From the declaration of FBI agent Christopher Tarbell, the method that the FBI used to obtain the Silk Road server's IPv4 address, and by extension the full nature of SR's mistakes is entirely unclear. This is important because I think that when the FBI uses exploitation techniques that would otherwise be illegal if it were not being done by them, they do a very poor job of describing it accurately in their declarations and affidavits. By the time it's read by a judge, the process is simplified to the point that it's unrecognizable.
Due to this lack of clarity, on Twitter I've now heard what happened variously described in the following different ways, all of which are vastly different from a technical standpoint:
1. View source
2. Packet sniffing
3. SQL injection
4. Database error
5. phpinfo() or SERVER_ADDR leak
I think that if it were really as easy as the agent makes it sound, it would have been found and pointed out a lot sooner, by someone other than the FBI. It's almost inconceivable to me that someone in the community wouldn't have alerted SR to the same elementary vulnerability, unless it were a temporary one. So something is definitely amiss. Or the FBI could be lying -- they're known to do that on occasion.
Now, here's how it's described in the declaration:
We simply were interacting with the website's user login interface, which was fully accessible to the public, by typing in miscellaneous entries into the username, password, and CAPTCHA fields contained in the interface. When we did so, the website sent back data to the computer we were using - specifically, the Silk Road homepage, when we used valid login credentials for undercover accounts we had on the site, or an error message, when we used any username, password, or CAPTCHA entry that was invalid.
Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the "Subject IP Address") was the only non-Tor source IP address reflected in the traffic we examined.
There's a very important footnote, which seems to suggest #2 (packet analysis, like one would do with tcpdump or Wireshark):
All communications on the Internet are broken up into "packets" when they are transmitted from one computer to another; the packets are reassembled when they reach the destination computer. Each packet contains, among other things, "header" information, analogous to the outside of a mailing envelope, which includes the IP addresses of the source and destination computers used to route the packet over the Internet.
If Tor and httpd were configured properly, the server's regular IP address never would have been leaked within the header information of any "packet". But based on my own reading, the technique could also plausibly be a veiled depiction of SQL injection. They reference making "miscellaneous entries" i.e. POST/GET requests (like a tool such as sqlmap might do) and "packets of data being sent back"... In this case input sanitization and escaping would've been relevant. So I think either of these two probabilities is the most likely, perhaps even a combination of the two.
But does Tarbell mean the HTTP header, Tor protocol or TCP/IP packet header? We don't know. weev asks "Where are the pcap files?" as that's the only thing that would settle this debate:
Right here Agent Tarball is claiming that he sent a GET request to a Tor hidden service and the Tor hidden service sent back a packet containing its true source address in the TCP header. This seems to me to be improbable, given how Tor and TCP work. It is very easy for a federal agent to claim something. It is several orders of magnitude more difficult to fake packet logs of network traffic which include a protocol as complex as Tor. I think the FBI needs to release these in a timely fashion to corroborate their claims here.
In the database error scenario, PHP error_reporting() would have to be on, and the MySQL database would need to be hosted on a second server so that its IP would be in the grant tables--there'd have to be a reason that it's not connecting on localhost.
The agent also notes that "IP address leaks were a recurring problem for [Ulbricht]". And this interesting post on /r/SilkRoad from a year ago suggests just such a devastating leak. Remember that IP leaks can happen through a variety of vectors, and across the full stack there are many approaches to deanonymizing a hidden service.
What do you think?
https://blog.ageispolis.net/speculating-fbi-silk-road-unmasking-technique/
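As an added illustration (not from the post above, the blog, or the FBI declaration), here is a defender-side check for the phpinfo()/SERVER_ADDR and database-error leak scenarios the post raises: it scans a hidden service's own HTTP responses, headers and body separately, for any IPv4 address that is not purely local. The sample responses are constructed, and the function names are my own.

```python
import ipaddress
import re
from typing import Dict, List, Tuple

# Constructed sample HTTP responses (not captured Silk Road traffic). They mimic the
# leak scenarios discussed above: a phpinfo()-style SERVER_ADDR row and a PHP/MySQL
# connection error that names a remote database host.
SAMPLE_RESPONSES: Dict[str, str] = {
    "clean": "HTTP/1.1 200 OK\r\nServer: nginx\r\n\r\n<html><body>Login</body></html>",
    "phpinfo": ("HTTP/1.1 200 OK\r\nServer: Apache\r\n\r\n"
                "<tr><td>SERVER_ADDR</td><td>203.0.113.45</td></tr>"
                "<tr><td>REMOTE_ADDR</td><td>127.0.0.1</td></tr>"),
    "db_error": ("HTTP/1.1 500 Internal Server Error\r\nX-Powered-By: PHP/5.3\r\n\r\n"
                 "Warning: mysql_connect(): Can't connect to MySQL server on "
                 "'198.51.100.7' (111) in /var/www/login.php on line 42"),
}

# A dotted quad that is not part of a longer dotted number (so "1.2.3.4.5" is skipped).
IPV4_RE = re.compile(r"(?<![\d.])(\d{1,3}(?:\.\d{1,3}){3})(?![\d.])")
RFC1918 = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_local_only(ip: ipaddress.IPv4Address) -> bool:
    """True for addresses that cannot identify the host on the public Internet."""
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_reserved or ip.is_unspecified:
        return True
    return any(ip in net for net in RFC1918)

def routable_ipv4s(text: str) -> List[str]:
    """Return unique, routable-looking IPv4 addresses found in text, in order of appearance."""
    found: List[str] = []
    for m in IPV4_RE.finditer(text):
        try:
            ip = ipaddress.IPv4Address(m.group(1))
        except ipaddress.AddressValueError:
            continue  # an octet above 255, e.g. a version string like 1.2.3.999
        if not is_local_only(ip) and str(ip) not in found:
            found.append(str(ip))
    return found

def audit_response(raw: str) -> List[Tuple[str, str]]:
    """Scan headers and body separately; return (location, ip) pairs for every exposure."""
    head, _, body = raw.partition("\r\n\r\n")
    leaks: List[Tuple[str, str]] = []
    for line in head.split("\r\n")[1:]:       # skip the status line
        name = line.partition(":")[0].strip().lower()
        leaks += [("header:" + name, ip) for ip in routable_ipv4s(line)]
    leaks += [("body", ip) for ip in routable_ipv4s(body)]
    return leaks

def audit_all(samples: Dict[str, str] = SAMPLE_RESPONSES) -> Dict[str, List[Tuple[str, str]]]:
    """Audit every sample; an empty list means no routable IPv4 address was exposed."""
    return {name: audit_response(raw) for name, raw in samples.items()}
```

Run it against real responses fetched from your own hidden service over Tor; a version string with four dotted numbers (e.g. 5.3.2.1) will show up as a false positive and should be reviewed by hand.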
Great to see I'm not the only one skeptical of the FBI's statements. Though I know little about the subject matter, it is hard to believe indeed that they would give away their actual methods for everyone to see. Clearly it would harm 'national interests...' Someone needs to help the defense see the vagueness in these claims, if they haven't already.