How to run a dark market

Transcript

1. DARK MARKETS!

2. Should I even be doing this talk?  I have

   spoken to legal council  Proposed many talks, strongest interest this  This is not a talk about Tor  This is for educational purposes  I don’t run such a Dark Market  Not encouraging you to either  I make no guarantees

3. Where do I actually host this?  Yourself (you own

   the hardware, connection)  Living in your own crime scene  Definitely need for disk encryption  We can make case tamper-proof  We own the hosting company  Fake customer information  Fake billing records  Deniability is poor opsec

4. Where do I actually host this?  Outsourcing (VPS, or

   Cloud)  Run the risk of losing control over site  Need to protect ourselves from the host  Having dedicated hardware no memory snapshots  Jurisdictional boundaries

5. Tor  I lied, this talk is kind of about

   Tor  What is Tor?  Most attacks against clients  Bit of a double standard, many VPNs much worse  Most of this talk still relevant for i2p

6. Middle Node Entry Node Tor User Hosts outside of Tor

   Exit Node

7. What are hidden services?  Uses a .onion TLD 

   16 char base32 encoded sha1 hash  Keypair still limited to RSA-1024  Publishes a descriptor to HSDir  Client queries HSDir for descriptor  Both parties build Tor circuits to RP  End to end encryption, and double blind

8. Rendezvous Request Pushes Descriptor Requests Descriptor HS Directory Builds Circuit

   Builds Circuit Rendezvous Point Hidden Service Host Rendezvous Request Introduction Point Tor User

9. Enumerating onion addresses  HSDir nodes are community run 

   They know what descriptors they are publishing  They DON’T know who does lookup (CMU Attack)  Nodes can position themselves on the hash ring  Various fixes have made this harder  Onion site surveys have been done

10. Hardening hidden services  Connection often from localhost  Think

    about your ACL ( eg: mod_status /server-status )  Throttling and logs not very useful  Service can not be accessible by a real IP  Think SSH host keys  Server should be unaware of a real IP address  Use a virtual machine/network  Disable NAT for virtual network

11. /etc/tor/torrc HiddenServiceDir /var/lib/tor/hidden_service/ HiddenServicePort 80 10.100.120.2:80 10.100.120.0/24 Content Server 10.100.120.2/24

    The Internet 0/0 5.5.5.0/24 Hidden Service Host 10.100.120.3/24 5.5.5.5/24 Tor Bridge 7.7.7.7/24 /etc/tor/torrc Bridge 7.7.7.7:443

12. Scaling onions  We still have scaling issues  Limited

    number of introduction points (10)  Introduction points selected at random  Multiple onion addresses  Replica daemons for same address  OnionBalance  Management Server  Backend Instances  Facebook’s .onion ran on stock code

13. 10.100.120.0/24 The Internet 0/0 5.5.5.0/24 Hidden Service Host 10.100.120.5/24 5.5.5.5/24

    VPN Connection Onion Balance Management Server Only private key for .onion 10.100.130.0/24 4.4.4.0/24 Hidden Service Host 10.100.130.5/24 4.4.4.4/24 MultiMaster DB Replication Content Server 10.100.120.2/24 Content Server 10.100.130.2/24

14. Captcha is the suck  Creating real risk by outsourcing

    captcha  In theory, a magic challenge response can be logged  Usually self hosted ones aren’t any good

15. Client side rate limiting  Make client demonstrate a proof

    of work  Can be sessionless  Proof of work for each guess  We can scale difficulty with failure rates  https://github.com/jsavoie/proof-of-work-login  Check out Bounce: Authentication by @SarahJamieLewis

16. Yes Hash start with Challenge? Username Password Challenge Client Solution

    Challenge No Increment Client Solution Browser WebSite Hash (Username Password Client Solution )

17. Monetizing your crimes

18. Cryptocurrency  Resource based rather than FIAT based  Resource

    in this case is proof of work  Not a talk on bitcoin vs bitcoin-xt vs dogecoin vs whatever

19. Laundering your Satoshi  Blockchain is a public ledger 

    Use a tumbler and different wallets  Pay attention to “taint”, and large transfers  Swap for newly minted coins?

20. I love paying taxes  How do I turn my

    bitcoin into a paycheque?  Revenue services are scary!  Need to find a way to pay taxes  Through a payroll  As a business revenue  As capital gains through equity sale  A company has to put it on the books  Use a cashout service

21. I hate paying taxes  Originally pulled this slide 

    #panamapapers happened (Mossack Fonseca)  Panama  BVI (16 companies per person)  Various regulations to consider  Panama–US Trade Promotion Agreement  Foreign Account Tax Compliance Act (FATCA)  Common Reporting Standard (CRS)  USA (if you're not an American)

22. The role economics plays  No legal recourse in cases

    of fraud  Reputation/Repeat business a big part of this  Usually low margin, high volume items  Costly/one-off purchases more problematic  Typically limits markets to drugs, identities and services  Sites other than market places typically scams

23.  Go follow @thegrugq

24. Why Compartmentalization usually fails  Two separate identities (good guy,

    bad guy)  Cross contamination  Shared accounts/aliases  Shared IP addresses  Shared personal details/linguistic styles  Shared icons/pictures/software versions  Signatures in techniques/code  Misdirection can help  Virtualization can help  Keep "real" identity with minimum footprint

25. Interacting with the authorities  The minimum amount possible 

    You can not help yourself in the room  Police are allowed to lie to criminals  Mens rea isn't a bad thing  What you say WILL we used against you  Evidence is what gets you convicted, not appearances  You don't have friends  Above all; Shut your mouth

26. Opening your mouth  Privacy vs Anonymity  Privacy, without

    anonymity  PGP  Signal  Anonymity, without privacy  Throw away commodity accounts  We want both  OTR over Jabber/XMPP  VPN/Tor to prevent contamination  Easy/quick registration openxmpp.com/jabber.at/jabber.se  Libpurple sucks, virtualize it (or Tor Messenger)  Ricochet looks promising

27.  Twitter @jzsavoie  XMPP [email protected]

28. And if there are no questions  Specialized “Darkweb” hosting

    outfits  x509 certificates for https onions  Deadman’s handle and drive crypto  CMS / General hardening