06 Sep 14

Dread Pirate Sunk By Leaky CAPTCHA

Ever since October 2013, when the FBI took down the online black market and drug bazaar known as the Silk Road, privacy activists and security experts have traded conspiracy theories about how the U.S. government managed to discover the geographic location of the Silk Road Web servers. Those systems were supposed to be obscured behind the anonymity service Tor, but as court documents released Friday explain, that wasn’t entirely true: Turns out, the login page for the Silk Road employed an anti-abuse CAPTCHA service that pulled content from the open Internet, thus leaking the site’s true location.

Tor helps users disguise their identity by bouncing their traffic between different Tor servers, and by encrypting that traffic at every hop along the way. The Silk Road, like many sites that host illicit activity, relied on a feature of Tor known as “hidden services.” This feature allows anyone to offer a Web server without revealing the true Internet address to the site’s users.

That is, if you do it correctly, which involves making sure you aren’t mixing content from the regular open Internet into the fabric of a site protected by Tor. But according to federal investigators,  Ross W. Ulbricht — a.k.a. the “Dread Pirate Roberts,” the 30-year-old arrested last year and charged with running the Silk Road — made this exact mistake.

As explained in the Tor how-to, in order for the Internet address of a computer to be fully hidden on Tor, the applications running on the computer must be properly configured for that purpose. Otherwise, the computer’s true Internet address may “leak” through the traffic sent from the computer.

[Image: how Tor works]

And this is how the feds say they located the Silk Road servers:

“The IP address leak we discovered came from the Silk Road user login interface. Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the “Subject IP Address”) was the only non-Tor source IP address reflected in the traffic we examined.”

“The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal. When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was ‘leaking’ from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.”

For many Tor fans and advocates, The Dread Pirate Roberts’ goof will no doubt be labeled a noob mistake — and perhaps it was. But as I’ve said time and again, staying anonymous online is hard work, even for those of us who are relatively experienced at it. It’s so difficult, in fact, that even hardened cybercrooks eventually slip up in important and often fateful ways (that is, if someone or something was around at the time to keep a record of it).

A copy of the government’s declaration on how it located the Silk Road servers is here (PDF). A hat tip to Nicholas Weaver for the heads up about this filing.
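The leak described above is a mixed-content problem: a hidden-service page that references any resource by a clearnet host or a bare IP hands that address to whoever fetches the page. The following checker is an added example (not code from the article, from the Silk Road site, or from the Tor project): it parses a page's HTML and flags every absolute URL whose host is not a .onion name, going beyond the CAPTCHA image case to cover stylesheets, scripts, srcset lists and inline CSS url() references. The sample page, the 203.0.113.10 address and the hostnames in it are constructed for the demo.

```python
"""Flag references in hidden-service HTML that would leave the Tor network."""
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes that carry fetchable URLs. The set is an assumption for this
# example, not an exhaustive list of every attribute a browser will load.
URL_ATTRS = {"src", "href", "action", "data", "poster", "srcset", "formaction"}
CSS_URL_RE = re.compile(r"url\(\s*['\"]?([^'\")]+)")


def is_leak(url: str) -> bool:
    """True when a URL points outside Tor: an absolute or protocol-relative
    http(s) URL whose host is not a .onion name. A bare IPv4 literal, the
    pattern the article's declaration describes, is the clearest case."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https", "") or not parts.netloc:
        return False  # relative paths, data:, mailto:, javascript: stay on-site
    host = parts.hostname or ""
    return not host.endswith(".onion")


class LeakFinder(HTMLParser):
    """Collects (tag, attribute, url) tuples for every off-Tor reference."""

    def __init__(self) -> None:
        super().__init__()
        self.leaks = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if not value:
                continue
            if name in URL_ATTRS:
                # srcset holds "url descriptor, url descriptor"; test each URL
                if name == "srcset":
                    candidates = [c.split()[0] for c in value.split(",") if c.strip()]
                else:
                    candidates = [value]
                for url in candidates:
                    if is_leak(url):
                        self.leaks.append((tag, name, url))
            elif name == "style":
                for url in CSS_URL_RE.findall(value):
                    if is_leak(url):
                        self.leaks.append((tag, "style", url))

    def handle_data(self, data):
        # Bodies of <style> and <script> blocks arrive here; catch url(...)
        # references embedded in them as well.
        for url in CSS_URL_RE.findall(data):
            if is_leak(url):
                self.leaks.append(("text", "url()", url))


def find_leaks(html: str):
    """Parse the page and return the list of off-Tor references found."""
    parser = LeakFinder()
    parser.feed(html)
    parser.close()
    return parser.leaks


# Constructed sample: a login form whose CAPTCHA image, an extra stylesheet
# and a script are addressed by a bare IP or clearnet host instead of a
# relative path. The .onion link and relative paths must not be flagged.
SAMPLE = """<html><head>
<link rel="stylesheet" href="/static/login.css">
<link rel="stylesheet" href="http://203.0.113.10/static/extra.css">
<style>body { background: url("/img/bg.png") }</style>
</head><body>
<form action="/login" method="post">
  <img src="http://203.0.113.10/captcha.php?id=42" alt="captcha">
  <img src="/img/logo.png">
  <a href="http://exampleonionaddress.onion/help">help</a>
  <script src="https://cdn.example.net/captcha.js"></script>
</form></body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_leaks(SAMPLE):
        print(f"LEAK  <{tag} {attr}> -> {url}")
```

Run against the constructed page it reports the stylesheet, the CAPTCHA image and the script, and stays silent on the relative paths and the .onion link; in practice the same check belongs in a pre-deployment test so that a leak never reaches production.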

A snapshot of offerings on the Silk Road.


76 comments

  1. Very interesting story, I have been wondering how they actually got the locations myself for a while and thanks for clearing that all up.

    • Keep in mind this is the government reporting on how it discovered someone on an anonymity location.

      The real truth is most likely that Tor is compromised and is not anonymous. The NSA isn’t going to state that, however, because they want people to keep using it so they can catch the king pins and other larger targets.

      • well, it was tracked down by Tarbell at FTI, which is not a government agency. Unless you think it’s all a conspiracy…

  2. Free my nigga DPR he ain’t do nothin

  3. I don’t know if that story is real but that’s a stupid way of getting caught.

    • Welcome to Bitcoin!

      • Please don’t associate bitcoin with the silkroad. It can be used to purchase legitimate goods and services. Block-chain technology is the future. Hopefully it will eventually take down 3rd party trust systems that lead to, well…. what we have, one world ruled by bankers and the effects of their currency manipulation.

    • Stupidity is a law enforcer’s best tool ummm…. Wait a minute… Stupidity is a criminal’s worst enemy. Yes, that’s what I meant to say.

  4. Did anyone bother to check if it is true? Law enforcement agencies must have been aware that their method will be published as part of the court documents. What if they were actually using some NSA grade supersecret zero day vulnerability, and then filed a bogus police report to hide their true methods?
    Does anyone have a saved version of the silkroad site to check the source code and verify?

    • When I was in college, I took a class on Astronomy and was assigned a lab partner. The entire class we were supposed to track the movement of a star or cluster of stars (zodiac like) and report on our findings.

      I knew that the end result was to be the number 2.

      So guess what?

      My lab partner kept track of no star, but at the end, backwards constructed the “research” to fit the findings. He got an A.

      I’ve seen police do the same. Once an officer told me he arrived to back up an officer who stopped someone for a traffic violation. Drugs were “found”. He (the backup officer) asked the stopping officer what his “Probable Cause” was….

      The answer: “I’ll have to get back to you on that.”

      The backup officer got back in his car and left the scene.

      Same thing.

      Parallel Construction is where you get the result, then do the math back to the original equation to justify your “result”.

  5. Wonder if this is just a parallel construction cover story though…. That they actually have tor compromised or they did something nefarious and illegal but they want to keep it secret so they dug around and came up with something they otherwise wouldn’t have caught…

    • This is known as parallel construction. In addition to avoiding revealing secrets it also does an end-run around the Fourth Amendment and the “fruit of the poisonous tree” doctrine, which makes any illegally obtained evidence inadmissible. Of course if the TOR server were ruled to be inadmissible then the entire case would collapse, so if there is any parallel construction going on it’s going to be well hidden.

      See http://en.wikipedia.org/wiki/Parallel_construction for details.

      • If TOR had been compromised, I’m sure the Feds would’ve shut down a whole lot more than just Silk Road by now. I’m sure we’d have had NUMEROUS stories of other “leaking” Tor sites, or “parallel” construction cases.

        I’d bet on just what the affidavit says.

        • Don’t be silly, it’s really just a question of priorities. They *CAN* get just about anyone anywhere accepting payments on the internet. There really is no way to do truly anonymous e-transactions. It’s simply a question of effort required.

          Here is the sad part though, rescator[doc]cc is still up. A site that is costing our economy billions and inconveniencing millions. Meanwhile all the resources go toward taking down a site where consenting individuals voluntarily exchange money for products and generally get what they pay for.

          • Taking sites like that down won’t accomplish anything. They will just pop up at a new domain at a more bulletproof provider and registrar.

            Also, how do you think this reporter, law enforcement and the banks first found out HD, Target and others were hacked? Because their cards show up for sale in the underground.

    • Possible they lied about how they compromised Tor, but to do that as an agent in an Affidavit filed with a Judge is a very stupid thing to do. If it was ever discovered that the federal agent lied in an affidavit it would be a felony and punishable by jail time. Judges get a little upset when agents lie in affidavits. I’m not saying it is not possible, but I would doubt they lied about how they discovered the computers.

      • Agencies pursue multiple paths in smoking out cyber criminals. 1 path may lead to a discovery and another to an alibi. When one’s path becomes the alibi, the agent will be informed they were responsible for the discovery. Under oath, an agent appears credible, because they honestly believe they were responsible. A circle of distortion will surround the truth.

      • Ah John. You must be an unenlightened Conservative who still believes the police and the US government are the good guys. I used to labor under the same delusion. However, after reading story after story detailing how “our” government violates the Constitution with impunity and even more stories about the police killing citizens for minor offenses, and with appalling frequency kill completely innocent people too, and then suffer no more than a slap on the hand for their murders, it has become painfully apparent that as long as “our” government and “our” police are not held accountable for their crimes, said crimes will continue.

        And foremost among these crimes is the sharing of unconstitutionally obtained information by the NSA and its bedfellows with other departments and local and state law enforcement. The only restriction is that the recipients must use parallel construction to hide how they really got their information.

        I truly wish this were just tinfoil hat stuff. Unfortunately it is not.

      • Nah, he would get a 30-60 day paid suspension.

  6. like Clifford implied I’m amazed that any one able to earn $6901 in four weeks on the computer . Look At This…. http://to.ly/ES4X

  7. Maybe the judge was complicit in the coverup as well. Who knows what goes on “in chambers.”

  8. TheOreganoRouter.onion.it

    So in essence T.O.R. is not one hundred percent anonymous after all and can be cracked by the government if enough investigation work is done.

    Not good !

    • Anyone who ever gave you the impression Tor (or anything, for that matter) was 100% secure was doing you a pretty severe disservice.

      If you want a 100% secure computer, unplug your power cable, remove any battery on the motherboard, disconnect the power supply, and keep it all in a Faraday cage.

      The idea that onion routing could maintain anonymity in the face of an adversary with sufficiently broad network perspective and to whom money is hardly an object is just a matter of fantasy. Of course, that’s not what’s being reported here. This is just a matter of a misconfigured application leaking data on Tor (something heavily warned about in the Tor documentation). Only thing noteworthy about it is that usually people think of “leaky applications” on Tor being clients (browser being the big one), and in this case, it was a poorly configured server.

      I’ll leave speculation as to whether this is true or a coverup to the tinfoil hat crowd.

    • That’s not what I got from the article.

    • For some fun, sign up to run a node, put your wireshark up on the egress side. Traffic is fun to watch and not secure at all.

  9. Really? Who cares how this dufus was caught. He’s gone and that’s it. Fight fire with fire. If you’re doing illegal things you should be behind many layers of the penal system, with many guards between you and the outside free world. End of story. DPR = 1D10T. Good riddance.

    • What this dufus did was highly profitable. Others will follow and they might not make the same mistake.

    • @pete puma
      “Really? who cares how this dufus was caught”

      I care. When law enforcement catches crooks by violating the Fourth Amendment and the information they obtain is allowed to be used in court, then what will make them think that they can’t use the same tactics against you and me? Perhaps the local sheriff doesn’t like that you write letters to the editor of your town paper to complain about his deputies, without any probable cause, stopping motorists and then billy clubbing their taillights to cover up the illegal stops. So he contacts the NSA to see if they have any info on you and is supplied with credit card data showing multiple charges for prostitutes. Knowing what he is looking for, the sheriff can arrange for a hooker to approach you outside your favorite bar and as soon as you say something, immediately arrest you for accepting a solicitation to commit prostitution. With the “conversation” on video tape (no audio of course), he then obtains a warrant to search your home and computer and BINGO! You are nailed as one who procures prostitutes. Of course this information somehow leaks out to the press, your employer and your family (what fun your teenagers in high school are going to have being bullied and ridiculed because of these revelations). Or maybe it’s me and once in possession of my private emails, he then twists the meaning in some of them to portray me as a home grown terrorist inciting others to overthrow the US government. I get arrested by Homeland Security, thrown in jail without a lawyer or Writ of Habeas Corpus, and rot for years.

      The problem with allowing law enforcement to use unlawful means to obtain evidence is that if you do that, who draws the line between what is allowed and what is off limits? Who is allowed to determine who of us can safely have their rights violated and who cannot? The police? Like in Ferguson, MO? Yeah… I don’t think so :(

  10. I’m as fashionably tin-foil hatted as the next guy, but this really puts the torpedo into the notion of parallel construction.

    This is not just some “oh, we ‘randomly’ stopped this guy for a traffic violation, and whoah…”, but a series of claims that should be fully verifiable by the defense. After all, an examination of the server’s code when the server was imaged can verify this bug, plus it’s certain the FBI was recording its own traffic during this analysis.

    It also explains why the FBI was so reluctant to say how they discovered the server, it’s an amazingly easy style of mistake [1], and they were probably hoping to nail a couple other darknet markets the same way.

    1: I’ve learned the hard way that it is distressingly easy for traffic to bypass a VPN or similar tunnel.

    • Well my first reaction was definitely “parallel construction”. Let’s hope the defense team will dig into this and check the FBI story. And if it turns true then wow… really a stupid mistake !

    • Hi Nicolas! How did you learn the hard way about traffic bypass of a VPN? I’m curious.

      • When I went to DEFCON a few years back, I set up a hardened laptop, but I also routed all the web traffic through an SSH tunnel.

        Well, at least I tried. HA.

        By default, the DNS requests did NOT go through this tunnel when Firefox was set up, and the only way I knew about it was I was also running tcpdump and making sure nothing else was leaking, saw the DNS leaking, and went “oh crud”, figured out what was happening, and fixed that.

        Nothing bad happened, but it was far too easy to screw up. And the only way you know is if you watch all the packets.

  11. TheOreganoRouter.onion.it

    From a recent wired article (docket), it appears to me that the F.B.I. used brute force SQL injection to find out the necessary information

    “As they typed “miscellaneous” strings of characters into the login page’s entry fields, Tarbell writes that they noticed an IP address associated with some data returned by the site didn’t match any known Tor “nodes,” the computers that bounce information through Tor’s anonymity network to obscure its true source. And when they entered that IP address directly into a browser, the Silk Road’s CAPTCHA prompt appeared, the garbled-letter image designed to prevent spam bots from entering the site. ”

    “That discovery by the FBI, the prosecuting attorneys in Ulbricht’s case argue, means that no illegal spying techniques were needed to pinpoint the world’s largest anonymous bazaar for narcotics. In fact, they write, the evidence revealing its physical location was left in plain sight. ”

    “After the initial revelation of the Silk Road server’s location in a data center in Reykjavik, Iceland, the filing explains that Reykjavik police accessed and secretly copied the server’s data. As agents of a foreign government, the prosecution argues, they weren’t required to seek a warrant from any US authority. And the prosecution writes that Ulbricht didn’t himself even own the server: He had allegedly rented it through a third-party service, which in turn rented space in the Icelandic data center. The brief goes on to quote the web host’s terms of service, which warned that “systems may be monitored for all lawful purposes, including to ensure that use is authorized.”

    “But the prosecution’s motion goes on to request that all of Ulbricht’s claims of illegal evidence collection be dismissed. The defense had argued that a surveillance technique known as a pen register applied to Ulbricht’s Comcast internet connection without a warrant had also violated his privacy; the prosecution responds that it merely collected metadata rather than the actual content of his communications, and thus didn’t require proving probable cause to a judge. The defense’s earlier motion argued that when the FBI did get a warrant to seize and search Ulbricht’s Samsung laptop, it used an illegal “general” warrant rather than specifying the data it sought. The prosecution claims that it needed to see all data on the machine to establish Ulbricht’s alleged identity as the so-called “Dread Pirate Roberts” who had created and managed the Silk Road’s billion-dollar drug trade. ”

    What is the government doing now, violating people’s Fourth Amendment rights, then trying to find out ways to make T.O.R. less anonymous?

    Is this what we want the government to do?

  12. In or about early June 2013, another member of CY-2 and I closely examined the traffic data being sent from the Silk Road website when we entered responses to the prompts contained in the Silk Road login interface. This did not involve accessing any administrative area or “back door” of the site. We simply were interacting with the website’s user login interface, which was fully accessible to the public, by typing in miscellaneous entries into the username, password, and CAPTCHA fields contained in the interface.

    According to the same standard set in the AT&T “Weev” hacking case, what they did was “… conspiracy to access a computer without authorization.”

    • I think I agree with “Rick” and believe based upon the following that the Feds did not overstep or violate relevant provisions of the Computer Fraud and Abuse Act.

      Some salient information from Wikipedia:
      “… On April 11, 2014, the Third Circuit issued an opinion vacating Auernheimer’s conviction, on the basis that the venue in New Jersey was improper. ” “… While the judges did not address the substantive question on the legality of the site access, they were skeptical of the original conviction, noting that no circumvention of passwords had occurred and that only publicly accessible information was obtained. …”

      NO CIRCUMVENTION OF PASSWORDS
      ONLY PUBLICLY ACCESSIBLE INFORMATION

      It would seem that in the case in current question (Dread Pirate) the government Did NOT violate any sacrosanct rights possessed by American Citizens when they located the “captcha leak.”

      • I think Rick might be closer to the truth there, Sioux City boy. You may have spent too much time near that smelly bridge that offers no welcome to your city. They will simply call it hacking if they want to catch a bad guy and call it investigative work if it’s a good guy doing it.

    • Yes, the government should have asked for permission from Silk Road before obtaining the hidden IP address!
      The information is therefore inadmissible in a court of law!!

  13. So they are basically admitting to breaking the law, specifically the Computer Fraud and Abuse Act?

  14. Mouse with no house

    I don’t police.

  15. Serves them right for using those cursed CAPTCHA things.

  16. Idly looking at the categories of goods available from silk Road in that screenshot, my eye was caught by some headings that seem out of place. Food?? Apparel?? Home and Garden?? Who on earth does their online grocery shopping in the Dark Web? Or buys their shirts and underwear from a TOR-hidden site? There must be more to this than meets the eye, unless Mr Dread Pirate had plans to expand into store-to-door delivery services. Your milk delivered by drone perhaps, for extra privacy.

    • Part of DPR’s scheme was “hey, I’m just providing a marketplace, so don’t oppress me with your drug laws, man…” which is why the broad categories.

      But that was transparent fiction, as the things actually sold on the marketplace were almost entirely drugs, drugs, drugs, drugs, drugs, books about drugs, drugs, drugs, drugs, drugs, fake IDs, and drugs.

      • Well, apparently hitmen were also available on the site.

        And obviously stolen credit card numbers.

        It takes a pretty twisted definition of libertarianism that allows contract killing.

        • Eric, using the word “apparently” and then making a conclusion is not really fair.

          There were no hitmen or stolen CC info on SR.

  17. Yeah, that was definitely a n00b mistake – arguably TWO n00b mistakes. Mistake 1, mixing encrypted and unencrypted content on the same page, was something that would be obvious to anyone who’s ever done development work on a site intended to run over HTTPS.

    Mistake 2 was using a third-party hosted service for something as basic as a CAPTCHA. To me, that indicates either extreme laziness (building a basic CAPTCHA in, say, PHP would take maybe an hour) – or just plain incompetence.

    • That’s what I thought. If you’re about to do something illegal, at least, make sure you don’t ask or get external help to limit the risk of getting caught.

      That’s even more true when building an illegal website. DIY!!!

  18. Tarbell’s declaration doesn’t fully add up IMO, wish we had more technical specifics.

    https://blog.ageispolis.net/speculating-fbi-silk-road-unmasking-technique/

  19. Anyone else find it funny that Ross was captchad because of his reliance on a faulty Captcha.

  20. “The FBI have good reason to not mention any bugs or forcing the server to do anything, and to pretend that they simply picked up the IP address from the wire, since such actions would raise concerns about how lawful their actions in uncovering the IP address were. What we do know is that their description of “packet sniffing” for the IP through a “leak” is impossible.”

    https://www.nikcub.com/posts/analyzing-fbi-explanation-silk-road/

    • Actually, packet sniffing would pick it up easily if they weren’t using the standard Tor Browser Bundle. Standard TorBB routes both hidden service traffic and benign traffic through Tor.

      But if the configuration was instead “Only Hidden Service traffic through Tor, any non .onion traffic direct”, a basic packet sniffing setup will see the leakage, which could easily come about when using a 3rd party CAPTCHA library (not service, but library) that wasn’t especially perfectly coded.

      And this is something the FBI can’t lie about: The server code itself was captured within a couple of days of this discovery, and if it did NOT have this misconfiguration/error, the defense is going to take the FBI apart, as lying under oath to get evidence admitted is a big big big no-no.

      • No, what’s impossible is that packets sent from the SR server could have had headers with IP addresses in them that were not Tor addresses. No one said it’s impossible to sniff your network traffic. Read the link given in the comment you replied to.

        • Judd Nelson Never Became An Airborne Ranger

          I think people may be slightly misunderstanding how the most typical form of parallel construction takes place when it comes to computer “crimes”. The source code/server would almost certainly have the bug. The question is did they find the bug from the server or from the traffic. It is far harder to blackbox something like this, perhaps, from the outside, but if you have access to the server it becomes a whole lot easier to create a trail backwards by finding the bug and then “knowing where to look to “find the bug”” after. This is the same sort of thing that brings us the “hindsight is 20/20” quote and millennia of human rationalisation after the fact.

          Tarbell was (*he went to the private sector around when Sabu got sentenced (if you want to call that abomination a “sentence”; I would not)) a tricky fed (look at the Sabu case)… it actually wouldn’t surprise me at all if some of his cases overlapped in (for him) fortuitous (and manufactured to be that way) ways. Which isn’t to call him unethical. As always, the problem is that we have gotten to the point where such a thing is acceptable, though, and thus also cannot be ruled out.

          Nice comments from Dianne by the way about all of this. :-)

  21. Someone made a comment that suggested SQL injection:

    “From a recent wired article (docket), it appears to me that the F.B.I. used brute force SQL injection to find out the necessary information “As they typed “miscellaneous” strings of characters into the login page’s entry fields, ”

    These strings of characters could have been simple fake usernames and passwords designed to exercise login logic to profile network communication. Why is there a jump to conclusions to SQL injection and even brute-force SQLi when there isn’t near enough evidence to suggest that this was the case? I’ve seen this comment in more than one place, but it seems off-base.

    • The reason is exactly that—there’s not enough evidence—because the FBI’s explanation is implausible and imprecise, resulting in several technically divergent theories being tossed around, including what’s been written by Krebs here. Check out my post which I linked above or the one by Nik Cubrilovic for more.

  22. Brian Krebs, are you serious? You run a security blog? This is shoddy reporting.

    It’s right there in the text you quoted from the FBI affidavit, but you don’t even address it: the actual source of the leak is said to be IP addresses in packet headers coming from the SR site. Whether or not the CAPTCHA came up when going to that IP address is entirely secondary, and certainly not what “sunk” DPR.

    Brian Krebs, have you ever used Tor? Traffic coming and going to a site via Tor can’t be routed in parallel to traffic over non-Tor channels. It’s simply impossible – not how Tor works – no way for client or server to know each other’s real IP addresses to initiate a non-Tor connection. Leaky application code is a different beast, but that’s not what the FBI claims. What they claim is impossible and they don’t provide any explanation or details to substantiate.

    That you focused on the secondary bit about the CAPTCHA is pathetic. This is most uneducated and misleading.

    Bad reporting. And people are eating it up.

    • Actually, it’s very easy for a Tor hidden service site to accidentally route data in a way which escapes Tor: Just a single image referred to by the IP of the server rather than relative or absolute by the .onion address is sufficient.

      And it was probably something as simple as the CAPTCHA library generates an image reference (perhaps in some of the massive javascript goop invariably involved) of the form http://{ip}/image.

      A normal user of the Tor Browser Bundle won’t see this leakage, as the TorBB will happily fetch that image through Tor, so they just see the Tor traffic and only someone pawing through the site source code would notice.

      But if you use a forensics setup, where the Tor proxy is separate from the browser (in order to record all the traffic received from the page in the clear to further analyze later), and you don’t route non .onion traffic through the proxy (why should you? Tor is slow!), you will easily see the leaked traffic just drop-out in the clear.

      • Nicholas, you are describing an application leak. The FBI is claiming to have seen non-Tor IP addresses in the *packet headers* of traffic coming back from the SR server. That’s not possible.

        Again, the ridiculous CAPTCHA talk needs to stop. If you bothered to read the links posted just above, you’d learn the CAPTCHA was served locally; was not externally hosted. Even if it weren’t, “special forensics tools” (wtf is that?) aren’t needed. Right click and view source is what would tell you that, and every amateur hacker on the planet would have been all over that long before.

        Nicholas, please stop endorsing and thus proliferating this bad reporting. Brian Krebs, what do you have to say for yourself?

      • That’s a negative Ghost Rider.
        SR captcha was hosted locally. Several people have been recording raw traffic from SR ever since the shut down. Source code could not have come from legit procedures.
        Have you been pinging SR regularly? Do you have source code?
        If not then let the adults play.

    • +1
      It’s fertilizer.

  23. Just curious,
    If the leased servers were physical machines, is there any way for a service provider to image it without the user being able to find out ?
    Do they use a pretext (failed HDD which needs to be replaced?)
    Were those servers virtual or physical ?

  24. Oops! Badly Caught by Captcha, i was wondering that it can cause such things. Obviously Google doesn’t offer anything free without watching what you are doing.

  25. This “discovery” of leaky captchas is extremely disturbing.

    What I think we should be asking is if all implementations leak PII, and if there is a way to verify it, and somehow prevent it.

    I have noticed that ever since this disclosure, a lot of DDoS protection services started requiring users to enter a captcha when behind TOR. I’m too paranoid to think of this as just a coincidence.