Silk Road forums

Discussion => Off topic => Topic started by: astor on December 16, 2012, 04:28 pm

Title: Tor developer talks about FBI, Farmers Market
Post by: astor on December 16, 2012, 04:28 pm
Just posted on their blog

https://blog.torproject.org/blog/trip-report-october-fbi-conference

In October I attended an FBI conference, as part of my work to try to keep Tor on good relations with law enforcement. My first goal is to remind them of all the good uses of Tor, so if they ever find themselves lobbying to outlaw anonymity online, they'll understand what they're giving up. The second goal is to make sure they understand what Tor is and how it works, so if they encounter it in their investigations they'll hassle our exit relay operators less. (Here's a great way that one FBI person explained it to me: "I've got 10 leads, and 48 hours before this case doesn't matter anymore. If you can help me understand which leads *not* to follow, I can do my job better.") My third goal is to help them be able to use Tor correctly for their own jobs — remember that diversity of users is part of what makes Tor safe for everybody to use.

Overall, we've been doing a pretty good job at teaching US-based law enforcement about Tor. At the end of the conference, one of the FBI agents took me aside and asked "surely you have *some* sort of way of tracking your users?" When I pointed at various of his FBI colleagues in the room who had told me they use Tor every day for their work, and asked if he'd be comfortable if we had a way of tracing *them*, I think he got it.

I met a nice man from the DEA who worked on the "Farmer's Market" bust. This was in the news a lot back in April, where apparently some people were selling drugs online, and using a Tor hidden service for their website. At the time I thought the news stories could be summarized simply as "idiot drug sellers accept paypal payments, get busted." It turns out they were pretty smart about how to accept paypal payments — they just had random Americans receive the paypal payments, take a cut, and then turn them into a Panama-based digital currency, and the Panama company didn't want to help trace where the money went. The better summary for the news stories should actually have been "idiot drug sellers use hushmail, get busted." Way before they switched to a Tor hidden service, the two main people used Hushmail to communicate. After a subpoena (and apparently a lot of patience since Canada still isn't quite the same as the US), Hushmail rolled over and gave up copies of all the emails. Many more details here:
http://www.scribd.com/doc/89690597/Willemsindictment-Filed-045

I should still note that Tor doesn't introduce any magic new silver bullet that causes criminals to be uncatchable when before they weren't. The Farmer's Market people ran their webserver in some other foreign country before they switched to a Tor hidden service, and just the fact that the country didn't want to cooperate in busting them was enough to make that a dead end. Jurisdictional arbitrage is alive and well in the world.

---------

I find it interesting that the Farmer's Market folks were not found by using PayPal. The operation was more sophisticated than I gave it credit for. Still, Hushmail fucked them. This is why you want privacy by design ("we can't identify you") rather than privacy by policy ("we promise not to give your info to the authorities"), and we're better off with hidden services and bitcoin rather than offshore bulletproof hosting and Liberty Reserve.
Title: Re: Tor developer talks about FBI, Farmers Market
Post by: WinterMoon on December 16, 2012, 04:57 pm
Thanks for posting this  :)
Title: Re: Tor developer talks about FBI, Farmers Market
Post by: eddiethegun on December 16, 2012, 08:40 pm
One should keep this in mind when using Tormail or TorPM. Although these are both tor hidden services and therefore run from servers of indeterminate location, one still has no assurance that the content ON those servers would be secure in the case that the operators got pinched. That information is vulnerable to subpoena, seizure or bartering for the operators' freedom.

(Just to head off the inevitable tor arguments, yes I'm aware of tor's security. But busts can happen for reasons other than technological vulnerability.)

All I'm saying is, PGP is still always necessary, even on tor hidden services.
Title: Re: Tor developer talks about FBI, Farmers Market
Post by: SelfSovereignty on December 16, 2012, 09:04 pm
This is really interesting.  Did this developer let out more information than they were intending to make public?  This is the very first time I've seen anyone mention how they actually got them?
Title: Re: Tor developer talks about FBI, Farmers Market
Post by: Nightcrawler on December 16, 2012, 09:26 pm
One should keep this in mind when using Tormail or TorPM. Although these are both tor hidden services and therefore run from servers of indeterminate location, one still has no assurance that the content ON those servers would be secure in the case that the operators got pinched. That information is vulnerable to subpoena, seizure or bartering for the operators' freedom.

(Just to head off the inevitable tor arguments, yes I'm aware of tor's security. But busts can happen for reasons other than technological vulnerability.)

All I'm saying is, PGP is still always necessary, even on tor hidden services.

YES, YES, YES!  ^ What he said!

Unfortunately, no matter how many times people are told, the message simply doesn't penetrate some people's thick skulls. Operation Raw Deal (ORD) 5 years ago, The Farmers' Market bust within the last year or so -- in both cases Hushmail was front-and-center.

Take a look at the Member Search function, and do a search on email address. Put Hushmail in the search field. You will find (at this time) no less than 165 people using Hushmail addresses. What needs to be borne in mind is that these 165 members who are showing up are those people who checked the "allow other members to email me" checkbox. Presumably, these would be active Hushmail users.

The other day, I saw a post from a newbie who was having problems importing a PGP key into their PGP keyring. They wondered aloud:

"I noticed that underneath where it says start pgp key it says HUSH version 3.0 I wonder if this is the reason it won't import to GPA?"

I didn't think about it at the time I made the following reply, but there is probably a better than even chance that this was a vendor, for Christ's sake!  Here's what I said to them:

Where it says Hush 3.0 is just the version string. Hushmail-generated keys are fully interoperable with other keys generated by OpenPGP implementations. If the key is not importing, the key could be corrupted -- If that's the case, consider this your lucky day.

The fact that this key has a Hush version 3.0 version string tells me that it was generated by someone using a Hushmail account.

If I were in your shoes, I wouldn't just walk away, I'd RUN!  If you want to know why, just read the following clearnet articles:

 http://arstechnica.com/security/news/2007/11/secure-hushmail-can-still-talk-to-the-feds.ars

 http://blog.wired.com/27bstroke6/2007/11/encrypted-e-mai.html

NC
Title: Re: Tor developer talks about FBI, Farmers Market
Post by: TK1991 on December 16, 2012, 09:32 pm
Always makes me happy to see our members doing everything they can to aid DEA in their efforts with tor  ;)
Title: Re: Tor developer talks about FBI, Farmers Market
Post by: astor on December 16, 2012, 09:38 pm
This is really interesting.  Did this developer let out more information than they were intending to make public?  This is the very first time I've seen anyone mention how they actually got them?

Doubtful. The blog post links to the indictment on Scribd, which wants you to pay for access, but it's freely available through Wired.

http://www.wired.com/images_blogs/threatlevel/2012/04/WILLEMSIndictment-FILED.045.pdf

I've been skimming through it, and virtually all of the charges against them came from "coded language" in their emails. It's a stunningly long and detailed list, but the charge that will put them away for a long time is 63 grams of LSD.

And yeah, all that could have been avoided with PGP.
Title: Re: Tor developer talks about FBI, Farmers Market
Post by: SelfSovereignty on December 16, 2012, 10:18 pm
This is really interesting.  Did this developer let out more information than they were intending to make public?  This is the very first time I've seen anyone mention how they actually got them?

Doubtful. The blog post links to the indictment on Scribd, which wants you to pay for access, but it's freely available through Wired.

http://www.wired.com/images_blogs/threatlevel/2012/04/WILLEMSIndictment-FILED.045.pdf

I've been skimming through it, and virtually all of the charges against them came from "coded language" in their emails. It's a stunningly long and detailed list, but the charge that will put them away for a long time is 63 grams of LSD.

And yeah, all that could have been avoided with PGP.

Fascinating.  Thanks so much for sharing, Astor: definitely some knowledge that I'm grateful to have.
Title: Re: Tor developer talks about FBI, Farmers Market
Post by: Deutsche Bank on December 16, 2012, 11:54 pm
Thanks for sharing, very nice read.
Well, our security awareness should constantly increase through the use of SR, Tor etc.
Title: Re: Tor developer talks about FBI, Farmers Market
Post by: Secretive on December 17, 2012, 03:42 am
Thanks for posting. This was actually really interesting and a good read. Our privacy is constantly going through many changes!

Secretive
Title: Re: Tor developer talks about FBI, Farmers Market
Post by: Joy on December 17, 2012, 05:45 pm
thanks for sharing that!
Title: Re: Tor developer talks about FBI, Farmers Market
Post by: Meatgrinder on December 18, 2012, 01:49 pm
Good read!
Title: Re: Tor developer talks about FBI, Farmers Market
Post by: jerryskid on December 18, 2012, 02:13 pm
hushmail has an encryption tool that does not require saving or emailing content, hence the HUSH version string
Title: Re: Tor developer talks about FBI, Farmers Market
Post by: Havacle on December 18, 2012, 02:36 pm
This is really interesting.  Did this developer let out more information than they were intending to make public?  This is the very first time I've seen anyone mention how they actually got them?

Doubtful. The blog post links to the indictment on Scribd, which wants you to pay for access, but it's freely available through Wired.

http://www.wired.com/images_blogs/threatlevel/2012/04/WILLEMSIndictment-FILED.045.pdf

I've been skimming through it, and virtually all of the charges against them came from "coded language" in their emails. It's a stunningly long and detailed list, but the charge that will put them away for a long time is 63 grams of LSD.

And yeah, all that could have been avoided with PGP.

Yeah I found that a little confusing back when I read the indictment. I guess by "coded" they mean hushmail's encryption?