Yeah, you probably should not do your PGP-encryption server-side...
I suppose it's a question of your threat model. Do you trust the website to not do that? Given that the FBI is willing to take over and continue operating websites that distribute child porn, the default answer to that question ought to be no. You have no way of knowing if someone else has taken a server over.
Maybe a browser extension would be a good way to do PGP encryption for websites, keeping the key out of their reach but allowing a one-click encryption right in the browser.
Less kindly, one could argue that Tor devs want to increase the anonymity set, in order to better hide US government users. That was, after all, one reason why Tor's initial Navy funders agreed with open release of the software.
There are similar issues around other Tor vulnerabilities. Such as how easy it is for apps to bypass Tor. Which has allowed the FBI's phone-home malware to pwn users.
But I fully agree the main site should make the risks of TBB clearer and promote Whonix/similar.
Encrypting a confidential message for another party is a public key operation. It’s the fact that the plaintext was sent to a remote server that’s problematic.
It's definitely more secure. But depending on your level of paranoia, yeah, it's often not enough.
Doing things in the browser shows customers that it's done properly and verifiably. It also makes attack way more public than being able to do it quietly server-side. I wish people applied security client-side more often.
I mean, if the server is compromised, you're fucked, regardless of whether you applied your crypto in js or on the server. But if it is done client-side, at least there's a chance that you notice you're fucked.
So customers are skilled enough to check the (webpacked together with other stuff and minified) JS code running in their browser before they run it? Even if this was actually feasible, it would be still orders of magnitude easier to just do GPG in a terminal.
And don't forget that, according to the article, we're talking about a crowd where even a lot of the long-standing big sellers are not smart enough to remove GPS meta-data from their product pictures.
>It also makes attack way more public.
You can still serve different (malicious) JS to a select bunch of your users who are least likely to notice and kinda spearfish with that. E.g. it's entirely feasible to just bug new first customers you fingerprinted as using default Tor Browser installs (most likely they are tech newbies too).
Even if users make sure the code they run is verified, how do users make sure the public key they are encrypting with is the public key of the party they intend and not a key the (rogue/police) operators of the website put there themselves, doing a good old active MITM key switcheroo? It's not like there is an independent web of trust in the realm of a tor drug market that you can check for that information. Even if the public keys of the big players (most of which would be sellers) are widely known, the key of Joe Newcustomer is not, so you can at least eavesdrop on communication directed to him by replacing his key with your own, look what the seller is writing and also at all those "Joe Newcustomer wrote: >" lines too, and nobody will ever notice until the police knocks on their doors.
Rather than posing the obvious as a question, yes, I am aware that the overwhelming majority of users will not be able to inspect it themselves. But there are also loads of people who are, and we also roam the internet.
And it's not about inspecting before it runs, it's about noticing weird changes before you typed your credentials. Currently it's a strange idea to open an element inspector before regular actions such as logging in, and indeed, it'd be quite the hassle. But if this were commonplace I imagine tools would jump up to aid in this for both experts and laymen. It isn't terribly hard to trace which pieces of code do something with the password field (such as reading out its value, and trace where the variable is used and copied to) and alert on changes to those. Upon such an alert, customers of a bank might wait a few days to see if there was a breach, and security experts of said bank might like to see the diff that the browser detected. Just a thought of what could be if security was applied client-side more often.
Checking code before it runs is possible. What is much easier is watching the network traffic on the web browser and examining it for sensitive material. It's an order of magnitude better to know that a security breach has _just_ happened than to find out much later, possibly when that information is being leveraged against you.
Almost all significant criminal activity leaves some trace. The buyer, by nature, has more trust in the seller because the buyer must pick up a package at a specific location in a date range. The seller would be the most significant market players (spearfish targets), but give up less information in each transaction. The best way to attack would be watching for user mistakes (gps meta-data), social engineering, and zero days.
PGP-encryption server-side is meaningless, even if it was done client side, there's a MITM. Eve can replace public keys (though at the risk of exposing her MITM if people are double checking their own public keys listed on the site against their client side public keys)
>They tweaked a feature designed to automatically encrypt messages with users' PGP keys, so that it secretly logged each message's full text before encrypting it
Unless this is Wired's way of saying a MITM as described above.
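The check mentioned in the two comments above (comparing the public key a site lists for you against the key you hold locally) comes down to comparing OpenPGP fingerprints. The following is an added example, not code from the thread or from any site discussed: it computes the RFC 4880 version 4 fingerprint of an armored public key and flags a mismatch against a locally pinned value. The function names are hypothetical, and the two sample keys are constructed placeholders (structurally valid packets, not usable keys).

```python
import base64, hashlib, struct

def dearmor(armored):
    """Return the binary packets inside an ASCII-armored OpenPGP block."""
    lines = [l.strip() for l in armored.strip().splitlines()]
    start = lines.index("") + 1      # armor headers end at the first blank line
    data = [l for l in lines[start:] if l and not l.startswith(("=", "-----"))]
    return base64.b64decode("".join(data))

def first_key_body(p):
    """Return the body of the leading version 4 Public-Key packet (tag 6)."""
    hdr = p[0]
    if not hdr & 0x80:
        raise ValueError("not an OpenPGP packet")
    if hdr & 0x40:                   # new-format header
        tag, o1 = hdr & 0x3F, p[1]
        if o1 < 192:
            off, length = 2, o1
        elif o1 < 224:
            off, length = 3, ((o1 - 192) << 8) + p[2] + 192
        else:
            raise ValueError("unsupported length encoding")
    else:                            # old-format header
        tag, ltype = (hdr >> 2) & 0x0F, hdr & 0x03
        if ltype == 3:
            raise ValueError("indeterminate length")
        off, length = 1 + (1 << ltype), int.from_bytes(p[1:1 + (1 << ltype)], "big")
    if tag != 6 or p[off] != 4:
        raise ValueError("expected a version 4 public-key packet")
    return p[off:off + length]

def fingerprint(armored):
    """V4 fingerprint: SHA-1 over 0x99, two-octet body length, key packet body."""
    body = first_key_body(dearmor(armored))
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def key_was_swapped(pinned_fpr, site_armored):
    """True if the key the site lists does not match the locally pinned fingerprint."""
    return fingerprint(site_armored) != pinned_fpr.replace(" ", "").upper()

def constructed_key(modulus):
    """Constructed sample: structurally valid v4 RSA key packet, not a usable key."""
    mpi = lambda v: struct.pack(">H", v.bit_length()) + v.to_bytes((v.bit_length() + 7) // 8, "big")
    body = b"\x04" + struct.pack(">I", 1500000000) + b"\x01" + mpi(modulus) + mpi(65537)
    b64 = base64.b64encode(bytes([0x98, len(body)]) + body).decode()  # old-format tag 6
    return f"-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n{b64}\n-----END PGP PUBLIC KEY BLOCK-----\n"

MY_KEY = constructed_key((1 << 255) + 12345)            # the key you generated locally
SITE_KEY_SWAPPED = constructed_key((1 << 255) + 54321)  # what a tampered listing would show
```

The pinned fingerprint has to come from the local keyring, never from the same page that serves the key, and the check only covers your own listing, not the keys shown to your correspondents.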
It's not meaningless, it prevents past messages from being compromised by a future breach. Future messages are still compromised, but past messages are secure.
By your logic you could say that forward secrecy is meaningless. But yet security professionals recommend that you use a TLS key exchange with forward secrecy.
He talks about his „setup“ (old car repair shop), routine to drive to different mailboxes, etc. Got busted when meeting with people offline from Austria to sell larger volume. German police got curious when they read in Mexican internet forums that the most advanced drug seller is located in Germany with 3 day shipping to Mexico.
From what I've heard, people are just selling over Facebook and WhatsApp, and the police just can't be bothered with it because what are they going to do? Arrest people for buying small amounts for what is obviously personal use? Or try and track down and pin a case on someone for posting stuff. I can't see them taking Facebook down.
So, the goal is probably aligned more with career progression than stopping drug trade as such
"Chinese Drug Dealers Are Being Sentenced to Death in Sports Stadiums and Public Squares"
 "On Wednesday, China’s Supreme People’s Court argued that serious drug crimes merit the death penalty. Serious cases involving “drug lords, professional drug dealers or re-offenders” as well as “drug smuggling, organized transnational drug crime and armed or violent drug crime” should all receive capital sentences, according to a circular released by the SPC."
That's what I remembered.
As an adolescent of 12 or so, I remember watching a D.A.R.E. video in school where the fictional character tried marijuana for the first time, but it was secretly laced with cocaine and the fictional character had some kind of unspecified heart condition and hyper-sensitivity to cocaine that caused his first puff of pot to kill him. Remember kids, your first puff of pot can kill you!
They also told us that sometimes PCP is laced with rat poison.
Even as a 12 year-old, the implied frequency of such craziness beggared belief. It would have been more believable if they would have warned us that we shouldn't try hard liquor because it might be tainted with methanol. That at least happens with some frequency back in the Old Country, according to a Bulgarian friend.
Shut down the site, people move to another one, and you've got to start all over again.
Shutting it down is aligned with career progression (gets the big news). Leaving it running gives you some chance of affecting the actual drug trade
I agree with you that this sounds like a sensible strategy, and I don't understand the complaint above about career progression - to the extent that their careers were benefited by focusing on the most serious problems instead of a performative war on drugs, props to the system for enabling them to do this. People always make decisions based on career progressions, the best thing to do is set up incentives so those decisions are also good for society.
No, you should read the article rather than automatically assuming bad faith.
"Since the takedown, Ras says, they've arrested a dozen of Hansa's top vendors, with more arrests planned for coming weeks"
"While most drug vendors who fled AlphaBay showed up soon after on other dark web drug sites, those who fled Hansa didn't—or if they did, they recreated their online identities thoroughly enough to escape recognition"
“State bodies” are not required to pursue and assist with enforcing federal laws, and are generally prohibited from prosecuting under them except when states have been granted special power to do so in federal law. These are fundamental features of the “dual sovereignty” federal system in the US (and the freedom of states to decline to enforce federal law was noted as far back as in cases related to the Fugitive Slave Act prior to the Civil War.)
If the federal government wants to make laws, then it is also responsible for figuring out how to enforce them. Within certain bounds, it can bribe states to do it, but it can't command them to.
> writ of mandamus?
Yes, it exists.
No, it doesn't obligate state bodies to “pursue” or “prosecute” violations of federal law.
Hell, you can buy heroin directly in front of the Tenderloin police station. Not across the street, directly in front.
de facto, I'd say heroin is basically legal in San Francisco.
BTW, are there search engines that allow searching the HTML code of web pages?
Shodan is a search engine for finding things connected to the internet that probably don't want to be found.
Don't rely on IPv6 for protection from scanning.
Censys indexes a lot of these things so you can for example search for the title here. This works very well for sites that try to hide behind Cloudflare but don’t block access to other IPs.
Law enforcement 101. Don't blow your cover. Ignore 95% of the transactions and focus on the few major racketeering cases that matter. Let the IRS go after them for tax evasion instead so your cover remains as long as possible.
I would like to see their productive interventions on child porn and sex trafficking. Instead we get this tedious and unhelpful war on drugs that ultimately is futile.
Hundreds were arrested in the FBI's Operation Pacifier, and their cases are still actively working through the courts. We don't hear much about Operation Pacifier, and I assume that's by design.
For security-aware technologists, however, there is an important detail: the feds have some heretofore-undisclosed exploit that is used to de-anonymize Tor users, which gets referred to as "the malware".
They're so interested in keeping the details of this secret that they dropped all charges on one of Operation Pacifier's biggest offenders, because he had a skilled lawyer who convinced the judge that the government would have to disclose more details about how it unmasked him to ensure that his constitutional rights had not been violated.
It's interesting that the tool used gets referred to as "the malware". Is this a real-world use of the Intel ME or just your run-of-the-mill trojan? Is there a backdoor in the Tor Browser Bundle, and that's why the government still allows such easy access to it? Is the claim of "malware" just a diversion to prevent people from learning that they have a crack for the Tor network itself? Dunno. Would be interesting to find out though.
Tor is reasonably secure but if you run JS or download and execute files from Tor you will probably reveal your IP to a determined attacker.
This gets uploaded to a database for law enforcement to use to find locations when they get images of child sexual abuse that happens in hotels.
And there's also this article about one such takeover of a site that distributed images of child sexual abuse: https://news.ycombinator.com/item?id=12084471
That makes me curious though, it sounds like in the drug takedown the users are largely spared but the dealers are targeted. Is it the same for child porn/trafficking? I would prefer they go after everyone in those rings..
Child pornography is never a victimless crime.
It isn't significantly different.
Not a single one of those, or even all of them put together, is anywhere near the video posted.
Also in case anyone missed it today, corporations have increased the violence they use against their critics (rivals?). Certainly the cartels are worse with their brutality, but they are no different than any other modern international capitalistic enterprise.
No, they do not. You have absolutely no evidence to back this statement up.
Of course, that doesn't justify child labor.
Do you think the global drug trade 'provides work' for more than 500,000?
Wow, that's some bad opsec.
That's why you should not keep history. All messengers like WhatsApp that save history on the server have zero respect for privacy. A decent messenger should not save anything unless allowed by the user.
You can still do metadata analysis on communication patterns between people, without knowing the content of the messages.
"During their time as black market administrators, the Dutch police only banned one product on Hansa: the highly dangerous opioid Fentanyl. All other drugs on the site continued to flow freely, a circumstance over which Ras and Boekelo seem surprisingly unconflicted. "They would have taken place anyway," says Ras without hesitation, "but on a different market." "
Basically, if the government ran a legitimate darknet marketplace, they could reduce the sales of the worst substances.
Why can't all transactions be removed after say a day after completion? I just don't see the point in keeping all of that data there, sounds like a big liability for everyone involved.