Silk Road forums
Discussion => Security => Topic started by: alpine on March 12, 2012, 04:26 pm
-
just wanted to know what people thought about this plan.
1.truecrypt aes/two fish/serpent on all computers
2. all work done from a unhackable, self defending, ironkey flash drive same flash drive used by the Department Of Defense.
3. on the flash drive theres a portable vm liberte linux running from portable virtual box
3. i use a unprotected network to surf while changing my mac address with smac
hows that and if you have any advice its more then welcome thanks, alpine
-
Are you just a buyer or a vendor? Regardless it's pretty solid, it would cost someone a lot of money to get through that security.
-
just a buyer but always looking for new ways to be secure but like you said i dont think i really have to worry about state of the art because i am just a buyer, though you can never be to sure.
-
probably better than 98% of the people on here
-
You got the Pine Seal of Approval (PSA), although I'd recommend a live-usb version of liberte.
To further increase security, you could -
- get a bridge so your TOR traffic is not seen by the ISP, making a much much bigger search space.
- use obufusproxy (diguises TOR traffic as regular web traffic)
At that point, you get the Osama Hide 'n Seek Champion Badge.
-
You got the Pine Seal of Approval (PSA), although I'd recommend a live-usb version of liberte.
To further increase security, you could -
- get a bridge so your TOR traffic is not seen by the ISP, making a much much bigger search space.
- use obufusproxy (diguises TOR traffic as regular web traffic)
At that point, you get the Osama Hide 'n Seek Champion Badge.
How do I "get" a Tor bridge?
-
visit https://bridges.torproject.org/ and pick at most three that use port 443, then tell your tor control app to use them. for obfs2 bridges I grabbed the obfs browser bundle, extracted a list of bridges from there and plugged it into arm.
-
I prefer leave bridges for noblest purposes, like people living in countries without any freedom.
-
Like vendors living in countries without any freedom to sell whatever they want? :)
-
Haha, liked the answer.
But the guy is just a buyer, and he already has a great security system. I don't see how bridges would improve or help it. Maybe if he is in a place that blocks Tor, but it's not the case.
Stimulate everybody who access hidden services to use bridges may kill it.
-
thanks for all the replies makes me feel better now. :) :)
@pine thanks for the badge of approval !! i would do a liveusb but i really wanted to use ironkey as it has security that you just cant get on a normal flash drive but i am kinda going back and forth between live usb and ironkey. unfortunately i dont think i can boot off a ironkey because of its security. and i have a portable virtual box on there but it does not seem to save anything i do so i might just go with any old usb any thoughts on that?
-
I was actually going to post the same question today.
My plan:
- Anon Surfing/Silk Road/Email - Live Liberte USB, if I was forced to give up my pw it's okay because LIberte doesn't store any information (Correct me if I'm wrong)
- Bitcoin/Money - Running Kubuntu on my freshly wiped machine with hidden OS. on the hidden OS have a hidden file container containing VM of Kubuntu with bitcoin wallet. Do all of my bitcoin transactions never going on TOR or SR or any other websites.
Any other ideas would be good, I thought this sounded okay.
Btw, OP I like your idea with the ironusb. If I used TrueCrypt to encrypt the drive would that be just as good, it seems like they use the same technology
**update**
I just realized I can do all of this on the USB stick.
-Run Kubuntu on Encrypted OS, Run Liberte/Kubuntu on multisystem boot US(Hidden OS), keep bitcoin data in an encrypted file container on Kubntu Hidden OS.
-
sounds like a great plan to me!!
to answer some of your questions.
1. the difference between the ironkey and trucrypt are that ironkey has hardware encryption and self defends its self meaning if it detects someone hacking it will basically kill itself with multiple methods including short circuiting its memory meaning data recovery is next to impossible. ironkey has never been hacked. but keep in mind that even the FBI could not break true crypt so it is pretty safe unless you think the CIA or NSA are after you. LOL
2. Correct me if i am wrong but i think if you create a live usb of liberte linux it will save things. becaause i just made one and it saved my text doc i put on the desktop.
3. only thing i would recommend is connecting to unprotected wifi. if theres none around you i would just get a cheap longer range wifi antenna or you could break someones wifi with wep in like 2 seconds lol.
-
thanks for all the replies makes me feel better now. :) :)
@pine thanks for the badge of approval !! i would do a liveusb but i really wanted to use ironkey as it has security that you just cant get on a normal flash drive but i am kinda going back and forth between live usb and ironkey. unfortunately i dont think i can boot off a ironkey because of its security. and i have a portable virtual box on there but it does not seem to save anything i do so i might just go with any old usb any thoughts on that?
Yup, you can't use an Ironkey as a live-usb to boot from. But you can store your Liberte on a regular usb key and encrypt it. Then you can use the Ironkey for any persistent storage you need. It's a little tricky to access Ironkey from Liberte due to Liberte's security precautions, but if you've got this far you'll work it out easily.
-
Hi, I don't want to hijack this thread, but I'd not heard of Ironkey before reading this. Looking at their website, it obviously includes it's own "stealth browser" (based on FF) and it states the following:
"IronKey maintains a secure private Tor network with it's own high-performance servers (separate from the public Tor network). This improves the overall security in at least two ways:
1. Since Ironkey controls the exit-node in your encrypted Tor circuit, we can ensure that no one is injecting unwanted or malicious content into your online communications, such as ads or spyware.
2. Ironkey can also make sure that no exit-node is redirecting your web traffic by providing additional DNS protections. This anti-pharming [sic?] measure can also help mitigate phishing attacks and other threats"
Would there be any benefits, or hazards, to using their "private Tor network" for SR stuff? Seems a bit too good to be true, and an excellent way for LE to connect to a big fat pipe of all sorts of interesting stuff...
-
Why isn't it good to select more than three bridges that use port 443? I was assuming that more bridges means possibly more speed or stability.
443 is for membership concealment since that's the port for ssl/tls which everybody uses at some point. I refreshed my bridge list and got one with port 5555, that's apparently used for a game called rush for berlin (and tor). how many people play rush for berlin regularly, lol?
Also you should select two or three at max and try not to change them too often because this is another membership concealment procedure. The best option of course is to instead use a private bridge which you are running yourself since you are basically immune from non passive traffic confirmation attacks then.
-
Hi, I don't want to hijack this thread, but I'd not heard of Ironkey before reading this. Looking at their website, it obviously includes it's own "stealth browser" (based on FF) and it states the following:
"IronKey maintains a secure private Tor network with it's own high-performance servers (separate from the public Tor network). This improves the overall security in at least two ways:
1. Since Ironkey controls the exit-node in your encrypted Tor circuit, we can ensure that no one is injecting unwanted or malicious content into your online communications, such as ads or spyware.
2. Ironkey can also make sure that no exit-node is redirecting your web traffic by providing additional DNS protections. This anti-pharming [sic?] measure can also help mitigate phishing attacks and other threats"
Would there be any benefits, or hazards, to using their "private Tor network" for SR stuff? Seems a bit too good to be true, and an excellent way for LE to connect to a big fat pipe of all sorts of interesting stuff...
I would also like to know about this. @QTC I'm assuming setting up a private bridge would require running your own server from a different location somehow? Wouldn't it still be traced back to you? Is there any good program or easy way to spoof a mac address on Lion? Im not so good with the terminal
-
@QTC I'm assuming setting up a private bridge would require running your own server from a different location somehow?
yes
Wouldn't it still be traced back to you?
no, the reason why you are doing this is to protect you from active traffic confirmation attacks (you can be assured of this since the first node you are entering the tor network though is a bridge relay that is definitely not being controlled by an adversary). Membership concealment is just a cool side benefit too. I would just buy a VPS somewhere with fake ID to keep yourself anonymous although this is easier said than done these days.
Traffic analysis really isn't my thing though and I hope somebody drops in here with a better explanation.
Is there any good program or easy way to spoof a mac address on Lion? Im not so good with the terminal
airport -z
sudo ifconfig en0 down
sudo ifconfig en0 up
sudo ifconfig <netmask of your network device, probably 'en0'> <interface, either "ether" or "Wi-Fi"> 00:00:de:ad:be:ef
ifconfig en0 | grep ether to verify and then join your network.
-
@QTC I'm assuming setting up a private bridge would require running your own server from a different location somehow?
yes
Wouldn't it still be traced back to you?
no, the reason why you are doing this is to protect you from active traffic confirmation attacks (you can be assured of this since the first node you are entering the tor network though is a bridge relay that is definitely not being controlled by an adversary). Membership concealment is just a cool side benefit too. I would just buy a VPS somewhere with fake ID to keep yourself anonymous although this is easier said than done these days.
Traffic analysis really isn't my thing though and I hope somebody drops in here with a better explanation.
Is there any good program or easy way to spoof a mac address on Lion? Im not so good with the terminal
airport -z
sudo ifconfig en0 down
sudo ifconfig en0 up
sudo ifconfig <netmask of your network device, probably 'en0'> <interface, either "ether" or "Wi-Fi"> 00:00:de:ad:be:ef
ifconfig en0 | grep ether to verify and then join your network.
So I actually wouldn't need the server to be in a different location, right? So I got my mac addy faked when I check it in terminal but when I look under the wifi advanced options, it still lists my normal mac addy. Any suggestions? I connected to the wifi after I changed it.
-
Ironkey is not immune from being hacked. It has a hardware encryption system with some neat features though. It protects from being brute forced because it securely erases your encryption key if too many bad attempts are made. It also is filled with encapsulation material and has a metal skin, to make it difficult to get to the encrypted key without damaging it and erasing it from memory, although (ex)military hackers have gotten around systems like this before:
http://www.nzherald.co.nz/technology/news/article.cfm?c_id=5&objectid=10625082&pnum=0
Tarnovsky needed six months to figure out his attack, which requires skill in modifying the tiny parts of the chip without destroying it.
Using off-the-shelf chemicals, Tarnovsky soaked chips in acid to dissolve their hard outer shells. Then he applied rust remover to help take off layers of mesh wiring, to expose the chips' cores. From there, he had to find the right communication channels to tap into using a very small needle.
The needle allowed him to set up a wiretap and eavesdrop on all the programming instructions as they are sent back and forth between the chip and the computer's memory.
Those instructions hold the secrets to the computer's encryption, and he didn't find them encrypted because he was physically inside the chip.
Even once he had done all that, he said he still had to crack the "huge problem" of figuring out how to avoid traps programmed into the chip's software as an extra layer of defence.
"This chip is mean, man - it's like a ticking time bomb if you don't do something right," Tarnovsky said.
Joe Grand, a hardware hacker and president of product- and security-research firm Grand Idea Studio, saw Tarnovsky's presentation and said it represented a huge advancement that chip companies should take seriously, because it shows that presumptions about security ought to be reconsidered.
"His work is the next generation of hardware hacking," Grand said.
Ironkey is a nice high quality thumb drive with built in encryption and some nice difficult to defeat physical security features, but it is not the completely unhackable magic device you are making it out to be. It is FIPS140-2 level two certified, but the military probably uses level 4 certified stuff mostly. Anything without physical intrusion detection features can only get level 1 certification, level 4 needs to be able to detect any potential physical intrusion.
-
visit https://bridges.torproject.org/ and pick at most three that use port 443, then tell your tor control app to use them. for obfs2 bridges I grabbed the obfs browser bundle, extracted a list of bridges from there and plugged it into arm.
Why isn't it good to select more than three bridges that use port 443? I was assuming that more bridges means possibly more speed or stability.
it does mean those things but it also means less anonymity
-
Hi, I don't want to hijack this thread, but I'd not heard of Ironkey before reading this. Looking at their website, it obviously includes it's own "stealth browser" (based on FF) and it states the following:
"IronKey maintains a secure private Tor network with it's own high-performance servers (separate from the public Tor network). This improves the overall security in at least two ways:
1. Since Ironkey controls the exit-node in your encrypted Tor circuit, we can ensure that no one is injecting unwanted or malicious content into your online communications, such as ads or spyware.
2. Ironkey can also make sure that no exit-node is redirecting your web traffic by providing additional DNS protections. This anti-pharming [sic?] measure can also help mitigate phishing attacks and other threats"
Would there be any benefits, or hazards, to using their "private Tor network" for SR stuff? Seems a bit too good to be true, and an excellent way for LE to connect to a big fat pipe of all sorts of interesting stuff...
Using their private Tor network is about as secure as using any other VPN, maybe a wee bit more since it is actually based on the Tor software, which protects better than most VPN software does from website fingerprinting and such. They also exit traffic through their trusted servers, so you can be more certain that traffic through the exit node wont be modified or spied on by random malicious parties. Of course it also ensures that all of your traffic can be modified and spied on as soon as the feds issue a warrant and force ironkey to cooperate. I don't know how much they have modified Tor or if they use any of its servers other than theirs. I am also not clear on if they are using Tor nodes they have added to the public Tor network or if they are using a fully private Tor network. In any case it is probably about as anonymous and secure as a VPN managed by a company like ironkey can be, which means potentially better than nothing but I certainly wouldn't rely on it. Do they even caim to not keep logs? It seems like they are selling it more as a tool to encrypt your internet traffic than as something to keep you anonymous, but in either case that is all you should really expect from it.
-
kmf +1 you always have great info, much appreciated thanks. if I did a search would I find your preferred security system for just a buyer. Cause I def wanna read something like that.
cheers
-
Thanks a lot KMF, you're clearly the Go-To Man. I'll stick to taking my chances on the savannah rather than in the zoo...