Programmers speculate on FBI claims, parallel may not be possible with NetSec

From the declaration of FBI agent Christopher Tarbell, the method that the FBI used to obtain the Silk Road server's IPv4 address, and by extension the full nature of SR's mistakes, are entirely unclear. This is important because I think that when the FBI uses exploitation techniques that would otherwise be illegal if they were not being done by them, they do a very poor job of describing them accurately in their declarations and affidavits. By the time it's read by a judge, the process is simplified to the point that it's unrecognizable.

Due to this lack of clarity, on Twitter I've now heard what happened variously described in the following different ways, all of which are vastly different from a technical standpoint:

1. View source
2. Packet sniffing
3. SQL injection
4. Database error
5. phpinfo() or SERVER_ADDR leak

I think that if it were really as easy as the agent makes it sound, it would have been found and pointed out a lot sooner, by someone other than the FBI. It's almost inconceivable to me that someone in the community wouldn't have alerted SR to the same elementary vulnerability, unless it were a temporary one. So something is definitely amiss. Or the FBI could be lying -- they're known to do that on occasion.

Now, here's how it's described in the declaration:

We simply were interacting with the website's user login interface, which was fully accessible to the public, by typing in miscellaneous entries into the username, password, and CAPTCHA fields contained in the interface. When we did so, the website sent back data to the computer we were using - specifically, the Silk Road homepage, when we used valid login credentials for undercover accounts we had on the site, or an error message, when we used any username, password, or CAPTCHA entry that was invalid.

Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the "Subject IP Address") was the only non-Tor source IP address reflected in the traffic we examined.

There's a very important footnote, which seems to suggest #2 (packet analysis, like one would do with tcpdump or Wireshark):

All communications on the Internet are broken up into "packets" when they are transmitted from one computer to another; the packets are reassembled when they reach the destination computer. Each packet contains, among other things, "header" information, analogous to the outside of a mailing envelope, which includes the IP addresses of the source and destination computers used to route the packet over the Internet.

If Tor and httpd were configured properly, the server's regular IP address never would have been leaked within the header information of any "packet". But based on my own reading, the technique could also plausibly be a veiled depiction of SQL injection. They reference making "miscellaneous entries", i.e. POST/GET requests (like a tool such as sqlmap might do), and "packets of data being sent back"... In this case input sanitization and escaping would've been relevant. So I think either of these two possibilities is the most likely, perhaps even a combination of the two.

But does Tarbell mean the HTTP header, Tor protocol or TCP/IP packet header? We don't know. weev asks "Where are the pcap files?" as that's the only thing that would settle this debate:

Right here Agent Tarball is claiming that he sent a GET request to a Tor hidden service and the Tor hidden service sent back a packet containing its true source address in the TCP header. This seems to me to be improbable, given how Tor and TCP work. It is very easy for a federal agent to claim something. It is several orders of magnitude more difficult to fake packet logs of network traffic which include a protocol as complex as Tor. I think the FBI needs to release these in a timely fashion to corroborate their claims here.

In the database error scenario, PHP error_reporting() would have to be on, and the MySQL database would need to be hosted on a second server so that its IP would be in the grant tables--there'd have to be a reason that it's not connecting on localhost.

The agent also notes that "IP address leaks were a recurring problem for [Ulbricht]". And this interesting post on /r/SilkRoad from a year ago suggests just such a devastating leak. Remember that IP leaks can happen through a variety of vectors, and across the full stack there are many approaches to deanonymizing a hidden service.

What do you think?

https://blog.ageispolis.net/speculating-fbi-silk-road-unmasking-technique/
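The post lists several ways a hidden service's real address can show through (view source, a database error, phpinfo() or SERVER_ADDR in the page) and notes that a properly configured Tor/httpd pair should never put it in any response. The self-check below is an added example, not code from the blog post or from anyone in this thread: it takes a raw HTTP response captured from one's own hidden service, pulls every IPv4 literal out of the headers and body, and classifies each as loopback (expected when httpd is bound to 127.0.0.1), internal (RFC 1918 / link-local / CGNAT, which still reveals topology such as a remote MySQL host named in an error message) or a routable address, i.e. a leak. The sample response and the addresses in it are constructed; 203.0.113.10 is an RFC 5737 documentation address.

```python
import ipaddress
import re

# Constructed sample: what an operator might capture from their own login page.
# The loopback backend, the SERVER_ADDR debug comment and the MySQL error with
# a remote database host are all invented for this example.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Apache/2.2.22\r\n"
    "X-Powered-By: PHP/5.3.10\r\n"
    "X-Debug-Backend: 127.0.0.1:8080\r\n"
    "\r\n"
    "<html><body>\n"
    "<form action=\"/login\" method=\"post\">\n"
    "<input name=\"username\"><input name=\"password\">\n"
    "<img src=\"/captcha.php\">\n"
    "</form>\n"
    "<!-- debug: SERVER_ADDR=203.0.113.10 -->\n"
    "<p>Warning: mysql_connect(): Access denied for user 'app'@'192.168.1.50'</p>\n"
    "</body></html>\n"
)

# Dotted quad with word boundaries; version strings like 2.2.22 have only two dots.
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

# Address space that reveals internal topology but is not the server's public IP.
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),  # link-local
    ipaddress.ip_network("100.64.0.0/10"),   # carrier-grade NAT
]


def split_response(raw):
    """Split a raw HTTP response into (header dict, body string)."""
    raw = raw.replace("\r\n", "\n")
    head, _, body = raw.partition("\n\n")
    headers = {}
    for line in head.splitlines()[1:]:  # skip the status line
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def find_ipv4(text):
    """Return the valid IPv4 addresses that appear as literals in text."""
    found = []
    for match in IPV4_RE.finditer(text):
        try:
            found.append(ipaddress.IPv4Address(match.group(0)))
        except ValueError:
            continue  # e.g. 999.1.1.1 matches the regex but is not an address
    return found


def severity(addr):
    """loopback: expected; internal: topology disclosure; leak: routable address."""
    if addr.is_loopback:
        return "loopback"
    if any(addr in net for net in INTERNAL_NETS):
        return "internal"
    return "leak"


def audit_response(raw):
    """List every IPv4 literal in headers and body with where it was found."""
    headers, body = split_response(raw)
    findings = []
    for name, value in headers.items():
        for addr in find_ipv4(value):
            findings.append({"where": "header " + name, "address": str(addr),
                             "severity": severity(addr)})
    for lineno, line in enumerate(body.splitlines(), 1):
        for addr in find_ipv4(line):
            findings.append({"where": "body line %d" % lineno, "address": str(addr),
                             "severity": severity(addr)})
    return findings


def leaks(raw):
    """Only the routable addresses, i.e. what a hidden service must never emit."""
    return [f["address"] for f in audit_response(raw) if f["severity"] == "leak"]


if __name__ == "__main__":
    for finding in audit_response(SAMPLE_RESPONSE):
        print("%-9s %-15s %s" % (finding["severity"], finding["address"], finding["where"]))
```

Run against the sample it reports the loopback backend header, the SERVER_ADDR comment on body line 6 as a leak, and the database host on body line 7 as internal. The complement of this check is the configuration it assumes: httpd listening on 127.0.0.1 only and the torrc HiddenServicePort line pointing at that loopback port, so the only addresses the web server ever sees or prints are local ones.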


Comments


[11 Points] dzorror:

Great to see I'm not the only one skeptical of the FBI's statements. Though I know little about the subject matter, it is hard to believe indeed that they would give away their actual methods for everyone to see. Clearly it would harm 'national interests...' Someone needs to help the defense see the vagueness in these claims, if they haven't already.


[3 Points] select1on:

This might have been answered before, but the captcha is not driven by Google or anything, is it? It's some kind of self-hosted solution... right?


[3 Points] akcom:

We'd be naive to think the FBI doesn't have some 0-day exploits. We'd be equally naive to think they would just spell out those exploits for us. It's a moot point though because there are plenty of documents published on de-anonymizing Tor hidden services. The FBI has that capability, period.


[1 Points] whothehoe:

That footnote at the bottom describing how the gov seized his computer and were able to access his administration log makes this whole case seem like it was written post mortem. It's also worth mentioning that the prosecutor has a team of lawyers carefully writing out these stories.

Free Ulbricht.


[1 Points] hrmbus:

I think that if it were really as easy as the agent makes it sound, it would have been found and pointed out a lot sooner, by someone other than the FBI.

Most definitely. Unheard-of numbers of people were attempting to break into the proverbial Fort Knox that was SR. Markets are huge targets.


[1 Points] 666fun:

"I think that if it were really as easy as the agent makes it sound, it would have been found and pointed out a lot sooner, by someone other than the FBI. It’s almost inconceivable to me that someone in the community wouldn’t have alerted SR to the same elementary vulnerability, unless it were a temporary one."

Someone did.

A couple of days ago, someone linked to a story on the SR sub from last June (2013) about how some element on the SR homepage was leaking the server's real IP. The reaction of the community was disbelief, tarring and feathering the OP based on previous comments they'd made, and just general character assassination. There was not one responder who said "hmmm, maybe there's a problem here."

I'd go find the story, but it's late and I'm tired. You can find it though. It was just re-linked on one of the recent subs about how the FBI found the server. Shouldn't take anyone too long to find again.


[1 Points] sharpshooter789:

Another article.

https://www.nikcub.com/posts/analyzing-fbi-explanation-silk-road/