Documents Released In Silk Road Case Add More Evidence To The 'Parallel Construction' Theory

from the it's-not-HOW-we-got-it,-it's-what-we-HAVE dept

Ever since the government first declared it had located the Silk Road server linked to Dread Pirate Roberts (allegedly Ross Ulbricht) thanks to a leaky CAPTCHA, there have been questions about the plausibility of this explanation. Ulbricht’s attorneys suggested it wasn’t the FBI, but rather the NSA, who tracked the alleged Silk Road mastermind down. This suggested parallel construction, something federal agencies have done previously to obscure the origin of evidence and something the FBI actively encourages local law enforcement agencies to do when deploying cell tower spoofers.

Technical documents filed in response to discovery requests seem to solidify the parallel construction theory. Brian Krebs at Krebs on Security and Robert Graham at Errata Security have both examined the government’s filings (the Tarbell Declaration [pdf]) and noted that what the government said it did doesn’t match what’s actually on display.

Krebs’ article quotes Nicholas Weaver, a researcher at the International Computer Science Institute at Berkeley, who points out that where the FBI agents say they found the leak doesn’t mesh with the server code and architecture.

“The IP address listed in that file — 62.75.246.20 — was the front-end server for the Silk Road,” Weaver said. “Apparently, Ulbricht had this split architecture, where the initial communication through Tor went to the front-end server, which in turn just did a normal fetch to the back-end server. It’s not clear why he set it up this way, but the document the government released in 70-6.pdf shows the rules for serving the Silk Road Web pages, and those rules are that all content – including the login CAPTCHA – gets served to the front end server but to nobody else. This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server.”

Translation: Those rules mean that the Silk Road server would deny any request from the Internet that wasn’t coming from the front-end server, and that includes the CAPTCHA.

Weaver says that FBI agents would have been served nothing at all when attempting to access the server without using Tor. The server simply wasn’t leaking into the open web. The more likely explanation is that the FBI contacted the IP directly and accessed a PHPMyAdmin page.

Robert Graham’s analysis of the documents notes something slightly different than Weaver, but still arrives at the same conclusion.

Brian Krebs quotes Nicholas Weaver as claiming “This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server”. This is wrong, the web server accept all TCP connections, though it may give a “403 forbidden” as the result.

Even with this detail being off, the parallel construction theory still fits. Graham notes that the Tarbell Declaration (the filing that contains the official explanation of how the Silk Road server was accessed) is noticeably light on supporting documentation — like screenshots, packet logs or code snippets.

Now that the government has been forced to hand over more technical documentation, it’s original story is falling apart.

Since the defense could not find in the logfiles where Tarbell had access the system, the prosecutors helped them out by pointing to entries that looked like the following:

199.170.71.133 – – [11/Jun/2013:16:58:36 +0000] “GET / HTTP/1.1” 200 2616 “-” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36”

199.170.71.133 – – [11/Jun/2013:16:58:36 +0000] “GET
/phpmyadmin.css.phpserver=1&lang=en&collation_connection=utf8_general_ci&token=451ca1a827cda1c8e80d0c0876e29ecc&js_frame
=right&nocache=3988383895 HTTP/1.1″ 200 41724 “http://193.107.86.49/” “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36”

However, these entries are wrong. First, they are for the phpmyadmin pages and not the Silk Road login pages, so they are clearly not the pages described in the Tarbell declaration. Second, they return “200 ok” as the error code instead of a “401 unauthorized” login error as one would expect from the configuration. This means either the FBI knew the password, or the configuration has changed in the meantime, or something else is wrong with the evidence provided by the prosecutors.

The NSA as the purposefully-missing link makes sense. First off, Ulbricht’s back end server was located in Iceland. Graham points out basic authentication was provided by this server via Port 80. If the NSA was monitoring traffic in and out of Iceland (as it is legally able to do), it could easily have captured a password for this server.

Furthermore, the front end server (located in Germany — also within the NSA’s established dragnet) would return “forbidden” errors when accessed outside of Tor, but would not when accessing PHP files (as Weaver noted). To get to the admin page, other possibly non-NSA-related tactics could have been used. (Graham suggests a couple of different methods well within the FBI’s technical grasp and abilities — “scanning the entire Internet for SSL servers, then searching for the string “Silkroad” in the resulting webpage” or doing the same but correlating the results with traffic traveling across the Tor onion connection.) However, none of the above is suggested by Tarbell’s recounting of the events. In fact, the official narrative is vague enough that almost any explanation could fit.

Tarbell doesn’t even deny it was parallel construction. A scenario of an NSA agent showing up at the FBI offices and opening a browser to the IP address fits within his description of events.

Graham calls the declaration from Special Agent Tarbell “gibberish” (and points out that Ulbricht’s opsec “sucks”). Ulbricht’s legal team is still pushing for the government to explain why its declaration doesn’t match the details it’s handed over during discovery. A new filing by his attorney, Joshua Horowitz, isn’t much kinder, calling the declaration “implausible.” [pdf link] The presiding judge has given the government until the end of Monday to respond to Horowitz’s filing… if it wants to. [pdf link]

Defendant has submitted a declaration from Joshua Horowitz in support of his motion and request for an evidentiary hearing.

If the Government has any response to the factual statements (and/or relevance of the factual statements) asserted therein, it should file such response by C.O.B., October 6, 2014 (if possible).

The government may not feel compelled to respond. A filing from earlier in September (but added to the docket on Oct. 1st) suggests it’s pretty much done discussing Ulbricht’s “NSA boogeyman.” [pdf link]

In light of these basic legal principles, the Government objects to the September 17 Requests as a general matter on the ground that no adequate explanation has been provided as to how the requested items are material to the defense. Most of the requests appear to concern how the Government was able to locate and search the SR Server. Yet the Government has already explained why, for a number of reasons, there is no basis to suppress the contents of the SR Server:

(1) Ulbricht has not claimed any possessory or property interest in the SR Server as required to establish standing for any motion to suppress;
(2) the SR Server was searched by foreign law enforcement authorities to whom the Fourth Amendment does not apply in the first instance;
(3) even if the Fourth Amendment were applicable, its warrant requirement would not apply given that the SR Server was located overseas; and
(4) the search was reasonable, given that the FBI had reason to believe that the SR Server hosted the Silk Road website and, moreover, Ulbricht lacked any expectation of privacy in the SR Server under the terms of service pursuant to which he leased the server.

Particularly given these circumstances, it is the defendant’s burden to explain how the contents of the SR Server were supposedly obtained in violation of the defendant’s Fourth Amendment rights and how the defendant’s discovery requests are likely to vindicate that claim. The defense has failed to do so, and the Government is unaware of any evidence – including any information responsive to the defense’s discovery requests – that would support any viable Fourth Amendment challenge. Instead, the defense’s discovery requests continue to be based on mere conjecture, which is neither a proper basis for discovery nor a proper basis for a suppression hearing.

The response document notes that it has already responded with several documents, won’t be responding to a host of other requests, but most tellingly, says the government is “not aware” of any supporting documentation for Agent Tarbell’s declaration. (As noted by Robert Graham, the declaration as written is “impossible to reconstruct,” with the lack of technical details being a large part of that.)

5. The name of the software that was used to capture packet data sent to the FBI from the Silk Road servers.

Other than Attachment 1, the Government is not aware of any contemporaneous records of the actions described in paragraphs 7 and 8 of the Tarbell declaration. (Please note that Attachment 1 is marked “Confidential” and is subject to the protective order entered in this matter.)

6. A list of the “miscellaneous entries” entered into the username, password, and CAPTCHA fields on the Silk Road login page, referenced in the SA Tarbell’s Declaration, at ¶ 7.

See response to request #5.

7. Any logs of the activities performed by SA Tarbell and/or CY-2, referenced in ¶ 7 of SA Tarbell’s Declaration.

See response to request #5.

8. Logs of any server error messages produced by the “miscellaneous entries”referenced in SA Tarbell’s Declaration.

See response to request #5.

9. Any and all valid login credentials used to enter the Silk Road site.

See response to request #5.

10. Any and all invalid username, password, and/or CAPTCHA entries entered on the Silk Road log in page.

See response to request #5.

11. Any packet logs recorded during the course of the Silk Road investigation, including but not limited to packet logs showing packet headers which contain the IP address of the leaked Silk Road Server IP address [193.107.86.49].

See response to request #5.

Parallel construction matters, but the government claims it doesn’t. It will probably continue to declare it a non-issue so long as the courts agree that Ulbricht’s Fourth Amendment rights weren’t violated. Ulbright’s Fourth Amendment defense is admittedly a disaster, making claims that have nearly no chance of holding up under judicial scrutiny. The Silk Road indictment is a lousy test case for challenging parallel construction.

But parallel construction spills over into purely domestic investigations where Fourth Amendment rights are supposedly guaranteed. As long as the “expectation of privacy” isn’t violated — according to the government’s definition of what does and doesn’t enjoy this “expectation” — the origin of the evidence isn’t really up for discussion, according to the government’s own filing. And what the government says here is that what was ultimately obtained matters more than how it was obtained. Parallel construction covers up invasive surveillance and investigative tactics, providing courts with evidence that looks clean but was illicitly gathered.





Filed Under: , , , , , , ,
Companies: silk road

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “Documents Released In Silk Road Case Add More Evidence To The 'Parallel Construction' Theory”

Subscribe: RSS Leave a comment
29 Comments
Ninja (profile) says:

Even if such parallel construction is proven and supposing he gets away a free man because the Fourth was violated we’ll only see renewed attempts from the police state crew to further weaken the Fourth (they’d simply delete it if they could but setting up unconstitutional laws already suffice it seems).

There’s really no escape besides having the Congress and the judiciary actually do their jobs. Or have some heads roll, French style.

pixelpusher220 (profile) says:

Re: Re:

I’ve been amazed that Parallel Construction hasn’t become a bigger issue. That there is any hint of extra-judicial shenanigans going on would seem, on it’s face, to introduce ‘reasonable doubt’ to any court proceeding.

If it’s happened once, it’s happened every single time because it’s impossible to prove it didn’t happen.

How this isn’t being handled as a ‘the entire system is rigged’ concept, even in the main stream press boggles my mind.

I’d happily appreciate someone explaining me off this cliff I seem to be on 🙂

beech says:

Re: Response to: Anonymous Coward on Oct 6th, 2014 @ 8:20am

There was an awesome write up on torrentfreak a couple weeks back about TPB’s technical set up, if you’re actually curious I would heartily suggest it. I don’t remember any details, but I think they run a bunch of virtual machines on servers in a bunch of different countries. If one of their servers gets raided they can easily set up another virtual machine with very little down time

Anonymous Coward says:

Re: Re: Re: Re:

Whether an intention is good or bad is in the eye of the beholder. Some of these guys may have thought taking silk road down was worth the cost of corrupting due process. Their intentions were good, and sometimes you have to bend the rules for the greater good, and all that happy bullshit.

This is why ‘good intentions’ are so dangerous. Combine ‘good intentions’ with a lack of understanding for why the system is setup the way it is and disaster will follow.

For the final cliche, those who don’t study history are doomed to repeat it. No one in authority should have the ability to be in a position to corrupt due process without first understanding why it exists in the first place. If this means they have to take a four year course focusing solely on that subject before they can ascend to the control panel of authority, so be it, because liberty will not survive with these ignorant, well intentioned, doofuses at the wheel.

‘Course the above assumes that some or all of them were well intentioned.

Anonymous Coward says:

Re: Re: Re:2 Re:

“Of all tyrannies, a tyranny sincerely exercised for the good of its victims may be the most oppressive. It would be better to live under robber barons than under omnipotent moral busybodies. The robber baron’s cruelty may sometimes sleep, his cupidity may at some point be satiated; but those who torment us for our own good will torment us without end for they do so with the approval of their own conscience.”
C.S. Lewis

http://www.goodreads.com/quotes/19967-of-all-tyrannies-a-tyranny-sincerely-exercised-for-the-good

John Fenderson (profile) says:

Re: Re:

I would, absolutely. The NSA isn’t supposed to be spying on US citizens, and they certainly shouldn’t be involved with domestic law enforcement. At the bare minimum, if they “inadvertently” “collect” communications of US citizens that have no connection to terrorism, they should keep that communication as secret as their other big secrets. They should not be revealing (or even summarizing) that communication to any outside parties, whether they’re law enforcement or not.

Anonymous Coward says:

Isn’t this the same argument the Executive Branch uses to kill US Citizens overseas, far away from any battlefield? “We killed them on foreign soil, so the US Constitutional protections of due process does not apply to them.”

Yet when it comes to the US Gov warrentlessly searching emails in Dublin Ireland. Suddenly US jurisdiction applies on foreign soil.

The law has become twisted, nonsensical words on paper. Words who’s definitions do not even match the meaning of those words in any known dictionary. “The law is whatever I say it is, and applies to wherever I say it applies or does not apply”.

Lunacy! How am I supposed to respect such laws? Fear, force, and incarceration will make me acknowledge such laws. I will never respect these laws, and I’ll hold them in contempt.

Which is fine with the US Gov. They don’t require the respect of the people they rule. They only require obedience and compliance.

Michael Yates (user link) says:

No Support for Parallel Construction

If allowing unethical practices is the only way left for enforcement of law and order, then it is utterly shameful that we even teach law and order to students in elementary school. And did I forget moral science, moral code, idealism,, and the Church. Sneaking in and then publishing private facts is a crime that will not be forgiven by forces that are not evil. Therefore, if US wants to regain its moral stature globally, it has got to slow down NSA activities. We really need that.

Add Your Comment

Your email address will not be published.

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...
Loading...