Tor and the Silk Road takedown

We've had several requests by the press and others to talk about the Silk Road situation today. We only know what's going on by reading the same news sources everyone else is reading.

In this case we've been watching carefully to try to learn if there are any flaws with Tor that we need to correct. So far, nothing about this case makes us think that there are new ways to compromise Tor (the software or the network). The FBI says that their suspect made mistakes in operational security, and was found through actual detective work. Remember: Tor does not anonymize individuals when they use their legal name on a public forum, use a VPN with logs that are subject to a subpoena, or provide personal information to other services. See also the list of warnings linked from the Tor download page.

Also, while we've seen no evidence that this case involved breaking into the webserver behind the hidden service, we should take this opportunity to emphasize that Tor's hidden service feature (a way to publish and access content anonymously) won't keep someone anonymous when paired with unsafe software or unsafe behavior. It is up to the publisher to choose and configure server software that is resistant to attacks. Mistakes in configuring or maintaining a hidden service website can compromise the publisher's anonymity independent of Tor.

And finally, Tor's design goals include preventing even The Tor Project from tracking users; hidden services are no different. We don't have any special access to or information about this hidden service or any other. Because Tor is open-source and it comes with detailed design documents and research papers, independent researchers can verify its security.

Here are some helpful links to more information on these subjects:

Technical details of hidden services:
https://www.torproject.org/docs/hidden-services

Our abuse FAQ:
https://www.torproject.org/docs/faq-abuse

For those curious about our interactions with law enforcement:
https://blog.torproject.org/category/tags/law-enforcement
https://www.torproject.org/docs/faq#Backdoor

Using Tor hidden services for good:
https://blog.torproject.org/blog/using-tor-good

Regarding the Freedom Hosting incident in August 2013, which is unrelated as far as we can tell:
https://blog.torproject.org/blog/hidden-services-current-events-and-fre…

Some general hints on staying anonymous:
https://www.torproject.org/about/overview#stayinganonymous

The Tor Project is a nonprofit 501(c)(3) organization dedicated to providing tools to help people manage their privacy on the Internet. Our focus continues to be in helping ordinary citizens, victims of abuse, individuals in dangerous parts of the world, and others stay aware and educated about how to keep themselves secure online.

The global Tor team remains committed to building technology solutions to help keep the doors to freedom of expression open. We will continue to watch as the details of this situation unfold and respond when it is appropriate and useful.

For further press-related questions please contact us at execdir@torproject.org.

Anonymous

October 02, 2013

I really appreciate all that you folks do to keep Tor operational and in service so those of us who couldn't build a Tor look-alike ourselves can use what Tor provides. Thank you.

You guys are so full of shit... 60% of your funding money comes from Government subsidiaries. Yes it's true servers have to be configured properly to provide the proper security but as far as I'm concerned Tor is a compromised network that probably the NSA runs half the relays and god knows about the exit nodes. ANYONE ELSE FEEL SAFE USING TOR AFTER FREEDOM HOSTING AND NOW SILK ROAD?

ANYONE ELSE NOTICE IT'S THE ILLEGAL SITES GETTING NABBED? IF THAT'S NOT A CLEAR INDICATION THAT TOR IS INVOLVED WITH THE GOVERNMENT THEN I GOT A BRIDGE TO SELL YOU IN SAN FRAN.

Sorry for the caps but I'm tired of the lies and deceits from this camp of developers that promote their values and are nothing but two-faced government lackeys.

As for the funding discussion: a) you wouldn't even be saying 60% if we weren't so transparent with all our finances, and b) we publish everything we do and you can look at it and decide for yourself. I have a longer answer over at the "quick ant" blog post:
https://blog.torproject.org/blog/tor-nsa-gchq-and-quick-ant-speculation…

As for the NSA running half the relays, see my comment below:
https://blog.torproject.org/blog/tor-and-silk-road-takedown#comment-356…

As for the "do you feel safe" part, there are some serious adversaries attacking the Internet these days. It may be that Tor can't protect you against the NSA's large-scale Internet surveillance, and it may be that no existing anonymous communication tool can. "Stop using the Internet" is a perfectly reasonable answer. See the discussion in the "quick ant" blog post for more:
https://blog.torproject.org/blog/tor-nsa-gchq-and-quick-ant-speculation…

Hi, if you made Tor a subscription service the community could support the developers and increase the number of relays tenfold. Torproject llc could lease out their services to various 3rd parties who would handle payment and take a set % to set up additional nodes. I would be more than happy to pay over $100 a year to pay for a more resilient Tor.

That is a terrible idea, no one has the right to charge Tor users a subscription fee. What about the people in Egypt, or Syria, or China that require the use of the Tor network? They can't afford a fee to get important news in and send important messages out.

Yeah sure, make everyone pay, then your anonymity goes to the FBI together with your bank details. As long as America believes that they are the world police, everyone is in danger.

Totally agree. Most of the successful raids have been through subpoenaed bank accounts; more so on the VPN companies that promise anonymity. Just look at Hushmail as a good example. You can no longer use a free account with Hushmail while using the TOR network (due to the owner having his balls owned by the Feds). So now the owner of the company insists on payment for such an account, when using TOR.

I'm amazed, actually, that people, as well as the TOR team, have not done more research on CIPAV. This nasty little virus has been used before on the TOR network, rendering everyone powerless to hide their privacy.

Some guy recently managed to obtain the virus, and reverse engineered it. From the sounds of it, with a few tweaks here and there, TOR development could create a "No-script" Firefox equivalent add-on to the TOR Firefox to prevent such a thing from happening. HIPS is now the biggest issue on internet privacy/security now. Someone seriously needs to develop an add-on HIPS for this, to prevent such programs as CIPAV from working.

That is a great idea. However, you need to leave a space for free users, and open another space for paid users. Tor might have this option already, I think. You pay a subscription, and you get faster speed than the free user does.

Now how do you suppose to speed up a Tor connection through dozens of servers all over the globe?
Got a magic pill for that? Duhhhhhh

I would pay $100 a year even if some countries' people cannot. Listen carefully, the Arab nations can afford to fund TOR forever with the monies they have. TOR has been a relief from little brother (state government) slowing down my work related work on the internet and tracking my every move, when fact is our ITS service department plays video games 90% of their time...fact...seen it...watched it...was disgusted. I praise TOR and the work they are doing. Charge me a monthly fee of $25 and I will still pay...rock on TOR....sad to see Lava go to the wayside.

You are merely repeating that chorus over and over again to get fewer people to use Tor. More users and nodes make Tor more secure.

Yeap, I have said that all along especially when they got to Mt. Gox and took everyone's bitcoins. The feds have been in on this all along and have made money off of it. So take the money and help pay off the motherfing deficit, stop paying the Congress members and quit giving them full pensions after two years of service. To all of you self righteous, conservatives, the Supreme Court has approved this health care bill, so get your head out of your asses, accept the same health care as the rest of us, drop your pensions, except for what you have paid into it and pay the other 800,000 government employees who need a pay check.

As one of those "self righteous, Conservatives" I'd like to invite you to lick a dogs' anal glands until they bleed. I am disabled through no fault of my own, and now I'm supposed to stand in line behind skateboarding morons, 14 year old gang-banging single mothers with AIDS/crack babies, 11,000,000 "undocumented democrats" and heroin addicts, welfare frauds faking mental retardation and militant members of Islam that are here to plan for the downfall of my country that all want the same Social Security Disability I get? Screw that, I've had cancer since I was two years old and fought hard all my life to work and pay in, only to be repeatedly turned down when I needed those benefits when the radiation damage and chemo therapy side effects caught up with me at 28. The lovely state of New Jersey literally forced me out of the state while illegally denying me benefits for OVR and I was forced into the roles of welfare and foodstamps once I reached PA. Finally, having been turned down three times for benefits despite every doctor they sent me to saying I was honestly disabled , I got a PA DAP advocate and put the matter before an administrative law judge who instantly approved and expedited the case, " Due to the over-whelming preponderance of evidence"- which meant the law office that presented the case (when I say presented, I mean literally shuffled three or four pages) got 25% of my back pay and settlement and when I wanted to sue the people responsible for holding up my money and driving me to the point of suicide, I was told I was lucky I'd get as much as I did and should keep my head down. The glorious People's Republic of New Jersey was later sued by the Feds for forcing out and/or preventing disabled people from moving into the state and LOST! But I never saw a dime from it. 
Now I have to sit in waiting rooms with the scum of the earth who brag about the ways they trick doctors into giving them narcotics they don't need so they can sell them and supplement their prostitution income and welfare fraud. It's gotten so bad that where once I could walk into my doctors office unannounced and be seen without an appointment, I have to wait up to three weeks to see a doctor three towns away using a medical assistance service because I can no longer safely drive. And every driver tells me the same stories of how the filthy drug addict/pushers get the same rides from Philly to Pitts PA for their dope and the drivers don't dare tell the cops because, of course, they have a confidentiality clause in their contract. Now I can't even get refills for my non-addictive pain patch and pills, I have to travel to a doctor 45 miles away to pick the script up in person no matter how much pain I'm in or how foul the weather is and there are NO REFILLS allowed on pain drugs at all, all thanks to dog shit like you and the liberal traitors who are too afraid of the vermin infesting our country to take a stand. I won't even get into the gun control issue here, I'm sure you think it's perfectly OK for roving bands of Crips and Bloods to kill white cripples for fun and profit. Doctors here are retiring at record rates, Obama is demanding what amounts to a National ID card for forced health coverage while denying the need for voter ID and a piece of shit like you wants to run his mouth at the only real American's left.

Hey bro, you know of any other browser, that's a little less known? I did 7 yrs down the road, don't want a repeat, just curious. The SouthEastern Flyer, thanks

The first articles out on Silk Road made it quite clear he was arrested due to being turned in by a close ally snitch, not by their tech ability.

Here is a novel idea;
If you are tired of Tor is there anyone preventing you from rolling your own?!
Only incompetent amateurs whine about another man's business in which they, themselves, have no place to be.

p.s. NOT DEFENDING NOR PROMOTING TOR JUST SICK AND TIRED OF THE ABOVE AND ANY OTHER TWO-BIT CLICKER. (Oh Yeah; I am sorry about the caps but... Well, I don't remember exactly why...)

"ANYONE ELSE NOTICE IT'S THE ILLEGAL SITES GETTING NABBED?"

Well, yeah. Do you expect the FBI to take down legal sites? You're a special kind of idiot.

I don't know. I'm paranoid anyway, by nature. I used to use Tor because I hated the idea of being snooped on and not because I'm doing anything illegal. I was hoping there was finally a way of using the Net privately but, at the same time, I know that at this point there is no such thing as true anonymity in the real sense of the word. You gotta expect there will be weaknesses in any so-called secure environment and that those weaknesses are sure to be exploited by entities known and unknown. Now, as far as Tor being partly funded by the government, I've always had concerns there. You shake hands with the Devil... etc., etc. This did raise quite an eyebrow with myself and many others because we all know what happens when good ol' Uncle Sam shows up to cash in his marker. He manipulates the process by swindling you into a no-win situation. Next thing you know, Uncle Sam is behind the wheel, Tor Project designers are in the passenger seat and we the people don't even know who's driving the damn car. If this is not the case right now it's sure to be in the future. The government doesn't just give you anything. There will be a price, now or later. I applaud Tor Project in their efforts to advance Internet freedom and privacy for us all. I just wish they would continue their efforts independently of government involvement in any way. I'm sure there are many financially independent people all over the world who would contribute financially to the continued development of the Tor Project. I know I would, if I could. Having private donors and continued transparency would be a huge first step at assuring us a little more peace-of-mind when we surf the net. The best step is to never trust a piece of security software in the first place and stay paranoid and cautious. Check and double-check everything, every step of the way and never think you're hidden and safe. I know it's a terrible way to have to use the Internet but it beats the alternative if your Internet activities are illegal or you're just wanting to be anonymous. I'm standing with Tor, at least until they prove themselves to be untrustworthy. I have confidence they will figure out a way to work through these setbacks so, I choose to give them the benefit of the doubt. But, as with any other software company, I do so extremely cautiously. No disrespect to Tor Project designers. As I said, it's just in my nature.

Interesting how loud ignorant people seem to yell to spew their stupidity around.
You didn't say one thing to make me believe you know anything about what you said.
Have you looked at the code to put your value of security or lack thereof on it?
Nope, I'm sure you didn't.
The way you talk to people you don't even know is really sad. Shows a very juvenile mind. How old are you, fourteen? Oh sixteen sorry senior sir!
There are hundreds, if not thousands who know the value of TOR and use it every day to protect their very lives.
I do for one.
Oh and read the fine print. Tor alone does not protect you. You must be able to do something you have not exhibited an ability to do. THINK!
It helps if you have an IQ larger than your shoe size too. Helps even more if you apply what intelligence to what you do instead of ranting like you just did! Please do not spread your DNA around.

Quote:

"ANYONE ELSE NOTICE IT'S THE ILLEGAL SITES GETTING NABBED?"

I'm new to this whole thing, so this is an honest question:

Why wouldn't the illegal sites be the ones getting nabbed? Why would they nab people who aren't breaking any laws, and what would they nab them for?

Anonymous

October 02, 2013

The last thing posted on Ross Ulbricht's public Google+ account:

"anybody know someone that works for UPS, FedEX, or DHL?"

Anonymous

October 02, 2013

Literally nobody believes the official narrative.

Can you say: P.A.R.A.L.L.E.L C.O.N.S.T.R.U.C.T.I.O.N ?

When they jail the next tor operator next month, it still will not prove anything but a trend. They will be just lucky, but anybody in his senses can point out the existence of a Bletchley Park, that's SIGINT 101, information theory and a nice tin-foil hat.

I think you are right, they will not reveal anything and do parallel constructions instead.

When I hear "tor operator" I think "Tor relay operator". And I would hope that's a separate fight. Hopefully I can convince you to change your terminology to confuse people less.

But that said, yes, I started out thinking along these lines too, until I read all the details of just how much this guy screwed up. I think we have to throw this data point out when we're trying to find trends.

*That* said, I think we have to expect that there are now many more groups in law enforcement who are ramped up and educated about attacking this sort of site. So we should expect more news like this in the coming years, and even worse, hearing more news won't really tell us more about which theory to believe.

If only there were a few more people out there leaking documents....

arma, do you seriously believe one of the most wanted men in America running a 1.2 billion dollar business would give his real photograph and contactable address to a violent motorcycle gang?

Or that somebody knowledgeable about cryptographic currency enough to construct a random mix would wire assassination funds from a bank account?

Or that a long time hidden service operator wouldn't know to use Tor to administrate a remote server as root?

Or for that matter he didn't use an anonymizer to advertise an illegal business he himself set up.

Or that he met with federal agents and mentioned he got contraband from an illegal market.

It is possible that DPR's opsec was sloppy and he did some foolish things.

But it is more likely that a great deal, perhaps everything, of what we are hearing is total bullshit. Yeah he got caught. But not for any of the reasons we've read.

Going a level deeper into speculative territory, it is also possible that the Bitcoin forum connection is nonsense. Why? Because, and I'm just putting this out there, maybe that quoted text forum post with his Gmail address in it isn't real. Totally retroactively fabricated. Nobody seriously remembers back that far and there are only two or three publicly available services which offer the ability to analyze old forum postings, all of which live under USA jurisdiction and definitely have assets cultivated at them.

Before Snowden, I'd have said bullshit. Now I'm not so sure.

Hey, who knows. I think it's clear that they did more things in the investigation than they wrote up in their indictments.

My guess is that the things they wrote up did happen -- they risk having their case thrown out if they don't have all their ducks in a row.

But whether the things they wrote up were the way they busted him originally? It seems more likely that they got a tip from somewhere (his employee? something else?), found him, and then set about creating a set of facts and a timeline that look like a great case. And alas, that's not a conspiracy theory -- it's their job to do it that way.

:: On October 6th, 2013 Anonymous said:
(My guess is that the things they wrote up did happen -- they risk having their case thrown out if they don't have all their ducks in a row.)
yeah and they had chemical weapons in IRAQ ::

Psst actually they did. Was there.... but we had to get them out before the world realized who gave it to them.

Oh please! Jar-heads still, till this day, have "mission accomplished" tattooed on their arm and "Semper Fi, Hoo rah!" mentality. You guys just don't want to look like a-holes for playing follow the leader and being duped. Trying to save face after a decade makes you [all US mil-personnel] look more like a reinforced a-hole.

Actually it was confirmed on news broadcasts that the weapons existed, but was kept far more hush hush than everything else the various media outlets wanted to put out, all in the name of profit.

And frankly, I don't care if someone has the opinion that we shouldn't have gone in there if the opinion is consistent across administrations. The problem is, they haven't been consistent with the media, though we've entered 3 different countries for less reasons than Iraq, which by the way we had authority to go in based upon a treaty signed, and broken, by Iraq. Not that those were the reasons stated to the public, which was the idiocy of that past administration amongst many other mistakes.

The militant anti-military groups are the assholes, outright. Hypocritical bitches, the lot of ya.

Agreed, but in the modern world only a slim percentage of the population will come to realize these things, e.g. the CIA training and funding the mujahideen (Al Qaeda in propagandistic news) right up until 911. There is no war, it's simply a strategic takeover and seizure of resources, and also a good way to keep up funding. The best funding for militaries nowadays is successful terrorism, hence 911.

It's their job to bring the administration of justice into disrepute by violating the REASONABLE restrictions placed upon them? It's their job to remove freedom from people for violating the same set of laws that they themselves violated through parallel construction?

If your code is anything like your world view, I have serious hangups about starting a hidden service.

On the bright side, your cripplingly naive and presumably pessimistic (ohh no! the terrorists! think about what the terrorists would do with freedomz!) world view has gained one more pair of competent eyes (unless I'm the REAL Dredd Pirate Roberts, sporting an eye patch, arrr arrr arrr) auditing the code.

My initial fear is that the NSA can knock individual suspects' connections off the internet and correlate inaccessible hidden services with disconnected clients to spot the "bad man hiding from the government's caring eyes".

This can be mitigated by having a multi-homed setup... redundant connections to TOR and what not... but even then, the NSA could catch me!

Imagine a Venn diagram with "IPs with the last octet being divisible by 3" and "IPs with the first octet being divisible by 2" both showing a dead site. The NSA would know I have a multi-homed service when none of their initial "divisible by 3 -> success, divisible by 3 & first octet divisible by 2 -> failure, divisible by 3 & first octet not divisible by 2 -> failure" search failed to narrow down the pool of potential IPs.

Now the NSA knows that the trusted server, used to update the publicly accessible servers, is multi homed. They also know that these 2 or more connections have common attributes--that the last octet of both is 3 for example.

The NSA, with their power over ISPs, can knock off more refined groups of IPs within the "successful" area of the Venn diagram. When 2 circles in that area are found that result in success, you can keep on using the parameters of one of the broad circles while refining the other. Eventually, you get the individual IPs.

Ohh noez!

I guess you can't successfully host a hidden service in the U.S., where the government controls the internet?

How is what they're doing any less evil than what China does, by the way? Both stifle freedom of expression--one publicly and the other through parallel construction.

* posted on the clearnet from my cellular internet... 'cause I can't possibly be harmed by government anymore than I have already been. *