
There’s definitely more to this, but essentially what’s reported by the Irish Independent.ie is that a man called Eric Marques, allegedly an operator of Freedom Hosting, is facing extradition to the United States as the ‘biggest facilitator of child pornography’, and was arrested sometime on 29th July. A straightforward case of someone getting caught doing something naughty? Not quite. The story gets interesting.

Freedom Hosting operated a number of Tor hidden services, and these came back online shortly after Marques’ arrest, but something had been planted on them that exploited a JavaScript vulnerability in the browser of anyone who visited certain addresses with a slightly outdated version of Firefox. If the client machine was running Windows, the payload made it send its MAC address, IP address and hostname to a fixed IP address, over the open Internet rather than through Tor. Who deployed the malware, and why, is still a matter of speculation.

Was this another politically motivated attack on our freedoms? Initially I thought so, given the US government’s reputation for privacy invasions and malicious hacking. There was also the question of exactly how guilty Marques was, as there’s a difference between being ignorant of a crime and actually being responsible for it.

If we look deeper into this, it begins to look like the persons responsible had very good intentions. Firstly, there really were child pornographers using Freedom Hosting, a lot of very prolific ones. Secondly, nobody demonstrates an exploit unless they want to highlight a vulnerability, in this case one that sidesteps Tor altogether: compromise the browser, and the payload can phone home over the user’s real connection. The same approach would work against any VPN or onion routing system, since none of them can protect a client whose endpoint has been taken over.

The JS Exploit
What’s interesting here is that the NSA, or whoever it was, left the code visible to everyone, and it’s definitely worth studying to gain an understanding of how browser exploits in general work, and how malware installers get loaded onto victims’ machines simply by visiting a dodgy web site.

From what I understand, the FBI or NSA compromised the Freedom Hosting servers around the time of Marques’ arrest and planted their malware installer on the relevant hosting accounts before putting the services back online. It’s unclear exactly which services were affected, but some reckon it included TorMail. Entirely possible, but the information it was siphoning off is only useful for a limited time.
So a batch of CP distributors with a slightly outdated version of Firefox and JavaScript enabled visit the address, probably to check whether the site is back up, and the JavaScript vulnerability is triggered. The payload runs on their computers (think of it as an EXE, but one injected straight into the Firefox process) and sends the hostname, MAC address and IP address over the Internet, not over Tor, to another server in Virginia. The JavaScript also redirects the browser to a page that sets a cookie.
Result? Whatever protection Tor might have provided has been defeated, and some intelligence or law enforcement agency now has a list of real IP addresses and hostnames, tied to who visited which pages on Freedom Hosting’s servers.


The exploit itself is pretty hard to read quickly (although some researchers managed it), as most of the work is done by 31 variables/buffers of shellcode, the bulk of it in a variable called ‘magneto’ (the payload itself). Vlad Tsyrklevich has posted the disassembled payload here, with comments (disassembly is another thing I must learn). Some of us can now modify this and swap it back into the exploit.
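The first step in studying an exploit like this is getting the shellcode out of the JavaScript and into a form a disassembler will accept. Below is an added example of that step; it is not code from the Freedom Hosting exploit or from Tsyrklevich’s analysis, and the sample bytes in it are constructed. It assumes the encoding browser exploits of that era usually used for shellcode, unescape()-style strings made of ‘%uXXXX’ tokens (a UTF-16 code unit, stored little-endian so the low byte comes first in memory) and ‘%XX’ tokens (a single byte), and that the exploit glues several such variables together before using the result. The decoder rejects malformed tokens rather than silently skipping them, because a single skipped byte shifts every instruction that follows.

```javascript
// Added example, not code from the exploit or from Tsyrklevich's write-up.
// Assumes the shellcode is stored as unescape()-style "%uXXXX" / "%XX" strings
// split across several JavaScript variables, as browser exploits of the time
// commonly did. Sample data at the bottom is constructed, not the real payload.

// Decode one escaped string into raw bytes. "%uXXXX" is a UTF-16 code unit and
// lands in memory little-endian, so its low byte is emitted first.
function decodeEscapedShellcode(s) {
  const out = [];
  let i = 0;
  while (i < s.length) {
    if (s[i] !== '%') {
      throw new Error(`unexpected character ${JSON.stringify(s[i])} at offset ${i}`);
    }
    if (s[i + 1] === 'u') {
      const hex = s.slice(i + 2, i + 6);
      if (!/^[0-9a-fA-F]{4}$/.test(hex)) throw new Error(`malformed %u token at offset ${i}`);
      const unit = parseInt(hex, 16);
      out.push(unit & 0xff, unit >>> 8);
      i += 6;
    } else {
      const hex = s.slice(i + 1, i + 3);
      if (!/^[0-9a-fA-F]{2}$/.test(hex)) throw new Error(`malformed %XX token at offset ${i}`);
      out.push(parseInt(hex, 16));
      i += 3;
    }
  }
  return Uint8Array.from(out);
}

// Exploits spread the payload over many variables and concatenate them in
// JavaScript; reproduce that concatenation in the exploit's own order.
function assemblePayload(parts, order) {
  const chunks = order.map((name) => {
    if (!(name in parts)) throw new Error(`no such part: ${name}`);
    return decodeEscapedShellcode(parts[name]);
  });
  const buf = new Uint8Array(chunks.reduce((n, c) => n + c.length, 0));
  let off = 0;
  for (const c of chunks) { buf.set(c, off); off += c.length; }
  return buf;
}

// Printable ASCII runs, as `strings` would report them. In a payload that
// phones home over HTTP this is the quickest way to spot the request it builds
// before touching a disassembler. Instruction bytes that happen to be
// printable (0x50 "P" for push eax, for instance) will show up glued to them.
function extractStrings(bytes, minLen = 4) {
  const found = [];
  let run = '';
  for (const b of bytes) {
    if (b >= 0x20 && b <= 0x7e) {
      run += String.fromCharCode(b);
    } else {
      if (run.length >= minLen) found.push(run);
      run = '';
    }
  }
  if (run.length >= minLen) found.push(run);
  return found;
}

// Classic hexdump layout: offset, 16 hex bytes, ASCII column.
function hexdump(bytes) {
  const lines = [];
  for (let off = 0; off < bytes.length; off += 16) {
    const row = bytes.subarray(off, off + 16);
    const hex = Array.from(row, (b) => b.toString(16).padStart(2, '0')).join(' ');
    const asc = Array.from(row, (b) => (b >= 0x20 && b <= 0x7e ? String.fromCharCode(b) : '.')).join('');
    lines.push(`${off.toString(16).padStart(8, '0')}  ${hex.padEnd(47)}  ${asc}`);
  }
  return lines.join('\n');
}

// Constructed sample (NOT the real magneto payload): a short NOP sled, a few
// x86 instructions, and an HTTP request line mixing the two token forms.
const sampleParts = {
  sled: '%u9090%u9090',
  stub: '%uc031%u5050',                                     // xor eax,eax ; push eax ; push eax
  req:  '%u4547%u2054%u202f%u5448%u5054%u312f%u302e%0d%0a', // "GET / HTTP/1.0\r\n"
};
const sampleOrder = ['sled', 'stub', 'req'];

if (typeof require !== 'undefined' && require.main === module) {
  const payload = assemblePayload(sampleParts, sampleOrder);
  console.log(hexdump(payload));
  console.log('strings:', extractStrings(payload));
}
```

Write the returned Uint8Array to a file and feed it to your disassembler of choice as raw 32-bit x86; the strings pass first tells you whether you are looking at a downloader, an HTTP beacon or something else, which decides where to start reading.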


In that code, the IP addresses and were identified, and they were assigned by Verizon. Researchers considerably more skilled than myself have hit a dead end at a Verizon data centre in Virginia, although the address does appear to fall within a range used by nsa.gov. The accuracy of the records has been disputed, so we can’t be fully certain. It looks almost like the NSA hinting that they were responsible.

Most people would see this effort as an attack on digital rights, but the outcome was actually quite favourable to us. Whoever was behind it openly demonstrated how anonymity can be broken by attacking the endpoint rather than the network, and that Tor wasn’t quite as decentralised as we initially thought, given how much of it sat on one hosting provider. And the beautiful thing about it is that the code can be packaged, modified and repurposed by anyone motivated enough to compromise another web server, which is something I warned would (or rather will) happen if the US government started deploying its own malware.

Personally I doubt this was a political move against Tor users in general. It looks more like someone within a three/four letter agency settling scores with CP distributors, and perhaps sending a couple of messages while they were at it. Could it have been another vigilante at work? Not really, as the exploit and the IP address harvesting system were ready before Eric Marques was arrested. The payload’s function was also very specific. As Kevin Poulsen at Wired.com put it: ‘Magneto reads like the x86 machine code embodiment of a carefully crafted court order authorizing an agency to blindly trespass into the personal computers of a large number of people, but for the limited purpose of identifying them.’

Under the Cover of Digital Rights
Assuming that TorMail users weren’t the targets here (I have a couple of other strong reasons for making this assumption), this is not a Tor, privacy or digital rights issue, and Freedom Hosting pretty much needed to be taken down. It’s unfortunate that the business just happened to be hosting legitimate services as well.

a) The operators of Freedom Hosting knowingly had a substantial volume of CP on their servers, and, just so there was no misunderstanding, they were presented with evidence of this by Anonymous back in 2011. Surely, over the course of two years, it might have occurred to them that this was a serious liability?
b) It can also be shown that a good number of those distributing the material simply don’t care about privacy issues, as it took less than 15 minutes to start finding their profiles on the clearweb, along with a string of other CP forums they were frequenting. These people were using Tor for the sole purpose of covering their own asses while committing a crime with real victims. They also get away with it by implicating innocent people, whether through identity fraud or by using someone else’s IP address.