Silk Road forums
Support => Technical support => Topic started by: mito on June 13, 2012, 04:58 pm
-
Yay or nay?
-
Nay, sorry
-
No way, anyway it's a huge security risk to use Tor from any mobile device. You're much better off using your phone to provide your laptop internet and then use the Tor browser bundle from your laptop, but even then that's pretty risky.
-
No way, anyway it's a huge security risk to use Tor from any mobile device. You're much better off using your phone to provide your laptop internet and then use the Tor browser bundle from your laptop, but even then that's pretty risky.
I remember we were chatting the other day about using Orweb + Orbot on an encrypted Android device, do you think that would be secure? In the UK at least you could use it combined with PAYG 3G which could increase your anonymity, what do you think?
V.
-
No way, anyway it's a huge security risk to use Tor from any mobile device. You're much better off using your phone to provide your laptop internet and then use the Tor browser bundle from your laptop, but even then that's pretty risky.
I remember we were chatting the other day about using Orweb + Orbot on an encrypted Android device, do you think that would be secure? In the UK at least you could use it combined with PAYG 3G which could increase your anonymity, what do you think?
V.
That's pretty secure vlad, just make sure the Android device is clean and can't be traced back to you, such as you've never used your own personal SIM in it for example which can be easily used to trace you. Since you're using the Tor browser you don't have to worry about script attacks which is nice too.
Also with the android encryption, you need to choose a long passphrase (over 20 characters) for it to be any good. Over 20 characters and you're phones impenetrable. I know it might seem like a bitch to type in every time you start the phone up, but it's not that bad, and you can still keep your screen unlock code as something sweet and simple.
Make sure you have USB debugging disabled too.
Obviously disable all GPS signals and don't have google account set to sync.
Obviously disable WIFI and NEVER EVER turn it on. If you plan to do your illegal activities through 3G, fine, but as soon as you even smell a wireless network, not even connect, just smell, you're exact position can be worked out instantly.
The worse that could happen to you from a security perspective is that your 3G provider would know you were accessing Tor and would be able to triangulate your position to about 40 square meters. I don't see how the fact you were on Tor or your approximate location could be used against you though.
-
No way, anyway it's a huge security risk to use Tor from any mobile device. You're much better off using your phone to provide your laptop internet and then use the Tor browser bundle from your laptop, but even then that's pretty risky.
I remember we were chatting the other day about using Orweb + Orbot on an encrypted Android device, do you think that would be secure? In the UK at least you could use it combined with PAYG 3G which could increase your anonymity, what do you think?
V.
That's pretty secure vlad, just make sure the Android device is clean and can't be traced back to you, such as you've never used your own personal SIM in it for example which can be easily used to trace you. Since you're using the Tor browser you don't have to worry about script attacks which is nice too.
Also with the android encryption, you need to choose a long passphrase (over 20 characters) for it to be any good. Over 20 characters and you're phones impenetrable. I know it might seem like a bitch to type in every time you start the phone up, but it's not that bad, and you can still keep your screen unlock code as something sweet and simple.
Make sure you have USB debugging disabled too.
Obviously disable all GPS signals and don't have google account set to sync.
Obviously disable WIFI and NEVER EVER turn it on. If you plan to do your illegal activities through 3G, fine, but as soon as you even smell a wireless network, not even connect, just smell, you're exact position can be worked out instantly.
The worse that could happen to you from a security perspective is that your 3G provider would know you were accessing Tor and would be able to triangulate your position to about 40 square meters. I don't see how the fact you were on Tor or your approximate location could be used against you though.
Two things:
I'm pretty sure mobile phone tracking is within 10 square feet now.
And, i'm pretty sure that android phone encryption is not quite like TrueCrypt i'm 90% sure the android encryption system you are talking about has a backdoor which the fbi can use.
-
I'm pretty sure mobile phone tracking is within 10 square feet now.
It depends where you live and the number of cell phone towers you have around you, as obviously the further the distance away from the cell phone towers are away from each other the less accurate the triangulation of your position will be, which is basic trigonometry. For example in the rural UK, it's quite inaccurate, for me it's 40 meters (there's an app you can get which tells you).
And, i'm pretty sure that android phone encryption is not quite like TrueCrypt i'm 90% sure the android encryption system you are talking about has a backdoor which the fbi can use.
No the Android encryption is actually better than TrueCrypt. Truecrypt does have law enforcement back doors and other means of breaking it, although they require lots of effort.
I think what you're referring to, is that most Android users are dumb enough to use their 4 digit screen unlock pin as the phone hard drive encryption password, which is completely pointless and can be brute forced in seconds, every police station in the UK now has a machine to do this and rip all the data, and it does that to iPhones, Blackberry's, Nokia etc too.
You need to choose a complex password of over 20 characters (letters, numbers & symbols) which the machine won't be able to brute force, as this is the only form of attack. Yes it's a bitch to type in every time you start up your phone, but it's not that hard and you don't restart your phone that often. You can still have a simple 4 digit unlock pin, it's just for decrypting your phone when you initially turn it on.
On a funny note, I read an article on the BBC site recently that says that there's a big time drug dealer who got caught a few years ago in the UK and sentenced to the mandatory year in prison for not revealing his laptop True Crypt encryption password to the police when they requested it (idiot should have used hidden containers and a hidden OS), anyway he's been released now, but the police are STILL trying to brute force the password to this day, just incase they get lucky.
-
Neither system should have these supposed backdoors lol. That's just paranoia. If Android is using LUKS, its pretty safe to say its like a bloody fortress with a decent password ;D. Even so it could be using the standard Linux encryption (I forget what its called) But that's usually enough to scare off law enforcement.
-
No the Android encryption is actually better than TrueCrypt. Truecrypt does have law enforcement back doors and other means of breaking it, although they require lots of effort.
bzzt, wrong, just like everything else you say. since truecrypt is open source why don't you show me where these backdoors are?
You can't compromise the kernel on the fly with Android and steal the encryption keys from the clipboard however with an OS such as any version of Winfail running Truecrypt this is childs play.
OK so it may be impossible to break into a laptop using TrueCrypt (assuming they used Blowfish-AES with a good password) which is off, but there's nothing stopping the police from cracking your wifi (yes even WPA using reaver), waiting outside your house for a day until you turn your computer on (which you will eventually, that's the whole point of having it), compromising your computer, stealing your TrueCrypt encryption keys and then raiding you.
For serious investigations such as FBI level investigations this is day to day activity, nothing special.
You can't do this to an Android phone.