mn_russianhacker 3 points ago +3 / -0

As far as the Shodan issue - it's too late without setting everything up again. What you'd want to do is only allow the webserver to accept traffic from cloudflare. The other thing would be to create a cert and apply it to the default server in nginx or apache and change the public IP address of the server.

Since it's already been discovered by Shodan and likely other services, they'd have to basically reset everything. Since the colo/provider is already known, it'd be a bit moot at this point. I haven't looked recently, but they'd need to deal with any extra DNS records also leaking data. If I recall correctly, the mail servers their web application and/or mail router is/was using aren't originating from their host, but it's been a while since I looked (since before the change this year).

The URL prefetching thing is a bit of a miss on the devs' part, I guess. Since the server makes a request to the URL, one can simply host an image on a webserver and then monitor logs and wait for the GET req to come from the host they're trying to find. There's many ways they could deal with this - from using an API to prefetch the URLs, using a completely different 'unrelated' host somewhere else, etc.

The thing with hosting services and applications is that normally there's a certain level of anonymity that is good enough. Generally, you're not trying to hide where you're hosted at all costs, simply because the nature of a hosted webapp is accessibility. The more layers of abstraction, the more difficult it becomes for the end user to utilize the service. You can throw a load balancer in the mix, but it adds another hop if that makes sense as an example. Now, in this case they're a target, so it's a bit different. You have to think about the things needed to be in place before you start deploying them because if you make one mistake it's relatively easy to uncover it.

To be fair, there's not really a huge 'market' so to speak for trying to hide where something is hosted. Sure, the concept exists, but in general it's pretty niche. You'd be in the realm of criminal type platforms at that point (or just people who understand the security as it relates to this specifically). Since I doubt this person and team are criminals or cybersec pros, they likely aren't on the 'up and up' with the current ways to stay hidden. They've done a fairly good enough job though.

Physical security and configuration is not the only thing either that needs to be locked down - a simple search engine query will bring up a couple of somewhat recent posts on Reddit which one could likely infer are related to TD. (Think stonetear and the Reddit inquiry.) I'm sure that account was a throwaway lol, but people are creatures of habit so you never know... The takeaway here is that people have to be careful about what they say.

One thing to consider is the volume a platform like this has. This isn't a small site (traffic wise). It's not as simple as a smaller VPS whose content can be moved around quickly and easily. They've built quite a bit of infrastructure here to handle the sheer number of people utilizing the service. Something smaller would be easier to hide.

If it were me, I'd spread it around. Just like everything else, you don't want to put all your eggs in one basket. One trade-off I guess would be exposure. If you were really a target and more services were handling your data, I suppose it's more of a risk that someone will give you up under pressure. Another trade-off would be the complexity - again, the scale at which the service is being provided means spreading it out across different providers / locations / ISPs / etc. would mean more complexity and can turn into integration hell rather quickly trying to make everything 'talk' to each other. The goal with an implementation like this would be to handle different parts and pieces of the infrastructure getting down'd without taking down everything.

Anyway, just some random thoughts I guess. My original post was really just a dig at the person who made the write-up because it came off like their shit doesn't stink because they did x to find y and look how smart I am. To put it into perspective, they did the basic legwork anyone with these somewhat basic skills would do; it's like coming in 1st at an 'everybody wins contest'... 😜
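The comment above recommends only letting the webserver accept traffic from Cloudflare. A complementary defender-side check, added here as an example and not code from the commenter or from any project mentioned in the thread, scans origin access logs for requests whose client address is outside the edge provider's published ranges; any such hit means the origin IP is reachable directly and the firewall allowlist is missing or bypassed. The two prefixes in `EDGE_RANGES` are constructed placeholders, not the real published list.

```python
import ipaddress
import re

# Constructed placeholder for the edge provider's published IPv4 prefixes.
# In practice, load the current list from the provider and refresh it regularly.
EDGE_RANGES = [ipaddress.ip_network(p) for p in ("198.41.128.0/17", "104.16.0.0/13")]

# Apache/nginx "combined" log format: client ip, ident, user, [time], "request", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

# Constructed sample log lines (203.0.113.0/24 and 192.0.2.0/24 are documentation nets).
SAMPLE_LOG = [
    '198.41.130.5 - - [10/Oct/2023:13:55:36 +0000] "GET /index.html HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "GET /index.html HTTP/1.1" 200 512',
    '104.20.1.1 - - [10/Oct/2023:13:56:02 +0000] "POST /api/post HTTP/1.1" 201 88',
    'garbage line that does not parse',
    '192.0.2.44 - - [10/Oct/2023:13:57:10 +0000] "GET /.env HTTP/1.1" 404 0',
]


def is_edge_address(ip: str) -> bool:
    """True if the client address belongs to one of the allowed edge prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in EDGE_RANGES)


def direct_hits(log_lines):
    """Return (client_ip, path) for every request that reached the origin directly,
    i.e. did not arrive via the edge provider. Unparseable lines are skipped."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, path, _status = m.groups()
        if not is_edge_address(ip):
            hits.append((ip, path))
    return hits


if __name__ == "__main__":
    for ip, path in direct_hits(SAMPLE_LOG):
        print(f"origin reached directly from {ip}: {path}")
```

Any output from this check is a signal that the packet-filter allowlist (the actual fix the commenter describes) is not in place or has been bypassed; the app-level check does not replace it.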

mn_russianhacker 3 points ago +3 / -0

I should also mention this -

You could do things until you're blue in the face to prevent the host from being disclosed... but they're potentially dealing with two types trying to discover information. At the end of the day, if it's government, the data could be subpoenaed from the registrar, ISPs, services they'd subscribed to like Cloudflare, mail, etc.

I'm not saying it's impossible, but back to my point about being 'good enough', there's a reason for it... There's a reason why people who actually have illegal services aren't just hanging out on the public internet (I mean some are lol, but you get my drift I think...). TD is not illegal... The point is that you can only do so much, and it's likely not enough unless you start doing stuff that's going to make it less accessible. Plus, who wants to be associated with places that are actually up to shady shit...

They'll be fine. Worst case scenario, they'll move the infra to a country that gives zero fucks. It will make people question why it's located there, and bring on its own issues, but it's honestly the easy button here. Lots of people probably have heard of the Pirate Bay. Similar concept.

julianReyes 1 point ago +1 / -0

Web browsers are already inherently insecure anyways, considering how shoddily they are coded--Firefox was promoted as being the best option for privacy for a while now, and yet its sandboxing capabilities are shit compared to Chrome's.

DeepMind 1 point ago +1 / -0

Thanks for the excellent analysis and details, fren!

I'm very interested in this topic, and cybersecurity, cryptography in general, but I'm very green, so I was reading every word of it with pleasure.

I was thinking about it too and also came up with the idea that in the end, moving to a safe harbor country (oh the irony, it's not here) is the first and probably the best step. IDGAF if it's not here, who cares.