Dropgangs, or the future of darknet markets

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

The Internet is full of commercial activity and it should come at no surprise that even illegal commercial activity is widespread as well. In this article we would like to describe the current developments – from where we came, where we are now, and where it might be going – when it comes to technologies used for digital black market activity.

The other major change is the use of “dead drops” instead of the postal system which has proven vulnerable to tracking and interception. Now, goods are hidden in publicly accessible places like parks and the location is given to the customer on purchase. The customer then goes to the location and picks up the goods. This means that delivery becomes asynchronous for the merchant, he can hide a lot of product in different locations for future, not yet known, purchases. For the client the time to delivery is significantly shorter than waiting for a letter or parcel shipped by traditional means – he has the product in his hands in a matter of hours instead of days. Furthermore this method does not require for the customer to give any personally identifiable information to the merchant, which in turn doesn’t have to safeguard it anymore. Less data means less risk for everyone.

The use of dead drops also significantly reduces the risk of the merchant to be discovered by tracking within the postal system. He does not have to visit any easily to surveil post office or letter box, instead the whole public space becomes his hiding territory.

From when I first learned about the existence of The Silk Road and its successors – places on the dark web where it’s possible to pseudo-anonymously make illicit purchases of e.g. drugs, weapons, fake ID and the like in exchange for cryptocurrencies like Bitcoin – it always seemed to me that the weak point was that the “buyer” had to provide their postal address to the “seller”. While there have, as this article describes, been a number of arrested made following postal inspections (especially as packages cross administrative boundaries), the bigger risk I’d assume that this poses to the buyer is that they must trust the seller (who is, naturally, a bigger and more-interesting target) to appropriately secure and securely-destroy that address information. In the event of a raid on a seller – or, indeed, law enforcement posing as a seller in a sting operation – the buyer is at significant risk.

That risk may not be huge for Johnny Pothead who wants to buy an ounce of weed, but it rapidly scales up for “middleman” distributors who buy drugs in bulk, repackage, and resell either on darknet markets or via conventional channels: these are obvious targets for law enforcement because their arrest disrupts the distribution chain and convictions are usually relatively easy (“intent to supply” can be demonstrated in many jurisdictions by the volume of the product in which they’re found to be in possession). A solution to this problem, for drug markets at least, with the fringe benefit of potentially faster-deliveries is pre-established dead drops (the downside, of course, is a more-limited geographical coverage and the risk of discovery by a non-purchaser, but the latter of these can at least be mitigated), and it’s unsurprising to hear that this is the direction in which the ecosystem is moving. And once you, Jenny Drugdealer, are putting that kind of infrastructure in place anyway, you might as well extend it to your regular clients too. So yeah: not surprising to see things moving in this direction.

I recall that some years ago, a friend whom I’m introduced to geocaching accidentally ran across a dead drop (or a stash) while hunting for a ‘cache that was hidden in the same general area. The stash was of clearly-stolen credit cards, and of course she turned it in to the police, but I think it’s interesting that these imaginative digital-era drug dealers, in trying to improve upon a technique popularised by Cold War era spies by adding the capacity for long-time concealment of dead drops, are effectively re-inventing what the geocaching community has been doing for ages.

What will they think of next? I’m betting drones.

Asymmetric Cryptography: Works Like Magic

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Asymmetric Cryptography: Works Like Magic (cyberhoboing with dominic tarr)
It’s a common complaint that cryptography is too hard for regular people to understand - and that all our current cryptographically secure applications are designed for cyborgs and not humans. While...

It’s a common complaint that cryptography is too hard for regular people to understand – and that all our current cryptographically secure applications are designed for cyborgs and not humans. While the latter charge may well be correct, I argue that the former most certainly isn’t, because we have been teaching children the basic security principles behind asymmetric cryptography for probably thousands of years.

What am I talking about? A fairly tail called Rumplestiltskin, which is actually about bitcoin!

You probably heard this fairly tale as a child – but let me refresh your memory.

There is a miller, who drunkenly brags that is daughter can spin straw into gold.

probably, he was posting about his half baked cryptocurrency ideas on bitcointalk, and creating money “gold” from pointless work “spinning straw” sounds A LOT like bitcoin mining.

Anyway, the king is very impressed with his story.

the king is a venture capitalist?

And wants to see a demonstration, oh and if it doesn’t work he will cut off both their heads.

I have not heard about venture capitalists being quite this evil, but it seems some of them are into this medieval stuff

Of course, the miller and his daughter don’t actually have the ability to create gold by magic, so they are in big trouble! but just then a magic imp appears.

a hacker, who understands cryptography

The imp says he can spin straw into gold, but for a price: the daughter’s first born child.

in the modern version he wants her naked selfies

It’s a terrible deal, but the alternative is death, so they reluctantly accept. The imp spins straw into gold in 3 increasingly dramatic episodes.

The kind is satisified, and marries the daughter, making her queen.

their startup is aquired

One year later, the first child is born. The imp returns demanding his prize. Because they love their baby, the King and Queen pleads with the imp to get out of the deal. They offer him all their riches, but the imp is not interested! Desperately, they ask is there any other way? any at all? The imp replies, “Of course not! not unless you can guess my True Name”

the true name is actually his private key. If they can guess that, the hacker looses his magical power over them

“Okay I will try and guess your name” says the Queen. The imp just laughs! “you’ll never guess it!” “but I’ll give you three days to try!”

The imp skips off into the forrest, and the queen trys to think of his name for 3 days… but can’t figure it out.

The queen trys to brute force his private key. but there is not enough compute in the entire kingdom!

But then, the a messenger is travelling through the forrest, and he happens past a strange little man, dancing around a camp fire, singing:

ha ha ha!
te he he!
they’ll never guess my private key!
just three days! not enough to begin,
to guess my name is rumplestiltskin!

Being a messenger, he had a good memory for things he heard. When he arrived back at the castle, he mentioned the curious story to the queen.

the hacker had been careless with his private key

When the imp arrived in the morning, the queen greeted him by name. He was furious! He stamped his foot so hard the ground split open and then he fell into the gaping hole, never to be seen again. The king, queen, baby lived happily ever after, etc, etc.

they stole all his bitcoin


The simularities between this fairly tale and cryptography is uncanny. It has proof of work, it has private keys, it has an attempted brute force attack, and a successful (if accidental) end point attack. The essential point about your private key is captured successfully: the source of your magic is just a hard to guess secret, and that it’s easy to have a hard to guess name, but what gets you in the end is some work around when they steal your key some other way. This is the most important thing.

It’s not a talisman that can be physically protected, or an inate power you are born with – it’s just a name, but it must be an ungessable name, so the weirder the better.

“rumplestiltskin” is the german name for this story, which became wildly known in english after the brothers grim published their collection of folktales in the early 19th century, but according to wikipedia there are versions of this story throughout the europe, and the concept that knowing the true name of a magical creature give one power over it is common in mythology around the world.

How did the ancients come up with a children’s story that quite accurately (and amusingly) explains some of the important things about asymettric cryptography, and yet we moderns did not figure out the math that makes this possible this until the 1970’s?

Since the villian of the story is magical, really they have chosen any mechanism for the imps magic, why his name? Is this just a coincidence, or was there inspiration?

The astute reader has probably already guessed, but I think the simplest (and most fun) explaination is the best: extraterrestials with advanced cryptosystems visited earth during prehistory, and early humans didn’t really understand how their “magic” worked, but got the basic idea

To be continued in PART 2…

“I Forgot My PIN”: An Epic Tale of Losing $30,000 in Bitcoin

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

In January 2016, I spent $3,000 to buy 7.4 bitcoins. At the time, it seemed an entirely worthwhile thing to do. I had recently started working as a research director at the Institute for the Future’s Blockchain Futures Lab, and I wanted firsthand experience with bitcoin, a cryptocurrency that uses a blockchain to record transactions on its network. I had no way of knowing that this transaction would lead to a white-knuckle scramble to avoid losing a small fortune…

A hacker stole $31M of Ether – how it happened and what it means for Ethereum

This article is a repost promoting content originally published elsewhere. See more things Dan's reposted.

Yesterday, a hacker pulled off the second biggest heist in the history of digital currencies.

Around 12:00 PST, an unknown attacker exploited a critical flaw in the Parity multi-signature wallet on the Ethereum network, draining three massive wallets of over $31,000,000 worth of Ether in a matter of minutes. Given a couple more hours, the hacker could’ve made off with over $180,000,000 from vulnerable wallets.

But someone stopped them…

Hacker figure among code