Silk Road forums
Discussion => Security => Topic started by: 1as3df4gh on September 27, 2011, 07:08 am
-
I am trying to protect my system and my data as much as possible, can you run your eye over my setup and let me know what you think please?
OS: Debian based
Hard disk: Fully encrypted 256bit, except /boot partition
AES 256 bit encrypted container on HD holding Tor bundle, copy of all login details and copy of wallet.dat, password is random 36 characters committed to memory (not as hard as it sounds!)
The above container is mirrored on a USB in my safe, as well as on Dropbox (I know it's not secure but if "they" can break AES 256 w/ 36 character pwd they deserve my money!)
Email account is Hushmail with 25 character pwd.
Bitcoins purchased for cash at a branch of a bank which I never use for another purpose.
All login details are unconnected to my RL persona, passwords are all random 25 characters.
All SR related activity is through Tor browser, including registering for Hushmail etc.
I think I have all bases fairly well covered, I welcome any thoughts or opinions on my setup.
-
ETA:
After purchasing Bitcoins I will run them through two online wallets before going in to my Bitcoin wallet on my computer, then run them through two more online wallets before sending them to anyone on SR.
-
Not bad, you understood the general security mechanisms. However, I recommend using something other than Hushmail, because they ACTIVELY cooperate with the feds. Of course, like others, you can just say that you don't care because you communicate encrypted anyway, but well - you don't need to serve them with your emails, do you?
On another note, your method of bitcoin laundry only launders by chance. If you have large amounts of bitcoins to clean, you should consider doing that with a commercial exchanger that will take care that you don't get the same coins back that you put in. However, this is expensive and for the normal customer with <200 btc per month it should be sufficient to do it as you wanted to.
Something else is your lack of a bridge, which is again something to consider if you are a vendor or some other high value target. A bridge is a VPN or some kind of tunnel which hides your TOR traffic from eavesdropping on you by your ISP. I.e., you are weak to correlation attacks if you don't use them; for example, if you live in a 10k citizen town and are one out of 100 people that use TOR, this substantially reduces the set size LE has to choose their suspicious persons from. A bridge helps you to mix in a larger set size and make correlation attacks via this mostly useless.
However, please note that commercial VPN services may very well be honeypots and thus you shouldn't trust them too much. I believe that they still are better than no VPN/bridge, but well. Best method would be to rent a VPS in an anonymous way, make it secure and set up a VPN over it, but this is really fucking much of an act.
I hope I could help,
much love and good luck
M
-
Many thanks for the in depth reply there.
I am not some big-time supplier, more a security conscious consumer, so I believe that I have my bases fairly well covered. The VPN thing may or may not be an issue, I live in a city in excess of 8 million people so I think one or two may be using TOR.
I will look at changing from Hushmail, although everything I have ever sent through that account has been PGP encrypted and through TOR, so I can't see any trail back home from there?
The only Bitcoins at the moment will be coming from my personal funds, that may change in the future but all I want ATM is to break the connection between me and SR purchases so I think that a couple of splits and recombinations through a couple of wallets would work maybe?
I am new to all this but learning fast, it's an exciting place to be!
-
Do not use Hushmail! They can decrypt your messages.
If you want to know more on this topic, do some research on safe mail, they work in the same way.
-
I understand that they can decrypt messages used with keys stored on their servers, but if I encrypt a message on my computer to Mr X's public key, then copy/pasta into the send field in Hushmail, how can they decrypt it? All I am looking for is an IP scrubbing email provider to be honest, I will look at SafeMail.
-
I didn't recommend safemail... it's even worse than Hushmail. It's Israeli based, and I bet they have backdoors built in.
Israelis don't like encryption :)
It would work if you paste the encrypted message, but I would avoid anyone who is eager to cooperate with LE.
I recommend tormail.net
-
Yup, experimental333, Tor Mail [ jhiwjjlqpyawmpjx.onion ] is hard to beat: POP3, IMAP, SMTP, web-mail (with or without javascript), and sign-up requires no other e-mail address. Pretty cool.
-
Does somebody have a good free VPN/VPS service to recommend?
-
Not bad. No such agency is the only ones that can crack AES and frankly they don't give a crap about in country non-threat to national security activities. They will never give away their secrets to the other alphabet soup agencies, if they did they would have to institute a new standard for US military comms. Not ever gonna happen. I would add that you should only connect to tor/SR from an anonymous prepaid throwaway 3g cell usb tethered on a laptop while mobile (not while YOU'RE driving, or driving to your house/outposts hahhaaaa) Track that shit LE <-- Have fun, and be sure to put that in your report to Senators Dip and Stick lol... "Ummm we tracked them all over Atlanta, they're everywhere sir" hahahaaaa
This advice is why I laughed so much when I heard the tune "9 Piece" by Rick Ross/Lil Wayne/MJG (I just had to add it to my signature lol) while I was on SR on my prepaid 3g throwaway rollin around town... I was like, this dude pretty smart in a strange kinda way. Someone needs to tell these rappers about Silk Road, I swear they would advertise for us for free!
We str8 ballin',
Paperchasing
PS - run, don't walk away from Hushmail, straight up bro.