Topic: Silk Road was not seized by the FBI, the site was manually shut down (Read 3437 times)

Who says his strategy had not worked? As of now he has not been found guilty. I think he is likely the person who was behind SR, but I also think there is a good chance that he may get off on a technicality.

Ya it wasn't a bad idea, guess it just didn't work. I wonder if he will ever get out of,jail. Good,luck bro

A better reason to want to have some kind of security feature on your laptop would be because you have the potential for someone actually stealing it from you. If you do not have full disk encryption (or something similar) then your data is essentially controlled by whoever physically has possession of your laptop. This could easily result in you having your bitcoin stolen from you or having other sensitive data leaked to people you don't want to have

how many copies in 17 countries

sounds like the Rise and Rise of the SilkRoad

What I don't understand is why he didn't use TOR to connect to the VPN, instead of connecting to the VPN directly. (I think this is possible?) The government apparently had used pen registers to get routing information from the server in iceland, so I would assume they did the same with the VPN to get his actual IP address. However if TOR exit nodes were all that were connecting to the VPN with his credentials then it would be impossible to make the connection back to him (unless I am missing something). 

I think the reason why Ross was using a insecure location to access SR was to create some level of deny-ability if his connection from SR was to be traced back to his internet connection. Accessing it from public would mean that there could have been potentially several people who could have been the person behind the connection verses just one (actually 4 if you count his roommates) if he used his own internet connection.   

Lol +1

Best tools for anonymity when conducting dubious transactions are..

Balaclava
Remote car park
Being called John or Dave

Oh.. That makes total sense. I guess I'd need to put some sort of time-out / screen saver / auto-log-off thing on my laptop, in case I'm actually operating a hidden site through a VPN in a public library. Cars have this thing called an immobilizer.

That goes back to physical security. You can avoid this by accessing the hidden site only when you are in a secure location, and where you should be able to see law enforcement coming, or at least notified a few seconds before they can serve the warrant.

Nobody yells "Freeze!" anymore. AFAIK all law enforcement is now trained to first create a distraction by e.g. activating the alarm on the suspect's car. There's apparently a great overlap between various computer hackers/fraudsters and the expensive car enthusiasts. Only after the suspect runs away from the computer he gets served with the warrant.

It wasn't "feeble authentication", it was "feeble anti-denial-of-service defense".

What you proposing is workable, but worsens the denial-of-service attacks by increasing the CPU load. The better way would be to lower the number of rounds instead of increasing it, or change other constants that have no influence of the CPU load. If the goal is to simply make an unmodified program unable to connect then the simplest and least CPU intensive solution is to change the handshaking prompts/response. At least the failure will be immediate and will not require any CPU intensive cryptography before the disconnect.

Port knocking (properly, intelligently implemented) is not an authentication measure, but anti-DoS, anti-scan & anti-brute-force measure. Only after successful port knocking the regular, CPU-intensive authentication can be attempted. Without proper port knock nearly all port-scans will fail and nearly all incoming packets are ignored. The objective is to prevent from creating any meaningful load on the defended equipment, no matter what the network protocol is being attacked. I find it quite common that people underestimate the CPU and network load that the SSH daemon under attack can create on a machine.
I don't consider Cisco's implementation (Lock&Key) a "venerable" implementation, it is basically a telnet login (on an alternate port) that always looks like failure. But it is reasonably successful in its main goal: drastically reducing the CPU load on the attacked router/switch and making brute-forcing of any equipment behind it impossible. For any OS different than Cisco IOS there are much better port-knocking implementations available. But the Cisco's implementation is probably the most widely used one and therefore still worth mentioning despite being phased-out and considered obsolete.

Don't forget that you could also use Whole or Full Drive Encryption. TrueCrypt just "died" but the software still works, and there are alternatives that also work.

I'm not sure how much time you would have between "Freeze!" and turning off your computer/laptop. But if you had decent physical security, you'd have more than enough time to shut down (or insta-crash it.)

I wouldn't really know as I've no experience operating hidden services through VPNs in a public library.

That's the whole point of my first post. Read it again. Ulbricht's feeble authentication method was to only allow his VPN IP to connect to sshd. This was his decided method to keep out anybody trying to get into the open SSH port. When the feds found the server (through other means), and had the hosts in Iceland copy the server state they discovered this IP address in sshd_config, traced it and found him.

I suggested that the correct way to do this kind of security by obscurity, instead of pasting in your VPN IP to a remote server for anybody to find is to add x rounds to a specific cipher in OpenSSH, so negotiating with it would be impossible, unless you had the secret client you made yourself that matches sshd's algorithms on the server. SSH is not the only protocol you can tweak either. Add another few rounds to your IpSec solution and ditch the port knocking.

I wouldn't be so quick to venerate Cisco IOS either, considering last year they were caught using unsalted base64 in their so-called new and improved IOS Type 4 hash used for IpSec auth http://tobtu.com/cisco4tosha256.php  

Well, the Svartholm case is still open, but is the good example of "prosecuting a person" is not the same as "prosecuting a computer with certain IP address". There are other cases, where such a defense was successful.

While I don't know the specifics of Ulbrich's case I recognize a pattern in similar cases: getting lazy and mentally attached to the same laptop with favorite OS,  same network adapter, same phone, same SIM-card, etc. Nobody will comment publicly on pending/unsolved cases, but I've heard some non-public comments from my friends in IT. I've also seen what a skilled sys-admin can do on a Windows Home Edition hotel-loaner machine with telnet and IPsec control panel. I think I have a broad understanding of which cases weren't prosecuted and why.

But in general discussing security on an open forum is difficult for a professional. Nearly every person that I know will have the knowledge that is "off record" and shared only with friends. There's this old saying: "Those who know, don't tell. Those who tell, don't know."

Feds already had the server, they didn't need to hack into it. The feds were trying to locate the owner of the server and collect the evidence.

I proposed to use widely known & deployed technologies (IPsec&Kerberos) for which attacks are theoretical/academic or of concern to the paranoia-security-set only. A form of port knocking is still widely deployed and used on nearly all Cisco IOS routers/switches (Cisco Lock&Key) and nobody is proposing that as an only line of defense, only as the first one, essentially a defense against port-scanning and password-brute-forcing.

What you proposed is a textbook example of "security by obscurity": changing a constant in the cipher implementation. I still think that "security by obscurity" is a valuable tool in evasion and counter-intelligence, but not discussed in the cryptography textbooks.

I reread your posts in this thread and I noticed that you've numerous times tried to switch the subject of the discussion. Normally I would suggest the standard "switch to decaf", but this thread is about Silk Road and they didn't sell coffee. So I don't know what you should switch to, sorry.

They had data as of a certain date as well as the routing information. If they knew that the server was accepting connections connections from a certain IP address then they would know with reasonable certainty who was "behind" the website. The government could simply get warrants for the routing data for the IP address who was connecting to the SR servers to figure out who DPR nka Ross is.

IMO a much better way to protect his anonymity would have been to connect to a VPN/VPS via TOR that allows for 2FA via a GPG signed message and/or a bitcoin address signed message.

I will certainly be watching this case very closely.

That hasn't kept Svartholm out of solitary confinement since being shipped back to Sweden, so that's not a very good example. I suspect keeping them 'out' is more useful than not-looking-suspicious on the internet. Ulbrich was in a public library when he was arrested, using what was presumably public wifi, so using public resources does not constitute a good defense--as you've said, it's obvious who dun it.

We need a TorCoin or something to help create a sustainable/more decentralized/more secure onion network. Tor is the weak link in too many stories.

The server running Telnet or sshd, not the client.
  

No, you proposed port knocking, and kerberos and telnet. Wide open to replay and timing attacks. I proposed adding rounds to OpenSSH on the server, and keeping an encrypted custom version of OpenSSH because the server won't even talk to any clients that don't know the algorithm, that you can download, decrypt and run in under 30 seconds with any live CD.


So custom crypto engineering is 'fraternity' level while running telnet and kerberos, behind port knocking will defeat the FBI. I look forward to your white paper

Yeah, mythical omnipotent "Feds" with access to secret OS-independent "0days" that hack back the telnet clients (not the server)! I think this the new height of paranoia that I've encountered.
 

I don't think you have your threat model right for the things you keep proposing. Or maybe you keep changing your threat model, I don't fully understand your writing.

What I proposed was an excellent defense for a single person trying to evade being by using various locations and various machines with various OS-es. As a second line of defense if located that single person wants to hide behind plausible deniability to evade or weaken prosecution.

What you were originally proposing (modifying a cipher by changing an implementation constant) would be a decent defense for an already known group of people (lets say a fraternity) who want to hide their internal communication from competing groups (other malicious pranking fraternity) and also spread and weaken possible prosecution of their own malicious pranks.

The federal agent with the telnet or SSH 0day won't be slowed down by port knocking. A secret algorithm however is a different story.

Also, how would they know you maintained the bitbucket server when you access it through Tor, and the only thing sitting on it is an encrypted file with no knowledge of what's inside. You could also just download regular OpenSSH from the yandex.ru openbsd port mirror and manually edit it, compile and run, all in Tails easily, or another live distro. You could do this on a phone running Replicant, I build my own kernels on the device should be no prob building OpenSSH.

He could of also run a paid botnet with tinyscheme, puppet and emacs receiving ED25519 signed JSON feeds never having to touch http/ssh/anything. Could have automatically moved his servers every x amount of time inside a sea of 300+ decoy gateways and it would have cost him under 1% of his revenues. I guess he also could have lived in Russia too for that matter.

Edit: Use both if you want, port knocking plus make your algorithm secret: http://www.thoughtcrime.org/software/knockknock/