Silk Road forums

Discussion => Security => Topic started by: mrkyitty on March 20, 2013, 02:34 am

Title: Security Audit
Post by: mrkyitty on March 20, 2013, 02:34 am
Been a member for almost a year now, but I was reading a thread about similar issues and apparently I've developed some pretty risky habits when it comes to being identifiable. Namely, when buying BTC I would go from BitInstant>Instawallet>SR. I only just now have installed a bitcoin client and made a bitcoinfog account, and I'm also still unclear on some of the finer points of clearnet/darkweb browsing. For all intents and purposes, I'm only buying at most an ounce of weed at a time for personal consumption (which I know is typically not as high priority as other drugs/volumes). Nevertheless...

- When buying BTC, what all should be done in TOR? It is my understanding that accessing an exchange via clearweb (bitfloor in this case) is okay, and then once the coins go from my wallet to bitcoinfog it's all TOR from there.

- Should TOR be the only application using the internet while it's open? Right now I have Chrome, Steam, and Avast running as well.

- Should a bitcoin client be configured to use TOR? I don't see why it would, but I'm also just now starting to use one.

- I use Windows, and I don't use any sort of encryption. Should I? I've gathered that this is more applicable to dealers/vendors.


I realize this is mostly just paranoia, but just finding out now that I really should've been tumbling coins from day one has thrown me for a loop. Any and all help is greatly appreciated. Thanks
Title: Re: Security Audit
Post by: Jediknight on March 20, 2013, 03:06 am
All you're missing is the fake beard.
Jeez, you make me look like a lax fool.  But really, if you're buying less than personal amounts, it's not too likely.  If you present it to a lawyer, there are a lot of doubts and a hard prosecution to land.  It would cost a fortune and would be barely worth it for a dealer let alone a buyer.  But you can never be too careful no doubt.  SR has a pretty good tumbler built in and it's hard to identify any coins after they get split up upon deposit. So SR does the tumbling for you too.  Try and follow the block chain someday from your SR address.  Tricky.
Title: Re: Security Audit
Post by: blahblah1234 on March 20, 2013, 03:06 am
Hi, I am by no means an expert, and am a bit buzzed, so take these with a grain of salt if you know what I mean.

1.  Buying bitcoins in real life is difficult to anonymize if you are using a legit service.  So, if you are using bitfloor, it is going to tie to you.  Sending coins off to bitcoinfog from bitfloor shouldn't be an issue; make sure to get new addresses in bitcoinfog often so you aren't reusing the same destination address.  Never advertise your addresses that you send to in bitcoinfog to anyone else.  The key is that "you paid someone for some service".   That's all you know.
2.  Yes, bitcoinfog requires Tor and so does SR, so Tor from there on out. 
3.  Get a new address in SR for each deposit.  Mixes it up even more.  I also noticed that during the time where SR was having issues with deposits registering a few weeks back, I was unable to generate a new address!  If you get an error generating a new address I would be suspicious and check the forums for issue reports and wait it out if possible.
4.  As for Tor being the only thing open, that shouldn't be an issue.  If you are using the Tor Browser, everything else will use normal internet communications.  As a matter of fact, you probably can't keep your computer from connecting to the Internet without a huge hassle.  The better question is should you be using a normal PC for connecting to Tor.  This is a good question.  If you are a vendor and at high risk for investigation, all your dealings should be from a dedicated Tor OS like Tails or Liberte Linux running from a non-persistent USB install or a Live CD.  Remove the hard drive from your computer to be real safe.  This will prevent any traces of your activities from residing on your local hard drive indefinitely.  The OSes even wipe your RAM clean on shutdown to prevent using the RAM contents from disclosing encryption keys and such.
4a.  OK, so not so paranoid about using your OS?  Be careful with your pgp keyrings; do you store your vendor's public keys?  This could possibly tie you back to SR and specific vendors.
4b.  SSDs don't erase sectors necessarily.  Deleting files doesn't delete files.  Spinning disks (not hybrid) can be wiped with secure erase programs to get rid of evidence.
4d.  Holy cow, you can get really deep into this stuff; do you really want to know?
4e.  I can break your drive encryption by using your firewire port to hack into your RAM and extract keys.
4f.  Do you have a hibernation file?  It can be used to hack disk encryption too.

(don't forget 4c.)

Many many more things to think about here.  Good news is nobody is spending a million dollars to bust you for an ounce of weed!

Look into Blue Sky Traders for bitcoin purchase.  Use Tails or Liberte Linux on a hard diskless laptop while you are on public internet at McDonald's.  Ship to location is the weakest link.  Don't sell drugs.  Good to go.

Title: Re: Security Audit
Post by: mrkyitty on March 20, 2013, 03:09 pm
Many thanks to both of you!
Title: Re: Security Audit
Post by: blowmanthesnowman on March 21, 2013, 07:47 pm
You can browse clear web and use Tor at the same time without a problem. The main thing I would do is true-crypt the computer. It's free and doesn't hurt performance. Also, make sure you use pgp to send the vendor your address. I think the main way consumers would get busted is if the mail people randomly catch it so that's what I would mainly be concerned with. Don't sign for packages and you should be good :).