Silk Road forums
Discussion => Off topic => Topic started by: havingfun on September 21, 2011, 06:30 pm
-
Yesterday I was reading the newspaper and I read an article about a man being caught for having CP. I'm glad they caught this asshole, don't get me wrong! But the article also said the police were now analysing all chats he had been doing in TOR chatrooms. I'm just interested in how they do that? Can they see what chatrooms people visit via or in TOR chatroom? Or did this man save his chats?
Just curious :D
-
If they aren't using GPG then anyone can see their chat. The only way it's encrypted is if they use GPG. So, just because they are using tor and a forum doesn't mean that they are safe in any way or form....
-
The only assumption you should operate by is the security is broken and everything is logged either inside or outside Tor.
It's possible to prove after the fact someone used a certain hidden service chat, but as long as you don't slip out secret info, and don't fall to social engineering tactics, you're safe.
-
I think they rely on self incrimination by finding an account linked to that specific user and then going through and finding the information that that account admitted to. If it was in a chat room logged they can go through and find anything that that person said under a certain alias and tie it back to them. They can then use that information as self incrimination evidence in a case against that person. Even though the connection was anonymized, if they can tie a specific user name or account to that person, anything posted by that user name or account can then be tied to the person that posted it.
-
Thanks for all your ideas and information!
-
Dumbass should have used OTR chat: http://www.cypherpunks.ca/otr/otr-wpes.pdf
Also, this whole PGP/GPG encryption going on between sellers and buyers is a joke and is extremely insecure. There's no "perfect forward secrecy" going on on SL.
I'm actually thinking about a longer write up on this sometime soon, and possibly a development of better, more secured order placing software. After an order on SL, seller would generate a token, that would later be used inside my program to exchange shipping info etc. Software would provide perfect forward secrecy; one time session keys, etc.
-
I agree with homerred. They would have linked the person to the username, then after the fact, looked at logs for that username. Doubting they accessed the chat logs on the actual chat system, but rather, they previously logged in real-time since it was publicly available (not pgp'd).
Gall Anonim your statement about pgp is a bit on the vague (with descriptiveness). How specifically is it not right?
Are you suggesting that pgp itself is flawed, or the way we are using it?
-
There is no way PGP/GPG is flawed. There are no "backdoors" (in GPG anyway..) the only weak point is and always will be down to the human that set it up in the first place (not enough characters for your passphrase).
However, the implementation here is not ideal..
The reason I can think of: The idea is that if you are getting busted then your computers and everything on them will be confiscated and gone over with a fine tooth comb so say goodbye to your private keys...
"But I use a virtual machine that is stored on an encrypted disk with a super secure passphrase"
Fine, but if you fail to give the police the pass phrase for that encrypted volume you can go to prison for up to 10 years for "failing to disclose an encryption key" - in the UK anyway. People have and will continue to go to prison for it. This has happened to people suspected of being in possession of indecent pictures of children and involved in rings of some kind, but you can bet your arse they will pull this shit on suspected big time sellers too (if these sellers have lost their plausible deniability anyway..)
Now I LOVE the idea of having one time generated token pairs. This could mean that each message has completely different tokens, and even better than that, Silkroad could destroy the messages once you have decrypted/read them. Think Inspector Gadget style ("this message will self destruct in 5..4..3..2..1")
But the software, the encryption routine (can still be based from GPG I guess - open source baby!) and the backend that silkroad would have to adopt would have to be so damn robust it's not funny.
-
LexusMiles, ForgotMyPass,
Here's what I think Gall had in mind...
PGP encryption is used to secure the message. Signatures are used to prove authenticity. Here's the problem: IFF a seller is not computer savvy and forgets to delete all communication from a buyer, all PGP encrypted messages can be decrypted using seller's private key. If a buyer signs a message, and his/her computer is later confiscated, LE can prove that a message found on seller's computer was in fact sent by the buyer, since it was signed and now LE is in possession of both seller's and buyer's private keys. This is incriminating evidence!
Enter the Off-the-Record messaging described here: http://www.cypherpunks.ca/otr/otr-wpes.pdf
The greatest benefit of OTR messaging is that it provides "perfect forward secrecy". Meaning that all communication (chat session) is first initiated using either PGP or key agreement protocol, and then a one time session key is generated for that session only. After the session is over, the key is destroyed. SO, even if LE is monitoring and storing the encrypted traffic, there will be no data on seller's nor buyer's computers that can decrypt the ciphertext (encrypted communication captured by LE). Also, since the messages are not signed, both parties can claim that traffic was fabricated by a malicious third party.
This would provide extremely high level of security if it was adopted by sellers and buyers. Imagine that instead of PGP encrypting your delivery address and attaching it to the order notes sent to seller, you sent NOTHING, or you provided a screen name on a chat server. Later, the seller would initiate a chat session with the buyer, using OTR protocol (supported by a plugin inside Pidgin software), and the buyer would then instant-message the delivery details to the seller. Now, seller could still save this information locally, but at least it would be harder to prove by LE who initiated the communication, or who sent what.
Of course you can achieve similar results by not signing the PGP encrypted message to the seller, MINUS the benefit that those can be decrypted later. OTR traffic, once the session is over, can NEVER be decrypted (unless brute force approach is used, which is impractical to say the least).
This could be easily achieved if:
1) A chat server was provided on TOR network.
2) Buyers and sellers would have screen names that correspond to screen names on the Silk Road (for simplicity's sake)
3) Buyers and sellers would use Pidgin with OTR plugin to exchange shipping information, protocol would look like this:
a) Buyer purchases an item, and includes a unique ID / token with the order, ex.: 67AB0692
b) Once the envelope is ready to be labeled, seller contacts buyer and asks for shipping details, and provides the token back.
c) Buyer sends back a message, ex.: "For order 67AB0692, ship to Joe Schmoe 123 Main St, Sin City, XYZ 12345"
d) Seller prints shipping label then disconnects the session, effectively destroying all communication.
Now one could argue that seller could always copy and paste the info and save it. That's true, but at least there's no record of transmission ever taking place.
OR, a special program could be written (and open sourced for community to review) that would make it difficult to store such info; copy-and-paste it out. A special order confirmation / tracking software would be very fun to write, and it would work something like this:
1) No central server would be needed, sellers and buyers would run it locally and hook it up as an .onion service effectively exposing it on tor network.
2) A seller would provide his .onion address
3) A buyer would add seller's .onion address to his/her seller list
4) Seller could "ring" the buyer with token and request for info
5) Buyer would type in shipping info for particular token and send to seller (here's where it could get interesting, the information on the seller's side could be presented in form of a captcha, to make it harder to copy and paste out)
OR the same (minus copy-paste ability) could be provided using .onion chat server where sellers and buyers create accounts and exchange shipping details and other info using OTR messaging where perfect-forward-secrecy is provided, as opposed to PGP messages, where all past communication can be decrypted if seller's private key is compromised.
Thoughts?
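
The difference between the two key models in the post above (messages encrypted to a long-lived key versus a per-session key agreement), as an added example that is not part of the original thread. It assumes a toy Diffie-Hellman group and a toy XOR stream cipher chosen for this illustration, leaves out the authentication of the key exchange that OTR performs, and all function names are hypothetical.

```python
import hashlib
import secrets

# Toy group for illustration only (assumption of this example): real
# finite-field Diffie-Hellman needs a much larger, vetted group.
P = 2**255 - 19
G = 2

def new_secret() -> int:
    return secrets.randbelow(P - 3) + 2

def derive_key(own_secret: int, peer_public: int) -> bytes:
    """Hash the Diffie-Hellman shared value into a 32-byte symmetric key."""
    shared = pow(peer_public, own_secret, P)
    return hashlib.sha256(shared.to_bytes(32, "big")).digest()

def xor_cipher(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (encrypt == decrypt); stands in for a real cipher."""
    stream = b"".join(
        hashlib.sha256(key + i.to_bytes(4, "big")).digest()
        for i in range(len(data) // 32 + 1)
    )
    return bytes(d ^ s for d, s in zip(data, stream))

def static_key_transcript(long_term_public: int, message: bytes):
    """PGP-style: the sender encrypts to the recipient's long-lived public key."""
    eph = new_secret()
    return pow(G, eph, P), xor_cipher(derive_key(eph, long_term_public), message)

def ephemeral_transcript(message: bytes):
    """OTR-style: both sides use per-session secrets, erased when the session ends."""
    a, b = new_secret(), new_secret()
    pub_a, pub_b = pow(G, a, P), pow(G, b, P)
    ciphertext = xor_cipher(derive_key(a, pub_b), message)
    assert xor_cipher(derive_key(b, pub_a), ciphertext) == message  # peer can read it
    del a, b  # nothing that can rebuild the session key survives
    return pub_a, pub_b, ciphertext

def decrypt_with_stored_key(stored_secret: int, public_values, ciphertext: bytes):
    """Candidate plaintexts a holder of a stored private key gets from a recording."""
    return [xor_cipher(derive_key(stored_secret, pub), ciphertext)
            for pub in public_values]

MESSAGE = b"constructed sample message"
long_term_secret = new_secret()  # the key that stays on disk between sessions
long_term_public = pow(G, long_term_secret, P)
```

With the static-key transcript, the stored private key recovers the recorded message; with the ephemeral transcript, the same stored key yields only noise because the session key depended solely on secrets that no longer exist.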
-
In short, and in an attempt to simplify my incoherent rambling from previous post, it would be VERY beneficial if shipping and other communication between sellers and buyers was exchanged in instant messages encrypted inside the Off-the-Record protocol, rendering any and all communication scrambled to LE, even in the event when sellers, buyers, or both computers were to be compromised (assuming sellers and buyers are smart enough not to keep copies of their communication laying around).
Any sellers / buyers willing to adopt this schema? I would be willing to provide a designated box to host a chat server on...
-
Rush Limbo, amazing insight, thank you. Yes, I think that is what Gall would have had in mind. Seems to match up. Seems like a heavy duty process to be asking of the SR admins to go for right now... it would require co-ordinated collaboration of all buyers and sellers for a consistent outcome.
To me, this seems like the best idea for an SR2.0 scenario.
ForgotMyPass: the subpoena for your password and threat of jail time for not revealing it -- there is a way to decrease the leverage of law in that respect *I think*.... like this -- delete the truecrypt bootloader from the MBR of the drive. Have it on a CD or USB instead. If PCs are ever confiscated, the encrypted drive looks like a blank drive with no data on it. Even if the USB or CD is found and identified as a recovery disk, there is no evidence as to which HDD the USB/CD pairs with (if *any*, see you may have re-formatted, who knows).... Now I see it as being unlikely you can be forced to reveal a password to a partition that does not exist. Just some food for thought. A good practice nonetheless.
Also, rush, in the meantime it seems a good practice not to sign PGP's.. is this correct? I never sign anyways, but only cause it's easier not to.
-
LexusMiles,
That's right, never sign!
And this wouldn't really be a hard thing to adopt by sellers and buyers. Instructions on how to install Pidgin are super simple, and so is the configuration for Off-the-Record plugin.
The hard part would be setting up chat server with .onion address, which I would be more than happy to roll out using a designated headless box and Linux or OpenBSD for super security, and finally convincing sellers and buyers to sign up on the chat server (it could use standard protocol like Jabber or something) and explain what the protocol is:
1) Buyer places an order, includes an optional token.
2) Seller contacts buyer, provides optional token*.
3) Buyer provides shipping details.
4) Both parties disconnect; communication even if captured by LE is useless. Confiscation of seller's and/or buyer's computers is useless (assuming both parties don't store any info locally) since no information exists that could decrypt the communication captured by LE.
*token is only really needed in case of multiple orders from one buyer, OR as a mechanism to verify that seller is who he/she says (assuming token was delivered to seller using PGP). Instead of token, silk road order # / transaction # could be used instead, freeing the buyer from having to generate anything; buyer would only have to look up his/her transaction history to quickly associate the seller's request with actual order.
Anyone interested in doing this?
-
I could chip in efforts for the testing phase, ultimately you will need sellers on board though. Another question: if someone were to rent a VPS with root access linux/bsd etc.. *but* has no physical presence at the server (typical for a VPS scenario).. can they run a tor hidden service on it so that all the file structure is encrypted?
So if the owners/admins of the VPS cluster want to snoop among the files on HDD, they won't see, "Oh look, this is the HTML for a drugs website" ?
-
cool! be on a lookout for a new thread in Security section once I set up a server. it may take a while (days, weeks maybe) since i have to get a new hardware box. i'll keep you guys posted.
also, the phishing scenario is not valid, since all communication going through the chat server would be encrypted, AND it would not be hosted on the same box as SL site is. i'm not planning to rent a VPS, i plan on hosting this myself, it's just a chat server after all :) nothing illegal about it :)
-
I'm thinking about a separate but related scenario. If there was a SR website on a VPS, is there a way to serve the website (in onion-land) but with all the disk files encrypted. So any super-admins of the VPS cluster just see scrambled garbage files. I guess it would be some variant of apache that takes encrypted files as input, and serves them as regular html.
-
i wouldn't store anything on a VPS. i bet you the admins/owners/providers reserve the right to snoop around.
-
Yes assuming they do snoop around (I know they do), is there a webserver (apache, lighttpd, nginx) that takes encrypted files as input?
I know this solution will not stop a forensic team in any case, but it is a good solution for preventing 'stumble-upons'. Rather than looking at the better alternatives (such as hosting at home), I'm just curious if this technology exists.