Messages - astor

1
First, I'd like to thank everyone in this thread who supported me. I'm glad to see all the help I gave people wasn't destroyed by accusations from some troll.

SSBD, you're right, nanpa spent months on the forum shilling for the Atlantis admins. He's a terrible judge of character.

nanpa, fuck off, douchebag.

Also this is a blatant lie:

    I REALLY TRIED TO GET SOMEONE TO LISTEN .....  IMO  Astor's replies to me were suspect, the ONLY Admin I trusted was Inigo

I was never an admin and never messaged that guy.

As for "ingratiating" myself with DPR, I exchanged all of maybe 5 PMs with him ever.

Finally, and much more importantly than all this bullshit, Tor is dead.

The gaping hole in the criminal complaint is how they identified the servers. We will never find out how they did it, but I don't trust Tor anymore. It is unsafe to run a hidden service that piques the interest of three letter agencies. If you do that, you are going to lose.

I see everyone is going to BMR. I believe that is a mistake. BMR will be next. We need a system better than Tor.

Signing off for the last time.

-astor

2
I've been collecting my thoughts over this tragedy. I may have some final things to say, but I don't feel like dealing with this bullshit.

One of the few things that they admitted in the criminal complaint that actually works is PGP, and that was the biggest thing I advocated in my time here. If I was LE and everyone had taken my advice, then I would have fucked my own investigation. Instead, they have 1.2 million unencrypted messages and who knows how many unencrypted addresses. If the server was being watched since July, they may also have thousands of addresses that are encrypted that would have otherwise been unencrypted, if it wasn't for the efforts of myself and others to challenge people to increase their security.

You can believe what you want. I'm just an anonymous dude on the internet.

3
Security / Re: Safest methods Tails VPN wtf???
« on: October 02, 2013, 03:40 pm »
Running Tails in a VM defeats the two main advantages of using Tails.

1. Leaving no trace on your computer. If you're running it in a VM, then the system image is on your hard drive. The reason most people want to use Tails is so they can put it on a thumb drive that is easily destroyed, swallowed, flushed down the toilet, etc., leaving no trace of Tor activity on their computer. If the shit hits the fan, you won't have time to properly wipe your drive or that file.

2. It's based on Linux, so the attack surface for malware is much smaller. Assuming Windows is your host operating system, your Tails VM is potentially vulnerable to the malware that infects Windows.

If you're going to run something in a VM, you might as well run Whonix, which isolates Tor in a separate VM and gives you a little better security, although you need to store the images in an encrypted container, or install a custom Workstation with full disk encryption, because unlike Tails, data is stored unencrypted in the default Whonix Workstation.

Unfortunately, Whonix hasn't been updated in 6 months and the Gateway VM still uses Tor 0.2.3, and upgrading it to Tor 0.2.4 seems to break the Gateway for a lot of people. I haven't explored it enough to figure out what the safe upgrade path is (i.e., which changes should be accepted and which shouldn't during the upgrade), although I did get Tor 0.2.4 working in the Gateway before. Expect Whonix to be slow with Tor 0.2.3 because of the botnet.

OTOH, the latest version of Tails upgraded to Tor 0.2.4, so kudos to them. The main problem with Tails is the lack of persistent entry guards. That should be TODO item number one. I don't know why it isn't. You should manually set bridges to get persistent entry guards.


BTW, Tails isn't the best way to browse SR. Take a look at this thread:

http://dkn255hz262ypmii.onion/index.php?topic=201622.msg1448383#msg1448383

In the two months since that thread was started, a paper came out about external passive surveillance of the Tor network,

http://dkn255hz262ypmii.onion/index.php?topic=209514.msg1512060#msg1512060

and we've learned a lot about massive surveillance by intel agencies. These revelations have changed the game, imo.

I honestly don't know what to tell you now. Tor may not be sufficient to protect you against near-global surveillance by cooperating intel agencies. It seems that all low latency anonymity systems are fucked. The Tor Project web site admits as much, right on the main page:

"For most uses, Tor provides the best available protection against a well-resourced observer. It's an open question how much protection Tor (or any other existing anonymous communications tool) provides against the NSA's large-scale Internet surveillance."

The people I talk to who know a lot about anonymity systems seem to think that high latency mix networks are the only way to get anonymity in the face of this surveillance.

The only thing I can tell you in the meantime is to tunnel out of and/or avoid the countries with the most aggressive surveillance.

4
Off topic / Re: Hey, come chat with us!
« on: October 02, 2013, 01:04 am »
Backup channel is closed. Bring a friend and some party favors to the official server.

Synchronized get-fucked-up-on-whatever-you-want to celebrate the return of silcroad?

5
I guess we are using the term CA differently. A certificate authority to me is one of the 650 countries or companies that get their root certificates installed in various products like browsers. So if the NSA can get any one of those root certificates, they can sign a client certificate to MITM you (unless the certificate is pinned). With OpenVPN you are given one root certificate by your provider. It's a lot harder to MITM because the client certificate has to be signed by that one root certificate, not any one of 650. Unless there are other weaknesses in the protocol, OpenVPN is a lot safer than HTTPS, which can be broken by stealing, hacking, or brute forcing any of the root certs in your browser.

The CA system is shit precisely because it relies on the security of 650 independent entities, and is only as secure as the most insecure one, and we know some of them have been hacked. We can also be 99.9% certain many of them have turned their root certs over to the NSA.


Meanwhile, a random person or organization that signs their own cert is not a certificate "authority" by my definition. I can sign a cert for my web server and your browser will act like your computer is going to explode when you encounter it. Although if you accept my certificate, you can't be MITMed thereafter.

6
Clearnet:
http://www.nytimes.com/interactive/2013/09/27/us/who-goes-to-work-during-government-shutdown.html?_r=0

Sounds like our good ol' Uncle Hank and the rest of his DEA shills won't be taking any time off.

Yeah, everything in the OP is directed at DEA contractors. DEA employees will still be working, even if they aren't paid. Same for:

http://www.washingtonpost.com/politics/government-shutdown-begins-senate-expected-to-reject-latest-house-proposal/2013/10/01/ef464556-2a88-11e3-97a3-ff2758228523_story.html

"Others, including Border Patrol officers, prison guards and air traffic controllers, were required to work but were told they may not be paid."

"The Justice Department will continue criminal law enforcement but suspend many civil cases"

They're never telling LE to go home. Plus this will probably only last a few days to a few weeks at most.

7
Security / Re: Blockchain.info all jacked up for anyone else?
« on: October 01, 2013, 05:05 am »
Yeah, that will work.

The whole point is so anyone watching the mixer doesn't see:

1.327 BTC -> mixer -> (2 or 3 transactions to same address) -> 1.327 * (0.97 to 0.99)

That would be relatively easy traffic analysis.

8
Security / Re: Blockchain.info all jacked up for anyone else?
« on: October 01, 2013, 04:05 am »
No, they still go through Fog.

Whatever wallet they are in now, they go to 2 or 3 different Fog addresses. Then coming out, part of them go directly to an SR address, the other part go to an Electrum address, and then a different SR address.

9
Security / Re: Blockchain.info all jacked up for anyone else?
« on: October 01, 2013, 03:52 am »
The transaction fees may turn out to be less with more transactions, because a single transaction can be charged up to 3%, but with several transactions, the average across them tends to be about 2%.

If you don't have extra coins to split out, send them to different addresses in 2 or 3 transactions, several hours or days apart. For extra safety, you could withdraw part of them directly to your SR address and the other part to your Electrum address, then change your SR address and send the Electrum coins to SR.

That would make it a lot harder to link the coins coming out from the coins going in, which would only require looking for coins going to an address linked to the mixer worth 1-3% more than the coins coming out.

BTW, you should edit out that bitcoin amount, because it's very specific and should be easy to identify in the block chain. We would be better off if we all used round numbers like 1.0 or increments of 0.1. That's how Zerocoin will work.


10
Security / Re: Blockchain.info all jacked up for anyone else?
« on: October 01, 2013, 03:37 am »
Would I be fine transferring my BTC from Localbitcoins to the Fog, to Electrum, then to SR?

Should be fine as long as you break up the transaction amounts to avoid traffic analysis on the coins going in and coming out of the mixer... and Fog isn't operated by the feds. :)

11
Security / Re: Blockchain.info all jacked up for anyone else?
« on: October 01, 2013, 03:29 am »
None unless you absolutely need to use them. You should be using Bitcoin-QT or Electrum over Tor, although Electrum is only safe when using hidden service Electrum servers. There's a bug that bypasses Tor when connecting to clearnet servers. You don't need JavaScript at all to use desktop apps. :) But if you must use blockchain.info, Tor with JavaScript is better than clearnet.

12
Security / Re: Blockchain.info all jacked up for anyone else?
« on: October 01, 2013, 03:21 am »
NoScript icon in toolbar -> Options -> Whitelist tab

13
Security / Re: Blockchain.info all jacked up for anyone else?
« on: October 01, 2013, 03:08 am »
The site is working fine for me.

Is Blockchain alright to use on the Clearweb? Because I'm trying to create an account on it, and since I have Java and some others disabled with Tor, I can't see the Captcha or even press "Create".

I saw the admin claim in a bitcointalk.org thread that their server has a small SSD drive and can only store 8 hours of logs at a time, but I wouldn't take his word for it. If you want to remain anonymous, using Tor with JavaScript enabled is much better than connecting over clearnet. Just whitelist the domain blockchain.info.

14
I would imagine that, for a well resourced attacker able to eavesdrop the VPN initiation traffic, nearly all PPTP VPNs can be cracked on the fly as near as dammit assuming they are MS-CHAP/v2 derived which nearly all are. I assume that the same is true for L2TP where MS-CHAP/v2 is used.

We trust this is not the case with a 'properly' configured IPSec VPN or TLS/SSL VPN. Quite what 'properly' means is open to debate at the moment but potentially excludes SSL/TLS authenticated with mainstream CA issued certificates if recent disclosures are accurate. (Depending on how the certs were configured and installed, the CA may retain a copy of the private key)

Do OpenVPN servers use CA certificates? I know they usually give you a cert called ca.pem, but I thought that was a self-signed cert. Every guide I've seen for setting up OpenVPN servers includes instructions on generating these certs, with no mention of buying them from certificate authorities. Most of these are 2048 bits, so not trivial to brute force, unless there are other weaknesses, or they steal the root certificates of major VPN providers. Perhaps it's a good idea not to use popular providers that everyone talks about, like HideMyAss and Private Internet Access, since these will be big targets for certificate theft.
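Added example, not part of the forum posts: the trust-model difference described in the two posts about CAs and OpenVPN's ca.pem, checked with the openssl CLI. The same server certificate is accepted by a store that holds several roots and rejected by a client that trusts only the provider's root. The names provider-root, other-root and vpn.example are constructed, and all keys are throwaway files in a temporary directory.

```shell
#!/bin/sh
# Added example. Constructed names: provider-root, other-root, vpn.example.
# Needs the openssl CLI; every key and cert is a throwaway file in a temp dir.

# make_root NAME DIR: create a self-signed root certificate marked CA:TRUE
make_root() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -config "$2/ca.cnf" \
        -subj "/CN=$1" -keyout "$2/$1.key" -out "$2/$1.pem" 2>/dev/null
}

# verify_against TRUSTFILE CERT: succeeds only if CERT chains to a root in TRUSTFILE
verify_against() {
    openssl verify -no-CApath -CAfile "$1" "$2" >/dev/null 2>&1
}

# Prints how the same server cert fares against a multi-root store and a single root
trust_demo() {
    d=$(mktemp -d) || return 2
    cat > "$d/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
EOF
    make_root provider-root "$d" && make_root other-root "$d" || return 2
    # Server certificate issued under other-root, not under the provider's root
    openssl req -newkey rsa:2048 -nodes -config "$d/ca.cnf" -subj "/CN=vpn.example" \
        -keyout "$d/srv.key" -out "$d/srv.csr" 2>/dev/null || return 2
    openssl x509 -req -in "$d/srv.csr" -CA "$d/other-root.pem" \
        -CAkey "$d/other-root.key" -CAcreateserial -days 1 \
        -out "$d/srv.pem" 2>/dev/null || return 2
    # Browser-style store: trusts every root it holds
    cat "$d/provider-root.pem" "$d/other-root.pem" > "$d/many-roots.pem"
    if verify_against "$d/many-roots.pem" "$d/srv.pem"; then many=accepted; else many=rejected; fi
    # OpenVPN-style trust: only the provider's ca.pem
    if verify_against "$d/provider-root.pem" "$d/srv.pem"; then single=accepted; else single=rejected; fi
    rm -rf "$d"
    echo "many-roots=$many single-root=$single"
}

trust_demo
```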

15
Security / Re: VPN Whonix/Tails
« on: September 30, 2013, 07:39 pm »
Not sure how to use VPN with Tails, but with Whonix you could start the VPN software on the host OS so it would tunnel all the Whonix traffic through the VPN. You should use a clean host OS for that, so there is no unwanted information getting transmitted through the VPN.

Tails doesn't support VPNs out of the box and the developers are against it. Easiest way to use a VPN with Tails is to buy a router that supports OpenVPN and set it up there.