
Re: [tor-talk] How FBI Pinpointed Silk Road's Server



On 09/10/2014 11:23 PM, Jim wrote:
> Wired has recently published an article about how the FBI claims to have
> found Silk Road's server:
> 
> http://www.wired.com/2014/09/the-fbi-finally-says-how-it-legally-pinpointed-silk-roads-server/
> 
> 
> The FBI claims:
> 
> "As they typed 'miscellaneous' strings of characters into the login
> page's entry fields, Tarbell writes that they noticed an IP address
> associated with some data returned by the site didn't match any known
> Tor 'nodes,' the computers that bounce information through Tor's
> anonymity network to obscure its true source."
> 
> I don't see how that is possible, regardless how badly misconfigured the
> server is.  When the server is accessed as a Tor hidden service it
> doesn't know the client's IP address.  So the only way it can respond is
> back through Tor.  Unless by "typing miscellaneous strings" they managed
> to infect the server with something that contacted an FBI machine via
> clearnet, similar to Magneto.  Am I missing something?  Or are they
> stretching the meaning of "typing miscellaneous strings"?  Or outright
> lying?

If the server is properly configured for securely hosting a hidden
service, what you say is true. But that apparently wasn't the case here,
no matter what tools FBI agents may have used.

If the webserver and tor process are running on the same machine, the
webserver might serve on 127.0.0.1:8080. The tor process would listen on
that address:port, and might forward to myonionaddressis.onion:80.

An SSH port is also necessary, and that must also be configured as a
hidden service. It's best to use a separate onion address, and not just
a different port (say port 2020 forwarded to 22). The same approach
should have been used for any other apps needing remote access.

The server's firewall would block all incoming, forwarding and outgoing
traffic by default, and allow outgoing traffic only by the tor process
(identified by userid). That userid would be running nothing else except
tor. That way, neither the webserver nor sshd etc could reach the
Internet, except through Tor.

However, if the server's firewall wasn't properly configured, direct
outgoing connections (bypassing Tor) might have been permitted by sshd,
webserver, php, mysql and/or some other app. That's a big fail.

Also, for a hidden service like Silk Road, it would have been prudent
(extremely so) to segregate all server apps and the tor process on
separate machines (or at least, on separate VMs). Separating webserver
and backend databases on separate machines would also have been wise.
That would have provided redundant protection against misconfiguration
and/or compromise.

Firewalls on both webserver and tor process machines would block
everything by default except for two sorts of connections. Connections
would be allowed between server apps and the tor process, and between
the tor process and the Internet. In both cases, connections would be
locked down by userid and address:port to prevent leaks outside Tor.
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
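The single-machine layout and firewall policy described in the reply above, written out as an added example; this is constructed for this page and is not code from the thread's author or from the Tor project. It assumes the Debian tor service user name debian-tor, a webserver bound to 127.0.0.1:8080, sshd bound to 127.0.0.1:22, and the iptables-restore rule format. The script only prints the rules and the torrc fragment so they can be reviewed before being applied as root; the hidden-service directories are placeholder paths.

```shell
#!/bin/sh
# Assumptions (constructed for this example, not taken from the thread):
#   - tor runs as the system user "debian-tor" and nothing else runs as that uid
#   - the webserver listens only on 127.0.0.1:8080, sshd only on 127.0.0.1:22
#   - both are reachable solely through HiddenServicePort lines in torrc
TOR_USER=debian-tor

# Default-deny iptables policy: the only process allowed to originate traffic
# off the box is the tor uid. Prints iptables-restore input; does not apply it.
tor_only_rules() {
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback only: tor connects to the local webserver/sshd, nothing else leaves
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# replies to connections that tor itself opened toward the Tor network
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# only the tor uid may talk to the Internet
-A OUTPUT -m owner --uid-owner ${TOR_USER} -j ACCEPT
# anything else trying to leave (sshd, webserver, php, mysql, DNS lookups)
# is a leak attempt: log it so it shows up in detection, then reject it
-A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "tor-leak: "
-A OUTPUT -j REJECT
COMMIT
EOF
}

# torrc fragment: one onion address per service, as the reply recommends,
# rather than a second port on the web service's address.
# Directory paths are placeholders.
torrc_fragment() {
    cat <<EOF
HiddenServiceDir /var/lib/tor/web_hs/
HiddenServicePort 80 127.0.0.1:8080
HiddenServiceDir /var/lib/tor/ssh_hs/
HiddenServicePort 22 127.0.0.1:22
EOF
}

# usage:  sh tor-lockdown.sh rules | sudo iptables-restore
#         sh tor-lockdown.sh torrc >> /etc/tor/torrc
case "${1:-}" in
    rules) tor_only_rules ;;
    torrc) torrc_fragment ;;
esac
```

The LOG rule is the defender's counterpart to the leak the Wired article describes: if any non-tor process on the box ever tries to reach the clearnet, it appears in the kernel log with the "tor-leak:" prefix instead of silently revealing the server's address.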