Stories
Slash Boxes
Comments

SoylentNews is people

posted by azrael on Tuesday October 21 2014, @07:42PM   Printer-friendly [Skip to comment(s)]
from the end-justifying-the-means dept.

Krebsonsecurity reports that new court documents released this week by the U.S. government in its case against "Dread Pirate Roberts" suggest that the feds may have some explaining to do.

Last month, the U.S. government released court records claiming that FBI investigators were able to divine the location of the hidden Silk Road servers because the community’s login page employed an anti-abuse CAPTCHA service that pulled content from the open Internet — thus leaking the site’s true Internet address.

But lawyers for alleged Silk Road captain Ross W. Ulbricht (a.k.a. the “Dread Pirate Roberts”) asked the court to compel prosecutors to prove their version of events. And indeed, discovery documents reluctantly released by the government this week appear to poke serious holes in the FBI's story.

The FBI claims that it found the Silk Road server by examining plain text Internet traffic to and from the Silk Road CAPTCHA, and that it visited the address using a regular browser and received the CAPTCHA page. But Weaver says the traffic logs from the Silk Road server (PDF) that also were released by the government this week tell a different story.

"The server logs which the FBI provides as evidence show that, no, what happened is the FBI didn’t see a leakage coming from that IP," he said. "What happened is they contacted that IP directly and got a PHPMyAdmin configuration page." See this PDF file for a look at that PHPMyAdmin page. Here is the PHPMyAdmin server configuration.

Bruce Schneier reckons FBI's story is a botched parallel construction on hints from NSA.

Related Stories

Huge Raid to Shut Down 400-plus DarkNet Sites 31 comments

Silk Road 2.0 and 400 other sites believed to be selling illegal items including drugs and weapons have been shut down. The sites operated on the Tor network - a part of the internet unreachable via traditional search engines. The joint operation between 16 European countries and the US saw 17 arrests.

Although details of how the sites were identified are not given, it does suggest that software now exists that removes the veil that behind which the DarkNet once hid. Any Soylentils have any ideas of how this might be achieved? This story might be the clue.

More information can be found here : http://www.bbc.co.uk/news/technology-29950946

This discussion has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 2) by takyon on Tuesday October 21 2014, @07:55PM

    by takyon (881) <{takyon} {at} {soylentnews.org}> on Tuesday October 21 2014, @07:55PM (#108370) Journal

    If the USG doesn't manage to convict Ulbricht of something, many chuckles will be had.

    --
    [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 2) by skullz on Tuesday October 21 2014, @08:01PM

      by skullz (2532) on Tuesday October 21 2014, @08:01PM (#108375)

      Why can't he just suffer from depression like a normal cyber criminal mastermind? They know how to handle those types.

  • (Score: 2) by Kromagv0 on Tuesday October 21 2014, @08:01PM

    by Kromagv0 (1825) on Tuesday October 21 2014, @08:01PM (#108374) Homepage

    This is all well and good but the biggest question is will the jury be competent enough to figure things out? If the defense presents all this evidence and the case hinges on feds screwing the pooch while doing parallel construction then it will probably be a conviction unless Mr. Ulbricht has got Johnnie Cochran providing a Chewbacca defense.

    --
    T-Shirts and bumper stickers [zazzle.com] to offend someone
    • (Score: 1, Insightful) by Anonymous Coward on Tuesday October 21 2014, @08:16PM

      by Anonymous Coward on Tuesday October 21 2014, @08:16PM (#108380)

      will the jury be competent enough to figure things out

      Even lets say they figure it out, and 'ares smarts enouh'. It may not matter at all. They did do something wrong. It is pretty clear at this point they have the right guys. So they may convict anyway. Even if the gov should never have been there in the first place. This is not like say the OJ case where the one major piece of evidence they had did not fit on his hand in front of the jury and there was at least some doubt if it was him. Its pretty clear they have the right guys. They just did not follow the law finding them. I am not arguing that is right. I am just saying how people seem to react to it. They do not care about rights. They care about 'catching the bad guy'. Who knows I usually get these things wrong :)

      • (Score: 2) by Nerdfest on Tuesday October 21 2014, @08:23PM

        by Nerdfest (80) on Tuesday October 21 2014, @08:23PM (#108383)

        It also seems pretty clear that the "law enforcement" types here broke more important laws than the people they were after.

    • (Score: 3, Informative) by takyon on Tuesday October 21 2014, @08:28PM

      by takyon (881) <{takyon} {at} {soylentnews.org}> on Tuesday October 21 2014, @08:28PM (#108384) Journal

      There really needs to be more jury nullification [wikipedia.org].

      Of course if the FBI can prove the hitman stuff, Ulbricht is probably done for.

      --
      [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
    • (Score: 2) by c0lo on Tuesday October 21 2014, @08:49PM

      by c0lo (156) Subscriber Badge on Tuesday October 21 2014, @08:49PM (#108397) Journal

      This is all well and good but the biggest question is will the jury be competent enough to figure things out?

      If the evidence is based on the prosecution breaking the law, is it still the jury to decide or is the judge to dismiss the suit?

      --
      https://www.youtube.com/watch?v=aoFiw2jMy-0
      • (Score: 2) by takyon on Tuesday October 21 2014, @09:38PM

        by takyon (881) <{takyon} {at} {soylentnews.org}> on Tuesday October 21 2014, @09:38PM (#108425) Journal

        Probably the judge's decision to throw out the suit or some of the evidence. The judge [wired.com] has not reacted well to the defense's claims so far.

        In a 38-page ruling Friday, Judge Katherine Forrest dismissed the defense’s motion to suppress evidence that hinged on the argument that law enforcement had violated Ulbricht’s Fourth Amendment right to privacy from unreasonable searches. Just last week, Ulbricht’s lawyers went so far as to contend that the FBI had illegally hacked a Silk Road server in Iceland without a warrant to determine its location.

        But the Judge’s rejection of that argument comes down to what may be seen as a fateful technicality: she argues that even if the FBI did hack the Silk Road server, Ulbricht hadn’t sufficiently demonstrated that the server belonged to him, and thus can’t claim that his privacy rights were violated by its search.

        --
        [SIG] 10/28/2017: Soylent Upgrade v14 [soylentnews.org]
        • (Score: 1, Insightful) by Anonymous Coward on Tuesday October 21 2014, @10:46PM

          by Anonymous Coward on Tuesday October 21 2014, @10:46PM (#108453)

          she argues that even if the FBI did hack the Silk Road server, Ulbricht hadn’t sufficiently demonstrated that the server belonged to him, and thus can’t claim that his privacy rights were violated by its search.

          Seems like she's just fine with the "fruit of the posionous tree" - it ought not to matter if it was his rights or anyone else's, the issue is if she is OK with the cops breaking the law to enforce the law. And if she is OK with that, then she's given up any claim that the cops are more legitimate than any other lawbreaker.

    • (Score: 1, Informative) by Anonymous Coward on Wednesday October 22 2014, @08:57AM

      by Anonymous Coward on Wednesday October 22 2014, @08:57AM (#108593)

      Parallel construction isn't even against the rules. A lot of people fail to realize that. The whole point of parallel construction is to gather good fruit from an unspoiled tree. The poisoned tree only poisons its own fruits. A prosecutor can always still use other, untainted fruits to prove the same thing. That is actually what they are supposed to do after a mistake that spoils evidence; find another way to prove it.

      You don't have to like it. I certainly don't like it. But if the defense uncovers parallel construction, they're doomed. There is no law against the NSA, for example, giving them a tip. In pushing to uncover it, they're probably hoping that the prosecution's attempt to hide the processes, for op-sec-related reasons of secrecy, will taint some of what was acquired in Iceland. But that is a long shot, because more likely, the prosecution will give the judge a peek behind the curtain, and when he sees military signals interception outside the US he'll just start approving everything.

      The part that will actually be used is the legal search done under Icelandic law. For evidence discovered outside the country, that chain of evidence is what is important, not how it was discovered. There are few limits on it. They're not allowed to bribe a foreign government official, for example. But hacking into a suspected server overseas, who thinks that is illegal? People who never looked into it, that is who.

      And the Schneier link is kindof weird. Just because a log that the FBI released only shows them making it into the PHPMyAdmin interface, that tells them nothing for or against how they discovered the IP. It isn't for or against. It means that particular log doesn't have the answer to that question; it is from a later time. Somebody is checking the "false" box when the correct answer is "not enough information."

      And there is even some hand-waving claiming, "the CAPTCHA couldn't leak in that configuation," but the linked configuration just shows there is nothing being done there that would expose it. But that doesn't show what other networking configuration exists. In fact it is so sparse, it simply shows that the configuration was being done somewhere else. All that is leaked so far is configs and logs that don't show anything.

      What we would actually need to see would be the CAPTCHA script code itself, to be able to determine if some leaky state exists with the right inputs. Without that, you can prove it did happen, but you can't prove it didn't happen. Plus you need a whole bunch of info about the networking setup.

  • (Score: 3, Interesting) by tibman on Tuesday October 21 2014, @09:05PM

    by tibman (134) Subscriber Badge on Tuesday October 21 2014, @09:05PM (#108401)

    The first thing you do when you install PHPMyAdmin is move the directory elsewhere. You could even add a .htaccess if you wanted to. But don't leave it vanilla! I use a custom 404 page that looks at what the intended destination was. If the client asks for any generic admin-ish URL then the IP is added to the drop list. They get their 404 with an explanation of why they can never connect to the site again. A living user could appeal via email, obviously. But i doubt that someone who was intentionally trying to break-in would ever do so.

    I'm curious why the ip address is local? Some kind of tunnel?

    --
    SN won't survive on lurkers alone. Write comments.
    • (Score: 3, Interesting) by maxwell demon on Tuesday October 21 2014, @11:14PM

      by maxwell demon (1608) on Tuesday October 21 2014, @11:14PM (#108462) Journal

      I use a custom 404 page that looks at what the intended destination was. If the client asks for any generic admin-ish URL then the IP is added to the drop list. They get their 404 with an explanation of why they can never connect to the site again.

      This should make is dead easy to kill the Google indexing of your page if someone (maybe the very person trying to attack your site!) desires to do so: Just put a link to an admin-ish URL somewhewre where Google can find it, and soon all Google spider addresses will be permanently blocked.

      Also, if an attempt is made from a connection with dynamic IP, it is very likely that you'll not block the original attacker, but a random user who has no idea what's going on.

      --
      The Tao of math: The numbers you can count are not the real numbers.
      • (Score: 2) by tibman on Wednesday October 22 2014, @03:03AM

        by tibman (134) Subscriber Badge on Wednesday October 22 2014, @03:03AM (#108519)

        All true : ) But i'll also never fall victim to someone finding an outdated/vulnerable version of phpmyadmin. The whole folder tree should not be viewable by just anyone. Mine is only viewable if the source addr is localhost. So i have to ssh tunnel in and connect that way. The machine is headless.

        About the 404 blocker. If i ran a site that people actually visited then i'd worry more about automated crawlers being blocked. But right now it is not intended to be listed. 90% of the current traffic is automated vulnerability scanners (well, i hope it's automated, lol). There isn't much i can do about proxy ips and dynamic ips. If someone was using Tor, for example, the server would end up blocking all the exit nodes and nobody could reach the site via Tor anymore. Those kinds of issues don't have simple answers. White-listing ips that actively spew garbage at your server is an uncomfortable compromise. Thankfully, it is not one i need to worry about right now. The best solution i know for dynamic ips is to just block them for shorter periods of time. Maybe a week or two. It'll shut up a noisy scanner but someone who inherits a previously blocked ip will be in a temporary situation. It's another compromise : /

        --
        SN won't survive on lurkers alone. Write comments.