From Adrian Chen's Gawker long-read
about that recent bust
of the web's biggest online illegal drug marketplace:
The lesson of the Silk Road takedown isn't that Ulbricht was sloppy about security. It's that the idea of a world famous, anonymous illegal market is fatally contradictory. Ullbricht made some technical mistakes, but his biggest one was conceptual: buying his own hype that high-tech tricks would let him implement a radical free market fundamentalism that could never work politically.
Read the whole piece
. Related: Chen's profile of Ross William Ulbricht
Despite the fact that online anonymity tool Tor was developed with US government funds, the NSA really does not like Tor.
Top-secret documents leaked to the Guardian by former US intelligence contractor Edward Snowden reveal details of repeated attempts by the US and UK governments to crack Tor, the "onion router" that was originally funded in by the US government, and used widely by dissidents and activists around the world. Tor's core network security remains intact, but the NSA has had some success attacking users' computers, according to the report.
Who uses Tor? According to one of the slides in the leaked presentations, "Terrorists!" The NSA is fond of the generous use of exclamation points in these things.
Read the rest
What users who attempt to connect to the Silk Road marketplace see now (HT: Adrian Chen)
Looks like the government shutdown didn't stop federal agents from shutting down the most popular "deep web" illegal drug market. In San Francisco, federal prosecutors have indicted Ross William Ulbricht, who is said to be the founder of Silk Road. The internet marketplace allowed users around the world to buy and sell drugs like heroin, cocaine, and meth.
The government announced that it seized about 26,000 Bitcoins worth roughly USD$3.6 million, making this the largest Bitcoin bust in history. There were nearly 13,000 listings for controlled substances on the Silk Road site as of Sept. 23, 2013, according to the FBI, and the marketplace did roughly USD$1.2 billion in sales, yielding some $80 million in commissions.
According to the complaint, the service was also used to negotiate murder-for-hire: "not long ago, I had a clean hit done for $80k," the site's founder is alleged to have messaged an associate.
Ulbricht, 29, is also known as "Dread Pirate Roberts."
Read the rest
Jacob Appelbaum of the Tor Project and Wikileaks addressed the European Parliament on the issue of surveillance and freedom. It was a remarkable speech, even by Appelbaum's high standards. An amateur transcript gives you a sense of what's going on, but the video is even better: "Is it used for coercion? Is data passed to autocratic regimes? Is it used to study groups? Is it used to disrupt? Yes, yes, and yes. Might they force or forge data? Absolutely."
Read the rest
"It wasn’t ever seriously in doubt," writes Kevin Poulsen at Wired
, "but the FBI yesterday acknowledged that it secretly took control of Freedom Hosting last July, days before the servers of the largest provider of ultra-anonymous hosting were found to be serving custom malware designed to identify visitors." Freedom Hosting was a provider of so-called “Tor hidden service” sites. Their addresses end in .onion, their geographic locations are masked behind layers of routing, and they can be reached only over the Tor anonymity network. [Threat Level] — Xeni
Errata Security CEO Rob Graham has published a blog-post speculating that ninety percent of the traffic on the Tor anonymized network can be broken by the NSA. That's because the majority of Tor users are still on the an old version of the software, 2.3, which uses 1024 RSA/DH keys -- and at keylengths of 1024 RSA/DH crypto can be broken in a matter of hours using custom chips fabbed at an estimated cost of $1B. It seems likely that the NSA has spent the necessary sum and sourced these chips (likely from IBM).
This isn't the same as being able to decrypt all of Tor in realtime, but it does suggest that the NSA could selectively decrypt its stored archives of Tor traffic.
However, the new version of Tor, 2.4, uses elliptical curve Diffie-Hellman ciphers, which are probably beyond the NSA's reach.
Graham faults the Tor Project for the poor uptake of its new version, though as an Ars Technica commenter points out, popular GNU/Linux distributions like Debian and its derivative Ubuntu are also to blame, since they only distribute the older, weaker version. In either event, this is a wake-up call that will likely spur both the Tor Project and the major distros to push the update.
Yesterday's revelations about the NSA's ability to decrypt 'secure' communications were taken by many to mean that the NSA had made fundamental mathematical or computing breakthroughs that allowed it to decrypt securely enciphered messages. But it's pretty clear that's not what's going on.
Read the rest
More information on the malicious software that infected Tor Browser through Freedom Hosting's servers, which were then seized by law-enforcement: it turns out that infected browsers called home to the NSA. Or, at least, to an IP block permanently assigned to the NSA.
Read the rest
Read the rest
HackBB is a popular underground BBS for computer criminals; last March it went down after a prominent user and administrator called Boneless stole all the funds in an escrow service used by criminals to pay each other for services; destroyed part of HackBB's database; and sent blackmail notes to many of the site's users. Prior to the theft, Boneless had been a sterling member of the community, posting well-written, useful guides to using stolen credit cards, defrauding online bookmakers, and going underground anonymously. After two years' worth of winning the community's trust, he raided them and took the site down. But it didn't last long -- today, HackBB is back up and running.
Read the rest
Tor.com, the electronic arm of Tor Books, has published a free-to-members ebook called The Stores: Five Years of Original Fiction From Tor.com
, collecting stories originally published on the site by John Scalzi, Rachel Swirsky, and many other writers (including me!). It costs nothing to sign up for Tor.com, and new signups can get the anthology for free.
The Guardian has published two more top-secret NSA memos, courtesy of whistleblower Edward Snowden. The memos are appendices to "Procedures used by NSA to target non-US persons" (1, 2), and they detail the systems the NSA uses to notionally adhere to the law that prohibits them from spying on Americans.
More importantly, they expose the "truth" behind NSA director James Clapper's assertion that "The statement that a single analyst can eavesdrop on domestic communications without proper legal authorization is incorrect and was not briefed to Congress." This turns out to be technically, narrowly true, but false in its implication, as Declan McCullagh explains on CNet:
Clapper's statement was viewed as a denial, but it wasn't. Today's disclosures reveal why: Because the Justice Department granted intelligence analysts "proper legal authorization" in advance through the Holder regulations.
"The DNI has a history of playing games with wording, using terms with carefully obscured meanings to leave an impression different from the truth," Kurt Opsahl, a senior staff attorney at the Electronic Frontier Foundation who has litigated domestic surveillance cases, told CNET earlier this week.
Read the rest
Molly sez, "I wrote this short essay over at iO9 on what the future of civil disobedience could look like. Though in the past civil disobedience was enacted in the streets, with people placing their bodies in harm's way for their cause, now online activists can engage in digitally-based acts of civil disobedience from their keyboards. I lay out three major lines along which digitally-based civil disobedience is developing: disruption, information distribution, and infrastructure. The future of civil disobedience online lies in affinity groups combining these three styles of activism, and using a diversity of tactics to support a common cause."
Infrastructure-based activism involves the creation of alternate systems to replace those that have been compromised by state or corporate information-gathering schemes. In other words, if the government is snooping on the internet, activists build a tool to make it harder for them to see everything. Tor, Diaspora, and indenti.ca are some examples of these projects, as are the guerrilla VPNs and network connections that often spring up to serve embattled areas, provided by activists in other countries.
Similar to living off the grid, these projects provide people with options beyond the default. Open source or FLOSS software and Creative Commons use a similar tactic: when the system stops working, create a new system. The challenge is to bring these new systems into widespread use without allowing them to be compromised, either politically or technically. However, these new systems often have to fight network effects as they struggle to attract users away from dominant systems. Diaspora faced this issue with Facebook. Without being able to disrupt dominant systems, user migration is often slow and piecemeal, lacking the impact activists hope for.
The Future of Civil Disobedience Online
About this nifty "Onion Pi" HOWTO just published at Adafruit, Phil Torrone says, "Limor and I cooked up this project for folks. We are donating a portion of any sales for the pack we sell that helps do this to the EFF and Tor."
Browse anonymously anywhere you go with the Onion Pi Tor proxy. This is fun weekend project that uses a Raspberry Pi, a USB WiFi adapter and Ethernet cable to create a small, low-power and portable privacy Pi. Using it is easy-as-pie. First, plug the Ethernet cable into any Internet provider in your home, work, hotel or conference/event. Next, power up the Pi with the micro USB cable to your laptop or to the wall adapter. The Pi will boot up and create a new secure wireless access point called Onion Pi. Connecting to that access point will automatically route any web browsing from your computer through the anonymizing Tor network.
Part of the plot in Homeland revolves around "hidden services" on the Tor network. Now, a fan of mine in Norway called Tor Inge Røttum has set up a hidden service and stashed copies of all my books there. He writes:
A hidden service in Tor is a server, it can be any server, a web server, chat server, etc. A hidden service can only be accessed through Tor. When accessing a hidden service you don't need an exit node, which means that they are more secure than accessing the "clearnet" or the normal Internet (if you want). Because then the exit nodes can't snoop up what you are browsing. Hidden services are hard to locate as most of them aren't even connected to the clearnet.
I don't have any servers or computers that I can run 24/7 to host a hidden service, but fortunately there is a free webhost that is hosting websites on Tor: http://torhostg5s7pa2sn.onion.to
After creating the domain I wrote a dirty bash script to download most of Cory's books and create a HTML file linking to them. It's available on pastebin: http://pastebin.com/3YR6j8zJ
How cool is that?
Gwern's "Using Silk Road" is a riveting, fantastically detailed account of the theory and practice of Silk Road, a Tor-anonymized drugs-and-other-stuff marketplace where transactions are generally conducted with BitCoins. Gwern explains in clear language how the service solves many of the collective action problems inherent to running illicit marketplaces without exposing the buyers and sellers to legal repercussions and simultaneously minimizing ripoffs from either side. It's a tale of remix-servers, escrows, economics, and rational risk calculus -- and dope.
But as any kidnapper knows, you can communicate your demands easily enough, but how do you drop off the victim and grab the suitcase of cash without being nabbed? This has been a severe security problem forever. And bitcoins go a long way towards resolving it. So the additional security from use of Bitcoin is nontrivial. As it happened, I already had some bitcoins. (Typically, one buys bitcoins on an exchange like Mt.Gox; the era of easy profitable "mining" passed long ago.) Tor was a little more tricky, but on my Debian system, it required simply following the official install guide: apt-get install the Tor and Polipo programs, stick in the proper config file, and then install the Torbutton. Alternately, one could use the Tor browser bundle which packages up the Tor daemon, proxy, and a web browser all configured to work together; I’ve never used it but I have heard it is convenient. (I also usually set my Tor installation to be a Tor server as well - this gives me both more anonymity, speeds up my connections since the first hop/connection is unnecessary, and helps the Tor network & community by donating bandwidth.)
Using Silk Road
(via O'Reilly Radar)