Who here takes those extra precautions?

Well who hear acutally takes all those extra precautions that binary shadow recommends (such as encrypting your email, wearing gloves and a hat when sending your western union thing etc), because it seems like most people here dont even do that and that those precautions are un nessescary if your not in the US (no offense to you binary shadow), im most likely wrong anyways lmfao but i just wanted to see what the consensus was on here.

 

I don't take many of those precautions, mostly because I don't have much to loose at 17. If I was 35 married with a good paying job, I would definitely make more of an effort to cover my tracks. Until then I'll continue sending autographed photos of myself with every payment I send through the mail.

 

No offense taken at all =). I will just say that I have been on source forums with 200+ members where the rule is everyone needs to have a public encryption key on display at all times. Have also been on forums that ran on Tor hidden services which can only be reached by Tor, and 9 / 10 vendors who sell anything more than analogs will not reply to E-mails that are not encrypted.

Is it necessary to take security precautions? No, but necessary needs qualified. It's all about statistics. Dozens of people in the United Kingdom have been raided for getting personal amounts of analog chemicals (I think this was before they were specifically illegal also but not sure, but today essentially all tryptamines and phenethylamines are illegal in the UK):

http://www.guardian.co.uk/technology/2005/may/26/drugs.sciencenews

I bet those people wish they encrypted their E-mail conversations. I know for a fact that these people, the steroid people, wish that they used solid encryption instead of highly flawed hushmail. The steroid scene was structured pretty much exactly the same was as the recreational drug scene is, the only difference was it was ten times bigger, but these days there are source forums with multiple thousand members and that is dangerously close to the size of the steroid forums:

http://sports.espn.go.com/espn/news/story?id=3033532

I mean we already know how trust worthy hushmail is, and its not just a hushmail design flaw its a design flaw of any server side encrypted E-mail system:

http://www.wired.com/threatlevel/2007/11/encrypted-e-mai/

Plus we know SWIM works about as good as nothing (that was a fairly big saying on many steroid forums). As for being a researcher or not for human consumption, let's not forget how good that worked for the pre-webtryp vendors:

http://en.wikipedia.org/wiki/Operation_Web_Tryp

Plus with the HUGE amount of media attention already on the scene TODAY:

United Nations on Internet Drug dealers:

http://www.un.org/apps/news/story.asp?NewsID=30203&Cr=illicit&Cr1=drugs

Drug Dealers use Postal System For Distribution:

[WARNING GOVERNMENT LINK http://www.usdoj.gov/dea/pubs/cngrtest/ct052600.htm {WARNING GOVERNMENT LINK]

they already know people are using crypto, and even admit that it really fucks up their operations:

http://www.radioaustralia.net.au/connectasia/stories/200902/s2496892.htm

Plus I can find literally half a dozen links from British media going on and on about the analog drug trade and calling China out. IMMENSE pressure is on Chinese vendors these days. Oh yeah not to mention BBC is doing a documentary on the scene. Remember what happened after the last documentary?

Dateline X-Files if anyone remembers the Hive and Strike:

here is part on on youtube: https://www.youtube.com/watch?v=Bxk8tRBp1mU

some info about the hive:

anyways yeah I could go on and on. To answer your question better I guess I would say, maybe security precautions are not needed now for the analog market. But do you need to reinforce your house before a hurricane comes? Nah, no hurricane so your house is fine. But then when the hurricane comes you are fucked and it is too late to reinforce. Well a hurricane is coming and there are going to be casualties, and the casualties are going to be the people who don't take security precautions. Vendors take too many security measures for most of them to be busted. Busting of customers is far easier and a number is a number. That's all I am saying, take it for what it is worth.

 

I would have to say I do not use every precaution, but when dealing with vendors I do use some precautions. I use a Flashdrive with Tor, firefox, and thunderbird. I have all java, js, flash, etc... disabled and clear all data after each use. I use my laptop with local wifi connections. As far as the hat and gloves i tend not to use the gloves, but i use that hat! I use a different location for WU everytime and pay cash! I use 3 different P. Mail boxes so that i can rotate at will. That is all. everything else i do on the home computer is pretty open for discussion...

 

i've ordered once and i didn't take many precautions. i'll be more careful next time, but probably won't encrypt my email and all that. if hushmail/safemail is not good enough, how bad is google mail?

 

WORSE gmail has all kinds of "record keeping" on and off the record!

 

Gmail is pretty horrible when it comes to privacy (as is everything related to Google), but at least they don't use Java applets like Hushmail does. Funnily enough I would say Hushmail is one of the least secure E-mail providers there is:

1. They can decrypt your E-mails essentially at will
2. They can get around anonymity technology by using bugged Java applets.

 

Well - then what's the point of hushmail then? I stupidly thought hushmail was more about protection. They even had a stupid story on NPR - National Public Radio. I wish I could just get an encrypted undrugged email address, or somehow make my own with my own server, etc. Screw all the other bullshit - especially hushmail!

 

Hushmail has no point, it is a totally worthless service for ANYTHING illegal or questionable. If you need secure E-mail for legitimate communications, Hushmail is better than most E-mail services as far as security goes, but for things of questionable legality or blatant illegality Hushmail is actually WORSE than most other mail providers.

I think Undrugged WOULD offer secure encrypted E-mail if such a thing as server side E-mail security was a possibility. Here is a quick run down of how encryption works:

Asymmetric encryption is usually what is used to encrypt communications. It is like an open key lock and a key that opens it once it is closed. You give all your friends your open lock, hell anyone you want to really they can't do anything with it but close it. Then they take a metal box (encryption algorithm) and put a message in the box. They then lock the box with your key. Thanks to advanced encryption algorithms, this metal box can not be broken open even by the government, if strong enough encryption is used (although it is arguable agencies such as NSA, if they have quantum computers, could break asymmetric encryption, that is another story and not relevant to any of us anyways). The only realistic way to open the box is to use the key that only you have. People can try to guess the key, but a good crypto set up will have so many possible keys that even a super computer (Short of a quantum computer) can't try all the keys before the end of human life on earth. The most popular asymmetric key systems are based on the RSA problem, which is the difficulty involved in factoring a large composite number that is the product of two primes into two primes. A standard RSA key is probably around 2,048 bits, which means that there are as many possible keys to the corresponding lock as there are prime numbers that are 2,048 bits. There are

8.079251518e+615

numbers that are 2,048 bits but most of them are not prime. Thats why asymmetric encryption needs bit strength to be secure, symmetric encryption takes all numbers into account even if they are not primes (and are immune from quantum computer attacks, but not good for communications as a shared key is needed, there is no open lock like with asymmetric encryption).

Anyways you give your buddy your open lock, he writes a message to you and puts it in a metal box then closes the metal box with your lock. He can't open the box even, only you can. He then sends a messenger (the internet) to deliver the box to you. You know even if the adversary captures the messenger, they can't open the box. Neither can the messenger. When the box gets to you, you open it with your private key and read the message. There is some chance to adversary or messenger will simply find another one of your open locks, write a new message to you and close it in their own metal box and pretend it is the original message to you. For that there are digital signatures, where the signature is like a seal and the key is like a stamp. Once you get the box and open it with your key, you can compare the stamp on the message to a previous trusted stamp and see that it is really from who you think it is. Again, there are quadrillions of possible stampers and it will take an adversary an EXTREMELY long time to forge someone else's stamp. Also, they can't reconstruct the stamp just by looking at the signature, because the message is used as part of the calculation as well.

Usually people keep their private key symmetrically encrypted. Symmetric encryption takes all numbers into account (not just primes) and is much more secure (quantum proof) but can't really be used for communications like I already said (with out fairly complex key distribution hybrid systems). Symmetric encryption is like a combination safe, and the password is the combination. 256 bit encryption has:

115792089237316195423570985008687907853269984665640564039457584007913129639936

possible combinations. Even a quantum computer isn't likely to be able to try that many combinations before we are all dead anyways, although it is worth noting that against a quantum computer 256 bit symmetric encryption is = 128 bit symmetric encryption versus a traditional computer.

So pretty much, Alice wants to write Bob a message. She writes the message, puts her unique stamp on it and puts it in a metal box. She then locks the box with one of bobs open key locks. After she locks it, even She can't get it back. She sends her messenger to deliver the box to Bob. The messenger can't see the message, and he can't simply make a new one as he doesn't have Alices stamper. Bob gets the box from the messenger, goes to his combination safe, dials in his combination (types in his password) and then retrieves his private key and a copy of Alices stamp he trusts is really hers. He uses his key to unlock the box, takes the message out, and compares the stamp to the one he has on record.

Hushmail works in essentially the same way, but they keep your combination safe for you. Hushmail can work with either Java or Javascript. With Javascript, you tell them your combination on an as needed basis, and then they open the safe and hand you your key. When you are done they "forget" your combination, and they put your key back and close the combination safe. The problem with this is, if they are ordered to, they can simply remember your combination and then take your key out whenever the hell they want. The other option, Java, is even worse really. They can simply send you a bugged Java applet that sends your key to them as you type it, then they log it and can access your key whenever the want. The reason Java is even worse is because Java can force a UDP connection (a protocol not supported by Tor) to a server in hushmail (or the feds) possession, and they can log your real IP address.

NO SERVER BASED EMAIL SYSTEM IS SECURE FROM THIS ATTACK. All server based E-mail systems keep your safe on their servers, and there is ALWAYS going to be a way for them to get your key, either by remembering your combination after you log out, not putting your key back in the safe when you are done with it, bugging your computer with their applets, whatever. Server side encrypted E-mail is NOT REAL. It is bullshit advertising that cost hundreds of people their lives when the assholes at hushmail over promoted their shitty product.

If you want encrypted E-mail, you can't trust Hushmail anymore than you can trust Undrugged or your own mother. The only way to have truly secure encrypted email is to do it yourself. The best bet for that is to use GPG which supports RSA problem (two primes) based encryption, and also symmetric (combination lock) encryption. It isn't that hard to learn to use and it could literally save your ass.

Elliptic curve crypto is what really interests me, but thats for another rant =).

 

Oh also, if you are traced down and get your door kicked in in the UK the government can just order you to reveal your keys and if you don't you will go to prison for a long ass time anyways. In the USA the issue is likely to go before the supreme court pretty soon. That's the reason you should use Tor and WiFi too: Encryption so they can't see what you say, Tor + WiFi so they can't find you and demand you give them your key anyways.

There is also a way to encrypt two messages with two passwords so that if you are ever busted you can reveal one password and they can't prove that you didn't reveal the other one or that you even have another password, truecrypt can do this for symmetric encryption, for asymmetric deniable encryption it is much more complex though. A good practice would be to use encryption and steganography (Steganography is where you hide something in something else, usually a picture, so that someone can't prove you are sending messages and not pictures), but AFAIK no vendors use steganography just encryption and Tor.

 

wouldn't that (2 passwords) make it seem to the cops that you just gave them a fake password?

and what's stopping anyone from doing that?

 

They can't tell you have two passwords =).

 

This is very interesting, what email do you recommend i use?

 

I do it a real safe and easy way. I use a little Puppy Linux flash drive that boots up an entire operating system that I can use. The OS is free, and you'd need like a $10 flash drive.

Linux on a flash drive, proxies, encryption, Tor and using a fake name is the safest you could possibly be. However, I tend to use less precautions with trusted vendors that I know are operating pretty safely.

 

Wait, but whats the point of doing all this encryption stuff if your getting it mailed to your house (thats what im doing, and im pretty sure thats what most people do)

And also im in canada, so the DEA wouldnt have jurisdiction to kick my door down

 

No they wouldn't, but they would contact your local police with all the information and investigation material

 

i'm not saying your wrong, cuz obviously i don't know...

it seems to me that if you had two passwords, they'd make you give one, try to use it, it wouldn't work, so they'd say give us the real password or think that you gave a fake one (since they can't tell you have two)

so why not just refuse to give them the password in the 1st place, or give a fake? since that's the end result in the cops' eyes anyways

 

Hehe both passwords decrypt the encrypted file into two different things.

One encrypted file, when I decrypt it with the password "Hereismypassword" it decrypts into a bunch of sensitive things like liberty reserve account numbers and details. When I decrypt it with the password "Decoypassword" it decrypts into some shit I don't care if the cops see, like porn or something I can say I was hiding from my girlfriend or whatever.

If they demand I give a password I give them the one that decrypts the porn, and they can't prove that there is another password that decrypts it to something else.

The same thing can be done with operating systems on the full drive level with Truecrypt. You can encrypt two identical operating systems with different passwords, and at start up you enter "password" to decrypt and load your OS you use for sensitive things (buying drugs) and "decoypassword" to decrypt the OS you use for every day things like playing games and torrentz. If the cops demand you give up a password or you will be thrown in prison (in the UK you must give a password, in USA it hasn't gone to the supreme court yet but is on its way there) you just give them your decoy password and they find nothing incriminating and they can't prove you had a hidden password either.

 

The chances of a package getting intercepted range from fairly low to extremely low depending on what you are getting and where you are getting it from. The chances of a vendor having his E-mail tapped are significant, and when they see your shipping address after watching you place an order with the vendor, they can simply flag your home address and easily intercept the package then kick your door in. Canada the laws are different than USA and UK, you can get away with a lot more research chemicals there and not be at serious risk. Some parts of Europe can get away with research chemicals as well. Still best to use encryption though, who knows when the law will change there and do you want your name to be on a list of people to be cautious about? Also anything less gray than analogs is still illegal in those places (although the lucky people in most of Europe will only get a slap on the wrist if they are caught getting illegal drugs).

 

My vendor seems pretty smart though, they specifically do not ship to the US, so im sure they would also encrypt their emails