Pages:
Author

Topic: Half of all Tor sites compromised, Freedom Hosting founder arrested. (Read 5099 times)

legendary
Activity: 1316
Merit: 1003
This is an interesting point.
Why would the NSA infiltrate the network if they developed it and control enough exit nodes to keep extensive logs anyway?
sr. member
Activity: 336
Merit: 250
Well isn't that something! I just assumed most exit nodes were honeypots and never bothered snooping around .onion sites.
newbie
Activity: 42
Merit: 0
Tor was not compromised. Only the servers hosting half of the hidden service and users browser if JS was not disabled.

For those only skimming this thread, this is the correct answer. (doesn't mean it isn't pretty bad, but an important distinction to be made nonetheless)

Thanks
legendary
Activity: 1904
Merit: 1002
Wow, thats super legit. Somebody should build a chrome-os type thing off of that for clients. Its made for that type of thing. Problem is youd likely get very bad load times, am I right? Still, I'm sure some people would have a use for it.

Wow, with Whonix & Bitcoin, its possible to practically use the entirity of the internet, payments & all, without any privacy concerns whatsoever. Its good to the point of being disconcerting.

No.  Technology can not alleviate all privacy concerns.  You still need to engage your brain.  Even sentence structure and word choice habits can be used to pinpoint your identity.

Quote
In any case, wouldn't it be possible to build it right into the browser? I mean, everything in the browser, all plug-ins, etc... would either not work, or would have to go through tor. Thatd be much more convenient than having to completely re-boot into an entirely different OS just to use tor.

Again, no.  If you do it all in the browser, you expose yourself to browser exploits.  Browsers have pretty much the largest attack surface of any major piece of software.  Even with an OS based solution, you are vulnerable to kernel exploits.  However, kernels receive much better auditing and have a much smaller attack surface.
hero member
Activity: 675
Merit: 507
Freedom to choose
1. Disable JS
2. Enable NS
3. Use VPN for backup connection, NOT directly from your ISP.

4. be smart
full member
Activity: 168
Merit: 100
Kids, the way to use Tor is to have your firewall to intercept ALL your outgoing connections and route em via Tor proxy. Flash or no flash.


How does one go about doing this?
vip
Activity: 756
Merit: 503
Quote

In any case, wouldn't it be possible to build it right into the browser? I mean, everything in the browser, all plug-ins, etc... would either not work, or would have to go through tor. Thatd be much more convenient than having to completely re-boot into an entirely different OS just to use tor.
You don't need to reboot anything. It's working with 2 virtual machine on top of your actual OS.

Or something like this: http://learn.adafruit.com/onion-pi/overview
Very nice I might try to build one.
legendary
Activity: 2058
Merit: 1005
this space intentionally left blank
Quote

In any case, wouldn't it be possible to build it right into the browser? I mean, everything in the browser, all plug-ins, etc... would either not work, or would have to go through tor. Thatd be much more convenient than having to completely re-boot into an entirely different OS just to use tor.
You don't need to reboot anything. It's working with 2 virtual machine on top of your actual OS.

Or something like this: http://learn.adafruit.com/onion-pi/overview
vip
Activity: 756
Merit: 503
Quote

In any case, wouldn't it be possible to build it right into the browser? I mean, everything in the browser, all plug-ins, etc... would either not work, or would have to go through tor. Thatd be much more convenient than having to completely re-boot into an entirely different OS just to use tor.
You don't need to reboot anything. It's working with 2 virtual machine on top of your actual OS.
legendary
Activity: 1470
Merit: 1007
Tor was not compromised. Only the servers hosting half of the hidden service and users browser if JS was not disabled.

For those only skimming this thread, this is the correct answer. (doesn't mean it isn't pretty bad, but an important distinction to be made nonetheless)
hero member
Activity: 518
Merit: 500
Kids, the way to use Tor is to have your firewall to intercept ALL your outgoing connections and route em via Tor proxy. Flash or no flash.


Agreed. Correct settings and no problem.
full member
Activity: 168
Merit: 100
What? Then whats the entire point of tor? Wtf?

I still don't see how JS is getting my IP, though. I'm using TOR, the browser is the TOR browser. I assume (i'm not an expert) that all connections through that browser have to hop through tor, right? So how is the JS opening the connection outside of TOR, in order to get the IP?

It's a script so it can do quite a number of things. One thing it can do is launch different protocol handlers, ie. Flash, which when launched won't know to connect through the Tor client and will connect through your regular connection - because that's what it does by default. So you'd load the site on Tor and some component thereof on your regular connection, which needless to say, compromises your identity.

Wow, I thought tor protected you from this kind of hack in some way. Isn't there some way of stopping all non-tor connections automatically? I mean, like doing some way of catching all traffic that isn't through tor, and blocking it all. Clearly it would get in the way sometimes, but going without JS sorta makes the majority of websites useless.

I was under the impression there was some 0-day firefox exploit that allowed the hacker to download some .exe (or equiv) file to the client computer and execute it, and get the IP in that way.

In a perfect world, there would be an https-style warning "this site is attempting to display some content to you outside of the tor network, do you want to allow" or the like.

Quote
Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network[5], Debian GNU/Linux[6] and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP.
Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.
https://whonix.org/wiki/Main_Page

Wow, thats super legit. Somebody should build a chrome-os type thing off of that for clients. Its made for that type of thing. Problem is youd likely get very bad load times, am I right? Still, I'm sure some people would have a use for it.

Wow, with Whonix & Bitcoin, its possible to practically use the entirity of the internet, payments & all, without any privacy concerns whatsoever. Its good to the point of being disconcerting.

In any case, wouldn't it be possible to build it right into the browser? I mean, everything in the browser, all plug-ins, etc... would either not work, or would have to go through tor. Thatd be much more convenient than having to completely re-boot into an entirely different OS just to use tor.

vip
Activity: 756
Merit: 503
What? Then whats the entire point of tor? Wtf?

I still don't see how JS is getting my IP, though. I'm using TOR, the browser is the TOR browser. I assume (i'm not an expert) that all connections through that browser have to hop through tor, right? So how is the JS opening the connection outside of TOR, in order to get the IP?

It's a script so it can do quite a number of things. One thing it can do is launch different protocol handlers, ie. Flash, which when launched won't know to connect through the Tor client and will connect through your regular connection - because that's what it does by default. So you'd load the site on Tor and some component thereof on your regular connection, which needless to say, compromises your identity.

Wow, I thought tor protected you from this kind of hack in some way. Isn't there some way of stopping all non-tor connections automatically? I mean, like doing some way of catching all traffic that isn't through tor, and blocking it all. Clearly it would get in the way sometimes, but going without JS sorta makes the majority of websites useless.

I was under the impression there was some 0-day firefox exploit that allowed the hacker to download some .exe (or equiv) file to the client computer and execute it, and get the IP in that way.

In a perfect world, there would be an https-style warning "this site is attempting to display some content to you outside of the tor network, do you want to allow" or the like.

Quote
Whonix is an operating system focused on anonymity, privacy and security. It's based on the Tor anonymity network[5], Debian GNU/Linux[6] and security by isolation. DNS leaks are impossible, and not even malware with root privileges can find out the user's real IP.
Whonix consists of two parts: One solely runs Tor and acts as a gateway, which we call Whonix-Gateway. The other, which we call Whonix-Workstation, is on a completely isolated network. Only connections through Tor are possible.
https://whonix.org/wiki/Main_Page
full member
Activity: 168
Merit: 100
What? Then whats the entire point of tor? Wtf?

I still don't see how JS is getting my IP, though. I'm using TOR, the browser is the TOR browser. I assume (i'm not an expert) that all connections through that browser have to hop through tor, right? So how is the JS opening the connection outside of TOR, in order to get the IP?

It's a script so it can do quite a number of things. One thing it can do is launch different protocol handlers, ie. Flash, which when launched won't know to connect through the Tor client and will connect through your regular connection - because that's what it does by default. So you'd load the site on Tor and some component thereof on your regular connection, which needless to say, compromises your identity.

Wow, I thought tor protected you from this kind of hack in some way. Isn't there some way of stopping all non-tor connections automatically? I mean, like doing some way of catching all traffic that isn't through tor, and blocking it all. Clearly it would get in the way sometimes, but going without JS sorta makes the majority of websites useless.

I was under the impression there was some 0-day firefox exploit that allowed the hacker to download some .exe (or equiv) file to the client computer and execute it, and get the IP in that way.

In a perfect world, there would be an https-style warning "this site is attempting to display some content to you outside of the tor network, do you want to allow" or the like.
member
Activity: 70
Merit: 10
j-coin//just 4 cpu's
fucktards are gonna be fucktards, all there is to it.
hero member
Activity: 1302
Merit: 502
What? Then whats the entire point of tor? Wtf?

I still don't see how JS is getting my IP, though. I'm using TOR, the browser is the TOR browser. I assume (i'm not an expert) that all connections through that browser have to hop through tor, right? So how is the JS opening the connection outside of TOR, in order to get the IP?

It's a script so it can do quite a number of things. One thing it can do is launch different protocol handlers, ie. Flash, which when launched won't know to connect through the Tor client and will connect through your regular connection - because that's what it does by default. So you'd load the site on Tor and some component thereof on your regular connection, which needless to say, compromises your identity.
sr. member
Activity: 405
Merit: 250

What? Then whats the entire point of tor? Wtf?

I still don't see how JS is getting my IP, though. I'm using TOR, the browser is the TOR browser. I assume (i'm not an expert) that all connections through that browser have to hop through tor, right? So how is the JS opening the connection outside of TOR, in order to get the IP?
Not a problem with Tor.  A problem with people using poorly configured web-browsers waiting to be exploited to reveal IP.  I think if you download a respectable TOR package then it will have javascript disabled by default.  A site really bent on security should run a javascript capability test and enforce it upon users.

TOR is a networking tunnel system.  Your computer is still connected to the internet with an IP address.  Not sure how many people turned on javascript or failed to turn it off.  The javascript could also create cookies which could be queried elsewhere.  I am not sure of specifics but cookies and javascript would be the downfall.  

Again - research browser packages.  Trying to set all the stuff up yourself is asking to have these exploits left open. (but might possibly save you from nefarious third-parties if the tor browser package has been compromised.)
sr. member
Activity: 364
Merit: 250
Forgive me if I'm being naiive, but this doesn't quite make sense to me?

So somehow freedom hosting was hacked, and the hacker put some malicious JS on each of freedom hosting's hosted websites, and used that hack to put software on freedom hosting's machine to ascertain its location. That part seems reasonable & believable. But, apparently the JS somehow got at the viewer's IP? That seems like, sorta a major bug in the Tor software? Couldn't any admin anywhere use that code to get at the viewer's IP, in theory? Unless I'm understanding something wrong?

EDIT: so the tor browser had some sort of a glitch that allowed malware to be downloaded to the computers, and then apparently ping one of the attacker's computers outside of tor to get the IP of the viewer?

Basically you can do that with Flash, Javascript, and a few other web languages.

Usually NoScript stops all these things in the browser bundle, but they don't have it enabled by default because it breaks a lot of sites and they are trying to capture more, less savvy users.

What? Then whats the entire point of tor? Wtf?

I still don't see how JS is getting my IP, though. I'm using TOR, the browser is the TOR browser. I assume (i'm not an expert) that all connections through that browser have to hop through tor, right? So how is the JS opening the connection outside of TOR, in order to get the IP?

From what I understand it basically drops a little bomb that ticks off a ping when you use the browser outside of TOR, or something to that extent. I could be completely mistaken.
full member
Activity: 168
Merit: 100
Forgive me if I'm being naiive, but this doesn't quite make sense to me?

So somehow freedom hosting was hacked, and the hacker put some malicious JS on each of freedom hosting's hosted websites, and used that hack to put software on freedom hosting's machine to ascertain its location. That part seems reasonable & believable. But, apparently the JS somehow got at the viewer's IP? That seems like, sorta a major bug in the Tor software? Couldn't any admin anywhere use that code to get at the viewer's IP, in theory? Unless I'm understanding something wrong?

EDIT: so the tor browser had some sort of a glitch that allowed malware to be downloaded to the computers, and then apparently ping one of the attacker's computers outside of tor to get the IP of the viewer?

Basically you can do that with Flash, Javascript, and a few other web languages.

Usually NoScript stops all these things in the browser bundle, but they don't have it enabled by default because it breaks a lot of sites and they are trying to capture more, less savvy users.

What? Then whats the entire point of tor? Wtf?

I still don't see how JS is getting my IP, though. I'm using TOR, the browser is the TOR browser. I assume (i'm not an expert) that all connections through that browser have to hop through tor, right? So how is the JS opening the connection outside of TOR, in order to get the IP?
Pages:
Jump to: