Silk Road forums
Discussion => Security => Topic started by: StExo on October 07, 2012, 07:07 pm
-
<removed>
-
<removed>
-
Thanks for sharing. It's obviously written for "the other side", but that makes it all the more an interesting read. Good job posting it here, so that we don't have to follow obscure links to get to it.
You're on my +1 karma list for when I reach 100+ posts.
Most important part:
Luckily, most people are not particularly good at remembering complicated passwords and often write them down or store them on a different medium for backup. People are generally more concerned with ease of use rather than security and so chose passwords that are generally short and contain words or phrases that are memorable to that particular user (Schneier, 2006). Police investigation may also discover passwords used for other services that have also been used for encryption.
Choose long and random passwords people!
-
Hey St,
thanks for the read. When I flicked over it, I remembered I had some pics of my former gf encrypted. Just played around with truecrypt a bit, of course, I forgot the PW for the file. Not the best position if I would get busted anytime soon, god forbid. I just destroyed the harddrive by force = and magnets.
Keep the Karma flowing.
-
<removed>
-
You can always passphrase-encrypt a list of practically unmemorizable passwords on an easily destroyable data medium. Just in case you're ever in the situation of being forced to give them up, you can tell the truth and say you really don't know them and they're gone forever.
-
Thanks for the awesome read.
-
Another concern I've seen a few people do is use the SAME password for both their TrueCrypt volume and PGP password. BIG MISTAKE. If there is a vulnerability in either of them and LEA can find the password, they will most likely try it on all your encrypted devices as even the article says a lot of users use the same password for multiple purposes/sites/applications. Even my PGP password is unhumanly long which I guess 99% of the population would never be able to remember.
True. You should be very careful when using the same password for different purposes. I would recommend that you use unique passphrases for all of the following:
- GPG private key
- Disk encryption
- Silk Road accounts
- Tormail account
Your passphrase should consist of upper and lower case characters, numbers and some special character (@ # $ % & , . ). It should not (exclusively) contain dictionary words.
If you can memorize 40+ characters, that is awesome. However it also puts you at risk of forgetting it. A passphrase in the range of 20 characters (if all guidelines above are followed), is sufficiently strong.
-
Thanks for sharing. It's obviously written for "the other side", but that makes it all the more an interesting read. Good job posting it here, so that we don't have to follow obscure links to get to it.
You're on my +1 karma list for when I reach 100+ posts.
Most important part:
Luckily, most people are not particularly good at remembering complicated passwords and often write them down or store them on a different medium for backup. People are generally more concerned with ease of use rather than security and so chose passwords that are generally short and contain words or phrases that are memorable to that particular user (Schneier, 2006). Police investigation may also discover passwords used for other services that have also been used for encryption.
Choose long and random passwords people!
I found this information about encryption pretty interesting and I use TrueCrypt to store my TOR Browser and Linux Liberte, but aside from interest's sake, like you said, this article is mainly for pedos (which hopefully none of us are). I don't think I have much practical use of this information myself since I don't plan on becoming a vendor, but for anybody trafficking illegal drugs especially Schedule I drugs like cocaine, meth, and heroin, I think this advice might be pretty useful.
If anybody wants to prove my wrong, by all means do so.
-
However, the use of keyfiles is also a massive plus and using some of them from a seperate USB drive which is also encrypted with another password is good, the password doesn't need to be as secure as the main one, but I still recommend 16 characters or more.
I've never understood the value of using a key. Storing it on a thumb drive is as bad as writing down your password. If an adversary has physical access to your stuff, which is the only situation where disk encryption matters, then they can get your key. If you password protect the key, then your encryption scheme is only as good as that password, so you might as well use that password on the disk encryption itself.
Keyfiles are effectively another password yes but are the longest possible password TrueCrypt supports. You're correct in saying it is like writing it down, but this is like 2 factor authentication, you must have something you know (the password you have in your head) plus something you have (the keyfile) and without both then it is not possible to access the data unless by something such as brute force, but to brute force just 1 keyfile plus a password, assuming you don't give up either of them is close to impossible. Even if they have your keyfile and know it is a keyfile to the encrypted volume, they still need the password in your head otherwise it'll be close to impossible to brute-force still until at least Quantum computers arrive, which is when we're really fucked.
-
<removed>
-
what about using those encrypted keyboards to counter keyloggers? and what are keyfiles?
-
<removed>
-
what about using those encrypted keyboards to counter keyloggers? and what are keyfiles?
Encrypted keyboards yes, but the hardware to the transmission device inside the keyboard itself can also be intercepted before it gets encrypted. It would help against primitive hardware based keyloggers but if the government can get a hold of your keyboard model, they can modify it then just replace it when they run into your house whilst you're away.
Keyfiles, I hope you're joking on this, but they contain a password just like your normal TrueCrypt volume mounting process and you need to load it as well as enter your password so that they being combined will make up the correct decryption.
*******CLEARNET WARNING:*********
http://www.truecrypt.org/docs/?s=keyfiles
why the clearnet warning? you do know Tor works just as effectively on www.
-
<removed>
-
what about using those encrypted keyboards to counter keyloggers? and what are keyfiles?
Encrypted keyboards yes, but the hardware to the transmission device inside the keyboard itself can also be intercepted before it gets encrypted. It would help against primitive hardware based keyloggers but if the government can get a hold of your keyboard model, they can modify it then just replace it when they run into your house whilst you're away.
Keyfiles, I hope you're joking on this, but they contain a password just like your normal TrueCrypt volume mounting process and you need to load it as well as enter your password so that they being combined will make up the correct decryption.
*******CLEARNET WARNING:*********
http://www.truecrypt.org/docs/?s=keyfiles
why the clearnet warning? you do know Tor works just as effectively on www.
I always post warnings like that when I link to any site outside the onion network. Anyone like me prefers to stay completely within the Tor network when using it and would only like to go to onion sites. I can't remember exactly where but I read a while ago whilst it is only minor, by visiting both onion and clearnet sites in the same session and identity can pose a very small risk.
DNS leaks wasnt it? By using a standard browser to visit clearrnet links it allows LE to post a honeypot link on these forums to log the IP's of SR users so this practice should in no way be encouraged.
BC
-
DNS leaks wasnt it? By using a standard browser to visit clearrnet links it allows LE to post a honeypot link on these forums to log the IP's of SR users so this practice should in no way be encouraged.
BC
Thanks a lot for this info. I was about to ask how clearnet links should be handled.
-
<removed>
-
DNS leaks wasnt it? By using a standard browser to visit clearrnet links it allows LE to post a honeypot link on these forums to log the IP's of SR users so this practice should in no way be encouraged.
BC
Thanks a lot for this info. I was about to ask how clearnet links should be handled.
TorBrowser is just for Tor :) If I want to visit clearnet stuff using Tor, I close the session and Tor, clean all cache etc (Yes I know TorBrowser handles this itself, but I play it safe), restart, change identity again to be safe and then use. Clearnet and onion never cross over for me.
Say im agent Dickhead from the DEA and i want to find out who uses SR but i cant because Tor masks our IP Adresse. Now there is a general attitude amongst SR users that all clearnet links should be opened without the Tor Browser meaning it can log our real IP's. Now all agent Dickhead has to do is be like ""OmGzzzzz look at this article about a foolproof way to import drugs":
*Clearnet Alert*
www.honeypot.gov/SilkRoad/gotcha/hahahaha
this page was created especially to be posted on this forum and the only way you could possibly access it is by seeing the URL on this forum.
Wallah! SR users flock there in droves all get there real IP's logged and at minimum gives the government/Alphabet Mafia/communists reason to now keep a closer eye on you/ your residence.
BC
-
<removed>
-
Still Tor isnt going to tell you whether its a honeypot or not.
BC