Ever since the US government first claimed it found the Silkroad server using a “leaky CAPTCHA,” technical experts have raised doubts about whether this explanation is plausible. Attorneys for alleged Silkroad mastermind Ross Ulbricht suggested that this was just a cover story, intended to hide the fact that the NSA, rather than the FBI, found the Silkroad server. They suggested the CAPTCHA story was an example of “parallel construction,” a law enforcement technique for concealing the true origin of evidence in criminal cases.
Technical documents recently filed by the FBI seem to solidify these theories. According to Brian Krebs (of Krebs on Security) and Robert Graham (of Errata Security), a close examination of these documents reveals that the FBI did something very different from what it originally claimed. Krebs quotes Weaver, a researcher at Berkeley’s International Computer Science Institute, pointing out a simple fact: the place where the FBI agents claim to have found the “leak” is not consistent with how the server was designed.
The Silkroad system was set up in a fairly complicated fashion, with a split architecture: traffic from the Tor network went to a front-end server, which in turn made requests to a back-end server in Iceland. According to documents released by the government, the Icelandic Silkroad server (the one that was seized) was designed to refuse most types of requests from the wider internet.
According to Weaver’s analysis, the Silkroad server would not have replied with a portion of a CAPTCHA image, as the FBI agents in the Silk Road case claimed. It is much more likely that the FBI accessed the Silkroad server’s IP address directly and was served a generic phpMyAdmin page.
It is important to note that there was a misconfiguration in one or both of the Silkroad servers that did allow access to PHP files from anywhere on the internet, so it is plausible that the FBI received some data back when it entered the IP address.
According to Robert Graham’s analysis, the phpMyAdmin explanation fits. Log entries in which FBI Agent Christopher Tarbell accessed the Silkroad server show him requesting the phpMyAdmin pages, not the Silkroad login page, so they are not consistent with the FBI’s original explanation. Also, contrary to what the server’s configuration should have produced, those requests received a “200 OK” response code instead of the “401 UNAUTHORIZED” error Graham would have expected to see; this suggests the FBI knew the password or the server configuration had somehow changed.
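The log-analysis argument above can be turned into a routine check that an operator of a server meant to be reachable only through a local Tor daemon could run over their own access logs. The script below is an added example and is not code from the article or from any of the analysts it cites. It assumes the common Apache/nginx “combined” log format and uses constructed sample lines with RFC 5737 test addresses; the admin-path list and the loopback-means-Tor assumption are illustrative choices, not facts from the page. It flags any request for an administrative path (such as phpMyAdmin) that arrived from a non-loopback client, and grades a successful 200 more severely than a 401, which is exactly the distinction Graham draws.

```python
import re
from ipaddress import ip_address

# Apache/nginx "combined" log format, for example:
# 203.0.113.7 - - [10/Sep/2014:12:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Illustrative list (an assumption for this example): paths that should never
# be answered for a clearnet client on a host that is only supposed to be
# reached through a Tor daemon running on the same machine.
ADMIN_PREFIXES = ("/phpmyadmin", "/login")


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_loopback(ip):
    """True if the client address is a loopback address (the local Tor daemon, in this setup)."""
    try:
        return ip_address(ip).is_loopback
    except ValueError:
        return False


def find_clearnet_admin_hits(lines):
    """Return admin-path requests that came from non-loopback clients.

    A 2xx response is graded "high": the server handed content to a clearnet
    client, which is the 200-instead-of-401 anomaly discussed in the text.
    Any other status is graded "medium": the request reached the admin
    interface at all, even though it was refused.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if not rec["path"].startswith(ADMIN_PREFIXES):
            continue
        if is_loopback(rec["ip"]):
            continue  # arrived via the local Tor daemon: the expected route
        findings.append({
            "ip": rec["ip"],
            "ts": rec["ts"],
            "path": rec["path"],
            "status": rec["status"],
            "severity": "high" if 200 <= rec["status"] < 300 else "medium",
        })
    return findings


# Constructed sample log lines (not real Silkroad logs); addresses are RFC 5737 test ranges.
SAMPLE_LOG = [
    '127.0.0.1 - - [10/Sep/2014:12:00:00 +0000] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2014:12:00:01 +0000] "GET /phpmyadmin/ HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Sep/2014:12:00:02 +0000] "GET /phpmyadmin/index.php HTTP/1.1" 401 128 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Sep/2014:12:00:03 +0000] "GET /images/logo.png HTTP/1.1" 200 4096 "-" "curl/7.30"',
    'this line is not in combined log format',
]


if __name__ == "__main__":
    for hit in find_clearnet_admin_hits(SAMPLE_LOG):
        print(f'{hit["severity"]:6} {hit["ip"]:15} {hit["status"]} {hit["path"]}')
```

Run against a real log, the “high” findings are the lines an operator would want to explain: either the administrative interface is not actually restricted to the Tor path, or someone outside that path presented valid credentials.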
Graham concludes that the NSA as the missing link in the Silk Road case makes sense. With the Silkroad back-end server located in Iceland, and the system not using encrypted communications between the two servers, the NSA could easily have captured the password: under US law the NSA is allowed to monitor traffic between foreign countries, including Iceland.
As for the Silkroad front-end server in Germany (a country also known to be monitored by the NSA), while it would have returned a “forbidden” error when accessed from outside Tor, it would not have done so for requests for PHP files. Graham suggests there were technical methods the FBI could have used to find this server, such as scanning the whole Internet for SSL servers and looking for the word “Silkroad” in the returned web page.
Graham notes that the original declaration by FBI Agent Tarbell was “gibberish” and so vague that nearly any explanation could fit; it is vague enough that an NSA agent showing up at the FBI office and typing in the Silkroad server’s IP address would fit within the scenario.