Bitcoin Forum
Author Topic: Silk Road: anonymous marketplace. Feedback requested :)  (Read 152802 times)
CryptikEnigma
April 13, 2011, 08:51:42 PM
 #161

http://silkroadmarket.org/ says they closed up shop, or has it always been like that to throw people off or something?
Jered Kenna (TradeHill)
April 13, 2011, 09:59:05 PM
 #162

http://silkroadmarket.org/ says they closed up shop, or has it always been like that to throw people off or something?

Seems like business is good, don't know why they would.
Can anyone confirm one way or the other?

BitterTea
April 13, 2011, 10:00:42 PM
 #163

http://silkroadmarket.org/ says they closed up shop, or has it always been like that to throw people off or something?

Seems like business is good, don't know why they would.
Can anyone confirm one way or the other?

They shuttered silkroadmarket.org, which was just a portal page. The actual site, on Tor, appears to be operating as normal.
Modoki
April 14, 2011, 11:03:15 AM
 #164

Well, I can't view the site with TOR or tor2web.
Also a restart of TOR did not help.
Any advice?
Greets!
silkroad (OP)
April 14, 2011, 05:48:27 PM
 #165

Oops, somebody forgot their whois privacy when they renewed their domain.

I hope that's not the owner's real info...

I seriously doubt the owner of the visible website is directly connected to whoever runs the Silk Road hidden service on Tor.

Oops, it gets worse. Whoever bought the visible website is hosting it with a US company that is reselling server4you.de services. If someone was silly enough to put the Tor hidden service on that server, thinking it safe since it isn't in the US, they're in for a rude awakening when the US company they're paying the bill to grabs the server's data and hands it over to the FBI. I sincerely hope that whoever is running the show didn't make a mistake like that.

Hi everyone, glad to see this thread is remaining popular.  Just to address the quote above in case it concerns anyone, the portal page and tor site are completely separate and neither can be traced back to any physical persons at Silk Road in any conceivable way.  The portal page was an afterthought to get more traffic to the site, but did its job too well, over-exposing Silk Road.  We will reopen it when we feel like the site is ready for that kind of exposure.

On another note, I would like to bring this thread back to the "Feedback requested" part of the title.  I am especially interested in hearing from anyone with a lot of experience in network security about how to improve the anonymity of the site beyond running it as a tor hidden service.  How would YOU do it?  What are some worst-case scenarios?

Thanks everyone for your support :)
FatherMcGruder
April 14, 2011, 06:39:52 PM
 #166

Hi everyone, glad to see this thread is remaining popular.  Just to address the quote above in case it concerns anyone, the portal page and tor site are completely separate and neither can be traced back to any physical persons at Silk Road in any conceivable way.  The portal page was an afterthought to get more traffic to the site, but did its job too well, over-exposing Silk Road.  We will reopen it when we feel like the site is ready for that kind of exposure.

On another note, I would like to bring this thread back to the "Feedback requested" part of the title.  I am especially interested in hearing from anyone with a lot of experience in network security about how to improve the anonymity of the site beyond running it as a tor hidden service.  How would YOU do it?  What are some worst-case scenarios?

Thanks everyone for your support :)

After Oink went away, new tracker sites started up to fill the void, kind of like a hydra. Because of open source tracker software, new heads grew quickly. Do you think there's anything you can do, or have you already done things, to facilitate the creation of new hydra heads in the unfortunate case that the authorities shut down Silk Road?

UncleIroh
April 14, 2011, 06:53:19 PM
 #167

Oops, somebody forgot their whois privacy when they renewed their domain.

I hope that's not the owner's real info...

I seriously doubt the owner of the visible website is directly connected to whoever runs the Silk Road hidden service on Tor.

Oops, it gets worse. Whoever bought the visible website is hosting it with a US company that is reselling server4you.de services. If someone was silly enough to put the Tor hidden service on that server, thinking it safe since it isn't in the US, they're in for a rude awakening when the US company they're paying the bill to grabs the server's data and hands it over to the FBI. I sincerely hope that whoever is running the show didn't make a mistake like that.

Hi everyone, glad to see this thread is remaining popular.  Just to address the quote above in case it concerns anyone, the portal page and tor site are completely separate and neither can be traced back to any physical persons at Silk Road in any conceivable way.  The portal page was an afterthought to get more traffic to the site, but did its job too well, over-exposing Silk Road.  We will reopen it when we feel like the site is ready for that kind of exposure.

On another note, I would like to bring this thread back to the "Feedback requested" part of the title.  I am especially interested in hearing from anyone with a lot of experience in network security about how to improve the anonymity of the site beyond running it as a tor hidden service.  How would YOU do it?  What are some worst-case scenarios?

Thanks everyone for your support :)

Every day I look at your website wanting to order something... and every day I close the browser thinking "no, too risky!"
Is there a discreet way of telling to which country products have been shipped successfully?

Maybe there could be some sort of anonymous country-related feedback... dunno
error
April 14, 2011, 08:24:57 PM
 #168

Hi everyone, glad to see this thread is remaining popular.  Just to address the quote above in case it concerns anyone, the portal page and tor site are completely separate and neither can be traced back to any physical persons at Silk Road in any conceivable way.  The portal page was an afterthought to get more traffic to the site, but did its job too well, over-exposing Silk Road.  We will reopen it when we feel like the site is ready for that kind of exposure.

If you say so. :)

On another note, I would like to bring this thread back to the "Feedback requested" part of the title.  I am especially interested in hearing from anyone with a lot of experience in network security about how to improve the anonymity of the site beyond running it as a tor hidden service.  How would YOU do it?  What are some worst-case scenarios?

There exist attacks which can potentially locate a hidden service. Therefore, make sure the server it's running on is also paid for anonymously, and can be relocated quickly if necessary.

vwckw
April 14, 2011, 08:51:07 PM
 #169

There is also the http://g7pz322wcy6jnn4r.onion/opensource/ovdb/ac/index.php drug market.

Tracing hidden services is trivial for a skilled attacker. The best way to do it is to send a time modulated stream of packets to the hidden service over many different circuits. Hidden services open a new circuit for every rendezvous point and the clients can select to use as many rendezvous points as they desire. This makes locating hidden service entry guards easy as you can flood some nodes to the network and look for the pattern in the packets you send to the hidden service. This will locate the three entry guards which can then be trap and traced to find the hidden service's location, or tons of other attacks. Don't count on Tor hidden service to give you a server that can't be traced! You should edit the Tor source code to select for a four or five hop circuit, with the first two or three nodes being guards (from a small pool, meaning two-three guard chain). You could select to use a single entry guard, this will reduce the chance that the attacker owns one of them. However it is bad for uptime and there are some other attacks that this could theoretically be weaker to than using three guard nodes. I personally think it is a good idea, others may disagree.

The main risk if the attackers locate the hidden service is that they could take it over and be in a good position for application layer side channel attacks.  All orders must be encrypted with GPG if you want a chance, this helps tremendously because then if the server is compromised the attacker can not impersonate vendors or harvest customer addresses. The hidden service being compromised should be assumed after some time. You can make it harder for the attacker to trace the hidden service on the application layer by using a few techniques. First of all you can run things on an OpenBSD server with ASLR and a 64 bit processor to make buffer overflow attacks all but impossible. If you have some money to spend I suggest you make a tamper resistant case that can detect if it is physically penetrated and wipe the volatile memory, put the ram in encapsulation material and do co-location anonymously. Be careful not to leave DNA fingerprints or other links on the physical server if you go this route. You can isolate the server by putting it on a virtual machine, isolate the processes by using BSDjails style virtualization inside this VM. Tor should be in its own VM separate from the VM the web server is in, with all traffic forced on the host to go through the Tor VM. This way an application layer compromise of the web server can not side channel Tor unless the attacker can go through the hypervisor. You should also use mandatory access control profiles to really lock the web server down as much as possible.

The biggest thing to worry about is geolocation intelligence being coupled with Tor observability. I imagine these sites are going to be attacked by the feds intersecting the crowd of Tor users with the people in a rough proximity of where packages are shipped to narrow in on a likely suspect pool. In other words, you should worry less about the hidden service and more about the operational security of the vendors. Vendors should not connect from home or even use Tor or other anonymizers from home. They should use Tor bridges to offer membership concealment, however it is not known if the FBI or DEA are capable of detecting bridged connections. Using bridges makes you easier to trace through the network but for our threat model membership concealment is quite important... the feds don't need to trace through the network they can look for connections into the network since they can determine geolocation from mail.

I suggest that you make a clear separation between order retrieval and order decryption. Use Tor + Bridges + open wifi in always changing random locations, not from a car but on foot + ASLR + MAC + FDE + General hardening on the machine you use to get orders. Another option is to use a live CD, these will not be as technically secure as you can configure things yourself but they have the huge advantage of leaving no traces as soon as they are shut down which will give you more plausible deniability in court than if you refuse to decrypt a machine. Another disadvantage of live CD is the lack of ability to use bridges usually, open Wifi is not true membership concealment but rather location unlinkability (the attacker will likely be able to determine where Tor connections were made from, but they may not be able to link these geographic locations connections were made from to your base location). You should also use a virtual machine with NAT connection so that if your order retrieval machine is hacked they can not access your WiFi adapter and pull nearby MAC addresses to geoposition you. Plus Tor / Browser separation via a VM and firewall rules on the host.

After encrypted orders are retrieved you should burn them to a CD still encrypted. The decryption should take place on a fully separate machine with no access to the internet. This way even if they manage to compromise the machine that can connect to the internet, they can only pull ciphertext. If they compromise the decryption machine, they can not communicate back customer addresses. You could build a copper mesh cage to contain the decryption machine and cover it with blankets and generate noise to create a makeshift SCIF, to protect from transient electromagnetic signals being used to reconstruct your monitor / hidden cameras pulling the screen/keyboard, acoustic analysis of keystrokes. Or you could use an on screen keyboard to protect from audio analysis of keystrokes. There are disadvantages to using a SCIF, primarily you will have a hard time to explain it in court and copper mesh is not cheap. On the other hand, if they do Van Eck radiation analysis to pull your screen they pretty much win anyway. Your best bet is to make it so they can't find your location to do this sort of attack in the first place.

I would also consider compartmentalising customer support from shipping. Communicate with the shipper using steganography or some covert channel to conceal the link.
zssuh
April 14, 2011, 09:12:08 PM
 #170

After Oink went away, new tracker sites started up to fill the void, kind of like a hydra. Because of open source tracker software, new heads grew quickly. Do you think there's anything you can do, or have you already done things, to facilitate the creation of new hydra heads in the unfortunate case that the authorities shut down Silk Road?

This concept (many hydra heads) is known as Netwar.

http://g7pz322wcy6jnn4r.onion/opensource/polyfront/netwar.html

Also check the Wikipedia article and maybe read about the RAND group's analysis of it. Netwar is giving power to the people over the hierarchy organization of the state.

The best thing the drug scene can do is embrace Netwar and take it to its pinnacle. We need to remove all the centralization, many hydra heads with every node its own command and control is a vast improvement over the statist organizational models, but full decentralization is what we must aim for. There should be no single point of compromise, or any centralization at all. We need to become a fully decentralized all channel network, with the infrastructure not being run by silk road or open source but rather being run by every node of the network, with each node also being its own command and control. We are currently and have been for some time developing the technology required for this to happen.
Anonymous
Guest

April 15, 2011, 01:45:14 AM
 #171

I am both scared and amazed all at the same time by these posts.
Jaime Frontero
April 15, 2011, 04:48:24 AM
 #172

I am both scared and amazed all at the same time by these posts.

This is how money works...
caveden
April 15, 2011, 07:18:43 AM
 #173

Tracing hidden services is trivial for a skilled attacker. The best way to do it is to send a time modulated stream of packets to the hidden service over many different circuits.

It's not the first time I read this... for this to work, wouldn't the attacker need to be working together with all ISPs and backbones that route these circuits? If not, how would the attacker track such stream of packets?
Jered Kenna (TradeHill)
April 15, 2011, 01:25:29 PM
 #174

Tracing hidden services is trivial for a skilled attacker. The best way to do it is to send a time modulated stream of packets to the hidden service over many different circuits.

It's not the first time I read this... for this to work, wouldn't the attacker need to be working together with all ISPs and backbones that route these circuits? If not, how would the attacker track such stream of packets?

You'd have to really piss someone off (like the government) to go to that much effort or have something really valuable.

The posts above are pretty damn intense. Seems like a lot to go to and one screw up could get you caught. Awesome to read though.
Maybe easier to just locate yourself in a friendlier country.

wzpby
April 15, 2011, 01:31:32 PM
 #175

The previous posts are overkill security. In practice the federal police agencies fail to compromise much less secure targets. I think that CIA/NSA would have trouble to compromise a target that takes the precautions mentioned, however they might stand a chance. However, I suggest people try their best to follow the tips even though they are currently not required to counter federal police.

Regarding Tor, the attacker does not need the cooperation of ISP or other external attackers. They merely need to do a Sybil attack and add some nodes to the network. The attack is essentially the same as this one: http://freehaven.net/anonbib/cache/hs-attack06.pdf

The Tor devs added entry guards to counter this attack. However, there is a single entry guard between the hidden service and the attacker, the entry guards are selected from a pool of three nodes. So it is trivial for an attacker to find three nodes that have a direct link with the hidden service. If they can compromise one of those identified nodes, the hidden service is traced.
glowbandit318
April 16, 2011, 03:23:12 PM
 #176

how do we join, and when can we?
JackSparrow
April 16, 2011, 05:14:11 PM
 #177

how do we join, and when can we?

-.- get TOR and use the URL in SilkRoads signature. Even if it seems so, this is not a topic about "how tor works".
Do not look it in the eye
April 16, 2011, 07:10:51 PM
 #178

The best thing the drug scene can do is embrace Netwar and take it to its pinnacle. We need to remove all the centralization, many hydra heads with every node its own command and control is a vast improvement over the statist organizational models, but full decentralization is what we must aim for. There should be no single point of compromise, or any centralization at all. We need to become a fully decentralized all channel network, with the infrastructure not being run by silk road or open source but rather being run by every node of the network, with each node also being its own command and control. We are currently and have been for some time developing the technology required for this to happen.

I've read with interest the long and informative posts about infosec and so forth in this thread and the "heroin store" thread, but this is a really fascinating idea.

Were you thinking along the lines of a network of anonymous gpg identities, each participant signing the other's key and building a web of trust that can easily be transferred anywhere ASCII goes, so if one venue goes down the next can pop up with the survivors and still maintain much of the credibility of its predecessor? It seems that this could be quite reliable if a simple framework where gpg was required to participate was implemented.

-.- get TOR and use the URL in SilkRoads signature. Even if it seems so, this is not a topic about "how tor works".

Sorry to sidetrack this discussion further but interesting threads deserve interesting digressions.
mndrix
Michael Hendricks
April 16, 2011, 10:00:20 PM
 #179

Were you thinking along the lines of a network of anonymous gpg identities, each participant signing the other's key and building a web of trust that can easily be transferred anywhere ASCII goes, so if one venue goes down the next can pop up with the survivors and still maintain much of the credibility of its predecessor? It seems that this could be quite reliable if a simple framework where gpg was required to participate was implemented.

I think that's a great description of why the #bitcoin-otc web of trust is such a valuable tool for our community.
Grix
April 18, 2011, 10:09:40 PM
 #180

This site is majorly bugged.. I can't log in to my account(s). If I have special characters in my password, which all passwords should have, then I get an "Invalid password" even though it's correct. If I don't have special characters and write my password correctly, the site just refreshes and nothing changes.
