[tor-talk] Wired Story on Uncovering Users of Hidden Services.

Griffin Boyce griffin at cryptolab.net
Wed Sep 10 04:26:03 UTC 2014


Kyle Maxwell wrote:
> Griffin Boyce wrote:
>> Actually, no, I *am* surprised that they decided to not even
>> bother trying to gift malware to Mac or Linux users.
> 
> Probably just playing the odds, I'd suspect. Though they could've
> examined the access logs at some point - do we know either way on that?

Hey Kyle,

   With Freedom Hosting, I actually don't know.  It seems like few 
technical details have come out of that case.  However, I *do* know that 
they'd been hacked at various points, and the service had very poor 
security overall.  The restrictions in place did not actually prevent 
php files from creating *other* types of scripts...  Their sandboxing 
was reputedly quite bad, and for years they had no restrictions on 
resources that users could utilize.  So creating an app designed to 
expand to occupy all resources on the server until it crashed was highly 
effective.  The server itself may not even have kept access logs.  It's 
unclear.

   With SilkRoad[2], supposedly investigators imaged the entire drive, so 
this should still be possible.  In any case, I think it's important to 
avoid taking the investigators' statements at face value.  Weev 
mentioned that investigators made dubious technical statements in some 
places, and while I haven't read all of the documents to come out about 
this case, that's certainly within the realm of possibility.

   There are likely still details that haven't come out yet about both 
cases (though I can't know for sure) and it's not entirely clear what 
level of technical expertise various people have.

Things that are important to note for hidden service operators:
   - Firewall rules are really useful for keeping out unwarranted 
scrutiny.
   - Don't hardcode your IP address in any links (though this is one of 
the least-likely theories).
   - Having a pseudonym isn't a replacement for excellent security 
practices.
   - Don't run a hidden service host.
   - For best security, run your own services rather than relying on 
someone else's security.  I feel like this is often overlooked in the 
name of "easiness" but it's really important IMO. [1]

best,
Griffin

[1] Incidentally, the hidden service documentation rewrite has been 
underway for a while now.
[2] As Salvador Dali once said "I don't do drugs, I *am* drugs." #fact
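
The advice in the message above not to hardcode an IP address in links can be checked mechanically before a site is published. The following Python check is an added example, not part of the original message: it parses HTML and reports URL attributes whose host is an IP literal. The function names, the attribute list and the sample page (documentation-range addresses, placeholder .onion name) are assumptions constructed for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from pathlib import Path
from urllib.parse import urlsplit

# Attributes that commonly carry URLs (assumed list, extend as needed).
URL_ATTRS = {"href", "src", "action", "poster", "data"}

def host_is_ip(url):
    """True if the URL's host part is an IPv4/IPv6 literal."""
    try:
        host = urlsplit(url.strip()).hostname  # None for relative links
        ipaddress.ip_address(host or "")
        return True
    except ValueError:  # no host, a DNS/.onion name, or a malformed URL
        return False

class IPLinkFinder(HTMLParser):
    """Collects (tag, attribute, url) for every IP-literal URL attribute."""
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value and host_is_ip(value):
                self.findings.append((tag, name, value))

def find_ip_links(html):
    finder = IPLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.findings

def scan_tree(root):
    """Map each .htm/.html file under root to its IP-literal links."""
    report = {}
    for path in sorted(Path(root).rglob("*.htm*")):
        hits = find_ip_links(path.read_text(errors="replace"))
        if hits:
            report[str(path)] = hits
    return report

# Constructed sample page: 203.0.113.0/24 and 2001:db8::/32 are documentation ranges.
SAMPLE_PAGE = """<html><body>
<a href="/about.html">About</a>
<a href="http://exampleplaceholderaddress.onion/forum">Forum</a>
<img src="http://203.0.113.7/logo.png">
<a href="//203.0.113.7:8080/files/">Files</a>
<form action="http://[2001:db8::1]/login"></form>
</body></html>"""
```

Running `scan_tree()` over the document root before each deploy catches templates or user-uploaded pages that reintroduce an address; it does not cover addresses leaked through server headers, error pages or script-generated URLs.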

