Messages - astor

301
Security / Re: Other uses for PGP
« on: August 16, 2013, 07:06 am »
Actually you can encrypt binary data and ASCII encode it, so it can be sent via email (like base64 encoded images), but it makes the file much bigger.

302
Silk Road discussion / Re: Forbes interviews Dread Pirate Roberts
« on: August 16, 2013, 06:16 am »
Imagine being DPR and walking into the book store to buy a copy of that magazine. :)

The clerk will be like, "Oh I read that. It's amazing that someone is doing that. Have you heard about Silk Road?"

And he'll have to say, "No, never heard of it."

303
Security / Re: Other uses for PGP
« on: August 16, 2013, 06:04 am »
You can do it. In fact, the default mode of command line gpg is to create binary encrypted data, which lets you encrypt any kind of file, including binary files (Word documents, sound and video files).

I don't think you can do it in a GUI, since they assume you want ASCII armored text, but there might be an option for that in some GUIs.

304
Security / Re: HOWTO: Run a relay and help the Tor network
« on: August 16, 2013, 06:00 am »
Yeah, to be more clear: this is for Windows users to access a Linux server.

I will add the commands for Linux users to access a Linux server.

I'll need help in writing the commands for OS X users to access a Linux server.

You can use a Windows server, but they are more expensive and Tor doesn't work as well on them. I've seen relay operators switch from Windows to Linux server because of problems.

305
Silk Road discussion / Re: Forbes interviews Dread Pirate Roberts
« on: August 16, 2013, 05:56 am »
I also found an interesting tidbit from the Freedom Hosting case. The US's entire extradition argument lies on the fact that the guy used a "US IP address" to access the main server and generate reseller free accounts for Tor users. I believe that would be a Tor exit node. Might want to edit torrc to prevent any US nodes/relays for however you do maintenance of SR and anything else you are engaged in. Stay safe and crank up the paranoia, you will need it. If the site gets exploited and somebody magically appears to help you fix it at exactly the right time: it's the fedz

Citation?

If the guy knew anything about running a hidden service, he would have created a separate one for SSH, with HiddenServiceAuthorizeClient set to stealth. No exit nodes involved, and plausible deniability as to whether the service exists for anyone who crawls the descriptor with a service directory.

306
And the Golden Hoover Award goes to.......

Rossta!  http://dkn255hz262ypmii.onion/index.php?topic=165925

Wow, that is definitely Hoover of the Year material. I can't believe I missed it when it happened.

307
Silk Road discussion / Re: Forbes interviews Dread Pirate Roberts
« on: August 16, 2013, 05:11 am »
Wow. They actually published the URL. I may have to pick up a copy of the next edition of Forbes just for the mindfuck of seeing "silkroadvb5piz3r.onion" in print.

Yeah, it will be the first major American print article about SR. Forbes has a circulation of 925,000. Assuming some of those people will show the article to friends, there could be over a million readers, which is an order of magnitude more than the biggest online articles about it. Exciting times!
 
Quote
Andy Greenberg asked all the right questions. I wouldn't be surprised if he's lurked the forums a bit. In fact, he may be reading this very post. So good job, Andy!

He definitely reads the forum. He quoted a forum post of mine months ago:

http://www.forbes.com/sites/andygreenberg/2013/04/16/founder-of-drug-site-silk-road-says-bitcoin-booms-and-busts-wont-kill-his-black-market/

308
Security / Re: Let's talk about security
« on: August 16, 2013, 04:59 am »
5. Sybil attacks/etc against Tor - Large number of controlled Tor relays/nodes coming online, possibly leveraging weaknesses in Tor.   This would likely be hit-or-miss on an individual user basis.   But with cloud computing, it's not that expensive to do in the grand scheme of things.   Probably affects hidden services more than exit nodes, because bringing a bunch of exit nodes online at once would be an epic pain in the ass.
6. Broad-scale traffic monitoring (and timing analysis) of Tor nodes - NSA has enough views into full traffic flows in the US that if it was a priority, they should be able to get a decent view of more than we realize.  I'm guessing that the correlation is easier for traffic going out exit nodes than hidden services.   But that's a guess.  The good news? You're probably not the droids they're looking for.  Today.

We all seem to agree that network layer attacks are harder than application layer attacks, which is why I focused on the application layer in my guide. I still have my doubts about the effectiveness of the hidden service deanonymization attacks. We'll see what intel comes out of the Marques case. If you think those attacks are effective and they didn't identify the FH server through an attack on the hidden service, you have to explain why. Even long-term entry guards and Tor over Tor only slow down the attack. kmf calculated it increases the time of the 2006 attack from 1-2 hours to about 40 days, but they were investigating FH for a year, so why didn't they do it?

Quote
You can't do shit about 5 or 6.

Sure you can. For #5, get people to run more relays (see the guide I just posted :) ). For #6, diversify the network outside of the cooperating intelligence agencies zone, which is my main suggestion in the relay guide.

Quote
But, while some of us will head miles down Paranoia Lane, it's also important to realize that consistently executing good (even if simple) security practice is often worth more than an elaborate setup you don't really understand the nuances of. For all of the elaborate mechanisms in this thread and others, I have to wonder how many users here would be better off with just booting Tails from USB, making sure Javascript is off, and having one hell of a password on their persistent volume.

I agree and said so myself. Tails is probably secure enough for most SR users as long as they manually set bridges.

309
Security / Re: Is Bitcoin Fog redundant since SR uses tumblers?
« on: August 16, 2013, 04:34 am »
LOL Jack you're getting to my point. 90% of questions have been asked numerous times, and you can't help but scream UTFSE.

That's why I hate questions about VPNs. There are at least 100 threads about VPNs. A search for "VPN" in the topic subject will find 74 of them.

74 fucking threads about VPNs!

310
Silk Road discussion / Re: Forbes interviews Dread Pirate Roberts
« on: August 16, 2013, 03:53 am »
For the people that were interested in running a relay, here's a guide on how to set one up:

http://dkn255hz262ypmii.onion/index.php?topic=202510.msg1455870#msg1455870

Comments welcome.

311
Security / HOWTO: Run a relay and help the Tor network
« on: August 16, 2013, 03:34 am »
Since people expressed interest in running relays, I've written a guide that can get you set up. There are many ways to run a relay, so for the sake of simplicity, I will focus on virtual private servers running Ubuntu 12.04. Feedback is definitely welcome.

This guide includes instructions for Windows users. I will write Linux instructions in a separate post, and if someone would like to add Mac instructions, I'd greatly appreciate it.


===Finding a Hosting Provider===

In order to run a relay, you will need a dedicated server or a virtual private server. There are two features you should look for:

1. Geographical location
2. Bandwidth

Other specs like RAM and CPU tend not to matter until the bandwidth gets really high, like on an unmetered server. Most of the time, your bandwidth limits will keep the Tor client well below your RAM and CPU limits.

There is no minimum amount that you need to spend on a server. You can lease a VPS for under $10 a month or a dedicated server for hundreds of dollars. I think every little bit helps, especially if the servers are geographically diverse. For this guide, I'm going to assume you don't want to drop hundreds of dollars on your first server, so we'll focus on setting up a small to medium sized VPS. The price range I'm thinking is $10 - $50 a month, which should give you 512 MB to 1 GB of RAM and 200 GB to 1 TB of bandwidth.

I'm not going to make specific recommendations for hosting providers, for obvious reasons, but most relays are in North America and Europe. It would be nice if we had more relays in South America, Asia and Africa. The infrastructure in Africa is the most underdeveloped, so you may want to focus on finding providers in South America and Asia. They will be more expensive than providers in North America and Europe. If you can't find providers in your price range, it's OK to run a relay in North America and Europe. As I said, every little bit helps.

Another thing to consider when searching for a VPS is that there are different virtualization technologies. These include OpenVZ, Xen, VMware, Virtuozzo, and KVM. For this guide, I'm going to recommend running your relay in an OpenVZ container, because it is one of the most popular virtualization technologies, it is generally cheaper than the others for the same specs, your operating system will be installed for you by the hosting provider, and the OpenVZ connection limits aren't really a problem with low bandwidth relays. If you want your relay to push more than 1 TB of traffic a month, you should switch to something like Xen or KVM, or a dedicated server.

It's a good idea to read reviews of the hosting provider before ordering, but this can be tricky. There are a lot of fake web sites with shill reviews. In general, well-known forums with large communities (like webhostingtalk.com) are a better place to look for reviews than random web sites.

When you find a provider that you like, look for their Acceptable Use Policy (AUP), which will sometimes be part of their Terms of Service (TOS). Most hosting providers have links to these documents on their main page. Read through them to find out if they ban proxies. If there is no mention of Tor, "proxies" or "open proxies" almost always include Tor. Some hosting providers specifically ban Tor. Some only ban exit nodes. The latter case is OK, because we will be setting up non-exit relays. You don't want to waste time setting up a relay that will be shut down a week later because it violates your hosting provider's AUP.



===Ordering a Server===

Once you find a hosting provider, you can create an account and order the VPS. I don't see a problem with leasing a VPS with your real identity. There are 4300 relays at the moment. You will be lost in a big crowd. However, you shouldn't mention that you set up a relay in this thread or anywhere else on the forum! You shouldn't use information (like a username) that links you to your Silk Road identity! If you really want anonymity, at the end of this guide there's a section that offers some suggestions, but keep in mind that takes a lot more work.

During the ordering process, you will be asked to choose an operating system. Select Ubuntu Server 12.04, so we can simplify things. Every VPS provider should have an OpenVZ image for that OS. If the VPS has 512 MB of RAM or less, use the 32 bit version. If it has 1 GB or more, use the 64 bit version.

A common box that you have to fill out is the "domain name". You don't need a domain name to order a VPS. You can fill in anything, like example.org. For the server name, put anything you want; it will become the hostname. If it asks for DNS information, just put ns1 and ns2; it doesn't matter.

Also, lease the VPS on a monthly basis for the first few months, even if there are discounts for longer terms. Your VPS may turn out to have crappy networking or frequent reboots, so you don't want to pay for a year of hosting and be forced to abandon the VPS after a month.

After ordering, you'll get an email with the IP address and login details of your VPS.



===Configuring the Relay===

The first thing we need to do is figure out the RelayBandwidthRate based on the monthly bandwidth limit of the VPS. Keep in mind that most hosting providers count both incoming and outgoing bandwidth, so Tor relay traffic gets counted twice. A VPS that pushes 1 TB of traffic from the perspective of the hosting provider, actually pushes 500 GB of traffic from the perspective of the Tor network (it's the same data, coming and going).

Let's say your VPS is allowed 1 TB of traffic per month. That's 1,000,000 MB. So the rate (per second) that you would use in your Tor configuration is:

1,000,000 / 30 / 24 / 60 / 60 / 2 = 0.192 MB or 192 KB

This is a good place to start. In practice, most relays don't max out their bandwidth. In fact, many relays only use 30-50% of their max bandwidth rate. You can watch the bandwidth of your relay for a few weeks and increase it if you are using much less than your limit. For example, if in the first two weeks it uses 250 GB (and could have used 500 GB, because that's half of your 1 TB per month), then you can double the RelayBandwidthRate. It can take a few weeks of adjusting to find the right balance.

After you get the login information, download PuTTY from the web site:

http://the.earth.li/~sgtatham/putty/latest/x86/putty.exe

This program lets you connect over a protocol called SSH, or Secure Shell, which creates an encrypted connection to a command prompt on the server. Run PuTTY and fill out the following information:

Host name (or IP address): <your VPS IP address>
Port: 22
Connection type: SSH

Before we go any further, click on the words "Default Settings" under "Saved Sessions" and click the Save button to the right of it. That way you don't have to enter the IP address each time.

Then click Open. You'll see a prompt to accept the server's host key; click Yes. You only have to do this the first time.

login as: root
password: <what you were given>

Note that you can resize the window if it's too small.

The first thing you should do after logging in is change the root password, especially since it was emailed to you in plaintext. Do that with the following command:

Code:
passwd

And enter the password twice.

BTW, for all of these commands, you can copy them from this guide and paste them into PuTTY by right-clicking in the command prompt window.

Now type

Code:
nano /etc/apt/sources.list

Add this line at the end of the file:

Code:
deb http://deb.torproject.org/torproject.org precise main

Enter the following sequence to save the file and exit: ctrl+x, y, enter

Enter the following lines into the command prompt to install Tor and the relay monitor ARM:

Code:
apt-get update
apt-get install deb.torproject.org-keyring
apt-get update
apt-get install tor tor-arm

Hit Y[enter] whenever it asks you to confirm an action. The first install command will give you a warning because you haven't imported the PGP key for that software repository yet, which is what you're doing with that command.

Now we'll edit the configuration file to turn our Tor client into a relay. First, back up the original configuration file:

Code:
cp /etc/tor/torrc /etc/tor/torrc.backup

If you screw something up, you can restore Tor to its default state with the following commands:

Code:
cp /etc/tor/torrc.backup /etc/tor/torrc
service tor restart

Let's edit the configuration file:

Code:
nano /etc/tor/torrc

Find the following lines and remove the # at the beginning. Anything that follows a # is treated as a comment instead of an instruction to Tor, so we are adding these instructions.

Code:
ControlPort 9051              # This is a comment that Tor ignores, but everything before the hash is an instruction that Tor reads
CookieAuthentication 1

ORPort 9001                   # Change this to ORPort 443  !!!!

Nickname ididnteditheconfig   # Change ididnteditheconfig to whatever nickname you want, no spaces, nothing drug or SR related

RelayBandwidthRate 100 KB     # Change 100 KB to whatever you calculated for your server earlier
RelayBandwidthBurst 200 KB    # Make this double the value above. If your server is using too much bandwidth, make this the same as the line above

ContactInfo Random Person <nobody AT example dot com>  # Create a throwaway email address and put it here

ExitPolicy reject *:*         # This line makes your relay a non-exit

Then type: ctrl+x, y, enter

Code:
service tor reload

Congratulations, you're running a relay!

The RelayBandwidthRate and RelayBandwidthBurst are what you will probably want to adjust after a few weeks of watching your relay's bandwidth.

A note about the contact info. You don't need to enter a name. Remove the "Random Person" part entirely. However, you should enter a real email address. The purpose of providing an email address is if your relay is misconfigured, the Tor people can contact you and tell you about it. On the other hand, this email address will appear in your relay's descriptor, which is public, so use an alternate address from any of your main ones.

There is a program called ARM (Anonymous Relay Monitor) that lets you monitor your relay. To run it, type:

Code:
arm

You can click the left and right arrow keys to see the different panels of info. To exit arm, type: q, q

Another way to view info about your relay is to search for it on https://atlas.torproject.org

Finally, to exit the SSH session, type:

Code:
exit



===Securing Your Server===

The following is not necessary, but it's an extremely good idea.

A better way to log in to your server is to create a regular user account, disable root logins, create an SSH key for your regular user, and disable password logins. That makes it virtually impossible for someone to break into your server (people try to hack into servers through SSH all day long).

To create a regular user account, enter this command:

Code:
adduser <username>

Change <username> to any one-word username you want.

Enter the password for that user twice, and make it different from root's password. Leave the rest of the prompts (like Full Name) blank by hitting enter through them, then hit y at the end.

You can test out your new user. Exit the SSH session and launch PuTTY again. Now that you have a regular user, you can add it to the PuTTY configuration so you don't have to type it in every time.

In the configuration window that you get when PuTTY launches, go to Connection -> Data

Auto-login username: <the regular user you created>

Go back to the Session section, highlight "Default Settings", and click Save again. Connect to your server. You should only have to enter the password this time, and of course it will be your regular user's password.

When you log in as the regular user, you can't do much outside of your home folder. You can't install or remove software. This is a security feature. You have to become root. In order to do that, type:

Code:
su

And enter root's password.

To exit being root, type exit, and to completely exit the SSH session, type exit again.

Let's make this even more secure by adding an SSH key.

Download this program and run it:

http://the.earth.li/~sgtatham/putty/latest/x86/puttygen.exe

Next to "Generate a public/private key pair", click Generate. This will take a few minutes. Click around randomly to create entropy and speed it up.

When it's done, it'll say "Public key for pasting into OpenSSH authorized_keys file". Copy the entire thing in the box. Log into your server as the regular user and type this:

Code:
mkdir .ssh
nano .ssh/authorized_keys

Paste that public key in (by right-clicking once, as before). Then hit ctrl+x, y, enter.

Back in PuTTYgen, enter a key pass phrase and confirm it, then click "Save private key" and save it somewhere on your computer. The pass phrase protects your private key just like with PGP. At this point you can exit out of PuTTYgen.

Now launch PuTTY again, and in the configuration window, go to Connection -> SSH -> Auth.

Find the field that says Private key file for authentication, click Browse and select your private key.

Go back to Session, highlight "Default Settings" and Save.

Connect to your server again. This time it will ask you for the pass phrase to your private key, not the password to the regular user.

If you log in successfully, great! You can disable root and password logins. Type:

Code:
su
nano /etc/ssh/sshd_config

Find these lines:

Code:
PermitRootLogin yes             # Change it to no

#PasswordAuthentication yes     # Remove the # at the beginning and change it to no

Save and exit with ctrl+x, y, enter.

Restart the SSH server:

Code:
service ssh restart

Exit completely out and log back in as the regular user. You should log in just fine. To test your settings, you can change PuTTY to log in as root and it should deny you.

Now think about what an attacker has to do to get into your server. First he has to guess your regular username. Then he has to steal your private key or brute force one that works with your public key. That's like having a 2048 bit password! Then he has to guess root's password. Your server is very secure.



===Server Maintenance===

You should log in to your server every once in a while and update the software. Login as the regular user, change to root (su), and issue these commands:

Code:
apt-get update
apt-get dist-upgrade



===Purchasing a Server Anonymously===

As I said before, I don't think it's necessary, but if you want to get a server anonymously, here are some ideas that may or may not work. Suggestions are definitely welcome. :)


The first thing you need to realize is that the vast majority of hosting providers use fraud detection services, because hackers and spammers love leasing servers anonymously or with stolen credit cards. You almost certainly can't sign up with a hosting provider from a Tor exit node. A popular fraud detection service called MaxMind claims to block VPNs and open proxies too:

https://www.maxmind.com/en/ipauthentication

If you really want to be anonymous, I don't think you should be using a VPN anyway, because you're trusting their word that they don't log, or that LE won't compel them to log in the future. The best way to find a "clean" IP address is to point Tor browser at a web proxy. There are web sites that list thousands of them, but for obvious reasons I won't list them here. You may have to try many web proxies before you find one that isn't blocked.

The other issue is payment method. There are a few dozen hosting providers that accept bitcoins, which you could use by anonymizing them your normal way, but all of the ones that I know about are in North America and Europe, which doesn't help the diversity of the Tor network. Again, if you really want to be anonymous, that's fine because a relay in NA or EU is better than no relay.

Other than bitcoins, there are a few potentially anonymous payment methods with fiat currency.

1. Prepaid debit cards
2. e-currency and precious metals exchanges, like Pecunix
3. an anonymous PayPal account

MaxMind claims to block prepaid debit cards:

https://www.maxmind.com/en/ccv_overview

So I don't know if that will work.

As far as e-currency exchanges go, Liberty Reserve is gone, so I don't know what else exists other than Pecunix, but by routing money through several exchanges, you can potentially anonymize it. You'll have to find a hosting provider that takes these payment methods, or cash out to a different payment method.

Also, you might be able to register a PayPal account by pointing Tor Browser at a web proxy, and use fake info that is geographically close to that proxy, then go to Freenode #bitcoin-otc or localbitcoins.com and sell BTC for PayPal credit that gets deposited to your account, then use that to pay for the server.

All of these methods involve some work and a high chance of failure, but you're welcome to try them.
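The bandwidth arithmetic and the torrc edits in the guide above, as an added Python example (my own code, not part of the original post or of Tor): it derives RelayBandwidthRate and RelayBandwidthBurst from the provider's monthly allowance with the guide's double-counting rule, renders the non-exit relay stanza, and checks a torrc text for the mistakes the guide warns about. All function names and the sample torrc are assumed/constructed here.

```python
import re

SECONDS_PER_MONTH = 30 * 24 * 60 * 60          # the guide uses a 30-day month
NICKNAME_RE = re.compile(r"^[A-Za-z0-9]{1,19}$")  # Tor nicknames: 1-19 letters/digits


def relay_rate_kb(monthly_mb, billed_both_ways=True):
    """KB per second for RelayBandwidthRate from the provider's monthly cap.

    A relay sends out every byte it takes in, and most providers bill both
    directions, so the Tor-side budget is half the allowance (the guide's "/ 2").
    """
    directions = 2 if billed_both_ways else 1
    return int(monthly_mb / SECONDS_PER_MONTH / directions * 1000)


def adjusted_rate_kb(current_kb, used_gb, budget_gb):
    """Scale the rate by the unused share of the period's provider budget.

    The guide's case: 250 GB used when 500 GB was available -> double the rate.
    """
    return int(current_kb * budget_gb / used_gb)


def render_relay_stanza(nickname, rate_kb, contact, orport=443):
    """The lines the guide has you uncomment and edit, with ORPort 443."""
    if not NICKNAME_RE.match(nickname):
        raise ValueError("nickname must be 1-19 letters/digits, no spaces")
    return "\n".join([
        "ControlPort 9051",
        "CookieAuthentication 1",
        f"ORPort {orport}",
        f"Nickname {nickname}",
        f"RelayBandwidthRate {rate_kb} KB",
        f"RelayBandwidthBurst {2 * rate_kb} KB",   # burst = double the rate
        f"ContactInfo {contact}",
        "ExitPolicy reject *:*",                   # non-exit relay
    ]) + "\n"


def parse_torrc(text):
    """Return (key, value) pairs in file order, dropping '#' comments like Tor does."""
    pairs = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            pairs.append((parts[0], parts[1] if len(parts) > 1 else ""))
    return pairs


def check_relay_torrc(text):
    """List the mistakes the guide warns about; an empty list means the stanza is OK."""
    pairs = parse_torrc(text)
    conf = dict(pairs)
    problems = []
    if "ORPort" not in conf:
        problems.append("ORPort is not set, so this is a client, not a relay")
    if conf.get("Nickname") == "ididnteditheconfig":
        problems.append("Nickname is still the placeholder")
    if "Random Person" in conf.get("ContactInfo", ""):
        problems.append("ContactInfo still contains the placeholder name")
    # Exit policy lines are matched in order; without a 'reject *:*' before any
    # 'accept', Tor falls back to its default policy and the relay can exit.
    policies = [v for k, v in pairs if k == "ExitPolicy"]
    reject_all = next((i for i, p in enumerate(policies) if p == "reject *:*"), None)
    first_accept = next((i for i, p in enumerate(policies) if p.startswith("accept")), None)
    if reject_all is None or (first_accept is not None and first_accept < reject_all):
        problems.append("no 'reject *:*' ExitPolicy ahead of any accept: relay may exit")
    rate = conf.get("RelayBandwidthRate", "").split()
    burst = conf.get("RelayBandwidthBurst", "").split()
    if len(rate) == 2 and len(burst) == 2 and rate[1] == burst[1] and int(burst[0]) < int(rate[0]):
        problems.append("RelayBandwidthBurst is lower than RelayBandwidthRate")
    return problems


# Constructed sample: the guide's lines uncommented but with the placeholders left
# in and the ExitPolicy line still commented out.
HALF_EDITED_TORRC = """\
ControlPort 9051
CookieAuthentication 1
ORPort 9001                   # default port kept
Nickname ididnteditheconfig
RelayBandwidthRate 100 KB
RelayBandwidthBurst 200 KB
ContactInfo Random Person <nobody AT example dot com>
#ExitPolicy reject *:*        # forgot to uncomment this
"""
```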


312
Most of these kids will get off fairly easy anyway. They all are young, probably don't have extensive police records or violent pasts, and most likely were not on SR for too long or moving too much product before they Hoover'd themselves.

And with that we invented a verb. Someone add it to Urban Dictionary, quick!

Usage: "Did you see the pic of Tony standing in front of the police station, showing off his weed? LOL that guy totally Hoovered himself."

313
Off topic / Re: Fed Crack Encrypted Drives- Good read if your bored
« on: August 15, 2013, 10:30 pm »
I am 100% for decriminalization of child porn possession (just thought I would add that since everybody else wants to point out their beliefs on the subject), but just talking about the encryption, they probably cracked it because he used a shitty password. Most people are probably not using very strong passwords. Even passwords with 80 bits of entropy are not considered secure anymore, and that is equal to roughly 80 characters of English text (ignoring PBKDF stretching).

This is my concern, if you need a password 80 bits or longer you are not going to be able to memorize it meaning it has to be stored somewhere. I currently keep most of my passwords in an encrypted volume but I need to have a strong password to get into that volume to begin with. Forgive my ignorance but how are people safely storing these 80+ character passwords without fear they could be uncovered? And if that's a stupid question to post feel free to PM me instead.

The subtle but key part to his comment is "English text". English sentences are not random. Some words are much more likely to follow other words, and of course there are only 80,000 configurations of letters to begin with (i.e., words).

However, a pass phrase composed of 8 random words is actually pretty strong, over 200 bits of entropy:

http://dkn255hz262ypmii.onion/index.php?topic=106496.msg730353#msg730353

You can memorize 8-16 words.

(And yes I know you just saw that in the Security thread, but I'm making sure people here see it too. :) )

314
[WARNING]
1. For some unknown reason PGP makes problems in Whonix (Whonix is experimental software). You can encrypt messages, but you can't decrypt them. So unfortunately this tutorial is mostly useless for vendors right now.
The tutorial will be updated once a fix has been found.

I couldn't even launch Kpgp, but GPG4USB works well in the Whonix Workstation, or on any 32 bit Linux. A lot of people already have experience with it, too. It's portable, so just download, extract, and use as normal.

315
Yep, pass phrases composed of words are stronger and easier to remember than character strings.

Here's what I wrote about it before:

http://dkn255hz262ypmii.onion/index.php?topic=106496.msg730353#msg730353

