Silk Road forums

Discussion => Security => Topic started by: quietgirl79 on October 09, 2012, 05:07 am

Title: Paranoia/Newbie Blues
Post by: quietgirl79 on October 09, 2012, 05:07 am
Okay, so I ordered from a vendor four days ago and finally four days later the vendor replies back to me, apologizing that they were out of town.  Not just that, but they said there is a problem with their PGP key and they will have to use one.  (The vendor did ask me to use Privnote, and after some research I've decided against that.)

So how paranoid should I be that this vendor could be compromised, and that LE hasn't been able to decrypt the vendor's key so they can generate a new one?  Should I only trust the old key from before the vendor was 'out of town'?  Or is it a common problem that people need new PGP keys from time to time?

The vendor is two months old.  I can name the vendor, but I don't want to breach etiquette. 

Please help, I'm very scared, should I just walk away?  (though if the vendor can be trusted I would like to continue, as I've noticed prices have increased as MtGox values decrease..maybe no relationship?)  :-[
Title: Re: Paranoia/Newbie Blues
Post by: quietgirl79 on October 09, 2012, 06:36 am
Okay...this girl IS being paranoid.  The vendor canceled the order because it was about to expire or something like that.  They said to order, if I wanted to.  Just sucks because the price changed by over a BTC since I ordered :\
Title: Re: Paranoia/Newbie Blues
Post by: pine on October 09, 2012, 01:52 pm
+karma for noticing using Privnote is insanity.
Title: Re: Paranoia/Newbie Blues
Post by: waynegretski on October 09, 2012, 03:07 pm
Learn to make your own decisions. Trust your gut. Educate yourself.

I would have told this vendor to go fuck himself and to get his shit together. If he doesn't realize Privnote is unsafe he's probably going to ship you a handwritten package with tape all over it and too much postage.

Pay attention to little things and follow your instinct.
Title: Re: Paranoia/Newbie Blues
Post by: quietgirl79 on October 09, 2012, 04:41 pm
+karma for noticing using Privnote is insanity.

Oh gosh, thank you!  I owe you (for your helpful post on PGP) and some other people +karma as well, and a little digging seems to indicate I need at least 100 posts.  I'll try to remember to give everyone their rightful dues if I ever reach 100 posts, but I'm also trying to maintain a low profile  :-[

I see I also have some negative karma..perhaps I did something wrong or rubbed someone the wrong way?  Not sure what I did though..

Learn to make your own decisions. Trust your gut. Educate yourself.

I would have told this vendor to go fuck himself and to get his shit together. If he doesn't realize Privnote is unsafe he's probably going to ship you a handwritten package with tape all over it and too much postage.

Pay attention to little things and follow your instinct.

Thank you for your advice..I know I should trust my gut as I have been badly burned many times when I didn't listen, but my mind always seems to get in the way!  But I am definitely willing and trying to learn :)
Title: Re: Paranoia/Newbie Blues
Post by: wsg on October 09, 2012, 08:49 pm
I have been in the same boat: a vendor has a PGP key posted on their profile, then I order and they try to feed the line that their key isn't working, use privatenote.......well they lost my order, because if they are too lazy or ignorant to try to fix their use of PGP I would not put a lot of faith in their ability to stealth package my order; they might get lazy and not vacuum seal it or something that is "easier". What vendor is this, as I think it is wrong to post a PGP key or anything else on their vendor profile that is misleading or just an out and out lie! I am not saying that there are not good vendors that don't use PGP, but I am seeing a trend that some say they do...you order....then they don't.  And I think SR should address the issue of vendors misleading buyers!
BTW  it was hard for me to avoid a vendor that wanted me to use privatenote, as they have some product that I would really like and decent price. I had to pay a bit more for a similar order but the shipping/packaging was awesome
Title: Re: Paranoia/Newbie Blues
Post by: pine on October 10, 2012, 04:07 pm
+karma for noticing using Privnote is insanity.

Oh gosh, thank you!  I owe you (for your helpful post on PGP) and some other people +karma as well, and a little digging seems to indicate I need at least 100 posts.  I'll try to remember to give everyone their rightful dues if I ever reach 100 posts, but I'm also trying to maintain a low profile  :-[

I see I also have some negative karma..perhaps I did something wrong or rubbed someone the wrong way?  Not sure what I did though..

Oh, I wouldn't worry about it! I certainly don't. :)

Welcome to SR!

I have been in the same boat: a vendor has a PGP key posted on their profile, then I order and they try to feed the line that their key isn't working, use privatenote.......well they lost my order, because if they are too lazy or ignorant to try to fix their use of PGP I would not put a lot of faith in their ability to stealth package my order; they might get lazy and not vacuum seal it or something that is "easier". What vendor is this, as I think it is wrong to post a PGP key or anything else on their vendor profile that is misleading or just an out and out lie! I am not saying that there are not good vendors that don't use PGP, but I am seeing a trend that some say they do...you order....then they don't.  And I think SR should address the issue of vendors misleading buyers!
BTW  it was hard for me to avoid a vendor that wanted me to use privatenote, as they have some product that I would really like and decent price. I had to pay a bit more for a similar order but the shipping/packaging was awesome

Yes, absolutely. I suggest you email the vendor and tell them to get their ship in order. That way you can give them feedback on lost custom.

If they don't change their ways, don't let it bother you. Better to have superior operational security. You'll feel a whole lot better if it turns out SR servers are compromised by LE hackers.

The entire op should run as if hacking the SR servers doesn't matter. If you use PGP, that is completely true. If you don't, you're fucked. That's putting it in the most pleasant manner I can.

Vendors should get professional or go home. There's no room for amateurs on here. Or rather, there is room, but they have to learn, or they will get busted ASAP. Maybe not now, but like you're saying, if a vendor doesn't take PGP seriously, there's every chance they don't take other elementary precautions seriously either.

Cheers!

Pine

Title: Re: Paranoia/Newbie Blues
Post by: tommygun on October 13, 2012, 01:43 am
Hey Pine,

Why is using privnote insanity in your opinion?  I'm sure I could search for it but it takes so long.  Is it that great a risk for buyer AND seller or just one of them?
Title: Re: Paranoia/Newbie Blues
Post by: wsg on October 13, 2012, 01:28 pm
Let me try a short answer here ....Private note is a 3rd party server that destroys the note from the sender or recipient from being able to view the note again, nobody can guarantee that the server does not have a record of this transaction or could be

 "Three can keep a secret, if two of them are dead.
 Benjamin Franklin

Title: Re: Paranoia/Newbie Blues
Post by: tommygun on October 16, 2012, 10:33 pm
Oh ok gotcha, thanks :)
Title: Re: Paranoia/Newbie Blues
Post by: LetMyPeopleGo on October 17, 2012, 12:48 am
What is your guys' opinion on sending addresses in parts through privnote?

Say

#1: John, 8888, Los Angeles

#2: Doe, 1st ST, California

#3: 80521


Does this in any way make it more safe?
Title: Re: Paranoia/Newbie Blues
Post by: quietgirl79 on October 17, 2012, 05:41 am
Oh, I wouldn't worry about it! I certainly don't. :)

Welcome to SR!

Thank you! =)  I do have to apologize for responding so late...sometimes it takes a little bit of courage before I feel like I can speak out, so I'll tend to lurk for the most part..

And I do agree with you, the vendors need us as much as we need them, so we all need to practice safety.  And that's one reason I think it's a good idea to research vendors a little before doing anything, as working with someone inexperienced jeopardizes everyone: vendor, purchaser, and the SR culture/community.  And there is no reason one should not be a smart consumer ;)

What is your guys' opinion on sending addresses in parts through privnote?

Say

#1: John, 8888, Los Angeles

#2: Doe, 1st ST, California

#3: 80521


Does this in any way make it more safe?

I'm not a security expert, but even though that might leave a layer of obscurity (but also potential screwups between vendors getting your address right), the arguments I have heard for PGP are far superior.  And not to say PGP is foolproof, but why not use the best body armor if you are going to get shot at, even if it takes a little bit of learning?
Title: Re: Paranoia/Newbie Blues
Post by: vcalderone on October 17, 2012, 07:57 pm
Don't use privnote period. It's unsecure.
2nd there is more than one vendor for virtually anything you might want to buy on SR so if the vendor can't get their act together on PGP etc MOVE ON and order from another vendor. I'd rather spend an extra BTC or 2 and feel secure about the person I'm dealing with.

Title: Re: Paranoia/Newbie Blues
Post by: schlechter on October 17, 2012, 10:39 pm
This happened to me as well...

PGP Problem
Privnote
2 month old vendor...

UK cannabis vendor by any chance?
Title: Re: Paranoia/Newbie Blues
Post by: LetMyPeopleGo on October 17, 2012, 11:38 pm
I'm just curious. I swear by PGP. I've only used Privnote ONE TIME... and it made me really, really uncomfortable.  Never again.  Glad that vendor finally has their act together so I can order in peace.  Warms my heart <3 haha.   

I really do refuse to go with any vendor who has no PGP.  It sketches me the fuck out when they continuously say they're having problems with it.  It confuses me.  I know not everyone has the same OS/PC/MAC whateverthefuck so things are always different, but I feel like there shouldn't be any reason for pgp to be fucked up. It should be really simple to uninstall gpa completely, remove any files that have to do with it and re-install, make a new key. Bam. Done. Plain and fuckin' simple.

Whatever, all the vendors I could ever want to use are 'fuckin' smart' and use PGP. 
Title: Re: Paranoia/Newbie Blues
Post by: quietgirl79 on October 22, 2012, 03:44 am
I agree totally.  And no, not for that particular item, but a lot of sellers I ask these days say they'll have a PGP, but then let you know later it's not working.

The only thing that makes me paranoid about the new key bit is that you don't know if the new key creator is the same person as the person who had the old key (i.e., compromised).  Because from a safety point of view, only the person using the PGP would have the proper key to encrypt or decrypt communications, so someone who can recover their old key is hopefully more reliable and hasn't been turned into a honeypot.

But as consumers I encourage everyone to encourage their vendors to step up and require PGP.  After all, in my head, someone who has PGP is hopefully more educated, more careful, more stealthy, and basically has their shit together better than someone who might not; just theoretically speaking..

Play smart, and play safe yall.   <3
Title: Re: Paranoia/Newbie Blues
Post by: kitkat82 on October 22, 2012, 04:08 am
Can someone tell me what is wrong with privnote?  Does it leave evidence once it is destroyed?
Title: Re: Paranoia/Newbie Blues
Post by: jsmithy123 on October 22, 2012, 06:33 am
honestly speaking IMO nothing is THAT wrong with privnote

It is fine to be uber cautious and avoid it, perhaps the admins of privnote have turned and are keeping a log of everything that the feds are voraciously reading however note that the feds would ALSO have to have hacked SR and thus be connecting orders to privnotes. In my book it is very unlikely privnote is currently operated by the government and multiply that by SR being busted as well? if so it would be the law enforcement hack of the century.

if privnote is an honest attempt to provide a service, and I believe it is, it would be simplicity itself for them to have programmed up their promise of note destruction after reading. It is really trivial to do, and since it is a central part of their business plan why would they have stuffed that up? very unlikely.

If you use privnote over tor, then your note is possibly vulnerable for the time it is unread by the vendor. Depends if privnote encrypt their database of pending messages or not. Most vendors read their privnote within hours or a day, so the window for disaster is very small.

I can agree 100% using PGP is the "correct" way to do things, using privnote adds a small extra risk, but the biggest risk by far is the vendor you are communicating with is either very slack and does not destroy records or has already the cops and they are going to pass on your order and address to local authorities. PGP doesn't protect against that risk, a vendor is going to turn over everything, there is nothing in it for them to save your privacy.
Title: Re: Paranoia/Newbie Blues
Post by: quietgirl79 on October 27, 2012, 05:35 am
honestly speaking IMO nothing is THAT wrong with privnote

It is fine to be uber cautious and avoid it, perhaps the admins of privnote have turned and are keeping a log of everything that the feds are voraciously reading however note that the feds would ALSO have to have hacked SR and thus be connecting orders to privnotes. In my book it is very unlikely privnote is currently operated by the government and multiply that by SR being busted as well? if so it would be the law enforcement hack of the century.

if privnote is an honest attempt to provide a service, and I believe it is, it would be simplicity itself for them to have programmed up their promise of note destruction after reading. It is really trivial to do, and since it is a central part of their business plan why would they have stuffed that up? very unlikely.

If you use privnote over tor, then your note is possibly vulnerable for the time it is unread by the vendor. Depends if privnote encrypt their database of pending messages or not. Most vendors read their privnote within hours or a day, so the window for disaster is very small.

I can agree 100% using PGP is the "correct" way to do things, using privnote adds a small extra risk, but the biggest risk by far is the vendor you are communicating with is either very slack and does not destroy records or has already the cops and they are going to pass on your order and address to local authorities. PGP doesn't protect against that risk, a vendor is going to turn over everything, there is nothing in it for them to save your privacy.

That's true.  What do you think about the idea that those who have taken the effort to go through PGP may be more likely to be more safety conscious?  In some ways, just thinking about all the extra hoops one has to jump through just to get on SR will hopefully be a good deterrent against one big thing we all fear: some irresponsible/undereducated teen/person accidentally killing themselves while SR unrightfully takes all the blame!
Title: Re: Paranoia/Newbie Blues
Post by: pine on October 27, 2012, 02:02 pm
honestly speaking IMO nothing is THAT wrong with privnote

It is fine to be uber cautious and avoid it, perhaps the admins of privnote have turned and are keeping a log of everything that the feds are voraciously reading however note that the feds would ALSO have to have hacked SR and thus be connecting orders to privnotes. In my book it is very unlikely privnote is currently operated by the government and multiply that by SR being busted as well? if so it would be the law enforcement hack of the century.

It's not as straightforward nor as difficult as you're making it sound. They don't need to hack into the Silk Road specifically, they just need to arrange for an "alternative" code module to be run when accessed via a node from the Tor network. The exit nodes are publicly known. Uninteresting notes would be filtered from those which are from 'persons of interest'. Stop thinking of it as a 'targeting system' specifically created for the sole purpose of destroying SR, it's more like part of a 'trawling system'.

Don't think of Privnote being used as a source of evidence all by itself per se, but as a source of intelligence gathering. Privnote itself is merely an obvious *archetype* of something that could be a honeypot, there are many potential similar suspect services, such as Tormail, Anonfiles or Freedom Hosting. The majority of these services must be honeypots, or it is pragmatic to assume such. We are not believing that they are all DEA honeypots, that would be quite remarkable even though the DEA undoubtedly must have a significant presence judging from its bizarre geographical distribution (it's... not exactly a drug enforcement agency, reports from wikileaks say it is actually part of an intelligence network for a larger concern). In fact we live in a digital jungle we need to navigate, where the DEA's and SOCA's e-crime divisions are merely some of the smaller minnows darting about. This world has literally thousands of private and public intelligence agencies with different agendas, who would be willing to trade data for data.

In fact, LEO does not need to intercept communications to a particular gathering place for information directly (unless it's part of the exploit), they just need to compromise the ISP.

In such a jungle, there is only 1 real defense, and that is public key cryptography. Bitcoin, Tor and PGP come from this.

You have to remember that the ethos of SR is the following:

1. Everybody on SR is an agent.
2. SR is hacked, and is in fact run by a hacker LEA.
3. Conclusion: Don't trust anybody, including Agent Pine.

The strength of our network depends on the understanding that all security is not foolproof, that anything can be hacked, and the only thing it is possible to trust is cryptographic trust. While we may have fellowship in this new universe, this is the cornerstone, so let's not get confused and start imagining "The Hack" of SR would be a notable development. It would not make any fucking sense to close SR if you got control of the servers. I mean the actual hardware could be anywhere on the planet. So any logical adversary is most likely, barring the influence of populist politics, to become a passive adversary and watch all our goings-on and record them all. That is why PGP is our most important weapon. It's not really an optional thing.

Far from being a disadvantage to be this paranoid i.e. paralysis by analysis, the paradox is that this result will give us extraordinary freedom and power.  This cornerstone is solid.
But you must all heed the principles I've explained and not trust in obfuscation as a technique, obfuscation is an Old World technique, in a digital universe cryptography takes precedence.

Can someone tell me what is wrong with privnote?  Does it leave evidence once it is destroyed?

It is known to be used by naive SR users who don't attend to their security, which makes it an attractive target, which means it should be considered compromised. I would not do business with anybody known to use such a service (or anybody who relies on 3rd party encryption services). Privnote is not more secure than plaintext, it is less secure. The concept of Privnote is so laughably insecure it's amazing anybody is credulous enough to fall for it. Even ignoring the probability of it being a method of intercepting information, one of our programmers read the code and found a major flaw in the crypto implementation in about five minutes. Crypto should be left to the experts, or people will get hurt. Whether that flaw was intentional or not is irrelevant. I can't really make it any more clear than I have already done.
Title: Re: Paranoia/Newbie Blues
Post by: kitkat82 on October 27, 2012, 10:51 pm
honestly speaking IMO nothing is THAT wrong with privnote



Don't think of Privnote being used as a source of evidence all by itself per se, but as a source of intelligence gathering. Privnote itself is merely an obvious *archetype* of something that could be a honeypot, there are many potential similar suspect services, such as Tormail, Anonfiles or Freedom Hosting. The majority of these services must be honeypots, or it is pragmatic to assume such. We are not believing that they are all DEA honeypots, that would be quite remarkable even though the DEA undoubtedly must have a significant presence judging from its bizarre geographical distribution (it's... not exactly a drug enforcement agency, reports from wikileaks say it is actually part of an intelligence network for a larger concern). In fact we live in a digital jungle we need to navigate, where the DEA's and SOCA's e-crime divisions are merely some of the smaller minnows darting about. This world has literally thousands of private and public intelligence agencies with different agendas, who would be willing to trade data for data.

In fact, LEO does not need to intercept communications to a particular gathering place for information directly (unless it's part of the exploit), they just need to compromise the ISP.

In such a jungle, there is only 1 real defense, and that is public key cryptography. Bitcoin, Tor and PGP come from this.

You have to remember that the ethos of SR is the following:

1. Everybody on SR is an agent.
2. SR is hacked, and is in fact run by a hacker LEA.
3. Conclusion: Don't trust anybody, including Agent Pine.

The strength of our network depends on the understanding that all security is not foolproof, that anything can be hacked, and the only thing it is possible to trust is cryptographic trust. While we may have fellowship in this new universe, this is the cornerstone, so let's not get confused and start imagining "The Hack" of SR would be a notable development. It would not make any fucking sense to close SR if you got control of the servers. I mean the actual hardware could be anywhere on the planet. So any logical adversary is most likely, barring the influence of populist politics, to become a passive adversary and watch all our goings-on and record them all. That is why PGP is our most important weapon. It's not really an optional thing.

Far from being a disadvantage to be this paranoid i.e. paralysis by analysis, the paradox is that this result will give us extraordinary freedom and power.  This cornerstone is solid.
But you must all heed the principles I've explained and not trust in obfuscation as a technique, obfuscation is an Old World technique, in a digital universe cryptography takes precedence.

Can someone tell me what is wrong with privnote?  Does it leave evidence once it is destroyed?

It is known to be used by naive SR users who don't attend to their security, which makes it an attractive target, which means it should be considered compromised. I would not do business with anybody known to use such a service (or anybody who relies on 3rd party encryption services). Privnote is not more secure than plaintext, it is less secure. The concept of Privnote is so laughably insecure it's amazing anybody is credulous enough to fall for it. Even ignoring the probability of it being a method of intercepting information, one of our programmers read the code and found a major flaw in the crypto implementation in about five minutes. Crypto should be left to the experts, or people will get hurt. Whether that flaw was intentional or not is irrelevant. I can't really make it any more clear than I have already done.

YIKES!  I had better continue with my PGP study tonight.  Thank you for explaining that, it makes a lot of sense and now I feel stupid.  I am having some issues with PGP but that is no reason for me to give up.  Thanks again for the info, that is the kick in the ass I needed to get motivated.
Title: Re: Paranoia/Newbie Blues
Post by: quietgirl79 on October 28, 2012, 02:35 am
honestly speaking IMO nothing is THAT wrong with privnote

It is fine to be uber cautious and avoid it, perhaps the admins of privnote have turned and are keeping a log of everything that the feds are voraciously reading however note that the feds would ALSO have to have hacked SR and thus be connecting orders to privnotes. In my book it is very unlikely privnote is currently operated by the government and multiply that by SR being busted as well? if so it would be the law enforcement hack of the century.

It's not as straightforward nor as difficult as you're making it sound. They don't need to hack into the Silk Road specifically, they just need to arrange for an "alternative" code module to be run when accessed via a node from the Tor network. The exit nodes are publicly known. Uninteresting notes would be filtered from those which are from 'persons of interest'. Stop thinking of it as a 'targeting system' specifically created for the sole purpose of destroying SR, it's more like part of a 'trawling system'.

Don't think of Privnote being used as a source of evidence all by itself per se, but as a source of intelligence gathering. Privnote itself is merely an obvious *archetype* of something that could be a honeypot, there are many potential similar suspect services, such as Tormail, Anonfiles or Freedom Hosting. The majority of these services must be honeypots, or it is pragmatic to assume such. We are not believing that they are all DEA honeypots, that would be quite remarkable even though the DEA undoubtedly must have a significant presence judging from its bizarre geographical distribution (it's... not exactly a drug enforcement agency, reports from wikileaks say it is actually part of an intelligence network for a larger concern). In fact we live in a digital jungle we need to navigate, where the DEA's and SOCA's e-crime divisions are merely some of the smaller minnows darting about. This world has literally thousands of private and public intelligence agencies with different agendas, who would be willing to trade data for data.

In fact, LEO does not need to intercept communications to a particular gathering place for information directly (unless it's part of the exploit), they just need to compromise the ISP.

In such a jungle, there is only 1 real defense, and that is public key cryptography. Bitcoin, Tor and PGP come from this.

You have to remember that the ethos of SR is the following:

1. Everybody on SR is an agent.
2. SR is hacked, and is in fact run by a hacker LEA.
3. Conclusion: Don't trust anybody, including Agent Pine.

The strength of our network depends on the understanding that all security is not foolproof, that anything can be hacked, and the only thing it is possible to trust is cryptographic trust. While we may have fellowship in this new universe, this is the cornerstone, so let's not get confused and start imagining "The Hack" of SR would be a notable development. It would not make any fucking sense to close SR if you got control of the servers. I mean the actual hardware could be anywhere on the planet. So any logical adversary is most likely, barring the influence of populist politics, to become a passive adversary and watch all our goings-on and record them all. That is why PGP is our most important weapon. It's not really an optional thing.

Far from being a disadvantage to be this paranoid i.e. paralysis by analysis, the paradox is that this result will give us extraordinary freedom and power.  This cornerstone is solid.
But you must all heed the principles I've explained and not trust in obfuscation as a technique, obfuscation is an Old World technique, in a digital universe cryptography takes precedence.

Can someone tell me what is wrong with privnote?  Does it leave evidence once it is destroyed?

It is known to be used by naive SR users who don't attend to their security, which makes it an attractive target, which means it should be considered compromised. I would not do business with anybody known to use such a service (or anybody who relies on 3rd party encryption services). Privnote is not more secure than plaintext, it is less secure. The concept of Privnote is so laughably insecure it's amazing anybody is credulous enough to fall for it. Even ignoring the probability of it being a method of intercepting information, one of our programmers read the code and found a major flaw in the crypto implementation in about five minutes. Crypto should be left to the experts, or people will get hurt. Whether that flaw was intentional or not is irrelevant. I can't really make it any more clear than I have already done.

Thanks for your valuable input Pine, I've read many of your helpful posts and I'd try to give you a +karma when I can.  But, I'm trying to maintain a "small digital footprint". 

I do have a concern though.  How wary should we be with third party services, such as Bitinstant, or Instawallet?  I know you mentioned Tormail for example, as being a security concern.  A guide had said not to leave any sensitive information on you, and it is better left in an "anonymous"  Tormail or other account (since you have to collect data somewhere, and my memory is not good enough to memorize it all). 

Also, my ignorance of TOR is making me wonder.  I have seen the message that because my connection is "torified", I am safe, and all other non torified connections have their payloads exposed at the exit.  I do not know what that actually means, but I have taken it to imply that as long as I'm using TOR, my payload is still encrypted?  Then how is that different from what you have mentioned about the exit nodes..does this mean that there is some way of decrypting that information, and thus danger and less security?

Sorry about the somewhat complicated question, but inputs that lead to greater enlightenment are always appreciated =)

-quietgirl
Title: Re: Paranoia/Newbie Blues
Post by: pine on November 13, 2012, 02:59 am
Thanks for your valuable input Pine, I've read many of your helpful posts and I'd try to give you a +karma when I can.  But, I'm trying to maintain a "small digital footprint". 

I do have a concern though.  How wary should we be with third party services, such as Bitinstant, or Instawallet?  I know you mentioned Tormail for example, as being a security concern.  A guide had said not to leave any sensitive information on you, and it is better left in an "anonymous"  Tormail or other account (since you have to collect data somewhere, and my memory is not good enough to memorize it all). 

Also, my ignorance of TOR is making me wonder.  I have seen the message that because my connection is "torified", I am safe, and all other non torified connections have their payloads exposed at the exit.  I do not know what that actually means, but I have taken it to imply that as long as I'm using TOR, my payload is still encrypted?  Then how is that different from what you have mentioned about the exit nodes..does this mean that there is some way of decrypting that information, and thus danger and less security?

Sorry about the somewhat complicated question, but inputs that lead to greater enlightenment are always appreciated =)

-quietgirl

You should not give 3rd parties any information that can be connected to your RL identity.

Keeping a small digital footprint is easier said than done, it can be messy even for techs sometimes.

You can collect the data you require (Tor browser, GPG4USB software, paperwork) in one place, encrypt the lot and upload it to some digital locker, then overwrite the original file. Then each time you use the data you can download, decrypt, utilize and repeat the previous steps to put it back in the cloud. Obviously you can't be doing that with more than a couple of Gigabytes though.

A more sophisticated technique is to run everything on some remote server as well as storing the data there, but not everybody's Internet connection makes this viable.

Another technique is to use a combination of encryption and obfuscation, by placing data and programs onto a microSD (a tiny piece of memory the size of a fingernail and only slightly thicker) and encrypting it. Then you can destroy/hide it before encryption becomes the last line of defense.

Another technique I was talking about with Bungee (I must get back to you on this Bungee) is to take a small computer and hide it somewhere very hard to reach, but which would be very easy for you to inspect. e.g. use a magnet or otherwise physically attach a laptop to the side of a skyscraper or other tall piece of infrastructure. Then you could invest in a telescope and providing you had good line of sight you could visually inspect whether the item had been interfered with (you could attach a proximity detector to demagnetize or otherwise destroy the device). Then you can use a powerful piece of hardware to reach the laptop and do your business of storage/running programs from that. That way when LE bust you, they only have a thin client, no digital footprint. I think overseas intelligence operatives must be doing something like this to stay under the radar, it makes perfect sense on a bunch of levels. It's cheap, it requires no training, the whole thing can be packaged easily for tech newbs etc.

Anyway in practice less exotic techniques like the ones mentioned above work perfectly well.

--

Never store data/programs on Tormail or any other data storage locker unless they are encrypted to the hilt.

The business with "torified connections" and "payloads exposed at the exit", is geeks and regular folk thinking differently about the system, it is this:

In computers we have a thing called 'the OSI stack'. It is an abstraction where there are different 'layers' to the network. At the top is the Application layer, things like Firefox, Apache. Regular programs people and servers run. At the bottom there is the Physical layer, which literally is the 1s and 0s zooming over the copper wires or fiber optic cable.

Tor provides network security, which is sandwiched in the middle of those two layers. It prevents your IP address being known. It does not anonymize the Physical layer (probably impossible) or the Application layer (the programs being used). Well, actually it does try to standardize the Application layer so everybody's 'browser fingerprint' is similar, which is a case for not adjusting the settings on your Tor Browser Bundle very much or at all. But the core thing is that it prevents somebody else obtaining your real IP address, that is the main thing Tor does.

Where people get confused, is that their Internet traffic going into and traversing the Tor network is encrypted, but not at the Application layer because that's impossible. The programs you are running on Tor and the communications they are making are not encrypted in and of themselves. I mean if you request a webpage such as this one on Tor, then the program handling the webpage at your end can't be encrypted. Your computer would have no idea how to interpret the webpage. First the webpage must be decrypted, then it is sent to your browser to display.

A related issue of confusion over encryption is that if your application like the browser sends your real IP address as part of the data it is sending out at the Application layer, e.g. "Hello webserver, I am web browser and this is my IP address", then Tor doesn't do anything to stop that because it can't. Notably BitTorrent software does something like this which is why it's not advisable to use BitTorrent with Tor.

Again, Tor only prevents your IP address getting out at the Network Level. Not at the level of Software deciding to give your IP address away. Most of the time this is not malicious on the part of the software, the big problem is DNS leaks, where the software thinks it needs to obtain an IP address of another computer and resolve it to a domain name.

Finally another related issue is that people think Tor encrypts all their stuff. I think this is an extreme example of 'technomagic', a fallacy in the comprehension of how encryption or frankly even logic works. Tor does not encrypt your emails from end to end. Tor does not encrypt your PMs from end to end on a forum such as this. Take this message I am writing for example. As it passes through the Tor network, it will be encrypted multiple times to achieve anonymity. But when it 'surfaces', or is decrypted, it is plaintext. The fact you are reading it means it's plaintext! Again: application layer is not encrypted, that goes on at the network layer.

Similarly on SR when you send your address to a vendor, it is in plaintext. There is no technomagic wizardry that somehow encrypts it such that only the vendor can read it in plaintext. It has to be stored as plaintext in order for the vendor to read it at all! Anybody, and I do mean anybody, with access can read that message. Hence PGP Club.

The solutions to all those misunderstandings are simple.

A: Always use PGP when doing incriminating things like sending your address to a vendor of illicit contraband!
B: Ensure you don't do exotic (e.g. "To speed up Tor") things to the Tor Browser Bundle or however you're using Tor. You'll stand out if you do. Anonymity is all about being a member of a crowd. Run with the shoals! Swim with the zebras! You get the idea.
C: Assume everything you're writing is being logged and examined by LE agents wasting the public's tax dollars, and behave accordingly.

C means;

No "Wow! What a great TV show last night!".
No "It's a nice morning".
No. "LOL, I was on reddit and..."
No. "Take a look at this youtube video!"
No "I just bought this book/movie/music/software"

No. No. No. No. No. But yes, perhaps you should drop breadcrumbs for your own canary, but don't get too clever either or you'll wind up being more stupid than clever. Millions of people think of nothing but releasing fabulously detailed TMI about the minutiae of their daily lives, it's not difficult to create a believable alt.

A, B are essential, C is for the lulz and wearing down the adversary. I assure you you have enemies and they are very real indeed. This fact cannot ever be forgotten. You are arrayed against the forces of our respective police states. DPR is correct. Merely being on this hidden service is a revolutionary act, whether you all believe it or not. One day they will come with us and we shall wield all the power of the world to create a new social and political order but until then remember we are allied against a powerful adversary. We shall play to our strengths and use the market against them. For the most experienced members of this forum this was never about the money. This is about revenge. Of peers locked in cages and death for some, of being helpless against the absurdity of the Drug War for others. They have never met an enemy like us. In all my life I have never once seen such a powerful force for social and political change as the Darknet.
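
The layering described in the post above, as an added example that is not part of the original thread: a toy three-hop circuit in which each relay removes one layer, so whatever leaves the last hop is exactly what the application sent, readable unless the sender encrypted it to the recipient beforehand. The relay names, keys and the SHA-256 keystream are constructed stand-ins, not Tor's actual cryptography or PGP.

```python
import hashlib


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher (SHA-256 in counter mode). Illustration only, not real crypto."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[i:i + 32], block))
    return bytes(out)


# Constructed keys: one per relay (each shared with the client), plus one key
# that only the final recipient holds, standing in for the recipient's PGP key.
RELAY_KEYS = [b"guard-key", b"middle-key", b"exit-key"]
RECIPIENT_KEY = b"recipient-only-key"
MESSAGE = b"constructed sample: private note for the recipient"


def client_wrap(payload: bytes) -> bytes:
    """Client adds one layer per relay; the exit's layer is applied first (innermost)."""
    cell = payload
    for key in reversed(RELAY_KEYS):
        cell = keystream_xor(key, cell)
    return cell


def traverse_circuit(cell: bytes) -> list:
    """Each relay peels its own layer. Returns what each relay forwards, in path order."""
    views = []
    for key in RELAY_KEYS:
        cell = keystream_xor(key, cell)
        views.append(cell)
    return views


def exit_view(message: bytes, end_to_end: bool) -> bytes:
    """What leaves the last hop, with or without encryption applied before sending."""
    payload = keystream_xor(RECIPIENT_KEY, message) if end_to_end else message
    return traverse_circuit(client_wrap(payload))[-1]


if __name__ == "__main__":
    guard, middle, last = traverse_circuit(client_wrap(MESSAGE))
    print("guard forwards :", guard[:16].hex(), "(still layered)")
    print("middle forwards:", middle[:16].hex(), "(still layered)")
    print("last hop, no end-to-end  :", exit_view(MESSAGE, False))
    print("last hop, with end-to-end:", exit_view(MESSAGE, True)[:16].hex(), "...")
    recovered = keystream_xor(RECIPIENT_KEY, exit_view(MESSAGE, True))
    print("recipient decrypts       :", recovered)
```
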
Title: Re: Paranoia/Newbie Blues
Post by: Bungee54 on November 14, 2012, 10:58 pm
WTF Pine, you give us goosebumps again..


We thought of nothing heavy as we entered our name into the search to check gossip.

And then this heavy hitter as first message ...


Damn ..

No we can't sleep anymore.

Big THANKS  -_-


BIG HUGS!
Title: Re: Paranoia/Newbie Blues
Post by: quietgirl79 on November 15, 2012, 01:48 am

Awesome tips Pine!  Any info I give is misinformation.  Just kidding, I always tell the truth.  Sometimes. 

Thanks for your explanations too.  Without true understanding of how all this technology works, people do seem to fall back on superstitious behaviors.  Like that change identity button.  Does that do anything?  Or does hitting that more often make me more visible?  The problem for me is that all these computers and things all exist in like an imaginary world.  And sometimes it's hard to grasp all this abstract stuff.  And that highlights the problem of "technomagic", where I still meet users that think they are "fully covered" because they are using TOR (on their main machine...).  Or don't want to discuss things in PGP.  Sometimes I wonder how some of these people haven't been caught.

I like the idea of an alt, though.  They are useful in case of a good forensic psychologist.  I had a colleague who could tell you some interesting stories. 

And I see it less as a war (though I do agree with the spirit and it certainly could be seen as a war in terms of battle, ideology, etc) and more as getting goods and services that I require that not only do not harm others, but have health benefits.  In addition, and I agree, the War on Drugs is a big failure.  Funny thing is I was one of their poster children.  I was really hurt when I realized the authority was lying  :'(

In any case, it's almost morning here, and I need to get to bed for a night shift.  Be safe, y'all