ASSESSMENT: Black Box Markets On The Darknet
With the growth of the darknet due to NSA snooping as well as a “libertarian spirit,” as some claim, we have seen the governments and police agencies of the world begin to try and police the new wild west of the internet. To date we have seen dark markets in the style of bulletin boards that you can sign up to as a buyer or seller, but that is changing since DPR (Dread Pirate Roberts) and SR (Silk Road I & II) both got popped and people have begun getting arrested. What I personally think led to these sites and people being busted was not only bad OPSEC but also the fact that they plied their trade in the open, so to speak. A bulletin board, even on an allegedly anonymized session like TOR, is still rather out in the open where OPSEC is concerned. In essence, even though the vendors and buyers were anonymized they still were pretty out in the open because it was an open forum for the most part. Sure you had to get an account, but unlike the tighter credit carding sites in the Baltics, this site would allow anyone onto it to have a bigger market share through ease of access.
If you look out on the darknet today you will see a plethora of these sites and most of them rely on the assumed anonymity that TOR and TORmail provide, but that paradigm seems to be changing and OPSEC is becoming more of a contemplated issue. Of course the spectacular failure of DPR I and now DPR II’s cutting and running must have gotten someone thinking and the outcome of that is in effect a black box auction or dead drop model for carrying out one’s illicit business on TOR. The site (pic above) is “The Black Box Market” and it takes its logo as well as its idea from the response that the news media had to the NSA programs against whistle blowers and reporters. The New Yorker set up a site in the darknet called “StrongBox” and it has much the same idea of anonymity that the Black Box Market has, except without the illicit trade for money.
Black Boxes For Whistle Blowing:
The idea of the black box in the darknet for whistle blowing came along after Wikileaks made their system available and of course after the assailing that they took by the governments of the world as well as others trying to knock them off the clearnet and stop the data from being transmitted. In the case of the StrongBox though, it is situated in the anonymous TOR network (so called, there are attacks out there to defeat that anonymity) and the basic idea, as noted in the graphic, is that this is to be a “Dead Drop,” meaning that the information can be passed safely and secretly because only the two involved know of the place and perhaps the times for the placement of data. However, in the net the idea is a bit different because the “drop” isn’t so secret location wise, but the obfuscation that software, crypto, and anonymity provides ostensibly will protect the whistle blower as well as the reporter gathering the data in today’s climate. Today the “Espionage Act” is being leveraged by the Obama Administration to go not only after leakers but also reporters and this is a bad precedent.
This model of dead drops and crypto on an anonymized platform is a nice idea and now one that the black marketeers have finally latched onto as a potential model for doing business. This will really be the test of the security of the dead drop model for the whistle blowers as well because now not only will there be a place to dump docs for a reporter to write about and free the information but also now too a place where a leaker can become a seller of data. Of course that is only one permutation of use for the new Black Box Market idea which I will expand upon below. For now though, suffice to say that this idea in my opinion will make it harder for the law to catch users en masse unless they compromise the host system offering the service and start monitoring all users no matter how temporary.
This then brings me to the idea of security models for sites like these. This site claims that no logs are kept and everything is encrypted and in a perfect world that is great. However we don’t live in a perfect world and I am sure that the compromise of the system and addition of software/logging capabilities could be carried out. This would of course lead one to anonymized IP addresses right? Sure, but the issues surrounding de-anonymizing TOR users are being worked on by the likes of the NSA and other agencies with three letters as well as other persons who I have read papers by. Ok so you are anonymized by TOR, you are using a TOR address like TORMail and you should be good to go right? That’s the theory and in practice for the most part it’s true. The next issues become:
- Who are you selling to?
- What information are you giving them?
- Just how are you sending/getting the goods?
- How do you collect payment? (bitcoin seems to be the main way here)
This site handles only the “auction” or drop itself and you must work out the other security concerns for yourselves. This leaves the majority of people in the position of having to really understand OPSEC and as we have seen of late, many people aren’t so good at that. So the process goes something like this;
So the plan here is to have a site that keeps nothing but a bitcoin transaction as data goes and the sellers/buyers are on their own in transmitting that there is a sale going on as well as how to pay for and exchange the goods. Once the sellers make the connection with the buyers (over an encrypted email say with GPG) it should be VERY silent and there’s no bulletin board bullcrap out in the open for anyone to see. This, if you keep to your OPSEC should be a pretty tight system to sell whatever it is you want to sell and buy whatever it is someone is selling. Of course there is a downside here for both sides of the equation right? Say you are a scammer and you want to sell some snake oil to someone, there is no third party per se that is protecting the interests of either party like those admins in the drug markets. With this system you are on your own and the converse is true that you don’t know who you are really selling to do you? You could in fact be selling or buying from a fed right? I guess that’s the risk you take here. It certainly isn’t a fool proof system but so far it is the best OPSEC versed one that I have seen on the darknet to date.
Black Boxes For Invisible Transactions:
Extending this further out though, I can see this framework being used by many more people than just drug dealers. Say you are a data thief, an industrial spook, or even someone with say a Flemish master work to sell and you wanted to have an online silent auction to get rid of it? Seems this place may be the place to do so in an anonymous manner that might actually work. I throw in the art theft thing because it is a pet thing of mine but it is entirely possible that a black market could appear on the darknet for those looking to sell illicit items other than drugs and once again I think this is just the start of the possibilities rising in the onion. Obviously though, if this idea works and people start using this successfully it will then come under scrutiny and attack from the authorities even if there are only legitimate transactions taking place (*cough* I’m sure they all are).
Overall I think that what we are seeing here is the maturation of the darknet and those denizens therein. If the technologies keep getting better to protect such transactions it will force the likes of the NSA to continue down the path of the TAO program recently revealed and make the end point the pivot of compromise as SOP. This of course ups the ante for us all in protecting our data and as we have seen with the revelations of late, we may have no real chance of stopping them unless we are constantly ripping our systems apart to ensure no stray chip has been installed in our absence. If the darknet isn’t completely de-anonymized by some government agency then we will continue to see the maturation of things like this. Of course the application of selling things could be abused, but the idea and the learning curve could be very beneficial for us all in the clear net as well…