Kyle Maxwell wrote:
Griffin Boyce wrote:Actually, no, I *am* surprised that they decided to not even bother trying to gift malware to Mac or Linux users.Probably just playing the odds, I'd suspect. Though they could've examined the access logs at some point - do we know either way on that?
Hey Kyle,With Freedom Hosting, I actually don't know. It seems like few technical details have come out of that case. However, I *do* know that they'd been hacked at various points, and the service had very poor security overall. The restrictions in place did not actually prevent php files from creating *other* types of scripts... Their sandboxing was reputedly quite bad, and for years they had no restrictions on resources that users could utilize. So creating an app designed to expand to occupy all resources on the server until it crashed was highly effective. The server itself may not even have kept access logs. It's unclear.
With SilkRoad[2], supposedly investigators imaged the entire drive, so this should still be possible. In any case, I think it's important to avoid taking the investigators' statements at face value. Weev mentioned that investigators made dubious technical statements in some places, and while I haven't read all of the documents to come out about this case, that's certainly within the realm of possibility.
There are likely still details that haven't come out yet about both cases (though I can't know for sure) and it's not entirely clear what level of technical expertise various people have.
Things that are important to note for hidden service operators:- Firewall rules are really useful for keeping out unwarranted scrutiny. - Don't hardcode your IP address in any links (though this is one of the least-likely theories). - Having a pseudonym isn't a replacement for excellent security practices.
- Don't run a hidden service host.- For best security, run your own services rather than relying on someone else's security. I feel like this is often overlooked in the name of "easiness" but it's really important IMO. [1]
best, Griffin[1] Incidentally, the hidden service documentation rewrite has been underway for a while now.
[2] As Salvador Dali once said "I don't do drugs, I *am* drugs." #fact -- tor-talk mailing list - tor-talk@xxxxxxxxxxxxxxxxxxxx To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk