Silk Road forums

Discussion => Security => Topic started by: readyrock on October 28, 2011, 01:36 am

Title: Who washes their coins before buying?
Post by: readyrock on October 28, 2011, 01:36 am
I am curious.  Does everyone wash before buying?  Trying to see how many people actually do it or just buy and spend.

Title: Re: Who washes their coins before buying?
Post by: MrRibena on October 28, 2011, 03:08 am
I don't on the basis that a bitcoin address is not associated to a website in any way. I upload to MtGox than transfer to SR. Theres nothing tying my bank transfer to SR. Also SR does this (apparently):

"No personal information is associated with your bitcoins at all, making them ideal for anonymous transactions. Additionally, Silk Road employs a built-in tumbler that mixes all incoming bitcoins through a series of dummy transactions before they ever leave."
Title: Re: Who washes their coins before buying?
Post by: phubaiblues on October 28, 2011, 03:10 am
yup: instalwallet.org....a very good link...always make sure to bookmark...sometimes handy to have two...
Title: Re: Who washes their coins before buying?
Post by: ablebaker on October 28, 2011, 10:30 am
I suppose I should, but I figure if we can't rely on SR protecting our anonymity we're screwed anyway.
Title: Re: Who washes their coins before buying?
Post by: pulpfictionbro on October 28, 2011, 10:55 pm
I am curious.  Does everyone wash before buying?  Trying to see how many people actually do it or just buy and spend.

Umm everyone? I hope :P

But seriously its just a better practice to tumble your money around either on your own computer or on instawallet. Dunno if its really necessary or not but just helps me sleep a little better at night :)
Title: Re: Who washes their coins before buying?
Post by: awesome1126 on October 28, 2011, 11:04 pm
I always run my coins through 4-5 instawallets before sending them to SR. Overkill? Maybe. I don't think the hassle of an extra 10-60 minutes is that bad..
Title: Re: Who washes their coins before buying?
Post by: dothisthing on October 29, 2011, 04:40 am
I suppose I should, but I figure if we can't rely on SR protecting our anonymity we're screwed anyway.

This is false. You should assume SR is run by LE, or at least capable of being compromised by LE. You have no way of knowing how secure SR's web server is, but you can learn about PGP. The only person that should have any personal information about you is the one person that you have no choice but to provide it to and that is your vendor. Send it encrypted with your vendors key and no one but your vendor can read it. Would you really post identifying information unencrypted on a website for illegal activities? Take care of yourself.

To put it another way: if you use PGP to hide identifying information then, assuming vendors keep their private keys safe, it would make no difference if the site was a public forum, no one other than your vendor would know who you are.
Title: Re: Who washes their coins before buying?
Post by: dothisthing on October 29, 2011, 04:51 am
I always run my coins through 4-5 instawallets before sending them to SR. Overkill? Maybe. I don't think the hassle of an extra 10-60 minutes is that bad..

Do you, and the others, do this because your original bitcoin source is linked to you? Would you still do this if your source was a moneypak or bank deposit (like exchb and get-bitcoin) -> instawallet rather than a bank account?

Also, is there any difference between sending it to 2 instawallets and five? As I understand it, anyone can actually trace the money from your original source all the way to your SR wallet even through 10 instawallet. The advantage of sending it through an instawallet is that no one can prove you owned that instawallet so you could claim you sent the bitcoins to a friend who then sent them to SR and no one could prove otherwise. Is that not right?
Title: Re: Who washes their coins before buying?
Post by: phubaiblues on October 29, 2011, 04:59 am

Do you, and the others, do this because your original bitcoin source is linked to you? Would you still do this if your source was a moneypak or bank deposit (like exchb and get-bitcoin) -> instawallet rather than a bank account?

Also, is there any difference between sending it to 2 instawallets and five? As I understand it, anyone can actually trace the money from your original source all the way to your SR wallet even through 10 instawallet. The advantage of sending it through an instawallet is that no one can prove you owned that instawallet so you could claim you sent the bitcoins to a friend who then sent them to SR and no one could prove otherwise. Is that not right?

We just don't know.  It's too new, we haven't anything but rumor and hope.  So we protect as much as we can.  I presume the weakest in the herd, will be the ones picked off, whether it's ripoffs or LE, both of which I know operate on here.   We've got a crew who really likes using live linux distros, and protect our computers as best we can.  Others use a good Vm on top of a linux OS, figuring that will put up some protection...others use a live distro and take a drive somewhere, at least for drives.  Many of us use pgp when the vendor makes it available.

Again: we aren't sure hope we're doing enough.  It's an easy enough jump to instalwallet, and yes, it's to put something between us and our money.  We can't answer all your questions because it would be too revealing, but you get the idea...
Title: Re: Who washes their coins before buying?
Post by: happytree on October 29, 2011, 06:13 am
Well, I know I'm going to get my ass handed to me for daring to suggest this:

But, here is my argument against using PGP key encryption for name/addresses in transactions. If you are, in fact, using your real/name address, which is what's most commonly done/understood is the safest around here. Then, suffice to say, IF in the situation a controlled delivery were to take place, you have the ability to claim complete ignorance that you made the order: (hey, it was my roommate, pissed off ex-bf, ex-gf, or a junky neighbor).

LE's have no ability to tie you to your order, UNLESS they also have a copy of the vendor's downloaded key logs with your information - do you really think seller's DON'T print out those PGP text files? Because, then, your story about a pissed off ex bf/gf or junky neighbor seems less plausible. Why? Because, why would anyone BUT you go through the trouble of encrypting YOUR personal information?

As a matter of fact, I recall a seller doing a sale for a buyer after a sent encrypted address had been sent in for a previous ransaction, and the seller still had the buyer's information/address - and it had been a week or so.

My overreaching point here, is that yes, by proxy it's the "most safe". However, it's also the most extensively a sure-fire indicator that you yourself did the ordering, if that seller's system/info were ever compromised.

~kisses
Title: Re: Who washes their coins before buying?
Post by: Hermione on October 29, 2011, 01:20 pm
Do you, and the others, do this because your original bitcoin source is linked to you? Would you still do this if your source was a moneypak or bank deposit (like exchb and get-bitcoin) -> instawallet rather than a bank account?

I'm wondering the same thing.
Title: Re: Who washes their coins before buying?
Post by: phubaiblues on November 01, 2011, 07:22 am
Good point, HappyTree!  Hadn't thought of that, and deniability is everything...same as the argument against getting a fake-name p.o. box and shit...if u *do* get nailed a pgp key would be a hard-to-defend bit of evidence....I think sometimes a lot of this shit just makes us feel better, like the more encrypted we are, the safer we are, when really, such might not be the case at all...I think, as I've said, we just don't know what we are up against...

but yeah, I've got to have a few things that don't look good, Tor and whatever distro I'm using...but pgp...well, I just think more about packet sniffing and such, and don't want anything floating around in plaintext....
Title: Re: Who washes their coins before buying?
Post by: pulpfictionbro on November 01, 2011, 08:00 pm
I havent heard of any internet seller getting busted (except ene) and they got busted because someone tipped off the cops and then they just put the guy under surveillance and track your drop routes, search your house for drugs etc and nail you with that. I havent yet seen any digital proof being provided (i.e. Tor, gpg keys etc.)
Title: Re: Who washes their coins before buying?
Post by: lazypeepsarebusted on November 01, 2011, 08:26 pm
I suppose I should, but I figure if we can't rely on SR protecting our anonymity we're screwed anyway.

You certainly should. Bitcoin is not anonymous. You either need to load money to it anonymously, or you need to mix the money properly. SR doesn't properly mix your money. Also it is retarded to think that SR is responsible for your security. SR is responsible for the security of his server only. You are responsible for your security. Do you really think SR magically protects you? Don't be naive.
Title: Re: Who washes their coins before buying?
Post by: lazypeepsarebusted on November 01, 2011, 08:39 pm
Well, I know I'm going to get my ass handed to me for daring to suggest this:

But, here is my argument against using PGP key encryption for name/addresses in transactions. If you are, in fact, using your real/name address, which is what's most commonly done/understood is the safest around here. Then, suffice to say, IF in the situation a controlled delivery were to take place, you have the ability to claim complete ignorance that you made the order: (hey, it was my roommate, pissed off ex-bf, ex-gf, or a junky neighbor).

LE's have no ability to tie you to your order, UNLESS they also have a copy of the vendor's downloaded key logs with your information - do you really think seller's DON'T print out those PGP text files? Because, then, your story about a pissed off ex bf/gf or junky neighbor seems less plausible. Why? Because, why would anyone BUT you go through the trouble of encrypting YOUR personal information?

As a matter of fact, I recall a seller doing a sale for a buyer after a sent encrypted address had been sent in for a previous ransaction, and the seller still had the buyer's information/address - and it had been a week or so.

My overreaching point here, is that yes, by proxy it's the "most safe". However, it's also the most extensively a sure-fire indicator that you yourself did the ordering, if that seller's system/info were ever compromised.

~kisses

This is an example of law enforcement trying to degrade the quality of proper information on this website, trying to lure members into making poor choices. Anyone who has any idea what the fuck they are doing will tell you that you should use GPG. This is not a matter of opinion, it is a fact. Law enforcement use the previously demonstrated tactic to try to degrade the quality of information in the network. For example, here is a small bit of info from "Netwars: The future of crime, terrorism and militancy"

Quote
It is also possible to initiate internal attacks on
criminal networks, however, where the objective is to create dysfunc-
tional relations that seriously degrade the capacity of the network to
function effectively. One option, for example, might be to destroy
trust through misinformation and actions designed to create suspi-
cion and acrimony. One way of doing this would be to identify some
of the network crossovers and, rather than remove them, use them to
feed misinformation into the network. Not only could this have a cor-
rosive internal effect, but also it could encourage the criminals to
move in directions that make them increasingly vulnerable to exter-
nal attack.

Also, using your own name box is not the safest. Using a fake ID box is by far the safest. Look at enelysions bust. He had outgoing packages intercepted. People knew about his bust before others were busted. All of his customers who dropped fake ID boxes are not worrying. All of his customers who used their real boxes are now in LE databases. Using in state fake ID is the best though, using out of state can make you weak to intelligence attacks, as most people don't use out of state boxes if you have an out of state box you are statistically more likely to be a drug trafficker. I still suggest using fake ID over not, even if it is out of state.

also from the same document

Quote
The creation of false documents facili-
tates the movement of various kinds of contraband and people and
offers an extra layer of protection for those involved in criminal activ-
ities.

Read about information operations. They are a powerful LE tool. Use your brains people.

I suggest everyone reads this paper on Netwar if they care about understanding the advantages our mode of operation has, as well as the weaknesses to look out for.

faculty.cbpp.uaa.alaska.edu/afgjp/padm610/networks%20and%20netwar.pdf

download it via tor, open in a vm with no internet access after it has been downloaded.

PS: If this person was not LE and actually a security expert, they would say you should use FDE to encrypt your entire drive, including your GPG keys, to protect yourself from this attack.

But if you want to rely on application layer security (constantly compromised, essentially impossible to perfectly secure) to keep your information safe from LE as it transfers through the SR server, instead of rely on strong encryption (mathematically ensured security from a number of attacks...pretty much impossible to break with out quantum computers that currently don't exist and when they do exist will only be in the hands of agencies like NSA for a long time), be my guest.
Title: Re: Who washes their coins before buying?
Post by: phubaiblues on November 01, 2011, 10:15 pm
Thanks for that article: I think  we are mostly just not sure, whether to protect ourselves too much, and therefor look obviously guilty, or to protect ourself not enough, and attract heat.  We just aren't sure yet, and everybody who posts sounds reasonable, so it's hard to tell...I feel I'm pretty secure online, but worry mostly about complacency and laziness, as some of this stuff is timeconsuming...on the other hand, getting cracked is one of the most miserable things that can happen to a persron...it's just all new area....
Title: Re: Who washes their coins before buying?
Post by: faggot on November 01, 2011, 10:25 pm
cant help you there..i dont deal in coins :D...

but if i was to deal in coins...i wouldnt bother..not if im only buying...if im selling i would....

if you have a hardcore setup at home in regards to security, like i know you do, then its just a fuckin waste of time imo.lol...
Title: Re: Who washes their coins before buying?
Post by: lazypeepsarebusted on November 02, 2011, 12:15 am
Thanks for that article: I think  we are mostly just not sure, whether to protect ourselves too much, and therefor look obviously guilty, or to protect ourself not enough, and attract heat.  We just aren't sure yet, and everybody who posts sounds reasonable, so it's hard to tell...I feel I'm pretty secure online, but worry mostly about complacency and laziness, as some of this stuff is timeconsuming...on the other hand, getting cracked is one of the most miserable things that can happen to a persron...it's just all new area....

First of all, No. It is not an all new area, you are just all new to it. There have been source forums online for a long time. The first one I know of was around in the late 90's. The first modern-era (post webtryp) source forum started in ~2005. This is just the online drug trade scene we are talking about. If you take into consideration other illegal groups, like CP scene or hacker scene, the same techniques have been being used by them going back even longer. There have been dozens of drug source forums, dozens of CP groups, dozens of hacker forums, dozens of carder forums, etc. The techniques being used here are not new. We have ample case studies, legal paper work from busted people, etc to show which techniques work and which fail.

Second of all, there is no such thing as protecting yourself too much. You don't look suspicious by using GPG. If you are using Tor the attacker can't even tell you are using GPG, as your GPG ciphertext is encrypted by Tor until it gets to SR server. If you use FDE the attacker can't tell you are using GPG unless they gain access to your hard drive in its decrypted state, or use various techniques to remotely root your box or eavesdrop on you in other sophisticated ways. Not to mention it isn't illegal to use GPG. Your entire mindset is the exact opposite of how it should be. You want to protect from two things: evidence and intelligence.

Evidence = solid data that can be used to convict you of a crime
Intelligence = data that can be used by a skilled analyst to narrow in on evidence

Example of evidence: A drug package is in your mail box
Example of intelligence: You checked tracking with Tor (not illegal in itself). Statistically speaking, you are far more likely to have drugs coming to you if you check the tracking information with Tor.

Intelligence leads to evidence. You want to counter intelligence to keep the attacker away from evidence. You need to take various scenarios into consideration. You may say that it is intelligence that you are using GPG, because drug traffickers use GPG. The crowd size of GPG users is so large that it is weak intelligence at best, using GPG is not enough to realistically identify you as a drug trafficker. Not using GPG makes your address susceptible to interception at the SR server. SR server security is out of your hands, and preventing a hacker from rooting a given server is quite impossible. You can make it harder, but it is so far always possible to hack anything. Application layer attacks are far more likely to happen than GPG being cracked. If your address is intercepted from SR, it is intelligence. It is really evidence also, but I think looking at it as intelligence is best as you likely will not be convicted off of this information by itself. But it will be used to intercept your drug package, and lead to a CD, which is evidence that you ordered the package as far as the legal system is concerned. It is not up for debate, using GPG is by far the better choice. Anyone who says anything else either doesn't know what they are talking about or is a law enforcement agent engaging in information operations, trying to mislead people into making their job easier, a known and documented tactic for combating networked criminal organizations such as this one.

As far as mixing bitcoins goes, it is also provable that this is the smart choice to make. You just need to understand the technical details of bitcoin and mixing to understand this.. If you don't load your coins anonymously and don't mix them, LE is not going to have any trouble to fuck you, particularly if vendors use the same bitcoin account for multiple customers (centralization is bad). This is simply truth. Until they are mixed, your bitcoins are as anonymous as the method you used to get them.

Also, a lot of the security systems and techniques here have been evaluated by academic researchers. If you want to know what the best security choices are, I suggest you study security. Reading academic papers on anonymity is the reason that I know you should use Tor instead of VPN for anonymity. The people who suggest VPN tend to sell VPN (or work for LE, lol). The people who suggest Tor tend to have Ph.D next to their name and study traffic analysis in academic settings. Read some papers on mixing. Learn security yourself, the information is already out there and if you resort to trying to learn by trial and error you ARE going to end up in prison before you end up secure. This arms race has been ongoing for a long time now, and slow as they may be our adversaries are slowly but surely catching up. If you start today using hushmail you are going to be busted a lot faster than the first vendors who were using hushmail. Look at how the arms race has progressed ;) and then smile when you see who is winning ;P.
Title: Re: Who washes their coins before buying?
Post by: Blackwilly on November 02, 2011, 12:33 am
thanks!

but tl;dr
Title: Re: Who washes their coins before buying?
Post by: phubaiblues on November 02, 2011, 06:28 am
Thanks lazypeeps: you took some time to make a good case for protecting ourselves, and I appreciate it.  We've got a pretty determined crew of Tails users on here lately, and I've learned to update and upgrade as soon as I boot up,as they recommend.  Before IId used privatix, and liberte for a while, but Tails is just right on top of things, so I think they are fine...did you have an opinion on that?  Tail.s doesn't have persistant data storage but I've gotten used to that, and I like it that nothing is stored on computer
 
On btc I was totally ignorant, but after reading what you wrote, I'm more determined to learn how they work, as that seems to be so vital.  I don't keep mine on pc anymore, but strictly online, moving and splitting and tumbling, so I think that is covered fairly well. 

As you said, we  new to this, but we are determined to do our part in protecting ourselves, and it's just a matter of a little application, and we will learn what is necessary. 
Title: Re: Who washes their coins before buying?
Post by: dothisthing on November 06, 2011, 06:07 am
thanks!

but tl;dr

I recommend you read it anyway.

tl;dr Use PGP to encrypt identifying information! PGP is not illegal and is not evidence that you are doing anything wrong but not using it means your identifying information is just waiting to end up in LE hands.

tl;dr;tl;dr USE PGP!
Title: Re: Who washes their coins before buying?
Post by: anchientlib on November 06, 2011, 12:01 pm
I Wouldn't transfer my bitcoins to SR from mtgox.  I send bc to wallet and then to SR.

Peace 8)