Silk Road forums

Discussion => Security => Topic started by: mcguire39 on July 22, 2013, 02:09 pm

Title: Concern with Windows even if using TrueCrypt hidden partition?
Post by: mcguire39 on July 22, 2013, 02:09 pm
So say you are using Windows, and you have your good files on a TrueCrypt partition, and your secret files inside a hidden partition inside that. Now let's say Windows' stupid 'recently used documents' list just happens to show all the files you opened recently from your hidden partition. Wouldn't that be a giveaway to LE if your computer is analyzed?

Maybe they see some of the files from the normal TrueCrypt partition having been opened in your recent file list. Which is fine, you can give them the password for the normal truecrypt partition. But then when they see other files on some other drive letter that they don't see in the TrueCrypt partition you gave them the password to, it just seems like it will be obvious to them that either (a) you have another USB drive or external storage you did not tell them about, or (b) you have a hidden partition that you are denying you have.

It probably goes without saying that Windows isn't the best choice for this application anyway.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: astor on July 22, 2013, 03:34 pm
So say you are using Windows, and you have your good files on a TrueCrypt partition, and your secret files inside a hidden partition inside that. Now let's say Windows' stupid 'recently used documents' list just happens to show all the files you opened recently from your hidden partition. Wouldn't that be a giveaway to LE if your computer is analyzed?

Yes, it would. I've mentioned this problem repeatedly and it's the reason I recommend against using Truecrypt files. You should use full disk encryption or Tails, which has a persistent volume but there is no unencrypted area to leak data onto, since the root partition is mounted in RAM and it doesn't touch your hard drive.

Quote
Maybe they see some of the files from the normal TrueCrypt partition having been opened in your recent file list. Which is fine, you can give them the password for the normal truecrypt partition. But then when they see other files on some other drive letter that they don't see in the TrueCrypt partition you gave them the password to, it just seems like it will be obvious to them that either (a) you have another USB drive or external storage you did not tell them about, or (b) you have a hidden partition that you are denying you have.

It probably goes without saying that Windows isn't the best choice for this application anyway.

Truecrypt can fully encrypt a running Windows system. Do that or switch to Tails.
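To make the leak concrete (an added example, not part of any post in this thread): Windows drops a .lnk shortcut into %APPDATA%\Microsoft\Windows\Recent for every document you open, and each shortcut stores the full target path, drive letter included. The Python below builds a few constructed shortcuts with a minimal version of the Shell Link format, parses the LinkInfo block back out the way an examiner's tooling would, and flags every target that sits on a drive letter the owner has not accounted for. The file names, the drive letters and the assumption that the hidden volume was mounted as E: are made up for the example; real shortcuts also carry timestamps, an IDList and extra data blocks, which the parser skips over.

```python
import re
import struct
from typing import List, Optional, Tuple

# Constants from the Shell Link (.lnk) format.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
FLAG_HAS_LINK_TARGET_ID_LIST = 0x00000001
FLAG_HAS_LINK_INFO = 0x00000002
LINKINFO_VOLUMEID_AND_LOCAL_BASE_PATH = 0x00000001
DRIVE_LETTER = re.compile(r"^([A-Za-z]):\\")


def build_lnk(target_path: str) -> bytes:
    """Build a minimal .lnk blob whose LinkInfo block carries target_path.
    Constructed sample input for this example: timestamps, IDList and
    extra data blocks that a real shortcut has are left out or zeroed."""
    header = struct.pack(
        "<I16sIIQQQIIIHHII",
        LNK_HEADER_SIZE, LNK_CLSID, FLAG_HAS_LINK_INFO,
        0x20,            # FileAttributes: FILE_ATTRIBUTE_ARCHIVE
        0, 0, 0,         # creation / access / write FILETIMEs
        0, 0, 1,         # FileSize, IconIndex, ShowCommand (SW_SHOWNORMAL)
        0, 0, 0, 0,      # HotKey, Reserved1, Reserved2, Reserved3
    )
    # VolumeID: size, DriveType (3 = fixed disk), serial, label offset, empty label.
    volume_id = struct.pack("<IIII", 0x11, 3, 0, 0x10) + b"\0"
    base_path = target_path.encode("cp1252") + b"\0"   # LocalBasePath (ANSI)
    suffix = b"\0"                                      # empty CommonPathSuffix
    hdr = 0x1C                                          # LinkInfoHeaderSize without unicode offsets
    link_info = struct.pack(
        "<7I",
        hdr + len(volume_id) + len(base_path) + len(suffix),  # LinkInfoSize
        hdr,                                                  # LinkInfoHeaderSize
        LINKINFO_VOLUMEID_AND_LOCAL_BASE_PATH,                # LinkInfoFlags
        hdr,                                                  # VolumeIDOffset
        hdr + len(volume_id),                                 # LocalBasePathOffset
        0,                                                    # CommonNetworkRelativeLinkOffset
        hdr + len(volume_id) + len(base_path),                # CommonPathSuffixOffset
    ) + volume_id + base_path + suffix
    return header + link_info + b"\0\0\0\0"  # TerminalBlock ends the ExtraData section


def lnk_target_path(data: bytes) -> Optional[str]:
    """Return LocalBasePath + CommonPathSuffix of a shortcut, or None if it has no local target."""
    if len(data) < LNK_HEADER_SIZE or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & FLAG_HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", data, pos)[0]  # skip the IDList entirely
    if not flags & FLAG_HAS_LINK_INFO:
        return None
    # LinkInfo: size, header size, flags, VolumeID offset, base path offset,
    # network link offset, common suffix offset; offsets are relative to 'pos'.
    _size, _hdr, info_flags, _vol, base_off, _net, suffix_off = struct.unpack_from("<7I", data, pos)
    if not info_flags & LINKINFO_VOLUMEID_AND_LOCAL_BASE_PATH:
        return None  # network-only target; outside this example

    def cstring(off: int) -> str:
        return data[off:data.index(b"\0", off)].decode("cp1252")

    return cstring(pos + base_off) + cstring(pos + suffix_off)


def undisclosed_targets(shortcuts: List[Tuple[str, bytes]], disclosed_drives) -> List[Tuple[str, str]]:
    """Shortcuts whose target lives on a drive letter the owner did not account for."""
    disclosed = {d.upper() for d in disclosed_drives}
    hits = []
    for name, blob in shortcuts:
        path = lnk_target_path(blob)
        m = DRIVE_LETTER.match(path or "")
        if m and m.group(1).upper() not in disclosed:
            hits.append((name, path))
    return hits


# Constructed Recent-folder contents: C: is the system drive, D: is the outer
# TrueCrypt volume whose password was handed over, E: was the hidden volume.
SAMPLE_RECENT = [
    ("resume.lnk", build_lnk(r"C:\Users\alice\Documents\resume.docx")),
    ("taxes.lnk", build_lnk(r"D:\finance\taxes-2012.pdf")),
    ("ledger.lnk", build_lnk(r"E:\orders\ledger.ods")),
]

if __name__ == "__main__":
    for name, path in undisclosed_targets(SAMPLE_RECENT, {"C", "D"}):
        print(f"{name}: {path}")
```

Run against a real Recent folder you would read each .lnk from disk instead of calling build_lnk; the one unexplained E: entry is exactly the "other drive letter" problem from the first post, and the timestamps in the real shortcut and the folder's MFT entries narrow down when it was opened.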
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: BlackIris on July 22, 2013, 04:09 pm
Now let's say Windows' stupid 'recently used documents' list just happens to show all the files you opened recently from your hidden partition. Wouldn't that be a giveaway to LE if your computer is analyzed?

There is a way to not have Windows record your recently used files, histories etc.; however, some traces of the use of Tor or similar would still remain no matter what (however, Tor in itself is not illegal; you can, for example, also put it on the non-hidden partition with ad hoc bookmarks to have plausibility).

Best is naturally to do a full system disk partition if you use Windows, but in places where not giving away the password is illegal (as in the UK) I would actually prefer not doing it and going with the above if you HAVE to use Windows (and if you have to, you can use a Whonix VM, for example). Naturally if you are a vendor or buying in bulk you would be an idiot not to use something like Tails instead.

EDIT: WHERE IS MY PROFILE PHOTO?? DPR I will kill you! Grrrr
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: kmfkewm on July 22, 2013, 05:06 pm
I would generally avoid Tails without persistent entry guards; it is more of a risk than a benefit. If you are not using new wifi access points every time then you are not using Tails for what it was made for. It is not a sit-at-home, use-it-like-a-normal-OS system, and if you use it like that then you are just going to severely degrade the anonymity that Tor can provide. I thought newer versions of Tails had addressed this with the ability to have persistent entry guards, but no luck, so fuck Tails. They probably do more to hurt people's anonymity than help them; 95% of people using Tails are essentially needlessly giving up entry guards without any benefit to themselves in doing so.

Giving up entry guards for unlinkability between wireless access points is a fine idea, but when people are not using Tails from random wifi access points they are protecting themselves from unlinkability but not really, since everything originates from the same connection, but they are definitely sacrificing their entry guards. Using Tails like a normal OS for a year could be equal to using Tor regularly for 70 years as far as entry guard churn goes.

I think it is a bit stupid that Tails developers don't make this risk more well known; they are aiming for a really special mode of operation, and most people don't need an 'amnesiac' OS, are not getting any benefit from it, but are getting a serious disadvantage from it by not having persistent entry guards. I am willing to bet that the large majority of people using Tails do not use it in a way consistent with what it is trying to do, and that a lot of its users are needlessly sacrificing their anonymity for absolutely no real gain.

If you make heavy use of WiFi in how you go about achieving anonymity, and especially and particularly if you use different random wireless access points in an attempt to maintain your anonymity, then Tails might be right for you, and in fact it might be the best thing for you with little competition. If you are using your own internet, or internet from a static location such as a neighbor's insecure wireless router, then Tails is almost certainly going to do you a lot more damage than good. I don't think people are really clear on how particular it is when it makes sense to use Tails and when using Tails is a sacrifice of Tor anonymity to gain unlinkability between wireless access points and wireless sessions.
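The "70 years" comparison above, worked through as an added example (this is not from kmfkewm's post). Assumptions: the Tor client defaults of the time, three entry guards kept for one to two months (45 days is used as a middle value); a Tails session that picks three fresh guards at every boot because nothing persists; and an adversary that controls a fixed fraction of guard selection probability. Guard picks are treated as independent, which ignores bandwidth weighting, and landing on a bad guard is only the first half of a correlation attack, so the probabilities are exposure, not a probability of being caught.

```python
import math


def guard_picks_persistent(days: int, num_guards: int, lifetime_days: int) -> int:
    """Distinct guard selections over 'days' when each guard set is kept for lifetime_days."""
    return num_guards * math.ceil(days / lifetime_days)


def guard_picks_amnesic(days: int, num_guards: int, boots_per_day: int) -> int:
    """Distinct guard selections when every boot starts from scratch with a fresh guard set."""
    return num_guards * days * boots_per_day


def p_at_least_one_bad(picks: int, bad_fraction: float) -> float:
    """Probability that at least one of 'picks' independent selections lands on a guard the
    adversary controls, when each pick does so with probability bad_fraction (assumed model)."""
    return 1.0 - (1.0 - bad_fraction) ** picks


def compare(days: int = 365, num_guards: int = 3, lifetime_days: int = 45,
            boots_per_day: int = 1, bad_fraction: float = 0.01) -> dict:
    """Side-by-side exposure for one year of use under both behaviours."""
    persistent = guard_picks_persistent(days, num_guards, lifetime_days)
    amnesic = guard_picks_amnesic(days, num_guards, boots_per_day)
    return {
        "picks_persistent": persistent,
        "picks_amnesic": amnesic,
        "churn_ratio": amnesic / persistent,
        "p_bad_persistent": p_at_least_one_bad(persistent, bad_fraction),
        "p_bad_amnesic": p_at_least_one_bad(amnesic, bad_fraction),
    }


if __name__ == "__main__":
    for boots in (1, 2):
        r = compare(boots_per_day=boots)
        print(f"{boots} boot(s)/day: {r['picks_amnesic']} guard picks vs {r['picks_persistent']}"
              f" (x{r['churn_ratio']:.0f}); P(at least one bad guard)"
              f" {r['p_bad_amnesic']:.3f} vs {r['p_bad_persistent']:.3f}")
```

With these numbers one boot a day gives about 40 times the guard churn of a persistent client and two boots a day about 80, which brackets the "70 years" figure. If the adversary holds one guard pick in a hundred, the persistent user has roughly a one in four chance of ever touching a bad guard over the year; the amnesic user is practically certain to.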
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: astor on July 22, 2013, 05:18 pm
For a lot of people, it's a practical issue. The risk of getting pwned by an entry node if you are an end user only visiting hidden services (ie, most people here) is relatively low, since it's never been demonstrated in the wild. The risk of LE finding incriminating evidence on your hard drive or of Windows malware infecting your computer and stealing your logins or other sensitive data are much higher, because we've seen both happen many times. Some people can't do full disk encryption for various reasons, so Tails is a good option.

Plus, you can manually add bridges each time you boot, if you're really worried about it, and that's even better than monthly rotating entry guards.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: HenryC0833 on July 22, 2013, 06:07 pm
Does VirtualBox plug these leaks? I have a Linux VM on a hidden volume on my Windows host machine. All SR business is done through a Tor connection within that VM.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: kmfkewm on July 22, 2013, 06:16 pm
For a lot of people, it's a practical issue. The risk of getting pwned by an entry node if you are an end user only visiting hidden services (ie, most people here) is relatively low, since it's never been demonstrated in the wild. The risk of LE finding incriminating evidence on your hard drive or of Windows malware infecting your computer and stealing your logins or other sensitive data are much higher, because we've seen both happen many times. Some people can't do full disk encryption for various reasons, so Tails is a good option.

Plus, you can manually add bridges each time you boot, if you're really worried about it, and that's even better than monthly rotating entry guards.

The risk is not relatively low, it is massively increased, by the time it is demonstrated in the wild it will probably be associated with people being sent to prison.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: BlackIris on July 22, 2013, 06:25 pm
So, for home users who cannot do full disk encryption, what do you suggest? A Whonix VM?
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: astor on July 22, 2013, 06:29 pm
The risk is not relatively low, it is massively increased, by the time it is demonstrated in the wild it will probably be associated with people being sent to prison.

It's lower than visiting clearnet sites. Presumably the hidden service is using entry guards, so think of the connection as being backwards, where your entry nodes are the exit nodes, except you keep them for the whole session, whereas normal exit nodes rotate every ten minutes. So the chances of randomly picking bad nodes at the edges is lower. Now if the attacker lucks out as an entry point or brute forces his way to be an hsdir, then the chances are higher.

In any case, you can use persistent bridges.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: astor on July 22, 2013, 06:32 pm
Well, with a VM, even with an encrypted virtual disk, you're still leaving evidence on your hard drive. VirtualBox will leave logs of when the VM was run, which can be used to correlate your activity. Of course, someone could look at your Windows logs of when you boot up and shut down and infer that for a bootable OS too. Really the best option is a dedicated computer for sensitive stuff, but again that's not practical for a lot of people.
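What the VirtualBox logs astor mentions actually hand an examiner, as an added example (not from the post): each VBox.log in the VM's Logs folder carries a "Log opened <UTC timestamp>" line near the top, and every later line is prefixed with the time elapsed since then, so one log yields a start time and, from its last line, an end time, even if the encrypted virtual disk itself never opens. The log excerpts below are constructed for the example (the line shapes follow real VBox.log files); the last function answers the correlation question, which VM session was running at a given moment.

```python
import re
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Every VBox.log line starts with hh:mm:ss.uuuuuu elapsed since the log was opened.
OFFSET = re.compile(r"^(\d{2}):(\d{2}):(\d{2})\.(\d{6})\s")
# The absolute wall-clock anchor appears once near the top of the file.
LOG_OPENED = re.compile(
    r"^\d{2}:\d{2}:\d{2}\.\d{6}\s+\S+\s+Log opened (\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d+)Z$"
)


def vm_session(log_text: str) -> Optional[Tuple[datetime, datetime]]:
    """(start, end) in UTC for one VBox.log, or None if the anchor line is missing."""
    start = None
    last_offset = timedelta(0)
    for line in log_text.splitlines():
        m = LOG_OPENED.match(line)
        if m:
            # VirtualBox prints nanoseconds; datetime parses at most microseconds.
            start = datetime.strptime(m.group(1)[:26], "%Y-%m-%dT%H:%M:%S.%f").replace(tzinfo=timezone.utc)
        m = OFFSET.match(line)
        if m:
            h, mi, s, us = (int(x) for x in m.groups())
            last_offset = timedelta(hours=h, minutes=mi, seconds=s, microseconds=us)
    if start is None:
        return None
    return start, start + last_offset


def vm_timeline(logs: Dict[str, str]) -> List[Tuple[str, datetime, datetime]]:
    """All sessions found in a Logs directory (VBox.log, VBox.log.1, ...), oldest first."""
    sessions = []
    for name, text in logs.items():
        span = vm_session(text)
        if span:
            sessions.append((name, span[0], span[1]))
    return sorted(sessions, key=lambda s: s[1])


def session_covering(timeline, when) -> Optional[str]:
    """Name of the log whose session was running at 'when' (datetime or ISO-8601 string)."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    for name, start, end in timeline:
        if start <= when <= end:
            return name
    return None


# Constructed log excerpts for the example.
SAMPLE_LOGS = {
    "VBox.log.1": (
        "00:00:00.000000 main     VirtualBox VM 4.2.16 r86992 win.amd64 release log\n"
        "00:00:00.004000 main     Log opened 2013-07-22T18:32:01.123456000Z\n"
        "00:00:03.210000 main     Changing the VM state from 'CREATED' to 'POWERING_ON'\n"
        "01:47:12.500000 main     Changing the VM state from 'RUNNING' to 'POWERING_OFF'\n"
    ),
    "VBox.log": (
        "00:00:00.000000 main     VirtualBox VM 4.2.16 r86992 win.amd64 release log\n"
        "00:00:00.003000 main     Log opened 2013-07-23T01:05:40.000000000Z\n"
        "00:25:00.000000 main     Changing the VM state from 'RUNNING' to 'POWERING_OFF'\n"
    ),
}

if __name__ == "__main__":
    for name, start, end in vm_timeline(SAMPLE_LOGS):
        print(f"{name}: {start.isoformat()} -> {end.isoformat()}")
```

VirtualBox keeps the last few logs by default, so even a VM whose disk image sits inside a hidden volume leaves a rolling record of when it ran on the host's plaintext filesystem; that is the trail astor is pointing at, and it lines up with the Windows boot and shutdown events the same way.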
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: kmfkewm on July 22, 2013, 06:36 pm
The risk is not relatively low, it is massively increased, by the time it is demonstrated in the wild it will probably be associated with people being sent to prison.

It's lower than visiting clearnet sites. Presumably the hidden service is using entry guards, so think of the connection as being backwards, where your entry nodes are the exit nodes, except you keep them for the whole session, whereas normal exit nodes rotate every ten minutes. So the chances of randomly picking bad nodes at the edges is lower. Now if the attacker lucks out as an entry point or brute forces his way to be an hsdir, then the chances are higher.

In any case, you can use persistent bridges.

Except the chances that the hidden service will be located are already much higher than the chances that a regular client will be located. So that leaves you with a very plausible Tor without guards scenario, where the hidden service is already monitored and the clients are going through entry guards like they are going out of style. Using persistent bridges is a solution though you are right. But I still think for most people tails is only hurting their anonymity, at the very least it is definitely introducing serious hazards that are not being illuminated to their userbase. I would never count on the hidden service or destination site being good in any case though, for all you know the destination is and has always been run by the feds. That leaves you to your own devices for anonymity, and having entry guards changing every day or multiple times a day brings attacks from statistically insignificant to probable. I see tails as largely being a loaded gun without the safety on, definitely the tool for the job in some places but also very dangerous in the hands of people who don't understand exactly what they are doing with it.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: astor on July 22, 2013, 06:42 pm
Except the chances that the hidden service will be located are already much higher than the chances that a regular client will be located. So that leaves you with a very plausible Tor without guards scenario, where the hidden service is already monitored and the clients are going through entry guards like they are going out of style.

If they find the hidden service, you have much bigger problems to worry about, but LE isn't going to care about tracking down buyers, and vendors should already be using bridges because of the message correlation attack we've described.

Quote
Using persistent bridges is a solution though you are right. But I still think for most people tails is only hurting their anonymity, at the very least it is definitely introducing serious hazards that are not being illuminated to their userbase. I would never count on the hidden service or destination site being good in any case though, for all you know the destination is and has always been run by the feds. That leaves you to your own devices for anonymity, and having entry guards changing every day or multiple times a day brings attacks from statistically insignificant to probable. I see tails as largely being a loaded gun without the safety on, definitely the tool for the job in some places but also very dangerous in the hands of people who don't understand exactly what they are doing with it.

Yes, I agree. Entry guards and/or bridges should be made persistent. I believe they will be adding "persistence presets" in the future.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: kmfkewm on July 22, 2013, 06:47 pm
Except the chances that the hidden service will be located are already much higher than the chances that a regular client will be located. So that leaves you with a very plausible Tor without guards scenario, where the hidden service is already monitored and the clients are going through entry guards like they are going out of style.

If they find the hidden service, you have much bigger problems to worry about, but LE isn't going to care about tracking down buyers, and vendors should already be using bridges because of the message correlation attack we've described.

Quote
Using persistent bridges is a solution though you are right. But I still think for most people tails is only hurting their anonymity, at the very least it is definitely introducing serious hazards that are not being illuminated to their userbase. I would never count on the hidden service or destination site being good in any case though, for all you know the destination is and has always been run by the feds. That leaves you to your own devices for anonymity, and having entry guards changing every day or multiple times a day brings attacks from statistically insignificant to probable. I see tails as largely being a loaded gun without the safety on, definitely the tool for the job in some places but also very dangerous in the hands of people who don't understand exactly what they are doing with it.

Yes, I agree. Entry guards and/or bridges should be made persistent. I believe they will be adding "persistence presets" in the future.

When it comes to Tor "If they find the hidden service, you have much bigger problems to worry about" means that you have much bigger problems to worry about, because tracing hidden services is trivial. Nobody should operate thinking that the anonymity of a hidden service is doing anything for them. Hidden services are meant to hide the location of a server, not to help the clients connecting to the hidden service, and attacks for tracing hidden services to guard nodes have been known for years now, making hidden services at best equal to using three different frequently changing single hop reverse proxies. Lack of ability to locate hidden services by the feds could only be deemed sheer incompetence honestly. The good news is that clients are much harder to trace. But they become much less much harder to trace when they are switching entry guards three times a day.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: astor on July 22, 2013, 06:50 pm
But again, you have to look at the alternative. A lot of people can't fully encrypt their hard drive or buy a separate computer, so they will be splashing evidence all over their hard drive. If a package gets intercepted and they get CDed (much more common than being identified through an attack on Tor), that evidence could screw them a lot harder than being identified by an attack on Tor as "a person visiting Silk Road". This is especially important for vendors, but even for buyers, unless you can memorize all your passwords, you will be splashing evidence on your hard drive.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: kmfkewm on July 22, 2013, 06:52 pm
I would rather that my evidence splashed hard drive is never located than for my pristine hard drive to be located because I made myself 70 times more vulnerable to traffic analysis.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: astor on July 22, 2013, 06:57 pm
Hidden services are meant to hide the location of a server, not to help the clients connecting to the hidden service, and attacks for tracing hidden services to guard nodes have been known for years now, making hidden services at best equal to using three different frequently changing single hop reverse proxies.

And that can be mitigated with Tor over Tor, or persistent layered guards, but you don't know and can't trust what the hidden service operator is doing.

Quote
Lack of ability to locate hidden services by the feds could only be deemed sheer incompetence honestly. The good news is that clients are much harder to trace. But they become much less much harder to trace when they are switching entry guards three times a day.

Well yeah. Silk Road exists because of LE incompetence / not caring in more ways than one. If they cracked down on shipping, the market would be gone, but 99% of packages get through the mail. They don't have the resources or don't care enough to crack down on everything, and that's part of our threat model.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: astor on July 22, 2013, 07:00 pm
I would rather that my evidence splashed hard drive is never located than for my pristine hard drive to be located because I made myself 70 times more vulnerable to traffic analysis.

Simply visiting Silk Road is unlikely to get you raided, but CDs are a real possibility for a lot of people.

The problem is, you're too focused on threats on Tor when there are so many other things that are far more likely to get you screwed, like CDs and associates that snitch and stuff like that. It's better not to have evidence laying around.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: kmfkewm on July 22, 2013, 07:22 pm
I would rather that my evidence splashed hard drive is never located than for my pristine hard drive to be located because I made myself 70 times more vulnerable to traffic analysis.

Simply visiting Silk Road is unlikely to get you raided, but CDs are a real possibility for a lot of people.

The problem is, you're too focused on threats on Tor when there are so many other things that are far more likely to get you screwed, like CDs and associates that snitch and stuff like that. It's better not to have evidence laying around.

I can totally see that perhaps I am too focused on Tor, and the scenarios you mention are in fact probably more likely concerns for the average people on this forum. I think the lesson to take from this is that everybody's security model is different, and that people should thoroughly understand what they are trying to accomplish and what they are accomplishing, which pretty much goes without saying. I personally would never feel comfortable with making myself so much more vulnerable to being deanonymized through traffic analysis, but for many people that is less of a concern than having a CD etc. I think part of the issue is that I am used to a private forum mentality, these days people being a member or visiting a site like SR is not seen as a big deal, but I learned about security when there were only private forums largely consisting of big importers and distributors, where being tied to the forum server in itself is bad fucking news. Being tied to SR server might not be as bad simply because of the fact that it is public. I suppose I should keep in mind that threat models change and that the online drug scene is pretty much in uncharted territory as far as shit like this goes, but I think others are equally suited to keep in mind that using Tails like a regular OS without using it like it is meant to be used (between different wifi access points, frequently switching access points) can be counterproductive.
If people are really worried about evidence on their drives, as they should be, there is no need to compromise the anonymity of Tor to obtain this, even Ubuntu can be FDE'ed during installation, I just cannot imagine it ever being a good idea to use Tails without persistent entry guards unless it is being used in the very specific "Tails Threat Model", then again maybe people these days are less likely to have a dedicated machine for criminal activity, back in the day on private forums we took our security very seriously but for a casual user on a forum like SR perhaps there is an acceptable compromise between utmost security and what is convenient.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: astor on July 22, 2013, 07:44 pm
I can totally see that perhaps I am too focused on Tor, and the scenarios you mention are in fact probably more likely concerns for the average people on this forum. I think the lesson to take from this is that everybodies security model is different, and that people should thoroughly understand what they are trying to accomplish and what they are accomplishing, which pretty much goes without saying.

Agreed.

Quote
I personally would never feel comfortable with making myself so much more vulnerable to being deanonymized through traffic analysis, but for many people that is less of a concern than having a CD etc.

So far, every SR user that we've heard about getting busted got nailed either through a CD or because they were dealing in real life. That Casey Jones vendor sold to confidential informants, and when they raided him, they found his bitcoin wallet (presumably, although we don't know exactly what happened there). They may have gotten customer info too. He needed encryption a lot more than he needed entry guards. Of course Tails + persistent bridges is much better than Tails with rotating session guards, but any non-leaky encryption is much much better than no encryption for the threat model of most SR users.

Quote
I think part of the issue is that I am used to a private forum mentality, these days people being a member or visiting a site like SR is not seen as a big deal, but I learned about security when there were only private forums largely consisting of big importers and distributors, where being tied to the forum server in itself is bad fucking news. Being tied to SR server might not be as bad simply because of the fact that it is public. I suppose I should keep in mind that threat models change and that the online drug scene is pretty much in uncharted territory as far as shit like this goes, but I think others are equally suited to keep in mind that using Tails like a regular OS without using it like it is meant to be used (between different wifi access points, frequently switching access points) can be counterproductive. If people are really worried about evidence on their drives, as they should be, there is no need to compromise the anonymity of Tor to obtain this, even Ubuntu can be FDE'ed during installation, I just cannot imagine it ever being a good idea to use Tails without persistent entry guards unless it is being used in the very specific "Tails Threat Model", then again maybe people these days are less likely to have a dedicated machine for criminal activity, back in the day on private forums we took our security very seriously but for a casual user on a forum like SR perhaps there is an acceptable compromise between utmost security and what is convenient.

Yep, I agree a dedicated computer with a dedicated OS + FDE is better than Tails, it's just not a workable solution for a lot of people. For vendors who make damn good money, there's really no excuse in not buying a $100 laptop in cash off Craigslist + a $60 external hard drive for backups, and encrypting both, but a lot of buyers just don't have the money. Tails + bridges is their best option IMO, and I'll make sure to aggressively point out the bridges part.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: MuchoBoostin on July 22, 2013, 10:02 pm
I'm far from a large buyer or vendor, so take this with a grain of salt, but I use a fresh VM on a USB drive. Nothing gets saved/installed on the host computer and it would take me about 2 secs to dispose of the tiny USB drive. Obviously, like I said, it's not the most secure thing in the world, but it is easy to dispose of completely. Add in what I do for a living, and having traces of an old VM wouldn't be out of the ordinary.

Hopefully, I never have to find out that it's not enough.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: helpmywife on July 23, 2013, 12:58 am
I can't seem to get Tails to work with bridges. Every time I try to connect with obfs2 or 3 it won't work. Are regular bridges just as good? If Tails forgets everything, then why does it matter if you're using it with Tor? You have the same issues with or without Tails, don't you? Whether on Windows or Tails, you're running Tor! I'd get it
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: xx138xx on July 24, 2013, 08:53 pm
Hiding a partition only helps slightly anyway. If LE gets their hands on your hard drive, it's pretty obvious if you have disk space that's unaccounted for in the partition table. At this point even full disk encryption is only a stop gap measure with the advent of GPU accelerated decryption tools.
Title: Re: Concern with Windows even if using TrueCrypt hidden partition?
Post by: kmfkewm on July 25, 2013, 12:24 am
Hiding a partition only helps slightly anyway. If LE gets their hands on your hard drive, it's pretty obvious if you have disk space that's unaccounted for in the partition table. At this point even full disk encryption is only a stop gap measure with the advent of GPU accelerated decryption tools.

It doesn't look like there is unaccounted for space in the partition table. All the GPUs in the world are not going to brute force AES-256 with a 256 bit password.