# How to Buy Steroids Online- Your Guide to Electronic Security



## PRIDE (Sep 13, 2011)

by: bigmotherpucker 

Staying secure and anonymous Online is a topic which most people misunderstand. In this hobby/industry security and anonymity are paramount to the safety of anyone involved in buying/selling or the possession of AAS yet it is a topic which has spawned many myths and totally useless concepts. These concepts are blindly followed by new sources and those new to the hobby alike. If you are looking to buy steroids online then please read the following, who knows it may save you some day.

Surfing

Many people overlook anonymity when surfing steroid related websites with the mindset that such would never be used against them. This however may not be entirely accurate. When criminal activity is involved law enforcement may use online communication as evidence that someone was involved in committing a crime or was an accessory to a crime which has been committed. This evidence is often seen as admissible and is easier to get qualified as admissible due to the lack of technical understanding on the part of most judges today.

An example of this occurred in 2004 when the forum shadowcrew was taken down in joint operations between the US and Canada resulting in 38 arrests in total. Now you may be thinking “but we are not thieves” and this is true but you must always remember that according to current laws steroid sales and possession is illegal. You are, according to law enforcement, either drug dealers or drug users and because of this you are at risk even if the risk appears to be a small one. In 2004 their focus was on carders, now and in the future it could be steroid users and sellers.

So how do you protect yourself? The first step is to use a proxy chain to hide your Internet Protocol (IP) address, not a singular proxy as most people are used to as this creates a single point of failure and a single server for law enforcement to commandeer and sniff traffic/read logs as you can guess by now, the typical advice you hear in the AAS community on proxies just isn't up to snuff. What is needed is a SOCKS proxy chain. Lucky for us all of the complicated aspects of this have been done for us by The Onion Router (TOR) team. Start by downloading TOR's Vidalia bundle from Tor: Download. This software bundle contains Tor, Vidalia, Privoxy, Torbutton and more depending on which bundle you choose. To install and configure the bundle follow the instructions found here: Tor: Documentation. Privoxy is used to prevent DNS leaks as well as some sidechannel attacks using TOR exit nodes assuming that flash/cookies/JavaScript are filtered out using the proper configuration and TOR is used to route traffic over several hosts (3 to be exact) before it reaches the final website. This traffic is also encrypted with 128bit AES encryption. You could otherwise use HTTPS://xerobank.com/download/xb-browser/ which does the same thing.

To take this a step further change the DNS server being used to OpenDNS. To do this follow the directions here: HTTPS://www.opendns.com/start/. By doing this you are no longer using your Internet Service Provider's Domain Name Servers (if you don't understand what this means don't worry about it) which in turn adds another layer of security.

More Options

Now don't get me wrong the above will work for most people but if you really want to protect yourself and your family you will want to go the extra mile. Nothing is perfect and even if we do secure ourselves in our electronic storage and communication it is still possible to get caught via a source whom cuts a deal with the police or a number of other situations which end in a controlled delivery and formal charges against you. If this were to happen it is almost guaranteed that your computer equipment will be seized, handed over to a computer forensics expert and gone over with a fine tooth comb. In such a situation it would be best to have all of your data and configuration on a separate device which you could easily hide, or even better destroy. This can be done using a flash drive with a couple of different approaches. The first approach is to install only the software you intend to use for purchase and sale purposes such as the browser and TOR bundle on the flash drive. This is easily done using the Tor Browser Bundle for Windows or xB Browser, both found on the download pages previously mentioned. This method is simple and really should be enough to keep any AAS related communication from being recorded on your computer so long s you use only the software installed on the flash drive for such communication, but what if you want to take this further, to be totally sure?

Option number two is to install Windows (or Linux, BSD etc. But this is a windows based tutorial since it is most popular) its self onto the flash drive and boot from it. To do this with Windows XP you can either follow this guide:Windows In Your Pocket : Introduction - Review Tom's Hardware or find a pre-created version yourself by other means. For Vista or Windows 7 you can follow the steps outlined here: Creating Bootable Vista / Windows 7 USB Flash Drive at Kevin’s Blog. It should be rather obvious that after this has been done you still need to add the Tor Browser Bundle for Windows or xB Browser as well.

Jurisdiction and Other Possible Issues with TOR's Network

Legal jurisdiction and network ownership are key to this entire process. If you route traffic through hosts either in the same jurisdiction or on the the same network as each other or networks which are “friendly” with each other it is rather trivial to trace. ISP's use a technology called netflow which can trace traffic across networks they own (source-destination linking) and if a law enforcement agency only needs the cooperation of a couple network administrators or a couple ISPs, your anonymity is as good as gone, this can be even easier for a law enforcement agency to accomplish if they can gain access to a Internet exchange point (IX). If the proper techniques are followed they still will not see what was transmitted as it will be encrypted but they will trace it back to you which gives some strength to a case. To avoid this we must make sure that each time we connect to a website using TOR that the path used crosses multiple jurisdictions preferably in multiple countries which are not on good terms with your own.

The next issue which comes up is something called a timing attack, without going into detail this attack is preformed by analyzing temporal proximity but can be almost totally avoided in the TOR network due to the varying latency of connections within the network. The reason I bring this up is to mention that setting up your TOR client so that it acts as both a client and relay (server) will increase your odds of avoiding this attack while providing some plausible deny-ability that the connection was even created by you, instead blaming it on someone whom happened to use your TOR relay. Not only does setting up TOR as a server help you avoid timing attacks, it also helps you avoid an attack called fingerprinting, where the destination website maybe concluded by the size of the data packets being sent and received.

The biggest fear however to most people when using TOR is a compromise of the exit node. This is the final node in the chain which decrypts traffic and sends it to the webserver. Although some attacks exist to trace the source IP from a compromised end node these are avoided by using the Privoxy software. The data being decrypted however is a significant risk. To avoid this risk we must always use websites which allow SSL connections. To check this all you need to do is use HTTPS instead of just http. Doing this provides what is known as end-to-end encryption and therefore the exit node can not see the data being sent in either direction. If you happen to find a list of compromised nodes on the net you can also block them from being used in TOR. TOR is not perfect but if you do things right reasonable doubt, legal jurisdictions and encryption can save the day. In spite of these “vulnerabilities” at the end of the day I can't find a single piece of case law where someone actually got convicted of a crime based on an anonymity leakage due to a compromise of TOR or any issue with TOR whatsoever. .

Last Words on Surfing

You may have heard of this technology I am going to mention here, nothing new, nothing fancy, just a little WiFi. Many places offer free WiFi and some cities even have free WiFi. Heck some people even leave their wireless access point open and unprotected for anyone to use. This provides the perfect cover. When combined with TOR and a little magic called MAC address spoofing we can almost guarantee that electronic communication will not be the means in which law enforcement will find us. So what is a MAC address, why do we care and how do we spoof it? MAC address stands for Media Access Control address, it is a unique number given to every network interface card produced and is reported to network devices as an identification mechanism. The reason we want to spoof this number is because it is unique, if you were to be connected to a network as the police were monitoring it and later had been arrested, or if the police asked for the data from a cooperative home network owner it could easily link you to the crime. To spoof your network card's MAC address follow the instructions found here: MadMACs: MAC Address Spoofing And Host Name Randomizing App For Windows.

Finally as we end the surfing section of this article I feel the need to state that although TOR is a great piece of software their are some things it does not do which, if you are a multi-million dollar source you would want included in your anonymity regime, but hey to show just what I meant about plausible denyability while running a TOR node just read HTTPS://blog.torproject.org/blog/fiv...-node-operator. Techniques such as traffic padding, multiplexing, crowding,VPN access, dynamic cascades, jurisdiction aware routing as well as others would be considerations at that point but for your average source or customer the methods contained herein will most likely be well beyond overkill. Better safe than Big Bubba's bitch. To truly understand how these things work and to further protect yourself takes effort even software like TorFlow which I would normally recommend can be too confusing to the average source. The bottom line is that your security depends on just how much of the technology you really understand, this guide is only the tip of an extremely large iceberg.

Email

Email, the mainstay of communication between source and client is by far the most misunderstood component in the entire process with concern to anonymity. Sources usually use and require the use of “secure email” services by their clients. However several issues exist with the current approach to so called secure email. Some of these services such as Safe-mail.net only provide anonymity by policy meaning that although they will not hand over your information to just anybody they state in their policies that they will cooperate with police, I do assume meaning when a warrant is involved however the police may not even need one, it i not anonymity by design but only by policy. Other services such as Hushmail – Free Email with Privacy and it's many sister sites have a proven track record of cooperating with law enforcement even when they are not legally required to.

The risk of disclosure to law enforcement by choice is however not the only issue sources and their customers face by using current “secure” email providers. Many if not all of these providers host their services in countries which will cooperate with each other on legal matters. Cyber-Rights.net :// Free, Secure & Private Email is hosted in Canada and even for-pay service Secure email with web based encryption for internet privacy and anonymity is located in Huston, TX. The one exception is Safe-mail.net as it is hosted in Ramat Gan, Israel, with that being said as previously mentioned they are only secure by policy not by design. Nobody knows exactly how much information is retained by these companies which is a huge risk when you consider that deleted email may not actually be deleted after all but instead maybe sitting in previous backups or a database designed to be used for other purposes. A warrant being presented to these providers may land someone whom is active in the AAS community in some big trouble.

The issues don't stop there. Did you know that emails sent from one provider to another are not encrypted? THEY ARE NOT SECURE this makes using the secure email choices offered at the moment totally useless. The reason they are not encrypted when sending between providers is due to different encryption methods used and the lack of shared keys between the providers whom do use the same encryption methods. Although no clear cut solution exists to all of the problems mentioned their are some methods that could work if all sources and clients had a proper grasp of the issues at hand and a willingness to change how email is done in the AAS trade.

Different approaches could work to provide a truly secure email service but all involved need to get on the same page. The first approach would be for a provider to emerge whom will cater to the AAS industry specifically. This provider would need to host the service in an AAS friendly country which will not be willing to cooperate with authorities from other countries such as the US, Canada, UK or Australia. They would also need to encrypt the email using a key created by you with a easy to use yet secure encryption standard such as OpenPGP, this email would then only be stored/sent encrypted with your key or preferably wiped from all inboxes nightly using a deletion method which goes beyond DoD spec. The receiver would also need the other half of the key pair called a “public key” to decrypt your email but for security purposes they would need to either use the same service or use my 2nd option which is to host email in a similar manner offshore and practice proper security by wiping the data in the same manner and storing your public key in a secure manner (on that flash drive I mentioned earlier). The entire issue of a 3rd party email service is trust so for the technically inclined hosting your own email server with proper security practices would be the better choice.

Watch What You Say

In this final section I want to address the most common sense aspect of security, watch what you say to anyone online or off. Anything you say which can be linked back to you can also be used against you in a court of law. Giving too much information away online may allow authorities to locate you as well as set you up for a controlled delivery. It is my opinion that more people are caught for AAS related crimes by their own big mouths than anything else, so please think before you type, the technical side of security is only useful if you can stop yourself from just telling authorities how to bust you and where to find you to do so.


----------

