
dobbsbob | 11 years ago

The SR2 guy 'defcon' was also selling his services as a .onion developer/ops, so likely he set up all these other sites for vendors and they were seized when he was caught and cooperated. From the FBI complaint he was completely careless like all other recently busted darknet admins and mods, so I wouldn't be surprised if they were all hosted at the same host too.


fabulist | 11 years ago

Every time something like this happens, lots of people shout that the sky is falling and Tor is "dead."

Thank you for putting forward a reasonable hypothesis amid the FUD.

That being said, I doubt he was a developer for 399 other sites; that's quite a few. I think a "watering hole" style attack is likely here, but I think there must be a part of the story that hasn't been revealed; perhaps there was a federation of .onion marketplaces that Benthall was a part of.

meowface | 11 years ago

I work in the security industry, and normally I'm the first one to argue against the FUD, but this time I'm not so sure. Clearly, out of these ~400 a decent portion were probably on the same server or in the same datacenter, and many of their operators were obviously quite careless in terms of personal, infrastructure, and application security (as has always been the case and will likely forever remain the case).

But it's still a pretty high number. I would not completely rule out some sort of trick or analysis being employed by global law enforcement to identify the ISP or datacenter being used to host hidden services. It may just be a matter of them plotting the volume of Tor traffic around the world and narrowing it down from there; it's likely not that difficult to distinguish Tor traffic from a popular hidden service and Tor traffic from a relay, exit node, or client.

Note the bottom of the FBI's press release:

>The law enforcement authorities of Bulgaria, Czech Republic, Finland, France, Germany, Hungary, Ireland, Latvia, Lithuania, Luxembourg, Netherlands, Romania, Spain, Sweden, Switzerland, and the United Kingdom, whose actions have been coordinated through Eurojust and Europol’s EC3, provided substantial assistance.

That's a lot of countries. Many unscrupulous hosting providers are located in those countries. It's possible that the FBI narrowed their search down to individual foreign ISPs, then had foreign law enforcement work with ISPs, NOCs, and hosting companies to place selective taps and narrow things down even further, centered purely around analysis of Tor traffic volume.

Or they may have found a general purpose vulnerability. Or perhaps a combination of the two.

These tweets by a (not currently arrested) popular hidden service operator are also very interesting:

https://twitter.com/loldoxbin/status/530764492326838272

https://twitter.com/loldoxbin/status/530766985794420736

https://twitter.com/loldoxbin/status/530768176007884800

https://twitter.com/loldoxbin/status/530768358355251200

https://twitter.com/loldoxbin/status/530891182612955136

Tor is not dead, but anyone running an illicit hidden service should probably be concerned, at least until further details are released or discovered. It's entirely possible that they took down all of these services purely through typical cybercrime investigative techniques, but I think it's unwise to rule out something a bit more powerful this early on.

dobbsbob | 11 years ago

He sold cookie-cutter stores that vendors bought, and it wouldn't take long to queue up Puppet and deploy a .onion for the hundreds of vendors on SR2. I wouldn't give Tor a green light either though, esp. with people considering peddling narcotics using that p2p alpha market software Open Market where you run your own server. Seems incredibly risky for timing analysis, plus nobody knows how they discovered SR #1.