I decided to make it here actually, but still removed from the 2c-b thread so that it doesn't come off as disrespectful / thread hijacking. I will try and keep the majority of my computer security rants here if at all applicable. The reason I decided to post it here instead of the computer / technology subforum is simply because I think many people would greatly benefit from computer security who are actually here and might never even actually check that subforum (I only have like twice personally). If mods do not like this, my apologies in advance.
Anyways someone in another thread here asked me about my encryption set up. Here is my full (ideal) routine for computer aspect of sourcing.
First of all I only work with people willing to use GPG or OTR encrypted communications channels. There are two big reasons for this. The first reason is, if I am sending a person an address connected to me, I don't want me to be watched if their E-mail is being watched. Look up operation raw deal if you think this is unlikely to happen: it already did happen, even with "encryption" (GPG is solid, hushmail is shit). The second reason I require encryption for communications is because it reduces the chances that whoever I am working with will go down hard. If he works with one LE and a million legitimate customers, they will have one email stream of evidence against him instead of a million. This means he is less likely to get in as much trouble to where he plea bargains and giving info is part of the plea. In general it is great for me, and good for the vendors I work with, and third of all if they don't know enough to encrypt their communications they are not as professional as someone I would like to work with needs to be.
Second on my security line up is Tor, which is an anonymity network, it works in ways similar to a traditional proxy server but is designed in such a way that it is much more secure. 
It uses cryptography (not end to end unless you use SSL or Hidden Service protocols) but it isn't cryptographically secure from an anonymity stand point. It is however a very strong anonymity asset and it's unlikely that anyone short of intelligence agencies can currently break it, although unfortunately and admittedly the ability for lesser agencies to break it is probably increasing at a medium steady pace. They are not there yet though. The reason I use Tor is because what if the person I just made a deal with isn't really a friend? What if a package I get was seized and I checked the tracking from my own IP address (this has gotten people busted before)? What if the e-mail account of the vendor is being watched, and the email accounts of those who send him emails? Encryption will make it so they can't see your address you tell him to send things to, but if they can just find your real IP it doesn't matter at all anyways. Also for people who connect to websites and email accounts from home, your ISP can see where you are going. It can't if you use Tor. And the websites can't see who you are.
Another thing I use for an anonymity asset is WiFi. Depending on how you use WiFi, it can either mildly or greatly increase your anonymity. Especially if you use it with Tor. Tor and WiFi combo is the holy grail of internet anonymity short of mix networks and WiFi. If every time you place an order to a vendor you use your neighbor's open wifi, or maybe you ONLY connect to source related things from random wifi access points around town. There are programs you can use GPS and a wifi antenna with, drive around town for an hour, and it will show you a map and GPS locations of all the open and poorly encrypted WiFi in your area. In a big city there will be hundreds of different spots if not thousands. 
The only way to do a trace back on WiFi is directional antenna triangulation afaik, and if you use a new spot each time or a handful of spots, they will never get to the spot in time to triangulate the signal; you will already be gone, leaving behind a spoofed mac address.
Then for computer I have my entire laptop encrypted with DM-Crypt (it's Linux). I keep any (very temporary) notes stored encrypted symmetrically with GPG keys, and make heavy use of virtual machines using virtual hard drives stored in the hidden section of plausible deniability encrypted virtual containers. The reasons for the crypto are many. The entire computer is encrypted so that if it is seized, it is worthless to the seizer. If the seizer threatens me if I don't release the data, I can give up the first layer of encryption and keep the most sensitive components (virtual machine hard drives that were actually used to do sensitive stuff with) hidden away while maintaining the cryptographically secure illusion of cooperation. I also use non mounted encryption for non critical files simply because mounted drive encryption is weak to certain attacks, such as the flash freezing of ram chips before they have time to have their memory state (and the symmetric encryption keys stored on them) adequately decay.
That is pretty much the holy trinity of being safe online.
1. Make sure everyone you work with is using encryption (OTR and GPG)
2. Make sure you would be extremely expensive to trace down (WiFi and Tor)
3. Keep all your sensitive files encrypted behind multiple layers, with some plausible deniability thrown in for good measure (or if you live in the UK where not giving a crypto password up is years in prison off the bat). (gpg, truecrypt, dm-crypt, luks, etc).
There are other minor things you can do too that are helpful but more of a precaution than an active defense. 
For example, every two or three months do an anti-forensic hard drive wipe with DBAN, or if you use windows go into the registries and disable all the prebuilt in forensic gathering tools they put in for LE to fuck you with.
As far as this all being overkill, it's really not. And as far as me being super l33t haxx0r and "normal" people not being able to do all this, it's a crock of shat. I am pretty handy with a computer, but all these precautions could be taken by a nine year old with basic researching skills if he wanted to. It's not as hard to do as people keep telling themselves it is, at all. And it could literally save your ass someday =).
Also if anyone here ever tries to use GPG or Tor or Truecrypt or whatever and gets stuck on a problem, if you post it here I would be more than glad to help get it fixed for you, and it can help others too possibly. I am working on a pretty massive collection of tutorials right now actually that will have step by step instructions and screenshots and graphical illustrations on dozens of digital security techniques for the three main operating systems (Ubuntu Linux, Mac OS X and Windows). I think once people see graphical screen shots of setting everything up, it will dawn on them that it isn't rocket science, and once they get it set up they soon will question why they ever risked working with sources without it.
From the 2c-b thread we took off topic ;-P : I personally don't do the server trick with the wires etc, but there are some who do. There is an ecurrency exchanger on the Tor hidden service network who runs a financial mix, which pretty much makes for cryptographically untraceable bearer bonds via blind digital signatures and a remailer style mix network. I believe he has the servers wired to turn off if the room they are in is entered, etc. I think it would be fun to wire my home computer up like that, but for me would be more of a cool novelty than anything. It is more a trick for servers than for clients. A server is online 24/7 even when no one is there to man it or whatever. A client is usually only on when you are on it, then turned off and the crypto unmounted while you are not around. With a server if you want it encrypted with full drive encryption, it sort of kills the point because it is mounted 24/7 anyways and no one is around to turn it off if people come looking for it. By hooking it into wiring systems that cut power when the room it is in is accessed, you give the mounted encryption some actual substantiation.
just a reminder "my bank" sent an email saying that my account was trying to be accessed by foreign sources--and to click the link and update my info----the shit looked real but of course I didn't do it but I'm telling u it looked real
I have always been the smart guy with comps... It feels weird to think someone knows more than me :\ hehe OK, I wanted to be you a long time ago, but got burnt out on working with comps all the time in the army, and in my free time,,,,,,,,, (commas!) First question is, I already have used my comp for dumb shit. How can I purge the free space on my comp? This would make me happy. Also, TOR doesn't work in Iraq. Advice? I use a mac. What's the best info u got for me? (I don't care what you say, mac is based off of BSD and BSD is the most secure system hands down. Prove me wrong )
Tor will work in Iraq if you find a bridge most likely. I am not entirely sure why it won't work in Iraq but I am imagining it is being blocked by the ISPs, or if you are in army using army based internet it is quite possibly being blocked by them too. I am not sure how the internet services to those in Iraq work. Regardless though, depending on how thoroughly they are blocking Tor, you could connect with one of the semi-private bridges.
Normally the Tor network lists the IP addresses of all the relay entry and exit nodes in a big database (not all the users, just those who donate bandwidth and jurisdictional locations). This makes Tor pretty weak to censorship, a dictatorship or maybe the army or your boss, can simply block all connections to Tor related IPs up the chain from you. Tor defends against this a good bit with what are called bridges. There are semi-private bridges, which are volunteer nodes that are not listed in the public directory. You can get a few sent to you by email from the Tor website, and you can load them one at a time on the tor website too. This is not truly private as someone with enough time could simply keep pounding away requesting bridges and eventually get a comprehensive list of them and then block them. Most companies that block Tor won't go this far. The Chinese government seems to. I am not sure if Iraq or the army would. I think chances are you could occasionally get on with a semi-private bridge. Pretty much a bridge works like this:
You ---> Semi-private bridge ---> entry node --> relay node ---> exit node ---> website
If they do go so far as to block a lot of the semi-private bridges, you still have some options. The first option would be to rent a VPS (Can get a cheap one for $20 a month) and set it up as your own private bridge. No one will block it because you will be the only one that knows about it. 
The next option you can do, is get one of your friends in your home country or maybe some family to set up a private bridge on their home computer, and share the info with you. This even works for people in China and is how they get around China censoring Tor. Anyone with an internet connection and half assed computer can set up as a bridge. Then as long as their computer is up and has tor running, you simply tell your Tor to connect to them, then from them down three random volunteer nodes and back to you through them. This should do a very good job of keeping anyone from censoring your access to the Tor network. But you can only use Tor then if one of your bridges to it is up. Your browsing patterns and what you are viewing are kept secret even from the bridge BTW, it would all be encrypted through them and decrypted only when it is back to your machine, and they would be three nodes away from the destination server.
2. As far as purging the free space I have no idea how to do this with a mac. Almost all of my experience is with Linux and Windows. With Windows you can use Heidi eraser to do that, but it doesn't work on macs. I would try to google around for heidi eraser mac alternative or some such thing. Sorry I am not very useful with a mac, I only know how to set up truecrypt, gpg, tor and drive encryption with them.
Adium with the OTR plugin. Adium is an instant message program for macs based off pidgin and I am pretty certain it comes with OTR native. Then if you talk to other people with an OTR enabled IM client, your conversations will transparently and automatically be encrypted with very strong and fully deniable encryption and authentication. Adium supports around a dozen IM networks and IRC I think. Keep in mind, sometimes the person you are talking to knowing who you are (via your ip) is just as bad as someone you are not talking to seeing what you are saying (which is all encryption prevents).
God I love mac! It had built in encryption for virtual memory (swap space), AND has a disk utility that secure erases free space and files with 1, 7, or 35 passes. It also has an encryption utility built in. All this, for FREE God I knew it was a good idea to get a mac!
Honestly I don't bother at all cause I only order non-scheduled chemicals from known sources. I would only use any of these if I were ordering LSD or MDMA or something, otherwise I doubt it matters when buying personal amounts of the quasi legal chems.
I think most of the people who even order LSD, MDMA, and K don't even encrypt their stuff, though they should. I guess it's like not going outside during a thunderstorm, the chance is 1/100 000 that you'd get zapped, but people have gotten zapped many times before (dumb analogy lol)
A non-trivial amount of vendors who sell scheduled drugs won't even talk to you if you don't have a GPG or OTR key.
Well I've found one called ****supply@hushmail.com, so I'm pretty sure if the vendor is using hushmail, I'll just email them with my safe-mail account, which I heard is a safe one to use.
You should probably edit the entire vendors name out, even using *s is frowned upon here. That is a legit source last I heard (in case you care hehe), although I have heard reports of them sending crushed up MDMA tabs as molly mostly hear good things, although a tad expensive. Nope they don't require encryption, but they are in the minority when it comes to the products they are handling. Safe-mail is no better than hushmail or any other web based encryption.
I've had much more luck with Tor since I started excluding exit nodes that are banned from Hip Forums. It used to be almost unusable. (I'm not sure how to do it with the GUI, but with the config file, there's an ExcludeExitNodes and StrictExitNodes setting that can be used to help avoid those exit nodes (sometimes it does still pick them for some reason.) It's only available in more recent versions of tor.) When I get the "your ip has been banned" message, I check what my tor IP is and add it to the list. You can also exclude a country from exit nodes. I've excluded the US. I like the idea of having the exit nodes out of the country....not that anyone would go through the trouble of trying to sort out the onion and stuff...but just in case. I think in some ways it may make tor a little less secure to exclude some exit nodes, but it was getting to the point that I really couldn't use HF until I did that....and now I do much better.
A couple other things about tor that I've noticed: I usually use Yahoo for search because Google doesn't like tor. (It flags it as a bot since so many people do queries from the same IP.) Make sure you use the Tor Button or something similar and FF when using Tor because it helps prevent certain leaks that can occur if you just set it up as a proxy. (Things like flash or other plugins downloading stuff directly without obeying proxy settings...or javascript collecting information about the browser or your IP and sending it to the server.) And....I also like to keep my "special" profile in a separate encrypted volume. This is my FF profile setup to use Tor and with bookmarks and stuff to sites that I don't want anyone to see. This way I don't have to worry about someone coming on my computer and stumbling upon my personal stuff. I'm not sure how to set this up on some OSes, but I just moved my profile directory to the encrypted volume and made a symbolic link to it from the standard FF profile locations. When I want to use my special profile, I unlock the volume and start FF with the profile manager. This allows me to not be overly protective about my computer but still keep this aspect private. (People might wonder if I never let anyone touch my computer.) I feel like I'm giving away too much info now........but I'm not a big believer in security by obscurity....more a believer in solid security.
Will make sure to hit this thread up if i still have problems with my Key. GPG/GNUPG and other security encryption software is a must. As is awesome Not to leave paper trails like some people do without using their heads. Yep, some say no good things come for free but information cannot have a dollar price on it...that is for sure!
A better way to solve this problem is to use persistent exit nodes for hipforums, rather than block all the nodes that hipforums has banned.
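An audit of the exit-node settings discussed in the posts above, added here as an example and not written by anyone in the thread: it parses a torrc, flags the old StrictExitNodes / StrictEntryNodes names that current Tor releases treat as obsolete, and summarises how much the ExcludeExitNodes list narrows exit selection. The sample torrc, its placeholder addresses, fingerprint and domain, and the function names are constructed for illustration; TrackHostExits is assumed to be the option meant by "persistent exit nodes".

```python
import re

# Constructed sample torrc (placeholder addresses, fingerprint and domain;
# none of these values come from the thread).
FAKE_FP = "$" + "A" * 40
SAMPLE_TORRC = f"""\
# exits added by hand after each ban message
ExcludeExitNodes {{us}}, 192.0.2.10, 192.0.2.11, {FAKE_FP}
StrictExitNodes 1
TrackHostExits .example.org
"""

# Option names that current Tor releases list as obsolete.
OBSOLETE_OPTIONS = {"strictexitnodes", "strictentrynodes"}


def parse_torrc(text):
    """Map lowercased option name -> list of raw values (names are case-insensitive)."""
    options = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        options.setdefault(parts[0].lower(), []).append(parts[1] if len(parts) > 1 else "")
    return options


def split_list(values):
    """Flatten comma-separated option values into individual entries."""
    return [item.strip() for value in values for item in value.split(",") if item.strip()]


def classify(entry):
    """Sort a node-list entry into country code, relay fingerprint or address pattern."""
    if re.fullmatch(r"\{[A-Za-z?]{2}\}", entry):
        return "country"
    if re.fullmatch(r"\$?[0-9A-Fa-f]{40}", entry):
        return "fingerprint"
    if re.fullmatch(r"[0-9A-Fa-f:.\[\]]+(/\d+)?", entry):
        return "address"
    return "other"


def audit_exit_policy(text):
    """Summarise the exit-selection settings found in a torrc."""
    opts = parse_torrc(text)
    excluded = split_list(opts.get("excludeexitnodes", []))
    kinds = {}
    for entry in excluded:
        kinds[classify(entry)] = kinds.get(classify(entry), 0) + 1
    return {
        "obsolete": sorted(o for o in opts if o in OBSOLETE_OPTIONS),
        "excluded_by_kind": kinds,
        "excluded_countries": [e.strip("{}").lower() for e in excluded if classify(e) == "country"],
        "tracked_hosts": split_list(opts.get("trackhostexits", [])),
    }


if __name__ == "__main__":
    for key, value in audit_exit_policy(SAMPLE_TORRC).items():
        print(f"{key}: {value}")
```

A whole-country entry removes far more exits than a handful of addresses does, which is the trade-off the earlier post raises about excluding exit nodes.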
yah MMT you should edit that post pleaseee i made an account on a vendors website with a hotmail email address and they sell scheduled substances. well as of this past week they do