Silk Road forums

Discussion => Security => Topic started by: tina on October 26, 2012, 03:29 pm

Title: how do i decrypt from a different computer?
Post by: tina on October 26, 2012, 03:29 pm
Hi. people have been sending messages to my key for awhile now. i have been able to decrypt thwm just fine. just the other day, i had to go on a business trip and only had a different computer available to me.  I downloaded the software, but I couldn't figure out how to decrypt messages for the life of me.

when i got back to my home office, i was able to decrypt them with zero problems.
Title: Re: how do i decrypt from a different computer?
Post by: tina on October 26, 2012, 04:04 pm
Anyone?
Title: Re: how do i decrypt from a different computer?
Post by: manz on October 26, 2012, 04:17 pm
You have to understand the concept of GPG. To decrypt something you need your private key not just a program. Otherwise anyone who downloads the program would be able to read the messages sent to you.
Your private key looks similar to the gpg block (public key you sent when you want your correspondent to enrypt his message) and it's usually in the folder of the program you use.
You could copy that and import it on the program you use on the second computer.
Title: Re: how do i decrypt from a different computer?
Post by: tina on October 26, 2012, 04:24 pm
Great thank you. i will look into it.
Title: Re: how do i decrypt from a different computer?
Post by: Nightcrawler on October 26, 2012, 04:33 pm
Hi. people have been sending messages to my key for awhile now. i have been able to decrypt thwm just fine. just the other day, i had to go on a business trip and only had a different computer available to me.  I downloaded the software, but I couldn't figure out how to decrypt messages for the life of me.

when i got back to my home office, i was able to decrypt them with zero problems.

At the risk of being blunt, reading your message raised the hairs on the back of my neck, as it betrays a stunning ignorance of how PGP/GPG works.

Having the software alone by itself is insufficient to be able to decrypt anything. If that were not the case, then LE could merely download the software and decrypt anything they wished to on any systems they seized.  In order to be able to encrypt/decrypt you need your public and private keyrings. to be installed on your other computer. 

That said, I would advise you, in the strongest possible terms, NOT to place PGP/GPG on it, and ESPECIALLY NOT to put your public and private keyrings on there.  This only goes double if you travel internationally. Customs personnel can, and have,  cloned traveler's hard drives -- if a Customs and Border Protection (CBP) agent were to do this, then they would have copies of your private keyring, and copies of all your email. It would then only be a matter of attempting to brute-force crack your PGP passphrase. Commercial software already exists to carry out this task.  Unless you have taken extreme care, this is usually much easier than many people think.

Furthermore, unless you are careful to prune your customers' keys from your public keyring, the authorities would have a list of people/identities you have been communicating with. 

I simply cannot stress enough just how dangerous this is.

Title: Re: how do i decrypt from a different computer?
Post by: StrangeHands on October 26, 2012, 05:45 pm
Nightcrawler makes a crucial point about public keys. The gpg keyring does not hide these public keys, they are after all public. The problem is that these keys are pseudonymous identities.

They have software where they describe relationships of identities and it draws maps showing the organization of the group. This is a bad thing.

The best way is to get a secure live operating system. I use TAILS, not only does it make sure you don't accidentally do something outside of TOR, but it also makes sure it forgets what you have done.

It lets you create an fully encrypted persistence volume that will hold your gpg keyring and any other files you may need.

TAILS is installed on a USB stick and can be used to boot nearly any computer into a secure environment. It even provides you with a virtual keyboard in case the computer you are using has a hardware keylogger.

If you use this system then your security is as good as your password. For a secure password I recommend you pick at least 4 random dictionary words(don't just pick words, take them randomly from a dictionary), 6 random letters with mixed case, 6 random numbers, and 3 symbols. Take all of these elements and put them in a random order, then memorize it(do not write it down).

If your password is something like "g0verm3nt" or "chickenwing333" then your password will be cracked. Adding letters or changing letters in a word is easily defeated with password fuzzers.

When you make a backup of your USB stick do a complete drive image mirror and if you need to recover write that image to a new USB stick. Do not just send your files to dropbox.

You really need to understand what you are doing to be secure, if you are just following instructions without understanding the underlying security model then you will make a mistake that the bad guys will take advantage of.
Title: Re: how do i decrypt from a different computer?
Post by: Nightcrawler on October 26, 2012, 07:16 pm
Nightcrawler makes a crucial point about public keys. The gpg keyring does not hide these public keys, they are after all public. The problem is that these keys are pseudonymous identities.

They have software where they describe relationships of identities and it draws maps showing the organization of the group. This is a bad thing.

Palantir makes precisely this type of software, and markets it aggressively to government agencies and police. Just look at the documents uncovered by Anonymous during the HBGary hack. This is PRECISELY the type of thing that turns their cranks.

The best way is to get a secure live operating system. I use TAILS, not only does it make sure you don't accidentally do something outside of TOR, but it also makes sure it forgets what you have done.

It lets you create an fully encrypted persistence volume that will hold your gpg keyring and any other files you may need.

TAILS is installed on a USB stick and can be used to boot nearly any computer into a secure environment. It even provides you with a virtual keyboard in case the computer you are using has a hardware keylogger.

If you use this system then your security is as good as your password. For a secure password I recommend you pick at least 4 random dictionary words(don't just pick words, take them randomly from a dictionary), 6 random letters with mixed case, 6 random numbers, and 3 symbols. Take all of these elements and put them in a random order, then memorize it(do not write it down).

If your password is something like "g0verm3nt" or "chickenwing333" then your password will be cracked. Adding letters or changing letters in a word is easily defeated with password fuzzers.

My personal preference is Diceware: http://www.diceware.com/

8-10 Diceware words will be enough to stop the authorities dead in their tracks.

When you make a backup of your USB stick do a complete drive image mirror and if you need to recover write that image to a new USB stick. Do not just send your files to dropbox.

Good 'ol Dropbox. The people who ensured their users that their files were 'encrypted' -- it's just that Dropbox forgot to tell their users, that _they_ held the crypto keys, and moreover, would turn them over to the authorities at the flash of a badge.

You really need to understand what you are doing to be secure, if you are just following instructions without understanding the underlying security model then you will make a mistake that the bad guys will take advantage of.

The  single biggest asset  that LEA has on here,  is the ignorance and/or stupidity of some of the users.  Those users who know what they're doing are few and far between, and I get the impression that some of them are starting to burn-out.  You can only answer the same question so many times, before you can't take it anymore. There are days I come on here, and my blood pressure spikes -- I feel like my head is going to explode -- I want to bang my fist on the desk in frustration!

There are some excellent guides on here (and some that are in the process of being produced). The problem is, nobody wants to take the time to read them, let alone take the time to really assimilate and understand them. People just seem to be incapable of grasping some of the fundamental concepts, such as the difference between privacy and anonymity.

As we've seen with the original poster in this thread -- they just don't seem to have a fundamental grasp of the concepts underlying the primary security tool in their arsenal. One could excuse or forgive this, in almost any other venue, but here?  On a forum where the sales and purchase of illegal drugs are discussed? The mind literally boggles.