Silk Road forums
Discussion => Security => Topic started by: gaia on January 23, 2012, 07:28 pm
-
I'm thinking ultra security here - which is a little crazy considering the small personal amounts involved - but it would make me feel better so out of interest, if I was to use PAYG broadband from various outdoor locations to access SR and place any orders, how secure would it be?
There is always software associated when installing the sticks. So could this be cynically used when you're at home using IE or similar to access the Internet and transmit your IP address, when you're not using TOR without you knowing?
-
IP addresses are transmitted to every website and server you use directly. Otherwise those websites and servers wouldn't know what part of the network you belong to!
It's a digital 'I'm here' on the network.
Now, if you mean some form of spyware mentioning to LEO that you visited SR and bought drugs? That is extremely unlikely because it implies Big Brother installed the same spyware on every single dongle. Bit of a reach.
I think using a PAYG broadband dongle is an excellent idea however. I wouldn't be giving them any real information however. If you need to falsify documents, then do it. An IP address that leads to nowhere is a good thing IMHO.
Protip: use a prepaid credit card to pay the bill.
-
- performance is not consistent, certain times of day seems to become unworkable / pointless.
- anyone with the tools could track your location to within a few metres whilst you are online, so location plus any public security camera in the area = not a situation I would want to be in.
- don't know what sort of resources are available to follow up on Tor traffic?! - my guess is very little.
- it's worth the risk if you need to connect routinely for up to say 15 mins a session (bear in mind your location can be recorded / measured each time... i.e. change of location or be evasive.)
working on a laptop on the move would be ideal as location changes and connect times.
I have heard it's so accurate (location) they can pinpoint a level in a block of apartments and then surmise which apartment you would be working from!
security:
- can forget about any security changes like MAC address etc. as all your traffic is coming from the same ISP dongle which is a fixed mobile No, deviceid.
- "you" have no idea what data the dongle is periodically sending to their servers whilst you browse using their software. Use the dongle with Linux, now that's smarter as the Linux driver and software are most likely available in source code for everyone to see.
-
Oh the times they are a changing and some seriously scary stuff possible, pays to be paranoid friends. Stating the obvious probably but you also not gotta use the phone with or for anything else.
-
Thanks guys. Some good observations.
I was just curious really. I am probably like a lot of people here....I am not in my teens so have lost all my old drug contacts, I am fed up with the usual crap street deals I am left with, and I have a family that I don't want to endanger any more than necessary. I guess I should grow up and leave the drugs alone, but they've been a part of my life for too long now that it's a part of who I am. Plus it's the only method of escape from chronic pain that I suffer.
I guess anything that minimises the risk is worth exploring. As I said, it would only be for ordering, and I would only ever use the USB dongle and laptop when on the move, and never EVER at home.
@pineappleexpress, what I was getting at is as a result of pure paranoia. But is that a bad thing? :) I was just scared that the software it installs may 'phone home' when not on the move, so as to pass on any fixed IP address. This would then match up with the dongle's SIM that was detected when ordering off SR! The sensible side of my brain tells me this is highly unlikely, and the software would only be used when the USB is active. But I don't have the knowledge to assume this.
The stick was 1GB preloaded, and purchased with cash by the way!
I tried it out today, and it does work a treat with TOR stored on a separate dongle though :)
-
...pineappleexpress is talking about the IP address you get when you connect, it is likely to change each time you connect but is the least of your problems since the dongle deviceid + its sim/mobile No are fixed and are the identifying bits here.
-
Thanks guys. Some good observations.
@pineappleexpress, what I was getting at is as a result of pure paranoia. But is that a bad thing? :) I was just scared that the software it installs may 'phone home' when not on the move, so as to pass on any fixed IP address. This would then match up with the dongle's SIM that was detected when ordering off SR! The sensible side of my brain tells me this is highly unlikely, and the software would only be used when the USB is active. But I don't have the knowledge to assume this.
- the ISP could very well switch on the SIM by calling it, and it's not a phone and isn't going to ring, not that you would hear anything, and who knows what they could achieve by this.
- moral of the story, disconnect it from the USB when not in use.
-
- the ISP could very well switch on the SIM by calling it, and it's not a phone and isn't going to ring, not that you would hear anything, and who knows what they could achieve by this.
- moral of the story, disconnect it from the USB when not in use.
That's what I was getting at, and as I said, I would only use the dongle when on the move and NEVER at home. But my concern was with the installed software (quite a lot of bloatware!). The paranoid side of me wonders if this could cynically send info back to the ISP as soon as it detects a static IP address, with or without the dongle being active.
Then again, maybe I'm just looking for things to worry about :)
-
- yes it's a risk, plenty of those dongles will work under Linux say, but often it's model specific, i.e. a cheaper lower speed one might be difficult to get working.
their software could be snooping on your activities; unless some hacker out there has spent the time proving it is ok, I would by default not trust what Vodafone / O2 are doing.
there is an element that you can't cater for: if the subversive communication is on a lower level, i.e. the dongle / chip level, well there's not much that you are going to stop, unless perhaps a custom firmware available on the inter-web somewhere removes that capability.
nothing in IT is straightforward.
ultimately do what you can and accept the level of risk you cannot mitigate.
;)
-
I think... moar research!
-
You're right...in this cat and mouse game, all we can do is work with the knowledge and ability we have. And accept nothing is 100% safe. I suppose the best (though perhaps excessive) thing I could do to minimise my paranoia is to uninstall the software every time I finish using the dongle.
I guess I was half expecting many other people to be using mobile PAYG broadband though. On the face of it, it would seem to be putting more distance between myself and the snoopers. And that's got to be a good thing.
In the end, I think I need to get perspective on this though....I'm only a very small and uninteresting fish in a sea of entertainers. If they were to catch up with me, I would yield very little, and be a pathetic return for their investment. ;D
-
...you can pm me the payg model No.....not the unique IMEI nor what could be the unique deviceid...so it should read something like "huawei M108", I'll do some searching around .....what OS did you want to run?
-
Wow, my opinion of this place, and its people (mostly) continues to impress.
Thanks TWM.
-
pm sent...
huawei support added / device detected with ubuntu 10.10 & 11.
make sure level 5 updates are selected in the update manager, then simply update the kernel to the latest release.
an option driver was added to kernel 2.6.39-stable and tested ok :-
Tested on Dell inspiron 1764 (i3 core cpu) and brand new Huawei E353 modem, Fedora 15 beta.
was unsuccessful under Linux Mint (?!)
-
Was just re-reading this and seen, "I am not in my teens so have lost all my old drug contacts, I am fed up with the usual crap street deals I am left with, and I have a family that I don't want to endanger any more than necessary. I guess I should grow up and leave the drugs alone, but they've been a part of my life for too long now that it's a part of who I am." oh dear i couldn't have put that any better myself Gaia.., lol.
I've just invested in a small netbook which takes a 3G SIM card so I can be more mobile and hopefully safer, I also run Linux Liberte or Tails to increase my security. All I need now is to get TrueCrypt working and I will feel about as safe as I can be for the moment anyway.
btw// Hello TWM , cheers for putting me onto Ivory, abso great guy he is
Good luck Gaia, etc with your security issues, cheers Sunny ;
-
Best bet is to buy one from one of those second hand phone shops that have sprung up in every city in the country, the ones that do the cheapo accessories and unlocking. Also buy a few sim cards (ideally get seven and use a different one each day to connect). Buy top-ups for cash or use an anonymous pre-paid card to pay the bill (does anybody have a link for any UK/EU ones with decent limits).
-
Best bet is to buy one from one of those second hand phone shops that have sprung up in every city in the country, the ones that do the cheapo accessories and unlocking. Also buy a few sim cards (ideally get seven and use a different one each day to connect). Buy top-ups for cash or use an anonymous pre-paid card to pay the bill (does anybody have a link for any UK/EU ones with decent limits).
Hi,
You can go on the O2 website (http://freesim.o2.co.uk) and get a couple of PAYG sim cards for free. They won't let you enter the same address twice but you can change it a little each time to keep on receiving free cards e.g
John Doe
12 Cherry Tree Lane
London
E12 6EJ
Jonathan Doe
Twelve Cherry Tree Lane
London
E12 6EJ
etc. etc.
The SIMS won't be activated until you top up. You can do this by buying a code from a store with a PayPoint using cash. Either find a store which doesn't use CCTV or buy a code and wait for a few months before using it (check to make sure they won't expire!), as most shops wipe their video records after a fixed period of time.
Needless to say you should switch to a new SIM as each one expires and never reuse one.
As for the Dongle I would suggest you go on eBay to find a generic USB dongle - or indeed one where you can install the software yourself as this is quite easy to do. (I have a friend who can give you instructions on how to do this).
As posters have already said here it would be a moot point in any case as although it might be possible to detect your connection is Torified it's a far cry from that to being able to read your specific browsing activities. For this reason I connect to SR and these forums from my home and work machine - all that LE can know is that you're using onion routing, not that you're connecting to SR - and of course every time you switch SIMS, they have to find you all over again.
V.
-
Excellent answers. I am impressed by how intelligent and well informed our community members are. I am learning more and more each day. Thanks for the great answers, it's really helping me out.
-
all that LE can know is that you're using onion routing, not that you're connecting to SR - and of course every time you switch SIMS, they have to find you all over again.
Exactly.
Tor use DOES NOT prove Silk Road use. LOTS of different types of people RELY on being able to use Tor for all sorts of different reasons:
- the Law Enforcement agencies themselves use it
- Other civil servants use Tor
- Journalists use Tor
- Commercial companies use Tor
- Scientists and researchers use Tor
- No doubt others I can't think of
The majority of those listed above could also get post delivered to them at the building pertaining to the IP address flagging Tor use. And at that point, the evidence profile between SR users and our non-SR Tor user still looks very similar. Sure, maybe they didn't have as many Get Well Soon cards delivered all year round from their Aunt in Amsterdam, but without treating each and every individual with the same resources as they would use for a more significant drug bust, they still haven't got enough evidence to arrest anyone. (and they don't know before making the decision to bust someone whether ANY physical evidence is going to be left for them)
There are just too many Tor users outright to flag Tor use. And imagine if people that previously used Tor for their job, also now happen to be Silk Road users too! LE have a real headache on their hands (unless they decide they don't care anymore).
-
all that LE can know is that you're using onion routing, not that you're connecting to SR - and of course every time you switch SIMS, they have to find you all over again.
Exactly.
Tor use DOES NOT prove Silk Road use. LOTS of different types of people RELY on being able to use Tor for all sorts of different reasons:
- the Law Enforcement agencies themselves use it
- Other civil servants use Tor
- Journalists use Tor
- Commercial companies use Tor
- Scientists and researchers use Tor
- No doubt others I can't think of
The majority of those listed above could also get post delivered to them at the building pertaining to the IP address flagging Tor use. And at that point, the evidence profile between SR users and our non-SR Tor user still looks very similar. Sure, maybe they didn't have as many Get Well Soon cards delivered all year round from their Aunt in Amsterdam, but without treating each and every individual with the same resources as they would use for a more significant drug bust, they still haven't got enough evidence to arrest anyone. (and they don't know before making the decision to bust someone whether ANY physical evidence is going to be left for them)
There are just too many Tor users outright to flag Tor use. And imagine if people that previously used Tor for their job, also now happen to be Silk Road users too! LE have a real headache on their hands (unless they decide they don't care anymore).
THEN the drug laws in our country are thankfully that lenient that if I was picked up for possession I would get a slap on the wrist lol. Prob even a caution since I have not been in trouble for over 10 years
For the modest and occasional amounts I will order I am not going to sneak around pretending to be some kind of criminal secret agent lol Maybe if I was in the states with the harsh penalties and prisons they have I would. Although if I was there I prob would not bother at all FUCK THAT
-
I thought I would just add tho that I have not and will not order from outside UK. Just seems like common sense really as any shipment is likely 20x more likely to be intercepted crossing through customs
-
I thought I would just add tho that I have not and will not order from outside UK. Just seems like common sense really as any shipment is likely 20x more likely to be intercepted crossing through customs
This sounds like a good idea although ideally you should also make sure you're not delivering to your home address. I don't do drugs but in the past have dealt with forged money / ID and my usual MO was to grow my beard out for a couple of days and put on some rumpled clothing (not a difficult look to pull off when you're a student!) then go to your local Church.
Put it about that you're in between jobs and when some kindly old do gooder offers to help tell them you'd appreciate somewhere you can pick up the mail for your job applications.
If this sounds too much like hard work, get yourself some fake ID and have it sent to your local Post Office in a false name "Poste Restante" (http://www.postoffice.co.uk/letters-parcels/receiving-letters-parcels/redirection-options/poste-restante). Try to find some nice little rural PO and don't use the same one twice in a row! :-)
I received two PAYG sims in the mail today from O2 although in fairness they did have my first name emblazoned on the front of the envelope. However as I said the most the filth could do is prove that you ordered a SIM card which was later used to access Tor which in itself is not a crime.
V.
-
This sounds like a good idea although ideally you should also make sure you're not delivering to your home address.
This has been discussed back and forth for months on this forum. Having it delivered to your home address is a small risk compared to having it delivered anywhere else. A lot of community members will tell you that having it delivered to your home address, with your real name (or a similar variant) on it, is the best option. If someone starts asking questions, just say that you have no idea what's inside the package and simply remind them that anyone can send you shit in the mail.
-
This sounds like a good idea although ideally you should also make sure you're not delivering to your home address.
This has been discussed back and forth for months on this forum. Having it delivered to your home address is a small risk compared to having it delivered anywhere else. A lot of community members will tell you that having it delivered to your home address, with your real name (or a similar variant) on it, is the best option. If someone starts asking questions, just say that you have no idea what's inside the package and simply remind them that anyone can send you shit in the mail.
I'd love to see someone trying that defence in court - "Well ANYONE could have sent me drugs in the mail!" :-D
V.
-
This sounds like a good idea although ideally you should also make sure you're not delivering to your home address.
This has been discussed back and forth for months on this forum. Having it delivered to your home address is a small risk compared to having it delivered anywhere else. A lot of community members will tell you that having it delivered to your home address, with your real name (or a similar variant) on it, is the best option. If someone starts asking questions, just say that you have no idea what's inside the package and simply remind them that anyone can send you shit in the mail.
I'd love to see someone trying that defence in court - "Well ANYONE could have sent me drugs in the mail!" :-D
V.
Reasonable doubt .. Yep.
Dunno about anywhere else (like USA) but I do not think it would even make it to court in the UK if a one off small amount was intercepted and you refused all knowledge/didn't sign for it too. Of course you would prob then be flagged and risk future scrutiny which would be a pisser >:(
BUT that's why it is best to not risk going outside UK with your home address and real name. Customs will pull a fair amount of packages no matter how small .. Then you may be flagged .. Within the UK via Royal Mail it's going to be Soooooo unlikely for any well packaged small delivery to be pulled. IMHO
-
This sounds like a good idea although ideally you should also make sure you're not delivering to your home address.
This has been discussed back and forth for months on this forum. Having it delivered to your home address is a small risk compared to having it delivered anywhere else. A lot of community members will tell you that having it delivered to your home address, with your real name (or a similar variant) on it, is the best option. If someone starts asking questions, just say that you have no idea what's inside the package and simply remind them that anyone can send you shit in the mail.
I'd love to see someone trying that defence in court - "Well ANYONE could have sent me drugs in the mail!" :-D
V.
Reasonable doubt .. Yep.
Dunno about anywhere else (like USA) but I do not think it would even make it to court in the UK if a one off small amount was intercepted and you refused all knowledge/didn't sign for it too. Of course you would prob then be flagged and risk future scrutiny which would be a pisser >:(
BUT that's why it is best to not risk going outside UK with your home address and real name. Customs will pull a fair amount of packages no matter how small .. Then you may be flagged .. Within the UK via Royal Mail it's going to be Soooooo unlikely for any well packaged small delivery to be pulled. IMHO
I have a friend of my mother's who specialises in Criminal Law in the UK.
I think I'm going to ask her how many times her firm has had to deal with people receiving drugs in the mail to their home address and have successfully managed to persuade a Jury they were unsolicited. I have a feeling it will be a nice round number. :-)
Of course everyone is free to take their chances but no one will ever find any contraband in my mailbox. Given the nature of what we do on here it's imperative that publicly we're seen to be whiter than white.
V.
-
I've just pinged an e-mail to my mother's friend who no doubt will enlighten us.
In the mean time, I've been reviewing UK law on this matter, a couple of useful links, firstly Crown Prosecution Service Guidelines on Possession of controlled substances as laid out in the Misuse of Drugs Act 1971:
http://www.cps.gov.uk/legal/d_to_g/drug_offences/index.html#a26
As you can see the burden of proof must be both that the accused has :
- Actual physical possession
- Knowledge of an illegal substance.
The CPS guidelines even cite a case R v Warner (1969) which established on appeal that a person cannot be in possession of something of which he is completely unaware. In this case Warner was pulled over by two Police Officers who found two packages, one of which contained scent and the other amphetamines.
Warner tried to claim he believed both packages contained scent when he took possession of them. The Jury was less than convinced and convicted him after deliberating for less than twenty minutes. On appeal, the judgment was reaffirmed by Lord Pearce. (Source: http://bit.ly/IHLGUL)
The above link is an extract from Crime Line - a periodical for criminal defence Solicitors and anyone interested in Criminal Law. The text is a bit involved, so I will just cite the relevant part here:
There is a defence under section 28 Misuse of Drugs Act 1968. If the defendant
can show that, they neither knew nor suspected nor had reason to suspect that the
substance in question was a controlled drug.
There is an evidential burden on the defendant to show that, they neither knew nor
suspected nor had reason to suspect that the substance in question was a controlled
drug. It is then for the prosecution to prove on all of the evidence the guilt of the
accused.
As you can see, if a defence were to be mounted on this basis, the burden of proof would be on the Defendant to show that if drugs were sent to their house, they had no knowledge of its contents.
Lord Pearce however says that since it is possession of a drug that is illegal, this would not be automatic grounds for acquittal:
The Act forbids possession of these drugs.
Whether he possesses them with an innocent or guilty mind or for a laudable or
improper purpose is immaterial since he is not allowed to possess them. If he
possessed them he is guilty. If a man has physical control or possession of a thing that
is sufficient possession under the Act provided that he knows that he has the thing.
But you do not (within the meaning of the Act) possess things of whose existence you
are unaware. The prosecution have here proved that he possessed the parcel, but have
they proved that he possessed its contents also? There is a very strong inference of fact
in any normal case that a man who possesses a parcel also possesses its contents, an
inference on which a jury would in a normal case be justified in finding possession. A
man who accepts possession of a parcel normally accepts possession of the contents.
But that inference can be disproved or shaken by evidence that, although a man was
in possession of a parcel, he was completely mistaken as to its contents and would
not have accepted possession had he known what kind of thing the contents were. A
mistake as to the qualities of the contents, however, does not negative possession.
On the bright side the Police/Customs would have to be aware of the contents of the package too in order for them to be able to attempt to prosecute. The Act also states you must be in actual physical possession of the goods therefore you'd have to accept the package into your home or collect them from the post office depot yourself in order for them to prove both possession and control.
Naturally under law using the address of a third party would also not be a basis for a defence if you're caught but this is much less likely to happen in the first place if you don't use your own address.
V.
-
...i had no idea / can't imagine you needed to register a physical / postal address to use a payg data sim?!
-
...i had no idea / can't imagine you needed to register a physical / postal address to use a payg data sim?!
In the UK at least you can buy them over the counter without giving any details.
V.
-
...my mistake, to have them posted ....which i still wouldn't do...to me that defeats the purpose, might as well get a contract then.
-
...my mistake, to have them posted ....which i still wouldn't do...to me that defeats the purpose, might as well get a contract then.
True I would suggest anyone asking for a free PAYG sim in the post have it sent to a Post Office or third party.
As I mentioned before the point is moot in any case. Even if LEO were monitoring your connection all they would be able to see was that you're using Tor.
There's no reliable way for them to prove you visited the SR in particular.
One of the best and most plausible ways to rebut any suspicion is to operate a Tor relay from your own home to make your own Tor traffic indistinguishable from others - this also expands and speeds up the Tor network. You'll find this as an option under Vidalia - obviously don't try and do this on a 3G connection or you'll get a mammoth bill! :-)
V.
-
- ok, i'd rather pick em up from branches and since customers come and go ....safer
- only have them posted if you're in a flat share and / or communal letterbox - and you can use your imagination here...what to do with them...nudge nudge wink wink