Hidden Services, Current Events, and Freedom Hosting

Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the Tor Network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, has been breached, or attackers have placed a javascript exploit on their web site.
A Hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don´t want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity also for the server operator.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Hidden service addresses, aka the dot onion domain, are cryptographically and automatically generated by the tor software. They look like this http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository nor registry of addresses. The dot onion address is both the name and routing address for the services hosted at the dot onion. The Tor network uses the .onion-address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user. The design of the Tor network ensures that the user can not know where the server is located and the server can not find out the IP-address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block certain .onion-addresses.
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user's computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix
them if we can.
As for now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.

EDIT: See our next blog post for more details about the attack.

If that's the case Tor needs to become practical for p2p traffic and other video traffic that makes up most of internet traffic. Can you imagine the 3 letter agencies trying to sort through all internet traffic? It also needs to be clear that these are our papers and they are protected by the 4th amendment among other protections.
The right of the people to be _secure _in their persons, houses, _papers_, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized

More importantly it needs to be technically impossible to seize your papers and consequences to attempting to seize them. They've shown again and again that the moment it becomes technically feasible they will make the attempt. The issue of pedophiles is irrelevant they will find another reason if you take that issue away.
Remember Martin Niemöller.

Also true security protects in layers with the assumption that one or more layers will become compromised. We need more physical hardware level protection and more Network address translation boxes with dhcp to hide ip addresses. Ideally we should be doing lily pad networking as well. Make it feasible to wirelessly connect anywhere

It's hard to know where to start.

You don't have any 4th Amendment protections for international communications. You need to go back to ... hmm ... high school? Grade school? Learn what "sovereignty" means! You may live in a country that affords you certain civil rights, including the right to be free from unreasonable searches and seizures without a warrant. Several important points:

1. These rights that your country might afford you end at the country's border. Outside of that border, you are no longer in that country. You are outside of its area of sovereignty. Depending on where you are, you are subject either to the sovereignty of another country, which is unlikely to afford you the same rights, or you are floating on the ocean and only subject to whatever rights international law gives you. Even your own country does not have to afford you the same rights outside of its borders.

2. Even within your country, there are limits to the rights that you might have. In the U.S., for example, your 4th Amendment rights require the government to get a warrant based upon probable cause to enter your home and seize your "papers and effects." Your rights outside of your home - for example, traveling on an Interstate highway, or using a public communications network (paid for by the taxpayers - in the case of the Internet, the Defense Advanced Research Projects Agency, the major research universities (funded with federal tax money), and, oh yeah, Al Gore), are much more limited if they exist at all. If you want privacy for your electronic communications, pay AT&T to set up a totally private network on private property for you to use, and the chances that you will get your privacy improve dramatically.

3. Even assuming that government violates your 4th Amendment rights in the U.S., as a practical matter, the only legal remedy available to you is to prevent the government from using the information obtained without a warrant against you in a criminal proceeding. No criminal prosecution? No harm, no foul. They can collect all of the information they want. [One of the reasons I don't get too excited about NSA is that the revelations involving DEA using the same software (see discussion, below) to collect information on citizens without warrants, and then covering up the illegal collection of evidence and using it in criminal trials, a legal violation that is much more serious.]

4. Your 4th Amendment only applies to the government of the U.S. Now, think about it: If you were the head of sigint (signals intelligence) or elinit (electronic intelligence) at GCHQ in the U.K., F.S.B in Russia, Mossad in Israel, etc., where is the first place you would put a covert agent? Hmm. My guess is you'd put a covert software engineer at MSFT and every other major software company. Why do you think there are so many updates to fix security vulnerabilities? You'd think they'd have found them all by now! No. N.S.A. puts one in, Mossad finds it, takes it out, puts theirs in, F.S.B. finds it, takes it out, puts theirs in, GCHQ finds it, takes it out, puts theirs in, and on and on. And, your computer reboots every night with yet another update fixing yet another problem. The point here is that even if N.S.A, C.I.A., F.B.I. legally are prohibited from invading your privacy, the foreign intelligence services are not. When you hear on the news that, "The threat risk has been increased based upon credible intelligence received by U.S. intelligence officials." what is usually being said (if the threat involves something in the U.S.) is, "Some foreign intelligence service monitoring communications inside the U.S. that our agencies could not legally monitor tipped us off." Look at Snowden's grant of conditional asylum in Russia. He can only stay so long as he does not "reveal any additional information harmful to our American friends." Why did Putin include that? What could Snowden possibly reveal? Maybe that F.S.B. cooperates with the U.S. to a much greater degree than we are aware? You think we have a problem with Islamic terrorism?. When you get back to school, look at a stinking map! Russia has Islamic republics all along its borders. Everything that you have heard of N.S.A. collecting - and more - is available to every major intelligence service in the world.

5. The only legal issues here - and they are extremely serious - are the use of "general warrants" by the U.S. intelligence community (I.C.) before the F.I.S.A. court, and the blatantly illegal conduct of D.E.A, which nobody seems to care about.

6. You want it to be technically impossible "to seize your papers and consequences" for trying? In your dreams! First, the U.S. I.C. has a company, In-Q-Tel, Inc., in Reston Va. that provides venture capital to entrepreneurs developing (among other things) software of value to intelligence gathering. In-Q-Tel is NOT the only venture capital company in this business. (You didn't think PRISM, XKEYHOLE, etc. were written by entry-level government employees, did you?) There are companies spending hundreds of millions, even billions, developing these technologies. It is never going to be "technically impossible" to conduct surveillance. As for imposing consequence on those who try to do so, you might find that locating all of the "sleeper agents" sent here by K.G.B. - predecessor to F.S.B. - is not going to be easy. F.B.I. counterintelligence is working on it, and they caught about 10 of them a couple years ago, but many remain. The "consequences" for these folks is prosecution for espionage and imprisonment, until of course Russia grabs a few U.S. tourists, charges them as spies, and we have to arrange a swap. As for the Mossad, these are not nice people. They make your average U.S. criminal sociopath look like an alter boy. Israel believes it is always at war and, therefore, is not subject to restraints on murder, kidnapping or other conduct that virtually all other countries, even those hostile to us, deem beyond the bounds of civilized conduct. Any attempt to impose "consequences" on them is likely to backfire.

7. I know you are going to find this hard to believe, but entrepreneurs who rely on venture capital companies for funding tend to be single-minded. They only want to sell their products whenever it is legal to do so to anyone with the money to buy them. They just want to become profitable as soon as possible, so that they can buy out the venture capitalists (often referred to as "vulture" capitalists). They are not terribly discerning about whom they sell to. So, not only is every governmental intelligence agency with funding - probably including North Korea - gathering the same information as the N.S.A., but private companies, lots of them, are customers of Google, Facebook, Twitter, and all those social sites you love so much. Ancestry.com scares the hell out of me! If they can trace the addresses of my great grandparents, what can they report about me? These social networking sites are not funded by the government like National Public Radio, and they are not charities. You're not paying them, so how are they making money? By selling every word you write to private companies that prepare personality profiles on you. They have access to and use the same software as N.S.A. and all the intelligence agencies. You can find your teenager's car by geolocating his/her cell phone in real time if you have the money. So can pedophiles, other low-lifes, schools, employers, and anybody else nosy enough to want to know. No, the 4th Amendment does not apply to private conduct.

8. You think universal "wireless" connectivity is the way to go, huh? A basic legal principle - codified in the Communications Act of 1934 - is that "the airwaves belong to the people." And, those "people" include the government, that government famously, "of the people, by the people and for the people." This means that anything you put out on the airwaves belonging to the people is the property of the people. I have radio frequency scanners, and I can listen to police, fire, F.B.I., C.I.A., air traffic control, virtually anything. The frequencies they use are published in public documents. They sometimes try to use trunked systems or encryption, but if I can track it or decrypt it, I can listen to it. [Yes, there are statutes that prohibit listening to cell phone traffic or selling scanners with that capability. But, those scanners can be purchased in Canada, and the Constitutionality of those statutes is questionable.] Fedora ships Linux with utilities that crack WiFi. Why would you promote wireless? Anybody, including the government, who can hack it is free to do so on the people's airwaves! And, you wouldn't want it any other way. If they can stop you from listening to police, fire, F.B.I., C.I.A., air traffic control or your neighbor's WiFi, it is only a very short step to stop you from watching BBC or receiving TV or radio broadcasts government deems "dangerous" or of value to "terrorists."

Stop dreaming. Learn something. Get a life.

[Yes, by education and historical avocation I am a lawyer. And, I studied constitutional law under Arthur Kinoy, one of the nation's most brilliant constitutional scholars and a founder of the Center for Constitutional Rights in New York. I've practiced at world class law firms, served two NYSE companies as a senior legal executive, and been an international entrepreneur.]

Well said.

But how should we feel about a policy that basically says the government will prosecute infringements on its privacy while at the same time denying ours? Do you think that's overstating it?

"You can find your teenager's car by geolocating his/her cell phone in real time if you have the money. So can pedophiles, other low-lifes,"

Not to take away from your points and arguments but it should probably be noted that children and teens are said to be at far greater risk from family members and others who are close to them in real life, than from random, mysterious, distant stalkers.

"Fedora ships Linux with utilities that crack WiFi."

The tool of choice for that sort of thing seems to have been BackTrack Linux, now re-branded as "Kali Linux".

I have seen speculation that the producer/distributor has less-than-harmless motivations but I have no idea how credible such suspicions are.

"If they can stop you from listening to police, fire, F.B.I., C.I.A., air traffic control or your neighbor's WiFi, it is only a very short step to stop you from watching BBC or receiving TV or radio broadcasts government deems "dangerous" or of value to "terrorists.""

That argument sounds troublingly like that advanced in support of completely unfettered, unrestricted access to firearms. Or any number of other things that enjoy support only from those on fringes of any given ideology or camp.

In the USA, according to the 2nd and 9th amendments, everyone not in prison (see 13th amendment) ARE allowed to have guns, despite any supreme court decisions or state laws. This includes felons, wife beaters, etc.

The problem is that the courts are corrupt, politically motivates, tyrants.

You could try to fight the law in court, but you don't have enough money and even f you did they won't let you win/

You do not need to be a constitutional scholar to understand what is written there.

All laws are subordinate to the bill of rights. IF any law violates them then that law is unconstitutional.

The 9th amendment implies that our rights are subject to old common law - no right to kill, cheat, lie, maim, similar.

A right is not a right if you cannot freely exercise it with impunity.
Anything else is just a privilege.

If TOR used Quantum encryption or even 3 dimensional encryption, no one could decode the transmissions except the recipient of the transmission.

I recent read that the feds cracked HTTPS now. Even that is no longer a safe avenue.

"the Center for Constitutional Rights in New York"

Are you, by any chance, familiar with the radio program "Law and Disorder"?

"I've practiced at world class law firms, served two NYSE companies as a senior legal executive, and been an international entrepreneur."

Have you any regrets or moral qualms, at least about the latter two roles?

(I am fairly convinced that "socially responsible" or "ethical" corporation is an oxymoron.)

I am absolutely forced to chime in that just because things are hashed out in a court and deemed a certain way, does not mean that they live up to a true constitutional legal standard. An example is that the 1st amendment is freedom to say whatever you want, courts have ruled and most people accept not screaming fire in a movie theater. But I believe that most references to amendment rights in the abysmal world you pointed out are to the idealistic forms. ie: the ability to scream fire in a theater regardless of all the legalize one could throw at it is still technically your right.

Internationally speaking our Commander in Chief and all our military personnel swear an oath to put a whooping on anyone who would infringe upon the constitutional rights of its citizens. In real life it may not happen, but idealistically speaking you tell an American on a boat in the ocean he can't be a religion and you would be explaining that to a host of wonderful US Navy vessels shortly thereafter.


August 04, 2013

In reply to by Anonymous (not verified)


Well, that's bullshit. If you would want to hide the fact that you're using Tor, you would have to get rid of Tor Exit Nodes that are known to everyone anyways.
This all just boils down to that short sighted resolve to rather put users in danger than to lose them.

No, that's not it. The fact that your browser is disallowing JS acts as a further filter criterion, on top of the fact that you are a Tor user.

Of course, if the majority of Tor users disabled JS, this metric would change and become ineffective..

"Well, that's bullshit."

No, it is not.

"Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."

Using NoScript with a specific list of white-listed domains might identify you.

Using NoScript with a zero white-listed domains is just not very practical.

"that short sighted resolve to rather put users in danger than to lose them."

No, YOU are short sighted: any user that stops using Tor because it is not working properly is less protected.

Pure stupidity. It is so obvious that Javascript should not be enabled for security. But the Tor developers would rather that your browser fingerprint blends in with 500,000 other rooted people rather than blend in with 10,000 non-rooted people. It doesn't make any sense to me either, and they have been warned months and even years ago not to allow javascript by default, but they didn't listen and now thousands of their users are compromised. I hope it was worth letting retards watch cat videos on youtube.

With all due respect, too many sites on the regular internet will not work correctly without Javascript. So, disabling Javascript by default is bad ju-ju in the real world.

Maybe it's time to start thinking less about disabling Javascript (which from what I have seen is only a vulnerability when paired with Flash or Java) and start focusing on disabling certain functionalities of Javascript.

" it was worth letting retards watch cat videos on youtube "

If you think JS is only for playing videos, then YOU ARE THE RETARDED ONE.

I don't know about that anon, I just updated my bundle a few days ago and my noscript is set to disable Java, although the firefox settings say that it is enabled. A quick check on a Java website test shows that it is infact still disabled, Javascripts are not running!

To anyone that are under these circumstances, the code didn't get injected. Unless it's magical unicorn NSA pony hax. Anyone care to add/detract from the Java enabled in options/disabled on noscript default question? I'm pretty sure Noscript is overriding options anywhere else on the Firefox Tor Browser Bundle.

Question is, how in the world would this hack get your real IP address when it is supposed to be impossible without Flash and Java also being installed to do that?

I'm calling BS on this and I think that we should wait until some real, verifiable information comes out.

According to some FF developers on their site, the exploit used was MFSA-2013-53, so not a 0-day. It was fixed a month ago. If you updated the Tor bundle within a month (if it has FF ver. 17.07), had js disabled, was using an OS other than Windows, the js exploit should not have worked.

The reason they could get your ip is simple, with this exploit they can execute any binary code they want. People on the net have already looked at the so called payload, or shellcode, that the attacker is trying to execute. Instead of installing a keylogger their binary code (shellcode) "just" checks your hostname, MAC and sends it to their server over clearnet, so they get your ip as well.

Slashdot is also mentioning something about a cookie. I haven't researched this part.

It appears that this was 'aimed' at the first Alpha version of the "No Vidalia necessary" TBB.

So, if you had updated your Alpha version (is it setup to notify you if there is a new version?) you were golden.

Do you think if we are using Linux that we are prone to this malware? Or should I format? I just want to be reassured, I only used TorMail and i tried to logon today and was unable to see anything exept a pink background with a small box, it seems as if nothing loaded...How can I be sure that I am not infected, if I am on a linux box?

Very interesting that Tor "just happened" to enable JavaScript in their Browser Bundle so that LE could exploit it. What a incredible unfortunate "coincidence".


August 05, 2013

In reply to by Anonymous (not verified)


While we're playing the conspiracy theory game: can you point at the version of Tor Browser Bundle that shipped with Javascript disabled? I believe this is a myth and it is confusing many people.

To the two FBI agents who are posting in this thread anonymously: Congratulations. You've succeeded in setting us at each other's throats rather than thinking rationally with the evidence your contractors left behind. Go to the Keurig at the canteen and toast to yourselves with crappy coffee.

To everybody else, it would be wise to actually look at the evidence at hand before commenting. There seems to be a lot of people here who are more interested in seeing their words appear in the comments than using their brains.

"To the two FBI agents who are posting in this thread anonymously suck my big hairy cock!!!!!!!!!!!!"

People who say this (i.e., extend invitations to perform fellatio upon them) almost invariably are the same people who then turn around and expect the one(s) whom they claim to love to perform the same act upon them.

Ever think about that?

Either fellatio is a sordid, degrading, dishonorable act (as the insult would imply) or a wholesome, legitimate form of intimacy between people who love each other. It can't be both, now, can it?

Nice that someone thinks about the logical implications of insults. When I used to drive a delivery van in traffic all day, I'd often hold back yelling at someone for the same reason.


August 04, 2013



> Does that say anything about the security of the system? The browser seemed to work normally afterwards...

No. Your browser should have acted normally. Nothing changed. The malicious JS set a cookie and visited some Washington-based IP address, so when non-Tor browsing your IP would be logged using that cookie, or something. It was not malware in the sense that your AV/Anti-malware would detect it.

Everyone: disable JS on Tor, and FFS use NoScript!

This is only half the story. It also employed an javascript heap spraying attack of which the details aren't currently know yet, but presumably use an exploit in Firefox to phone home circumventing Tor altogether.

If you visited one of the hidden services hosted by Freedom Hosting on Firefox on Windows (or at least the Tor Browser Bundle) these past few days, you should assume your anonymity has probably been compromised.

>If you visited one of the hidden services hosted by Freedom Hosting on Firefox on Windows (or at least the Tor Browser Bundle) these past few days

With javascript enabled.