Furthermore, FBI agents describe using other techniques to obtain information, e.g., fuzzing and packet sniffing. Not only do server logs NOT contain any evidence of this, but the agents did not preserve any evidence of their packet sniffing activities, despite having training in forensic investigation techniques and claiming expertise in these areas.
While it is possible that there were bugs in either the Ubuntu 12.04 hosts or the nginx servers themselves that would have allowed these activities to occur, unlogged, I suspect it would now be up to the prosecution to establish reasonable grounds for believing this to be the case. Likewise, while it is possible that the handful of lines of log pertaining to FBI activities might have been removed from the several million (yes, you read that correctly) lines of log later captured in forensic image, that does strain credulity; again I suspect the prosecution would have to establish that, somehow.
I've no particular interest in this case or in Silk Road, but I cannot help but conclude that the lawyer filing this brief just seriously schooled the FBI.
Unless I missed something, this is the only point in the document where the defense suggests that they couldn't find the log lines provided by the FBI. It seems like a weak claim, since they could have said "could not locate" or "could not find", and suggests that there could have been multiple non-.onion or non-frontend accesses to the frontend and backend servers respectively. Surely the expert would know to 'grep -v', and that should make it easy to determine any access that came from other than the prescribed addresses. This suggests that the logs contradict the claims of inaccessibility.
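The "grep -v" check the comment describes, as an added example that is not part of the thread: filter an nginx access log down to the lines whose client address is outside an allow-list (for a Tor frontend that would be the local Tor daemon; for a backend, the frontend's address). The log lines and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread. Lists nginx access-log lines whose client
# address is not one of the expected ("prescribed") addresses.
# The sample log and the addresses below are constructed for this example.
ACCESS_LOG="$(mktemp)"
cat >"$ACCESS_LOG" <<'EOF'
127.0.0.1 - - [07/Jun/2013:10:01:02 +0000] "GET /login HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
10.0.0.5 - - [07/Jun/2013:10:01:05 +0000] "GET /index.php HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.44 - - [07/Jun/2013:10:02:11 +0000] "GET /login HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
127.0.0.1 - - [07/Jun/2013:10:02:30 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2013:10:03:00 +0000] "GET /phpmyadmin/ HTTP/1.1" 403 162 "-" "curl/7.30"
EOF

# external_hits LOG ALLOWED...: print every line whose first field (the client
# address in nginx's combined log format) is not one of the ALLOWED addresses.
external_hits() {
    log="$1"; shift
    # with no allow-list every line is "external"
    [ $# -gt 0 ] || { cat "$log"; return; }
    pattern=""
    for a in "$@"; do
        # escape dots so 10.0.0.5 cannot match 10x0x0x5, then anchor to line start
        # and require the trailing space so 10.0.0.5 does not cover 10.0.0.50
        esc=$(printf '%s' "$a" | sed 's/\./\\./g')
        pattern="${pattern}${pattern:+|}^${esc} "
    done
    grep -Ev "$pattern" "$log"
}

# external_count LOG ALLOWED...: number of such lines, for quick triage
external_count() {
    external_hits "$@" | wc -l | tr -d ' '
}

# show the hits from outside the local Tor daemon and the frontend box
external_hits "$ACCESS_LOG" 127.0.0.1 10.0.0.5
```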
"the account by former Special Agent Tarbell in his Declaration differs in important respects from the government's June 12, 2013, letter to Icelandic authorities. For example, that letter (which is Exhibit A to the government's opposition papers) suggests the possibility of an alternative method for the government's identifying and locating the Silk Road Server;"
"The Government's response to Mr. Ulbricht's omnibus motion filed September 5, 2014, contains a Declaration from former FBI Special Agent Christopher Tarbell, attached hereto as Exhibit 2 (Dkt #57). The Declaration contains a vague explanation of how the IP address of the Silk Road server was initially discovered. For instance, former SA Tarbell asserts that, "[w]hen I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared." Tarbell Decl. at ¶ 8. As explained below, based upon the Nginx server configuration files provided in discovery, that was not possible."
This case now reeks of heavy NSA involvement merely passed to the FBI for the actual enforcement side of things.
I'm not sure if there's actually an angle here, but it would be extremely interesting if the defendants were able to impeach the FBI's evidence to such a degree so as to force an admittance of parallel construction. It's a no brainer that something fishy happened here.
Tbh, I think that is basically their defense if you read between the lines. This defense reads as basically:
"The FBI's explanation isn't technically possible for how they found the IP address therefore this case should be thrown out as they are lying."
The FBI will never admit to parallel construction. They get enough leeway in their testimony, etc. that they can just say "We agree to disagree on what happened" and no one would question them seriously, from a justice system perspective.
If enough doubt is cast, they'll drop this.
I've not been following this closely, so the following question is based just on the above. How do we know that the configuration files that we have now (the ones that would make it impossible to show the login screen to an ordinary browser) were the ones in place at the time Tarbell claims to have seen the login screen via an ordinary browser?
"The mtime for the live-ssl configuration file provided in Item 1 of discovery is June 7, 2013, and the phpmyadmin configuration is July 6, 2013"
I'm not consistent on this. Sometimes I just make a backup with cp, cp the new one in, and cp the backup back if the new one doesn't work.
I honestly have no idea why I mv sometimes and cp sometimes.
I had always imagined - apparently incorrectly - that evidence-gathering requirements in this area would have been more along the lines of imaging the disk bit-for-bit in a controlled, well documented procedure onto another disk which is immediately made read-only in hardware before being placed in the chain of custody. Copies provided in legal proceedings should be verifiably identical.
EDIT: Also not only is it insane that they didn't save the sniffed packets but for a one-shot, unreproducible event like the one the FBI describes they really should have preserved the local environment too. Any number of unknown browser/extension/proxy/system behaviours could have caused that captcha to appear on the screen once. Hell, if they only saw it in the viewport and not, say, the DOM source, it could even be a bug in the system graphics renderer - massively unlikely, yes, but I've seen weirder.
Anything the NSA does is "secret" so the holes in the FBI arguments, in this scenario, would make sense. An interesting result in this case would be if at any point evidence is not permitted for publication. I wonder if the defence could construct a canary for this possible circumstance.
(note how certain civil liberties are dictated by Geo IP location alone -- that is what I mean by "cowboy mode")
Most likely, the NSA got the information around May, tipped off the FBI and the FBI started working on their "PC" story. Unfortunately, Ross was moving his servers and reconfiguring them during this time, making the PC story a bit more difficult to get.
EDIT: I guess the biggest problem here is that the people responsible for actually perpetrating the crimes (e.g. the police officers lying in court) will most likely not be held responsible.
Also, isn't there a new Silk Road already?
(Citation -- wired article I read at some point; maybe someone else can find it.)
We all are wrong sometimes. Shit happens. :)
Not only do you need to obtain access to the server, you also need the private key of its operator. (Which should be kept offline for signing.) If they don't surrender the key, then you cannot compromise their visitors.
This can also be a mitigation for drive-by malware exploits and whatnot.
(I emailed this to LiberationTech last year, no one took any interest in the idea.)
The most secure way right now is to isolate your Tor browsing activities to a virtual machine which is only able to access the internet via Tor.
Create a VM to act as a middle node with 2 NICs, the first of which will connect to the internet and the second of which will connect to the other VM. Disable any unnecessary services, expose only Tor's proxy to the second NIC.
Create the other VM with 1 NIC in the virtual network with the Second NIC on the other VM.
This enforces Tor-only access for the second VM. Any activity must go over Tor or it may not access the internet.
Snapshot the VMs. Always restore the snapshots when beginning a new session.
Setting this up takes some time, but nearly guarantees an exploit cannot escape.
I also recommend disabling unnecessary services which may expose the host to attack (i.e. file sharing and video and mouse acceleration) through the second VM. It may be more secure to use a low-level emulation (QEMU, VirtualBox or VMware with hardware acceleration disabled) rather than a hypervisor-based VM solution for this.
If TOR and Namecoin hooked up, Namecoin could provide a list of page hashes for a given onion address. Better still, interrogate Namecoin's DNS system into TOR and then make Hidden Services accessible via human readable domain names.
I had assumed that everyone would be either on the 'net with their 'net computer or on tor with their tor computer.
Doing both with one computer obviously defeats the purpose, doesn't it?
...Also, the chances of breaking out of a VM into the host are non-zero. Just sayin'.
Or am I missing something?
I don't like the HTTP header idea, 'cause it precludes static content unless you modify the web server. And I don't like external files which are automatically read by the browser because then you run into namespace problems. Keeping everything in the HTML document provides tidy isolation.
My draft specified TOFU; if a site was previously signed and no signature is attached, don't allow any JS. If the signature doesn't match the key cached in the browser, go full noscript.
In fact, it's probably not even enough if they prove something as shocking as the NSA helping them. The NSA could always say that they stumbled upon Silk Road in the course of their anti-terrorism operations. And then instructed the FBI to hide the origins of the tip. We know for a fact that this happens regularly, and AFAIK nobody has ever been punished.
A court could technically toss the evidence as a way to punish the government for not playing fair, even if the law doesn't require it to be suppressed. That provides leverage for bargaining with the government. But evidence as central as this, in such a high-profile case where the defendant was clearly guilty, means that's unlikely. It's more likely for a smaller case where a court wants to rap the government on the knuckles without letting a really bad guy (from their perspective) go free.
FBI's Explanation states (Page 4, Footnote #5) that the admin himself kept logs explaining that there were frequent IP leaks due to misconfiguration of the web server.
At this point aren't we led to believe that he showed multiple cases of mismanagement? From this can we not call bullshit on the very definitive declaration by the defense that the webserver was explicitly configured to deny external connections?
I don't think it necessarily disproves the conclusions of the document, but it calls into question if the author knows nginx as well as he claims to. I'd be happy to be corrected if I'm wrong.
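The misconfiguration the footnote describes (a hidden service's web server reachable on its real IP) is something a config review can catch. As an added example that is neither the case's configuration nor the thread's code, this flags nginx "listen" directives not pinned to loopback; the config text is constructed for the example.

```shell
#!/bin/sh
# Added example, not the thread's or the case's configuration. Reports nginx
# "listen" directives that bind to something other than loopback: a hidden
# service vhost bound to all interfaces answers clearnet requests directly and
# so leaks the server's real IP. The config below is constructed for this example.
NGINX_CONF="$(mktemp)"
cat >"$NGINX_CONF" <<'EOF'
server {
    listen 127.0.0.1:80;          # only reachable through the local Tor daemon
    server_name hidden.local;
    root /var/www/hidden;
}
server {
    listen 443 ssl;               # bare port = every interface, clearnet-reachable
    listen [::]:443 ssl;
    server_name _;
    root /var/www/hidden;
}
EOF

# exposed_listens CONF: print each "listen" directive that is not bound to
# 127.0.0.1, localhost or [::1]. A bare port or 0.0.0.0 means "all interfaces".
# (A unix: socket would also be listed; treat every hit as a review item.)
exposed_listens() {
    sed 's/#.*//' "$1" \
      | grep -E '^[[:space:]]*listen[[:space:]]' \
      | grep -Ev 'listen[[:space:]]+(127\.0\.0\.1|localhost|\[::1\])(:|[[:space:]]|;)' \
      | sed 's/^[[:space:]]*//; s/[[:space:]]*$//'
}

# exposed_count CONF: number of such directives, handy as a CI gate (0 = clean)
exposed_count() {
    exposed_listens "$1" | wc -l | tr -d ' '
}

exposed_listens "$NGINX_CONF"
```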
Every organization is made out of people. Each person grew up somewhere, had interests, went to school, etc before joining the organization.
Some organizations attract some types of people more than other types of people.
Do you think the FBI attracts the sort of people who stayed home in front of their computers on most Friday nights during the best years of their lives?
Said differently: you're better at computers than you realize. Shh.
Here's an example:
Suppose you have drugs in your house, and no one knows that but you. The police may suspect that that's the case, but they need some kind of information that provides probable cause in order to obtain a warrant to search your house.
There are two general categories of ways they could then obtain a warrant: either 1.) they happen to see you carrying drugs or someone else does and reports it or 2.) they break into your house, find drugs, and then request a warrant after the fact to do so.
Now typically option 2 isn't so blatant. More likely is that they break in, find drugs, and then make up some other way that they determined you had drugs. This made up story is called "parallel construction", and it's generally a way to lie and cover up the act of illegally obtained evidence.
If the FBI found the Silk Road IP through an example of scenario 1, then everything's legal. But the FBI's story provides fairly strong indication that scenario 2 is far more likely. If that is the case, then the contents of the server are not admissible in court, nor is anything obtained further down the line from that information.
The result: if scenario 2 is indeed what happened, it doesn't really matter what the legality of the actions committed by the defendant was under US law, as the authorities have no legal knowledge of said activities. Therefore there is no case, and the defendant must be acquitted.
So basically the prosecutors have to explain probable cause to justify the warrant, and that explanation cannot include information that could only be found in the evidence captured as a result of the warrant.
Is there no legal process to ensure that the original warrant request (probable cause justification) is not changed once the warrant is issued? The warrant itself does not have to be public immediately but some aspect of it, like a case# and hash of the document could be preserved as part of the warrant (or embedded in the warrant). I assume these documents form a critical part of the due process.
A better example (albeit more brazen than usual) would be the Federal government illegally breaking into your home. They find the cocaine. That means they can at least tell the local cops that they wouldn't be wasting their time by investigating you.
Perhaps they stumble upon a note on your kitchen table with the name John Garcia. The Feds might also tip off the police that they have reason to believe you may have been working with a John Garcia. Maybe they look at the cellular location logs of your cellphone and John Garcia's. They notice that you're both in an abandoned warehouse on the first Sunday of each month. So they tip off the police that they might want to double their previously non-existent patrols in that area on Sundays.
When you eventually get popped, all the evidence presented at trial looks to be on the up-and-up. An officer patrolling the warehouse district noticed two suspicious men meeting regularly and exchanging boxes. When they ran the license plates, they found that your name came up in the files of some other drug investigation. They had no reason to suspect you personally at the time, but with the suspicious rendezvous they decided to put a tail on you, which doesn't even require probable cause. Eventually, given your pattern of behavior, colored by their expert experience chasing bad guys, they can convince a judge to issue a search warrant.
If their local judges aren't sufficiently pliable, maybe they pop a known drug user who may have crossed your path. They ask him if he knows you. They make sure to tell him that they know you're a drug dealer (the scope of the lies cops can tell is for all practical purposes limitless), and if he tells them about you, they'll be lenient with him. So he lies and says he knows you're a drug dealer. So the cops go back to the judge for a search warrant, telling the judge that an informant has fingered you.
_That_ is parallel construction. The government has very limited resources. It's immensely useful even when all the FBI or NSA does is point the cops in the right direction. It can be so incredibly subtle and indirect that many judges, convinced it happened, still might not consider it to violate 4th Amendment warrant restrictions.
And it's plausible that this is what happened here. The NSA decided to point the FBI in the right direction. They could have even done it through an "informant"--e.g. tipped off a hacker working with the FBI. There are myriad ways to do it. And because the defense has very limited resources, it's almost always impossible to trace the origins of tips all the way back to their source. Eventually the paper trail ends at the footsteps of somebody with a fuzzy memory. What can you do?
And the police can't say "Well, we didn't have a warrant, but we were right so who cares" either.
If they never had probable cause to get images of this server, what gave them the right to a warrant for it?
More importantly, the world needs to know how the heck they did know, so that we all know what the government is capable of.
Ulbricht is still an idiot, and it's no surprise he got caught eventually, but we can't let the police bullshit their way into convicting anyone, even idiots.
Yes, origins of evidence matter.
This doesn't even purport to be written by an expert. It's literally by the guy's defense attorney. They didn't even bother getting an expert to sign off on it.
It's very common to have two highly qualified expert declarations saying the exact opposite of each other.