Silk Road forums
Discussion => Silk Road discussion => Topic started by: s1llyn355 on June 24, 2013, 01:15 am
-
There is a Silk Road guide, which is considered by some to be 'the' definitive guide to SR.
It is entitled 'Silk Road: Theory & Practice' .. it's actually an excellent read...
you can find it here: http://www.gwern.net/Silk%20Road
Why am i drawing your attention to this?
Well.. because it's been updated recently.. At the top of the article it tells us that the most recent
update was on the 19th of June.
And what does it say ?
What interests me are two particular paragraphs in which the author seems
to be recommending attacks on SR..
<quote>
My belief is that SR can be taken down; however, I am not sure LE (law enforcement) has permission to use the tactics necessary - explaining the lack of suggested attacks or realistic attacks in the leaked FBI Bitcoin paper and summaries of the leaked Australian SR paper (respectively). My two suggested attacks are
1. DDoSing the SR site, rendering it unusable (and congesting the overall Tor network)
2. fake buyer & seller accounts leading up to a single large scam.
Attack #1 would make the site simply unusable, and can be done on any address SR runs on since the address has to be widely known or how will the buyers & sellers know where to go? This would require a few dozen nodes, at least, although I’m not actually sure how hard it is to DDoS a Tor hidden server.
Attack #2 would require a fairly substantial financial investment, but depending on how effective the final step is, may actually run at a profit. Repeated, this would massively destroy buyers’ trust in SR, especially since there are usually only a few hundred active sellers at any point. (pine, commenting on how the competing black-market Atlantis does in-browser encryption which I criticized as security theater & Hushmail redux, points out the Eternal September version of this scenario: the more newbie buyers who are too lazy or arrogant to use PGP (~90% of users, according to the Atlantis administrators) the more attractive an attack on SR becomes to pick up all the buyer addresses being sent in the clear and the more feasible a mass raid becomes.) Fortunately, I don’t think LE is authorized to engage in cyberwar (#1) or mass entrapment & fraud (#2) - and who knows, maybe SR could survive both. We’ll see.
</quote>
Attack #1 has already been suffered here.
Attack #2 might already be 'work in progress'.. we don't know.
I don't know when the quoted paragraphs were added to the article.
I have no access to the document history.. so i can't diff the various versions.
Were they added before or after the DoS attacks suffered by SR ? I don't know.
The worst case scenario is that this is putting ideas into Officer Dibble's head.
Attack #2 is worrying. If LE sign up with seller accounts. They can drag net
hundreds of buyers in one sweep within a very short time frame.
And then announce to the media that they've dealt a crushing blow
to buyer's confidence in using SR.
Using PGP / GPG correctly will not save you if you've used a
public key supplied by Officer Dibble to encode your name and address.
We recently had a case of a new vendor, offering "sweeties" to children,
i.e offering free drug 'samples' .. but only to buyers in the USA.
(Why?.. because it's too much trouble posting samples to Canada, Europe or Australia ?
Or because the DEA doesn't want the complication of prosecuting foreign
nationals ? I don't know.. but in general.. odd behaviour from 'new' vendors isn't
a good sign.
Perhaps it's a good idea for buyers to stick with the established, long term vendors.
i.e. those with over 6 months history here. And yes i know that this suggestion
disadvantages new, struggling vendors. But buyers should prioritise their own
security first.. let vendors look after their own businesses... you don't have to do
that for them.
best wishes.. be safe.
s1llyn355 :)
-
Thanks for the info.
-
Interesting read. Good find mate.
-
Wasn't that in the original article?
-
I'm posting this on behalf of gwern, who is still trapped in the newbie forums:
>>> Well.. because it's been updated recently.. At the top of the article it tells us that the most recent update was on the 19th of June.
Yes; that update was for adding a link to my de-anonymizing of the active SR vendor Casey Jones (specifically, http://www.reddit.com/r/SilkRoad/comments/1gxiv7/srrelated_bitcoin_seizure/caoxlmg ).
>>> I don't know when the quoted paragraphs were added to the article. I have no access to the document history.. so i can't diff the various versions. Were they added before or after the DoS attacks suffered by SR ? I don't know.
You can check revisions in the Internet Archive: http://web.archive.org/web/*/http://www.gwern.net/Silk%20Road The paragraphs in question were originally added 16 September 2012 (you can verify this in the first October archive: http://web.archive.org/web/20121006004502/http://www.gwern.net/Silk%20Road ), that is, before the DoS attacks. I'm a little proud of 'calling it' like that.
I'd also point out that later on I write:
"SR's administrator stated (http://www.theverge.com/2012/11/21/3675278/silk-road-operator-says-fail-whale-not-feds-brought-down-notorious) the downtime was due to "record" numbers of users; but if large numbers of legitimate users can accidentally take down the site, clearly a full-fledged DoS attack is feasible. A real DoS attack by a single attacker in April 2013 degraded access for a week and essentially blocked all access for ~2 days (http://www.reddit.com/r/SilkRoad/comments/1d569v/the_dread_pirate_roberts_discounts_all_items_on/), prompting SR to suspend its commissions for several days to encourage purchases."
-
Wasn't that in the original article?
I'm pretty certain it was. I read that article before I came onto SR/made orders, and I think it was there.
-
Wasn't that in the original article?
I'm pretty certain it was. I read that article before I came onto SR/made orders, and I think it was there.
same
-
about Attack #2. You really believe that if in one month 50 new vendors appear, the whole SR community will try them?? Why just not stick to your favourite vendors, established a long time on SR. How can you lose trust to SR if you do business with 5-10 vendors that you can even FE on the built trust.
Yes fake feedback from fake buyers, can push someone to try out. but here we have forum. If one order is not received we will know it. if more than one, then we will see a panic thread.
Dont forget escrow. This is what makes SR a place to trust. So in worst case the buyer will go to resolution center. and not do business with that vendor again.
And I really believe that someone BIG is behind SR. someone lets this exist. And someone wanted me to meet Silk Road this year. Cause i have always been searching for buying drugs online. and all the results were these herbal legal buds shit. why now?
I am thankful to that though, my life has changed from the day i found SR. But i cant accept that this was not a result of manipulation. Really with all these huge amounts of drugs consumed globally, I dont understand why would LE focus on us, the buyers. I can only think one reason. To make us go to the streets again, to buy THEIR drugs.
Well, the streets have always been too dirty, now at last we have a chance to bring quality home. We will not anyone ruin this!
STICK TO YOUR FAVOURITE - PROFESSIONAL VENDORS.
fuck the police - fucking robots
-
here's a potential defense to Attack #2.
There are certain groups of people who use (snail mail) remailing services.
Travellers.. divorcees.. debtors .. travelling salesman/businessmen
.. exchange students.. agricultural workers..etc.
For example .. some people take 6 or 12 months out of their career to go travelling in asia/africa/europe..etc
.. naturally, their address may change, month to month .. so they have their mail sent to a remailer
and periodically they instruct the remailer to send any newly arrived mail to address X or address Y.
Remailers are legitimate businesses offering a legitimate service to meet a real 'remailing' need.
.. i'm sure you can see where this is going..
The trick.. i think.. is to hire a remailer who is outside of the jurisdiction of your local police force.
...If you're in the USA.. perhaps there are options in equador, panama or mexico.
If you're anywhere in Europe.. try Turkey, Spain, Greece or Italy.
If Officer Dibble gets hold of your remailer's address in .. say... Athens, Greece..
you can be sure Officer Dibble can't simply pop over there with a search warrant.
When you create an account with a suitable remailer..
..use a fictitious name .. Miss Sally Ann Fields (or whatever)
PROs
Vendors will now not know your real name, nor your real address.
Officer Dibble.. even if posing as a vendor.. will not know who you are, or where you live.
CONs
Your SR mail may take considerably longer to arrive.
You may need to press that resolve button to buy extra postage time.
What would be ideal.. is a (snail mail) remailing service which:
.. does not keep a history of account setting changes..
(ie. does not store changes to your postal delivery address, or postal name)
.. which encrypts its database data ... (so the NSA can't 'hack' their way in)
.. which allows payment via bitcoin/litecoin..
.. provides a web interface that clients can log into, to see newly arrived mail..
.. allows clients to select, for each item of mail.. a forwarding name and forwarding address.
and..
.. which would notify you immediately that any inquiries were received from Officer Dibble.
Possibly this ideal remailer already exists. I don't know..i haven't sufficient research to find out.
If this does exist..please tell me.. i will be very grateful !
If you do any research on snail mail remailers.. and make some interesting discoveries.. Please let me know.
(PM me or post a reply to this thread, or both)
Whether this service exists or not.. if you're looking for a good business idea...
here's one that's guaranteed to have a wide field of customers.. and one
that will serve the SR community, and a libertarian agenda, in a significant way.
Best wishes.. be safe!
:-)
-
Using snail mail remailers in a different country is a horrible idea as it doubles customs exposure.
-
The trick.. i think.. is to hire a remailer who is outside of the jurisdiction of your local police force.
...If you're in the USA.. perhaps there are options in equador, panama or mexico.
If you're anywhere in Europe.. try Turkey, Spain, Greece or Italy.
You're proposing that vendors their drugs out of the country (and through customs) to a remailer, who then reships the drugs again (and again through customs) to a customer?
Other CONS:
Your drugs, which might otherwise have avoided customs inspections entirely, will now go through Customs twice, effectively doubling the risk of interception.
Your drugs, which would ordinarily be shipped from the USA or Europe, will now be in a package that seems to have originated in Mexico (etc). Make that triple or quadruple the risk of interception.
You'll need to give the remailer your customer's names and addresses.
Remailer service fees aside, international shipping is not cheap.
kmfkewm is right: not a great idea. I like the spirit of it, though!
-
Great post and great read. Cheers 8)
-
Using snail mail remailers in a different country is a horrible idea as it doubles customs exposure.
It's more than double ...
The Attack #2 scenario imagines LE signing up with a vendor account in your own country.
In your own country Officer dibble can simply drive round a domestic snail mail remailer with a warrant
and extract any customer names and addresses .. including yours (if you're a customer there)
So using a domestic remailer has the problem that it doesn't really hinder Officer Dibble
from finding out your name and address... and then you go to live in a big prison house. Not good.
In the domestic remailer scenario (with a domestic vendor)
the customs exposure is zero... because nothing leaves or enters the country.
In the non-domestic snail mail scenario.. the customs exposure is two.
one for the vendor to the foreign remailer (say in mexico)
and another for the postal journey from mexico to you.
two is more than double zero.
But you're absolutely right.. this idea injects customs exposure... where previously there was none.
And the shipping costs could be significant.
best wishes .. be safe
:)
-
Using snail mail remailers in a different country is a horrible idea as it doubles customs exposure.
It's more than double ...
The Attack #2 scenario imagines LE signing up with a vendor account in your own country.
In your own country Officer dibble can simply drive round a domestic snail mail remailer with a warrant
and extract any customer names and addresses .. including yours (if you're a customer there)
So using a domestic remailer has the problem that it doesn't really hinder Officer Dibble
from finding out your name and address... and then you go to live in a big prison house. Not good.
In the domestic remailer scenario (with a domestic vendor)
the customs exposure is zero... because nothing leaves or enters the country.
In the non-domestic snail mail scenario.. the customs exposure is two.
one for the vendor to the foreign remailer (say in mexico)
and another for the postal journey from mexico to you.
two is more than double zero.
But you're absolutely right.. this idea injects customs exposure... where previously there was none.
And the shipping costs could be significant.
best wishes .. be safe
:)
This is an interesting read. If scenario 2 happens I might resolve myself to some scamming.
-
Your drugs, which would ordinarily be shipped from the USA or Europe, will now be in a package that seems to have originated in Mexico (etc). Make that triple or quadruple the risk of interception.
You'll need to give the remailer your customer's names and addresses.
A remailer doesn't cross out the original address and rip of the original stamps.
A remailer will slip the original package into a fresh envelope, address it and send it on.
So it looks like the package originated with the remailer.
Perhaps you've misunderstood the problem and hence the solution.
Attack #2 concerns the danger, to buyers, of LE signing up with vendor accounts on SR.
Normally, buyers send their names and addresses to vendors so that their orders can be shipped.
If a vendor is actually LE.. then LE can simply go to the buyer's home.. and arrest him or her.
That's the problem.
When you say "You'll need to give the remailer your customer's names and addresses"
You seem to be thinking that this is a solution for vendors. It's not.
The solution is for buyers to NOT give vendors their names and addresses.
Instead they supply the address of a remailer with whom the buyer has an account.
If this remailer is domestic.. then LE can obtain the buyer's name and address by
simply obtaining a warrant .. and going round to the remailer's office. .. Not good !
If the remailer is non-domestic, that's outside of the jurisdiction of your local LE
and so it becomes very much more difficult for LE to obtain your name and address.
(Also.. LE.. might simply ignore foreign buyers .. because it's a legal and logistical headache
to prosecute foreign nationals). Good !
But, as you have rightly pointed out..
..there is a price to pay for this increased security:
1. your package now has to cross customs .. twice.
2. you have to pay the international shipping and remailer's fees.
there's also another cost.. which is the increased delivery time..
(it could turn days into weeks)
There are pros.. and there are cons.. but this is a valid defense to Attack #2.
A simpler and cheaper precaution.. is to stay away from new vendors and
.. i personally... view any vendor that says 'USA only' with suspicion.
From a jurisdictional point of view, that's exactly what LE (posing as a vendor) would say.
Best wishes.. be safe.
:-)
-
Attack #1 has already been suffered here.
Attack #2 might already be 'work in progress'.. we don't know.
I'd like to refute both attacks as they are both unfeasible and unrealistic. Lets start with attack #1.
While DDOS attacks are common place, and performing one on a tor hidden service is not impossible, it can be defended against as we have seen. SR has suffered more than one major DDOS and manged to keep the site alive. A government sponsored DDOS could take down SR but SR has many avenues of communication including reddit. SR would simply change servers and url's. Should the attack continue the responsible nodes would be identified and ignored. Should the government continue an lengthy attack on SR, other markets are standing by to receive customers.
Attack #2
The 500$ account buy ins and feedback system would help defend against this attack. LE would need to spend a large portion of money to set up these accounts but it would only take a few buys before feedback and forums exploded with cries of scams and non delivery.
It is imo that Silkroad itself is no longer the target... SR is not alone in this game. LE knows this. Closing one market just shifts the user base to another and brings more markets to light. LE will likely focus on something they all share in common, and this is cryptocurrency and shipping. I would expect legislation that would attempt to destabilize the currency and make it's use difficult, although in the long run I could not see it being successful. I expect legislation protecting mail from search and seizure to be overturned or severely diminished. Time will tell. In this case the jack is out of the box and the idea has bloomed. SR was a pioneer in this expiriement and it has proven succesful. Others will follow. "Drugs in the mail" for the masses is here to stay for the foreseeable future.
-
Wasn't that in the original article?
I'm pretty certain it was. I read that article before I came onto SR/made orders, and I think it was there.
same
It definitely was. I read that ages ago and remember those paragraphs well.
-
LE has unlimited funds on the drug war. Recently there was an incident where LE set up a vendor account, shipping domestic, waited for the escrow release and then made the bust. Brings to me the question whether it is better to order international rather than make it easy to make it easy for LE to bust within their jurisdiction. Then again, the drug war is global and all they have to do is pass off the info to the area needed, which is what i believe they call a "joint effort". The trick i've seen is just get the mail man used to the fact that you receive a shit load of packages a day from all around the world.
-
Borders are nearly outlaw zones where extra scrutiny is to be expected.
I suggest avoiding them if possible.
Use feedback to find vendors with high rating and long record.
Just my 2 miliBitcoins.
-
Use feedback to find vendors with high rating and long record.
Just my 2 miliBitcoins.
excellent advice +1
-
It is imo that Silkroad itself is no longer the target... SR is not alone in this game. LE knows this. Closing one market just shifts the user base to another and brings more markets to light. LE will likely focus on something they all share in common, and this is cryptocurrency and shipping. I would expect legislation that would attempt to destabilize the currency and make it's use difficult, although in the long run I could not see it being successful. I expect legislation protecting mail from search and seizure to be overturned or severely diminished. Time will tell. In this case the jack is out of the box and the idea has bloomed. SR was a pioneer in this expiriement and it has proven succesful. Others will follow. "Drugs in the mail" for the masses is here to stay for the foreseeable future.
I agree with your take on the situation... Although it depends on whether LE are actually serious about reducing drug markets online or just want a symbolic victory. If they only care for the symbolic (looks good politically, but has no actual effect on the market overall), bringing down an individual marketplace like SR would be a priority. As we know, this would disrupt things only briefly while people moved to another marketplace.
I don't think option 2 (LE posing as vendors) would work. People have their own vendors they trust, and it doesn't take long for untrustworthy vendors to be identified. LE would have to send real drugs in the post to build up a reputation, then after building a large customer base, start their arrests... Can't see LE sending real drugs in the post to people. That would be pretty controversial with the public once it became known!
-
I believe on the last SR exposure broadcast style, there was some computer cat's from various institutions claiming it would take way too long to attack this situation virtually. Then it moved onto an interview with a global feddy type stating that they're just sharpening the mail seizure tech because that's all they really can go on for now. Of course as mentioned before, allocation of funds and political motivation will be what really fuels their tactics on the new war on drugz v.4.7 premium edition ;p
:o 8) ::) :P
-
LE have been here from the beginning, these forums are scraped daily and the information analyzed, always and I mean ALWAYS consider your anonymity and security and navigate SR safely.
-
LE have been here from the beginning, these forums are scraped daily and the information analyzed, always and I mean ALWAYS consider your anonymity and security and navigate SR safely.
+1