Freenet De-Anonymization

autosectools.com/Freenet-De-anonymization

I wonder what kind of exploit this is?

Other urls found in this thread:

reddit.com/r/Freenet/comments/4es8lv/law_enforcement_freenet_project_links/
my.mixtape.moe/rtnfim.pdf
127.0.0.1:8888/uploads/
torrentz.eu/13afe95e655d36f5a5818e760327940703a23989
torrentz.eu/8ee07b18029056202c8825e133532a67d0f5ec03
web.archive.org/web/20160412090016/https://www.ncjtc.org/ICAC/Courses/trngres/Torrential_Downpour_BitTorrent_Update_Refresher.pdf
web.archive.org/web/20160412085720/https://www.ncjtc.org/ICAC/Courses/trngres/Bittorrent_Case_Study.pdf
web.archive.org/web/*/https://www.ncjtc.org/ICAC/Courses/trngres/*
web.archive.org/web/20160412085857/https://www.ncjtc.org/ICAC/Courses/trngres/NetClean_Analyze_Webinar_Downloads.pdf
web.archive.org/web/20160412085819/https://www.ncjtc.org/ICAC/Courses/trngres/Griffeye_Analyze_DI_Basics_PPT.pdf
wfaa.com/story/news/crime/2015/01/08/plano-officer-arrested-twice-for-possessing-child-porn/21482787/
ncjtc.org/ICAC/Courses/trngres/Forms/AllItems.aspx
cyb3rcrim3.blogspot.de/2012/07/multiplicity-ep2p-and-child-pornography.html
webcache.googleusercontent.com/search?q=cache:gdPAM-Ae1swJ:https://www.ncjtc.org/ICAC/Courses/trngres/Forms/AllItems.aspx&num=1&strip=1&vwsrc=0
mega.nz/#!wodhHKZK!wILqKISENq6_noHlEOPJUXo9FGVwhOQDVUu5_-gh_Og
twitter.com/hashtag/TorrentialDownpour
emu.freenetproject.org/pipermail/devl/2016-May/038923.html
emu.freenetproject.org/pipermail/devl/2016-May/038925.html
en.wikipedia.org/wiki/StealthNet
twitter.com/NSFWRedditVideo

It doesn't sound like they've deanonymized anyone. It's basically an inquiry to a skid group.

They are trying to sell it.

Given that he is fuzzing stuff, has real buffer overflow CVEs, and also the phrasing of


it is probably an exploit in Freenet code to be used against a direct peer to run code that gathers all the personal data on target system. Maybe it's even a JVM exploit, though it should be much more valuable and there are many more uses for that.

Freenet is a zombie project developed by fans, I don't think they are going to sort that out. Maybe getting more attention of hacking circles to the fact of targeting such tool can. Still, you shouldn't run network services outside a tight jail and let them have access to your personal system.

He seem to report Java vulns to Oracle, so that's probably a Freenet or some native code exploit.

...

So law enforcement has gotten hundreds of warrants based on "this node has a small chance of being the requester" by looking if the HTL is 18 and requested a known file of interest.

That doesn't mean the IP is the actual requester, innoncent people will get raided just for running freenet.

encryption doesn't work

...

So, basically, if you want to run Freenet, you should run it on an anonymous VPS and download from it through Tor.

You might get your VPS popped based on the exploit in OP.

Congratulations, you now have an adversary-controlled man in the middle performing your crypto and a paper trail leading back to you.

...

The objective in these kinds of investigations is almost never to bust people for using freenet/tor/i2p/etc, but to establish probable cause to kick in their doors and search their hard drives. It's unlikely they could make a case purely based on log analysis.

You can buy a VPS with bitcoins.

People in the west have no legitimate reason to use Freenet.

how were they able to get addresses from IPs if they were just doing "knock and talks". There wasn't even probable cause, just the fact they were using Freenet.

They hadn't even developed their flawed methods to get probable cause based on a lie.

...

A significant part of that document is copied from Freenet documentation. Do they respect its license?

> Duh, we're law enforcement, we can carelessly mention CP and don't give a fuck about hurting its victims once again, unlike those bastards everywhere else!

There is no reason to believe child abuse unit jokes about its topic any less often than other departments who deal with decaying bodies or street prostitutes.


They fell for the pedos' meme!


Wow, that's really dangerous. Someone may confuse it with high quality data and spoil the collection.


Sigh.


I found the person that actually kept all that content alive by slowly downloading it.


Moar liek Everything_I_can_get_Library, amirite?


Note: typically, in the lab means you create a virtual network, populate it with Freenet nodes, and study the data flow (there's even code for such simulations), but those researchers simply ran Freenet node on a shitty connection, as suggested by number of nodes on location graph.

Extremely slow Freenet is a meme.


Another meme with no technical foundation.


This should be a banner or something. No discussion of government policies should be without mention that this is how they think.


See, those little rights are actually useful and worth fighting for.


RTFM, noob. That shit has been documented since the time current version existed only in theory.

That's where the bullshit ends and tech guy starts typing. Still,


That's some serious technology worth mentioning, man.

They still needed two people to implement request loging and downloading of manifest data, pfft. And someone else wrote the log parser.


Hmm, nice word with a pretty specific legal meaning. Everyone who runs Freenet is already a suspect. Can I see a court decision for that?


Aaand they had a bug in their project. I don't have data for 2012 at hand, but that looks like a total number of all US node IP addresses seen in a month. Did they really consider any change in port number (e. g. caused by NAT) a sign of a new node running at the same address?


What a surprise.


That's another nice way to say we simply log everyone by setting HTL limit so high that originator of request can be any node in the world.


Their stats calcualtions are shit. See USK@sUm3oJISSEU4pl2Is9qa1eRoCLyz6r2LPkEqlXc3~oc,yBEbf-IJrcB8Pe~gAd53DEEHgbugUkFSHtzzLqnYlbs,AQACAAE/random_babcom/207/#Iamdarknetonlyagain and ask developers for further info.


...

He probably also watches YIFI rips.

It is set by first time setup wizard based on amount of free space on partition, idiots.


Having burger internet connection is suffering.


They save the latest name user chose for posting on a specific board, you idiot. It also can be "Anonymous". At least one identity is created at start, even if you never use it.


...


BY ITSELF? OMFG!


Because everyone who ever run Freenet did it for CP.


Typical level of knowledge of Windows sysadmins.


You still do transmit others' requests, ensure caching of your downloads on many nodes, and heal them, idiots! You are distributors, big time.


So they sometimes suspect Freenet is actually smarter than they think?


Wait, there wasn't any.


Thanks for the quotes, faggot.


And still can't rotate logs.


Show some love.

Redditors reading this, get useful once in a while. We need more attention to this discussion.

From here: reddit.com/r/Freenet/comments/4es8lv/law_enforcement_freenet_project_links/

Could someone download the PPT PDF and post it here?

SSK@EAtNA9ig~weyGoGuNnAU9rWrVr2jh5IjLkjH2eiDYJk,B1He6ANPE9nq9hKsxIsEJ3-w4D2T-TzgOj7JdD0CZgU,AQACAAE/Freenet_Investigations_PPT.pdf

SSK@o-8TvD9vF6bTAhFeyHV8CoCD6MkXC5~dIVRu31C~h7o,xKH~bxJBAAWnEENg3IlJdFM797RA6kIYq7aDrirFLCA,AQACAAE/Freenet%20Investigations%20White%20Paper%20-Black%20Ice%20%20%28090413%29.pdf

Just for the record, I found some data. According to the someone's stats node, 4 200 US IP addresses were seen in October 2012 out of 28 000 total, of which roughly 40% was not registered before. Today, the network is less than half of it.

Sources say there was an unprotected public directory on some law enforcement organization server that had many documents for training courses. Here's a presentation that rehashes article that was posted: my.mixtape.moe/rtnfim.pdf

I saved everything.

They apparently use harvested Freenet IPs and have a way to see all the networks a suspect IP was active on.

I assume they run a few Tor entry nodes to harvest limited IPs too.

— We know multiple hick law enforcement departments started to worry about Freenet in 2011, so that probably was a country-wide decree. A couple of years too slow, but whatever. With some effort, they quickly managed to implement a textbook passive attack and gather data for analysis.
— We know more sophisticated attacks and analysis of Freenet source were performed by more skilled researchers and brought some results.
— We don't know a lot, but can presume there's a global monitoring of Freenet by the agency that likes to globally monitor everything.

So the question is whether sharing a small amount of data publicly is still safe (sharing hundreds of megabytes of data, the way it is referenced in this leak, was never considered safe).

The other question is where has the IT community spent at least last 5 years slacking off from building stronger solutions. Integrating fart button apps with Facebook and Twitter?


>>>127.0.0.1:8888/uploads/
Pleeeeeease.

DID YOU ARCHIVE THE THREAD?
if so link pls

torrentz.eu/13afe95e655d36f5a5818e760327940703a23989
torrentz.eu/8ee07b18029056202c8825e133532a67d0f5ec03

Old junk with totally inconspicuous names.

I clicked that and it had 1000 pedo pics.
are you going to Torrent that m8? If so gibme a screencap because I dont want to download those.

Each year, they record over 1 million IP address in the US sharing known CP on torrents/eMule/Gnutella. And only make a couple thousand arrests a year. They need to step their game up.

the second link is actual cp videos, I fucking wish I had not clicked that you fucking pedoshit.

If you are dumb enough to get some random renamed CP shit from torrent has just been demonstrated as monitored by authorities, you should ask assistance from legal CP download troubleshooting servicemen in a nearest police office.

...

Nigger I dont want no cp I am not a fucking pedoshit


Did you archive the thread?

Well, I saved you from googling that.


You seem to overreact (or overact?). Hush, hush, authorities know you are a good citizen always watching over your neighborhood.

...

stop theorising, I did not over-react

We won't give you the thread, Mr. Officer, sir.

They monitor over 40,000 torrent info hashes

Is that all you got from that screenshot?

They weight CP torrent.

1 is legal clothed children

9 is "worst of the worst"

I am not an officer or a pedo, I am the GNU/Linux Masterace


enjoy your vanning


gibsme moar screencaps

what is Torrential Downpour, are you taking the screenshots or have you saved them from elsewhere and also you FBI?

www.ncjtc.org/ICAC/Courses/trngres + Google cache

It's from a training document.

web.archive.org/web/20160412090016/https://www.ncjtc.org/ICAC/Courses/trngres/Torrential_Downpour_BitTorrent_Update_Refresher.pdf

web.archive.org/web/20160412085720/https://www.ncjtc.org/ICAC/Courses/trngres/Bittorrent_Case_Study.pdf

when I entered that in my searchbar it said this which means you must work for ICAC


Thanks

Is Deluge safe?

...

Someone download and archive everything. It's missing like 30 documents, they are removing it from archive.org too.

web.archive.org/web/*/https://www.ncjtc.org/ICAC/Courses/trngres/*

Your posts in this thread are so stupid I'd like to see you removed from internet by court decision.

If I download it will it reveal my IP?


fuck you wincuck

Were they there in the first place?

All 105 documents were archived last time I looked, now it's down to 67.

If I download it will it reveal my IP?
because I know that if your dl docs through tor it leaks your IP.

Who cares? They fucked up and made a course page accessible to anyone for couple days.

They are public documents now.

I care will it?

> mfw some documents were not cached because they contain bad words

kek they are monitoring your chinese cartoons

web.archive.org/web/20160412085857/https://www.ncjtc.org/ICAC/Courses/trngres/NetClean_Analyze_Webinar_Downloads.pdf

web.archive.org/web/20160412085819/https://www.ncjtc.org/ICAC/Courses/trngres/Griffeye_Analyze_DI_Basics_PPT.pdf

So you only looked? Who else did (more)?

Of course they montior people who download loli. They are pedophiles. Many probably go on to download real CP.

Look for freenet nodes with this IP range

PLEASE DONATE TODAY. Your generosity preserves knowledge for future generations. Thank you.

You can easily get anyone raided because of their method.

Get a target IP and modify freenet or use a firewall to only connect to it. Make all requests go through the node with a HTL of 18. the IP gets raided.

...

Most of the officers who investigate computer crimes are just trained monkeys who know how to push buttons.

Most of the officers who investigate computer crimes are just trained monkeys who know how to push buttons.

The officers in Plano TX are doing great work!

wfaa.com/story/news/crime/2015/01/08/plano-officer-arrested-twice-for-possessing-child-porn/21482787/

At least google cache page for ncjtc.org/ICAC/Courses/trngres/Forms/AllItems.aspx loads some other .aspx file resources as text for some reason. If you know anything about ASP, you can check it. I don't.

Hmm.

cyb3rcrim3.blogspot.de/2012/07/multiplicity-ep2p-and-child-pornography.html

So what is API for those endpoints?

...

((((that guy)))

What part of anonymous VPS paid with bitcoins from a Starbucks through an anonymous VPN did you not understand?


In short: if you're going to browse fucking CP, use a single board computer completely disconnected from the internet, dm-crypt with Serpent, and put a RAM wipe on shutdown hook on your initscripts.

It sounds like it does, the police and prosecutors just use the excuse of "we can't break this, so automatically worst criminal activity imaginable" and some oldfuck judge agrees with them.

Or they somehow get their hands on an exploit for Tor, Freenet, i2p or any other anonymizing or vpn service and examine the traffic rather than trying to break the suspect's encryption when they seize their machines.

Downloaded 67 documents from web.archive.org/web/*/https://www.ncjtc.org/ICAC/Courses/trngres/*
but webcache.googleusercontent.com/search?q=cache:gdPAM-Ae1swJ:https://www.ncjtc.org/ICAC/Courses/trngres/Forms/AllItems.aspx&num=1&strip=1&vwsrc=0 shows that there was more than 100.
Anybody have rest? I can share my parts if anyone wants.

Nah, I take it as people who either don't use it properly (e.g. their password is "easy to remember" or they check the "Cache password on memory" box on Veracrypt), people who sperg hard on crypto while disregarding anything else (if you run a completely unpatched out-of-the-box Windows 7 you might just as well save everything as plaintext), or who fail to realize just how pervasive the botnet is (e.g. they use a modern computer with Intel TPM, Windows 10 and Avast).

As posted earlier, you can get cached text content for most files if you google their links. Name the saved file the same way original was named to avoid confusion.

So they've been making arrests since 2013? They were able to keep it quiet until 2015.

Someone posted these files on Freenet, how ironic.

Someone posted these files on Freenet, how ironic.

Entertaining posts user. You're the kind of person that makes browsing Holla Forums worthwhile.

Are there any similar documents on de-anonymization of Tor users?

...

lmao fam u must be a cuck irl

I hope this security issue is fixed, freenet was definitely the coolest of private networks and was very fun to post on.

All anime-abusers should be subjected to anime prison, where their drawn likeness does hard time as imaginary punishment for an imaginary crime.

This picture is worth two: Officer Fuckface.

viewing loli is bad. it normalizes and reinforces sexual feelings toward children. it isn't imaginary, it can be a catalyst to real child rape.

playing GTA is bad. it normalizes and reinforces violent impulses towards people. it isn't imaginary, it can be a catalyst to real mass murder.

Are we actually sure that the FBI doesn't have a zero day on Freenet? After all, there isn't as much development on it as, for example, Tor.
Also, Java.

The FBI has a zero day on Apple's encryption as well, I wouldn't be surprised at all.

The FBI spent 1 million dollars for the apple exploit. For 1 million dollars, they can buy a 0day exploit for any application.

...

So can someone reupload them somewhere already?

The privacy community really needs to start pushing for Libre Hardware.

Why do I only hear negative things about freenet?

Because, the creator even said it is nothing but a wasteland for CP.

mega.nz/#!wodhHKZK!wILqKISENq6_noHlEOPJUXo9FGVwhOQDVUu5_-gh_Og

here
mega.nz/#!wodhHKZK!wILqKISENq6_noHlEOPJUXo9FGVwhOQDVUu5_-gh_Og

Here's all the files from archive.org
mega.nz/#!wodhHKZK!wILqKISENq6_noHlEOPJUXo9FGVwhOQDVUu5_-gh_Og

Doesn't seem legit to me

Did the creator abandon it?

partially

Wise choice

No, and he didn't say that about Freenet. He said it about Frost.

CP isn't even the largest thing on FreeNet, some Japanese warez things are.

Rope meet neck, neck meet rope.
Nice reply, you should totally work for the topest of men. Mainly the FBI and catch all of the scarey boggymen in the name of National Security.

twitter.com/hashtag/TorrentialDownpour
Whoops

Learn how to speak English you fucking currynigger

What?

Freenet devs response to this:

emu.freenetproject.org/pipermail/devl/2016-May/038923.html

emu.freenetproject.org/pipermail/devl/2016-May/038925.html

"the vulnerability to HTL18 they use has already been addressed in
2008, so any probability they claim using that is false. For every
connection there is a 50% chance that all the requests (not only a
single one) did not originate from the node from which we received them
but were forwarded one step. So for 10 connection (the lowest value),
there are 5 other nodes whose HTL18 requests are forwarded with HTL18,
so the probability that a given HTL18 request originated at the node
From which we received it is only about 17% (1 in 6). And this
probability does not get better when gathering more requests of chunks
From a specific file or a specific kind of files, because they can
reasonably all be forwarded from a different node — the one which really
sent them. The only way to get good statistics would be to connect to
this node over and over again at different times when the peers of the
node changed (that requires waiting at least 2 hours to change a
significant number of peers — the only way to be sure would be to wait
for the other node to go offline for more than 5 minutes and then to
connect to it again). However screening out every node which ever sent a
HTL17 or HTL16 request could improve the reliability a lot, though with
significant cost. That doesn’t change that their probabilities are
calculated incorrectly, but could give them a pretty good hit rate on
people downloading a large volume of material."

I don't think courts care if its a lie. They have already decided that there is no legitimate reason to use freenet.

If you run a freenet node from your home, be prepared for a search at any time. I ran a freenet node for year or so, but I shut it down a couple a weeks ago. I'm still running i2p and non-tor relay for now.

non-exit tor relay*

archive them somewhere else, the mega fat fuck said mega.nz might be shutting down soon

btw 29 extra documents are showing now

web.archive.org/web/*/https://www.ncjtc.org/ICAC/Courses/trngres/*

What the fuck is stealth net?

en.wikipedia.org/wiki/StealthNet

Anyone ever heard of this?

brand new tool called Spotlight

huehuehue

No, and defunct

Bump.