It doesn't work like that. All it means is that instead of you being more or less automatically extradited now a negotiation process starts between the two countries. Put another way: extradition is manual instead of automatic.
Plenty of people were extradited from "no extradition treaty" to US.
> One very important takeaway from this article should be that just because a country does not have a formal extradition agreement with the United States, does not mean that the country will not extradite you.
But there's others who never were captured, Hannibal evaded Rome until they almost captured him, but he successfully killed himself so they never got him alive. There's many others on both sides.
I'm not sure if I'd put this one in the "W" column.
This particular one might not be true but the general spirit probably is. This is why I sometimes do things which a drug lord would do even though I am not one (I swear). It's for the benefit of possible-future me where I do have something to hide.
The correlation of the time where you started using Tor extensively and the time a particular Darknet service started operating? Certainly a possible leak of a few precious bits of those ~30 bits that are needed to pinpoint you.
It's a generalization of the rule that you should not restrict encryption to only those messages that are important.
We need robots that do this constantly.
TIL, they're missiles except drone-based instead of rocket-based
And because of the simplified flight infrastructure they're only $6k
That's why they are called loitering munitions rather than missiles.
They probably have a 90% margin on those...
If you want to be a darknet drug lord my advice is of a different flavor: Don't let yourself become too big. Once a (or multiple) governments are after you it is very likely only a matter of time before you get caught. Not because the government is particularly good at tracking people down or somehow nearly omniscient but simply because you likely had or have terrible opsec and finding you is more trivial than you've led yourself to believe. If you believe they are already looking for you it's time to abandon everything and disappear. Live your life like it never happened and whatever you do don't pass on the torch. Let your work die and be buried and someone else build on top of the grave.
> Opsec is incredibly difficult to get correct - especially in the long term
I'd say if you are doing it long term then you are doing it wrong. The longest surviving DNM by far was Dream which I speculate had some nation state backing it.
I agree entirely but it also depends on your threat model. When making my post I didn't have DNMs in mind (though that's the context...) and was actually thinking about the abysmal opsec of many private tracker admins.
Wow, I would have never thought about that to use public-downtime to find/match your service.
So, activity hours and maintenance hours can be used to pinpoint the timezone of the owner and their daily habits. Randomizing every bit of information is important.
Or injecting disinformation: pick a misleading timezone, and only connect at times compatible with that timezone (e.g. 03:00 GMT is 11PM EST). Though that might not be compatible with making all your connections from unconnected locations (not many coffee shops/libraries are open that late).
Googling "satoshi time zone" gives a lot of resources
OTOH there were many times when Satoshi connected to IRC with non-Tor residential IPs, it’s possible that deanonymization was just one subpoena away.
There is literally zero information you could extract from this besides the fact that he probably didn’t do anything indictment-worthy.
Talk about horrible OPSEC.
I didn't know there was a book, but there was a series of articles a while ago by the same author:
Code running in the work VM can't leak your IP even with root access.
Nobody is advised to run Tails in a VM, only as the host OS, so the dual VM part isn't that relevant.
I've used both, only pointing out how your response didn't match
The article does briefly mention Tails and how it does a RAM rewrite upon shutdown for you
> If you're planning to use TAILS, it will scrub the RAM for you automatically when you shut down.
odd and unlikely attack vector, but always a target
The FBI has publicly burned Firefox 0days to deanonymize Tor users at scale.
We're having this conversation under a post titled "So, you want to be a darknet drug lord".
If you want to be even a small time DNM vendor, you should not use Tails but Whonix.
But a browser escape is different than obtaining root on an OS that doesn't even enable root by default
like I said, different harder attack vector, likely under research
save the argument for someone more in denial about that?
This is a meaningless statement. Just because there is no way to log into the root account doesn't mean there isn't a kernel that treats uid 0 specially.
A Linux LPE is worth a small fraction of the money a Firefox escape is. Far easier to come by, far weaker defences.
At least Tails seems to use network namespaces now, so deanonymization without root might not be as trivial as it was before.
most of the stuff I find on Tor is very outdated, still enough relevant to piecemeal some decent OPSEC, but being able to bounce ideas off people objectively seems to be lacking - or I don't know the communities
there is the tor reddit page, but reddit is periodically hostile to tor connections. dread on tor is often down, so that's annoying, but I found onion services within tor often had the best information on using tor
/d/OPSEC and dread in general is a cesspit with few quality conversations.
It did. Whonix can defend you against malicious code running inside your work environment, Tails can't.
> Nobody is advised to run Tails in a VM, only as the host OS, so the dual VM part isn't that relevant.
This is why it's a bad idea to use Tails at all unless you aren't actually that worried about being deanonymized.
> The article does briefly mention Tails and how it does a RAM rewrite upon shutdown for you
This is meaningless security theatre.
Honestly, it seems like it'd be safer just to run two different machines. IIRC, I saw some instructions a long time back for turning a small travel router into an OpenWrt-based Tor router.
I haven’t touched Tails in years, but they used to have a pretty exotic network stack. I wouldn’t want to try to make that work with VMs.
I thought I read (on hn) of such a community…
lots of content, you gotta weed through a lot to get the good stuff
I wonder how true that is.
Besides, it's not like the NSA doesn't have the capability to scoop all packets from people they've seen visit torproject.org.
I struggle to think of useful ways of cloaking the physical transaction. You can have it shipped somewhere you don't live, but then you have to get there to pick it up, probably leaving a massive trail of GPS data and gas receipts.
I wouldn't be surprised if shipments of gold or cash raise eyes at customs, either.
Meanwhile, there simply is no clear web drug store, so dark web ones don't have to offer anonymity to their buyers
You're effectively locked out from talking to others or reading listings until you KYC.
Okay, so why would I go through all this trouble then? I could think of other hobbies to escape a "cookie-cutter" life.
Wasn't that about street gang members and not the mafia?
I vaguely recall it was something about working at McDonald's pays better than being a street-level drug dealer.
You can't help that you're a famous and wealthy artist.
I never heard of this usecase, which makes me believe it's too convoluted to be true.
It's not convoluted at all; it's actually pretty elegant when you get down to it. It's almost enough to make the entire NFT phenomenon make sense.
Or alternatively, you can double your net worth, because you go from having $200,000 ETH to having $400,000 ($200,000 ETH and a $200,000 NFT). This can then be used to fool naive lenders (or buyers) into giving you money at a fraction of the amount the NFT is worth, which is still a net gain for you.
If you're buying NFTs like they're legitimate "art" and not aware that NFTs exist for these purposes, then you shouldn't be playing the NFT game.
the NFT scam is a tax evasion thing - much like much of fine art.
I wonder if this could be tracked somehow. NFTs used as 'receipts' probably never get sold again.
We make a deal via some marketplace. Doesn't matter. We agree on a price and an amount, and some other specifics.
In a different marketplace, you offer up a jpg of a monkey. I offer thousands of dollars to own it.
In the real world, you ship me a big box full of dope, and email me a hyperlink to a jpg. I send you bitcoin, and all of a sudden, we're both legitimate actors in this little NFT art biz.
It's still better if you already have a lucrative clean-money life, which means it is easier to quickly intermingle uncleaned money into it.
It seems the best way to do it would be to be sponsored by the FBI or whatever in your country - use your expertise to set up a honeypot system with their prior knowledge and you'll feed them data when it is set up... they get info feed to collar criminals, no cost to their budget, are they going to care if you make your cut along the way?
[note the "It seems" — I have zero experience with what the FBI may or may not require for such an operation]
Part of the goal of reducing corruption is having alternative behaviors that are more attractive
But in any case there are lots of useful laundering techniques that can pass scrutiny
Just wait for the next darknet pastebin to have that debate
But maybe that's there to throw us off the scent...
That's an interesting story, this is the best I found about it: https://www.silive.com/news/2018/07/staten_island_wwii_espio...
I'd love to play around with like, a CTF where one side sets up a hidden service and the other side has state-level access to try to uncloak it. something that simulates what powers the US has, e.g. red team has a limited number of raids it can do, ability to patch things into network cables or hack routers, while the blue team has several fake cloud providers in fake countries, a Monero testnet etc.
would anyone else be down?
So how do we proceed? I've noticed there is no contact information in your profile (mine lacks that too), so I've made a new public Matrix room: #torctf:matrix.org
Sometimes people that never looked casually dismiss the idea that there is obscure useful OPSEC information there.
Selling guides like these for $.99 is a great way to get your marketplace reputation up fast, to sell bigger ticket items.
Where the darknet meets LinkedIn.