[tor-talk] Facebook brute forcing hidden services

Alec Muffett alecm at fb.com
Fri Oct 31 12:35:50 UTC 2014


Hi - My name's Alec, I work for Facebook and am the team lead for Facebook
over Tor.

Long story short: details will come out later, but we just did the same
thing as everyone else: generated a bunch of keys with a fixed lead prefix
("facebook") and then went fishing looking for good ones.

I feel that we got tremendously lucky.

    - alec

On 10/31/14, 5:23 AM, "Mike Cardwell" <tor at lists.grepular.com> wrote:

>https://www.facebook.com/notes/protect-the-graph/making-connections-to-facebook-more-secure/1526085754298237
>
>So Facebook have managed to brute force a hidden service key for:
>
>http://facebookcorewwwi.onion/
>
>If they have the resources to do that, what's to stop them brute
>forcing a key for any other existing hidden service?
>
>-- 
>Mike Cardwell  
>https://grepular.com/
>https://emailprivacytester.com/
>OpenPGP Key    35BC AF1D 3AA2 1F84 3DC3   B0CF 70A5 F512 0018 461F
>XMPP OTR Key   8924 B06A 7917 AAF3 DBB1   BF1B 295C 3C78 3EF1 46B4
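
The question in the quoted message comes down to how many characters of the address have to match. As an added example (not part of the original thread, and not Facebook's tooling), this code derives a v2-style .onion label as the base32 encoding of the first 80 bits of the SHA-1 of the service's public key, then compares the average work to fix an 8-character prefix with the work to match all 16 characters. The function names and the counter-derived byte strings standing in for DER-encoded RSA public keys are assumptions made for illustration.

```python
import base64
import hashlib


def onion_label(der_public_key: bytes) -> str:
    """v2 onion label: first 80 bits of SHA-1(public key), base32, lowercase."""
    digest = hashlib.sha1(der_public_key).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower()


def expected_attempts(fixed_chars: int) -> int:
    """Average candidates needed to fix this many base32 characters (5 bits each)."""
    return 32 ** fixed_chars


def search_prefix(prefix: str, max_tries: int = 500_000):
    """Hash stand-in key blobs until a label starts with `prefix`.

    Assumption: counter-derived byte strings stand in for DER-encoded RSA
    public keys; only the hash-and-truncate step is demonstrated here.
    """
    for tries in range(1, max_tries + 1):
        blob = b"constructed-stand-in-key-" + tries.to_bytes(8, "big")
        label = onion_label(blob)
        if label.startswith(prefix):
            return label, tries
    return None, max_tries


def report(demo_prefix: str = "fb", vanity_prefix: str = "facebook") -> dict:
    """Run a cheap 2-character search and scale the cost to longer matches."""
    label, tries = search_prefix(demo_prefix)
    vanity_cost = expected_attempts(len(vanity_prefix))
    full_cost = expected_attempts(16)  # every character of an existing address
    return {
        "found_label": label,
        "tries": tries,
        "expected_for_demo_prefix": expected_attempts(len(demo_prefix)),
        "expected_for_vanity_prefix": vanity_cost,
        "expected_for_full_label": full_cost,
        "full_vs_vanity_factor": full_cost // vanity_cost,
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

Fixing an 8-character prefix takes about 2^40 candidates on average, while matching an existing 16-character address takes about 2^80, a further factor of 2^40.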


