The TOR Panic of 2013…

Date: August 06, 2013

01) Freedom hosting on Tor pedo sites compromised

02) Founder of the Freedom Hosting arrested, held without bail in Ireland, awaiting extradition to the USA

03) ‘Largest facilitator of child porn on planet’ must wait month for FBI case

04) Feds bring down Tor-hosted child porn site using suspected vulnerability in Firefox browser

05) News Article

06) TOR Developers Advise Stop Using Windows

First…All of the BC threads are worth reading.

Second…On a personal note…Given enough time, this sort of serious security failure [which has taken even experienced users, and the developers themselves, by surprise] is entirely predictable.

The “false sense of security” principle applies to people using TOR, encryption [SSL, PGP, etc.], or any number of security programs…It is safe and secure, only up until the point where it is not safe and secure…And by the time a serious security breach is discovered, it is already too late for many…Those unfortunates will be unaware, until something happens to make them aware…And whatever aftermath follows.

I use TOR, and I have done very shallow exploration of “the deep web”…Not recently, but yes…And I am pretty certain I’ve visited the web pages, of a few services hosted by Freedom Hosting…like TORmail, for example…maybe a live chat service…To be completely honest, it is hard to find “deep web” sites…They are mostly just linked, at “index” pages, which set the course for wherever you end up…And Freedom Host websites, seem to be very well represented. Mostly, I just use TOR, when I do not want the owner of a website [on “the open net”] I am visiting, to get my IP address…Though, I often just use a regular proxy for that…TOR is very useful, but at the same time…it is not a complete security package…It is one part, of a security plan.

I consider myself a realist, when it comes to “internet security”…Ultimately, anything can be cracked and exploited…no matter how much, you think you have done your due diligence…Are these things worthwhile? …yes…But they are absolutely not fail safe…and due to their complexities, it is often hard to know when you are making a misstep, while using all of this great software…Again, I am a realist, and I have felt the sting of some security compromise threaten me too many times…even when I thought the circumstances were safe. My coping mechanism, has been to embrace this reality…and to stop lying to myself, with false security blankets.

I will concede, I have never tried TAILS though…and I am quite intrigued by it…But I think it is bound to be a complete mess, trying to juggle TAILS with my blogging and the various other things I do online…I only use flash drives for backups…I don’t trust them enough, to regularly use them for frequently accessed storage [like a hard drive replacement]…I’m also not excited about having just “another thing”, to synchronize with the rest of my stuff, such as the flash drive content is guaranteed to become. I think this is the main reason why I have never tried it…I think it is very likely to get in the way and be annoying.

My sympathies are with those out there feeling compromised, perhaps betrayed…

Third…I have been using the TOR Browser Bundle for years…and I have to admit, that I thought the whole idea behind this bundle, is to have an “isolated” web browser which only sends and receives information through TOR. I am aware of third party services like YouTube, being able to snag your IP, because that sort of content won’t go through TOR…but I thought the TOR Browser was optimized, to simply not allow that sort of content…at all…Finding out something like this, is disturbing.

Fourth…let me attempt to give a layman’s summary, on what has happened.

TOR is a “fetching system”, which uses three layers of proxies…These are not typical online proxies, but a more private network of clients more akin to “peer to peer”. The whole idea behind TOR is to create several layers between your machine, and the machine you are accessing data from, while at the same time leaving no way to trace the request back to you. TOR does not encrypt anything, between your machine and the immediate machine you are sending/receiving information from…the entry/exit node, I believe it is called. There are a number of ethical reasons, why somebody might have a need for something like TOR.

TOR hosts nothing…It simply fetches what you request it to…This is part of why people are still saying, TOR itself has not been compromised…or, it still works as intended…They always knew about the potential for browser exploits…They just were not expecting something quite like this.

Freedom Hosting is a service with loose standards and loose enforcement, which operated on the dark net, and was apparently only accessible through TOR [though I may be wrong about that last part] …Allegedly, “child pornography” was hosted on some websites, on the Freedom Hosting server.

Some of these sites were openly described as such, on “index” pages which I referenced earlier…which is one of the reasons, why I have never gone back to explore the .onion dark net…It was a pretty brazen atmosphere, making itself a big target.

Somehow, the FBI discovered who owns Freedom Hosting…they got access to the host server…planted some type of script on various websites, hosted by that server…and these scripts exploited a Firefox 17 [for Windows] security hole…causing some people’s machines to secretly make contact with an entirely separate server, entirely outside of the TOR network…Or in other words, their machine was forced to make contact with an FBI server, over the open internet, without their knowledge, when they visited certain “Freedom Hosting” websites. This gave up their IP address to the FBI, and allowed the FBI to see who was visiting those “Freedom Hosting” websites…Apparently, it also snooped on any cookies existing on the machine, and forwarded that information.
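The failure described above is a browser process talking directly to an outside server instead of to its local Tor proxy, and that is something a defender can check for in connection logs. The sketch below is an added example, not part of the original post; the log format, the process name `firefox.exe` and the local SOCKS port 9150 are assumptions, and the sample lines are constructed.

```python
import ipaddress

# Assumptions (not from the original post): the bundled browser runs as
# firefox.exe and its local Tor SOCKS listener is on 127.0.0.1:9150.
BROWSER = "firefox.exe"
SOCKS_PORT = 9150

# Constructed sample connection log: "<time> <process> <remote_ip>:<port>"
SAMPLE_LOG = """\
12:00:01 firefox.exe 127.0.0.1:9150
12:00:02 tor.exe 198.51.100.7:9001
12:00:05 firefox.exe 127.0.0.1:9150
12:00:09 firefox.exe 203.0.113.25:80
12:00:11 updater.exe 192.0.2.10:443
"""

def parse_line(line):
    """Split one log line into (time, process, ip, port); None if malformed."""
    parts = line.split()
    if len(parts) != 3:
        return None
    when, proc, remote = parts
    host, _, port = remote.rpartition(":")
    try:
        ip = ipaddress.ip_address(host.strip("[]"))  # allow [::1]:9150
        return when, proc.lower(), ip, int(port)
    except ValueError:
        return None

def find_leaks(log_text, browser=BROWSER, socks_port=SOCKS_PORT):
    """Return browser connections that did not go to the loopback SOCKS port."""
    leaks = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip blank or malformed lines
        when, proc, ip, port = rec
        if proc != browser:
            continue  # tor.exe itself is expected to reach the open internet
        if ip.is_loopback and port == socks_port:
            continue  # normal path: browser -> local Tor proxy
        leaks.append((when, str(ip), port))
    return leaks

if __name__ == "__main__":
    for when, ip, port in find_leaks(SAMPLE_LOG):
        print(f"{when} browser bypassed Tor: {ip}:{port}")
```

The same rule can be enforced rather than only detected, by a host firewall that lets only the Tor process open outbound connections.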

It is good to know, several things needed to be true in order to have gotten hit by this.

Apparently, this was JavaScript exploiting a security hole in Firefox 17…and the TOR Browser Bundle is based on Firefox…so it has the same defect…

…What a mess.

…Part of me has wanted to investigate setting up a presence on the .onion dark net, just like I’ve previously had an interest in a presence on Freenet…Then stuff like this happens, and it leaves you wondering “what is the use?”…
