Messages - astor

406
Silk Road discussion / Re: is the road down again?
« on: August 08, 2013, 06:43 am »
Quote
PGP for all messages is INSANE!

Most of us tech gurus don't advocate for encrypting all messages. I have never said buyers should encrypt all SR messages. In fact, I've repeatedly told people it's a waste of the vendor's time to encrypt all messages, if they are just asking about the product or inquiring when their order will ship.

Where you disagree with us is on addresses (and tracking numbers, although that doesn't come up much in conversation), which are sensitive pieces of information. They identify buyers. Sorry it takes too much time for you to decrypt those encrypted addresses, but I consider my security to be more important than your convenience, and I am never getting one of my shipping addresses on any LE list, especially when it's so easy to avoid. Unlike you, I am not confident that the SR server will never be compromised.


407
Security / Re: he connection has timed out
« on: August 08, 2013, 06:32 am »
Then how did you write this post?

408
Silk Road discussion / Re: is the road down again?
« on: August 08, 2013, 06:13 am »
Quote
So I went to a hotspot, used the TBB to access SR via the onion.to and it worked,

Withdrew my BTC without issues. Not sure what is going on but it seems weird that the .onion.to link works but the .onion does not.

The BTC have withdrawn without problems.


Did you use HTTP or HTTPS before the URL? Because if you used HTTP, then your connection left an exit node unencrypted before hitting onion.to and being proxied back to the SR hidden service. The exit node could have sniffed your SR credentials.

409
Silk Road discussion / Re: is the road down again?
« on: August 08, 2013, 05:46 am »
Quote
And ALL of the people that preach pgp are doing so based on the fact that one day SR will get compromised and if you do not use pgp for your address, then your address will be on the servers. THAT IS IT!

I for one do not think SR will get compromised. And if I am wrong, and it is then I do not think an address means anything. In fact I KNOW it does not. That not one person would ever get prosecuted or have anything happen to them based on an address.

That depends on the size of the order, or the order history. LE will probably be interested in people who have purchased tens of thousands of dollars worth of drugs. And in any case, LE doesn't throw away intel. Buyer addresses will definitely get filed away and can be used later to build cases.

This is where your opinion differs from most people here, who don't want to take that risk.


Quote
So these idiots always say to only use a vendor with pgp. O.k, fair enough, so you believe their total bullshit and you do that and you believe you are totally safe. Now what happens when that vendor that uses PGP decides to write every address down and save them? How did your pgp help you there? It did not!!! It did nothing for you.

We "security gurus" have repeatedly pointed out it doesn't protect you from that, just as PGP doesn't protect you from every threat you are potentially exposed to on the darknets, like if LE takes over a server and sends an exploit to your browser.


On a related note, regarding this downtime, you say it's nothing and the server has gone down many times before. That's true, but the FH server also went down for maintenance many times in its five year history. It only mattered the last time it went down, and a lot of people got pwned (we'll see what comes of that), but you'll never know which time that is, so it's important to be cautious each time something happens.

It's incredibly careless to believe that the SR will never be compromised, as you said, but that's in line with your general attitude about the technical side of security, it seems.

410
Security / Re: TOR friendly email providers?
« on: August 08, 2013, 03:27 am »
Quote
Bitmessage P2P client run through TOR seems interesting. Also a service that turns those messages into emails that is a .onion site: http://bitmailendavkbec.onion

Seems promising.  Although I would still do my own PGP encryption.

You should read this before you use it: https://bitmessage.org/forum/index.php/topic,1666.0.html

411
Security / Re: TOR friendly email providers?
« on: August 08, 2013, 03:05 am »
Quote
Not if you use a nymserver. All Subject: lines are replaced with (No Subject) or a hashed value, and all senders are shown as Anonymous.
(The original information is still contained in the PGP envelope, so it is available when decrypted.)

Yeah, but they are complicated to use compared to webmail or even a desktop mail client. I don't think they'll ever have wide adoption, so good luck finding parties to correspond with.

412
Security / Re: Short and simple: how to prevent future hacks.
« on: August 08, 2013, 02:42 am »
Quote
Astor, can you please explain in what specific areas having a whonix VM is superior to tails+bridges?

Whonix is superior to Tails because Tor runs in a separate virtual machine (the Gateway) from the main operating system (the Workstation), so an attacker has to find an exploit to break out of the Workstation VM to bypass Tor and determine your real IP address. On Tails, an attacker has to find a privilege escalation exploit to gain administrator privileges. Privilege escalation bugs for Linux are more common than VM escape bugs for VirtualBox. If you read through security announcements, you'll see multiple privilege escalation bugs over the last few years, but I haven't heard of any bugs that allow someone to escape a VirtualBox VM.

Both are far more secure than running TBB on Windows or even a regular Linux distribution. The only thing more secure than Whonix is running Tor on a physically separate computer that sits between your main computer and the internet, which we call an anonymizing middle box.

Also, you can configure the Whonix Gateway to use bridges just like with Tails.

Quote
Also, on what OS are you able to have the whonix VM?

Whonix is a pair of VM images that you import into an application called VirtualBox, which runs on Windows, OS X, and Linux. So you can get better security than Tails without leaving your favorite operating system for non-Tor things. Best of all, you don't have to reboot to switch between the two activities.

Quote
Could one pad tails with whonix?

You could "pad" Tails by running it as the Workstation VM and routing its connections through the Gateway VM, but I wouldn't recommend it, because you run into the "Tor over Tor" problem, where one Tor doesn't know what the other is doing, and you might end up with the same relay for your entry guard and exit node, which would kill your anonymity.

413
Silk Road discussion / Re: question about the recent FH event?
« on: August 07, 2013, 11:12 pm »
Please take some time to read the main threads on the forum before you ask a question.

As has been said many times in many threads and on many web sites, yes, only older versions of the browser bundle are affected. If you are using the latest browser bundle, released on June 26, you are safe against that exploit.

I don't know if they knew specifically about that exploit until the reports came in that it was being used on FH, at which point they would have checked with the Mozilla people and confirmed that it was fixed in the version of Firefox that they used to build the latest Tor Browser.

414
Security / Re: Warning on SR front page?
« on: August 07, 2013, 09:46 pm »
Maybe because there's a lot more info in the forum thread that you should read than could be put into a message.

415
Silk Road discussion / Re: Security warning and advisory
« on: August 07, 2013, 09:41 pm »
Quote
I agree, I shouldn't claim that without proof, I'm just assuming the worst, so people realize this is very serious now. Do you think DPR would and could do that? I think the Feds can be persuasive, look what happened with Sabu. Could DPR really be capable? Don't think so.

30 year prison sentences reduced to 15 years can be persuasive.

I don't know if DPR would do that, but I'm not going to base my security on the assumption that he won't.

How do we know FH admin didn't do that? He got arrested on Thursday and the site came back up with an exploit on Saturday. How do we know he didn't tell LE everything, the location of the server, the password to the full disk encryption, and the password to the administrator account, to save himself?

416
TBH, it's easy to set up a hidden service. You can copy-paste commands from a tutorial to install a web server + PHP + MySQL, then install Tor and uncomment a couple lines in torrc. You can be up and running with a hidden service in under 10 minutes.

It's much harder to set up a *secure* hidden service.


417
Quote
Normally, when I'm using TAILS for about half an hour, it suddenly loses connection and I can't reconnect, even to my wifi. Sometimes when I'm trying to change my settings around and shit I get a message saying "System policy prevents modification of system settings [...]" Then it asks for the "Password for root". What the fuck is this "root" business?

Root is the Linux term for administrator or super user. It's telling you that when you are logged in as a regular user, you don't have administrator privileges, so you can't change system settings. In order to do that, you have to click the option at the login prompt to set an administrator (root) password.

But you shouldn't be using Tails as the administrator. You should do normal activities as the regular user. The fact that root has no password set when you log in as a regular user is a security feature, because an attacker can't get root privileges on Tails by guessing a password. He would have to exploit a privilege escalation bug, which may be considerably harder.

Quote
I'm normally connected to autoetho, then it disconnects and I haven't figured out how to connect again. When not using TAILS, my computer is connected to my wi-fi. I've entered my MAC address and selected "autoconnect" for my wi-fi connection but it still isn't working for me. I'd really appreciate some help.

I'm not sure. It sounds like the Linux driver for your wireless card is buggy. I recommend buying a cheap wifi dongle that works well with Linux. You can search the reviews on a site like Newegg for the key word "Linux" and see what other people have to say. You can find wifi dongles that work excellent on Linux for like $10-15.

418
Quote
I have a question about TAILS. As I understand it, TAILS "announces" that it is anonymous and that you are surfing anonymously when you use it. If you ask me that attracts attention. So why if you're trying to surf anonymously, would you want to announce to the entire world that you're trying not to be noticed, while you're trying not to be noticed???

The source of this misinformation seems to be Riseup, since I've seen other people reference it on their web site. When you surf clearnet sites, your connection comes from a Tor exit node, and there are public lists of those relays. In fact, they are added to some block lists, which many web sites use, which is why you might be blocked from accessing some sites when using Tor.

Tails isn't "announcing" that you're anonymous, it's just known by the fact that your connection is coming from an exit node. You can't hide the fact that you are using Tor from the destination site unless you point the Tor Browser at a web proxy, which would stand between the exit node and the destination site. But none of that matters. You are still anonymous within the set of all Tor users, which is millions of people. The destination site knows you're browsing anonymously, but it doesn't know your identity, which is the only thing Tor claims to protect.

The Tor Project is actually against obfuscating the fact that you are using Tor. They believe you have a right to surf anonymously, but site operators have a right to block whoever they want from accessing their site, and you shouldn't be hiding the fact that you are using Tor from them.
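
Added example (not part of astor's post and not Tor Project code): how a destination site can recognise a Tor visitor from the public exit lists the post above mentions. It assumes the TorDNSEL-style exit-list layout; the sample list, fingerprints and addresses are constructed.

```python
import ipaddress

# Constructed sample in the TorDNSEL exit-list layout. Fingerprints are made
# up; the addresses come from the RFC 5737 documentation ranges.
SAMPLE_EXIT_LIST = """\
ExitNode AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
Published 2013-08-07 10:00:00
LastStatus 2013-08-07 11:00:00
ExitAddress 192.0.2.10 2013-08-07 11:05:00
ExitNode BBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBBB
Published 2013-08-07 09:30:00
LastStatus 2013-08-07 11:00:00
ExitAddress 198.51.100.7 2013-08-07 10:40:00
ExitAddress 198.51.100.8 2013-08-07 11:10:00
"""

def parse_exit_list(text):
    """Map each exit address to the fingerprint of the relay that used it."""
    exits, fingerprint = {}, None
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        if fields[0] == "ExitNode" and len(fields) >= 2:
            fingerprint = fields[1]
        elif fields[0] == "ExitAddress" and len(fields) >= 2 and fingerprint:
            try:
                exits[ipaddress.ip_address(fields[1])] = fingerprint
            except ValueError:
                continue  # skip a malformed address instead of failing the load
    return exits

def classify_client(remote_addr, exits):
    """Return the relay fingerprint if remote_addr is a listed exit, else None."""
    try:
        ip = ipaddress.ip_address(remote_addr)
    except ValueError:
        return None
    # A dual-stack listener reports IPv4 clients as ::ffff:a.b.c.d
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return exits.get(ip)

EXITS = parse_exit_list(SAMPLE_EXIT_LIST)
for addr in ("192.0.2.10", "::ffff:198.51.100.8", "203.0.113.5"):
    print(addr, "->", classify_client(addr, EXITS) or "not a listed exit")
```

A match identifies the relay the connection left through, not the person behind it.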

419
Silk Road discussion / Re: Security warning and advisory
« on: August 07, 2013, 08:45 pm »
Quote
No use shutting the stable door, when the horse has bolted. Of course the feds have anticipated this ahead of time. They have already been injected. It's a sad time for SR. We need DPR to re-assure us and keep us secure as we ride these uncharted waters.

Honestly, reassurances from DPR ain't worth shit. He could get busted without us knowing about it, and agree to work with LE to save himself from a long prison sentence. Then he would be giving out public reassurances to keep the investigation going while siphoning all vendor info to LE in the background. You are the only person who can keep you secure, and you are the only person that you should rely on to keep you secure.

And claiming that SR has already been exploited, when there is no evidence of that, is a disservice to the community, because it builds complacency. "Oh well, I'm already screwed. Might as well not do anything to improve my security." No, there's a lot that most people can still do to improve their security.

420
Silk Road discussion / Re: Security warning and advisory
« on: August 07, 2013, 08:05 pm »
Quote
I'm a bit confused, why are all you guys acting like the security of your emails is dependent upon the TorMail servers being compromised or not? If you weren't using encryption your info was compromised the second you pushed send. You do realize that many Tor exit nodes exist just for the purpose of watching all the clear text data exit, don't you?

A lot of those emails -- in fact, I would venture to say a majority of them -- were between Tormail accounts. People were betting on the security and privacy of Tormail, and the assumption that it would never be seized.


I think it's time for all major targets in the SR community to up their game. This is no longer about basic shit like having a strong PGP key and not giving out identifying info in your profile. If you're still doing that, you should be stripped of your vendor privileges immediately. We're on a new level now. We are being actively attacked by LE now. They won't go after all small time buyers, but if you are a vendor, mod or admin, you should be switching to a Whonix like setup, or installing PORTAL on your router, or an anonymizing middle box between your main computer and your router, and the computer you use for Tor should have no identifying info on it at all. And it should absolutely 100% not be Windows based. And it should go without saying at this point that you must encrypt EVERYTHING. Your hard drive, virtual disks, communications, etc.

The arms race is on, and you better be ready before the next exploit is served through the market or forum servers.

