Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - astor

Pages: 1 ... 14 15 [16] 17 18 ... 208
226
Off topic / Re: my PM to OZ about my history in the drug scene
« on: August 26, 2013, 10:36 am »
Eleusis spent a few years in prison but he was released a long time ago. He's out there somewhere and his real name is easy to find. Just sayin. ;)


Bonus points if you can track down Rhodium and get an interview, although there is a very real possibility that the reason he disappeared a decade ago without comment is that he got busted and is serving a long prison sentence.


227
Security / Re: Theory: Blind markets
« on: August 26, 2013, 10:24 am »
Original BitWasp:  https://github.com/Bit-Wasp/BitWasp

The fork called Amped Market: https://github.com/ampedup/AmpedMarket


228
Security / Re: Theory: Blind markets
« on: August 26, 2013, 10:19 am »
Why not put the code on Github and maybe other people will be interesting and help out? Somebody forked Bitwasp, so others are interested in the same concept, although their approach is different. If they don't know how to implement EKS, they could help with the GUI or whatever.

Why not accept donations? Of course, for that it would be nice to have a semi-working example to look at.

229
Security / Re: Theory: Blind markets
« on: August 26, 2013, 02:24 am »
i'm interested in the concept of a blind market, where the market admins don't know what products are being sold. (This reduces their liability as well.) They only know that buyer1 sent 3 BTC to vendor2 for product <hash3>, or something along those lines. If the market were compromised, LE would only see a series of anonymous transactions for unknown products. The only ones they could deduce would be transactions that they were personally involved in as buyers or sellers.


Now we have the exact opposite. Instead of hiding buyer stats from the admins, they are publicly exposed.

KMF, what is the ETA on that decentralized market?

230
And as a buyer, you can opt-out of leaving a review and even a rating and stay 100% private.

Yes, that's a nice change. There should be an option after you finalize, on the page where you click a rating and leave feedback, to "skip feedback" or "leave no feedback".


231
I won't be participating in this. Going forward, I'll simply finalize without leaving a review.

I also object to my buyer stats being retroactively exposed on past purchases without my knowledge or consent.

232
This feedback system opens up buyers to a variety of new attacks.

Someone scraping the site will be able to reconstruct buyer purchase histories. Imagine a pseudonymous buyer with 10 purchases and $500 spent. A few days later there's a review on a $50 product from someone with 11 purchases and $550 spent. A week later on a product that costs $125 there's a review from someone with 12 purchases and $675 spent. User age (conveniently specified to the day) will further confirm this is the same person.

So what? You say. Nobody knows who it is. Then the attacker turns to the forum and looks for reviews on those products, during the same time periods. Stylometry (the use of specific adjectives, punctuation, etc.) will help link the forum user to the pseudonymous buyer. The attacker can employ a variety of social engineering tactics, now that he has a target with a verifiable purchasing history. He befriends the target, tells him he wants to start vending <target's favorite drug> and would like to test the waters with a custom listing for the target. Now he has an address that can be physically linked to the target.

If you have high stats, you should not be participating in this. If you have $50,000 in purchases over a year and you think LE doesn't care about you because you are a "buyer" and not a "vendor", you will eventually find yourself inside a jail cell.

It's unfortunate, because someone in the SR administration once told me that "obscurity is security". They seem to have forgotten that.



233
Off topic / Re: my PM to OZ about my history in the drug scene
« on: August 25, 2013, 10:12 pm »
Ah yeah I read about Eleusis some, was before my time but he is famous and should certainly be included in the history of the scene as well. JFL, was that the poisonous non-consumables site?

Yep, if he wasn't the first online seller of grey market drugs, he was certainly the biggest in the early days. Got busted in 2001, I believe.

https://en.wikipedia.org/wiki/JLF

Eleusis was busted even earlier though, around 1998, so he may have been the first notable bust of an RC supplier. What I find interesting is that he was not a chemist, but learned how to synthesize I wide variety of drugs, including MDMA and RCs. Starkly different from the 37 pages of fail in the the DrDeepWood thread. :)


Quote
Blog: A dynamic message referenced by a long term public identifier string, only you can modify the message and anyone with its identifier string can download it, this would be a spot where people could list products if they wanted to

PM: A fixed message referenced by an ephemeral shared secret identifier string, Alice tags a message for Bob with a secret one time use identifier shared between Alice and Bob, and this allows Bob's client to obtain the message after it arrives at a PKS.

Group PM: The same as regular PM, but instead of tagging a message with an identifier for Bob, Alice tags it with identifiers for Bob and Carol, and encrypts it so both of them can decrypt it.

Forum: The organization of group PM's into a forum like visual structure, which takes place client side, with each user being the admin of their own perspective of a forum, which itself is crafted using the collection of group PM's as its' threads. So when you gain access to a group PM discussing Astor's blog, you can move it to the subforum vendor reviews, which exists entirely client side on your own system, and when you gain access to another group PM discussing the same thing you can merge it into the original group PM, and replies are compartmentalized such that if you respond to a post from the original group PM it only goes to people in the original group PM, and the same for the secondary group PM, but it gives you the impression of a single thread of messages and of participating on a regular forum on which you are the only admin.

Can't wait to see it.

234
Off topic / Re: my PM to OZ about my history in the drug scene
« on: August 25, 2013, 10:47 am »
Very nice write up, kmf.

OzFreelancer, if you are writing a book about the online drug world, be sure to research and include JFL, Eleusis, and the usenet scene. JFL may have been the first bust of an online drug vendor. It was certainly the biggest and most noteworthy of its time. Eleusis is a fascinating character, even more than strike in my view:

https://www.erowid.org/archive/rhodium/chemistry/eleusis/memoirs.html


kmf, so the messaging system you are working on will function as a distributed market? I'm trying to understand how exactly it will function, like vending through email or forums, or like a market with product listings and cart? You say people can click on a name and pay. I'm just don't understand what it will look like.

235
Customer support / Re: What hapend to GreenOvenDoor
« on: August 25, 2013, 09:13 am »
I gotta say that this whole Silk Road thing may not be worth the trouble. I just got my bitcoin back from vendor planetexpress because i didn't FE but apparently he got away with about 30K. Now greenovendoor has my bitcoin and I have a strong feeling that theres nothing in the mail on the way to my house. When I get my bitcoin back this time I may try a new site like Black Market Reloaded or Atlantis. May be the same crap over there, but this here is insane!! I basically just keep my coins in escrow and never get any product!!! Been trying to get some good herb for going on 3 weeks now!!!!!

It is getting bad and the admins need to take a more proactive approach at identifying and stopping scammers. When a vendor can scam $30K in a couple of weeks, the $500 vendor bond is useless at stopping them. SR is simply too big and has too many clueless newbs, so it's a wonderland for scammers. SR users are being ripped off for tens of thousands, perhaps hundreds of thousands of dollars every month. Legit vendors should be pissed about that too, because that's money that could have gone to them.

They can't rely on users reporting scamming vendors and then waiting another week for the evidence to accumulate. They say they can't just ban vendors without solid evidence, but there is a middle ground. They can sandbox sketchy vendors. Block them from withdrawing BTC. Also, it's pretty easy to write a few algorithms to detect potential scammers early. Here are some suggestions:

1. If the average time between marking an order in transit and finalizing drops below 24 hours (or a similar time frame) within any 24 hour period, flag the account for manual review by the admins, and block BTC withdrawals.

2. If the average time between marking an order in transit and buyers finalizing drops more than half a standard deviation from the vendor's overall average, flag the account and block BTC withdrawals.

FE is how all these scammers operate and it's easy to detect. DPR wrote a fairly sophisticated formula for calculating commission, using Euler's constant, and he has algorithms to detect mass BTC withdrawals. I have a hard time believing he can't write a few simple formulas to detect mass FEs and sandbox the accounts. Again, we're not talking about banning them outright, but they can be sandboxed until more evidence is gathered.

There is no excuse for this. As I've said before, the new feedback system is pointless when they do nothing about scammers for weeks anyway. Aggressive identification and sandboxing of sketchy / scamming vendors should be their top priority.

236
Silk Road discussion / Re: Forbes interviews Dread Pirate Roberts
« on: August 25, 2013, 08:13 am »
Ah, you're right. The site looks completely different. That might be why Moritz Bartl used onion.to in his examples of how his Tor mail gateway would work. Looks like he bought the domain, since there's a link to Torservers on it now.


237
Security / GPG4USB Tutorial
« on: August 25, 2013, 07:36 am »
People are still asking me about my GPG4USB tutorial. It was originally hosted on FH so obviously that is gone now. I will probably put it on a hidden service sometime in the future, but I'm not ready for that now. So, I figured I'd post the text here, which should be enough to get people setup.

If you want the screenshots, I found some clearnet mirrors of it. I have nothing to do with these sites. :)

http://befree.blogs.se/2013/06/07/gpg4usb-tutorial-16098773/

http://hacksociety.net/Thread-Tutorial-GPG4USB-Tutorial-Safe-way-to-encrypt-plain-text-in-emails-communication-etc

And if you don't want to visit clearnet sites, here is the text.

================


GPG4USB Tutorial

PGP Basics

A lot of people are confused by public key cryptography. A common mistake is to encrypt messages to other people by using your own public key. That is wrong. Here's how PGP works.

You create a pair of keys that are mathematically related to each other, one is public and the other is private. Never share your private key with anyone. Give your public key to your friends. Collect public keys from your friends. Use their public keys to encrypt messages to them. They use your public key to encrypt messages to you. You use your private key to decrypt messages.

PGP is the name of the encryption protocol. GnuPG (GPG) is the name of a program that performs PGP operations. It's like the difference between DOC, a word processor file format, and Word, a propram that creates DOC files. GPG started as a Linux program, but several ports have been made to Windows. GPG4Win is a popular one, but GPG4USB is better. This tutorial shows you how to use GPG4USB.

GPG4USB

Download GPG4USB from the web site [http://gpg4usb.cpunk.de/download.html] and extract the ZIP archive. GPG4USB is designed to be portable, no installation required. You can copy it onto an encrypted USB thumb drive, for example. Launch the program by double clicking on start_windows.exe.

It will ask you to Choose a Language. Then you should see this screen.

At the top is a toolbar for the most common PGP operations, including Encrypt, Decrypt, Sign, and Verify. There's also a place to write messages, and a panel on the right that shows the keys you have imported. At this stage, we see only the developer's key that is distributed with the program.

We don't have a PGP key pair, so we will generate a new one. Select Keys -> Manage Keys.

The Key Management window is where you can import and export keys, but for now select Key -> Generate Key.

Fill out your name and email address. If you want to stay anonymous, don't use your real name or an email address linked to your real identity. This information is viewable by anyone who imports your public key. You can set an expiration date or select Never Expire. There's debate about whether it's better to let a key expire or not, but most keys are set to never expire.

Important: increase the Key Size from the default 2048 bits to 4096 bits. Also, set a strong password, which is used to symmetrically encrypt your private key. If someone steals your private key, a strong password will be the only thing preventing them from decrypting your messages.

It may take several minutes to generate the key pair. The program collects entropy from your computer, so doing random things speeds the process along. You can browse the web or mash on your keyboard.

When it's done, you'll see your key listed in the Key Management window. You can close the window and return to the main interface.

Next you want to import public keys from your friends. Select Import Key from the toolbar. You have several options: import from a file, the clipboard, or a key server. If you want to stay anonymous, you should never publish your keys to or download other people's keys from a key server. The easiest option is to import from the clipboard. Highlight a public key in an email or forum post, right click and select "copy" to put it in your clipboard.

Important: make sure you highlight the entire beginning and ending lines, with all five dashes on either side of the text:

-----BEGIN PGP PUBLIC KEY BLOCK-----

-----END PGP PUBLIC KEY BLOCK-----

A common mistake is to miss the first or last dash when highlighting. PGP programs won't recognize a public key block without all the dashes.

After copying a public key to the clipboard and selecting Import Key -> From Clipboard, you'll see some details about the key. Click OK to finish importing.

To copy your public key, so you can give it to other people, open the Key Management window and check the box next to your key, then select "Export to Clipboard". You can paste your public key into emails, forum posts, etc. Remember to include the beginning and ending lines with all five dashes. You can also choose "Export to File" and it will create an ASCII armored text file (*.asc). This is a regular text file that can be viewed with any text editor.

Now let's encrypt a message.

Write your message in the text area, then select recipients by checking the boxes next to their keys. In this case, I've selected the GPG4USB developer key. It's common practice to include yourself as a recipient, so you can decrypt the message later if you need to.

Click Encrypt in the toolbar. The plain text will be transformed into an encrypted PGP message.

To send this message, copy the entire block, with the beginning and ending lines, and paste it into an email, forum post, etc.

To decrypt a message, paste it into the text area and click Decrypt. GPG4USB should automatically detect the key that it was encrypted to and use it to decrypt the message. You will have to enter the password for your private key.

Another common procedure is to sign a plaintext message so that others can verify you really wrote it. To do that, write a message and check the box next to your key, then select Sign in the toolbar. The opposite of this is to verify someone else's signature. Copy the entire signed message block into the text area and click Verify.

Lastly, it's a good idea to back up your private key. If you lose it, you won't be able to decrypt messages and they will effectively be lost forever. Right click on your key in the right panel and select "Show Key Details". You'll see the dialog above. Click "Export Private Key" and save the file in a secure location.

238
Silk Road discussion / Re: Forbes interviews Dread Pirate Roberts
« on: August 25, 2013, 04:58 am »
I didn't know that was still going through the feedback system. Sucks. :(

239
Silk Road discussion / Re: Forbes interviews Dread Pirate Roberts
« on: August 25, 2013, 04:49 am »
I never considered this... but of course they'd do that, wouldn't they.  Otherwise half the darknet would be broken links.  Astor makes an excellent point though: Tor replaces SSL on the darknet, more or less, and it's assumed you're using it (which is why the site doesn't use SSL).  Without SSL or Tor, everything you transmit is not only in plaintext, it's also guaranteed to be visible to whoever runs (or controls) the .onion.to site you go through.

Including all the messages you exchange with other people.  Everything they say is plaintext and visible as well, even PMs.

That's kind of mean; you should point that out to people at least  :(

Well yeah, that's why the Atlantis admins were fucking retarded for posting onion.to links to their site on clearnet, like in that reddit AMA.

Remember that Atlantis phishing proxy that sniffed account credentials? onion.to could do the same thing, and that was the officially admin-approved way of accessing Atlantis.

All of these third party services like onion.to, onion.sh, tor2web.org, Privnote, SMS4Tor, etc., should be abandoned because they increase your attack surface, forcing you to trust in the good will of third parties that you know nothing about.


All good points, which I hadn't considered.  I only started using tor2web a little while ago.  Naturally I don't recycle passwords, but i hadn't considered the PM thing.  I'll certainly only do PMs over Tor from now on.

Fortunately I don't think I've had any non-PGP encrypted sensitive discussions over PM.

FYI, onion.to and tor2web.org are different things. :)

240
Security / Re: Anonymous image hosting
« on: August 25, 2013, 03:18 am »
http://torimagesbp2vt3u.onion

Pages: 1 ... 14 15 [16] 17 18 ... 208