On 1/13/19 10:43 PM, Mirimir wrote:
Dropgangs, or the future of dark markets
Here are some ideas about structural vulnerabilities in the Dropgang protocol, as described at https://opaque.link/post/dropgang/

Dead drop reuse: To achieve acceptable security each dead drop may be used once only, because hostile buyers could place 'their' dead drops under video surveillance and record every courier and customer visit to the drop following their own transaction. Couriers delivering to dead drops cannot determine if their supplier sends them to previously used dead drops, unless they service only dead drops they set up and document themselves. Couriers should transmit the locations of drops they have developed only when presented with an order to fill, to assure that their distributor cannot send other couriers and customers to use them first. The added surveillance exposure of making two visits to the same site - setup and delivery - presents less exposure than trusting that the anonymous seller will never send a courier to a previously used dead drop. Sales layer incentives for reusing dead drops include faster service during episodes of high demand for their products, and reducing the payment demands (time & labor = money) of their pool of delivery agents by reducing the need to develop new dead drops. Compared to single-use dead drops, reusing dead drops would enable distributors to reduce the cost of compensating agents to select and document new dead drops by up to 1/n the number of delivery agents employed, without disclosing to any delivery agent that the distributor does reuse dead drops. Absent an active and aggressive adversary, reusing dead drops would present few risks, so distributors may "get away with it" long enough to establish, in their own minds, that reuse is safe enough, and "either way I am not personally at risk."

In the context of potential reuse of dead drops by unwitting delivery agents, isolation of the Sales layer from the Distribution layer via cryptography and mix networking tends to create potential hazards rather than removing them: Exposing delivery agents to drop-dead risks may cost sales agents some employees but has no other immediate repercussions, as no evidence implicates them in exposing service agents to hostile actors. Over time a sales layer actor who burns delivery agents may run into trouble secondary to "cooperating witnesses" assisting investigators working their way up the chain of product custody; faith in the security of the protocol could easily lead some bad faith actors to dismiss that possibility.

I noted that the article linked above endorses reuse of dead drops as acceptable, by saying that "An ideal dead drop is however used exactly once. Only then can the risks of using it be reduced to pure bad luck." I would hesitate to make purchases via the Dropgang protocol, because customers have no way of assuring that hostile buyers did not visit the same dead drops first - and some Dropgang advocates do not seem to understand the severity of the risks associated with dead drop reuse in the Dropgang context.

Dead drop profiling: I believe the ability of hostile actors to in effect purchase dead drop locations, and delivery timing information, presents as an Achilles heel of the Dropgang protocol even with single use dead drops: Controlled buys would enable State or other well funded actors to map and profile dead drop sites, reducing the scope of counter-Dropgang surveillance from "everywhere people can go" to target areas. The more random-ish and widely dispersed the dead drop sites, the higher the overhead in developing and servicing new drop sites due to travel time, orientation to unfamiliar terrain, etc. In most instances dead drops will concentrate in the most convenient terrain for delivery agents and customers.

As geographic clusters of dead drops appear in data from controlled buys, more effective surveillance of those areas would follow. This observation suggests a security advantage when fewer, higher value transactions are handled, reducing the number of data points available to hostile buyers, and justifying more travel and effort to service drops. Bulk purchasers may also tolerate longer latency between orders and pickups than end use consumers. Higher latency reduces exposure to timing attacks and retroactive surveillance.

Timing attacks: Controlled purchases in conjunction with surveillance of suspected delivery agents (distribution layer) enable timing attacks, as buyers would know that the agent who filled their orders did so between the times the orders were placed and picked up. Surveillance State adversaries could correlate controlled buys with the movements of individuals in a pool of suspects. Also, creating spikes in demand through multiple controlled purchases could prompt increased activity by delivery agents during time frames of an attacker's choice. Conducting intensive surveillance of likely drop areas during induced spikes in demand presents a more cost effective and less detectable approach than maintaining intensive surveillance throughout a protracted series of individual transactions.

Summary: Because compromising a given Dropgang operation would cost significant time and money, I cannot call the protocol broken - but it does look a bit leaky. As others have noted, most of the resulting risks fall on the customers and delivery agents. However, a patient and well funded adversary could work backward toward supply sources by carefully observing known delivery agents and/or developing and recruiting "blown" distribution layer agents as informants.

Hostile actors not constrained by legal considerations could also infiltrate the distribution layer with their own agents to facilitate efforts to work backward and identify their sales layer controller/suppliers.

Information obtained and/or created through controlled buys, and correlation of data sets derived from controlled buys and bulk surveillance sources, seem to present the largest security exposures inherent in the Dropgang protocol. Reuse of dead drops presents a drop-dead security exposure for both customers and distribution agents, so distribution agents should take positive steps to prevent it. Because many attacks against a well run Dropgang operation depend on collecting data from as many dead drop transactions as practicable, a smaller number of high value transactions presents economic and security advantages over a higher volume of lower value transactions. I believe mid level distributors of contraband could profitably use the Dropgang protocol to buy and sell bulk quantities of product, but not those selling smaller quantities directly to consumers.