Silk Road forums

Discussion => Security => Topic started by: d0z3r on May 14, 2013, 11:06 pm

Title: Trusting TOR with your freedom
Post by: d0z3r on May 14, 2013, 11:06 pm
I was just curious about how many vendors trust TOR enough to use it from home. I know everyone will be guessing but what percentage of vendors do you think do this? It seems like it would be quite a hassle to run to the nearest hotspot to check orders and what not. What are you guys' thoughts on this topic?
Title: Re: Trusting TOR with your freedom
Post by: Mercury31 on May 14, 2013, 11:44 pm
it's never safe to sell or purchase illegal drugs
there is always a risk of getting caught
to be a vendor on SR isn't only selling and packing drugs safe i
the security is number one
i think a lot of vendors can say this also
many hours packing with gloves in clean rooms
establishing a secure connection for internet etc
only using tor isn't good enough for a vendor
many customers do not appreciate the time a vendor needs to put in SR to keep
him/her self safe and the customer
but that is what a vendor chooses for
it's a risk..

regards,mercury31
Title: Re: Trusting TOR with your freedom
Post by: astor on May 14, 2013, 11:57 pm
@d0z3r

What are you afraid can happen?
Title: Re: Trusting TOR with your freedom
Post by: CHROOT on May 15, 2013, 12:14 am

Quote from: Mercury31

only using tor isn't good enough for a vendor


I've wondered about this. If you read up on the main way a vendor is vulnerable in these forums it seems the most likely sequence would be for LE to intercept packages to draw a mailing radius and then see who within the radius is using Tor. Not exactly easy or definitive.

I've yet to read of a single instance where LE has caught a SR vendor based solely on hacking.
Title: Re: Trusting TOR with your freedom
Post by: Mercury31 on May 15, 2013, 12:19 am

Quote from: CHROOT

Quote from: Mercury31

only using tor isn't good enough for a vendor

I've wondered about this. If you read up on the main way a vendor is vulnerable in these forums it seems the most likely sequence would be for LE to intercept packages to draw a mailing radius and then see who within the radius is using Tor. Not exactly easy or definitive.

I've yet to read of a single instance where LE has caught a SR vendor based solely on hacking.


i read somewhere about a year ago a German vendor that used SR was caught
i don't know how if it was because of tor or it was of a reckless money transfer or so
i would send you the link but i don't have it anymore and i don't want to google such things

 
Title: Re: Trusting TOR with your freedom
Post by: SelfSovereignty on May 15, 2013, 01:22 am
So here's the real problem... they don't exactly teach cryptography, data communications, or networking fundamentals in police academy.  It takes somebody a wee bit more knowledgeable than your average flat foot to even know how the fuck Tor works let alone how to dismantle the protection it provides.

Can they do it?  Yes.  It can be done, and everyone knows how.  Lots of ways have been published and some have been shown effective in laboratory settings.  That's different than the real thing though: we aren't a controlled environment with manageable traffic, we're a lot bigger than that.

But they can do it; so what's stopping them?  Nobody cares enough to spend the money and burn the man hours on it.  I mean I don't regularly take tea with the head of the DEA or anything, but that's the only logical conclusion in my opinion.  If you're going to get caught, it's almost certainly going to be from fucking up and getting arrested the old fashioned way.  That's true today, mind you: it may or may not be true a year from now.  Our safety depends pretty heavily on them not having any reason to waste the amount of resources it would take to bring SR -- and all of us addicts and dealers just minding our own damn business -- down.

It's just a stupid waste of resources when SR is such a small portion of the national drug trade.  But if it appears to be a large portion because it's in the news constantly, well... then they may change their minds and invest the time and money; that's why I say it's true today but maybe not a year from now.  Who knows.

Bottom line: today you're safe.  Just don't talk to cops and don't be naive about your drops and you're good :)
Title: Re: Trusting TOR with your freedom
Post by: sirius on May 15, 2013, 01:37 am
Quote from: SelfSovereignty

Our safety depends pretty heavily on them not having any reason to waste the amount of resources it would take to bring SR -- and all of us addicts and dealers just minding our own damn business -- down.

I have noticed that this goes for real life dealings as well.. it's a good thing to remember when doing risk assessments. The law is only human, they have limits too.
Title: Re: Trusting TOR with your freedom
Post by: d0z3r on May 15, 2013, 03:20 am
Quote from: astor

@d0z3r

What are you afraid can happen?

I'm not sure if you are serious but I guess I will bite......If I were a vendor I would be worried about LE being able to figure out my real IP.

I understand what you guys are saying in regards to resources and I agree with you that it would not be worth the time/$$/effort.  Would you feel any different if you lived in a more rural area where there probably are not that many people in your area using TOR?

I should have asked my question differently so more people could actually answer without pulling a random number out of their ass. If you were a vendor, would you feel safe enough to do your business from home using TOR? What are other ways to give you more anonymity?

Thanks for the responses so far! 
Title: Re: Trusting TOR with your freedom
Post by: itsthecops on May 15, 2013, 03:28 am
I trust it with my life.  And why not?
All security issues were/are man made mistakes.  Slip ups that could have been avoided.
Title: Re: Trusting TOR with your freedom
Post by: SelfSovereignty on May 15, 2013, 03:58 am
I trust it enough to make nearly thousands of posts on these silly forums blatantly admitting that I willfully and repeatedly break the law to feed my addiction; I also order very nearly all of my drugs through it while trusting the encryption of in-Tor-network communications; I also transmit my real name and address via RSA encryption (PGP) and trust that too (well really I should say a real name tied to the address).

I'll have over 40 orders by week's end.  I haven't lost a single one, either.  If I were a vendor I'd do all my business from home, yes.  Does that answer your question about trusting Tor?  :)  Frankly what worries me quite a bit more is the server getting pwned or some sneaky federal agency posing as a vendor or some silly thing like that.  Tor I have no concerns with -- none based in reality, anyway.
Title: Re: Trusting TOR with your freedom
Post by: astor on May 15, 2013, 04:42 am
Quote from: CHROOT

I've wondered about this. If you read up on the main way a vendor is vulnerable in these forums it seems the most likely sequence would be for LE to intercept packages to draw a mailing radius and then see who within the radius is using Tor. Not exactly easy or definitive.

This may be easier than it looks, since the number of users who fit the behavioral profile of SR vendors (ie, logging on daily) is about 20 in a city with 100K people, and 200 in a city with 1M people:

http://dkn255hz262ypmii.onion/index.php?topic=158464.msg1124077#msg1124077

Read that post, then read the one below it where I update my estimate.


Quote from: CHROOT

I've yet to read of a single instance where LE has caught a SR vendor based solely on hacking.

Here's what LE could do. They find a vendor who is selling a range of drug amounts, like 1 gram up to an ounce of cocaine. They check the reviews to make sure the vendor is getting sales and actually pushing that product. This would be someone with many ounces of cocaine. Then they buy 1 gram off the vendor. Only costs $150 and they know the vendor's city.

They hand the ISP a list of Tor entry guards and known bridges, and request the subscriber info of everyone who connects to those IP addresses, say 5 days out of the next 7 days. In a week they are down to a list of 10 - 200 people. They start watching those subscribers and messaging the vendor, looking at the response times, so it's basically a low grade correlation attack, similar to what they did to this guy:

http://arstechnica.com/tech-policy/2012/03/stakeout-how-the-fbi-tracked-and-busted-a-chicago-anon/

They watched his local network with a tap and trace device installed in his computer and correlated it to his IRC activity (which he accessed over Tor).

What percentage of those daily users will be online at the specific hour when a message is received from the vendor? 10%, 20%, 50%? Even in the "worst" case scenario for LE, they can exclude half the people on their list every time they receive a message. How many halvings does it take to get down to one person that they can start investigating IRL?

Even if they start with a list of 200 people, surprisingly it takes only 9 halvings, which is 9 messages. Unfortunately for them, there is a small percentage of users who stay online all the time (like on IRC), so those people will never be excluded from the list. LE would have to investigate all of them.


I should note that it's easy to defend against this attack. Use a VPN or rent a VPS and set up a private bridge.


So why hasn't this happened yet? Surely the computer experts that they employ have thought of it.

I think SS is right, LE either doesn't care, or it's too inefficient. Maybe the last leg isn't worth it. ie, they reduce 200 users to 20 or 30 who are always online, but investigating all of them is too much work to bust someone pushing the amounts of drugs that SR vendors push.

And if anything I said is remotely true, then you can help vendors by using Tor all the time. ;)
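
The halving estimate in the post above, worked through as an added Python example (not part of any poster's message). The function names, the independence assumption and the 10% always-online fraction are constructed for illustration.

```python
# Added illustration, not code from the thread. Model assumptions (constructed):
# each non-target subscriber is online at the moment of any given message with
# independent probability p_online, except a fraction always_on who never drop off.

def expected_remaining(candidates, p_online, always_on, messages):
    """Expected size of the candidate list (target included) after `messages`
    timing observations."""
    others = candidates - 1
    sticky = others * always_on          # always online, so never excluded
    intermittent = others - sticky       # each survives a round with p_online
    return 1 + sticky + intermittent * p_online ** messages


def expected_messages(candidates, p_online, always_on=0.0, eps=1e-12):
    """Expected number of observations until every intermittent non-target
    has been excluded at least once.

    That count is the maximum of m geometric waiting times, so by the
    tail-sum formula E = sum over k >= 0 of 1 - (1 - p^k)^m."""
    if not 0.0 <= p_online < 1.0:
        raise ValueError("p_online must be in [0, 1)")
    m = round((candidates - 1) * (1.0 - always_on))
    total, k = 0.0, 0
    while True:
        term = 1.0 - (1.0 - p_online ** k) ** m
        if term < eps:
            return total
        total += term
        k += 1


if __name__ == "__main__":
    # The post's starting list of 200 and its 10% / 20% / 50% online rates.
    for p in (0.1, 0.2, 0.5):
        print(f"p_online={p}: ~{expected_messages(200, p):.1f} messages")
    # With 10% of the list always online, the list stalls at about 21 names.
    print(round(expected_remaining(200, 0.5, 0.10, 9), 1))
```

Under these assumptions the 50% case averages about nine messages, and the always-online fraction sets a floor that further messages do not lower.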

Title: Re: Trusting TOR with your freedom
Post by: chemdog on May 15, 2013, 09:32 am
Quote from: astor

Quote from: CHROOT

I've wondered about this. If you read up on the main way a vendor is vulnerable in these forums it seems the most likely sequence would be for LE to intercept packages to draw a mailing radius and then see who within the radius is using Tor. Not exactly easy or definitive.

This may be easier than it looks, since the number of users who fit the behavioral profile of SR vendors (ie, logging on daily) is about 20 in a city with 100K people, and 200 in a city with 1M people:



In the first week of joining Silk Road, I did a large-ish reverse engineering thought session on how I or another vendor could be caught. Astor's view was basically what I came to. Basically multiple layers of triangulation and correlation, narrowing the net each time.

A range booster/cantenna/repeaters etc and some physical access controls will give you a very good safety net if you are paranoid. These even work with cell signals if you want to bounce your 3g connection off a different cell tower and can do the required maths and practical butchery involved.

Learn how all the technologies work, even basically, and think about how future technologies will be used. This is a war by people on people and as people, we must know how to defend ourselves. Semantic search, location awareness, geo-spatial mapping and mining blah blah blah.

But that responsibility is on the head of the individual alone.
Title: Re: Trusting TOR with your freedom
Post by: PerPETualMOtion on May 15, 2013, 01:42 pm
If I were a vendor....

...I would hire a trusted IT professional...

...I would stash cash for a runaway trip before/after bail...

...I would call Saul... and keep him on retainer....

...I would investigate the political hierarchy of federal prosecutors/investigators...

...I would not do drugs...

...I would definitely hire top shelf prostitutes (call girls)...

...I would do drugs...

...I would work out so that if I got pinched, then I wouldn't be a bitch.
Title: Re: Trusting TOR with your freedom
Post by: Jack N Hoff on May 15, 2013, 03:04 pm
I've used TOR since 2004 with no problems.  I can't imagine how many more people use it than in 2004.  I know I used to have to change my identities a lot for years just to get decent speeds.  It is not like that anymore.  So many people use TOR that I really can't see it being a problem.  I'm not a SR vendor but that is just how I feel about it.
Title: Re: Trusting TOR with your freedom
Post by: CHROOT on May 15, 2013, 04:20 pm
Quote from: chemdog

Basically multiple layers of triangulation and correlation, narrowing the net each time.


Right, this is basically what all these "is tor safe?" posts come down to. No matter how sophisticated the government's cyber arsenal is, they're still going to have to do some old-fashioned gumshoe detective work to triangulate a vendor.

And if the gov is sitting on the nuclear option zero day tor exploit, are they really going to waste it tracking down a vendor?
Title: Re: Trusting TOR with your freedom
Post by: Veetano on May 15, 2013, 08:44 pm
You guys forget that Tor is not only used for onion sites, it, in general, is proxy software. I know a LOT of people who use it who have never even heard of an onion site.

Anyways, this seems to be a very interesting topic I plan to follow. I just imagine that, if it were that easy to catch some of these vendors, why would they not have done it?

Title: Re: Trusting TOR with your freedom
Post by: Jack N Hoff on May 15, 2013, 09:02 pm
Quote from: Veetano

You guys forget that Tor is not only used for onion sites, it, in general, is proxy software. I know a LOT of people who use it who have never even heard of an onion site.

Anyways, this seems to be a very interesting topic I plan to follow. I just imagine that, if it were that easy to catch some of these vendors, why would they not have done it?

Because it's not that easy lol.  I would say there is more than a million people using TOR 24/7.  Yes those numbers did come out of my ass.  Pure speculation.
Title: Re: Trusting TOR with your freedom
Post by: d0z3r on May 16, 2013, 03:50 pm
Thanks everyone for your input
Title: Re: Trusting TOR with your freedom
Post by: PerPETualMOtion on May 17, 2013, 01:44 am
Quote from: Red Blooded American

In the end, I put my trust in my Bushmaster, AR-15, and Glock.

Title: Re: Trusting TOR with your freedom
Post by: londonpride2 on May 17, 2013, 02:57 am
Quote from: d0z3r

I was just curious about how many vendors trust TOR enough to use it from home. I know everyone will be guessing but what percentage of vendors do you think do this? It seems like it would be quite a hassle to run to the nearest hotspot to check orders and what not. What are you guys' thoughts on this topic?

I will never use my own PC (I like a nice public place, perhaps a duck pond) and will always make sure I have my tinfoil hat on. Safety first!