Silk Road forums

Discussion => Security => Topic started by: oppyate on December 16, 2011, 01:07 pm

Title: Article on Tor, Exit Nodes and Bitcoin
Post by: oppyate on December 16, 2011, 01:07 pm
I came across this article and it def had me thinking about a few things. It's a little long-winded, but I just wanted to see if anything this guy concludes has any validity. Here's the link, and I cut and pasted the article.

 http://fskrealityguide.blogspot.com/2011/06/silk-road-was-partial-agoristbay.html

According to that article, Silk Road's operator explicitly calls himself an agorist.

Here's how Silk Road operated. You can only access the website via Tor. The only form of money accepted is Bitcoin. There was a seller feedback rating system. You would receive your drugs via mail.

After the article and mainstream media publicity, Silk Road shut itself down to new users. I wonder how many DEA agents are Silk Road users?

Here are the flaws in Silk Road's design:
1.   Tor probably is not secure.
2.   Bitcoin probably is not secure.
3.   You can only trade Anonymously.
4.   It is vulnerable to State infiltration.
5.   There should be both a seller feedback system and a buyer feedback system.
6.   Not every buyer and seller should be visible to each other. You should only see other trustworthy users.
7.   Silk Road itself should be P2P organized, rather than having one central website.
Here's a more detailed explanation.

1. Tor probably is not secure.

I suspect that a large number of Tor exit nodes are run by the NSA/State.

Stories like this one are interesting. Someone runs a Tor exit node. Police raid that person's home, saying he was "downloading child pornography". The person shuts down his Tor exit node.

This implies that State thugs are running all the Tor exit nodes. Here's the scam:
1.   See if anyone non-approved is operating a Tor exit node.
2.   Download child pornography via their Tor exit node.
3.   Accuse that person of a crime.
Notice how "child pornography" laws make it illegal for someone to operate a Tor exit node.

With Tor, the "exit nodes" are a vulnerability. If all exit nodes are run by the State, that makes it very easy for State thugs to monitor Tor.

State thugs have the resources to control most Tor nodes. The NSA may have put a backdoor encryption flaw in Tor. Tor is probably untrustworthy. I'm very suspicious. State thugs crack down on anyone running a Tor exit node from their PC.

Another downside of Tor is that Tor is *SLOW*!

I did briefly experiment with Tor. I concluded that it was slow and probably NSA-controlled.

2. Bitcoin is probably not secure.

I already mentioned that I don't like Bitcoin. I'll review the main flaws in Bitcoin.
1.   Every client has a copy of the full monetary base.
2.   Every client gets a copy of every transaction.
3.   Very few people have a Bitcoin client on their PC. State thugs can see who's running Bitcoin, and add them to their "subversive persons" list.
Every client gets a copy of everything! That's like handing your records to the State! All State thugs have to do is run a Bitcoin client, and they get to see what every other Bitcoin user is doing!

Bitcoin seems like an intentionally-flawed design.

I don't like Bitcoin. I would accept bitcoins as payment, only if I could immediately trade them for FRNs or gold or silver.

It was amusing that people accused me of pro-State trolling, for criticizing Bitcoin. Instead of addressing my concerns, they dismissed and ridiculed me. Is Bitcoin secretly run by the State? That is a pretty standard pro-State troll debating tactic, to ridicule someone without addressing their criticism.

I own zero bitcoins. I have no incentive to promote Bitcoin. Suppose you own 1000 bitcoins. Then, you have an incentive to promote Bitcoin. If more people use Bitcoin, then your bitcoins become worth more.

BTW, a simple arbitrage argument says "value of a bitcoin" should be close to "cost of mining". Bitcoins can never be worth more than the cost of mining, because then more people would mine.

If bitcoins were worth less than the cost of mining, then people would stop mining. If I were unethical, I could configure the servers at work to mine bitcoins at no cost to me. In that case, I'd be mining bitcoins at no cost to myself.

However, it is possible for bitcoins to be worth less than the mining cost. As an extreme example, if everyone stopped using bitcoin, then the value would go to zero, even though it would still cost electricity to mine more.

Bitcoins can never be worth more than the cost of mining. They could be worth much less.

3. You can only trade Anonymously.

Silk Road is only useful for Anonymous transactions, especially selling drugs. Silk Road does not facilitate in-person transactions.

You can't do the following on Silk Road:
1.   find a good unlicensed plumber/electrician/doctor
2.   find a good unlicensed restaurant
3.   buy raw milk
4.   trade State paper money for gold (but you probably could use bitcoins)
5.   find an off-the-books job
Silk Road is focused on destructive transactions, mainly drugs, rather than constructive transactions.

I disagree with "Certain drugs should be illegal." However, most drugs are harmful rather than beneficial.

4. Silk Road is vulnerable to State infiltration.

There almost definitely are some DEA agents and undercover police on Silk Road. It'd be pretty easy to buy some LSD and then trace the package back to the source. Also, DEA agents may pose as sellers. Due to State law, if you're in possession of a certain quantity of a drug, you're treated as equivalent to a seller.

Once the DEA identifies a high-reputation user, they can say "give us your account as part of a plea bargain". Once a high-trust account is compromised, Silk Road will completely unravel.

5. There should be both a buyer and seller rating system. The buyer needs to trust the seller, to not cheat him. The seller needs to know that the buyer isn't an undercover policeman.

Silk Road has insufficient protection against infiltration by the State.

For example, a better system is "You only get to join Silk Road if an existing user refers you." Even better, the person who refers you pledges to make a payment, if you turn out to be an undercover cop or otherwise break the trading network rules.

6. Not every buyer and seller should be visible to each other. You should only see trustworthy people.

It's much safer if you only see "trusted partners" rather than everyone. There should be a user referral system, where one person says "I promise this person isn't an undercover cop."

Of course, a "user referral system" only works once you have a certain number of users. If you're starting from zero customers, you need to advertise just to get started!

7. Silk Road still is centralized. It's only one server hidden behind Tor. That's a vulnerability.

Another precaution is to decentralize it in P2P fashion, rather than keep everything on one server. You don't get to see all transactions and sale offers, only those of people who trust you.

Also, if Silk Road were decentralized P2P, then they could use their own encryption system rather than Tor. They could use their own internal accounting system rather than Bitcoin. They would allow pay-in and pay-out via any system. For example, you could send someone some bitcoins or mail someone an ounce of gold.

Silk Road seems like a partial implementation of AgoristBay. It's a nice try. It still has some flaws.

Silk Road has been outed by the mainstream media. Undercover State police have probably infiltrated it. If the site operator is smart, the most trustworthy users should move somewhere else and start over. I'd avoid Tor and Bitcoin. I don't trust them.

"AgoristBay" should use its own encryption and accounting system, and not rely on Tor or Bitcoin.

Silk Road was an interesting partial implementation of "AgoristBay". It was outed by the mainstream media, which makes it very risky now. Silk Road has definitely drawn the attention of the State. The most trustworthy Silk Road users should develop a better system and start over.
Posted by FSK at 12:00 PM 

Title: Re: Article on Tor, Exit Nodes and Bitcoin
Post by: redforeva on December 16, 2011, 01:25 pm
While many points of this article are true, I highly recommend using a VPN while using TOR to connect to the internet.
One thing I've learned in this trade and others (fraud): if you are wanted by the authorities they will find you no matter what. With the domestic mailing system you have lax security and can ship more freely. I used to buy cannabis from a friend who knew someone who had LBs shipped from California. Fedex 2nd Day with signature required. Talk about shitting bricks.
 
Being completely anon. is next to impossible, since most of us already have an online presence. But if you had completely new hardware or used an RDP to connect to TOR you have a ghost-like appearance.

Personally I use a VPN on my main machine then I connect to a Remote Desktop from around my area. Next I load another VPN on the other machine and then load TOR and connect. You can call me paranoid but I enjoy my freedom.
Title: Re: Article on Tor, Exit Nodes and Bitcoin
Post by: oppyate on December 16, 2011, 02:58 pm
Not at all paranoia, Red. There's a lot of gaps that can be exploited. I'd rather be paranoid than wrong/busted.
Title: Re: Article on Tor, Exit Nodes and Bitcoin
Post by: dictio on December 16, 2011, 03:14 pm
People have been using tor and .onion sites for a long time to avoid being caught doing illegal things. I've yet to hear of someone who was not running an exit node get busted for anything.
Title: Re: Article on Tor, Exit Nodes and Bitcoin
Post by: societyagrees on December 16, 2011, 05:30 pm
Yeah, seems mostly sensationalist to me, written by a conservative libertarian (as opposed to one open to new ideas). Some good points, but definitely not in touch with the real picture or experienced with the site. I don't think the criticisms against BTC carry much weight, and it doesn't even mention the use of tumblers.

sA
Title: Re: Article on Tor, Exit Nodes and Bitcoin
Post by: goldfingerib on December 17, 2011, 04:33 pm
I'm not a computer wiz and don't know all the ins and outs of computer security, so one of the main things I base my safety on is the fact that no one's been busted. But is this a fact? Do we know, and how would we know? I don't know about all those things in the article, but the bottom line is if no one's been busted this would be enough for me to feel safe. If people have, I would then also like to know how.
Title: Re: Article on Tor, Exit Nodes and Bitcoin
Post by: sr2013 on December 18, 2011, 01:43 am
Many things are technically wrong.


>> 1. Tor probably is not secure.
>> I suspect that a large number of Tor exit nodes are run by the NSA/State.

Silk Road is a hidden service and therefore is not using exit nodes: everything remains within the darknet.

>> 2.   Bitcoin probably is not secure.
>>   3.   Very few people have a Bitcoin client on their PC. State thugs can see who's running Bitcoin, and add them to their "subversive persons" list.

Using the bitcoin client through tor makes it appear as regular SSL. There is no way to know that one person is using a bitcoin client.
The traffic may be tipping as using a lot of SSL, just as someone browsing internet through tor or using a VPN.
I'm not sure if you can tell whether someone is using a VPN or tor with the traces.


>> All State thugs have to do is run a Bitcoin client, and they get to see what every other Bitcoin user is doing!
They know someone is exchanging btc but they don't know who. If you get BTC from someone who has access to your real identity, you can break this link by using a mixing service:
https://en.bitcoin.it/wiki/Category:Mixing_Services



>> Bitcoins can never be worth more than the cost of mining. They could be worth much less.
They're very volatile and subject to offer/demand and speculation; they're not made for investment but for exchange only, so the value doesn't matter that much in the end.


>> Silk Road is only useful for Anonymous transactions, especially selling drugs. Silk Road does not facilitate in-person transactions.
You can't put a nail into a wall with a screwdriver. That doesn't make the screwdriver a useless tool.


>> Once the DEA identifies a high-reputation user, they can say "give us your account as part of a plea bargain". Once a high-trust account is compromised, Silk Road will completely unravel.
Plea bargains are not specific to Silk Road. I believe most sellers are not in relation with one another, so Silk Road will not unravel, just this seller and his buyers (I doubt they will go after the buyers though).


>> The seller needs to know that the buyer isn't an undercover policeman.
Irrelevant: if precautions are taken, there is no way the buyer will be able to find the seller's identity.


>> There should be a user referral system, where one person says "I promise this person isn't an undercover cop."
This is the real life thinking. SR is based on anonymity so typically no one will be able to vouch for anyone!


>> 7. Silk Road still is centralized. It's only one server hidden behind Tor. That's a vulnerability
Who knows, there may be replicated servers.


>> Also, if Silk Road were decentralized P2P, then they could use their own encryption system rather than Tor.
Tor works fine; there is no need for this.


>> They could use their own internal accounting system rather than Bitcoin.
Same


>> They would allow pay-in and pay-out via any system. For example, you could send someone some bitcoins or mail someone an ounce of gold.
That's stupid as it would reveal the identity of the seller.


>> If the site operator is smart, the most trustworthy users should move somewhere else and start over
There is no point in starting from scratch to rebuild the same thing. They would need to pass the information to the current users and the law enforcement ppl at the same time.
Title: Re: Article on Tor, Exit Nodes and Bitcoin
Post by: Variety Jones on December 18, 2011, 02:50 am
Thank you sr2013

I've looked at this thread a couple of times, but I've been in the BBC debacle thread, and it was bothering me I hadn't been able to come here to say pretty much what you've very elegantly and succinctly said.

That article was written by someone who hasn't a whit of a clue how any of the technologies he's discussing work in practice. A first year journalism school major would be ashamed to put his name on that drek, and good on you for detailing exactly why.
Title: Re: Article on Tor, Exit Nodes and Bitcoin
Post by: oppyate on December 18, 2011, 04:17 am
SR2013, excellent points. The Bitcoin tumbler link is awesome... should be mentioned more often!
Title: Re: Article on Tor, Exit Nodes and Bitcoin
Post by: sr2013 on December 18, 2011, 10:12 am
No problem :)
Just a precision so as not to mislead anyone: it's not enough to run the tor browser bundle or the Tor button for the bitcoin client to actually use it: you need to configure the client to funnel everything through tor.
1) In Aurora / Namoroka / Firefox: Menu Edit / Preferences / Advanced / Network / Settings : Get the port number in the "socks host" line
2) In the bitcoin client: Settings / Options : Tick "connect through SOCKS4  proxy"
  Proxy IP: 127.0.0.1
  Port : the one fetched before
  Tick "Map port to upnp"

This port may be changing on each connection depending on what bundle you're using, so if the number of connections of the bitcoin client stays at 0 after a couple of minutes, recheck the configuration.
Also downloading the blocks may take longer than before obviously...
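
Added example (not part of sr2013's post or any project's code): a Python check for the "recheck the configuration" step above, which sends a SOCKS4 CONNECT to the local port and classifies the answer. The function names and the destination 192.0.2.1:8333 are assumptions made for this example.

```python
import socket
import struct

# Reply codes defined by the SOCKS4 protocol (second byte of the 8-byte reply).
REPLY_CODES = {
    90: "granted",
    91: "rejected or failed",
    92: "identd unreachable",
    93: "identd user mismatch",
}

def build_socks4_connect(dst_ip, dst_port, user_id=b""):
    """SOCKS4 CONNECT request: VN=4, CD=1, DSTPORT, DSTIP, USERID, NUL."""
    header = struct.pack("!BBH", 4, 1, dst_port)
    return header + socket.inet_aton(dst_ip) + user_id + b"\x00"

def parse_socks4_reply(data):
    """Return the meaning of an 8-byte SOCKS4 reply, or raise ValueError."""
    if len(data) != 8 or data[0] != 0 or data[1] not in REPLY_CODES:
        raise ValueError("not a SOCKS4 reply")
    return REPLY_CODES[data[1]]

def probe_socks4(port, host="127.0.0.1", dst=("192.0.2.1", 8333), timeout=5.0):
    """Classify host:port as 'closed', 'timeout', 'not socks4' or a reply meaning.

    dst is a constructed placeholder destination (documentation address range).
    """
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(build_socks4_connect(*dst))
            data = b""
            while len(data) < 8:
                chunk = s.recv(8 - len(data))
                if not chunk:
                    break
                data += chunk
    except ConnectionRefusedError:
        return "closed"          # nothing is listening on that port
    except socket.timeout:
        return "timeout"         # inconclusive: listener did not answer in time
    except OSError:
        return "not socks4"      # reset or other socket error
    try:
        return parse_socks4_reply(data)
    except ValueError:
        return "not socks4"      # something answered, but not with a SOCKS4 reply
```

Any of the four reply meanings, including "rejected or failed", shows that the port is a SOCKS4 listener; "closed" or "not socks4" means the port number entered in the client is the wrong one.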
Title: Re: Article on Tor, Exit Nodes and Bitcoin
Post by: spacewasp on December 18, 2011, 09:29 pm

>> 2) In the bitcoin client: Settings / Options : Tick "connect through SOCKS4  proxy"
>>   Proxy IP: 127.0.0.1
>>   Port : the one fetched before
>>   Tick "Map port to upnp"

Sorry, I'm confused a little because "map port to upnp" was already ticked when I went into the settings. Are you instructing us to "untick" this box?
Title: Re: Article on Tor, Exit Nodes and Bitcoin
Post by: sr2013 on December 19, 2011, 11:52 pm


>> sorry, I'm confused a little because "map port to upnp" was already ticked when I went into the settings. Are you instructing us to "untick" this box?

If it's ticked it's fine. It may also work unticked.
To tell you the truth, I'm not sure it will change anything if upnp is not activated at router level, which is not advised for security reasons.
And even if it were activated, you're not connecting directly to the router here, but rather proxying through your localhost.

Anyways, you can always try with and without and see how fast you're getting new connections.
It works either way for me.