Doubts cast over FBI 'leaky CAPTCHA' Silk Road rapture

Security bod says affidavit makes no sense, omitted exploitation works

Rather than a conspiracy involving NSA wiretaps, the FBI claims the downfall of Silk Road began with a leaky CAPTCHA.

Responding to a request for information from former kingpin Ross Ulbricht's defence lawyers, the Feds say the CAPTCHA left a trail from the Tor-protected Silk Road servers to the public internet. That revealed the location of the drug marketplace, which would otherwise have remained hidden behind Tor, according to an FBI affidavit.

FTI Consulting security man Christopher Tarbell revealed that in June last year, during his tenure with the US federal police agency, he found the CAPTCHA had leaked header information revealing the website's IP address.

"In order for the IP address of a computer to be fully hidden on Tor, however, the applications running on the computer must be properly configured for that purpose. Otherwise, the computer’s IP address may leak through the traffic sent from the computer," Tarbell said in the document [pdf].

"The IP address leak we discovered came from the Silk Road user login interface ... upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets.

"When I typed the Subject IP Address into an ordinary web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared [which] indicated that the Subject IP Address was the IP address of the Silk Road server, and that it was leaking because the computer code underlying the login interface was not properly configured at the time to work on Tor."

The CAPTCHA was the only source of non-Tor packets, but Ulbricht had struggled with the complexities of online anonymity, Tarbell claimed. The ex-FBI man said Ulbricht's computer revealed he had doused earlier IP-leaking spot fires, which had seen the website subjected to distributed denial of service (DDoS) attacks, and had migrated to new servers.

But security bod Nicholas Cubrilovic, who spent significant time probing Silk Road, doubted the bust was as simple as a borked CAPTCHA, on the grounds that the anti-spam generator was hosted on the Silk Road server itself, and alleged the affidavit omitted information about more direct application exploitation and fuzzing.

"Anybody with knowledge of Tor and hidden services would not be able to read that description and have a complete understanding of the process that the agents followed to do what they claim to have done," Cubrilovic said.

"Were the Silk Road site still live today, and in the same state it was as in back in June 2013 when the agents probed the server, you wouldn't be able to reproduce or recreate what the agents describe in the affidavit ... [the CAPTCHA] theory does not stand up to scrutiny because the Silk Road image CAPTCHA was hosted on the same server and at the same hidden URL as the Silk Road website.

"The idea that the CAPTCHA was being served from a live IP is unreasonable. Were this the case, it would have been noticed not only by me – but the many other people who were also scrutinizing the Silk Road website. Silk Road was one of the most scrutinized sites on the web, for white hats because it was an interesting challenge and for black hats since it hosted so many Bitcoin (with little legal implication if you managed to steal them)."

Moreover, even an externally hosted image would still be fetched over Tor, so a packet sniffer would be unable to detect Silk Road's IP address.

Cubrilovic claimed it was more likely the FBI found and exploited a security vulnerability or discovered an information leak in the Silk Road login page and application.

Those vulnerabilities, which revealed the public IP address and included a var_dump likely left over from inexperienced live debugging, had been made public on Stack Exchange; Cubrilovic suggested the FBI may have taken advantage of these errors to locate Silk Road.

"This would explain why the FBI included the statement about 'typing in miscellaneous entries into the username, password, and CAPTCHA fields', because they needed to enter an exploit command to prompt the server to either dump or produce the IP address variable."

"In this scenario, the description of packet sniffers and 'inspecting each packet' is all a distraction from what the FBI really did. Technically, saying that a packet sniffer revealed the true IP address of the server is true – what isn't mentioned is the packet sniffer was picking up responses from a request to the login page that was forcing it to spit out the IP address as part of a bug."
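Both accounts above agree on one thing: whatever a sniffer on the client side saw, a hidden service's own IP address can only surface in the application-layer content it returns, because the transport itself goes over Tor circuits. As an added example (this is not code from the article, from Tarbell's affidavit or from Cubrilovic), the Python script below does the check either account implies: it takes raw HTTP responses from a .onion site, pulls every IPv4 literal out of the headers and the body, and flags any that is neither a loopback/private address nor a known Tor relay. The responses, the "known relay" set and the var_dump-style body are constructed for the example, using RFC 5737 documentation addresses in place of real ones; for that reason the filter lists loopback and RFC 1918/link-local ranges explicitly instead of using ipaddress's is_global, which would treat documentation ranges as non-routable and hide the sample leak.

```python
import ipaddress
import re

# Candidate dotted-quad tokens; octet range is validated separately with ipaddress.
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")

# Constructed stand-in for the Tor consensus; a real check loads the relay list.
TOR_NODES = {"198.51.100.7", "198.51.100.8"}

# Address ranges that are never the public address of the hidden service.
IGNORED_NETS = [
    ipaddress.ip_network(n)
    for n in ("0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
              "172.16.0.0/12", "192.168.0.0/16")
]

# Constructed responses. 203.0.113.45 (RFC 5737) stands in for a real public address.
CLEAN_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "\r\n"
    '<html><body><form action="/login"><img src="/captcha.php"></form></body></html>'
)

# A debug header plus a var_dump($_SERVER) left in the login page body.
LEAKY_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: nginx\r\n"
    "Content-Type: text/html\r\n"
    "X-Debug-Host: 203.0.113.45\r\n"
    "\r\n"
    "<html><body>\n"
    "<pre>array(3) {\n"
    '  ["SERVER_ADDR"]=>\n  string(12) "203.0.113.45"\n'
    '  ["REMOTE_ADDR"]=>\n  string(9) "127.0.0.1"\n'
    '  ["HTTP_HOST"]=>\n  string(13) "example.onion"\n'
    "}</pre>\n"
    "</body></html>"
)


def split_response(raw: str):
    """Split a raw HTTP/1.1 response into (list of header lines, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    return head.split("\r\n"), body


def candidate_ipv4(text: str):
    """Syntactically valid IPv4 literals in text, first-seen order, no duplicates."""
    found = []
    for tok in IPV4_RE.findall(text):
        try:
            ipaddress.IPv4Address(tok)  # rejects octets above 255
        except ValueError:
            continue
        if tok not in found:
            found.append(tok)
    return found


def is_interesting(addr: str) -> bool:
    """True for an address that is neither local/private nor a known Tor relay."""
    ip = ipaddress.IPv4Address(addr)
    if any(ip in net for net in IGNORED_NETS):
        return False
    return addr not in TOR_NODES


def leaked_addresses(raw: str):
    """Return (where, header-name, address) for every suspicious address in a response."""
    headers, body = split_response(raw)
    findings = []
    for line in headers:
        for addr in candidate_ipv4(line):
            if is_interesting(addr):
                findings.append(("header", line.split(":", 1)[0], addr))
    for addr in candidate_ipv4(body):
        if is_interesting(addr):
            findings.append(("body", "", addr))
    return findings


if __name__ == "__main__":
    for name, resp in (("clean", CLEAN_RESPONSE), ("leaky", LEAKY_RESPONSE)):
        print(name, leaked_addresses(resp))
```

Run against the constructed leaky response, the script reports the same address twice: once from the X-Debug-Host header and once from the SERVER_ADDR entry in the dumped body, while the loopback REMOTE_ADDR is filtered out. That is exactly the kind of finding the affidavit's "headers of some of the packets reflected a certain IP address" could describe, and also the kind of thing a var_dump left in a login page would produce; the check itself cannot tell the two stories apart, which is Cubrilovic's point.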

He thanked security bods The Grugq and Harisec for research input, and called for the tech community to share any mirrors they had of Silk Road from 2013. ®
