Phew! What is that awful smell? Some experts claim there is a stench coming from the 58-page DOJ brief that explains how the FBI found the real IP address of the online drug marketplace Silk Road and then located its alleged operator Ross Ulbricht. While the details might sound like a reasonable explanation to a jury of non-hackers, some security researchers say that technically the explanation “doesn’t make any sense.” And legally, the way the feds allegedly accomplished it was prosecuted as “hacking” by the DOJ in the past.
Ulbricht, aka Dread Pirate Roberts, previously claimed the FBI’s methods were unlawful, potentially aided by “non-national security criminal activity” collected by the NSA – which allegedly could use “illegal Tor-cracking techniques,” and should be “inadmissible in court under the ‘fruit of the poisonous tree’ doctrine;” in short, Ulbricht said the feds violated his Fourth Amendment rights.
The entire case could potentially be endless fodder for conspiracy theorists, but former FBI agent Christopher Tarbell claimed, “[Ulbricht's] various claims are bereft of any support in the law. [...] Instead, they amount to a pointless fishing expedition aimed at vindicating his misguided conjecture about the NSA being the shadowy hand behind the government’s investigation.”
For the DOJ, Tarbell explained how the FBI discovered the location of Silk Road's server via a leaky and misconfigured login page.
This did not involve accessing any administrative area or “back door” of the site. We simply were interacting with the website’s user login interface, which was fully accessible to the public, by typing in miscellaneous entries into the username, password, and CAPTCHA fields contained in the interface.
But the feds weren’t the only ones studying Hidden Wiki sites like Silk Road. There were countless “good” guys and “bad” guys looking for security flaws to exploit as well. After all, it’s not like a person who used bitcoin to purchase drugs from Silk Road could go running to the cops if a black hat stole their digital dollars. White hats scrutinized Silk Road because it was an “interesting challenge,” according to Australian security researcher Nik Cubrilovic, who “spent a lot of time investigating and testing the security of Silk Road (for sport) and became familiar with both its architecture and operation over the entire duration that the first site was up.” While the FBI’s explanation may convince a jury, he claims it “doesn’t make any sense technically.”
Cubrilovic looked at the FBI’s technical explanations and then broke down those claims. After setting up a “virtual machine with a web server running a Tor hidden server,” and intentionally mangling the server configuration, Cubrilovic never could reproduce the FBI’s method of finding a “real IP address.” The FBI’s explanation of obtaining an IP address by “typing in miscellaneous entries into the username, password, and CAPTCHA fields (aka fuzzing)” just “doesn’t hold up.”
“The idea that the CAPTCHA was being served from a live IP is unreasonable,” he claimed, since many people would have noticed it. For that same reason, “the second theory, that the agents ‘discovered’ the real IP address by just looking at packet captures produced by a sniffer is similarly impossible.”
He suggested a “much more plausible explanation is that the FBI discovered a security exploit or information leak in the login page, in the same way a number of other people discovered similar security holes or information leaks in both the login page and the Silk Road application itself.”
The FBI have good reason to not mention any bugs or forcing the server to do anything, and to pretend that they simply picked up the IP address from the wire, since such actions would raise concerns about how lawful their actions in uncovering the IP address were. What we do know is that their description of “packet sniffing” for the IP through a “leak” is impossible.
Cubrilovic is not the only security researcher saying the FBI’s explanation is bogus. K.M. Gallagher suggested that the FBI’s account of its “unmasking technique” is “both improbable and imprecise.”
Legal minds like George Washington University Law School Professor Orin Kerr, who previously represented Andrew Auernheimer, aka “weev,” have plenty of questions about the legality of it all as well. “The DOJ brief argues that there was ‘nothing unconstitutional or otherwise unlawful’ about obtaining the inadvertently leaked IP address from the Silk Road server,” Kerr wrote, but does that mean the “DOJ concedes that it would not violate the Computer Fraud and Abuse Act” (CFAA)?
In Auernheimer, "the DOJ took the view that obtaining information at the website addresses was criminal unauthorized access because AT&T had not intended for the public to see it and it was in a place where an ordinary computer user would likely not find it….In defending conduct in the Silk Road case, however, DOJ takes the view that there is ‘nothing . . . unlawful’ about taking advantage of a server misconfiguration to obtain data inadvertently 'leaked' by the server because that information is ‘fully accessible to the public’.”
In Auernheimer, DOJ argued that data on a webserver was protected by law if an ordinary user could not find it. In the Silk Road case, DOJ argues that data on a webserver is unprotected by law if the system administrator configured the network incompetently so that an FBI expert could find the data. It sounds like there’s some significant tension between the government’s position in the two cases.
Did the feds violate CFAA to locate Ulbricht? Not all security experts believe there was “hacking” involved for the server’s IP and location to leak. The average Jane and Joe jurors couldn’t hack their way out of a box, so their eyes may glaze over with the level of technical explanations that experts for both sides will surely delve into during the trial.