Silk Road forums

Discussion => Security => Topic started by: Map on November 28, 2012, 04:57 pm

Title: BTC Transfer security risk
Post by: Map on November 28, 2012, 04:57 pm
i've had several users today ask me if they can pay for their orders with bitcoin transfers as opposed to through escrow

obviously i'll not be conducting my business outside SR's escrow system , but i'm concerned there's a security flaw that could mean if these people are law enforcement , they could be using this to track my btc/identity.

is this just me being paranoid, or is this something i should be concerned about?

thanks
Map
Title: Re: BTC Transfer security risk
Post by: farmer1 on November 28, 2012, 06:36 pm
I respond to those questions by explaining that this place is too amazing to not give DPR his cut.

Receiving bitcoins directly is not a security threat in itself, but could be if they can connect that address to your identity. An easy way around this is a coin tumbling service. For example: Bitcoin Fog.
Title: Re: BTC Transfer security risk
Post by: Map on November 28, 2012, 10:32 pm
I respond to those questions by explaining that this place is too amazing to not give DPR his cut.

Receiving bitcoins directly is not a security threat in itself, but could be if they can connect that address to your identity. An easy way around this is a coin tumbling service. For example: Bitcoin Fog.

i'd like to stress, that on each occasion i did inform admin the users were requesting outside payments. truesay DPR deserves every penny and then some

just curious if these are just normal users breaking rules, or LE phishing for vulnerability

Map
Title: Re: BTC Transfer security risk
Post by: woahmang on November 28, 2012, 10:43 pm
LE could send you coins and if you're using the desktop client, watch to see where the transaction spending these coins originates from. If you're sending payments using the desktop client then you should disable UPnP and connect to TOR via the socks proxy settings. If you're using an online wallet then you should only visit it through TOR and in either case the first thing you should do is send to a mixer.
Title: Re: BTC Transfer security risk
Post by: SelfSovereignty on November 28, 2012, 11:04 pm
It's a little bit more volatile than the responses have made it out to be, as far as I know.  Now I don't claim to have written the software or understand its workings intimately, mind you, but as I understand it the situation is this: if they can track a single coin from a known point of origin anywhere, whether it's tomorrow or the next decade, they can directly and mathematically prove that you're tied to the activities you don't want to be tied to.

The problem is that if anywhere along the way they manage to find out who someone is, then from that point on if all the coins aren't sufficiently dispersed and mixed and all that, it's just following a trail of transactions right up to your bank account -- I don't have the problem of cashing out as a buyer, so I don't know too well how you guys end up doing it, but at some point somewhere along the way you have to turn those things into cash and I doubt you're doing it by meeting up with local bitcoiners every Sunday and selling them a few thousand dollars worth of coins anonymously without raising an eyebrow.

You're not being irrationally paranoid.  It's possible that they could find you by transferring directly to a bitcoin address that you then turn into cash without sufficient mixing.  This part is total conjecture on my end, but I imagine it's basically a matter of the coins having to criss-cross each other's trail so many times with so many branches that even a computer can no longer sufficiently calculate where it ended up (because there end up being thousands of possibilities for each coin branching off like moves in a chess game).  But again, that's just my silly picture of it, I could be off by a whole lot.  It does kind of give you an idea of how "not as anonymous as we think," Bitcoins really are.

I'll say this though: for some reason, even though I do sometimes run the client software myself, I've never had my IP show up in the blockchain (and I don't always go through Tor).  I like Bitcoins for their own sake.  Anyway, for some reason I've never been the one first reporting a transaction, which makes no sense to me at all... because if I don't report it first, then who the fuck could -- I'm the one who sent the damn things.  That makes little sense to me, so my understanding is obviously flawed somewhere or other.  I'm happy to be schooled if anybody wants to spare the time :)
Title: Re: BTC Transfer security risk
Post by: woahmang on November 29, 2012, 12:40 am
Quality post SelfSovereignty.

I'll say this though: for some reason, even though I do sometimes run the client software myself, I've never had my IP show up in the blockchain (and I don't always go through Tor).  I like Bitcoins for their own sake.  Anyway, for some reason I've never been the one first reporting a transaction, which makes no sense to me at all... because if I don't report it first, then who the fuck could -- I'm the one who sent the damn things.  That makes little sense to me, so my understanding is obviously flawed somewhere or other.  I'm happy to be schooled if anybody wants to spare the time :)

Sure, the way that your IP ends up in blockchain.info is because they have a shipload of nodes on the network so they get all the latest transactions as soon as possible, if you happen to be connected to one of them then your IP gets put up there as the "originator". If you're not connected you can bet one of your peers is, so as far as blockchain know the peer who sent it to them is the originator instead. In theory the FBI could have a ton of nodes on the network making their own lists of originators, saving the logs up so they can make future correlations between IPs, addresses and sacks of flesh and blood.

What's more likely is some private mercenaries have their own nodes set up to spy on as much of the network as possible, this way they can sell their highly expensive services and intellectual property to the law at a later date. Now if I was a PhD-level statistician looking for a way to sell consultancy services to someone for a grand a day, you can bet that I'd have a ton of nodes out there logging and I'd be scraping blockchain for extra info and cross-referencing them with TOR exit node IPs. So it's safe to assume someone is and that they're your enemy.
Title: Re: BTC Transfer security risk
Post by: Map on November 29, 2012, 01:30 am
so, i'm sure there's a list of posts about this already, but the safest way to use btc is only use online wallets with tor and mix before withdrawal ?
(or to be really safe and avoid prison completely , don't use SR in the first place .....but where's the fun in that ?)

what's the best way to mix properly ?

is there a reputable site?

Map
Title: Re: BTC Transfer security risk
Post by: SelfSovereignty on November 29, 2012, 04:03 am
Quality post SelfSovereignty.

I'll say this though: for some reason, even though I do sometimes run the client software myself, I've never had my IP show up in the blockchain (and I don't always go through Tor).  I like Bitcoins for their own sake.  Anyway, for some reason I've never been the one first reporting a transaction, which makes no sense to me at all... because if I don't report it first, then who the fuck could -- I'm the one who sent the damn things.  That makes little sense to me, so my understanding is obviously flawed somewhere or other.  I'm happy to be schooled if anybody wants to spare the time :)

Sure, the way that your IP ends up in blockchain.info is because they have a shipload of nodes on the network so they get all the latest transactions as soon as possible, if you happen to be connected to one of them then your IP gets put up there as the "originator". If you're not connected you can bet one of your peers is, so as far as blockchain know the peer who sent it to them is the originator instead. In theory the FBI could have a ton of nodes on the network making their own lists of originators, saving the logs up so they can make future correlations between IPs, addresses and sacks of flesh and blood.

What's more likely is some private mercenaries have their own nodes set up to spy on as much of the network as possible, this way they can sell their highly expensive services and intellectual property to the law at a later date. Now if I was a PhD-level statistician looking for a way to sell consultancy services to someone for a grand a day, you can bet that I'd have a ton of nodes out there logging and I'd be scraping blockchain for extra info and cross-referencing them with TOR exit node IPs. So it's safe to assume someone is and that they're your enemy.

A beautiful bit of logic there that I had completely, totally overlooked.  Thank you sincerely for both the clever insight and helping me better arm myself against just such a person :)

I can't give you any advice about mixing or I would, so I'll leave that to others who know more.