KrebsOnSecurity reports that new court documents released this week by the U.S. government in its case against "Dread Pirate Roberts" suggest that the feds may have some explaining to do.
Last month, the U.S. government released court records claiming that FBI investigators were able to divine the location of the hidden Silk Road servers because the community’s login page employed an anti-abuse CAPTCHA service that pulled content from the open Internet — thus leaking the site’s true Internet address.
But lawyers for alleged Silk Road captain Ross W. Ulbricht (a.k.a. the “Dread Pirate Roberts”) asked the court to compel prosecutors to prove their version of events. And indeed, discovery documents reluctantly released by the government this week appear to poke serious holes in the FBI's story.
The FBI claims that it found the Silk Road server by examining plain text Internet traffic to and from the Silk Road CAPTCHA, and that it visited the address using a regular browser and received the CAPTCHA page. But Weaver says the traffic logs from the Silk Road server (PDF) that also were released by the government this week tell a different story.
"The server logs which the FBI provides as evidence show that, no, what happened is the FBI didn’t see a leakage coming from that IP," he said. "What happened is they contacted that IP directly and got a PHPMyAdmin configuration page." See this PDF file for a look at that PHPMyAdmin page. Here is the PHPMyAdmin server configuration.
Bruce Schneier reckons the FBI's story is a botched parallel construction built on hints from the NSA.
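The leak the summary describes is a hidden-service page that references a resource on the open Internet, so that a fetch of that resource is tied to a real address. As an added example (not code from the story or from any of the linked articles), the following Python script scans a page's HTML for subresource and link references to non-.onion hosts; the login page it scans is a constructed sample, and `captcha.example.com` is a placeholder, not the real CAPTCHA provider.

```python
"""Added example: scan HTML served by a Tor hidden service for references
to clearnet hosts.  Any resource fetched from the open Internet can tie the
hidden service to a real IP address, which is the failure mode the summary
attributes to the Silk Road login page.  The HTML below is a constructed
sample, not the Silk Road page."""

from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose values the browser fetches or follows.
URL_ATTRS = {"src", "href", "action", "data", "poster"}


class _RefCollector(HTMLParser):
    """Collect every (tag, attribute, value) that carries a URL."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value))


def is_clearnet(url):
    """True when the URL points at a host outside Tor (not .onion, not relative)."""
    parsed = urlparse(url.strip())
    if parsed.scheme and parsed.scheme not in ("http", "https"):
        return False  # mailto:, data:, javascript: cause no network fetch
    host = parsed.hostname
    if host is None:
        return False  # relative reference, served by the hidden service itself
    if host.endswith(".onion") or host in ("localhost", "127.0.0.1"):
        return False
    return True  # protocol-relative "//host/..." URLs land here too


def find_clearnet_leaks(html):
    """Return [(tag, attr, url)] for each reference to a non-.onion host."""
    collector = _RefCollector()
    collector.feed(html)
    return [(t, a, u) for (t, a, u) in collector.refs if is_clearnet(u)]


# Constructed sample login page: two of the references below leak.
SAMPLE_LOGIN_PAGE = """<html><head>
<link rel="stylesheet" href="/static/login.css">
<script src="https://captcha.example.com/api.js"></script>
</head><body>
<form action="/login" method="post">
<img src="/captcha.png"><img src="http://captcha.example.com/challenge?id=1">
<a href="http://abcdefghijklmnop.onion/help">help</a>
<input type="submit"></form></body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_clearnet_leaks(SAMPLE_LOGIN_PAGE):
        print(f"clearnet reference in <{tag} {attr}>: {url}")
```

This only catches references a browser would follow. A CAPTCHA backend that itself calls out to a clearnet API from the server's real address leaves no trace in the HTML, which is why the configuration and logs alone do not settle the question either way; the script code and the network setup would be needed for that.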
Related Stories
Silk Road 2.0 and 400 other sites believed to be selling illegal items including drugs and weapons have been shut down. The sites operated on the Tor network - a part of the internet unreachable via traditional search engines. The joint operation between 16 European countries and the US saw 17 arrests.
Although details of how the sites were identified are not given, it does suggest that software now exists that removes the veil behind which the DarkNet once hid. Any Soylentils have any ideas of how this might be achieved? This story might be the clue.
More information can be found here: http://www.bbc.co.uk/news/technology-29950946
(Score: 2) by takyon on Tuesday October 21 2014, @07:55PM
If the USG doesn't manage to convict Ulbricht of something, many chuckles will be had.
[SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
(Score: 2) by skullz on Tuesday October 21 2014, @08:01PM
Why can't he just suffer from depression like a normal cyber criminal mastermind? They know how to handle those types.
(Score: 2) by Kromagv0 on Tuesday October 21 2014, @08:01PM
This is all well and good but the biggest question is will the jury be competent enough to figure things out? If the defense presents all this evidence and the case hinges on feds screwing the pooch while doing parallel construction then it will probably be a conviction unless Mr. Ulbricht has got Johnnie Cochran providing a Chewbacca defense.
T-Shirts and bumper stickers [zazzle.com] to offend someone
(Score: 1, Insightful) by Anonymous Coward on Tuesday October 21 2014, @08:16PM
will the jury be competent enough to figure things out
Even let's say they figure it out, and 'ares smarts enouh'. It may not matter at all. They did do something wrong. It is pretty clear at this point they have the right guys. So they may convict anyway. Even if the gov should never have been there in the first place. This is not like say the OJ case where the one major piece of evidence they had did not fit on his hand in front of the jury and there was at least some doubt if it was him. It's pretty clear they have the right guys. They just did not follow the law finding them. I am not arguing that is right. I am just saying how people seem to react to it. They do not care about rights. They care about 'catching the bad guy'. Who knows I usually get these things wrong :)
(Score: 2) by Nerdfest on Tuesday October 21 2014, @08:23PM
It also seems pretty clear that the "law enforcement" types here broke more important laws than the people they were after.
(Score: 3, Informative) by takyon on Tuesday October 21 2014, @08:28PM
There really needs to be more jury nullification [wikipedia.org].
Of course if the FBI can prove the hitman stuff, Ulbricht is probably done for.
(Score: 2) by c0lo on Tuesday October 21 2014, @08:49PM
If the evidence is based on the prosecution breaking the law, is it still the jury to decide or is the judge to dismiss the suit?
https://www.youtube.com/watch?v=aoFiw2jMy-0 https://soylentnews.org/~MichaelDavidCrawford
(Score: 2) by takyon on Tuesday October 21 2014, @09:38PM
Probably the judge's decision to throw out the suit or some of the evidence. The judge [wired.com] has not reacted well to the defense's claims so far.
(Score: 1, Insightful) by Anonymous Coward on Tuesday October 21 2014, @10:46PM
she argues that even if the FBI did hack the Silk Road server, Ulbricht hadn’t sufficiently demonstrated that the server belonged to him, and thus can’t claim that his privacy rights were violated by its search.
Seems like she's just fine with the "fruit of the poisonous tree" - it ought not to matter if it was his rights or anyone else's, the issue is if she is OK with the cops breaking the law to enforce the law. And if she is OK with that, then she's given up any claim that the cops are more legitimate than any other lawbreaker.
(Score: 1, Informative) by Anonymous Coward on Wednesday October 22 2014, @08:57AM
Parallel construction isn't even against the rules. A lot of people fail to realize that. The whole point of parallel construction is to gather good fruit from an unspoiled tree. The poisoned tree only poisons its own fruits. A prosecutor can always still use other, untainted fruits to prove the same thing. That is actually what they are supposed to do after a mistake that spoils evidence; find another way to prove it.
You don't have to like it. I certainly don't like it. But if the defense uncovers parallel construction, they're doomed. There is no law against the NSA, for example, giving them a tip. In pushing to uncover it, they're probably hoping that the prosecution's attempt to hide the processes, for op-sec-related reasons of secrecy, will taint some of what was acquired in Iceland. But that is a long shot, because more likely, the prosecution will give the judge a peek behind the curtain, and when he sees military signals interception outside the US he'll just start approving everything.
The part that will actually be used is the legal search done under Icelandic law. For evidence discovered outside the country, that chain of evidence is what is important, not how it was discovered. There are few limits on it. They're not allowed to bribe a foreign government official, for example. But hacking into a suspected server overseas, who thinks that is illegal? People who never looked into it, that is who.
And the Schneier link is kind of weird. Just because a log that the FBI released only shows them making it into the PHPMyAdmin interface, that tells them nothing for or against how they discovered the IP. It isn't for or against. It means that particular log doesn't have the answer to that question; it is from a later time. Somebody is checking the "false" box when the correct answer is "not enough information."
And there is even some hand-waving claiming, "the CAPTCHA couldn't leak in that configuration," but the linked configuration just shows there is nothing being done there that would expose it. But that doesn't show what other networking configuration exists. In fact it is so sparse, it simply shows that the configuration was being done somewhere else. All that is leaked so far is configs and logs that don't show anything.
What we would actually need to see would be the CAPTCHA script code itself, to be able to determine if some leaky state exists with the right inputs. Without that, you can prove it did happen, but you can't prove it didn't happen. Plus you need a whole bunch of info about the networking setup.
(Score: 3, Interesting) by tibman on Tuesday October 21 2014, @09:05PM
The first thing you do when you install PHPMyAdmin is move the directory elsewhere. You could even add a .htaccess if you wanted to. But don't leave it vanilla! I use a custom 404 page that looks at what the intended destination was. If the client asks for any generic admin-ish URL then the IP is added to the drop list. They get their 404 with an explanation of why they can never connect to the site again. A living user could appeal via email, obviously. But i doubt that someone who was intentionally trying to break-in would ever do so.
I'm curious why the ip address is local? Some kind of tunnel?
SN won't survive on lurkers alone. Write comments.
(Score: 3, Interesting) by maxwell demon on Tuesday October 21 2014, @11:14PM
This should make it dead easy to kill the Google indexing of your page if someone (maybe the very person trying to attack your site!) desires to do so: Just put a link to an admin-ish URL somewhere where Google can find it, and soon all Google spider addresses will be permanently blocked.
Also, if an attempt is made from a connection with dynamic IP, it is very likely that you'll not block the original attacker, but a random user who has no idea what's going on.
The Tao of math: The numbers you can count are not the real numbers.
(Score: 2) by tibman on Wednesday October 22 2014, @03:03AM
All true : ) But i'll also never fall victim to someone finding an outdated/vulnerable version of phpmyadmin. The whole folder tree should not be viewable by just anyone. Mine is only viewable if the source addr is localhost. So i have to ssh tunnel in and connect that way. The machine is headless.
About the 404 blocker. If i ran a site that people actually visited then i'd worry more about automated crawlers being blocked. But right now it is not intended to be listed. 90% of the current traffic is automated vulnerability scanners (well, i hope it's automated, lol). There isn't much i can do about proxy ips and dynamic ips. If someone was using Tor, for example, the server would end up blocking all the exit nodes and nobody could reach the site via Tor anymore. Those kinds of issues don't have simple answers. White-listing ips that actively spew garbage at your server is an uncomfortable compromise. Thankfully, it is not one i need to worry about right now. The best solution i know for dynamic ips is to just block them for shorter periods of time. Maybe a week or two. It'll shut up a noisy scanner but someone who inherits a previously blocked ip will be in a temporary situation. It's another compromise : /
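tibman's admin-URL tripwire, together with the two objections raised against it (a planted link gets a search-engine crawler banned; a dynamic address punishes whoever inherits it next) and the shorter-block compromise from the last reply, as one added example in Python. This is not tibman's code or any part of his setup: the probe paths, the exempt network, the log lines and the timestamps are all constructed for the example, and the exempt range is a documentation placeholder, not a real crawler allocation.

```python
"""Added example (not tibman's code): a 404-driven admin-URL tripwire with
the objections from the thread built in.  Addresses in EXEMPT_NETWORKS are
never banned, so a planted link cannot get a crawler blocked, and bans
expire after BAN_TTL, so a recycled dynamic address is only locked out for
a while.  Patterns, networks, log lines and times are constructed."""

import ipaddress
import re
from datetime import datetime, timedelta, timezone

# Requests for these paths are treated as reconnaissance (constructed list).
# In a setup like tibman's, phpMyAdmin has been moved, so these always 404.
TRIPWIRE_PATTERNS = [re.compile(p, re.IGNORECASE) for p in (
    r"^/phpmyadmin", r"^/pma", r"^/wp-admin", r"^/admin", r"^/manager/html")]

# Ranges that are never banned: crawlers you want indexing the site, or Tor
# exit relays if the site must stay reachable over Tor.  Placeholder range.
EXEMPT_NETWORKS = [ipaddress.ip_network("192.0.2.0/24")]

# Block duration: long enough to silence a scanner, short enough that a
# dynamic address handed to another subscriber is not locked out for good.
BAN_TTL = timedelta(days=7)

# Common Log Format: ip ident user [time] "method path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


class TripwireBlocklist:
    def __init__(self, ttl=BAN_TTL, exempt=EXEMPT_NETWORKS):
        self.ttl = ttl
        self.exempt = exempt
        self.banned = {}  # ip -> datetime at which the ban lapses

    def _is_exempt(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.exempt)

    def observe(self, log_line):
        """Feed one access-log line; return True if it triggered a ban."""
        m = LOG_RE.match(log_line)
        if not m:
            return False
        ip, ts, _method, path, status = m.groups()
        if status != "404":
            return False  # only unanswered probes count as the tripwire
        if not any(p.search(path) for p in TRIPWIRE_PATTERNS):
            return False
        if self._is_exempt(ip):
            return False  # a planted link must not get a crawler banned
        self.banned[ip] = datetime.strptime(ts, TIME_FMT) + self.ttl
        return True

    def is_blocked(self, ip, now):
        """Return True while the ban is active; drop it once it has lapsed."""
        expiry = self.banned.get(ip)
        if expiry is None:
            return False
        if now >= expiry:
            del self.banned[ip]  # address may belong to someone else by now
            return False
        return True


# Constructed access-log lines: a scanner, an exempt crawler that followed
# a planted link, and an ordinary visitor.
SAMPLE_LOG = [
    '198.51.100.7 - - [21/Oct/2014:20:01:00 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 404 512',
    '198.51.100.7 - - [21/Oct/2014:20:01:02 +0000] "GET /pma/ HTTP/1.1" 404 512',
    '192.0.2.10 - - [21/Oct/2014:20:05:00 +0000] "GET /phpMyAdmin/ HTTP/1.1" 404 512',
    '203.0.113.5 - - [21/Oct/2014:20:10:00 +0000] "GET /index.html HTTP/1.1" 200 2048',
]
SAMPLE_NOW = datetime(2014, 10, 21, 20, 30, tzinfo=timezone.utc)
SAMPLE_LATER = SAMPLE_NOW + timedelta(days=8)  # after the 7-day ban lapses


def run_sample():
    """Replay SAMPLE_LOG; return the blocklist and which lines tripped it."""
    bl = TripwireBlocklist()
    hits = [bl.observe(line) for line in SAMPLE_LOG]
    return bl, hits


if __name__ == "__main__":
    bl, hits = run_sample()
    for line, hit in zip(SAMPLE_LOG, hits):
        print(("BAN   " if hit else "pass  ") + line.split(" ")[0], line.split('"')[1])
    print("scanner blocked now:", bl.is_blocked("198.51.100.7", SAMPLE_NOW))
    print("scanner blocked 8 days later:", bl.is_blocked("198.51.100.7", SAMPLE_LATER))
```

The exemption list is the uncomfortable compromise the thread arrives at: it keeps crawlers and Tor exits reachable, but an address on that list can probe freely, so it should be as short as possible and reviewed rather than grown on demand.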