The Tor network, which aims to provide secure, anonymous use of the internet, has recently come under attack from a coalition of US government departments, with relays compromised, 400 hidden services seized, and an estimated 17 people arrested. It's part of the secretive Operation Onymous, and according to a statement appearing on the Tor website, no one is more confused about it than Tor.
There are many questions Tor would like to get to the bottom of, from how the relays were located to what those arrested will be charged with. We might not have any more information on the latter point until those people are actually in court, but in a statement Tor has asked anyone with knowledge of how its services might have been located and compromised to step forward.
So we are left asking "How did they locate the hidden services?". We don't know. In liberal democracies, we should expect that when the time comes to prosecute some of the seventeen people who have been arrested, the police would have to explain to the judge how the suspects came to be suspects, and that as a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical internet-facing services. We know through recent leaks that the US DEA and others have constructed a system of organized and sanctioned perjury which they refer to as "parallel construction."
The statement then outlines a few possible ways the attack could have been conducted, from SQL injections to Bitcoin deanonymisation.
The recent events put a damper on Tor's recent expansion efforts. Having launched the Tor browser and begun work on a secure chat app, the organisation was taking steps towards providing user-friendly, secure communication for those who didn't want to dive headfirst into information security. But these attacks on the network will reduce faith in Tor, and for those with only one foot in the infosec world, it'll be tough to know what's safe and what isn't.
Adding to the difficulties is a lack of funds. "It's important to note that Tor currently doesn't have funding for improving the security of hidden services," said Tor. The organisation also called for programmers to help eliminate security flaws by reviewing its code. You can bet those behind Operation Onymous will be reviewing it too.