Silk Road forums

Discussion => Security => Topic started by: ShardInspector on December 30, 2012, 11:59 pm

Title: Vendors - Possible attack vector.
Post by: ShardInspector on December 30, 2012, 11:59 pm
At the risk of repeating an attack vector already known and embarrassing myself, there is something I have thought of...

LE could definitely obtain a database of all GPS co-ordinates of roadside mailboxes in the USA, and LE in other countries may do the same for their own country.
That information could be used in conjunction with cell phone tracking to 'flag' as suspicious any cell phones that go within, say, 2 meters of any postboxes more than, say, three times a week.
From there, inquiries could be made to determine if the owner of the cell phone uses Tor from their internet connection (use of Tor is detectable via data packet pattern analysis), further raising suspicion.
From there, traditional land-based surveillance of those suspicious individuals may reveal behavior sufficient to be used as probable cause for a warrant to knock your door down.
Suggest leaving your cell phones at home when visiting the post office boxes.
Just putting it out there in case vendors are not aware of what is a definite possibility.

BTW, isn't it getting really freaky high tech? It's just like the movies nowadays!
Title: Re: Vendors - Possible attack vector.
Post by: astor on December 31, 2012, 12:12 am
Theoretically this attack could work, but it seems impractical. Telecoms turn over location data quite easily, usually without a warrant, but then LE would have to work with ISPs to watch thousands of internet connections (most don't log your browsing history).

Further, you can mask your Tor activity by connecting to bridges and using pluggable transports such as obfsproxy, which make your encrypted connection look like something other than a Tor connection. Well, Tor already tries to look like Firefox talking to Apache over SSL, but the handshake is different and a Tor connection can be recognized from that. Pluggable transports try to make the connection look like something else, such as a Skype call, and they're working on obfuscating the handshake even more (in Tor 0.2.4).

More on pluggable transports: https://www.torproject.org/docs/pluggable-transports.html.en

Or you could use a VPN, but then you should get something overseas that isn't subject to US laws.

Title: Re: Vendors - Possible attack vector.
Post by: Nightcrawler on January 01, 2013, 02:49 pm
Quote
At the risk of repeating an attack vector already known and embarrassing myself, there is something I have thought of...

LE could definitely obtain a database of all GPS co-ordinates of roadside mailboxes in the USA, and LE in other countries may do the same for their own country.
That information could be used in conjunction with cell phone tracking to 'flag' as suspicious any cell phones that go within, say, 2 meters of any postboxes more than, say, three times a week.

With all due respect, that is just crazy. This could flag countless numbers of people who just happen to walk by a mailbox on their way to work, for example.

Quote
From there, inquiries could be made to determine if the owner of the cell phone uses Tor from their internet connection (use of Tor is detectable via data packet pattern analysis), further raising suspicion.

Quote
From there, traditional land-based surveillance of those suspicious individuals may reveal behavior sufficient to be used as probable cause for a warrant to knock your door down.

This is most unlikely. Carrying out in-person surveillance is EXPENSIVE, and is resorted to only when there is no other way to gather evidence.

Quote
Suggest leaving your cell phones at home when visiting the post office boxes.

Excellent suggestion. Alternatively, you can use a bag designed to act as a Faraday cage and block all access to the phone by radio signals. Example: http://www.idstronghold.com/Cell-Phone-Stronghold-Bag/productinfo/IDSH6001-001/

Quote
Just putting it out there in case vendors are not aware of what is a definite possibility.

BTW, isn't it getting really freaky high tech? It's just like the movies nowadays!

The basic premise of your argument appears to be that the authorities have unlimited budgets and/or manpower to conduct investigations. That is most certainly NOT the case. Like every other organization, they have to watch the budgets and get the most bang for their bucks. Engaging in wild-goose chases such as these will get anyone fired/demoted very rapidly.

NC
Title: Re: Vendors - Possible attack vector.
Post by: kmfkewm on January 01, 2013, 05:50 pm
Quote
At the risk of repeating an attack vector already known and embarrassing myself, there is something I have thought of...

LE could definitely obtain a database of all GPS co-ordinates of roadside mailboxes in the USA, and LE in other countries may do the same for their own country.
That information could be used in conjunction with cell phone tracking to 'flag' as suspicious any cell phones that go within, say, 2 meters of any postboxes more than, say, three times a week.
From there, inquiries could be made to determine if the owner of the cell phone uses Tor from their internet connection (use of Tor is detectable via data packet pattern analysis), further raising suspicion.
From there, traditional land-based surveillance of those suspicious individuals may reveal behavior sufficient to be used as probable cause for a warrant to knock your door down.
Suggest leaving your cell phones at home when visiting the post office boxes.
Just putting it out there in case vendors are not aware of what is a definite possibility.

BTW, isn't it getting really freaky high tech? It's just like the movies nowadays!

This is a real attack vector. LE don't even need to get cellphone positioning data from providers; they set up their own covert positioning towers. Vendors should know better than to carry their phones with them when they go to drop off packages. The only reason I have heard why this attack may not work is because LE may not be able to determine the exact drop box a vendor used, even if they can get the sent package. One way they could try and counter this is by spraying chemical markers in all of the drop boxes in a certain radius around where the vendor is known to ship from. The attack would be something like this:

A. Order a package from vendor Alice, see that she ships from Bobsville.

B. Spray unique chemical markers in many drop off boxes in Bobsville.

C. Order packages from vendor Alice, analyze the packaging looking for traces of the chemical markers.

D. Determine the exact drop boxes used by Alice, pull cellphone positioning records.

E. Intersect the positioning data looking for the individuals who are unique to the crowds of people who were close enough to those boxes to use them.

F. Out pops Alice.

A pretty complicated attack and certainly not something they would do to bust some mid level vendor, probably more in the realm of counter espionage work. But if they can determine the exact box that Alice dropped off the package in, or Alice sends from boxes that are far enough apart that they can be distinguished into groups, then her cellphone positioning information is indeed an attack vector. It is foolish to carry a cellphone with you while you are engaging in illegal activity.

Another attack vector similar to this is exactly the same but using license plate recognition instead of cellphone positioning. The base attack here is an intersection attack, and it works the same way here as it does in the world of traffic analysis. Identify a crowd that you know your target could fall into. If you know the box that the package was sent from, you know that the crowd your target falls into is everyone who was near this box over a certain range of time. This is a lot of people, too many to put under targeted surveillance for almost all drug cases. But then when you identify another crowd that your target could fall into, probably the same exact way you identified the first crowd, you can intersect the two crowds together. The target is now narrowed in on from 'someone in crowd A' or 'someone in crowd B' to 'someone in crowd A AND in crowd B'. Generally it doesn't take many intersections before you have identified the target.
Title: Re: Vendors - Possible attack vector.
Post by: kmfkewm on January 01, 2013, 06:06 pm
Quote
With all due respect, that is just crazy. This could flag countless numbers of people who just happen to walk by a mailbox on their way to work, for example.

People who walk by a mailbox on their way to work will do so in a non-random fashion. Every time they go to work they will likely take the same route and pass by the same boxes. Vendors tend to ship from random boxes that are not in a predictable path. If vendors ship from the same set of boxes, or boxes in a certain restricted geographical area, they will be making themselves much weaker to focused surveillance operations. If they use random locations to ship from, then they will make themselves much weaker to the crowd intersection attack I mentioned above, because people who are going to work do not display so much randomness in their path over time.

Another thing to keep in mind is that people who are going to work are going to show up as going to work. People who drop off packages and then go home are going to show up as dropping off packages and then going home. Remember that they can position your cellphone. So it is actually very easy to filter away the noise.

Anyone who carries a cellphone with them while engaging in illegal activity is just begging for trouble.

Quote
From there, inquiries could be made to determine if the owner of the cell phone uses Tor from their internet connection (use of Tor is detectable via data packet pattern analysis), further raising suspicion.

Or they could just get records of who all in an area a vendor is known to work out of uses Tor, and use that as their initial crowd of suspects. This is why it is a good idea to use bridges.

Quote
This is most unlikely. Carrying out in-person surveillance is EXPENSIVE, and is resorted to only when there is no other way to gather evidence.

When manned surveillance is carried out generally is determined by a balance of two things: importance of target identification and target crowd size. If they have reason to believe that one out of a hundred people they have identified is involved in selling small amounts of marijuana, there is no chance they will put each of the suspects under manned surveillance in an attempt to identify the actual culprit. If they have reason to believe that one out of a hundred people they have identified plans to detonate an atomic bomb in a major city, you better believe that they will all be under intense surveillance.

Quote
Suggest leaving your cell phones at home when visiting the post office boxes.

It is a very good suggestion. Of course people should not carry cellphones with them while engaging in illegal activity! They are tracking beacons for fucks sake.



Quote
The basic premise of your argument appears to be that the authorities have unlimited budgets and/or manpower to conduct investigations. That is most certainly NOT the case. Like every other organization, they have to watch the budgets, and get the most bang for their bucks. Engaging in wild-goose chases such as these, will get anyone fired/demoted very rapidly.

NC

Law enforcement already have covert cellphone positioning networks and don't even bother asking providers for geopositioning records anymore:

http://www.technewsdaily.com/4537-embargoed-law-enforcement-tracks-real-phones-phony-cell-towers.html

Analyzing that data and carrying out intersection attacks based on known positioning data that anonymous vendors have been in (i.e. near boxes) is a serious threat to vendor security and not at all a wild goose chase. It is a serious attack with a lot of potential to fuck those who do not defend themselves against it.
Title: Re: Vendors - Possible attack vector.
Post by: kmfkewm on January 01, 2013, 06:20 pm
Quote
Theoretically this attack could work, but it seems impractical. Telecoms turn over location data quite easily, usually without a warrant, but then LE would have to work with ISPs to watch thousands of internet connections (most don't log your browsing history).

Further, you can mask your Tor activity by connecting to bridges and using pluggable transports such as obfsproxy, which make your encrypted connection look like something other than a Tor connection. Well, Tor already tries to look like Firefox talking to Apache over SSL, but the handshake is different and a Tor connection can be recognized from that. Pluggable transports try to make the connection look like something else, such as a Skype call, and they're working on obfuscating the handshake even more (in Tor 0.2.4).

More on pluggable transports: https://www.torproject.org/docs/pluggable-transports.html.en

Or you could use a VPN, but then you should get something overseas that isn't subject to US laws.

Law enforcement would need to work with ISPs in order to determine if one of their clients is using Tor. However the infrastructure for this is already completely in place as mandated by CALEA. Law enforcement will never need a warrant to determine if someone who is not using a bridge is using Tor, trap and trace has no requirement for a warrant as it looks at who the target communicates with rather than what they say. If the target communicates with a known Tor relay, it is quite trivial to determine that the target uses the Tor network without the need for a warrant. Using bridges helps to protect from this though. It is not likely that LE will order trap and traces on thousands of people to narrow in on one target, but it is entirely within the realm of possibility that they will confirm that Alice uses Tor after determining that she is a likely suspect. 
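The post above turns on one observation: a client that talks directly to a listed relay is identifiable from connection metadata alone, while a client using an unlisted bridge is not. The following is an added example, not code from this thread or from the Tor Project, written from a network-monitoring point of view. It matches flow records against a relay list and reports which internal hosts reached a listed relay. Every address, the flow lines and the relay list are constructed (RFC 5737 documentation ranges); a real monitor would refresh the list from the public Tor consensus, which changes hourly.

```python
"""Flagging hosts that connect to listed Tor relays, and why bridge users are missed.

Added example, not from the thread. The relay list, the flow records and all
addresses are constructed; a real deployment would load the current public
relay list instead of the constant below.
"""
import re
from collections import defaultdict

# Constructed stand-in for the public relay list (address of each relay's ORPort).
KNOWN_RELAYS = {"198.51.100.10", "198.51.100.11", "203.0.113.5"}

# Constructed flow records, one per line, in a simple key=value export format.
SAMPLE_FLOWS = [
    "2013-01-01T18:00:01 src=10.0.0.5 dst=198.51.100.10 dport=9001 proto=tcp",
    "2013-01-01T18:00:05 src=10.0.0.5 dst=192.0.2.80 dport=443 proto=tcp",
    "2013-01-01T18:01:00 src=10.0.0.7 dst=192.0.2.77 dport=443 proto=tcp",   # unlisted bridge
    "2013-01-01T18:02:00 src=10.0.0.9 dst=203.0.113.5 dport=443 proto=tcp",
    "2013-01-01T18:02:30 src=10.0.0.9 dst=198.51.100.11 dport=9001 proto=tcp",
    "this line is not a flow record",
]

FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)


def parse_flow(line):
    """Parse one flow line into a dict; return None for lines that do not match."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def hosts_contacting_relays(lines, relays):
    """Map each source host to the set of listed relays it connected to.

    Matching is on destination address only: the port is irrelevant because a
    relay may run its ORPort on 443 to blend in. A host that only ever reaches an
    unlisted bridge (10.0.0.7 above) is never flagged; that absence is exactly
    what bridges are for, and it is the false negative a defender must budget for.
    """
    hits = defaultdict(set)
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        if rec["dst"] in relays:
            hits[rec["src"]].add(rec["dst"])
    return dict(hits)


def summarize(hits):
    """One sorted line per flagged host, suitable for a report or alert body."""
    return [f"{src} -> {len(dsts)} listed relay(s): {', '.join(sorted(dsts))}"
            for src, dsts in sorted(hits.items())]


if __name__ == "__main__":
    for line in summarize(hosts_contacting_relays(SAMPLE_FLOWS, KNOWN_RELAYS)):
        print(line)
```

Run as-is it reports 10.0.0.5 and 10.0.0.9 and stays silent about 10.0.0.7, which is the whole asymmetry the post describes: the check needs no packet contents, only who talked to whom, and it is blind to any relay that is not on the list.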
Title: Re: Vendors - Possible attack vector.
Post by: Harmful Hits on January 01, 2013, 06:28 pm
There is a 0% chance of anything the OP said happening UNLESS he is getting more than $1,000,000 in drugs mailed. Even $100,000 isn't that much and LE will bust you using much cheaper methods. For the kind of crazy shit you are talking about they would have to call in specialists in addition to their regular cops. Set up some whole operation and do a lot of crazy shit.

~Now that I read the OPs name this all makes sense lol
Title: Re: Vendors - Possible attack vector.
Post by: astor on January 01, 2013, 06:35 pm
Yes, if LE has other evidence linking Alice to criminal activity (and Tor use), then verifying that a person of interest uses Tor is quite damaging. That was the attack used on Hammond. OP's question was more about the feasibility of performing a "fishing expedition" to narrow tens of thousands of suspects down to the criminals. I believe that is impractical. How many people visit their PO box a few times a week? How many people use Tor for non-drug activities? The cost-benefit ratio of this attack is very high.
Title: Re: Vendors - Possible attack vector.
Post by: kmfkewm on January 01, 2013, 06:38 pm
Quote
There is a 0% chance of anything the OP said happening UNLESS he is getting more than $1,000,000 in drugs mailed. Even $100,000 isn't that much and LE will bust you using much cheaper methods. For the kind of crazy shit you are talking about they would have to call in specialists in addition to their regular cops. Set up some whole operation and do a lot of crazy shit.

~Now that I read the OPs name this all makes sense lol

Several police agencies already have cell phone tracking towers up and running, so it isn't like they don't have all of that data available to them. It would take a significant target for them to use chemical markers though I imagine. Of course the police will set up a 'whole operation' to bust a vendor though, didn't you already realize that? That is what the police do. They set up operations, to bust criminals.

Quote
How many people visit their PO box a few times a week? How many people use Tor for non-drug activities?

How many people visit a new drop box that has been identified as a box drugs were sent out of every week? If the vendor uses the same outgoing box for all shipped orders catching them will be trivial. How many people within sixty miles of Alice use Tor at all?
Title: Re: Vendors - Possible attack vector.
Post by: ShardInspector on January 01, 2013, 09:43 pm
Quote
OP's question was more about the feasibility of performing a "fishing expedition" to narrow tens of thousands of suspects down to the criminals.
With respect, I was not asking a question, I was warning of what I believe to be a realistic threat.

Quote
Yes, if LE has other evidence linking Alice to criminal activity (and Tor use), then verifying that a person of interest uses Tor is quite damaging.
That was my point... the "other evidence linking Alice to criminal activity" you mention would be the phone tracking data. Indeed it would be damaging enough imho for LE to consider conventional surveillance.

Quote
How many people visit their PO box a few times a week? How many people use Tor for non-drug activities? The cost-benefit ratio of this attack is very high.
You refer to the two (visiting a PO box and using Tor) as mutually exclusive; I have painted a scenario where the two can be simultaneously attributed to a single individual/suspect, and one becomes a suspect only when the two are confirmed.

kmfkewm has addressed each aspect of the threat, often providing links to the material opined.
He has confirmed that the infrastructure for cell phone tracking is already in place, and we all know already through various media reports it is being actively used by LE ('stingers' are a new LE cell phone tracking technology which is even more powerful).
He has confirmed that the infrastructure is in place to determine Tor usage at ISPs and that in fact no warrant is required.

This possible avenue of compromising vendors is scary IMHO because both cellphone tracking and Tor usage verification can be done in a completely automated fashion electronically, thus providing a list of suspects spat out of a computer. The cost at this point is very little and the suspicion/probability level is very high.

At that point I consider kmfkewm's reality check to be worth considering... to quote what he wrote:

Quote
Of course the police will set up a 'whole operation' to bust a vendor though, didn't you already realize that? That is what the police do. They set up operations, to bust criminals.

LE would love nothing more than to be able to announce a SR vendor bust, especially if they accomplished it proactively themselves through their own 'smarts', not, as has been seen so far, through the IRL stupidity of the unfortunate soul where they happened to deduce SR usage after the fact.
We know they have manpower on SR, we know they could put a lot more on it if they saw an opportunity.
Therefore I don't think any vector should be trivialized... If I were a vendor I would be doubly as adversary conscious as I am being here and taking actual defensive actions to match.
Title: Re: Vendors - Possible attack vector.
Post by: ShardInspector on January 01, 2013, 10:06 pm
Quote
The only reason I have heard why this attack may not work is because LE may not be able to determine the exact drop box a vendor used, even if they can get the sent package.
I don't see why identifying the exact box the drop was made to would be necessary to raise suspicion to a level where surveillance may be considered.
Confirmation that they went to (perhaps they can even detect short loitering... depends on the signal resolution I guess) several mailboxes and that they use tor may well be enough IMHO.

LE don't even have to be in a hurry to dedicate resources to surveillance really, it is not like busting something like this is particularly time critical, I mean, it's an ongoing thing... this lowers the threshold that surveillance will actually be performed at some point.
Title: Re: Vendors - Possible attack vector.
Post by: astor on January 01, 2013, 10:13 pm
Quote
kmfkewm has addressed each aspect of the threat, often providing links to the material opined.
He has confirmed that the infrastructure for cell phone tracking is already in place, and we all know already through various media reports it is being actively used by LE ('stingers' are a new LE cell phone tracking technology which is even more powerful).
He has confirmed that the infrastructure is in place to determine Tor usage at ISPs and that in fact no warrant is required.

That was never in question. We know that mobile phones can be geolocated. My doubts are about the practicality of the attack viz a fishing expedition -- i.e., starting from zero knowledge and the assumption that some people are using the mail to ship drugs, LE would obtain all geolocation data and look for patterns to identify suspects for further investigation (which doesn't have to include Tor use; after all, I bet a majority of online drug vendors don't use Tor). I find that scenario utterly impractical. kmf added the idea that a seized package's drop location can be determined. That is a little more practical, but not something worth doing, IMHO, unless you're looking for a major drug distributor.

kmf and I agree that there are trivial ways to defeat the attack, such as not bringing a geolocation device, mixing up your drop locations, and obfuscating your connection to the Tor network.
Title: Re: Vendors - Possible attack vector.
Post by: ShardInspector on January 02, 2013, 12:48 am
Quote
That is a little more practical, but not something worth doing, IMHO, unless you're looking for a major drug distributor.

IMHO LE definitely considers SR to be a platform used by many major drug distributors.
I guess it's a question of one's individual perspective on that one, but I see often the attitude of "we are just little fish" or, like earlier up in this very thread, a poster stated that even a $100,000 transaction would not be considered that big.

I see that as a dangerous attitude and that people here are starting to come under some sort of illusions. Like I said, my belief is that LE consider many SR vendors to be major drug distributors. Or let me put it this way: at the very least, in any media reports that may come about because of any bust, they are going to be referring to the vendor as a major drug distributor; in court the arresting officer is going to refer to the defendant when testifying as a major drug distributor; the prosecutor is going to push the line that the defendant is a major drug distributor; and the judge will view the defendant as a major drug distributor. And the fact is that in most legal systems anything over around 2 grams is in fact considered to be for distribution, and therefore major drug distribution.
Title: Re: Vendors - Possible attack vector.
Post by: kmfkewm on January 02, 2013, 12:50 am
AHH second time I try and make this fucking post I hope it sticks this time (copy to clipboard this time at least):

Indeed there are several ways in which you can minimize the risk of this sort of attack. Clearly not carrying a cellphone with you is a good idea; additionally you can use Tor bridges. However, there are still some potential things to keep in mind. One thing is that some cities have license plate geopositioning technology that is nearly as accurate as cellphone geopositioning. Additionally there is always the risk that simply moving in a random fashion could be enough to flag you as a suspect. I imagine that very few people move in a truly random fashion. Of course there are taxi drivers and delivery people; however, they can likely be filtered out to a large extent as their movement patterns fall in line with those you would expect of someone who holds such an occupation, and they will not be the same movement patterns that a vendor who drops off packs at random boxes will have. This presents a sort of catch-22: on the one hand you may make yourself more vulnerable to geopositioning intelligence flagging you for moving randomly; on the other hand you will certainly make yourself weaker to traditional surveillance if you always follow the same schedule and use the same set of drop boxes for sending outgoing packages. I am inclined to believe that, given a choice between the two, it is better for you to make yourself weaker to being flagged for moving randomly than it is to make yourself weaker to traditional surveillance by always sending from the same small set of boxes on a set schedule.

Another thing to keep in mind is that the sort of attack discussed does not entirely rely on cellphone geopositioning data or even on license plate geopositioning data. It relies on geopositioning data in general, without regard to how that data was gathered. For example, imagine an assassin, a hitman for hire. One month he kills someone in Alicesville, the next month someone in Bobsville and the next someone in Carolsville. For the most part he is secure, except while he is in each city he uses his credit card to purchase a cup of coffee. Now law enforcement with access to financial transaction data can intersect the sets of credit cards identified as used in these cities, and they will see that some number of credit cards were used in all three cities. They will additionally be able to see that some of the credit cards were used in the three cities in the same order that the assassinations were carried out. Depending on the closeness of the cities and how cross-contaminated the set size of credit cards used in them is, this attack could very well be enough for them to narrow in to only one person: the assassin. Another possibility is that the assassin has paid for an airplane ticket to each of the three cities in which the hits were carried out. The fundamental attack here is an intersection attack. Intersection attacks can take crowds that by themselves are essentially meaningless and then filter the noise away, leaving only the most likely targets. The list of credit cards used in Alicesville is not going to by itself help the investigators identify their target; the list contains credit cards belonging to far more people than their targeted assassin. However, as soon as they intersect that list with the list of credit cards used in Bobsville, they will filter away an enormous amount of that noise. Normally it doesn't take very many intersections before a target is identified.

This sort of crowd intersecting attack is one of the fundamental methods used in a large amount of intelligence and investigatory work. Another fundamental attack is a correlation attack, whether it involves a correlation between the timing characteristics of packets at two points on an encrypted tunnel or a correlation between tire marks left in the mud at a murder scene and the tires on a suspect's vehicle.

Sorry, I wrote this out a bit nicer the first two times, but now I am sick of writing this large post out and just pounded it out from memory the best I could.
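Both of kmfkewm's posts above (the drop-box crowds and the credit-card version) describe the same arithmetic: take the set of identifiers seen near each event and intersect the sets. The following is an added example, not code from this thread, that runs that arithmetic on constructed data so the two effects the posts describe can be seen directly: how fast the candidate set shrinks with each intersection, how the "same order as the events" refinement prunes it further, and why an identifier that is never carried to the events (the phone left at home) cannot be surfaced by any number of intersections. The observations, identifiers and times are all made up; the functions are generic and apply to any identifier type (phone, plate, card, ticket).

```python
"""Crowd intersection: how an anonymity set shrinks across observations.

Added example, not from the thread. Each observation is a mapping from an
identifier seen near one event to the time it was seen; the data is constructed.
"""
from functools import reduce

# Constructed observations: identifier -> time seen (minutes), one dict per event.
OBSERVATIONS = [
    {"A": 10, "B": 12, "C": 15, "D": 20, "E": 30},   # event 1 (around t=10)
    {"B": 100, "C": 105, "F": 110, "G": 111},         # event 2 (around t=100)
    {"B": 90, "C": 200, "H": 210},                    # event 3 (around t=200); B seen before event 2
]


def intersect_crowds(observations):
    """Identifiers present in every observation. Empty input gives an empty set."""
    sets = [set(o) for o in observations]
    return reduce(lambda a, b: a & b, sets) if sets else set()


def anonymity_set_sizes(observations):
    """Candidate-set size after each successive intersection (how fast the crowd shrinks)."""
    sizes, current = [], None
    for o in observations:
        current = set(o) if current is None else current & set(o)
        sizes.append(len(current))
    return sizes


def consistent_with_order(observations):
    """Subset of the intersection whose sightings occur in event order.

    This is the ordering refinement from the credit-card example: being seen at
    all three places is not enough, the sightings must also line up with the
    sequence of events. In the sample data B is dropped because its third
    sighting predates event 2, leaving C alone.
    """
    keep = set()
    for ident in intersect_crowds(observations):
        times = [o[ident] for o in observations]
        if all(t1 < t2 for t1, t2 in zip(times, times[1:])):
            keep.add(ident)
    return keep


def never_observed(observations, ident):
    """True when an identifier appears in no observation at all.

    The defensive side of the same arithmetic: an identifier that is not carried
    to the events is in no crowd, so no intersection can ever produce it.
    """
    return all(ident not in o for o in observations)


if __name__ == "__main__":
    print("sizes after each intersection:", anonymity_set_sizes(OBSERVATIONS))
    print("in every crowd:", sorted(intersect_crowds(OBSERVATIONS)))
    print("and in event order:", sorted(consistent_with_order(OBSERVATIONS)))
    print("identifier Z ever observed:", not never_observed(OBSERVATIONS, "Z"))
```

Three events are enough here to go from five candidates to one, which is the point both posts make: each individual crowd is meaningless on its own, and the pruning comes entirely from the intersection. The catch-22 in the post also shows up in this model: a commuter who passes the same box every day is in the crowd for every event at that box, so randomising locations is what keeps a vendor out of repeated crowds, while an identifier that is never present at all needs no randomising.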
Title: Re: Vendors - Possible attack vector.
Post by: kmfkewm on January 02, 2013, 12:57 am
Quote
That is a little more practical, but not something worth doing, IMHO, unless you're looking for a major drug distributor.

IMHO LE definitely considers SR to be a platform used by many major drug distributors.
I guess it's a question of one's individual perspective on that one, but I see often the attitude of "we are just little fish" or, like earlier up in this very thread, a poster stated that even a $100,000 transaction would not be considered that big.

I see that as a dangerous attitude and that people here are starting to come under some sort of illusions. Like I said, my belief is that LE consider many SR vendors to be major drug distributors. Or let me put it this way: at the very least, in any media reports that may come about because of any bust, they are going to be referring to the vendor as a major drug distributor; in court the arresting officer is going to refer to the defendant when testifying as a major drug distributor; the prosecutor is going to push the line that the defendant is a major drug distributor; and the judge will view the defendant as a major drug distributor. And the fact is that in most legal systems anything over around 2 grams is in fact considered to be for distribution, and therefore major drug distribution.

Someone I know made $100,000 deals and worked via mail online. They busted him with a joint operation between DEA, USPI, CBP and DHS. They had him under manned surveillance for some period of time, and additionally had bugged his vehicle with GPS tracking equipment, and they followed him around with dogs smelling all the boxes he dropped packages off in.
Title: Re: Vendors - Possible attack vector.
Post by: astor on January 02, 2013, 01:06 am
Quote
I see that as a dangerous attitude and that people here are starting to come under some sort of illusions.

There can be big differences between theory and reality. There are lots of theoretical attacks against SR. Hidden services can be deanonymized more easily and cheaply than the attack outlined here, yet SR is still up. So, if I were a vendor, I would implement the defenses because they are easy to do, but I wouldn't lose any sleep over this attack.
Title: Re: Vendors - Possible attack vector.
Post by: kmfkewm on January 02, 2013, 01:08 am
Yeah I would worry a lot more about a direct attack on Tor than this. But better to protect from as much as possible.
Title: Re: Vendors - Possible attack vector.
Post by: ShardInspector on January 02, 2013, 03:06 am
On balance, after all that's been said, I can't say I disagree with anything in either of the previous two posts...
Title: Re: Vendors - Possible attack vector.
Post by: tor12345 on January 04, 2013, 09:42 am
Thanks for this thread.

Are there any precautions vendors could take against an attack on Tor?
Title: Re: Vendors - Possible attack vector.
Post by: SelfSovereignty on January 04, 2013, 10:39 am
... my God.  I've never seen you sound so... so... coherent and intelligent as you do in one or two of these follow ups, ShardInspector  :o

So I guess I've only caught you after 3 days before now, huh.  I guess that must be what happens to me too.  Jesus man... it's almost enough to make me quit.  Almost.   ;)
Title: Re: Vendors - Possible attack vector.
Post by: MySecretAccount on January 05, 2013, 01:56 am
I am not even anybody on here, but the forums lately and some simple, simple logic has spooked me out of this place. I'm going to be wiping everything and just forgetting that Tor exists. I'm smart enough (and work with stats/patterns/thought problems for a living) to get the tech side of things, but I think that focusing on them primarily is the wrong approach, I'll throw out a few of my thoughts, as to me these are pretty much not up for debate, even though my math is laughable and my stats are made on the spot:

1. A comprehensive, multi-national Silk Road bust would be the "largest" drug bust of all time. I put largest in quotes because the quantities seized might not even touch a single cartel shipment, but...between the press coverage, the # of countries involved, and comprehensive being say 1000 people when all is said and done....that's big. Skew that 1000 towards the bigger vendors and buyers, along with some of the money-launderers, fake id/carder people, and you've got quite the news story. If spun right, it might even be bigger than that - a full-blown Tor takedown could be presented as the largest blow to internet crime in the history of the world. If I was going to attempt such a task - I'd start right here, thank you Gawker.

2. The modern internet is the wild west of the 21st century. I would bet my life savings that 50 years from now, this era will be looked on with the same disbelief as the early 1900s, when there were no drugs and the world fought itself to death all the time.

If you compare countries to say towns in cliche Western movies, they're each a town with their own sheriff, who enforces the law (or doesn't, if crooked) per their own standards and that of their townsfolk. For lack of a better analogy - the white house likely can't get to the western saloon in time to bust the people committing the crimes there - they put safeguards in place here and there to try, but it fails overwhelmingly, like it did then. 
         
So, what we have is the lax Dutch letting party drugs fly out of their windows like tomorrow is last year, the varying EU countries seemingly watching for now, with the UK proactively making moves and high-fiving the US in an Eiffel-Tower gangbang fuck of shipments, the money, and the occasional in person bust. Canada is stocked to the gills like a Hoarder but has nowhere to go, while Australia South America isn't playing really (not online anyway), and Asia is honestly too complex for Westerners to understand, so I can't speak to what is going on there (sans some stuff I hear in real life from clients or people I know in EU/Asia). It's a wild world, and the internet is one of its heart valves.

3. Let's use the Farmer's Market theory - TFM operated for however long, but, once known by the legal body wanting to bust it, was shut down within 2 years. They had 5600 sales and I think a million dollars or something in transactions...2 years. Now - let's keep it simple and not argue about Paypal/Tor/Payment methods/how they got shut down. They did, 2 years, with a volume that is less than a single month of the road. Technology has evolved all around the line - people aren't often as forward thinking as they believe themselves to be, so despite everyone thinking that BTC, foggers, bridges, and all of the new anti-enforcement gadgets are foolproof - 2 years from now we'll likely be laughing at how fucking stupid people here were. The site is on Google, Wikipedia, and has now been in countless international publications.
So - get dumb with me here for a minute. We can safely assume that law enforcement activity is somewhere around 15-20x that of the farmer's market, when in reality I wouldn't be surprised to find out that the raw amount of "power" being put in to anti-SR efforts is 100x or 1000x that of TFM. Whether it's technologically sound and optimized is pointless - just the man-hours invested is exponentially higher. That means something, even if a huge percentage of it is just beat cops on the lookout for people mailing stuff suspiciously, or lurking the forum.

Ask yourself now - do you think that this site, forum, and other parts of Tor are ever not being watched by a massive amount of "le?" I assume at all times that there is a HUGE le presence, so given that with the dumbed down logic above, and the highly accurate cross-referencing methods mentioned above, and you can ask yourself another question:

Do you think that the site is already compromised, that the tools are in place to make whatever bust the world's governments would like to make exist, and that it's not a matter of if/how/when they bust/shut down the site - it's just how...how to choose when, and how to present it to the world.

For every person who is safe, rational, and precautionary, there are 5 hopped up people vending shit horribly with no stealth, little or no PGP, contaminating everyone and everything he or she comes into contact with. I saw Contagion recently - go with an R-naught of 2 - for every week that smart people lay low and mind their own business, 2 sign up and ghetto blast the forums with their shit and start using unsafe methods that cross-contaminate every database here.

If I can read these threads, do some of the math (none of it in this post btw) about what it would take to bust it, and logically play it out in my head, alone....I'm sure smarter people with more or "real" authority can also. Also - it almost always starts with the money. Cut off the money, this place is worthless. BI went under, for all intents and purposes, and I imagine the money will keep getting attacked.

Once the money becomes too hard to cash out and in, you're going to be left with nothing but bigger fish. In a way - it's good BI doesn't just take cash deposits from a $0 listing and make it easy enough for a 15 year old to buy #4 from somebody for $50. Difficulty weeds out people, progressively, that aren't smart enough to handle what's in their hands.

I'm curious to see some thoughts to this and a few other posts tonight, but - I'm out. We're all using things that we don't fully understand, and because of that, I think going back a bit to things I do understand isn't a bad idea.


Title: Re: Vendors - Possible attack vector.
Post by: AussieMitch on January 05, 2013, 05:18 am
You guys are forgetting that there are other simple ways this attack can be mitigated:

1. Always have your phone registered in a fake name.
I pick up my phones from Cash Converters (Australia) as second-hand phones are already registered in someone else's name. They also don't ask for ID. I then get prepaid SIM cards from Asian convenience stores and if they ask for ID I say I don't have any, walk out, and try the next store. Once I have the phone & SIM card I use an internet cafe to register the SIM card with a fake name and address. Some providers ask for a license number but if you put a fake one that's the same length it still works. If your phone

2. Change your phone number regularly.
I change my dealing number and phone every month, costs about $30 for a cheap phone with no internet or GPS, $2 for the SIM card, and $40 for enough pre-paid credit to last a month. When my credit runs out I change numbers.

Through these simple steps it is now impossible for LE to identify a pattern to my phone or link my phone to my internet.
Title: Re: Vendors - Possible attack vector.
Post by: MySecretAccount on January 05, 2013, 05:27 am
Quote
You guys are forgetting that there are other simple ways this attack can be mitigated:

1. Always have your phone registered in a fake name.
I pick up my phones from Cash Converters (Australia) as second-hand phones are already registered in someone else's name. They also don't ask for ID. I then get prepaid SIM cards from Asian convenience stores and if they ask for ID I say I don't have any, walk out, and try the next store. Once I have the phone & SIM card I use an internet cafe to register the SIM card with a fake name and address. Some providers ask for a license number but if you put a fake one that's the same length it still works. If your phone

2. Change your phone number regularly.
I change my dealing number and phone every month, costs about $30 for a cheap phone with no internet or GPS, $2 for the SIM card, and $40 for enough pre-paid credit to last a month. When my credit runs out I change numbers.

Through these simple steps it is now impossible for LE to identify a pattern to my phone or link my phone to my internet.

US version of this - use burner phones when anywhere near somewhere you don't want on record, and TURN OFF YOUR WI-FI if you have a smartphone. Android defaults to searching for Wi-Fi networks, so even if you're not on yours, it's open and looking.

Plus, as you drive around some phones reveal your preferred networks.
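An added example, not from any poster in this thread, of what the "preferred networks" leak in the post above looks like on the wire: a minimal parser for 802.11 probe request management frames that pulls the source MAC and the SSID element out of each frame and collects, per device, the network names that device asked for by name. The frames are constructed inline by a small builder (no capture file is read), and the MAC addresses and network names such as HomeNet are made up for the example.

```python
from collections import defaultdict

MGMT_HDR_LEN = 24          # frame control, duration, addr1-3, sequence control
PROBE_REQ_FC = 0x40        # frame control byte 0: type=management(0), subtype=probe request(4)
TAG_SSID = 0               # information element ID for SSID
TAG_SUPPORTED_RATES = 1


def build_probe_request(src_mac: str, ssid: str) -> bytes:
    """Construct a probe request frame for the example (sample data, not a capture)."""
    src = bytes(int(x, 16) for x in src_mac.split(":"))
    bcast = b"\xff" * 6
    header = (bytes([PROBE_REQ_FC, 0x00])   # frame control
              + b"\x00\x00"                  # duration
              + bcast + src + bcast          # addr1 (dst), addr2 (src), addr3 (bssid)
              + b"\x00\x00")                 # sequence control
    ssid_b = ssid.encode()
    body = bytes([TAG_SSID, len(ssid_b)]) + ssid_b
    body += bytes([TAG_SUPPORTED_RATES, 4, 0x82, 0x84, 0x8B, 0x96])  # 1, 2, 5.5, 11 Mbps
    return header + body


def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a probe request frame, or None for anything else.

    A directed probe carries the SSID the phone is looking for in the clear.
    A wildcard probe (empty SSID element) names no network and is returned as ''.
    """
    if len(frame) < MGMT_HDR_LEN:
        return None
    if frame[0] & 0xFC != PROBE_REQ_FC:     # mask off the protocol-version bits
        return None
    src_mac = ":".join(f"{b:02x}" for b in frame[10:16])
    body = frame[MGMT_HDR_LEN:]
    i = 0
    while i + 2 <= len(body):              # walk the tagged parameters
        tag_id, tag_len = body[i], body[i + 1]
        data = body[i + 2:i + 2 + tag_len]
        if len(data) < tag_len:
            break                          # truncated element, stop parsing
        if tag_id == TAG_SSID:
            return src_mac, data.decode("utf-8", "replace")
        i += 2 + tag_len
    return src_mac, ""                     # no SSID element: treat as wildcard


def preferred_networks(frames):
    """Group the SSIDs each device probed for by its source MAC (wildcard probes skipped)."""
    seen = defaultdict(set)
    for frame in frames:
        parsed = parse_probe_request(frame)
        if parsed is None:
            continue
        mac, ssid = parsed
        if ssid:
            seen[mac].add(ssid)
    return dict(seen)


# Constructed sample traffic: one phone probing for two remembered networks plus a
# wildcard, a second phone probing for one network, and a beacon that is not a probe.
SAMPLE_FRAMES = [
    build_probe_request("aa:bb:cc:dd:ee:01", "HomeNet"),
    build_probe_request("aa:bb:cc:dd:ee:01", "CoffeeShop"),
    build_probe_request("aa:bb:cc:dd:ee:01", ""),
    build_probe_request("aa:bb:cc:dd:ee:02", "Office-5G"),
    bytes([0x80, 0x00]) + b"\x00" * 22,    # beacon header (subtype 8), ignored by the parser
]

if __name__ == "__main__":
    for mac, ssids in preferred_networks(SAMPLE_FRAMES).items():
        print(mac, sorted(ssids))
```

Only directed probes leak a name; the parser keeps the wildcard case separate so it is not mistaken for a network called the empty string. Phone operating systems released after this thread randomize the scanning MAC and largely stopped sending directed probes, so the grouping by MAC works against handsets of that era far better than against current ones.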
Title: Re: Vendors - Possible attack vector.
Post by: kmfkewm on January 05, 2013, 11:30 pm
Quote
You guys are forgetting that there are other simple ways this attack can be mitigated:

1. Always have your phone registered in a fake name.
I pick up my phones from Cash Converters (Australia) as second-hand phones are already registered in someone else's name. They also don't ask for ID. I then get prepaid SIM cards from Asian convenience stores and if they ask for ID I say I don't have any, walk out, and try the next store. Once I have the phone & SIM card I use an internet cafe to register the SIM card with a fake name and address. Some providers ask for a license number but if you put a fake one that's the same length it still works. If your phone

Doesn't matter, you still carry your phone home with you and will reveal your location in this way.

Quote
2. Change your phone number regularly.
I change my dealing number and phone every month, costs about $30 for a cheap phone with no internet or GPS, $2 for the SIM card, and $40 for enough pre-paid credit to last a month. When my credit runs out I change numbers.

Through these simple steps it is now impossible for LE to identify a pattern to my phone or link my phone to my internet.

Doesn't work, LE can identify your new number based on the fingerprint of the collection of numbers that call you, or the fingerprint of outgoing numbers that you call. Thus, you are not the person with phone number 12345678 but the person who always calls 12345679 and 123456777 and 123456666 and 87654321 and 87654311 and 87564321. Of course to identify you in such a way they will need to pen register the numbers you are known to communicate with, but they have done this before to counter this exact technique.
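The contact-set fingerprint described in the post above, worked through as an added example that is not the poster's own code: given call records, the old number's counterparties form a set, and any number that first appears only after the old one went quiet is scored by the Jaccard overlap of its counterparties with that set. The records below are constructed for the example (a (day, caller, callee) layout is assumed; real CDRs carry more fields), and all the phone numbers are made up.

```python
from collections import defaultdict

# Constructed call-detail records: (day, caller, callee). Assumed layout, not real data.
CDR = [
    (1, "0400000001", "0400000011"), (3, "0400000001", "0400000012"),
    (7, "0400000013", "0400000001"), (20, "0400000001", "0400000011"),
    (28, "0400000014", "0400000001"),
    # the same person on a fresh prepaid SIM after the old one ran out of credit
    (31, "0400000099", "0400000011"), (32, "0400000099", "0400000012"),
    (35, "0400000013", "0400000099"),
    # an unrelated subscriber who happens to know one of the same people
    (31, "0400000050", "0400000011"), (33, "0400000050", "0400000052"),
    (34, "0400000050", "0400000053"),
]


def contacts(cdr):
    """Map each number to (first_day, last_day, set of counterparties), counting both directions."""
    info = {}
    for day, a, b in cdr:
        for me, them in ((a, b), (b, a)):
            first, last, peers = info.get(me, (day, day, set()))
            info[me] = (min(first, day), max(last, day), peers | {them})
    return info


def jaccard(a, b):
    """Overlap of two contact sets; 0.0 when both are empty."""
    return len(a & b) / len(a | b) if (a or b) else 0.0


def successor_candidates(cdr, old_number, min_score=0.3):
    """Rank numbers that first appear after old_number went quiet by contact-set overlap.

    A number is a candidate only if it was never seen while old_number was active
    and is not itself one of old_number's contacts.
    """
    info = contacts(cdr)
    _, old_last, old_peers = info[old_number]
    ranked = []
    for num, (first, _, peers) in info.items():
        if num == old_number or first <= old_last or num in old_peers:
            continue
        score = jaccard(old_peers, peers)
        if score >= min_score:
            ranked.append((num, round(score, 2)))
    return sorted(ranked, key=lambda t: t[1], reverse=True)


if __name__ == "__main__":
    print(successor_candidates(CDR, "0400000001"))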
Title: Re: Vendors - Possible attack vector.
Post by: AussieMitch on January 08, 2013, 04:35 am
Quote
Doesn't matter, you still carry your phone home with you and will reveal your location in this way.

I live in an apartment building with at least 250 other tenants and in a densely populated inner city suburb, that likely has tens of thousands of people sharing any particular phone tower I might use. The phone also has no GPS or Wi-Fi, so how could I possibly be tracked? Also, it would be a huge invasion of privacy for the police to tap and trace thousands of phones just on the off-chance that one of them might be a Silk Road vendor. I don't know how things work in America, but in Australia this would be highly illegal.

Quote
Doesn't work, LE can identify your new number based on the fingerprint of the collection of numbers that call you, or the fingerprint of outgoing numbers that you call. Thus, you are not the person with phone number 12345678 but the person who always calls 12345679 and 123456777 and 123456666 and 87654321 and 87654311 and 87564321. Of course to identify you in such a way they will need to pen register the numbers you are known to communicate with, but they have done this before to counter this exact technique.

Most of the people that I communicate with on the phone do the exact same thing, making this method of attack useless. Also, the majority of the communication I receive is coded text messages that don't sound suspicious, or Privnote URLs for anything especially suss that needs to be communicated.