Hidden Services, Current Events, and Freedom Hosting

Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses had disappeared from the Tor network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, that it has been breached, or that attackers have placed a JavaScript exploit on its web site.
A hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network, with its thousands of volunteer-run nodes, provides anonymity for users who don't want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor also provides anonymity for the server operator.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents and activists, and to protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Hidden service addresses, aka the dot onion domain, are cryptographically and automatically generated by the Tor software. They look like this: http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository or registry of addresses. The dot onion address is both the name and the routing address for the services hosted at the dot onion. The Tor network uses the .onion address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user. The design of the Tor network ensures that the user cannot know where the server is located and the server cannot find out the IP address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block certain .onion addresses.
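How such an address commits to the service's key, as an added example (not code from the Tor software or from this post): for the 16-character addresses in use at the time of this post, the label is the base32 encoding of the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key. The key bytes below are a constructed placeholder and the function names are illustrative.

```python
import base64
import hashlib
import re
from urllib.parse import urlsplit

# 16 characters from the base32 alphabet (a-z, 2-7) encode exactly 80 bits.
LABEL_RE = re.compile(r"[a-z2-7]{16}")


def onion_label(public_key_der: bytes) -> str:
    """Derive the 16-character label from a DER-encoded RSA public key."""
    digest = hashlib.sha1(public_key_der).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def label_from_url(url: str) -> str:
    """Extract and validate the label of a 16-character .onion URL."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    # The label that names the service is the one directly before ".onion".
    if len(labels) < 2 or labels[-1] != "onion":
        raise ValueError("not a .onion host: %r" % host)
    if not LABEL_RE.fullmatch(labels[-2]):
        raise ValueError("malformed .onion label: %r" % labels[-2])
    return labels[-2]


def key_matches_url(public_key_der: bytes, url: str) -> bool:
    """True if the presented key hashes to the address in the URL.

    This is why no registry is needed: the name itself commits to the key,
    so a client can check the binding without asking any third party.
    """
    return onion_label(public_key_der) == label_from_url(url)


# Constructed stand-in bytes, NOT a real DER-encoded key.
SAMPLE_KEY = b"constructed placeholder standing in for a DER-encoded RSA key"
SAMPLE_URL = "http://%s.onion/" % onion_label(SAMPLE_KEY)

if __name__ == "__main__":
    print(SAMPLE_URL)
    print(key_matches_url(SAMPLE_KEY, SAMPLE_URL))         # same key
    print(key_matches_url(SAMPLE_KEY + b"x", SAMPLE_URL))  # different key
    print(label_from_url("http://idnxcnkne4qt76tg.onion/"))
```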
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server so that it injects some sort of JavaScript exploit into the web pages delivered to users. This exploit is used to load a malware payload to infect users' computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix them if we can.
As for now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.

EDIT: See our next blog post for more details about the attack.

Anonymous

August 23, 2013

Anyone know why the hiddenwiki and other Tor sites are offline? I'm getting the following error:

500 Internal Privoxy Error

Privoxy encountered an error while processing your request:

Could not load template file forwarding-failed or one of its included components.

Please contact your proxy administrator.

If you are the proxy administrator, please put the required file(s)in the (confdir)/templates directory. The location of the (confdir) directory is specified in the main Privoxy config file. (It's typically the Privoxy install directory, or /etc/privoxy/).

Anonymous

August 29, 2013

GMAIL is now the biggest email provider scammers use to troll and scam Craigslist. Of every legitimate ad we post - 100s a month, each gets about 5-10 scammers wanting to buy what we sell. Serious buyers call us because it's a local offer, scammers email. We've contacted Google and most of the email addresses we have reported are still working, even after 1 year. I can only imagine how many millions of dollars have been stolen via Google's GMAIL service?

Anonymous

September 09, 2013

But if it's a "JavaScript exploit", it's not really dangerous for users because NoScript is installed and activated in the Firefox version of TBB. Logically any JavaScript code, exploit or not, is not active for TBB users.

OK, I understand. But if NoScript does not allow JavaScript globally, this exploit does not work; it cannot bypass NoScript, am I right?

PS: English is not my native language, I apologize.

Anonymous

September 12, 2013

Is the attack still vulnerable even if the sites wouldn't load? I haven't been on Tor in a while and was wondering why the sites weren't loading. I was using Windows. Last time I updated Tor was around June 26-August 1st... pretty sure I had JavaScript disabled, but I checked and it wasn't... not sure why it was enabled. I always had it disabled.

Anonymous

September 14, 2013

What a bunch of baloney.
Tor provided thousands of individuals the ability to communicate without the fear of tyranny and oppression.
Here is what Tor is, right off of their website:
https://www.torproject.org/
Many individuals know about the new "Pirate Browser", which is really just Tor with a cute pirate shell on top.
What is Tor?
Tor is free software and an open network that helps you defend against a form of network surveillance that threatens personal freedom and privacy, confidential business activities and relationships, and state security known as traffic analysis.

Accordingly this story is another example of how completely gung-ho and out of place the American government really is.
To put this into perspective, this man Eric, pretty much created a "go-daddy" of the "deep-web", aka, tor. He sold his hosting services to any who would buy it, just like go-daddy, or any other hosting provider.

What the customers or individuals do with their privately owned server space is their own business.
Furthermore any kind of blame that would be attributed to this Eric person would be like one individual buying hosting from go-daddy, putting child pornography on it, and instead of arresting the individual who actually is guilty of a crime they go after go-daddy 'cause they're frustrated that the criminals of today are evolving faster than they can keep up with.

This is a sick story of the American Government trying to make an example out of an innocent man just to instill fear in the hearts of millions around.

If you or anyone else you know are in trouble because the U.S. Government is exaggerating, fabricating, or otherwise corrupting law and due process please contact me immediately.

Anonymous

September 23, 2013

I have seen on exactly 2 web pages people say that it gets the host names of all local machines. Every other place says only the host name of the machine where the attack ran. I have seen only 1 annotation of the code. Can anyone point to an annotation of the code which explains how it gets all local host names?

Any evidence it got the MAC address of local machines (other than where the exploit ran) as well? In spite of what some people have said, there are Windows programs which can get the other wireless client MAC addresses in some cases.

I realize some have said that the code was not constant over time (at least the IP addresses it was sent to changed). Any links to two significantly different exploit code?

Anonymous

September 27, 2013

this global terrorism fuck fbi fuckkkkkk

any date to back freedom hosting ?? tormail etc..

thanks

Anonymous

October 15, 2013

I'm part of us govt. relying on TOR in my foreign post. My up was recently compromised. Dead. I fear I am next, with no secure or trustable commo link, pretty scary. burning everything and going native. maybe you can read my book if i ever make it back :) Love you V!