[tor-talk] Wired Story on Uncovering Users of Hidden Services.
blobby at openmailbox.org
Wed Aug 13 10:06:00 UTC 2014
A recent story in Wired is entitled "Visit the Wrong Website and the FBI
Could End Up in Your Computer" by Kevin Poulsen
(http://www.wired.com/2014/08/operation_torpedo/). The story involves
the FBI uncovering the IP addresses of numerous users of a Tor hidden
service.

I know this was mentioned previously
(https://lists.torproject.org/pipermail/tor-talk/2014-August/034270.html)
but I am interested in a different aspect.

Within the story, there is a link to a PDF of an application for a
search warrant
(https://www.documentcloud.org/documents/1261620-torpedo-affidavit.html)
which provides illuminating reading (parts are a bit disgusting as they
refer to the content of the hidden service which was serving child
porn).

In short, the FBI arrested the owner of the hidden service, took over
the server, then installed a "Network Investigative Technique" (malware)
which collected the IP of visitors. See pages 31-33 of the PDF
affidavit.

Three questions:

If it's possible for the owner of a hidden service (whether the FBI or a
regular person) to install malware which grabs visitors' IPs, then what
is stopping any hidden service owner from doing this?

The Wired article states that "In a two-week period, the FBI collected
IP addresses, hardware MAC addresses (a unique hardware identifier for
the computer’s network or Wi-Fi card) and Windows hostnames on at least
25 visitors to the sites. Subpoenas to ISPs produced home addresses and
subscriber names, and in April 2013, five months after the NIT
deployment, the bureau staged coordinated raids around the country."

However, in the affidavit, I'm not sure that MAC addresses are
mentioned.

Considering the number of individuals that must have visited the hidden
service, this doesn't seem to be very many people. Why were so few
identified? Were the 25 using outdated browsers (TBB)?

How, in this case, was it possible for the FBI to learn the IP addresses
of visitors to this hidden service? The Tor hidden server page states
that "In general, the complete connection between client and hidden
service consists of 6 relays: 3 of them were picked by the client with
the third being the rendezvous point and the other 3 were picked by the
hidden service."

Can someone knowledgeable please explain how visitors to a Tor hidden
service can have their real IPs detected?
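Added example, written here for this archive page and not part of the post above, of Tor, or of anything the Tor project ships. It illustrates the defender's side of the third question: the rendezvous circuit quoted from the Tor documentation never carries the visitor's own address to the hidden service, so a visitor's real IP can reach the service operator only if something on the visitor's machine opens a connection outside the local Tor proxy. The check below scans connection records from the client host and flags browser connections that do not terminate at the Tor SOCKS listener. Assumptions: the listener is 127.0.0.1:9150 (Tor Browser's default SOCKS port), the browser process name is `firefox.exe` or `firefox`, and the netstat-style records are constructed sample data, not real traffic.

```python
"""Host-side proxy-bypass check for a Tor Browser machine (added example).

Constructed record format, one connection per line:
    <pid> <process> <local ip:port> <remote ip:port> <state>
Only IPv4 endpoints are modelled, so splitting on the last ':' is safe.
"""
from dataclasses import dataclass
from ipaddress import ip_address

TOR_SOCKS = ("127.0.0.1", 9150)               # Tor Browser default SOCKS listener
BROWSER_PROCESSES = {"firefox.exe", "firefox"}  # assumed browser process names

# Constructed sample records (documentation/TEST-NET addresses, not real hosts).
SAMPLE_CONNECTIONS = """\
1234 firefox.exe 127.0.0.1:49152 127.0.0.1:9150 ESTABLISHED
1234 firefox.exe 127.0.0.1:49153 127.0.0.1:9150 ESTABLISHED
2345 tor.exe 192.0.2.10:49200 198.51.100.7:443 ESTABLISHED
1234 firefox.exe 192.0.2.10:49301 203.0.113.9:80 SYN_SENT
1234 firefox.exe 192.0.2.10:49302 203.0.113.9:443 ESTABLISHED
"""


@dataclass(frozen=True)
class Conn:
    pid: int
    process: str
    local: tuple
    remote: tuple
    state: str


def parse_endpoint(text):
    """Split 'ip:port' into ('ip', port)."""
    host, _, port = text.rpartition(":")
    return (host, int(port))


def parse_connections(text):
    """Parse the constructed netstat-style records into Conn objects."""
    conns = []
    for line in text.splitlines():
        if not line.strip():
            continue
        pid, proc, local, remote, state = line.split()
        conns.append(Conn(int(pid), proc, parse_endpoint(local),
                          parse_endpoint(remote), state))
    return conns


def bypasses_proxy(conn):
    """True when a browser connection goes anywhere except the Tor SOCKS port.

    The tor process itself must reach relays directly, so it is never flagged.
    """
    if conn.process not in BROWSER_PROCESSES:
        return False
    return conn.remote != TOR_SOCKS


def exposed_ip(conn):
    """The address the remote end sees, or None when the socket is loopback."""
    host = conn.local[0]
    return None if ip_address(host).is_loopback else host


def find_bypasses(text):
    """Return every browser connection that left the machine outside Tor."""
    return [c for c in parse_connections(text) if bypasses_proxy(c)]


if __name__ == "__main__":
    for c in find_bypasses(SAMPLE_CONNECTIONS):
        print(f"pid {c.pid} {c.process}: {c.remote[0]}:{c.remote[1]} "
              f"reached directly, exposing {exposed_ip(c)} ({c.state})")
```

On a real host the same rule is better enforced than observed: a host firewall that permits only the tor process to make outbound connections turns a proxy bypass into a blocked connection rather than a leaked address, and the blocked attempts become the log lines a defender would alert on.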