>"On that day, a male and female agent started an argument in San Francisco's Glen Park public library, to get Ulbricht's attention. As soon as Ulbricht was distracted, another agent grabbed the open computer"
And that, ladies and gentlemen, is how you defeat crypto. How could you even defend yourself against such a thing? The only thing that comes to mind is never working in public on a computer.
I tried a few weeks of living opsec to get a feel for how practical this stuff is. Really got into it, to the point of wearing disposable gloves to get sorta untraceable currency and looking into body armour and secured living arrangements. It's probably easy to get too paranoid, and perhaps those people never end up launching a successful Onion site.
But just quickly, he should have compartmentalized. Zero need to have all that data decrypted while doing day-to-day admin. A throwaway machine with Tails or something would suffice for management. Then, add some physical security, such as smartcards with removal events set to destroy and then chain it to your neck. Or there's little dongles that do proximity detection.
Then get some physical security so your RAM is never exposed. The commercial phreaking devices were said to have thermite, but something explosive might look too much like terrorism. I'm not sure it'd be out of the question to wire up a short-circuit to your RAM at a single click, although that would look bad, versus something less obvious.
But really, this is apparently only because he messed up his server security so badly. Otherwise, they wouldn't have been there in person in the first place, right? It's probably safe to assume that if you're being physically targeted, you're going to have a bad time living a normal life. If you have a bunker or something where you can definitively see all approaches and have many minutes in case of a raid, eh, maybe. But by that time, there's probably some sort of correlation information or real-world bug going on, right? If Ross had been super careful, eventually they'd just bug his every movement, word, etc. Get video or audio on his keyboard, even, right?
So worrying about this is the barn door question after horses have left, it feels.
You don't even need something like Tails. You just need encrypted disk images, and to keep them unmounted when you're not actively using them. This is a capability that is for instance built into Mac OS X.
Well, just as a defense-in-depth, in case of a Firefox 0-day (or 90-day) or something, it'd minimize a leak, slightly?
Edit: Oh, also, since compulsion to reveal keys might be an issue, it's better if there's nothing around. In the US it seems to be if the prosecution can convince a judge that they really did see evidence but you since re-encrypted. I wouldn't want to rely on a judge in that case. Although at this point one is probably cooked but still.
What someone in that situation really needs is the opsec equivalent of a trap door function. Does such a thing exist that is easy to defend and difficult to attack? Could be very useful for e.g. rights activists in remote places of the world.
What conclusions did you come to on the body armour? Did you end up walking around with it on day to day? Any other interesting tidbits on your opsec journey?
It can devolve into "Reflections on Trust". I started auditing everything above the OS and VMware on my host. It's intractable. So I just had to start drawing lines.
The beneficial part is to think of every action you do, how many bits is it leaking? What persona are you, at that moment? How is that persona contained? How will the traces you are leaving at the moment look to an investigator? A judge? A super power network analysis and correlation system? For each bit you're leaking, what specific steps are reducing it and how? Are you still in persona? If your persona is from Country X, is he on at the right times? If not, and he makes casual comments, do they fit in persona? E.g. if on late and the World Cup is being held in his home country, did the persona reference it accurately? (And the searches you performed to find out that info, can they be correlated back?)
I'm sure this has a name but getting in the mindset and making sure you don't break character is key. I think it's probably best to minimize all statements. But, many records show people being found because they slipped up. Like one of the recent hacking groups, he told someone in chat "yeah well I was arrested for pot back in '06". Damn, you just cut your identity space from something like 2^28 to 2^20. Do that a couple more times and you're toast. Hell, even picking a username from a great book you're reading might take off several bits (e.g. if you bought the book on Amazon, and are reading it on Kindle, a well funded adversary could correlate - there's probably many such casual "unrelated" influences that might be detectable).
Personas need to extend to hardware, too. For example, cameras might have somewhat unique noise patterns. If you use your camera to take a pic of <something>, and with the same camera take pics to post on Facebook, it's plausible an adversary could get many bits of your ID. Fingerprints are everywhere, so minimize channels used to avoid surprises.
It's probably good to try to do things in batch. Download data, manipulate on a limited offline device, then batch upload. This is easy to disguise, and could be set on timers to coincide with different personas, establishing alibis. It helps defeat simple traffic correlation, like "let's cut off access to ISP A, and see if our target chat user disconnects". If you were chatting all day on a server, such an attack could be very effective. I didn't do batch mode, because I didn't have any actual work, other than "buy btc and set up a single server hosting a single static page". (I was thinking of a legal product (something like dropbox) aimed at privacy users and wanted to know how hard it'd be in real life... I decided the Onion service limitations would put my users at too much risk, and many users would fail to follow procedure when using the service, very high risk for them).
The body armor idea was more an overreaction (it was mostly for at home/hotel/sleeping). Once you're getting paranoid, it's a spiral. And hey, if you do get raided, there's probably a small benefit to be gained by having some accidental shots not be fatal, right? But no one takes any of this stuff seriously in general, so body armor is likely to get a friend to call the psych ward. Even the BTC or darknet forums. They suggest walking into a bank to buy BTC. Or meeting a stranger in public. Two great ways to link your meatspace and BTC identities! Sigh.
Anyways I recovered by going back to axioms, or trust anchors. Stuff like, "I trust Tor will not reveal my source IP on this persona in under a month", then build from there. The product idea didn't work out, so I dropped the "experiment". I kept smart cards, FDE, multi VM, and tamper evident seals/stickers, but otherwise went back to normal.
I find it easiest to think in terms of "What cost would it take to defeat security here, and who does this price out of the market?" Defenses raise the cost of attacking, they don't defeat all attacks forevermore.
Thinking things through this way will quickly clue one into the notion that it is much more important to pick a good adversary than to pick good defenses. I strongly recommend not picking the USFG, or any other nation, as an adversary. You will not win. The price of your identity is not measured in aircraft carriers. Their budget is.
Yeah, but where is the fun in that? If you remove state level actors, you get to do all sorts of weak stuff like "yeah I checked my email from a cyber cafe without Tor once".
I do concur though. Basically my analysis came to that any customers that really wanted or needed the level of service I was considering would probably not be around long, even if I stayed hidden (purely to avoid getting subpoenas to expose them - my plans were totally legal). And if they didn't really need that level of safety, then they would not use my product, because the limitations and costs would not be worth it.
On the flip side, look how long SR operated, and how "easy" a job LE had. If Ross would have been content to have a dozen million dollars and move on early, he probably could have gotten away with it.
There's only one way to evade law enforcement for a long time, and that isn't it (in fact, it's kind of the opposite). The key is that doing business requires relationships -- very strong or very weak and everywhere in between -- and every relationship can be exploited. The more evasive your persona is, the more elusive, the less business people will be willing to conduct with you. So the more you try to hide, the less business you'll do and your crimes won't pay even without any enforcement involved -- you'll be punishing yourself for very little reward.
The way police think is like this: first they'll find someone close to you and try to flip them by exerting pressure (on them or on you). If you don't conduct business with close relationships but with strangers, they'll plant an agent. The more secretive the crowd you hang with, the higher the chances the man on the other end is an agent. If your strategy is that no one knows anything about you, you'll find that you won't be doing much business anyway, and so wouldn't become a police target anyway, and if that's the case, you've gone through a lot of trouble while simply remaining a small fish without any evasion would have been better. So the hiding technique you describe might work for a one-time crime.
The only technique that works for any significant amount of time actually relies on very strong relationships: organized crime. It is a feudal system of patronship and loyalty -- your employees depend on you and they'll be willing to go to jail for you -- combined with the very powerful stick of physical intimidation, so that people are afraid to snitch on you.
In the case of this Ross, did he really need to cultivate relationships that required personal details leaking? From his story it doesn't seem much of the case. After some initial startup time, people were just willing to trust SR (the stupid ....). The hustle to sell some initial product looks to be the only exception, and yeah, with no risk you might have a hard time starting a business.
The ideas I've outlined would work for more than one person, though I'd be very hesitant to trust others, and you would need to find such candidates in the first place.
Hiring agents should have been taken as a given. You're paying someone a few thousand bucks, and you don't think they're going to sell out if someone comes along that has far more? SR should have been robust to malicious actors. DPR can keep the root level stuff to himself, while allowing his admins to have limited tools. Periodically review stuff.
I fail to see how organized crime would be an option for someone like Ross, wanting to start SR. So while that may be an option for some (a Mafia style threat profile is not something I'd likely be happy with) it's not really that viable for a random startup. I mean, here's another way to be immune from a lot of regulations: be really rich!
Also, when I say persona, I'm referring to the currently active one that you're using at the moment. Silk Road claimed to have been run by a line of these guys. Yet there was no real evidence of that, eh? If multiple personas would have been properly used, we'd see changes on the site, the staff would know, you wouldn't have old documents, etc. That's what I mean by fully going into a persona. You might use one disposable persona to buy an order or two of bitcoins. Another to run a server. Etc. Anywhere you need to draw a line between one act and another.
What you're really seeing here is the limitation of full disk encryption. I talked a little about this here (the article is really about cipher modes, though):
The problem isn't "crypto". The problem is the extent to which full disk encryption overpromises and way, way underdelivers. It's easy to have a cryptosystem that is at least somewhat resilient to this threat. You just can't get it with a UX that "unlocks" your whole computer to use it, and then "locks" it again when it goes idle.
The problem of evil maid attacks is at least trying to be addressed by the Qubes OS team, and I think it's an interesting concept. Otherwise, yes, FDE is only a part of what should be a holistic approach.
Up to now I had never considered the need for protection against a mid-keystroke attack. Ideally it would have to involve no unusual hardware or software, or you might as well just slap a "I'm a criminal" sticker on your forehead.
Second, I can't see it working properly if you need to do something specific when you're being struck.
Closest thing I can think of:
- headphones must be plugged in to launch a certain program
- if headphones are unplugged before program is closed, lock and begin wipe
- don't, under any circumstances, let go of the headphones
At this level of paranoia you probably also need interrogation training. Ideally you'd also have your sensitive stuff on a machine that is both hidden and protected, and only access it remotely. You want to be able to deny its existence to have any chance of withstanding a torture attack.
Edit: iphone earbuds have a switch that you might be able to use in your hand/mouth as a deadman switch, but I can't see that being workable for more than a few seconds.
Also, if you're in public, they could film your monitor... so that would need to be sanitized somehow as well.
The problem with schemes like this, is that they show premeditated intent to destroy evidence. I hear that courts don't like that. Maybe there wouldn't be evidence that specifically unplugging the headphones is what caused the drive to self destruct. But a good forensic security analyst should be able to show that the system was intentionally destroyed.
If you can come up with a plan for plausible deniability when it comes to, say, permanently deleting the keys for an encrypted drive, then that's worth way more than the deadman's switch is on its own.
You won't know in advance who is going to rob you, in this case it was the FBI but for this attack it could be anyone, even a reasonably organized group of 13 year olds could probably pull this off. For example the situation could be the same but DPR is a tech CEO working in a coffeeshop in Asia, and someone has just run off with a copy of his email and financials. He chases them out of the door, gets hit in the face with a bike chain, and wakes up in the hospital, not even knowing if they were just aggressive petty thieves, or if he was targeted and someone knows all his plans.
I think that "lock and wipe" might be too much though, and locking only would be more practical, wouldn't constitute destruction of evidence (as far as they know), wouldn't punish mistakes so much. Right now, off the shelf, a computer will lock up on screensaver, or sleep/poweroff. For a high paranoia user, you could add headphone unplug, power cord in/out, any usb in/out, even monitor the mic for certain codewords to trigger the lock. And if it happens it isn't such a big deal, just re-authenticate.
So now it's the locking mechanism that's gotta be made plausibly deniable. The beauty of it being done in software via (say) an HID interrupt is that the software itself is protected by the act of locking the computer.
You have to evaluate the risk: how "expensive" are occasional mis-triggers compared to a failure to trigger when necessary, and where is the optimal balance? (the always/never problem)
Basically, restart a full-disk encrypted device when loss of signal or drop in temperature occurs. Have something similar on your desktop. Wear a BLE Android watch, and make sure your devices restart when they get out of reach, or when put into a Faraday bag, or when dropped in liquid nitrogen :)
Yeah, it's still possible to defeat, especially if someone knows your setup, but it's at least pretty damn close to foolproof. If you sense trouble, just run like hell and lose the signal.
Someone should invent a usb dongle that detects a nearby rfid chip that you keep on your keychain. As soon as that keychain is out of range, say 5 feet, the computer locks and encrypts itself. Integrate this into the computer and you wouldn't be able to tell who has one and who doesn't. Think you're being arrested with your computer open? Toss your keys.
You could be grabbed by agents and held there in your chair while another agent starts working on your files.
My idea would be more of a proximity sensor that not only does the RFID-walkaway thing, but also locks the machine up if anyone additional to yourself approaches the device.
But then the LEO agent sees this, and not only does he pick up the keys, he will then proceed to charge you with something for resisting arrest, or obstruction of justice or any of the myriad of ways they have to make your life a living hell.
I think this would be similar to smoking pot in a moving car, then getting a police car to tell you to stop and then you throw the drugs out the window. I believe that's enough of a reason to charge you with all sorts of nasty stuff.
That's my point. If you have your laptop locked depending on whether they are close by or not, then throwing the key away will not help you.
I was trying to say that it seems to me as an ineffective method. Just as ineffective as trying to argue with the police that since you don't have the drugs on you (because you just tossed them) you are not in trouble. The drugs don't disappear just as the keys won't, so the agents would just have to get the keys and unlock your laptop.
It'd be easier to just have the machine lock itself and power down whenever anyone plugged in an unknown HID device. The FBI (and other agencies) use USB mouse jigglers to keep the screensaver from activating while they transport the machine back to their lab.
that's called "security through obscurity". and sometimes it works great! Well, the first time.
Of course, just like the shoe bomber changed airport security forever, an rfid keyfob like you suggested becoming commonplace, would just lead to the cops immediately tazing and tackling you, and treating every single motion of your arms as an attempt to destroy evidence.
I've worked with some pretty sensitive information at places where it's a matter of policy to lock your screen whenever you leave your desk. It's second nature for me to click the screen saver button every time I get up from my computer now. I'm a little surprised that someone as paranoid as Ulbricht didn't have the same sort of habit.
That sounds like a huge hassle to be honest. My android phone had a feature that made the screen stay on as long as I was looking at it - it was a disaster. It just did not work properly. I ended up deactivating all that crap and just set the screen to never go off, unless I explicitly press the button.
I would imagine that if you were up to something like this, the laptop in question wouldn't be your daily driver.
In which case you would likely want to physically disable inputs and sensors like cameras, mics, location hardware, etc.
I seem to also recall once reading that it was good measure to use a laptop with a removable battery, having actually removed the battery and only being powered by your power cord.
Or so I've heard.
isn't facial recognition easily defeated with a picture of the person's face?
that said i concur, the proliferation of built-in cameras should spur us to adopt biometrics such as facial recognition, but it's gotta be better than picking out a few points and doing a simple match like most CV facial recognition systems do. some sort of challenge-response maybe, like "wink your left eye" or "blow a kiss", anything that a simple, static picture couldn't defeat.
but i concur on the larger paradigm - the hardware is common enough to force us to consider biometrics as commonplace.
Given the proliferation of comments about how to avoid linking meatspace and digital personas, having a laptop with a camera constantly filming your face, and a piece of software designed to recognise only your face stored next to your incriminating digital files seems like an escalation of risk to me.
hmm. Do some computers have accelerometers? Maybe you could do something like if you are at a coffee shop or somewhere in public when your computer is picked up before you have that turned off it does the necessary security precautions. Not sure what/if any computers have one though, but you could probably build something via arduino or something.
MacBooks used to have accelerometers that were used to detect sudden motion and park the hard disk head to prevent a head crash. But it looks like they've stopped including the accelerometers in more recent models with SSDs, since there's no equivalent need.
This shouldn't even be that difficult to rig together: Take a small USB key, combine with a wrist strap, and write a script to listen for USB key disconnects. As a bonus, if you want to get fancy, the encryption key itself (or a part of it) could be stored on the USB key.
Proximity sensor (bluetooth or something) + thermite on the disks.
If you get further away from the machine than 5m or so when it's powered up it will melt everything. For extra kicks also wire up another detonator with a case ground wire or something, if the case is opened - it melts.
Flush crypto keys, activate screensaver, kill all active terminal sessions.
If you want to get extra special: scramble the disk keys. Without those, data's good as toast. And that can happen a lot faster than a shred, wipe, or even dd if=/dev/zero of=/dev/sda bs=1g
Have a lanyard around your wrist with the end plugged into a USB port. Set up a daemon that watches for that device to disconnect, and once it does, the computer powers off.
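Added example, not part of any comment in the thread: a sketch of the "watch for the USB key to disconnect" idea, combined with the unknown-HID suggestion above, restricted to locking only. The vendor/model/serial values and the sample event text are constructed; the property names are the ones udev prints for `udevadm monitor --udev --property`.

```python
import re
# TETHER and KNOWN_HID are assumed, constructed identifiers for this illustration.
TETHER = ("0951", "1666", "TETHER0001")   # (vendor, model, serial) of the wrist key
KNOWN_HID = {("046d", "c077")}            # input devices already trusted

# Constructed sample in the style of `udevadm monitor --udev --property`.
SAMPLE = """\
UDEV  [100.01] add      /devices/usb1/1-1 (usb)
ACTION=add
SUBSYSTEM=usb
DEVTYPE=usb_device
ID_VENDOR_ID=046d
ID_MODEL_ID=c077
ID_USB_INTERFACES=:030102:

UDEV  [205.40] add      /devices/usb1/1-2 (usb)
ACTION=add
SUBSYSTEM=usb
DEVTYPE=usb_device
ID_VENDOR_ID=1234
ID_MODEL_ID=abcd
ID_USB_INTERFACES=:030102:

UDEV  [230.11] add      /devices/usb1/1-3 (usb)
ACTION=add
SUBSYSTEM=usb
DEVTYPE=usb_device
ID_VENDOR_ID=0781
ID_MODEL_ID=5567
ID_USB_INTERFACES=:080650:

UDEV  [312.77] remove   /devices/usb1/1-4 (usb)
ACTION=remove
SUBSYSTEM=usb
DEVTYPE=usb_device
ID_VENDOR_ID=0951
ID_MODEL_ID=1666
ID_SERIAL_SHORT=TETHER0001
"""

def parse_events(text):
    """Return one dict of KEY=value properties per blank-line-separated event."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        props = dict(l.split("=", 1) for l in block.splitlines()
                     if "=" in l and not l.startswith(("UDEV", "KERNEL")))
        if props:
            events.append(props)
    return events

def decide(ev):
    """Map one event to 'lock' or 'ignore'. Lock only: a false trigger costs a re-login."""
    if ev.get("SUBSYSTEM") != "usb" or ev.get("DEVTYPE") != "usb_device":
        return "ignore"
    action = ev.get("ACTION")
    vid, pid = ev.get("ID_VENDOR_ID"), ev.get("ID_MODEL_ID")
    if action == "remove" and (vid, pid, ev.get("ID_SERIAL_SHORT")) == TETHER:
        return "lock"                      # tether pulled out of the port
    # Interface triples look like :ccsspp:, class 03 is HID (keyboard, mouse, jiggler).
    is_hid = any(i.startswith("03") for i in ev.get("ID_USB_INTERFACES", "").split(":"))
    if action == "add" and is_hid and (vid, pid) not in KNOWN_HID:
        return "lock"                      # unfamiliar input device appeared
    return "ignore"

if __name__ == "__main__":
    # On a live system, feed udevadm output in and run `loginctl lock-sessions` on "lock".
    for ev in parse_events(SAMPLE):
        print(ev["ACTION"], ev["ID_VENDOR_ID"], ev["ID_MODEL_ID"], decide(ev))
```

USB descriptors are self-reported, so the allowlist only raises the bar against a device that copies a trusted vendor/model pair.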
There's no legal requirement I know to show the warrant prior to seizure of material evidence based on a warrant. Do you know of any relevant case law that says otherwise?