Silk Road forums
Discussion => Silk Road discussion => Topic started by: CarlYoung on October 07, 2013, 05:38 pm
-
This part isn't clear to me. Did they have what they needed to just take the site w/o getting DPR? If it was possible to seize it w/o his laptop then there is no reason they can't seize Sheep and BMR. Also they have the wallets but they don't have the private keys do they?
-
Yeah, he was logged into the server as admin so all they had to do was keep his laptop on and they could do whatever they wanted......should have been running a live OS with a kill plan involved!! idiot.
-
So it is the prevailing opinion, or a known fact, that they needed his laptop to do that? And they don't need the private keys then?
-
I don't think DPR ever envisioned a team of FBI agents pointing guns at his head, while just sitting there logged in. He should have at least snapped his laptop in half at the screen, or smashed it when they got the jump on him. I mean who cares they shoot you for that kind of move, you're spending the rest of your life in prison either way.
-
So it is the prevailing opinion, or a known fact, that they needed his laptop to do that? And they don't need the private keys then?
They needed that laptop.
-
GyroGym thank you! Yeah, I read elsewhere someone said he should've just not had a battery in his laptop so he could've just flicked the power cord out, and I was like ohhhhhhh that would've been brilliant! Snapping it in half would've been good too. So the SR had all of our private keys or didn't need them to transfer out of the wallets at any time? I thought EVEN the SR didn't save what people's private keys were?
-
I think if he just pulled out the power cord he would still be susceptible to a cold boot attack because his keys would still be stored in the computer's RAM. That's why some live OS systems (like Tails) write random data over the RAM on shutdown.
A normal user probably doesn't have to worry about a cold boot attack, but when the FBI is involved looking for someone wanted as much as DPR, I bet they would have at least tried it.
-
I think we all need to keep in mind one thing:
While they did get his laptop as he was logged in, he likely did not give them any passwords. I highly doubt his account stays permanently logged in. It can probably time out and it probably asks for the password again when various changes are made to the server. I am still not so sure they have total access to the site's data.... Even if they copy the website from the server directly, most valuable information is encrypted.
Breaking into the Escrow wallet is likely also easy. I assume he has the server pull from the wallet, but also has that wallet's private key accessible from his laptop. If this is the case, if he has an average bitcoin client, they could very easily crack his withdrawal password for the Escrow wallet.
If they have access to his laptop they can also easily get which server specifically the site is hosted from, presumably, and if that's the case they can take control of the domain by contacting the server host - though this doesn't mean they have access to the site.
This is all just theory at this point. I could be entirely wrong, but I'm just trying to use reason here.
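The timeout and re-prompt behaviour this post speculates about, sketched as an added Python example (not code from the thread or from Silk Road): an admin session that locks itself after a period of inactivity and demands the password again for a short list of sensitive operations, so that a session captured while open is worth much less to whoever holds the laptop. The class name, the action names ("withdraw_escrow", "rotate_onion_key", "export_database"), the timeouts and the PBKDF2 password hashing are all assumptions made for the illustration.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Constructed example. Class and action names (AdminSession, "withdraw_escrow", ...) are
# illustrative assumptions, not anything from Silk Road's real code.


class SessionLocked(Exception):
    """Raised when the session has gone idle and must be unlocked with the password."""


def _derive(password: str, salt: bytes) -> bytes:
    # Stand-in for the server's password hash (PBKDF2-HMAC-SHA256, assumed for the example).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class ManualClock:
    """Deterministic clock so the timeouts can be exercised without sleeping."""

    def __init__(self) -> None:
        self.t = 0.0

    def __call__(self) -> float:
        return self.t


class AdminSession:
    # Operations that always demand a fresh password, even on an already open session.
    SENSITIVE = {"withdraw_escrow", "rotate_onion_key", "export_database"}

    def __init__(self, password: str, now: Callable[[], float],
                 idle_timeout: float = 300.0, reauth_window: float = 60.0) -> None:
        self._salt = os.urandom(16)
        self._hash = _derive(password, self._salt)
        self._now = now
        self.idle_timeout = idle_timeout      # seconds of inactivity before the session locks
        self.reauth_window = reauth_window    # how long a password check stays "fresh" for sensitive ops
        self._last_activity = now()
        self._last_reauth: Optional[float] = None
        self.locked = False

    def _touch(self) -> None:
        """Lock on idle; refuse everything while locked; otherwise record activity."""
        t = self._now()
        if t - self._last_activity > self.idle_timeout:
            self.locked = True
        if self.locked:
            raise SessionLocked("session idle too long; password required")
        self._last_activity = t

    def unlock(self, password: str) -> bool:
        """Constant-time password check; a success both unlocks and counts as a fresh re-auth."""
        ok = hmac.compare_digest(_derive(password, self._salt), self._hash)
        if ok:
            t = self._now()
            self.locked = False
            self._last_activity = t
            self._last_reauth = t
        return ok

    def perform(self, action: str, password: Optional[str] = None) -> str:
        """Run an admin action; sensitive ones need a password check within reauth_window."""
        self._touch()
        if action in self.SENSITIVE:
            fresh = (self._last_reauth is not None
                     and self._now() - self._last_reauth <= self.reauth_window)
            if not fresh and (password is None or not self.unlock(password)):
                raise PermissionError(f"{action} requires re-authentication")
        return f"{action}: ok"


if __name__ == "__main__":
    clock = ManualClock()
    session = AdminSession("correct horse battery", clock)
    print(session.perform("view_orders"))
    print(session.perform("withdraw_escrow", "correct horse battery"))
    clock.t = 500.0
    try:
        session.perform("view_orders")
    except SessionLocked as exc:
        print("locked:", exc)
```

The two knobs do different jobs: the idle timeout bounds how long an unattended open session stays usable, while the re-authentication window means that even a session caught in the middle of active use cannot move escrow funds or rotate keys without the password being typed again.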
-
This is interesting. So has anyone who knows who the server host was contacted them to see if they have taken control of the domain? If they haven't taken the domain then couldn't we get it back? You would've hoped where millions and billions were at stake there would have been a conversation with the server host about not ever giving it over and back up protocols. Maybe it would've cost extra but we wouldn't be here now.
-
I don't think DPR ever envisioned a team of FBI agents pointing guns at his head, while just sitting there logged in. He should have at least snapped his laptop in half at the screen, or smashed it when they got the jump on him. I mean who cares they shoot you for that kind of move, you're spending the rest of your life in prison either way.
Yea with those things drawn down on him, he better not have made a move.
-
They had an image of the SR server from July. Which means that in July, they had deanonymized it and knew right where it was. Nobody knows how.
Hidden services are called "hidden" because it's very, very difficult to determine where they really are. Could be in Latvia. Could be in somebody's living room on a cable modem in Omaha.
But since .onion addresses don't rely on a central registry, like traditional domain names, they can't exactly "seize" the domain like they usually do. Normally, they just issue the domain registrar with a court order (we're seizing "bad.com"), and presto, it's their domain. For a .onion hidden service, they need the private cryptographic keys used by the Tor instance to provide the hidden service. They very likely got those keys when they imaged the server. Only exception would be if the Tor instance advertising/connecting the hidden service was on a different node that they somehow missed. At which point, they could easily have rectified that in the past three months. So they already should have been in possession of the private keys to bring up their own SR server with the .onion address.
They may need the laptop for a million other things (and they may very well start stacking charges on him based on evidence from his open laptop if they got it in a usable state), but not to take over SR. Just ask the foreign agency to unplug the real server, bring up their own using the private keys to the .onion address, and all requests to SR's .onion address come to them. Based on This_is_not_SOCA's post earlier, the SR server changed on Sunday. I'd guess they brought up a modified version of the image from July, with the seizure notice on it immediately, then replaced it with another server. Hell if I know why, but I'm sure they have a reason for it.
The real question, and one that nobody can answer, is how they found the real SR server in July. Either they found Ross Ulbricht (or someone with detailed, inside knowledge), and watching him led them to the real server. Or they used technical means to deanonymize the servers. If it's the latter, either they asked NSA to give them the IPs of SR (and FH,etc), then ran it down themselves, which isn't hard given the IP, or they used some variation on the deanonymization attacks everybody quotes from white papers.
My personal opinion is that the most likely explanation is that at some point earlier in the year, NSA (or GCHQ, who seems to have put more effort into Tor) found a way to identify the real IPs of SR, FH, Tormail, etc. It doesn't even have to be some amazing attack. Just find a way to identify hidden service traffic (anything not going to an exit node is hidden service traffic), then find the top nodes receiving hidden Tor traffic. If they can get that far, they're guaranteed to end up with SR and FH. They had to be the top two hidden sites in terms of number of connections and total traffic to them. After that, just handing the FBI a Post-It note with only "SR = x.x.x.x, LolitaCity = y.y.y.y" is more than enough for the FBI to run with it as far as they have. If my guess about how they did it is correct, they may not be able to deanonymize hidden sites with less traffic, so all of SR's replacements that are guaranteed to pop up may be safe for a while.
But it's all just conjecture. Maybe Ross Ulbricht knew the FH guy, and one investigation led to the other. I'm sure the operators of the two largest Tor hidden services on earth at least had some chats together. Hell, maybe a hosting company in some shitty country decided to poke around on their servers, came across FH or SR, and sold that info to the US government. Nobody knows. And at the end of DPR and the FH legal saga, we may still not know.
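Why "they need the private cryptographic keys" is literally true: a .onion address is not registered anywhere, it is computed from the service's public key, so whoever holds the matching private key can stand up a server that answers for that address. The following added Python example (not code from this thread or from the Tor Project) shows the derivation. The v2 scheme is the one in use at the time of the thread; the v3 scheme came later and is included to show that the binding of address to key, and the client-side checksum that rejects altered addresses, survived the redesign. The key bytes are constructed placeholders, not real keys.

```python
import base64
import hashlib

# Constructed placeholder key material for the demonstration; these are NOT real Tor keys.
# A v2 service identity is an RSA-1024 public key (PKCS#1 RSAPublicKey, DER encoded);
# a v3 service identity is a 32-byte Ed25519 public key.
PLACEHOLDER_RSA_PUBLIC_DER = b"\x30\x81\x89\x02\x81\x81" + bytes(range(129)) + b"\x02\x03\x01\x00\x01"
PLACEHOLDER_ED25519_PUBLIC = bytes(range(32))


def onion_v2_address(rsa_public_key_der: bytes) -> str:
    """v2 (the scheme in use in 2013): the first 80 bits of SHA-1 over the
    DER-encoded RSA public key, base32-encoded and lowercased (16 characters)."""
    digest = hashlib.sha1(rsa_public_key_der).digest()[:10]
    return base64.b32encode(digest).decode("ascii").lower() + ".onion"


def onion_v3_address(ed25519_public_key: bytes) -> str:
    """v3 (later scheme, included to show the same key-to-address binding):
    base32(PUBKEY | CHECKSUM | VERSION) where VERSION = 0x03 and
    CHECKSUM = SHA3-256(".onion checksum" | PUBKEY | VERSION)[:2]."""
    if len(ed25519_public_key) != 32:
        raise ValueError("Ed25519 public key must be 32 bytes")
    version = b"\x03"
    checksum = hashlib.sha3_256(b".onion checksum" + ed25519_public_key + version).digest()[:2]
    raw = ed25519_public_key + checksum + version            # 35 bytes -> 56 base32 chars
    return base64.b32encode(raw).decode("ascii").lower() + ".onion"


def verify_v3_address(address: str) -> bool:
    """Decode a v3 address and recompute its checksum; False when malformed or altered.
    This is the check a client performs before it will even look up the service."""
    if not address.endswith(".onion"):
        return False
    label = address[: -len(".onion")]
    if len(label) != 56:
        return False
    try:
        raw = base64.b32decode(label.upper())
    except ValueError:
        return False
    pubkey, checksum, version = raw[:32], raw[32:34], raw[34:]
    if version != b"\x03":
        return False
    expected = hashlib.sha3_256(b".onion checksum" + pubkey + version).digest()[:2]
    return checksum == expected


if __name__ == "__main__":
    print("v2:", onion_v2_address(PLACEHOLDER_RSA_PUBLIC_DER))
    v3 = onion_v3_address(PLACEHOLDER_ED25519_PUBLIC)
    print("v3:", v3, "valid:", verify_v3_address(v3))
```

The practical consequence for an operator is that the hidden-service private key is the site's identity: it deserves the same handling as the escrow wallet keys, and an image of the server that includes it is enough to impersonate the address regardless of who holds the original hardware.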
-
TOR project never claimed they were immune to entities with the ability to do whatever they want to whomever they want. Controlling/viewing mass amounts of traffic analysis and the NSA's general power trip was not what TOR can ultimately withstand without proper security both cyber, and operationally IRL.
As many of us decent folks as possible need to stay out of trouble to at least keep things in balance in our horrid society these days...
I got sloppy on SR
-
not arguing (cause I don't know) but where did you hear they got a copy of the image from July ?
and yeah, who knows what TOR is really doing... I'm not saying it's doing anything... but who knows? Has anyone gone through the source code? We just go to the tor checker page and see a diff source IP comes up and think oh cool it's all working (with clearnet sites anyways).
We all just go off information we are told... same as how DPR said there's backup plans and what not.. everyone just assumed he covered all scenarios.. but from the looks of it the backup plan only covered the "ok the cops are after me I better shut her down" scenario. Surely all he needs is a backup of the site (or image as others have mentioned) hosted *anywhere*, doesn't even need to be on TOR.. and have someone click the "backup plan" button to have SR withdraw BTC to everyone's accounts?? I suppose the positive is, if it's as easy as it is in my mind, maybe in a month, year or 5 years someone will click the button and everyone will get their BTC
-
They had an image of the SR server from July. Which means that in July, they had deanonymized it and knew right where it was. Nobody knows how.
Hidden services are called "hidden" because it's very, very difficult to determine where they really are. Could be in Latvia. Could be in somebody's living room on a cable modem in Omaha.
But since .onion addresses don't rely on a central registry, like traditional domain names, they can't exactly "seize" the domain like they usually do. Normally, they just issue the domain registrar with a court order (we're seizing "bad.com"), and presto, it's their domain. For a .onion hidden service, they need the private cryptographic keys used by the Tor instance to provide the hidden service. They very likely got those keys when they imaged the server. Only exception would be if the Tor instance advertising/connecting the hidden service was on a different node that they somehow missed. At which point, they could easily have rectified that in the past three months. So they already should have been in possession of the private keys to bring up their own SR server with the .onion address.
They may need the laptop for a million other things (and they may very well start stacking charges on him based on evidence from his open laptop if they got it in a usable state), but not to take over SR. Just ask the foreign agency to unplug the real server, bring up their own using the private keys to the .onion address, and all requests to SR's .onion address come to them. Based on This_is_not_SOCA's post earlier, the SR server changed on Sunday. I'd guess they brought up a modified version of the image from July, with the seizure notice on it immediately, then replaced it with another server. Hell if I know why, but I'm sure they have a reason for it.
The real question, and one that nobody can answer, is how they found the real SR server in July. Either they found Ross Ulbricht (or someone with detailed, inside knowledge), and watching him led them to the real server. Or they used technical means to deanonymize the servers. If it's the latter, either they asked NSA to give them the IPs of SR (and FH,etc), then ran it down themselves, which isn't hard given the IP, or they used some variation on the deanonymization attacks everybody quotes from white papers.
My personal opinion is that the most likely explanation is that at some point earlier in the year, NSA (or GCHQ, who seems to have put more effort into Tor) found a way to identify the real IPs of SR, FH, Tormail, etc. It doesn't even have to be some amazing attack. Just find a way to identify hidden service traffic (anything not going to an exit node is hidden service traffic), then find the top nodes receiving hidden Tor traffic. If they can get that far, they're guaranteed to end up with SR and FH. They had to be the top two hidden sites in terms of number of connections and total traffic to them. After that, just handing the FBI a Post-It note with only "SR = x.x.x.x, LolitaCity = y.y.y.y" is more than enough for the FBI to run with it as far as they have. If my guess about how they did it is correct, they may not be able to deanonymize hidden sites with less traffic, so all of SR's replacements that are guaranteed to pop up may be safe for a while.
But it's all just conjecture. Maybe Ross Ulbricht knew the FH guy, and one investigation led to the other. I'm sure the operators of the two largest Tor hidden services on earth at least had some chats together. Hell, maybe a hosting company in some shitty country decided to poke around on their servers, came across FH or SR, and sold that info to the US government. Nobody knows. And at the end of DPR and the FH legal saga, we may still not know.
I've heard rumor that it had to do with Tormail, and somehow information on how to access SR was somehow leaked that way. Also heard that around March or so that the Tormail nodes were given up, so maybe DPR had something in Tormail and the Feds were able to use that to access SR.
There was a mass exodus of vendors on SR (selling accounts and/or leaving) around July....and it was back then that a rumor about all this was circulating.
-
Why log in through a public place like the library? Not enough open wifi connections in SF?
-
ECC_ROT13 I hope the people running Sheep, BMR, and Deepbay and the people using them are aware this may be a possibility
They may need the laptop for a million other things (and they may very well start stacking charges on him based on evidence from his open laptop if they got it in a usable state), but not to take over SR. Just ask the foreign agency to unplug the real server, bring up their own using the private keys to the .onion address, and all requests to SR's .onion address come to them. Based on This_is_not_SOCA's post earlier, the SR server changed on Sunday. I'd guess they brought up a modified version of the image from July, with the seizure notice on it immediately, then replaced it with another server. Hell if I know why, but I'm sure they have a reason for it.
-
He had very poor OPSEC. Never should be in a place where others can get to you before you can shut down the laptop when administering the site.
They probably had someone walk up to him and ask him a question; when he turned around two guys grabbed his arms and threw him against the wall. No time for breaking machines and all the other comments here.
Security at this level needs to fail safe. USB key tied to neck. Live OS with RAM wipe. Not in a public library where people can sneak up on you.
Laptop likely a treasure trove of information.