Silk Road forums

Discussion => Security => Topic started by: StExo on August 08, 2013, 03:05 am

Title: The small things are what catch you out
Post by: StExo on August 08, 2013, 03:05 am
Don't get too excited, this isn't the vendor audit or backup project (just yet). However, there are 3 issues on my mind which are really bugging me and that we can all improve on.

1. The use of mixers

Mixers are a good way of obfuscating bitcoin paths; they aren't perfect, but they do a good enough job for most people when used properly. However, the unfortunate truth is bitcoinfog has 1 error I have for a long time now suggested they correct, because it leads to seriously misplaced confidence. Vendors often use bitcoinfog under their own username: go try it and create an account in your favourite vendor's username and see if you can; even I have one, although I don't think I've ever used it. Now, let's say the NSA can get into Bitcoinfog, with or without their knowledge, and associate the flow of coins through it. The blockchain won't help them, but internal server records will show which withdrawal matches which incoming deposit, and therefore you are traceable.

DO NOT use the same account for more than 1 deposit/withdrawal! Always make a new account for every withdrawal. Vendors, I am aware of the auto-withdraw option; disable it and then just withdraw once a day or once every few days.


2. Tracking codes

DON'T ever, under any circumstances, send a client their tracking code in plaintext. Use PGP or privnote if you need to. SR retains copies of mails for months after we delete them, so if SR is compromised, you're in a world of trouble. Take this into account: in the UK the post office keeps CCTV footage for 30 days; after that it is sent to HQ for storage for 5 years. A lot of tracking numbers means you are easy pickings, so don't send them in plaintext; you are endangering yourself and your clients.


3. SilkRoad's mail retention policy

Ok, you need information to resolve matters, but tell me, what exactly do you need 6 months down the line from now? This goes hand in hand with the tracking code problem. If both buyer and sender press delete, remove it from the server, as it is sending a clear message they don't want to keep it. Although it is good practice to encrypt sensitive info, several months' worth of mails is still a very good tool to acquire writing style, small bits of data gathered over long periods of time, etc. I see no reason SR keeps mail this long, or order history. Give us the ability to control our own data retention, and if we delete something and then want it investigated, it's our own fault.


That's all for now. Back in 24 hours with something cool for you all ;)
Title: Re: The small things are what catch you out
Post by: mojorizen on August 08, 2013, 03:24 am
Well, those buyers who don't use PGP won't be getting their tracking anymore. Probably no one will because what vendor wants to waste the time importing an impatient and panicky buyer's public key just to send them tracking for something that will arrive soon anyway?

But what about in resolutions when a vendor has to prove they sent a package and post the tracking in the resolutions? Can't PGP that. Has to be cleartext unless SR reso people have a pgp key. Do they?
Title: Re: The small things are what catch you out
Post by: astor on August 08, 2013, 03:37 am
> Vendors often use bitcoinfog under their own username: go try it and create an account in your favourite vendor's username and see if you can; even I have one, although I don't think I've ever used it.

That is idiotic, but it's solved by an even better security practice. You should never use the same account for more than one mixing operation. Create a new account each time you want to mix coins, and obviously use different usernames each time.
Title: Re: The small things are what catch you out
Post by: comsec on August 08, 2013, 03:46 am
The SEC did some impressive Bitcoin auditing when they slammed Pirateat40 with a lawsuit for his Ponzi scheme.
Most, if not all, of this was from cashing out using an exchange though, not localbitcoins. MtGox had his history and real name attached to his bitcoin addresses, which made this much easier.

I don't think any vendors will be caught here through bitcoin tracing. More likely they will slip up mailing out product and get it intercepted; then either they find a picture of the guy mailing the package, or his fingerprints, or they put in a tracking device and then return it to sender marked 'Insufficient postage'. That's a great trick LE can use because the vendor won't expect anything fishy with the return for insufficient postage (this happens a lot) and will most likely go and retrieve it out of greed. Many vendors are using a return address that they can still get to if something goes wrong (greed). If they used an apartment building with no suite #, they can wait outside for the postman with the returned parcel and social engineer him or present fake ID to pick it back up, then get busted.

They might also bust the customer, and use his online identity to social engineer the vendor into taking something besides bitcoins. 'Hey great product.. I need to order $50k worth but can't buy that much bitcoin.. can I mail you cash?'

Title: Re: The small things are what catch you out
Post by: Cimicon-Rep on August 08, 2013, 03:50 am
Yes, account names like...

Silkroadvendor01
Silkroadvendor02
Silkroadvendor03...

Ya being a smart ass.

On point 2, we're generally reluctant to give out tracking but sometimes we get the "can I have tracking so I don't have to drive over to my drop every day to check?" So I guess now we'll ask for a public key first. But what a PITA that will be for everyone involved. So I guess we'll revert to the "no tracking given out so don't ask" policy.

MojoRizen brings up a good point; what to do when it comes to resolutions? We've had a few cases where we had to supply the tracking to SR support in resolutions. I don't recall seeing a public key for SR resolutions. Does SR resolutions delete all that detail posted in resolutions once resolved or is that archived too?
Title: Re: The small things are what catch you out
Post by: StExo on August 08, 2013, 04:02 am
Everyone should have the staff's PGP key on their keychain should SR ever go down! Here it is for those who don't:

-----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.12 (MingW32)
[...]
-----END PGP PUBLIC KEY BLOCK-----


You can encrypt info with that in SR resolution if you need to. I simply offer no tracking code, as it can get you caught very quickly, and I am tempted to add an example to my audit of how easily you can be found, where I pick a vendor at random and see if I can have them hunted down IRL (obviously not by police, just by me of course) and, once I've found them, post them a picture of them carrying their mail and their vendor username, or just a PGP encrypted message, to send the message home to them. I won't go into how here, but if you use tracking, I can find you very easily.
Title: Re: The small things are what catch you out
Post by: StExo on August 08, 2013, 04:04 am
> > Vendors often use bitcoinfog under their own username: go try it and create an account in your favourite vendor's username and see if you can; even I have one, although I don't think I've ever used it.
>
> That is idiotic, but it's solved by an even better security practice. You should never use the same account for more than one mixing operation. Create a new account each time you want to mix coins, and obviously use different usernames each time.

Yup, says that in the original: use each account once and then dispose of it. Use a unique password for each one too; I know many people use the same password across the entire deepweb and also for their real-life accounts.
Title: Re: The small things are what catch you out
Post by: THUMBSuP. on August 08, 2013, 04:35 am
> Don't get too excited, this isn't the vendor audit or backup project (just yet). However, there are 3 issues on my mind which are really bugging me and that we can all improve on.
>
> 1. The use of mixers
>
> Mixers are a good way of obfuscating bitcoin paths; they aren't perfect, but they do a good enough job for most people when used properly. However, the unfortunate truth is bitcoinfog has 1 error I have for a long time now suggested they correct, because it leads to seriously misplaced confidence. Vendors often use bitcoinfog under their own username: go try it and create an account in your favourite vendor's username and see if you can; even I have one, although I don't think I've ever used it. Now, let's say the NSA can get into Bitcoinfog, with or without their knowledge, and associate the flow of coins through it. The blockchain won't help them, but internal server records will show which withdrawal matches which incoming deposit, and therefore you are traceable.
>
> DO NOT use the same account for more than 1 deposit/withdrawal! Always make a new account for every withdrawal. Vendors, I am aware of the auto-withdraw option; disable it and then just withdraw once a day or once every few days.
>
>
> 2. Tracking codes
>
> DON'T ever, under any circumstances, send a client their tracking code in plaintext. Use PGP or privnote if you need to. SR retains copies of mails for months after we delete them, so if SR is compromised, you're in a world of trouble. Take this into account: in the UK the post office keeps CCTV footage for 30 days; after that it is sent to HQ for storage for 5 years. A lot of tracking numbers means you are easy pickings, so don't send them in plaintext; you are endangering yourself and your clients.
>
>
> 3. SilkRoad's mail retention policy
>
> Ok, you need information to resolve matters, but tell me, what exactly do you need 6 months down the line from now? This goes hand in hand with the tracking code problem. If both buyer and sender press delete, remove it from the server, as it is sending a clear message they don't want to keep it. Although it is good practice to encrypt sensitive info, several months' worth of mails is still a very good tool to acquire writing style, small bits of data gathered over long periods of time, etc. I see no reason SR keeps mail this long, or order history. Give us the ability to control our own data retention, and if we delete something and then want it investigated, it's our own fault.
>
>
> That's all for now. Back in 24 hours with something cool for you all ;)

This is a very very good read, StExo.. I am glad I logged in tonight.. lol.
As far as Vendors sending tracking numbers in plaintext, I would like to disagree and not believe this...
but honestly I've seen it done, so this is definitely not too farfetched.
I thought everyone with a pinch of logic knew to send it only via PGP/GPG.. fuck privnote..

As for everything else.. spot on sir, very good read. +1 +1 +1 +1

And as far as LE sending a package back with "insufficient funds"... I would personally never see that pack again, if I were a Vendor..
because obviously every package would have sufficient funds, if not a few decade of cents more, ya' know?
Too much over isn't too bad.. :)

But you can't fix stupid..
and some people are going to succumb to the sanctity of the state.

Hope everyone has a fucking beautiful night. :)

/thumbs
Title: Re: The small things are what catch you out
Post by: StExo on August 08, 2013, 04:48 am
NB: Every tracking code is traceable to the point of sale, in every country. It may not be something your postie or even the post office can do, but it's possible. That is why I express concern. Also remember the US photographs every piece of mail; they then wanted to pull the tracking code and find the photo of that piece of mail, and boom, there is the address. Concerns, my darling :) I've looked into this longer than SR has been around, for many reasons.
Title: Re: The small things are what catch you out
Post by: comsec on August 08, 2013, 04:59 am
> NB: Every tracking code is traceable to the point of sale, in every country. It may not be something your postie or even the post office can do, but it's possible. That is why I express concern. Also remember the US photographs every piece of mail; they then wanted to pull the tracking code and find the photo of that piece of mail, and boom, there is the address. Concerns, my darling :) I've looked into this longer than SR has been around, for many reasons.

When I ran a local mail operation I used bitcoin -> prepaid Visa (one-time use) and just printed out online expedited post w/ tracking and slapped it on a box small enough to fit in a street redbox and dropped it. I also ordered supplies to a drop but stopped that after figuring out I can just buy them online with a virtual Visa. At the time I was chaining SOCKS proxies to avoid a Tor exit node giving me away.
Title: Re: The small things are what catch you out
Post by: postrex on August 08, 2013, 05:24 am
> NB: Every tracking code is traceable to the point of sale, in every country. It may not be something your postie or even the post office can do, but it's possible. That is why I express concern. Also remember the US photographs every piece of mail; they then wanted to pull the tracking code and find the photo of that piece of mail, and boom, there is the address. Concerns, my darling :) I've looked into this longer than SR has been around, for many reasons.

I must be missing something. Where does the risk stem from here? If you're showing your face plainly to a post office camera when buying your prepaid envelopes or stamps, then you are being stupid in the first place. Who cares if they know where the postage was purchased?

I would like to know how exactly you think you could find... say, me... with just a tracking number from a package sent by postrex? Is that what you are claiming?
Title: Re: The small things are what catch you out
Post by: psil0 on August 08, 2013, 05:39 am
I think it's very important for everyone to define a personal security policy and to always follow it.

Sure, your security policy can be updated with better techniques and practices as they are discovered, but don't become lazy. A security policy can help prevent the most common slip-ups caused by greed, emotions, and downright laziness.

Be well informed and always operate with discipline.
Title: Re: The small things are what catch you out
Post by: cactuschomper on August 08, 2013, 07:09 am
Great read, +1 for posting. All vendors need to refine their methods and stay ahead of the curve. When it's all on the line it makes absolute sense to constantly study/implement new stealth/security.