
The FBI Says How It ‘Legally’ Pinpointed Silk Road’s Server - nikcub
http://www.wired.com/2014/09/the-fbi-finally-says-how-it-legally-pinpointed-silk-roads-server/
======
nikcub
The theory I posted last year on Stack Exchange [0]:

> The above environment variables were being dumped in the source of the login
> page on Silk Road. They contained the real IP address of the server.

notbad.gif.

Second - the FBI considering "fiddling" with "miscellaneous" input characters
into the login page not illegal access is good - it means the next person
charged under the CFAA for "exceeding authorization" by fuzzing will have a
precedent to cite.

edit: To add a third point: If you are hosting a Tor hidden service, do it
inside a virtual machine. Put it behind a gateway that acts as an isolating
proxy. Clients/users should be doing the same as well as it protects against
the malware attacks (even better freeze a VM snapshot and restore it each time
you need it). Whonix[1] does this - although it is easy to set up yourself (I
use OpenBSD as the gateway, much slimmer than Whonix and a whole lot less
going on)

[0]
[http://security.stackexchange.com/a/43280](http://security.stackexchange.com/a/43280)

[1] [http://www.whonix.org](http://www.whonix.org)

~~~
meowface
> If you are hosting a Tor hidden service, do it inside a virtual machine. Put
> it behind a gateway that acts as an isolating proxy.

While this is good advice and will help you in the event of your server
accidentally leaking debugging/config information, it won't help if someone is
able to get the hidden service to make a network request. For example, if they
can get it to send an email or check if a page is online, then that email will
obviously go through the gateway. And obviously if someone gains arbitrary
code execution, they can just Google "my IP" and see the externally facing IP.

Some other useful advice: if you're setting up a Tor hidden service, make sure
the HTTP server only accepts requests from the Tor network. The FBI claims
that when they put the $_SERVER['SERVER_ADDR'] IP in their browser they got
the SR home page right on port 80, which is extremely poor security on SR's
part. Someone running a distributed scan of all web servers on the Internet
could have found it on their own within a few weeks or less. And in fact, this
is becoming more common as a technique to identify origin servers hidden
behind reverse proxies and CDNs.

~~~
nikcub
That is why you have it segmented:

> Put it behind a gateway that acts as an isolating proxy.

You don't NAT - you forward the port required through the gateway machine and
to the virtual machine. Either terminate Tor on the gateway and forward the
web port, or terminate Tor on the web server and forward the Tor traffic on
the gateway.

In that case _nothing_ can request out from the web server. If your server
needs to make requests, such as getting the latest bitcoin price - you do that
on _another_ server and run a queue that will pull the data over.
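
The gateway layout nikcub describes, written out as an added example (this is not the commenter's own configuration; the interface names, addresses and file paths are assumptions): Tor terminates on an OpenBSD gateway, pf forwards nothing but Tor's own connections to the VM's web port, and the VM has no NAT and therefore no route out. The web server inside the VM should listen only on its internal address, which also covers meowface's point above about the origin answering on its public IP.

```shell
#!/bin/sh
# Added example, not the commenter's own configuration: an OpenBSD gateway
# that terminates Tor itself and forwards only the hidden service's web port
# into the service VM. There is no NAT, so the VM has no path to the Internet
# and cannot learn or leak its public address even if it is fully compromised.
#
# Assumptions (adjust to taste): em0 faces the Internet, em1 faces the VM,
# the VM is 10.10.0.2 and its web server listens on 10.10.0.2:80 only.

EXT_IF=${EXT_IF:-em0}
INT_IF=${INT_IF:-em1}
WEB_VM=${WEB_VM:-10.10.0.2}
WEB_PORT=${WEB_PORT:-80}

# torrc for the gateway: publish the onion, hand connections to the VM.
# SocksPort 0 because nothing on the gateway should act as a Tor client.
gen_torrc() {
    cat <<EOF
SocksPort 0
HiddenServiceDir /var/tor/hidden_service/
HiddenServicePort $WEB_PORT $WEB_VM:$WEB_PORT
EOF
}

# pf ruleset: default deny in both directions. Only the gateway's own Tor
# daemon (user _tor) may reach the Internet, and only it may reach the VM's
# web port. Replies ride on pf's state table, so no rule lets the VM start
# anything; whatever it tries is dropped and logged.
gen_pf_conf() {
    cat <<EOF
ext_if = "$EXT_IF"
int_if = "$INT_IF"
web_vm = "$WEB_VM"
web_port = "$WEB_PORT"

set skip on lo
block all

pass out quick on \$ext_if proto tcp from (\$ext_if) to any user _tor
pass out quick on \$int_if proto tcp from (\$int_if) to \$web_vm port \$web_port
block in log quick on \$int_if from \$web_vm to any
EOF
}

# Install both files and load the ruleset after a syntax check. Needs root on
# the gateway; only runs when the script is invoked with "apply".
apply_gateway() {
    gen_torrc > /etc/tor/torrc
    gen_pf_conf > /etc/pf.conf
    pfctl -nf /etc/pf.conf && pfctl -f /etc/pf.conf
}

if [ "${1:-}" = "apply" ]; then
    apply_gateway
fi
```

If Tor is terminated inside the VM instead (the commenter's second option), the pf rules flip to passing only the VM's outbound connections to the Tor network, but the VM then does have a path to the Internet, so the layout above is the tighter of the two. Admin access to the gateway (ssh on the internal side) needs its own pass rule.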

~~~
atmosx
That's correct. Most of _these guys_ are getting caught because they didn't
believe they would have to _eventually_ face an enemy with so many resources
(FBI/NSA).

I believe that avoiding detection online can be done if you are very strict
about your policies.

I don't believe DPR had the knowledge to understand the hows and whys of the
kind of setup you're describing, unlike skilled engineers[1] who design
multi-layered approaches.

[1] [http://www.daemonology.net/blog/2014-04-09-tarsnap-no-heartbleed-here.html](http://www.daemonology.net/blog/2014-04-09-tarsnap-no-heartbleed-here.html)

~~~
Estragon

> they didn't believe that will have to eventually face an enemy with so many
> resources (FBI/NSA). I believe that avoiding detection online can be done
> if you are very strict about your policies.

I think the NSA has sufficient resources and incentive to mount a
sybil/correlation attack on the Tor network.

------
abutt
> they typed “miscellaneous” strings of characters into the login page’s entry
> fields

So this is legal when the FBI does it, but when someone else does essentially
the same thing on an AT&T server it's identity fraud and conspiracy to access
a computer without authorization

~~~
meowface
Assuming the FBI had a warrant, they had a right to do whatever they wanted to
SR's server, no?

I think weev's sentence was utter bullshit, but you can't equate the two
things. SR was a drug marketplace, AT&T is not. This is like arguing police
shouldn't be able to pick the lock of your drug safehouse door because you
aren't allowed to pick other people's locks.

~~~
nickodell
That's the thing - the FBI didn't have a warrant. They're trying to argue that
they should be allowed to use the information anyway, because it wasn't
'hacking,' it was 'entering miscellaneous strings.'

On a related note, why the hell didn't they get a warrant? I doubt it would
have taken long.

~~~
meowface
That does change things, I agree.

However, to play devil's advocate a bit: the FBI essentially saw the output of
the PHP call `print_r($_SERVER)`. The only thing that's actually sensitive in
there is the server's IP address and hostname. This is not usually considered
sensitive information. If it is to be believed that is as far as they went
before getting a warrant (and I don't know if that's the case or not), then
obtaining the IP address would allow them to actually serve a court order to
the hosting provider. In that sense it could be seen as non-invasive and
purely conducive to their investigation.

But I agree there should not be a double standard. I think what weev did was
not illegal, and what the FBI did here was not illegal, personally.

~~~
glomph
I remember reading rumors that this happened to some random user when the site
went a bit wrong and they posted the information to the SR forums. I think it
then got deleted fast.

Could that have been the source of the ip leak?

------
themgt
This strongly suggests that anything hosted on Tor should be done through some
sort of (ideally plug-n-play, hardened) NAT+hypervisor/container system such
that the service itself can never, ever know its real external IP. Such a
system could potentially also act as a legal defense in a situation such as
this.

~~~
kyboren
While this is certainly better than not doing so, if one is going to run such
a hidden service in flagrant violation of the law, it seems prudent to take
all feasible precautions--and maybe some unfeasible ones, too.

1) Run the HTTP server in a guest VM to reduce likelihood of hardware
identifier leakage (hardware MACs, HD serials, DMI data, CPUID, etc.)

2) Physically separate HTTP server and Tor client, and restrict communication
between them to a simple packetized high-speed serial interface.

2a) Consider an inline filter on this link that watches for private keys, etc.
and kills communication upon detection, and adds random latency to packets to
reduce bandwidth of timing channels.

2b) Physically isolate these systems as much as possible: power line filters,
electro-optical couplers for the comm link, etc.

3) Stub out all Tor crypto operations to an HSM; keep the onion key and do all
operations on the onion key on that HSM.

4) Make friends in the criminal underground, because you're probably going to
prison eventually, anyway ;).

~~~
dilap
Honestly, I'm not so sure about (4). I feel like when I read about criminals
that were captured, they all made avoidable mistakes. I have to wonder if
there are, in fact, many criminals that are never captured because they are
simply better at it.

~~~
kyboren
Sure, but it only takes one avoidable mistake to bring it all crashing down.
Want to bet the rest of your life on being perfect? In any case, it was a
(half) joke.

But yes, it reminds me of the hilarity of FBI's characterization of PLA Unit
61398 as some super-scary 'master hackers': real 'master hackers' don't get
caught.

------
ChuckMcM
Curious why they didn't include this description in the original indictment. I
don't read a lot of indictment documents but pretty much all that I have laid
out the steps law enforcement took to ascertain that a crime had taken place
and that the person they were indicting was the person they believe committed
that crime. I could see them requesting that the description remain under seal
to keep other poor server maintainers from protecting their identity, but that
isn't what happened here.

~~~
jacques_chester
It wasn't an issue until it was raised by the defence.

~~~
ChuckMcM
Hmm refreshing my memory here, this [1] is the search warrant for SABU (of
Anonymous) and the claim is that the FBI didn't need a warrant for Ulbricht
(which is where this stuff would have been outlined). At least I can't find
such a warrant with basic searching techniques. So I'm guessing had they
gotten a warrant (does Iceland need such things?), they would have presumably
said all of this in the warrant.

[1]
[http://www.scribd.com/doc/197510285/a](http://www.scribd.com/doc/197510285/a)

------
bradleyjg
Even if true it could be a parallel construction.

~~~
virtue3
I don't think anyone here is even remotely doubting that this is anything BUT
parallel construction.

~~~
xorcist
While that may or may not be true (which is completely in the spirit of
parallel construction, and it fscks with your mind), we ARE talking about the
guy who registered an account to advertise his illegal drug marketplace using
his personal email address. That part is fully visible and timestamped, and
can not in any plausible way have been planted. With someone so full of
himself, pretty much anything is possible.

------
thinkcomp
The full docket of the USA v. Ulbricht case is available at:

[http://www.plainsite.org/dockets/20nlzy0uz/new-york-southern-district-court/usa-v-ulbricht/](http://www.plainsite.org/dockets/20nlzy0uz/new-york-southern-district-court/usa-v-ulbricht/)

------
logn
I think that given the revelations of parallel reconstruction in general, the
burden should be on the prosecution to prove that the NSA et al. were not
involved. An illegal search/seizure could very well have been what gave the
FBI the idea to find the IP address in this way.

Given that the NSA is able to collect most internet traffic, and they've been
sharing info with other agencies, I would think that most evidence against any
defendant could be thrown out. Yes, that would be ludicrous, and that's
exactly why the NSA needs to be reformed.

~~~
hahainternet
> the burden should be on the prosecution to prove that the NSA et al. were
> not involved

You can't prove a negative.

~~~
spacemanmatt
They should be obligated to testify to the truth under oath. It's not proof
but gets their position into court records.

~~~
tedunangst
And they will. The trial isn't over. Somebody will get on the stand, be sworn
in, and then explain the actions he took to reveal the server's IP.

------
philip1209
If the site was accessible through an IP, could scanning ports and looking for
a particular item on the homepage have identified it?

~~~
MichaelGG
Yep! Sounds like a pretty big problem. With 10,000 scanning processes taking
5/sec per IP, it'd take less than a month to scan all IPs. It should be easy
for a powerful adversary to scale this up and finish in a day or two. It'd
take more work if all ports need to be scanned, but restricting to just known
hosting blocks could shave a bit off. As could eliminating well-known good
sites from a first pass.

It would surprise me if the FBI isn't already doing this for all known onion
sites, just to have the info around.

At any rate, sounds like a real basic Opsec101 failure on The Silk Road. Not
that hidden services are that safe in the first place. The Tor folks have
written about how hidden services are quite vulnerable to some attacks. Not
something I'd want to rely on to save me from a 30 year sentence.

Edit: If someone had to run a hidden service, it might make sense to setup
another onion site (on another Tor instance) and expose that on port 80, as
part of misinformation tactic. Reading several incidents, it seems attackers
will use circumstantial evidence to help narrow down the possibilities. By
intentionally leaking things (like offhand comments about the weather, using
reports from another city) one might be able to gain a few more bits of
anonymity back. Of course someone doing such a thing wouldn't setup their
illegal site on a public IP in the first place.
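
The clearnet scan that meowface and MichaelGG describe, as an added example (not code from the thread): fingerprint the onion site's front page once over Tor, then compare it against what candidate hosts serve on port 80. Hostnames, the candidate list and the availability of curl, torsocks and sha256sum are assumptions. The fingerprint deliberately keeps only the page title and form field names so that CSRF tokens, timestamps and markup case do not defeat the comparison.

```shell
#!/bin/sh
# Added example, not from the thread: the origin-server scan the comments
# above describe. Fingerprint the onion site's front page once over Tor, then
# walk a list of candidate IPv4 addresses on the clearnet and flag any host
# whose port-80 page has the same fingerprint. Hostnames, paths and the
# candidate list are assumptions; sha256sum, curl and torsocks are assumed
# to be installed.

# Reduce a response body to the parts that stay stable across requests:
# the <title> and the names of form fields. Nonces, CSRF token values,
# timestamps, whitespace and tag case are dropped before hashing.
# Reads the body on stdin, prints one hex digest.
fingerprint() {
    tr -d '\r\n' \
    | grep -oEi '<title>[^<]*</title>|name="[^"]*"' \
    | tr 'A-Z' 'a-z' \
    | sort \
    | sha256sum | cut -d' ' -f1
}

# Digest of "nothing recognisable": a candidate producing it is skipped so a
# timed-out clearnet fetch can never match a failed reference fetch.
EMPTY_FP=$(printf '' | fingerprint)

# Reference fingerprint of the hidden service, fetched through Tor.
reference_fingerprint() {
    torsocks curl -s -m 60 "$1" | fingerprint
}

# Candidate IPs arrive one per line on stdin (e.g. zmap/masscan output for
# port 80, or a hosting provider's announced ranges). Fetch each directly,
# without Tor, and print the ones whose page matches the reference.
scan_candidates() {
    ref=$1
    while IFS= read -r ip; do
        fp=$(curl -s -m 5 "http://$ip/" | fingerprint)
        if [ "$fp" = "$ref" ] && [ "$fp" != "$EMPTY_FP" ]; then
            printf '%s\n' "$ip"
        fi
    done
}

# Live usage (assumed hosts and ranges):
#   ref=$(reference_fingerprint http://example.onion/)
#   zmap -p 80 -o - 198.51.100.0/24 | scan_candidates "$ref"
```

Feed it a list from a port-80 scan or a hosting provider's address ranges rather than the whole IPv4 space; the title-plus-field-names fingerprint is coarse, so confirm a hit by fetching the candidate's login page and looking for site-specific markup before drawing conclusions.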

~~~
dllthomas
It's my understanding that _most_ OpSec failures are real basic OpSec 101
failures. Not because, faced with the question, it's hard to get it right -
but because faced with so many questions it is hard to get _all_ of them
right, and screwing one up is frequently enough.

------
sktrdie
I know a lot of "software" solutions are being discussed in this thread for
greater anonymity, but I would personally simply opt for a more secure
physical solution. Such as hosting the server somewhere that doesn't require
you to give away any of your information.

I know this may sound silly, but there's tons of USB stick sized linux
machines that you can plug virtually anywhere. I'm thinking of public spaces
such as public wifis. The Tor address can be relayed to other locations if it
ever gets breached. And Tor hidden services work great even if you're behind a
firewall.

This seems a lot more sensitive than opting for a system where your name is
somehow attached to a server.

~~~
mattmanser
How could you run a popular website via the upload pipe supplied by a public
wifi? There's no way that's practical.

------
maximumoverload
From /r/darknetmarkets (so grain of salt is needed):

> yeah it was about 6-9 months before it shut down if I remember correctly, it
> was pretty highly upvoted and a lot of chatter about it on the SR forums.
> though I think there were at least a few bugs that they had to shut down for
> once they realized that their asses were on the line.

[http://www.reddit.com/r/DarkNetMarkets/comments/2flnlp/fbi_s...](http://www.reddit.com/r/DarkNetMarkets/comments/2flnlp/fbi_says_sr1_server_ip_located_via_errors_in/ckakq1v)

So yeah, apparently this was an actual bug.

~~~
tedunangst
But, but, but... "Even a rookie would know better, and DPR is no rookie."

[http://www.reddit.com/r/SilkRoad/comments/1dmznd/should_we_b...](http://www.reddit.com/r/SilkRoad/comments/1dmznd/should_we_be_worried_showing_on_login_page/c9s11v8)

~~~
xorcist
Literally _everything_ about DPR screams rookie. From the fact that he had to
ask around on public web forums to get Tor set up, to his PHP skillz.

I know this is in hindsight, but you had to be pretty deep in the reality
distortion field not to see this coming.

------
yutah
Was that "Parallel construction" from the FBI to hide it's NSA source
(intelligence laundering)?

[https://www.eff.org/deeplinks/2013/08/dea-and-nsa-team-intelligence-laundering](https://www.eff.org/deeplinks/2013/08/dea-and-nsa-team-intelligence-laundering)

------
cyphunk
"fiddling" with "miscellaneous" input characters could be confirmed with
server logs. I'm wondering if the defence will pursue this.

------
scotty79
So fiddling with a website to obtain information not intended for you is legal
now? Because if that's so then awesome. Tell Weev's lawyers.

~~~
psykovsky
I don't think laws apply retroactively.

~~~
scotty79
That's not a new law. Just inconsistent application.

------
tedchs
Article says the FBI located the server by entering "miscellaneous" input into
the Silk Road login page, which at some point disclosed an IP address. I
wonder if they got the Web server to throw a 500 or similar error, that
rendered some debug output?
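
What tedchs wonders about here (junk input provoking an error page), the dumped environment variables nikcub quotes at the top of the thread and meowface's `print_r($_SERVER)` are all the same test from a pentester's side: post odd input to the form and grep the response for a public IPv4 address. This is an added example, not code from the thread; the URL, the field names and the use of torsocks and curl are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: the check a tester would run against a
# login page to catch exactly this class of leak. Post a few "miscellaneous"
# inputs, then look in each response for IPv4 literals that are not loopback
# or private. A dumped $_SERVER (SERVER_ADDR) or a stack trace on a 500
# shows up here as the host's real address. URL and field names are assumed;
# live probing needs torsocks and curl.

# Every IPv4-looking token on stdin, one per line, deduplicated. Version
# strings such as 1.2.3.4 can match too; they are cheap to eyeball.
extract_ipv4() {
    grep -oE '([0-9]{1,3}\.){3}[0-9]{1,3}' | sort -u
}

# Drop loopback, RFC 1918, link-local and 0.0.0.0/8. Anything left would
# place the host on the public Internet.
public_only() {
    while IFS= read -r ip; do
        case "$ip" in
            127.*|10.*|192.168.*|169.254.*|0.*) ;;
            172.1[6-9].*|172.2[0-9].*|172.3[01].*) ;;
            *) printf '%s\n' "$ip" ;;
        esac
    done
}

# Public IPv4 addresses found in a response body read from stdin.
leaked_ips() {
    extract_ipv4 | public_only
}

# Live probe over Tor. Each input is sent in both form fields; a 2000-byte
# value is included because oversized input is a common way to trigger an
# unhandled error page with debug output.
#   probe_login http://example.onion/login username password
probe_login() {
    url=$1; ufield=$2; pfield=$3
    long=$(printf '%2000s' '' | tr ' ' 'A')
    for junk in "'" '"' '<' '%00' '../' '{{7*7}}' "$long"; do
        torsocks curl -s -m 30 \
            --data-urlencode "$ufield=$junk" \
            --data-urlencode "$pfield=$junk" \
            "$url" | leaked_ips
    done | sort -u
}
```

Run it from a client that itself has no clearnet route, and keep the raw responses: the defence question raised elsewhere in this thread (can the "fiddling" be confirmed from server logs?) cuts both ways, since a tester's own captures are what show which input produced the leak.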

------
seansoutpost
Parallel Construction

~~~
andy_ppp
Does the Tor Browser allow you to access things on the Internet, because
surely it shouldn't, therefore the Captcha should have failed to load for a
high percentage of Internet users?

~~~
duskwuff
The Tor Browser will let you access things on the Internet... using Tor.

------
xnull2guest
Hmm...

[http://www.ehackingnews.com/2013/08/almost-half-of-tor-sites-compromised-by.html](http://www.ehackingnews.com/2013/08/almost-half-of-tor-sites-compromised-by.html)

[http://www.wired.com/2013/09/freedom-hosting-fbi/](http://www.wired.com/2013/09/freedom-hosting-fbi/)

Somehow "fiddling with inputs" and "noticing an IP", while innocently phrased,
sounds unlikely. It's just so hard to know whether this is parallel
construction. The FBI's history with false testimony (i.e. COINTELPRO) is more
than damning.

The 'not in the US, not subject to US law' is a common trick, and also a way
both that the NSA skirts laws about monitoring US citizens (Snowden's leaked
documents repeatedly showed how the NSA's partners regularly traded bulk
information on US communications for their own), how the CIA and FBI are able
to stop Americans and journalists abroad and how intelligence agencies can
propagandize their own citizens while retaining plausible deniability.

The CIA is authorized to, and in fact in the past decade and a half heavily
decided to, plant stories in international media wire drops that US
journalists subscribe to and use as a source of information. The CIA also
works with partners overseas and private enterprises to engineer foreign
stories that the US media will also follow and use for reports (Lincoln Group,
Zarqawi PsyOp, etc). Inevitably some of the material released to the Voice of
America and other international propaganda outlets makes it back to the US
media.

Furthermore information is now able to be targeted in very sophisticated ways
(i.e. MINERVA, USAID Cuba Twitter program) for the spread of ideas and support
(or dissidence) via 'social contagions', all without ever having to directly
propagandize any citizens. These sorts of programs are the ultimate and
extreme irony of the Soft Power philosophy.

I find it unfortunate that the Constitution grants rights restricting search
and seizure (and others) but that our representatives do not recognize these
rights, broadly and 'de facto', as rights worth enforcing outside a strictly
domestic interpretation. Are these "rights" or "Rights" if our representatives
allow and even encourage others to infringe on them?

------
blueking
Bullshit.

------
maxk42
This is just the cover-story.

~~~
voltagex_
Prove it.

~~~
programmarchy
Sorry citizen, that's classified.

