Slashdot Mirror

← Back to Stories (view on slashdot.org)

Feds Say NSA "Bogeyman" Did Not Find Silk Road's Servers

Posted by samzenpus on from the try-and-try-again dept.

An anonymous reader writes The secret of how the FBI pinpointed the servers allegedly used by the notorious Silk Road black market website has been revealed: repeated login attempts. In a legal rebuttal, the FBI claims that repeatedly attempting to login to the marketplace revealed its host location. From the article: "As they typed 'miscellaneous' strings of characters into the login page's entry fields, Tarbell writes that they noticed an IP address associated with some data returned by the site didn't match any known Tor 'nodes,' the computers that bounce information through Tor's anonymity network to obscure its true source. And when they entered that IP address directly into a browser, the Silk Road's CAPTCHA prompt appeared, the garbled-letter image designed to prevent spam bots from entering the site. 'This indicated that the Subject IP Address was the IP address of the SR Server,' writes Tarbell in his letter, 'and that it was "leaking" from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.'"

3 of 142 comments (clear)

  1. Re:Analyzing the FBI's Explanation of How They Loc by Rich0 · · Score: 4, Interesting

    Stick a php_info in your code or something equivalent. I don't believe the FBI was claiming that they received traffic from a non-tor IP, but rather that they received an IP address somewhere in the data sent over tor.

    Nothing in tor prevents you from sending your name, address, and social security number in the html of a webpage that you serve. If I wanted to depend on a website remaining anonymous over tor I'd probably stick the entire thing on a private network (with private IPs) such that none of the machines ever contained identifying information (including traceable machine IDs or MACs/etc), heavily firewall it, and carefully control that nothing goes out except via tor. I'd treat every device on the network as if it were compromised and intentionally trying to communicate out every bit of data stored within, so it would be essential that none of these devices contain any information worth stealing.

  2. Re:Seems unlikely to me by TheCarp · · Score: 4, Interesting

    > I find it a bit hard to believe that a guy who is able to get one of the largest black-market enterprises running on
    > a server/farm connected to an anonymous/decentralized network isn't smart enough to *not* give it a public IP
    > and/or put the equivalent to a home internet router in front of it.

    as much as I would like to not believe it, this is one of those cases where, he has to be perfect every time, they have to catch him slipping up once.

    I don't know what his stack was, but typically, there are a lot of places information can leak. Including in error messages.

    The reality is, no hidden service (that isn't intentionally also a non-hidden one) should have a public IP where it can be reached. The last public endpoint should be its tor node, and the tor node itself should then only contact it via private IPs. It should then also only contact its backend databases by private IPs.

    If that means you have to setup backend VPNs for the transport.... then guess what....that means you have to setup backend VPNs for the transport.

    Frankly, what this guy did, overall, wasn't all that impressive. He put a bunch of tools together. He didn't develop tor, he just made the obvious leap. Being more willing to take the risk doesn't mean you are the best of the best, it just means you are confident enough to risk a fall on your face.

    --
    "I opened my eyes, and everything went dark again"
  3. Re: Or so they say... by Dr.+Evil · · Score: 5, Interesting

    The examples from the wiki describe situations where the initial source was legal, but protected. E.g., placing a sting in the path of a suspect on the word of a protected informant, then omiting the reason for their 'luck' in finding the suspect. Or e.g., withholding NSA wiretaps from DEA until the citizen or geography of the source is determined to be foreign (unethical, but not illegal).

    In this case, they would be seizing servers (illegally), then searching them for a weakness to cover their asses, then lying to the judge about it(illegal), and hoping the logs agree with their probes (possibly revealing their lies), or altering them to match (illegal).

    I might be naive, but I think the discovery of the IP source through the weakness in the captcha is totally plausible. I also think that Joe law enforcement officer doesn't want to end his career in disgrace over something like this.