Silk Road forums

Discussion => Security => Topic started by: Miah on May 27, 2013, 05:21 am

Title: Security Advice needed
Post by: Miah on May 27, 2013, 05:21 am
I've pretty much gone through this whole forum looking for a definitive answer on how secure your computer should be. I've concluded that's not an answer that can be provided for you but it depends on the context in which the computer is used and your own personal needs. With that being said what level of security would most people feel comfortable with as a vendor?

There's a plethora of options which is great but going back to the context in which the computer is being used by a vendor then the most secure option should be used. It seems there's two popular choices that I'm aware of:

1) USB with TAILS installed
2) VM hidden with Truecrypt

Now where do VPNs fit into this equation? And if they do, why wouldn't I just roll my own? In the case of LE ever triangulating your co-ordinates by narrowing down who uses ToR in the area that your packages get shipped out, a VPN could further hide your IP address (correct me if I'm wrong).

I understand it's not viable to secure your computer from threats completely but I'd be interested in hearing different opinions.

Title: Re: Security Advice needed
Post by: P2P on May 27, 2013, 06:03 am
A VPN does not hide your IP address. It directs all traffic toward the servers of the VPN you are using. From there, you browse. I believe you would just run the VPN on whatever OS you are using (it's just a program you download). You need to choose a great VPN though, one you can pay with bitcoin, and one that does not keep records. It's chump change for the level of security it provides. It would protect against an ISP proving you use TOR, but not in the way you think. They could probably prove you use a VPN, but there's not really much they can do from there. And that's certainly no reason to kick someone's door in (neither is tor). Provided you haven't already been convicted of serious drug/computer-related crimes, you don't have to worry about being profiled for using TOR (and this is only if you were under investigation for something else already). Whether or not someone uses tor or a VPN isn't even really a basis for any sort of investigation. You'd have to be suspected of something serious for your browsing habits to even matter to anyone, and even then they'd be a complete side note in any court case. More of a "Yeah he's up to something" that can't really be proved or corroborated with solid evidence (unless they somehow obtained and cracked the encrypted drive you store all your info on).
Title: Re: Security Advice needed
Post by: danny666 on May 27, 2013, 06:32 am


Middle box VM

http://dkn255hz262ypmii.onion/index.php?topic=164295.msg1165034#msg1165034
Title: Re: Security Advice needed
Post by: jase00 on May 27, 2013, 08:12 am
I'm probably wrong (as I am not that familiar with TOR or iptables... I prefer BSD) but anyways... in the tutorial doesn't it allow DNS to pass through? And if so... wouldn't DNS be the thing most likely to leak the URL if TOR had an issue?
Title: Re: Security Advice needed
Post by: danny666 on May 27, 2013, 01:35 pm
No, DNS is forced over tor. I have done many leak tests and nothing has revealed my real IP yet.
Title: Re: Security Advice needed
Post by: SelfSovereignty on May 27, 2013, 02:24 pm
Soooo... I hate to come off as condescending, but I don't think you guys are really fully aware of how Tor and DNS work.  I sincerely mean no offense, it's just the impression I get.

A domain name server (DNS) holds the IP addresses for all the clients under its domain.  Basically.  A DNS query is what you call it when you send a message to the DNS asking for a client on its domain.  It returns the numeric 127.0.0.1 style IP address to you, and you then address your packet to said IP and send it off into oblivion.  Then it gets routed to the destination.  That's the gist of it.

DNS is not forced over Tor.  Tor simply implements its own system.  The problem is that its system is built on top of the usual internet one, so any program not aware of the fact that it should leave all DNS queries up to the Tor program can just go off and ask for the IP itself.  Not all programs do this, but some do.  What Tails does is just forcibly redirect ALL traffic through Tor, so even if some program tries to do its own address resolution, it doesn't actually contact a DNS and say "hi, address of Silk Road the BIGGEST DRUG SITE EVER plz!"  Or something to that effect anyway :)

A Virtual Private Network is basically something that takes your computer and makes it a part of an abstract, logical (as opposed to physical) network.  It's supposed to be an extra layer of protection, but... I don't know.  I mean it all depends on who you're using, and I have no experience with it at all except for places I've worked to be able to access classified in-network-only data when I was off site.  I don't care for them myself and would avoid that route, but again, my opinion is only semi-informed.  Take it as such.

Personally I think anything except Windows is acceptably secure.  Windows probably is too, I just don't care for how much harder it is to look under the hood in Windows than in Linux.  There's a lot of worrying that goes on about technical security, but really, if you're selling... you should be worried about them charging you for the drugs you possess and the selling of them.  They're very unlikely to want you badly enough to look in this kind of depth at anyone.

My feeling is the only reason they ever even would is if they can't pin the usual stuff on somebody or they think a lot more is going on.  Or maybe throw it in just to scare you into plea bargaining or something, I dunno.

Quote
I'm probably wrong (as I am not that familiar with TOR or iptables... I prefer BSD) but anyways... in the tutorial doesn't it allow DNS to pass through? And if so... wouldn't DNS be the thing most likely to leak the URL if TOR had an issue?


I'm sorry, but I can't understand your question or the assumptions that are the basis of it.  A URL is just a Universal Resource Location (locator?  Whatever).  http://something.someone.whatevs is a URL.  HTTP is the protocol, and the rest is the name of something.  The DNS turns that into a numeric location that you then use, but the URL itself doesn't leak anything except... well, that you want a certain site over a certain protocol (HTTP = HyperText Transfer Protocol).

P.S. - it's Tor, not TOR.  It's not technically an acronym, it's just a sort of... moniker I think.  Anyway, for some reason it's Tor, and if you use TOR people assume you don't know enough about it to even know it's "Tor" yet.
Title: Re: Security Advice needed
Post by: jase00 on May 27, 2013, 02:56 pm
I'm familiar with DNS, HTTP URLs etc etc... not so much with Tor but I do appreciate your assistance.
My question wasn't very well written. I meant if you're using the Tor browser bundle, for example, and for whatever reason Tor isn't functioning properly... couldn't your DNS request go out via your normal DNS servers (which could perhaps be your ISP's?) and then I was thinking shouldn't iptables block DNS requests, in case that did happen?

I imagine the DNS is only pushed through Tor for resolution because you tell the browser to use Tor as a proxy? The same way as if you use a proxy at work or whatever and all DNS that's not excluded in a proxy.pac is sent through to the proxy to resolve?

Title: Re: Security Advice needed
Post by: SelfSovereignty on May 27, 2013, 03:04 pm
Quote
I'm familiar with DNS, HTTP URLs etc etc... not so much with Tor but I do appreciate your assistance.
My question wasn't very well written. I meant if you're using the Tor browser bundle, for example, and for whatever reason Tor isn't functioning properly... couldn't your DNS request go out via your normal DNS servers (which could perhaps be your ISP's?) and then I was thinking shouldn't iptables block DNS requests, in case that did happen?

I imagine the DNS is only pushed through Tor for resolution because you tell the browser to use Tor as a proxy? The same way as if you use a proxy at work or whatever and all DNS that's not excluded in a proxy.pac is sent through to the proxy to resolve?

Ohhh, I see what you're asking.  Apologies if I was patronizing or anything.  No, it still won't leak even if Tor isn't currently running: Firefox just fails if the proxy you set is unacceptable.  The Tor browser bundle is a version of Firefox.  Though I can't be positive: I know it just fails, but now that I think about it, I never actually checked whether it goes off and does address resolution anyway... I don't think it's that silly or anything, but I've never checked personally.
Title: Re: Security Advice needed
Post by: ProudCannabian on May 27, 2013, 03:30 pm
TOR = The Onion Router
Definitely an acronym.
Title: Re: Security Advice needed
Post by: DoctorFate on May 27, 2013, 04:09 pm
@Miah, you have the right idea.  Tails and Truecrypt are great ways to stay safe but they aren't just about helping you be untraceable, they are about getting caught. 

In the worst case scenario you get caught for something, they take your computers etc but by using tails and/or a truecrypt, you drastically reduce the chances of LE finding enough evidence to substantiate their charges.  Not enough evidence may break their case and help you get off.

That is why it's good to keep everything like that in one place ready to be covertly hidden and/or destroyed.  I have everything that could incriminate me on a little piece of plastic that I connect when I need access.  I can crush it with my teeth or dispose of it very easily and discreetly.  If I can't dispose of it and for whatever reason am caught by LE who found the truecrypt volume, I can comfortably give them a tertiary password for some random files making me look less guilty muahaha love truecrypt
Title: Re: Security Advice needed
Post by: SelfSovereignty on May 27, 2013, 04:50 pm
Quote
TOR = The Onion Router
Definitely an acronym.

Definitely proved my point.  Tor encompasses the entire project, more or less.  Like the difference between 5 bitcoins and "Bitcoin" with a capital B: one's a coin, one's an entire ecosystem.
Title: Re: Security Advice needed
Post by: Miah on May 27, 2013, 08:33 pm
Great information here guys! That clears up pretty nicely. So it looks like TAILS is the best method and safest then? If LE ever come a knocking just flush that usb bad boy down the toilet. Keep no records on your computer (like that idiot kid that got busted in AU who kept a written ledger of all drug transactions lol) or in your house and don't be an idiot and keep your house clean if you're a vendor.

Also if and when I start vending I won't use my home computer for such things. I'll just use a laptop and roam for wi-fi or find a wi-fi that has a WEP key and break into it. Of course I'd have to change my mac address or just buy a cheap second hand laptop with cash and good to go. =)
Title: Re: Security Advice needed
Post by: astor on May 27, 2013, 09:16 pm
Quote
Great information here guys! That clears up pretty nicely. So it looks like TAILS is the best method and safest then? If LE ever come a knocking just flush that usb bad boy down the toilet.

Yeah, it's the best out of the box solution.


Quote
Keep no records on your computer (like that idiot kid that got busted in AU who kept a written ledger of all drug transactions lol) or in your house and don't be an idiot and keep your house clean if you're a vendor.

And be very careful about using mobile phones. So many cases that I hear about where people get busted, a lot of evidence is found on their phone. Even if it's purchased anonymously and the storage medium is encrypted, there's a saying that metadata in aggregate is content. The records of who you called and when and from where tell a story. Really, if I was dealing and had to use a phone, I would change it all the time. That way if the shit hits the fan, they only have records for the last phone, which would go back a short time.


Quote
Also if and when I start vending I won't use my home computer for such things. I'll just use a laptop and roam for wi-fi or find a wi-fi that has a WEP key and break into it. Of course I'd have to change my mac address or just buy a cheap second hand laptop with cash and good to go. =)

I would be careful about hacking other people's wifi, because it could get you in trouble for reasons unrelated to dealing, but that could compromise your whole set up. Don't break any more laws than you have to.

Between hiding your Tor use with a VPN or bridge, and accessing Tor through public wifi, I think the options are about even. There are trade offs to both. Sure, a determined adversary could work with the VPN provider to unmask your Tor use, but they would have to know which VPN provider to contact about which IP address. It is unlikely you'd be identified behind a VPN through a fishing expedition, although there are attacks that LE could do to identify vendors, see here:

http://dkn255hz262ypmii.onion/index.php?topic=159722.msg1129048#msg1129048

Public wifi is a good way to guarantee no Tor use is linked to your home, but there's a really high chance that you will be on camera. Even back alleys have security cameras these days, and if you want to sit in a store or some public courtyard or whatever, you will certainly be on camera. That could be dangerous if someone links your activity to that spot.
Title: Re: Security Advice needed
Post by: Miah on May 28, 2013, 12:47 am
Quote
I would be careful about hacking other people's wifi, because it could get you in trouble for reasons unrelated to dealing, but that could compromise your whole set up. Don't break any more laws than you have to.

Between hiding your Tor use with a VPN or bridge, and accessing Tor through public wifi, I think the options are about even. There are trade offs to both. Sure, a determined adversary could work with the VPN provider to unmask your Tor use, but they would have to know which VPN provider to contact about which IP address. It is unlikely you'd be identified behind a VPN through a fishing expedition, although there are attacks that LE could do to identify vendors, see here:

http://dkn255hz262ypmii.onion/index.php?topic=159722.msg1129048#msg1129048

Public wifi is a good way to guarantee no Tor use is linked to your home, but there's a really high chance that you will be on camera. Even back alleys have security cameras these days, and if you want to sit in a store or some public courtyard or whatever, you will certainly be on camera. That could be dangerous if someone links your activity to that spot.

Good info.. went through that thread and found the info there useful as well. For the past three months I've just been reading the security forum. The amount I've learnt from reading Astors, kmfkewn, and PINES post is more than I could learn in any book, lol.

From the cases of where supposed dealers on SR get caught the common denominator to me seems to be they were also dealing in real life. I'm not sure why they would do that, most likely greed but that's not something I would do. In my eyes being a vendor is a huge responsibility. From the packaging, shipping, bitcoin laundering. These are all things that I want to have answers for and a plan that I'm happy with before I even start vending.
Title: Re: Security Advice needed
Post by: yodude420 on May 28, 2013, 01:01 am
idk if this is subbing
Title: Re: Security Advice needed
Post by: astor on May 28, 2013, 01:57 am
Quote
From the cases of where supposed dealers on SR get caught the common denominator to me seems to be they were also dealing in real life.

I've anecdotally noticed that as well. Although it should be noted that most vendors don't get their drugs out of thin air. Even the ones who don't sell locally are usually part of a drug distribution network, since they get their drugs from somewhere, so they are exposed to many of the traditional risks of drug distribution in meatspace. Even people who manufacture their own drugs will need to get the reagents and precursors somewhere. They could get busted when those networks are compromised.

IMHO, the best and safest drug to vend is mushrooms, because you only need to get the spores from an external source once and you can maintain a self-sustaining colony with products that can be purchased in any department or hardware store. It is possible to grow mushrooms and have zero other people IRL know about it, which is the way I would do it. And if you only sell online, the attack surface against you is very small. That's harder to do with cannabis, and other botanicals don't sell as well.

But hey, sell what you love. :)

Quote
In my eyes being a vendor is a huge responsibility. From the packaging, shipping, bitcoin laundering. These are all things that I want to have answers for and a plan that I'm happy with before I even start vending.

That's a great attitude to have.
Title: Re: Security Advice needed
Post by: Miah on May 28, 2013, 02:37 am
Quote
I've anecdotally noticed that as well. Although it should be noted that most vendors don't get their drugs out of thin air. Even the ones who don't sell locally are usually part of a drug distribution network, since they get their drugs from somewhere, so they are exposed to many of the traditional risks of drug distribution in meatspace. Even people who manufacture their own drugs will need to get the reagents and precursors somewhere. They could get busted when those networks are compromised.

You touched on something I've often thought about but forgot to mention that too. The biggest weakness in my plan so far is just like you said the drugs need to come from somewhere. Whether they're made, or shipped in, or bought locally if I was LE that's where I would start my investigation and my leg work. So far I haven't come up with a solution to that aspect that I'm happy with. It seems each has a certain level of risk and as much as you plan some things are not in your control. I think the safest vendor would be one that just sells his prescription on SR. He/She can keep the drugs at home because they are his after all but the only flaw with that solution is I don't know how my Doctor will feel about me asking him for 500 vicodins, lol. But then again I've seen some very creative solutions to that problem as well but that also involves exposure. Like you said earlier break as few laws as possible seems to be a good motto.
Title: Re: Security Advice needed
Post by: astor on May 28, 2013, 03:32 am
Quote
You touched on something I've often thought about but forgot to mention that too. The biggest weakness in my plan so far is just like you said the drugs need to come from somewhere. Whether they're made, or shipped in, or bought locally if I was LE that's where I would start my investigation and my leg work.

Yeah definitely. LE is a lot more interested in manufacturers and distributors than in buyers, so targeting distribution sources is a useful attack vector. To that end, it's a security risk to buy vendor-specific products from other vendors. There are SR vendors who sell baggies, MBBs, shipping supplies. That's a great place for LE to insert themselves. Even if you buy those products under an alternate buyer account, only vendors buy those products.

Same goes for reagents and precursors. I wouldn't buy sassafras oil from anyone on the internet as they are likely to be LE. From what I understand, the major manufacturers source that stuff in person by traveling to the relevant parts of the world, and building personal relationships with local suppliers.

Anyone trying to make MDMA from a guide they bought on the internet is likely to fail. Anyone making MDMA from precursors they purchased entirely on the internet is likely to get arrested.

Quote
So far I haven't come up with a solution to that aspect that I'm happy with. It seems each has a certain level of risk and as much as you plan some things are not in your control. I think the safest vendor would be one that just sells his prescription on SR. He/She can keep the drugs at home because they are his after all but the only flaw with that solution is I don't know how my Doctor will feel about me asking him for 500 vicodins, lol.

Yeah, that would be safe too, but as you pointed out, limited to whatever you can get legally. You're basically at the whim of your doctor, unless you start doctor shopping and then you open yourself to risk again.