DOJ Says No NSA Help Was Needed To Find Dread Pirate Roberts Since He Misconfigured His CAPTCHAs

from the oops dept

The lawyers for Ross Ulbricht have been tossing an awful lot of speculative legal theories at the legal wall in his defense in the past few months, and none of them seem to be sticking. The most recent attempt was to argue that the process by which the DOJ/FBI got access to Silk Road’s servers must have violated the 4th Amendment, mainly because it was “hidden” via Tor, and Ulbricht couldn’t figure out how else the FBI tracked down the servers. In response, the DOJ has revealed the details of how it tracked down the servers via a very readable court filing where you can almost feel the snark dripping from the US Attorneys’ Office, as they mock both the speculative and hyperbolic nature of the claims, and reveal that Ulbricht basically misconfigured his CAPTCHA login feature to leak the IP address.

Contrary to Ulbricht?s conjecture that the server hosting the Silk Road website (the ?SR Server?) was located by the NSA, the server was in fact located by the FBI New York Field Office in or about June 2013…. The Internet protocol (?IP?) address of the SR Server (the ?Subject IP Address?) was ?leaking? from the site due to an apparent misconfiguration of the user login interface by the site administrator ? i.e., Ulbricht…. FBI agents noticed the leak upon reviewing the data sent back by the Silk Road website when they logged on or attempted to log on as users of the site…. A close examination of the headers in this data revealed a certain IP address not associated with the Tor network (the ?Subject IP Address?) as the source of some of the data…. FBI personnel entered the Subject IP Address directly into an ordinary (non-Tor) web browser, and it brought up a screen associated with the Silk Road login interface, confirming that the IP address belonged to the SR Server….

Based on publicly available information, the Subject IP Address was associated with a server housed at a data center operated by a foreign server-hosting company in Iceland…. Accordingly, on June 12, 2013, the United States issued a request to Iceland for Icelandic authorities to take certain investigative measures with respect to the server, including collecting routing information for communications sent to and from the server, and covertly imaging the contents of the server…. The Reykjavik Metropolitan Police (?RMP?) provided routing information for the server soon thereafter, which showed a high volume of Tor traffic flowing to the server ? further confirming that it was hosting a large website on Tor…. Subsequently, after obtaining the legal process required under Icelandic law to search the server, and after consulting with U.S. authorities concerning the timing of the search, the RMP covertly imaged the server and shared the results with the FBI on or about July 29, 2013…. Forensic examination of the image by the FBI immediately and fully confirmed that the server was in fact hosting the Silk Road website, i.e., that it was in fact the SR Server…. The server contained what were clearly the contents of the Silk Road website ? including databases of vendor postings, transaction records, private messages between users, and other data reflecting user activity ? as well as the computer code used to operate the website.

Later, the filing points out:

It does not matter that Ulbricht intended to conceal the IP address of the SR Server from public view. He failed to do so competently, and as a result the IP address was transmitted to another party ? which turned out to be the FBI ? who could lawfully take notice of it.

While the DOJ’s story is compelling (and while I’m sure some will still insist “parallel construction,” it seems like there would need to be a lot more evidence of that happening), there are some other interesting tidbits in the filing. Ulbricht had argued that the search of the server was unconsitutional because his property was searched without a warrant. However, the DOJ points out that since the server was in Iceland, the 4th Amendment doesn’t apply. But in defending the lack of a warrant, it’s interesting that the DOJ admits that under the Stored Communications Act, a “warrant was not even an option… given that the SR Server was controlled by a foreign data center.”

That seems to contradict the DOJ’s claims in its ongoing fight with Microsoft over accessing emails stored in Ireland. There, the DOJ insists that a warrant under the SCA is not only very much an option, but that it requires Microsoft to hand over the data. The DOJ says the cases are different since Microsoft is a US entity, and thus the SCA compels the US entity to reveal data no matter where it is, but that doesn’t apply since the Silk Road server was controlled by an Icelandic company.

There remain some interesting legal questions raised by the prosecution against Ulbricht, but so far, the extremely speculative nature of his defense doesn’t seem particularly likely to get anywhere. Also, the leaky CAPTCHA should serve as a reminder that, despite all the freakouts and concerns from law enforcement about how the internet and things like Tor will make it impossible to catch criminals, people will almost always mess up somehow and reveal breadcrumbs back to who they are.

Filed Under: , , , , , ,
Companies: silk road

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “DOJ Says No NSA Help Was Needed To Find Dread Pirate Roberts Since He Misconfigured His CAPTCHAs”

Subscribe: RSS Leave a comment
51 Comments
Anonymous Coward says:

Can't trust any government's story, sorry.

Creating the “how they got him” after the fact…. or genuine?

Why would they release the “how they got him”?

Seriously… is that not the type of shit they criticize Snowden for, but worse as it’s a literal operational method that they “leaked”.

Their operational practices are on a need to know basis, unless they are forced to reveal them. When we know, there is a reason.


-tinfoil- (but not very tinfoil-ey

My bet is on a timing attack of tor. Apparently they have a buffer and can replay traffic over and over again if it’s in the buffer. They have a copy of practically all the traffic at the isp level.

Annonimus says:

Re: Why you should give the DOJ the benefit of a doubt?

Because if they are lying about this case there will be a leak about this case either from the Snowden cache or from one of the new leakers that are running around, but more importantly they did not try to redact their filing of the evidence of how this was obtained in this case.

Also a leaking capcha does not strike me as something the DOJ or the FBI would come up with as an excuse to make this case. The bad guy was an idiot just does not have the same ring to it as all those made up home grown terrorist plots they keep ringing their own bells about.

Anonymous Coward says:

Re: Re: Why you should give the DOJ the benefit of a doubt?

The point is that both the FBI and CIA have been advised to use parallel construction (i.e. falsifying evidence) as a legitimate tactic to try and catch people.

Protip: If you have to ignore the law to catch the criminals, then you are a criminal, too.

Anonymous Coward says:

Re: Re: Why you should give the DOJ the benefit of a doubt?

Because if they are lying about this case there will be a leak about this case either from the Snowden cache or from one of the new leakers that are running around, but more importantly they did not try to redact their filing of the evidence of how this was obtained in this case.

If we had enough leakers to disclose all major falsehoods issued by government officials in service of their duty, we would have a lot more leaks than we’re seeing. Whistleblowers serve a valuable purpose, but you shouldn’t assume that there will always be someone with the access and the motivation around to report misconduct.

Why would they redact a claim that the defendant made a rookie mistake? The government is prone to excessive secrecy, but redacting it doesn’t serve any obvious purpose here. Defence counsel would rightly object to such a redaction, so trying to hide this claim would just annoy the judge.

This strikes me as a perfect excuse. It’s very plausible. It explains the discovery without the need to claim that law enforcement had some genius on staff or super-secret unmasking technique. It’s hard to refute without access to the original server configuration. It’s easy to explain to lay people. If true, it’s a very defensible technique, since courts have been pretty friendly to the idea that law enforcement is bound by what was concealed, not by what the defendant meant to conceal.

Anonymous Coward says:

Re: Re: Re: Why you should give the DOJ the benefit of a doubt?

Why would they redact a claim that the defendant made a rookie mistake?

So that other rookies do not avoid the same the mistake and they can use it to catch them. Their common excuse for redactions is that describing how they got the information makes their job harder by telling the bad guys how to avoid being caught.

Anonymous Coward says:

It looks like Mr. Ulbricht never heard of the “isolating proxy” setup.

https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy

With an isolating proxy, the most that could have leaked from the misconfigured CATPCHA would have been non-routeable private LAN IP addresses.

The nice thing about virtual machines, not only do they anonymize IP addresses. They also anonymize serial numbers and hardware details too.

Confucius says:

Yeah, Ulbricht configured the captcha incompetently and he’s fucked. Security is hard; let that be a lesson, kids.

I have to say I haven’t been impressed with Ulbricht’s attorney Dratel. There was probably a better defense to be put on here by a more tech-savvy attorney. That said, if Ulbricht was lying to him, there’s not much more he could do.

zip says:

parallel construction, skeptics

“I’m sure some will still insist “parallel construction” but it seems like there would need to be a lot more evidence of that happening”

Maybe some of us have been getting a bit skeptical every time there’s another news report about some drug user/dealer who was stopped by police in some routine traffic stop (“not coming to a complete stop”, “following too closely”, etc) by a cop who just happened to have a nose like a bloodhound and could smell cocaine hidden inside the left sun visor. (My personal favorite is when police search passengers on a bus because of some traffic violation the driver is accused of — but never ticketed for)

Maybe we’ve come to expect authorities to lie in every new case because it would be consistent with the way authorities have routinely lied about their investigative methods in the past.

In the Silk Road case, I’ve got to wonder if some convicted hacker working for the feds might have broken into and re-configured the server to spill the IP address. Or if there was even a leaked IP address after all. Bottom line — if the feds had (another) secret backdoor into Tor, would they reveal it?

Anonymous Coward says:

Re: Re: parallel construction, skeptics

What is parallel construction?

Of course he “fucked up”. You find the “how he fucked up” after you get him. Then the story is told of how he fucked up.

Point is… There is no reason to believe that this case isn’t parallel construction. The tactic is used. The authorities don’t usually devulge how people “fucked up” unless they are forced to.

It’s 50/50 that it’s paralell Construction..default.
This case it’s at least 51/49 that it’s parallel construction.(tor,release of operating methods without being forced)

There is more chance of it being parallel constuction than it not being. Can’t believe the authority as they openly use that method)

Anonymous Coward says:

Re: Re: Re:2 parallel construction, skeptics

50/50 as in, if we know the tactic was used. I should have made that clearer. The default “I don’t know”.

The “legal means” doesn’t really bother me as that’s political. They could have used perfectly legal means anyway. It’s the lying about it that is the issue.

Literal secret police. The concequences for normal people will be great if the expansion of those methods come about. They can secretly bend the rules while normal people will get punished for minor infractions.

Anonymous Coward says:

(and while I’m sure some will still insist “parallel construction” but it seems like there would need to be a lot more evidence of that happening)

We know parallel construction exists.
We know agencies that practice it make a huge deal of never mentioning that it was used and of coming up with plausible-looking happy accidents that would explain the outcome.
We know law enforcement at all levels hates to talk about a technique unless it makes them look good; finding him because he made a stupid mistake is nice, but it is hardly the situation that is typically published for pro-enforcement propaganda.
We know that Ulbricht was caught by Federal law enforcement.
We know that Federal law enforcement uses parallel construction in drug cases.
We know that this is alleged to be a drug case.

What more evidence do you need before you reasonably suspect that parallel construction occurred?

Michael (profile) says:

Re: Re:

We know parallel construction exists.
Great, but that has nothing to do with this case.

We know agencies that practice it make a huge deal of never mentioning that it was used and of coming up with plausible-looking happy accidents that would explain the outcome.
Law enforcement not mentioning something is part of your evidence that it happened. Well, I suppose they could have used a psychic in this case since they didn’t mention doing it.

We know law enforcement at all levels hates to talk about a technique unless it makes them look good; finding him because he made a stupid mistake is nice, but it is hardly the situation that is typically published for pro-enforcement propaganda.
I’m not sure what this means in this case. They provided a reasonable explanation as to how they came up with the evidence.

We know that Ulbricht was caught by Federal law enforcement.
This is not evidence of anything other than the fact that he was caught by Federal Law enforcement.

We know that Federal law enforcement uses parallel construction in drug cases.
Since we also know they do not use it in all cases, this is meaningless.

We know that this is alleged to be a drug case.
Again, this is not really evidence of anything.

So, what Mike is looking for would be one of two things, something in the investigation that they could not have gathered through the methods they have shown they used, or someone or something related to the investigation showing information about it was gathered in a method other than what they have shown they used.

Anonymous Coward says:

Re: Re: Re:

Law enforcement not mentioning something is part of your evidence that it happened. Well, I suppose they could have used a psychic in this case since they didn’t mention doing it.

If law enforcement had a history of being truthful, their silence would not be used against them here. They do not have such a history. Please provide a credible reference indicating that law enforcement uses psychics in other cases. Parallel construction is known to have been used elsewhere. Psychics are not known to have been used elsewhere. Ergo, suspecting parallel construction is reasonable, but suspecting psychics is not reasonable.

I’m not sure what this means in this case. They provided a reasonable explanation as to how they came up with the evidence.

Parallel construction is designed to provide reasonable explanations, often based on faked happy accidents that, if you were unaware of parallel construction, could be assumed to be law enforcement getting lucky.

The last three statements are links in a chain. If you like, you could simplify it to “Ulbricht is in an alleged drug case and parallel construction is known to be used in drug cases, therefore it is plausible that parallel construction was used here.”

So, what Mike is looking for would be one of two things, something in the investigation that they could not have gathered through the methods they have shown they used, or someone or something related to the investigation showing information about it was gathered in a method other than what they have shown they used.

Although it is possible that they would field a constructed story that fails to explain the disclosed evidence, that would be sloppy – as sloppy as failing to conceal the real source of information. πŸ˜‰ As for (b), that would be a nice smoking gun, but reasonable suspicion can arise without a smoking gun.

PRMan (profile) says:

Re: Re:

OK, what sounds most likely:

1. FBI goes to Silk Road server and tries various hacking techniques to see if the server will give up its real IP.

2. The NSA calls and tells them that the server is at X. Then the FBI tries various hacking techniques to see if the server will give up a matching IP.

3. The NSA calls, they get an Icelandic warrant for the server based on nothing but the IP address and then spend weeks with the image of the server in their lab finding a flaw in the setup so they can do parallel construction.

Honestly, in writing it out. I’m going with 1 is actually the simplest explanation. Although 2 is simple as well.

Anonymous Coward says:

Re: Re: Re:

OK, what sounds most likely:

You forgot 4.: FBI locates Silk Road server through unspecified, possibly secret and/or illegal technique, then claims (1) in court filings, whether or not such a weakness was present prior to the seizure. This would constitute lying to the court, but that’s the core of parallel construction, which the various law enforcement agencies seem perfectly fine with.

Anonymous Coward says:

So let's review:

The NSA:

-Missed 9/11
-Missed Boston
-Played no role in finding Bin Laden
-Did not stop or detect mega thefts from Target and Home Depot.
-Did not help in tracing the Silk Road.
-Cannot secure their own systems enough to have even a vague idea how many documents were leaked and by whom.

Tell me again, what good are they doing for anyone?

Coises (profile) says:

Competence

β€œIt does not matter that Ulbricht intended to conceal the IP address of the SR Server from public view. He failed to do so competently, and as a result the IP address was transmitted to another party – which turned out to be the FBI – who could lawfully take notice of it.”

So, the next time there is a charge that someone has accessed content by circumventing digital protection measures put it place by the copyright holders… can we argue that they (obviously) failed to do so competently?

John Fenderson (profile) says:

Re: Competence

I understand your point, but there’s a bit of a difference: if the DOJ’s tale is true, then they didn’t circumvent anything at all, they just sniffed the traffic going to and from their own machines when using the system (Silk Road) as intended. That’s legit under any circumstances, and shouldn’t raise any legal problems.

bgmcb (profile) says:

What does this sound like?

“In particular, there was no need to delve into the details of the means by which the FBI had
located the SR Server in the first place. All that mattered was that the FBI had in fact located
it, as its forensic examination of the server had confirmed. How the FBI had done so was not
necessary to establish probable cause for subsequent searches of other property.”

Which came first the IP leak or the bogey man?

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop Β»

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...