

Four UK men arrested over Silk Road links - TwoFactor
http://www.bbc.co.uk/news/technology-24443216

======
blhack
A friend of our hackerspace had something interesting to say about criminals
(he's a former narcotics cop).

I remember finding a card skimmer once. It was attached to an ATM at my local
bank (at the branch!). I yanked it off of the machine (I've made a habit of
pulling on the reader before I stick my card in; you should too.), and tried
calling the bank.

No answer. It was a Sunday, they were closed.

I couldn't really just leave it there...I kind of wanted to keep it and take it
apart, but I'm sure that would be a crime.

So I called the local cops.

In the ~30 minutes it took them to get to the bank, I spent some time
examining the device.

Whoever built this thing was...an idiot. This was the dumbest possible way I
could think of for storing CC information. It just read the tracks and dumped
them into a flash drive. The criminal stealing cards had to physically /come
back/ to the ATM to retrieve them.

No GSM modem, no bluetooth, no wifi...nothing. No way of getting data out of
the thing without placing yourself back at the scene of the crime.

Honestly, I was a little bit offended. If you're going to steal my ATM card,
at least be GOOD at it! C'mon, criminals! You can do better than this, can't
you?

--

I struck up a conversation with my law enforcement friend about this. Why are
criminals so terrible at being criminals? I mean...I hear about drug runners
getting busted and put in jail it seems like every day. Have seriously none of
them heard of ardupilot? Have they not put the pieces together on this one?

It's because they're lazy.

Most criminals have spent their lives taking short cuts. These are the people
that didn't want to put the time into saving up to buy a cellphone, they just
stole one. Or the people that didn't want to put the time into saving for a
new car, or going to a job every day, or whatever. They just took every
shortcut they could.

So the reason that they suck so badly at stealing my ATM card number is that
doing it badly is easier. It's the shortcut, and shortcuts are what criminals
are all about.

--

Well what does this have to do with silk road?

I'm not really sure what to make of the people behind SR [in whatever form it
takes in the future]. Ross Ulbricht got caught because he made some really
stupid mistakes.

But he's...definitely _not_ an idiot. And if you read about his history, it
doesn't sound like he's lazy.

I think that the drug war has created itself a really dangerous problem. The
nerds have mostly stayed out of crime because it's not worth it to us. Yeah,
sure, we could build drones to fly drugs across the border, but we don't,
because we don't want to go to jail.

But I think that the drug war has created such a _large_ incentive for people
to get into crime, that some of them aren't going to be able to resist it.

DPR made absurd amounts of money. Drug Cartel levels of money.

And he was a nerd sitting in an apartment in Austin, then SF. SR was an
interesting experiment in libertarianism to him, not a drug empire.

What happens when the nerd who realizes the absurd amount of money that they
can make approaches it like a drug empire? Or rather, what happens when an
engineer starts trying to engineer themselves an anonymous drug empire? Not a
political experiment, but a true-blue drug cartel?

That's what the next [or maybe the next after that] SR is going to look like.

Remember napster? Remember suprnova? What happened when those things, which
seemed to start more as side projects to their founders, were snuffed out?

~~~
adamnemecek
It should also be pointed out that you probably don't hear about the skilled
criminals because they don't get caught.

~~~
grbalaffa
Yeah there is more than a little bit of selection bias going on here.

What percentage of criminals are dumb enough to get noticed and/or caught?
Well, we don't know how many _don't_ get noticed, so let's call it zero. Bam,
100% get noticed/caught!

------
lectrick
More consenting adults being arrested for consenting. More taxpayer dollars
being spent on imprisonment and enforcement than less expensive treatment, not
to mention the opportunity cost of lost profits from taxation.

When are we going to realize that the drug war for most drugs is fucking
bullshit?

DPR may have gone away but if the law doesn't change eventually, the nerds
WILL figure this problem out. You say the weakness this time was the postal
system? Well here comes APOD, Anonymous Physical Object Delivery
[https://www.cs.columbia.edu/~smb/papers/APOD_PETS09.pdf](https://www.cs.columbia.edu/~smb/papers/APOD_PETS09.pdf)

And lest we forget, here's a statement from
[http://en.wikipedia.org/wiki/Global_Commission_on_Drug_Polic...](http://en.wikipedia.org/wiki/Global_Commission_on_Drug_Policy)
:

In June 2011, the Global Commission on Drug Policy released a critical report
on the War on Drugs, declaring "The global war on drugs has failed, with
devastating consequences for individuals and societies around the world. Fifty
years after the initiation of the UN Single Convention on Narcotic Drugs, and
years after President Nixon launched the US government's war on drugs,
fundamental reforms in national and global drug control policies are urgently
needed."

~~~
CrankyPants
You do realize he (allegedly) paid to have someone killed, right?

~~~
thret
That was his point, the war on drugs creates violence and is not a deterrence.

~~~
al1x
How does the war on drugs have anything to do with DPR hiring a hit on the
hacker who broke into his website and threatened to dump his user database, an
act that would presumably shake customer confidence and lose him business?

------
MichaelGG
"These arrests send a clear message to criminals; the hidden internet isn't
hidden and your anonymous activity isn't anonymous."

Huh? At least in the Seattle case of "NOD", they caught them by gumshoe police
work, noticing patterns in parcels (supposedly tipped off by narc dogs), and
asking postal workers to recall customers and so on. I guess if you think
mailing hundreds of packages of medicines via the postal service is
"anonymous" then maybe they're right.

The real message is: Don't be careless. Don't create huge patterns we can
detect via physical surveillance.

At least, so far. Maybe it'll come out that all these cases were the result of
parallel construction and they really found everyone by defeating Tor. But so
far the complaints seem pretty straightforward.

------
a-priori
It's just a matter of time -- measured in weeks to months, not years -- before
a new Silk Road emerges. And the creator of the next one will not be silly
enough to allow themselves to be traced by a Stack Overflow post.

~~~
paps
It has already happened: Sheep Marketplace,
[http://sheep5u64fi457aw.onion](http://sheep5u64fi457aw.onion)

Most SR vendors are transitioning to this site.

Or it's just a big honeypot.

~~~
gwern
Sheep was set up back in like May (the exact dates aren't clear because no one
was paying attention), so if it's a honeypot, it was a very far-sighted one.
Personally, I strongly doubt it's a honeypot because the Czechs who run it are
less competent than LE would be.

~~~
philangist
What makes you say they're incompetent?

~~~
gwern
The clearnet version of Sheep has already been closely linked to them. Being
in Czechoslovakia may impede the investigation, but I still would not want to
be using it...

------
stcredzero
What if hackers everywhere started building an "anarchist cloud" consisting
entirely of small mobile nodes only connecting through wifi or wireless
broadband? Only nodes whose RSA key has been signed by another trusted key
would be allowed to connect. All data would be redundantly stored across
several nodes, and as part of normal operation, all devices would immediately
brick themselves as soon as their accelerometers registered movement. (Done by
overwriting their hard drive encryption key with all 1's then all 0's in both
persistent storage and in memory.) To restore the node's operation, it would
be required to reinstall the OS and sign its new keys.

The point would be to have network infrastructure that would be very difficult
to serve a search warrant on. In many cases, it would be impossible to fill
out the address, and even if they did fill the warrant, it wouldn't net the
authorities any information. By using point to point encryption, it would also
be very difficult to eavesdrop on communications as well.

~~~
kamkazemoose
In that case an LEO would probably go undercover, spend time building
credibility in the scene and eventually get someone to sign their key to be a
part of the network as well. LEOs have infiltrated many groups and I don't see
anything special that would prevent them from doing it again this time.

~~~
stcredzero
True. However, being part of the network wouldn't expose the data on the
entirety of it, only a small sliver. Also, keep in mind that there would be a
network of people who are cloud-maintainers and also of cloud-users. The
cloud-maintainers would be a more insular group than the users, and it would
be these people who would be able to sign new nodes.

On top of that, it could be arranged so that cloud-maintainers had almost no
knowledge whatsoever of what cloud-users were doing. Cloud-maintainers could
abstain entirely from using their own cloud (maintaining a separate one for
their own use). This would mean that LEOs who infiltrate the cloud-maintainer
organization would not gain any information on cloud-user activities, and LEOs
that infiltrated a cloud-user organization wouldn't gain any ability to
compromise the network.

Implemented this way, such an infrastructure would be a different order of
difficulty entirely to penetrate. In contrast, Donnie Brasco as a lone agent
could gain access to both operational activities and organizational structure
of the Cosa Nostra. In this scheme, he would have to choose one or the other.
Also, two LEOs attacking the infrastructure from both sides would have to
collude to make sure their intelligence would overlap, and this would make
their activity detectable.

------
atwebb
Poorly worded title considering the context (or punny?). I can't be the only
one who thought hyperlink, can I?

~~~
mumbi
I thought hyperlink.

------
darksweden
In Sweden, at least two people have been arrested for selling drugs on Silk
Road, right after Dread Pirate Roberts was busted. Are the feds going after
all vendors on SR?

[https://hd.se/skane/2013/10/08/haktade-for-knarkhandel-pa-de...](https://hd.se/skane/2013/10/08/haktade-for-knarkhandel-pa-den/)

[https://hd.se/skane/2013/10/08/langarnas-hemliga-internetkon...](https://hd.se/skane/2013/10/08/langarnas-hemliga-internetkonto/)

~~~
gwern
They're trying, but as far as this pair of Swedes goes, it's apparently just
an ordinary SR bust (much like NOD):
[http://www.reddit.com/r/SilkRoad/comments/1nz4uo/two_swedes_...](http://www.reddit.com/r/SilkRoad/comments/1nz4uo/two_swedes_arrested_for_suspicion_of_selling_weed/)

> And as a regular SR-user myself i noticed that SweExpress (the vendor in
> question) stopped sending packages almost exactly one week before SR went
> down.

Not much reason to go after them before, rather than synchronized.

------
ihsw
One has to wonder when our surveillance overlords will hack into torrent sites
and steal user information so that they can easily score hundreds of high-
profile arrests for "IP Theft."

~~~
DanBC
Copyright infringement isn't a criminal offence unless it's done as part of
business.

Thus, someone downloading or uploading torrents is not at any risk of "high
profile arrests for 'IP Theft'".

Most people don't do anything to hide their torrenting, so the information is
all public anyway.

I don't understand your point. Are you really trying to compare copyright
infringement (usually not a criminal offence) with possession of drugs with
intent to supply (a criminal offence, which can carry a prison sentence, and
which has always been a serious crime)?

~~~
harshreality
_Copyright infringement isn't a criminal offence unless it's done as part of
business._

That's true in practice, mostly, but not true in theory.

[http://en.wikipedia.org/wiki/NET_Act](http://en.wikipedia.org/wiki/NET_Act)

~~~
DanBC
Ah, the context of the thread is UK, so I should have made that a bit more
clear that I'm talking about UK law.

Sorry. Thanks for the link though.

Here's the UK stuff. Section 198
([http://www.ipo.gov.uk/cdpact1988.pdf](http://www.ipo.gov.uk/cdpact1988.pdf))
is the relevant bit here.

~~~
harshreality
198(1)(b), 198(1A)(b), 198(2)(b) say otherwise?

The U.S. law, I think, but I haven't looked to refresh my memory, does
something similar. It says it's only a crime if the value of the work(s) in
question exceeds a dollar amount, on the premise that only someone seeking
commercial advantage would share works of that much value. Ignoring, of
course, that a lot of people who do a lot of p2p filesharing (completely not
for profit) exceed those limits.

------
dobbsbob
If they have the private keys they can go back in time 2yrs ago and match up
every transaction on the blockchain by asking major exchanges like mtgox,
bitstamp etc. for records. I'm sure there's a few who directly pulled out
bitcoins to a service that has their identity documents and IP.

The SEC did impressive blockchain forensic work on pirateat40's ponzi scam; the
DEA/FBI will do the same to round up all the major dealers.

~~~
gwern
If. But there was no reason for the withdrawal addresses' keys to still be on
file. SR needed to keep the _deposit_ addresses on file, to deal with buyers
sending deposits to old deposit addresses, but that doesn't apply to
withdrawals through the tumbler.

~~~
dobbsbob
We don't know how DPR handled opsec. There could be a file sitting on the
server of every withdrawal pasted into his php app since day 1. He kept a
record of a lot of things he claimed he didn't (PMs, transactions). The
blockchain keeps these transactions forever, so even if they just have the
private keys from his wallets they can figure out withdrawals.

But I'm betting these guys were caught through plain text messaging in the
internal system. Most likely they ordered stuff to themselves from another
vendor and didn't bother to use PGP because most criminals are really terrible
at being criminals.

~~~
gwern
> He kept a record of a lot of things he claimed he didn't (PMs,
> transactions).

Did he? We have seen quotes from messages to government agents (which
obviously don't require DPR to have saved them), we have quotes from
'cooperating witnesses' (likewise), we have addresses/PMs from within a month
or two of the server imaging (consistent with DPR's publicly stated data
retention policies)...

------
at-fates-hands
Not surprising. I'm sure the feds are poring over the user information they
got from the server files they have.

Big roundup for sure in the coming months. I'm wondering if they're going to
go after all the identity thieves who were rampant on the site, or just stick
with the drug dealers.

~~~
gukov
The guy's Gmail probably has everything they need.

------
ye
I really want to see the evidence they have against the alleged drug sellers.
If they used a good VPN, I don't see how they could've been traced.

I bet every single one of the arrested guys really fucked up (assuming they
are guilty).

~~~
gwern
> I bet every single one of the arrested guys really fucked up (assuming they
> are guilty).

You would be wrong. The Devon guy, the vendor Plutopete, ran a legit business.
He didn't fuck up because he wasn't selling anything illegal.

------
camus
And that's just the beginning, a lot of sellers are about to get caught now.

~~~
gwern
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

I strongly doubt that. What we're seeing is all the existing investigations
are hurriedly wrapping up and arresting the people they can before everyone
cleans up and protect themselves. The NOD investigation began in early 2013
and had nothing to do with the SR bust, the 3 UK arrests seem similar (and the
Plutopete arrest suggests that they hadn't done their homework on him), the 2
Swedes went silent a week before the bust, and that's everything I know of
right now.

Since I hate cheap talk, I'll even offer you a bet. Because of my interest in
the topic, I track all publicly-known SR-related arrests, prosecutions, and
convictions in
[http://www.gwern.net/Silk%20Road#safe](http://www.gwern.net/Silk%20Road#safe)
. Based on the past history and the circumstances of the currently known
arrests, I am strongly skeptical that there will be as many as... oh, let's
say 30 related arrests after 1 October 2013 and before 1 October 2014 (Should
be more than enough time; this, incidentally, would imply <~1% of active
sellers were arrested.)

I'll offer generous odds: $100 to your $20.

So? What do you say? Are you just engaged in cheap talk and FUD, or do you
have the conviction of your words?
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.14 (GNU/Linux)

iEYEAREKAAYFAlJUjdQACgkQvpDo5Pfl1oKdUwCfS6SANkaQHj6qRKvIww8Vz+jZ
QrAAnj0UPjs3mco9738UyDLCGNwbsLRz
=H6I5
-----END PGP SIGNATURE-----

~~~
nialo
[http://pastebin.com/raw.php?i=eSkzWm8B](http://pastebin.com/raw.php?i=eSkzWm8B)
because gwern's noprocrast has kicked in.

