Silk Road forums
Discussion => Security => Topic started by: Trippinmonkey on July 03, 2013, 03:50 pm
-
How safe are they actually?
A lot of apps have almost all access to the mobiles. Some use your cache.
Seems pretty risky to visit SR or the forums with all those shit apps?
-
Not illegal to read the forums, or log into the main site. It's only illegal if you sell, offer to sell or order drugs.
So it's fine if that's all you're doing. If you were logging into your vendor account with a phone, that's a bad idea unless you have a custom Android build.
-
How safe are they actually?
A lot of apps have almost all access to the mobiles. Some use your cache.
Seems pretty risky to visit SR or the forums with all those shit apps?
They're safer than regular un-proxied browsing that's for certain.
That's why you need to use a permission manager like Open-Pdroid and a security manager like SecDroid.
It is rather risky due to the nature of smartphones. I use it to simply browse the internet, not for darknet use. Personally I won't access anything SR related from anything other than my LiveUSB.
Not illegal to read the forums, or log into the main site. It's only illegal if you sell, offer to sell or order drugs.
So it's fine if that's all you're doing. If you were logging into your vendor account with a phone, that's a bad idea unless you have a custom Android build.
True, but that's not the issue. If that phone is associated with his name, and he logs into his SR pseudonym with that phone he has now correlated his real identity with that pseudonym.
There's a new custom ROM being managed called Guardian ROM. It's a security driven fork of Cyanogen Mod. It comes pre-built with Open-PDroid, SecDroid, hardened kernel, and all Guardian Project apps pre-installed. It looks the most promising for any Android ROM based on security.
-
How safe are they actually?
A lot of apps have almost all access to the mobiles. Some use your cache.
Seems pretty risky to visit SR or the forums with all those shit apps?
Not safe at all. This has been discussed many, many times before. The truth is that using any mobile device to access SR is potentially very dangerous. When SR Support (DPR) responded with a comment (I'm paraphrasing here) "Tor was not designed to be used on mobile devices. I would advise against accessing SR using one of these devices", that's all I need to read to confirm my own doubts. If you do some digging, you'll find these threads here. It's taking a risk that really doesn't need to be taken.
-
How safe are they actually?
A lot of apps have almost all access to the mobiles. Some use your cache.
Seems pretty risky to visit SR or the forums with all those shit apps?
They're safer than regular un-proxied browsing that's for certain.
That's why you need to use a permission manager like Open-Pdroid and a security manager like SecDroid.
It is rather risky due to the nature of smartphones. I use it to simply browse the internet, not for darknet use. Personally I won't access anything SR related from anything other than my LiveUSB.
Not illegal to read the forums, or log into the main site. It's only illegal if you sell, offer to sell or order drugs.
So it's fine if that's all you're doing. If you were logging into your vendor account with a phone, that's a bad idea unless you have a custom Android build.
True, but that's not the issue. If that phone is associated with his name, and he logs into his SR pseudonym with that phone he has now correlated his real identity with that pseudonym.
There's a new custom ROM being managed called Guardian ROM. It's a security driven fork of Cyanogen Mod. It comes pre-built with Open-PDroid, SecDroid, hardened kernel, and all Guardian Project apps pre-installed. It looks the most promising for any Android ROM based on security.
Guardian ROM? That sounds extremely interesting. If you are interested in ROM flashing etc. you have probably heard of multiboot, a new modified boot loader (and modified TWRP) that lets you boot from multiple ROMs, including from external USB storage. It will also let you boot Linux distros. (You need a patched kernel for that.) I have been looking into whether Liberte or Tails could be booted from USB using this, but I don't know enough Linux to get it running.
Guardian ROM sounds promising.
The question of accessing SR on mobile devices HAS been gone over and over, but mostly on the level of "but it's got a GPS and a camera in it". The legendary PM from DPR was actually a response to someone who had had his account phished and was along the lines of "we don't really know much about accessing Tor via mobile so play it safe and don't". But it's constantly referred to as basically proof that Android Tor is unsafe.
I think it's time we had this discussion. I'm sure there are a fair few people using Orbot and Orweb to visit forums. I'd like to see some discussion and development of custom ROMs to help the community.
-
Having said that... I don't really know what I'm talking about and I'm not sure why I keep defending the use of mobile devices to browse SR. I'm sure it is less secure. It just seems like a lot of the criticism is knee-jerk stuff from people who don't really know either (I don't mean anyone in this thread by that!). And then that gets referred back to as if it's established research.
I would just like to see an informed discussion on what the specific security vulnerabilities are using Android phones or tablets, or even iPhones.
It often seems that the problems listed would apply equally to laptops etc.
-
As far as I recall, Tor on iPhones was not secure, Tor on Android was.
GPS does not matter, you can just turn it off. Or use fake gps coordinates.
Putting on a firewall to block all apps except the stuff from guardian seems safe to me. But I do not know if the apps still use the given access and send it away later on.
I know of a vendor who has been doing all the SR and forum work for at least a year now and nothing bad happened.
To the statement that the same issues would apply to laptops... This is not true. If you do not use a hard drive which can log at what times which USB device has been used, and use Tails or Liberte, then you have absolutely no programs that are logging stuff.
There will be a problem if the encryption goes wrong somehow and LE is at your exit node. But I do not see how that is possible with tails or liberte if you go to onion sites, use different identities and stay away from clearnet. Although even visiting clearnet with the same identity you used to visit SR does not have to lead to trouble. I think it's worse if you display the same behavior on darknet as you do on clearnet...
Using tor on a laptop with a drive with windows installed is not a good idea if you want to visit darknet. I'm not sure but if I remember correctly it remembers the websites you visited (as does tails btw). Perhaps that is not so bad if you start tor from an external encrypted device...
I have not read any clear arguments what and why using Orweb to visit SR is a bad idea. So it stays unclear if the other apps are a risk which might or might not be stopped with a firewall. Then the problem remains that the location of the SIM card can be found via satellites. And that can be solved by removing it and using well encrypted wifi.
No android phone app expert on this forum who can add more info?
-
Well.. this thread sure covers a lot about why android+SR is perhaps not such a smart idea (or use android at all, probably all smartphones steal a lot of your privacy and the series Person of Interest is closer to reality than people might think):
Uncovering Android Master Key That Makes 99% of Devices Vulnerable
http://dkn255hz262ypmii.onion/index.php?topic=179471.0
-
To clarify, I was referring to using a laptop with Tor Browser Bundle, as I'm sure many do. Of course using Tails or Liberte is more secure. What I'm interested in is whether a) Liberte can be run from USB on an Android device using MultiROM (not multiboot as I said earlier), since other Linux distros can,
b) whether a secure Android ROM exists or can be created,
and c) what actual attacks might be made on an Android device, caused by using it with Orbot/Orweb.
What I meant by the "apply equally to laptop" comment was that many of the criticisms involve LE "pushing" malware to your device without your knowledge, which will then activate your GPS and camera etc. and call home with your identity. This seems like it could apply equally to someone using a laptop with Tor Browser Bundle (not Tails or Liberte).
I'm really interested in how it might be possible to get a secure version of Android/Linux running on an Android device.
I'm also interested in hearing from experts on the specific vulnerabilities of Android and iOS.
-
To clarify further, whenever I read more about computer security I realise how little I know, for instance, if I open a terminal on my device and type su followed by logcat I get huge reams of possibly incriminating data that is possibly being stored on my device. It sounds like the Guardian ROM is designed to avoid this.
I guess I just want to find out more.
-
As long as you're proxied properly, with all your bridge relays in place, you'll be fine..
Being 'rooted', where you can remove all that GPS tracking, maps, and Google BS, is essential!!
Don't place orders on a mobile device if you haven't yet removed anything that can track you via satellite.. duhhh :P
Be safe homies!!
Peace!!
-
I take that back, even with a custom Android build I wouldn't trust Orbot, nor would I trust any Guardianproject.info app whatsoever. Look at them interacting with @moxie on Twitter, and moxie's blog calling them out. I don't think the guardianproject guys know what they are doing at all.
You can however make a pretty safe custom build for encrypted voice with RedPhone and using encrypted texts with TextSecure. Safe as in you aren't directly talking about anything illegal, or dropping addresses. You should also have some sort of established code words between you and associates over encrypted text and voice to prove who you are (I learned this from a dial-a-dope crew in Canada that's still operating).
APG/K-9 is pretty solid too, so long as you aren't generating PGP keys on the phone, as the author admits it's experimental. In that case what you would do is generate a master PGP key on whatever normal computer system you have, and make a special key just for mobile use and sign it with your master key. Then copy it to your (hopefully encrypted) phone. If the phone is lost or something else happens you can always sign a new key and prove your identity.
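The master-key / mobile-key arrangement described in the last post, as an added example that is not from the thread or from APG: it models the same hierarchy with Go's standard-library ed25519 rather than OpenPGP (a swapped-in technique), so a correspondent who trusts only the offline master key can check that a phone's key was certified by it, reject it once the master has disowned it after a loss, and accept a freshly certified replacement. The functions Certify, Revoke and VerifyMessage, the "cert:"/"revoked" labels and the sample message are constructed for this illustration.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
)

// Cert is the master key's signed statement "this device key speaks for me under this label".
// A revocation is the same statement under the reserved label Revoked ("this key is disowned").
type Cert struct {
	DevicePub ed25519.PublicKey
	Label     string // constructed label such as "phone-2013", or Revoked
	Sig       []byte
}
const Revoked = "revoked"
// The signed payload binds label and key, so a certification cannot be reused for another key.
func certPayload(pub ed25519.PublicKey, label string) []byte { return append([]byte("cert:"+label+"\x00"), pub...) }
// Certify runs on the trusted computer holding the master secret; only devicePub ever leaves it.
func Certify(master ed25519.PrivateKey, devicePub ed25519.PublicKey, label string) Cert {
	return Cert{devicePub, label, ed25519.Sign(master, certPayload(devicePub, label))}
}
// Revoke is what the owner does once the phone is lost: the master disowns that device key.
func Revoke(master ed25519.PrivateKey, devicePub ed25519.PublicKey) Cert { return Certify(master, devicePub, Revoked) }
// VerifyMessage is run by a correspondent who trusts only masterPub: a message is accepted only
// if its device key is certified by the master, has not been revoked, and really signed it.
func VerifyMessage(masterPub ed25519.PublicKey, c Cert, revs []Cert, msg, sig []byte) error {
	if c.Label == Revoked || !ed25519.Verify(masterPub, certPayload(c.DevicePub, c.Label), c.Sig) {
		return errors.New("device key is not certified by the master key")
	}
	for _, r := range revs {
		if r.Label == Revoked && r.DevicePub.Equal(c.DevicePub) &&
			ed25519.Verify(masterPub, certPayload(r.DevicePub, Revoked), r.Sig) {
			return errors.New("device key has been revoked by the master key")
		}
	}
	if !ed25519.Verify(c.DevicePub, msg, sig) {
		return errors.New("message signature does not verify under the device key")
	}
	return nil
}
func main() {
	masterPub, masterPriv, _ := ed25519.GenerateKey(rand.Reader) // stays on the desktop
	phonePub, phonePriv, _ := ed25519.GenerateKey(rand.Reader)   // lives on the phone
	cert, msg := Certify(masterPriv, phonePub, "phone-2013"), []byte("constructed sample message")
	fmt.Println("phone in use:", VerifyMessage(masterPub, cert, nil, msg, ed25519.Sign(phonePriv, msg)))
	revs := []Cert{Revoke(masterPriv, phonePub)} // phone lost: disown its key, then certify a new one
	fmt.Println("after loss:  ", VerifyMessage(masterPub, cert, revs, msg, ed25519.Sign(phonePriv, msg)))
}
```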