You might know him as “Dread Pirate Roberts” or just DPR but his real name is supposedly Ross Ulbricht, and he is the alleged founder of the underground exchange Silk Road. Mr. Ulbricht is currently facing charges of drug trafficking, computer hacking, money laundering, and “continuing…
Mr. Ulbricht’s defense argued last week that the FBI had illegally hacked a Silk Road server in Iceland without a warrant. If that were the case, it would be an invasion of Mr. Ulbricht’s privacy and of his Fourth Amendment rights. The case would be thrown out and, more than likely, Ross would be facing different charges. They’re not gonna give it up that easy!
The defense’s request was rejected on a technicality, and that’s where things get a bit scary. Decisions like this tend to become precedent and strongly influence future court rulings. Judge Katherine Forrest dismissed the defense’s motion to suppress evidence, but the ruling came with a clause that effectively side-steps the question of hacking and creates a catch-22 for Mr. Ulbricht: an “even if” argument (is that even a thing?) was added to the case. The Justice Department told the judge that even if the FBI had broken into the server remotely without a warrant, it would still be legal according to the government’s filing… So the government now has the right to hack without a warrant?
The Justice Department might think it’s okay to hack without a warrant, so long as the server isn’t located in the USA, but not everyone agrees. Stanford Law professor Jennifer Granick has spoken out on the topic, reminding the world that this “even if” argument doesn’t float, or at least it shouldn’t.
Which brings us to the main question: did the FBI hack the server or not? They didn’t have a warrant, so if they hacked it, the evidence was obtained unlawfully and is inadmissible in court, or, once again, it should be.
I have a background in IT and know a thing or two about network security, so I decided I’d take a deeper look into what the FBI said they did – just to see if it even made any sense. Spoiler Alert! It doesn’t.
I realize other people have gone through this process and come to the same conclusion. Rather than regurgitate what’s already out there, I’ve tried to pull the sources and arguments together into a concise, comprehensive and straightforward article on why the FBI’s story swims like a brick.
There are a number of theories right now on how the FBI actually discovered the IP address and location of the server, but one thing is for sure: the theory that the FBI exploited the CAPTCHA to obtain the IP address is bogus. To put it as simply as I can, the CAPTCHA was served by the Silk Road server itself, not by a third-party CAPTCHA service. A CAPTCHA image that the hidden service serves under its own .onion address arrives through the same Tor circuit as the rest of the login page, so it carries no more information about the server’s real address than the page does. You couldn’t have obtained the IP from the CAPTCHA, at least not the way they claim to have.
If the server was a house and the CAPTCHA a key to that house, the FBI is essentially saying they found the key outside, under a rock, and entered the house. In reality, the key was in the house, and they broke into that house, stole the key and claimed, “Look, we have the key, we didn’t break in!”
We know the CAPTCHA was hosted on the server because Silk Road had problems with exactly that in the past: hosting the CAPTCHA on the server opened it up to DoS attacks, which prompted Silk Road to switch to a cached version of the CAPTCHA, also hosted on the same server.
Hosting the CAPTCHA anywhere else would be like leaving the keys outside. Even if you hide them, all it takes is someone stumbling onto them or knowing where to look. For a website like Silk Road, an online black market, you can imagine the scrutiny it was under at all times. How many people would have tried to hack Silk Road, knowing there were no legal repercussions for doing so? And the FBI is claiming a flaw this huge was just sitting out there? I don’t buy it; someone else would have discovered and exploited it long ago.
The second theory that fails to hold water is that the FBI used a packet sniffer to discover the real IP address. A packet sniffer is a program that intercepts and logs traffic passing over a network. Think of it as a hidden cop writing down every car that goes in and out of your business.
The FBI claims that the Silk Road site included images from an external server by referencing its IP address or hostname. Perhaps the FBI doesn’t understand the Tor network, or is hoping the judge and jury won’t. Tor lets users reach the internet without giving out their real IP address; it does this by bouncing your traffic through a chain of relays (other computers), so each relay sees only its immediate neighbours. For our purposes, that’s all you need to know right now about the Tor network.
If that were the case, and Silk Road was including images from another server, the traffic carrying those images would still reach a Tor user through Tor, so the packet headers would show Tor nodes, not the server’s real address. An address written into the page’s HTML is content, not a packet header, and a header is what the FBI describes finding. In fact, if the FBI really had obtained the server’s IP address from packet headers, we’d be looking at a flaw in Tor itself, not in Silk Road. But fear not, Tor users: there is no such flaw in the Tor network.
“No matter how much the agents entered “miscellaneous entries” into the login form fields, and no matter what they caused the server to respond, at no time would it have been possible for a layer 3/4 sniffer to see the real IP address – it only ever would have seen Tor nodes, even if it had been accessing the real IP address.” – Nik Cubrilovic
I’ll count that as two holes poked in their explanation.
Let’s suspend all logic and common sense for a moment and pretend that the FBI did, in fact, find a flaw in Silk Road (and, by extension, in the Tor network). Where are the packet logs? If packet headers are going to be a central issue in the case, then we need to see the captured packets. Think back to the cop recording every car that came in and out of your business: the packet log is the notebook he writes everything into, and we’ll want to see it. The FBI claims:
“Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the “Subject IP Address”) was the only non-Tor source IP address reflected in the traffic we examined. The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal.”
The FBI has failed to produce any evidence of this; they’ve failed to produce the packet logs. Either they’re holding on to them or they don’t have them because, surprise surprise, they don’t exist.
Maybe they do exist and exposing them would show us exactly what we already suspect: that this isn’t how they obtained the IP address. Could they fake this report? Yes, but not very easily, and that’s why it matters that the FBI release the information promptly. Oops! That boat has already sailed.
For those of you who know a little about Tor and httpd: so long as both were configured properly, the server’s real IP address would never have leaked into the headers of those packets. Another theory is that the FBI is claiming this in order to cover up a SQL injection, in other words, hacking.
While the Tor network is incredibly powerful and secure, it’s not perfect. As the wiki page on the Tor Project website that the FBI cited points out, there are a number of potential ways Tor traffic can leak, but those leaks affect people browsing through Tor, not hidden services. The FBI cited leak issues for end users of Tor browsing, not for services.
It’s like saying that because your credit card details can be stolen, the entire bank is at risk… though with the recent JPMorgan Chase hack, that may not be the best analogy. It’s also like saying that because your watch can be stolen, every jewelry shop is at risk too, for the same reason.
What’s that you say? Maybe the FBI linked to that page because it was the most relevant one? It isn’t. There is another page on the main Tor Project website listing potential leaks for servers, and, well, it doesn’t have much to say.
“You need to configure your web server, so it doesn’t give away any information about you, your computer, or your location. Be sure to bind the web server only to localhost (if people could get to it directly, they could confirm that your computer is the one offering the hidden service). Be sure that its error messages don’t list your hostname or other hints. Consider putting the web server in a sandbox or VM to limit the damage from code vulnerabilities.”
And according to Cubrilovic, the reason there isn’t more text is that there isn’t much to add:
“Tor operating as a hidden service doesn’t leak information directly, the risk is at the application layer.”
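To make “the risk is at the application layer” concrete, here is a small checker, added to this post as an illustration; it is not code from the FBI filing, the Tor Project or Cubrilovic. It takes a raw HTTP response as a Tor client would receive it from a hidden service and flags the kinds of hints the Tor Project page above warns about: software banners in response headers, absolute URLs or IP literals in the markup that point anywhere other than a .onion address, and an Apache-style error footer that names the host. A second function checks whether an Apache `Listen` or nginx `listen` directive binds the web server only to loopback, which is the “bind only to localhost” advice above. The two responses, the hostname sr-box.example, the onion address and the IP address 203.0.113.5 are all constructed for the example.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# v2 (16 chars) or v3 (56 chars) onion hostnames are the only hosts a hidden
# service page should ever point at.
ONION_RE = re.compile(r"^[a-z2-7]{16}(?:[a-z2-7]{40})?\.onion$", re.I)
URL_ATTR_RE = re.compile(r"""(?:src|href|action)\s*=\s*["']([^"']+)["']""", re.I)
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Default Apache error-page footer: "Apache/2.2.22 (Ubuntu) Server at host Port 80"
APACHE_FOOTER_RE = re.compile(r"Server at ([^\s<]+) Port (\d+)")
BANNER_HEADERS = ("server", "x-powered-by", "via")


def parse_response(raw: str):
    """Split a raw HTTP response into (status line, lower-cased headers, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    status, *header_lines = head.split("\r\n")
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def is_revealing_ip(text: str) -> bool:
    """Loopback and 0.0.0.0 say nothing about where the box is; anything else does."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return not (ip.is_loopback or ip.is_unspecified)


def find_leaks(raw_response: str):
    """Return (kind, detail...) tuples for every application-layer hint found."""
    _, headers, body = parse_response(raw_response)
    leaks = []
    for name in BANNER_HEADERS:                        # software banners
        if headers.get(name):
            leaks.append(("header", name, headers[name]))
    for url in URL_ATTR_RE.findall(body):              # absolute URLs in markup
        host = urlsplit(url).hostname                  # None for relative URLs
        if host and not ONION_RE.match(host):
            leaks.append(("url", url, host))
    for ip in IPV4_RE.findall(body):                   # bare IPv4 literals anywhere
        if is_revealing_ip(ip):
            leaks.append(("ip", ip))
    for host, port in APACHE_FOOTER_RE.findall(body):  # hostname in error page
        leaks.append(("error-footer", host, port))
    return leaks


def listen_is_localhost_only(directive: str) -> bool:
    """True if an Apache 'Listen' or nginx 'listen' line binds only to loopback."""
    parts = directive.strip().rstrip(";").split()
    if len(parts) < 2 or parts[0].lower() != "listen":
        return False
    addr = parts[1]
    if addr.startswith("["):                           # [::1]:80
        host = addr[1:addr.index("]")]
    elif addr.count(":") == 1:                         # 127.0.0.1:80, *:80
        host = addr.split(":")[0]
    else:                                              # bare port = every interface
        return False
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


# Constructed responses; the hostname, onion address and IP address are made up.
LEAKY_RESPONSE = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Apache/2.2.22 (Ubuntu)\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    "<html><body><h1>Not Found</h1>\n"
    '<img src="http://203.0.113.5/logo.png">\n'
    "<hr><address>Apache/2.2.22 (Ubuntu) Server at sr-box.example Port 80</address>\n"
    "</body></html>"
)
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><body><form action="/login"><img src="/captcha.png">'
    '<a href="http://abcdefghijklmnop.onion/faq">FAQ</a></form></body></html>'
)

if __name__ == "__main__":
    for label, resp in (("leaky", LEAKY_RESPONSE), ("clean", CLEAN_RESPONSE)):
        print(label, find_leaks(resp))
    for line in ("Listen 80", "Listen 127.0.0.1:80", "listen [::1]:8080;"):
        print(repr(line), "loopback only:", listen_is_localhost_only(line))
```

Everything this finds lives in the HTTP response itself, which is exactly the point: a hidden service only gives away its location through what the application puts on the wire, and a Tor client reading the packet headers never sees anything but the Tor node at the other end of its circuit. Note that the checker works on captured text and never talks to the network, and that a bare IP in a page only tells you where the operator says a resource lives; confirming it would take a separate step.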
If you understand the Tor network and have read the FBI filing, you know that what they are claiming is not just impossible, it’s technical mumbo jumbo. The worst part is that most people won’t know that. I can just see the judge’s eyes glazing over while reading the filing. It sounds good, right? It sounds possible and has been explained in a basic way, so it’s easy to believe… But it’s not what happened. I don’t know what happened, but we can speculate, and the best speculation has to fit both what the FBI says it did and what we know to be true about the Tor network.
We know that Silk Road wasn’t the most secure website out there. It had suffered several attacks, and more than once the personal data of users and vendors had been compromised. Ross Ulbricht was not a seasoned programmer and allegedly “learned on the job,” adjusting and extending Silk Road as he went along. Flaws like those are what let attackers in: a hack at the application layer, not a sniffer or the CAPTCHA flaw the FBI described.
What’s more likely than an obvious and hideous flaw in the Tor network, or Silk Road using a third-party CAPTCHA, is that the FBI exploited a security flaw on the login page. Chances are the FBI attacked Silk Road by entering crafted input into the form fields on the login page or the main site (SQL injection) and forced the application to reveal its IP, possibly by making it display debugging output that included the address. But that would be hacking… which means the FBI would not be able to use the resulting evidence in court.
That’s probably why the FBI is claiming they used a packet sniffer and brought up the CAPTCHA in the first place. It’s a good guess that they did use one or both of those along the way; it’s just not the way they really got the IP, and dressing up evidence with a lawful-looking origin story is otherwise known as parallel construction.
Add this to your list of “speculative theories”, because that’s all it is. I’m not a network security expert, and more qualified people than me have weighed in. After digging around I was pleased to see that experts such as Cubrilovic and Sandvik came to the same or a similar theory.
To be clear, neither Cubrilovic nor Sandvik is accusing the FBI of lying; they just share a similar theory. Nor am I accusing the FBI of lying, but for right now something isn’t adding up. Either I’m missing a piece of the puzzle or they’re not telling the truth. Whatever the case, both sides need highly technical experts to evaluate the claims, and someone to explain them to the jury in plain English. Have any thoughts on the FBI’s Silk Road case? Comment below!
Images from Shutterstock.
Last modified: January 3, 2020 3:18 PM UTC