In the article
http://www.zdnet.com/beyond-silk-roa...bi-7000035604/
is described how the FBI seized many darknet sites running within the Tor ecosystem.
"On Sunday, the Tor Project group said they were 'as surprised as most of you' at the seizure, but have 'very little information about how this was accomplished.'
The Tor Project said it has no idea how the hidden services were located, but 'is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents.' However, there are a number of plausible scenarios which could explain the mass takedown.
The operators of hidden websites may have failed to use adequate operational security, or common web bugs like SQL injections or RFIs (remote file inclusions) may have been exploited by undercover agents. In addition, as Tor relays were potentially seized — according to the group — the Tor network may have been attacked in order to unveil the locations of these hidden services."
Also see:
http://www.newsroomamerica.com/story...websites_.html
There are several well-known recent breaks in SSL security, too (example:
http://www.linux-magazine.com/Online...ession-Cookies )
and php security.
Even worse, as has been my opinion for years, there is an overabundant use of Javascript / JQuery in web sites that are a fundamental security risk, IMO.
I rarely allow Javascript (yet it is increasingly fundamental for trivial websites). I understand this shifts computing necessity from a backend server to the user's computer and is desirable to large websites, but it also easily allows "spyware" code snippets to constantly be downloaded to the user's computer.
The FBI details having setting up honey-pot and fake websites with such code snippets aimed at "targets." Unless a target were using Tails 100% of the time and never connected using their unprotected IP address, a code snippet unwittingly remaining on their computer could then be used to triagulate their IP address / location without having to actually defeat Tor. (Of course, this is even easier to cross-correlate with the undoubted rogue Tor relays that security agencies likely have in place to monitor Tor traffic.)
See:
http://www.statecolumn.com/2014/10/f...-fake-website/
In short, unless one uses all security measures at all times, security is not complete. No Javascript. Encryption at all times. Never use a secure computer only "part-time with (all) security enabled". The Tor developers have said this for years, and one does not need to assume a break in the Tor protocol to explain surveillance successes in tracking Tor users.
As Javascript-requiring websites have become increasingly pervasive, I see end-users' security slipping and becoming sloppier and sloppier. They assume that if so many websites are using it, it must be safe, and are lulled into a false (self-deluded) sense of security. Big data and backend providers are hardly secure (witness increasingly common big-database thefts). "Functionality first, security second" has always been the software developers' mindset, but I think that mindset is dangerous.
Here's an example. A fully functional, fast text-based email server named SquirrelMail has been around for years and is quite functional and rather secure (especially when used with encrypted messages). Most meaningful email is text-based anyway. Is there really a need for all the photos and links and texting and Facebook add-ons (all of which are security risks) built into the email server using Javascript extensions? MS Outlook was despised for a decade or so for being extremely insecure (largely due to all the scripted functions linking to extraneous services provided by Microsoft servers), but now we see Yahoo (now bought by MS) and Google and other email providers acting in the same fashion. Heck, they mine the messages just to provide ads! A lot of people may actually like this, but it is the furthest thing from private or secure.
I am not particularly fond of (and am very against) Silk Road, and weapons and drug trading and other illegal activities, but I also realise government agencies are often corrupt, stupid, erroneous, and dangerous in their own measure ( cf. http://www.calgaryherald.com/technol...432/story.html ), and believe strongly in privacy and good security. Besides, there's a famous saying (I think it's from Greece): "If the government can spy on you, so can the criminals."
Here's some initial basic security steps I like:
http://ubuntuguide.org/wiki/Kubuntu_Trusty_Privacy
http://www.zdnet.com/beyond-silk-roa...bi-7000035604/
is described how the FBI seized many darknet sites running within the Tor ecosystem.
"On Sunday, the Tor Project group said they were 'as surprised as most of you' at the seizure, but have 'very little information about how this was accomplished.'
The Tor Project said it has no idea how the hidden services were located, but 'is most interested in understanding how these services were located, and if this indicates a security weakness in Tor hidden services that could be exploited by criminals or secret police repressing dissents.' However, there are a number of plausible scenarios which could explain the mass takedown.
The operators of hidden websites may have failed to use adequate operational security, or common web bugs like SQL injections or RFIs (remote file inclusions) may have been exploited by undercover agents. In addition, as Tor relays were potentially seized — according to the group — the Tor network may have been attacked in order to unveil the locations of these hidden services."
Also see:
http://www.newsroomamerica.com/story...websites_.html
There are several well-known recent breaks in SSL security, too (example:
http://www.linux-magazine.com/Online...ession-Cookies )
and php security.
Even worse, as has been my opinion for years, there is an overabundant use of Javascript / JQuery in web sites that are a fundamental security risk, IMO.
I rarely allow Javascript (yet it is increasingly fundamental for trivial websites). I understand this shifts computing necessity from a backend server to the user's computer and is desirable to large websites, but it also easily allows "spyware" code snippets to constantly be downloaded to the user's computer.
The FBI details having setting up honey-pot and fake websites with such code snippets aimed at "targets." Unless a target were using Tails 100% of the time and never connected using their unprotected IP address, a code snippet unwittingly remaining on their computer could then be used to triagulate their IP address / location without having to actually defeat Tor. (Of course, this is even easier to cross-correlate with the undoubted rogue Tor relays that security agencies likely have in place to monitor Tor traffic.)
See:
http://www.statecolumn.com/2014/10/f...-fake-website/
In short, unless one uses all security measures at all times, security is not complete. No Javascript. Encryption at all times. Never use a secure computer only "part-time with (all) security enabled". The Tor developers have said this for years, and one does not need to assume a break in the Tor protocol to explain surveillance successes in tracking Tor users.
As Javascript-requiring websites have become increasingly pervasive, I see end-users' security slipping and becoming sloppier and sloppier. They assume that if so many websites are using it, it must be safe, and are lulled into a false (self-deluded) sense of security. Big data and backend providers are hardly secure (witness increasingly common big-database thefts). "Functionality first, security second" has always been the software developers' mindset, but I think that mindset is dangerous.
Here's an example. A fully functional, fast text-based email server named SquirrelMail has been around for years and is quite functional and rather secure (especially when used with encrypted messages). Most meaningful email is text-based anyway. Is there really a need for all the photos and links and texting and Facebook add-ons (all of which are security risks) built into the email server using Javascript extensions? MS Outlook was despised for a decade or so for being extremely insecure (largely due to all the scripted functions linking to extraneous services provided by Microsoft servers), but now we see Yahoo (now bought by MS) and Google and other email providers acting in the same fashion. Heck, they mine the messages just to provide ads! A lot of people may actually like this, but it is the furthest thing from private or secure.
I am not particularly fond of (and am very against) Silk Road, and weapons and drug trading and other illegal activities, but I also realise government agencies are often corrupt, stupid, erroneous, and dangerous in their own measure ( cf. http://www.calgaryherald.com/technol...432/story.html ), and believe strongly in privacy and good security. Besides, there's a famous saying (I think it's from Greece): "If the government can spy on you, so can the criminals."
Here's some initial basic security steps I like:
http://ubuntuguide.org/wiki/Kubuntu_Trusty_Privacy
Comment