Tor and the Silk Road takedown

by arma | October 02, 2013

We've had several requests by the press and others to talk about the Silk Road situation today. We only know what's going on by reading the same news sources everyone else is reading.

In this case we've been watching carefully to try to learn if there are any flaws with Tor that we need to correct. So far, nothing about this case makes us think that there are new ways to compromise Tor (the software or the network). The FBI says that their suspect made mistakes in operational security, and was found through actual detective work. Remember: Tor does not anonymize individuals when they use their legal name on a public forum, use a VPN with logs that are subject to a subpoena, or provide personal information to other services. See also the list of warnings linked from the Tor download page.

Also, while we've seen no evidence that this case involved breaking into the webserver behind the hidden service, we should take this opportunity to emphasize that Tor's hidden service feature (a way to publish and access content anonymously) won't keep someone anonymous when paired with unsafe software or unsafe behavior. It is up to the publisher to choose and configure server software that is resistant to attacks. Mistakes in configuring or maintaining a hidden service website can compromise the publisher's anonymity independent of Tor.

And finally, Tor's design goals include preventing even The Tor Project from tracking users; hidden services are no different. We don't have any special access to or information about this hidden service or any other. Because Tor is open-source and it comes with detailed design documents and research papers, independent researchers can verify its security.

Here are some helpful links to more information on these subjects:

Technical details of hidden services:
https://www.torproject.org/docs/hidden-services

Our abuse FAQ:
https://www.torproject.org/docs/faq-abuse

For those curious about our interactions with law enforcement:
https://blog.torproject.org/category/tags/law-enforcement
https://www.torproject.org/docs/faq#Backdoor

Using Tor hidden services for good:
https://blog.torproject.org/blog/using-tor-good

Regarding the Freedom Hosting incident in August 2013, which is unrelated
as far as we can tell:
https://blog.torproject.org/blog/hidden-services-current-events-and-fre…

Some general hints on staying anonymous:
https://www.torproject.org/about/overview#stayinganonymous

The Tor Project is a nonprofit 501(c)(3) organization dedicated to providing tools to help people manage their privacy on the Internet. Our focus continues to be in helping ordinary citizens, victims of abuse, individuals in dangerous parts of the world, and others stay aware and educated about how to keep themselves secure online.

The global Tor team remains committed to building technology solutions to help keep the doors to freedom of expression open. We will continue to watch as the details of this situation unfold and respond when it is appropriate and useful.

For further press related questions please contact us at execdir@torproject.org.

Tags
tor
hidden services
fbi
silk road
operational security
download warnings

>>and the fact that you intentionally make these illegal sites easy to find.

What "fact" is this (other than being in your immagination)?

Anon

Anonymous (not verified) said:

October 06, 2013

Permalink

arma,
I share your frustration with dealing with "takers" whose only motivations are to complain and bemoan the work you have done. I pledge to get educated on the issues and start contributing more to the project and on behalf of privacy rights. Thank you for what you do in this critically important area.

Anon

Anonymous (not verified) said:

October 06, 2013

Permalink

i am not the smartest person .. but i wouldnt use tor to access any site or do anything i am not suppose to do from my home internet... or any isp that i pay for with my credit card.. this has to lead to failure in any situation.. this is what prepaid internet wifi is for... go out buy a internet stick .. log in thru a vpn and dont login from anywhere u live.. simple if u are in a car traveling on vpn on prepaid on tor thats alot of investigating ... or just dont do anything you can get in trouble for

Anon

Anonymous (not verified) said:

October 07, 2013

Permalink

I have just came apon Tor and I must say great job. I'm not a super noligable person with how code and all the other jumbo you guys are talking about. And understand all the debate of is this a flaw, weak point, ext. But from the news lately on the Government that help build most of the Internet Security. You I would asume you are way ahead of Google, Firefox, IE, Ect. And would be a model of which to follow and improve off of. So you sir and "yor" TOR team fucking rock in my mind and thanks for your fore thought and prepping for these days to come after every one realized fuck the government dooped us and all of our users out there. And from what I understand the government employes majority of the minds that could rebuild or plug the wholes that the government had them put in! So thanks for the hard work you should get a public service award or the nobel prize!

Anon

Anonymous (not verified) said:

October 09, 2013

Permalink

Torr Is GReat!!! FUck FBI!!!!!

How can I run an obfs3 bridge?

https://www.torproject.org/projects/obfsproxy-debian-instructions might help?

Hi arma, hi all.

There is actually a way to compromise the system, broke into and determine real IP address of the hidden services -- http://www.i2p2.de/how_threatmodel.html#intersection (Intersection attack). However, it is only feasible if an attacker has a lot of resources in its disposal. "Perfectly" achievable in the case of government or really huge corporation. Ordinary person simply don't have such amount of resources.

So, there is a legitimate reason to think that owners of both Silk Road and Freedom Hosting were captured by this attack. FBI lies that they made this through detective investigation. Very sad but true: there's no way to resist against this type of attack, neither Tor nor I2P couldn't resist.

You may also skip through the threat model description page to figure out more insightful things.

Cheers.

There are actually some easier attacks than this one that work against Tor (and probably against I2P and others too).

https://media.torproject.org/video/25c3-2977-en-security_and_anonymity_… has a pretty good overview from a few years ago.

The interesting point here is that it looks like there's even *lower* hanging fruit, in the form of endpoint software vulnerabilities, and that's what adversaries of this size keep choosing (or if you want to get into the next level of paranoia, keep trying to convince us they're choosing).

Guys all of you can calm down, the webhost ip address was found using the the following "bug" (the mistake of DPR in this case):

It is an information leak on the Silk Road server. It appears somebody located a debug or info screen on the Silk Road server that dumped configuration and environment variables. Some possibilities:

The output of Apache's mod_status (example)
Output of phpinfo() (example)
A custom debug page that is part of the Silk Road application

It could have been found by checking known locations of status and debug pages or checking common locations (eg. /phpinfo.php).

This means there is no way to exploit TOR. Also it confirms this blog post, TOR can't stop the FBI from finding the ip address that is being dumped because of the mistake of the site's owner.

More info at: http://security.stackexchange.com/questions/43266/in-the-silkroad-taked…

Well, this recent article sums up a lot:
http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-networ…

Up to date comment:
http://www.theguardian.com/world/2013/oct/04/nsa-gchq-attack-tor-networ…

Does anyone know WHICH VPN provider this guy was using? Many of them claim to not log/store IP addresses, but now I am beginning to wonder...

hey there is no100% security on line u all theres is safe safer and near imposible to hack but if its man made another man can hack u so here is my sujestion way the risksWhat ur desires are and do ur own computations as far as risk and the risk u wana take

WAS/is accessing SR/other hidden services thru orbot just as safe as thru the tor browser?

Alas, probably not.

TBB does many things that Orbot hasn't finished doing yet.

https://www.torproject.org/projects/torbrowser/design/

Yea I agree but until we get a faster pipelines to the Tier 1 Networks of which there are only 13 or so worldwide. Tor won't be any faster. Not to mention ISP have to get on board which most haven't yet. How many Gigabit service providers do you know which aren't in South Korea or maybe Japan lol. We don't have that kind of penetration yet here as they do in South Korea which is at close to 90% last I heard. Here I have a radical idea which might just work. Strangely enough this has been done in some third world countries which don't have much access to the web.

I remember reading something somewhere about some community in Africa. They set up their own private internet using Radio transmission antennas? The range isn't all that great but I have heard small community which have the system in place get pretty good speed. However if you connect from this system to the normal web then your identity is compromised. However some of you guys I am sure could work Tor into that. Mobile private networks are really the future outside of an ISP's control. Probably some time away yet though. Some of you guys probably know more about this then I do as I just remember reading it awhile back but not sure where. Well just an idea is all.

Did anybody else think it was fishy that Mozilla departed from their norm (and have now switched back) to distributing a Tor browser with Javascript defaulting ON. This fitted nicely with the Javascript hack that revealed the origin of hidden site connections.

Also, the LEO's did hack legal sites as well as illegal.

So Mozilla will sell out and LEO's will act illegally if they are anonymous.

> Did anybody else think it was fishy that Mozilla departed from their norm (and have now switched back) to distributing a Tor browser with Javascript defaulting ON

Citations please?

(I hope that in trying to track down your facts you will run across the fact that Mozilla doesn't distribute Tor Browset at all, and then you'll go check some more of them.)

http://motherboard.vice.com/blog/tor-is-less-anonymous-than-you-think

https://blog.torproject.org/blog/improving-tors-anonymity-changing-guar…

Some of the posts (smelling of paranoia) convince me that the kind of world they show we will be living in, in futuristic/sci-fi movies may actually become reality... :)

Before some of you come out with all your artillery and murder me with with your posts, I take off.

Relax and have fun in life!!

The Silk Road and Freedom Hosting busts were both a result of NSA spying. Why do you think Marques planned to flee the country after reading the Snowden leaks.

The NSA took him down because he was planning to flee. They were content to just sit there monitoring him until the Snowden leaks (because we all know they're more interested in power and couldn't care less about actual drugs or child porn).
The so-called police work that ended in the arrests and shutdowns of both Freedom Hosting and The Silk Road were nothing but a smokescreen.

I hope there is some sort of evidence to show what really happened. Or at least I hope to see some tech savvy reporters actually ask a few questions rather then giving American law enforcement the benefit of the doubt (which is just insanity at this point).

We make the mistake of believing it doesn't matter how someone is busted so long as we're all sure they're guilty. It matters greatly! In fact I'm MORE concerned with these "don't ask don't tell" cases that both sides of the debate can't be bothered arguing about because they're both equally disgusted by the victims. It shouldn't matter!

The most pathetic aspect of all of this is that I'm sure both busts were more to do with trying to attack Bitcoin then anything else. Ask Saddam Hussein what happens when you screw with the almighty USD! Oh wait.

I check TOR sites and the deep web every so often just to see how much has been taken down. I believe there is a lot of criminal activity that needs to be put to a stop from peds to drugs to weapons. I am very happy the government is working hard to bring an end to it. It's not that I don't believe in privacy, I just do not believe in allowing criminals to have a free reign on their evil plots. I hope Tor does not get brought down, just those who use it to break laws.