Hidden Services, Current Events, and Freedom Hosting

by phobos | August 4, 2013

Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses have disappeared from the Tor Network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, has been breached, or attackers have placed a javascript exploit on their web site.
A Hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network with its thousands of volunteer-run nodes provides anonymity for users who don´t want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor provides anonymity also for the server operator.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents, activists, and protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse-recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Hidden service addresses, aka the dot onion domain, are cryptographically and automatically generated by the tor software. They look like this http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository nor registry of addresses. The dot onion address is both the name and routing address for the services hosted at the dot onion. The Tor network uses the .onion-address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user. The design of the Tor network ensures that the user can not know where the server is located and the server can not find out the IP-address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block certain .onion-addresses.
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of javascript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect user's computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix
them if we can.
As for now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.

EDIT: See our next blog post for more details about the attack.


Please note that the comment area below has been archived.

August 04, 2013

In reply to by Anonymous (not verified)


Whonix is neither Window, nor does it know your home IP, so in theory the VM should not be able to disclose it through this security issue. The code is still beging examined at the time of me writing this though, so I suppose we cannot be 100% sure of what this could affect.

The vulnerability being exploited by this attack was fixed in Firefox 22 and Firefox ESR 17.0.7. The vulnerability used is MFSA 2013-53

People who are on the latest supported versions of Firefox are not at risk.

Although the vulnerability affects users of Firefox 21 and below the exploit targets only ESR-17 users. Since this attack was found on Tor hidden services presumably that is because the Tor Browser Bundle (TBB) is based on Firefox ESR-17. Users running the most recent TBB have all the fixes that were applied to Firefox ESR 17.0.7 and were also not at risk from this attack.

No they didn't there are sites that have more GB's than everything combined on "Freedom Hosting" and "Freedom Hosting" had also a lot of legit sites like TorMail.

August 06, 2013

In reply to by Anonymous (not verified)


I think they targeted FH because it would inflict the most noticible, immediate damage on the Tor network.

I hope my Tormail address is not gone permanently.

So what does this mean for the people who legitimately used TOR mail for social purposes, and had nothing to do with the criminality in question?

That's probably why FH had so much of it. They used TorMail and other legit sites as a cover if you will. (Sorta like Prohibition-era mobs running speakeasies beneath, say, bookstores)

They have also revealed a Firefox exploit which presumably affects the tor browser bundle. That's the relevant news here. We've got to know about that exploit, so now we can expect that bug in Firefox to be fixed.
Also it's a nice reminder: web browsers tend to have critical bugs in them. JavaScript engines are becoming more and more complex, and thereby the number of critical bugs in them grows continuously.
Of course, there is nothing really surprising in this. Like most developers, the guys developing Firefox tend to focus more on implementing new features and improving performance than on making their product as secure as they can make it. It is just more fun to do something that has some effect on the user experience than to review lots of code.

> It is just more fun to do something that has some effect on the user experience than to review lots of code.
Yup. As funny as running firefox on 512MB-machine with slow CPU, or even building\installing 100+ dependencies. And with no alternative, since rendering engines nowadays are also complex and fat, which automatically increases entropy, i.e. increases probability of a bug.

Firefox binary is larger than my system kernel.

What about Midori and QupZilla?

Anyone who's used these delightfully fast and light browsers would surely understand my wishing that one of them could be adopted for Tor use (as well as be made to be at least as secure as Firefox for ordinary browsing; offer NoScript functionality, etc.)

The canary did its job. Now, to work out how the canary might not have died, and adjust designs / practices accordingly. That's how these things work.

I'm minded to think that if an anonymous community arises such as the Tor hidden services community, that community can either police itself, or expect to be policed. We didn't bother worrying about the fact that Tor hidden services were being used for the distribution of child pornography, so someone else worried about it for us. Is everyone really that surprised by this?

Best comment, by now!

The crux of the matter is the fact that many gullible people here and elsewhere haven't been caring about who runs, funds and developed Tor in the first place, and how those people are not what they pretend to be.

KP is an excuse. They just want to "regulate", and unless there will be sever push back, today is the first day of Tor's demise. So unless it will be fortified ten fold, Tor is done for, and it is time to develop new, secure, free world, detached from oppression of thugs.

Except in all likelyhood; the child porn servers were being run by the FBI themselves to discredit Freedom Hosting. It's not as if it has not happened time and time before:


It's a simple tactic; you try to pubically accuse person/company x of doing something society overwhelmingly condemn. In order to trash their public reputation; no one will then dare criticise the actions and the huge holes in the flawed accusation. For they will fear they will themselves be accused of condoning such activities person/company x was accused of.

No, the demise of Tor is not imminent. The Office of Naval Intelligence developed it, and the State Department uses it for diplomatic traffic. The U.S. government also promotes its use to oppressed populations (at least those we support) internationally. Tor is not going anywhere. Tor mail is another matter. That was probably the target.

Absolutely. If Tor services can be compromised and shut down because of some illegal child porn activity that someone doesn't like and with it simultaneously shut down a lot of other sites not involved in child porn... then the Tor network can no longer be considered a safe option for whistle blowers, reporters, activists and others. This week, its child porn, next week it may be a whitle blower or an activist...

Basically, you're all morons.

Tor sights have never been immune to some of the most common attacks, such as DDoS attacks, and the fact you're connecting your web services (Apache+PHP+MySQL+Whatever else) to the clients via Tor does not automatically make those more secure, nor does it make the clients more secure.

Tor itself did its job. There is no reason to suspect that Tor is in any danger of compromise. The problem lies on both sides of the Tor connection.

Tor did its job?

The sole purpose of Tor is to provide anonymity, to both users and hidden service providers.

Now we know that users of Tor can be identified, and hidden servers aren't hidden after all.

I'd call that a big fat FAIL.

Pardon my french, but why do you assume that it is TOR that got compromised ?

For all we know, the feds might have broken into FH's servers (and out of any VMs FH might have employed for security) and leveraged this position to bypass TOR.

It's actually not even that hard - there's probably a lot of heterogenous code on any shared hosting, some of it less secure than other.

Or, and in my opinion, most likely, they just had a rat in the datacenter. The weakest link is usually the one made of meat.

There are now law and rules when it comes to track down pedofiles . They do not deserve to be protected by the law . FBI done an amazing job , and saved many kids from EVIL sick molesters.

August 04, 2013


Roger, Jacob, Karen, Tom, Andrew, or whoever reads this comment section: We can't trust exit nodes and/or hidden services. These guys are injecting javascript and using 0-day exploits against the browser bundle.

Right now, the noscript in the browser bundle is setup to allow javascript. In the past, it blocked it. It's a pity we have to block it again, but it seems there is no way around this.

Have to be honest, having followed Tor off and on for about ten years, I'm quite surprised to hear that the Torbrowser was shipping with javascript enabled. What drove that decision?

Not very anonymous when you are rooted by FBI 0 day. Tor developers need to wake up and see that we want a fucking anonymity network and anonymity and security software, not something that slows down our internet while we watch cat videos on youtube. Unfortunately they have been more and more going in the direction of user friendlyness even at the significant expense of user security and anonymity, and I just wonder how friendly it will be in prison for all of the people who just were deanonymized because of user friendly software.

With all due respect, up until recently, Javascript WITHOUT Flash and/or Java was through to be safe.

Actually, I would have to say it still IS safe unless there is a big freaking hole in Javascript somewhere.

Right. There are a lot of parts of Firefox that are potential attack surfaces. Javascript is one big one, but there are other big ones. We shouldn't focus solely on Javascript or we'll end up surprised by the next vulnerability.

Thought to be safe? By whom? JavaScript is indeed safer than Flash, and probably Java, but that's not saying much! JavaScript has historically been a source of *innumerable* security bugs in *every* browser I know of that has implemented it. Not to mention all of the subtle ways that intentional JavaScript features (as opposed to bugs) may be used to compromise your anonymity, because they simply weren't designed with anonymity in mind.

It is, in my view, foolish in the extreme not to assume that "the bad guys", whoever they are, have frequent access to 0-day vulnerabilities in the major JS implementations. This seems likely to continue for the forseeable future, especially given how much browser makers have been focusing lately on improving JS performance (which almost inevitably results in the introduction of new vulnerabilities.)

^ This.

JavaScript is considered THE number one reason of virus infections.
Virtually EVERY exploit kit worldwide uses JS to see if the target is vulnerable in the first place, even if the actual exploit doesn't use a JS vulnerability.

Activating it is batshit insane crazy with suicidal tendencies.

If you browse the clearnet without NoScript, you are a risk to yourself and the rest of the internet,
if you do illegal stuff with JS enabled, you are a risk to yourself and the rest of the internet and are asking to be put into prison.

"If you browse the clearnet without NoScript, you are a risk to yourself and the rest of the internet,"

Isn't it about time that at least /some/ of the most basic protections that NoScript offers, such as against XSS, be incorporated into Firefox itself? (and, for that matter, other browsers as well)

If that's the case Tor needs to become practical for p2p traffic and other video traffic that makes up most of internet traffic. Can you imagine the 3 letter agencies trying to sort through all internet traffic? It also needs to be clear that these are our papers and they are protected by the 4th amendment among other protections.
The right of the people to be _secure _in their persons, houses, _papers_, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized

More importantly it needs to be technically impossible to seize your papers and consequences to attempting to seize them. They've shown again and again that the moment it becomes technically feasible they will make the attempt. The issue of pedophiles is irrelevant they will find another reason if you take that issue away.
Remember Martin Niemöller.

Also true security protects in layers with the assumption that one or more layers will become compromised. We need more physical hardware level protection and more Network address translation boxes with dhcp to hide ip addresses. Ideally we should be doing lily pad networking as well. Make it feasible to wirelessly connect anywhere

It's hard to know where to start.

You don't have any 4th Amendment protections for international communications. You need to go back to ... hmm ... high school? Grade school? Learn what "sovereignty" means! You may live in a country that affords you certain civil rights, including the right to be free from unreasonable searches and seizures without a warrant. Several important points:

1. These rights that your country might afford you end at the country's border. Outside of that border, you are no longer in that country. You are outside of its area of sovereignty. Depending on where you are, you are subject either to the sovereignty of another country, which is unlikely to afford you the same rights, or you are floating on the ocean and only subject to whatever rights international law gives you. Even your own country does not have to afford you the same rights outside of its borders.

2. Even within your country, there are limits to the rights that you might have. In the U.S., for example, your 4th Amendment rights require the government to get a warrant based upon probable cause to enter your home and seize your "papers and effects." Your rights outside of your home - for example, traveling on an Interstate highway, or using a public communications network (paid for by the taxpayers - in the case of the Internet, the Defense Advanced Research Projects Agency, the major research universities (funded with federal tax money), and, oh yeah, Al Gore), are much more limited if they exist at all. If you want privacy for your electronic communications, pay AT&T to set up a totally private network on private property for you to use, and the chances that you will get your privacy improve dramatically.

3. Even assuming that government violates your 4th Amendment rights in the U.S., as a practical matter, the only legal remedy available to you is to prevent the government from using the information obtained without a warrant against you in a criminal proceeding. No criminal prosecution? No harm, no foul. They can collect all of the information they want. [One of the reasons I don't get too excited about NSA is that the revelations involving DEA using the same software (see discussion, below) to collect information on citizens without warrants, and then covering up the illegal collection of evidence and using it in criminal trials, a legal violation that is much more serious.]

4. Your 4th Amendment only applies to the government of the U.S. Now, think about it: If you were the head of sigint (signals intelligence) or elinit (electronic intelligence) at GCHQ in the U.K., F.S.B in Russia, Mossad in Israel, etc., where is the first place you would put a covert agent? Hmm. My guess is you'd put a covert software engineer at MSFT and every other major software company. Why do you think there are so many updates to fix security vulnerabilities? You'd think they'd have found them all by now! No. N.S.A. puts one in, Mossad finds it, takes it out, puts theirs in, F.S.B. finds it, takes it out, puts theirs in, GCHQ finds it, takes it out, puts theirs in, and on and on. And, your computer reboots every night with yet another update fixing yet another problem. The point here is that even if N.S.A, C.I.A., F.B.I. legally are prohibited from invading your privacy, the foreign intelligence services are not. When you hear on the news that, "The threat risk has been increased based upon credible intelligence received by U.S. intelligence officials." what is usually being said (if the threat involves something in the U.S.) is, "Some foreign intelligence service monitoring communications inside the U.S. that our agencies could not legally monitor tipped us off." Look at Snowden's grant of conditional asylum in Russia. He can only stay so long as he does not "reveal any additional information harmful to our American friends." Why did Putin include that? What could Snowden possibly reveal? Maybe that F.S.B. cooperates with the U.S. to a much greater degree than we are aware? You think we have a problem with Islamic terrorism?. When you get back to school, look at a stinking map! Russia has Islamic republics all along its borders. Everything that you have heard of N.S.A. collecting - and more - is available to every major intelligence service in the world.

5. The only legal issues here - and they are extremely serious - are the use of "general warrants" by the U.S. intelligence community (I.C.) before the F.I.S.A. court, and the blatantly illegal conduct of D.E.A, which nobody seems to care about.

6. You want it to be technically impossible "to seize your papers and consequences" for trying? In your dreams! First, the U.S. I.C. has a company, In-Q-Tel, Inc., in Reston Va. that provides venture capital to entrepreneurs developing (among other things) software of value to intelligence gathering. In-Q-Tel is NOT the only venture capital company in this business. (You didn't think PRISM, XKEYHOLE, etc. were written by entry-level government employees, did you?) There are companies spending hundreds of millions, even billions, developing these technologies. It is never going to be "technically impossible" to conduct surveillance. As for imposing consequence on those who try to do so, you might find that locating all of the "sleeper agents" sent here by K.G.B. - predecessor to F.S.B. - is not going to be easy. F.B.I. counterintelligence is working on it, and they caught about 10 of them a couple years ago, but many remain. The "consequences" for these folks is prosecution for espionage and imprisonment, until of course Russia grabs a few U.S. tourists, charges them as spies, and we have to arrange a swap. As for the Mossad, these are not nice people. They make your average U.S. criminal sociopath look like an alter boy. Israel believes it is always at war and, therefore, is not subject to restraints on murder, kidnapping or other conduct that virtually all other countries, even those hostile to us, deem beyond the bounds of civilized conduct. Any attempt to impose "consequences" on them is likely to backfire.

7. I know you are going to find this hard to believe, but entrepreneurs who rely on venture capital companies for funding tend to be single-minded. They only want to sell their products whenever it is legal to do so to anyone with the money to buy them. They just want to become profitable as soon as possible, so that they can buy out the venture capitalists (often referred to as "vulture" capitalists). They are not terribly discerning about whom they sell to. So, not only is every governmental intelligence agency with funding - probably including North Korea - gathering the same information as the N.S.A., but private companies, lots of them, are customers of Google, Facebook, Twitter, and all those social sites you love so much. Ancestry.com scares the hell out of me! If they can trace the addresses of my great grandparents, what can they report about me? These social networking sites are not funded by the government like National Public Radio, and they are not charities. You're not paying them, so how are they making money? By selling every word you write to private companies that prepare personality profiles on you. They have access to and use the same software as N.S.A. and all the intelligence agencies. You can find your teenager's car by geolocating his/her cell phone in real time if you have the money. So can pedophiles, other low-lifes, schools, employers, and anybody else nosy enough to want to know. No, the 4th Amendment does not apply to private conduct.

8. You think universal "wireless" connectivity is the way to go, huh? A basic legal principle - codified in the Communications Act of 1934 - is that "the airwaves belong to the people." And, those "people" include the government, that government famously, "of the people, by the people and for the people." This means that anything you put out on the airwaves belonging to the people is the property of the people. I have radio frequency scanners, and I can listen to police, fire, F.B.I., C.I.A., air traffic control, virtually anything. The frequencies they use are published in public documents. They sometimes try to use trunked systems or encryption, but if I can track it or decrypt it, I can listen to it. [Yes, there are statutes that prohibit listening to cell phone traffic or selling scanners with that capability. But, those scanners can be purchased in Canada, and the Constitutionality of those statutes is questionable.] Fedora ships Linux with utilities that crack WiFi. Why would you promote wireless? Anybody, including the government, who can hack it is free to do so on the people's airwaves! And, you wouldn't want it any other way. If they can stop you from listening to police, fire, F.B.I., C.I.A., air traffic control or your neighbor's WiFi, it is only a very short step to stop you from watching BBC or receiving TV or radio broadcasts government deems "dangerous" or of value to "terrorists."

Stop dreaming. Learn something. Get a life.

[Yes, by education and historical avocation I am a lawyer. And, I studied constitutional law under Arthur Kinoy, one of the nation's most brilliant constitutional scholars and a founder of the Center for Constitutional Rights in New York. I've practiced at world class law firms, served two NYSE companies as a senior legal executive, and been an international entrepreneur.]

Well said.

But how should we feel about a policy that basically says the government will prosecute infringements on its privacy while at the same time denying ours? Do you think that's overstating it?

"You can find your teenager's car by geolocating his/her cell phone in real time if you have the money. So can pedophiles, other low-lifes,"

Not to take away from your points and arguments but it should probably be noted that children and teens are said to be at far greater risk from family members and others who are close to them in real life, than from random, mysterious, distant stalkers.

"Fedora ships Linux with utilities that crack WiFi."

The tool of choice for that sort of thing seems to have been BackTrack Linux, now re-branded as "Kali Linux".

I have seen speculation that the producer/distributor has less-than-harmless motivations but I have no idea how credible such suspicions are.

"If they can stop you from listening to police, fire, F.B.I., C.I.A., air traffic control or your neighbor's WiFi, it is only a very short step to stop you from watching BBC or receiving TV or radio broadcasts government deems "dangerous" or of value to "terrorists.""

That argument sounds troublingly like that advanced in support of completely unfettered, unrestricted access to firearms. Or any number of other things that enjoy support only from those on fringes of any given ideology or camp.

In the USA, according to the 2nd and 9th amendments, everyone not in prison (see 13th amendment) ARE allowed to have guns, despite any supreme court decisions or state laws. This includes felons, wife beaters, etc.

The problem is that the courts are corrupt, politically motivates, tyrants.

You could try to fight the law in court, but you don't have enough money and even f you did they won't let you win/

You do not need to be a constitutional scholar to understand what is written there.

All laws are subordinate to the bill of rights. IF any law violates them then that law is unconstitutional.

The 9th amendment implies that our rights are subject to old common law - no right to kill, cheat, lie, maim, similar.

A right is not a right if you cannot freely exercise it with impunity.
Anything else is just a privilege.

If TOR used Quantum encryption or even 3 dimensional encryption, no one could decode the transmissions except the recipient of the transmission.

I recent read that the feds cracked HTTPS now. Even that is no longer a safe avenue.

"the Center for Constitutional Rights in New York"

Are you, by any chance, familiar with the radio program "Law and Disorder"?

"I've practiced at world class law firms, served two NYSE companies as a senior legal executive, and been an international entrepreneur."

Have you any regrets or moral qualms, at least about the latter two roles?

(I am fairly convinced that "socially responsible" or "ethical" corporation is an oxymoron.)

I am absolutely forced to chime in that just because things are hashed out in a court and deemed a certain way, does not mean that they live up to a true constitutional legal standard. An example is that the 1st amendment is freedom to say whatever you want, courts have ruled and most people accept not screaming fire in a movie theater. But I believe that most references to amendment rights in the abysmal world you pointed out are to the idealistic forms. ie: the ability to scream fire in a theater regardless of all the legalize one could throw at it is still technically your right.

Internationally speaking our Commander in Chief and all our military personnel swear an oath to put a whooping on anyone who would infringe upon the constitutional rights of its citizens. In real life it may not happen, but idealistically speaking you tell an American on a boat in the ocean he can't be a religion and you would be explaining that to a host of wonderful US Navy vessels shortly thereafter.

Well, that's bullshit. If you would want to hide the fact that you're using Tor, you would have to get rid of Tor Exit Nodes that are known to everyone anyways.
This all just boils down to that short sighted resolve to rather put users in danger than to lose them.

No, that's not it. The fact that your browser is disallowing JS acts as a further filter criterion, on top of the fact that you are a Tor user.

Of course, if the majority of Tor users disabled JS, this metric would change and become ineffective..

"Well, that's bullshit."

No, it is not.

"Disabling JavaScript by default, then allowing a few websites to run scripts, is especially bad for your anonymity: the set of websites which you allow to run scripts is very likely to uniquely identify your browser."

Using NoScript with a specific list of white-listed domains might identify you.

Using NoScript with a zero white-listed domains is just not very practical.

"that short sighted resolve to rather put users in danger than to lose them."

No, YOU are short sighted: any user that stops using Tor because it is not working properly is less protected.

Pure stupidity. It is so obvious that Javascript should not be enabled for security. But the Tor developers would rather that your browser fingerprint blends in with 500,000 other rooted people rather than blend in with 10,000 non-rooted people. It doesn't make any sense to me either, and they have been warned months and even years ago not to allow javascript by default, but they didn't listen and now thousands of their users are compromised. I hope it was worth letting retards watch cat videos on youtube.

With all due respect, too many sites on the regular internet will not work correctly without Javascript. So, disabling Javascript by default is bad ju-ju in the real world.

Maybe it's time to start thinking less about disabling Javascript (which from what I have seen is only a vulnerability when paired with Flash or Java) and start focusing on disabling certain functionalities of Javascript.

" it was worth letting retards watch cat videos on youtube "

If you think JS is only for playing videos, then YOU ARE THE RETARDED ONE.

I don't know about that anon, I just updated my bundle a few days ago and my noscript is set to disable Java, although the firefox settings say that it is enabled. A quick check on a Java website test shows that it is infact still disabled, Javascripts are not running!

To anyone that are under these circumstances, the code didn't get injected. Unless it's magical unicorn NSA pony hax. Anyone care to add/detract from the Java enabled in options/disabled on noscript default question? I'm pretty sure Noscript is overriding options anywhere else on the Firefox Tor Browser Bundle.

Question is, how in the world would this hack get your real IP address when it is supposed to be impossible without Flash and Java also being installed to do that?

I'm calling BS on this and I think that we should wait until some real, verifiable information comes out.

According to some FF developers on their site, the exploit used was MFSA-2013-53, so not a 0-day. It was fixed a month ago. If you updated the Tor bundle within a month (if it has FF ver. 17.07), had js disabled, was using an OS other than Windows, the js exploit should not have worked.

The reason they could get your ip is simple, with this exploit they can execute any binary code they want. People on the net have already looked at the so called payload, or shellcode, that the attacker is trying to execute. Instead of installing a keylogger their binary code (shellcode) "just" checks your hostname, MAC and sends it to their server over clearnet, so they get your ip as well.

Slashdot is also mentioning something about a cookie. I haven't researched this part.

It appears that this was 'aimed' at the first Alpha version of the "No Vidalia necessary" TBB.

So, if you had updated your Alpha version (is it setup to notify you if there is a new version?) you were golden.

The second part is true (3.0alpha2 is safe from this particular attack), the first part is not (there's no reason to think this was aimed at 3.0alpha1).

Do you think if we are using Linux that we are prone to this malware? Or should I format? I just want to be reassured, I only used TorMail and i tried to logon today and was unable to see anything exept a pink background with a small box, it seems as if nothing loaded...How can I be sure that I am not infected, if I am on a linux box?

Very interesting that Tor "just happened" to enable JavaScript in their Browser Bundle so that LE could exploit it. What a incredible unfortunate "coincidence".


August 05, 2013

In reply to by Anonymous (not verified)


While we're playing the conspiracy theory game: can you point at the version of Tor Browser Bundle that shipped with Javascript disabled? I believe this is a myth and it is confusing many people.

August 05, 2013

In reply to arma


To the two FBI agents who are posting in this thread anonymously: Congratulations. You've succeeded in setting us at each other's throats rather than thinking rationally with the evidence your contractors left behind. Go to the Keurig at the canteen and toast to yourselves with crappy coffee.

To everybody else, it would be wise to actually look at the evidence at hand before commenting. There seems to be a lot of people here who are more interested in seeing their words appear in the comments than using their brains.

"To the two FBI agents who are posting in this thread anonymously suck my big hairy cock!!!!!!!!!!!!"

People who say this (i.e., extend invitations to perform fellatio upon them) almost invariably are the same people who then turn around and expect the one(s) whom they claim to love to perform the same act upon them.

Ever think about that?

Either fellatio is a sordid, degrading, dishonorable act (as the insult would imply) or a wholesome, legitimate form of intimacy between people who love each other. It can't be both, now, can it?

Nice that someone thinks about the logical implications of insults. When I used to drive a delivery van in traffic all day, I'd often hold back yelling at someone for the same reason.

August 04, 2013



> Does that say anything about the security of the system? The browser seemed to work normally afterwards...

No. Your browser should have acted normally. Nothing changed. The malicious JS set a cookie and visited some Washington-based IP address, so when non-Tor browsing your IP would be logged using that cookie, or something. It was not malware in the sense that your AV/Anti-malware would detect it.

Everyone: disable JS on Tor, and FFS use NoScript!

This is only half the story. It also employed an javascript heap spraying attack of which the details aren't currently know yet, but presumably use an exploit in Firefox to phone home circumventing Tor altogether.

If you visited one of the hidden services hosted by Freedom Hosting on Firefox on Windows (or at least the Tor Browser Bundle) these past few days, you should assume your anonymity has probably been compromised.

>If you visited one of the hidden services hosted by Freedom Hosting on Firefox on Windows (or at least the Tor Browser Bundle) these past few days

With javascript enabled.

I don't know how TOR would have been 'circumvented entirely' by this, when Firefox disallows connections except to the proxy being used.

Nah.... something doesn't sound right about your explanation.

Some of these javascript functions I have been reading about are a bad idea to have in the first place, so maybe this will start a discussion about paring down on/removing some javascript calls.

With an exploit like that, they can execute arbitrary code so what Firefox allows or disallows isn't important. Once an attacker can execute arbitrary code on your system, you have to assume your identity and system have been compromised.

I'm not sure what removing certain javascript calls would accomplice. You should disable Javascript anyway when using Tor.

1) TOR has NOT been attacked.

2) The attack was directed against the Windows version of Firefox v17 (version 17.0.7 excluded). It seems that versions: 18,19,20,21 were (and still are) vulnerable but have not been attacked.

3) The attack can only be successful if JavaScript is enabled, i.e.: not blocked by noscript or not turned off within the Firefox settings.

3) The attack is immediately effective, i.e. you IP is submitted by the shell code by the use of Windows-API which does not use the TOR sockets proxy. Again you ip is send in the very moment in which the exploit is successful. There is no need to wait for you until you visit the clearnet.

4) Linux, Android, MacOS, ... seem to have not been affected so far.

Is this proven? If we are running any OS other then Windows we are fine? I am running Linux should i format, and start over?

No, the attack wasn't against the client browsers, it was against the hidden servers, which has to have the javascript exploit planted on them first.

Why all the focus on the attack on the client browser, when it was the hidden servers that had to be unhidden, identified, and compromised first?

The attack on the browser is secondary.

If the servers had not been identified and compromised, we wouldn't even be having this discussion, so lets focus there.

August 04, 2013


I think the code was or is broken, they also modified the injected code a couple of times. It changed from a cleannet IP to an onion address and back again, after that they obfuscated the code and encoded the URL.

The code can be found here: http://pastebin.mozilla.org/2777139

That code is strange because it only runs if the userAgent browser version is between 17 and 18. The current Tor Browser comes up as 10.0, even though the blog post says it's based on Firefox 17 ESR. I think if you're using Tor Browser the malicious code will think it's version 10 and load "content_1.html" which is not shown.

Are you running the 3.0 alpha of Tor Browser? What version comes up for you in help/about tor browser?

Mine shows "Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17" and I am running current stable release, which by the way have been based on ESR17 for a while.

False. This exploit in particular sniffs for Firefox-specific features.

function isFF() {
return (document.getBoxObjectFor != null || window.mozInnerScreenX != null || /Firefox/i.test(navigator.userAgent));

Unless, of course, your UA switcher also disables document.getBoxObjectFor and window.mozInnerScreenX, which most don't. Not sure why they check for multiple signs of Firefox, when just checking for window.mozInnerScreenX would do.

I use Proxomitron, which can both spoof the UA, and filter arbitrary bits of javascript, or turn it off entirely. Gutting javascript isn't however as secure as turning it off entirely.

That looks like it targets the Tor Browser 3.0 alpha build (which is based on Firefox 17 ESR). The latest Tor Browser identifies as version 10 in which case it loads "content_1.html" that is not shown in your link.

Same version which JonDoFox uses - no surprise here.
The exploit seems to work on Windows only and may be limited to FF v17 because of a JS update on new Firefox versions or because the FF codebase changed to much. The exploitation of payload delivery by heapspraying is relatively strong bound to the targeted executable so again no surprise here.

A few sites were warning about the bad script in TORmail. Also, not the dude you're responding to, though I'm interested in hearing their response as well.

August 04, 2013


The fallout from the captured data should be entertaining, depending on your point of view. The plain text data and relationships found in tormail will generate a huge number of links to real people.

If you consider hundreds of destroyed lives to be entertainment, then yes.

I truely hope a number of non pedos are caught up by this, perhaps those people will have hated pedos too, but will now get to feel what it's like to be one. Perhaps they'll also realise why its never a good idea to support the persecution of minorities. One day, they might just come knocking on your door.

Freedom took a great blow today, in the name of *saving the children*, the battlecry of oppressive governments for a long time. You will not rid the world of people you hate, by ostracising them and destroying small numbers of them. If you bought the line that this has anything to do with hunting pedos, I feel sorry for your misunderstanding of their push to control all information, using this as their get out clause.

I suggest you look up Rick Falkvinges excellent piece on why possession/distribution of CP should be decriminalised (not production mind you). http://falkvinge.net/2012/09/11/child-porn-laws-arent-as-bad-as-you-thi…

This attack has helped no one, harmed many, and damaged one of the last areas people can be free from government control. Having known one person destroyed by laws like these, I can tell you it doesn't just harm the convicted, but their families and friends too. It creates homeless, jobless and hopeless people, new burdens on the state where once productive individuals existed. In the worst cases, it creates corpses, suicide is a common outcome from CP raids, usually because the people caught were perfectly decent, honest and hardworking individuals, now faced with no future and no hope, essentially a social death penalty.

So by all means, continue to support the criminalisation of possession, watch as your freedoms are eroded away with that as the excuse, watch as people you know and love are destroyed by the laws you support and finally, watch as censorship becomes the default stance of the web, as is happening in some EU locations right now. But at least it was entertaining to watch, right?

August 04, 2013


I tested the shellcode in an isolated VM and faked the connect() call to succeed. But it crashes after gethostbyname. Did someone examine this any further? To which IP is the UUID forwarded?

Was your VM on linux ? A lot of people are saying it's only windows based, but on my ubuntu machine the user agent and version matched to run the exploit.

It maybe passed the server-side injected script, but the iframe script it loads specifically checks your useragent for "Windows NT" so I doubt it ran.

Can someone varify this? I am using an ubuntu machine and used TBB to just access TorMail and was instead given a pink background with a table and it showed me the exclamation mark, and seemed like something was wrong. I dont do anything wrong on tormail so i tried to access tormail through the onionsite.onion.to (that web2tor site- obviously i would never unless its to check if tormail is down) on google chrome and got the site is down message...Do you think I should format, using a linux machine?

I'm sure the parameters are filled in elsewhere, which could be why it's crashing. Did you run all of the script or just the code in variable magneto? Because magneto is appended to a bunch of other random hex strings, then copied into the big array view[] and then various globals are copied into various offsets in view[].

I only ran magneto and stepped through with OllyDbg in a VM.
I actually came across the IP, i just forgot to cast to sockaddr_in of the connect() call. The IP is: and they used the port 5000. It makes 5 tries to connect.
Then it gets the hostname with gethostname().
Then it gets all the local IPs and associated hostnames with gethostbyname.
Since i have no network adapter, i dont know how all this info was used in the following.
Then it cooks cooks up a HTTP GET String with the UUID provided by the javascript as parameter and it appends the local hostname in the Host: field.
Then it tries to get the MAC-Adress with SendARP() and puts it in a cookie field named "ID", which i faked the return to confirm.
Then it sends everything away with send().
And after that it even does a closesocket(). After that it probably tries to gracefully exit the shellcode somehow without crashing the target, i can't really tell.
Maybe i'll try to examine this in a real exploiting situation with all the javascript stuff and the vulnerable tor browser.

Really good info, I think you're on to something. That IP is one digit off from an earlier version of the server-side javascript that opened an iframe and sent the UUID to Both the IP's belong to a Verizon business account in the western Washington D.C. suburbs. Where both FBI and CIA headquarters are located.

Are you sure it's port 5000? I looked at the same block of code earlier and vaguely remember it being 0x00 0x50, i.e. port 80 in network byte order.

August 04, 2013


I don't understand WHY in the world the default setting on the TOR bundle is to "Allow global scripts". Since JavaScript is the most common mechanism for privacy-busting exploits, it should be disabled by default, don't you think?

"Since JavaScript is the most common mechanism for privacy-busting exploits"


"it should be disabled by default, don't you think?"

No, it doesn't follow.

You might as well say that a web browser is the "most common mechanism for privacy-busting exploits" so you should not use one.

You have to consider what you lose by disabling JS. And you lose a lot.

August 04, 2013


That code is strange because it only runs if the userAgent version is between 17 and 18. The current Tor Browser comes up as 10.0 in the user agent, even though the blog post says it's based on 17 ESR. I think if you're using Tor Browser the malicious code will think it's version 10 and load "content_1.html" which is not shown.

The current TorBrowserBundle comes up as 17.0 in the user agent.

> Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0

Tested with "tor-browser-gnu-linux-...-2.3.25-10-dev.tar.gz"

August 04, 2013


Before FH went down i was already wondering what the future of Tor is after the Snowden revelations. How secure is the Tor network if the USA en UK are buffering the whole internet transit for days and can inspect traffic passing between nodes, shouldn't the project avoid relays and nodes in those countries? Can the nodes be changed to insert random traffic to make it mode difficult to snoopers? And now that FH went down it is important to understand what happened, even if FH has been hacked the admin could take it down but hasn't. There is speculation that the admin has been arrested, if it is true it would be even more important to understand what happened and how. I'm surprides that there hasn't been any statements from the Tor Project about all the illegal snooping that USA and UK are doing and how it affects the project and if there are any risks.

Doesn't seem Tor Project has been taking things all that seriously. Not even since Snowden, and now this. We need a whole new international project run by some people much more serious about privacy and internet freedom. Tor is dead! Now let's replace it with something better!

There is nobody on the planet better at what they do, then the people behind the Tor project. If you want better tools, stop fucking crying and start do peer review & develop or stfu.

It is you, who piss on his own privacy for so long, not Tor project.

"How secure is the Tor network if the USA en UK are buffering the whole internet transit for days and can inspect traffic passing between nodes, shouldn't the project avoid relays and nodes in those countries?"

They aren't buffering traffic "for days," if they were TCP connections would never complete. They'd time out all the time.

"...shouldn't the project avoid relays and nodes in those countries?"

Several of the Snowden docs have evidence that the NSA is sharing COMINT with the intelligence agencies of other countries in an agreement of reciprocity. On the chance that the NSA missed some traffic, a friendly intel agency may have grabbed it instead and given it to them. So, this wouldn't help.

"Can the nodes be changed to insert random traffic to make it mode difficult to snoopers?"

That is in the Tor FAQ.

I can't help but wonder if this is part of an effort to dissuade people using Tor and other such services by a) inducing learned helplessness and b) mistrust of any and all providers of such services because most people don't seem to understand that there is no such thing as perfect security.

> They aren't buffering traffic "for days,"

Actually he certainly means:
they are keeping a copy of the whole traffic for a few days

August 04, 2013


If wonder if the exploit got around the bundled NoScript Add-on if it's set up properly? If so, how?

Also, what happened to the Tor button I used to see near the top-left of the browser? That's been gone from the Tor firefox browser since 2.3.25-10.

No, it doesn't. I modified the Java Script that tries to load that site into the IFrame by replacing the original address by one of my own server. Then I watched tail -f -n 10 /var/log/apache2/access.log.
When Java Script was enabled in NoScript, a GET request showed up. When I deactivated Java Script in NoScript, it didn't. And yes. I emptied the cache and even restarted TBB so it wouldn't load from cache.

August 04, 2013


So what do you guys have to say about having NoScript allow all Scripts globally in the default settings? Isn't now the time to see and accept that this was a really really stupid decision on your side?
A lot of users trust you and think JS is deactivated by default while you ignore that fact and betray them.

Same here, I guess I looked for it briefly to deactivate it the first time but didn't see it since I'm not used to the setting, and thought it wouldn't matter or forgot about it later.

You could set up NoScript to have JS disabled by default. Then when visiting a Website with Java Script for the first time, let a message pop up informing the user and then ask what to do. Keep JS disabled for better anonymity or enable JS for the price of anonymity.
But as it is now, it is utterly dangerous. I'm quite tech savvy, but even I forgot to disable JS in NoScript for one or two days after I updated my TBB every now and then. Now imagine Average Joe who doesn't even know the difference between Java and JS, stumbling over all sorts of sites in the world, assuming that he'll be safe because he thought the Tor Project guys knew best what's the safest possible config.

Perhaps it would be more secure, but it wold be bad for the user's anonymity because after a few days of browsing with TBB and making exceptions in NoScript, people would have a very distinct whitelists which an exit node could use to fingerprint every user. Besides, I'm sure that people accessing FH (for example, but it would be the same for any site) would have JavaScript whitelisted for that site and the exploit would have succeeded anyway.

Only if the whitelists were sent to the websites AND the cookies and other things were allowed to stay between 'visits'.

Which, in the default setup of TBB, it's in private mode, which clears all that stuff between closings and openings of the browser.

Private mode would not prevent exit nodes and web site admins, for example, from being able to observe distinct patterns with regard to which sites were allowed to execute scripts and which were not.

Cookies and cache are all but irrelevant here.

August 04, 2013


@ Anonymous

Disabling poor wittle Javascript would likely buy little additional security when dealing with something like FBI.

It's not unreasonable to assume they can develop capabilities for penetration of browsers with JS disabled, or already have such ability.

A more robust approach would be to get a goddamn Raspberry Pi and this https://github.com/grugq/PORTALofPi (assuming you have to seriously worry about FBI), and / or a really thorough VM setup (though it's not like there aren't any VM escape exploits out there, amrite? =) )

Exactly. Javascript is only one attack vector, and is usually considered safe - this was an extreme case, otherwise you'd be hearing about Javascript exploits all the time.

Even loading images can be dangerous, depending on the image-loading code. A PHP script that returns an image mimetype could be used to exploit any weakness in that code. Should we look at the entire internet in plaintext, given the possibility that there's a vulnerability in that code? How many other attack vectors have opened up recently?

August 04, 2013


-Evil cookies
-HTTP requests
-Through Tor?
-Around Tor?
-Using desktop Firefox?

And will people be arrested for using services with no proof of anything close to borderline illegal, just for using encrypted services?

I'm using Qubes+TorVM from now on.

August 04, 2013


I am shocked anyone uses Javascript with Tor. One is owned by Adobe and is used to all manner of malicious ends, while Tor is precisely the opposite.

You don't understand what people are using. Java and Javascript are different. Both are potentially bad. One version of Java is owned by Oracle although there are others. openjdk as an example of a non-Oracle Java. Then there is Javascript which is completely different technology and not owned by Oracle.

So Oracle owns a piece of OPEN SOURCE software released under the GPL? That's weird.
FYI: Oracle develops OpenJDK but it's open source so anyone can fork it, no one owns it.

August 04, 2013


Guys i think this malicious code could be a hoax. They say it is on all of the sites that were on freedom hosting but I only found it on one onion site. That site claims to be hosted by freedom hosting but clearly isn't because it is still up even days after the raid on freedom hosting.

August 04, 2013


Why would anyone want to shut down something like Tormail? It's a damn webmail service, if it was the FBI or anyone from the government that took FH and in extension Tormail down then the responsible persons must be fired immediately and taken to justice for abuse of power. They are doing the same they did with Megaupload, they shut everything down and everyone must suffer even if they didn't do any wrong or anything illegal. What a shame of agency, and what a waste of money giving them a single penny

More potentially incriminating evidence that you can shake Edward Snowden at. Tormail is ostensibly shady, so it makes sense to seize the entire site rather than try to partner with it.

Think about it.

This is coming right on the heels of the Snowden NSA mass spying and data mining revelations. I myself had just decided to "go deep and dark" because of it, as I am sure millions of others have, and tens of millions more, if only they knew how.

I just opened a Tormail account that day and had sent myself one lousy test message. Now, I might have to worry about the FBI and SWAT team coming to my house, just for opening a damned anonymous and encrypted email account!

It is no coincidence that this is happening now, right when it could be easily foreseen that a great number of people would be migrating to the "deep web" to get away from the pervasive NSA spying.

This is clearly a "psy-op" to prevent that, much more than a shutting down and prosecution of those hosting illegal data, which is window dressing. After all, the U.S. government are the biggest child sex traffickers in the world, the real stuff, not just images, though that is where many of them come from. The NSA itself plants child porn on the computers of politicians and government workers in order to blackmail them and buy their obedience and their silence. It is a powerful tool of control that they do not hesitate for one second to use.

I have no doubt they will also use the IP and MAC address data to go on "fishing expeditions" against those who didn't even do anything illegal. They will use it as their "probable cause" This will allow them to tear people's houses apart looking for anything and everything they can use as evidence.

We all need to get real and get serious, because this isn't America anymore, and the stakes of forgetting that are getting very high.

This is why Tor Browser needs to come "locked down" to its highest security mode. Screw convenience. It isn't convenient living in a tyranny, and anyone who is the least bit in touch with reality knows that is where we are now at, and where we are going. No more play time! I didn't decide to go to TOR for entertainment.

On another note, I am more interested in HOW these JS exploits were put on the servers, since we know exactly how they got put on the clients.

Maybe NSA owned those servers all along.

August 04, 2013


Did this exploit get installed on TorMail or any other hidden service? What hidden services had this exploit running? Is it still running there? Did anyone post the code + shellcode for the exploit?

August 04, 2013


well tor is dead now , good job dipshits devlopers to include the genius idea of globally allowing scripts

Oh look! You can post a link. 'atta boy! Let me pat you on the head.

Still doesn't change, that their reasoning is bullshit. As I said in another comment, your Tor usage is identifiable anyways, because most of the Exit Nodes are well known. So anonymity is no argument at all.
And sure. For some people it may be a hard choice between losing users or putting them in danger. And danger there obviously is, as we've seen now.

If there are not enough Tor users there is a danger of being identified too. This would also defeat the purpose of Tor. It's not just a matter of the developers wanting to attract more users. Now you can argue that having javascript enabled is not worth the risks to users vs the anonymity gained from a larger user base.

There might be or have been a solution to reduce the significance of this problem. The Tor project could expect onion operators to be more cautious and not use javascript while allowing non-onion sites to use javascript. This would ensure every Tor Browser Bundle setup remained the same and at the same time allowed non-tech savvy users to visit non-onion sites easily that are dependent on javascript.

Another feature that might be worth adding is something which alerts users to possible dangers. For instance while there may not have been a fix to the problem it might have been possible to cause all Tor Browser Bundle sessions to pop up a warning that notified the user of a possible unfix compromise in Tor/Tor Browser Bundle/etc. This way there would have only been a small number of people (those on between 6am and whenever the issue became known).

I have to agree with the individual who posted the link. He provided a relevant link for those who would like to learn why javascript is enabled by default — to encourage users to consider TOR. If websites don't work with TOR browser then no one would use it.

You are certainly geek enough to know this.

Would you please kindly consider the fact that there were, in the past, exploits that ran arbitrary code from a goddamn .jpeg image?

So, what makes you think that there are no other .jpeg / gif / png exploits out there?

Besides, the exploit used in FH attack is OLD. O - L - D. Not a 0day. Latest tor browser bundles were IMMUNE.

So the only dipshits are the people who FAILED (F-A-I-L-E-D) to update (U-P-D-A-T-E) their bundles.

"So the only [fools] are the people who FAILED (F-A-I-L-E-D) to update (U-P-D-A-T-E) their bundles."

Whether or not they are the only ones, people who fail to update certainly are fools.

And what about the "genius idea" of using an OUTDATED, DEPRECATED version of TBB, with known vulns, that had been REPLACED OVER A MONTH AGO?

(Not that I'm saying that allowing scripts globally was a good idea.)

look up magic lantern!
Norton and McAfee install it it tunles thru fire walls to report to the NSA

August 04, 2013


How to tell if you got infected by this i was poking around tor a few days ago just to see what it was all about. know i here about this WTF how can i tell if i got this shit bug?. needless to say fuck i'm glad i deleted Tor as it was to slow for me. But know i might have a fucking bug in my system because i used it.

I wouldn't worry. It doesn't appear to be an infection, it's just code that's run in your browser if you visit certain hidden sites, which sends your real IP to a server near Washington, DC. It appears the hackers/government were targeting child porn sites only, which were hosted by Freedom Hosting, to try to gather the real IP's of anybody going to those sites.

Yea- it doesn't matter who the victims are. This attack effects every Tor user. You can't say we don't like party x and are glad they're gone because then its on to the next victim and that victim is you.

Regardless of OS? I use Linux, I do not care about being exposed for using TorMail for non illegal purposes, but I do not like the idea that they can continue to download more malware and code.
Do you think I should format my Linux box?

TorMail wasn't even a child porn site! It had nothing at all to do with them.

I had just opened an account there, sent myself one lousy test message, and now TorMail is gone, and the friggin FBI and NSA could have my IP and probably MAC address too.

These days, with government tyranny and paranoia at an all time high, just being a known user of anonymous and encrypted services is enough to get you branded by NSA/DHS/FBI as a "domestic terrorist", or worse. That makes this some serious shit.

I can't tell you how angry and resentful this is making me.

There HAS to be a better way. If not, this country is DEAD.

As I understand it there is two reasons the exploit as published will not work on Linux (Tails):

1. The web browsers is compiled with a different compilers, with different compilerflags, against different system libraries and syscalls. An exploit made to inject shellcode in one compiled version of the browser most likely will not work in another. This published code tries to inject the shellcode in some version of Firefox 17 compiled for Windows.

2. The shellcode itself will use library calls or syscalls for the Windows NT platform. The library calls and syscalls differs between Windows and Linux, for the same reason you usually cannot run Windows exe files on Linux. The shellcode should fail to execute.

In addition to this the Iceweasel browser in Tails is compiled with stack smash protection and other 0-day exploit prevention measures. But of course it might still be possible to make a new version of the exploit that works in Tails and other Linuxes as well, the source of the problem is in Firefox 17 ESR (and maybe other versions too) after all.

August 04, 2013


The US gov finances 80% of TOR development costs. Who'd you think would know how it works - and doesn't?

Everyone who is legitimately using TOR for non-criminal privacy reasons is being hurt because of the actions of a few. If you invite The Wrath you can expect to get smacked.

For the latest year available (2012) 60% came from the US government. Now if you ignored donated services then you could argue 73% came from the US government. I think 80% is a stretch of the imagination.

This is based on info from page 6 of the Tor Project Annual Report (income):


Another thing to note is that the project is aware of the fact a large part of its funding is coming from a single source. There have been efforts to raise money and diversify the projects sources of income.

"The Tor Project's diversity of users means we have a diversity of funding sources too — and we're eager to diversify even further!"


I forget (or maybe it isn't up any more) where the page is that documents this campaign. It met its target goals for this year or last year which would explain it's lack of prevalence on the front page, etc.

"For the latest year available (2012) 60% came from the US government. Now if you ignored donated services then you could argue 73% came from the US government. I think 80% is a stretch of the imagination."

So, at most, only 73% of the Tor Project's funding comes from Uncle Sam and maybe even as little as 60%?

Well, that makes all the difference now, doesn't it?

I feel completely reassured now.

Freedom is dirty business.

It is not sanitary, never has been, never will be, and any misguided attempt to make it so will destroy it. History has proven this repeatedly.

Also, collective punishment is not justice, because it punishes the innocent along with the guilty.

Whatever happened to the bedrock American principle that it was better to let 10 guilty go free, than for one innocent to be wrongly punished?

Freedom demands that we tolerate a certain degree of unsavory messiness in life, as the attempt to eliminate it eliminates freedom itself.

August 04, 2013


What was the purpose of including NoScript in the bundle and then globally allowing scripts, flash, silverlight, font-face etc?

Why on earth would you enable javascript by default?

These are not the settings TBB used to have.

I'm guessing because they figure most Tor users just want to visit mainstream clearnet sites anonymously, and most mainstream sites use the simpler functions in javascript. So it makes sense to allow javascript, but also use NoScript to also block out any potentially dangerous parts (like iframe).

The default settings in NoScript on the tor BB block nothing. "Allow Scripts Globally" and all browser plugins are allowed. It literally does nothing to keep you safe from a malicious attack when used in the default settings, which Vidalia seems to tout so much.

Not all Javascript is allowed, the Tor Browser have some patches against the real version of Firefox that blocks or modifies some known dangerous Javascript. Also, most (all?) external plugins should be blocked by a patch too.

Now, after seeing that real exploits against Firefox over and over again uses Javascript, I believe blocking Javascript by default is something the Tor developers should consider.

August 08, 2013

In reply to arma


I'm not sure which is more baffling and disturbing:

a) The fact that neither you (arma*) nor any of your colleagues have addressed the glaring, utter CONTRADICTION between what you have been posting here regarding JavaScript and what is stated at
b) The fact that no one besides myself seems to be bothered by a) (or even /noticed/ it)


I skimmed and did a Ctrl-f for "faq". Nothing.

Incredible. Absolutely incredible.

*BTW, I apologize for referring to you in the feminine in previous posts. I had you confused with a female colleague.

Even with scripts allowed globally, NoScript still provides certain protections, such as blocking cross-site scripting (XSS) attacks.

(Obviously, allowing scripts globally cannot provide (anywhere near) the same level of protection as the selective whitelisting model that is the normal default behavior of NoScript.)

August 04, 2013


Why the fuck have you delivered TOR Browser Bundle with NoScript and JS enabled by default? Stupid motherfuckers!

I guess the NSA is operating the TOR shit and if not: Congratulations, you have ruined its reputation!

August 04, 2013


It's probably too late once you got it, but what would you have to do to make sure it's not still infecting your system? Just delete cookies?!

Disable Javascript -- in TorBrowser click bug orange TorBrowser button at top-left, then Options, Options, click "Content" button at top, and uncheck "Enable Javascript"

I noticed the names of two windows DLLs in the shellcode so I assume it runs on windows. Who knows if it can run on any other operating systems.

I can't imagine this could affect anything in Linux. The exploit looks like a buffer overrun that messes up the memory heap which is handled completely different between Windows and Linux. It is targeted to Windows.

Precisely why they did it.

Unfortunately, they also screwed their own agents that use Tor every day, but that's a small price to pay for keeping those damned net.nerds in line.

August 04, 2013


Lol wut? What are you people whining about the dev's? Half of the torproject website deals with how to correctly use TOR. If you do not take the time to read it then you would be caught by one of the other methods available. There is not a single statement which says: "Download the TOR Browser Bundle and feel save!" but quite the opposite of that. BTW the exploit did not break TOR it just tried to find away around TOR. If you were affected then it is probably already too late.

The REAL question, which NO ONE seems to want to address, is how supposedly "hidden" servers could be identified, targeted, and then infected with the exploit.

If no "hidden" services are really "hidden", then none are safe.

August 04, 2013


It's not that hard, just make sure to have javascript disabled by installing noscript.

Nope. Javascript cannot be exploited if implemented properly, so there isn't much reason to block Javascript at all if you think that way. And javascript does greatly improve the web experience.

Now, it have turned out over and over again that javascript is not implemented properly, and this time it might have been a real exploit against the Tor Browser. Maybe time to reconsider a few possible bad design choices.

No, it doesn't. They have explained NUMEROUS times why Javascript is on by default in TBB, because Javascript being DISABLED breaks too damned many sites.

August 04, 2013


>Javascript is enabled for anonymity

If I read the FAQ correctly, it seems to say that if script were disabled by default for everyone again, then it would improve anonymity? It seems to be saying that it was only enabled because some users wouldn't be able to figure out how to enable it. I agree that it was a bad idea to enable script by default.

>Javascript is owned by Adobe

That's incorrect... Are you thinking of Flash?

>Not an infection, just for revealing your IP

If an attacker only wanted your IP, couldn't they have just injected an image instead?

agreed, using an exploit simply to reveal your IP sounds like an overkill, but an injected image or anything that runs in-browser wouldn't work, so the exploit may well be the minimum effort path.

No, they can't inject an image, because the browser would retrieve it using the Tor IP. The exploit uses OS system calls to get your IP, i.e bypassing the browser bundle entirely.

No, the exploit does not need to query the computer IP address - which would be pointless about 99 % of the time when the computer does not even have an Internet address.

The exploit just opens a TCP connection to some external host using the OS connect call (not through the browser network engine).

August 04, 2013


Help how i tell if i have this this shit i was just looking at Tor a few days ago first time using it and was browsing the .onion i ran into a few wired sites and not sure what they were. and i went to Tor mail as well. dose this only effect Tor browser or dose it effect whole system?. I seen some pretty dodgy shit and i did not like what i saw so i deleted Tor. but how do i know if i deleted this as well if i got it?.

If there is evidence of a crime on the computer and a raid happens chances are your life is over. The only way you might be able to avoid this is by getting rid of the system before they raid.

A crime of information (computer crime), a crime dealing with speech or images, means your life is over.

This world belief system that the USA has foisted upon the world is disgusting.
And if you don't obey it's system, as a country, you get invaded and bombed.
As an individual you get sent to their rape jails.

I hate them.

First of, Tor can be used for so much more than .onion sites. It is (if used properly) an anonymous way to reach the whole internet, the very same internet you use your normal non-anonymous web browser for today.

About the exploit, from the reports seen, it seems to not install itself or modify your system in any way, so you should not have to worry about it still being there, if you got infected at all.

Exploits like this happen all software that uses the internet, expecially web browsers. In a few weeks at the worst a fix will have been released, and Tor Browser will be safe to use again. You are welcome back then.

August 04, 2013


So I wonder what makes a modern, security friendly website? Could be a new best seller.. But seriously, I'd like to have a site that was available in secure and anonymous ways, and that didn't rely on js for client side code or on other insecure things, but on some other tech that was more user friendly . Maybe we need to work on a secure js subset or something we can accept or checksum against??! Maybe a mozilla or chromium plugin is the way forward for a proper site/web app with onion or i2p counterparts then?

html only, all ports closed, build from sources with each release of nginx, no php or javascript, read only file system and NO SWAP. Hosting a .onion site is risky, but if done right, the chances of having your ass handed to you are near nil. Also, never have physical access to the server or have any identifying information on said box that can be linked to you (this includeds pushing stuff remotely).

" that didn't rely on js for client side code or on other insecure things, "

JS is not "insecure".

" Maybe we need to work on a secure js subset "

There is such thing as an insecure JS feature.

There are security bugs in BROWSERS.
Not in JS.

Excuse me, but yes, this is a bug or unnecessary function in JavaScript that shouldn't have been included in the first place.

I'm coming to the opinion that JavaScript should be exceptionally limited in TBB and perhaps it's time for an extension that 'blocks' some of the more insane functions in Javascript.

NoScript is fine, however it only blocks EVERYTHING on a site and doesn't block some of the more dangerous functions in JavaScript if you allow a website to use JavaScript, which on a lot of sites on the internet today you HAVE to allow JavaScript or the sites don't work correctly.

If this dude is correct, TOR stands to live another day. It appears they didn't penetrate the TOR network at all (if he is correct).

If I understand him correctly, it was on the target site. The user would have infected their own system, not the FBI piercing the TOR shell.

In this case, good job FBI, good job TOR.

Didn't penetrate the Tor network?

You don't think targeting and infecting a broad swath of supposedly "hidden" Tor servers is a "penetration"?

If that isn't a "penetration", I don't know what is. It appears to me that any "hidden" service can be targeted and infected at any time, so what is the point of even using them?

In a situation like this the best course of action is probably to dispose of the PC, media, printer, anything else which might be connected (eletronic or otherwise), etc far far away and before a raid happens. It would also probably be good to destroy parts/materials/etc. Then get familiar with your rights. Have a lawyer ready (investigate). Write the number on your body (and memorize it if you can)! When the raid happens don't provide anything other than your full name name and address. You probably shouldn't answer the door and you may want to be lying down after your door is broken down. Best to be lying down with your hands behind your head (ideally to avoid excuses they will give for force). As an answer to questions asked state that you'd prefer to remain silent, ask for a lawyer, and every so often ask if you may leave now. Take notes if possible and memorize names, badge #s, etc. As soon as your released or otherwise able write down whatever you can remember about the raid. It may help in your defense.

Just because you have accessed a web site does not mean you have broken any laws. It's up to the lawyers, prosecutors, and judge/jury to decide your fate and the best thing you can do is avoid giving the prosecutor/judge/jury/etc any reason to think you might possibly be guilty of a crime. The prosecutors going to make it out that you are a criminal of some sort regardless of the facts. Don't get upset. Let your lawyer do his job and never ever insist on getting up on stand or try defending yourself (in court, to judges, prosecutors, cops, or anybody else, just answer you have been advised not to speak without your lawyer).

That is your best chance at reducing your risk.

tl;dr: If he has done anything illegal, which is not apparent from his post.

The exploit itself seems not to install itself on or modify the system in anyway, even if it is successfully executes. All it does is completely deanonymizing the current Tor Browser session. This means that there is no action required to get rid of it. But to be safe, reinstall Tor Browser Bundle completely.

1 use vm
2 use freebsd fulldisk geli
2a (add some magic w/ last sector)
3 load freebsd to memory (by pxe)
4 enter manual password (add some magic w/ keyfiles)
5 (rc.d magic) - shutdown freebsd.

After 4 you have disk with you data, after 5 you have disk with random data!

Do you ever think they CAN and WILL falsify you data or connections?
Do you believe in lawyers? Just think in what state you live...

There is apparently no malware involved, but your IP/hostname and MAC address have been logged.
The only thing you could do is buying a new network card to change the MAC address permanently and wiping your hard drive to dispose of any evidence you migh have.

August 04, 2013


Man, you people sure like to pontificate and ramble on about nothing. Do some research, read the exploit code, and learn the facts.


Current versions of tor browser are not affected because they are based on Firefox 17.0.7 ESR. The exploit was probably for people who do not update, or a specific person who did not update their tor browser.

As of this comment, there is no proof this Irish American guy is the hoster of Freedom Hosting.

As of this comment, there is no proof this attack has anything to do with the FBI.

All rumor and hearsay. The attack is real and incompetent.

So? There is Firefox ESR 17.0.2, 17.03, 17.04, 17.05...
The useragent does not reveal the exact build. So the exploit code just had to target all of them.

If your ESR build is 17.0.7, it runs, but does it run successfully? Would they be sloppy enough to include an if clause that checks for vulnerable versions, and that still runs on a known patched version?

If useragent doesn't reveal the exact build, why don't they just check for version 17.

Shouldn't it read:

if( version == 17 )
var12 = 0xE8;
return ;

instead of :

if( version >=17 && version <18 )
var12 = 0xE8;
return ;

Because the useragent looks like this
Mozilla/5.0 (Windows NT 6.1; rv:17.0) Gecko/20100101 Firefox/17.0

It only includes the major and minor version, but not the the build. There is no way to target specific builds.

You may be right, but how do you know that the exploit referenced in your link is the same as the one used against Freedom Hosting?

According to the description in your link, the exploit must crash the browser in order to execute?

A crash is relative, i suspect an exploitation of an exception handler to execute the payload (shell code). If done correctly ff won't crash because the "exception handler" handled (i.e. phoned to papa and gave you a nice cookie) the exception and continued the normal execution.

No, it means the exploit COULD cause a crash OR EVEN execute arbitrary code, which can probably be specially crafted so it doesn't crash the target process.
Still: Daniel Verditz may be right. But did he really test it, or did he just suppose it was the same exploit, because it worked in a similar manner?
So, still waiting for confirmation from different independent researchers.

That's what I was about to ask.

To be sure, someone would need to test the exploit in version 17.0.7. This would be easy to do, I would think, but less easy to fully test without accidentally having your IP broadcast to who knows whom.

If the attack requires people to be running javascript and cookies on an outdated browser with a flashing "!" telling you to update, then it's a pretty weak one, and not nearly as big a deal as everyone is making it out to be.

It says the crash is exploitable, the rest just seems to be ineffective action. It might be the security fix affects it anyway, but there is a difference in the wording. (But maybe there even is a crash in those cases?)

You can't get rid of it. It just sends your IP adress, MAC-Address and hostname to a clearnet server and then exits. There is nothing to get rid of. The damage is: you have possibly been decloaked, when you ran an exploitable version and visited a freedom-hosting site.

It's not on your computer. This is not a virus. If you go to one of the infected sites (apparently only some kiddie porn sites hosted by Freedom Hosting), your real IP gets sent to a government or hacker's computer. If you don't go to one of their kiddie porn sites, nothing happens and you are perfectly okay.

That is technically impossible. The only thing you could try at this point is make that piece of equipment a present to your worst enemy or eat a cookie.

Classic isn't it? TL;DR?
delete your cookies

August 04, 2013


Hey Guys... I'm not english native speaker so, sorry by misspelling things. But I do have some knoledg about crisis and it's exacly what's happening now.

I use tor because I belive it's important have a tool (or asset) who you can trust at all costs. This said, javascript by default it's a huge flaw. Blindness trust is too.

But NOW, I thing tha the most important thing it's put things in perspective and create a plan to overcome this issue.

Fisrt a FAQ about the problema, and a post like "WHAT TO DO NOW". I belive that's a lot of people freaking out right now. And create "solutions, information, orientation" for these people, have to be the first thing to do right?

Hope you guys can create a quick and easy, What to do NOW. Cause the news are getting more and more hot.

Luck for you guys. Sorry I cant help with the details.

What to do NOW:

This situation only affects people going to child pornography sites hosted by Freedom Host.

If you do not go to child pornography sites, you are okay.

If you visited those child pornography sites, the government now has your identity (IP address).

It is that simple.

Apparently this exploit was on every site hosted by Freedom Host, including Tormail, so many non-pedos may have received the exploit.

It's not that simple. There going to be performing raids on people and if history has anything to show for it many of the people raided will have committed no crime. However your going to see a lot of suicides from the unjustified raids and poor tactics used by law enforcement. Convictions will be obtained through non-existent "evidence" (flawed for various reasons) and the burden to which one would have to prove it flawed,wrong, etc. When your facing the potential of life in prison or a few years in jail for a plead of guilty it's suicide (not to mention parents, friends, family, etc who will have all turned on you) or death by prison gang members. They don't go easy in prisons on people convicted of crimes against children. Every person who has used Tor recently needs to be concerned.

People should be rioting in the streets about this... not sitting in there homes waiting to be arrested for a crime they probably didn't commit.

United Shits of America won't care. All they care is that you're seeking privacy and automatically categorize you as a child porn watcher and/or terrorist.
Yes, I'm the same commenter as the Whonix and Qubes guy.

August 04, 2013


would there be some evidence on my computer that I got this exploit? like a cookie or something? this is the first time i've been on Tor since Aug. 2nd.

There are some asking the same. People seem to think it's beneath their notice to point out. Not knowing what the traces might be myself, I would surmise deleting and downloading a new Tor Browser and deactivating Java would be the safest option.

Hopefully... (hopefully) the latest version of Tor Browser Bundle is protected against this particular bug.
If you use normal Firefox with Tor, instead of TorBrowser... You deserve it. That is one of the dumbest things privacy-related you could do.

The exploit does leave a cookie, but it expires after 30 minutes.

Really this whole thing targets kiddie porn viewers. If you visited a kiddie porn site in the past week, your real IP is probably logged. If you didn't, you're okay and carry on as usual.

The US government and FBI are not well known for being specific where it relates to these attacks on pedophiles. Everybody has something to worry about regardless of there use of Tor for such activities. Even if your not using Tor you should be concerned. For instance using a generic picture upload site might get you targeted for a raid even if you have never uploaded pornographic material or anything illegal. That will ruin you, as employers, family, friends, and others will put as much distance and shun your “actions” (which aren't even true) based on the raid and negative media publicity.

Operation Avalanche (from wikipedia):

"Although US prosecutions were made on the basis of other evidence, later reconstruction of the Landslide site and review of the computer hard drives in the UK identified flaws in the police forensic procedures used and contradicted evidence on the website given at the Reedys' trial. Specifically, investigation of the Landslide data indicated many names listed were victims of credit card fraud, and that there was no link on the Landslide front page to take the user to child pornography sites as stated in sworn trial testimony.”

August 04, 2013


There are a bunch of other (non cp) compromised .onion sites that have sent your ip to the feds, like Tormail.

That's what pisses me off, tarred with the same brush just for using a mail service.

August 04, 2013


So, the illegal code doesn't need to crash the browser in order to run? It doesn't crash the browser after running either? It works on all windows NT computers?

It would be nice if the Tor developers provided some useful information after having royally fucked their users.

The articles are wrong about Tor and misleading. The Tor Browser Bundle has always had javascript enabled as far as my recollection goes and it was definitely not a recent thing that they changed. This has been an ongoing debate (to disable or not) for a long time. Tor's developers had to weigh the actions of insufficient users which would break anonymity to that of security where the program would be too difficult to use and then not have the user base it needed in order to protect people.

I do think changes need to be made. However there decisions are not as simple as you make them sound. If it was disabled the authorities might have just gone about identifying users using another attack vector that took advantage of an insufficient user base.

There really isn't much information to provide right now. Basically everything is speculations and guesses. And reports of a few attempts to reverse engineer the exploit. It is not certain the exploit have worked at all.

August 04, 2013


What about if you visited some .onion uploading picture sites? I tried a few of them on the third, all were down. Could those sites also be targeted?

Possibly, if they were hosted by Freedom Hosting. From the reports I have seen, only a few sites were infected with this malicious javascript exploit, not all sites from Freedom Hosting.

August 04, 2013


okay, so im a little confused. if i use tor to exclusively to visit onion sites and not do personal email, facebook, etc. am i still revealed? or do you have to do all that stuff in tor to be effected by this?

If you visited one of the affected .onion sites with Javascript enabled (the default), and running on Windows, you may have been revealed. No other usage of Tor Browser is required for the exploit to work.

August 04, 2013


So apparently I disallowed scripts in NoScript but had Javascript activated in the browser. Many complaints seem to be targeted at having NoScript deactivated by default. But does it also block Javascript when blocking "all scripts"?

In a nutshell, no.

The longer answer is this. In earlier versions of Tor, javascript was disabled by default (can't remember if it was the browser or Noscript, but one had javascript disabled.) The Tor Project then removed this in a later update to make Tor more user friendly and announced it on the Tor site. A lot of users seemed to have missed this update (especially as users tend to download the update when prompted to from starting Tor and don't necessarily read the release notes.

OK, I can see how disabling JS globally would make the browsing experience of the user rather, uhm, unpleasant.

But why not ship the TBB with a NoScript rule that disables JS on the .onion sites only?

NoScript's whitelist and blacklist feature doesn't work for top-level domains, but you can add ABE rules to disable all possibly dangerous content on .onion sites:

Open NoScript's option window, click the "Advanced" tab, then the "ABE" sub-tab.
On the left, choose the USER ruleset, and add the following lines:

  1. </p>
  2. <p>## Rules for loading Onionland content<br />
  3. Site .onion<br />
  4. # Sandbox all .onion site requests<br />
  5. Sandbox from SELF+<br />
  6. Sandbox from .onion<br />
  7. # Prevent embedding Onionland content in Clearnet pages.<br />
  8. Deny from ALL</p>
  9. <p>## Catch-all rules for content not matched above<br />
  10. ## Always put these at the end of the ruleset!<br />
  11. Site *<br />
  12. # Prevent embedding Clearnet content in Onionland pages<br />
  13. Deny from .onion<br />
  14. # Default policy for Clearnet content<br />
  15. Accept from ALL</p>
  16. <p>

Note that the "Sandbox" directive will also disable iframes, which might result in an empty page. Looking at the HTML source code might help in those cases.

From my knowledge yes. Noscript blocks every script including Javascript even if it's activated in the browser. If you install Noscript in the normal browser and block all scripts, you will see that they block the actions of Javascript also even if it's activated in the browser options.

August 04, 2013


THIS EXPLOIT TARGETS KIDDIE PORN VIEWERS ONLY. If that's not you, you have nothing to worry about.

It may only have targetted childporn viewers yet. But your reasoning is very dangerous. They may have a working deanonymizing exploit against all Tor users.

No silly This whole thing is a global psy-op. It affects every single human including you. The CP factor is to justify attrocities against humanity. You really think big brother has justice in mind when running these ops? They run the CP rings for christ sakes! We've all been fooled. We have allowed the true enemy of mankind to grow to unstoppable proportions. Absolute enslavement is pending and nearly innevitable.

August 04, 2013


Let me ask something, hypotheticaly speaking what would happen if: Java is enabled but Javascript is disabled? or Viceversa?

And is it safe to assume that if both were disabled then the user is safe?

I don't think you can activate Java in Tor Browser Bundle.

If Javascript was deactivated you are safe against this exploit either way, as it doesn't use Java. There is many other exploit against Java however.

The more simplified any technology is, the fewer vectors exist for an attacker, hence the more secure but they less capable, some sites may not work entirely well.

The method I use is to turn things off until you find something that is required. Until you confront that something that requires something you turned off, don't turn it back on again.

Totally agrees. You simply cannot shut down sites on Freenet, no matter what. And it is harder to exploit, and maybe harder to track original uploaders of content.

August 04, 2013


It was aimed at CP/pedos.. But from what I can gather all sites from freedom hosting were targeted. The recent versions of TOR bundle enabled JavaScript. So if you didnt manually disable it, and visited any of the downed sites it sent your real IP to the FBI etc. Not much to worry about if you aren't doing anything wrong, but you're now your ip and computer MAC address are on file. This MAC address links you to Facebook, email etc (I presume) So you just got done with a sticky hand near the honey pot.

Hitler began by persecuting "undesirables" too, and ended up destroying his country, and taking 10's of millions of innocent lives down with him.

Germans accepted the persecution of those deemed unsavory, not realizing it would ultimately lead to their own destruction. 20 million Germans died, all told. About the same number of Russians.

What do you think will happen to America if we head down that same road?

Erm... Stalin's Russia was over 60 million , not 20 mate. And what do you mean *if* USA? They are the nation in history who have killed most peoples! Only RUssia and China have killed more people , which were mainly their own however. Since WW2 , US has murdered and killed 37 million people roughly. Just in Afghanistan and Iraq now? Not too far off half of the number of jews, gypsies, and others massacred by the Nazis. Concentrationc camps, invasion, torture abduction to those concentration camps,'people are not human', fuck the Geneve concention, put in place to avoid nazi style atrocities again.. but no.. US is a neo-liberal facist state.. which is not as bad as Nazi Germany.. perhaps but it certainly is neo-nazism. And whilst you're at it, you can watch The Afghan Massacre, the convoy of death to start of with.

Now, "They were targetting child porn viewers and participators". Ye, good, and I hope they bring em all in.. guess any notable US serviceman or so will be noticably issing... and cult peeps, the ones who perform a lot of this I'm guessing. WHere have all these 5000 arrests gone then? WTF... I resfuse to believe they are THAT transparent and just are making this freedom hoster a target due to what was on the servers. Seriously, they seem to not having given a fuck after all about children eh :/

Seriously.. go and fucking BURN IN HELL US... you day will come, and when it does, you will never fucking be wanted in this world again.

August 04, 2013


Yet another attempt of the government to spy that will backfire in it's face.

Thank you Tor and Tor developers for this useful post. Keep up the good work!

August 04, 2013


Stop saying it only affects child porn lookers. Tor Mail is not child porn. I had a Tor Mail account, I tried to access it, and now I'm tied up with pedos.

Not really. That is like saying that if you hosted with a server company that was found to be hosting child pornography that wasn't on the Deepweb, that you are automatically guilty of trading in child pornography and supporting that.

August 04, 2013


i don't think they are going to come after anyone who just happened to brows upon one these or TorMail i think there looking for distributors of this stuff. otherwise there will allot people going to jail over this. so i think we all have nothing to worry about at all. i hope i'm right.

August 04, 2013


Good morning everyone.

I think it's best to organize concerns into 3 different risk categories:

Low Risk
Moderate Risk

Let's start with Fucked. You accessed and possibly surfed the child pornography website on Freedom Host within the last few days using TBB. Your curiosity and/or perversions have finally gotten the best of you and now you may have a raid on your hands. Please do a search on this page for:

"OK so how do i ride my PC of this if i got it anyone? from Tor mail?"

Mind the quotation marks and check the response to the question. It's a very good response IMHO. Please note that it appears that this vulnerability was targeting Windows systems. It's possible but has not been confirmed that there is any danger towards Linux users.

Moderate Risk:
You've accessed other onion sites hosted by Freedom Host (such as tormail) within the past few days. There is a possibility that the javascript gift the feds spread across the server has infected your browser. If you're using a VPN you should be fine. Keep an eye on your accounts or delete them.

Low Risk.
You're just using tor but haven't really been to any onion sites at all. Your only concern should be whether or not you want to disable javascript. There has been a debate about that. See: https://www.torproject.org/docs/faq.html.en#TBBJavaScriptEnabled

This is just a quick break down of concerns. If anyone has corrections or more information to add please reply.

***One other thing. I believe that this should be a wake up call to the Tor Community that the fed machine is getting a bit out of control. To ensure that online anonymity is maintained, we must begin innovate new technolgies. Otherwise, the Eye of Sauron will know all.

August 04, 2013


I'm seeing many mentions this exploit was designed to work for Windows NT & maybe Linux.

Anyone got any idea if it would work similarly on Mac OSX? Or would that nix it?

Also if one was accessing Tor through a VPN at the time, would the exploit reveal the VPN IP, or the real IP?


If you had JavaScript enabled but used Tor through a non-logging VPN you would have been safe as the exploit would have returned only the VPN's IP.

August 04, 2013


I don't see why everyone is so fucking paranoid. If you KNOW you're viewing illegal shit online then you should have been prepared before hand to set up a proxy/vpn before even using TOR. Nothing is safe.
Use a virtual box next time with a socks5 before you connect to Tor. You'll be fine little children.

Not everyone has the knowledge to set up a virtual box in a safe way without doing any mistakes, or configuring a extra hop using a non-tor proxy/vpn.

By the way, single hop proxies like VPN doesn't really provide much additional anonymity.

I guess the Internet's already forgotten that HideMyAss was the first VPN provider to get caught spying for the FBI (re: AntiSec).

August 04, 2013


I have the Tor Browser Bundle for Mac. Its a version released sometime at the end of 2012. It appears NoScript has been working correctly for me.

A few days ago, I tried to run it. Vidalia opened and connected. The icon for the Tor Browser opened, but closed before the browser appeared. It did this several times.

I've been reading everyone saying that the exploit only works on Windows, and not Linux, but no one mentions Mac. Could I be infected? I don't remember visiting any sites that showed error or maintanence messages.

It seems this particular exploit was written for Windows users. But if you're using a TBB from 2012, for god's sake upgrade -- you are vulnerable to many other potential attacks.

August 05, 2013


supposedly ed snow leaked to the guard via tor. has anyone said how it was pinned on him so fast?

August 05, 2013


If the NSA and other government's are tracking all internet data, then what makes you think that anything over tor is anonymous to begin with?

If all of the data is tracked, then the data masters need only connect the dots. This is a well known weakness of tor. If one entity controls too many tor nodes then they can easily connect the entry to the exit. This is the same as NSA tracking all of the data.

Maybe, maybe not. I at least don't know how elaborately they track the internet traffic. Keep in mind, that a Tor Node doesn't necessarily only handles one connection at a time. Tor Nodes are providing connections for multiple users at the same time. So the traffic will get mixed up. Imagine a Shell Game. You have these, let's say, 5 Shells. You put 5 different colored beans underneath them. Then you show the NSA under which shell which bean is. After that you shove them all under a bigger shell and jumble them around without the NSA having a chance to peak into the big shell. Then you take the smaller shells back out and the NSA has to guess what bean is under which shell.
I may be wrong, but this is how it works.
Though I don't know if the NSA has any means to recognise the encrypted packets before and after they pass the node by their size for example. The packets should look different, because a layer of the onion is peeled off by the Node.

August 05, 2013


Why the hell would they inject this crap on Tormail?
The firefox version with the tor bundle I had installed was 10.0.7 ESR. I had also disabled javascript from firefox settings (Options > Content). Would I have been compromised at all?

August 05, 2013


So in what time frame was this vulnerability exploited? The past week? The past month?

August 05, 2013



I have some off-topic but relevant to higher security, critical for me.

Does someone of you using "3proxy" (minimal all-in-one-solution 3proxy.exe from http://3proxy.ru/). Do you trust this proxy SW?
Minimaly standalone service socks.exe is permanently detected like malware TrojanProxy:Win32/Small.DY.

From time to time i stop trust some node and block it. Exist some web for exchanging information between TOR users? Web when people speeks obout recomanded and trusted nodes?

Thank You, have nice a day.

Cookies for validation...?

If you would actually READ THE PREVIOUS POSTS, there is a goddamned good reason why they do NOT do that by default.


We need a solution that blocks certain 'weird' things and perhaps a solution that blocks cross-site scripting by default to prevent an issue like this happening in the future.

The RequestPolicy extension is a good start (and I feel it should be included by default with TBB from now on) however even that extension doesn't block some of the 'more dangerous' JavaScript functions that .onion websites especially shouldn't use.

August 05, 2013


I am completely new to this, not a tech guru like most of you are. I simply happened to download the TOR Bundle a couple days ago. I'm on a Mac, was using Apple's Safari browser when downloading the TOR Bundle. I wanted to download the TOR Mail, but when I clicked on the links, nothing would come up, so I was frustrated that I couldn't seem to find the TOR Mail site. It seems that perhaps I came into this after the TOR Mail servers/hosts/whatever you call it were shut down...? So am I ok w/ respect to having my IP logged by someone...? All I was trying to do was find a secure email system and web-browing system.

August 05, 2013


JavaScript isn't the main problem here. They may also have 0-day-exploids for other components:
- CSS Parser
- XML Parser
- media handling (image parser, audio decoding, ...)
- DOM handling

Sure, JavaScript is more complex which leads to more potential bugs. But the main problem here is that browser isn't an isolated component and can always contain security bugs. How do think about:

Sandbox: Contains Firefox and Profile files, is wiped after exit
User I/O (including key presses and frame buffer): Handled by a special sandbox hole.
Network: Firefox can only interact with a TOR proxy that doesn't run in the VM. So it is not possible to leak the IP address when exploiting firefox.

August 05, 2013


From what I have read no one is sure how the FH admin was identified. Until this is explained I don't see why anyone would want to run a Tor hidden service.

August 05, 2013


When javascript is enabled by default in the options settings, it is still blocked by noscript; I did the test with www.isjavascriptenabled.com/

so not allowing scripts globally seems to block as well javascript but maybe it needs more to really block???

August 05, 2013


Tor has never been anonymous nor claims to be
I once had a convasation with nick before Tor in his mixminion days
suddenly money was donated to tor
nIck joined the tor dev
With over 4000 plus nodes its a big con but a nice one.

Dr Fred Pipper

August 05, 2013


I don't even understand why there is Javascript in Tor Browser... The principle of Tor is to be anonymous, if you turn on JS, you might as well use normal Firefox...

August 05, 2013


shit, if they have your IP are you going to get a visit, by just viewing a site once or twice?

I wouldnt worry about that. I highly doubt valuable resources would be used to target very insignificant individuals; thats not the kinda stuff which makes the news.

August 05, 2013


Don't worry about this one so much, but rather focus on the next security holes. There are lots of them. What about Flash? And what about fingerprinting? And what about preventing anything to circumvent the browser's settings. That's the biggest leak possible when the it is somehow allowed to communicate with a fisher directly. What about all those ancient, forgotten topics, like cookies? That should be looked upon NOW!

Still doesn't explain how the exploit got onto the servers to begin with, and how it was positioned and setup to be downloaded to the client browser.

As far as I am concerned, that is the bigger issue.

If hidden servers aren't really hidden and can be easily infected with malware, then the Tor hidden services are pointless.

August 05, 2013


I use TOR sometimes. I always try to remember to turn off javascript, but sometimes I just forget. The developers made a huge mistake to turn on javascript by default.

So far everything points to August 2nd 2013, who knows though, because that wasn't tracked too meticulously. We just know that's when reports came out about malicious js attacks on fh

August 05, 2013


What happens to users who like me, have visited Tormail using Orweb on Android phone??

Are we infected?? Or it only affects Windows users??

Im in the same sit , but i had javascript disabled on my android and i saw that message i think if it was only for tbb on windows i wouldn affect android or any other unix based system , please correct me if im wrong

August 05, 2013


It's strange no one really knows what's going on.
And what's the point in collecting IP's? Do they want to raid everyone that has clicked on a website that was hosted on "Freedom Hosting"? There must be something more behind this stuff.

I do not think so. First of all, as we keep on pointing out, those of us 'in the know' on security issues, an IP address /= to a specific person.

Now, supposedly this ALSO got MAC addresses but those can be faked in the real world as well, so they are of little to no usage as well.

From what I have been reading, this only targeted people who didn't properly keep their TBB up-to-date, which in the real world is something that any sane person would do.
You see an update on Tor Blog or TBB itself tells you that there is an update, you immediately go and damned well install that update! No if's, and's, or but's about it.

August 05, 2013


I tried TOR once or twice in my life but I never needed it so I use my normal browser without proxy's and so on. After all, I have nothing to hide so no need for tor.
I think it's cool from the FBI that they've hunted down a big child porn online. Even if it costs the credibility of TOR. TOR didn't blocked the content, well the FBI gets it.
So for all those coders out there. Block content that is related to child porn and everything illegal. Else next exploit will hit the network I think...

You, sir, are one of the government's brainwashed blindly obedient subjects, and you have never been more wrong in your life.
And they also took down legitimate sites, including TorMail, which I was unfortunate enough to check. Luckily, I believe I was using 2.3.25-10, which has the fixed version of Firefox. The attack was discovered a few weeks before it was used against the very concept of privacy itself.
And what's next? Trying to report the next leak of government insanity? They might hack those in the greatest need of privacy.

I am the same replier as just above.
If there was a way to remotely shutdown or block sites, then the government could just hack the central registry and then block or identify ANY hidden servcvice they wanted. That would be bad news for whistleblowers.
And what if they threatened to arrest the Tor people unless they included a backdoor?
The mere existence of a kill-switch is a open backdoor in Tor's security, privacy, and long-term usability.

August 05, 2013


Same questions over and over and over and over and over and over AGAIN. READ THE FUCKING THREAD. It is exactly people like you who where affected because you cannot read not even the documentation about TOR on https://torproject.org

August 05, 2013


Are iframes automatically forbidden if you have forbidden scripts globally in noscript, or do you have to disable them separately to be safe from this exploit?

August 05, 2013


Ok, there seems to be some questions many people keep asking. Hopefully we can answer some of them? I'm seeking the guidance of someone who knows better.

-I had JavaScript enabled in my browser settings with the bundle - but noscript was ENABLED. <~ some smarty pants seem to think this means the FH JS exploit still got through? Please elaborate, because I highly doubt it!

-By default scripts are allowed globally(dangerous), <~ it even says this on the option, if your browser was set up like this you may be compromised.. Correct?

-With Noscript enabled JavaScript is disabled by default <~ is this true? Java is disabled on noscript by default, how about everything else script-wise?

FH is gone, all his millions on his offshore accounts - I wonder more about this, I bet they can't seize all of it!

Don't assume anything thus far. Not one thing. For all we know, they just got a 'face front' for Freedom Hosting and Freedom Hosting will be back.

I do not and did not look at child pornography, but I did use TORMail for some things online (have some opinions on some subjects that would be dangerous to me if regular people knew about them) and I am a little angry that Freedom Hosting went down.

I'm honestly hoping that the Irishman they supposedly got had no connection to Freedom Hosting and they are just spouting out of a certain part of their body.

Some of these things are so obvious that I don't believe you aren't assuming one thing. I'll take your word for it and pretend, because you MIGHT be the only sane person around. But I doubt it :)

I tested NoScript in normal web-activity: yes, it disables Javascript if you just disable all "scripts". Apparently it's even the same (?). Anyway, it should work.

Here's how it is:
Tor Browser Bundle comes with JS enabled in the browser prefs - this is irrelevant as NoScript handles any javascript. What is relevant, and unfathomably stupid, is that NoScript is BY DEFAULT SET TO ALLOW SCRIPS GLOBALLY IN TBB!!!
This is an issue which has been pointed out many times, to no avail. The reasoning behind this insane decision by Torproject is apparently to make non-techs "feel at home" with TBB, i.e. everything works just like using a normal browser including malicious scripts! Which makes the whole concept of a secure, "ready tweaked" browser bundle for non-techs useless!
A simple text instruction during (or prior to/after) installation regarding how Javascript is handled and the safety aspect of having it enabled is really not a tall order guys!

"everything works just like using a normal browser including malicious scripts! "

Malicious script?
What about malicious images?

You are not making sense.

I guess I'll be the first to say it, and to the anon a few posts back who said that "these ??'s have been asked/answered over and over ... ..." Thank you and can't believe it took so long for someone to say it. Kudos

I am not here to bad mouth the torproject or anything else but try to learn a bit but I have to say, all the stuff this poster mentioned is true and while I do understand not making things too technical, I struggle with a lot of it but thats just part of it, not to mention rewarding when it all clicks. I believe that this "ease of use, and JS issue is due to most(not all) Windows users just not wanting to learn or make any sacrafices in the name of security/privacy/anonymity. I've seen it over and over, in all sorts of settings. While not perfect either, why anyone would chose TBB over Tails is beyond me. I see this as more of a "dumb it down for M$ users" than an overall usability issue. I have almost no issues with heavy use of NoScript and never have JS enabled and other than "Captcha's" and a few other confirmation stuff I almost never have issues. I let the shit I want in, I decide how functional a site is with my configs and if the trade-off is needed or worth it when I make an exception. I have no problems and if you think that Tor is slow, you are just spoiled, young, or both. Small price to pay. All that being said, I don't think this can't happen to Tails and Linux users and more tech savy users of any OS, only that much of the dumbing down is for people who claim to care about censorship, surveilance, and privacy rights and here they are using a lowsy proprietary OS that I treat as malware. Go FOSS and don't believe that linux is hard, it's not. Dumbing down is never the answer. Thank you to the Tor Dev's and all the helpful people who are less known than the big public names.

August 05, 2013


17.05 are vulnerable, 17.07 (24-28 june) invulnerable, I tested the exploit right now, for 17.07. does not work (Win7 64)

How can we be sure that the code did not execute on a linux machine? Do you think I need to format if i used TBB on a linux machine and then tried to access TorMail using Chrome and a free offered web2tor site such as onionsite.onion.to (.to) being the link to the darknet to clearnet site.
I do not do anything illegal thus do not care if my IP address was given, but I do care if the exploite is going to cause problems to my machine such as downloading stuff i do not want. I am using Ubuntu Linux.

August 05, 2013


morbid curiosity which mac address gets sent over? presuming the computer network adapter address or would it be the router? or another?

August 05, 2013


ehhh i think on the one hand taking down paedofile sites is good but what about all the innocent users who might get caught up in this?

August 05, 2013


If LE actually did have this in place on Freedom Hosting, WHY would they advertise the fact by arresting the Sysop? Wouldn't it be logical for them to quietly gather information for as long as they could?

Maybe they couldn't get access to the servers until after arresting him. Maybe his cooperation in giving up passwords/location of servers was part of a plea bargain?

If this is true, then Tor itself is unlikely to be compromised.

He's been arrested in Ireland to pssibly be extradited to the us. Is anyone in a position to do anything like that? He isn't in a position to notice what's happening to the servers logs etc if he is connected to fh

August 05, 2013


does the cookie sent to the washington server shows only the IP of the person or does it indicate too precisely the site on FH that was visited?

It sends an ID along with your IP and your MAC address. I think they are able to correlate that ID to a given onion domain, so yes the probably know exactly on which site you were.

August 05, 2013


I still don't understand it all - sorry in advance :)

Does the script just tell the server the site you got it from (e.g. Tormail) or does it track all the browsing of the current session?

August 05, 2013


"At first they came for the paedophiles and I did not speak up, for I was not a paedophile". Get a grip.

If you have used Tor to access illegal material then you deserve to be raided and caught. Simple. It doesn't matter if you were only curious or viewed it once and it was a first time. It still provides the audience which creates the demand for these images to be created.

If you use Tor for legitimate reasons, it begs the question...why? Because you don't like the idea of NSA seeing your facebook photos of you and your friends with your shoes in a circle or finding out what branch of Nando's that last instagram photo of chicken wings was taken? They have more important things to worry about.

If you've not broken the law by viewing illegal material then don't worry. No one is going to get arrested for never accessing it. If you have accessed it, then sort your affairs out or better still just throw yourself off the highest bridge you can find. What will your parents say when they find out?

Also, please learn the difference between the following: they're, there, their, your and you're.

Simplistic, moralistic hyperbole is not a constructive submission, I believe. By your "logic" no one should be permitted to drive cars because many people are killed each year by drunk drivers. Tor is a tool, a superb tool, that can be used or (in your micro-cognitive estimation) misused, but the fact is, there is a hierarchy of importance here, and it's infinitely more important that people can have the freedom and security of anonymity, than for a few people who like things that you don't like to be prosecuted.

I'm afraid the logic behind your car analogy is flawed. There is a distinct purpose for everyone to have a car... to travel. The only true purpose of Tor is to remain anonymous while browsing the internet. We have many browsers that allow you to browse the internet without anonymity, however this doesn't seem to be good enough.

You state that it is "infinitely" more important that people can browse the internet without anyone knowing what they are looking at than children being protected - which is the aim of knowing who has viewed this material.

The last sentence you wrote actually sent a chill up my spine... "it's infinitely more important that people can have the freedom and security of anonymity, than for a few people who like things that you don't like to be prosecuted." This is you stating that viewing images of child rape is just a preference and that those who do it should not be prosecuted (held accountable by law, unless you meant 'persecuted', in which case I am right in thinking you're overcompensating with your over indulgent vocabulary that you can't pull off) if it means having IP numbers logged for other persons.

Again, those who view this material create the audience and therefore demand for it. They might as well be in the room committing the crime. Their prosecution serves as an example and deterrent for others. If it saves one child's innocence then it is worth it.

There are a few reasons why you might be in the camp you're in:

1) you have an ego/fantastist problem and think that your browsing history and online activity is of such great interest to governments and law enforcement that anonymity is the only way to go without waking up in some hellish Enemy of the State scenario. Possibly a side effect of smoking way too much weed.

2) your web history actually IS of great interest to governments and law enforcement, in which case...good luck. Judging by your comment which prioritises online anonymity over the arrest of child rapists, this could be a possibility.

The problem nowadays is the romanticism associated with anonymity. You're all too happy to stand in a crowd wearing Guy Fawkes masks and protest a cause, but all too hesitant to stand alone with the whole world knowing who you are and declaring what you believe in. The driving force behind this is fear. Go to your employers, neighbours and family and tell them you think the arrest of paedophiles is not as important as your little toy. I double dare you.

Without privacy you can't have freedom of speech, and without freedom of speech you can't have democracy.

And besides, if you're interested in arresting child rapists, why are you promoting making finding evidence of their crimes more difficult?

Your argument, then, is against the very concept of internet anonymity. It's the old "if you aren't doing anything wrong, you have nothing to fear" line. This, however, presupposes that we should all trust the government to always do what's best for us. Anyone who believes that is either hopelessly stupid or an LEA member (like yourself).

Now, as for your point that "the audience creates the demand," that may be true only in the sense of the demand for POSTING the material, not for producing it in the first place (and CERTAINLY not for performing the acts depicted in it). The way CP really works is that the pedo has sex with a child for their private reasons (i.e. sexual gratification), takes pictures/videos for their own later use and finally decides to share them online for both "altruistic" and bragging purposes. Only this final step is actually encouraged by their being an audience out there.

So, now that we have established that having an audience for CP does not encourage adult-on-child sex, what argument do you have left against it being available for public consumption? Or should we just assume it is an automatic evil because YOU said so? The use of pornography in general is known to REDUCE real-world sexual behavior. This must be especially true for pedophiles, who are under enormous external pressure NOT to act out.

And finally, what childhood "innocence" are you talking about? I started to explore sexuality at the ripe young age of 4, without intervention from any adult. By age 10, I had learned about orgasm and have never looked back, and pretty much all of my friends were doing the same.

So, what freakin' Victorian universe are you living in? EVERYBODY knows that children are interested in sex and will readily engage in it, either alone or with their little friends, whenever an opportunity arises. This is such a fact of life that worried parents routinely take precautions to try to deny them such opportunities. And then, in the very next breath, they'll crow about their baby's "innocence..." What a hypocritical and absurdly prudish society we have here!

All this said, I don't relish the idea of a grown man or woman trying to ingratiate themselves into a family under false pretense and fucking with everybody's minds -- all of this just to get their rocks off -- and unfortunately, this is what many pedophiles actually end up doing. The way things are in society right now, both pedos and children are much better off if the former just stay at home fapping to their CP. Which brings us back to why CP is NOT evil, but rather a pretty useful social escape valve that prevents real-world problems.

Catch you later, officer... The donut break is over, time to get back to work. :)

"The way CP really works is that the pedo has sex with a child for their private reasons (i.e. sexual gratification), takes pictures/videos for their own later use and finally decides to share them online for both "altruistic" and bragging purposes."

That sounds about correct in at least many cases. Perhaps even most.

But there absolutely does exist a great deal of CP that clearly was produced for commercial purposes. (At least of the vintage variety. How many commercial CP operations still exist, I don't know but elementary economics dictates that as long as there are people willing to pay for such material, there will be people producing it for the purpose of selling it to them.)

Nonetheless, even if originally produced for commercial purposes, in how much of the distribution of CP that occurs today, particularly over Tor, is financial gain even a factor?

"The use of pornography in general is known to REDUCE real-world sexual behavior."

That is an incredibly bold, sweeping assertion. Do you have even any evidence --much less proof-- to back-up it up?

It may be true for some people but for others, just the opposite is true: By inciting and fueling lust and desire, porn increases "real-world sexual behavior".

(Do you really believe, for example, that the increased incidence of such acts as fellatio and even anal penetration[1] among youth of increasingly young ages is not directly related to the explosion in availability of porn that the Internet has brought to the same demographic?)

I hope to post again to respond to somewhat further to other parts of your post.

[1] Acts, it must be noted, that are repugnant, revolting and even traumatic to most females. When such acts occur between heterosexual couples, it is always always at the urging of the male partner. And, regarding homosexual males, it must be noted that more than a few are less-than comfortable with anal penetration, at least, as well yet face much the same type of pressure to engage in the act that females do. See man2manalliance.org and funfrotfacts.blogspot.com , expressly pro-homoerotic sites that present a dissident, rarely-heard view of anal penetration and its centrality in contemporary "gay culture".

August 05, 2013


I only allow certain sites to use javascript, and am using the latest Torbrowser on a Linux VM, and I don't recall visiting any torsites in the past several days, and use a new identity several times a day, BUT I woke up to a message that my browser had crashed after I left it on overnight.

This never happens.

Same here! Use Tails LiveCD which has IceWeasel which I think is based on FireFox. I tried to access TorMail and cldn't. Left browser on overnight and in the morning the browser had closed. No warning messages. Has never happened before. Not once

August 05, 2013


There is so much noise in these threads. The real question here is - How was Eric Eoin Marques identified?

The javascript nonsense is meaningless, JS on or off there are plenty of other ways to attack software on the client machine. What I am most curious about, is that the admin of freedom hosting was supposedly technically savvy. I would have to assume that the server was run in an isolated environment where it had no connectivity outside of Tor. Basically two machines, one running the Tor proxy, and the other running the web server. I would thing anyone with a strong desire to stay anonymous would set up their Tor connectivity like this - so that even if the machine is fully compromised, it cannot contact clearnet and cannot reveal the owners identity. The machine running Tor would have no services available outside the local machine, and administered via console - basically invulnerable. It was the first thing I thought of when using Tor years ago, and is made easy now by packages like Whonix.

So, how was Eric Eoin Marques identified? It seems he either made a huge mistake, or was identified through some other attack on hidden services.

To say it again, even breaking into root access on freedom hostings server should not have identified the owner.

Discussion about that would be much more interesting than bickering over whether javascript should be enabled or not.

He is allegedly the Admin of Freedom Hosting, no one can really confirm that yet. Some of the points in the original article do not fit and FH was never mentioned.

"The javascript nonsense is meaningless, JS on or off there are plenty of other ways to attack software on the client machine."

How is it meaningless if that's apparently exactly what has been affected, as opposed to other purely hypothetical discussion? Sure, that would all have to be analysed, but JS is exactly to the point.

The point is that on a proper Tor setup, the machine can be completely compromised by any means (javascript this time) and still not be able to reveal the identity of the owner.

Ture, that leads me to the question if it is a good idea to deploy a TBB for the non tech "mainstream". There are just too many pitfalls and there is always some awareness about current attacks required to operate TOR in a relatively save way. The fact that people are surprised that it's a bad idea to enable JS speaks volumes to me and so do some of the questions asked here. When it comes to OS and security i would say that Windows is one of the worst choices you can make even without the X number of closed source applications and services which one would usually find RUNNING on a windows system. It might be better to advertise complete solutions like Tails, Liberté Linux, or isolating transparent tor proxies.

Then you do not understand how this hack works. Once the JS, cookie and malware payload were injected they would get yr local IP, MAC Address and Windows host name and send them outside of TOR to a server owned/used by SAIC who work for the NSA but also for FBI and others

Everyone has their own ideas about what is supposedly a significant point to discuss, as opposed to addressing each in a reasonable manner... But self-righteousness after all is an important part of any hidden or fringe parts of the web.

FreedomHosting admin starts accepting BitCoins a few months ago. The FBI traces his BitCoin transactions to withdrawals into a real-world bank account via currency exchange services, thus revealing the identity of the FH admin, and an arrest is made on July 29th, 2013 in Ireland. The servers were then shut down. On August 3rd, 2013 the sites came back online with the exploit code installed.

Onion Bank, the Bitcoin service that FH operated, had its own coin tumbler. The admin was very much aware of the need to use mixing to hide transactions.

August 05, 2013


I still don't understand it all - sorry in advance :)

I've read several different things about the exploit, one mentioned a tracking cookie that could not only reveal your IP but also every other site visited while the cookie is active.

So for my question:
Does the script just tell the server the site you got it from (e.g. Tormail) and your real IP or does it track all the browsing of the current session?

August 05, 2013


Got a technical question. You say that JavaScript is enabled for the TOR browser so that TOR users can't be distinguished from normal users on the Internet. But users browsing .onion sites are known to be TOR users just because they're seeing .onion sites. So is it possible to set up NoScript to block scripts on the .onion TLD? I know NoScript can be set up to block scripts on a domain, but I'm not sure if it can be set to block a TLD. Perhaps this is a question that should be put to the NoScript author?

August 05, 2013


I'm sorry I'm not understanding but in the TBB I hit the big blue button next to the onion and turn off scripts does that mean if I visited a FH website I'm safe?

August 05, 2013


I would rather pedos could look at pictures on the net than create their own fantasies. Drive people further underground and it only gets darker.

Create a boogie man for society and it only gets worse. Remember, the same thing that is being done to pedos today was done to homosexuals, heterosexuals outside of marriage, and interracials at one time.

It was also done to people who liked to look at nude over 18 women and men at one point as well.

It's time to stop turning sexualities into scapegoats, most pedos are not child forcible rapists. Yes, some of them have had sex with children but in almost all of those situations, if you would look at them in a neutral light and compare them to sexual relationships between two adults or two children? They look EXACTLY THE SAME.

Both of these comments show a huge misunderstanding of the psychology behind what drives these people to do what they do.

To the first poster... access to these photos will not suppress the desire to make fantasies or act them out in real life, rather they will encourage it. Also remember that these photos had to be made. For every photo made, a child has effectively had their life destroyed.

To the second... I call bullshit. The difference between this and all the groups you listed is that the groups you listed consist of CONSENTING ADULTS. You might as well say that because photographs of people having sex with animals is illegal that in future years, a more enlightened race of humans will embrace the love between a woman and her english sheepdog.

  • 'Both of these comments show a huge misunderstanding of the psychology behind what drives these people to do what they do.'
  • Quite the opposite actually, they seem to understand the situation far better than you do. Lets take the next bit.

  • 'access to these photos will not suppress the desire to make fantasies or act them out in real life, rather they will encourage it.'
  • Incorrect. There are a number of peer reviewed research papers that demonstrate the opposite of this (see Milton Diamond), there is also no causation or correlation between viewing and doing. I think you should start looking at real research, instead of self congratulatory bunk created by childrens charities and dedicated task forces who live off the money generated by mis information.

  • 'For every photo made, a child has effectively had their life destroyed.'
  • Totally incorrect. The VAST majority of pictures are neither porn, nor abusive. The TINY minority of pictures that would actually class as 'life destroying', are neither welcomed widely by viewers, nor requested outside of very small groups. I don't blame you for not knowing that, the information that provides the proof has been completely censored from view, using the laws you support, with ACTUAL life destroying consequences for those that see it and are subsequently prosecuted. If you want to really know whats going on, i suggest you find the document released on wikileaks by Mr X, that gives a far more accurate view of the so called 'CP Industry'. What you're doing here, is spreading emotive propaganda. The same stuff that the people who use CP as an excuse to censor the internet spread, because it's very hard to argue against the protection of children, of which prosecution of possession does nothing for. Which is why anyone with censorship as a goal uses it.

  • 'The difference between this and all the groups you listed is that the groups you listed consist of CONSENTING ADULTS.'
  • Maybe they are seen as that now, but in the period he was referencing, they are a perfect analogy. At the time same sex relationships were as illegal as underage relationships are now, and just as viciously persecuted. They may have been adults, but they couldn't consent to sex for that purpose (at the time both morally and legally). Just because it's legal now, and we all have a new 'enlightened' view on it, does not change the past. If the age of consent was lowered to 10 tommorrow, it would no longer be illegal, simple as that (it's been that low before, it may be that again one day, who knows). But hey, your views are in the majority, and the majority has never been wrong about sexuality before, or gender, or race...

    [disclaimer] I don't believe in the legalisation of production, but based on the misinformation thats continually spread, and used as an excuse to shut down avenues of free speech, it should NEVER be illegal to possess information. As this posted has demonstrated, misinformation is easy to maintain, when the evidence is concealed. It also helps to protect the producers far more when possession is criminalised, which in turn helps harm those children who have actually been abused to make the images, far more.

    Without a large group of obese balding men in their late 40's to 50's, there would be no market for CP. Since there is however, and these men desire such images, it creates a demand which some fathers, uncles, etc. are all too eager to provide. No child wants to grow up and look back thinking, "thanks daddy for putting images of me out there sucking on your wang when I was 4 years old". The argument it doesn't harm children is laughable.

    Simplistic stereotyping, and appeals to emotion don't alter the fact that by making it illegal to posess images, you cover up the evidence, ironically making it safer for those 'uncles' to publish. You also make it far easier for goverments to make blocklists that censor other speech that you don't disagree with, using CP as the excuse.

    By going after the thousands and thousands of viewers, rather than concentrating resources on producers, you inadvertently cause more harm than you prevent. Essentially by supporting the criminalisation of possession, you support the actual physical abuse of someone.

    The argument that its better to arrest someone looking at pictures, rather than those making them, is the real joke. One that the hardcore producers no doubt rely on to continue producing, whilst the jails are filled with low hanging fruit and people that are far less dangerous.

    Your arguments have been around for many years, and over those years we have seen lots of peoples lives destroyed so that people like you can be smug about the 'balding 40-50yr obese men"(false stereotype) that have been put away. Way to miss the point. The demand for images will always be there, people will always make them. You wont even make a dent on those numbers, especially trying to take out all the viewers. The most you can say for those tactics, are that it really fills the jobs out for the cops that do it, gives the charities and politicians some nice prole feed to get away with their money grabbing. There is a multi billion dollar child porn industry out there, trouble is, it's being run by the 'good guys', and they use the ignorance of people like you to fund their comfortable lives.

    If you're a member of that industry, then ignore what I just said, you're a lost cause anyway and don't give two shits about actual children. Just the money they generate with the current witch hunts. If however you really do give a shit, and your livelyhood doesn't rely on destroying 'pedos' lives for extra funding and covering up evidence from public view, i suggest you read these articles.



    They may not change your mind at all, you may be fully convinced that a zero tolerance approach is working and that when all child porn is gone (not going to ever happen) and all abuse has been stopped, the world will suddenly be 100% safe, because there are no abusers left in the world, all thanks to the child porn witch hunt. I wonder what they'll move onto next, perhaps they'll go after gays again.

    "Essentially by supporting the criminalisation of possession, you support the actual physical abuse of someone." - Sounds like you're taking too many hits of the bong buddy.

    August 05, 2013


    Perhaps someone with more technical skills than myself could construct an onion page that would allow Tor users to see if their particular setup was vulnerable to the exploit.

    August 05, 2013


    I'm sorry if I sound stupid but if I clicked the big blue S next to the onion at the top mean if I visited a FH website I will be safe

    August 05, 2013


    So is it true that NoScript DOES NOT block JavaScipt source code inside iFrames, even when activated plus JavaScript deactivated in browser settings?

    August 05, 2013


    Seems that this attack won't effect most users. You must be on windows, have slightly out-of-date TBB, and disable browsing through tor after visiting an effected site. I'm not convinced that it will fail to phone-home after the cookie expires, but it doesn't matter much since not many people would use their Tor Browser for anything other than browsing through Tor.

    Kinda stupid that they didn't spread a piece of malware through the exploit. It was completely capable of it and would have been a much more effective assuming they took the time to avoid being identified by all those useless AV programs.

    No you don't have to deactivate browsing through TOR to be affected. It is a JavaScript SECURITY EXPLOIT BYPASSING TOR, which phones home with YOUR REAL IP ADDRESS. No malware needed. Just a slightly old version of the Tor Browser Bundle.
    It fired your ip address right at them and they got you. Why would they need malware for this?

    You don't need to "disable browsing through tor after visiting an effected site" for the exploit to work. If you visit an infected site with javascript enabled in a vulnerable browser on windows, then your IP and MAC address are logged on a government server more or less immediately.

    Still, there are far fewer affected than previously assumed.

    August 05, 2013


    I actually remember "NoScript" notifications in hindsight, not quite mentally registering what they were. Since the PC was slow anyway at the time (which is sometimes the case recently), I thought it was some standard notification about a crashed plugin. Now I only hope it didn't really crash at the time, because that might mean something got through afterwards. Or would NoScript not be able to crash in that way?

    August 05, 2013


    Should I just call them and ask if they're on to me? Do they have something like the Amazon Support Chat?

    Perhaps if you go to jail, others will realise this crusade has nothing to do with pedos, and everything to do with shutting down one of the last places they can't fully control information wise. When you get there, you can tell the other residents you're not a pedo, don't worry they'll believe you.

    Collateral damage in a war without end.

    It's not about controlling information, it's about purging images of children being sexually abused. Most people would give up a slice of control and an ounce of privacy for the sake of removing sexual abuse images. The whining of pedos is so annoying.

    August 05, 2013


    The first thing that people need to do in response to this incident is to CALM DOWN. Be vigilant, think things through, but don't go overboard.

    As an IT professional, I can tell you that there's no such thing as "foolproof defenses" Given enough time and money, anything can be overcome. In 332 BC Alexander the Great demanded the surrender of the city of Tyre. Since the walled city was a small island off the coast of Phoenicia, they refused. Over the next six months, Alexander's army (and a large group of involuntary laboreres) built a causeway to the island wide and strong enough to support siege towers that battered the walls down.

    There are three basic concepts to information security (INFOSEC): vulnerability, threat, and control. These three concepts can be used to describe any situation.

    -Vulnerability is like an unlocked door-- a weakness that can be exploited.

    -Threat is the potential to do harm. In most cases, this is from people. Threats can be internal or external to the TOR network.

    -Control is the action (or technology) that prevents a threat from exploiting a vulnerability.

    For example, imagine a room full of valuables. The *threat* is that someone outside of the room with enter and steal something from it. The *control* is the locked door. The threat (a thief) cannot get past the door and is stopped. However, if the room has a window(s), a *vulnerability* that bypasses the strong door, then the threat may gain entry through that other path.

    In short, threats are blocked by control of the vulnerabilities. Whenever examining a security issue, begin by identifying the vulnerability, the threat (who might attack this way), and the control (how the attack will be thwarted).

    "Distrust and caution are the parents of security" ~~Benjamin Franklin

    August 05, 2013


    The first thing that people need to do in response to this incident is to CALM DOWN. Be vigilant, think things through, but don't go overboard.

    As an IT professional, I can tell you that there's no such thing as "foolproof defenses" Given enough time and money, anything can be overcome. In 332 BC Alexander the Great demanded the surrender of the city of Tyre. Since the walled city was a small island off the coast of Phoenicia, they refused. Over the next six months, Alexander's army (and a large group of involuntary laborers) built a causeway to the island wide and strong enough to support siege towers that battered the walls down.

    There are three basic concepts to information security (INFOSEC): vulnerability, threat, and control. These three concepts can be used to describe any situation.

    -Vulnerability is like an unlocked door-- a weakness that can be exploited.

    -Threat is the potential to do harm. In most cases, this is from people. Threats can be internal or external to the TOR network.

    -Control is the action (or technology) that prevents a threat from exploiting a vulnerability.

    For example, imagine a room full of valuables. The *threat* is that someone outside of the room will enter and steal something from it. The *control* is the locked door. The threat (a thief) cannot get past the door and is stopped. However, if the room has a window(s...lol), a *vulnerability* that bypasses the strong door, then the threat may gain entry through that other path.

    In short, threats are blocked by control of the vulnerabilities. Whenever examining a security issue, begin by identifying the vulnerability, the threat (who might attack this way), and the control (how the attack will be thwarted).

    "Distrust and caution are the parents of security" ~~Benjamin Franklin

    August 05, 2013


    The just needed a reason to gain access to tor to mess the tranquility up. They couldn't care less about porr little children. They wan to tregulate bitcoin and drugs. It's time to fortify Tor and have mirrors.

    August 05, 2013


    There are 4 Information Security goals (INFOSEC) - [being shared for the benefit of the community, mainly directed towards directors/owners of hidden services on deepweb. Most of this should be common sense to sysadmins and operators]:

    1. Confidentiality---The protected item must be accessible only by authorized people or applications. Clearly define the people and technologies that have authorized access.

    a. Examples of confidentiality:
    -Protection of information in the system from unauthorized disclosure.
    -In some cases is may be advisable to protect even the existence of a data file.
    -Systems should be accessible only by authorized parties.
    -Prevent downloading of confidential data. If download is necessary, ensure only properly authorized users can do so.

    b. Confidentiality controls
    -Limit the users who can read from files and access programs that can read files. This can be done with operating system security, internal database security, etc.
    -Ensure all data backups and reports are properly safeguarded and shredded when no longer needed.

    2. Integrity---Protect from accidental or intentional unauthorized changes. An accidental change that erases critical data is just as damaging as an intentional act.

    a. Examples of integrity:
    -Protection of systems from intentional or accidental unauthorized changes.
    -Assets that can be modified only by authorized parties (as more systems move into the cloud, this is an even greater concern)
    b. Establishing integrity control:
    -Encrypt communications through virtual private networks.
    -Store regular data backups securely offsite.
    -Separate duties between developers and system implementers.
    -Rotate duties.

    3. Availability---Assets are accessible to authorized users when needed.

    a. Examples of problems with availability:
    -Denial of service
    -Loss of data processing capabilities as a result of natural or man-made disasters.
    -Fires, floods, storms, earthquakes and law enforcement make facilities unavailable.
    b. Establishing availability control
    -Create an alternate data center in a separate location (set up automatic conditional failover [you can script it] in the event that the primary is compromised).
    -Maintain mirrored databases.
    -Segment network into virtual networks.

    4. Authenticity---assurance that user is who they say they are.

    a. Example of authenticity assurance:
    -User ID/password.
    b. Establishing authenticity control:
    -Require strong passwords, change frequently.
    -Biometric identification.
    -Authentication tokens (incl. OTP generators)

    Remember, it is not possible to protect everything forever and there is no such thing as a 100 percent foolproof defense. A determined opponent with unlimited time and resources can crack whatever defenses have been built. The trick is to outlast the attacker until they give up and go after a weaker target (hint: setup dummy systems)

    August 05, 2013


    What process does it use to send the data ? I have a firewall app that blocks all unknown processes requests.

    August 05, 2013


    What process does it use to send the IP ? My software firewall blocks all unknown apps from accessing the internet.

    August 05, 2013


    Should we expect a raid if we are not in the USA ? I doubt a single click on the link could provoke this.

    If this is a part of global operation definitely - yes but later. If this is USA operation, then raids will come up within days, to keep digital evidence and avoid suspect to wipe hard drives and flash sticks. Of course it depens of court and state jurisdiction. So as mentioned before, better wipe your drives and just be ready to contact your lawyer.

    August 05, 2013


    Glad I don't use any of the FH based sites, haven't been on Tormail any time lately and use NoScript religiously. But does anyone have any suggestions for communicating or leaving contact details on SR since presumably everyone will be avoiding Tormail?

    WTF?! IMO they should go after the trolls and haters instead.

    P.S. Wow, procrastinating over checking Email turns out to be A Good Thing!

    August 05, 2013


    so i'm a bit confused, i've used for the past maybe 2 weeks or a month the 2.3.25-10 release of the tbb

    Presumed javascript was turned off for some reason but it appears not however fingers crossed i've nae visited any affected sites

    But reports are that it affects ff17? so even if javascript was turned on if you're using the above version would it still work? or is that exploit only for folk using older versions of the tbb/ff?

    it's times like this i don't think i'm bright enough to be digging around in the onionworld lol

    August 05, 2013


    I am new to TBB. I visited a freedom hosting site two days ago and it showed me a " down for maintenance " message. My TBB firefox version is 10.0.05 ESR and I had javascript DISABLED. Is it probable that my identity has been compromised? I use windows NT.

    It's a shame that my TBB is not the latest because everytime I clicked the check for updates button, it showed me that the browser was up to date. Didn't occur to me to manually check the TOR website.

    One more thing: is there anyway I can know I have been compromised?

    I had set my home page to something else. And no, I am not shown all those signs of an outdated TBB.
    But I had JS disabled. So am I safe?

    August 06, 2013


    i was last time on tormail back in march... i didnt use any fh stuff since then... so everything should be fine ?

    August 06, 2013


    I have a software firewall that blocks unknown executables by default. Could it have blocked the malware ?

    The payload which calls some network related WindowsAPI has not been executed by an "unknown executable". The payload was injected directly into the process space of FF, so nope nothing should have been blocked by an application level firewall which allows FF to access the net.

    August 06, 2013


    Since the government isn't above hacking peoples systems, it seems like they would not be above planting evidence while they are at it. The exploit loads dynamic code so they could use it to download and save illegal images to random locations around the users hard drive without the victim's knowledge. Only people with IP addresses on their hitlist would receive their "special" payload and that way the security researchers might not stumble on it. That would let them get rid of troublesome dissidents.

    August 06, 2013


    You should propose two versions of the TBB, one for those who need strict and real protection, and another one for the morons who need to watch cats on Youtube.

    August 06, 2013


    So having JS disabled would have stopped the exploit. Would torbutton have done the same on older FF/Vidalia bundles?

    August 06, 2013


    ok guys, straight up: Am I safe if I had Javascript disabled while browsing on TOR regardless of my TBB version? I guess many users have the same question.

    August 06, 2013


    Here's what I think happened (correct me if I am wrong - after all I am a noob) :

    The malicious code was triggered on outdated versions of TBB which had JS enabled when the user visited an FH Site. This code then opened up firefox and phoned back home.

    Am I right? or did the code manage all this through TBB without opening up firefox externally?

    August 06, 2013


    Given the funding sources of TOR Project which include the likes of
    U.S. government (60%) and Google, I'm not sure why anyone in their right mind would even support let alone put their trust in TOR by using TBB? The fact that it is open source makes no difference as not only will there always be non-tech people using it, but it sets the stage for breeches from many different directions as we've seen here. Please go ahead and correct my thinking. These guys seem really dedicated in providing tools for us to "Protect [our] privacy. Defend [ourselves] against network surveillance and traffic analysis" and I should be greatful for their efforts. But how easy was it for this little slip to occur albeit from the part of the user? How perfect would this be from the perspective of an Orwellian state seeking entity? It seems trust is being broken down on every level these days, deliberately or not. There's a big pot of unrest brewing in the world.

    August 06, 2013


    OK, now I am a real noob. And I only have a single question:

    If JavaScript was globally disabled in my browser and NoScript was activated - does that mean that the JavaScript-exploit could not even begin to do the job it was supposed to?

    Thank you.

    A lot of unknowns at this time, but it appears you neede to have three things for the exploit to compromise you:

    1 Windows
    2. Vulnerable browser (v 17-17.07 etc). Looks like they might have targeted browsers below 17, but no has the shellcode for content_1, so maybe it wasn't implemented. Hidden wiki person thinks it is only v17 that is targeted.
    3. JS enabled. This is the killer. They could perhaps just see who has this enabled, that that is that. Is this the first version that had JS enabled by default? If so, it makes sense that they would specifically target this version, more so than earlier version that theoretically had it the other way around.

    It would seem that if JS was disabled when you went to "infected" sites, you "should" be OK. I really don't know.

    Surfing Safe always involved no JS and no cookies. Guess that got forgotten along the way.

    August 06, 2013


    ok since i can not find anyother interactive forum on the topic right now i'll ask here, for 2 days now the only .onion link i can get to work is the one to tor homepage at the begining of this thread, anybody know whats going on, or where else i might look for info about this? i will check back in a little while

    August 06, 2013


    Come on, if it only had as target window$' users, so this so "called" attack targeted noobs. It was more a homework done by the "FBI hackers" than a serious real life job.

    August 06, 2013


    Well, tor hidden services(most of em) are officially compromised, so no one should use them. Any of those websites could have been hacked and maybe sending you more exploits. You guys couldn't even identify that there was an exploit until those sites went down. And the fact that tor exit nodes are blocked by most websites makes tor utterly useless for the common folk. The worse of it is the fact that tormail went down. If their data centers are in US or EU jurisdiction, they and all their users are pretty much f**ked. Adios to tor, it creates more problems than it solves. *deletes tbb*

    August 06, 2013


    This is long overdue and welcomed news. As much as people play the privacy card, the truth is most of these hidden services are for illegal purposes. Freedom Hosting was basically a pedophile site in disguise with TOR being the enabler. Good riddance to the site and I could care less if TOR suffers bad publicity.

    People who value safety over freedom, deserve neither. Usually they don't get them either. Better hope you don't find yourself in the situation where something you were born as is as heavily persecuted, or you may well be grateful for a few shadows to hide in.

    Credit the NSA?

    Why not credit Hitler, Stalin, Mao, and Pol Pot, while you are at it?

    What NSA is helping to prepare for America, and the world, will be many times worse than all of them combined.

    Total Information Awareness is total power, which is total control, which is total tyranny. No good can, or will come of it, but untold misery and death will.

    No government, human being, or group of human beings deserves that kind of power, and history shows it WILL be abused, to the greatest extent possible, if allowed to.

    The right to privacy does not exist to protect the guilty, but to protect the innocent, and to limit the power of government and other criminal operations.

    You may have nothing to hide, but everyone has something to protect, and the right to privacy is required to do so.

    August 07, 2013


    Does this affect only Windows computers? OR should Ubuntu Linux users format their computers?

    August 07, 2013


    Please help.
    If someone had not updated TOR since May (can be difficult in some countries/situations).
    That someone had incriminating evidence on there tormail, evil government (I mean truly evil). Would you suggest something please.
    Example that it is known that USA send info to there "friends" regardless if they are fair or not.
    Someone please say if my mail is likely taken please.

    Yes CATS team owned TorMail. What you should do:
    1) Stay calm, drink some tee or beer, sit and try to remember if you somehow revealed YOUR real identity while using TM? This is very important!

    a) SO if YES, then it is bad, and you should prepare resonable answers+contact people who is competent in your local law.
    b) If NO, you should take serious position, NEVER,NEVER even under pressure NEVER confirm your connection with that TM account. Even if they show you your hunted IP/HOSTNAME/MAC data.

    3) Wipe your computer, better buy a NEW one, if your network hardware is PCI/USB based, destroy it.

    P.s You can enforce point b) by default, but I assume this wont help you, as evindence may be too reliable like if they put you on record (traffic,phone,even real life), if you are from NATO country, be sure they will.

    Under the circumstances it would be stupid and naive to think your TorMail contents are safe in any way. It's impossible to say who exactly has control of them, but those people are not likely to be your friends.

    August 07, 2013


    I just want to know how the hell supposedly "hidden" tor onion servers could be specifically targeted and infected. Perhaps they aren't really "hidden" at all.

    Why does no one seem to care about that issue, and its ramifications?

    After all, if the servers had not been planted with the bug, then we wouldn't even be here having this conversation.

    Who will want to use Tor "hidden" services when it looks like they might not be so "hidden" after all?

    Yea. This is an excellent question.

    Apparently Anonymous (the group) was able to hack that particular server a couple of years ago and remove cp content. The admin put it back and updated the site's security. So this is not the first time that that particular server has been compromised.

    Since Freedom Hosting was indeed a hosting service, any users could upload content to the server. I guess that - the ability to place potentially malicious content on a server - is a natural weakness but I've read nothing to say that was done.

    If Tor Project would run the Mail service the Tor Project could be forced to censor the service or it may be unlawful at all in their countries, as FH seems to be in prison for very much the same service.
    If Tor Project would otherwise hide the location, company is already under the enormous personal pressure even if in their country such uncensored service could be lawful (which I think is not) and such service could harm the Tor software projects development even more.

    Better look for the company from the country where they could at least have a time to warn publicity and decide to purge the data if they would be confronted and tried to be forced by surveillance, which I think could be forbidden in USA and EU now at all. Better to find a country where the company would not face prison so the cooperation would not be considered.
    Maybe a trusted company in some country without the extradition conventions or with less is less dangerous for all than anonymous hoster
    that is going to face more prison years than??? and distributed the exploit to all these people which are awaiting the same because he was running anonymous uncensored hosting in the country where it seems to be illegal

    oh shit, these people might even do legally in their country and couldn't even know that the FH servers were used or be illegal elsewhere but they would be inspected etc. and then they could face the foreign laws for what they have done according to the database, maybe during tourism, maybe captured at home, what kind of stinky USSR 2.0 it turned to be

    Anybody has the list of FH sites so they could be avoided if they suddenly became awake again?

    The FH admin was behind Onion Bank. He could also have been behind Tor Mail. Notice the similarity in name structure? "Tor Mail"? "Onion Bank"? If Tor Mail reappears there is no way you could know if it was run by LEA. If they restore with your account intact you will know for sure they are NSA/LEA honeypot.

    August 08, 2013


    It will be interesting to see how this plays out in US Courts considering the Communications Decency Act says FH's admin would not be responsible. You and I both know that FH admin knew about the content and condoned it, and I'd like to see him do 30 years in jail... but the feds will have to go up against their own law to gain a conviction.

    30 years in jail for pictures he didn't even produce nor upload anywhere? You americans are really phobic about sex at almost a laughable level, especially considering that "the children" are your last thought when it comes to shoot, torture (both psychologically and physically) or trial them like adults.

    August 08, 2013


    ALERT!: independent email provider forced to shutdown before betraying user's Constitutional rights:
    August 8, 2013
    My Fellow Users,

    I have been forced to make a difficult decision: to become complicit in crimes against the American people or walk away from nearly ten years of hard work by shutting down Lavabit. After significant soul searching, I have decided to suspend operations. I wish that I could legally share with you the events that led to my decision. I cannot. I feel you deserve to know what’s going on--the first amendment is supposed to guarantee me the freedom to speak out in situations like this. Unfortunately, Congress has passed laws that say otherwise. As things currently stand, I cannot share my experiences over the last six weeks, even though I have twice made the appropriate requests.
    What’s going to happen now? We’ve already started preparing the paperwork needed to continue to fight for the Constitution in the Fourth Circuit Court of Appeals. A favorable decision would allow me resurrect Lavabit as an American company.
    This experience has taught me one very important lesson: without congressional action or a strong judicial precedent, I would _strongly_ recommend against anyone trusting their private data to a company with physical ties to the United States.

    Ladar Levison
    Owner and Operator, Lavabit LLC

    August 08, 2013


    wate so these websites will never be online again? & also what about our things we were signed up to toe cops gunna see every thing :( FUCK!

    August 08, 2013


    If I had Js disable from the browser TBB old version but not disable in Noscript am I vulnerable?

    August 08, 2013


    I was on a board on FH , with this script they can know only I was at that board or even which post I have sent? Please clarify me this.

    August 09, 2013


    I’ve been watching this discussion closely over the past few weeks and I am confused as to the nature of the Freedom Host servers being Identified (Traced to physical address). I know everyone has been talking about child Porn sites and the JavaScript exploit but has anyone considered how these servers were traced. I know that the Guy was accepting Bitcoins donations and may have been involved with the Onion Bank but could it really be that simple? Could Bitcoins be traced to a real World Bank account and therefore a real person? I noticed that more and more sites, legal and otherwise are accepting Bitcoins lately and I can’t help but think that this could be a major risk factor to the Anonymity of this community. And now this morning I see that LavaBit has pulled down the shutters rather than allow US Government access to its systems (http://www.theguardian.com/technology/2013/aug/08/lavabit-email-shut-do…). It’s hard not to think that this is all a concerted effort by NSA / Government attempts to attack and shut down the entire Anonymity Community and the services that it offers to the world.

    More questions than Answers.

    Undoubtedly the powers that be "followed the money". In one article they note how this guy transferred large sums of money to Romania.

    Somewhere along the line, the guy had to take possession of his illgotten gains - and they were watching. After that - they nail him, he spills the beans and gives out passwords to the servers, they insert the exploit, and that's that.

    Nobody has content_1.html? Wonder if that was a dead end, and versions under v17, and especially stand alone versions, got away? How would we know?

    I read one place that all attempts to retrieve content_1.html failed. From some other things I read the code was quite obfuscated and small changes (fake earlier version perhaps) would make it fail completely. However you would think someone could just capture the entire conversion with a stock older browser.

    August 10, 2013


    This is not about Child Porn, don't be silly, sadly, US doesn't give a f*ck about Child porn, they wanted Tormail, first Lavabit, now tormail, they are just, wow, mad. Incredible.

    August 12, 2013


    With regard to hidden services, what about all that "we are prepared to replace any server taken offline..." mumbo jumbo? Was TOR just bluffing and the FBI called it? Where is the new hidden service to replace the one taken offline?

    What the heck are you talking about?

    Tor didn't run the hidden services, and didn't make any claims like you describe.

    Citation please?

    Then maybe Google, Yahoo, GoDaddy should read the minds of their millions of users who daily use their products for neafarious purposes. It's like saying the "Internet" should be cleaned up - keep dreaming.

    August 12, 2013


    The bugs are in the hardware now, there is no privacy. Never was. Since day one, this whole last decade was about implementing monitors. The questions is wither or not your on the list of Freethinkers, Militants, or Domestic Terrorists. Long before Marshall Law or a War, all the "listed" people will be removed from the equation.

    "Long before Marshall Law or a War, all the "listed" people will be removed from the equation."

    Looks like you meant MARTIAL law.

    (The Marshall PLAN, was the program of rebuilding Europe after WWII, named after U.S. Sec. of State George C. Marshall)

    August 16, 2013


    Leaving Tor bundle 'wide open' when you install it was a gift to the Nazi Spy Agency.

    An anonymity software that betrays its users identity because it comes out of the box with javascript switched on is asking to be compromised.

    Obviously or deliberately stupid.

    Is it "user friendly" for anonimty software to NOT be anonymous ?

    Moving to another system http://code.google.com/p/phantom/

    August 17, 2013


    Somebody needs to get word to Mr. Marques attorney: The FBI/USDOJ has lied to the Irish Courts. They've been after TorMail since Wikileaks started, and they accelerated their efforts after Edward Snowden popped up. TorMail is also hosted by Freedom Hosting. They've been networking with the usual anonymous vigilante cowards for years/months to upload the illegal material to the servers so it looks good on paper and they could file false charges for extradition. Mr. Marques had little if any control over the material uploaded to the servers - that's how most Hosting systems work.

    August 23, 2013


    Anyone know why the hiddenwiki and other tor sites are offlune. Im getting the following error:

    500 Internal Privoxy Error

    Privoxy encountered an error while processing your request:

    Could not load template file forwarding-failed or one of its included components.

    Please contact your proxy administrator.

    If you are the proxy administrator, please put the required file(s)in the (confdir)/templates directory. The location of the (confdir) directory is specified in the main Privoxy config file. (It's typically the Privoxy install directory, or /etc/privoxy/).

    August 29, 2013


    GMAIL is now the biggest email provider scammers use to troll and scam Craigslist. Of every legitimate ad we post - 100's a months, each gets about 5-10 scammers wanting to buy what we sell. Serious buyers call us because it's a local offer, scammers email. We've contacted Google and most of the email addresses we have reported are still working, even after 1 year. I can only imagine how many millions of dollars have been stolen via Google's GMAIL service?

    September 09, 2013


    But if it's a "javascript exploit", it's not really dangerous for users because Noscript is installed and activated in the firefox version of TBB. Logicaly any javascript code, exploit or not, is not active for TBB users.

    September 10, 2013

    In reply to arma


    Ok i understand. But if Noscript not allow javascript globaly. This exploit not work, it cannot bypass noscript, i'm right ?

    ps : english is not my native langage, please apologize

    September 12, 2013


    Is the attack still vulnerable even if the sites wouldnt load? I havent been on tor in a while and was wondering why the sites weren't loading. I was using a windows. Last time I updated tor was around june 26-August 1st .. pretty sure I had javascript disabled, but I checked and it wasnt.. not surr why it was enabled. I always had it disabled.

    September 14, 2013


    What a bunch of baloney.
    Tor provided thousands of individuals the ability to communicate without the fear of tyranny and oppression.
    Here is what Tor is right off of their website;
    Many individuals know about the new "Pirate Browser" which is really just tor with a cute pirate shell on top.
    What is Tor?
    Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis

    Accordingly this story is another example of how completely gun hoe and out of place the American government really is.
    To put this into perspective, this man Eric, pretty much created a "go-daddy" of the "deep-web", aka, tor. He sold his hosting services to any who would buy it, just like go-daddy, or any other hosting provider.

    What the customers or individuals do with their privately own server space is their own business.
    Furthermore any kind of blame that would be attributed to this Eric person would be like one individual buying hosting from go-daddy, putting child pornography on it, and instead of arresting the individual who actually is guilty of a crime they go after go-daddy cause they're frustrated that the criminals of today's are evolving faster than they can keep up with.

    This is a sick story of the American Government trying to make an example out of an innocent man just to instill fear in the hearts of millions around.

    If you or anyone else you know are in trouble because of the U.S. Government is exaggerating, fabricating, or otherwise corrupting law and due process please contact me immediately.

    September 23, 2013


    I have seen on exactly 2 web pages people say that it gets the host names of all local machines. Every other place says only the host name of the machine where the attack ran. I have seen only 1 annotation of the code. Can anyone point to an annotation of the code which explains how it gets all local host names ?

    Any evidence it got the mac address of local machines (other than where the explot ran) as well ? In spite of what some people have said there are windows programs which can get the other wireless client mac addresses in some cases

    I realize some have said that the code was not constant over time (at least the ip addresses it was sent to changed). Any links to two significantly different exploit code ?

    September 27, 2013


    this global terrorism fuck fbi fuckkkkkk

    any date to back freedom hosting ?? tormail etc..


    October 15, 2013


    I'm part of us govt. relying on TOR in my foreign post. My up was recently compromised. Dead. I fear I am next, with no secure or trustable commo link, pretty scary. burning everything and going native. maybe you can read my book if i ever make it back :) Love you V!