Silk Road Investigation: More Evidence Supports 'Parallel Construction' Theory
#1
Ever since the government first declared it had located the Silk Road server linked to Dread Pirate Roberts (allegedly Ross Ulbricht) thanks to a leaky CAPTCHA, there have been questions about the plausibility of this explanation. Ulbricht's attorneys suggested it wasn't the FBI, but rather the NSA, who tracked the alleged Silk Road mastermind down. This suggested parallel construction, something federal agencies have done previously to obscure the origin of evidence and something the FBI actively encourages local law enforcement agencies to do when deploying cell tower spoofers.

Technical documents filed in response to discovery requests seem to solidify the parallel construction theory. Brian Krebs at Krebs on Security and Robert Graham at Errata Security have both examined the government's filings (the Tarbell Declaration [pdf]) and noted that what the government said it did doesn't match what's actually on display.

Krebs' article quotes Nicholas Weaver, a researcher at the International Computer Science Institute at Berkeley, who points out that where the FBI agents say they found the leak doesn't mesh with the server code and architecture.
Quote:“The IP address listed in that file — 62.75.246.20 — was the front-end server for the Silk Road,” Weaver said. “Apparently, Ulbricht had this split architecture, where the initial communication through Tor went to the front-end server, which in turn just did a normal fetch to the back-end server. It’s not clear why he set it up this way, but the document the government released in 70-6.pdf shows the rules for serving the Silk Road Web pages, and those rules are that all content – including the login CAPTCHA – gets served to the front end server but to nobody else. This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server.”

Translation: Those rules mean that the Silk Road server would deny any request from the Internet that wasn’t coming from the front-end server, and that includes the CAPTCHA.
Weaver says that FBI agents would have been served nothing at all when attempting to access the server without using Tor. The server simply wasn't leaking into the open web. The more likely explanation is that the FBI contacted the IP directly and accessed a PHPMyAdmin page.

Robert Graham's analysis of the documents notes something slightly different than Weaver, but still arrives at the same conclusion.
Quote:Brian Krebs quotes Nicholas Weaver as claiming "This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server". This is wrong, the web server accept all TCP connections, though it may give a "403 forbidden" as the result.
Even with this detail being off, the parallel construction theory still fits. Graham notes that the Tarbell Declaration (the filing that contains the official explanation of how the Silk Road server was accessed) is noticeably light on supporting documentation -- like screenshots, packet logs or code snippets.

Now that the government has been forced to hand over more technical documentation, it's original story is falling apart.
Quote:Since the defense could not find in the logfiles where Tarbell had access the system, the prosecutors helped them out by pointing to entries that looked like the following:

199.170.71.133 - - [11/Jun/2013:16:58:36 +0000] "GET / HTTP/1.1" 200 2616 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

199.170.71.133 - - [11/Jun/2013:16:58:36 +0000] "GET
/phpmyadmin.css.phpserver=1〈=en&collation_connection=utf8_general_ci&token=451ca1a827cda1c8e80d0c0876e29ecc&js_frame
=right&nocache=3988383895 HTTP/1.1" 200 41724 "http://193.107.86.49/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

However, these entries are wrong. First, they are for the phpmyadmin pages and not the Silk Road login pages, so they are clearly not the pages described in the Tarbell declaration. Second, they return "200 ok" as the error code instead of a "401 unauthorized" login error as one would expect from the configuration. This means either the FBI knew the password, or the configuration has changed in the meantime, or something else is wrong with the evidence provided by the prosecutors.
The NSA as the purposefully-missing link makes sense. First off, Ulbricht's back end server was located in Iceland. Graham points out basic authentication was provided by this server via Port 80. If the NSA was monitoring traffic in and out of Iceland (as it is legally able to do), it could easily have captured a password for this server.

Furthermore, the front end server (located in Germany -- also within the NSA's established dragnet) would return "forbidden" errors when accessed outside of Tor, but would not when accessing PHP files (as Weaver noted). To get to the admin page, other possibly non-NSA-related tactics could have been used. (Graham suggests a couple of different methods well within the FBI's technical grasp and abilities -- "scanning the entire Internet for SSL servers, then searching for the string "Silkroad" in the resulting webpage" or doing the same but correlating the results with traffic traveling across the Tor onion connection.) However, none of the above is suggested by Tarbell's recounting of the events. In fact, the official narrative is vague enough that almost any explanation could fit.
Quote:Tarbell doesn't even deny it was parallel construction. A scenario of an NSA agent showing up at the FBI offices and opening a browser to the IP address fits within his description of events.
Graham calls the declaration from Special Agent Tarbell "gibberish" (and points out that Ulbricht's opsec "sucks"). Ulbricht's legal team is still pushing for the government to explain why its declaration doesn't match the details it's handed over during discovery. A new filing by his attorney, Joshua Horowitz, isn't much kinder, calling the declaration "implausible." [pdf link] The presiding judge has given the government until the end of Monday to respond to Horowitz's filing… if it wants to. [pdf link]
Quote:Defendant has submitted a declaration from Joshua Horowitz in support of his motion and request for an evidentiary hearing.

If the Government has any response to the factual statements (and/or relevance of the factual statements) asserted therein, it should file such response by C.O.B., October 6, 2014 (if possible).
The government may not feel compelled to respond. A filing from earlier in September (but added to the docket on Oct. 1st) suggests it's pretty much done discussing Ulbricht's "NSA boogeyman." [pdf link]
Quote:In light of these basic legal principles, the Government objects to the September 17 Requests as a general matter on the ground that no adequate explanation has been provided as to how the requested items are material to the defense. Most of the requests appear to concern how the Government was able to locate and search the SR Server. Yet the Government has already explained why, for a number of reasons, there is no basis to suppress the contents of the SR Server:

(1) Ulbricht has not claimed any possessory or property interest in the SR Server as required to establish standing for any motion to suppress;
(2) the SR Server was searched by foreign law enforcement authorities to whom the Fourth Amendment does not apply in the first instance;
(3) even if the Fourth Amendment were applicable, its warrant requirement would not apply given that the SR Server was located overseas; and
(4) the search was reasonable, given that the FBI had reason to believe that the SR Server hosted the Silk Road website and, moreover, Ulbricht lacked any expectation of privacy in the SR Server under the terms of service pursuant to which he leased the server.


Particularly given these circumstances, it is the defendant’s burden to explain how the contents of the SR Server were supposedly obtained in violation of the defendant’s Fourth Amendment rights and how the defendant’s discovery requests are likely to vindicate that claim. The defense has failed to do so, and the Government is unaware of any evidence – including any information responsive to the defense’s discovery requests – that would support any viable Fourth Amendment challenge. Instead, the defense’s discovery requests continue to be based on mere conjecture, which is neither a proper basis for discovery nor a proper basis for a suppression hearing.
The response document notes that it has already responded with several documents, won't be responding to a host of other requests, but most tellingly, says the government is "not aware" of any supporting documentation for Agent Tarbell's declaration. (As noted by Robert Graham, the declaration as written is "impossible to reconstruct," with the lack of technical details being a large part of that.)
Quote:5. The name of the software that was used to capture packet data sent to the FBI from the Silk Road servers.

Other than Attachment 1, the Government is not aware of any contemporaneous records of the actions described in paragraphs 7 and 8 of the Tarbell declaration. (Please note that Attachment 1 is marked “Confidential” and is subject to the protective order entered in this matter.)

6. A list of the “miscellaneous entries” entered into the username, password, and CAPTCHA fields on the Silk Road login page, referenced in the SA Tarbell’s Declaration, at ¶ 7.

See response to request #5.

7. Any logs of the activities performed by SA Tarbell and/or CY-2, referenced in ¶ 7 of SA Tarbell’s Declaration.

See response to request #5.

8. Logs of any server error messages produced by the “miscellaneous entries”referenced in SA Tarbell’s Declaration.

See response to request #5.

9. Any and all valid login credentials used to enter the Silk Road site.

See response to request #5.

10. Any and all invalid username, password, and/or CAPTCHA entries entered on the Silk Road log in page.

See response to request #5.

11. Any packet logs recorded during the course of the Silk Road investigation, including but not limited to packet logs showing packet headers which contain the IP address of the leaked Silk Road Server IP address [193.107.86.49].

See response to request #5.
Parallel construction matters, but the government claims it doesn't. It will probably continue to declare it a non-issue so long as the courts agree that Ulbricht's Fourth Amendment rights weren't violated. Ulbright's Fourth Amendment defense is admittedly a disaster, making claims that have nearly no chance of holding up under judicial scrutiny. The Silk Road indictment is a lousy test case for challenging parallel construction.

But parallel construction spills over into purely domestic investigations where Fourth Amendment rights are supposedly guaranteed. As long as the "expectation of privacy" isn't violated -- according to the government's definition of what does and doesn't enjoy this "expectation" -- the origin of the evidence isn't really up for discussion, according to the government's own filing. And what the government says here is that what was ultimately obtained matters more than how it was obtained. Parallel construction covers up invasive surveillance and investigative tactics, providing courts with evidence that looks clean but was illicitly gathered.

Originally Published: Mon, 06 Oct 2014 14:58:35 GMT
source
Reply
#2
Judge Katherine Forrest has shot down Ross Ulbricht's defense team's motion to suppress evidence it claims was acquired illegally by the FBI. The FBI asserted in its response to the motion that Ulbricht had expressed no privacy interest in the alleged Silk Road servers located in Iceland. The FBI further claimed that it needed no legal permission (i.e., a warrant) to hack foreign servers during criminal investigations.

Those hoping to hear an argument on the legal merits of the FBI's claims will just have to keep hoping. As was noted earlier, the DOJ's response put Ulbricht in an unenviable position: either claim the disputed servers as your own or kiss any hopes of suppressing evidence under Fourth Amendment claims goodbye. From Judge Forrest's ruling [pdf link]:
Quote:Defendant has, however, brought what he must certainly understand is a fatally deficient motion to suppress. He has failed to take the one step he needed to take to allow the Court to consider his substantive claims regarding the investigation: he has failed to submit anything establishing that he has a personal privacy interest in the Icelandic server or any of the other items imaged and/or searched and/or seized. Without this, he is in no different position than any third party would be vis-a-vis those items, and vis-a-vis the investigation that led U.S. law enforcement officers to Iceland in the first place.
To make this claim and secure the attendant privacy protections (or at least attempt to), Ulbricht would have needed to demonstrate to the court his interest in the Icelandic servers. Doing so would possibly result in him incriminating himself, which would rub up against the Fifth Amendment. Unfortunately, in all the paperwork filed disputing the FBI's evidence and its questionable origins, the possible Fifth Amendment concerns were never raised. Judge Forrest points out one possible remedy, albeit one that seems to have passed its expiration date.
Quote:[D]efendant could have established such a personal privacy interest by submitting a sworn statement that could not be offered against him at trial as evidence of his guilt (though it could be used to impeach him should he take the witness stand). Yet he has chosen not to do so.

In short, despite defendant's assertions and the potential issues he and his counsel raise regarding the investigation that led to the Icelandic server, he has not provided the Court with the minimal legal basis necessary to pursue these assertions. Thus, the declaration submitted by Joshua J. Horowitz, Esq. (ECF No. 70) along with all the arguments regarding the investigation and the warrants based on it are not properly before this Court.
Further down in the ruling, Judge Forrest notes that the court will not be spending any more time trying to discern whether the FBI's hacking of the alleged Silk Road servers falls within the bounds of legality. Again, this decision traces directly back to Ulbricht's privacy interests in the servers themselves.
Quote:Here, the Court does not know whether Ulbricht made a tactical choice because he is-as they say-between a rock and a hard place, or because he truly has no personal privacy interest in the servers at issue. It is clear, however, that this Court may not proceed with a Fourth Amendment analysis in the absence of the requisite interest. If a third party leased a server on which the Government unlawfully intruded in the investigation that led to the Icelandic server, under Katz, Rakas, Payner, and a host of other case law, that is no basis for an assertion by Ulbricht that his Fourth Amendment rights were violated. Thus, whatever methods used-lawful or unlawful-are beyond this Court's purview.
So, whatever the methods were -- whether it was parallel construction used to cover up NSA involvement or the FBI declaring itself above the law when operating outside the US -- the government is free to use them again and again until faced with a better legal challenge.

Originally Published: Tue, 14 Oct 2014 08:11:01 GMT
source
Reply


Possibly Related Threads…
Thread Author Replies Views Last Post
  Is the silk road still operating? Ladyanne3 0 6,590 Dec 04, 2022, 09:09 am
Last Post: Ladyanne3
  Old Town Road (complaint) soulcity 4 14,244 Aug 18, 2019, 12:11 pm
Last Post: soulcity
  The real reason for the U.S. government's Silk Road takedown Hary1946 0 10,135 Jun 03, 2015, 18:37 pm
Last Post: Hary1946
  Police Officer: Sex With A Minor, Theft Of Services And Destruction Of Evidence Mike 0 9,201 Nov 15, 2014, 04:09 am
Last Post: Mike
  Guy Accused Of Operating Silk Road 2.0 Arrested In SF... Just Like The Last One Mike 0 9,420 Nov 07, 2014, 05:11 am
Last Post: Mike



Users browsing this thread: 1 Guest(s)