Silk Road forums

Discussion => Security => Topic started by: CarlYoung on December 25, 2012, 09:15 pm

Title: Android Tor guide?
Post by: CarlYoung on December 25, 2012, 09:15 pm
Yes, Tor can work on android and you can get on SR but they give you a list of things you need to do to really be anonymous that are over my head.  Could anyone make a walk-through?
Title: Re: Android Tor guide?
Post by: Wadozo on December 26, 2012, 12:34 am
Using Tor on an Android (or Apple) portable device is not a safe practice. Logging in to SR on a device with an IMEI number is CRAZY! If you value your anonymity, don't access SR and log into your account using an Android or Apple mobile device. Why take a risk when there are much safer ways?
Title: Re: Android Tor guide?
Post by: geeza23 on December 26, 2012, 12:54 am
if you do want to go ahead using tor on android, please make sure you are rooted
Title: Re: Android Tor guide?
Post by: outoftheblocks on December 26, 2012, 06:37 am
FUCK ME!
Alright, I have accessed both my forum and SR account on BOTH an Android and Apple device. I used Onion browser using an Apple device, and Orbot+Orweb on Android. I need to know what to do to ensure my anonymity. I have not encrypted ANY of my communications, as I am only just learning how important it is to keep my info safe (It's actually downright disappointing that I have not yet encrypted my communication, but I don't need a beat down for my bad deeds). I have made only small orders of various drugs ($1500 total, and perfect stats which I hesitate to walk away from). How should I go about this? I am going to be using PGP for every one of my purchases from now on.

I see a few options.
1. Cease to use my SR account and start new, using only Linux/tor combination for access. PGP is mandatory from the beginning of an account to ensure anonymity.
2. Continue to use my account after changing passwords, and pin number. PGP use will cover my ass even if I start to use it now. Cease to access SR on Apple and Android devices.
3. Smash all devices that connect to the internet with a bludgeoning device such as Nomad Bloodbath's chalkboard skull and cower in the corner for Pine to appear and proclaim my incompetence to use PGP over a loudspeaker.
Title: Re: Android Tor guide?
Post by: Wadozo on December 26, 2012, 06:51 am
As I stated before, using any device with an IMEI number is playing with fire! This was backed up by former member, Guru, who also felt the same way. Accessing your account and making purchases with a mobile device is a risk you shouldn't take and is to be avoided if you value your anonymity. Follow rule No. 2.
Title: Re: Android Tor guide?
Post by: Hungry ghost on December 26, 2012, 10:01 am
I am interested to know more. How is the IMEI number vulnerable through Tor? Please understand I'm not trying to make an argument; it's just this subject has come up numerous times and I am really interested in the ways using Tor from a mobile device is more risky than using it from a PC.
What I mean is, at what point in the chain of transmission is my IMEI number visible to prying eyes? How can it be used to deanonymise me if I am using Tor on a mobile device? What about using a 3G dongle with a laptop? Do the same risks apply?
Let me reiterate I am not disputing anything that has been said, I just want to know the details from someone with technical expertise. Whenever Tor use on iOS/android is brought up there is a lot of "I wouldn't recommend it" but I can never get anyone to explain to me exactly what the vulnerabilities are so I can make my own judgement.
There is a lot of security stuff on here that I would only be concerned about if I was vending large amounts. As an occasional small buyer obviously my need for perfect security is less intense. Can someone please take the time to explain exactly what the vulnerabilities of using Tor from a mobile device are? It would be greatly appreciated.
Title: Re: Android Tor guide?
Post by: Wadozo on December 26, 2012, 10:10 am
This was brought up by former Spam Buster, Guru, who has unfortunately walked away from this forum forever just a few days ago and in doing so, deleted all his posts. I will endeavor to find my post on the previous thread and post it. Don't have time now as I am going to bed soon but I'll find it for you tomorrow and post it here. :)
Title: Re: Android Tor guide?
Post by: Hungry ghost on December 26, 2012, 10:21 am
Aah yes..... I think Guru did actually go through all this with me in the past, but I've forgotten! I think he made a pretty convincing case but I have carried on accessing forums through mobile because a) it's convenient and b) I'm an idiot. ;)
I'll have a trawl through my old posts too and see if anything relevant remains.
Title: Re: Android Tor guide?
Post by: Wadozo on December 27, 2012, 11:00 am
As Guru deleted all his posts, I couldn't find anything he had written. However, I did find this interview with independent security researcher, hacker, and privacy advocate Jacob Appelbaum, who among other things, talks about mobile phone security. Here is part of the interview and a link will be posted below for the full interview.

Resnick: What should we know about cell phones? It’s hard to imagine going to a protest without one. But like all networked technologies, surely they are double-edged?

Appelbaum: Cell phones are tracking devices that make phone calls. It’s sad, but it’s true. Which means software solutions don’t always matter. You can have a secure set of tools on your phone, but it doesn’t change the fact that your phone tracks everywhere you go. And the police can potentially push updates onto your phone that backdoor it and allow it to be turned into a microphone remotely, and do other stuff like that. The police can identify everybody at a protest by bringing in a device called an IMSI catcher. It’s a fake cell phone tower that can be built for 1500 bucks. And once nearby, everybody’s cell phones will automatically jump onto the tower, and if the phone’s unique identifier is exposed, all the police have to do is go to the phone company and ask for their information.

Resnick: So phones are tracking devices. They can also be used for surreptitious recording. Would taking the battery out disable this capability?

Appelbaum: Maybe. But iPhones, for instance, don’t have a removable battery; they power off via the power button. So if I wrote a backdoor for the iPhone, it would play an animation that looked just like a black screen. And then when you pressed the button to turn it back on it would pretend to boot. Just play two videos.

Resnick: And how easy is it to create something like that?

Appelbaum: There are weaponized toolkits sold by companies like FinFisher that enable breaking into BlackBerries, Android phones, iPhones, Symbian devices and other platforms. And with a single click, say, the police can own a person, and take over her phone.

http://www.infiniteunknown.net/2012/09/09/leave-your-cellphone-at-home-interview-with-jacob-appelbaum/

Everyone is entitled to their own opinion. Guru first raised these issues and it's a shame he is no longer here to chime in. I won't be accessing SR from my mobile phone but if others want to, that's their choice to make.
Title: Re: Android Tor guide?
Post by: carbonOC on December 29, 2012, 04:54 am
Thank you wadozo for your input. I haven't made any purchases but I have browsed as I am brand new. But I am going to do this the right way and research for a month or two before I make my first purchase. This has been extremely helpful.
Title: Re: Android Tor guide?
Post by: Wadozo on December 29, 2012, 05:05 am
+1 for you carbonOC.  :) Great to see someone new who is prepared to research something thoroughly and make an informed decision instead of jumping in head first without any thought on what they're actually doing. :)
Title: Re: Android Tor guide?
Post by: outoftheblocks on December 29, 2012, 07:56 am
I am somewhat worried about the connection because just two days ago I was on this forum, I posted that I had used mobile platforms. Last night, I tried to use my new pin which I wrote down, and was told it is wrong. I tried until it became reset. I am now waiting to hear from SR support about what is happening. I changed my password and any malicious activity would be halted by the pin reset. I am thankful for this system and hope to see my issue resolved. I will update if I hear that my account had been compromised through Android or iPhone use.
Title: Re: Android Tor guide?
Post by: CarlYoung on December 30, 2012, 02:16 am
How do we hide our IMEI numbers then? 
Title: Re: Android Tor guide?
Post by: jnemonic on December 30, 2012, 04:48 am
Just finished reading that whole interview, wow some great reading thank you. :)
Learnt a few things that's for sure. ;)
Title: Re: Android Tor guide?
Post by: outoftheblocks on December 31, 2012, 12:32 am
I received a message from SR Support last night. Here are the words...

"Usually if your account gets phished, they change the password, not just the pin. Plus they always empty out your account, so if that hasn't happened then I think you're okay so far. However, I HIGHLY recommend that you ONLY get on from actual computers and not phones or other mobile devices. Tor is not meant to work with these and there is NO guarantee for ANY anonymity on those devices."

I will surely be heeding their advice, because I see how easily those devices could be used to get users' info. I would suggest others do the same.
Title: Re: Android Tor guide?
Post by: Wadozo on December 31, 2012, 01:09 am
Hopefully this message from SR Support (DPR) puts the issue of using a mobile device to access Tor Hidden Services to bed, once and for all. You're potentially risking your anonymity should you continue to use a mobile device to access the Silk Road. A big THANK YOU to former member, Guru, who brought this issue to the community's attention. We miss his excellent contributions to all topics and his selfless help offered to others in need. :)
Title: Re: Android Tor guide?
Post by: gnarlavarius on December 31, 2012, 09:20 am
i am connected to sr with what hungry ghost calls a "3g dongle" through a laptop which does have an imei number but does not run on android or ios. i think i should change my habits then. does anyone have any input on these devices' security?
Title: Re: Android Tor guide?
Post by: Wadozo on December 31, 2012, 10:28 am
A 3g dongle works in the same way as a 3g smartphone in that it connects to the net over a wireless 3g network, with signals sent and received from the closest mobile Phone Tower to your location, much the same way a phone is used to make calls. A dongle will face similar problems to a mobile phone. Don't panic about it but I would start looking at alternative ways of connecting to the net. That is dependent on where you live and what services are available at your current address (ADSL 2+, Cable, etc). A call to your ISP will let you know what's available.
Title: Re: Android Tor guide?
Post by: nanpa2001 on January 01, 2013, 11:22 am
I don't think that using your phone net connection is inherently more risky than using your home internet connection.

First, make sure that your phone is rooted, and is running a custom ROM that has Over The Air (OTA) updates from the carrier disabled. That will prevent the hijacking of your phone through carrier-pushed malware.

Second, get a VPN anonymously at https://www.privateinternetaccess.com/ It costs $40 dollars worth of bitcoins.

Third, download Open VPN for Android from the playstore. https://play.google.com/store/apps/details?id=de.blinkt.openvpn&hl=en

Fourth, follow the instructions for configuration of Open VPN for Android here: https://www.privateinternetaccess.com/forum/index.php?p=/discussion/108/openvpn-configuration-on-android-instead-of-pptp-ipsec

Fifth, download Orbot: Tor on Android from the playstore: https://play.google.com/store/apps/details?id=org.torproject.android#?t=W251bGwsMSwxLDIxMiwib3JnLnRvcnByb2plY3QuYW5kcm9pZCJd

You can run all your apps through Tor if you want to.

Finally, run your VPN, and then Orbot (Tor) and you have Tor over VPN. That is 2 steps of protection. I don't see why that should be any more risky than using your home computer.

Title: Re: Android Tor guide?
Post by: Wadozo on January 01, 2013, 01:50 pm
Of course the choice is yours to make and live with, but despite my doubts and those of others such as Guru, when you receive a reply from SR Support in relation to using a mobile device to access SR which states -

Quote
"However, I HIGHLY recommend that you ONLY get on from actual computers and not phones or other mobile devices. Tor is not meant to work with these and there is NO guarantee for ANY anonymity on those devices."

I will err on the side of caution and maintain my original position on the subject.  ;D
Title: Re: Android Tor guide?
Post by: Hungry ghost on January 01, 2013, 09:43 pm
My iPhone is jailbroken and has OTA updates disabled. The default password is changed so it can't be SSH'd into. I understand all the stuff about how, if I became a person the police wanted to track, they could use my phone to do so, (especially with GPS) and remotely activate microphone (really? Can they also activate the video camera too? I'm gonna start putting a bit of tape over the fucker!) Leaving aside for now the question of whether they will wish to use their resources to do this to put an end to my small SR purchases rather than monitoring subversives and terrorists; I am still not clear on how using Tor from my phone could attract the attention of the police in the first place? I mean they could be intercepting my traffic between me and the nearest cell tower but to do that they'd have to be watching me already? I understand the need for caution, but nothing I have read seems to suggest that using Tor from mobile is 'leaking' my location or identity? I suppose my mobile ISP could identify the Tor packets and report to the police that I'm using Tor, suggesting that I'm either using SR or a peado? The police could then initiate these Orwellian techniques on me and assign a unit to monitor me? I remain fairly complacent.
I guess I'm just a reckless risk taker. I did used to inject myself with heroin fairly regularly, which I guess suggests a certain carelessness about my personal wellbeing! ;)
Title: Re: Android Tor guide?
Post by: Hungry ghost on January 01, 2013, 09:50 pm
I'd just like to add that these other guys above know much more about this stuff than me and I strongly recommend you listen to them rather than me! I basically rely on security through being too small a fish to be worth wasting a hook on!
Title: Re: Android Tor guide?
Post by: eddiethegun on January 01, 2013, 10:09 pm
Cells do not have to be inherently less secure than any other internet connected device. Lock them down just the same.

The IMEI is completely irrelevant. IMEI can be used to track your physical location across the cell network (which is why they're mentioned in that interview -- he's talking about police tracking protesters at OWS type scenarios). It's not IP-layer and it has absolutely nothing to do with onion routing. It's not sent out in packets across Tor, if that's what you're thinking.

I've seen far more malware on poorly patched Windows boxes than phones. By this logic, Tor Browser Bundle for Windows is a horrendous idea, not Orbot.