Funnily enough, I think it may have been Stack Exchange's (SE) somewhat unintuitive registration procedure that did him in.
Stack Overflow requires an OpenID identity in order to ask questions: you cannot sign up without one (though SE now provides their own you can sign up for). You could easily set up your own (and it's surprising that Ulbricht did not), but you could also use any number of providers (e.g., Facebook and Google) that ostensibly know your real name.
When you link your OpenID to SE, SE automatically fills in your name with whatever your OpenID provider has on file. I believe this is where Stack Overflow got his real name from initially. He probably didn't realize this would happen and when he saw that it did, he quickly changed his Stack Overflow profile to the "frosty" moniker.
Though it was absolutely boneheaded (possibly with a fair amount of hubris that he'd never get caught) to have an OpenID identity somewhere with his real name and then use it on an untrusted (to him) third-party site, had the SE login page indicated that it would pull information from his OpenID identity to create his SE profile or emphasized creating an account with SE over logging in with OpenID, he might not have had his name leak in this manner.
There would have been an interstitial page mentioning that his email was being given to Stack Exchange by his OpenID provider.
Depending on exactly when he registered, there may have been (and now always is, when using a third party login iirc) another page on the Stack Overflow side that confirms new account creation and again displays the provided email.
Basically, he clicked through at least one "sending personally identifiable information, are you sure?" page. Maybe more than one.
Disclaimer: Stack Exchange Inc. employee, I've done some work on our user login stuff in the past.
As I understand the parent post it is not about the email that is shared, but it asserts that the real name from the OpenID provider is used as the publicly visible user name on SO. I don't think this is accurate, but I can't see the internals.
The mail address is not problematic anyway in my opinion, as it is not publicly shown on SO.
What I was pointing out was that there was a confirmation of some sort presented to the user indicating that something that personally identified them was being shared.
Stack Overflow does take a "full name" (in OpenID attribute exchange terms) as a user name if provided by an OpenID provider, though we explicitly don't demand it (it is not "required" in AX terms). Exactly how a provider deals with "optional" attribute requests is up to them; in practice I think most everyone ignores it unless it's also public information on their service (i.e. full name == user name).
Offhand I want to say Facebook is the only login option used by > 5% of our users that provides a name. I did not actually confirm that by testing, just working from memory.
You are correct in that Stack Overflow never displays user emails during normal operation, excepting employees and moderators (who are bound to an agreement before accessing such information: http://stackoverflow.com/legal/moderator-agreement ).
Interesting, though I just went through the on-boarding process with a few different providers: Yahoo!, Google, and Facebook:
- Yahoo!: asked to share my personal information and showed a card with my real name and email address. When I completed the association, Stack Overflow used my real name as the profile name.
- Google: Asked to share my email address. When I completed the association, my real name was not used: instead, I got a randomized (userNNNNNN) name.
- Facebook: asked to share my account and indicated that my public profile would be sent. When I hovered over the words "public profile", it indicated that it would include my name. When I completed the association, Stack Overflow used my real name as the profile name.
In all three instances, the interstitial page on Stack Overflow to confirm the association after I granted access with the third party provider only indicated the email address used, not the full name: http://i.imgur.com/mjwds1m.png
Since the confirmation page on Stack Overflow does not indicate what information would be used and where, it would've been up to his third-party OpenID provider to tell him on the page granting access that his real name would be passed along, and—assuming it did—up to him to make the connection that allowing Stack Overflow access to his name would make it immediately public as his profile name.
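The mechanism discussed in the employee's comment above (an optional OpenID AX "full name" attribute becoming the public profile name) and confirmed by the three-provider test just described can be made concrete with a small relying-party simulation. This is an added example, not Stack Exchange's code: the AX parameter names (`openid.ns.<alias>`, `openid.<alias>.mode`, `openid.<alias>.type.*`, `openid.<alias>.value.*`) and the attribute type URIs come from the OpenID AX 1.0 schema, but the function names, the two sample fetch responses (one "Yahoo!/Facebook-like" carrying a name, one "Google-like" carrying only an email) and the person names in them are constructed for illustration. It contrasts the leaky behaviour the thread describes with a variant that never promotes an optional attribute to a public field without explicit confirmation.

```python
"""Relying-party handling of an OpenID AX fetch_response (added example).

Shows why auto-filling the public display name from an *optional* AX
attribute leaks PII, and what the confirmation page should have listed.
Sample responses below are constructed, not captured from any provider.
"""
from urllib.parse import parse_qs
import secrets

AX_NS = "http://openid.net/srv/ax/1.0"
AX_FULLNAME = "http://axschema.org/namePerson"        # real AX schema URI
AX_EMAIL = "http://axschema.org/contact/email"        # real AX schema URI

# Constructed: provider sent both name and email (Yahoo!/Facebook-like).
SAMPLE_WITH_NAME = (
    "openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0"
    "&openid.ext1.mode=fetch_response"
    "&openid.ext1.type.name=http%3A%2F%2Faxschema.org%2FnamePerson"
    "&openid.ext1.value.name=Jane+Example"
    "&openid.ext1.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail"
    "&openid.ext1.value.email=jane%40example.org"
)
# Constructed: provider honoured only the email request (Google-like).
SAMPLE_EMAIL_ONLY = (
    "openid.ns.ext1=http%3A%2F%2Fopenid.net%2Fsrv%2Fax%2F1.0"
    "&openid.ext1.mode=fetch_response"
    "&openid.ext1.type.email=http%3A%2F%2Faxschema.org%2Fcontact%2Femail"
    "&openid.ext1.value.email=jane%40example.org"
)


def parse_ax_response(query: str) -> dict:
    """Return {attribute_type_uri: value} from an AX fetch_response.

    The AX extension is namespaced under an arbitrary alias declared via
    openid.ns.<alias>, so locate the alias instead of assuming 'ax'.
    """
    params = {k: v[0] for k, v in parse_qs(query, keep_blank_values=True).items()}
    alias = next((k[len("openid.ns."):] for k, v in params.items()
                  if k.startswith("openid.ns.") and v == AX_NS), None)
    if alias is None or params.get(f"openid.{alias}.mode") != "fetch_response":
        return {}
    prefix = f"openid.{alias}."
    attrs = {}
    for k, type_uri in params.items():
        if k.startswith(prefix + "type."):
            attr_alias = k[len(prefix + "type."):]
            value = params.get(prefix + "value." + attr_alias)
            if value:
                attrs[type_uri] = value
    return attrs


def random_handle() -> str:
    """Anonymous userNNNNNN-style handle (hypothetical format)."""
    return "user" + secrets.token_hex(3)


def build_profile_leaky(attrs: dict, name_gen=random_handle) -> dict:
    """Behaviour described in the thread: an optional full name, if the
    provider happened to send one, silently becomes the public display name."""
    return {
        "display_name": attrs.get(AX_FULLNAME) or name_gen(),
        "email": attrs.get(AX_EMAIL),
        "public_fields": ["display_name"],
    }


def build_profile_safe(attrs: dict, name_gen=random_handle) -> dict:
    """Defensive variant: optional PII never lands in a public field by
    default; the provider's name is kept only as a private suggestion the
    user must explicitly accept."""
    return {
        "display_name": name_gen(),
        "email": attrs.get(AX_EMAIL),
        "suggested_name": attrs.get(AX_FULLNAME),   # private until confirmed
        "public_fields": ["display_name"],
    }


def consent_summary(profile: dict) -> list:
    """What the account-creation interstitial should show: every field that
    will be publicly visible, with the value it will have."""
    return [(f, profile[f]) for f in profile["public_fields"]]


if __name__ == "__main__":
    attrs = parse_ax_response(SAMPLE_WITH_NAME)
    print("leaky:", consent_summary(build_profile_leaky(attrs)))
    print("safe: ", consent_summary(build_profile_safe(attrs)))
```

The point of `consent_summary` is that the interstitial in the thread showed only the email, which was never going to be public, and omitted the one value that was: the display name. Listing public fields with their actual values is the check that would have surfaced the real name before the profile existed.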
I am really dubious that this is really what brought him down.
Do you think they really investigated everyone they could find that ever asked a public question about Tor hidden services?
If not, what role do you think this evidence played in the investigation? They suspected a few people, but then when they found that one of them had asked this question, and then investigated him more deeply? That seems kinda unlikely to me too.
And of course, the lone fact of asking such a question on StackOverflow is not (yet) enough to indict or arrest someone in America.
They included this piece in their list of evidence, sure; they included it in their press release, for sure, it makes good press (because it's more understandable than most of their stuff, and because it makes them look good).
But I suspect it's really a case of "parallel construction"[1] -- they found this piece of evidence long after they had identified him, in part due to NSA information, but are just pretending it's what tipped them off.
This is not what brought him down, it was just a nail in the coffin. The FBI did the fairly straightforward thing:
1. Look for the oldest mentions of SilkRoad.
2. Investigate the people talking about SilkRoad before it was established.
That's all they had to do; he publicly outed his identity on bitcointalk.org. This article isn't very good...
> Based on forensic analysis of the Silk Road Web Server, I know that the computer code ... includes a customized PHP strip based on 'curl' that is functionally very similar to the computer code described in Ulbricht's posting on Stack Overflow, and includes several lines of code that are identical to lines of code quoted in the posting.
> Oh, and the encryption key on the Silk Road server ended with the substring "frosty@frosty." Whoops.
I don't know if that encryption key was a public key, or if they found it after gaining access to the server. But if it was public, then a search for the username 'frosty' would have turned up the SO profile.
You also can't do 'forensic analysis' on HTML to figure out the PHP code, so they must have used an exploit. Or like you say, it was retrospective, after taking control of the server.
Think about the implications if the court that prosecuted this case threw it out due to unconstitutional intelligence gathering. He doesn't deserve to get off, but wouldn't a decision like that have implications across the US?
I claim no knowledge of legalese other than having watched Law and Order, so if this is ridiculous please edify me.
Think this would fall under "fruit of the poisonous tree". If the source of the evidence is tainted, anything that came from that source is also tainted. This doctrine is well enough established that undermining it would have far greater implications than letting a single lawbreaker go free.
The part where they connected his new StackExchange username to information they pulled from the machine image of Silk Road they'd already made in July.
Finding the machine and busting the VPN that connected to it were the real ways they tracked him down. Oh, and of course the Customs and Border patrol seizure of the forged documents he ordered, during a "routine inspection".
The FBI isn't dumb. They know that 10 SilkRoads will popup in the vacuum they just created. And those new marketplaces won't make the same mistakes SilkRoad just made.
Once they found the server, they had an all-access pass to the most popular black market in modern history. They could just sit back and make bust after bust after bust...
But instead, they exchanged their Palantir for a single arrest of a 20 something San Francisco nerd.
Nah. Cops and prosecutors want the big fish, not the little fishes. The little fishes will always exist, but the harder and more expensive it is to build a place for them to get together, the less likely it is that they'll find places to make their illegal transactions. (Not to mention that big fish make for splashier prosecutions and faster promotions. DAs build a platform from which they can spring into a political career from by nailing big names, not nobodies.)
It's the same reason why they offer plea bargains to low-level drug dealers if they'll give up the people above them in the supply chain: it does more damage to the overall network to take out the one person it all hinges on than to take out lots of people out at the fringes. The network has to reconstitute itself, which is slow and expensive.
"Not to mention that big fish make for splashier prosecutions and faster promotions."
You hit the nail on the head there. Nabbing the "Dread Pirate Roberts" is definitely a career making move for any moderately ambitious investigator or district attorney.
The FBI is just a collection of people. Some dumb, some smart and most fall somewhere in-between.
My guess is the person(s) responsible wanted this on their performance eval ASAP so they can try to make a promotion.
That's just a wild guess of course. Without knowing the team responsible for the bust it's hard to know what the long term goal was but my experience with government work is that most employees are more concerned with their career and paycheck than long term safety and security of the public.
How many of the new Silk Roads will be as successful? The entire idea of this type of marketplace has been tainted and I doubt we'll ever see one of the same magnitude. The feds made a massive bust and simultaneously removed drug money, hurt dealers + buyers, and devalued the bitcoin.
No, but sometimes it does take them a while to re-group and reach mass due to competing markets and segmentation.
Maybe a winning black market site skyrockets rapidly, or maybe this causes trepidation in users and vendors who try to approach things more carefully, test driving many sites instead of flocking en masse to one particular site.
I don't think it's a foregone conclusion that a Silk Road replacement in terms of size and volume will appear in the vacuum; eventually yes, but I'm sure it's probably bought them a few months or years of disruption.
If the FBI sits back, they become complicit in whatever illegal activities were happening. Then you can have situations like the ATF gunwalking scandal (http://en.wikipedia.org/wiki/ATF_gunwalking_scandal) in which the ATF was trying to track smuggled guns up to higher-level suppliers, and had one of those guns used in a murder.
This would presumably go so far as the FBI asking other agencies to cease investigations which might compromise their larger operation. At some point, they will have to act.
Wait - he posted something about php, curl and tor on StackOverflow, using - for less than one minute - his real name? And that is supposed to link to the operator of Silk Road?
I don't know about you, but that seems very far fetched to me. Also, it indicates that SO saves all changes made to a user profile, forever, which I think is a bit unusual.
However, if they caught the right guy, hats off to the prosecutors for making the link.
SE community mod here; SE devs are good old delete-nothing guys, they collect everything ever posted and a lot of metadata. Likely in good faith to fight spam, but bits are bits.
This sounds like incidental corroborative evidence. It hardly seems like it was what "brought down" the site, as claimed by the linked.
The site was likely brought down because the FBI or others found the server and took an image of it, and everything else seems to be backtracking corroboration from that. How did they find the server? Well therein lies the mystery, and it is likely because the FBI and other three letter agencies have a very strong interest in Tor, almost certainly having thousands of nodes that can statistically winnow down to real IPs.
> According to the criminal complaint, Ulbricht posted the question using his own real name. Less than one minute later, he changed his username to “frosty.”
How was it known then? Did they record the traffic and see it there? Did SO tell them?
This sounds a bit too dumb to be the actual dread pirate roberts. Could he be the third owner of the site? IIRC the original DPR just set it up not with some ideals in mind, but just to sell drugs. Then he left it to the next DPR, the one they allegedly busted. Maybe the one they busted is actually the third one?
Similar to the other comments, this seems virtually unrelated to the actual arrest. This article makes it seem as though the single mistake is what allowed DPR to get nabbed, and yet there is a lot more going on in the investigation.
It was a boneheaded mistake but it's not what got him arrested.
So does the guy who answered this get an "Aiding Criminal Masterminds" badge?
In all seriousness, I know that this feeling is irrational, but I would feel pretty terrible if I helped someone on SO and then came to find out they were running a billion dollar criminal enterprise.
I don't think this is what did him in. Posting advertisements for silk road [1] and then posting his personal email address [2] from accounts with the same name seems the more likely cause.
I've posted questions about Tor on stackoverflow using my real name, but I'm not a criminal nor do I have any desire to be a criminal.
It seems odd to me that questions like this on a technology site could somehow be used to incriminate people. Maybe the goal is to prevent people from asking questions.
I've seen this sentiment in several places, and for some reason people have trouble understanding what it means for a piece of evidence to be "incriminating" in a criminal prosecution. It does not mean that the evidence is by itself a sign of anything bad or that anyone considers it to be bad.
Let's use a real world example. The feds might present evidence in a murder trial that the defendant checked into a hotel next to where the murder was committed. Nobody would say that there is anything inherently incriminating about checking into a hotel, or that it's terrible that "checking into a hotel can be used against you." It's just circumstantial evidence putting the defendant near the scene of the crime, even though it is otherwise totally innocuous.
Similarly, nobody is saying there is anything incriminating about using Stack Overflow. But posts you make on Stack Overflow can be a piece of evidence in a chain linking you to a crime, just like a whole host of otherwise innocuous things can serve as that kind of evidence.
I know he has been accused of doing very bad things. I just hate to see Tor and its users vilified like this. Bad people use Tor for bad things, but good people use it for good things too.
And making people feel that simply asking questions about Tor will put them in the same category as hardcore criminals is just wrong. We're not all heartless criminals. In fact, most just want a bit of privacy.
In a sense I almost feel for the guy.. Then again, I don't. The tinfoil hat in me wants to believe that this is all one big FBI / CIA set up and they're looking to see who will try and step up.
Many Feds made their bones on the war on drugs and the jobs and reputations of many more still depend on the war on drugs. Then you have some guy that makes tens of millions selling heroin, cocaine and everything illegal under the sun--online.
Safe to say that unofficially he was FBI's top ten person to catch, he was making a fool of them. And if they want they can tighten lots of screws and even have satellites monitor over an area. As I said on another thread, I suspect that NSA or DEA got his name illegally and then whispered it to certain FBI agents.
Of course for the evidence to be admissible the FBI has to make believe that they got him by his mistakes (parallel construction). Not to suggest that you can hide forever; he should have retired after pocketing $10 million.
Having trouble using curl in php? Because an environment variable wasn't defined? And then ran to SO before trying to print the variable values?..
/facepalm
Edit: Everyday it's the same old shit. One post goes up in votes, another goes down. Why? Who the hell knows. Must've pissed someone off that doesn't know curl.. I swear I have to walk on egg shells in this place. Either way I'm really starting to get tired of this shit. Pull those marshmallow pants up.
I'm not sure about the downvotes either, maybe HN dislikes things like "/facepalm" (I don't care, btw). However I share your disbelief. The guy was running a fairly advanced, high profile, illegal market online and a key piece of evidence linking him to this crime was down to him messing up something really pretty simple in a PHP script and asking on a programming Q&A site - that's pretty astonishing.
It's newbie shit and he got in over his head. What other mistakes did this fool commit?
Think about it. You're setting up a marketplace for dangerous people. People that will kill you if anything goes awry. On the other side are people that want to send you to prison. It behooves you to know WTF you are doing.
I'm not sure what anybody is supposed to get out of your post other than that you claim to know PHP and cURL better than an interesting person did 2 years ago. Why would anyone care?
If you can't work curl you are not the guy to be running an illegal website trying to hide from professionals that most certainly do know how to use curl and every other tool properly. If you can't figure out an environment variable, should you really be building something to handle BTC transactions? No you should not. But he learned that the hard way.