How Did the Feds Identify Dread Pirate Roberts?

Last month, I wrote that the FBI identified Ross W. Ulbricht as the Silk Road’s Dread Pirate Roberts through a leaky CAPTCHA. Seems that story doesn’t hold water:

The FBI claims that it found the Silk Road server by examining plain text Internet traffic to and from the Silk Road CAPTCHA, and that it visited the address using a regular browser and received the CAPTCHA page. But [Nicholas] Weaver says the traffic logs from the Silk Road server (PDF) that also were released by the government this week tell a different story.

“The server logs which the FBI provides as evidence show that, no, what happened is the FBI didn’t see a leakage coming from that IP,” he said. “What happened is they contacted that IP directly and got a PHPMyAdmin configuration page.” See this PDF file for a look at that PHPMyAdmin page. Here is the PHPMyAdmin server configuration.

But this is hardly a satisfying answer to how the FBI investigators located the Silk Road servers. After all, if the FBI investigators contacted the PHPMyAdmin page directly, how did they know to do that in the first place?

“That’s still the $64,000 question,” Weaver said. “So both the CAPTCHA couldn’t leak in that configuration, and the IP the government visited wasn’t providing the CAPTCHA, but instead a PHPMyAdmin interface. Thus, the leaky CAPTCHA story is full of holes.”

My guess is that the NSA provided the FBI with this information. We know that the NSA provides surveillance data to the FBI and the DEA, under the condition that they lie about where it came from in court.

NSA whistleblower William Binney explained how it’s done:

…when you can’t use the data, you have to go out and do a parallel construction, [which] means you use what you would normally consider to be investigative techniques, [and] go find the data. You have a little hint, though. NSA is telling you where the data is…

Posted on October 20, 2014 at 6:19 AM • 44 Comments

Comments

Bob S. October 20, 2014 7:14 AM

Parallel construction:

That’s the way I figured it too, thus compounding damage to the Constitution and Rule of Law.

And, I still don’t know what to think of judges who play Three Monkeys.

Gra October 20, 2014 7:15 AM

Bad parallel construction. Simple as that. Now, I just wonder why it took this many years for the FBI to go after Silk Road. From the documents released by Edward Snowden, NSA had the capability to deanonymize Tor hidden services for quite some time now, using traffic analysis and correlation. And, of course, they could see enough Tor traffic. So the question that lingers is not how FBI found him (NSA) but why just now? They didn’t care enough before? They were after something specific? If so, what was it? I really would like to see these questions answered.

Thoth October 20, 2014 7:47 AM

I have a feeling the US Government programs have gotten too powerful to the point the Congress could not rein the NSA, FBI, CIA, DOD … all of them back under the control of the President and Congress and the TLAs can run crazy and free and do as they want.

Heck, they could actually replace the judges or juries or setup the judges and juries in the court if they want. If they wanted more money, they could actually blackmail or manipulate their way in and if they want to cover up or frame someone, they can get everything they want with no consequences nor efforts spent.

I wouldn’t be surprised if they could actually replace the President of the USA whenever they want it done ……

The only way to handle such widespread misuse of power is to level the playing field and allow everyone to have elevated power in their hands.

Andrew October 20, 2014 8:48 AM

@gra: IANAL but a law was passed not holding web sites responsible for user content. This law is extremely important for freedom of speech. But it means that an argument can be made that Silk Road is not illegal… FBI had to wait for the perp to break other laws.

f2i4u4uhugyfgu3y October 20, 2014 8:56 AM

Maybe the dozens of U.S. defense IPs on the TOR network have something to do with it?

The NSA doesn’t hire illiterate people or standard talent.. It’s not far fetched to say they know how to unwrap packet streams on the network in real-time..

Bardi October 20, 2014 9:04 AM

Thoth: “I wouldn’t be surprised if they could actually replace the President of the USA whenever they want it done”

What makes you think they have not? If nothing else a reminder that would last for decades, who really runs the show.

Clive Robinson October 20, 2014 9:07 AM

@ Bruce,

I suspect William Binney’s statement is no longer true.

That is, whilst the NSA does tell them where the data is, the receiving LEAs can no longer be bothered to actually go through the pretence of investigating to find it, and will even make the evidence “more sexy”.

In the UK, people who visited a well known sex site front end run from the US were accused of being those who prey on children. In court the prosecution produced an image of the site’s front page given to them by a US LEA. As it turns out this image was false: somebody had moved the contents of the page around and made the aspect of children very, very prominent towards the top of the page, whereas the original had it in much smaller and harder to read font towards the bottom of a large page, thus many people on loading the page may not have even displayed it on their screen.

The man in the UK in charge of the investigation, and thus responsible for not checking or preferring to take the more convenient but false view to court, has never apologized and conveniently jumped before he could be correctly investigated and fired. It has been estimated by several groups involved that he has set child protection in the UK back at least seven years…

But this was not the only negligence; the investigation team, even when presented with very reliable evidence that people had not even visited the site, refused to investigate as they were duty bound to do. It subsequently turns out that some of those accused by the police had in fact had their credit card details stolen whilst using the services of a large UK supermarket chain…

So I suspect, as the NY Police were once accused of being too fat to work so would “pull a gun rather than run”, similar “unfit” accusations against US Police forces can be made not just on physical or mental grounds, but also apply to their investigative abilities as well, and is probably endemic.

BoppingAround October 20, 2014 9:43 AM

Thoth,

I’d like to know what the TLAs think. Do they do what they do because they themselves believe in that terrorist boogeyman? Because of money? Power? Because they have been playing the game for too long and now the game plays them too?

Thoth October 20, 2014 9:59 AM

@BoppingAround
All of the above. It is all interrelated issues. You play in the game too long and get addicted and don’t want to “lose control” so the next step is to accuse everyone and try to gain more “control”. Money and power are interrelated as well. I am not the TLAs (since I don’t reside in the US) so I can only figure out what is in their minds by observing their steps and making guesses. Bogeyman in the toilet/closet is a good way to earn more fear (thus more funds and power).

Norman October 20, 2014 10:26 AM

The problem is not the NSA. The problem is US, the people. We have allowed many things that should never have happened. We did this because we were asleep consciously. We allowed entities like the CIA and NSA to have ultimate power AND in secret. Power corrupts and ultimate power corrupts ultimately. We have all heard of this truth and we know it is true and we allowed it. We continue to allow it. The people are the ultimate power but we have given that power away to corrupt men who are far more asleep than we are.

The good news is that we are awakening. Because we are having these conversations now.

We ARE our government and we can change this all anytime we choose to. Just like in Egypt they got rid of a 40 year dictator in 2 weeks of action. We too can change the CIA and NSA and make their madness, which we have allowed, a thing of the past, like Mubarak.

Blessings

Bob S. October 20, 2014 11:01 AM

@Dave, RE:Grugq & faulty OPSEC

Except, that’s not at all what the FBI says it did under oath in court. FBI claims they entered random characters into the captcha and Shazam! cracked the whole thing.

On top of that, parallel construction is an approved policy of the US Government.

Once again, it’s unclear to me why judges allow this vast negation of the Constitution and hundreds of years of established law principles.

Another thing, has anyone actually duplicated the FBI claim? If it’s that easy, it should be repeatable.

Thoth October 20, 2014 11:03 AM

@Norman, BoppingAround and all..
I would say the problem like almost every other problem is multi-fold. It takes a lot of causes and conditions to ripen into this state for the whole world.

On one hand it is the NSA and TLAs attempting to write what they want and get what they want. On the other hand it is all of US (includes the World) that is at fault for allowing ignorance and such behaviours to propagate.

When the NSA and TLAs are just picking up steam to upset the balance and make themselves the Owners instead of US as the Owners, most of US simply let it be and when they grew into Owners, US lost a significant control and try to snatch it back and they will try to prevent it.

Bear October 20, 2014 12:08 PM

Y’know, I’m pretty sure that requiring anyone to lie in court (esp. about where evidence comes from) violates some fundamental principles of the rule of law. How is that not the primary issue here?

What we have here isn’t just a violation of computer security, it’s a violation of the US constitution.

nginx October 20, 2014 12:46 PM

There’s a really stupid bug in the linked SR nginx configuration. As configured, anyone issuing regular GETs to https://<hidden>/index.php or /pgpadmin.php or /~DreadPirateSR or … gets access to the local SR server. That’s because the second nginx “location ~* .php$ {” block has absolutely no ACL directives. This is bad, as SR was supposed to allow access to the site only via tor on localhost. Toss in the fact SR allowed the redditors to see its IP address on a login page, and it’s game over. No spooky hypotheses are necessary.

All this points to Silk Road being undone by @ DreadPirateSR’s incompetence.

nginx October 20, 2014 12:58 PM

Here’s the documentation for nginx configuration:

Let’s look at how nginx chooses a location to process a request for a typical, simple PHP site. … The first matching expression stops the search and nginx will use this location.

In the case of SR’s site, requests to /*.php are handled by the second location block. The access control directive in the first location block is ignored for such requests.

Silk Road was safely hidden behind tor only until anyone asked it to serve up its PHP admin page, and a second misconfiguration mistake like that shown on reddit revealed its real IP address.
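The location-precedence problem the comment above describes, shown as an added illustration rather than the configuration from the court filing: a server that puts its loopback-only ACL in the prefix block, and a hardened variant that binds to loopback and declares the ACL at server level so every location inherits it. Root path, index file and the FastCGI socket are assumptions.

```nginx
# Added example, not the Silk Road nginx.conf. Paths and backend are assumed.

# --- Weak pattern: ACL lives only in the prefix location ----------------
server {
    listen 80;                          # bound on every interface
    root   /var/www/site;

    # Intent: only the local Tor daemon may reach the site.
    location / {
        allow 127.0.0.1;
        deny  all;
        index index.php;
    }

    # nginx remembers the longest matching prefix location, then tests
    # regex locations in order and uses the FIRST regex that matches.
    # A request for /index.php matches here, so the allow/deny above is
    # never consulted: the PHP front end answers to any source address.
    location ~* \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php-fpm.sock;
    }
}

# --- Hardened: loopback bind plus an ACL that every location inherits ----
server {
    listen 127.0.0.1:80;                # unreachable from any real interface
    root   /var/www/site;

    # access-module directives declared at server level apply to every
    # location that does not define its own allow/deny, regex blocks included.
    allow 127.0.0.1;
    deny  all;

    location / {
        index index.php;
    }

    location ~* \.php$ {
        include       fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass  unix:/run/php-fpm.sock;
    }
}
```

To confirm the effective rules, `nginx -T` prints the fully merged configuration; a request for any `.php` path from a non-loopback address should then be refused at the socket (loopback bind) or answered 403 (inherited ACL).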

Turk October 20, 2014 3:12 PM

To: Bruce
Re: News story about: Stingray – IMSI Catcher – GSM interceptors

I thought this was important so…

10-20-14
Cops Need a Warrant to Grab Your Cell Tower Data, Florida Court Rules
http://www.wired.com/2014/10/florida-court-requires-warrant-cell-tower-data/

Snippets:

-The Florida Supreme Court ruled Thursday that obtaining cell phone location data to track a person’s location or movement in real time constitutes a Fourth Amendment search and therefore requires a court-ordered warrant.
-But the way the ruling is written, it would also cover the use of so-called “stingrays”— sophisticated technology law enforcement agencies use to locate and track people in the field without assistance from telecoms.
-The American Civil Liberties Union calls the Florida ruling “a resounding defense” of the public’s right to privacy.

Java October 20, 2014 3:52 PM

@Norman
Nice to blame it on the citizens. It’s nearly like blaming the rape victim for the rape.

Before US went to war with Iraq we had over 100K people demonstrating against it. Here in USA. Did it help anything? No it did not – Bush and Dick ignored all of that and did what they wanted.

The Egyptian demonstrators did not do what they did alone. They got help from outside of Egypt.

If you try anything more violent than a standard demonstration you can be sure that this government has far more resources for battle than what you and your fellow demonstrators would have.

Grauhut October 20, 2014 4:26 PM

@Bruce “My guess is that the NSA provided the FBI with this information.”

If the dead pirate really used a service like Google’s reCAPTCHA they just had to type in a long wrong code and ask Google or some other captcha service from which server this code was presented.

If they accessed the server’s official external eth web address then it’s possible they saw a phpmyadmin login there. The .onion hidden web service could have been driven on another vhost or server instance mapped to the localhost address.

Ryan October 20, 2014 5:27 PM

There was a time when Judges performed a public service in ensuring strong protections against police abuses occurred. That was probably before Grand Juries became rubber stamp operations, and warrant-signing judges started flowing ink all over the place.

Robert Schneier (Bruce's less known twin brother) October 20, 2014 6:38 PM

@Grauhut

If the dead pirate really used a service like Google’s reCAPTCHA they just had to type in a long wrong code and ask Google or some other captcha service from which server this code was presented.

This has actually been my concern about tracking internet users behavior for nearly a decade.

Bob S. October 20, 2014 6:56 PM

I think I read here, Dread Pirate confesses to being caught by the FBI just like they said via a recaptcha fault and Bruce’s brother, Bob, (not me) says that’s been a problem for a decade while his brother Bruce thinks this is an example of parallel construction.

I think I’ll just go ahead and reboot my brain. I think I need it.

dprobertsfail October 20, 2014 7:02 PM

My impression when silkroad went down was thus:

He had links and several posts from him mentioning his various personal interests, including some quite rare per population ideas. The FBI then went to these websites, and searched for other similar posts, found some, then used the fbi wayback machine to check history of these pages, and bam, they found him with different logins, etc.
Long story short (too late), they just used really good police work to link up several of his online profiles, mostly because he was sloppy, and because he thought if he changed something, even his account name, profile name, that it would not be archived somewhere.

Next, armed with this circumstantial evidence, plus the idiot’s own assertion to the customs and border patrol agents, who brought him his ordered multiple fake IDs from Canada, that he didn’t order them, oh no, but if he did he would use silkroad, he said. It was only a matter of time before he was tailed 24 hours a day, 7 days a week.

His main login location, a coffee shop in San Fran (kinda fuzzy here my mem is), was easily found by correlating postings on silkroad with his observed online time. Then a subpoena of telco records showed just where he was going, and yes, some of it was tor. But some of it wasn’t! As you can see, he didn’t know what he was doing; he was even found with some of his other identities to be asking about how to do this or that on stackheap, etc. And there was the direct link to the silkroad server.

WhambamTYmaam later, the FBI had the PHYSICAL machine in their presence, yes they actually went to the machine itself, and from here I think you can all figure out just how easy it is to hack a machine you have physical access to.

Now for why the courts have such a convoluted version of all of this: there are so many people involved with such little knowledge, that the executive summary itself cannot be understood, and with such a large telephone game of egos, they screw it up. But rest assured (or not as the case may be) he is going to jail.

f2i4u4uhugyfgu3y October 20, 2014 7:18 PM

SUMMARY: God couldn’t even find a hole in TOR software or protocol or used ciphers..

Harry Johnston October 20, 2014 7:19 PM

“After all, if the FBI investigators contacted the PHPMyAdmin page directly, how did they know to do that in the first place?”

… well, there’s less than 4 billion publicly routable IP addresses. It wouldn’t be implausible to check all of them.

AlanS October 20, 2014 9:14 PM

@baudrillard

That’s Glennon’s thesis. They don’t as it makes no difference who is elected to the office. See post here.

Andrew_K October 21, 2014 12:52 AM

@ Thoth, BoppingAround

I do like to think that there may be some honourable men left inside the agencies. Some who are good by heart but simply misled. Thinkin’ they are doing good to the U.S. Thinkin’ that closing down Silk Road is so important that it has to be done, whatever it takes. Anyhow, I do not insinuate that any of those are in charge. They won’t; their character of having a conscience probably will fail the character test for promotion.

Why do I think that? Because everything else would be too scary. There is much evil in the world. Just statistics: There has to be some good, too.

If we want to change something, perhaps we should apply for jobs at NSA. Change from inside a system often is easier than from outside. The NSA is there for a reason and it originally was a good one. We just need to remember which one it was. Wasn’t it something along the lines of supporting decisions with intel?

@ Norman, Java
I see the bigger problem with the media. Have a look at Europe. Main stream media repeatedly covers Intelligence, failed operations, and how they try to fool officials. The links Benni posts here are not links to some ultra-critical marginal group sites. Der Spiegel is one of the biggest magazines in Germany. NDR, WDR and Sueddeutsche Zeitung are a powerful coalition of two public broadcast services and a private newspaper. This is something we miss in the U.S.: A critical and powerful media coverage that is received by broad masses. So if there are people storming Ft. Meade, more important than their weapons is the presence of the news networks who then need to live-broadcast what happens. NSA will make the people disappear and the networks must follow them.
The worst thing for the agencies is the bright spot of independent broad media with knowledge. A well informed journalist bulldoggy-like publicly asking for individuals’ fate over and over again can be more pain in the ass than the individual itself. Sidenote: This is how Amnesty International works: Let there no one be forgotten.
Interestingly, this very appeal also fits several military codes of honour.

Mike the goat October 21, 2014 2:47 AM

nginx: I agree, misconfiguration could indeed explain it. I have seen this before when doing sec audits of large organizations – things like a 5xx page leaking the IP of the web server (a bad thing where they are hiding behind a service like cloudflare to prevent DDoSing), a fool leaving a php config page world readable etc. I consider that if you were in Silk Road’s shoes having a real interface on the web serving machine could potentially cause you trouble down the line. It would be much better to terminate the tunnel on a dedicated router and then have the web serving machine behind it so that exposure of a real interface IP (or any other info) isn’t possible. Sure the routing machine could be compromised but you’d reduce the attack surface on that host by a large margin just by not running a http server.

However – while misconfiguration, the use of an external captcha service and a myriad of other explanations are indeed possible I personally don’t buy it.

I have heard mutterings and innuendo from a friend of mine who would likely know (given clearance and who they work for) that there is a big hole in tor that is generally exploitable given enough time but becomes especially permeable when that host is running a high traffic hidden service. Sure, this could be disinfo but I sincerely doubt it.

The most information I could get from the guy is that the key to the efficacy of their vuln is the way that “changing of the guard” is engineered and that recent tor releases have somewhat mitigated the issue but this has only increased their time to uncloak and hasn’t entirely rendered the attack ineffective.

Now, we have all seen the paper on tor traffic analysis via correlation. Whether they are applying the techniques there or not I don’t know. What I do know is that I would not be running a tor H/S from a machine that could be traced back to me if tor wasn’t as good as advertised.

Mike the goat October 21, 2014 2:49 AM

Harry: I guess Shodan and similar services do it, so if private enterprise can effectively port scan the entire netspace then for govt it would be a non issue.

Grauhut October 21, 2014 4:45 PM

@Robert Schneier: “…tracking internet users behavior…”

Once upon a time, more than ten years ago, I was a freelance PM for the key account division of a big magenta coloured service provider, managing the creation of a web bug based browser profiling toolkit with some funny cross site around-your-proxy phone home features based on Java and Shockwave, features or bugs still available at this time. Some of these “bugs” should still work today. I know some profiling tricks, invented some; that’s why I am trained on seeing this kind of simple “abuses” of nice software as a service tools… 😉

@Thor of Asgard: That tor box was really a little bit fraudy…

Badly set up and patched openwrt on a china crap 18,-$ pocket router, no own invention as promised, all bad copycat work.

Grauhut October 21, 2014 5:02 PM

@Mike the goat: If you are the NSA, you see all the traffic on all lines and you operate a tor inbound gateway, you shorten the hops by one. If you disconnect this server now for some seconds from the internet and craft some “morse code like” package sequences, size and time encoded, send them to the hidden server and you can follow these “morse sequences” on all routes, you will at least find out the data center where the hidden service is hosted.

The rest is FBI level work.

Gweihir October 22, 2014 9:19 AM

More evidence of a Police State actually being in a late stage of establishment in the US: When they do not even bother to lie convincingly under oath and still get away with it, it is high time to leave the country.

Joshtree October 22, 2014 10:51 AM

@Gra: it is not uncommon for law enforcement to sit on a case, until it grows big enough to bust. makes everybody look good. it’s been the trend.

Grauhut October 22, 2014 3:13 PM

@loser interface: Tor bundled by default with a browser like Chromium or Firefox would be tor for the masses. But for such a decision a software team or corporation would need somebody with balls of steel. Do this and you are enemy no. 1, “special treatment” from the IRS included…

Gerard van Vooren October 22, 2014 3:57 PM

@ Grauhut

“Tor bundled by default with a browser like Chromium or Firefox would be tor for the masses.”

You are probably right.

However, from a security POV I would rather see TOR as a simple layer, like TLS. That means without the software bundle.

That combined with only allowing a subset of HTML features in the TOR environment. In that case a very simplified browser could work.

Because, let’s be honest, if you use TOR would you like to see the nicest animated tracking ads or only the things that are important?

Grauhut October 22, 2014 8:37 PM

@Gerard: The internet is insecure by design because one doesn’t need a security license to use it and “Insecure is easier!”. That’s why “security for the masses” is an oxymoron.

A minimal secure browser using tor as infrastructure is not enough, you need some sandbox too. Maybe with dockers for windows… 🙂

And as long as free as beer pr0ne video on demand over tor is unstable the masses will not use it by default. /zyn

Jerry Jones November 7, 2014 4:41 PM

is it possible they are simply sweeping all ip addresses (256*256*256*256) and looking for the website to appear?
