

Messages - astor

Pages: 1 ... 29 30 [31] 32 33 ... 208
451
Security / Re: Will TorMail Come Back Online?
« on: August 06, 2013, 05:33 pm »
Well, lots of technically proficient people could set up a similar service. I'm just saying I wouldn't use the old Tormail site if it came back online.

However, if technically proficient people are interested in running anonymous messaging services, they should build something different from email servers. I don't think email is the future of anonymous communication. We need a decentralized replacement that has no central point of failure like the Tormail / FH server.

In fact, I see decentralization as the future of all hidden services. A few months ago I wrote a speculative series of posts about a decentralized market that hosts product listings in something similar to Bitcoin's block chain. There is no central authority that runs the market, just as there is no central authority that controls Bitcoin transactions that are added to the block chain, but people could use any escrow service they like, and that's what SR could evolve into.

452
Security / Re: About Clearnet links
« on: August 06, 2013, 05:23 pm »
No, it's not true. It's the biggest myth in onionland. Hidden services can supply malicious code just as easily as clearnet sites. Hidden services are not safer than clearnet sites. In fact, we're standing in the wreckage of the biggest attack on Tor users, and it happened from a hidden service!

You should be *more* cautious when visiting hidden services, because the operators, or hackers who exploit the site, know that the users want to be anonymous for important reasons. Most clearnet sites don't give a shit who you are and they aren't interested in deanonymizing you. If you become a nuisance, they'll start using block lists of Tor exit nodes, problem solved on their end.

453
I agree it seems sloppy. People in that Cryptocloud thread that has been widely cited were saying they didn't think the NSA would be careless enough to hard code an IP address of one of their command and control servers. They would know obfuscation techniques. In other words, it could be some other national intelligence agency (not US based) or some other organization that wanted to frame the NSA. Then it seems like an amazing coincidence that the FBI is trying to extradite FH admin at the same time.

Another interpretation is that they planned to arrest FH admin and seize his server, or they didn't know the location of his server but knew how to hack it, so a couple of days before the arrest, they injected the malicious code to see how many free IP addresses they could get of people visiting CP sites.

454
Security / Re: Short and simple: how to prevent future hacks.
« on: August 06, 2013, 05:12 pm »
An anonymizing middle box solves all your problems without having to disable anything. Basically, we should all start using the Whonix Gateway with any operating system we want in a separate VM, transparently proxied through the gateway.

455
There are still puzzling aspects to this story. I read the original article in the Irish newspaper, which you can find here:

http://www.independent.ie/irish-news/courts/fbi-bids-to-extradite-largest-childporn-dealer-on-planet-29469402.html

It says that FH admin was arrested Thursday, contrary to every other report I've read, which said Sunday.

Can anyone remember when exactly FH went offline? I'm thinking it was Tuesday or Wednesday of last week. Now why would that happen? Did LE seize the server before they arrested the operator? Surely they wouldn't do that or it would tip him off. Did they add the exploit to the server at that time? Maybe he discovered the exploit and took the server offline himself. I'd like to find the answers to these questions.

He's been in custody since his arrest, so when the maintenance page came up, that was definitely run by LE. If they didn't seize the server outright, they had enough control over it to add that page along with the exploit code.

456
To the best of my understanding they did indeed inject it into all sites hosted by freedom hosting.

Interesting. Thanks for the info.

457
Silk Road discussion / Re: Security warning and advisory
« on: August 06, 2013, 12:53 pm »
Does anyone know how FH first became compromised? If the owner was somehow identified and tracked down through the deepweb then the implications are HUGE. If tracked down through human error or "real-world" police work as a result of (un)related off-line activity, then still bad news but not as much of a nightmare situation for us Roadies. I guess the question is, how did they get the guy? Anyone have info?

How was FH admin identified? Was the FH server seized? Those are the questions on everyone's mind. We are all waiting for answers. They have significant implications for the future of the Tor network.

Can someone PLEASE PM me a new mail server?

Check the Security subforum. A user named comsec posted a list of alternatives. As I argued there, ultimately we need a secure, decentralized messaging service, because email servers that interface with the public internet, even by proxy, have a much bigger attack surface. The convenience of sending messages to clearnet accounts isn't worth it.

458
Silk Road discussion / Re: Security warning and advisory
« on: August 06, 2013, 12:46 pm »
Exploiting a certain software flaw enables you to inject your own code into the exploited process's memory. The code you inject is byte code (regardless of the exploit using javascript!) and thus needs to fit the operating system. Also the flaw isn't necessarily present or exploitable on another operating system. It's even possible that the code works only on specific versions of Windows.

I saw an analysis of the exploit code. It clearly pointed out several Windows API calls, for example to make the HTTP connection to the command and control server. If the analysis was correct, the exploit was definitely Windows specific.

459
Silk Road discussion / Re: Security warning and advisory
« on: August 06, 2013, 12:43 pm »
The FH server could be hosted anywhere in the world. Gathering the info off it will depend on local laws.

So if it's in Romania then the US would need to get permission from Romanian authorities to access the servers? So they may not have access to shit right now?

Yeah, basically. If the server is in Romania and it was seized, then it was likely seized by local authorities. I know the FBI has started playing global cop like with the raid on Kim Dotcom in New Zealand, but generally they aren't allowed to gallivant around and raid people or seize property in other countries where they have no authority. Of course, with something like CP, it may be easy to get local authorities to cooperate.

460
Silk Road discussion / Re: Urgent Notice for BlueGiraffe Clients
« on: August 06, 2013, 12:39 pm »
What the fuck point is there of PGP encrypting your name and address to a Vendor if they promptly type it up into a spreadsheet?

Yep. In my view, the safest practice is when plaintext customer addresses never touch storage media. You decrypt them in your PGP app in RAM, you copy them over to your label printer software, and then they are discarded. You don't save them to a text file. You don't transfer them on a thumb drive. You don't send them by email.

I understand this is not ideal to certain workflows, but it is ideal from a customer safety perspective.

461
Security / Re: Will TorMail Come Back Online?
« on: August 06, 2013, 08:19 am »
Actually, I take that statement back. The more I read about this case, the more suspicious I am that the server wasn't actually seized.

It doesn't matter though. I would never use Tormail again.

462
Silk Road discussion / Re: Security warning and advisory
« on: August 06, 2013, 08:14 am »
The FH server could be hosted anywhere in the world. Gathering the info off it will depend on local laws.

On the other hand, it is strange that there hasn't been a press release from the FBI. They usually love to trumpet this stuff. They are all about PR.

I'm wondering if the exploit was added not by seizing the server, but by hacking the server and the server was taken down by admin because it was difficult to get rid of.

463
Silk Road discussion / Re: Security warning and advisory
« on: August 06, 2013, 08:07 am »
The point is, even if the Feds have the FH servers, according to the Tormail main page there is 'apparently' nothing stored on those servers.

Can anyone else please comment on this?

The public facing server that hosted the tormail.net and tormail.org web site and accepted emails sent to those domains did not host any emails. It was a proxy to the hidden service. But if the hidden service ran on the FH server and the FH server was seized, then LE does have the emails.

464
So, first: Someone asked about emails that have been deleted being read. It depends - most email systems have a recycle bin type system, where you move mail to the trash and then it is deleted after a certain amount of time. It is only deleted if you specifically force it. I could go into the possibility of disk recovery, but chances are tormail does enough data writes to at least make that a little hard for the FBI to do.

The FH main page used to say that they make daily backups which are saved for one month, and I have talked to someone who emailed the Tormail admin and asked for a deleted message to be restored, and it was. It had been deleted a few weeks prior. So I can confirm that deleted messages were saved (probably in backups on another server) for at least one month.

465
Are we sure that the only way to be exposed to the exploit is visiting an FH website while running a non-recent version of firefox/Tor on a Windows computer?

That seems way too specific for me to believe it.

Unless people who look up CP all use the same setup. It sounds like they're just trying to round up the low hanging fruit because all of this is easily avoidable with even a modicum of electronic security.

It seems the vulnerability itself is exploited with javascript, so that is why only users with javascript enabled are affected. Who knows why they only targeted Windows, the same exploit works theoretically against Linux as well but the payload was analyzed and it makes several Windows specific OS calls and will not work on Linux. The attack is not a 0-day but rather an exploit that was published a little over a month ago, which explains why the most recent browser is not affected. It is entirely possible that they didn't want to release a 0-day for analysis, and most people using Tor are thought to be using outdated Browser Bundles on Windows. The attacker was probably pretty sure that whatever attack they used would be analyzed to hell and back by a shit ton of security researchers. Also, 0-day attacks are usually used for really really high priority targets, they are more likely to burn one of those on somebody who has like kidnapped a child and is holding them ransom, or a suspected terrorist, than they are somebody who is running even the biggest CP site in the world.

I would add, based on my reading of the exploit, that you would have had to visit the FH main onion address, the Tormail web site, and perhaps some specific CP sites hosted on FH. The exploit set a cookie and had to be run from each site you visited to update your Tor Browser cookies with a specific ID. I haven't seen any evidence that they served the exploit on all onion addresses that were hosted on FH.

I think the bigger issue for this community is all the intel they are going to gather from unencrypted Tormail messages.
