I tried a few weeks of living opsec to get a feel for how practical this stuff is. Really got into it, to the point of wearing disposable gloves to get sorta untraceable currency and looking into body armour and secured living arrangements. It's probably easy to get too paranoid, and perhaps those people never end up launching a successful Onion site.
But just quickly, he should have compartmentalized. Zero need to have all that data decrypted while doing day-to-day admin. A throwaway machine with Tails or something would suffice for management. Then, add some physical security, such as smartcards with removal events set to destroy and then chain it to your neck. Or there's little dongles that do proximity detection.
Then get some physical security so your RAM is never exposed. The commercial phreaking devices were said to have thermite, but something explosive might look too much like terrorism. I'm not sure it'd be out of the question to wire up a short-circuit to your RAM at a single click, although that would look bad, versus something less obvious.
But really, this is apparently only because he messed up his server security so badly. Otherwise, they wouldn't have been there in person in the first place, right? It's probably safe to assume that if you're being physically targeted, you're going to have a bad time living a normal life. If you have a bunker or something where you can definitively see all approaches and have many minutes in case of a raid, eh, maybe. But by that time, there's probably some sort of correlation information or real-world bug going on, right? If Ross had been super careful, eventually they'd just bug his every movement, word, etc. Get video or audio on his keyboard, even, right?
So worrying about this is the barn door question after horses have left, it feels.
You don't even need something like Tails. You just need encrypted disk images, and to keep them unmounted when you're not actively using them. This is a capability that is for instance built into Mac OS X.
Well, just as a defense-in-depth, in case of a Firefox 0-day (or 90-day) or something, it'd minimize a leak, slightly?
Edit: Oh, also, since compulsion to reveal keys might be an issue, it's better if there's nothing around. In the US it seems to apply if the prosecution can convince a judge that they really did see evidence but you have since re-encrypted. I wouldn't want to rely on a judge in that case. Although at this point one is probably cooked, but still.
What someone in that situation really needs is the opsec equivalent of a trap door function. Does such a thing exist that is easy to defend and difficult to attack? Could be very useful for e.g. rights activists in remote places of the world.
What conclusions did you come to on the body armour? Did you end up walking around with it on day to day? Any other interesting tid bits on your opsec journey?
It can devolve into "Reflections on Trust". I started auditing everything above the OS and VMware on my host. It's intractable. So I just had to start drawing lines.
The beneficial part is to think of every action you do: how many bits is it leaking? What persona are you, at that moment? How is that persona contained? How will the traces you are leaving at the moment look to an investigator? A judge? A superpower network analysis and correlation system? For each bit you're leaking, what specific steps are reducing it and how? Are you still in persona? If your persona is from County X, is he on at the right times? If not, and he makes casual comments, do they fit the persona? E.g. if on late and the World Cup is being held in his home country, did the persona reference it accurately? (And the searches you performed to find out that info, can they be correlated back?)
I'm sure this has a name, but getting in the mindset and making sure you don't break character is key. I think it's probably best to minimize all statements. But many records show people being found because they slipped up. Like one of the recent hacking groups: he told someone in chat "yeah well I was arrested for pot back in '06". Damn, you just cut your identity space from something like 2^28 to 2^20. Do that a couple more times and you're toast. Hell, even picking a username from a great book you're reading might take off several bits (e.g. if you bought the book on Amazon, and are reading it on Kindle, a well funded adversary could correlate - there's probably many such casual "unrelated" influences that might be detectable).
Personas need to extend to hardware, too. For example, cameras might have somewhat unique noise patterns. If you use your camera to take a pic of <something>, and with the same camera take pics to post on Facebook, it's plausible an adversary could get many bits of your ID. Fingerprints are everywhere, so minimize channels used to avoid surprises.
It's probably good to try to do things in batch. Download data, manipulate on a limited offline device, then batch upload. This is easy to disguise, and could be set on timers to coincide with different personas, establishing alibis. It helps defeat simple traffic correlation, like "let's cut off access to ISP A, and see if our target chat user disconnects". If you were chatting all day on a server, such an attack could be very effective. I didn't do batch mode, because I didn't have any actual work, other than "buy BTC and set up a single server hosting a single static page". (I was thinking of a legal product (something like Dropbox) aimed at privacy users and wanted to know how hard it'd be in real life... I decided the Onion service limitations would put my users at too much risk, and many users would fail to follow procedure when using the service, very high risk for them.)
The body armor idea was more an overreaction (it was mostly for at home/hotel/sleeping). Once you start getting paranoid, it's a spiral. And hey, if you do get raided, there's probably a small benefit to be gained by having some accidental shots not be fatal, right? But no one takes any of this stuff seriously in general, so body armor is likely to get a friend to call the psych ward. Even the BTC or darknet forums. They suggest walking into a bank to buy BTC. Or meeting a stranger in public. Two great ways to link your meatspace and BTC identities! Sigh.
Anyways, I recovered by going back to axioms, or trust anchors. Stuff like, "I trust Tor will not reveal my source IP on this persona in under a month", then build from there. The product idea didn't work out, so I dropped the "experiment". I kept smart cards, FDE, multi VM, and tamper evident seals/stickers, but otherwise went back to normal.
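The "how many bits is it leaking" accounting from the reply above, written out as a small worked example. This is added illustration, not code from the commenter or from anything discussed in the thread. The model it assumes is the simplest one: start with a candidate population of 2^N people, and each disclosed fact shared by a fraction p of that population removes -log2(p) bits if the facts are independent; correlated facts are handled by an explicit overlap discount. Every population fraction below is constructed for the example (the "arrested for pot in '06" fraction is chosen so that it reproduces the 2^28 to 2^20 drop mentioned in the comment, not measured from any real data).

```python
import math


class PersonaLedger:
    """Track how many identity bits a persona has leaked (constructed model).

    Assumption: the candidate population is 2**population_bits people and
    each disclosed fact, shared by fraction `fraction` of them, removes
    -log2(fraction) bits when independent of earlier facts. Callers pass
    `overlap_bits` to discount facts that are correlated with earlier ones
    (e.g. a time zone that is already implied by a stated home country).
    """

    def __init__(self, population_bits: float):
        self.population_bits = population_bits
        self.leaks = []  # list of (label, bits_removed)

    def disclose(self, label: str, fraction: float, overlap_bits: float = 0.0) -> float:
        """Record a leaked fact and return the bits it removed."""
        if not 0 < fraction <= 1:
            raise ValueError("fraction must be in (0, 1]")
        bits = max(0.0, -math.log2(fraction) - overlap_bits)
        self.leaks.append((label, bits))
        return bits

    def bits_leaked(self) -> float:
        return sum(bits for _, bits in self.leaks)

    def bits_remaining(self) -> float:
        return max(0.0, self.population_bits - self.bits_leaked())

    def candidates_remaining(self) -> int:
        """Approximate number of people still consistent with every leak."""
        return max(1, int(round(2 ** self.bits_remaining())))

    def is_practically_identified(self, threshold_bits: float = 10.0) -> bool:
        """Below ~2**10 candidates an investigator can check them by hand.

        The 10-bit threshold is an assumption of this example.
        """
        return self.bits_remaining() <= threshold_bits

    def report(self) -> str:
        lines = [f"population: 2^{self.population_bits:g}"]
        for label, bits in self.leaks:
            lines.append(f"  -{bits:5.2f} bits  {label}")
        lines.append(
            f"remaining: 2^{self.bits_remaining():.2f} "
            f"(~{self.candidates_remaining()} candidates)"
        )
        return "\n".join(lines)


def chat_slip_example() -> PersonaLedger:
    """Walk a persona through a few casual slips (all fractions constructed)."""
    ledger = PersonaLedger(population_bits=28)
    # One in 256 of the population shares this record: 8 bits gone, 2^28 -> 2^20.
    ledger.disclose("arrested for pot back in '06", fraction=1 / 256)
    # Active only 18:00-02:00 UTC narrows the plausible time zones: 4 bits.
    ledger.disclose("only online 18:00-02:00 UTC", fraction=1 / 16)
    # Username lifted from an obscure novel: 6 bits on its own, but readers of
    # that novel skew toward the time zones already leaked, so discount 2 bits.
    ledger.disclose("username from an obscure novel", fraction=1 / 64, overlap_bits=2)
    return ledger


if __name__ == "__main__":
    ledger = chat_slip_example()
    print(ledger.report())
    # One more "harmless" remark and the persona is down to a hand-checkable list.
    ledger.disclose("mentioned local team in the World Cup", fraction=1 / 8)
    print(ledger.report())
    print("practically identified:", ledger.is_practically_identified())
```

The point the numbers make is the one in the comment: no single slip is fatal, but the bits add up, and the only lever the persona controls is how many facts it volunteers and how correlated they are with facts already out.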
I find it easiest to think in terms of "What cost would it take to defeat security here, and who does this price out of the market?" Defenses raise the cost of attacking, they don't defeat all attacks forevermore.
Thinking things through this way will quickly clue one into the notion that it is much more important to pick a good adversary than to pick good defenses. I strongly recommend not picking the USFG, or any other nation, as an adversary. You will not win. The price of your identity is not measured in aircraft carriers. Their budget is.
Yeah, but where is the fun in that? If you remove state level actors, you get to do all sorts of weak stuff like "yeah I checked my email from a cyber cafe without Tor once".
I do concur though. Basically my analysis came to that any customers that really wanted or needed the level of service I was considering would probably not be around long, even if I stayed hidden (purely to avoid getting subpoenas to expose them - my plans were totally legal). And if they didn't really need that level of safety, then they would not use my product, because the limitations and costs would not be worth it.
On the flip side, look how long SR operated, and how "easy" a job LE had. If Ross would have been content to have a dozen million dollars and move on early, he probably could have gotten away with it.
There's only one way to evade law enforcement for a long time, and that isn't it (in fact, it's kind of the opposite). The key is that doing business requires relationships -- very strong or very weak and everywhere in between -- and every relationship can be exploited. The more evasive your persona is, the more elusive, the less business people will be willing to conduct with you. So the more you try to hide, the less business you'll do and your crimes won't pay even without any enforcement involved -- you'll be punishing yourself for very little reward.
The way police think is like this: first they'll find someone close to you and try to flip them by exerting pressure (on them or on you). If you don't conduct business with close relationships but with strangers, they'll plant an agent. The more secretive the crowd you hang with, the higher the chances the man on the other end is an agent. If your strategy is that no one knows anything about you, you'll find that you won't be doing much business anyway, and so wouldn't become a police target anyway, and if that's the case, you've gone through a lot of trouble while simply remaining a small fish without any evasion would have been better. So the hiding technique you describe might work for a one-time crime.
The only technique that works for any significant amount of time actually relies on very strong relationships: organized crime. It is a feudal system of patronship and loyalty -- your employees depend on you and they'll be willing to go to jail for you -- combined with the very powerful stick of physical intimidation, so that people are afraid to snitch on you.
In the case of this Ross, did he really need to cultivate relationships that required personal details leaking? From his story it doesn't seem much of the case. After some initial startup time, people were just willing to trust SR (the stupid ....). The hustle to sell some initial product looks to be the only exception, and yeah, with no risk you might have a hard time starting a business.
The ideas I've outlined would work for more than one person, though I'd be very hesitant to trust others, and you would need to find such candidates in the first place.
Hiring agents should have been taken as a given. You're paying someone a few thousand bucks, and you don't think they're going to sell out if someone comes along that has far more? SR should have been robust to malicious actors. DPR can keep the root level stuff to himself, while allowing his admins to have limited tools. Periodically review stuff.
I fail to see how organized crime would be an option for someone like Ross, wanting to start SR. So while that may be an option for some (a Mafia style threat profile is not something I'd likely be happy with) it's not really that viable for a random startup. I mean, here's another way to be immune from a lot of regulations: be really rich!
Also, when I say persona, I'm referring to the currently active one that you're using at the moment. Silk Road claimed to have been run by a line of these guys. Yet there was no real evidence of that, eh? If multiple personas had been properly used, we'd see changes on the site, the staff would know, you wouldn't have old documents, etc. That's what I mean by fully going into a persona. You might use one disposable persona to buy an order or two of bitcoins. Another to run a server. Etc. Anywhere you need to draw a line between one act and another.