Did Stack Exchange staff members assist in the apprehension of Ross Ulbricht? (stackoverflow.com)
68 points by codezero on Oct 6, 2013 | 46 comments



Can we please not get distracted by police investigating criminal activity, acting within the bounds of individualized, specific suspicion of a crime, and keep things concentrated on warrantless wiretapping and wholesale surveillance?


The question (probably unanswerable) that fascinates me is: Did the authorities find DPR by analyzing Tor network traffic, or by some other means? The Tor network being ineffective has wide-reaching ramifications.

I know the evidence has been presented to make us think they found him via a series of mistakes, but the existence of parallel construction makes me question everything.


It looks like the government needs major surgery.

Why don't we deal with the widespread corruption and overreach of power on all levels, from blue-clad street thugs, through federal prosecutors who see nothing wrong with pre-trial asset forfeiture, all the way up to and including the military-surveillance complex?


This just in: absolutely no strangers (save statistically insignificant outliers like Nacchio) will go to jail to protect your data during a police investigation - nor should they.

Plan accordingly.


So on one hand, we have the execution of a warrant or subpoena that is narrowly written, specific and reasonable, based on probable cause, and signed by a judge.

On the other hand, we have recently seen much greater evidence about the wholesale surveillance of society under secret law and apparently not accountable in any practical sense to oversight.

The first is normal and appropriate and well within the bounds of civil liberties guaranteed by Fourth Amendment. The second is highly problematic - but one doesn't necessarily lead to the other. Our civil liberties and civil rights have always been subject to appropriate exceptions. The problem is when those exceptions become so broad as to render the freedoms ineffective, not that they exist at all.


Unfortunately the Dunning-Krugerrand crowd seem determined to try to conflate what seems to be a fairly legitimate piece of police work[1] with the Orwellian surveillance state.

[1] Well, obviously one can disagree about the criminalisation of recreational drugs, but they are, so the cops are working within their brief.


While that remains a particularly amazing insult, perhaps it is in fact you who have conflated libertarians with minarchists?

Not all of us, gold/bitcoin stash or no, accept that police are a necessary part of society.

Given that one part of society (the state) has historically demonstrated that it will expand to fill any and all available opportunities to exert destructive power over others, it doesn't make much sense to grant them a monopoly on the opportunity to use violence to uphold the law.

Laws, we need. Cops, we don't. The NSA has nothing to do with it.

TL;DR: Fuck the police.


Some press on this case implies that the FBI found this person from his activity on our site. I can't disprove that, but it is much more likely that they found him through other means, and then tracked his activity on various sites to build enough evidence for an arrest, indictment, etc.

Anyone care to speculate how they found him?


It's hard to know the entire timeline of their investigation, but from how they describe it, the first lead they got was the username "altoid" posting what is apparently one of the first advertisements for Silk Road on a drug forum in January 2011, and then 2 days afterwards, an "altoid" posted on Bitcointalk looking for an IT pro to contact him at rossulbricht@gmail.com.

They implied this was the first thing they did. The interception of the fake IDs may have occurred before or after he was already under heavy suspicion of being Dread Pirate Roberts. I also believe there was some discussion that the fake IDs might've actually been sent by an undercover agent.

Either way, I think it's very likely that they already had the idea that Ross Ulbricht == DPR before finding his Stack Overflow post.


Regarding the mailing of fake IDs and other stuff, I heard so many media accounts of Silk Road in the last week or so, and I really didn't understand this part: why bother to go through the trouble of all that crypto and anonymizing if in the end you are going to use your real street address?

I thought this part was the dumbest aspect of the whole arrangement, but then I heard about posting on Stack Overflow to get your bugs fixed, and "contact me at rossulbricht@gmail.com kthxbye", and I begin to think that "criminal mastermind" is not exactly an apt description of this guy. I find it hard to contain my laughter at this.


He was living with people I think he found on craigslist, and gave them a fake name, so I guess he thought he could disappear from there at any time. He would've been nailed going to a drop anyway; they would have just waited for him.

Why did he even need the fake IDs? They claimed it was to rent servers, which makes zero sense; I've never been asked for ID when renting dedicated servers, they just ask for money. PRQ certainly doesn't ask for anything except an email address and payment.

I guess he didn't read that story about the secret service running a sting operation for years posing as an ID vendor on fraud forums.


> why bother to go through the trouble of all that crypto and anonymizing if in the end you are going to use your real street address?

I would have thought the server seizure demonstrated exactly why you would go to this bother: when you encrypt your address to the seller's public key, and send the encrypted address rather than the plaintext address, now all the FBI gets is an encrypted message they can't read. And the Tor connections mean that they can't look up your IP in the logs, and so on and so forth.


> when you encrypt your address to the seller's public key, and send the encrypted address rather than the plaintext address, now all the FBI gets is an encrypted message they can't read.

And how can I trust that the seller isn't an FBI agent? Still seems kind of risky. Even if they aren't an FBI agent, they're going to decrypt the address, and who knows what they'll do with it in plaintext? For one, they will write it on an envelope, leaving open the potential for exactly what happened with the fake IDs.

If not these scenarios involving law enforcement, there's also the risk that the seller, who has my address, will extort me for cash or whatever.


You can't trust that the seller isn't an FBI agent, nor that they'll delete your address, nor that they won't extort you, but as a basic matter of fact, the seller isn't an FBI agent and hasn't held onto your address (whatever good that would do), nor will they extort you. There are thousands of sellers over time on SR, and how many turned out to be FBI agents busting a buyer? So far, it seems like maybe 1, and that was personally targeting DPR/SR staff and not any other buyers. There have been a handful of address leaks, with minimal consequences. Extortion was so rare I can't think of any examples.

And it may seem risky, but that doesn't matter: we have the numbers. We have the statistics. The FBI has kindly told us exact numbers based on the SR database they seized. You can calculate the risk pretty easily. Take the number of sellers and/or transactions, get an estimate of number of buyers busted (for example, count instances in http://www.gwern.net/Silk%20Road#safe ), divide. This is like worrying that flying on an airliner might be really risky since the plane could fall out of the sky or be hijacked - certainly, but the worry is wrong, and you can go to faa.gov and look up the exact numbers and see for yourself how risky flying on an airplane is.


I don't think it's wrong to say that reliance on street addresses and USPS is a weak link in the system. I'll repeat it, maybe phrased a little differently: PGP; Tor; Bitcoin. This is all really good stuff to cover your tracks. Writing a street address on an envelope, and sticking it in a mailbox? It sounds absurd compared to what you are doing to protect yourself on the digital side.

And it seems that I am not the only one who sees something there, as according to media reports DPR himself was extorted over the question of revealing the street addresses of users.

You're probably right that the average Joe doesn't have to worry. But for specific individuals like DPR, they should know that being involved in facilitating a large number of illegal transactions, there is much more likelihood that they specifically will be targeted by law enforcement. I would expect then that they would do more to guard access to their address.

(Even if most people are OK, that doesn't mean it's not still a weakness. In the days before SSH became common, I used to log in over telnet all the time and never once to my knowledge got compromised. I suspect many had the same experience. Does that mean I was safe? Of course not.)


> Writing a street address on an envelope, and sticking it in a mailbox? It sounds absurd compared to what you are doing to protect yourself on the digital side.

I agree, it does sound absurd. And yet...

> And it seems that I am not the only one who sees something there, as according to media reports DPR himself was extorted over the question of revealing the street addresses of users.

DPR was worried (assuming, as usual, that the indictments are reasonably accurate here and their lies, omissions, and insinuations affect only other things) about the reputation of SR as a whole: SR as a viable business was being held hostage. This is not something relevant to an individual buyer being blackmailed one on one, which was the scenario you were asking about.

> But for specific individuals like DPR, they should know that being involved in facilitating a large number of illegal transactions, there is much more likelihood that they specifically will be targeted by law enforcement. I would expect then that they would do more to guard access to their address.

Yep. The ID stuff was remarkably careless. We don't know that it was fatal - I personally suspect the Australia wire transfer may have revealed everything - but it obviously could have been.


The Silk Road and similar protect the seller. There is just no way to protect the buyer: you are buying a physical product and at some point have to take physical possession of it; there is no way to avoid this.

Just as with buying drugs face to face, you have to trust that the dealer is not malicious. Is there a risk? Definitely. But just as in the real world, law enforcement have little interest in wasting their time on buyers.


No way to avoid this, so we might as well just send everything via USPS to your front door? Sounds like a bit of a copout.

It seems to me if you go out of your way to hide your identity you should, um, hide your identity. That would mean not trusting the post office just as you would not trust a sniffable network. Arrange a drop in a public place or some such. (Or do I see too many movies?)


This is harder than you think, especially with mail.


The NSA et al. know everything. It's just a matter of whether they can figure it out again using legal investigative techniques. I imagine it like the solutions in the back of a math textbook. I'm given the answer but I won't get credit for answering them correctly unless I can actually list every step in deriving the solution. See the recent news stories on NSA-DEA parallel reconstruction.

Specifically to your question, I'd guess they run a large number of Tor exit nodes and from there it was fairly simple to see exactly who was doing what.

Also it's come out recently in the Guardian, the NSA can backdoor machines through special servers running man-in-the-middle attacks.

Basically, the Internet (and planet Earth too) is not secure, so trying to pull off a large-scale crime is kind of foolish.


>The NSA et al. know everything.

Parallel construction doesn't actually imply that the NSA is omniscient and that the entire rest of the American justice system is a charade meant to mask its power from the muggles. The NSA doesn't know everything. They don't see everything. They don't whisper words of power into the ears of every prosecutor, and a dark man smoking a cigarette doesn't appear from out of the shadows with fabricated evidence for the Department of Justice and a dossier from ten minutes into the future every time a hacker opens their browser.

It gets mentioned every time a post comes up involving court case or arrest, and it's quite honestly as useless a form of speculation as suggesting divine intervention as a first cause in science. Assuming too much power on the part of the NSA (and by extension, that no other methods used by any other bureau or department are effective except as a smokescreen) is as dangerous as dismissing them entirely.


My 'know everything' comment was a slight exaggeration for effect. I didn't say they fabricate evidence (you said that) or that they divulge their secrets to every prosecutor (those are your words, portrayed as mine).

You have a good point though that maybe my comment is not constructive. I don't wish for this to become a cliche response on HN that it 'must have been the NSA', but we must acknowledge that they possess powers of surveillance the world has never before seen (except if you believe in God... however, we actually have architecture diagrams and proof of the NSA technology... not just 'The Book of Edward').

But yeah, it's dangerous to dismiss the NSA entirely and dangerous to make it a given they're more powerful than they are. However, given their secrecy, that's all a fairly expected situation for us.


Fair enough, I admit I was extrapolating from a number of comments I've seen, and I shouldn't have implied things in your comment that, you're right, weren't there.


If this were true, that the NSA knows all, 50% of all murders wouldn't go unsolved in Detroit.


Low value victims and criminals?

It's awful to say, but do you think a murder in Detroit gets the same attention this guy or Snowden does/did?


Arstechnica has a good writeup:

http://arstechnica.com/security/2013/10/silk-road-mastermind...

From that account, it looks like the key break was likely that the first alias to promote Silk Road (altoid) was at one later point also linked to a real-name gmail address (rossulbricht@gmail).

Even if that association was brief, plenty of people (and even law enforcement researchers) are likely scraping/archiving or email-subscribed to the bitcoin forum where the association appeared. The same goes for 'tor' forums or tags elsewhere... so an actual law-enforcement approach to StackOverflow/Bitcointalk/Gmail/etc may not have even been necessary.

(OTOH, Bitcointalk.org is currently down after an attack that may have resulted in the leak of username/hashed-password/email records. User altoid's email address there could have been obtained by law enforcement, by subpoena or hack, and also pointed towards Ulbricht.)


It has been reported in many places that Canadian authorities intercepted a package to him containing several fake IDs with his face on them and passed that along to US authorities. I imagine he was under serious scrutiny after that happened (this may be sourced from the complaint against him, but I haven't personally read the complaint).


The criminal complaint[1] mentioned the FBI searching for the earliest mention of Silk Road. The earliest they found was a user called 'altoid' advertising it in two separate places (including bitcointalk) around the same time. Later, 'altoid' posted a second time on bitcointalk searching for an "IT Pro" and publicly listed the email address "rossulbricht@gmail.com" as the contact info for the gig. This was also the email address he used to register his Stack Overflow account.

[1]: http://www1.icsi.berkeley.edu/~nweaver/UlbrichtCriminalCompl...


A critical hint might be that the code example that DPR used in his StackOverflow post was found on the seized SilkRoad server(s). They might have just googled that, found DPR's post and then asked StackOverflow for the data on that user.

I do not know why any judge would issue one of those searches + gag included orders based on a random code fragment, but then of course I know that judges just robosign these things from the FBI turned intelligence agency.


He's alleged to have paid to have someone tortured to death after they were arrested, on the off-chance that the person might have talked to police (the $80,000 murder). Not because the person talked, but because the person had been arrested.

I don't know about you, but I'm pretty sure any half-decent cop would be using the logs of that conversation to convert that person into a witness.


Since you're asking for speculation ... between FH, Atlantis and SR all going down so quickly, I would guess that TOR is compromised in some way (regardless of what the complaint says). IMHO, the probability that this case was cracked by a random CBP seizure is 0.


Atlantis market disappeared probably because they didn't make any money and the risk didn't equal the reward; they claimed agents were messaging them looking to find informants, but it's likely they just scammed all their users out of a lot of escrow coins and disappeared.

Freedom Hosting was likely a NSA op to get a hold of tormail.org messages and history because Snowden was either using it or emailing somebody using it. The FBI will use parallel construction to cover that one.

SR, I suspect they simply watched him sitting at cafes and libraries and logging into his virtual cartel. There were also numerous people who had discovered leakage and were able to find the server, many of whom ended up working for DPR. Either way it wasn't set up very well; who knows, maybe the FBI uploaded spyware.js as an image while posting a new order, or broke through the php5-mysql plugin. I'm sure they will discover that half his inner circle of close associates were informants too; maybe they leaked the address. Remember he once put out applications for database administrators; you can guarantee dozens of agents signed up for the job.


And how strongly do you believe your speculation? I think you are completely wrong, so I'm curious. What do you place the odds at that sites similar to Atlantis and SR (namely sheep and bmr) will go down by the end of the year?


This happens very, very rarely. I have more than enough fingers to count the times this has occurred since I started working here a year and a half ago. I wouldn't need a single toe, and I'm pretty sure I wouldn't need both hands.

I'm not sure that I would call multiple times a year "very, very rarely".


For a site that large and well-visited, with almost entirely user-generated content, all of which are on technical problems many of which could involve illegal activity?

I'd agree that that's very, very rarely.


I'm not sure that I would call multiple times a year "very, very rarely".

Every service loves to use their total number of members and say that requests are very rare--relative to their number of users.

But honestly, I'm not sure what they could have done; if the FBI comes in with a legal request for a specific user's data, what are your options?


It's interesting to note from page 30 of the criminal complaint that StackOverflow was able to record "Ulbricht [changing] his registration email [...] to 'frosty@frosty.com'".

Why do sites like StackOverflow keep audit logs of your account information?


Among other reasons, to stop spammers and trolls from evading their bans/restrictions.


More likely historical database backups


Actually, it's almost certainly as the other person stated - for administrative moderation purposes. There is no other purpose to maintaining historical backups of this sort of data. Especially not when that costs money.

When I built a site that existed for a very long time, was very popular, and involved monetary transactions, I had to track nearly everything. IP addresses, address changes, email changes. Everything I could think of. This was then utilized when I suspected someone of fraudulent behavior. I could pull up an administrative screen that compared data in an archive copy (where I dumped the older information for just this purpose and to specifically keep it inaccessible to the outside world for user security purposes). With that, I could see whether several users were actually the SAME user. I even tracked things like user-agent string and detected screen resolution.

A lot of pieces of data can come together to provide more than circumstantial evidence that someone is shilling, trying to feedback-bomb another user, and so on. Enough correlated points of data can confirm suspicions like this. You'd be surprised how many people use an email address for one account, change that address, then create a second account with the email address they used to have on the first account and then use the second address to drive up the value of their stuff by shill-bidding against another user on their own item.


Don't forget user support. It's not all that uncommon for someone to forget their account, lose a password, or an email address. Circumstantial evidence can support ownership of the account, and let us fix things for them.

There are also errors on our end like account merge bugs, moderation mistakes, dropped/flagged/whatever recovery emails, and so on. Keeping additional historical data can help us recover in those cases.

If you're smart about what you track it's not that much data; we record most changes to user records into a history table (likewise, and for the same reasons on post records). Keeping traffic logs around and queryable forever would be really, really expensive though. We keep some around, but only really recent stuff is easy to query (about 2 days) since that tends to be what's needed when reproducing bugs. I don't even think we have all traffic history, and old stuff would require digging a tape out (if we even move those to tape like we do with DB backups, I honestly don't know; it's never come up).

Moderation is a good reason to keep lots of data around, you're right, but it's not the only one.

Disclaimer: Stack Exchange, Inc. employee.
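The two comments above (the fraud-site operator's account correlation and the Stack Exchange employee's "history table" for user-record changes) describe the same moderation mechanism. The following is an added, constructed illustration of it, not Stack Exchange's schema or code: an SQLite `users` table whose email changes are written to a `user_history` table by database triggers (so nothing depends on application code remembering to log), plus the two queries a moderator would actually run: the full email history of one account, and every other account that has ever shared one of its addresses (the "change the address, then re-register the old one" pattern). Table, view and function names, and the sample accounts, are all assumptions made for the example.

```python
import sqlite3

# Constructed example schema. The history table is append-only and filled by
# triggers; column_name lets the same table hold changes to other fields later.
SCHEMA = """
CREATE TABLE users (
    id           INTEGER PRIMARY KEY,
    email        TEXT NOT NULL,
    display_name TEXT
);

CREATE TABLE user_history (
    id          INTEGER PRIMARY KEY AUTOINCREMENT,
    user_id     INTEGER NOT NULL REFERENCES users(id),
    column_name TEXT NOT NULL,   -- which field changed ('email' in this example)
    old_value   TEXT,            -- NULL on account creation
    new_value   TEXT,
    changed_at  TEXT NOT NULL    -- UTC timestamp, ISO 8601
);
CREATE INDEX user_history_user ON user_history(user_id, column_name);

-- Record the email an account was created with.
CREATE TRIGGER users_insert_audit AFTER INSERT ON users
BEGIN
    INSERT INTO user_history (user_id, column_name, old_value, new_value, changed_at)
    VALUES (NEW.id, 'email', NULL, NEW.email, strftime('%Y-%m-%dT%H:%M:%SZ', 'now'));
END;

-- Record every real change of the email column; a no-op update writes nothing.
CREATE TRIGGER users_email_audit AFTER UPDATE OF email ON users
WHEN OLD.email IS NOT NEW.email
BEGIN
    INSERT INTO user_history (user_id, column_name, old_value, new_value, changed_at)
    VALUES (NEW.id, 'email', OLD.email, NEW.email, strftime('%Y-%m-%dT%H:%M:%SZ', 'now'));
END;

-- Every email value an account has ever been associated with, past or present.
CREATE VIEW email_values AS
    SELECT user_id, new_value AS email FROM user_history
     WHERE column_name = 'email' AND new_value IS NOT NULL
    UNION
    SELECT user_id, old_value AS email FROM user_history
     WHERE column_name = 'email' AND old_value IS NOT NULL;
"""


def open_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def create_user(conn, user_id, email, display_name):
    with conn:  # commits on success; the insert trigger writes the first history row
        conn.execute("INSERT INTO users (id, email, display_name) VALUES (?, ?, ?)",
                     (user_id, email, display_name))


def change_email(conn, user_id, new_email):
    with conn:  # the update trigger records (old, new) only if the value changed
        conn.execute("UPDATE users SET email = ? WHERE id = ?", (new_email, user_id))


def email_history(conn, user_id):
    """(old, new) pairs in the order they happened; the first pair has old=None."""
    return conn.execute(
        "SELECT old_value, new_value FROM user_history "
        "WHERE user_id = ? AND column_name = 'email' ORDER BY id",
        (user_id,)).fetchall()


def accounts_that_ever_used(conn, email):
    """All account ids that held this address at any time, not just right now."""
    rows = conn.execute(
        "SELECT DISTINCT user_id FROM email_values WHERE email = ? ORDER BY user_id",
        (email,)).fetchall()
    return [r[0] for r in rows]


def linked_accounts(conn, user_id):
    """Other accounts that share at least one historical email with this one."""
    rows = conn.execute("""
        SELECT DISTINCT b.user_id
          FROM email_values a JOIN email_values b ON a.email = b.email
         WHERE a.user_id = ? AND b.user_id <> a.user_id
         ORDER BY b.user_id""", (user_id,)).fetchall()
    return [r[0] for r in rows]


def build_demo() -> sqlite3.Connection:
    """Constructed sample data: user 1 abandons an address, user 2 re-registers it."""
    conn = open_db()
    create_user(conn, 1, "alice@example.com", "alice")
    change_email(conn, 1, "alice2@example.com")
    create_user(conn, 2, "alice@example.com", "totally-not-alice")
    create_user(conn, 3, "carol@example.com", "carol")
    return conn


if __name__ == "__main__":
    db = build_demo()
    print("history of user 1:", email_history(db, 1))
    print("accounts linked to user 1:", linked_accounts(db, 1))
```

Putting the audit in triggers rather than in each code path is the design choice that makes the record trustworthy for moderation: an account-merge bug or a hand-edited row still leaves a trail. The same property is why, as the complaint excerpt above shows, such a table answers a lawful request for an account's past registration email just as readily, so what goes into it and for how long is a retention decision, not only a storage cost.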


"This happens very, very rarely. I have more than enough fingers to count the times this has occurred since I started working here a year and a half ago. I wouldn't need a single toe, and I'm pretty sure I wouldn't need both hands."

Pfft, he's counting in ternary.


Almost as contrived as the crap all over Quora.


Not sure I agree or get your point. Seems like he's doing the best he can to explain what happened without being taken to a secret prison.

My guess is they've gotten one request from the NSA ('give us all your data for everyone... otherwise we will just tap into your fiber lines at ISPs') and one from the FBI ('we are doing some parallel re-construction and it says here we have a warrant for a user by the name of Frosty').

I'm just surprised an admin on the site didn't close the Q&A as non-constructive and speculative :)


> Seems like he's doing the best he can to explain what happened without being taken to a secret prison.

National security letters are only supposed to be used for national security, not random drug busts. If they used an NSL it was unlawful.

If this was just a sealed request it should be open now that the indictment has been handed down. If it was reasonable and lawful they should be asking for it to be unsealed and the request should be granted.


The very boring truth is the feds probably just put the guy's name, usernames, email addresses etc into Google and got a court order to explore certain results. People using SO should be aware of how to google something and able to reach such an obvious conclusion - and this probably happened to 100s or 1000s of sites they encountered and in most other cases since MySpace reached critical mass years ago.

The only question is whether they pay someone to do it manually or they paid someone like a SO user to automate it.

