Silk Road forums

Discussion => Security => Topic started by: ballervision on August 06, 2013, 08:20 pm

Title: Conflicting "Security" Opinions. I'm willing to pay an expert $1000 USD.
Post by: ballervision on August 06, 2013, 08:20 pm
***tl;dr: I am fucking pissed at how scattered the opinions are about what true security is for using SR. I am willing to pay anyone with authority in this kind of knowledge $1000 to answer so I can have things straight in my head.***

There is a massive security scare going on right now, and I've just spent 5 or 6 hours skimming this board trying to answer a few questions to no avail. I want to continue having the feeling of security for myself and my customers. I will find this info out for myself if no one can come forward with the answers, but I'd rather take the entrepreneurial approach or I will be swallowed in this shit for months.

It took me weeks to learn PGP because of how scattered the information was. I'm trying to cohesively put together something about FULL, INVINCIBLE "FUCK YOU, LAW ENFORCEMENT" SECURITY for myself and for others. It is important that we have a cohesive answer, and if there are differing opinions, then those two opinions need to be listed right by each other so the "reader" can be aware that this is a difference in a school of thought, not a difference of facts.

If you don't know what you're talking about please don't fill this post up with bullshit unless you're trying to keep this thread on the front page. If you want to get paid please contact me to set something up.

I want to make it clear that I already do a lot of "no-brainer" stuff. I've never talked about SR to anyone. I always use PGP for any address I get sent things to and I never drop off my packages near a camera. I've always used some form of "anonymizing" OS before I started vending, and I've never accessed the darkweb from an IP that is registered to my name. Nothing against the law is located in any place where I access the darkweb. I am not flashy and I don't make expensive purchases.

If any of my data that I have listed here is bad to speak about on the message board please alert me.

Here are my questions:

Tails specific:

#1: How do I randomize my MAC in Tails? Everyone gives a really short answer like it's simple but it's not for me.

#2: Will all of the antennas for boosting Wi-Fi signals automatically work with Tails? Where can I find this antenna that automatically spoofs my MAC address like the one ChristyNugs is talking about?

#3: Will Tails see the USB Wi-Fi dongle or whatever that I need to run Reaper Pro? Will it even run Reaper Pro?

Other:

#1: What is the best "jump-off" OS for operating a VM? Mac, Windows, Linux? Which version? Can it be booted from USB? Does it automatically come with everything I need or will it be a cryptic mind-numbing journey for me?

#2: Is it best to go to a WiFi accessing spot on foot? (or avoiding stoplights by taking side streets). This way you don't leave a license plate trail on cameras?

#3: What are known exploitation avenues for hackers within any OS? Java, Images, bluetooth, etc. How do I stop these from happening?

#4: What is the best OS or "base OS to virtual OS" combo for tards? I'm not really good at thinking.

#5: I know this is kind of all of my questions, but is there just some step by step path for adding "points" to my anonymity? The answer used to be "use Tails from a bootable USB." Now I hear all this shit about obfsproxy (still can't figure what the fuck that even is or how to access it), bridges, VPNs, Whonix-Gateway, MAC-address spoofing that Tails doesn't do, VMs etc etc etc etc. I don't know what half of this shit is, and I don't need to unless it is critical. I just want a "Do this, don't do that" approach.

#6: Can LE even do anything to someone for just using TOR? I mean, there has to be at least a few other people using it in my city. Even if they somehow were waiting for me so they could do a spectrum analysis in a specific neighborhood where I tend to connect to the internet by TOR (sounds so far-fetched... I know it is possible though) and they caught my signal and raided wherever I was at... there is nothing there for them to find except probably some data on a computer that I downloaded or used TOR. What gives? Is TOR actually not secure and they can read what I'm doing if they try hard enough? I'm having a hard time imagining the situation or tactics they could use.

#7: Is mixing your coins necessary for inter-SR transactions? Do I need to mix coins I send to my buyer account? Or is mixing just a good step to take if I want to make my BTC into an Amazon gift card or use Localbitcoins?



Title: Re: Conflicting "Security" Opinions. I'm willing to pay an expert $1000 USD.
Post by: comsec on August 07, 2013, 02:40 am
#1: How do I randomize my MAC in Tails? Everyone gives a really short answer like it's simple but it's not for me.

Use the program macchanger. It's shipped with Tails. When you start up Tails, there are options to enter an admin password: https://tails.boum.org/doc/first_steps/startup_options/administration_password/ Enter a password and then continue to the desktop.

Now choose Applications ▸ Accessories ▸ Root Terminal, and when it loads enter the following:

ifconfig

You should see a bunch of interfaces. eth0 is typically your ethernet (hardwire) interface. wlan0 (wireless) is the wi-fi interface. These aren't static names; they could come up as wifi0 or wlan2 depending on your hardware. Find whatever says wireless (wlan0) and do the following:

ifconfig wlan0 down    # you shut down the connection
macchanger -a wlan0    # the -a option gives a random MAC of a similar vendor
ifconfig wlan0 up      # activated and ready to go

Done. Problem is, just by booting with Wi-Fi activated, it's already given away your MAC in that area and left a trail to find. If your laptop has a hardware Wi-Fi switch near the keyboard (most of them do), then turn it off during boot, change the MAC, and then turn it back on with the switch.

As for the rest of your questions, do you have to use Wi-Fi? Because it's like the #1 thing cops use to find people now. Can't you just use a regular connection?

A good LE-proof system is to first buy a firewall. netgate.com sells open hardware desktop firewalls with pfSense preinstalled. You can configure that easily to lock down all traffic except VPN traffic (or Tor traffic). It's also a router with NAT (Network Address Translation), so it gives your desktop computer or laptop an internal IP address which is meaningless to an attacker looking to identify you. You can also make your own firewall and just flash pfSense or OpenBSD to it, or the m0n0wall firewall OS.

At this point you're done; you can just load up Tails like normal, and if you run into that federal malware again, and they've altered it to work on the Linux kernel instead of just Windows, then they get nothing but your internal IP anyway. Because you have a hardware firewall/router, you can now safely change the MAC address of your ethernet card too (eth0) without worrying about your service provider freaking out thinking extra connections are happening. Do the above but choose eth0 instead of wlan0. Now that malware literally gets nothing, and is gone when you reboot because you're using Tails in memory only.

If you are worried that your local ISP can see you using Tor every day, then buy VPN access with bitcoins. On your base system, download OpenVPN and set it up. Log into your firewall and configure it to lock everything to the VPN, denying any other connections, or pay somebody local to do this for you, like a computer science student at a local university. Don't mention anything about cops or drugs or leave drugs around. Now install qemu and load up Tails on your base system. (VirtualBox, a VM program, exposes resolvers and other things from the host; not good for isolation.) It will tunnel Tor through the hardware VPN tunnel. The ISP will never see anything but your connection to an Iceland or Netherlands VPN. It's completely common to have a VPN; every business does. It's not so common to always be running Tor, depending on your city size.

There's a lot more you have to worry about than federal agents injecting spyware on this server. Watch these:
http://www.youtube.com/playlist?list=PL0628506AC2CB8A76

This is the software DEA used to backdoor Z40's phone so they could track him. It's also the same shady software being used by the UK police, Canada police, all of them.