Proxy purchasing / RL mixmaster network

[n0m4d]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Proposal
========

I will buy anything on Amazon.com (up to $50 at first) and reship it to you free of shipping charges, in exchange for the current (as of the request) MtGox bitcoin::dollar trade ratio.

I am amenable to using further proxies, cutouts, escrow, etc.  The idea is to set up a web of trust, and to exchange some of my capital for bitcoin.

If you are interested in doing local dead-dropping with me, my area of operations is US ZIP 97502 - I will gladly move packages from one GPS location to another within certain time constraints for bitcoin.


Goal
====

I wish to set up a network of trusted agents in various areas of operations for a physical mixmaster network.  The eventual plan is to charge postage in bitcoins, use dead-drops (geohashing?), and GPG to build a reputation between agents for honest dealings.  I would think a meta-market of auditors could also be set up at some point by sending false packets through the network.



I welcome (hopefully constructive) criticism of these goals, as well as expansion on them.



- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: GnuPG v1.4.10 (GNU/Linux)

mQENBE1IJdoBCAC3K2cmoVjMasNr/KbiBpiz6HWfkTUen4hKVHA4RLt+t7qGIPDP
tBfaqBqCGRtkUm/n3mn1nB5vN6Tybe3gYIvz7StKFfK5kE5NIJ2s5s58oLI88hzU
5HvgXY4CSjtKcjI/sIdUd2Imid52MYxkHvqI5PKFzPePv3Ak3ztuQX4VU9i39ssG
l9xBCgMy1ol9QKhE44RIZGXf1q3HMHHcydRqAIdwTPGhNqCcv8c03ZWTlhgd3Wg/
eJJPOTLp/Bf9SBZhDX1Q4bEDF4W61nGqohf7d3KErcEgZi1OGybtT/B6nAa0sKic
oqx1wNy/4Pm2uh82o0IP84rOP2Z/eCMLpJUBABEBAAG0JU4wbTRkIFRocmVlcGVy
IChuMG00ZCBvbiBiaXRjb2luLm9yZymJAT4EEwECACgFAk1IJdoCGwMFCQHhM4AG
CwkIBwMCBhUIAgkKCwQWAgMBAh4BAheAAAoJECQvuS783MP4Kg4H/AgbkoRoMdeL
2Zs7ji09D4xY61O7+VpXHR0DdHgi/dpeqo4T3KrJmaRO7YOhoQb+bFqYm+hDBrxJ
fbpotGpTDJsToirRELxP7MaoI59H0UpwHYeXCHjlIdSee3LnTy86BiOzMoCsGdRM
aXOh5wkOG7ZdGsiYiXvsZV8kjgXiULF4JtX9CCnOMT1pfeDOH11QuOJZY4SVOuVW
1qxf5z8Kx5ilRBZFOuBSfi9gRop2q7M6vbkO6XuTBDTKQswyxk65Qw5J0mmjIYup
kQ6MLa7mtZpOYLp1WdNKg6aNKpdjlxcOHhM//tI8mGuBE8ME5HiiBM/FYEBXFUqr
9iGfLsH0s5i5AQ0ETUgl2gEIAM8trBk46Qjrh6nRFYtbZc5eEEX8Wtmwr1LM7P1Q
DLXQ6zQ+6dspWy4NJpcG5Cjz3nrI4uZy84NJ7i6wLvC2yPA1YD+/iLLp3krRRM8T
lMRLWcK0TgQCplepxZ/DQDd/8Ep8mOpNHg5QLC2YHoDwIenEe6lQvicqED7KC8jJ
HxMZ5VEBC1XKfQBYuBPsGOm272N3ameFeZ3Dkc+JcpMLyD7h7imAYHXMSBuwZYex
heF5Z+cr5PNfVWx8fwtwaHcIQWBsWeK0DciHYd2Lt7Ol48XEyuYtslXXmZhElKMX
LKXZWFovvZsIxL1uE0HOkdJGace4+CCuEFbzcbNfAr3DPvcAEQEAAYkBJQQYAQIA
DwUCTUgl2gIbDAUJAeEzgAAKCRAkL7ku/NzD+MEtB/9Mva0P4D60vKW78LoAtNmk
kUVAgDtsd0K/eqjpOTVDLS8V2B9nW4SvEpEH0pHlsZ6pRrjNZElVQaa7b/Qrb8C2
qSSPNd3rbNChEwUuKgh/zUw6ZI6WU0Jw8XPfgFOUSYafnKdb64Y3RFYoyiXN/kNs
gKEaLBxyM6XuyDlh6z+zo1hifDK4o0xYAPCir6+iHqeYDoKlVEVRZEc1JI9ITn2N
x8ADA6CFxtVV6O/m86MRC2yT2Zv8Lm/LwPKMJze2IXPo6uc/1sreFwwH/btkvWn5
1GpQwUBGFSYdmsEeRtHUD+jlYYuus2xoXpMA+yQShlzy31J8DwvJHMIlNPztnIma
=eDdw
- -----END PGP PUBLIC KEY BLOCK-----
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJNSCrYAAoJECQvuS783MP4ZPkIAIJjBekLm4T1kfdQGfJZ0pqJ
ldQASsjqqsz7hNnYeIzOxXUMpA0zG0ut3UUcfx/5z3dCv4NtWpHk2n2ea/7mOCBr
eJ3AE+n/OMfI6Uz2CdkL+Pav9PJ4FtHMs6AEXK4GgeU0vC8bDo+VwY1G/4J+Ey/+
jG7TgfnKSgA5USjt/OS8INFUtefsRhHy/RmV/vtczFeLcL2fY4gBIIjod7Iswc/9
P46HzVvu8Z3d6kSqAHQrR/h6RcbB+U9eiilv/FdbLwEhsLFQ07fFQRuaVCwOcx3x
0tK6h06zqUEUdjdkgZsSG43iqCZhvc8og9Yf1Cnhbq4oOqw01JYJtwdAjF9bjLU=
=t3FL
-----END PGP SIGNATURE-----

[n0m4d]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Rationale
=========

One of the problems of anonymity, as I see it, is the problem of receipt of goods, anonymously.

Silk road (http://tydgccykixpbu6uz.onion/), for instance, provides a market, but leaves the "last mile" up to the individual customer.

It would seem to me there is room there to provide a service - I'm attempting to do market research before I invest in the creation of a meeting place (tor website / DB) for people also interested in solving this problem / distributing the risk.

No one has commented / followed up on this in 24hr, so I'll presume either the demand for this service is not high, or I have not provided enough incentive.


Incentive
=========

One criticism that's come up is that eating the shipping is not enough of an enticement - people can get free shipping handily.  Agreed. 
The service I'm offering is a layer of deniability, not free shipping.

So, how about this - offering to pay a "postage" for someone to recieve goods and dead drop them for me.  Are there people interested in negotiating in that direction?

Alternately, we can negotiate a trade ratio for BTC that is more enticing.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iQEcBAEBAgAGBQJNSaA8AAoJECQvuS783MP4hSUIAKvQ+3qzgmKnM/Ja6pBx41UT
oKvRuc3lt8Jai/b3xz4n9LOyXQs5UoidKPQ/8xAbR0i57d1+vDH/OpaMHu/VODTM
tHvlfrd22f9f0nmilgYY9tUOJtBvQH4Xbqk+0l6uciHcpClvuk5RclqQEGijCDoF
SyzkfNHt2rIyeo/TSOe2tp5h6jXdFJhYVE3GLMWnq/lwwtp562beSKru5GYNZSlQ
wxgkHraFnvh7RRx81qUUKl5QL+y0iTqNgibKFTle/+vxfJjLf+tquu5XRa67Tg4J
04vTnAb7c1CoxsuJAcuM+hf2wCzJEWPATzmRJtSsrpK1HlFAL5MTqt49XOCBOA4=
=olD/
-----END PGP SIGNATURE-----

[Cusipzzz]

how do you propose to solve the 'last mile' problem?

Sure, trust can be built via ratings, which may be forged/false, and the 'first delivery' for someone new to the network carries a ton of risk if it's something like Silk Road material.

Dead Drop locations can be watched and whoever picks up the material insta-nabbed.

[n0m4d]

how do you propose to solve the 'last mile' problem?

Sure, trust can be built via ratings, which may be forged/false, and the 'first delivery' for someone new to the network carries a ton of risk if it's something like Silk Road material.

Dead Drop locations can be watched and whoever picks up the material insta-nabbed.

Okay, let me rephrase and number those, to see if I can address them properly.

A1) How do we build trust within the network, so that endpoints can send [expensive/extralegal/etc] material, while maintaining "acceptable" risk?

That was why I was limiting my initial bootstrapping effort here to items on Amazon within a certain price range -- that nails down concretely that at first, I will not accept extralegal risk, and I will not accept risk over a certain dollar amount.

However you'll also note that I am amenable to dead-dropping (without restrictions) within my area of operations, for payment in BTC.  This is a risk I am also comfortable with.

B2) How do we lower risk of law enforcement infiltrating and corrupting / capturing nodes?

I am assuming that is who would be doing the nabbing - since the receipt of postage would be to a bitcoin wallet somewhere and not on the courier, and the nabber would already possess the couriered item.

This I was leaving up to the network to figure out - nodes on the net could figure out their own methods for making dead drops more secure, and I would hope would share them.

The problem, I think, devolves into two groups:
The sender is more at risk.
The recipient is more at risk.

I can eliminate sender risk by going out into the woods, burying the goods, and then telling the recipient where it's located.

Recipient risk is harder to mitigate, though I would imagine you have plausible deniability (to an extent) in that you can not be proven to be an exit node.

The strategem I'd come up with was negotiation of the time as close as possible to the actual trade, in a public place.  Perhaps an airport, hospital, shopping mall, etc - where someone carrying a bag large enough to contain the parcel would not raise suspicion.

Flashmobbing several pickups / dropoffs in a short period of time would be another.  This is what I was what I think a central DB would help out with - if I can organize 10 handoffs in one shopping mall inside of an hour, it would seem to me I can seriously spread the risk of being nabbed.

A nabbed courier would also indicate to that area of operations that there was a corrupt node, and they could begin auditing their peers.  If everyone is using GPG, there will be a 'head node' that knew the time/place of the handoff that will be immediately suspect.

[n0m4d]

Sure, trust can be built via ratings, which may be forged/false

I'd missed the part about ratings being forged - I was planning on the nodes using GPG's web of trust.  The problem of forged trust can be solved, I believe.  Probably by someone smarter than I. 

[n0m4d]

Honesty through publicity
=========================

Since essentially this network will be about building trust, I believe that opening the data as well as the mechanism will be the best way to proceed.

The plan is that the courier network database is available at any time - since the only identifiers will be the GPG public key, a BTN account, and an area of operations (AO) code.  The source code will also be made available, though that may be through some sort of threshold pledge system.  :)

The idea is that if anyone wants to fork the courier network (due to loss of faith, or because they have a better UI, or what have you), they can.  This keeps the central database honest and competative, as well as providing some security.

The goal is widespread uptake, not earning a percentage.  By keeping the data open, it is more profitable (in the form of donations, or esteem, or what have you) to maintain the network's trust than abuse it by levying fees.


Proposed database architecture
==============================

Courier { Username, GPG Public key, BTN Account, AO code, ... (probably a backup dead-drop email address or other contact method) }

Handoff { GPG Signature by recipient on Courier's public key, ... (probably a 'comments' field, postage involved in this handoff, etc - all signed by the recipient's key) }

There is a many-to-one relationship of Handoffs to Couriers.


Thoughts on risk mitigation for handoffs
========================================

If each courier is required (perhaps by only recieving a fraction of the postage due them) to 'sign off' on receipt as well as delivery of a package, we set up a chain of trust that we can then test.

If the courier network dictates the place the trade will take place (think geohashing [1]) - we can also send "null packages" to test the courier's reliability rating.  Other nodes in the local AO can also be elected 'auditors' to send test packages as well.

Having these network audits happen randomly as a percentage of packages will help convince couriers to stay honest.


Penalties
=========

Couriers failing an audit will lose their entry in the database, with its accumulated network trust.  As postage fees will scale based on the level of trust, there will be a lot to lose by failing an audit.  Please note that this in no way obligates a courier to take a job - it's failing an audit that drops them from the network.

Couriers that repeatedly try to game the system by dropping their persona and creating a new one can either be punished through charging an entrance fee to become a new courier in an AO, and/or an AO can take up a collection for an audit majure [2].

In future, 'taxes' on couriers in the AO could be gathered for maintenance of an audit/enforcement squad whose job is protecting the network and resolving disputes.

'Taxes' might also be levied in order to provide insurance on packages - though this will likely presuppose the existance of audit squads, as it doesn't appear that there is a way to provide insurance programatically that can't be gamed.


Indoctrination
==============

Couriers just starting out are going to have a trust threshold to cross - there are ways to handle this outside of just scaling postage alongside number of successful trades.

Sponsors are one idea.

Public webcams set up in advance at a location for pickup, and then sending a null package can verify that someone did in fact show up.

Having the courier take a picture of the dropoff location with the package?  This would prove a time/place/package/courier relationship, though not prove that the package was not tampered with or stolen outright.  May be useful for disputation with the local audit squad.

Street view could be used to choose a remote location in advance.  Coupled with the above pictorial evidence and time constraints, we can increase the amount of work it will take to intercept a package.


Uptake
======

I've already gotten PMs from several interested parties, and started making local contacts aware of BTN.  Any commentary on this is welcome - _especially_ any glaring security holes that haven't been addressed, or additional things that should be tracked in the database.


Bibliography
============

1. Geohashing  http://irc.peeron.com/xkcd/map/
             http://www.xkcd.com/426/

2. Audit Majure  http://tinyurl.com/yh5jdd/

[rebuilder]

I sure hope everyone talking about this here is behind the proverbial 7 proxies, because if this takes off, law enforcement will be all over these messages, looking for top-level cell leaders.

[n0m4d]

I sure hope everyone talking about this here is behind the proverbial 7 proxies, because if this takes off, law enforcement will be all over these messages, looking for top-level cell leaders.

The whole idea behind making the data / code public is to decentralize as much as possible, should the worst happen.

If this were to move into production, it will likely go the way of the silk road and live on an eepsite / hidden tor node.

For now, s'just talk.

It's just an RFC - what could go wrong?   

[n0m4d]

Trust in a courier could be measured through some sort of fair (within an AO) local voting scheme - whether that courier gets kicked off the network or voted in.

...was trying to think of a way to use secret sharing, came up with that.

[maxvendor]

Although, theoretically this could be a good idea as I could move drugs through the network for people to pick up in person, and would probably triple sales overnight, I see lot's of potential problems. Particularily a vac sealed product has a specific shelf life and would be prone to dogs after say a week or two in the network. Anybody signing up for this could be unknowingly trafficking drugs or something else that's illegal directly to a DEA agent, and LE would throw the book at them. If you're the last link in the anon chain you're the guy who's going to be arrested handing over the package. However since payment has already happened, technically it wouldn't be trafficking (??) since no transaction occured.

As for safe drops, I wouldn't trust $1700 worth of Cocaine to be dropped somewhere. Also nobody would want to be on film going to pick it up. You could maybe rent a locker somewhere with a combo lock on it, but would always have to replace it to prevent theft. Plus cops would stake it out and watch to see who picked up or delivered.

I would 100% not recommend signing for anything in this network. In court that means you specifically requested/ordered the item and they have a legal signature to prove you intended to receive it for trafficking. Also if you are opening stuff to remail it, your fingerprints would be on the inside packages unless carefull clean gloves are used each time.

I'm also 100% sure authorities would easily get into the network to catch shipments, and prosecute whoever the next in the link was. If it was a large amount of say seeds destined to a possible big grow up bust or cocaine mixing agents, they would slip a GPS or RFID in there and track the package to destination then go pick them up.

A zealous prosecutor would indict everybody in the chain as 'working for a criminal organization' and probably give them 4-10yrs in the US this is pretty risky. Anonymous payments would be a better idea, somebody who wants to buy $30k worth of bitcoins for laundering or drugs spread the money throughout the network to avoid the $1k a day cash limit to buy without ID. that could work, but would be prone to rampant theft

[n0m4d]

First off - I want to thank someone in the field for answering.  It's valuable to find out the concerns of someone that's actually *in* the market for anonymous courier services.

I also want to point out that my interest here is in creating a framework for people, not a fully packaged product of framework AND trusted couriers.

I'm trying to delegate as much as possible things like shipping speed, number of cutouts in the chain, amount of trust in any particular link in the chain, etc - this should be up to the shipper.

The point of the framework is to create an anonymous trust network - let me ask you this: how do you measure trust within your network?  Obviously you're trusting shady folk with valuable items - what are your thresholds?  How does someone enter this network?  Are they free to leave it?  Is the network centralized?

These are questions I am attempting to address here.

Again, thanks for your perspective!