Silk Road forums
Discussion => Security => Topic started by: GreenGiant on May 10, 2012, 10:36 pm
-
OK so i was just having a browse on SR and noticed this section for the first time, then i checked out one of the listings
http://silkroadvb5piz3r.onion/silkroad/item/71ce6c1c96
Yubikeys are currently being beta tested on Silk Road, you will need one Yubikey for each account you wish to secure.
What does this exactly mean? Are these going to be mandatory?
-
Yeah I saw those, any idea what they are?
-
It is a USB security device, I believe they are used to access accounts and make payments etc.
As as vendor I do not really want one laying around my place or on my keychain and I don't want to order one from SR for sure.
-
It is a USB security device, I believe they are used to access accounts and make payments etc.
As as vendor I do not really want one laying around my place or on my keychain and I don't want to order one from SR for sure.
Yeah...fuck that for a game of soldiers. Sound like a sure-fire way to get fucked if bad things happen. Who is selling them again?
-
I noticed this a while back and asked in the forums. Shasta said they were beta-testing it for S.R. I did not get the impression it would be mandatory...
Personally I will use one but I really dig two-token authentication to rule out keyloggers.
Which brings up a point now that I think about it.. would use of a Yubikey make a keylogger useless in accessing another's SR account? Techie people?
-
I'd rather use a key scrambler
-
I noticed this a while back and asked in the forums. Shasta said they were beta-testing it for S.R. I did not get the impression it would be mandatory...
Personally I will use one but I really dig two-token authentication to rule out keyloggers.
Which brings up a point now that I think about it.. would use of a Yubikey make a keylogger useless in accessing another's SR account? Techie people?
Hmm now you say that it does look tempting. It seems like it's basically a toss up of being able to shove the Yubikey up your ass when the storm troopers come through the door (if they do) and having your account protected against keyloggers... decisions decisions.... :-\
-
Hmm now you say that it does look tempting. It seems like it's basically a toss up of being able to shove the Yubikey up your ass when the storm troopers come through the door (if they do) and having your account protected against keyloggers... decisions decisions.... :-\
But that's my Yubiky for Mt. Gox officer.. I don't know why it isn't working on there anymore.. maybe your uniformed goons hurt the insides of it ripping it off my neckchain?
-
I'd rather use a key scrambler
Link or explanation please? Educate me!
-
Hmm now you say that it does look tempting. It seems like it's basically a toss up of being able to shove the Yubikey up your ass when the storm troopers come through the door (if they do) and having your account protected against keyloggers... decisions decisions.... :-\
But that's my Yubiky for Mt. Gox officer.. I don't know why it isn't working on there anymore.. maybe your uniformed goons hurt the insides of it ripping it off my neckchain?
Haha yeah pretty much.
And yeah, what is a key scrambler? Curious George here.
-
well I use to have a program called keyscrambler(does what it says on the tin)
It did have a firefox plugin, but it is no longer available. If you buy the full version from the developer itcovers your whole system i think.
Or just use a virtual keyboard(provided by windows or a third party program like kaspersky)
CLEARNET WARNING
http://www.qfxsoftware.com/index.html
-
firefox virtual keyboard addon - https://addons.mozilla.org/en-US/firefox/addon/keylogger-beater/?src=search
-
A virtual keyboard is not a "hack proof" way of keeping your keystrokes hidden.
The real benefit of using a token is that it's 'two factor authentication'
in other words, something you know (your pin) and something you have (token)
search wikipedia.org for "security token"
They are impervious to a keylogger attack vector as ever 30-60 seconds the token regenerates a new sequence of numbers (the same sequence is also being generated by the software on the authentication server)
It gets haairy though... Some improperly configured auth servers might allow the same token code to be used twice (man in the middle)
And if you are able to somehow compromise the unique seed files that the auth server uses to generate the new strings(see: like when RSA got owned)... game over.
-
Interesting stuff, I still Don't think I'll be getting one.
How are people getting their passwords hacked/phissed anyways?
Edit:that whole USD(not sure if that is the vendors name, i tend to live in my own little bubble) situation is a prime example
-
Personally i run SR on an encrypted windows 7 virtual machine hosted on a ubuntu encrypted LVM. Windows is encrypted with truecrypt, basically you have to type 4 strong password to be able to access the windows VM. If you steal my laptop, i say good chance to you to find anything useful because i do a secure erase of the HDD before installing the encrypted ubuntu system. Oh yeah, the \home folder is encrypted too ;) it's my everyday job to secure computers and i highly recommend Microsoft Baseline Security Analyser 2.2 for newbies that want to scan their windows system for security, this is a "basic" tool but if you want insane security microsoft have a pdf called: Threats and Countermeasures Guide: Security Settings in Windows 7 and Windows Server 2008 R2 (387 pages of tips on how to secure systems).
-
I noticed this a while back and asked in the forums. Shasta said they were beta-testing it for S.R. I did not get the impression it would be mandatory...
Personally I will use one but I really dig two-token authentication to rule out keyloggers.
Which brings up a point now that I think about it.. would use of a Yubikey make a keylogger useless in accessing another's SR account? Techie people?
Yes, pretty close to useless.
It's like the initial SR page says, you can't defend so easily against brute force password guessing attacks on people's accounts because of the anonymous nature of the service.
But with two factor authentication that attack becomes pointless.
With respect to another attack vector: keyloggers, the answer is similar.
A keylogger could obtain your user login, but because of the Yubikey's one time password this only works once, for during your current login session with the Silk Road. After that window is closed it's useless, a replay attack is impossible. It is also highly non-trivial in most cases to impersonate or piggyback onto somebody else's session. Again, man in the middle attacks are still possible, just not very likely.
Note: keyloggers cover a wide variety of technologies with different levels of sophistication, they don't just collect keystrokes, they can also take screenshots, analyze your copy/paste clipboard, use OCR to sniff out characters etc.
--
I know people are worried about the concept of having a Yubikey hanging around the place. Seems like solid evidence that you're a SR user. However, this doesn't necessarily have to be the case, it depends on the implementation. It could be done properly without diminishing any anonymity. I'm pretty sure it's possible to order generic aids to generate one time passwords on the clearweb. Then you might just need to sync them. I'm not 100% certain how it works in practice, but yes it's very possible, there's any number of ways to do it.
-
I noticed this a while back and asked in the forums. Shasta said they were beta-testing it for S.R. I did not get the impression it would be mandatory...
Personally I will use one but I really dig two-token authentication to rule out keyloggers.
Which brings up a point now that I think about it.. would use of a Yubikey make a keylogger useless in accessing another's SR account? Techie people?
Hmm now you say that it does look tempting. It seems like it's basically a toss up of being able to shove the Yubikey up your ass when the storm troopers come through the door (if they do) and having your account protected against keyloggers... decisions decisions.... :-\
They can be made to be very tiny card-like devices, like MicroSDs. Your device for accessing SR, storing incriminating information and a device for generating one time passwords can all literally the same thickness and size as your thumbnail. Also: all of those things are amazing cheap, like $20 the lot.
-- Pine Insurance, protecting your ass since early 2012.
-
I noticed this a while back and asked in the forums. Shasta said they were beta-testing it for S.R. I did not get the impression it would be mandatory...
Personally I will use one but I really dig two-token authentication to rule out keyloggers.
Which brings up a point now that I think about it.. would use of a Yubikey make a keylogger useless in accessing another's SR account? Techie people?
Hmmmm interesting stuff Pine. Can you shoot me some links for them?
Hmm now you say that it does look tempting. It seems like it's basically a toss up of being able to shove the Yubikey up your ass when the storm troopers come through the door (if they do) and having your account protected against keyloggers... decisions decisions.... :-\
They can be made to be very tiny card-like devices, like MicroSDs. Your device for accessing SR, storing incriminating information and a device for generating one time passwords can all literally the same thickness and size as your thumbnail. Also: all of those things are amazing cheap, like $20 the lot.
-- Pine Insurance, protecting your ass since early 2012.
-
I just keep everything on a hidden truecrypt partition on a USB. Due to UK laws regarding with holding passwords i would not want a Yubikey containing any details to do with SR in my possession.
-
I just keep everything on a hidden truecrypt partition on a USB. Due to UK laws regarding with holding passwords i would not want a Yubikey containing any details to do with SR in my possession.
Are you in the U.K too GG? What are the U.K laws on with-holding passwords?
-
Hmmmm interesting stuff Pine. Can you shoot me some links for them?
They can be made to be very tiny card-like devices, like MicroSDs. Your device for accessing SR, storing incriminating information and a device for generating one time passwords can all literally the same thickness and size as your thumbnail. Also: all of those things are amazing cheap, like $20 the lot.
-- Pine Insurance, protecting your ass since early 2012.
If you were referring to the above, then if you google MicroSD (I think they are even 32GB these days) and mini OTP token you should find what you're looking for.
-
Thanks much! :)
-
I just keep everything on a hidden truecrypt partition on a USB. Due to UK laws regarding with holding passwords i would not want a Yubikey containing any details to do with SR in my possession.
Are you in the U.K too GG? What are the U.K laws on with-holding passwords?
Yeah Limetless I am UK based, one of the older UK vendors i would say.
CLEARNET WARNING
http://www.tomsguide.com/us/password-uk-law-encryption-porn,news-8239.html
that is a story of a 19year old boy in a child porn case, the police could not hack his encryption, so they just banged him up for not revealing his passwords. Pretty sure you can be charged as a terrorist instead, In this boys situation i know which charge i would rather have.
If the police came knocking at my door i would rather stick with my hidden partition, which i can reveal the password for the None hidden partition avoiding a unnecessary charge for not disclosing my yubikey password.
edit: I know hidden partition does nothing to protect against keyloggers, but i would rather take my chances with the hackers than being found with physical evidence.
-
Thanks GreenGiant,
Yes sad to say here in the UK we're at the mercy of RIPA (Regulation of Investigatory Powers Act) which was brought in around 12 years ago and requires that a person provide a "key" on request to make encrypted data legible or face conviction and imprisonment of up to two years.
I don't know if this has already been touched on but a key in this sense could be a password, or keyfile on a disk. Some people have even tried to circumvent the problem by having a third party encode their data but obviously RIPA would apply to them too.
As the article rightly states this may be preferable to revealing what is on the computer but the problem can easily be circumvented as GreenGiant rightly says through use of plausible denaibility in encryption - this is very easy to implement with a Truecrypt container.
To my knowledge the legislation has only been invoked twice, where a suspect has actually been convicted. In terms of the Human Rights Act I do think they're on fairly dodgy ground as it erodes the right to silence but don't imagine your case will get as far as the ECHR if you're in this situation!
They Yubikey is a great tool for providing an additional layer of security but obviously should be used in combination with a strong password/keyfiles.
Thanks,
V.
I just keep everything on a hidden truecrypt partition on a USB. Due to UK laws regarding with holding passwords i would not want a Yubikey containing any details to do with SR in my possession.
Are you in the U.K too GG? What are the U.K laws on with-holding passwords?
Yeah Limetless I am UK based, one of the older UK vendors i would say.
CLEARNET WARNING
http://www.tomsguide.com/us/password-uk-law-encryption-porn,news-8239.html
that is a story of a 19year old boy in a child porn case, the police could not hack his encryption, so they just banged him up for not revealing his passwords. Pretty sure you can be charged as a terrorist instead, In this boys situation i know which charge i would rather have.
If the police came knocking at my door i would rather stick with my hidden partition, which i can reveal the password for the None hidden partition avoiding a unnecessary charge for not disclosing my yubikey password.
edit: I know hidden partition does nothing to protect against keyloggers, but i would rather take my chances with the hackers than being found with physical evidence.
-
What if Law Enforcement made these to track all of us?
-
What if Law Enforcement made these to track all of us?
I doubt it would do them much good - the private keys are encrypted with a personalised password and can also be used to create your own static keys if you want to encrypt your hard disk with Truecrypt.
That said, if LE managed to get their hands on your key this would hugely reduce your privacy. They might be useful as a blind i.e if you live in a country like the UK you could use them to encrypt some dummy data, let LE find the key and clap themselves on the back as they crack open your porn collection/personal bank account details.
V.