{"id":20904,"date":"2022-12-10T17:45:53","date_gmt":"2022-12-10T16:45:53","guid":{"rendered":"https:\/\/daniel.haxx.se\/blog\/?p=20904"},"modified":"2022-12-12T10:39:44","modified_gmt":"2022-12-12T09:39:44","slug":"curl-sighting-silk-road","status":"publish","type":"post","link":"https:\/\/daniel.haxx.se\/blog\/2022\/12\/10\/curl-sighting-silk-road\/","title":{"rendered":"curl sighting: Silk Road"},"content":{"rendered":"\n<p>In the 2021 movie <a href=\"https:\/\/www.imdb.com\/title\/tt7937254\/?ref_=nv_sr_srsg_0\">Silk Road<\/a>, at around 19:23-19:26 into the film we can see Ross Ulbricht, the lead character, write a program on his laptop that uses curl. A few seconds we get a look at the screen as Ross types on the keyboard and explains to the female character who says <em>I didn&#8217;t know you know how to code <\/em>that he&#8217;s teaching himself to write code.<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><a href=\"https:\/\/daniel.haxx.se\/blog\/wp-content\/uploads\/2022\/12\/Silk-Road-2021.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1920\" height=\"804\" src=\"https:\/\/daniel.haxx.se\/blog\/wp-content\/uploads\/2022\/12\/Silk-Road-2021.png\" alt=\"\" class=\"wp-image-20938\"\/><\/a><\/figure>\n<\/div>\n\n\n<h2 class=\"wp-block-heading\">The code<\/h2>\n\n\n\n<p>Let&#8217;s take a look at the code on the screen. This is PHP code using the well known <a href=\"https:\/\/www.php.net\/manual\/en\/book.curl.php\">PHP\/CURL binding<\/a>. The URL on the screen on line two has really bad contrast, but I believe this is what it says:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">&lt;?php\n  $ch = curl_init(\"http:\/\/silkroadvb5pzir.onion\");\n  $ch = curl_init();\n  curl_setopt($ch, CURLOPT_URL, $url);\n  curl_setopt($ch, CURLOPT_RETURNTRANSFER, true);\n  curl_setopt($ch, CURLOPT_PROXY,                \n              \"http:\/\/127.0.0.1:9050\/\");\n  curl_setopt($ch, CURLOPT_PROXYTYPE, 7);\n  $output = curl_exec($ch);\n  $curl_error = curl_error($ch);\n  curl_cl<\/pre>\n\n\n\n<p><code>.onion<\/code> is a TLD for websites on <a href=\"https:\/\/www.torproject.org\/\">Tor<\/a> so this seems legit as it a URL for this purpose could look like this. But then Ross confuses matters a little. He uses <em>two<\/em> <code>curl_init()<\/code> calls, one that sets a URL and then again a call <em>without<\/em> a URL. He could just have removed line three and four. This doesn&#8217;t prohibit the code from working, it just wouldn&#8217;t have passed a review.<\/p>\n\n\n\n<p>The code then sets a proxy to use for the transfer, specified as an HTTP URL  which is a little odd since the proxy type he then sets on the line below is 7, the number corresponding to <code>CURLPROXY_SOCKS5_HOSTNAME<\/code> &#8211; so not a HTTP proxy at all but a SOCKS5 proxy. The typical way you access Tor: as a SOCKS5 proxy to which you pass the host name, as opposed to resolving the host name locally.<\/p>\n\n\n\n<p>The last line is incomplete but should ultimately be <code>curl_close($ch);<\/code> to close the handle after use.<\/p>\n\n\n\n<p>All in all a seemingly credible piece of  code, especially if we consider it as a work in progress code. The minor mistakes would be soon be fixed.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Credits<\/h2>\n\n\n\n<p>Viktor Szakats spotted this and sent me the screenshot above. Thanks!<\/p>\n","protected":false},"excerpt":{"rendered":"<p>In the 2021 movie Silk Road, at around 19:23-19:26 into the film we can see Ross Ulbricht, the lead character, write a program on his laptop that uses curl. A few seconds we get a look at the screen as Ross types on the keyboard and explains to the female character who says I didn&#8217;t &hellip; <a href=\"https:\/\/daniel.haxx.se\/blog\/2022\/12\/10\/curl-sighting-silk-road\/\" class=\"more-link\">Continue reading <span class=\"screen-reader-text\">curl sighting: Silk Road<\/span> <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":5,"featured_media":20945,"comment_status":"open","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[33,109,186],"class_list":["post-20904","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-curl","tag-curl-and-libcurl","tag-movies","tag-php"],"_links":{"self":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/20904","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/users\/5"}],"replies":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/comments?post=20904"}],"version-history":[{"count":16,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/20904\/revisions"}],"predecessor-version":[{"id":20970,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/posts\/20904\/revisions\/20970"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media\/20945"}],"wp:attachment":[{"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/media?parent=20904"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/categories?post=20904"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/daniel.haxx.se\/blog\/wp-json\/wp\/v2\/tags?post=20904"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}