The arrest of Ross William Ulbricht sent shockwaves through the underground internet, even though most of us wouldn’t have the slightest clue that the crimes with which he’s charged ever happened. He’s alleged to be the mastermind of Silk Road, an online drug marketplace that existed in the deep web.
The what? Accessible only via Tor's onion network, payable only with Bitcoin, and covered by multiple layers of encryption, false transactions and traffic bounced from computer to computer around the world so that no IP address can be traced, Silk Road enabled people to buy and sell things without regulation or accountability, except within its own community. It was as wild as the web gets, and what was sold there was drugs. That wasn't exactly a secret.
What was a secret was the identity of Dread Pirate Roberts (DPR), the person behind it all. The feds say DPR was Ulbricht, as explained in a Maryland indictment and a New York complaint, both well parsed by Ken at Popehat, who explains the allegations and the significance of the magic words used by the government, such as "upon training and experience," which is the government's way of saying, "just take my word for it." Ulbricht is accused of some bad crimes, and allegations of worse crimes are floated in there as well.
But what the accusatory instruments fail to reveal is how the government figured out that DPR was some guy named Ulbricht living in a room he rented for $1000 a month in San Francisco. Dan Goodin at Ars Technica suggests that Ulbricht got sloppy and lazy:
What will get you in the end is sloppy opsec. Short for operations security, it encompasses a sprawling list of disciplines, including keeping PCs free of malware, encrypting e-mail and other communications, and placing an impenetrable firewall between public and personal identities.
Note the shorthand "opsec," a fascinating example of hackers adopting military-like lingo to describe the functions of their digital world. As set forth in the complaint, DPR left a "trail of bread crumbs" in posts and emails that connected Ulbricht to Silk Road.
The complaint reads as a cautionary tale about the asymmetrical challenge in staying truly anonymous on the Internet, even when government agents or other snoops don't exploit obscure vulnerabilities or wield the massive surveillance apparatus of the National Security Agency. End users have to get it right every single time they go online without slipping up, even once. The FBI and even grassroots investigators with the time to look need only stay vigilant and wait to get lucky.
As Ken notes, the government has the luxury and funds to engage in massive, long-term investigations into anything that catches its interest. So it's true, certainly, that a slip-up in opsec may well be caught if the government is searching hard for you, and they were certainly searching hard for DPR. But with the billions of bits of data the internet offers, even a slip-up in security will hide in plain sight unless someone knows what to look for and where to look. Or "waits to get lucky."
At Techdirt, Mike Masnick raises the question of “how lucky” the government was in finding Ulbricht.
At the beginning of the post, we mentioned the whole thing where the FBI was using malware to identify Tor users… but, of course, that doesn’t show up anywhere in the complaint. Instead, the big “breakthrough” was when a “random border search” by DHS turned up those fake identities intended for Ulbricht. However, as Parker Higgins notes, it seems like this could be a case of “parallel construction” whereby the hacking revealed those details, and DHS was then tipped off to check packages sent to Ulbricht, seeking to create “parallel construction” of evidence, in order to launder the fact that the FBI had hacked its way into identifying Tor users. After all, we’d just reported on how the FBI was actively trying to avoid revealing its hacking/malware powers to technologically sophisticated individuals.
Mike refers to what the complaint describes as a random seizure of a package from Canada addressed to Ulbricht that contained fake IDs. Was it merely a random find, the sort of thing that just happens as the government checks international packages for untaxed sausage? Did they get “lucky”?
While Goodin is apparently right about Ulbricht having left a trail behind, it seems unimaginable that the government would have found a breadcrumb bearing the name Ulbricht, or even if they had, connected the dots to the extent necessary, by the usual investigatory techniques. It was just way, way too random in a sea of data far, far too large. While it was both findable and connectable backward, beginning with the name Ulbricht and then scrutinizing the web for all specks of dust he might have touched, the idea of the government stumbling across one such speck, and then realizing that it was more significant than the billion other specks, is absurdly far-fetched.
That the government uses parallel construction is neither new nor a secret. What does come as a surprise, however, is that the government has attained the level of sophistication necessary to break Tor, to identify the users behind the curtain, to track their virtual existence back to the real world, where people have names, live in rented apartments and can be arrested.
Has Tor been compromised? Has the government broken the last bastion of technological anonymity? That would certainly be a secret the government would want to keep to itself, hidden behind claims of a lucky border search of one of millions of packages that happened to contain contraband and be addressed to a 29-year-old Texan who rented a room in Frisco.
Or would the government like people to believe it's beaten Tor, and that there is no longer a haven for anonymity on the internet beyond its reach? As much as the vagaries of the accusatory instrument suggest that the government may be lying through its teeth when it claims that it just got lucky, the questions are now raised. Chances that they'll be answered, however, look mighty slim at the moment. And that's good for the government either way.
Update and H/T: Rob Graham, who sent me an email last night and got me thinking about how the feds were so lucky to have stumbled into something as remarkably random as the package of fake IDs from Canada.
Rob’s written about this as well, though I think he might be a bit confused about the initiation of the investigation and the concealment of significant investigative methods by the use of parallel construction and the purported epiphany that DPR is the Ross Ulbricht from Frisco. Needing to bring the virtual world home, they needed a real warm body to connect to physical contraband to connect to the virtual Silk Road. It’s not that the package was the start of the investigation, but that it was critical because of an evidentiary gap that needed to be filled.