Silk Road forums

anyone who uses any electronics or digital goods they get off SR is retarded

One thing that people seem to forget about when they get caught up in paranoia about Silk Road is that there are bigger fish to fry. There are zillions of CP hidden services. If it's so easy to track down the hosts, why aren't they already shut down? Why did ntisec have to resort to social engineering/phishing in order to get at Freedom Hosting?

I am not a fan of the terrorist United States government on a good day. But if they prioritize SR before CP sites then I really, really fucking hate them.

It isn't like the government can only focus on one issue at a time. DEA doesn't focus on the CP sites at all.

FBI probably monitors all traffic into and out of Freedom Hosting server. If they have not managed to trace it then the average american citizen should feel absolutely ashamed of the fact that they are funding complete retards. Why would they take it down they would rather bust x% of the people who go to them. Then again I have not heard of anyone who used Tor getting busted for CP. They really have their hands full with non-anonymized CP traders though, every year they are only capable of following up on *1%* of *non anonymous* IP addresses that they detect trading CP from  their dragnet traffic analysis of public P2P networks alone.

Half the time they can't even tie the IP address detected trading CP to a customer address, because by the time they focus human resources to any given IP address usually enough time has passed that the ISP doesn't even have a record of who it was assigned to anymore.

this is generally discussed in terms of modern government propaganda, but its human intelligence implications are far more interesting to me (and worrying for SR).

http://www.rawstory.com/rs/2011/02/18/revealed-air-force-ordered-software-to-manage-army-of-fake-virtual-people/

These days, with Facebook and Twitter and social media galore, it can be increasingly hard to tell who your “friends” are.

But after this, Internet users would be well advised to ask another question entirely: Are my “friends” even real people?

In the continuing saga of data security firm HBGary, a new caveat has come to light: not only did they plot to help destroy secrets outlet WikiLeaks and discredit progressive bloggers, they also crafted detailed proposals for software that manages online “personas,” allowing a single human to assume the identities of as many fake people as they’d like.

The revelation was among those contained in the company’s emails, which were dumped onto bittorrent networks after hackers with cyber protest group “Anonymous” broke into their systems.

In another document unearthed by “Anonymous,” one of HBGary’s employees also mentioned gaming geolocation services to make it appear as though selected fake persons were at actual events.

“There are a variety of social media tricks we can use to add a level of realness to all fictitious personas,” it said.

Government involvement

Eerie as that may be, more perplexing, however, is a federal contract (PDF) from the 6th Contracting Squadron at MacDill Air Force Base, located south of Tampa, Florida, that solicits providers of “persona management software.”

Update: The contract has since been taken off FBO.gov. The link above has been updated.

While there are certainly legitimate applications for such software, such as managing multiple “official” social media accounts from a single input, the more nefarious potential is clear.

Unfortunately, the Air Force’s contract description doesn’t help dispel suspicions. As the text explains, the software would require licenses for 50 users with 10 personas each, for a total of 500. These personas would have to be “replete with background , history, supporting details, and cyber presences that are technically, culturally and geographacilly consistent.”

It continues, noting the need for secure virtual private networks that randomize the operator’s Internet protocol (IP) address, making it impossible to detect that it’s a single person orchestrating all these posts. Another entry calls for static IP address management for each persona, making it appear as though each fake person was consistently accessing from the same computer each time.

The contract also sought methods to anonymously establish virtual private servers with private hosting firms in specific geographic locations. This would allow that server’s “geosite” to be integrated with their social media profiles, effectively gaming geolocation services.

The Air Force added that the “place of performance” for the contract would be at MacDill Air Force Base, along with Kabul, Afghanistan and Baghdad. The contract was offered on June 22, 2010.

It was not clear exactly what the Air Force was doing with this software, or even if it had been procured.

Manufacturing consent

Though many questions remain about how the military would apply such technology, the reasonable fear should be perfectly clear. “Persona management software” can be used to manipulate public opinion on key information, such as news reports. An unlimited number of virtual “people” could be marshaled by only a few real individuals, empowering them to create the illusion of consensus.

You could call it a virtual flash mob, or a digital “Brooks Brothers Riot,” so to speak: compelling, but not nearly as spontaneous as it appears.

That’s precisely what got DailyKos blogger Happy Rockefeller in a snit: the potential for military-run armies of fake people manipulating and, in some cases, even manufacturing the appearance of public opinion.

“I don’t know about you, but it matters to me what fellow progressives think,” the blogger wrote. “I consider all views. And if there appears to be a consensus that some reporter isn’t credible, for example, or some candidate for congress in another state can’t be trusted, I won’t base my entire judgment on it, but it carries some weight.

“That’s me. I believe there are many people though who will base their judgment on rumors and mob attacks. And for those people, a fake mob can be really effective.”

It was Rockefeller who was first to highlight the Air Force’s “persona” contract, which was available on a public website.

A call to MacDill Air Force Base, requesting an explanation of the contract and what this software might be used for, was answered by a public affairs officer who promised a call-back. No reply was received at time of this story’s publication.

Other e-mails circulated by HBGary’s CEO illuminate highly personal data about critics of the US Chamber of Commerce, including detailed information about their spouses and children, as well as their locations and professional links. The firm, it was revealed, was just one part of a group called “Team Themis,” tasked by the Chamber to come up with strategies for responding to progressive bloggers and others.

“Team Themis” also included a proposal to use malware hacks against progressive organizations, and the submission of fake documents in an effort to discredit established groups.

HBGary was also behind a plot by Bank of America to destroy WikiLeaks’ technology platform, other emails revealed. The company was humiliated by members of “Anonymous” after CEO Aaron Barr bragged that he’d “infiltrated” the group.

A request for comment emailed to HBGary did not receive a reply.

Update: HBGary Federal among bidders

A list of interested vendors responding to the Air Force contract for “persona management software” included HBGary subsideary HBGary Federal, further analysis of a government website has revealed.

Other companies that offered their services included Global Business Solutions and Associates LLC, Uk Plus Logistics, Ltd., NevinTelecom, Bunker Communications and Planmatrix LLC.

http://ai.arizona.edu/research/terror/

Introducing: The Dark Web Forum Portal

As part of its Dark Web project, the Artificial Intelligence Lab has for several years collected international jihadist forums. These online discussion sites are dedicated to topics relating primarily to Islamic ideology and theology. The Lab now provides search access to these forums through its Dark Web Forum Portal, and in its beta form, the portal provides access to 28 forums, which together comprise nearly 13,000,000 messages. The Portal also provides statistical analysis, download, translation and social network visualization functions for each selected forum.

Interested in accessing the Dark Web Forum Portal?

You may request an account by submitting a Username Request form (available at http://cri-portal.dyndns.org/UserRequest/c?fromurl=http://cri-portal.dyndns.org):
    - Fill out the form completely.
    - Be sure to include your official institutional email address in either the Username or Notes section.

See also the project page for our NSF-funded project

"CRI:CRD - Developing a Dark Web Collection and Infrastructure for Computational and Social Sciences" (CNS 0709338). [Previously located at http://ai.arizona.edu/research/terror/CRDabstract.htm]

See this important book for more information:

    H. Chen and C. Yang, eds. Terrorism Informatics: Knowledge Management and Data Mining for Homeland Security, New York, NY: Springer, 2008.

Research Goal

The AI Lab Dark Web project is a long-term scientific research program that aims to study and understand the international terrorism (Jihadist) phenomena via a computational, data-centric approach. We aim to collect "ALL" web content generated by international terrorist groups, including web sites, forums, chat rooms, blogs, social networking sites, videos, virtual world, etc.

We have developed various multilingual data mining, text mining, and web mining techniques to perform link analysis, content analysis,  web metrics (technical sophistication) analysis, sentiment analysis, authorship analysis, and video analysis in our research.

The approaches and methods developed in this project contribute to advancing the field of Intelligence and Security Informatics (ISI). Such advances will help related stakeholders to perform terrorism research and facilitate international security and peace.

It is our belief that we (US and allies) are facing the dire danger of losing the "The War on Terror" in cyberspace (especially when many young people are being recruited, incited, infected, and radicalized on the web) and we would like to help in our small (computational) way.

Return to Parameters
Funding

We thank the following agencies for providing research funding support.
Defense Threat Reduction Agency    July 2009 - July 2012
* WMD Intent Identification and Interaction Analysis Using the Dark Web (HDTRA1-09-1-0058)
    
Air Force Research Lab    July 2009 - July 2012
* Dark Web WMD-Terrorism Study (Subcontract No. FA8650-02)
    
National Science Foundation (NSF)    September 2003 – August 2010
* (CRI: CRD) Developing a Dark Web Collection and Infrastructure for Computational and Social Sciences (NSF # CNS-0709338)
* (EXP-LA) Explosives and IEDs in the Dark Web: Discovery, Categorization, and Analysis (NSF # CBET-0730908)
* (SGER) Multilingual Online Stylometric Authorship Identification: An Exploratory Study (NSF # IIS-0646942)
* (ITR, Digital Government) COPLINK Center for Intelligence and Security Informatics Research (partial support)  (NSF # EIA-0326348)
 
Library of Congress    July 2005 – June 2008
* Capture of Multimedia, Multilingual Open Source Web-based At-Risk Content
 
DHS / CNRI    October 2003 - September 2005
* BorderSafe Initiative (partial support)

Return to Parameters
Acknowledgements

We thank the following academic partners and colleagues for their support, help, and comments. Many of our terrorism research colleagues have taught us much about the significance and intricacy of this important domain. They also help guide us in the development of our scientific, computational approach.

    Officers and domain experts of Tucson Police Department, Arizona Department of Customs and Border Protection, and San Diego Automatec Regional Justice Information System (ARJIS) Program
    Dr.  Marc Sageman, University of Pennsylvania
    Dr. Edna Reid, U.S. Department of Justice
    Dr. Johnny Ryan, The Institute of International and European Affairs (IIEA)
    Rick Eaton, Simon Wiesenthal Center
    Dr. Joshua Sinai, The Analysis Corporation
    Dr. Shlomo Argamon, Illinois Institute of Technology
    Chip Ellis, Memorial Institute for the Prevention of Terrorism (MIPT)
    Rex Hudson, Library of Congress
    Dr. Chris Yang, Drexel University
    Dr. Gabriel Weimann, University of Haifa, Israel
    Dr. Mark Last, Ben-Gurion University, Israel
    Drs. Henrik Larsen and Nasrullah Memon, Aalborg University, Denmark
    Dr. Katrina von Knop, George Marshall Center, Germany
    Dr. Jau-Hwang Wang and Robert Chang,  Central Police University, Taiwan
    Dr. Ee peng Lim, Singapore Management University, Singapore
    Dr. Feiyue Wang, Chinese Academy of Sciences, China
    Dr. Michael Chau, Hong Kong University

There has been significant interest from various intelligence, justice, and defense agencies in our computational methodologies, tools, and systems. However, we do not perform (security) clearance-level work nor do we conduct targeted cyber space crime or intelligence investigations. Our research staff members are primarily computer and information scientists from all over the world, and have expertise in more than 10 languages. We perform academic research, write papers (see below), and develop computer programs. We sincerely hope that our work can contribute to international security and peace.

Return to Parameters
Approach and Methodology

Claims: Dr. Gabriel Weimann of the University of Haifa has estimated that there are about 5,000 terrorist web sites as of 2006. Based on our actual spidering experience over the past 5 years, we believe there are about 50,000 sites of extremist and terrorist content as of 2007, including: web sites, forums, blogs, social networking sites, video sites, and virtual world sites (e.g., Second Life). The largest increase in 2006-2007 is in various new Web 2.0 sites (forums, videos, blogs, virtual world, etc.) in different languages (i.e., for home-grown groups, particularly in Europe).  We have found significant terrorism content in more than 15 languages.

Testbed: We collect (using computer programs) various web contents every 2 to 3 months; we started spidering in 2002. Currently we only collect the complete contents of about 1,000 sites, in Arabic, Spanish, and English languages. We also have partial contents of about another 10,000 sites. In total, our collection is about 2 TBs in size, with close to 500,000,000 pages/files/postings from more than 10,000 sites.

We believe our Dark Web collection is the largest open-source extremist and terrorist collection in the academic world. (We have no way of knowing what the intelligence, justice, and defense agencies are doing.) Researchers can have graded access to our collection by contacting our research center. 
Web sites

Our web site collection consists of the complete contents of about 1,000 sites, in various static (html, pdf, Word) and dynamic (PHP, JSP, CGI) formats. We collect every single page, link, and attachment within these sites. We also collect partial information from about 10,000 related (linked) sites. Some large well-known sites contain more than 10,000 pages/files in 10+ languages (in selected pages).
Forums

We collect the complete contents (authors, headings, postings, threads, time-tags, etc.) of about 300 terrorist forums. We also perform periodic updates. Some large radical sites include more than 30,000 members with close to 1,000,000 messages posted. See a recent poster summarizing our capabilities in analyzing forums.

We have also developed the Dark Web Forum Portal, which provides beta search access to several international jihadist “Dark Web” forums collected by the Artificial Intelligence Lab at the University of Arizona. Users may search, view, translate, and download messages (by forum member name, thread title, topic, keyword, etc.). Preliminary social network analysis visualization is also available.
Blogs, social networking sites, and virtual worlds

We have identified and extracted many smaller, transient (meaning, the sites appear and disappear very quickly) blogs and social networking sites, mostly hosted by terrorist sympathizers and “wannabes.” We have also identified more than 30 (self-proclaimed) terrorist or extremist groups in virtual world sites. (However, we are still unsure whether they are “real” terrorist/extremists or just playing the roles in virtual games.)
Videos and multimedia content

Terrorist sites are extremely rich in content, with heavy usage of multimedia formats. We have identified and extracted about 1,000,000 images and 15,000 videos from many terrorist sites and specialty multimedia file-hosting third-party servers. More than 50% of our videos are IED (Improvised Explosive Devices) related.
Computational Techniques (Data Mining, Text Mining, and Web Mining)

Our computational tools are grouped into two categories:

    Collection
    Analysis and Visualization

I. Collection

Web site spidering
We have developed various focused spiders/crawlers based on our previous digital library research. Our spiders can access password-protected sites and perform randomized (human-like) fetching. Our spiders are trained to fetch all html, pdf, and word files, links, PHP, CGI, and ASP files, images, audios, and videos in a web site. To ensure freshness, we spider selected web sites every 2 to 3 months.

Forum spidering
Our forum spidering tool recognizes 15+ forum hosting software and their formats. We collect the complete forum including: authors, headings, postings, threads, time-tags, etc., which allow us to re-construct participant interactions. We perform periodic forum spidering and incremental updates based on research needs. We have collected and processed forum contents in Arabic, English, Spanish, French, and Chinese using selected computational linguistics techniques.

Multimedia (image, audio, and video) spidering
We have developed specialized techniques for spidering and collecting multimedia files and attachments from web sites and forums. We plan to perform stenography research to identify encrypted images in our collection and multimedia analysis (video segmentation, image recognition, voice/speech recognition) to identify unique terrorist-generated video contents and styles.
II. Analysis and Visualization

Social network analysis (SNA)
We have developed various SNA techniques to examine web site and forum posting relationships. We have used various topological metrics (betweeness, degree, etc.) and properties (preferential attachment, growth, etc.) to model terrorist and terrorist site interactions. We have developed  several clustering (e.g., Blockmodeling) and projection (e.g., Multi-Dimensional Scaling, Spring Embedder) techniques to visualize their relationships. Our focus is on understanding “Dark Networks” (unlike traditional “bright” scholarship, email, or computer networks) and their unique properties (e.g., hiding, justice intervention, rival competition, etc.).

Content analysis
We have developed several detailed (terrorism-specific) coding schemes to analyze the contents of terrorist and extremist web sites. Content categories include: recruiting, training, sharing ideology, communication, propaganda, etc. We have also developed computer programs to help automatically identify selected content categories (e.g., web master information, forum availability, etc.).

Web metric analysis
Web metrics analysis examines the technical sophistication, media richness, and web interactivity of extremist and terrorist web sites. We examine technical features and capabilities (e.g., their ability to use forms, tables, CGI programs, multimedia files, etc.) of such sites to determine their level of “web-savvy-ness.” Web metrics provides a measure for terrorists/extremists’ capability and resources. All terrorist site web metrics are extracted and computed using computer programs.

Sentiment and affect analysis
Not all sites are equally radical or violent. Sentiment (polarity: positive/negative) and affect (emotion: violence, racism, anger, etc.) analysis allows us to identify radical and violent sites that warrant further study. We also examine how radical ideas become “infectious” based on their contents, and senders and their interactions. We reply much on recent advances in Opinion Mining – analyzing opinions in short web-based texts. We have also developed selected visualization techniques to examine sentiment/affect changes in time and among people. Our research includes several probabilistic multilingual affect lexicons and selected dimension reduction and projection (e.g., Principal Component Analysis) techniques.

Authorship analysis and Writeprint
Grounded in authorship analysis research, we have developed the (cyber) Writeprint technique to uniquely identify anonymous senders based on the signatures associated with their forum messages. We expand the lexical and syntactic features of traditional authorship analysis to include system (e.g., font size, color, web links) and semantic (e.g., violence. racism) features of relevance to online texts of extremists and terrorists. We have also developed advanced Inkblob and Writeprint visualizations to help visually identify web signatures. Our Writeprint technique has been developed for Arabic, English, and Chinese languages. The Arabic Writeprint consists of more than 400 features, all automatically extracted from online messages using computer programs. Writeprint can achieve an accuracy level of 95%.

Video analysis
significant portion of our videos are IED related. Based on previous terrorism ontology research, we have developed a unique coding scheme to analyze terrorist-generated videos based on the contents, production characteristics, and meta data associated with the videos. We have also developed a semi-automated tool to allow human analysts to quickly and accurately analyze and code these videos.

IEDs in Dark Web analysis
We have conducted several systematic studies to identify IED related content generated by terrorist and insurgency groups in the Dark Web. A smaller number of sites are responsible for distributing a large percentage of IED related web pages, forum postings, training materials, explosive videos, etc. We have developed unique signatures for those IED sites based on their contents, linkages, and multimedia file characteristics. Much of the content needs to be analyzed by military analysts. Training materials also need to be developed for troops before their deployment (“seeing the battlefield from your enemies’ eyes”).

I don't see why any attacker would make the captcha be the name of your router. What would they gain by doing that? Sounds like paranoia.

Quote from: kmfkewm on February 17, 2012, 10:38 pm

edit: got bored, will add more later, plus go into deeper analysis with potential solutions to some of the identified problems, and citations to documents supporting the probabilities I gave.

I ride you a lot, because I don't like the way you present yourself sometimes, but this is a good discussion to have, so thanks for starting us off with a nice big list of assumptions.

The only problem I have is that you started with one very large assumption and didn't really do anything to justify it.

Quote

Due to the inherent weaknesses involved with receiving product, and the relatively strong security techniques being used by vendors, it will be much harder for law enforcement to successfully compromise a vendor.

I don't agree with this assumption (upon which a few of your arguments are built on, that buyers are lower hanging fruit).

I don't want to rat out any vendors, but there are a few that I've ordered from that, were I law enforcement, I'm almost positive I could locate with a single man-week of effort. And that's with zero human intelligence, strictly from evidence that arrived in my mailbox.

You are right about this actually. I shouldn't assume that vendors are using proper security. I can say that they are all using Tor though, and that they are not inherently exposing their addresses. Of course they are almost all getting product from someone else. I wonder if the average SR customer exposes their address/activity/nym to more people than the average SR vendor. That is another assumption that needs further analysis (yes, customers inherently give their addresses to get product, but vendors are also inherently giving their information to someone that they get product from, unless they are the chemist/grower). In a discretely measured deal, the customer leaks their address and the vendor does not, however the continuous product flow cycle consists of several discrete deals and all the way to the top this address leaking property is true. What really needs to be considered is how many nodes an address leaks to.

However if we look at the network overlay of SR transactions, and not the wider distribution network(s), it will be easier to get a large number of customer addresses than to get a large number of vendor addresses (since most vendors are not ordering what they sell off of SR but are getting it from private distribution networks). One thing that immediately becomes obvious is that vendors should not be placing orders on SR using the same names that they vend with, or else they will lose this advantage. But really it might not be proper to look at things in such an SR centric way. On the other hand, private distribution networks are more resistant to massive LE infiltrations. If a vendor is buying bulk on screened private forums, it is probably less likely that they are as potentially exposed to LE as compared to someone buying bulk on a public forum.

Also, even with human intelligence ignored, vendors and customers both are much weaker to traffic analysis attacks than I would like. HUMINT is certainly a huge weakspot, especially for customers on non-screened public distribution channels, but SIGINT and FININT are perhaps not significantly protected from for vendors and customers too.

Anyway there you have it...takes probably a few weeks for the feds to locate the hidden service and passively analyze connections to it....and after doing that for a year you will have about 12% chance of not being deanonymized if they have 50 entry guards.

Best way around this attack is frequently changing the physical location of the server, on a monthly basis or faster would be the best option. For clients the best way to deal with this is the use of persistent entry guards, or using WiFi from random locations in addition to Tor.

BTW the hidden service itself changes entry guards just as quickly, so just from that alone the hidden service could be traced with about 88% probability after one year, if the attacker has 50 entry guards. It is certainly going to be faster for them to brute force circuits up to the entry guards and then use legal power to get entry guards monitored though, rather than playing the "wait and listen" game.

Quote from: kmfkewm on February 20, 2012, 02:57 am

nodes with entry guard flag they have. There are ~900 entry guards (citation: https://metrics.torproject.org/network.html) total and you select three at a time, the three you select change about once a month. Someone else can do the math .

I like math.    There are approximately 121 million ways of choosing 3 entry guard nodes from a pool of 900.

Well if you choose one of their entry guards you are fucked, and you pick three, and there is a total pool of 900, and the three you pick change every month. If the attacker owns X entry guards and can monitor all traffic to SR, what is the probability that they can deanonymize you in Y months. This assumes all entry guards have equal usage and equal chance of being selected.