Silk Road: A Lesson in Information Security

By now you know how the Silk Road, an online marketplace for all things illegal and semi-legal, has been shuttered by the FBI. Ross William Ulbricht, the alleged owner of the anonymously hosted website, is in a lot of trouble.

Silk Road Marketplace CamelUlbricht was caught for a number of reasons, but what first brought him to the attention of the authorities was likely a simple Internet search. After that, the authorities were easily able to connect the dots between Ulbricht’s allegedly different personae – and they didn’t even need any special technology to do it. Let’s take a look at the how investigators were able to connect his s real-world identity with the anonymously hosted website. After, we’ll discuss some simple practices that can be put in place to keep personal information safe.

Background

Authorities allege that the Silk Road acted as the middleman in more than $1.2 billion worth of drug deals, collecting around $80 million in fees. What they neglect to mention is that the sales and fees were made with Bitcoin and that prices were pegged to dollar values. At the time, Bitcoin was worth between five and six times less than it is today. How much the website actually made is hard to say, but it’s fair to assume it made a lot of money. The notoriety of the site, the number of sellers who used it and the grandiose statements of its operator — who went by the name of the Dread Pirate Roberts — all likely helped to put the Silk Road in the crosshairs of the FBI.

The scope of the alleged operation makes for good breakfast reading, but what I find most interesting is how the investigators managed to reach through the layers of anonymity afforded by the Onion Router (TOR) to identify Ulbricht. By all accounts, the NSA has not been able to crack the TOR riddle – so presumably the FBI managed to do all of this the old-fashioned way.

The Trail of Breadcrumbs

Think about legitimate online sales. Why have there been so few successful auction sites? Why are there not more sites trying to replicate eBay’s success? The reason is simple: volume. You need enough sellers to keep the buyers interested, and you need enough buyers to make it profitable for the sellers. You can’t have one without the other. For Silk Road to work, people would need to know about it – and at a time when TOR wasn’t well known, that would mean reaching out to the World Wide Web.

The FBI’s first clues to Ulbricht’s identity came from drug forums. Searching forums for such information may seem like looking for a needle in a haystack, but actually it’s not: If you know roughly when a site launched, then all you would have to do is search for posts that were made around that time. The closer you are to the exact day, the greater the likelihood that people mentioning it are financially involved. You can’t just stumble around and find things on TOR, you need to know where they are first.

To suggest that finding the first posts was as simple as a search engine query is something of an exaggeration — querying Google for posts made on and around the February 2011 launch date only yields historical information about the Silk Road trade route and businesses that incorporate Silk Road into their name. I did create two successful queries in the space of about a minute, but I did it with the benefit of knowing that the first post was on a magic mushroom forum. Given that the FBI is much more familiar with these sites than I am, I would say that hindsight isn’t that much of an advantage. They would have had a bigger list of sites to hit, but they would have been searching for more or less the same key words.

I used Google to search for “magic mushroom forums” and one result after another was dated between Jan. 1, 2011 and March 1, 2011.

When I added the URL of the fifth forum on the list in front of the keywords Silk Road, I hit paydirt. Ditto, when I searched for “magic mushrooms Silk Road” within the same date range.

The top result for either search will take you to the first post of a user named “Altoid,” dated Jan. 27, 2011, who the FBI alleges is none other than Ulbricht himself:

I came across this website called Silk Road,” wrote Altoid, in a post which linked to the site. “I’m thinking of buying off it… Let me know what you think.

The next piece of the puzzle came when the same user name appeared on the Bitcoin Talk forum. You can get to that simply by searching for the terms “altoid bitcoin.” Again, we have the benefit of hindsight, but given that Bitcoin was the Silk Road currency – it would have been a matter of course. The search reveals a few posts by someone with the same user name. Searching the site internally reveals more. Eventually you get to the post that lists Ulbricht’s personal Gmail account.

If Ulbricht did what the FBI alleges he did, then this was a novice mistake, but it’s the sort of mistake that pretty much everyone makes. If he did in fact create the Silk Road, he could hardly have imagined at the time what it would become in the future. Had Ulbricht chosen to use a different handle for his Bitcoin Talk account, the connection to that zero day post might never have been made. It might seem like a stroke of luck or a clever bit of investigation, but it seems like it would be the normal route that agents would take when they hunt online for child predators.

The tacit connection between Ulbricht and that early post is not enough to go to court – it’s not even enough to obtain a search warrant. It is, however, enough to make him a person of interest to the FBI. From there, they started digging through his social media accounts, checking his email and looking for any further clues. As of yet, we have no way of knowing what these early efforts yielded, but at the very least it would have provided investigators with a clearer picture of their suspect.

That would have given the agents a good idea as to who their surveillance should be targeting. Ultimately, Ulbricht went on to make several mistakes: a package containing nine fake identification papers was intercepted, and he was caught using a VPN when a server was compromised that had an IP found in the Silk Road source code (it was used as a security measure, to keep other people from logging in). By the time Ulbricht was arrested, the agents likely felt confident that they had a water-tight case.

Implications for Law-Abiding Citizens

As a gainfully-employed, law-abiding citizen, I don’t have to worry about having the FBI batter down my door – but the investigation that led to Ulbricht’s arrest ought to give pause to anyone who goes to pains to separate their private and professional personae. What we put on the Internet will be there long after we’re gone – Web archival services have seen to that.

So while I don’t have to worry about law enforcement per se, I do have to contend with the possibility that somewhere down the line I might have issues with a stalker, vindictive co-worker, overzealous employer or disgruntled employee. I also have to accept that everything I have written could one day be read by my children. I grew up in a country where foreign citizens were routinely surveilled and had it drummed into me as a child, and later as a teenager, that I should always be extremely careful about anything I put into writing. It’s not so much a matter of what you write being used against you in a court of law; it’s about it being used against you generally.

Keeping Your Public Information Private

If you are doing something risqué, embarrassing or have the need to vent your feelings in a public forum, you’d do well to think very carefully about the personal information that you allow to be attached to the account. If you want to maintain a little privacy, then you need to add some layers of separation between you and your anime collector’s forum account.

A few things that you might want to consider:

  • Never use your Facebook account to access anything other than Facebook.
  • Be careful who your friends are.
  • Don’t be friends with co-workers.
  • Use a secondary (or tertiary) email account when you register for forums.
  • Seriously consider using a different user name for each forum account.
  • Drum the same values into your children.

The Facebook thing is a no-brainer. For one thing, it links you to your account. It also links you to all of your friends and associates, so it pays to know who your friends are. I used to accept friend requests from just about anyone, but not anymore. My wake up call came in the form a former classmate: We used to play rugby together at lunch, where he used his 6’7” frame to batter our opposition into submission. I accepted his request, we reminisced about old times, and then a few weeks later he changed his profile image to a picture of Hitler – and I hit unfriend. From there, I became ruthless. It started with people that I didn’t know and ended with people who I did know, but who had expressed views that I found abhorrent. The result: I actually read my news feed and nobody puts profanity-laced posts on my wall.

I have never been and will never be friends with a current co-worker on any social network, irrespective of my relationship with them in real life. Any worker-worker relationship involves two relationships, one with the workplace and one with the individual. If your relationship with one breaks down, it can affect the other. This applies just as much, if not more, to LinkedIn. Do you really want people at work to know when you start looking for a job?

When it comes to any interest-oriented forums, I create a buffer between myself and the forum by using a secondary email account. Obviously, the need for this varies according to interest – a game forum is much more likely to degenerate into a flame war than a cacti and succulents forum (though people can be very passionate about their Astrophytum). To simplify password recovery, I use the same secondary email address for all accounts and forward mails from the secondary address to my primary account. Finally, with regard to the use of different user names, tempers can flare from the strangest things. A different username can help to prevent spillover from one site to another.

Last but not least, teach your children and teach them young. The next generation of Internet users is growing up fast and will be getting into trouble soon. Most parents tend to take a reactive approach to these things, but by the time their child posts something stupid or objectionable on Facebook, it’s too late. Teenagers do all kinds of stupid things and that’s not going to change – the best we can hope for is that the stupid things they do when they don’t know better are less likely to come back to haunt them when they do.

Conclusions

The investigation into the Silk Road, the Dread Pirate Roberts persona and Ulbricht, looks to be a well-executed piece of detective work. What makes it unsettling is how easily it all happened. The same techniques that investigators used could just as easily be applied by people with nefarious intentions. As such, let this be a reminder to exercise a little more caution when it comes to securing your information. Finally, if you have children, do them a favor and teach them about this sort of thing before they are old enough for it to become a problem.

Post a Comment

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>