[tor-talk] Warning: Do NOT use my mirrors/services until I have reviewed the situation

-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA512 Hey all, So after one crazy night, some more information is slowly coming to light. 1. Right now I am happy that whatever happened is not the result of a seizure as access to the servers has now been restored to me. 2. The USB device is from the KVM according to the provider but given the circumstances such information was collected under it isn't possible to fully reference all the events before my initial mailing. 3. The DC has confirmed via Twitter that the servers were not "accessed". Having been raided in the past I know indeed they can be forced under Dutch law not to inform clients of raids, but I don't feel this may be the case. With that being said, a chassis intrusion indicator still must be addressed and I cannot find it in the logs anymore. The DC company are not the people who I directly interact with however so I am still awaiting a direct response form those we host the server with. 4. i3D has provided a statement saying the USB device is the KVM, whereas the host I rent directly from has said no USB device was in the machine at the time. I haven't spoken in full yet to either party so I can't know the full facts of their statements or if there is a explanation for what seem conflicting statements. Somebody has suggested to me that the KVM could appear as a USB device which would make sense, but that right now is a theory and not a fact. 5. I am not in any way saying i3D or Snel are bad hosts. They have been excellent with me so far and I know they do not hand over information unless they are bound to by law. I cannot expect an ISP/business to go beyond the law in defending their customers and so I feel they are doing the best they can for their clients including me. Indeed I have written a very positive review for my current ISP some months back and I stand by that review, especially for any party who wants to host their own Tor exit nodes on dedicated hardware. 6. The disappearance of logs such as bandwidth information so far has not been solved. There is no obvious cause of this right now either but I've decided to file it as a bug report with the ISP to get some more information on the matter and see if any backups of it were stored. 7. Having had an email from my partner, he has confirmed nothing sensitive was on the machines under his management. We are now considering our options of re-launching the mirrors but for now we will be keeping the exits offline. I should add at this point as arma has pointed out previously there is only a little bit more information that an adversary can gain from hijacking your relays than they could watching the IXP for example and so even hijacking the servers, whilst uncomfortable, in itself should not be enough to break a users' anonymity or the safety of the network. 8. I haven't been raided yet so I have stored my spartan cape, shield and spear back into the cupboard. I think I can let me guard down a little more now. 9. Media: Please do not report this as a Tor network compromise. Those severs held not just Tor stuff and the IPs/fingerprints were blacklisted very quickly thanks to ioerror who I talked to privately with what little information I had at the time. The blacklists were precautionary and we had no evidence then it was actually compromised. The reporting of suspicious circumstances and being proactive when it comes to system security is very important, especially where there is a responsibility to other users. 10. For all those people who I host stuff for over hidden services, I have already moved all of your files to another ISP and securely deleted the hard drives which were encrypted. That server does not appear to have been as severely effected as others so I am pretty confident nothing has fallen into the hands of a third party, but I will issue fresh hidden service addresses as requested. - -T - -- Activist, anarchist and a bit of a dreamer. PGP Keys: key.thecthulhu.com Current Fingerprint: E771 BE69 4696 F742 DB94 AA8C 5C2A 8C5A 0CCA 4983 Key-ID: 0CCA4983 Master Fingerprint: DDEF AB9B 1962 5D09 4264 2558 1F23 39B7 EF10 09F0 Key-ID: EF1009F0 Twitter: @CthulhuSec XMPP: thecthulhu at jabber.ccc.de XMPP-OTR: 4321B19F A9A3462C FE64BAC7 294C8A7E A53CC966 -----BEGIN PGP SIGNATURE----- iQIcBAEBCgAGBQJUmE1zAAoJEFwqjFoMykmD8/YP/2v+thZX7Mal4rmzrHUbnMg8 B670OlX5JgjnOhb8tR/OA83GKps3m5P0XCOlCWG3g+QHOdSyA5B0FuGYjCcX6auf 0sNdSfiUBrQ1umD//VjCeCwMZ4tGORu0uqQrbYfSucLj/nEL3Zzo437efwEzwJKS vZDBDbjKtLJvanAYhT5aMPLC35L3N2/7VDaTb0R7DVeJhOe8SB3RuT7r2Dho1CoF U5iM/HgdvwOS/PzSd9O3FVElTAsryazsJU3LxYCcHQbOeVHytUlBFcxfyxIOWuYy IUxzGuOcM89u5gEfBkPbqhPbd22KAnv0irPH6VlWd8XOvhv+0EB+Jb6RsGzPyVDc PNeErfjyXKMWyNU7VTj+BbBB+B5mcJqMtaHpr15wBChvjb0eYTqQOzsAwPPAR6uD MhZpQILUeG2mIiIyW/9lBSP5b3k6ZgVek1cDhKr9W11Sp95QKfnsK0e4Mau7xP22 xeKNGlD/LJAh7fAtsIiw10dcEqTsFUN+Q7ONRSk81Q7xmwt3kwOrJo5g0QTTW26f 2Q0oJ3p62SA+nP46b9UGkMQ9xAe4LCcMn5X+3YjBBjeABsMKgD22sP9HjOm2VTYl HjjcX4MQw5ZZXzWnjPaY+0a9AzOzUQt4GfDDlAluszVzL2kkouk02p6pyBEVn79N 10PQHF5PN8GG2JOBQm5p =lJrp -----END PGP SIGNATURE-----