[tor-talk] Wired Story on Uncovering Users of Hidden Services.
Griffin Boyce
griffin at cryptolab.net
Wed Sep 10 04:26:03 UTC 2014
Kyle Maxwell wrote:
> Griffin Boyce wrote:
>> Actually, no, I *am* surprised that they decided to not even
>> bother trying to gift malware to Mac or Linux users.
>
> Probably just playing the odds, I'd suspect. Though they could've
> examined the access logs at some point - do we know either way on that?
Hey Kyle,
With Freedom Hosting, I actually don't know. It seems like few
technical details have come out of that case. However, I *do* know that
they'd been hacked at various points, and the service had very poor
security overall. The restrictions in place did not actually prevent
PHP files from creating *other* types of scripts... Their sandboxing
was reputedly quite bad, and for years they had no restrictions on
resources that users could utilize. So creating an app designed to
expand to occupy all resources on the server until it crashed was highly
effective. The server itself may not even have kept access logs. It's
unclear.
With SilkRoad[2], supposedly investigators imaged the entire drive, so
this should still be possible. In any case, I think it's important to
avoid taking the investigators' statements at face value. Weev
mentioned that investigators made dubious technical statements in some
places, and while I haven't read all of the documents to come out about
this case, that's certainly within the realm of possibility.
There are likely still details that haven't come out yet about both
cases (though I can't know for sure) and it's not entirely clear what
level of technical expertise various people have.
Things that are important to note for hidden service operators:
- Firewall rules are really useful for keeping out unwarranted
scrutiny.
- Don't hardcode your IP address in any links (though this is one of
the least-likely theories).
- Having a pseudonym isn't a replacement for excellent security
practices.
- Don't run a hidden service host.
- For best security, run your own services rather than relying on
someone else's security. I feel like this is often overlooked in the
name of "easiness" but it's really important IMO. [1]
best,
Griffin
[1] Incidentally, the hidden service documentation rewrite has been
underway for a while now.
[2] As Salvador Dali once said "I don't do drugs, I *am* drugs." #fact
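The "don't hardcode your IP address in any links" point above is easy to check mechanically. The script below is an added example, not part of the original thread: it parses HTML with the standard library and reports every href/src/action/data URL whose host is a bare IPv4 or IPv6 literal rather than a hostname or .onion address. The sample page and its addresses are constructed for the demonstration.

```python
import ipaddress
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

# Attributes whose values a visitor's browser will fetch or follow.
URL_ATTRS = {"href", "src", "action", "data"}


class _LinkCollector(HTMLParser):
    """Collect (tag, attribute, url) triples from an HTML document."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.links.append((tag, name, value))


def host_is_literal_ip(url):
    """Return the IP literal if the URL's host is a bare IP address, else None."""
    host = urlsplit(url, scheme="").hostname  # None for relative URLs
    if not host:
        return None
    try:
        return str(ipaddress.ip_address(host))  # handles IPv4 and bracketed IPv6
    except ValueError:
        return None  # hostname or .onion address, not an IP literal


def find_hardcoded_ips(html):
    """Return [(tag, attr, url, ip)] for every URL whose host is an IP literal."""
    collector = _LinkCollector()
    collector.feed(html)
    return [(tag, attr, url, ip) for tag, attr, url in collector.links
            if (ip := host_is_literal_ip(url)) is not None]


def scan_webroot(root):
    """Walk a document root and return {path: findings} for files that leak an IP."""
    results = {}
    for path in Path(root).rglob("*.htm*"):
        hits = find_hardcoded_ips(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results


# Constructed sample page: two clean links, three hardcoded-IP leaks.
SAMPLE_HTML = """<html><body>
<a href="/about.html">About</a>
<a href="http://example.onion/faq">FAQ</a>
<img src="http://203.0.113.7/static/logo.png">
<form action="//[2001:db8::1]:8080/login"></form>
<link href="http://198.51.100.22:8443/style.css" rel="stylesheet">
</body></html>"""
```

Running `find_hardcoded_ips(SAMPLE_HTML)` flags the img, form and link entries; `scan_webroot("/var/www")` applies the same check across a document root.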