How governments push forward the security of cryptomarkets

Let me introduce myself

  • Cryptoanarchist & voluntaryist focused on technology and society hacking
  • Organizer of the international cryptoanarchist conference Hacker's Congress Parallel Polis (www.hpp.cz)
  • Founder of IT security hacking companies (Nethemba, Hacktrophy)
  • Co-founder of Bratislava's and Prague's hackerspaces
  • Member of Czech contemporary anti-government artistic group Ztohoven

Security of cryptomarkets

  • It is a very sensitive topic - you cannot provide legal IT security consultations to crypto-markets 
  • Bad security of cryptomarkets may lead to imprisonment or death of hundreds / thousand people, massive theft
  • I did not find any serious IT security paper related to cryptomarkets (or they are paid)
  • Some dark markets have better user security than gmail or popular social networks

Silk Road v1.0

  • The first popular cryptomarkets ($1.2 billion in revenue and $79.8 millions in commission)
  • Not very secure:
    • A single server with no decentralization
    • Potentially vulnerable PHP application
    • No 2FA
    • No multisig
    • No true anonymous cryptocurrency support
  • Despite this fact it took more than 2 years for FBI to track down and identity this server and its administrators who definitely underestimated protection of their digital privacy

Sometimes operational security can save you a life

  • You do not need to have PCI DSS to enforce you to implement 2FA :-)
  • 2FA is implemented in all modern crypto markets, for AlphaBay market it's mandatory
  • 2FA is usually implemented as PGP private key owner verification - you need to decrypt some information encrypted by your public key
  • Synchronous OTP (like Google Authenticator) is (still?) not used (probably cryptomarkets do not believe in smartphone security, dependancy on 3rd parties)
  • Using 2FA it is possible to set up "One-Time Passwords"

Two Factor Authentication

  • Mnemonic phrase - generated when the first login
    • you have to remember 8 English words to be able to retrieve your forgotten password
  • Sending "Password reset email" is considered not to be a "good" security practice

Forgotten password

Anti-DDoS protection

  • DDoS attacks are critical for Tor hidden services (very specific flooding attacks to RPs) 
  • If the attacker has access to multiple Tor nodes, using DDoSing he can perform statistical measures and compromise Tor Security
  • Many cryptomarkets implement a special anti-DDOS protection (using CAPTCHA, of course, it can be cracked)
  • Double Tor security (encapsulation of Tor in Tor) - public Tor and private Tor gateways (available to trusted cryptomarket users only - anonymity risk)
  • AlphaBay dark web market is introducing a system that should allow practically any type of deal to be linked to a user’s reputation through the use of "digital contracts" verified by AlphaBay.
  • Each contract costs $5 to initiate, paid to the market administrators, and it’s entirely up to the users what to put in the contract.
  • Buyers and vendors can already make custom agreements. 
  • "Hitmen will never be allowed, as we don’t want this kind of attention. We don’t allow services that are here only to hurt people, like hitmen," alpha02 said.

Contracts

Multisig

  • Multisignature addresses are addresses controlled by more than one person. They are created with a set of requirements, that dictate how the funds in the address can be moved.
  • 2-of-3 signature addresses are jointly controlled by 3 people, say the site operator, the buyer, and the seller, but funds can only be moved if two people authorize and sign a transaction.

 

  1. Both the buyer and the seller must have set their public Multisig key in their profile.

  2. The buyer deposits (e.g. 4%) of the item value in his AlphaBay wallet to cover market fees.

  3. The buyer purchases the item, then a multisig Bitcoin address is generated using the buyer’s key, seller’s key, and a market-generated public key (2/3). 

  4. The buyer sends money to this address, and the seller ships the goods. If the buyer is happy, he finalizes, and the seller received the market private key.

  5. In case of dispute or refund, the buyer receives the private key.

  6. Whoever got the private key will use it, along with his own private key, to claim the coins

  7. With a 2/2 multisig, the vendor cannot get the funds without having the information we have and that is passed to the buyer.

     

Multisig (AlphaBay)

  • BitBlender is a simple Bitcoin blender that uses a randomized fee and offers automatic withdrawing to your clean addresses. They have shown reliability over time and are in for the long run.
    URL: bitblendervrfkzr.onion

    Grams Helix is a tumbler and Darknet content indexer. They are the Google of the Darknet and have a tumbling service. The admins have shown extreme care for their users and their support is prompt to help.
    URL: grams7enufi7jmdl.onion

  • Mixing service through BitMessage (Outlaw cryptomarket)

  • Often integrated for 1% fee

  • Bitcoin-> Monero -> Bitcoin (with the nice service xmr.to)

Tumble your bitcoins

  • Alphabay and Oasis market support Monero (XMR)
  • PRIVATE - Monero uses a cryptographically sound system that allows you to send and receive funds without your transactions being publicly visible on the blockchain (the distributed ledger of transactions). This ensures that your purchases, receipts, and other transfers remain private by default

  • LOW TRACEBILITY - By taking advantage of ring signatures, a special property of certain types of cryptography, Monero enables untraceable transactions. This means it's ambiguous which funds have been spent, and thus extremely unlikely that a transaction could be linked to particular user.

True Anonymous currencies - Monero

Monero Charts

  • Because all crypto markets have access to your public PGP key, your storage (cryptomarket mailbox) can be fully encrypted - "Automatic Message Encryption"
  • It is even possible to have integrated PGP webmail client, but you need to provide your PGP private key to the browser, e.g. HTML5 storage  (which is definitely not a good idea)

Inline PGP encryption, PGP webmail client

  • Anonymous VPN (paid by BTC) + Tor is highly recommended
  • Good crypto markets DO NOT USE JAVASCRIPT and recommend you to disable javascript (historically there were 0-day exploits against Firefox javascript functionality that was used by the governments to attack cryptomarket users)
  • Use Tails privacy and anonymity OS
  • Sometimes it is possible to use Bitmessage (Outlaw market) for secure communication including mixing service
  • Finding "secure" wireless network is quite easy (see Router Keygen YoloSec Android app)
  • Use random MAC addresses

Client-side security

  • All servers (and all clients) should always use full disk encryption (ideally with hidden volumes)
  • Usually servers are virtualized in multiple server housing centers paid by bitcoins in a completely anonymous way
  • There is no association between the servers and cryptomarkets admins - they always use Tor to access their virtual anonymous servers
  • Some cryptomarkets (AlphaBay) use double-tor-security system for extra stealth (exposes the connections to evil exit nodes)
  • Public onion (slower, provides more anonymity) vs private onion gateways (faster, just for specific users, immune against DDoS attacks)
  • Any Bitcoins/Moneros are stored on the completely different server, ideally use cold wallets

Server-side security

  • Still under development wit no/small community
    • Axis Mundi
    • Bit Markets
    • Shadow project (Umbra projects)
    • OpenBazaar v2 with IPFS over Tor (it is supported now!)

 

Decentralized cryptomarkets

  • Theoretically I2P protocol is more secure than Tor
  • But practically there are too few nodes to matter
  • There are also some I2P implementations issues
  • And probably I2P is less interesting for governments
  • Making DDoS is more complicated for I2P
  • I2P addresses are longer than Tor ones and I2P client sucks

Tor vs. I2P

  • Use of multisig, 2FA and PGP, sometimes 2FA is always enforced
  • Some cryptomarkets disallow FE (Finalize Early) unless you get explicit permission later
  • Prefer Monero over Bitcoin (there are also alternatives ZCash, ZCoin, Dash, Shadow coins, ..)

Cryptomarkets best practices

  • OUTLAW offers currency-accounts. These accounts are hedged: they do not change their value when the Bitcoin becomes cheaper or more expensive. You can fund your currency-accounts through the account-page. Please be aware that there is a 5% fee for hedged accounts.

Currency accounts

  • Advertised as "full anonymity - no delivery-address: The buyer does not need to transmit any 'delivery address' and can stay fully anonymous to the vendor"
  • The dropman is the anonymous delivery boy. The dropman places the item into a deaddrop he searches for and finds himself, creates a short video-clip showing exactly where the item is placed, in detail, and panorama-view. He adds the geo-co-ordinates and uploads the data to our upload-server.
  • The buyer of the placed item does not need to enter any personal data, but immediately after payment receives the data uploaded by the dropman. He uses the geo-co-ordinates to find the place and then watches the video-clip to exactly find the item.
  • Question of time: DeadDrops delivery by drones!

DeadDrops (DD)

Deep Dot Web cryptomarket comparison

  • Security of cryptomarkets has been significantly improved over last few years
  • AlphaBay, Dream Market, Outlaw Market, Valhalla, .. and many others are being online for many years without shutdown by government agencies
  • The war on drugs cannot be won
  • Technologically, cryptomarkets are one step ahead to the governments
  • Any government's intervention makes cryptomarkets more resilient
  • Despite this fact DEA, FBI and many other government agencies spend millions of tax payer's money for meaningless War on drugs

 

Summary

Welcome in Parallel Polis & Institute of Cryptoanarchy!

Cryptoanarchists are real!

Parallel Polis in Prague / Central Europe

  • Freedom think tank in the heart of Europe
  • 3-floors building with more than 1000m2
  • The first world's Bitcoin only coffee (no fiat!)
  • Institute of Cryptoanarchy responsible for all cryptoanarchist events

Parallel Polis Congress 2017 during 6-8th of October

 

  • main topic "Liberate!"
  • subtopic "Towards your financial freedom!"
  • focused on true-anonymous cryptocurrencies (Monero, ZCash, Zcoin, Dash, Shadow coins...) a decentralized markets & exchanges

HCPP17 manifesto

Real digital privacy starts with protecting your financial transactions. Leaving no traces. Making impossible to see or intervene your voluntary economic interactions. With the rise of anonymous cryptocurrencies, for the first time in our human history, we can do a global business and stay anonymous.
Anonymous prediction markets, anonymous anti-government insurance, anonymous crowdfunded whistleblowing, decentralized cryptomarkets - all these crypto technologies will undermine the current authoritative systems.
And make the significant change. Silently. With no violence or politicians.

 

It's time. Liberate yourself.

Thanks a lot for your attention!

How governments push forward the security of cryptomarkets

By Pavol Luptak

How governments push forward the security of cryptomarkets

The first popular cryptomarket (Silk Road) was of course unique, but relatively simple - a single server with no decentralization, no multi-sig or anonymous cryptocurrency support. The goal of the presentation is to show that government financial dictatorship leads to significant improvement of cryptomarket security. Police and government agency raids were the main reason all cryptomarkets had to improve their overall security to survive and keep their business running. A new generation of cryptomarket uses multi-sig to prevent governments from seizing it's users deposits by utilizing integrated webmail PGP clients, I2P anonymization networks in addition to ""the government well-known"" Tor. They are fully decentralized (e.g. Axis Mundi, Bitmarkets, Shadow Markets), and therefore practically impossible to shut down by government agencies.The new anonymous, untraceable cryptocurrencies (e,g, monero, zcash) are ready for cryptomarket adoption with no possibility of revealing transaction history. The weakest point - cryptocurrency exchanges that governments can regulate and shut down can be reinforced by the use of decentralized crypto exchanges (e.g. bitsquare).

  • 3,454