Hidden Services, Current Events, and Freedom Hosting

Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses had disappeared from the Tor Network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, has been breached, or that attackers have placed a javascript exploit on its web site.
A hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don't want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity for the server operator as well.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Hidden service addresses, aka dot onion domains, are cryptographically and automatically generated by the tor software. They look like this: http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository nor registry of addresses. The dot onion address is both the name and the routing address for the services hosted at that dot onion. The Tor network uses the .onion address to direct requests to the hidden server and to route the data from the hidden server back to the anonymous user. The design of the Tor network ensures that the user cannot know where the server is located and the server cannot find out the IP address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block particular .onion addresses.
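As an added illustration of how the address and the key are tied together (this is my example, not code from the post or from the tor software), the following Python derives a version-2 .onion name the way the 2013-era protocol does: the name is the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key, base32-encoded. A client that fetches a descriptor for a name can therefore check the key inside it against the name itself, which is why no registry is needed. The key bytes used here are constructed and are not a real key; the torproject.org address from the text is used only as a syntax-check input.

```python
import base64
import hashlib
import re

# Constructed stand-in for the DER encoding of a hidden service's RSA public
# key. A real key would be the ASN.1 RSAPublicKey structure of a 1024-bit key;
# these bytes are NOT a real key, they just give the example something to hash.
SAMPLE_DER_PUBKEY = bytes(range(140))

# A v2 name is exactly 16 base32 characters (a-z, 2-7) plus ".onion".
V2_ONION_RE = re.compile(r"^[a-z2-7]{16}\.onion$")


def v2_onion_from_der(der_pubkey: bytes) -> str:
    """Derive a version-2 .onion address from a DER-encoded RSA public key.

    The address is the first 80 bits (10 bytes) of SHA-1 over the DER bytes,
    base32-encoded and lowercased: 80 bits / 5 bits per character = 16 chars,
    so no base32 padding appears.
    """
    digest = hashlib.sha1(der_pubkey).digest()
    label = base64.b32encode(digest[:10]).decode("ascii").lower()
    return label + ".onion"


def is_v2_onion(name: str) -> bool:
    """Syntactic check only: does the string have the shape of a v2 address?"""
    return V2_ONION_RE.fullmatch(name.strip().lower()) is not None


def descriptor_matches_address(der_pubkey: bytes, onion_name: str) -> bool:
    """The check a client performs when it fetches a service's descriptor.

    The public key carried in the descriptor must hash back to the name the
    user asked for. Because the name commits to the key, nobody can publish a
    different key under the same name without finding a matching SHA-1 prefix.
    """
    if not is_v2_onion(onion_name):
        return False
    return v2_onion_from_der(der_pubkey) == onion_name.strip().lower()


if __name__ == "__main__":
    addr = v2_onion_from_der(SAMPLE_DER_PUBKEY)
    print("derived address:           ", addr)
    print("shape is valid:            ", is_v2_onion(addr))
    print("torproject.org onion valid:", is_v2_onion("idnxcnkne4qt76tg.onion"))
    # Flipping a single bit of the key yields an unrelated address, so a
    # descriptor carrying the tampered key is rejected for the original name.
    tampered = bytes([SAMPLE_DER_PUBKEY[0] ^ 0x01]) + SAMPLE_DER_PUBKEY[1:]
    print("tampered key accepted:     ",
          descriptor_matches_address(tampered, addr))
```

The 80-bit truncation is what keeps v2 names short; it is also a known weakness of that scheme, which is one reason later (v3) addresses encode the full public key rather than a hash prefix.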
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server so that it injects some sort of javascript exploit into the web pages delivered to users. This exploit is used to load a malware payload to infect users' computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix them if we can.
As for now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.

EDIT: See our next blog post for more details about the attack.

There really isn't much information to provide right now. Basically everything is speculation and guesses. And reports of a few attempts to reverse engineer the exploit. It is not certain the exploit has worked at all.

Seth Schoen

August 04, 2013

What about if you visited some .onion uploading picture sites? I tried a few of them on the third, all were down. Could those sites also be targeted?

Possibly, if they were hosted by Freedom Hosting. From the reports I have seen, only a few sites were infected with this malicious javascript exploit, not all sites from Freedom Hosting.

Seth Schoen

August 04, 2013

okay, so im a little confused. if i use tor exclusively to visit onion sites and not do personal email, facebook, etc. am i still revealed? or do you have to do all that stuff in tor to be affected by this?

If you visited one of the affected .onion sites with Javascript enabled (the default), and running on Windows, you may have been revealed. No other usage of Tor Browser is required for the exploit to work.

Seth Schoen

August 04, 2013

So apparently I disallowed scripts in NoScript but had Javascript activated in the browser. Many complaints seem to be targeted at having NoScript deactivated by default. But does it also block Javascript when blocking "all scripts"?

In a nutshell, no.

The longer answer is this. In earlier versions of Tor, javascript was disabled by default (can't remember if it was the browser or NoScript, but one had javascript disabled). The Tor Project then removed this in a later update to make Tor more user friendly and announced it on the Tor site. A lot of users seem to have missed this update (especially as users tend to download the update when prompted to on starting Tor and don't necessarily read the release notes).

OK, I can see how disabling JS globally would make the browsing experience of the user rather, uhm, unpleasant.

But why not ship the TBB with a NoScript rule that disables JS on the .onion sites only?

NoScript's whitelist and blacklist feature doesn't work for top-level domains, but you can add ABE rules to disable all possibly dangerous content on .onion sites:

Open NoScript's option window, click the "Advanced" tab, then the "ABE" sub-tab.
On the left, choose the USER ruleset, and add the following lines:

    ## Rules for loading Onionland content
    Site .onion
    # Sandbox all .onion site requests
    Sandbox from SELF+
    Sandbox from .onion
    # Prevent embedding Onionland content in Clearnet pages.
    Deny from ALL

    ## Catch-all rules for content not matched above
    ## Always put these at the end of the ruleset!
    Site *
    # Prevent embedding Clearnet content in Onionland pages
    Deny from .onion
    # Default policy for Clearnet content
    Accept from ALL

Note that the "Sandbox" directive will also disable iframes, which might result in an empty page. Looking at the HTML source code might help in those cases.
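To make the policy in this ruleset concrete, here is an added example (my own code, not NoScript's engine and not part of the comment above) that parses the ruleset and evaluates it for an origin page and a requested resource. It is a simplified model of ABE's matching: Site blocks are tested in order against the request's destination, the first matching block's "from" predicates are tested in order against the origin, and SELF+ is taken to mean the same host or a subdomain of it; a request that matches no predicate is treated as Accept. The hostnames in the usage call are constructed.

```python
from urllib.parse import urlsplit

# The ABE USER ruleset from the comment above, reproduced verbatim.
ONION_RULESET = """
## Rules for loading Onionland content
Site .onion
# Sandbox all .onion site requests
Sandbox from SELF+
Sandbox from .onion
# Prevent embedding Onionland content in Clearnet pages.
Deny from ALL

## Catch-all rules for content not matched above
## Always put these at the end of the ruleset!
Site *
# Prevent embedding Clearnet content in Onionland pages
Deny from .onion
# Default policy for Clearnet content
Accept from ALL
"""


def parse_ruleset(text):
    """Return an ordered list of (site_pattern, [(action, [sources]), ...])."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank line or comment
        if line.startswith("Site "):
            blocks.append((line[len("Site "):].strip(), []))
            continue
        action, sep, sources = line.partition(" from ")
        if not blocks or not sep or not sources.strip():
            raise ValueError(f"unexpected rule line: {raw!r}")
        blocks[-1][1].append((action.strip(), sources.split()))
    return blocks


def _host(url):
    return (urlsplit(url).hostname or "").lower()


def _site_matches(pattern, host):
    """'*' matches everything; a leading-dot pattern matches that suffix."""
    if pattern == "*":
        return True
    if pattern.startswith("."):
        return host.endswith(pattern)
    return host == pattern


def _source_matches(source, origin_host, dest_host):
    # Simplified model of ABE's source keywords (an assumption of this example).
    if source == "ALL":
        return True
    if source == "SELF":
        return origin_host == dest_host
    if source == "SELF+":
        return origin_host == dest_host or origin_host.endswith("." + dest_host)
    return _site_matches(source, origin_host)


def decide(ruleset, origin_url, dest_url):
    """Return 'Accept', 'Deny' or 'Sandbox' for a load of dest_url by origin_url."""
    origin_host, dest_host = _host(origin_url), _host(dest_url)
    for site_pattern, rules in ruleset:
        if not _site_matches(site_pattern, dest_host):
            continue
        for action, sources in rules:
            if any(_source_matches(s, origin_host, dest_host) for s in sources):
                return action
        return "Accept"  # matching Site block, but no predicate applied
    return "Accept"  # no Site block matched at all


if __name__ == "__main__":
    rules = parse_ruleset(ONION_RULESET)
    # Constructed origin/destination pairs covering each branch of the policy.
    cases = [
        ("http://idnxcnkne4qt76tg.onion/", "http://idnxcnkne4qt76tg.onion/app.js"),
        ("http://abcdefghijklmnop.onion/", "http://idnxcnkne4qt76tg.onion/pic.png"),
        ("https://example.com/", "http://idnxcnkne4qt76tg.onion/pic.png"),
        ("http://idnxcnkne4qt76tg.onion/", "https://example.com/tracker.js"),
        ("https://example.com/", "https://cdn.example.com/lib.js"),
    ]
    for origin, dest in cases:
        print(f"{decide(rules, origin, dest):8} {origin} -> {dest}")
```

The ordering matters exactly as the comment's "Always put these at the end" warning says: the catch-all Site * block would swallow every request if it came first, and the .onion block would never be consulted.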

From my knowledge yes. NoScript blocks every script including Javascript even if it's activated in the browser. If you install NoScript in the normal browser and block all scripts, you will see that it blocks the actions of Javascript also, even if it's activated in the browser options.

Seth Schoen

August 04, 2013

THIS EXPLOIT TARGETS KIDDIE PORN VIEWERS ONLY. If that's not you, you have nothing to worry about.

It may only have targeted child porn viewers yet. But your reasoning is very dangerous. They may have a working deanonymizing exploit against all Tor users.

No silly This whole thing is a global psy-op. It affects every single human including you. The CP factor is to justify atrocities against humanity. You really think big brother has justice in mind when running these ops? They run the CP rings for christ sakes! We've all been fooled. We have allowed the true enemy of mankind to grow to unstoppable proportions. Absolute enslavement is pending and nearly inevitable.

Seth Schoen

August 04, 2013

Let me ask something, hypothetically speaking what would happen if: Java is enabled but Javascript is disabled? or vice versa?

And is it safe to assume that if both were disabled then the user is safe?

I don't think you can activate Java in Tor Browser Bundle.

If Javascript was deactivated you are safe against this exploit either way, as it doesn't use Java. There are many other exploits against Java however.

The more simplified any technology is, the fewer vectors exist for an attacker, hence the more secure, but the less capable: some sites may not work entirely well.

The method I use is to turn things off until you find something that is required. Until you confront that something that requires something you turned off, don't turn it back on again.

Totally agree. You simply cannot shut down sites on Freenet, no matter what. And it is harder to exploit, and maybe harder to track original uploaders of content.

Seth Schoen

August 04, 2013

It was aimed at CP/pedos.. But from what I can gather all sites from freedom hosting were targeted. The recent versions of TOR bundle enabled JavaScript. So if you didn't manually disable it, and visited any of the downed sites it sent your real IP to the FBI etc. Not much to worry about if you aren't doing anything wrong, but now your IP and computer MAC address are on file. This MAC address links you to Facebook, email etc (I presume) So you just got done with a sticky hand near the honey pot.

Hitler began by persecuting "undesirables" too, and ended up destroying his country, and taking tens of millions of innocent lives down with him.

Germans accepted the persecution of those deemed unsavory, not realizing it would ultimately lead to their own destruction. 20 million Germans died, all told. About the same number of Russians.

What do you think will happen to America if we head down that same road?

Erm... Stalin's Russia was over 60 million, not 20 mate. And what do you mean *if* USA? They are the nation in history who have killed the most people! Only Russia and China have killed more people, which were mainly their own however. Since WW2, US has murdered and killed 37 million people roughly. Just in Afghanistan and Iraq now? Not too far off half of the number of jews, gypsies, and others massacred by the Nazis. Concentration camps, invasion, torture, abduction to those concentration camps, 'people are not human', fuck the Geneva convention, put in place to avoid nazi style atrocities again.. but no.. US is a neo-liberal fascist state.. which is not as bad as Nazi Germany.. perhaps but it certainly is neo-nazism. And whilst you're at it, you can watch The Afghan Massacre, the convoy of death to start off with.

Now, "They were targeting child porn viewers and participators". Ye, good, and I hope they bring em all in.. guess any notable US serviceman or so will be noticeably missing... and cult peeps, the ones who perform a lot of this I'm guessing. Where have all these 5000 arrests gone then? WTF... I refuse to believe they are THAT transparent and just are making this freedom hoster a target due to what was on the servers. Seriously, they seem to not have given a fuck after all about children eh :/

Seriously.. go and fucking BURN IN HELL US... your day will come, and when it does, you will never fucking be wanted in this world again.

Seth Schoen

August 04, 2013

Yet another attempt of the government to spy that will backfire in its face.

Thank you Tor and Tor developers for this useful post. Keep up the good work!

Seth Schoen

August 04, 2013

Stop saying it only affects child porn lookers. Tor Mail is not child porn. I had a Tor Mail account, I tried to access it, and now I'm tied up with pedos.

Not really. That is like saying that if you hosted with a server company that was found to be hosting child pornography that wasn't on the Deepweb, that you are automatically guilty of trading in child pornography and supporting that.

Seth Schoen

August 04, 2013

i don't think they are going to come after anyone who just happened to browse upon one of these or TorMail i think they're looking for distributors of this stuff. otherwise there will be a lot of people going to jail over this. so i think we all have nothing to worry about at all. i hope i'm right.

Seth Schoen

August 04, 2013

Good morning everyone.

I think it's best to organize concerns into 3 different risk categories:

Low Risk
Moderate Risk
Fucked

Let's start with Fucked. You accessed and possibly surfed the child pornography website on Freedom Host within the last few days using TBB. Your curiosity and/or perversions have finally gotten the best of you and now you may have a raid on your hands. Please do a search on this page for:

"OK so how do i ride my PC of this if i got it anyone? from Tor mail?"

Mind the quotation marks and check the response to the question. It's a very good response IMHO. Please note that it appears that this vulnerability was targeting Windows systems. It's possible but has not been confirmed that there is any danger towards Linux users.

Moderate Risk:
You've accessed other onion sites hosted by Freedom Host (such as tormail) within the past few days. There is a possibility that the javascript gift the feds spread across the server has infected your browser. If you're using a VPN you should be fine. Keep an eye on your accounts or delete them.

Low Risk.
You're just using tor but haven't really been to any onion sites at all. Your only concern should be whether or not you want to disable javascript. There has been a debate about that. See: https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled

This is just a quick break down of concerns. If anyone has corrections or more information to add please reply.

***One other thing. I believe that this should be a wake up call to the Tor Community that the fed machine is getting a bit out of control. To ensure that online anonymity is maintained, we must begin to innovate new technologies. Otherwise, the Eye of Sauron will know all.

Seth Schoen

August 04, 2013

I'm seeing many mentions this exploit was designed to work for Windows NT & maybe Linux.

Anyone got any idea if it would work similarly on Mac OSX? Or would that nix it?

Also if one was accessing Tor through a VPN at the time, would the exploit reveal the VPN IP, or the real IP?

Thanks.

If you had JavaScript enabled but used Tor through a non-logging VPN you would have been safe as the exploit would have returned only the VPN's IP.

Seth Schoen

August 04, 2013

The main problem we have is that grievous hackers are getting paid thousands of dollars by Governments to find flaws in our communications systems.

The spies are in our communities!

http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-…

http://www.forbes.com/sites/andygreenberg/2012/03/21/meet-the-hackers-w…

http://www.nytimes.com/2013/07/14/world/europe/nations-buying-as-hacker…

Seth Schoen

August 04, 2013

I don't see why everyone is so fucking paranoid. If you KNOW you're viewing illegal shit online then you should have been prepared before hand to set up a proxy/vpn before even using TOR. Nothing is safe.
Use a virtual box next time with a socks5 before you connect to Tor. You'll be fine little children.

Not everyone has the knowledge to set up a virtual box in a safe way without making any mistakes, or configuring an extra hop using a non-tor proxy/vpn.

By the way, single hop proxies like VPNs don't really provide much additional anonymity.

I guess the Internet's already forgotten that HideMyAss was the first VPN provider to get caught spying for the FBI (re: AntiSec).

Seth Schoen

August 04, 2013

I have the Tor Browser Bundle for Mac. It's a version released sometime at the end of 2012. It appears NoScript has been working correctly for me.

A few days ago, I tried to run it. Vidalia opened and connected. The icon for the Tor Browser opened, but closed before the browser appeared. It did this several times.

I've been reading everyone saying that the exploit only works on Windows, and not Linux, but no one mentions Mac. Could I be infected? I don't remember visiting any sites that showed error or maintenance messages.

It seems this particular exploit was written for Windows users. But if you're using a TBB from 2012, for god's sake upgrade -- you are vulnerable to many other potential attacks.

Seth Schoen

August 05, 2013

supposedly ed snow leaked to the guard via tor. has anyone said how it was pinned on him so fast?