Silk Road forums

Good thread.

However I don't agree necessarily that Whonix on a Linux Host is *fundamentally* better than the same on a Windows Host to the point of making the second insecure in EVERY case.

Sure, a Windows host with no malware is about as secure as a Linux host, but I think you are downplaying the difference. Most people will be running Whonix on a Windows host that they use for other purposes. If they can spare a computer for SR activities only, why would they run Whonix on Windows anyway? They have all the more freedom to install Linux and run Whonix on it, or turn that computer into a Whonix Workstation with physical isolation (using Tor on the router or a middle box as the Gateway). No part of SR requires Windows.

So it is extremely likely that anyone running Whonix on Windows will be using Windows for other reasons, like normal activities tied to their real identities. It's also a fact that Windows is a bigger target of malware and exploits by two or three orders of magnitude over Linux. In the 5+ years that I've been using Linux, I've never heard of Linux-specific malware in the wild. There have been a few cross-platform Java exploits, which were easy enough to protect against (don't install Java).

Under what I predict to be the normal use case, I consider that setup to be insecure.


I should also point out that my cut off is a bit arbitrary. Tails or Whonix on a Linux host can also be exploited, but I think the difference between #7 and setups below it, in terms of the probability of that happening, is much bigger than the difference between #5 through #7, so I drew the line there (the difference between any setup that uses physical isolation and any setup that doesn't is probably also very big). Since posting that guide, people have told me that they feel insecure because they are using Tails, because it's so far down the list. I think Tails with bridges is fine for the average SR user if they are incapable of setting up something higher on the list. There is no magic cut off line that makes you "secure enough", although the probability of getting pwned decreases as you go up the list.

The formal extradition request was filed today, but no evidence was presented in court. Looks like they will make their case on September 11.

http://www.irishmirror.ie/news/irish-news/extradition-case-child-porn-accused-2170785

It's more likely that he used a shitty password. The password crackers are getting really good. They iterate on dictionary words, so turning your password from "potato" to "p0t4to34" isn't much help.

Here's an Ars Technica article about it:

http://arstechnica.com/security/2013/05/how-crackers-make-minced-meat-out-of-your-passwords/

The best is probably to have two machines for encryption. Machine 1 has your private key on it and is used for decrypting messages, it can have ciphertexts from the internet brought over to it via one time use CD's (so can be infected), but never has any outgoing patch to the internet (so cannot phone home). Machine 2 is used for encrypting messages, it can have ciphertexts sent from it via one time use CD's (so can phone home) but it cannot have anything brought to it by media that has accessed the internet (so cannot be infected).

Like what the Armory does with cold storage of bitcoin wallets. That is certainly secure, but it's hard enough to get people to use PGP.

To DPR or any other members here, how hard is it to run a tor relay to help out? How much knowledge would one need to run one, resources, expenses, upkeep and security possible problems? Any info would be very helpful.

As far as expenses go, you can get a VPS for a few dollars a month, or even as cheap as $10 a year, which would be adequate for a bridge, but for a normal relay, you'd want something bigger. That can cost anywhere from $5 a month for a small VPS to hundreds of dollars a month for a dedicated server with unmetered bandwidth. I think any little bit helps the Tor network, though.

I'll post a tutorial on how to setup a relay, probably tomorrow.  It will be *almost* copy-paste easy, but you'll have to change some things for your specific server, like the bandwidth limits.

Unfortunately, it looks like if you want to see the captcha or use a lot of the site functionality (like the "collapse comment thread" button), you have to whitelist reddit.com and something like reddit.s3.amazonservices.com. Forgot the second domain, but it's something like that. Reddit is hosted on Amazon.

If anyone wonders what's more secure, Tails or Whonix, have a look at this comparison:
http://zo7fksnun4b4v4jv.onion/wiki/Comparison_with_Others

That's a nice overview. Looks like Whonix with physical isolation and Qubes OS with physical isolation are about even. You might still prefer Qubes OS so you can create disposable VMs to open untrusted files, or store your passwords in text files that are in a separate encrypted VM from your browser. I guess Whonix with virtual isolation is less secure that Qubes OS because VirtualBox is less secure than Xen. Are kernel exploits to gain root privileges more of a threat than VirtualBox exploits to escape the VM?