[tor-talk] Warning: Do NOT use my mirrors/services until I have reviewed the situation

Thomas White thomaswhite at riseup.net
Mon Dec 22 16:57:26 UTC 2014

Hash: SHA512

Hey all,

So after one crazy night, some more information is slowly coming to light.

1. Right now I am happy that whatever happened is not the result of a
seizure as access to the servers has now been restored to me.

2. The USB device is from the KVM according to the provider but given
the circumstances such information was collected under it isn't
possible to fully reference all the events before my initial mailing.

3. The DC has confirmed via Twitter that the servers were not
"accessed". Having been raided in the past I know indeed they can be
forced under Dutch law not to inform clients of raids, but I don't
feel this may be the case. With that being said, a chassis intrusion
indicator still must be addressed and I cannot find it in the logs
anymore. The DC company are not the people who I directly interact
with however so I am still awaiting a direct response form those we
host the server with.

4. i3D has provided a statement saying the USB device is the KVM,
whereas the host I rent directly from has said no USB device was in
the machine at the time. I haven't spoken in full yet to either party
so I can't know the full facts of their statements or if there is a
explanation for what seem conflicting statements. Somebody has
suggested to me that the KVM could appear as a USB device which would
make sense, but that right now is a theory and not a fact.

5. I am not in any way saying i3D or Snel are bad hosts. They have
been excellent with me so far and I know they do not hand over
information unless they are bound to by law. I cannot expect an
ISP/business to go beyond the law in defending their customers and so
I feel they are doing the best they can for their clients including
me. Indeed I have written a very positive review for my current ISP
some months back and I stand by that review, especially for any party
who wants to host their own Tor exit nodes on dedicated hardware.

6. The disappearance of logs such as bandwidth information so far has
not been solved. There is no obvious cause of this right now either
but I've decided to file it as a bug report with the ISP to get some
more information on the matter and see if any backups of it were stored.

7. Having had an email from my partner, he has confirmed nothing
sensitive was on the machines under his management. We are now
considering our options of re-launching the mirrors but for now we
will be keeping the exits offline. I should add at this point as arma
has pointed out previously there is only a little bit more information
that an adversary can gain from hijacking your relays than they could
watching the IXP for example and so even hijacking the servers, whilst
uncomfortable, in itself should not be enough to break a users'
anonymity or the safety of the network.

8. I haven't been raided yet so I have stored my spartan cape, shield
and spear back into the cupboard. I think I can let me guard down a
little more now.

9. Media: Please do not report this as a Tor network compromise. Those
severs held not just Tor stuff and the IPs/fingerprints were
blacklisted very quickly thanks to ioerror who I talked to privately
with what little information I had at the time. The blacklists were
precautionary and we had no evidence then it was actually compromised.
The reporting of suspicious circumstances and being proactive when it
comes to system security is very important, especially where there is
a responsibility to other users.

10. For all those people who I host stuff for over hidden services, I
have already moved all of your files to another ISP and securely
deleted the hard drives which were encrypted. That server does not
appear to have been as severely effected as others so I am pretty
confident nothing has fallen into the hands of a third party, but I
will issue fresh hidden service addresses as requested.

- -T

- -- 
Activist, anarchist and a bit of a dreamer.

PGP Keys: key.thecthulhu.com
Current Fingerprint: E771 BE69 4696 F742 DB94 AA8C 5C2A 8C5A 0CCA 4983
Key-ID: 0CCA4983
Master Fingerprint: DDEF AB9B 1962 5D09 4264 2558 1F23 39B7 EF10 09F0
Key-ID: EF1009F0

Twitter: @CthulhuSec
XMPP: thecthulhu at jabber.ccc.de
XMPP-OTR: 4321B19F A9A3462C FE64BAC7 294C8A7E A53CC966


More information about the tor-talk mailing list