Silk Road forums
Discussion => Security => Topic started by: Blksheep on March 08, 2012, 01:41 am
-
http://arstechnica.com/tech-policy/news/2012/03/stakeout-how-the-fbi-tracked-and-busted-a-chicago-anon.ars
I found this article by accident, and since it is two pages, most people skimmed it but didn't finish it... but page two is where it gets interesting.
"On March 1, the agents obtained a court order allowing them to use a "pen register/trap and trace" device that could reveal only "addressing information" and not content. In other words, if it worked, agents could see what IP addresses Hammond was visiting, but they would see nothing else.
The FBI describes its device as a "wireless router monitoring device" that captures addressing and signaling information and transmits it wirelessly through the air to FBI agents watching the home. It was installed the same day and was soon showing agents what Hammond was up to online.
His Macbook's MAC address was soon seen connecting to IP addresses known to be part of the Tor anonymizing network. "An FBI Tor network expert analyzed the data from the Pen/Trace and was able to determine that a significant portion of the traffic from the Chicago Residence to the Internet was Tor-related traffic," said the FBI's affidavit.
And while this definitely sounded like their man, the Bureau went to even greater lengths to double-check their target. The main technique was to observe when Hammond left his home, then to call Sabu in New York and ask if any of Hammond's suspected aliases had just left IRC or the Jabber instant messaging system.
Here, for instance, are two such logs from March 1:
On March 1, 2012, at approximately 5:03 PM CST, Hammond was seen leaving the Chicago Residence. Almost immediately after, CW-1 (in New York) contacted me to report that the defendant was off-line. Pen/Trap data also reflected that Tor network activity and Internet activity from the Chicago Residence stopped at approximately the same time.
Later, also on March 1, 2012, at approximately 6:23 PM CST, Hammond was observed returning to the Chicago Residence. Tor Network traffic resumed from the Chicago Residence approximately a minute or so later. Moreover, CW-1 reported to me that the defendant, using the online alias "yohoho," was back online at approximately the same time as physical surveillance in Chicago showed Hammond had returned to the Chicago Residence.
Surveillance continued right up through March 4, when Sabu had his last online sighting of Hammond at 7:00pm CST. On March 5, the FBI drew up its finalized arrest affidavit and presented it to Judge Ronald Ellis in the lower Manhattan federal courthouse. Later that day, it was acted upon in Chicago."
So basically, from reading this we can gather that the Feds can tap your internet and know when you get on and off of Tor, but they haven't a clue what you were doing there... that is very good news!
As long as you don't fall for some Fed stunt like convincing you to go to a non-Tor site where they can capture your real IP (your identity), then you are fairly safe to continue using Tor and buying/selling at Silk Road.
-
Can they tell if the traffic is Tor-related if you use a bridge relay?
-
The real moral of the story is that Tor doesn't protect from traffic confirmation attacks. If the feds can see traffic at two points on the Tor network, they can determine that it is part of the same flow. They didn't just see that he was using Tor, they confirmed that he was their suspect (which they already had a pretty good idea of, but nothing hard). They did a timing attack to demonstrate that the person they were monitoring with the trap and trace was the person in the IRC, because they could see him send data and they could also see it arrive at the end point (since he was talking to an informant).
The real fuck up on his part was apparently in leaking enough information that the feds could consider him a suspect. If the feds had controlled his entry guard (due to some dragnet signals intelligence operation that they probably have going) they would have been able to determine his identity; in this case they already thought they had their guy and they confirmed his identity. So apparently none of these guys were using FBI pwnt entry guards for the entire duration of their lulz. This is valuable intelligence, as we can actually look at how long they were operating for and determine the number of entry guards they would have used, and show that apparently none of them were owned by FBI.
meh I am too tripping balls to give this the more concise reply it deserves :P.
-
This is actually a prime example of why hidden services are not actually anonymous from FBI. Using the 06 attack they can trace to entry guards in a matter of minutes to hours. Then they use a trap and trace on the entry guard to pick out the hidden service. If the entry guards are not in the USA (any one out of the three) they will need to spend a tiny bit of time on MLAT paperwork, or they could just wait a month or two considering entry guards change every month or two, and it's only a matter of time until one is in the USA (probably not much time at all considering how many Tor nodes are in the USA).
My opinion is that hidden services stand a 0% chance of not being traceable by the feds.
-
Honestly the FBI could put all Tor relays in the USA under constant passive surveillance. Trap and trace / pen register does *not* require a warrant, only good faith that it will aid in a criminal investigation. The ISP level technology to passively monitor Tor relays has been in the hands of the FBI since at least Carnivore in the late 90s. And it would technically be legal for the FBI to monitor all Tor relays in the USA.
Many people think that NSA is the agency doing such attacks though, and not FBI. This case actually makes it pretty apparent that the FBI is not doing such surveillance as they would have almost certainly been able to identify these guys a lot faster if they had been. But it should be kept in mind that nothing is (apparently, please correct me if I am wrong....) preventing them from doing this, on a legal or technological level.
-
Isn't this a big deal? Informants, long investigations? :-[
-
Well, if you didn't already know they use informants and long investigations, I don't think you are in the right line of work lol
-
Seriously. How scared should I be? I don't buy a ton of stuff so I feel like I'm under the radar.
-
interesting read, thanks for posting it up dude.
-
Well, if you didn't already know they use informants and long investigations, I don't think you are in the right line of work lol
Well my line of work isn't LE! so there's that. And of course I know these things; what I'm saying is this is a big deal. I'm small fish (att: SR LE watcher), and I need to replace this computer anyway. I was just thinking this is a big deal! We have had so much attention, and Senators (with nothing better to do! the fucks!) making a statement about shutting us down. So it seems to me it's only a matter of time before some asshole piece of shit like Sabu turns on the SR, and then they will grab a handful of buyers and sellers to make it seem like they're doing something, other than trying to start another war or attacking women's reproductive rights. In any case, as always, it's a risk assessment we all have to deal with! You seem like a smart person (love yours and Pine's posts). For me though it's just "Another Brick in The Wall".
-
Fascinating read. It does show the limitations of FBI surveillance on Tor hidden services.
A timing attack like this is a rather naive approach, though obviously effective when used on a person who is already a suspect.
I guess you just have to fight the timing attacks using a VPS or something running Tor with active connections to your desktop, so there's no real difference between when you are home versus when you are not home.
Even with a trap and trace, you can't really break the Tor encryption easily; from what I can tell, they can only correlate traffic between your home and your online identity.
The obvious solution is to dissociate your online identity from your physical presence at home.
It seems I'm going to need to spend money on an offshore VPS. :/ Preferably from somewhere on rocky terms with the US.
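To make the traffic-confirmation point above concrete, here is an added example (not from any post in this thread) that scores how well each candidate alias's online/offline transitions line up with the observed comings and goings at a residence. Only the two physical times quoted from the affidavit are real; every other timestamp is constructed, and the 3-minute matching tolerance is an assumed parameter. The always-on candidate, the mitigation suggested in the post above, produces no matching transitions at all.

```python
from datetime import datetime, timedelta

def parse(events):
    """Turn ("on"|"off", "YYYY-MM-DD HH:MM") pairs into (state, datetime) tuples."""
    return [(state, datetime.strptime(ts, "%Y-%m-%d %H:%M")) for state, ts in events]

# Constructed sample observations for one day. The first two physical times are
# the ones quoted from the affidavit above; everything else is made up here.
PHYSICAL = parse([("off", "2012-03-01 17:03"),   # seen leaving the residence
                  ("on",  "2012-03-01 18:23"),   # seen returning
                  ("off", "2012-03-01 22:10"),
                  ("on",  "2012-03-01 23:45")])
ALIAS_EXPOSED = parse([("off", "2012-03-01 17:04"),   # alias drops off IRC
                       ("on",  "2012-03-01 18:24"),   # alias is back
                       ("off", "2012-03-01 22:11"),
                       ("on",  "2012-03-01 23:46")])
ALIAS_UNRELATED = parse([("off", "2012-03-01 09:30"),  # some other user's alias
                         ("on",  "2012-03-01 12:15"),
                         ("off", "2012-03-01 20:00")])
ALIAS_PERSISTENT = parse([("on", "2012-03-01 00:00")])  # always-on relay: never toggles

def matched_fraction(physical, alias, tolerance=timedelta(minutes=3)):
    """Fraction of physical transitions (leave/return) for which the alias shows
    the same transition (offline/online) within `tolerance`. Near 1.0 means the
    two observation points are seeing the same activity pattern; near 0.0 means
    the alias reveals nothing about the person's comings and goings."""
    hits = 0
    for state, t in physical:
        if any(s == state and abs(t2 - t) <= tolerance for s, t2 in alias):
            hits += 1
    return hits / len(physical)

def rank_candidates(physical, candidates, tolerance=timedelta(minutes=3)):
    """Score each candidate alias against the physical log, best match first."""
    scores = {name: matched_fraction(physical, events, tolerance)
              for name, events in candidates.items()}
    return sorted(scores.items(), key=lambda kv: kv[1], reverse=True)

if __name__ == "__main__":
    candidates = {"exposed": ALIAS_EXPOSED,
                  "unrelated": ALIAS_UNRELATED,
                  "persistent": ALIAS_PERSISTENT}
    for name, score in rank_candidates(PHYSICAL, candidates):
        print(f"{name:10s} matched {score:.2f} of physical transitions")
```

The exposed alias matches every transition, while the unrelated and always-on aliases score 0.0, which is exactly the signal an always-connected relay between the desktop and the network removes.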
-
Exactly. Everyone has known for a while now that Tor is vulnerable to traffic timing attacks under the right circumstances. The point is not to give away enough information for them to profile and find you, and then set up all these "sophisticated" (lol) attacks simply to confirm your identity beyond a reasonable doubt. LulzSec and all the other moralfag splinter groups of Anonymous are full of emotionally disturbed, developmentally challenged, immature manchildren who may be able to memorize a programming language and use publicly released exploits to hack weakly defended targets, but they are still just dumbass kids who can't keep their mouths shut in a desperate effort to feel like they "belong" to a group that does something "important". If they truly cared about their cause and didn't treat it like an IRL game, they would have had the self-control not to become best buddies with individuals that were supposed to remain anonymous. That's why you can't be a loner and expect to treat anonymous online contacts with the distance and restraint necessary. The Chi guy's (Jeremy Hammond?) own mom said he was a genius without a brain. That's why IQ means nothing without common sense and self-control.
Anyway, what I really want to know is just how the FBI was able to monitor this dude's wifi router. Unless he just left it open to be like, freely providing for the community, man, or perhaps in a failed attempt at establishing plausible deniability, I don't see how they were able to see that specifically his Macbook's MAC address was connecting to a Tor IP. If the network was properly secured, all IP destination information should have been encrypted. What security did he have on it, if any? Was it any sort of WEP key, or a WPA setup with a weak password? Was the router open to the WPS vulnerability? Did they straight up crack his WPA2/AES passphrase, or just completely bypass the security altogether using a technique that's still secret? Whatever it was, it must have been easier and more direct than tapping his actual ISP connection. Hmm... perhaps this was some cable modem type device that allowed his ISP to modify the device settings at will, thus giving the FBI access.
-
...who's to say the public info regarding the circumstances is accurate?! If I were the FBI I'd also claim to be able to trace logon info from thin air?!
:o