Thoughts and Concerns about Operation Onymous

What happened

Recently it was announced that a coalition of government agencies took control of many Tor hidden services. We were as surprised as most of you. Unfortunately, we have very little information about how this was accomplished, but we do have some thoughts which we want to share.

Over the last few days, we received and read reports saying that several Tor relays were seized by government officials. We do not know why the systems were seized, nor do we know anything about the methods of investigation which were used. Specifically, there are reports that three systems of Torservers.net disappeared and there is another report by an independent relay operator. If anyone has more details, please get in contact with us. If your relay was seized, please also tell us its identity so that we can request that the directory authorities reject it from the network.

But, more to the point, the recent publications call the targeted hidden services seizures "Operation Onymous" and they say it was coordinated by Europol and other government entities. Early reports say 17 people were arrested, and 400 hidden services were seized. Later reports have clarified that it was hundreds of URLs hosted on roughly 27 web sites offering hidden services. We have not been contacted directly or indirectly by Europol nor any other agency involved.

Tor is most interested in understanding how these services were located, and whether this indicates a security weakness in Tor hidden services that could be exploited by criminals or by secret police repressing dissidents. We are also interested in learning why the authorities seized Tor relays even though their operation was targeting hidden services. Were these two events related?

How did they locate the hidden services?

So we are left asking "How did they locate the hidden services?". We don't know. In liberal democracies, we should expect that when the time comes to prosecute some of the seventeen people who have been arrested, the police would have to explain to the judge how the suspects came to be suspects, and that as a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical internet-facing services. We know through recent leaks that the US DEA and others have constructed a system of organized and sanctioned perjury which they refer to as "parallel construction."

Unfortunately, the authorities did not specify how they managed to locate the hidden services. Here are some plausible scenarios:

Operational Security

The first and most obvious explanation is that the operators of these hidden services failed to use adequate operational security. For example, there are reports of one of the websites being infiltrated by undercover agents and the affidavit states various operational security errors.

SQL injections

Another explanation is exploitation of common web bugs like SQL injections or RFIs (remote file inclusions). Many of those websites were likely quickly-coded e-shops with a big attack surface. Exploitable bugs in web applications are a common problem.
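The kind of web-application bug the paragraph above has in mind, shown as an added example that is not part of the original post: a lookup that splices user input into the SQL string, beside the parameterized form that fixes it. The in-memory SQLite table and its rows are constructed for the demonstration; the point is that the same input is parsed as SQL by the first function and treated as plain data by the second.

```python
"""Added example (not from the Tor Project post): the classic SQL injection
bug beside its parameterized fix, run against an in-memory SQLite database."""
import sqlite3


def make_shop_db():
    """Constructed sample data standing in for a quickly-coded e-shop's users table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, is_admin INTEGER)"
    )
    conn.executemany(
        "INSERT INTO users (name, is_admin) VALUES (?, ?)",
        [("alice", 1), ("bob", 0), ("carol", 0)],
    )
    conn.commit()
    return conn


def find_user_vulnerable(conn, name):
    """Vulnerable: attacker-controlled text is spliced into the SQL string, so
    quotes, OR clauses and comment markers inside it become part of the query."""
    query = f"SELECT name FROM users WHERE name = '{name}' ORDER BY id"
    return [row[0] for row in conn.execute(query)]


def find_user_safe(conn, name):
    """Fixed: the same query with a bound parameter. The driver passes `name`
    as a value, never as SQL text, so nothing inside it can alter the query."""
    query = "SELECT name FROM users WHERE name = ? ORDER BY id"
    return [row[0] for row in conn.execute(query, (name,))]


if __name__ == "__main__":
    db = make_shop_db()
    for probe in ("alice", "' OR '1'='1", "bob' --"):
        print(repr(probe), "vulnerable:", find_user_vulnerable(db, probe),
              "safe:", find_user_safe(db, probe))
```

The parameterized version is the fix to apply everywhere user input reaches a query; for a hidden service the consequence of the vulnerable form is not just data disclosure but, as the post notes, a possible route to the server's location.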

Bitcoin deanonymization

Ivan Pustogarov et al. have recently been conducting interesting research on Bitcoin anonymity.

Apparently, there are ways to link transactions and deanonymize Bitcoin clients even if they use Tor. Maybe the seized hidden services were running Bitcoin clients themselves and were victims of similar attacks.

Attacks on the Tor network

The number of takedowns and the fact that Tor relays were seized could also mean that the Tor network was attacked to reveal the location of those hidden services. We received some interesting information from an operator of a now-seized hidden service which may indicate this, as well. Over the past few years, researchers have discovered various attacks on the Tor network. We've implemented some defenses against these attacks, but these defenses do not solve all known issues and there may even be attacks unknown to us.

For example, some months ago, someone was launching non-targeted deanonymization attacks on the live Tor network. People suspect that those attacks were carried out by CERT researchers. While the bug was fixed and the fix quickly deployed in the network, it's possible that as part of their attack, they managed to deanonymize some of those hidden services.

Another possible Tor attack vector could be the Guard Discovery attack. This attack doesn't reveal the identity of the hidden service, but allows an attacker to discover the guard node of a specific hidden service. The guard node is the only node in the whole network that knows the actual IP address of the hidden service. Hence, if the attacker then manages to compromise the guard node or somehow obtain access to it, she can launch a traffic confirmation attack to learn the identity of the hidden service. We've been discussing various solutions to the guard discovery attack for many months, but it's not an easy problem to fix properly. Help and feedback on the proposed designs are appreciated.

*Similarly, there is the attack in which the hidden service selects the attacker's relay as its guard node. This may happen by chance, or it can be forced: if the hidden service has selected some other relay as its guard and the attacker renders that relay unusable, by a denial of service attack or similar, the hidden service is forced to select a new guard. Eventually, the hidden service will select the attacker's relay.

Furthermore, denial of service attacks on relays or clients in the Tor network can often be leveraged into full de-anonymization attacks. These techniques go back many years, in research such as "From a Trickle to a Flood", "Denial of Service or Denial of Security?", "Why I'm not an Entropist", and even the more recent Bitcoin attacks above. In the Hidden Service protocol there are more vectors for DoS attacks, such as the set of HSDirs and the Introduction Points of a Hidden Service.

Finally, remote code execution exploits against Tor software are also always a possibility, but we have zero evidence that such exploits exist. Although the Tor source code gets continuously reviewed by our security-minded developers and community members, we would like more focused auditing by experienced bug hunters. Public-interest initiatives like Project Zero could help out a lot here. Funding to launch a bug bounty program of our own could also bring real benefit to our codebase. If you can help, please get in touch.

Advice to concerned hidden service operators

As you can see, we still don't know what happened, and it's hard to give concrete suggestions blindly.

If you are a concerned hidden service operator, we suggest you read the cited resources to get a better understanding of the security that hidden services can offer and of the limitations of the current system. When it comes to anonymity, it's clear that the tighter your threat model is, the more informed you need to be about the technologies you use.

If your hidden service lacks sufficient processor, memory, or network resources, the DoS-based de-anonymization attacks may be easy to leverage against your service. Be sure to review the Tor performance tuning guide to optimize your relay or client.

*Another suggestion we can offer is manually selecting the guard node of a hidden service. By configuring the EntryNodes option in Tor's configuration file (torrc), you can select a relay in the Tor network that you trust. Keep in mind, however, that a determined attacker will still be able to determine that this relay is your guard, and all other attacks still apply.
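A small model of the two points above (the forced guard rotation attack described earlier, and the EntryNodes advice), added here as an example; it is not Tor Project code. It treats each guard choice as a bandwidth-weighted draw over a constructed set of relays, which is a simplification of Tor's real guard selection (no flags, families or guard lifetimes), and it shows why every forced rotation is another chance for the adversary's relay to be picked, and why a pinned guard removes that chance at the cost of going offline whenever the pinned relay is unusable. All relay names and bandwidths are constructed.

```python
"""Added model, not Tor Project code: how forced guard rotation raises the
chance that a hidden service ends up with an adversary-run guard, and what
pinning one trusted guard via EntryNodes trades away. Relay names and
bandwidths are constructed; the weighting is a simplification of Tor's
bandwidth-weighted guard choice."""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Relay:
    fingerprint: str   # constructed label, not a real relay fingerprint
    bandwidth: int     # consensus weight used for selection
    adversary: bool = False


# Constructed network: 19 honest relays and one adversary relay of equal
# weight, so the adversary holds 5% of guard bandwidth.
SAMPLE_RELAYS = tuple(
    [Relay(f"honest-{i:02d}", 100) for i in range(19)]
    + [Relay("adversary-00", 100, adversary=True)]
)


def adversary_share(relays):
    """Fraction of total bandwidth held by adversary relays, i.e. the
    probability that a single weighted draw lands on the adversary."""
    total = sum(r.bandwidth for r in relays)
    return sum(r.bandwidth for r in relays if r.adversary) / total


def pick_guard(relays, rng, exclude=()):
    """One bandwidth-weighted draw among relays not in `exclude`."""
    candidates = [r for r in relays if r.fingerprint not in exclude]
    return rng.choices(candidates, weights=[r.bandwidth for r in candidates])[0]


def prob_adversary_guard_after(draws, relays):
    """Closed-form approximation: with independent draws of success
    probability p, the adversary is chosen at least once in `draws` draws
    with probability 1 - (1 - p)**draws. Each forced rotation is one more
    draw, which is why the figure climbs toward 1."""
    p = adversary_share(relays)
    return 1 - (1 - p) ** draws


def simulate_forced_rotation(relays, rotations, rng):
    """No pinned guard: the current guard becomes unusable `rotations` times
    in a row and Tor picks a fresh one each time, never re-picking the relay
    that just failed. Returns True if the adversary was ever chosen."""
    guard = pick_guard(relays, rng)
    if guard.adversary:
        return True
    for _ in range(rotations):
        guard = pick_guard(relays, rng, exclude={guard.fingerprint})
        if guard.adversary:
            return True
    return False


def estimate_by_simulation(relays, rotations, trials=20000, seed=7):
    """Monte Carlo estimate of the same quantity, for comparison with the
    closed form (they differ slightly because the failed guard is excluded)."""
    rng = random.Random(seed)
    hits = sum(simulate_forced_rotation(relays, rotations, rng) for _ in range(trials))
    return hits / trials


def pinned_guard_outcome(relays, pinned_fingerprint, unusable=()):
    """EntryNodes pinned to one trusted relay: Tor only ever uses that relay.
    Returns 'adversary' if the pinned relay is the attacker's, 'offline' if it
    is currently unusable (the service loses connectivity instead of rotating
    onto a random guard), otherwise 'ok'."""
    pinned = next(r for r in relays if r.fingerprint == pinned_fingerprint)
    if pinned.adversary:
        return "adversary"
    if pinned.fingerprint in unusable:
        return "offline"
    return "ok"


if __name__ == "__main__":
    for n in (0, 5, 10, 50):
        closed = prob_adversary_guard_after(n + 1, SAMPLE_RELAYS)
        sim = estimate_by_simulation(SAMPLE_RELAYS, n, trials=5000)
        print(f"{n:3d} forced rotations: closed form {closed:.3f}, simulated {sim:.3f}")
    print("pinned, guard up:  ", pinned_guard_outcome(SAMPLE_RELAYS, "honest-00"))
    print("pinned, guard down:", pinned_guard_outcome(SAMPLE_RELAYS, "honest-00", unusable={"honest-00"}))
```

The numbers make the post's trade-off concrete: at a 5% adversary share, ten forced rotations already put the adversary on the service's guard position more than 40% of the time, while a pinned guard never rotates onto it but leaves the service unreachable for as long as the pinned relay is down.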

Final words

The task of hiding the location of low-latency web services is a very hard problem and we still don't know how to do it correctly. It seems that there are various issues that none of the current anonymous publishing designs have really solved.

In a way, it's even surprising that hidden services have survived so far. The attention they have received is minimal compared to their social value and compared to the size and determination of their adversaries.

It would be great if there were more people reviewing our designs and code. For example, we would really appreciate feedback on the upcoming hidden service revamp or help with the research on guard discovery attacks (see links above).

Also, it's important to note that Tor currently doesn't have funding for improving the security of hidden services. If you are interested in funding hidden services research and development, please get in touch with us. We hope to find time to organize a crowdfunding campaign to acquire independent and focused hidden service funding.

Finally, if you are a relay operator and your server was recently compromised or you lost control of it, please let us know by sending an email to bad-relays@lists.torproject.org.

Thanks to Griffin, Matt, Adam, Roger, David, George, Karen, and Jake for contributions to this post.

Updates:
* Added information about guard node DoS and EntryNodes option - 2014/11/09 18:16 UTC

Considering using bridges, but I was thinking... Unless you have a riseup account (and most Tor users I know don't), aren't bridges received by gmail, yahoo also compromised? And from the "Just give me bridges!" it is easy enough to navigate and get bridge relays. So how can using bridges be safe?
Not trying to be critical, just curious.

keeramon

November 09, 2014


Someone talk to admins from Evo and Agora to find out what they did differently over the past few months. They should have some interesting insight.

My guess is that they are hosted in a country that would tell the FBI to fuck off (e.g. Russia or Malaysia). Either that or they are doing something smart from an infrastructure pov (e.g. rolling up new instances to rotate servers / ips).

All the busts seem to be in NSA friendly territories.

The Agora admins are smart enough to keep their mouths shut. They barely say anything to the users on their forums.

They're not going to help Tor if approached. Maybe they would help anonymously, but it will be them contacting Tor, not vice versa.

keeramon

November 09, 2014


Onymous was not the only big Tor-related operation recently. Last month "Operation Darknet" from Brazil's federal police resulted in 55 people arrested and another 100 arrest warnings issued in the country; suspects were also identified in other countries.

Not from what I heard about through the grapevine. In that case from Brazil the members of the site had to download an executable file (like password maker type of thing). And that's likely what got them, setup from the start. (And good riddance!)

keeramon

November 09, 2014


Many of the sites which have been inaccessible after Thursday were not marketplaces. Many were forums, some of which were unconnected to markets and were not directly involved in any other illegal activity. Because of this, there are suggestions that all these sites were hosted by the small number of companies which accept Bitcoin as payment, and that Operation Onymous merely seized the servers owned by these companies.

The press release of the Bulgarian State Security Agency explicitly said that there was a single Bulgarian communication company involved, although from the text it is not clear whether all the Bulgarian darknet sites that were taken down were hosted by a single company or whether the infrastructure of a single company was used to execute the takedown.

keeramon

November 09, 2014


Does this government stuff mean that regular tor users can be deanonymized?
Thanks a lot.

We don't know how they did this, so anything is possible. It is unlikely this news changes anything for regular users, but it's always good to be cautious and remember that remaining anonymous online is not easy so you should always be careful.

keeramon

November 09, 2014


Would reverse proxying / vpn the Hidden Services defend from this?

e.g. Client ---> Server A (Reverse Proxy / VPN) ----> Server B (Hidden Service)

If Fascists (/Feds) find your IP, they'll only seize the proxy / vpn (A). Presumably if this works you could also reverse proxy it a few times for extra protection.

Potentially it would, yes. But do you really want your anonymity to rest on some VPN service that claims it doesn't keep logs? Though I guess it's better than being bare-naked at the end of your Tor circuit.

That won't work. If the proxy/VPN gets seized, all they have to do is comb through the server's configuration files and figure out where the hidden server is.

Not if it's a double with a canary, VPN Rev Proxy + VPN server; in case the VPN connection fails the proxy will destroy its configuration. You could also do 3 VPN links.

Do you mean
Client ---> Server A (Reverse Proxy / VPN) ---> TOR ----> Server B (Hidden Service)

or do you mean

Client ---> TOR ----> Server A (Reverse Proxy / VPN) as a hidden service ---> Server B

or even a quasi/bastardized TOR-over-TOR-like

Client ---> TOR ----> Server A (Reverse Proxy / VPN) as a hidden service ---> second proxy/VPN -> TOR -> Server B (Hidden Service)

The idea of the last two is that "Server B" doesn't have to be in the same country as the hidden service and it doesn't necessarily depend on the hidden service staying up: If the hidden service is seized, a backup hidden service can be brought up as a near-drop-in-replacement.

Of course, both of these two options just trade one set of problems for another. Even as I write this, I can think of some attacks on these two methods that are harder to do with a plain-old client->TOR->Hidden Service model.

I guess

Client ~~> VPN ~~> Destination (~~> = tor circuit)

Would be as good as anything, assuming you paid for the VPN with clean bitcoins.

I mean if you're screwed with that then you will probably be screwed with anything more complicated.

keeramon

November 09, 2014


Sorry if it is too offtopic but please give it a read, it might give you some important ideas on a broader view concerning the possible future of the Tor project as well as some insight into general principles of life, the universe and everything. ;)

I think the Tor project has reached a critical point in its development over the last 1-2 years. I call it 'too big to work' in contrast to the 'too big to fail' theory in economics.

It roughly means that once a 'living' system reaches a certain size and impact on its environment, the attraction to potential enemies becomes so great that it eventually crashes. The costs of outrunning the growing number of enemies in an arms race simply get too big. This applies to many biological or social systems like populations, communities, and even civilizations.

Think of a uniform population of highly specialized social organisms which have a very good defense against predators, parasites or diseases.
As long as the population is very small and hiding in its niche, the costs for an adversary to overcome the organisms' defenses are in no relation to the potential success (as food source, host for parasites,...). However, as social organisms, they don't do very well in very low densities either.
These were the earliest days of the Tor project. Barely anyone knew about it or noticed it. Neither users nor adversaries.

As the population grows, the individuals can interact more efficiently, greatly increasing their success. First adversaries begin to adapt to their defenses but it takes time and most attempts end in failure. The trade-off between invested resources to break the defense and potential success still is very poor. Our organisms have a head start and flourish while enemies lag behind.
These were the 'golden days' of hidden services until about 2 years ago.

Finally, due to this success the population becomes very large; individuals are now not very rare but quite common in the ecosystem. As time progresses, more enemies have still managed to break through the increasingly improved defenses of our organisms. At first this seems meaningless, but these adversaries are now able to gain resources off our numerous organisms and multiply themselves, while over time more and more different enemies manage the same. Due to the sheer number of potential targets this now pays off greatly. As our population is uniform, once its defenses are overcome it has to slowly evolve better strategies while having to react to a steadily increasing number of threats, inevitably leading to population decline.
This may be the grim future.

How can the story end?
1) extinction - being completely wiped out
2) great decline, becoming unattractive to adversaries again
3) the only feasible solution I have found is the concept of resilience by redundancy through diversity.
Resilience can be defined as the ability of a system to cope with change without crashing.
Redundancy in this case means multiplication of critical functions of a system with the intention of increasing stability.

Remember, the problem of our population was its uniformity. Instead of becoming one large population it could have split into several mid-sized sub-populations with different traits, yet with the ability to interact (-breed). Some may even break off and become fully independent species.
This way even if a terrible predator or disease would wipe out an entire population, it is highly likely that other related populations with a slightly different defense approach would survive and recover within a reasonable time.
On a larger scale this is believed to be a major factor of ecosystem stability. The more different species you have playing certain key roles in ecosystems, the more resilient the system is to catastrophic change. Even if one species fails, there's another one to quickly take over with little impact on the overall system. A very simple system with few species may crash or at least suffer a severe setback in productivity for a long time until the lost species is replaced by migration or evolution.
I am sure you get the idea now. I know resilience is quite unpopular in our hyper-efficient world as it costs a tremendous amount of resources, but in the long term I believe it is worth it. Either evolve and diversify into a resilient system or it will crash and you will go extinct. In contrast to our fictional organisms, who can only change randomly and evolve through natural selection, you can guide the evolution process of the Tor project, ideally leading it away from extinction - if you play your cards right! Still, evolution is the best approach out there. Build many different versions and see which one survives in the wild.

TL;DR - Even though I am glad and thankful that the Tor project has matured into something big, fast and convenient, I believe it has reached its limits. We are no longer running ahead of our adversaries, we are trying to catch up with them. Too many people know and use Tor, and being popular attracts many enemies. There is no way we can win an arms race against government-funded adversaries in the long run and, even worse, there are few alternatives should Tor become fundamentally compromised. JonDo maybe, but apart from that? I2P and Freenet are not really suitable for most users.

So what I propose may seem radical, but I urge you to diversify this project instead of letting it grow even bigger. Tor is big and fast enough. Several smaller and distinctly different services would make the lives of our adversaries a lot harder and provide a safe haven in case one system gets compromised.
Remember - we can neither fight our adversaries nor outrun them in the long term. Constantly trying to resist attacks is not only a waste of resources but also nearly impossible to keep up. Instead we should spread our resources (within reason), hide, constantly change and multiply to build a resilient system that will remain functional even if some parts become compromised.

I know what I ask is incredibly hard but the sooner someone starts working on adding true redundancy to the existing Tor network the sooner it will be ready in case we need it. Unfortunately I can be of no help here apart from donating.
It seems great to have one powerful tool but to stake everything on one card will sooner or later go terribly wrong.

That's all, thank you and congrats if you managed to read through everything. :)

I did read everything. I think this is a robust and insightful analysis and one that I agree with. My one quibble is in regards to i2p, Freenet, and like programs.

One way to look at the problem is as one of content management. The main reason that i2p etc are not usable for most people is their lack of content. Tor solves the content problem by piggy-backing off the normal internet. However, it's useful to remember that the first video ever on Youtube was from a zoo--at one point in time Youtube didn't have any content either. So the reason that i2p etc isn't usable now is a content problem and one that is--in theory--solvable. The underlying problem with Tor is that while it solves the content problem by piggy backing off the regular internet it is an attempt to create lemonade from lemons--to build a secure system from a system that is inherently insecure.

Tl;dr. Tor is convenient but insecure. Dark nets are secure but inconvenient. But in the long run dark nets are the better solutions because the security is baked into the content. It's just going to take time--maybe lots of time and social turmoil--to get there.

Yeah. Except the hidden services are still a bit light on content themselves. Where are the TMZ's and the Martha Stewart sites? Why can't I buy a chair there? For pick up downtown with PGP & ID. Or flowers? Where are the churches? Where's Scientologymysterycode.onion? Where's Ourchurchofwe'resoextremelyoppressedwecanonlymeetonlinedotfreakin.onion? I actually expected to find that one.

Tor is now in a similar position to where the piratebay was a few years ago. That too became more and more popular, with articles appearing in the 'mainstream', and also attracted more and more powerful enemies. The piratebay was almost brought down, which was the fate of many torrent sites, but their solution was "resilience by redundancy through diversity". "The piratebay: the most-resilient torrent site in the universe." Maybe the Tor Project could learn from the experience of the piratebay. Maybe get a few of those guys on board once they have served their jail-time ;)

keeramon

November 09, 2014


How do these potential attack vectors affect running something like openbazaar? Would running an OB node in effect make you a mini-hidden service?

Yes, you have to run a hidden service at present. You could change the address every day if you wanted to; you don't need to keep the same one.

keeramon

November 09, 2014


I hope that you guys get funding for hidden service development. It shouldn't be too hard to get funding given that all serious news rooms are now using securedrop, which relies on tor hidden services. Maybe the better-funded news orgs could chip in.

keeramon

November 09, 2014


Could hidden services err on the side of caution and temporarily cease operating if a DOS is detected? I would rather less uptime than less anonymity.

If you set the EntryNodes torrc option, this will happen. Basically, if none of the relays you explicitly set are available, then Tor will fail to establish any connections (and won't accept any connections, as a result).

keeramon

November 09, 2014


What exactly does that mean: "We know through recent leaks that the US DEA and others have constructed a system of organized and sanctioned perjury which they refer to as "parallel construction."?

keeramon

November 09, 2014


Roger, I'm just putting this in this thread for no real reason... I was the guy who could only sometimes load Tor 4.0+ despite *not* having Trusteer Rapport.

I figured out the problem, which you might want to publicize.

The culprit: Ad Muncher, a program that's been downloaded by millions of people over the past decade. When Tor first opens a small window as it tries to find a relay, Ad Muncher basically views this as a "pop up" attempt by the browser and kills it. The solution? The program has to be shut down totally, merely disabling filtering doesn't work.

That's it, carry on the good work, glad to see this was a problem on my end all along. :-)

keeramon

November 09, 2014


Nachash (proprietor of doxbin) brags that I was the most-doxed on his darknet onion server, along with Keith Alexander, a four-star general and former director of the NSA. The difference between me and Gen. Alexander is that I went to Germany in 1985 to teach Philip Agee how to use his first computer, I was prosecuted for draft resistance in 1969, and I was active in SDS beginning in 1967 to oppose U.S. policy in Vietnam. I also spent three years in grad school studying social ethics and political theory.

Nachash is too uninformed to distinguish between me and Alexander. He doxes us both as a matter of pride and presumed relevance. He includes Social Security numbers and other information that is inconvenient for his victims.

The folks who control Tor make a similar mistake. From the viewpoint of social ethics and plain logic, you must distinguish between freedom to surf the web anonymously, and the freedom to publish anonymously. I ran Scroogle.org for seven years because I believe in the freedom to research anonymously. But I also believe that publishers must be accountable, which automatically means that they must be identifiable.

The Tor people have yet to figure this out. The darknet onion thing provides anonymity to publishers. This is unethical. The Tor browser provides anonymity to passive researchers. This is wonderful. Until Tor figures this out, I will support efforts to close down onion servers, even if this means that I have to support Gen. Alexander.

-- Daniel Brandt, www.crimeflare.com

Well I believe every government document must have been published and the authors and their families must be identifiable. This would be ethical.

I was really impressed by your life's work until the end of your statement.

Your analysis is however incorrect: one cannot be a publisher freely without a permissionless system. Publishers may be held to account after the fact or they may not. This is how a free system without prior restraint works. Tor Hidden Services provide anonymous, end to end, reachable, secure communications channels. This is important and the world needs it.

Your analysis between "researching" or reading and "publishing" or writing is incorrect. All HTTP clients send data - for example - the url they're requesting. This must be done anonymously. This means that to read anonymously on the web, we must also be able to write anonymously on the web.

I'm sorry that you've been a victim of jerks on the internet. I'm also sorry to hear that you're a supporter of General Alexander as a result. I'm even more sad that you believe the solution is to put a king's mark on every document, on every publisher and on every publication system. I say to that: Never.

I don't condone doxing, but you only have to look at what is happening in Russia (all bloggers being required by law to register with the government, a move designed to intimidate and silence critical voices) to see that your stance ("publishers must be accountable, which automatically means that they must be identifiable.") is problematic.

Ah yes Daniel Brandt. I remember you from Wikipedia. You are one of the most filthy, loathsome people I have ever encountered. Don't listen to this guy. He is a snake in the grass.

As a person who got tortured in a NATO country and had to flee just because I wrote more than the government accepted about false-flag terrorism, I would just like to say: Screw you. You have done a lot of great things over the years like running scroogle, but your statement that publishers must be "held accountable" made me lose all respect for you. Telling the truth about government lies is not and should not be a reason to get tortured. If you simply do not understand that this is going on, and has been going on, for decades then I might forgive you. If you actually believe that governments should be able to identify those who oppose them so they can torture them then I hope you die in the most horrible way possible.