[emidln]

Requesting an image of a paranoid person's server isn't necessarily that great. When I worked for a run-of-the-mill cybersecurity firm, our simulator products were protected with full disk encryption using run-of-the-mill open-source software + light patches and keys bound to specific hardware, software, and configuration states via the TPM. This is for fully automated boot up. If you can accept the risk of needing to be physically close to a machine, you can generate random bytes and store those into your TPM and require both the hardware/software/configuration to be correct as well as knowing your key. This would incidentally also prevent you from being able to give law enforcement the key to an image of your computer (this is actually impossible, you don't know the key).

If you're doing this under a warrant, you could just request that the server's operator unlock the machine. Whether you comply is a legal situation that varies from jurisdiction to jurisdiction (in the US, it seems that you might be held indefinitely in jail if you refuse to divulge your key). The thing is, you should be able to make an extremely strong case (possibly with the EFF's help) that any warrant is false. Anonymous traffic itself should not be enough to compel you to divulge your secrets without other evidence pointing to your machines (standard IANAL, but this seems consistent from everything I've read).

[devconsole]

It's an interesting idea. I think physically shipping a server to a datacenter is precarious. Remember, it is known that your server is hosting a darknet website. You can't really hide this fact. Timing correlations make it possible to figure out which server is doing what. The reason that Tor users are generally safe from this is because they're not constantly connected, and an adversary generally can't cause a client to issue a web request on demand. But a webservice is constantly connected, and any adversary can cause it to issue responses since it's a webservice. Whether it's a timing correlation from a global passive adversary, or it's simply noticing that "silk road is extremely popular and this webserver in this datacenter seems to be hosting a huge amount of Tor traffic," you have to assume that it's known that the location of your server is compromised.

And if you assume that, then it suddenly becomes very, very bad if you've personally shipped a computer to the datacenter, colocation-style. First, clever hardware won't protect you if it's a running box. But beyond that, you can be traced simply by the components that you've assembled. You have to order those components from somewhere. You have to assume the worst: that authorities will take your box using a power adapter that lets them physically remove the computer from the datacenter without turning it off (such things exist), dump an image of your server while it's running (so that encryption keys won't help you), and then dismantle your server and trace the origin of the components. Congratulations: you're caught.

I think the model of "rent a bunch of servers using opsec" is also precarious, but less precarious than relying on hardware protections to save you.

[tormeh]

How about hosting your website on a botnet? Using infected machines to handle requests and sending the compressed order info over TOR to suppliers?

[devconsole]

Not a bad idea, assuming you don't care about taking other people's property and using it in ways they don't expect for personal gain. But it's difficult. Once you no longer control the underlying hardware guarantees, availability chief among them, it's hard to design a reliable webservice. There has been some research in this area, though I'm not intimately familiar with it. Find it and read up on it. In general, the problem is how to organize some kind of store of data across multiple unreliable machines. That sounds like a solved problem (bigtable et al) until you realize it also needs to be secure, and you're running on an unsecure network of infected computers. At some point, some computer needs to access the secure info. If you're letting infected computers do that, then that means its operator can also do that. Though, in fairness, maybe you don't need to care about that threat. A bigger threat is that the operator would also have write access: they could corrupt your data or forge transactions in your system.

[BuildTheRobots]

> You have to assume the worst: that authorities will take your box using a power adapter that lets them physically remove the computer from the datacenter without turning it off (such things exist), dump an image of your server while it's running (so that encryption keys won't help you)...

I believe they can keep my server powered on whilst they remove it from the DC (dual PSUs in enterprise servers would make this _extremely_ easy) but how exactly are they supposed to be "dumping an image of the server whilst it's running"?

[opendais]

I'm not sure this part is true.

You can buy servers and server parts anonymously via places like Craigslist with cash. At which point, you just need a fake ID to trick the Colo and pre-pay them for 12 months in cash w/o being recorded. Its possible given I've run into colos that were run by college kids with just a single cage. I'm pretty sure they wouldn't turn the offer down and just say you were "too busy" to set it up yourself due to work.

[devconsole]

Then the authorities trace the server component to the person who sold it on Craigslist. And if your opsec isn't perfect, you're busted right there: Did you forget to set up a new email account for all of your craigslist transactions? Did you forget to set them up and connect to them only through Tor?

Did the person you met with write down your license plate number? Seem unlikely? Think again. Cameras write down your license plate number as you drive. Constantly. So the authorities will simply look up where the person drove to meet you (parking lot, etc) and any cars that drove to the area at the time. You'll probably be on a highway at some point, which is a highway of data collection. There weren't that many people who drove a long distance to go to the meetup area. Now the authorities know which of 1,000 people you are. The more times you do this, the fewer the number of suspects there are, until they're down to a number that they can just investigate one by one. Then you're caught.

Or did you take your cell phone with you, and did the person who sold you components take their cell phone? Yes, you're caught. The operation in the previous paragraph, which assumes that you're just driving to meet someone and both parties are leaving their cell phones at home, is already busted. So if you've taken your cell phone on top of it, then it's even easier. Anything involving correlating cell phone movements is trivial for authorities. And if you don't take your cell phone, how are you going to let them know you've arrived? What if they're late? Or you're late? Now you have two problems: Set up a burner phone in an anonymous way (hello, in-store security cameras) and then never, ever use this cell phone in the same place as your main cell phone. Not a good position to be in.

I've ignored the whole "fake ID" aspect, because if you're in a position where someone is putting their face onto a forged legal document, that person is going to be persuaded by authorities to betray you. And if that person is you, then obviously you're caught at this point. Your face is probably on Facebook, and facial recognition software is getting pretty good nowadays.

In general, physical ops are the most dangerous of all ops, and should be avoided until every other avenue has been explored. Better to anonymize your cash (which is also a physical op) and then use that cash to rent a single remote server.

[virtue3]

you are probably going to be one of the few people to meet up and do a cash drop for the server. Which is automatically going to make you standout to the hosting guys. Thus, MUCH more identifiable.

[opendais]

'course. But how else are you going to pay? Stolen credit card?

[opendais]

> Then the authorities trace the server component to the person who sold it on Craigslist. And if your opsec isn't perfect, you're busted right there: Did you forget to set up a new email account for all of your craigslist transactions? Did you forget to set them up and connect to them only through Tor?

If your opsec isn't perfect you are busted anyway. You already said that in the OP. ;)

> Did the person you met with write down your license plate number? Seem unlikely? Think again. Cameras write down your license plate number as you drive. Constantly. So the authorities will simply look up where the person drove to meet you (parking lot, etc) and any cars that drove to the area at the time. You'll probably be on a highway at some point, which is a highway of data collection. There weren't that many people who drove a long distance to go to the meetup area. Now the authorities know which of 1,000 people you are. The more times you do this, the fewer the number of suspects there are, until they're down to a number that they can just investigate one by one. Then you're caught.

We are assuming a criminal here. You use a fake license plate that you change regularly. You also move regularly and pay cash. Once again, your OpSec needs to be perfect but it is the only real obstacle. If they know which cluster of 1,000 people you are, your license plate gets changed, and you leave at the end of the month forever...they'd have to investigate all 1,000 people to maybe-possibly-id-you then try to figure out who and where you changed your license plate. But you are assuming they can trace the hardware of an anonymous cash transaction on craigslist again. I highly doubt that.

> Or did you take your cell phone with you, and did the person who sold you components take their cell phone? Yes, you're caught. The operation in the previous paragraph, which assumes that you're just driving to meet someone and both parties are leaving their cell phones at home, is already busted. So if you've taken your cell phone on top of it, then it's even easier. Anything involving correlating cell phone movements is trivial for authorities. And if you don't take your cell phone, how are you going to let them know you've arrived? What if they're late? Or you're late? Now you have two problems: Set up a burner phone in an anonymous way (hello, in-store security cameras) and then never, ever use this cell phone in the same place as your main cell phone. Not a good position to be in.

The last time I bought one, I met them at their house and rung the door bell. No phone required. You can also pay a bum to go in and buy the burners for you. Admittedly, I was just buying something to experiment with on the cheap so I didn't really care about anonymity.

However, you are making the assumption these components are easily traced in after market cash sales. I doubt strongly that they are that easy. And given you are trying to be anonymous, you don't care if either party is late since you'd wait a reasonable amount of time and if that failed, setup a new transaction elsewhere.

> I've ignored the whole "fake ID" aspect, because if you're in a position where someone is putting their face onto a forged legal document, that person is going to be persuaded by authorities to betray you. And if that person is you, then obviously you're caught at this point. Your face is probably on Facebook, and facial recognition software is getting pretty good nowadays. In general, physical ops are the most dangerous of all ops, and should be avoided until every other avenue has been explored. Better to anonymize your cash (which is also a physical op) and then use that cash to rent a single remote server.

You can't anonymize your cash for digital transactions given sufficient effort being expended to find you. If you don't do physical ops, you aren't paying cash. If you aren't paying cash, they will find you because the banks [which are intentionally letting things slide to increase business] can't hide it from the regulators forever. They've proven that repeatedly with billion+ dollar fines.

Honestly, it doesn't matter tho. I have no real interest in hiding to that degree. Everything I do is legal. :P Its just a fun mental exercise to me.

[devconsole]

This is a perfect illustration of how to get busted. For example, the whole idea of "How can I acquire a burner phone?" is misguided, because as soon as you speak into a burner phone, your voiceprint alone is enough to identify you.

Various assumptions like "I doubt it's that easy" are also the road to getting busted.

Trying to forge or steal legal documents, let alone a license plate that you drive around with and which officers can notice at any time, is also how to get busted.

[opendais]

I'll have to take your word for it. I'm pretty sure you are overthinking this tho.

What you are describing is basically:

1) They find the server [this likely takes months based on their performance so far].

2) They get a copy of the paperwork & server [fake id, so useless information on it and a fake picture. That is assuming they keep a copy at all, they might not.]. Server is commodity and basically untraceable. They trace you via license plate readers to a residential neighborhood with 1,000 people.

3) They see you leave a month later via license plate reader on a major freeway and somewhere along the way you disappear because the entire country isn't monitored, especially rural highways where there aren't traffic cams. You change your license plate in the middle of nowhere.

4) They somehow detect the license plate change and track you from there to your new destination.

I mean its possible, I just don't see it as being likely given how hard they've worked to find people who made publicly visible glaring errors. :P

[JoeAltmaier]

I'm probably naive, but any computer a crack-head customer can find, can not be rocket science for the FBI to find. Right?

[devconsole]

It's an open question whether Tor has been compromised to the point that it's now trivial for authorities to locate where darknet websites are hosted. I'm simply making the observation that if your opsec is good enough, you shouldn't need Tor's hidden webservice capability to protect you. You could simply run your website as a standard .com website, except for the fact that authorities can take the .com domain from you.

Or, put another way, if you're relying on Tor's hidden webservice capability as your sole defense, then you're in a bad position.

[unchocked]

Learn about Tor. A key distinction is that the "crackhead" Alice is only communicating with the "pusher" Bob, but the location of Alice and Bob is a secret.

http://en.m.wikipedia.org/wiki/Tor_(anonymity_network)