REPOSTED: By JAMES GLANZ, NY Times, June 17, 2015
The F.B.I.’s route to the St. Louis Cardinals’ front office in pursuit of an apparent hacker, or hackers, involved a trip through a shrouded corner of the Internet.
Deadspin pointed out last June that internal documents of the Houston Astros had been posted anonymously online at a site called Anonbin. Alarmed, the Major League Baseball commissioner’s office notified law enforcement officials. From the Anonbin posting, those officials worked backward to find the perpetrator, who had tried to leave no tracks.
The person or people who penetrated the Astros’ network apparently used a network of servers called Tor to hide the source of the documents that found their way to the posting site.
“Tor is among the best anonymizing services out there, but it is not a silver bullet,” said Sascha Meinrath, director of X-Lab, a technology policy organization in Washington. Tor is most effective in the hands of an experienced hacker, Mr. Meinrath said. The hacking, though, seems to have left traces somewhere in the welter of Tor servers.
“What this tells me is that whoever leaked this is not very tech savvy,” he said.
The Tor network functions as a sort of Internet maze to throw off anyone who tries to trace the origin of an electronic message, Mr. Meinrath said. When the network receives a message, it bounces from server to server. The ordinary Internet pastes a series of addresses onto a message, allowing it to be traced back to the sender. In contrast, the Tor network strips that information out.
When the message emerges from the network, the source is, in theory, untraceable. Even so, it has long been known that intelligence and law enforcement agencies have made extensive efforts to infiltrate the Tor network and trace those who use it.
Many of the servers on the Tor network — apparently including the server raided by the F.B.I., according to the documents — are run by volunteers. That raid, Mr. Meinrath said, may indicate that the F.B.I. was not able to infiltrate enough servers on its own to trace the origin of the documents. The raid may have provided the last link in the chain back to the source.
“Probably the F.B.I. had some of that information but not all of it,” Mr. Meinrath said.
Another possibility, he said, was that the volunteer was not operating his server properly, and kept information about routes taken by the messages passing through it.
A skilled hacker, Mr. Meinrath said, would take into account all of these possibilities and add one or two additional layers of security to the communication — for example, using software to cloak the identity of the laptop that sent the message and connecting to the Internet somewhere that could not be linked to its source. Those measures seem to have eluded those who did the hacking.