Forensics & OpSec analysis

This stuff is better than Pynchon! See also.

Pattern_Juggled on 03 Oct 2013, 07:33

There are some excellent questions in this list, and I’m going to see if I can add any value based on what is available currently – i.e. the court documents, mostly, as the reporting all seems to derive merely from the underlying documents themselves.

Guest wrote:

Silk Road (SR) wasn’t hosted at Freedom Hosting (FH). If it was, Dread Pirate Roberts (DPR) would have had a good belief that the entire site was compromised when FH went down.

Completely agreed – I know of no evidence suggesting SR was on FH or connected to it in technical infrastructure. The Baneki tweet above (which I submitted to Baneki’s feed, via the current admin of that account, just to be clear) points out the temporal concurrence here – and nothing more. What does it mean, that these two events were happening within a couple weeks of each other? We don’t know yet. We don’t know causal links, we don’t know if there’s “hidden variables” behind the scenes that are themselves causal determinants of the surface-level facts available for review thus far.

We also don’t know if those dates are accurate, actually: the FBI agent says that was the date they imaged the SR machine; did they have root on it for months beforehand? Did they have dom0 root on the FH machines for months? We don’t know. We know the FBI claims they imaged the machine a mere 9 days before FH went down with the arrest – and, remember, the FBI (or perhaps “FBI” at this point – because, seriously…) admits it had functional root on the FH machines for some time before the Thursday 1 August raid. That’s important to keep in mind.

So we have a temporal congruence here, in which the “FBI” claims to have mysteriously gained full root access to the physical machines running Tor hidden services – without being noticed, mind you – in at least one case gaining a full hard drive image of the running machine without triggering any IDS toolsets or other alarms on the machine. It seems highly probable – although not confirmed – that the same was true on FH.

That’s quite a coincidence, given that – until July of 2013 – not many folks assumed it was a trivial operation to bust through Tor hidden services and find the underlying machines on which they were hosted. Indeed, lots of smart people were pretty damned sure that was not possible – or, if possible, would require the resources and expertise of seriously heavy-hitting technical adversaries.

Not, need we point out, the FBI.

The cover story of the border agents “randomly” opening the package and finding the IDs is, screamingly obviously so, Parallel Construction in the wild: thar she blows! There was nothing random about it, and DPR was (rightly) convinced the chances of a “random” search of a standard postal envelope going across that border – sent by who he thought was sending it, with their reputation and competence – were statistically close to zero.

He was right. But that wasn’t who he thought it was, and the whole ID thing was a setup. Once he asked about getting IDs from R&W, he was done.

Indeed, looking back, could the ID setup have been the start? With that, they have his RL name and identity… and with that, they start tracing the threads back to servers. They find a server, they send in TAO… err, “those amazing FBI offensive cyberspecialists that nobody has ever heard of but who magically appeared this summer during the NSA’s Snowden battles” – root it, and sit there waiting to gather enough data to hang him and take the whole site down.

4. Why was DPR discussing fake IDs with redandwhite who was related to/could be friendlychemist who just blackmailed him?

Because he assumed he knew who was behind that screen name. And he assumed he’d just successfully ordered a “hit” through them, thus having proved their legitimacy and competence.

Further, nobody would use that alias falsely – nobody with half a fucking brain. So, to someone inexperienced, that gives it a whiff of authenticity. It’d be like walking into a boxing gym and claiming to be Mike Tyson, or something – you are not going to like the results of falsely “fronting” that name.

5. How did Border patrol find the fake IDs with a routine search? Seems like the ID vendor was compromised and they knew what to look for or DPR was already being monitored.

Per above, ID vendor was a setup from Day One – as was the “hit.” As was the “hack.” By logical extrapolation from known data points.

6. The server was imaged in July but SR only kept messages and transactions for two months, so how did they see the messages between DPR, friendlychemist, and redandwhite in March and April?

Because they rooted it earlier? After getting RL identification of DPR, via the fake “hit” and resulting “ID buy,” in April. Once they rooted it, they’d have a back-facing window of 60 days’ messages… thus enabling them to pull the PMs of the entire hit-for-hire shenanigan from the SR side, as well.

7. What information did the employee in the Maryland complaint have that DPR was so worried about? If they were arrested, as DPR believed, and could view all the messages on SR, why would he not think the site was already compromised?

I haven’t read that complaint, yet – been poring line-by-line through the New York complaint.