how to use Tor securely (Re: Silk Road founder arrested ...)

Andy Isaacson adi at hexapodia.org
Fri Oct 4 11:49:52 PDT 2013


On Fri, Oct 04, 2013 at 08:16:48PM +1000, James A. Donald wrote:
> Two security failures:  The feds were able to find the Tor hidden
> web server, and, having found it, there was information on the web
> server that should not have been there.

Note that this thread has meandered around, discussed several different
security failures, and you seem to be returning to the Silk Road one.

> My understanding is that they found a bunch of Tor machines,

I don't see any evidence or claim that the investigation touched,
investigated, or influenced any Tor relays in the published documents
about the Silk Road arrest.  Do you have any basis for this
understanding?

(BTW, it's *very* easy to "find a bunch of Tor machines", most of the
Tor relays' IPs are listed in the public "consensus".)

> installed malware by means of rubber hoses,

Again, I see no published claim that any malware was used in this
investigation, nor that the investigators had to lean on anyone (much
less torture them, as the phrase "rubber hose" indicates) to install
malware.

> and thus located the
> Silk Road hidden web server.

The complaint and the indictment are stunningly silent on that part of
the investigation, and the press coverage I've seen also doesn't shed
much light on exactly how the machine in "a certain foreign country" was
located.  A few possibilities have been raised:

 - an investigator exploited the Silk Road software stack via its public
   web UI and caused the server to disclose its IP by connecting to a
   service outside of Tor.  This seems quite plausible, to me.

 - the investigation already had Ulbricht targeted, but without a
   smoking gun, and watched his SSH traffic using a standard wiretapping
   warrant.  This should have shown up in the arrest complaint if so.

 - an NSA/GCHQ capture was used to locate the server, and the public
   disclosure so far is an example of "parallel construction".

 - a vulnerability in the Tor network let the investigators find the
   server, possibly assisted by the investigators running some number of
   Tor relays.

 - the IP was known to any of the several criminal elements known to be
   interested in Silk Road, and the investigators got it as part of a
   deal (to drop another investigation, or harass someone's enemy, or
   similar).

Given the shoddy quality of the rest of Ulbricht's security posture, I
strongly suspect that a "phone home" vuln in the SR server was the
trigger.  "Never trust anyone whose programming language of choice is
PHP."

-andy


