Silk Road forums
Discussion => Security => Topic started by: a_blackbird on April 23, 2012, 09:07 am
-
Ok, standard disclaimer. The stuff I'm about to say *should* be painfully obvious to all of you. Unfortunately, I don't think it is.
Background: The CFP went out last week for the skytalk track at DEFCON 20, and as a result I've been thinking a lot about attacks on Tor, anonymity, privacy, bitcoin, our security here on SR, and all sorts of other related topics. Earlier today, I got a little curious, and so I decided to do a little digging around on the clearnet just to see what I might find.
1. The clearnet website http://tor2web.org actually gets indexed by Google. Maybe some of you knew that. I didn't, up until earlier today. More importantly, this forum is in it. So imagine my surprise when I typed into Google a fairly uncommon username that belongs to a fairly prolific poster on these forums. I wasn't expecting to get any hits at all, but instead, what's the first hit? A link to dkn255hz262ypmii.tor2web.org which contains a thread that this particular person has posted in. I've suggested to the powers that be that this forum really ought to not allow anonymous browsing; if you want to come in and read the shit we're talking about, an authenticated session should be mandatory.
2. For the love of all that is good and holy, don't use a handle on this forum or an email address which is in any way whatsoever connected to anything you do IRL, legitimate or not. Some of you may know the recent story of a vendor (read the rumor mill if you don't know who I'm talking about) who used to have really top marks and has since disappeared due to blackmail threats from some supposed "hacker". Well, that so-called "hacker" didn't do jack shit except put this vendor's username into Google and logically extrapolate from there. There wasn't any "hacking" involved, the guy was just a fucking script kiddie. This vendor made the mistake of linking his IRL business (which, AFAICT, had nothing at all to do with the illegal chemical trade) with his SR business via usernames. Let's be realistic here - "coveryourass1234@tormail.net" isn't much of a disguise when your regular email address is "coveryourass1234@gmail.com" and your YouTube account name is also "coveryourass1234". I feel really bad for the vendor that this happened to, and I hope he's OK, because he seemed like a really good dude - but Jesus H. Christ, wise the fuck up.
What makes this worse is that it's not an isolated incident. With the very next username I tried (also a well-known vendor that has had a good reputation) the first hit that came up (again, a fairly uncommon handle) turned out to be the dude's profile on the dating site PlentyOfFish - full-color photo, age, location, clearnet email addresses, and expressed love for smokin' up the 420 right there for anyone to see. *facepalm*
I'm sure there are more - there are certainly a lot more names that just come up on tor2web.org's mirror. In any event, given the recent chaos with TFM and some of those other sites that I'd never heard of before last week, it seems to me that this would be a good time for everyone to really give a critical assessment to their security protocols and making sure that their SR identities are as decoupled from their IRL identities in every way possible. If a bored, over-tired, under-slept, and mildly curious chap like myself can uncover this kind of thing with but a modicum of work, imagine what a more interested and determined adversary might be able to find.
This has been a public service announcement. We now return you to your regularly-scheduled programming.
-
I'm blown away by the idea that a vendor on SR could be so stupid as to use a handle that they use on clearnet. I mean come on. I feel bad for him/her, and I wish it hadn't happened, but in a way they kind of deserve it for being that fucking stupid. How can you be a vendor here and not be smart enough to figure that shit out?
Good post, OP.
-
Very good post, thanks OP.
My mind boggles that anybody would be so stupid as to sell stuff using any info that can be linked back to their IRL identity, I do not even have the same username between SR and the forums!
-
"The quieter you become, the more you are able to hear..." Backtrack wisdoms
-
I've suggested to the powers that be that this forum really ought to not allow anonymous browsing; if you want to come in and read the shit we're talking about, an authenticated session should be mandatory.
I am suggesting this too, this forum should NOT allow private browsing!
-
I've suggested to the powers that be that this forum really ought to not allow anonymous browsing; if you want to come in and read the shit we're talking about, an authenticated session should be mandatory.
I don't see how disabling anonymous browsing is going to protect this forum and the community in any way. Those who wish to browse and see what we're up to can easily create a throwaway account.
-
Ok, standard disclaimer. The stuff I'm about to say *should* be painfully obvious to all of you. Unfortunately, I don't think it is.
Background: The CFP went out last week for the skytalk track at DEFCON 20, and as a result I've been thinking a lot about attacks on Tor, anonymity, privacy, bitcoin, our security here on SR, and all sorts of other related topics. Earlier today, I got a little curious, and so I decided to do a little digging around on the clearnet just to see what I might find.
1. The clearnet website http://tor2web.org actually gets indexed by Google. Maybe some of you knew that. I didn't, up until earlier today. More importantly, this forum is in it. So imagine my surprise when I typed into Google a fairly uncommon username that belongs to a fairly prolific poster on these forums. I wasn't expecting to get any hits at all, but instead, what's the first hit? A link to dkn255hz262ypmii.tor2web.org which contains a thread that this particular person has posted in. I've suggested to the powers that be that this forum really ought to not allow anonymous browsing; if you want to come in and read the shit we're talking about, an authenticated session should be mandatory.
2. For the love of all that is good and holy, don't use a handle on this forum or an email address which is in any way whatsoever connected to anything you do IRL, legitimate or not. Some of you may know the recent story of a vendor (read the rumor mill if you don't know who I'm talking about) who used to have really top marks and has since disappeared due to blackmail threats from some supposed "hacker". Well, that so-called "hacker" didn't do jack shit except put this vendor's username into Google and logically extrapolate from there. There wasn't any "hacking" involved, the guy was just a fucking script kiddie. This vendor made the mistake of linking his IRL business (which, AFAICT, had nothing at all to do with the illegal chemical trade) with his SR business via usernames. Let's be realistic here - "coveryourass1234@tormail.net" isn't much of a disguise when your regular email address is "coveryourass1234@gmail.com" and your YouTube account name is also "coveryourass1234". I feel really bad for the vendor that this happened to, and I hope he's OK, because he seemed like a really good dude - but Jesus H. Christ, wise the fuck up.
What makes this worse is that it's not an isolated incident. With the very next username I tried (also a well-known vendor that has had a good reputation) the first hit that came up (again, a fairly uncommon handle) turned out to be the dude's profile on the dating site PlentyOfFish - full-color photo, age, location, clearnet email addresses, and expressed love for smokin' up the 420 right there for anyone to see. *facepalm*
I'm sure there are more - there are certainly a lot more names that just come up on tor2web.org's mirror. In any event, given the recent chaos with TFM and some of those other sites that I'd never heard of before last week, it seems to me that this would be a good time for everyone to really give a critical assessment to their security protocols and making sure that their SR identities are as decoupled from their IRL identities in every way possible. If a bored, over-tired, under-slept, and mildly curious chap like myself can uncover this kind of thing with but a modicum of work, imagine what a more interested and determined adversary might be able to find.
This has been a public service announcement. We now return you to your regularly-scheduled programming.
Good post, +1.
-
I don't see how disabling anonymous browsing is going to protect this forum and the community in any way. Those who wish to browse and see what we're up to can easily create a throwaway account.
Enough said.
Peace
The Flipside Crew
-
A great PSA, thank you. Identity sandboxing is the first thing I instructed people to do in my password security thread, and with the recent developments it has become even more important.
-
I've suggested to the powers that be that this forum really ought to not allow anonymous browsing; if you want to come in and read the shit we're talking about, an authenticated session should be mandatory.
I don't see how disabling anonymous browsing is going to protect this forum and the community in any way. Those who wish to browse and see what we're up to can easily create a throwaway account.
Would at least keep it from being as simple as a google search. I agree, it wouldn't make us miles more safe but a little more protection is better than none.
-
How do you know these vendors aren't one step ahead of you?
If I was choosing a vendor name I'd go to some weed-themed site, find someone in my location, and then use their name. That way it's a massive red herring.
-
I've suggested to the powers that be that this forum really ought to not allow anonymous browsing; if you want to come in and read the shit we're talking about, an authenticated session should be mandatory.
I don't see how disabling anonymous browsing is going to protect this forum and the community in any way. Those who wish to browse and see what we're up to can easily create a throwaway account.
Would at least keep it from being as simple as a google search. I agree, it wouldn't make us miles more safe but a little more protection is better than none.
That's exactly it. Obviously anyone can create as many fake accounts as they want - but at least keep forum posts off the damn search engines. (Unfortunately, they're just going to end up on pastebin.com anyway.)
-
What makes this worse is that it's not an isolated incident. With the very next username I tried (also a well-known vendor that has had a good reputation) the first hit that came up (again, a fairly uncommon handle) turned out to be the dude's profile on the dating site PlentyOfFish - full-color photo, age, location, clearnet email addresses, and expressed love for smokin' up the 420 right there for anyone to see. *facepalm*
Are you sure that they are the same people though? I mean just because the same username is used and the profile may seem like a match that doesn't mean they are the same person. Case in point, I just thought of the name Calitrees like a month ago so this is the only place I've ever used it. But if you google it you'll find a lot of calitrees out there. Probably even a PlentyofFish account too. I bet they are all males from california that enjoy marijuana and in a very similar age range. But they aren't all the same people.
-
Let's all use real first and last names of anti-drug (freedom) politicians.
-
Let's all use real first and last names of anti-drug (freedom) politicians.
I like this idea.
Imagine if RickSantorum was in the top 1% of sellers?
-
Are you sure that they are the same people though? I mean just because the same username is used and the profile may seem like a match that doesn't mean they are the same person. Case in point, I just thought of the name Calitrees like a month ago so this is the only place I've ever used it. But if you google it you'll find a lot of calitrees out there. Probably even a PlentyofFish account too. I bet they are all males from california that enjoy marijuana and in a very similar age range. But they aren't all the same people.
I see your point, sure, but CaliTrees isn't really that unique of a name, either. Probably more unique than "blackbird" to be sure, but not as unique as, say, "kmfkewm" (note, I'm just using his handle as an example - I did not find KMF on a dating site).
Do I know with absolute 100% certainty that this person on PlentyOfFish is the same person that sells here on SR under the same name? No, I suppose not, but if you put together all the factors, and then you start comparing the writing styles of the PoF account with the posts that this person has made on this forum, it paints a pretty scary picture. Part of me would like to say who it is so that you can go check for yourself and make up your own mind, but I feel like doing that would just be seriously uncool all around. Sorry.
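The pivot a_blackbird describes (same handle or e-mail local part reused across sites, then "logically extrapolate"), together with the CaliTrees objection that a common handle links to many unrelated people, as an added example that is not code from this thread or from Silk Road. It runs offline over constructed records: the accounts, sites and search-hit counts are made up for illustration, and the `sr-forum` site name, `SEARCH_HITS` table and threshold are assumptions. The hit count stands in for the thread's own test of whether a handle is uncommon (type it into Google and see how much comes back); the writing-style comparison mentioned above is not implemented.

```python
import re
from collections import defaultdict

# Constructed sample data: none of these are real accounts or real search
# results. RECORDS is what an analyst would have collected by hand from
# search hits: (site, identifier), identifier being a handle or an e-mail.
RECORDS = [
    ("sr-forum", "coveryourass1234"),
    ("tormail",  "coveryourass1234@tormail.net"),
    ("gmail",    "coveryourass1234@gmail.com"),
    ("youtube",  "coveryourass1234"),
    ("sr-forum", "calitrees"),
    ("pof",      "CaliTrees"),
    ("pof",      "cali_trees"),
    ("reddit",   "Calitrees420"),
    ("sr-forum", "kmfkewm"),
    ("sr-forum", "blackbird"),
    ("reddit",   "BlackBird"),
    ("youtube",  "black_bird"),
    ("sr-forum", "quietfrog7"),
    ("twitter",  "quietfrog77"),
]

# Constructed: how many clearnet search hits the bare forum handle returned.
# This is the thread's own measure of an "uncommon" handle.
SEARCH_HITS = {
    "coveryourass1234": 3,
    "calitrees": 12_400,
    "kmfkewm": 2,
    "blackbird": 41_000_000,
    "quietfrog7": 5,
}

def local_part(identifier):
    """E-mail address -> local part; a bare handle is returned unchanged.
    x@tormail.net and x@gmail.com share a local part, which is the pivot."""
    return identifier.split("@", 1)[0]

def exact_key(identifier):
    """Case-insensitive key with separators removed: 'Cali_Trees' -> 'calitrees'."""
    return re.sub(r"[\s._-]+", "", local_part(identifier).lower())

def stem_key(identifier):
    """exact_key with trailing digits dropped: 'Calitrees420' -> 'calitrees'.
    A stem-only match is weaker evidence, so it is reported separately."""
    return re.sub(r"\d+$", "", exact_key(identifier))

def group_by(records, key_fn):
    groups = defaultdict(list)
    for site, ident in records:
        groups[key_fn(ident)].append((site, ident))
    return groups

def correlate(records, hits, common_threshold=1000, forum="sr-forum"):
    """For every handle used on `forum`, find accounts on other sites that
    share its exact key (same string, digits included) or only its stem,
    then rate the link:
      'none'       nothing on another site shares even the stem
      'ambiguous'  matches exist, but the handle is common on the clearnet,
                   so they are probably different people (the CaliTrees point)
      'weak'       rare handle, but only stem-level matches
      'strong'     rare handle and exact-key matches on other sites
    Returns {forum_handle: {"strength", "matches", "hits"}}."""
    by_exact = group_by(records, exact_key)
    by_stem = group_by(records, stem_key)
    report = {}
    for site, ident in records:
        if site != forum:
            continue
        ek, sk = exact_key(ident), stem_key(ident)
        exact_matches = [(s, i) for s, i in by_exact[ek] if s != forum]
        stem_matches = [(s, i) for s, i in by_stem[sk]
                        if s != forum and exact_key(i) != ek]
        matches = exact_matches + stem_matches
        n_hits = hits.get(ek, 0)
        if not matches:
            strength = "none"
        elif n_hits >= common_threshold:
            strength = "ambiguous"
        elif exact_matches:
            strength = "strong"
        else:
            strength = "weak"
        report[ident] = {"strength": strength, "matches": matches, "hits": n_hits}
    return report

def exposed_handles(report):
    """Forum handles a blackmailer could tie to clearnet accounts with confidence."""
    return sorted(h for h, r in report.items() if r["strength"] == "strong")

if __name__ == "__main__":
    for handle, r in correlate(RECORDS, SEARCH_HITS).items():
        print(f"{handle:18} {r['strength']:10} hits={r['hits']:<10} {r['matches']}")
```

The threshold is deliberately crude: a handle with a handful of search hits and an exact match on a dating site or a business e-mail is the case the OP describes, while "calitrees" or "blackbird" produce matches too, but with so many clearnet hits that the matches carry little weight on their own and would need a second signal (location, photo, writing style) before anyone should believe them.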
-
I've suggested to the powers that be that this forum really ought to not allow anonymous browsing; if you want to come in and read the shit we're talking about, an authenticated session should be mandatory.
I don't see how disabling anonymous browsing is going to protect this forum and the community in any way. Those who wish to browse and see what we're up to can easily create a throwaway account.
Would at least keep it from being as simple as a google search. I agree, it wouldn't make us miles more safe but a little more protection is better than none.
That's exactly it. Obviously anyone can create as many fake accounts as they want - but at least keep forum posts off the damn search engines. (Unfortunately, they're just going to end up on pastebin.com anyway.)
Security by obscurity?
-
Not security by obscurity. Simple, low-hanging fruit. I never claimed that we'd suddenly become supersekritsekure by eliminating anonymous reads on the forum. I just don't think you should be able to find posts on this forum in Google, and if we can take a small step that could go a long way to preventing that from happening, why not do it? Even better if we could add a captcha. Officer LEO can already come in here, create an account, and write a scraper to pull down all the messages in this forum - but why make it any easier for them by letting what is supposed to be a darknet forum get mirrored by a clearnet site?
Since you don't seem to like the idea - let me ask you this - can you think of any good reason why the forums should stay as they are and not require a login? Do you think DPR should just open up the whole SR market site to allow unauthenticated guests to browse what's for sale?
-
Kinda agree with this. I mean, when SR appeared LE was caught with their collective pants down. They're bound to try everything they can think of to further exploit vulnerabilities. It just makes sense for us to continue tightening up opsec and *not* pick unique usernames. If you google mine, you'll see what I mean. Picking nyms which are generic words, names or something out of pop culture guarantees a pretty messy google pile...
-
Nyms are sometimes best used to "blend in" with the majority. Google "The Flipside". We are one of a million. See?
Aka, MUCH "harder" to track down. :)
Obscurity works as well of course, but you are much more likely to be "identified" from your "unique" name...ya know? ;)
Just sayin... ;)
Peace
The Flipside Crew
-
There have been several vendors from the private scene who, after they were busted, turned out to have a pseudonym consisting of their first initial followed by their last name, lol.
-
What about using the same username on these forums and on the SR site, is that too much of a security risk?
-
kmf...WOW. That REALLY sucks! :(
But still 'kind of' their own fault though, I suppose, yeah?
RE: usernames
Use different usernames between the sites 'if you like', but MUCH more importantly, use different "passwords" for the forums vs. the main SR site. ESPECIALLY if you are a vendor.
Just use a REALLY GOOD, "unique", long password (upper/lower case/numbers/characters, etc. ->NO<- words from the dictionary. Kept ONLY in your head, and used NOWHERE else!) for your primary SR account.
This applies to buyers as well. :)
Just our advice! ;)
Peace
The Flipside Crew