Silk Road forums

These rankings seem to be biased towards systems that maximise security for individuals who will predominantly be committing their offences from a single location and/or using the same network repeatedly. More bluntly, people sitting at home ordering their drugs to be delivered to their door While the set-ups you've described are brilliant, they're also involved and unwieldy, inelegant.

You're absolutely right. The first 5 setups are beyond the capabilities of the vast majority of people, but I've listed them because they really are the most secure. So now you have a fun challenge. Can you convert an old laptop into a Whonix Gateway, or install PORTAL on your router? If you never try anything hard, how will you ever grow?

In any case, I think Whonix on a Linux host or Tails with persistent bridges are safe enough for most people, and within their capabilities to setup. Either of these options is much safer than running TBB on Windows, which is what most people do right now. I want to lift the collective security of the community, and I've given them a variety of options.

I prefer Tails as not only is it a secure OS, but it's a means of encouraging secure behaviour. Used as recommended, the lack of persistent entry guards isn't really an issue. Used as recommended, I believe, tor bridges may be less safe, at best redundant, as you would want to randomise them as much as possible, also. Spoof your mac address, briefly access  random networks  to conduct your business, ram wiped, away you go. Easy as...

If by "used as recommended" you mean used as a mobile operating system where you log on to different, random wifi spots, then you're correct, your bridges should be different each time so you aren't linked to other logons (of course, you should randomize your MAC address in that case too, which unfortunately Tails doesn't give you an option to do during boot).

However, the vast majority of Tails users in this community don't use it as a mobile OS. They repeatedly connect from home. In that case, you want persistent entry guards, because choosing different ones all the time increases the chances that you pick a malicious node.

Forensic analysts
Traffic Analysts / Signals Intelligence
Network Analysts
Communications Intelligence
Hackers / Live Forensics
Open Source Intelligence

I'm not going to requote the entire thing, but this is great. Exactly the kind of input I was hoping to get.

It is also worth noting that firewall rules could have prevented the freedom hosting attack from working, as could have mandatory access controls. A combination of mandatory access controls + virtual or hardware isolation + firewall rules would have added three different layers of security via isolation that an attacker would have needed to overcome before they could get their payload to phone home.

Yes, mandatory access controls and firewall rules are other forms of isolation that I didn't mention. I was too narrowly focused on VMs.

Also ask yourself "Does this virtualization based isolation tool support ASLR? does it support NX-bit?". Xen is probably the most secure virtualization system in that it will be hardest for the attacker to break out of. This is why Qubes uses Xen. On the other hand, Xen doesn't support ASLR. This means that if you run Firefox in a Xen VM, it is probably more likely that an attacker can exploit its vulnerabilities than it is that the same attacker could exploit its vulnerabilities if it was in a virtualbox VM. On the other hand, it is more likely that the attacker will be able to break out of the virtualbox isolation than it is that they will be able to break out of the xen isolation. I am not sure where the correct balance is, but the answer is probably to use hardware isolation because it is the strongest isolation possible and it also supports ASLR and everything else. Or maybe the solution is to use Hardware isolation + virtual isolation, but then we are back to square one, should we use virtual isolation that is harder to penetrate or virtual isolation that allows us to use other important security mechanisms as well.

Theory meets practice at some point. Since posting this guide, people have admitted to me that running Qubes or setting up an anon middle box (even following the instructions to manually set up the Whonix Gateway on a separate device) is beyond their capabilities. A big difference between Xen and VirtualBox is that there is a preconfigured solution for VirtualBox, and that's better than no virtual isolation at all.

A big plus for qubes is virtual airgapped GPG, but this can be configured manually with Xen or VB as well.

What do you mean by virtual air-gapped?

No persistent entry guards is a massive disadvantage, if you don't set persistent bridges don't use Tails. If they add persistent entry guards I would consider it a fine solution and although not on the level of Whonix or Qubes it would be a solid third place. They shoot themselves in the foot by not having persistent entry guards though, so make sure you use bridges if you use Tails. It is worth noting that had the FH attackers targeted Linux, their payload would have failed to phone home because of their firewall rules (but it didn't target Linux in the first place).

This really needs to be TODO item #1, like out in the next version of Tails.

astor, you should consider teaching a course on this stuff, framed a different way, like cyber safety or something, or how to prevent being tracked by marketers.  it's all equal.

Are you saying I should cancel my Silk Road Security 101 course at the local junior college?

apart from being great information on how to remain anonymous, this is essentially information that the next generation should be equipped with to protect themselves from any interests that aim to invade their privacy without their permission or knowledge.

Thanks. I wanted to put my knowledge on this subject in one place as well as spark a conversation, and writing helps me organize my thoughts.

Quote from: Dread Pirate Roberts on August 14, 2013, 04:30 pm

It is possible to just donate to relay operators, but I think it is much better to run your own.  If one group runs most of the relays, that's not really a distributed network.

Amazon EC2 has pre-made tor relay images that make it super simple for anyone to help tor using the cloud.

Honestly, running bridges on Amazon, which is a US company that will hand over data to the NSA in a heartbeat, or allow them to watch their whole network, is a bad idea. Rent VPSes or servers in non-NATO countries. Most of the Tor network is in North American and Europe, where intelligence agencies cooperate to share data. That's the network's biggest problem right now.

It's interesting how there has been a very noticeable increase in the number of people asking about secure data erasure since the FH exploit.

Maybe that's just a coincidence. Certain kinds of security questions seem to come in waves. We may get a dozen threads about VPNs in a week and then nothing about VPNs for a month. However, this is probably not a coincidence.

Is it possible in qubes to make a proxy vm locked to just a vpn connection?

It already provides a Tor VM. I imagine it's possible to spin up another VM that just runs OpenVPN so you route all traffice through application-specific domain VMs -> Tor VM -> VPN VM -> internet.

Just encrypt the whole hard drive. It's much easier than trying to erase log files, and much safer in the long run.

You can do it with a few clicks at install time on Ubuntu, Debian, the latest version of Linux Mint, along with CentOS, Scientific Linux, and probably Fedora.

Wow, a great, fairly definitive overview!    I think everyone should just point to that post as the answer for "Should I use Tails or Whonix or Windows 95?" questions.

On the Qubes OS front, in the "plus" column for Qubes is that it's fundamentally relying on the Xen hypervisor to enforce isolation, and that's one of the more mature, well-understood VM technologies available.  And the core developer of Qubes OS has as good of a pedigree for VM-related security as anyone on earth.

One observation from some brief use of Qubes.. new users should make sure they understand how it works at a basic level.  Your basic OS/windowing system (the dom0, in Xen terms) that boots up isn't actually on the network.   And you shouldn't ever put it on the network, unless you're applying updates and you're sure you know what you're doing.   Which is really the strong point of Qubes.. it's like Whonix isolation on steroids.   And if I had to pick between trusting VirtualBox or trusting Xen (particularly as configured by Joanna Rutkowska and company), I'd pick Xen and Qubes.

Thanks, this is great info. Yeah, when I was reading the Qubes web site and their blog, I got the sense that the devs knew what they were doing, which is a plus in Qubes' favor, but I wasn't sure how secure their configuration is, and the testing community seems kind of small.

Ok I might be a bit confused. If I'm using windows as the workstation directing everything through the gatway (laptop) then is that basically useless or am I achieving anything? I know I gotta break out of windows it's just hard when I've been using it for work for so many years.

Ok, I guess you could call that Whonix with physical isolation and a Windows Workstation. It's the equivalent of Windows with an anon middle box. That wasn't one of the options I listed above, primarily because I consider Windows insecure, since it's the biggest target of malware by an order of magnitude over OS X and by two or three orders of magnitude over Linux, and because the vast majority of Windows installs are linked to people's real identities (the licenses are linked to the purchases). So you can still leak your identity even though the connection goes over Tor whenever there is a system update. I think even the default Whonix Workstation + Gateway on a Windows host is safer than that.

Since we're at let me ask you this. I tested out Whonix for a bit. What I did was encrypt my system with Truecrypt, created a hidden OS. Installed Virtual box and ran Whonix there in the hidden OS as to not to leave any traces of Whonix on my computer.  Does that set up do anything for me?

That's good, but the VirtualBox configuration files point to the files in the encrypted container, so you are leaking their existence. You should run the portable version of VirtualBox and store it in the encrypted volume too.