Thoughts and Concerns about Operation Onymous

What happened

Recently it was announced that a coalition of government agencies took control of many Tor hidden services. We were as surprised as most of you. Unfortunately, we have very little information about how this was accomplished, but we do have some thoughts which we want to share.

Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of Torservers.net disappeared and there is another report by an independent relay operator. If anyone has more details, please get in contact with us. If your relay was seized, please also tell us its identity so that we can request that the directory authorities reject it from the network.

But, more to the point, the recent publications call the targeted hidden services seizures "Operation Onymous" and they say it was coordinated by Europol and other government entities. Early reports say 17 people were arrested, and 400 hidden services were seized. Later reports have clarified that it was hundreds of URLs hosted on roughly 27 web sites offering hidden services. We have not been contacted directly or indirectly by Europol nor any other agency involved.

Tor is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissidents. We are also interested in learning why the authorities seized Tor relays even though their operation was targeting hidden services. Were these two events related?

How did they locate the hidden services?

So we are left asking "How did they locate the hidden services?". We don't know. In liberal democracies, we should expect that when the time comes to prosecute some of the seventeen people who have been arrested, the police would have to explain to the judge how the suspects came to be suspects, and that as a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical internet-facing services. We know through recent leaks that the US DEA and others have constructed a system of organized and sanctioned perjury which they refer to as "parallel construction."

Unfortunately, the authorities did not specify how they managed to locate the hidden services. Here are some plausible scenarios:

Operational Security

The first and most obvious explanation is that the operators of these hidden services failed to use adequate operational security. For example, there are reports of one of the websites being infiltrated by undercover agents and the affidavit states various operational security errors.

SQL injections

Another explanation is exploitation of common web bugs like SQL injections or RFIs (remote file inclusions). Many of those websites were likely quickly-coded e-shops with a big attack surface. Exploitable bugs in web applications are a common problem.

Bitcoin deanonymization

Ivan Pustogarov et al. have recently been conducting interesting research on Bitcoin anonymity.

Apparently, there are ways to link transactions and deanonymize Bitcoin clients even if they use Tor. Maybe the seized hidden services were running Bitcoin clients themselves and were victims of similar attacks.

Attacks on the Tor network

The number of takedowns and the fact that Tor relays were seized could also mean that the Tor network was attacked to reveal the location of those hidden services. We received some interesting information from an operator of a now-seized hidden service which may indicate this, as well. Over the past few years, researchers have discovered various attacks on the Tor network. We've implemented some defenses against these attacks, but these defenses do not solve all known issues and there may even be attacks unknown to us.

For example, some months ago, someone was launching non-targeted deanonymization attacks on the live Tor network. People suspect that those attacks were carried out by CERT researchers. While the bug was fixed and the fix quickly deployed in the network, it's possible that, as part of their attack, they managed to deanonymize some of those hidden services.

Another possible Tor attack vector could be the Guard Discovery attack. This attack doesn't reveal the identity of the hidden service, but allows an attacker to discover the guard node of a specific hidden service. The guard node is the only node in the whole network that knows the actual IP address of the hidden service. Hence, if the attacker then manages to compromise the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service. We've been discussing various solutions to the guard discovery attack for the past many months but it's not an easy problem to fix properly. Help and feedback on the proposed designs is appreciated.

*Similarly, there exists the attack where the hidden service selects the attacker's relay as its guard node. This may happen randomly or this could occur if the hidden service selects another relay as its guard and the attacker renders that node unusable, by a denial of service attack or similar. The hidden service will then be forced to select a new guard. Eventually, the hidden service will select the attacker.

Furthermore, denial of service attacks on relays or clients in the Tor network can often be leveraged into full de-anonymization attacks. These techniques go back many years, in research such as "From a Trickle to a Flood", "Denial of Service or Denial of Security?", "Why I'm not an Entropist", and even the more recent Bitcoin attacks above. In the Hidden Service protocol there are more vectors for DoS attacks, such as the set of HSDirs and the Introduction Points of a Hidden Service.

Finally, remote code execution exploits against Tor software are also always a possibility, but we have zero evidence that such exploits exist. Although the Tor source code gets continuously reviewed by our security-minded developers and community members, we would like more focused auditing by experienced bug hunters. Public-interest initiatives like Project Zero could help out a lot here. Funding to launch a bug bounty program of our own could also bring real benefit to our codebase. If you can help, please get in touch.

Advice to concerned hidden service operators

As you can see, we still don't know what happened, and it's hard to give concrete suggestions blindly.

If you are a concerned hidden service operator, we suggest you read the cited resources to get a better understanding of the security that hidden services can offer and of the limitations of the current system. When it comes to anonymity, it's clear that the tighter your threat model is, the more informed you need to be about the technologies you use.

If your hidden service lacks sufficient processor, memory, or network resources, the DoS-based de-anonymization attacks may be easy to leverage against your service. Be sure to review the Tor performance tuning guide to optimize your relay or client.

*Another possible suggestion we can provide is manually selecting the guard node of a hidden service. By configuring the EntryNodes option in Tor's configuration file, you can select a relay in the Tor network that you trust. Keep in mind, however, that a determined attacker will still be able to determine that this relay is your guard, and all other attacks still apply.
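A small checker for the EntryNodes advice above, added here as an example; it is not code from the original post or from the Tor project. It reads a torrc fragment and reports whether the guard is pinned by a $fingerprint or only by a (non-unique) nickname, and whether StrictNodes 1 accompanies it. The service paths and the fingerprint are constructed placeholders, and the block assumes that StrictNodes is what turns EntryNodes from a preference into a requirement.

```python
"""Lint the guard-pinning settings of a torrc fragment.

Added example for the EntryNodes advice in the post; not code from the
Tor project. Assumption: StrictNodes 1 is what turns EntryNodes from a
preference into a hard requirement.
"""
import re

# Constructed torrc fragments (paths and fingerprint are placeholders).
WEAK_TORRC = """\
HiddenServiceDir /var/lib/tor/hs_example/
HiddenServicePort 80 127.0.0.1:8080
# Guard pinned by nickname only, and StrictNodes left at its default.
EntryNodes trustedguard
"""

HARDENED_TORRC = """\
HiddenServiceDir /var/lib/tor/hs_example/
HiddenServicePort 80 127.0.0.1:8080
# Placeholder: use the 40-hex identity fingerprint of a relay you run or trust.
EntryNodes $0123456789ABCDEF0123456789ABCDEF01234567
StrictNodes 1
"""

# $<40 hex digits>, optionally followed by ~nickname or =nickname.
FINGERPRINT_RE = re.compile(r"^\$[0-9A-Fa-f]{40}(?:[~=][A-Za-z0-9]{1,19})?$")
# A bare relay nickname: 1-19 alphanumerics, not guaranteed to be unique.
NICKNAME_RE = re.compile(r"^[A-Za-z0-9]{1,19}$")


def parse_torrc(text):
    """Return (key, value) pairs; comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        entries.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
    return entries


def lint_entry_nodes(text):
    """Return a list of findings about how the first hop is pinned.

    An empty list means every EntryNodes entry is a $fingerprint and
    StrictNodes is 1. The findings are warnings, not a guarantee of
    anonymity: a pinned guard can still be identified by an attacker.
    """
    cfg = {}
    for key, value in parse_torrc(text):
        cfg.setdefault(key, []).append(value)

    if "EntryNodes" not in cfg:
        return ["no EntryNodes set: Tor chooses guards automatically (the default)"]

    findings = []
    for spec in cfg["EntryNodes"]:
        for node in re.split(r"[,\s]+", spec):
            if not node or FINGERPRINT_RE.match(node):
                continue
            if NICKNAME_RE.match(node):
                findings.append(
                    f"{node}: pinned by nickname only; nicknames are not unique, "
                    "pin by $fingerprint instead")
            else:
                findings.append(
                    f"{node}: not a single relay (country code or address pattern), "
                    "so the guard is not a specific trusted relay")

    # If StrictNodes appears more than once, take the last line.
    if cfg.get("StrictNodes", ["0"])[-1] != "1":
        findings.append(
            "StrictNodes is not 1: EntryNodes is treated as a preference, "
            "so Tor may fall back to other guards (assumed behaviour)")
    return findings


if __name__ == "__main__":
    for name, torrc in (("weak", WEAK_TORRC), ("hardened", HARDENED_TORRC)):
        print(name, lint_entry_nodes(torrc) or ["ok"])
```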

Final words

The task of hiding the location of low-latency web services is a very hard problem and we still don't know how to do it correctly. It seems that there are various issues that none of the current anonymous publishing designs have really solved.

In a way, it's even surprising that hidden services have survived so far. The attention they have received is minimal compared to their social value and compared to the size and determination of their adversaries.

It would be great if there were more people reviewing our designs and code. For example, we would really appreciate feedback on the upcoming hidden service revamp or help with the research on guard discovery attacks (see links above).

Also, it's important to note that Tor currently doesn't have funding for improving the security of hidden services. If you are interested in funding hidden services research and development, please get in touch with us. We hope to find time to organize a crowdfunding campaign to acquire independent and focused hidden service funding.

Finally, if you are a relay operator and your server was recently compromised or you lost control of it, please let us know by sending an email to bad-relays@lists.torproject.org.

Thanks to Griffin, Matt, Adam, Roger, David, George, Karen, and Jake for contributions to this post.

Updates:
* Added information about guard node DoS and EntryNodes option - 2014/11/09 18:16 UTC

Seth Schoen

November 10, 2014

I'm new to TOR, but I know spin doctoring and propaganda. From what I'm reading, they took down 27 servers, but instead of saying "we've taken down 27 servers recently" they counted each and every URL on those servers and announced that through "Operation Onymous" they "took down over 400 hidden sites" ... etc ... etc ...

It's possible that these agencies have TOR all figured out and we're all screwed. However, if that were the case, they wouldn't announce it or try to overstate the size or success of the operation. Instead, they'd seek to downplay it so people, especially criminals, would still feel comfortable using TOR. Otherwise, TOR users would get paranoid and take extra security precautions which would make the agency's job that much harder in the future.

One example would be how long it was after the FBI took down the original silk road site before it became public knowledge that a leaky captcha was to blame. Although some of you techies were on to it earlier, it was clear that the FBI wasn't out there announcing their little secret willingly.

Here, I think it's the opposite. Law enforcement agencies have goals of not only catching who they view as criminals, but of prevention as well. You also have surveillance agencies that just want your data and don't give a sh*t whether you're a criminal, a hero, or something in between. These goals would be easier if they could scare people away from using TOR.

So they scoop up 27 poorly secured servers, inflate the importance of this by announcing that they shut down over 400 individual URLs, and they brand it with a catchy operation name to get the conspiracy nuts to hyperventilate. This way they convince everyone that there is no sense in going through the hassle of anonymizing your internet presence because services like TOR do not work anyway.

Of course, I think it's important to investigate and see how they managed to get the 27 servers, and I think it's important for everyone to donate to the TOR project to get it back on its feet in full force to fix any issues like this as they arise. However, I wouldn't want to see this cause some panic that turned away potential users of the service since I think that was the point of the whole endeavor by the agencies involved and I think the core reason for the whole thing was because TOR actually works when it's used properly.

ok, let's rephrase: these terrorists from gov agencies have just one purpose - terror.
and 'properly used' -> means more entry guards and more relays?
look, in their insane minds - if your comp is _not_ compromised by newest 0-day virus -> you _are_ comp spec and potential tor user so let's go and get you!!
so should all tor users _install_ latest viruses from nsa? to be like all others?

Seth Schoen

November 10, 2014

Before if I could download a PDF and read it when I am offline but now it downloads and opens straight away. I am wondering about the implication to my anonymity now. TBB version 4.0.

I believe your change in PDF behavior is because the newer TBB is based on Firefox 31 which has built-in support for PDF. As a result, TBB itself now supports PDF.

An earlier TBB was based on Firefox 24. Then PDF viewing depended on downloading and then using whatever independent PDF app was running on your operating system to view the document.

if you activate those links while reading outside of tor... if the links fetch or activate or... while reading pdf in tor, then all url visits are inside tor,

Seth Schoen

November 11, 2014

Hello,

don't you think it's simple to just flood hidden services with recognizable amounts of requests and check where they arrive? You do it with different intervals and amounts, you draw a graph and compare on the network devices (and you have access to those devices if you are the government).

Also the guys caught were not really keeping secret who they are. Using facebook, gmail, etc. Good joke.

Seth Schoen

November 11, 2014

Wow, not a single mention of "illegal" in your blog posting. Maybe have some thoughts about the legality of the services offered with your technology and just stop offering services that can easily be abused by criminals? Just a thought ...

Should everybody write long list "legal - usa; legal - gb, illegal - china, illegal -russia, legal - nigeria, illegal -india, illegal - italy etc." ??
"ISPs in the US and Thailand intercepting their customers' data to strip a security" - is it legal or illegal and where? It's just a noisy pr word. Well such 'service' can easily be abused by criminals from nsa.

Seth Schoen

November 11, 2014

I don't think you can be anonymous from any fixed location like your home, business, etc. You can be anonymous by using someone else's connection although terming that "anonymous" is a bit of a misnomer. Stolen or a fraudulent identity might be a more correct term. Think Linux Live distros for jumping on the net via someone else's open unsecured wi-fi or whatever and if you're really paranoid, make sure you can swap out your memory chips in your laptop when you are through with using someone else's connection for some nefarious reasons. The object is no record, no history, nothing on your machine.

All this doesn't mean they can't (or won't) plant something on your machine if they really want you.

But be very aware of surveillance cameras around frequently touted "free wifi" with Cheeseburgers locations. Always seems to be a lot of cameras in the mix.

Seth Schoen

November 11, 2014

All these people got busted because of their hosting provider. The DDoS attack is unrelated.

Hetzner is like all big companies in Germany, in Europe and in the USA forced and paid gold by the local NSA (the BND) to run a grep-like tool on the disks of their customers. A simple pattern like .onion will show all hosts with contents somehow related with Tor and it's quite easy to detect and bust hidden services in this way, though at a random success rate.

How can anyone in his mind use provider's disks to keep anything private? Look at latest breakage in openssl web site! Doesn't anybody know all the so called 'cloud' is spoiled? How _can_ you _trust_ an alien processor to work on _your_ _private_ data?!! Call them big or small they are all companies to get profits from customers and pay bribes to governments.

Seth Schoen

November 11, 2014

Phonbos

I consider this a strange post. We have known for more than a decade that TOR is not NSA-resistant.

"Low-latency systems like Onion Routing aim to provide anonymity against an adversary who is not watching both Alice and Bob [39]. If the adversary watches both, he can for instance count packets and observe packet timing to become confident that they are communicating."
http://freehaven.net/anonbib/cache/minion-design.pdf

The problem is not so much how to make anonymity perfect, but that TOR is only accepted by law enforcement BECAUSE these vulnerabilities are built-in.

The real challenge IMHO is how to build mutual societal security on top of perfect anonymization in order to get clearance to e.g. upgrade TOR and scale it across all communication.

Regards

Stephan Engberg

Seth Schoen

November 11, 2014

Maybe the solution is to be found on the machines that were NOT seized. What have they done to go unnoticed ?

Probably either not host any illegal activity or have any close association with any person or machine that does, and/or have the illegal activity so non-publicized that the police were never aware of it.

An example of the former would be a US-based hidden service that catered to the needs of Chinese dissidents.

An example of the latter would be a hidden service which offers mundane, legal things such as catering to the needs of Chinese dissidents as a front so a handful of buddies can use the same machine to exchange illegal material privately, without anyone including the other users of the machine even suspecting. Of course, if one of the people in the group comes to the attention of law enforcement, the whole group is at risk.

Seth Schoen

November 11, 2014

Thank you everyone so much for the help! I had no idea about the HTML5 being allowed. Just as long as it doesn't expose IPs the way flash does. I was about to delete my twitter and email account because I had them opened in other tabs when I was on that news site that showed the video. I thought it was flash and wondered how did this happen being I have no flash plugins enabled. Thanks again!

Seth Schoen

November 11, 2014

Suppose they did make arrests ,how many ? 17, big forkin deal, out of how many lol , I fancy my chances of NOT getting caught , they are scaremongering ,I for one will keep buying my weed online ;)

Seth Schoen

November 11, 2014

You see guys, *this* is why you always purchase servers for your hidden service far away from you geographically, and purchase them anonymously (no, bitcoins are not anonymous by default. You have to either get them anonymously, which is more difficult than most people are comfortable with, or wash them through something like Bitcoin Fog). And of course, use disk encryption. That way if your hidden service is deanonymized and the feds go to the very datacenter it is hosted in, the worst they can do is take it offline (and if they perform a cold-boot attack, read even the encrypted disk, but you are still safe because you purchased it anonymously).

Now a very important note to hidden service operators, especially those who run controversial/taboo services like drugs, cp, various political views, etc:
USE PGP! Somewhere on your site, sign the current onion URL with your key. If your site is seized and the feds gain access to your hidden service's private key, they will be able to redirect all traffic to that URL to a site of their choice. But worse than that, if you don't use PGP, anyone can create a new clone of your site and pretend to be you. If you do use PGP however, when you bring up a new site under a new URL, you can sign that URL with the same key to prove it is official. This effectively allows you to keep a "master key" for all your hidden services that remains offline (i.e. it will not be up for grabs by anyone who gets access to your server). The next HS protocol will have something like this built-in, but for now you will have to use PGP.

On a more "experimental" note, I suggest that hidden service owners monitor their logs for possible denial of service attacks, and if any are detected, *disable your hidden service* and wait a little bit before bringing it back online. If you have the resources, bring it up immediately at a different location. Hopefully this will prevent active deanonymization attacks that rely on DoS, because the feds will be unlikely to get enough samples. I say "experimental" because I have not thought this through thoroughly so it is certainly possible that doing this just makes things worse. Anyhow, it's just a thought I'd like to put out there.

tl;dr
1) Assume your servers will be deanonymized and take measures to ensure that even if they are, you personally will remain safe (buy them anonymously).
2) Get used to using PGP so you can prove you are the real you if your site goes down and you are forced to create a new one.
3) If you're getting DoSed, it might be a deanonymization attempt. It *might* be a good idea to shut your server down for a little bit, or move it somewhere else completely if you have the resources.

Seth Schoen

November 11, 2014

How to stay anonymous while using Tor,
DO NOT CONNECT TO THE PUBLIC TOR NETWORK
CONFIGURE BRIDGE SETTINGS TO STAY ANONYMOUS
I say this as a Tor user myself, I have configured bridge settings,
Please take my advice seriously, I am a computer programmer.
If you don't do that I believe that the NSA and FBI could potentially hack into Tor and find out who you are.

That makes it harder for the adversary to identify you as a tor user because you aren't directly connected to a listed relay, but it doesn't help you against traffic analysis and other attacks.
Even the FBI/NSA could run/control bridges and could run a traffic confirmation attack (, etc.) on you...
Remember: "Bridge relays are just like normal Tor relays except they don't publish
their server descriptors to the main directory authorities." (source: Tor bridges specification)
So they aren't really an additional layer of defence to hide WHO you are, they just try to hide the fact that you are USING TOR.

Seth Schoen

November 12, 2014

What if law enforcement just set up wiretapping at many guard nodes (they are listed in public) and filter out relays and low traffic connections? "This IP generates a lot of Tor traffic and is not a relay, our IT specialists are super sure it's a well-known hidden service, which are almost exclusively of illegal nature" is good enough for police state lawyers to allow a seizure.

Yes and nsa inspired standards is just one example - look at starttls option! It's absolutely insane at first start open connection and then say lets use crypto! And how many im programs decide to drop support for "old method" for dumbest "new standard"? Now you have "In recent months, researchers have reported ISPs in the US and Thailand intercepting their customers' data to strip a security flag—called STARTTLS—from email traffic."

Seth Schoen

November 12, 2014

And what about simply running a browser with a script trying to connect to the target onion site all day long for a few months and through random tor circuits, then mathematically correlate the failed attempt dates/times with known, publicly available maintenance/failure reports from ISPs and other Internet actors.
The more the service fails because of external network problems, the faster you'll find your guy. And if you have the power to selectively shut down sections of the Internet, you can find it even faster (dichotomy => logarithmic time)...

Seth Schoen

November 12, 2014

As far as I can see there is no cp site seized right? Could it be that the FBI and others told some onion hosting hosters to hand them a copy of their sites? And because the hosters that were controlled had strict anti cp rules, that's why there is no cp and that's how they managed to "hack" the sites? I mean that would fit the story!?

Interesting thought. Or it might have just been a "digital drug bust" - illegal marketplaces subverting capitalism and so forth, maybe considered a greater threat in the future? Tor markets have certainly been successful so far. CP is essentially a bunch of dodgy masturbation, not as pressing a concern?

What fits the *story* was nachash saying he was using "Debian Wheezy" whilst Julian Assange is waffling on about Debian being owned by the NSA... Microsoft just released (dot) NET into open source and then there are other tid-bits that are just pure Candy, Like for instance did you know the Linux Kernel from version 2.6 has always supported v9fs? The virtual Plan9 filing system - in the KERNEL!?! So if you're Toring away and you do /proc it would never de-anonymise shitloads of Linux boxes running v9fs virtually - would it?

Seth Schoen

November 13, 2014

Tor had too many bugs since one of its March updates. In May the entire network got slower and now apparently using Tor is simply using another browser to gain access to hidden sites but Tor offers no anonymity anymore.

Seth Schoen

November 13, 2014

C'mon guys! 27 servers! Drop in the bucket.

I can spin that up in Amazon EC2 in 2 seconds.

Misconfigurations. Final Answer.

I'm smart too but the answer is usually simple.

Seth Schoen

November 13, 2014

All these people going argh what do we do, you make me laugh, try reading a technical paper on anti-web framework and loading INFERNO-OS everywhere... Fuck Tor! Time to employ some next generation security everywhere and if the Feds don't like it, just remind them that we can delete their entire IP range for-eva!

Seth Schoen

November 14, 2014

I read a lot of comments on the impact the take down was to Hidden Sites, but I am curious as to the impact to the visitors of HS. Were they equally compromised? I would assume if the HS boxes were assimilated, client compromise would be probable.

Seth Schoen

November 14, 2014

did you notice this research:

http://thestack.com/chakravarty-tor-traffic-analysis-141114

81% of Tor users can be de-anonymised by analysing router information, research indicates

On the Effectiveness of Traffic Analysis Against Anonymity Networks Using Flow Record

https://mice.cs.columbia.edu/getTechreport.php?techreportID=1545&format…

In this paper, we assess the feasibility and effectiveness of practical traffic analysis attacks against the Tor network using NetFlow data. We present an active traffic analysis method based on deliberately perturbing the characteristics of user traffic at the server side, and observing a similar perturbation at the client side through statistical correlation. We evaluate the accuracy of our method using both in-lab testing, as well as data gathered from a public Tor relay serving hundreds of users. Our method revealed the actual sources of anonymous traffic with 100% accuracy for the in-lab tests, and achieved an overall accuracy of about 81.4% for the real-world experiments, with an average false positive rate of 6.4%.

Seth Schoen

November 15, 2014

By the way, the "Russian" tor exit node which distributed malware recently probably comes from NSA

http://www.f-secure.com/weblog/archives/00002764.html

Why? Because it distributed a miniduke variant and there is a link between miniduke and NSA:

A mathematics professor was attacked with a Miniduke variant that was sent to him with a faked linkedln message. This miniduke variant communicated with a hacked Belgacom server over encrypted channels. And thanks to Snowden, we know that this Belgacom server was hacked by NSA.

http://www.pcworld.com/article/2093700/prominent-cryptographer-victim-o…

Belgacom was hacked with a quantum insert attack, that only an agency is capable to do if it has access to the backbones of the american internet.

The Russians and Chinese do not have this access to US backbones and thereby they can not do a quantum insert attack on Belgacom.

Hence it is unlikely that both NSA and Russians hacked Belgacom.

So the Communication relay for the Miniduke variant on the professor's laptop was likely set up at Belgacom by NSA.

As a result, we have a link between Miniduke and NSA....

And then there is a link between Miniduke and the recently distributed malware from the "Russian" tor node:

http://www.techienews.co.uk/9720308/rogue-russian-binary-patching-tor-e…

“This strongly suggests that although OnionDuke and MiniDuke are two separate families of malware, the actors behind them are connected through the use of shared infrastructure,”

Probably NSA went to a Russian server to distribute their tor malware after their last attack on tor in 2013 was traced by researchers to NSA servers directly:

http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted…

Well, at least that last url you cite is now believed to be wrong. The August 2013 malware was planted by the FBI and phoned home to the FBI.

As for the rest of it, I have no idea. The various agencies sure work together more often than makes me comfortable these days -- and it's far too easy to lump together foreign law enforcement and other foreign groups with them too.

Seth Schoen

November 15, 2014

Hidden Wiki even seems to be down now - Any idea anyone if there will be a new link provided somewhere, and if so, if it will be safe to go?

There have been dozens of onion services calling themselves 'the hidden wiki' over the past decade. There will be more. None of them were or will be official. (Well, except for the first one, but that one shut down in 2005. :)

Seth Schoen

November 15, 2014

This is ridiculous.
All people want some privacy not to be spied on 24/7.
Also your ISP knows that you're using Tor, although they can't snoop on your searches they still know you're using Tor.
I don't use Tor I use ixquick as a search engine.
Read ixquick's privacy policy and you will be impressed, plus all searches are encrypted using powerful encryption tools.