Silk Road forums

Discussion => Security => Topic started by: Evanescence on February 05, 2012, 09:46 pm

Title: Vendors should always use a remote service
Post by: Evanescence on February 05, 2012, 09:46 pm
I'm starting to come to the conclusion that SR alone is not good enough for vendor security.

The problem, as discussed on other threads, is that postmarks and Tor client traffic can be geographically profiled (http://en.wikipedia.org/wiki/Geographic_profiling).

If you are a vendor what you need is, minimum, a good VPN service.  Or you could rent a whole virtual Windows machine from Microsoft for 10 cents/hour or Linux VM.

Either way the critical factor is this moves the origin of TOR traffic from your house to a server where it cannot be found via profiling (practically speaking).

I'm not a security expert so take this fwiw, but just thinking it through it should be malpractice for a high value vendor to physically touch any computer with TOR on it.


Other thread where this is discussed:
http://dkn255hz262ypmii.onion/index.php?topic=10601.0
Title: Re: Vendors should always use a remote service
Post by: kmfkewm on February 05, 2012, 10:19 pm
You are better off to buy a VPS somewhere random and use it as a private Tor bridge.

If you can't afford to do this you can always use one of the semi-public volunteer bridge nodes:

https://bridges.torproject.org
https://www.torproject.org/docs/bridges

Only use ones on port 443 if you want the best membership concealment ... I suggest using no more than three bridges at any given time and try not to change the bridges you pick much. Right now bridges focus primarily on reachability and blocking resistance, but they offer membership concealment in the process. Tor plans to revamp its bridge system soon to offer significantly stronger membership concealment.

Using a private bridge you run yourself also gives you the benefit of being protected from active traffic confirmation attacks; since you know the first node you enter traffic through is not owned by an attacker, it significantly increases your anonymity and membership concealment.
Title: Re: Vendors should always use a remote service
Post by: Derpasaurus on February 06, 2012, 03:43 am
VPN not safe, they all decrypt your traffic to see what awesome stuff they can find (money) wouldn't you?
Like that guy said build your own VPS bridge node or remote desktop and SSH into it.

Title: Re: Vendors should always use a remote service
Post by: Evanescence on February 06, 2012, 04:29 am
Well I did mention a remote virtual machine as an option, but the real point is

__Vendors should not physically touch a computer sending Tor traffic, and should not even be physically near a computer sending Tor traffic.__

Note if you set up a totally private Tor bridge and try to connect to it via SSL you can still be identified as a Tor client.  You have to totally remove the Tor protocol between you and the first server you connect to (which could be a virtual machine).

I'd be willing to bet lots of vendors are using the Tor browser bundle from their own computer, which seems to be a pretty big mistake given the consequences.
Title: Re: Vendors should always use a remote service
Post by: PharmerJohn on February 06, 2012, 05:44 am
What if a vendor bought a new computer specifically for SR work, scrubbed of all personal info, and used it from someone else's IP? Seems safe to me, and even if someone were to get the computer, everything is locked down/ hidden/ encrypted, so... yeah. I might be missing something though, advice?
Title: Re: Vendors should always use a remote service
Post by: kmfkewm on February 06, 2012, 05:52 am
Being near a computer that uses Tor should be fine as long as it isn't tied to you in specific. Even using Tor once or twice is probably fine, although never using Tor from a location or device or IP address that can be linked to you is always the best bet. One of the main things you need to worry about is simply getting the Tor software in the first place, an attacker could very well just monitor the Tor project website and see who all downloads Tor. A lot more people download Tor than regularly use it though. In many cases your usage pattern of Tor will leak to an attacker who can monitor the Tor directory authorities, but your usage pattern will not leak to an attacker who monitors the Tor download site.

I don't like using remote virtual machines. The people who own the remote server can spy on your traffic as it passes through. Plus unless you use Tor to connect to the remote machine you are not going to be getting the cool encryption features of Tor. Almost all VPNs are extremely weak to website fingerprinting attacks because they don't pad their encrypted packets to all be the same size. Tor pads packets to 512 bytes and this significantly distorts fingerprints. Website fingerprinting attacks have in some cases identified that traffic has a 98%+ probability of being a certain preidentified website, even though the traffic is encrypted and can not be decrypted without the proper keys or a currently infeasible amount of computing power. I think the best anyone has done against Tor is 60%.

Tor kind of tries to disguise its traffic as SSL. Although it still sticks out. For example all packets are 512 bytes. It also used to have a unique parameter with its SSL implementation but they changed that after some country (forgot which) started using it to identify connections to bridges. Tor traffic still sticks out but it has gotten more and more disguised over the past few years, and currently it requires a significant amount of resources to passively scan large amounts of traffic looking for Tor traffic. If it was easy to do, bridges wouldn't work to bypass the Great Firewall of China, they would just block all Tor traffic.
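
Added example (not part of the original post): a toy size-based fingerprint matcher over constructed traces, showing why padding every record to the fixed 512-byte cells mentioned above removes the record-size feature while the number of cells still leaks. The site names, trace sizes and the multiset Jaccard scoring are assumptions chosen for illustration.

```python
import math
from collections import Counter

CELL = 512  # fixed cell size quoted in the post above

# Constructed reference traces: encrypted record sizes (bytes) per site.
PROFILES = {
    "site_a": [310, 1460, 1460, 742, 95],
    "site_b": [288, 1460, 1460, 801, 130],
    "site_c": [455, 1460, 1460, 690, 77],
    "site_d": [300, 1460, 1460, 1460, 900, 100],
}
# Constructed observation: one visit to site_b, records in a different order.
OBSERVED = [288, 1460, 801, 1460, 130]


def pad_to_cells(sizes, cell=CELL):
    """Replace each record by the fixed-size cells needed to carry it."""
    cells = []
    for n in sizes:
        cells.extend([cell] * math.ceil(n / cell))
    return cells


def similarity(a, b):
    """Jaccard similarity on multisets of observed sizes."""
    ca, cb = Counter(a), Counter(b)
    return sum((ca & cb).values()) / sum((ca | cb).values())


def candidates(observed, profiles, transform=lambda s: s):
    """Return (sites tied for the best score, all scores)."""
    obs = transform(observed)
    scores = {name: similarity(obs, transform(trace))
              for name, trace in profiles.items()}
    best = max(scores.values())
    return sorted(n for n, s in scores.items() if s == best), scores


if __name__ == "__main__":
    # Unpadded: distinctive record sizes single out one site.
    print("unpadded:", candidates(OBSERVED, PROFILES)[0])
    # Padded: a, b and c all become ten 512-byte cells and are
    # indistinguishable; site_d (13 cells) is still ruled out, so
    # volume remains a usable feature even with fixed-size cells.
    print("padded:  ", candidates(OBSERVED, PROFILES, pad_to_cells)[0])
```
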
Title: Re: Vendors should always use a remote service
Post by: kmfkewm on February 06, 2012, 05:54 am
What if a vendor bought a new computer specifically for SR work, scrubbed of all personal info, and used it from someone else's IP? Seems safe to me, and even if someone were to get the computer, everything is locked down/ hidden/ encrypted, so... yeah. I might be missing something though, advice?

The main thing you and many others are missing is the simple fact that LE may not even give a fuck about what is on your computer. Having your computer encrypted and locked down isn't going to mean shit if you are deanonymized and they find drugs on you. Not to mention if they really want to get around your full disk encryption they won't have any trouble to do so if they don't fuck up tactically, unless you are taking exceptional security measures that probably almost nobody actually is, like using shielded equipment and carrying your laptop on you 24/7 to prevent it from being bugged with hardware keyloggers etc. They have already pwnt several carders and even a few drug dealers who used FDE simply by bugging their computers when they were left unattended. One technique they use is to make sure a person is online prior to a raid and then they storm the place and flash freeze the RAM / dump the contents of RAM to a forensics laptop, before it has a chance to lose its state entirely, which can take something like five to ten minutes after power is cut. FBI counter intelligence used transient electromagnetic pulse analysis to steal passwords from some Russian spies a bit ago, but they probably spend more resources on them than they will on you.
Title: Re: Vendors should always use a remote service
Post by: QTC on February 06, 2012, 06:20 am
In my experience anybody that recommends that you use a non anonymized connection from your battlestation to a VPN is probably a federal agent.
Title: Re: Vendors should always use a remote service
Post by: TravellingWithoutMoving on February 06, 2012, 01:55 pm
...vendors should take charge and make their own decisions with regards to how they will go about their business specifically their own security..
Title: Re: Vendors should always use a remote service
Post by: Evanescence on February 06, 2012, 03:08 pm
In my experience anybody that recommends that you use a non anonymized connection from your battlestation to a VPN is probably a federal agent.

Probably better to just assume any message here could be LEO.  Evaluate all information on its merits, and only use it if you think it makes sense.

I'm not suggesting a VPN service to encrypt your data.  I'm just saying it's one way to not use the Tor protocol to the first hop. 

There are a dozen ways to accomplish that, pick your favorite.
Title: Re: Vendors should always use a remote service
Post by: Evanescence on February 06, 2012, 03:13 pm
...vendors should take charge and make their own decisions with regards to how they will go about their business specifically their own security..

Yea people should make their own decisions, but based on being fully aware of the trade-offs and risks.

Vendors who use Tor browser bundle on their computer for business on a regular basis can probably be identified if someone is interested in putting in a little time.

If any vendor decides to not take this advice, you're right, it's their decision.  But I sure would be interested to know how they think it's the best decision for them.