Documents Released In Silk Road Case Add More Evidence To The 'Parallel Construction' Theory

from the it's-not-HOW-we-got-it,-it's-what-we-HAVE dept

Ever since the government first declared it had located the Silk Road server linked to Dread Pirate Roberts (allegedly Ross Ulbricht) thanks to a leaky CAPTCHA, there have been questions about the plausibility of this explanation. Ulbricht's attorneys suggested it wasn't the FBI, but rather the NSA, who tracked the alleged Silk Road mastermind down. This suggested parallel construction, something federal agencies have done previously to obscure the origin of evidence and something the FBI actively encourages local law enforcement agencies to do when deploying cell tower spoofers.

Technical documents filed in response to discovery requests seem to solidify the parallel construction theory. Brian Krebs at Krebs on Security and Robert Graham at Errata Security have both examined the government's filings (the Tarbell Declaration [pdf]) and noted that what the government said it did doesn't match what's actually on display.

Krebs' article quotes Nicholas Weaver, a researcher at the International Computer Science Institute at Berkeley, who points out that where the FBI agents say they found the leak doesn't mesh with the server code and architecture.

“The IP address listed in that file — 62.75.246.20 — was the front-end server for the Silk Road,” Weaver said. “Apparently, Ulbricht had this split architecture, where the initial communication through Tor went to the front-end server, which in turn just did a normal fetch to the back-end server. It’s not clear why he set it up this way, but the document the government released in 70-6.pdf shows the rules for serving the Silk Road Web pages, and those rules are that all content – including the login CAPTCHA – gets served to the front end server but to nobody else. This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server.”

Translation: Those rules mean that the Silk Road server would deny any request from the Internet that wasn’t coming from the front-end server, and that includes the CAPTCHA.
Weaver says that FBI agents would have been served nothing at all when attempting to access the server without using Tor. The server simply wasn't leaking into the open web. The more likely explanation is that the FBI contacted the IP directly and accessed a PHPMyAdmin page.

Robert Graham's analysis of the documents notes something slightly different than Weaver, but still arrives at the same conclusion.
Brian Krebs quotes Nicholas Weaver as claiming "This suggests that the Web service specifically refuses all connections except from the local host and the front-end Web server". This is wrong: the web server accepts all TCP connections, though it may give a "403 forbidden" as the result.
Even with this detail being off, the parallel construction theory still fits. Graham notes that the Tarbell Declaration (the filing that contains the official explanation of how the Silk Road server was accessed) is noticeably light on supporting documentation -- like screenshots, packet logs or code snippets.

Now that the government has been forced to hand over more technical documentation, its original story is falling apart.
Since the defense could not find in the logfiles where Tarbell had access the system, the prosecutors helped them out by pointing to entries that looked like the following:

199.170.71.133 - - [11/Jun/2013:16:58:36 +0000] "GET / HTTP/1.1" 200 2616 "-" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

199.170.71.133 - - [11/Jun/2013:16:58:36 +0000] "GET /phpmyadmin.css.phpserver=1&lang=en&collation_connection=utf8_general_ci&token=451ca1a827cda1c8e80d0c0876e29ecc&js_frame=right&nocache=3988383895 HTTP/1.1" 200 41724 "http://193.107.86.49/" "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/27.0.1453.110 Safari/537.36"

However, these entries are wrong. First, they are for the phpmyadmin pages and not the Silk Road login pages, so they are clearly not the pages described in the Tarbell declaration. Second, they return "200 ok" as the error code instead of a "401 unauthorized" login error as one would expect from the configuration. This means either the FBI knew the password, or the configuration has changed in the meantime, or something else is wrong with the evidence provided by the prosecutors.
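Graham's two objections can be checked mechanically. The following is an added example (not code from the article, Graham's post, or the case filings) that parses combined-format access-log lines and flags entries that do not fit the declaration: requests for phpMyAdmin rather than the login page, and 200 responses to a client the server configuration should have refused. The first two sample lines are the ones quoted above; the allowed-client set, the `/login` path and the last two lines are assumptions constructed for the example.

```python
import re

# "Combined" access-log format as written by Apache and nginx, one request per line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<proto>HTTP/[\d.]+))?" '
    r'(?P<status>\d{3}) (?P<size>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

# Clients the back-end config is described as allowing: the local host and the
# front-end server (62.75.246.20 is the front-end address quoted from Weaver).
# Treating every other client as "should have been refused" is this example's assumption.
ALLOWED_CLIENTS = {"127.0.0.1", "62.75.246.20"}

# Sample input. The first two lines are the ones the prosecutors pointed to (quoted
# above); the last two are constructed here to show what a consistent entry looks like.
SAMPLE_LOG = [
    '199.170.71.133 - - [11/Jun/2013:16:58:36 +0000] "GET / HTTP/1.1" 200 2616 "-" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/27.0.1453.110 Safari/537.36"',
    '199.170.71.133 - - [11/Jun/2013:16:58:36 +0000] "GET /phpmyadmin.css.phpserver=1'
    '&lang=en&collation_connection=utf8_general_ci&token=451ca1a827cda1c8e80d0c0876e29ecc'
    '&js_frame=right&nocache=3988383895 HTTP/1.1" 200 41724 "http://193.107.86.49/" '
    '"Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) '
    'Chrome/27.0.1453.110 Safari/537.36"',
    # constructed: an outside client requesting the (assumed) login page and being refused
    '203.0.113.7 - - [11/Jun/2013:17:02:11 +0000] "GET /login HTTP/1.1" 403 199 "-" "curl/7.30.0"',
    # constructed: the front-end server fetching the login page, as the split design intends
    '62.75.246.20 - - [11/Jun/2013:17:02:40 +0000] "GET /login HTTP/1.1" 200 5120 "-" "-"',
]


def parse_line(line):
    """Return the fields of one combined-format entry, or None if it does not parse."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def check_entry(entry, allowed=ALLOWED_CLIENTS):
    """Compare one parsed entry with the claimed access path; return the discrepancies."""
    findings = []
    path = entry["path"].lower()
    if "phpmyadmin" in path or "phpmyadmin" in entry["referer"].lower():
        findings.append("phpMyAdmin request, not the Silk Road login page")
    if entry["ip"] not in allowed and entry["status"] == 200:
        findings.append("200 OK to a client the configuration should answer with 401/403")
    return findings


def audit(lines, allowed=ALLOWED_CLIENTS):
    """Run check_entry over raw log lines; unparseable lines are reported separately."""
    report = {"findings": {}, "unparsed": []}
    for i, line in enumerate(lines):
        entry = parse_line(line)
        if entry is None:
            report["unparsed"].append(i)
            continue
        report["findings"][i] = check_entry(entry, allowed)
    return report


if __name__ == "__main__":
    for idx, found in audit(SAMPLE_LOG)["findings"].items():
        print(idx, found or "consistent with the claimed access path")
```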
The NSA as the purposefully-missing link makes sense. First off, Ulbricht's back end server was located in Iceland. Graham points out basic authentication was provided by this server via Port 80. If the NSA was monitoring traffic in and out of Iceland (as it is legally able to do), it could easily have captured a password for this server.

Furthermore, the front end server (located in Germany -- also within the NSA's established dragnet) would return "forbidden" errors when accessed outside of Tor, but would not when accessing PHP files (as Weaver noted). To get to the admin page, other possibly non-NSA-related tactics could have been used. (Graham suggests a couple of different methods well within the FBI's technical grasp and abilities -- "scanning the entire Internet for SSL servers, then searching for the string "Silkroad" in the resulting webpage" or doing the same but correlating the results with traffic traveling across the Tor onion connection.) However, none of the above is suggested by Tarbell's recounting of the events. In fact, the official narrative is vague enough that almost any explanation could fit.
Tarbell doesn't even deny it was parallel construction. A scenario of an NSA agent showing up at the FBI offices and opening a browser to the IP address fits within his description of events.
Graham calls the declaration from Special Agent Tarbell "gibberish" (and points out that Ulbricht's opsec "sucks"). Ulbricht's legal team is still pushing for the government to explain why its declaration doesn't match the details it's handed over during discovery. A new filing by his attorney, Joshua Horowitz, isn't much kinder, calling the declaration "implausible." [pdf link] The presiding judge has given the government until the end of Monday to respond to Horowitz's filing… if it wants to. [pdf link]
Defendant has submitted a declaration from Joshua Horowitz in support of his motion and request for an evidentiary hearing.

If the Government has any response to the factual statements (and/or relevance of the factual statements) asserted therein, it should file such response by C.O.B., October 6, 2014 (if possible).
The government may not feel compelled to respond. A filing from earlier in September (but added to the docket on Oct. 1st) suggests it's pretty much done discussing Ulbricht's "NSA boogeyman." [pdf link]
In light of these basic legal principles, the Government objects to the September 17 Requests as a general matter on the ground that no adequate explanation has been provided as to how the requested items are material to the defense. Most of the requests appear to concern how the Government was able to locate and search the SR Server. Yet the Government has already explained why, for a number of reasons, there is no basis to suppress the contents of the SR Server:

(1) Ulbricht has not claimed any possessory or property interest in the SR Server as required to establish standing for any motion to suppress;
(2) the SR Server was searched by foreign law enforcement authorities to whom the Fourth Amendment does not apply in the first instance;
(3) even if the Fourth Amendment were applicable, its warrant requirement would not apply given that the SR Server was located overseas; and
(4) the search was reasonable, given that the FBI had reason to believe that the SR Server hosted the Silk Road website and, moreover, Ulbricht lacked any expectation of privacy in the SR Server under the terms of service pursuant to which he leased the server.


Particularly given these circumstances, it is the defendant’s burden to explain how the contents of the SR Server were supposedly obtained in violation of the defendant’s Fourth Amendment rights and how the defendant’s discovery requests are likely to vindicate that claim. The defense has failed to do so, and the Government is unaware of any evidence – including any information responsive to the defense’s discovery requests – that would support any viable Fourth Amendment challenge. Instead, the defense’s discovery requests continue to be based on mere conjecture, which is neither a proper basis for discovery nor a proper basis for a suppression hearing.
The response document notes that it has already responded with several documents, won't be responding to a host of other requests, but most tellingly, says the government is "not aware" of any supporting documentation for Agent Tarbell's declaration. (As noted by Robert Graham, the declaration as written is "impossible to reconstruct," with the lack of technical details being a large part of that.)
5. The name of the software that was used to capture packet data sent to the FBI from the Silk Road servers.

Other than Attachment 1, the Government is not aware of any contemporaneous records of the actions described in paragraphs 7 and 8 of the Tarbell declaration. (Please note that Attachment 1 is marked “Confidential” and is subject to the protective order entered in this matter.)

6. A list of the “miscellaneous entries” entered into the username, password, and CAPTCHA fields on the Silk Road login page, referenced in the SA Tarbell’s Declaration, at ¶ 7.

See response to request #5.

7. Any logs of the activities performed by SA Tarbell and/or CY-2, referenced in ¶ 7 of SA Tarbell’s Declaration.

See response to request #5.

8. Logs of any server error messages produced by the “miscellaneous entries” referenced in SA Tarbell’s Declaration.

See response to request #5.

9. Any and all valid login credentials used to enter the Silk Road site.

See response to request #5.

10. Any and all invalid username, password, and/or CAPTCHA entries entered on the Silk Road log in page.

See response to request #5.

11. Any packet logs recorded during the course of the Silk Road investigation, including but not limited to packet logs showing packet headers which contain the IP address of the leaked Silk Road Server IP address [193.107.86.49].

See response to request #5.
Parallel construction matters, but the government claims it doesn't. It will probably continue to declare it a non-issue so long as the courts agree that Ulbricht's Fourth Amendment rights weren't violated. Ulbricht's Fourth Amendment defense is admittedly a disaster, making claims that have nearly no chance of holding up under judicial scrutiny. The Silk Road indictment is a lousy test case for challenging parallel construction.

But parallel construction spills over into purely domestic investigations where Fourth Amendment rights are supposedly guaranteed. As long as the "expectation of privacy" isn't violated -- according to the government's definition of what does and doesn't enjoy this "expectation" -- the origin of the evidence isn't really up for discussion, according to the government's own filing. And what the government says here is that what was ultimately obtained matters more than how it was obtained. Parallel construction covers up invasive surveillance and investigative tactics, providing courts with evidence that looks clean but was illicitly gathered.





Filed Under: captcha, christopher tarbell, doj, fbi, investigation, parallel construction, ross ulbricht, silk road
Companies: silk road


Reader Comments



  • Ninja (profile), 6 Oct 2014 @ 8:11am

    Even if such parallel construction is proven and supposing he gets away a free man because the Fourth was violated we'll only see renewed attempts from the police state crew to further weaken the Fourth (they'd simply delete it if they could but setting up unconstitutional laws already suffice it seems).

    There's really no escape besides having the Congress and the judiciary actually do their jobs. Or have some heads roll, French style.


    • pixelpusher220 (profile), 6 Oct 2014 @ 11:08am

      Re:

      I've been amazed that Parallel Construction hasn't become a bigger issue. That there is *any* hint of extra-judicial shenanigans going on would seem, on its face, to introduce 'reasonable doubt' to *any* court proceeding.

      If it's happened once, it's happened every single time because it's impossible to prove it didn't happen.

      How this isn't being handled as a 'the entire system is rigged' concept, even in the main stream press boggles my mind.

      I'd happily appreciate someone explaining me off this cliff I seem to be on :)


  • Anonymous Coward, 6 Oct 2014 @ 8:12am

    Well, if true, Agent Tarbell's credibility is shot as a witness, and I think they need him...


  • Anonymous Coward, 6 Oct 2014 @ 8:20am

    If the NSA is being used to hunt down server locations, then it's a wonder why The Pirate Bay servers have never been found.


    • beech, 6 Oct 2014 @ 8:26am

      Response to: Anonymous Coward on Oct 6th, 2014 @ 8:20am

      There was an awesome write up on torrentfreak a couple weeks back about TPB's technical set up, if you're actually curious I would heartily suggest it. I don't remember any details, but I think they run a bunch of virtual machines on servers in a bunch of different countries. If one of their servers gets raided they can easily set up another virtual machine with very little down time


  • Anonymous Coward, 6 Oct 2014 @ 8:21am

    There is no Liberty in Tarbell.


  • That Anonymous Coward (profile), 6 Oct 2014 @ 8:24am

    And they wonder why when they game the system, they lose the public trust.


  • Anonymous Coward, 6 Oct 2014 @ 8:45am

    If they are allowed fictional stories about how they got the evidence, how long before they use fictional evidence?


    • Anonymous Coward, 6 Oct 2014 @ 8:57am

      Re:

      Well said. The road to hell is paved with good intentions.


      • John Fenderson (profile), 6 Oct 2014 @ 9:06am

        Re: Re:

        What are the "good intentions"?


        • Anonymous Coward, 6 Oct 2014 @ 10:30am

          Re: Re: Re:

          "To protect and serve The People."


        • Anonymous Coward, 6 Oct 2014 @ 12:47pm

          Re: Re: Re:

          Whether an intention is good or bad is in the eye of the beholder. Some of these guys may have thought taking silk road down was worth the cost of corrupting due process. Their intentions were good, and sometimes you have to bend the rules for the greater good, and all that happy bullshit.

          This is why 'good intentions' are so dangerous. Combine 'good intentions' with a lack of understanding for why the system is setup the way it is and disaster will follow.

          For the final cliche, those who don't study history are doomed to repeat it. No one in authority should have the ability to be in a position to corrupt due process without first understanding why it exists in the first place. If this means they have to take a four year course focusing solely on that subject before they can ascend to the control panel of authority, so be it, because liberty will not survive with these ignorant, well intentioned, doofuses at the wheel.

          'Course the above assumes that some or all of them were well intentioned.


    • Anonymous Coward, 6 Oct 2014 @ 8:22pm

      Re:

      Secret evidence, in secret courts and secret trials have been happening for years.

      "we have evidence that shows you're guilty, but you are not allowed to see it" "Verdict guilty based on the evidence I as a judge am not allowed to see because the government tells me you're guilty, case closed, next"


  • Anonymous Coward, 6 Oct 2014 @ 9:17am

    You Just Know

    At some point during the trial, a government weenie is going to stand up and say "We decline to answer on the grounds of National Security, Your Honor."

    also known as the "Because fuck you." response.


  • Jake, 6 Oct 2014 @ 9:39am

    You know, if the FBI were simply to come out and say that the NSA assisted them in finding incriminating information but the exact methodology is too sensitive to reveal in open court, would anyone really have an issue with that?


    • John Fenderson (profile), 6 Oct 2014 @ 9:49am

      Re:

      I would, absolutely. The NSA isn't supposed to be spying on US citizens, and they certainly shouldn't be involved with domestic law enforcement. At the bare minimum, if they "inadvertently" "collect" communications of US citizens that have no connection to terrorism, they should keep that communication as secret as their other big secrets. They should not be revealing (or even summarizing) that communication to any outside parties, whether they're law enforcement or not.


  • Anonymous Coward, 6 Oct 2014 @ 10:00am

    I'd love to see Ross Ulbricht walk free because of the NSA's illegal surveillance practices.


  • David, 6 Oct 2014 @ 10:08am

    Calling Johnny Cochran...

    If the logs don't fit, you must acquit.


  • Anonymous Coward, 6 Oct 2014 @ 11:47am

    Isn't this the same argument the Executive Branch uses to kill US Citizens overseas, far away from any battlefield? "We killed them on foreign soil, so the US Constitutional protections of due process does not apply to them."

    Yet when it comes to the US Gov warrantlessly searching emails in Dublin Ireland. Suddenly US jurisdiction applies on foreign soil.

    The law has become twisted, nonsensical words on paper. Words whose definitions do not even match the meaning of those words in any known dictionary. "The law is whatever I say it is, and applies to wherever I say it applies or does not apply".

    Lunacy! How am I supposed to respect such laws? Fear, force, and incarceration will make me acknowledge such laws. I will never respect these laws, and I'll hold them in contempt.

    Which is fine with the US Gov. They don't require the respect of the people they rule. They only require obedience and compliance.


  • Anon, 6 Oct 2014 @ 2:40pm

    Parallel construction? Let's just call it what it is - evidence laundering.


  • Roland, 6 Oct 2014 @ 6:27pm

    4th Amendment

    I just looked at the 4th Amendment, and there is no indication that it is invalid if the ..."persons, houses, papers, and effects" are overseas. So the prosecution's statement that ..."warrant requirement would not apply given that the SR Server was located overseas" is simply bogus.


  • Roland, 6 Oct 2014 @ 6:54pm

    4th amendment

    Even if the feds got a search warrant for the overseas machines, there is still the question of whether that search warrant is valid. Microsoft is appealing that very question:
    http://www.businessweek.com/articles/2014-08-01/microsofts-ireland-data-center-subject-to-u -dot-s-dot-search-warrant-court-rules


    • Anonymous Coward, 7 Oct 2014 @ 1:06am

      Re: 4th amendment

      The first reason for getting a warrant is for the FEDs to show a judge that they have sufficient grounds for a search, and that is the part that protects the citizens.


  • Michael Yates, 17 Mar 2015 @ 6:27am

    No Support for Parallel Construction

    If allowing unethical practices is the only way left for enforcement of law and order, then it is utterly shameful that we even teach law and order to students in elementary school. And did I forget moral science, moral code, idealism, and the Church. Sneaking in and then publishing private facts is a crime that will not be forgiven by forces that are not evil. Therefore, if US wants to regain its moral stature globally, it has got to slow down NSA activities. We really need that.


