Re: [tor-talk] Silk Road taken down by FBI
----- Forwarded message from mirimir <mirimir@riseup.net> -----
Date: Thu, 03 Oct 2013 20:58:57 +0000
From: mirimir <mirimir@riseup.net>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Silk Road taken down by FBI
Message-ID: <524DDA91.30008@riseup.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
Reply-To: tor-talk@lists.torproject.org

On 10/03/2013 05:49 PM, Ahmed Hassan wrote:
One question still remains unanswered. How did they locate the Silk Road server before locating him?
They had a full image of the server before his arrest.
From <http://www.bbc.co.uk/news/technology-24371894> we know:
According to the court complaint document, it was the discovery of the rossulbricht@gmail.com email address that gave investigators a major boost in their search.
Through records "obtained from Google", details of IP addresses - and therefore locations - used to log into Mr Ulbricht's account focused the search on San Francisco, specifically an internet cafe on Laguna Street.
Furthermore, detailed analysis of Silk Road's source code highlighted a function that restricted who was able to log in to control the site, locking it down to just one IP address.
As would be expected, Dread Pirate Roberts was using a VPN - virtual private network - to generate a "false" IP address, designed to cover his tracks.
However, the provider of the VPN was subpoenaed by the FBI.
While efforts had been made by DPR to delete data, the VPN server's records showed a user logged in from an internet cafe just 500 yards from an address on Hickory Street, known to be the home of a close friend of Mr Ulbricht's, and a location that had also been used to log in to the Gmail account.
At this point in the investigation, these clues, investigators concluded, were enough to suggest that Mr Ulbricht and DPR - if not the same person - were at the very least in the same location at the same time.
So they did have the server before they knew who he was. We also knew that he was sold out by his VPN provider. Hopefully, the identity of that VPN provider will come out soon. Given what I see in the complaints, I suspect that he was sold out by one of his administrators, perhaps the one (with a huge drug debt) that he tried to have killed. This is rather like Snowden, isn't it? More fundamentally, a business built around selling drugs by mail to customers' actual physical addresses was doomed. Anonymity in the physical world is much^N harder than on the Internet.
On Thu, Oct 3, 2013 at 1:26 PM, shadowOps07 <shadow.unit.x@gmail.com> wrote:
No, it was a rookie fuck-up that enabled old-fashioned detective work. If it wasn't a rookie fuck-up, then none of this would have happened.
On Thu, Oct 3, 2013 at 11:15 AM, Gordon Morehouse <gordon@morehouse.me> wrote:
Jonathan D. Proulx:
2) Traditional police work still works - this should be good news to the law and order folks that traditional methods still work and no extensive digital surveillance state is needed.
Note I'm only anecdotally familiar with Silk Road, so no personal opinion on whether he should be praised or flogged, but I do think in a "dear legislator please don't ban privacy" kind of way point 2 is important.
A trillion times, this.
I knew Silk Road would very likely get busted by good old fashioned police work. It was too big to not leave trails that smart, patient, Bill-of-Rights-respecting (though that remains to be seen) cops can pick up.
Best, -Gordon M.
-- tor-talk mailing list - tor-talk@lists.torproject.org
To unsubscribe or change other settings go to https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk

----- End forwarded message -----

-- Eugen* Leitl <a href="http://leitl.org">leitl</a> http://leitl.org
ICBM: 48.07100, 11.36820 http://ativel.com http://postbiota.org
AC894EC5: 38A5 5F46 A4FF 59B8 336B 47EE F46E 3489 AC89 4EC5
This October 2, 2013, complaint describes US officials tracking a Silk Road narcotics vendor on- and off-line: http://cryptome.org/2013/10/sadler-white-complaint.pdf
On 2013-10-06 22:28, Eugen Leitl wrote:
----- Forwarded message from mirimir <mirimir@riseup.net> -----
Date: Thu, 03 Oct 2013 20:58:57 +0000
From: mirimir <mirimir@riseup.net>
To: tor-talk@lists.torproject.org
Subject: Re: [tor-talk] Silk Road taken down by FBI
Message-ID: <524DDA91.30008@riseup.net>
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.0
Reply-To: tor-talk@lists.torproject.org
On 10/03/2013 05:49 PM, Ahmed Hassan wrote:
One question still remains unanswered. How did they locate the Silk Road server before locating him?
They had a full image of the server before his arrest.
Suppose someone is operating a big server that handles lots of traffic. From time to time, you storm that server with spam. NSA observes the corresponding traffic surges. Statistical correlation between spam attacks and data flow eventually reveals the server. We know Silk Road was attacked with spam and malware. That it was attacked with spam suggests that malware did not suffice.
On Mon, Oct 07, 2013 at 05:55:02AM +1000, James A. Donald wrote:
We know silk road was attacked with spam and malware. That it was
We know that Freedom Hosting platform was compromised, and dropped malware via a known vulnerability in the TBB. We do not know how exactly TSR was taken down. There are reasons to suspect that the official story might be a parallel construct.
attacked with spam, suggests that malware did not suffice.
The rise in Tor traffic well predates the events, and seems to be entirely attributable to C&C traffic of a botnet.
--On Monday, October 07, 2013 10:02 AM +0200 Eugen Leitl <eugen@leitl.org> wrote:
On Mon, Oct 07, 2013 at 05:55:02AM +1000, James A. Donald wrote:
We know silk road was attacked with spam and malware. That it was
We know that Freedom Hosting platform was compromised, and dropped malware via a known vulnerability in the TBB.
But that doesn't explain how freedom hosting itself was found in the first place, does it?
We do not know how exactly TSR was taken down. There are reasons to suspect that the official story might be a parallel construct.
attacked with spam, suggests that malware did not suffice.
The rise in Tor traffic well predates the events, and seems to be entirely attributable to C&C traffic of a botnet.
On Mon, Oct 07, 2013 at 06:01:00AM -0300, Juan Garofalo wrote:
But that doesn't explain how freedom hosting itself was found in the first place, does it?
Let's say you run a piece of buggy PHP code as a hidden service, on a mass hoster allowing easy signups and installation of your own code, with no hard separation of the services hosted, and possibly not even firewalling the VM traffic to force it through Tor. While it's possible they knew the physical host already, there are certainly far easier ways to nail your ass, given the above. It would be interesting to post a hidden service with actionable content as a honeypot with everything done right, to see what parallel construct story would emerge. No, I'm not volunteering.
--On Monday, October 07, 2013 11:25 AM +0200 Eugen Leitl <eugen@leitl.org> wrote:
On Mon, Oct 07, 2013 at 06:01:00AM -0300, Juan Garofalo wrote:
But that doesn't explain how freedom hosting itself was found in the first place, does it?
Let's say you run a piece of buggy PHP code as a hidden service, on a mass hoster allowing easy signups and installation of your own code, with no hard separation of the services hosted, and possibly not even firewalling the VM traffic to force it through Tor.
That is possible, but is there evidence of that actually happening, in the case of Freedom Hosting? Hadn't FH been running for a couple of years, like Silk Road? (or more?) - If FH's security was so lousy, the so-called authorities should have got him (way) sooner?
While it's possible they knew the physical host already, there are certainly far easier ways to nail your ass, given the above.
Yes, I realize that pwning the server through a PHP exploit or the like is far easier - The main reason I see that explanation as not fully satisfactory is that the attack (if it was possible) was not tried sooner.
It would be interesting to post a hidden service with actionable content as a honeypot with everything done right, to see what parallel construct story would emerge.
Indeed.
No, I'm not volunteering.
hehe =)
On Tue, 2013-10-08 at 05:22 -0300, Juan Garofalo wrote:
That is possible, but is there evidence of that actually happening, in the case of Freedom Hosting?
Hadn't FH been running for a couple of years, like Silk Road? (or more?) - If FH's security was so lousy, the so-called authorities should have got him (way) sooner?
The Wired articles mention that the FBI and the operator "struggled for control of the servers" by changing passwords on each other. You're ignoring the fact that once a server is exploited, it's an unbounded road from there to actionable, convictable evidence. Suppose the Freedom Hosting operator only ever logged in via SSH over another hidden service endpoint. How would the FBI find him? What if the servers they compromised were VMs with traffic forced through Tor? What if they were some other crazy configuration dreamed up by someone hosting a hidden service hosting service? For DPR, we know he got lazy, and more than that, that he was extremely sloppy. I'd bet that the Freedom Hosting guy was in a similar situation. There are plenty of illegal *websites* that haven't been busted yet.
-- Sent from Ubuntu
Participants (5): Eugen Leitl, James A. Donald, John Young, Juan Garofalo, Ted Smith