Drug Market ‘Agora’ Replaces the Silk Road as King of the Dark Net (wired.com)
61 points by e15ctr0n on Sept 2, 2014 | 48 comments



I noticed that in the weeks and months before Silk Road went down, we had some interesting things happen:

1. several articles like this one
2. statements from the FBI that it was untraceable
3. the implication in tech media that it was 'safe' to use, with usual caveat emptor verbiage.

I know we have a sample size of one here, and there's no guarantee that steps 2 and 3 above will follow - but to me, it seems that mainstream coverage of anything like this is a sure signal to bail out.


If this is a US operation, doesn't US law prohibit entrapment? Also, doesn't it seem more likely a surge in public interest is what originated the operation, instead of the other way around?


The entrapment defense is pretty much non-existent. The thing is that it's perfectly fine to entrap someone who is willing to commit the crime anyway. A government agent can give you everything you need to commit a crime, beg and plead and nag you to commit the crime, and still prosecute you for doing it -- because it's your job not to commit crimes even when you have means and motive to do so.

What's against the rules is to make someone commit a crime who is unwilling. But you, the defendant, pretty much have to admit you decided to commit the crime in order to convincingly offer an entrapment defense in the first place. ("I wasn't going to do it, but then the government did A, B, and C ...") So how do you also convince the jury that you did it unwillingly? Basically, A, B, and C have to be so compelling that the jury is convinced they themselves would have done the same thing in those circumstances. Short of "the undercover cop pointed a gun at me and ordered me to do it," it's a tough sell.


The bar is not quite that high. I recall hearing about a case where the cops suspected someone so they sent a fair amount of advertisements for an illegal product to their house. The defense basically said, they did not bite the first time or the second, but after a while curiosity got the best of them. The important thing to note is they passed up several opportunities before trying to commit the crime.

In this case, as long as the cops don't actively advertise, people probably can't use the entrapment defense. But, if they set up a large ad-words account then in theory that's a problem.

However, if the jury finds that the defendant was predisposed to commit the crime that he committed, the defendant will not be allowed to use the entrapment defense, no matter how extensive police participation was in inducing the defendant to commit the crime on this particular occasion. So, if the prosecution demonstrates someone is a habitual drug user then the cops can advertise freely. But, if the cops advertise and someone that's been clean for a few months/years calls them up that's a gray area that depends on the jury's interpretation.


You're probably referring to Jacobson v. United States: https://en.wikipedia.org/wiki/Jacobson_v._United_States


I see, so cops can force a drug user to take drugs they brought in front of them, then the DA can get a conviction? Or they can force a pedophile to molest a child by threatening them, and then use the argument that they were predisposed already?


If they needed to force the person, that person was plainly not predisposed to take the action in question.


That's not entrapment.

An undercover cop can ask you to commit a crime without entrapping you. It's only entrapment if the police induce you to commit a crime that you wouldn't commit otherwise. Hence, them offering you the opportunity to commit a crime is permitted by law.

See this illustrated guide to understand better:

http://thecriminallawyer.tumblr.com/post/19810672629/12-i-wa...


What I learned from that: the easiest way to detect undercover cops is to ask them to--or really, entrap them into--committing an unrelated crime, e.g. hurting someone.

Imagine "rewarding" the new member of your drug ring by giving them a hired escort who has been paid to resist all acts upon them, and then locking the new member and the escort in a room together with some extremely brutal S&M "toys." You'll get lots of false positives--people who don't actually get their jollies from harming others--but it's the false negatives that are important here, so maybe populating your organization with sociopaths is a low price to pay.

On the other hand: is the boss committing a crime just by setting up this "reward?" They wouldn't mention anything about having to harm the escort, it'd just be implicit in the setup that if you're that type of person, the situation is easy to take advantage of.


Probably not uncommon for initiation / testing purposes to ask members of an evil organization to break the law in some way. Such that they become black-mailable easily.

A large organization would presumably benefit from having hidden away proof of each of its members breaking the law, such that if time comes and that member gets out of line, that can be used against them.

So perhaps an undercover cop would be asked to assassinate someone, or use illegal drugs and get recorded in the process.

Prosecutors usually break this blackmail ring by offering immunity to one person if they present evidence against others.


That's wishful thinking. Undercover cops must commit minor crimes all day every day to be truly undercover in a drug ring. If the cop had to stop and say, "Sorry, I can't drive over the speed limit", they wouldn't be effective or ever used.


No escort is stupid enough to participate in that. Only men would do that.



> If this is a US operation, doesn't US law prohibit entrapment?

In the same way that it prohibits all other kinds of behavior that are regularly acted by law enforcement. From planting evidence to "cruel and unusual punishment" (e.g. whatever sadistic game a cop or prison director wants to play on an inmate).


No, this is effectively a drug sting.


Are you implying that the Silk Road was not safe for people who followed protocols?


Nope - but I suppose I am implying that significant numbers of people using such services know or care little of protocols. Instead they're happy to go with the idea that it's a nicely packaged untraceable means of getting what they're after.


Correct. The sellers made a huge footprint by mailing so much on such a regular basis. This led to major sellers getting busted. At which point all the buyers that purchased from them may have their order details released.


This is incorrect. Sellers drop off packages over a wide area anonymously. They don't just mail stuff.


nod was found because he (or his girlfriend) dropped off packages over a "wide area" by going into post offices and mailing things. The indictment claims the investigator went to the PO and asked if they had noticed a certain car, and the employees there were readily able to provide details on an individual that made frequent mailings.

A large seller has too many packages to easily avoid leaving a trace. Automated analysis of video recordings near a post drop, for instance, could reveal these patterns.

Apart from that, sellers often mess up on opsec, just because it's so hard to maintain over such a large period of time. That's just how it is.


One thing I'm mildly surprised hasn't shown up more in these types of markets is "pirated" or outright stolen clinical pharmaceuticals. Drugs like Humira or Etanercept are expensive and need to be taken for years (usually for the rest of your life if you really need them) and are heavily advertised.

Selling Humira at $200 USD / dose would be profitable if you were using stock diverted from Abbott Labs, and selling a similar product using a black market supply-chain would still be effective; even if the trust in the product would be less than most sensible people would accept.

Of course it would get not just the regular regulators on your tail, but the full panoply of intellectual property and medical enforcement.

From a customer's point of view it's pretty easy to justify paying a tenth of the "list price" for a drug that keeps you alive and functional; so the demand is there.


Essentially everyone who needs those gets them through insurance, medicaid, or some such. They are therefore quite price-insensitive (which is its own problem, of course).


Empirical evidence says that is not the case; and that most people who need them have to fight their insurance company for them on a semi-regular basis. If only that class of drugs were available at a competitive price so that individual consumers had a way to route around the damage that is our healthcare system.


Spending 10-15 hours on the phone two weeks a year to get the insurance company to pay 3K/month of medicine is cheaper for most people than spending 300/month themselves. Even if, as in this example with numbers pulled from nowhere, it's 1/10th the cost in monetary terms, the risk is not worth the savings for a drug that is actually necessary, rather than recreational or mere enhancement.

A flatmate of mine has an immune deficiency disease which requires a drug every week which costs more than 3K/month, which is covered by her healthcare. If she doesn't get it, within a few months she'll be in the hospital with serious infections. She has to fight with the healthcare folks two or three times a year to remind them that this is actually a life-or-death matter for her, and then they grumble and continue paying. It in no way makes sense for her to start paying money out of pocket for questionable drugs from a source that might cease to exist in a month or two. If nothing else, assuming she needed to get it through "legitimate" channels again, they would use the time when she officially wasn't getting it as evidence that she doesn't need it.

The risk around quality and continuing availability means that there's no good way to use a shadowy market for anything which is actually required for life, if it's even semi-rare.


Who else has wondered whether SIGINT types might allow things like this to run in order to bolster the perception that Tor is not traceable?

In WWII they allowed the enemy to sink whole ships to accomplish same.


> In WWII they allowed the enemy to sink whole ships to accomplish same.

Whoa, that's interesting if true. Do you have any links you can share about this?


Imagine you stole the enemy encryption codes, and are listening and waiting for intel on an upcoming invasion that can save your whole country. Instead you hear chatter about how they are going to bomb a single ship.

Do you save the ship and let the enemy know you have access to the encryption codes? Or do you let the ship be destroyed and keep listening for the more important info?

This decision is pretty black and white too. Imagine if your mother was on the ship. Or it was half your navy.

Some of the decisions world leaders need to make are horrible.


In general, you don't want to burn any good intel source. If a bunch of targets mysteriously got out of the way right before an operation, that would let the other side know they had a leak.


Sinking ships may be the least of it. Some say Churchill allowed Coventry to be firebombed to keep from tipping the Germans off to the successful work at Bletchley Park.


I thought the Tor project sort of agreed that Hidden Services could be discovered by a not-that-awesome adversary. Doesn't that vastly increase the risk of being found? After all, with The Silk Road, part of the evidence was that they had imaged the VM -- but they didn't say how they found that VM in the first place.


Yeah, Tor as a whole, and Hidden Services specifically are very vulnerable to traffic analysis attacks.

I'd love to see a project with a real focus on anonymous publishing of content. Tor's original goal was anonymous retrieval of content, with anonymous publishing just added on as a secondary goal.

In order to make anonymous publishing robust against traffic analysis, it may be necessary to sacrifice the "real-time" goal that Tor has.


IMHO you'd have to distribute the data and the computation so that there is no single point to find.


Agreed. Some ideas for the resistance of traffic analysis in the provision of Tor hidden services: layered architecture with aggressive caching at edge nodes, non-deterministic latency or update fetch algorithm (e.g. random) between nodes, use of push rather than pull (edgier nodes have no knowledge of the location of content-publishing parent, only its key to auth inbound updates as they are supplied from unique addresses periodically) where feasible.


Freenet and now Maidsafe


Freenet is only good for static pages as I recall.


Standard OPSEC for transactions on Tor markets is to GPG encrypt all communications. If you're just a customer, you have very little risk.


I was referring more to the operators of the site. LE probably isn't going to go after individual buyers all that often. But the site will have a record of Bitcoin payments made, so you can link up sellers and buyers. And most people probably don't have untraceable Bitcoin. (I tried to buy $300 of BTC anonymously, and it took hours of work, and still reveals which post office I used.)


Cash for bitcoins is available in every major city at bitcoin meetups.


And of course attending a black-market meetup with cash in hand is both perfectly safe and an unlikely target of surveillance by law-enforcement.


Yeah. I am really surprised by statements like that as well as articles that "anonymity is dead" on the internet. Tell that to any pastebin.

You can build any number of fake identities by using a tree of accounts, starting with services that don't track who you are (or using them to launder a tree root) and build from there. The tough part is keeping the identities from leaking, e.g. by stylistic analysis or other patterns. Sometimes when a network authenticates every account you have to hijack some random accounts and tunnel through that in order to communicate over that network. Like intelligence agencies texting "Pizza!" over SMS - although that was a pretty lame example.


Even getting cash anonymously is dubious, at best. If I withdraw from an ATM or bank, the serial numbers are most likely recorded. (There's no technical reason they wouldn't be.)

Handling the cash may leak DNA or fingerprints.

After that, when I meet someone to exchange cash, that transaction links my identity as well. Making a deposit in someone's account also records my identity via video (and any other leak like fingerprints).

It is prudent to assume that at every transaction, whichever adversary you're trying to remain anonymous from - assume they are the other party.

And even if you assume the party is a good actor, it's not entirely out of the question that a third party could monitor things and try to correlate. It might be computationally infeasible for now, but it'd be folly to bet on that.

In my experiment, I tried to get $300 into BTC. I withdrew $100 notes from the bank, then spent them at small stores to get change. (At which point I found out the bank gave me a fake note, thus losing $100.) I wore gloves during these transactions, and put the change directly into sealed bags. This is obviously super suspicious.

I discovered that mailing things anonymously is also difficult. The stamp machines only accept non-cash payments. Video is recorded at all other points of sale. Priority mail appears to require larger stamps, which are custom printed. With more work, I suppose one could find a small store that sells stamp booklets without recording things.

Obtaining and addressing an envelope also has information leaks.

Only ~33 bits are needed to identify a specific human on earth. Geolocation alone reveals somewhere around 8 bits. Interest in Bitcoin probably reveals another 5 or so. If you're mobile and purchase in multiple cities, that could further reduce things another few bits. Before you know it, you're not that anonymous.

I concluded from my experiment that most people are simply not going to be able to buy BTC and retain strong anonymity. If I was going to use BTC to perform actions critical of a government, let alone do something illegal, I would not feel overly safe. Other people seem to have a different (or missing) assessment.

The best Bitcoin anonymity device I've heard of is ZeroCoin, but I haven't understood the math yet. And it's not getting any traction, it seems, and without significant traction, like Tor, it's not very anonymous.


That still doesn't mean traffic isn't traceable, right?


Yes, but if you encrypt your drug request you won't have the evidence binding you to the purchase without some kind of bitcoin trace.


Surely if the feds bust the seller they'll then have access to his private key and be able to decrypt all his buyers' order requests?


The sellers are supposed to delete personal information once the item has shipped. You'll have to take their word on it though.


OTOH, if the encrypted request is found, and you have a key that matches, that's very strong evidence you made the request. This line of reasoning was included in the Silk Road indictment.


I dislike Agora. The site is rarely up and when I do manage to log in most of my requests time out.

What I'm interested in is how much money the major sites are making. The much smaller Cannabis Road was recently hacked and robbed of $130k in bitcoin from various escrow and user wallets. I can only imagine what the major players are making.


Am I reading an advertisement?



