Andrew Auernheimer (weev) wrote,

The Silk Road statement: Where are the packetlogs?

There are a number of utilities that log packets for forensic analysis. Every person that deals with the Internet in a serious fashion has used them at one point or another. I've used packetlogs generated by tcpdump to do things as trivial as respond to fraudulent abuse reports against a virtual machine that I use a chat client from. Needless to say, packets which are the basis of a federal criminal complaint are several orders of magnitude more important than me scrolling ANSI goatse on IRC. I'd imagine that a federal investigator citing packets as a basis for a search is going to store them. I'm saying this because in the case of United States v. Ulbricht, the drug conspiracy case involving the Silk Road, many have been concerned that the search methods used were illegal. Parallel construction is a huge issue here, and it turns out packet headers are now a central issue to the case. FBI Special Agent Christopher Tarbell cites data in packet headers in a declaration sworn to the court under penalty of perjury:

"Upon examining the individual packets of data being sent back from the website, we noticed that the headers of some of the packets reflected a certain IP address not associated with any known Tor node as the source of the packets. This IP address (the “Subject IP Address”) was the only non-Tor source IP address reflected in the traffic we examined. The Subject IP Address caught our attention because, if a hidden service is properly configured to work on Tor, the source IP address of traffic sent from the hidden service should appear as the IP address of a Tor node, as opposed to the true IP address of the hidden service, which Tor is designed to conceal."

I have sat in a court and watched federal agents lie about how the Internet works multiple times. Right here Agent Tarball is claiming that he sent a GET request to a Tor hidden service and the Tor hidden service sent back a packet containing its true source address in the IP header. This is flat-out impossible, given how Tor and TCP work. A Tor client never opens a TCP connection to the host running the hidden service: its connection terminates at its own local Tor process and, beyond that, at its guard relay, so the source address in the IP header of every packet it receives is the local host or a relay, whatever the hidden service at the far end is doing. It is very easy for a federal agent to claim something. It is several orders of magnitude more difficult to fake packetlogs of network traffic which include a protocol as complex as Tor. I think the FBI needs to release these in a timely fashion to corroborate their claims here.

In fact, I would challenge them to even provide configuration files from the daemons involved that led to this happening. They would have those in the hard drive images. They won't be there, because this is not a possible failure scenario at all.

The right to review evidence is pretty central to the Federal Rules of Criminal Procedure. The defense needs to look over these logs very carefully. If the federal government fails to produce them, it is absolutely a matter of evidence destruction. It is the digital equivalent of the FBI destroying potential DNA evidence after running cursory lab tests upon it that are helpful to its claims, but refusing to allow a defense team to perform DNA analysis.
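Here is what that review of a packetlog looks like in practice, as an added example that is not part of the original post and is not the FBI's or anyone's case material. It reads a classic pcap (the format tcpdump writes), pulls the source and destination address out of the IP header of every IPv4 packet, and reports any source that is neither the capturing host nor a known Tor relay. The pcap bytes, the relay list and all addresses are constructed for the example (RFC 5737 documentation ranges); in a real review the relay set would come from the Tor consensus for the capture's date. Only IP-header addresses are examined, which is what the declaration cites; the example says nothing about addresses that might appear in packet payloads.

```python
"""Flag non-Tor source addresses in a pcap's IP headers.

Added example, not code from the original post. The pcap, the relay
list and every IP address below are constructed (RFC 5737 ranges).
"""
import ipaddress
import struct

PCAP_MAGIC_LE = 0xA1B2C3D4      # magic read with '<I' from a little-endian file
PCAP_MAGIC_BE_SWAPPED = 0xD4C3B2A1  # same magic seen through '<I' when the file is big-endian
LINKTYPE_ETHERNET = 1


def build_pcap(flows):
    """Build a little-endian classic pcap (Ethernet link type) from (src, dst) IPv4 pairs.

    Constructed test input only: 14-byte Ethernet, 20-byte IPv4 (checksum left zero),
    20-byte TCP header, no payload.
    """
    global_hdr = struct.pack('<IHHiIII', PCAP_MAGIC_LE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    records = [global_hdr]
    for i, (src, dst) in enumerate(flows):
        eth = bytes(12) + b'\x08\x00'                                   # dummy MACs, EtherType IPv4
        tcp = struct.pack('!HHIIBBHHH', 443, 40000 + i, 0, 0, 5 << 4, 0x18, 65535, 0, 0)
        ip = struct.pack('!BBHHHBBH4s4s', 0x45, 0, 20 + len(tcp), i, 0, 64, 6, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
        frame = eth + ip + tcp
        records.append(struct.pack('<IIII', 0, 0, len(frame), len(frame)) + frame)
    return b''.join(records)


def iter_ipv4_endpoints(pcap_bytes):
    """Yield (record_number, src_ip, dst_ip) for each IPv4-over-Ethernet packet in a pcap."""
    magic, = struct.unpack_from('<I', pcap_bytes, 0)
    if magic == PCAP_MAGIC_LE:
        end = '<'
    elif magic == PCAP_MAGIC_BE_SWAPPED:
        end = '>'
    else:
        raise ValueError('not a classic pcap file (pcapng is not handled here)')
    linktype, = struct.unpack_from(end + 'I', pcap_bytes, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError('only Ethernet captures are handled here')
    off, n = 24, 0
    while off + 16 <= len(pcap_bytes):
        _, _, caplen, _ = struct.unpack_from(end + 'IIII', pcap_bytes, off)
        frame = pcap_bytes[off + 16:off + 16 + caplen]
        off += 16 + caplen
        n += 1
        # EtherType 0x0800 and IP version nibble 4; src/dst live at IPv4 header offsets 12 and 16,
        # i.e. frame offsets 26 and 30, regardless of the IHL value.
        if len(frame) >= 34 and frame[12:14] == b'\x08\x00' and frame[14] >> 4 == 4:
            yield (n, str(ipaddress.IPv4Address(frame[26:30])),
                   str(ipaddress.IPv4Address(frame[30:34])))


def unexpected_sources(pcap_bytes, tor_relays, capturing_host):
    """Map each source IP that is neither a Tor relay nor the capturing host to its record numbers.

    For a client fetching a hidden service through Tor this should come back empty:
    its only TCP peers are its own Tor process and its guard relay(s).
    """
    relays = {ipaddress.IPv4Address(r) for r in tor_relays}
    me = ipaddress.IPv4Address(capturing_host)
    found = {}
    for n, src, _dst in iter_ipv4_endpoints(pcap_bytes):
        if ipaddress.IPv4Address(src) != me and ipaddress.IPv4Address(src) not in relays:
            found.setdefault(src, []).append(n)
    return found


# Constructed sample: the capturing host talks to one guard relay, plus one planted
# packet whose IP-header source is neither the host nor any relay (record 4).
CLIENT = '192.0.2.1'
RELAYS = {'198.51.100.10', '198.51.100.11'}
SAMPLE_PCAP = build_pcap([
    (CLIENT, '198.51.100.10'),
    ('198.51.100.10', CLIENT),
    (CLIENT, '198.51.100.10'),
    ('203.0.113.7', CLIENT),
    ('198.51.100.10', CLIENT),
])

if __name__ == '__main__':
    for src, recs in unexpected_sources(SAMPLE_PCAP, RELAYS, CLIENT).items():
        print(f'non-Tor source {src} in records {recs}')
```

Run against a real tcpdump file, the interesting output is the record numbers: they point at the exact packets a defense expert would open in Wireshark to see which TCP connection, and which circuit, the address is supposed to have come through. An empty result over a genuine Tor client capture is the expected outcome.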
