Messages - astor

391
Security / Re: Clearnet via tor security concerns?
« on: August 09, 2013, 04:43 pm »
It's probably best to set up Tor to only use entry nodes in your own country which you trust, and only use exit nodes in countries which are not controlled by the NSA. E.g. South Africa, Taiwan and China.

This is useless if the site you are visiting is located in the USA, which a majority are for English speakers. In that case, you are better off using an exit node inside the USA, since the NSA is less likely to sniff the connection, although it probably will anyway at the major IXes. I just assume there's no way to resist NSA surveillance at this point, except to use hidden services that are located outside of the USA.

Quote
To your torrc config file you could add something like this:

Quote
StrictNodes 1
ExitNodes {tw},{za},{cn}
EntryNodes $073F27934762FF8BA956FFCE136AAC1CCF45EA13,$80F870DD215A0C56005266A71C46F92F39F1973B,$6557396CF0EE5B72563A22BCAA0FF26E77FA3D08

If you are always using the same few exit nodes, that could kill your anonymity, because your circuit patterns are significantly different from everyone else's.

392
Security / Re: Whonix
« on: August 09, 2013, 04:36 pm »
You can configure VirtualBox to work with peripherals. The Whonix documentation is some of the best documentation about anonymity and security on the internet. I think everyone should read it:

https://whonix.org/wiki/Documentation

It also discusses adding USB devices to Whonix:

https://whonix.org/wiki/File_Transfer#Adding_USB_device_to_VirtualBox

Apparently there are closed-sourced VirtualBox extensions that will do it. They should allow you to use thumb drives and USB printers.

Whonix is based on the same version of Debian as Tails. Not sure if they use the kernel, but hardware support should be roughly the same.


393
Security / Re: tormail emails content
« on: August 09, 2013, 04:31 pm »
Of course it should, but people get lazy ("this email doesn't have anything sensitive in it, so meh"), or some issue disrupts a busy vendor's workflow and they skip it (like what happened in the case of BlueGiraffe), or they don't have an add-on like Enigmail to automate it, so it takes too much time. People take shortcuts all the time, that's nothing new.

394
So with everything going on I gotta ask, are we cool still being here? I mean don't get me wrong, I have 100% faith in DPR and SR always, this recent string of shit has me nervous. I'm not trying to go to prison.

You could lock down your interaction with the SR web site in such a way that you would be safe, even if the server was controlled by LE and serving exploits like the FH server was.

First, to prevent being identified, you should encrypt your shipping address and make the vendor encrypt any tracking numbers that he sends you. This resists the simple reading of information that can be used to identify you.

Second, disable scripts and plugins in Tor Browser, and use physical or virtual isolation between Tor Browser and the Tor client. This will resist active attempts to identify you, such as exploits designed to grab your IP and MAC addresses.

Third, separate your identity from SR in the bitcoin trail, either by purchasing coins anonymously or mixing them properly in a trusted mixer, or as a vendor, taking similar steps to cash out in a way that separates your vendor account from your identity.

395
Security / Re: Whonix
« on: August 09, 2013, 03:17 pm »
OK, you experts out there. Say I got the VM software ready to go and I got the Whonix gateway and the other Whonix component, ready to install into my computer. How do I transfer all the SR data (ALL of it) onto the new OS? I mean since it is so isolated from the rest of the computer. How in heaven's name do you do it?

There are 3 ways to do it.

1. Encrypt the data and transfer it to a web site or email account, which you access from inside the Whonix Workstation and download into it.

2. Install the VirtualBox Guest Additions and create a shared folder between the host OS and the Whonix Workstation.

3. Set up SSH forwarding between the host OS and the Gateway, then ssh from the Gateway to the Workstation. On a Linux host OS, you can use scp to transfer the files. On a Windows host OS, you can use the WinSCP application.

Probably option 2 is the easiest, but you should disable the shared folder after you are done transferring the files, because it's a security risk. That is how malware can escape the VM.

396
Security / Re: tormail emails content
« on: August 09, 2013, 03:13 pm »
Tormail consisted of two servers. One was an anonymously rented VPS that communicated directly over clearnet. It hosted the tormail.org/net web site and accepted emails from other clearnet email accounts that were addressed to @tormail.org/net. The other server was the hidden service that you connected to when you checked your email. The clearnet server was a proxy to the hidden service and didn't store emails. The hidden service stored the emails. The problem is that the hidden service turned out to be the Freedom Hosting server, which was seized by LE, so they got the server with the emails.

397
Silk Road discussion / Re: The fate of BlueGiraffe
« on: August 09, 2013, 07:32 am »
Nonsense!

Firstly, BG didn't compromise the security of his customers just recently.  He's been doing it since his first sale by keeping records, and committing that same sin with each subsequent sale.  He's only recently disclosed how he's been compromising the security of his customers the entire time he's been vending.

Secondly, DPR's decision doesn't create any incentive for vendors to come clean.  His account was taken away but he's free to come back.  How is that different from a vendor who gets caught scamming and comes back under a different guise?  The only difference is that BG is leaving but given explicit approval to come back.  What incentive is that to come clean, really, when the net effect is the same?

Thirdly, you need to understand, precisely,  why BG came clean and why that should have no bearing about providing incentives for disclosure for vendors that fuck up.

BG came clean because he's, without a doubt, a fucking really decent person!!!  He's a horrible vendor but a really decent person.  He put his customers in danger and he came here to try to mitigate the damage he might have caused by alerting them to the danger.  The courage to make that disclosure comes from a person who has a fucking conscience and integrity, and that's why he's been so contrite and genuinely willing to "walk the plank."  Vendors will disclose if they have a conscience and courage, not SR incentives. 

Lastly, I haven't been writing to protest BG's punishment but DPR's sentiments regarding it.

How comfortable would you be right now if your name and address were on that spreadsheet?  Would you have any idea how long you would have to wait before you find out if there are to be consequences of the spreadsheet?  What about users who rarely frequent the forums or the market and are totally oblivious to the fact that their information may be in the hands of the feds?  What if some of his customers have criminal liabilities and this would land them back in prison?  Where do I stop?

So if you were one of those people, and you're here reading what, in effect, was DPR patting BG on the back and you, Astor, rationalizing his decision as the right thing to do for potential future indiscretions, I think it would be reasonable to think that DPR, you and others have lost sight of what actually just happened.  That the screw up that has affected you, right here, right now, is being used to benefit some potential future victim(s).  In what fucking world does that make sense?

DPR should have come down HARD on BG, like Old Testament Yahweh hard, for breaking his primary duty and responsibility to his customers.  And he should have left it to those people, whose trust he betrayed, to forgive him and embrace him back into the community under another vendor account.  It's not his place to 'forgive' by sending him on his way with a pat on his back when it wasn't him that was potentially affected in such a fucked up way.

On further reflection, I think you are right. Vendors lose nothing by staying quiet anyway, and allowing BG to come back won't incentivize people to be honest, because it takes extraordinary character to do what BG did in the first place. Of course he could secretly come back under a different account if he was permanently banned, but so can every scammer, and that doesn't stop the admins from banning them.

398
Silk Road discussion / Re: The fate of BlueGiraffe
« on: August 09, 2013, 01:19 am »
Yeah on one hand they did the right thing and on the other they screwed up royally but where is the incentive to NOT do this ever again? How can BG help prevent others from doing this in the future? Some more thinking needs to be done around this I think.

This decision creates incentive for people to be honest when they have compromised the security of their customers. Then at least buyers can be aware of the threat they have been exposed to. The alternative is to swing hammers and then no one will ever admit when they fucked up.

399
It's a formula based on bitcoins:  6.7 * e^(-p/6) + 4

where p is the price in bitcoins. So if the product is priced in another currency, it fluctuates slightly with the exchange rate.

400
Security / Re: Risk of using Tor with Windows
« on: August 08, 2013, 07:27 pm »
They recommended not using Windows because it's the least secure operating system and the biggest target of malware and other attacks. The FH exploit targeted Windows. By simply switching to another operating system, you decrease your attack surface by an order of magnitude. If you need to use Windows and can't install another operating system like Linux, even in a separate partition for dual-booting, you should run Linux in a virtual machine and conduct your sensitive activities entirely in that virtual machine. You can even get full disk encryption by encrypting the virtual hard disk, which is usually a ~10 GB file on your hard drive. An even safer setup is to use 2 virtual machines and run Tor in one while conducting your sensitive activities, like web browsing over Tor, in the other VM. Basically, all network connections from one VM are run through the other which has Tor. That would make it incredibly difficult to run an exploit against you to obtain your real IP address.

401
Security / Re: Lavabit closed
« on: August 08, 2013, 07:09 pm »
Three words: National Security Letter.

402
Hi, folks. Just stopping by to mention that my GPG4USB tutorial has a new home:

http://nfm5tbykjg6oijbm.onion/gpg4usb/

403
Silk Road discussion / Re: Security warning and advisory
« on: August 08, 2013, 12:45 pm »
http://www.newstalk.ie/High-Court-to-hear-extradition-request-on-child-porn-kingpin

Looks like we won't be getting any more details about whether he is the FH admin and how they found him until next week.

404
Yeah, I was just thinking last night that he's supposed to see the judge on Thursday, so maybe we'll get some more details about who he is and how they found him. I guess not until next week.


405
Silk Road discussion / Re: Security warning and advisory
« on: August 08, 2013, 06:56 am »
That's true, he outright said "I'm not going to jail for you", but it turns out he is.
