The FBI Always Gets Its Man 😱😱

White0Hell
Oct 10, 2022

In the science fiction section of the Glen Park branch of the San Francisco Public Library, not far from his apartment, Ross William Ulbricht was engaged in an online customer-support chat for the company he owned. At the time — October of 2013 — the person on the other end of the Internet chat thought he was talking to the site's admin, who went by the Internet name of Dread Pirate Roberts, a name taken from the movie The Princess Bride.

Roberts, also known as DPR, was in fact Ross Ulbricht — not only the admin but also the owner of Silk Road, an online drug emporium, and as such was the subject of a federal manhunt. Ulbricht frequently used public Wi-Fi locations such as the library for his work, perhaps under the mistaken impression that the FBI, should it ever identify him as DPR, would never conduct a raid in a public place. On that day, however, the person with whom Ulbricht was chatting happened to be an undercover FBI agent.

Running an online drug emporium, in which customers could anonymously order cocaine, heroin, and a wide range of designer drugs, required a certain moxie. The site was hosted on the Dark Web and was only accessible through Tor. The site only took Bitcoin as payment. And the creator of Silk Road had been careful, but not careful enough.

A few months before Ulbricht sat in the San Francisco Public Library with the FBI circling him, an unlikely hero connected with the federal manhunt came forward with evidence tying Ulbricht to DPR. The hero, an IRS agent named Gary Alford, had been reading up on Silk Road and its origins, and in the evenings he had been running advanced Google searches to see what he could find. One of the earliest mentions of the Silk Road he found was from 2011.

Someone who went by the name "altoid" had been talking it up in a chat group. Since Silk Road had not yet launched, Alford figured that altoid most likely had inside knowledge of the operation. Naturally, Alford started a search for other references.

He struck gold.

Altoid had posted a question to another chat group — but had deleted the original message. Alford pulled up a response to the now-deleted query that contained the original message. In that message, altoid said that if anyone could answer his question, that person could contact him at rossulbricht@gmail.com.

It was not the last time that slip-up would be made. There were other posted questions, one to a site called Stack Overflow: the original question had been sent in from rossulbricht@gmail.com, but then, remarkably, the sender's name had been changed to DPR.

Rule number 1 about being invisible: you can't ever link your anonymous online persona with your real-world persona. You just can't. There were other linkages established after that. Ulbricht, like DPR, espoused Ron Paul–free market–libertarian philosophies. And at one point Ulbricht had even ordered a set of false IDs — driver's licenses in different names from various states — which drew federal authorities to his doorstep in San Francisco in July of 2013, but at that time the authorities had no idea they were talking with DPR.

Slowly the evidence grew so compelling that one morning in October of 2013, as soon as DPR's customer-support chat began, federal agents began quietly entering the Glen Park library. Then, in a surgical strike, they seized Ulbricht before he could shut down his laptop. Had he shut it down, certain key evidence would have been destroyed. As it was, they were able to photograph the system administration screens for a site called Silk Road moments after the arrest and thereby establish a concrete link between Ulbricht, Dread Pirate Roberts, and Silk Road, thus ending any future hope of anonymity.

On that October morning in Glen Park, Ulbricht was logged in to Silk Road as an administrator. And the FBI knew that because they had been observing his machine logging on to the Internet. But what if he could have faked his location? What if he wasn't in the library at all but using a proxy server instead?

In the summer of 2015, researcher Ben Caudill of Rhino Security announced that not only would he be speaking at DEF CON 23 about his new device, ProxyHam, but he would also be selling it at a cost — around $200 — in the DEF CON vendors' room. Then, approximately one week later, Caudill announced that his talk was canceled and that all existing ProxyHam units would be destroyed. He offered no further explanation.

Talks at major security conferences get pulled for various reasons. Either the companies whose products are being discussed or the federal government puts pressure on researchers to not go public. In this case, Caudill wasnā€™t pointing out a particular flaw; he had built something new.

Funny thing about the Internet: once an idea is out there, it tends to remain out there. So even if the feds or someone else convinced Caudill that his talk was not in the interests of national security, it seemed likely that someone else would create a new device. And thatā€™s exactly what happened.

ProxyHam is, in effect, a very remote access point. Using it is much like putting a Wi-Fi transmitter in your home or office, except that the person using and controlling ProxyHam could be up to a mile away. The Wi-Fi transmitter uses a 900 MHz radio to connect to an antenna dongle on a computer as far as 2.5 miles away. So in the case of Ross Ulbricht, the FBI could have been amassing outside the Glen Park library while he was in someone's basement doing laundry several blocks away.

The need for such devices is clear if you live in an oppressed country. Contacting the outside world through Tor is a risk many take. This kind of device would add another layer of security by masking the geolocation of the requester.

Except someone didn't want Caudill to speak about it at DEF CON. In interviews, Caudill denied that the Federal Communications Commission had discouraged him. Wired speculated that secretly planting a ProxyHam on someone else's network might be interpreted as unauthorized access under America's draconian and vague Computer Fraud and Abuse Act. Caudill refuses to comment on any of the speculations.

As I said, once an idea is out there, anyone can run with it. So security researcher Samy Kamkar created ProxyGambit, a device that essentially replaces ProxyHam. Except it uses reverse cellular traffic, meaning that instead of your being only a few miles from the device when you use it, you could be halfway across the world. Cool!

ProxyGambit and devices like it will of course create headaches for law enforcement when criminals decide to use them.


Student, Programmer, Web Developer, and Social Media Marketing learner.