The US government’s explanation of how it managed to discover the location of the servers hosting Silk Road, the infamous online black market, is being disputed by a number of security researchers.
Nik Cubrilovic says the explanation doesn’t ring true. For one, the Silk Road image CAPTCHA was served from the same server and the same hidden-service (.onion) address as the rest of the Silk Road website, he claims, and that co-hosting had already caused problems for Silk Road in the past.
“Since generating a CAPTCHA is resource intensive, there was a DoS attack against Silk Road which did nothing more than continuously request CAPTCHA images. The site was later modified to use cached versions of the CAPTCHA images, but these too were served from the same host and onion as the web application,” he explained, and says he has evidence to prove it, as he “spent a lot of time investigating and testing the security of Silk Road (for sport) and became familiar with both its architecture and operation over the entire duration that the first site was up.”
This was confirmed by privacy researcher and Tor developer Runa Sandvik, who also kept an eye on Silk Road over the years.
Secondly, the agents couldn’t have discovered the server’s IP address by just looking at packet captures produced by a sniffer, as they claimed.
“If you are observing a hidden site on Tor, it means you are routing all of your traffic in that session over the Tor network (using your local SOCKS or HTTP proxy server). Even in the hypothetical case where – for some unrealistic reason – the Silk Road hidden site was including an image on an external server by referencing its IP address or hostname, the agents would still observe this traffic as having come from Tor,” he explained.
“There is no magic way that the traffic from a real IP embedded within the HTML of a hidden service would find its way directly to a client without passing over the Tor network and through Tor nodes. Were this the case, it would be a huge vulnerability in Tor, as it would allow the administrator of a hidden site to uncover visitors by including an element that is served directly to the client over clearnet.”
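The point above is easy to check on one's own machine, and the following is an added example (not code from the article or from Cubrilovic): it pulls every external reference out of a hidden-service page, flags any that point at a clearnet IP literal or hostname, and then audits the connections a sniffer on the client would record. With a correctly proxied browser every connection goes to the local Tor SOCKS listener, so even a page that embeds an image by raw IP produces no direct connection to that IP. The page markup, the `.onion` hostname, the SOCKS address `127.0.0.1:9150` (Tor Browser's default) and the flow lists are all constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed local Tor SOCKS listener (Tor Browser default); adjust if using 9050.
TOR_SOCKS = ("127.0.0.1", 9150)


class _RefCollector(HTMLParser):
    """Collect every src/href attribute value from a page."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("src", "href") and value:
                self.refs.append(value)


def external_refs(html, page_host):
    """Return [(url, kind)] for each reference that would make a browser open a
    connection to something other than the page's own .onion host.
    kind is 'onion', 'ip-literal' or 'clearnet-host'."""
    parser = _RefCollector()
    parser.feed(html)
    found = []
    for ref in parser.refs:
        host = urlsplit(ref).hostname
        if not host or host == page_host:
            continue  # relative or same-host: served by the hidden service itself
        if host.endswith(".onion"):
            kind = "onion"
        elif re.fullmatch(r"\d{1,3}(?:\.\d{1,3}){3}", host):
            kind = "ip-literal"
        else:
            kind = "clearnet-host"
        found.append((ref, kind))
    return found


def audit_flows(flows, socks=TOR_SOCKS):
    """flows: (dst_ip, dst_port) pairs for the browser's outbound connections,
    as a sniffer or `ss -p` on the client would show them. Anything not going
    to the SOCKS listener is a connection that bypassed Tor."""
    return [flow for flow in flows if flow != socks]


# Constructed sample page: CAPTCHA served from the site's own host (as the
# article describes) plus a hypothetical tracking pixel referenced by raw IP
# (203.0.113.45 is an RFC 5737 documentation address).
PAGE_HOST = "examplehiddensvc.onion"
SAMPLE_PAGE = """
<form action="/login"><img src="/captcha/cached/1f3a.png"></form>
<img src="http://203.0.113.45/pixel.gif">
<a href="http://examplehiddensvc.onion/forum">forum</a>
"""

# Constructed flow lists: what a proxied browser produces for that page, and
# what a misconfigured (non-proxied) browser would produce instead.
PROXIED_FLOWS = [("127.0.0.1", 9150), ("127.0.0.1", 9150), ("127.0.0.1", 9150)]
BYPASS_FLOWS = [("127.0.0.1", 9150), ("203.0.113.45", 80)]

if __name__ == "__main__":
    print("external references:", external_refs(SAMPLE_PAGE, PAGE_HOST))
    print("proxied browser, flows bypassing Tor:", audit_flows(PROXIED_FLOWS))
    print("unproxied browser, flows bypassing Tor:", audit_flows(BYPASS_FLOWS))
```

The external IP-literal reference is visible in the HTML either way; what differs is the audit. Only the unproxied configuration produces a direct flow to `203.0.113.45`, which is the "huge vulnerability" the quote says does not exist in a properly routed Tor session.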
“A much more plausible explanation is that the FBI discovered a security exploit or information leak in the login page, in the same way a number of other people discovered similar security holes or information leaks in both the login page and the Silk Road application itself,” he suggests. “There is a history of users reporting such security exploits and information leaks in Silk Road on various forums.”
But why, you might ask, would the agent lie?
“In this scenario, the description of packet sniffers and ‘inspecting each packet’ is all a distraction from what the FBI really did. Technically, saying that a packet sniffer revealed the true IP address of the server is true – what isn’t mentioned is the packet sniffer was picking up responses from a request to the login page that was forcing it to spit out the IP address as part of a bug,” he says.
“The FBI have good reason to not mention any bugs or forcing the server to do anything, and to pretend that they simply picked up the IP address from the wire, since such actions would raise concerns about how lawful their actions in uncovering the IP address were.”
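What "a packet sniffer picking up responses that spit out the IP address" looks like in practice is a search of captured HTTP responses for address literals that do not belong to the local or private side of the capture. The following is an added example, not code from the article or from Cubrilovic: it scans raw HTTP responses (headers and body alike, since a leak can sit in a redirect `Location` header, an error page or an HTML comment) for IPv4 literals and discards the ranges that cannot be a hidden service's public origin. The three sample responses are constructed, and their addresses come from the RFC 5737 documentation ranges; nothing here reflects what Silk Road actually returned.

```python
import ipaddress
import re

# Ranges that cannot be a hidden service's public origin. A literal in one of
# these is noise from the capture itself (the SOCKS listener, a container
# network, link-local) rather than a leak.
_NOISE = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4",
)]

# Four dotted octets not embedded in a longer dotted run; the lookarounds stop
# "1.18.0.3.2" style version strings from yielding a false quad.
_IPV4 = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")


def candidate_ips(response_bytes):
    """Distinct IPv4 literals in a raw HTTP response, in order of first
    appearance, excluding noise ranges and malformed quads."""
    text = response_bytes.decode("latin-1")  # byte-preserving, never raises
    seen = []
    for literal in _IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(literal)
        except ValueError:
            continue  # e.g. 999.1.1.1 satisfies the regex but is not an address
        if literal in seen or any(addr in net for net in _NOISE):
            continue
        seen.append(literal)
    return seen


def leak_report(responses):
    """Map each (label, raw_response) pair to the candidate IPs it leaks."""
    return {label: candidate_ips(raw) for label, raw in responses}


# Constructed sample responses (documentation addresses stand in for a real
# origin). The second mimics a login handler that builds a redirect from the
# server's own address instead of its .onion name; the third an error page
# whose HTML comment names a backend.
SAMPLE_RESPONSES = [
    ("login page, healthy",
     b"HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n"
     b"<html><body><form action=\"/login\"><img src=\"/captcha.png\"></form></body></html>"),
    ("login page, leaky redirect",
     b"HTTP/1.1 302 Found\r\nServer: nginx/1.18.0\r\n"
     b"Location: http://203.0.113.45/login?err=1\r\n\r\n"),
    ("error page",
     b"HTTP/1.1 500 Internal Server Error\r\nContent-Type: text/html\r\n\r\n"
     b"<html><!-- upstream 198.51.100.7:8080 via 127.0.0.1 --><body>Error</body></html>"),
]

if __name__ == "__main__":
    for label, ips in leak_report(SAMPLE_RESPONSES).items():
        print(f"{label}: {ips or 'no candidate addresses'}")
```

Run against a real capture, every hit is only a candidate: the next step is to confirm it out of band (for instance by requesting the same path directly from that address and comparing the response), which is exactly the kind of "forcing the server to do something" that the quoted explanation avoids mentioning.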