List:       nginx
Subject:    Re: Reporter looking to talk about the Silk Road Case / Special Agent Chris Tarbell
From:       Matthew Phelan <matthew.phelan () gawker ! com>
Date:       2015-02-19 18:54:48
Message-ID: CAAQdb7vv4ugrmuFjPS1YTeJsPs+J0jUNovvFCQ9q4uD+0F1=Ew () mail ! gmail ! com

Hey, all.

Firstly, I want to apologize, if anyone finds me trawling for expert
opinions on this list, in any way, irritating.

Secondly, I am still hoping to find someone with thorough knowledge of
nginx who might be able to speak to this debate about the Icelandic server in
the Silk Road trial.

Just keeping this thread alive, in case just such a someone turns up.

Warm Regards, Sincerely,
Matthew

On Fri, Feb 13, 2015 at 4:21 PM, Matthew Phelan <matthew.phelan@gawker.com>
wrote:

> Thanks for the interest, B.R.
>
>
>
> ---
>
> *The only way to understand how the backend server behaves is to see
> its whole configuration, namely 'Exhibit 6' which I cannot seem to find.*
> / *Do you have a direct link to it?*
>
> Sadly, no. Here <http://antilop.cc/sr/#exhibit>, you will find a torrent
> to "all the evidentiary exhibits" introduced during the trial of Ross
> Ulbricht <https://t.co/hhsB3Ykjsz>. Exhibit 6 should be in that torrent
> somewhere.
>
>
> *It would also be interesting to know where the agent attempted to connect
> from. If he already had access to the front-end server through
> compromise, he could then initiate connections from there successfully.*
>
> *Is it said he managed to connect to that backend directly from outside
> the infrastructure?*
> I may be wrong, but my recollection is that "Yes" it has been said that
> Tarbell managed to connect from outside the infrastructure. This is perhaps
> why certain commentators have found the Tarbell declaration implausible.
>
> ---
>
> Best,
> Matthew
>
> On Fri, Feb 13, 2015 at 4:05 PM, B.R. <reallfqq-nginx@yahoo.fr> wrote:
>
>> Partial information = partial answer.
>>
>> I do not know the case so maybe questions I will ask have obvious answers.
>>
>> The only way to understand how the backend server behaves is to see its
>> whole configuration, namely 'Exhibit 6' which I cannot seem to find.
>> Do you have a direct link to it?
>>
>> It would also be interesting to know where the agent attempted to connect
>> *from*. If he already had access to the front-end server through
>> compromise, he could then initiate connections from there successfully.
>> Is it said he managed to connect to that backend directly from outside
>> the infrastructure? That looks improbable to me since I consider people
>> behind such activities hiding on the Tor network know what they are doing and
>> are most probably paranoid.
>> ---
>> *B. R.*
>>
>> On Fri, Feb 13, 2015 at 8:34 PM, Matthew Phelan <
>> matthew.phelan@gawker.com> wrote:
>>
>>> Hey all, esteemed members of this Nginx mailing list.
>>>
>>>
>>> I'm a freelance reporter (former Onion headline writer and former
>>> chemical engineer) trying to gather some kind of technical consensus on a
>>> part of the Silk Road pretrial that seems to have become mired in needless
>>> ambiguity. Specifically, the prosecution's explanation for how they were
>>> able to locate the Silk Road's Icelandic server IP address.
>>>
>>> You may have seen Australian hacker Nik Cubrilovic's long piece
>>> <https://www.nikcub.com/posts/analyzing-fbi-explanation-silk-road/> on
>>> how it, at least, appears that the government has submitted a deeply
>>> implausible scenario for how they came to locate the Silk Road server. Or Bruce
>>> Schneier's comments
>>> <https://www.schneier.com/blog/archives/2014/10/how_did_the_fed.html>.
>>> Or someone else's. (The court records are hyperlinked in the article, but
>>> they can be found here
>>> <http://www.scribd.com/doc/238796613/Silk-Road-Prosecution-4th-Amendment-Rebuttall>
>>> and here
>>> <http://ia700603.us.archive.org/21/items/gov.uscourts.nysd.422824/gov.uscourts.nysd.422824.57.0.pdf>,
>>> if you'd rather peruse them without Nik's logic prejudicing your own
>>> opinion. In addition, here
>>> <http://cdn.arstechnica.net/wp-content/uploads/2014/10/horowitzdec.pdf>'s
>>> the opinion of defendant Ross Ulbricht's lawyer Josh Horowitz, himself a
>>> technical expert in this field, wherein he echoes Nik Cubrilovic's critical
>>> interpretation of the state's discovery disclosures.)
>>>
>>> I'm hoping that your collective area of expertise in Nginx might allow
>>> some of you to comment on this portion of the case, ideally on the record,
>>> for an article I'm working on.
>>>
>>> My goal is to amass many expert opinions on this. It seems like a very
>>> open and shut case that beat reporters covering it last October gave a
>>> little too much "He said. She said."-style false equivalency.
>>>
>>> I know this is a cold call. PLEASED TO MEET YOU!
>>>
>>> *Here, below, is the main question, I believe:*
>>>
>>> This portion of the defense's expert criticism
>>> <http://cdn.arstechnica.net/wp-content/uploads/2014/10/horowitzdec.pdf>
>>> of the prosecution's testimony from former SA Chris Tarbell
>>> <http://ia700603.us.archive.org/21/items/gov.uscourts.nysd.422824/gov.uscourts.nysd.422824.57.0.pdf>
>>> (at least) appears the most clear cut and definitive:
>>>
>>>  ¶ 7. Without identification by the Government, it was impossible to
>>> pinpoint the 19 lines in the access logs showing the date and time of law
>>> enforcement access to the .49 server.
>>>
>>> 23. The "live-ssl" configuration controls access to the market data
>>> contained on the .49 server. This is evident from the configuration line:
>>>           root /var/www/market/public
>>> which tells the Nginx web server that the folder "public" contains the
>>> website content to load when visitors access the site.
>>>
>>> 24. The critical configuration lines from the live-ssl file are:
>>>           allow 127.0.0.1;
>>>           allow 62.75.246.20;
>>>           deny all;
>>> These lines tell the web server to allow access from IP addresses
>>> 127.0.0.1 and 65.75.246.20, and to deny all other IP addresses from
>>> connecting to the web server. IP address 127.0.0.1 is commonly referred to
>>> in computer networking as "localhost" i.e., the machine itself, which would
>>> allow the server to connect to itself. 65.75.246.20, as discussed ante, is
>>> the IP address for the front-end server, which must be permitted to access
>>> the back-end server. The "deny all" line tells the web server to deny
>>> connections from any IP address for which there is no specific exception
>>> provided.
>>>
>>> 25. Based on this configuration, it would have been impossible for
>>> Special Agent Tarbell to access the portion of the .49 server containing
>>> the Silk Road market data, including a portion of the login page, simply by
>>> entering the IP address of the server in his browser.
>>>
>>> Does it seem like the defense is making a reasonably sound argument
>>> here? Are there any glaring holes in their reasoning to you? Etc.? (I would
>>> gladly rather have an answer to this that is filled with qualifiers and
>>> hedges than no answer at all, and as such, hereby promise that I will
>>> felicitously include all those qualifiers and hedges when quoting.)
>>>
>>> Any other observations on this pre-trial debate would also be welcome.
>>>
>>> Thanks for your time, very, very, sincerely.
>>>
>>> Best Regards,
>>> Matthew
>>> --
>>>
>>> *Matthew D. Phelan*
>>> "editorial contractor"
>>>
>>> *Black Bag ▴ Gawker <http://blackbag.gawker.com>*
>>> @CBMDP <https://twitter.com/CBMDP> // twitter
>>> 917.859.1266 // cellular telephone
>>> matthew.phelan@gawker.com // PGP Public Key
>>> <http://pgp.mit.edu/pks/lookup?op=get&search=0x11E842642C4B4E99> //
>>> email
>>>
>>> _______________________________________________
>>> nginx mailing list
>>> nginx@nginx.org
>>> http://mailman.nginx.org/mailman/listinfo/nginx
>>>
>>
>>
>> _______________________________________________
>> nginx mailing list
>> nginx@nginx.org
>> http://mailman.nginx.org/mailman/listinfo/nginx
>>
>
>

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
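
As an added illustration (not part of the thread and not taken from any court exhibit), the Python sketch below models how nginx's access module evaluates the three `allow`/`deny` lines quoted above: in order, with the first matching rule deciding. The sample client addresses other than those quoted are constructed, and the model covers a single configuration context only; other `server` or `location` blocks carry their own rules, which is why the whole configuration matters.

```python
import ipaddress

# The three access rules exactly as quoted on this page from the live-ssl file.
LIVE_SSL_RULES = """
allow 127.0.0.1;
allow 62.75.246.20;
deny all;
"""

def parse_rules(text):
    """Parse 'allow|deny <address|CIDR|all>;' lines into (action, network) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if not line.endswith(";"):
            raise ValueError(f"missing ';' in directive: {raw!r}")
        parts = line[:-1].split()
        if len(parts) != 2 or parts[0] not in ("allow", "deny"):
            raise ValueError(f"not an allow/deny directive: {raw!r}")
        action, target = parts
        # 'all' matches every client; None stands for that here.
        network = None if target == "all" else ipaddress.ip_network(target, strict=False)
        rules.append((action, network))
    return rules

def is_allowed(rules, client_ip):
    """First matching rule decides. client_ip is the peer address as the
    server sees it, so a proxied request arrives with the proxy's address.
    With no matching rule (or no rules at all) the request is not blocked."""
    addr = ipaddress.ip_address(client_ip)
    for action, network in rules:
        if network is None or (addr.version == network.version and addr in network):
            return action == "allow"
    return True

def decisions(rules_text, clients):
    """Map each client address to True (served) or False (403 Forbidden)."""
    rules = parse_rules(rules_text)
    return {ip: is_allowed(rules, ip) for ip in clients}

# Constructed sample clients for the illustration.
SAMPLE_CLIENTS = [
    "127.0.0.1",      # localhost, first quoted allow line
    "62.75.246.20",   # address as written in the quoted config lines
    "65.75.246.20",   # address as written in the quoted explanatory prose
    "203.0.113.7",    # constructed outside client (documentation range)
]

if __name__ == "__main__":
    for ip, ok in decisions(LIVE_SSL_RULES, SAMPLE_CLIENTS).items():
        print(f"{ip:15} {'allowed' if ok else 'denied (403)'}")
    # A hypothetical context with no allow/deny lines blocks nobody.
    print("no rules:", is_allowed([], "203.0.113.7"))
```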
