by srollyson 4639 days ago
Haven't finished the complaint yet, but it looks to me like the FBI found a security vulnerability in the Silk Road website itself. More specifically, it looks like they found a way to have the PHP source code sent as an HTTP response rather than having that PHP code executed and its output sent. From page 27 of the complaint:

  Further, based on forensic analysis of the Silk Road
  Web Server, I know that the server includes computer
  code that was once used to restrict administrative
  access to the server, so that only a user logging
  into the server from a particular IP address,
  specified in the code, could access it.
The report later goes on to say that they mapped that IP address to a VPN provider whose account was set up from an internet cafe near the house of a friend of DPR.

It looks like they first started suspecting Ulbricht when one of the forum account usernames he used to market Silk Road, "altoid", posted the GMail address "rossulbricht@gmail.com" when looking for technical help. From page 26 of the complaint:

  From further reviewing the Bitcoin Talk forum,
  Agent-1 located another posting on the forum by
  "altoid," made on October 11, 2011, approximately
  eight months after his posting about Silk Road.
  In this later posting, made in a separate and
  unrelated discussion thread, "altoid" stated that
  he was looking for an "IT pro in the Bitcoin
  community" to hire in connection with "a venture
  backed Bitcoin startup company." The posting
  directed interested users to send their responses
  to "rossulbricht at gmail dot com" - indicating
  that "altoid" uses the e-mail address 
  "rossulbricht@gmail.com" (the "Ulbricht Gmail
  Account").
After DPR's mistake of using the same account to market Silk Road and solicit help with an email address, the FBI seems to have used good old-fashioned legwork to subpoena records and build a case against DPR.

Super interesting read!

5 comments

Where in the complaint do you see evidence of a website vulnerability? The part you quoted just reads to me as describing DPR's use of a VPN, with the "forensic analysis" part referring to analysis of the disk image after the server had already been identified and imaged.

That said, a security vulnerability in the website does seem like a really plausible conjecture: it's hard to write that much PHP code and not screw up somewhere, especially given that he was probably doing most of it himself, without anyone to do independent QA. And even if the site code itself was fine, the Silk Road is a high-enough value target that the FBI might have thought it worth using a PHP 0-day. Once they're into the site, it's probably not hard to get it to dump an IP address or other externally identifying information.

Yeah, that was a bit of a logical leap. I can see that the code analysis was probably done after getting a disk image now. I think the original lead probably came from his second bitcointalk "altoid" post, though.

Don't forget there was a glitch with SR about 8 months ago where it was briefly returning the real IP address of the server on an error page.

> the FBI seems to have used good old-fashioned legwork to subpoena records and build a case against DPR.

That may be; or maybe they just Parallel Constructed a proper looking investigative trail.

I was thinking the exact same thing. +1 to you sir.

I was told their Apache's error pages leaked "too much information", including the server's IP address. Maybe no breach was needed if this is true.

I'm not super familiar with this case or the AT&T vs. weev one, but I thought I read that the prosecution in the weev trial made the argument that accessing information in the open, like that in server logs, is hacking? If that precedent was set, wouldn't that have an effect on when a warrant is required or not? Just curious.

No. A warrant means you can do extra special stuff, like search someone's house. With a warrant, you can search for whatever you like, however you like.

Told by who?

The FBI Complaint, for one.

  ... I know that, on May 24, 2013, a Silk Road user sent
  him a private message warning him that "some sort of
  external IP address" was "leaking" from the site, and
  listed the IP address of the VPN Server.
The Footnote labeled 4, bottom of page 28.

http://www1.icsi.berkeley.edu/~nweaver/UlbrichtCriminalCompl...

edit and off-topic rant: I really hate searching government PDFs.
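
The "leaking IP on an error page" story above is the kind of thing you can check for yourself before a hidden service goes live. The following is an added example for this thread, not code from the complaint, from Silk Road or from Apache. It assumes (the comments do not say which leak it actually was) the commonest form of this mistake: Apache's built-in error pages with ServerSignature On carry a footer reading "Apache/x.y Server at <ServerName> Port <n>", and ServerName falls back to the host's own address when the admin never set it; self-referential redirects put the same host into the Location header. The responses and the .onion name below are constructed placeholders.

```python
"""Check an HTTP error/redirect response for a leaked real address.

Added example; not code from the complaint, from Silk Road or from Apache.
Assumed leak mechanism: Apache ServerSignature footer and redirect headers
that name the server's own address instead of the hidden-service name.
All responses below are constructed."""

import re

# Dotted quad with each octet in 0-255
IPV4_RE = re.compile(
    r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b")
# Footer Apache appends to its built-in error pages when ServerSignature is On
SIGNATURE_RE = re.compile(
    r"<address>[^<]*?Server at\s+(\S+)\s+Port\s+(\d+)</address>", re.I)


def find_address_leaks(headers, body, expected_host):
    """Return [(where, value)] for every host name or IPv4 address in the
    response that is not the name clients are supposed to see.

    headers: dict of response header name -> value (matched case-insensitively)
    body:    decoded response body
    expected_host: the only host name that should ever appear (the .onion)"""
    findings = []
    match = SIGNATURE_RE.search(body)
    if match and match.group(1).lower() != expected_host.lower():
        findings.append(("ServerSignature", match.group(1)))
    for ip in sorted(set(IPV4_RE.findall(body))):
        findings.append(("body", ip))
    lowered = {k.lower(): v for k, v in headers.items()}
    for name in ("location", "content-location"):
        value = lowered.get(name)
        if value and expected_host.lower() not in value.lower():
            findings.append((name, value))
    return findings


ONION = "xxxxxxxxxxxxxxxx.onion"   # constructed placeholder for the service name

# Constructed: a directory redirect from a server whose ServerName was never
# set, so Apache used the machine's address (203.0.113.7 is documentation space)
LEAKY_HEADERS = {"Server": "Apache/2.2.22 (Ubuntu)",
                 "Location": "http://203.0.113.7/missing/"}
LEAKY_BODY = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>301 Moved Permanently</title></head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://203.0.113.7/missing/">here</a>.</p>
<hr>
<address>Apache/2.2.22 (Ubuntu) Server at 203.0.113.7 Port 80</address>
</body></html>"""

# Constructed: same redirect after ServerSignature Off, ServerTokens Prod and
# ServerName set to the hidden-service name
CLEAN_HEADERS = {"Server": "Apache",
                 "Location": "http://" + ONION + "/missing/"}
CLEAN_BODY = """<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head><title>301 Moved Permanently</title></head><body>
<h1>Moved Permanently</h1>
<p>The document has moved <a href="http://xxxxxxxxxxxxxxxx.onion/missing/">here</a>.</p>
</body></html>"""

if __name__ == "__main__":
    print("leaky:", find_address_leaks(LEAKY_HEADERS, LEAKY_BODY, ONION))
    print("clean:", find_address_leaks(CLEAN_HEADERS, CLEAN_BODY, ONION))
```

Run it against every status code your server can produce (404, 403, 500, directory redirects), not just the home page; the fix on the Apache side is ServerSignature Off, ServerTokens Prod, an explicit ServerName set to the .onion name and UseCanonicalName On so self-referential redirects use it.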

There WAS such an issue generally with PHP installed as CGI: a query arg like ?-s would be passed as a command-line -s switch to the PHP interpreter spawned. http://www.php-security.net/archives/9-New-PHP-CGI-exploit-C...
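
The mechanics behind that ?-s trick are worth seeing in code. The block below is an added example for this thread, not code from PHP, from the linked advisory or from the complaint; the access-log lines at the bottom are constructed. It models the behaviour behind CVE-2012-1823: RFC 3875 section 4.4 says a query string with no unencoded "=" is a "search string", to be split on "+", URL-decoded piece by piece and handed to the script as command-line arguments, and an unpatched php-cgi parsed those arguments as its own options (so "-s" printed the script's source and "-d" set php.ini directives from the URL). The same function then scans log lines for the pattern, decoding them the way the server would have.

```python
"""Emulate how a CGI web server turns a query string into argv and flag
requests that would have reached php-cgi as interpreter options.

Added example; not PHP's code nor the advisory's. Models RFC 3875 4.4 plus
the php-cgi behaviour behind CVE-2012-1823. Log lines are constructed."""

import re
from urllib.parse import unquote

# php-cgi options worth flagging when they arrive through the query string
# (-s show source, -d define an ini directive, -n skip php.ini,
#  -c use an alternative php.ini, -f parse a chosen file)
DANGEROUS_OPTS = {"-s", "-d", "-n", "-c", "-f"}

# Request line inside a Common/Combined log entry; group 1 is the raw target
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def cgi_argv_from_query(query):
    """Return the argv a CGI server derives from QUERY_STRING (RFC 3875 4.4).

    The '=' test runs on the raw, still-encoded string: '%3d' does not count,
    which is exactly why '-d+allow_url_include%3d1' slips through as a
    search string."""
    if query == "" or "=" in query:
        return []
    return [unquote(part) for part in query.split("+")]


def injected_php_options(query):
    """Return the php-cgi options this query would inject (empty if none).

    Short options may have their value glued on ('-dallow_url_include=1'),
    so match on the first two characters of each argument."""
    return [arg for arg in cgi_argv_from_query(query)
            if arg.startswith("-") and arg[:2] in DANGEROUS_OPTS]


def scan_access_log(lines):
    """Return [(request_target, injected_options)] for suspicious log lines.

    Works on the raw request line, so a percent-encoded dash ('%2ds') is
    decoded the same way the CGI server would have decoded it."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group(1)
        query = target.partition("?")[2]
        opts = injected_php_options(query)
        if opts:
            hits.append((target, opts))
    return hits


# Constructed access-log lines: two benign, three option-injection attempts
SAMPLE_LOG = [
    '198.51.100.4 - - [01/Oct/2013:10:00:00 +0000] "GET /index.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [01/Oct/2013:10:00:01 +0000] "GET /search.php?bitcoin+escrow HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Oct/2013:10:00:02 +0000] "GET /index.php?-s HTTP/1.1" 200 4096 "-" "curl/7.30"',
    '198.51.100.9 - - [01/Oct/2013:10:00:03 +0000] "GET /index.php?%2ds HTTP/1.1" 200 4096 "-" "curl/7.30"',
    '198.51.100.9 - - [01/Oct/2013:10:00:04 +0000] "POST /index.php?-d+allow_url_include%3d1+-d+auto_prepend_file%3dphp://input HTTP/1.1" 200 77 "-" "curl/7.30"',
]

if __name__ == "__main__":
    for target, opts in scan_access_log(SAMPLE_LOG):
        print("php-cgi option injection via", target, "->", opts)
```

Note what the second benign line shows: a plain search string ("bitcoin+escrow") also becomes argv, so the server-side mitigation that circulated at the time was not to block all "="-less query strings but to refuse the ones whose arguments begin with "-"; the real fix is a patched php-cgi, and mod_php and FastCGI deployments never passed argv this way at all.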
Well how about that. Thanks for the link.

I remember reading an article in 2600 where someone figured out that quite a few websites took a PHP filename as a query arg to be eval'd... and some subset of those had no mechanism in place to restrict it to local files. Needless to say, they could point that arg to example.com/malicious.php and have it run on the vulnerable box.

The best part was that they constructed a Google query to find sites that would eval remote PHP code. It was something else!
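
The sites in that 2600 article were doing the equivalent of include($_GET['page']). The following is an added example for this thread, not code from any site the article or the comment above describes; it is written in Python so each missing check can be tested on its own, but the four checks are the ones a PHP include() of a user-supplied name needs. Assumptions: pages live under one directory (pages_dir), the include name has ".php" appended, and the caller either passes an allowlist of page names or accepts confinement to that directory as the only guarantee.

```python
"""Resolve a user-controlled 'page' parameter to a local file safely.

Added example; not code from the sites discussed above. The checks are the
ones missing from a bare include($_GET['page']). Inputs are constructed."""

import os
from urllib.parse import urlsplit


class UnsafeInclude(ValueError):
    """Raised with a short .kind tag so callers can log why a request failed."""

    def __init__(self, kind, value):
        super().__init__("%s: %r" % (kind, value))
        self.kind = kind


def resolve_include(page, pages_dir, allowed=None):
    """Return the absolute path to include for `page`, or raise UnsafeInclude.

    Order matters only for which reason gets reported: every check runs
    before any path is returned."""
    # 1. Anything with a scheme or a host is a remote include request
    #    (http://example.com/malicious.php, ftp://..., php://input, //host/x)
    parts = urlsplit(page)
    if parts.scheme or parts.netloc:
        raise UnsafeInclude("remote", page)
    # 2. A NUL byte truncated the file name in older PHP builds, which
    #    defeated an appended ".php" ("../../etc/passwd%00")
    if "\x00" in page:
        raise UnsafeInclude("nul-byte", page)
    # 3. The robust fix: only names enumerated in advance
    if allowed is not None and page not in allowed:
        raise UnsafeInclude("not-allowed", page)
    # 4. Defence in depth: after normalisation the file must still sit under
    #    pages_dir, which catches ../ traversal when no allowlist is used
    base = os.path.realpath(pages_dir)
    path = os.path.realpath(os.path.join(base, page + ".php"))
    if os.path.commonpath([base, path]) != base:
        raise UnsafeInclude("traversal", page)
    return path


def classify(page, pages_dir="/srv/www/pages", allowed=None):
    """Convenience wrapper: 'ok' or the UnsafeInclude kind for a given input."""
    try:
        resolve_include(page, pages_dir, allowed)
        return "ok"
    except UnsafeInclude as exc:
        return exc.kind


# Constructed allowlist of legitimate page names
ALLOWED = {"home", "about", "contact"}

if __name__ == "__main__":
    # Constructed inputs of the kinds the thread mentions
    for page in ["about", "http://example.com/malicious.php",
                 "//example.com/malicious.php", "../../../etc/passwd",
                 "about\x00", "news"]:
        print(repr(page), "allowlist:", classify(page, allowed=ALLOWED),
              "confined-only:", classify(page))
```

The allowlist makes checks 1, 2 and 4 redundant, which is the point: a site that can enumerate its pages should do so and treat the rest as logging; a site that cannot is relying on check 4 alone, and must also keep allow_url_include off so that check 1 is enforced by the interpreter and not only by this code.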

That was my first lesson in validating any external input. Learned the hard way, in my first six months of building websites professionally. Happily, the hosting provider put me onto a helpful tech guy who walked me through what I'd done and how to avoid it. There was a lot less 'common knowledge' and 'everyone knows' in 2001.

...a vulnerability that affected near zero actual servers. (I know because I scanned for it shortly after the announcement.) Everyone uses FastCGI or mod_php and friends.

The agent is discussing source code he inspected likely after acquiring an image of the server. The vulnerability you described isn't how they got their information.

I'm reading through it now, but it's still not 100% clarified how they originally determined the true IP and provider of the server. There are a myriad of different ways, though.

Kind of shocking though if NSA didn't use a PHP vulnerability. PHP has more leaks than Chelsea Manning.

Care to name 5?

Actually, all of the severe bugs there are fixed and/or no longer apply.

Linking to ancient bugs that were fixed a long time ago is pointless, every popular piece of server software would have bugs.

So, care to name five?

Once bitten, twice shy.

Sure, do you have $50,000?