<div dir="ltr"><div><a href="http://www.wired.com/threatlevel/2014/01/tormail/">http://www.wired.com/threatlevel/2014/01/tormail/</a><br><br></div>Bonus link for y'all. Hope you used PGP. Happy Monday!<br><br>R<br><div>
<h1><font size="4">If You Used This Secure Webmail Site, the FBI Has Your Inbox</font></h1>
<ul><li class="">By <a href="http://www.wired.com/threatlevel/author/kevin_poulsen/">Kevin Poulsen</a></li><li class="">01.27.14</li><li class="">6:30 AM</li></ul><p>While investigating a hosting company known for sheltering child porn
last year the FBI incidentally seized the entire e-mail database of a
popular anonymous webmail service called TorMail.</p>
<p>Now the FBI is tapping that vast trove of e-mail in unrelated investigations.</p>
<p>The bureau’s data windfall, seized from a company called Freedom
Hosting, surfaced in court papers last week when prosecutors indicted a
Florida man for allegedly selling counterfeit credit cards online. The
filings show the FBI built its case in part by executing a search
warrant on a Gmail account used by the counterfeiters, where they found
that orders for forged cards were being sent to a TorMail e-mail
account: “platplus@tormail.net.”</p>
<p>Acting on that lead in September, the FBI obtained a search warrant
for the TorMail account, and then accessed it from the bureau’s own copy
of “data and information from the TorMail e-mail server, including the
content of TorMail e-mail accounts,” according to the <a href="http://www.justice.gov/usao/nj/Press/files/pdffiles/2014/Roberson,%20Sean%20Complaint.pdf" target="_blank">complaint</a> (.pdf) sworn out by U.S. Postal Inspector Eric Malecki.</p>
<p>The tactic suggests the FBI is adapting to the age of big data with
an NSA-style collect-everything approach, gathering information into a
virtual lock box, and leaving it there until it can obtain specific
authority to tap it later. There’s no indication that the FBI searched
the trove for incriminating evidence before getting a warrant. But now
that it has a copy of TorMail’s servers, the bureau can execute endless
search warrants on a mail service that once boasted of being immune to
spying.</p>
<p>“We have no information to give you or to respond to any subpoenas or
court orders,” read TorMail’s homepage. “Do not bother contacting us
for information on, or to view the contents of a TorMail user inbox, you
will be ignored.”</p>
<p>In another e-mail case, the FBI last year won a court order compelling secure e-mail provider Lavabit to <a href="http://www.wired.com/threatlevel/2013/10/lavabit_unsealed/" target="_blank">turn over the master encryption keys</a>
for its website, which would have given agents the technical ability to
spy on all of Lavabit’s 400,000 users – though the government said it
was interested only in one. (Rather than comply, Lavabit shut down and
is appealing the surveillance order.)</p>
<p>TorMail was the webmail provider of choice for denizens of the so-called <a href="http://www.wired.com/opinion/2013/10/thompson/" target="_blank">Darknet</a>
of anonymous and encrypted websites and services, making the FBI’s
cache extraordinarily valuable. The affair also sheds a little more
light on the already-strange story of the FBI’s broad attack on Freedom
Hosting, once a key service provider for untraceable websites.</p>
<p>Freedom Hosting specialized in providing turnkey “Tor hidden service”
sites — special sites, with addresses ending in .onion, that hide their
geographic location behind layers of routing, and can be reached only
over the Tor anonymity network. Tor hidden services are used by those
seeking to evade surveillance or protect users’ privacy to an
extraordinary degree – human rights groups and journalists as well as
serious criminal elements.</p>
<p>By some estimates, Freedom Hosting backstopped fully half of all
hidden services at the time it was shut down last year — TorMail among
them. But it had a reputation for tolerating child pornography on its
servers. In July, the FBI moved on the company and had the alleged
operator, Eric Eoin Marques, arrested at his home in Ireland. The U.S.
is now seeking his extradition for allegedly facilitating child porn on a
massive scale; hearings are set to begin in Dublin this week.</p>
<p>According to the new document, the FBI obtained the data belonging to
Freedom Hosting’s customers through a Mutual Legal Assistance request
to France – where the company leased its servers – between July 22, 2013
and August 2 of last year.</p>
<p>That’s two days before all the sites hosted by Freedom Hosting,
including TorMail, began serving an error message with hidden code
embedded in the page, on August 4.</p>
<p>Security researchers dissected the code and found it <a href="http://www.wired.com/threatlevel/2013/08/freedom-hosting/" target="_blank">exploited a security hole</a>
in Firefox to de-anonymize users with slightly outdated versions of Tor
Browser Bundle, reporting back to a mysterious server in Northern
Virginia. Though the FBI hasn’t commented (and declined to speak for
this story), the malware’s behavior was consistent with the <a href="http://www.wired.com/threatlevel/2009/04/fbi-spyware-pro/" target="_blank">FBI’s spyware deployments</a>, now known as a “Network Investigative Technique.”</p>
<p>No mass deployment of the FBI’s malware had ever before been spotted in the wild.</p>
<p>The attack through TorMail alarmed many in the Darknet, including the
underground’s most notorious figure — Dread Pirate Roberts, the
operator of the Silk Road drug forum, who took the unusual step of
posting a warning on the Silk Road homepage. An analysis he wrote on the
associated forum now seems prescient.</p>
<p>“I know that MANY people, <a href="http://en.reddit.com/r/SilkRoad/comments/1jrnhx/important_security_announcement_from_dpr_himself/" target="_blank">vendors included, used TorMail</a>,”
he wrote. “You must think back through your TorMail usage and assume
everything you wrote there and didn’t encrypt can be read by law
enforcement at this point and take action accordingly. I personally did
not use the service for anything important, and hopefully neither did
any of you.” Two months later the <a href="http://www.wired.com/threatlevel/2013/10/silk-road-raided/" target="_blank">FBI arrested</a> San Francisco man Ross William Ulbricht as the alleged Silk Road operator.</p>
<p>The connection, if any, between the FBI obtaining Freedom Hosting’s
data and apparently launching the malware campaign through TorMail and
the other sites isn’t spelled out in the new document. The bureau could
have had the cooperation of the French hosting company that Marques
leased his servers from. Or it might have set up its own Tor hidden
services using the private keys obtained from the seizure, which would
allow it to adopt the same .onion addresses used by the original sites.</p>
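<p>The remark above about re-using the seized private keys rests on how a Tor hidden service gets its address. In the version 2 scheme in use in 2013, the .onion name is not registered anywhere: it is the first 80 bits of the SHA-1 hash of the service's DER-encoded RSA public key, base32-encoded. Whoever holds the matching private key can therefore publish a descriptor for that exact address and stand up a look-alike service that Tor clients will accept. The following is an added example, not code from the article or from the Tor project, that derives a v2 address from a public key; the modulus and exponent it uses are toy values constructed for the demonstration (real services used RSA-1024 with exponent 65537), and the helper names are this example's own.</p>

```python
import base64
import hashlib

# Added example: derivation of a (v2, 2013-era) Tor .onion address from the
# hidden service's RSA public key, per Tor's rend-spec-v2:
#   address = base32( SHA-1( DER(RSAPublicKey) )[:10] ) + ".onion"
# where RSAPublicKey is the PKCS#1 structure
#   SEQUENCE { modulus INTEGER, publicExponent INTEGER }.
# Nothing here is Tor's own code; the DER encoder is written out so the
# example runs with the standard library alone.


def _der_length(n: int) -> bytes:
    """DER length octets: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der_integer(value: int) -> bytes:
    """DER INTEGER (tag 0x02). A leading 0x00 is added when the top bit of
    the first content byte is set, so the value is not decoded as negative."""
    if value < 0:
        raise ValueError("RSA parameters are non-negative")
    body = value.to_bytes(max(1, (value.bit_length() + 7) // 8), "big")
    if body[0] & 0x80:
        body = b"\x00" + body
    return b"\x02" + _der_length(len(body)) + body


def der_rsa_public_key(modulus: int, exponent: int) -> bytes:
    """PKCS#1 RSAPublicKey ::= SEQUENCE { modulus INTEGER, publicExponent INTEGER }."""
    inner = _der_integer(modulus) + _der_integer(exponent)
    return b"\x30" + _der_length(len(inner)) + inner


def onion_address_v2(modulus: int, exponent: int) -> str:
    """First 80 bits of SHA-1 over the DER public key, base32, lowercase."""
    digest = hashlib.sha1(der_rsa_public_key(modulus, exponent)).digest()
    return base64.b32encode(digest[:10]).decode("ascii").lower() + ".onion"


def impersonation_possible(seized_modulus: int, seized_exponent: int,
                           target_address: str) -> bool:
    """Whether a seized key pair (identified by its public half) would let its
    holder publish descriptors under target_address: true exactly when the
    address derived from that key matches, since the address is nothing but a
    hash of the key. A fresh key of the same size never reproduces it."""
    return onion_address_v2(seized_modulus, seized_exponent) == target_address


if __name__ == "__main__":
    # Toy parameters, constructed for the example (not a real Tor key).
    n, e = 3233, 17
    addr = onion_address_v2(n, e)
    print("DER(RSAPublicKey) =", der_rsa_public_key(n, e).hex())
    print("address           =", addr)
    # A different key, even with the same modulus size, yields a different
    # address; only the original private key holder can serve this name.
    print("other key matches:", impersonation_possible(3233, 65537, addr))
    print("seized key matches:", impersonation_possible(n, e, addr))
```

<p>The v3 format that later replaced this scheme embeds the service's ed25519 public key directly in a longer address, but the property the article relies on is the same: possession of the service's long-term private key, not control of any server or DNS name, is what lets a party answer for a given .onion address.</p>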
<p>The French company also hasn’t been identified. But France’s largest hosting company, OVH, <a href="http://forum.ovh.com/showthread.php?89685-Le-nouveau-contrat-de-serveur-dedie" target="_blank">announced on July 29</a>,
in the middle of the FBI’s then-secret Freedom Hosting seizure, that it
would no longer allow Tor software on its servers. A spokesman for the
company says he can’t comment on specific cases, and declined to say
whether Freedom Hosting was a customer.</p>
<p>“Wherever the data center is located, we conduct our activities in
conformity with applicable laws, and as a hosting company, we obey
search warrants or disclosure orders,” OVH spokesman Benjamin Bongoat
told WIRED. “This is all we can say as we usually don’t make any
comments on hot topics.”</p></div></div>