Let's talk about tracking security

A few days ago a post on the Ag piqued my interest and so I joined in on the conversation despite just lurking on there. The topic of this was 'How and when to use tracking?' (post here: http://i4rx33ibdndtqayh.onion/index.php/topic,4862.0.html).

I presented a sensible option and was met with some really dumb remarks, some of them indicating that I was LE. This makes me wonder if some of these users even bothered to read my post or if they are ignorant to the methods that are keeping them safe. If the latter is the case, then for fuck sakes we're screwed. First off, my idea was an idea - one to be critiqued and see if anyone could punch enough holes in it to invalidate it. You know, science.

Here's the rundown.

The problem:

Checking and giving out of tracking numbers is currently a no-no. If you look on any listing on any DNM it says 'we do not give out tracking numbers for security reasons'. Sure, that makes sense. If some joe schmo looks up his tracking number while using tails/tor it's an instant flag on that package (assuming LE's are actually smart enough to do such a thing. I mean let's be honest, NSA, sure I'll give them that but your average LE is more or less a college graduate with about as much common sense as a high school principal. Just smart enough to lead a group of impressionable teenagers).

So, it makes sense that tracking numbers aren't freely given out and that one should never track an order using Tor and vendors knowing that their buyers are likely as ignorant as they are about how this shit all works, refuse to give it to them. Last thing a vendor wants is a package being flagged which just gets LE that much closer to finding them.

Problem is this is both an inconvenience to the buyer and a security concern. Let's take the example of the kid who ordered E pills and was suddenly willing to run out and get the mail for several days. Mom gets suspicious and shakes the kid down which ends up with mom turning him and the package into the cops. Another example, dear old dad ordered a little bit of reefer off the DNM and doesn't have a clue when it's supposed to show up. He waits patiently and takes off work early and no package and eventually decides it's a loss. He decides to work late and package shows up but his daughter is the one to receive it. She cracks it open and well, the story could go a few ways from there.

Second major issue is that DNM suggests using a proxy or VPN to check a tracking number. The problem with this is that proxies and VPNs are not completely secure. They leak information regardless of how careful you are, on top of the fact that your security is at the mercy of whatever systems admin is running that service. If the package has already been flagged while in transit and you visit up old usps.com using a proxy, it's possible that they are able to see who you are and this creates one more checkmark on the list of 'how much do we need to convict'. I don't know how you guys feel about this, but the fact is that nickel-and-diming poor security leads to a bad situation fast. Does anyone really want to find out where the threshold is that makes someone a target? Certainly not me.

Why it doesn't work:

The idea is that vendors shouldn't be concerned about giving tracking numbers out. It's a transparency issue for one, if a vendor says he shipped it then if there's a tracking number there is no doubt. Personally I've seen scores of people say the vendor said it was shipped then came back and a week later admits that it never was. It's a security issue because knowing when the package will arrive and shortening the window of when to swoop in and pick it up makes things a lot safer. It's a convenience issue, I paid you for something and would simply like to know if it's going to show up today or in one week. Do I need to get the roommate out of the house for a few hours to make sure he doesn't pick up something he's not supposed to? etc... Pretty simple right?

The fix:

I outlined a basic idea of this in the Ag post, which clearly was not well received. I'm not sure if I was fully alert when I did so, but even going back and re-reading it still seems like a decent idea. I'm sure there would be some issues to be concerned about, but overall it improves opsec. It's one less thing to be concerned about and improves the experience of both vendors and buyers at the same time.

  1. Set up a clearnet website (let's call it checkallyourtrackingnumbers.com). This website is promoted as being an easy way to dump a bunch of tracking numbers in regardless of the shipping company and get back all their statuses at once. It is marketed towards anyone that needs to track legitimate packages from ebay, amazon, bobsdildoshop.net etc... NOT just darknet packages.

  2. The twist is that once the clearnet service is hit the server reroutes all those tracking requests to the shipping companies' APIs back through tor.

  3. This creates a bunch of 'flagged packages' that are actually just dear old mom checking on when her knitting supplies from ebay are going to be delivered.

  4. DNMjoe needs to track his package and uses tails/tor to run this through the same website OR directly via the shipping companies' websites. Since there are many legit requests for tracking coming from Tor there is no way to tell what packages should or should not be flagged. Security through obscurity and the same idea behind running a tor relay. Mix that shit all together and no one knows where or who it came from.


Conclusion

Is this a small part of the big picture? Sure is, but it's an area that can be improved and would not be difficult to implement. The most difficult part is convincing non DNM users to use this tracking site. Possibly an effort of all dnm users spreading the good word with legit transactions would do the trick, but there's no doubt it would take time to get to the point where checking your packages via tor is no longer seen as a security concern and vendors can start providing these to alleviate buyers that need to see what status a package is in.

Please correct me if I'm wrong on something here or let me know if you can poke some holes in this.

I AM NOT SAYING TO GO AND START CHECKING YOUR PACKAGES VIA TOR - I'M SIMPLY OFFERING A SOLUTION SO THAT IN THE FUTURE YOU CAN


Comments


[2 Points] Admiral_8utthead:

I also think this is a great idea. Especially because checking using a vpn can potentially flag a package in the same way TOR can IF someone's actually monitoring tracking sites.

E.g. Sir Charles Cockburn, who lives in Her Majesty's UK, wants to order some premium bud from a USA based vendor WeedIsUs. Confident in his opsec, Sir Charles Cockburn logs on using his vpn to check the tracking on his package. His VPN broadcasts an IP address located in South Africa. Our friendly local LE, a Mr Anderson, raises his eyebrow at the disparity between the locations of the package's origin, destination and the presumed location of the party who is anxiously checking the tracking every 5mins from South Africa.


[2 Points] ThousandGrams:

Couldn't you avoid all this by going on a 3rd party tracking service like packagetrackr from a library or something? Yes it's inconvenient and you have to log in with a card that's in ur name but there's ways around that too.

I still haven't seen one source of proof that the USPS will "flag" a package because it was tracked thru Tor. Most CDs I've heard about were because LE had prior info that it was on the way or the package was caught by a drug dog, not because of a tracking #.


[1 Points] ahdadhhhhh:

This is a throwaway acct, I don't normally post on here but this is a concern all vendors have, not that it will compromise us, we assume cops have ordered from us, but that if the package gets taken we will have to reship.

I've shipped many packages and on occasion, the smaller stuff, I will check it with tor while in transit just to see if there are any problems, never once have I had one problem or delay.

We all look at security with "what is possible" glasses on but what is possible is often not what is real. It doesn't make sense why they wouldn't use this to flag packages but they don't, maybe they are already overwhelmed with the 3 billion packages they have to move and it's not worth the effort to scrutinize every tor-check package. On that note:

OP - Instead of trying to establish a complex business that must recruit non-darknet users to create doubt in the postal system, instead you just create a system that randomly checks all possible tracking numbers through tor, the odds of this hitting on so many legitimate packages are pretty high and will inevitably mask the rest of us. And of course because it's through tor there's no way to know who's doing it.


[-1 Points] sharpshooter789:

Cut back on the amphetamines lol. You are overcomplicating things. I don't really have a problem with vendors not sending tracking. Sure it's an inconvenience, but this isn't amazon.