Being low-tech and confused by ex-FBI agent Tarbell’s explanation of how he found the Silk Road server – as well as the many rebuttals saying it was impossible – I wanted an explanation in plain English. I figured a good person to ask was Joshua Horowitz, Ross’ defense attorney and author of the Horowitz declaration, an 18 page affidavit of detailed information showing why Tarbell’s declaration is implausible. Below is what he said:
The activity that Tarbell describes where he “examin[ed] the individual packets of data being sent back from the website,” is called packet sniffing. This is accomplished using a piece of software called a packet sniffer, which keeps a log of all of the web traffic (packets) that are transmitted and received over a network device. These logs contain a bunch of information about each packet, including the source and destination IP addresses for each individual packet. Looking at that you can tell where each packet is coming from and where it’s going.
Without explicitly saying so, Tarbell’s explanation is that he was looking at logged data of packets he was receiving from the Silk Road server to determine its IP address.
The problem is that the government hasn’t produced any logs of this web traffic. As I explained in the declaration, when you use packet sniffing software such as Wireshark, the most popular tool out there (and one the FBI gave us a copy of, so we are sure they know how to use it), it automatically records each individual packet and saves this information onto your computer, unless of course you quit the program without saving the information.
Think of it this way:
You open up your word processor and type a blog entry. Before exiting the program it will automatically ask you if you want to save the document. Common sense tells you to save your work so it’s not lost forever.
Now take that scenario (the blog entry) and think of it in the context of one of the most important law enforcement investigations of your career. Again, common sense would tell you to save your work (100x over in my opinion). The government tells us that this didn’t happen, that Tarbell didn’t save his work! This assumes, of course, that this is how it was all accomplished.
Secondly, Tarbell claims that he “typed Subject IP Address into an ordinary (non-Tor) web browser, a part of the Silk Road login screen (the CAPTCHA prompt) appeared.” Yet this didn’t happen either. What he got, based on the excerpt from the server logs the government provided to us, was the login page to phpMyAdmin.
As I explained in the declaration, this is very popular software installed on millions of web servers around the world for administrating MySQL databases. The fact that it’s installed on a webserver gives no indication of what’s happening behind the scenes on the server, let alone that there’s any criminal activity going on.
In sum, the government’s explanation leaves us with far more questions than it answers.
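To make the packet-sniffing point above concrete, here is an added example (not from Horowitz or from the case filings) that builds a few constructed IPv4 packets, saves them in the libpcap file format that capture tools such as Wireshark and tcpdump write, reads the file back, and pulls the source and destination addresses out of each record. The addresses, timestamps and payloads are made up (RFC 5737 documentation ranges), and the script never touches a network interface; it only shows what a saved capture file contains and why an analyst can later point to exactly which host each packet came from.

```python
import os
import socket
import struct
import tempfile

# libpcap file-format constants (from the public pcap spec, not from the post)
PCAP_MAGIC = 0xA1B2C3D4      # little-endian magic, microsecond timestamps
LINKTYPE_RAW = 101           # each record starts directly with an IPv4/IPv6 header


def build_ipv4_packet(src, dst, payload=b""):
    """Construct a minimal IPv4/TCP packet: 20-byte header, checksum left at zero."""
    version_ihl = (4 << 4) | 5                       # IPv4, header is 5 x 32-bit words
    total_len = 20 + len(payload)
    header = struct.pack(
        "!BBHHHBBH4s4s",
        version_ihl, 0, total_len, 0, 0, 64, 6, 0,   # ttl 64, protocol 6 = TCP
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return header + payload


def write_pcap(path, packets, t0=1_380_000_000):
    """Write packets to a pcap file: one global header, then a record header per packet."""
    with open(path, "wb") as f:
        # magic, version major/minor, thiszone, sigfigs, snaplen, linktype
        f.write(struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_RAW))
        for i, pkt in enumerate(packets):
            # ts_sec, ts_usec, incl_len (bytes saved), orig_len (bytes on the wire)
            f.write(struct.pack("<IIII", t0 + i, 0, len(pkt), len(pkt)))
            f.write(pkt)


def read_pcap(path):
    """Read a saved capture back, returning (timestamp, packet_bytes) for every record."""
    records = []
    with open(path, "rb") as f:
        magic, _maj, _min, _tz, _sig, _snap, linktype = struct.unpack("<IHHiIII", f.read(24))
        if magic != PCAP_MAGIC or linktype != LINKTYPE_RAW:
            raise ValueError("not a little-endian raw-IP pcap file")
        while True:
            hdr = f.read(16)
            if len(hdr) < 16:          # end of file (or a truncated record header)
                break
            ts_sec, _ts_usec, incl_len, _orig_len = struct.unpack("<IIII", hdr)
            records.append((ts_sec, f.read(incl_len)))
    return records


def extract_endpoints(packet):
    """Source and destination live at fixed offsets 12 and 16 of the IPv4 header."""
    if packet[0] >> 4 != 4:
        raise ValueError("only IPv4 is handled in this example")
    return socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])


def summarize_capture(path):
    """What an analyst reads off a saved capture: when, who sent it, who received it."""
    return [(ts, *extract_endpoints(pkt)) for ts, pkt in read_pcap(path)]


def demo():
    # Constructed sample traffic: a client requesting a page and the server replying.
    # Both addresses are documentation ranges (RFC 5737), not real hosts.
    client, server = "192.0.2.10", "203.0.113.5"
    packets = [
        build_ipv4_packet(client, server, b"GET / HTTP/1.1\r\n"),
        build_ipv4_packet(server, client, b"HTTP/1.1 200 OK\r\n"),
        build_ipv4_packet(server, client, b"<html>"),
    ]
    fd, path = tempfile.mkstemp(suffix=".pcap")
    os.close(fd)
    try:
        write_pcap(path, packets)      # the "save your work" step
        return summarize_capture(path)
    finally:
        os.remove(path)


if __name__ == "__main__":
    for ts, src, dst in demo():
        print(f"{ts}  {src:>15} -> {dst}")
```

The file written here is the artefact that would normally be preserved as evidence: every record carries a timestamp and the full bytes of the packet, so the source address of each reply can be read from the file long after the capture session ended, which is the point Horowitz is making about what should have been produced.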