posted by azrael on Tuesday October 21 2014, @07:42PM
from the end-justifying-the-means dept.

Krebsonsecurity reports that new court documents released this week by the U.S. government in its case against "Dread Pirate Roberts" suggest that the feds may have some explaining to do.

Last month, the U.S. government released court records claiming that FBI investigators were able to divine the location of the hidden Silk Road servers because the community’s login page employed an anti-abuse CAPTCHA service that pulled content from the open Internet — thus leaking the site’s true Internet address.

But lawyers for alleged Silk Road captain Ross W. Ulbricht (a.k.a. the “Dread Pirate Roberts”) asked the court to compel prosecutors to prove their version of events. And indeed, discovery documents reluctantly released by the government this week appear to poke serious holes in the FBI's story.

The FBI claims that it found the Silk Road server by examining plain text Internet traffic to and from the Silk Road CAPTCHA, and that it visited the address using a regular browser and received the CAPTCHA page. But Weaver says the traffic logs from the Silk Road server (PDF) that also were released by the government this week tell a different story.

"The server logs which the FBI provides as evidence show that, no, what happened is the FBI didn’t see a leakage coming from that IP," he said. "What happened is they contacted that IP directly and got a PHPMyAdmin configuration page." See this PDF file for a look at that PHPMyAdmin page. Here is the PHPMyAdmin server configuration.

Bruce Schneier reckons the FBI's story is a botched parallel construction built on hints from the NSA.
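The leak the article describes comes from a hidden-service page that references a resource on the open Internet, so one defender-side audit is to parse the page's HTML and list every absolute URL whose host is not the .onion origin. The following is an added example, not code from the article or the court documents; the page markup and the hostnames in it are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attributes whose value makes a browser (or a server-side renderer) fetch a URL.
URL_ATTRS = {"src", "href", "action", "data", "poster"}

class ExternalRefFinder(HTMLParser):
    """Collect every absolute URL on the page whose host is not the expected origin."""

    def __init__(self, expected_host):
        super().__init__()
        self.expected_host = expected_host.lower()
        self.external = []  # (tag, attribute, url) triples

    def handle_starttag(self, tag, attrs):
        for attr, value in attrs:
            if attr not in URL_ATTRS or not value:
                continue
            parsed = urlparse(value.strip())
            # Relative URLs ("/x", "#top", "mailto:") have no host and resolve
            # against the hidden service itself, so they cannot leak another host.
            if not parsed.netloc:
                continue
            if (parsed.hostname or "").lower() != self.expected_host:
                self.external.append((tag, attr, value))

def find_external_refs(html, expected_host):
    """Return the (tag, attr, url) triples that would be fetched from outside expected_host."""
    parser = ExternalRefFinder(expected_host)
    parser.feed(html)
    return parser.external

# Constructed sample (hypothetical hostnames): a login page whose CAPTCHA image and one
# stylesheet come from clearnet hosts, while everything else stays on the onion origin.
SAMPLE_LOGIN_PAGE = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<link rel="stylesheet" href="//fonts.clearnet-example.test/login.css">
<script src="http://example-market.onion/static/login.js"></script>
</head><body>
<form method="post" action="/login">
  <img src="http://captcha.clearnet-example.test/image.php?id=42" alt="captcha">
  <input name="user"><input name="pass" type="password">
</form>
</body></html>
"""

if __name__ == "__main__":
    for tag, attr, url in find_external_refs(SAMPLE_LOGIN_PAGE, "example-market.onion"):
        print(f"<{tag} {attr}> is fetched from outside the onion origin: {url}")
```

Run against the sample, it reports the clearnet stylesheet and the CAPTCHA image, which is exactly the class of reference the article says exposed the site's real address.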

  • (Score: 1, Informative) by Anonymous Coward on Wednesday October 22 2014, @08:57AM (#108593)

    Parallel construction isn't even against the rules. A lot of people fail to realize that. The whole point of parallel construction is to gather good fruit from an unspoiled tree. The poisoned tree only poisons its own fruits. A prosecutor can always still use other, untainted fruits to prove the same thing. That is actually what they are supposed to do after a mistake that spoils evidence; find another way to prove it.

    You don't have to like it. I certainly don't like it. But if the defense uncovers parallel construction, they're doomed. There is no law against the NSA, for example, giving them a tip. In pushing to uncover it, they're probably hoping that the prosecution's attempt to hide the processes, for op-sec-related reasons of secrecy, will taint some of what was acquired in Iceland. But that is a long shot, because more likely, the prosecution will give the judge a peek behind the curtain, and when he sees military signals interception outside the US he'll just start approving everything.

    The part that will actually be used is the legal search done under Icelandic law. For evidence discovered outside the country, that chain of evidence is what is important, not how it was discovered. There are few limits on it. They're not allowed to bribe a foreign government official, for example. But hacking into a suspected server overseas, who thinks that is illegal? People who never looked into it, that is who.

    And the Schneier link is kind of weird. Just because a log that the FBI released only shows them making it into the PHPMyAdmin interface, that tells them nothing for or against how they discovered the IP. It isn't for or against. It means that particular log doesn't have the answer to that question; it is from a later time. Somebody is checking the "false" box when the correct answer is "not enough information."

    And there is even some hand-waving claiming, "the CAPTCHA couldn't leak in that configuration," but the linked configuration just shows there is nothing being done there that would expose it. But that doesn't show what other networking configuration exists. In fact it is so sparse, it simply shows that the configuration was being done somewhere else. All that is leaked so far is configs and logs that don't show anything.

    What we would actually need to see would be the CAPTCHA script code itself, to be able to determine if some leaky state exists with the right inputs. Without that, you can prove it did happen, but you can't prove it didn't happen. Plus you need a whole bunch of info about the networking setup.
