DoSed, it might be a deanonymization attempt. It *might* be a good idea to shut your server down for a little bit, or move it somewhere else completely if you have the resources.
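The signed-address scheme described above (an offline master key that vouches for whichever onion URL is currently official), written out as an added example. It is not the commenter's code nor anything from the Tor Project, and it uses Go's standard-library Ed25519 in place of PGP so that the mechanism itself is visible: the operator signs a fixed-format statement naming the address, a visitor verifies it against the public key they already know, and neither a clone announced under someone else's key nor a genuine signature moved onto another address verifies. The seeds, addresses and the `onion=... sig=...` announcement format are constructed for this example.

```go
package main

import (
	"crypto/ed25519"
	"encoding/hex"
	"fmt"
	"strings"
)

// Domain separator: the signature covers this prefix plus the address, so it
// cannot be replayed as a signature over some other text that mentions an
// onion address. The prefix string is an assumption of this example.
const announcePrefix = "onion-service-address-v1:"

// Announcement is the single line an operator publishes beside the address.
type Announcement struct {
	Onion string // constructed example address, e.g. "abcdefghijklmnop.onion"
	Sig   string // hex-encoded Ed25519 signature over announcePrefix+Onion
}

// String renders the announcement in the line format this example assumes.
func (a Announcement) String() string { return "onion=" + a.Onion + " sig=" + a.Sig }

// ParseAnnouncement reads a published line back; ok is false on malformed input.
func ParseAnnouncement(line string) (Announcement, bool) {
	f := strings.Fields(line)
	if len(f) != 2 || !strings.HasPrefix(f[0], "onion=") || !strings.HasPrefix(f[1], "sig=") {
		return Announcement{}, false
	}
	return Announcement{
		Onion: strings.TrimPrefix(f[0], "onion="),
		Sig:   strings.TrimPrefix(f[1], "sig="),
	}, true
}

// keyFromSeed derives a deterministic key pair from a 32-byte seed. The seeds
// below are constructed so the example is reproducible; a real master key is
// generated once from a CSPRNG and kept off the server entirely.
func keyFromSeed(seed string) (ed25519.PublicKey, ed25519.PrivateKey) {
	priv := ed25519.NewKeyFromSeed([]byte(seed)) // panics unless len(seed) == 32
	return priv.Public().(ed25519.PublicKey), priv
}

// OperatorKey is the offline master key; its public half is what visitors pin.
func OperatorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	return keyFromSeed("constructed-operator-seed-000000")
}

// ImpostorKey stands in for anyone else who tries to announce a clone.
func ImpostorKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	return keyFromSeed("constructed-impostor-seed-000000")
}

// Sign is run by the operator, offline, whenever the official address changes.
func Sign(priv ed25519.PrivateKey, onion string) Announcement {
	sig := ed25519.Sign(priv, []byte(announcePrefix+onion))
	return Announcement{Onion: onion, Sig: hex.EncodeToString(sig)}
}

// Verify is run by a visitor against the operator's long-known public key.
func Verify(pub ed25519.PublicKey, a Announcement) bool {
	sig, err := hex.DecodeString(a.Sig)
	if err != nil || len(sig) != ed25519.SignatureSize {
		return false
	}
	return ed25519.Verify(pub, []byte(announcePrefix+a.Onion), sig)
}

func main() {
	pub, priv := OperatorKey()
	old := Sign(priv, "abcdefghijklmnop.onion")
	fmt.Println(old)
	fmt.Println("original address verifies:", Verify(pub, old))

	// The site is seized and its HS private key is gone, but the master key
	// was never on the box, so the same key vouches for the replacement.
	fresh := Sign(priv, "qrstuvwxyz234567.onion")
	fmt.Println("replacement address verifies:", Verify(pub, fresh))

	// A clone announced under a different key does not verify against the
	// pinned public key, however convincing the copied site looks.
	_, impPriv := ImpostorKey()
	clone := Sign(impPriv, "abcdefghijklmnop.onion")
	fmt.Println("impostor announcement verifies:", Verify(pub, clone))

	// Nor does a genuine signature pasted next to a different address.
	moved := Announcement{Onion: "zzzzzzzzzzzzzzzz.onion", Sig: fresh.Sig}
	fmt.Println("signature reused on another address verifies:", Verify(pub, moved))
}
```

The value of the scheme rests on visitors having obtained the public key before any seizure, from a channel the server does not control, and on the private half never touching the hosted machine; a key stored beside the service is seized with it and proves nothing afterwards.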

How to stay anonymous while using Tor,
I say this as a Tor user myself, I have configured bridge settings,
Please take my advice seriously, I am a computer programmer.
If you don't do that I believe that the NSA and FBI could potentially hack into Tor and find out who you are.

That makes it harder for the adversary to identify you as a tor user because you aren't directly connected to a listed relay, but it doesn't help you against traffic analysis and other attacks.
Even the FBI/NSA could run/control bridges and could run a traffic confirmation attack (, etc.) on you...
Remember: "Bridge relays are just like normal Tor relays except they don't publish
their server descriptors to the main directory authorities." (source: Tor bridges specification)
So they aren't really an additional layer of defence to hide WHO you are, they just try to hide the fact that you are USING TOR.

What if law enforcement just set up wiretapping at many guard nodes (they are listed in public) and filtered out relays and low traffic connections? "This IP generates a lot of Tor traffic and is not a relay, our IT specialists are super sure it's a well known hidden service, which are almost exclusively of illegal nature" is good enough for police state lawyers to allow a seizure.

... computer security ALWAYS fails on the same exploit ... human stupidity

Yes and nsa inspired standards is just one example - look at starttls option! It's absolutely insane at first start open connection and then say lets use crypto! And how many im programs decide to drop support for "old method" for dumbest "new standard"? Now you have "In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag—called STARTTLS—from email traffic."

And what about simply running a browser with a script trying to connect to the target onion site all day long for a few months and through random Tor circuits, then mathematically correlating the failed attempt dates/times with known, publicly available maintenance/failure reports from ISPs and other Internet actors?
The more the service fails because of external network problems, the faster you'll find your guy. And if you have the power to selectively shut down sections of the Internet, you can find it even faster (dichotomy => logarithmic time)...

As far as I can see there is no CP site seized, right? Could it be that the FBI and others told some onion hosting hosters to hand them a copy of their sites? And because the hosters that were controlled had strict anti-CP rules, that's why there is no CP and that's how they managed to "hack" the sites? I mean that would fit the story!?

Interesting thought. Or it might have just been a "digital drug bust" - illegal marketplaces subverting capitalism and so forth, maybe considered a greater threat in the future? Tor markets have certainly been successful so far. CP is essentially a bunch of dodgy masturbation, not as pressing a concern?

What fits the *story* was nachash saying he was using "Debian Wheezy" whilst Julian Assange is waffling on about Debian being owned by the NSA... Microsoft just released (dot) NET into open source and then there are other tid-bits that are just pure Candy. Like for instance did you know the Linux Kernel from version 2.6 has always supported v9fs? The virtual Plan9 filing system - in the KERNEL!?! So if you're Toring away and you do /proc it would never de-anonymise shitloads of Linux boxes running v9fs virtually - would it?

Tor had too many bugs since one of its March updates. In May the entire network got slower and now apparently using Tor is simply using another browser to gain access to hidden sites, but Tor offers no anonymity anymore.

C'mon guys! 27 servers! Drop in the bucket.

I can spin that up in Amazon EC2 in 2 seconds.

Misconfigurations. Final Answer.

I'm smart too but the answer is usually simple.

All these people going argh what do we do, you make me laugh. Try reading a technical paper on anti-web framework and loading INFERNO-OS everywhere... Fuck Tor! Time to employ some next generation security everywhere and if the Feds don't like it, just remind them that we can delete their entire IP range for-eva!

I read a lot of comments on the impact the take down was to Hidden Sites, but I am curious as to the impact on the visitors of HS. Were they equally compromised? I would assume if the HS boxes were assimilated, client compromise would be probable.

did you notice this research:

81% of Tor users can be de-anonymised by analysing router information, research indicates

On the Effectiveness of Traffic Analysis Against Anonymity Networks Using Flow Record

In this paper, we assess the feasibility and effectiveness of practical traffic analysis attacks against the Tor network using NetFlow data. We present an active traffic analysis method based on deliberately perturbing the characteristics of user traffic at the server side, and observing a similar perturbation at the client side through statistical correlation. We evaluate the accuracy of our method using both in-lab testing, as well as data gathered from a public Tor relay serving hundreds of users. Our method revealed the actual sources of anonymous traffic with 100% accuracy for the in-lab tests, and achieved an overall accuracy of about 81.4% for the real-world experiments, with an average false positive rate of 6.4%.

By the way, the "Russian" tor exit node which distributed malware recently probably comes from NSA

Why? Because it distributed a miniduke variant and there is a link between miniduke and NSA:

A mathematics professor was attacked with a Miniduke variant that was sent to him with a faked LinkedIn message. This Miniduke variant communicated with a hacked Belgacom server over encrypted channels. And thanks to Snowden, we know that this Belgacom server was hacked by NSA.

Belgacom was hacked with a quantum insert attack, which only an agency is capable of doing if it has access to the backbones of the American internet.

The Russians and Chinese do not have this access to US backbones and thereby they cannot do a quantum insert attack on Belgacom.

Hence it is unlikely that both NSA and Russians hacked Belgacom.

So the communication relay for the Miniduke variant on the professor's laptop was likely set up at Belgacom by NSA.

As a result, we have a link between Miniduke and NSA....

And then there is a link between Miniduke and the recently distributed malware from the "Russian" tor node:

“This strongly suggests that although OnionDuke and MiniDuke are two separate families of malware, the actors behind them are connected through the use of shared infrastructure,”

Probably NSA went to a Russian server to distribute their Tor malware after their last attack on Tor in 2013 was traced by researchers to NSA servers directly:

Well, at least that last url you cite is now believed to be wrong. The August 2013 malware was planted by the FBI and phoned home to the FBI.

As for the rest of it, I have no idea. The various agencies sure work together more often than makes me comfortable these days -- and it's far too easy to lump together foreign law enforcement and other foreign groups with them too.

I believe 'NSA' was used as a common name for all xxx agencies NSA/FBI/CIA/... as in Lexx.

Hidden Wiki even seems to be down now - Any idea anyone if there will be a new link provided somewhere, and if so, if it will be safe to go?

There have been dozens of onion services calling themselves 'the hidden wiki' over the past decade. There will be more. None of them were or will be official. (Well, except for the first one, but that one shut down in 2005. :)

"official" is but a relative term, isn't it?

See here :

Buncha fucktards.

This is ridiculous.
All people want some privacy, not to be spied on 24/7.
Also your ISP knows that you're using Tor; although they can't snoop on your searches, they still know you're using Tor.
I don't use Tor, I use ixquick as a search engine.
Read ixquick's privacy policy and you will be impressed, plus all searches are encrypted using powerful encryption tools.

"I don't use Tor" - and what are you going to sell here?

What you said does not convince me to not use Tor. I use ixquick while I'm using Tor.

Beginning in approximately April (Nearly the same time as the disclosure of Heartbleed) there was a rash of impostor Hidden Services (MITM HS proxies (As discussed here http://hbjw7wjeoltskhol.onion/discussion/view/61177/mitm-attacks-on-hidden-services and http://soupksx6vqh3ydda.onion/mitm.shtml )) which appeared to be phishing for Bitcoins or attempting Sybil attacks. These were involved in gathering information for this Operation without breaking nor exploiting Tor but instead through BTC. Work back from the spoofed and duped addresses.

I like the comment of several days ago where it asks why are there no comments about child pornography flowing through the tor network via Firefox. That is a HUGE reason why law enforcement cracks Tor.

Dissidents are passe in this world. All countries know they have them and they really do not care.

All countries know they have child rapists and pornographers using tor. And They CARE. A great deal.

UPDATE: Europol has now told the New York Times that it closed around 50 sites, a marked downgrade from the 414 number previously released.
Despite the fact that some 50 hidden services were seized, only 17 arrests took place and several of those suspects are already out on bail.

Has there been any Cisco router exploits lately? Combo a router exploit with this, and you have a recipe for unmasking Tor hidden services, I'm guessing:

No, that article is misinterpreting the paper. Even the author of the paper says so.

It's scary!! The experts of Tor don't know what happened.
Then, please! stop the lies about TOR (we really don't have security around here and we have more attention from the Government), I quit!
I go back to the normal browsers, dudes; the police and the government put traps for these geeks again and again and it seems to get worse every time...

You mean your government legally marks software named Tor and Tor Browser illegal and prosecutes everyone who has it? Then you are right - they log you when you download it. So it's too late to go to "normal browsers" officially allowed for use in your gulags. Now they are just looking for who these "we" of yours are. I advise you to escape to some other country out of your government's influence and you again will be a quite legal slave.

By learning from the mistakes, humans are getting better and wiser.

Don't be pessimists!

When there is a problem, there is a solution hiding somewhere.

well said, thank you.

The scared ones, should wear tin foil hats, quit internet, stay home and wait till some alien comes to their rescue.
The complainers should just shut up. Problems are not getting solved by complaining all day. Try to help out, be creative.

But overall, I'm really amazed how most do stand up, create, tinker, share, take risks for their ideals.
To all those, a big thank you! And keep up the good work!

Can someone please help? I'm able to connect Tor but when I'm trying to connect Vidalia it shows an error:

The Tor software requires Vidalia to send the contents of an authentication cookie, but Vidalia was unable to find one.
Would you like to browse for the file 'control_auth_cookie' yourself?

I have looked everywhere for a file called this name.
I have searched the whole web for this file to download.
I am using an Acer C720 Chromebook dual-booting with Ubuntu 14.10; if anybody can help I'd love you forever.

Remember: the pen is mightier than the sword! There may be HS taken down and there may not. The problem is that even the Tor team doesn't know the integrity of the people running the HS. LE can provide HSs for Tor and they will decide to take down such HSs just to bring about confusion in the Tor network, which may give them an insight into good people's thoughts toward possible ways in which Tor might have been compromised, just like the discussion here.
Again we all know that staying anonymous is not an easy task; at least we should appreciate the fact that Tor has got to this extent without LE compromising it.
And any sensible person will know that there is something fishy when FB reveals their HS. I'm sure the author refused to mention FB in this article to avoid further chaos.
And lastly, if it happens that HSs are really taken down and they (LE) are not the legitimate runners of these (taken down HSs), then there's every possibility that the Tor team is compromised.
Reason: from the architecture of Tor you know that it's not an easy thing for someone or groups to penetrate Tor without an insider.
Lastly, if you are running an HS, make sure your design was also meant to run an HS; that is, look critically into the way you pay for your service. Many people think cryptocurrencies are secure; mind you, they aren't, except if you add little measures in acquiring them.

How to locate a Tor Hidden Service ?

- The obvious question being are StrictNodes really strictly necessary ?!?!

Wait, what? This url sounds like somebody who doesn't understand Tor trying to come up with some sort of tricks that will magically make him/her safe.
