Silk Road forums
Discussion => Security => Topic started by: fyodor on February 22, 2012, 03:14 am
-
I didn't see a post on general security setup; OS, encryption, browser vulnerabilities. Highly recommended for sellers and the very paranoid willing to take the time. Feel free to add, correct, or disagree if you feel there is something lacking.
First off I'd like to clarify two things about anonymity: footprint vs fingerprint. You would think the smallest footprint would be best, but the lack of information, depending on how it's logged, may be an identifier itself! Example: a blank user-agent versus a Firefox user-agent. You may be the only user to pass through a tor entry and exit node with no user agent, identifying you. Check out https://panopticlick.eff.org/
First off you can be identified in 3 main ways:
1)ISP (internet service provider)
2)browser fingerprint/vulnerabilities
3)MAC (machine-access-code)
For the most secure/anon setup follow this guide:
1."FDE" Live Persistent Linux USB stick to boot. Full disk encryption with a strong passphrase will ultimately foil all attempts to get data from your system upon a raid; EXCEPT if your machine is already booted during the raid. Forensic techs can cold boot your machine with freeze spray, getting its passphrase from its RAM. Always shut down properly. Having it on a live USB stick ensures no data is stored on your local hard drive, which upon deletion, if not purged/shredded, will still exist, just as unallocated space. Also having it on a micro USB allows you to hide it or toss it easily. The "persistent" part allows you to save data/programs (tor browser) to the USB stick without it being overwritten upon reboot.
Tutorial (http://www.infosecramblings.com/backtrack/backtrack-5-bootable-usb-thumb-drive-with-full-disk-encryption/)
*Notes: I don't believe this has to be BackTrack "flavor" since BackTrack runs off Ubuntu, but you will enjoy its tools anyway ;). Read the full tut before starting. Some things not made entirely clear in the tut...
i)Use a 16g or bigger stick IMO
ii)You are booting from another live cd/usb to create this FDE Live Persistent BT5r1 stick. Use unetbootin to create it, I don't recommend a virtual machine unless familiar.
iii)To help identify your drive at "dmesg | egrep hd.\|sd." it will have the size and typically the brand out to the right in the terminal
iv)As expected I got "..the partition table failed with error 16:..." on first step. He says you need to "re-execute cryptsetup luksOpen" although he never said to initially start this??? I just rebooted and continued
v)(to clarify) At "vi /etc/fstab" my file, once fixed, read:
# /etc/fstab: static file system information.
#
# Use 'blkid -o value -s UUID' to print the universally unique identifier
# for a device; this may be used with UUID= as a more robust way to name
# devices that works even if disks are added and removed. See fstab(5).
#
# <file system> <mount point> <type> <options> <dump> <pass>
proc /proc proc nodev,noexec,nosuid 0 0
/dev/mapper/vg-root / ext4 defaults 0 1
# /boot was on /dev/sdc1 during installation
vi)After finished entirely reboot, login, "startx", run "apt-get upgrade". Do not run "apt-get safe-upgrade" or "apt-get autoremove". If you do run "apt-get autoremove" running "apt-get install cryptsetup ecryptfs-utils keyutils" may fix it.
vii)You should never use the "root" account regularly. Create a new (encrypted) user: "adduser --encrypt-home USERNAME" where USERNAME is the account name you want. Don't use the same passphrase as your FDE passphrase. Don't give any personal information. Add new user to sudoers: "visudo". Under the line "root ALL=(ALL) ALL" add "USERNAME ALL=(ALL) ALL" where USERNAME is the account name you just created. Hold "ctrl" and "x" to exit, press y to save, press enter to confirm. Change root password: "passwd root".
viii)Download your favorite virtual machine software, if so inclined, although I think it may be a little overkill in this situation.
2)ISP (finally!)
i)Login to the account you created, download tor browser bundle. "tar -xvzf" the file you downloaded to unzip/install.
ii)Use a bridge to access tor if it's blocked by your ISP. You may also want to use it to hide from your ISP that you ever connected to tor. Also use an outproxy when connecting to official "clear internet" bitcoin sites to avoid a Suspicious Activity Report (SAR).
iii)As many know, if the entry and exit nodes on tor are controlled by the same person, one might identify your IP. I still recommend using an open wifi network, with a nifty Yagi antenna, from home. Check out the FBI's Carnivore project... With most nodes in the US and how much data their Carnivore is eating, I'm wary.
3)Browser Vulnerabilities (the biggie!)
i)Navigate to http://ip-check.info/?lang=en in your tor browser for an anonymity test for an idea of how anonymous you really are. May have to allow through no-script for full read out
ii)Navigate to "about:config" make sure prefs read as listed below:
browser.cache.disk.enable, false
browser.cache.memory.enable, false *this one seems to come back to true whenever I restart so be careful*
browser.display.use_document_fonts, 0
browser.sessionhistory.max_entries, 2
dom.storage.enabled, false
**there is a tab-name-eraser toggle I'm missing here if anyone can find it**
iii)Add these firefox extensions:
Adblock Plus
Better Privacy (select your entire user directory for searching of these D4MN flash cookies! They'll reside in your tor-browser directory and your .macromedia folder. Have them deleted every time you exit and start.)
Ghostery (select all trackers and cookies)
RefControl (options>edit block referer)
iv)Firefox>edit pref>privacy> check "tell websites don't track me" and check "always use private browsing" and do not "accept cookies". Under exceptions add SR sites
v)Once restarted go back to http://ip-check.info/?lang=en to see how you rate.
4)MAC and connecting
While MAC addresses should never leave the router, and perhaps this is more of a h4x0r trick, if sh!t hits the fan, it's the true identifier that the connection came from "this here computer." In a court case, when the MAC addresses don't match up, it'll be your last line of defense. "Your network was open/hacked when the ISP recorded your ip."
Disconnect from your internet connection, then from terminal run "sudo ifconfig" you'll see all your internet interfaces: eth, lo, and wlan. Wifi=wlan, ethernet=eth. If you connect via wifi adapter it may show up as wlan1.
Run on your interface that you use to connect to the internet "sudo ifconfig wlan0 down" for me. May be eth0 for most desktops.
Run "sudo macchanger -r wlan0" for a random address.
Run "sudo ifconfig wlan0 up" to turn interface back on.
Connect to your internet or "open" neighborhood/starbucks/library/Yagi wifi.
(Run vm software with random macs if you please or want multiple comps up)
Run Tor and have fun.
*I never even use this whole usb stick for anything personal. Also check into getting an overseas non-extraditing VPN to run before tor.
**If anyone has a good tut on setting up a pseudonym/alias remailer account connection with my overseas email account (neomail or countermail) let us know!
Thanks for reading! Let me know if I forgot something or if you disagree. As for questions, I may not be on frequently, sorry.
---------------------------------------------------------------------------------
"Only to live, to live and live! Life, whatever it may be!"
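The footprint-vs-fingerprint point from the post above, as an added example that is not part of the original thread: the records below are constructed sample request attributes (not real traffic), and the functions measure how large an anonymity set each attribute combination leaves. The record with a blank user agent ends up alone, exactly the "lack of information is itself an identifier" effect the post describes.

```python
from collections import Counter
from math import log2

# Constructed sample of request attributes as a log point might record them.
# Six clients share one common Firefox user agent; one sends no user agent at all.
COMMON_UA = "Mozilla/5.0 (Windows NT 6.1; rv:10.0) Gecko/20100101 Firefox/10.0"
CHROME_UA = "Mozilla/5.0 (Windows NT 6.1) AppleWebKit/535.19 Chrome/18.0 Safari/535.19"
SAFARI_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_7_3) AppleWebKit/534.55.3 Safari/534.55.3"
BLANK = {"ua": "", "lang": "en-US"}
RECORDS = (
    [{"ua": COMMON_UA, "lang": "en-US"} for _ in range(6)]
    + [{"ua": CHROME_UA, "lang": "en-US"},
       {"ua": CHROME_UA, "lang": "de-DE"},
       {"ua": SAFARI_UA, "lang": "en-US"},
       BLANK]
)


def fingerprint(record, attrs):
    """The tuple of attribute values an observer would key on."""
    return tuple(record[a] for a in attrs)


def anonymity_sets(records, attrs):
    """Map each fingerprint to the number of records sharing it."""
    return Counter(fingerprint(r, attrs) for r in records)


def surprisal_bits(records, attrs, record):
    """Identifying information one record leaks: -log2 of its fingerprint's share.
    A fingerprint seen only once out of N records carries log2(N) bits."""
    sets = anonymity_sets(records, attrs)
    return -log2(sets[fingerprint(record, attrs)] / len(records))


def entropy_bits(records, attrs):
    """Shannon entropy of the fingerprint distribution: how much the attribute
    set as a whole distinguishes clients (higher means more identifying)."""
    n = len(records)
    return -sum((c / n) * log2(c / n) for c in anonymity_sets(records, attrs).values())


def unique_records(records, attrs):
    """Records whose fingerprint nobody else in the sample shares."""
    sets = anonymity_sets(records, attrs)
    return [r for r in records if sets[fingerprint(r, attrs)] == 1]


if __name__ == "__main__":
    for r in (RECORDS[0], BLANK):
        print(repr(r["ua"][:30]), f"{surprisal_bits(RECORDS, ('ua',), r):.2f} bits")
    print("entropy of ua alone:", f"{entropy_bits(RECORDS, ('ua',)):.2f} bits")
```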
-
Don't use countermail. Nobody knows who runs it, and they 'encrypt for you' which is disturbing.
At least if you use privacybox.de you know the German Privacy Foundation and affiliated people from the Chaos Computer Club in Berlin won't be screwing with you. You can also up your own GPG key instead of letting countermail generate for you.
The only problem with your setup is if the cops kick down the door and seize your USB key, because there is no brute force protection, and no shielding they can run all sorts of attacks on it. Maybe invest in cryptostick 2.0 when they come out.
I prefer to just use an anonymous live CD in bridge mode with an encrypted usb stick for storage. That way evidence disappears after reboot and usb device has protection against all forensic attacks including brute force timeout
-
The only problem with your setup is if the cops kick down the door and seize your USB key, because there is no brute force protection, and no shielding they can run all sorts of attacks on it. Maybe invest in cryptostick 2.0 when they come out.
Ironkey has been around forever and works just fine.
-
Ironkey is good, but can't buy it outside N. America
Unless somebody here wants to start selling them :) though you would be crazy to do it. Not very hard to find the guy buying bulk Ironkeys from distributors.
-
tl;dr? :)
-
Q: Is hushmail reliable? What about instant msg like privatnotes?
-
Hushmail is even worse than using regular yahoo mail. Not lying. It's a lot harder for them to get a warrant to open your yahoo mail than it is contacting Canada police and having them spill your hushmail account. If you are Canadian, and using Canadian email it's harder for them to get at as they need warrants. But if you're American, then Charter of Rights and Freedoms doesn't apply and they will hand over your info at the drop of a hat. All it takes is a simple request through MLAT
Hushmail has coughed up countless times to the feds, and even admitted their encryption is fully backdoored for law enforcement. It's 100% garbage. They will also cancel any account even suspected of 'illegal activity'.
Use Tormail and encrypt your own mail.
-
Don't use countermail. Nobody knows who runs it, and they 'encrypt for you' which is disturbing.
At least if you use privacybox.de you know the German Privacy Foundation and affiliated people from the Chaos Computer Club in Berlin won't be screwing with you. You can also up your own GPG key instead of letting countermail generate for you.
Thanks for the heads up on countermail. I didn't know CCC had an email service. And @JimPooley, hushmail is sh!t. Not only did they comply to turn data over they installed a back door on the user in question, THEN released it to all the users as a "security update."
there is no brute force protection, and no shielding they can run all sorts of attacks on it. Maybe invest in cryptostick 2.0 when they come out.
I haven't heard of anyone brute forcing FDE aes 512 encryption. Their only saving grace is cold booting. www.sciencedirect.com/science/article/pii/S1742287611000727
---------------------------------------------------------------------------------
"Only to live, to live and live! Life, whatever it may be!"
-
Cheers for this, commenting so I can find it again.