Hacking the Defcon badges
Defcon badges, designed to be hacked, get turned into a polygraph, blue box dialer, sound sensitive blimp navigator and a device for defeating facial recognition systems.
Photos: Defcon badge inspires hacks
(Posted in InSecurity Complex by Elinor Mills)
August 5, 2009 4:00 AM PDT
Hanging with hackers can make you paranoid
Compromised ATMs, virus-infected USB drives, badges with built-in microphones and security experts getting hacked--no wonder it's scary going to Black Hat and Defcon.
Defcon: What to leave at home and other do's and don'ts
(Posted in InSecurity Complex by Elinor Mills)
August 4, 2009 4:00 AM PDT
Using software updates to spread malware
Researchers warn that attackers could put malware on machines by intercepting software updates on Wi-Fi networks.
(Posted in InSecurity Complex by Elinor Mills)
August 1, 2009 4:17 PM PDT
Researchers offer tools for eavesdropping, video hijacking
UCSniff can be used to spy on video conference calls while VideoJak allows for hijacking of video streams.
(Posted in InSecurity Complex by Elinor Mills)
July 31, 2009 5:51 PM PDT
Apple fixes iPhone SMS flaw
Vulnerability in iPhone software allowed hackers to take control of the device via an SMS message, as demonstrated at Black Hat.
Apple cautions iPhone users about jailbreaking
(Posted in Security by Jim Dalrymple)
July 31, 2009 11:50 AM PDT
An SMS can force a URL or app on smartphones
The onslaught of SMS attacks continues at Black Hat with the third of a handful of mobile-related talks.
(Posted in InSecurity Complex by Elinor Mills)
July 30, 2009 7:28 PM PDT
Hackers claim to bypass S.F. e-parking meters
A trio of programmers and engineers say they can bypass the security mechanisms of the city's electronic parking meters and create "prepaid" cards with a value of $999.99.
(Posted in Security by Declan McCullagh)
July 30, 2009 2:15 PM PDT
Researchers can attack mobile phones via spoofed SMS messages
Phones that support MMS on GSM networks are vulnerable to new SMS spoofing attacks, researchers say at Black Hat.
(Posted in InSecurity Complex by Elinor Mills)
July 30, 2009 1:53 PM PDT
Flaws in domain name verification uncovered
Dan Kaminsky and Moxie Marlinspike explain how flaws in the way domain names are verified on the Internet could allow attackers to impersonate a site and steal information from unsuspecting Web surfers.
(Posted in InSecurity Complex by Elinor Mills)
July 30, 2009 1:14 AM PDT
Researchers attack my iPhone via SMS
Two security researchers prove to a reporter during Black Hat that they can indeed "Pwn" her iPhone by just sending a text message.
(Posted in InSecurity Complex by Elinor Mills)
July 29, 2009 8:51 PM PDT
Ex-Google CIO breaks his own security rules
Douglas Merrill talks about being CIO at Google and an exec at EMI, and how more companies need to foster innovation, letting employees use Google Calendar if they want.
(Posted in InSecurity Complex by Elinor Mills)
July 29, 2009 5:11 PM PDT
Security experts' sites hacked on eve of conference
Attackers post e-mails, passwords, and other sensitive data stolen from security experts and others on hacked site of Dan Kaminsky.
(Posted in InSecurity Complex by Elinor Mills)
July 29, 2009 3:13 PM PDT
Clampi Trojan stealing online bank data
Security researcher warns that two-year-old Trojan has infected hundreds of thousands of PCs and is stealing log-in credentials when victims log into bank and other Web sites.
Spam and malware at all-time highs
Report finds fake antivirus on the rise
(Posted in InSecurity Complex by Elinor Mills)
July 29, 2009 11:30 AM PDT
Microsoft offers patches to ward off ActiveX attacks
In rare out-of-cycle security update, Microsoft fixes hole that put IE users at risk of attacks via ActiveX and other controls.
Single misplaced '&' caused latest IE exploit
(Posted in InSecurity Complex by Elinor Mills)
July 28, 2009 11:04 AM PDT
Microsoft says security programs are paying off
Company releases progress report on three programs launched a year ago to identify security holes and patch them faster.
(Posted in InSecurity Complex by Elinor Mills)
July 27, 2009 1:17 PM PDT
From iPhones to smart grids at Black Hat, Defcon
Security pros to swap data on hacking everything from phones to critical infrastructure at Black Hat and its less corporate sister show Defcon, where geek games and mayhem rule.
(Posted in InSecurity Complex by Elinor Mills)
July 27, 2009 4:00 AM PDT
HP researchers develop browser-based darknet
Darknets, encrypted peer-to-peer networks, are normally difficult to set up and maintain. But two researchers plan to demonstrate a less complicated one at Black Hat.
(Posted in Security by Tom Espiner)
July 25, 2009 3:58 PM PDT
Researchers to offer tool for breaking into Oracle databases
Free tools for breaking into Oracle databases will be released at Black Hat and Defcon next week.
(Posted in InSecurity Complex by Elinor Mills)
July 23, 2009 12:04 PM PDT
previous coverage
ATM vendor gets security talk pulled from conferences
Juniper Networks cancels researcher's talk at Black Hat and Defcon about ATM insecurities after a vendor complains.
(Posted in InSecurity Complex by Elinor Mills)
July 1, 2009 12:30 PM PDT
Hacker named to Homeland Security Advisory Council
Hacker and Defcon founder Jeff Moss joins former FBI, CIA directors on Homeland Security Advisory Council.
(Posted in InSecurity Complex by Elinor Mills)
June 5, 2009 5:27 PM PDT
At a hacker conference no one is safe.
When I first went to Defcon in 1995, the halls were mobbed with teenagers and attendees seemed more concerned with freeing Kevin Mitnick and seeing strippers than hacking each other's computers.
Jump forward to Defcon 17 this year, which was held over the weekend in Las Vegas, and things certainly have changed. The attendees are older and wiser and employed, most of the feds aren't in stealth mode, and even the most savvy of hackers is justifiably paranoid.
The Riviera Hotel room key customized for Defcon attendees. What else does it do? (Credit: James Martin/CNET News)
The evolving demographic of Defcon attendees shows that the hacker community, like all of us, is aging. But it's also a reflection of how the threat landscape has changed. Web site defacements have given way to much more serious risks like financial fraud and unaddressed critical infrastructure weaknesses. It's a cornucopia of phishing e-mails, cross-site scripting attacks that poke holes in trusted Web sites, and criminals harvesting credit card numbers and selling them on the underground equivalent of eBay with guarantees of service and support.
Defcon and Black Hat, the pricier and more corporate sister confab held the two days preceding Defcon ($120 for Defcon registration versus $1,395 to $2,095 for phased registration at Black Hat), offer a forum for researchers to share information about vulnerabilities they find in software, hardware and systems.
Targeted this year were everything from the iPhone and surveillance video feeds to e-parking meters and security underlying the Domain Name System.
Vendors and users weren't the only ones who needed to worry. Attendees had plenty to fear and security experts themselves weren't spared.
On July 27, Web sites belonging to a handful of security researchers and groups were hacked and passwords, private e-mails, IM chats, and potentially sensitive documents were exposed on the vandalized site of security golden boy Dan Kaminsky. (Mitnick, whose jailing in the '90s for computer crimes made him a cause celebre at "Free Kevin" benefits at Defcon at the time, was among those attacked.)
There were more widespread threats at the shows, too. Anyone using the Wi-Fi networks at the events had better be careful lest they get their password sniffed and posted on the Wall of Sheep. Then there was the USB thumb drive that was passed around among attendees of Black Hat that was found to be infected with the Conficker virus.
Reporters who aren't nearly as geeky as the sources they interview are always easy prey. One reporter was concerned about being hacked via the local area network in the press room after a rare Blue Screen of Death crashed his laptop.
Last year, three French men were expelled for sniffing the press room LAN at Black Hat. They said they had obtained eWeek's and CNET's passwords but failed to prove the CNET allegation.
This year, three South Koreans registered as press were ejected for asking questions that led organizers to believe they were on an intelligence-gathering mission instead of merely reporting, according to the IDG News Service.
I had a panic of my own at Defcon this year. I was connected to the Internet using an EVDO wireless card and a virtual private network and was startled a short while later when a Web page opened up out of the blue and I noticed the VPN was disconnected. Granted it looked like a legitimate page for my wireless carrier, but not wanting to take any chances I immediately logged off.
(See "Defcon: What to leave at home and other do's and don'ts" for tips on how to best protect yourself.)
Unfortunately, I had neglected to disable the Wi-Fi on the laptop. Because Windows XP event logging is lacking, it's not clear whether someone may have spoofed the name of a wireless network the laptop is configured to automatically connect to. Time to call the help desk.
At least I didn't use any automatic teller machines at the hotel. Defcon organizers confirmed on Monday that a fake ATM was discovered in a lobby of the Riviera Hotel where the event was held, right near the hotel security office. The ruse was up after someone looked through the camera hole using a flashlight and saw a PC inside.
Meanwhile, Chris Paget, a security expert who works at Google, reported on Twitter that he lost $200 from a compromised ATM at the Rio Hotel over the weekend. There are multiple Diebold ATMs with the skimmers inside at the Rio casino, he tweeted, later adding: "Secret Service just called back. They're taking it seriously, reading between the lines it seem(s) like there's more going on here."
There is no evidence that the fake Riviera ATM was planted by anyone at Defcon, and in all likelihood the hacked Rio ATM was not associated with the hacker show.
However, a small group of Defcon attendees was seen hacking into an ATM at the Artisan hotel where a "Ninja" party was being held on Saturday night and it appeared they had the ATM in administrator mode and were trying to change settings, several sources said.
Heightening the paranoia at Defcon was the report from event organizers on Saturday that there was a confirmed Trojan on the CD the conference hands out to all attendees. The report turned out to be false.
Also arousing suspicion were the Defcon badges, which featured a built-in microphone, LED, digital signal processor, and custom circuit boards designed to be hacked as part of a contest. I prudently popped the battery out of my badge after discussing the microphone capability with another journalist. Some attendees chose not to wear the badges at all, even without the battery, tucking them in satchels and digging them out every time they needed to display them.
As it does every year, Defcon also had its share of stupid attendee tricks--one arrest reportedly for carrying a concealed weapon and another for bungee jumping off the hotel roof.
But those are par for the course when you mix booze and rebellious youth trying to out-impress each other. It was the other stuff--the hacking and viruses and sniffing--that made me and others at the show jumpy.
Security guru Bruce Schneier, however, brushed it off as the mere cost of doing business.
"This is the way hackers play," he said. "This is the experimental battlefield. It's not bad; it is just what it is. Defcon has an important place in computer security."
Updated 12:54 p.m. PDT with information on Defcon attendees trying to hack ATM, and at 11:00 a.m. with this: Apparently, some feds at Defcon got a scare of their own. As part of a security awareness project, researchers set up an RFID reader connected to a Web camera that sniffed data from RFID-enabled cards in bags and pockets as people walked by and snapped a photo of the person in possession of the card, Kim Zetter at Wired.com reports. At risk of exposure was information on government access cards and badges agents tend to carry, as well as data stored on RFID-enabled cards that accompanied badges for Black Hat. After federal agents speaking at a panel were informed of the project, the data collected was destroyed.
Attending Defcon and Black Hat can make you feel a bit like a deer in a forest full of hunters.
The iPhone, love it, but leave it at home when going to Defcon, experts say. (Credit: CNET)
With virus-infected USB drives, Wi-Fi network sniffing, badges with built-in microphones and even security experts getting hacked, it seems like it's only a matter of time until your number comes up if you're not careful.
I asked some security experts for suggestions on what they do to protect themselves at the events and here is what they said.
Do's:
Have minimal software on your laptop, such as only the operating system and necessary applications.
Make a backup of your computer before you leave for the conference and then wipe everything and reinstall when you get home.
Disable Bluetooth and Wi-Fi on all devices.
Use an EVDO wireless card.
Only connect to the Internet when you must.
Use a virtual private network and--if you can--use RSA ID authentication and stop all direct connections to the computer.
Run Linux off a USB key, back up documents online, and start with a fresh operating system every day.
In addition to using updated security, application, and system software (antivirus in particular) and installing patches, use an operating system-level firewall.
An EVDO modem, such as the one pictured, should be the only gateway to the Internet used at a hacker conference. (Credit: Verizon)
Use a disposable camera and a pre-paid cell phone.
Lock up your equipment in your hotel room when you are going to be gone.
Take the drives with you when you leave the laptop in the hotel room.
Ask to be listed as a non-registered guest at the hotel so people can't get your room number or acknowledgement that you are staying at the hotel.
Don'ts:
Don't plug into any Ethernet jacks.
Stay off the Wi-Fi networks at the airport and the events.
Don't use the ATMs in the vicinity of the conferences.
What to leave at home:
Your laptop and smart phone. You can't be attacked if you don't bring your equipment. If you must bring it, consider leaving it in the hotel room.
Apple on Friday fixed an SMS-related security flaw in the iPhone that had been at the center of one of the most talked-about exploits at this week's Black Hat security conference.
"We appreciate the information provided to us about SMS vulnerabilities which affect several mobile phone platforms," Apple representative Tom Neumayr told CNET.
"This morning, less than 24 hours after a demonstration of this exploit," Neumayr continued, "we've issued a free software update that eliminates the vulnerability from the iPhone. Contrary to what's been reported, no one has been able to take control of the iPhone to gain access to personal information using this exploit."
The security flaw involved malicious SMS messages that could allow hackers to take control of an iPhone. The flaw could have let them make calls, send text messages, or almost anything they wanted on the victim's iPhone.
Security researchers Collin Mulliner and Charlie Miller showed the flaw in action at Black Hat earlier this week. Miller said the flaw could take control of the iPhone because of the way the device handled the SMS message. Researchers at Black Hat also showed how SMS-related vulnerabilities can affect Windows Mobile smartphones including those from HTC, Motorola, and Samsung.
Miller said that Apple was first notified of the flaw six weeks ago.
According to Apple, the iPhone 3.0.1 update released today improves the device's memory handling, essentially fixing the exploit.
The update is available by plugging your iPhone into your computer and clicking on the Check for Update button in iTunes.
MacKay parking meter reads $999.99 (Credit: Joe Grand, Jacob Appelbaum, Chris Tarnovsky)
A three-man team of programmers and engineers announced on Thursday that it has found a way to park for free by bypassing the security of "smart" parking meters used in cities including San Francisco, which has about 25,000 of them.
The parking meters are manufactured by J.J. MacKay Canada and accept coins and prepaid plastic cards that can be purchased in $20 and $50 denominations from local drugstores and grocery stores.
Although MacKay claims (PDF) its meters use "sophisticated security algorithms to deter fraud," it took the trio of hackers three days to figure out how to decode how the stored value card worked and boost its value to $999.99.
"We don't want people to walk away from this saying, 'Oh my God, they can steal money,'" said Jacob Appelbaum. "We want them to think, 'There's a whole computer in here. What kind of due diligence are people doing?'"
"If they're not using encryption, they're probably doing it wrong," Appelbaum added.
Appelbaum and his colleagues are presenting their research on Thursday afternoon at the Black Hat security conference in Las Vegas. The other two team members are Joe Grand, a hardware engineer and president of Grand Idea Studio, and Chris Tarnovsky, who runs Flylogic Engineering, which performs security analysis of semiconductors.
"We're concerned about this news and we'll do everything we can to work with MacKay and see what we can do to make the meters more secure," Judson True, a spokesman for the San Francisco Municipal Transportation Agency, said in an interview on Thursday afternoon.
One option would be for the city to flag cards with suspicious activities and reprogram every parking meter -- they're visited every two or three days for coin removal purposes -- to ignore that card, True said.
In addition, the problem may eventually disappear as hardware is replaced, True said. "We are moving forward in the next few years to replace all these meters with meters that accept credit cards. We may still have some version of a parking card. That may be a medium-term solution. In the interim, we'll see what we can do in terms of additional security for the meters and for the cards."
MacKay did not respond to multiple requests for comment on Thursday.
San Francisco has purchased about 25,000 MacKay parking meters--from the Guardian XLE series--to replace the old ones that used only coins. A 2002 article in the San Francisco Chronicle put the cost of the conversion at more than $37.7 million, though the city estimates that the cost of the meters was closer to $25 million.
Updated: With a response from the San Francisco Municipal Transportation Agency.
LAS VEGAS--Researchers at the Black Hat security conference on Thursday showed how an attacker could spoof a type of SMS message that appears to be sent from the carrier or some other trusted source.
This attack on MMS (multimedia messaging service) messages, a type of SMS message, could allow an attacker to trick the recipient into visiting a malicious Web site or ultimately do something else to harm the phone or steal data.
The attacks work potentially on any type of phone that is MMS-enabled and operating on Global System for Mobile communications (GSM) networks, said Zane Lackey, a senior consultant at ISEC Partners, and independent researcher Luis Miras.
Luis Miras and Zane Lackey prepare for their presentation on SMS spoofing at Black Hat. (Credit: Elinor Mills/CNET)
They used a jailbroken iPhone for their demos of their proof-of-concept code that allows for bypassing carrier protections for SMS communications by sending specially crafted MMS messages.
SMS communications are used by carriers to do administration on the phone and contact customers. For example, voice mail notifications are often delivered over SMS, according to Lackey.
As a result, such admin messages are trusted by recipients, despite the fact that they typically do not reveal the source of the message and other details, they said. Spoofed messages could appear to come from any trusted company like a bank or PayPal.
"This is a carrier issue," Miras said. "We disclosed to them and they're working on a fix."
The researchers also have shared information with the GSM Alliance, which is providing details of the exploit to carriers, they said.
In one demo, they sent a victim a message that offered a $20 credit and included a link to a supposedly malicious site. In other demos the researchers sent a fake voice mail alert and sent an SMS that prompted the recipient to accept or decline unknown new phone settings.
If the recipient accepted the changes believing they were something routine from the carrier, an attacker could be using the permission granted to do something behind the scenes like route all the phone's Internet traffic through an attacker's server instead of a carrier server, which would allow the attacker to spy on all the communications.
The SMS exploits the researchers showed allow an attacker to "bypass the carrier spoofing protections" including anti-malware filtering, Lackey said. The attacks also could be used to find out what operating system a phone is running so that someone could launch an attack targeted for that software, he said.
Lackey and Miras released a tool called TAFT (There's an Attack For That) that automates the implementation flaws that have been fixed. It does not allow for the spoofing issues, which carriers still need to address, they said.
SMS attacks are getting easier because iPhones and Android devices are easily modified and because SMS functionality has been built at higher layers that provide full access to an attacker, said Lackey.
The researchers also said they uncovered an SMS implementation flaw that they exploited to temporarily crash the phone process of an Android phone so no calls or texts could be sent or received. Google fixed that flaw, they said.
They also discovered a flaw in a third-party iPhone app from SwirlySpace that interfered with the phone and texting capabilities and that too has been fixed, Miras said.
There isn't much someone can do to protect against these attacks except be wary of SMS messages in general, he said.
Douglas Merrill, ex-Google CIO who recently left EMI. (Credit: Elinor Mills/CNET News)
LAS VEGAS--You can take the man out of Google, but you can't take Google out of the man.
While working as chief information officer and vice president of engineering at Google from 2004 to 2008, Douglas Merrill oversaw the search giant's internal IT systems. He left to be chief operating officer of new music at EMI, marrying his professional ambitions with his love of music.
At EMI, employees used Exchange Calendar, which uses a "painful remote-access methodology," he said in a keynote speech on Tuesday at the Black Hat security conference.
"I paid my admin to put appointments and contacts in my private Google Calendar," said Merrill, who left EMI earlier this year. If he were in charge of IT security, he would have had to censure himself for violating corporate policies, but he didn't care--he just wanted to access his appointments while waiting in the Hong Kong airport.
"It's just a lot easier to use," he said of the free Web-hosted calendar his former company offers.
That might be a strange message to give to a group of security professionals, but it fit with a larger theme of the importance of innovation to companies, including innovation and practices driven by users with consumer software. That's effectively a Google mantra.
"The center of innovation is consumer technologies, not enterprise," he said. "A lot of companies are doing consumer technology that is a lot better than what we have in the enterprise."
That innovation should be fostered by companies by allowing employees to work on their own projects. (Sound familiar? Google lets engineers work 20 percent of their time on special projects of their own design.)
Engineers also have a lot of choices at Google. "We didn't control what environments our engineers work in," said Merrill, who is writing a book due out next year titled "Organization in the Google Era."
Meanwhile, companies need to design security systems that will more readily and easily be used by people, and that eliminate the chances for human error.
"Humans are like rats. If you make it easy for them to get through the maze, they will," Merrill said, acknowledging that the cynical viewpoint would likely end up as the main quote in news stories. (Sorry Doug.)
One feature in particular that seems to be helping users is a link at the bottom of Gmail that provides information about the activity on their account, such as Internet Protocol addresses used to access it and when.
"Larry Page pushed us to add that feature. We all thought it was dumb, but he's writing our checks, so we did it," Merrill said.
It turns out, the feature gets a lot of users, as people realize that information can help protect them, he said.
At least one IT security manager at the show disagreed with Merrill's liberal attitude about security and the work environment.
"I'm for well thought-out projects to promote innovation," John Johnson, a senior security program manager at tractor maker John Deere, said during a chief security officer panel discussion.
But "it's not security's responsibility to go out there and say, 'Users want to use Gmail. Let them use it,'" Johnson added. "If we decide to use Gmail, we need to have a project and treat it in a formal way and pay money to do it right."
LAS VEGAS--Web sites of a handful of security experts and groups were hacked and passwords, e-mails, IM chats and other information were posted on the Internet on Tuesday, the eve of the Black Hat security conference.
Targeted were Dan Kaminsky, known for his discovery of a high-profile flaw in the domain name system last year; Kevin Mitnick, one of the first hackers to be prosecuted for computer crimes; and the PerlMunks programmer community, among others.
A long treatise was posted to Kaminsky's Web site with the data and criticisms accusing the victims of hyping security threats to advance their careers and lacking security expertise. It's unclear how the sites were breached, but several of the blogs attacked were running on WordPress and there were allusions to vulnerabilities in the software.
"It's just drama," Kaminsky said when asked to comment.
"If there was anything technically interesting to discuss, cool. But I hope that my dating life was interesting," said Kaminsky, who was preparing for an afternoon presentation on problems with X.509, an encryption standard for public key infrastructure. "The impacts of a single event are whatever. There's actual research going on."
Mitnick said someone using a European IP address hacked into his Web hosting provider about 10 days ago and redirected traffic to a site displaying a photo-shopped pornographic image of him. A week later his Web site was breached and the files deleted, most likely by the same people and probably via back doors left behind in the first breach, he said.
"They looked through my Web server but I never keep e-mail or personal files there, only publicly available information," Mitnick said. His hosting provider, a friend, has asked him to leave because of the repeated attacks and erasure of his and other customers' data, he said. As a result, he's switching to FireHost, a host that specializes in security.
Kaminsky had the "illusion of invulnerability," keeping all his e-mail, research, and personal files on a server connected to the Internet, Mitnick said.
Mitnick, whose site has been successfully hacked four times, said he doesn't host his own Web site so that he can keep his public site separate from his corporate network.
"It was a jackpot," he said of the attack on Kaminsky. "I really respect the guy and I think he's super intelligent in security and yet he was victimized. On a public-facing box you don't keep anything confidential on there."
My favorite security show each year is one at which there are no sales pitches, the speakers favor black T-shirts and dyed hair over suits and ties, and the talks tend to be controversial enough to prompt legal threats and even arrests.
I'm talking about Defcon, which starts Thursday and runs through Sunday. The event turns part of the Las Vegas strip into a geek equivalent of "Animal House" for a three-day weekend every summer.
Jeff Moss, founder of Black Hat and Defcon. (Credit: Black Hat)
Started in 1993 by Jeff Moss, aka Dark Tangent, Defcon brings together some of the top security experts from around the world, along with thousands of hacker wannabes whose pranks in previous years--hacking the elevators and ATMs and cementing the toilets, to name a few--have led to bans at certain hotels.
"One good thing about the [economic] downturn is that the Riviera Hotel has been easier to deal with," said Moss, who was recently named to the Homeland Security Advisory Council. "They're letting us have access to the pool, so we'll have pool parties, and they've allowed us to do more social things that we wanted to do."
In addition to being a hacker playground and summer camp, Defcon is a semi-neutral ground where people who blur the lines of legality mingle with federal agents whose job it is to hunt them down.
Moss also heads up Defcon's big-sister conference, Black Hat, whose briefings schedule runs Wednesday and Thursday at the more upscale but no less kitschy Caesars Palace. (Black Hat training sessions started over the weekend.)
While Black Hat is more professional, with vendor tables in the lobby and respectable product presentations in meeting rooms, Defcon is a chaotic tableau of goth-attired groupies, script kiddies hunkered over laptops lining the hallways at all hours of the night and gray-haired hackers who were likely teens when they first started coming to the event.
The presentations are usually top-notch (many of them duplicates from the more expensive Black Hat show), but Defcon is known just as much for the activities going on outside of the sessions.
There's Hacker Jeopardy, Hacker Karaoke, an artwork contest, geo-caching events, a beverage cooling contraption contest, organized target shooting, a Capture the Flag penetration testing competition, lock picking workshops, a PGP Key Signing Party, DJs, a scavenger hunt, the highly popular Spot the Fed contest, a competition to find the best social engineer and a Cannonball Run car race described as "a race against time over 288 miles of road" from Redondo Beach to Las Vegas on Thursday.
Despite the recession, both events are expected to be crowded.
"We had been expecting 30 percent fewer attendees and in reality we're only going to have 10 to 15 percent fewer," Moss said. "The market went down and all of this research came up."
The research topics run the gamut of vulnerabilities and exploits on everything from iPhones to smart grids. One session deals with air traffic control security (or lack thereof). Others have to do with injecting electromagnetic pulses into the wiring system of jets, insecurities with Firefox plug-ins, cloud computing security issues and a new tool to send controversial news to censored countries without using proxy servers.
Unveiling a darknet
Several researchers are going to release a tool for hacking into Oracle databases. Meanwhile, two Hewlett-Packard researchers plan to demonstrate a proof-of-concept browser-based darknet type of network called "Veiled" that allows for the creation of a secure, decentralized peer-to-peer network in which no client software is downloaded.
"The clients are the owners of the files and there is no single point of failure," said Matt Wood, a senior researcher in the Web Security Research Group at HP Software and Solutions. "No one in the government can go to you and say 'we need the files.'"
Interesting session titles include "Cracking 400,000 Passwords, or How to Explain to Your Roommate why the Power Bill is a Little High," "Manipulation and Abuse of the Consumer Credit Reporting Agencies," "Hacking Capitalism '09," and "'Smart' Parking Meter Implementations, Globalism, and You (aka Meter Maids Eat Their Young)."
There's always a Meet the Fed panel with representatives from all the major defense and security-related government agencies. And well-known keynote speakers and presenters include Robert Lentz, chief security officer for the Department of Defense; Rod Beckstrom, former Director of the National Cyber Security Center in the U.S. Department of Homeland Security; Adam Savage, co-host of the "MythBusters" TV show; and perennial favorite Bruce Schneier, security guru and chief technology officer of BT Counterpane.
When hackers go public with details on exploits, vendors get nervous--companies have moved to block presentations at the shows over the years. This year is no exception. Juniper Networks pulled a talk one of its researchers was set to give about a flaw in ATM software after the ATM vendor complained. In his presentation entitled "Jackpotting Automated Teller Machines," Barnaby Jack was planning to provide a live demonstration of an attack on an automated teller machine.
"I'm disappointed Barnaby Jack's talk was canceled," said Moss. Another speaker this year was "forced or encouraged" not to release a tool, Moss said, but he couldn't remember which speaker or talk it was.
Last year, a talk on hacking smartcards used in the Boston subway system was blocked after a federal judge granted the Massachusetts transit authority's request for an injunction. In 2005, a security researcher was sued after giving a presentation at Defcon on how attackers could take over Cisco Systems routers. And in 2001, the FBI took Russian crypto expert Dmitry Sklyarov into custody at his Las Vegas hotel the day after he gave a Defcon talk about insecurities in e-book security software. All cases were eventually settled.
Defcon averted another type of legal debacle this year--the importation of its microprocessor-dependent badges, which are needed for the badge-hacking contest.
"I'm excited the badges for Defcon will be here," Moss said gleefully. "They were held up in Chinese customs for two months. It was a complete nightmare."
Two researchers for Hewlett-Packard have created a browser-based darknet, an idea that could make it easier for businesses to keep eavesdroppers from uncovering confidential information.
Darknets are encrypted peer-to-peer networks normally used to communicate files between closed groups of people. Most darknets require a certain level of technological literacy to set up and maintain, including taking care of the necessary servers. However, HP researchers Billy Hoffman and Matt Wood plan next week to demonstrate a browser-based darknet called "Veiled," which they claim requires little proficiency to set up and run.
"This will really lower the barriers to participation," Wood told ZDNet UK. "If you want to create a darknet, you can send an encrypted e-mail saying, 'Here's the URL.' When (the recipient visits) the Web site, the browser can just get (the darknet application) going."
Hoffman and Wood are scheduled to demonstrate the technology next week at the Black Hat security conference in Las Vegas.
Wood said HP does not want to turn the project into a commercial product. While the company does not plan to make the source code available, the researchers do plan to open source their idea, so to speak, so other security researchers can "pick up the baton."
"HP has no desire to patent or copyright or release any code," Wood said. "Black Hat is one of the top security conferences, and we want to get this cool idea into the hands of people who are really smart."
Businesses could use browser-based darknets to set up workgroups to exchange commercially sensitive information, or to have a means of making anonymous suggestions to management, Wood said. "I like the idea of a suggestions box on the Web," he said. "It provides an anonymous way to make suggestions to your boss."
HP's darknet research came about when the researchers realized the potential of new browser technologies, according to Wood.
Browsers with HTML 5 support--such as recent versions of Firefox, Safari and Internet Explorer--allow files to be stored "persistently" on the client, for working on them when offline. This feature, coupled with the distributed grid-computing nature of a darknet, means files can be effectively uploaded in perpetuity, even when the initial browser has been shut down. It also makes the darknet resilient, said Wood.
"One of the benefits of a darknet is that they are distributed," said Wood. "To destroy it, you would have to take down all of the clients, because if one server gets compromised, you just shift to a different server. They can hop around."
Advances in JavaScript engines, such as Google's Chrome V8 and Mozilla's TraceMonkey, have also helped make browser-based darknets possible, according to Wood. These engines allow browser-based communications to be set up quickly and encrypted. The Veiled darknet uses RSA public key cryptography, but any cryptography will work.
"Cool advances in JavaScript technology allow encryption in the browser," said Wood. "Browsers are getting really powerful."
Tom Espiner of ZDNet UK reported from London.





