"OMG, it's a honey pot I tell you!" - Here's the thing, I really don't care.

I see all these posts saying that because Agora and Evolution are both still running they must be honey pots and that you shouldn't use them.

First, let's get out of the way that that's really just an assumption. There is no reason to suggest that this must be the case. If sites like Evo or Agora are run by different people from Silkroad, they have different code, and their admins follow different OPSEC (hopefully they don't have their heads up their ass on this one), then when one site is taken down the other will survive in parallel, as it takes a whole different route to compromise it and shut it down.

Now that we have cleared that up. If it's a honey pot LE is powerless against me and I'm still going to use the site. Let's analyze for a second what LE could do if they seized full control of a darknet market.

If it is a honey pot they can make an image of the servers. They can read all information going in and out of the site. All communication between users and vendors. They can see what Bitcoin were deposited to this site and of course trace their origin via the blockchain. They can take all profit and deposits made to the site and keep it to themselves. They can manipulate data on the site. Change reviews, change public PGP keys listed on users/vendor profiles. They could also plant malicious code on the server.

LE CANNOT identify the IP address of users due to the TOR network. I trust TOR to not be broken. I acknowledge that there are theoretical attacks all users should be aware of (I recommend you look up the NSA's leaked PowerPoint on TOR). As such I connect to TOR only over a double VPN for added security.

Now. When I send all sensitive information to vendors using PGP in the event of a honey pot LE can't discover who I am as all they get is encrypted text. Any sensitive info a vendor may want to send to me they can encrypt to me with PGP (I suggest you use higher end 4096 bit PGP keys, you should never use a key below 2048 bit). Sure maybe some basic unencrypted text is sent to vendors. So what. I'm still pseudonymous.

I have my vendors' PGP keys saved on my computer so I know even if they did change the PGP key listed it wouldn't affect me. As for new vendors, pretty much all vendors selling physical goods are on more than one market place so it allows for greater authentication that it's their PGP. Even if by chance they started replacing PGP left and right on all markets the vendors would notice and so would the users when we don't get our drugs.

All Bitcoin I send to a market place is tumbled multiple times through various means. You can use altcoin exchanges in conjunction with CoinJoin to tumble cheaply to add extra security in case one of the tumblers used is a honey pot (it's also useful transferring between altcoin exchanges using an alt, not just because it ensures you don't transfer out the same Bitcoin but it makes it far quicker to transfer LTC a few times and trade for BTC for deposit than BTC>BTC>BTC). So even if it is a honey pot LE doesn't know where my Bitcoin came from.

Now they could seize funds. We would start to notice this quick. Regardless I am now going to start learning multisig on Evo to solve this.

So? What are we left with? The ability for LE to run a drug empire and profit? Those sneaky bastards. Next thing you know they'll be funding the Contras.

Sorry if there are typos, I got to leave can't reread this post now, will edit faults later.


Comments


[33 Points] egokuu:

I connect to TOR only over a double VPN

Is this the new "I'm behind 7 proxies"?


[22 Points] sklurgh:

In case of a dispute I wouldn't want to share tracking info with LE admins.


[7 Points] Universe_Man:

So? What are we left with? The ability for LE to run a drug empire and profit? Those sneaky bastards. Next thing you know they'll be funding the Contras.

Classic.


[7 Points] DicksWillBeFucked:

If I were LE or the gov, I would tell people to not worry about shit, have fun, post supporting information. Then take down a market I was running. Sure, I may be eating tin foil for breakfast but who cares?

Why would you knock people for being skeptical or for even entertaining the possibility of gov's making honey pots considering the context of international law today? We already rob countries in plain sight and very few even see it. We put it under the guise of "democracy" which we don't even have in our country, and then we blanket it with "technocratic" lingo we claim to be objective like ending "poverty".

The idea that LE or the gov is playing a huge role in this isn't a surprising notion, regardless of how improbable you make it out to be. Considering how we've murdered and assassinated people, infiltrated governments, put in puppet regimes, why the hell would this be so farfetched?

Not like you're posting authentic pictures of your photo ID on here for us all to see. With records of your existence for us to know who you are and whether or not you are LE. You could give me all the info in the world and I could still rightfully be skeptical. Point is, the majority of the population doesn't know any of this shit or any of this (or would be considered to many average users) highly technical information. It's awesome you do, but we don't.

Our skepticism could save our asses someday when the cookie seems to be sitting right in the counter for us to grab. Damn devil could make you believe whatever the devil wants you to believe. But I say we keep walking and nod this post on our way taking it into consideration.

DicksWillBeFucked and I'll be damned if anyone stops me from fucking them dicks.


[5 Points] cqm:

Yes, as a passive observer it is interesting how diligent people are getting. Think about it: The most expensive international cooperation in history only seized $1.2 million USD and Silk Road 3.0 was up within 24 hours.

Next thing you know they'll be funding the Contras.

So facetious


[7 Points] sapiophile:

Now. When I send all sensitive information to vendors using PGP in the event of a honey pot LE can't discover who I am as all they get is encrypted text.

In a honeypot situation this isn't true, at least if you get your vendor's key from the market site itself. LE could just swap out "vendors'" keys with their own as they serve them to other users, then act as a simple Man-In-The-Middle and intercept all your "encrypted" communications and have no trouble reading any of it. Then they re-encrypt it to the vendor's real key and relay it along, and nobody ever finds out.

This is why I made this post: https://ssl.reddit.com/r/DarkNetMarkets/comments/2d37yd/a_very_important_note_about_openpgp_security_only/

We really need to start working on Key Trust in the darknets. I have a much better solution in mind than what I proposed in that post, now, and I'm going to try and make a new post about it today. Essentially, vendors should include with their shipments a slip of paper with their key fingerprint AND a totally unique string (can be pretty much anything with similar properties to a good password). The buyer then verifies the vendor's key fingerprint with the key they have stored, and sends them a signed and encrypted message with the unique string and their own key's fingerprint. At this point a high degree of key authenticity is assured, and the vendor and buyer can upload trust signatures on each other's keys to a proper keyserver (probably sig2, not sig3).

After a few people have signed various vendors' keys, and people start getting keys from keyservers like they should instead of from markets, a really strong and robust Web of Trust can actually come about.

Also, if you're giving out key creation advice, in addition to key length, definitely recommend that people use RSA as well.

EDIT: I've now made a new submission about this, and how we can prevent it: https://ssl.reddit.com/r/DarkNetMarkets/comments/2loixp/how_le_might_read_our_pgp_messages_and_how_we_can/


[3 Points] Jaymacmac:

Is it ok to FE for LE ?


[3 Points] polvb:

If Agora is a honeypot, then it's doing a shit job, because it's down half the time, and I still get orders from it.


[2 Points] wizdum:

You know a good way to earn the trust of people who run darknet markets?

Be someone who runs a darknet market.


[2 Points] DrFisharoo:

Honestly, I hate people like you. You are so damn arrogant. "What if they took over an entire site? So what" No matter how good your security is, in the end you are trusting that the vendor is actually a vendor. In the end, it's blind trust. Notice how the arrests are the results of PEOPLE'S fuck ups? Say you do follow all your security and your vendor doesn't. Say he keeps addresses in plaintext or, like what just happened, they catch him with his computer on and decrypted. Then what?

In the end, you do a disservice. DNMs can be relatively safe. But that kind of half-cocked arrogance isn't.


[1 Points] None:

I suggest you use higher end 4096 bit PGP keys, you should never use a key below 2048 bit

This makes no sense. Sure a 4096 key is WAY harder to break than a 2048 bit key. But a 2048 bit key is effectively impossible to break by brute force in the life of the universe.


[1 Points] None:

These notions have been irritating the fuck out of me. Perhaps it's a good thing that lots of people think the surviving markets are honeypots, so less will use them, they'll get less publicity, etc., so they will be up for longer.


[1 Points] polvb:

A lot of you overestimate LE. The only people LE are interested in are in this order.

Websites > vendors > bulk buyers

Of course though, you can still get busted if you're some fucking retard, and buy your btc using your Dad's credit card from Coinbase, not tumbling it, then using no PGP.


[-1 Points] None:

tldr version? I don't feel like reading a bitching essay about people bitching about honeypots.


[-1 Points] og_by_monsanto:

Not the Contras, the NSA more likely