October 2, 2014

New court documents released this week by the U.S. government in its case against the alleged ringleader of the Silk Road online black market and drug bazaar suggest that the feds may have some ‘splaining to do.

The login prompt and CAPTCHA from the Silk Road home page.

The login prompt and CAPTCHA from the Silk Road home page.

Prior to its disconnection last year, the Silk Road was reachable only via Tor, software that protects users’ anonymity by bouncing their traffic between different servers and encrypting the traffic at every step of the way. Tor also lets anyone run a Web server without revealing the server’s true Internet address to the site’s users, and this was the very technology that the Silk road used to obscure its location.

Last month, the U.S. government released court records claiming that FBI investigators were able to divine the location of the hidden Silk Road servers because the community’s login page employed an anti-abuse CAPTCHA service that pulled content from the open Internet — thus leaking the site’s true Internet address.

But lawyers for alleged Silk Road captain Ross W. Ulbricht (a.k.a. the “Dread Pirate Roberts”) asked the court to compel prosecutors to prove their version of events.  And indeed, discovery documents reluctantly released by the government this week appear to poke serious holes in the FBI’s story.

For starters, the defense asked the government for the name of the software that FBI agents used to record evidence of the CAPTCHA traffic that allegedly leaked from the Silk Road servers. The government essentially responded (PDF) that it could not comply with that request because the FBI maintained no records of its own access, meaning that the only record of their activity is in the logs of the seized Silk Road servers.

The response that holds perhaps the most potential to damage the government’s claim comes in the form of a configuration file (PDF) taken from the seized servers. Nicholas Weaver,a researcher at the International Computer Science Institute (ICSI) and at the University of California, Berkeley, explains the potential significance:

“The IP address listed in that file — 62.75.246.20 — was the front-end server for the Silk Road,” Weaver said. “Apparently, Ulbricht had this split architecture, where the initial communication through Tor went to the front-end server, which in turn just did a normal fetch to the back-end server. It’s not clear why he set it up this way, but the document the government released in 70-6.pdf shows the rules for serving the Silk Road Web pages, and those rules are that all content – including the login CAPTCHA – gets served to the front end server but to nobody else. This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server.”

Translation: Those rules mean that the Silk Road server would deny any request from the Internet that wasn’t coming from the front-end server, and that includes the CAPTCHA.

“This configuration file was last modified on June 6, so on June 11 — when the FBI said they [saw this leaky CAPTCHA] activity — the FBI could not have seen the CAPTCHA by connecting to the server while not using Tor,” Weaver said. “You simply would not have been able to get the CAPTCHA that way, because the server would refuse all requests.”

The FBI claims that it found the Silk Road server by examining plain text Internet traffic to and from the Silk Road CAPTCHA, and that it visited the address using a regular browser and received the CAPTCHA page. But Weaver says the traffic logs from the Silk Road server (PDF) that also were released by the government this week tell a different story.

“The server logs which the FBI provides as evidence show that, no, what happened is the FBI didn’t see a leakage coming from that IP,” he said. “What happened is they contacted that IP directly and got a PHPMyAdmin configuration page.” See this PDF file for a look at that PHPMyAdmin page. Here is the PHPMyAdmin server configuration.

But this is hardly a satisfying answer to how the FBI investigators located the Silk Road servers. After all, if the FBI investigators contacted the PHPMyAdmin page directly, how did they know to do that in the first place?

“That’s still the $64,000 question,” Weaver said. “So both the CAPTCHA couldn’t leak in that configuration, and the IP the government visited wasn’t providing the CAPTCHA, but instead a PHPMyAdmin interface. Thus, the leaky CAPTCHA story is full of holes.”

Many in the Internet community have officially called baloney [that’s a technical term] on the government’s claims, and these latest apparently contradictory revelations from the government are likely to fuel speculation that the government is trying to explain away some not-so-by-the-book investigative methods.

“I find it surprising that when given the chance to provide a cogent, on-the record explanation for how they discovered the server, they instead produced a statement that has been shown inconsistent with reality, and that they knew would be inconsistent with reality,” Weaver said. “”Let me tell you, those tin foil hats are looking more and more fashionable each day.”


131 thoughts on “Silk Road Lawyers Poke Holes in FBI’s Story

  1. Shawn

    Given the massive levels of computer crime taking place (PoS compromises, JP Morgan Chase, etc) I’m wondering what crimes went unpunished due to lack of resources to end what largely amounted to marketplace for drugs.

  2. PGillespie

    This is unrelated, but just today I received the following via email:

    Subject: blondine Maurice shared “clown 1New folder” with you

    Content: Blondine used Dropbox to share some files with you!

    And this was followed by this link:

    https[doubleslash]www.dropbox.com[slash]l[slash]un41dXXzHxFwyG9o1B9LLr

    Are we seeing a new dropbox related scam, or is this an old trick I’m unaware of? I’m tempted to click on it, being a Linux user, but only tempted.

    1. Someone

      If you do click on it, do it in a virtual environment.

    2. Soy Tenley

      Use a separate computer, no hard drive, booted with a Linux Live CD.

    3. jim

      It’s phishing attempt to get you to download malware. We’ve seen them on our corp. network. If you want to know for sure, copy/paste the URL into virustotal.com and search for it. It will scan the site and say it’s okay (because DropBox itself is fine), but then it will give you the option to view the scan of the downloaded file. I’m sure you’ll see it hits on at least a few A/Vs. If not, go back and do the same in a week, and I’m sure you’ll see it get flagged then.

  3. TheHumanDefense

    My hunch is that the FBI may have a tool in use that they do not want anyone to know about. This might be similar to what was discovered about the NSA.
    My suggestion to anyone operating in the underground, is you may want to consider looking for legitimate work. Someone is always watching, it’s the world we live in now.
    Take a drive down any street or road in your town and just count the number of cameras, it might surprise you.

      1. Jeebus

        But many of the bad guys are the ones manning the cameras.

    1. Mahhn

      Like politics? Then you can do insider trading, and spy on anyone, suposedly legaly.

    2. Algeranon

      Touche’.
      Civilization has always accepted the uncomfortable need to trust government to protect the good and nab the bad.
      Some of those using TOR (etc.) are SO bad I hope the FBI does have the ability to intercept and bust them. Explaining how just serves to defeat the good of that.
      Spying on people just because is totally different, which seems to be what the NSA and the Patriot Act have done to American citizens Creating your own Reality Show just because the tech. is now available to anyone is still wrong.
      The Supreme Court always maintains that citizens have a right to privacy (no matter the technology). Any investigation must have strict reasons and time limits.

    3. nomvois

      It is called onionslice. It is a script that can resolve tor and get you the ip of any tor server. This is script is not documented and not public. Only the Government and some hackers from groups such as HTP and acidbitchez.

    4. Shane

      I assume that Tor is compromised and the Silk Road was allowed to become a honeypot.

      Tor was developed by the Navy wasn’t it?

    1. Senator Snort

      e·lude
      ēˈlo͞od/
      verb
      evade or escape from (a danger, enemy, or pursuer), typically in a skillful or cunning way.
      “he managed to elude his pursuers by escaping into an alley”
      synonyms: evade, avoid, get away from, dodge, escape from, run from, run away from;

      allude to – definition of allude to by The Free Dictionary
      http://www.thefreedictionary.com/allude+to
      verb refer to, suggest, mention, speak of, imply, intimate, hint at, remark on, insinuate, touch upon.

  4. thinkr

    What else to be expected of the FBI except scumbag tricks? Also, if they want to nab you they have plenty of 0days at hand for all types of scenarios. He fought the law, the law won

  5. 1984

    Guys the snowden papers already have revealed that the NSA has give federal and state investigators PRISM data and coached them on how to lie about the source.

    It is clear that this is what was used to identify silkroad.

    That said Silk Road had turned into a scammer filled cesspool with with its llegit trade moving away from consumers to large volumes. The escrow system fell apart and new users were merciless ripped off all with the knowledge of the admins.

    1. IA Eng

      HA! The phones – at least Cell, need a search warrant to be accessed anymore. Is that going to stop the government from “pre-accessing” the information? Probably not. But at least it may cause them to come up with a bogus excuse or evidence line, like in the fantasy world of film where they always seem to convince a judge to scrawl an autograph on a paper.

      “We have evidence beyond a shadow of a doubt (cough) that the infomation on the phone (by illegally accessing customer records, not the phone -yet, well….shhhh) will produce the necessary evidence to help catch (maybe) this crook.

      Smart Crooks may THINK the access to phone data needs a warrant, but IF the phone company willing gives customer data to the Feds – what does it matter? Sure, the companies can say whatever they want you to hear, to keep the customer base. They sure as heck aren’t going to say, come on over here and sign up, if the Feds want your data, we’ll gladly give it to them. Check the EULA (or equivilent) and see what your “paying for”.

  6. Senator Snort

    Brian Krebs:
    Absolutely love your terse ‘translation’ of the tech jargon about the methods of this new problem.

    Am certain that my colleagues lying around on the Senate Floor can use this kind of terse-ology.

  7. flameskywiper

    So does this means that this case will be thrown into the garbage due to technicality? If this will happen, dread pirate roberts will setup a silkroad v2.0 but with better and enhanced obscurity on tor which means more and more american people will buy and use drugs and will also mean DPR will have a happy ending.

    1. IA Eng

      Well, whatever he had, is probably gone, or will sit in the red tape factory for years. IF he gets anything back, it may well be too late. If he had a house, car payment, etc; these may well be gone.

      Now if they can prove that he had “proceeds” that were unreported to the IRS, they will have fun with him next. They will tax the heck out of him, and cause even more misery.

      The government will just flog him silly until he is either broke, or gives in.

      All this means is, there may have been an insider that “assisted’ the FBI for a plea deal. That plea deal may have went sour, or the person fed the FBI a line of cow manure. The Feds may have not done their homework, or, as stated above, may not want to leak the source/action since it may be classified in nature.

      Commmmon man, you honestly think the Feds cant track in TOR? Really? False hopes are everywhere. Hehehehehe.

    2. theantioch

      Silk road 2.0 is already out there with a new DPR. This is just the government flogging the only (known) person connected to 1.0.

  8. Lou Johnson

    The government has been lying to us for a long time. They even lied about casualties in WWII.
    Who was it that said, “If you don’t have enough evidence, just make it up?”

  9. Joe Dirt

    From one of the pdf’s:
    “2) the SR Server was searched by foreign law enforcement authorities to whom the Fourth Amendment does not apply”

    An American loses his rights because a foreign spy did it? This is OK with people?

    1. TLDR

      Need to continue reading…

      “warrant requirement would not apply given that the SR Server was located overseas”

  10. Eaglewerks

    Wow! First I really need to say that I am somewhat concerned by the quantity of postings on this topic that seem to be anti-government, anti-Law Enforcement, and full of Conspiracy Theories. I am also very surprised by the quantity of Pro-Silk Road postings.

    I understand “The scope and legality of the government’s current surveillance practices of broad swaths of its citizenry is a topic of intense public interest and concern,” (U.S. District Judge Yvonne Gonzalez Rogers). I also suspect the secretive Foreign Intelligence Surveillance Court which may be accessed by the NSA and or in some instances the FBI may well have been accessed in this particular case. The Silk Road servers and those in control of the site may well have been a concern of National Security.

    I am much more concerned by the Chinese, Russian, Chechen and Ukrainian hackers than the parasite that ran the Silk Road server/business.

    1. theantioch

      Then your not paying attention. There’s direct evidence showing alphabet agencies mandating security weakness and not disclosing 0 day vulnerabilities so that they can exploit them for intelligence gathering. The problem with this, you can never guarantee someone else wont make use of these as well. These “Chinese, Russian, Chechen and Ukrainian hackers” as you put it can very easily use the vulnerabilities introduced by these agencies for nefarious purposes.

      1. Eaglewerks

        “Then your not paying attention. There’s direct evidence showing alphabet agencies mandating security weakness …” [theantioch]

        Sadly I have personal knowledge about ‘software development’ from the early 1970’s to very recent times. I believe the biggest problem has always been the Developer (or some honcho within the Development Team), The Owner of the software, potential advertisers, and the Management Team of the end user who were all wanting to see how the end user was using the developed software. Hence the use of various ‘Back Doors’ into the software. I have always argued against this practice and always to no avail.

    2. Mike Smith

      Eaglewerks is concerned about too many conspiracy theories posted in the comments and so provides a different conspiracy theory becasue, you know, his conspiracy theory is surely not conspiracy theory.

      Brilliant!

      1. Eaglewerks

        mea culpa, perhaps I should have said:

        It is common knowledge the secretive Foreign Intelligence Surveillance Court may be accessed by the NSA and or in some instances the FBI. The Silk Road servers and those in control of the site were a concern of United States National Security.

  11. Rick James Bartolomeu

    The NSA.. blah… You’re all wrong! He was using AOL Instant Messenger to talk to his mom and forgot to turn off his away message, “Silk Road sale – Today only 1% off all purchases.” The FBI then saw this and called up one of their buddies at Altavista who still had his admin access to thier job at CompuServe which then dialed into AOL’s legacy phone bank and did a simple lookup for that dudes account. See it’s that simple!

  12. Mapleton Willingham III

    Still waiting for you to acknowledge your buddies aren’t the good guys you want them to always be and yet somehow I’m really pleased to see that the comments here have changed quite a bit since your first starry-eyed piece on this story.

    It’s funny how you inject nefarious intent into everything anybody BUT the feds do, but when the feds are involved you seem to be very concerned with third person-ing it all behind a veneer of neutrality. I get it. I know you need your sources, and so forth, but it makes it harder to take you seriously when you won’t point out misbehavior equally.

    “Holes were poked by SR Lawyers”… but of course not “FBI may be violating the Constitution”; it’s about the lawyers and the holes, not what the feds did. I’m not going to make a big deal about this because people come here knowing what to expect. If anything it was almost nice to see you write about it again. As I said, it was nice to see the sea change just in the comments section alone.

    Incidentally the judge ruled on this already (Wired beat you to this). Apparently it doesn’t matter. None of our constitutional rights matter, and it’s a shell game — if it’s outside the country they can access it without a warrant only… they can’t access it because it’s another country’s jurisdiction. So they play hopscotch with peoples’ rights and to many the ends justify the means…. but still: We *all* lose our constitutional rights to fill out the parade. Again; who’s surprised?

    Smoke and mirrors game…

    I was wondering, can you do one of your infamous Q&As on sec professionals with Christopher Tarbell now that he’s in the private sector? Or another person of his ilk? I’m curious how these people think and how they interpret what is and isn’t ethical… but I’m also curious how the recruiting methods have changed. I strongly remember the “Meet the Feds” panel where the vibe all changed. It was with an Air Force agent. Look it up — some fascinating stuff. He was actually almost rabidly looking for people to hire. And yes, they do do stuff like this.

    There are no good guys anymore. Just more powerfully-backed criminals. So really…. we’re basically in Chicago, circa the World’s Fair. I hope it turns around.

    Oh, and “Bloomin’ Onion” was the previous version that goes back like 8 versions even after OnionSlice. You’re so 2006. BTW didn’t HTP get busted or were they half feds themselves?

    Don’t worry, I’m not a ‘bad guy’. I’m not even a ‘good guy’ or a blogger… Or a programmer. I’m an average reader of Brian’s blog who wonders who gives who the right to create loopholes for special people? And when does that specialness end? I’m thinking it never really ends… and that the agents who migrate from doing unethical things for the agency are happily permitted to take their habits to the private sector where it’s not only not frowned upon but welcome; deniability’s the new black(hat).

    Other than that, love your blog Brian, and can’t wait to read your book. Should be a real page-turner.

Comments are closed.