[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

The illegal markets of cyberspace

I guess I'll get a bunch of cypherpunkers on me now,
even though I have the disclaimers/clarifications there.
I am not opposed to anonymous services at all, ok?

The inital idea behind this note, my main conclusion,
is that NSA and others wont be able to estimate the amount
of free computing power available "out there". The note
outlines what I consider a probable scenario that will
invalidate their estimates with a few orders of magnitude.
If that is not enough, one can always bring out the big 
jack hammer: An combiner Internet Worm/SSL Bruter kidnaping
the net for a number of hours.



To: Risks Digest

This is a short note I wrote the other day. It points out
a potential future risk, and also show existing problems
with the FSP "proto-market". 

Also note that I am not opposed to anonymous services per se,
I am only pointing out possible misuses of the technology. 
There are just as big risks in not deploying encryption and
anonymous services, in going forward with a world without 
privacy and private spaces.


by Christian Wettergren, [email protected]

Given the recent Brute-SSL efforts, together with the BlackNets
and an eventual ecash exchange, there is a quite interesting 
situation emerging. The future markets of Cyberspace will
be trading computing power, storage capacity and communications 
bandwidth, in addition to the more usually mentioned goods. This
market for computing capabilities can be used for legitimate purposes
as well as for illegal ones. I will here concentrate on the illegal
uses, since they will prove to be a challenge to control.

Computing power can yield pay-off in actual money, as the bruteSSL
effort has quite convincingly shown. This can create a market for 
hiring computing power for illegal purposes. The actors on such a
market can be quite safe, given the anonymity of the BlackNet and the
tracelessness of ecash (DigiCash). There are other goods on the
market as well; storage capacity and communication bandwidth.

How would such a market be operated?

The supply of "goods" for the market could be created by  hackers
breaking in to other's systems and hiring out the stolen capacity.

The intruder could install a backdoor into a foreign system that would
accept issued cryptographic access codes that would expire after a
certain amount of time or usage. This makes it possible for the
intruder to operate the business without having to go near the "scene
of the crime". There is of course a certain risk that the intruder
might lose the system to the hiring party, but that isn't such a big
deal, since first of all its not his system, and second of all he may
have booby-trapped the system for this case.

The intruder would break into computers en masse, and install the
backdoors as indicated above. They would then offer the stolen
merchandise onto a BlackNet-like arrangement. Potential buyers would
express their interests, and the broker of the BlackNet would connect
the two together.

The buyer and seller would agree on a price. The buyer would deposit
the access codes, the seller the anonymous ecash by the broker, and
the broker would effect the deal, taking a share of the profit. The
buyer can then exchange his ecash for real money, or do whatever he
wants with it. The seller brutes away onto whatever he wants, why not
the SWIFT international banking system?

The usage of stolen CPU cycles must of course be done in a careful
way. The intruder would probably install some safeguards against
excessive use, in his own interest. These safeguards could feature; *
only using spare cycles, * monitoring superuser and sysadm activities,
* hiding the process from system utilities like ps, * backing off
during daytime hours etc. 

Other merchandise

Storage capacity can be traded in a similar way, by setting up
backdoor file server processes that listenes for the proper access
codes. This kind of capacity could be used as anonymous post boxes,
where you store secrets that you don't want to store at home, even if
they are encrypted. It could also be used for bulk storage if it is
cheaper than buying a new harddrive. Since this storage isn't offered
by the proper owner, he can easily be very competetive. :-)

There are of course a number of catches trading with stolen disk
capacity, but they can quite easily be circumvented. To counter the
privacy issue, all stored files will be encrypted by the submitter.
This also eliminates potential evidence, if the proper owner discovers
the illegal use of his resources. 

There is also a certain risk of losing the files if the area is
discovered. This can be countered by storing the files in several

There is a third risk of traffic analysis of the file server. This
analysis can be complicated by having a system of file servers that
exchange files with each other, moving them around. In this scheme a
buyer can submit a file in one location, and it can be stored in a
totally different location. It will take a concerted action by several
system owners to track down all their unwanted guests, so it is more
likely they will only shut down the file server on their own system. 

Underground bases

Trading communication bandwidth is somewhat more involved than the two
previous ones, and cannot be traded without a portion of disk and cycles. 
It can however be worth a great deal to a potential buyer. 

Buyers of communication bandwidth is most likely setting up a service
that is sold for profit. This service can probably not tolerate
day-light and accountability, and hence needs to be anonymous. A good
example of such a service is the emerging FSP-server black market,
which has been souring during the last year and a half. (There have
been lists circulating with several hundreds of FSP servers.)

An FSP server is an anonymous file server where the users can freely
upload and download files. These "black markets" of file exchanges has
been used to trade porn, pirated music and pirated software. A site in
Sweden recently caught students that had started such a server. 3
Gb/day went out through the server, and an estimated worth of $2
million in pirated PC programs were exchanged over it during it's
three weeks of operation. 

The high volumes in the server was mainly due to the large amounts of
available bandwidth out from the site. The example is not entirely
good, since there is no money or ecash exchange in this case. The
thing traded currently in the FSP buisness is instead the mere
existance of a server, trading one piece of server access info for
another. This is mainly because of lack of features in the FSP code,
and not a fundamental feature of any such market.

Communication bandwidth/service space rental is traded in a similar
way as the other merchandise over the BlackNet system, with ecash
exchange. The service provider will probably keep on using the site
until the proper owner discovers it, since it is a hassle to move the
service while running.

What is the size of this potential market?

I consider the estimates below conservative. Any illegal  market would
probably be much bigger, and constantly try to expand. 

Internet now has well over 3 million reachable computers. Lets assume 1
percent of them could be broken into at any one time, i.e 30.000

Each computer is probably good for 5-10 MIPS, but assume we can use on
average 1 MIPS without risk for discoverage. (We can probably use more
during non-office hours, but maybe nothing during the day.) You can
certainly use 10 Mb of ddisk storage on each computer without

This adds up to a constant 30 GIPS in computing power, and 300 Gb's of
storage. And I believe this is a very conservative estimate, as I


I think it is quite likely that markets similar to those described
above will emerge in a few years. There is already one primitive
example of such a market in the FSP buisness, and we will most likely
see more elaborate forms soon. The developement will accelerate once
there is targets which will yield interesting pay-offs.

Another conclusion is that all current estimates on available privately
available CPU power for bruteforcing is likely to be _wrong_ in the
face of such markets. The net has now shown several cases of doing the
supposedly impossible; RSA-129, SSL1, SSL2, RC40 etc.

The SSL2 effort, although impressive, I believe has only revealed a
miniscule piece of what is possible to do. Observe that the current
effort has all used volounteers, has not used any of the easily
accessible super computers on the net, nor has used any intrusion
techniques to round up CPU. 

The ultimate technique would be to have a well-writen worm raid the
Net for CPU power, maybe only being active for a few hours. The worm
could penetrate a substantial fraction of the Internet, if fed the
right database of possible attacks on different vendors.

The last, and most obvious conclusion perhaps, is that all sites
should be concerned about their security. There is more to steal in
your system than your supposedly worthless information, and I would
say that the laws are quite unclear on the issue of liability in any
of the above situations. At least if you haven't taken proper

By the way, the above mechanisms can be used to create perfectly legit
and proper markets as well. Don't confuse the phenomenas with the

[BlackNet is a creation of Tim May <[email protected]>, and possibly
other cypherpunkers. A black market broker announces a public key widely
on Internet, stating the market's existance. Potential buyers and sellers
encrypt their requests and offers with the public key and posts the 
encrypted info in a newsgroup somewhere. The broker can then match up 
buyers and sellers. Ecash can be used to transfer funds, and the broker
will get his share of the deal. This scheme is close to impossible to 
traffic analyse.]