Silk Road forums

Has the world gone mad? Am I really having to extol the virtues of encrypting your hard disk drive to someone who's ostensibly reached "Hero" status on these forums?

Of course there's a risk that your HDD can be accessed while encrypted if it's mounted - that's probably why you'd only mount it while you're there and gosh I don't know, lock your screen when you're away from the keyboard for a few moments?


V.

Quote from: wretched on May 20, 2012, 01:34 am

if.you.are.raided.while.your.encrypted.drive.is.mounted.doesn't.matter.if.it.is.encypted.or.not.

do not run as an exit relay if you have anything illegal stored.

Locking screen doesn't prevent pigs from getting FDE encryption keys. Running Tor exit is great. But I suggest not doing it unless

A. You are a University
B. You are the EFF or have good lawyers on your team
C. You are some other organization

failing the above three

D. You have absolutely nothing illegal on your PC, and do not have anything illegal in your home
E. You run it off of a server in a data center that can not be traced back to you

too many people have been raided due to what their exit node was seen doing, it just is not worth it to run an exit if you do illegal shit that will be discovered during a raid.

running as an exit is a great way to get busted for drug trafficking after you are raided on suspicion of downloading child porn or sending bomb threats

The Tor Project explicitly suggests against running as an exit if you have anything incriminating on your PC, because it might be seized.

Your right truecrypt is not the best protection, all it takes is a judge to demand your password. And sometimes even if you give it they could say you have a hidden os, say your holding out on the second password and still put you're ass behind bars. But don't get me wrong doing everything on a unprotected system with no security in place Is just dumb whether you bookmark silkroad or not. You'll just make the cops day. So if your a buyer or a seller you should still have a good plan. I guess it's just a matter of whether you think the time it takes to learn this is worth keeping your ass out of jail. I think the best thing to do is use tails or liberte Linux. If runs in your computers ram and wipes everything when your done. Also try to keep your files in a truecrypt container with a decoy container on a server in a place like Switzerland.

Truecrypt isn't the best protection because there are about ten billion ways to covertly/overtly steal a passphrase, and protecting from all of them isn't very feasible. Truecrypt is also not the best protection because by the time it offers any protection at all you are already identified.

edit: I should preface this by saying that there are two goals when it comes to countering keyloggers, the primary goal is to protect from the attacker being able to get any keystrokes at all, a lesser goal is to protect from the attacker stealing a password that can be used for authentication. Also, I am using keystroke information interchangeably with user input.

There are two types of keylogger, hardware and software. They come in various levels of sophistication. The shittiest hardware keyloggers are just a connection piece that you place between the keyboards USB connector and the computers USB connector. They record all of the keystrokes and then forward them on to the computer. You can spot these simply by looking for them. Virtual keyboards protect from this sort of keylogger because the input comes from the mouse. There are slightly more advanced hardware keyloggers that work in essentially the same way, but which can be hidden better, inside of the keyboard itself for example. These are harder to find but virtual keyboards protect from them as well.

The more sophisticated hardware keyloggers can not so easily be defeated. They use extremely tiny cameras and position them so they can view the keyboard as it is typed on. Or they analyze transient electromagnetic information and use it to pull the entire monitors display from a substantial distance, or to determine keystrokes based on the sounds of typing, also from great distance. Maybe they plug into the power grid and gather keystroke information that leaks into it. Protecting from this sort of attack is much harder, and requires a combination of surveillance technology to detect physical intrusions (or keeping your laptop on you 24/7) and shielded equipment/rooms to prevent information leakage.

Software keyloggers  also come in various forms. The least sophisticated of them will be defeated by a virtual keyboard because they monitor input from the keyboard and ignore the mouse. However most people use much more advanced software keyloggers that also monitor mouse position. Even the mouse/keyboard monitoring software keyloggers can be defeated by using a virtual keyboard that randomly rearranges the position of the keys every time one is clicked. However, even more advanced software keyloggers will take a screenshot every time a mouse button is clicked, and many of them just constantly record what is happening on the screen. You can even get around software keyloggers that monitor everything on the screen by using one time password systems, the password is good for authentication exactly one time and then a new one needs to be generated. The server and the client both have a piece of secret information that allows them to keep synched up with what the appropriate password should be, but the attacker can not guess future passwords from current passwords so they are still screwed. banks use technology like this quite a bit, but it is possible to implement these systems without specialized hardware.

https://en.wikipedia.org/wiki/One-time_password

OTP pretty much defeats a keyloggers ability to steal a password that can be used for authentication at a later point in time.

In the grand scheme of things I think that virtual keyboards are a waste of time. Theoretically they can protect from some simple keyloggers, but in practice no significant attacker uses such primitive keyloggers. IMO virtual keyboards are largely just a marketing gimmick because they make people feel more secure. OTPs can be effective at preventing keyloggers from stealing a password that can be used for future authentication, but they wont protect you from the attacker spying on your keystrokes.

You should certainly encrypt your entire disk. It is more important to use GPG for communications and Tor to protect from traffic analysis, but FDE can protect from sloppy attackers in certain circumstances. At the end of the day if you are a primary suspect and your attacker has the slightest clue what they are doing, Truecrypt will not protect you much, but if they have no clue what they are doing it could save your ass, and if you are a vendor it could save the asses of all of your customers. Usually they have no clue what they are doing too .

I doubt FM only had 3,000 transactions, and it was actually one of the oldest internet drug markets ever if you consider all of its previous incarnations. SR is probably one of the biggest (in member numbers) named drug networks in the history of the world, if not the biggest. But TFM was the biggest online drug market prior to it. It used to be that a forum with a few thousand members was considered enormous, before that a forum with a few hundred members was. The online drug scene is experiencing a truly exponential growth rate.

good keyloggers can see the screen too