There’s definitely more to this, but essentially what’s reported in the Irish Independent.ie is that a guy called Eric Marques, allegedly an operator of Freedom Hosting, is being extradited by the United States government for being the ‘biggest facilitator of child pornography’, and was lifted sometime on 29th July. A straightforward case of someone getting caught doing something naughty? Not quite. The story gets interesting.
Was this another politically-motivated attack on our freedoms? Initially I thought so, given the US government’s reputation for privacy invasions and malicious hacking. There was also a question of exactly how guilty Marques was, as there’s a difference between being ignorant of a crime and actually being responsible for it.
If we look deeper into this, it begins to look like the persons responsible had very good intentions. Firstly, there really were child pornographers using Freedom Hosting – a lot of very prolific ones. Secondly, nobody demonstrates an exploit unless they want to highlight a vulnerability, in this case a side channel attack against Tor that could also have been applied to any VPN or onion routing system.
The JS Exploit
What’s interesting here is the NSA, or whoever it was, made the code visible to everyone, and it’s definitely worth studying it to gain an understanding of how browser exploits in general work, and how malware installers can be loaded onto victims’ machines by visiting a dodgy web site.
From what I understand, the FBI or NSA compromised the Freedom Hosting servers around the time of Marques’ arrest, and planted their malware installer on the relevant hosting accounts before putting the services back online. It’s unclear exactly which services were affected, but some reckon it included TorMail – entirely possible, but the information it was siphoning off is only useful for a limited time.
Result? Whatever protection Tor might have provided has been defeated, and some intelligence or law enforcement agency now has a list of who visited which pages on Freedom Hosting’s servers.
The exploit itself is pretty hard to read quickly (although some researchers managed it), as most of the work is done by 31 variables/buffers of shellcode, and the bulk of that in a variable called ‘magneto’ (the payload itself). Vlad Tsyrklevich has posted the disassembled payload (that’s another thing I must learn) here with comments. Some of us can now modify this and swap it back into the exploit.
In that code, the IP addresses 220.127.116.11 and 18.104.22.168 were identified, and they were assigned to somebody by Verizon. Researchers considerably more skilled than myself have drawn a blank at a Verizon data centre in Virginia, although it does appear to have been within the range used by nsa.gov. The accuracy of the records has been disputed, so we can’t be fully certain. It looks like the NSA hinting that they were responsible.
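From a defender’s side, the useful thing about a payload that phones home to fixed addresses is that the addresses become a watchlist. The script below is an added example (not code from the post, and not the payload itself): it parses a handful of constructed firewall-style log lines and flags any internal host that connected to the two addresses quoted above. The log format (timestamp, source, destination:port, verdict) is an assumption, and the post itself notes the address records are disputed, so treat the watchlist as a starting point rather than proof.

```python
"""Flag outbound connections to the callback addresses named in the post.

Added example for illustration; the log format and sample lines are constructed
and are not from the original write-up.
"""
import ipaddress
import re

# The two addresses quoted in the post. Their attribution is disputed, so this is
# a watchlist to investigate, not an automatic verdict.
CALLBACK_IPS = {"220.127.116.11", "18.104.22.168"}

# Constructed sample log: "<timestamp> <src> <dst>:<port> <verdict>" (assumed format).
SAMPLE_LOG = """\
2013-08-04T01:12:03Z 10.0.0.5 220.127.116.11:80 ALLOW
2013-08-04T01:12:09Z 10.0.0.7 93.184.216.34:443 ALLOW
2013-08-04T01:13:41Z 10.0.0.5 18.104.22.168:80 ALLOW
2013-08-04T01:14:00Z 10.0.0.9 8.8.8.8:53 ALLOW
this line is garbage and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>[\d.]+):(?P<port>\d+)\s+(?P<verdict>\S+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        # Reject malformed destinations instead of letting them slip past the watchlist.
        ipaddress.ip_address(rec["dst"])
    except ValueError:
        return None
    rec["port"] = int(rec["port"])
    return rec


def find_callbacks(log_text, watchlist=CALLBACK_IPS):
    """Return (timestamp, src, dst, port) for every connection to a watchlisted address."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is not None and rec["dst"] in watchlist:
            hits.append((rec["ts"], rec["src"], rec["dst"], rec["port"]))
    return hits


def affected_hosts(log_text, watchlist=CALLBACK_IPS):
    """Distinct internal hosts that beaconed out; these are the machines to examine."""
    return sorted({src for _, src, _, _ in find_callbacks(log_text, watchlist)})


if __name__ == "__main__":
    for ts, src, dst, port in find_callbacks(SAMPLE_LOG):
        print(f"{ts} {src} -> {dst}:{port}")
    print("hosts to examine:", affected_hosts(SAMPLE_LOG))
```

Run against real proxy or firewall exports, the same two functions give you the list of machines that need a closer look; the point is that a hard-coded callback address is a weakness of the payload, not just of the people it was aimed at.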
Most people would see this effort as an attack on digital rights, but the outcome was actually quite favourable to us. Whoever was behind this openly demonstrated how anonymity can be broken through a side channel attack, and that Tor wasn’t quite as decentralised as we initially thought. And the beautiful thing about it is the code can be packaged, modified and repurposed by anyone motivated enough to compromise another web server, which is something I warned would (or rather will) happen if the US government started deploying its own malware.
Personally I doubt this was a political move against Tor users in general. It looks more like someone within a three/four letter agency settling scores with CP distributors, and perhaps sending a couple of messages while they were at it. Could it have been another vigilante at work? Not really, as the exploit and IP address harvesting system were ready prior to Eric Marques being arrested. The payload’s function was also very specific. As Kevin Poulsen at Wired.com put it: ‘Magneto reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them.’
Under the Cover of Digital Rights
Assuming that TorMail users weren’t the targets here (I have a couple of other strong reasons for making this assumption), this is not a Tor, privacy or digital rights issue, and Freedom Hosting pretty much needed to be kicked off. It’s unfortunate the business just happened to be hosting legitimate services.
a) The operators at Freedom Hosting knowingly had a substantial volume of CP on their servers, and just so there was no misunderstanding, they were presented with evidence of this by Anonymous back in 2011. Surely, over the course of two years, it might have occurred to them that this was a serious liability?
b) It can also be demonstrated that a good number of those distributing the material simply don’t care about privacy issues, as it took less than 15 minutes to start finding their profiles on the clearweb and a string of other CP forums they were frequenting. These people were using Tor for the sole purpose of covering their own asses while committing a crime involving real victims. They also get away with it by implicating innocent people, whether it’s through identity fraud or using someone else’s IP address.