Original article by Joseph Cox for Motherboard.com.
In the run-up to the trial of Ross Ulbricht, the alleged owner of Silk Road, an aching question has remained: How exactly did the FBI find the location of the server running the deep web marketplace?
As revealed in court documents and reported by Andy Greenberg at Wired, the FBI claimed it was because of a misconfiguration of the site’s CAPTCHA, which inadvertently revealed Silk Road’s IP address. But now more evidence is putting that narrative under strain, and some experts are suggesting that the FBI may have had some other help.
For the past few months, Ulbricht’s defense, led by Joshua Dratel, has been in the dark regarding how the FBI located the Silk Road servers. It’s a nagging gap in the timeline, and one that led Dratel to argue that the FBI may have broken privacy laws in their investigation.
Last month, the FBI finally described how it apparently found the server. Rather than using any real techno-wizardry, or breaking the Tor network, investigators allegedly found it by typing “miscellaneous entries” into the site’s CAPTCHA, which then, because it wasn’t set up correctly, sent back the site’s IP address to a normal web browser. This was all detailed in a declaration from the lead FBI agent working on the case at the time, Christopher Tarbell.
A slew of experts subsequently scrutinised that series of events, describing Tarbell’s declaration as overly vague and suggesting that the FBI’s tactics may have resembled something closer to hacking than essentially just stumbling across the IP address.
Now, fresh evidence has cast more doubt on the story.
The new details are included in documents released by the US government this week, which were published in response to Ulbricht’s lawyers demanding that the FBI provide more information.
The defense wanted to know which software was used to record evidence of the CAPTCHA leaking the Silk Road’s IP address to investigators. But, according to the FBI’s response, the agency had no additional information to provide.
Brian Krebs, a renowned security and cybercrime journalist, uploaded the government’s responses to the web and asked an expert to weigh in. Nicolas Weaver from the International Computer Science Institute and the University of California, Berkley, took particular issue with a configuration file that was taken from the seized Silk Road servers.
Weaver claimed that because of the way the Silk Road website was set up—with a front-end server and a back-end server, and only data from the former being able to reach the latter—it would actually have been impossible for someone fiddling with the CAPTCHA on the login page to reach the back-end server.
The FBI also provided the defense with the traffic logs from the Silk Road server, but Weaver didn’t like the look of those either. He suggested that the logs didn’t show the FBI getting an IP address from a leaky CAPTCHA, but a PHPMyAdmin configuration page.
So now another question arises. If the FBI didn’t find the server because of a leaky CAPTCHA, how did it find a PHPMyAdmin page instead?
Robert Graham of Errata Security took that up on his blog. He gets into the technical grit around the evidence, and suggests that the logs point to something else, perhaps monitoring of internet ports. If the FBI or an assisting government agency like the NSA were monitoring connections to and from Iceland, where it turned out the admin pages were being hosted, “they could easily have discovered the password and used it to log onto the server.”
As for finding that PHPMyAdmin page, “One way this could have been found is by scanning the entire Internet for SSL servers, then searching for the string ‘Silkroad’ in the resulting webpage,” Graham writes. He also says that the logs provided in the new evidence don’t match up with the pages described in Tarbell’s declaration.
“As an expert in such topics as sniffing passwords and masscaning the Internet, I know that tracking down the Silk Road site is well within the NSA’s capabilities,” Graham wrote.
But the prosecution has maintained it was the FBI, and not the NSA, that found the server.
Some, including Graham, therefore suggest a case of “parallel construction” could be at play—when evidence is presented as obtained in one way to support a court case, but has in fact been sourced by other means.
For example, last year Reuters reported that the DEA used “parallel construction” to hide when their investigations originated with a tip-off from NSA surveillance.
The problem with this tactic is its potential to diminish the fairness of a trial, which largely relies on a defendant knowing how the evidence against them was obtained.
Ulbricht’s trial is set to start next month, and we can no doubt expect the legal drama to continue in force.