Silk Road forums

Discussion => Security => Topic started by: onesickpuppy on July 10, 2013, 10:44 pm

Title: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: onesickpuppy on July 10, 2013, 10:44 pm
I have several reasons to believe that SR is now owned by the DEA. The check is best performed from an alternate user account, and then from there going to your home page. If you login as yourself and go to your home page it may be swapped automatically so that you see nothing wrong. Please login as someone else and check the public pgp key on your home page. You may be the victim of a man in the middle attack if SR is now owned by law enforcement. Neither you nor your clients would know there's anything wrong, as they would allow transactions to be made so as to collect info on the biggest buyers/vendors etc.

Maybe I'm just paranoid, but very strange things are happening, almost on cue...
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: Jack N Hoff on July 10, 2013, 10:46 pm
You are ignorant.
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: Quazee on July 10, 2013, 10:48 pm
are you on meth dude. you need a private key to decrypt address
EDIT: yah what clinton said
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: JackieChan on July 10, 2013, 10:50 pm
registered a new acct, checked my page. You are wrong.
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: neo67 on July 10, 2013, 10:50 pm
onesickpuppy, is this because the site went down just...well maybe ownership has changed hands but somebody is just keeping it going how it was before and it is not in the hands of the DEA!?!

Maybe you are just being paranoid! what reasons do you have for believing in this and what 'strange' things have been happening?

Please tell.
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: onesickpuppy on July 10, 2013, 11:03 pm
You are ignorant.

Hey Jack,
how's it going. Maybe you didn't understand what I meant. You're a vendor here. If LE can hijack pages and change the public key that is displayed there, how would you know? Do you periodically check the first few bytes of what's displayed there to verify? This is what LE would have to do if they can change the public key on a vendor's page.

1. Save vendor X's public key.
2. Create a new public/private key pair and make sure that all the relevant info such as email addy matches.
3. Put their public key on the vendor's page.
4. Intercept the buy orders to the vendors which are now encrypted with the DEA's public key
5. Since it's their public key, decrypt the message and re-encrypt using the vendor's public key.
6. Pass that message on to the vendor.
7. The vendor would never know about the man in the middle attack.

Additionally buyers typically place their public key in the buy message. The DEA could easily replace that one with theirs and then do a reverse man in the middle attack so that when the vendor wants to send an encrypted communication to the buyer the vendor would encrypt using the spoofed buyer's public key.

Again, if the DEA controls the platform they could intercept messages and change public keys on vendors' pages, and inside buyers' messages. Neither vendor nor buyer would know this is going on, unless the vendor periodically checks their page thru a buyer account.

If the DEA doesn't control the platform then they wouldn't be able to hijack pages and do any of that stuff. Just don't think that PGP will protect you if the platform has been owned.

Think about it.
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: onesickpuppy on July 10, 2013, 11:10 pm
are you on meth dude. you need a private key to decrypt address
EDIT: yah what clinton said

Not on meth.
Yes you do need a private key to decrypt, but if the DEA puts their public key on a vendor's page they will also have the corresponding private key that goes along with that. They would have generated both. Naively buyers will encrypt a message against the public key that's displayed on a vendor's page. There is no guarantee that the key on the vendor's page is the one from the vendor unless the vendor checks periodically thru a separate account.

Since they'd have the original public key from the vendor's page, the DEA would then re-encrypt the message that they just decrypted and send it along to the vendor. The vendor would never know about any of this.


Additionally once the buyer's message is decrypted by the DEA they could simply replace the buyer's public PGP key that's inside their message, and if the vendor wants to send a message to the buyer they'd use that spoofed public key. So a man in the middle attack would occur in both directions.

Got it?
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: onesickpuppy on July 10, 2013, 11:15 pm
onesickpuppy, is this because the site went down just...well maybe ownership has changed hands but somebody is just keeping it going how it was before and it is not in the hands of the DEA!?!

Maybe you are just being paranoid! what reasons do you have for believing in this and what 'strange' things have been happening?

Please tell.

Hi Neo,
I don't believe in coincidences. I'm simply saying that should the DEA own the SR platform, PGP won't help at all since they will be able to control what is in a vendor's page. Buyers will be encrypting messages against the key placed on a vendor's page. If this is not happening now, then if the DEA EVER owns this, this is what they'll do. Got it?


Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: onesickpuppy on July 10, 2013, 11:18 pm
registered a new acct, checked my page. You are wrong.

I'm happy to be wrong about you. However there's no guarantee that I'm wrong about anyone else. I do guarantee that the classic PGP public key swap man in the middle attack will be performed if the SR platform falls into the DEA's hands.

Have a nice day!
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: aoeniacqc on July 10, 2013, 11:23 pm
are you on meth dude. you need a private key to decrypt address
EDIT: yah what clinton said
If a law enforcement agency took control over SR, they could indeed create a new public/private key combination, replace the public key on a vendor page, and decrypt any orders that came in. His logic makes sense, and it's probably a good practice to verify that your public key remains unchanged after a downtime, or if your private key begins to fail to decrypt a few buys in a row.
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: onesickpuppy on July 10, 2013, 11:25 pm
registered a new acct, checked my page. You are wrong.

registered a new acct, checked my page. You are wrong.

Don't you see? The site went down as soon as I exposed that, so that the DEA could swap all the vendors' pages back so we'd all think that nothing is wrong! Then you logged in and saw that all was good. Check at a different time and use a different user account! The one you just used has been flagged, since it was a first time use followed by just going to your home page!

Vendors must check the public pgp key displayed on their page at random times. Call me crazy chicken shit, I don't care, this all makes sense. If it hasn't happened yet, this is what will happen. Mark my words.
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: paxpax on July 10, 2013, 11:26 pm
An interesting idea for an attack and I would imagine successful. I would think that if the DEA had ownership of the site they would simply shut it down. However should I be wrong, then an easy way to combat this type of attack is to register one's key at any of the pgp key registries. Users would pull the key (based off a torrified email address) and use that rather than what is posted on SR.

I highly doubt vendors would go through the trouble though. Would be nice though.
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: onesickpuppy on July 10, 2013, 11:31 pm
are you on meth dude. you need a private key to decrypt address
EDIT: yah what clinton said
If a law enforcement agency took control over SR, they could indeed create a new public/private key combination, replace the public key on a vendor page, and decrypt any orders that came in. His logic makes sense, and it's probably a good practice to verify that your public key remains unchanged after a downtime, or if your private key begins to fail to decrypt a few buys in a row.

Thanks for understanding what I was talking about. Unfortunately for the vendors if the DEA did the man-in-the-middle attack (MITM) right the vendor's private key would always work in decrypting all buys, since the message would then be re-encrypted automatically to the vendor's correct public key (after being decrypted and stored).

Just remember that just because I'm paranoid doesn't mean they are not out to get YOU. I'm not a vendor but I hope that in the vendor e-pamphlet that all you vendors got it tells you to periodically check at random times the integrity of the public key on your page.

Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: onesickpuppy on July 10, 2013, 11:38 pm
An interesting idea for an attack and I would imagine successful. I would think that if the DEA had ownership of the site they would simply shut it down. However should I be wrong, then an easy way to combat this type of attack is to register one's key at any of the pgp key registries. Users would pull the key (based off a torrified email address) and use that rather than what is posted on SR.

I highly doubt vendors would go through the trouble though. Would be nice though.

I don't think they would shut it down immediately. They would collect as many addresses and communications as possible, sort them by highest purchase and then in one fell swoop, go after the biggest purchasers, and then shut SR down all in parallel in a shock and awe maneuver. This is what they do with CP sites, let peds go about their business, until enough info is collected.


Also the problem with key registries is that they are centralized and are subject to infiltration by LEA. They could simply change any public keys stored in any central place should they identify any of them as being the ones from SR vendor pages. Who the hell periodically checks that?



Folks just be careful okay?
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: MissNatural on July 11, 2013, 03:48 am
onesickpuppy,

I understand what you are getting at, and yes it is possible the way you have described it, but it would only really be possible if some automatic system was implemented by a skilled web-programmer. They would have to incorporate a system that automatically decrypts the addresses, saves the data, then automatically re-encrypts it to the vendor's corresponding public key. They would have to make it do this automatically. This would be incredibly difficult/challenging for a person to code as it would have to pair up the information in thousands of fake DEA keys to the thousands of vendor keys, and update them on a regular basis....

So while this IS possible in an extreme circumstance, it is incredibly unlikely and could be found out/detected simply by checking on an alternate buyer account. Even if they just did one vendor at a time, it would still be a somewhat difficult code to implement, and not worth their time in the first place.

If they wanted to bust buyers and they already had possession of the site... they would just lock vendor/s out of their accounts and intercept purchases.... and then tell buyers their pgp key doesn't work. Etc. Just an example. There are much easier ways for them to bust people if they took control of the site.
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: fartsinthewind on July 11, 2013, 04:34 am
sickpuppy, don't waste your breath man. You're not going to get through to knuckleheads like jack me hoff, even though he may be right. I tend to side more with you as a long timer.....check the game tape. The numbers don't lie. Check that. Dates. Just the fact that jack me hoff averages 32 posts a day and is a "HERO MEMBER" though he's been around a whole 10 fortnights or so should, at the very least tell you that he is a total and complete douchebag. As a general rule in life, if you're a member of any forum and have more than one thousand posts, you deserve to get punched in the face. Jack me Hoff, make the world a better place, hold your head inside a lit fireplace. Sickpuppy has a legitimate concern, and you ridicule him?

End of discussion. Be safe you guys. And do your research on denouncing your citizenship on foreign soil in front of a consulate official before charges are brought and you close your SR account (if you have one still). Also learn German (luckily for me I was born there and it's my mother tongue). Memo to the United States Department of Justice, Internal Revenue Service, Social Security Administration (hell, anybody who punches a timeclock and does nothing day in and day out): GOLF FOXTROT YANKEE

Jack me hoff, I'll spare you the hours of googling. It means Go fuck Yourself.
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: kmfkewm on July 11, 2013, 05:42 am
onesickpuppy,

I understand what you are getting at, and yes it is possible the way you have described it, but it would only really be possible if some automatic system was implemented by a skilled web-programmer.

Which would take hours and hours to do, totally outside of the realm of possibility /me rolls eyes.

Quote
They would have to incorporate a system that automatically decrypts the addresses, saves the data, then automatically re-encrypts it to the vendor's corresponding public key. They would have to make it do this automatically. This would be incredibly difficult/challenging for a person to code as it would have to pair up the information in thousands of fake DEA keys to the thousands of vendor keys, and update them on a regular basis....

Computers are extremely good at doing things automatically. I highly doubt you know how to code anything and therefore your claim that this would be incredibly difficult or challenging is likely directly delivered from your ass. When it comes to computers, thousands is not a big number. Nothing needs to be updated on a regular basis. It wouldn't be hard to do this attack if you have control of the server. It would be hard to do it consistently and get away with it if anybody checks for it though, so long as we have anonymity. It would be hard to detect if it is only done occasionally though.

Quote
So while this IS possible in an extreme circumstance, it is incredibly unlikely and could be found out/detected simply by checking on an alternate buyer account. Even if they just did one vendor at a time, it would still be a somewhat difficult code to implement, and not worth their time in the first place.

If they did it with just one vendor at a time it would be absolutely positively trivial to implement and wouldn't need any code at all; a human could do it against a single vendor provided that they have access to the server. They just need to change the vendor's public GPG key for a while, then switch it back, then intercept all communications to the vendor and try to decrypt them with the key they put out there for a while. Absolutely trivial.

Quote
If they wanted to bust buyers and they already had possession of the site... they would just lock vendor/s out of their accounts and intercept purchases.... and then tell buyers their pgp key doesn't work. Etc. Just an example. There are much easier ways for them to bust people if they took control of the site.

That proposed method will be detected in no time, and would raise all kinds of red flags to any intelligent buyer. The sort of attacker the OP mentioned is widely recognized, it is called a man in the middle attack, it can be automated and carried out on a massive level, and it is irritating to see people calling him a dumbass when they are obviously the ones who don't know what they are talking about.
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: Nightcrawler on July 11, 2013, 05:51 am
onesickpuppy, is this because the site went down just...well maybe ownership has changed hands but somebody is just keeping it going how it was before and it is not in the hands of the DEA!?!

Maybe you are just being paranoid! what reasons do you have for believing in this and what 'strange' things have been happening?

Please tell.

Hi Neo,
I don't believe in coincidences. I'm simply saying that should the DEA own the SR platform, PGP won't help at all since they will be able to control what is in a vendor's page. Buyers will be encrypting messages against the key placed on a vendor's page. If this is not happening now, then if the DEA EVER owns this, this is what they'll do. Got it?

Onesickpuppy, what you are describing is a classic man-in-the-middle (MITM) attack. MITM attacks are the reason that the concept of the PGP Web of Trust was developed, to prevent MITM attacks such as you have described. That is the reason that out-of-band confirmation of PGP Key-ID/Fingerprint is so often recommended.

Unfortunately, the problem is that the Web of Trust was originally designed to be applied to non-anonymous real-world identities, where the parties could confirm the key information by alternate, "out of band" means (e.g. in-person, phone, fax, etc.). This becomes problematic when one is dealing with anonymous entities, such as those doing business here on Silk Road.

That said, I suspect that a DEA takeover is a worst-case scenario, and rather unlikely. I believe that if the DEA were able to compromise SR, they would do so in the least-intrusive manner possible, operating it so as to arouse the least suspicion, and thus maximizing their haul from their data mining operations, prior to shutting SR down in the most public way possible.

What I believe to be far more likely would be the bust of one or more large vendors, with law enforcement taking over their accounts and using these to snare some of their larger customers. Even the DEA doesn't have the resources to go after everyone -- there are only so many hours in the day, there are only so many boots that can be put on the ground. Like everyone else, they want the maximum bang for their buck.

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B      (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B    (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0

Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: MissNatural on July 11, 2013, 06:05 am
kmfkewm,

I have about 20+ years experience in programming in about 9 different languages; but yes you are right, looking back at my post I can see a couple of my statements were severely short-sighted. I should probably avoid responding to these sorts of posts while I am sleepy, haha. I guess part of my shortsightedness came from the extremely obvious paranoid tone of OP's post that caused me to automatically dismiss it. It's just the DEA has rarely been known to employ all of the technology at their disposal, or they could readily catch every vendor in a few months time, if they wanted to... the fact that they haven't done THAT yet makes OP's proposed scenario practically laughable. It's hilarious really, people themselves constantly post methods on the forums, publicly, in which DEA could use to catch them very easily, and they do it out of paranoia of not getting caught! HA. I won't post any obvious methods that I have read in the past before, for obvious reasons, but if you have been around you know the exact sort of stuff I am talking about as you've likely read it yourself.

Besides, don't you think the DEA is more concerned with catching vendors than the thousands of small-time buyers and the occasional/frequent bulk buyers? Yeah there's a lot of big buyers here on SR, but I don't think many of them are hitting 6-digit transactions. Sure they could use this to catch people buying small-pounds of weed/coke/etc but it wouldn't really be worth the effort. Soon after so many busts people would realize something was up and many would stop vending....thus they [DEA] lose their chance at busting many of the vendors.

-Miss
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: Nightcrawler on July 11, 2013, 06:19 am
An interesting idea for an attack and I would imagine successful. I would think that if the DEA had ownership of the site they would simply shut it down. However should I be wrong, then an easy way to combat this type of attack is to register one's key at any of the pgp key registries. Users would pull the key (based off a torrified email address) and use that rather than what is posted on SR.

I highly doubt vendors would go through the trouble though. Would be nice though.

I don't think they would shut it down immediately. They would collect as many addresses and communications as possible, sort them by highest purchase and then in one fell swoop, go after the biggest purchasers, and then shut SR down all in parallel in a shock and awe maneuver. This is what they do with CP sites, let peds go about their business, until enough info is collected.

Yep. That appears to be their typical MO.

Also the problem with key registries is that they are centralized and are subject to infiltration by LEA. They could simply change any public keys stored in any central place should they identify any of them as being the ones from SR vendor pages. Who the hell periodically checks that?

Folks just be careful okay?

Part of the problem about the authorities changing keys on keyservers is that there would have to be a coordinated effort -- ALL of the keyservers would have to have the keys changed. Remember not all the keyservers are in the U.S. Tampering with this would be risky... eventually SOMEONE would notice, and the jig would be up. FWIW, I check my keys periodically, to make sure they haven't changed on the keyserver. (I have, on occasion, noticed dubious signatures have been added to some of my keys, but that's the extent of the changes that I have ever observed take place, and that's over the course of a decade.)

Nightcrawler
4096R/BBF7433B 2012-09-22 Nightcrawler <Nightcrawler@SR>
PGP Key: http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xB8F1D88EBBF7433B      (MIT clearnet keyserver)
PGP Key: https://keys.indymedia.org/pks/lookup?op=get&search=0xB8F1D88EBBF7433B    (IndyMedia https: clearnet keyserver)
PGP Key: http://qtt2yl5jocgrk7nu.onion/pks/lookup?op=get&search=0xB8F1D88EBBF7433B (IndyMedia .onion keyserver)
PGP Key Fingerprint = 83F8 CAF8 7B73 C3C7 8D07  B66B AFC8 CE71 D9AF D2F0
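The check that onesickpuppy asks vendors to perform ("do you periodically check the first few bytes of what's displayed there?") and the out-of-band fingerprint and keyserver comparison Nightcrawler describes both come down to the same operation: derive the fingerprint from the key block actually being served and compare it with a value recorded independently. The script below is an added example, not code from the thread or from Silk Road, and uses only the Python standard library. It computes the OpenPGP v4 fingerprint exactly as RFC 4880 defines it (SHA-1 over 0x99, the two-byte packet length and the public-key packet body), so it works on a key exported by `gpg --export --armor`. The point it makes is the caveat a practitioner would raise: the first bytes of an armored block are the same armor header and version line for every key, so "the first few bytes" prove nothing; the whole fingerprint must match. The sample key is a constructed, non-functional RSA packet with a 5-bit modulus built in `build_sample_key`, used only to exercise the parser; `SAMPLE_KEY`, `TAMPERED_KEY`, `check_sources` and the source names are this example's own assumptions.

```python
import base64
import hashlib
import hmac
import re
import struct

PUBLIC_KEY_TAG = 6  # OpenPGP packet tag for a primary public key (RFC 4880)


def dearmor(armored: str) -> bytes:
    """Strip ASCII armor: skip the BEGIN line and armor headers, stop at the
    '=CRC' line or the END line, base64-decode the rest."""
    lines = armored.strip().splitlines()
    if not lines or not lines[0].startswith("-----BEGIN PGP"):
        raise ValueError("not an armored PGP block")
    body, in_body = [], False
    for line in lines[1:]:
        if not in_body:
            in_body = line.strip() == ""   # a blank line ends the armor headers
            continue
        if line.startswith("=") or line.startswith("-----END"):
            break
        body.append(line.strip())
    return base64.b64decode("".join(body))


def first_packet(data: bytes):
    """Return (tag, body) of the first OpenPGP packet. Old- and new-format
    headers with definite lengths are handled; partial lengths are rejected."""
    hdr = data[0]
    if not hdr & 0x80:
        raise ValueError("missing packet header bit")
    if hdr & 0x40:                                   # new-format header
        tag, first = hdr & 0x3F, data[1]
        if first < 192:
            length, off = first, 2
        elif first < 224:
            length, off = ((first - 192) << 8) + data[2] + 192, 3
        elif first == 255:
            length, off = struct.unpack(">I", data[2:6])[0], 6
        else:
            raise ValueError("partial-length packets are not supported")
    else:                                            # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 0:
            length, off = data[1], 2
        elif ltype == 1:
            length, off = struct.unpack(">H", data[1:3])[0], 3
        elif ltype == 2:
            length, off = struct.unpack(">I", data[1:5])[0], 5
        else:
            raise ValueError("indeterminate-length packets are not supported")
    return tag, data[off:off + length]


def v4_fingerprint(armored: str) -> str:
    """RFC 4880 section 12.2: SHA-1 over 0x99, the 2-byte body length and the
    public-key packet body, returned as 40 upper-case hex digits."""
    tag, body = first_packet(dearmor(armored))
    if tag != PUBLIC_KEY_TAG:
        raise ValueError(f"first packet is tag {tag}, not a public key")
    if body[0] != 4:
        raise ValueError(f"only v4 keys are supported, got version {body[0]}")
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()


def normalize(fp: str) -> str:
    """Accept a fingerprint as gpg prints it (spaced groups) or as bare hex."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()


def key_matches_pin(armored: str, pinned_fp: str) -> bool:
    """True only when the served key's computed fingerprint equals the pin."""
    return hmac.compare_digest(v4_fingerprint(armored), normalize(pinned_fp))


def check_sources(pinned_fp: str, copies: dict) -> dict:
    """Check every copy of the key (vendor page, each keyserver) against the
    pin; a False for any source means that source is serving a substituted key."""
    return {name: key_matches_pin(blob, pinned_fp) for name, blob in copies.items()}


def build_sample_key(n_byte: int) -> str:
    """Constructed, non-functional v4 RSA public key with a 5-bit modulus,
    armored by hand; only the packet layout matters for the fingerprint."""
    body = bytes([4]) + bytes.fromhex("51DDE3F0") + bytes([1])    # v4, time, RSA
    body += bytes([0, 5, n_byte]) + bytes([0, 5, 0x11])            # MPI n, MPI e
    packet = bytes([0x98, len(body)]) + body    # old-format header, tag 6, 1-byte length
    b64 = base64.b64encode(packet).decode()
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\nComment: constructed sample\n\n"
            f"{b64}\n=XXXX\n-----END PGP PUBLIC KEY BLOCK-----\n")  # dummy CRC line


SAMPLE_KEY = build_sample_key(0x1F)     # the key the vendor actually owns (constructed)
TAMPERED_KEY = build_sample_key(0x1D)   # same key with one modulus byte altered

if __name__ == "__main__":
    pin = v4_fingerprint(SAMPLE_KEY)    # record this once, out of band, from your own keyring
    print("pinned fingerprint:", pin)
    print(check_sources(pin, {"vendor page": SAMPLE_KEY, "keyserver A": SAMPLE_KEY,
                              "keyserver B": TAMPERED_KEY}))
```

The pin is taken once from the vendor's own keyring (`gpg --fingerprint` prints the same 40 hex digits `v4_fingerprint` computes) and never from the page being checked; from then on every copy, whether pulled from the site through a second account or from each keyserver, is reduced to its fingerprint and compared with a constant-time comparison. A single altered byte anywhere in the key packet changes the fingerprint, which is why a byte-level substitution is caught even when the armored text still starts with the familiar header.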
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: MissNatural on July 11, 2013, 06:26 am
The only problem with sorting out all the listings by the people who purchase the most expensive things would be that most people working with very large quantities are smart enough not to store all their gear in the place where they receive it, let alone do business there, though there are some pretty unsafe people out there.
Title: Re: ATTENTION ALL VENDORS! CHECK THE PUBLIC PGP KEY ON YOUR HOME PAGE!
Post by: ralph123 on July 11, 2013, 06:31 am
it's a lot smarter to not be talking about bulk buying in the forums