[OPSEC/Computer] Current Flaws/Potential Attack Vectors

I feel a discussion like this is long overdue. What are the attack vectors that LE can potentially use, and what can we do to address them? In my opinion there are 2-3 main categories to analyze. I've come to the conclusion that the number of vectors is too many for almost anybody to manage. I focus on the one that impacts the buyers and vendors the most, and that is shipping. As a vendor, a good chunk of these should be basic practices. If they are not, you will want to re-evaluate your position as a vendor.

Shipping:

This is just a chunk of what needs to be thought of in regards to the shipping process. If this is all executed well, the shipping vector should be almost irrelevant. If you are a vendor and looking for a TLDR, or can't take the time to read this then please for the love of drugs stop putting people at risk and just be a local dealer.


Comments


[9 Points] CookyDough:

From "The Art of Smuggling" (an excellent, must read, if dated document) written by one of the biggest proponents of smuggling drugs in the history of the net markets. Written pre-Silk Road, around 2009:

Customs Mail Flags
* No return address
* Restrictive markings (such as writing "Personal!" on the envelope)
* Misspelled words
* Poorly typed or written text
* Excessive postage
* Addressed to an incorrect title
* Sent from a foreign country
* Sealed with tape
* Emits a strange odor (Including masking agents such as coffee, perfume and fabric softener sheets)
* Lopsided, rigid, bulky or otherwise uneven weight distribution
* Oily stains, discolorations and crystallizations on packaging
* Packaging appears to be re-used
* Package looks generally poorly prepared for shipping
* Addresses are handwritten
* Addresses contain misspelled information (such as names, streets or cities)
* Originate from a drug source state
* Are addressed as being sent from an individual to an individual
* Return address ZIP code does not match ZIP code of the post office the package is being sent from
* A fictitious return address is used
* List a sender or receiver name of a common type (Such as John Smith)
* Make use of names that are not connected to either address
* Package makes noise when shaken
* Redistribution of weight is felt when package is moved or tilted

Also, a single latex glove is not enough. You can still leave latent prints through a single layer of latex! Try the blue nitrile gloves with the grip tips, or multiple layers.

This "drug source state" flag is REAL. I have seen an affidavit where one of only three of the suspicious elements listed to establish probable cause for a warrant to open the box was that it was mailed from California.


[8 Points] sharpshooter789:

Weed vendors need to start putting some rocks in the boxes. I can always identify a parcel of bud since it's what I call "feather" boxes.


[7 Points] None:

[deleted]


[5 Points] None:

[deleted]


[6 Points] Vendor_BBMC:

"You need to be always using gloves, and switching them out frequently. Should be stored in a sterile environment.

This is just a chunk of what needs to be thought of in regards to the shipping process. If this is all executed well, the shipping vector should be almost irrelevant."

The "shipping vector" IS almost irrelevant. That doesn't stop you American Reddit kids from obsessing over the mail to the point where you almost forget how a letter works.

Ordering your drugs from a mail-order business and paying with bitcoin is a great idea, the main problems of buying drugs - getting shot, stabbed, robbed at gunpoint, kidnapped for days behind the steel door of an insane crack dealer your friend owes money to, killed in a Mexican standoff in a Miami hotel because of a suitcase filled with newspaper, beheaded or hung from a bridge in a local gang turf war - have been completely eliminated.

I think this was worthy of mention.

There is an age-old OPSEC practice that kept most people safe from getting chainsawed in the shower by Colombians, it is STILL THE MOST IMPORTANT OPSEC RULE.

We take it for granted that every drug user and seller knows this, but when I see people panicking to the point where they become TOO SCARED AND STUPID TO GET MAIL, I realize that knowledge of the number 1 rule can't be assumed.

Even a box can get a letter without thinking too much then fucking it up somehow. You worry too much about postmen already. Oh, here's the number one OPSEC practice.

IF YOU ARE GOING TO BUY, SELL OR USE ILLEGAL DRUGS, YOU'VE GOT TO BE COOL

Go back and read that again, like it's the second rule of Fight Club.

"Being cool" means not freaking out about the postman, refusing to sign for the tracked mail that allows escrow to be used, and hyping each other up into hysteria, to the point where you try to give mail order businesses sterile area advice, like some insane Howard Hughes trying to make us all walk on tissues and shouting "You're wrong! We don't worry about invisible germs ENOUGH" through his surgical mask, blinking at the light through a crack in the curtains.

YOU CAN'T DO ANYTHING ABOUT THE POST. You can't control it with your mind, because dead people still get mail without fucking it up. You can't control what anybody posts to you, or make any changes to become a better recipient of mail.

You can only fuck it up by not being cool. Look at yourselves, carrying on like little girls. You're men. I ought to come round to your house and cut you - but that would be uncool.

See? It can happen to the best of us. But remember what I said too - I will cut you on your pretty cheek if I hear one more squeak about how scared you are of your postman.

ONLY JOKING! Ha ha! You should have seen your faces! Stop being so seriouuus amigos.

So what is the second most likely "attack vector", after not being cool?

LIVING IN THE USA, AND USING A DARKNET MARKETPLACE WITHIN AMERICAN JURISDICTION (like the "Silk Road" franchise).

I haven't made the basic opsec mistake of living in the US, but I have made the mistake of being a vendor on Silk Roads 1 and 2. I could still be making that mistake, because Agora could be in any English-speaking country.

We only lost bitcoin on Sheep Marketplace. Nobody got arrested.

We all lost bitcoin when the Silk Roads were infiltrated, and each was followed by waves of arrests. The Feds weren't after you drug customers. Why should they? You're just some punk kid.

Unless you were uncool and sent the same encrypted information 50 weeks in a row to the same vendor, instead of sending it ONCE and asking him to write it down on a piece of paper. You WANT the vendor to know who you are. It's LE you want to avoid. He's your accomplice, like the postman, who also isn't the police and also needs your shipping details.

As for BITCOIN, that is for the vendor's anonymity, which is actually important. We can't give our bank details or an address to send cash. Let US worry about money laundering (buying legal everyday things with money earned through illegal activity). Nobody cares about your sub-10 btc transactions, but if you think LE patrol the blockchain like sharks, DON'T GO SPLASHING AROUND IN TUMBLERS.

Just do a low-key single wallet-to-wallet transaction from your Android phone wallet to the marketplace. You all know that iPhones are just bossy toys that want you to use iPay, forcing you to use web wallets that watch you and rob you. Right? They insist on having your bank details even for free apps, and have a built-in NSA back door. Apple, Google, Facebook and American phones and bitcoin exchanges are all uncool. Learn from Snowden, not this fool.

Snowden didn't even mention the postman.


Now that we've established that you can't improve the post or control it with your mind, and that it only goes wrong when you think about it, STOP THINKING ABOUT THE POSTAL SERVICE.

The young chap who wrote this well-meaning post has been getting every shape and size of letter and package since his 1st birthday without arousing suspicion. Now he's a man. If he doesn't shave he grows a beard.

He sends his apologies for freaking out so publicly. He would do it himself, but he cut himself shaving and is waiting to get stitches in his pretty cheek.

SSSSSHHHHHHHHH!!. Hush your mouth now.

I know you want to talk some more about how letters work. You're confusing guilt about drug use and what mom and dad would think if they found out with fear of our whistling drug-carrying friend. Fear causes bad decision-making and a loss of focus on what to prioritize. He's just a regular postman, and not some guy I sent to have you whacked. Or cut you.

If you are cool, I will put a little extra in. Let's keep using our friend, because you do not want to meet me. Plus, worrying about my choice of envelope is buzz killington, uncool, and I wasn't joking.

If I have to cut every one of you to give you a reminder not to think about the postman, every time you look in the mirror, I will. So help me. I will slice you up good.

I'M JOKING! You should see your faces in the mirror!

Did anybody tell you that you have nice skin?


[4 Points] Hank_Vendor:

Return addresses (These need to be swapped EVERY SHIPPING BATCH)

This is bollocks. I mean - the whole thing is largely bollocks, as I will point out, but this is particularly dangerous bollocks. All the things you list below this to avoid your package getting detected are mostly pointless if you do this. SOONER OR LATER - either you or the customer will make a mistake in the address. Or it will be sent to someone who reads Reddit - who refuses to sign for it! Then it will go to the dead letter office and be opened. Then they will discover drugs have been sent. Use a real return address. Who cares where. Somewhere real ghetto. So the chavvy little cunt it arrives at will steal it - open it - and consume all the evidence for you!

Shipping stealth (This needs to be rotated or completely changed, should be minimum 3 vac seal + mylar + 1-2 VBB.)

Hahahahahahahahahahahahahahahahahahahaha. Minimum of 3 vac seals??? + Mylar + 1-2 VBB??? How fucking high are you? We're not shipping fucking plutonium.

Contamination of Shipping Supplies

Wear gloves. Don't bag up in the greenhouse. Try not to bleed or cum on the packages.

Effectiveness of vac seals and mylar bags in regards to drug dogs, and potentially machines made to sniff. This second thing I could see becoming big, and it wouldn't be much to implement them into the sorting facilities' automated sorting machines.

Machines made to sniff??? Just stop and read this back. You're making a wally out of yourself now. Visualise the AMOUNT of mail in any postal facility at any one time. The man hours it takes - the cost - the price of posting something. Then have an educated guess at how many dog teams they have patrolling. And how likely any of them are EVER to come into contact with your package.

Zip codes MUST MATCH THE ZIP CODE OF SOURCE CITY. This is a huge red flag I can't really preach anymore. If it's Priority Mail, pictures are taken of them at the blue box they are picked up at. First Class mail is rumored to avoid this. We need to assume the worst.

NO THEY AREN'T!!!! Go outside and watch a postman collect the mail from a mailbox. And tell me when exactly he photographs it. You are annoying me now with your nonsense. Packages can be tracked back to the area they were sent from because they don't go from the box straight to the destination. DO YOU ACTUALLY KNOW HOW MAIL WORKS??? It goes to the local sorting office, where it is scanned if it is tracked (barcode scanned) and into a sorting machine if it's normal mail. Sorted by hand or machine if it's a parcel that's not tracked.

Thermal-transferred labels are a NO (We should be at a point where First Class mail should be printed directly onto envelopes with inkjet printers, and Priority Mail should be using labels. You need to be incredibly creative on how you pay for these labels though; mass profiling is an option if you use the same method for each batch, e.g. the same reloadable Polish debit card.)

Why would thermal printers - which are WITHOUT DOUBT the most popular method of labelling for the type of businesses you are trying to imitate - be "a NO"???

Weight should be added onto common known drug weights, such as QP and stuff alike.

HAVE A FUCKING WORD WITH YOURSELF! Seriously?

Packaging should be done in a sterile environment, where drugs are not used and air filters and lots of bleach should be used.

Yes everyone - take your post into your clean room. Don't forget to suit up and scrub all the bags of drugs down in your air lock. You should change your suit and air lock filters 62 times every 11 weeks. Too regular and you will be profiled.

Drops should be made to blue boxes only not covered by cameras, and it needs to be at night. Never re-use, if you do re-use the same blue box should be ignored for at least 2-3 months since last drop. There are plenty out there.

Yeah - but it's a lot easier to spot the one guy that uses the box the whole night than the HUNDREDS of people who use it during the day. Not to mention the increased risk of getting your collar felt with a car full of drugs, driving around with a ton of packages on your passenger seat at 3am. You are an IDIOT!

This is more of an IMO, 9 digit zips should be required. This allows for more direct routing, and quicker delivery times. And usually if the person runs the address through the USPS Zip code lookup, it also formats it exactly how the machines want it as well as cutting down on user error with addresses since it also verifies the address.

I dunno. Maybe you're right here. The sun even shines on a dog's arse some days, as they say.

Names should be real, when you move into a house or new apartment USPS is supposed to give you a paper to give the names of people receiving packages. This happens usually if Public Records or anything aren't up to date. The more concerning factor with this is your local delivery person, and how well they know the place they are delivering the parcel to.

I dunno about you guys in America, but I have several different postmen throughout the course of 6 months. AND NONE OF THEM LOOK LIKE THEY GIVE TWO SHITS ABOUT THEIR JOB.

Tracking numbers should not be tracked via TOR or any confirmed proxy. Use a third party tracking site that uses the USPS API if you plan on using TOR or a proxy.

I dunno - sure why not. (Nut job!)

Automated postal machines take pictures each shipment of the person using the machine.

Just cover camera with an envelope... Or is it "an invisible camera"????

You need to be always using gloves, and switching them out frequently. Should be stored in a sterile environment.

Yes, if they detect you are wearing latex gloves - that's all they need to be kicking your door down within hours. Only 4 people in the world buy latex gloves.

OK, now you need to go home and think about what you've done. You were trying to show off in front of the bigger boys - but it backfired. So come on now. Don't be giving it the Charlie Big Potatoes on Reddit when you've had a few beers, OK? Go lie down before you hurt yourself.


[3 Points] bipolarzoned:

I would like to interject that dropping packages off in the middle of the night in post boxes whilst wearing gloves is shady.

Someone should copy and paste and send this to every vendor. I'm utterly dumbfounded by how many people seemingly have no fucking idea what they're doing.

The next vendor who sends me a fucking Click and Ship label is getting kicked in the virtual balls.


[2 Points] noonehear:

You should totally post this publicly so LEO can learn!!!!

Biggest issues I see are fingerprints and glove usage... a simple isopropyl wash will get rid of both, and I'm far from a vendor.


[2 Points] 666fun:

It's great to think about all that sort of stuff from the buyer's perspective, but I'm sure that most vendors are going to cut some corners here and there, unless buyers are willing to shoulder a significant part of the cost.

The thing that has always made little sense is the visual barriers. Sure, the buyer opens the package and feels nice seeing a plastic toy or box of candies or something, but reality is, if LE or the postal inspector has a warrant and is going through your mail, you're already a dead man walking; a magic marker thrown in for good measure won't save you.


[2 Points] AllJoociedUP:

A vendor (not that I know one or am one) is one who rotates stealth every single order. Alternates between several forms of stealth. Always drops close to pick-up boxes with addresses that are real in the area of the box. Always wears black leather gloves (for fashionability) when handling any sort of packing. Vendor wouldn't be one to walk into a line of sight wearing those blue fucking gloves. Uses multiple visual barriers when packaging: item is enveloped, hidden inside stealth that is inside an envelope that is inside another envelope that is inside a box. Never personally buys postage and never drops 2/3 to a box, decentralizing risk in case one box is compromised. More often than not uses a pair of dice when picking boxes to drop, 1 for every box in a designated area. Ritualistically the dice are tossed and the box is chosen, dropped, repeat. Vendor never drives, he is driven or walks. Vendor is alert AT ALL TIMES to ANYTHING that looks too hard at him/her upon leaving until arriving. Vendor drops in broad daylight with everyone else's mail. Obviously only the 'dumb' vendors would drop at night. Most importantly, Vendor is using classical tactical 'evasion' techniques. Every order is given as much attention as the one before it, and it must not be the same. Vendor often contaminates local non-use blue boxes with a little colla or #4, open-baggie style.... the dog will hit on everything in that box, allowing the packages to move easily. Vendor uses the human element to maintain safety. LE should be chasing them, implying as in Vendor is 'running' ahead of them.


[1 Points] Tony_Two_Tusks:

I had glanced over this but wanted to spend some time on reading and going through it before I sent a response. I think you have a lot of great information, especially about USPS, and sending packages. That definitely is one of the higher risk challenges that vendors deal with.


[1 Points] None:

[deleted]


[1 Points] None:

[deleted]