Silk Road forums

Discussion => Security => Topic started by: runningcat on April 22, 2012, 09:40 pm

Title: Simple Selling Questions
Post by: runningcat on April 22, 2012, 09:40 pm
For starters, sorry for spamming a topic that I am sure you are all fed up with.
I am trying to do my best to protect myself and others as a seller and while it may be an over posted topic, I want to be sure I have done everything possible to be safe.

Does it matter if I have a virtual machine, currently using only Windows 7? If so should I use Linux or Windows 7 or something else?
If I use linux will there be tutorials readily available for encryption as well as other needed aspects of security?
Any other important tips? 
Thanks.
Title: Re: Simple Selling Questions
Post by: flipside on April 22, 2012, 10:13 pm
Good call! :)

Safety first my friend! As a new vendor you are protecting your customers as well.

At the VERY least you need to be able to offer GPG encryption of your customers' shipping details (at least), thru the SR PM system/email or otherwise.

Running Linux with Liberte/Tails is generally considered "best", but running open-source programs like Firefox/Thunderbird/GPG, etc. from "any" OS (OSX, Linux, anything "UNIX-based" is preferable) is the next best option.

All Truecrypted on flash medium if possible. Possibly using a LiveOS with multiple read/write flash drives, again, if possible.

Opinions on VMs are kind of "up in the air" as far as I know. Depends on how they are used I believe.

Peace

The Flipside Crew
Title: Re: Simple Selling Questions
Post by: runningcat on April 22, 2012, 10:29 pm
I followed everything but this:
All Truecrypted on flash medium if possible. Possibly using a LiveOS with multiple read/write flash drives, again, if possible.
Are you saying when I encrypt my files to just be sure I do it on my flash drive? Also what do you mean multiple? What purpose does this serve? Also where should I keep my bitcoin wallet? On a separate flash drive? Thanks.


Title: Re: Simple Selling Questions
Post by: flipside on April 22, 2012, 11:23 pm

TrueCrypt allows you to store a second (unnoticeable) "hidden-volume" on top of a normal encrypted volume. This allows you to (in a court of law or otherwise) "give up" your 'password' if need be, without compromising any sensitive details stored on the "hidden-volume". Search here or the TrueCrypt site for more info.

A LiveOS allows you to boot a "read-only" OS, run apps, etc. while leaving no trace on the host computer. It is not "required", but recommended.

All sensitive info should be "written" to a portable flash medium (USB, SD, etc.) again (optimally) leaving no trace on the host computer.

Multiple flash drives serve multiple purposes. One, to "back-up" your files. Two, to integrate security measures requiring ("top-secret") measures, requiring two flash drives (like a nuke needing two keys to launch). Search my friend. Although this is just our personal security developments, they WORK! VERY nicely. Think about it...

For example, keys on one drive...apps/system essentials on another...while running a LiveOS.....hmmm...

Just sayin'...to protect ourselves, as well as our customers, "this is how we do it". :)

We have our own secure methods of dealing with BTC, so no advice there my friend. Sorry. :(

Peace

The Flipside Crew

 
Title: Re: Simple Selling Questions
Post by: runningcat on April 22, 2012, 11:32 pm
Ok well can you say if leaving them on a flash drive is at least "acceptable"? Also if I am running off of a live CD what is the need for TrueCrypt? I understand the purpose (as you said for court), but using a live CD everything will disappear when I am done so what purpose could this serve?
Are you referring to TrueCrypt on the information I actually keep which will be on my flash drive?

I realize this is a dumb question, but I already typed so I might as well be sure ;)
Title: Re: Simple Selling Questions
Post by: Prawl42 on April 22, 2012, 11:59 pm
Yes, using a TrueCrypt hidden container on a USB flash drive is the way to go to protect any data that you need stored.

With TrueCrypt you can set up an encrypted container that requires a password to gain access to the files.

However with TrueCrypt comes a very handy feature that allows you to have a secret hidden container inside a normal encrypted container.

Why is this needed you might say? In case you were ever forced to give your password to this drive by a court or some rather big and hairy Russian dude all they will get is some slightly important stuff that is of no use.

How is this possible? The hidden container is completely untraceable inside the container seeing as it is displayed as random data and all free space in the container is also random. When you go to access the container you enter your normal password to gain access to the outer "disposable" container that you could happily give up if needed, or the password to your hidden container that has all your important stuff :)
Title: Re: Simple Selling Questions
Post by: runningcat on April 23, 2012, 12:10 am
Thanks that helped a lot. What kind of fake data do I want to put in the one I don't need? Also what exactly would I put in my important one? I assume this will help my previous business transaction keys as well as a place I could store my bitcoins? Thanks.
Title: Re: Simple Selling Questions
Post by: runningcat on April 23, 2012, 12:16 am
Also the version of TrueCrypt I use is reliant on the operating system of my bootable CD, correct? Not my main operating system?
Title: Re: Simple Selling Questions
Post by: Prawl42 on April 23, 2012, 12:31 am
For fake data you could put some passwords to online forums (nothing SR or drug related), some naughty pictures of a spouse or ex, anything that you wouldn't want the public seeing but wouldn't be the end of the world. For your important one, all the data you need for use on SR, seeing as you can't save anything to the live CD, so PGP keys, other encryption keys, any wallet info, that sort of stuff. Storing passwords on it is up to you but personally wouldn't. Your main OS doesn't come into play at all; after the container is set up all TrueCrypt is needed for is mounting (opening) the file. I believe Tails comes with TrueCrypt? Might be wrong, haven't used it in some time.
Title: Re: Simple Selling Questions
Post by: flipside on April 23, 2012, 01:12 am
Storing passwords on it is up to you but personally wouldn't.

Indeed ALL "very" sound advice Prawl! :)

Any REALLY important passwords should be different from "any" other used elsewhere online, and should be stored ONLY in your head (and in your head) ONLY!!!

Using upper/lower case letters, numbers, special characters, etc...with NO words from the dictionary is the way to go. Really quite simple to make an "easily rememberable" 25+ character password with easily remembered sentences/phrases (integrating numbers, characters, etc.), like:

"ThiZ-iz-$ome-P@zzw0rd~u-PHR3AK!!?"

For example... ;)

Peace

The Flipside Crew



Title: Re: Simple Selling Questions
Post by: 77Tjm on April 23, 2012, 03:20 am
For the decoy, outer volume, the theme is embarrassing, secret, but not illegal. Gay porn, animal porn, people pooping on people porn.

Another approach: a text or spreadsheet file with a hundred or more random passwords.

For the passwords, just google for a password generator, create a whole bunch, save them in a text file, maybe numbered. Don't use the passwords for anything, just hope that they will throw off the scent while the LE goes nuts trying to figure out what they are for.

Some other ideas for TrueCrypt container storage (in addition to decoy/hidden volumes, which should always be used, IMO, since they offer an opportunity to look for said porn):

Google Linux, download as many distros as you can find. That will give you a number of large .ISO files, which can then be turned into TrueCrypt volumes. Don't even need to use them. Heck, make 30, use 3 at random. Split up your data - create your own 2 factor authentication. Example: to get into ISO 1, you use your passphrase. In ISO 1, there is a text file, with 20 63-character random passwords. You pick a number between one and twenty. 8. You choose the 8th password on the list, copy and paste it into the PW box of TrueCrypt for ISO 2, then type in a memorized 'PIN' at the end. I know, it's weak 2-factor, but it's still something you have (the 63-character random password), combined with 3 things you know - the file name of ISO 2, that it was password # 8 in the list from ISO 1, and the memorized 'PIN' at the end (or passphrase at the end - as long as it's unique).

Using this method, you could divide up and bury your data in such a way that a specific order would need to be followed, with keys derived from many different encrypted areas (truecrypt and your head).

Just don't put all your eggs in one basket- make sure there is more than one pw between LE and your balance sheet.