I'm not a tin foil kind of guy.... I think it's pretty safe to say the freedom hosting takedown and tor targeted exploit is a masterstroke of saber rattling and psyops dick waving.
Target and capture somebody (possible evil douchebag) who is hidden behind seven proxies, gain access to highly secure 'hidden .onion' servers used by people who want to stay hidden, scare the TOR user base by proving they can identify you easily while also not giving a fuck about burning one of the many exploits in their bag - in a single move!
It's purely coincidental and to their luck that they were able to find the hosting provider, and that the provider happened to host so many valuable targets. The exploit isn't at all special.
I think in that sense, this is more of a social engineering hack. Everyone trusted a common host. You can say the trust was not manipulated into existence by an adversary, but trust was involved, in hindsight.
The forum thread relies on a domaintools.com query [1], which points to "SCIENCE APPLICATIONS INT" [2] as the owner of this 65.222.202.53 Class C subset (65.222.202.53 is found in the updatify() function listed below [3]). You might recognize SAIC from the NSA's 'XKEYSCORE Systems Engineer' job posting thread [4] a couple of days ago.
SAIC is a huge defense contractor with their fingers in a large number of pies.
Anything SAIC related is certainly government related, but not necessarily NSA.
I'm not sure the distinction of what is and is not NSA proper is even meaningful anymore. They deal with national security and intelligence, not child porn, so they almost certainly weren't the primary actor in this case. But given all of the contractors and cooperating agencies and resources that are publicly known, which I would assume is only the tip of the iceberg, it makes little practical difference which agency is on the badge of who pulls the final trigger.
Given the IP space involved, SAIC's involvement, their known existing work in this area including their willingness to purchase exploits for government/law enforcement, and the target, it's a huge stretch to come up with any other explanation.
As someone usually ending up on the anti-NSA side of these discussions, I don't think there is anything particularly surprising or worrying about this. They (whichever agency it was) used an exploit in what was a fairly significant bust in their eyes. I haven't personally analyzed it but I gather it did something ranging from log identifiable information to installing malware. Regardless of what it did, this is a pretty expected law enforcement tactic for adversaries of this nature.
As pointed out by you and others, SAIC definitely has fairly incompetent moments, but they have a lot of money. This is why they can put enough of an attack together to deliver a sophisticated exploit (likely purchased) and execute on the operation, while still leaving their tracks on everything and being somewhat sloppy.
I've seen mixed comments as to whether or not it was actually patched upstream, but if it was, that makes even more sense. If it was patched, they had to use it before it made it into the Tor bundle, or lose it entirely. Generally, high value exploits that are 0day (unknown and unpatched) are not given to law enforcement.
I think to suggest this was "psyops" or something is giving SAIC far too much credit. It was just a sloppy raid that used an exploit, for any number of legitimate reasons.
I've got a bunch of TOR originating traffic coming into a clearweb "whats-my-ip" service that I run, that's really odd (it uses a Chrome user-agent string and appears to be coming from a script, maybe even JS being executed in a browser).
Attacking a linux box that runs little more than the TOR daemon is much harder than attacking a browser on an average client machine. The difference in attack surface is huge.
Further, one needs to attack many (hundreds) of TOR nodes to effectively "own" the TOR network.
The difficulty level between these two attack vectors is very different.
I'd go as far as saying that such an attack is beyond what "low level" fed departments can do (due to HR shortages, budget limits, lack of cooperation with the more serious guys, etc). An attack of this level is something that, in my opinion, is reserved for the guys who hunt down bearded men in some warmer regions of the world.
Now, a "common" browser exploit, and some basic attack skills, is something you can expect for these "low profile" investigations such as the one in question (again, purely in my opinion).
When you visit .onion sites exit nodes don't come into play.
As for controlling a bunch of nodes and figuring out who loads what, that is not possible, as far as I understand how the network works. How it works is that the sender decides on a path which consists of a random number of other regular nodes. It encrypts a message with the public key of each of the nodes, and then sends it on its merry way to the first node. None of the nodes know if they're the first, the second, or the last. All they know is the address of the previous and the next node, either of which can be other nodes in the chain or the origin or the destination.
> As for controlling a bunch of nodes and figuring out who loads what is not possible, as far as I understand how the network works.
Given the number of tapping points, the NSA might be considered a global passive adversary (or close to one) at this point. Tor does not protect against that.
An entity controlling traffic at your internet connection can force node selection during circuit building by failing requests to uncontrolled nodes. The path bias warning is informational only AFAIK (was added in 2012?) and is not perfect.
"A secretive U.S. Drug Enforcement Administration unit is funneling information from intelligence intercepts, wiretaps, informants and a massive database of telephone records to authorities across the nation to help them launch criminal investigations of Americans.
Although these cases rarely involve national security issues, documents reviewed by Reuters show that law enforcement agents have been directed to conceal how such investigations truly begin - not only from defense lawyers but also sometimes from prosecutors and judges.
The undated documents show that federal agents are trained to "recreate" the investigative trail to effectively cover up where the information originated, a practice that some experts say violates a defendant's Constitutional right to a fair trial. If defendants don't know how an investigation began, they cannot know to ask to review potential sources of exculpatory evidence - information that could reveal entrapment, mistakes or biased witnesses."
It appears that this is actually a Firefox exploit that was patched a while back. Hurray for auto-updating browsers. I read suggestions of using a LiveCD, but that seems like it would leave you stuck to security fixes like this. If you were using Tails you could at least have had a random MAC (https://tails.boum.org/contribute/design/MAC_address/), but this attack could have been a lot worse if it wanted more than the MAC.
Since the OP didn't mention it, here's the gist of what happened:
1) A bug in Firefox related to the onreadystatechange event could end up arbitrarily executing memory on a page reload.
2) The attack created a Windows executable using JavaScript's typed arrays and array buffers (pretty interesting in its own right).
3) The executable phones home with a MAC address and Windows hostname.
huh, the title of my post changed and it lost 7 points? random changes like this seem common on HN, interested in why
the original title was "Independent reasearch claims NSA behind Tor Browser exploit, owns 65.222.202.53" -- which I think is completely reasonable and accurate
The new title is a better description of what the article is about. If you just want to submit the AS ownership, you could link to http://pop.robtex.com/nsa.gov.html#records
Full forum post quoted below (I didn't write it, just found it on social media a little while ago):
"Well, the story gets more interesting...
This morning, we read that information from the NSA's illegal surveillance databases has been routinely finding its way into DEA drug cases [1], with an entire government "training programme" in existence to mask the source of the information from defendants... as well as prosecutors and judges.
And this weekend, we've been working through the news that a large breach of security associated with the Tor network - it's been dubbed #torsploit [2] - has taken place. Exploit code is available (see earlier posts in this thread), and folks have been de-obfuscating and analysing the code.
There's also an IP address hard-coded into it - that's where the info gathered by the malware is being sent. That IP address is:
65.222.202.53
Now, the press reporting on the address so far has been saying it's a "Verizon business address in Virginia." Yes, that's what whois shows, but that's not exactly the full story, or the real story.
The folks at Baneki Privacy Labs have been chasing down that detail. They first asked [3], in a game-theoretic way, whether the entire situation isn't a bit too, well... obvious. I mean, did the FBI think nobody would notice? Everyone's been assuming it's the FBI, doing something like the "Darkmarket honeypot," [4] or some such. It's worth noting that nobody has taken public credit for this #torsploit [5] malware yet, so attributing it to the FBI is a leap of assumptive logic.
Turns out, the story is much more interesting than that.
Baneki dug deeper than whois, and got some clues things were spookier than they seemed. First, there's an open port (80) [6] sitting on the machine in question. So it's not some recycled or attempted-at-obfuscated IP address. It's still live and running. Then the fun starts... [7]
SAIC.png [a]
SAIC is, needless to say, deep in the core of the cyber-military complex... and certainly not the FBI.
Some further investigation by Baneki turns up the following information [8]:
NSA.png [b]
That IP address is part of IP space directly allocated to the NSA's Autonomous Systems (AS). It's not FBI; it's NSA.
What is an NSA IP address doing as a command & control contact for javascript malware being deployed in the #torsploit [9] attack? That remains to be seen... but we already know that PRISM data has been "jumping the wall" and leaking into other law enforcement hands. Is this an example of further abuse of PRISM's "national security only" dataset? That appears the most likely explanation, at this point in time.
Glenn Greenwald has been warning us this is happening - and here's another hard, objective, irrefutable data point. The NSA's Alexander - who only last week was at DefCon doing his best to charm the audience [10] - is once again caught lying bald-faced.
What happens now? We sit back to await developments..."
[8] doesn't seem to be quite the smoking gun they are making out. I did some digging into other hosts near that one and it looks like pretty standard business ISP stuff to me. Outlook Web Access, phone systems, a few company websites. (Although the companies themselves are interesting, military and pharmaceuticals from my brief survey of SSL certificates.) Not directly NSA.
Doesn't seem implausible for it to have been running on a compromised host if there's publicly accessible PBXs and stuff around there.
[8] seems to show that the ENTIRE IP RANGE is assigned to nsa.gov. Just seeing that some innocuous-looking services are running on some IPs in that range doesn't mean anything for or against.
The government uses Outlook, has phones ... and even owns businesses (sometimes surreptitiously, like CIA front companies).
In fact, if the intelligence apparatus of this country didn't own or directly control at least one ISP, I'd be very, very surprised.
What [8] shows is that nsa.gov resolves to 65.196.127.226. 65.196.127.226 is part of the range 65.192.0.0/11 assigned to AS (autonomous system) 701, which is "UUnet Technologies, Inc". From Wikipedia, "Today, UUNET is an internal brand of Verizon Business".
Both 65.196.127.226 (the server that hosts nsa.gov) and 65.222.202.53 fall in the same /11 block (i.e. a block of 2,097,152 addresses) assigned to UUnet / Verizon Business.
However, that is a huge block of IP addresses, and numerous other servers are also hosted by Verizon Business on that block - http://route.robtex.com/65.192.0.0-11.html will give you a list.
It is entirely possible that the Verizon Business is providing services to some US government agency to run 65.222.202.53, but the fact that NSA also uses Verizon Business to host its website is hardly conclusive proof of anything.
Sorry to be ignorant, but I don't see where 65.222.202.53 is shown to be NSA-owned? I don't see that in the robtex record. Am I reading it wrong? I'm not familiar with this notation, I don't often look into IP allocation issues.
It isn't NSA owned according to the records. 65.192.0.0/11 is UUnet (Verizon Business) owned. nsa.gov is hosted on 65.196.127.225, and both 65.196.127.225 and 65.222.202.53 fall in the block of 2^(32-11) = 2,097,152 addresses designated 65.192.0.0/11 and owned by Verizon Business.
Verizon rents out those 2,097,152 addresses to their customers, but they are unlikely to tell you which customer is assigned which address at which time without customer permission (and neither address is set up in Verizon's nameservers to reverse resolve back to a hostname).
There is as much evidence that the NSA is behind this as there is that the YMCA USA (another Verizon customer) is behind this (or any of the numerous other Verizon Business customers): http://dns.robtex.com/ymcausa.net.html#records (that is just an example to show the flaw in saying that link [8] is a smoking gun that the NSA owns the server; I don't think the YMCA is behind this).
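The /11 arithmetic from the reply above, worked through in code as an added example (not part of the thread): it checks that both addresses sit inside 65.192.0.0/11, computes the block size, and shows that the /11 is in fact the longest prefix the two addresses share, i.e. they have nothing finer than the coarse UUnet allocation in common. It assumes the addresses quoted in the comments; the thread cites both 65.196.127.225 and .226 for nsa.gov, and either gives the same result.

```python
# Added example, not from the thread: plain integer arithmetic on the
# addresses the comments quote, no whois or DNS lookups needed.
import ipaddress

NSA_GOV_HOST = "65.196.127.226"  # address the thread says nsa.gov resolves to
TORSPLOIT_C2 = "65.222.202.53"   # address hard-coded in the malware per the thread
UUNET_BLOCK = "65.192.0.0/11"    # Verizon Business / UUnet allocation named above


def to_int(addr: str) -> int:
    """IPv4 dotted-quad -> 32-bit integer."""
    return int(ipaddress.IPv4Address(addr))


def block_size(prefix_len: int) -> int:
    """Number of addresses in a /prefix_len IPv4 block."""
    return 2 ** (32 - prefix_len)


def in_block(addr: str, cidr: str) -> bool:
    """True if addr lies inside the CIDR block."""
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def common_prefix_len(a: str, b: str) -> int:
    """Length of the longest prefix on which two IPv4 addresses agree."""
    diff = to_int(a) ^ to_int(b)
    return 32 if diff == 0 else 32 - diff.bit_length()


def smallest_common_block(a: str, b: str) -> str:
    """The most specific CIDR block that contains both addresses."""
    n = common_prefix_len(a, b)
    return str(ipaddress.ip_network(f"{a}/{n}", strict=False))


def address_distance(a: str, b: str) -> int:
    """How many addresses apart two IPv4 addresses are."""
    return abs(to_int(a) - to_int(b))


def summarise(a: str = NSA_GOV_HOST, b: str = TORSPLOIT_C2, cidr: str = UUNET_BLOCK) -> dict:
    """Collect the facts the thread argues about into one dict."""
    return {
        "a_in_block": in_block(a, cidr),
        "b_in_block": in_block(b, cidr),
        "block_addresses": block_size(int(cidr.split("/")[1])),
        "longest_shared_prefix": common_prefix_len(a, b),
        "smallest_common_block": smallest_common_block(a, b),
        "addresses_apart": address_distance(a, b),
    }


if __name__ == "__main__":
    for key, value in summarise().items():
        print(f"{key}: {value}")
```

The two addresses share exactly the first 11 bits and nothing more, so "same /11 as nsa.gov" is the same statement as "same UUnet allocation", which is what the comment says it is.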
Hasn't it always been perfectly clear that ~all Tor exit nodes are owned by intelligence agencies? You only need a relatively small fraction of the exit nodes to pwn the entire system.
I attended a talk of Roger Dingledine and Jacob Appelbaum two weeks ago and during Q and A the topic of compromised exit nodes came up. If I understood Jacob Appelbaum correctly he said that he didn't believe most exit nodes are owned by intelligence agencies. His reasoning was it was not needed, because they could use the data from comprehensive wire-taps for much the same effect.
He also said, that if they are already after you, Tor is not going to help you.
I'm not an expert in Tor and I attended the talk tired and after a hard day's work, so I might have completely misunderstood him.
Why? I mean, insofar as they've already said "encryption makes you suspect", I'd imagine they'd want to break TOR wide open. So if they haven't, I presume it's because of technical difficulty. What's stopping them from doing so, if they haven't?
It's more complicated than that. As of now, the major part of Tor's funding (still) comes from multiple sections of the US government. Nobody likes that, and this is being discussed. (e.g. [1])
The overall relationship between USG (which is, really, a society of different sections, this should not be forgotten) and the Tor project is complex and, I should say, schizophrenic. The initial motivation for developing Tor (while it was being conceived in the US Naval Research Lab) as a civilian project was clear (need lots of civilian nodes and civilian traffic to drown out the spies' / army employees' / whoever's traffic.) What is happening right now I don't really understand, but would like to, very much.
I wonder if it is used as a pressure release valve for anonymity software developers. That way they focus their efforts on tor, which might be more amenable to USG exploits, than other anonymity networks.
One relevant data point: the author of the mixminion remailer is working for the tor project, probably killing mixminion (a far more secure anonymizer).
Another relevant data point (for a similar strategy): most of the research on JPEG steganography is done on grayscale images, which is mostly useless since mostly nobody sends grayscale images. A lot of what's done on color images is being done in places like Iran, China and India(?).
> One relevant data point: the author of the mixminion remailer is working for the tor project, probably killing mixminion (a far more secure anonymizer).
Do you mean Nick Mathewson or Roger Dingledine? Both are working for Tor now, as a matter of fact Roger was one of the core founders of Tor, and both of them co-founded the Tor Project as a nonprofit (though not sure of details).
For what it's worth (ahem, 0%), I believe both of them have very high ethical standards and are great people; I've only physically met them in passing so far, but insofar as I can trust an individual person, I do trust they do not have any secondary ulterior motives.
> probably killing mixminion (a far more secure anonymizer).
I'm not sure of details here, either. Both of them view Tor as, ultimately, a compromise between usability and security. This was a deliberate choice. Tor webpage makes it clear that Tor is not an ultimate ends to anonymity and privacy. I do agree that Mixminion, assuming other factors are kept to be invariant, is more secure. However, if only very few people were to use it, that would make it much less secure (as I'm sure you understand); etc. etc.
> Another relevant data point (for a similar strategy): most of the research on JPEG steganography is done on grayscale images, which is mostly useless since mostly nobody sends grayscale images. A lot of what's done on color images is being done in places like Iran, China and India(?).
I've heard about this - if this proves to indeed be the case, then yeah, kind of lol (in a sad way.) :(
> I wonder if it is used as a pressure release valve for anonymity software developers. That way they focus their efforts on tor, which might be more amenable to USG exploits, than other anonymity networks.
But this is an interesting point, I've thought of it as well. It could be that this is happening semi-organically, in a kind of emergent manner. This sounds magic-boxy, but: just as the mind is not a uniform machine, a government structure is not uniform, either; both, however, appear to produce semi-coherent (to an extent) behaviour that makes sense. Sorry for this rambling sentence, but the "top-down vs bottom-up" conspiracy question is an interesting one, and I don't know of ways to communicate it in a rigorous way.
But, again, the pressure valve idea is an interesting one for sure.
>> I believe both of them (Nick Mathewson and Roger Dingledine) have very high ethical standards and are great people;
This whole issue of cryptography is ethically complex. On the one hand, too much state power can lead to bad things, definitely. On the other, strong crypto/anonymity can be a risky tool in the hands of terrorists. And in reality, terror can cause very bad stuff [1].
Say you are Roger Dingledine, and a very convincing NSA guy comes to you, and shows you the evidence that some terror act, that killed X people, has used anon-remailers. How would that make you feel?
Except the guilt, one implication would be that USG would fight hard against mixminion.
And then he offers you to lead tor, with funding, and explains that this is a network that is hard to break, so even if NSA can break it, it wouldn't do it for silly stuff, only for emergencies.
You don't need to be a bad person to accept. It seems like a perfectly ethical thing to do.
Regarding bottom-up or top-down:
My guess is that NSA has a top-down strategy regarding cypherpunks. That's the way military forces work. And it would make sense for this tactic to be part of their strategy.
[1] WWI, the Iraq war, and the cessation of the Israeli peace process were all at least partially caused by terrorists. And we still haven't seen WMD based terror.
> And then he offers you to lead tor, with funding, and explains that this is a network that is hard to break, so even if NSA can break it, it wouldn't do it for silly stuff, only for emergencies.
> You don't need to be a bad person to accept. It seems like a perfectly ethical thing to do.
Yeah, except transparency is at the core of Tor. So someone who was approached like that would make sure to communicate this exchange and what they had learnt in a public manner. If this were not possible (for whatever reasons), it wouldn't be an ethical choice to continue because it would endanger people; including people in repressive regimes, whose governments might also decide to track down 'bad guys' because it would be an emergency. (Those governments do buy sophisticated DPI hardware from Cisco et al. and use it.) etc. etc. Nobody would just take the word for it anyway - actual peer-reviewed research is required. If this is not possible, then it cannot be used as a guiding force. If it is, it must be transparently acknowledged.
> [1] WWI, the Iraq war, and the cessation of the Israeli peace process were all at least partially caused by terrorists. And we still haven't seen WMD based terror.
I believe 'terrorist' has become a very semantically-loaded term with multiple connotative fields, so to speak. But I won't argue there, it's probably not the place anyway.
Edit:
> My guess is that NSA has a top-down strategy regarding cypherpunks. That's the way military forces work. And it would make sense for this tactic to be part of their strategy.
Yes, the transparency does make sense. Maybe the NSA guy didn't tell him anything about the exploits of tor.
But the fact that it financed tor implies heavily that there are such exploits accessible to NSA. And the fact that it is known that tor is sensitive to global passive attackers is another. Even plain me can guess this.
Maybe the calculation favors tor, because if we assume you need to be a global passive attacker to exploit it, this favors large coalitions of many (currently democratic) nations collaborating over your single repressive regime, and that seems like a reasonable compromise in thinking about a very hard ethical choice.
I would feel perfectly justified in knowing that had they not had the anonymizer, the individuals would have been murdered or shipped off to torture facilities without even a hint of due process. If the government's criminal process was actually transparent and just, then I might feel a bit of remorse for promoting anonymity tools, but in the current state, I have a large reason to suspect the motives of the hypothetical "NSA guy".
This is incorrect. You need more than a third of all Tor nodes to be able to have a decent probability of working out which user originated which requests. Just running or observing the exit node is not enough (the exit node has no idea of who originated the traffic).
Either that, or you have to be able to observe the traffic from most/all exit nodes as well as observe all the traffic coming from a user's Internet connection to be able to correlate with some probability what sites that user is visiting through Tor.
Given any random person in any country can run a Tor node (exit or non-exit), both are quite difficult.
As much as I love drama, the notion that the NSA would hardcode a registered IP address of their own into some malware and use that to attack some very publicized network affecting thousands of users.. well..
As another comment points out, why bother when you already coordinate a massive sniffing effort affecting large chunks of the globe?
Your argument is "that would be obvious, so it must not be true"? Why are you letting a feeling outweigh actual evidence?
Why bother? Timing attacks on Tor are much harder (require sniffing & correlating large percentage of network) than direct de-anonymization (require injecting malware in some servers).
The post is not speculation, it's actually pointing to those IP addresses. SAIC also openly does this type of offensive exploitation work for the government. There are many reasons why sniffing may not be sufficient, not least of which is that it's over Tor.
But what is the alternative... someone has pwnd an NSA box and is using it as a CC server for malware that they've injected into all sites hosted by some guy who was just arrested?
I hear a "shooting star" was seen the night of the Tunguska event. The fact this shooting star showed up just prior to an enormously powerful explosion suggests the allies had nuclear weapons in 1908, and that they were supplied by aliens from another world.
For any given series of boring events, the most fantastical explanation that ties them all together must obviously be true.
GET /05cea4de-951d-4037-bf8f-f69055b279bb HTTP/1.1
Don't you think if it was another party they would just have encoded the IP and/or MAC into the URL of a GET from some scary IP instead of using a cookie to a resource that is actually there listening on the server?
It's PsyOps. In leaving such an obvious signal, they're trying to remind people that as a state level actor, they can get into Tor or anywhere else they please if they really want to.
So this anonymous malware author compromises an enormous number of Tor sites and funnels identifying information to an SAIC/NSA IP address ... just for laughs?
The site is extremely slow, I got the text to load but apparently relevant images aren't loading. It's not in google cache yet either. If somebody could save the entire page and upload it somewhere (or something).. that would be great.
Someone in a previous thread about ex-NSA Russell Tice asked "Say what you like about Snowden, but at least some of his claims have been backed up by evidence. What have these guys got? Why not name names?"
I responded with:
A stay in a penitentiary partly managed by SAIC[1].
Digitally stalked due to dissent by for-profit "Domain Awareness Centers" run by SAIC[2].
Persistent targeting, one way or another, by drones managed by SAIC[3].
Now after this, I can add "Hunting and exposing swaths of users so as to pursue/prosecute/rendition/drone a few via disseminating exploits used against those that dare encrypt their traffic[4]".