Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - astor

Pages: 1 ... 87 88 [89] 90 91 ... 208
1321
There is a way you can prove this story is true without making Chaos's identity public. It would take about 4 days.

Pick a trusted member of the community -- I would recommend a mod who is US-based.

Give that person Choas's name and the address of the jail where he is incarcerated. They write him an anonymous letter with a word or phrase.

He gives you the authentication phrase and you post it back on the forum. The trusted person verifies it.

You might know someone else who is incarcerated right now and willing to accept the letter and give you the phrase. You (the real Chaos) might even offer to give him a cut of the money you make off this scam.

That's where level 2 authentication comes in. With the amounts involved, this is almost certainly a federal case. All federal cases are logged in PACER. The trusted person could search PACER and verify that a case exists for that person in that federal court district, with exactly those charges (marijuana and cocaine).

You need to register an account and provide a credit card number to use PACER (although you can verify the case exists for free), but I can tell you how to do that safely, without compromising your identity.

1322
Off topic / Re: The Waste
« on: May 17, 2013, 05:43 pm »
Post offices are the tip of the iceberg. Every office building is like that. Think about all the 30+ story sky scrapers in every major city. They all run heating and AC throughout the night, when no one except maybe a few guards and maintenance people are in them.

We are spectacularly wasteful, which is why the average American consumes something like 200 times the energy of the average person in the third world.

BTW, how many miles per gallon does that car that you drove to that post office get? :)

1323
I see the problem, like a dingbat I didn't realise that the box had a scroll bar!  What I meant was the personal-cipher-preferences.

However the cert-digest-algo info was something I was shockingly ignorant about. Something else to go and learn about!

I was wondering what you meant by last line, because your question had nothing to do with key server options. :)

So, I interpreted it as "the last line of the block about cipher preferences".

To answer your question, yes that changes the default from CAST5 to AES256. The ciphers are ordered by strength (ie, safety), and as you can see, CAST5 is pretty far down the list. The advantage of using CAST5 is en/decryption speed and compatibility with many encryption programs. I err on the side of safety.

Of course, as always, your encryption scheme is only as good as your password.

1324
Security / Re: Crypto migration plan for hidden services
« on: May 17, 2013, 03:30 pm »
Great info Astor, but as I'm not a technical person in this side of technology (I know only what I need to really with a bit around the sides), doubling the key strength to 2048 wouldn't give double the time it can be used would it as technological capability grows at an exponentially faster rate?

You're not doubling the key space. You're increasing it by 2^1024. A 1025 bit key is twice as big as a 1024 bit key. 

For symmetric encryption, it would increase the time that it takes to brute the key by a factor of 2^1024, or around 10^308, not accounting for Moore's Law. We had a discussion about key strengths a few months ago, and what I learned is that asymmetric encryption, which includes RSA and other schemes used by public key crypto protocols (including PGP), differs in that the key space is the number of primes within some range of numbers, which of course is much smaller than the total range of numbers. That's why 128 bit AES symmetric keys are stronger than 1024 bit RSA asymmetric keys, and won't be cracked until long after 1024 bit RSA keys are cracked.

So for Tor's public key authentication mechanism, it won't increase the brute forcing time by 10^308, but it will future proof the keys for many decades.


So what would a drastic step  in key strength mean for the Tor network? Would it increase loads, slow things down etc? Just want to get some clear answers on this if anyone can help :)

It will increase CPU usage on the relays, and that seems to be the bottleneck on the network right now (not bandwidth). I'm not sure if that increase will result in a noticeable slow down of the network.

1325
The issue isn't what he was actually caught with. That would be less than ten years. The issue is that they are trying to pin all of the drug dealers he was connected to and all of the products they had to him and saying he supplied it. Added all up he would reach kingpin status. Mandatory min of 20 years probably more.

They're throwing RICO charges at him. Fucking hell, 20 years. We all know Chaos was full of shit a lot of times, but nobody deserves this.

The RICO Act is seriously abused these days. It was meant to catch mafia bosses and other people who run extensive criminal operations with dozens of conspirators or more, not drug dealers who supply a few other drug dealers.

1326
Security / Crypto migration plan for hidden services
« on: May 17, 2013, 01:44 pm »
Hidden services currently use 1024 bit RSA private keys for authentication. (An onion address is the base 32 encoded first 80 bits of the SHA1 hash of the public key that corresponds to the hidden service's 1024 bit RSA private key.) 768 bit keys can already be cracked by computer clusters in about 100 days, which is considered reasonable effort for some targets -- which probably includes SR. 1024 bit keys will be cracked in the next 5 years. So, the Tor Project needs to update the crypto mechanism to support larger identity keys (this will affect relays as well as hidden services, but it's more important for the latter).

If the hidden service private key is updated, the onion address will change. This is an issue in our community with so many phishing sites and the general paranoia (mostly justified) about accessing the correct site. So you all should be aware that Silk Road's private key will have to be updated at some point, and the onion address will change. They're starting a discussion about this issue on the tor-dev mailing list. Here's the first email:


https://lists.torproject.org/pipermail/tor-dev/2013-May/004848.html


Greetings,

I'm supposed to write a Tor proposal for the migration of the
long-term identity keys of Hidden Services. When I began writing the
proposal, I realized that some of my choices might not be appreciated by
Hidden Service operators, and that starting a discussion thread might be a
good idea before writing the proposal.

The problem with the current long-term HS identity keys is that they
are RSA-1024 keys which are considered weak, and they need to be
upgraded to a cryptosystem with higher security properties.

One of the main issues with this operation, is whether Hidden Services
will be accessible using their *old* identity keys even after the
migration.

That is, when we change the identity keys of a Hidden Service, its
onion also changes (since the onion is the truncated hash of its
public key). This will be quite problematic for Hidden Services that
have a well-established onion address.

There are basically two ways to do this:

a) After the transition, Hidden Services can be visited _only_ on
   their _new_ onion addresses.

   This is quite brutal, but it's the most secure and unambiguous
   option (might also be easier to implement and deploy).

   This change can be enforced both on the client-side, by rejecting
   any old RSA-1024 HS keys, and on the server-side, by only
   publishing the new keys in HS descriptors.

   To make the transition easier, we could prepare a tool that
   generates a new identity keypair before the flag day, so that
   Hidden Service operators can learn their future onion address
   beforehand and announce it to their users.

b) After the transition, Hidden Services can use both old and new
   onion addresses.

   This might result in a more harmonious transition, where Hidden
   Services advertise their new onion address to users that visit
   them in their old address.

   .oO(It would also be interesting to do a redirection on the Tor
   protocol layer ("I got this descriptor by querying for the old
   onion address, but it also contains a new onion address. I should
   probably use the new one."), but I don't think it's possible to
   redirect the user without knowledge of the application-layer
   protocol (e.g. 302 for HTTP). Still, a Tor log message might be
   helpful.)

   The cons of this approach is that supporting both addresses might
   make the HS protocol more complicated and painful to implement, and
   it might also result in some Hidden Services never moving to the
   new onion addresses since clients can still visit them using the
   old insecure ones.

   This approach has a stricter variant, where the old addresses can
   only be used during a transitionary period (a few months?). After
   that, clients _have_ to use the new addresses. Of course, this
   means that we will have to do two flag days, coordinate Tor
   releases, and other no fun stuff.

I'm probably moving towards the latter option because the former will
make many people unhappy.

Thoughts?

(This is not a thread to select the cryptosystem we are going to
use. It will derail the discussion, and we might also need to select a
specific type of cryptosystem in the end (e.g. a discrete-log-based
system) so that schemes like
https://trac.torproject.org/projects/tor/ticket/8106
can be possible.).

1327
Security / Re: Ex-GF stole computer and is blackmailing
« on: May 16, 2013, 12:55 am »
My psycho ex-girlfriend stole my computer that I have been conducting SR business on for almost a year now and she has had it for a week and a half. The only program I have is TOR and she is extorting me every day saying she is going to "turn it in". Should I be worried? My house is clean and I am getting out of the game.

If the browser bundle is literally the only thing on it, no bookmarks to SR, no text files with URLs or passwords, then that proves nothing.

Even if there is a bookmark, that's something that good draw LE attention to watch you, but you couldn't be prosecuted for it. There are journalists and probably thousands of curious people who create SR accounts and don't buy anything. It's not illegal to browse the site.

Tell her to give it back or you'll call the cops and report her for theft.

1328
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Are you talking about cert-digest-algo?

It forces a specific hash algorithm, for example the SHA512 hash on this clear
signed message. The standard is SHA1 (like in DPR's signed messages), but it is
becoming obsolete. Some PGP programs use MD5, which is retarded.

The GPG manpage does warn that you shouldn't force cert-digest-algo, because
some PGP programs don't support SHA512 for message hashing, but I say fuck em.
If your PGP program fails to verify a signed message because it doesn't support
SHA512, you need a better PGP program.

We shouldn't reduce our safety for the lowest common denominator.

-----BEGIN PGP SIGNATURE-----

iQIcBAEBCgAGBQJRlBNAAAoJENAcophwbuIHGYcQAJSwUhtv825TCVnixETLUDg7
VC4p6ZfMBFQvyeDD4l/WngF3nxHmt+3W0zO8WqRGlQ+XUvxPZeSMUlmnB5e0GTkB
up6zl60ptkBy24k72sV026jWscpBsUm8UqW8wR+WtnPnQ4dUt/0YDowBjbzXJcsz
OO8bvzmaGWlz4HXK8CvGgJufT9P20vp5bIzaM8Ma2dAGaqM8DNJiNNtqeWftN82R
2SFzJfLLsXxMTtP8KmnPg3xrdey5bleuIadjeuvcHWVDdKcH87DkLgdcAArT/Ijz
AqSkei0rnoUGkZ2gv3430L1FqS6qhs6j7wtxl1p6OX2kPvNlRJwT0UIWml3Ac9+f
1kaWeofhJReyRWfJQXaRM+fWV8OmQd7tmBDlc4BmI+EzQaUCRqi31aCtr89cRfh2
i1CgDcANz9G2ICLSir2gm9kZz3mjzPrrEi2J0WxfakYQnUaLTvqGBdB3z309JBfC
t5LWwN6ZorrVPKNOm6MRrwVzZXq2reucZRP87qjLEBCyrwmWFVQdpC2NIuRaQnqb
vmwYDEMBfDA2V2aXEJlVxNO/57bYOCr1j/y5Zb9EcNvzJJZFYfU3eNOQi4ctb6tO
4OVPs2OTEpQTcZkR7PwqD34jP/9GmMgNLK2bzi+WiN6DjUABt2vARGMsIK++sWHw
GMtofrIItdIgqZ9tCrKm
=Wy6i
-----END PGP SIGNATURE-----

1329
People say that because it's not an American company operating on American soil, they can't touch it. Those same people thought all the tax-haven-based online poker sites would be safe for the same reason. Then the US Gov shut them down and washed away an entire multi-billion dollar industry overnight. Not a single one was based in the United States.

Yep. I thought Karpeles was a US citizen. Maybe I'm wrong about that, but even if he isn't, he opened US bank accounts and broke US laws (according to FinCEN), which means he can be extradited.

If anything you do happens on American soil, even if you are never physically on American soil, you can be prosecuted by the US government. Do you think they would have gone as far as to seize the Dwolla account with potentially millions of dollars in it if they weren't planning to prosecute?

I think this is very bad for MtGox.

1330
You know, it's entirely possible that MtGox will be shut down now for FinCEN violations. This would be devastating to the bitcoin market for a while, but from it's ashes many smaller, distributed exchanges could flourish, along with alternative F2F methods of getting bitcoins, which would be more robust to these kinds of shut downs.

1331
Somebody should set up a general Bitcoin exchange site in Russia or somewhere. You get an account and advertise that you want to buy or sell Bitcoins and the amount you are willing to pay or accept.Then you are matched up with other people, and can carry out the deal for cash in the mail or something.

Yeah, it's called localbitcoins.com and Freenode #bitcoin-otc.  :)

The most popular way to exchange on localbitcoins.com is personal meeting with cash, when you hand it over, the other guy has a computer and hits "send" on his bitcoin client to your address. However, there are people who will do cash in mail, MoneyPaks, all kinds of things.

What I fear is stings on those people, at least for large trades.

1332
Re: OTC / localbitcoins.com, the FinCEN rules say that anyone who buys / sells more than $1000 in BTC a day is an MT/MSB and subject to their rules.

So I wouldn't trade more than that on the OTC market, as those are the people they are likely to set up stings against at some point.

1333
Looks like this is part of a FinCEN violations investigation, which probably means the feds don't care about your drug purchases of a couple hundred bucks.

===================

http://arstechnica.com/tech-policy/2013/05/feds-reveal-the-search-warrant-that-seized-mt-gox-account/

Feds reveal the search warrant used to seize Mt. Gox account


The Department of Homeland Security is investigating Mt. Gox, the largest Bitcoin exchange, for violating laws on US money exchange and money transfers—and it's grabbing the exchange's money in the process.

DHS officials refused to comment on the ongoing investigation, but they did provide a copy of the warrant that was used yesterday to seize funds that Mt. Gox had in Dwolla, a money transfer service. Dwolla is a Des Moines, Iowa company that provides one of the most popular ways to move US dollars to Mt. Gox, where they can be used to buy bitcoins.

In the warrant, a special agent with Homeland Security Investigations (HSI), states that there's probable cause to believe Mt. Gox is engaging in "money transmitting" without a license, a crime punishable by a fine or up to five years in prison. The warrant goes on to demand that Dwolla hand over the keys to account number 812-649-1010, which is owned by Mt. Gox subsidiary Mutum Sigillum LLC.

The funds in that account "are those of Mt. Gox customers that withdraw said funds from Mt. Gox and direct their transfer to Dwolla."

Homeland Security used a confidential informant, based in Maryland, to conduct the investigation. The informant simply created accounts with Dwolla and Mt. Gox, bought bitcoins, and then changed them back into dollars. Tracing that money, HSI was able to see that the money passed through a Wells Fargo account, number 7657841313, which was created by a single authorized signer: Mark Karpeles, the president and CEO of Mt. Gox. The Dwolla account shows transfers to Dwolla going back to at least December 2011, according to the warrant.

The special agent then explains what appears to be the smoking gun: Karpeles specifically denied he was going to get into the currency exchange business. The warrant reads:

Quote
As part of the account opening process, Wells Fargo required Karpeles and Mutum Sigillum LLC to complete a "Money Services Business (MSB) Accounts, Identification of an MSB Customer" form. That document was completed on May 20, 2011 and identified Mutum Sigillum LLC as a business not engaged in money services. The application asks several questions; to include, "Do you deal in or exchange currency for your customer?" and "Does your business accept funds from customers and send the funds based on customers' instructions (Money Transmitter)?" Karpeles answered these questions "no," indicating that Mutum Sigillum LLC does not deal in or exchange money, and that it does not send funds based on customer instructions.

Money transmitting businesses are required by 31 USC section 5330 to register as such with FinCEN. According to FinCEN records on May 6, 2013, neither Mt. Gox nor the subsidiary, Mutum Sigillum LLC, is registered as a Money Service Business.

The agent then gives a brief description of how Mt. Gox deals in the "crypto-currency" of Bitcoin:

Quote
Mt. Gox acts as a digital currency exchange where customers open accounts and fund the respective accounts with fiat currency, which is then exchanged into crypto-currency by Mt. Gox; the crypto-currency is known as bitcoin. Fiat currency simply refers to any money that a government has declared to be legal tender. The exchange is bidirectional and allows customers to also exchange bitcoins back into fiat currency, and then withdraw those funds. The exchange of fiat currency and bitcoins incurs a floating rate fee charged by Mt. Gox and is determined by the customer's aggregate amount of funds exchanged on a monthly basis.

We've reached out to Mark Karpeles and will update the story if we hear back.

1334
Off topic / Re: Looking for a quality fake beer supplier
« on: May 15, 2013, 04:51 pm »
I have heard of a few like SuperFakes, EnterTheBeers, and Drinker875 but two of them require FE and the one that has good stealth keeps getting mediocre reviews.

Stay away from Frothy76. Known scammer.

1335
No problem but its Pine and Astor you should be thanking for those gems!

I thought that list looked familiar. :)

Here's my simplified gpg.conf, which I've winnowed down over a few years of using GPG. Some of the stuff only applies to command line GPG, but it's all designed to reduce annoyances, and make GPG easier and safer to use. You can use or modify it to your liking.

Code: [Select]
no-greeting                 # suppress the copyright notice in command line gpg
no-emit-version             # remove the version string from keys and messages
no-comments                 # remove the comment lines from keys and messages

utf8-strings                # interpret all command line arguments as UTF-8 encoded
armor                       # ASCII armor encrypted output

expert                      # allow incompatible actions
trust-model always          # suppress warnings about unsigned keys
no-mdc-warning              # suppress warnings about MDC integrity protection, since no one uses it


## Ordered lists of preferred ciphers. Your GPG will pick the first one that it supports,
## which should be the first one on each list.

personal-cipher-preferences AES256 TWOFISH CAMELLIA256 AES192 CAMELLIA192 AES CAMELLIA128 CAST5 3DES BLOWFISH
personal-digest-preferences SHA512 SHA384 SHA256 SHA224 RIPEMD160 SHA1
personal-compress-preferences BZIP2 ZLIB ZIP Uncompressed
cert-digest-algo SHA512

default-key <keyid>         # set this if you have multiple keys. newbies should not use multiple keys!
#encrypt-to <keyid>         # automatically encrypt with a specific key

## Optional

#throw-keyid                # anonymize all recipients by zeroing out the key IDs
#hidden-encrypt-to          # anonymize a specific key ID


## Use the IndyMedia key server hidden service. This prevents accidentally connecting over clearnet.
## You need an HTTP proxy like Privoxy listening on port 8118, or adjust the lines below accordingly.
## The HTTP proxy forwards to Tor's SockPort. Here's a Privoxy config for that:
## https://trac.torproject.org/projects/tor/wiki/doc/PrivoxyConfig

keyserver hkp://2eghzlv2wwcq7u7y.onion
keyserver-options http-proxy=http://127.0.0.1:8118,debug,verbose

Pages: 1 ... 87 88 [89] 90 91 ... 208