Silk Road forums

Discussion => Security => Topic started by: pharmaid on June 10, 2012, 12:24 am

Title: question about anonymity
Post by: pharmaid on June 10, 2012, 12:24 am
Being new here and having now made several smooth purchases and sales transactions I've just got this  "this is too good to be true" feeling going on. I take impeccable care in making my drops in different boxes in surrounding towns, wear gloves, stealthily disguise my shipments, etc. I know many of you have been doing this for many months and I haven't heard of a single bust via SR.

But here's what I was thinking today. I know how TOR is supposed to work but maybe I don't understand enough about it.  I have made a lot of sales recently and I read on these forums that LE has probably staged themselves as customers and have made purchases in order to gain location intelligence. So let's take this hypothetical scenario:

Suppose I fill an order and ship it out to a buyer who is actually LE. He receives the shipment and sees the post mark on the package revealing the postal facility where it originated which is a small city or a surrounding town of the small city. So therefore LE now knows for sure that someone in that small city region is conducting sales via SR. So now LE goes to the few ISP providers in the small community and asks (with subpoena) which local IP addresses are signed up to and using the TOR system. I would guess that besides me, there aren't many others. But lets say there are 10 others or even 20 others. Now LE has me narrowed down to one of these 10-20 users. I would think that from this point on it would just be a matter of time before mailboxes are monitored and the pinch is made.

Is this theory plausible? Am I being too paranoid? Could LE actually do what I describe here? Does my local ISP know I am using TOR?   Thanks in advance!

Title: Re: question about anonymity
Post by: Marceline on June 10, 2012, 12:32 am
It's very plausible. Look into tor bridges.
Title: Re: question about anonymity
Post by: rednelb1 on June 10, 2012, 04:23 am
As long as the LE pays you!!


You can't sell to a cop IRL without some jail time.

Title: Re: question about anonymity
Post by: kmfkewm on June 10, 2012, 01:02 pm
That is very realistic attack and is why you should be using obfsproxy bridges.
Title: Re: question about anonymity
Post by: vlad1m1r on June 10, 2012, 01:31 pm
That is very realistic attack and is why you should be using obfsproxy bridges.

This would seem to be easier said than done!

I make a habit of requesting the latest bridges each day by e-mail and have been adding them to my version of Vidalia, however these are publicly available Bridges so there's no way of knowing who's running them. I understand that obfsproxy also encrypts the first "hop" of your connection to the bridge which is the most vital.

I see that one user on SR SarahWalker is actually selling a guide on how to get set up with obfsproxy bridge which is appealing as the current implementation of the browser is out of date so it would be good to know how to do it from scratch - however finding a private bridge which supports obfsproxy is another problem altogether. Would appreciate your thoughts.

V.



Title: Re: question about anonymity
Post by: ProfADaemon on June 10, 2012, 02:42 pm
. I know many of you have been doing this for many months and I haven't heard of a single bust via SR.

Um, where do you think all the vendors disappear to constantly?
Title: Re: question about anonymity
Post by: BlueSkyTraders on June 10, 2012, 03:28 pm
That is very realistic attack and is why you should be using obfsproxy bridges.

We've heard that configuring the Tor client to run as a non-exit relay can help. Anyone with specific knowledge reading this and care to enlighten us?

Thanks!
Title: Re: question about anonymity
Post by: Marceline on June 10, 2012, 06:11 pm
That is very realistic attack and is why you should be using obfsproxy bridges.

We've heard that configuring the Tor client to run as a non-exit relay can help. Anyone with specific knowledge reading this and care to enlighten us?

Thanks!
That's how it's configured by default. Bridges are still important, especially for vendors.
Title: Re: question about anonymity
Post by: kmfkewm on June 10, 2012, 07:40 pm
That is very realistic attack and is why you should be using obfsproxy bridges.

This would seem to be easier said than done!

I make a habit of requesting the latest bridges each day by e-mail and have been adding them to my version of Vidalia, however these are publicly available Bridges so there's no way of knowing who's running them. I understand that obfsproxy also encrypts the first "hop" of your connection to the bridge which is the most vital.

I see that one user on SR SarahWalker is actually selling a guide on how to get set up with obfsproxy bridge which is appealing as the current implementation of the browser is out of date so it would be good to know how to do it from scratch - however finding a private bridge which supports obfsproxy is another problem altogether. Would appreciate your thoughts.

V.

You shouldn't be using so many bridges it lessens the purpose of using bridges and it makes you more vulnerable to end to end attacks as you expose yourself to more entry points. You could always configure your own vps to be an obfsproxy bridge, other than that you need to find yourself :D.
Title: Re: question about anonymity
Post by: kmfkewm on June 10, 2012, 07:41 pm
That is very realistic attack and is why you should be using obfsproxy bridges.

We've heard that configuring the Tor client to run as a non-exit relay can help. Anyone with specific knowledge reading this and care to enlighten us?

Thanks!

That makes it even easier for this specific attack to be done against you. Running as a relay hurts your anonymity in other ways also.
Title: Re: question about anonymity
Post by: goturprints on June 11, 2012, 01:54 am
vendor in a small rural area= fucked

vendor in a metropolitan area= keep it switched up constantly!

use a throw away hard drive less netbook (pawn shop 75.00)
run a boot-able operating system, always use a different WIFI connection, use AT different times.


WEAR GLOVES!!

 DONT LICK B4 U STICK
Title: Re: question about anonymity
Post by: soyyo1114873 on June 12, 2012, 04:21 pm
That is very realistic attack and is why you should be using obfsproxy bridges.

This would seem to be easier said than done!

I make a habit of requesting the latest bridges each day by e-mail and have been adding them to my version of Vidalia, however these are publicly available Bridges so there's no way of knowing who's running them. I understand that obfsproxy also encrypts the first "hop" of your connection to the bridge which is the most vital.

I see that one user on SR SarahWalker is actually selling a guide on how to get set up with obfsproxy bridge which is appealing as the current implementation of the browser is out of date so it would be good to know how to do it from scratch - however finding a private bridge which supports obfsproxy is another problem altogether. Would appreciate your thoughts.

V.
There's the Obf version of vidalia. It comes as a bundle with tor and firefox AND the bridges already come preinstalled, if you will. At least it came that way when I tried it.
Title: Re: question about anonymity
Post by: oscarzululondon on June 12, 2012, 04:58 pm
There's the Obf version of vidalia. It comes as a bundle with tor and firefox AND the bridges already come preinstalled, if you will. At least it came that way when I tried it.

Not good. Contains DNS leaks and old insecure versions of Firefox:

https://www.torproject.org/projects/obfsproxy.html.en
Title: Re: question about anonymity
Post by: soyyo1114873 on June 12, 2012, 05:40 pm
There's the Obf version of vidalia. It comes as a bundle with tor and firefox AND the bridges already come preinstalled, if you will. At least it came that way when I tried it.

Not good. Contains DNS leaks and old insecure versions of Firefox:

https://www.torproject.org/projects/obfsproxy.html.en
I have to disagree with you. It comes with the very latest version of Firefox. I know, I'm using it.
Title: Re: question about anonymity
Post by: oscarzululondon on June 13, 2012, 12:19 am
There's the Obf version of vidalia. It comes as a bundle with tor and firefox AND the bridges already come preinstalled, if you will. At least it came that way when I tried it.

Not good. Contains DNS leaks and old insecure versions of Firefox:

https://www.torproject.org/projects/obfsproxy.html.en
I have to disagree with you. It comes with the very latest version of Firefox. I know, I'm using it.

You're not disagreeing with me, you're disagreeing with Tor themselves. It doesn't contain the latest version of Tor's modified Firefox.

Read the link: https://www.torproject.org/projects/obfsproxy.html.en
Title: Re: question about anonymity
Post by: soyyo1114873 on June 13, 2012, 11:27 am
Is 12 the latest bersion? If there's a 13, then you are right.
Title: Re: question about anonymity
Post by: wakannabi on June 14, 2012, 10:40 pm
would running a VPN with TOR make the process safer?
Title: Re: question about anonymity
Post by: soyyo1114873 on June 15, 2012, 12:23 pm
would running a VPN with TOR make the process safer?
That's what I always thought!
Title: Re: question about anonymity
Post by: wakannabi on June 15, 2012, 12:47 pm
some say it will make it better if u know what ur doing some say it will make it worst if you have no idea how to configure and which one to put first in the setup.

Any IT experts around that can give a little help? The security tutorial is very good but in my opinion is limited. we need to expand it further, unfortunately I do not have the knowledge for that.

hope someone can clear the fog
Title: Re: question about anonymity
Post by: bogben on June 15, 2012, 06:44 pm
I am by no means an expert but from what I understand a VPN would be more secure, though the exact level of that security would depend on the vpn, if its your own all is well, if its a commercial one they may well give up your location if LE ask them.
As I understand it SSH tunneling and VPNs are both pretty secure and using either one in conjuction with tor would give an increase in annonimity
Title: Re: question about anonymity
Post by: Moderndayslave on June 15, 2012, 07:28 pm
That is very realistic attack and is why you should be using obfsproxy bridges.

This would seem to be easier said than done!

I make a habit of requesting the latest bridges each day by e-mail and have been adding them to my version of Vidalia, however these are publicly available Bridges so there's no way of knowing who's running them. I understand that obfsproxy also encrypts the first "hop" of your connection to the bridge which is the most vital.

I see that one user on SR SarahWalker is actually selling a guide on how to get set up with obfsproxy bridge which is appealing as the current implementation of the browser is out of date so it would be good to know how to do it from scratch - however finding a private bridge which supports obfsproxy is another problem altogether. Would appreciate your thoughts.

V.

You shouldn't be using so many bridges it lessens the purpose of using bridges and it makes you more vulnerable to end to end attacks as you expose yourself to more entry points. You could always configure your own vps to be an obfsproxy bridge, other than that you need to find yourself :D.

How does one do this?   Might sound noobish but what is vps?
Title: Re: question about anonymity
Post by: dungoof on June 15, 2012, 11:36 pm
Quote from wikipedia:

Quote
Virtual private server (VPS) is a term used by Internet hosting services to refer to a virtual machine. The term is used for emphasizing that the virtual machine, although running in software on the same physical computer as other customers' virtual machines, is in many respects functionally equivalent to a separate physical computer, is dedicated to the individual customer's needs, has the privacy of a separate physical computer, and can be configured to run server software.[Quote\]
Title: Re: question about anonymity
Post by: onlyin2012 on August 25, 2012, 06:39 pm
Also consider doing what you need to do and write it all down first via notepad. 

Logon, copy past, Log off be done with your business, swiftly.  Don't be logged on if you don't need to be.