Silk Road forums

Discussion => Security => Topic started by: infinitian on June 03, 2012, 06:54 am

Title: security experts, please advise
Post by: infinitian on June 03, 2012, 06:54 am
I'm a noob to SR; glad to be here!

I purchased a flash drive today exclusively for use with SR, and I was initially going to pay cash. After looking at some other things in the store, I eventually forgot and checked out using a credit card. By the time I realized it, I had already shredded the packaging. I'm just wondering, for whatever reason, if my name and credit card can be traced back to this flash drive. Do these things have some type of unique serial number associated with a UPC, or something?

Perhaps I'm being too paranoid...
Title: Re: security experts, please advise
Post by: nightclubdwight on June 03, 2012, 07:09 am
i'm not exactly a security expert but uhhhh... no way man, "they" could never catch you with something like that-- and they aren't looking for you anyway!

a healthy sense of paranoia is always a good thing when dealing with these kinds of things though...
Title: Re: security experts, please advise
Post by: vlad1m1r on June 03, 2012, 08:56 am
Perhaps I'm being too paranoid...

In this case yes, but there's nothing like some healthy paranoia to keep you on your toes!

I would suggest you use the Truecrypt program to encrypt all data on the drive before installing your Tor Browser and GPG software there. If you need any help getting set up with this, please feel free to ask.

All the best,

V.
Title: Re: security experts, please advise
Post by: MrVidalia on June 03, 2012, 10:24 am
If serial numbers are logged and they trace the complete supply chain (how they know what store) and you pay in cash in a major store, there are many cameras.

Maybe someone cares who has it and what data is in it, so why would anyone care where the disk was sold? If you just shop at the store, OK, but maybe if it is serious like Ocean's 11, just put your mascot photo on it and get a new disk at a flea market.
Title: Re: security experts, please advise
Post by: oscarzululondon on June 03, 2012, 12:01 pm
No, the memory stick can't directly be traced back to your card purchase; however, if the police really wanted to get you they could look at your credit card statement, see where you bought stuff, see you purchased something from, for example, APPLE WORLD for $29.00, then go to APPLE WORLD and ask them what was bought using that card number, whereby they would be told the model of memory stick you have, although not its exact serial number.

This might sound unrealistic but I know a few people this has happened to, although not with memory sticks but with laptops.

As vlad1m1r wrote you should encrypt your memory stick, Truecrypt is the easiest option although not the best and not 100% secure as it has had law enforcement back doors for about 4 years now. I'm writing a simple guide for the better encryption methods currently and will be publishing it here later this week.
Title: Re: security experts, please advise
Post by: vlad1m1r on June 03, 2012, 02:54 pm
As vlad1m1r wrote you should encrypt your memory stick, Truecrypt is the easiest option although not the best and not 100% secure as it has had law enforcement back doors for about 4 years now. I'm writing a simple guide for the better encryption methods currently and will be publishing it here later this week.

Oscarzululondon,

While I commend your enthusiasm for encryption and agree Truecrypt is vulnerable to cold boot attacks and bruteforcing as with any other encryption software, why do you say it has law enforcement back doors?

The software's open source (http://www.truecrypt.org/downloads2) - I admit my knowledge of C is very limited but I couldn't find any back doors in the source code when I had a peek.

Are you sure about this? I've not heard anything about this before.

I've taken a quick gander on a few privacy related websites and can't seem to see any cause for worry:

http://www.anti-forensics.com/full-disk-encryption-with-truecrypt-on-windows-xp
http://www.privacy-cd.org/downloads/truecrypt_7.0a-analysis-en.pdf

The beauty of open source software is it can be reviewed. The above analysis of Truecrypt 7 didn't find any backdoors.

The Truecrypt FAQ also says there is no backdoor (well they would say that wouldn't they?! :-D ) but they do link to an article about the Brazilian government and the FBI US being unable to break their encryption:

http://www.webcitation.org/query?url=g1.globo.com/English/noticia/2010/06/not-even-fbi-can-de-crypt-files-daniel-dantas.html
http://news.techworld.com/security/3228701/fbi-hackers-fail-to-crack-truecrypt/

In Southampton where I used to live several drug dealers were arrested last week whose machines were encrypted with Truecrypt but so far the Police have had no joy in breaking the encryption on them. Of course in the UK they can resort to RIPA to force people to hand passwords over so it's a bit of a moot point!

V.
Title: Re: security experts, please advise
Post by: infinitian on June 03, 2012, 10:16 pm
Cool, thanks everybody for your input. I knew there were talented computer people out there, but I had no idea you had to go through this much just to protect yourself. I still have a lot of research to do.
Title: Re: security experts, please advise
Post by: wakannabi on June 12, 2012, 04:13 pm
As vlad1m1r wrote you should encrypt your memory stick, Truecrypt is the easiest option although not the best and not 100% secure as it has had law enforcement back doors for about 4 years now. I'm writing a simple guide for the better encryption methods currently and will be publishing it here later this week.

Where is the source of truecrypt backdoor? I would love to see it proved since that would mean not advising its use anymore.

What safe alternatives do we have?

PGP by SYMANTEC?  :-\
Title: Re: security experts, please advise
Post by: MarsProtege on June 15, 2012, 04:00 am
So what is the safest way to buy bulk?
Title: Re: security experts, please advise
Post by: Delta11 on June 15, 2012, 08:58 am
So what is the safest way to buy bulk?
Two forms of fake identification and a 24/7 PO box. Wait a week after your package arrives and then go pick up at random hours, LE will most likely not stake your PO box for more than a week unless they're dying to get you which I doubt. Remember, anything LE does costs money, money they don't have.