Silk Road forums

An even better bet is to use Qubes OS. It lets you easily configure Tor similar to how Whonix does, and has the option to instantly launch anything you want in a disposable VM. Plus it isolates your hardware with IOMMU. Qubes is configured to launch different applications in different (user defined) security domains that are isolated from each other with Xen virtualization. It also supports windows HVMs and in the next version it will have seamless windows appvms. This means you will be able to seamlessly run Windows applications and Linux applications at the same time, and it will look like they are both natively running on the host OS. 

SSL/TLS session keys are negotiated with asymmetric cryptography, usually RSA or ECDH. You pretty much never use a symmetric algorithm for multi-party communications without also using a key exchange algorithm (or without sharing an original key face to face at least). Usually the only time you use symmetric algorithms alone is for  encrypted data storage like FDE or Truecrypt containers.

Ahhh, so it's a term for a very cool category of intelligence gathering. Van Eck phreaking[1] would fall into this category. Mmmmm, perhaps it's time to re-read Cryptonomicon

[1] en.wikipedia.org/wiki/Van_Eck_phreaking

The intelligence field these attacks fall under is called MASINT, Measurement And Signature Intelligence. It looks like the specific specialization is called unintentional radiation electromagnetic pulse measurement and signature intelligence.

Transient signal attacks (TEMPEST, sometimes said to be an acronym for Transient ElectroMagnetic Pulse Emanation Surveillance Technology) analyze leaking signals to try to obtain information of interest. This could include the sound of keystrokes to determine what is being typed,  or it could be the electromagnetic signals your monitor leaks in order to remotely reconstruct what it displays. The military protects the most classified secrets from this sort of attack by storing the electronics that are used to display them in SCIFs , Secure Compartmentalized Information Facilities. These are usually rooms that are pretty much hollowed out metal boxes, with thick metal walls completely surrounding the machines and people inside of them. You can find pictures of them if you google around. You can also buy specialty equipment that is shielded to some extent from transient signal leakage, although it tends to be pretty expensive. You could take some simple measures to make this sort of attack more difficult though, for example if you have a basement it will probably shield you more adequately than you would be at a coffee shop. Another thing to take into consideration is that a lot of information tends to leak into the power grid as well.

I think that transient signal attacks are really interesting from a theoretical perspective. They have been used in practice by the FBI, but the only case I know of where they did this was against  a Russian spy ring. They are probably more commonly used by intelligence agencies like the CIA etc. The thing about TEMPEST attacks is that the attacker needs to have already identified you to carry them out (since they need to be physically fairly close to you), and if the attacker has already identified you then it is pretty much game over anyway, TEMPEST attacks or not. So the best defense from this sort of attack is actually to maintain your anonymity. These attacks are more applicable to an intelligence agency trying to protect its information secrets from foreign intelligence agents, than they are to a drug dealer trying to protect the content of their communications and computer system. Because the foreign intelligence agency may know where the secrets are stored and not be able to get them covertly due to the SCIF or whatever, but if the feds know where the drugs are stored they are just going to kick the door down or do covert surveillance in less technically sophisticated ways.

I know I am certainly glad that the many vendors I have worked with have no idea what my real identity is. Some of them have been busted. I wouldn't want people who are getting
grilled by the feds and who are facing decades behind bars to know my name and address.

Anti Virus software is pretty much entirely worthless for protecting from this sort of attack. Anti Virus software is largely botnet size limiting software. It is to prevent a botnet virus from spreading to two million machines, not to prevent it from spreading to one million machines and definitely not to prevent it from infecting *you*. In other words, anti virus software is for protecting you decently from old viruses, and to protect from new viruses before the entire set of vulnerable machines become infected. It is not meant to stop a hacker from infecting you, and it fails horribly at doing this. 

This is useful in the 5 percent of cases where you know the package was intercepted ahead of time. You can throw away the mailbox key, never visit that post office again, and you'll be safe because they won't know who are or where to find you. In the other 95% of cases, you won't have a clue that it was intercepted until you're standing in the post office with the package in your hand and a guy with a badge steps out from behind the counter (or pulls you over a few blocks away).

IMO, a residential address is safer because you can passively receive the package and choose when to pull it out of the box. LE isn't going to wait around for hours or days, and at all hours of the night, for you to pick up a small amount. They will either knock on your door and see if you accept it, or not deliver it at all (in which case, it will join the ranks of the infamous missing packages). To that end, it's best not to be home when the mail is delivered.

The reason you give for using a residential address sounds like it is a good reason for using a PMB obtained with a fake ID. If you order a package to a residential address LE doesn't need to wait around for days or hours, they know where you live already. They will either knock on your door and see if you accept it, or they will just raid you anyway because they already know a package with illegal drugs was sent to you and they can probably get a warrant to search your house based on that alone. In the case of a fake ID box, they have no door to knock on and no home to raid until they identify you picking up the package and follow you back to wherever you live or ID your car. And in cases where they are not going to do anything at all, wouldn't it be better for them to not do anything against a fake name and address that isn't linkable to you, than for them to do nothing against your real name and address (other than make a note of it).

Although you may only be tipped of to an interception in advance 5% of the time (I can think of a few examples of this happening, although I agree it is rare overall. Two general themes: tracking let it slip, or everybody who ordered from the vendor starts getting CDed at once), you might learn that a vendor you worked with has been arrested 50% of the time. It is much more common for someone to learn a vendor they worked with has been arrested than it is for someone to learn that a package they had has been intercepted. Or maybe the vendor simply disappears. Maybe this is more common on tighter community oriented forums where everybody talks regularly with each other, and you notice an unexplained absence of a vendor and nobody knows what happened to them (until you check for drug busts in the area they shipped from and piece together what happened. Note that this happened with enelysion, in the case of Joot we learned about it from the court documents very shortly after TFM went down, etc). Then you need to consider some vendors are probably keeping customer shipping information to aide them in plea bargaining. Or maybe the busted vendor even had outgoing package addresses recorded (enelysion did) and your address in on a list. No interception to you has happened yet, but packages to that address are probably way more likely to be intercepted in the future!

And better not order from an asshole who will blackmail you with your real address.

People have proposed using various light sensitive devices that can warn you when the package has been opened. They might be worth it for large orders, but it's also possible for LE to x-ray the package, discover that it contains such a device, and open it in a dark room to field test the drugs. They are also known to use needle-sized poking devices to sample the contents, which leave a hole so small that it probably wouldn't set off the device. To protect against that, you would have to fortify it with a hard internal package, which again isn't worth it for small amounts, when simply mailing the drugs in an envelope is much safer.

Vacuum seal the device with the drugs and have it detect the presence of oxygen then. I would be less worried about LE x-raying the package and finding it has some obscure electronic device in it and more worried about LE x-raying the package and finding that it has some pills or powdery substances wrapped up inside of it.