Silk Road forums
Discussion => Newbie discussion => Topic started by: astral on April 21, 2013, 02:17 pm
-
In a newbie security guide here, it suggests creating a forum account name that is the same as your Tor Mail account name. It seems to me that that coupling adds an interdependency such that if Tor Mail itself, or the Tor Mail account, gets compromised, then you could be tracked to your account here.
In a different topic here a newbie asked about using the same account for the SR main site and for this forum. The answer was affirmative (do it if you want to), but it looks like the person answering was considering only convenience, not security.
I have a similar concern about adding any real email address to one's PGP key ID. It's definitely useful, for recognition purposes, to have an email address in a public key used for non-anonymous purposes, but I certainly don't want to link my clearnet email address with my Tor-purposed PGP keypair, and I wonder if it would add an interdependency risk (similar to that explained above) if my Tor-purposed PGP keypair is linked with my Tor Mail address (by including it in the key ID).
If there is no practical risk, I would prefer the convenience of using the same account name in my GPG key, Tor Mail account, SR main site, and SR forum. Could a Tor expert or anonymity expert advise, please?
-
Are you planning to use that tormail account for anything outside of Silk Road? If not then I'd say that the increase in surface area is minimal and that the convenience is worth it. If you're going to communicate with people outside SR via Tormail or leak any other information that way then I'd recommend using a different one.
Keep in mind that your main SR account is something different from other anonymous aliases in that it's connected to your home region or address; treat it with more care and respect than other throwaway, troll or hacking accounts.
-
> Are you planning to use that tormail account for anything outside of Silk Road? If not then I'd say that the increase in surface area is minimal and that the convenience is worth it. If you're going to communicate with people outside SR via Tormail or leak any other information that way then I'd recommend using a different one.
That makes a lot of sense. Thank you. I have made a new Tor Mail account and GPG keypair specifically for anonymous Tor net usage, and I know not to leak them or share them with clearnet usage.
> Keep in mind that your main SR account is something different from other anonymous aliases in that it's connected to your home region or address; treat it with more care and respect than other throwaway, troll or hacking accounts.
I don't know what you mean by being connected to home region "or address". There are assurances all over this site that my "address" will not be retained anywhere. Yes, I have set the region in my profile, but I'm fine with being anonymous within the 300,000,000 people living in my country. Can I be identified more specifically than that from my SR account?
-
Your address shouldn't be retained anywhere accessible (and if it is, hopefully you encrypted it too), but there's always a chance. Even if the tech is 100% sound, that can all go out the window when you involve a person. You never know; some incompetent vendor could be writing your username and mailing address in a notebook (against policy, but that still doesn't keep someone from doing it).
As far as tormail goes, I would be sure you're encrypting any communication you wouldn't want anyone else to read. AFAIK we don't know who is running the service and has access to all that info or what info they may provide if they are really pushed by LE or similar. Just be safe, use PGP when sending anything private regardless of service.
-
> In a newbie security guide here, it suggests creating a forum account name that is the same as your Tor Mail account name. It seems to me that that coupling adds an interdependency such that if Tor Mail itself, or the Tor Mail account, gets compromised, then you could be tracked to your account here.
> In a different topic here a newbie asked about using the same account for the SR main site and for this forum. The answer was affirmative (do it if you want to), but it looks like the person answering was considering only convenience, not security.
> I have a similar concern about adding any real email address to one's PGP key ID. It's definitely useful, for recognition purposes, to have an email address in a public key used for non-anonymous purposes, but I certainly don't want to link my clearnet email address with my Tor-purposed PGP keypair, and I wonder if it would add an interdependency risk (similar to that explained above) if my Tor-purposed PGP keypair is linked with my Tor Mail address (by including it in the key ID).
> If there is no practical risk, I would prefer the convenience of using the same account name in my GPG key, Tor Mail account, SR main site, and SR forum. Could a Tor expert or anonymity expert advise, please?
Those are all good questions I wish people would ask more often. A +k for you.
1. Use an email account that you set up and access exclusively through Tor. It doesn't have to be Tormail. Such an account should be used exclusively for SR-related communications. All communications should be PGP encrypted. Never communicate with somebody using it that you know in real life. We assume that Tormail and every other email provider is potentially a honeytrap by LE agents. So long as we don't use them for normal emails, and so long as we encrypt everything with PGP and access the service only with Tor, then we're good. If you don't want to use Tormail and you feel uncomfortable using a gmail/hotmail/yahoo webmail account in this way, then use an email service from one of America's buddies, such as the PRC or Russia.
2. Put this real email you've set up into the email field of your PGP public key when you create (or edit) it. This can be useful as a backup in the future if some hidden services are attacked. And widely publicize your PGP public key.
3. Unlike the other person, I say DO NOT use the same username for your SR account as your SRF account username. If you want to socialize you should be using a different username and style of writing/personality, and keep a SRF username separate for business only, e.g. vendor feedback threads (and to prevent "username squatting", so people can't impersonate you so easily).
4. Never ever use a clearnet email address that is your real email address. I only mention this because people have sent me PGP keys with their real names and email addresses in them before. Don't do that, I don't want them; follow instructions 1, 2 and 3.
5. We assume that SR and SRF are, in fact, hacked. So you should be using PGP for sensitive communications; your PMs are not necessarily private. Pretend they are as public as this message you're reading, and that shall give you the correct level of caution.
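Points 2 and 4 above come down to one check before a key is published: look at every User ID the exported public key carries and make sure none of them names anything but the one Tor-only address. The script below is an added example for this thread, not code posted by anyone in it. It implements only the RFC 4880 packet framing (ASCII armor with its CRC-24, old- and new-format packet headers, and the User ID packet, tag 13) and parses nothing inside the key material. The key block it inspects is constructed inline, with placeholder addresses under the reserved .invalid TLD, and the "allowed" address is whatever the caller passes in; against a real key you would feed it the output of `gpg --export --armor <keyid>`.

```python
"""List the User IDs in an OpenPGP public key block and flag any that leak.

Added example for the thread above (not anyone's posted code). Only the
packet framing of RFC 4880 is implemented: ASCII armor (section 6),
packet headers (section 4.2) and the User ID packet (section 5.11).
"""
import base64
import re

PUBLIC_KEY_TAG = 6
USER_ID_TAG = 13


def crc24(data: bytes) -> int:
    """CRC-24 used by ASCII armor (RFC 4880 section 6.1)."""
    crc = 0xB704CE
    for byte in data:
        crc ^= byte << 16
        for _ in range(8):
            crc <<= 1
            if crc & 0x1000000:
                crc ^= 0x1864CFB
    return crc & 0xFFFFFF


def armor(packets: bytes) -> str:
    """Wrap raw packets in a PUBLIC KEY BLOCK with a trailing CRC line."""
    b64 = base64.b64encode(packets).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    crc = base64.b64encode(crc24(packets).to_bytes(3, "big")).decode()
    return "\n".join(["-----BEGIN PGP PUBLIC KEY BLOCK-----", ""] + lines
                     + ["=" + crc, "-----END PGP PUBLIC KEY BLOCK-----"]) + "\n"


def dearmor(text: str) -> bytes:
    """Return the raw packets; reject a block whose CRC line does not match."""
    body, crc_line, inside = [], None, False
    for line in text.splitlines():
        if line.startswith("-----BEGIN PGP"):
            inside = True
            continue
        if line.startswith("-----END PGP"):
            break
        if not inside or not line.strip() or ":" in line:
            continue                  # outside the block, blank, or an armor header
        if line.startswith("="):
            crc_line = line[1:]       # base64 never starts a line with '='
        else:
            body.append(line)
    data = base64.b64decode("".join(body))
    if crc_line is not None:
        if crc24(data) != int.from_bytes(base64.b64decode(crc_line), "big"):
            raise ValueError("armor CRC mismatch")
    return data


def packets(data: bytes):
    """Yield (tag, body) for each packet (RFC 4880 section 4.2)."""
    pos = 0
    while pos < len(data):
        ctb = data[pos]
        if not ctb & 0x80:
            raise ValueError("bad packet header at offset %d" % pos)
        pos += 1
        if ctb & 0x40:                                   # new-format header
            tag = ctb & 0x3F
            first = data[pos]
            pos += 1
            if first < 192:
                length = first
            elif first < 224:
                length = ((first - 192) << 8) + data[pos] + 192
                pos += 1
            elif first == 255:
                length = int.from_bytes(data[pos:pos + 4], "big")
                pos += 4
            else:
                raise ValueError("partial body lengths not supported")
        else:                                            # old-format header
            tag = (ctb >> 2) & 0x0F
            ltype = ctb & 0x03
            if ltype == 3:
                length = len(data) - pos                 # indeterminate length
            else:
                size = (1, 2, 4)[ltype]
                length = int.from_bytes(data[pos:pos + size], "big")
                pos += size
        body = data[pos:pos + length]
        if len(body) != length:
            raise ValueError("truncated packet")
        pos += length
        yield tag, body


def user_ids(armored: str) -> list:
    """Every User ID string the key block carries, in order."""
    return [body.decode("utf-8", "replace")
            for tag, body in packets(dearmor(armored)) if tag == USER_ID_TAG]


def foreign_user_ids(armored: str, allowed_address: str) -> list:
    """User IDs naming anything other than the one Tor-only address."""
    leaks = []
    for uid in user_ids(armored):
        match = re.search(r"<([^>]+)>", uid)
        if match is None or match.group(1).lower() != allowed_address.lower():
            leaks.append(uid)
    return leaks


def _old_packet(tag: int, body: bytes) -> bytes:
    """Old-format header, one-octet length (enough for short test data)."""
    return bytes([0x80 | (tag << 2), len(body)]) + body


def _new_packet(tag: int, body: bytes) -> bytes:
    """New-format header, one-octet length."""
    return bytes([0xC0 | tag, len(body)]) + body


# Constructed sample key: a stub public-key packet (its body is not parsed
# here) followed by two User IDs, one in each header format. The second one
# is the kind of leftover that point 4 above warns about.
SAMPLE_KEY = armor(
    _old_packet(PUBLIC_KEY_TAG, bytes([4, 0, 0, 0, 0, 1]) + b"\x00" * 8)
    + _old_packet(USER_ID_TAG, b"anon <anon@tormail.invalid>")
    + _new_packet(USER_ID_TAG, b"Jane Citizen <jane.citizen@isp.invalid>")
)

if __name__ == "__main__":
    for uid in user_ids(SAMPLE_KEY):
        print("uid:", uid)
    print("leaks:", foreign_user_ids(SAMPLE_KEY, "anon@tormail.invalid"))
```

The parser deliberately stops at the packet boundary: it never looks at the key material, signatures or self-signatures, because the question the thread raises is only what identity strings ride along with the key. A key that passes this check can still be linked to you through the other channels discussed above (the mail provider, the forum account, the writing style), so treat it as one item on the list, not the whole list.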
-
Alright, so my question is this:
I set up my PGP key with GPG a long, long time ago, before I really knew shit about anything. And I still don't know much. But I put a completely fake clearnet address, one that probably exists but in no way could be tracked back to me. Or could it? Is there a good reason not to do this? I have since made a Tormail account and could easily make a new key. This is a stupid question, but I just wanted to clarify...
-
Separate sounds safer.