
Tag Archive for: Silk Road


The Tripartite (At Least) Structure of the Russian Hack Investigation

February 20, 2017/22 Comments/in Russian hacks /by emptywheel

As I mentioned in this post, on Saturday, Reuters offered the most comprehensive description of the structure of the FBI investigation into the DNC hack. As it describes it, there are “at least” three distinct probes into the DNC hack: one led by counterintelligence agents based in DC, one in Pittsburgh targeted at the hack of the DNC itself, and one in San Francisco targeted at the Guccifer 2 persona.

That structure is interesting for a number of reasons, not least that, in recent years, FBI has assigned cyber investigative teams to geographical offices that have developed certain expertise. I’m most interested that FBI has split the Guccifer 2 side of the investigation off from the hack of the DNC.

DC: The Counterintelligence investigation

Let’s start with the DC investigation. Contrary to what you may think, a good deal of the attention on Trump’s close advisors stems from behavior that barely involves the DNC hack, if at all, but instead focuses on larger discussions of quid pro quo. Here’s what has been publicly alleged, mostly in the Trump dossier. Reminder, these are only allegations!

Paul Manafort, using Carter Page as a go-between, conducts an on-going quid pro quo about attacks on Hillary in exchange for distracting from Ukraine issues. (PDF 8)

Carter Page conducts a meeting with Rosneft CEO (and US sanction target) Igor Sechin in Moscow. The two discuss a quid pro quo tying a 19% transfer of Rosneft to Page in exchange for the lifting of sanctions. (PDF 9, 30) On the same visit, Page meets top Kremlin official Diyevkin, where the latter explains to Page what kind of compromising information they had on both Trump and Hillary. (PDF 9)

A Kremlin figure describes Russian efforts to reach out to some in the US, including Jill Stein, Mike Flynn, and Carter Page. (PDF 15)

At a meeting in August, Yanukovych admits to Putin that he had paid off Manafort, but had covered it up. According to Steele’s sources, Putin doubts how well Yanukovych had covered his tracks. (PDF 20-21)

Trump lawyer Michael Cohen meets with Russian Presidential Administration figures, including Oleg Solodukhin, operating under the cover of the Rossotrudnichestvo organization, in Prague in August. According to two pre-election reports, this meeting was to clean up fall-out of prior contacts with Manafort (here described exclusively in terms of his involvement in Ukraine) and Page (described as the quid pro quo on sanctions). (PDF 18, 31-32) According to a post-election report, the meeting also discusses payments and cover-up of Europe-based hackers, who would be paid by both the Russians and Trump. (PDF 34-35) The role of Cohen — whose wife is Russian and whose father-in-law is a key Russian developer — as liaison to Russia is key. Note, information likely indicating intelligence sourcing is redacted in two of these reports. (PDF 30, 34)

The one other Trump figure mentioned in allegations of Russian ties, Roger Stone, is not mentioned in the dossier, though his role has exclusively been described as a potential knowing go-between with Wikileaks. (The error I mentioned I made in the OTM interview was in forgetting Cohen, whose role is central, and instead mentioning Stone.)

In other words, while allegations of involvement with Russia do touch on the DNC hack, for both Manafort and Page, the evidence focuses more on old-fashioned influence peddling. The evidence against Flynn in the dossier is exclusively that of cultivation.

Only Cohen, though, is strongly and repeatedly alleged in the dossier to have had a role in both the influence peddling and arranging — and paying! — for the DNC hack (though a weak allegation against Manafort is made in an early report).

Yesterday, NYT reported that Cohen tried to pitch a crazy “peace” deal for Ukraine to Mike Flynn not long before the latter was caught on an intercept with Russia’s Ambassador.

A week before Michael T. Flynn resigned as national security adviser, a sealed proposal was hand-delivered to his office, outlining a way for President Trump to lift sanctions against Russia.

Mr. Flynn is gone, having been caught lying about his own discussion of sanctions with the Russian ambassador. But the proposal, a peace plan for Ukraine and Russia, remains, along with those pushing it: Michael D. Cohen, the president’s personal lawyer, who delivered the document; Felix H. Sater, a business associate who helped Mr. Trump scout deals in Russia; and a Ukrainian lawmaker [named Andrii Artemenko].

Note that Sater, who has mobbed up business ties with Trump the latter has denied, also allegedly has worked for the CIA.

All of this is a way of saying that several of Trump’s advisors — especially Cohen — have been alleged to have dodgy ties to Russia, but much if not most of that pertains to influence peddling tied to Ukraine and sanctions imposed in retaliation for Russian involvement in Ukraine. So even beyond the different technical and security requirements of the investigation (not to mention any sensitivity involving the CIA), such an investigation sensibly would reside in FBI’s CI world. Thus the DC investigation.

Pittsburgh: The DNC hackers

As Reuters describes it, the Pittsburgh inquiry is examining who hacked the DNC (curiously, it makes no mention of John Podesta or any other hack target).

The FBI’s Pittsburgh field office, which runs many cyber security investigations, is trying to identify the people behind breaches of the Democratic National Committee’s computer systems, the officials said. Those breaches, in 2015 and the first half of 2016, exposed the internal communications of party officials as the Democratic nominating convention got underway and helped undermine support for Hillary Clinton.

The Pittsburgh case has progressed furthest, but Justice Department officials in Washington believe there is not enough clear evidence yet for an indictment, two of the sources said.

It’s not just that Pittsburgh conducts a lot of cyber security investigations — though it has been involved in some key multinational cybercrime investigations (and perhaps as importantly, infrastructure take-downs). In addition to international partnerships in those investigations, it partners closely with Carnegie Mellon’s CERT, which is best known for developing an attack on Tor the FBI uses (the legal follow-up to the 2014 Operation Onymous operation that exposed it went through SDNY in Manhattan, though that would have been before FBI started assigning investigations by geography).

Pittsburgh is also where the most discussed indictment of a nation-state hacking group — that of Chinese People’s Liberation Army hackers, mostly for spying on negotiations — came through (most of the victim companies were there too, but that was probably because they could all serve as victims without compromising national security). I will be interested to see whether the FBI assigned this investigation to Pittsburgh before or after Crowdstrike declared the DNC hack a state-sponsored hack.

San Francisco: Guccifer 2

Finally, there is the investigation into Guccifer 2, the persona who claimed to have hacked the DNC, who took credit for handing the documents to WikiLeaks, and who allegedly had ties to DC Leaks. Here’s how Reuters describes this part of the investigation:

Meanwhile the bureau’s San Francisco office is trying to identify the people who called themselves “Guccifer 2” and posted emails stolen from Clinton campaign manager John Podesta’s account, the sources said. Those emails contained details about fundraising by the Clinton Foundation and other topics.

The language here is really curious. The strongest case that Russia’s GRU hacked a Democratic target involves Podesta. And Guccifer didn’t post any Podesta emails. Guccifer claimed to have posted Clinton Foundation documents, though the documents appeared to be DCCC documents, my comment on which elicited an unsolicited response from Guccifer.

Reuters is actually not the first outlet to report that San Francisco was investigating Guccifer. I believe credit for that goes to Ellen Nakashima’s report, the day before Obama imposed sanctions, on how the US might retaliate.

Criminal indictments of Russians might become an option, officials said, but the FBI has so far not gathered enough evidence that could be introduced in a criminal case. At one point, federal prosecutors and FBI agents in San Francisco considered indicting Guccifer 2.0, a nickname for a person or people believed to be affiliated with the Russian influence operation and whose true identity was unknown.

In December, at least, it appears the FBI did not know Guccifer’s identity though they still believed it to be tied to Russia. Nevertheless that part of the investigation had already been spun out to San Francisco, the other side of the country from the Pittsburgh hack investigation.

Now, there have always been reasons to doubt the interpretation that Russian metadata invoking Felix Dzerzhinsky was proof that Guccifer was Russian, rather than disinformation casting blame on Russia. Here are two more recent pieces making that argument. And in Guccifer’s most recent posting — posted on January 12 but fairly obviously written and posted in advance — the persona used proper English. Nevertheless, that’s presumably not why this part of the investigation got spun off.

There are several other possibilities explaining why the Guccifer investigation is in San Francisco. That office, too, does a ton of cyber investigations, but virtually all of those involve Bay Area companies targeted as victims. So it’s possible the San Francisco office is leading the investigation because of some tie with an area company. Guccifer posted on WordPress, which is headquartered in San Francisco, so that could explain it. It’s also possible FBI believes there is a tie between Guccifer and Shadow Brokers. The latter persona is not mentioned by Reuters, but they are surely also being investigated, perhaps even separately from the Hal Martin investigation in Maryland. If that’s the case, the victim American firewall companies exposed in the first release are all headquartered in Silicon Valley (though they were initially victimized by NSA’s TAO hackers, unless the companies knew NSA was using those back doors).

There are two other interesting cases that might suggest why the Guccifer part of the investigation is out in San Francisco. First, the corrupt government agents who stole Bitcoin while they were investigating Silk Road were investigated and tried out there. I’ve always suspected that was done to make it harder for Ross Ulbricht to access information on that investigation in discovery (if that was the intent, it worked like a charm!). I’m not suggesting there’s anything like that going on here, but I can imagine reasons why the FBI might want to firewall some parts of this investigation from others.

Finally, note that Yevgeniy Aleksandrovich Nikulin, the credential theft hacker arrested in Prague in October, was investigated out of San Francisco, explicitly because his alleged victims are also located in the Bay Area. There have always been hints that that arrest might tie into the Russian investigation (not least because Nikulin is Russian), but this would seem to suggest there’s a tangential tie to it. So perhaps by the time FBI split up this investigation that theory had been developed.

Update: Laura Rozen reminds me via Twitter that Russia’s San Francisco Consulate was one of the locales from which diplomats were expelled.

A final comment. As interesting as it is that this investigation has split into three, I find it just as interesting that EDVA is not involved in it, which is where most international hacking investigations take place. I’ve got no explanation for why that might be, but it is as interesting a question as why the Guccifer investigation got sent out to San Francisco.

One thing is clear, though: For some reason, FBI thought it best to split two parts of what has been widely believed to have been part of the same operation — the hacking and (some of) the leaking — and conduct them completely across the country from each other.


Tuesday Morning: Don’t Drive Angry

February 2, 2016/10 Comments/in Culture, Cybersecurity, Environment /by Rayne

 [image: Chris Plascik via Flickr]


Okay, campers, rise and shine! It’s Groundhog Day! Like that genius film Groundhog Day, we are stuck in an unending, repeating hell — like the dark circus that is our general election cycle in the U.S.

The lesson: it’s hell by choice. Let’s choose better. What’ll we choose today?

BPS, replacement for plastic additive BPA, not so safe after all
Here’s a questionable choice we could examine: using BPS in “BPA-free” plastics. A study by Geffen School of Medicine at UCLA found that BPS negatively affects reproductive organs and increased the likelihood of “premature birth” in zebrafish, accelerating development of the embryos. Relatively small amounts and short exposures produced effects.

As disturbing as this finding may be, the FDA’s approach to BPA is worrisome. Unchanged since 2014 in spite of the many studies on BPA, the FDA’s website says BPA is safe. Wonder how long it will be before the FDA’s site says BPS is likewise safe?

Exoskeleton assists paraplegic for only $40,000
Adjustable to its wearer’s body, SuitX’s exoskeleton helps paraplegic users to walk, though crutches are still needed. It’s not a perfect answer to mobility given the amount of time it takes to put on the gear, but it could help paraplegics avoid injuries due to sitting for too long in wheelchairs. It’s much less expensive than a competing exoskeleton at $70K; the price is expected to fall over time.

SuitX received an NSF grant of $750,000 last April for its exoskeleton work. Seems like a ridiculous bargain considering how much we’ve already invested in DARPA and other MIC-development of exoskeletons with nothing commercial to show for it. Perhaps we should choose to fund more NSF grants instead of DOD research?

Patches and more patches — Cisco, Android, Microsoft

  • Networking equipment manufacturer Cisco pushed 11 patches last week to eliminate Denial of Service vulnerabilities across 42 products.
  • Google pushed an over-the-air update to their Android-based Nexus devices to patch exposures in Broadcom Wi-Fi.
  • Microsoft Windows 10 update released last week Wednesday if you haven’t already seen it. No Patch Tuesdays for Win 10. And if Microsoft has its way, no more Patch Tuesdays for any upgrade holdouts as it will push Win 10 even more aggressively down our throats.

Dudes behaving badly

  • Former Secret Service agent involved in the Silk Road investigation and later charged with theft of $800K in Bitcoins has been arrested just one day before he was to begin serving his sentence for theft. This Silk Road stuff is a movie or cable series waiting to happen.
  • Massachusetts Rep. Katherine Clark, who proposed the Interstate Swatting Hoax Act last November, was swatted this weekend. Fortunately, the local police used a low-key approach to the hoax call. Way to make the case for the bill’s passage, swatters, let alone increased law enforcement surveillance.

I know I’ve missed something I meant to post, but I’ll choose to post it tomorrow and crawl back into my nest this morning to avoid my shadow. In the meantime, don’t drive angry!


The Heroic IRS Agent Story Should Raise More Questions about Silk Road Investigation

December 28, 2015/11 Comments/in Cybersecurity, Drug War /by emptywheel

“In these technical investigations, people think they are too good to do the stupid old-school stuff. But I’m like, ‘Well, that stuff still works.’ ”

The NYT got this and many other direct quotes from IRS agent Gary Alford for a complimentary profile of him that ran on Christmas day. According to the story, Alford IDed Ross Ulbricht as a possible suspect for the Dread Pirate Roberts — the operator of the Dark Web site Silk Road — in early June 2013, but it took until September for Alford to get the prosecutor and DEA and FBI Agents working the case to listen to him. The profile claims Alford’s tip was “crucial,” though a typo suggests NYT editors couldn’t decide whether it was the crucial tip or just crucial.

In his case, though, the information he had was the crucial [sic] to solving one of the most vexing criminal cases of the last few years.

On its face, the story (and Alford’s quote) suggests the FBI is so entranced with its hacking ability that it has neglected very, very basic investigative approaches like Google searches. Indeed, if the story is true, it serves as proof that encryption and anonymity don’t thwart FBI investigations as much as Jim Comey would like us to believe when he argues the Bureau needs to back door all our communications.

But I don’t think the story tells the complete truth about the Silk Road investigation. I say that, first of all, because of the timing of Alford’s efforts to get others to further investigate Ulbricht. As noted, the story describes Alford IDing Ulbricht as a potential suspect in early June 2013, after which he put Ulbricht’s name in a DEA database of potential suspects, which presumably should have alerted anyone else on the team that US citizen Ross Ulbricht was a potential suspect in the investigation.

Mr. Alford’s preferred tool was Google. He used the advanced search option to look for material posted within specific date ranges. That brought him, during the last weekend of May 2013, to a chat room posting made just before Silk Road had gone online, in early 2011, by someone with the screen name “altoid.”

“Has anyone seen Silk Road yet?” altoid asked. “It’s kind of like an anonymous Amazon.com.”

The early date of the posting suggested that altoid might have inside knowledge about Silk Road.

During the first weekend of June 2013, Mr. Alford went through everything altoid had written, the online equivalent of sifting through trash cans near the scene of a crime. Mr. Alford eventually turned up a message that altoid had apparently deleted — but that had been preserved in the response of another user.

In that post, altoid asked for some programming help and gave his email address: [email protected]. Doing a Google search for Ross Ulbricht, Mr. Alford found a young man from Texas who, just like Dread Pirate Roberts, admired the free-market economist Ludwig von Mises and the libertarian politician Ron Paul — the first of many striking parallels Mr. Alford discovered that weekend.

When Mr. Alford took his findings to his supervisors and failed to generate any interest, he initially assumed that other agents had already found Mr. Ulbricht and ruled him out.

But he continued accumulating evidence, which emboldened Mr. Alford to put Mr. Ulbricht’s name on the D.E.A. database of potential suspects, next to the aliases altoid and Dread Pirate Roberts.

At the same time, though, Mr. Alford realized that he was not being told by the prosecutors about other significant developments in the case — a reminder, to Mr. Alford, of the lower status that the I.R.S. had in the eyes of other agencies. And when Mr. Alford tried to get more resources to track down Mr. Ulbricht, he wasn’t able to get the surveillance and the subpoenas he wanted.

Alford went to the FBI and DOJ with Ulbricht’s ID in June 2013, but FBI and DOJ refused to issue even subpoenas, much less surveil Ulbricht.

But over the subsequent months, Alford continued to investigate. In “early September” he had a colleague do another search on Ulbricht, which revealed he had been interviewed by Homeland Security in July 2013 for obtaining fake IDs.

In early September, he asked a colleague to run another background check on Mr. Ulbricht, in case he had missed something.

The colleague typed in the name and immediately looked up from her computer: “Hey, there is a case on this guy from July.”

Agents with Homeland Security had seized a package with nine fake IDs at the Canadian border, addressed to Mr. Ulbricht’s apartment in San Francisco. When the agents visited the apartment in mid-July, Mr. Ulbricht answered the door, and the agents identified him as the face on the IDs, without having any idea of his potential links to Silk Road.

When Alford told prosecutor Serrin Turner of the connection (again, this is September 2013), the AUSA finally did his own search in yet another database, the story claims, only to discover Ulbricht lived in the immediate vicinity of where Dread Pirate Roberts was accessing Silk Road. And that led the Feds to bust Ulbricht.

I find the story — the claim that without Alford’s Google searches, FBI did not and would not have IDed Ulbricht — suspect for two reasons.

First, early June is the date that FBI Agent Christopher Tarbell’s declaration showed (but did not claim) FBI first hacked Silk Road. That early June date was itself suspect because Tarbell’s declaration really showed data from as early as February 2013 (which is, incidentally, when Alford was first assigned to the team). In other words, while it still seems likely FBI was always lying about when it hacked into Silk Road, the coincidence between when Alford says he went to DOJ and the FBI with Ulbricht’s ID and when the evidence they were willing to share with the defense claimed to have first gotten a lead on Silk Road is of interest. All the more so given that the FBI claimed it could legally hack the server because it did not yet know the server was run by an American, and so it treated the Iceland-based server as a foreigner for surveillance purposes.

One thing that means is that DOJ may not have wanted to file paperwork to surveil Ulbricht because admitting they had probable cause to suspect an American was running Silk Road would make their hack illegal (and/or would have required FBI to start treating Ulbricht as the primary target of the investigation; it seems FBI may have been trying to do something else with this investigation). By delaying the time when DOJ took notice of the fact that Silk Road was run by an American, they could continue to squat on Silk Road without explaining to a judge what they were doing there.

The other reason I find this so interesting is because several of the actions to which corrupt DEA agent Carl Force pled guilty — selling fake IDs and providing inside information — took place between June and September 2013, during the precise period when everyone was ignoring Alford’s evidence and the fact that he had entered Ulbricht’s name as a possible alias for the Dread Pirate Roberts into a DEA database. Of particular note, Force’s guilty plea only admitted to selling the fake IDs for 400 bitcoin, and provided comparatively few details about that action, but the original complaint against Force explained he had sold the IDs for 800 bitcoin but refunded Ulbricht 400 bitcoin because “the deal for the fraudulent identification documents allegedly fell through” [emphasis mine].

Were those fake IDs that Force sold Ulbricht the ones seized by Homeland Security and investigated in July 2013? Did the complaint say the deal “allegedly” fell through because it didn’t so much fall through as get thwarted? Did something — perhaps actions by Force — prevent other team members from tying that seizure to Ulbricht? Or did everyone know about it, but pretend not to, until Alford made them pay attention (perhaps with a communications trail that other Feds couldn’t suppress)? Was the ID sale part of the investigation, meant to ID Ulbricht’s identity and location, but Force covered it up?

In other words, given the record of Force’s actions, it seems more likely that at least some people on the investigative team already knew what Alford found in a Google search, but for both investigative (the illegal hack that FBI might have wanted to extend for other investigative reasons) and criminal (the money Force was making) reasons, no one wanted to admit that fact.

Now, I’m not questioning the truth of what Alford told the NYT. But even his story (which is corroborated by people “briefed on the investigation,” but only one person who actually attended any of the meetings for it; most of those people are silent about Alford’s claims) suggests there may be other explanations why no one acted on his tip, particularly given the fact that he appears to have been unable to do database searches himself and that they refused to do further investigation into Ulbricht. (I also wonder whether Alford’s role explains why the government had the IRS in San Francisco investigate Force and corrupt Secret Service Agent Shaun Bridges, rather than New York, where agents would have known these details.)

Indeed, I actually think this complimentary profile might have been a way for Alford to expose further cover-ups in the Silk Road investigation without seeming to do so for any but self-interested reasons. Bridges was sentenced on December 7. Ulbricht was originally supposed to have submitted his opening appellate brief — focusing on Fourth Amendment issues that may be implicated by these details — on December 11, but on December 2, the court extended that deadline until January 12.

I don’t know whether Ulbricht’s defense learned these details. I’m admittedly not familiar enough with the public record to know, though given the emphasis on Tarbell’s declaration as the explanation for how they discovered Ulbricht and the NYT’s assertion Alford’s role and the delay was “largely left out of the documents and proceedings that led to Mr. Ulbricht’s conviction and life sentence this year,” I don’t think it is public. But if they didn’t, then the fact that the investigative team went out of their way to avoid confirming Ulbricht’s readily accessible identity until at least three and probably seven months after they started hacking Silk Road, even while key team members were stealing money from the investigation, might provide important new details about the government’s actions.

And if Alford gets delayed credit for doing simple Google searches as a result, all the better!


Chuck Schumer Got Results!

August 26, 2015/2 Comments/in Drug War, Financial Fraud /by emptywheel

Motherboard has an interesting new detail on the Silk Road investigation from a mostly refused FOIA.

The few pages released show the following timeline:

June 1, 2011: Gawker publishes this story describing Silk Road.

June 5, 2011: Chuck Schumer gives a press conference repeating details from the story and claiming,
The DEA has confirmed they are aware of the site, and while they won’t confirm or deny that an investigation is underway, from my years of experience, I’d bet my bottom dollar in this instance there is one underway,

June 6, 2011: NY Organized Crime Drug Enforcement Strike Force gets tasked with investigating Silk Road.

[image: Screen Shot 2015-08-26 at 12.52.58 PM]

June 15, 2011: DEA opened a Personal History Report for its investigation into Silk Road

[image: Screen Shot 2015-08-26 at 12.51.21 PM]


I find the Gawker-to-Schumer-to-New York law enforcement-to-feds chain very interesting given yesterday’s events.


A Remarkable Date for the Virgin Birth of the Silk Road Investigation

October 11, 2014/2 Comments/in EO 12333 /by emptywheel

As Wired first reported, there’s been an interesting exchange in the Silk Road prosecution. In September, the former FBI Agent who helped to bust accused Silk Road operator Ross Ulbricht, Christopher Tarbell, submitted a declaration explaining the genesis of the investigation by claiming the FBI got access to the Silk Road server because it became accessible via a non-Tor browser. In response, Ulbricht lawyer Joshua Horowitz submitted a declaration claiming Tarbell’s claims were implausible because the FBI wouldn’t have been able to get into Silk Road’s back end. The government responded by claiming that even if it did hack the website, it would not have been illegal.

Given that the SR Server was hosting a blatantly criminal website, it would have been reasonable for the FBI to “hack” into it in order to search it, as any such “hack” would simply have constituted a search of foreign property known to contain criminal evidence, for which a warrant was not necessary.

On Friday, Judge Katherine Forrest rejected Ulbricht’s efforts to throw out the evidence from the alleged hack, accepting the government’s argument that Ulbricht had no expectation of privacy on that server regardless of when and how the government accessed it.

The temporal problems with the government’s story

Most of the coverage on this exchange has focused on the technical claims. But just as interesting are the temporal claims. Horowitz summarizes that problem this way:

[S]everal critical files provided in discovery contain modification dates predating the first date Agent Tarbell claims Icelandic authorities imaged the Silk Road Server, thereby casting serious doubt on the chronology and methodology of his account;

The government claims that server was first imaged on July 23, 2013.

As I’ll lay out below, Horowitz and Tarbell provide a lot of details suggesting something — perhaps the imaging of the server, perhaps something more — happened six weeks earlier.

But before we get there, consider the date: June 6, 2013.

June 6, 2013 was the day after the afternoon publication of the first Snowden leak, and the day before the Guardian made it clear their leak included cyberwar materials.

That is, the FBI claims to have officially “found” the Silk Road server at the same time the Snowden leaks started, even while they date their investigation to 6 weeks later.

The June 6 materials

FBI’s Tarbell is much vaguer about this timing than Ulbricht’s team is. As Tarbell tells it, on some unknown date in early June 2013, he and a colleague were sniffing Silk Road data when they discovered an IP not known to be tied to Tor.

In or about early June 2013, another member of CY-2 and I closely examined the traffic data being sent from the Silk Road website when we entered responses to the prompts contained in the Silk Road login interface.

That led them to look further, according to Tarbell. When he typed the IP into a non-Tor browser, he discovered it was leaking.

When I typed the Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared. Based on my training and experience, this indicated that the Subject IP Address was the IP address of the SR Server, and that it was “leaking” from the SR Server because the computer code underlying the login interface was not properly configured at the time to work on Tor.

That led the government to ask Iceland, on June 12, to image the server. Iceland didn’t do so, according to the official narrative, until the next month.
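The leak Tarbell describes is a login page that pulls one resource, the CAPTCHA, from an address reachable outside Tor. What follows is an added example, not code from the original post or from the court filings, of the check an investigator (or a careful hidden-service operator) would run over a captured response: it parses the page for absolute URLs whose host is a literal IP or a non-.onion name, checks the Location and Set-Cookie headers the same way, and sweeps the raw body for stray IPv4 literals in inline script. The sample response, the onion name in it and the 203.0.113.x addresses are all constructed for the example.

```python
"""Find clear-net references in a response served by a Tor hidden service.

Added example: the sample response below is constructed (203.0.113.0/24 is a
documentation range, the .onion name is made up); nothing here is taken from
the Silk Road server or the filings.
"""
import ipaddress
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Attributes whose value a browser will fetch or follow.
URL_ATTRS = {"src", "href", "action", "data", "poster", "formaction"}
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def is_clearnet(url):
    """True if the URL names a host reachable without Tor.

    Relative URLs resolve against the onion the page was served from, so they
    are fine. A literal IP is never an onion address, and any hostname not
    under .onion is resolved through ordinary DNS by a non-Tor client, which
    is exactly the leak.
    """
    host = urlsplit(url).hostname
    if host is None:
        return False
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return not host.endswith(".onion")


class _RefCollector(HTMLParser):
    """Collect (tag, attribute, value) for every URL-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.refs = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in URL_ATTRS and value:
                self.refs.append((tag, name, value.strip()))


def find_leaks(headers, body):
    """Return [(where, value)] for every clear-net reference in a response."""
    leaks = []
    for name, value in headers.items():
        if name.lower() == "location" and is_clearnet(value):
            leaks.append((f"header:{name}", value))
        if name.lower() == "set-cookie":
            m = re.search(r"domain=([^;\s]+)", value, re.IGNORECASE)
            if m and is_clearnet("//" + m.group(1)):
                leaks.append((f"header:{name}", m.group(1)))

    collector = _RefCollector()
    collector.feed(body)
    for tag, attr, value in collector.refs:
        if is_clearnet(value):
            leaks.append((f"{tag}[{attr}]", value))

    # Literal IPv4s in inline script or comments are not attributes, so sweep
    # the raw body as well, skipping addresses already reported above.
    reported = [value for _, value in leaks]
    for ip in sorted(set(IPV4_RE.findall(body))):
        if not any(ip in value for value in reported):
            leaks.append(("body:ipv4", ip))
    return leaks


# Constructed sample: a login page whose CAPTCHA is fetched from a clear-net
# IP (the misconfiguration Tarbell describes) plus a stray IP in inline JS.
SAMPLE_HEADERS = {"Server": "nginx", "Set-Cookie": "session=abc123; Path=/; HttpOnly"}
SAMPLE_BODY = """<html><body>
<form action="/login" method="post">
  <input name="user"><input name="pass" type="password">
  <img src="http://203.0.113.49/captcha.php" alt="captcha">
  <a href="http://exampleonionaddress.onion/forum">forum</a>
  <script>var ping = "http://203.0.113.50/ping";</script>
</form></body></html>"""

if __name__ == "__main__":
    for where, value in find_leaks(SAMPLE_HEADERS, SAMPLE_BODY):
        print(f"LEAK {where}: {value}")
```

Run against the sample it reports the CAPTCHA image and the address in the inline script, and nothing for the relative form action or the onion link. The content check is only half of what Tarbell describes: the confirmation step is to request the leaked address directly from a non-Tor client and see the same CAPTCHA come back. The operator-side fix is the usual one, bind the web server to 127.0.0.1 and reach it only through the tor daemon, so that a leaked address is useless even if the page references it.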

The defense doesn’t buy this, in part because, on the government’s own account, Tarbell kept no packet logs of his sniffing, which would defy basic forensic practice.

Failure to preserve packet logs recorded while investigating the Silk Road servers would defy the most basic principles of forensic investigative techniques.

[snip]

[T]he government’s position is that former SA Tarbell conducted his investigation of Silk Road, and penetrated the Silk Road Server, without documenting his work in any way.

According to the government, the only record of Tarbell’s access to the server from this period is from access logs dated June 11.

[A]n excerpt of 19 lines from Nginx access logs, attached hereto as Exhibit 5, supposedly showing law enforcement access to the .49 server from a non-Tor IP address June 11, 2013, between 16:58:36 and 17:00:40. According to the Government, this is the only contemporaneous record of the actions described by the Tarbell Declaration at ¶¶ 7-8.
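Those 19 Nginx lines are the server-side trace of a direct hit. In the usual hidden-service layout, tor and the web server run on the same host and HiddenServicePort points at 127.0.0.1, so every legitimate request in the access log arrives from the loopback address; any other client address is someone who bypassed Tor. The following is an added example, not code from the filings, that parses combined-format access-log lines and summarizes every non-loopback client. The log lines are constructed; they borrow only the June 11, 2013 window quoted above, and the client address 203.0.113.7 is a placeholder.

```python
"""Summarize non-Tor (direct) clients in an nginx access log.

Added example. Assumes the usual hidden-service layout: tor and nginx on the
same host with HiddenServicePort pointing at 127.0.0.1, so legitimate
requests are logged from the loopback address. The log lines are constructed.
"""
import ipaddress
import re
from datetime import datetime

# nginx "combined" log_format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
# "$http_referer" "$http_user_agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)


def parse_line(line):
    """Parse one combined-format line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    parts = rec["request"].split()
    rec["path"] = parts[1] if len(parts) >= 2 else rec["request"]
    return rec


def direct_hits(lines):
    """Records whose client address is not loopback, i.e. did not arrive via tor."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        try:
            addr = ipaddress.ip_address(rec["ip"])
        except ValueError:
            continue  # unparseable remote address, not a routable client
        if not addr.is_loopback:
            hits.append(rec)
    return hits


def summarize(hits):
    """Per client IP: request count, first/last timestamp, distinct paths in order."""
    summary = {}
    for rec in hits:
        s = summary.setdefault(rec["ip"], {"count": 0, "first": rec["time"],
                                           "last": rec["time"], "paths": []})
        s["count"] += 1
        s["first"] = min(s["first"], rec["time"])
        s["last"] = max(s["last"], rec["time"])
        if rec["path"] not in s["paths"]:
            s["paths"].append(rec["path"])
    return summary


# Constructed sample: loopback traffic from tor plus one client that hit the
# server directly inside the window the defense filing quotes.
SAMPLE_LOG = [
    '127.0.0.1 - - [11/Jun/2013:16:57:02 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Jun/2013:16:58:36 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Jun/2013:16:58:37 +0000] "GET /captcha.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '127.0.0.1 - - [11/Jun/2013:16:59:10 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [11/Jun/2013:17:00:40 +0000] "GET /login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    'not a log line',
]

if __name__ == "__main__":
    for ip, s in summarize(direct_hits(SAMPLE_LOG)).items():
        print(f"{ip}: {s['count']} requests {s['first']:%H:%M:%S}-{s['last']:%H:%M:%S} {s['paths']}")
```

Two caveats a reviewer would raise. The loopback assumption fails if nginx sits behind a reverse proxy or uses `set_real_ip_from` / `X-Forwarded-For`, in which case the logged address is whatever the proxy reports. And an access log records only requests that reached the web server; it cannot substitute for the packet capture the defense says Tarbell should have preserved, which would have shown what the investigator's sniffer saw, including the direction of the leak.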

Given that this bears a particular date, I find it all the more curious that Tarbell doesn’t date when he was doing the packet sniffing.

There are a number of other details that point back to that June 6 date. Perhaps most significant is that on June 6 Iceland imaged a server Silk Road had earlier been using.

There are a total of 4 tarballs in the first item of discovery: home, var, all, and orange21 – all contained in .tar.gz files. The mtime for orange21.tar.gz is consistent with the July 23, 2013 image date. However, the other 3 tarballs have an mtime of June 6, 2013, as shown below:

  • root 30720 Jun 6 2013 home.tar.gz
  • root 737095680 Jun 6 2013 var.tar.gz
  • root 1728276480 Jun 6 2013 all.tar.gz
  • root 22360048285 Jul 23 2013 orange21.tar.gz

The modification date of the tarballs is consistent with an imaging date of June 6, 2013, a full six weeks before the July 23, 2013, imaging of the .49 Server, a fact never mentioned in the Tarbell Declaration.
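The check Horowitz is performing is a simple one: the artifacts an imaging produces cannot carry a modification time earlier than the imaging itself, so any that do point to an earlier collection. The following is an added example, not code from the filings, that parses the listing quoted above (the four lines are the ones in the Horowitz declaration; ordinary `ls -l` output is accepted too) and flags every entry whose mtime precedes the claimed July 23, 2013 imaging date, along with the size of the gap.

```python
"""Flag imaging artifacts whose mtime predates the claimed imaging date.

Added example. LISTING is the one quoted in the Horowitz declaration; the
parser also accepts ordinary `ls -l` output because it reads only the
trailing five fields (size month day year-or-time name).
"""
import re
from datetime import date, datetime

TIME_RE = re.compile(r"^\d{2}:\d{2}$")

LISTING = """\
root 30720 Jun 6 2013 home.tar.gz
root 737095680 Jun 6 2013 var.tar.gz
root 1728276480 Jun 6 2013 all.tar.gz
root 22360048285 Jul 23 2013 orange21.tar.gz
"""


def _as_date(d):
    """Accept a date object or an ISO 'YYYY-MM-DD' string."""
    return d if isinstance(d, date) else date.fromisoformat(d)


def parse_listing(text, default_year):
    """Return [{"name", "size", "mtime"}] for each ls-style line.

    ls prints HH:MM instead of a year for recent files; those are resolved
    with default_year, an approximation the caller has to accept. Filenames
    containing spaces are not handled.
    """
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # "total N" lines, blanks, truncated output
        size, mon, day, year_or_time, name = fields[-5:]
        if TIME_RE.match(year_or_time):
            mtime = datetime.strptime(f"{mon} {day} {default_year} {year_or_time}",
                                      "%b %d %Y %H:%M")
        else:
            mtime = datetime.strptime(f"{mon} {day} {year_or_time}", "%b %d %Y")
        entries.append({"name": name, "size": int(size), "mtime": mtime})
    return entries


def predating(entries, claimed):
    """Entries whose mtime is strictly before the claimed imaging date."""
    claimed = _as_date(claimed)
    return [e for e in entries if e["mtime"].date() < claimed]


def gap_days(entries, claimed):
    """Days between the earliest predating mtime and the claimed date (0 if none)."""
    claimed = _as_date(claimed)
    early = predating(entries, claimed)
    if not early:
        return 0
    return (claimed - min(e["mtime"].date() for e in early)).days


if __name__ == "__main__":
    claimed = "2013-07-23"
    entries = parse_listing(LISTING, 2013)
    for e in predating(entries, claimed):
        print(f"{e['name']}: mtime {e['mtime']:%Y-%m-%d} predates claimed imaging on {claimed}")
    print(f"earliest artifact predates the claimed date by {gap_days(entries, claimed)} days")
```

On the quoted listing this flags home, var and all, with the earliest mtime 47 days before July 23. The distinction that matters is between container artifacts and contents: files inside an image naturally predate it, so their mtimes prove nothing, whereas the tarballs are products of the collection and should not. The caveat a practitioner would add is that cp -p, rsync -a and tar -p preserve mtimes on copy, so a June 6 mtime shows when the artifact was written, not when it was added to the discovery set.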

As the defense points out, Tarbell never mentions that earlier imaging. He does note an earlier “lead” on a different server at the same Icelandic data center, one that had gone quiet by May, and he notes that after Ulbricht’s arrest the FBI found a log on his computer in which he recorded IP leaks from his servers.

5 After Ulbricht’s arrest, evidence was discovered on his computer reflecting that IP address leaks were a recurring problem for him. In a file containing a log Ulbricht kept of his actions in administering the Silk Road website, there are multiple entries discussing various leaks of IP addresses of servers involved in running the Silk Road website and the steps he took to remedy them. For example, a March 25, 2013 entry states that the server had been “ddosd” – i.e., subjected to a distributed denial of service attack, involving flooding the server with traffic – which, Ulbricht concluded, meant “someone knew the real IP.” The entry further notes that it appeared someone had “discovered the IP via a leak” and that Ulbricht “migrated to a new server” as a result. A May 3, 2013 entry similarly states: “Leaked IP of webserver to public and had to redeploy/shred [the server].” Another entry, from May 26, 2013, states that, as a result of changes he made to the Silk Road discussion forum, he “leaked [the] ip [address of the forum server] twice” and had to change servers.

[snip]

7 Several months earlier, the FBI had developed a lead on a different server at the same Data Center in Iceland (“Server-1”), which resulted in an official request for similar assistance with respect to that server on February 28, 2013. See Ex. B. Due to delays in processing the request, Icelandic authorities did not produce traffic data for Server-1 to the FBI until May 2013. See Ex. A. By the time the FBI received the Server-1 traffic data, there was little activity on Server-1, indicating that it was no longer hosting a website. (As a result, the FBI did not request that Icelandic authorities proceed with imaging Server-1.) There was still some outbound Tor traffic flowing from Server-1, though, consistent with it being used as a Tor node; yet Server-1 was not included in the public list of Tor nodes, see supra n.4. Based on this fact, I believed, by the time of the June 12 Request, that the administrator of Silk Road was using Server-1 as a Tor “bridge” when connecting to the SR Server, as indicated in the June 12 Request. See Ex. A, at 1. (A Tor “bridge” is a private Tor node that can be used to access the Tor network, as opposed to using a public Tor node that could be detected on one’s Internet traffic. See Tor: Bridges, available at http://torproject.org/docs/bridges.) To be clear, however, the traffic data obtained for Server-1 did not reflect any connection to, or otherwise lead to the identification of, the Subject IP Address. The Subject IP Address was independently identified solely by the means described above – i.e., by examining the traffic data sent back from the Silk Road website when we interacted with its user login interface.

The two other details that point to June 6 may not actually exonerate Ulbricht. Silk Road’s live-ssl config file was altered on June 7, which is the earliest date for the site configuration provided in discovery (though page 23 has some additional dates).

The mtime for the live-ssl configuration file provided in Item 1 of discovery is June 7, 2013, and the phpmyadmin configuration is July 6, 2013.8

8 Since Item 1 is the oldest image provided in discovery the defense does not have site configuration data prior to June 7, 2013.

And, as Horowitz reiterates, the earliest date for which the defense was provided discovery of a server imaging was June 6.

According to the government, the earliest image was captured June 6, 2013, and the latest in November 2013.

From a technical standpoint, I’m not sure what to make of this.

A remarkable coincidence

It’s clear, however, that the FBI was tracking Silk Road well before June, and for some reason decided to make June the official start date of their investigation (and, perhaps more significantly, the official start date for discovery; they’ve refused to provide earlier discovery because it won’t be used at trial). At the same time, Ulbricht’s defense seems reluctant to explain why they’re asking for earlier discovery; perhaps that’s because they’d have to admit Ulbricht was aware of probes of the website before then. Forrest rejected their argument because Ulbricht refused to submit a declaration that this was his server.

But I am rather struck by the timing. As I said, the first Edward Snowden stories — the June 5, 2013 Verizon release, which could have no tie to the Silk Road investigation, and, the next day, the WaPo and Guardian PRISM releases (there were very late Google and Facebook requests that seem like parallel construction, but since Ulbricht is a US citizen, his communications should not have been available via PRISM) — came roughly the day before Iceland imaged the other server.

I asked both Glenn Greenwald and Bart Gellman, and it seems the earliest the government could have had official notice of that story was late on June 4, though probably June 5 (things get funny with the Guardian, apparently, because of Greenwich Mean Time). A leak more relevant to the Silk Road investigation was the Presidential Policy Directive on cyberwar, which the Guardian published on June 7 (they may not have warned the government until that morning, however).

So it may all be one big coincidence — that the government created a virgin birth for the Silk Road investigation that happened to be the same day that a torrent of leaks on the NSA and GCHQ started, ultimately revealing things like the government’s targeting of the Tor network (just days after Ulbricht was arrested on October 2, 2013).

But it certainly seems possible that those investigating Silk Road felt the need to begin to roll up the investigation as that torrent of leaks started, perhaps worrying that the methods they (or GCHQ) were using might be exposed before they had collected the evidence.

Update: A few more points about this. My suspicion is that, if there is a tie between the Snowden leaks and the Silk Road investigation, it stems from the government’s recognition that some of the methods it used to find Ulbricht would become known through Snowden’s leaks, so it moved to establish an alternate means of discovery before Ulbricht might learn of those actual methods. As one example, recall that subsequent to Snowden’s leaks about XKeyscore, Jacob Appelbaum got information showing XKeyscore tracks those who use Tor. While there are a number of things it seems Ulbricht’s lawyers believe were parallel constructed (unnamed “law enforcement officers” got warrants for his Gmail and Facebook accounts in September), they most aggressively fought the use of a Title III Pen Register to track IP addresses personally associated with Ulbricht, also in September. It seems that would have been available via other means, especially XKeyscore, since Ulbricht’s encrypted communications could be retained indefinitely under NSA’s minimization procedures.

Additionally, the language the government used to refuse information on a range of law enforcement and spying agencies sure sounds like they clean-teamed this investigation.

The Government also objects to the unbounded definition of the term “government” set forth in the September 17 Requests. Specifically, the requests ask the prosecution to search for information within “not only the United States Attorney’s Office for the Southern District of New York, but also the Offices in all other Districts, any and all government entities and law enforcement agencies, including but not limited to the Federal Bureau of Investigation, Central Intelligence Agency, Drug Enforcement Administration, Immigration and Customs Enforcement Homeland Security Investigations, National Security Agency, and any foreign government and/or intelligence agencies, particularly those with which the U.S. has a cooperative intelligence gathering relationship, i.e., Government Communications Headquarters (“GCHQ”), the British counterpart to the NSA.”

Even in the Brady context, the law is clear that a prosecutor has a duty to learn only of “evidence known to . . . others acting on the government’s behalf in the case.”

The government is not denying they had other means to identify Ulbricht (nor is it denying that it worked with partners like GCHQ on this). Rather, it is just claiming that the FBI officers involved in this prosecution didn’t see those methods.

Posted by emptywheel on October 11, 2014 (updated October 12, 2014): A Remarkable Date for the Virgin Birth of the Silk Road Investigation