'Silk Road Reloaded' Launches On a Network More Secret Than Tor

rossgneumann writes A new anonymous online drug market has emerged, but instead of using the now infamous Tor network, it uses the lesser known "I2P" alternative. "Silk Road Reloaded" launched yesterday, and is only accessible by downloading the special I2P software, or by configuring your computer in a certain way to connect to I2P web pages, called 'eepsites', and which end in the suffix .i2p. The I2P project site is informative, as is the Wikipedia entry.

can sombody say....

[ganjadude]

Honeypot???

Re:can sombody say....

[TWX]

Yes. I have no speech impediments in English.

Don't ask me to properly say, "burrito," in Spanish though, as I cannot roll my Rs...

Re:can sombody say....

[Ed+Avis]

As an English speaker learning Spanish I found it easiest to start with the word 'corrida'. Somehow the O vowel before helped to roll the RR. After that, 'corrida de burritos'. More difficult still, 'corrida de perritos'.

Re:can sombody say....

[ShanghaiBill]

Honeypot???

I downloaded it from www.fbi.gov/downloads/i2p.exe and it looks okay. Why do you think it is a honeypot?

Re:can sombody say....

[Immerman]

You ever make engine noises while playing with toy cars as a kid? Flutter your tongue against the roof of your mouth/back of your top teeth and go nuts for a while. RrrrRRrRRRrRRRRRRRrrrrrrRRRrrRR... Keep it up - you want to get your tongue comfortable with the motion.

Now say burrRRrrito. Then dial it back a bit and you're golden. Well, bronzed at least.

Re:can sombody say....

[cayenne8]

Now say burrRRrrito. Then dial it back a bit and you're golden. Well, bronzed at least.

I've never had a problem with this. No matter how I pronounce burrito, rolled R's or not....they give me what I want at Taco Bell, no problems, no big deal.

:D

Re:can sombody say....

[Cito]

If so, they deliver.

To test it out ordered little pot and a single dose of DMT

Items received

Re:can sombody say....

[Immerman]

But then if you're only eating at Taco Bell, you've never had a real burrito (or any kind of actual food for that matter), so why should it matter if you can pronounce it or not?

Re:can sombody say....

[nuckfuts]

Can somebody spell "somebody"?

Re:can sombody say....

[Applehu+Akbar]

Let's just introduce the new top-level domain .nsa, and have done with it.

Re:can sombody say....

[ganjadude]

no

Re:can sombody say....

[Strangely+Familiar]

Big deal. Intelligence agencies deal in drugs to accomplish their own ends. It's called establishing trust. Look at the team members on the development of this project. They are all anonymous, as far as I can tell. I have no idea who KillYourTV is. Nor do I know who you are. For me personally, a typical citizen, I have no idea where to go or what to do to maintain my privacy. This goes beyond wanting to look up medical conditions without my ISP and government looking over my shoulder. I don't know who to trust. I think I can trust Snowden, Drake et. al., but when it comes to Phil Zimmerman, the maker of PGP, or Bruce Schneier, I wonder just a little bit more. They are public figures, and I have good confidence in them, but only like 95%. How many people and programs can I trust before my odds of misplacing my trust approach 1? How about all the developers of the major operating systems? That's literally thousands of tons of people. Can I trust that ALL the developers of Windows, Linux, Android and OSX are not paid by the NSA? I think not. I am feeling sick over this. Not for me, but for all the republics of the free world. I'll probably get most of my kicks before the whole shithouse goes up in flames. I probably already have. But my daughters might not. If the government makes sure it can get to all criminals, it also makes sure it can get to all dissenters. Even ones that blow the whistle on systemic problems, like Snowden. What government wants all its systemic problems exposed? Every democratic republic should, in theory, want all its systemic problems exposed, but in practice?

Re:can sombody say....

[Crashmarik]

Imagine how big the NSA's porn collection must be.

Re: can sombody say....

[anagama]

It isn't called Taco Hell for nothing you know.

Re:can sombody say....

[Strangely+Familiar]

Oh, Anonymous Coward, you are funny! I wish I had mod points today.

Re: can sombody say....

[anagama]

Nice -- that's even better.

Re:can sombody say....

[WorBlux]

i2p isn't meant to be very good at being an out-proxy, so no.

Re:can sombody say....

[RuffMasterD]

Sumbodee... shit. Sumebodie... dammit. Sombodii... fuck. Summ... far out. Say it again? My dicklessia playing up something orfull.

Re:can sombody say....

[AmiMoJo]

We know for a fact that if you live in the UK or talk to anyone in the UK over Yahoo webcam chats, you are part of GCHQ's porn collection. You don't need to be naked, just hot enough for the wank bank.

Re:can sombody say....

[OurDailyFred]

I've found it amazing that many otherwise intelligent people will believe that Taco Bell got its name because it was originally owned by the Mexican telephone company.

Try mentioning it the next time you drive past a TB when you have non /. readers in the vehicle.

Re: can sombody say....

[cayenne8]

True..b.ut they are open till after 2am i the morning and when driving home from the bar...it can taste mighty good.

That leftover couple of burritos helps during the hangover the next day too.

Infamous Tor Network?

[hodet]

One crappy drug site and the whole Tor network is now infamous.

Re:Infamous Tor Network?

It wasn't one crappy drug site, but yes the prominent "dark web" front leader is as a result infamous. There are plenty of innocent and justified uses for systems like tor, but for the average person associates tor with drugs by mail, child porn and murder for hire thanks to the media.

Re:Infamous Tor Network?

[GameboyRMH]

For drugs, and not child porn. I call that progress!

Re:Infamous Tor Network?

[Great+Big+Bird]

How would you do a traffic study on a network that is encrypted or otherwise as private as it is?

Re:Infamous Tor Network?

[rmstar]

here are plenty of innocent and justified uses for systems like tor, but for the average person associates tor with drugs by mail, child porn and murder for hire thanks to the media.

Truth be told, it's not the media. We live in a world that is far freer than many would like to acknowledge, and for most purposes tor is a hassle or pointless. The end result is that tor is mostly only used when there is a very good reason for it, and since we live in fairly free society, that reason tends to be stuff that gives tor a bad reputation.

There is also this paradoxon that, if we lived in a society where tor would make a difference, tor would most likely not exist or be useless. This is the situation in Saudi Arabia and other similar places. This is so because the real weakness of tor is that, since it is not possible to hide the exit or entry nodes themselves, the network is easy to shut down or to filter out.

Re:Infamous Tor Network?

[rot26]

"There was a study done recently" that shows anything you want it to.

Re:Infamous Tor Network?

As a sysadmin, Tor was infamous for the attacks coming from exit nodes. So much that it became a policy to block all traffic coming from those IPs at the routers, application level, and even the OS level via group policies or recipes. This way, if someone was using TOR for C&C, there was a good chance, something somewhere would block it.

IP blocks are a wise thing in any case for every single public service. If there is no need for Elbonian sites to connect to a VPN service, they get blocked by IP. Even better is finding what IP ranges actually have a right to connect and shitcan everything else.

Of course, one can use TOR, then a VPN past the exit node to give their IP address some legitimacy.

Re:Infamous Tor Network?

[IamTheRealMike]

Why don't you watch the talk and find out?

Actually I'll just summarise it for you. If you run a lot of Tor nodes you will eventually get picked to host a hidden service directory. Then you can measure lookups for the entries of hidden services to measure their popularity, and crawl them to find out what's on them.

Re:Infamous Tor Network?

[jythie]

One of the things that makes pointing this out difficult for some people though is that there are a non-trivial number of people who use it for ideological reasons, so they always have their own small community to point to as examples for legitimate use. But just like the other groups you point out, ideological usage is still not common usage since it provides an inferior network experience for mostly symbolic gains, which the average user has no use for.

Re:Infamous Tor Network?

[jythie]

It is more likely to become quickly forgotten then infamous. The more technologically difficult you make it to access services, the fewer people will actually use them. Sure you will get technolibertarians and other people with both the skill, money, and incentive to use it, but given the extra hassle people are unlikely to bother unless they have some ideological or subculture reason to even consider it. Thus I2P will likely remain niche and probably quickly forgotten outside rather small circles.

Re:Infamous Tor Network?

[Immerman]

Bit of cognitive dissonance there. Even if the overwhelming majority of usage really is for nefarious purposes, that still implies a non-negligible minority of usage for legitimate purposes. That's not "in theory", that's in practice.

Couple that with the fact that I suspect such claims of "overwhelming majority" are looking at bandwidth, and porn is liable to be much more bandwidth-intensive than accessing information suppressed by oppressive regimes, and you could end up with a very different picture.

But hey, stamping out kiddie-porn is a much bigger priority than coordinating people fighting against oppressive governments that would casually murder those children instead, right?

Re:Infamous Tor Network?

[mi]

for the average person associates tor with drugs by mail, child porn and murder for hire thanks to the media.

That's what I for one think of this entire newfangled "internet" thing, thank you very much...

Re:Infamous Tor Network?

They insist on you using your real name for your accounts, but let you use Tor. Priceless.

Re:Infamous Tor Network?

[cayenne8]

Whatever happened to Freenet?

I thought that was supposed to be the big deal with anonymous websites, etc?

Re:Infamous Tor Network?

[Em+Adespoton]

It got closely linked with kiddie porn, has abysmal throughput and drops "non-fresh" content.

It actually seems like the perfect solution for hosting torrent magnet files though (not so good for static content you want to sit around for any given amount of time).

Re:Infamous Tor Network?

[jareth-0205]

How would you do a traffic study on a network that is encrypted or otherwise as private as it is?

Well I imagine you run an exit node and see what comes through it. Exit nodes are unencrypted (necessarily) so it should be fairly easy to do.

Re:Infamous Tor Network?

[morgauxo]

I do my best to lower that percentage by using it to post anonymous trolls.

Re: Infamous Tor Network?

[ben2027]

Except the study was on hidden services, not through traffic. The study was somewhat flawed (not that I'm claiming I could have done any better) in that lookups do not necessarily mean genuine traffic. A lot of the lookups may also have been LEA monitoring known scumpots. They also only checked whether services were legit at the end of the study, so any non-scummy sites that dissappeared in the meantime weren't counted.

Re: Infamous Tor Network?

[ben2027]

Although it gives your IP some semblance of legitimacy, having a fixed endpoint after Tor (as would be the case with a VPN through tor) is a bad idea in practice - though obviously the measure of bad depends on what your exact threat model is.

Re:Infamous Tor Network?

[sudon't]

Right. There were already drug markets on I2P, and mostly flying under the media radar. Now, Silk Road will bring the same notoriety to I2P that was brought to Tor. I don't blame Silk Road, of course. But, here's to hoping we're approaching the day when it's no longer thought appropriate to lock people in cages, simply because they want to get high.

Re:Infamous Tor Network?

[lgw]

That measures hidden services traffic, not TOR traffic. I'm not surprised, with Silk Road gone, that 80% of the remaining hidden server traffic is CP - hidden services are mostly for protecting the host (which they've historically done a suspiciously terrible job of), so you expect hidden services to mostly be serving stuff that's illegal for the host. I'd guess the main use of TOR is anonymous access to normal web sites - sites which may be illegal (or just embarrassing) where the client is, but not where the server is. (Or to do something illegal or unwanted to said legal sites - in the early days, TOR was quite popular for forum trolling).

You could probably look at total exit node traffic vs an estimate of hidden services traffic to get real numbers.

Re:Infamous Tor Network?

[sudon't]

But I2P is not more difficult to use than Tor. There is no "extra hassle".

With the Tor Browser, there's almost no setup involved, just a few preference settings as I recall. My mother could use Tor if she needed to. I can't imagine her figuring out how to setup I2P on her own. So sure, if you know your way around a computer you can do it, but it's definitely more involved than Tor.

Re:Infamous Tor Network?

[rmstar]

but I have seen it used in the real world to protect those dissenting against their government.

That's good news, and I'm happy to be wrong on this count. I worry, though, that TOR usage tells the SA secret service who is a dissenter.

Re:Infamous Tor Network?

[WorBlux]

A large chuck was porn, not specifically child porn. Makes since as several countries try to filter all explicit material from the Internet, and one of the main aims of the tor project is to bypass filters and firewalls.

Re:Infamous Tor Network?

[WorBlux]

Freenet is a little too anonymous. A freesite isn't hosted on a particular computer, rather it is just released and migrates and is cached based on people looking accessing it. You can't delete a listing, and updates can take a while to propogate.

Re: Infamous Tor Network?

[jareth-0205]

Ah, shame then that everyone took traffic to equal hidden services... Of course hidden services are likely to be dodgy, but that is itself a proportion of tor traffic, I would expect most tor traffic is evetually accessing public websites.

Re:Neat

[gstoddart]

You should have Bennett Haselton pay the site a visit and do a write-up.

You know, tweaking would explain a lot ...

What's that saying again?

[OzPeter]

Two people can keep a secret, but only if one of them is dead

But then, from the I2P page

I2P is beta software since 2003. Developers emphasize that there are likely to be bugs in the software and that there has been insufficient peer review to date. However, they believe the code is now reasonably stable and well-developed, and more exposure can help development of I2P.

So while "More secret than TOR", may be true, actually being secret is unknown by the users. But I bet the TLA LEAs will be keeping an eye on it and directing resources to test I2P limits (if they already haven't - they kinda don't like communications they can't tap)

Yeah, until just now

[wonkey_monkey]

'Silk Road Reloaded' Launches On a Network More Secret Than Tor

*sigh* Sure was a nice secret network we had going up until five minutes ago. Thanks a bunch, timothy!

TL;DR - shut uuuuuuup!

Re:Yeah, until just now

[Rosco+P.+Coltrane]

Oh come on: anyone with a passing interest in trying to get away from ubiquitous corporate and state tracking knows of i2p. It takes a minute of googling to find Tor first, and i2p second.

Re:Yeah, until just now

[OzPeter]

Oh come on: anyone with a passing interest in trying to get away from ubiquitous corporate and state tracking knows of i2p. It takes a minute of googling to find Tor first, and i2p second.

Do you hear that close-by whooshing sound? It's gotta be pretty loud where you are.

Re:Yeah, until just now

[smallfries]

Only if he is close to the first echo. Otherwise it could be any volume when it finally passes him by. That is just the price that he pays for his privacy.

Re:Yeah, until just now

[Immerman]

Okay, so, what exactly do you need torrent-friendliness for on a "secret" network? Aside from the obvious distribution of illegal porn and pirated movies I mean.

I'm assuming there must be *some* legitimate common usage - you make it sound like an important feature, and I just can't see anyone really caring who knows that they're downloading the latest version of Ubuntu.

Re:Yeah, until just now

[Immerman]

Are there really that many hour-long videos used for such things? Because unless I'm much mistaken there's just not much use for torrenting a website or similarly tiny file.

I suppose a Snowden-style information dump could qualify though.

Security by obscurity?

[gstoddart]

So, does this provide any actual additional security, or is is just security by obscurity because nobody is using it?

If it's just security by obscurity ... well, good luck with that.

Re:Security by obscurity?

[quietwalker]

I was going to post this. It's not some secret, kept hidden from folks. It's just simply neither popular nor well known.

i2p has been around for a while

[nimbius]

I2P has been the successor to Tor for more than a decade, but people continue using Tor thanks to a successful campaign by media/state to maintain the protocols use in an effort to continue exploiting it and avoid having to deal with more secure alternatives. Check out fdroid.org for open source apps that enable i2p on android as well, and expect a wholesale ban on i2p traffic in the near future.

Re:i2p has been around for a while

[Rosco+P.+Coltrane]

Tor has something i2p doesn't: exit nodes (or outproxies, in i2p parlance). That's what keeps me on Tor, despite the fact that most exit nodes are probably ran by state surveillance agencies: I use it to throw Google and other nosy corporations off my tracks when I browse the regular internet, not to escape state surveillance or buy drugs. There's no escaping the latter anyway...

Re:i2p has been around for a while

[crow]

I run a Tor relay, but I set it up to also allow exit for specific sites, such as Google.

I don't use Tor much myself, but I figure I'm a step ahead of the game by being in the habit of opening most links in a private browser (killing tracking unless I'm tethered to my phone--thanks Verizon).

Re:i2p has been around for a while

[jythie]

As the saying goes, 'standard is better than the best solution'.

Tor is more well known, so it has more people and services on it, which makes it a better protocol to actually use if you want to connect to other people and services. i2p, no matter how much additional technical advantage it has, is useless unless there is a critical mass of users to make it worthwhile. It does not take shadowy state or media manipulation to keep it on top, just simple emergent behavior.

Re:i2p has been around for a while

[Paco103]

Peer pressure. . . .you ever try saying no?

Re:i2p has been around for a while

[rdnetto]

I'd say the bigger issue is that Java is not as portable as C, partly because of its overhead. The difference is really only negligible on a desktop.

the hard work is the cryptography

Agreed, and if there's one thing the OpenSSL folks have shown, it's that doing it right is hard. The more components you have in your stack, the more opportunities there are for bugs to slip in. (e.g. the infamous OpenSSL allocator). Java has a very thick stack (especially due to its tendency to use layers of objects for everything) - I'm not sure I'd rely on it for something security critical like this.

What site do we read this on?

[houghi]

by configuring your computer in a certain way to connect to I2P web pages

Is it really needed to make it sound as if something magical needs to be done?

I am sure that some technical information about what this "certain way" is would be understood by the readers of /.
(perhaps not the moderators, but that is something else altogether.)

And in what way is it more secure then Tor? It uses something lesser known? That is security through obscurity.

Using something less known by configuring my PC in a certain way does convince me this will be more secure. I can buy most drugs legally if I want to, so I am interested in the technical aspect. This sounds as if was written by somebody at the FBI to use entrapment to get their quota in arrests.

You want to go to silk road?

[BarbaraHudson]

"You want to go to Silk Road 2.0? You're either nuts or on drugs."

Russian honeypot?

I have tried I2P several times for torrent and iMule to avoid university anti piracy regulations and it was ridiculously slow, download times were about 10KB/sec and that is not good for movies. EEpsites are also quite slow first time they are loaded. Most nodes were in Russia, some were also in Romania and similar east european countries, also some in India and Brazilia. If it is a honeypot, it is most probably Russian honeypot as there are many Russian IPs. Not good for political activism, good enough for Silk Road I suppose...

What makes it 'more secret'?

[fuzzyfuzzyfungus]

Given that size is a fairly useful attribute for an 'anonymous' network(if the system is so small that a little traffic analysis can identify the 10 cypherpunks and couple of dozen kiddie porn enthusiasts that actually use it, it isn't too useful no matter how elegant the design), what does i2P fix about TOR to be worth the greater obscurity?

Re:What makes it 'more secret'?

[Em+Adespoton]

In reality, the only thing making it "more secret" is the fact that you can split the communications up into small UDP packets instead of a TCP stream. That means that for certain uses, it can be more secret; but performing HTTP transactions isn't one of them.

Yet Another X-Bone

[jd]

People have been designing virtual networks for decades. I2P is well advertised on Freenet, itself a well-known secure network.

Nothing new here. The security and reliability of none of this software is proven, it may not even be provable due to the distributed nature. That reduces the problem to one of how many people you're ok with knowing what you're doing.

Secret?

[mbone]

If we are discussing it on Slashdot, it's not secret.

Re: Copping

That involves:
- Leaving your basement
- Knowing what areas to go/people to ask
- Having a network of real world friends who can point you to the above
- Having a basic level of street smarts and socialisation to reduce your chances of being scammed/robbed/murdered/busted by cops
- Not being shit scared of approaching people who could personally harm you

You may think the above isn't such a big deal, but to a large number of people to whom silkroad etc appeals, it is as daunting to them as setting up an encrypted currency exchange network and hidden virtualised proxy server that can withstand attacks from both law enforcement and the online equivalent of your local gangland thugs is to you.

Re:It's not the network.

[gweihir]

Indeed. I am pretty convinced the propaganda implying TOR had been broken serves mainly to drive people to less secure alternatives like I2P. Would not be the first time this happened. A while ago, "they: even succeeded in causing some jihadists to make the terminally stupid decision to roll their own ciphers. Of course, with that the NSA can actually break encryption itself.

Just to be sure, compile it from source

I downloaded it from www.fbi.gov/downloads/i2p.exe and it looks okay. Why do you think it is a honeypot?

You should download the source code and compile it yourself. Be sure to use the compiler that is supplied as part of the package.

www.fbi.gov/downloads/i2p/sources/WindowsFullPackage.zip .

Re:Just to be sure, compile it from source

[beastofburdon]

But if you are using the supplied compiler then it could still be compromised. The compiler could be programmed to inject the malicious code.

Re:Just to be sure, compile it from source

[slashdotwannabe]

But if you are using the supplied compiler then it could still be compromised. The compiler could be programmed to inject the malicious code.

I felt a great disturbance in the Force, as if millions of voices suddenly cried out WHOOOSH and were suddenly silenced. I fear something terrible has happened.

Re:It's not the network.

propaganda implying TOR had been broken

TOR's own developers admit that PRISM-level metadata collection is sufficient to break the anonymity of TOR.

Millions of idiots pay for millions of servers with credit cards in their own names. What made this idiot special, other than being able to track the packet to the server through the onion?

Was this the case where the government claimed they connected to the server and got an IP address? Where other people took the computer configuration the government released in the trial and discovered that they got a mysqladmin page but no IP address?

Re:It's not the network.

[tnk1]

The minute the government presented a valid means of compromising the network, it ceased mattering whether they actually had or not. The resources to make the compromise happen are relatively trivial compared to cracking/bypassing the actual scheme. Those resources are completely within the capability of the government to allocate, so as long as they *can* overwhelm the network with their own nodes, they can do so any time they wish to.

It's much like demonstrating that you can break a previously unbreakable padlock by defeating a weakness in it with a few flathead screwdrivers used in the right way. Yeah, you need a screwdriver, but you can get those. At that point, you don't bother asking yourself whether someone has actually done it. If the method is valid, you get a new padlock.

   

Re:It's not the network.

[linuxrocks123]

I think the Tor developers personally keep track of who's running the exit nodes. They've been able to catch fake exit nodes and ban them before.

Re:It's not the network.

[gweihir]

You do not get a new padlock that is even easier to defeat....

Some people think citations are for the lazy

[tepples]

In the past, some Slashdot users have responded to a request for clarification or citation by trying to shift the burden of proof: "This isn't Wikipedia; if you want a citation, do your own search. It's not my job to teach you how to choose and use a search engine."

Re:Some people think citations are for the lazy

[gweihir]

Well said. There is a host of literature on security of TOR and I2P. Basically all cannot really be understood by non security-experts and basically all is easy to find for security-experts. Hence I see indeed no reason to elaborate. What I can see here is a lot of people that jump on everything they do not like, regardless of whether it is true or not. That is the "head in the sand" tactics that is typically employed by fanatics. It is also quite telling that these people often do not even have the minimal decency to post with their alias. This should tell anybody immediately how much credit these people deserve.

Re:It's not the network.

[tepples]

Tell us what about I2P makes it "even easier to defeat" than Tor and we'll address that.

Re:Copping

[sudon't]

Can't you just cop dope on the street corner in the hood like the rest of us joes? I suppose thats harder if you live in a really rural area though...

The street corner in the 'hood typically has one of two products, neither of which some people will want. Online drug markets have a wide selection of interesting and unusual products. For instance, opium is almost never imported into the US because of the bulk vs profit factor. Thanks to prohibition, it's much more profitable to turn it into heroin, and so it's rarely seen "on the street." But, you can order yourself a nice chunk online, and be assured of the quality because of the site's rating and comment system. Online, you have access to a World market where you can pick and choose from a wide variety, whereas, on the street - not so much.

At least, that's what I've heard.

please re-write in C

[SethJohnson]

Not trying to launch a debate here. I do like Java for a LOT of things. But a software router needs to be lightweight so it can run in very low-overhead environments. Tor runs nicely on settop boxes and many SOC hardware opportunities like RaspberryPI or low-end VPSs.

The memory footprint of a JVM is going to keep a java-based software router like i2p off those devices.

Well, if you are eating American food

[publiclurker]

why would you feel the need to roll your R's?

Is the article serious?

[Champaklal]

"Naturally, Silk Road Reloaded has its own forum as well. At the moment, there isn't a single posting, but it seems to function normally."

what was that supposed to mean?

Re:It's not the network.

[gweihir]

Have a look into the relevant security research literature. Really.

Re:It's not the network.

[gweihir]

Really, mindless propaganda. TOR is not developed by the US government. You should as Roger Dingledine how that funding came to pass (I did in 2002). Turns out that if TOR was an US government project, it would have been really easy to hide the source of funding. They did not.

What people like you do it drive people to less secure alternatives. That tells me a lot about your motivation.

Re:It's not the network.

[tepples]

Neither I nor a lot of other users who have posted comments to this story know how to find which items of security research literature are relevant to this claim. Where should we start?