That sounds like just another successful law enforcement operation against illicit online material, but this time there was a difference: Freedom Hosting and its customers were hidden, operating within the Tor network – an anonymous, encrypted subset of the Internet – to thwart the authorities. Users of the sites felt themselves invulnerable – they were using an encryption layer specifically designed to evade the spying eyes of state surveillance, among a thriving community of drug dealers, weapons sellers and porn traders. In 2011, Freedom Hosting was subjected to a denial-of-service attack in an Anonymous-led campaign dubbed Operation Darknet, but the outage was short-lived and the sites were back in business in short order, until the feds dropped the bomb this week.
This marks the first known instance of a government agency successfully targeting a host in the "deep Web". And while we cheer at the downfall of a community trafficking in child abuse, there are deeper implications for many other players too.
The authorities have been beefing up and flexing their online muscle in recent times, demonstrating that the illusion of anonymity is often only that: an illusion. In early 2012, it was revealed that Hector "Sabu" Monsegur, a senior member of Anon and Lulzsec, had been turned and was working as an FBI informant for nearly a year, giving the agency access to the inner workings of both groups and leading to high-level arrests. The FBI has also developed a track record of taking over Web sites dealing in illicit material, then allowing them to continue operation for a time, allowing users to be identified for future investigations and prosecution – most recently, the feds ran a captured child porn site for a fortnight, until its 5 000-strong user base had been sufficiently analysed, but this was far from an isolated case.
The attack against Freedom Hosting comprised several stages, and while the main objectives appear to be complete, mopping up will likely take months or years. Details are scanty, but the background can be pieced together from what is known.Finding the unfindable
The first problem for the authorities was finding who to attack. Freedom Hosting was hidden deep within the encrypted Tor network, inaccessible from the public Internet (see "Inside Tor and the deep Web" sidebar). But it was a Web hosting service, and like any hosting service, its various layers of operating software were open to attack. It appears the authorities, operating through Tor connections of their own, identified a vulnerability in Freedom Hosting's software, and compromised the servers, escalating their control to a point where customer Web sites could be taken over as well.
At some point in this time-frame, the site owner was identified as one Eric Eoin Marques – an American citizen living in Ireland. Marques could have already been under investigation, or identified through the attack on the hosting service – we may never know. But warrants for his arrest were granted in the US, and Irish authorities picked him up. At the time of publication, he has been denied bail as a flight risk, and is awaiting an extradition hearing.
With the sites under the control of the authorities, and the man described as the "largest child porn dealer on the planet" behind bars, the initial goals of the campaign would be met. But the agencies prefer to take these cases a step further; identifying the users and gathering evidence against them while they are unaware their porn dealer has turned honeypot.
Most users will feel a moment’s alarm, then go right back to browsing insecurely.
Well planned, but rushed?
The authorities now have a unique code and a real-world IP address to match the encrypted Tor connection to a real user.
Because of the speed of the final act, many observers have reacted to this incident as if the Freedom Hosting compromise was an overnight attack – this is unlikely. Chances are the site was compromised some time ago, as part of a long and well thought-out campaign. On the other hand, the final stage was clumsy enough to lend weight to the idea that the denouement could have been accelerated. The NSA could have done a great deal more to conceal its involvement, such as using a backdoor Trojan (raising the possibility that the hack was malicious), routing beacon traffic through a commercial hosting provider, and so on.
The attack itself made for fascinating watching as it unfolded, but the "what now" questions are where it gets interesting, because so many players are involved, from the criminals and the authorities, as well as legitimate Tor users, the network itself, and more.
…for the criminals
For the criminals, and the authorities, the slow-turning wheels of justice will grind on, but whether further investigations will be forthcoming is questionable. Operation Ore and Operation Avalanche in 1999 yielded many thousands of leads into potential child porn users, but resulted in relatively few prosecutions.
Anon's #OpPedoChat and #OpDarkNet turned over many IP addresses of users (of the very sites the FBI has targeted now) but resulted in no direct action (though it is possible the FBI got a leg up through Anon's efforts). However, the ability to concretely link an anonymous Tor user to an IP address accessing illegal material is among the best evidence a prosecutor could ask for, so we can hope that further investigations will be more extensive this time.
If they aren't, the material will likely resurface in short order. Although this attack may scare some users into inactivity for a while, the fundamentals of Tor (and other anonymous networks) remain solid, and there are other sites trading in illicit material anyway. Just as spam levels dip briefly when a profligate spammer is arrested, but then return to normal, we can probably expect similar results here. Supply and demand is a very real phenomenon in the black market, after all.
It is also likely that some criminal syndicates may be driven further underground, joining the tight-knit, closed communities where the phrase "dark net" truly does apply.
…for law enforcement
Just because you are hosting within a secretive network doesn’t protect you from the usual exploits.
The Tor network itself was unharmed in the making of this saga – the encryption, and the connection strategies, are still assumed to be whole and secure. The project organisers moved quickly to distance themselves from the incident, and to reassure users that the network was still secure.
…for other Tor users?
Like any big Web exploit, this should be a wake-up call for users, but probably won't. Most users will feel a moment's alarm, then go right back to browsing insecurely. The next time a similar exploit is conducted, as it surely will, it will also succeed. We can only hope that it is targeted against as deserving a community as the child pornographers, rather than legitimate whistleblowers or political activists.
Best practice and the best technologies are a powerful combination. But, as one law enforcement officer explained it to me: Criminals are stupid.
…for .onion operators
For other .onion site operators, hosting hidden services within the Tor network or elsewhere, this is a wake-up call. Just because you are hosting within a secretive network doesn't protect you from the usual exploits. And, whether you're operating a bulletin board for dissidents or hosting illegal material, chances are you are in the sights of someone in authority, who may well have access to an arsenal of exploit code. Take the appropriate steps.
The problem with Tor's .onion sites is finding them – you have to know their address. They aren't indexed by Google, or listed anywhere public. The truly secret sites are jealously guarded and shared among close communities, but inevitably information leaks, as sites become more popular and their users forget the first rule of Fight Club. For example, the Hidden Wiki, a community information portal within the Tor network, lists many of the illicit sites including their private .onion addresses.
…for privacy in general
For some time now, the Tor project has been high on the list of technologies held up to demonstrate how security tech can be used to thwart authorities. The last few months have demonstrated that the authorities have kept pace, developing their technologies and skills to attack anonymous networks, crack encryption, and effect surveillance deep within the online services we use every day.
Best practice and the best technologies are a powerful combination. But, as one law enforcement officer explained it to me: "Criminals are stupid." Most users eventually make basic mistakes, leaving gaps for authorities to penetrate. And these campaigns demonstrate one thing clearly: the authorities are very, very patient.
So expect more attacks against online communities like this. Lolita City was a high-value target for the feds – Silk Road may well be next (and if that goes, watch out for BitCoinageddon – the virtual currency operates in a close symbiosis with the underground marketplace). Political activists and journalists are also likely candidates. We're in for interesting times.
Our comments policy does not allow anonymous postings. Read the policy here