Messages - astor

Pages: 1 ... 78 79 [80] 81 82 ... 208
1186
Security / Re: Incoming crash in MT Gox Exchange
« on: May 30, 2013, 10:01 pm »
What are the odds that MtGox will be shut down in the next year like LR?

1187
Silk Road discussion / Re: Can't Access Main Site from Lib
« on: May 30, 2013, 09:49 pm »
Are there any error messages in the Tor log? It should be /var/log/tor/log unless Liberte has a weird configuration.

1188
Security / Re: Vendors messing up, asking for address again
« on: May 30, 2013, 09:11 pm »
It could be as innocent as you messing up the encryption, or them messing up the decryption. If it happens every time, they could have lost their private key and are too embarrassed to admit it. Doesn't matter though, I wouldn't send them my address in plaintext. They need to own up to losing their key or I would shop elsewhere.

Of course, it could be a compromised account. There's no way to tell for sure, unless something obvious happens like buyers start getting arrested.

Also, people don't realize that PGP offers more than communication privacy. In a pseudonymous community like this, it is your identity. It is the only reliable way to prove you are you if something happens like your account is compromised, or you communicate with people through out-of-band channels. Back up your key in 3 places, because losing it is a huge pain in the ass.

1189
Security / Re: Am i paranoid/ Am i anonymous?
« on: May 30, 2013, 08:58 pm »
Is all of this necessary? Or is just Tails with Tor on my own wifi untraceable?

No, it's not necessary. For buyers it is massive overkill. For vendors it may be useful, but really the chances are slim that LE is going on a fishing expedition for random Tor users, or performing a correlation attack like this:

http://dkn255hz262ypmii.onion/index.php?topic=159722.msg1129048#msg1129048


Bridges may be just as effective at hiding your Tor use. You can get IPs here: https://bridges.torproject.org


1190
Security / Re: Hiding computer or swapping out HD?? BTC offered
« on: May 30, 2013, 08:48 pm »
If you need an absolutely clean computer, instead of dealing with swapping out hard drives, put Tails on a thumb drive and use that for sensitive activities. If the shit hits the fan, flush it down the toilet, throw it in a drain, whatever. Thumb drives are easy to get rid of.

1191
Off topic / Re: What music are you listening to right now?
« on: May 30, 2013, 07:41 am »
Matt Bukovski -- Eterna :)

https://www.youtube.com/watch?v=8CcAIMopOhY


1192
You can make the same argument about drugs. LE infiltrates a drug ring and allows dealers to sell to buyers. Suppose one of them dies. Under the law, the vendor gets 20+ years for contributing to the death of a person, not LE.

I'm not saying it's right, I'm just saying that's how liability works under the law. LE gets off for a lot of shit. They basically have no equivalent of a good Samaritan law.

1193
Off topic / Re: + KARMA
« on: May 30, 2013, 07:06 am »
Good work man. :)

My challenge to the regulars of this thread: fan out across the forums. Find people with fewer than 100 posts and make sure they have overall +karma.

I just got like 20 more. They can't make as many shill accounts as we have real accounts. Strength through numbers, let's take back the forum. :)


1194
Security / Re: PGP when sending delivery address?
« on: May 30, 2013, 06:49 am »
I apologize if this is a noob question, but it wasn't covered in the buyer's guide. I am interested in making my first purchase off SR, but when filling in a delivery address to make an order, do you need to encrypt it with the seller's PGP key? I don't see why not, but I wanted to clarify that this was common practice.

It's like wearing a seat belt. You may not get in an accident today or tomorrow, or in the next year, but the day it happens, it may save your life. Wearing a seat belt costs you nothing, so there's no reason not to do it for that small chance.

Encrypting your address is easy and costs you almost nothing (ok, maybe 30 seconds out of your life), so why not encrypt your address in the small chance there's a big accident, where the SR server is compromised?


1195
Off topic / Re: + KARMA
« on: May 30, 2013, 06:39 am »
I just +1'ed the last few pages... and a few dozen other people across the forum.

Find a few dozen newbs and +1 them. Let's change the spirit on this forum. :)

1196
Off topic / Re: What music are you listening to right now?
« on: May 30, 2013, 06:25 am »
Cazzette - Beam Me Up

https://www.youtube.com/watch?v=mp-IZEFqrG0

1197
Off topic / Re: Making a name for myself
« on: May 30, 2013, 06:22 am »
This is the kind of spirit I'd like to see back on the forum. Welcome boosted. :)

1198
Security / Re: More secure tor access.
« on: May 30, 2013, 06:05 am »
Mhaura, theoretically Tails could be rooted. An attacker who roots Tails can disable the firewall and bypass Tor. This guide protects against that because Tor runs outside of the VM.

The chances are slim of that happening, but that's the worst case scenario. A more practical approach is that you might not like Tails. In this setup (as well as my Whonix-Gateway guide), you can make any OS the workstation and isolate it behind Tor.

1199
I am not a lawyer (or am I?), but I bet this rests on the technical details. LE can allow a drug ring to distribute drugs, they just can't distribute real drugs to people. If the buyers ODed and died, it would be a huge liability for LE. But if buyers OD and die on drugs that dealers supply -- that LE allowed those dealers to supply, but that they would have supplied anyway if LE hadn't infiltrated the group -- then they have no liability for it.

So did they take over a forum and allow other people to trade CP, or did they supply CP to the forum that didn't exist there before? It's not clear to me. But the latter would be on a par with providing people with drugs. If it's the former, then it's in line with the other types of investigations that they do.

1200
Security / Re: Hidden services security doesn't look too good.
« on: May 29, 2013, 05:32 pm »
I think there have been other successful direct attacks on Tor. Traffic classifiers have 'predicted'/'identified' encrypted websites loaded through Tor with over 60% accuracy, and that was before hidden Markov models were used. I think there was a fairly recent research paper that took into account hidden Markov models, called something like 'missing the forest for the trees'. I don't recall the results, but I am sure that the accuracy jumped up significantly over 60%. Essentially the classifier that got over 60% accuracy only took a single loaded page into consideration to fingerprint a webpage, whereas with hidden Markov models classifiers take an entire sequence of loaded pages into account to fingerprint a website. There was also an attack that could fairly accurately geolocate servers by measuring clock skew, not really a direct attack on Tor though. There are probably some others that I am not recalling as well. However as far as purely direct attacks on Tor go, pretty much in all cases they require the target to use at least one attacker-controlled or monitored entry guard.

mikeperry isn't convinced by these fingerprinting attacks. To quote him from the Torbutton design doc:

Quote
Website traffic fingerprinting is an attempt by the adversary to recognize the encrypted traffic patterns of specific websites. In the case of Tor, this attack would take place between the user and the Guard node, or at the Guard node itself.

The most comprehensive study of the statistical properties of this attack against Tor was done by Panchenko et al. Unfortunately, the publication bias in academia has encouraged the production of a number of follow-on attack papers claiming "improved" success rates, in some cases even claiming to completely invalidate any attempt at defense. These "improvements" are actually enabled primarily by taking a number of shortcuts (such as classifying only very small numbers of web pages, neglecting to publish ROC curves or at least false positive rates, and/or omitting the effects of dataset size on their results). Despite these subsequent "improvements", we are skeptical of the efficacy of this attack in a real world scenario, especially in the face of any defenses.

In general, with machine learning, as you increase the number and/or complexity of categories to classify while maintaining a limit on reliable feature information you can extract, you eventually run out of descriptive feature information, and either true positive accuracy goes down or the false positive rate goes up. This error is called the bias in your hypothesis space. In fact, even for unbiased hypothesis spaces, the number of training examples required to achieve a reasonable error bound is a function of the complexity of the categories you need to classify.

In the case of this attack, the key factors that increase the classification complexity (and thus hinder a real world adversary who attempts this attack) are large numbers of dynamically generated pages, partially cached content, and also the non-web activity of the entire Tor network. This yields an effective number of "web pages" many orders of magnitude larger than even Panchenko's "Open World" scenario, which suffered continuous near-constant decline in the true positive rate as the "Open World" size grew (see figure 4). This large level of classification complexity is further confounded by a noisy and low resolution featureset - one which is also relatively easy for the defender to manipulate at low cost.

To make matters worse for a real-world adversary, the ocean of Tor Internet activity (at least, when compared to a lab setting) makes it a certainty that an adversary attempting to examine large amounts of Tor traffic will ultimately be overwhelmed by false positives (even after making heavy tradeoffs on the ROC curve to minimize false positives to below 0.01%). This problem is known in the IDS literature as the Base Rate Fallacy, and it is the primary reason that anomaly and activity classification-based IDS and antivirus systems have failed to materialize in the marketplace (despite early success in academic literature).

Still, we do not believe that these issues are enough to dismiss the attack outright. But we do believe these factors make it both worthwhile and effective to deploy light-weight defenses that reduce the accuracy of this attack by further contributing noise to hinder successful feature extraction.


https://www.torproject.org/projects/torbrowser/design/#website-traffic-fingerprinting
