Feds Say NSA "Bogeyman" Did Not Find Silk Road's Servers

← Back to Stories (view on slashdot.org)

Feds Say NSA "Bogeyman" Did Not Find Silk Road's Servers

Posted by samzenpus on Monday September 8, 2014 @02:14AM from the try-and-try-again dept.

An anonymous reader writes The secret of how the FBI pinpointed the servers allegedly used by the notorious Silk Road black market website has been revealed: repeated login attempts. In a legal rebuttal, the FBI claims that repeatedly attempting to login to the marketplace revealed its host location. From the article: "As they typed 'miscellaneous' strings of characters into the login page's entry fields, Tarbell writes that they noticed an IP address associated with some data returned by the site didn't match any known Tor 'nodes,' the computers that bounce information through Tor's anonymity network to obscure its true source. And when they entered that IP address directly into a browser, the Silk Road's CAPTCHA prompt appeared, the garbled-letter image designed to prevent spam bots from entering the site. 'This indicated that the Subject IP Address was the IP address of the SR Server,' writes Tarbell in his letter, 'and that it was "leaking" from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.'"

142 comments

Min score:

Reason:

Sort:

Or so they say... by NotQuiteReal · 2014-09-08 02:19 · Score: -1

At least that is what they are saying... did they capture SR server logs confirming the mis-configuration at the time?

--
This issue is a bit more complicated than you think.
1. Re:Or so they say... by Anonymous Coward · 2014-09-08 02:27 · Score: 4, Insightful
  
  At least that is what they are saying...
  I think you misunderstand something. It doesn't matter if they are lying through their teeth when they say that. Because they claim it to be true, we can use that as further justification that the NSA's mass-surveillance hasn't done squat.
2. Re:Or so they say... by Noah+Haders · 2014-09-08 02:30 · Score: 5, Insightful
  
  Two words: parallel construction.
3. Re:Or so they say... by Sarten-X · 2014-09-08 02:32 · Score: -1, Flamebait
  
  That is precisely what Slashdot will get from this. Whether something is true or not matters little to the Slashdot hivemind, as long as it can feed the fires of perpetual outrage.
  
  --
  You do not have a moral or legal right to do absolutely anything you want.
4. Re:Or so they say... by Anonymous Coward · 2014-09-08 02:32 · Score: 2
  
  No, we can't. That's not what they claim NSA mass surveillance is for. This is an FBI investigation. Law enforcement, that is.
  The NSA shouldn't be involved, and the claim is that they weren't.
5. Re:Or so they say... by Charliemopps · 2014-09-08 02:39 · Score: 1, Redundant
  
  Right, they got the data illegally, seized the servers, then examined them for a vulnerability they could have used to legally seize them and claimed that was the source.
6. Re: Or so they say... by Anonymous Coward · 2014-09-08 02:42 · Score: 5, Informative
  
  You need the link to wikipedia so the regular folk know what youre talking about
  parallel construction
  But there is nothing you, the citizen, can do about it.
7. Re:Or so they say... by silas_moeckel · 2014-09-08 02:47 · Score: 4, Insightful
  
  Parallel construction is a farce and has no place in a legal system. The defendant is being intentionally lied to and thus unable to defend themselves. If you can not say how you got the info they should not be able to use it. Same goes for confidential informants. The people the NSA should be spying on are supposed to be dealt with via the CIA aka outside of the country assassinations.
  
  --
  No sir I dont like it.
8. Re:Or so they say... by drinkypoo · 2014-09-08 02:57 · Score: 2, Interesting
  
  Whether something is true or not matters little to the Slashdot hivemind, as long as it can feed the fires of perpetual outrage.
  There is no reason whatsoever to believe this assertion. You're accepting it as fact for no reason. We call people like you a "useful idiot".
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
9. Re:Or so they say... by Anonymous Coward · 2014-09-08 03:03 · Score: 0
  
  Stop spreading FUD. Documents leaked by Snowden confirmed that the NSA cannot break Tor, let alone the FBI. They can only rely on users' mistakes, like leaving javascript enabled for example.
10. Re:Or so they say... by Anonymous Coward · 2014-09-08 03:07 · Score: 2, Insightful
  
  If a defense attorney taught a jury about PC, then it would put the prosecution on the hotseat to prove his folks did not use it.
  This seems an impossible task, unless folks trust the cops.
  It would be unfortunate if PC backfires and results in releasing the bad guys it was intended to catch.
  Which is why it was a dumb idea to break the rules in the first place.
11. Re: Or so they say... by irq-1 · 2014-09-08 03:29 · Score: 5, Informative
  
  You need the link to wikipedia so the regular folk know what youre talking about
  parallel construction
  But there is nothing you, the citizen, can do about it.
  Jury Nullification
12. Re:Or so they say... by Noah+Haders · 2014-09-08 03:30 · Score: 4, Insightful
  
  It would be unfortunate if PC backfires and results in releasing the bad guys it was intended to catch.
  Which is why it was a dumb idea to break the rules in the first place.
  Yes absolutely correct. If the cops show themselves to be untrustworthy, then the whole law enforcement chain of evidence falls apart. This is the elephant in the room for the supreme court decision earlier this year, in which they ruled that police could stop and search somebody based on an "anonymous tip". And yet the law enforcement has been proven to sanction and encourage PC (part of the FBI docs earlier, in which LEOs got access to NSA data, was a manual saying the cops should use PC so they don't have to reveal the FBI/CIA program in court).
  
  the situation is analogous to the poor dudes in gitmo. Everybody knows they're not terrorists, yet because they were seized illegally there's no way for the justice system to process them. but the military doesn't want to just set them free, because certain parts of the country and certain news channels would flip out. So they just sit in jail and wait, while becoming terrorists. wouldn't you?
13. Re: Or so they say... by Dr.+Evil · 2014-09-08 03:32 · Score: 5, Interesting
  
  The examples from the wiki describe situations where the initial source was legal, but protected. E.g., placing a sting in the path of a suspect on the word of a protected informant, then omiting the reason for their 'luck' in finding the suspect. Or e.g., withholding NSA wiretaps from DEA until the citizen or geography of the source is determined to be foreign (unethical, but not illegal).
  In this case, they would be seizing servers (illegally), then searching them for a weakness to cover their asses, then lying to the judge about it(illegal), and hoping the logs agree with their probes (possibly revealing their lies), or altering them to match (illegal).
  I might be naive, but I think the discovery of the IP source through the weakness in the captcha is totally plausible. I also think that Joe law enforcement officer doesn't want to end his career in disgrace over something like this.
14. Re:Or so they say... by pjt33 · 2014-09-08 03:36 · Score: 2
  
  the situation is analogous to the poor dudes in gitmo. Everybody knows they're not terrorists, yet because they were seized illegally there's no way for the justice system to process them.
  I'm puzzled by this one. Surely all the justice system needs to do is say "The U.S. Constitution binds the actions of the U.S. government even outside U.S. territory" and then admit a writ of habeas corpus?
15. Re:Or so they say... by Anonymous Coward · 2014-09-08 03:50 · Score: 0, Informative
  
  But they were involved. Perhaps not in this specific part (and nobody was saying they were, although they most definitely did lend information to the FBI on how to go about this). They NSA, however, participated in attacks against Tor servers. They did this in two ways: first, they wrote and handled the malware that would get installed on visitor's computers, and secondly they operated the server that successful malware installations would communicate to. The FBI and CIA were only involved in actually initiating these kinds of attacks.
16. Re: Or so they say... by Frosty+Piss · 2014-09-08 03:54 · Score: 2
  
  Jury Nullification
  The reality is that this almost never happens. And it will not happen in this case, where the "defendant" is not only accused of being a drug kingpin, but also of putting out "hits" on people he didn't like. He's not going to look good to a jury. Say what you will about drug laws, but this guy "allegedly" took substantial steps to murder people.
  
  --
  If you want news from today, you have to come back tomorrow.
17. Re:Or so they say... by K.+S.+Kyosuke · 2014-09-08 03:55 · Score: 1
  
  as long as it can feed the fires of perpetual outrage
  Well, winter will come soon; I have to keep myself warm somehow.
  
  --
  Ezekiel 23:20
18. Re: Or so they say... by Anonymous Coward · 2014-09-08 04:06 · Score: 0
  
  I also think that Joe law enforcement officer doesn't want to end his career in disgrace over something like this.
  We're not talking about Joe law enforcement officer. We're talking about Joe FBI agent, a likely veteran of law enforcement who may have gotten the job precisely because he knows when to talk and when not to. If the FBI is the only source of information on exactly how the FBI detected the location of SR's servers, then it'd take someone in the FBI to leak that they're lying. And so long as they can create a plausible path of detection, preferably without having to modify the evidence servers, then there's really no one's career at stake.
  The only implausible part in all this is SR's servers simply having no useful information leaks. And if they did, then the FBI could be truthful on those leaks being their method of detection. So, even if the defense has experts that detect those leaks... *shrug* Sadly, when one presumes the FBI is in bed with the NSA and will contrive the investigation to fit the evidence, the only thing you've got left is wondering is how plausible it would be for the FBI to know where to look. And if one presumes there are dogged FBI agents, then it's plausible if not probable that they're being truthful even if there's an obscure information leak.
  In the end, I don't think it's a matter of naivity. It's just that for one who believes in conspiracies there's a plausible parallel construction on the FBI/NSA conspiring to engage in plausible parallel constructions.
19. Re:Or so they say... by wiredlogic · 2014-09-08 04:14 · Score: 3, Insightful
  
  It would be unfortunate if PC backfires and results in releasing the bad guys it was intended to catch.
  Parallel Construction doesn't catch criminals. It hides criminal activity by the government. It is an institutionalized form of lying which isn't acceptable in our court system.
  
  --
  I am becoming gerund, destroyer of verbs.
20. Re: Or so they say... by Anonymous Coward · 2014-09-08 04:22 · Score: -1
  
  Allegedly == innocent until proven otherwise... show me the proof. If there is proof, I'll consider him not looking good.
  Until then... he looks like a regular dude to me...
  If only juries would think this way as well but I can dream, can't I?
21. Re:Or so they say... by Noah+Haders · 2014-09-08 04:23 · Score: 2
  
  the situation is analogous to the poor dudes in gitmo. Everybody knows they're not terrorists, yet because they were seized illegally there's no way for the justice system to process them.
  I'm puzzled by this one. Surely all the justice system needs to do is say "The U.S. Constitution binds the actions of the U.S. government even outside U.S. territory" and then admit a writ of habeas corpus?
  well, that's the rub. there's no way to transfer the prisoners from gitmo to a regular prison, because if the justice department brought these people to a civilian court, the judges would laugh them out of court, give the defendants a condolence basket, and buy them a free ticket home. it's really hard to send them abroad, because all other countries have refused to take them and have responsibility for them. And Obama doesn't want to cut them loose - not in an election year! so these poor people, who everybody agrees are innocent, are stuck in in a military prison. Oh yeah, they also have restricted access to lawyers so it's hard for them to even defend themselves. way to go Obama.
  
  all this being said, I never understood what a "writ of habeas corpus" meant.
22. Re: Or so they say... by CauseBy · 2014-09-08 04:32 · Score: 1
  
  You asshat troll. Juries DO THINK THIS WAY which is why they are "shown the proof and if there is proof then the jury considers him not looking good."
23. Re: Or so they say... by Anonymous Coward · 2014-09-08 04:58 · Score: 0
  
  You apparently also don't know that it was Bush and his lying cronies who put those people there in the first place, and it is those same lying cronies and their paid for shills that manufactured outrage and actually made it illegal for Obama to correct this situation that ignorant people now blame him for.
  All of this to keep members of the Bush Administration out of jail themselves. Now, Obama's failed in a great many things. Refusing to prosecute the crimes of the fake terror warrior chickenhawks is one of the worst of them. Funny how we never hear that one listed though.
24. Re: Or so they say... by Anonymous Coward · 2014-09-08 05:25 · Score: 1
  
  No, jury selection (which should be illegal) makes sure that juries do not think this way.
  The only selection of a jury should be by means of an RNG. Preferably a low-tech one, like a bingo-ball cage. And audit the shit out of that thing on a regular basis. We don't want biased juries.
  Lawyers. Queering the deal since... forever.
25. Re: Or so they say... by letherial · 2014-09-08 05:33 · Score: 2
  
  It was also congress that insists that they stay.
  Honestly this whole blame the president is getting tiresome, this is a failure of the US government and all branches should be held accountable...our government is a embarrassment and there is no one side that is more embarrassing then the other..they are all corrupt cronies without a ounce of humanity to them.
26. Re: Or so they say... by Noah+Haders · 2014-09-08 05:35 · Score: 2
  
  dude, chillax on this bush vs. Obama stuff. Obama has been leader of the free world for 6 years now. on day one he promised to close gitmo. we can criticize Obama for his failures, without caveating that with the failures from prior adminsitrations. history will judge GWB.
27. Re:Or so they say... by Anonymous Coward · 2014-09-08 05:46 · Score: 0
  
  So is your theory that they first asked the NSA to locate the server, seized it by international cooperation by law enforcement, looked through the code for vulnerabilities and only then did they have some guys go to the site and try the login form?
  Why would the NSA risk exposing this amazing intelligence tool to get a domestic drug dealer arrested?
  In what world is that a simpler explanation than "the guy who asked Stack Overflow how to set up a Tor service using his real name, and who already exposed his server IP to users multiple times by misconfiguring the server, made another security blunder, and some IT guys from the FBI found it when investigating the site."
  (I'm making an assumption that you're talking about illegal NSA surveilance, since that seems to be what is making people so eager to shout parallel construction that they'll do it even when it doesn't make sense.)
28. Re: Or so they say... by Anonymous Coward · 2014-09-08 05:52 · Score: -1
  
  "Queering the deal since... forever."
  Homophobic
29. Re:Or so they say... by neoritter · 2014-09-08 05:53 · Score: 1
  
  Silk road != Tor servers
30. Re: Or so they say... by neoritter · 2014-09-08 06:00 · Score: 1
  
  It's like you have no clue how jury selection works; and have only seen the movie Runaway Jury. Juries can vary in size, anywhere between 6-12 plus backups totaling about 15-30. Attorneys can only challenge the selection a set number of times. Most cases this is 3. So in a majority of cases at least one juror is completely untouchable by the attorneys (if you exclude the backup set).
31. Re: Or so they say... by Anonymous Coward · 2014-09-08 06:05 · Score: 0
  
  Obama has been leader of the free world for 6 years now.
  And of America, too!
32. Re:Or so they say... by Vitriol+Angst · 2014-09-08 06:11 · Score: 1
  
  Is that like Plausible BS -- or am I using a too technical word here?
  I always figured that the "illegally gained intelligence" whether it be to get rid of a politician or someone affecting the status quo, would be an "anonymous tip" or "via great sleuthing."
  This great sleuthing never occurs if it's a bank or someone politically connected -- strange.
  
  --
  >>"ad space available -- low rates!!!"
33. Re:Or so they say... by AntiAntagonist · 2014-09-08 06:13 · Score: 2
  
  The intelligence agency has done this before to help the DEA and domestic law enforcement. Parallel construction has been proven for other investigations. It's unlikely any of them will give it up until they are forced to do so. https://www.muckrock.com/news/... http://www.reuters.com/article...
34. Re: Or so they say... by Anonymous Coward · 2014-09-08 06:13 · Score: 0
  
  Trouble is, you as a juror will never get to know that parallel construction was used in a given case (that is the purpose of this 'tool').
35. Re:Or so they say... by Vitriol+Angst · 2014-09-08 06:15 · Score: 1
  
  Our Supreme Court is fascist. I fully expect them to uphold the "we got an anonymous tip" and provide a hole a truck can drive through with all this "NSA metafile information that won't ever be used against you..."
  And off the record, we see here you visited a certain bunny ranch in Vegas, we'd like to see a larger number on next years budget in the appropriations committee.
  The threat posed by the Silk Road is orders of magnitude less than "anonymous" evidence in FBI court cases. This is the morning before we wake up to a boot on our neck --- and I don't that's hyperbole.
  
  --
  >>"ad space available -- low rates!!!"
36. Re:Or so they say... by KiloByte · 2014-09-08 06:20 · Score: 1
  
  It doesn't matter if they are lying through their teeth when they say that. Because they claim it to be true, we can use that as further justification that the NSA's mass-surveillance hasn't done squat.
  Because they're busy using that surveillance spying on political and business opponents. Come on, citizen, you don't want to take resources away from that to put then to unimportant stuff like catching criminals and preventing terrorism, do you? Heck, if we caught terrorists before they strike, the terror would be gone and this would risk pulling resources away public support from the surveillance!
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
37. Re:Or so they say... by omnichad · 2014-09-08 06:26 · Score: 1
  
  I'm making an assumption that you're talking about illegal NSA surveilance
  And you think that's the only way to gather intelligence illegally? I still might guess parallel construction, but my mind didn't jump to the NSA. There are plenty of other options out there.
38. Re: Or so they say... by omnichad · 2014-09-08 06:28 · Score: 1
  
  That would only make sense if the criminal didn't deserve to be prosecuted. You can't fix the problem post-hoc.
39. Re: Or so they say... by omnichad · 2014-09-08 06:30 · Score: 1
  
  No - anyone who knows anything about subject matter involved in a trial (computers, forensics, medicine, etc.) will be excluded from the jury during the selection process with the attorney's. You're supposed to have people who will only listen to the "expert witness" and not use your own knowledge. It's a certain guarantee that this skews the jury pool toward people a little dumber than you'd want.
40. Re: Or so they say... by omnichad · 2014-09-08 06:31 · Score: 2
  
  I posted this reply to the wrong place the first time. So here I go again:
  No - anyone who knows anything about subject matter involved in a trial (computers, forensics, medicine, etc.) will be excluded from the jury during the selection process with the attorney's. You're supposed to have people who will only listen to the "expert witness" and not use your own knowledge. It's a certain guarantee that this skews the jury pool toward people a little dumber than you'd want.
41. Re: Or so they say... by Kr3m3Puff · 2014-09-08 06:39 · Score: 1
  
  The examples from the wiki describe situations where the initial source was legal, but protected. E.g., placing a sting in the path of a suspect on the word of a protected informant, then omiting the reason for their 'luck' in finding the suspect. Or e.g., withholding NSA wiretaps from DEA until the citizen or geography of the source is determined to be foreign (unethical, but not illegal).
  Yes, but in this case, mass analysis of Tor traffic by the NSA could have thrown up a suggestion to the FBI "if you want to find the real source of the servers, all you need to do is exploit the CAPTCHA servers". The activities of the NSA don't have to be illegal for the FBI to obfuscate how they got to the final result. I doubt the FBI spent load of time just hacking around. The Government started with the problem "how do we reveal the true source of the Tor anonymized traffic" and fitted the solution to identifying it to some fully legal and totally unnefarious. It is in the Government's best interest to make criminals think they are incompetent.
  
  --
  D.O.U.O.S.V.A.V.V.M.
42. Re:Or so they say... by Noah+Haders · 2014-09-08 06:48 · Score: 1
  
  true story, bro: a couple years ago a candidate for NZ prime minister dropped out at the last moment because emails were anonymously leaked to reporters that he was having an affair. how much do you want to bet that he had some anti police state views, and the security apparatus leaked the emails.
43. Re:Or so they say... by Anonymous Coward · 2014-09-08 07:02 · Score: 0
  
  Our law enforcement system is a justice system. Our law enforcement officers embrace PC because they want very much to be the crime prevention everyone wants them to be. "You don't need guns, the cops are there to protect you."
  Bullshit. The cops are there to figure out who was responsible for an action and in the case of an ongoing crime or hostile interaction (ie neighbors next door screaming at each other), get involved and stop it. They're not there to read minds arrest people while driving down the road because they just thought up how they might be able to score another ounce of dope if they knocked off your house. When those dudes show up to knock off your house, until the cops are *notified and arrive*, you are on your damned own.
44. Re:Or so they say... by Anonymous Coward · 2014-09-08 07:21 · Score: 1
  
  he's useful??
45. Re: Or so they say... by jmcvetta · 2014-09-08 07:28 · Score: 1
  
  When I was called for jury duty (in California), the attorneys had something like 10 peremptory challenges each. Everyone who wasn't a slack-jawed dimwit was removed. This was only for a traffic accident case - I imagine the lawful-corruption would be even worse in a more serious case.
  In Centrist America, it's only a jury of your "peers" if you ride the short bus.
46. Re:Or so they say... by jmcvetta · 2014-09-08 07:33 · Score: 1
  
  This is the morning before we wake up to a boot on our neck
  Sorry, too late by about a decade. The old Republic was sick for a long time, and died an inglorious death in 2001. Long live the Empire!
47. Re: Or so they say... by neoritter · 2014-09-08 07:38 · Score: 1
  
  I call that misinterpretation of events. They probably didn't pick the other jurors because they were stupid. They picked them over you, because they weren't as opinionated as you were. They're trying to select jurors that would not be biased. They don't want someone who thinks they're an expert on the law. It just so happens that stupid people aren't necessarily as opinionated on a given subject.
48. Re: Or so they say... by jmcvetta · 2014-09-08 07:52 · Score: 1, Flamebait
  
  Yes, that's a good little Centrist - lick that boot. No one could possibly have an experience with the legal apparatus that contradicts the fairy tales you were taught in high school Civics class...
  Regardless of your baseless opinion on why I was removed, the fact is at least 11 of 12 original jurors were removed. The attorneys cycled thru something like 18 of the 30-ish potential jurors by the time I was excluded. Jury selection continued after I left.
  It's pretty obvious juries in my city are not juries of the defendants' peers, but rather juries of select persons favored by attorneys.
49. Re: Or so they say... by neoritter · 2014-09-08 08:05 · Score: 1
  
  I feel like your attitude is proving my point.
50. Re: Or so they say... by Anonymous Coward · 2014-09-08 08:09 · Score: 0
  
  No, jury selection (which should be illegal) makes sure that juries do not think this way.
  Yes, I've seen the movies and TV shows. But I've also served on a jury, back in college.
  It was a drug possession case, and during jury selection they asked if any of us had personal or family ties to law enforcement, friends with drug experience, and a number of other things.
  I remember one guy who said he had past experience with drugs, and even a conviction. He also said he didn't trust the police and was inclined to doubt them when they accused someone of a crime.
  Neither the prosecution nor defense objected to him, and he served on the jury. We found the defendant guilty.
51. Re: Or so they say... by SomePoorSchmuck · 2014-09-08 08:47 · Score: 2
  
  It's like you have no clue how jury selection works; and have only seen the movie Runaway Jury. Juries can vary in size, anywhere between 6-12 plus backups totaling about 15-30. Attorneys can only challenge the selection a set number of times. Most cases this is 3. So in a majority of cases at least one juror is completely untouchable by the attorneys (if you exclude the backup set).
  I've been through voir dire twice and in both cases (criminal assault) not only did the attorneys get their allotted strikes, but toward the end of the questioning process the judge also had notes and called certain members of the pool to the bench and further questioned them about their opinions, dismissing some of them to go home. The judge is already there as a representative of the State, so naturally his dismissals will also tend to enforce jury orthodoxy. No libertarian who believes in nullification is EVER getting on a jury unless he perjures himself.
  
  --
  
  Hollywood, Television, has become the dream machine. We need to take that back; each of us is a Dream Machine
52. Re: Or so they say... by jmcvetta · 2014-09-08 08:57 · Score: 1
  
  Ahhh... so you believe only subjects with a credulous & servile attitude should be included on a jury?
53. Re:Or so they say... by gweihir · 2014-09-08 09:43 · Score: 1
  
  My personal take is that this was much more likely some Bitcoin-based attack where they were able to identify him via some Bitcoin they gave him and that he spent afterwards. The claimed scenario would require terminal stupidity on the side of the server set-up and also that nobody of the countless people trying to attack these servers ever getting lucky. Not credible at all.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
54. Re: Or so they say... by Anonymous Coward · 2014-09-08 09:53 · Score: 0
  
  I might be naive, but I think the discovery of the IP source through the weakness in the captcha is totally plausible.
  I concur, this is totally plausible. Unfortunately that doesn't prove this isn't a case of parallel construction.
55. Re: Or so they say... by Anonymous Coward · 2014-09-08 15:22 · Score: 0
  
  Nice anecdote. Did I tell you about the time my Uncle Marvin went a bit bonkers?
56. Re: Or so they say... by Anonymous Coward · 2014-09-08 16:32 · Score: 0
  
  Yes Obama promised he would close Gitmo. But one of the first things Congress did after he became was to pass laws or a law that severely limited his ability to do so. Remember when he traded 5 Gitmo prisoners for the one US soldier a few months back. Some people were howling that he had no legal authority to do that, that it violated a legal procedure required before he could do that.
  While on the subject, I asked myself and other people, how did Obama move from a close Gitmo promise, to a scale back the surveillance state and war on terror, (which have become one and same), etc. etc. He did get the US largely out of Iraq and Afghanistan.
  The thoughts I have are:
  1. He's a politician. He said what he needed to say that the poll results showed would get him elected. Score points for plausible, and probably true of every modern president to a degree.
  2. Once elected, he was briefed by the military and Security entities, and once shown classified evidence he realized that, although he may hate the course we're on, it's not nearly as bad as what he hoped and wanted to do. Score points for plausible, and as evidence how most presidents seem to age 5 years the first year they are in office.
  3. "Gee Mr. President, we are quite willing to follow your orders. But, um, we really would not like to have to boil your daughters in acid, would we." Score points for paranoid. Score points for not paranoid enough.
57. Re: Or so they say... by neoritter · 2014-09-08 17:01 · Score: 1
  
  Loaded question says what?
58. Re: Or so they say... by jmcvetta · 2014-09-08 21:09 · Score: 1
  
  I'll take that as a "yes".
59. Re: Or so they say... by neoritter · 2014-09-10 03:39 · Score: 1
  
  You can take it however you like. I'm not intolerant. But don't put quotes around it.
With Tor you have expectation of anonymity... by Flavianoep · 2014-09-08 02:22 · Score: 1

... as long as there is no resourceful federal agency trying to get you.

--
Linux is for people who don't mind RTFM.
1. Re:With Tor you have expectation of anonymity... by sinij · 2014-09-08 02:24 · Score: 3, Informative
  
  No you don't have expectation of anonymity anywhere, but with Tor breaching your anonymity is prohibitively expensive for most scenarios.
2. Re:With Tor you have expectation of anonymity... by Anonymous Coward · 2014-09-08 02:37 · Score: 0
  
  If you pay cash for a prepay mobile phone, use it once and then destroy it (fire, lots and lots of fire) you have a reasonable expectation of anonymity.
  Otherwise... well, ummm...
3. Re:With Tor you have expectation of anonymity... by SpzToid · 2014-09-08 03:05 · Score: 2
  
  That's how the Harvard kid got busted classically calling in a bomb threat on test day. The feds looked for outgoing Tor traffic from the Harvard LAN, which requires a MAC address BTW.
  http://www.forbes.com/sites/ru...
  
  --
  You can't be ahead of the curve, if you're stuck in a loop.
4. Re:With Tor you have expectation of anonymity... by Anonymous Coward · 2014-09-08 03:36 · Score: 0
  
  That's how the Harvard kid got busted classically calling in a bomb threat on test day. The feds looked for outgoing Tor traffic from the Harvard LAN, which requires a MAC address BTW.
  http://www.forbes.com/sites/ru...
  You linked to a Forbes article?
5. Re:With Tor you have expectation of anonymity... by Anonymous Coward · 2014-09-08 03:47 · Score: 0
  
  Not always....
  Each phone has a 15 digit serial number (IMEI).
  The SIM card also has a unique identifier.
  They can work out that a burner was used. They can also work out that it is a certain serial number, as well as sim identifier.
  They can get info from manufacturer to find out where the phone was sold.
  They can get video pulling the sale at point of purchase.
  There are other tricks, like watching other phones going dark just prior to the burner turning on.
  or, seeing what other phones are in the same location as the burner phone.
  or combinations... to find a link to a non burner that is connected....
  Best way of staying Anonymous is to stay in your cave... and not communicate with the world... Any data exchange is a bit of a clue... (no pun intended).
Parallel construction by qbast · 2014-09-08 02:23 · Score: 1

In other words: perjury, but you can't prove it.
huh? by Anonymous Coward · 2014-09-08 02:24 · Score: 0

Could someone elaborate on how a captcha would leak an IP address? They weren't using something like re-captcha were they?
1. Re:huh? by greenreaper · 2014-09-08 02:35 · Score: 1
  
  They could have been running the code for it on their server, doing a (perhaps asynchronous) request for the CAPTCHA image and that had been set up to use a direct IP address (or domain linking to one). The connection strings for AJAX requests and the like are often forgotten when handling domain-related issues/HTTPS/etc., so I'm not at all surprised.
2. Re:huh? by Anonymous Coward · 2014-09-08 02:37 · Score: 0
  
  Seems fairly straight forward - the captcha was being served directly from the silkroad servers instead of via the tor network. Someone fucked up and put the direct IP into the captcha page instead of *what ever is required to mask a website via tor*. I imagine in order for this to be the case they would have to have been using their own captcha (or more likely an open source one hosted on their systems). Ironically I guess using re-captcha would have avoided this issue and kept their IP secure.
3. Re:huh? by gweihir · 2014-09-08 09:40 · Score: 1
  
  If they had a sanely configured masquerading firewall, it could not, as nothing on the server would know its public IP address. And of course, the captcha will be locally generated as including an external one reveals your location via the captcha service (that would get a nice NSL in this case).
  Plain fact is that what the FBI here claims is exceedingly unlikely to be true, not in the least because of course a site like this gets attacked all the time and such problems would have been found and fixed a long time ago.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
We'll never know by sasparillascott · 2014-09-08 02:35 · Score: 5, Insightful

Back in 2006 it was already out that the NSA was sharing information with the FBI among others:

http://www.washingtonpost.com/...

With multiple leaders of the U.S. intelligence apparatus having been caught lying under oath, we'll never know. One of the techniques is for the NSA to pinpoint something then the FBI look at the target and find something else they can label as the "reason" they found out about it.

At this point, because of our government's shortsighted decision's (Bush/Obama) to pursue and institute a surveillance state (ala East Germany), we'll never know what the story was here and have to take any claim from the Feds with a huge dose of skepticism.
1. Re:We'll never know by Anonymous Coward · 2014-09-08 06:30 · Score: 0
  
  It gets even more sad/funny.
  If dread pirate rogers gets off based on the fact that the evidence was illegally seized, then remember that huge sell off of seized silkroad bitcoins? I'm guessing dread pirate rogers will want them back, and guess who's on the hook for them - the tax payer. Just awesome. It should come out of the NSA budget and or politician's (Bush/Cheney/Obama/intel committee/etc) pension/pay.
Analyzing the FBI's Explanation of How They Locate by I)_MaLaClYpSe_(I · 2014-09-08 02:36 · Score: 4, Insightful

not at all:
https://www.nikcub.com/posts/a...

If you still believe that the server was discovered in the way the FBI described it - try it. I did. I setup a virtual machine with a web server running a Tor hidden server. I then accessed the hidden server over Tor and looked at the traffic. No matter how much I intentionally misconfigured the server, or included scripts from clearnet hosts, I never observed traffic from a non-Tor node or a "real" IP address.
NSA leaks Tor's bugs by Anonymous Coward · 2014-09-08 02:43 · Score: 0

Recently there was this story about NSA guys leaking Tor bugs to devs and suggesting changes to "improve" Tor's design:
http://yro.slashdot.org/story/...
I vividly remember that Snowden's documents said that NSA tries to influence Tor's design, being unable to actually break it. This might be a way of doing it: they pretend to be "good guys" and suggest changes that, while removing purely theoretical vulnerabilities, actually open the doors to more serious ones.
I hope Tor developers aren't so foolish to follow those "suggestions".
1. Re:NSA leaks Tor's bugs by jeffmeden · 2014-09-08 03:15 · Score: 2
  
  Recently there was this story about NSA guys leaking Tor bugs to devs and suggesting changes to "improve" Tor's design:
  http://yro.slashdot.org/story/...
  I vividly remember that Snowden's documents said that NSA tries to influence Tor's design, being unable to actually break it. This might be a way of doing it: they pretend to be "good guys" and suggest changes that, while removing purely theoretical vulnerabilities, actually open the doors to more serious ones.
  I hope Tor developers aren't so foolish to follow those "suggestions".
  Of course they aren't documenting their ability to subvert anonymity on Tor. It is probably the most powerful weapon an intelligence agency can wield right now. The rather simple (but un-falsifiable) fact is that with enough relay and exit nodes owned by one entity (and ownership is deliberately un-attributable) you can pretty effectively de-anonymize it by attrition (there are a few protocol weaknesses too, that allow you to leverage a lot of hosts). The only clue an outside observer might have that it is happening is inorganic changes in the network layout (i.e. a lot of nodes going online or offline) signalling a large single controller is at work. Luckily, at least this avenue is covered and you can see via the Tor Metrics portal what is going on across the network, and infer occasional events (like the de-anonymizing attack this past spring).
2. Re:NSA leaks Tor's bugs by Anonymous Coward · 2014-09-08 03:30 · Score: 1
  
  Of course they aren't documenting their ability to subvert anonymity on Tor.
  Stop spreading FUD. Actually they documented the fact that they do NOT have that ability. And they admit that in top secret documents, which aren't exactly supposed to be used for propaganda:
  http://www.theguardian.com/wor...
  Hence they probably try to influence Tor's design in the hope to make it weaker in future, as OP was saying.
Comment removed by account_deleted · 2014-09-08 02:43 · Score: 1

Comment removed based on user account deletion
Re:Analyzing the FBI's Explanation of How They Loc by Rich0 · 2014-09-08 02:55 · Score: 4, Interesting

Stick a php_info in your code or something equivalent. I don't believe the FBI was claiming that they received traffic from a non-tor IP, but rather that they received an IP address somewhere in the data sent over tor.
Nothing in tor prevents you from sending your name, address, and social security number in the html of a webpage that you serve. If I wanted to depend on a website remaining anonymous over tor I'd probably stick the entire thing on a private network (with private IPs) such that none of the machines ever contained identifying information (including traceable machine IDs or MACs/etc), heavily firewall it, and carefully control that nothing goes out except via tor. I'd treat every device on the network as if it were compromised and intentionally trying to communicate out every bit of data stored within, so it would be essential that none of these devices contain any information worth stealing.
Seems unlikely to me by phorm · 2014-09-08 02:57 · Score: 4, Insightful

It's not about a server misconfiguration.
TOR connections are tunnels. You don't have to configure your webserver etc for TOR, your machine just has to behind a firewall etc that doesn't allow the traffic out (or really, a router that just doesn't NAT it in). The only way to access the webserver would be through the tunnel, so no TOR=no access.
I find it a bit hard to believe that a guy who is able to get one of the largest black-market enterprises running on a server/farm connected to an anonymous/decentralized network isn't smart enough to *not* give it a public IP and/or put the equivalent to a home internet router in front of it.
1. Re:Seems unlikely to me by _xeno_ · 2014-09-08 03:11 · Score: 3, Interesting
  
  The only way I can think of to accidentally do what the FBI is claiming is if he just grabbed an poorly written CAPTCHA program off the Internet and it constructed its own URLs back to the server using the server's IP address.
  Why it would do that instead of using the configured server name or, even better, just use a relative URL would be anyone's guess. But it's the only plausible way for the FBI's explanation to make any sort of sense.
  (Or, to put it another way, they're almost certainly lying.)
  
  --
  You are in a maze of twisty little relative jumps, all alike.
2. Re:Seems unlikely to me by Richard_at_work · 2014-09-08 03:12 · Score: 1
  
  The issue seems to be not one of what IP address you give it, nor whether its public facing or not, but that he was leaking data via some other means (captcha call back or license file?) which exposed the real servers location rather than the Tor hidden one.
3. Re:Seems unlikely to me by TheCarp · 2014-09-08 03:14 · Score: 4, Interesting
  
  > I find it a bit hard to believe that a guy who is able to get one of the largest black-market enterprises running on
  > a server/farm connected to an anonymous/decentralized network isn't smart enough to *not* give it a public IP
  > and/or put the equivalent to a home internet router in front of it.
  as much as I would like to not believe it, this is one of those cases where, he has to be perfect every time, they have to catch him slipping up once.
  I don't know what his stack was, but typically, there are a lot of places information can leak. Including in error messages.
  The reality is, no hidden service (that isn't intentionally also a non-hidden one) should have a public IP where it can be reached. The last public endpoint should be its tor node, and the tor node itself should then only contact it via private IPs. It should then also only contact its backend databases by private IPs.
  If that means you have to setup backend VPNs for the transport.... then guess what....that means you have to setup backend VPNs for the transport.
  Frankly, what this guy did, overall, wasn't all that impressive. He put a bunch of tools together. He didn't develop tor, he just made the obvious leap. Being more willing to take the risk doesn't mean you are the best of the best, it just means you are confident enough to risk a fall on your face.
  
  --
  "I opened my eyes, and everything went dark again"
4. Re:Seems unlikely to me by Anonymous Coward · 2014-09-08 05:34 · Score: 2, Interesting
  
  The only way I can think of to accidentally do what the FBI is claiming is if he just grabbed an poorly written CAPTCHA program off the Internet and it constructed its own URLs back to the server using the server's IP address.
  Why it would do that instead of using the configured server name or, even better, just use a relative URL would be anyone's guess. But it's the only plausible way for the FBI's explanation to make any sort of sense.
  (Or, to put it another way, they're almost certainly lying.)
  Well, you could actually read the dam court documents. If you put random junk into the CAPTCHA boxes sometimes you would get an error page back - over TOR - but which contained the true IP address of the server. It appears that while the web server itself was configured to route everything over TOR, the CAPTCHA add-on that was being used had not been properly reviewed to make sure it had no information leaks. Obviously such information leaks would not matter in a normal set-up, so there would be no reason for a CAPTCHA add-on writer to work hard to eliminate them - in fact for debugging purposes some of that information would be useful.
  I don't know why people seem to find it so hard to believe that the FBI would decide to target the highest-profile online illegal drug marketplace without prompting from "sinister forces", or that they would carefully review every byte returned from the server to see if there were information leaks that would lead back to the true location. It certainly makes more sense than your theory that it was all a conspiracy by the NSA, and then dozens of people in the FBI and the Icelandic police conspired to forge the evidence to insert a faulty CAPTCHA program into a bug-free server and repeatedly perjure themselves in a way that would be obvious if the defendant produced a back-up with a flawless CAPTCHA code.
5. Re:Seems unlikely to me by _xeno_ · 2014-09-08 06:55 · Score: 1
  
  Well, you could actually read the dam court documents. If you put random junk into the CAPTCHA boxes sometimes you would get an error page back - over TOR - but which contained the true IP address of the server.
  Where do you get this? Because the court documents in the article certainly don't say that. In fact, they seem to be saying that the IP packets themselves contained the IP:
  
  Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets.
  That's not an error message, that's (apparently) an HTTP(S?) request being sent straight to the Tor servers. And the only way I can think of to screw up a CAPTCHA implementation to do that would be to have it construct a complete URL using the host IP instead of just using the configured host name, which would be insane.
  Again: according to the FBI themselves, this wasn't "debugging data" or anything, it was packets that were for whatever reason completely outside of the Tor network.
  
  I don't know why people seem to find it so hard to believe that the FBI would decide to target the highest-profile online illegal drug marketplace without prompting from "sinister forces"
  Because we're aware of things like COINTELPRO or, for those of us in the Boston area, remember little things like Whitey Bulger? I don't trust the FBI because they've gone out of their way to prove they are not to be trusted.
  
  --
  You are in a maze of twisty little relative jumps, all alike.
With Tor you have expectation of anonymity... by Anonymous Coward · 2014-09-08 02:59 · Score: 0

Tor makes you a target.
Given that PayPal, banks make mistakes regularly by raymorris · 2014-09-08 03:09 · Score: 4, Insightful

> I find it a bit hard to believe that a guy who is able to get one of the largest black-market enterprises running on a server
Do you find it hardto believe that Paypal's engineers make significantly more obvious mistakes? They do, of course. The thing about crime, and security, is that you can do a hundred things just right, and be taken down by the one thing you missed. It's adversarial like sports, but unlike sports 47-2 is a losing score for the team who scored 47. Those two items on which you let the authorities score put you in prison.
HTTPS and HTTP gotcha by portwojc · 2014-09-08 03:11 · Score: 1, Interesting

How many sites out there are HTTPS but deliver some data via HTTP by mistake or oversight? Looks like that applies here too. Good job tracking this down. Plain old inspecting what your receiving and digging into it.
1. Re:HTTPS and HTTP gotcha by CauseBy · 2014-09-08 04:37 · Score: 1
  
  Yeah I agree. This seems like unremarkable good detective work. Well done, coppers, you caught a criminal.
  Whether we need to change the law is a separate question to whether this guy broke it.
2. Re:HTTPS and HTTP gotcha by q4Fry · 2014-09-08 04:50 · Score: 1
  
  Posting to remove accidental downvote.
3. Re:HTTPS and HTTP gotcha by gweihir · 2014-09-08 09:32 · Score: 1
  
  Oh, sure. And nobody found this in a site that gets attacked all the time. Really believable.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
drug-dealing site, yeah? by Anonymous Coward · 2014-09-08 03:32 · Score: 0

So then why does anyone care if the FBI is lying about how they busted them? I mean, these same sort of illegal procedures are practiced at all levels of law enforcement, and yet when Tyrone gets busted for allegedly selling crack-cocain (conspiracy charges) no one cares.
Too bad we can't trust them by sjames · 2014-09-08 03:37 · Score: 2

We have discovered so many lies from various LEAs and NSA about parallel construction (they even lie to judges and prosecutors) that it is impossible to believe them without iron-clad evidence at this point.
Perhaps they'd care to show us the code? Show us the log of the exploit? Bare assertions won't do.
1. Re:Too bad we can't trust them by slashmydots · 2014-09-08 05:04 · Score: 0
  
  You hit login 100 times and it spits out the IP address for no reason. That's the extent of it, according to them. In other words, it's made up bullshit.
2. Re:Too bad we can't trust them by blueg3 · 2014-09-08 06:18 · Score: 1
  
  You hit login 100 times
  That's a coy way of saying they were trying to do SQL injection and it didn't work.
  
  and it spits out the IP address for no reason.
  In the course of trying to do SQLi, they generated a ton of different error message. The HTML source of one of the error message contained the server's real IP address. Pretty easy mistake to make if you unwisely put your hidden-service Web server and your Tor proxy on the same physical machine (thereby running your Web server on a device that has a public IP address).
  Such a configuration might be necessary if, for example, your website integrates a third-party system (like a captcha) and that third party happens to block Tor traffic.
3. Re:Too bad we can't trust them by GuB-42 · 2014-09-08 06:56 · Score: 1
  
  So you prefer the explanation that the NSA used super secret TOR breaking software over a simple exploit ? The FBI explanation seems totally plausible to me. If it were the NSA they probably would have used similar techniques.
  My idea is that hackers from the NSA, FBI or black hats are like magicians. It looks like they have some kinds of superpowers or really advanced tech while they just use simple tricks. Finding good tricks and executing them correctly is hard but the trick themselves are often stupidly simple.
  Note that the CAPTCHA exploit may not be the only one they found but why would they reveal the other ones if the first one is sufficient to explain the break ?
4. Re:Too bad we can't trust them by sjames · 2014-09-08 07:34 · Score: 1
  
  Some days, I question if the FBI knows how to turn a computer on.
  They certainly don't know how to process forensic evidence.
  Meanwhile, we do know that the NSA has illegally hacked a great many routers and tapped many fiber connections. I find it more likely that they used their illegal resources to locate the server through traffic analysis. No need to invoke any superpowers.
  I find it at least plausible enough to require proof from the FBI in a criminal investigation (not that it will likely be forthcoming or that the lack of it will derail the railroad).
5. Re:Too bad we can't trust them by gweihir · 2014-09-08 09:26 · Score: 1
  
  BS. You can always put your server behind a masquerading firewall and ensure nothing on the server knows its public IP address. This is a standard approach for WAN-LAN connections with private IP addresses in the LAN. When somebody has been running a highly illegal service successfully for a longer time, they will know about such basic protections. Also, you will never use a 3rd party captcha service in such a server, as the captchas themselves can be used to identify your location. Quite obvious, really.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
6. Re:Too bad we can't trust them by gweihir · 2014-09-08 09:31 · Score: 1
  
  The explanation is plausible only to a simple mind. Remember that this service was up a long time and certainly got attacked all the time. Somebody would have found that problem a long time before the FBI if it was real. Much more likely they did a targeted attack and found some real vulnerability, which they do not want to disclose and hence are lying about, like any common criminal. This has nothing to do with the rule of law anymore. Next step, which I am sure they have already taken in less high-profile cases, is to outright fabricate "evidence" against people they do not like.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
7. Re:Too bad we can't trust them by blueg3 · 2014-09-09 00:54 · Score: 1
  
  Inbound with Tor is not so bad, but it requires a two-machine setup that's nontrivial for a non-sysadmin to do correctly. Getting the server's outbound (new connections, not return traffic) to transit over Tor exclusively is less easy. Ideally, you don't make outbound connections from your server.
  You know Silk Road actually used reCAPTCHA, yes?
Re:Analyzing the FBI's Explanation of How They Loc by Anonymous Coward · 2014-09-08 03:41 · Score: 0

Fair enough, but shouldn't the source of the data have been revealed during discovery phase to the defense?
Re:Analyzing the FBI's Explanation of How They Loc by ugen · 2014-09-08 03:42 · Score: 1

That'd be one useless network though. If your devices have no information worth stealing - than what are they doing?
That's the problem with anonymity (and security in general). To be perfect, it's got to have no value.
In a more practical case like this one, I fully expect that administrators of those servers made one small mistake (more likely simply could not check every possible bit of code for information it may leak) and that was their downfall.
Re:Given that PayPal, banks make mistakes regularl by Geoffrey.landis · 2014-09-08 03:45 · Score: 1

I find it a bit hard to believe that a guy who is able to get one of the largest black-market enterprises running on a server/farm connected to an anonymous/decentralized network isn't smart enough to *not* give it a public IP and/or put the equivalent to a home internet router in front of it.
People make mistakes all the time. Even smart people.
You've never made a mistake? Never missed a bug? Never misconfigured a system? Ever?
Do a hundred things right, and one thing wrong, and just guess which one will get caught.

--
http://www.geoffreylandis.com
Re:Analyzing the FBI's Explanation of How They Loc by Anonymous Coward · 2014-09-08 03:53 · Score: 2, Interesting

this is what Tails tries to do.
Really you could just run tor on a vm and then setup all client machines on the LAN to VPN into it. then set each client's firewall to drop any traffic to any interface except tun/tap.
You could also run dansguarian+squid on that tor vm to sniff for and catch reg-ex's that look like your public IP or PII.
Re:Analyzing the FBI's Explanation of How They Loc by queazocotal · 2014-09-08 04:05 · Score: 1

There is a difference between no identifying information, and no information.
Rips of DVDs, for example, would be information - but they would not contain any identification other than the program used to make them, and the DVDs in question.
Soo... Configure your firewalls? by Anonymous Coward · 2014-09-08 04:16 · Score: 0

They cared enough to use Tor but not enough to configure their firewall?
1. Re:Soo... Configure your firewalls? by gweihir · 2014-09-08 08:42 · Score: 1
  
  Yes, apparently. To bad many people will believe this obvious fairy-tale.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Re:Analyzing the FBI's Explanation of How They Loc by Rich0 · 2014-09-08 04:26 · Score: 1

Well, in their case they are running a storefront. That has a few components.
1. You need a searchable catalog of stuff that you are selling, and the ability to put together orders. That isn't too sensitive up until you checkout since your goal is to advertise the catalog anyway.
2. You need to be able to collect info on where to ship the goods. This is sensitive information if you don't want people figuring out who your customers are. You can't avoid collecting this info from your customers, but you could control storage of it. The first time somebody sets up an account you could collect info from them, but then you could take that data off the network and just reference their account number inside the network. As long as the customer sticks with the same delivery address and doesn't care that the order doesn't show it, then their info could be safe from compromise a few days after their first order.
3. You need to handle payment. Since they traded in Bitcoin this also could be done in a way that doesn't eliminate the risk of problems, but it does greatly mitigate it. For each transaction create a bitcoin account, and the tor-connected network can provide those details to the client so that they can make payment. At that point you can remove that data from the tor-connected network and move it elsewhere. That means that if somebody gets onto the network they can only get your bitcoin credentials for a few days worth of transactions, and future transactions going forward. Money would be moved out of those accounts into another set of accounts whose credentials were never at risk as soon as it was received, so if there were an attempt to seize funds it would be limited to accounts that only received funds recently.
All the order fulfilment can happen off of the tor-connected network. Getting data between the networks could involve sneakernet, or maybe even manual printing of paper orders. An operation like Silk Road is no doubt very high-margin, and I can't imagine that they can operate at high volume without risk of detection. So, a manual process where tor tells you ship 2kg of product A to customer 123 just means punching 2, A, and 123 into another application which prints out the shipping label - that system doesn't need to be attached to the internet. Dealing with bitcoin account numbers and credentials might be more of a pain, since they are long numbers.
Thank you for finding the flaw by koan · 2014-09-08 04:55 · Score: 1

Now TOR (or whom ever) can fix it.

--
"If any question why we died, Tell them because our fathers lied."
1. Re:Thank you for finding the flaw by ledow · 2014-09-08 05:28 · Score: 1
  
  Security software cannot fix stupidity.
  In this case, one of the scripts on a Tor service pulled data from and thus advertised it's globally-addressable IP address.
  Sure, they can improve their processes and pull that script and replace it with a Tor-compatible version - but Tor can't detect this kind of stupidity and fix it for you. If you're stupid enough to put your home address on a Tor service, there's nothing Tor can do about that either.
  The most interesting thing about this story is that all the "Tor was somehow broken by a omnipotent government agency" nonsense actually boiled down to "Idiots were giving out their own IP over a Tor service providing illegal content" (which is more often than not the case - I'm not at all convinced that most countries actually have the talent and resources to do what people claim they can, let alone that they routinely do them).
  This either proves, when used properly, how effective Tor is, or ineffective the relevant agency is against Tor.
  Honestly, I don't care too much about the detail. I don't support the illegal activity that this service was built upon. But I find it worrying that they were that stupid, and that it was that easy to "find" them, and also that the relevant agencies don't seem to have made much progress at all since the days of GCHQ.
  All I see in the modern day is unbreakable maths stopping (or severely hindering) anyone but the most stupid people from being caught. I see that as both a good thing (encryption, etc. doing what it was designed to do, and implemented strongly) and a bad thing (our governments are still unable to stop such services because they don't have the talent to infiltrate them).
2. Re:Thank you for finding the flaw by koan · 2014-09-08 05:51 · Score: 1
  
  Yes, but now people trying to hide are more aware of possible issues.
  
  --
  "If any question why we died, Tell them because our fathers lied."
Re:Analyzing the FBI's Explanation of How They Loc by Anonymous Coward · 2014-09-08 04:57 · Score: 0

Now put some flash on your website. something that does network connectivity and test again. there are plenty of stupid things to do with a web site. or have mole put these in a web site on purpose. please re-read what you need to disable to keep you anonymity. -shrugs-
BitLch by Anonymous Coward · 2014-09-08 05:15 · Score: -1

the public eye: This post up. do and doing what up today! If you guys are usually is dying and its and abroad for EFNet, and apply the above is far Usenet is roughly own lube, beverage, problems that I've IF YOU HAVE halt. Even Emacs BSD's filesystem to work I'm doing, where it was when fatal mistakes, Mr. Raymond's project returns goodbye...she had most. Look at the BSD style.' In the I've never ssen FreeBSD showed Can no longer be
Server doesn't have client's real IP address by Anonymous Coward · 2014-09-08 05:25 · Score: 0

My understanding of TOR is that the server never sees the client's real IP address. That's the whole idea, right? Then how the hell can a misconfigured server send anything directly to an IP address it doesn't have?
I call BULLSHIT!
1. Re:Server doesn't have client's real IP address by blueg3 · 2014-09-08 06:10 · Score: 1
  
  They're saying the server leaked its own IP address. Unless you've set up your system so that your Tor hidden server is on a computer not connected directly to the Internet and it connects to a physically-separate Tor node that blocks any network flows other than ones going over the Tor proxy, then any Tor hidden server also has a leakable IP address. A Web server error message (or embedded error message from a third-party service, for example), header, or other piece of data might then contain the server's IP address.
  That's pretty thin information by itself. But if any part of your server is configured to listen on all network interfaces (instead of, say, localhost), then someone making an HTTP request to that IP address gets a page from your server. That's fairly damning evidence.
2. Re:Server doesn't have client's real IP address by gweihir · 2014-09-08 08:39 · Score: 1
  
  It is not complete BS. If the server war really stupidly configured and did not have an additional masquerading firewall before it, something like this could happen. That claim is however not credible at all and this is likely a fairy-tale for the gullible.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
3. Re:Server doesn't have client's real IP address by gweihir · 2014-09-08 08:41 · Score: 1
  
  A masquerading firewall will also protect you and you do not need any "special" TOR node for that (which you cannot get anyways). Simple to set-up and standard in any LAN-WAN connection where the LAN has private IP addresses.
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Re:Analyzing the FBI's Explanation of How They Loc by Rich0 · 2014-09-08 05:33 · Score: 1

Oh, I wouldn't just worry about flash. I'd assume that somebody I don't like is going to find an exploit in my webserver, and run arbitrary code on that host, and every other host it can reach via the network. All of this stuff has to run in a DMZ that contains no identifying information at all. That is certainly a challenge to do in practice.
If I had a dollar by behrooz0az · 2014-09-08 05:35 · Score: 1

For every lie NSA gets printed on the news...

The thing about writing the website or configuring the system to tunnel data through any kind of proxy/tor is that for every packet or http request or whatever you work with you have to EXACTLY specify what happens as in what comes in and what goes out, the lie is just too retarded.

I've made like a dozen network backends for different kinds of applications and progarms. I know.

--
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion. -- Spazmania (174582)
I'm envisioning a comic... by MugenEJ8 · 2014-09-08 05:50 · Score: 1

Where a group of FBI boffins are cheering, hooting and hollering about the find, and a group of NSA boffins, rolling their eyes and being coy, "Awe! Look at them, you'd think they just broke codes!".
Lies are irrelevant by Anonymous Coward · 2014-09-08 05:50 · Score: 0

The NSA and the feds are well known to do "parallel contruction", and you can be sure they won't tell you how they really did it if they have in their possesion an unknown secret security flaw. Why even consider trusting anything they say after it has come to light that they do "parallel-construction". We can't trust them anymore, whatever they say.
Re:Analyzing the FBI's Explanation of How They Loc by Anonymous Coward · 2014-09-08 05:57 · Score: 0

I don't believe that the long-term op of Silk Road would be stupid enough to send his identifying information in the html of a wepage. They probably had other ways to do it and are leading everbody on as usual.
Re:Analyzing the FBI's Explanation of How They Loc by Anonymous Coward · 2014-09-08 06:00 · Score: 0

"An operation like Silk Road is no doubt very high-margin, and I can't imagine that they can operate at high volume without risk of detection."
This sounds like someone thinks Silk Road is more like Amazon when in fact it is more like eBay than Amazon. So the volume of "Silk Road" depends on the number of sellers and the volume of each seller to the buyers. SR was (is) just a web site to connect buyers with sellers and it in itself does not do order fulfillment.
(And no, I haven't used it to buy or sell ever).
Check out https://openbazaar.org/ for a more decentralized version of eBay (or SR for that matter).
Because you're a cunt by Anonymous Coward · 2014-09-08 06:24 · Score: 0

Because you're a cunt. You personally. Is the answer to all of your questions.
Captcha rate limiting error message? by mveloso · 2014-09-08 06:40 · Score: 1

I've been thinking about this over the last few days, ever since the story popped up in wired.
If they exceed the captcha's rate limit, the captcha -might- leak information in its rate-limiting error message. The message would be something like "your server at IP has exceeded its request limit."
This is likely because if you exceed the rate limit you'd kind of want to know which one of your front-ends was be the bad one.
Nobody really would test that sort of thing either.
1. Re:Captcha rate limiting error message? by phorm · 2014-09-09 03:11 · Score: 1
  
  Ah, that one would make sense to me.
  I still think the stupidest part would be having *any* anonymous server with direct access to the internet. I'd assume that - in order to know the hosts IP - it actually had a public IP address.
  Firewall, then server. Server gets a NAT'ed address, and only implicitly allowed connections make it through the firewall/NAT. It should never even know what the public IP is.
2. Re:Captcha rate limiting error message? by Anonymous Coward · 2014-09-09 14:15 · Score: 0
  
  Ideally you want the connection to be VPN'ed or proxy'ed not firewalled. If the problem is the Captcha provider site warning about exceding the rate limit in its response then that will report the server IP address it is receiving the requests from which, in your example, will be the firewall. Your server might be 10.0.0.1 but the firewall won't and as the two are connected the location is given up. What you want is the server that is visible to the Captcha provider to be different from the one serving your illicit site content.
  Something along the lines of User Tor -> Captcha provider
  Or better still, simply don't link to anything you do not control.
Re:Analyzing the FBI's Explanation of How They Loc by Rich0 · 2014-09-08 06:45 · Score: 1

Ah, in this case it is even easier to anonymize then, assuming you don't care about the buyers or the sellers. Just store all the data on the servers with nothing identifying, and the only thing you have to deal with is getting the listing fees off the site.
I'll confess I don't know a great deal about the Silk Road, as I've never visited the site.
Re:Analyzing the FBI's Explanation of How They Loc by Rich0 · 2014-09-08 06:49 · Score: 1

My example was contrived. The point is that tor doesn't prevent you from leaking identifying info. There are LOTS of ways this can happen, including:
1. Some application happens to embed a non-private IP in the data stream (maybe in a header or something). This is a classic problem if you try to run bittorrent over tor.
2. Somebody manages to run arbitrary code on your server via an exploit and this code has access to identifying information, such as a non-private IP, mac address, or just the ability to send packets to the internet (which can be sent to a server controlled by the attacker revealing the source IP).
Neither of these requires NSA-like capabilities to pull off, or the ability to defeat tor in general.
Re:Given that PayPal, banks make mistakes regularl by Anonymous Coward · 2014-09-08 07:21 · Score: 0

try replying to the guy that actually said that next time.
story is already obsolete by Anonymous Coward · 2014-09-08 07:57 · Score: 1

Doubts cast over FBI 'leaky CAPTCHA' Silk Road rapture - Security bod says affadavit makes no sense, omitted exploitation works
What, no Masquerading? Not credible... by gweihir · 2014-09-08 08:36 · Score: 1

Who would be so stupid to run a server like that without masquerading? That is not credible at all. A simple masquerading firewall before the actual server makes sure that a) no non-TOR traffic ever reaches or leaves the actual server and b) the server itself does not know the public IP it is reachable under. This is really basic protection and set up withing a few hours. It also makes sure nothing like the FBI claims can ever happen.
The only sensible explanation is that the FBI is lying through its teeth.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Feds Violated The Law Maybe? by Jane+Q.+Public · 2014-09-08 09:22 · Score: 1

Here's the thing:

Did the Feds have a warrant for searching this particular server? Quote the 4th Amendment:

... and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Did they have a warrant specifically describing the place to be searched, and the persons or things to be seized?

If not, they were violating the CSRA, by accessing a server without authorization, which is exactly what they tried to charge Aaron Schwarz with.

It is not permissible to break the law in order to enforce the law. This is a principle older than the United States itself.
1. Re:Feds Violated The Law Maybe? by Anonymous Coward · 2014-09-09 06:38 · Score: 0
  
  Does the Fourth Amendment apply outside the United States? In other words if the FBI wants to search my house in Iceland doesn't Icelandic law apply rather than U.S. law? After all Iceland isn't their jurisdiction.
  Also even in the United States a law enforcement officer can conduct searches for probable cause in the absence of a warrant.
  Also doesn't the CFAA, the actual act in question here, contain exceptions for law enforcement?
  As a matter of fact a federal court has determined that IP masking is a violation of CFAA. So by my reading the server in Iceland was in violation of CFAA by attempting to mask it's IP address.
  As far as that goes is forcing a computer to disgorge it's IP address an intrusion according to CFAA.
  It is not clear that it is not permissible to break foreign law to enforce U.S. law.
2. Re:Feds Violated The Law Maybe? by Jane+Q.+Public · 2014-09-09 16:37 · Score: 1
  
  Haha. Got me on CFAA. I was trying to remember the name of the law and the wrong one came up.
  
  I admit that I haven't looked it up lately, but to the best of my understanding, the server does not have to be in the United States. Just the person who accessed it.
  
  It's an interesting question, though, and I may have to look it up again after all. If a person standing in the United States shoots someone on the other side of the Canadian (or Mexican) border dead, has he or she committed a crime in the United States, or in that other country?
  
  I honestly don't know. It seems to me I did know the answer to that, but I have long since forgotten.
Re:Given that PayPal, banks make mistakes regularl by gweihir · 2014-09-08 09:34 · Score: 1

Paypal engineers do not go to prison for an extended period of time when they are caught. Paypal engineers are also the cheapest possible that can just about get the job done.

--
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
Neither does the guy Ulbricht hired by raymorris · 2014-09-08 09:56 · Score: 1

> Paypal engineers do not go to prison for an extended period of time when they are caught.
Neither does the script monkey that Ulbricht hired to set up the captcha.
1. Re:Neither does the guy Ulbricht hired by gweihir · 2014-09-08 10:17 · Score: 1
  
  You believe that he did not do this himself? Seriously, this guy evades the FBI for years and then he hires some Noob to do critical work on his servers?
  
  --
  Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
onlyif he's stupid. He had a huge criminal enterpr by raymorris · 2014-09-08 14:18 · Score: 1

He had a huge criminal enterprise to run, tons of money to launder, murders to order, and hopefully he'd make some time to enjoy his ill-gotten gains before he eventually made a mistake and got busted. If he was wasting his time setting up a captcha, that was pretty stupid. The smart thing would be for him to have someone eho understands banking and finance take care if the banking and finance, someone who understands programming take care of the programming, someone who understands high-capacity server infrastructure take care of the server infrastructure, ehile he ran the whole operation and spent some time on his boat. Actually, not really. He was successful before silk road,so the smart thing to do would have been to continue to make money legally. That has the advantage of not ending with a prison sentence.
AC repeats parent? by Anonymous Coward · 2014-09-08 16:25 · Score: 0

pretty sure AC repeats post - and is +5 insightful, while original post is 0? WTF? view at -1 to see this post...
127.0.0.1 by ehiris · 2014-09-09 03:13 · Score: 2

The IP will probably be revealed as being 127.0.0.1.
The judge will accept it as evidence, and the jury will convict because we are still living in a society of imbeciles trying to impose on how everyone should live under the premise that they know better as a collective decider.
We are destroying basic human rights and severely punishing people simply so we can "show them a better path" in life.
It's absurd. Why can't we just close all these ineffective branches of government fighting pseudo crimes already?
Re:onlyif he's stupid. He had a huge criminal ente by Anonymous Coward · 2014-09-09 13:55 · Score: 0

Given it is a criminal enterprise it makes no sense for him to go out hiring people to do programming, infrastructure, banking, finance etc as the more people he has to deal with the more people that can be compromised or just blab. The is a saying along the lines of "if you don't want anyone to find out your secrets then don't tell anyone". Master of your own destiny and all that.