Silk Road forums

LOL. In a free market, everything is up for sale.

Yes, they can be used together. Honestly I think it's a toss up if the threat you're worried about is "being identified in a fishing expedition". Both options protect about the same amount against a very unlikely threat.

Out of the 820 vendor keys that I have, 6 of them fail to import because of a radix or CRC checksum error, so that definitely happens. Maybe you copied it wrong? Maybe there's an encoding problem? This seems to be more common on Macs.

So everything i do on tor is anonymous then?

That's a broad question. Like I said, there are lots of ways to be deanonymized besides an attack on the Tor network or your TorBrowser. If you tell someone your name, there's nothing Tor can do to protect you. Someone could social engineer you into giving up your identity. You could get drunk and give out too much info. You could talk to someone frequently and give out little bits of info, which they are able to connect to your read identity. If you use a unique username on this forum that you use on clearnet sites, someone could connect them and figure out your identity. You could download malware or open a document that phones home to someone's server and deanonymizes you.

Rewording the question more narrowly: will Tor in its default state deanonymize you? The chances are extremely small. And remember, it's still your best option among all proxies -- at least if you want to access clearnet.

Because if there is no evidence on my devices how can i be caught, if tor does not leave traces?

Tor on its own doesn't leave traces of your browsing activity, but that's again something you can screw up through unsafe actions, such as saving bookmarks. Unless you live in some place like Iran or Syria, it's not illegal to use Tor. Having TBB on your computer isn't evidence of a crime. Neither is a link to Silk Road on its own. Lots of people, like journalists and bloggers, browse the site and don't buy anything. However, it can be evidence against you in the right context. If LE intercepts a drug package, raids you, and finds a link to SR on your computer, it'll be harder to deny that the package was yours when there's evidence on your computer that you were visiting drug sites. But that's also the case if they find drug paraphernalia in your house, or a lot of cash.

If you leave TBB in the default configuration and don't compromise your identity through your behavior, you should be safe.

Or is there no way except for fucking it up yourself?

The chances of Tor fucking you over are extremely small. You are far more likely to do it yourself.

Printed labels are the minimum requirement these days, even for free shipping.

I prefer envelopes over larger packages. Maybe I'm wrong, but I just think they are safer. It's the most common type of parcel, so it blends into a much larger crowd. I also think an envelope is much less likely to be pulled out and inspected. They want to bust big drug shipments.

Of course, envelopes only work for small orders, which is fine by me.

Tails is a full fledged operating system that comes with TorBrowser and other apps that are pre-configured to use Tor.

https://tails.boum.org

You need to burn it to a DVD, then clone it to a USB to enable the persistent volume.

Here's a thread about it:

http://dkn255hz262ypmii.onion/index.php?topic=114141.0

If an attacker owns your entry guard and an exit node that you use, he can determine that you accessed a specific clearnet site. If you don't use HTTPS, he can see what you are doing.

If an attacker owns your entry guard and an HSDir, or an intro point, or a hidden service entry guard, he can determine which hidden service you are accessing. If he owns your entry guard, theoretically he could use fingerprint analysis to determine which hidden service you are accessing.

You'll notice the common threat in all of these attacks is that the attacker owns your entry guard. Since you keep the same entry guards for about a month, it would take a long time and a lot of resources to perform these attacks, unless you are incredibly unlucky, which is why I say the chances of getting pwned are miniscule and not something I would worry about unless I was an extremely high value target.

These attacks are better at pwning a few random (unlucky) people among a really big group, rather than targeting specific people.

Changing your mac address doesn't make a difference at home. If you go through a router, that's all that your ISP sees anyway. Also, yes, using bridges increases your safety. In fact, as long as they are stable and running, they can be permanent entry guards, so unless you are extremely unlucky in picking a malicious bridge, you would probably never get pwned by these attacks.

Forensic Analysis of Tor on OS X

As part of a deliverable for two Tor Project sponsors (Sponsor J, Sponsor L), I have been working on a forensic analysis of the Tor Browser Bundle. In this three part series, I will summarize the most interesting or significant traces left behind after using the bundle, deleting it, and then shutting down the computer. Part one covered Debian Linux (#8166) and part two covered Windows 7 (#6845). This third, and final, part will cover OS X 10.8 (#6846).

Process

I set up a virtual machine with a fresh install of OS X 10.8, created a normal, non-admin user account, installed available updates, and shut it down cleanly. I connected the virtual drive to another virtual machine, used hashdeep to compute hashes for every file on the drive, and then rsync to copy all the files over to an external drive.

After having secured a copy of the clean virtual machine, I rebooted the system, connected an external drive, and copied the Tor Browser Bundle (version 2.3.25-6, 64-bit) from the external drive to the Desktop. I extracted the package archive by clicking on the archive, then started the Tor Browser Bundle by clicking on the TorBrowser_en-US app.

Once the Tor Browser was up and running, I browsed to a few pages, read a few paragraphs here and there, clicked on a few links, and then shut it down by closing the Tor Browser and clicking on the Exit-button in Vidalia. The Tor Browser did not crash and I did not see any error messages. I deleted the Tor Browser folder and the package archive by moving the folder and the archive into the Trash, clicking on it and choosing Empty Trash. I repeated the steps with hashdeep and rsync to create a copy of the tainted virtual machine.

Results

Using hashdeep, I compared the hashes from the tainted virtual machine against the hashes from the clean virtual machine: 131 files had a hash that did not match any of the hashes in the clean set. I have sorted the most interesting findings into different groups, depending on the location, how they were created, and so on.

Apple System Log (ASL)

The following Apple System Log (ASL) files contain traces of the attached external drive and the Tor Browser Bundle:

    /var/log/asl/2013.05.22.U0.G80.asl
    /var/log/asl/2013.05.22.U501.asl

I have created #8982 for this issue. I have been not been able to open the following two files, but they may contain traces of the attached drive and the bundle as well:

    /var/log/asl/StoreData
    /var/log/asl/SweepStore

Crash Reporter and Diagnostic Messages

The Tor Browser Bundle did not crash or hang, but I still found traces of the Tor Browser Bundle in the following files:

    /Library/Application Support/CrashReporter/Intervals_00000000-0000-1000-8000-000C2976590B.plist
    /var/log/DiagnosticMessages/2013.05.22.asl

I have not been able to open the file StoreData, which can be found in the same DiagnosticMessages directory, but it may also contain traces of the bundle. I have created #8983 for this issue.

FSEvents API

The FSEvents API allows applications to register for notifications of changes to a given directory tree. Whenever the filesystem is changed, the kernel passes notifications to a process called fseventsd. The following file contains the path to the attached external drive, the path to the Tor Browser Bundle on the Desktop, and the path to the Tor Browser Bundle in the Trash:

    /.fseventsd/0000000000172019

Other files in the .fseventsd directory may also contain traces of the Tor Browser Bundle and/or the attached external drive. I have created #8984 for this issue.

HFS+

HFS+ is the default filesystem on OS X; it supports journaling, quotas, Finder information in metadata, hard and symbolic links, aliases, etc. HFS+ also supports hot file clustering, which tracks read-only files that are frequently requested and then moves them into a “hot zone”. The hot file clustering scheme uses an on-disk B-Tree file for tracking.

I have not been able to open /.hotfiles.btree and /.journal, but they might contain traces of the Tor Browser Bundle and/or the attached external drive. I have created #8985 for this issue.

Preferences

OS X applications store preference settings in plist files, and the files below are related to system fonts, the file manager, recent items, and the Tor Browser Bundle. These files contain traces of the Tor Browser Bundle and the attached external drive. I have created #8986 for this issue.

    /Users/runa/Library/Preferences/com.apple.ATS.plist
    /Users/runa/Library/Preferences/com.apple.finder.plist
    /Users/runa/Library/Preferences/com.apple.recentitems.plist
    /Users/runa/Library/Preferences/org.mozilla.torbrowser.plist

Saved Application State

Resume is one of the new features in OS X 10.7 and 10.8. The feature allows applications to save their last known state when they are closed, and then return to this state when they are later reopened.

While the Tor Browser does not use this feature, it does leak information in the files which are written to the /Users/runa/Library/Saved Application State/ directory:

    /Users/runa/Library/Saved Application State/org.mozilla.torbrowser.savedState/data.data
    /Users/runa/Library/Saved Application State/org.mozilla.torbrowser.savedState/window_3.data
    /Users/runa/Library/Saved Application State/org.mozilla.torbrowser.savedState/windows.plist

The windows.plist file contains the HTML title tag of the last active tab in the Tor Browser (or currently active tab, if the browser is still open). If the last active tab was torproject.org, then the following string will be present in the file:

    Tor Project: Anonymity Online

I have created #8987 for this issue.

Spotlight

Spotlight, and the Metadata Server (mds), indexes all items and files on a system and allows the user to perform system-wide searches for all sorts of items; documents, pictures, applications, system preferences, etc.

I have not been able to open the files in /.Spotlight-V100 and /var/db/mds/messages/, but I would say it is likely that Spotlight and mds picked up the Tor Browser Bundle and the attached external drive at some point. I have created #8988 for this issue.

Swap

OS X relies on swap files and paging for memory and cache management. I have not been able to open the swap file, but I would say it is likely that /var/vm/swapfile0 contains traces of the Tor Browser Bundle and/or the attached external drive. I have created #8989 for this issue.
System Log

The system log file, /var/log/system.log, contains traces of the attached drive.

Temporary data

OS X stores per-user temporary files and caches in /var/folders/. The following files contain the path to the attached external drive, the path to the Tor Browser Bundle on the Desktop, and the path to the Tor Browser Bundle in the Trash:

    /var/folders/fb/v5wqpgls029d8tp_pcjy0yth0000gn/C/com.apple.LaunchServices-036501.csstore
    /var/folders/fb/v5wqpgls029d8tp_pcjy0yth0000gn/C/com.apple.QuickLook.thumbnailcache/index.sqlite
    /var/folders/zz/zyxvpxvq6csfxvn_n0000000000000/C/com.apple.LaunchServices-0360.csstore
    /var/folders/fb/v5wqpgls029d8tp_pcjy0yth0000gn/C/com.apple.QuickLook.thumbnailcache/thumbnails.data

These files also contain strings such as org.torproject.torbrowserbundle, org.mozilla.torbrowser, torbrowser_en-us.app, torbrowser.app, net.vidalia-project.vidalia, and vidalia.app. I have not been able to open the last file, thumbnails.data but it might contain traces of the Tor Browser Bundle and/or the attached external drive. I have created #8990 for this issue.

References

http://encrypted.cc/post/51552592311/forensic-analysis-of-tor-on-os-x
https://trac.torproject.org/projects/tor/ticket/8982
https://trac.torproject.org/projects/tor/ticket/8983
https://trac.torproject.org/projects/tor/ticket/8984
https://trac.torproject.org/projects/tor/ticket/8985
https://trac.torproject.org/projects/tor/ticket/8986
https://trac.torproject.org/projects/tor/ticket/8987
https://trac.torproject.org/projects/tor/ticket/8988
https://trac.torproject.org/projects/tor/ticket/8989