Expert Witness For Silk Road Suggests FBI Lied About How They Accessed Back-End Servers

According to a court document released today, expert witness Joshua J. Horowitz, a lawyer and tech expert, believes the FBI is not telling the whole truth when it comes to how they found the back-end server owned by the alleged Silk Road mastermind Ross Ulbricht.

In the document, reproduced below, Horowitz says that his “practice is concentrated on criminal defense matters that require expertise in technology and computer software” and that he has extensive experience in Linux and open source server software – arguably a rare skill for those in the legal profession.

Horowitz writes:

(1) based on the Silk Road Server’s configuration files provided in discovery, former Special Agent Tarbell’s explanation of how the FBI discovered the server’s IP address is implausible;
(2) the account by former Special Agent Tarbell in his Declaration differs in important respects from the government’s June 12, 2013, letter to Icelandic authorities. For example, that letter (which is Exhibit A to the government’s opposition papers) suggests the possibility of an alternative method for the government’s identifying and locating the Silk Road Server;
[Case 1:14-cr-00068-KBF Document 70 Filed 10/01/14 Page 2 of 18]
(3) former Special Agent Tarbell’s explanation is vague and lacks supporting documentary and forensic evidence that should exist if former Special Agent Tarbell had adhered to the most rudimentary standards of computer forensic analysis, but which he apparently did not follow, or failed to preserve evidence of his alleged work that could substantiate the government’s account (and which the defense has now requested);
(4) several critical files provided in discovery contain modification dates predating the first date Special Agent Tarbell claims Icelandic authorities imaged the Silk Road Server, thereby casting serious doubt on the chronology and methodology of his account; and
(5) the Government’s version contains additional inconsistencies, including items referred to and/or indicated by former Special Agent Tarbell’s Declaration, but not produced in discovery.

In short, Horowitz believes that the FBI could not have accessed the server remotely because it was separated from the front end by a firewall that refused external connections. In other words, the front end was easily visible, but the back end would have been impossible to reach from the outside world. It is, to be fair, a convincing argument.

The crux of the argument is here:

7. Without identification by the Government, it was impossible to pinpoint the 19 lines in the access logs showing the date and time of law enforcement access to the .49 server.
23. The “live-ssl” configuration controls access to the market data contained on the .49 server. This is evident from the configuration line:
root /var/www/market/public
which tells the Nginx web server that the folder “public” contains the website content to load when visitors access the site.
24. The critical configuration lines from the live-ssl file are:
allow 127.0.0.1; allow 62.75.246.20; deny all;
These lines tell the web server to allow access from IP addresses 127.0.0.1 and 65.75.246.20, and to deny all other IP addresses from connecting to the web server. IP address 127.0.0.1 is commonly referred to in computer networking as “localhost,” i.e., the machine itself, which would allow the server to connect to itself. 65.75.246.20, as discussed ante, is the IP address for the front-end server, which must be permitted to access the back-end server. The “deny all” line tells the web server to deny connections from any IP address for which there is no specific exception provided.
25. Based on this configuration, it would have been impossible for Special Agent Tarbell to access the portion of the .49 server containing the Silk Road market data, including a portion of the login page, simply by entering the IP address of the server in his browser. As discussed in ¶ 24, the server was configured to refuse connections from all outside IP addresses with only one exception, the front-end server IP. Certainly, the IP address of the machine that Tarbell attempted to connect with did not have this IP address, and the server would therefore have refused his connection attempt.

There was, Horowitz says, a wall between the front end and the back end.
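As an added illustration, not part of the article or of the declaration, the Python below evaluates nginx-style allow/deny directives against a client address the way nginx's ngx_http_access_module does (rules checked in order, first match wins, implicit allow when nothing matches), using the three lines quoted from the live-ssl file as constructed input. The quoted directive allows 62.75.246.20 while the surrounding narrative refers to 65.75.246.20; the evaluator follows the quoted file, so the two addresses get different answers.

```python
import ipaddress

# Constructed sample: the three directives quoted from the "live-ssl" file.
LIVE_SSL_RULES = """
allow 127.0.0.1;
allow 62.75.246.20;
deny all;
"""


def parse_access_rules(text):
    """Parse nginx allow/deny directives into (action, network) pairs.

    'all' is stored as None and matches every address; a bare address
    becomes a /32 (IPv4) or /128 (IPv6) network.
    """
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().rstrip(";").strip()
        if not line:
            continue
        action, _, target = line.partition(" ")
        action = action.lower()
        if action not in ("allow", "deny"):
            raise ValueError(f"unsupported directive: {raw!r}")
        target = target.strip()
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, network))
    return rules


def is_allowed(client_ip, rules):
    """nginx semantics: the first matching rule decides.

    If no rule matches, the request is allowed, which is why the trailing
    'deny all' is what actually closes the door to every other address.
    """
    ip = ipaddress.ip_address(client_ip)
    for action, network in rules:
        if network is None or (ip.version == network.version and ip in network):
            return action == "allow"
    return True


if __name__ == "__main__":
    rules = parse_access_rules(LIVE_SSL_RULES)
    for probe in ("127.0.0.1", "62.75.246.20", "65.75.246.20", "203.0.113.7"):
        print(probe, "allowed" if is_allowed(probe, rules) else "denied")
```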

Is Horowitz correct? His assertions, while nuanced, are still going up against the scrutiny of an Internet full of sysadmins. “At this point aren’t we led to believe that [Ulbricht] showed multiple cases of mismanagement. From this can we not call bullshit on the very definitive declaration by the defense that the webserver was explicitly configured to deny external connections?” wrote one Hacker News commenter. In any case, the jury is still out.

2014 10 01 Declaration of Josh Horowitz Defense Attorney