[tor-talk] Wired Story on Uncovering Users of Hidden Services.

blobby at openmailbox.org
Wed Aug 13 10:06:00 UTC 2014


A recent story in Wired is entitled "Visit the Wrong Website and the FBI 
Could End Up in Your Computer" by Kevin Poulsen 
(http://www.wired.com/2014/08/operation_torpedo/). The story involves 
the FBI uncovering the IP addresses of numerous users of a Tor hidden 
service.

I know this was mentioned previously 
(https://lists.torproject.org/pipermail/tor-talk/2014-August/034270.html) 
but I am interested in a different aspect.

Within the story, there is a link to a PDF of an application for a 
search warrant 
(https://www.documentcloud.org/documents/1261620-torpedo-affidavit.html) 
which provides illuminating reading (parts are a bit disgusting as they 
refer to the content of the hidden service which was serving child 
porn).

In short, the FBI arrested the owner of the hidden service, took over 
the server, then installed a "Network Investigative Technique" (malware) 
which collected the IP of visitors. See pages 31-33 of the PDF 
affidavit.

Three questions:

If it's possible for the owner of a hidden service (whether the FBI or a 
regular person) to install malware which grabs visitors' IPs, then what 
is stopping any hidden service owner from doing this?

The Wired article states that "In a two-week period, the FBI collected 
IP addresses, hardware MAC addresses (a unique hardware identifier for 
the computer’s network or Wi-Fi card) and Windows hostnames on at least 
25 visitors to the sites. Subpoenas to ISPs produced home addresses and 
subscriber names, and in April 2013, five months after the NIT 
deployment, the bureau staged coordinated raids around the country."

However, in the affidavit, I'm not sure that MAC addresses are 
mentioned.

Considering the number of individuals that must have visited the hidden 
service, this doesn't seem to be very many people. Why were so few 
identified? Were the 25 using outdated browsers (TBB)?

How, in this case, was it possible for the FBI to learn the IP addresses 
of visitors to this hidden service? The Tor hidden server page states 
that "In general, the complete connection between client and hidden 
service consists of 6 relays: 3 of them were picked by the client with 
the third being the rendezvous point and the other 3 were picked by the 
hidden service."

Can someone knowledgeable please explain how visitors to a Tor hidden 
service can have their real IPs detected?
