A dark web tycoon pleads guilty, but how was he caught?

168 points, by havella, over 5 years ago

13 comments

marta_morena, over 5 years ago
This sounds fishy. He probably pleaded guilty as part of a plea deal, so law enforcement has a scapegoat and some meaningless "media success" in exchange for him getting a drastically reduced sentence. They always do that: threaten people with insane penalties if they don't accept such a shitty plea deal, and if you are not super certain that you can win, you will likely accept that one, just because it seems "safer".

There are a LOT of cases like this; most of them just don't gain this publicity. Actually, 95% of court cases never reach court because of this. Innocent people plead guilty because they don't have the wealth and resources to win in court. The USA is a shithole when it comes to law enforcement. Medieval and sad. Land of the free (as long as you are rich, that is).
[3 replies not loaded: #22293406, #22292909, #22294128]
searcher1, over 5 years ago
If you're wondering why a web host, who could potentially be immune to prosecution under CDA 230, was charged with the distribution of child pornography: according to the warrant [1], an admin of one of the pedo sites claimed that Freedom Hosting had "full control" over the websites (well, he had root access to the servers, but so did OVH), was patching the websites, that the pedo site hosting was free, and that he assumed that Marques covered the hosting costs as a service to the "pedo community". Technically the prosecutors might have had to prove that he knew what the sites were hosting, but he did plead guilty. Hopefully the actual operators of the pedo sites are found and prosecuted, and not just this sysadmin.

[1] https://www.courtlistener.com/recap/gov.uscourts.mdd.247657/gov.uscourts.mdd.247657.13.1.pdf
[2 replies not loaded: #22292755, #22293282]
ohmygodel, over 5 years ago
Running a hosting server for onion services, as was done in this case, is a terrible idea. It greatly increases the risk of deanonymization. The question is less how this hosting service was discovered and more how it ever stayed up long enough to become so notorious. Here's why:

1. Each hidden service chooses a "guard" relay to serve as the first hop for all connections.

2. A server running multiple hidden services has a guard for each of them. Each new guard is another chance to choose a guard run by the adversary.

3. An adversary running a fraction p of the guards (by bandwidth) has a probability p of being chosen by a given hidden service. A hosting service with k hidden services is exposed to k guards and thus has ~kp probability of choosing an adversary's guard. With, say, 50 hidden services, an adversary with only 2% of guards has nearly 100% chance of being chosen by one of those 50 hidden services.

4. The adversary can tell when it is chosen as a guard by connecting to the hidden service as a client and looking for a circuit with the same pattern of communication as observed at the client. Bauer et al. [0] showed a long time ago this worked even using only the circuit construction times.

5. The adversary's guard can observe the hidden service's IP directly.

The risk of deanonymization with onion services in general (i.e. even not using an onion hosting service) is significant against an adversary with some resources and time. Getting 1% of guard bandwidth probably costs <$500/month using IP transit providers (e.g. relay 8ac97a37 currently has 0.3% guard probability with only ~750Mbps [1]). And every month or so a new guard is chosen, yielding another chance to choose an adversarial guard. Not to mention the risk of choosing a guard that isn't inherently malicious but is subject to legal compulsion in a given jurisdiction (discovering the guard of a hidden service has always been and remains quite feasible with little time or money, as demonstrated by Øverlier and Syverson [2]).

[0] "Low-Resource Routing Attacks Against Tor" by Kevin Bauer, Damon McCoy, Dirk Grunwald, Tadayoshi Kohno, and Douglas Sicker. In the Proceedings of the Workshop on Privacy in the Electronic Society (WPES 2007), Washington, DC, USA, October 2007.

[1] https://metrics.torproject.org/rs.html#details/014E24C0CD21D2B9829E841D5EC1D3C415F866BF

[2] "Locating Hidden Servers" by Lasse Øverlier and Paul Syverson. In the Proceedings of the 2006 IEEE Symposium on Security and Privacy, May 2006.
[10 replies not loaded: #22292356, #22295600, #22294894, #22294457, #22294140, #22293677, #22293593, #22292753, #22293274, #22299272]
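The guard-exposure arithmetic in the comment above, worked through as an added Python example (this is not code from the thread, from Tor, or from the paper cited): it computes the exact probability 1 - (1 - p)^(k·r) that at least one of k co-hosted onion services picks an adversary-controlled guard over r independent guard selections, alongside the ~kp first-order approximation used in point 3, and the guard-bandwidth fraction an adversary would need to reach a target hit probability. The model (each service picks one guard independently, weighted by bandwidth; one re-selection per period) and every input other than p = 0.02 and k = 50 are assumptions made for the example.

```python
"""Guard-selection exposure for a host running many onion services.

Assumed model (not from the thread): every onion service independently
selects one entry guard; an adversary holding a fraction p of guard
bandwidth is chosen with probability p per selection; each service
re-selects its guard once per period, giving `rotations` selections
over the window of interest. All inputs except p = 0.02 / k = 50 are
constructed for illustration.
"""


def p_any_adversarial_guard(p: float, k: int, rotations: int = 1) -> float:
    """Exact probability that at least one of k services lands on an
    adversarial guard across `rotations` independent selections each:
    1 - (1 - p)^(k * rotations)."""
    if not 0.0 <= p <= 1.0:
        raise ValueError("p must be a probability in [0, 1]")
    if k < 1 or rotations < 1:
        raise ValueError("k and rotations must be positive integers")
    return 1.0 - (1.0 - p) ** (k * rotations)


def linear_approximation(p: float, k: int, rotations: int = 1) -> float:
    """The ~k*p estimate from the comment (union bound), capped at 1.
    Accurate only while k*p*rotations is well below 1."""
    return min(1.0, p * k * rotations)


def guard_fraction_for_target(target: float, k: int, rotations: int = 1) -> float:
    """Smallest adversary guard fraction p that reaches hit probability
    `target` with k services over `rotations` selections, by inverting
    the exact formula: p = 1 - (1 - target)^(1 / (k * rotations))."""
    if not 0.0 <= target < 1.0:
        raise ValueError("target must be in [0, 1)")
    return 1.0 - (1.0 - target) ** (1.0 / (k * rotations))


def exposure_table(p: float, service_counts, rotations: int = 1):
    """(k, exact, approx) rows for a fixed adversary fraction, so the
    divergence between the exact figure and k*p is visible."""
    return [
        (k,
         round(p_any_adversarial_guard(p, k, rotations), 3),
         round(linear_approximation(p, k, rotations), 3))
        for k in service_counts
    ]


if __name__ == "__main__":
    # The comment's scenario: 2% of guard bandwidth, 50 co-hosted services.
    for k, exact, approx in exposure_table(0.02, [1, 5, 10, 25, 50, 100]):
        print(f"k={k:>3}  exact={exact:.3f}  ~kp={approx:.3f}")
    # A single service, 1% adversary, re-selecting its guard 12 times.
    print("single service, 1%, 12 selections:",
          round(p_any_adversarial_guard(0.01, 1, 12), 3))
    # Guard fraction needed for a coin-flip chance against 50 services.
    print("p for 50% vs 50 services:",
          round(guard_fraction_for_target(0.5, 50), 4))
```

Two things a practitioner should take from running it: for p = 0.02 and k = 50 the union bound saturates at 1.0 while the exact value is about 0.64, so "nearly 100%" is the linear estimate, not the exact one; and the rotations term matters as much as k, since a single service with a 1% adversary still crosses roughly 11% after a dozen guard selections.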
agoristen, over 5 years ago
This report came out only a few months before he was caught: https://www.reddit.com/r/onions/comments/1guiav/we_have_analyzed_tor_hidden_services_and_shown/

He was likely de-anonymized through this technique or a similar one. The issue was that he trusted the Tor network to keep him anonymous and paid for the servers with his real identity.
[3 replies not loaded: #22293839, #22292504, #22292185]
jokoon, over 5 years ago
Isn't it rather trivial to find who is accessing a website if you can manage to monitor Tor nodes? Just do some heuristics, to see when traffic happens, and over time narrow down users.

If you're the FBI and have the authority to monitor the whole internet, isn't it trivial to catch any Tor user?

Tor is still secure, but of course if you are the government and have skilled engineers, time and admin access to the internet infrastructure (by legit or covert means; I'm pretty sure the US can monitor traffic outside its jurisdiction), Tor is not safe. But Tor is still safe from countries other than the US, unless the US government has a problem with what you're doing.

I would still be curious to see if Tor counters this problem by passively sending traffic to avoid it. Anyway, I stand that there are 2 kinds of security: security against small bad actors, and security against competent, resourceful, big actors. The latter is usually impossible to get because it becomes extremely fastidious and complicated.
[1 reply not loaded: #22293683]
jascii, over 5 years ago
The central premise of the article is that there is no disclosure regarding the vulnerability used, suggesting the existence of some unknown zero-day exploit.

Various well-documented analyses have linked this incident to "EgotisticalGiraffe", a well-known and since-fixed vulnerability.

FUD or lazy journalism? I mean, at least read the subject's Wikipedia page before publishing something.
[3 replies not loaded: #22291848, #22291850, #22291909]
casefields, over 5 years ago
Mirror: https://outline.com/L8ebnZ
ropiwqefjnpoa, over 5 years ago
I mean, it's not like he's just some TOR user they were after; he ran a huge dark web hosting service. There's so much traffic and data to work with, it was just a matter of time.
Causality1, over 5 years ago
It's strange to me that people who make a habit of doing fantastically illegal things on the internet are always so sloppy about it. Even if they don't have the technical ability to break into their neighbor's wifi or set up a long-range antenna to connect to an open access point, they can still get a burner smartphone and drive to a Starbucks. Back when I used to torrent my TV shows I didn't even let my piracy laptop touch my home network, and I never used that machine for anything other than downloading.
[11 replies not loaded: #22291914, #22291814, #22291443, #22291770, #22291721, #22292346, #22291520, #22291428, #22291577, #22291557, #22291412]
pier25, over 5 years ago
OTOH, if these techniques and vulnerabilities were made public it would benefit cybercriminals, as they could defend themselves better.
[6 replies not loaded: #22291487, #22291145, #22294503, #22292605, #22291663, #22291413]
SadWebDeveloper, over 5 years ago
AFAICR the bug used was the one reported as MFSA 2013-53, aka CVE-2013-1690 [1], but someone correct me if I'm wrong.

[1] https://www.mozilla.org/en-US/security/advisories/mfsa2013-53/
[1 reply not loaded: #22296494]
rahuldottech, over 5 years ago
Hacker Factor has a series of articles about various attacks on Tor: https://www.hackerfactor.com/blog/index.php?/archives/868-Deanonymizing-Tor-Circuits.html

The tor daemon really needs to be rewritten and audited. Apparently the codebase right now is a huge mess.
[4 replies not loaded: #22291551, #22291622, #22291433, #22292562]
Pigo, over 5 years ago
The military needs, or needed, Tor to be functioning and anonymous for their own use, correct?
[3 replies not loaded: #22291885, #22291737, #22291249]