The above guest poster is, I believe, responding to the news of the
Silk Road shutdown and arrest of someone alleged to be DPR. Plus, a
tweet sent out by Baneki Privacy Labs pointing out that...
(said information coming from a court document justifying probable cause for arrest - the "complaint" - attached; copy attached to bottom of this post)
There's some excellent questions in this list, and I'm going to see if I can add any value based on what is available currently - i.e. the court documents, mostly, as the reporting all seems to derive merely from the underlying documents themselves.
Guest wrote: Silk Road (SR) wasn't hosted at Freedom Hosting (FH). If it was, Dread Pirate Roberts (DPR) would have had a good belief that the entire site was compromised when FH went down.
Completely agreed - I know of no evidence suggesting SR was on FH or connected to it in technical infrastructure. The Baneki tweet above (which I submitted to Baneki's feed, via the current admin of that account, just to be clear) points out the
temporal concurrence here - and nothing more. What does it mean, that these two events were happening within a couple weeks of each other? We don't know yet. We don't know causal links, we don't know if there's "hidden variables" behind the scenes that are themselves causal determinants of the surface-level facts available for review thus far.
We also don't know if those dates are accurate, actually: the FBI agent
says that was the date they imaged the SR machine; did they have root on it for months beforehand? Did they have dom0 root on the FH machines for months? We don't know. We know the FBI
claims they imaged the machine a mere 9 days before FH went down with the arrest - and, remember, the FBI (or perhaps "FBI" at this point - because, seriously...) admits it had functional root on the FH machines for some time before the Thursday 1 August raid. That's important to keep in mind.
So we have a temporal congruence here, in which the "FBI" claims to have mysteriously gained full root access to the physical machines running Tor hidden services - without being noticed, mind you - in at least one case gaining a
full hard drive image of the running machine without triggering any IDS toolsets or other alarms on the machine. It seems highly probable - although not confirmed - that the same was true on FH.
That's quite a coincidence, given that - until July of 2013 - not many folks assumed it was a trivial operation to bust through Tor hidden services and find the underlying machines on which they were hosted. Indeed, lots of smart people were pretty damned sure that was
not possible - or, if possible, would require the resources and expertise of seriously heavy-hitting technical adversaries.
Not, need we point out, the FBI.
There are still so many questions about DPR that have not been answered:
1. How did they find the SR server/s?
Absolutely the big question I see at this point, per comment above. This is the big "hail mary" step, after all. And not only did they locate servers, but they got root (admittedly, that could be done - per Baneki's post above - with the assistance of the datacentre staff, but that's a delicate operation)... and did so unnoticed.
Anyone who thinks this is "easy" is welcome to share their ability to do this - I'll specify a hidden service address, and you tell me what server it's living on physically. Or, if someone says it's a "backdoor in Tor that the NSA - err 'FBI' is using," then please point to the code block in the current Tor build that includes the backdoor, and provide a walk-through of how it is called once in production.
Because, no, it's not easy.
2. The friendlychemist situation is bizarre. Did friendlychemist really hack someone or were they the vendor looking to make some extra $$$? If they did hack someone, how did they find the vendor? Was the vendor lucydrop who claimed to be hacked around the same time?
What if you have two vendors you are running as honeypots? You have one claim to have "hacked" the other - showing proof of it, to boot. This is designed to piss DPR the fuck off, and chivvy him into doing something rash, like threatening violence.
If you're trying to get to DPR, setting up honeypot vendors - who do deliver good stuff to customers, which the DEA has been doing for decades in undercover ops - is basically a given. To create a scheme in which one "hacks" another and threatens to expose customer details... that's a nice little bit of social engineering.
And then, guess who gets "referred" by FriendlyChemist as the "vendor" owed the money? R&W, which, as anyone will likely know, is a not-subtle reference to folks who would
NOT use such a name in such a situation. Ever. In a billion, billion years. But one might assume, if one were creating such a sting, that DPR - not being "of that world" - would not know that, and with a bit of Googling would think "oh, wow, I see, yeah that makes sense... now I understand." It's all put there on a plate, ready to be devoured by a hungry man. With hook carefully hidden inside.
Then you have the Canadians saying, "gee we don't have any record of the RL identity of FC, nor of a 'murder' in White Rock, nor of any of this...." because, yeah, it's all fictitious. Why would the U.S. Feds decide to locate their faux "murder" up here in coastal B.C.? Cleaner than doing it in the U.S., one supposes. Offshoring the honeypot, as it were. Also far less likely DPR is going to want to do anything real-life to be present, since he'd have to cross an international border and might be paranoid about doing so? Just thinking out loud on that.
What is 100%, totally clear is that R&W is a fake account. Which means FC, since he is claiming them as a "supplier" owed money, is by definition a fake account. Which means the "hack" is a setup, either done to another
real SR vendor (with that amazing FBI offensive cyberware capability that's just suddenly, astonishingly, appeared out of
thin air... no explanation offered; sigh) to feed fuel into the setup, or of another straw man honeypot vendor who has been collecting customer IDs all along.
If you take as axiomatic that R&W is fake - further evidence offered below - then the rest is, I believe, logically inevitable.
3. Why did he send the IDs directly to his house and why did those IDs have his own photo on them? Did DPR not know that fake IDs with his own picture are about as stupid as you can get on the darkweb?
Because he was lulled into a false sense of security by a well-run sting campaign. This, to be clear, is the domain of FBI expertise and I've no doubt they put this part together in-house and pulled it off beautifully.
If DPR buys the bait that R&W is who he will, inevitably, think it is - I'm not spelling it out, and please don't do so in this thread - then he's likely to let his guard down. This was not a "SR vendor" we're talking about here... not at all. Based on that reputation, and on the "hit" he's just successfully executed with them - he never hears from (the nonexistent, sham vendor) FriendlyChemist again, and concludes the hit must have been successful - he's going to be far more likely to trust in this deal.
So he decides to go for it, and get some "real" IDs with his photo, for use in serious circumstances. If you're gonna get those docs and trust they'll be done right, that's who you'd trust. Or so I hear.
The mailing address is a bit bizarre; I've no explanation for that. Just really lulled into security?
The cover story of the border agents "randomly" opening the package and finding the IDs is, screamingly obviously so, Parallel Construction in the wild:
thar she blows! There was nothing random about it, and DPR was (rightly) convinced the chances of a "random" search of a standard postal envelope going across that border - sent by who he thought was sending it, with their reputation and competence - were statistically close to zero.
He was right. But that wasn't who he thought it was, and the whole ID thing was a setup. Once he asked about getting IDs from R&W, he was done.
Indeed, looking back, could the ID setup have been the start? With that, they have his RL name and identity... and with that, they start tracing the threads back to servers. They find a server, they send in TAO... err "those amazing FBI offensive cyberspecialists that nobody has ever heard of but who magically appeared this summer during the NSA's Snowden battles" - root it, and sit there waiting to gather enough data to hang him and take the whole site down.
4. Why was DPR discussing fake IDs with redandwhite who was related to/could be friendlychemist who just blackmailed him?
Because he assumed he knew who was behind that screen name. And he assumed he'd just successfully ordered a "hit" through them, thus having proved their legitimacy and competence.
Further,
nobody would use that alias falsely - nobody with half a fucking brain. So, to someone inexperienced, that gives it a whiff of authenticity. It'd be like walking into a boxing gym and claiming to be Mike Tyson, or something - you are not going to like the results of falsely "fronting" that name.
5. How did Border patrol find the fake IDs with a routine search? Seems like the ID vendor was compromised and they knew what to look for or DPR was already being monitored.
Per above, ID vendor was a setup from Day One - as was the "hit." As was the "hack." By logical extrapolation from known data points.
6. The server was imaged in July but SR only kept messages and transactions for two months so how did they see the messages between DPR, friendlychemist, and redandwhite in March and April?
Because they rooted it earlier? After getting RL identification of DPR, via the fake "hit" and resulting "ID buy," in April. Once they rooted it, they'd have a back-facing window of 60 days' messages... thus enabling them to pull the PMs of the entire hit-for-hire shenanigan from the SR side, as well.
7. What information did the employee in the Maryland complaint have that DPR was so worried about? If they were arrested, as DPR believed, and could view all the messages on SR, why would he not think the site was already compromised?
I haven't read that complaint, yet - been poring line-by-line through the attached New York complaint: