Silk Road forums
Discussion => Security => Topic started by: kmfkewm on November 04, 2012, 04:52 am
-
I believe that disabling new vendor registration is very dangerous. It asks for a large amount of trust from the community, and I do not believe it is a level of trust that we should have in the maliciousness or lack thereof of whoever has the controls of Silk Road at any given time. If the site is ever covertly compromised by law enforcement, I imagine that they may turn new vendor registration off. This is because it will completely remove the possibility of new legitimate vendors joining, and as they compromise vendor accounts over time and legitimate vendors retire, they will be able to skew the percentage of law enforcement run vendor accounts largely to their favor over enough time. The fact that Silk Road was open registration is largely what allowed us to be certain it was not a honeypot from the beginning; it allows us to rationalize that if we are allowed to open vendor accounts here then anyone else must be, and if anyone can be a vendor obviously not all of the vendors will be law enforcement. If the site is closed registration from the start, you cannot use that same line of reasoning in your assessment of the risk of utilizing the site.
I understand that there are some traffic issues with the number of new people joining heavily stressing the server and even the Tor network itself. First of all, know that many of the problems people are experiencing are limitations of Tor; its hidden services were not designed for such high traffic loads and number of simultaneously connected users. Improvements to Tor hidden service scaling are constantly being made, and if Silk Road is using an out of date version of Tor, switching to the latest version will probably significantly help it in scaling to a larger user base. Additionally, there are settings in Torrc that can be modified to help aid with scaling, and also some things you may have in Torrc that could be causing issues.
That said, I am not sure if your scaling problems are entirely confined to Tor (but I am certain that you are hitting limitations to Tor hidden service scalability). I am sure that you can afford enough bandwidth and high enough quality dedicated servers to run SR though.
-
Your initial logic is confused - it assumes registrations will be off for a long period of time, and unless I missed something it hasn't been stated that that is a plan.
Clearly blocking new anything impedes growth, that is probably helpful while experiments on scaling are done.
At least to me it is suspicious enough that the site is frequently very slow or unavailable, who needs more bizarrely complex scenarios to be paranoid about? Anything that works toward availability is helpful.
-
I agree with his logic actually. I don't think K was saying it will be off permanently, just discussing a potential threat that has arisen should new vendors not be able to register in the future.
I am in favor of limiting the amount of new buyers able to register, especially given the recent traffic/connectivity issues - but I feel the registration should remain open for vendors, which is important to the health of the market in more ways than just the honeypot risk.
-
Of course no one outside the SR team knows how the site is being held and protected, we just have an idea. But I'm sure that these methods have a traffic limit before they become unsafe for them and for us. The bigger it is, the harder it is to hide. You may think this is hurting us; I think this is actually protecting us. The only way to keep the site up and secure right now is to close registrations temporarily. I'm sure the team is figuring out a way to fix the presented/discovered issue to open the site again, I'm sure they will find a solution. Be patient and save this type of SR apocalypse paranoia for after some time of no solutions found. Be certain that the limit bar will rise but will still be there.
-
Of course no one outside the SR team knows how the site is being held and protected, we just have an idea. But I'm sure that these methods have a traffic limit before they become unsafe for them and for us. The bigger it is, the harder it is to hide. You may think this is hurting us; I think this is actually protecting us. The only way to keep the site up and secure right now is to close registrations temporarily. I'm sure the team is figuring out a way to fix the presented/discovered issue to open the site again, I'm sure they will find a solution. Be patient and save this type of SR apocalypse paranoia for after some time of no solutions found. Be certain that the limit bar will rise but will still be there.
The best bet would be to limit new customer registration but not to limit new vendor registration. Perhaps charge a small fee for customer registration for a while and turn off unlimited free registration. That makes more sense to me than turning off new vendor registration, and it doesn't have decreased security as a result. Plus then you can make some more bitcoins DPR ;).
It is true that the size of SR has hurt the anonymity of the clients connecting to it a bit. This is because its introduction points are being DDoSed by its clients. After they go down the hidden service eventually changes to new introduction points. Then clients can access the site for a bit again, until the new introduction points go down. When they go down, clients cycle through a huge list of circuits that all fail in an attempt to build a circuit to an introduction point. This causes clients to build a lot more circuits than they would if introduction points didn't go down so frequently. This is also why it appears down for some people while it is up for others: people who have already established a connection to the hidden service prior to its introduction nodes going down remain connected, but clients trying to establish a connection cannot. At least this was the theory on why very popular hidden services were having connectivity issues. I think this specific issue was fixed in a version of Tor a few releases back, so if you have not updated Tor recently that would be the first step. There are probably other issues as well and perhaps now you are running into another problem, but keeping Tor up to date is important so your hidden service can scale to larger numbers of clients.
I don't access the SR market so I have no idea what the connectivity issues look like. Can some people connect while others cannot? That would indicate you are still running into the problem I just described. Or is it down for everyone simultaneously? Perhaps its entry guards recently rotated and it got three low bandwidth ones that cannot handle the number of people who surf SR. The bandwidth of a hidden service's entry guards is one of the bottlenecks for how much traffic the hidden service can handle at a given time. Forcing early rotation could solve that, but rotating entry guards speeds up deanonymization of hidden services. You could even manually select some high bandwidth entry guards, but it also isn't really a good idea to override the entry guard selection algorithm of Tor.
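The introduction-point overload described in the post above, as an added toy simulation that is not from the post and not Tor's own code: intro points with an assumed capacity are knocked out by client introduce attempts, the service republishes fresh ones only after an assumed lag, and already-connected clients are unaffected while new ones burn circuits retrying. Every parameter (capacity, lag, max_tries) is a constructed stand-in for real Tor behaviour.

```python
import random
from dataclasses import dataclass

@dataclass
class IntroPoint:
    capacity: int      # introductions it can relay before it is overwhelmed (toy limit)
    served: int = 0
    up: bool = True

class HiddenService:
    def __init__(self, n_intro, capacity, lag):
        self.n_intro, self.capacity, self.lag = n_intro, capacity, lag
        self.rotations = 0
        self.publish()

    def publish(self):   # new descriptor with fresh introduction points
        self.intros = [IntroPoint(self.capacity) for _ in range(self.n_intro)]
        self.down_since = None
        self.rotations += 1

    def step(self, t):   # notice that all intro points died; republish `lag` steps later
        if all(not ip.up for ip in self.intros):
            if self.down_since is None:
                self.down_since = t
            elif t - self.down_since >= self.lag:
                self.publish()

def simulate(steps, arrivals, n_intro, capacity, lag, max_tries, seed=0):
    rng = random.Random(seed)
    hs = HiddenService(n_intro, capacity, lag)
    waiting = []                  # attempts left for each client still trying
    stats = {"circuits": 0, "connected": 0, "gave_up": 0}
    for t in range(steps):
        hs.step(t)
        waiting += [max_tries] * arrivals
        retry = []
        for tries in waiting:
            stats["circuits"] += 1                     # every attempt builds a circuit
            alive = [ip for ip in hs.intros if ip.up]
            ip = rng.choice(alive) if alive else None  # stale descriptor: nothing left
            if ip is not None and ip.served < ip.capacity:
                ip.served += 1
                stats["connected"] += 1   # rendezvous done; survives later intro failures
            else:
                if ip is not None:
                    ip.up = False                      # overloaded intro point drops out
                if tries > 1:
                    retry.append(tries - 1)
                else:
                    stats["gave_up"] += 1
        waiting = retry
    return {**stats, "rotations": hs.rotations}
```

Compare `simulate(20, 5, 3, 10**6, 3, 5)` with `simulate(20, 5, 3, 4, 3, 5)`: with ample intro capacity every client connects on its first circuit, while with small capacity the circuit count outruns connections and the service keeps rotating its descriptor.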
-
I don't think vendor accounts only would make much of a difference. Picture a completely new potential vendor who has never entered SR, knowing and checking nothing by himself, just rumors. Would he pay and register as a vendor? He would if he already knew the site and entered or ordered before, or maybe had a friend's recommendation, but would he do it blind? Also, I guess that is a band-aid solution. I think the team is trying to figure out a core solution; vendor only is like plan "C" or something.
-
I don't think vendor accounts only would make much of a difference. Picture a completely new potential vendor who has never entered SR, knowing and checking nothing by himself, just rumors. Would he pay and register as a vendor? He would if he already knew the site and entered or ordered before, or maybe had a friend's recommendation, but would he do it blind? Also, I guess that is a band-aid solution. I think the team is trying to figure out a core solution; vendor only is like plan "C" or something.
It is like "Plan that is secure and accomplishes the end goal"
-
I don't access the SR market ...
You don't get on SR? Can you explain? No offense, I appreciate your high-quality posts. I'm just surprised and curious.
-
I am well on my way into getting a vendor account next month, starting to think I should register before something weird happens. In the beginning many movie/music torrent sites were always open; then, as a mass influx of users presented itself, registration was not 24/7. I don't think you're going to get a mass influx of vendors willing to pay 150 who won't benefit the community. Prices on SR are not even cheaper than many private forums, so there is not a huge influx of competing vendors.. yet.
The most successful vendors are independent of suppliers and make/grow their own product.. I hope such vendors are always allowed to register.
-
I don't access the SR market ...
You don't get on SR? Can you explain? No offense, I appreciate your high-quality posts. I'm just surprised and curious.
I have friends who sell bulk amounts of all the drugs I use, and I can get better prices on personal use amounts from them than I could get at SR. Additionally I have done business with them for quite a few years, so I am not worried about having to trust them anymore. In addition to this, I am not currently vending and even if I decide to in the future I wouldn't bother working with anyone new considering I have friends who buy and sell in bulk. So I have no reason to browse through the market area. On the other hand, I have been participating on drug forums for many years and am rather addicted to them, and SR is the most active drug forum.