Messages - astor

601
The package goes to a USPS Mail Recovery Center, which you can read about here:

http://voices.yahoo.com/what-happens-dead-letters-post-offices-mail-28321.html

Today, the cities of Atlanta, Saint Paul, and San Francisco are home to the USPS's three major mail recovery centers, where specialized staff take on near-detective roles, working at a breakneck pace to identify what resulted in dead letters. Their goal is to return potentially valuable mail to its original senders or to forward it on to its intended recipients.

According to the USPS website (www.usps.com), the two MRCs "processed approximately 1.3 million parcels and 73.1 million letters" during 2004. That same year, they "returned a total of 6.1 million pieces of mail to their rightful owners." Although the successfully recovered mail represents only a fraction of the so-called dead letters they receive, it's clear that the mail recovery centers are busy places of reconnection and redirection. The staggering logistics are utterly fascinating.

How does a piece of mail become a "dead letter"?

In short, a letter or package becomes "dead" when neither its sender nor its recipient can be identified, most often because the delivery address is incorrect or absent and the return address is also incorrect or absent. How can people create so many would-be dead letters? Here are some examples:

· Senders use an incorrect recipient address and omit a return address (VERY common)
· Senders use the correct recipient address, but that person is deceased and the return address was omitted.
· Children write letters to fictional characters like the Easter Bunny, Santa Claus, or Tooth Fairy.
· Items are mistakenly dropped into mail boxes with other mail.
· Items not intended to be mailed are mistakenly picked up by postal workers.
· Something happens to obscure the legibility of otherwise valid addresses. (Imagine ink smeared beyond recognition thanks to rain or some other menacing factor.)

Whenever a local post office identifies a dead letter, it is sent to the nearest mail recovery center (Saint Paul, San Francisco, or Atlanta). Oddly enough, even though the official term has been "mail recovery center" for around fifteen years, lots of seasoned postal workers are resistant to change and scrawl "dead letter office" on the ill-fated envelopes and packages. Some postal officials begrudgingly admit that the old term may never disappear, meaning that "dead letters" can live on forever - sort of.

What happens to these dead letters at the mail recovery centers?

The first step in handling a large volume of undeliverable letters (not parcels) is to scan them for items of value. As much as the USPS would love to redirect every single dead letter successfully, the reality is that mail without a detectable item of value is not worth the resources necessary to redirect it. An automated scanning system looks for cash, checks, and important documents (often identified based on the printing method, ink, etc.). These potentially valuable letters are segregated while the rest are destroyed by giant shredders. Workers then review the contents of the chosen envelopes (and the envelopes themselves) to see if a correct address can be identified. Whenever possible, the mail recovery center will bring the letter back to life by specially packaging it and reintroducing it to the world of active mail with no additional fee. They consider it a courtesy.

In the case of packages, which are not scanned, workers actually open up the large envelopes and parcels to see if they can identify the intended recipient or errant sender. They will forward the package when possible, and sometimes they will even contact people by phone to track down a rightful owner. It all depends on the value of the discovered items. If the chattels cannot be forwarded, they are sent to auction for bulk purchase by flea market vendors and others who will buy bundles of similar items and sort through them on their own. These regularly scheduled auctions are especially popular in Atlanta, as that facility handles the greatest volume of dead parcels.

Under some circumstances, the mail recovery center may catalog and temporarily warehouse an item that is clearly "valuable" but not otherwise re-sellable, like an urn of ashes, a personalized piece of jewelry, or anything they suspect someone may call about. That's right - if you think something of value was lost in the mail, you can phone the dead letter staff to see what they haven't tossed or auctioned yet. Just contact your local post office and ask to be connected with the appropriate mail recovery center for your region. Be prepared, of course, to describe your missing item in detail.

Do they really find unusual items at mail recovery centers?

You name it, and they've probably seen it at least once in the dead letter zone: live rodents, clarinets, boxes of rocks, nude photographs, cocaine and other drugs, chocolate chip cookies (which are sadly discarded for safety reasons), ugly snow globes, preserved animal brains, high school yearbooks, weapons, and the most ironic of all: a stamp collector's album of historic US stamps.

602
Security / Re: Privenote down
« on: July 23, 2013, 10:03 pm »
Then why did you use it in the first place?

603
Security / Re: Zero Fill External Drives
« on: July 23, 2013, 09:32 pm »
Yes, in fact, if you wanted to overwrite everything at once (including the main hard drive), you could plug all storage media into the computer and there's a one click option to "nuke" everything.

I doubt you want to do that, though. You can select the media that you want to overwrite.

604
Silk Road discussion / Re: twitter
« on: July 23, 2013, 09:21 pm »
Probably because some malicious people clicked the report button enough times to trigger an automated suspension. Do you really think that Twitter employees identified it and personally suspended it within hours when he hadn't posted anything that violates their terms of service? I imagine they reinstated it when they realized this.

605
I am going to become a vendor. So I need to make sure I am doing everything I can.

I run Tails on a CD, connect to my own internet, and then Tor pops up through Iceweasel and I use SR.

I have never decrypted a message before, I have encrypted plenty, so it should be easy enough once I decide to get a key. There was never a need for one in the past...

What else should I do to ensure I am 100% anonymous? I don't "encrypt" anything and when I switch web pages I get that, "You are sending over an unencrypted connection are you sure you want to continue, etc."
Should I set up bridges?
Should I stay on a CD instead of switching to a USB?

Well, there's no such thing as being 100% anonymous, but your anonymity is measured by the size of your anonymity set, i.e. the group of people that you are indistinguishable from. If someone knows nothing about you, your anonymity set would be the 7 billion people on earth, but you appear to be a native English speaker (although I could be wrong), so that narrows you down to a few hundred million people. With other details, people could reduce your anonymity set even further. An anonymity set of a few people, or perhaps a few dozen people, is dangerous to our security because LE has the resources to investigate all of them. Also, a single crucial detail could uniquely identify you, so that's what you want to avoid.

You're using Tails, so that's a good start. It's an open source operating system that is unlikely to be backdoored. The developers aren't going to work with LE. There's basically zero chance of getting infected by malware. It gives you the option to create an encrypted volume and doesn't leave evidence on unencrypted media. It provides transparent proxying of network connections over Tor, reducing the chances of accidental IP address leaks. It even scrambles RAM on shutdown.

The one thing I would strongly suggest you do is start using bridges. You'll have to enter them manually on each boot, since there is no mechanism to make them persistent yet, but you don't want to change entry guards during each session, as that reduces your anonymity by increasing the chances that an adversary owns one of your entry guards.

Of course, this is half the battle. If you want robust anonymity, you need to change your behavior. There are obvious things like not telling anyone your name or logging into sites that are linked to your identity (Facebook), but also less obvious things like providing minor details about yourself. Don't describe the weather where you live, don't tell people you are going to festival X, don't inform people when you are going on vacation, that kind of stuff. Little data crumbs can add up to uniquely identify you, just ask that Hammond guy in Chicago.

As a vendor, you should read through the Shipping forum to get ideas about secure shipping, eliminating smell and fingerprints, discreet packaging, rotating drop points, etc. Don't bring your mobile phone when you mail packages! That's a big one. You'll learn more as you go along.


606
Security / Re: Zero Fill External Drives
« on: July 23, 2013, 08:23 pm »
DBAN will do it. You can select a zero fill, a random write, or 2 random writes and a zero fill.

607
Security / Re: massive fake ID sting by secret service
« on: July 23, 2013, 05:02 am »
I think we should spend the rest of this thread discussing how we can minimize the risks of using fake identification for box registration, or even if we should phase out fake ID boxes in favor of using random mailboxes on the street and intercepting incoming mail prior to a legitimate resident.

They do this already in some countries. You can buy master keys on SR. I think the mail is more tightly legally protected in the US though, which makes it harder to find master keys, but I suspect those mass produced mailboxes aren't hard to pick with a little practice.

608
Silk Road discussion / Re: twitter
« on: July 22, 2013, 10:07 pm »
Why doesn't DPR just make a Twitter account that isn't called "DPR" or "Dread Pirate Roberts" or even "Silk Road"?

Perhaps a better idea is to put StatusNet on a separate server / hidden service.


609
I can totally see that perhaps I am too focused on Tor, and the scenarios you mention are in fact probably more likely concerns for the average people on this forum. I think the lesson to take from this is that everybody's security model is different, and that people should thoroughly understand what they are trying to accomplish and what they are accomplishing, which pretty much goes without saying.

Agreed.

Quote
I personally would never feel comfortable with making myself so much more vulnerable to being deanonymized through traffic analysis, but for many people that is less of a concern than having a CD etc.

So far, every SR user that we've heard about getting busted got nailed either through a CD or because they were dealing in real life. That Casey Jones vendor sold to confidential informants, and when they raided him, they found his bitcoin wallet (presumably, although we don't know exactly what happened there). They may have gotten customer info too. He needed encryption a lot more than he needed entry guards. Of course Tails + persistent bridges is much better than Tails with rotating session guards, but any non-leaky encryption is much much better than no encryption for the threat model of most SR users.

Quote
I think part of the issue is that I am used to a private forum mentality, these days people being a member or visiting a site like SR is not seen as a big deal, but I learned about security when there were only private forums largely consisting of big importers and distributors, where being tied to the forum server in itself is bad fucking news. Being tied to SR server might not be as bad simply because of the fact that it is public. I suppose I should keep in mind that threat models change and that the online drug scene is pretty much in uncharted territory as far as shit like this goes, but I think others are equally suited to keep in mind that using Tails like a regular OS without using it like it is meant to be used (between different wifi access points, frequently switching access points) can be counterproductive. If people are really worried about evidence on their drives, as they should be, there is no need to compromise the anonymity of Tor to obtain this, even Ubuntu can be FDE'ed during installation, I just cannot imagine it ever being a good idea to use Tails without persistent entry guards unless it is being used in the very specific "Tails Threat Model", then again maybe people these days are less likely to have a dedicated machine for criminal activity, back in the day on private forums we took our security very seriously but for a casual user on a forum like SR perhaps there is an acceptable compromise between utmost security and what is convenient.

Yep, I agree a dedicated computer with a dedicated OS + FDE is better than Tails, it's just not a workable solution for a lot of people. For vendors who make damn good money, there's really no excuse in not buying a $100 laptop in cash off Craigslist + a $60 external hard drive for backups, and encrypting both, but a lot of buyers just don't have the money. Tails + bridges is their best option IMO, and I'll make sure to aggressively point out the bridges part.

610
I would rather that my evidence splashed hard drive is never located than for my pristine hard drive to be located because I made myself 70 times more vulnerable to traffic analysis.

Simply visiting Silk Road is unlikely to get you raided, but CDs are a real possibility for a lot of people.

The problem is, you're too focused on threats on Tor when there are so many other things that are far more likely to get you screwed, like CDs and associates that snitch and stuff like that. It's better not to have evidence lying around.

611
Hidden services are meant to hide the location of a server, not to help the clients connecting to the hidden service, and attacks for tracing hidden services to guard nodes have been known for years now, making hidden services at best equal to using three different frequently changing single hop reverse proxies.

And that can be mitigated with Tor over Tor, or persistent layered guards, but you don't know and can't trust what the hidden service operator is doing.

Quote
Lack of ability to locate hidden services by the feds could only be deemed sheer incompetence honestly. The good news is that clients are much harder to trace. But they become much less much harder to trace when they are switching entry guards three times a day.

Well yeah. Silk Road exists because of LE incompetence / not caring in more ways than one. If they cracked down on shipping, the market would be gone, but 99% of packages get through the mail. They don't have the resources or don't care enough to crack down on everything, and that's part of our threat model.

612
But again, you have to look at the alternative. A lot of people can't fully encrypt their hard drive or buy a separate computer, so they will be splashing evidence all over their hard drive. If a package gets intercepted and they get CDed (much more common than being identified through an attack on Tor), that evidence could screw them a lot harder than being identified by an attack on Tor as "a person visiting Silk Road". This is especially important for vendors, but even for buyers, unless you can memorize all your passwords, you will be splashing evidence on your hard drive.

613
Except the chances that the hidden service will be located are already much higher than the chances that a regular client will be located. So that leaves you with a very plausible Tor without guards scenario, where the hidden service is already monitored and the clients are going through entry guards like they are going out of style.

If they find the hidden service, you have much bigger problems to worry about, but LE isn't going to care about tracking down buyers, and vendors should already be using bridges because of the message correlation attack we've described.

Quote
Using persistent bridges is a solution though you are right. But I still think for most people Tails is only hurting their anonymity, at the very least it is definitely introducing serious hazards that are not being illuminated to their userbase. I would never count on the hidden service or destination site being good in any case though, for all you know the destination is and has always been run by the feds. That leaves you to your own devices for anonymity, and having entry guards changing every day or multiple times a day brings attacks from statistically insignificant to probable. I see Tails as largely being a loaded gun without the safety on, definitely the tool for the job in some places but also very dangerous in the hands of people who don't understand exactly what they are doing with it.

Yes, I agree. Entry guards and/or bridges should be made persistent. I believe they will be adding "persistence presets" in the future.

614
Well, with a VM, even with an encrypted virtual disk, you're still leaving evidence on your hard drive. VirtualBox will leave logs of when the VM was run, which can be used to correlate your activity. Of course, someone could look at your Windows logs of when you boot up and shut down and infer that for a bootable OS too. Really the best option is a dedicated computer for sensitive stuff, but again that's not practical for a lot of people.

615
The risk is not relatively low, it is massively increased, by the time it is demonstrated in the wild it will probably be associated with people being sent to prison.

It's lower than visiting clearnet sites. Presumably the hidden service is using entry guards, so think of the connection as being backwards, where your entry nodes are the exit nodes, except you keep them for the whole session, whereas normal exit nodes rotate every ten minutes. So the chances of randomly picking bad nodes at the edges is lower. Now if the attacker lucks out as an entry point or brute forces his way to be an hsdir, then the chances are higher.

In any case, you can use persistent bridges.
