FBI version of finding Silk Road server: a lot like hacking

FBI version of finding Silk Road server: a lot like hacking

העמוד הפעיל בזמנו של אתר Silk Road

This post is also available in: heעברית (Hebrew)

Silk Road's formerly active webpage
Silk Road’s formerly active webpage

To hear the FBI tell it, tracking down the secret server behind the billion-dollar drug market known as the Silk Road was as easy as knocking on a door. The bureau’s latest court filing in the case describes how the hidden site accidentally revealed its location to anyone who visited its login page, thanks to a software misconfiguration.

The technical side of the security community, who have long tracked the dark web’s experiments in evading law enforcement, don’t buy that simple story. They read the FBI’s statement differently: as a carefully worded admission that it didn’t knock on the Silk Road’s door so much as hack its way in.

That account of the discovery alone doesn’t add up, says Runa Sandvik, a privacy researcher who has closely followed the Silk Road and worked for the Tor project at the time of the FBI’s discovery. “The way the FBI describe how they found the real IP address doesn’t make sense to anyone who knows a lot about Tor and how web application security works,” Sandvik says. “There’s definitely something missing here.”

iHLS Israel Homeland Security

“If the IP address of the Silk Road was in fact leaking on its login page, there’s little doubt the flaw would have been quickly spotted by others”, says Nik Cubrilovic, an Australian security consultant who has made a hobby of analyzing the Silk Road’s security since just after it launched in 2011. The bitcoin-based market, after all, received millions of visits, fascinated the security community, and represented a tempting target for hackers seeking to steal its cryptocurrency. “Were this the case, it would have been noticed not only by me, but the many other people who were also scrutinizing the Silk Road website,” Cubrilovic writes in a blog post.

As the trial of alleged Silk Road creator Ross Ulbricht approaches, his defense has focused on how the government initially discovered the Silk Road’s server in Iceland, in spite of the site using the anonymity software Tor to hide its physical location. In a motion filed last month, the defense argued that discovery may have represented a search without a warrant and an illegal violation of Ulbricht’s privacy. Then on Friday, the prosecution fired back with a memo claiming that the FBI’s investigation had been entirely legal.