Silk Road, the underground website where dealers sold illegal drugs, was supposed to be safe. The site was nestled deep in the dark web, accessible only through the anonymizing network Tor. All transactions were done in the anonymizing virtual currency Bitcoin. Its owner-operator, Dread Pirate Roberts, was said to be a criminal mastermind and technical wunderkind who never left a trail. It was all very hackerish and clandestine.
And yet, today the FBI shut down the site and arrested Dread Pirate Roberts. "This is supposed to be some invisible black market bazaar. We made it visible," an FBI spokesperson told Forbes after the bust. "No one is beyond the reach of the FBI. We will find you."
This was all very alarming for the community of Silk Road users who believed that technology was keeping them safe. Actually, it was alarming for anyone who uses the Tor network for privacy — which includes journalists, activists, and even law enforcement. How could FBI take down a site protected by Tor, the gold standard for anonymity?
How could the FBI take down a site protected by Tor, the gold standard for anonymity?
Tor stands for The Onion Router, a reference to its layers of security. Tor has two main functions: one for users, one for website operators. First, Tor protects users who want to mask their activities on the web; connect to Tor, and your data will be bounced around, making random stops, until its true origin is nearly impossible to identify.
"The idea is similar to using a twisty, hard-to-follow route in order to throw off somebody who is tailing you — and then periodically erasing your footprints," according to the nonprofit Tor Project, which leads development on the open source software. Users who bought and sold on the Silk Road were all signed into Tor at the time.
The second use case for Tor is to protect websites by requiring that all traffic to the site be untraceable. These "hidden services" are only accessible through Tor, creating a second, secret internet that some call the "dark web." These sites are invisible to Google's spiders, and there is no search engine for the dark web. Users must be signed into Tor and must know the exact address of where they're going. In theory, assuming other precautions are taken with the actual software running the server, Tor should protect websites from revealing the location of their servers.
The FBI managed to locate the server that was hosting Silk Road, however. So does this mean Tor failed?
"Tor is not broken."
While it is possible that the FBI discovered some vulnerability in Tor that was not disclosed in the criminal complaint, it seems much more likely that this was old-fashioned police work. Dread Pirate Roberts made a number of errors, according to the FBI, including connecting to the Silk Road server using only a Virtual Private Network and not Tor and using an email address that contained his real name in a way that could be traced back to Silk Road. The police even intercepted a Silk Road package containing nine pieces of fake identification with the photo of the man they eventually arrested.
"Tor is not broken," Karen Reilly, development director at the Tor Project, said in an email. "According to the criminal complaint, the accused was found through mistakes in operational security. Tor can not protect you if you use your legal name on a public forum, use a VPN with logs that are subject to a subpoena, or use any other services that collect personal information that is freely given or collected in the background."
In other words, it looks like this was a case of sloppiness.
The FBI says in its complaint that it obtained an "image" of the Silk Road server, which is a technical term in computer forensics that refers to a bit-for-bit copy. That usually means the data was obtained from a service provider, Chester Wisniewski, a senior security advisor for network security firm Sophos, told The Verge. Even if the server was hosted outside the US, Silk Road was trafficking in drugs, guns, hacking software, child pornography, and even murder-for-hire.
"That's the problem with Silk Road," Wisniewski says. "If you're dealing in stolen music and software, you can get away with that all day long. Once you start engaging in the variety of things that were going on at places like Silk Road, there's almost always a violation of the law. Any country at some point will comply with a lawful request for data."
Indeed, the complaint says the image was obtained via a Mutual Legal Assistance Treaty request, suggesting cooperation with a foreign government. Having a copy of the server would have allowed the FBI to comb through private messages and turn up more ways to find Dread Pirate Roberts. The FBI has held back on releasing all the details of its investigative techniques, and some won't be revealed until a trial, if ever. The complaint refers to persons "known and unknown" who helped Dread Pirate Roberts, suggesting that maybe the FBI knew administrators or mods who could have been turned into informants.
The FBI has held back on releasing all the details
It's also possible that the data was obtained from the server through some kind of virus or malware injected by the FBI, which wouldn't be Tor's fault, either. The FBI has in the past used malware to compromise servers for hidden services, as it admitted two weeks ago in connection with the bust of a company that provided hosting for them. However, that doesn't seem to be what happened in this case.
"Tor is still the single biggest leap forward in my lifetime for anonymity on the internet," says Steve Santorelli, a former Scotland Yard detective and spokesperson for Team CYMRU, a security research firm focused on the internet. "Literally, people's lives get saved because of Tor. But there are so many different ducks that need to be lined up for you to be completely bombproof. That's why people go to jail."
We'll email you a reset link.
If you signed up using a 3rd party account like Facebook or Twitter, please login with it instead.
Choose an available username to complete sign up.
In order to provide our users with a better overall experience, we ask for more information from Facebook when using it to login so that we can learn more about our audience and provide you with the best possible experience. We do not store specific user data and the sharing of it is not required to login with Facebook.