
There is already a race underway for the new winner in this hungry, insatiable market.

It's a cat and mouse game where the mouse has a distinct edge.

Actually, I think the cat & mouse metaphor is fairly apt. The cat actually has a powerful set of advantages... but the mice have numbers, persistence, and in violation of the metaphor, a lot of learning capability. This will not be the first market the feds will manage to destroy, but it will get harder each time.

I am neither applauding nor deploring this; just predicting it.

(One of the things the mice may learn is that the slightest identity leak can give them away. One mis-click on a Facebook login or something and that could well be that. If I were a mouse, I would be working on building something like an encrypted VM image that only contains "safe" software on it, like browsers configured with Tor or whatever, and make sure to do all my business in that VM, and only my business in that VM, while maintaining a "normal" identity on the outside of the VM. The best way to prevent identity leakage is not to share it at all. And I would not install clipboard sharing between VM and host, and I would not enable shared windows; I would deliberately leave the VM console up, and distinctly less than full screen, so it is very visibly obvious that I am either in or not in the VM. I would not use any of the conveniences designed to blur that line.)

I get the sense that one of the issues with Silk Road was that the people involved in it didn't really realize how big it would get and how hard the feds would go after it. That's why, at the beginning, there were a lot of rookie/lazy identity leaks that the FBI eventually tracked down.

That is, assuming you don't go for some NSA parallel construction thing. But if that's the case, it will probably become clear after a couple more site busts.

Whoever does this next will know how much of a risk they're at, and will probably take appropriate steps to protect their real identity from day 1.

It sounds like they need to harden the server better too. Not just the code base and platform, but even configuring things such that whatever OS the site is hosted on can only see the outside world through Tor.

There exists an OS designed for similar things: http://qubes-os.org/trac/wiki/GettingStarted

It is probably cheaper to use a dedicated (physical) machine.

You mean safer?

I did mean cheaper (i.e. a low-end machine being cheaper to buy than the time it would take to install and configure the VM.) But yes, it is probably safer as well.

I think you're badly overestimating the difficulty of VMs. This next Friday, we're planning on providing VMs to students to compete in a local programming contest, and we fully expect that for most of them the bulk of the effort involved will simply be the downloading of all the relevant bits (as in, literal bits). After that, it's just "vagrant up" and off they go. If you haven't fiddled with them in a few years (which is what that sounds like), there have been a lot of advances since then. They're almost trivial now.
