On Wed, Sep 10, 2014 at 12:26:03AM -0400, Griffin Boyce wrote:
> Kyle Maxwell wrote:
> >Griffin Boyce wrote:
> >>Actually, no, I *am* surprised that they decided to not even
> >>bother trying to gift malware to Mac or Linux users.
> >
> >Probably just playing the odds, I'd suspect. Though they could've
> >examined the access logs at some point - do we know either way on that?
>
> Hey Kyle,
>
> With Freedom Hosting, I actually don't know. It seems like few technical
> details have come out of that case. However, I *do* know that they'd been
> hacked at various points, and the service had very poor security overall.
> The restrictions in place did not actually prevent php files from creating
> *other* types of scripts... Their sandboxing was reputedly quite bad, and
> for years they had no restrictions on resources that users could utilize.
> So creating an app designed to expand to occupy all resources on the server
> until it crashed was highly effective. The server itself may not even have
> kept access logs. It's unclear.
>
> With SilkRoad[2], supposedly investigators imaged the entire drive, so
> this should still be possible. In any case, I think it's important to avoid
> taking the investigators' statements at face value. Weev mentioned that
> investigators made dubious technical statements in some places, and while I
> haven't read all of the documents to come out about this case, that's
> certainly within the realm of possibility.
>
> There are likely still details that haven't come out yet about both cases
> (though I can't know for sure) and it's not entirely clear what level of
> technical expertise various people have.
>
> Things that are important to note for hidden service operators:
> - Firewall rules are really useful for keeping out unwarranted scrutiny.
> - Don't hardcode your IP address in any links (though this is one of the
> least-likely theories).
> - Having a pseudonym isn't a replacement for excellent security practices.
> - Don't run a hidden service host.
> - For best security, run your own services rather than relying on someone
> else's security. I feel like this is often overlooked in the name of
> "easiness" but it's really important IMO. [1]

Does it not contradict the previous statement about "don't run a hidden service host"?

--
tor-talk mailing list
