Silk Road forums
Discussion => Newbie discussion => Topic started by: dadalifenotfun on August 13, 2013, 01:20 am
-
I was wondering if using TOR by itself and PGP encryption is safe and anonymous. No use of TAILS or VPN. Just the standard Tor browser (with Java disabled) and PGP.
Would LE be able to track/bust me for small personal orders if I'm sending it to a completely different address? How safe is it? I know many people just use TOR and don't even encrypt their address when ordering from vendors. What is your input on this?
Thanks
-
First of all, while Java is a huge security risk it is typically disabled by default. What we are currently watchig out for is "javaSCRIPT". Big difference.
If you are raided and your computer is unencrypted with tor on it you are suspicious.
Think "if I WERE to be raided what could they use against me" and fill in the gaps.
I recommend tails, only because it is a great security solution for people who are not very technology oriented.
If you're using windows or OSX as an operating system i'd abandon ship and get linux mint or ubuntu.
-
I would recommend using a virtual machine (VirtualBox or VMware) with Linux running inside it. Then you set up another virtual machine running Whonix Gateway, for it to connect through.So it's like a Tor Browser inside a virtual linux box, connecting through ANOTHER tor connection (the Whonix VM).
-
thanks
-
What is the risk of using iGolder.com's PGP Encryption tool only to encrypt my address for a purchase. The free PGP Encryption tool is able to be accessed through Tor. They say no info is stored. If its safe its is very quick and easy. That's a big IF though...
-
Don't use crap like that. It can't be trusted. You have no idea what is actually being done with that data.
-
What is the risk of using iGolder.com's PGP Encryption tool only to encrypt my address for a purchase. The free PGP Encryption tool is able to be accessed through Tor. They say no info is stored. If its safe its is very quick and easy. That's a big IF though...
Relying on an external service to encrypt your address for you is very risky. They could be harvesting private data trivially. Considering Tails comes with PGP (gpg, gpgApplet) encryption tools, there is really no point in using (and trusting) anything else.
-
As psyche mentioned turn java scripts off (look for the S in a circle next to the address bar, set it to no scripts globally), you'll also need to deactivate Iframe to protect from some new exploits that are popping up that have to do with links on a page preloading the linked website in the browsers cache in anticipation of you clicking on it (same deal, click the s, then go to options, embeddings, check forbid Iframe).
No Windows, Mac is not really ok, much better to have Ubuntu or similar linux distro. Running Tails is recommended, however there are issues with tails when used as a regular OS using a standard connection. What I mean is when you consistently connect tails to the same network, like your home's wireless, you open yourself to risks.
It's a bit complicated, but tor has a particular safeguard in place called persistent guard nodes, which basically means you're first hop will be to one of a few entry nodes that Tor "remembers" for you for a defined length of time. This reduces the risk, for all users generally, that you'll fall victim to a compromised entry node that can intercept your requests, unmask you, etc,.
Tails doesn't have this capability. Every time you connect to tor you're given a new, randomly chosen entry node. This increases the risk of being routed through a malicious node, increasing the risk that you may fall victim to an attacker who controls both the entry node and exit node you use. It's very unlikely, I've never read of it happening in the wild, but it's a real risk.
It isn't really a flaw, as Tails is designed to be as Amnesiac as possible. Forgetting the persistent guard nodes is in line with the operating philosophy. However, one must remember that tails was not designed for SR heads sitting on the pc at home scouring the Meth listings every night :) It was designed for people who would solely use Tails in anonymous, random locations, like coffee shops and public wifi hotspots, never using the system to do anything that could be linked back to you. When used properly this way the lack of persistent guard nodes is a reasonable idea.
Hopefully in the future Tails will have the option of keeping a persistent, encrypted copy of the guard nodes, making tails safer to use regularly from one location, but as it stands the weaknesses are unlikely to effect anyone, and if you're modifying your mac address before each session and regularly wiping clean your HD and encrypting everything incriminating you send it's the most user friendly method of using tor and SR safely and with confidence.
P.S. Using VM's to isolate processes, running separate VM's for everything you want to do, has definite merits, but one has to be careful. Many VM software keeps extensive data logs on what was running. Possible to organise an amnesiac setup with VM's, but do your research to make sure you're not compromising yourself inadvertantly, Hitch :)
-
Thank you for your responses. But back to the original question:
Theoretically speaking would LE be able to track/bust anyone for small personal orders if it is being sent to a completely different address (only using Tor and PGP) assuming the vendor does everything right and has perfect stealth/packaging? How safe is it to do so?
-
I would say just stay away from unknown tor sites, there have been reports of viruses spreading via tor that reveal your information.
And ordering even a commercial amount is generally safe, even to the stash location. I've had 12+ orders go without a hitch.