by jim_dnaley 4238 days ago
They located Silk Road 2.0's server in an unspecified way, not directly related to their undercover agent on the support staff. Given that two other darknet markets (Black Market and Cloud9) have been shut down today, and they didn't specify how they located the SR2 server, it seems plausible that law enforcement have a vulnerability to locate servers over the Tor network.

From the complaint:

"In or about May 2014, the FBI identified a server located in a foreign country that was believed to be hosting the Silk Road 2.0 website at the time. On or about May 30, 2014, law enforcement personnel from that country imaged the Silk Road 2.0 Server and conducted a forensic analysis of it. Based on posts made to the SR2 Forum, complaining of service outages at the time the imaging was conducted, I know that once the Silk Road 2.0 server was taken offline for imaging, the Silk Road 2.0 websites went offline as well, thus confirming that the server was used to host the Silk Road 2.0 website."[1]

Then, as a result of extremely poor OpSec (Benthall accessed the server directly, used his real email for registering the server), they got his IPs and, well, you know where it goes from there.

1. https://pdf.yt/d/RpyX9_xmapTkhmkb (Complaint)


In this case it appears that they have an insider. However, given the ability to analyze internet traffic, and given the ability to DDoS a hidden service (which apparently happens quite frequently when new sites appear), with sufficient network analysis it should be possible to determine the end point of the hidden service.

Understanding of Tor

  1. Hidden services can only exist on one node.
  2. That node has a single IP or few IP addresses.
  
How to locate a hidden service given understanding of Tor.

  1. Send pulses of traffic to the hidden service (DDOS)
  2. Comb through internet traffic logs to identify which IPs saw traffic pulses.
  3. Reduce to a few statistically probable nodes matching the pulsed traffic pattern
  4. Pulse hidden service again to see if it matches the probable nodes.
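From the operator's side, the pulsed-traffic correlation sketched in the comment above shows up in the service's own request log as regular, short-lived bursts that stand far above the normal request rate. The following added example (not code from the commenter or from any project mentioned in the thread) bins a hidden service's request timestamps per second, flags bursts using a robust median/MAD threshold, and reports whether the bursts recur at a fixed interval, which is the pattern a defender would want an alert on. The request log is constructed inline, and the threshold multiplier `k=6.0` and the five-second pulse width are assumptions chosen for the demonstration.

```python
"""Detect regularly repeating traffic bursts in a hidden service's own request log.

Added illustration for the pulsed-traffic correlation described above; the log
below is constructed, not a capture from any real service.
"""
from collections import Counter
from statistics import median
from typing import List, Optional, Tuple


def bin_counts(timestamps: List[float], window: int) -> List[int]:
    """Count requests per 1-second bin over [0, window)."""
    counts = Counter(int(t) for t in timestamps if 0 <= t < window)
    return [counts.get(i, 0) for i in range(window)]


def burst_threshold(counts: List[int], k: float = 6.0) -> float:
    """Median + k * MAD: robust to the bursts themselves skewing a mean/stddev."""
    m = median(counts)
    mad = median(abs(c - m) for c in counts) or 1.0  # assumption: floor MAD at 1
    return m + k * mad


def find_bursts(counts: List[int], threshold: float) -> List[Tuple[int, int]]:
    """Return maximal runs of bins above threshold as (start, end), end exclusive."""
    bursts: List[Tuple[int, int]] = []
    start: Optional[int] = None
    for i, c in enumerate(counts):
        if c > threshold and start is None:
            start = i
        elif c <= threshold and start is not None:
            bursts.append((start, i))
            start = None
    if start is not None:
        bursts.append((start, len(counts)))
    return bursts


def estimate_period(bursts: List[Tuple[int, int]]) -> Optional[int]:
    """If at least three bursts start at (nearly) equal spacing, return that spacing."""
    if len(bursts) < 3:
        return None
    gaps = [b[0] - a[0] for a, b in zip(bursts, bursts[1:])]
    if max(gaps) - min(gaps) <= 1:  # tolerate one second of jitter
        return round(sum(gaps) / len(gaps))
    return None


def detect_pulses(timestamps: List[float], window: int):
    """Full pipeline: (list of bursts, recurrence period in seconds or None)."""
    counts = bin_counts(timestamps, window)
    bursts = find_bursts(counts, burst_threshold(counts))
    return bursts, estimate_period(bursts)


# --- constructed sample log -------------------------------------------------
WINDOW = 120                                   # two minutes of log
PULSE_STARTS = (20, 50, 80)                    # assumed: 5-second pulses every 30 s
PULSE_LEN = 5
PULSE_EXTRA = 40                               # extra requests per pulsed second

# Background load cycles deterministically through 2..6 requests per second.
_background = [(i * 7) % 5 + 2 for i in range(WINDOW)]
for _s in PULSE_STARTS:
    for _i in range(_s, _s + PULSE_LEN):
        _background[_i] += PULSE_EXTRA

# Spread each second's requests evenly inside that second.
SAMPLE_TIMESTAMPS = [
    i + j / n for i, n in enumerate(_background) for j in range(n)
]

if __name__ == "__main__":
    bursts, period = detect_pulses(SAMPLE_TIMESTAMPS, WINDOW)
    print("bursts (start, end):", bursts)
    print("recurrence period:", period, "seconds" if period else "")
```

Against the constructed log the detector reports three bursts at seconds 20, 50 and 80 recurring every 30 seconds; on real logs the interesting output is a non-None period, since ordinary load spikes rarely repeat with such regularity.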

Since the bigger markets (Evo and Agora) aren't down (as of yet) I think it's probably not a general vulnerability that works for every site. If it did I would assume they would go after the biggest markets too, not the smaller ones who were already mostly dead.

They could have located the servers, but not the administrators, because they don't do stupid stuff like connect to their servers directly. Perhaps they're just waiting for the admins to make a mistake. Taking down the servers without arresting anyone just isn't the same.

The servers may also be located somewhere that is less friendly and will not image the server for them?

I would argue that makes them more friendly. You would think someone who works for SpaceX would have better sense than to administer his darknet server using his real email address though...

They could even be on the server—knowing where it is doesn't help prosecute those who run it.
> it seems plausible that law enforcement have a vulnerability to locate servers over the Tor network.

They've bugged nearly all of the entrance and exit nodes. This allows them to do trivial traffic analysis. Parallel construction hides the method from the courts which would be reluctant to rule against anyway.

Or they were just in on it from day 1: https://news.ycombinator.com/item?id=8568765

The failures of modern crypto (and historical) are almost always usage bugs, not the technology itself.

This may be true but it doesn't seem necessary if you believe this:

During the Government’s investigation, which was conducted jointly by the FBI and HSI, an HSI agent acting in an undercover capacity (the “HSI-UC”) successfully infiltrated the support staff involved in the administration of the Silk Road 2.0 website, and was given access to private, restricted areas of the site reserved for BENTHALL and his administrative staff. By doing so, the HSI-UC was able to interact directly with BENTHALL throughout his operation of the website.

Let's see if they take down any more markets, and if all of them have "undercover agents". If not, then it should be clear that wasn't the main method of catching them, but just one to flaunt in front of the press for doing things "old school", and not NSA-style (or with NSA's help).
Also, the recent decision in the Ulbricht case that their method of obtaining the server location and contents was not enough to throw out the case may have given them confidence to use the same tactic again. Now that they know the law does not apply to them, they almost have free rein to bust these markets with whatever resources they have at their disposal.
Yea, but there is this tidbit:

"During the Government’s investigation, which was conducted jointly by the FBI and HSI, an HSI agent acting in an undercover capacity (the “HSI-UC”) successfully infiltrated the support staff involved in the administration of the Silk Road 2.0 website, and was given access to private, restricted areas of the site reserved for BENTHALL and his administrative staff. By doing so, the HSI-UC was able to interact directly with BENTHALL throughout his operation of the website."

I realize it's vague but seems conceivable this level of access would allow you to connect the dots. No?

But how could they know what support staff to infiltrate if they hadn't identified the server? The first step was locating the server. The second step was identifying the individuals and getting evidence against them. The undercover operation couldn't happen (except by accident) until step 2.
It seems you read this as support staff for the underlying webhost. However I get the impression the undercover agent had a role akin to an admin or moderator on other user content generated sites.

If that was the case, they didn't need to know where the server is hosted. And the "private" parts of the back end very likely opened up methods of code execution on the underlying host (eg. editing php templates, etc.)

Interesting read, some highlights from the complaint:

"40. Based on a review of records provided by the service provider for the Silk Road 2.0 Server (the “Provider”), I have discovered that the server was controlled and maintained during the relevant time by an individual using the email account “blake@benthall.net” (“Benthall Email Account-1")."

"b. I have also reviewed a publicly available profile of “Blake Benthall” on Twitter, another social networking website, which includes a photograph of BENTHALL as the user of the account, depicting the same individual associated with the GitHub account, discussed above. I have reviewed a post on that Twitter profile, dated on or about November 6, 2013, the date when Silk Road 2.0 was publicly launched, stating: “All this talk about the #SilkRoad being back up makes me want to watch ThePrincessBride.”"

"a. I have reviewed records provided by a U S.-based Bitcoin exchanger (“Exchanger-1"), for an account registered under the name “Blake Benthall” and linked to Benthall Email Account-1 (“Bitcoin Account-1”). According to transaction records for Bitcoin Account-1, BENTHALL engaged in his first Bitcoin transaction with Exchanger-1 on or about November 7, 2013, the day after Silk Road 2.0 was publicly launched. The transactional records reflect that, since that date, BENTHALL has received a total of approximately 575.58 Bitcoins into the account through on or about October 28, 2014, and that BENTHALL has exchanged approximately 543.63 of those Bitcoins for United States currency, totaling $273,626.60"

"c. I have reviewed emails from Benthall Email Account-1 reflecting that BENTHALL purchased a luxury vehicle with Bitcoins in late January 2014 - approximately one month after Defcon assumed control of Silk Road 2.0. Specifically, email correspondence indicates that, in or about late January 2014, BENTHALL made a down payment of approximately $70,000 in Bitcoins towards the purchase of a Tesla Model S, worth approximately $127,000 in United States currency."

"b. Records provided by Exchanger-1 regarding Bitcoin Account-1 indicate that on the same date, BENTHALL logged into Bitcoin Account-1, using the identical combination of software: Google Chrome web browser version 35.0.1910.3 and the Apple OS X operating system, version 10.9.0."

"c. According to publicly available information, on or about April 6, 2014, Google Chrome version 35.0.1910.3 was a beta version of the browser, and Apple OS X version 10.9.0 was outdated. Thus, based on my training and experience, this particular combination of software versions would not have been common among Internet users at the time. The information available to the HSI-UC indicates that Defcon was not using Tor to access the customer support interface at the time, which would have caused Defcon’s browser and operating system to appear differently."

> I have discovered that the server was controlled and maintained during the relevant time by an individual using the email account “blake@benthall.net”

That's pretty f*ing retarded of him.

No, I mean, what an idiot of epic proportions.

Or he is just a fall guy.

This is such a huge WTF to me. I mean, I can rent a server with Bitcoins completely anonymously right this moment from many providers.

But is the host reliable? Will the server be of decent quality? Does customer support exist?
If it isn't reliable, there's plenty of competition.

I've been renting dirt-cheap VPSs recently and had zero problems with them.

> I have reviewed a post on that Twitter profile, dated on or about November 6, 2013, the date when Silk Road 2.0 was publicly launched, stating: “All this talk about the #SilkRoad being back up makes me want to watch ThePrincessBride.”"

It's interesting because this is a retweet yet it's still mentioned as a "post on [his] Twitter profile". I guess that's true, but shouldn't it be mentioned as a retweet in official court documents?

>> made a down payment of approximately $70,000 in Bitcoins towards the purchase of a Tesla Model S

Way to lay low.

This is a lot of major crimes investigations: if you want to participate in an organized criminal effort (which is what SR2.0 is), you're only as secure as the weakest link in that effort. Worth remembering when SR3.0 comes out. Is it being run by someone else who will put out a hit on a rival, or plow $70k of revenue into a Model S?
You are also, by nature, associating with people with a vastly higher than average risk of being arrested independent of your own conspiracy, and hoping that they will not mention your conspiracy for leniency in problems they got into without you.
Silkroad 3.0 will probably be this: https://openbazaar.org/

Good luck in taking that down.

Interesting. Are you claiming that OpenBazaar will be free of bugs, exploits, side-channel attacks, etc? Have you done an analysis of the code? Got a link?

I think he just meant that it's like Bitcoin. To stop Bitcoin, you need to seize everyone's computers.
Sounds like he confessed to everything after being read his rights, but before he even had a lawyer. His lawyer met him for the first time in court this morning.

Odd all around, like he wasn't at all prepared for this to end up here.

http://arstechnica.com/tech-policy/2014/11/prosecutor-silk-r...

^. Simplest use case I can imagine for big data analysis on financial transactions, detect sudden spikes in income (esp. from different sources) and expenses, flag for further investigation. I'm sure the tax services do this. Banks too, to detect mules and other suspicious activity (repeated transactions of $999 to a different account are suspicious already imo).
You can buy a Tesla with Bitcoins?

Sure, you could theoretically buy a used Tesla with Bitcoins. But it may be hard to find a dealer willing to do that.

There was a story a while ago about someone buying a Tesla with Bitcoins, but it ended up being incorrect. The Bitcoins were exchanged for US Dollars which were then used to buy the car: http://www.cnbc.com/id/101258152

You can't buy a Tesla from a dealer. There are no Tesla dealers.

Dealers can sell a used Tesla.
>>> Google Chrome web browser version 35.0-1910.3 and the Apple OS X operating system, version 10.9.0

Hello browser fingerprinting, not a theoretical concern anymore I guess.

I don't think a single-server hidden service is meant to protect against a global, active adversary. If you think it does I would love to hear your thoughts on my question[1]

[1] https://news.ycombinator.com/item?id=8568667

> service outages at the time the imaging was conducted

That whole "correlation is not causation" maxim comes to mind here.

Evidence is all about correlation. You won't ever find direct causation in a court case.

That's what a jury is for.

It's part of a greater collection of evidence. Evidence doesn't have to be mathematical proof.

A common theme (from what I can tell in law) is that something can never be proven to the rigor of a mathematician, so what happens is you build up piles of "coincidences" until a reasonable person would be hard-pressed to believe they are only coincidence.

Hence the idea of reasonable doubt which has a specific meanings in various jurisdictions:

http://en.wikipedia.org/wiki/Reasonable_doubt

None of the items taken by themselves are enough to convict (e.g., other people would be tweeting about Silkroad 2 at the same time), but you add it all together (server in his name, piles of unexplained cash and large purchases, tweeting about it, accessing the servers from his machine, etc., etc.) and it starts to look really bad.

Plus he's also confessed, apparently.

This seems like an excellent example of a 'natural experiment' where the FBI's imaging request serves as an instrumental variable.