back to article STAY AWAY: Popular Tor exit relays look raided

As foreshadowed last week, Tor network exit nodes have gone down after what appear to be raids by law enforcement authorities. Thomas White (@CthulhuSec) warned users to steer clear of his Tor servers after he lost control following what he's called "unusual activity" that meant "I have now lost control of all servers under …

  1. Christian Berger

    It doesn't matter if they actually found a technical attack against Tor

    The intention obviously is to scare away people from using Tor for obvious reasons.

    1. Matt Bryant Silver badge
      Facepalm

      Re: Christian Berger Re: It doesn't matter if they actually found a technical attack against Tor

      The intention obviously is to scare away criminals from using Tor for crime-prevention reasons (paranoid wannabes scaring themselves silly is just an amusing side-effect).

      TFTFY

  2. Gordon 10

    Foreshadowed me arse

    How on earth does a few exit nodes being taken down relate at all to the directory servers being taken down?

    Presumably this guy had a sizable set of servers operating as exit nodes but I would actually like to know what proportion of the available TOR bandwidth his servers represent - presumably it's peanuts.

  3. AustinTX

    Protecting my current TOR client

    So, I'm advised to "avoid using" a list of TOR exits and services. Very well and good, but how do I do this? My TOR client fires up and picks it's relays and exits automatically. Is there a patch I can install or a file I should edit?

    1. Ole Juul

      Re: Protecting my current TOR client

      So, I'm advised to "avoid using" a list of TOR exits and services. Very well and good, but how do I do this?

      I don't think you need to do anything. The servers are now blacklisted, so that should take care of that.

      From what I can tell, the Tor exit cluster operator in question is doing the right thing, but seems a bit confused himself. He talks about it here. My feeling is that this could very well be an unrelated situation which is getting over-reported because of the earlier Tor announcements. When I read the following, I can't help but think that the ISP could be screwing around and it's all just a minor and local incident.

      5. Support staff at the ISP have confirmed to me there has been unauthorised access to my account. This could be down to the fact I access the control panel often via Tor (yes, using TLS before anybody asks), however it does raise the prospect of a non-LE person(s) being behind this but does not explain why a chassis intrusion was detected for example or anything else to do with on-board sensors.

      1. streaky

        Re: Protecting my current TOR client

        Chassis intrusion doesn't just happen. I would assume if the host is saying they know nothing about it to assume they've been told not to saying anything - and they absolutely will comply.

        1. Mark 65

          Re: Protecting my current TOR client

          Technical question - would he have been automatically notified about the chassis intrusion by the machine itself and how? I'm interested from a purely geek perspective of knowing how it is setup and works.

          1. squigbobble

            Re: Protecting my current TOR client

            I've had a PC with a microswitch built into the case that was triggered when you took the side off it, I think it logged an event in the BIOS or somet'. Presumably it's the same sort of thing for a rackserver.

          2. streaky

            Re: Protecting my current TOR client

            "would he have been automatically notified about the chassis intrusion by the machine itself and how"

            IPMI et al I'd assume.

            No kidding though USB followed by that pretty much screams somebody touched it - pretty standard "it was approached by somebody w/crash cart and opened it up"; then you have to wonder why if they're denying it. If it's me I destroy the data on the drives, reinstall and start from clean backups because all the rootkit hunter tools in the world won't solve that problem.

          3. NogginTheNog

            Re: Protecting my current TOR client

            Decent spec hardware (Dell, HP, IBM, Fujitsu to name the ones I'm familiar with) have sensors for many hardware events, including case openings. These will be logged in some form of system management log, but if there's a remote management unit installed (eg. DRAC, ILO, IMM) then these can also be configured to fire off alerts via email, SNMP, etc.

            1. DropBear

              Re: Protecting my current TOR client

              Sure, I've seen that microswitch a couple of times. But I have to wonder how hard would it be for any serious attacker with physical access to simply employ some "can opener" of some sort or other to bypass it (or even just good old-fashioned shims to keep it depressed) - those switches were not designed to provide any sort of serious security after all...

              1. streaky

                Re: Protecting my current TOR client

                "those switches were not designed to provide any sort of serious security after all"

                They're not supposed to be physical security, they're logical security. The physical security is who swiped their card and what in the DC at the time the alert pinged; presto you're fired and the lawyers are looking into taking action.

                As to bypassing them - it wildly depends on the hardware, some are better than others, and at the end of the day it could have been the chap either forgot or if it's maybe in a colo suite (which is highly likely by the sounds of things) might not have even know it has intrusion detection or assumed alerts weren't configured (they very rarely are) or wasn't aware of the location of it.

                If you're a DC tech and you see the same servers over and over and you know where it is it's one thing, if you're lets say hypothetically an interpol lackey and you're doing the business under the gaze of the DC company's lawyer (again totally hypothetically) there's a fair chance you've never even heard of such a thing or you again assume it isn't even enabled.

                None of this is totally unreasonable in any way.

                Like I said nuke it from orbit - start again with clean either HDD's or servers entirely (latter option might be total overkill). If you have any doubt about your file system integrity (security) it's the only way. Also probably look at getting some crypto in there..

                1. Wzrd1 Silver badge

                  Re: Protecting my current TOR client

                  First, for a rack mounted server, there would be no reason to open the case. At all.

                  One need only use the KVM to monitor it and one's magic USB tools to do data collection on it.

                  I'll call bullshit on it as well, as I was using my research machine from 15:30 to 00:30 today at work and it's on TOR. Didn't have any performance issues at all.

                2. J. R. Hartley

                  Re: nuke it from orbit

                  It's the only way to be sure.

          4. Alan Brown Silver badge

            Re: Protecting my current TOR client

            As long as you have things setup to do so, impi will notify you of everything that's happening on the box.

  4. Nick Kew
    Trollface

    If you've nothing to hide ...

    ... then perhaps you should be using Tor at times when it's suspected something might be compromised. Give the spooks a run for their money chasing ElReg Commentards. Provide the haystack for the needles who really need it to hide in.

    1. batfastad

      Re: If you've nothing to hide ...

      Yep, I use Tor every so often for mundanely pointless browsing.

      But remember kids, please don't pull your t0rrents of "Miss Congeniality Cruise Control 2 Return Of The King" or any other generic Holywood tripe down through it.

      1. Alan Brown Silver badge

        Re: If you've nothing to hide ...

        "Yep, I use Tor every so often for mundanely pointless browsing."

        For real paranoia, setup one of those browserbots which masks your own activity in bucketloads of random pointless browsing and link following.

    2. Alan Brown Silver badge

      Re: If you've nothing to hide ...

      Alternatively, use Tor for everything.

      The logic behind this is simple and the same as behind advice to encrypt everything, not just your sensitive stuff.

      If you only encypt the sensitive stuff, then the badguys automatically know that if it's encrypted it's worth looking it. If you encrypt everything then they don't know if it's your laundry list or your bank details.

  5. herman

    Tor RTFM

    https://www.torproject.org/docs/tor-manual.html.en

    ExcludeExitNodes node,node,…

    A list of identity fingerprints, nicknames, country codes and address patterns of nodes to never use when picking an exit node---that is, a node that delivers traffic for you outside the Tor network. Note that any node listed in ExcludeNodes is automatically considered to be part of this list too. See also the caveats on the "ExitNodes" option below.

    1. Martin-73 Silver badge

      Re: Tor RTFM

      Read the F***ing manual, the exitnodes option plain doesn't work. Keeps erroring out with 'expected accept or reject' or some crap. Not met anything quite that badly documented before

  6. Pascal Monett Silver badge

    "I haven't even mentioned a specific agency and the theories are already flowing"

    Is there any doubt that the NSA is behind it all ?

    Goaded by MPAA, perhaps ?

    Who doesn't really matter to me. Any state security organization has the authority to mandate chassis intrusion and intimidating ISPs into silence. And anything they find will, in the end, end up on NSA servers somewhere. The NSA is just the tip of the surveillance society iceberg we are now living in.

    1. robmobz
      Black Helicopters

      Re: "I haven't even mentioned a specific agency and the theories are already flowing"

      His twitter suggests that he is in the UK so I suspect MI5.

      1. Pascal Monett Silver badge

        He may well be from the UK, but the NSA is listening to everyone.

      2. Carlo Graziani

        Re: "I haven't even mentioned a specific agency and the theories are already flowing"

        According to traceroute+whois, all those nodes listed in the article are on LANs in the Netherlands.

      3. Vociferous

        Re: "I haven't even mentioned a specific agency and the theories are already flowing"

        > His twitter suggests that he is in the UK so I suspect MI5.

        This kind of thing is much easier to do in the EU than the US. So yeah, almost certainly some european security service, albeit at the request of the US (it's believed this is the beginning of the payback for the Sony hack).

        1. Wzrd1 Silver badge

          Re: "I haven't even mentioned a specific agency and the theories are already flowing"

          "This kind of thing is much easier to do in the EU than the US. So yeah, almost certainly some european security service, albeit at the request of the US (it's believed this is the beginning of the payback for the Sony hack)."

          Why bother? The NSA cracked TOR a handful of years ago.

      4. Matt Bryant Silver badge
        Facepalm

        Re: robmobz Re: "I haven't even mentioned a specific agency and the theories are already flowing"

        "His twitter suggests that he is in the UK so I suspect MI5." What , you didn't leap straight to James Bond? Sorry to piss all over your fantasy, but such activity in the UK would be conducted by the Police, most likely the NCCU (http://en.m.wikipedia.org/wiki/National_Cyber_Crime_Unit).

        1. Alan Brown Silver badge

          Re: robmobz "I haven't even mentioned a specific agency and the theories are already flowing"

          Or the CIty of London Police - good at making noisy press releases about having raided a "pirate" but not so noisy when the CPS throws out the case because they don't have a leg to stand on.

          One might ask why the govt keeps throwing millions of pounds at them when all they seem to be doing is making a bigger target for false arrest and related claims.

    2. Wzrd1 Silver badge

      Re: "I haven't even mentioned a specific agency and the theories are already flowing"

      "Is there any doubt that the NSA is behind it all ?"

      The NSA doesn't have agents that serve warrants and physically touches servers. They're part of the DoD and are prohibited from doing any such thing in the US.

      The FBI can and does such things.

      Meanwhile, I was using TOR on my research computer all afternoon, through midnight Eastern time. Zero problems.

      So, I call bullshit on this one.

  7. Philip Virgo

    US spook comms saved from attack by who: North Korea?

    Remembering that TOR was created by US Naval Intelligence to protect its secure communications, including from leak from other agencies, I read the e-mails from the TOR organisers rather differently. My conclusion is that they have now reviewed the situation and are satisfied that those agents whose security was not breached by Manning and Snowden remain safe. Whether or not you believe that they not know or suspect who attempted the breach is up to you. My guess is that it was not the FBI or NSA but a foreign power, perhaps North Korea as a proxy for ... take your pick ... they need the money now that the falling oil price has destroyed their sales of conventional weapons.

    1. streaky

      Re: US spook comms saved from attack by who: North Korea?

      It is pretty clear from the Snowden leaks if they are to be believed (and I've seen no evidence suggesting they aren't) that certainly GCHQ relies pretty heavily on TOR and wouldn't want to screw around with it's security model.

  8. Anonymous Coward
    Anonymous Coward

    Why not have the server automatically shut down

    If someone opens the chassis while it is running or plugs in a USB device? Or go into some sort of suspended state where it needs him to input his PGP key or whatever to restart it?

    Having monitoring that detects "server is now unsafe" but leaves the unsafe server running is kind of stupid.

    1. Vociferous

      Re: Why not have the server automatically shut down

      > needs him to input his PGP

      Not handing over encryption keys when law enforcement asks for them is a serious crime in the UK, punishable by up to five years imprisonment. The situation is much the same for intentionally destroying the information on the server. I guess the best is to make the server forgetful by design, e.g. not storing logs of anything sensitive, with small and regularly flushed caches, and those who happen to be using it when it's seized by the secret service, well, they're just SOL.

      1. streaky

        Re: Why not have the server automatically shut down

        "Not handing over encryption keys when law enforcement asks for them is a serious crime in the UK, punishable by up to five years imprisonment"

        In criminal cases yes. Couple of things - there are reasons to pop people's servers (legally and otherwise) when there is no criminal case pending against the server owner. If it's any kind of secret service alphabet from anywhere in the world they won't ask they'll just pop it open and rootkit it which is why elsewhere I suggested to kill the data on the servers and start afresh.

        Other potential adversaries are organised crime and a civil suit directed at the servers via a warrant that could potentially be executed without even talking to the owners of the servers (happens all the time) and no such law exists in civil cases.

        As for the actual law itself in criminal cases I still don't believe it's been tested properly due to the lack of controls and the fact I don't believe that crypto keys have "an existence independent of the will of the suspect" (Saunders v UK) - there's no case law AFAIK that says they do - any more than a memory of what somebody was doing at some time on some date or "how many drinks sir has had tonight". If you write it down on the other hand..

        1. Matt Bryant Silver badge
          Facepalm

          Re: streaky Re: Why not have the server automatically shut down

          ".....If it's any kind of secret service alphabet from anywhere in the world they won't ask they'll just pop it open and rootkit it....." The GCHQ and NCCU types are not newbs, they know all about chassis switches. I would be very surprised if they needed to open the case to root a server seeing as all the fun bits (such as the disks) are usually accessible from the front and/or rear. It's more likely they would cut the power to stop any deleting of data, remove and clone the disks, and then only look inside if they suspected an internally-attached USB drive if they really needed to (and with a snake cam they don't even need to open the case to look inside - http://www.advanced-intelligence.com/optics.html#!vid016). The remote operator sees a power-cut, easily explained, and then his node pops back into life with him none the wiser to any added code.

    2. Aitor 1

      Re: Why not have the server automatically shut down

      Errr, no, it is way more safe than doing it otherwise. It is a SILENT ALARM.

      You would know, but the attackers probably wouldn't.

  9. Aitor 1

    servers are unsafe

    their firmware might be compromised, or maybe the nics are compromised.

    they opened them, therefore they installed something: not safe.

  10. Anonymous Coward
    Anonymous Coward

    Epic Register Fail

    There is no indication at all that this is related to what was "foreshadowed last week", which was about Tor's directory system not any collection of Tor network relays.

    More to the point:

    From Thomas White's post to tor-talk, Mon, 22 Dec 2014 16:57:26 +0000, of a list of what is known and advisable about these events

    "9. Media: Please do not report this as a Tor network compromise. Those severs held not just Tor stuff and the IPs/fingerprints were blacklisted very quickly thanks to ioerror who I talked to privately with what little information I had at the time. The blacklists were precautionary and we had no evidence then it was actually compromised. The reporting of suspicious circumstances and being proactive when it comes to system security is very important, especially where there is a responsibility to other users."

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like