
> Here's how the attack may have happened: Step one, collect data about which computers are sending and receiving large amounts of Tor bandwidth. Step two, if the server resides in a datacenter, request an image of the server. Step three, you now know whether the server is a darknet website.

This in itself is not sufficient: there are thousands of Tor bridges, relays and exit points. All of them carry lots of traffic and all of them could be hosting hidden services as well. The total traffic in itself doesn't necessarily show that a server hosts hidden services. It could also be masked by generating fake traffic to/from the server.

Knowing that Tor traffic comes and goes through a server isn't enough. Most data centers would not just hand over disk images just because a server is running Tor and a hidden service. You would need good evidence that the particular hidden service you seek is hosted at that particular data center.

You still need detective work to pinpoint the location of the datacenter. This could come from timing attacks or an unrevealed weakness in the Tor protocol itself, but it's more likely that they noticed suspicious activity in real life (large purchases, people already known to be involved in drugs), infiltrated some markets, managed to get some people to talk, ... Once you suspect a particular person and they are under surveillance, you can catch them paying for servers with their CC, connect to their server directly, or watch their BTC transactions.

They would certainly need the cooperation of the involved data centers at some point, but neither Europol nor the FBI can just walk into any data center and request images of any server that handles Tor traffic without a warrant, which would require some tangible evidence to support its release, lest it become inadmissible in court.



> This in itself is not sufficient: there are thousands of Tor bridges, relays and exit points. All of them carry lots of traffic and all of them could be hosting hidden services as well. The total traffic in itself doesn't necessarily show that a server hosts hidden services. It could also be masked by generating fake traffic to/from the server.

Relays (exit and non-exit relays) are listed in the consensus, so you can easily rule them out, or just watch the hidden service and the relay and correlate downtime.

Bridges are not listed in the consensus, but they also don't survive very long, and don't carry very much traffic, since they tend to be used by a small number of individuals. So bridges will naturally churn out of your target set.

> neither Europol nor the FBI can just walk into any data center and request images of any server that handles Tor traffic without a warrant,

This seems optimistic at best. They could certainly ask to install a wiretap, or just threaten their way into installing a wiretap (i.e., install this wiretap or my buddy at the EPA is going to be allllll over you for how bad your parking lot is drained, etc). They could just ask and say they suspect the computer is involved in child pornography, which will probably override most people's objections.

But beyond that, people tend to cooperate with authorities. It's either a natural state of humans to be subservient, or we've been indoctrinated through eons of hierarchy, but now, the only thing necessary to get someone to kill someone else is a stern command. If you don't believe me, look up the Milgram experiments.


> but now, the only thing necessary to get someone to kill someone else is a stern command. If you don't believe me, look up the Milgram experiments

I think you're being a bit hyperbolic here.


Look up the Milgram experiments and tell me I'm being hyperbolic.


Ethereum web3.0 + TOR


> Knowing that Tor traffic comes and goes through a server isn't enough. Most data centers would not just hand over disk images just because a server is running Tor and a hidden service. You would need good evidence that the particular hidden service you seek is hosted at that particular data center.

They can just enumerate every hidden service, figure out which ones are doing something obviously illegal, then once they locate a datacenter that is likely to be hosting hidden services e.g. accepts payment in Bitcoin, get netflow data and pump traffic at each hidden service in turn. When a synchronised block of encrypted traffic turns up at a host, there's your probable cause to go image the server: it's practically bulletproof evidence that the hidden service corresponding to some black market is running on that machine.

The only bottleneck to this approach is finding the datacenters, but there aren't that many which accept Bitcoin for payment, and I bet intelligence agencies can easily provide a list of every colocation facility that is running long term connections to the Tor network. Heck they can probably identify the precise machines by doing traffic correlation automatically - it's the sort of task they'd be good at, and they have the infrastructure.


> there aren't that many which yet accept Bitcoin for payment

FTFY


> neither Europol nor the FBI can just walk into any data center and request images of any server that handles Tor traffic without a warrant, which would require some tangible evidence to support its release

What about with a data request by a judge in Italy, raising a sealed subpoena through a Texas court to get the FBI to physically remove a server from a datacenter in London belonging to a UK organisation, without informing them, the UK government or the UK police, all while keeping the original reasons for this under seal, and then suddenly returning the hardware just as mysteriously as it was first taken, without thinking you should have to explain a single thing?

That happened to Indymedia years ago. - https://www.eff.org/cases/indymedia-server-takedown


As long as everyone has someone else to point to who is responsible, these things will continue to happen. It's the same pretty much everywhere in the world.


Agreed, but the sheer scope of this operation forces us to consider whether the authorities are playing by all of the rules. Since we don't know which rules are still reliable, the best defense is simply to assume your server is compromised from the start. And, incidentally, your support staff.

By the way, I'd also like to thank everyone for the thoughtful responses. It's great that people are thinking about this problem.



