What started as an arrest in Ireland pertaining to a case of child pornography took an international twist this past weekend, and cast doubt on the security and privacy of Tor, the popular anonymizing network. It all started with Eric Marques, the CEO of Freedom Hosting, a small hosting company that provides accounts to anyone who wants one. Eric became infamous in the underground of the web because of his willingness to turn a blind eye to any activity that went on inside the network of Freedom Hosting. This included potential child pornography sites, along with other illicit activities. In October of 2011, the activist group Anonymous learned about this company and launched a denial of service attack against its servers, claiming that those servers hosted the vast majority of child pornography sites on the web, many of them being provided as Tor hidden services.

That last point, the fact that many sites on Freedom Hosting were provided as Tor hidden services, is where things become more complicated. Most people know of Tor as a simple software package that you can download and then use to anonymize your Internet connection, which I’ve written about recently. Your browser connects to various hops along the way before going to your destination, providing privacy against spies, either governmental or criminal, who would want to track you down.

But Tor also introduced the concept of a hidden service. This is a website which uses the same technology in order to be completely anonymous. That means if you go to a special web URL, such as http://tnysbtbxsf356hiy.onion or one of thousands of other sites, then you can connect to a website that remains anonymous. This particular address is StrongBox, a legitimate privacy service from The New Yorker. There is also TOR Mail, a popular anonymous email system, along with a lot of potentially illegal sites, such as the famous Silk Road, which provides drugs and weapons for sale, child pornography sites, crime gangs, and so on. These make up part of the Deep Web, available only through Tor.

The problem is that Freedom Hosting happened to host quite a few of these hidden websites, including TOR Mail and other popular destinations. So when the Irish authorities arrested Eric, they all went offline. But the story doesn’t end there. The sites are actually still available, but with a blank page saying the service is down for maintenance. However, that maintenance page is also serving a JavaScript exploit. This exploit specifically targets Firefox 17, the version included in the Tor browser bundle. So it’s more than likely that it was created specifically to infect Tor users. But what does this exploit do? It simply reports your IP and MAC address to a server in Virginia. It didn’t take long after this exploit was found for people to make the link between the FBI-sponsored Irish arrest, Tor, and a certain Virginia-based US government agency. While there is no way to be sure, it seems plausible that the exploit was planted by US authorities in order to make a list of all Tor users.

The Tor project itself was quick to distance itself, saying that Tor has nothing to do with Freedom Hosting, and that the project itself is still intact. Technically that’s true, but the problem here is complacency. While anyone can run a hidden service, a large majority selected the same company as hosting provider, so when that one point of failure goes down, it appears as if most of the network is also down. No doubt this was a wake-up call for anyone operating in the Deep Web. The other problem is the JavaScript exploit, and within a day the Tor project released a patch to fix it.

Whether Eric Marques is truly guilty of hosting child pornography is debatable, and something the courts will have to decide; however, the whole event is interesting for many more reasons. The fact that even popular hidden services like TOR Mail went offline because of this one arrest places some doubt on Tor itself, especially since all the major news outlets picked up the story. Also, while this is hardly the first time that US authorities have used computer exploits to try to hack into suspects’ machines, this JavaScript exploit could end up being the most widespread one. It’s likely that thousands of people who happened to go on one of the many offline sites have had their address sent to Virginia by now, and if this is indeed the work of the authorities, this information was likely linked with PRISM data.

It’s interesting to note that just this past week, General Alexander, the head of the NSA, was speaking at Black Hat, trying to reassure the tech crowd about how lawful the spying operation is, and how no abuse is being done. Meanwhile, leaks keep coming out, like the recent Reuters report about how the DEA uses data to target suspects, before agents are directed to cover up where the information came from. This #torsploit story, as it’s been nicknamed on social networks, is also still being heavily looked into. There seems to be little doubt in some people’s minds that the IP address in question is owned by the NSA, which would hint at yet another instance of data spillage going on. One thing seems certain: we’re far from done hearing about these secret Internet spying programs.