The full vendor count at Silk Road has received considerable attention in recent days from within the Road community and from without.
Over the past few days, the data has put the spotlight on the Road itself. StExo, the man in charge of the crawl, has found numerous “disturbing” instances in which vendors and buyers are putting their security at risk.
The thread was posted yesterday and has been stickied in the Security forum.
StExo described vendors using and sharing their “regular” email addresses (e.g. GMail, Hotmail, Yahoo) that feature or are easily connected to identifying personal details, buyers sharing tracking numbers of packages, weak PGP keys, meta-data on pictures of products, detailed information on personal or vacation locations and, in one particularly egregious example, a direct link to a user’s Facebook account.
“Remember I am not the only person crawling SilkRoad,” he wrote, “and with another 5 things I could add to the above list, this is not a threat avoided at all, some users here are still in serious danger of being identified as the worst of them all is not published in the above, but so you know, it took ~6 seconds for me to find who this person was and his full house address and telephone number.”
The information was published after StExo “learned some very sobering bits of information.” He continued:
SilkRoad has enemies who are the enemies of freedom and privacy and if we are to overcome the threats to our freedom we have to be responsible and take precautions to avoid landing ourselves in prison.
The reaction to StExo’s archival and analyses work has been positive within the community. As one might expect, the reaction to the lack of caution from vendors and customers has been less warm.
“It really blows my mind how some people choose to vend on here without knowing, well, shit,” wrote user HEATfan. “Some of the stuff you posted in the OP was just so ridiculous I have a hard time believe it is true. I cannot believe some people can be so stupid. Honestly, I think the retarded vendors who are doing these stupid things need to be warned first and then if nothing has been done after 48 hours, publicly shamed. Not only do they put themselves at risk but also every single person who buys from them. Its unacceptable, honestly.”
In 2011, Silk Road was “a very unknown part of the web and Tor,” wrote an anonymous SR user, “so only the most tech-savvy of us would be able to find it since step by step how-to guides now popping up everywhere were non-existent. This meant the community were already familiar with many technical aspects of our personal security such as using logless VPN’s to protect ourselves from ISP snooping and using end-to-end encryption to transmit sensitive data.”
However, as we lower the bar on the required competence to join the SilkRoad community, users are effectively becoming less aware of what steps are needed to protect themselves.
“It is important [that] DPR & Co. keep a tight lid on the security of the marketplace,” wrote an anonymous user, but “the most important step in protecting oneself must come from the individual and in almost every case we’ve seen so far, it is the failure of the individual which has lead to trouble.”
Arrests and convictions of Silk Roaders is nothing new: This past February, Australian Paul Leslie Howard was busted after a string of profoundly careless missteps. Arrests have been linked directly to the Road since at least 2012 and have continued into this year.
The consensus is that the problems have always been with the vendors (e.g. poor packaging) or customers (e.g. attempting to resell the drugs) but that Silk Road itself has yet to be compromised by law enforcement.
As Silk Road grows, how will the community approach the problem?
“It is all well and good when somebody who has worked in IT comes here, spots the use of 2048 bit RSA keys and feels right at home,” wrote an anonymous user, “but for the average Joe, learning the ropes can be quite intimidating and too many of them have been skipping over very important points of security so introducing more user-friendly ways of getting this knowledge across to them clearly and concisely should be a talking point right now.”
User slip ups are not the only problems facing the Road. As always, Dread Pirate Roberts and the team behind him have a number of issues on their plate including increasing law enforcement scrutiny, encryption key strength and Tor’s ability to handle large volumes of traffic.
“SILKROAD – GET YOUR ACT TOGETHER,” concluded StExo. “This isn’t a game, this is a struggle and we will not prevail when many of you are almost offering yourselves up as bait! I hope this warning is heeded before more people are caught in expressing their freedom.”