FBI Admits It Controlled Tor Servers Behind Mass Malware Attack

[stojanon 0]

Original source : http://www.wired.com/threatlevel/2013/09/freedom-hosting-fbi/

[dd79 15]

VPNs next?

[InactiveUser 188]

VPNs next?

 

 

The sad reality is - nothing can really protect you from big-budget agencies. Not Tor, not VPNs.

They (NSA, GCHQ, FBI, ...) already attack / sniff VPN users whenever they can:

 

- decrypting flawed VPN crypto / protocols (like PPTP)

- matching incoming / outgoing traffic flows if they're unable to break the crypto

 

Using VPNs with good crypto - like AirVPN - requires them to fall back to the second method, which is more work, so we should definitely keep using VPNs to make it harder for them.

 

 

P.S.: the title saying "Controlled Tor Servers" makes it sound as if they compromised Tor and its node infrastructure itself. This is not the case. They "only" took over one website hosting service. This attack could have been carried out with a pwned www site just as well. Tor itself was and is fine. The out-dated browser that was exploited to harm Tor users wasn't. This is a subtle but encouraging difference to me.

[pj 72]

 

VPNs next?

 

The sad reality is - nothing can really protect you from big-budget agencies. Not Tor, not VPNs.

They (NSA, GCHQ, FBI, ...) already attack / sniff VPN users whenever they can:

 

- decrypting flawed VPN crypto / protocols (like PPTP)

- matching incoming / outgoing traffic flows if they're unable to break the crypto [...]

 

Hello,

 

very well written.

 

I would like to add: beware, apparently there's an ongoing campaign that tries to infiltrate the absurd idea in the "common person" that encryption and/or usage of TOR or VPNs is useless. On the contrary, all the currently leaked documents show clearly and exactly the opposite: strong encryption is the best friend of privacy and it works so well that NSA fears it to the point to require backdoors and software vendors cooperation. Now we see how NSA was/is trying to bypass encryption, not to attack it. It seems that strong encryption and PFS are some of the worst enemies in the NSA PRISM plans etc.

 

About "- matching incoming / outgoing traffic flows if they're unable to break the crypto" can be misleading to someone: it insinuates the idea that this is a "last resort" if the "crypto attack" fails. Everybody should be aware how difficult it is to correlate, even in a low latency network, encrypted traffic flows bouncing in different countries and subnets. And that should be done for every and each person that uses a VPN, TOR, I2P, Freenet... or even worse TOR over VPN or VPN over TOR etc.

 

The more people do that, the "more impossible" the NSA etc. task becomes: NSA plan best scales to entire networks, not to single endpoints. According to Schneier: "The primary way the NSA eavesdrops on Internet communications is in the network. That's where their capabilities best scale. They have invested in enormous programs to automatically collect and analyze network traffic. ... Anything that requires them to attack individual endpoint computers is significantly more costly and risky for them, and they will do those things carefully and sparingly."

 

The above are probably two of the reasons for which this subtle campaign has started. A widespread usage of strong encryption, end-to-end encryption, PFS and different routing (for example TOR over a VPN) is a remarkable menace to the economical feasibility and to the effectiveness of the networks monitoring program core, forcing again to allocate resources to single endpoints computers attacks, with consequent enormous increases in costs and risks which make the task again unfeasible. That's why it's important (for "them") to spread some concepts such as "encryption is useless, then why bother about it?", "nothing to hide nothing to fear" and all that crap.

 

Kind regards

[hashtag 151]

This was a JavaScript exploit of an outdated browser targeted at a single operating system. Even then it would not have worked if you were behind a VPN. In this scenario it would be more useful to talk about how to stop your website from getting hacked.

There was a post on the Silkroad forum from someone who claimed to have obtained an internal document of the Australian Federal Police from a family member. In this document the police say their worst nightmare is if everyone started using PGP.

The other thing that needs to happen is that people need to understand what free software is, why it is important and the difference between free and open source. The world is ruled by evil psychopaths. These people are almost entirely responsible for financing the malware industry. Either you control the software or they will control you through their DRM-locked backdoored systems.