Silk Road forums
Discussion => Security => Topic started by: mrnoname on July 29, 2012, 05:18 am
-
looking for a side burner phone and i heard metro has the best deals but im only going to use it for mass texts when i re up and simple calls lasting 2-3 min 20 tops a day, metro is owned by the police department?
what are your choices and input for a solid side phone for dealing that is the cheapest and most anonymous?
gogogogogoggogo
-
the cheapest android phone, that you can make encrypted end-to-end calls on. Otherwise choose carrier with most customers in area.
-
the cheapest android phone, that you can make encrypted end-to-end calls on.
Looks like we have an answer.
-
the cheapest android phone, that you can make encrypted end-to-end calls on.
Looks like we have an answer.
+1
In fact ANY phone that you can make *free* encrypted end to end calls on. Through Wifi.
Does anyone have any suggestions? This is a really good question and the hardware is there - but what software do we use.
Silent Circle costs money (when it comes out)
Here are some links for encrypted VoIP:
http://www.cellcrypt.com/
http://zfoneproject.com/ <- good
But yeah, what hardware will run the software is the question. Also, what hardware/software combo is the best to use?
Some one with actual real world experience please give us some information on this topic.
I personally don't trust anything other than GPG/PGP and OTR. zfone is good _IF_ you can find hardware that will run it (cellphone)
-
What encryption methods are there besides ones where both users must install encryption apps?
-
For mass texting, aren't there online services you could access via Tor and pay with a virtual credit card or even in bitcoins?
If you're using such a service from a carrier, once more, ensure you access a web proxy as a front behind which you're using Tor. Then depending on the level of introspection the carrier has, they either think you're a dude who wants to do mass texting, a dude who wants to be anonymous and wants to do mass texting, which is not exactly illegal, but they don't know that you *really* are an anonymous dude that wants to do mass texting and tracking or picking up server log files is a dead end.
Protip: Either take the batteries out of your phones until usage and ensure they're charged, or else you pop them into a Faraday Bag (each one inside a smaller Faraday cage pouch). This makes cellular tracking and remote microphone activation completely impossible.
Also: Look into steganography and the plausible deniability of pornography.
-
holy tits you guys are informative!
i have never heard of encrypted calling....i have a gx2 which is a decent high end phone but i have been pushing bud on it for like years and getting spooked......
most of my orders are through text i usually call them once i arrive at said destination...
so the online thing might be tricky cause i get contacted first so would there be a 3rd party internet source number i give them so when they need product they can text it and it will be forwarded to my phone? and for encrypted calling not ALL customers have smart phone which is kind of tricky.
i just want to make sure i have no loose ends cause the end you control when you get caught, skip a precaution add a risk....
-
texting is one thing
voice communication is another. I'm looking for a FREE app that works on a p2p basis (no server to connect to) that allows VOICE communication
Silent Circle looks good, but it's not free and doesn't appear to be p2p
-
Use simvalley phones (throwaway phones cost 15€ max) and prepaid cards from retailers where you can register online. reg them through tor, only text never call...if you get enough customers to use them as well texts between same prepaid cards are often cheaper or for free...
But as you are working streetlevel there is of course a lot of risk associated because you have to use coms which your customers can use.
Our advice ..stop streetlevel and begin doing some kilos once a month only for a few hrs..you can make any precaution you want but in the end some sucker will snitch you out..
no stress, only personal meetings ..these meetings are settled only face2face weeks in advance...no phones.. product & cash always in separate meetings..you can't do any wrong with that...
-
For android redphone is opensource and very good voice implementation.
and for text use textsecure.
Those are 5star rated products from our perspective..
-
and always use prepaid cards or free wifi..root the phones and where possible encrypt them..
-
Or..you could buy a scrambled satellite phone.
-
If you are in range, cricket has cheap phones you can just throw away. For less than 40USD. It recycles numbers and you can activate it without any info.
-
I don't think redphone was released yet to the android store, it's the only end to end encryption I would trust.
Same guys also made TextSecure which is available and encrypts texts but only if both of you have it.
I would stay away from phones. If it's just for petty street dealing then sure any burner phone should work but for any serious trafficking a phone is insecure. In Canada they are handing out 20 year sentences for 'Cocaine conspiracy' for idiots talking on a recorded phone or to a police informant. The informant doesn't even have any cocaine just needs to hand over baby powder and can arrest/slam dunk the case.
Now if you organized your cocaine lines using encrypted anonymous SILC irc or jabber, no cocaine conspiracy charges.
-
holy tits you guys are informative!
i have never heard of encrypted calling....i have a gx2 which is a decent high end phone but i have been pushing bud on it for like years and getting spooked......
Not surprised. Most people working the street don't last five years. You're lucky you came here first, you should read this forum in-depth and study up for your black market diploma.
http://dkn255hz262ypmii.onion/index.php?topic=18761.msg188503#msg188503
most of my orders are through text i usually call them once i arrive at said destination...
You only have the incompetence of law enforcement to thank for your freedom because your transaction protocol is F2F. You need to study PolyFront's analysis of dead drops. I think the hidden service is down, but if you search my posts and use the keyword 'dead drop' you'll find an informative thread, double posting for good measure;
Project PolyFront::
Product Transfer Topologies:
Smuggling organizations use one or more of the following product transfer topologies; face to face, dead drop or double dead drop.
The face to face (live drop) topology involves a person either going to a source or going to a destination, exchanging money for product, and then returning to their base location. This topology is commonly used by inexperienced networks and low level dealers. The face to face topology is insecure for a variety of reasons. The primary reason that face to face transactions are insecure is due to the risk of dealing with an undercover or an informant and controlled buys (stings) or sells (reverse stings). In a face to face transaction, a vendor must hope that they never deal with an informant or undercover agent because if they do they have zero security to protect themselves from being arrested or identified for further intelligence gathering. Another serious disadvantage of the face to face topology is the fact that product may be vulnerable in transit for significant periods of time. This is the case both with large buys being brought from one geographic area to a more distant geographic area, as well as smaller amounts of product being brought to many destinations within the same geographic area.
The dead drop topology is an improvement on the face to face topology and is ideal for secure local distribution. In a dead drop model, Alice drops (usually shoves a hollowed out spike filled with product into the ground) the product at a given location and records the GPS coordinates. Alice can now give Bob the coordinates, and by using a GPS device Bob can quickly locate the product and make a pick up. GPS is a receive only technology so there is no risk of Alice or Bob being subjected to geopositioning attacks due to the use of a GPS device.
If Alice maintains her pseudonymity/anonymity in other areas (EX: Tor for communications, Bitcoin for financial) , dead drop product transfers offer her tremendous advantages over face to face product transfers. As Bob can no longer determine Alices real identity, or even come into contact with her, Alice is significantly protected from all human intelligence based attacks (informants and undercovers) and the threat model changes to focus on the harder to exploit technical security models (signals intelligence, financial network analysis, etc). Although a malicious Bob can not easily identify Alice if dead drops are used, a malicious Alice can identify Bob. This can be expressed as follows; 'an attacker can move down, but not up'. However, dead drops also have advantages for Bob; for one there is very little risk of interception compared to the double dead drop topology. Also, dead drops do not require Bob to open a box with fake identification or get product sent to an otherwise limited number of boxes in his geographic area. Dead drops also have disadvantages over double dead drops, primarily they are only suited for local product transfers. Long distance dead drops have the same risk of interception in transit as face to face product transfers.
Another product transfer topology is the double dead drop (parasitic smuggling). In this model, Alice will drop product (at a mail box, for example) and then a neutral carrier (mail delivery service) will bring the product to another drop location (mail box) where Bob will pick it up. Double dead drops maintain the primary benefits of single dead drops; Alice is largely protected from human intelligence attacks if she otherwise maintains her anonymity. As with single dead drops, the attacker can move down the network but not up.
Double dead drops also have a variety of advantages and disadvantages as compared to single dead drops. One of the disadvantages for Bob is his requirement to either open a box with fake identification or otherwise locate a box or location suitable for having the product shipped to. Bob may do surveillance on a random house and determine the occupants schedules, by doing this Bob may be able to determine a suitable shipping location with out the requirement of opening a box himself. An advantage of double dead drops over single dead drops is their ability to transfer product over large geographic distances. Another disadvantage of the double dead drop is that the product is vulnerable to interception while it is in transit, customs and postal inspectors actively screen for contraband in the mail system (although due to the very large volumes of mail, they are incapable of detecting much of it, particularly if it does not pass through customs).
The increased risk of interception may be countered by having the ability to detect interception. This can in some cases be accomplished by monitoring the tracking however it is a bad idea to rely on this method of interception detection. A more sophisticated method of detecting interception is the use of technology. By creating RFID devices attached to photovoltaic cells with volatile memory chips, interception can be detected prior to picking up product. The interception detecting devices store a state in memory which can be made to transmit after a period of time. Battery powered RFID tags can transmit a signal over one hundred feet. By configuring the devices to wipe the volatile memory if the photovoltaic cell is triggered, we can detect interceptions. If customs opens the package, the photovoltaic cell triggers a wipe function and clears the key stored in memory. By using a wand to scan for the signal produced by the key, you can thus determine if your package was opened between the vendor sending it and your box (No transmit = opened or RFID tag removed ... Transmit = not opened and RFID tag in place). Customs will not be able to replace the state of the volatile memory after triggering the wipe sequence. More sophisticated devices can also be made in order to trigger upon oxygen and other stimuli. These devices can be created for small sums of money and are quite small.
(Note: It is more precise to say that product moves 'outwards' away from the source, and money moves 'inwards' toward the source)
Product transfer can be seen as taking place over a hierarchical pyramid, from top level suppliers to bottom level consumers. This is true of all distribution networks. A vendor can securely transfer product by using either the dead drop or double dead drop topologies. Additionally, measures can be taken to protect the customer (EX: Avoid mail flags, interception detection technology, fake documentation to open boxes, etc).
Pine Notes::
There's at least five additional methods of securing the buyer's anonymity or security in a very big way [instead of using a naive dead drop, which is a very dangerous idea]. The first three are only applicable for smaller quantities of product, and the others are for larger quantities.
1. You can 'fake' a dead drop. That is; you can just walk up relatively close to the dead drop area e.g. within 10 feet, and pick up the 'contraband'. Then you can just walk off.
Of course, you picked up nothing except some object you carried along which was the same size/appearance as the item you expected to really pick up.
Then, you can wander away. Content in the knowledge that if you're going to get arrested then you've nothing on your person and there is no evidence that you picked up contraband. Once you're happy, having waited a few minutes, hours, days, even weeks, you can pick up the real cache later. This stretches any LE resources to the absolute zenith. Simple but highly effective.
2. You can 'double-fake' the dead drop. That is; you can either do No.1 more than once, or you could send a pal to fake the dead drop in the first place. They can't possibly be implicated so there's no reason for them to worry.
3. You need not really worry about CCTV, hidden cameras etc. Use a hat, sunglasses and swop your clothes + get a new cover bag for your things in a toilet somewhere. Simple, but highly effective, esp. in densely populated metropolitan areas. There is no image recognition technology I am aware of that can circumvent this. Even human eyes trained on you from A to B find it almost impossible to counteract. And did I mention that your pal could be awaiting you in the same restroom? (you could swop clothes/bag here for yet another red herring).
4. You can use technology too! If the seller puts a cheap RFID chip into the cache, you can use a scanner to detect whether the cache is legitimate. Basically the tag is sensitive to interference (shop lifting tech) in some manner, so that it is only if the vendor is in cahoots with LE that the cache could be compromised. There is an entire universe of technology which could be adapted to this method, only imagination is the limit. This has been discussed many times on this forum, just search for RFID.
5. Let's say the RFID tag thing fails completely and there is a tracking device in the cache (a very likely attack vector against dead drops once LE wises up). This is actually trivial to circumvent, you just need to pop the cache into a Faraday Bag. These devices look like regular bags, except that they prevent *any* signal from getting in or out of them. Microwaves, radiowaves, you name it. It's the communications equivalent of carrying a lead safe around, but much more fashionable. *Boom*, off the radar. This in combination with restroom swop mentioned before would bamboozle even highly tech proficient and intelligent LE.
6. For large deliveries, you can of course deposit fake caches and real caches and mix them up.
--
And I'm sure there's plenty of other ideas out there too.
The only problem I can see with this is some kinds of tracing technologies that aren't about communication e.g. dyepacks, radioactive markers etc
However, all of these technologies I can think of seem very local, you'd need to be quite close by in order to detect their presence by sight, geiger counter etc.
so the online thing might be tricky cause i get contacted first so would there be a 3rd party internet source number i give them so when they need product they can text it and it will be forwarded to my phone? and for encrypted calling not ALL customers have smart phone which is kind of tricky.
i just want to make sure i have no loose ends cause the end you control when you get caught, skip a precaution add a risk....
Why not setup text forwarding to a Tormail email or other email account that you access only through the Tor network instead of to your phone? As for encryption, that is a matter of education for your customers. You cannot use 3rd party services for such things. Perhaps it would be easier to show them individually how to steganographically encode a message in a picture (it is extremely simple) and then either email that or send via phone using forwarding such that it winds up in your email account you access via Tor.
Personally though I think phones are a bad business however you look at it in terms of expense and security. Better to have your customers sending you PGP encrypted emails relayed to your Tormail account, I mean who doesn't know how to use email Jesus Christ. Maybe if your customers aren't smart enough to use PGP they shouldn't be your customers, seems like a good filter to me. Sure you'll have to show them how to do it, but it's a long term investment and they can show other people how to.
Finally, you don't have to give them your Tormail account, you can just give a different email address to different people (also a useful compartmentalization security precaution since you know who's giving what information to who). I recommend using some foreign websites that don't speak english (google translate FTW) ex-USA to setup the forwarding features of webmail accounts and then changing up the email addresses periodically depending on your degree of paranoia.
-
Our advice ..stop streetlevel and begin doing some kilos once a month only for a few hrs..you can make any precaution you want but in the end some sucker will snitch you out..
Or..you could buy a scrambled satellite phone.
I would stay away from phones. If it's just for petty street dealing then sure any burner phone should work but for any serious trafficking a phone is insecure.
Now if you organized your cocaine lines using encrypted anonymous SILC irc or jabber, no cocaine conspiracy charges.
All of this is sound advice. You need to do your homework and radically change up your operation. I find it helps to write a business plan. Helps you brainstorm and come up with good procedures. Maybe there are evening courses for this kind of thing in your area?
Some notes:
Study dead drops. Look at something like those Iridium sat phones (acquire anonymously!) because they would be awesome as a back-up strategy. Of course they are expensive, but so is the opportunity cost of obtaining a criminal record/going to prison, think of it as insurance/investment. Make up a budget and see how much you have to spend and what is the most effective way of investing it. Do not use Skype. Skype is almost certainly compromised by the Microsoft deal, if it wasn't before that it sure is now. Use something like Jitsi instead. Also, if you really must make a phone call, look into voice obfuscation technology so you sound like Batman (weirdly effective way of obtaining respect) :D
-
If anyone`s looking for Iridium sat phones (scrambled) I got a pair...
-
Ok, let's see... This is just off the top of my head and not exactly tested
Anon cloud server --> Asterisk --> sipdroid
Everyone attaches to Asterisk via hotspots and can dial each other.
Does not use standard cell networks. Not sure but I think you can use TLS with sipdroid and I know you can with Asterisk.
Non-standard voice communication with encryption should make it hard to trace, add in the use of hotspots or open wifi routers and you should be untraceable with a simple way to hook up and make a call. Gives your dealers a way to contact you and keeps the communication private.
I wonder if you can use SIP over Tor, now that would be interesting!
-
im having a seizure of information...phew
-
the cheapest android phone, that you can make encrypted end-to-end calls on.
Looks like we have an answer.
+1
In fact ANY phone that you can make *free* encrypted end to end calls on. Through Wifi.
Does anyone have any suggestions? This is a really good question and the hardware is there - but what software do we use.
Silent Circle costs money (when it comes out)
Here are some links for encrypted VoIP:
http://www.cellcrypt.com/
http://zfoneproject.com/ <- good
Cellcrypt also costs money, but you can run your own server(s).
Any VoIP client which supports ZRTP is good, that's the protocol that Zfone uses. Zfone itself is abandoned (Phil dropped it, just like he did with PGPfone and Silent Circle is his latest endeavour with Jon Callas and a couple of ex-SEALs).
The advantage with ZRTP (and SRTP, ideally use a client that supports both) is that you can guarantee end-to-end encrypted calls with anyone using any client that also supports the same protocols. Which means if you use it on an Android phone you may be speaking to someone using their laptop or other device.
-
Honestly the best burner phone (and I didn't use it for drug dealing- I was moonlighting a second job that was a semi COI) is the $8 Virgin Mobile phone from 7-11. Uses Sprint's network, and while it's basic as fuck (phone/text/may have email now on the $20 model).
You get a real number, comes with minutes, no real info required to buy/activate it, and it comes with something like $10 of credit (100 texts of 200 minutes).. They're on the Sprint PCS network, and they're true burner phones. Spend $10, activate it under some bullshit name, when you're done, just chuck it in a dumpster.
-
I would strongly advise against using any kind of smart phone, especially those running Android. First of all, in order to utilize end-to-end encryption for a phone call, the person on the other line needs to be running the software too. If you are only using this phone to communicate with your connects (no public exposure of your phone number) and they are willing to go through the trouble, go for it. If you are looking for a phone to make sales on, then forget it. I doubt your customers will want to deal with it.
Android phones are dreadfully insecure. They are perhaps the easiest modern phone to hack, either locally or remotely. Other smart phones are a bit less susceptible, but in the end they can all be turned into remote bugs by LE. All they do is go to your carrier, who then sends the police malware to your phone via remote management updates. Then the cops can turn on your mic and listen to everything you are doing whenever they want, whether you are in a call or not.
If you need a phone to make quick phone calls or texts so that you can meet people, just go to K-mart or whatever and buy the cheapest, simplest prepaid phone they have with CASH. Metro PCS is fine, and so is Tracphone and anything else. Get one of those $30 phones with like 80 free minutes, use it up, then destroy it and buy another one. Don't be afraid to conduct less sensitive business via text either. Service providers don't store the messages for too long (AT&T prepaid only stores them for about a week), they are way cheaper than prepaid calls, and there's no proof you actually sent them.
-
1) you guys are fucking so awesome and informative .....
2)my MAIN phone ive been dealing off is an android gx2
i was thinking metro....it's 80$ to activate and you can pay online .....or at amscott, i would like to pay with a credit card, but idk if they would save your credit card name and see that the name on the bill is different so that might be stupid i guess it always has to be cash, which isnt too big of a problem....just wish of a way around it.
but its only 25$ a month unlimited call/text at metro so i could get a decent phone, activate it then pay it in cash online or at amscott and it be unaffiliated with my i.d i just heard metro stands for metro police cellular service or some shit, maybe the k mart is better....hmmm.
you guys have a lot of useful info it kinda mesmerizes me haha
-
The dealers I know get cheap unlocked motorola phones (they're $30-40) and then get Simple Mobile. You go to a local reseller and sign up, all they need is your name and last name but you can say anything and don't need to show ID. You buy a month using cash when you register the sim card at the dealer and then from then on you can either keep paying cash or even use BTC:
http://btcbuy.info/CallingCards.cshtml
You can just keep changing sim cards (numbers) every month if you're really paranoid because there are so many resellers.
-
Ohh man I had the best idea ever! I wish I had a team of Cryptologists to get it going.
-
Ok Guys, looks like I found one!!
http://dont-tread-on.me/?p=20301
Guardian project’s OSTN
OSTel
https://guardianproject.info/2012/07/05/a-network-analysis-of-encrypted-voice-over-ostn/
fuck yeah people. This is the one you want (need). You need a droid phone for this.
-
I read the post from pine about Project PolyFront,
Is there any company that sells RFID devices that can be attached to a package?
It will be very nice to use RFID before picking up some stuff.
-
Or..you could buy a scrambled satellite phone.
No. I'm pretty sure you're just joking here. But, just, no.
Satellite phones are simple GSM phones and are monitored by everyone. All the time.
-
How to do free anonymous texting:
Go someplace out of town (doesn't have to be too far away, just preferably not your local city)
1. Go somewhere that there is free WiFi and a payphone close by.
2. Setup a free GMail account & then use your GMail account to login to Google Voice (voice.google.com)
3. When setting up your Google Voice account, use the pay phone number, and have Google Voice call the payphone to confirm your account.
4. Select the option to get a free Google Voice number that will forward to your real number (in this case the pay phone)
5. Once it is setup in the Google Voice settings, un-check the payphone number to no longer have calls forwarded to this number.
Now you can login to Google Voice from any web browser to send/receive free text messages with the Google Voice number, and you may do so using Tor after the account is registered using a public WiFi connection.
As for encrypted VOIP, the end to end encryption applications are pretty much useless unless all of your clients are also using the same exact software as you which I highly doubt they would be using. You might consider using an anonymous VPN service like Trilight Zone http://www.trilightzone.org/ and configure your VOIP software or device to connect through VPN. It would at least provide more a layer of anonymity and would encrypt the call between you and the VPN server so that your ISP couldn't eavesdrop on you.
-
You should never deal drugs via text. It's an extremely bad idea.
-
I would strongly advise against using any kind of smart phone, especially those running Android. [...]
Android phones are dreadfully insecure. They are perhaps the easiest modern phone to hack, either locally or remotely. Other smart phones are a bit less susceptible, but in the end they can all be turned into remote bugs by LE. [...]
The sad fact is that feature phones can be turned into remote bugs as well. (E.g., Using wap-sl.)
Even worse, I have circumstantial evidence that the cheap pre-paid phones do not support encryption -- they only use A5/0 and the network accepts that from these phones. To be clear, I was working on something else and I noticed this in passing. I haven't researched this nor have I made any sort of exhaustive study.
Without encryption, it is very easy for LE to monitor your phone without a warrant. (They can do it even with encryption, it is just a lot more expensive.)
Bottom line: burner phones may be more secure; just make sure you burn them regularly.
-
I agree. Some of the older models, like the ancient tracphone motorolas, didn't support remote bugging software unless maybe it was installed locally. You couldn't WAP push malware links or exploit code because the phone was too shitty to run it lol. The cheap burner phones I see now, however, can not only run the software, but many seem to have some kind of framework built in that allows remote bugging and other privacy violations without them having to run any special software at all.
The lack of encryption you mentioned is interesting. Was this recently, and in the US? All commonly used GSM encryption is broken though, including the newer A5/* algorithms. LE can now imitate mobile phone towers in order to tap phones in the field. Some of the tools they use are able to force GSM phones into A5/0 to streamline the data collection process, so it's possible that you came across this kind of tap (or just someone messing with GSM).
For the average mid-level dealer, burner phones should be destroyed after whatever talk time they came with is up. DO NOT reuse the same phone with different SIM cards, especially since phones with included airtime are so damn cheap. The phone company (and thus LE) can easily determine that you are changing SIMs by tracking the unique IMEI number assigned to each handset. Just don't buy a droid or iOS device and use it for a year thinking encryption software or whatever is going to shield you from an insecure, closed OS. Even for droid and iOS buffs that know how to lock down their OS, it's just not worth the trouble. Use PGP and burner phone if at all possible.
-
You'll all probably find this (clearnet) link of interest then:
http://www.cellcrypt.com/gsm-cracking
-
i like the google voice idea.
my problem is i have like 25-30 customers getting texted and called on the regular and have been pushing bud for around 4 years lots old and young and dont have smart phone or know anything about encryption and to require everyone to do certain things i feel like would just make me lose customers considering everyone and their mother sell bud especially in this town, and i have not had any encounters fortunately with LE.
i just wanted to collect reliable information to avoid LE.
-
I've been investigating google voice as well.
For everyone's consideration.
http://lauren.vortex.com/archive/000979.html
So, I've decided to try this route, I'm going with the tablet as opposed to the phone since I think the tablet will be more useful to me but I see no reason why this can't be adapted to a phone as well. Coupled with TOR and good opsec regarding the making of a stand alone google account through TOR. I'm curious to find out if the tablet will leak any info, such as SSID of the access point or such.
http://www.teamandroid.com/2012/07/29/fix-orbot-tor-android-41-jelly-bean-devices/
I also like the idea of a network of TORified asterisk servers. That bears some further investigation I think.
-
USB VOIP phone $20.
-
SMH paying attention.
-
I still don't understand why people are trying to get so in-depth with this shit. It's very simple. Like a few have said before, just buy the most baseline prepaid at a convenience store or Wal-Mart or whatever, activate with some bullshit registry info (if that's even required), only communicate through calls (not texts), trash that shit when you run out of minutes, and repeat. Simple as that, really. I have been pushing for a LONG time and this process has never once let me down.
-
the cheapest android phone, that you can make encrypted end-to-end calls on.
Looks like we have an answer.
+1
In fact ANY phone that you can make *free* encrypted end to end calls on. Through Wifi.
Does anyone have any suggestions? This is a really good question and the hardware is there - but what software do we use.
Silent Circle costs money (when it comes out)
Silent Circle should be starting up in a few weeks. As much as I love Phil, and appreciate what he's done in the past, I wouldn't touch Silent Circle with a bargepole, at least insofar as illegal activity is concerned. Phil was on the Board of Directors of Hushmail when the DEA's Operation Raw Deal went down in 2007. At the time, Phil defended Hushmail, saying they had no option but to cooperate, as they weren't a sovereign country. On Silent Circle's web page, they make mention of having servers in Canada, allegedly out of the reach of American authorities.
Please remember people, this was the very same claim that Hushmail users relied upon, until the DEA made use of the MLAT agreement between the U.S. and Canada to force Hushmail to knuckle-under. Anyone foolish enough to use Silent Circle for drug-related activities may find history repeating itself. (Neither Phil, nor anyone else for that matter, is going to risk going to jail to protect users of their service who are engaged in illegal activity.)
Here are some links for encrypted VoIP:
http://www.cellcrypt.com/
http://zfoneproject.com/ <- good
But yeah, what hardware will run the software is the question. Also, what hardware/software combo is the best to use?
Unfortunately, the Zfoneproject is dead. If you go to the download page, you will see the following message:
Problems with Our Download Server
29 January 2011 - Sorry, but our download server is offline. We were using a download server at PGP Corp for many years, but they were acquired by Symantec in June 2010, and yesterday their download server became no longer available to us. To replace the special functionality of the PGP download server, we need to set up a new download server that is compliant with US export controls. It will take some effort to set up another server with all the "due diligence" checks in place, so this may take quite a bit of time to resolve.
We will remove this error notice when the problem has been fixed.
When we get the new download server running, it will have to implement all the due-diligence measures that PGP Corp used on their server. Their server checks your IP address against the list of embargoed countries (for example, Iran, North Korea, Syria, Sudan), then emails you a link that you must click on to start your download, and checks your IP address again when you follow that link, which presumably means you did not receive your email in an embargoed country, and that the download itself did not go to an embargoed country. The U.S. Government deems this as adequate evidence that we made our best efforts to comply with U.S. export laws, which keeps us out of trouble.
Older versions of Zfone are still floating around the net, and can be downloaded if you look for them. The major problem with Zfone, not to mention all of these other solutions, however, is that while your calls may be private, they are NOT anonymous. The authorities will know that calls were made, and that calls were encrypted. Someone making encrypted calls to 20+ numbers per day is going to fit the pattern of a drug trafficker. They may not be able to snoop on your calls, but this pattern will stick out like a sore thumb -- it is almost guaranteed to attract unwanted attention.
Some one with actual real world experience please give us some information on this topic.
I personally don't trust anything other than GPG/PGP and OTR. zfone is good _IF_ you can find hardware that will run it (cellphone)
Personally, I trust GPG. I don't use IM of any kind, even with OTR. Zfone is good, but bear in mind what I said, above.
-
My questions low level.
1. "Faraday Bags"....wouldn't taking out the battery and powering on the phone work the same? any charge would be gone no? no charge then no GPS or etc.
2. tmobile vs AT&t vs metro. which prepaid? forget boost/sprint as i dont trust them.
2. txt vs call. it seems to me texts work out better as if you have a lock code on your phone or have it encrypted if it's a higher end phone then they never have your voice. no voice no case? i mean you can swing some real bullshit story you found the phone and etc. if it's a burner and you pay a good lawyer. Also clearing all texts and records off the phone is very good right before you do a drop.
3. voice changers. Since a lot are main brand then couldn't a voice be unscrambled if you use a default setting? i mean the pitch changes can be found and then you just undo it.
4. what's the best old sim card USA phone? unlocked or what have you. As i get the older the phone the less of an issue. i'm talking 1999 type phones.
How to do free anonymous texting:
Go someplace out of town (doesn't have to be too far away, just preferably not your local city)
1. Go somewhere that there is free WiFi and a payphone close by.
2. Setup a free GMail account & then use your GMail account to login to Google Voice (voice.google.com)
3. When setting up your Google Voice account, use the pay phone number, and have Google Voice call the payphone to confirm your account.
4. Select the option to get a free Google Voice number that will forward to your real number (in this case the pay phone)
5. Once it is setup in the Google Voice settings, un-check the payphone number to no longer have calls forwarded to this number.
Now you can login to Google Voice from any web browser to send/receive free text messages with the Google Voice number, and you may do so using Tor after the account is registered using a public WiFi connection.
As for encrypted VOIP, the end to end encryption applications are pretty much useless unless all of your clients are also using the same exact software as you which I highly doubt they would be using. You might consider using an anonymous VPN service like Trilight Zone http://www.trilightzone.org/ and configure your VOIP software or device to connect through VPN. It would at least provide another layer of anonymity and would encrypt the call between you and the VPN server so that your ISP couldn't eavesdrop on you.
i like that idea and anyone can twist it to what they need
-
burner phones don't make any sense, u got 30 clients and u suddenly up and change ur number, do you txt them all ur new number? how is that secure or anon in any way? why not just secure ur setup since the beginning and only use chat+otr over tor. i mean who the hell uses their phone to talk anyways.
-
Disclaimer: I didn't read any of this thread.
I just have to say, though... phones are dumb. I 'get' you need to communicate with certain people — partners, clients, etc — but there are other creative and more secure ways to do that. Are they as convenient? No. But convenience is often what will get you caught.
.Hades.
-
Isn't the whole purpose of burners to combat against CIs? I mean LE isn't going to know what you are up to unless they have some outside information. Once you are done with the burner you obviously need to notify your "clientele" that you changed your number. Isn't that a bit counter-intuitive? I guess I really don't understand how burners add security other than people not knowing your "main" number.
-
If LEO have gotten to the point of tapping ur calls then they already know who you are and what you're up to and are just trying to collect evidence at that point. voice encryption and burner phones only work if everyone using it has their shit straight, which 99% of the time isn't the case. what do you think the NSA got in trouble over with ATT when everyone found out they were tracking calls, they weren't tapping the convos, they were creating maps of cell phone connections to figure out terrorist networks. if ur contact ever becomes a suspect you automatically become a suspect by default. be smart, use tor.
-
My questions low level.
1. "Faraday Bags"....wouldn't taking out the battery and powering on the phone work the same? any charge would be gone no? no charge then no GPS or etc.
No it's not equivalent. This is a good question. Phones these days will inform HQ that 'the battery was removed' with a timestamp when they power back up again. You want to prevent any anomalous behavior if you're using burners. Removing a battery is a highly suspect act if it's frequent. If they are inside a Faraday cage of some kind then it's just like you walked into a building with poor cell reception or your car went into a tunnel or something like that.
But you shouldn't be using burners except for emergency situations, basically when you believe your comms are compromised and you need to inform your operatives ASAP to get out of Dodge. Masterblaster is correct, using burners in a casual way to keep in contact with distributors or update clientele doesn't make sense, there are better solutions.
-
My questions low level.
1. "Faraday Bags"....wouldn't taking out the battery and powering on the phone work the same? any charge would be gone no? no charge then no GPS or etc.
No it's not equivalent. This is a good question. Phones these days will inform HQ that 'the battery was removed' with a timestamp when they power back up again. You want to prevent any anomalous behavior if you're using burners. Removing a battery is a highly suspect act if it's frequent. If they are inside a Faraday cage of some kind then it's just like you walked into a building with poor cell reception or your car went into a tunnel or something like that.
But you shouldn't be using burners except for emergency situations, basically when you believe your comms are compromised and you need to inform your operatives ASAP to get out of Dodge. Masterblaster is correct, using burners in a casual way to keep in contact with distributors or update clientele doesn't make sense, there are better solutions.
So, what is the best way? Get all involved parties to register with tormail, send encrypted conversations through that and maybe text their cell that reads something like, "Check your mail", when you need to engage in a conversation?
-
I read the post from pine about Project PolyFront,
Is there any company that sells RFID devices that can be attached to a package?
It will be very nice to use RFID before picking up some stuff.
Sorry didn't see your post there. You'll have to roll your own basically. There are lots of companies that sell RFID equipment, you just need to look around for the right solution. It is better we don't recommend specific solutions to each other in this regard if you're into this type of thing, because it could turn into a red flag to bust you. I think RFID tags are best in the context of dead drops, maybe not so much sending them through the post.
So, what is the best way? Get all involved parties to register with tormail, send encrypted conversations through that and maybe text their cell that reads something like, "Check your mail", when you need to engage in a conversation?
Yes that is one way, except without the sending people text messages with "check your mail". Just send people some random bullshit like "can you pick up my library book" or "are you going to the party tonight", but this back and forth is completely bullshit, randomly made up at a spur of the moment and all it is, is a signal to check your email. Alternatively you could simply be rigorous and arrange for everybody to check their email at a certain time per day. 1pm, 6pm and so on. Some arrangement like that would be much better if you can manage it. It is kinda rare people need like "real time access" to weed, that's just putting convenience in front of security. You have a responsibility to train your customers up so that they know what is what. This way any unpredictable red flag behavior from your clients or dumbasses who can't learn the system don't cause problems for you. This may actually be the greater security precaution of them all! Stupidity is the greatest security liability of them all. Compare Topix to SR. I look at Topix and think: that explains homicide statistics.
-
I'm not sure if it's been mentioned, but if you have an iPhone I recommend Wickr, it's an app that uses 256AES encryption to send text messages between accounts.
It's simple to sign up, free, and developed by people who are behind the defcon convention.
Much Love,
Rocker
-
Thanks for the info rocker! I'm on the app store now. And I think the iOS is one of the most secure systems available.
When SR is up I'm getting some boomies, Rocker!
-
I'm not sure if it's been mentioned, but if you have an iPhone I recommend Wickr, it's an app that uses 256AES encryption to send text messages between accounts.
It's simple to sign up, free, and developed by people who are behind the defcon convention.
Much Love,
Rocker
Wow! That is a great tip. Thanks Rocker!
-
I've been building and selling secure phones locally for a while now, because nobody here trusts blackberry anymore. The phones are based off the NSA goldfish phone, which was a regular android build they stripped down and altered for Suite B cryptography. Google 'goldfish NSA phone' you'll end up at a site where they have an entire blueprint how to build your own secure device for Suite B compliance. I'd link it, but probably a bad idea linking the NSA website directly from SR and feeding them a ton of tor traffic. :)
The only thing I changed from that NSA guide was to not use a centralized server with IpSec, instead used end to end encryption and ditched the central server which in this business is essential. Sure the NSA can protect their enterprise servers from being seized but none of us can.
If you can't build your own source with SEAndroid kernel then just get cyanogenmod rom and rip out bluetooth.apk, NFC, GPS, camera etc. though it would be much safer to build it from AOSP source and not include those vendor libraries and packages at all, guaranteeing nobody can activate the camera or gps. Then install Redphone, Textsecure, Orbot if you want tor, encrypt the entire /data partition with android settings for FDE using a decent high entropy pass and good to go. Can also use an ipsec VPN to further tunnel all traffic preventing timing attacks. Redphone works flawlessly on my device through a vpn, and it's doing end to end encryption, so the vpn is just an extra layer. The NSA recommends 4 layers, the SRTP sip protocol, then 3 ipsec vpn's on top of that all using different encryption ciphers, and all on different machines. Redphone isn't using sip and has a safer encryption scheme than Asterisk and other open source tel programs, also james bond isn't coming after your calls you're pretty much g2g with just using Redphone for street dealing. Another bonus with Redphone is it's impossible to prove who called who.
If you build your own source you can add in special troll features to piss off forensic contractors and cops like automatically wiping the /data and /cache partitions whenever somebody plugs the phone into a usb. Can also rewrite the bootloader and recovery mod so if they try to image or apply an adb sideload they'll get a screen that says 'lolololol device wiped GJGJ'. You can increase the password length from 16 characters too, and run python scripts on the phone using SHA3 encryption without requiring root access. Endless options since you control the phone not some proprietary corporation.
If you're thinking of using iPhones then look up Elcomsoft forensics company and think again. They already bypassed FDE in iOS because of bad implementation, and can brute force lockscreens in a few minutes.
-
I have been pushing for a LONG time and this process has never once let me down.
Same man. Never been close to being caught.
Make rules for yourself, then others, then stick to them
-
Since you'll be using it to communicate with lots of customers who you can't expect to have encryption, an encrypted phone is useless.
I'd stick with the cheapest phone possible, one that has no camera, bluetooth, 3g. Just be able to make phone calls and send sms.
A phone that changes the IMEI every time you put in a new SIM card is recommended. Otherwise, just get a new phone every time you change the SIM card.
It's hard to find a basic phone like that in the US, so you might have to order from overseas.
-
Wow. This information is insane. I really like the post about building your own phones, etc. I feel like the people who will be successful at this for years are those who take these precautions to the umpteenth level. It is always those who cut that one corner who, at some point, get caught. I would like to learn more about the basics of buying, paying for, and using burners to communicate sporadically with bigger buyers. I will not have lots of clientele, just a handful (one per city). Therefore I only need to communicate a couple messages/conversations a month, but I would much prefer that information to be encrypted.
Are there some good beginner threads on this? I want to do things right, from the beginning. No loose ends.
-
Yeah, I think I'm still lost........so I'll just ask.
I send my clients text lists of "available goodies" as I receive them. But if my phone has all the cloaks, daggers, bells and whistles, will that even matter if my clients' phones are just regular monthly payment cell phones?
I'm looking at an AT&T z221, but I'm not sure if that's the best choice.
I have no clue what other steps to take besides get a pre-paid phone and refill it with pre-paid cards. Other than make sure there aren't any cameras when I buy the phone or the cards.......what else should I do? Just the sentence "encrypt your cell phone from end to end" immediately makes me picture rocket scientists working in a lab. I really suck at this. LOL!
-
Former member and Spam Buster, Guru, wrote a detailed post on the potential dangers of accessing SR from a mobile device. Unfortunately, Guru recently decided to leave the forum for good and never return and as such, deleted all his posts. I couldn't find anything he had written. However, I did find this interview with independent security researcher, hacker, and privacy advocate Jacob Appelbaum, who among other things, talks about mobile phone security. Here is part of the interview and a link will be posted below for the full interview.
Resnick: What should we know about cell phones? It’s hard to imagine going to a protest without one. But like all networked technologies, surely they are double-edged?
Appelbaum: Cell phones are tracking devices that make phone calls. It’s sad, but it’s true. Which means software solutions don’t always matter. You can have a secure set of tools on your phone, but it doesn’t change the fact that your phone tracks everywhere you go. And the police can potentially push updates onto your phone that backdoor it and allow it to be turned into a microphone remotely, and do other stuff like that. The police can identify everybody at a protest by bringing in a device called an IMSI catcher. It’s a fake cell phone tower that can be built for 1500 bucks. And once nearby, everybody’s cell phones will automatically jump onto the tower, and if the phone’s unique identifier is exposed, all the police have to do is go to the phone company and ask for their information.
Resnick: So phones are tracking devices. They can also be used for surreptitious recording. Would taking the battery out disable this capability?
Appelbaum: Maybe. But iPhones, for instance, don’t have a removable battery; they power off via the power button. So if I wrote a backdoor for the iPhone, it would play an animation that looked just like a black screen. And then when you pressed the button to turn it back on it would pretend to boot. Just play two videos.
Resnick: And how easy is it to create something like that?
Appelbaum: There are weaponized toolkits sold by companies like FinFisher that enable breaking into BlackBerries, Android phones, iPhones, Symbian devices and other platforms. And with a single click, say, the police can own a person, and take over her phone.
Below is the link to the full interview.
http://www.infiniteunknown.net/2012/09/09/leave-your-cellphone-at-home-interview-with-jacob-appelbaum/
Everyone is entitled to their own opinion. Guru first raised these issues and it's a shame he is no longer here to chime in. I won't be accessing SR from my mobile phone, EVER, but if others want to, that's their choice to make. :)
-
Yeah. That's right. This place sucks!
-
lol.
http://silkroadvb5piz3r.onion/silkroad/item/2cfd44dd26
-
There are a few old Nokia models which have an easy way to change the IMEI-code. The IMEI is the phone's ID used in Europe to track the cells of suspects. Don't know if the same thing applies for the US and Asia.
-
All mobile phones have an IMEI (serial) number, regardless of where you live in the world.
-
All mobile phones have an IMEI (serial) number, regardless of where you live in the world.
What I meant was that I am not sure how they track cellphones in other countries. In Europe the cell-tracking/eavesdropping is basically just done by eavesdropping on a cellphone whose IMEI is known by the law enforcement.
There are a few Nokia models from the early 2000s whose IMEI was/is really easy to change, which has caused the models to be in high demand by organized criminals.