
I have a sneaking suspicion that it's a honeypot. Just a hunch.



The Silk Road seizure demonstrated that the only reasonable way to participate in any online drug market is to assume the market itself is compromised and untrustworthy. That means you never upload identifying information in cleartext (e.g., buyers encrypt their addresses with the seller's public key), and you run all bitcoins sent to or received from such a site through a third-party mixer.

Of course, there still has to be some level of trust on the part of a buyer, that the seller they're connecting to is actually a real drug dealer and not an undercover cop. But that was still an issue even on the original Silk Road. It was partially addressed by the feedback/review system -- which does involve a certain amount of trust in the site not to fabricate reviews -- but more importantly by the fact that high-level law enforcement is really only interested in tracking down sellers. And assuming the users are competent, running a honeypot gives you very little information about the sellers.


> It was partially addressed by the feedback/review system -- which does involve a certain amount of trust in the site not to fabricate reviews

Many users over in Europe took it upon themselves to review sellers on trusted third-party sites, such as flashback.org. There trusted sellers were "greened", as it were, and word was quickly spread when some seller tried a bait-and-switch by giving good drugs to the first buyers and scamming the second wave.

Full Disclosure: I am a user of flashback.org but I never used drugs or Silk Road.


Is it really illegal to try to buy drugs? Doesn't an actual illegal substance need to be involved/seized for it to be a crime? Honeypot sellers don't really make sense to me.


What good does that do if the sellers are also fake?


Law enforcement would rather go after the vendors than buyers. There are probably too many buyers for officers to deal with, and they would have to make all the arrests simultaneously. In meat-space, they arrest buyers so that they will rat out their dealer. This is not possible on SR because the dealers do not expose any identifying info to buyers.


The fake seller issue is independent of the honeypot issue. There was nothing stopping anyone from creating fake sellers on the original Silk Road. I assume the main reason it didn't happen is that doing so would only help catch buyers, and governments really want to catch sellers.


I think you misunderstand me... I'm saying what if the sellers are also honeypots? Encryption means nothing if the NSA created the "sellers" key in the first place.


My point is that you don't have to control the marketplace itself in order to create honeypot sellers. There was nothing stopping law enforcement from registering honeypot sellers on the original Silk Road. Controlling the marketplace itself would let them avoid the (trivial) registration fee to create a honeypot seller, but doesn't otherwise give them any extra power.


With good opsec (i.e. only PGP-encrypted messages) sellers should still be able to operate safely.

Buyers slightly less, considering that the sellers might be cops (which is also the case on a non-honeypot site), or because the PGP-keys of the sellers might be fake (for MITM).

But considering that feds generally seem to target sellers, I don't think the usefulness of this as a honeypot would be huge. But it's definitely possible, especially given that the feds have the source code and all.


> considering that the sellers might be cops

Why wouldn't law enforcement pose as buyers, as well? This is a common tactic in narcotics enforcement. Entrapment often isn't an issue, as the seller took the first step of advertising the drugs for sale.

Are you getting at the fact that the buyer must have a receiving address, while the seller can ship anonymously? I would be skeptical of that. If I were attempting to track the source of a package, and I had the full force of warrants behind me, I bet I could track down most shippers.

Every shipping company has its own tracking information. Much of this may be opaque to the end user. The tracking might be much more detailed than what you can see as an end user with a tracking number. Assuming the carrier cooperates with law enforcement, tracking could (presumably) be further enhanced for targeted post offices, routes, etc.

For example, suppose I, as a law enforcement agent, receive an order from a Silk Road seller. Let's say it was shipped in an envelope, dropped off at a USPS street-corner box. From the tracking info, I identify which post office first handled the envelope. Thus I narrow my search to a few possible mailboxes served by that post office.

I instruct the carriers at that post office to assist me. As they follow their routes, emptying mailboxes, I have them sort outgoing mail into separate bags, one per box. I have the post office flag any mail going to my address.

I place another order from the same seller. When it hits the post office, it gets flagged, and because of the per-box sorting, I know which mailbox was used.

For round three, I place yet another order, this time with the mailbox under surveillance. I also install a camera inside the mailbox that sees the destination address of every envelope deposited. When the seller drops his shipment, my surveillance team detects it. They then follow the person who dropped the letter. Now I have the shipper's identity.

Can these measures be defeated with appropriate opsec? Maybe, if you know exactly what tactics law enforcement will employ. But you don't. You could spend all your time defending against the tactics I just described, only to get caught because law enforcement came up with a totally different strategy.

My point is, opsec is really, really hard.


This is what made Kaczynski (the Unabomber) so difficult to track. IIRC, he would travel for a few hours (by bus) to a town and deposit his packages in a mailbox there [citation needed]. This made it difficult to track him, since the origin of the package didn't leak any information about the sender.

For sellers, proper OPSec requires that they do not leave fingerprints in/on the package, that mailing locations are reasonably random and not isolated to a small geographic area, and that the sender masks his identity (veiled face, no cellphone, no car) when dropping off the packages. Additionally, a seller should use a variety of packaging types for shipments to make detecting the illicit shipments harder.

Given these precautions, it would likely be infeasible for law enforcement agencies to identify a given seller. However, they would also reduce profits for the vendor.


A good precaution would be to use a range of mail boxes that, when plotted on a map, form a ring around a population centre far removed from the one you are actually residing in.


Even then, there are still possible information leaks.

For example, conceivably when you package the drugs in your warehouse, local pollens and molds could find their way into the insides of the packaging. If the distribution of pollens and molds is unique to a reasonably small area, that would be an information leak.

A bit sci-fi? Sort of. You'd need a database of mold and pollen distributions for the whole country, plus tools to analyze the distribution in a given package. That's daunting, and maybe it's more trouble than it's worth for drug enforcement. But it's not outright impossible. And I have no idea what's the maximum effort DEA is willing to spend to track down Silk Road sellers.

This is just one example of a possible information leak, off the top of my head. I'm sure we could come up with others, if we thought hard enough about it. All of this is to say that it's not the information leak you're worried about, it's the one you haven't thought of that will ruin you.


DEA effort is generally a faster than the slowest person type problem, you don't need to be better than the DEA, just better than someone else.

Agents need to make busts in order to get promoted, therefore 'rational' agents will catch those easier to catch before devoting resources to harder to catch suspects.


In the aggregate, I'm sure this is true. If I were an individual criminal, I'd still be nervous. What if I'm the outlier, i.e. the criminal who gets caught despite an abundance of caution?

Not that I'm disagreeing with you at all. Your point seems spot-on.


Isn't that also a result of the quantity of packages sent? If you want to run a business, you'd need a much larger set of "random" mailboxes than if you are sending out a handful of bombs over years.


Exactly. There's very little incentive to participate as a seller on Silk Road if you have to take these extreme measures for every package you send out. It's not economical.

If you're smart enough to devise these opsec procedures, you're probably smart enough to make a decent living doing something legal. So being a drug dealer is only worth it if you can do it at scale and make serious money. But these opsec procedures would significantly erode your hourly rate, making Silk Road an unattractive proposition. Unless, of course, you're willing to throw caution to the wind and optimize for efficiency rather than security.


Unless the seller is actually a co-op of sellers, distributed world-wide. It would be fairly trivial to make the seller group wide enough, and using a lifestyle type of profit (i.e. each person makes a reasonable amount of money, but no-one becomes a millionaire) it may not be worthwhile for law enforcement to coordinate and monitor so many drop points around the world.


Not really, if you take a major metropolitan area there are plenty of mailboxes.

The post office also happens to have a list of these mailboxes, if you use random selection and travel during peak hours they can't reduce much below the 'people who live in the metro area and commute' level.


I'm sure there are other examples, but this method of monitoring mailboxes was used more than a decade ago to catch the person behind the Tesco letterbomb campaign:

https://en.wikipedia.org/wiki/Tesco_bomb_campaign


That guy seems to have been pretty stupid, to be frank. Used the same postbox for all letters, and didn't put enough stamps on some packages. I don't think this in any way suggests somebody with basic common sense couldn't be quite considerably more secure when sending things they don't want traced back to themselves.

    "...while the Royal Mail intercepted several other packages, which had been held up because insufficient stamps had been put on them."

    "After receiving the second letter, which had been damaged by fire, police made enquiries with the Royal Mail and discovered that a fire had been reported in a postbox on Bradpole Road, Bournemouth, leading to speculation that "Sally"—the alias by which all the letters were signed—had changed his mind and attempted to destroy the letter."

    "The police received another letter from "Sally" on 7 December. Once again, the letter was traced back to the Bradpole road postbox, where the surveillance operation had continued. The operation had captured good-quality footage of all the users of the postbox that day, but, as it was close to Christmas, the postbox was busier than normal, with 172 items posted by 38 people. Royal Mail regulations meant that detectives could not open or delay the letters, so they made enquiries with the recipients to identify the senders. They eventually managed to identify all but a small number of the senders."

    "On 17 February 2001—over six months after the receipt of the first demand and three months since the last letter from "Sally"—the police made a major breakthrough. Detective Constable Alan Swanton, a junior detective on the case, spotted one of the people caught by the surveillance of the postbox who had yet to be identified. The man was carrying a fuel container, which Swanton believed had come from a nearby filling station. Officers obtained CCTV footage from the filling station, where their suspect had paid by cheque, and identified the man as Robert Edward Dyer."


> Why wouldn't law enforcement pose as buyers, as well?

And then you end up with covert LEO buying, and covert LEO selling ... and find yourself knee deep in a Philip K Dick novel.


> Why wouldn't law enforcement pose as buyers, as well?

Because as a buyer you don't know who the seller is. You just receive your package.

But as a seller, you know your buyer's mailing address. It becomes trivial to catch the buyer.


As described in my post above, the police don't initially know who the seller is. But the whole point is to find out by working backwards from the package the police receive.


If this is a honeypot, couldn't they conceivably deanonymize users based on timing, using either ISP data or data from honeypotted Tor relays?



Wouldn't it be a great honeypot for one big bust? Delay the launch as long as possible due to "load issues" to bring in as many sellers as possible and then take them all down after their first transaction.


How are you going to find a seller? They use Tor, don't need to enter their details anywhere; they just send packages to addresses they receive in encrypted form.


Most sellers are too lazy/cheap to properly set-up their fulfillment operation with good enough security. If you read accounts of the seller busts from Silk Road 1.0, the authorities can trace where your packages have been sent from and where you bought the postage from. If you don't operate as if the police are actively using this information to track you down, they will be able to.


Sellers don't reveal their personal details to the site - maybe having a honeypot site would make it easier to track them down, but it wouldn't be simple.


It's run by one of the admins of the original SR according to the article.

And would it be even legal for the police to do this?


Since when in recent years has that been a determining factor? The war on Bad People has been the go-to excuse for all sorts of things which we might feel should not be legal, or which are not. The Justice Department can merely choose not to prosecute them, congress can enact legislation granting immunity, or the agencies can flat-out lie about what they are doing.

If the government is running a drug marketplace as a honeypot to catch sellers and buyers, it's possible that some of those buyers and sellers might mount an effective suit ... but I'd say the expected result is much more likely to be jail time for the buyers/sellers.

Moreover, the courts will rule that only people directly harmed by such things can sue for it, and then will deny THEIR suit unless they are able to prove that it happened. Since it'll all be classified up to the moon, the government will deny its existence, and no suits will happen.

This is a deliberately cynical take on how that would go down, but I fear it's probably not inaccurate.


Could be, but would they really dare to mock themselves in the honeypot? If it is a honeypot, it's very convincing and elaborate.


> If it is a honeypot, it's very convincing and elaborate.

There is no other way to run a honeypot. Reminder that the feds ran the two largest carding forums on the web:

http://en.wikipedia.org/wiki/DarkMarket

They almost entirely destroyed English-language US-based carding forums in the process.


I would say, that's exactly what you want from your honeypot.

What I don't really know, I guess, are the legal implications of entrapping people on such a mass scale.

I'm also not sure about the usefulness of such a honeypot, since you can't actually track the buyers. Just because someone pays you to send drugs to some address, doesn't mean it's their own address.


IANAL, but my understanding of entrapment is that law enforcement has to persuade you to break a law that you wouldn't otherwise have broken - for example if you walk up to a cop and say "sell me some weed" that isn't entrapment, unless he initiated it and persuaded you to try to buy some weed - so if this site was a honeypot, it wouldn't be entrapment, as buyers and sellers are both going there without any persuasion, because they already want to do something illegal.

That said, I agree with other comments here as to why it's unlikely to be a honeypot.


>would they really dare to mock themselves in the honeypot?

Of course they would. The makers of a maximally-effective honeypot aren't going to shy away from making fun of TLAs. They'll do what's most effective.

With that said, I doubt it's a honeypot. Of course I don't plan to test that hypothesis.


To me, that seems like the easiest possible thing to do. If they have the original site code, then it's just a matter of making some superficial changes and re-launching as "Silk Road 2.0".


Would an undercover cop say "fuck the police!" when talking to the people he was angling to bust? Of course he would.


Nah, I believe the motive is money. Did you hear how much was seized from the previous admin? To make such money just sitting behind a computer, without having to worry about guns and the violence that comes with dealing drugs? There are many people who are willing to risk it.


Well, to be clear, you've still got to be worried about guns and violence. They just happen to be wielded by thugs who happen to have a badge and uniform.


You'd have to be a complete moron or a huge addict to use this. How much do you want to bet this is run by the FBI and filled with various browser exploits designed to de-anonymize you? I wouldn't even connect to it, let alone buy or sell drugs on it.


Then there are a lot of moron drug addicts on this forum.


Easy way to find out: buy something cheap and ship it to your neighbor. Your neighbor will have a bad day but won't get in trouble and there won't be any evidence that he bought it, only that someone shipped it to him/her.


>Your neighbor will have a bad day but won't get in trouble

This may result in your neighbor being raided and possibly being injured (and small chance they might be killed). Please read the description of some of these botched raids http://www.cato.org/raidmap before you willfully endanger people you should be looking out for.


This is one of the most irresponsible things I've ever read.


Why?


Seriously? You don't think that sending a schedule I substance to an unknowing stranger through the mail and across state lines isn't irresponsible? Are you going to valiantly turn yourself in if your neighbors get raided?

If you get drugs shipped to your house, they will charge and probably convict you. Doesn't mean it would hold up in an appeal, but why would you risk an innocent's life, freedom, finances, and social standing just to order drugs off the internet?

https://en.wikipedia.org/wiki/Berwyn_Heights,_Maryland_mayor...


32 pounds of marijuana in that case. If you were going to do a test run in this way, you could send a single schedule IV Xanax or something. I'm not saying it's a good idea but the likelihood of putting your neighbors in danger is probably smaller than many common actions. It's probably less dangerous statistically than giving them baked goods with nuts.

All I was responding to is your statement, "One of the most irresponsible things I've ever read." If I ranked all statements I've ever read in order of irresponsibility, this is pretty middling.


Maybe I should clarify: it's one of the most directly irresponsible things I've seen unironically suggested here.

If you don't see the irresponsibility of implicating an unknowing third-party in a serious life ruining felony, I don't know what to tell you.

Given that this is most likely filled with vendors who are either agents or guys who have been popped and are now confidential informants, your statistics are way off.


If you want to see really un-ironic irresponsible ideas, go read the post on the anarchist solution to healthcare. I'll give you the tl;dr: anonymous healthcare for bitcoins.


I try to avoid anything that would bring the bitcoin crowd out, or I might have an aneurysm.


I'm alright with people buying and selling drugs, as long as they risk their own lives.

But that is just low. What kind of psychopath do you have to be to ruin some innocent person's life just because you want to check some theory?


While I do agree with your point wholeheartedly, I believe that the mere fact that an innocent person's life can be ruined by these types of shenanigans shows the flaws in our current system. Our system is supposed to protect innocents, but as we have seen too many times, the cops rush in on flimsy evidence and wreak havoc. This is what needs to be addressed.



