Silk Road forums

I'm with kmfkewm on this, quite frankly.  They have virtually unlimited resources

No, they don't. They have distinctly limited resources, in terms of money, manpower, intellectual capital, and internal and external political will.

An "infinitely" resourceful state adversary would have taken down SR by now. SR is still up because such an adversary doesn't exist.

The NSA is literally housed in a black box:

https://en.wikipedia.org/wiki/File:National_Security_Agency_headquarters,_Fort_Meade,_Maryland.jpg

Much of their operations are secret. It is the nature of human psychology that in the absence of evidence, wild speculations fly (you need only look at the explanations for weather phenomena in any pre-scientific society). That's basically what that blog post is about.

I submit that if we knew about their internal operations, they would be a lot more mundane than most people assume.

Also, all the resources in the world can't beat logic. While it's possible to compromise the Tor network, it is extremely difficult to do so in a way that won't get you noticed. You can spin up 10,000 exit nodes, but you can't do it without getting noticed. Take a look at the Trotsky section of this page:

https://trac.torproject.org/projects/tor/wiki/doc/badRelays

"Between 17-23:00 (UTC) 226 exiting relays, all with largely identical nicknames ("trotsky*") and exit policies were added to the tor network. No family or contact information was set, and the IPs came from several countries (mostly eastern European) making it look like a potential botnet. They disappeared roughly a week later.

On 10/2/10 between 21-20:00 (UTC) another 383 exit relays were added, this time more gradually. Others have periodically appeared outside these windows. These relays appear to be on residential connections, most having very poor connectivity (rransom reports that some are dialup)."

There is zero evidence that Cogent is a front for American law enforcement or intelligence agencies, and there aren't even that many relays on Cogent autonomous systems. Frankly, I'd be more concerned about Torservers.

I was reading about this yesterday. The main feature is that it scrapes publicly available content, like public Facebook profiles. I don't know why people are continually surprised that stuff they post publicly on the internet can end up in someone's database.

If you don't want to be profiled by government agencies and LE, don't post public content. Actually, don't post to any social media in an identifiable way.

The server that hosted OVDB got rebooted and admin was away. It was using full disk encryption so it had to be booted manually. At that point admin was busy / away or something and had already been having thoughts of shutting it down. Basically he just let it go. This was November of 2011 or so. Some of the old OVDB members came to SR forum which is why there's a subforum for that now (look all the way at the bottom).

OVDB admin has been posting as kmfkewm on this forum.

Congratulations, you just suggested a 5-hop proxy circuit. Why stop there, you could rent out 100 VPN's in every country hostile to yours and make it super difficult for anyone to locate the source of the connection, and by the time they figured it out your first packet would have just made it through. Tor was made as to get past the age old method of proxy chaining (the same method botnet owners use to control their botnets anonymously), and without having to sacrifice ones sanity waiting for the connection to go through.

It's interesting that you mention that, because Tor Project member Jacob Appelbaum, who has a well known state adversary, has admitted to using multiple layered VPNs to access Tor.

Again, depends on your threat model. LE is unlikely to spend as much resources on a low level drug dealer as on an associate of Julian Assange.

Neither a bridge nor a VPN offer perfect security, because

1. Bridges can be identified (although it is difficult to enumerate all of them because of the way they are distributed)

2. VPNs can see your entire connection, who you are (your IP address) and where you're going (the destination IP address). Even if they don't log right now, they could be compelled by LE to log your activity.

However, the way to look at it is that each piece offers an additional layer of security.

So, VPN + bridge + Tor > bridge + Tor  or  VPN + Tor > just Tor

For the best (but not perfect) hiding of your Tor activity, get a VPN in a foreign country (to maximize jurisdictional issues), AND configure your Tor client to use an obfsproxy bridge.


Actually, there's an even better solution, but it's more difficult to implement. Rent a VPS anonymously in another country and turn it into a private (unpublished) obfsproxy bridge. Someone watching your local internet connection won't know what the hell it is. It won't show up in the list of bridges if they enumerate those, and won't show up as a known VPN or proxy provider. The connection won't even look like a Tor connection (although the hand shake will, at least until obfs3 comes out). It will simply look like a box at a random hosting provider.

Here's how to do it on an OpenWRT router:

https://forum.openwrt.org/viewtopic.php?id=27354

Which is cheaper than a second computer. I just don't like the idea of having the middle box face the public internet. I would rather it go

public internet -> router -> anon middle box -> main computer

For that you need to custom build a computer with 2 network interface cards, then install Linux or a BSD, then configure the transparent proxy. There are lots of tutorials on installing Linux and Free/OpenBSD. To configure the transproxy, see here:

Linux
https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#AnonymizingMiddlebox

BSD
https://trac.torproject.org/projects/tor/wiki/doc/TransparentProxy#AnonymizingMiddlebox1

Once I finally get up and running properly is there a way to write over deleted stuff on my hard drive so I start a fresh using either liberte or tails knowing that nothing bad is on hard drive?

DBAN it and reinstall the OS.

http://dban.org

http://dkn255hz262ypmii.onion/index.php?topic=99520.msg699299#msg699299

I have recently bought a MacBook, I burned tails onto a disk and also I installed GPGtools nightly build (as thats what I was advised in newbie section) onto my computer and moved onto a USB stick hoping I could boot computer up with tails then open GPG from my USB stick but it didn't work and after googling it found out GPG wont work on tails as tails is linux?

GPG was first written for Linux and later ported to Windows and OS X. Of course it exists for Linux. However, "GPGTools" is a port specific to OS X.

Tails comes with its own GPG programs.

https://tails.boum.org/doc/encryption_and_privacy/gpgapplet/index.en.html

What I have now is Tor browser stored on a USB which I open up from my desktop and also has GPGtools on it.

So with what I have now not using tails is safe providing you never get a visit from LE and laptop taken away right?

Well, if you never get a visit from LE, then it doesn't matter what you do.

The whole point of security measures is to prepare for the worst case scenario. If that thumb drive isn't encrypted, your identity and activity in this community could be revealed to LE.

If everything was booted through tails or liberte nothing would be found on my computer, browsing history, emails etc?

Correct. Tails is designed to be booted from read-only media and save nothing on disk. There is an optional encrypted persistent volume.

The Tor browser bundle doesn't store cache or browsing history on disk either, but if you save bookmarks or passwords, those will be stored on disk.

I'm an expert on computers and security so if anyone can advise me on how to be most secure would be great as I'm really struggling and stressing me out!

There's no simple answer to that question, because people operate with different threat models and computing requirements. Some people share computers with roommates or go to libraries and they can't implement certain security features. Also, from talking to hundreds of people on the forum, I've learned that when people ask to be "most" secure, they really mean some optimal trade off between security and convenience.

Are you using a 64 character password on your SR account? Well, why not? That's MORE secure than a 16 character password. The most secure would be whatever the hardcoded limit is for the password field, probably 256 characters. This feature is easy to implement, so if you're not using a max size password, you don't really want to be MOST secure, you want some convenience.