Silk Road forums
Discussion => Security => Topic started by: ravenhawk on September 12, 2011, 07:42 pm
-
This guide is not designed for complete newbies, as you should have researched this on your own as soon as you registered here, thus I don't go into much detail at each step. Its purpose is rather to remind you of some things and maybe help improve your security a little.
No matter what, if you are receiving drugs, you have to assume that one day cops will knock on your door. They probably won't have anything on you YET, but they will take your computer to search for incriminating stuff. So, you must ensure the proper protection of sensitive files, which can be done by encryption.
Step 1: Create a TrueCrypt container with hidden volume. Preferably give it an inconspicuous name and extension (windows98.iso) and store it between similar files.
Step 2: Copy some pseudo-sensitive info to the normal volume (porn, old passwords, etc.).
Step 3: Transfer all sensitive info to the hidden volume, and I mean ALL (think hard):
*GPG keys
*SilkRoad, MtGox, TradeHill, and every other password
*BTC wallet
*Text documents with heavy drug related info (this is not incriminating but still better not to let them know you are interested in drugs)
*whatever else you have, don't leave anything to law-enforcement agents!
Step 4: Clean up a little.
*Uninstall GPA software (better download gpg4usb and use it to manage GPG keys directly from the TrueCrypt volume)
*Uninstall other cryptographic software if you have any. It's not illegal but don't give them reason to think you have something to hide. Better get portable versions of them and store them on the encrypted volume.
*Clean browser history, certain bookmarks, cookies, temporary files if needed.
*Delete whatever else that might be suspicious.
Step 4: Wipe free space on all drives! (only 1 pass is necessary)
This is very important so that the files you moved to the TrueCrypt container and then deleted cannot be restored by undelete applications. You can do it with software like Eraser or even CCleaner (>Tools>Drive Wiper). Be sure you are deleting only FREE SPACE!
Step 5: Backup all important data and store it at a friend's house. Assume that your PC will be taken at some point. Even if nothing is found to incriminate you (if you did everything right), important data might get lost forever.
Also to remember:
1. Don't transfer BTC directly (TradeHill/etc > Online Wallet (or Laundering) > Online Wallet 2 > SilkRoad).
2. Use a different BTC address for each transfer.
3. Transfer bitcoins through Tor, use 'New Identity' on the Tor control panel between each transfer.
4. When you have received the package, leave it unopened for a few days (you could always say you didn't order this and were about to throw it out or return to sender).
5. In worst case scenario, do not say ANYTHING to the cops, talk to your lawyer first.
Do you approve it? Did I leave something out?
-
1 pass for disk cleaning may not be sufficient.
If you had sensitive data on HDD and moved it to encrypted volume, make sure to erase all the data with
http://www.killdisk.com/ or Eraser http://eraser.heidi.ie/
Both are free.
-
Why not just encrypt the entire drive? Isn't that a lot easier? Then you don't have to worry about LE getting ANYTHING, as long as you shut down the PC whenever not in use.
-
Why not just encrypt the entire drive? Isn't that a lot easier? Then you don't have to worry about LE getting ANYTHING, as long as you shut down the PC whenever not in use.
+1
Truecrypt + Hidden OS, computer attached to remote controllable power outlets and you are golden. You could also go crazy and "booby-trap" your computer so it powers off instantly if not handled the right way.
Lucky me, rootkits are not legal to use for LE against drug dealers, at least.
-
Why not just encrypt the entire drive? Isn't that a lot easier? Then you don't have to worry about LE getting ANYTHING, as long as you shut down the PC whenever not in use.
What are people's general thoughts on FileVault (Lion)? Key obviously not stored with Apple.
-
^^what the fuck is up with that link??? i aint clicking that for shit
-
^^what the fuck is up with that link??? i aint clicking that for shit
Good catch -- it's a cleverly disguised clearnet link. Fuck knows what happens if you go there...
-
Step 4: Clean up a little.
*Uninstall GPA software (better download gpg4usb and use it to manage GPG keys directly from the TrueCrypt volume)
*Uninstall other cryptographic software if you have any. It's not illegal but don't give them reason to think you have something to hide. Better get portable versions of them and store them on the encrypted volume.
I think this is too paranoid even for me. I think it's better to encrypt your whole hard disk. You can use a physical key like a pendrive too; if they get the PC/notebook, just burn the pendrive key.
You can walk on the street with 10 bongs, 20 pipes, and hundreds of rolling papers/roaches. You can even carry an empty marijuana sandwich bag.
If you are not with the drug, you are innocent.
4. When you have received the package, leave it unopened for a few days (you could always say you didn't order this and were about to throw it out or return to sender).
What's the utility of this advice?
-
I think this is too paranoid even for me. I think it's better to encrypt your whole hard disk. You can use a physical key like a pendrive too; if they get the PC/notebook, just burn the pendrive key.
Full disk encryption has its pros and cons; it's a matter of preference. As I said, this guide isn't definitive, you decide what's best for you.
You can walk on the street with 10 bongs, 20 pipes, and hundreds of rolling papers/roaches. You can even carry an empty marijuana sandwich bag.
If you are not with the drug, you are innocent.
Of course you're innocent, that's what I said, but still, this would weaken any plausible deniability you had.
What's the utility of this advice?
It's in case LE is watching your house for a few days and then decide to come in. This may not be applicable in every country, but sure is in mine.
-
^^what the fuck is up with that link??? i aint clicking that for shit
Good catch -- it's a cleverly disguised clearnet link. Fuck knows what happens if you go there...
Good for you, guys! That was my way to teach people to watch what they click. So if one goes there, they see a page with a warning not to click URLs before reading where they lead. The counter has hit 20, which means there are some people who could potentially have been scammed. I hope they have learned this harmless lesson.
BTW, don't go there. Who knows if I am honest or not ???
-
I think this is too paranoid even for me. I think it's better to encrypt your whole hard disk. You can use a physical key like a pendrive too; if they get the PC/notebook, just burn the pendrive key.
Full disk encryption has its pros and cons; it's a matter of preference. As I said, this guide isn't definitive, you decide what's best for you.
Ok.
You can walk on the street with 10 bongs, 20 pipes, and hundreds of rolling papers/roaches. You can even carry an empty marijuana sandwich bag.
If you are not with the drug, you are innocent.
Of course you're innocent, that's what I said, but still, this would weaken any plausible deniability you had.
Well, in my country the cops just bother users if they have the drug on them at the time of the approach. If you are not caught in flagrante, they will let you go. Yeah, they will know you are a user, even if you say you just smoke tobacco (for me, that's true, I smoke all kinds of tobacco), but who cares? Here, cops just spend the time and money of an investigation on the sellers, mainly big sellers.
What's the utility of this advice?
It's in case LE is watching your house for a few days and then decide to come in. This may not be applicable in every country, but sure is in mine.
I think this may be true just for big packages (like 1kg), but I don't know the reality of your country.
Here (Brazil), I think they will just ask you some questions about the package, but, if you did everything well, they will not be able to prove that you ordered it, so they let you go (without the package, of course).
I have a good plausible deniability for bitcoin and liberty reserve cuz I speculate in forex and bitcoins prices sometimes and that's not illegal.
But, anyway, don't you have any other drugs in your house? If the cops come into your house, they will find these drugs for sure. So, maybe you can say you didn't order the package, but how to explain the other drugs? And if you didn't order the package, why did you take it?
Sorry if you don't understand something. My English is not so good.
-
Step 1: Create a TrueCrypt container with hidden volume. Preferably give it an inconspicuous name and extension (windows98.iso) and store it between similar files.
Step 2: Copy some pseudo-sensitive info to the normal volume (porn, old passwords, etc.).
Step 3: Transfer all sensitive info to the hidden volume, and I mean ALL (think hard):
When I first tried to understand how SR works, I installed all the programs on a normal unencrypted drive. Now I've become smarter and put all suspicious data on an encrypted drive. Do you think the programs left traces where they were first, or do you think I'm fine after copying everything to a safe place?
thx
-
4. When you have received the package, leave it unopened for a few days (you could always say you didn't order this and were about to throw it out or return to sender).
Alternative #4. Consume everything in your package before you get home.
-
lol
-
When I first tried to understand how SR works, I installed all the programs on a normal unencrypted drive. Now I've become smarter and put all suspicious data on an encrypted drive. Do you think the programs left traces where they were first, or do you think I'm fine after copying everything to a safe place?
thx
Of course it left some traces, that's what Step 4 is for. You shouldn't worry much about software traces, but other sensitive files could be recovered if they're not overwritten, so wipe free space on all drives.
-
Thx for your reply.
What does "wiping free space" mean? Wiping is something like cleaning, right? So after you've deleted suspicious data, what do you have to do with the free space you just freed up?
-
Thx for your reply.
What does "wiping free space" mean? Wiping is something like cleaning, right? So after you've deleted suspicious data, what do you have to do with the free space you just freed up?
If you simply "delete" files, the actual data will still be on your hard disk. Only the "list" that manages which space is free or used will set these clusters to "free" so they can be used to store new information. So until you put new data on these clusters, the old data will still be there.
"Wiping" usually refers to special programs that don't just "delete" the data but rather write new/random data on the specific clusters. So what you do is delete these files using such a special program.
If you deleted the files a while ago already, most of the programs offer to wipe whole disks or just wipe the "empty space" to make sure nothing is left. I would recommend checking different "shredder"/"wiping" tools to see which one offers you the options you need.
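The mechanism described in this reply (and in the guide's free-space wiping step), as an added illustration that is not code from this post or from the original guide: a toy in-memory disk model in Python, with a raw byte array standing in for the media and a list of booleans standing in for the allocation table. Cluster size, cluster count, file names and the "secret" contents are all constructed values. The model shows that an ordinary delete only changes the allocation table and a raw search of the media still finds the content; that reusing one freed cluster for a new file leaves the remaining clusters intact; and that overwriting the free clusters is what actually removes it.

```python
"""Toy disk model illustrating data remanence after an ordinary delete.

Added illustration, not code from the forum thread. It models a block
device as a bytearray plus a free-cluster table: deleting a file only
flips its clusters to "free", the bytes stay put until overwritten.
"""
import os

CLUSTER_SIZE = 16     # constructed toy value; real file systems use 4 KiB or more
CLUSTER_COUNT = 8     # constructed toy value


class ToyDisk:
    def __init__(self):
        self.media = bytearray(CLUSTER_SIZE * CLUSTER_COUNT)  # raw bytes "on the platter"
        self.used = [False] * CLUSTER_COUNT                   # allocation table
        self.files = {}                                       # name -> list of clusters

    def write_file(self, name, data):
        """Allocate the first free clusters and copy the data into them."""
        needed = -(-len(data) // CLUSTER_SIZE)                # ceiling division
        free = [i for i, u in enumerate(self.used) if not u]
        if len(free) < needed:
            raise OSError("disk full")
        clusters = free[:needed]
        for n, c in enumerate(clusters):
            chunk = data[n * CLUSTER_SIZE:(n + 1) * CLUSTER_SIZE]
            start = c * CLUSTER_SIZE
            self.media[start:start + len(chunk)] = chunk
            self.used[c] = True
        self.files[name] = clusters

    def delete_file(self, name):
        """Ordinary delete: only the allocation table changes, the media does not."""
        for c in self.files.pop(name):
            self.used[c] = False

    def wipe_free_space(self, passes=1):
        """Overwrite every cluster the allocation table currently reports as free."""
        for c, in_use in enumerate(self.used):
            if not in_use:
                for _ in range(passes):
                    self.media[c * CLUSTER_SIZE:(c + 1) * CLUSTER_SIZE] = os.urandom(CLUSTER_SIZE)

    def carve(self, marker):
        """Forensic-style search of the raw media, ignoring the allocation table."""
        return marker in bytes(self.media)


def demo():
    """Walk through delete, partial reuse and wipe; return what a raw search finds at each stage."""
    disk = ToyDisk()
    secret = b"SECRET: gpg private key material (constructed sample)"  # constructed, 53 bytes -> 4 clusters
    disk.write_file("keys.txt", secret)
    disk.delete_file("keys.txt")
    results = {"after_delete": disk.carve(b"SECRET:")}       # True: bytes untouched
    disk.write_file("note.txt", b"new note")                 # reuses only the first freed cluster
    results["after_reuse"] = disk.carve(b"key material")     # True: lives in the second cluster
    disk.wipe_free_space()
    results["after_wipe"] = disk.carve(b"key material")      # False: free clusters overwritten
    return results


if __name__ == "__main__":
    for stage, found in demo().items():
        print(f"{stage}: secret recoverable = {found}")
```

The toy leaves out what makes this harder on real hardware: file system journals and metadata copies, the slack bytes at the tail of a partially reused cluster (the model keeps half of the first cluster's old content after `note.txt` is written), and SSD wear levelling, where an overwrite can land on different flash cells than the original data.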
-
Step 3: Transfer all sensitive info to the hidden volume, and I mean ALL (think hard):
*GPG keys
But as far as I know, PGP software has to be installed where your OS is. When I installed PGP Desktop, it didn't ask me where it should be installed, it put it automatically on C:\ .
I don't want to encrypt the whole drive, because I am afraid of forgetting the password and not being able to access my whole PC.
In the quote, you only speak about "keys", which should be in an encrypted folder. But all keys are saved in the PGP program. How can you save just the keys in a special (encrypted) place if PGP Desktop has to be on C:\ ?
Thx
-
Why not just encrypt the entire drive? Isn't that a lot easier? Then you don't have to worry about LE getting ANYTHING, as long as you shut down the PC whenever not in use.
+1 on whole disk encryption! I use TrueCrypt to encrypt my entire drive, never leave the computer unlocked, and power it off when I leave the house.
-
For the record I've done a good amount of sysadmin stuff, and this probably applies to the US only and only under worst case scenarios...
About full-drive encryption:
Law enforcement can detect from the level of randomness that an entire drive is encrypted pretty easily if they get ahold of it (it's even easier if you leave the default TrueCrypt boot loader screen on, like I used to!). If they have other reasons against you they can get a court order to get you to reveal the password to your hard drive. It's treated like a locked container and a warrant requires you to hand over the keys. Failure (this is second-hand info, not for certain) can lead to obstruction of justice or something similar and equally lame. Also second-hand, minimally reliable information is that they can hold you until you cooperate. You'll probably have a hard time explaining you forgot the password. Better, but still not good, would be to say you used a keyfile and it's long gone, irretrievably.
Either way keeping the fuzz from knowing you encrypt any sensitive data is a far better bet. However, full drive encryption is great for keeping your ordinary data from getting stolen when your laptop does! I recommend it for that alone.
Cheers,
Cubehead
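The "level of randomness" Cubehead refers to is something an examiner can measure. As an added example (not code from this post or the thread), here is the kind of Shannon-entropy block scan run over a raw drive image during forensic triage: encrypted or random data scores close to 8 bits per byte, text and zero-filled space score far lower. The block size, the two thresholds and the three-block sample image are constructed for the illustration; `os.urandom` stands in for ciphertext.

```python
"""Byte-entropy scan of the kind used in forensic triage to flag regions
of a raw image that look encrypted or random.

Added example, not from the forum thread. Thresholds and the sample
image are constructed illustrations.
"""
import math
import os
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, 8.0 for a uniform one."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def classify_block(data: bytes, high: float = 7.9, low: float = 6.0) -> str:
    """Coarse triage label (constructed thresholds). High entropy is a signal,
    not proof of encryption: compressed archives and media also score high."""
    h = shannon_entropy(data)
    if h >= high:
        return "random/encrypted"
    if h <= low:
        return "structured"
    return "mixed/compressed"


def scan_image(image: bytes, block_size: int = 4096):
    """Walk a raw image in fixed-size blocks; return (offset, entropy, label) per block."""
    report = []
    for off in range(0, len(image), block_size):
        blk = image[off:off + block_size]
        report.append((off, round(shannon_entropy(blk), 3), classify_block(blk)))
    return report


def demo():
    """Constructed image: a zero-filled block, an English-text block, a random block."""
    text = (b"The quick brown fox jumps over the lazy dog. " * 100)[:4096]
    image = bytes(4096) + text + os.urandom(4096)   # os.urandom stands in for ciphertext
    return scan_image(image)


if __name__ == "__main__":
    for off, h, label in demo():
        print(f"offset {off:6d}  entropy {h:5.3f}  {label}")
```

The scan explains Cubehead's point from the examiner's side: a container or whole-disk volume shows up as a long run of blocks all scoring near 8.0, which a disk holding ordinary files never does. It also shows the limit of the signal, since a compressed archive or a video file produces the same reading, so entropy alone only tells an examiner where to look more closely.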
-
For the record I've done a good amount of sysadmin stuff, and this probably applies to the US only and only under worst case scenarios...
About full-drive encryption:
Law enforcement can detect from the level of randomness that an entire drive is encrypted pretty easily if they get ahold of it (it's even easier if you leave the default TrueCrypt boot loader screen on, like I used to!). If they have other reasons against you they can get a court order to get you to reveal the password to your hard drive. It's treated like a locked container and a warrant requires you to hand over the keys. Failure (this is second-hand info, not for certain) can lead to obstruction of justice or something similar and equally lame. Also second-hand, minimally reliable information is that they can hold you until you cooperate. You'll probably have a hard time explaining you forgot the password. Better, but still not good, would be to say you used a keyfile and it's long gone, irretrievably.
Either way keeping the fuzz from knowing you encrypt any sensitive data is a far better bet. However, full drive encryption is great for keeping your ordinary data from getting stolen when your laptop does! I recommend it for that alone.
Cheers,
Cubehead
Cubehead,
Sorry but you're wrong. Police cannot make you give them your password. The 5th Amendment to the US constitution protects you against self-incrimination. Police will however use social engineering to get you to give them, or guess, your password. No obstruction of justice charges apply here either.
BTW, this is first hand information from someone who works with LE ;)
-
Always use PGP and encrypt your hard drive or thumb drive. We always try to get customers to use PGP. SO IMPORTANT!
-
everyone complicating things
tails+microSD card=nuffsed
just swallow if worst comes to worst..you couldn't ask for a simpler set up
-
everyone complicating things
tails+microSD card=nuffsed
just swallow if worst comes to worst..you couldn't ask for a simpler set up
hah nice. It sucks for those of us for whom this technical shit is way over our heads...
I'll have to figure it out eventually, I'm sure.
-
But, anyway, don't you have any other drugs in your house? If the cops come into your house, they will find these drugs for sure. So, maybe you can say you didn't order the package, but how to explain the other drugs? And if you didn't order the package, why did you take it?
this is exactly the question I've been mulling over since I began on SR - all of these precautions are basically useless if LE is able to obtain a warrant for your home and you keep even a personal stash there.
I suppose some of the large scale players have multiple locations from which to work, but average folks are basically fucked in this respect - unless it takes more than the information they can gather on the network, or from intercepted mail, to obtain a warrant.
-
That's what I thought too, so I have kept my ordering now to a minimum and only after I am out of one substance do I order more. So if worst comes to worst I have 3 grams of weed at my house and the amount that I ordered.
-
Rush Limbo,
Thanks for correcting me. I don't like giving wrong info. I hate saying this, but it's kind of good to hear I'm wrong. Then I guess it's just safe to say it's better if they don't suspect you're hiding anything from them whatsoever, data or otherwise.
Cubehead