Tor exit nodes compromised, operator warns

https://lists.torproject.org/pipermail/tor-talk/2014-December/036067.html

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512

Dear all,

Many of you by now are probably aware that I run a large exit node cluster for the Tor network and run a collection of mirrors (also ones available over hidden services).

Tonight there has been some unusual activity taking place and I have now lost control of all servers under the ISP and my account has been suspended. Having reviewed the last available information of the sensors, the chassis of the servers was opened and an unknown USB device was plugged in only 30-60 seconds before the connection was broken. From experience I know this trend of activity is similar to the protocol of sophisticated law enforcement who carry out a search and seizure of running servers.

Until I have had the time and information available to review the situation, I am strongly recommending my mirrors are not used under any circumstances. If they come back online without a PGP signed message from myself to further explain the situation, exercise extreme caution and treat even items delivered over TLS as potentially hostile.


Add this to your torrc file to ensure you don't use these relays as part of your circuits:

ExcludeNodes 77.95.229.0/24, 89.207.128.241, 5.104.224.15, 128.204.207.215

StrictNodes 1
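As an added example (not part of the original post or of Tor's own code), the Python helper below parses the ExcludeNodes line above and reports whether a given relay address falls inside it, so the exclusion can be sanity-checked before relying on it. It handles only the address and CIDR forms used in the snippet; fingerprints, nicknames and country codes that Tor also accepts are skipped, and the torrc text is a constructed sample.

```python
"""Check which relay addresses a torrc ExcludeNodes line would block."""
import ipaddress

# Constructed sample torrc containing the two lines from the advisory.
TORRC_SNIPPET = """\
# exclude the relays named in the 2014-12 tor-talk post
ExcludeNodes 77.95.229.0/24, 89.207.128.241, 5.104.224.15, 128.204.207.215
StrictNodes 1
"""


def _directive_values(torrc_text, name):
    """Yield the value part of every line whose first token is `name`."""
    for line in torrc_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if not line:
            continue
        key, _, value = line.partition(" ")
        if key == name:
            yield value.strip()


def parse_exclude_nodes(torrc_text):
    """Return ip_network objects for every address or CIDR in ExcludeNodes."""
    networks = []
    for value in _directive_values(torrc_text, "ExcludeNodes"):
        for item in value.split(","):
            item = item.strip()
            try:
                # strict=False accepts host bits set inside a CIDR block
                networks.append(ipaddress.ip_network(item, strict=False))
            except ValueError:
                pass   # fingerprint, nickname or {cc}: not handled here
    return networks


def strict_nodes_enabled(torrc_text):
    """True when StrictNodes 1 is set; Tor then refuses the excluded relays
    even where avoiding them would break the circuit (e.g. no alternative)."""
    return any(v == "1" for v in _directive_values(torrc_text, "StrictNodes"))


def is_excluded(addr, networks):
    """True if `addr` lies inside any excluded address or block."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in networks)


if __name__ == "__main__":
    nets = parse_exclude_nodes(TORRC_SNIPPET)
    for relay in ("77.95.229.200", "89.207.128.241", "89.207.128.242"):
        print(relay, "excluded" if is_excluded(relay, nets) else "allowed")
```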


Comments


[33 Points] iLoveDNM:

Hm... concerning, but I'm not sure it applies to us exactly. Visiting a hidden service doesn't traverse an exit node, but it sucks that somebody is attacking Tor.


[24 Points] U_Better_Call_Saul:

Better lawyer up.

http://www.bettercallsaul.com/

505-503-4455


[9 Points] presari0:

Kinda ominous that Agora has been down all day, a few days ago the Tor developers warned about coming attacks, and now this.


[5 Points] None:

For those of us who aren't as technologically gifted, how would someone go about excluding these nodes?


[4 Points] None:

[deleted]


[1 Points] None:

It sounds like this has something to do with the owner (cthulusec), definitely not dnm related.

Hacker News has interesting discussion, some think it could be a BIOS/firmware level attack similar to that of DEITYBOUNCE.

HP released a report saying the Sony hackers used Tor, but seizing his servers wouldn't have done much to help that seeing as they follow Tor's best practices.


[0 Points] None:

[deleted]


[-1 Points] None:

[deleted]


[-1 Points] None:

TLS is such a complete joke. It actually manages to make things worse via false sense of security. Sheesh.


[-2 Points] otto3210:

Explains this then?


[-8 Points] None:

Land of the free.

At this point I think it would be best to just blacklist all exit nodes in the US.