The (Silk) Road to Hell is paved with noob mistakes
September 12, 2014 11:06 AM

The FBI has recently released details on how the Silk Road black market was taken down.

While the transactions were secured by the Tor network, the Silk Road provided a misconfigured CAPTCHA that used elements from the open Internet. FBI investigators noticed this and, from there, were able to trace back to the main server. Some security experts remain skeptical of the technique described but cannot disprove it. Previously: 1 2 3 4 5.

FULL DISCLOSURE: Ross Ulbricht, the man alleged to be the Silk Road's Dread Pirate Roberts, went to high school with my younger son, but I don't believe either of us knew him.
posted by ubiquity (37 comments total) 22 users marked this as a favorite
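The misconfiguration the post describes is a hidden-service page that tells the visitor's browser to fetch something from a host outside Tor, so the real server address ends up in plain view. The following lint is an added example (not from the thread, the FBI filing, or the Silk Road code) that flags such references; the .onion base URL, the 198.51.100.7 address, and the sample HTML are constructed.

```python
# Added example: lint a hidden-service page for references to clearnet hosts.
# Not from the thread or the case; the .onion base, hosts and HTML are constructed.
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Attributes whose value the visitor's browser will fetch or submit to.
FETCH_ATTRS = {"src", "href", "action", "data", "poster", "srcset"}

class ClearnetRefFinder(HTMLParser):
    """Collect (tag, attribute, url) triples that resolve outside .onion."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.findings = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if value is None or name not in FETCH_ATTRS:
                continue
            # srcset is a comma-separated list of "url descriptor" pairs.
            candidates = value.split(",") if name == "srcset" else [value]
            for candidate in candidates:
                parts = candidate.split()
                if not parts:
                    continue
                # Resolve relative and protocol-relative ("//host/x") URLs
                # against the onion base so only the final host is judged.
                host = urlparse(urljoin(self.base_url, parts[0])).hostname
                # data:, mailto: and javascript: URLs have no host; skip them.
                if host and not host.endswith(".onion"):
                    self.findings.append((tag, name, parts[0]))

def find_clearnet_refs(html, base_url="http://hiddenservice.onion/"):
    """Return every resource reference in html that leaves the Tor network."""
    finder = ClearnetRefFinder(base_url)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed page: one CAPTCHA image is pulled from a clearnet address.
SAMPLE_HTML = """<html><body><form action="/login">
<img src="/static/logo.png">
<img src="//198.51.100.7/captcha.png" alt="captcha">
<link rel="stylesheet" href="http://hiddenservice.onion/site.css">
<a href="mailto:admin@hiddenservice.onion">contact</a>
</form></body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_clearnet_refs(SAMPLE_HTML):
        print(f"clearnet reference: <{tag} {attr}={url!r}>")
```

Run it against a page fetched through the hidden service itself; a protocol-relative or absolute URL to a non-.onion host is exactly the kind of reference that should never appear there.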


That dude is in so much trouble.
posted by SpacemanStix at 11:32 AM on September 12, 2014


I'd absolutely love it if Ulbricht walks because the FBI gets caught lying to the judge and/or defense about how they hacked the server.
posted by jeffburdges at 11:52 AM on September 12, 2014 [7 favorites]


Or it could be NSA intervention plus what they call “parallel construction”, with the official version being a cover story whose sole purpose is to allow law-abiding members of the public to keep believing that there isn't a creepy secret police watching their every move.
posted by acb at 11:52 AM on September 12, 2014 [5 favorites]


I love how these Dunning-Kruger fucks defend their assertion that it wasn't the Captcha with "if it was, I would have found it."
posted by tonycpsu at 11:56 AM on September 12, 2014 [9 favorites]


They also used unobtanium powered unicorns and definitely in no way violated anyone's rights.
posted by blue_beetle at 11:59 AM on September 12, 2014 [1 favorite]


It's a plausible story, but ever since we learned about Parallel Construction we have to treat any statement by LE about sources or methods as a superposition of truths, and decide whether we give enough of a shit to keep the wave function from collapsing.
posted by RobotVoodooPower at 12:01 PM on September 12, 2014 [20 favorites]


Or it could be NSA intervention plus what they call “parallel construction”, with the official version being a cover story whose sole purpose is to allow law-abiding members of the public to keep believing that there isn't a creepy secret police watching their every move.

Another fishy aspect of the case that points to this is the fact that Ulbricht ordered fake IDs from Canada which were intercepted and given to the FBI. According to the FBI, they had no idea what his real name or physical address were before this happened, and the fake IDs were seized during a routine search by customs.
posted by burnmp3s at 12:05 PM on September 12, 2014 [2 favorites]


burnmp3s, I'm a bit dense today. Wouldn't the story be that Customs found fake IDs and gave them to the FBI? What's the contradiction?
posted by Sticherbeast at 12:08 PM on September 12, 2014


Yes, because it's not like counterfeit IDs would be considered contraband to be seized by customs, nor would customs forward such contraband to the FBI out of legitimate concerns.
posted by NoxAeternum at 12:09 PM on September 12, 2014 [1 favorite]


I don't think there's any parallel construction here. The 2 reddit threads I linked to in my previous comment were made before the bust and detailed that the site was leaking its public IP.
posted by I-baLL at 12:18 PM on September 12, 2014


If IP leaks were repeatedly documented by Ulbricht and others, I think it's going to take some crazy smart experts to prove that this isn't the way that the FBI got the information simply because others couldn't reproduce the conditions, or didn't notice it first. If the FBI is lying on this, they are certainly doing it in a way that makes others work hard for the right to prove otherwise.
posted by SpacemanStix at 12:22 PM on September 12, 2014 [2 favorites]


There is this mythos of super hackers (yes I know the varieties of the entomology of 'hack') and the government having alternately super science resources or a captured 'superhacker' team. But probably over 90% of software attacks, breaks or government cases are just simple stuff. Default passwords just left open on production servers. Some simple gotcha that's carefully listed in a manual. There's got to be some long slow slogging, and folks have determination to hunt down the open door but it's rarely super tech, just someone forgot to "lock the front door".
posted by sammyo at 12:26 PM on September 12, 2014 [5 favorites]


Um, you don't think fraudulent ID would be of interest to US Customs? You think they go "oh, hey, sure, we'll just let these illegal items through"? What planet are you living on?
posted by tavella at 12:27 PM on September 12, 2014 [1 favorite]


...actually, I think NoxAeternum was being sarcastic in response to burnmp3s. Sorry!
posted by tavella at 12:31 PM on September 12, 2014


@tonycpsu, I don't see how that is a Dunning-Kruger effect at all. The method of finding the IP they describe isn't rocket science and really should have been easy to find by any pen tester if it really existed in the form they are claiming.

Who knows, perhaps there is an NSA required bit of code in the CAPTCHA that allows people with the proper key to just ask for the ip address. Perhaps this is just bullshit. Without a copy of the source code for the site, it'll be hard to prove one way or the other.
posted by HappyEngineer at 12:34 PM on September 12, 2014


HappyEngineer: @tonycpsu, I don't see how that is a Dunning-Kruger effect at all. The method of finding the IP they describe isn't rocket science and really should have been easy to find by any pen tester if it really existed in the form they are claiming.

I do info sec for a living. People make basic mistakes all the time. They review a different rev of the code than the one that's in production, they grep for the IP in the tcpdump output forgetting that they did so with a filter, they set up their IDS alerts with an overly-specific rule...

Maybe this is the only time they ever let something through, compared to 999 times they caught this kind of error. The Dunning-Kruger part is where they assume that they're immune to basic human nature -- where they assume they can't possibly make an error one out of a thousand times they do something.
posted by tonycpsu at 12:41 PM on September 12, 2014 [4 favorites]


Some people have had a strangely inflated sense of how secure Silk Road was because of the halo effect of viewing DPR as some kind of underground hero. How could the authorities have ever sniffed him out without resorting to nefarious tactics?

How about because DPR was posting basic programming questions on public forums around the time he was launching SR? Expert coders working on software for years still can't plug every potential attack surface. The probability that DPR and some right hand man or two helping him out would stumble somewhere was nearly 100%. That the stumble would involve leaking an IP outside Tor was among the most likely. Truly an Occam's Razor scenario.

The same is true of every other underground black market, too. If Apple and Adobe and Oracle can't keep their products completely secure, you think a few radicals bootstrapping a DIY web market for quasi-criminals can do better?
posted by thebordella at 12:44 PM on September 12, 2014 [9 favorites]


If Apple and Adobe and Oracle can't keep their products completely secure, you think a few radicals bootstrapping a DIY web market for quasi-criminals can do better?

Especially if the FBI and other parts of the US justice system are trying to find your security holes.
posted by sideshow at 1:03 PM on September 12, 2014


However the FBI did it, the number of no0b errors is infinite. Thinking you know all of them is one of them.
posted by jfuller at 1:12 PM on September 12, 2014 [5 favorites]


I feel like the efficacy of the hunt for DPR was less about "OMG FBI HAS TEH HAXXORS" and more about "they pay this one guy to constantly try and find this other guy." Remember that DPR was running a business as well as trying to stay hidden. The FBI has fewer distractions.
posted by oceanjesse at 1:20 PM on September 12, 2014


People make basic mistakes all the time. They review a different rev of the code than the one that's in production [...]

Kovacs didn't claim that he personally would definitely have caught any real IP address in the SR pages, so there couldn't have been one.

What he claimed was that not only he, but dozens of other people, were looking at those pages, and that at least one person who would have said something should have caught it.

I don't tend to believe his reasoning either, because I've seen lots of people screw up, and probably only one in 10 actually would say anything in public if they did find it, and we don't know how long the bug was there, and a lot of other reasons. The FBI's claim sounds plausible enough to me, although I would by no means bet a lot of money on it.

But you're mischaracterizing what the guy wrote and calling him a "fuck" because of that mischaracterization.
posted by Hizonner at 1:28 PM on September 12, 2014 [1 favorite]


First off, Kovacs was quoting Nik Cubrilovic, so I'm not calling Kovacs a "fuck" at all.

And, yes, I'm calling anyone who claims that it's "unreasonable" that he and a group of peers wouldn't make a mistake a "Dunning-Kruger fuck." It's very reasonable that even the best security researchers would make what looks like a simple mistake, because we do it all the time. Just because he and his peers spent so much time with it doesn't preclude the possibility that they fucked up.

You know that feeling you get when you watch that Youtube video where you follow the basketball for a minute or two and then it asks you if you saw the gorilla? Nik Cubrilovic is saying "I'm not wrong -- there was no gorilla."
posted by tonycpsu at 1:36 PM on September 12, 2014 [3 favorites]


So what about the FBI's child porn takedown on Tor, which did involve a Firefox zero-day exploit to track users? Obviously not a fan of the distribution of child pornography, but the FBI's methods on that one are particularly troubling to me.
posted by zachlipton at 1:43 PM on September 12, 2014 [1 favorite]


I don't think anyone expects that DPR perfectly configured his server. It is just that most think the NSA has other tools to discover TOR hidden servers and those are a lot easier to use. Once the FBI has access to the server for a few months they can find an improper configuration and use that to explain how they found it. This protects the NSA and hides any possible illegal search from the court in the name of national security.
posted by humanfont at 1:45 PM on September 12, 2014


burnmp3s, I'm a bit dense today. Wouldn't the story be that Customs found fake IDs and gave them to the FBI? What's the contradiction?

Yeah I didn't really describe my reasoning. Given the amount of mail that is transferred between the United States and Canada and the fact that fake IDs would be very hard to detect without physically opening the envelope, it seems like it would have been very bad luck for that particular shipment to be randomly searched and seized. Whereas if the FBI had already found Ulbricht's name and location via a different source (such as the NSA), then they could have purposely intercepted the shipment and then used it after the fact as an alternative explanation of how they found his name and address.
posted by burnmp3s at 1:46 PM on September 12, 2014 [4 favorites]


How about because DPR was posting basic programming questions on public forums around the time he was launching SR?

Mark Karpelès, the (most recent and most significant) owner of Mt. Gox, the bitcoin exchange that handled 70% of the trading volume in bitcoin until its controlled flight into terrain, had a blog. His most recent entry, before it was hacked and nuked, was describing his excitement at trying to write an SSH server in PHP.

In PHP.
posted by fatbird at 2:16 PM on September 12, 2014 [5 favorites]


brb hacking up unux in some cobol basic logo. gonna use all my megahertz
posted by Sticherbeast at 2:24 PM on September 12, 2014 [3 favorites]


What he claimed was that not only he, but dozens of other people, were looking at those pages, and that at least one person who would have said something should have caught it.

One word: Heartbleed.

The "many eyes makes bugs shallow" argument has been disproven time and time again.
posted by NoxAeternum at 2:28 PM on September 12, 2014 [2 favorites]


DNS leaks are a tricky thing, even for services that supposedly know how to deal with it. I was talking to tech support at my VPN proxy service, when the tech asked me why I was trying to access their torrent proxy server through their VPN. I was stunned, I told him, "because that's how it is supposed to be set up. That's the whole point of your company."
posted by charlie don't surf at 2:44 PM on September 12, 2014 [4 favorites]


It is just that most think the NSA has other tools to discover TOR hidden servers and those are a lot easier to use.

we actually know a great deal of what the nsa is capable of re: tor thanks to snowden, and there is nothing to suggest this. the US gov invented tor and is the #1 funder of the tor project, because our spooks use it too
posted by p3on at 2:46 PM on September 12, 2014


we actually know a great deal of what the nsa is capable of re: tor thanks to snowden, and there is nothing to suggest this.

There is information to suggest it. Among other things we learned that the NSA considers anyone having interest in TOR as grounds to mark them a person of interest and record all their information in perpetuity. That level of surveillance combined with the NSA culture of secret unconstitutional searching seems like it could plausibly have cracked this nut illegally, which (thanks to Snowden et al) is also something we know is a standard operating procedure.
My own guess is that people aware of tor are logged because having a giant log of all traffic entering and exiting TOR from every user/box, provides (or is expected to someday provide) a way to link users and activities, even if traffic remains mostly inscrutable.
posted by anonymisc at 4:51 PM on September 12, 2014


"Um, you don't think fraudulent ID would be of interest to US Customs? You think they go "oh, hey, sure, we'll just let these illegal items through"? What planet are you living on?"

Well, since fake IDs don't usually get sent with a big sticker that says HEY THESE ARE SOME FAKE IDs!, it seems a little implausible that they'd just happen upon them. Fake IDs are some of the easiest, least risky contraband to ship because they look just like legitimate mail. And the government isn't supposed to go through our mail without a warrant or probable cause.
posted by klangklangston at 5:24 PM on September 12, 2014 [2 favorites]


Well, since fake IDs don't usually get sent with a big sticker that says HEY THESE ARE SOME FAKE IDs!, it seems a little implausible that they'd just happen upon them.

Out of curiosity, I tried to google for how often such things get nabbed by Customs. There are a weirdly large number of questions on the internet from dopes who bought fake IDs from China, whose packages are caught by Customs. PLEASE HOPE ME, ASKYAHOO

Also, who's the industrial-grade dingdong who's buying fake IDs from China, to be sent to the US?
posted by Sticherbeast at 7:10 PM on September 12, 2014 [2 favorites]


The protections against US government search of your packages and correspondence via US Postal Service only apply to items sent within the United States. As soon as the item crosses the border the government can search it.
posted by humanfont at 8:06 PM on September 12, 2014 [2 favorites]


sammyo: There is this mythos of super hackers (yes I know the varieties of the entomology of 'hack') and the government having alternately super science resources or a captured 'superhacker' team.

Well to be fair, this is one of the most badass hacks I've ever heard of. Mr. Toad would sit down after that wild ride and go "well, fuck." And the government did it, so...

I just don't think it's a ridiculous assumption to make. That they would sink that amount of resources into silk road is silly, but they seemingly do have the capability to pull off some really gonzo shit.
posted by emptythought at 9:46 PM on September 12, 2014

