Silk Road forums

Discussion => Security => Topic started by: 96z28dude on May 19, 2012, 11:36 pm

Title: Who on SR orders from their home computer?
Post by: 96z28dude on May 19, 2012, 11:36 pm
Hello everyone, I am currently in the process of making my e-mail with a fake name and setting up bitcoin etc. I was just curious as to who on SR actually takes the time to go to the library or some other location to order their goods? Or do some of you order from the comfort of your home? I'm just curious  ;D Please comment whether you order from home or wherever and what country you're located in.

Like this
Order from - home (or library or wherever)
Location - USA (or Europe or wherever)
Title: Re: Who on SR orders from their home computer?
Post by: vlad1m1r on May 20, 2012, 12:04 am
Welcome to SR!

Provided you've encrypted the drive on which your Tor browser is based there's not much harm in accessing SR from your home. Your ISP will be able to detect Torified data packets but they'll be encrypted. If you can do without that publicity I'd suggest you jack into your neighbour's Wifi or pop into the library but I think that's riskier.

As it says on the Tor Project site, the best thing to do is adopt a social approach and make sure that your friends and people near you are also using Tor. Another way of hugely increasing your plausible deniability is configuring the settings in your version of Vidalia so that you operate a Tor exit relay - this will mean other users' data will pass through your machine, making it virtually indistinguishable from your own.

V.

Quote
Hello everyone, I am currently in the process of making my e-mail with a fake name and setting up bitcoin etc. I was just curious as to who on SR actually takes the time to go to the library or some other location to order their goods? Or do some of you order from the comfort of your home? I'm just curious  ;D Please comment whether you order from home or wherever and what country you're located in.

Like this
Order from - home (or library or wherever)
Location - USA (or Europe or wherever)
Title: Re: Who on SR orders from their home computer?
Post by: kmfkewm on May 20, 2012, 12:55 am
running as an exit is a great way to get busted for drug trafficking after you are raided on suspicion of downloading child porn or sending bomb threats

The Tor Project explicitly suggests against running as an exit if you have anything incriminating on your PC, because it might be seized.
Title: Re: Who on SR orders from their home computer?
Post by: vlad1m1r on May 20, 2012, 01:20 am
But. If. Your. Hard. Disk. Is. Encrypted...

V.

Quote
running as an exit is a great way to get busted for drug trafficking after you are raided on suspicion of downloading child porn or sending bomb threats

The Tor Project explicitly suggests against running as an exit if you have anything incriminating on your PC, because it might be seized.
Title: Re: Who on SR orders from their home computer?
Post by: sl1pknot on May 20, 2012, 01:33 am
Quote
But. If. Your. Hard. Disk. Is. Encrypted...

V.

running as an exit is a great way to get busted for drug trafficking after you are raided on suspicion of downloading child porn or sending bomb threats

The Tor Project explicitly suggests against running as an exit if you have anything incriminating on your PC, because it might be seized.

This makes sense to me but why run as an exit if you're already encrypted? Does running as an exit stand out to your ISP? Seems unwanted attention...

I also inboxed you, Vlad.
Title: Re: Who on SR orders from their home computer?
Post by: wretched on May 20, 2012, 01:34 am
if.you.are.raided.while.your.encrypted.drive.is.mounted.doesn't.matter.if.it.is.encrypted.or.not.

do not run as an exit relay if you have anything illegal stored.
Title: Re: Who on SR orders from their home computer?
Post by: vlad1m1r on May 20, 2012, 01:41 am
Has the world gone mad? Am I really having to extol the virtues of encrypting your hard disk drive to someone who's ostensibly reached "Hero" status on these forums?

Of course there's a risk that your HDD can be accessed while encrypted if it's mounted - that's probably why you'd only mount it while you're there and gosh I don't know, lock your screen when you're away from the keyboard for a few moments?


V.

Quote
if.you.are.raided.while.your.encrypted.drive.is.mounted.doesn't.matter.if.it.is.encrypted.or.not.

do not run as an exit relay if you have anything illegal stored.
Title: Re: Who on SR orders from their home computer?
Post by: ILoveLamp on May 20, 2012, 01:44 am
Running as an exit is an awesome way to lose your box and get thrown in jail and held for contempt because you refuse to divulge the key to decrypt your hard drive that they've watched a gigabyte of child porn transfer to. Seriously, unless you are VPNing into a throwaway box that you stashed somewhere in a public place with free wifi you better not be running an exit relay.
Title: Re: Who on SR orders from their home computer?
Post by: vlad1m1r on May 20, 2012, 01:46 am
Do you really love the lamp, or are you just saying it because you saw it? :-D

Quote
Running as an exit is an awesome way to lose your box and get thrown in jail and held for contempt because you refuse to divulge the key to decrypt your hard drive that they've watched a gigabyte of child porn transfer to. Seriously, unless you are VPNing into a throwaway box that you stashed somewhere in a public place with free wifi you better not be running an exit relay.
Title: Re: Who on SR orders from their home computer?
Post by: wretched on May 20, 2012, 01:48 am
but also, why would you want to run an exit relay if you ARE doing something illegal, running an EXIT relay increases your chances of being investigated for anything that might have happened from your exit node, so why invite terrorism investigations, child porn investigations, assassination plot investigations etc into your home? if you run an exit relay, anyone could be using Tor for clearnet communications through YOUR exit relay, and that brings unwanted attention, so encrypt your hd, YES, run an exit relay...NO (at least not from a machine that also contains incriminating evidence that could be used against you).  the encryption thing was not the point of my post, the exit relay being a stupid choice while doing illegal activity was the point.
Title: Re: Who on SR orders from their home computer?
Post by: vlad1m1r on May 20, 2012, 01:54 am
I think the point is it's security through obscurity - yes of course someone downloading CP could be traced to your IP address, it actually happened in London to a man I knew but the conversation with the Police lasted less than five minutes :

"I run an Apache Home Server running a Tor exit relay Officer, here take a look. "

"Thank you Sir, have a good day."

The Police understand the implications of running an exit relay as well as we do. It may well be the case that someone does something nefarious via your IP, the point is it won't be possible to single you out for LEO's attentions on that basis.

By way of compromise it's also possible to run a Tor non exit relay....!

V.

Quote
but also, why would you want to run an exit relay if you ARE doing something illegal, running an EXIT relay increases your chances of being investigated for anything that might have happened from your exit node, so why invite terrorism investigations, child porn investigations, assassination plot investigations etc into your home? if you run an exit relay, anyone could be using Tor for clearnet communications through YOUR exit relay, and that brings unwanted attention, so encrypt your hd, YES, run an exit relay...NO (at least not from a machine that also contains incriminating evidence that could be used against you).  the encryption thing was not the point of my post, the exit relay being a stupid choice while doing illegal activity was the point.
Title: Re: Who on SR orders from their home computer?
Post by: wretched on May 20, 2012, 02:01 am
Quote
I think the point is it's security through obscurity - yes of course someone downloading CP could be traced to your IP address, it actually happened in London to a man I knew but the conversation with the Police lasted less than five minutes :

"I run an Apache Home Server running a Tor exit relay Officer, here take a look. "

"Thank you Sir, have a good day."

The Police understand the implications of running an exit relay as well as we do. It may well be the case that someone does something nefarious via your IP, the point is it won't be possible to single you out for LEO's attentions on that basis.


If you don't mind having that chat to begin with


Quote
By way of compromise it's also possible to run a Tor non exit relay....!

If you don't want the chat with the pigs at all

Title: Re: Who on SR orders from their home computer?
Post by: kmfkewm on May 20, 2012, 02:47 am
Quote
But. If. Your. Hard. Disk. Is. Encrypted...

V.

running as an exit is a great way to get busted for drug trafficking after you are raided on suspicion of downloading child porn or sending bomb threats

The Tor Project explicitly suggests against running as an exit if you have anything incriminating on your PC, because it might be seized.

Let me know when you find a way to encrypt your stash of drugs so the police who raid you over CP going through your exit node can't find it.
Title: Re: Who on SR orders from their home computer?
Post by: kmfkewm on May 20, 2012, 02:51 am
Quote
Has the world gone mad? Am I really having to extol the virtues of encrypting your hard disk drive to someone who's ostensibly reached "Hero" status on these forums?

Of course there's a risk that your HDD can be accessed while encrypted if it's mounted - that's probably why you'd only mount it while you're there and gosh I don't know, lock your screen when you're away from the keyboard for a few moments?


V.

if.you.are.raided.while.your.encrypted.drive.is.mounted.doesn't.matter.if.it.is.encrypted.or.not.

do not run as an exit relay if you have anything illegal stored.

Locking screen doesn't prevent pigs from getting FDE encryption keys. Running Tor exit is great. But I suggest not doing it unless

A. You are a University
B. You are the EFF or have good lawyers on your team
C. You are some other organization

failing the above three

D. You have absolutely nothing illegal on your PC, and do not have anything illegal in your home
E. You run it off of a server in a data center that can not be traced back to you

too many people have been raided due to what their exit node was seen doing, it just is not worth it to run an exit if you do illegal shit that will be discovered during a raid.
Title: Re: Who on SR orders from their home computer?
Post by: kmfkewm on May 20, 2012, 03:02 am
Quote
I think the point is it's security through obscurity - yes of course someone downloading CP could be traced to your IP address, it actually happened in London to a man I knew but the conversation with the Police lasted less than five minutes :

"I run an Apache Home Server running a Tor exit relay Officer, here take a look. "

"Thank you Sir, have a good day."

The Police understand the implications of running an exit relay as well as we do. It may well be the case that someone does something nefarious via your IP, the point is it won't be possible to single you out for LEO's attentions on that basis.

By way of compromise it's also possible to run a Tor non exit relay....!

V.

but also, why would you want to run an exit relay if you ARE doing something illegal, running an EXIT relay increases your chances of being investigated for anything that might have happened from your exit node, so why invite terrorism investigations, child porn investigations, assassination plot investigations etc into your home? if you run an exit relay, anyone could be using Tor for clearnet communications through YOUR exit relay, and that brings unwanted attention, so encrypt your hd, YES, run an exit relay...NO (at least not from a machine that also contains incriminating evidence that could be used against you).  the encryption thing was not the point of my post, the exit relay being a stupid choice while doing illegal activity was the point.

Just fyi, security through obscurity is a derogatory term in most security circles. You want to have security through correctness, security in depth, security via strong cryptographic primitives, security by whatever, but security through obscurity is not something to aim for at all. Unless you are Microsoft and don't want to reveal your source code while still pretending that you are increasing security by keeping it secret :P.

Secondly, running as an exit is bad because you might be raided over it, but running as a relay decreases your anonymity significantly as well and should also be avoided.

if you want to contribute to Tor, buy a VPS and run it as an exit or relay. I would avoid running as an exit or relay on a computer on a network that I use for anything I want to remain anonymized, and I would certainly avoid running an exit if I didn't want to chance being raided over someone else's bullshit. In some cases LE ignore Tor exit IPs entirely because they know they can't trace them and don't want to harass the exit node operator, in other cases they kick in the door and haul your ass off to jail on CP charges and it takes a few days to sort things out plus they keep your PC for a long time for evidence, in some cases people have even been raided by CIA type agencies (not in USA so not actually CIA). Police forces of the world are widely different in their understanding of Tor and their standard procedures, do you want to risk that the police agency that saw your Tor exit's IP downloading CP + your own local police force have no fucking clue about Tor? If they are not checking Tor exit lists and filtering those off of the lists of IPs they see downloading CP, you will be treated as anyone else who they suspect of downloading CP or sending bomb threats or whatever, and that means you could wake up with a bunch of thugs pointing guns at your face and ripping your house apart.
Title: Re: Who on SR orders from their home computer?
Post by: vlad1m1r on May 20, 2012, 11:28 am
I don't do drugs or keep any contraband at my home address  - I've tried to suggest this on here but given that it's mainly drug users perhaps this is a bit optimistic. I suppose you could just consume your entire stash as soon as it arrives in the mail, what do you reckon?

V.

Quote
But. If. Your. Hard. Disk. Is. Encrypted...

V.

running as an exit is a great way to get busted for drug trafficking after you are raided on suspicion of downloading child porn or sending bomb threats

The Tor Project explicitly suggests against running as an exit if you have anything incriminating on your PC, because it might be seized.

Let me know when you find a way to encrypt your stash of drugs so the police who raid you over CP going through your exit node can't find it.
Title: Re: Who on SR orders from their home computer?
Post by: tarp on May 20, 2012, 12:03 pm
All this talk about exit relays. Why?  As Vlad implied [impaled :) ], you can run a middleman relay, thereby adding to the obfuscation of the connection you are using.

Furthermore, Tor can be modified to use only specific relays, or relays from specific geographic regions. Hell, it can even be tweaked to utilize more or less than the standard three hops, if you are so inclined.

Your number one weapon is common sense. Don't shoot off your mouth, ensure that communication from public hotspots is done discreetly, use a VM on your PC at home, run regular wipes of temp, cached files and free space.

Greets, from a long time lurker and first time poster.

:)
Title: Re: Who on SR orders from their home computer?
Post by: vlad1m1r on May 20, 2012, 01:58 pm
Welcome tarp and thanks for your message!

I take kmfkewm's point that doing so could end up being counterproductive as it might attract the attention of LEO to your IP address in the first place whereas previously they may not have taken any interest in you. Having said that Tor packets are unmistakeable so if they did analyse your traffic for any reason they'd know you had a Torified connection although admittedly it would be difficult through fingerprinting of this kind alone to prove you'd accessed a specific hidden service such as Silk Road.

As for the VM, as I said at some length on another thread, I would strongly recommend using full disk encryption on your computer, even if you have a virtual machine installed.

To answer the OP's question, although I access SR from both my home and the office, I would be of two minds about using public Wifi as I'd be concerned about people peering over my shoulder - perhaps this is a bit paranoid?! :-D

V.

Quote
All this talk about exit relays. Why?  As Vlad implied [impaled :) ], you can run a middleman relay, thereby adding to the obfuscation of the connection you are using.

Furthermore, Tor can be modified to use only specific relays, or relays from specific geographic regions. Hell, it can even be tweaked to utilize more or less than the standard three hops, if you are so inclined.

Your number one weapon is common sense. Don't shoot off your mouth, ensure that communication from public hotspots is done discreetly, use a VM on your PC at home, run regular wipes of temp, cached files and free space.

Greets, from a long time lurker and first time poster.

:)
Title: Re: Who on SR orders from their home computer?
Post by: randomOVDB#2 on May 20, 2012, 06:52 pm
Quote
"I run an Apache Home Server running a Tor exit relay Officer, here take a look. "

"Thank you Sir, have a good day."

Your PC gets seized.

http://p10.hostingprod.com/@spyblog.org.uk/blog/2009/03/passion-and-dalliance-blog-why-you-need-balls-of-steel-to-operate-a-tor-exit-nod.html

https://lists.torproject.org/pipermail/tor-talk/2011-May/020490.html

96z28dude, you don't know who controls the library computer. You might have your picture taken through the camera, there could be a keylogger installed, etc
Title: Re: Who on SR orders from their home computer?
Post by: dmtdoodeelsd on May 20, 2012, 07:21 pm
96z28dude, what a strange original question..??

Who uses SR from their home address, and whereabouts in the world do they LIVE..?!!

and why haven't you posted again in your own thread..!??

obv anyone on these forums isn't dumb enough to answer either of these questions specifically...

hmmm... i smell bacon...!!

 :-X :-X :-X :-X
Title: Re: Who on SR orders from their home computer?
Post by: vlad1m1r on May 20, 2012, 07:43 pm
I like the "Balls of Steel" bit - Ok, so in retrospect perhaps not the best way to conceal your nefarious dealings, still if no one operated one then where would we be? I think as we've said already if you had a dedicated home server as my friend has, the effect on you wouldn't be quite so pronounced but of course your own computer could be seized too!

V.

Quote
"I run an Apache Home Server running a Tor exit relay Officer, here take a look. "

"Thank you Sir, have a good day."

Your PC gets seized.

http://p10.hostingprod.com/@spyblog.org.uk/blog/2009/03/passion-and-dalliance-blog-why-you-need-balls-of-steel-to-operate-a-tor-exit-nod.html

https://lists.torproject.org/pipermail/tor-talk/2011-May/020490.html

96z28dude, you don't know who controls the library computer. You might have your picture taken through the camera, there could be a keylogger installed, etc
Title: Re: Who on SR orders from their home computer?
Post by: _M4LW4R3_ on May 21, 2012, 04:35 am
you shouldn't rely on TOR for security, they can only fix problems they find. millions go to security professionals every year who find security holes "0 days" that don't have a fix and sell them to the highest bidder
it's less a question of if it will happen it's more a question of when the tor network, the silk road...etc  will become vulnerable.
Title: Re: Who on SR orders from their home computer?
Post by: kmfkewm on May 21, 2012, 07:05 am
Tor and SR already are vulnerable, so is essentially everyone on Tor. There are hackers out there who can completely pwn pretty close to possibly even 100% of  the users here, spying on their plaintexts and getting their real IP addresses. But there are not many of them. The stereotypical really good hacker is not likely to find issue with silkroad, the traditional underground hacker culture of old tends to be quite libertarian (of course the same is true for cypherpunks, probably to an even greater extent), and the modern era ones are into organized crime themselves. The really good hackers who would work for government agencies are far more likely to be hired by military or intelligence agencies than police agencies. The really good hackers who work as civilians develop premade attack combinations and sell them for hundreds of thousands or millions of dollars each often to military and intelligence agencies who prefer to keep them as secret as possible, and they are highly secretive and don't share such things with feds. Look at things like Core Impact, a restricted license to get updates for that penetration testing kit costs $30,000-$60,000 a year, and a lot of companies use this sort of tool for securing their own networks / client networks.  There are hackers out there who could bring SR down, but probably none who can bring SR down and care enough about it to do so.

Not to mention agencies like NSA can not only defeat SR they can do so in a variety of different ways, they employ some of the best hackers in the world and they also have a massive state of the art signals intelligence apparatus that can defeat Tor via traffic analysis (and then after they locate you they will spy on your monitor from down the street with their TEMPEST equipment, making your encryption worthless).

The FBI probably has some good hackers though. I think they may be too busy taking care of very serious shit to focus on most small time drug dealing, although it is worrying to think that enough political pressure could force them to do something against the online scene. It is also worrying that they could make prepackaged zero day exploits for lesser skilled police to use, and keep the attacks secret from companies like Mozilla so they are never patched until someone else notices and fixes the vulnerability. However I have seen the quality of hacking toolkits that feds are using and I have not seen much exceptionally impressive yet, they seem to rarely use zero days but that may be because most targets have shit security and unpatched systems. I think they probably work mostly on cases of counter terrorism, counter espionage and cases where there are kidnappings with hostage demands sent through the internet or serial killers contacting police electronically and other shit like that. A lot of them probably focus on tracing people who are abusing their kids and posting pictures online while using strong security measures. Actually a good proof of the limitation of the FBI's technical capabilities is the fact that they fail to technically trace the more secure people who engage in such activities, relying always on the potentially much slower photographic forensics route of identification.  This is a pretty good indicator imo that they do not have any world class hackers. But yeah the real demand for world class hackers is in military / intelligence and the private industry FBI position can't match the power of the first or the pay of the second.
Title: Re: Who on SR orders from their home computer?
Post by: tarp on May 21, 2012, 10:55 am
Quote
To answer the OP's question, although I access SR from both my home and the office, I would be of two minds about using public Wifi as I'd be concerned about people peering over my shoulder - perhaps this is a bit paranoid?! :-D

Hello Vlad. May I suggest sitting in a corner of the room, facing out, into the room itself. That way you can always see who else is there and what they are up to. Furthermore, it goes without saying that the same location should not be used on successive occasions. Move between hotspots if possible, break the days, times etc up as well. :)

Still, I believe that if you are careful. If you exercise some common sense you can operate safely from home. Keep your trap shut.  Maintain a clean and tidy PC. Disk encryption as well is ultimately only worthwhile if you live in a nation where you are not required by law to hand over pass phrases to encrypted drives or containers.

To be sure, running a Tor server is going to raise alarm bells in some way. Remember though that doing so is not (yet) illegal. Many people run servers and have done so for a long time. However there will always be elements of government, LEO, intel etc that believe only kiddy fiddlers and pals of OBL need to encrypt their net data.

Be careful of FUD. There's plenty of folks out there that will say or imply things without backing their statements up, or base such statements more on rhetoric, rumor and supposition.

Quote
Not to mention agencies like NSA can not only defeat SR they can do so in a variety of different ways, they employ some of the best hackers in the world and they also have a massive state of the art signals intelligence apparatus that can defeat Tor via traffic analysis (and then after they locate you they will spy on your monitor from down the street with their TEMPEST equipment, making your encryption worthless).

Now, there's an old adage that goes something like this. Look at where we are technology-wise right now. Folks like NSA etc are at the same time, 10 years ahead of us. Proving such is impossible of course (unless one works for NSA), but I believe this is a fair assumption to make. Remember though that Tor is pretty heavy duty. Information readily available at this time suggests that LEO's main arsenal against Tor is either Traffic Analysis or compromised entry and/or exit nodes. Nothing suggests that the encryption itself has been broken.

The SIGINT apparatus mentioned in the quote above is massive, with computational power that most of us cannot fully imagine. Information regarding this is out on the interwebz - all you need do is search for it. Reading the display from screens is also possible, as is 'hearing' the electronic noise each individual key makes when it is depressed. This can be done by attaching equipment nearby to the source of your electricity. In years past, Soviet agents were renowned for attaching sensitive equipment to the chain link fence that surrounded a communication center in order to pick up the electronic chatter of crypto machines.

LEO is not however going to expend such time and resources on someone buying a gram of pot on SR. They have better things to do.

The guys in Langley, Menwith Hill, Yakima etc probably keep track of every Tor server and every connection made to the Tor network. But they will be looking specifically for entry IP's from areas of interest such as the ME or Afghanistan / Pakistan. Of course, they may be tasked to go after a serious (non terrorist) crim, and there's always diplomatic or trade information that may be channeled through Tor. Still, this doesn't mean that you can relax your guard. :)

NSA etc all have their 'hackers' but of course they are not called hackers. Furthermore, these guys will also outsource some of their tasks (remember HBGary?) such as flooding 'social networks' with sophisticated bots that look like real people online in order to stir up dissent etc, building up company profiles (in preparation for a corporate takeover) via trolling the FB accounts of staff and personnel etc etc.

To sum up, just use your noggin, be paranoid, but not too much ;) If in doubt ask - don't go off doing things half-cocked.

EDIT:

I believe this is bullshit, BTW ;)

Quote
There are hackers out there who can completely pwn pretty close to possibly even 100% of  the users here, spying on their plaintexts and getting their real IP addresses.

Where did you get this gem from?


Title: Re: Who on SR orders from their home computer?
Post by: kmfkewm on May 21, 2012, 11:15 am
I think NSA calls their hackers network assault teams or something
Title: Re: Who on SR orders from their home computer?
Post by: kmfkewm on May 21, 2012, 11:24 am
Quote
Where did you get this gem from?

all it would take to pwn most of the people on SR is a remote code execution vulnerability for SR + a non-javascript code execution vulnerability for Firefox. Tor itself has had plenty of remote code execution vulnerabilities. OTR just patched a remote code execution vulnerability. Even the people who are using isolation are just an SR/Apache/Tor exploit + firefox/Tor exploit + hypervisor exploit away. People using airgaps can protect their encryption plaintexts from hackers but not their IP addresses, and once located a really good hacker will know how to carry out a TEMPEST attack to spy on plaintexts. Hackers routinely sell multi-zero-day combination exploits, for hundreds of thousands to millions of bucks, but they can be reused on all vulnerable targets until they are patched. Hackers of that skill level can penetrate damn near anything that isn't formally verified and I am under the impression that there are even highly advanced physics based attacks against these systems (this stuff is beyond my level). Look at Stuxnet for fucks sake they infected nuclear centrifuges that were not even connected to the internet via a worm that spread from USB device to USB device until they got lucky enough that someone working on the centrifuges exposed a contaminated USB to their network. We would not have any luck against that level of attacker.

Someone using ASLR, airgaps, mandatory access control profiles, dedicated hardware critical process isolation, nx bit, IDS/IPS, fully patched everything on some minimalist OS (preferably on top of a formally verified microkernel) with a hardened browser and OS who is connecting to a similarly secure server....would make a very hard target for a hacker.  But even this level of security has been penetrated in the past and can be penetrated by some attackers still.
Title: Re: Who on SR orders from their home computer?
Post by: Pharmacopoeia on May 21, 2012, 11:32 am
I use SR on my trueencrypted virtual machines.  That way I use my home comp, but any 'secret' things are done on an encrypted partition I created when I made the virtual machine.

SecuritySolutions offers a great option actually it's just so stupidly priced I'd never buy it haha.  They have as far as warweed has said to me given him rights to mass distribute on his bot their product, which is a lil more affordable at like $30 (still a lot, but SS wants $180 !!).

My only impasse now is I don't want a virtual machine but a straight up bootable DVD that way so long as I unplug my hard drive, there is no way for data to be stored.
On that same note, having an application in windows where I can just go to do my 'secret' stuff and keep using windows normally is extremely convenient and has given me some security sleep at night.
Title: Re: Who on SR orders from their home computer?
Post by: tarp on May 21, 2012, 11:49 am
Quote
Where did you get this gem from?

all it would take to pwn most of the people on SR is a remote code execution vulnerability for SR + a non-javascript code execution vulnerability for Firefox. Tor itself has had plenty of remote code execution vulnerabilities. OTR just patched a remote code execution vulnerability. Even the people who are using isolation are just an SR/Apache/Tor exploit + firefox/Tor exploit + hypervisor exploit away. People using airgaps can protect their encryption plaintexts from hackers but not their IP addresses, and once located a really good hacker will know how to carry out a TEMPEST attack to spy on plaintexts. Hackers routinely sell multi-zero-day combination exploits, for hundreds of thousands to millions of bucks, but they can be reused on all vulnerable targets until they are patched. Hackers of that skill level can penetrate damn near anything that isn't formally verified and I am under the impression that there are even highly advanced physics based attacks against these systems (this stuff is beyond my level). Look at Stuxnet for fucks sake they infected nuclear centrifuges that were not even connected to the internet via a worm that spread from USB device to USB device until they got lucky enough that someone working on the centrifuges exposed a contaminated USB to their network. We would not have any luck against that level of attacker.

Someone using ASLR, airgaps, mandatory access control profiles, dedicated hardware critical process isolation, nx bit, IDS/IPS, fully patched everything on some minimalist OS (preferably on top of a formally verified microkernel) with a hardened browser and OS who is connecting to a similarly secure server....would make a very hard target for a hacker.  But even this level of security has been penetrated in the past and can be penetrated by some attackers still.

All of this is the realm of Intel agencies and their large corporate and LEO customers. If your average hacker was capable of this every SR BTC wallet would have been emptied long ago.

Stuxnet (although never confirmed) was most probably a joint effort between US and Israeli Intel. Not a Black hat from Hack BB :)

BTW I found this earlier: http://www.wired.com/dangerroom/2010/07/code-cracked-cyber-command-logos-mystery-solved/

Title: Re: Who on SR orders from their home computer?
Post by: vlad1m1r on May 21, 2012, 12:04 pm
Hi Pharmacopoeia,

Yes I saw this - I've been considering offering an encrypted OS with applications preinstalled on USB myself but surely if you set this up for someone you'd know the password to lock the encrypted partition and so the buyer would have to trust you're not LEO? I've only done this using the Ubuntu Alternate Install CD and Liberte so perhaps there is an OS out there which allows you to do this.

The problem is really one of trust - one of our more seasoned members could easily knock together a modified version of Liberte Linux for instance replete with your very own Bitcoin wallet but of course in so doing you'd only have their word for it the OS is secure. Much better IMHO to take some time to learn to do these things for yourself.

If you want a bootable DVD, I'd suggest you just download TAILS or even Ubuntu itself and run the OS that way. I had quite a heated discussion the other day in another thread with a user about the respective advantages of doing this vs. having an encrypted partition on your USB Drive.

It's true that it may be easier to fingerprint the operating system you're using and perform remote exploits on your computer if you use an encrypted drive. Nevertheless I think you're better off doing this versus using a bootable DVD as you'd have to trust a third party like Dropbox with your private key, bookmarks and so on and download them into RAM each time.

The user in question actually suggested keeping a copy of your private key in your SR inbox alongside all your encrypted messages - suffice it to say this isn't a very good idea.

I freely admit I'm not a Security Expert but I would say you're better off having an encrypted drive with your private key on it rather than out there in the cloud somewhere. Of course if a way can be found to store all your private data remotely so that only you can retrieve it, no one would be happier than me!

V.



I use SR on my trueencrypted virtual machines.  That way I use my home comp, but any 'secret' things are done on an encrypted partition I created when I made the virtual machine.

SecuritySolutions offers a great option actually, it's just so stupidly priced I'd never buy it haha.  They have, as far as warweed has said to me, given him rights to mass distribute their product on his bot, which is a lil more affordable at like $30 (still a lot, but SS wants $180 !!).

My only impasse now is I don't want a virtual machine but a straight up bootable DVD; that way, so long as I unplug my hard drive, there is no way for data to be stored.
On that same note, having an application in Windows where I can just go to do my 'secret' stuff and keep using Windows normally is extremely convenient and has given me some security sleep at night.
Title: Re: Who on SR orders from their home computer?
Post by: 12345 on May 21, 2012, 12:19 pm
96z28dude, what a strange original question..??

Who uses SR from their home address, and whereabouts in the world do they LIVE..?!!

and why haven't you posted again in your own thread..!??

obv anyone on these forums isn't dumb enough to answer either of these questions specifically...

hmmm... i smell bacon...!!

 :-X :-X :-X :-X


thanks for this post was thinking the same just from reading the thread title.

But I love the discussions of the guys in here. Most of them always give me the feeling that they know what they are talking about. And for me, I can't learn enough and I (hopefully) will never stop learning my whole life.

Title: Re: Who on SR orders from their home computer?
Post by: vlad1m1r on May 21, 2012, 12:25 pm
96z28dude, what a strange original question..??

Who uses SR from their home address, and whereabouts in the world do they LIVE..?!!

and why haven't you posted again in your own thread..!??

obv anyone on these forums isn't dumb enough to answer either of these questions specifically...

hmmm... i smell bacon...!!

 :-X :-X :-X :-X


thanks for this post was thinking the same just from reading the thread title.

But I love the discussions of the guys in here. Most of them always give me the feeling that they know what they are talking about. And for me, I can't learn enough and I (hopefully) will never stop learning my whole life.

A good point buddy - the more we learn, the more we realise how much there is to learn!

V.
Title: Re: Who on SR orders from their home computer?
Post by: JimPooley on May 21, 2012, 02:14 pm
I use my home PC, but short of some serious know how and a lot of computing power, good luck trying to find a trace!

I don't think I'm immune, but I'm confident my tracks are covered!
Title: Re: Who on SR orders from their home computer?
Post by: 12345 on May 21, 2012, 02:20 pm
I use my home PC, but short of some serious know how and a lot of computing power, good luck trying to find a trace!

I don't think I'm immune, but I'm confident my tracks are covered!

Have you read the thread? I wouldn't like to "challenge" someone to try it, there are always traces ...
just saying.
Title: Re: Who on SR orders from their home computer?
Post by: JimPooley on May 21, 2012, 02:29 pm
I use my home PC, but short of some serious know how and a lot of computing power, good luck trying to find a trace!

I don't think I'm immune, but I'm confident my tracks are covered!

Have you read the thread? I wouldn't like to "challenge" someone to try it, there are always traces ...
just saying.

Well... I did say I don't think I'm immune...

My footprints are very faint, better?
Title: Re: Who on SR orders from their home computer?
Post by: Spedly on May 21, 2012, 04:11 pm
There's some interesting facts in this thread. But it's important to keep perspective too.

Security is like buying insurance. It comes in handy IF you need it. Purchasing life insurance is usually a good idea because some day you are going to die. But there's a reason why accidental dismemberment insurance is optional. You'll probably wish you had it if you lose a leg in a car accident, so to compensate perhaps you'll drive a little more cautiously/defensively and hope for the best.

In this example, think of traditional security practices such as cryptography, technical boundaries, network access, access control, etc. as life insurance. If you don't have the budget to increase the security of any of these services by acquiring new technologies then the best you can do is securing what you have to the best of your abilities. You can spend thousands of dollars to secure your operations but there is a fairly low ceiling where the cost provides diminished returns.

The goal of security is (surprisingly) not to be 100% secure. The goal is to reduce risk to an acceptable level. Everyone has a different risk tolerance. It's up to the individual to determine what their risk tolerance is, assess whether or not their security operations are aligned to that, and if not, apply compensating or mitigating controls.

Secondly, given enough time, resources, and money anything is crackable. Money, again, is the key attribute. It's insane to think that virtually anyone here is worth the time, resources, and money required to nail with such sophisticated (and expensive) methods. The average user here is simply not that important. The only one here who may be worth it is DPR himself.

It's good to be on the forefront of security knowledge and interesting to see that knowledge shared on an online forum, but it's irresponsible to create FUD. Governments and government agencies are businesses too, with finite budgets, limited resources, increased volumes of work, and typical bureaucratic bottlenecks. The average buyer who purchases personal amounts is not going to be anywhere near the radar of the NSA or DHS. They are likely going to be caught due to poor packaging from a vendor - which all of the computer security in the world can't protect.
Title: Re: Who on SR orders from their home computer?
Post by: kmfkewm on May 22, 2012, 12:46 am
Quote
Where did you get this gem from?

All it would take to pwn most of the people on SR is a remote code execution vulnerability for SR + a non-javascript code execution vulnerability for Firefox. Tor itself has had plenty of remote code execution vulnerabilities. OTR just patched a remote code execution vulnerability. Even the people who are using isolation are just an SR/Apache/Tor exploit + firefox/Tor exploit + hypervisor exploit away. People using airgaps can protect their encryption plaintexts from hackers but not their IP addresses, and once located a really good hacker will know how to carry out a TEMPEST attack to spy on plaintexts. Hackers routinely sell multi-zero-day combination exploits, for hundreds of thousands to millions of bucks, but they can be reused on all vulnerable targets until they are patched. Hackers of that skill level can penetrate damn near anything that isn't formally verified and I am under the impression that there are even highly advanced physics based attacks against these systems (this stuff is beyond my level). Look at Stuxnet, for fuck's sake: they infected nuclear centrifuges that were not even connected to the internet via a worm that spread from USB device to USB device until they got lucky enough that someone working on the centrifuges exposed a contaminated USB to their network. We would not have any luck against that level of attacker.

Someone using ASLR, airgaps, mandatory access control profiles, dedicated hardware critical process isolation, nx bit, IDS/IPS, fully patched everything on some minimalist OS (preferably on top of a formally verified microkernel) with a hardened browser and OS who is connecting to a similarly secure server....would make a very hard target for a hacker.  But even this level of security has been penetrated in the past and can be penetrated by some attackers still.

All of this is the realm of Intel agencies and their large corporate and LEO customers. If your average hacker was capable of this every SR BTC wallet would have been emptied long ago.

Stuxnet (although never confirmed) was most probably a joint effort between US and Israeli Intel. Not a Black hat from Hack BB :)

BTW I found this earlier: http://www.wired.com/dangerroom/2010/07/code-cracked-cyber-command-logos-mystery-solved/

Although you are right that this level of attacker is usually in the realm of intelligence, there are non-government affiliated hackers out there who are just as skilled. HackBB is pretty much noob central as far as the hacking scene goes. 
Title: Re: Who on SR orders from their home computer?
Post by: kmfkewm on May 22, 2012, 12:56 am
There's some interesting facts in this thread. But it's important to keep perspective too.

Security is like buying insurance. It comes in handy IF you need it. Purchasing life insurance is usually a good idea because some day you are going to die. But there's a reason why accidental dismemberment insurance is optional. You'll probably wish you had it if you lose a leg in a car accident, so to compensate perhaps you'll drive a little more cautiously/defensively and hope for the best.

In this example, think of traditional security practices such as cryptography, technical boundaries, network access, access control, etc. as life insurance. If you don't have the budget to increase the security of any of these services by acquiring new technologies then the best you can do is securing what you have to the best of your abilities. You can spend thousands of dollars to secure your operations but there is a fairly low ceiling where the cost provides diminished returns.

The goal of security is (surprisingly) not to be 100% secure. The goal is to reduce risk to an acceptable level. Everyone has a different risk tolerance. It's up to the individual to determine what their risk tolerance is, assess whether or not their security operations are aligned to that, and if not, apply compensating or mitigating controls.

Secondly, given enough time, resources, and money anything is crackable. Money, again, is the key attribute. It's insane to think that virtually anyone here is worth the time, resources, and money required to nail with such sophisticated (and expensive) methods. The average user here is simply not that important. The only one here who may be worth it is DPR himself.

It's good to be on the forefront of security knowledge and interesting to see that knowledge shared on an online forum, but it's irresponsible to create FUD. Governments and government agencies are businesses too, with finite budgets, limited resources, increased volumes of work, and typical bureaucratic bottlenecks. The average buyer who purchases personal amounts is not going to be anywhere near the radar of the NSA or DHS. They are likely going to be caught due to poor packaging from a vendor - which all of the computer security in the world can't protect.

100% agree, of course NSA doesn't care about SR. DHS is a different story though, people have a lot of misconceptions about DHS. DHS consists of several sub-agencies including customs. When vendors are busted, it is not rare for DHS to play a role.
Title: Re: Who on SR orders from their home computer?
Post by: 46&2 on May 22, 2012, 12:58 am
i plead the fifth! uh, if i was in that country, which i'm not.
direct answers to this question would be absurd ;D
Title: Re: Who on SR orders from their home computer?
Post by: ralph123 on May 22, 2012, 02:07 am
That's why I say if you're going to use this site then get on, take care of business, and get off as soon as possible. Make as few transactions as possible in a given time frame.
Title: Re: Who on SR orders from their home computer?
Post by: 12345 on May 22, 2012, 10:58 am
There's some interesting facts in this thread. But it's important to keep perspective too.

Security is like buying insurance. It comes in handy IF you need it. Purchasing life insurance is usually a good idea because some day you are going to die. But there's a reason why accidental dismemberment insurance is optional. You'll probably wish you had it if you lose a leg in a car accident, so to compensate perhaps you'll drive a little more cautiously/defensively and hope for the best.

In this example, think of traditional security practices such as cryptography, technical boundaries, network access, access control, etc. as life insurance. If you don't have the budget to increase the security of any of these services by acquiring new technologies then the best you can do is securing what you have to the best of your abilities. You can spend thousands of dollars to secure your operations but there is a fairly low ceiling where the cost provides diminished returns.

The goal of security is (surprisingly) not to be 100% secure. The goal is to reduce risk to an acceptable level. Everyone has a different risk tolerance. It's up to the individual to determine what their risk tolerance is, assess whether or not their security operations are aligned to that, and if not, apply compensating or mitigating controls.

Secondly, given enough time, resources, and money anything is crackable. Money, again, is the key attribute. It's insane to think that virtually anyone here is worth the time, resources, and money required to nail with such sophisticated (and expensive) methods. The average user here is simply not that important. The only one here who may be worth it is DPR himself.

It's good to be on the forefront of security knowledge and interesting to see that knowledge shared on an online forum, but it's irresponsible to create FUD. Governments and government agencies are businesses too, with finite budgets, limited resources, increased volumes of work, and typical bureaucratic bottlenecks. The average buyer who purchases personal amounts is not going to be anywhere near the radar of the NSA or DHS. They are likely going to be caught due to poor packaging from a vendor - which all of the computer security in the world can't protect.

QFT and bc of this one key point I want to underline.

Quote
The goal of security is (surprisingly) not to be 100% secure. The goal is to reduce risk to an acceptable level.


This one. This is exactly what I tell everyone I invite here. Don't just go and buy 100g of coke, so you are done with this for a good time. No, don't.
Play the game within the rules. Every single transaction I made wouldn't get me into serious trouble. Perhaps some investigation, but most likely just cash I have to pay. I am fine with that. I have a life and I am glad I can manage both.

IF (and this is a big if) I ever consider being a vendor, I have to commit myself to the fact that I can possibly go to prison for that. That's the point, and I would never just vend here for a few bucks. No way, 'if' then I have to do it right, and get rich very fast to stop before the downside kicks in.

And somehow I love the USA but I am glad I don't live there. Getting life in prison for some LSD... WTF! Stupid laws like the 3rd strike one in California?!?! Come on, the land of the free... yes, but only if you have money... that is how we (non-US citizens) see the US. (OK, perhaps just me)

Title: Re: Who on SR orders from their home computer?
Post by: PerfectDay on May 22, 2012, 11:15 am
Hello everyone, I am currently in the process of making my e-mail with a fake name and setting up bitcoin etc. I was just curious as to who on SR actually takes the time to go the library or some other location to order their goods? Or do some of you order from the comfort of your home? I'm just curious  ;D Please comment whether you order from home or where ever and what country you're located in.

Like this
Order from - home (or library or where ever)
Location - USA (or Europe or where ever)

I would prefer 2 order from your computer
Title: Re: Who on SR orders from their home computer?
Post by: the renegade on May 22, 2012, 06:28 pm
I use my home computer without much fear or paranoia.. As of this instance, I'm just a small time buyer in LE eyes, so I have no concerns.
Title: Re: Who on SR orders from their home computer?
Post by: hyruleantoker on May 22, 2012, 08:36 pm
I'm a bit silly in this regard, as I use TOR and SR from my laptop at home, without encryption or flash drive.
However, I have yet to make any purchases of any notable size, so I am hardly anywhere near an interest level for LE.

When I get a job soon and start ordering, I'll make sure to have my drive cleared, and I'll have TAILS or Liberte Linux on a flash drive.
Title: Re: Who on SR orders from their home computer?
Post by: 96z28dude on June 20, 2012, 05:19 am
96z28dude, what a strange original question..??

Who uses SR from their home address, and whereabouts in the world do they LIVE..?!!

and why haven't you posted again in your own thread..!??

obv anyone on these forums isn't dumb enough to answer either of these questions specifically...

hmmm... i smell bacon...!!

I didn't mean to answer them specifically lol, I meant location as in USA or Spain or Canada or wherever the hell you're at. I kinda just gave up on this website because I can't figure out the bitcoin thing and I just don't wanna take the risk of getting popped lol. I'm not out to get anyone haha, I'm just a noob to this and I was trying to figure it out, but I just kind of see this as a lost cause.

 :-X :-X :-X :-X
Title: Re: Who on SR orders from their home computer?
Post by: zaphod6969 on June 22, 2012, 12:05 am
Nevertheless I think you're better off doing this versus using a bootable DVD as you'd have to trust a third party like Dropbox with your private key, bookmarks and so on and download them into RAM each time.

TAILS includes a way of encrypting the unused space of the USB device and auto-mounting it upon boot.
After typing the secret key of course.
Title: Re: Who on SR orders from their home computer?
Post by: bogben on June 22, 2012, 06:47 pm

It's true that it may be easier to fingerprint the operating system you're using and perform remote exploits on your computer if you use an encrypted drive. Nevertheless I think you're better off doing this versus using a bootable DVD as you'd have to trust a third party like Dropbox with your private key, bookmarks and so on and download them into RAM each time.

I freely admit I'm not a Security Expert but I would say you're better off having an encrypted drive with your private key on it rather than out there in the cloud somewhere. Of course if a way can be found to store all your private data remotely so that only you can retrieve it, no one would be happier than me!

V.


Quite right, but this issue of trust is relatively easy to surmount: only use relatively anonymous places to store this info (e.g. tormail) and, more importantly, encrypt all the data before you put it in there! GPG can symmetrically encrypt it for you (the default is CAST5 but there are other options if, unlike me, you have the knowledge to distinguish between them more than "Bruce Schneier made Blowfish so it must be good"). While this reduces the risk of being caught with something on a disk that you can be forced to decrypt, it does mean that if a service disappears so does all your information, so redundancies are needed.

I would say the major disadvantage of a live CD is the need to rebuild and compile any packages which are not included with it (a prime example is obfsproxy on Tails, which takes over 40 minutes what with updating all the repositories and suchlike) every single time.



Title: Re: Who on SR orders from their home computer?
Post by: 96z28dude on June 25, 2012, 01:35 am
Okay so if I understand all of this correctly, I can order from home safely as many of you do. But I need to setup a mtgox account or something. I have a few questions.
1. Do I put my real information in the mtgox account?
2. After all of that is done then where should I get bitcoins? I was thinking BTCpal, he seems legit.
3. When I go to get a moneypak from walmart, how do I associate that with SR and bitcoin?
This whole bitcoin thing is very confusing to me. I literally need someone to break it down step by step for me on how to order something. All the way from creating my mtgox account to placing an order with a vendor. Any help would be greatly appreciated. Thanks
Title: Re: Who on SR orders from their home computer?
Post by: MockFrog on June 25, 2012, 01:55 am
Although your friend may have gotten away with just a few-minute conversation with the plod, you can't always count on that being the case.
Guru
Especially in the US. Here the cops will have no qualms in busting you wide open, because there is no freedom left in this country. That's why security here is more paramount than anywhere else.

MockFrog
Title: Re: Who on SR orders from their home computer?
Post by: realXimpact on June 25, 2012, 10:15 am
Okay so if I understand all of this correctly, I can order from home safely as many of you do. But I need to setup a mtgox account or something. I have a few questions.
1. Do I put my real information in the mtgox account?
2. After all of that is done then where should I get bitcoins? I was thinking BTCpal, he seems legit.
3. when I go to get a moneypak from walmart, how do I associate that with SR and bitcoin?
This whole bitcoin thing is very confusing to me. I literally need someone to break it down step by step for me on how to order something. All the way from creating my mtgox account to placing an order with a vendor. Any help would be greatly appreciated. Thanks

I don't have the time for a fully detailed step-by-step, but here's the quick 'n' dirty of how I get my BTCs

-Create a MTGox account on clearnet, DO NOT EVER ACCESS MTGOX VIA TOR - If you do log in via TOR, you will need to provide photo ID to keep using your account. Otherwise, no personal info is needed.

-use bitinstant.com to fund your new MTGox account with US dollars.
  -put in your MTGox username, amount that you want (add in an extra $5-10 for what you want to order) and email address

-TrustCash will show you the nearest Bank of America you can deposit at (create a quick account on TrustCash to make things easier), create the invoice and print it out, or email/sms it to yourself

-Take the printed out invoice to a teller at Bank of America and tell them you need to make a deposit on the invoice (once you get the hang of it, you can take deposit slips and fill them out in advance) and give the cash, anonymously. No BoA account necessary, I fill them out at home and use the drive-thru now.

-Once this is done TrustCash will send you an e-mail as soon as it scans its bank accounts and you'll have US Dollars in your MTGox account

-Log into MTGox !!WITHOUT TOR!! and buy your BitCoins, it may take a few minutes sometimes until the action is done, you might need to cancel the partially-filled order and set a new order to finish it

-Once your MTGox account has all the BitCoins you need, go to Funding Options (on the left) then Withdraw Funds tab, enter in the BTC amount, finally copying your SilkRoad account's wallet address (account page in SR, long string of numbers and letters) and pasting it into MTGox, and send the funds

-Within 1-3 hours, your SR account will be funded and you'll be ready to order.

....Wow, honestly, looking back on that, it seems like a lot of steps. But this is something that I've now done dozens of times. I've started the whole process after starting laundry at the laundromat and have my SilkRoad order done before I finish folding my clothes. It's nerve-wracking and seems difficult at first, but once you get it down, it's easy.

IF you decide to go with a MoneyPak-accepting vendor on here, do your research, and as I understand it, it's quite simple. Talk to the vendor and tell him you want to buy x amount of bitcoins, they tell you how much to put on a MoneyPak, you go and buy it, take the number off the back and send it to your vendor, then they send BTCs directly to you on your SilkRoad account. I've never done it but that's how it seems to go! Good luck!
Title: Re: Who on SR orders from their home computer?
Post by: vlad1m1r on June 25, 2012, 05:21 pm
Nevertheless I think you're better off doing this versus using a bootable DVD as you'd have to trust a third party like Dropbox with your private key, bookmarks and so on and download them into RAM each time.

TAILS includes a way of encrypting the unused space of the USB device and auto-mounting it upon boot.
After typing the secret key of course.

Nice, I wonder if the USB version can support TrueCrypt containers too? Call me paranoid but I like to have the option.

V.