Silk Road forums
Discussion => Security => Topic started by: Decoy on April 20, 2012, 09:26 pm
-
Hey guys,
I just started to sell over here and i never though in my mind that i would sell that much, it kind of took over my everyday job ! I want to keep selling but at the same time im worried about if i can get caught by ip or any other way. Do any of you guys have any tips so i know how to keep my ass safe? Please let me know thanks
Respect to all our buyers !
-
TOR is generally safe, they won't locate you by the IP-address. Higher chance of doing that by the potential fingerprints you might leave with handling the financial side of the venture (exchanges, constant $ flow of unusual origin into your own bank account, etc) or the physical shipment part. I checked out your profile on SR and I can see that you are assumably using PGP - which is good, I would enforce that as a rule if someone wants to contact you (definitely for shipping addresses). I would also, probably, purchase a VPS or even a dedicated server from some reputable company (i.e. LeaseWeb or OVH) and store all of my 'SR activity'-related stuff over there, on an encrypted partition (which would be even more win if you had an AES-NI capable CPU, that would prevent cold-boot attacks on RAM with TRESOR compared to regular dm-crypt/LUKS encryption, that is if all things come to worst and they attempt such an extreme operation as extracting your encryption key [very unlikely, but might occur in the lowest percentage of cases, if you really pissed them off, but usually a lot more relevant to cyber crimes, instead]). Of course, accessing it with either SSH or SFTP. Basically, I would store jack shit on my own HDD. I would probably even buy an SSD, something like 60G, that is if I wanted to temporarily download/upload something from my local storage to the rented server - because then you could use, i.e., "sdelete", that would zap the unallocated space much, much more quickly (after file deletion) than on the HDD: forensics wouldn't be able to do much with such drive, if all unused sectors have been overwritten with zeroes. Um, in the most bizarre cases your ISP might be doing DPI (deep packet inspection) on your end, meaning, they will be able to tell you're constantly using TOR (even though they wouldn't be able to sniff the traffic, because it's encrypted) - but yeah, that could raise some eyebrows in the long run, but really, I can't see this happening UNLESS you are already a suspect and the LE is working to gather as much evidence as possible (just another minor confirmation of justifying a potential house raid). Even though if you just used SSH for the remote server and TOR over there - that could minimize the effects of such suspicion.
-
As I'm only a buyer atm I only use Tor myself, and I'm otherwise not too worried.
I can suggest a few things I would make certain to do if I started to sell on the road:
1. Tails: This is an operating system that can be booted on a usb drive or a CD. Tails doesn't use your HDD to store any memory, but rather your RAM to store everything. Because of this, when you shut down your computer, all the activity that you did while using Tails is permanently destroyed and impossible tor recover. I wouldn't sell without this!
2. Financial Security: Be careful when converting large amounts of money from bitcoin to cash. If you are receiving lots of income to any traceable account that is under your name, this is a red flag for LE and financial institutions that illegal income is being attained. Make sure you read up on any information you can about withddrawing your cash, because this is one of the most important considerations for your security.
3. There is a shitload more things to consider, but these are what I find to be the 2 most important things aside from proper packing/shipping techniques.
Welcome to the Road! :D
-
Thanks you very much guys for the help. Vlad would consider using escrow if we do an exchange for cash in mail once i receive i release funds?
-
Think my friend was telling me once something about using 3G USB dongles.... perhaps not registered to said friend............................. =)
-
If you are a vendor I would expect that you would be using a VPN service that doesn't keep any logs. VPN's are cheap, even for a triple encrypted connection.
-
Don't use VPNs, use JonDonym instead over wifi or something.
SSD's are notorious for not encrypting properly. You have to first encrypt everything, then add your secret files. If you don't, everything can be accessed that was on that SSD
-
TOR is generally safe, they won't locate you by the IP-address. Higher chance of doing that by the potential fingerprints you might leave with handling the financial side of the venture (exchanges, constant $ flow of unusual origin into your own bank account, etc) or the physical shipment part. I checked out your profile on SR and I can see that you are assumably using PGP - which is good, I would enforce that as a rule if someone wants to contact you (definitely for shipping addresses). I would also, probably, purchase a VPS or even a dedicated server from some reputable company (i.e. LeaseWeb or OVH) and store all of my 'SR activity'-related stuff over there, on an encrypted partition (which would be even more win if you had an AES-NI capable CPU, that would prevent cold-boot attacks on RAM with TRESOR compared to regular dm-crypt/LUKS encryption, that is if all things come to worst and they attempt such an extreme operation as extracting your encryption key [very unlikely, but might occur in the lowest percentage of cases, if you really pissed them off, but usually a lot more relevant to cyber crimes, instead]). Of course, accessing it with either SSH or SFTP. Basically, I would store jack shit on my own HDD. I would probably even buy an SSD, something like 60G, that is if I wanted to temporarily download/upload something from my local storage to the rented server - because then you could use, i.e., "sdelete", that would zap the unallocated space much, much more quickly (after file deletion) than on the HDD: forensics wouldn't be able to do much with such drive, if all unused sectors have been overwritten with zeroes. Um, in the most bizarre cases your ISP might be doing DPI (deep packet inspection) on your end, meaning, they will be able to tell you're constantly using TOR (even though they wouldn't be able to sniff the traffic, because it's encrypted) - but yeah, that could raise some eyebrows in the long run, but really, I can't see this happening UNLESS you are already a suspect and the LE is working to gather as much evidence as possible (just another minor confirmation of justifying a potential house raid). Even though if you just used SSH for the remote server and TOR over there - that could minimize the effects of such suspicion.
I wouldn't trust a VPS provider for the world with my data. I'd rather use a VM running of an encrypted hidden True Crypt partition. I would however use an anonymously bought VPS to conceal my traffic. I'd set up an SSH-tunnel to the VPS and use Tor through that tunnel, so only the VPS is showing Tor traffic (your connection would show a lot of SSH traffic, but that won't be a big give away as a lot of Tor traffic).
Overall you can hide much of the technical stuff. The fact that everything is running through Tor already helps a lot in keeping you safe. I'd be more worried about leaving a paper trail on the financial side of business. Cashing out through your bank account (exchange -> bank account) would be fine for small amounts, but at some point you'll have to cash out another way. There are these anonymous IBAN-bank cards (offered on SR, but you can get them cheaper in other places), which you can use to cash out up to €2500 (or $3000, I believe). Make sure you don't use them too close to your home and wear a motorbike helmet while using the ATM, this will greatly reduce the chances of you being caught.
-
I wouldn't trust a VPS provider for the world with my data. I'd rather use a VM running of an encrypted hidden True Crypt partition. I would however use an anonymously bought VPS to conceal my traffic. I'd set up an SSH-tunnel to the VPS and use Tor through that tunnel, so only the VPS is showing Tor traffic (your connection would show a lot of SSH traffic, but that won't be a big give away as a lot of Tor traffic).
Overall you can hide much of the technical stuff. The fact that everything is running through Tor already helps a lot in keeping you safe. I'd be more worried about leaving a paper trail on the financial side of business. Cashing out through your bank account (exchange -> bank account) would be fine for small amounts, but at some point you'll have to cash out another way. There are these anonymous IBAN-bank cards (offered on SR, but you can get them cheaper in other places), which you can use to cash out up to €2500 (or $3000, I believe). Make sure you don't use them too close to your home and wear a motorbike helmet while using the ATM, this will greatly reduce the chances of you being caught.
I wouldn't trust a "an encrypted hidden TrueCrypt partition" for the world with my data. As I have already pointed out in my post - TRESOR is the way to go, not TrueCrypt. TrueCrypt is an inferior way of encrypting partitions/volumes, as it's subject to cold-boot attacks on RAM: that's where it stores the encryption key for mounted partitions - otherwise, it wouldn't be able to decrypt and supply the contents of that storage on-the-fly. The authorities are now using small SSD-USB/ATA controllers, that are able to boot on the target PC and dump the encryption key out of RAM in seconds, which will almost always yield positive results (due to the way that DRAM contents degrade gradually when not refreshed, not instantly and it's also possible to freeze the modules in order to achieve a higher retention time - this technique is now widespread for particular US LE).
Refer to this research: https://citp.princeton.edu/research/memory/
And this: http://en.wikipedia.org/wiki/Cold_boot_attack
The solution is to keep the encryption key inside the CPU registers: http://en.wikipedia.org/wiki/TRESOR
If you do not have AES-NI support - even an SSE2 enabled CPU will be sufficient, although with some percentage of performance penalty.
Yes, I know that you've said a "hidden" partition - however, once the relevant encryption key is obtained for the according partition, then proper forensics will have no problem identifying the masqueraded storage in question. Using a VM adds nothing more to the equation, unless you are using VM encryption as well, like VMware encryption i.e. - also crackable. Although setting up a VM might be more comforting, because you'd have more options for multiple network configurations (virtual adapters, etc). But nothing that you can't do on a remote dedicated server.
Acquiring an anonymously bought VPS/dedicated is also not that hard, because one can use a prepaid card (http://www.plati.ru/asp/list_pin.asp?id_f=11354).
"I'd set up an SSH-tunnel to the VPS and use Tor through that tunnel, so only the VPS is showing Tor traffic (your connection would show a lot of SSH traffic, but that won't be a big give away as a lot of Tor traffic)." - isn't that exactly what I said, though? Except that I didn't explicitly mention tunneling the traffic, but that was implied: tunneling the port through something like 'Tunnelier' or port-forwarding in Putty and solely usinig the preconfigured portable version of FireFox supplied with the TOR bundle (not running TOR on your machine, but just the FF instance).
-
0x00,
AWESOME information, thanks a lot for sharing.
cheers,
Bridge
-
Thanks you very much guys for the help. Vlad would consider using escrow if we do an exchange for cash in mail once i receive i release funds?
Hi decoy. For small amounts I am more than happy to accept Escrow for GBP provided the buyer covers the fees, please send me a message and we'll work out the details.
V.
-
I wouldn't trust a "an encrypted hidden TrueCrypt partition" for the world with my data. As I have already pointed out in my post - TRESOR is the way to go, not TrueCrypt. TrueCrypt is an inferior way of encrypting partitions/volumes, as it's subject to cold-boot attacks on RAM: that's where it stores the encryption key for mounted partitions - otherwise, it wouldn't be able to decrypt and supply the contents of that storage on-the-fly. The authorities are now using small SSD-USB/ATA controllers, that are able to boot on the target PC and dump the encryption key out of RAM in seconds, which will almost always yield positive results (due to the way that DRAM contents degrade gradually when not refreshed, not instantly and it's also possible to freeze the modules in order to achieve a higher retention time - this technique is now widespread for particular US LE).
Refer to this research: https://citp.princeton.edu/research/memory/
And this: http://en.wikipedia.org/wiki/Cold_boot_attack
The solution is to keep the encryption key inside the CPU registers: http://en.wikipedia.org/wiki/TRESOR
If you do not have AES-NI support - even an SSE2 enabled CPU will be sufficient, although with some percentage of performance penalty.
Yes, I know that you've said a "hidden" partition - however, once the relevant encryption key is obtained for the according partition, then proper forensics will have no problem identifying the masqueraded storage in question.
Cool information, I wasn't aware of the specifics. The reason I mostly suggested to run stuff at home is because you wouldn't want to store your data off site. Imo you have far more control over your own environment as opposed to a VPS somewhere in a datacenter.
Using a VM adds nothing more to the equation, unless you are using VM encryption as well, like VMware encryption i.e. - also crackable. Although setting up a VM might be more comforting, because you'd have more options for multiple network configurations (virtual adapters, etc). But nothing that you can't do on a remote dedicated server.
Acquiring an anonymously bought VPS/dedicated is also not that hard, because one can use a prepaid card (http://www.plati.ru/asp/list_pin.asp?id_f=11354).
Although you can achieve a safe system without using a VM, you have to be extremely careful about leaking information (as you'll be running your regular clearnet stuff as well). Using a VM, you can mitigate any fuck ups by routing all traffic through Tor (which sucks if you do it for your whole computer). In that sense a VM does add extra security (just another layer that has to be broken).
"I'd set up an SSH-tunnel to the VPS and use Tor through that tunnel, so only the VPS is showing Tor traffic (your connection would show a lot of SSH traffic, but that won't be a big give away as a lot of Tor traffic)." - isn't that exactly what I said, though? Except that I didn't explicitly mention tunneling the traffic, but that was implied: tunneling the port through something like 'Tunnelier' or port-forwarding in Putty and solely usinig the preconfigured portable version of FireFox supplied with the TOR bundle (not running TOR on your machine, but just the FF instance).
I thought you were talking about actually storing data in the VPS, not just tunneling your traffic through it. In most cases I'm against storing information off site (in the case of illegal stuff).
-
Make sure you don't use them too close to your home and wear a motorbike helmet while using the ATM, this will greatly reduce the chances of you being caught.
I think enough people aren't aware of this.
There is a CCTV in the back of the majority of ATM machines. I suggest wearing a larger than normal pair of dark sunglasses, a hat/cap and long sleeves. I don't like hoodies, but they work too. Also, you never wear this stuff normally obviously. Halloween is a nice time of year for extracting a lot of moolah I think you'll find.
Also; do your transactions at say 23:50, and then you'll be able to use up two day's allowance of withdrawals within a few minutes, which is always a nice thing.
However having said that, you must always be thinking about the ATM's software searching for suspect activity. For God's sake don't just get a pile of cards and use them at the same ATM everytime! Ideally obtain a rental with cash and drive to the next city and motor about from random ATM to random ATM if you've a lot of cards. Different amounts each time too. And by random, I mean random. As in you pick up the geographical locations of several dozen ATMs and then use an online random generator to regurgitate them back at you in a random order. If you're really paranoid, or have a hell of a lot of moolah to extract, think about obtaining a number plate to swop out.
But ultimately, this method is only good for trivial amounts of capital. After this it gets tricky!
-
Make sure you don't use them too close to your home and wear a motorbike helmet while using the ATM, this will greatly reduce the chances of you being caught.
I think enough people aren't aware of this.
There is a CCTV in the back of the majority of ATM machines. I suggest wearing a larger than normal pair of dark sunglasses, a hat/cap and long sleeves. I don't like hoodies, but they work too. Also, you never wear this stuff normally obviously. Halloween is a nice time of year for extracting a lot of moolah I think you'll find.
Also; do your transactions at say 23:50, and then you'll be able to use up two day's allowance of withdrawals within a few minutes, which is always a nice thing.
However having said that, you must always be thinking about the ATM's software searching for suspect activity. For God's sake don't just get a pile of cards and use them at the same ATM everytime! Ideally obtain a rental with cash and drive to the next city and motor about from random ATM to random ATM if you've a lot of cards. Different amounts each time too. And by random, I mean random. As in you pick up the geographical locations of several dozen ATMs and then use an online random generator to regurgitate them back at you in a random order. If you're really paranoid, or have a hell of a lot of moolah to extract, think about obtaining a number plate to swop out.
But ultimately, this method is only good for trivial amounts of capital. After this it gets tricky!
Thanks Pine, useful info.
V.
-
For extra anonymity, I would be happy to offer 3G dongles for sale on my SR page which could be used with prepay sims bought for cash to access the net. If there is any interest for this but they would have to be shipped from Europe.
V.
-
For extra anonymity, I would be happy to offer 3G dongles for sale on my SR page which could be used with prepay sims bought for cash to access the net. If there is any interest for this but they would have to be shipped from Europe.
V.
Guess it depends on your price. I suppose you can get these anywhere with cash fairly easy (in the Netherlands you can buy them in every phone-shop with cash), so that will probably defeat the purpose of buying through SR.
-
For extra anonymity, I would be happy to offer 3G dongles for sale on my SR page which could be used with prepay sims bought for cash to access the net. If there is any interest for this but they would have to be shipped from Europe.
V.
Guess it depends on your price. I suppose you can get these anywhere with cash fairly easy (in the Netherlands you can buy them in every phone-shop with cash), so that will probably defeat the purpose of buying through SR.
Indeed, the same is true in the UK. I suppose it depends if the shop in question uses CCTV - it's not so much the dongle itself that's an issue as obtaining SIM chips with enough credit for data in an anonymous fashion so I may offer these instead.
V.
-
Hmm, Is it definitely safe to use TOR on one of these? I am not a techie unfortunately, but couldnt LE could possibly locate which cell you are on fairly quickly, then triangulate your position the same way that google maps on the iphone does it (location services)? Actually, the more I think about it, who the fuck would even use it over a mobile connection? Stick out like tits on a bull i expect. How do you know what technology they are using in those 3g towers? I expect every criminal out there has at one time come up with the idea of using payg anonymous phones, and we all know how phones can track your movement very effectivly from cell to cell. Ok its late and my paranoid brain is working overtime but I suspect that LE would have an ace up its sleeve here, could be a trap.
-
Make sure you don't use them too close to your home and wear a motorbike helmet while using the ATM, this will greatly reduce the chances of you being caught.
I think enough people aren't aware of this.
There is a CCTV in the back of the majority of ATM machines. I suggest wearing a larger than normal pair of dark sunglasses, a hat/cap and long sleeves. I don't like hoodies, but they work too. Also, you never wear this stuff normally obviously. Halloween is a nice time of year for extracting a lot of moolah I think you'll find.
Also; do your transactions at say 23:50, and then you'll be able to use up two day's allowance of withdrawals within a few minutes, which is always a nice thing.
However having said that, you must always be thinking about the ATM's software searching for suspect activity. For God's sake don't just get a pile of cards and use them at the same ATM everytime! Ideally obtain a rental with cash and drive to the next city and motor about from random ATM to random ATM if you've a lot of cards. Different amounts each time too. And by random, I mean random. As in you pick up the geographical locations of several dozen ATMs and then use an online random generator to regurgitate them back at you in a random order. If you're really paranoid, or have a hell of a lot of moolah to extract, think about obtaining a number plate to swop out.
But ultimately, this method is only good for trivial amounts of capital. After this it gets tricky!
Sorry, but I had to laugh at this one. No offense but if you are going to go to that much trouble to use an ATM, you mite as well use the default password to access the admin section and redefine the slot with $20 bills as a $5 slot and disable all other bill slots. Then withdraw $75. The machine spits out 15x $20 bills and you have gotten your money plus.
There are easier ways to get bit coins out to USD. Hell, start a website offering Web development/consulting services at $125 an hour.(The going rate where I am) Pay your bitcoin into your website from different wallets. Do invoices for each payment and maintain accounting, Sell your bitcoin on an exchange and deposit it into your account. Remember to claim it on your taxes as well as all your business expenses. It is not out of the ordinary for Web development/Consulting services to bring in 150k a year. Heck I know of a few that are making 1.5m a year with 3 employees. You can push a lot through that simple setup and as long as you pay the IRS there cut, all is golden.
-
I wouldn't trust a VPS provider for the world with my data. I'd rather use a VM running of an encrypted hidden True Crypt partition. I would however use an anonymously bought VPS to conceal my traffic. I'd set up an SSH-tunnel to the VPS and use Tor through that tunnel, so only the VPS is showing Tor traffic (your connection would show a lot of SSH traffic, but that won't be a big give away as a lot of Tor traffic).
Overall you can hide much of the technical stuff. The fact that everything is running through Tor already helps a lot in keeping you safe. I'd be more worried about leaving a paper trail on the financial side of business. Cashing out through your bank account (exchange -> bank account) would be fine for small amounts, but at some point you'll have to cash out another way. There are these anonymous IBAN-bank cards (offered on SR, but you can get them cheaper in other places), which you can use to cash out up to €2500 (or $3000, I believe). Make sure you don't use them too close to your home and wear a motorbike helmet while using the ATM, this will greatly reduce the chances of you being caught.
I wouldn't trust a "an encrypted hidden TrueCrypt partition" for the world with my data. As I have already pointed out in my post - TRESOR is the way to go, not TrueCrypt. TrueCrypt is an inferior way of encrypting partitions/volumes, as it's subject to cold-boot attacks on RAM: that's where it stores the encryption key for mounted partitions - otherwise, it wouldn't be able to decrypt and supply the contents of that storage on-the-fly. The authorities are now using small SSD-USB/ATA controllers, that are able to boot on the target PC and dump the encryption key out of RAM in seconds, which will almost always yield positive results (due to the way that DRAM contents degrade gradually when not refreshed, not instantly and it's also possible to freeze the modules in order to achieve a higher retention time - this technique is now widespread for particular US LE).
Refer to this research: https://citp.princeton.edu/research/memory/
And this: http://en.wikipedia.org/wiki/Cold_boot_attack
The solution is to keep the encryption key inside the CPU registers: http://en.wikipedia.org/wiki/TRESOR
If you do not have AES-NI support - even an SSE2 enabled CPU will be sufficient, although with some percentage of performance penalty.
Yes, I know that you've said a "hidden" partition - however, once the relevant encryption key is obtained for the according partition, then proper forensics will have no problem identifying the masqueraded storage in question. Using a VM adds nothing more to the equation, unless you are using VM encryption as well, like VMware encryption i.e. - also crackable. Although setting up a VM might be more comforting, because you'd have more options for multiple network configurations (virtual adapters, etc). But nothing that you can't do on a remote dedicated server.
Acquiring an anonymously bought VPS/dedicated is also not that hard, because one can use a prepaid card (http://www.plati.ru/asp/list_pin.asp?id_f=11354).
"I'd set up an SSH-tunnel to the VPS and use Tor through that tunnel, so only the VPS is showing Tor traffic (your connection would show a lot of SSH traffic, but that won't be a big give away as a lot of Tor traffic)." - isn't that exactly what I said, though? Except that I didn't explicitly mention tunneling the traffic, but that was implied: tunneling the port through something like 'Tunnelier' or port-forwarding in Putty and solely usinig the preconfigured portable version of FireFox supplied with the TOR bundle (not running TOR on your machine, but just the FF instance).
Excellent advice 0x00!!! Thanks for echoing the points about using a VPS/SSH tunnel to mask tor traffic, and good info all around regarding truecrypt, particularly hidden OSs. Depending on where you live, they can just look at file access dates and various OS log entries and basically "prove" that the outer OS is likely a decoy for a hidden system partition.
The "RAM free" encryption solutions are obviously the way to go as far as mass storage is concerned. About how difficult is to purchase and implement TRESOR-capable CPUs today? I haven't look into those in a little while.
-
Hmm, Is it definitely safe to use TOR on one of these? I am not a techie unfortunately, but couldnt LE could possibly locate which cell you are on fairly quickly, then triangulate your position the same way that google maps on the iphone does it (location services)? Actually, the more I think about it, who the fuck would even use it over a mobile connection? Stick out like tits on a bull i expect. How do you know what technology they are using in those 3g towers? I expect every criminal out there has at one time come up with the idea of using payg anonymous phones, and we all know how phones can track your movement very effectivly from cell to cell. Ok its late and my paranoid brain is working overtime but I suspect that LE would have an ace up its sleeve here, could be a trap.
If only VPN traffic goes through it, people won't suspect a thing. And if you're using it in a crowded place you'd be able to see police coming from miles. Just make sure that people can't look at your screen ;). However, in such a place you can probably use an open wifi as well... much cheaper.
Sorry, but I had to laugh at this one. No offense but if you are going to go to that much trouble to use an ATM, you mite as well use the default password to access the admin section and redefine the slot with $20 bills as a $5 slot and disable all other bill slots. Then withdraw $75. The machine spits out 15x $20 bills and you have gotten your money plus.
I had to laugh at this one... Although I've heard these rumours, I can assure you that this is impossible on most ATMs. Otherwise all ATMs would be spitting out high amounts... it's not as if you'd be able to keep such a thing a secret on the Internet and prevent banks from finding out.
There are easier ways to get bit coins out to USD. Hell, start a website offering Web development/consulting services at $125 an hour.(The going rate where I am) Pay your bitcoin into your website from different wallets. Do invoices for each payment and maintain accounting, Sell your bitcoin on an exchange and deposit it into your account. Remember to claim it on your taxes as well as all your business expenses. It is not out of the ordinary for Web development/Consulting services to bring in 150k a year. Heck I know of a few that are making 1.5m a year with 3 employees. You can push a lot through that simple setup and as long as you pay the IRS there cut, all is golden.
Although this is indeed a good way of laundering your money, you'd be stupid to do this with small amounts. Paying taxes over your little illegal shop doesn't sound smart, if you can withdraw the money without paying taxes. Btw, raking in 150k a year in BTC? Yeah right... not going to happen. And if you pay yourself using exchanges you're going to be fucked if the IRS (or whatever country you're in) smells something fishy and checks your bank statements. Only payments coming from bitcoin exchanges will probably be further investigated...
-
Don't use VPNs, use JonDonym instead over wifi or something.
SSD's are notorious for not encrypting properly. You have to first encrypt everything, then add your secret files. If you don't, everything can be accessed that was on that SSD
JonDonym website:
Surveillance reports
Each year, we will publish a short report of all surveillance actions that were taken and have been reported to us by the operators.
In 2011, no new surveillance court order was given to any operator. The surveillance court order from 2010 (published last year) was going on over turn of the year into 2011.
In 2010 there has only been one surveillance court order to single mix operators that was put into effect during 6 months. It concerned a handful JonDonym account numbers.
In 2009, there has been a surveillance court order to single Mix operators. A total of two web sites or e-mail providers, respectively, where affected. The observation has been stopped after the court order, which was renewed once, expired (after four months altogether) and affected two free mix cascades.
In 2008, no surveillance court order was given to any operator.
In 2007, no surveillance court order was given to any operator.
In 2006, there has been one surveillance court order to single Mix operators. A few exactly specified web addresses were affected. The observation has been stopped after the court order expired (one month) and affected two free mix cascades.
If single mix operators inform JonDos GmbH about a surveillance court order then that does not mean JonDonym as a whole has been under surveillance or JonDos GmbH was involved. Rather, single operators had to comply with these orders.
-
Fucking cops.
-
For extra anonymity, I would be happy to offer 3G dongles for sale on my SR page which could be used with prepay sims bought for cash to access the net. If there is any interest for this but they would have to be shipped from Europe.
V.
How do these dongles help with anonmyity, exactly? Are these the same thing as "air cards?"
-
For extra anonymity, I would be happy to offer 3G dongles for sale on my SR page which could be used with prepay sims bought for cash to access the net. If there is any interest for this but they would have to be shipped from Europe.
V.
How do these dongles help with anonmyity, exactly? Are these the same thing as "air cards?"
They help anonymity about as much as using someone elses WiFi, which means not very much at all unless you only use them from random locations for short amounts of time. And much like bridges, you shouldn't use 3G dongles from vendors on SR.
-
For extra anonymity, I would be happy to offer 3G dongles for sale on my SR page which could be used with prepay sims bought for cash to access the net. If there is any interest for this but they would have to be shipped from Europe.
V.
How do these dongles help with anonmyity, exactly? Are these the same thing as "air cards?"
They help anonymity about as much as using someone elses WiFi, which means not very much at all unless you only use them from random locations for short amounts of time. And much like bridges, you shouldn't use 3G dongles from vendors on SR.
Surely though if the SIM was obtained anonymously using cash and replaced regularly the best LEO could hope for is a rough idea as to the nearest mobile phone antenna? Would this really be less secure than using your home connection where it would be obvious to any fool with access to your ISP's records that you're using Tor?
V.
-
For extra anonymity, I would be happy to offer 3G dongles for sale on my SR page which could be used with prepay sims bought for cash to access the net. If there is any interest for this but they would have to be shipped from Europe.
V.
How do these dongles help with anonmyity, exactly? Are these the same thing as "air cards?"
They help anonymity about as much as using someone elses WiFi, which means not very much at all unless you only use them from random locations for short amounts of time. And much like bridges, you shouldn't use 3G dongles from vendors on SR.
Surely though if the SIM was obtained anonymously using cash and replaced regularly the best LEO could hope for is a rough idea as to the nearest mobile phone antenna? Would this really be less secure than using your home connection where it would be obvious to any fool with access to your ISP's records that you're using Tor?
V.
Of course it is better to use a 3G dongle than to use your own home connection, but they can be positioned pretty accurately and then traced. I would compare them to "portable someone elses WiFi", beneficial sure but if you use it from the same location or in locations that fall into a pattern it isn't going to do much for you.
-
how about if you use a prepaid wireless USB for net connection (purchased and topped up with cash) on a laptop brought with cash that is only used for SR and used from within a large apartment block?
-
how about if you use a prepaid wireless USB for net connection (purchased and topped up with cash) on a laptop brought with cash that is only used for SR and used from within a large apartment block?
I think V is talking about just that when he mentions 3g dongles. But I could be wrong.
-
kmfkewm could you please elaborate? what would your suggestion be for a more anonymous connection?
-
TOR is generally safe, they won't locate you by the IP-address. Higher chance of doing that by the potential fingerprints you might leave with handling the financial side of the venture (exchanges, constant $ flow of unusual origin into your own bank account, etc) or the physical shipment part. I checked out your profile on SR and I can see that you are assumably using PGP - which is good, I would enforce that as a rule if someone wants to contact you (definitely for shipping addresses). I would also, probably, purchase a VPS or even a dedicated server from some reputable company (i.e. LeaseWeb or OVH) and store all of my 'SR activity'-related stuff over there, on an encrypted partition (which would be even more win if you had an AES-NI capable CPU, that would prevent cold-boot attacks on RAM with TRESOR compared to regular dm-crypt/LUKS encryption, that is if all things come to worst and they attempt such an extreme operation as extracting your encryption key [very unlikely, but might occur in the lowest percentage of cases, if you really pissed them off, but usually a lot more relevant to cyber crimes, instead]). Of course, accessing it with either SSH or SFTP. Basically, I would store jack shit on my own HDD. I would probably even buy an SSD, something like 60G, that is if I wanted to temporarily download/upload something from my local storage to the rented server - because then you could use, i.e., "sdelete", that would zap the unallocated space much, much more quickly (after file deletion) than on the HDD: forensics wouldn't be able to do much with such drive, if all unused sectors have been overwritten with zeroes. Um, in the most bizarre cases your ISP might be doing DPI (deep packet inspection) on your end, meaning, they will be able to tell you're constantly using TOR (even though they wouldn't be able to sniff the traffic, because it's encrypted) - but yeah, that could raise some eyebrows in the long run, but really, I can't see this happening UNLESS you are already a suspect and the LE is working to gather as much evidence as possible (just another minor confirmation of justifying a potential house raid). Even though if you just used SSH for the remote server and TOR over there - that could minimize the effects of such suspicion.
+1
very accurate and good anti detection advice!
-
Surely though if the SIM was obtained anonymously using cash and replaced regularly the best LEO could hope for is a rough idea as to the nearest mobile phone antenna? Would this really be less secure than using your home connection where it would be obvious to any fool with access to your ISP's records that you're using Tor?
V.
Hi V,
Thing is, is that it is not a rough idea, it's possible to geolocate a wifi device within 3 meters, and that experiment was done in 2005 so I assume all LE city based divisions have the correct technology in 2012. See Sam Bartels's whitepaper on "WIFI Location System Investigation".
-
Hey guys,
I just started to sell over here and i never though in my mind that i would sell that much, it kind of took over my everyday job ! I want to keep selling but at the same time im worried about if i can get caught by ip or any other way. Do any of you guys have any tips so i know how to keep my ass safe? Please let me know thanks
Respect to all our buyers !
The real question that you need to ask yourself is: Do I know enough about Silk Road to sell safely?
Clearly you already started taking risks, without knowing what those risks actually are. This is a recipe for failure. The penalties for selling drugs are extremely harsh even when compared with violent crimes and even sex crimes. Your more likely to get a harsh sentence for trafficking cocaine for the first time then rape, its fucked up but the entire justice system is fucked up. Honestly, I strongly suggest that you sit down, think about what your doing, then think about the consequences. Its absolutely essential to think about and even plan for the worst case scenario before it happens when conducting illegal business. In fact the only way to operate smartly is to constantly think about what could happen if you fuck up and always work hard so that you dont fuck up. The worst thing you can do is start selling drugs or doing other illegal shit in the hopes of just wingin it with no real plans or an intelligent course of action.
-
Prepaid cdma wireless dongle with 1 month serivice is 70.00, then 30.00 monthly. liberty=priceless
-
Prepaid cdma wireless dongle with 1 month serivice is 70.00, then 30.00 monthly. liberty=priceless
I have seen you post this a few times, Are you aware that the cdma wireless dongles have a built in GPS? They can find it as long as it is powered up/plugged into a usb port.
They are only anonymous in the sense that they do not have a name on the account, They can still track your location.
-
As long as your smart about it, it is as good as or better than someone elses wifi
-
If your worried about gps, just buy a android with cash, turn off its e911 features/gps, and tether that bitch.
This seems somewhat harder to locate than using a yagi or neighbors connection
-
If your worried about gps, just buy a android with cash, turn off its e911 features/gps, and tether that bitch.
This seems somewhat harder to locate than using a yagi or neighbors connection
uhm, if you are connected to the network on your cell they would know where you are within 50m tops, its called triangulation. it's a property of the fact that radio waves take time to travel, and that more then one tower can see you.
-
The real question that you need to ask yourself is: Do I know enough about Silk Road to sell safely?
Clearly you already started taking risks, without knowing what those risks actually are. This is a recipe for failure.
...
It's absolutely essential to think about and even plan for the worst case scenario before it happens when conducting illegal business. In fact the only way to operate smartly is to constantly think about what could happen if you fuck up and always work hard so that you dont fuck up. The worst thing you can do is start selling drugs or doing other illegal shit in the hopes of just wingin it with no real plans or an intelligent course of action.
Agree completely. Have a plan. Have many back-up plans! As many as a squirrel which hoards nuts, Plan B, C etc. e.g. having multiple hidden caches of cash in different currencies, having a good criminal defense lawyer on retainer, having a hollow shoe which contains a mini-mobile device programmed with the right numbers & lots of credit.
There is another side to this though, one must also be wary of 'paralysis by analysis'. Sometimes we can overplan things to the extent that we lose any drive or motivation to accomplish them.
-
The real question that you need to ask yourself is: Do I know enough about Silk Road to sell safely?
Clearly you already started taking risks, without knowing what those risks actually are. This is a recipe for failure.
...
It's absolutely essential to think about and even plan for the worst case scenario before it happens when conducting illegal business. In fact the only way to operate smartly is to constantly think about what could happen if you fuck up and always work hard so that you dont fuck up. The worst thing you can do is start selling drugs or doing other illegal shit in the hopes of just wingin it with no real plans or an intelligent course of action.
Agree completely. Have a plan. Have many back-up plans! As many as a squirrel which hoards nuts, Plan B, C etc. e.g. having multiple hidden caches of cash in different currencies, having a good criminal defense lawyer on retainer, having a hollow shoe which contains a mini-mobile device programmed with the right numbers & lots of credit.
There is another side to this though, one must also be wary of 'paralysis by analysis'. Sometimes we can overplan things to the extent that we lose any drive or motivation to accomplish them.
I would also recommend reading through some of pines post. I dont even know this guy but alot of great information and sound advice can be gained by just reading his posts. I bet pine has a few smart people asking him questions :)