Messages - astor

541
Security / Re: Masking TOR traffic with clearnet streams
« on: July 29, 2013, 09:10 pm »
Browsing clearnet at the same time won't hide your Tor use, because the ISP can easily read the packet headers and discover which streams are going to entry guards. You would need to use bridges (that the ISP doesn't know belong to the Tor network) to hide your Tor use. You can use obfsproxy bridges, which make the connections look like something other than Tor. The obfs3 protocol makes it look like random data.

On a related note, the Chaos Computer Club published an attack a few years ago where they could fingerprint encrypted Tor connections to specific web sites with something like 55% accuracy by watching the user's end of the connection, but it was trivially defeated by browsing with two tabs open. The Tor Project is against padding because they believe it will slow down the network even more, and that's a major complaint about Tor. They accept many usability-over-security trade-offs, because a large, diverse userbase increases your anonymity.

542
Anyway, you're right, someone could use a real gmail account that belongs to someone else - though I don't really see why they would - it's easy enough to just make up a fake one for the PGP key info, it's not like anyone needs to use it. Besides... seems as if using someone else's email address would only be asking for trouble?

There's an old saying in behavioral psychology that under carefully controlled conditions, the animal will do as it damn well pleases. :)

When people use a PGP app for the first time, they see that "Email Address" field and interpret it in different ways. Some are informed enough to register an email address (usually a Tormail address) specifically for SR, and put that in their key. Others put completely fake info that doesn't look like an email address. Others, perhaps thinking they are being clever, put a fake address that looks like a clearnet address. If you pick a random address for Gmail or Hotmail, chances are pretty high someone has already registered it. I figure that's what happens quite often.


Quote
Thanks for your informed input... I enjoy reading your posts astor. You have so much to contribute!

Little things like this keep me going. I'm glad a lot of people find my posts useful. Thanks man. :)

543
Off topic / Re: how to build a .onion website for free???
« on: July 29, 2013, 08:19 am »
That's mostly a myth perpetuated in onionland. I don't know where it started, but I first noticed it on the Hidden Wiki, where clearnet links were labeled with big warnings. Then people did it on this forum. For some reason, people believe clearnet sites are more dangerous than hidden services.

A hidden service could supply malicious scripts just as easily as a clearnet site, and a hidden service operator knows that his visitors don't want to be identified, so he may have more interest / reason to try to deanonymize them, whereas random clearnet sites don't give a shit about identifying proxy users. They just block them if they become a nuisance.

The likelihood of getting pwned by some random JavaScript is vanishingly small, while blocking scripts will break a lot of functionality on clearnet sites. I've been using Tor for years, mostly without blocking scripts, and it hasn't been a problem so far. Of course it could be, but the cost-benefit analysis doesn't make me worry about it.

544
You should read StExo's last security audit, which was stickied in this subforum for a while.

I imported 1020 vendor keys a while back and analyzed them for stuff like valid clearnet email addresses. I think there were about 50 valid addresses that I found. However, just because it's valid (which you can check without sending an email, btw), doesn't mean it belongs to them. They may have accidentally or intentionally used an address that belongs to someone else. They have plausible deniability in that sense, unless LE wants to go on fishing expeditions.

It is a bad practice anyway. You should register an email address for SR purposes only and put it in your PGP key so customers can contact you when the SR server goes offline, as it has for extended periods on several occasions. Then that info is actually useful.

You can set up a clearnet email account over Tor with some providers. There's at least one thread about that on the forum already. Or you can create a Tormail account, which may be the best option, but Tormail has experienced unreliable uptime in the past.

545
Off topic / Re: how to build a .onion website for free???
« on: July 29, 2013, 02:15 am »
Yeah, the S should have the circle with the bar going through it -- i.e. the universal symbol for "no" :) -- on top of it, when scripts are blocked.

546
Silk Road discussion / Re: blacklisting feedbacks of 1/5
« on: July 29, 2013, 02:10 am »
The feedback score is really a qualitative categorization of:  legit vs scammer.

That's how it's used by most people and how it is expected to be used. There is essentially no quantitative score of how good a vendor's product and service is.

If you get low quality product or crappy packaging, you are expected to message the vendor or mention it in your review, but still leave a 5.

You're supposed to leave a 1 only if the product never arrived and the vendor is acting shady, or you got an empty package or something that indicates you got scammed.

547
Silk Road discussion / Re: twitter
« on: July 29, 2013, 01:48 am »
That's what I used. :)

548
It's the same configuration file for GPG4USB. It's located at  \wherever\you\extracted\gpg4usb\keydb\gpg.conf


549
Nightcrawler, I don't think that will work, because adding the driver will probably require a reboot, and it will be lost. Tails is run from a static system image. Only stuff symlinked from $HOME to the persistent volume is stored across reboots.

550
Yeah, it can take a year for open source wifi drivers to be added to the Linux kernel. While it is possible to use Windows drivers with ndiswrapper, I've found that to be buggy a lot of the time. It's better to use native Linux drivers.

You have 2 options here.

1. Return that laptop and buy a used one off Craigslist or eBay. If it's a few years old, it will be much more likely that the Linux kernel (version 3.2) included with Tails supports the wireless card. You should ask about the hardware details and figure out if it is supported, for example on these sites:

http://wireless.kernel.org/en/users/Drivers
http://linux-wless.passys.nl


2. Buy a $10 USB wifi dongle that is supported on Linux. You can search the reviews on sites like Newegg for the keyword "Linux" and see what people say about it. You would then plug in the dongle and run Tails.

551
One thing I noticed is that zeroing out the key ID breaks some (crappy) PGP programs. Rather than testing every available private key, they just fail to decrypt the PGP block. Keep that in mind. If you use it all the time, even when you don't have to, you may get complaints or people will think you don't know how to create a PGP message and they may ignore you for wasting their time.

552
hitit, did you rename the file to gpg.conf?

It doesn't matter where you put it in the file, as long as it doesn't have a # at the beginning.

553
Shipping / Re: Controlled Delivery
« on: July 28, 2013, 08:53 am »
Did you check the destination address to see if it was delivered?

Tracking info can be wrong sometimes. If an employee doesn't do his job or forgets to scan it, it could be stuck saying one thing. I've seen all kinds of weirdness in tracking info for legal items, but always got the package.

I'm not saying it's not a CD, but it would be hard to tell from the tracking info.

554
Security / Re: IS it safe to use tor using your home network?
« on: July 28, 2013, 03:37 am »
It is worth noting that if you are rooted, even if you are using WiFi, there is a good chance you will be fucked.

This is the main reason why getting people off Windows is the most effective security step they can take, and Tails is one of the easiest ways to do that (along with providing a lot of security and anonymity features out of the box), so overall I consider it an improvement in security, despite that lack of persistent entry points (which can be handled manually for now). Linux is far less vulnerable than Windows, although that may change if it becomes more popular, especially among "criminals".

555
You can use bridges to hide your Tor use.

OpenVPN doesn't work on Tails, but some routers support it. If you can set up the VPN on your router, that will work too.
