U.S. v. Ross Ulbricht: Declaration of Joshua J. Horowitz [pdf]

  • Quite an interesting read. Summary? Silk Road used a pair of nginx servers, one as front-end, one as back-end. The server images (captured forensically) show that the then-in-place configuration made it impossible for the FBI agent to do what he claims, that is, connect to the back-end by using the server's IP address (the allow/deny settings forbade this). The log files on the servers lack entries to support FBI claims.

    Furthermore, FBI agents describe using other techniques to obtain information, e.g., fuzzing and packet sniffing. Not only do server logs NOT contain any evidence of this, but the agents did not preserve any evidence of their packet sniffing activities, despite having training in forensic investigation techniques and claiming expertise in these areas.

    While it is possible that there were bugs in either the Ubuntu 12.04 hosts or the nginx servers themselves that would have allowed these activities to occur, unlogged, I suspect it would now be up to the prosecution to establish reasonable grounds for believing this to be the case. Likewise, while it is possible that the handful of lines of log pertaining to FBI activities might have been removed from the several million (yes, you read that correctly) lines of log later captured in forensic image, that does strain credulity; again I suspect the prosecution would have to establish that, somehow.

    I've no particular interest in this case or in Silk Road, but I cannot help but conclude that the lawyer filing this brief just seriously schooled the FBI.

  • Well, fuck. Regardless of the rest, if the government's story changed in a factual way before vs. after the government acquired the Silk Road server ... well, further confirmation that parallel construction is in use and the "foreign tools" are being used in domestic cases.

    "the account by former Special Agent Tarbell in his Declaration differs in important respects from the government’s June 12, 2013, letter to Icelandic authorities. For example, that letter (which is Exhibit A to the government’s opposition papers) suggests the possibility of an alternative method for the government’s identifying and locating the Silk Road Server; "

    +

    "The Government’s response to Mr. Ulbricht’s omnibus motion filed September 5, 2014, contains a Declaration from former FBI Special Agent Christopher Tarbell, attached hereto as Exhibit 2 (Dkt #57). The Declaration contains a vague explanation of how the IP address of the Silk Road server was initially discovered. For instance, former SA Tarbell asserts that, “[w]hen I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared.” Tarbell Decl. at ¶ 8. As explained below, based upon the Nginx server configuration files provided in discovery, that was not possible. "

  • A tarball is not a disk image and - in my view - is seriously shaky as evidence in a criminal trial.

    I had always imagined - apparently incorrectly - that evidence-gathering requirements in this area would have been more along the lines of imaging the disk bit-for-bit in a controlled, well documented procedure onto another disk which is immediately made read-only in hardware before being placed in the chain of custody. Copies provided in legal proceedings should be verifiably identical.

    EDIT: Also not only is it insane that they didn't save the sniffed packets but for a one-shot, unreproducible event like the one the FBI describes they really should have preserved the local environment too. Any number of unknown browser/extension/proxy/system behaviours could have caused that captcha to appear on the screen once. Hell, if they only saw it in the viewport and not, say, the DOM source, it could even be a bug in the system graphics renderer - massively unlikely, yes, but I've seen weirder.

  • It was pretty obvious that the FBI was lying (or misrepresenting or whatever weasel word you want to use) in their original claims. The real question in my mind, which still remains unanswered, is why? The most optimistic explanation is that they just botched the investigation and then spectacularly confused the prosecution as they were preparing their claims. I'd rather not think too hard about the most pessimistic explanation.

  • Some researchers at Yale have been working on a project [1], due to be presented this weekend, that prevents the FBI from gaining any meaningful information via JavaScript exploits. The idea is to contain each "pseudonym" in its own virtual "nymbox", and only that one box. Read the paper for more, it's interesting.

    [1] http://arxiv.org/pdf/1312.3665.pdf

  • I'm not a lawyer, but AFAIU the defense has an affirmative burden to prove impropriety. Simply casting doubt isn't enough. They're unlikely to ever get this evidence suppressed on 4th Amendment grounds, so at best it's a tactical maneuver for negotiating a plea deal.

    In fact, it's probably not even enough if they prove something as shocking as the NSA helping them. The NSA could always say that they stumbled upon Silk Road in the course of their anti-terrorism operations. And then instructed the FBI to hide the origins of the tip. We know for a fact that this happens regularly, and AFAIK nobody has ever been punished.

    A court could technically toss the evidence as a way to punish the government for not playing fair, even if the law doesn't require it to be suppressed. That provides leverage for bargaining with the government. But evidence as central as this, in such a high-profile case where the defendant was clearly guilty, means that's unlikely. It's more likely for a smaller case where a court wants to rap the government on the knuckles without letting a really bad guy (from their perspective) go free.

  • At this point I feel I'm missing something as we now have two legal documents going "Nuh uh!" - "Yuh huh!"

    FBI's Explanation[1] states (Page 4, Footnote #5) that the admin himself kept logs explaining that there were frequent IP leaks due to misconfiguration of the web server.

    At this point aren't we led to believe that he showed multiple cases of mismanagement? From this can we not call bullshit on the very definitive declaration by the defense that the webserver was explicitly configured to deny external connections?

    [1] https://www.scribd.com/doc/238844570/FBI-Explanation-of-Silk-Road-vulnerability

  • I have limited experience with nginx, but I believe points 12+13 are technically incorrect -- sites/virtual hosts can be configured in the /etc/nginx/conf.d directory or directly in the main nginx.conf file, not only in the sites-available/sites-enabled directories, as is implied. This makes the conclusions of point 19 and others incorrect.

    I don't think it necessarily disproves the conclusions of the document, but it calls into question if the author knows nginx as well as he claims to. I'd be happy to be corrected if I'm wrong.
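The first comment's point (the back-end's allow/deny rules) and this comment's point (server blocks can live in nginx.conf, conf.d/ or sites-enabled/) both come down to how nginx assembles its configuration. As an added example, not code from the thread, the filing or nginx itself, here is a small Python tool that resolves `include` directives across all three locations, lists every `server_name` it finds, and applies the first-match allow/deny rule of the ngx_http_access_module to a given client address. The config tree, the server names and the client addresses (RFC 5737 documentation ranges) are constructed for the example; the parser assumes unquoted directives and reads access rules only at server-block level.

```python
"""Added example (not from the thread or the filing): resolve an nginx config tree
across main file, conf.d and sites-enabled, then evaluate allow/deny for a client.
Assumes unquoted directives, rules at server-block level, constructed names."""
import glob, ipaddress, os, re, tempfile

# A '#' comment to end of line, one of the punctuation tokens { } ;, or a bare word.
TOKEN = re.compile(r"#[^\n]*|[{};]|[^\s{};#]+")

def tokenize(text):
    return [t for t in TOKEN.findall(text) if not t.startswith("#")]

def parse(tokens, pos=0):
    """Recursive descent into a list of {name, args, block} directives."""
    directives, args = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "}":
            return directives, pos + 1
        if tok == ";":
            directives.append({"name": args[0], "args": args[1:], "block": None})
            args, pos = [], pos + 1
        elif tok == "{":
            block, pos = parse(tokens, pos + 1)
            directives.append({"name": args[0], "args": args[1:], "block": block})
            args = []
        else:
            args.append(tok)
            pos += 1
    return directives, pos

def expand(directives, prefix):
    """Splice each 'include' target (glob, relative to prefix) in place at any depth."""
    out = []
    for d in directives:
        if d["name"] == "include":
            pattern = os.path.join(prefix, d["args"][0])  # join() leaves absolute paths alone
            for inc in sorted(glob.glob(pattern)):
                out.extend(load_config(inc, prefix))
        elif d["block"] is not None:
            out.append(dict(d, block=expand(d["block"], prefix)))
        else:
            out.append(d)
    return out

def load_config(path, prefix):
    with open(path) as fh:
        directives, _ = parse(tokenize(fh.read()))
    return expand(directives, prefix)

def find_servers(directives):
    found = []
    for d in directives:
        if d["name"] == "server":
            found.append(d)
        elif d["block"] is not None:
            found.extend(find_servers(d["block"]))
    return found

def access_decision(server, client_ip):
    """ngx_http_access_module semantics: first matching rule wins; no match means allowed."""
    ip = ipaddress.ip_address(client_ip)
    for d in server["block"]:
        if d["name"] in ("allow", "deny"):
            target = d["args"][0]
            net = None if target == "all" else ipaddress.ip_network(target, strict=False)
            if net is None or (ip.version == net.version and ip in net):
                return d["name"] == "allow"
    return True

def build_sample_tree():
    """Constructed tree with one server block in each location the thread names."""
    prefix = tempfile.mkdtemp()
    files = {
        "nginx.conf": "http {\n  include conf.d/*.conf;\n  include sites-enabled/*;\n"
                      "  server { listen 80; server_name main-file.example; }\n}\n",
        "conf.d/backend.conf": "server {\n  listen 80; server_name backend.example;\n"
                               "  allow 198.51.100.10;  # constructed front-end address\n"
                               "  deny all;             # everyone else, direct-by-IP included\n}\n",
        "sites-enabled/frontend": "server { listen 80; server_name frontend.example; }\n",
    }
    for rel, body in files.items():
        full = os.path.join(prefix, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(body)
    return prefix

def server_names(prefix):
    """Every server_name defined anywhere in the tree, sorted."""
    cfg = load_config(os.path.join(prefix, "nginx.conf"), prefix)
    return sorted(d["args"][0] for s in find_servers(cfg)
                  for d in s["block"] if d["name"] == "server_name")

def backend_allows(prefix, client_ip):
    """Would the backend.example block serve this client at all?"""
    cfg = load_config(os.path.join(prefix, "nginx.conf"), prefix)
    for s in find_servers(cfg):
        if any(d["name"] == "server_name" and "backend.example" in d["args"] for d in s["block"]):
            return access_decision(s, client_ip)
    raise LookupError("no backend.example server block found")
```

Order matters in the access module: `allow 198.51.100.10; deny all;` admits only the listed address, while the reverse order denies everyone because `deny all` matches first. Two things this tool deliberately leaves out: rules inside a `location` block replace the server-level rules for that path, and `nginx -T` on the live host prints the fully resolved configuration directly, which is the check to run when the config tree itself is available.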

  • This is in response to various comments to the effect of "I can't believe they didn't log, image, etc properly".

    Every organization is made out of people. Each person grew up somewhere, had interests, went to school, etc before joining the organization.

    Some organizations attract some types of people more than other types of people.

    Do you think the FBI attracts the sort of people who stayed home in front of their computers on most Friday nights during the best years of their lives?

    ...

    Said differently: you're better at computers than you realize. Shh.

  • From a legal perspective, why does it matter how the FBI got access to the server or determined it was a Silk Road server? I assume they got a warrant for the server itself, and therefore the evidence found on the server is a candidate for inclusion in the trial.

  • Section IV.A.18 shows an extremely technically versed lawyer that I hope one day becomes a judge. Joshua Horowitz was able to find a contradiction in the SA's testimony based on nginx's configuration.

  • The FBI lied? No way.