Tor and the Silk Road takedown

We've had several requests by the press and others to talk about the Silk Road situation today. We only know what's going on by reading the same news sources everyone else is reading.

In this case we've been watching carefully to try to learn if there are any flaws with Tor that we need to correct. So far, nothing about this case makes us think that there are new ways to compromise Tor (the software or the network). The FBI says that their suspect made mistakes in operational security, and was found through actual detective work. Remember: Tor does not anonymize individuals when they use their legal name on a public forum, use a VPN with logs that are subject to a subpoena, or provide personal information to other services. See also the list of warnings linked from the Tor download page.

Also, while we've seen no evidence that this case involved breaking into the webserver behind the hidden service, we should take this opportunity to emphasize that Tor's hidden service feature (a way to publish and access content anonymously) won't keep someone anonymous when paired with unsafe software or unsafe behavior. It is up to the publisher to choose and configure server software that is resistant to attacks. Mistakes in configuring or maintaining a hidden service website can compromise the publisher's anonymity independent of Tor.

And finally, Tor's design goals include preventing even The Tor Project from tracking users; hidden services are no different. We don't have any special access to or information about this hidden service or any other. Because Tor is open-source and it comes with detailed design documents and research papers, independent researchers can verify its security.

Here are some helpful links to more information on these subjects:

Technical details of hidden services:
https://www.torproject.org/docs/hidden-services

Our abuse FAQ:
https://www.torproject.org/docs/faq-abuse

For those curious about our interactions with law enforcement:
https://blog.torproject.org/category/tags/law-enforcement
https://www.torproject.org/docs/faq#Backdoor

Using Tor hidden services for good:
https://blog.torproject.org/blog/using-tor-good

Regarding the Freedom Hosting incident in August 2013, which is unrelated as far as we can tell:
https://blog.torproject.org/blog/hidden-services-current-events-and-fre…

Some general hints on staying anonymous:
https://www.torproject.org/about/overview#stayinganonymous

The Tor Project is a nonprofit 501(c)(3) organization dedicated to providing tools to help people manage their privacy on the Internet. Our focus continues to be in helping ordinary citizens, victims of abuse, individuals in dangerous parts of the world, and others stay aware and educated about how to keep themselves secure online.

The global Tor team remains committed to building technology solutions to help keep the doors to freedom of expression open. We will continue to watch as the details of this situation unfold and respond when it is appropriate and useful.

For further press-related questions please contact us at execdir@torproject.org.

(Some thought) Problem: how to simulate continuous work of a disconnected server?
Maybe a Tor (exit?) node should send some irregular junk back to the client and the client just drops it. Will it lower the correlation between client and server? Junk can be in any form, for example bad-checksum packets, or rare flag combinations (Reset/Syn/Ack) etc.

DPR left his email on a bitcoin forum asking people for help - it's right here, not fake or "made up" https://bitcointalk.org/index.php?topic=47811.msg568744#msg568744

He also had his real name on a stackoverflow help request then changed it to a new fake one

DPR was an idiot, an idiot who made a site that got seriously popular and he made a bunch of money. He was still an idiot and didn't clear his tracks.

Anybody dumb enough to incriminate themselves on these airwaves, hell, they get what they deserve; there's so many ways to go about anonymity on everything you do on here, just saying.

k239

October 02, 2013

The complaint says that the server running Silk Road was imaged and forensically examined in late July. This was done surreptitiously by the hosting provider at the request of the FBI via local authorities and the Mutual Legal Assistance Treaty. They used the server's ssh config to find the VPN server he was logging in from and the VPN server's last login record to find a cafe near his house. They were able to correlate the location based on Google's records of the email account that was previously used to solicit users and help on the BitCoin forums, which he accessed from home the same day he logged into the VPN server. Other information on the Silk Road hidden server was used to correlate with openly sourced information to get the probable cause needed to arrest him.

The complaint does not reveal how they located the Silk Road server, so it could have been an attack on Tor.

Yep. It looks like there are a lot of ways that things went wrong, but they haven't specified exactly which ones they made use of first. We should keep watching and learning. Let us know if you find anything more concrete!

Although we don't know, it is far more likely the FBI used a vulnerability in the server to get it to reveal its address (perhaps by sending a packet out on the open internet) than, say, doing traffic analysis or some other attack. Especially given the operator's lack of caution relative to the risk and apparent lack of serious technical skill.

Also, another indictment that has surfaced reveals that DPR arranged for a delivery of 1kg of cocaine from an undercover agent to a SR employee. The SR employee was arrested and it is possible that information on his computer led them to the SR server.

A third possibility is the SR server, or some other related server, may have done some BitCoin transactions without using TOR, allowing investigators to locate it.

All of these are much easier than attacking TOR...

Also, another indictment that has surfaced reveals that DPR arranged for a delivery of 1kg of cocaine from an undercover agent to a SR employee. The SR employee was arrested and it is possible that information on his computer led them to the SR server.

Can you provide a link to the source for this information?

This is from the Maryland indictment released last night; here's a copy: https://dl.dropboxusercontent.com/u/182368464/dpr-maryland-indictment.p…

Note that this provides a much more direct route to DPR: just follow the wire money from Australia.

It's the Maryland indictment and I found it on this great post on Popehat.

http://www.popehat.com/2013/10/02/the-silk-road-to-federal-prosecution-…

Ubiquitous network surveillance (NSA) used in conjunction with a DoS would highlight the route to any hidden service. In light of Snowden's leak, this is likely possible and would be used to kick off an investigation for court-admissible evidence.

Yep. The trick is that "ubiquitous" in this case needs to include the location of the hidden service. If he put it someplace they're watching, yes, else no. Now we get to wonder exactly how much they're watching in terms of foreign jurisdictions.

Found this:

http://www.journalgazette.net/article/20131006/NEWS03/310069901/1066/NE…

Don't know if it is more concrete or true, but it is specific.

CIPAV

I find it strange that nobody is considering that illicit methods might have been used in finding the server. Since Edward Snowden's leaks we all should be aware that secret services have been monitoring ALL internet traffic and have successfully forced companies to work together with them.

They might have used a DDoS attack to bring down the server and then locate it by analyzing the internet traffic of whichever country it was located in.

They might have cooperated with the host and had them look for keywords related to the silk road on all their hosted servers (or did it themselves).

Or they might have compromised the whole of the TOR network.

The criminal complaint in fact doesn't even have a parallel construction, it has no mention at all on how the server was found! That's just suspicious.

I don't think they're watching ALL Internet traffic. But what fraction are they watching, and how is it distributed across the globe, is a great question that we'd all love the answer to.

What do you think about the "oh but the Maryland complaint provides all the details" answer that a lot of people here are giving? Convincing or still suspicious?

What about not just monitoring but fabricating/injecting?

So it was NOT using an encrypted disk ...

Dude, you can google for the original post where he uses the same name he used to announce the silk road to advertise for developers using an email that's just his full legal name. Tor can't help you if you use it to A.N.O.N.Y.M.I.Z.E your connection to the FBI.gov crime report form.

But they found the server before they found him.

So is using a VPN while also using the TBB a bad idea? If so, that should be added to the list of warnings.

If you use a VPN and go from there to the Tor network, it should be ok. There are a few downsides, like if "they" are watching your VPN provider for some other reason, but not you, then they'll get to see your traffic when otherwise they wouldn't.

If you use the Tor network to reach your VPN, that's typically worse -- you're aggregating all of your traffic at one exit point, who can then build a pseudonymous profile of your activities to guess who you are. Or maybe they just look at the credit card address, depending on how you pay for the VPN.

But if you just use a VPN, full stop, like apparently this guy did? We've heard a lot of stories about how that can go bad. Tor isn't in the picture.

I decided to stay away from tunneling the Tor traffic through a VPN. In the case of persistent use of one and the same VPN provider, their logs (likewise the network provider's logs) will enable traffic analysis, user/use estimation and profiling.
What makes it better? At this point I suggest covering the wanted Tor traffic with extra traffic. My 'wanted traffic' can be seen, but it looks like an ant in an anthill. Hard to isolate.
I think we touch on the discussion around entry point rotation.

" if "they" are watching your VPN provider for some other reason, but not you, then they'll get to see your traffic when otherwise they wouldn't. "

How is using a VPN to access Tor any different than using your own ISP? This just moves the point from which you reach your entry guard, which may provide more privacy from "they". Please elaborate.

The issue is that there are now two places (and all the network links between them) that get to see your traffic. "You -> VPN provider -> Entry Guard" shows traffic to a different part of the Internet than "You -> Entry Guard" does. So what they can see in each case depends in part on Internet routing, and in part on whether they (for whatever reason) had already decided watching "VPN provider" was a good move.

Let's assume they don't have to watch the VPN provider because they are already watching all the lines going between you and the VPN. Would it not be better to use bittorrent cover traffic while accessing Tor over an encrypted VPN connection to a VPN server located in the same non-monitored country as the bridge you are connecting to?

I don't think it matters anymore if they are watching the particular endpoints (entry node, exit node, website) because they are watching the main backbones the connections go over. The only way to circumvent this is to move one's connection to Tor out into a non-monitored country where it does not pass over monitored lines.

Don't get it. The "Two places seeing traffic = Bad" thing. Because I didn't think they were. The traffic from You -> VPN provider is encrypted.

Tor only shows up under DPI from VPN provider -> Entry Guard. Still encrypted, but "they" know Tor is being used. It still can't be correlated with traffic from You -> ISP.

So you're comparing one collection of random gibberish with a second much bigger collection of random gibberish from many sources.

Am I missing something here?

Just because it's encrypted doesn't mean they can't see the traffic flow.

If your logic were right -- that they can't do anything unless their DPI box says it's Tor -- then using an Obfsproxy bridge would provide bulletproof anonymity.

If they're watching your destination website, and they're watching you send traffic to your VPN provider, those are the beginning conditions for a correlation attack.

"Pad the heck out of your VPN traffic" seems like it will help, but will it help enough to matter? Open research question.
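The flow-correlation risk described in the reply above, as an added example that is not part of the original post or of any Tor Project code: two constructed per-second byte counts, one as seen on the You -> VPN link and one seen near the destination, are lined up by timing alone, and a toy constant-rate padding scheme (a stand-in for "pad the heck out of your VPN traffic", not a real VPN feature) shows both that the bursts disappear and what that costs in queued bytes. The overhead and delay constants are assumptions.

```python
import math

# Constructed sample: bytes per second a client sends while browsing (bursty).
CLIENT_BURSTS = [0, 4200, 300, 0, 0, 7800, 900, 0, 0, 2500, 0, 0, 6100, 0, 0, 0]
VPN_OVERHEAD = 60     # assumed per-second framing bytes while the tunnel is active
UPSTREAM_DELAY = 2    # assumed seconds of transit between the two vantage points

def vpn_link_view(bursts):
    """What a watcher on the You -> VPN link sees: encrypted, but sized and timed."""
    return [b + VPN_OVERHEAD if b else 0 for b in bursts]

def destination_link_view(bursts, delay=UPSTREAM_DELAY):
    """The same bursts seen near the destination, shifted by transit delay."""
    return [0] * delay + bursts[: len(bursts) - delay]

def pearson(a, b):
    """Pearson correlation; 0.0 when either series is flat (nothing to match on)."""
    n = len(a)
    ma, mb = sum(a) / n, sum(b) / n
    cov = sum((x - ma) * (y - mb) for x, y in zip(a, b))
    sa = math.sqrt(sum((x - ma) ** 2 for x in a))
    sb = math.sqrt(sum((y - mb) ** 2 for y in b))
    return 0.0 if sa == 0 or sb == 0 else cov / (sa * sb)

def best_lag(client_view, dest_view, max_lag=5):
    """Slide the client series against the destination series and return the
    (lag, correlation) that lines up best: high means the flows can be tied together."""
    n = len(client_view)
    best = (0, -1.0)
    for lag in range(max_lag + 1):
        r = pearson(client_view[: n - lag], dest_view[lag:])
        if r > best[1]:
            best = (lag, r)
    return best

def pad_constant_rate(bursts, rate):
    """Toy mitigation: the VPN link carries exactly `rate` bytes every second (filler
    when idle, a queue when a burst exceeds it). Returns the flat view and worst queue depth."""
    view, backlog, worst = [], 0, 0
    for b in bursts:
        backlog = max(0, backlog + b - rate)
        worst = max(worst, backlog)
        view.append(rate)
    return view, worst
```

Unpadded, `best_lag` recovers the two-second transit delay with a correlation near 1.0; padded to a constant 3000 bytes/s the client side is flat and the correlation is 0.0, at the price of up to 4800 bytes waiting in the queue.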

It seems to me that, if the TLAs run a large portion of the nodes, then they can do traffic analysis on where those nodes send and if the traffic comes out the other side or terminates there. They can unravel the network one node at a time toward the most popular hidden services.

One case where being a high traffic node is a bad thing.

Solutions?

  • Yes. Pad the traffic between nodes. Establish a minimum traffic level and don't let the node's traffic drop below this point.
  • More nodes. Ones not owned by the government, not controlled by the government. But how do you prove this?
  • Some way of blacklisting a node if it is found to be a front for someone trying to disable TOR. But then they could use that same blacklisting to disable all the nodes they can't control leaving only the ones they can. Possibly a trust system? lines of trust? My node will only talk upstream to a few nodes I trust? Not that I'm running a node, of course.
  • Maybe a mirroring system. Let a hidden service exist in more than one place, managing service updates and control across TOR on another layer of VPN pretending to be yet another set of nodes. I remember one of the darknets had some way of caching stuff across the hosts so you didn't even know what your computer was serving up to the community.

So if I have a transparent VPN on my computer, then bring up the Tor browser this is ok?

Then you're in category one in my list above. It is a reasonable thing to do -- it makes you safer in some ways and less safe in others. If you think your VPN doesn't keep logs and isn't monitored by anybody else (well, and if you're right ;), it's probably a net win.

You -> Open Source VPNMesh of anonymously funded VPS/Rental servers, using application routing such as Tinc (open source) -> Tor.

Benefit: Run Tor at higher speeds. Contribute some bw back to Tor on some or all nodes and mask your traffic.

In the last 10+ years, the only packets that have left my computers were my VPN meshes. OpenVPN, then Tinc. I pay for servers using truly anonymous methods (not bitcoin). Say what you want, it has worked out well and is quite handy for routing around problem internet links.

It's not worse than using your own real IP address.

The point about VPN is that although it hides your real IP address, the service is being provided by a third party company.

If you are being investigated by LEA and they know the VPN IP address you used, they could (as happened here) get your real IP address from the VPN provider.

This all depends of course on LEA knowing your VPN address, which they're not likely to do if you're using it to access TOR (as opposed to outside TOR, which is what appears to have happened with Ulbricht).

Tor Project and Mozilla Foundation should analyze the takedown page for any new exploits that the FBI may be using and if either product is compromised, then issue an emergency update.

It was my understanding that it was a png and a tiny amount of html.

Let us know if you learn anything different.

What is being done about Hidden Service technology? It has not been updated in a long time.

I still haven't seen a valid explanation for how the FBI managed to track down the servers without access to DPR (he was still under surveillance at the time).

The post above mentioning 1k of cocaine: this is the first I have heard such a story in my reading. Would it be paranoid to consider the possibility that it's in someone's interest to throw us off the track of a vulnerability?

You're right to wonder. That said, they sure threw us a lot of juicy, very plausible details this time.

Is the general consensus that if there were more relays (and/or more exit nodes) Tor would be more secure?

Yes, but that's not the whole story.

First, it depends on the *location* of the relays relative to what the adversary can see. As an example, if the adversary is already watching a given part of the Internet, and ten more people start running relays there, it's going to hurt rather than help Tor's overall anonymity, because it increases the fraction of capacity that the adversary can watch.

Second, there are a variety of attacks in the research literature that don't care about network size. See http://freehaven.net/anonbib/ and https://media.torproject.org/video/25c3-2977-en-security_and_anonymity_… for more details.

Tor was initially developed by the NAVY wasn't it? Couldn't they have embedded backdoors in the code? Or is this a stupid/moot question?