Why would it not be able to go through the chain of command? The military and intelligence services for example engage in all kinds of covert and clandestine operations whilst still being government employees.
There are also techniques which may allow tor users to be deanonymized to vary degrees. Browser/OS fingerprinting , flash cookies etc. These will be easier if you control one of the end points.
I've never used silk road, but presumably if you want people to ship stuff to you , then you have to enter an address at some point?
Many Tor users use the Tor Browser Bundle, which blocks flash by default, includes noscript (I forget if it by default activates noscript...), and doesn't retain any information between sessions other than what is manually stored like bookmarks or saved passwords. On SR, buyers communicate their address via PGP. Sellers only communicate an address (which may be fake) on the package they send a buyer. SR is thus blinded to physical addresses.
I guess law enforcement would simply gather as much data as they can. Only need a few guys screwing up their browser settings one day, or maybe you get more sophisticated and start looking at response times, timing jitter etc.
If you control the mechanism for key exchange would this not make MITM possible? Display different keys to different people for the same person.
I'd be interested to see if any more sophisticated techniques have ever been successfully used to uncover a Tor user.
From the webpage I linked, "Security-wise, Silk Road seems to be receiving passing grades from law enforcement agencies internally; a leaked FBI report mentioned no attacks against SR, anonymous anecdotes claim the DEA is stymied4, while a May 2012 Australian document reportedly praised the security of vendor packaging and general site security."
Right now a buyer's address is vulnerable if they don't use PGP when giving it to a seller, or if SR is indeed trying to do a MitM attack by replacing a seller's published public key with their own. But the latter case is easy for a seller to check against simply by creating a second buyer account and verifying the buyer sees the correct key. The buyer and seller can also arrange to exchange keys off of SR. A better plan (also mentioned on Gwern's page) would be to have law enforcement create their own buyer and seller accounts and act like normal users until it was time to start a crackdown -- the problem seems to be that law enforcement, or at least the FBI, either doesn't have permission to engage in mass entrapment and fraud, or it's just not interested in buyers.
Just like in the real world, it wouldn't be hard to pretend to be a seller to catch a few buyers - not hard, but also not worth doing - whereas by pretending to be a buyer you aren't going to find out the address of a seller.
>There are also techniques which may allow tor users to be deanonymized to vary degrees. Browser/OS fingerprinting , flash cookies etc. These will be easier if you control one of the end points.
In addition to TBB foiling all of those tactics, the only one that can done without being traced is fingerprinting. So if any of the others were being used, someone would probably have noticed.
There are also techniques which may allow tor users to be deanonymized to vary degrees. Browser/OS fingerprinting , flash cookies etc. These will be easier if you control one of the end points.
I've never used silk road, but presumably if you want people to ship stuff to you , then you have to enter an address at some point?