Posted by: Neal Rauhauser </span> November 11, 2014
Among of Friday night chatter regarding Operation Onymous I noticed that doxbin was among the sites that had gone missing. If doxbin is new to you, this was a site just for dox, but it’s closely associated with Encyclopedia Dramatica. After checking to make sure that wasn’t a troll I decided to track down the particulars, because nachash is basically the Richard B. Riddick of the internet. I figured if anyone had some insight into what actually happened, it would be him – a couple of years ago nachash shared that his motivation for taking the site over from the original operator was so he could hone his methods of protecting onions in the most difficult environment imaginable.
@loldoxbin and @ioerror, Jacob Applebaum, were publicly talking about logs Friday night. This later popped up as a long post on the tor-dev list – a 1,300 word writeup with an onion address containing the logs, the source of the site, and the details on the work nachash did to secure the system.
While he was writing that I caught up with him on IRC. He was pretty adamant that doxbin will not be coming back again. About a year ago nachash publicly retired and turned operation of the site over to another hacker named Intangir, but he got it back last July.
(11:38:13 PM) nachash: tl;dr I guess we’ll see if they can do anything @ me as a human
(11:38:23 PM) nachash: but I have no plans of reviving doxbin
(11:38:41 PM) nachash: I could move boxes and tighten it up some more
(11:38:51 PM) nachash: and publish the hidden service descriptors again
(11:38:54 PM) nachash: pull in some of the traffic
(11:38:57 PM) nachash: and rebuild that way
(11:38:58 PM) nachash: but honestly
(11:39:06 PM) nachash: it’s a fucking 12 year old skid shit show
(11:39:10 PM) nachash: not worth my time
After the tor-dev post went up there was a lot of chatter theorizing about how the takedown was accomplished. There was talk of SQL injection being how the markets were had, but that made no sense for doxbin, as the site didn’t even have a SQL database – its done with flat files. There are a lot of theories being floated but it seems that there is a stealth DoS that loads up Tor, and this is being used to trigger admin visits to servers and otherwise work at deanonymizing them. This tweet was fairly interesting for those who want the gritty details and there are many more like it in @loldoxbin’s timeline.
.@puellavulnerata Want me to get some other log reports up, so you can get a baseline for comparison?
— nachash (@loldoxbin) November 9, 2014
There were a couple of questions posed on tor-dev, and nachash returned with further clarifications in this post:
The Tor Project posted their Thoughts and Concerns about Operation Onymous about thirty six hours later . The eye opening paragraph has to do with the seizure of relays:
“We are also interested in learning why the authorities seized Tor relays even though their operation was targeting hidden services. Were these two events related?”
Nothing is certain at this point, but the analysis contained speculation as to how these takedowns were accomplished. The theories include:
1.) OPSEC troubles, which were clearly the issue for Silk Road 2.0
2.) SQL injection, but this was clearly not how doxbin was taken
3.) Bitcoin de-anonymization, but again not an issue for doxbin
4.) Direct attacks on the Tor network itself
As far as doxbin itself, I think they missed one – it’s quite possible that the site merely had the bad luck to be quartered in a facility that had a serious player in it, and they were a target of opportunity.
The Tor Project blog post closed with advice to concerned hidden service operators. The attacks being used were based on resource exhaustion, with the implicit advice being more ram and more cores are a cheap insurance policy. The other notable suggestion was the manual selection of the guard node for your hidden service. This is another box to register and fund with the same stealth as a server hosting a hidden service.
Taking a step back from the technical details, Tor is not a cloak of invisibility, it’s a piece of software with network and cryptographic features. Both of these offer an attack surface for a motivated intruder. The lesson for site operators is simple: What happens when a fault in Tor exposes your server? If your answer is a deer in headlights look you need to leave this work to others.