Tor is a great honeypot for people who don't know tradecraft.
On Mon, Jan 27, 2014 at 12:17 PM, Rich Jones <[email protected]> wrote:

> http://www.wired.com/threatlevel/2014/01/tormail/
>
> Bonus link for y'all. Hope you used PGP. Happy monday!
>
> R
>
> If You Used This Secure Webmail Site, the FBI Has Your Inbox
>
> - By Kevin Poulsen <http://www.wired.com/threatlevel/author/kevin_poulsen/>
> - 01.27.14
> - 6:30 AM
>
> While investigating a hosting company known for sheltering child porn last year the FBI incidentally seized the entire e-mail database of a popular anonymous webmail service called TorMail.
>
> Now the FBI is tapping that vast trove of e-mail in unrelated investigations.
>
> The bureau’s data windfall, seized from a company called Freedom Hosting, surfaced in court papers last week when prosecutors indicted a Florida man for allegedly selling counterfeit credit cards online. The filings show the FBI built its case in part by executing a search warrant on a Gmail account used by the counterfeiters, where they found that orders for forged cards were being sent to a TorMail e-mail account: “[email protected].”
>
> Acting on that lead in September, the FBI obtained a search warrant for the TorMail account, and then accessed it from the bureau’s own copy of “data and information from the TorMail e-mail server, including the content of TorMail e-mail accounts,” according to the complaint <http://www.justice.gov/usao/nj/Press/files/pdffiles/2014/Roberson,%20Sean%20Complaint.pdf> (.pdf) sworn out by U.S. Postal Inspector Eric Malecki.
>
> The tactic suggests the FBI is adapting to the age of big-data with an NSA-style collect-everything approach, gathering information into a virtual lock box, and leaving it there until it can obtain specific authority to tap it later. There’s no indication that the FBI searched the trove for incriminating evidence before getting a warrant. But now that it has a copy of TorMail’s servers, the bureau can execute endless search warrants on a mail service that once boasted of being immune to spying.
>
> “We have no information to give you or to respond to any subpoenas or court orders,” read TorMail’s homepage. “Do not bother contacting us for information on, or to view the contents of a TorMail user inbox, you will be ignored.”
>
> In another e-mail case, the FBI last year won a court order compelling secure e-mail provider Lavabit to turn over the master encryption keys <http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/> for its website, which would have given agents the technical ability to spy on all of Lavabit’s 400,000 users – though the government said it was interested only in one. (Rather than comply, Lavabit shut down and is appealing the surveillance order).
>
> TorMail was the webmail provider of choice for denizens of the so-called Darknet <http://www.wired.com/opinion/2013/10/thompson/> of anonymous and encrypted websites and services, making the FBI’s cache extraordinarily valuable. The affair also sheds a little more light on the already-strange story of the FBI’s broad attack on Freedom Hosting, once a key service provider for untraceable websites.
>
> Freedom Hosting specialized in providing turnkey “Tor hidden service” sites — special sites, with addresses ending in .onion, that hide their geographic location behind layers of routing, and can be reached only over the Tor anonymity network. Tor hidden services are used by those seeking to evade surveillance or protect users’ privacy to an extraordinary degree – human rights groups and journalists as well as serious criminal elements.
>
> By some estimates, Freedom Hosting backstopped fully half of all hidden services at the time it was shut down last year — TorMail among them. But it had a reputation for tolerating child pornography on its servers. In July, the FBI moved on the company and had the alleged operator, Eric Eoin Marques, arrested at his home in Ireland. The U.S. is now seeking his extradition for allegedly facilitating child porn on a massive scale; hearings are set to begin in Dublin this week.
>
> According to the new document, the FBI obtained the data belonging to Freedom Hosting’s customers through a Mutual Legal Assistance request to France – where the company leased its servers – between July 22, 2013 and August 2 of last year.
>
> That’s two days before all the sites hosted by Freedom Hosting, including TorMail, began serving an error message with hidden code embedded in the page, on August 4.
>
> Security researchers dissected the code and found it exploited a security hole <http://www.wired.com/threatlevel/2013/08/freedom-hosting/> in Firefox to de-anonymize users with slightly outdated versions of Tor Browser Bundle, reporting back to a mysterious server in Northern Virginia. Though the FBI hasn’t commented (and declined to speak for this story), the malware’s behavior was consistent with the FBI’s spyware deployments <http://www.wired.com/threatlevel/2009/04/fbi-spyware-pro/>, now known as a “Network Investigative Technique.”
>
> No mass deployment of the FBI’s malware had ever before been spotted in the wild.
>
> The attack through TorMail alarmed many in the Darknet, including the underground’s most notorious figure — Dread Pirate Roberts, the operator of the Silk Road drug forum, who took the unusual step of posting a warning on the Silk Road homepage. An analysis he wrote on the associated forum now seems prescient.
>
> “I know that MANY people, vendors included, used TorMail <http://en.reddit.com/r/SilkRoad/comments/1jrnhx/important_security_announcement_from_dpr_himself/>,” he wrote. “You must think back through your TorMail usage and assume everything you wrote there and didn’t encrypt can be read by law enforcement at this point and take action accordingly. I personally did not use the service for anything important, and hopefully neither did any of you.” Two months later the FBI arrested <http://www.wired.com/threatlevel/2013/10/silk-road-raided/> San Francisco man Ross William Ulbricht as the alleged Silk Road operator.
>
> The connection, if any, between the FBI obtaining Freedom Hosting’s data and apparently launching the malware campaign through TorMail and the other sites isn’t spelled out in the new document. The bureau could have had the cooperation of the French hosting company that Marques leased his servers from. Or it might have set up its own Tor hidden services using the private keys obtained from the seizure, which would allow it to adopt the same .onion addresses used by the original sites.
>
> The French company also hasn’t been identified. But France’s largest hosting company, OVH, announced on July 29 <http://forum.ovh.com/showthread.php?89685-Le-nouveau-contrat-de-serveur-dedie>, in the middle of the FBI’s then-secret Freedom Hosting seizure, that it would no longer allow Tor software on its servers. A spokesman for the company says he can’t comment on specific cases, and declined to say whether Freedom Hosting was a customer.
>
> “Wherever the data center is located, we conduct our activities in conformity with applicable laws, and as a hosting company, we obey search warrants or disclosure orders,” OVH spokesman Benjamin Bongoat told WIRED. “This is all we can say as we usually don’t make any comments on hot topics.”

-- 
Kelly John Rose
Toronto, ON
Phone: +1 647 638-4104
Twitter: @kjrose
Skype: kjrose.pr
Gtalk: [email protected]
MSN: [email protected]
Document contents are confidential between original recipients and sender.
