If the FBI has been tracking down Silk Road for years, I find it completely reasonable that they finally found the location of the server just based on traffic analysis. I'm sure that the FBI or NSA runs a number of exit and intermediate nodes to collect statistical correlations from traffic and track down hidden services given enough time (there is even public research that shows how it can be done: http://epub.uni-regensburg.de/11919/1/authorsversion-ccsw09....).
All that said, it's even more likely that they found his identity another way. He seems to have slipped from time to time. I think most people underestimate the amount of boring and tedious chores they must do year after year if they want to conceal their identity from an FBI that is actively searching for them online. It seems that the main theme in revealed identities is reusing usernames or using the same email in two different contexts that link a person to his anonymous identity.
1) Located the first reference to "silk road" on the internet. You can find this yourself on Google:
"silk road" site:shroomery.org Date range: Jan 1,2011 - Jan 31,2011 *
2) The same username, "altoid", showed up on bitcointalk days later.
3) Later in 2011 "altoid" made a post on bitcointalk with his email address, containing his real name, in it:
https://bitcointalk.org/index.php?topic=47811.msg568744#msg5...
If you search the name on Google it doesn't show up, but if you look at the user's page you can see it in his posts.
That seems like more than enough for a warrant for this individual. Everything after that should be easy.
I've used Google before to locate when a particular word or phrase first appeared. Kind of surprising someone didn't figure this one out quicker.
* Obviously this is a common word, so you would likely need to add other keywords with it.
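The three steps in the comment above (find the earliest mention of a phrase, spot the same handle turning up on a second site days later, then harvest an e-mail address that handle posted) are a linking procedure that can be written down. The following is an added example, not the commenter's code or anything from the thread: it runs over a constructed list of forum records embedded inline (the sites and the handle "altoid" are from the comment; dates, post text and the placeholder address john.doe@example.com are made up), and `earliest_mention`, `handles_on_multiple_sites`, `emails_for_handle`, `name_hint` and `link_identities` are names chosen here.

```python
import re
from datetime import date
from collections import defaultdict

# Constructed sample records (not real forum data): (site, handle, iso_date, text).
# Sites and the handle "altoid" come from the thread above; the dates, text and the
# placeholder e-mail in a reserved example domain are made up to mirror the three steps.
SAMPLE_RECORDS = [
    ("shroomery.org", "altoid", "2011-01-27",
     "Has anyone seen Silk Road yet? It's kind of like an anonymous amazon.com."),
    ("bitcointalk.org", "altoid", "2011-01-29",
     "Has anyone seen Silk Road? It's an anonymous marketplace that takes bitcoin."),
    ("bitcointalk.org", "altoid", "2011-10-11",
     "Looking for an IT pro in the bitcoin community. Email me at john.doe@example.com"),
    ("bitcointalk.org", "hodler99", "2011-03-02", "Price is going up, buy now!"),
    ("shroomery.org", "mycofan", "2010-05-01", "What substrate do you use?"),
]

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def earliest_mention(records, phrase):
    """Step 1: the first post containing the phrase (case-insensitive).
    Returns (iso_date, site, handle) or None."""
    hits = [(when, site, handle) for site, handle, when, text in records
            if phrase.lower() in text.lower()]
    return min(hits) if hits else None


def handles_on_multiple_sites(records, max_gap_days=None):
    """Step 2: handles that appear on more than one site.
    With max_gap_days set, only handles whose first posts on the different sites fall
    within that many days of each other are kept (the two registrations in the
    thread were two days apart)."""
    first_seen = defaultdict(dict)          # handle -> site -> earliest iso date
    for site, handle, when, _ in records:
        if site not in first_seen[handle] or when < first_seen[handle][site]:
            first_seen[handle][site] = when
    linked = {}
    for handle, sites in first_seen.items():
        if len(sites) < 2:
            continue
        if max_gap_days is not None:
            days = sorted(date.fromisoformat(d) for d in sites.values())
            if (days[-1] - days[0]).days > max_gap_days:
                continue
        linked[handle] = sorted(sites)
    return linked


def emails_for_handle(records, handle):
    """Step 3: every e-mail address the handle ever posted, on any site."""
    found = set()
    for _, h, _, text in records:
        if h == handle:
            found.update(EMAIL_RE.findall(text))
    return sorted(found)


def name_hint(email):
    """Split the local part on separators; a 'first.last@' style address yields a
    candidate real name that can be searched for directly."""
    local = email.split("@", 1)[0]
    return [p for p in re.split(r"[._+-]", local) if p and not p.isdigit()]


def link_identities(records, max_gap_days=None):
    """Chain the three steps: cross-site handle reuse -> e-mails -> name hints."""
    report = {}
    for handle, sites in handles_on_multiple_sites(records, max_gap_days).items():
        emails = emails_for_handle(records, handle)
        report[handle] = {
            "sites": sites,
            "emails": emails,
            "name_hints": [name_hint(e) for e in emails],
        }
    return report


if __name__ == "__main__":
    print(earliest_mention(SAMPLE_RECORDS, "silk road"))
    print(link_identities(SAMPLE_RECORDS, max_gap_days=7))
```

The registration-window filter is what makes the handle collision meaningful: "altoid" on its own is a common enough word, but the same handle appearing on two unrelated sites within days, talking about the same thing, is a much stronger link than either post alone.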
This does seem plausible, so I almost don't think this is worth mentioning, but don't forget about "parallel construction".
Having the world believe they can't reverse Tor would clearly be more valuable than having the world believe they can. Remember that Tor explicitly doesn't protect against a global passive adversary.
1984 wasn't supposed to be a manual god damn it!
(This is how the main character was caught. He believed in an 'alternative' system. Much like how we like to pretend TOR is untouchable.)
That's what they want you to think, so they can snare you in their FBI-run honeypot...
All joking aside, I hope you're right, and that the next few SR alternative sites figure out how to get it right, and that Tor itself isn't fundamentally broken by the FBI.
Agreed - I'd like to think both this, and the Lavabit being coerced to hand over private SSL keys news elsewhere today, indicate that TOR and SSL are still "as secure as needed" against even targeted FBI attacks.
Unfortunately that all now needs to be viewed with the suspicion of "parallel reconstruction" - I'm somewhat less convinced that if the NSA targeted someone specific that SSL and TOR would resist their efforts (and that for something like Silk Road, that the NSA wouldn't happily break and read everything DPR did over his SSL secured TOR connections, and "share" just the right tidbits with the FBI for them to go and create a plausible explanation involving google searches and old forum posts).
Welcome to the post Snowden era - where we know that our governments not only don't have our best interests in mind, but have sophisticated programs in place to lie to us about how they arrive at the evidence they present (in those annoying occasions where they have to use courts who aren't just rubber-stamping everything they're told too).
(Edit: on reflection, it's kinda sad that this might well have been good detective work by diligent, talented, and persistent FBI investigators doing exactly what the taxpayer employs them to do - but that effort is now permanently under the dark cloud of suspicion of unconstitutional dragnet surveillance and morally corrupt processes like "parallel reconstruction".)
Exactly what I was thinking. The amount of work involved, despite some pretty horrendous slip-ups, implies TOR + basic common sense can be a pretty powerful thing.
In principle I agree with what you're saying, but I think it's harder than you realize to maintain basic common sense all the time. People do irrational things, all the time. Even the normal ones.
We don't know that any "parallel construction" is at work here. It seems like most of the information stemmed from the discovery of the Silk Road web server, and I haven't seen how they were able to determine that. If this goes to trial, then the FBI will have to say how it got that information (assuming he has a competent defense team).
That's the thing though. We know that as of very recently the NSA is helping other alphabet agencies construct cases in parallel. If you knew the guy's name or handle or whatever information the NSA could have given the FBI then coming up with an alternate story of how they ID'd the guy (page 24 onwards in the criminal complaint) would be incredibly easy. The point is that we'll probably never know either way.
True, and the next Silk Road owner will certainly take that point into account.
Obviously, the disappearance of such a site leaves a gaping hole on the Web:
Silk Road has proven that the demand/market is there, that people are willing to use the Web to acquire those goods, that they are willing to pay, that the whole transaction works and that this leads to a massive amount of cash.
So, make no mistake, the next Silk Road creator is certainly out there, probably technically more astute and careful, and already building.
> ...the next Silk Road creator is certainly out there, probably technically more astute and careful...
And almost as certainly: more experienced in the use of serious violence. The next guy won't be hiring hitters without introductions from fellow violent criminals. (Not that undercover cops have never been vouched for in such a manner, but it raises the stakes significantly.) Yay Drug War!
If they used parallel construction, then why didn't they list how they got the information about the location/IP of the Silk Road webserver? I would assume that they would have ParallelConstruction'd a reasonable way for them to have obtained that information, no?
You appear to be missing the point of parallel construction. The point is that they show a true, but-not-the-whole-truth "hand" (the parallel construction) while obscuring the full truth. That is, you spy on someone, and obtain a bunch of evidence, either illegally or that is fruit of the poisonous tree. From that knowledge, you construct a (fictitious or only partially fictitious, but plausible) story about how you gathered enough evidence to incriminate your victim, without revealing that you came across this evidence illegally. See http://en.wikipedia.org/wiki/Parallel_construction.
Yes, they are legally obligated to not lie about the true means of how they came to have the evidence. But if nobody can prove you're lying, they can't call you on it.
Few cases make it to trial, especially in the federal system. He's been charged with at least two capital-eligible charges. They'll offer to plead down to life in prison (or 100+ years, same difference) and he'll take it. We'll never see the government's full case.
Seems likely to me that NSA found the server and imaged it. FBI's job was pretty easy after that.
Someone asking for help on the bitcointalk forum for a new venture? Happens almost daily. Someone asking a question on SO about how to access Tor? Ditto.
You don't discover who "Dread Pirate Roberts" is from this. But you do discover these types of things pretty easily AFTER the NSA tells you who DPR is.
The Google searches give a hint at DPR's identity. They don't give you the location of the actual Silk Road server.
Obviously there's lots of ways that guessing DPR's identity might allow someone with the FBI's resources to unmask the Silk Road server, though I don't know enough to know whether the forum post on its own would be considered sufficient evidence for a warrant to bug all of Ross Ulbricht's online activities. A lot of the more damning evidence for Ross Ulbricht as DPR (IP logs, the connection to the counterfeit documents, hostname of his personal machine, etc) seems to come from forensics on the captured server image. Analysis of Tor traffic doesn't seem like an implausible hypothesis, especially because that's a capability we'd be expecting the FBI/NSA to be developing anyway.
> 3) Later in 2011 "altoid" made a post on bitcointalk with his email address, containing his real name, in it: https://bitcointalk.org/index.php?topic=47811.msg568744#msg5.... If you search the name on Google it doesn't show up, but if you look at the user's page you can see it in his posts.
It is definitely enough to have CBP flag any packages crossing the border that are associated with that name, for which no warrant is required. After that, well, I'm no lawyer, but I think intercepting a package full of fake IDs is enough to justify a broader criminal investigation.
What is the cut off for using pseudonyms on obtaining a warrant?
I assumed bitcointalk had a small member base when "altoid" joined. A quick look at their tables show 3,694 total new registered users through January 2011.
"altoid" registered on shroomery on January 27th 2011 and the "altoid" who revealed his name publicly registered on bitcointalk on January 29th 2011.
All it takes is just once. I saw a reddit comment that documented how one user determined the real-life identity of another user who was attempting to stay anonymous. The slip up? Two photos posted by the user under two different accounts shared the same background, and the user posted using both accounts in the same comment thread.
I dox'd a guy once knowing only the day that he earned his pilot license and the state he lived in. (FAA publishes a database that contains that info).
For me it was a first name (unusual) and two schools attended (this in the days when universities were much more liberal with posting their student directories).
Let's face it, at most one of your identities can be tied to your actual real-world activities. Otherwise people can find enough correlations to out you. Witness JK Rowling's new book.
JK Rowling's dox was a result of a member of the publishing house's solicitors telling his wife, who then told a close friend who provided the initial leak on twitter, which gave the newspaper breaking the story enough to go on to start drawing those conclusions.
The lesson is that your ability to remain anonymous drops in almost direct proportion to the quantity of content you make available.
A careful user might have a more-shallow slope; they might be able to post more photos, if they're carefully scrubbing EXIF and being mindful of spillage (unintentional details in the frame). But every single posted photo is still inexorably eating away at their potential to remain anonymous.
After publishing the first picture, you might have to throw away the camera... You never know how unique the fingerprint of the camera is. Might be very useful to crawl profiles to map photos and screen names.
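"Carefully scrubbing EXIF" two comments up means removing whole marker segments from the JPEG file, and the camera-fingerprint caveat in the comment directly above is exactly what such scrubbing does not touch. The following is an added example and not code from anyone in the thread: a small pure-Python JPEG segment walker that drops the APP1 (Exif and XMP) and APP13 (Photoshop/IPTC) segments and copies everything else through unchanged. It is run on a constructed minimal JPEG skeleton built inline (a JFIF header, an Exif segment holding an empty TIFF structure, placeholder tables, a frame header and two bytes of scan data; it is not a decodable photo), and `iter_segments`, `markers`, `has_exif` and `strip_metadata` are names chosen here.

```python
import struct

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
APP0, APP1, APP13 = 0xE0, 0xE1, 0xED
EXIF_HDR = b"Exif\x00\x00"
XMP_HDR = b"http://ns.adobe.com/xap/1.0/\x00"   # XMP also travels in APP1


def iter_segments(data):
    """Walk the marker segments of a JPEG up to and including SOS.
    Yields (marker, start, body, end): start is the offset of the 0xFF byte,
    body the first payload byte after the 2-byte length, end one past the segment."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        start = pos
        while data[pos] == 0xFF:            # skip fill bytes
            pos += 1
        marker = data[pos]
        pos += 1
        if marker == EOI or marker == 0x01 or 0xD0 <= marker <= 0xD7:
            yield marker, start, pos, pos   # stand-alone marker, no length field
            if marker == EOI:
                return
            continue
        (length,) = struct.unpack(">H", data[pos:pos + 2])
        end = pos + length
        yield marker, start, pos + 2, end
        if marker == SOS:                   # entropy-coded data follows; stop parsing
            return
        pos = end


def markers(data):
    """Marker bytes in file order, up to and including SOS."""
    return [m for m, _, _, _ in iter_segments(data)]


def has_exif(data):
    return any(m == APP1 and data[body:body + len(EXIF_HDR)] == EXIF_HDR
               for m, _, body, _ in iter_segments(data))


def strip_metadata(data, drop=(APP1, APP13)):
    """Return a copy with the metadata segments removed.
    APP1 carries Exif (camera make/model, GPS, timestamps, embedded thumbnail) and
    XMP; APP13 carries Photoshop/IPTC. APP0 (JFIF), the quantisation/Huffman
    tables and the scan data are kept byte-for-byte so the image still decodes."""
    out = bytearray(b"\xff\xd8")
    for marker, start, _, end in iter_segments(data):
        if marker in drop:
            continue
        out += data[start:end]
        if marker == SOS:
            out += data[end:]               # scan data through EOI, copied unchanged
            break
    return bytes(out)


def _segment(marker, payload):
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed minimal JPEG skeleton (not a real photo): JFIF header, an Exif APP1 segment
# wrapping an empty little-endian TIFF structure, a placeholder DQT, a 1x1 SOF0 frame
# header, an SOS header and two bytes of made-up scan data.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(APP0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(APP1, EXIF_HDR + b"II*\x00\x08\x00\x00\x00\x00\x00")
    + _segment(0xDB, bytes(65))
    + _segment(0xC0, b"\x08\x00\x01\x00\x01\x01\x01\x11\x00")
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34"
    + b"\xff\xd9"
)

if __name__ == "__main__":
    print([hex(m) for m in markers(SAMPLE_JPEG)], has_exif(SAMPLE_JPEG))
    clean = strip_metadata(SAMPLE_JPEG)
    print([hex(m) for m in markers(clean)], has_exif(clean))
```

Two caveats a practitioner would want stated. First, this only removes what lives in marker segments; the sensor-noise fingerprint the comment above worries about is in the pixel data, which this copies through untouched, so it survives any metadata scrub. Second, the Exif thumbnail is a frequent source of spillage (an edited or cropped photo can carry the original, uncropped frame inside its APP1), which is why the whole segment is dropped rather than individual tags being edited.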
It's funny, I so rarely browse reddit, but I somehow happened upon this story this week - I guess it came up in some kind of mega "what are you most ashamed of" thread or somesuch. Ultimately it was as GP described; a redditor researched one of the 'gone wild' big 'stars', pored through her history, ultimately found another reddit account with a selfie shot that had the same background as the 'gone wild' shot, so concluded they were the same or friends, researched back that history and ultimately found her real identity.
> I think most people underestimate the amount of boring and tedious chores they must do year after year if they want to conceal their identity from FBI who is actively searching them online.
Most people don't realize the government can have an army of people working 24/7 to track you down while you're busy trying to cover your tracks. The odds are never in your favor.
Also, having an active social media presence doesn't help either. lol
This should be common sense, but as you stated, people seem to forget. We have supposedly spent a trillion dollars on the war on drugs, it seems silly for this guy to think he didn't warrant at least a multi-million dollar investigation.
From the time the Silk Road sold its first product, it was only a matter of time before its owner went to prison. If he were as smart as he thought he was, he would have gotten out of the business and the country shortly after he became a millionaire.
If the FBI systematically performed traffic confirmation on the Tor network, this would be a rather sloppy sources and methods cover, as they would eventually be forced to disclose the existence of the traffic confirmation system.
If the servers' IPs were obtained as a result of a passive traffic confirmation system that breaks Tor's anonymity, I would expect a detailed parallel construction to demonstrate an alternate explanation for how they unmasked the servers.
Any defense attorney worth his salt is going to request the evidence relating to the method of de-anonymization of the Silk Road servers. If a traffic confirmation system was used, the prosecution would be forced to disclose that to the defense, which could very well raise a solid argument that it violated the defendant's Fourth Amendment rights.
My guess is that the FBI used the gmail account information and early public silk road advertisements to obtain a warrant from a friendly judge to remotely monitor DPR's computer, and waited until he connected to the server. It's also possible that they exploited the web server, as was the case with FreedomHost.
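The "traffic confirmation" this comment and the global-passive-adversary remarks earlier in the thread refer to is an end-to-end correlation: an observer who sees both the client's entry-side traffic and a candidate exit-side (or hidden-service-side) flow compares their timing and volume patterns, and Tor's design explicitly does not defend against it. The following is an added example and not the commenters' code or anything the thread attributes to the FBI or NSA: it bins packet arrival times into per-second counts, scores each candidate flow against the reference by Pearson correlation at a few lag offsets (the far end lags by circuit latency), and picks the best match. All flows are constructed inline from a seeded random generator; `bin_counts`, `pearson`, `best_match`, `make_bursty_flow`, `delayed_copy` and `demo` are names chosen here.

```python
import math
from random import Random


def bin_counts(timestamps, bin_width, n_bins):
    """Turn packet arrival times (seconds) into a per-bin packet count vector."""
    counts = [0] * n_bins
    for t in timestamps:
        i = int(t // bin_width)
        if 0 <= i < n_bins:
            counts[i] += 1
    return counts


def pearson(a, b):
    """Pearson correlation of two equal-length count vectors (0.0 if either is flat)."""
    n = len(a)
    mean_a, mean_b = sum(a) / n, sum(b) / n
    cov = sum((x - mean_a) * (y - mean_b) for x, y in zip(a, b))
    var_a = sum((x - mean_a) ** 2 for x in a)
    var_b = sum((y - mean_b) ** 2 for y in b)
    if var_a == 0 or var_b == 0:
        return 0.0
    return cov / math.sqrt(var_a * var_b)


def best_match(entry_flow, exit_flows, bin_width=1.0, n_bins=60, max_lag_bins=3):
    """Score each candidate far-side flow against the entry-side flow.
    The far side lags the entry side by the circuit's latency, so each candidate is
    tried at lags 0..max_lag_bins and its best score kept. Returns (winner, scores)."""
    ref = bin_counts(entry_flow, bin_width, n_bins)
    scores = {}
    for name, times in exit_flows.items():
        cand = bin_counts(times, bin_width, n_bins)
        best = -1.0
        for lag in range(max_lag_bins + 1):
            # compare entry bin i with candidate bin i+lag
            best = max(best, pearson(ref[:n_bins - lag], cand[lag:]))
        scores[name] = best
    winner = max(scores, key=scores.get)
    return winner, scores


def make_bursty_flow(rng, duration=60.0, n_bursts=6, burst_width=0.3):
    """Constructed traffic: a few bursts of 10-30 packets at random offsets, quiet otherwise."""
    times = []
    for _ in range(n_bursts):
        start = rng.uniform(0.0, duration - 1.0)
        times.extend(start + rng.uniform(0.0, burst_width)
                     for _ in range(rng.randint(10, 30)))
    return sorted(times)


def delayed_copy(rng, times, delay=0.2, keep=0.9):
    """What the far end of the same circuit sees: the same bursts shifted by latency,
    with a little jitter and a few packets lost."""
    return sorted(t + delay + rng.uniform(0.0, 0.05) for t in times if rng.random() < keep)


def demo():
    rng = Random(1)                           # fixed seed: constructed data is reproducible
    entry = make_bursty_flow(rng)
    candidates = {
        "exit_A": delayed_copy(rng, entry),   # the true other end of the circuit
        "exit_B": make_bursty_flow(rng),      # unrelated flows observed at the same time
        "exit_C": make_bursty_flow(rng),
    }
    return best_match(entry, candidates)


if __name__ == "__main__":
    winner, scores = demo()
    print(winner, {k: round(v, 3) for k, v in scores.items()})
```

The point the example makes concrete is the one the thread keeps circling: the attack needs nothing cryptographic, only simultaneous visibility of both ends plus enough traffic to correlate, which is why the question of who runs or taps the relays matters more than the strength of the encryption. Whether anything like this was used against Silk Road is not something the thread, or this example, can say.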
Even after they rumbled his name, I wonder if he could have avoided direct culpability by keeping his net connection three hops away from the source systems, and using forged identity docs for anything official (mobile wifi connection and visa debit card)?