Hacker News

There are some jigsaw pieces missing here.

If the nginx configuration for port 443 did indeed not restrict access to [star].php, then that means that index.php would have been accessible to the Internet at large (although HTML elements with other suffixes - e.g. .jpg, .css, .js - would not have been served).

If the CAPTCHA element's URL also ended in .php, then it's not beyond the realms of possibility that Tarbell could type the IP address, followed by /index.php and end up seeing a screwed-up version of the SR home page, with the CAPTCHA as he describes in his testimony.

The log file entries cited are for port 80, whereas the SR webserver ran on port 443.

If the defence already have all the log files, they should grep for 199.170.71.133 in the 443 logs and/or search for a group of log file entries with simultaneous successful serves of anything ending in .php, with "permission denied" failures for things not ending in .php.

Incidentally, the May 3, 2013 webserver IP leak referred to in footnote 5 to Tarbell's testimony syncs up nicely with the date of this thread on Reddit: https://www.reddit.com/r/SilkRoad/comments/1dmznd/should_we_...

Credit to Michael Koziarski for the Reddit link: http://krebsonsecurity.com/2014/10/silk-road-lawyers-poke-ho...
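
The log search suggested in the comment above, sketched as an added example (not part of the original comment): it groups access-log entries by client and reports any client that was served a `.php` path with a 200 while being refused a non-`.php` path within a few seconds. Assumptions: nginx's default "combined" access-log format, "permission denied" appearing as HTTP 403, a 10-second window, and constructed sample lines; `find_php_only_bursts` and its `client_ip` filter are hypothetical names.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumes nginx's default "combined" access-log format; adjust if log_format differs.
LINE_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                     r'"\S+ (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse(line):
    """Return (ip, timestamp, path without query string, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"].split("?", 1)[0], int(m["status"])

def find_php_only_bursts(lines, window=timedelta(seconds=10), client_ip=None):
    """Map each client IP to (served, denied) pairs: a 200 on a .php path and a
    403 on a non-.php path that occurred within `window` of each other."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec and (client_ip is None or rec[0] == client_ip):
            by_ip[rec[0]].append(rec[1:])
    hits = {}
    for ip, recs in by_ip.items():
        served = [(ts, p) for ts, p, st in recs if st == 200 and p.endswith(".php")]
        denied = [(ts, p) for ts, p, st in recs if st == 403 and not p.endswith(".php")]
        pairs = [(s, d) for s in served for d in denied if abs(s[0] - d[0]) <= window]
        if pairs:
            hits[ip] = pairs
    return hits

# Constructed sample lines (documentation-range addresses, made-up paths and times).
SAMPLE = [
    '203.0.113.7 - - [01/Jan/2013:12:00:00 +0000] "GET /index.php HTTP/1.1" 200 2616 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2013:12:00:01 +0000] "GET /captcha.php?k=1 HTTP/1.1" 200 4312 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2013:12:00:01 +0000] "GET /css/site.css HTTP/1.1" 403 162 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2013:12:10:02 +0000] "GET /index.php HTTP/1.1" 200 2616 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [01/Jan/2013:12:10:02 +0000] "GET /css/site.css HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
    '192.0.2.44 - - [01/Jan/2013:13:00:00 +0000] "GET /logo.jpg HTTP/1.1" 403 162 "-" "-"',
]

if __name__ == "__main__":
    for ip, pairs in find_php_only_bursts(SAMPLE).items():
        for (t1, php), (t2, other) in pairs:
            print(f"{ip}: 200 {php} at {t1}  /  403 {other} at {t2}")
```

Passing `client_ip` restricts the search to a single address, which corresponds to the grep-for-one-IP step in the comment.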


