Log in

No account? Create an account
log f-list backlog .nfo weev.net back back forward forward
The Silk Road statement: Where are the packetlogs? - Andrew Auernheimer
Oðinnsson. Market abuser. Internationally notorious computer criminal.
The Silk Road statement: Where are the packetlogs?
There are a number of utilities that log packets for forensic analysis. Every person that deals with the Internet in a serious fashion has used them at one point or another. I've used packetlogs generated by tcpdump to do things as trivial as respond to fraudulent abuse reports against a virtual machine that I use a chat client from. Needless to say, packets which are the basis of a federal criminal complaint are several orders of magnitude more important than me scrolling ANSI goatse on IRC. I'd imagine that a federal investigator citing packets as a basis for a search is going to store them. I'm saying this because in the case of United States v. Ulbricht, the drug conspiracy case involving the Silk Road, many have been concerned that the search methods used were illegal. Parallel construction is a huge issue here, and it turns out packet headers are now a central issue to the case. FBI Special Agent Christopher Tarbell cites data in packet headers in a declaration sworn to the court under penalty of perjury:

"Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the “Subject IP Address”) was the only non-Tor source IP address reflected in the traffic we examined. The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal.
I have sat in a court and watched federal agents lie about how the Internet works multiple times. Right here Agent Tarball is claiming that he sent a GET request to a Tor hidden service and the Tor hidden service sent back a packet containing its true source address in the TCP header. This is flat out impossible, given how Tor and TCP work. It is very easy for a federal agent to claim something. It is several orders of magnitude more difficult to fake packetlogs of network traffic which include a protocol as complex as Tor. I think the FBI needs to release these in a timely fashion to corroborate their claims here.

In fact, I would challenge them to even provide configuration files from the daemons involved that lead to this happening. They would have those in the hard drive images. They won't be there, because this is not a possible failure scenario at all.

The right to review evidence is pretty central to the Federal Rules of Criminal Procedure. The defense needs to look over these logs very carefully. If the federal government fails to produce them, it is absolutely a matter of evidence destruction. It is the digital equivalent of the FBI destroying potential DNA evidence after running cursory lab tests upon it that are helpful to its claims, but refusing to allow a defense team to perform DNA analysis.
9 comments / leave comment
maradydd From: maradydd Date: September 6th, 2014 11:33 pm (UTC) (link)
"Agent Tarball" = best (un?)accidental typo ever, given the circumstances.
weev From: weev Date: September 6th, 2014 11:36 pm (UTC) (link)
lolll tru, marking that one WONTFIX
wirelessfantasy From: wirelessfantasy Date: September 7th, 2014 12:24 am (UTC) (link)
Good points, we need a look at those pcap files to figure this out because it's totally unclear. Defense also needs to hire a top-notch computer expert.

Added a link to this post from mine.
From: (Anonymous) Date: September 7th, 2014 12:23 pm (UTC) (link)
Agent "Tarball" (don't correct this typo plz) is obviously lying to get their case through. What he states is technically out of bounds with how Tor, HTTP and TCP works, and they know they can get away with it because the chances of the court knowing how these things work are slim-to-none.
From: lodewijk andré de la porte Date: September 7th, 2014 04:36 pm (UTC) (link)
Additionally, if it is a bug in Tor it should be pointed out how it could have happened. Iow, if it cannot be proven to have happened, it hasn't. (Open) Source code makes it possible to say something could not have happened provided the source runs properly. And that places the demand for proving that it could happen with the prosecutor.

If it is a bug elsewhere It should also be made propable.
weev From: weev Date: September 10th, 2014 11:03 am (UTC) (link)
There is absolutely no way that this happened the way law enforcement describes.
From: (Anonymous) Date: September 18th, 2014 05:43 am (UTC) (link)
Your reply will be screened. - good, d don't publish this
Ypur IP address will be recorded - smh>
weev From: weev Date: February 6th, 2015 08:28 pm (UTC) (link)
every service ever records IP addresses. livejournal is the only one that tells you they are doing so.
From: (Anonymous) Date: February 6th, 2015 01:22 am (UTC) (link)
In the early 2000's, my old party-favors dealer had a real live representative of the "Neilsen Company" knock on his door about becoming a Neilsen family. It involved wiring a box to his TV. He agreed. Why not? He wanted to save Family Guy.

A month later, he was raided by the DEA. After making bail and going home, he noticed that the agents had ripped the "Neilsen box" off his TV. It was a covert surveillance device. Later on in court documents, they referred to the information it provided as an "anonymous informant". The "Neilsen Box" issue required a separate hearing, the DEA denied any knowledge of its existence. The judge ruled it could not be mentioned in front of a jury.
9 comments / leave comment