Silk Road: Random is the New Normal (Update)

The arrest of Ross William Ulbricht sent shockwaves through the underground internet, even though most of us wouldn’t have the slightest clue that the crimes with which he’s charged ever happened.  He’s alleged to be the mastermind of Silk Road, an online drug marketplace that existed in the deep web.

The what?  Accessible only via the onion network of Tor, payable only with Bitcoin, covered with multiple layers of encryption, false transactions and bouncing from computer to computer around the world so that no IP address can be traced, Silk Road enabled people to buy and sell things without regulation or accountability, except within its own community. It was as wild as the web gets, and what was sold there was drugs.  That wasn’t exactly a secret.

What was a secret was who was Dread Pirate Roberts (DPR), the person behind it all.  The feds say DPR was Ulbricht, as explained in a Maryland indictment and a New York complaint, both well parsed by Ken at Popehat, who explains the allegations and the significance of the magic words used by the government, such as “upon training and experience,” which is the government’s way of saying, “just take my word for it.”  Ulbricht is accused of some bad crimes, and allegations of worse crimes are floated in there as well.

But what the accusatory instruments fail to reveal is how the government figured out that DPR was some guy named Ulbricht living in a room he rented for $1000 a month in San Francisco.  Dan Goodin at Ars Technica suggests that Ulbricht got sloppy and lazy:

What will get you in the end is sloppy opsec. Short for operations security, it encompasses a sprawling list of disciplines, including keeping PCs free of malware, encrypting e-mail and other communications, and placing an impenetrable firewall between public and personal identities.

Note the shorthand “opsec,” a fascinating example of the hacker adoption of military-like lingo to describe the functions of their digital world.  As set forth in the complaint, DPR left a “trail of bread crumbs” in posts and emails that connected Ulbricht to Silk Road.

The complaint reads as a cautionary tale about the asymmetrical challenge in staying truly anonymous on the Internet, even when government agents or other snoops don’t exploit obscure vulnerabilities or wield the massive surveillance apparatus of the National Security Agency. End users have to get it right every single time they go online without slipping up, even once. The FBI and even grassroots investigators with the time to look need only stay vigilant and wait to get lucky.

As Ken notes, the government has the luxury and funds to engage in massive, long-term investigations into anything that catches its interest.  So it’s true, certainly, that a slip-up in opsec may well be caught if the government is searching hard for you, and they were certainly searching hard for DPR.  But with the billions of bits of data the internet offers, even a slip-up in security will hide in plain sight unless someone knows what to look for and where to look.  Or “waits to get lucky.”

At Techdirt, Mike Masnick raises the question of “how lucky” the government was in finding Ulbricht.

At the beginning of the post, we mentioned the whole thing where the FBI was using malware to identify Tor users… but, of course, that doesn’t show up anywhere in the complaint. Instead, the big “breakthrough” was when a “random border search” by DHS turned up those fake identities intended for Ulbricht. However, as Parker Higgins notes, it seems like this could be a case of “parallel construction” whereby the hacking revealed those details, and DHS was then tipped off to check packages sent to Ulbricht, seeking to create “parallel construction” of evidence, in order to launder the fact that the FBI had hacked its way into identifying Tor users. After all, we’d just reported on how the FBI was actively trying to avoid revealing its hacking/malware powers to technologically sophisticated individuals.

Mike refers to what the complaint describes as a random seizure of a package from Canada addressed to Ulbricht that contained fake IDs.  Was it merely a random find, the sort of thing that just happens as the government checks international packages for untaxed sausage?  Did they get “lucky”?

While Goodin is apparently right about Ulbricht having left a trail behind, it seems unimaginable that the government would have found a breadcrumb bearing the name Ulbricht, or even if they had, connected the dots to the extent necessary, by the usual investigatory techniques.  It was just way, way too random in a sea of data far, far too large. While it was both findable and connectable backward, beginning with the name Ulbricht and then scrutinizing the web for all specks of dust he might have touched, the idea of the government stumbling across one such speck, and then realizing that it was more significant than the billion other specks, is absurdly far-fetched.

That the government uses parallel construction is neither new nor a secret. What does come as a surprise, however, is that the government has attained the level of sophistication necessary to break Tor, to identify the users behind the curtain, to track their virtual existence back to the real world, where people have names, live in rented apartments and can be arrested.

Has Tor been compromised?  Has the government broken the last bastion of technological anonymity? That would certainly be a secret the government would want to keep to itself, hidden behind claims of a lucky border search of one of millions of packages that happened to contain contraband and be addressed to a 29-year-old Texan who rented a room in Frisco.

Or would the government like people to believe it’s beaten Tor, and that there is no longer a haven for anonymity on the internet beyond its reach?  As much as the vagaries of the accusatory instrument suggest that the government may be lying through its teeth when it claims that it just got lucky, the questions are now raised. Chances that they’ll be answered, however, look mighty slim at the moment. And that’s good for the government either way.

Update and H/T: Rob Graham, who sent me an email last night and got me thinking about how the feds were so lucky to have stumbled into something as remarkably random as the package of fake IDs from Canada.

Rob’s written about this as well, though I think he might be a bit confused about the initiation of the investigation, the concealment of significant investigative methods by the use of parallel construction, and the purported epiphany that DPR is the Ross Ulbricht from Frisco. To bring the virtual world home, they needed a real warm body to connect to physical contraband to connect to the virtual Silk Road. It’s not that the package was the start of the investigation, but that it was critical because of an evidentiary gap that needed to be filled.


9 comments on “Silk Road: Random is the New Normal (Update)”

  1. pj_cryptostorm

    I believe we can deconstruct the extant technical details, already, and come up with a highly likely scenario for how this was broken (if you’d like to remove the link below, feel free to do so – it just seems silly to copy/paste the analysis into a comment form here):

    https://cryptostorm.org/viewtopic.php?f=14&p=5049#p5049

    tl;dr: it wasn’t poor OpSec, & it’s not a Tor break (although someone did some mighty fine offensive intrusion work server-side, without being noticed) – it was a sting, and a rather cleverly-constructed one at that. And yes, there’s oodles of Parallel Construction going on here.

    1. SHG Post author

      I’ve left the link in, as the technical perspective is quite interesting and you’re right, it makes no sense to copy it here. While I’m not sure some of the assumptions are valid, I’m disinclined toward such speculation. Even if it’s probable, improbable things also happen.

    2. Ultraviolet admin

      Oh this makes sense, when I heard about the hit I was thinking likely honeypot there, but didn’t think both vendors might be honeypots. I think that last big bust a few years ago had them operate as vendors at one point.

      Honestly, that email address might have been found ages ago and given them the idea this is the guy, but not given them enough to tie him. After that, it’s a matter of researching him, and setting traps for him.

      The Silk Road was always interesting to me as a concept, but the truth was anything like this gets high profile and will get massive resources invested. The more interesting thing will be how many suppliers will be caught. Many have been before by the simple tactic of buying via Silk Road and figuring out who shipped it. Or taking a drug-sniffing dog to a FedEx someplace like Fort Bragg, CA.

  2. jakee308

    I would guess Mr. Ulbricht was “ratted out”.
    The vast majority of crimes are solved not by diligent investigation (although that may be necessary to prove the case) but by inside information that at least points the way to further investigation.

    I wouldn’t pretend to know the percentage, but I would be willing to wager some money that, other than catching the criminal red-handed at the scene, over half of all crimes are solved by inside information. And I’m not talking about bystanders being interviewed by the police. I’m talking about crime partners flipping, spouses and GFs looking for revenge or out of fear, and plain old snitches hearing some casually mentioned details and passing them along.

    Two can keep a secret but only if one of them is dead. (and with forensic science being what it is these days, you can’t even count on that.)

  3. doug nusbaum

    Or you could just be stupid: Of the five items below, 4 were red flags out in the open that a Boy Scout would have found if he had spent a few days searching. And given a name and a real physical address, it is a sure bet that all mail going to that address, especially from out of the country, was being searched.

    [Ed. Note: Link deleted per rules.]

    Never assign to a conspiracy what can be described by stupidity.

    1. SHG Post author

      The problem with starting from the supposition that they were able to locate five needles in all the haystacks of the internet, and then work backwards, is that it fails to explain how they found the five needles in all the haystacks of the internet. More importantly, if they did, then they lied about the search of his package being a “random border search,” which is the point of parallel construction, that it’s a lie to conceal the truth of how they discovered his identity.

      Just because someone does some stupid things doesn’t mean there isn’t also a conspiracy.
