[tor-talk] potential leak on Torpedo

Eugen Leitl eugen at leitl.org
Mon Jul 21 14:31:35 UTC 2014


Please read if you use/depend on Tor. Never before seen FH information.

submitted 16 hours ago * by Deepthroat2 [+1]

Hello everyone, I have some information that I have been dying to share for
months, but due to the circumstances, and to avoid detection, I had to wait
for some time before I was able to safely make this post. My goal here is to
provide information that I know is credible and for the Tor community to use
it as they see fit, due to the nature of my work, and the severe penalties
associated with breaking the rules and giving out information you aren't
supposed too, I have no way of verifying or proving anything to you that I
say here, I understand if find me less than credible, however, this is
essentially a PSA, and you can take it for what it's worth to you.

Just about one year ago, the Tor community was shaken by a Firefox exploit
which utilized a javascript exploit and an old vulnerbility in the Tor
Browser Bundle to unmask some users of Freedom Hosting. There has been
rampant misinformation, and speculation to the point that I felt like pulling
my hair out, or just simply bursting out into laughter when reading some of
the outlandish claims made by people who have little to no idea what they are
talking about. Today, I will set the record straight.

The FH exploit was a government engineered, and deployed exploit that was
designed in response to former Director Mueller's fustration at an earlier
child pornography case in which the FBI was ridiculed for being unable to
ascertain the source of child pornography, for those who aren't familiar with
this case, it involved a man who had accessed child pornography by accident
on a Tor hidden service, and then brought his desktop computer to the office,
explaining what had happened and that he subsequently preformed a "Full wipe"
on the disk.

The agent who took the report had limited knowledge about Tor, however, at
the time he knew that any directed effort to identify a specific Tor user was
hopeless, and in the report he indicated that "There is currently no known
way to ascertain the location of a Tor user, thus, no investigative leads
exsist." This got leaked to the press, and they had a field day, hinting at
the incompetency of the Bureau. Needless to say, the FBI had it's ego hurt
quite badly by this public display of incompetency.

Then Director Mueller directed the CEOS (Child exploitation and obscenity
section) to find a way to penetrate the layers of protection provided by Tor,
and to come up with a fesible way to conduct a sting operation in order to
bring these people to justice. The FBI had previously conducted a sting on
viewers of child pornography in a case out of Nebraska, that resulted in the
arrest of about 25 people. This was the first successful take down of CP
consumers that were utilizing a Tor hidden service.

One of the errors that I see alot on these forums and others was that the
Nebraska take down was done in a similar fashion to the FH exploit, with the
code being deployed onto the pages of the boards, however, this is not the
case. From my understanding, the Nebraska field office was able to find the
actual server, take it over covertly, then upload a series of files that
purported to be child pornography, but actually contained nothing but
encrypted gibberish. They were video files that were embedded with code that
called back to a computer that recorded the IP address of the requestor, date
and time similar to the way windows media player attempts to recall album
information and cover art for music cds and such. These were files that the
user actually had to download and attempt to open. This is why the service
was run for weeks, and only 25 people were identified as users. This method
was described by the techs who deployed it as a "NIT" or "Network
Investigational Tool".

Now for Freedom Hosting....

The javascript exploit could not be deployed directly on the servers which
Mr. Marques was using due to either technical reasons, or legal requirements
by the AUSA in Maryland. So the decision was made to clone the services
exactly, and transport then to the home of the FBI CEOS in the Greenbelt
division of Maryland. This location was picked specifically because
sentencing in this district for Child Pornography crimes is more severe. It
was July 31st of 2013 when the exploit actually went live, and tried to
identify criminals. It was installed previously, however, there were
technical problems early on and the code had to be revised 3 times before it
was running as intended, it ran for about 11 days before being shut down.

The amount of people identified by this exploit is still a closely gaurded
secret, with only agents having a direct "Need to know" being privy to this
information. Howver, the victory dance was short lived as news started
flowing around that the evidence may not be admissible in court, due to the
manner in which it was collected, among other reasons. Although proper
warrants were issued, it would take atleast 4-7 years to comb through the
list of suspects, and question, arrest each one. The major problem is that
after about 12 months, the courts start to presume your evidence is
prejudicial to the defendant because you're supposed to have an indictment
and serve it on the defendant within 30 days, and that just wasn't possible.
You can request an extension of this time, however you must present a new,
fresh reason for doing so..."We still aren't ready" doesn't cut it. There is
no statue of limitations for the crime of "Accessing with intent to view
child pornography" so barring any other limitations, the FBI can come after
someone 10-15 years later.

The AUSA became uncomfortable with the prospects of his legal case against
the exploitees of FH and went to the US Attorney. There was disagreement as
to whether or not the evidence would be viable, however, the operation went
on anyways. One of the victims of the FH exploit was a man by the name of
Grant Klein from Vermont. The Bureau had made arrangements with the local
police for assistance with the raid (This is pretty much standard operation
procedure, and is done for the saftey of the agents, as well as to maintain
professional courtesy. Local cops get butt hurt when you arrest people on
their turf without them knowing).

The FBI had provided the local police with court documents and the affidavit
of arrest regarding the cirsumstances of Mr. Klein's warrant, which they
promptly posted onto their press release against the wishes of the FBI. This
resulted in the termination of atleast one employee from local PD.

He was raided and before even being asked a question ,he began spewing a
confession. His home was searched, and a desktop computer with no hard disk
was found, as well a laptop computer belonging to his wife Susan. There was
no illegal materials found on these, however, he had a smartphone in the
drawer of a nightstand which contained illegal images of minors. He was
arrested and charged with 3 seperate crimes.

To make a long story short, the FH related charges were dropped because the
FBI had crossed a legal line by offering up child pornography de novo, by
shutting down the server, then bringing it back online hosting real CP. They
were uncomfortable with the prospects of this case, and were able to use a
leon good faith exception to admit the evidence they found on his phone to
make a single possession charge stick, however, he agreed to plead guilty.
The rest of the leads which lead to foreign nationals were then distributed
accordingly to the various LEA's.

Also, earlier this wekk, the UK police arrested 660 people as part of
Operation Notarise.

The operation name of the FBI takedown in Nebraska was "Operation Torpedo"

This was a cute poke at both the method they used, and the users they

Torpedo - Navy missile

Tor Pedo - Tor Pedophile.


moar comments on Reddit

More information about the tor-talk mailing list