Dropgang vulnerabilities

[Steve Kinney]

On 1/13/19 10:43 PM, Mirimir wrote:
> Dropgangs, or the future of dark markets

Here's some ideas about structural vulnerabilities in the Dropgang
protocol, as described at https://opaque.link/post/dropgang/

Dead drop reuse:

To achieve acceptable security each dead drop may be used once only,
because hostile buyers could place 'their' dead drops under video
surveillance  and record every courier and customer visit to the drop
following their own transaction.

Couriers delivering to dead drops can not determine if their supplier
sends them to previously used dead drops, unless they service only dead
drops they set up and document themselves.  Couriers should transmit the
locations of drops they have developed only when presented with an order
to fill, to assure that their distributor can not send other couriers
and customers to use them first.  The added surveillance exposure of
making two visits to the same site - setup and delivery - presents less
exposure than trusting that the anonymous seller will never send a
courier to a previously used dead drop.

Sales layer incentives for reusing dead drops include faster service
during episodes of high demand for their products, and reducing the
payment demands (time & labor = money) of their pool of delivery agents
by reducing the need to develop new dead drops.  Compared to single-use
dead drops, reusing dead drops would enable distributors to reduce the
cost of compensating agents to select and document new dead drops by up
to 1/n the number of delivery agents employed, without disclosing to any
delivery agent that the distributor does reuse dead drops.  Absent an
active and aggressive adversary, reusing dead drops would present few
risks, so distributors may "get away with it" long enough to establish,
in their own minds, that reuse is safe enough, and "either way I am not
personally at risk."

In the context of potential reuse of dead drops by unwitting delivery
agents, isolation of the Sales layer from the Distribution layer via
cryptography and mix networking tends to create potential hazards rather
than removing them:  Exposing delivery agents to drop-dead risks may
cost sales agents some employees but has no other immediate
repercussions as no evidence implicates them in exposing service agents
to hostile actors.  Over time a sales layer actor who burns delivery
agents may run into trouble secondary to "cooperating witnesses"
assisting investigators working their way up the chain of product
custody; faith in the security of the protocol could easily lead some
bad faith actors to dismiss that possibility.

I noted that the article linked above endorses reuse of dead drops as
acceptable, by saying that "An ideal dead drop is however used exactly
once. Only then can the risks of using it be reduced to pure bad luck."
 I would hesitate to make purchases via the Dropgang protocol, because
customers have no way of assuring that hostile buyers did not visit the
same dead drops first - and some Dropgang advocates do not seem to
understand the severity of the risks associated with dead drop reuse in
the Dropgang context.

Dead drop profiling:

I believe the ability of hostile actors to in effect purchase dead drop
locations, and delivery timing information, presents as an Achilles heel
of the Dropgang protocol even with single use dead drops:  Controlled
buys would enable State or other well funded actors to map and profile
dead drop sites, reducing scope of counter-Dropgang surveillance from
"everywhere people can go" to target areas.

The more random-ish and widely dispersed the dead drop sites, the higher
the overhead in developing and servicing new drop sites due to travel
time, orientation to unfamiliar terrain, etc.  In most instances dead
drops will concentrate in the most convenient terrain for delivery
agents and customers.

As geographic clusters of dead drops appear in data from controlled
buys, more effective surveillance of those areas would follow.  This
observation suggests a security advantage when fewer, higher value
transactions are handled, reducing the number of data points available
to hostile buyers, and justifying more travel and effort to service
drops.  Bulk purchasers may also tolerate longer latency between orders
and pickups than end use consumers.  Higher latency reduces exposure to
timing attacks and retroactive surveillance.

Timing attacks:

Controlled purchases in conjunction with surveillance of suspected
delivery agents (distribution layer) enable timing attacks, as buyers
would know that the agent who filled their orders did so between the
times the orders were placed and picked up.  Surveillance State
adversaries could correlate controlled buys with the movements of
individuals in a pool of suspects.  Also, creating spikes in demand
through multiple controlled purchases could prompt increased activity by
delivery agents during time frames of an attacker's choice.  Conducting
intensive surveillance of likely drop areas during induced spikes in
demand presents a more cost effective and less detectable approach than
maintaining intensive surveillance throughout a protracted series of
individual transactions.

Summary:

Because compromising a given Dropgang operation would cost significant
time and money, I can not call the protocol broken - but it does look a
bit leaky.  As others have noted, most of the resulting risks fall on
the customers and delivery agents. However, a patient and well funded
adversary could work backward toward supply sources by carefully
observing known delivery agents and/or developing and recruiting "blown"
distribution layer agents as informants.  Hostile actors not constrained
by legal considerations could also infiltrate the distribution layer
with their own agents to facilitate efforts to work backward and
identify their sales layer controller/suppliers.

Information obtained and/or created though controlled buys, and
correlation of data sets derived from controlled buys and bulk
surveillance sources, seem to present the largest security exposures
inherent in the Dropgang protocol.

Reuse of dead drops presents a drop-dead security exposure for both
customers and distribution agents, so distribution agents should take
positive steps to prevent it.  Because many attacks against a well run
Dropgang operation depend on collecting data from as many dead drop
transactions as practicable, a smaller number high value transactions
present economic and security advantages over a higher volume of lower
value transactions.

I believe mid level distributors of contraband could profitably use the
Dropgang protocol to buy and sell bulk quantities of product, but not
those selling smaller quantities directly to consumers.




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 490 bytes
Desc: OpenPGP digital signature
URL: <http://lists.cpunks.org/pipermail/cypherpunks/attachments/20190122/584978fe/attachment.sig>