1) Don't engage in businesses that make you a target of the world's best-funded law enforcement agencies.
2) If ignoring lesson 1, don't access servers directly, from home, and don't pay for said servers with personal credit card.
3) Don't pay for your $130K Tesla using BTC a month after you open up a massive illegal drug marketplace that runs exclusively on BTC. Someone may suspect something.
4) When cashing in your ill-gotten gains, don't use your real name.
Seriously, if you're going to do this kind of stuff, paranoia is your friend. "They" probably are, indeed, following you.
That might be right, but there are tens of thousands of people who use their personal email and credit card to buy hosting services. You can't assume they all operate Silk Road 2.x
You're spot on with the Tesla comment. How does the government bust every big drug trafficker, mafioso, or fraudster? Answer: tax evasion. It might be hard to prove in court that this kid was behind SR2 but it's easy to prove that he pulled $70K out of thin air for a Tesla and never paid taxes on that income. Easy federal prison sentence.
You can easily do this in Brazil. Incompetence is so widespread that the data center will need years before they know what you're doing there.
Law enforcement doesn't have a single idea of how to operate on the internet, being the most recent proof of that the fact that the NSA spied on our president's email for years without anyone noticing it.
Just keep your distance from drug cartels, politicians and banks and you'll be safe.
You'd do well to just avoid the U.S. of A. (and friends, I guess). Take those profits and go somewhere safe and manage your newfound business from there. That could be one of the reasons some of the larger markets are still standing.
They catch Russian carding marketplace admins all the time so living in Brazil or Russia is no guarantee you won't end up in jail either. Just takes one mistake and you are on a plane in handcuffs to a federal court. They could bribe local police to pick you up for them too especially if you aren't politically connected in those countries.
Actually, Brazil has very tight control on financial transactions that take place in the country. Especially international transactions are closely monitored. I heard this is the reason why Paypal took so long to get here. In addition, I've read many news which point out close cooperation between Brazilian police and foreign agencies. I think a shady BTC millionaire would have a short run in here, unless he was very insightful of the local system, as well as extremely cautious and creative with the way he handled money.
And let's be honest, if one were to go to jail in the US, Brazil, or Russia, especially as a (formerly) wealthy American, the US is an order of magnitude better than the other two.
Actually most wealthy people live like a king in prison, and if the crime is a financial crime they end up in house arrest after only a short prison term ALWAYS.
If you are Russian and living in Russia, they will not extradite you, and as long as you are not targeting Russians the police will not care. That is why many of these carders don't get arrested, and if they do it is usually when they leave Russia.
As a guess, it probably means that cartels and the DEA make tons of money fighting each other, and joining or interfering in that fight is a generally bad idea as an independent third party.
Also trust no one and don't give other people you don't know access to your personal details or the server that hosts the website. They could be (and in this case were) Law Enforcement.
This gives me an interesting thought for a startup. Provide training and testing for law enforcement for these scenarios. Would also give you the chance to outsmart law enforcement without getting arrested.
I think that TOR should no longer be considered secure in the wake of so many busts. Either it isn't secure by some flaw, or it is too easy to fingerprint visitors, or some other work around.
I refuse to believe that the FBI is privy to a fundamental TOR break that's completely eluded the cryptographic community, and they're risking revealing it with some darknet busts.
If TOR was broken, they'd be encouraging its use while secretly mining it for parallel construction opportunities across the board. Instead, we get warning shots.
TOR is fine, but now that we know that the FBI has its tendrils everywhere perhaps we should be a lot more cautious about trusting people we meet online. At the very least we shouldn't be granting administrator privileges to people we don't know the identities of, which is a mistake some of these operators seemingly made.
> I refuse to believe that the FBI is privy to a fundamental TOR break[...] and they're risking revealing it with some darknet busts.
This is probably the best analysis I've heard.
If the Tor protocol was broken in some way, agencies would be sitting on it to vacuum up as much information as possible. If the underlying cryptographic primitives were broken in any way, that information would be restricted to the highest levels of government and used against state actors.
Darknet busts mean JS browser injection attacks, poor development practices on the server side, or bad human factors (probably this one, from what we're hearing).
But more importantly, increasing the frequency of darknet busts gives a hint of what the authorities think about Tor: they don't have fundamental attacks, so it's best to scare people away as much as possible to discourage use.
This rings true. And I think those "bad human factors" are the same as always: the folks slinging the goods are also tasting the goods, which inevitably results in sloppiness. Good highs and good judgement are seldom seen hand-in-hand.
They don't have to break Tor's crypto to figure out where hidden services are. They just need to identify which IPs are consistently connected to the Tor network, and then prod them and see if the hidden service goes offline.
That is one of the reasons why you're absolutely not supposed to run a relay from the same IP that you run a hidden service from. Because your IP is published if you do that.
If I were to run such a service, I would want to make sure that the IP that the hidden service is running from has as little connection to me as possible.
[edit] If it were my full time job to locate Tor hidden services, I'm pretty sure I could make a decent go of it. Certainly for a lot of them. Given the resources the NSA and GCHQ have, I have to believe that they can do a much better job of it.
"It is generally a better idea to host hidden services on a Tor client rather than a Tor relay, since relay uptime and other properties are publicly visible."
It might be more accurate to conclude that information is a currency in an unregulated market: GCHQ shares with NSA who shares with FBI DITU amongst many other public and private sector customers.
In a world of parallel construction, the most reasonable assumption is that anyone can be privy to anything, or at least information derived from it.
If you have enough of a view of the network it is running over, TOR has major weaknesses.
TOR has always been traceable to anyone with enough resources as it makes no attempt to guard against timing attacks.
TOR has never been a secure defense against a collaboration between rich states, especially if you are running permanent services with lots of users.
Also, I do not quite see the intelligence benefits of trying to hide something that is mentioned in the TOR faq, this is not a secret weakness, but something that has been a known weakness since the project's inception.
The only secret revealed here is that the security services have been busy tapping lots of stuff, but that cat has been firmly out of the bag for a while and has since had kittens.
Couldn't you at least narrow it down to the AS by correlating outages, if you're watching it for an extended period of time?
The rest should be possible with more standard police work, once you know where to look (there are probably not more nodes in an AS that you could check them all, disregard known relays etc.).
It is much, much more likely that law enforcement hacked onion domains because of their improper implementations of TOR procedures and/or general shitty security than it is that they discovered a fundamental security vulnerability in TOR.
The weak link here isn't TOR, it's the doofus who bought the Tesla with $130k worth of BTC.
Which is why I would never mess with darknet sites. I trust the TOR network, but I don't at all trust the individual domain owners.
I can think of at least one very easy way to break Tor, if you have access to a bunch of choke points however I'm nowhere near an expert in security so feel free to beat me to death over exceeding my area of expertise.
In a nutshell: assume that Tor hidden services are not amongst the highest traffic sites, that they still need to be hosted somewhere and that you can make your own traffic to such hosts stand out by sending alternate long-short sequences of packets to a hidden service by crafting requests. Simply inject a long sequence of such packets into Tor destined for the service you wish to unmask, then monitor your choke points to see where the sequence of long/short packets pops out last. That's the endpoint you're looking for. This undoes all the layers of the onion in one move. It will take some time before you have certainty because that same sequence will likely appear a number of times in a regular bunch of traffic as well, but with increasing sequence length you should be able to get to good confidence that you have found the relevant host.
That type of traffic correlation attack is pretty well known and understood. The problem is that Tor simply isn't designed to protect against a global adversary.
If you're the NSA, you can inject traffic through, bisect the network by forcing certain nodes offline, ...
Tor can't defend against that. But we don't have anything right now that would.
I believe this has been a well known underlying problem with Tor for a long time as it only really provides anonymity. If you control enough exit nodes, or alternatively, control the means of transmission in enough places, you can narrow the net and get closer to finding things. At the very least, one could get close enough to allow one to focus more traditional investigatory techniques. The problem is this is a fairly large scale problem. Now any organizations with the capacity to do something like that? I seem to recall lots of speculation around the time Snowden came out.
I think it's several orders of magnitude more probable that several greedy and half-intelligent people (intelligent enough to execute a darknet market and unintelligent enough that they aren't already well-compensated for their intelligence) saw a MASSIVE vacuum open up in the ecosystem when the Silk Road shut down. And they went for it, with varying degrees of success.
Tor is an anonymizing TCP overlay. That is all it is. It will make it so your TCP stream is not connected to your IP address.
But that's all.
I got asked a question, just two days ago, if Tor would make someone anonymous if they logged into their facebook account. Do you think it will? Do you think it's advertised that way?
Further, even the Tor developers acknowledge that hidden services are not a priority for them. Their priority is far and away client usage, because their largest userbase and their funders' priorities are bypassing Internet censorship, not running darknet marketplaces.
What was your reasoning process that led you to discard the other explanations rather than Tor being weak?
There are some interesting theories being tossed around. I'd like to add one more.
The common thread across all darknet websites is the fact that they generally run from datacenters. Most people don't host websites from their residence.
Further, most people don't colocate servers anymore. I would be surprised if any of the 414 websites operated on boxes that had been colocated. However I won't rule out that colocating is also compromised.
I'd like to posit the following law of nature: You can't run a darknet website from a datacenter and think you've hidden the location of the server, regardless of whether it's using Tor or other anonymity software.
Why not? Because the datacenter has the ability to image servers, along with the ability to notice that you're generating large amounts of outgoing Tor traffic (or other anonymity software).
Here's how the attack may have happened: Step one, collect data about which computers are sending and receiving large amounts of Tor bandwidth. Step two, if the server resides in a datacenter, request an image of the server. Step three, you now know whether the server is a darknet website.
Remember, the point of Tor is to hide the final IP address of a web request or web service. It does not hide the total volume of traffic that must be delivered. And it can't. If you operate a darknet marketplace, you're probably serving a large volume of traffic. Guess who notices? ISPs and datacenters. Guess which datacenters can be trusted not to divulge an image of your server to authorities? None of them.
What do I think the future of darknet opsec will look like? Well, if you're reading this, and you're an individual or group interested in pursuing your ideology through a darknet website, you will need to run your website from a datacenter and not rent your server in your name. In fact, your opsec needs to be so good that there's no way to trace the account back to you. This sounds hard, and it is, but it's possible. Secondly, you must assume at all times that the server you're using is compromised. Assume that authorities can access the contents of the server, can manipulate it, and can subvert anything you put on it.
This is a grim situation, to be sure. The above assumption is that you are never safe from authorities gaining a copy of the contents of your datacenter-hosted darknet website (including any databases), and from a takedown of the service whenever authorities deem to do so.
Here's the ray of hope: Just because they take down your website doesn't mean they take you down. This is where opsec comes into play, and it's our last hope. Every other link in the chain of trust for darknet websites has been broken. The one and only chance is that you can figure out a way to create accounts at datacenters without authorities being able to trace them back to you.
Authorities take down your service? Okay, start it again at some other datacenter. Authorities get a copy of what's on your server? Okay, no problem: you were assuming it was compromised anyway, right? Authorities install a program to make your software malfunction? That's unfortunate, and will shake the trust in your website, but it's possible to recover from this.
Do your best, and do not get caught. The rest follows from this.
At a minimum, you need to research opsec. Read history of how groups have evaded detection. Do your research using Tor, because associating such Google searches with your home account is a terrible mistake.
One of your biggest problems is going to be anonymous money. No, bitcoin won't help you. You can't rent a server from a datacenter using bitcoin. But you can anonymize your money and then use that money to rent your server.
It's a long shot, but it's all we've got left. Be perfect. There's no room for error. Or realize the truth: If you can't be perfect, you will get caught. And you may get caught anyway. Being perfect sounds impossible, but human history has shown that there are situations in which no or few mistakes are made. I would recommend you research those situations and how to minimize the total number of mistakes you make. Use software to help you do this, while realizing that clever software alone won't be enough. For example, if you're configuring an individual piece of software on your personal computer to connect to your darknet website, even through Tor, you're doing it wrong. You need to isolate yourself from this equation at all times. Sound hard? Oh, it's hard. It will slowly dawn on you how hard this method of operating is. Convenience? No. You don't get to enjoy the benefits of convenience. Convenience is the opposite of security.
Oh, and if you do happen to somehow make a lot of money, you should keep it as bitcoin for the foreseeable future. What good is it? Maybe converting small amounts won't be noticed. On the other hand, converting large amounts of bitcoin to dollars will be noticed, and it's extraordinarily dangerous to your opsec.
I'll be around to answer questions if you have them. If you'd like to ask a question anonymously using Tor, create a new HN account and post your question. I'll see it, but it will show up as dead on HN, so I won't be able to reply to it directly. So I'll reply to my own comment with a copy of your question, along with a response. Then you can reply to that, and I'll repeat the process.
HN is one of the few websites that we can even have these kinds of conversations on using Tor. Everything on Reddit is autokilled. 4chan doesn't let you use Tor. Maybe we should work on this problem first: How to make the equivalent of unlisted Tor exit nodes so that Tor isn't so trivially blocked?
There are a lot of ideas in my comment, and some of them are better than others. I hope that the bad ideas can be discarded and the good ones refined until we have something workable.
> Here's how the attack may have happened: Step one, collect data about which computers are sending and receiving large amounts of Tor bandwidth. Step two, if the server resides in a datacenter, request an image of the server. Step three, you now know whether the server is a darknet website.
This in itself is not sufficient: there are thousands of Tor bridges, relays and exit points. All of them carry lots of traffic and all of them could be hosting hidden services as well. The total traffic in itself doesn't necessarily show that a server hosts hidden services. It could also be masked by generating fake traffic to/from the server.
Knowing that Tor traffic comes and goes through a server isn't enough. Most data centers would not just hand over disk images just because a server is running Tor and a hidden service. You would need good evidence that the particular hidden service you seek is hosted at that particular data center.
You still need detective work to pinpoint the location of the datacenter. This could come from timing attacks or an unrevealed weakness in the Tor protocol itself, but it's more likely that they noticed suspicious activity in real life (large purchases, people already known to be involved in drugs), infiltrated some markets, managed to get some people to talk, ... Once you suspect a particular person and they are under surveillance, you can catch them paying for servers with their CC, connect to their server directly, or watch their BTC transactions.
They would certainly need the cooperation of the involved data centers at some point, but neither Europol nor the FBI can just walk into any data center and request images of any server that handles Tor traffic without a warrant, which would require some tangible evidence to support its release, lest it becomes inadmissible in court.
> This in itself is not sufficient: there are thousands of Tor bridges, relays and exit points. All of them carry lots of traffic and all of them could be hosting hidden services as well. The total traffic in itself doesn't necessarily show that a server hosts hidden services. It could also be masked by generating fake traffic to/from the server.
Relays (exit and non-exit relays) are listed in the consensus, so you can easily rule them out, or just watch the hidden service and the relay and correlate downtime.
Bridges are not listed in the consensus, but they also don't survive very long, and don't carry very much traffic, since they tend to be used by a small number of individuals. So bridges will naturally churn out of your target set.
> neither Europol nor the FBI can just walk into any data center and request images of any server that handles Tor traffic without a warrant,
This seems optimistic at best. They could certainly ask to install a wiretap, or just threaten their way into installing a wiretap (i.e., install this wiretap or my buddy at the EPA is going to be allllll over you for how bad your parking lot is drained, etc). They could just ask and say they suspect the computer is involved in child pornography, which will probably override most people's objections.
But beyond that, people tend to cooperate with authorities. It's either a natural state of humans to be subservient, or we've been indoctrinated through eons of hierarchy, but now, the only thing necessary to get someone to kill someone else is a stern command. If you don't believe me, look up the Milgram experiments.
> Knowing that Tor traffic comes and goes through a server isn't enough. Most data centers would not just hand over disk images just because a server is running Tor and a hidden service. You would need good evidence that the particular hidden service you seek is hosted at that particular data center.
They can just enumerate every hidden service, figure out which ones are doing something obviously illegal, then once they locate a datacenter that is likely to be hosting hidden services e.g. accepts payment in Bitcoin, get netflow data and pump traffic at each hidden service in turn. When a synchronised block of encrypted traffic turns up at a host, there's your probable cause to go image the server: it's practically bulletproof evidence that the hidden service corresponding to some black market is running on that machine.
The only bottleneck to this approach is finding the datacenters, but there aren't that many which accept Bitcoin for payment, and I bet intelligence agencies can easily provide a list of every colocation facility that is running long term connections to the Tor network. Heck they can probably identify the precise machines by doing traffic correlation automatically - it's the sort of task they'd be good at, and they have the infrastructure.
> neither Europol nor the FBI can just walk into any data center and request images of any server that handles Tor traffic without a warrant, which would require some tangible evidence to support its release
What about with a data request by a judge in Italy, raising a sealed subpoena through a Texas court to get the FBI to physically remove a server from a datacenter in London belonging to a UK organisation, without informing them, the UK government or the UK police, all while keeping the original reasons for this under seal, and then suddenly returning the hardware just as mysteriously as it was first taken, without thinking you should have to explain a single thing?
As long as everyone has someone else to point to who is responsible, these things will continue to happen. It's the same pretty much everywhere in the world.
Agreed, but the sheer scope of this operation forces us to consider whether the authorities are playing by all of the rules. Since we don't know which rules are still reliable, the best defense is simply to assume your server is compromised from the start. And, incidentally, your support staff.
By the way, I'd also like to thank everyone for the thoughtful responses. It's great that people are thinking about this problem.
To be honest, I don't think it is possible to evade the authorities and run a profitable business on BTC.
I think that is really where these markets are running into trouble. They need to spend the BTC they earn to cover their costs and lifestyle, at which point it becomes pretty obvious given I doubt there are many people converting BTC to cash in 6 figure quantities per year. Given the blockchain isn't anonymous, every 3rd party you move your BTC through can receive a warrant until they find the name you withdrew the cash under. They all want your bank account information which means you'd need a fake bank account.
Once you hit the "I need a fake second identity for financial information, etc." you are going to throw up all kinds of red flags.
I think Tor and the Darknet is great when you need to start a revolution or other non-profit-activity. The moment you try to make money you can live off of and cover your costs is the moment you accept you will get caught eventually.
> How to make the equivalent of unlisted Tor exit nodes so that Tor isn't so trivially blocked?
Run a VPN connection through TOR via a service that lets you pay anonymously. [e.g. gift cards you can buy with cash]
Of course, then the VPN can snoop all your traffic but given you are using TOR...you should be expecting that anyway. TOR guarantees technical anonymity, not privacy. You screw up your OpSec and you are screwed anyway. ~
The whole idea of a centralized market, with someone syphoning off large amounts of money and being the major legal target, sets it up for failing. Once it becomes a distributed marketplace with all services replicated it becomes much more secure.
DHTs are susceptible to Sybil attacks. A key/value store based on a cryptocurrency would be a better approach if you're looking for a decentralized key/value store that guarantees that the data is available.
Requesting an image of a paranoid person's server isn't necessarily that great. When I worked for a run-of-the-mill cybersecurity firm, our simulator products were protected with full disk encryption using run-of-the-mill open-source software + light patches and keys bound to specific hardware, software, and configuration states via the TPM. This is for fully automated boot up. If you can accept the risk of needing to be physically close to a machine, you can generate random bytes and store those into your TPM and require both the hardware/software/configuration to be correct as well as knowing your key. This would incidentally also prevent you from being able to give law enforcement the key to an image of your computer (this is actually impossible, you don't know the key).
If you're doing this under a warrant, you could just request that the server's operator unlock the machine. Whether you comply is a legal situation that varies from jurisdiction to jurisdiction (in the US, it seems that you might be held indefinitely in jail if you refuse to divulge your key). The thing is, you should be able to make an extremely strong case (possibly with the EFF's help) that any warrant is false. Anonymous traffic itself should not be enough to compel you to divulge your secrets without other evidence pointing to your machines (standard IANAL, but this seems consistent from everything I've read).
It's an interesting idea. I think physically shipping a server to a datacenter is precarious. Remember, it is known that your server is hosting a darknet website. You can't really hide this fact. Timing correlations make it possible to figure out which server is doing what. The reason that Tor users are generally safe from this is because they're not constantly connected, and an adversary generally can't cause a client to issue a web request on demand. But a webservice is constantly connected, and any adversary can cause it to issue responses since it's a webservice. Whether it's a timing correlation from a global passive adversary, or it's simply noticing that "silk road is extremely popular and this webserver in this datacenter seems to be hosting a huge amount of Tor traffic," you have to assume that it's known that the location of your server is compromised.
And if you assume that, then it suddenly becomes very, very bad if you've personally shipped a computer to the datacenter, colocation-style. First, clever hardware won't protect you if it's a running box. But beyond that, you can be traced simply by the components that you've assembled. You have to order those components from somewhere. You have to assume the worst: that authorities will take your box using a power adapter that lets them physically remove the computer from the datacenter without turning it off (such things exist), dump an image of your server while it's running (so that encryption keys won't help you), and then dismantle your server and trace the origin of the components. Congratulations: you're caught.
I think the model of "rent a bunch of servers using opsec" is also precarious, but less precarious than relying on hardware protections to save you.
Not a bad idea, assuming you don't care about taking other people's property and using it in ways they don't expect for personal gain. But it's difficult. Once you no longer control the underlying hardware guarantees, availability chief among them, it's hard to design a reliable webservice. There has been some research in this area, though I'm not intimately familiar with it. Find it and read up on it. In general, the problem is how to organize some kind of store of data across multiple unreliable machines. That sounds like a solved problem (bigtable et al) until you realize it also needs to be secure, and you're running on an unsecure network of infected computers. At some point, some computer needs to access the secure info. If you're letting infected computers do that, then that means its operator can also do that. Though, in fairness, maybe you don't need to care about that threat. A bigger threat is that the operator would also have write access: they could corrupt your data or forge transactions in your system.
> You have to assume the worst: that authorities will take your box using a power adapter that lets them physically remove the computer from the datacenter without turning it off (such things exist), dump an image of your server while it's running (so that encryption keys won't help you)...
I believe they can keep my server powered on whilst they remove it from the DC (dual PSUs in enterprise servers would make this _extremely_ easy) but how exactly are they supposed to be "dumping an image of the server whilst it's running"?
You can buy servers and server parts anonymously via places like Craigslist with cash. At which point, you just need a fake ID to trick the Colo and pre-pay them for 12 months in cash w/o being recorded. It's possible given I've run into colos that were run by college kids with just a single cage. I'm pretty sure they wouldn't turn the offer down and just say you were "too busy" to set it up yourself due to work.
Then the authorities trace the server component to the person who sold it on Craigslist. And if your opsec isn't perfect, you're busted right there: Did you forget to set up a new email account for all of your craigslist transactions? Did you forget to set them up and connect to them only through Tor?
Did the person you met with write down your license plate number? Seem unlikely? Think again. Cameras write down your license plate number as you drive. Constantly. So the authorities will simply look up where the person drove to meet you (parking lot, etc) and any cars that drove to the area at the time. You'll probably be on a highway at some point, which is a highway of data collection. There weren't that many people who drove a long distance to go to the meetup area. Now the authorities know which of 1,000 people you are. The more times you do this, the fewer the number of suspects there are, until they're down to a number that they can just investigate one by one. Then you're caught.
Or did you take your cell phone with you, and did the person who sold you components take their cell phone? Yes, you're caught. The operation in the previous paragraph, which assumes that you're just driving to meet someone and both parties are leaving their cell phones at home, is already busted. So if you've taken your cell phone on top of it, then it's even easier. Anything involving correlating cell phone movements is trivial for authorities. And if you don't take your cell phone, how are you going to let them know you've arrived? What if they're late? Or you're late? Now you have two problems: Set up a burner phone in an anonymous way (hello, in-store security cameras) and then never, ever use this cell phone in the same place as your main cell phone. Not a good position to be in.
I've ignored the whole "fake ID" aspect, because if you're in a position where someone is putting their face onto a forged legal document, that person is going to be persuaded by authorities to betray you. And if that person is you, then obviously you're caught at this point. Your face is probably on Facebook, and facial recognition software is getting pretty good nowadays.
In general, physical ops are the most dangerous of all ops, and should be avoided until every other avenue has been explored. Better to anonymize your cash (which is also a physical op) and then use that cash to rent a single remote server.
You are probably going to be one of the few people to meet up and do a cash drop for the server. Which is automatically going to make you stand out to the hosting guys. Thus, MUCH more identifiable.
> Then the authorities trace the server component to the person who sold it on Craigslist. And if your opsec isn't perfect, you're busted right there: Did you forget to set up a new email account for all of your craigslist transactions? Did you forget to set them up and connect to them only through Tor?
If your opsec isn't perfect you are busted anyway. You already said that in the OP. ;)
> Did the person you met with write down your license plate number? Seem unlikely? Think again. Cameras write down your license plate number as you drive. Constantly. So the authorities will simply look up where the person drove to meet you (parking lot, etc) and any cars that drove to the area at the time. You'll probably be on a highway at some point, which is a highway of data collection. There weren't that many people who drove a long distance to go to the meetup area. Now the authorities know which of 1,000 people you are. The more times you do this, the fewer the number of suspects there are, until they're down to a number that they can just investigate one by one. Then you're caught.
We are assuming a criminal here. You use a fake license plate that you change regularly. You also move regularly and pay cash. Once again, your OpSec needs to be perfect but it is the only real obstacle. If they know which cluster of 1,000 people you are, your license plate gets changed, and you leave at the end of the month forever...they'd have to investigate all 1,000 people to maybe-possibly-id-you then try to figure out who and where you changed your license plate. But you are assuming they can trace the hardware of an anonymous cash transaction on craigslist again. I highly doubt that.
> Or did you take your cell phone with you, and did the person who sold you components take their cell phone? Yes, you're caught. The operation in the previous paragraph, which assumes that you're just driving to meet someone and both parties are leaving their cell phones at home, is already busted. So if you've taken your cell phone on top of it, then it's even easier. Anything involving correlating cell phone movements is trivial for authorities. And if you don't take your cell phone, how are you going to let them know you've arrived? What if they're late? Or you're late? Now you have two problems: Set up a burner phone in an anonymous way (hello, in-store security cameras) and then never, ever use this cell phone in the same place as your main cell phone. Not a good position to be in.
The last time I bought one, I met them at their house and rang the doorbell. No phone required. You can also pay a bum to go in and buy the burners for you. Admittedly, I was just buying something to experiment with on the cheap so I didn't really care about anonymity.
However, you are making the assumption these components are easily traced in aftermarket cash sales. I doubt strongly that they are that easy. And given you are trying to be anonymous, you don't care if either party is late since you'd wait a reasonable amount of time and if that failed, set up a new transaction elsewhere.
> I've ignored the whole "fake ID" aspect, because if you're in a position where someone is putting their face onto a forged legal document, that person is going to be persuaded by authorities to betray you. And if that person is you, then obviously you're caught at this point. Your face is probably on Facebook, and facial recognition software is getting pretty good nowadays. In general, physical ops are the most dangerous of all ops, and should be avoided until every other avenue has been explored. Better to anonymize your cash (which is also a physical op) and then use that cash to rent a single remote server.
You can't anonymize your cash for digital transactions given sufficient effort being expended to find you. If you don't do physical ops, you aren't paying cash. If you aren't paying cash, they will find you because the banks [which are intentionally letting things slide to increase business] can't hide it from the regulators forever. They've proven that repeatedly with billion+ dollar fines.
Honestly, it doesn't matter tho. I have no real interest in hiding to that degree. Everything I do is legal. :P It's just a fun mental exercise to me.
This is a perfect illustration of how to get busted. For example, the whole idea of "How can I acquire a burner phone?" is misguided, because as soon as you speak into a burner phone, your voiceprint alone is enough to identify you.
Various assumptions like "I doubt it's that easy" are also the road to getting busted.
Trying to forge or steal legal documents, let alone a license plate that you drive around with and which officers can notice at any time, is also how to get busted.
I'll have to take your word for it. I'm pretty sure you are overthinking this tho.
What you are describing is basically:
1) They find the server [this likely takes months based on their performance so far].
2) They get a copy of the paperwork & server [fake id, so useless information on it and a fake picture. That is assuming they keep a copy at all, they might not.]. Server is commodity and basically untraceable. They trace you via license plate readers to a residential neighborhood with 1,000 people.
3) They see you leave a month later via license plate reader on a major freeway and somewhere along the way you disappear because the entire country isn't monitored, especially rural highways where there aren't traffic cams. You change your license plate in the middle of nowhere.
4) They somehow detect the license plate change and track you from there to your new destination.
I mean it's possible, I just don't see it as being likely given how hard they've worked to find people who made publicly visible glaring errors. :P
I doubt you could host a large scale operation on a single server. Given the volume that SR1 && SR2 received, you would need more servers at some point. At that point you either need to hit up craigslist again or host via cloud providers. (of course all of this is assuming that the first guy you met on craigslist was not an undercover agent).
> I doubt you could host a large scale operation on a single server. Given the volume that SR1 && SR2 received, you would need more servers at some point. At that point you either need to hit up craigslist again or host via cloud providers. (of course all of this is assuming that the first guy you met on craigslist was not an undercover agent).
Given I've bought servers for cash on craigslist, I doubt this is really an issue.
You are making a large number of assumptions that in real world situations aren't likely.
They'd need to:
A) Locate you. Assuming good opsec, you'd move and so forth if they imaged/seized your servers and you were aware of it.
B) Seed craigslist across a large enough area to catch you.
Hell, you could just move to Canada on "vacation" and pay cash to rent a room up there as well as buy servers in Vancouver or something.
It's an open question whether Tor has been compromised to the point that it's now trivial for authorities to locate where darknet websites are hosted. I'm simply making the observation that if your opsec is good enough, you shouldn't need Tor's hidden webservice capability to protect you. You could simply run your website as a standard .com website, except for the fact that authorities can take the .com domain from you.
Or, put another way, if you're relying on Tor's hidden webservice capability as your sole defense, then you're in a bad position.
Learn about Tor. A key distinction is that the "crackhead" Alice is only communicating with the "pusher" Bob, but the location of Alice and Bob is a secret.
One potential long term outcome of these highly publicized fed / darknet busts is that future operators will learn from the opsec mistakes of Dread Pirate Roberts, Blake Benthall, Sanu, Lulzsec, Anonsec, etc. Theoretically after enough people cock up, the 'playbook' on how to run a dark service / h4x0r group should be sufficiently fleshed out and there will be fewer and fewer busts.
Remember, the FBI's story about a leaky captcha only came out very recently. SR2 had been running for a long time by then. And there's currently no info about how they found the servers for 414 different onion sites: seems most likely they have beaten hidden service security and can now find most or all of the ones they want. No opsec gonna save you from that.
It looks like I was wrong about this. Will multiple datacenters allow you to continue setting up new accounts using nothing but bitcoin? If you don't need to provide identification, then this might be an interesting avenue to explore. Thank you for fact checking me.
There's the chance that datacenters will be more inclined to image your server for authorities if you've set up a server using bitcoin and are hosting large amounts of Tor traffic, but at this point we must assume authorities will image your server anyway, so there's no reason not to go this route if it's as good as you say.
You may need anonymous money for other things, but server rental was the primary case I had in mind.
> Will multiple datacenters allow you to continue setting up new accounts using nothing but bitcoin?
I don't see how they could stop you. None of the btc hosting sites I've seen ask for real ID (passport, driver's license, etc.). They also allow you to rent by the year, though I suspect you would have to scale up fairly often. Overall though, I think anonymous hosting wouldn't be a problem (tor + ssh + tumbled btc).
The server imaging is a tough problem, however, as long as you ensure that you never upload any info that could point back to you, you should be anonymous.
Hopefully a truly decentralized marketplace will emerge before the next bust...
>> [TOR] does not hide the total volume of traffic that must be delivered. And it can't.
But what about I2P [0]? To my knowledge, it can hide much more than TOR does, including the amount of traffic going through your server. You get a large amount of traffic even if you do not host anything, because you become a relay node.
I just tested it. It looks like I was incorrect. People told me that Reddit shadowbans you if you create a new account using Tor. Maybe that was the case for a while, or maybe it's true for a certain subreddit, but it doesn't seem to be true anymore. Thank you for fact checking me.
I think that the feds having found and exploited a Tor vulnerability is much less likely than them having violated the law in the process of their investigation and then covered it up with parallel construction.
But Tor should protect against illegal actions as much as against legal ones. Unless, of course, they hacked into the servers (using flaws unrelated to Tor), but the problem is how these servers were even located!
I sincerely hope this was done not through Tor backdoors but through traditional police techniques. It would be a great piece of evidence in support of anonymity if they were able to do all of this without finding/creating exploits.
I've heard reports that Feds were actually moderators of SR2 from the very start. So from the beginning they were actively building a case against the other owners.
If your job is to catch drug dealers on the Internet, I would expect you to be undercover on all these sites.
You could either hire lots and lots of cryptographers and hope for a theoretical breakthrough, or you could hire police officers and let them work undercover.
Tor needs to be run from a live CD with an extended-hop circuit and a text only browser. TBB on regular box considered harmful.
We don't know the situation, so we have to assume that some part of the Tor stack is broken. It's likely to be the integrated web browser that's the weak end, but it could easily be higher or lower level.
Note that this is all about .onion hosted servers. Any flaws might be about locating the servers inside the TOR network and not about identifying individual users.
As much as this story interests me on deeper levels, my brain keeps wanting to think of it as a misspelled or mispronounced "Operation Ominous" rather than subtracting the "an-" prefix to negate "anonymous" (which they undoubtedly thought was very clever).
And I do find it very ominous that apparently the only way that I can speak and act freely over the Internet is to maintain absolutely perfect operational security across an entire group of individuals that I already know enough to trust, thanks to out-of-band signaling.
While I don't really have anything to plan or discuss that would be considered threatening to any current regime, I also know that regimes change and evolve, and the Internet is rather capricious with regard to what it forgets. I have to wonder if someday even my posts on HN will be used against me at a time when prison, or execution, or even just denial of a benefit is a possibility.
Right now, they are busting folks for trading contraband and criminal services. But it somehow feels like the evidence of massive surveillance and interdiction is more threatening to me personally than the existence of the online black markets. Perhaps I'd just like to pretend that in theory, I could defy an objectionable government edict and not get squashed like a bug. I'd like to believe that the spirit of rebellion still lives among the people, and that the underdog can still put up a good fight, even if they can't actually win.
I wonder if these attacks, along with some clever fingerprinting of the server host, and advanced techniques on traffic correlation, were enough to determine the whereabouts of the servers:
“This is something we want to keep for ourselves,” he said. “The way we do this, we can’t share with the whole world, because we want to do it again and again and again.”
That confuses me. How can they prove that the people they arrested are actually connected to these sites if they won't show how they came to that conclusion?
They might have 10x or 100x the evidence they actually need. So they provide the least compromising to their own operation. They don't need to show the courts exactly what vulnerabilities they've targeted if the courts are willing to accept "they got the guy's confession on tape" (and they didn't somehow screw that up to make it inadmissible.)
They say this but why aren't they targeting the real evil shit on the dark web? Why the hell are they wasting their time and resources on drug busts when there are seriously sick dangerous people using those services, hunt them. They're the real dangers to society, not the ones selling weed and ecstasy.
Makes me feel sick all the wasted talent that isn't being used to take down the dark dark corners of this world.
You say that as if organisations involved in the international drug trade are not engaging in "real evil shit". Not all cannabis sold in the United States is grown by long-haired Californians. Much of it is grown in Mexico by violent drug cartels that use slave labour and kill indiscriminately. They are practically the definition of evil, and sites like The Silk Road are pushing their product.
Of course, the ideal way of sucking out the oxygen from these entities is to legalize the product they're pushing. Perpetuating the drug war is some "real evil shit" when you consider the police unions are among the biggest lobbying groups fighting to keep these substances in question illegal.
Prohibition drives prices sky-high, drives out law-abiding brokers, but doesn't affect demand. The Mexican cartels are yet another bad consequence of the war on drugs.
It's the way the game works. Busting drug related things is a lot more lucrative than busting "other evil" things. Did you really think law enforcement cares about principle or morality? It's all about money.
"When WIRED spoke Thursday night with Troels Oerting, head of the European Cybercrime Center, he said his staff hadn’t even had time to assemble the full list of sites it’s pulled down in the sprawling operation."
That sounds a bit cavalier. Are they actually checking whether the sites are involved in illegal activity before they pull them down? Or is merely hosting a website on Tor illegal nowadays?
Edit: I should say that openbazaar hasn't been released, and very little work has gone into allowing for anonymous nodes on the market. The idea is that once openbazaar is released then people can apply Tor anonymity to connecting their market node to the database of all nodes where things are available for purchase.
They probably just use the tried and true method of exploiting flaws in the server, then helpfully offering to fix it. Repeat until trust builds and eventually a fed agent is the Sr technical lead with access to everything.
I think Wired was the first with the first Silk Road bust, too, or in similar FBI operations. Does Wired have FBI "sources" or FBI PR contacts that give them these almost-exclusives?
But this happened yesterday and there were lots of posts from various sites about it, the criminal complaint has been posted online, I don't see how Wired were first with anything here.
It just doesn't seem right for media sites to "partner" with FBI/the government for a story like this, and give them a platform to spread its propaganda.
For the record I'm one of the people who believe what the FBI did here is wrong. I imagine if they had known what it is and what it can do early on, they would've shut down Bittorrent Inc, too, for "facilitating piracy", "conspiracy to create piracy", "money laundering" (by making money as a company that creates torrent technology), and some other CFAA charges, for good measure - all of them bullshit.
This isn't entirely propaganda, though. Sure, the government's version of events is, but it's also a newsworthy event that Wired's readership would be interested in. Why would they not cover it, or foster partnerships that make it easier to get access to stories like this? It is literally their job.
Some guy in a fedora and freebsd t-shirt hanging around sleazy bars downtown waiting for his flipped FBI agent to come around and drop him some new juicy goss on the latest... TF2 hat update? Sounds legit
Well, Wired is a business, and cybercrime stories are pretty good business, and a lot of people the FBI might want to reach (and let know that they're on to your games, criminal scum) probably read Wired. It would be a mutually beneficial relationship, and this isn't exactly bad press for the government, so it might be more legit than it sounds at first glance.
Europol took over the .onion domains? How does that work technically? And doesn't it sound a little brusque considering Europol doesn't have authority to do anything on the field?
I am curious how a .onion domain seizure works. Does this mean the various law enforcement agencies are in possession of the private keys of the services they shut down?
They somehow find the physical location of the hidden service and then are able to take control (e.g. via a letter to the webhost). After that they have full control over the server and thereby also the key behind the .onion address.
How do they find the physical location? This could be by plenty of technical methods, which is really too elaborate to expand on here, but it's almost certainly not a flaw in Tor itself. It's just very hard to do it all correctly from A through Z, one mistake and you're busted, so that's why so many services can be taken down.
Assuming TOR is compromised, what is to stop someone buying a vps (with fake/disposable credit card etc) hiding the main server behind this vps (with haproxy or stunnel)?
FBI come along and image the vps, but it won't be the main server, connection details could be stored in RAM and if server taken down to image no configs would be left.
Thoughts? Obviously buying vps/servers in own name is dumb opsec.
That way even if TOR is compromised you lose just a frontend point.
Don't think that'd add anything. The people investigating you would presumably look at your network traffic and see all of the non-anonymized TLS packets traveling between your VPS and the real server. And they shouldn't need to bring the VPS down to get an image of its disk (or its RAM).
Of course tho' I doubt it would be enough for evidence in court especially if everything is bought with fake aliases.
And saving the memory contents (could hold config files on tmpfs for example) seems to be a difficult process, from Wikipedia:
"Holding unpowered RAM below −60 °C helps preserve residual data by an order of magnitude, improving the chances of successful recovery. However, it can be impractical to do this during a field examination."
It would be interesting to get perspective from any forensic experts.
The key imho is to put as many hoops in the attacker's path.
It doesn't need to be like that. You can have a frontend server with a public .onion domain that just pulls everything from a different remote and private .onion domain.
Yes, the latency will suck.
I wonder how hard it is to cause a very spiky, targeted temporary network outage (DDoS, etc) and use it to correlate with which Dark web sites rely on which physical network. With enough random events, it's probably possible to pin down the location, unless you have more than a host or move around a bit.
Any post you upvote is saved in your "saved stories" link (https://news.ycombinator.com/saved?id=[your id] -- you can find it in your profile. No, it won't display other peoples' saved stories for you.)
If you must comment, try to at least include something other people will want to read. (And then you can stick a keyword like "saved" or "fleezblort" into your post to make it easy for you to search for.)