[tor-dev] yes hello, internet supervillain here

Fears No One nachash at observers.net
Sun Nov 9 07:30:22 UTC 2014

To address a question from Mansour Moufid first: There aren't any
preserved access logs, unfortunately. I copied some of the access logs
from the August DoS to another directory but never bothered to scp them
to my box. Another regret is that pcaps weren't taken, but we both made
the mistake of assuming that because the DoS was mitigated that nothing
that was preserved would be all that important anymore. If there was
more to give, we would have been released it.

The box was an OpenVZ VPS (Essentially a glorified chroot jail, for
those who are unfamiliar)), so no, there was no physical hardware from
my standpoint. Thus, full disk crypto wasn't really an option. From the
standpoint of someone with root access to a dedi with OpenVZ vms,
finding hidden services that are hosted by customers is a matter of
looking for files named private_key anywhere under the /vz folder.

Neither of us are rolling in fake internet money like the drug market
operators (Hint: This should indicate to anyone thinking of asking if we
ran bitcoind that we didn'), so the other alternatives were to either
use rooted boxes or flip a coin to decide who gets to host from home.
Since rooted boxes are obviously not ideal and hosting from home would
probably only be safe if we were running something like Cat Facts
(http://2v7ibl5u4pbemwiz.onion/index.php), we went with the lesser of
evils. As was the tradition with doxbin boxes, the registration info
usually either went back to some criminal who was on the run at the time
of purchase (Such as this guy:
or it went back to someone who had a comprehensive doxbin entry (Hello,
Daniel Brandt and Keith Alexander).

I don't have an exact time, but by around 13:00 UTC or so on the 6th,
the box was down. When the Silk Road 2.0 seizure news broke, doxbin was
already gone. I checked the most current doxbin onion and attempted to
ssh into the box every couple of hours for around the first 24 hours,
until a friend pointed out that one of the old doxbin onions was serving
up the Silk Road 2.0 seizure page. At the time, the main onion was
serving up some 404 page (Which I expected to eventually point to some
sort of honeypot, but the pigs really let me down on that one), while
other onions were unresponsive. This had changed by the next day, when
all the onions from the doxbin box were pointed to the seizure page. The
speculation has been that the cops were adding onions one at a time, and
my personal experience supports that. Police who are dedicated to
seizing and taking control of hidden services are still struggling with
managing a torrc file efficiently. Go figure.

There was some downtime on the box maybe a month ago, which I originally
thought was when it got imaged pre-seizure, once all this drama began. I
can't look at the access log report numbers and say "This is the date,
because there's a huge dip in traffic" so I'm going to have to get back
with you on that. The fact that they were adding onions to the seizure
box over 24 hours after the takendown might suggest that they for some
reason didn't image it beforehand, which would be a curious break from
their habits as laid out in past criminal complaints.

An update: All of the access log reports ever generated for doxbin can
be now be downloaded from the URLs in my initial e-mail. Other people
wanted some of them to compare to the DoS log reports, so now they can
pick their own control group.

P.S. Neither of us have been arrested or have even noticed any signs of
in-person heat (Cleaning vans, new neighbors, etc), which also seems to
point to the doxbin seizure being half-cocked.

Here until I'm in handcuffs,


On 11/09/2014 05:51 AM, Roger Dingledine wrote:
> On Sat, Nov 08, 2014 at 10:10:23PM +0000, Fears No One wrote:
>> If you have any questions/clarifications, just ask.
> [...]
>>  All of these files are in the hands of the
>> cops anyway (And I have no plans of bringing doxbin back), so there are
>> 0 real-time opsec concerns.
> Hello Mr. Supervillain,
> Can you clarify for us what actually happened to your server and site? A
> lot of people have been saying a lot of stuff over the past few days.
> In particular, did they seize the actual hardware? Did they put up their
> own hidden service using your hidden service key? If both, a) did the
> hardware get taken before the hidden service went up, or vice versa?
> and b) do you have approximate timestamps of these events? I guess
> "c) was there disk encryption" is a fine next question.
> (For that matter, *was* there actual hardware, or was this a vm in
> somebody else's computer?)
> The php elephant does indeed seem like a big issue. But it would be neat
> to find a data point here where they had the hidden service key before
> they took the hardware.
> --Roger
> _______________________________________________
> tor-dev mailing list
> tor-dev at lists.torproject.org
> https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev

More information about the tor-dev mailing list