Silk Road forums

Discussion => Newbie discussion => Topic started by: fije on June 12, 2013, 12:06 am

Title: Ultimate SR setup guide for Mac users (inc. PGP/GPG) - pls try to pass around
Post by: fije on June 12, 2013, 12:06 am
Hi guys,

Most PGP stuff is PC-related so I thought I'd provide a guide and expand on it with my setup best practices for Mac users  8)
A lot of this will be useful for PC users as well however.

Hope it helps some folks out there. Obviously this is my guide/opinion on best practice from a security standpoint, if you have any other ideas or suggestions to improve, please post away.

**NB: The links below are normal/clearnet links, so be careful mixing that with your TOR traffic/IP address.**


Virtual Machine
-----------------

To keep things separate from your day to day Mac use, I'd recommend using a virtual machine. This is where a full operating system (OS X, in this case) runs inside an application by itself, separate from the rest of your computer.

This gives you a few advantages:
 - it can be setup to not share the clipboard or any file sharing features between it and its host computer
 - you can configure it to be an encrypted file that requires a password to start up each time. This means that the entire file the virtual machine is stored within is secured, not just an OS password that can be circumvented
 - you can quickly switch between TOR and clearnet browsing on different IP addresses
 - you can save 'states' of the virtual machine (a timeline) and switch back and forth to them, so if you fuck something up, in a few clicks you can go back to an older snapshot when it worked previously
 - you can move and copy your guest OS to other Macs if you like

> I recommend Parallels Desktop for Mac (http://www.parallels.com/), which is pretty cheap and a worthwhile investment IMO.

Once Parallels is installed, press the add (+) button to setup a new guest OS. From here you can choose to install your own copy of Windows, or use Parallels links to download Ubuntu Linux. I recommend however choosing the "Install OS X Mountain Lion Using the Recovery Partition". This option is obviously only for Mountain Lion [OS 10.8] users. It may be present for previous versions, but I'm not sure. Assuming you're a Mountain Lion user this will provide you with the OS you're used to, otherwise you'd need to install Linux or Windows. Even if you do have to do that you get the same advantages as above but won't be able to follow most of the rest of this guide.

OS X Mountain Lion will take quite some time to download as it's coming directly from Apple (which thinks you're trying to do a recovery).

Once it's downloaded and installed, shut down the new guest OS (if it starts automatically). When it's shut down, in the list of OSes, right-click (or control-click) the guest OS name and select 'Configure...' from the menu.

Go through the options. In the first tab 'General' I would just make sure the guest OS has the recommended memory and just one or two processors - you're not going to be using it for anything too demanding so it doesn't need much resources.

Under 'Options':
- In Optimization: choose 'Faster Mac' under Performance. If you choose 'Faster Virtual Machine' I find it doesn't speed it up much but will make your Mac quite a bit slower if you need to switch between it and the guest OS frequently.
- In Security: check the option to 'Isolate mac from virtual machine.' This will prevent file and clipboard sharing just to make things that little bit more secure
- In Hardware: select Network (this might be called Network 1, 2, etc.). Change the 'type' from Bridged to the network card/device (such as WiFi) that you're using. This will ensure your router provides you with a separate internal IP address. If for whatever reason you have more than one 'Network' available in the list on the left, I'd recommend disabling the extra ones

There's also an option within guest OS settings to choose not to back up the guest OS volume (which is saved in your user folder within the host OS as a folder which is disguised as a single file). I'd recommend doing that if you use things like time machine.

Now you can boot up your new guest OS!

When Apple wants you to register the product, choose to not sign-in with an Apple ID or any iCloud features. You can skip entering your address - even when you get a warning to enter registration text into the fields, just select the next button again to skip it. I'd recommend you choose a system username and password that's separate from your host OS to be on the safe-side.

Install all the usual OS X updates from the Apple menu.

I recommend you open System Preferences within the guest OS (under the Apple menu), go to 'Security & Privacy', select 'Firewall' and enable it. Under the 'Firewall options' button, choose 'enable stealth mode.' This will ensure your guest OS is further secured on your internal network. Back in the main System Preferences window, choose 'Sharing' and make sure everything is turned off.


TOR Browser
--------------
Your new, isolated, OS X is now ready for use, starting with downloading the TOR browser bundle for OS X. This will not only provide you with TOR access but a supplied secure version of Firefox.

> https://www.torproject.org/projects/torbrowser.html.en

Make sure the HTTPS Everywhere always-on SSL option is switched on using the dropdown menu on the far right of the TOR browser when it fires-up upon connection to the TOR network.


Extra downloads
------------------

* For password generation and storage I'd recommend 1Password

> https://agilebits.com/products/1password

I'd keep this outside the virtual machine. You can generate and store your virtual OS password within it. It can also store and share its database securely in Dropbox - handy for sharing passwords across machines and your iPhone/Android devices


* A good text editor is useful for typing out addresses and other messages to be encrypted with PGP (below). Sublime Text is great and free. Just be careful that it keeps tabs open when you next open the application unless you specifically close them before quitting the program.

> http://www.sublimetext.com/


* For extra security download TrueCrypt (free) and follow the instructions to create a secure Volume (the "...Create an encrypted file container" option after clicking 'Create Volume'; about 100mb volume size will be fine). Choose the best encryption method (ideally 'AES-Twofish-Serpent') and a strong password. You can opt for a hidden volume but I don't think it's necessary. Choose the option to not save a history during the setup.

Assuming you've set this up on the desktop, just drag it into TrueCrypt to mount the drive, which will work like a USB stick (you can keep it on one if you like).

> http://www.truecrypt.org/downloads

You can now safely keep bookmarks, files, and files with your SR username and password in here (rather than having to go back and forth to your host system for 1Password, especially as the clipboard won't copy and paste over.)

Don't forget to close any open files and unmount the secure volume when you're finished with it. There's an option in TrueCrypt for it to do it for you on quitting.


PGP Encryption (known as 'GPG' for Mac)
----------------------------------------------

Download the 'GPGTools Installer' from https://gpgtools.org/projects.html which will install GPG/PGP on your system and provide some apps to help. The one we will be using is 'GPG Keychain Access.' Open it from your Applications folder once GPGTools is installed.

> https://gpgtools.org/projects.html

*Import vendor public key*
Now you need to log into SR and copy and paste the PGP/GPG Public Key from the vendor you want to communicate with (or anyone else using PGP), usually found on their respective SR vendor page or sometimes within a selected product page.

Open a new text document (ideally in Sublime text) and paste in their key. Save this to your desktop as a txt file.

Now open the 'GPG Keychain Access' application if it's not open already. Click on Import and select the txt file that has the vendor's public key in it. It will now be imported and ready for use. You can import as many keys as you want.

Now your vendor's key is imported, you can close GPG Keychain Access.

*Prepare message*
Now we have the tools in place to communicate with your vendor. Prepare the message you want to send (either via messages) or your mailing address for the shopping cart when you're ready to place an order.

Save your message to the desktop as a txt file.

*Encrypt message*
Now open Terminal (found in the Applications > Utilities folder, or just do a Spotlight search for 'terminal').

Once it's open, you need to navigate to your desktop to access your message txt file. To do this, in Terminal enter (without the quotes):

"cd desktop" and press enter

Now you're on the desktop folder from within Terminal, you're ready to encrypt the message txt file you saved there. To do this enter the below command with the single quotes and the correct public key (usually the email address visible in GPG Keychain for the public key you have imported) and the name of your message file:

"gpg -e -a -r 'email address here' 'message.txt file here'" and press enter.

You have now created an encrypted copy of your message file! This should now be on the desktop with an .asc filename. You can now drag this to Sublime text to open it, ready to copy and paste into SR.

If you've made an address file that's going to be the same each time, you could move this into your secure volume ready for use next time.

I would recommend now moving the plaintext (unencrypted) version to the trash and right-clicking (or control-clicking) on the trash icon and choosing 'Secure empty trash', which will write over the space it took up with random 1's and 0's so that file cannot be read again with any kind of file recovery software.

A little explanation of what's going on above...

"gpg" is the program we're executing to make the encrypted file. "-e -a and -r" are options we've selected; 'e' is for encryption, 'a' is for "armor" which is PGP's way of making an ASCII formatted text file, rather than binary, and 'r' is the recipient, basically making sure you're choosing the right public key you wish to encrypt with.

More info for GPG users, which uses slightly different options to PGP on PC's, can be found here: http://www.physics.purdue.edu/PCN/doc/wiki/wiki:procedures:encrypt:mac


TIPS
-----
Don't forget some vendors will change public keys from time to time - you'll always need to import their latest one and encrypt using it for them to be able to decrypt and read it on their end.

If everything goes tits-up you can delete your entire guest OS by shutting it down and navigating to the folder it's stored in on your guest OS. This is usually in a folder within your username 'home' folder. When you empty the trash choose the 'Secure empty trash' option by right-clicking (or hold down control and click) on the trash icon. This will completely wipe your entire SR/TOR setup and it won't be recoverable with any software.

If you want to copy or move your guest OS, navigate to its folder and right-click to make a zip file ('Compress [filename]'). Moving it without zipping it up usually messes things up on the destination machine.

If you have deleted the drive but haven't done so securely, go to Disk Utilities in the Applications > Utility folder. This has an option to erase free space for disc-based hard drives which will write over free space with random 1's and 0's to ensure any previously deleted files cannot be recovered. This won't affect the availability of free space on the drive.

For the super-paranoid you can choose to enable FileVault from your host OS System Preferences. This will slow things down however as encryption is done on the fly. I have no doubt that Apple will have the facility to aid LE such as the NSA with decrypting such drives using master keys however. Personally I think an encrypted Virtual Machine and TrueVault secure volume within should suffice as a secure system with the ability to easily and securely dispose of it when necessary with just a few clicks.


Finally
-------
If you've made it to the end, well done! I hope this guide has been useful for you. Please feel free to reply with any suggestions or corrections and link it from other forums.

Oh, and never FE (Finalize Early), which will release your funds from escrow to the seller who can then fuck you over by keeping your money and not sending the goods.

Enjoy SR  ;D
Title: Re: Ultimate SR setup guide for Mac users - please try to pass around the forums
Post by: goatfisher on June 12, 2013, 12:08 am
Great guide!
Title: Re: Ultimate SR setup guide for Mac users - please try to pass around the forums
Post by: fije on June 12, 2013, 04:37 pm
> Great guide!

Cheers!
Title: Re: Ultimate SR setup guide for Mac users (inc. PGP/GPG) - pls try to pass around
Post by: abitpeckish on June 12, 2013, 06:05 pm
If you're going to do your business in a virtual machine (you should), you should just use Tails[1].

---
[1] https://tails.boum.org (clearnet)
Title: Re: Ultimate SR setup guide for Mac users (inc. PGP/GPG) - pls try to pass around
Post by: fije on June 12, 2013, 06:30 pm
> If you're going to do your business in a virtual machine (you should), you should just use Tails[1].
>
> ---
> [1] https://tails.boum.org (clearnet)

Now that is interesting...
Title: Re: Ultimate SR setup guide for Mac users (inc. PGP/GPG) - pls try to pass around
Post by: fije on June 12, 2013, 06:37 pm
> If you're going to do your business in a virtual machine (you should), you should just use Tails[1].
>
> ---
> [1] https://tails.boum.org (clearnet)

Does it work on Macs?
Title: Re: Ultimate SR setup guide for Mac users (inc. PGP/GPG) - pls try to pass around
Post by: fije on June 12, 2013, 06:45 pm
> If you're going to do your business in a virtual machine (you should), you should just use Tails[1].
>
> ---
> [1] https://tails.boum.org (clearnet)
>
> Does it work on Macs?
>
> Yes, you can make a bootable Tails LiveCD/DVD and run it at boot.

That's cool. I like to swap between my TOR and normal sessions instantly tho.
Very useful tool to be aware of tho, thanks.
Title: Re: Ultimate SR setup guide for Mac users (inc. PGP/GPG) - pls try to pass around
Post by: abitpeckish on June 12, 2013, 06:50 pm
> Now that is interesting...

Indeed.

* Reboot and poof everything is gone
* Worry less about whether or not your true location could be leaked, as Tor is shoved further into the low-level OS than in any other distro I've seen
* You can still keep your Tor-related info in your 1Password, though I suggest doing it as notes
* You can configure virtual disks for persistent storage
   ** e.g. storing your keyring and mounting it at ~/.gnupg
* You could even get fancy and have it always running on another machine and set up the Tails firewall to accept connections from certain computers
   ** you could then use an ssh proxy to connect from others
   
Tails is awesome.
Title: Re: Ultimate SR setup guide for Mac users (inc. PGP/GPG) - pls try to pass around
Post by: DrWalterB on June 15, 2013, 02:41 pm
thx ...
Title: Re: Ultimate SR setup guide for Mac users (inc. PGP/GPG) - pls try to pass around
Post by: ididnotdoit on June 18, 2013, 11:27 pm
i need help with this please i have a mac and cant figure it out help me PLEASE!!!
Title: thanks
Post by: snapplecaps on June 19, 2013, 12:11 am
thanks for the help !
Title: Re: Ultimate SR setup guide for Mac users (inc. PGP/GPG) - pls try to pass around
Post by: smegheadrimmer on June 19, 2013, 12:28 am
thanks a ton.