
Re: [tor-talk] Warning: Do NOT use my mirrors/services until I have reviewed the situation



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

At this moment in time I have shut down the servers where I can to
preserve any information on the disks and will be getting backups as
soon as possible. I have scraped some logs together which I will sort
into some legible format when I can but I need to get a backup sent
out somewhere first just in the event I am raided or other issues arise.

The code on the mirrors does not appear to have been altered but
those mirrors are on the same physical server as several relays and
are split into several virtual machines. I need to await my partner
who maintains that server before I want to do much more with it as he
is better placed to collect information given I do not have access to
my SSH keys right now.

Again I have to stress to everyone I have zero proof this is the work
of law enforcement, it could just be a datacenter staffer making some
kind of work screw up or checking something - I honestly don't know at
this point. However this is similar to what happened on a previous
raid at Snel which I raised in the Paris meeting in summer. (Pepjin
pop me an email please!)

- -T

Jacob Appelbaum:
> Hi,
> 
> On 12/21/14, Thomas White <thomaswhite@xxxxxxxxxx> wrote:
>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA512
>> 
>> Node fingerprints are as follows, please blacklist ASAP. Some 
>> servers are accessible via their KVM again but not networked.
>> 
>> D78AB0013D95AFA60757333645BAA03A169DF722 
>> 6F545A39D4849C9FE5B08A6D68C8B3478E4B608B 
>> 5E87B10B430BA4D9ADF1E1F01E69D3A137FB63C9 
>> 0824CE7D452B892D12E081D36E7415F85EA9988F 
>> 35961469646A623F9EE03B7B45296527A624AAFD 
>> 1EA968C956FBC00617655A35DA872D319E87C597 
>> E5A21C42B0FDB88E1A744D9A0388EFB2A7A598CF 
>> 5D1CB4B3025F4D2810CF12AB7A8DDDD6FC10F139 
>> 722B4DF4848EC8C15302C7CF75B52C65BAE3843A 
>> 93CD9231C260558D77331162A5DC5A4C692F5344 
>> A3C3D2664F5E92171359F71931AA2C0C74E2E65C 
>> 575B40EF095A0F2B13C83F8485AFC56453817ABF 
>> 27780F5112DEB64EA65F987079999B9DC055F7C0 
>> 54AA16946DB0CF7A8FA45F3B48A7D686FD1A1CEF 
>> 1EB8BDA15D27B3F9D4A2EDDA58357EA656150075 
>> 17A522BC05A0D115FC939B0271B8626AAFB1DDFF 
>> 1324EC51FBFA5FD1A11B94563E8D2A7999CD8F57
>> 
> 
> Thank you for reporting this possible compromise. Hopefully the 
> thieves will be brought to justice!
> 
> It sounds like if possible, one should very carefully consider if 
> they want to have USB enabled in their kernel. If possible, remove 
> it or replace it with a module that logs details on devices - 
> perhaps triggering a panic?
> 
> I've rejected your relays like so:
> 
> # torrc changes
> # thecthulhu reports unknown compromise December 21st, 2014
> AuthDirReject 77.95.224.187
> AuthDirReject 89.207.128.241
> AuthDirReject 5.104.224.15
> AuthDirReject 128.204.207.215
> 
> # approved-routers changes
> # thecthulhu reports compromise December 21st, 2014
> !reject D78AB0013D95AFA60757333645BAA03A169DF722
> !reject 6F545A39D4849C9FE5B08A6D68C8B3478E4B608B
> !reject 5E87B10B430BA4D9ADF1E1F01E69D3A137FB63C9
> !reject 0824CE7D452B892D12E081D36E7415F85EA9988F
> !reject 35961469646A623F9EE03B7B45296527A624AAFD
> !reject 1EA968C956FBC00617655A35DA872D319E87C597
> !reject E5A21C42B0FDB88E1A744D9A0388EFB2A7A598CF
> !reject 5D1CB4B3025F4D2810CF12AB7A8DDDD6FC10F139
> !reject 722B4DF4848EC8C15302C7CF75B52C65BAE3843A
> !reject 93CD9231C260558D77331162A5DC5A4C692F5344
> !reject A3C3D2664F5E92171359F71931AA2C0C74E2E65C
> !reject 575B40EF095A0F2B13C83F8485AFC56453817ABF
> !reject 27780F5112DEB64EA65F987079999B9DC055F7C0
> !reject 54AA16946DB0CF7A8FA45F3B48A7D686FD1A1CEF
> !reject 1EB8BDA15D27B3F9D4A2EDDA58357EA656150075
> !reject 17A522BC05A0D115FC939B0271B8626AAFB1DDFF
> !reject 1324EC51FBFA5FD1A11B94563E8D2A7999CD8F57
> 
> All the best, Jacob
> 

- -- 
Activist, anarchist and a bit of a dreamer.

Current Fingerprint: E771 BE69 4696 F742 DB94 AA8C 5C2A 8C5A 0CCA 4983
Key-ID: 0CCA4983
Master Fingerprint: DDEF AB9B 1962 5D09 4264 2558 1F23 39B7 EF10 09F0
Key-ID: EF1009F0

Twitter: @CthulhuSec
XMPP: thecthulhu at jabber.ccc.de
XMPP-OTR: 4321B19F A9A3462C FE64BAC7 294C8A7E A53CC966
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
-- 
tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx
To unsubscribe or change other settings go to
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk
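Jacob's quoted reply above rejects the reported relays in two places: by IP address in the directory authority's torrc (`AuthDirReject`) and by identity fingerprint in `approved-routers` (`!reject`). The fingerprints in the thread are hex SHA-1 digests, whereas the `r` lines of a Tor consensus carry the same identity as unpadded base64, so an operator checking which of the reported relays are currently listed (and which IPs to reject) has to convert between the two. The script below is an added example written for this page, not code from the thread or from the Tor project. It takes the fingerprints quoted in the thread, converts them to the consensus form, scans a consensus-style text for matches, and renders the two config fragments. The consensus excerpt is constructed for the example (documentation IP addresses, placeholder descriptor digests); the helper names and the `note` parameter are the example's own assumptions.

```python
import base64
import re
from typing import Dict, List

# Relay fingerprints quoted in the thread (hex SHA-1 identity digests).
REPORTED_FINGERPRINTS = [
    "D78AB0013D95AFA60757333645BAA03A169DF722",
    "6F545A39D4849C9FE5B08A6D68C8B3478E4B608B",
    "5E87B10B430BA4D9ADF1E1F01E69D3A137FB63C9",
    "0824CE7D452B892D12E081D36E7415F85EA9988F",
    "35961469646A623F9EE03B7B45296527A624AAFD",
    "1EA968C956FBC00617655A35DA872D319E87C597",
    "E5A21C42B0FDB88E1A744D9A0388EFB2A7A598CF",
    "5D1CB4B3025F4D2810CF12AB7A8DDDD6FC10F139",
    "722B4DF4848EC8C15302C7CF75B52C65BAE3843A",
    "93CD9231C260558D77331162A5DC5A4C692F5344",
    "A3C3D2664F5E92171359F71931AA2C0C74E2E65C",
    "575B40EF095A0F2B13C83F8485AFC56453817ABF",
    "27780F5112DEB64EA65F987079999B9DC055F7C0",
    "54AA16946DB0CF7A8FA45F3B48A7D686FD1A1CEF",
    "1EB8BDA15D27B3F9D4A2EDDA58357EA656150075",
    "17A522BC05A0D115FC939B0271B8626AAFB1DDFF",
    "1324EC51FBFA5FD1A11B94563E8D2A7999CD8F57",
]

HEX_FP = re.compile(r"^[0-9A-F]{40}$")


def hex_to_consensus_id(hex_fp: str) -> str:
    """40-hex-char fingerprint -> unpadded base64 identity as used in 'r' lines."""
    fp = hex_fp.replace(" ", "").upper()
    if not HEX_FP.match(fp):
        raise ValueError(f"not a relay fingerprint: {hex_fp!r}")
    return base64.b64encode(bytes.fromhex(fp)).decode("ascii").rstrip("=")


def consensus_id_to_hex(identity: str) -> str:
    """Inverse of hex_to_consensus_id: restore the '=' padding and decode."""
    return base64.b64decode(identity + "=").hex().upper()


def parse_r_lines(consensus_text: str) -> List[Dict]:
    """Extract nickname, identity, IP and ORPort from each 'r' line."""
    relays = []
    for line in consensus_text.splitlines():
        parts = line.split()
        if len(parts) < 9 or parts[0] != "r":
            continue
        relays.append({"nickname": parts[1], "identity": parts[2],
                       "ip": parts[6], "orport": int(parts[7])})
    return relays


def find_reported(consensus_text: str, fingerprints: List[str]) -> List[Dict]:
    """Relays from the consensus whose identity matches a reported fingerprint."""
    wanted = {hex_to_consensus_id(fp): fp.upper() for fp in fingerprints}
    hits = []
    for relay in parse_r_lines(consensus_text):
        fp = wanted.get(relay["identity"])
        if fp:
            hits.append({**relay, "fingerprint": fp})
    return hits


def render_torrc(hits: List[Dict], note: str) -> str:
    """AuthDirReject lines (one per distinct IP) for a directory authority torrc."""
    lines = [f"# {note}"]
    lines += [f"AuthDirReject {ip}" for ip in sorted({h["ip"] for h in hits})]
    return "\n".join(lines)


def render_approved_routers(fingerprints: List[str], note: str) -> str:
    """!reject lines for approved-routers, keyed by hex fingerprint."""
    lines = [f"# {note}"]
    lines += [f"!reject {fp.upper()}" for fp in fingerprints]
    return "\n".join(lines)


# Constructed sample consensus excerpt (not real data): two reported relays
# plus one unrelated relay; IPs are documentation addresses, digests are dummies.
DUMMY_DIGEST = "AAAAAAAAAAAAAAAAAAAAAAAAAAA"
SAMPLE_CONSENSUS = "\n".join([
    "network-status-version 3",
    f"r relayA {hex_to_consensus_id(REPORTED_FINGERPRINTS[3])} {DUMMY_DIGEST} "
    "2014-12-21 10:00:00 198.51.100.10 9001 9030",
    "s Fast Running Valid",
    f"r relayB {hex_to_consensus_id(REPORTED_FINGERPRINTS[0])} {DUMMY_DIGEST} "
    "2014-12-21 10:00:00 198.51.100.11 443 0",
    "s Fast Running Valid",
    f"r innocent {DUMMY_DIGEST} {DUMMY_DIGEST} 2014-12-21 10:00:00 203.0.113.5 9001 0",
    "s Fast Running Valid",
])

if __name__ == "__main__":
    note = "thecthulhu reports unknown compromise December 21st, 2014"
    matches = find_reported(SAMPLE_CONSENSUS, REPORTED_FINGERPRINTS)
    print(render_torrc(matches, note))
    print()
    print(render_approved_routers(REPORTED_FINGERPRINTS, note))
```

Rejecting by fingerprint is the durable control, since the relay operator (or whoever holds the keys now) can move to a new IP but cannot change the identity without the network treating it as a new relay; the IP rejects are the short-term stopgap for the addresses seen in the consensus at the time.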