
Silk Road shutdown: how can the FBI seize Bitcoins? - flavmartins
http://www.theguardian.com/technology/2013/oct/02/bitcoin-silk-road-how-to-seize
======
panarky
According to blockchain.info [0] and Arstechnica [1], the seized SR bitcoins
may be in address 1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX .

[0] https://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5GNn4xqX
[1] http://arstechnica.com/tech-policy/2013/10/internet-lobs-insults-at-fbis-silk-road-bitcoin-wallet/

------
sliverstorm
_In the US, lawyers have argued that forcing someone to hand over their
encryption keys violates the Fifth Amendment right to protection from self-
incrimination._

Is the implication supposed to be that seizure of Bitcoins is protected by the
Fifth Amendment? That seems far-fetched.

~~~
anologwintermut
Typically the 5th amendment argument applies to handing over passwords that
are only in your head, not keys that are written down. The government can
force you to turn over data you have.

The case for not turning over passwords for bitcoin wallets is probably
stronger than for TrueCrypt volumes.

If they arrest you with an encrypted volume on your laptop, they know it's
yours. The only question is what it is. In a lot of cases, the government
knows what it is; they just need to be able to prove it. Courts call this a
foregone conclusion and can compel you to use your decryption password (but not
tell it to the cops). [0]

On the other hand, handing over bitcoin keys may be the only way they can learn
which bitcoins are yours. This is, arguably, not a foregone conclusion at all.
And again, you are not just giving them access to the data, you are
effectively being compelled to testify that it is your data.

[0][http://www.slate.com/articles/technology/future_tense/2012/0...](http://www.slate.com/articles/technology/future_tense/2012/03/encrypted_files_child_pornography_and_the_fifth_amendment_.html)

~~~
sliverstorm
_handing over bitcoin keys may be the only way they can learn which bitcoins
are yours_

Mmm, good point. Although considering bitcoin is a public network, they could
have linked a certain address to you already, à la "follow the money".

~~~
kevinpet
And the inquisitors may have already proven that you are a witch, so what's a
little harm in torturing you to confess?

They may have evidence that this is your wallet, but by supplying them with
the password, you are testifying that it is your wallet.

"An act is testimonial when the act entails implicit statements of fact, such
as admitting that evidence exists, is authentic, or is within a suspect's
control."

"By entering the password Boucher would be disclosing the fact that he knows
the password and has control over the files on drive Z."

Compelling Ulbricht to unlock the wallet would be compelling him to testify
that the wallet is his. You may think this is a silly chain of reasoning, but
I'm sure you will forgive me if I will continue to side with existing federal
precedent.
[http://www.volokh.com/files/Boucher.pdf](http://www.volokh.com/files/Boucher.pdf)

~~~
anologwintermut
Ultimately, Boucher was ordered to decrypt his drive because the government
both knew it was his and knew part of what was on it. [0]

In Ulbricht's case there is a compelling argument that the bitcoins contained
in the wallet on his computer (assuming it was on his computer and not the
server) are his. The question is what the government knows about those
coins. Clearly, if they know Ulbricht's bitcoin id/public key, then they can
look up his transactions in the block chain. If they don't, I'm not sure what
they could possibly know.

Of course, given Ulbricht's apparently atrocious OPSEC, it seems likely his
password is Ludwig von Mises and the FBI won't need his help at all.

[0][http://en.wikipedia.org/wiki/In_re_Boucher](http://en.wikipedia.org/wiki/In_re_Boucher)

------
Aqueous
Another question: According to reports Silk Road and DPR made $80 million in
commissions. Yet the FBI has only told us about seizing $3.6 million in
BitCoins.

Where's the rest of the fortune?

~~~
swamp40
Well, riddle me this:

Why is the Cayman Islands, with a population of 56,000, the 5th largest
financial center in the world?

~~~
noonespecial
That would be because they've managed to acquire somewhat of a reputation both
for not handing over depositors' money to any and every government thug that
waves some paper at them _and_ for returning that money to said depositors on
request. A tough reputation indeed to maintain on 21st century earth.

------
jotm
Can't they just gain access to the account and call it a day? No need to
transfer the funds elsewhere, really...

~~~
ChrisClark
And then the owner can just have someone else transfer them to a different
address. Suddenly they aren't seized any more. ;)

------
agildehaus
How are they identifying the owners of these hidden services?

Are denial of service attacks the answer? DDOS a site and just ask popular
hosting providers if they're experiencing any unusual traffic levels?

Seems like such an attack always precedes a takedown.

~~~
A1kmm
If they have a near global view of the network, they can do traffic
correlation without having to 'ask' hosting providers - and putting a large
signal through would certainly help that traffic correlation to occur.

It is possible that DDOS attacks are not actively initiated by the NSA, but
that they greatly help them complete their traffic correlation analysis
network to an acceptable level of certainty by lighting up the circuits from
the rendezvous points to the hidden service.

~~~
kevinpet
That, or just look through old forum posts to see if the announcement of a
bitcoin drug marketplace looking to hire php programmers was signed
rossulbricht at gmail dot com.

~~~
A1kmm
That doesn't explain how they were able to find the server hosting the hidden
service by July the 23rd. The complaint relies on a lot of circumstantial
evidence to tie the server to the person, and that evidence wouldn't easily
have allowed them to find the server (e.g. that someone accessed a VPN that in
turn accessed the Silk Road server from an Internet cafe close to where Ross
Ulbricht lived).

If there is stronger evidence that they could have followed from the person to
the server, they would probably have put that in the complaint as it would be
more direct and therefore more incriminating.

Therefore, it seems likely that they didn't find the server by following it
from the person. There are several possibilities here:

1. Perhaps the NSA helped with finding the server by traffic analysis to
follow the circuit back to the hidden service IP?

2. Perhaps the server was rented from / on the advice of an informant and
set up only shortly before it was imaged. Reading between the lines,
redandwhite was a law enforcement plant on Silk Road (possibly Canadian, given
that is what the article claims) that DPR trusted to some extent and possibly
took advice from about how to get a host for the server. The complaint conceals
where the server was found - perhaps for this reason.

3. Perhaps a foreign government surveillance programme routinely searches
virtual servers, and this resulted in the server being found.

~~~
honzzz
1. Could you please try to briefly explain how such traffic analysis would
work? People with deeper knowledge of networking always mention traffic
analysis without further explanation... but to us curious amateurs this does
not really explain anything.

The fact that they had the server image related to specific date - July 23rd -
does this say anything about how they obtained the image? Can we infer that
they did not locate or hack the real server (because they would continue to
have access after that date) and that maybe somehow they got hands on some
backup image or something? Can we infer anything else?

~~~
A1kmm
To understand how a traffic analysis attack works, you first need to
understand how hidden services work.

The way Tor hidden services work is that the hidden service builds a route
(called a circuit) through the network of Tor nodes through to a node which it
calls a 'rendezvous point' (RP). It then repeats this process to establish
multiple circuits, one to each RP. The IPs of the RPs are public information,
but no node (not even the RP) except the hidden service knows the route the
circuit takes to the RP - only how to get to the next hop. End-users build
their own circuit with Tor to the RP, so neither the RP nor the hidden service
knows the identity of the end-user.

An attacker wants to find out the route a circuit takes from an RP to the
private node, to find the private node.

Tor does not send masking traffic - it only sends data when someone is
actually asking something. So when someone sends data through the RP, the RP
receives that data, unwraps one layer of the 'onion' packet and sends the rest
along the circuit. The next node does the same. Therefore, this creates a
pattern that is observable to someone who is sniffing the networks.

An attacker with access to all the networks between the nodes cannot see the
contents of the packets, since they are encrypted, but they can look for the
pattern in the traffic to see where the traffic is flowing. If no one was
using Tor at all except for one packet being sent along one circuit, it would
be trivial to see the path a packet follows, since you would see the RP
sending the packet, then a slightly smaller packet going to the next node, and
so on to the destination. In practice, lots of people are using Tor, so you
need to do statistical analysis and build up confidence over time about a
circuit.

If there is an unusual amount of data traveling over the circuit you care
about (e.g. due to a DDOS), this again makes it easier - just look for all the
most active nodes. If you can send a pulse of exceptionally high traffic, you
can watch the time evolution of the pulse through the system and see where it
ends up. Even without a high traffic pulse, you can compute probabilities that
observed traffic outputs from a node were caused by a given input (based on
the timing, size, etc...) and over time, combine a lot of individual points of
weak evidence to get strong evidence about a circuit.

The complaint says that the 23rd was when they asked a foreign government to
assist them by imaging the server - so they know where it is physically, and
who owns the datacentre.
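The timing-correlation idea in the comment above, reduced to a toy simulation (an added example, not code from the thread or from the Tor project). Every trace is constructed: a list of timestamps at which a cell was seen on a link. The `correlation_score`, `distinctiveness` and `rank_candidates` functions and the link names are assumptions made for this illustration. The point worth seeing is the last candidate: a link carrying constant-rate cover traffic matches the target pulse just as well as it matches an idle period, so it tells the observer nothing, which is why padding is the standard countermeasure to this class of analysis.

```python
"""Toy timing-correlation demo on constructed Tor cell traces.

Each trace is a list of timestamps (seconds) at which a cell was observed on a
link. Nothing here touches a real network; all data is constructed inline.
"""
from typing import Dict, List, Tuple

# Constructed pulse of 200 cells entering the target circuit at the RP,
# one every 10 ms starting at t = 5 s (the "high traffic pulse" in the comment).
RP_PULSE: List[float] = [5.0 + i * 0.01 for i in range(200)]

# Constructed control pulse placed at t = 1..3 s, a period when the target
# circuit was idle. It is used to check whether a link's match rate depends on
# the target circuit at all, or whether the link matches everything.
DECOY_PULSE: List[float] = [1.0 + i * 0.01 for i in range(200)]

# Constructed candidate links the observer can see.
CANDIDATE_LINKS: Dict[str, List[float]] = {
    # The real next hop: each cell is relayed 20-26 ms after it entered the RP.
    "true_next_hop": [t + 0.02 + 0.003 * (i % 3) for i, t in enumerate(RP_PULSE)],
    # An unrelated link with its own sparse, steady traffic (one cell per 200 ms).
    "unrelated": [0.37 + 0.2 * i for i in range(50)],
    # A link carrying constant-rate cover traffic (one cell every 10 ms, always).
    "padded": [0.01 * i for i in range(1000)],
}


def correlation_score(src: List[float], dst: List[float], window: float = 0.05) -> float:
    """Fraction of cells in `src` that are followed by a cell on `dst`
    within `window` seconds. 1.0 means every input cell has a plausible echo."""
    if not src:
        return 0.0
    dst_sorted = sorted(dst)
    matched = 0
    j = 0
    for t in sorted(src):
        # Advance to the first destination cell at or after time t.
        while j < len(dst_sorted) and dst_sorted[j] < t:
            j += 1
        if j < len(dst_sorted) and dst_sorted[j] - t <= window:
            matched += 1
    return matched / len(src)


def distinctiveness(link: List[float], window: float = 0.05) -> float:
    """How much better a link matches the real pulse than the idle-period decoy.
    Near 0 means the link matches everything equally and carries no signal."""
    return (correlation_score(RP_PULSE, link, window)
            - correlation_score(DECOY_PULSE, link, window))


def rank_candidates(links: Dict[str, List[float]],
                    window: float = 0.05) -> List[Tuple[str, float]]:
    """Rank links by distinctiveness, most likely next hop first."""
    scored = [(name, distinctiveness(trace, window)) for name, trace in links.items()]
    return sorted(scored, key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for name, score in rank_candidates(CANDIDATE_LINKS):
        print(f"{name:14s} distinctiveness={score:+.2f}")
```

Run as-is, the true next hop scores about +1.00, the unrelated link hovers around 0, and the padded link is exactly 0 even though its raw correlation with the pulse is perfect: cover traffic does not hide the link, it removes the contrast the observer needs.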