Feds Say NSA "Bogeyman" Did Not Find Silk Road's Servers
An anonymous reader writes: The secret of how the FBI pinpointed the servers allegedly used by the notorious Silk Road black market website has been revealed: repeated login attempts. In a legal rebuttal, the FBI claims that repeatedly attempting to log in to the marketplace revealed its host location. From the article: "As they typed 'miscellaneous' strings of characters into the login page's entry fields, Tarbell writes that they noticed an IP address associated with some data returned by the site didn't match any known Tor 'nodes,' the computers that bounce information through Tor's anonymity network to obscure its true source. And when they entered that IP address directly into a browser, the Silk Road's CAPTCHA prompt appeared, the garbled-letter image designed to prevent spam bots from entering the site. 'This indicated that the Subject IP Address was the IP address of the SR Server,' writes Tarbell in his letter, 'and that it was "leaking" from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.'"
With Tor you have expectation of anonymity... (Score:1)
Re:With Tor you have expectation of anonymity... (Score:4, Informative)
Feds Violated The Law Maybe? (Score:2)
Did the Feds have a warrant for searching this particular server? Quote the 4th Amendment:
... and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
Did they have a warrant specifically describing the place to be searched, and the persons or things to be seized?
If not, they were violating the CSRA, by accessing a server without authorization, which is exactly what they tried to charge Aaron Swartz with.
It is not permissible to break the law in order to enforce the law. This is a principle older than the United States itself.
Re: (Score:2)
I admit that I haven't looked it up lately, but to the best of my understanding, the server does not have to be in the United States. Just the person who accessed it.
It's an interesting question, though, and I may have to look it up again after all. If a person standing in the United States shoots someone on the other side of the Canadian (or Mexican) border dead, has he or she committed a crime in the United
Re: (Score:3)
That's how the Harvard kid got busted classically calling in a bomb threat on test day. The feds looked for outgoing Tor traffic from the Harvard LAN, which requires a MAC address BTW.
http://www.forbes.com/sites/ru... [forbes.com]
Parallel construction (Score:2)
We'll never know (Score:5, Insightful)
http://www.washingtonpost.com/... [washingtonpost.com]
With multiple leaders of the U.S. intelligence apparatus having been caught lying under oath, we'll never know. One of the techniques is for the NSA to pinpoint something, then the FBI looks at the target and finds something else they can label as the "reason" they found out about it.
At this point, because of our government's shortsighted decisions (Bush/Obama) to pursue and institute a surveillance state (à la East Germany), we'll never know what the story was here and have to take any claim from the Feds with a huge dose of skepticism.
Seems unlikely to me (Score:4, Insightful)
It's not about a server misconfiguration.
TOR connections are tunnels. You don't have to configure your webserver etc for TOR, your machine just has to be behind a firewall etc that doesn't allow the traffic out (or really, a router that just doesn't NAT it in). The only way to access the webserver would be through the tunnel, so no TOR=no access.
I find it a bit hard to believe that a guy who is able to get one of the largest black-market enterprises running on a server/farm connected to an anonymous/decentralized network isn't smart enough to *not* give it a public IP and/or put the equivalent to a home internet router in front of it.
Given that PayPal, banks make mistakes regularly (Score:5, Insightful)
> I find it a bit hard to believe that a guy who is able to get one of the largest black-market enterprises running on a server
Do you find it hard to believe that Paypal's engineers make significantly more obvious mistakes? They do, of course. The thing about crime, and security, is that you can do a hundred things just right, and be taken down by the one thing you missed. It's adversarial like sports, but unlike sports 47-2 is a losing score for the team who scored 47. Those two items on which you let the authorities score put you in prison.
Re: (Score:2)
> I find it a bit hard to believe that a guy who is able to get one of the largest black-market enterprises running on a server/farm connected to an anonymous/decentralized network isn't smart enough to *not* give it a public IP and/or put the equivalent to a home internet router in front of it.
People make mistakes all the time. Even smart people.
You've never made a mistake? Never missed a bug? Never misconfigured a system? Ever?
Do a hundred things right, and one thing wrong, and just guess which one will get caught.
Re: (Score:2)
Paypal engineers do not go to prison for an extended period of time when they are caught. Paypal engineers are also the cheapest possible that can just about get the job done.
Neither does the guy Ulbricht hired (Score:2)
> Paypal engineers do not go to prison for an extended period of time when they are caught.
Neither does the script monkey that Ulbricht hired to set up the captcha.
Re: (Score:2)
You believe that he did not do this himself? Seriously, this guy evades the FBI for years and then he hires some Noob to do critical work on his servers?
only if he's stupid. He had a huge criminal enterpr (Score:2)
He had a huge criminal enterprise to run, tons of money to launder, murders to order, and hopefully he'd make some time to enjoy his ill-gotten gains before he eventually made a mistake and got busted. If he was wasting his time setting up a captcha, that was pretty stupid. The smart thing would be for him to have someone who understands banking and finance take care of the banking and finance, someone who understands programming take care of the programming, someone who understands high-capacity ser
Re:Seems unlikely to me (Score:4, Interesting)
The only way I can think of to accidentally do what the FBI is claiming is if he just grabbed a poorly written CAPTCHA program off the Internet and it constructed its own URLs back to the server using the server's IP address.
Why it would do that instead of using the configured server name or, even better, just use a relative URL would be anyone's guess. But it's the only plausible way for the FBI's explanation to make any sort of sense.
(Or, to put it another way, they're almost certainly lying.)
Re: (Score:2, Interesting)
> The only way I can think of to accidentally do what the FBI is claiming is if he just grabbed a poorly written CAPTCHA program off the Internet and it constructed its own URLs back to the server using the server's IP address.
> Why it would do that instead of using the configured server name or, even better, just use a relative URL would be anyone's guess. But it's the only plausible way for the FBI's explanation to make any sort of sense.
> (Or, to put it another way, they're almost certainly lying.)
Well, you c
Re: (Score:2)
> Well, you could actually read the damn court documents. If you put random junk into the CAPTCHA boxes sometimes you would get an error page back - over TOR - but which contained the true IP address of the server.
Where do you get this? Because the court documents in the article certainly don't say that. In fact, they seem to be saying that the IP packets themselves contained the IP:
> Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets.
That's not an error message, that's (apparently) an HTTP(S?) request being sent straight to the Tor servers. And the only way I can think of to screw up a CAPTCHA implementation to do that would be to have it construct a complete URL using the host IP instead of just using the configured host name, which would be insane.
Again: according t
Re: (Score:2)
The issue seems to be not one of what IP address you give it, nor whether it's public-facing or not, but that he was leaking data via some other means (captcha call back or license file?) which exposed the real server's location rather than the Tor hidden one.
Re:Seems unlikely to me (Score:5, Interesting)
> I find it a bit hard to believe that a guy who is able to get one of the largest black-market enterprises running on
> a server/farm connected to an anonymous/decentralized network isn't smart enough to *not* give it a public IP
> and/or put the equivalent to a home internet router in front of it.
As much as I would like to not believe it, this is one of those cases where he has to be perfect every time, and they have to catch him slipping up once.
I don't know what his stack was, but typically, there are a lot of places information can leak. Including in error messages.
The reality is, no hidden service (that isn't intentionally also a non-hidden one) should have a public IP where it can be reached. The last public endpoint should be its tor node, and the tor node itself should then only contact it via private IPs. It should then also only contact its backend databases by private IPs.
If that means you have to setup backend VPNs for the transport.... then guess what....that means you have to setup backend VPNs for the transport.
Frankly, what this guy did, overall, wasn't all that impressive. He put a bunch of tools together. He didn't develop tor, he just made the obvious leap. Being more willing to take the risk doesn't mean you are the best of the best, it just means you are confident enough to risk a fall on your face.
Captcha rate limiting error message? (Score:2)
I've been thinking about this over the last few days, ever since the story popped up in wired.
If they exceed the captcha's rate limit, the captcha -might- leak information in its rate-limiting error message. The message would be something like "your server at IP has exceeded its request limit."
This is likely because if you exceed the rate limit you'd kind of want to know which one of your front-ends was the bad one.
Nobody really would test that sort of thing either.
HTTPS and HTTP gotcha (Score:2, Interesting)
How many sites out there are HTTPS but deliver some data via HTTP by mistake or oversight? Looks like that applies here too. Good job tracking this down. Plain old inspecting what you're receiving and digging into it.
Re: (Score:2)
Yeah I agree. This seems like unremarkable good detective work. Well done, coppers, you caught a criminal.
Whether we need to change the law is a separate question to whether this guy broke it.
Re: (Score:2)
Oh, sure. And nobody found this in a site that gets attacked all the time. Really believable.
Too bad we can't trust them (Score:3)
We have discovered so many lies from various LEAs and NSA about parallel construction (they even lie to judges and prosecutors) that it is impossible to believe them without iron-clad evidence at this point.
Perhaps they'd care to show us the code? Show us the log of the exploit? Bare assertions won't do.
Re: (Score:2)
So you prefer the explanation that the NSA used super secret TOR breaking software over a simple exploit ? The FBI explanation seems totally plausible to me. If it were the NSA they probably would have used similar techniques.
My idea is that hackers from the NSA, FBI or black hats are like magicians. It looks like they have some kinds of superpowers or really advanced tech while they just use simple tricks. Finding good tricks and executing them correctly is hard but the trick themselves are often stupidly
Re: (Score:2)
Some days, I question if the FBI knows how to turn a computer on.
They certainly don't know how to process forensic evidence.
Meanwhile, we do know that the NSA has illegally hacked a great many routers and tapped many fiber connections. I find it more likely that they used their illegal resources to locate the server through traffic analysis. No need to invoke any superpowers.
I find it at least plausible enough to require proof from the FBI in a criminal investigation (not that it will likely be forthcoming
Re: (Score:2)
The explanation is plausible only to a simple mind. Remember that this service was up a long time and certainly got attacked all the time. Somebody would have found that problem a long time before the FBI if it was real. Much more likely they did a targeted attack and found some real vulnerability, which they do not want to disclose and hence are lying about, like any common criminal. This has nothing to do with the rule of law anymore. Next step, which I am sure they have already taken in less high-profile
Re: (Score:2)
> You hit login 100 times
That's a coy way of saying they were trying to do SQL injection and it didn't work.
> and it spits out the IP address for no reason.
In the course of trying to do SQLi, they generated a ton of different error messages. The HTML source of one of the error messages contained the server's real IP address. Pretty easy mistake to make if you unwisely put your hidden-service Web server and your Tor proxy on the same physical machine (thereby running your Web server on a device that has a public IP address).
Such a configuration might be necessary if, for example, y
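The three theories argued above (a CAPTCHA or login script building absolute URLs from the server's own address, packet or HTTP headers carrying a non-Tor source, and an error page whose HTML contains the real IP) all reduce to one check an operator can run: fetch the service over Tor and inspect exactly what came back. The following is an added example, not code from the thread, the court filing, Tor or Silk Road. The three HTTP responses are constructed samples, and 203.0.113.10 is a documentation address standing in for a real public IP. It reports public IPv4 literals in headers and body, plus absolute URLs that point at clearnet hosts (the "included scripts from clearnet hosts" case).

```python
"""Scan raw HTTP responses fetched from a hidden service for origin-identifying
content: public IPv4 literals and absolute URLs that point at clearnet hosts.

Added example; not code from the thread, the court filing, Tor or Silk Road.
The three responses are constructed; 203.0.113.10 (TEST-NET-3) stands in for a
real public address.
"""
import ipaddress
import re
from urllib.parse import urlsplit

# Ranges a hidden service may legitimately mention (loopback, RFC1918, link-local).
# Listed explicitly: IPv4Address.is_private also classes the documentation ranges
# such as 203.0.113.0/24 as private, which would hide the sample leak below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]
# Dotted quads not glued to other word characters or dots (so "v1.2.3.4" is skipped).
IPV4_RE = re.compile(r"(?<![\w.])(?:\d{1,3}\.){3}\d{1,3}(?![\w.])")
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.IGNORECASE)


def routable_ips(text):
    """Sorted IPv4 literals in text that fall outside INTERNAL_NETS."""
    found = set()
    for m in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.ip_address(m.group(0))
        except ValueError:  # e.g. 999.1.1.1 matches the regex but is not an address
            continue
        if not any(ip in net for net in INTERNAL_NETS):
            found.add(str(ip))
    return sorted(found)


def clearnet_hosts(text):
    """Sorted hostnames of absolute URLs that are neither .onion nor IP literals."""
    hosts = set()
    for m in URL_RE.finditer(text):
        try:
            host = urlsplit(m.group(0)).hostname
        except ValueError:
            continue
        if not host or host.endswith(".onion"):
            continue
        try:
            ipaddress.ip_address(host)  # IP-literal hosts are reported by routable_ips
        except ValueError:
            hosts.add(host)
    return sorted(hosts)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status line, [(name, value)], body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return lines[0], headers, body.decode("latin-1", errors="replace")


def scan_response(raw):
    """Return [(where, what, value)]; an empty list means nothing identifying was seen."""
    _, headers, body = parse_response(raw)
    findings = []
    for name, value in headers:
        findings += [("header", name, ip) for ip in routable_ips(value)]
        findings += [("header", name, host) for host in clearnet_hosts(value)]
    findings += [("body", "ip", ip) for ip in routable_ips(body)]
    findings += [("body", "url", host) for host in clearnet_hosts(body)]
    return findings


# Constructed samples. The first two model the two theories in the thread: an
# absolute redirect built from the server's own address, and an error page that
# dumps server variables (plus a script pulled from a clearnet host).
LEAKY_REDIRECT = (
    b"HTTP/1.1 302 Found\r\n"
    b"Server: nginx\r\n"
    b"Location: http://203.0.113.10/login.php?err=1\r\n"
    b"Content-Length: 0\r\n\r\n"
)
LEAKY_ERROR_PAGE = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b"<html><body><h1>Error</h1>\n"
    b"<!-- SERVER_ADDR=203.0.113.10 SERVER_NAME=localhost -->\n"
    b'<script src="https://www.google.com/recaptcha/api.js"></script>\n'
    b"</body></html>"
)
CLEAN_PAGE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: text/html\r\n\r\n"
    b'<html><body><form action="/login"><img src="/captcha.php"></form>\n'
    b"<!-- upstream 127.0.0.1:8080, build v2.3.1 -->\n"
    b"</body></html>"
)

if __name__ == "__main__":
    for label, raw in (("redirect", LEAKY_REDIRECT),
                       ("error page", LEAKY_ERROR_PAGE),
                       ("clean", CLEAN_PAGE)):
        print(label, scan_response(raw))
```

Feed it responses captured through the Tor SOCKS port (for instance `curl --socks5-hostname 127.0.0.1:9050 -i` against the .onion address, including the junk-input and error paths the thread talks about). An unrelated dotted quad such as a version string can trip the regex, so findings are for review rather than proof; an empty result for every reachable page, including error pages, is the condition the operator actually wants.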
Re: (Score:2)
BS. You can always put your server behind a masquerading firewall and ensure nothing on the server knows its public IP address. This is a standard approach for WAN-LAN connections with private IP addresses in the LAN. When somebody has been running a highly illegal service successfully for a longer time, they will know about such basic protections. Also, you will never use a 3rd party captcha service in such a server, as the captchas themselves can be used to identify your location. Quite obvious, really.
Re: (Score:2)
Inbound with Tor is not so bad, but it requires a two-machine setup that's nontrivial for a non-sysadmin to do correctly. Getting the server's outbound (new connections, not return traffic) to transit over Tor exclusively is less easy. Ideally, you don't make outbound connections from your server.
You know Silk Road actually used reCAPTCHA, yes?
Thank you for finding the flaw (Score:1)
Now TOR (or whom ever) can fix it.
Re: (Score:2)
Security software cannot fix stupidity.
In this case, one of the scripts on a Tor service pulled data from and thus advertised its globally addressable IP address.
Sure, they can improve their processes and pull that script and replace it with a Tor-compatible version - but Tor can't detect this kind of stupidity and fix it for you. If you're stupid enough to put your home address on a Tor service, there's nothing Tor can do about that either.
The most interesting thing about this story is that all the "Tor
Re: (Score:1)
Yes, but now people trying to hide are more aware of possible issues.
If I had a dollar (Score:1)
The thing about writing the website or configuring the system to tunnel data through any kind of proxy/tor is that for every packet or http request or whatever you work with you have to EXACTLY specify what happens as in what comes in and what goes out, the lie is just too retarded.
I've made like a dozen network backends for different kinds of applications and programs. I know.
I'm envisioning a comic... (Score:1)
What, no Masquerading? Not credible... (Score:2)
Who would be so stupid to run a server like that without masquerading? That is not credible at all. A simple masquerading firewall before the actual server makes sure that a) no non-TOR traffic ever reaches or leaves the actual server and b) the server itself does not know the public IP it is reachable under. This is really basic protection and set up within a few hours. It also makes sure nothing like the FBI claims can ever happen.
The only sensible explanation is that the FBI is lying through its teeth.
127.0.0.1 (Score:2)
The IP will probably be revealed as being 127.0.0.1.
The judge will accept it as evidence, and the jury will convict because we are still living in a society of imbeciles trying to impose on how everyone should live under the premise that they know better as a collective decider.
We are destroying basic human rights and severely punishing people simply so we can "show them a better path" in life.
It's absurd. Why can't we just close all these ineffective branches of government fighting pseudo crimes already?
Re:Or so they say... (Score:4, Insightful)
> At least that is what they are saying...
I think you misunderstand something. It doesn't matter if they are lying through their teeth when they say that. Because they claim it to be true, we can use that as further justification that the NSA's mass-surveillance hasn't done squat.
Re: (Score:2)
No, we can't. That's not what they claim NSA mass surveillance is for. This is an FBI investigation. Law enforcement, that is.
The NSA shouldn't be involved, and the claim is that they weren't.
Re: (Score:2)
Silk road != Tor servers
Re: (Score:2)
> It doesn't matter if they are lying through their teeth when they say that. Because they claim it to be true, we can use that as further justification that the NSA's mass-surveillance hasn't done squat.
Because they're busy using that surveillance spying on political and business opponents. Come on, citizen, you don't want to take resources away from that to put them to unimportant stuff like catching criminals and preventing terrorism, do you? Heck, if we caught terrorists before they strike, the terror would be gone and this would risk pulling resources and public support away from the surveillance!
Re: (Score:3, Interesting)
Whether something is true or not matters little to the Slashdot hivemind, as long as it can feed the fires of perpetual outrage.
There is no reason whatsoever to believe this assertion. You're accepting it as fact for no reason. We call people like you a "useful idiot".
Re: (Score:1)
he's useful??
Re: (Score:2)
> as long as it can feed the fires of perpetual outrage
Well, winter will come soon; I have to keep myself warm somehow.
Re:Or so they say... (Score:5, Insightful)
Re: (Score:2, Redundant)
Right, they got the data illegally, seized the servers, then examined them for a vulnerability they could have used to legally seize them and claimed that was the source.
Re: (Score:2)
> I'm making an assumption that you're talking about illegal NSA surveilance
And you think that's the only way to gather intelligence illegally? I still might guess parallel construction, but my mind didn't jump to the NSA. There are plenty of other options out there.
Re: Or so they say... (Score:5, Informative)
You need the link to wikipedia so the regular folk know what you're talking about
parallel construction [wikipedia.org]
But there is nothing you, the citizen, can do about it.
Jury Nullification [wikipedia.org]
Re: (Score:3)
> Jury Nullification
The reality is that this almost never happens. And it will not happen in this case, where the "defendant" is not only accused of being a drug kingpin, but also of putting out "hits" on people he didn't like. He's not going to look good to a jury. Say what you will about drug laws, but this guy "allegedly" took substantial steps to murder people.
Re: (Score:2)
You asshat troll. Juries DO THINK THIS WAY which is why they are "shown the proof and if there is proof then the jury considers him not looking good."
Re: (Score:1)
No, jury selection (which should be illegal) makes sure that juries do not think this way.
The only selection of a jury should be by means of an RNG. Preferably a low-tech one, like a bingo-ball cage. And audit the shit out of that thing on a regular basis. We don't want biased juries.
Lawyers. Queering the deal since... forever.
Re: (Score:2)
It's like you have no clue how jury selection works; and have only seen the movie Runaway Jury. Juries can vary in size, anywhere between 6-12 plus backups totaling about 15-30. Attorneys can only challenge the selection a set number of times. Most cases this is 3. So in a majority of cases at least one juror is completely untouchable by the attorneys (if you exclude the backup set).
Re: (Score:3)
I posted this reply to the wrong place the first time. So here I go again:
No - anyone who knows anything about subject matter involved in a trial (computers, forensics, medicine, etc.) will be excluded from the jury during the selection process by the attorneys. You're supposed to have people who will only listen to the "expert witness" and not use your own knowledge. It's a certain guarantee that this skews the jury pool toward people a little dumber than you'd want.
Re: (Score:2)
When I was called for jury duty (in California), the attorneys had something like 10 peremptory challenges each. Everyone who wasn't a slack-jawed dimwit was removed. This was only for a traffic accident case - I imagine the lawful-corruption would be even worse in a more serious case.
In Centrist America, it's only a jury of your "peers" if you ride the short bus.
Re: (Score:2)
> It's like you have no clue how jury selection works; and have only seen the movie Runaway Jury. Juries can vary in size, anywhere between 6-12 plus backups totaling about 15-30. Attorneys can only challenge the selection a set number of times. Most cases this is 3. So in a majority of cases at least one juror is completely untouchable by the attorneys (if you exclude the backup set).
I've been through voir dire twice and in both cases (criminal assault) not only did the attorneys get their allotted strikes, but toward the end of the questioning process the judge also had notes and called certain members of the pool to the bench and further questioned them about their opinions, dismissing some of them to go home. The judge is already there as a representative of the State, so naturally his dismissals will also tend to enforce jury orthodoxy. No libertarian who believes in nullification i
Re: (Score:2)
I call that misinterpretation of events. They probably didn't pick the other jurors because they were stupid. They picked them over you, because they weren't as opinionated as you were. They're trying to select jurors that would not be biased. They don't want someone who thinks they're an expert on the law. It just so happens that stupid people aren't necessarily as opinionated on a given subject.
Re: (Score:2, Flamebait)
Yes, that's a good little Centrist - lick that boot. No one could possibly have an experience with the legal apparatus that contradicts the fairy tales you were taught in high school Civics class...
Regardless of your baseless opinion on why I was removed, the fact is at least 11 of 12 original jurors were removed. The attorneys cycled thru something like 18 of the 30-ish potential jurors by the time I was excluded. Jury selection continued after I left.
It's pretty obvious juries in my city are not juries
Re: (Score:2)
I feel like your attitude is proving my point.
Re: (Score:2)
Ahhh... so you believe only subjects with a credulous & servile attitude should be included on a jury?
Re: (Score:2)
Loaded question says what?
Re: (Score:2)
I'll take that as a "yes".
Re: (Score:2)
You can take it however you like. I'm not intolerant. But don't put quotes around it.
Re: (Score:2)
> No - anyone who knows anything about subject matter involved in a trial (computers, forensics, medicine, etc.) will be excluded from the jury during the selection process by the attorneys. You're supposed to have people who will only listen to the "expert witness" and not use your own knowledge. It's a certain guarantee that this skews the jury pool toward people a little dumber than you'd want.
Re: (Score:2)
That would only make sense if the criminal didn't deserve to be prosecuted. You can't fix the problem post-hoc.
Re: Or so they say... (Score:5, Interesting)
The examples from the wiki describe situations where the initial source was legal, but protected. E.g., placing a sting in the path of a suspect on the word of a protected informant, then omitting the reason for their 'luck' in finding the suspect. Or e.g., withholding NSA wiretaps from DEA until the citizen or geography of the source is determined to be foreign (unethical, but not illegal).
In this case, they would be seizing servers (illegally), then searching them for a weakness to cover their asses, then lying to the judge about it(illegal), and hoping the logs agree with their probes (possibly revealing their lies), or altering them to match (illegal).
I might be naive, but I think the discovery of the IP source through the weakness in the captcha is totally plausible. I also think that Joe law enforcement officer doesn't want to end his career in disgrace over something like this.
Re: (Score:2)
> The examples from the wiki describe situations where the initial source was legal, but protected. E.g., placing a sting in the path of a suspect on the word of a protected informant, then omitting the reason for their 'luck' in finding the suspect. Or e.g., withholding NSA wiretaps from DEA until the citizen or geography of the source is determined to be foreign (unethical, but not illegal).
Yes, but in this case, mass analysis of Tor traffic by the NSA could have thrown up a suggestion to the FBI "if you want to find the real source of the servers, all you need to do is exploit the CAPTCHA servers". The activities of the NSA don't have to be illegal for the FBI to obfuscate how they got to the final result. I doubt the FBI spent load of time just hacking around. The Government started with the problem "how do we reveal the true source of the Tor anonymized traffic" and fitted the solution t
Re:Or so they say... (Score:5, Insightful)
Parallel construction is a farce and has no place in a legal system. The defendant is being intentionally lied to and thus unable to defend themselves. If you can not say how you got the info they should not be able to use it. Same goes for confidential informants. The people the NSA should be spying on are supposed to be dealt with via the CIA aka outside of the country assassinations.
Re: (Score:2, Insightful)
If a defense attorney taught a jury about PC, then it would put the prosecution on the hotseat to prove his folks did not use it.
This seems an impossible task, unless folks trust the cops.
It would be unfortunate if PC backfires and results in releasing the bad guys it was intended to catch.
Which is why it was a dumb idea to break the rules in the first place.
Re:Or so they say... (Score:5, Insightful)
> It would be unfortunate if PC backfires and results in releasing the bad guys it was intended to catch.
> Which is why it was a dumb idea to break the rules in the first place.
Yes absolutely correct. If the cops show themselves to be untrustworthy, then the whole law enforcement chain of evidence falls apart. This is the elephant in the room for the supreme court decision earlier this year, in which they ruled that police could stop and search somebody based on an "anonymous tip". And yet the law enforcement has been proven to sanction and encourage PC (part of the FBI docs earlier, in which LEOs got access to NSA data, was a manual saying the cops should use PC so they don't have to reveal the FBI/CIA program in court).
the situation is analogous to the poor dudes in gitmo. Everybody knows they're not terrorists, yet because they were seized illegally there's no way for the justice system to process them. but the military doesn't want to just set them free, because certain parts of the country and certain news channels would flip out. So they just sit in jail and wait, while becoming terrorists. wouldn't you?
Re: (Score:3)
I'm puzzled by this one. Surely all the justice system needs to do is say "The U.S. Constitution binds the actions of the U.S. government even outside U.S. territory" and then admit a writ of habeas corpus?
Re: (Score:3)
> I'm puzzled by this one. Surely all the justice system needs to do is say "The U.S. Constitution binds the actions of the U.S. government even outside U.S. territory" and then admit a writ of habeas corpus?
well, that's the rub. there's no way to transfer the prisoners from gitmo to a regular prison, because if the justice department brought these people to a civilian court, the judges would laugh them out of court, give the defendants a condolence basket, and buy them a free ticket home. it's really hard to send them abroad, because all other countries have refused to take them and have responsibility for them. And Obama doesn't want to cut them loose - not in an election year! so these poor people, who every
Re: (Score:3)
It was also congress that insists that they stay.
Honestly this whole blame-the-president thing is getting tiresome, this is a failure of the US government and all branches should be held accountable...our government is an embarrassment and there is no one side that is more embarrassing than the other..they are all corrupt cronies without an ounce of humanity to them.
Re: (Score:2)
Our Supreme Court is fascist. I fully expect them to uphold the "we got an anonymous tip" and provide a hole a truck can drive through with all this "NSA metafile information that won't ever be used against you..."
And off the record, we see here you visited a certain bunny ranch in Vegas, we'd like to see a larger number on next years budget in the appropriations committee.
The threat posed by the Silk Road is orders of magnitude less than "anonymous" evidence in FBI court cases. This is the morning before w
Re: (Score:2)
> This is the morning before we wake up to a boot on our neck
Sorry, too late by about a decade. The old Republic was sick for a long time, and died an inglorious death in 2001. Long live the Empire!
Re:Or so they say... (Score:4, Insightful)
> It would be unfortunate if PC backfires and results in releasing the bad guys it was intended to catch.
Parallel Construction doesn't catch criminals. It hides criminal activity by the government. It is an institutionalized form of lying which isn't acceptable in our court system.
Re: (Score:2)
Is that like Plausible BS -- or am I using a too technical word here?
I always figured that the "illegally gained intelligence" whether it be to get rid of a politician or someone affecting the status quo, would be an "anonymous tip" or "via great sleuthing."
This great sleuthing never occurs if it's a bank or someone politically connected -- strange.
Re: (Score:2)
My personal take is that this was much more likely some Bitcoin-based attack where they were able to identify him via some Bitcoin they gave him and that he spent afterwards. The claimed scenario would require terminal stupidity on the side of the server set-up and also that nobody of the countless people trying to attack these servers ever getting lucky. Not credible at all.
Analyzing the FBI's Explanation of How They Locate (Score:5, Insightful)
https://www.nikcub.com/posts/a... [nikcub.com]
If you still believe that the server was discovered in the way the FBI described it - try it. I did. I setup a virtual machine with a web server running a Tor hidden server. I then accessed the hidden server over Tor and looked at the traffic. No matter how much I intentionally misconfigured the server, or included scripts from clearnet hosts, I never observed traffic from a non-Tor node or a "real" IP address.
Re:Analyzing the FBI's Explanation of How They Loc (Score:5, Interesting)
Stick a php_info in your code or something equivalent. I don't believe the FBI was claiming that they received traffic from a non-tor IP, but rather that they received an IP address somewhere in the data sent over tor.
Nothing in tor prevents you from sending your name, address, and social security number in the html of a webpage that you serve. If I wanted to depend on a website remaining anonymous over tor I'd probably stick the entire thing on a private network (with private IPs) such that none of the machines ever contained identifying information (including traceable machine IDs or MACs/etc), heavily firewall it, and carefully control that nothing goes out except via tor. I'd treat every device on the network as if it were compromised and intentionally trying to communicate out every bit of data stored within, so it would be essential that none of these devices contain any information worth stealing.
Re: (Score:2)
That'd be one useless network though. If your devices have no information worth stealing - then what are they doing?
That's the problem with anonymity (and security in general). To be perfect, it's got to have no value.
In a more practical case like this one, I fully expect that administrators of those servers made one small mistake (more likely simply could not check every possible bit of code for information it may leak) and that was their downfall.
Re: (Score:2)
There is a difference between no identifying information, and no information.
Rips of DVDs, for example, would be information - but they would not contain any identification other than the program used to make them, and the DVDs in question.
Re: (Score:2)
Well, in their case they are running a storefront. That has a few components.
1. You need a searchable catalog of stuff that you are selling, and the ability to put together orders. That isn't too sensitive up until you checkout since your goal is to advertise the catalog anyway.
2. You need to be able to collect info on where to ship the goods. This is sensitive information if you don't want people figuring out who your customers are. You can't avoid collecting this info from your customers, but you co
Re: (Score:2)
Ah, in this case it is even easier to anonymize then, assuming you don't care about the buyers or the sellers. Just store all the data on the servers with nothing identifying, and the only thing you have to deal with is getting the listing fees off the site.
I'll confess I don't know a great deal about the Silk Road, as I've never visited the site.
Re: (Score:2, Interesting)
this is what Tails tries to do.
Really you could just run tor on a VM and then set up all client machines on the LAN to VPN into it. Then set each client's firewall to drop any traffic to any interface except tun/tap.
You could also run dansguardian+squid on that tor VM to sniff for and catch regexes that look like your public IP or PII.
Re: (Score:2)
Oh, I wouldn't just worry about flash. I'd assume that somebody I don't like is going to find an exploit in my webserver, and run arbitrary code on that host, and every other host it can reach via the network. All of this stuff has to run in a DMZ that contains no identifying information at all. That is certainly a challenge to do in practice.
Re: (Score:2)
My example was contrived. The point is that tor doesn't prevent you from leaking identifying info. There are LOTS of ways this can happen, including:
1. Some application happens to embed a non-private IP in the data stream (maybe in a header or something). This is a classic problem if you try to run bittorrent over tor.
2. Somebody manages to run arbitrary code on your server via an exploit and this code has access to identifying information, such as a non-private IP, mac address, or just the ability to
Re: (Score:2)
If they had a sanely configured masquerading firewall, it could not, as nothing on the server would know its public IP address. And of course, the captcha will be locally generated as including an external one reveals your location via the captcha service (that would get a nice NSL in this case).
Plain fact is that what the FBI here claims is exceedingly unlikely to be true, not in the least because of course a site like this gets attacked all the time and such problems would have been found and fixed a long
Re: (Score:3)
Recently there was this story about NSA guys leaking Tor bugs to devs and suggesting changes to "improve" Tor's design:
http://yro.slashdot.org/story/... [slashdot.org]
I vividly remember that Snowden's documents said that NSA tries to influence Tor's design, being unable to actually break it. This might be a way of doing it: they pretend to be "good guys" and suggest changes that, while removing purely theoretical vulnerabilities, actually open the doors to more serious ones.
I hope Tor developers aren't so foolish as to follow those "suggestions".
Of course they aren't documenting their ability to subvert anonymity on Tor. It is probably the most powerful weapon an intelligence agency can wield right now. The rather simple (but un-falsifiable) fact is that with enough relay and exit nodes owned by one entity (and ownership is deliberately un-attributable) you can pretty effectively de-anonymize it by attrition (there are a few protocol weaknesses too, that allow you to leverage a lot of hosts). The only clue an outside observer might have that it
Re: (Score:1)
Of course they aren't documenting their ability to subvert anonymity on Tor.
Stop spreading FUD. Actually they documented the fact that they do NOT have that ability. And they admit that in top secret documents, which aren't exactly supposed to be used for propaganda:
http://www.theguardian.com/wor... [theguardian.com]
Hence they probably try to influence Tor's design in the hope of making it weaker in the future, as OP was saying.
Re: (Score:2)
They're saying the server leaked its own IP address. Unless you've set up your system so that your Tor hidden server is on a computer not connected directly to the Internet and it connects to a physically-separate Tor node that blocks any network flows other than ones going over the Tor proxy, then any Tor hidden server also has a leakable IP address. A Web server error message (or embedded error message from a third-party service, for example), header, or other piece of data might then contain the server's
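The leak these posts describe (an address or hostname embedded in served HTML, an error message or a header, plus the dansguardian+squid regex idea from further up the thread) is something an operator can check for on their own responses before a site goes live. What follows is an added example written for this thread, not code from any poster, from Tor or from the Silk Road case; the sample response, the hostnames and the address 203.0.113.7 (an RFC 5737 documentation address standing in for a real public one) are constructed, and the list of "identifiers" is whatever the operator knows must never appear in output.

```python
"""Audit a raw HTTP response from a hidden service for identifying leaks."""
import ipaddress
import re
from typing import Iterable, List, Tuple

# Address space that can never identify a public host.  The RFC 5737
# documentation ranges are deliberately NOT listed here, so the constructed
# sample below (which uses 203.0.113.7 as a stand-in public address) is
# reported just as a real public address would be.
NON_ROUTABLE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/3",          # multicast plus the reserved class E block
)]

IPV4_RE = re.compile(r"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
URL_RE = re.compile(r"https?://([A-Za-z0-9.-]+)", re.IGNORECASE)

Finding = Tuple[str, str, str]      # (where, kind, value)


def is_routable_ipv4(text: str) -> bool:
    """True when the dotted quad parses and lies outside every non-routable range."""
    try:
        ip = ipaddress.IPv4Address(text)
    except ipaddress.AddressValueError:
        return False
    return not any(ip in net for net in NON_ROUTABLE)


def scan_text(where: str, text: str, identifiers: Iterable[str]) -> List[Finding]:
    """Report routable IPv4 addresses, clearnet URLs and operator-supplied identifiers."""
    findings: List[Finding] = []
    for m in IPV4_RE.finditer(text):
        if is_routable_ipv4(m.group(0)):
            findings.append((where, "public-ip", m.group(0)))
    for m in URL_RE.finditer(text):
        host = m.group(1).lower()
        # .onion links are fine; bare-IP URLs were already reported above
        if host.endswith(".onion") or IPV4_RE.fullmatch(host):
            continue
        findings.append((where, "clearnet-url", host))
    lowered = text.lower()
    for ident in identifiers:
        if ident.lower() in lowered:
            findings.append((where, "identifier", ident))
    return findings


def scan_http_response(raw: bytes, identifiers: Iterable[str] = ()) -> List[Finding]:
    """Split an HTTP/1.x response and scan every header value and the body."""
    identifiers = list(identifiers)
    head, _, body = raw.partition(b"\r\n\r\n")
    findings: List[Finding] = []
    for line in head.decode("latin-1").split("\r\n")[1:]:     # skip status line
        name, _, value = line.partition(":")
        findings.extend(scan_text("header:" + name.strip().lower(), value.strip(), identifiers))
    findings.extend(scan_text("body", body.decode("utf-8", "replace"), identifiers))
    return findings


# Constructed sample (not real traffic): a PHP error page that echoes an
# internal database host, pulls a script from a clearnet CDN, names the
# physical host in a comment, and links back to a placeholder onion address.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 500 Internal Server Error\r\n"
    b"Server: Apache/2.2.22\r\n"
    b"X-Backend: app01.hosting.example.test\r\n"
    b"Content-Type: text/html; charset=utf-8\r\n"
    b"\r\n"
    b"<html><body><h1>Internal Server Error</h1>\n"
    b"<p>Warning: mysql_connect(): Can't connect to MySQL server on '10.0.0.5'</p>\n"
    b'<script src="https://cdn.example.test/captcha.js"></script>\n'
    b"<!-- rendered by app01.hosting.example.test (203.0.113.7) -->\n"
    b'<a href="http://hiddenservice.onion/login">Retry</a>\n'
    b"</body></html>\n"
)

if __name__ == "__main__":
    for where, kind, value in scan_http_response(SAMPLE_RESPONSE, ["app01.hosting.example.test"]):
        print(f"{where:18} {kind:13} {value}")
```

Run against the sample it reports the public address and the hostname in the body, the hostname in the X-Backend header and the clearnet CDN URL, while the private 10.0.0.5 and the .onion link pass. The same three checks are what a filtering proxy in front of the service would apply per response; this version only covers IPv4, so an operator with IPv6 on the box would extend the address matcher accordingly.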
Re: (Score:2)
A masquerading firewall will also protect you and you do not need any "special" Tor node for that (which you cannot get anyways). Simple to set up and standard in any LAN-WAN connection where the LAN has private IP addresses.
Re: (Score:2)
It is not complete BS. If the server was really stupidly configured and did not have an additional masquerading firewall before it, something like this could happen. That claim is however not credible at all and this is likely a fairy-tale for the gullible.
Re: (Score:2)
Yes, apparently. Too bad many people will believe this obvious fairy-tale.