DOJ Says No NSA Help Was Needed To Find Dread Pirate Roberts Since He Misconfigured His CAPTCHAs
from the oops dept
The lawyers for Ross Ulbricht have been tossing an awful lot of speculative legal theories at the wall in his defense over the past few months, and none of them seem to be sticking. The most recent attempt was to argue that the process by which the DOJ/FBI got access to Silk Road's servers must have violated the 4th Amendment, mainly because the site was "hidden" via Tor and Ulbricht couldn't figure out how else the FBI could have tracked the servers down. In response, the DOJ has revealed the details of how it did so in a very readable court filing where you can almost feel the snark dripping from the US Attorney's Office, as it mocks both the speculative and hyperbolic nature of the claims and reveals that Ulbricht basically misconfigured his CAPTCHA login feature so that it leaked the server's real IP address:

Contrary to Ulbricht’s conjecture that the server hosting the Silk Road website (the “SR Server”) was located by the NSA, the server was in fact located by the FBI New York Field Office in or about June 2013.... The Internet protocol (“IP”) address of the SR Server (the “Subject IP Address”) was “leaking” from the site due to an apparent misconfiguration of the user login interface by the site administrator – i.e., Ulbricht.... FBI agents noticed the leak upon reviewing the data sent back by the Silk Road website when they logged on or attempted to log on as users of the site.... A close examination of the headers in this data revealed a certain IP address not associated with the Tor network (the “Subject IP Address”) as the source of some of the data.... FBI personnel entered the Subject IP Address directly into an ordinary (non-Tor) web browser, and it brought up a screen associated with the Silk Road login interface, confirming that the IP address belonged to the SR Server....

The filing does not say which header gave the address away, but the mechanism it describes is ordinary: some part of the login page's data was coming from the server's public address rather than through the hidden service, and the server answered an ordinary browser at that address, which is how the FBI confirmed the match. Later, the filing points out:
Based on publicly available information, the Subject IP Address was associated with a server housed at a data center operated by a foreign server-hosting company in Iceland.... Accordingly, on June 12, 2013, the United States issued a request to Iceland for Icelandic authorities to take certain investigative measures with respect to the server, including collecting routing information for communications sent to and from the server, and covertly imaging the contents of the server.... The Reykjavik Metropolitan Police (“RMP”) provided routing information for the server soon thereafter, which showed a high volume of Tor traffic flowing to the server – further confirming that it was hosting a large website on Tor.... Subsequently, after obtaining the legal process required under Icelandic law to search the server, and after consulting with U.S. authorities concerning the timing of the search, the RMP covertly imaged the server and shared the results with the FBI on or about July 29, 2013.... Forensic examination of the image by the FBI immediately and fully confirmed that the server was in fact hosting the Silk Road website, i.e., that it was in fact the SR Server.... The server contained what were clearly the contents of the Silk Road website – including databases of vendor postings, transaction records, private messages between users, and other data reflecting user activity – as well as the computer code used to operate the website.
The filing adds:

It does not matter that Ulbricht intended to conceal the IP address of the SR Server from public view. He failed to do so competently, and as a result the IP address was transmitted to another party – which turned out to be the FBI – who could lawfully take notice of it.

The DOJ's story is compelling (and while I'm sure some will still insist on "parallel construction," that would take a lot more evidence than has been offered so far), but there are some other interesting tidbits in the filing. Ulbricht had argued that the search of the server was unconstitutional because his property was searched without a warrant. The DOJ points out that since the server was in Iceland, the 4th Amendment doesn't apply. But in defending the lack of a warrant, it's notable that the DOJ admits that under the Stored Communications Act, a "warrant was not even an option... given that the SR Server was controlled by a foreign data center."
That seems to contradict the DOJ's claims in its ongoing fight with Microsoft over accessing emails stored in Ireland. There, the DOJ insists that a warrant under the SCA is not only very much an option, but that it requires Microsoft to hand over the data. The DOJ says the cases are different since Microsoft is a US entity, and thus the SCA compels the US entity to reveal data no matter where it is, but that doesn't apply since the Silk Road server was controlled by an Icelandic company.
There remain some interesting legal questions raised by the prosecution against Ulbricht, but so far, the extremely speculative nature of his defense doesn't seem particularly likely to get anywhere. Also, the leaky CAPTCHA should serve as a reminder that, despite all the freakouts and concerns from law enforcement about how the internet and things like Tor will make it impossible to catch criminals, people will almost always mess up somehow and reveal breadcrumbs back to who they are.
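As an added example (my code, not the FBI's, the DOJ's or Silk Road's, and not taken from the filing), here is the kind of check the filing describes: going through the HTTP response a hidden service sends back to a login attempt and flagging anything that points at a host outside Tor. The filing does not say which header leaked, so the scanner looks at both response headers and the URL-bearing attributes in the HTML. The sample response, the .onion name and the IP addresses in it (RFC1918 and documentation ranges) are constructed. Hits are classified so that addresses that only identify a LAN are reported separately from externally meaningful ones, which is the point made in the isolating-proxy comment below: behind such a proxy, the worst this class of mistake can expose is a private address.

```python
# Added example (not code from the article, the filing, or Silk Road):
# scan one HTTP response from a Tor hidden service for references to
# hosts outside Tor, in both response headers and URL-bearing HTML
# attributes, and classify each hit.
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# HTML attributes whose value the client will fetch or follow.
URL_ATTRS = {"src", "href", "action", "formaction", "data", "poster"}
# Absolute or protocol-relative URL anywhere in a header value.
URL_RE = re.compile(r"(?:https?:)?//[^\s\"'<>;,]+")
# Cookie Domain attribute, which also names a host.
DOMAIN_RE = re.compile(r"(?i)\bdomain=([^;\s]+)")

# Ranges that at worst identify a LAN, not the operator (what an isolating
# proxy or VM setup would limit a leak to). Everything else is treated as
# external, including the documentation range 198.51.100.0/24 used in the
# constructed sample below.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "::1/128", "fc00::/7", "fe80::/10",
)]


def classify_host(host):
    """Return 'onion', 'internal', 'external-ip' or 'external-name'."""
    host = host.strip().lstrip(".").strip("[]").lower()
    if host.endswith(".onion"):
        return "onion"
    if host == "localhost":
        return "internal"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return "external-name"          # a DNS name outside Tor
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "external-ip"


class _RefCollector(HTMLParser):
    """Collect (where, url) for every URL-bearing attribute in the body."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((f"<{tag} {name}>", value))


def parse_response(raw):
    """Split a raw HTTP/1.x response into ([(header, value)], body)."""
    head, _, body = raw.partition("\r\n\r\n")
    headers = []
    for line in head.split("\r\n")[1:]:        # [0] is the status line
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return headers, body


def find_leaks(raw):
    """Return [(where, reference, host, kind)] for every non-.onion host."""
    headers, body = parse_response(raw)
    candidates = []
    for name, value in headers:
        for url in URL_RE.findall(value):
            candidates.append((f"header {name}", url, urlsplit(url).hostname))
        if name.lower() == "set-cookie":
            m = DOMAIN_RE.search(value)
            if m:
                candidates.append((f"header {name}", m.group(1), m.group(1)))
    collector = _RefCollector()
    collector.feed(body)
    for where, ref in collector.refs:
        # hostname is None for relative, data:, mailto: and javascript: refs
        candidates.append((where, ref, urlsplit(ref).hostname))
    leaks = []
    for where, ref, host in candidates:
        if not host:
            continue
        kind = classify_host(host)
        if kind != "onion":
            leaks.append((where, ref, host, kind))
    return leaks


# Constructed sample: a login page served over a hidden service whose
# CAPTCHA image and a preloaded stylesheet point at a non-Tor address.
# The .onion name and all IP addresses are placeholders.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Set-Cookie: session=c0ffee; Path=/; HttpOnly\r\n"
    "Link: <http://198.51.100.7/static/site.css>; rel=preload; as=style\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><form method=\"post\" action=\"/login\">\n"
    "<a href=\"http://hiddenservice-example.onion/help\">help</a>\n"
    "<img src=\"http://198.51.100.7/captcha.php?id=42\" alt=\"captcha\">\n"
    "<script src=\"http://10.0.0.5/static/ui.js\"></script>\n"
    "<input name=\"captcha\"><input type=\"submit\"></form></body></html>\n"
)

if __name__ == "__main__":
    for where, ref, host, kind in find_leaks(SAMPLE_RESPONSE):
        print(f"{kind:14} {host:16} via {where}: {ref}")
```

A hit classified external-ip is exactly the situation the filing describes, and the FBI's follow-up was just as simple: request the page at that address over the clearnet. That confirmation only worked because the web server was answering on its public interface. Binding it to 127.0.0.1 and pointing HiddenServicePort at that loopback address would have made the plain-browser check fail even with the leak present, although it would not have undone the fact that the address had already been handed out.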
Filed Under: 4th amendment, doj, dread pirate roberts, fbi, investigation, nsa, ross ulbricht
Companies: silk road
Reader Comments
Fool me twice...
[ link to this | view in chronology ]
Can't trust any government's story, sorry.
Why would they release the "how they got him"?
Seriously... is that not the type of shit they criticize Snowden for, but worse as it's a literal operational method that they "leaked".
Their operational practices are on a need to know basis, unless they are forced to reveal them. When we know, there is a reason.
-tinfoil- (but not very tinfoil-ey)
My bet is on a timing attack of tor. Apparently they have a buffer and can replay traffic over and over again if it's in the buffer. They have a copy of practically all the traffic at the isp level.
[ link to this | view in chronology ]
Re: Why you should give the DOJ the benefit of a doubt?
Also a leaking captcha does not strike me as something the DOJ or the FBI would come up with as an excuse to make this case. "The bad guy was an idiot" just does not have the same ring to it as all those made-up home-grown terrorist plots they keep ringing their own bells about.
[ link to this | view in chronology ]
Re: Re: Why you should give the DOJ the benefit of a doubt?
Protip: If you have to ignore the law to catch the criminals, then you are a criminal, too.
[ link to this | view in chronology ]
Re: Re: Re: Why you should give the DOJ the benefit of a doubt?
The only difference is with a single-action crime where all the evidence came from the NSA.
[ link to this | view in chronology ]
Re: Re: Why you should give the DOJ the benefit of a doubt?
Why would they redact a claim that the defendant made a rookie mistake? The government is prone to excessive secrecy, but redacting it doesn't serve any obvious purpose here. Defence counsel would rightly object to such a redaction, so trying to hide this claim would just annoy the judge.
This strikes me as a perfect excuse. It's very plausible. It explains the discovery without the need to claim that law enforcement had some genius on staff or super-secret unmasking technique. It's hard to refute without access to the original server configuration. It's easy to explain to lay people. If true, it's a very defensible technique, since courts have been pretty friendly to the idea that law enforcement is bound by what was concealed, not by what the defendant meant to conceal.
[ link to this | view in chronology ]
Re: Re: Re: Why you should give the DOJ the benefit of a doubt?
So that other rookies do not avoid the same mistake, and they can use it to catch them. Their common excuse for redactions is that describing how they got the information makes their job harder by telling the bad guys how to avoid being caught.
[ link to this | view in chronology ]
They COPIED his server after having CIRCUMVENTED his method of protecting the contents of that server?
Why isn't ICE knocking down their door right now?
[ link to this | view in chronology ]
https://trac.torproject.org/projects/tor/wiki/doc/TorifyHOWTO/IsolatingProxy
With an isolating proxy, the most that could have leaked from the misconfigured CAPTCHA would have been non-routable private LAN IP addresses.
The nice thing about virtual machines: not only do they anonymize IP addresses, they also anonymize serial numbers and hardware details.
[ link to this | view in chronology ]
I have to say I haven't been impressed with Ulbricht's attorney Dratel. There was probably a better defense to be put on here by a more tech-savvy attorney. That said, if Ulbricht was lying to him, there's not much more he could do.
[ link to this | view in chronology ]
parallel construction, skeptics
Maybe some of us have been getting a bit skeptical every time there's another news report about some drug user/dealer who was stopped by police in some routine traffic stop ("not coming to a complete stop", "following too closely", etc) by a cop who just happened to have a nose like a bloodhound and could smell cocaine hidden inside the left sun visor. (My personal favorite is when police search passengers on a bus because of some traffic violation the driver is accused of -- but never ticketed for)
Maybe we've come to expect authorities to lie in every new case because it would be consistent with the way authorities have routinely lied about their investigative methods in the past.
In the Silk Road case, I've got to wonder if some convicted hacker working for the feds might have broken into and re-configured the server to spill the IP address. Or if there was even a leaked IP address after all. Bottom line -- if the feds had (another) secret backdoor into Tor, would they reveal it?
[ link to this | view in chronology ]
Re: Re: parallel construction, skeptics
Of course he "fucked up". You find the "how he fucked up" after you get him. Then the story is told of how he fucked up.
Point is... there is no reason to believe that this case isn't parallel construction. The tactic is used. The authorities don't usually divulge how people "fucked up" unless they are forced to.
It's 50/50 that it's parallel construction... default.
This case it's at least 51/49 that it's parallel construction (Tor, release of operating methods without being forced).
There is more chance of it being parallel construction than it not being. Can't believe the authority as they openly use that method.
[ link to this | view in chronology ]
Re: Re: Re: Re: parallel construction, skeptics
The "legal means" doesn't really bother me as that's political. They could have used perfectly legal means anyway. It's the lying about it that is the issue.
Literal secret police. The consequences for normal people will be great if the expansion of those methods comes about. They can secretly bend the rules while normal people will get punished for minor infractions.
[ link to this | view in chronology ]
Re: parallel construction, skeptics
(from the West Wing)
[ link to this | view in chronology ]
Re: Re:
Thanks for making it so that you will never convict anyone else ever again, you fucking morons.
[ link to this | view in chronology ]
We know agencies that practice it make a huge deal of never mentioning that it was used and of coming up with plausible-looking happy accidents that would explain the outcome.
We know law enforcement at all levels hates to talk about a technique unless it makes them look good; finding him because he made a stupid mistake is nice, but it is hardly the situation that is typically published for pro-enforcement propaganda.
We know that Ulbricht was caught by Federal law enforcement.
We know that Federal law enforcement uses parallel construction in drug cases.
We know that this is alleged to be a drug case.
What more evidence do you need before you reasonably suspect that parallel construction occurred?
[ link to this | view in chronology ]
Re:
Great, but that has nothing to do with this case.
We know agencies that practice it make a huge deal of never mentioning that it was used and of coming up with plausible-looking happy accidents that would explain the outcome.
Law enforcement not mentioning something is part of your evidence that it happened. Well, I suppose they could have used a psychic in this case since they didn't mention doing it.
We know law enforcement at all levels hates to talk about a technique unless it makes them look good; finding him because he made a stupid mistake is nice, but it is hardly the situation that is typically published for pro-enforcement propaganda.
I'm not sure what this means in this case. They provided a reasonable explanation as to how they came up with the evidence.
We know that Ulbricht was caught by Federal law enforcement.
This is not evidence of anything other than the fact that he was caught by Federal Law enforcement.
We know that Federal law enforcement uses parallel construction in drug cases.
Since we also know they do not use it in all cases, this is meaningless.
We know that this is alleged to be a drug case.
Again, this is not really evidence of anything.
So, what Mike is looking for would be one of two things, something in the investigation that they could not have gathered through the methods they have shown they used, or someone or something related to the investigation showing information about it was gathered in a method other than what they have shown they used.
[ link to this | view in chronology ]
Re: Re:
Parallel construction is designed to provide reasonable explanations, often based on faked happy accidents that, if you were unaware of parallel construction, could be assumed to be law enforcement getting lucky.
The last three statements are links in a chain. If you like, you could simplify it to "Ulbricht is in an alleged drug case and parallel construction is known to be used in drug cases, therefore it is plausible that parallel construction was used here."
Although it is possible that they would field a constructed story that fails to explain the disclosed evidence, that would be sloppy - as sloppy as failing to conceal the real source of information. ;) As for (b), that would be a nice smoking gun, but reasonable suspicion can arise without a smoking gun.
[ link to this | view in chronology ]
Re:
1. FBI goes to Silk Road server and tries various hacking techniques to see if the server will give up its real IP.
2. The NSA calls and tells them that the server is at X. Then the FBI tries various hacking techniques to see if the server will give up a matching IP.
3. The NSA calls, they get an Icelandic warrant for the server based on nothing but the IP address and then spend weeks with the image of the server in their lab finding a flaw in the setup so they can do parallel construction.
Honestly, in writing it out, I'm going with 1 as actually the simplest explanation. Although 2 is simple as well.
[ link to this | view in chronology ]
Re: Re:
You forgot 4.: FBI locates Silk Road server through unspecified, possibly secret and/or illegal technique, then claims (1) in court filings, whether or not such a weakness was present prior to the seizure. This would constitute lying to the court, but that's the core of parallel construction, which the various law enforcement agencies seem perfectly fine with.
[ link to this | view in chronology ]
Lies, all lies.
It's a fact and has been proven repeatedly.
[ link to this | view in chronology ]
this is true but not how they found them
keep on using tor....we need to start getting rid of idiots
[ link to this | view in chronology ]
I bet it was the NSA that backdoored the captcha misconfig...
[ link to this | view in chronology ]
So let's review:
-Missed 9/11
-Missed Boston
-Played no role in finding Bin Laden
-Did not stop or detect mega thefts from Target and Home Depot.
-Did not help in tracing the Silk Road.
-Cannot secure their own systems enough to have even a vague idea how many documents were leaked and by whom.
Tell me again, what good are they doing for anyone?
[ link to this | view in chronology ]
I have no doubt that the analyst that discovered this weakness AFTER the fact was carried around the office on the shoulders of his managers in congratulations afterwards to cheers of "Huzzah! Huzzah!" from his or her fellow analysts.
[ link to this | view in chronology ]
Competence
So, the next time there is a charge that someone has accessed content by circumventing digital protection measures put in place by the copyright holders... can we argue that they (obviously) failed to do so competently?
[ link to this | view in chronology ]
NSA gives FBI dirt on Silk Road
Russ Tice, former Technical Intelligence Analyst, National Security Agency (NSA)
[ link to this | view in chronology ]
What does this sound like?
located the SR Server in the first place. All that mattered was that the FBI had in fact located
it, as its forensic examination of the server had confirmed. How the FBI had done so was not
necessary to establish probable cause for subsequent searches of other property."
Which came first the IP leak or the bogey man?
[ link to this | view in chronology ]