1. According to recent court documents, the malicious threat actor known as Kax17, operating since 2017, is the German government actively deanonymizing Tor users. Essentially, the Germs (aka Kax17) run hundreds of malicious Tor nodes, run correlation attacks on users who hit certain interesting websites and hidden services, collect verifiable IP addresses, distribute these to relevant Lawn Enfornsmend Orbanigatons. According to reports, people have been raided with no charges pressed, which means the info they derive from their techniques are not 100%. But it doesn't have to be. Freenet has been assaulted for years with spurious investigations based on technically false analysis. What matters in the end is that they have (a) an IP, and (b) a cool story to tell the judge, so they can (c) bust down your door.
Now is an especially good time to get out of the pool.Operation Liberty Lane (LE Running Gaurd and middle nodes to deanonymize HS users)https://old.reddit.com/r/TOR/comments/19benkx/operation_liberty_lane_le_running_gaurd_and/
20 Jan 2024
Operation Liberty Lane (FBI/DHS joint operation) is a multi-national law enforcement operation that involves the United States, Brazil, Germany, and the United Kingdom, and targets users of illegal hidden services. It appears this once theoretical attack has been operationalized and has unmasked thousands of users. The NCA and FBI have jointly developed a software program called "Good Listener" that involves LE spinning up as many guard and middle nodes as possible, and then using a timing attack to correlate the IP at the malicious gaurd to the timing at the illegal HS. It appears that this is only possible once the HS has been identified and the traffic to it can be interecepted and fed into the program.There was a few posts previously about cases where users using TAILS and WHONIX were caught so a NIT was ruled out, we now have our answer. This next part is only a guess, but it's likely KAX17 was run by the German government in support of this operation.
This operation is currently classified as TOP SECRET so any court filings are done under protective order, however, here are some documents from attorneys on these cases that are read in to the program that lightly describes how it works.
While this isn't a new concept or attack, the fact that it has been successfully operationalized and used to make dozens of arrests in the US alone. All of these documents are publicly available via PACER due to sloppy and careless handling by the attorneys who agreed to properly redact them.
[–]Enter_The_Trashcan 2 points 1 month ago*
So, this pretty much confirms all my suspicions based on the info we had before this latest round of documents. They need to know the clearnet IP of the targetted hidden site. They can tap the whole server to run time correlation attacks, or in theory they may also wait and see if they get lucky on the hidden site with their malicious guard nodes, knowing the IP. I also noticed there were more cases, an apparently seperate batches of IPs from 2022, which presumably must be a different takedown using this method than the first cases.
More:
A mysterious threat actor is running hundreds of malicious Tor relays
https://therecord.media/a-mysterious-threat-actor-is-running-hundreds-of-malicious-tor-relays
Was threat actor KAX17 de-anonymizing the Tor network?
https://www.malwarebytes.com/blog/news/2021/12/was-threat-actor-kax17-de-anonymizing-the-tor-network
Is “KAX17” performing de-anonymization Attacks against Tor Users?
https://nusenu.medium.com/is-kax17-performing-de-anonymization-attacks-against-tor-users-42e566defce8
Malicious relays and the health of the Tor network
https://blog.torproject.org/malicious-relays-health-tor-network/
2. Just a reminder that your favorite web hosts and backbone providers are really working for the Secret Police. Linode and Hetzner were configured to conduct a MiTM attack on a jabber service, funnelling malicious SSL certificates from Lets Encrypt. Read their responses at the end. From Akamai: "At this time, we have observed no illegal activity impacting your services," which is to say, as the author himself proposes, that Linode and Hetzner were compelled by the authorities to conduct the MiTM, and thus the spying was lawful.Encrypted traffic interception on Hetzner and Linode targeting the largest Russian XMPP (Jabber) messaging servicehttps://notes.valdikss.org.ru/jabber.ru-mitm/
November 2023
TL;DR: we have discovered XMPP (Jabber) instant messaging protocol encrypted TLS connection wiretapping (Man-in-the-Middle attack) of jabber.ru (aka xmpp.ru) service’s servers on Hetzner and Linode hosting providers in Germany.
The attacker has issued several new TLS certificates using Let’s Encrypt service which were used to hijack encrypted STARTTLS connections on port 5222 using transparent MiTM proxy. The attack was discovered due to expiration of one of the MiTM certificates, which haven’t been reissued.
There are no indications of the server breach or spoofing attacks on the network segment, quite the contrary: the traffic redirection has been configured on the hosting provider network.
The wiretapping may have lasted for up to 6 months overall (90 days confirmed). We believe this is lawful interception Hetzner and Linode were forced to setup.
More:
What we’re doing in response to the jabber.ru MITM attack
https://unredacted.org/blog/2023/11/what-were-doing-in-response-to-the-jabber-ru-mitm-attack/
3. A good article by the EFF detailing how bad KOSA (Kids Online Safety Act) really is. The increased censorship foisted upon Big Tech in the post-Trump, post-COVID, post-Ukraine eras via powerful censorship lobbies (trans, State Dept., etc.) will now be enforced directly by draconian laws. These laws require AI enforcement, and thus represent the initial stages of the first AI-powered cultural genocide (https://boychat.org/messages/1595443.htm).Don’t Fall for the Latest Changes to the Dangerous Kids Online Safety Acthttps://www.eff.org/deeplinks/2024/02/dont-fall-latest-changes-dangerous-kids-online-safety-act
February 15, 2024
KOSA remains a dangerous bill that would allow the government to decide what types of information can be shared and read online by everyone. It would still require an enormous number of websites, apps, and online platforms to filter and block legal, and important, speech. It would almost certainly still result in age verification requirements. Some of its provisions have changed over time, and its latest changes are detailed below. But those improvements do not cure KOSA’s core First Amendment problems. Moreover, a close review shows that state attorneys general still have a great deal of power to target online services and speech they do not like, which we think will harm children seeking access to basic health information and a variety of other content that officials deem harmful to minors.
More:
The UK’s controversial Online Safety Bill finally becomes law
https://www.theverge.com/2023/10/26/23922397/uk-online-safety-bill-law-passed-royal-assent-moderation-regulation
Can an EU law save children from harmful content online?
https://www.reuters.com/legal/litigation/can-an-eu-law-save-children-harmful-content-online-2022-07-12/
EU Digital Services Act: How it will make the internet safer for children
https://www.weforum.org/agenda/2022/06/eu-digital-service-act-how-it-will-safeguard-children-online/
Original title: New Liberal 'online harms' bill to make online hate punishable up to life in prison
Online harms: Liberals seek to create digital safety commission, new ombudsperson
https://www.msn.com/en-ca/news/other/liberals-to-introduce-long-promised-legislation-to-combat-harmful-online-content/ar-BB1iTlEo
4. From the "but I like Windows" and "The future of archiving is PDF uploads" (https://boychat.org/messages/1593371.htm) departments. Last chance to ride / Figure it out or fry: https://qubes-os.orgMicrosoft Confirms Windows Exploits Bypassing Security Featureshttps://www.securityweek.com/microsoft-confirms-windows-exploits-bypassing-security-features/
February 13, 2024
Microsoft on Tuesday rolled out a massive batch of security-themed software updates and called urgent attention to at least three vulnerabilities being exploited in live malware attacks.
The world’s largest software maker documented 72 security vulnerabilities in the Windows ecosystem and warned users of the risk of remote code execution, security feature bypass, information disclosure and privilege escalation attacks.
Separately, software maker Adobe on Tuesday patched at least 30 documented security flaws in multiple products and warned that unpatched machines are exposed to code execution, security feature bypass and denial-of-service attacks.
Adobe documented at least 13 serious security defects covered in the Adobe Acrobat and Reader update and warned that both Windows and macOS users are at risk.
“Successful exploitation could lead to arbitrary code execution, application denial-of-service, and memory leak,” Adobe said.
| |
From his One Horse Open Sleigh,
The King of Zembla
|
