Silk Road forums
Discussion => Security => Topic started by: gunitbot6 on July 31, 2013, 10:00 pm
-
YOUR HARD DRIVE is the most incriminating evidence we have, it's even worse to get caught with it than weed
How can we change this, besides Tails. It's a hassle to install and figure out how to use. What other way to protect our hard drive, remote hard drive killer, every time you go to your mail box. This is an expensive method, what is an inexpensive method.. I would hook a portable hard drive to my computer.
-
Full disk encryption.
-
Depends.
Magnetic media can be wiped securely by overwriting every sector with a zero. Look for programs like DBAN.
Solid state is trickier, overwriting won't work due to space reserved for wear levelling... but you're in luck. Most SATA drives have an inbuilt command called secure erase. Programs such as hderase.exe (doesn't work with all drives) or a Linux live distro called Parted Magic can access this for you. Instantly your drive is clean. I've tested this with FTK and Encase. Both couldn't even pull a file header.
A nice big FUCK YOU to LE forensics :)
Of course, encrypt the entire drive with a huge key and format as normal... both will have the same effect.
Edit, I'm not trying to be rude, but how can you find Tails difficult to install? Simply burn to CD or USB and off you pop.
-
It cleans hard drive of everything, or just Tor? You won't have enough time to clean hard drive when you got a CD. You will be in restraints.
-
YOUR HARD DRIVE is the most incriminating evidence we have, it's even worse to get caught with it than weed
How can we change this, besides Tails. It's a hassle to install and figure out how to use. What other way to protect our hard drive, remote hard drive killer, every time you go to your mail box. This is an expensive method, what is an inexpensive method.. I would hook a portable hard drive to my computer.
re encrypting the entire hard drive, with two differing appeals courts' decision regarding the privacy of the individual (one court ruling the defendant had to release his password, the other indicating the reverse), i don't know that encryption is 100% secure, even if you were willing to fund an appeal all the way to the Supreme Court
i'd think TAILS on a USB would be the way to go
if a 60+ yr old fred flintstone like me, with mental blocks to "computerese" can figure it out, not sure what's so difficult about it - go thru Fallkniven's thread, near the end someone posted a "paint by the numbers" install version for me
if you can't work it, pm me, i'll help as much as i can - just passing forward the help others gave me
fwiw
-
Why not just keep an encrypted hidden partition ala truecrypt?
I like the option better because I can always "give up" my password. ::)
-
One option is to use a fully encrypted virtual disk image mounted with virtual box, fully contained operating system that you can save onto another removable media such as a thumbnail usb which can also be encrypted with truecrypt. Easy to hide, easy to use, leaves no trace on your host computer that I know of.
-
Thing is, if you're ultra paranoid - today's encryption is strong. How do you know what technological advances are due to happen in 10, 20 years?
Theoretically a quantum computer will crack encryption that would take a modern supercomputer hundreds if not thousands of years to break. Remember, if your computer is seized an image of the drive is taken and saved. What's to say they can't revisit it in 20 years ;)
Obviously that's pretty far fetched but nothing is impossible my friend!
The one and only true method of data sanitation is physical destruction, hence why ultra top secret government data is only trashed in this way.
OP, install tails on a usb stick. it's not difficult. destroy it with a hammer at regular intervals. I think you'd be pretty safe then.
edit : what am I talking about, cd's are 10 a penny ;) snap in half, instant data destruction.
-
I wonder what the statute of limitations would be on that.
Also, what would they really have in all pragmatism? Presumably, all those vendors would be gone by then and/or changed names. The bitcoin addresses would no longer be.
Also, FDE with password prompt seems counterproductive in the US, where they are currently deciding if forcing a user to give up a password is legal. It IS legal, however, to detain said person for obstruction if they don't, which means they may be cleared, after the decision is made.
In the UK, they just make you give it up.
-
OP, install tails on a usb stick. it's not difficult. destroy it with a hammer at regular intervals. I think you'd be pretty safe then.
edit : what am I talking about, cd's are 10 a penny ;) snap in half, instant data destruction.
I think you might be mistaken, especially about snapping a CD in half.
-
or you can get a nice small pile of thermite......just saying...
Mr.Black
-
One option is to use a fully encrypted virtual disk image mounted with virtual box, fully contained operating system that you can save onto another removable media such as a thumbnail usb which can also be encrypted with truecrypt. Easy to hide, easy to use, leaves no trace on your host computer that I know of.
That'd work!
-
I use truecrypt for full disk encryption. Then I have a hidden truecrypt volume with all the goods inside. This is surprisingly easy to set up.
-
Here's the all encompassing simple solution:
1) Don't even use your network to connect to tor :) Some special antennas and additional skills may be required.
2) USB stick is convenient especially if you want to keep an ongoing private PGP key and aren't a vendor but, if you've read the tails website, the obvious most secure option is to use a 1 type write CD-R or DVD-R and run it in a machine that does not even have a hard drive in it (it will run).
Where's the data gonna be stored then? Can't write to an unwritable CD...and ram doesn't save shit. (This is assuming you have more than one computer) and btw...trying to virtualbox tails on your main system in my opinion almost completely defeats the purpose of even using it - it's meant to not leave a trace. Virtual machines/boxes leave a trace.
Now you just gotta make sure your vendors study those shipping forums and aren't idiots and you should be set.
-
I'm actually shocked you guys are just relying on encrypted drives. If they really wanted to, they more than likely could decrypt it. Most of those people were ex hackers themselves. They're not smart.
Sure, they're encrypted drives are safe and safer with other cool tricks but what about......NO DRIVE AT ALL? Is the inconvenience of using a shitty $100 laptop with no hard drive in it at all and a 1 time writable DVD for tails THAT much of an inconvenience?
Tails runs great on any sort of shit you try to put it on too, and in this scenario there is a ONE HUNDRED percent chance they CANNOT decipher anything with your data as long as you just follow these steps...because you can't decipher what is impossible to be written. IE. You can't decipher or read what doesn't exist.
any data from your no hard drive tails 1 write only dvd you stick . is possible unless you overlapped shit with your real computer and that's your fault then.
-
OP, install tails on a usb stick. it's not difficult. destroy it with a hammer at regular intervals. I think you'd be pretty safe then.
edit : what am I talking about, cd's are 10 a penny ;) snap in half, instant data destruction.
I think you might be mistaken, especially about snapping a CD in half.
Why? Destroy the foil on the cd and the data is gone. "snap in half" was just a way of saying destroy it, I didn't mean literally. I'm sure it'd be possible to recover data from half a cd.
-
I'm actually shocked you guys are just relying on encrypted drives. If they really wanted to, they more than likely could decrypt it. Most of those people were ex hackers themselves. They're not smart.
Umm, encryption is strong. Use a decent key length and it's nigh on impossible with current technology (the public know of) *dons tinfoil hat*
But as I said above, who's to say how powerful computers will be in a decade, what might take a supercomputer of today a thousand years to crack may take a super computer of the future 5 minutes.
ATA secure erase is the best wiping tech. FTK and Encase (the industry standard forensics tools) couldn't pull shit. I know from personal experience a simple 0 zero pass rendered all data gone on forensic analysis when my drive was seized on a drugs raid.
Why's your drive blank? No comment. Simple.
Also, cold boot attacks are quite simple. When you're using your laptop with no hard drive, it takes maybe 10 seconds for the data to drain from the RAM. If they freeze your ram... maybe a few hours - days? Enough to take it back and gather all the info off it. If you hear your door being smashed in your first port of call is pull the power cord ;) longer it's off, less chance there is of recovering anything.
-
my advice, always have your pc case ready to take out the HDD in seconds, anytime, it is 2 cables only.
Whenever you are about to get a delivery, for the time you are out of your house to get it, until you get back in,
hand the HDD to someone who u live with and you trust. Tell him/her that if you don't appear back home in 1-2 minutes he/she must put the HDD in microwave at full temperature and go to another room, with a fire extinguisher ready at hand.
hope that could work. the value of hdd cannot be compared to that of freedom due to NO EVIDENCE when shit time comes.
Also i advise you to use SSD due to their compact size...
seriously, i agree with the title of the thread. as said. So better destroy than encrypt
last, but not least, FUCK THE POLICE!!
-
They cannot break a good encryption with a 20+ character password. Nor would it be likely they would even put in the resources to even try. Tails is fine if you are just ordering stuff (in which case you don't even have to worry that much) but if you are running a business and need spreadsheets and other programs it's not so great.
-
OP, install tails on a usb stick. it's not difficult. destroy it with a hammer at regular intervals. I think you'd be pretty safe then.
edit : what am I talking about, cd's are 10 a penny ;) snap in half, instant data destruction.
I think you might be mistaken, especially about snapping a CD in half.
Why? Destroy the foil on the cd and the data is gone. "snap in half" was just a way of saying destroy it, I didn't mean literally. I'm sure it'd be possible to recover data from half a cd.
Sorry, I thought you meant 'snap in half' rather than 'destroy all the foil completely' because that's what you wrote.
Gandalf: "Frodo, the ring can only be destroyed by THROWING IT AWAY"
Frodo: "Well, that doesn't sound too hard"
Gandalf: "By THROWING IT AWAY I of course mean travelling for many months to the dark heart of Mordor, avoiding orcs, giant spiders, insanely jealous previous owners of the ring, and the all seeing eye of Sauron and casting the ring into a volcano."
Frodo: *gulp* "oh...."
If you have Tails burned to CD it will have no data except the OS itself anyway. I do take your point that it would be handy to be able to, say, throw it in a wood burning stove, should the police show up at your door asking about the envelope full of drugs with your name on.
-
or you can get a nice small pile of thermite......just saying...
Mr.Black
Yes.
-
subn
-
Full Disc Encryption works
https://www.schneier.com/blog/archives/2011/12/full-disk_encry.html
It doesn't work if your computer is seized while turned on, and your crypto disk(s) or containers are unlocked with the key floating around memory in the clear. Cold boot attacks only work on DDR2 RAM and lower, they don't work on DDR3 as it doesn't hold any voltage after being powered off.
It also doesn't work if cops can plant devices on your hardware or bootloader when you are not around or just film you entering passwords. They do this to gang members where I live all the time, and remotely turn on their smartphone mics and cameras too.
It also doesn't work if there are backdoors, like you're using proprietary HP hardware or Windows which is known to give backdoors to law enforcement before patching them.
It also doesn't work if your police are corrupt and just beat the password out of you.
Your 20 character password is meaningless if they are words they will be GPU broken (read Hashcat forums!). You ideally want to use song lyrics so you remember a long password and don't have to write it down, and use the letters of each word and numbers:
Example: Tupac - Me and My Girlfriend lyrics
"Lost in the whirlwind, ninety-six, Bonnie and Clyde
Me and my girlfriend, do one-eighty-five when we ride
Trapped in this world of sin, born as a ghetto child
Raised in this whirlwind (c'mon)"
Becomes: Litw,96,B&CMamg,d185wwrTitwos,baagcRitw(c) which is a 42 char password with 224 bits entropy. After you type this in for a few weeks you'll memorize it forever. You'll never forget it because you just need to listen to the song or look up the lyrics. No GPU farm doing billions of combos per second is going to break that anytime in this century.
-
That's true. Cold boot attacks can indeed render encryption useless. That's why one should always have that part either dislocated or unmounted when not in use.
I think your password method is great but far too complicated.
A simple sentence is more than fine. While, yes they can brute force with dictionary attacks, the heuristic is highly unlikely to know some sentence that isn't common--at very most.
http://correcthorsebatterystaple.net/
based on:
https://xkcd.com/936/
If it were sophisticated enough to go through word combinations: assume a 25 character password. Assume average word length is 5, so it can be any of 5 words in the English Language (more entropy if you mix languages).
Assume use of just 100000 words with the others being rarely used (lower limit).
(100000)^5 = 10000000000000000000000000 combinations.
Assume an average of 1000 guesses per minute, which is in the ballpark for GPUs today, and you see it takes the machine (100000)^5/1000/60/24/365 = 10^16 years (more than a billion).
There's a reason why law tortures as opposed to just strap a seized computer to a supercomputer--it's still infeasible as it stands, and a statute of limitations and their case are on a time-frame.
Used properly, encryption is pretty much uncrackable unless a serious innovation is made within the next 5-10 years.
-
You gotz to read what hashcat forums password breakers have been up to. They're the guys who broke crypto.cat, broke Lastpass, broke 1password encryption, broke the Cisco VPN encryption.....
They recommend using 3 keyfiles and a 50+ char password on Truecrypt that's completely random with no words whatsoever. Nobody here is doing that.
The guy who broke crypto.cat has a 2 terabyte hash table he's been using to break everything. He has rows of 7970s slicing through 'correct horse battery staple' type passwords trying 358 billion hashes per second. PER SECOND.
Passwords are basically becoming extinct. Especially if any large bitcoin ASIC hashing pool decides to help break passwords. There's already a movement to start adding keyfiles to PGP and other older programs. The game has changed in the last 1-3yrs big time. Now we have massive corporations selling 0day spyware, internet wide analytics and data mining, ASICs, FPGAs and GPU farms breaking passwords that are no longer millions of dollars to own, it's a security nightmare. Most people are cruising along like it's still 2003. Welcome to the dystopian future it has arrived. Use keyfiles.
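
The two estimates argued over in the posts above (a 5-word passphrase from a 100000-word vocabulary at 1000 guesses per minute, versus 358 billion hashes per second) can be put side by side. This is an added example, not part of any original post; the function names and the key-stretching iteration count are assumptions, and every figure only holds for words picked uniformly at random.

```python
import math

SECONDS_PER_YEAR = 365 * 24 * 3600

# Figures quoted in the thread
VOCAB = 100_000            # words in the assumed vocabulary
WORDS = 5                  # words in the passphrase
SLOW_RATE = 1000 / 60      # "1000 guesses per minute", in guesses/second
FAST_RATE = 358e9          # "358 billion hashes per second"
# Assumption (not from the thread): the key is derived with an iterated
# KDF, so one password guess costs this many hash computations.
KDF_ITERATIONS = 1000


def keyspace(symbols: int, length: int) -> int:
    """Candidates when each of `length` positions is chosen uniformly at
    random from `symbols` options (words or characters)."""
    return symbols ** length


def entropy_bits(space: int) -> float:
    return math.log2(space)


def years_to_exhaust(space: int, hashes_per_second: float,
                     hashes_per_guess: int = 1) -> float:
    """Worst-case years to try every candidate; the average is half."""
    guesses_per_second = hashes_per_second / hashes_per_guess
    return space / guesses_per_second / SECONDS_PER_YEAR


def words_needed(vocab: int, target_bits: float) -> int:
    """Smallest count of random words whose keyspace reaches target_bits."""
    return math.ceil(target_bits / math.log2(vocab))


def compare() -> dict:
    space = keyspace(VOCAB, WORDS)
    return {
        "keyspace": space,
        "bits": entropy_bits(space),
        "years_at_1000_per_min": years_to_exhaust(space, SLOW_RATE),
        "years_at_358e9_per_s": years_to_exhaust(space, FAST_RATE),
        "years_at_358e9_with_kdf": years_to_exhaust(space, FAST_RATE, KDF_ITERATIONS),
        "words_for_128_bits": words_needed(VOCAB, 128),
    }


if __name__ == "__main__":
    for name, value in compare().items():
        print(f"{name:26} {value:.4g}")
```

The two quoted rates differ by about ten orders of magnitude, which is why the same passphrase looks unbreakable in one post and marginal in the other. The keyspace figure does not apply to a sentence or lyric an attacker's wordlist could contain, since those are not uniform random picks.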
-
You gotz to read what hashcat forums password breakers have been up to. They're the guys who broke crypto.cat, broke Lastpass, broke 1password encryption, broke the Cisco VPN encryption.....
They recommend using 3 keyfiles and a 50+ char password on Truecrypt that's completely random with no words whatsoever. Nobody here is doing that.
The guy who broke crypto.cat has a 2 terabyte hash table he's been using to break everything. He has rows of 7970s slicing through 'correct horse battery staple' type passwords trying 358 billion hashes per second. PER SECOND.
Passwords are basically becoming extinct. Especially if any large bitcoin ASIC hashing pool decides to help break passwords. There's already a movement to start adding keyfiles to PGP and other older programs. The game has changed in the last 1-3yrs big time. Now we have massive corporations selling 0day spyware, internet wide analytics and data mining, ASICs, FPGAs and GPU farms breaking passwords that are no longer millions of dollars to own, it's a security nightmare. Most people are cruising along like it's still 2003. Welcome to the dystopian future it has arrived. Use keyfiles.
I was rummaging through the site and saw claims to being able to break relatively simple sentence 15-character truecrypt passwords with AES protection only using multithreaded GPU hashes.
Not saying I don't believe you, but can you link--or better yet--copy paste where this occurred?
And this isn't 2003, it's pretty recent:
http://news.cnet.com/8301-31921_3-57364330-281/judge-americans-can-be-forced-to-decrypt-their-laptops/
As of now, the US is pretty much forcing people to give up their passwords because cracking is difficult and costly.
What people are doing wrong is assuming that anything that requests one and only one password to an encrypted partition is going to be forced to give it up.