Silk Road forums

thanks for starting this thread.  Security has always been the highest priority for this operation/experiment/enterprise, or whatever you want to call Silk Road.  From early on, it has been a balancing act and learning experience to engage security experts to improve our systems and practices without opening those systems up to the threat of an attacker.  There are pros and cons and risks to every security related decision.  I see nothing wrong with you discussing these matters here, though.  I'm sure some useful ideas will come of it.  Thanks for your interest.

I am glad that you support this thread. I want to congratulate you on the enormous success of SR and helping to protect so many people from LE. Sometimes I may come across as critical of some of the choices you have made but I assure you that I am extremely grateful that you have managed to bring the internet drug scene to the mainstream in a way that nobody else has ever managed to do. SR is an awesome experiment and I think that it is extremely important that you are not defeated by law enforcement, not only for your sake but for the sake of the future of the online source scene, something which you and this site are now very much the face of.

hm looks like Guru already explained a lot of gpg command line magic in the gpg club thread, I guess I should have looked through that thread before writing this instead of immediately after.

In this thread I would like if we bring up and analyze likely threats to the security of SR and the participants engaging in the market here. Let's discuss the vulnerabilities that law enforcement will likely attempt to exploit and brainstorm and present ways to counter them. I will get the ball rolling.

One thing that I enjoyed about OVDB is that sellers had trust status assigned to them and all of the trusted sellers had reputations on private forums to be concerned about. One of the most glaring vulnerabilities SR has is also one of its strengths: anyone can become a vendor and the price of becoming a vendor is relatively cheap as compared to the amount of customer intelligence that can be obtained. As DPR has no presence on the private scene, it will be difficult for him to implement such a system. Additionally, such a system indeed opens up further vulnerabilities: if the person who assigns trust becomes compromised then the trusted vendors will all eventually come to be compromised, at least all additional vendors. Additionally, Tarpaulin and Fairydae clearly show that trust is not perfect security measures, even when long standing difficultly obtained reputations are on the line. I do believe that this sort of system protects from federal infiltration more than it does from scammers. Still, it seems foolish for us to not take advantage of the long standing reputations and history of the private source scene, especially when several of the vendors here have some history and reputation on established private forums. Additionally, the feedback system here is seemingly easily gamed. Some additional system of trust and reputation should be implemented here. One idea is from Undrugged, a site some of you may remember. I believe a similar system is in place on SafeorScam. The system is simply a variant of a web of trust, where participants can cryptographically say how much they trust other participants. A great deal of care must be taken in assigning trust, because if you say that you highly trust a person who later turns out to be a federal agent or scammer, the amount of trust others have in you will be diminished. In fact, I believe that it may be worthwhile to pursue a software system that makes the management and visualization of WoT easy for participants here. This will possibly help us to identify organized scammer and law enforcement infiltration: after one such infiltration is identified we can be more suspicious of the 'nodes' which have assigned trust to the infiltrators. 

Of course the primary threat to customers is that their order will be intercepted and result in a CD or raid. We have long discussed the possibility of interception detection technology, and I am strongly of the opinion that obtaining an easily implemented open source design for such technology is something that should be viewed as a top priority. Perhaps we can find people on SR who have the required skills for such a thing and form a sub group dedicated to the implementation of this technology. When coupled with fake identification or other non-linkable boxes, interception detection technology can potentially remove the risks associated with package interceptions, this would be the single greatest increase possible for the security of SR customers. The entire process of designing this technology absolutely must be publicly viewable and real time.

Another thing I see as a serious threat to security is mis/dis information. This is false information, either unintentionally or intentionally introduced, respectively, in an attempt to degrade the security of participants. Misinformation may come from participants who want to help but who are themselves not as knowledgeable about subjects as they think they are. I see this frequently, users give what they think is good advice but in reality is bad advice. I see this even more on some clearnet forums where even the administrators suggest that people stay away from Tor and instead use VPNs. They may say things like "Tor exit nodes can spy on traffic, you should avoid Tor and use VPNs". This is not applicable here as Tor is essentially required to access SR (in between sites like tor-proxy aside), but is a good example of what could be either mis or dis information. In the cases where this is misinformation, it is largely due to lack of sophisticated security knowledge on the part of the person making the claim: chances are they have read some news article that discusses Tor exit nodes spying on traffic, and have jumped to the conclusion that Tor is not safe. Of course someone with appropriate security knowledge will recognize that VPNs are just as vulnerable to exit node spying as Tor is, making the suggestion at best being based on an incorrect comparison between Tor and VPN's. In the case of disinformation, it will be a federal agent making the claim, possibly even suggesting specific law enforcement agency owned VPN's that ought to be used in place of Tor. Unfortunately mis and disinformation tend to spread at exponential rates, a naive user who is presented with mis/disinformation will tend to take it at face value, and in an attempt to be helpful will propagate the mis/disinformation to other participants. Of course this can be devastating to the security of individuals and even to entire communities.

I would like us all to think of ways to combat mis and disinformation here, but I will present a few suggestions. First it would perhaps be helpful if some users who are widely recognized as being security specialists are given special titles identifying them as such. More value should be given to information coming from them than information coming from people who have not been recognized in such ways. How we can safely and fairly identify such users is a matter that warrants further discussion. Also, in some cases even experts have differing opinions, we need to recognize this as well. Furthermore, it could be exceptionally dangerous if law enforcement manage to gain control of accounts that are titled in such a way that trust is assigned to them.

Another potential way to counter mis and dis information is to expect that citations be included for any claims regarding security, at least where it is possible to provide citations. Additionally, perhaps threads should exist for security discussions where all substantial claims are required to have citations backing them.

Another major attack vector is in the software suggested to users. Without any doubt law enforcement are going to be providing "secured" virtual machines that are actually backdoored. I suggest that the sale of virtual machine images and similar be banned on the silk road market: there is no need for these services as independent secured live operating systems already exist (see Liberte and Tails), and the the time and skill required to audit an entire live operating system is such that we can safely assume that none of the live operating systems offered for sale on the silk road marketplace will be audited. Software is another area that is ripe for exploitation, and although I have previously said that we should not ban the sale of software I now have changed my opinion. I believe that sales of software should be banned on the silk road marketplace, or that we must use a strict auditing process. I can clearly see a benefit to allowing users here to offer software that will assist in the security of vendors and customers, as well as generally make life easier. However the risk of law enforcement exploiting this by encouraging vendors to use restricted access backdoored software is far too great. Software made available through Silk Road absolutely must be open source, publicly available and audited. Preferably we could find how many of the users here are fluent in different programming languages, and create teams of people who audit software. The people creating software are not barred from making profit, nothing stops people from donating to their efforts. One could easily say that this is counter productive to the spirit of a free market, however the fact remains that software distribution is a major attack vector, and I believe that our security is more important than the right of a person to sell software here in a restricted fashion, indeed the model could not be worse than one in which the only people buying a product are the only ones incapable of properly auditing it. A million arguments can be given for keeping closed source or restricted access software available here: vendors could be using advanced security techniques to isolate said software (realistically, almost none of them will be), vendors could independently get the software audited themselves (realistically, none of them will), it is up to the buyer and their responsibility if they are successfully exploited through this attack vector (true enough, but if a vendor is exploited in such a way all of their customers are put at risk, as much as it goes against my beliefs regarding other things I truly believe that regulation for the good of the community is acceptable in this instance, there are far too many vendors who do not appreciate the risk of running unaudited software and far too many vendors who naively trust anyone who makes enough posts and seems friendly).  Additionally, it does not violate the principles of a free market if DPR opts to restrict the sale of closed source and restricted access software: it is his marketplace and he is free to do with it as he pleases.

I believe that a culture of paranoia is essential for the ongoing security of the silk road community. How we can instill such a culture is an open question. A great many of the participants here are naive not only to criminality (most having probably never participated in an organized crime enterprise before, or having had many run ins with authorities), but also to technical security. Particularly it is important for DPR to have mistrust of everyone. I believe that if he places trust in others, that eventually he will trust a malicious party who could do damage to the silk road community. In the past I have seen him engage in activities that strike me as being somewhat naive, offering positions of technical privilege in the form of job offerings (in fact even I was offered such a position fairly early on, based off seemingly nothing other than my apparent skill with server hardening). It is in the best interests of DPR and SR to consider that everyone participating on SR is a federal agent. On the other hand it is also clear that he will need assistance with securing and maintaining silk road. I strongly suggest that he creates a thread for brainstorming and technical assistance in regards to SR, and asks for any help in that thread, to be thoroughly analyzed by the larger community and implemented by him and him alone. every additional person with privileged access to or information regarding the SR server is an additional attack surface for law enforcement to target, every job opening that offers access to privilege or information is a potential opening for federal law enforcement infiltration. He will be wise to recognize this, and to assume that all participants here are interested in deanonymizing him and compromising SR.

Public sites are important, centralization is bad, compartmentalization is key. Nobody can doubt the role of a large public site such as SR. SR has single handedly transformed the online drug dealing community from a comparatively small community to a mainstream phenomenon. Indeed this is a key event, somewhat of a tipping point if you will, and in fact in line with the Netwar theory of such groups: that they will start small and eventually grow to the point that they spiral out into the mainstream. We should always have a public marketplace. That said, having a single point of failure is bad. In fact there are an abundance of private forums and the world of online drug trading will not go away if SR falls. However, I believe it is important for people here to branch off into private forums with restricted membership. There are several advantages to this. For one, it will help keep communication channels open in the event that SR is severely compromised. Even on tight knit private forums, an act such as being hacked or shut down can fragment membership and lose participants as communication ties that rely on the centralized node are cut. An additional benefit is that restricted membership forums inherently grow more resistant to scammers over time, if a private forum consisting of 600 participants on SR is created, as scammers start to be identified the ratio of scammer to legitimate accounts will grow in favor of legitimate accounts. On a public site such as SR, scammer accounts are a fully renewable resource. Even infiltration by law enforcement can be stymied by implementing restricted membership private forums: on SR mass registration of law enforcement accounts can go on indefinitely but on the hypothetical private forum, the ratio of legitimate to law enforcement accounts is unlikely to change much from what it initially is. Additionally, if small groups from SR splinter off into private communities, there are techniques to reduce the damage of even multiple law enforcement infiltrations: requiring multiple people to vote on all new members and keeping records of who votes to grant membership can quickly identify topologies. The effectiveness of this may be limited unless law enforcement nodes can be identified.

Additionally, communications technologies that inherently support compartmentalized and massively distributed group interactions are important. Thankfully a great deal of development time is currently being spent on such technology.

Another thing I would like to mention is the role of intelligence in such an organization. The importance of this is frequently overlooked. It would be strongly beneficial if SR could rally hackers friendly to the cause to try and pwn law enforcement personnel, intercept their communications, identify the law enforcement accounts on SR, etc. All forms of intelligence gathering should be employed against our enemies as information is what wins wars. of course securing our own information is of utmost importance, addresses should be encrypted, hardened systems used, Tor used, great care taken in protecting our shipments from being flagged, etc. However, defensive security is only one half of the battle, and it is equally important for us to gain as much intelligence on law enforcement as we possibly can.

The strength of a public site like SR is certainly in its community. Utilizing the community to its full potential is important, and this importance is reflected in several of the other things I have discussed in this thread.

Another thing we must always be careful about is becoming complacent. We must always remember that we are engaging in illegal activity, and that it is the job of law enforcement to hunt us down and imprison us (of course it being their job does not excuse them from responsibility, and they should be harshly punished for their crimes against humanity). All too often I see people here who seem to have forgotten this. When I see posts from people wanting to use credit cards to pay for their drugs here, it makes me cringe. We should never let convenience out weigh security, and we should never forget that we do indeed need security as we are engaged in highly illegal behavior. This is not E-bay, do not be confused by the friendly nature of this implementation of drug trafficking into thinking it is anything other than drug trafficking. Don't be fooled by friendly posters, the federal agents are sometimes the ones you least expect.

actually I don't think it will work with --decrypt-files because the output is handled differently, I think it it would indeed take more code to do it with that flag being used instead of -d.

If you use no anonymity solution you still have a chance of remaining anonymous in the sense that your IP address may not be linked to your identity. Law enforcement have limited resources, and in fact are only capable of following up on a fairly small percentage of the IP addresses they have identified engaging in illegal activity. Since ISP's only keep records of who is assigned a certain IP address at a certain time for a certain amount of time, if law enforcement does not get around to following up the lead involving your IP address before the record of who the IP address was assigned to is lost, you can maintain anonymity. However, your ISP is capable of seeing every website you go to (if they look), and every website you go to is capable of seeing your IP address (but possibly not using it to determine your identity). You should certainly not expect to remain anonymous from interested parties with any significant capabilities whilst not using any anonymity solution, but it does happen all the time (generally due to overloaded LE resources, which they generally but not exclusively focus towards higher priority targets).

If you use a single hop anonymity solution the situation greatly improves. The websites you visit now can not immediately determine your IP address but rather see the IP address of the proxy you are using. Likewise, your ISP can no longer trivially determine the websites you are surfing, they (ideally) only see that you are connecting to the proxy. However, the proxy provider can see which websites you are surfing to, and so can its ISP. Also, the proxy may keep logs which can be followed up on. Also anyone monitoring the proxy is capable of getting the same information that the proxy gets.

If you use a double hop anonymity solution the situation improves even more than before. Still your ISP can not see the websites you surf, only that you connect to your entry proxy. Also, the websites you surf still can not determine your IP address, only that someone is using your exit proxy to visit them. Now you also have the additional benefit that the entry proxy does not know which websites you are surfing, only that you connect to your exit proxy. Additionally, the exit proxy does not know who you are, only the websites that you surf. Ideally the ISPs of the entry and exit proxy will be different and will not be able to link your IP address to the websites you surf either. Also, now an attacker starting from the website you surf and trying to trace their way back to you will need to get logs from two proxy servers instead of one, and either of the proxy servers might not be keeping logs or not keeping logs long enough to be of use.

If you use a three hop anonymity solution, the situation improves a bit more. Mostly it is the same as using a two hop solution, however now the entry and exit proxy do not know the identities of each other, only the identity of the middle proxy. Now if the entry proxy is run by the US feds and the exit proxy is run by the German feds, even if they have logs that could be used together to deanonymize you, unless they routinely share intelligence they will not know to get in touch with each other regarding specific packets unless they can learn each others identities via the middle proxy. Additionally, an attacker starting at the website you surf and trying to trace their way back to you with log files, needs to get logs from three different proxy servers that may not be logging and may not keep logs for long. Now the biggest attack that you need to worry about is an end point timing correlation. And attacker who can see packets coming from you and packets arriving at the website you surf can use statistical timing analysis to determine that the packets they see in both locations are 'the same', thus linking you to the website you visit.

Past three the benefits of adding more hops very rapidly decrease. The end point timing attack continues to work regardless of the number of middle nodes. Adding additional nodes only really adds additional protection from an attacker who starts at the website you visit and tries to use log files from each proxy on the path back to you.

So the difference between using no proxy and a single hop proxy is huge, the difference between using a single hop proxy and two proxies is tremendous, the difference between using a two hop proxy and a three hop proxy is significant, and after that the benefit of adding more hops is minimal.

By the end of next year Ruby will be 18 years old, nearly old enough to drink (in most places) and it still doesn't have that.  Wow.

Ruby does bytecode but in most implementations of it there is not a (easy , or intended) way to launch programs directly from bytecode. Also I think Ruby is 20 years old not 18.

As far as how many people here know C and can audit it, I assume quite a few actually. I have had no problems finding a whole lot of people to look over any of the code I have ever written. We are on a forum on the darknet where everyone uses crypto, there are probably hundreds to a thousand professional and hobbyist programmers on this forum.

The people selling pre-configured virtual machines and OS on USB memory stick packages here have approximately a 99.99% chance of not being qualified to properly secure a system.

Approximately 95% of people who are not properly qualified to secure a system think that they are properly qualified to secure a system

Approximately 100% of federal police agencies would try to get vendors to use their virtual machines with bugging software in them, it is a real attack vector to worry about

There are already free operating systems that can be installed to USB memory sticks or used in virtual machines, such as tails and liberte. These are much less likely to be backdoored and although they are not professionally hardened they are very likely to be better than anything you get here.

____________________________

If someone wants you to use their bridge or suggests a VPN service to you, they have a 95.51% chance of being a fed

No matter what, if your entry and exit traffic are monitored by the same attacker, you are deanonymized. Adding more hops results in rapidly decreasing anonymity gains. One hop is a tremendous improvement over none. Two hops is a tremendous improvement over one.  Three hops is a significant improvement over two. Four hops is a very slight improvement over three.

People who sell VPNs generally don't have a fucking clue what they are talking about.

A huge number of VPN services keep logs, even if they say they do not.

____________________

Your Anti Virus and Anti Spyware are not good enough to detect viruses or spyware custom made to pwn you.

_____________________

Watch out for sales people. Any jackass with a bit of experience can throw together something and sell it as the best thing since sliced bread. This happens a lot. A lot of them actually believe that they know what they are doing. Don't trust sales people with your security. Don't believe what you are told, research yourself, and please don't research through the resources made available to you by people selling shit.

This is not to say all products that are for sale are insecure or bad. It is simply to say that I want to vomit when I see people selling 'ultra secure virtual machine images!!!' on SR.