
posted by azrael on Tuesday October 21 2014, @07:42PM
from the end-justifying-the-means dept.

KrebsOnSecurity reports that new court documents released this week by the U.S. government in its case against "Dread Pirate Roberts" suggest that the feds may have some explaining to do.

Last month, the U.S. government released court records claiming that FBI investigators were able to divine the location of the hidden Silk Road servers because the community’s login page employed an anti-abuse CAPTCHA service that pulled content from the open Internet — thus leaking the site’s true Internet address.

But lawyers for alleged Silk Road captain Ross W. Ulbricht (a.k.a. the “Dread Pirate Roberts”) asked the court to compel prosecutors to prove their version of events. And indeed, discovery documents reluctantly released by the government this week appear to poke serious holes in the FBI's story.

The FBI claims that it found the Silk Road server by examining plain text Internet traffic to and from the Silk Road CAPTCHA, and that it visited the address using a regular browser and received the CAPTCHA page. But Weaver says the traffic logs from the Silk Road server (PDF) that also were released by the government this week tell a different story.

"The server logs which the FBI provides as evidence show that, no, what happened is the FBI didn’t see a leakage coming from that IP," he said. "What happened is they contacted that IP directly and got a PHPMyAdmin configuration page." See this PDF file for a look at that PHPMyAdmin page. Here is the PHPMyAdmin server configuration.

Bruce Schneier reckons the FBI's story is a botched parallel construction built on hints from the NSA.

  • (Score: 3, Interesting) by tibman (134) on Tuesday October 21 2014, @09:05PM (#108401)

    The first thing you do when you install PHPMyAdmin is move the directory elsewhere. You could even add a .htaccess if you wanted to. But don't leave it vanilla! I use a custom 404 page that looks at what the intended destination was. If the client asks for any generic admin-ish URL then the IP is added to the drop list. They get their 404 with an explanation of why they can never connect to the site again. A living user could appeal via email, obviously. But I doubt that someone who was intentionally trying to break in would ever do so.

    I'm curious why the IP address is local? Some kind of tunnel?

    --
    SN won't survive on lurkers alone. Write comments.
  • (Score: 3, Interesting) by maxwell demon (1608) on Tuesday October 21 2014, @11:14PM (#108462)

    I use a custom 404 page that looks at what the intended destination was. If the client asks for any generic admin-ish URL then the IP is added to the drop list. They get their 404 with an explanation of why they can never connect to the site again.

    This should make it dead easy to kill the Google indexing of your page if someone (maybe the very person trying to attack your site!) desires to do so: Just put a link to an admin-ish URL somewhere where Google can find it, and soon all Google spider addresses will be permanently blocked.

    Also, if an attempt is made from a connection with dynamic IP, it is very likely that you'll not block the original attacker, but a random user who has no idea what's going on.

    --
    The Tao of math: The numbers you can count are not the real numbers.
    • (Score: 2) by tibman (134) on Wednesday October 22 2014, @03:03AM (#108519)

      All true : ) But I'll also never fall victim to someone finding an outdated/vulnerable version of phpmyadmin. The whole folder tree should not be viewable by just anyone. Mine is only viewable if the source addr is localhost. So I have to ssh tunnel in and connect that way. The machine is headless.

      About the 404 blocker. If I ran a site that people actually visited then I'd worry more about automated crawlers being blocked. But right now it is not intended to be listed. 90% of the current traffic is automated vulnerability scanners (well, I hope it's automated, lol). There isn't much I can do about proxy IPs and dynamic IPs. If someone was using Tor, for example, the server would end up blocking all the exit nodes and nobody could reach the site via Tor anymore. Those kinds of issues don't have simple answers. White-listing IPs that actively spew garbage at your server is an uncomfortable compromise. Thankfully, it is not one I need to worry about right now. The best solution I know for dynamic IPs is to just block them for shorter periods of time. Maybe a week or two. It'll shut up a noisy scanner but someone who inherits a previously blocked IP will be in a temporary situation. It's another compromise : /

      --
      SN won't survive on lurkers alone. Write comments.
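The drop-list idea from tibman's comments, with the two objections raised in the thread (crawler addresses getting banned, a dynamic IP punishing whoever inherits it) handled by a crawler allowlist and a time-limited block. This is an added example, not code from either commenter; the log lines, the admin-path list and the 192.0.2.0/24 crawler range are constructed stand-ins.

```python
import re
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample access-log lines (common log format); documentation IPs only.
SAMPLE_LOG = """\
203.0.113.7 - - [22/Oct/2014:03:01:10 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512
203.0.113.7 - - [22/Oct/2014:03:01:11 +0000] "GET /pma/ HTTP/1.1" 404 512
198.51.100.9 - - [22/Oct/2014:03:02:00 +0000] "GET /index.html HTTP/1.1" 200 2048
192.0.2.5 - - [22/Oct/2014:03:02:30 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 512
"""
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST|HEAD) (\S+)')
# Paths no legitimate visitor of this site asks for (assumed list; adjust per site).
ADMIN_PROBE = re.compile(r"^/(phpmyadmin|pma|myadmin|wp-admin|admin)(/|$)", re.I)
# Crawler ranges that must never be dropped; 192.0.2.0/24 is a constructed stand-in.
ALLOW_NETS = [ipaddress.ip_network("192.0.2.0/24")]
BLOCK_FOR = timedelta(days=14)  # short block, the compromise suggested for dynamic IPs

def build_blocklist(log_text, block_for=BLOCK_FOR):
    """Map each client IP that probed an admin-ish path to the time its block expires."""
    blocks = {}
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        ip, ts, path = m.groups()
        if not ADMIN_PROBE.match(path):
            continue
        if any(ipaddress.ip_address(ip) in net for net in ALLOW_NETS):
            continue  # allowlisted crawler: log it, never drop it
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        blocks[ip] = when + block_for  # a repeat probe extends the block
    return blocks

def is_blocked(blocks, ip, now):
    """True while the block for ip has not yet expired."""
    expiry = blocks.get(ip)
    return expiry is not None and now < expiry

def demo():
    # Who is dropped on the day of the probes, and who is still dropped 30 days later.
    blocks = build_blocklist(SAMPLE_LOG)
    probe_day = datetime(2014, 10, 22, 4, 0, tzinfo=timezone.utc)
    later = probe_day + timedelta(days=30)
    return {
        "blocked_now": sorted(ip for ip in blocks if is_blocked(blocks, ip, probe_day)),
        "blocked_later": sorted(ip for ip in blocks if is_blocked(blocks, ip, later)),
        "crawler_blocked": "192.0.2.5" in blocks,
    }
```

The same expiry map would feed whatever actually drops packets (a firewall set, an .htaccess deny list); the point here is the decision logic, which never touches the allowlisted range and forgets a scanner's address after the block window.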