Silk Road forums
Discussion => Security => Topic started by: Del Ellis on February 08, 2012, 06:58 pm
-
First off, I have a great deal of faith in SR and the administrator(s)' ability to keep everything secure and I wouldn't be surprised if there are "ripcords" that could be pulled if shit hits the fan to render the data unrecoverable by law enforcement.
However, I'm a little curious as to what the implications could be if law enforcement computer forensics types somehow hit the jackpot and could just raid wherever all of this data is sitting in one fell swoop. I'm not trying to speculate or pry for details about how the data is stored if that's what you're thinking reading this.
Forgive my ignorance as my understanding of bitcoin is, well, not very thorough. But since all bitcoin transactions are a matter of public record, what would happen if LE (or some rogue hacker group or anybody) got hold of all of the wallet data, the guts of the dummy transaction tumbler, all of that. Could they even possibly recover the bitcoin addresses used to deposit to this site, all of the bitcoin addresses used to make withdrawals to e-wallets and bitcoin exchanges (many of which are legit clearnet companies,) and subpoena these companies to provide personal information about sellers and customers alike, based on historical data about bitcoin addresses used to send/receive payments from SR?
What I'm mostly concerned about is the little blurb that you can still use your old deposit bitcoin addresses indefinitely even if you have requested a new one. Does that mean somewhere there's a MySQL database or something containing all of these, directly able to link them to our accounts? Would it not be possible to then trace back all of the "hops" through the tumbler, to whatever exchanges and/or e-wallets we may have used?
Maybe the nature of bitcoin inherently prevents this kind of thing from even being possible or provable from a forensics standpoint. Maybe the dummy transaction tumbler permanently discards all intermediate addresses (or uses some proprietary system that can't be unscrambled or back-tracked) and thereby rendering them completely unable to trace a direct, provable link from exchange/ewallet->SR->exchange/ewallet but is that really the case?
I guess only the administration can answer this definitively, and all we can really do is speculate, and I don't blame the administration for not even wanting to answer these kinds of questions in a public forum. If this has been debated and answered ad nauseam, I apologize. I'm just really concerned and curious about all of this.
-
Forgive my ignorance as my understanding of bitcoin is, well, not very thorough. But since all bitcoin transactions are a matter of public record, what would happen if LE (or some rogue hacker group or anybody) got hold of all of the wallet data, the guts of the dummy transaction tumbler, all of that. Could they even possibly recover the bitcoin addresses used to deposit to this site, all of the bitcoin addresses used to make withdrawals to e-wallets and bitcoin exchanges (many of which are legit clearnet companies,) and subpoena these companies to provide personal information about sellers and customers alike, based on historical data about bitcoin addresses used to send/receive payments from SR?
Buyers who achieved proper unlinkability from their drug money, be it by loading them anonymously or by mixing them, will be all right. Vendors who used mixes or unloaded them anonymously (much more difficult) will also be all right. Most everyone else will be fucked and susceptible to various financial network topology intelligence attacks, although most of them require large amounts of computing power to pull off. It all depends on how bored the feds are and how badly they want to get some people behind bars. From my experiences with past criminal networks, the feds have ruthlessly owned people who were easy pickings while people who were still vulnerable but were more difficult targets got away (the specific case I'm thinking of involved VPN use vs. Tor use).
What I'm mostly concerned about is the little blurb that you can still use your old deposit bitcoin addresses indefinitely even if you have requested a new one. Does that mean somewhere there's a MySQL database or something containing all of these, directly able to link them to our accounts?
Yes.
Would it not be possible to then trace back all of the "hops" through the tumbler, to whatever exchanges and/or e-wallets we may have used?
Maybe, the tumbler is a black box to everybody but the admin so he is really the only person that can comment on it. This is why I tell people that they're responsible for their own security and that they shouldn't expect SR to secure its users properly. :-)
Maybe the nature of bitcoin inherently prevents this kind of thing from even being possible or provable from a forensics standpoint.
Nope.
Maybe the dummy transaction tumbler permanently discards all intermediate addresses (or uses some proprietary system that can't be unscrambled or back-tracked) and thereby rendering them completely unable to trace a direct, provable link from exchange/ewallet->SR->exchange/ewallet but is that really the case?
We may never know.
I'm just really concerned and curious about all of this.
It makes me really happy to see vendors who actually have more than a passing interest in their security... you are obviously smart and know not to take what anybody without a "Ph.D" next to their name says at face value, so here's a couple of papers about stuff you touched on that you might find interesting:
http://supernet.isenberg.umass.edu/articles/finmeasure.pdf
http://arxiv.org/pdf/1107.4524v1.pdf
If it comforts you, there are groups that have been in this scene for a very long time and have had years to refine their operational security... they are basically unbustable unless they buy a key from a fed and are under surveillance while picking up a mail or GPS drop. Look at the arms race between us and our enemy and smile when you see who's winning. :-)
-
Would it not be possible to then trace back all of the "hops" through the tumbler, to whatever exchanges and/or e-wallets we may have used?
That's precisely why I recommend purchasing coins using cash or equivalent -- cash-in-the-mail, bank branch deposit, prepaid card -- or tumble thoroughly *before* forwarding to SR. (Maybe *both* for best security.) If DPR were somehow coerced to cooperate with LE, a DEA agent could be sitting at the front end of SR's mix logging every detail as the coins roll in.
-
I'm going on the fact that the creators who made this had security in mind. It's really just blind faith.
-
I'm going on the fact that the creators who made this had security in mind. It's really just blind faith.
Blind faith is a bad thing, especially when it comes to something like this. Everyone needs to assume that SR is compromised at all times.
-
I'm going on the fact that the creators who made this had security in mind. It's really just blind faith.
Blind faith is a bad thing, especially when it comes to something like this. Everyone needs to assume that SR is compromised at all times.
Why even use this service if you can't trust anyone lol
-
I'm going on the fact that the creators who made this had security in mind. It's really just blind faith.
Blind faith is a bad thing, especially when it comes to something like this. Everyone needs to assume that SR is compromised at all times.
Why even use this service if you can't trust anyone lol
Because if you utilize it properly, the risk of bad things happening is very low. Why expose yourself to unnecessary risk of jail time?
-
I'm going on the fact that the creators who made this had security in mind. It's really just blind faith.
Blind faith is a bad thing, especially when it comes to something like this. Everyone needs to assume that SR is compromised at all times.
Why even use this service if you can't trust anyone lol
Because if you utilize it properly, the risk of bad things happening is very low. Why expose yourself to unnecessary risk of jail time?
Exactly, so that's why the forums are here... to give users the chance to get their security situation under tabs
-
The DEA, FBI whatever would face the same problem they have when chasing professional drug dealers of the "normal" variety- it is not enough to see that there has been money changing hands, not enough that an informant says a person is selling, they have to connect any suspect to a transaction by solid evidence- for instance intercepting a sent package or somehow getting a seller's location, which is impossible with Tor if you have done things correctly. Look at the elements of any drug crime and you see that it is not easy, they have an uphill battle trying to prove these beyond a reasonable doubt with legal means that will stand up in court. And they are not going to be posing as sellers and arresting people who buy and send their addresses- that would be an "attempted purchase of a controlled substance" bust and in their and the public's eyes not worth the citation it was written on.
Source: Criminal law paralegal
-
I think all the bigtime sellers would be "analized" by the motherfucking DEA! Ha!
-
That's precisely why I recommend purchasing coins using cash or equivalent -- cash-in-the-mail, bank branch deposit, prepaid card -- or tumble thoroughly *before* forwarding to SR. (Maybe *both* for best security.)
Ironically cash has the same problem as bitcoin, although it's not as severe. When you take cash out of an ATM, the serial number is tracked. When you deposit it at the bank or buy a greendot card, that's tracked too. Now let's assume that you exchange your moneypak with a vendor that you also buy drugs from (there are at least three vendors I know of who sell both drugs and bitcoins). If they ever get pwnt, there's a money trail leading right back to you.
I'm going on the fact that the creators who made this had security in mind. It's really just blind faith.
There were some peeps from dzf that had that attitude and they're getting raped in jail now.
The DEA, FBI whatever would face the same problem they have when chasing professional drug dealers of the "normal" variety- it is not enough to see that there has been money changing hands, not enough that an informant says a person is selling, they have to connect any suspect to a transaction by solid evidence- for instance intercepting a sent package or somehow getting a seller's location, which is impossible with Tor if you have done things correctly. Look at the elements of any drug crime and you see that it is not easy, they have an uphill battle trying to prove these beyond a reasonable doubt with legal means that will stand up in court. And they are not going to be posing as sellers and arresting people who buy and send their addresses- that would be an "attempted purchase of a controlled substance" bust and in their and the public's eyes not worth the citation it was written on.
You're conflating evidence and intelligence. It's true that a money chain going back to you isn't indicative of drug trafficking, but it could draw attention that leads to evidence.
-
That's precisely why I recommend purchasing coins using cash or equivalent -- cash-in-the-mail, bank branch deposit, prepaid card -- or tumble thoroughly *before* forwarding to SR. (Maybe *both* for best security.)
Ironically cash has the same problem as bitcoin, although it's not as severe. When you take cash out of an ATM, the serial number is tracked. When you deposit it at the bank or buy a greendot card, that's tracked too. Now let's assume that you exchange your moneypak with a vendor that you also buy drugs from (there are at least three vendors I know of who sell both drugs and bitcoins). If they ever get pwnt, there's a money trail leading right back to you.
I'm going on the fact that the creators who made this had security in mind. It's really just blind faith.
There were some peeps from dzf that had that attitude and they're getting raped in jail now.
The DEA, FBI whatever would face the same problem they have when chasing professional drug dealers of the "normal" variety- it is not enough to see that there has been money changing hands, not enough that an informant says a person is selling, they have to connect any suspect to a transaction by solid evidence- for instance intercepting a sent package or somehow getting a seller's location, which is impossible with Tor if you have done things correctly. Look at the elements of any drug crime and you see that it is not easy, they have an uphill battle trying to prove these beyond a reasonable doubt with legal means that will stand up in court. And they are not going to be posing as sellers and arresting people who buy and send their addresses- that would be an "attempted purchase of a controlled substance" bust and in their and the public's eyes not worth the citation it was written on.
You're conflating evidence and intelligence. It's true that a money chain going back to you isn't indicative of drug trafficking, but it could draw attention that leads to evidence.
ATMs track the serial numbers of the bills that come out of the ATM to customers? Didn't know that... pretty fucked up.
-
It's also possible to figure out where cash goes between withdrawal and re-deposit. If for example you focus tracking on bills moving in and out of banks in a particular region and then further limit your scope by looking only at issuance to people thought to be part of drug networks and deposits from retailers and those same people, you will typically create a thin map that enters a steady state after around a year.
That map will have some holes in it but the feds can always fill it out with human intelligence by busting known important nodes and squeezing them for info on their transactions. Don't fuck with cash. :-)
-
You're conflating evidence and intelligence. It's true that a money chain going back to you isn't indicative of drug trafficking, but it could draw attention that leads to evidence.
Yes this is true. This is a perfect example of a case where an FBI wiretap warrant would be authorized. They have to show to a judge that they are pursuing a suspect that cannot (or likely would not) be caught by traditional means. I'm not sure to what extent they could monitor computer traffic under such a warrant, I believe any unencrypted, above-net communications could be monitored for sure. Intelligence will uncover a trail that will allow them to build a case. Something would have to cause their attention to be focused on you, Silk Road and Tor (and PGP) do a good job of keeping a person anonymous, and cops upon hearing about something like this would be perplexed, I think- they probably wouldn't try to spend the man-hours to make a very difficult case that they know they probably couldn't make anyway because of jurisdictional issues. I would be more afraid of the cops calling the FBI/DEA, but those agencies handle the very big fish. They choose their cases and likely would not spend what would amount to tens of thousands of dollars (federal investigations are very costly) to bust someone selling a little LSD or pot.
-
Ironically cash has the same problem as bitcoin, although it's not as severe. When you take cash out of an ATM, the serial number is tracked. When you deposit it at the bank or buy a greendot card, that's tracked too....
The solution for that would be to break the bills -- buy a bottle of liquor or packet(s) of cigarettes / chewing gum -- between the source (bank / ATM) and destination (other bank / card merchant).
-
There's a point where caution turns into unhealthy paranoia. If LEAs take SR's servers and attempt to arrest its customers, there's a finite amount of effort they're going to be willing to put forth into tracking them down. Now if you don't use any security beyond TOR and ship to your house? Yeah, they'll probably find you.
But no LEA in the world is going to be willing to track down the serial numbers of individual cash bills used in transactions like this, especially not given that they would have thousands of transactions to deal with. They just don't care enough. Now if you were doing something much worse than drug sales, like organizing murders or whatnot, then they might care.
But if all you do is make the occasional purchase or are a small-time vendor, just put just a little bit of extra effort into security and you'll be fine. Your enemy's apathy is the greatest defense you can ever possess.
-
Interesting discussion here. My question is this:
If SR servers and data were compromised and the data they got off it could possibly link buyers to transactions made and received on SR, and then based on that information they got a search warrant of the residence in question, would they still need to actually find the substance in question or at the very least some illegal substance? I might be wrong and probably am but while they may be able to bring charges against you, wouldn't they need to find actual physical evidence against you to make any kind of conviction? So as long as your house is free of illegal substances they will not be able to convict you of anything, despite any evidence they can gather online from prior transactions?
Of course the point is probably moot as most of us probably have drugs in our places at most times anyway, but still I would like to know.
-
If they don't find physical drugs they could still try to charge you for various crimes related to drugs but they will have a much much much harder time getting anything to stick.
-
The DEA, FBI whatever would face the same problem they have when chasing professional drug dealers of the "normal" variety- it is not enough to see that there has been money changing hands, not enough that an informant says a person is selling, they have to connect any suspect to a transaction by solid evidence- for instance intercepting a sent package or somehow getting a seller's location, which is impossible with Tor if you have done things correctly. Look at the elements of any drug crime and you see that it is not easy, they have an uphill battle trying to prove these beyond a reasonable doubt with legal means that will stand up in court. And they are not going to be posing as sellers and arresting people who buy and send their addresses- that would be an "attempted purchase of a controlled substance" bust and in their and the public's eyes not worth the citation it was written on.
Source: Criminal law paralegal
I know I am late but here I personally know someone charged with "conspiracy to attempt to possess". Just sayin.
-
There's a point where caution turns into unhealthy paranoia.
I disagree but whenever I have negative thoughts entering my mind too often I just smoke a bowl or drop some acid and I'm fine. :) Paranoia keeps me on my toes.
But no LEA in the world is going to be willing to track down the serial numbers of individual cash bills used in transactions like this, especially not given that they would have thousands of transactions to deal with. They just don't care enough. Now if you were doing something much worse than drug sales, like organizing murders or whatnot, then they might care.
This is likely true.
But if all you do is make the occasional purchase or are a small-time vendor, just put just a little bit of extra effort into security and you'll be fine. Your enemy's apathy is the greatest defense you can ever possess.
I used to think this way... then I saw the feds go after buyers and small time vendors I knew... I'll never forget the way the fed bastards did some of my friends who are now stretched out in prison for a while and I'll never let them do me the same way.
-
I know I am late but here I personally know someone charged with "conspiracy to attempt to possess". Just sayin.
A lot of times they mess up the charges on the information or indictment- duplicating them or stating them wrong- as long as they quote the statute number then they are alright. Conspiracy involves an agreement between two or more people (and neither of them can be a cop or CI) plus a substantial step taken toward the accomplishment of the crime. Attempt is more general and would be what the LE would charge someone with if one of the conspiring parties was a cop. That said, and while I don't doubt they messed up your friend's charging documents, a person cannot attempt to conspire; if they spoke with someone about the crime and made a substantial step it is conspiracy, if not, they have not committed a crime.
-
My boy called his dealer, said "can I come over?". Dealer said "what you want an eight ball of cocaine" or something equally retarded. The dealer's phone was tapped as he was a big (enough) timer in our area. His house was under surveillance and they got my boy's plates coming and going. Never got him with any drugs though. Charged him with "conspiracy to attempt" to get him to roll over on the dealer, he didn't, and the charges stuck. Just sayin', watch your back y'all, don't deal with idiots.
This was local LE in the USA by the way, no feds or anything.