Confusing Privacy with Security: The Fatal Mistake
16th November 2018
On a recent long-haul flight, I took the opportunity to devour a, quite frankly, insane volume of podcast episodes. Keeping up-to-date with so many different series means I am never short of something to listen to, with compelling -- albeit one-sided -- conversation just a touch of my phone screen away.
Eventually, I got to an episode of the true crime podcast, Casefile. This dramatic, no-holds-barred series (complete with an ominously-voiced and nameless host) delved into a topic that fascinates even the most knowledgeable and savvy technologists: the deep web, and the cataclysmic ascension of contraband trade website, Silk Road. Split into two parts, those familiar with the rise and fall of Silk Road would have undoubtedly followed news on the case, but the podcast divulges every little detail, in delicious, edge-of-seat narrative.
The Silk Road: Lessons From The Deep Web Dungeon
If you’re not intimate with the ins-and-outs of Silk Road, the TL;DR summary is that a man built a trade website on the deep web, hidden from the prying eyes of the general public and unviewable without the use of special software - the Tor browser, to be exact. The site initially only offered his homegrown magic mushrooms, but, virtually overnight, exploded with vendors offering everything from hardcore drugs to illegal weapons and stolen credit card details. You can get up to speed here. The creator and site admin went by the Princess Bride-inspired pseudonym, Dread Pirate Roberts. He was everyone, he was no-one. All users traded a veritable bounty of illegal goods, and they did it completely anonymously (and in the process, got Bitcoin a reputation as the drug dealer currency of choice; a moniker it is only just beginning to shake).
However, Dread Pirate Roberts’ anti-establishment experiment was a beast unto its own. Soon, hitmen were advertising their services. Bad people were doing bad things… and he was intoxicated by his newfound unfathomable wealth. He even tried to utilize the services of an advertised hitman to dispose of a former employee. Long story short, this was one of many knuckle-headed decisions that brought about his undoing. He has been unmasked as Ross Ulbricht and he is currently rotting in a US jail cell, serving a double life sentence plus forty years without the possibility of parole.
But, how was he caught if everything was completely private and anonymous?
Well, to put it bluntly: he was a pretty crappy coder. The Silk Road site itself was like a leaky old barge marooned in the ocean. Considering it was a hub of illegal activity (and all the data behind that activity), it was not secure at all; it was a sitting duck just waiting to be exploited by an opportunistic hacker. To be fair, when you’re the mastermind of a huge, illegal drug trafficking business, it’s probably not easy to find competent employees who would like to get involved with your operation. He made no secret of his skills gap, either - he even posted under his real name on Stack Overflow (yep, that’s his user account), asking for help to properly configure his site code to connect with Tor using Curl in PHP. He changed his real name to the handle “frosty” less than a minute after posting, but this clearly didn’t help… in fact, it probably did further damage: the encryption key on the Silk Road server ended with the substring “frosty@frosty”, thus implicating him further once the FBI caught wind of his scent.
Despite such a huge push for privacy, with encrypted messaging, currency and explicit instructions on securing the contraband itself in transit and delivery, the site was not the impenetrable fortress of libertarian fantasia that Ulbricht may have envisioned. Those with the skills (read: programmers employed by the FBI) slowly, but surely, unraveled it to reveal everything… including the identities of thousands of people who transacted on the site. It’s possible that those who purchased naughty goods many years ago are still going to get a knock on the door from the long arm of the law at some point, like this guy in Germany. Yikes.
The FBI released documentation outlining how they were able to penetrate Silk Road, with the general explanation being that of utilizing an IP address leak. A misconfiguration of the Silk Road login page revealed the IP address and thus the physical location of its servers, without any underhanded hacking required. A rookie error, to be sure, and one which eventually led the FBI straight to Ross Ulbricht.
There is speculation that this flaw - if it did exist - would have been spotted long before this moment in time by one of the many security professionals monitoring the site. Nik Cubrilovic, an Australian security consultant, claims in an interview with WIRED that it simply wasn’t there:
"There’s no way you can be connected to a Tor site and see the address of a server that’s not a Tor node. The way they’re trying to make a jury or a judge believe it happened just doesn’t make sense technically."
Cubrilovic then goes on to suggest that the information may have been obtained by illegal hacking practices. The practice most often named is SQL injection, an unproven rumor that has since been discussed on many sites as a plausible method of extraction.
The legalities surrounding the tactics of the FBI are an entirely separate discussion. The fact the information could be obtained at all is indicative of Silk Road’s poor security practices, despite the general user understanding of the site being “private”. When privacy is confused with security, the possibility of exposure to vulnerabilities is most certainly increased.
There is also the possibility that the site would still be running (in its original form, anyway; it has been resurrected several times, and there are even larger sites just like it operating right now) if Ross Ulbricht had made the distinction between privacy and security, actively working to ensure both before it grew into a giant heat lamp, attracting every unsavory crook with slightly above-average tech knowledge on the planet. Instead, the private club and all its secrets were revealed the moment someone found a way to open the door.
You’re not a drug lord, so why should you care?
The loss of Silk Road and imprisonment of its founder is not a sad, sympathetic tale, but it is a fascinating case study into the nuanced differences between privacy and true, robust site security. There are many legitimate operations that require transactions and information to be private - think digitized medical records, or even the millions of credit card numbers held by a large bank - but if they are not also secured with iron-clad software development, that information could be cherry-picked by an attacker (and, ironically, end up on a site like Silk Road). Privacy does not exist without security.
The good guys, like you, could have software that is vulnerable to SQL injection attacks and other vulnerabilities from the OWASP Top 10, so it is vital that these are prepared for and mitigated efficiently. If developers are trained to code securely from the very start of the process, these flaws won’t see the light of day. It is imperative that organizations adopt a security mindset and empower their dev teams to code securely. We can show you how to do it the fun, measurable and gamified way. Are you ready?
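As an added example (not code from the original post) of the point the article makes about the rumored SQL injection and the OWASP Top 10: a Tor hidden service hides where the server is, not what its login handler does with form input. The users table, the single account and its password below are constructed for the demo; the lookup built by string concatenation executes whatever the form sends, while the parameterized one treats it as data.

```python
"""Vulnerable vs. parameterized user lookup for a login form (added example, not
code from the original post). Assumed for the demo: a SQLite users table with a
salted PBKDF2 hash, one constructed account, and a lookup-then-verify login."""
import hashlib
import hmac
import os
import sqlite3

ITERATIONS = 100_000  # PBKDF2 work factor chosen for the demo


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def build_demo_db() -> sqlite3.Connection:
    """Constructed sample data: one account; the password is never stored in clear."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("vendor1", salt, hash_password("correct horse", salt)))
    conn.commit()
    return conn


def find_user_vulnerable(conn, name: str):
    """The mistake: form input is spliced into the SQL text, so the database
    runs whatever the form sends. Kept only to make the failure concrete."""
    query = f"SELECT name, salt, pw_hash FROM users WHERE name = '{name}'"
    return conn.execute(query).fetchone()


def find_user_safe(conn, name: str):
    """The fix: a bound parameter is always data, never SQL, whatever it contains."""
    query = "SELECT name, salt, pw_hash FROM users WHERE name = ?"
    return conn.execute(query, (name,)).fetchone()


def verify_login(conn, name: str, password: str, finder=find_user_safe) -> bool:
    """Look up the account with `finder`, then compare hashes in constant time."""
    row = finder(conn, name)
    if row is None:
        return False
    _, salt, stored = row
    return hmac.compare_digest(stored, hash_password(password, salt))
```

With the input `x' OR name = 'vendor1` (not a real account), the parameterized lookup finds nothing, while the concatenated one hands back vendor1's row because the quote closed the string and the rest became SQL.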