[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [tor-talk] Wired Story on Uncovering Users of Hidden Services.



No. As I clarified previously, I recommend against running a hidden service for others to use as you are likely to be legally reasonable for their content.

On September 17, 2014 6:45:47 AM EST, "ÐÑÑÑÑ ÐÑÑÐÐÐÐ" <art.istom@xxxxxxxxx> wrote:
>On Wed, Sep 10, 2014 at 12:26:03AM -0400, Griffin Boyce wrote:
>> Kyle Maxwell wrote:
>> >Griffin Boyce wrote:
>> >>Actually, no, I *am* surprised that they decided to not even
>> >>bother trying to gift malware to Mac or Linux users.
>> >
>> >Probably just playing the odds, I'd suspect. Though they could've
>> >examined the access logs at some point - do we know either way on
>that?
>> 
>> Hey Kyle,
>> 
>>   With Freedom Hosting, I actually don't know.  It seems like few
>technical
>> details have come out of that case.  However, I *do* know that they'd
>been
>> hacked at various points, and the service had very poor security
>overall.
>> The restrictions in place did not actually prevent php files from
>creating
>> *other* types of scripts...  Their sandboxing was reputedly quite
>bad, and
>> for years they had no restrictions on resources that users could
>utilize.
>> So creating an app designed to expand to occupy all resources on the
>server
>> until it crashed was highly effective.  The server itself may not
>even have
>> kept access logs.  It's unclear.
>> 
>>   With SilkRoad[2], supposedly investigators imaged the entire drive,
>so
>> this should still be possible.  In any case, I think it's important
>to avoid
>> taking the investigators' statements at face value.  Weev mentioned
>that
>> investigators made dubious technical statements in some places, and
>while I
>> haven't read all of the documents to come out about this case, that's
>> certainly within the realm of possibility.
>> 
>>   There are likely still details that haven't come out yet about both
>cases
>> (though I can't know for sure) and it's not entirely clear what level
>of
>> technical expertise various people have.
>> 
>> Things that are important to note for hidden service operators:
>>   - Firewall rules are really useful for keeping out unwarranted
>scrutiny.
>>   - Don't hardcode your IP address in any links (though this is one
>of the
>> least-likely theories).
>>   - Having a pseudonym isn't a replacement for excellent security
>practices.
>>   - Don't run a hidden service host.
>>   - For best security, run your own services rather than relying on
>someone
>> else's security.  I feel like this is often overlooked in the name of
>> "easiness" but it's really important IMO. [1]
>
>Is it does not contradict with previous statement about "don't run a
>hidden service host"?
>-- 
>tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
>To unsubscribe or change other settings go to
>https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

-- 
"Hackers are not rockstars. You know who are rockstars? ROCKSTARS."
~Dan Kaminsky
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk