A+ A A-

The US. Government Funded Your Favorite ‘NSA-proof’ Software.

The Snowden revelations about the NSA’s spying programs have shocked the world. While there was earlier evidence of US government spying, few thought that the NSA would try to wire-tap the entire planet. Basically, our online communications were essentially sitting ducks for curious NSA employees. Soon after the Snowden leaks, software programs were being marketed as “NSA-proof” on websites like Prism-Break. Many people believed that these software programs would make them safer. The truth however is that many of these programs were actually funded by the US government. Recently, the Associated Press published a story on USAID’s plot to fund a twitter-like app named ZunZuneo to help foment unrest in Cuba. USAID is not the only US government agency financing technology projects.

For most software projects, there are no requirements to publish their funding sources. On many of the home-pages and download pages that were visited, there was no clear indication that any of the projects received US government funding. Perhaps the exception was the Tor Project which has a sponsors page, but even that was problematic. Most people would not have known that the Broadcasting Board of Governors, SRI International, or Radio Free Asia are either US government agencies or “quasi” US government agencies. The vast majority of Tor Project’s funding continues to be through US government funding. The Tor Project’s sponsors page also lists “An anonymous North American ISP” and “An anonymous North American NGO” which perhaps leads to even more questions. Even stranger, is a mysterious “Sponsor O” that is on Tor Project’s website. “Sponsor O” appears to be a US government agency (USG is a common abbreviation) that wants to finance a secure chat program. The Tor Project website states, “The contractor shall concentrate efforts on outreach to Iranian end users and potential supporters in the technology community; to include train the trainer sessions, advertising on social networks, and interviews on radio and television stations operated by and for the Iranian diaspora.” Despite numerous requests, Tor Project has refused to reveal the identity of “Sponsor O”.

Actual organizational chart from the Open Technology Fund website.

1970386_520865104699200_905208814_nAnother software program that has recently come into vogue with the NSA revelations is Cryptocat. There is no sponsors page on Cryptocat’s home page to be found. Buried deep in Cryptocat’s blog is an annual report which shows that it received over 95% of its funding from Radio Free Asia in 2012. While Radio Free Asia is listed as a private nonprofit, it largely functions as part of the US government. The US Congress established Radio Free Asia and funds Radio Free Asia under the supervision of the US government agency, the Broadcasting Board of Governors. In addition, the Broadcasting Board of Governors appoints the president of Radio Free Asia, and the US Secretary of State, John Kerry, also serves on Radio Free Asia’s corporate board. The Broadcasting Board of Governors is not a benign US government agency; it sees itself as a strategic part of the War on Terror and part of the US government’s soft power influence abroad. The Broadcasting Board of Governors even sees itself as combatting groups like Boko Haram and al Shabaab which the US government lists as terrorist organizations. The Broadcasting Board of Governor’s even stated in their 2014 Congressional budget request that, “the United States must retain a global information capacity as part of the country’s effective soft power projection.” Radio Free Asia funds many software projects through its Open Technology Fund including Cryptocat with received $184,000 between 2012 and 2013.

Cryptocat’s main developer, Nadim Kobessi tweeted:

 

Open Whisper Systems has built two apps that have gained considerable popularity after the NSA revelations. TextSecure, created by Open Whisper Systems, is a popular app for securing text chats. Open Whisper System’s other Android app called Redphone promises to encrypt phone calls. The RedPhone app actually runs on VoIP (voice over internet protocol), so it uses servers. After emailing Open Whisper System’s main developer, there were some interesting responses. Open Whisper System’s developer said that he does not use any server space provided by the Open Technology Fund, but refused to say who was actually hosting users’ data. When asked why the Open Technology Fund was not listed as a sponsor on Open Whisper System’s website, the developer replied, “RFA has no influence over what we do at all.” It is also important to point out that Open Whisper Systems’ developer sits on the Open Technology Fund’s advisory council. The developer also mentioned that Open Whisper Systems accepts funding from many organizations. So who else is funding Open Whisper Systems? No one knows; there’s still no sponsors listed on Open Whisper System’s home page. The Open Technology Fund listed Open Whisper Systems as accepting $455,000 in 2013.

Mailvelope promises to be an easy tool to help users encrypt their emails. Normally, email encryption programs are either built-in or additions to an email client. Mailvelope is different, because it is actually an extension for Google’s Chrome browser. Yes, that same Chrome browser which is notorious for tracking users and collecting data. Several people have warned not to use Mailvelope. They warned that it would be easy for Google to steal the encryption keys and thus rendering all the email encryption useless. In addition, Google, the maker of Chrome, knew about and participated in the NSA’s mass surveillance programs. Mailvelope does have a very tiny thank you to “Open Tecnology Fund(RFA)” at the bottom of its blog page for sponsoring a security audit. Mailvelope has received $140,320 from the Open Technology Fund.

In perhaps a bizarre coincidence, while the US government has been allegedly trying to extradite Julian Assange of Wikileaks, the US government also has been funding a similar project. Wikileaks and GlobalLeaks have similar sounding names, but they are completely different organizations. GlobalLeaks seeks to build a secure open source platform to make whistle-blowing easier. The GlobalLeaks website leads to Hermes Center for Transparency and Digital Human Rights. The Hermes Center lists USAID Serbia and Radio Free Asia as its sponsors. Seeing USAID Serbia show up as a sponsor is extremely unusual. Back in the late 1990s, USAID Serbia was involved in overthrowing the Milosevic regime by funding protesters and opposition candidates to the tune of several million dollars; perhaps, that will be a story for another day. GlobalLeaks received $108,400 from the Open Technology Fund in 2012.

GlobalLeaks is hoping for more Open Technology Funding this year.

 

The Open Technology Fund also financed GSM Map by SRLabs. The GSM Map’s purpose is to find security vulnerabilities in mobile phone networks around the world with the aim to make mobile networks more secure. Most of the world uses the GSM standard for mobile phone networks: hence, the GSM Map. The financing for the project is not displayed anywhere on the website that could be found. GSM Map even asks users to download software and upload their own data for the project. Several country reports have been published on GSM Maps which shows security vulnerabilities in GSM networks such as the ability to track users, impersonate a user, and the ability to intercept data.

Open Technology Fund, a US government sponsored program comments on the “Cuban twitter” revelations. Irony?
10250290_534237916695252_874634399_n

Perhaps scariest of all is that the Open Technology Fund gave $1.1 million dollars to help build what is called a “Global Secure Cloud Infrastructure”. The Open Technology Fund’s website states that 10 internet freedom projects are now using this cloud. Which software projects are using the US government’s cloud? No one knows, because the Open Technology Fund refuses to tell anyone.

Security-In-A-Box seeks to train activists in the best methods for keeping safe online and their information secure. Security-In-A-Box is created by the Frontline Defenders(partially funded by Irish government) and the Tactical Tech Collective. Security-In-A-Box received $106,164 from the Open Technology Fund in 2013. Jillian C York, who works for the Electronics Frontier Foundation (EFF) and also sits on the Open Technology Fund’s Advisory Council, likes to recommend Security-In-A-Box to activists around the world including in the US. Cryptocat also promoted itself in the US through several hackathons(additional link). Tor Project also markets itself to activists in the US. Two Tor Project employees(additional link) even went to talk to Occupy Wall Street about how to use Tor.

When software projects receive funding from Radio Free Asia and market themselves to Americans, it might actually be illegal. The Smith-Mundt Act prohibited the US government from funding propaganda targeted at Americans. The NDAA 2013 (National Defense Authorization Act) repealed some of the language in the Smith-Mundt Act. Congress’ intent was to make news reports funded by the Broadcasting Board of Governors available on request to Americans. The partial repeal of the Smith-Mundt Act was never intended to fund and market software programs to Americans. In fact, the NDAA 2013 (HR 4310, Section 1078(c)) states, “No funds authorized to be appropriated to the Department of State or the Broadcasting Board of Governors shall be used to influence public opinion in the United States” (Smith-Mundt section).

Technology rights activist, Cory Doctorow, is a proud Open Technology Fund advisor.

 

If the Open Technology Fund had never published the projects that they sponsor, their true funding sources may have never been known. The most commonly used open source license still does not require any financial disclosure at all. Which ultimately leads to a question: who else is the US government funding?

Open Technology Fund’s 2013 annual report.

Published in Police State USA

Encryption and Operational Security for Journalists

Very important caveat: These tools MAY NOT be 100% effective. The latest information we have is that they are likely to help protect your communications, but governments including the U.S. have made progress in breaking or circumventing some cryptographic technologies.

If you or your source is truly a high-value target of a government, protecting yourself will require far more effort. To get an idea of what people do when they are really serious about security, please read this post first:http://grugq.github.io/blog/2013/06/13/ignorance-is-strength/

Now that you have seen what you might need to do in the future, let's move on to what you should download in the meantime.

GoalPlatformTool NameDifficultyWebsite
More anonymous Web browsing Both Tor Browser Bundle * * torproject.org (downloads)
Secure IM Mac Adium * * adium.im
Secure IM Windows Pidgin + OTR * * * pidgin.im
&
cypherpunks.ca/otr
Encrypted email + text Windows GPG4Win * * * * * gpg4win.org
Encrypted email + text Mac GPG Tools * * * * * gpgtools.org
Sending encrypted email Both Thunderbird + Enigmail * * * * * mozilla.org/thunderbird
&
enigmail.net
Protecting files on your computer Both TrueCrypt * * * truecrypt.org
More secure file deletion Both CCleaner * * piriform.com/ccleaner (Windows)
piriform.com/mac/ccleaner (Mac)
Encrypted group chat Both CryptoCat * crypto.cat

Tor Browser Bundle

Installation

Windows

  1. Download the tor-browser-2.4.17-beta-1_en-US.exe file. Make sure you choose to "Download" it rather than "Run", since where you put the file matters. Save it to your Downloads folder or your Desktop.
  2. Once it’s fully downloaded, double-click the file. It will show a prompt asking you where to extract the files to — you shouldn’t need to touch this. Simply click "Extract." You'll see a "Tor Browser" folder appear next to the file you downloaded.
  3. Delete the tor-browser-2.4.17-beta-1_en-US.exe file you originally downloaded.

Mac OS X

  1. Download the TorBrowser-2.4.17-beta-1-osx-i386-en-US.zip file.
  2. Once it’s fully downloaded, double-click the file to unpack it. You'll see a TorBrowser_en-US app appear next to the .zip file you double-clicked.
  3. Move the TorBrowser_en-US app to your Applications folder.
  4. Delete the TorBrowser-2.4.17-beta-1-osx-i386-en-US.zip file you originally downloaded.

Using

  1. Open the Tor Browser application.
    • Windows: Go to the "Tor Browser" folder you extracted, and open the Start Tor Browser program inside it.
    • Mac: Open TorBrowser in your Applications.
      • Mountain Lion users: you might get an error that the app “can’t be opened because it is from an unidentified developer”. If this happens, right-click on the app (or hold down “Control” on your keyboard and then click on the app) to show a menu on the file. Then hold down the "Option (Alt)" button on your keyboard and click the “Open” option in the menu. You will be asked if you are “sure you want to open [the app].” Once you click “Open,” you won’t need to go through these steps again for this app.
  2. You will see a “Vidalia Control Panel” pop up. You can ignore it and simply wait as the Tor software starts to connect to the network. This may take a few minutes.
  3. Once Tor is ready, the browser will automatically appear. It should also load a page that tests whether you are connected to Tor or not.

    To further test out the Tor browser connection, you can try to access the following site in the Tor browser:http://tigas3l7uusztiqu.onion/
    This is simply a copy of my personal website, hosted at a ".onion" address. These addresses are only accessible via Tor, so this is a fairly bulletproof method for testing out your copy of Tor.

    If everything works as expected, then you’re browsing with Tor!

  4. When you are done using Tor, you can close down the browser normally — but make sure you also press "Exit" on the Vidalia window, too.

Details & Gotchas

Tor works by relaying your traffic through three other computers, each of which can only see the traffic that it recevies and the traffic that it relays back out. (Traffic is encrypted three times: the traffic you send out can only be decrypted by the first machine you send it to. The message it decrypts gives it instructions to send the rest of the data to the second computer. The second computer is the only one that can decrypt the traffic at that point. ...And so on. "Tor" stands for "The Onion Router", due to the layered way that this works.)

Tor only tunnels the raw traffic from your browser — it does not sanitize any of the information you actually send. So, if you are logging into websites under your real identity while using Tor, you are likely still leaking this to the website you are visiting — and you are likely leaking it to the final node in the Tor circuit.

Because Tor relies on volunteers providing computers to act as relays, the anonymity that Tor provides has limitations — if an adversary controls a large portion of Tor nodes, they can analyze and correlate Tor traffic.


Adium (Mac OS X)

Installation

  1. Download the Adium_1.5.7.dmg file.
  2. Once it’s fully downloaded, double-click the file to mount it. The window should automatically appear.
  3. Copy the Adium app from inside to your Applications folder.
  4. Eject the "Adium 1.5.7" mount on your desktop, then delete the Adium_1.5.7.dmg file you originally downloaded.

First-time usage

Adium supports using chat accounts of all types, including AOL Instant Messenger, Facebook Chat, and Google Talk. You can use these accounts with Adium and use OTR encryption just fine. But this still gives metadata to the service: AIM/Facebook/Google still knows who you are talking to and how often. (They just don’t have the content of your messages now.)

Instead of using an existing account, we’ll go about setting up a separate “secure” account at jabber.ccc.de. This is a chat service provided by the Chaos Computer Club — a German hacker/activism group known for open data and privacy advocacy — and is used by many in the security community.

  1. The first time you open Adium, a "Welcome to Adium!" window will open. Ignore it and close the window.
  2. In the top-left of your screen, open the "Adium" menu and go to "Preferences."
  3. In the "Accounts" tab, press the "+" (plus sign) button and choose "XMPP (Jabber)".
  4. Pick a username you want (stick to letters/numbers/underscores) and add "@jabber.ccc.de" to the end of it. Enter this in the "Jabber ID" field.
    • i.e.: mtigas@jabber.ccc.de, test12345@jabber.ccc.de, etc.
  5. Enter a password for this account. (Ideally you won't use the same password as on other sites.)
  6. Click "Register New Account."
  7. Enter jabber.ccc.de in the Server field. (Leave Port set to 5222.) Click "Request New Account."
  8. You'll get a message that your account was successfully registered. (If not, repeat steps 4-7 again, but with a different account name.)
  9. Before leaving this menu, go to the "Privacy" tab and change the Encryption option to "Force encryption and refuse plaintext".
  10. Press OK. Adium should connect your account automatically. You can now close the settings window.
    • If you get a "Verify Certificate" warning, click "Show Certificate", check the "Always trust "jabber.ccc.de" when connecting to "jabber.ccc.de", and then press "Continue".

Usage

Adium should automatically connect to jabber.ccc.de and log you in when you open it.

To add someone to your buddy list:

  1. Go to Contact (at the top of your screen) and hit "Add Contact".
  2. Change Contact Type to "XMPP".
  3. Type their username in the Jabber ID field.
    • You can test this out by trying to add me:  This email address is being protected from spambots. You need JavaScript enabled to view it.
  4. You can type their real name in under Alias since usernames aren’t always intuitive.
  5. Press "Add".

When someone adds you to their buddy list, you will see an Authorization Request pop up. Press "Authorize & Add" to accept them and to add them to your own buddy list.

When instant messaging somebody:

The first time you talk to somebody with OTR encryption, you will need to verify that the user you are chatting with is actually the person they say they are.

Adium should prompt you for an OTR Fingerprint Verification. Note the "purported fingerprint" for your buddy. Using some other communication method (phone, etc.), verify this key. Then hit "Accept". If you can't verifiy it right now, you can hit "Verify Later" and simply chat with the person, but this does not prevent someone from pretending to be the buddy you want to talk to.

For more security

You can set Adium to tunnel your jabber.ccc.de connection over Tor. This routes your connection over Tor so that the Chaos Computer Club servers cannot identify you by IP address.

  1. In the top-left of your screen, open the "Adium" menu and go to "Preferences."
  2. In the "Accounts" tab, click on your jabber.ccc.de account and then press "Edit".
  3. Under the "Proxy" tab, check the "Connect using proxy" box and use the following settings. Leave "Username" and "Password" blank.
    • Type: "SOCKS5"
    • Server: 127.0.0.1
    • Port: 9150
  4. Under the "Options" tab, set the Connect Server to okj7xc6j2szr2y75.onion.
  5. Press "OK".
  6. Launch Tor Browser Bundle (as above). Wait for the browser to finish connecting and for the Tor browser to show up.
  7. Uncheck the checkbox for your jabber.ccc.de account and then re-check it.

From now on, you will need to launch Tor Browser Bundle and wait for it to connect before launching Adium. Connecting tojabber.ccc.de will be very slow when you first open Adium, but your chat connections will be tunneled such that your IP address cannot be inferred by the chat server.


Pidgin (Windows)

Installation

TODO

First-time usage

Pidgin supports using chat accounts of all types, including AOL Instant Messenger, Facebook Chat, and Google Talk. You can use these accounts with Pidgin and use OTR encryption just fine. But this still gives metadata to the service: AIM/Facebook/Google still knows who you are talking to and how often. (They just don’t have the content of your messages now.)

Instead of using an existing account, we’ll go about setting up a separate “secure” account at jabber.ccc.de. This is a chat service provided by the Chaos Computer Club — a German hacker/activism group known for open data and privacy advocacy — and is used by many in the security community.

Usage

Pidgin should automatically connect to jabber.ccc.de and log you in when you open it.

To add someone to your buddy list:

TODO

When instant messaging somebody:

TODO

For more security

You can set Pidgin to tunnel your jabber.ccc.de connection over Tor.

TODO


Thunderbird + Enigmail

  • Website:
  • Download:

TODO / DRAFT. Below instructions are early draft-quality at this point.

Installation

1: Install GPG4Win (Windows) or GPGTools (Mac OS X)

  • GPG4Win: Download the full GPG4Win package and then install it as you would a normal program.
  • GPGTools: Download the GPGTools/GPGSuite package and open it. Double-click the "pkg" file inside it to install the toolkit.

2: Install Thunderbird

3: Set up your e-mail account

Open up Thunderbird and set up your Gmail account (or whichever e-mail account you want to use). Thunderbird should prompt you and walk you through it when it starts up (if you haven't already set up an account). If you have issues, see their documentation.

4: Install Enigmail into Thunderbird

  • In the top menu, go to Tools->Add Ons.
  • Click on the "Extensions" tab.
  • At the top of that window, there will be a "gear" icon to the left of the search box. Click it and choose "Install Add-on From File..."
  • Go to the "enigmail-1.5.2-tb+sm.xpi" file you downloaded and choose that to install it.
  • The add-on screen will say that Thunderbird should restart before it’s active, so let it do that.

Now that Thunderbird’s open again, if you’re still in the "Add-ons Manager" tab, close that to go back to your inbox.

5: Generate a GPG key

In the top menu, you'll now see "OpenPGP". Click that and go to "Key Management".

This Key Management screen should be empty unless you already generated a GPG key in another program. To generate a key:

  • While in "Key Management" screen, click on "Generate" in the top menu and then "New Key Pair".
  • Choose the e-mail address you set up and make sure "Use generated key for the selected identity" is checked.
  • Type in a password to protect this key. Leave "Comment" blank. (This is a note that shows up next to your name. If you make multiple keys or if you have an alias or nickname that everyone uses, you can put that info here.)
  • Under "Advanced" tab, change "Key size" to 4096.
  • Generate the key.
  • When it asks you if you want to make a Revocation Certificate, just skip that step for now.

In "Key Management", you'll see a listing for your name & email address. It should be in bold, which means that it’s a key containing the "private" portion of the key.

6: Upload the GPG key somewhere

(NOTE: Skip this step if your e-mail address is sensitive & should not be published in any public directories.)

The "public" part of the GPG key is the part that other people need so that they can send you encrypted mails. You can either upload this to your website or to a "key server" (which is basically an e-mail directory that shows if there are GPG keys available for a given e-mail address). These instructions are for uploading to a key server, since that's usually the easiest way to go.

In the "Key Management" window, right-click on the entry for your name/e-mail. Click "Upload keys to keyserver". Type "pgp.mit.edu" in as the keyserver and press OK to upload. (There shouldn't be any confirmation prompt. An "uploading" screen should appear and then it should just go away.)

You can test if it worked by going to http://pgp.mit.edu/ and searching for your name or e-mail address.

7: How to send an encrypted e-mail to someone.

If you're e-mailing someone who already has a PGP key -- basically, anybody who has done the above steps -- you can start sending them encrypted messages and they can start sending you encrypted messages.

In the "Key Management" window, click on "Keyserver" at the top menu and click "Search for Keys".

  • You can look for someone's e-mail address in here. Test it out on mine: mike AT tig DOT as (change words to punctuation to make it a real e-mail address)
  • Sometimes someone has multiple keys (since old ones sometimes expire or are lost). Mine is 6E0E9923.
  • This ID is very important to verify with people, since nothing stops a person from generating a fake "Mike Tigas <...>" key and uploading it to a server. (They won't be able to send e-mail from my Gmail account, but they can make it confusing & hard for people to find my correct key.) This is why my business cards & website & Twitter bio all mention my key ID.
  • Click the checkbox" next to my 6E0E9923 entry and press OK to download it from the keyserver.
  • Some output will appear. Click OK.
  • Now, there will be an entry for me in your Key Management window. It will not be bold, because you only have the "public" portion of the key.

Now that you have the public key for me, you can test sending an encrypted message.Close the Key Management window and write a message in Thunderbird.

  • Address it to me: mike AT tig DOT as (of course, turn this into a real e-mail address)
  • Write whatever message you'd like.
  • Click on "OpenPGP" in the message window and you'll get some options. You'll want to sign and encrypt the message. (PGP/MIME is useful if you are sending attachments, but it only works with people who have Enigmail, and not with people who use PGP in other ways. So I try to avoid it.)
  • In the bottom-right corner, you'll see a pencil and a key icon -- which represent signing & encrypting. You can use these instead of opening the OpenPGP menu, too. (Make sure to look at these before sending any message — I've heard that Enigmail sometimes turns off encryption randomly, so it's good habit to make sure to explicitly check this every time you need to send a message.)
  • Send the message. Thunderbird will ask you for the password you used when you set up the GPG key (back in step 5).

8: Receiving encrypted mail from others

The other person will have to basically do the things in step 7, but with your e-mail address instead.

When you receive a message, Thunderbird will ask you for the password you used for the GPG key, so that it can unlock it and decrypt that message.

9: Sharing the key with other people

Since you uploaded your key in step 6, you'll need to tell people where to find it and make sure you publish this information in several places so that there's some level of verification. A good way to do this is:

  • search for your name at pgp.mit.edu
  • find the entry for you and click the link where the ID is (not the "Name " part).
  • link to this page on your blog or e-mail people a link to this page.

This isn't the only way to do this.

If you skipped step 6, you'll want to directly share your key and sidestep the whole directory system. You can use the Key Management window and press "Export Keys to File" or "Send Public Keys by Email". Make sure you export the Public Key only. Sharing this file or sending this message will let the recipient add the key to their own computer. (From the Key Management window: File->Import Keys from File, or if received from an e-mail and copied it: Edit->Import Keys from Clipboard.)

When exporting your Public Key to a file, you can upload this file to your blog or somewhere and link to it from a place where folks would be able to find.

Now you basically have a system where people who know about PGP can e-mail you securely:

  1. They can find you in a keyserver and use that key to e-mail you
  2. They can find your key on your website (or if you have e-mailed them that link directly) and have seen that your key ID matches in several places.
Published in Media Watch

Your Crack Is In The Mail

Your Crack Is in the Mail

Why did it take the FBI so long to shut down Silk Road?

On the Silk Road website, every drug you can think of — and a dizzying number of others, too — have been on open sale for years, from crack, heroin, and LSD, to a new generation of “research chemicals” that exist just outside the reach of the law.

Activists, dealers and users have effectively used the site to declare an independent state online where all commerce, within certain boundaries, is permitted, and all under the auspices of the site’s owner, who was — until this week — known as The Dread Pirate Roberts. The FBI allege that his true identity is that of Ross Ulbricht, the 29-year-old who was arrested in a raid on a public library in San Francisco on October 2.

Ulbricht, originally from Austin, Texas, had been living in San Francisco under a fake name, say officials.

Until it was shut down by law enforcement, Silk Road had everything: Norwegians selling Cambodian mushrooms, Canadians selling Afghan heroin, and Brits selling concentrated cannabis tinctures from ancient Nepalese cannabis landraces. Most of the products there were illegal, but whether you wanted a quarter gram of heroin or a gram of glittering Peruvian escama de pescado cocaine, you were in the right place. Buying was as simple as Amazon or eBay: a simple matter of adding the goods to your shopping cart, and paying for them. The money was held in an escrow account hosted at the site, and although you had to supply a delivery address, this could be encrypted, and then deleted as soon as the goods turned up.

Silk Road’s turnover reached $22 million a year within its first year of operation, according to security researcher Nicolas Christin, and the site’s owners took a commission on each sale of around six per cent — or $143,000 per month. In its indictment, the FBI says that Ulbricht pulled in $80 million during his time at the helm.

The site was not just popular for buying and selling, either. Its forum was busy too, with over 100,000 posts, 9,000 topics, and 11,000 users in the bustling community pages. The conversations there would weave around the site’s holy trinity: drugs, smuggling and cryptography. All this had made it the most popular among a growing, hidden network of drug dealers whose activities were hosted online. So how come these services continued to exist, even though they are breaking the law in such a flagrant manner?


Life on the Dark Web

In order for its customers to be completely untraceable, and therefore invulnerable to legal prosecution, the Silk Road was hosted on a hidden service, buried away on the Dark Web, far from the reach of Google. Their home is Tor, an alternative web-like space that swarms with users who travel through virtual tunnels that exist beneath the everyday web. Users — both dealers and their customers — have complete anonymity, and until it was revealed that he had made a series of calamitous errors, so did its owner.

Tor was created in 2001 by two computer science graduates at the Massachusetts Institute of Technology. They took a piece of undeployed software that had been written by the American Navy in 1995 to enable simple, anonymous internet use, and released their own version of it online, with the Navy’s permission.

“The navy had this project called Onion Routing, and it’s still going today,” explains information activist Andrew Lewman, who is the mouthpiece of the Tor organization.

“Its goal is to defeat network traffic analysis, which is the ability to know who you are, who you’re talking to, and how much data you send and receive. If you think of envelope data from your postal system, that’s the basis of intelligence gathering: For whatever reason, the Navy wanted this technology — they started the project but they didn’t have any intention of releasing it publicly. So Paul Syverson, a mathematician who’s still the core researcher for onion routing for the Navy, met grad student Roger Dingledine at a conference.”

“Roger said, ‘Have you ever thought of putting this on the internet?’ At the time the Navy had no plans for deployment. But Paul said sure.”

The original aim of the MIT grad students, Roger Dingledine and Nick Mathewson, was to give users control over their data when they went online. This was during the first dotcom boom, and many companies were giving away services for free — or rather, in exchange for your data and your browsing habits, which they would then sell on to third parties. Information activists rejected that business model and wanted to offer an alternative: so Dingeldine and Mathewson created Tor.

The vast majority of Tor users are simply people who want privacy when they go online, as the information gathered on us by search engines and social media grows daily. When researching sensitive or medical matters, some users don’t want Facebook or Google searches sending unsettlingly accurate adverts back at them. There were 36 million downloads of the software last year, and around one million daily users. In repressive regimes such as Iran, Tor users can access sites that are blocked by the government. But others, as The Dread Pirate Roberts knew, would use it to flout the law.

Inside the system

Like any other successful online retailer, Silk Road had its own reputation system. The forums at the site offered crowdsourced proof of the site’s best vendors and its worst scammers. In June 2012, when I was researching my book Drugs 2.0, reviews for the best LSD vendor ran to 81 pages, and had racked up 50,000 views; reviews of heroin dealers, meanwhile, ran to 22 pages with 8,000 views. Cocaine vendors were highly scrutinized — reviewed in a 292-page behemoth of a thread with over 90,000 views — while MDMA ran in at 129 pages with over 60,000 views.

The vendors themselves were often involved, and some have been happy to talk to me about their involvement with the site. One told me, for example, how dealing drugs on the site came with its own set of moral problems.

“The prospect of a twelve-year-old loaded to the gills on my MDMA is not a pleasant one,” he explained. “Enabling self-destructive/addictive behaviour is also upsetting to me. Dealing IRL, you can recognize abuse and let customers know you’re concerned, but online, there’s no way to tell.”

He admitted, though, that vending on the site was financially much more lucrative than selling in real life.

“IRL, you’re limited by your social circles, but here it’s only a question of supply, capital and hours in the day.”

“Packaging straight-up sucks to do,” he continued. “It’s extremely monotonous and requires a good degree of concentration to avoid making any mistakes that might endanger the customer receiving. Sometimes during especially busy periods, I spend 70, 80, 90 hours a week packaging, all of it extremely dull. Apart from the risk of being locked up for the next decade, it’s definitely the worst part. Dealing in real life is much more pleasant.”

Greater paranoia about the authorities is another downside: “Public drug markets are a giant middle finger to many powerful interests and so the political motivation to shut them down and lock up the people participating is out of proportion to the actual volume of illicit trade taking place. Last summer I was the ‘number one’ (basically highest-volume) vendor on the site for a while, and the fear really crept up on me. I’d lie awake at night thinking about it, worrying I was going to have my door kicked down and be dragged away at any moment. I’m much more comfortable with it now, but if I had known from the start how much mental torment and stress were involved with vending, I probably wouldn’t have started.”

However, there are upsides, he says: “I find the day-to-day grind of vending online worse than dealing IRL, but the human interaction online is often a lot more uplifting in some ways. Most people I sell to IRL are club kids/raver types so they’re more predisposed towards hedonism (which I of course have nothing against!) than using for more spiritual/emotional reasons so the feedback is less touching, which is a definite negative for me. I get emails from Silk Road customers telling me how the drugs I sell have helped them with emotional or spiritual or sexual problems, people mending broken relationships, rekindling intimacy.”


The motivation for people to use the Silk Road was high, given the prevailing legal climate. Mail is a vast trade, and small envelopes and packages are seldom opened, much less X-rayed or sniffed by dogs. That means capture, prosecution, and imprisonment look unlikely.

But if you were worried, one vendor on the site even offered a fake package service for the super-cautious: he’d deliver you an empty box or envelope for a small charge, just to get the mailman used to delivering packages from overseas.

Packaging by many vendors on the site was said to be exceptionally ingenious, and the protocol on the forums and in feedback forms below purchases was that these should never be discussed publicly, even on the Dark Web. What’s more, there are vendors in many countries so there’s no need to worry about international postal or customs issues: users in the US or UK or the Netherlands — or indeed, in dozens of countries worldwide — can buy drugs from dealers in their own countries, removing the danger of border staff targeting your package.

In just under two years, the Silk Road administrators used technology and ingenuity, along with innovative crowdsourcing solutions to internal and external threats, to achieve what thousands of campaigners had toiled since the 1960s to achieve: the right for people to buy and sell natural and artificial chemicals that affect their consciousness in ways they choose without interference from the state. It is a paradigm shift that cannot easily be reversed.

And even though the FBI believes it has arrested the site’s owner, the Silk Road’s payment and communication systems remain essentially impenetrable. It’s here that the early net evangelists’ vision of a world where information flows freely, where no central hierarchy rules, and where the network takes precedence over the individual has finally been realized. Whether you celebrate or lament the fact that drugs such as cocaine, heroin, LSD are now available online with just a little effort and very little likelihood of legal consequences, it is undeniable that we are at a turning point in legal history.

Through a decades-long process of chemical and technical innovation, human ingenuity has beaten the laws made by a political system that has responded to increased drug use by insisting on a harmful, expensive and counterproductive and ultimately failed strategy of criminalization.

Over the course of the century or so that drug laws have existed in any meaningful form, a clear pattern has emerged. As each law to prevent drug consumption is made, a means to circumvent it is sought, and found. Those means can be chemical, legal, social or technological. We stand today at a crossroads formed by those four elements, with the web making possible communication between distant strangers, facilitating the sharing of limitless quantities of information, and enabling the distribution of drugs anywhere in the world. Where do we go next?

Published in The Surveillance State

Media Watch (you're being lied to)

CNN caught inserting fake gunshots into …

CNN caught inserting fake gunshots into broadcast

The Anatomy of a Media Hoax.In this video Voxnews analyzes what appears as fraudulently inserted gun... Read more

Stephen Hawking Says "There Is No G…

Stephen Hawking Says "There Is No God" - Media Ignores Statement

The worlds leading physicist Stephen Hawking categorically announced that there is no god. All major... Read more

Open Letter to Glen Greenwald - Voxnews …

Dear Mr Greenwald,The stated rationale for not releasing the bulk of the Snowden documents is that i... Read more

BP 'trolling' its Facebook critics

Critics using BP America's Facebook page allege they have been harassed [Erika Blumenfel... Read more

Encryption and Operational Security for …

Encryption and Operational Security for Journalists Very important caveat: These tools MAY NOT be 1... Read more

THE POLLS ARE FAKE (have been for a long…

by Andrew StephensHomogeneous News Polls are used to determine the public’s opinion on many topics,... Read more

Richard Dawkins Destroys Bill O'Reilly

Watch Author and Oxford Professor Richard Dawkins, destroy the dissembling imbicile Bill O'Reilly on... Read more

Wall Street Burns - Voxnews Reports from…

Wall Street Burns - Voxnews Reports from Burningman 2012

At the giant annual Burningman Festival, tens of thousands cheered as a six story edifice of Wall St... Read more

copyright 2012 vox information sciences

Login or Register

LOG IN

Register

User Registration
or Cancel