Why We Shouldn't Be Freaking Out Over Silk Road et al. getting busted

So the feds busted Silk Road, et al.

At first glance, this might look bad, awful, terrible, a victory of authoritarianism over our glorious subversive culture. It's not.

Why?

They had it coming.

I don't mean this in a disrespectful way; I feel very sorry for everyone who lost bitcoins and/or their freedom. They weren't bad people and they are now what amounts to being political prisoners and have lost funds for stupid political reasons.

But they were also kind of dumb. Why? Well, with the Silk Road 1.0 bust, who in his right mind would set up another market based on the same technical premise? What is happening is certainly a temporary victory for the feds, but it's also a really strong demonstration that it's a really bad idea to have a centralized market. Please: If you're thinking about it, DO NOT set up another centralized market. Setting up a criminal enterprise is risky enough as it is; the feds can make any number of mistakes and all they get is a delay. Your mistakes, on the other hand, add up, and every one brings you closer to prison. It's like playing "hangman". So the very least you can do if you want to set up a criminal enterprise is to NOT DO IT IN A WAY WITH A PROVEN TRACK RECORD OF VULNERABILITY.

So what was the vulnerability? Occam's Razor teaches us that we should, if in doubt, assume that the simplest explanation is true. Well, so what happened? Did the FBI cooperate with the NSA to attack Tor? It's possible, but think how risky it would be for the NSA to get caught up in more domestic surveillance. They're feeling the heat as it is, and they want to use their unconstitutional powers, to the extent they have them, to catch terrorists, not score a propaganda victory for the FBI. The incentives just don't add up. And if they did, why is Agora still around? If they targeted Tor, why are only some markets down?

Did they infiltrate everyone? Unlikely. Defcon may have made some mistakes, but what do you think Defcon would have done if one of his admins walked up to him and said "Hey Defcon, I would really very much like to know the real IP address of your server, would you tell me please? I can offer flattery in return and I will pretend to belong to your subculture". Well, he might not have attempted to call a bitcoin-funded hit on him, having learned that that didn't work out so well for his predecessor, but one suspicious question and the undercover fed dude is no longer an admin. End of story. It's downright implausible that they got the address via social engineering.

No, it's most likely the feds just used SQL Injection, Cross Site Scripting or another well known attack vector to hack as many sites as they could including Silk Road 2.0 and then OBSCURE THE FACT THAT THEY DID. The judge in the Silk Road 1.0 case essentially gave them a free pass. The feds' story in the 1.0 case looks very suspiciously like they were trying very hard to not say they used an SQL injection vector on the captcha without explicitly lying, and the judge let them get away with it. He might as well have put on a "black hat hacking is good for the law" T-shirt. So off they went with their government-contracted band of script kiddies and fumbled away.

Our current web site programming technologies are insecure by default. It is just too easy to make a small mistake, out of about 100000000 possible ones, that keeps a contemporary dynamic web site from being secure. The only reason that normal dynamic web sites get away with it is because (1) they are too small a prize to justify the work it takes to find the holes, and (2) if a hole is actually found, it's bad, but not catastrophic. You're a normal company and got hacked? Tough. Say you're sorry and fix it and that's that. It happens all the time. Whoops, right, but WHEN WE'RE IN THE DARKNET WE DON'T GET TO FIX THE HOLE. WE END UP IN THE HOLE. There are no secure dynamic websites when the threat level is as high as the feds can muster. If you can make one that secure, you can earn $1000000 a year in the banking consulting industry. You get to be around criminals and you don't have to watch your back all the time. Why bother to set up a darknet market if you're that good?
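To make the "one small mistake" point concrete, here is an added example (not code from the post or from any market): a captcha lookup like the one the post says was attacked, written once with the visitor's input spliced into the SQL text and once with bound parameters. The table, challenge id and answer are constructed for the demo.

```python
import sqlite3

# Constructed in-memory table standing in for a captcha store: each
# challenge id maps to the answer the visitor is expected to type.
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE captcha (id TEXT, answer TEXT)")
    db.execute("INSERT INTO captcha VALUES ('c1', 'x7k2q')")
    return db

def check_captcha_vulnerable(db, cid, typed):
    # The single mistake: untrusted input becomes part of the SQL text,
    # so a quote in the input can change the shape of the WHERE clause.
    sql = "SELECT 1 FROM captcha WHERE id = '%s' AND answer = '%s'" % (cid, typed)
    return db.execute(sql).fetchone() is not None

def check_captcha_hardened(db, cid, typed):
    # Same query, but the input travels as bound parameters; the driver
    # compares it as data and it can never alter the query's structure.
    sql = "SELECT 1 FROM captcha WHERE id = ? AND answer = ?"
    return db.execute(sql, (cid, typed)).fetchone() is not None

if __name__ == "__main__":
    db = make_db()
    for typed in ("x7k2q", "nope", "' OR 'a'='a"):
        print(repr(typed),
              "vulnerable:", check_captcha_vulnerable(db, "c1", typed),
              "hardened:", check_captcha_hardened(db, "c1", typed))
```

The two functions agree on a right and a wrong answer; they only differ on input containing a quote, which is exactly the case a reviewer or a fuzzing pass needs to cover.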

So please. Don't set up another PHP or Ruby or Python based web site when you're going to become the Nr. 1 priority target for a band of federally funded black hat hackers. Yep, I'm talking to you, who is reading that PHP tutorial right now. Don't do it. It's a loser's game.

So what do we do then? Well, let's learn from history. Napster got busted. Limewire didn't. What was the difference? Napster was centralized, and Limewire was not. The feds are always playing whack-a-mole, but the fact is they have a big hammer, not lots of little ones, so they need big moles to whack. If there is no big mole like Defcon, things get much, much more difficult. They have to go after individual small-timers. There is no figurehead plastered across the media that they can score a propaganda victory against. Decentralized markets are an order-of-magnitude more difficult problem to fix, from their perspective.

The downside is that a decentralized market is orders of magnitude harder to set up, and it's also hard or even impossible to make a profit off of it. The upside is, it's about the same level of difficulty to set up a SECURE CENTRALIZED MARKET. That's why good people who really should know better are setting up these centralized death traps all the time and thinking that they're smarter than everyone else. Well, know what's gonna happen? Math says you're going to get busted. I don't care, I'm just a buyer and I encrypt my address and the most I'll get is a fine for possession. I'll buy on your market. But I also feel bad for you while I'm doing it.

The good news is there is a solution in the works that has two really good advantages: It's called OpenBazaar. I don't understand it well enough yet to make recommendations, but at least the premise it's built on is correct:

(1) It mixes legal and illegal applications. They primarily want to replace eBay (which is a social good in and of itself), but they also believe in civil rights, so it means we will be able to use it. Criminals will hack it, but because it's legal the OpenBazaar makers will be able to fill the holes instead of going in the hole. Then we get to profit from all that legally obtained trial-and-error security, so fewer top vendors will get busted than ever before. The fact that not every 12 year old script kiddie has the tools needed to perform a hack adds to the resources the feds will need to make a bust.

(2) It's heavily decentralized. The market is not bank, arbiter, search, customer database, messaging client and shopping cart all in one, all ripe for the plucking with a lowly SQL injection. The feds might be able to find a way to eavesdrop on their top vendors, but all they get is that one vendor, not everyone else.

There. Look for things like OpenBazaar to solve your darknet market problems, and, in the meantime, dear marketeers, test, test, test, test and re-test your web application for any attack vector you can. Start offering bug bounties to fellow criminals. Take security SERIOUSLY, goddammit, and if this is not your day job, maybe you should make it your day job and spend the majority of your day looking for vulnerabilities (but be sure to have a sham business and sham identity like a good criminal and take your offline operational security seriously as well). Then consider the feds may have attacked Tor after all. If you still want to be in this business knowing what you are up against... what's your onion address? I could use some weed right now and it's not me who's going to get busted.

In the meantime, buyers, sit tight, encrypt your addresses, go for Agora or something, never store a lot of money in-market (blockchain.info via Tor is convenient and reasonably secure, for the purpose), use Shared Coin to launder your transfers into the market, and patiently wait until something decentralized comes along. You will love to shop without all that bust chaos. But in the meantime, we live with it.

It's all good. It really is!

SL

Edit: al_eberia presented some pretty good evidence for a vulnerability that might involve Tor itself: The dude behind doxbin posted a rather complete post-mortem on how he may have been exposed. He does admit, however, that the PHP code "is a headache-inducing nightmare" and that he "inherited the code and it worked, so [he] just papered over its defects over the years". The doxbin dude could arguably be classified as one of the most competent darknet site operators, and even he was unable to say for sure if his code was secure enough. Time will tell if it was the PHP or Tor, but this is rather compelling evidence for how broken the very idea of a dynamic darknet website really is. We need an anonymous peer-to-peer application.


Comments


[13 Points] sapiophile:

Word.


[13 Points] al_eberia:

The problem is that they have also seized sites hosted by competent admins, such as doxbin. It was open source, had a very low attack surface and hack attempts have been bouncing off it for years. The admin was running hardened nginx with numerous other security measures. I find it hard to believe that the FBI managed to find a vuln in it that nobody else could. The admin also mentioned finding things in his log files that he suspected could be part of a de-anonymization attack.

Check out twitter.com/loldoxbin


[2 Points] TorIsCompromised:

Web programming is safe by default; SQL injection or HTML/script injection are not possible if the programmer is not a lowbie.


[2 Points] TheHipHopHippy:

The vendor busts are kinda worrying. The postal services are the weak link. They gotta be ordering and profiling packages. Get the package pattern (even being super random is a pattern), then go to that zip/region and notify the postal workers who pick up/receive the packages what to watch out for. Once spotted, just one undercover could watch and tail the sender to his house. Then get an easy probable cause warrant. Don't be shocked if they start picking off vendors more frequently now. If they really focus on that, it will be a game changer.


[1 Points] MDMAzing249:

Sexy


[1 Points] saddestsadist:

So please. Don't set up another PHP or Ruby or Python based web site when you're going to become the Nr. 1 priority target for a band of federally funded black hat hackers.

Open Bazaar is built primarily with Python.


[1 Points] Debo242424:

This IS the weak link. Good observation. Problem is they don't care about end users/small fry. They may go after them for a short burst to prove a point but it would never be a consistent thing on a federal level.


[1 Points] ysplzthnks:

Just FYI, I've had Javascript errors trying to run Shared Coin over TOR even with Javascript enabled. I had to contact support to try and get my coins back from a middle wallet, and they basically told me the only way I could get them back was by using the Chrome extension which they highly recommend using from now on... I still use them for the plausible deniability extended by the coins moving through an extra wallet, but I use Quick Send to send to Grams for tumbling, because Shared Coin isn't reliable through TOR as confirmed by their support staff.