Hidden Services, Current Events, and Freedom Hosting

Around midnight on August 4th we were notified by a few people that a large number of hidden service addresses had disappeared from the Tor network. There are a variety of rumors about a hosting company for hidden services: that it is suddenly offline, has been breached, or that attackers have placed a JavaScript exploit on its web site.
A hidden service is a server – often delivering web pages – that is reachable only through the Tor network. While most people know that the Tor network, with its thousands of volunteer-run nodes, provides anonymity for users who don't want to be tracked and identified on the internet, the lesser-known hidden service feature of Tor also provides anonymity for the server operator.
Anyone can run hidden services, and many do. We use them internally at The Tor Project to offer our developers anonymous access to services such as SSH, IRC, HTTP, and our bug tracker. Other organizations run hidden services to protect dissidents and activists, and to protect the anonymity of users trying to find help for suicide prevention, domestic violence, and abuse recovery. Whistleblowers and journalists use hidden services to exchange information in a secure and anonymous way and to publish critical information in a way that is not easily traced back to them. The New Yorker's Strongbox is one public example.
Hidden service addresses, aka the dot onion domain, are cryptographically and automatically generated by the Tor software. They look like this: http://idnxcnkne4qt76tg.onion/, which is our torproject.org website as a hidden service.
There is no central repository nor registry of addresses. The dot onion address is both the name and routing address for the services hosted at the dot onion. The Tor network uses the .onion address to direct requests to the hidden server and route back the data from the hidden server to the anonymous user. The design of the Tor network ensures that the user cannot know where the server is located and the server cannot find out the IP address of the user, except by intentional malicious means like hidden tracking code embedded in the web pages delivered by the server. Additionally, the design of the Tor network, which is run by thousands of volunteers, ensures that it is impossible to censor or block certain .onion addresses.
The person, or persons, who run Freedom Hosting are in no way affiliated or connected to The Tor Project, Inc., the organization coordinating the development of the Tor software and research. In the past, adversarial organizations have skipped trying to break Tor hidden services and instead attacked the software running at the server behind the dot onion address. Exploits for PHP, Apache, MySQL, and other software are far more common than exploits for Tor. The current news indicates that someone has exploited the software behind Freedom Hosting. From what is known so far, the breach was used to configure the server in a way that it injects some sort of JavaScript exploit in the web pages delivered to users. This exploit is used to load a malware payload to infect users' computers. The malware payload could be trying to exploit potential bugs in Firefox 17 ESR, on which our Tor Browser is based. We're investigating these bugs and will fix
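The address scheme described above, as an added example that is not part of the original post or of the Tor source code: for the 16-character addresses in use when this post was written, the label is the base32 encoding of the first 80 bits of the SHA-1 digest of the service's DER-encoded RSA public key, which is why a client can check a presented key against the name without any registry. The key bytes below are a constructed stand-in rather than a real key, and the function names are illustrative.

```python
import base64
import hashlib
import re

# Shape of a 16-character (version 2) onion label: 16 base32 chars = 80 bits.
V2_LABEL = re.compile(r"^[a-z2-7]{16}$")

# Constructed stand-in for a DER-encoded RSA public key (not a real key).
SAMPLE_KEY = b"constructed stand-in for DER RSAPublicKey bytes"


def onion_v2_from_pubkey(der_pubkey: bytes) -> str:
    """Derive the 16-character .onion hostname from the service's public key."""
    digest = hashlib.sha1(der_pubkey).digest()
    # Only the first 10 bytes (80 bits) of the digest go into the name.
    label = base64.b32encode(digest[:10]).decode("ascii").lower()
    return label + ".onion"


def parse_onion_label(url_or_host: str) -> str:
    """Extract and validate the 16-character label from a URL or hostname."""
    host = url_or_host.strip().lower()
    host = re.sub(r"^[a-z][a-z0-9+.-]*://", "", host)   # drop the scheme
    host = host.split("/", 1)[0].split(":", 1)[0]        # drop path and port
    if not host.endswith(".onion"):
        raise ValueError("not a .onion name")
    label = host[: -len(".onion")].rsplit(".", 1)[-1]    # ignore subdomains
    if not V2_LABEL.match(label):
        raise ValueError("not a well-formed 16-character onion label")
    return label


def key_matches_address(der_pubkey: bytes, url_or_host: str) -> bool:
    """True if the presented key hashes to the address the client asked for.

    The name commits to the key, so a server that cannot present the
    matching key cannot answer for that address.
    """
    expected = parse_onion_label(url_or_host) + ".onion"
    return onion_v2_from_pubkey(der_pubkey) == expected


if __name__ == "__main__":
    # The address quoted in the post is well formed.
    print(parse_onion_label("http://idnxcnkne4qt76tg.onion/"))

    address = onion_v2_from_pubkey(SAMPLE_KEY)
    print(address, key_matches_address(SAMPLE_KEY, address))

    # A different key (here: one byte appended) does not match the name.
    print(key_matches_address(SAMPLE_KEY + b"\x00", address))
```
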
them if we can.
As for now, one of multiple hidden service hosting companies appears to be down. There are lots of rumors and speculation as to what's happened. We're reading the same news and threads you are and don't have any insider information. We'll keep you updated as details become available.

EDIT: See our next blog post for more details about the attack.

Some of these things are so obvious that I don't believe you aren't assuming one thing. I'll take your word for it and pretend, because you MIGHT be the only sane person around. But I doubt it :)

I tested NoScript in normal web-activity: yes, it disables Javascript if you just disable all "scripts". Apparently it's even the same (?). Anyway, it should work.

Here's how it is:
Tor Browser Bundle comes with JS enabled in the browser prefs - this is irrelevant as NoScript handles any javascript. What is relevant, and unfathomably stupid, is that NoScript is BY DEFAULT SET TO ALLOW SCRIPTS GLOBALLY IN TBB!!!
This is an issue which has been pointed out many times, to no avail. The reasoning behind this insane decision by Torproject is apparently to make non-techs "feel at home" with TBB, i.e. everything works just like using a normal browser including malicious scripts! Which makes the whole concept of a secure, "ready tweaked" browser bundle for non-techs useless!
A simple text instruction during (or prior to/after) installation regarding how Javascript is handled and the safety aspect of having it enabled is really not a tall order guys!

"everything works just like using a normal browser including malicious scripts! "

Malicious script?
What about malicious images?

You are not making sense.

I guess I'll be the first to say it, and to the anon a few posts back who said that "these ??'s have been asked/answered over and over ... ..." Thank you and can't believe it took so long for someone to say it. Kudos

I am not here to bad mouth the torproject or anything else but try to learn a bit but I have to say, all the stuff this poster mentioned is true and while I do understand not making things too technical, I struggle with a lot of it but that's just part of it, not to mention rewarding when it all clicks. I believe that this "ease of use" and JS issue is due to most (not all) Windows users just not wanting to learn or make any sacrifices in the name of security/privacy/anonymity. I've seen it over and over, in all sorts of settings. While not perfect either, why anyone would choose TBB over Tails is beyond me. I see this as more of a "dumb it down for M$ users" than an overall usability issue. I have almost no issues with heavy use of NoScript and never have JS enabled and other than "Captcha's" and a few other confirmation stuff I almost never have issues. I let the shit I want in, I decide how functional a site is with my configs and if the trade-off is needed or worth it when I make an exception. I have no problems and if you think that Tor is slow, you are just spoiled, young, or both. Small price to pay. All that being said, I don't think this can't happen to Tails and Linux users and more tech-savvy users of any OS, only that much of the dumbing down is for people who claim to care about censorship, surveillance, and privacy rights and here they are using a lousy proprietary OS that I treat as malware. Go FOSS and don't believe that linux is hard, it's not. Dumbing down is never the answer. Thank you to the Tor Dev's and all the helpful people who are less known than the big public names.


August 05, 2013


17.05 are vulnerable, 17.07 (24-28 June) invulnerable. I tested the exploit right now; for 17.07 it does not work (Win7 64)

How can we be sure that the code did not execute on a linux machine? Do you think I need to format if I used TBB on a linux machine and then tried to access TorMail using Chrome and a free offered web2tor site such as onionsite.onion.to (.to) being the link to the darknet to clearnet site.
I do not do anything illegal thus do not care if my IP address was given, but I do care if the exploit is going to cause problems to my machine such as downloading stuff I do not want. I am using Ubuntu Linux.

Morbid curiosity: which MAC address gets sent over? Presuming the computer network adapter address, or would it be the router? Or another?

Ehhh, I think on the one hand taking down paedophile sites is good but what about all the innocent users who might get caught up in this?

If LE actually did have this in place on Freedom Hosting, WHY would they advertise the fact by arresting the Sysop? Wouldn't it be logical for them to quietly gather information for as long as they could?

Perhaps because they don't have physical control of the servers.

Maybe they couldn't get access to the servers until after arresting him. Maybe his cooperation in giving up passwords/location of servers was part of a plea bargain?

If this is true, then Tor itself is unlikely to be compromised.

He's been arrested in Ireland to possibly be extradited to the US. Is anyone in a position to do anything like that? He isn't in a position to notice what's happening to the servers' logs etc. if he is connected to FH

Does the cookie sent to the Washington server show only the IP of the person, or does it also indicate precisely the site on FH that was visited?

It sends an ID along with your IP and your MAC address. I think they are able to correlate that ID to a given onion domain, so yes they probably know exactly on which site you were.

I still don't understand it all - sorry in advance :)

Does the script just tell the server the site you got it from (e.g. Tormail) or does it track all the browsing of the current session?

The script executes malware code; it sends IPs, hostname, MAC and UUID (to identify on which site the malicious code was introduced) to an FBI server.

"At first they came for the paedophiles and I did not speak up, for I was not a paedophile". Get a grip.

If you have used Tor to access illegal material then you deserve to be raided and caught. Simple. It doesn't matter if you were only curious or viewed it once and it was a first time. It still provides the audience which creates the demand for these images to be created.

If you use Tor for legitimate reasons, it begs the question...why? Because you don't like the idea of NSA seeing your facebook photos of you and your friends with your shoes in a circle or finding out what branch of Nando's that last instagram photo of chicken wings was taken? They have more important things to worry about.

If you've not broken the law by viewing illegal material then don't worry. No one is going to get arrested for never accessing it. If you have accessed it, then sort your affairs out or better still just throw yourself off the highest bridge you can find. What will your parents say when they find out?

Also, please learn the difference between the following: they're, there, their, your and you're.

What is this kind of meandering Nietzschean worldview?

Simplistic, moralistic hyperbole is not a constructive submission, I believe. By your "logic" no one should be permitted to drive cars because many people are killed each year by drunk drivers. Tor is a tool, a superb tool, that can be used or (in your micro-cognitive estimation) misused, but the fact is, there is a hierarchy of importance here, and it's infinitely more important that people can have the freedom and security of anonymity, than for a few people who like things that you don't like to be prosecuted.

I'm afraid the logic behind your car analogy is flawed. There is a distinct purpose for everyone to have a car... to travel. The only true purpose of Tor is to remain anonymous while browsing the internet. We have many browsers that allow you to browse the internet without anonymity, however this doesn't seem to be good enough.

You state that it is "infinitely" more important that people can browse the internet without anyone knowing what they are looking at than children being protected - which is the aim of knowing who has viewed this material.

The last sentence you wrote actually sent a chill up my spine... "it's infinitely more important that people can have the freedom and security of anonymity, than for a few people who like things that you don't like to be prosecuted." This is you stating that viewing images of child rape is just a preference and that those who do it should not be prosecuted (held accountable by law, unless you meant 'persecuted', in which case I am right in thinking you're overcompensating with your over indulgent vocabulary that you can't pull off) if it means having IP numbers logged for other persons.

Again, those who view this material create the audience and therefore demand for it. They might as well be in the room committing the crime. Their prosecution serves as an example and deterrent for others. If it saves one child's innocence then it is worth it.

There are a few reasons why you might be in the camp you're in:

1) you have an ego/fantasist problem and think that your browsing history and online activity is of such great interest to governments and law enforcement that anonymity is the only way to go without waking up in some hellish Enemy of the State scenario. Possibly a side effect of smoking way too much weed.

2) your web history actually IS of great interest to governments and law enforcement, in which case...good luck. Judging by your comment which prioritises online anonymity over the arrest of child rapists, this could be a possibility.

The problem nowadays is the romanticism associated with anonymity. You're all too happy to stand in a crowd wearing Guy Fawkes masks and protest a cause, but all too hesitant to stand alone with the whole world knowing who you are and declaring what you believe in. The driving force behind this is fear. Go to your employers, neighbours and family and tell them you think the arrest of paedophiles is not as important as your little toy. I double dare you.

Without privacy you can't have freedom of speech, and without freedom of speech you can't have democracy.

And besides, if you're interested in arresting child rapists, why are you promoting making finding evidence of their crimes more difficult?

Your argument, then, is against the very concept of internet anonymity. It's the old "if you aren't doing anything wrong, you have nothing to fear" line. This, however, presupposes that we should all trust the government to always do what's best for us. Anyone who believes that is either hopelessly stupid or an LEA member (like yourself).

Now, as for your point that "the audience creates the demand," that may be true only in the sense of the demand for POSTING the material, not for producing it in the first place (and CERTAINLY not for performing the acts depicted in it). The way CP really works is that the pedo has sex with a child for their private reasons (i.e. sexual gratification), takes pictures/videos for their own later use and finally decides to share them online for both "altruistic" and bragging purposes. Only this final step is actually encouraged by their being an audience out there.

So, now that we have established that having an audience for CP does not encourage adult-on-child sex, what argument do you have left against it being available for public consumption? Or should we just assume it is an automatic evil because YOU said so? The use of pornography in general is known to REDUCE real-world sexual behavior. This must be especially true for pedophiles, who are under enormous external pressure NOT to act out.

And finally, what childhood "innocence" are you talking about? I started to explore sexuality at the ripe young age of 4, without intervention from any adult. By age 10, I had learned about orgasm and have never looked back, and pretty much all of my friends were doing the same.

So, what freakin' Victorian universe are you living in? EVERYBODY knows that children are interested in sex and will readily engage in it, either alone or with their little friends, whenever an opportunity arises. This is such a fact of life that worried parents routinely take precautions to try to deny them such opportunities. And then, in the very next breath, they'll crow about their baby's "innocence..." What a hypocritical and absurdly prudish society we have here!

All this said, I don't relish the idea of a grown man or woman trying to ingratiate themselves into a family under false pretense and fucking with everybody's minds -- all of this just to get their rocks off -- and unfortunately, this is what many pedophiles actually end up doing. The way things are in society right now, both pedos and children are much better off if the former just stay at home fapping to their CP. Which brings us back to why CP is NOT evil, but rather a pretty useful social escape valve that prevents real-world problems.

Catch you later, officer... The donut break is over, time to get back to work. :)

"The way CP really works is that the pedo has sex with a child for their private reasons (i.e. sexual gratification), takes pictures/videos for their own later use and finally decides to share them online for both "altruistic" and bragging purposes."

That sounds about correct in at least many cases. Perhaps even most.

But there absolutely does exist a great deal of CP that clearly was produced for commercial purposes. (At least of the vintage variety. How many commercial CP operations still exist, I don't know but elementary economics dictates that as long as there are people willing to pay for such material, there will be people producing it for the purpose of selling it to them.)

Nonetheless, even if originally produced for commercial purposes, in how much of the distribution of CP that occurs today, particularly over Tor, is financial gain even a factor?

"The use of pornography in general is known to REDUCE real-world sexual behavior."

That is an incredibly bold, sweeping assertion. Do you have even any evidence --much less proof-- to back it up?

It may be true for some people but for others, just the opposite is true: By inciting and fueling lust and desire, porn increases "real-world sexual behavior".

(Do you really believe, for example, that the increased incidence of such acts as fellatio and even anal penetration[1] among youth of increasingly young ages is not directly related to the explosion in availability of porn that the Internet has brought to the same demographic?)

I hope to post again to respond somewhat further to other parts of your post.

[1] Acts, it must be noted, that are repugnant, revolting and even traumatic to most females. When such acts occur between heterosexual couples, it is always always at the urging of the male partner. And, regarding homosexual males, it must be noted that more than a few are less-than comfortable with anal penetration, at least, as well yet face much the same type of pressure to engage in the act that females do. See man2manalliance.org and funfrotfacts.blogspot.com , expressly pro-homoerotic sites that present a dissident, rarely-heard view of anal penetration and its centrality in contemporary "gay culture".

I only allow certain sites to use javascript, and am using the latest Torbrowser on a Linux VM, and I don't recall visiting any torsites in the past several days, and use a new identity several times a day, BUT I woke up to a message that my browser had crashed after I left it on overnight.

This never happens.

Same here! Use Tails LiveCD which has IceWeasel which I think is based on Firefox. I tried to access TorMail and couldn't. Left browser on overnight and in the morning the browser had closed. No warning messages. Has never happened before. Not once

There is so much noise in these threads. The real question here is - How was Eric Eoin Marques identified?

The javascript nonsense is meaningless, JS on or off there are plenty of other ways to attack software on the client machine. What I am most curious about, is that the admin of freedom hosting was supposedly technically savvy. I would have to assume that the server was run in an isolated environment where it had no connectivity outside of Tor. Basically two machines, one running the Tor proxy, and the other running the web server. I would think anyone with a strong desire to stay anonymous would set up their Tor connectivity like this - so that even if the machine is fully compromised, it cannot contact clearnet and cannot reveal the owner's identity. The machine running Tor would have no services available outside the local machine, and administered via console - basically invulnerable. It was the first thing I thought of when using Tor years ago, and is made easy now by packages like Whonix.

So, how was Eric Eoin Marques identified? It seems he either made a huge mistake, or was identified through some other attack on hidden services.

To say it again, even breaking into root access on Freedom Hosting's server should not have identified the owner.

Discussion about that would be much more interesting than bickering over whether javascript should be enabled or not.

What about being caught by suspicious money flow and bank accounts? Wasn't this in the news?

He is allegedly the Admin of Freedom Hosting, no one can really confirm that yet. Some of the points in the original article do not fit and FH was never mentioned.

"The javascript nonsense is meaningless, JS on or off there are plenty of other ways to attack software on the client machine."

How is it meaningless if that's apparently exactly what has been affected, as opposed to other purely hypothetical discussion? Sure, that would all have to be analysed, but JS is exactly to the point.

The point is that on a proper Tor setup, the machine can be completely compromised by any means (javascript this time) and still not be able to reveal the identity of the owner.

True, that leads me to the question if it is a good idea to deploy a TBB for the non tech "mainstream". There are just too many pitfalls and there is always some awareness about current attacks required to operate TOR in a relatively safe way. The fact that people are surprised that it's a bad idea to enable JS speaks volumes to me and so do some of the questions asked here. When it comes to OS and security I would say that Windows is one of the worst choices you can make even without the X number of closed source applications and services which one would usually find RUNNING on a Windows system. It might be better to advertise complete solutions like Tails, Liberté Linux, or isolating transparent tor proxies.

Then you do not understand how this hack works. Once the JS, cookie and malware payload were injected they would get your local IP, MAC Address and Windows host name and send them outside of TOR to a server owned/used by SAIC who work for the NSA but also for FBI and others

By local IP do you mean the machine's IP if it was behind a router such as 10.0.xx or 192.168.x.x that is seen by using ipconfig /all?

Everyone has their own ideas about what is supposedly a significant point to discuss, as opposed to addressing each in a reasonable manner... But self-righteousness after all is an important part of any hidden or fringe parts of the web.

FreedomHosting admin starts accepting BitCoins a few months ago. The FBI traces his BitCoin transactions to withdrawals into a real-world bank account via currency exchange services, thus revealing the identity of the FH admin, and an arrest is made on July 29th, 2013 in Ireland. The servers were then shut down. On August 3rd, 2013 the sites came back online with the exploit code installed.

Ah ok, that makes sense. I read quite a few articles and none of them mentioned tracing money at all. Thanks.

Onion Bank, the Bitcoin service that FH operated, had its own coin tumbler. The admin was very much aware of the need to use mixing to hide transactions.

The article says the FBI spent a year trying to locate him which suggests profiling rather than a simple software exploit.

I found this paper kind of interesting:
Trawling for Tor Hidden Services: Detection, Measurement, Deanonymization

I still don't understand it all - sorry in advance :)

I've read several different things about the exploit, one mentioned a tracking cookie that could not only reveal your IP but also every other site visited while the cookie is active.

So for my question:
Does the script just tell the server the site you got it from (e.g. Tormail) and your real IP or does it track all the browsing of the current session?

Got a technical question. You say that JavaScript is enabled for the TOR browser so that TOR users can't be distinguished from normal users on the Internet. But users browsing .onion sites are known to be TOR users just because they're seeing .onion sites. So is it possible to set up NoScript to block scripts on the .onion TLD? I know NoScript can be set up to block scripts on a domain, but I'm not sure if it can be set to block a TLD. Perhaps this is a question that should be put to the NoScript author?

I'm sorry I'm not understanding but in the TBB I hit the big blue button next to the onion and turn off scripts does that mean if I visited a FH website I'm safe?


I would rather pedos could look at pictures on the net than create their own fantasies. Drive people further underground and it only gets darker.

Create a boogie man for society and it only gets worse. Remember, the same thing that is being done to pedos today was done to homosexuals, heterosexuals outside of marriage, and interracials at one time.

It was also done to people who liked to look at nude over 18 women and men at one point as well.

It's time to stop turning sexualities into scapegoats, most pedos are not child forcible rapists. Yes, some of them have had sex with children but in almost all of those situations, if you would look at them in a neutral light and compare them to sexual relationships between two adults or two children? They look EXACTLY THE SAME.