Silk Road forums

Discussion => Silk Road discussion => Topic started by: jsmithy123 on October 03, 2013, 10:50 pm

Title: interesting that the forum is still up
Post by: jsmithy123 on October 03, 2013, 10:50 pm
It is interesting that the forum is still up. I feel if they had access to that server they would have seized it at the same time.

Quite possibly it took a lot of digging (running dozens of Tor exit nodes and mapping traffic) to identify where the main SR server was, in order to image it, and that digging was not reproduced for the forums, or was, but it moved recently and the work was rendered useless.

I think it is revealing that in all of this:
- PGP is not vulnerable despite the strength of the NSA
- Nobody was identified by following bitcoin blockchain information
- TOR was functioning to keep IPs muddled up and apparently also protected the forum as well

All the key players therefore still exist: pgp, tor, bitcoin, vendors, customers.

Note that the indictment does not mention or even hint as to how the SR server IP was identified. This means that part of the operation was the trickiest. I think. Not to say they won't get much better at it in future. The more people use TOR the harder server identification will become.
Title: Re: interesting that the forum is still up
Post by: This_is_not_SOCA on October 03, 2013, 11:06 pm
Note that the indictment does not mention or even hint as to how the SR server IP was identified. This means that part of the operation was the trickiest. I think. Not to say they won't get much better at it in future. The more people use TOR the harder server identification will become.

I would say there are four possibilities there based on what we know so far:

1) Traffic analysis - that would require input from signals intelligence agencies - they could probably justify it with some 'threat to life' scenario (go figure) to satisfy the paperwork
2) The 'cooperating witness' knew exactly where it was hosted as it seems he/she was an ex-employee
3) They have obviously been on 'DPR's' case for a while so I would expect them to expend a significant amount of effort on targeted surveillance, not just of the electronic variety
4) Local LEO or intelligence agency clocked it and tipped off the feds so that they could secure some brownie points with the US

All are feasible but if I were a betting man I would go for 2 or 3, probably both.

Title: Re: interesting that the forum is still up
Post by: USASupply on October 03, 2013, 11:20 pm
They did not "find the server", they found dpr... he led them to the server in one way or another. He made some very novice mistakes; in the beginning, when you don't know you will be getting big, is when mistakes are commonly made. This was the fault of dpr, not the system in place.
Title: Re: interesting that the forum is still up
Post by: MarcelKetman on October 03, 2013, 11:32 pm
They did not "find the server", they found dpr... he led them to the server in one way or another. He made some very novice mistakes; in the beginning, when you don't know you will be getting big, is when mistakes are commonly made. This was the fault of dpr, not the system in place.

I wouldn't be so sure of that. They're never going to elaborate on how they found the server. That's the part they never want people to know.
Title: Re: interesting that the forum is still up
Post by: Ben on October 04, 2013, 12:08 am
It's actually not certain that LE actually found 'the server'. It could very well be that the .onion address of SR has simply been re-routed to another server that displays the takedown message. This would be equivalent to seizing a domain name on the clearnet, but not the server behind it - just changing the IP address a domain resolves to at the DNS level and having another server provide the takedown page.

On the clearnet that would be rather obvious since there would be a visible change in the IP address a domain name resolves to, but on the .onion net that is much more difficult to detect. There would be little or no way to prove that the takedown picture displayed now is actually served up by the same server that hosted SR before.

The forum is on yet another server (it remained up when SR buckled under attack or load in the past), though I would not assume it is not compromised somehow. Law enforcement can surely read what we discuss here - regardless of whether they actually have control over the forum or not - and probably like that very much. People are posting massively about which other marketplace they are going to, so that provides them with plenty of information on what to target next.

I'm sure there will be a new and improved SR at some point, but it may not be something like bmr or sheepmarket since those seem to be the backups for sr users right now, and have been around long enough to have made some beginner security mistakes too.
Title: Re: interesting that the forum is still up
Post by: This_is_not_SOCA on October 04, 2013, 12:31 am
... There would be little or no way to prove that the takedown picture displayed now is actually served up by the same server that hosted SR before.

Perhaps not proof but a pretty good indication:

http://silkroadvb5piz3r.onion/orders/%0A/

That URL will generate a 404 error and you will see the silk road logo and banner along the top, and if you look at the source code of the returned page you will see it is the SR template.

Which seems quite risky to me; after all, if you are taking control of the site, why would you leave the existing machine running and rely on reconfiguring the web server to redirect to a new front page? Surely, as you suggest, they would put the .onion key onto a new server. The server looks like the original nginx web server.

There is actually still SR data on the server too.

Very odd eh?

Answers on the back of a post card please.
Title: Re: interesting that the forum is still up
Post by: MarcelKetman on October 04, 2013, 12:59 am
It's actually not certain that LE actually found 'the server'. It could very well be that the .onion address of SR has simply been re-routed to another server that displays the takedown message. This would be equivalent to seizing a domain name on the clearnet, but not the server behind it - just changing the IP address a domain resolves to at the DNS level and having another server provide the takedown page.

On the clearnet that would be rather obvious since there would be a visible change in the IP address a domain name resolves to, but on the .onion net that is much more difficult to detect. There would be little or no way to prove that the takedown picture displayed now is actually served up by the same server that hosted SR before.

The forum is on yet another server (it remained up when SR buckled under attack or load in the past), though I would not assume it is not compromised somehow. Law enforcement can surely read what we discuss here - regardless of whether they actually have control over the forum or not - and probably like that very much. People are posting massively about which other marketplace they are going to, so that provides them with plenty of information on what to target next.

I'm sure there will be a new and improved SR at some point, but it may not be something like bmr or sheepmarket since those seem to be the backups for sr users right now, and have been around long enough to have made some beginner security mistakes too.

How on earth is it not certain they found the server(s)? They had an image from July 23 after receiving cooperation from the country the server is located in. They're burying DPR mainly with evidence of his communications on the site. The criminal complaint (obviously) was written before Ulbricht's arrest. Have you had your head buried in the sand for 24 hours?
Title: Re: interesting that the forum is still up
Post by: IForgotMyFuckingPassword on October 04, 2013, 02:07 am
It is interesting that the forum is still up. I feel if they had access to that server they would have seized it at the same time.
What's interesting about that? Forums aren't illegal; I think we still have freedom of speech in the US, but I'm not sure anymore (not being a smart ass -- I'm serious).

The forums and SR weren't necessarily hosted on the same server if that's what you mean.

Quite possibly it took a lot of digging (running dozens of Tor exit nodes and mapping traffic) to identify where the main SR server was, in order to image it, and that digging was not reproduced for the forums, or was, but it moved recently and the work was rendered useless.
There are so many theories. The story I read in Bloomberg implied that the Feds waited for Ulbricht to open and log into his laptop in the library before they approached him, so that they'd have unfettered access to his PC. Another story that I've heard was that the server was located in a country that the US had a LE cooperation agreement with and that that country's government informed the US. Whatever it was, I bet it was much simpler than combing through Tor exit node traffic. My hunch is that it happened via the biggest flaw in Tor security: human error/laziness (we've probably all been guilty of this at one time or another).

There's also some sort of malware that's been circulated that attacks Tor users, reporting back to its source the users' REAL IP and OS version; I think that's how they got Freedom Hosting. Google it. It's specific to older versions of Firefox (TBB uses Firefox 17 ESR).

As for the forums, I guarantee they weren't wasting time trying to figure out how to shut them down. Have you ever seen the sheer number of drug forums that are on the clearnet? Nobody's trying to shut down drugs-forum.com, the drugs.com forums, opiophile.org, erowid, etc. And those are just four that I came up with quickly off the top of my head; there are hundreds of others.

I think it is revealing that in all of this:
- PGP is not vulnerable despite the strength of the NSA
- Nobody was identified by following bitcoin blockchain information
- TOR was functioning to keep IPs muddled up and apparently also protected the forum as well
Seriously? I can't comment on PGP; as far as I know it's still safe, but I'm not guaranteeing anything. Your assumption about the blockchain is naive. I can't say if anyone was or wasn't identified, but here's a link showing how it can be done and that thousands of addresses were easily identified as being involved in the drug trade:
http://www.forbes.com/sites/andygreenberg/2013/09/05/follow-the-bitcoins-how-we-got-busted-buying-drugs-on-silk-roads-black-market/

And as for Tor, don't be so sure. Here's most of the first page of results I found when searching for 'TOR malware phone home':
http://arstechnica.com/tech-policy/2013/08/researchers-say-tor-targeted-malware-phoned-home-to-nsa/
http://www.usnews.com/news/newsgram/articles/2013/08/05/more-surveillance-secret-dea-database-and-tor-malware-revealed
http://www.reddit.com/r/onions/comments/1jr9uu/researchers_say_tortargeted_malware_phoned_home/
http://www.washingtonpost.com/blogs/the-switch/wp/2013/08/05/a-bunch-of-tor-sites-spread-malware-was-the-fbi-behind-it/
https://www.techdirt.com/articles/20130913/16572624513/yes-fbi-used-malware-to-try-to-reveal-tor-users.shtml
http://www.tomsguide.com/us/FBI-Tor-Browser-Bundle-Anonymous-Magneto-Freedom-Hosting,news-17277.html
http://www.wilderssecurity.com/showthread.php?t=351475

All the key players therefore still exist: pgp, tor, bitcoin, vendors, customers.
PGP and Tor aren't "players." PGP is like fucking 20 years old. Tor is at least 10 years old. I don't consider bitcoin to be a "player" either, but it's 4 years old. And the thing that those 3 (plus the forums) have in common is that none of them are illegal.

Note that the indictment does not mention or even hint as to how the SR server IP was identified. This means that part of the operation was the trickiest. I think. Not to say they won't get much better at it in future. The more people use TOR the harder server identification will become.
How do you know that the "SR server IP" was identified? And even if it were, it doesn't mean that it was the trickiest part. It means that if they did, they don't want anyone to know how, so that people can't take steps to build SR 2.0 using that information.

You assume too much.

PS An internet connection and a search engine can be your BFFs.
Title: Re: interesting that the forum is still up
Post by: flwrchlds9 on October 04, 2013, 02:25 am
Want to point out a few things.

Our American friend helped us, but there is no indictment unsealed yet. What we are reading are affidavits for applications for arrest warrants.

There is much information missing. There also will be information that will never be public or even used in the case, the official term is parallel reconstruction. The facts from this case will be very important and useful.

But there WILL BE misinformation and stuff left out, 100%. Mostly stuff left out.

Very disappointing that there seems to be no backup, no backup plan, no redundant systems, single person control of all of this.

Be certain the forums are being monitored HEAVILY if not under LE control. It is ok, be VERY careful. Don't use your realname@gmail.com address in a PM or anything. :0
Title: Re: interesting that the forum is still up
Post by: colorblack on October 04, 2013, 02:31 am
Guys, early yesterday when shit hit the fan, a few people here posted that they definitely saw that now infamous seizure notice on the FORUM as well... and yet it vanished shortly. I didn't personally see that.

Can anyone confirm that? I'm assuming the forums ARE absolutely under LE control, but if someone can actually give credence to what I just asked about... then it's absolutely a no-brainer.
Title: Re: interesting that the forum is still up
Post by: jsmithy123 on October 04, 2013, 02:34 am
Of course the SR server IP was identified. That is the only way to locate the webhost, and then locate the country the webhost is in, and then lean on the authorities in that country to lean on the webhost to lean on an admin to image the server and get the image to the feds, either once, or repeatedly over the course of some time. It reads plainly in the printed warrant. What they skipped is the part on how they located where the server was. You can't do shit without a real-world IP address (and time stamps) if you're chasing internet operations for images or records.

The way the warrant reads was that (a) they did controlled buys to show the market was real etc (b) they started investigating the first mention of the site, and linking it to identities in the real world (c) they *located the server* and imaged it, rifled through private messages to further establish that DPR was the main guy and paid a cadre of people via bitcoin (d) they either set him up, or got lucky, with the attempted murder plots and messages pertaining to that and the fake identities to his home address (e) they connected the dots of which they really had more than they needed.

As to why they don't take down the forum, they should, if they could. Not because forums are illegal but because the admins (some known and some unknown) that got paid would use it to contact each other and to possibly spirit away some of the proceeds they are clearly after beyond the escrow amount. It is part of the crime, after all. They'd have no problem arguing for the takedown of the forum as it is intimately connected with the operation of the site.

There is no hint that the bitcoin money trail was a weak link. I know in theory the block chain is a transaction record, but they refer to the tumbling in the warrant, saying it is hard to pin a particular transaction on a particular person. Note that even though they actually watched as DPR paid a federal agent (from a wire transfer out of Australia) it did not apparently help them pin down his identity. His identity was available through much more traditional means: a fucking gmail account in his full name, and a google plus account in his full name, both linked to the origins of the site. Christ on a bike, he made his mistakes way back at the start: stackexchange had his identity, and just didn't know it.

The people who run BMR and other forums should take heed: they need to run the servers that surface the marketplace to users as zero-value sites, the way botnets are run, with command and control hosts disguised so that even if you identify a single C&C server it doesn't help, and the owners and redundant controllers are still available. If there is a messaging system, it should enforce end-to-end encryption so that looking through PMs on an imaged database would be useless. The game will move on and get more difficult for the feds, I think. In retrospect, given the mistakes that DPR made and the evident interest the feds had in finding him, it is unbelievable it took them so long.
Title: Re: interesting that the forum is still up
Post by: flwrchlds9 on October 04, 2013, 02:44 am
Simply assume they are under LE control. Easiest and safest.
Title: Re: interesting that the forum is still up
Post by: Baraka on October 04, 2013, 03:09 am
Yes it does. You guys REALLY need to read the special agent's affidavit. Pages 24-32. It won't outright spell it out for you but it's obvious that if they had his VPN IP then all they needed to do was track the endpoints he connected to (the NSA's specialty) and go from there. He spent most of his time on SR and eventually LE was able to get enough evidence to get a warrant to image that endpoint. Easy fucking easy. This all happened July 23-26. See page 14. I suspect the NSA obtained all sorts of stuff off the books and the DEA/FBI used it in reverse to gather the admissible evidence they needed to move forward. Illegal but very common practice for the modern day police surveillance state.

DPR got some serious heat put on him on July 10th when CBP seized a shipment of fake IDs with his face on them. Homeland Security visited him on the 26th, interviewed him and watched him closely afterwards (or, much more likely, were already watching him from July 10th on after the seizure). It wasn't long until they put 2 and 2 together, then found out what VPN provider he was using and then subpoenaed the records of the VPN's hosting provider to determine his real IP. They found he was using a nearby wifi connection of a friend. They also had an FBI agent on the inside who was able to finger him for the supposed hits on two people. The first was done with real-world USD funds.

In the end if DPR had just used Tor over his VPN then it would've taken A LOT longer for SR to be physically located and compromised. Just the use of Tor. That's it. That's what fucked this site more than anything else. A simple mistake. One made many times over if you believe the affidavit which I do.

Note that the indictment does not mention or even hint as to how the SR server IP was identified.