Silk Road forums

isn't this just stealing shit? Are they legitimate coupons or cracked coupons? I thought SR had rules against stealing. Why not allow credit card dumps too then?? 

Interesting attack.

Clients send most of their circuits through high bandwidth nodes, which maintain hundreds to thousands of simultaneous connections. So, what is the circuit close frequency on those nodes? If it is at least once per second, then a timing attack probably would not be effective. This also requires that your entry guard is pwned, and you cycle through them very slowly.

It doesn't require your entry guard to be pwnt for an attacker to enumerate your entry guards, although it does require a pwnt entry guard for it to be used to link a client to their destination. As far as I am aware, the current research shows that a single packet is enough to link two parts of an observed stream together. There are millions of packets going across the Tor network at any given time but this does not prevent an attacker who can see only two packets from linking them together. For this reason I highly doubt that noise of other users exiting Tor will be enough to protect from this attack. Also it doesn't require compromised entry or middle node if it is used to compromise circuit isolation for exit traffic linking.

Nice kmf, always good to read your technical posts.

I am a little confused though. In the next scheme :
"
     001
     000
     100
     000
     000
     001
|=____
      101 == compromised (exit traffic from circuits in pattern xx1 is linkable to you)"

One of those compromised nodes will know it's an exit node, but the other one how does he know he's an entry node and not a middle node? As far as I know a relay has no knowledge if you originated the data or you just passed them to him, right?
Did you put 2 compromised entry nodes for that reason, to narrow it down?

Also does this apply to both clearnet and hidden service traffic?
Thanks

Middle nodes know they are not exit nodes, that leaves them as either middle or entry nodes. Middle nodes only get connections from Tor relays and bridges, Entry nodes only get incoming connections from clients. A node operator who knows they are not an exit node could get connections from Tor relays, clients or bridges. If they are getting a connection from a Tor relay they know they are a middle node. If they get a connection that isn't from a Tor relay it could be from a client or a bridge. They can try to use the connecting party as a bridge to confirm if it is one, if the connecting party acts as a bridge then they know they are a middle node and if it doesn't then they know they are an entry node.

Or they could just count the number of extend cells they have forwarded on. If they forwarded two extend cells they are an entry, if one they are a middle node.

I am not sure if it applies to hidden service connections, I don't know if circuit shut down cells will end up being forwarded all the way up to the hidden services entry node or if they will stop at the clients exit node. If they are forwarded all the way to the hidden services entry nodes then it would work against hidden services as well.

C = client
H = Hidden Service
M = Malicious Node
G = Good Node

(open unused circuit)
Client <-> CM <-> CG <-> CG

(active circuit to hidden service)
Client <-> CG <-> CG <-> CG <-> HG <-> HG <-> HM <-> Hidden Service

if the circuit tear down cell goes all the way out to HM, which it PROBABLY does actually since hidden services make a new circuit per client and there would be no point in keeping the hidden services circuit up after the clients circuit is torn down (but I am not positive I will look into it more), then if the client exits Tor while the connection to the hidden service is still active, the attacker who owns CM and HM will see a shut down circuit packet at CM and then shortly after they will see a shut down packet at HM. All the current research I have read points to a single packet being enough to utilize a timing attack, and thus I believe that this attacker could probably link the client to the hidden services IP address. Of course the attacker in this scenario will need to additionally identify the hidden services IP address, but as they are one of its entry guards they could just send the .onion address of interest a watermarked stream and wait to see if they observe themselves relaying that stream back to the hidden service they are an entry guard for.

Russia, Malaysia, Panama

make sure they host is bulletproof.

I think a better question is will you find any legit RC *labs* that are NOT on the clearnet.

Most them take bank and money wires, although some accept traditional e-currency like Pecunix or LR. Some also take credit cards but I would avoid that. Most of them are based in China and also make non-recreational chemicals as well. Also if you really are trying to find a lab be prepared to buy kilo minimums of whatever you are looking for. On the bright side expect to pay only a few dollars per gram .

Churches are exempt PRECISELY for the reason of church and state separation under the principle that there is no surer way to destroy the free exercise of religion than to tax it. This is not a separation between church and corporation, or church and citizen, but church and state. So where do you see the contradiction? Of couse individuals and corporations are taxed. You could make the claim any tax exempt organization, not just churches, are being paid by individuals and organizations by proxy. So? What's your point?

Okay you have a point that other non-profit organizations also have tax exempt status.

Again, this looks to me like the state is providing people the freedom to exercise their religions.

Yes and the constitution mandates that they do this, but it also mandates that they do not make laws respecting any religion , and thus ANYBODY being prohibited from using DMT or Mescaline is having their rights unconstitutionally infringed upon. It is a law respecting a certain religion to say that a certain religion has an exception from the law but nobody else does.

So what? Can you really not see that they have the right to pass laws and govern the state as they want? The fact that they're religious is incidental. There is no guaranteed right to drink alcohol in the bill of rights. If someone doesn't like the alcohol laws in Utah, they can move.

So what exactly do you think separation of church and state means if not "No laws shall be passed favoring religions"? Religious based laws are prevalent, and that is largely why there is no real separation of church and state. It is impossible to have separation of church and state in a pseudo-democracy that consists overwhelmingly of religious people. Why do you think gay marriage is banned? Because the Bible says that Homosexuals are an abomination and marriage is between a man and a woman. If the Bible said Homosexuals can marry, there would be no laws in USA against gay marriage. I don't understand how you can not see that this means there is not really separation of church and state. Enforced separation of church and state would prohibit the masses from passing laws that have their roots entirely in religion. There is absolutely no reason to outlaw homosexual marriage other than the fact that it pisses off God according to Christians, and actually the fact that this is why they want homosexual marriage outlawed is widely known and admitted to by all of them. How is it separation of church and state when there are state enforced laws saying that gay people cannot get married, and these laws are openly based on the fucking Bible?

So what? Dude are you serious? These are your reasons for why there is no church and state separation in this country? That some states have business op hours on Sunday? OK, something's weird here, like we're not on the same page with terms. What do you think the "state" part means when I say "church and state"?

If there was really enforced separation of church and state, the state would not be able to limit business operating hours on Sunday solely because it is the Sabbath. There is no other reason to restrict business operating hours on the arbitrary ass day of Sunday, and only an idiot would think that they do this for any reason other than as a nod to the christian faith. They cannot make laws respecting religions, why should Buddhists be subjected to laws that are based on the Christian faith?

So what? How does this violate "congress shall make no law respecting an establishment of religion"? There is no specific religion referenced.

By law public currency is stamped with "In God we Trust" , God is obviously a reference to the Christian God. It doesn't say in Allah we trust, it doesn't say in Buddha we trust, it says In God we Trust. Additionally it makes a claim that all people in the US are theists, which is complete bullshit. It is clearly unconstitutional for the government to have an official policy of putting Christian slogans on everything, they are PROHIBITED from establishing a state respected religion but only an idiot would think that they are not full supporters of Christianity in an official capacity.

You have a right to just "affirm" that you will tell the truth, the whole truth, and nothing but the truth. No gods, Bibles, or anything else religious need to be involved.

Okay.

Only place I could see you have a point, although the wall of church state separation rolled back during Bush in religious charities is being rolled out again it's not happening as fast as I would like.

I'll point out also that with 80% of the population Christians, in your militant Libertarian world Christians would still own and dominate large swaths of land where you'd have even less freedom from Christian influences and be subject to their rules when on their property. And in this part of a world with no public property, that would be often.

In my militant libertarian world the Christians can feel free to live in their backwards ass cities, persecuting gays and staying stuck in the past. They also will be prevented from harassing non-Christians who stay away from their backwards asses. I will move to some area full of young people (who are atheist in much larger numbers) and chill with gays and druggies and other generally-not-insane-people, and they can all move to the south and condemn each us all to hell .

So the fuck what? The rehab facilities are not state institutions. AA might be a freak cult and use similar language to Christianity, but 'God' in AA can mean the higher power of the group itself and atheists in AA use it to mean that.

It does not matter if the facilities are state institutions or not, the people who sentence you to attend them are acting in the official capacity as representatives of the state. By your logic it doesn't matter if judges sentence us to go to Catholic Church for ten years, because the Catholic church is not a state institution. Nonsense. Also AA is a christian cult, you can pretend they say God to mean some higher power but they say the lords prayer for fucks sake.

Do you realize that there can be a separation of church and state while the majority of people allowed to practice their religion of choice are Christians?

Sure and they can feel free to practice their religion, but right now they pass laws that are based on little more than their religious brainwashing and this oppresses the rest of us. Pretty much all vice laws are based on either religion or ultra-liberal philosophy (most liberals are actually pretty against vice laws).   The laws about store operation times on Sunday are certainly because of Christianity. The laws about alcohol are from Christianity. And anyway, these more abstract examples aside, the government routinely funds religious institutions, allows and engages in religious discrimination and promotes Christianity in general.

an assassination market would need something like this I think. sans math formulas (at least properly formatted) and graphs.

1
Introduction
This work contributes to the understanding of covert communications on de-
ployed networks such as the Internet. We show that if any shared state can be
accessed and influenced by two parties they can use it to communicate indirectly,
making it hard for observers to correlate senders and receivers of messages. We
also present a very common feature of the IP protocol [28, 27], based on the IPID
packet field, that can be used to implement such covert communications. As a
result our scheme does not require a dedicated infrastructure (as mix networks
do), but uses any of the large number of deployed machines to relay messages.
We further show that the ‘noise’ produced by other, innocuous users, can
be used to enhance covertness – given the observer does not know the shared
key it becomes difficult to assess whether there is a communication at all. To
achieve this we are inspired by techniques close to DSSS, that allow for low
power signals to be hidden and uncovered from high noise environment. Finally
we note that our scheme allows for covert communication despite, even stringent,
data retention. This is partly due to the low level mechanisms we rely on (raw
IP packets) and the very low signal power that would require prolonged, very
costly, observation to allow the identification of a communication.
We first introduce in Section 3 the requirements of a cover communication
systems, and discuss why established technologies only partially satisfy them. In
Section 4 we present the basic TCP/IP mechanisms on which we shall build two
systems: a basic one based on ICMP Echo requests (Section 4.2) and a second,
more covert one, based on TCP circuits (Section 4.3). We discuss extensions and
open issues in Section 5 and present our conclusions in Section 6.
2
Background and Related Work
Covert and jamming resistant communications are a well studied discipline in
the field of military and civilian radio communications. Low probability of in-
tercept and position fix techniques like frequency hopping and Direct Sequence
Spread Spectrum (DSSS) have been developed to force an adversary to spend
a lot of power to jam a signal, as well as to hide altogether the existence of a
communication from those that do not know a shared key [5]. Such technolo-
gies have been deployed in military tactical radios, but have also become part
of civilian communications with frequency hopping being used in GSM phones,
and CDMA (a variant of DSSS that uses orthogonal codes) being used in mobile
communications and high-speed modems.
Yet relatively little attention has been directly payed to the covertness of
communication in the context of the Internet. The field of anonymous communi-
cations, as started by David Chaum’s [13] proposal for mixes and mix networks,
attempts to provide unlinkability of senders and receiver. These anonymity prop-
erties fall short of full covertness, in that an observer is in a position to determine
that some form of communication is taking place. Jamming resistance is also dif-
ficult to achieve, since the anonymous communication infrastructure in deployed
systems [14, 23, 15], can easily be targeted and rendered inoperable by a pow-
erful adversary. A peer-to-peer approach [18, 29] to providing anonymity may
change this, but so far no such system was found to provide strong anonymity
properties.
Steganography [6], the embedding of ciphertext into innocuous data, also pro-
vides some form of covertness. An adversary observing a communication cannot
determine its content with certainty, and messages can be transferred under
the cover of ‘normal’ traffic. Yet steganography does not hide the acts of com-
munication themselves, or the communicating parties. Therefore traffic analysis
techniques that map social structures [30, 21] to extract information would still
be able to uncover information. Such techniques often ignore content and are un-
likely (in the absence of cover traffic – which would bring us back to anonymous
communications) to be affected by steganographic techniques.
Despite the little attention payed to covertness properties, traceability of
communications has become a policy hot topic. National legislatures, often af-
ter terrorist incidents, have imposed ‘traffic data retention’ requirements on the
telecommunications and Internet service provider industries [12, 20, 24], forcing
them to log call, information access and location data (not content). At a Eu-
ropean level EU Directive 2002/58/EC [3] (Directive on Privacy and Electronic
Communications) and its December 2005 amendment [4] respectively allowing
and making retention mandatory, replaced Dir. 1995/46/EC [1] (Data Protec-
tion Directive) and Dir. 97/66/EC [2] (Telecommunications Privacy Directive)

that prohibited such practices. The granularity of the retained data is variable,
and the directives and laws often refer to communications in an abstract man-
ner to allow for technology independence. As a rule of thumb for this work we
shall assume that everything that is routinely logged in deployed systems shall
be available for inspection. This requirement is much more stringent than the
most draconian data retention schemes proposed, that usually only require log-
ging high (application) level communication events and user identification events
(when the user is authenticating to an ISP). Relaxing the attacker models would
make covert communication more efficient, yet the principles to achieve a secure
scheme would be the same as presented in this paper.
There exist other, simpler, approaches to circumvent traffic data retention
and achieve covert communications in practice. The simplest approach would
be to use one of the many open relays documented in the SORBS list, for anti-
spam purposes. These include SMTP (email) and SOCKS (any TCP stream)
relays that would allow two parties to get in contact and talk. Another more
ambitious solution would be to establish a bot-net, composed of many compro-
mised machines, and deploy a parallel communication infrastructure that does
not log anything. These solutions rely on the assumption that the relays are
not observed by the adversary, which is most probably true. The solutions we
propose on the other hand allow covert communication even when under some
forms of surveillance. In this sense our techniques take advantage of the funda-
mental limits of traceability versus covertness, and raise significantly the cost of
surveillance.
3
Covert Communication Requirements
Alice and Bob would like to communicate without Eve, the adversary, being
able to observe them. They share a symmetric key K, unknown to Eve, and can
use established cryptography techniques to protect the secrecy and integrity of
exchanged messages. In addition to this they would like the mere act of commu-
nication to be unobservable to Eve: Eve should not learn that Alice or Bob are
communicating with each other, or engaging in an act of covert communication.
Hiding the fact that Alice and Bob are communicating with each other could
be achieved using anonymous communication protocols [13, 23, 14, 15]. Yet these
protocols (like encryption itself) are very easy to detect, therefore jeopardising
covertness. They use standard handshakes, fixed message sizes and formats, a
more or less fixed and public infrastructure. As a result, it is easy for Eve to
determine that Alice and Bob (along with many others) are taking part in an
anonymous communication protocol – which in many cases would give rise to
suspicion. Due to their dependence on mixing infrastructure such systems may
also be prone to legal compulsion (to log or reveal keys), targeted denial of
service attacks or blocking.
The straight forward composition of steganography and anonymous com-
munications comes also short of providing both anonymity and covertness. A
message, that possibly contains steganographic embedded information, that is
transported anonymously is already very suspicious, and a clear indication that
the sender and the receiver (although not linked) are taking part in some covert
communication. On the other hand a mere steganographic message might pro-
vide covertness of content, in that the true message is not revealed to Eve, but
also provides a clear link between Alice and Bob.
We therefore propose that covert communication mechanisms should have
certain characteristics.
Definition: A covert communication system has to make use of unintended
features of commonly used protocols, in a way that does not arise suspicion, in
order to unobservably relay messages between two users.
The use of common communication protocols is essential in not arousing sus-
picion, since any deviation from the norm may indicate an act of covert commu-
nication. The challenge is to find generic enough features of common protocols
that allows messages to be relayed through third party machines. Any direct
communication between Alice and Bob would create a link between them, that
may in the eyes of Eve contain a covert channel or steganographicaly embedded
information. On the other hand the use of an intended communication channel
provided by a third party can be subject to logging and interception. As a result
the only option for implementing covert communications is to use unintended
features that allow relaying of messages. Furthermore these features should be
exploitable without giving rise to suspicion to an observer (which again would
jeopardize covertness).
Given all these requirements it is surprising that such features, not only exist
in deployed communication protocols, but they are abundant.
The security of any covert communication scheme is dependent on the ob-
servation capabilities of the adversary. We wish to mostly consider an adversary
that observes the world through retained traffic data. Furthermore, we would
ideally want to provide security against a global passive observer, that has ac-
cess to any information transiting on the network. We present a spectrum of
systems, protecting Alice and Bob from an Eve with increasing surveillance ca-
pabilities. As we expect the more we bound and reduce Eve’s capabilities the
more efficient our systems can be, while still remaining covert.
There are also inherent advantages to finding and exploiting low level network
mechanisms to provide covert communications. First low level mechanisms are
likely to be used in a variety of ways, depending on the protocols that are
stacked on them. This adds variance to the network behavior that would allow
communications to be more effectively hidden. Secondly, low level mechanisms
are also more abundant – more machines run vanilla TCP/IP than a particular
version of a web-service. This allows for more choice when it comes to finding
a relay, which in turn increases the cost of an adversary that has to observe
all potential hosts for communication. Finally low level protocols produce high
granularity traffic data, the storage of which is orders of magnitude more costly
than storing high level network events – compare the cost of storing web access
logs versus the cost of storing the header of every single IP packet traversing a
network.
In the next sections we concentrate on a particular feature of many Internet
Protocol (IP) implementations, namely sequential IPID values, that is low level
and exhibits all the necessary characteristics to facilitate covert communications.
4
A Covert Communications System
Our key contribution is to show that there is a ubiquitous feature of deployed
IP networks that allows for covert communication. The Internet is a collection
of networks that ‘talk’ the same Internet Protocol (IP) [27] to exchange packets
containing information. Each packet starts with a header that contains routing
information, but also a special identification IPID field. The IPID field is 16 bits
long, and is used to detect duplicate packets and perform fragmentation and
reassembly of IP packets in the network. The creator of the IP packet sets its
identification field to “a value that must be unique for that source-destination
pair and protocol for the time the datagram will be active in the Internet sys-
tem.” [27]
Many deployed operating systems and TCP/IP stacks use a simple counter
to set the value of the IPID field on outgoing packets. This feature has been
used in the past to perform security sensitive monitoring in a manner of ways.
Steven Bellovin uses the serial nature of the IPID field to monitor the number of
different machines behind a Network Address Translation (NAT) gateway [10].
The IPID can be determined either by a global or a ‘per-host’ counter. The
availability of some machines with global counter makes possible a techniques
known as ‘idle scan’ or ‘dump scan’ [8], that determines which TCP [28] ports a
machine is listening to, without sending any direct traffic to it. This technique
is implemented in the Nmap [19] network scanner. Applications of serial IPID
fields to remote monitoring and traffic analysis have also been proposed [7, 9,
25].
We are going to use the serial nature of IPID fields of many Internet con-
nected computers in order to allow for covert communications. We explain how
to implement covert communications using an intermediary that uses a global
IPID counter.
Alice wants to talk to Bob, with whom she shares a key K, over an inter-
mediary called Charlie. Charlie implements an IP stack that selects IPID values
using a global counter. Note that if Alice an Bob can force Charlie to emit pack-
ets, and if they are able to observe any packet from charlie they will be able
to communicate. More concretely, Alice will at each time 2ti force Charlie to
emit n packets, while Bob will observe a packet from Charlie at times 2ti + 1 to
retrieve n. The number of packets n is the information that has been transferred
between Alice and Bob. By repeating this process Alice can transmit to Bob
arbitrary messages.
The first question that arises is: how can Alice and Bob force Charlie to emit
packets, and receive packets from him. We shall present two ways in which this
is possible based on ICMP Echo [26] and TCP [28], in subsections 4.2 and 4.3.
A second worry is that Charlie will also be generating traffic with third
parties, incrementing the IPID counter, and adding noise to the observation of
Bob. We note that this is a great opportunity for cover traffic: if Alice and
Bob were the only parties that Bob would be receiving and sending information
to, they may be linked easily by an observer. On the other hand if Charlie is
engaging in multiple conversation, including with Alice and Bob, it is difficult
for even a direct observer to establish who may be communicating with whom.
Furthermore we shall make it difficult for other clients to establish that there is
any signal in the IPID data, by using the shared key K to allow Alice and Bob
to communicate over that noisy channel.
4.1
Transmission over a noisy IPID counter
Assume that Alice and Bob want to communicate the binary symbols n0 = 0
or n1 = 1, over the channel. They use their secret key K in order to produce
two psedo-random traffic patterns v0 and v1 of length l corresponding to each
symbols n0 and n1 respectively:
v0i = H(0, i, K), ∀i ∈ [0, l − 1] (1)
v1i = H(1, i, K), ∀i ∈ [0, l − 1] (2)
We assume that H is a good hash function that takes bit strings and produces
uniform values in the interval [0, 2μ]. As a result each symbol is mapped into a
traffic pattern, which is a sequence of l values in the interval [0, 2μ]1 . Alice sends
in each round the number of packets specified in the sequence of the symbol she
wishes to emit one value at each time period time. For example to transmit the
string ‘0110’, the sequence v0 , v1 , v1 , v0 should transmitted, which would take 4·l
time periods.
Bob observes packets from Charlie with IPID increments, from one time
period to the next, of ui for i ∈ [0, l−1]. How does Bob determine the symbol sent
by Alice? Based on the knowledge of K, Bob can construct a filter to determine
if the traffic pattern v0 or v1 is embedded in the noise. To differentiate between
the two symbols Bob calculates the values r0 and r1 , for each candidate symbol:
rj =
vji ui ,
j ∈ {0, 1}
(3)
i∈[0,l−1]
The difference between the value of r associated with the correct symbol,
versus the value of r associated with other symbols grows linearly with the
length of l. It can be shown (full derivation in Appendix A) that, if the selection

of traffic levels v follows a probability distribution D (in our example the uniform
distribution D = U (0, 2μ)), this difference is:
(∆r) =
(rcorrect − rincorrect) = l · Î(D)
(4)
The function Î denotes the variance of the distribution D.
It is therefore clear that, if the key K is known, Bob can reconstruct the
appropriate traffic patterns v to extract the correct symbols from the IPID in
the long run, despite any noise. Furthermore by increasing the length l of the
traffic pattern we can afford to keep the additional traffic injected by Alice low
and make it difficult for an observer to detect that any communication is taking
place.
Our results hold for any distribution D, and therefore we are also free to use
a traffic distribution that looks realistic i.e. that mimics the characteristics of
some type of innocuous traffic. In fact the covertness our this scheme depends
on the adversary’s ability to distinguish between the distribution D used and
‘normal’ traffic, not containing any covert information.
4.2
An ICMP Echo realization
We have established that if Alice can force Charlie to emit any packets, and
Bob can receive any packets from Charlie, Alice and Bob can communicate
through Charlie using information encoded in the IPID field. The simplest way
for Alice and Bob of achieving this is using the ICMP Echo [26] protocol, often
referred to as ‘ping’, that must be implemented by a compliant TCP/IP stack
(although some firewalls block it). ICMP Echo allows a host to send a packet to
a destination address, which in turn echos it back to the original sender. Alice
can therefore send ‘ping’ messages to force Charlie to increment his counter since
responding increases the counter by one. Bob can use the same facility to receive
messages from Charlie and determine the state of his IPID field.
This simple minded approach provides surprisingly good results, yet has some
security shortcomings as we shall see. Figures 1, 2 and 3 illustrate a single run
of our prototype in a low noise environment. For this experiment we used 30
second long traffic patterns of length 30 (which indicates a time interval of at
which Bob must observe the counter of one second) from a uniform distribution
U (0, 100), to transmit one symbol out of an 8 bit alphabet.
We first collect the data sent by Alice (figure 1). This data is likely to contain
some low frequency noise, that can be filtered out, since it is not likely to contain
any useful information. To eliminate its effects we calculate the predictors r using
a randomly generated traffic pattern, and use this as the baseline for detection
(this is equivalent to subtracting from rcorrect a random rincorrect providing us the
result we expected). The values of rincorrect for all times are shown in figure 2.
Note some patterns emerging, that are due to the traffic patterns not being
orthogonal. These might represent a security problem since they leak the message
content and their regularity would leak the existence of a message. We shall
discuss how to avoid them in the discussion section.