Silk Road forums

1. Human error. Including not using GPG to encrypt your address.
2. Massive state level SIGINT agency traffic analysis
3. Hackers
4. Lack of anonymizing Bitcoin enough
5. Random interceptions


Human error is certainly a weak part of SR. Lots of users don't even encrypt their addresses I hear. But this is fine by itself, up to the point that the server is seized, pwnt by hackers, or the admins are busted. So it is hard to say it is the weakest part of SR, since before it manifests itself as a weakness another issue will need to trigger it. Massive traffic analysis by NSA and similar agencies is a big concern and there is a lot of worry that these attackers can deanonymize most Tor users. If they actually feed the intelligence to the feds, that is somewhat of a different question, although I am not as optimistic as I once was. Hackers are a real threat as well and it is hard to say they are less of a threat than SIGINT agencies. Even though a global external attacker is near a death blow against SR, it might be that we actually have more to worry about from hackers. Random interceptions are always a threat as well, but they happen rarely without some other form of intelligence pointing to the package or individual.

It is really hard to say which of these is the greatest threat to SR, but together they are the primary threats to keep in mind.

1. Hidden services are a must. While i enjoy browsing porn with tor the only real reason i use it is SR. If the system cant support the hosting of sites then there is very little usefulness to it and we might as well resort to freenet.

Freenet isn't a bad choice. Tor is a featherweight boxer, quick but easily knocked out by a heavyweight attacker. Freenet is kind of a medium weight boxer. Mix networks are the heavyweights, slow but powerful. But it is likely if the NSA can pwn Tor they can pwn Freenet as well. It is a bit harder to pwn Freenet, but an attacker who can watch most links on the internet + who owns a decent number of Freenet nodes can break Freenet. We are assuming that the NSA can watch most links on the internet, it isn't going to be hard for them to own a decent number of Freenet nodes as well. In the case of Tor the attacker doesn't need to own a single Tor node if they can watch the majority of links on the internet. So the cost to attack Freenet in a major way is more than the cost to attack Tor in a major way, but it might in this case be the difference between someone in the Forbes top 100 buying a ten million dollar house or a twenty million dollar house.

2. Low latency. If people are to make any real use of this it needs to be accessible and responsive. Having a big clunky system that protects against SuperSaiyanNSA9000 wont do us any good if it takes forever to do anything.

This is not a realistic goal to have if you want strong anonymity. The only systems that allow for strong bidirectional anonymity and low latency require so much bandwidth that they only exist on paper. Strong unidirectional anonymity is in the realm of possibility, but even that doesn't scale so well in most cases. BitMessage is a good example, since everybody gets every message it has ideal receive anonymity, and it isn't very high latency either since messages are only slightly delayed at each node. But it wont scale very large and has a host of other problems with it.

3. Invariance or more variance? You make a point that if all traffic were uniform in size and timing then it would be all but impossible for even two bad nodes in the chain to track it. But then this creates massive overhead that is impracticable with current tech. So lets fudge that idea, we have packet encryption and packetsize invariance, this protects our contents, but when it comes to timing what we need is more variance, that is if every node added a random number of seconds to most of their packet then while it might slow down the network a bit it will be impossible for even a global adversary to determine the flow of a packet just based on timing. Packet numbers can be fudged this way too, add a few more or less packets here and there, not everything needs to be manipulated, just enough that an attacker wont know what has or hasnt been manipulated.

It is not impractical for many applications. For E-mail is certainly is not impractical there have been deployed mix networks for E-mail that removed all message variance. I think in many cases it is not impractical at all. For uploading and downloading high definition movies it isn't really practical, but for posts on a forum? For small and simple websites? For E-mail? For sharing small files like .pdf? For a blog?

The general rule of thumb is that uniformity is always good, and randomness is good sometimes but much less often. This can be seen in timing attacks against cryptographic systems as well. Random variance can often be filtered, invariance can never be filtered. In the case of layered encryption, randomization is secure. When it comes to inserting random jitter at each hop, I think it would either be insecure (in that even if it makes attacks harder, they would be realistic to carry out), or require such a massive range of time delays that it would actually be many orders of magnitude faster to just use a mix network and remove variance. I am sure some of the literature on anonymity discusses the idea of adding random jitter in depth, but I cannot off the top of my head think of a paper for you. The following paper on flow watermarking has demonstrated that attackers can filter substantial amounts of jitter in low latency networks though:

http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.123.3789&rep=rep1&type=pdf

Fortunately, our interval centroid-based watermarking
could self-synchronize the decoding offset with the encod-
ing offset even if 1) the clocks of the watermark encoding
host and decoding host are not synchronized; 2) there is
substantial network delay, delay jitter or timing perturba-
tion on the watermarked flows.

 

Actually they did an analysis on a rather sophisticated low latency system that utilized mixing, artificial jitter, dummy packets, etc, and were still able to insert readable interpacket fingerprints. So I think we will not have luck with this approach, and rather must take care to make messages totally uniform between hops (which means obtaining all packets before sending them forward to the next mix, to remove any interpacket timing fingerprint. which means significant time delay).

   Despite of the significant flow transformations (i.e.,
repacketization, flow mixing, and packet dropping) and net-
work delay jitter introduced by www.anonymizer.com to the
Web traffic, we were able to achieve surprisingly good re-
sults in linking the information sender and receiver through
our flow watermarking technique. When we decoded the
32-bit watermark from a network flow, we allowed a few
bits mismatched with the watermark we were seeking. The
number of allowed mismatched bits is called the Hamming
distance threshold in our watermark decoding. Figure 11
shows that we can achieve a 100% watermark detection rate
with a Hamming distance thresholds of 5, 6, 7, and 8, re-
spectively, and redundancy of 20 from the Web traffic re-
ceived at the client side. This only requires less than 11 min-
utes active browsing. With less than 6 1/2 minutes of active
browsing traffic, we were able to achieve a 60% watermark
detection rate with a Hamming distance threshold of 5.

What i want to know is what exactly protects against an attacker that owns the majority of relays in a network?

Mix networks are actually much better protected from attackers who own a lot of nodes. This is because a single good mix on a messages path buys it significant anonymity, and there is no hard limit to the number of mixes on a path. This is in contrast to systems like Tor, where adding more nodes to a circuit doesn't help from some of the most dangerous and easy to carry out attacks. If you have three nodes or fifty nodes it doesn't matter if packet streams can be linked regardless of their location on the circuit. The attacker who owns the entry and exit can still link clients to destinations. In the case of a mix network, the attacker can own 49 of the mixes on your messages path and still not be able to deanonymize you if your message went over a single good mix at any point in time.

^Mixnets are effective against timing correlation attacks because they are nowhere near real time. Problem is, no one wants high latency communication, and that's one of the biggest limiting factors of networks such as Freenet.

I think kmf makes a good point though. Would you rather wait an hour to refresh a page, or have your door busted in by the feds?

The problem is partially that you are thinking in a browser oriented way. Nobody says it needs to take an hour to refresh a page. You can refresh the page in real time if you want. But what you are refreshing is what the page would have looked like exactly an hour ago if it was low latency. When you think of it in that way, and design systems in that way, it becomes less painful. Nobody is saying you need to click on a thread and then wait an hour for your browser to load it. You can click a thread and have it loaded immediately still. But the result that you see will be an hour behind the posts that people have made to it in the mean time. If someone made a post 59 minutes ago, and you click the thread, the thread loads right away still. But it doesn't have that post. When you hit refresh a minute later, it loads instantly again, and now you see the post. Doesn't seem quite as bad when you think of it that way does it?

Quote from: kmfkewm on September 21, 2013, 10:05 pm

Freenet is the only network I am aware of that provides plausible deniability. It is kind of mid-latency. Mix networks do prevent timing correlation attacks, but they also prevent a hell of a lot of other attacks. Also, I see no reason why they cannot be used for commerce. Do you really need to get updates every two seconds? Or can you wait an hour or two after someone makes a post before you can see it? Do you need your posts to be visible right after you hit post, or can you wait and hour or two for people to see it? Even adding an hour or two of delay between messages being posted and messages being available will give the possibility of having exponentially more anonymity than Tor has.

An hour? People get pissed when it takes more than 15 seconds to load a page.

People gonna be even more pissed when feds kick their doors down.

That might be true for tor and i2p, but its not true for freenet. I believe this isnt due to the high latency or the fact that they are just relays, but the fact the network is designed to relay data randomly and automatically (for data redundancy), therefore even if an attacker had a full view of the network they wouldnt be able to tell who requested what.

Freenet would be more resistant to it but maybe not immune. I am not Freenet expert, but I think many attacks against Freenet require a local external attacker (IE: the users ISP) in order to easily get around plausible deniability. Freenet is the most resistant of all the current networks to anonymity attacks. Even I2P seems like it would be more resistant than Tor, because I2P has some plausible deniability except in the face of an external attacker as well. If you are the ISP of the target, you can see all traffic into them and out of them. If you are not the ISP, you cannot tell for certain if traffic from them is being forwarded through them or if it originates from them, even if you are all nodes connected to them you cannot really be certain of this without an external position. Tor is actually pretty weak to internal attackers in this regard, due to the fact that clients are not relays.

The problem with tor/i2p is everything is on a command basis, so its trivial to say "well this server received a request for this data and this node sent a request for something within x timeframe therefore there is a high probably they are linked". I suppose this is the problem with low latency systems, it always comes down to resources otherwise the relays could just send junk data all day and it would be impossible for an attacker to tell what is real.

Constant rate cover traffic is a technique that can provide perfect anonymity in low latency. But it requires too much bandwidth to be feasible. It pretty much has the same anonymity as a DC-net.

edit: wait, you are saying that all it would take is for the botnet owner to set all his zombies to run as relays to deanonymize TOR?

Well, if the botnet owner had all his nodes are relays he could easily deanonymize Tor 100% instantly. But he cannot get all of his nodes to be relays because nodes are screened by directory authority servers that have mechanisms in place to protect from botnet flood attacks. Unlike I2P and unlike Freenet.

the problem as i understand it is that the authorities are trying to kill off the mdma trade by restricting movement of ingredients, as a result less safe compounds are being passed off as mdma and subsequently the mortality rate rises.....brilliant harm reduction result there from the twats in charge.

dont worry, we'll save your kids from the horrors of clean mdma...by killing the little fuckers in a heatstroke pma nightmare.

and then when the kids die from the PMA everybody says it is MDMA and they all rally around the war on drugs to restrict it even more, and then even more kids die.

High latency networks (like mixnets, Freenet to some degree) don't provide instant gratification.   You request a resource (a message, a copy of a static website, whatever), and that message gets bounced around for a while, and the content works its way back to you.  Maybe in a minute, maybe in a day.   Maybe in 30 seconds.   But the key here is that it's not establishing a *connection* between two points (you and your server/destination) and grabbing the content.  It's you, sending a message, waiting for a response.  Email is high-latency.  Usenet is high-latency.  Downloading a video, then watching it is high-latency. 

How long traffic mixes for is less important than how much other traffic it mixes with. If a message is delayed for two weeks but nobody else mixes traffic on that node, it might as well have been mixed for two seconds. If your traffic is mixed for two seconds but ten thousand other people sent traffic over that node, then it would be just the same as mixing for two weeks with ten thousand other people sending traffic over the node. So the more heavily used a mixnet is the faster it can go while still providing the same level of anonymity. Another technique is called alpha mixing, which is where the messages themselves have user defined time delays per hop. Old mixnets had various other strategies where the user was not in control of their own latency but it was decided by the individual mix nodes. Alpha mixing allows us to lower latency a little bit as well, provided not everybody does. Some people routing high latency traffic over the mixnet gives an anonymity benefit to everybody using the mixnet, including the people routing lower latency traffic over it. This isn't to say that you can use it with no time delays and be fine, but there are techniques to shave some latency away while still keeping anonymity intact.

When you're talking about an adversary the size of NSA, they're always going to be able to see enough network traffic to follow *connections* around the Internet.   High-latency Mix/etc networks separate the connection from the actual conversation.  This lets them chop the conversation up into pieces, toss it in with other pieces of other people's conversations, and keep an adversary from saying "Aha!  That specific request is from X!  He's sending a message to Y!"

The issue is that, because the NSA can watch most of the links between nodes on any given network, they can indeed follow the packets around. Low latency networks do not mix traffic, they get packets and forward them on as they come. If the attacker watches Alice send a packet to a server and then Bob sends a packet to the same server, he knows that the first packet out of the server belongs to Alice and the second packet out belongs to Bob. So he can follow their traffic around easily. In a mix network, Alice and Bob send their packet to the server as before, but the mix network holds them long enough that it can randomize their output order before sending them on. Now the first packet out has a 50% chance of belonging to Alice and a 50% chance of belonging to Bob. Throw in some randomly generated dummy packets between mixes, and it becomes even harder for the attacker to tell what is going on. 

No technology is going to keep NSA from seeing that *your IP* is making connections and participating in an anonymity network.   Nor is it going to keep someone that size from seeing what servers you're connecting to.  Or seeing who else is connecting to the same server, and possibly correlating that traffic.

There are covert channel technologies that could make it harder for them to tell, something sort of like bridges on steroids could be made, but it is going to be really hard to protect from a global external attacker anyway. There are systems for Alice and Bob to talk with an extremely low probability of their act of communication being identified, even by an attacker who watches the links of the entire internet. But I think these techniques would work better for a spy to funnel information back to his home country than they would work for bridges to an anonymity network. 

But it can provide massively better protection against those agencies identifying what you're doing.   In some perfect, "everybody uses a perfect high-latency anonymity technology" world, NSA can still see that you're using anonymity technologies.  Just not what you're doing.  Maybe you're sending an message.  Or participating in a group chat.  Or downloading a catalog of products from a vendor and sending a message to transmit an order.

Pretty much.

However, we're not just one missing piece of technology away from that happening this week.  kmfkewm's project to build a PIR/etc system is fantastic.  But even if he finishes it tomorrow, and it's ready for production, and he stands one up on the Internet, what you have is a single PIR server, sitting on the Internet, able to securely route messages from Client A to Client B, with nobody else able to see what they're doing.   But they'll still be able to see all the clients connecting to the server.   They can't know what they're doing, but they'll know they're using that server.

A single mix is only good to protect from external attackers anyway. If the mix is bad it can link communicating parties. But a single good mix on a messages path can buy it significant anonymity. With CPIR (which PSS seems to be a type of) it doesn't matter if the server is bad. It is essentially cryptographic anonymity, nobody can tell the messages you download unless they can solve a hard math problem. Also, people would connect to the server via Tor anyway, so nobody who cannot break Tor can tell they are connecting to the server. But hopefully a network of volunteer nodes springs up pretty quickly.

One single perfect PIR server doesn't fix the problem.  It's a key part of the equation, but it's nowhere near the whole equation.  Sure, it's cryptographically awesome, but from a practical anonymity perspective, if there's just one single server sitting on the Internet, doing amazing crypto stuff, it's really not that much better than a hidden webserver just routing PGP messages between users.   If someone seizes that server, and backdoors it, they're going to be able to see that Client A sent something encrypted to Client B, and because of their NSA-level view of the world, they probably will know who Client A & B are.  Not what they said, but everything else about their conversation.

Well, one of the reasons it is better is because if a server routes GPG messages between users, it knows who is talking to who, and unless the users connect to it with Tor it can easily tell which IP address belongs to which person. With single PIR server the server cannot tell who communicates with who and it cannot link messages to IP addresses. No, even if somebody seizes the server they cannot tell anything. PSS assumes a malicious server the entire time. Unless they can solve a hard math problem, having the server buys them next to nothing. On the other hand if they seize a single mix it is game over because the owner of a mix can follow traffic through their own mix. A mix network needs at least two nodes operated by different individuals to protect from internal attackers, although a single mix can protect from external attackers like the NSA, unless they take the mix over.

A hundred isolated PIR servers, acting as little individual islands of communication, still basically have the same problem.  They have to be able to communicate with each other, forming a meshed network of mixing and content delivery, that actually decentralize the network.

Certainly they need to form a mesh network. A hundred isolated PIR servers wouldn't work very well.

kmfkewm, I'd love to know where you see those technologies evolving, and how you see the world working after the actual implementation of PIR/etc technologies.  Is every user node routing traffic for others? Or are they connecting to central servers?  Do PIR storage servers talk to each other, or are they islands?

I see things evolving past the point of browser based applications in many ways, and toward custom security oriented software packages for specific goals. The anonymity of a mix network is actually hurt if it is too big, pretty much the opposite of Tor. The theoretically ideal mix network would consist of one node, from a traffic analysis perspective (or two nodes if you want protection from internal attackers), but in practice it needs more nodes to ensure the two people running nodes don't turn to the darkside etc. The more concentrated traffic is over the mix nodes the better, and the more mix nodes there are the less concentrated traffic over them is. If all users are mix nodes, traffic wont be mixing with much other traffic at any given hop.

I envison a mesh network of maybe 50 or so nodes, each node being a mix and a PIR server, with messages being distributed through the servers with everybody gets everything PIR or something. The shittiest part of this system is the fact that all PIR servers need to have the same database, and that means they need to share all messages they get with each other similar to how BitMessage shares all messages with all users of the system. It would be much nicer if we could have messages segmented and spread across the network to different nodes, instead of a single database mirrored over each node. Doing it this way is kind of crappy, because for one it wastes probably hundreds of terabytes of storage space that will be dedicated to the same mirror, for two it opens up the risk of DDoS attacks since sending a packet to a single node echos it to all nodes, etc. And it is hard to keep good content that is accessed a lot, because the protocol itself prevents anybody from knowing what is being accessed and what is not. So this is not ideal, but I cannot think of a better system that doesn't introduce traffic analysis vulnerabilities. Certainly we can not have different messages tied to different PIR servers, or else Alice could cause Bob to access the various servers in a pattern that she can then identify. Bob could have a single server associated with his pseudonym where all messages to him are sent, but then his anonymity set size immediately falls to the users using that node, and what happens when that node is taken down? If it is malicious it doesn't matter because of PIR, but if it is taken down he needs to go to a new server, this will introduce traffic analysis vulnerabilities as well. So I cannot think of a way to do it other than a mirrored database over all the servers, but what to do about the risk of DDoS , plus it is a fucking shame to waste so many terabytes of space mirroring the same thing over and over again. The biggest win from mirroring the database instead of having it on a single server is that the bandwidth load of clients downloading messages will be distributed, but in reality a single CPIR server is no more insecure than 100 CPIR servers. It doesn't matter if your CPIR server is compromised or not.

If you can think of a better way to manage inter-CPIR server communications etc please let me know.

And everyone who said "We need an easy way to do that" is hitting the nail perfectly on the head.  Even if the world's best anonymity network is built, if only two people are using it, then it's still not anonymous.  You need more widespread adoption to get the true benefit from mix technologies.   Basically, I have to have enough "other" traffic to mix my traffic with with before I can hide in that traffic.

Yeah one of the hardest issues will be bootstrapping an anonymity set to start with. I will probably suggest people run it sending dummy traffic, but not using it for anything, until it has at least a thousand members.

Guys this has been in the "issues" and changelog documentation for ages, at least implicitly. It's saying something though when they come out and state it explicitly.

Why are you saying to scrap TOR and start from scratch?? The problem with PUBLIC networks such as tor is that ANYONE can access them. The most secure model could be one that relies on requiring PHYSICAL access. But this doesn't seem at all realistic now does it? We got to stick with the interwebs for now.

that is not the problem with networks like Tor, at all. The more people who use an anonymity network, the better it is. Physical anonymous communication sounds, well, not feasible at all for a large group of people around the entire world to do? Not very anonymous probably, depending on how it is implemented? We saying scrap Tor and start from scratch because Tor model is fucked. I2P model is fucked. VPN model is fucked. Proxy model is fucked. These were always toy technologies to begin with. The real anonymity has always been in the mix network designs. When they made these low latency solutions they said "high latency is not really that user friendly, but it assumes a super strong attacker. Let's try to make it user friendly by assuming a vastly weaker attacker, and hope that there are no super strong attackers". There was a super strong attacker, it was NSA. And GCHQ. And other SIGINT agencies. And they shared intelligence with police, which was a surprise to many including myself. And they networked together into essentially international massive intelligence cooperatives, Australia + UK + Canada + USA SIGINT = tremendously powerful attacker, the type of attacker that the mix networks hoped to protect from but way way past what Tor was ever meant to protect from, way way past what I2P or proxy or VPN was ever meant to protect from. Not only that, but research into these technologies ended up showing over time that they were not even as good against the weaker attackers they set out to protect from as they hoped to be at first. And that research is just stacking up paper after paper. They aimed to add user friendlyness to anonymity by making these technologies, and the cost was to protect from a much weaker attacker than the mix networks. But they under estimated the strength of the attackers in reality and they under estimated how much their designs would weaken the anonymity properties of their networks against the weaker attackers they aimed to protect from. The end result is that their networks are not safe to trust your life to, because not only are there big powerful attackers in reality who they thought they didn't need to protect from because they thought they didn't exist, but the weaker attackers they tried to protect from who they knew existed turned out to be able to do a lot more against their networks than they originally thought they would be able to do. It is a double whammy combo punch and the result is these technologies are KO'ed. Time to bring in the heavy weight boxers, and those are the mix networks, the PIR based solutions, the DC-net based solutions, the covert channel based solutions, etc. Not the low latency proxy with some fancy encryption and padding solutions.