TORpedo'd dev dumps Doxbin files after police raids

An administrator of Tor hidden service site Doxbin taken down by the FBI last week has released log files in a bid to crowd-source an analysis of how the sites were captured. Former Doxbin admin NaChash (@loldoxbin) released the website files in hopes users would discover how it was discovered and shut down. His site was …

  1. Vociferous

    Ah, so that's what all the "darknet" propaganda was about.

    I was kind of wondering why police, politicians and press have spent the last two months harping about the unimaginable horrors of the darknet. I should've guessed they were preempting.

    Yeah, they may have onion-peeling software, but since it's EU, an added complication is that cops can monitor web sites and search the mandatory ISP logs at leisure.

    1. Anonymous Coward

      Re: Ah, so that's what all the "darknet" propaganda was about.

      A good few years ago I had a server on a 100MBs connection (when that was still fast!) and put a TOR node on it. My server had a small USB camera installed front and rear so I could check at all times what was going on in my CoLo.

      A few weeks after the TOR node was installed, I experienced a brief mysterious network disconnect that my hosting company told me was a switch outage. When I looked at the camera footage at the time they were obviously completely re-patching my server. I am 99% sure that it was actually being changed so that it could be monitored by the security services.

      So I would assume that all TOR nodes in all countries that Echelon has access to are directly monitored. I would suggest that given that level of monitoring - for which individual connections MIGHT still be relatively anonymous, but having that level of access, if you can target traffic at a particular host on the dark net, then statistical analysis would likely reveal its location...

      1. Anonymous Coward
        Happy

        Re: Ah, so that's what all the "darknet" propaganda was about.

        "was a switch outage. When I looked at the camera footage at the time they were obviously completely re-patching my server."

        To a switch that was still working perhaps?

        Sometimes the most obvious answer is the correct one.

        1. Anonymous Coward

          Re: Ah, so that's what all the "darknet" propaganda was about.

          "To a switch that was still working perhaps?"

          No - there was no network outage until they moved the patching - and it only lasted the duration of the move.

          Also they denied any patching work - and considering it was a large datacentre with core chassis switches via patching frames - such a failure would never require changing the in cabinet patching to a specific server. I think they were passing my traffic through another locally placed device like the DCS1000 / Carnivore.

      2. Dan Paul

        Re: Ah, so that's what all the "darknet" propaganda was about.

        Echelon is right. ISPs in the states were pressured to put an Echelon monitoring server into their system years ago. All the Feds had to say was "KP" and the ISPs rolled over.

        Warrant be damned. Too bad, one could say that any conviction based on any evidence garnered by that method is "poisoned fruit" and can't be used against you. But try proving it.

        However we live in the Totalitarian Socialist Republic of the United States now.

  2. as2003

    A little explanation of what DoxBin is/was would be nice, and also some comment on why this guy claims he won't be going to prison would be interesting.

    1. Arthur 1

      Because his site didn't do anything especially illegal. It was just an uncensored pastebin clone.

      1. Fibbles

        So why was it seized? Simply because it hosted information deemed inconvenient?

        1. Destroy All Monsters Silver badge
        2. Matt Bryant Silver badge
          Big Brother

          Re: Fibbles

          "So why was it seized?....." Not sure exactly what material was cited as evidence but Doxbin was a dumping-ground/bragging site for hackers, so I expect there was a lot of incriminating evidence of other e-crime, especially as an in-duh-vidual going by the handle 'Intangir', who also claims to be an admin/owner of Doxbin, seems to have 'security-checked'/hacked the Hidden Wiki site (http://motherboard.vice.com/read/a-hacker-scrubbed-child-porn-links-from-the-dark-webs-most-popular-site). Hoisted by his/her own petard, it seems.

    2. Anonymous Coward

      Doxbin is a terrorist assistant site

      Doxbin is a site that assists terror and crime. It does so by posting personal info about people, including names, addresses, social security numbers, bank numbers, passwords, and so on. This is done to facilitate crime against them. Not sure if this links, but here is a link: http://viaviewfiles.wordpress.com/2014/11/09/attorney-jay-leiderman-and-his-vicodin-fueled-litigation/comment-page-1/#comment-16644

  3. Brian Miller

    Tor = broken!

    There are a lot of "secret" services which are essentially broken by design. The Tor service can be decloaked if one rents sufficient temporary capacity, and then makes a lot of requests to the site in question, and then analyzes the traffic on the captive Tor nodes. Eventually, the server that you are after lights up in the statistics, and you've got them.

    Tor nodes can be evil, too, dumping malware on the files being transferred. Thus when feeding traffic back to someone, you can drop into the stream some exploits to easily track the user's computer.

    The only way that a service can be effectively hidden is if it exists on multiple nodes, and moves around of its own accord. There was a research paper about using the logic in the Game of Life to keep nodes alive, and give a stable user experience.

    And what was doxbin? A blackmailing service! Kind of like an evil Wikileaks.

    1. Anonymous Coward

      Re: Tor = broken!

      It was pastebin minus the takedowns. Aka: freedom of speech (I apologise if you live in the UK).

      Downvote this comment to fight online harassment. Every downvote can save a potential victim.

  4. Crazy Operations Guy

    I figure it would be something as simple as a GET request to a targeted server and following it by way of packet dumps on ISP routers (well, the encrypted packet containing the GET...)

    1. A Non e-mouse Silver badge

      I don't think it's as easy as that.

      Firstly, the content via the TOR network is all encrypted. Then your traffic doesn't just go through one TOR server, but multiple before breaking out to the real world. Finally, a TOR node will be servicing multiple clients at the same time.

      So, although you can see your packet enter the first TOR node, you can't tell which subsequent outbound packets from that TOR node are yours, and which belong to another client.

      As has been mentioned in multiple places, it is possible to decloak TOR by controlling some TOR nodes and using statistical techniques. This is how it is suggested that this recent spate of TOR take downs were achieved.

      1. Crazy Operations Guy

        They control one or more TOR nodes, so they could watch as it passes through the first node, and see what the packet looks like on the other side. To ensure that they know which packet is theirs, they could cut traffic to that node from external sources just long enough so theirs becomes the only packet passing through it.

        As for tracking it, I'm sure that they have a full map of where every tor node sits and have wire taps at their closest routers (well, closest that they control).

  5. imanidiot Silver badge

    Still wondering why

    Why would the cops take down doxbin? It doesn't seem particularly interesting over any of the other similar sites. Seems like a bit of a waste of resources.

    1. tfewster

      Re: Still wondering why

      Eeurocops - From Yorkshire, obviously. They're different there...

      1. TonyJ

        Re: Still wondering why

        Do you mind? I am originally from Yorkshire and the people there are...feck it you're right, they are different! :-)

        1. Ben Bonsall

          Re: Still wondering why

          Do you mind? I am originally from Yorkshire and the people there are...feck it you're right, they are different! :-)

          Me too. But not different. Better.

    2. K

      Re: Still wondering why

      Possibly an unintended bonus.. Even some Tor websites are hosted on shared servers; my guess is they made a grab for the server's IP address / range.

    3. Anonymous Coward

      Re: Still wondering why

      Doxbin was used to enable terroristic acts against thousands of people, that's why. The site was a combination of cyberstalking, harassment, invasion of privacy, blackmail, extortion, death threats, defamation, assisting in crimes of all kinds, from assassinations to hacking. That should be reason enough. The clown running it is still on Twitter acting surprised, when she or he should more constructively be packing bags and fleeing to some place with no extradition treaty with the U.S. The problem with that might be that Doxbin posted info on people internationally, so there may not be a nation that will protect this idiot.

  6. Destroy All Monsters Silver badge
    Trollface

    His site was terminated, along with hundreds of others across the US and Europe, last week as Eeurocops enacted Operation Onymous which took down sites like Hydra and Cannabis Road

    ...evidently after the dear author had partaken of the goods previously sold by the same.

  7. Anonymous Coward

    Doxbin isn't 'free speech'.

    It's 'yelling fire in a crowded theater' speech.

    For those who don't know; it's basically a place where stolen and/or sensitive data was/is posted with the most malicious possible intent. Someone cracks the crap database at your doctor's office, your medical records go up on doxbin. You get the idea... It's no coincidence such enterprises tend to be run by sociopathic teenagers with no concept of the harm they're actually doing. I too was once a sociopathic teenager, so to be perfectly frank, it takes one to recognize one.

    In short, though, no. Doxbin is not in the ambit of the 'free speech' ethos. It's well past the gray area, into the black. The asinine war against legitimate security researchers is something that needs to be stopped, but let's not wrap up the turd that is doxbin into that cause.

    1. Zipdedodah

      true

      This comment is true. Doxbin is malicious and dangerous.
