[tor-talk] Tor Speculated Broken by FBI Etc - Freedom Hosting, MITTechReview

[grarpamp]

https://www.technologyreview.com/s/615163/a-dark-web-tycoon-pleads-guilty-but-how-was-he-caught
https://twitter.com/techreview/status/1226212530856611840
https://www.courtlistener.com/recap/gov.uscourts.mdd.451238/gov.uscourts.mdd.451238.57.0.pdf
https://www.courtlistener.com/recap/gov.uscourts.mdd.247657/gov.uscourts.mdd.247657.13.1.pdf
https://arstechnica.com/tech-policy/2017/03/doj-drops-case-against-child-porn-suspect-rather-than-disclose-fbi-hack/
http://darknetq7skv7hgo.onion/

Given the variety of known weaknesses, exploits, categories
of papers, and increasing research efforts against tor and
overlay networks in general, and the large number of these
"mystery gaps" type of articles (some court cases leaving hardly
any other conclusion with fishy case secrecy, dismissals, etc)...
the area of speculative brokeness and parallel construction
seems to deserve serious investigative fact finding project of
global case collation, interview, analysis to better characterize.


Feb 8, 2020
A dark web tycoon pleads guilty. But how was he caught?
The FBI found Eric Marques by breaking the famed anonymity service
Tor, and officials won’t reveal if a vulnerability was used. That has
activists and lawyers concerned.

When the enterprising cybercriminal Eric Eoin Marques pleaded guilty
in an American court this week, it was meant to bring closure to a
seven-year-long international legal struggle centered on his dark web
empire.

In the end, it did anything but.

Marques faces up to 30 years in jail for running Freedom Hosting,
which temporarily existed beyond reach of the law and ended up being
used to host drug markets, money-laundering operations, hacking
groups, and millions of images of child abuse. But there is still one
question that police have yet to answer: How exactly were they able to
catch him? Investigators were somehow able to break the layers of
anonymity that Marques had constructed, leading them to locate a
crucial server in France. This discovery eventually led them to
Marques himself, who was arrested in Ireland in 2013.

Marques was the first in a line of famous cybercriminals to be caught
despite believing that using the privacy-shielding anonymity network
Tor would make them safe behind their keyboards. The case demonstrates
that government agencies can trace suspects through networks that were
designed to be impenetrable.

Marques has blamed the American NSA’s world-class hackers, but the FBI
has also been building up its efforts since 2002. And, some observers
say, they often withhold key details of their investigations from
defendants and judges alike—secrecy that could have wide-ranging
cybersecurity implications across the internet.

“The overarching question is when are criminal defendants entitled to
information about how law enforcement located them?” asks Mark Rumold,
a staff attorney at the Electronic Frontier Foundation, an
organization that promotes online civil liberties. “It does a
disservice to our criminal justice system when the government hides
techniques of investigation from public and criminal defendants.
Oftentimes the reason they do this kind of obscuring is because the
technique they use is questionable legally or might raise questions in
the public’s mind about why they were doing it. While it’s common for
them to do this, I don’t think it benefits anyone.”

Freedom Hosting was an anonymous and illicit cloud computing company
running what some estimated to be up to half of all dark web sites in
2013. The operation existed entirely on the anonymity network Tor and
was used for a wide range of illegal activity, including the hacking
and fraud forum HackBB and money-laundering operations including the
Onion Bank. It also maintained servers for the legal email service Tor
Mail and the singularly strange encyclopedia Hidden Wiki.

But it was the hosting of sites used for photos and videos of child
exploitation that attracted the most hostile government attention.
When Marques was arrested in 2013, the FBI called him the “largest
facilitator” of such images “on the planet.”

Early on August 2 or 3, 2013, some of the users noticed “unknown
Javascript” hidden in websites running on Freedom Hosting. Hours
later, as panicked chatter about the new code began to spread, the
sites all went down simultaneously. The code had attacked a Firefox
vulnerability that could target and unmask Tor users—even those using
it for legal purposes such as visiting Tor Mail—if they failed to
update their software fast enough.

While in control of Freedom Hosting, the agency then used malware that
probably touched thousands of computers. The ACLU criticized the FBI
for indiscriminately using the code like a “grenade.”

The FBI had found a way to break Tor’s anonymity protections, but the
technical details of how it happened remain a mystery.

“Perhaps the greatest overarching question related to the
investigation of this case is how the government was able to pierce
Tor’s veil of anonymity and locate the IP address of the server in
France,” Marques’s defense lawyers wrote in a recent filing.

In the original indictment, there is little information beyond
references to an “investigation in 2013” that found a key IP address
linked to Freedom Hosting (referred to in the document as the “AHS,”
or anonymous hosting service).

Marques’s defense lawyers said they received only “vague details” from
the government, and that “this disclosure was delayed, in part,
because the investigative techniques employed were, until recently,
classified.”

Peter Carr, a Justice Department spokesperson, said the letter is “not
in the public record.” The defense attorneys did not respond to
questions.
Related story
The NSA found a dangerous flaw in Windows and told Microsoft to fix it

The secretive security agency identified the vulnerability and is
taking public credit as part of an effort to “build trust.”
Not-so-full disclosure

US government agencies regularly find software vulnerabilities in the
course of their security work. Sometimes these are disclosed to
technology vendors, while at other times the government decides to
keep these exploits for use as weapons or in investigations. There is
a formal system for deciding whether an issue should be shared, known
as the Vulnerabilities Equities Process. This is meant to default
toward disclosure, under the belief that any bug that affects the “bad
guys” also has the potential to be used against American interests; an
agency that wants to use a major bug in an investigation has to get
approval, or else the bug will be publicly disclosed. US officials say
the vast majority of such vulnerabilities end up disclosed so that
they can be fixed, ideally increasing internet security for everyone.

But if the FBI used a software vulnerability to find Freedom Hosting’s
hidden servers and didn’t disclose the details, it could still
potentially use it against others on Tor. This has observers
concerned.

“It’s not uncommon to play these games where they hide the ball about
the source of their information,” the EFF’s Rumold says.

Tor is free software designed to let anyone use the internet
anonymously by encrypting traffic and bouncing it through various
nodes to obfuscate connections to the original users. Users could
include Americans sick of being tracked by advertising companies,
Iranians attempting to circumvent censorship, Chinese dissidents
escaping national surveillance, or criminals like Marques attempting
to stay ahead of international police. The users are diverse in every
way, but software vulnerabilities can affect all of them.

In a 2017 criminal case, the US government put the secrecy of its
hacking tools above all else. Prosecutors chose to drop all charges in
a case of child exploitation on the dark web rather than reveal the
technological means they used to locate the anonymized Tor user.

Freedom Hosting’s closure was the first in a series of stunning
successes by international law enforcement that shut down some of the
most high-profile criminal websites in history.

Two months after Marques was caught, the free-wheeling marketplace
Silk Road was shut down in another FBI-led operation. After
facilitating at least hundreds of millions of dollars in sales, Silk
Road became a symbol of the apparent invulnerability of the criminals
inhabiting the dark web. Although it lasted  less than three years, it
was clear that Silk Road’s founder, nicknamed Dread Pirate Roberts,
felt invincible. Close to the end, the anonymous figure was giving
interviews to magazines like Forbes and writing political essays about
his cause and the ideology behind it.

Then, in October 2013, Ross Ulbricht—a 29-year-old online
bookseller—was arrested in San Francisco and charged with running Silk
Road. He was eventually sentenced to life in prison, a punishment that
far exceeds whatever Marques might receive at his sentencing date in
May.

Freedom Hosting and Silk Road were just the most well-known dark web
sites that were brought down by law enforcement despite the anonymity
that Tor is meant to provide.

“We can’t have a world where a government is allowed to use a black
box of technology from which spring these serious criminal
prosecutions,” Rumold says. “Defendants have to have the ability to
test and review and look at the methods that are used in criminal
prosecutions.