
Messages - Hux

1
Silk Road Discussion / Community Consultation: Future Support
« on: January 27, 2014, 01:19:54 pm »
Notice: This topic is not for addressing our current support backlog or bugs; I am writing this in my free time now that the fixes have passed through my department and are awaiting implementation. This topic is strictly considering how we could better improve SR Support in the future and everything I propose is my own opinion, not the stance of Silk Road or anything we currently have planned.



With the recent troubles, which we know are annoying for many users, we have been forced to reconsider how we structure our support team and what tools we provide them to manage problems. Another issue raised is also the avenues available for users to seek assistance and I believe this side of the problem is something you as our community should have a say in.

Our support team at the moment is split into vendor support and buyer support, each is specialized to best handle the problems they may face and makes for more efficient workflow but all support is done through tickets and therefore can actually take hours or days to resolve issues even without a queue. A quicker line of support could be offered by Silk Road to firstly reduce the load of primary market support staff and secondly increase the response time drastically for minor issues to take them out of the queue.

A practical solution on already available and stable technology is IRC. We could not offer a web-interface for an IRC server of course, but it is possible to connect to a hidden service IRC server with no special changes being made to a client. Such IRC servers already exist on an unofficial basis although their usage remains limited to a small group. For TAILS users, you would only need to paste in a .onion address and connect straight away, with those using only the Tor Browser Bundle having to change 1 additional field (port) to connect.

Possible benefits on an IRC Support option:

    Simple issues (password resets | lost deposits | questions) can be resolved in minutes
    Urgent matters can receive more immediate attention (bugs | exploits)
    Alternative channels can support casual conversation in realtime
    Less of your information is kept on Silk Road servers (Support conversations on IRC will not be recorded)
    Staff & community members can provide live guidance to struggling members
    A direct line of communication can be set up to staff to pass on information (i.e. suspicious vendor)
    Anyone can speak directly to a developer/administrator to discuss suggestions in detail


I know if I am to present this idea to the management I would need to assess the suitability and demand for such a feature. Therefore I am appealing to you (the community) to let me know your thoughts on such an addition once we have cleared up the current support problems. Would you use this if it was implemented?

2
Silk Road Discussion / Re: Professorhouse- with 1101!!! LISTING!!!
« on: January 27, 2014, 12:28:28 pm »
it seems like this is a hacker group with really good OPSEC and good penetration! [...] This guy / group is very dangerous

Bring it on.

3
Silk Road Discussion / Re: Professorhouse- with 1101!!! LISTING!!!
« on: January 27, 2014, 12:24:38 pm »
If anyone manages to hack Silk Road, they deserve whatever they can get out of it because that would take significant volumes of talent and there isn't much on the live server bitcoin wallet for security purposes. If somebody ever does find a hole in our security, it is just 1 more crack sealed for the future with limited losses which we can cover from the market profits. Although I cannot comment on individual cases, please understand that the senior staff are aware of the presence of particular individuals who may be of interest to watch.

To support what DoctorClu stated; our dev team did converse with backopy to investigate the source of the exploit and it was successfully patched on Silk Road. The error was not in the coding of our markets but the underlying server protocols all web applications are built upon, so backopy could never have been aware of the problem before it occurred. We are grateful for his input of information so that we could locate the source of the hack too as without this it is possible Silk Road may have been vulnerable also - I think this highlights the power that friendly co-operation can have between trusted market operators.

The Silk Road system has many built-in fail-safes and we believe the best way to ensure your bitcoin and data is safe is to keep that data encrypted and off the main server. Very little bitcoin is kept on the live server, only enough to balance withdrawals and deposits, and it is drained every day to keep it low. In the event of a hack and this being lost, SR replenishes this from the profits of the site and the user is fully reimbursed for the loss without them even noticing. There are also over 300 different mechanisms to ensure the integrity of our server and data ongoing at any given moment so we would know (probably faster than the hacker would too) if something had breached our systems, which in any case would trigger a lockdown that not even I can reverse, only Defcon.

4
Silk Road Discussion / Re: Silk Road Customer Association
« on: January 27, 2014, 03:04:01 am »
To clarify, the management of SR has made clear access to the vendor roundtable will never be given to non-vendors, nor will a buyer roundtable be created since there will be little point to having one (in the view of the administrators). Although I haven't heard it officially for this matter, I don't think anything where the buyers have influence over the vendors' actions (i.e. limiting FE abilities or sales) will be implemented, but of course you are welcome to challenge it with any suggestions!

5
Silk Road Discussion / Re: Everyone take a deep breath
« on: January 25, 2014, 09:47:33 pm »
how about using that money from your BOOMING successful enterprise to compensate all the poor users getting scammed out of your scamming paradise??

Very few users get scammed if you must know, the ones who do are like yourself who kick and scream for attention so are overly represented. To add, only a small minority of transactions do not finalize but since they build up it gives a false impression there are many, so you are wrong on the idea that we're just building our funds up too. I can be here all day, I work here and am waiting on something to reach my department of development, so argue with me all you want because I'm getting paid for it anyway. Alternatively you could do something constructive or just go to another market and not waste your time here since you hate it so much.

6
Silk Road Discussion / Re: Everyone take a deep breath
« on: January 25, 2014, 09:16:01 pm »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Anyone claiming the bugs are killing off SR business, you have no evidence for your claims.

However, from what I can see on the sales data, there has been a 30% rise in business this week over last week, a rate which has been maintained for some time now excluding peaks (i.e. after the Christmas break and post-DDOS week).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

7
Silk Road Discussion / Re: Not one Original Mod left?
« on: January 25, 2014, 07:07:38 pm »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

This better then?
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

8
Silk Road Discussion / Re: Not one Original Mod left?
« on: January 25, 2014, 07:03:13 pm »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I change identities often - most back end staff do not have a forum presence and we simply create an account when and where we need one. I can move this account up to administrator status if need be but I am not an administrator on the same level such as DPR2, Defcon and Minx are/were so it is just to help public understanding of where I am in the pecking order. Is Cirrus not an original moderator too?
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

9
Silk Road Discussion / Everyone take a deep breath
« on: January 24, 2014, 03:14:59 am »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Community,

we have not formally met before but that is not important right now. I am a part of the mysterious "dev team" people often talk about on the forum and I feel obliged to post an update on current situations coupled with a retort to some of the hooligans running loose.

First and foremost, progress is being made. We do not work on the server live, everything we do is tested extensively before it even sees an internet enabled device and then further scrutinized on a locked down testing server before being pushed into the live environment. Typically development of any feature can take up to a month from finishing up the code to release because of this process. This is inconvenient we understand but we are also the only market which has not been hacked yet for this reason and you can be sure people would be far more upset with us if we were negligent in our duties to protect the users.

Secondly, Defcon is not dead. Like me and the others he is hard at work and typically when one announcement is made, it is followed by a storm of further questions and wild theories which waste valuable time. This perhaps answers why the louder some people kick and cry for us to post, the less we actually do.

When developing a project in the circumstances of Silk Road, we are not merely fixing bugs or dealing with trivial usability problems. Silk Road has a team well beyond the competence of even many professional cohorts that work for three letter agencies and we all have something in common: pushing limits. The problems we face are not something a quick line of code will fix but require changes in the actual Tor network itself and until the next generation of hidden services are released we are having to make do. The fact of the situation is nobody has ever done what we are doing and so we must tread carefully into the unknown. Our recent contributions are for example feeding back information to the right people when we are attacked so such issues can be addressed not only by us but by Tor at large. Anyone who remembers the DDOS not so long ago may find there is odd timing that shortly after this researchers were tipped off to what is now known as the "Sniper attack" - now fixed at a network level so all may benefit on a safer network.

Some users have also taken the liberty to publicly complain of what they deem to be slow progress, then making suggestions such as "Fix the captcha". If you want to know the problems of Silk Road, it is nothing to do with the source code of the site actually, almost all the team work on various layer 3 and 4 (TCP/UDP/SCTP/IPv4) matters and another contingent work on various application layer problems. The sentiment we have poorly coded SR is based on perception only, Silk Road could better be described as a nuclear bunker when it comes to security and stability - it is the network itself which is crumbling (vendors can see this first hand by comparing performance between the public URL and vendor URL).

I have noticed there are others trying to rally an exodus of Silk Road too and move to the other markets as a form of protest. Those calling for such things please do not waste your breath here and just leave instead because frankly I do not care and neither do the management. You have put hope into other markets before, DPR2 made a high profile attack on Tor Market to prove how foolish some of your assumptions are and that was only a speck of effort from a single person in our team so imagine what the full force of our security detail could accomplish. If you want to get into the business of illegal markets on Tor, you have to be prepared for full scale cyberwarfare or you are not going to be able to protect your user base.



Now that part is over, a quick update.

Support: The support system has been rolled out already although we haven't patched it up yet to sync with your accounts. Moderators and market staff already have access to this support system and are working through your tickets as we speak, you will receive their responses as soon as the dev team green light the live patch. This means the moment we do go live, every support ticket will be answered and there will be little or no backlog anymore.

Lost password/PIN: As above, this will be rapidly worked through as soon as we patch up the system to the live server.

Escrow Funds: Same story different system. Once the release is pushed, everything will be running smoothly without a problem and we won't have this issue again.

Login Problems/CAPTCHA: We are aware of this and working on a solution now. I was asked not to reference specific times or days but just be patient as it won't be long.

One of the others will follow this post up with more information soon but until then - everyone calm the fuck down and breathe. In through the nose, out through the mouth people.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----

Code: (Code version for PGP signature verification)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Community,

we have not formally met before but that is not important right now. I am a part of the mysterious "dev team" people often talk about on the forum and I feel obliged to post an update on current situations coupled with a retort to some of the hooligans running loose.

First and foremost, progress is being made. We do not work on the server live, everything we do is tested extensively before it even sees an internet enabled device and then further scrutinized on a locked down testing server before being pushed into the live environment. Typically development of any feature can take up to a month from finishing up the code to release because of this process. This is inconvenient we understand but we are also the only market which has not been hacked yet for this reason and you can be sure people would be far more upset with us if we were negligent in our duties to protect the users.

Secondly, Defcon is not dead. Like me and the others he is hard at work and typically when one announcement is made, it is followed by a storm of further questions and wild theories which waste valuable time. This perhaps answers why the louder some people kick and cry for us to post, the less we actually do.

When developing a project in the circumstances of Silk Road, we are not merely fixing bugs or dealing with trivial usability problems. Silk Road has a team well beyond the competence of even many professional cohorts that work for three letter agencies and we all have something in common: pushing limits. The problems we face are not something a quick line of code will fix but require changes in the actual Tor network itself and until the next generation of hidden services are released we are having to make do. The fact of the situation is nobody has ever done what we are doing and so we must tread carefully into the unknown. Our recent contributions are for example feeding back information to the right people when we are attacked so such issues can be addressed not only by us but by Tor at large. Anyone who remembers the DDOS not so long ago may find there is odd timing that shortly after this researchers were tipped off to what is now known as the "Sniper attack" - now fixed at a network level so all may benefit on a safer network.

Some users have also taken the liberty to publicly complain of what they deem to be slow progress, then making suggestions such as "Fix the captcha". If you want to know the problems of Silk Road, it is nothing to do with the source code of the site actually, almost all the team work on various layer 3 and 4 (TCP/UDP/SCTP/IPv4) matters and another contingent work on various application layer problems. The sentiment we have poorly coded SR is based on perception only, Silk Road could better be described as a nuclear bunker when it comes to security and stability - it is the network itself which is crumbling (vendors can see this first hand by comparing performance between the public URL and vendor URL).

I have noticed there are others trying to rally an exodus of Silk Road too and move to the other markets as a form of protest. Those calling for such things please do not waste your breath here and just leave instead because frankly I do not care and neither do the management. You have put hope into other markets before, DPR2 made a high profile attack on Tor Market to prove how foolish some of your assumptions are and that was only a speck of effort from a single person in our team so imagine what the full force of our security detail could accomplish. If you want to get into the business of illegal markets on Tor, you have to be prepared for full scale cyberwarfare or you are not going to be able to protect your user base.

[hr]

Now that part is over, a quick update.

[b]Support:[/b] The support system has been rolled out already although we haven't patched it up yet to sync with your accounts. Moderators and market staff already have access to this support system and are working through your tickets as we speak, you will receive their responses as soon as the dev team green light the live patch. This means the moment we do go live, every support ticket will be answered and there will be little or no backlog anymore.

[b]Lost password/PIN:[/b] As above, this will be rapidly worked through as soon as we patch up the system to the live server.

[b]Escrow Funds:[/b] Same story different system. Once the release is pushed, everything will be running smoothly without a problem and we won't have this issue again.

[b]Login Problems/CAPTCHA:[/b] We are aware of this and working on a solution now. I was asked not to reference specific times or days but just be patient as it won't be long.

One of the others will follow this post up with more information soon but until then - everyone calm the fuck down and breathe. In through the nose, out through the mouth people.
-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

10
A global passive adversary is what we are up against. They are not interfering with Tor (that we know of), they simply observe it, which is what they are doing. They are a global passive adversary. External assumes they are not a part of the system but this is incorrect; Tor still builds on the same pathways the Internet in general uses, so they are not at all an external threat since they are inherently on the network and can control it on a larger scale if they did wish to.

11
Security / The Ten Commandments Revised
« on: January 10, 2014, 12:32:15 am »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Too many people here seem unable to grasp the basics, so here are some commandments for traveling the road. Deviate to your own demise and have a nice stay in prison if you want to ignore the advice of the knowledgeable folk around here.

Rule 1: STFU

Shut the fuck up. Is it sunny where you live? How nice. Oh you're in the southern hemisphere I guess as it is summer there now, or are you in a hot country? Oh it is summer - that is interesting, your English is very good so I would think you speak English natively am I right? Your package was intercepted - really what was it? Only 10 pills of MDMA, what vendor were you working with as I've ordered pills before?

If you get to that point and you can't help but talk, congratulations you probably now have the FBI feeding intel to the Australian authorities and there will only be a handful of packages seized recently with exactly 10 pills in it and hell if you have given away what vendor you use then they also have the country of origin. Most people guilty of something like that will also use their home address so now LE probably know who you are and if you are anyone worth chasing you will wind up in a cell sooner or later.


Rule 2: The blockchain is irreversible (so don't fuck up even once)

Ok, you're ordering only a few grams of coke - who gives a shit? But you then buy from Bitstamp and send right to your SR address. Congratulations, now pray SR doesn't keep many logs because if there is even a hint of your bitcoin address tied to the account you ordered to they will have some pretty incriminating evidence against you and they will never prosecute you on that if you do scale up later on. Know the authorities are cunning, they gather evidence over time and your mistake was letting them find you in the first place. Most people let slip the little things and when they become bigger in the game, that comes to bite them in the ass.


Rule 3: Common advice isn't good advice

Why the fuck are you using a public wi-fi connection to browse Tor? If you've paid attention to recent events, you'll know the NSA are harvesting vast quantities of information from public wi-fi and tracking movements even when you have your Wi-Fi disabled (software disabling or not connecting does not prevent them knowing you are in range). Ross was slammed onto a table and they took his laptop to bypass all encryption and have him red handed. If you are going to do anything illegal, do it in your own home where they can't suddenly drag you away and if you don't want Tor on your internet connection, 3G or setting up a private bridge is the way to go. That isn't perfect, but unless you are a very high value target they aren't going to check every single 3G connection in the area or extensive measures like that - it is more likely they will just check your internet history via your ISP for tor connection times and try to correlate your activity. Tor isn't illegal and if you keep your mouth shut then they will have a very hard time to show serious wrongdoing.


Rule 4: Burn your identity - often

Oh you have 2,000 posts and don't want to lose your reputation? Great, we'll end the conversation there because quite frankly I can't stand being in the same conversation as such a self-righteous bastard. This is an anonymous environment, nobody genuinely cares who you are or who you pretend you are and generally a lot of smart guys don't make many posts here as they understand this is all going to be short lived in the bigger picture, whereas prison is not a short time if you are involved with Silk Road. I made a post recently about the life of a PGP key and one addition I may add is if you're changing your PGP key, it may then be a good time to also burn your identity and don't ever cross contaminate - never go near it again not even on the same virtual machine since every visit will leave some kind of trace. If you have bitcoins, lose them or spend them - never ever transfer them and if it is a lot of money such as the proceeds from your activity, use several mixers, methods and spaces of time to create as much separation as you humanly can.


Rule 5: Don't trust mixing services

If you trust a single mixer, you will go to prison one day if you keep walking that line. If bitcoinfog is compromised they may have kept logs all along and that combined with SR logs is going to put most of you in prison. If you want to be safe, buy bitcoins with cash of course, then split the bitcoins up into several wallets and perhaps move them through blockchain.info a few times over several accounts, load your bitcoinfog account wallets through blockchain.info's shared send feature to compound your anonymity and after bitcoinfog, maybe even duck it through another mixer or even through SR itself before reaching your disposable purchase account. If you can't afford to take those precautions because of the fees, perhaps reconsider buying at all.


Rule 6: Don't keep envelopes, it isn't fucking memorabilia

When you get your product, if you are ignorant enough to keep stuff in your house all the time at least make sure the envelope is gone way before you start taking any drugs. Do not throw it in the garbage as law enforcement don't need any authority to go searching your bins, the least you can do is shred it to pieces and burn it to a crisp and then mix it in with other general waste such as food or bury it deep, heck even put it down the toilet if it won't clog it. There is evidence coming through LE are now turning to chemical marking of packages to ensure the packages they find at the scene are the ones they sent the suspect and this is irrefutable evidence in court they are the same package even if you rip off the address and return address, and this isn't some shit you can wash off with a few wipes.


Rule 7: If you don't need a phone, don't have it near you

The leaks by Edward Snowden have shown phones can be used (particularly iPhones) to watch suspects by turning on the camera and microphone and therefore depending on where you put it they could hear the sound of your typing, maybe see your screen, catch you mumbling words as you are thinking what to reply to a message or even intercept the wireless RF signals if you use Wi-Fi or worse, a wireless keyboard and act as a keylogger which is definitely not outside the realms of possibility.


Rule 8: No matter what "gurus" claim, you cannot defend yourself from the NSA

Some LE agencies have ways to plant their packages onto your hard drives, BIOS and other low level systems of your computer so nothing you do with software will protect you. If you use a laptop, remove the hard drive from it before using TAILS and if you need a PGP key, never let it go near an internet enabled device. Data transfer must be one way so do not use the same USB stick to transfer anything from an internet-enabled device to an offline one. There is no need to expose your offline system to attacks from the online one. USB sticks these days for only a few hundred MB are cents and you could even use CDs which are only a few dollars for 100 of them so don't be cheap. One thing to add to that point is once you have transferred the data, dispose of it. Burn the CD to pieces (make sure it is melted, use a gas stove such as the camping cookers is a good idea) or melt the flash memory of the USB stick and then flush the pieces down the toilet once you've broken it down.


Rule 9: Don't use batteries

If you do use a laptop, remove the battery and keep the charger in. If LE break down your door then just pull the plug and the power is completely gone. If you've used a write-only device such as a CD/DVD-R then no data will be on that bit of media and almost everything in the RAM will be gone. So far the only real threats of recovering information from the RAM has been performed under lab conditions which in the field where they will probably take a while longer, have more exposure and not have everything immediately to hand. It is unlikely they will gain much from the residual data if they could recover it (let alone enough to bring to court as evidence).


Rule 10: Man the fuck up

Assuming you are caught, don't be an utter cunt. Keep your mouth shut, let a lawyer do the talking but refuse plea bargains. If you've managed to get yourself in this position, you have let your security slip and it is your own fault, don't bring anyone else down with you (yes Ross, can you hear me?). Say nothing, let them try to put you through a trial and you have a chance you can walk free and if you do get found guilty then it will give you enough time to learn from your mistakes hopefully and not repeat them. Unless you are big game you won't be in jail for the rest of your life so it isn't the end of the world. You chose to walk this tightrope yourself, and you used that rope to hang yourself like a ripe fruit ready for law enforcement to pick. Don't blabber like a little girl and perhaps one day you might be grateful when somebody doesn't drag you down either.

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


Code: (Plaintext with BB codes for signature verification)
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Too many people here seem unable to grasp the basics, so here are some commandments for traveling the road. Deviate to your own demise and have a nice stay in prison if you want to ignore the advice of the knowledgeable folk around here.

[u][b]Rule 1: STFU[/b][/u]

[b]Shut the fuck up.[/b] Is it sunny where you live? How nice. Oh you're in the southern hemisphere I guess as it is summer there now, or are you in a hot country? Oh it is summer - that is interesting, your English is very good so I would think you speak English natively am I right? Your package was intercepted - really what was it? Only 10 pills of MDMA, what vendor were you working with as I've ordered pills before?

If you get to that point and you can't help but talk, congratulations you probably now have the FBI feeding intel to the Australian authorities and there will only be a handful of packages seized recently with exactly 10 pills in it and hell if you have given away what vendor you use then they also have the country of origin. Most people guilty of something like that will also use their home address so now LE probably know who you are and if you are anyone worth chasing you will wind up in a cell sooner or later.


[u][b]Rule 2: The blockchain is irreversible (so don't fuck up even once)[/b][/u]

Ok, you're ordering only a few grams of coke - who gives a shit? But you then buy from Bitstamp and send right to your SR address. Congratulations, now pray SR doesn't keep many logs because if there is even a hint of your bitcoin address tied to the account you ordered to they will have some pretty incriminating evidence against you and they will never prosecute you on that if you do scale up later on. Know the authorities are cunning, they gather evidence over time and your mistake was letting them find you in the first place. Most people let slip the little things and when they become bigger in the game, that comes to bite them in the ass.


[u][b]Rule 3: Common advice isn't good advice[/b][/u]

Why the fuck are you using a public wi-fi connection to browse Tor? If you've paid attention to recent events, you'll know the NSA are harvesting vast quantities of information from public wi-fi and tracking movements even when you have your Wi-Fi disabled (software disabling or not connecting does not prevent them knowing you are in range). Ross was slammed onto a table and they took his laptop to bypass all encryption and have him red handed. If you are going to do anything illegal, do it in your own home where they can't suddenly drag you away and if you don't want Tor on your internet connection, 3G or setting up a private bridge is the way to go. That isn't perfect, but unless you are a very high value target they aren't going to check every single 3G connection in the area or extensive measures like that - it is more likely they will just check your internet history via your ISP for tor connection times and try to correlate your activity. Tor isn't illegal and if you keep your mouth shut then they will have a very hard time to show serious wrongdoing.


[u][b]Rule 4: Burn your identity - often[/b][/u]

Oh you have 2,000 posts and don't want to lose your reputation? Great, we'll end the conversation there because quite frankly I can't stand being in the same conversation as such a self-righteous bastard. This is an anonymous environment, nobody genuinely cares who you are or who you pretend you are and generally a lot of smart guys don't make many posts here as they understand this is all going to be short lived in the bigger picture, whereas prison is not a short time if you are involved with Silk Road. I made a post recently about the life of a PGP key and one addition I may add is if you're changing your PGP key, it may then be a good time to also burn your identity and don't ever cross contaminate - never go near it again not even on the same virtual machine since every visit will leave some kind of trace. If you have bitcoins, lose them or spend them - never ever transfer them and if it is a lot of money such as the proceeds from your activity, use several mixers, methods and spaces of time to create as much separation as you humanly can.


[u][b]Rule 5: Don't trust mixing services[/b][/u]

If you trust a single mixer, you will go to prison one day if you keep walking that line. If bitcoinfog is compromised they may have kept logs all along and that combined with SR logs is going to put most of you in prison. If you want to be safe, buy bitcoins with cash of course, then split the bitcoins up into several wallets and perhaps move them through blockchain.info a few times over several accounts, load your bitcoinfog account wallets through blockchain.info's shared send feature to compound your anonymity and after bitcoinfog, maybe even duck it through another mixer or even through SR itself before reaching your disposable purchase account. If you can't afford to take those precautions because of the fees, perhaps reconsider buying at all.


[u][b]Rule 6: Don't keep envelopes, it isn't fucking memorabilia[/b][/u]

When you get your product, if you are ignorant enough to keep stuff in your house all the time at least make sure the envelope is gone way before you start taking any drugs. Do not throw it in the garbage as law enforcement don't need any authority to go searching your bins; the least you can do is shred it to pieces and burn it to a crisp and then mix it in with other general waste such as food or bury it deep, heck even put it down the toilet if it won't clog it. There is evidence coming through that LE are now turning to chemical marking of packages to ensure the packages they find at the scene are the ones they sent the suspect, and this is irrefutable evidence in court that they are the same package even if you rip off the address and return address, and this isn't some shit you can wash off with a few wipes.


[u][b]Rule 7: If you don't need a phone, don't have it near you[/b][/u]

The leaks by Edward Snowden have shown phones can be used (particularly iPhones) to watch suspects by turning on the camera and microphone and therefore depending on where you put it they could hear the sound of your typing, maybe see your screen, catch you mumbling words as you are thinking what to reply to a message or even intercept the wireless RF signals if you use Wi-Fi or worse, a wireless keyboard and act as a keylogger which is definitely not outside the realms of possibility.


[u][b]Rule 8: No matter what "gurus" claim, you cannot defend yourself from the NSA[/b][/u]

Some LE agencies have ways to plant their packages onto your hard drives, BIOS and other low level systems of your computer so nothing you do with software will protect you. If you use a laptop, remove the hard drive from it before using TAILS and if you need a PGP key, never let it go near an internet enabled device. Data transfer must be one way so do not use the same USB stick to transfer anything from an internet-enabled device to an offline one. There is no need to expose your offline system to attacks from the online one. USB sticks these days for only a few hundred MB are cents and you could even use CDs which are only a few dollars for 100 of them so don't be cheap. One thing to add to that point is once you have transferred the data, dispose of it. Burn the CD to pieces (make sure it is melted, using a gas stove such as the camping cookers is a good idea) or melt the flash memory of the USB stick and then flush the pieces down the toilet once you've broken it down.


[u][b]Rule 9: Don't use batteries[/b][/u]

If you do use a laptop, remove the battery and keep the charger in. If LE break down your door then just pull the plug and the power is completely gone. If you've used a write-only device such as a CD/DVD-R then no data will be on that bit of media and almost everything in the RAM will be gone. So far the only real threats of recovering information from the RAM have been performed under lab conditions, whereas in the field they will probably take a while longer, have more exposure and not have everything immediately to hand. It is unlikely they will gain much from the residual data if they could recover it (let alone enough to bring to court as evidence).


[u][b]Rule 10: Man the fuck up[/b][/u]

Assuming you are caught, don't be an utter cunt. Keep your mouth shut, let a lawyer do the talking but refuse plea bargains. If you've managed to get yourself in this position, you have let your security slip and it is your own fault, don't bring anyone else down with you (yes Ross, can you hear me?). Say nothing, let them try to put you through a trial and you have a chance you can walk free and if you do get found guilty then it will give you enough time to learn from your mistakes hopefully and not repeat them. Unless you are big game you won't be in jail for the rest of your life so it isn't the end of the world. You chose to walk this tightrope yourself, and you used that rope to hang yourself like a ripe fruit ready for law enforcement to pick. Don't blabber like a little girl and perhaps one day you might be grateful when somebody doesn't drag you down either.

-----BEGIN PGP SIGNATURE-----

-----END PGP SIGNATURE-----

12
Security / Re: A few words on the life of a PGP Key
« on: January 03, 2014, 02:38:05 pm »
One very interesting development is group OTR. OTR encryption schemes should be used whenever possible of course and to my knowledge you can actually pair up TorChat with OTR through Pidgin, which is a very interesting idea, but there are still weaknesses with TorChat unfortunately. I do agree to some extent overall, El Presidente, but the point remains a "password" shouldn't be used for a single exchange but rather a disposable PGP key.

13
Security / A few words on the life of a PGP Key
« on: January 03, 2014, 01:34:38 pm »
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Introduction

I would just like to say a few words regarding PGP keys and their life expectancy, as well as comment on the poor use of them which is evident on this forum.

After reviewing the last few months some things are evident to us:

1. In almost all cases, brute forcing the password of a PGP key is easier than brute forcing the underlying encryption
2. LE amass large quantities of data against individuals, even if it is encrypted, so that when raiding them if they choose to hand over their keys (or they may brute force the password) they can decrypt the data and therefore prove the entire dataset belonged to that individual
3. Humans have a habit of using strong crypto and technology to protect themselves but make an utter balls of basic OPSEC, highlighting it is us (not the technology) that is failing



A Fictional Demonstration

Now let us assume a market was started in January 2012 just like SR and the other markets and Vendor 1 operated there from day 1. He was a highly popular vendor who received thousands of orders which was great as all his orders were encrypted so he had a smart customer base. Unfortunately for Vendor 1 he was then busted in December 2012, but this is where the story splits into 2 parts:

The market was seized

In this case we set the date using the time frame that Silk Road was imaged versus being seized, which was 2 months I recall but others have been known to continue operating for over a year so this is actually only a fraction of the real possibilities. Law enforcement had been watching the server since October in our fictional scenario and even though the market actually did delete order data, it was not before each time law enforcement spied on it and stored the encrypted PGP messages elsewhere. At this point for law enforcement data collection is arbitrary.

Upon arresting Vendor 1 his laptop was either unencrypted or he used a password which was brute forced using the intelligent keyword analysis which finds all words you have typed onto that computer and combines them like a dictionary attack to yield better results than standard brute force attacks. At this point, law enforcement now have at least 2 months' worth of customer addresses (which can then further be used to prosecute others, especially in cases where vendors are selling to each other) and with the private PGP key on the computer that is very strong evidence against them if it reaches a full trial. It would also be reasonable to assume at this point law enforcement will name Vendor 1 as the same person both from the start of the operation in January right up to the end in December with the same PGP key being used throughout.


The vendor stored customer addresses

In this case a vendor had been storing customer addresses; we will use the example period of 3 months assuming he didn't start storing them until after 9 months of business (although this is unusual as most would probably begin from the start of their vending period). During those 3 months of storing data law enforcement made 2 orders from the vendor in their investigations and found both packages arrived to different addresses from different accounts.

Upon the vendor being arrested we again assume the hardware was unencrypted or used a password which can be intelligently brute forced. This yields both addresses which were encrypted to the vendor previously from the purchases through the market and would likely be an address which is not public and indistinguishable from others, therefore there is no way it could be publicly gathered data. Furthermore vendors are likely to store the username along with the address so this would make the case against them stronger.

It is not hard to imagine that law enforcement at this point were also watching any postal items the individual was sending and if the addresses stored matched those they had managed to see them sending out it would be a very strong case for the prosecution.



The case for limiting the life of public key cryptography

In both scenarios outlined in our fictional demonstration of some issues, there are real life comparisons which I don't need to insult your intelligence with by pointing them out. The problem in both cases is that the encryption kept them safe for a while, but the problem with public key cryptography (PKC) is that its use is also the downfall because it can prove a person is who they say they are. Something like this WILL be used against you and you have to assume if the hardware that has been used can be compromised by law enforcement through exploits, unencrypted drives or intelligent brute force methods, then the PGP private key will almost certainly be an easy target.

So - how does limiting the life of keys help?

Ok, it is obvious limiting the life of a key isn't a perfect solution by any means but it certainly will help introduce doubt into any case law enforcement may try to bring against you. In the first case of a market seizure, the information encrypted to the key the vendor held at the time was limited to 1 month if he had chosen to use a monthly key rotation. In the second, the damage control measure is not as useful (another reason not to store data to add to the long list of existing ones), but it at least still provides that the key law enforcement originally encrypted to for the orders they made is not the one currently in use.

How useful that small benefit is in the 2nd case would depend on what way your lawyer wants to fight the case but it is at this point at least useful to point out - AT LEAST IT IS SOMETHING. The accumulation of small difficulties in cases is usually what is going to help you the most if you are unfortunately caught. Lawyers are not there to dispute facts with the prosecution, they are there to undermine the confidence in evidence that the prosecution puts to the jury which ultimately is what they are told to base their decision on.



Final remarks

Is this going to make the ultimate difference in security? No. But if you are looking for a golden bullet then you are probably mistaking the idea of 1-step ultimate security for convenience from what I have witnessed. My own PGP key has a life of 3 months, I am not a vendor and I am nothing to do with the operations of Silk Road either, so it is reasonable to assume this is proportionate to the threat level I face. Vendors should ideally change at least once a month and sign their next key when changing, then put the obsolete key in deep storage far away from themselves or securely delete it outright.

Other very knowledgeable people are here volunteering their time to help in matters such as PGP, general OPSEC and specific/more specialized forms of security - make use of what knowledge they are willing to share. I intend to write much more specific and advanced topics in future covering a wide range of issues and I hope if you have read this far then what I have said above will at least get you thinking of some of the threats I outlined.

Hux

Fingerprint: 85B20E7623AAE8D07FF68A79A6B54E14E4193CEB
Topic/Source: http://silkroad5v7dywlc.onion/index.php?topic=13717.0
Profile: http://silkroad5v7dywlc.onion/index.php?action=profile;u=17927
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


Tip: To verify the above signature, quote the contents into a reply and paste that into your PGP program to verify it as it uses BB coding which will not show up if you copy the unquoted form.

14
Newbie Discussion / Re: **Spam to 50 & Get out of Noobville**
« on: January 03, 2014, 10:09:45 am »
Spam to 50

15
Newbie Discussion / Re: **Spam to 50 & Get out of Noobville**
« on: January 03, 2014, 10:09:37 am »
Spam to 50
