Silk Road forums

Discussion => Security => Topic started by: ECC_ROT13 on August 14, 2013, 03:27 am

Title: Hardware and Anonymity
Post by: ECC_ROT13 on August 14, 2013, 03:27 am
So in a scenario where you're worried about being deanonymized by something exploiting the machine that you're browsing via Tor with.. and setting aside the obvious "minimize attack surface by { disabling Javascript | running super-kinda-secure-OS | etc }", and "use physical isolation to hide your real IP from the workstation":

How do you have unidentifiable hardware? Obviously, buying a laptop somewhere not traceable (face to face w/ stranger, paying cash from a location w/o surveillance, etc.) is Option A. But has anyone put any effort into scrubbing existing hardware? I.e. you can find Manufacturer Internal utilities to scrub serial numbers, etc. from EEPROMs. But on-board Ethernet is a problem. With some vendors (Broadcom, etc.) you can find utilities to upload new code to them to reset the stored MAC address, etc., but that's usually going to require a manufacturer boot image for the card. Wi-Fi cards are often removable or replaceable.

Is anybody aware of any decent recipes or research in this area?

Pick a Linux box (your booted Tails instance is a good starting point), and, as root, start playing with running "dmidecode" and "lspci -v" and looking at the output.  You'll see what I mean. 

Virtualizing the OS is an obvious partial solution (Whonix, Qubes OS, etc.), but it doesn't address the core issue. When something pierces your OS, and your hypervisor, you're right where you started. And with a licensed copy of VMware, I'm pretty sure the guest OS can see the serial number.

Are there other data points that I'm missing from a hardware perspective that are accessible at an (exploited, root) software layer?   Anybody headed down this path yet?   
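
Added example, not part of either post: a short Python parser for the text that `dmidecode` prints, listing the per-unit identifiers (serial numbers, UUID, asset tags) that software running as root can read. The sample input, its values and the list of vendor filler strings are constructed for illustration.

```python
import re
# Constructed sample in dmidecode's output layout; every value is made up.
SAMPLE = """\
Handle 0x0001, DMI type 1, 27 bytes
System Information
    Manufacturer: ExampleCorp
    Serial Number: EXAMPLE-SN-0001
    UUID: 00000000-1111-2222-3333-444444444444

Handle 0x0002, DMI type 2, 15 bytes
Base Board Information
    Serial Number: To Be Filled By O.E.M.

Handle 0x0003, DMI type 3, 22 bytes
Chassis Information
    Serial Number: EXAMPLE-CH-0002
    Asset Tag: No Asset Tag

Handle 0x0011, DMI type 17, 40 bytes
Memory Device
    Serial Number: 1A2B3C4D
"""

UNIQUE_KEYS = ("Serial Number", "UUID", "Asset Tag")  # per-unit identifiers
PLACEHOLDERS = {"", "not specified", "none", "unknown", "no asset tag",
                "to be filled by o.e.m.", "default string"}  # common filler, not exhaustive
HANDLE_RE = re.compile(r"Handle 0x[0-9A-Fa-f]+, DMI type (\d+)")

def parse_dmidecode(text):  # returns a list of {type, name, fields} records
    records = []
    for line in text.splitlines():
        m = HANDLE_RE.match(line)
        if m:
            records.append({"type": int(m.group(1)), "name": None, "fields": {}})
        elif records and line.strip():
            rec = records[-1]
            if rec["name"] is None:              # line right after the handle
                rec["name"] = line.strip()
            elif line[0].isspace() and ":" in line:  # indented "Key: value"
                key, _, value = line.strip().partition(":")
                rec["fields"][key] = value.strip()
    return records

def unique_identifiers(records):
    """Return (structure, field, value) for fields that identify one unit."""
    return [(r["name"], k, v) for r in records for k, v in r["fields"].items()
            if k in UNIQUE_KEYS and v.lower() not in PLACEHOLDERS]

if __name__ == "__main__":
    print(*unique_identifiers(parse_dmidecode(SAMPLE)), sep="\n")
```
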

Title: Re: Hardware and Anonymity
Post by: HubertCumberdale on August 14, 2013, 06:22 am
First off, I would go VirtualBox over VMware. If you do some googling, you should find ways to add extra protection of your VLAN that can't be added on a traditional LAN port.

That said, you could certainly spoof your MAC address. While this isn't anything spectacular, it's a deterrent for sure. My experience with LE is that they are easily satisfied. "I see that it's this, good enough." - though it's definitely not a fail-safe.

I know they used to have DECAF, which was built to contain a bunch of safeguards against the use of COFEE, a computer forensics program. Though I'm not sure what options you have for hardware. There's a book about hardware solutions for computer security. I understand that it's relatively thorough, though I have not investigated it.