15-11-2015, 12:33 #1
[EN] What exactly is the dark web?
The “dark web” is a part of the world wide web that requires special software to access. Once inside, web sites and other services can be accessed through a browser in much the same way as the normal web.
However, some sites are effectively “hidden”, in that they have not been indexed by a search engine and can only be accessed if you know the address of the site. Special markets also operate within the dark web called, “darknet markets”, which mainly sell illegal products like drugs and firearms, paid for in the cryptocurrency Bitcoin.
There is even a crowdfunded “Assassination Market”, where users can pay towards having someone assassinated.
Because of the dark web’s almost total anonymity, it has been the place of choice for groups wanting to stay hidden online from governments and law enforcement agencies. On the one hand there have been whistleblowers using the dark web to communicate with journalists, but more frequently it has been used by pedophile groups, terrorists and criminals to keep their dealings secret.
There are a number of ways to access the dark web, including the use of Tor, Freenet and I2P. Of these, the most popular is Tor (originally called The Onion Router), partly because it is one of the easiest software packages to use. Tor downloads as a bundle of software that includes a version of Firefox configured specifically to use Tor.
Tor provides secrecy and anonymity by passing messages through a network of connected Tor relays, which are specially configured computers. As the message hops from one node to another, it is encrypted in a way that each relay only knows about the machine that sent the message and the machine it is being sent to.
Rather than conventional web addresses, Tor uses “onion” addresses, which further obscure the content. There are even special versions of search engines like Bing and Duck Duck Go that will return onion addresses for Tor services.
It is a mistake to think that Tor is entirely anonymous. If a web site is accessed, it can still potentially find out information about whoever is accessing the site because of information that is shared, such as usernames and email addresses. Those wanting to stay completely anonymous have to use special anonymity services to hide their identity in these cases.
Services on the dark web would not have been as popular without a means of paying for them. This is something that Bitcoin has made possible. A recent study by Carnegie Mellon researchers Kyle Soska and Nicolas Christin has calculated that drug sales on the dark net total US$100 million a year. Most, if not all, was paid for in Bitcoin.
Bitcoin is made even more difficult to track on the dark web through the use of “mixing services” like Bitcoin Laundry, which enables Bitcoin transactions to be effectively hidden completely.
How ‘dark’ is the dark web?
The developers of Tor and organizations like the Electronic Frontier Foundation (EFF) argue that the principal users of Tor are activists and people simply concerned with maintaining their privacy. Certainly, Tor has been used in the past for journalists to talk to whistleblowers and activists, including Edward Snowden.
However, even a cursory glance at the Hidden Wiki – the main index of dark websites – reveals that the majority of sites listed are concerned with illegal activities. Some of these sites are scams, and so it is not clear how easy it is to buy guns, fake passports and hire hackers from the services listed. But there are likely sites on the dark web where these things are entirely possible.
Although the dark web makes law enforcement agencies’ jobs much more difficult, they have had a great deal of success in bringing down sites and arresting their users and the people behind them. The most famous of these was the arrest of Ross Ulbricht, the person behind the most well known of the drug markets, Silk Road.
More recently, the FBI’s arrest of two users of a child abuse site on the dark web highlighted that they are now able to use a range of techniques to unmask Tor users’ real internet addresses.
15-11-2015, 12:35 #2
The crowdfunded “Assassination Market” was the central theme of an episode of the American series Blacklist.
15-11-2015, 13:17 #3
$30,000 to $1 Million -- Breaking Tor Can Bring In The Big Bucks
Thomas Fox-Brewster, Forbes Staff
I cover crime, privacy and security in digital and physical forms.
Nov 12, 2015
Earlier this year, before his company was torn apart by a security breach, I was having coffee with Eric Rabe, the mouthpiece for Hacking Team. The Italian organisation, which even its CEO called a “notorious” provider of government spyware, was looking to expand its line of products, Rabe said. That included targeting the anonymizing Tor network, where civil rights activists, researchers, paedophiles and drug dealers alike try to hide from the global surveillance complex.
Rabe wouldn’t say much more on how it might do that, but just a matter of weeks later, the leaks from the attack revealed their Tor exploits – a service that would see Hacking Team hardware placed on a target’s ISP to intercept their previously-hidden traffic. Given it was selling its malware for millions of dollars, one would expect its anti-Tor tools to be worth a fair sum too, such is the obsession amongst mandarins and snoops with the so-called “dark web”.
If it hasn’t already been made apparent, cops, spies and their contractors will pay anyone big money to break Tor. Unsubstantiated claims from the Tor Project that a pair of Carnegie Mellon (CMU) researchers were paid $1 million by the FBI to de-anonymize users are shocking not so much because of the figure, but because university researchers, not private dealers, were allegedly selling (keep in mind no one has admitted to any such deal and for now, the claims are based on hearsay and educated assumptions). There’s also been much anxiety around the techniques used – essentially catch-all exploits that could well have ensnared a vast number of innocent users, according to Tor Project leader Roger Dingledine. Was it justifiable to do that for the sake of catching a Silk Road 2 user and possibly some paedophiles?
There are, though, a vast number of those private exploit salesmen and women now focusing on Tor. A few times a year they share their exploits in private forums and exhibitions. Their hacks might place most Tor users in danger, but there’s currently not so much of a furore surrounding their business practices, even if concerns have been raised in the past.
Chaouki Bekrar, the founder of exploit sales firms VUPEN and Zerodium, says attacks targeting Tor nodes and de-anonymizing dark web users “are the holy grail of exploits for government agencies in charge of criminal investigations”. Zerodium, he says, is currently offering researchers up to $30,000 per zero-day exploit – an attack on an otherwise-unknown, unpatched vulnerability – targeting the Tor Browser Bundle. That’s the same Zerodium that offered a $1 million bounty for an untethered iPhone 6 jailbreak via browser exploits. As Zerodium will then sell zero-days on to interested parties, there’s likely a significant mark-up on that $30,000 by the time it is passed on to government agencies.
Bekrar believes a more targeted approach to identifying Tor denizens is better for law enforcement, however, rather than ensnaring large tranches of users to catch a few. “Targeting the Tor network itself by attacking or manipulating nodes to trace a few criminals is a dangerous practice as it may leak and threaten the identity of legitimate users, hence we always recommended to government investigators to use Tor Browser exploits instead as they can target a group of criminals without destabilizing the whole Tor network, and it’s more reliable and much cheaper,” he added.
Hacking Team’s Rabe, though coy about his company’s interest in Tor over email, expressed little surprise that a university may have been paid $1 million for such a service. “If the work led to shutting down a major drug bazaar on the Internet, law enforcement might well feel that $1 million was cheap compared to the lives potentially destroyed by the criminal activity.” “Clearly, any effort such as the one Tor alleged happened here would have significant value based on the time and expertise required as well.”
The company was due to talk at ISS World Training in Prague this summer about breaking Tor, in a presentation entitled “Demystifying SSL/TOR Interception: Attack case history and state-of-art countermeasures”. SSL is a web encryption protocol, shown in the address bar with the HTTPS prefix. The company’s CEO David Vincenzetti, operations manager Daniele Milan, and QA manager Fabrizio Cornelli were due to give the talk.
A brief look at the line-up for recent ISS conferences, which press and non-industry folk are not permitted to attend, also provides ample evidence that the dark web is a big seller. In October, the events organizer, TeleStrategies, provided a training seminar in Washington D.C. with the title “Understanding and Defeating Tor”.
The techniques described in the presentation’s blurb cover similar ground to the promises of the cancelled Black Hat talk from CMU. TeleStrategies’ Dr. Matthew Lucas, who told me his alma mater happens to be CMU, was focused on “identifying Tor traffic via IP lookups and protocol signatures”. He was also to guide law enforcement attendees through malware infection and uncovering “identity-related traffic outside the Tor stack”.
Dr. Lucas was due to give a talk about how Bitcoin and dark markets, such as the now-defunct drug bazaar Silk Road, worked together too. That was part of an entire track dedicated to the “Dark Web, Tor and Bitcoin Investigation”. There will be many, many more seminars on exposing those on Tor across a wide range of ISS events over the next year.
15-11-2015, 13:18 #4
OK to break Tor… most of the time
Why are Tor exploit sales deemed a depressing fait accompli but similar deals between academia and government are perceived as more ethically abhorrent? Universities across the world work closely with intelligence agencies and law enforcement, receiving significant funding in return.
CMU, for instance, hosts a major Computer Emergency Response Team (CERT) that regularly partners with government and law enforcement as they try to cope with manifold online threats. It is primarily funded by the U.S. Department of Defense and the Department of Homeland Security, and is widely seen as a boon to keep everyone abreast of the latest digital threats.
Born in the embryonic phase of the Cold War, the MIT Lincoln Laboratory, a federally-funded entity, continues to research ways to benefit national security. It has dedicated surveillance and cybersecurity arms.
In the UK, GCHQ is increasingly active in its sponsorship of universities. The Heilbronn Institute, for instance, comprises distinguished research fellows at various UK universities. Half their time is spent pursuing research directed by the spy agency. Their research output is esoteric and little is known about how GCHQ uses the fellows’ findings.
Just this week, GCHQ announced a £6.5 million scheme “to support cutting edge cyber security research and protect the UK in cyber space”. Again, who knows how GCHQ might use what it learns from the so-called CyberInvest project? It has certainly been interested in hacking Tor in the recent past.
Academics need that kind of sponsorship to get on with their work, to the extent that a $1 million payday from the FBI shouldn’t be much of a surprise if true. “Note that a £100,000 personal grant is barely sufficient to obtain a PhD in the UK for an EU citizen,” said Dr. Markku-Juhani O. Saarinen, a research fellow with the Centre for Secure Information Technologies at Queen’s University Belfast. “In CMU a small multiple of that would be required due to significantly larger tuition fees. Factor in administration, laboratories and other facilities, travel to conferences, etc., and a research project employing a couple of persons for a few years may easily cost $1 million.”
It’s also worth noting that the Tor Project has received significant grants from various parts of the US government – grants that help it stay up.
“I think Tor are being a little disingenuous,” said Professor Alan Woodward, a security expert from the University of Surrey, one of a handful of UK universities to have been named an Academic Centre of Excellence in Cyber Security Research, receiving a grant in the process. “CMU is a research-only university and relies on external funding from a variety of sources. Not a great surprise then that the US government would pay them for their expertise in this area.”
But, for many, if CMU really did give away a set of Tor exploits for $1 million, there are ethical difficulties. Saarinen said that if he had the chance to earn that much to crack Tor, he would take it, but he would ask for assurances he could report any findings back to the Tor team.
Keith Martin, from London’s Royal Holloway, said GCHQ provides both sponsorship of PhD projects and small grants for certain projects, though it is never requested by the intel agency. But, he said, if the stories were true about CMU, he’d see “an ethical clash between CMU’s apparent undermining of Tor and its technical support for Tor”. CMU not only helps run some of the nodes that make up the Tor network, but is believed to have set up malicious ones to carry out its attacks.
Matthew Green, cryptographer and professor at Johns Hopkins University, perhaps put it most eloquently in a blog post today: “Active attacks that affect vulnerable users can be dangerous, and should never be conducted without rigorous oversight — if they must be conducted at all. It begins with the idea that universities should have uniform procedures for both faculty researchers and quasi-government organizations like CERT, if they live under the same roof. It begins with CERT and CMU explaining what went on with their research, rather than treating it like an embarrassment to be swept under the rug.”
Whether true or not, Dingledine’s claims have brought up some big ethical questions that are, by their very nature, polarizing and possibly intractable. One fact that everyone can agree on, however, is that Tor is frequently shown to be flawed. For those who perceive Tor to be the home of drug dealers and paedophiles, this can only be a good thing. For those who see it as a beneficial tool for those who want to preserve their privacy and speak their mind away from the gaze of government, it’s simply depressing.
15-11-2015, 14:01 #5
Ethan Zuckerman @EthanZ Nov 11
University lab - possibly at CMU - worked with FBI to compromise Tor network, expose users - http://motherboard.vice.com/read/cou...-porn-suspects … Serious ethical issues
Edward Snowden @Snowden Nov 9
Worst vulns are only disclosed after adversary use detected or burned. Effective, but reckless. Severity matters.
Edward Snowden added,
Is it true Mr. @Snowden? #NSA claims it shares 91% of security flaws with its manufactures | https://www.hackread.com/nsa-zero-da...ility-sharing/ …