Messages - astor

61
There is no version 23.1. I was upgraded to version 24 today. That is the security (and feature) update to 23. :)

62
Security / Re: TOR and its recent issues (and impact on SR)
« on: September 17, 2013, 10:00 pm »
I think most people figured out they should upgrade to Tor 0.2.4 a week or two ago. A bigger issue is the botnet load combining with the daily user surge in the US daytime, which makes the market difficult to access. I was watching my log earlier today and saw a "200" OK message for the rendezvous descriptor fetch, meaning the market's Tor was up and working, but noticed a bunch of "failed to connect to intro N times" messages, along with another message about waiting for intro-ack at the rendezvous.

The message about intros means that the intro points are basically being DOSed by all the users and many of us can't reach them. It may be possible to mitigate this problem if DPR increases the number of intro points, following this: http://dkn255hz262ypmii.onion/index.php?topic=153182.msg1063761#msg1063761

The message about the rendezvous point means that the user's client has established a connection but the market's client is failing to connect to that relay. Not sure what could be done about that. It's a product of the load on the market's Tor client from the users combined with the overall load on the network from the botnet.


63
I'm pretty sure Firefox gets updated in any Ubuntu LTS without the PPA. Mine does. Since Mozilla doesn't maintain older versions (except the ESR), each new version is considered a "security update", so they are updated in the LTSes.

64
Silk Road discussion / Re: SockPuppet Ratings inflate bad vendors
« on: September 17, 2013, 02:49 pm »
We've known it's been happening. That's what the buyer stats are supposed to help you catch. If you see a bunch of reviews from buyers with 1+ purchases and 1+ vendors, be suspicious.

65
Security / Re: Attack on BitMessage
« on: September 17, 2013, 01:09 pm »
Read this guy's blog http://blog.cryptographyengineering.com/ on a regular basis

Isn't that the same guy who was involved in developing Zerocoin?

http://blog.cryptographyengineering.com/2013/04/zerocoin-making-bitcoin-anonymous.html

66
Security / Attack on BitMessage
« on: September 17, 2013, 04:29 am »
Looks like this was both a DOS and enumeration attack. We need something better.

http://www.reddit.com/r/onions/comments/1mdlre/tormail_is_down_so_now_we_have_this_new_one/cc8g4bx

Quote
Bitmessage relies on Proof Of Work to "control spam". In order to send a message you need to do computational work. Everyone gets a copy of every message ever sent too, you just can't read them all.

This design decision is objectively horrible. If you have a cluster or even a CUDA Enabled Graphics card, you have more message sending capacity, you can spam and the rest of the network cannot keep up and basically will eventually only be sending your messages. Basically it's incredibly weak to network wide denial of service. In addition if you have lots of people that need to send messages, i.e. it would attempt to replace email, everyone would have a copy of every encrypted message.

Bitmessage simply will never scale and is incredibly weak to DoS.


http://secupost.net

Quote
Alright, the messages sent out a few days ago are starting to expire now. It's time for everyone to learn what the purpose of secupost.net is.

As many of you guessed, this is indeed a Bitmessage address to IP address mapper. Yes, the only thing that webserver would send was a 500 message.

It did alright too, gathering nearly 500 bitmessage users information after sending 15000 messages. Double what I expected.

I've included both a log of each address detected and the first thing to hit it including IP, reverse DNS and useragent as well as raw logs for every valid request. If you need to confirm this signature so you can verify messages from me when bitmessage is down, please see the bitmessage general chan for a copy from my bitmessage address.

So, future lessons:
- Yes, all bitmessage addresses are public and can be read from your messages.dat file using a small script.
- Don't click links. Even if it looks like a security-related site and uses some technical terms. I am not a nice person, I will publish any information I can gather about you and I don't care if you get lit on fire by terrorists because of it.
- Bitmessage does _not_ scale. It took me around 3.5 hours to send ~15k messages but it took the bitmessage network over 18 hours to fully propagate them.

Some of you were smart enough to use tor or VPN providers, but many of these are direct home or server IPs. The information below is more than enough for any government to come after you or any script kiddie to DDoS you. Be more careful next time.

Some of you tried to use scripts to claim addresses which weren't yours and skew the data, of course, you didn't even change your user-agent.

Even without accounting for that, your attacks were ineffective because the IDs were generated in a non-linear fashion using a cropped HMAC-SHA256. To find your id:

import hashlib
import hmac
from struct import unpack
def gen_mac(addr):
   mac = hmac.new(b"fuck you", addr, hashlib.sha256).digest()
   return unpack('>I', mac[0:4])[0]

This simple deterministic method means that you would have had to try... (2^32/15000)/2 = 143165 times on average just to get a single collision. Thanks for playing, but no luck this time.

This service has been operated completely anonymously thanks to Tor and Bitcoin. I hope you enjoy the result.
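
The truncated-HMAC ID scheme and the guessing estimate from the quoted message, worked through as an added example (not code from this post or from the quoted operator). The key, the placeholder addresses and all function names are constructed for illustration; the expected-guess figure assumes independent, uniformly random 32-bit guesses.

```python
import hashlib
import hmac
import random
from struct import unpack

KEY = b"constructed-demo-key"  # assumption: stand-in for the operator's secret
ID_SPACE = 2 ** 32             # an ID is the first 4 bytes of the HMAC output


def gen_id(addr: bytes, key: bytes = KEY) -> int:
    """Truncated HMAC-SHA256: first 4 bytes as a big-endian unsigned int."""
    mac = hmac.new(key, addr, hashlib.sha256).digest()
    return unpack(">I", mac[:4])[0]


def issue_ids(n: int) -> set:
    """Issue IDs for n constructed placeholder addresses (not real ones)."""
    return {gen_id(b"BM-constructed-%d" % i) for i in range(n)}


def hit_probability(n_issued: int) -> float:
    """Chance that one uniformly random 32-bit guess equals an issued ID."""
    return n_issued / ID_SPACE


def expected_guesses(n_issued: int) -> float:
    """Mean of the geometric distribution: guesses until the first hit."""
    return ID_SPACE / n_issued


def simulate_forgeries(issued: set, attempts: int, seed: int = 1) -> int:
    """Count how many random forged IDs happen to match an issued one."""
    rng = random.Random(seed)
    return sum(rng.randrange(ID_SPACE) in issued for _ in range(attempts))


if __name__ == "__main__":
    issued = issue_ids(15000)
    print("distinct IDs issued:", len(issued))
    print("per-guess hit probability: %.2e" % hit_probability(len(issued)))
    print("expected guesses per hit: %.0f" % expected_guesses(len(issued)))
    print("hits in 10000 forged requests:", simulate_forgeries(issued, 10000))
```

Without the key, an ID cannot be derived from an address, so a forged request only counts if it lands on one of the issued values by chance. The 4-byte truncation is what sets the size of that space.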

67
Security / Re: Another PGP question
« on: September 16, 2013, 04:40 pm »
Here's a simple GPG4USB tutorial: http://dkn255hz262ypmii.onion/index.php?topic=206998.msg1487769#msg1487769

But if this guy is having so much trouble with PGP, you have to wonder how much his other security practices suck.

68
Security / Re: what email to use?
« on: September 15, 2013, 08:23 pm »
bitmessage.ch is what I use. The hidden service is bitmailendavkbec.onion

You can use Thunderbird+TorBirdy+Enigmail to access your account. And I think it goes without saying to always use GPG with it.

So you don't need to run BitMessage to use it? What's the point then? You're getting a shitty, unreadable email address on a clearnet server, when you could register a readable email address at another clearnet email provider.

69
Security / Re: what email to use?
« on: September 14, 2013, 11:39 pm »
would be curious to learn those stories of riseup.net ratting people out. any links?

I don't know if they've ratted anybody out, but a server that was hosting one of their services (an anonymous remailer) was seized by the FBI.

https://help.riseup.net/en/seizure-2012-april

That's the problem with hosting in America.

70
Security / Re: what email to use?
« on: September 14, 2013, 11:37 pm »
check out riseup.net - great ethos and very good service.
the advice on PGP is gold - nobody can be trusted, so encrypt everything, but do assume that not in a very far future it will be possible to read even that.
Be safe,
IM

That's terrible advice. They'll dime you out the moment they suspect anything illegal. You'd be better off using Yahoo and encrypting all your emails than using Riseup.

They are also an American organization with servers in America. Same with Yahoo. If you really need a clearnet email provider, go with something hosted in Russia. Their government and intel agencies are much less likely to cooperate with Western LE. Yandex (mail.yandex.com) and Rambler (mail.rambler.ru) are good examples. Rambler's interface is in Russian, there is no English option, so you'll have to paste stuff into a translation service to figure out what you're doing, and both require JavaScript to use the webmail interface, but you should only need to use the web interface long enough to configure your desktop email client (Thunderbird + Enigmail + Torbirdy) to connect over Tor.

Obviously you should PGP encrypt all messages, so the point of hosting in Russia is to make access to your metadata more difficult.

71
CP is horrible indeed. But what does someone who sells hash have in common with CP?

They use Tor, so their threat models are very similar.

72
Perhaps most shocking of all is the McCoy case. The McCoy case is the first successful conviction for text-only obscenity in over 35 years, since Miller v. California, in 1973.

Earlier this year, Frank Russell McCoy was convicted in Georgia Federal Court of obscenity. He wrote a series of stories (NOT illustrated, text-only) involving explicit sexual activity between adults and children. Mr. McCoy is a resident of Minnesota -- the Feds tried having him prosecuted in his home state, and failed. Even in Georgia, they had to judge-shop -- trying no less than 3 judges before they would find one that would sign an arrest warrant.

He has now been sentenced to 18 months in prison, and followed by two years of probation, for writing stories, which were distributed over the Internet. McCoy's stories included disclaimers, describing the types of content to be found in the stories, so no one who read them would be caught unaware. The judge actually argued in his judgment, that the very existence of these disclaimers was evidence that McCoy knew that the stories were obscene. 

This illustrates the absurdity of the law. Going to prison for writing text, where there were no actual victims involved.

A much more widespread absurdity is that shock/violent/gore images are perfectly legal, yet they also contain victims who are emotionally harmed, or whose families are emotionally harmed by the distribution of those photos. Look at the Nikki Catsouras case:

http://en.wikipedia.org/wiki/Nikki_Catsouras_photographs_controversy

Yet there is nothing illegal about hosting pictures of her car accident. So you can have one or the other, either we protect people from speech that may emotionally disturb or offend someone, including the victims of child sexual abuse and of violence who appear in gore pics, or we allow it, but allowing one and not the other is irrational and hypocritical. I would rather the government not make that decision.



73
I am unapologetically pro-censorship in the sense that everyone has a right to control their own property however they want. I would personally never knowingly host cp, since I'm against it, just as I would never knowingly host shock/violent images and videos, but I don't think the government should be dictating whether you are allowed to view such images. If we banned all speech that offended / emotionally harmed someone, there wouldn't be much speech left. A woman with an uncovered face offends some people.

The more important point is that the same technology protects both the pedos and the druggies. So you can view the mass shutdown of cp sites in onionland as the canary in the coal mine. Right now it looks like the canary has died, and that doesn't look good for us.

74
seems like they will try to use cp as an excuse to try and take down the drug black market. why can't they just hire chris hanson for the cp and leave us alone. :(

Well, they took down all the cp in onionland, so that's the next logical step. Not trying to be cliche, but

First they came for the pedos, and I said nothing, because fuck pedos...


75
Off topic / Re: dear everybody
« on: September 13, 2013, 06:11 pm »
Hmmm, digging for it doesn't make it much of a notification.
