Silk Road forums
Discussion => Off topic => Topic started by: Torgeek on December 26, 2012, 02:45 am
-
Hey guys 'n' gals,
I'm a student studying at a University in the UK. I'm currently writing an academic piece about Tor's hidden services.
First of all - and let me make this clear - my study is NOT about trawling through the Silk Road to analyse its growth like the recent work of Nicholas Christin at Carnergie Mellon University (available here) -http://www.andrew.cmu.edu/user/nicolasc/publications/TR-CMU-CyLab-12-018.pdf
Whilst I'm currently in the process of writing up a list of topics I'll be touching on (which I'll post up or PM to those who are interested) I would love to hear some thoughts on Tor, they can be anything that comes to mind. Specifically though I'd like answers to the following.
1.Why do you use Tor and hidden services?
2. Do you think an academic study on hidden services is a good/bad idea, why?
3. Do you think that the Tor Darknet has longevity? How long can you see it lasting?
Finally, is there anything you would like to see included in an academic study on Tor? (I.E more about the positive sides of the Tor community etc?)
You can either post it up here or send it to my email address which is listed with my signature.
I would ask you all to PLEASE not write/send me ANY information that could identify you or your whereabouts. This is because I'm not LE and to make the point I want to state clearly that I'm not after personal data - If any of you have a better method of verification then please let me know.
Also if anyone else is aware of any other darknet denizens who are taking on similar research PLEASE let me know as I'd love to hear from them too!
Thanks for your time and please feel free to ask me any questions you may have
-
1.Why do you use Tor and hidden services?
Obviously almost everybody here uses hidden services to get drugs. Some people use them for other things, like secure email. It depends on what the hidden service offers. Asking on a drug forum will give you a biased sample of Tor users.
More generally, hidden services are useful because they are very censorship resistant. An onion domain can't be hijacked by a registrar like we saw with some piracy web sites. An onion domain is the first 16 characters of a base32 encoded hash of a private key. A hidden service identifies itself to a Tor client with that private key, so the only way to hijack a hidden service is to 1) hack the server and steal the private key, 2) brute force a private key with the same hashed / encoded first 16 characters (a hash collision), 3a) trick people into believing your domain is the domain they desire, or 3b) brute force a private key where a substring of the onion domain resembles a known hidden service, which we've seen with some phishing attempts. 3a,b) are possible because of Zooko's triangle.
https://en.wikipedia.org/wiki/Zooko%27s_triangle
2. Do you think an academic study on hidden services is a good/bad idea, why?
Great idea. There's already a library of academic material on anonymity networks.
http://freehaven.net/anonbib/
Why? Because security through obscurity is a myth. The more we know about the technology we use, including threats to that technology, the safer we are.
3. Do you think that the Tor Darknet has longevity? How long can you see it lasting?
It's a decentralized network, supported by thousands of independent volunteers, spread across ~75 countries. Even if funding to the Tor Project were cut off, the relays would keep running. Eventually bitrot might down the network, but it would take years. As for "darknets" in general, there's an obvious need for privacy-enhancing technology, especially with an increased awareness of state surveillance capabilities.
Beyond that, people increasingly understand the liberating value of this and other technologies (cognitively, financially, and otherwise). Take bitcoin as an example. When governments don't control the money supply, an American can safely do business with a Cuban or Iranian. Let's say you're a publishing platform, like Wordpress. You need to make money as a business to survive, and an Iranian dissident is willing to pay for your service, but he can't because of embargoes between your two governments. This is where superficially well-meaning policies go wrong, but transactions in the bitcoin network are subject to no global policies, except the math that protects the integrity of bitcoin transactions. The coins in your wallet are yours, like actually yours, not just a(n easily revoked) "guarantee" from your government or a bank.
The cat is out of the bag on "darknets" and other privacy-enhancing technologies. A growing number of people understand the value of these technologies and there's no turning back, so no they won't go away, even if Tor isn't the final answer on secure anonymity networks.
Finally, is there anything you would like to see included in an academic study on Tor? (I.E more about the positive sides of the Tor community etc?)
I'd like to know if your colleagues in the CS department can identify a random hidden service of my choosing. :)
-
First of just a big thank you guys.
I've already had quite a few replies to my post by email (torgeek@tormail.org - please send more!) and PM's on Silk Road, seems like people prefer messaging me directly than sharing there thoughts on here. Anyway all these opinions are really helping me think harder about how I frame things and its really appreciated when people post links up too as despite being good at academia I am a bit of a Tor "noob" so explanations (preferably with big letters and bright shiny pictures ;) ) do help alot.
Astor - I'm aware of the bias issue of just asking around on the Silk Road, however I'm currently just doing some homework to get a sense of what people think about things and I thought I'd rather start by speaking to the crowd I'm more familiar with. I'll be posting up the same questions in other places over the next few days to get a better sample. Good point though and thank you for all your really helpful feedback! If you're happy with it I may PM you after the holidays to ask you some more general questions about Tor but if you'd prefer not then that's totally understandable.
Also when you asked me:
I'd like to know if your colleagues in the CS department can identify a random hidden service of my choosing.
Do you mean identify as locating geographically? Cos if so I doubt it haha, but I'm willing to speak to my various CS friends and colleagues and see if I can get the ball rolling on this one. PM me with more details and I'll see what I can do :)
As for the rest of you PLEASE keep the replies coming in! I won't be replying directly to all unless I'm asked to or I have a burning question about it so don't feel I'm ignoring you if you don't hear back, all feedback -positive or negative- is really helpful.
Thanks again!
-
1.Why do you use Tor and hidden services?
Obviously almost everybody here uses hidden services to get drugs. Some people use them for other things, like secure email. It depends on what the hidden service offers. Asking on a drug forum will give you a biased sample of Tor users.
More generally, hidden services are useful because they are very censorship resistant. An onion domain can't be hijacked by a registrar like we saw with some piracy web sites. An onion domain is the first 16 characters of a base32 encoded hash of a private key. A hidden service identifies itself to a Tor client with that private key, so the only way to hijack a hidden service is to 1) hack the server and steal the private key, 2) brute force a private key with the same hashed / encoded first 16 characters (a hash collision), 3a) trick people into believing your domain is the domain they desire, or 3b) brute force a private key where a substring of the onion domain resembles a known hidden service, which we've seen with some phishing attempts. 3a,b) are possible because of Zooko's triangle.
https://en.wikipedia.org/wiki/Zooko%27s_triangle
2. Do you think an academic study on hidden services is a good/bad idea, why?
Great idea. There's already a library of academic material on anonymity networks.
http://freehaven.net/anonbib/
Why? Because security through obscurity is a myth. The more we know about the technology we use, including threats to that technology, the safer we are.
3. Do you think that the Tor Darknet has longevity? How long can you see it lasting?
It's a decentralized network, supported by thousands of independent volunteers, spread across ~75 countries. Even if funding to the Tor Project were cut off, the relays would keep running. Eventually bitrot might down the network, but it would take years. As for "darknets" in general, there's an obvious need for privacy-enhancing technology, especially with an increased awareness of state surveillance capabilities.
Beyond that, people increasingly understand the liberating value of this and other technologies (cognitively, financially, and otherwise). Take bitcoin as an example. When governments don't control the money supply, an American can safely do business with a Cuban or Iranian. Let's say you're a publishing platform, like Wordpress. You need to make money as a business to survive, and an Iranian dissident is willing to pay for your service, but he can't because of embargoes between your two governments. This is where superficially well-meaning policies go wrong, but transactions in the bitcoin network are subject to no global policies, except the math that protects the integrity of bitcoin transactions. The coins in your wallet are yours, like actually yours, not just a(n easily revoked) "guarantee" from your government or a bank.
The cat is out of the bag on "darknets" and other privacy-enhancing technologies. A growing number of people understand the value of these technologies and there's no turning back, so no they won't go away, even if Tor isn't the final answer on secure anonymity networks.
Finally, is there anything you would like to see included in an academic study on Tor? (I.E more about the positive sides of the Tor community etc?)
I'd like to know if your colleagues in the CS department can identify a random hidden service of my choosing. :)
Awesome writeup astor. That seems to sum it all up. Research closed.
Modzi
-
I guarantee you they can trace it up to its entry guards if they have traffic analysis skills worth a damn. Why not for your study see how quickly you can trace a hidden service to its entry guards with an attack like the 06 Locating Hidden Services attack. See how much things have really changed since then. Then maybe try to find a way to get past the entry guards but that will be harder for that level of an attacker to pull off.
-
Modzi - Haha I agree, great write up. Still need more opinions though so please write up anything you'd add if you feel like it :)
kmfkewm - Unfortunately computer science is not my field! I'm much more Humanities focused so my study is more interested in the human dimensions of Tor rather than the technical side. Of course its impossible to talk about Tor without talking about some aspects of the technical side -PGP, Bitcoin, analysing holes in security etc - but I can't do a whole study on its vulnerabilities. I will however talk to some of my computer science colleagues and see if they think that such a study is doable and whether or not they'd undertake it :)
-
I dunno if this is a legit thing to do on the forum, but I can't see any rules against it... so BUMP!
-
Astor - I'm aware of the bias issue of just asking around on the Silk Road, however I'm currently just doing some homework to get a sense of what people think about things and I thought I'd rather start by speaking to the crowd I'm more familiar with. I'll be posting up the same questions in other places over the next few days to get a better sample.
Do you know where to ask? Have you found other forums? I can help point you in some useful directions.
Also when you asked me:
I'd like to know if your colleagues in the CS department can identify a random hidden service of my choosing.
Do you mean identify as locating geographically? Cos if so I doubt it haha, but I'm willing to speak to my various CS friends and colleagues and see if I can get the ball rolling on this one. PM me with more details and I'll see what I can do :)
The IP address would do. I was being facetious with the request, but it is the big outstanding question for all of us. :)
-
Astor-
So far I've posted up in HackBB and BMR. I'm going to do UMB and Intel Exchange later because of the nature of random things that go up on there but if you have any suggestions for solid forums which may give me better feedback then I'd love to hear them. Please PM me with any that come to mind.
I didn't realise you were being facetious! I feel a bit stupid now, not a great start for an academic haha. But if it is a pressing issue than I am happy to challenge my CS department to the job. Can think of a few people that would be up for the task including a good friend of mine who was part of the team that uncovered the hacking of Gmail accounts by the Chinese a couple of years back, but can't promise they'll say yes. Its always worth asking though so I'll let you know what they say when I speak to them :)
Thanks again for your help
-
Am now back in the UK, expect an updated set of questions in a couple of days after I get settled. I'll also give you all a better idea of where I'm going with the work. In the meantime PLEASE KEEP INPUT COMING IN! Again, I ask that you DO NOT INCLUDE ANY PERSONAL INFO because A) I don't need it and B) I don't want anyone thinking thats what I'm after, just a few answers to the questions I've posted at the top and any other observations you may want to include.
Just so people can get an idea of what others have said, here is the posts from BMR and HackBB and the replies that came with them. I will not be posting up what people have messaged to me personally for obvious reasons.
http://fec33nz6mhzd54zj.onion/viewtopic.php?id=2335http://clsvtzwzdgzkjda7.onion/viewtopic.php?f=9&t=11278&p=56115&hilit=academic#p55914
As always, a big thank you to everyone who has written to me already, I haven't had time to reply to you all but for those who are expecting them I WILL get round to it so please bare with me :)
-
Torgeek, you should try some general forums, not specific to drugs or hacking. These come to mind
TorChan
http://zw3crggtadila2sg.onion/imageboard/
TorStatusNet
http://lotjbov3gzzf23hc.onion/
OnionForum
http://65bgvta7yos3sce5.onion/
Also, reddit has a subreddit called /r/onions. Full url is www.reddit.com/r/onions, which is a general forum for people interested in hidden services. I suggest creating a reddit account over Tor, which they let you do.
There are more at http://3suaolltfj2xjksb.onion/hiddenwiki/index.php/Main_Page#Other_forums
-
Thanks Astor! I'll get on that tonight :)