Silk Road forums
Discussion => Security => Topic started by: billiken on March 17, 2013, 11:31 pm
-
Hello everyone, im starting this topic , cause i need your advice to improve my security!!
This is how im currently doing..
Current Devices:
1. Iphone lastest IOS
2. Burner Phone LG android something
3. Desktop Computer
4. Macbook Pro mid 2012..
5. Netbook
1. My iphone, i use it mainly as my personal phone, talk to to family, friends, i try to make it almost no drug related. Only flaw is i have some sensitive information using the app WhatsApp , which i use to talk to my partner, but when it comes to text messages and phone calls its pretty clean.
I only use the lock system that the phone provides, i use a 4 digit password on it. Not the smartest thing i guesss.
2. Burner phone is an LG device with android, i use it only for dealing, i mostly use whatsapp but some people are not up to date when it comes to new phones so i use text messages as well, but NO phone calls at all, i have never ever answered one. No1 of the people i interact with on that phone know my real identity i always use an alias, they DO NOT KNOW my real age, address, real name nor anything that can be directly traced to me.
The only protection that phone has its the 4 digit number aswelll, not very smart!!
3. My desktop computer i think its one of my biggest problems, i do not use it all the time, but it has sensitive information, such as product pictures, i get into my fake facebook and other clearnet forums to show product, talk to customers, send/recieve BTC.
I also get into my real facebook and real email address sometimes and i also buy stuff, i play games on steam, etc.
However i do use Private Internet Access ALL THE TIME. I have the dns kill thing and it wont let me get online unless the vpn client its on and connected to a server.
I only have the windows password thing for protection, lol. My desktop computer runs on Win7 ultimate.
4. Macbook Pro mid 2012, like i ve said, i do not use my desktop computer a lot, so everything i do on it , i also do it on my mac.
But like on the desktop computer i use the VPN ALL THE TIME.
The only protection i have its the password sytem that comes with the OS.
5. Last but not least my netbook. I use it only for SilkRoad, i run tails from a usb drive, and thats the only use the netbook has.
Additional information:
I always stripp metadata from product pictures for my safety.
If you need additional information just ask me. Thanks to those who make this community better everyday.
-
Sounds pretty close to my setup , minus all the extra gadgets like netbooks/lap tops. I use truecrypt on both my main PC and my WD passport (which I do all SR related activity on) , all under a VPN. I don't know what else you could do besides break out wireshark and see what packet/frame info could be discovered by MITM/ISP/ECT. Also your phones, as far as the locks go thats good. There is anti-virus software out there that you can enable yourself to send texts via another phone and shut your phone down or whatnot if lost/stolen. Also you might want to lower setting to like lock my phone every 3 mins. I had mine at 15 in the beginning and I have a droid incredible 4g
If your desktop isnt truecrypted entirely I would suggest that, you didn't mention hard disk encryption. You might just wanna go ahead and truecrypt up if your lookin to tighten your security. *-*
-
If your desktop isnt truecrypted entirely I would suggest that, you didn't mention hard disk encryption. You might just wanna go ahead and truecrypt up if your lookin to tighten your security. *-*
Y'know.... I'm not by any means saying that isn't good advice. (Oh, I can see the karma plummeting from here over what I'm about to say) But.. all this security stuff that's freeware. I mean, last week, my TorChat and my GPG4win went down at the same time. Related? Maybe. I don't know. I uninstalled (I use Revo to uninstall) and reinstall, and nothing. And, support? Support is nonexistent. So, I have truecrypt, and I have a ton of really good shit on an encrypted volume, but I do worry that one day that shit's just not going to work for whatever reason, and all my data, hours and hours of work, just gone (oh, that's why we have backups, right? well, how do we protect them?). I just worry that the "free" part of freeware isn't necessarily a good thing for the end user. I have seriously fucking considered buying Norton PGP. I know. karma plummeting. I'm just worried as fuck that one day Truecrypt will take a shit on me, and have you seen their website? No help. Not responsible for lost data. Not a data recovery service. Screw fucking you, basically, because you downloaded it for nothing.
Use something, billiken, by all means, use something to conceal the illegal shit you're doing. Just make copies of your copies and encrypt them, too. I have had an external drive crash on me before. But, I've never had a BD-ROM go bad on me, and, I've never had multiple externals crash at the same time. So, be smart about it, but do use encryption.
-
@sleepyeyes
You absolutely must use free security software, I don't mean free as in no money but free as in freedom to audit, re-use and improve upon the source code. This is because all the best security minds outside the secret services and none of the charlatans looking to make a quick buck really believe in free software.
To not use auditable software for privacy and security is to entrust that to one private entity who could be compromised, rather than all the hackers and security researchers in the world. Ideally you should be using software that is used internally by competing governments, that's the only way you can be sure it's secure.
-
So you never answered me about TorChat, sleepy. I was all ready to help you and stuff :P
I'm guessing it stopped working because you installed a new browser bundle. They changed the ports Tor listens on. That's not TorChat no longer working, that's the Tor project people fucking everything up for what seemed to be no reason at all (I'm sure they had one, but I honestly don't know what reason is good enough to break any software depending on Tor using the port it always did).
Truecrypt is different. It doesn't go through Tor. It's local only -- if you don't change the version, you don't have to worry about it no longer working unless your CPU melts or your RAM goes bad or some other random hardware failure screws everything up (which would mean even without Truecrypt, you still wouldn't be able to use your computer until you replaced the hardware, at which point Truecrypt would be working again too).
Just use Pidgin's TorChat plugin and make sure Pidgin is configured to use the right port for Tor (9150 now).
Oh yeah, P.S. -- gpg4win is rubbish. Try GPG4USB instead. Astor recommends it, and he kind of took over PGP stuff unofficially for Pine.
-
So you never answered me about TorChat, sleepy. I was all ready to help you and stuff
Sorry, SS. I must've missed the PM or post you sent. I'm all for some help with this. It's not that it just doesn't communicate; the proggy doesn't even load, at least, I can't see it; there's an entry in task manager, but absolutely nothing on the screen or in the tray. If I installed a new browser bundle, I am unaware of it. I did install Firefox Portable and secured it, but I cannot see that being a factor, especially when the problem is irrespective of what's open. I can have everything shut down (you know, not EVERYTHING, but...) except Vidalia and TorBrowser, and TorChat just won't come up for me. I don't .... sob... understand... sob..... why!!!!!
I'm usually pretty good with software diagnostics, actually, but better with hardware, and I haven't run this through all its paces yet, but the lack of an official support thread or staff or guy or whatever is a bit annoying sometimes. They wrote the software; they know best how it runs. In theory, I guess. I wish I were more of a code guy, but since I got blown up in another country in some stupid war, my ability to stick with learning really complicated things has waned a bit. It's more the attention, really. I'd rather build you a computer than write you software to run on it. Anyway, thanks for the heads up on Pidgin's Torchat plug-in (didn't know they had one), and GPG4USB. You are, as always, Da Man.
You absolutely must use free security software, I don't mean free as in no money but free as in freedom to audit, re-use and improve upon the source code.
whiteknight, I never implied anywhere that you shouldn't use security software whose source code has not been made publicly available. Norton PGP costs an assload, and it's a yearly charge, at that. But, they make the source code available to all who wish to see it, if only to prove wrong the myth that PGP has back doors. I did say that when you give your work away to the public you have very little incentive to support it any further. I used the free version of Revo Uninstaller for years because it was so damn good, and one day I thought, hell, this company and their product is worth $30. And, the Pro version really is a little better. Same with WinRAR. And, then, on some things I just download cracked copies because there's no way in fuck I'm paying $30 (or is it $20? But, it's a lot for what it is) for mIRC, and they want my home address. So, I get that my argument is a little inconsistent. But, I would pay $30 or even $60 for a good drive encryption program with solid customer support. It can't be had, though, not for that kind of money.
Truecrypt is different. It doesn't go through Tor. It's local only -- if you don't change the version, you don't have to worry about it no longer working unless your CPU melts or your RAM goes bad or some other random hardware failure screws everything up (which would mean even without Truecrypt, you still wouldn't be able to use your computer until you replaced the hardware, at which point Truecrypt would be working again too).
In theory. I suppose one could believe in God, and go to church if they wanted to, as well. I don't have faith in god, and I don't have blind faith in Truecrypt. I believe it has worked well for me so far, and I hope like hell that it continues to, because there are damned few other options around, and it seems to be working for other people, (25 million downloads to date). But if you have a problem, and there are 20,000 posts in just one subforum of the "Problems" section of the TC forum, there is a forum for that. And, it is clearly stated that it is user-to-user support. Doesn't that, in and of itself, make you wish for the days when Phil Zimmerman (god bless him, peace be upon him) owned PGP and ran the corporation that owned it after that?
We don't all write code in our spare time, and no one should be flamed as a noob or whatever for not knowing how to read source code. Each according to his gifts, as the saying goes, I believe. I guess I just wish that Truecrypt would start offering a Pro version, hire a staff, and start making money. Then, maybe he could say just a bit more than, "well, if your drive is fucked up, it's not my problem. You downloaded Truecrypt for free, and you fucked up your own drive. We are not a data recovery service." Well maybe not, but then again, maybe Truecrypt fucked up the drive, and maybe, just maybe, there's a thing or two you can do for this poor bastard who just lost months' worth of work and data, possibly because of your freeware.
Just sayin'
-
LOL... yeah, alright. I see your point.
So I see that the stand-alone Torchat is a Python application. Here's what you need to do for me: get to a terminal (just running "xterm" is good enough, really). Then I need you to type this:
torchat_py=`which torchat.py`
cd `dirname $torchat_py`
python2 torchat.py
python2.7 torchat.py
python3 torchat.py
Then PM me the output. If "torchat.py" isn't in your executable path, then it won't do me any good -- basically what I want is an easy way for you to run the program with all the different versions of Python you have installed, and to show me the output of them so I know what the problem is. Or one of them might actually run it perfectly, at which point you'll be able to thank me & enjoy your program again, hah.
You can paste the output here if it isn't sensitive info. The PM is just for your peace of mind.
-
SS, I sent you a PM on the particulars. I took your earlier advice and just went the pidgin plug-in, since I use pidgin for ICQ anyway. It works fine, it's just now instead of my earlier TorChat ID (which, I'll be fucking honest - I couldn't tell you what that is without some looking around), I'm just sleepyeyes2k2. I don't know how that works, though, or if ppl will just start adding their old TorChat #'s even though the readme said not to. I don't know, everyone I chat with on TorChat is on HBB, and I honestly barely used it, so if someone wants to send me a PM or add me as a buddy, maybe we can see how it works. I'm always up for a chat!
On another note, just to warn everyone, my avatar is about to change. So, those of you who are afraid of clowns need to just pop a xanax, okay? I'm kind of scared of clowns, too, especially THIS clown, which is why I love him so much...
-
But.. all this security stuff that's freeware. I mean, last week, my TorChat and my GPG4win went down at the same time.
Fuck GPG4Win. Use GPG4USB. Check the tutorial in my signature.
So, I have truecrypt, and I have a ton of really good shit on an encrypted volume, but I do worry that one day that shit's just not going to work for whatever reason, and all my data, hours and hours of work, just gone (oh, that's why we have backups, right? well, how do we protect them?).
With TrueCrypt. The chances of both encrypted volumes getting corrupted at the same time are slim. By your logic, why make backups at all? All hard drives fail at some point (so it may not even be your encryption that fucks you), but the only solution is backups. And if one backup doesn't make you feel safe, make two.
I just worry that the "free" part of freeware isn't necessarily a good thing for the end user. I have seriously fucking considered buying Norton PGP.
The problem with proprietary software is that you can't be sure it doesn't have a backdoor. With open source software, you can.
Anyway, I have come across many people who have had problems with GPG4Win, but I haven't heard of a high(er than proprietary software) failure rate for TrueCrypt. I have used full disk encryption on an internal and external hard drive for a couple of years without any problems.
-
Fuck GPG4Win. Use GPG4USB. Check the tutorial in my signature.
Yeah, that was SS's advice. Looking into it now.
With TrueCrypt. The chances of both encrypted volumes getting corrupted at the same time are slim. By your logic, why make backups at all?
Well, if you'd read the whole of my post, you'd have found that "my logic" actually advocated the use of multiple, encrypted backups. In fact, I made the *exact* same point you just did, except I said the chance of multiple HDDs going bad are slim to none. That said, if your OS updates are what irrevocably fucks up TrueCrypt (for example), then it IS possible for you to lose your data, depending on the particulars of how the interaction messed up the software. And, since it's freeware, there is no user base worth hundreds of thousands or millions of dollars to worry about, so your "slim" chances of losing data for months, or maybe forever, have just risen a bit, I think.
Let me be clear: I USE TRUECRYPT. I am not telling people not to use it. I am just sick of having to depend on freeware that may or may not be garbage after my next OS update or whatever the fuck update, or bug, or what have you, in order to complete necessary tasks.
The problem with proprietary software is that you can't be sure it doesn't have a backdoor. With open source software, you can.
Fabulous. Tell that to Norton, who sells PGP (they are the fifth owner of Phil Zimmerman's epic invention) for a buttload of money per year (it's like, $200 for drive encryption, or, about 4 BTC, to put it into some perspective). And, they make their source code available to the public, so anyone with that skill set can see there are no back doors in PGP. Hell, Truecrypt is "proprietary software"! If you downloaded it and started selling it, you'd be violating the law, because Truecrypt has a trademark on its software. "Free of charge" and "open source" are not the same thing. "Proprietary" and "for a charge" are also nonequivalent terms.
What annoys the fuck out of me is that we depend on this technology for things that are very important to us. And, when the software which we depend on so much stops working, and our attempts to fix the problem have failed, well, with unsupported freeware, we are at the mercy of our own resources. Truecrypt has its user-to-user help forum. Why should they bother with tech support of any kind? For all we know, Truecrypt is the product of one individual who basically works for donations. He says his personal philosophy is that software should always be open source and free of charge. That would be my philosophy, too, if I was worried out the ass about liability, maybe. I just disagree. I think the market would definitely support a Pro version of good, open source crypto, backed by even the tiniest bit of customer support.
Finally, billiken, I owe you an apology for hijacking your thread. For what it's worth, your setup sounds good, and yes, I agree that you do need to add drive encryption. For the moment, your options for that seem to be few and either completely free and completely unsupported, or rather expensive with stellar customer service. I gotta tell you, especially after my 4BTC comment, the Norton option is looking better and better...
-
Thank you guys for the replies, now i have a few things that i can improve, i will be using drive encryption very soon.
-
I second truecrypt. Just encrypt and hide a folder with all of your 'dirt' in it. Backup on a flash drive that you hide offsite somewhere and/or even in the cloud. If you put a backup out there online somewhere, make damn sure that service is only used for that backup and has a secure password.