Tor Tells It’s Secrets

gAtO pLaYiNg with words in Tor We just simply counted the number of times a word appeared in our search engine by pages- this is something every search engine does but what it gave us was a picture of what Tor really is. It’s not all crime and ugly but information is number one in Tor. Exactly what it’s supposed to be. Tor was created to share information from the table below we see lot’s of stuff inside Tor.output

Tor word data points: We put this report together to see what our word count occurrence was, in our crawled data so far. The chart below gives an interesting picture of the Tor data points that it generates.

We are finding that these are the best categories to put our websites into. The words by site occurrence speaks volumes to understand trends in Tor.  For example it shows i2p network in Tor 2 notices above drugs in Tor. Because i2p is fast being intwined with Tor to get better anonymity.

  • These are real data point based on 3/27/2013-4/3/2013 – this is a live report from our crawls.
  • As we crawl and add more data our picture will change as to the landscape of Tor. 
  • Bitcoins is the fourth most popular word – currency in the Dark Web is number 1  

Word Num. Occurrences
blog 1014
wiki 985
anonymous 966
bitcoin 837
sex 530
gun 492
market 458
I2P 400
software 372
drugs 365
child 353
pedo 321
hacking 314
weapon 221
politic 209
books 157
exploit 118
anarchism 105
porno 88
baby 87
CP 83
fraud 76
piracy 69


  • Bitcoins are above SEX tell us volumes in that bit coins are the normal exchange currency in Tor.
  • Fraud and piracy are the lowest were we would except it to be much higher, People trust more in Tor.

This map does tell us that crime is everywhere in Tor at a more alarming rate than we though.

We are doing the same in the e-mail we found in Tor. In the email table is a place where we can get a better picture of emails in the Tor network. Not all of them go to tormail.org as we thought. As mentioned more i2p and connections with other anonymous networks seems to be a trend, as the growth rate of Tor users increase so is the technical base and more sophisticated users will come on board.

Hope this gives you a better picture of Tor. -gAtO oUt


Tor is NOT the ONLY Anonymous Network

gAtO fOuNd – this very interesting and wanted to share –

Tor does some things good, but other anonymous networks do other things better. Only when used together do they work best. And of course you want to already know how to use them should something happen to Tor and you are forced to move to another network.fin_07

Try them! You may even find something interesting you cannot find on Tor!

Anonymous networks

These are well known and widely deployed anonymous networks that offer strong anonymity and high security. They are all open source, in active development, have been online for many years and resisted attack attempts. They run on multiple operating systems and are safe to use with default settings. All are well regarded.

  • Tor – Fast anonymous internet access, hidden websites, most well known.
  • I2P – Hidden websites, anonymous bittorrent, mail, out-proxy to internet, other services.
  • Freenet – Static website hosting, distributed file storage for large files, decentralized forums.

Less well known

Also anonymous networks, but less used and possibly more limited in functionality.

  • GnuNet – Anonymous distributed file storage.
  • OneSwarm – Bittorrent, has a non-anonymous mode, requires friends for anonymity.
  • RetroShare – File-sharing, chat, forums, mail. Requires friends, and not anonymous to those friends, only the rest of the network.
  • Omemo – Distributed social storage platform. Uncertain to what extent it is anonymous.

Non-free networks

These are anonymous networks, but are not open source. Therefore their security and anonymity properties is hard to impossible to verify, and though the applications are legit, they may have serious weaknesses. Do not rely on them for strong anonymity.

  • Osiris – Serverless portal system, does not claim to provide any real anonymity.

In development

  • Phantom – Hidden Services, native IPv6 transport.
  • GlobaLeaks – Open Source Whistleblowing Framework.
  • FreedomBox – Project to create personal servers for distributed social networking, email and audio/video communications.
  • Telex – A new way to circumvent Internet censorship.
  • Project Byzantium – Bootable live distribution of Linux to set up wireless mesh nodes with commonly available hardware.
  • Hyperboria A distributed meshnet built on cjdns.

Routing Platforms

These are internets overlaid on the internet. They provide security via encryption, but only provides weak to none anonymity on their own. Only standard tools such as OpenVPN and Quagga are required to connect. Responsibility for a sufficiently anonymous setup is placed on the user and their advertised routes. More suited for private groups as things out in the open can be firewalled by other participants. Can be layered above or below other anonymity nets for more security and fun.

  • Anonet – AnoNet2, a more open replacement for AnoNet1.
  • dn42 – Another highly technical routing community.
  • CJDNS, an IPV6 overlay network that provides end to end encryption. It is not anonymous by itself.

Alternative Internet

  • Netsukuku – A project that aims to build a global P2P online network completely independent from the Internet by using Wi-Fi. The software is still in active development, although the site is no longer updated. A new site is in progress of being built.
  • Many other wireless communities building mesh networks as an alternative to the Internet, e.g. Freifunk, http://guifi.net and many more around the globe. see also

Alternative domain name systems

  • Namecoin – Cryptocurrency with the added ability to support a decentralised domain name system currently as a .bit.
  • OpenNIC – A user controlled Network Information Center offering a democratic, non-national, alternative to the traditional Top-Level Domain registries.
  • Dot-P2P – Another decentralized DNS service without centralized registry operators (at July 18, 2012 page is not accessible and has not known anything about the status of project from February 2011).

See Also


Black Market in Tor Growing

gAtO been down sIcK so I had to slow down so I’ve been reading underground looking around and the .onion network is beginning to take shape as more users explore it. Let’s just say it’s growing. In the Black Market things are looking up per say, more newbies and more scams with money mules, shipping mules, bot’s rentals and creation and trade. Here are two different crime recruitment points one the physical/ one code / and they are taking advantage of the economics of the situation.

People are losing their homes and eviction is coming “well I can do this for these guys online and I can make a little money and pay a few bills buy some food”. Grooming these new cyber shipping mules is a full time job, but they select and groom some for more and more /—then hit’s them with money mules transactions and they’re hooked. Greed / Pay the rent/ Now these guy know that as the money mule get’s more and more orders right the amount will go up and when they will bail with the criminals money is anyones guess, but by this time they have funneled so much money or goods thru these mules that they are throw away at the end of the life cycle of use. You also have the new code warriors watching and trading in botware working in Tor. Why because it works -/ and other have seen the .onion network as a new area were if they keep quite nobody can find them. If you keep quite nobody will know what your doing and that’s why Tor is working for the bad guys – Why can’t it work for the good guy’s when are we going to start using the best technology for the best job and leave all this other politics alone.

Cyber crime is working in the .onion but when will the law catch up, never I guess 2 many lost opportunities when they treat everyone like shit, just like the ugNazi CC bust- do they have a clue how many other CC sites are out there working in Tor and/or the surface web… . Silk road is all the rage while Black Market Reload sells explosives and drugs but come on the school boys in Cornell and other places are putting their finger into Tor to defeat Tor-attack the Tor Network Yeah – Yeah- “What If- What If -does not work in Tor students”, as they go for Silk Road the hundred of other places were real commercial cyber crooks get away with everything they can is working hard for the money boy’s and girls…. One service takes stolen credit cards to buy goods and directly ship products to the Ebay customer who purchase it and they pay them clean money while their new iPad was purchased with a stolen CC. It’s just these newbies in Tor think they are hip and cool in the surface but in the Tor network the good old boy’s that were there in the beginning are watching with a grim silly smile, knowing but not telling… gATO oUT 


Hacktivist ‘Unlike Us’ Video

This was inevitable. London crew Hacktivist – whose unique, rap driven take on tech metal has been heralded as the arrival of ‘rap djent’ (yes, really) – has unveiled their new video Unlike Us.


Anon iWot Team (Internet War On Terror)

gAtO see – a new twist on Anonymous – They are going after the money trail of terroristDahabshiil International Funds Transfer is their target. This team call’s itself  iWot -“Internet War On Terror” Now the reason gAtO looked carefully at this group is because #1 they are going after bankers –lulz– #2 this is a well though out plan to first show they have the real information before the big data bump. But there is more to this first announcement –

I kind of followed the data and when I saw – BAYD0009016 MOHAMED MURSAL SHEIK A/RAHMAN this is Omar Abdel-Rahman also know as the Blind Sheikh – famed World Trade Center 1993 bombing. and tied to —  (Somali: Maxamed Mursal Sheikh Cabduraxman) is a former deputy district commissioner and Minister of National Assets and Procurement of Somalia –  Well this posting has got my attention.

This list also has CHILDREN’S VIILLAGES of SOMALIA and some other innocent looking people. After looking at some of the names and email and google a few —> this one is real there are some real terrorist on this list. These guy’s have a little class and I like that in a hacktivist. I will have to keep and eye out for this groups they have interesting lulz -gAtO oUt

This new paste  –http://pastebin.com/VqrSV5bG


BY: A GUEST ON JUL 19TH, 2012  |  SYNTAX: NONE  |  SIZE: 11.12 KB  |  HITS: 739  |  EXPIRES: NEVER

After years of offensive hacking against many companies, governments, etc, we [Anonymous], decided to share data related to an internal confidential project from multiple l33t hackers worldwide. We called that “iWot“, meaning “Internet War On Terror“.

Though we will never forget what happened with Megaupload, Pirate Bay, Sopa, friends, etc, our sub-branch of the Anonymous was created with trusted hackers, to follow a specific goal. This email will be the first from us. Thanks to spread our words

We officially declare War on Terror. This is a call for actions of monitoring and/or destruction of companies and institutions that do work with terrorists, rogue countries, etc.

We already broke the security of multiple networks on earth. Each time we will be able to control them, and to steal data, we will then publish our documents on the net, or share them directly to people involved with Newspapers, Justice, etc, worldwide. Some documents, about some banks working with rogue countries, were already shared to some email addresses. And we are quite happy to see that the truth is on its way.. sometimes..

As some of us already explained, we are not a terrorist organization. It’s just that we are fed-up with the fact that our society is loosing time. So we just decided to speed-up actions against terrorists and their friends. We will first try to eradicate the sources of terrorist financing. It is not possible to know at this time the precise scope or the duration of our actions to counter terrorist threats linked to Internet.

Today, as a proof of concept, we will share information about a really evil bank, hiding ugly activities with terrorists. It’s called “Dahabshiil“, an international funds transfer company. Their networks have been broken by different hackers teams for many years. And it’s time for us to share information here in this mail.

Thanks to Wikileaks, secret documents related to Guantanamo detainees publicly explained part of the truth about Dahabshiil. A veteran extremist and a probable associate of Usama Bin Laden, provided direct financial support to Al-Qaeda, Al-Wafa and other terrorist and terrorist support entities through the Somalia-based company Dahabshiil. This bank is currently helping Al-Qaeda, including members of Al-Shabaab.

Despite the fact that the CEO of Dahabshiil tried to get rid of some people, and sometimes people from its own family, this will not be enough for us. We have stolen many many many documents from Dahabshiil. We have destroyed many workstations in Australia, Kenya, USA, UK, Sweden, Somalia, Dubai, Djibouti, etc. We can transfer money from accounts to accounts, despite the stupid security with tokens, passwords, etc. We have modified Windows kernel on many servers and workstations. We have added different kind of cyber-bombs hidden on many workstations and servers. We have powned switches, routers, firewalls, satellite stuff from Telco, etc.

As Dahabshiil members might think we are lying, we have to share data. Feel free to download and copy the data before everything get destroyed, as it’s totally illegal. And now, if Dahabshiil members were unable to understand why the network sometimes crashed, the computers sometimes died, data from internal servers sometimes died, etc, do not search. It was just our actions against you, with people from our team. As an example, we recently destroyed data on the internal LAN in Somaliland, from the Dahabshiil Headquarters (Hargeisa, etc). That’s why you guys, lost Gigs of internal sensitive data on main servers like \\Dahabshiil7, \\Dahabshiil6…

By the way, we also found out that many employees were looking at facebook stuff, personal email, and tons of incredible hardcore porn web sites especially in countries from the Arabian Peninsula, and from the bank (not at home). Also, the password of the account Administrator of the internal LAN in Somaliland, was mainly “Dahab1234”. Awesome. This is how they protect data of their customers. Quite a serious bank. As we have remote 0days against some of their tools, we easily took the control of any workstations there. Then we bounced and bounced, in order to explore this bank. Hopefully, we were a huge number of hackers at the same time, and during months, which helped at stealing sensitive data, spying on end-users and banking transactions, etc. After months and months of fun against these guys who support Terror on earth, we just decided that it was time to destroy them.

This was just the beginning… and just a proof. So from now, dear Dahabshiil members and customers, you can expect a global internal destruction in less than 2 months. You can keep on asking external consultants, even in Europe, about how to install Antivirus, Firewalls, NAC, IPS, Waf, etc. But we will still destroy your networks, steal your data, and sometimes share internal stuff to the public. This is called a sabotage… We had first to be sure that you could not get rid of our offensive tools. That’s why we used two layers of tools. Skilled stuff (with kernel 0dd modifications, etc), and easy tricks (to annoy and to play with your network/data). Now it’s ready. The bombs will kill your networks and your data in less than 2 months. You can also backup the poor data that you still have, but we also infected random Office/PDF documents left, so you’ll just backup some of our bombs, and your network will still die.

If you want us to immediately stop this cyber-sabotage, it’s quite easy. We just ask you to stop lying, to recognize your help with Somalia terror, and to officially change your behavior. We need a public message from you, as a proof. As you might have seen, public excuses of far more bigger banks than Dahabshiil, were done recently, from people who worked with rogue countries, etc. So, we just ask you to do do the same and to change. We will monitor you, as we already made these years. You have 2 months. Maximum. If we see that you are still asking for help against us, to your supposed-to-be IT Security consultants (UK, etc), or if we see that you are trying to clean our stuff in your kernels, etc, we will then launch the cyber-bombs before the 2 months. You don’t have the choice. You have to submit. You have to leave this world of hate, this world of slaughters, this world of killers, and to leave terrorists behind you.

Of course you needed money. Of course most of your employees/customers are not terrorists. Of course most of your employees/customers didn’t know your links with Terror. Of course someone else would have done this in your place. Of course our offensive actions are totally illegal (like yours when you support Terror). But according to us, these reasons are not good reasons. The countdown is already running. It’s too late. You have the choice between living, or dying with honors in the family of people who helped terrorists. You will be our first public example of cyber-destruction, as others already changed their minds. Be smart. Choose life.

And now a message to Dahabshiil customers: if you have money in this bank, if you are a customer of this bank, if you use this bank to transfer money from a country to another, and even if you are not a terrorist, we will let you less than 2 months before we either publish your personal information (passport, ID card, postal address, phone, email, etc), or we destroy your account by moving your money elsewhere, which will not be complex. As an example, we already shared this kind of information, as a proof of capability. Less than 2 months. After that, don’t cry if you lost your money at Dahabshiil, even if they told your that everything was under control (lulz), that they were able to clean their systems (lulz), etc. So, just take your money out of Dahabshiil now (!), and leave them behind you, before the destruction of this unofficial financial support for terrorists. First casualty of war is innocence. Be smart. Choose life.

And now a message to people in the same situation than Dahabshiil: If you are working with terrorists, if you are helping them, if you are linked to them, we will find you, and you will also be destroyed by our cyber-team, sooner or later. There is no place for you on earth. No place for you on Internet. No place for hate. Make love. Make kids. Be smart. Choose life.

We are Anonymous. We are Legion. We do not forgive. We do not forget. Expect us

Anon iWot Team (Internet War On Terror)

Bonus: This is really sad to see that some companies helped Dahabshiil after our intrusions (sometimes from Europe, etc). We won’t reveal the names of these IT Security workers, cause we understood that they just wanted to make money. But, as a last advice for them and their family, thanks to think twice the next time you will help Dahabshiil and terrorists. You are helping people who helped Al-Qaeda, like many other unscrupulous Islamic banks that helped at laundering kind of donations. We know you. You are not anon anymore. *We are Anonymous.*

Credits: though we will hide the identity of the people who helped us, we will at least share our thanks to their organizations, for those who accepted it. So, many many thanks to people from Iomart (!), from Vizada and from Somtel. Some of them accepted to share technical stuff (passwords, remote access, etc) as they do follow our spirit and our values against Terror. *We are legion.*

Contacts: no need to answer to this email address, as it’s not ours. If you want to meet us, as always we’ll be at Defcon soon, and we hope that there will be a special prize for Dahabshiil, though it’s a bit late to propose them to the Powney Awards. We do believe that being an international bank, with really lame security, fake official answers, and real links with terrorists to kill people in Africa, Europe or America (Al-Qaeda), should bring them to a special prize. They deserve it. *We do not forget.*

Future: if you want to participate, just share your thoughts or ideas of targets on Internet with the official related proofs showing links with terrorists. Like any skilled hackers, we can have remote access anywhere on earth (gov, telco, comp, etc) as the current IT Security community is just selling dreams and fake products. If you like our values, thanks to support Anonymous iWot (internet War on terror) and put tags like #anoniwot2012 so that we can find your list of targets, your messages, your help, your ideas, etc. You cannot contact us directly, so, please shout enough so that we can hear you. You can just share message to our teams on public spaces, and we’ll read them. Before that, if you enjoyed our specific actions against terrorists in Somalia, thanks to really show your support about this Somaleaks operation, with the tag #somaleaks and just wait, as many other places might burn sooner or later. *Expect us.* –DATA Dump  http://www.animegist.com/old//Somaleaks/


Latino Hacktivist on the Rise

gAtO cHeKs —  http://pastebin.com/trends“>http://pastebin.com/trends  – every day or so just to get a pulse on the hacktivist movement. One thing has change I see more and more Latinos getting involved in social cyber activist. Below is a break down of what I saw it’s good to see Latino nation using the social media for political dialog. As more of the world understands the importance of the new ways of connecting via the matrix, we will have more freedom of speech in cyberspace for everyone.

Let’s take a look at what my Latino brothers and sisters, si – Latina women are very much in the hacktivist roles all over Twitter sphere (#tangodown #dos ). Let’s take a look at today Sunday 1407 July,8 2012 –

A few post – goes out to the new cyber latino hacktivist and of course give thanks to Sweden and Italy brothers and sisters that have help the education of the spanish crowd-source with cyber hacktivist 101. But this was a big hit to -.MX Mexico is becoming a new cyber hot-bed for these cyber strikes –/ I have seen more and more hacktivist attacks at the Mexican politicals like MEGAMARCHA- against  “Public Radio International” or their message../ mAyBe nO-sI —  it’s about the PRI Mexican Party, corruption and the protesters went for both, that party and the Radio noise that helped them.

Besides Mexico, you have a push at UASD from a few sources with the Spanish hacktivist–/  a -DoX from Columbia I think  and a plan for the Olympics cyber lulz. From the Latino community this is a big show and tell on pasternBin.com  — gAtO oUt


.02.) Mexico 1. http://pastebin.com/CRu8raYU #PrimaveraMexicana—— #Anonymous #Opmexico #Megamarcha #ExigimosDemocracia #PrimaveraMexicana#PrimaveraMexicana


.01.) Mexico MEGAMARCHA –MEGAMARCHA! this was the new dump: http://pastebin.com/HcCN7kCv

  2. MEGAMARCHA VS el pri a le horas que usteden quierena empezamos:


Latino Hacktavist- gAtOmAlO2

Latino Hacktavist- @gAtOmAlO2


1.) Mexico 1. #Anonymous México. #OpMarchaPacifica – Untitled  http://pastebin.com/S8kZ02Ua

2.) Operación #OPSalvemos a la #UASD, Gracias por Leer esto #Op Salvemos la UASD. —http://pastebin.com/z1qTzz3n

3.) FALSA BANDERA OLIMPIADAS 2012 (NUEVOS AÑADIDOS) -Olympic Plans Overview — This is a planing stage Olympics latino based in London http://pastebin.com/T5Gu6p6s

4.) A spanish DoX – DOXEO JUAN PABLO FRANZONI http://pastebin.com/2WGmPgcx 

5.) Dominican Anonymous.-Anonymous Explica como esta hackiando la pagina de la UASD. http://pastebin.com/G5yE6uGr  — Administrators or webmaster of the site of the #UASD

6.) Mexico – Leaks Name & Password http://pastebin.com/GjTGdC6k -@Anonymousbr11  @Anon_central @AnonymousOIC  Target:http://www.isc.gob.mx


ToR is released

Tor updates the addresses for two of the eight directory
authorities, fixes some potential anonymity and security issues,
and fixes several crash bugs.

We're going to be following it soon with, which works around
a bug in OpenSSL's TLS renegotiation (currently being tested in the Tor release). Stay tuned.

Tor 0.2.1.x has reached its end-of-life. Those Tor versions have many
known flaws, and nobody should be using them. You should upgrade. If
you're using a Linux or BSD and its packages are obsolete, stop using
those packages and upgrade anyway.


Changes in version - 2012-05-24
  o Directory authority changes:
    - Change IP address for maatuska (v3 directory authority).
    - Change IP address for ides (v3 directory authority), and rename
      it to turtles.

  o Security fixes:
    - When building or running with any version of OpenSSL earlier
      than 0.9.8s or 1.0.0f, disable SSLv3 support. These OpenSSL
      versions have a bug (CVE-2011-4576) in which their block cipher
      padding includes uninitialized data, potentially leaking sensitive
      information to any peer with whom they make a SSLv3 connection. Tor
      does not use SSL v3 by default, but a hostile client or server
      could force an SSLv3 connection in order to gain information that
      they shouldn't have been able to get. The best solution here is to
      upgrade to OpenSSL 0.9.8s or 1.0.0f (or later). But when building
      or running with a non-upgraded OpenSSL, we disable SSLv3 entirely
      to make sure that the bug can't happen.
    - Never use a bridge or a controller-supplied node as an exit, even
      if its exit policy allows it. Found by wanoskarnet. Fixes bug
      5342. Bugfix on (for controller-purpose descriptors)
      and (for bridge-purpose descriptors).
    - Only build circuits if we have a sufficient threshold of the total
      descriptors that are marked in the consensus with the "Exit"
      flag. This mitigates an attack proposed by wanoskarnet, in which
      all of a client's bridges collude to restrict the exit nodes that
      the client knows about. Fixes bug 5343.
    - Provide controllers with a safer way to implement the cookie
      authentication mechanism. With the old method, if another locally
      running program could convince a controller that it was the Tor
      process, then that program could trick the controller into telling
      it the contents of an arbitrary 32-byte file. The new "SAFECOOKIE"
      authentication method uses a challenge-response approach to prevent
      this attack. Fixes bug 5185; implements proposal 193.

  o Major bugfixes:
    - Avoid logging uninitialized data when unable to decode a hidden
      service descriptor cookie. Fixes bug 5647; bugfix on
    - Avoid a client-side assertion failure when receiving an INTRODUCE2
      cell on a general purpose circuit. Fixes bug 5644; bugfix on
    - Fix builds when the path to sed, openssl, or sha1sum contains
      spaces, which is pretty common on Windows. Fixes bug 5065; bugfix
    - Correct our replacements for the timeradd() and timersub() functions
      on platforms that lack them (for example, Windows). The timersub()
      function is used when expiring circuits, while timeradd() is
      currently unused. Bug report and patch by Vektor. Fixes bug 4778;
      bugfix on
    - Fix the SOCKET_OK test that we use to tell when socket
      creation fails so that it works on Win64. Fixes part of bug 4533;
      bugfix on Bug found by wanoskarnet.

  o Minor bugfixes:
    - Reject out-of-range times like 23:59:61 in parse_rfc1123_time().
      Fixes bug 5346; bugfix on 0.0.8pre3.
    - Make our number-parsing functions always treat too-large values
      as an error, even when those values exceed the width of the
      underlying type. Previously, if the caller provided these
      functions with minima or maxima set to the extreme values of the
      underlying integer type, these functions would return those
      values on overflow rather than treating overflow as an error.
      Fixes part of bug 5786; bugfix on 0.0.9.
    - Older Linux kernels erroneously respond to strange nmap behavior
      by having accept() return successfully with a zero-length
      socket. When this happens, just close the connection. Previously,
      we would try harder to learn the remote address: but there was
      no such remote address to learn, and our method for trying to
      learn it was incorrect. Fixes bugs 1240, 4745, and 4747. Bugfix
      on Reported and diagnosed by "r1eo".
    - Correct parsing of certain date types in parse_http_time().
      Without this patch, If-Modified-Since would behave
      incorrectly. Fixes bug 5346; bugfix on Patch from
      Esteban Manchado Velázques.
    - Change the BridgePassword feature (part of the "bridge community"
      design, which is not yet implemented) to use a time-independent
      comparison. The old behavior might have allowed an adversary
      to use timing to guess the BridgePassword value. Fixes bug 5543;
      bugfix on
    - Detect and reject certain misformed escape sequences in
      configuration values. Previously, these values would cause us
      to crash if received in a torrc file or over an authenticated
      control port. Bug found by Esteban Manchado Velázquez, and
      independently by Robert Connolly from Matta Consulting who further
      noted that it allows a post-authentication heap overflow. Patch
      by Alexander Schrijver. Fixes bugs 5090 and 5402 (CVE 2012-1668);
      bugfix on
    - Fix a compile warning when using the --enable-openbsd-malloc
      configure option. Fixes bug 5340; bugfix on
    - During configure, detect when we're building with clang version
      3.0 or lower and disable the -Wnormalized=id and -Woverride-init
      CFLAGS. clang doesn't support them yet.
    - When sending an HTTP/1.1 proxy request, include a Host header.
      Fixes bug 5593; bugfix on
    - Fix a NULL-pointer dereference on a badly formed SETCIRCUITPURPOSE
      command. Found by mikeyc. Fixes bug 5796; bugfix on
    - If we hit the error case where routerlist_insert() replaces an
      existing (old) server descriptor, make sure to remove that
      server descriptor from the old_routers list. Fix related to bug
      1776. Bugfix on

  o Minor bugfixes (documentation and log messages):
    - Fix a typo in a log message in rend_service_rendezvous_has_opened().
      Fixes bug 4856; bugfix on Tor 0.0.6.
    - Update "ClientOnly" man page entry to explain that there isn't
      really any point to messing with it. Resolves ticket 5005.
    - Document the GiveGuardFlagTo_CVE_2011_2768_VulnerableRelays
      directory authority option (introduced in Tor
    - Downgrade the "We're missing a certificate" message from notice
      to info: people kept mistaking it for a real problem, whereas it
      is seldom the problem even when we are failing to bootstrap. Fixes
      bug 5067; bugfix on
    - Correctly spell "connect" in a log message on failure to create a
      controlsocket. Fixes bug 4803; bugfix on
    - Clarify the behavior of MaxCircuitDirtiness with hidden service
      circuits. Fixes issue 5259.

  o Minor features:
    - Directory authorities now reject versions of Tor older than, and Tor versions between and
      inclusive. These versions accounted for only a small fraction of
      the Tor network, and have numerous known security issues. Resolves
      issue 4788.
    - Update to the May 1 2012 Maxmind GeoLite Country database.

  - Feature removal:
    - When sending or relaying a RELAY_EARLY cell, we used to convert
      it to a RELAY cell if the connection was using the v1 link
      protocol. This was a workaround for older versions of Tor, which
      didn't handle RELAY_EARLY cells properly. Now that all supported
      versions can handle RELAY_EARLY cells, and now that we're enforcing
      the "no RELAY_EXTEND commands except in RELAY_EARLY cells" rule,
      remove this workaround. Addresses bug 4786.

Attacking a ToR Network

Attacking a ToR .network

gAtO hAs– found that there are a few ways to attack a secure network some is old fashion technology and some more modern. The FBI and Secret Service and other international law enforcement have used these technique and they have been de-classified:

UPDATE: -5-21-2012 -0900 There a re few more attack vectors that I recently found in the .onion network – let’s just say attack from within that – If you are a legit-legal Security Researcher please write me. I want to keep those secret for now —

Let’s take a look at:

The Cold Boot Attacks

One of the problems with encryption is that in order for it to work, your computer has to know the private key and any other information needed for decryption. This information is stored in memory and while memory isn’t a good place to store things long term, it does store data for an amount of time from seconds to minutes after your machine has been turned off. An adversary, knowing that they are facing a locked down machine with lots of encryption, may perform a cold boot attack. This involves turning off your computer, spraying your memory with liquid nitrogen (or something to keep it cold), and then recovering your encryption key from memory. Once frozen, data in memory can be retained (and then further reconstructed) for hours. Countermeasures:  If you feel this is a risk, you need to implement physical security measures that deal with the possible threat. This could be as simple as a laser tripwire on a door that triggers a shutdown.

Radio Leakage, TEMPEST, etc.

All electronics create radio interference as a consequence of their operation. While this radio interference is often useless it can also provide valuable information for your adversary. For instance, the radio interference generated by keyboards can divulge your passwords to an adversary sitting across the street from your house. RF shielding is the only solution for this problem and involves surrounding your machine in some type of metal. This isn’t all though, as the power pull generated when you use the keyboard, etc. can also be monitored through your wall socket. I don’t know of any solutions to this. One idea would be to lock your machine in a box with a UPS to filter the electricity and a security scheme similar to the one used to prevent cold boot attacks but I’m not sure how effective this would be. Countermeasures: Get some chicken wire and build a faraday cage for all your secure computing equipment. What ever music you like play it loud I would suggest Metal this is filled with so many harmonics that it will very hard to extract the EMF.

Physical Security

An adversary may put a camera, microphone, or some other recording device in the room with your hidden service machine. If they capture your encryption passphrase, your data will be compromised. Recently the FBI and Secret Service used this technique against a bust of the ShadowCrew carding board and it’s been used for a long time by both law enforcement and intelligence. While using a blanket will deter a camera, the audio generated by your keyboard may not be sufficiently muffled to stop a microphone from knowing what’s going on. Countermeasures:  Always be careful of anyone coming into the place were your computing equipment or office. Remember that todays technology has WiFi cameras and all kinds of devices. Also check you router to see any weird connections to it and remember the logs they will show failed attempts to access your network. Another way is to scan for SSID with Kismet or NetStumbler you may be able to scan for the device. And for microphones : What ever music you like play it loud I would suggest Metal this is filled with so many harmonics that it will very hard to extract the from the noise.

Traffic Correlation

If your adversary suspects you run a hidden service, they can watch your internet connection and try to use traffic analysis to determine if the hidden service is run on your network. If your adversary downloads a few 50 megabyte files from your server and every time around 50MB of encrypted traffic goes across your network, it’s pretty good evidence. Combine that with shutting off the power to your machine and watching the hidden service go down and you’ve got somebody who knows what’s going on.  Countermeasures: There are creative ways of dealing with this such as cover traffic, UPSs, redundant servers, and physical security.

a government censor can render it moot by simply blocking the relays


gAtO hopes that this will help you understand that the ToR network a little better and don’t worry the Tor Project is working hard on Traffic Correlation attacks. – gAtO oUt 





Will the Real th3j35t3r Please Stand Up

Will the Real th3j35t3r Please Stand Up.

gAtO hAs -been keeping tabs of the th3j35t3r escapades since I impersonated him last week when his twitter account went down and his post on his website went missing. First when I created the @_th3j35t3r account I saw the I could not use the th3j35t3r name because it was not deleted, just the tweets were deleted the account was still active. Now we see that the Aspergers kiddies are still going after analysis of Tom Ryan DoX and this was a play to make some bitCOins, that he was distracting people from the DoX and everything an obsess people do to figure out his next move.

Do gAtO think he has been DoX? No – Si maybe I found some interesting posting on pastern.com that showed that they are still trying to figure out his game of thrones@cubespherical: now is a real interesting character if he is or not th3j35t3r we will see soon, the game cannot be kept up.

He wrote on May 16:

Smedley Manning @cubespherical

I have him – just waiting for confirmation from my superiors to drop it.


6:30 PM Wed May 16 2012 · web

Who are his superiors? Who is in the food chain gAtO wonders? Remember the th3j35t3r and Smedley Manning are great at PSYOP’s and this is were they both have an advantage, but I find it kind hard to believe that th3j35t3r would send “PLS DM ME”, the th3j35t3r is a little more forceful even when he is cornered. I have seen him in IRC’s and he is a wee bit more aggressive. But the count-down has begun Sunday May 21 on blogtalkradio.com @cubespherical will Dox th3j35t3r. we all wait on the edge of our seats:

Oh by the way the th3j35t3r posted this on his site: MAy 16: you do the mathgAtO oUt


Not totally sure what just happened, but damn it’s getting out of hand now.

Posted: May 16, 2012 


Below is this last weeks th3j35t3r in Pasterbin- Post May 12 – May 19

Why th3j35t3r has not been doxed

_ST0RM ON MAR 12TH, 2012  |  SYNTAX: NONE  |  SIZE: 1.51 KB  |  HITS: 5,147  |  EXPIRES: NEVER




BY: A GUEST ON MAY 14TH, 2012  |  SYNTAX: NONE  |  SIZE: 3.69 KB  |  HITS: 3,161  |  EXPIRES: NEVER



th3j35t3r “The Patriot Hacker” To Be Unmasked

BY: A GUEST ON MAY 14TH, 2012  |  SYNTAX: NONE  |  SIZE: 7.00 KB  |  HITS: 353  |  EXPIRES: NEVER



@th3j35t3r – log file #saladin tool

BY: ANONYMOUSDOWN ON MAY 15TH, 2012  |  SYNTAX: NONE  |  SIZE: 16.54 KB  |  HITS: 217  |  EXPIRES:

http://pastebin.com/mJx5hc6W –xxx



BY: A GUEST ON MAY 15TH, 2012  |  SYNTAX: NONE  |  SIZE: 4.55 KB  |  HITS: 1,800  |  EXPIRES: NEVER



You end tonight, th3j35t3r.

BY: PIRAX-XOXO ON MAY 16TH, 2012  |  SYNTAX: NONE  |  SIZE: 6.40 KB  |  HITS: 299  |  EXPIRES: NEVER



12 Reasons Why Th3J35t3r is Smedley Manning

BY: JELLYBRO ON MAY 17TH, 2012  |  SYNTAX: NONE  |  SIZE: 17.71 KB  |  HITS: 248  |  EXPIRES: NEVER



The Jester’s True Identity

BY: RECK ON MAY 17TH, 2012  |  SYNTAX: NONE  |  SIZE: 3.73 KB  |  HITS: 3,048  |  EXPIRES: NEVER