To address a question from Mansour Moufid first: There aren't any preserved access logs, unfortunately. I copied some of the access logs from the August DoS to another directory but never bothered to scp them to my box. Another regret is that pcaps weren't taken, but we both made the mistake of assuming that, because the DoS was mitigated, nothing that was preserved would be all that important anymore. If there was more to give, we would have released it.
The box was an OpenVZ VPS (essentially a glorified chroot jail, for those who are unfamiliar), so no, there was no physical hardware from my standpoint. Thus, full disk crypto wasn't really an option. From the standpoint of someone with root access to a dedi with OpenVZ VMs, finding hidden services that are hosted by customers is a matter of looking for files named private_key anywhere under the /vz folder.
Neither of us is rolling in fake internet money like the drug market operators (Hint: This should indicate to anyone thinking of asking if we ran bitcoind that we didn't), so the other alternatives were to either use rooted boxes or flip a coin to decide who gets to host from home. Since rooted boxes are obviously not ideal and hosting from home would probably only be safe if we were running something like Cat Facts (http://2v7ibl5u4pbemwiz.onion/index.php), we went with the lesser of evils. As was the tradition with doxbin boxes, the registration info usually either went back to some criminal who was on the run at the time of purchase (such as this guy: http://www.dailytelegraph.com.au/notorious-con-man-on-the-run-in-us/story-fn...) or it went back to someone who had a comprehensive doxbin entry (Hello, Daniel Brandt and Keith Alexander).
I don't have an exact time, but by around 13:00 UTC or so on the 6th, the box was down. When the Silk Road 2.0 seizure news broke, doxbin was already gone. I checked the most current doxbin onion and attempted to ssh into the box every couple of hours for around the first 24 hours, until a friend pointed out that one of the old doxbin onions was serving up the Silk Road 2.0 seizure page. At the time, the main onion was serving up some 404 page (Which I expected to eventually point to some sort of honeypot, but the pigs really let me down on that one), while other onions were unresponsive. This had changed by the next day, when all the onions from the doxbin box were pointed to the seizure page. The speculation has been that the cops were adding onions one at a time, and my personal experience supports that. Police who are dedicated to seizing and taking control of hidden services are still struggling with managing a torrc file efficiently. Go figure.
There was some downtime on the box maybe a month ago, which I originally thought was when it got imaged pre-seizure, once all this drama began. I can't look at the access log report numbers and say "This is the date, because there's a huge dip in traffic," so I'm going to have to get back with you on that. The fact that they were adding onions to the seizure box over 24 hours after the takedown might suggest that they for some reason didn't image it beforehand, which would be a curious break from their habits as laid out in past criminal complaints.
An update: All of the access log reports ever generated for doxbin can now be downloaded from the URLs in my initial e-mail. Other people wanted some of them to compare to the DoS log reports, so now they can pick their own control group.
P.S. Neither of us has been arrested or has even noticed any signs of in-person heat (cleaning vans, new neighbors, etc.), which also seems to point to the doxbin seizure being half-cocked.
Here until I'm in handcuffs,
nachash
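The point nachash makes about OpenVZ is worth seeing concretely: every container's filesystem lives under the hardware node's /vz/private/<CTID>/ tree, so root on the node can sweep it for Tor hidden service directories without touching any guest. The script below is an added example, not code from this thread, from doxbin, or from Tor. It builds a constructed directory tree that mimics that layout (the container ids, service paths, key bodies and the .onion name in it are made up), then walks it the way `find /vz -name private_key` would, additionally checking that the file is an RSA key in the v2 hidden service format and reading the sibling `hostname` file that tor writes next to it, so each hit comes back with its container id and onion address when one is present.

```python
"""
Added example (not from the tor-dev thread): sweep an OpenVZ host's /vz tree
for Tor (v2) hidden service directories, as a root user on the hardware node
could. The /vz/private/<CTID>/ layout is real OpenVZ; every path, key body
and .onion name below is constructed for the demo.
"""
import os
import tempfile

HS_KEY_NAME = "private_key"   # file name tor uses for a v2 hidden service key
HS_HOST_NAME = "hostname"     # sibling file tor writes with the .onion address
RSA_PEM_HEADER = "-----BEGIN RSA PRIVATE KEY-----"


def build_sample_vz_tree():
    """Create a throwaway tree that mimics /vz/private/<CTID>/... (constructed data)."""
    root = tempfile.mkdtemp(prefix="vz_demo_")
    layout = {
        # CTID 101 (hypothetical): hidden service with key and hostname present
        "private/101/var/lib/tor/hidden_service": {
            "private_key": RSA_PEM_HEADER + "\nDEMO\n-----END RSA PRIVATE KEY-----\n",
            "hostname": "abcdefghijklmnop.onion\n",   # made-up v2 address
        },
        # CTID 102 (hypothetical): key dropped in, tor never started, no hostname yet
        "private/102/home/user/hs": {
            "private_key": RSA_PEM_HEADER + "\nDEMO\n-----END RSA PRIVATE KEY-----\n",
        },
        # CTID 103 (hypothetical): same file name, but an OpenSSH key; must be skipped
        "private/103/root/.ssh": {
            "private_key": "-----BEGIN OPENSSH PRIVATE KEY-----\nDEMO\n-----END OPENSSH PRIVATE KEY-----\n",
        },
    }
    for rel, files in layout.items():
        d = os.path.join(root, rel)
        os.makedirs(d)
        for name, body in files.items():
            with open(os.path.join(d, name), "w") as f:
                f.write(body)
    return root


def find_hidden_services(root):
    """Walk `root` (e.g. /vz) and return one dict per hidden service directory.

    A directory is reported when it holds a file named private_key whose first
    line is the PKCS#1 RSA header tor uses for v2 services. The container id is
    taken from the /vz/private/<CTID>/ path component when the tree has one.
    """
    found = []
    for dirpath, _dirnames, filenames in os.walk(root):
        if HS_KEY_NAME not in filenames:
            continue
        with open(os.path.join(dirpath, HS_KEY_NAME), "r", errors="replace") as f:
            first_line = f.readline().strip()
        if first_line != RSA_PEM_HEADER:
            continue  # same file name, different key format: not a tor v2 service key
        onion = None
        if HS_HOST_NAME in filenames:
            with open(os.path.join(dirpath, HS_HOST_NAME), "r", errors="replace") as f:
                onion = f.read().strip() or None
        parts = os.path.relpath(dirpath, root).split(os.sep)
        ctid = parts[1] if len(parts) > 1 and parts[0] == "private" else None
        found.append({"ctid": ctid, "dir": dirpath, "onion": onion})
    return sorted(found, key=lambda hit: hit["dir"])


if __name__ == "__main__":
    demo_root = build_sample_vz_tree()
    for hit in find_hidden_services(demo_root):
        print("CTID %s  %s  onion=%s" % (hit["ctid"], hit["dir"], hit["onion"]))
```

Run it as-is to see the two constructed services reported and the OpenSSH decoy skipped; on a real node you would call `find_hidden_services("/vz")` instead of building the sample tree. The hostname file is the cheap win: where it is present the node operator (or whoever has root on the node) gets the .onion address without having to derive it from the key.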
On 11/09/2014 05:51 AM, Roger Dingledine wrote:
> On Sat, Nov 08, 2014 at 10:10:23PM +0000, Fears No One wrote:
>> If you have any questions/clarifications, just ask.
>> [...]
>> All of these files are in the hands of the cops anyway (And I have no plans of bringing doxbin back), so there are 0 real-time opsec concerns.
>
> Hello Mr. Supervillain,
>
> Can you clarify for us what actually happened to your server and site? A lot of people have been saying a lot of stuff over the past few days.
>
> In particular, did they seize the actual hardware? Did they put up their own hidden service using your hidden service key? If both, a) did the hardware get taken before the hidden service went up, or vice versa? and b) do you have approximate timestamps of these events? I guess "c) was there disk encryption" is a fine next question.
>
> (For that matter, *was* there actual hardware, or was this a vm in somebody else's computer?)
>
> The php elephant does indeed seem like a big issue. But it would be neat to find a data point here where they had the hidden service key before they took the hardware.
>
> --Roger
tor-dev mailing list tor-dev@lists.torproject.org https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-dev