Slashdot Mirror


Feds Say NSA "Bogeyman" Did Not Find Silk Road's Servers

An anonymous reader writes The secret of how the FBI pinpointed the servers allegedly used by the notorious Silk Road black market website has been revealed: repeated login attempts. In a legal rebuttal, the FBI claims that repeatedly attempting to log in to the marketplace revealed its host location. From the article: "As they typed 'miscellaneous' strings of characters into the login page's entry fields, Tarbell writes that they noticed an IP address associated with some data returned by the site didn't match any known Tor 'nodes,' the computers that bounce information through Tor's anonymity network to obscure its true source. And when they entered that IP address directly into a browser, the Silk Road's CAPTCHA prompt appeared, the garbled-letter image designed to prevent spam bots from entering the site. 'This indicated that the Subject IP Address was the IP address of the SR Server,' writes Tarbell in his letter, 'and that it was "leaking" from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.'"

8 of 142 comments

  1. Re:Analyzing the FBI's Explanation of How They Loc by Rich0 · · Score: 4, Interesting

    Stick a php_info in your code or something equivalent. I don't believe the FBI was claiming that they received traffic from a non-tor IP, but rather that they received an IP address somewhere in the data sent over tor.

    Nothing in tor prevents you from sending your name, address, and social security number in the html of a webpage that you serve. If I wanted to depend on a website remaining anonymous over tor I'd probably stick the entire thing on a private network (with private IPs) such that none of the machines ever contained identifying information (including traceable machine IDs or MACs/etc), heavily firewall it, and carefully control that nothing goes out except via tor. I'd treat every device on the network as if it were compromised and intentionally trying to communicate out every bit of data stored within, so it would be essential that none of these devices contain any information worth stealing.

  2. Re:Or so they say... by drinkypoo · · Score: 2, Interesting

    Whether something is true or not matters little to the Slashdot hivemind, as long as it can feed the fires of perpetual outrage.

    There is no reason whatsoever to believe this assertion. You're accepting it as fact for no reason. We call people like you a "useful idiot".

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. Re:Seems unlikely to me by _xeno_ · · Score: 3, Interesting

    The only way I can think of to accidentally do what the FBI is claiming is if he just grabbed a poorly written CAPTCHA program off the Internet and it constructed its own URLs back to the server using the server's IP address.

    Why it would do that instead of using the configured server name or, even better, just use a relative URL would be anyone's guess. But it's the only plausible way for the FBI's explanation to make any sort of sense.

    (Or, to put it another way, they're almost certainly lying.)

    --
    You are in a maze of twisty little relative jumps, all alike.
  4. HTTPS and HTTP gotcha by portwojc · · Score: 1, Interesting

    How many sites out there are HTTPS but deliver some data via HTTP by mistake or oversight? Looks like that applies here too. Good job tracking this down. Plain old inspecting what you're receiving and digging into it.

  5. Re:Seems unlikely to me by TheCarp · · Score: 4, Interesting

    > I find it a bit hard to believe that a guy who is able to get one of the largest black-market enterprises running on
    > a server/farm connected to an anonymous/decentralized network isn't smart enough to *not* give it a public IP
    > and/or put the equivalent to a home internet router in front of it.

    As much as I would like to not believe it, this is one of those cases where he has to be perfect every time, and they only have to catch him slipping up once.

    I don't know what his stack was, but typically, there are a lot of places information can leak. Including in error messages.

    The reality is, no hidden service (that isn't intentionally also a non-hidden one) should have a public IP where it can be reached. The last public endpoint should be its tor node, and the tor node itself should then only contact it via private IPs. It should then also only contact its backend databases by private IPs.

    If that means you have to set up backend VPNs for the transport.... then guess what....that means you have to set up backend VPNs for the transport.

    Frankly, what this guy did, overall, wasn't all that impressive. He put a bunch of tools together. He didn't develop tor, he just made the obvious leap. Being more willing to take the risk doesn't mean you are the best of the best, it just means you are confident enough to risk a fall on your face.

    --
    "I opened my eyes, and everything went dark again"
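
The rule in the comment above (the application listens only on loopback or on the private network the Tor daemon sits on, never on a public address or a wildcard bind) can be checked mechanically. The script below is an added example, not code from the article or from any Silk Road system: it parses `ss -ltn` style output (the lines embedded here are constructed) and flags every listener that would be reachable from outside. The 10.8.0.0/24 "backend network" is an assumption standing in for whatever VPN or LAN the Tor node uses.

```python
"""Audit listening sockets on a hidden-service host.  Added example; input
format is that of `ss -ltn` (netstat -ltn is close enough to parse the same
way).  The sample output below is constructed for the demo."""
import ipaddress

# Constructed `ss -ltn` output: one good listener (loopback), one on the
# backend VPN, and two that a hidden service should never have.
SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     127.0.0.1:80         0.0.0.0:*
LISTEN  0       128     0.0.0.0:443          0.0.0.0:*
LISTEN  0       511     [::]:22              [::]:*
LISTEN  0       128     10.8.0.2:3306        0.0.0.0:*
LISTEN  0       128     [::1]:9050           [::]:*
"""

# Assumption: the only network other than loopback on which a service may
# listen is the private transport between the Tor node and the backends.
ALLOWED_BACKEND_NETS = [ipaddress.ip_network("10.8.0.0/24")]


def parse_listeners(text):
    """Return [(ip_address, port)] for every LISTEN line in ss/netstat output."""
    listeners = []
    for line in text.splitlines()[1:]:          # skip the header row
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)   # "[::]:22" -> "[::]", "22"
        addr = addr.strip("[]")
        if addr == "*":                         # some ss versions print "*:port"
            addr = "0.0.0.0"
        listeners.append((ipaddress.ip_address(addr), int(port)))
    return listeners


def classify(ip):
    """Verdict for one bound address; wildcard binds are checked first because
    0.0.0.0 also counts as 'private' in Python's classification."""
    if ip.is_unspecified:
        return "exposed: wildcard bind"
    if ip.is_loopback:
        return "ok: loopback"
    if any(ip in net for net in ALLOWED_BACKEND_NETS):
        return "ok: backend network"
    return "exposed: routable address"


def audit(text):
    """[(address, port, verdict)] for every listener in the output."""
    return [(str(ip), port, classify(ip)) for ip, port in parse_listeners(text)]


def exposed_ports(text):
    """Sorted list of ports that would be reachable other than via Tor or the VPN."""
    return sorted(port for _, port, verdict in audit(text) if verdict.startswith("exposed"))


if __name__ == "__main__":
    for address, port, verdict in audit(SS_OUTPUT):
        print(f"{address}:{port:<6} {verdict}")
    print("exposed ports:", exposed_ports(SS_OUTPUT))
```

On a real host the check is only half the picture: a listener on 127.0.0.1 is still reachable if the Tor process (or a proxy) forwards to it from a public interface, so the firewall rules the comment describes need the same review.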
  6. Re: Or so they say... by Dr. Evil · · Score: 5, Interesting

    The examples from the wiki describe situations where the initial source was legal, but protected. E.g., placing a sting in the path of a suspect on the word of a protected informant, then omitting the reason for their 'luck' in finding the suspect. Or e.g., withholding NSA wiretaps from DEA until the citizen or geography of the source is determined to be foreign (unethical, but not illegal).

    In this case, they would be seizing servers (illegally), then searching them for a weakness to cover their asses, then lying to the judge about it (illegal), and hoping the logs agree with their probes (possibly revealing their lies), or altering them to match (illegal).

    I might be naive, but I think the discovery of the IP source through the weakness in the captcha is totally plausible. I also think that Joe law enforcement officer doesn't want to end his career in disgrace over something like this.

  7. Re:Analyzing the FBI's Explanation of How They Loc by Anonymous Coward · · Score: 2, Interesting

    This is what Tails tries to do.

    Really you could just run tor on a VM and then set up all client machines on the LAN to VPN into it. Then set each client's firewall to drop any traffic to any interface except tun/tap.

    You could also run DansGuardian+squid on that tor VM to sniff for and catch regexes that look like your public IP or PII.
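
The check the summary describes (an address in the returned data that does not match any known Tor node) and the regex sweep this comment suggests are the same idea from two sides, and both fit in one small scanner. The script below is an added example, not code from the article, the FBI or any Silk Road system. It walks the HTML a hidden service returns, pulls out every absolute URL host and every IPv4 literal, drops the ones that are a .onion name or a known Tor relay, and reports the rest. The HTML pages, the .onion name and the "known Tor node" set are constructed for the demo; the documentation ranges 203.0.113.0/24 and 198.51.100.0/24 stand in for real public addresses.

```python
"""Scan hidden-service responses for addresses that identify the real host.
Added example; bodies and the Tor-node set are constructed."""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Explicit "internal" ranges: Python's is_private would also swallow the
# documentation ranges used in the samples, so the list is spelled out.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]

# Constructed stand-in for the relay addresses from the Tor consensus.
KNOWN_TOR_NODES = {ipaddress.ip_address("198.51.100.23"),
                   ipaddress.ip_address("198.51.100.101")}


class _HostCollector(HTMLParser):
    """Collect the host of every absolute URL in src/href/action attributes."""
    ATTRS = {"src", "href", "action"}

    def __init__(self):
        super().__init__()
        self.hosts = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.ATTRS and value:
                host = urlsplit(value).hostname   # None for relative URLs
                if host:
                    self.hosts.append(host)


def _is_ip_literal(host):
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def find_leaks(body, known_tor_nodes=KNOWN_TOR_NODES):
    """Sorted (indicator, reason) pairs for everything in the body that points
    at a host other than the hidden service itself."""
    findings = set()

    # Pass 1: absolute URLs.  Relative URLs and .onion hosts are fine; any
    # other hostname is a leak.  IP-literal hosts are classified in pass 2.
    collector = _HostCollector()
    collector.feed(body)
    for host in collector.hosts:
        if host.endswith(".onion") or _is_ip_literal(host):
            continue
        findings.add((host, "absolute-url"))

    # Pass 2: bare IPv4 literals anywhere (error pages, server signatures,
    # debug dumps).  Known Tor relays are skipped, which is exactly the
    # distinction the summary says the agents drew.
    for literal in IPV4_RE.findall(body):
        try:
            ip = ipaddress.ip_address(literal)
        except ValueError:        # e.g. 999.1.1.1 matches the regex
            continue
        if ip in known_tor_nodes:
            continue
        reason = "private-ip" if any(ip in n for n in INTERNAL_NETS) else "public-ip"
        findings.add((literal, reason))
    return sorted(findings)


# Constructed responses.  The CAPTCHA add-on builds absolute URLs from the
# server's own address; the error page is a typical PHP/Apache failure.
CAPTCHA_PAGE = """<html><body>
<form action="http://203.0.113.7/login.php" method="post">
<img src="http://203.0.113.7/captcha.php?sid=8d2f" alt="captcha">
<a href="http://zzzexampleonionaddressxyz.onion/help">help</a>
</form></body></html>"""

ERROR_PAGE = """<html><head>
<link rel="stylesheet" href="http://static.example.net/captcha.css">
</head><body>
<b>Warning</b>: mysqli_connect(): (HY000/2002): Connection refused
connecting to 10.0.0.5 in <b>/var/www/html/captcha.php</b> on line <b>42</b><br>
<b>Notice</b>: client 198.51.100.23 failed captcha<br>
<hr><address>Apache/2.2.22 Server at 203.0.113.7 Port 80</address>
</body></html>"""

if __name__ == "__main__":
    for name, page in (("captcha page", CAPTCHA_PAGE), ("error page", ERROR_PAGE)):
        print(name, find_leaks(page))
```

Run against a live proxy log the same two passes apply to every response body, and the scanner is deliberately noisy: a private address is reported too, because it reveals the internal topology even if it does not locate the host by itself.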

  8. Re:Seems unlikely to me by Anonymous Coward · · Score: 2, Interesting

    > The only way I can think of to accidentally do what the FBI is claiming is if he just grabbed a poorly written CAPTCHA program off the Internet and it constructed its own URLs back to the server using the server's IP address.
    >
    > Why it would do that instead of using the configured server name or, even better, just use a relative URL would be anyone's guess. But it's the only plausible way for the FBI's explanation to make any sort of sense.
    >
    > (Or, to put it another way, they're almost certainly lying.)

    Well, you could actually read the damn court documents. If you put random junk into the CAPTCHA boxes sometimes you would get an error page back - over TOR - but which contained the true IP address of the server. It appears that while the web server itself was configured to route everything over TOR, the CAPTCHA add-on that was being used had not been properly reviewed to make sure it had no information leaks. Obviously such information leaks would not matter in a normal set-up, so there would be no reason for a CAPTCHA add-on writer to work hard to eliminate them - in fact for debugging purposes some of that information would be useful.

    I don't know why people seem to find it so hard to believe that the FBI would decide to target the highest-profile online illegal drug marketplace without prompting from "sinister forces", or that they would carefully review every byte returned from the server to see if there were information leaks that would lead back to the true location. It certainly makes more sense than your theory that it was all a conspiracy by the NSA, and then dozens of people in the FBI and the Icelandic police conspired to forge the evidence to insert a faulty CAPTCHA program into a bug-free server and repeatedly perjure themselves in a way that would be obvious if the defendant produced a back-up with a flawless CAPTCHA code.