Recent Court docs show Silk Road and DPR were sunk by a leaky login CAPTCHA

[polunna]

Ever since October 2013, when the FBI took down the online black market and drug bazaar known as the Silk Road, privacy activists and security experts have traded conspiracy theories about how the U.S. government managed to discover the geographic location of the Silk Road Web servers. Those systems were supposed to be obscured behind the anonymity service Tor, but as court documents released Friday explain, that wasn’t entirely true: Turns out, the login page for the Silk Road employed an anti-abuse CAPTCHA service that pulled content from the open Internet, thus leaking the site’s true location.

http://krebsonsecurity.com/2014/09/dread-pirate-sunk-by-leaky-captcha/

[1714565327]

1714565327

[1714565327]

1714565327

[1714565327]

1714565327

[1714565327]

1714565327

[CoolBliss]

Link to the whole declaration of FBI agent that lead the SR investigation http://ia700603.us.archive.org/21/items/gov.uscourts.nysd.422824/gov.uscourts.nysd.422824.57.0.pdf

TL;DR:
- CAPTCHA on SR site wasn't configured correctly with TOR and leaked the IP of the server
- Server was in Iceland, Icelandic authorities helped the FBI to get server backups etc
- In that backups there were IPs to other backup servers (some USA, some foreign) and FBI got that too
- At that point, Ulbricht was "only" the lead suspect
- They used pen registers (routing only, no contents) to confirm the identity by checking when he was online on the ISP + IPs/ports used and when he was online at the SR forum
- After that they arrested him

[ForgottenPassword]

- CAPTCHA on SR site wasn't configured correctly with TOR and leaked the IP of the server

Oh my god. When I had a look at SR I remember looking at that captcha and wondering how they were locally generating such a high quality captcha code.

[dankkk]

Link to the whole declaration of FBI agent that lead the SR investigation http://ia700603.us.archive.org/21/items/gov.uscourts.nysd.422824/gov.uscourts.nysd.422824.57.0.pdf

TL;DR:
-snip-
- At that point, Ulbricht was "only" the lead suspect
-snip

I am curious to know how the government made the connection between the servers in Iceland to Ross. It has been previously reported that he used a VPN to connect to SR. I would assume that he did not use his real identity (and likely used fake IDs) to sign up for the hosting service.

One flaw that I have read is the fact that the government says the Ross did not even own the server, but rather leased them from a third party. My understanding of the law is that there is no difference between owing something and being a tenant when it comes to the rules regarding searches. 

[wasserman99]

- CAPTCHA on SR site wasn't configured correctly with TOR and leaked the IP of the server

Oh my god. When I had a look at SR I remember looking at that captcha and wondering how they were locally generating such a high quality captcha code.

I don't think Captcha is ever locally generated, otherwise it would be very easy to "crack" the captcha as someone could just run a script to figure out what the correct text should be.

I am interested to see if this explanation will be accepted by the defense and the court.

[ForgottenPassword]

I don't think Captcha is ever locally generated, otherwise it would be very easy to "crack" the captcha as someone could just run a script to figure out what the correct text should be.

I am interested to see if this explanation will be accepted by the defense and the court.

There are plenty of implementations for locally generating captchas (cool-php-captcha is a popular one). Bitcointalk uses the stock SMF one. They are obviously easier to crack than something like recaptcha, but they do provide some kind of protection. Most Tor hidden services use them, it's generally a bad idea to include external elements on a hidden service and most captcha services use javascript too which is problematic with TBB.

It's a very plausible explanation, in fact according to the FBI Ross had written in his logs that on a number of occasions he had found/introduced similar IP leaks on SR and the SR forums and had to move servers a couple of times and the alleged dates of these incidents seem to coincide with downtime of SR and SR forums.

On top of that it looks like Christopher Tarbell was on this case, he has made a name for himself having taken down many high profile cybercriminals - in fact even for similar mistakes such as this, Sabu (LulzSec hacker) was caught by Tarbell because he leaked his IP when connecting to an IRC chatroom,

I'm not sure why they kept the method of discovery of the server secret until now though. I'm still not entirely convinced Ross is DPR either, their evidence on this end is HIGHLY circumstantial IMO.

[itsAj]

I don't think Captcha is ever locally generated, otherwise it would be very easy to "crack" the captcha as someone could just run a script to figure out what the correct text should be.

I am interested to see if this explanation will be accepted by the defense and the court.

There are plenty of implementations for locally generating captchas (cool-php-captcha is a popular one). Bitcointalk uses the stock SMF one. They are obviously easier to crack than something like recaptcha, but they do provide some kind of protection. Most Tor hidden services use them, it's generally a bad idea to include external elements on a hidden service and most captcha services use javascript too which is problematic with TBB.

It's a very plausible explanation, in fact according to the FBI Ross had written in his logs that on a number of occasions he had found/introduced similar IP leaks on SR and the SR forums and had to move servers a couple of times and the alleged dates of these incidents seem to coincide with downtime of SR and SR forums.

On top of that it looks like Christopher Tarbell was on this case, he has made a name for himself having taken down many high profile cybercriminals - in fact even for similar mistakes such as this, Sabu (LulzSec hacker) was caught by Tarbell because he leaked his IP when connecting to an IRC chatroom,

I'm not sure why they kept the method of discovery of the server secret until now though. I'm still not entirely convinced Ross is DPR either, their evidence on this end is HIGHLY circumstantial IMO.

They appear to have caught him red handed with his laptop open and logged into SR at the San Francisco Library. Sure it would be possible that he was just a moderator that was hired after it opened, but this would not explain how his email address was used for the forum account that posted the first advertisement about silk road (I think it was a weed/drug related forum).

The question is will this be sufficient evidence to prove beyond a reasonable doubt that Ross is in fact DPR, my answer is, I am not sure. The question is was Ross in fact DPR, I would say yes, or at least he was somehow involved in SR at a very high level.

You should remember that the FBI apparently was able to seize several thousand bitcoin when they got his laptop (although this also may have been the result of seizing the servers in iceland). 

[ForgottenPassword]

They appear to have caught him red handed with his laptop open and logged into SR at the San Francisco Library. Sure it would be possible that he was just a moderator that was hired after it opened, but this would not explain how his email address was used for the forum account that posted the first advertisement about silk road (I think it was a weed/drug related forum).

Yeah they got him with his laptop decrypted.

My main concern is that it clearly doesn't PROVE it's him. Just because he was "allegedly" the first person to post a link to the SR (he didn't even advertise it, just said he was thinking of placing an order there) doesn't mean he owns it and the proof that it was him who posted it wasn't so straight forward either. It definitely makes him a suspect, but it definitely doesn't prove he's DPR IMO. Combining it with all the other circumstantial evidence doesn't really prove anything either. I have yet to see any hard evidence tying him to that identity.

Who's to say that circumstantial evidence wasn't planted by the real boss of SR to cover his tracks.

You should remember that the FBI apparently was able to seize several thousand bitcoin when they got his laptop (although this also may have been the result of seizing the servers in iceland).  

30k came from a SR server, 140k came from his laptop. By the way, it's interesting to compare these figures to the estimated volume of the SR mixer.... I have a feeling they didn't find all the BTC, the numbers seemed way off when I looked at it. If I was running a website like SR I sure as hell would have a ton of cash tidied away safely, perhaps a paper wallet or such....

Ross' excuse for the 140k on his laptop was that he was an early adopter and high-frequency bitcoin trader and he earned those Bitcoins from that. This is what his friends and family thought he did for a living too. I haven't seen the FBI come out and say "these coins came from the SR mixer" or prove in anyway they were involved in the SR. It's a plausible excuse, I wish the FBI would investigate this side of the case more but they probably won't seeing as they'll likely win that asset forfeiture so why would they care.

[illymoka]

- CAPTCHA on SR site wasn't configured correctly with TOR and leaked the IP of the server

Oh my god. When I had a look at SR I remember looking at that captcha and wondering how they were locally generating such a high quality captcha code.

From what I remember, the SR captcha was pretty shitty, something I could have coded in a few hours to run locally.

[lovegood]

Link to the whole declaration of FBI agent that lead the SR investigation http://ia700603.us.archive.org/21/items/gov.uscourts.nysd.422824/gov.uscourts.nysd.422824.57.0.pdf

TL;DR:
- CAPTCHA on SR site wasn't configured correctly with TOR and leaked the IP of the server
- Server was in Iceland, Icelandic authorities helped the FBI to get server backups etc
- In that backups there were IPs to other backup servers (some USA, some foreign) and FBI got that too
- At that point, Ulbricht was "only" the lead suspect
- They used pen registers (routing only, no contents) to confirm the identity by checking when he was online on the ISP + IPs/ports used and when he was online at the SR forum
- After that they arrested him

wtf is a 'pen register'?

[master-P]

You should remember that the FBI apparently was able to seize several thousand bitcoin when they got his laptop (although this also may have been the result of seizing the servers in iceland).  

30k came from a SR server, 140k came from his laptop. By the way, it's interesting to compare these figures to the estimated volume of the SR mixer.... I have a feeling they didn't find all the BTC, the numbers seemed way off when I looked at it. If I was running a website like SR I sure as hell would have a ton of cash tidied away safely, perhaps a paper wallet or such....

Ross' excuse for the 140k on his laptop was that he was an early adopter and high-frequency bitcoin trader and he earned those Bitcoins from that. This is what his friends and family thought he did for a living too. I haven't seen the FBI come out and say "these coins came from the SR mixer" or prove in anyway they were involved in the SR. It's a plausible excuse, I wish the FBI would investigate this side of the case more but they probably won't seeing as they'll likely win that asset forfeiture so why would they care.

I would think that he would probably have the bitcoin in a brain wallet instead of on anything physical that could be seized. A paper wallet would provide very little incremental security above having a wallet on his computer to someone in Ross's position. 

Do you have a source as to the estimated volume that went through the SR mixer? Or even any documentation as to how it worked? That is the one mixer that I have seen very little information on as to exactly how it worked (as opposed to how it is much more clear as to how mixers like bitcoin fog and bitmixer, and blockchain shared send all work.

Are you speculating that this is his excuse for having so much bitcoin, or is this something that is public? I would think that a taint analysis of the various addresses of the bitcoin that was found on his laptop would likely connect Ross to SR, as IMO it would be extremely unlikely that he would be able to successfully mix that much bitcoin if it was coming from the site (assuming that Ross and DPR are one and the same).

[bambino]

wtf is a 'pen register'?

"A pen register is an electronic device that records all numbers called from a particular telephone line. The term has come to include any device or program that performs similar functions to an original pen register, including programs monitoring Internet communications."
http://en.wikipedia.org/wiki/Pen_register

Basically they monitored all the internet usage of Ulbricht for a few days, this was "judicially authorized".

"The Pen Registers did not collect the contents of any communications. They collected only routing information, such as the IP addresses being contacted using the account, router, and devices, the ports being accessed, and the MAC addresses of the devices involved.
We used the Pen Registers to track when Ulbricht was connected to the Internet and what IP addresses and ports he was connecting to. By monitoring when Ulbricht appeared to be online, and comparing it to the times when “DPR” appeared to be logged in to Silk Road (as reflected by his activity on the Silk Road discussion forum), additional evidence was collected corroborating that Ulbricht was in fact “DPR.”

More at 18 - 21 in the declaration

[Dr. Pepper]

wtf is a 'pen register'?

"A pen register is an electronic device that records all numbers called from a particular telephone line. The term has come to include any device or program that performs similar functions to an original pen register, including programs monitoring Internet communications."
http://en.wikipedia.org/wiki/Pen_register

Basically they monitored all the internet usage of Ulbricht for a few days, this was "judicially authorized".

"The Pen Registers did not collect the contents of any communications. They collected only routing information, such as the IP addresses being contacted using the account, router, and devices, the ports being accessed, and the MAC addresses of the devices involved.
We used the Pen Registers to track when Ulbricht was connected to the Internet and what IP addresses and ports he was connecting to. By monitoring when Ulbricht appeared to be online, and comparing it to the times when “DPR” appeared to be logged in to Silk Road (as reflected by his activity on the Silk Road discussion forum), additional evidence was collected corroborating that Ulbricht was in fact “DPR.”

More at 18 - 21 in the declaration

Isn't that circumstantial? I'm not computer whiz but how did the captchas leak information to the SR servers. Aren't captchas like an external process ie not hosted on whatever server the website uses?

[itsAj]

They appear to have caught him red handed with his laptop open and logged into SR at the San Francisco Library. Sure it would be possible that he was just a moderator that was hired after it opened, but this would not explain how his email address was used for the forum account that posted the first advertisement about silk road (I think it was a weed/drug related forum).

Yeah they got him with his laptop decrypted.

My main concern is that it clearly doesn't PROVE it's him. Just because he was "allegedly" the first person to post a link to the SR (he didn't even advertise it, just said he was thinking of placing an order there) doesn't mean he owns it and the proof that it was him who posted it wasn't so straight forward either. It definitely makes him a suspect, but it definitely doesn't prove he's DPR IMO. Combining it with all the other circumstantial evidence doesn't really prove anything either. I have yet to see any hard evidence tying him to that identity.

I remember the complaint saying that he had started the site (or maybe it was that he ran the site) but I am not 100% sure if you say otherwise.

I think he was also logged into the admin panel of SR when his laptop was taken from him. I remember reading news reports that said the admin panel had ways to check on various disputes, and site activity. This could mean that he is at the vest least a mod there. If you are correct in saying that he posted that he was thinking of buying something on the site then it would be possible that Ross was an early user and was eventually made a mod.

Who's to say that circumstantial evidence wasn't planted by the real boss of SR to cover his tracks.

Unlikely IMO

You should remember that the FBI apparently was able to seize several thousand bitcoin when they got his laptop (although this also may have been the result of seizing the servers in iceland).  

30k came from a SR server, 140k came from his laptop. By the way, it's interesting to compare these figures to the estimated volume of the SR mixer.... I have a feeling they didn't find all the BTC, the numbers seemed way off when I looked at it. If I was running a website like SR I sure as hell would have a ton of cash tidied away safely, perhaps a paper wallet or such....

Ross' excuse for the 140k on his laptop was that he was an early adopter and high-frequency bitcoin trader and he earned those Bitcoins from that. This is what his friends and family thought he did for a living too. I haven't seen the FBI come out and say "these coins came from the SR mixer" or prove in anyway they were involved in the SR. It's a plausible excuse, I wish the FBI would investigate this side of the case more but they probably won't seeing as they'll likely win that asset forfeiture so why would they care.

I haven't seen anything about this being his rationale for the 140k in bitcon on his laptop. Was it published in the media somewhere or do you have first hand knowledge regarding this?

I remember reading that Ross had claimed to be a currency trader, but I don't think they knew the currency was bitcoin.

[dankkk]

wtf is a 'pen register'?

"A pen register is an electronic device that records all numbers called from a particular telephone line. The term has come to include any device or program that performs similar functions to an original pen register, including programs monitoring Internet communications."
http://en.wikipedia.org/wiki/Pen_register

Basically they monitored all the internet usage of Ulbricht for a few days, this was "judicially authorized".

"The Pen Registers did not collect the contents of any communications. They collected only routing information, such as the IP addresses being contacted using the account, router, and devices, the ports being accessed, and the MAC addresses of the devices involved.
We used the Pen Registers to track when Ulbricht was connected to the Internet and what IP addresses and ports he was connecting to. By monitoring when Ulbricht appeared to be online, and comparing it to the times when “DPR” appeared to be logged in to Silk Road (as reflected by his activity on the Silk Road discussion forum), additional evidence was collected corroborating that Ulbricht was in fact “DPR.”

More at 18 - 21 in the declaration

Isn't that circumstantial? I'm not computer whiz but how did the captchas leak information to the SR servers. Aren't captchas like an external process ie not hosted on whatever server the website uses?

People are convicted on circumstantial evidence all the time. Usually not of crimes that are this serious however it is possible.

Although it is circumstantial, the chances of it being someone other then him does decrease as the number of times he was observed online increases.

[johncarpe64]

wtf is a 'pen register'?

"A pen register is an electronic device that records all numbers called from a particular telephone line. The term has come to include any device or program that performs similar functions to an original pen register, including programs monitoring Internet communications."
http://en.wikipedia.org/wiki/Pen_register

Basically they monitored all the internet usage of Ulbricht for a few days, this was "judicially authorized".

"The Pen Registers did not collect the contents of any communications. They collected only routing information, such as the IP addresses being contacted using the account, router, and devices, the ports being accessed, and the MAC addresses of the devices involved.
We used the Pen Registers to track when Ulbricht was connected to the Internet and what IP addresses and ports he was connecting to. By monitoring when Ulbricht appeared to be online, and comparing it to the times when “DPR” appeared to be logged in to Silk Road (as reflected by his activity on the Silk Road discussion forum), additional evidence was collected corroborating that Ulbricht was in fact “DPR.”

More at 18 - 21 in the declaration

I am not 100% sure it was actually judicially authorized as the defense had challenged the use of the pen register as unconstitutional because the government did not get a warrant.

I would not at all be surprised if this case made it's way to the supreme court because of the super high stakes for Ross. Not only is he facing basically life in prison, but he is disincentived to accept a guilty plea because if he does he would likely end up not being able to find a job (despite likely being a very smart kid) and likely having to give up what is essentially $70+ million dollars at current exchange rates. The defense has made some long-shot motions in the case, and have been ruled against pretty much all the time, but it does bring up some good points that have essentially been ignored.

[herebittybittybitty]

I'd imagine he's the most legendary guy in the whole Pen, though. After he's convicted he's going to spend the rest of his life explaining to every con who comes behind the bars the whole story about everything.