There is also the http://g7pz322wcy6jnn4r.onion/opensource/ovdb/ac/index.php drug market.
Tracing hidden services is trivial for a skilled attacker. The best way to do it is to send a time-modulated stream of packets to the hidden service over many different circuits. Hidden services open a new circuit for every rendezvous point and the clients can select to use as many rendezvous points as they desire. This makes locating hidden service entry guards easy as you can flood some nodes to the network and look for the pattern in the packets you send to the hidden service. This will locate the three entry guards which can then be trap and traced to find the hidden service's location, or tons of other attacks. Don't count on a Tor hidden service to give you a server that can't be traced! You should edit the Tor source code to select for a four or five hop circuit, with the first two or three nodes being guards (from a small pool, meaning two-three guard chain). You could select to use a single entry guard, this will reduce the chance that the attacker owns one of them. However it is bad for uptime and there are some other attacks that this could theoretically be weaker to than using three guard nodes. I personally think it is a good idea, others may disagree.
The main risk if the attackers locate the hidden service is that they could take it over and be in a good position for application layer side channel attacks. All orders must be encrypted with GPG if you want a chance, this helps tremendously because then if the server is compromised the attacker can not impersonate vendors or harvest customer addresses. The hidden service being compromised should be assumed after some time. You can make it harder for the attacker to trace the hidden service on the application layer by using a few techniques. First of all you can run things on an OpenBSD server with ASLR and a 64-bit processor to make buffer overflow attacks all but impossible. If you have some money to spend I suggest you make a tamper resistant case that can detect if it is physically penetrated and wipe the volatile memory, put the RAM in encapsulation material and do co-location anonymously. Be careful not to leave DNA fingerprints or other links on the physical server if you go this route. You can isolate the server by putting it on a virtual machine, isolate the processes by using BSD jails style virtualization inside this VM. Tor should be in its own VM separate from the VM the web server is in, with all traffic forced on the host to go through the Tor VM. This way an application layer compromise of the web server can not side channel Tor unless the attacker can go through the hypervisor. You should also use mandatory access control profiles to really lock the web server down as much as possible.
The biggest thing to worry about is geolocation intelligence being coupled with Tor observability. I imagine these sites are going to be attacked by the feds intersecting the crowd of Tor users with the people in a rough proximity of where packages are shipped to narrow in on a likely suspect pool. In other words, you should worry less about the hidden service and more about the operational security of the vendors. Vendors should not connect from home or even use Tor or other anonymizers from home. They should use Tor bridges to offer membership concealment, however it is not known if the FBI or DEA are capable of detecting bridged connections. Using bridges makes you easier to trace through the network but for our threat model membership concealment is quite important... the feds don't need to trace through the network, they can look for connections into the network since they can determine geolocation from mail.
I suggest that you make a clear separation between order retrieval and order decryption. Use Tor + Bridges + open WiFi in always changing random locations, not from a car but on foot + ASLR + MAC + FDE + General hardening on the machine you use to get orders. Another option is to use a live CD, these will not be as technically secure as you can configure things yourself but they have the huge advantage of leaving no traces as soon as they are shut down which will give you more plausible deniability in court than if you refuse to decrypt a machine. Another disadvantage of live CD is the lack of ability to use bridges usually, open WiFi is not true membership concealment but rather location unlinkability (the attacker will likely be able to determine where Tor connections were made from, but they may not be able to link these geographic locations connections were made from to your base location). You should also use a virtual machine with a NAT connection so that if your order retrieval machine is hacked they can not access your WiFi adapter and pull nearby MAC addresses to geoposition you. Plus Tor Browser separation via a VM and firewall rules on the host.
After encrypted orders are retrieved you should burn them to a CD still encrypted. The decryption should take place on a fully separate machine with no access to the internet. This way even if they manage to compromise the machine that can connect to the internet, they can only pull ciphertext. If they compromise the decryption machine, they can not communicate back customer addresses. You could build a copper mesh cage to contain the decryption machine and cover it with blankets and generate noise to create a makeshift SCIF, to protect from transient electromagnetic signals being used to reconstruct your monitor, hidden cameras pulling the screen/keyboard, acoustic analysis of keystrokes. Or you could use an on screen keyboard to protect from audio analysis of keystrokes. There are disadvantages to using a SCIF, primarily you will have a hard time explaining it in court and copper mesh is not cheap. On the other hand, if they do Van Eck radiation analysis to pull your screen they pretty much win anyway. Your best bet is to make it so they can't find your location to do this sort of attack in the first place.
I would also consider compartmentalising customer support from shipping. Communicate with the shipper using steganography or some covert channel to conceal the link.