Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - astor

Pages: 1 ... 122 123 [124] 125 126 ... 208
1846
Shipping / Re: Tacking packages will get your ip-adress?
« on: March 24, 2013, 10:54 pm »
While it may not be the wisest decision, and there could be ways of tracking it back, there has never been any clear evidence that any problem has occurred by doing this.  In other words, no one has yet shown any proof that any package has been "flagged" by using TOR, but there has been boatloads of speculation since it really wouldn't be that hard to do apparently.

Yes, it's trivial to do. There are only 900 exit nodes. They could run every tracking request against that list of IP addresses, or a more comprehensive list of tens of thousands of known proxies and VPN end points, to flag suspicious packages. That's why it's surprising there's no concrete evidence of it.

Then again, it's surprising that LE fails to do a lot of things, either through incompetence, lack of resources, or just not caring.

More importantly, the threat is entirely avoidable: don't check tracking over Tor. So why would you want to test that?

1847
Silk Road discussion / Re: The main problem with bitcoins......
« on: March 24, 2013, 09:13 pm »
Run your client over Tor.

That problem is easy to fix. To me, the main problem with bitcoin is that only people with computing devices and internet access can use it. I mean, theoretically you could walk around with a paper wallet, and publish transactions by making carrier pigeons deliver pieces of paper with transaction IDs to a physical block chain, chiseled on the side of a mountain,  but that would be impractical.

So over half the world's population is excluded from using this freedom-promoting technology.

1848
SS, did you read this part:

"I received multiple emails from shady individuals asking me to
provide / sell 0day. Some were in poor English. I presume this may
have been a baiting tactic to get me on some technicality. I did not
sell any 0day nor did I accept their request to "help them" with
whatever they were seeking in terms of shady deals."


1849
Off topic / Re: PINE!
« on: March 24, 2013, 05:56 pm »
This feels like the death of superman where afterward there were a lot of different imposter/ clone supermen, etc.

gpg: Signature made Sun 24 Mar 2013 4:05:02 AM GMT using RSA key ID E9094AF9
gpg: Good signature from "PGPClubRevolution (Welcome comrade!) <nosuchemail@nowhere.nada>"


Luckily, we have cryptography on our side.

1850
Security / Re: Tor video chat, audio chat, or text chat?
« on: March 24, 2013, 05:41 pm »
I would be surprised if anyone here has extensive experience with audio over Tor. I don't, primarily because I'm not too keen on random anons, and possibly LE, being able to hear and record my voice.

However, the Tails people have spoken positively about Mumble: http://mumble.sourceforge.net

I've also heard good things about SFLphone: http://sflphone.org

Although that's only available for Linux.

Presumably for any of these solutions, you would have to run your own server as a hidden service for the client software to connect to. Briefly looking at the Hidden Wikis, I don't see any existing VOIP hidden services.

1851
Security / [intel] Target of a National Security Letter Speaks Out
« on: March 24, 2013, 05:20 pm »
Two statements that jumped out at me.

1. "I was in contact with the EFF this month regarding the issue.
They referred me to some lawyers, but basically, the advice to me in
general has been is that no digital information is protected from
snooping unless it is stored in your home and encrypted. But even
then, I am told that silent "black bag" jobs (tampering your home
electronic devices) are a possibility if you are labeled a threat to
national security."

2. "These people don't understand technology and don't understand
what they are asking for many times. They also don't understand even
the most basic concepts of how the Internet works. I presume the
non-field agents (the people that are in operations centers and don't
talk to people) are the ones that penetrate the end-user
electronically, as necessary."

https://www.noisebridge.net/pipermail/noisebridge-discuss/2013-March/035200.html


==========


NSLs were still alive and kicking up until a week of so ago, when the
EFF's successful ruling was announced. The EFF has let me know that
the ruling only stands for 90 days and that there is a possibility the
ruling will be rescinded after that upon appeal. So, we are not safe
yet. I was in contact with the EFF this month regarding the issue.
They referred me to some lawyers, but basically, the advice to me in
general has been is that no digital information is protected from
snooping unless it is stored in your home and encrypted. But even
then, I am told that silent "black bag" jobs (tampering your home
electronic devices) are a possibility if you are labeled a threat to
national security.

Here is some feedback I can share, since I am a rare person to have
realized the snooping was in effect while it was occurring. I also got
confirmation of this due to lack of a confidentiality requirement when
multiple agents attempted to visit me in person and called me on the
phone. They wanted to follow-up after their many months of snooping
revealed that I was not in fact a "terrorist" -- simply a security
researcher that had identified vulnerabilities of a North American
utility company. After half a year of working with the utility
company, they did nothing to protect my own data, so I went online to
blow the whistle about the company being breached and all user data
(including home addresses and names) being compromised. With this
vulnerability, someone could effectively find your home address /
phone / name on account no matter where you lived in North America,
since you are required to provide this when receiving utility service.
To my knowledge, the companies involved have still not gone public
with this information.

Some things the Secret Service did to snoop on me that you should also
be aware of, and some feedback follow:

* SS served Google with an NSL to obtain my account information.

* Around January, upon logging into the Google account, Google showed
a strange NOTICE message asking me to accept the terms of usage of my
account. This was odd, because in a decade of being a Google user, I
had never seen this. I am told that this is Google's way of "telling
you without telling you" that you have been served an NSL. Google, by
law, is not allowed to tell you about the NSL, but they definitely are
within their right to ask you to accept their TOS upon login. This is
the "tell" that everyone here should be aware of. If you see this, you
are likely being monitored.

* My Google account was being operated by someone else, despite
utilizing 2-step and very strong passwords. This may have been limited
to a Google Chat 0day, unpublished vulnerability, or a Google
backdoor. My chat contacts said I was online when I was not online or
had messaged them, when I had not.

* I received multiple emails from shady individuals asking me to
provide / sell 0day. Some were in poor English. I presume this may
have been a baiting tactic to get me on some technicality. I did not
sell any 0day nor did I accept their request to "help them" with
whatever they were seeking in terms of shady deals.

* One of my encrypted Desktop home Linux computers was mysteriously
wiped upon my return from a trip. The RAID array was 'corrupted'.

* People I know started getting strange calls from random numbers at
odd hours. I wonder if this was some attempt to exploit remote
listening flaws in some phones, but I am justly paranoid.

* Someone opened mail / packages at my physical residence to reveal
the contents inside. This was very odd and not something that ever
happens. It occurred at least twice to my knowledge.

* Local police were posted outside my residence the morning I received
numerous calls from SS agents.

* SS confirmed over the phone that they monitored my Google account,
after I told them I knew they were. At first, they would not tell me
they did and denied it. The agent actually said "Google should not
have told you that". When I asked how many other online accounts they
monitored, the agent refused to let me know the details. When asked if
they monitored my financial / banking / health records, they said the
surveillance was limited to electronic records. I presume this
includes my ISP, Google, phone, any accounts signed up via Google
(third-party registration / account emails give it away), etc.

* I was told that my security research activities are a "legal grey
area", but that the investigation was being closed. The SS said that
the data they have on me "is safe" and "will be destroyed" after some
"expiration period". I vehemently expressed my distrust that it would
be held securely or destroyed.

For your background, I have been on the other side of such requests,
as the person providing data to the Secret Service field agents
before. These people don't understand technology and don't understand
what they are asking for many times. They also don't understand even
the most basic concepts of how the Internet works. I presume the
non-field agents (the people that are in operations centers and don't
talk to people) are the ones that penetrate the end-user
electronically, as necessary. Unfortunately, I have no evidence to
support the above other than the strange activity on my account. An
entirely separate and more likely scenario is that the Secret Service
communications are hacked by Nation States that used that surveillance
to target me directly. A scary assumption, but not out of the
question. Mitnick was reading GOV emails long ago and I would have to
presume that adversaries are snooping GOV emails still to this day.

If you have any other insights, I would be glad to hear them. I would
love to speak with anyone else that can come forward as an NSL victim.

On Wed, Mar 20, 2013 at 5:10 PM, Andy Isaacson <adi at hexapodia.org> wrote:
> Did you receive one of the few NSLs without a confidentiality
> requirement, or did you manage to get it set aside, or are you relying
> on Judge Illston's decision in this disclosure?  (Just curious.)

It did not have a confidentiality requirement, to my knowledge. I am
attempting to get the FOIA data on myself, but it has been rejected
thus far.

1852
imagine you are a spy, your messages are intercepted and you are the only one who uses an OSX version of PGP! Admittedly in this case the use of a Mac moderates some of my sympathy, but even so. :D

I did an analysis of the Version strings in the PGP keys that have been posted in the "Post PGP keys here" thread. Many of them are unique.

http://dkn255hz262ypmii.onion/index.php?topic=98140.msg693758#msg693758


1853
Yeah, sorry I scooped you on throw-keyid. Your explanation was more thorough anyway. :)

1854
Silk Road discussion / Re: Ever get bad karma for no reason?
« on: March 24, 2013, 04:30 am »
Thanks ChemCat. I'm humbled. :)

Are you a vendor?

1855
Silk Road discussion / Re: Ever get bad karma for no reason?
« on: March 24, 2013, 04:18 am »
I got -3 in the last 24 hours.  Look through my post history and tell me why.  ::)

1856
Nice explanation, pine. You can also use throw-keyid to anonymize all recipients.

Since you mentioned gpg.conf, here are some other options that make working with gpg easier, safer, or less annoying:

trust-model always
utf8-strings
no-greeting
no-emit-version
no-comments
no-mdc-warning
armor


1857
Off topic / Re: PINE!
« on: March 24, 2013, 03:03 am »
It's... IT'S ALIVE!!! 8)

I don't know, that statement isn't signed... :)

1858
That's a strange service. It's like the bitcoin equivalent of a pre-paid debit card. :)

1859
Silk Road discussion / Re: Bitcoin Crash
« on: March 24, 2013, 01:30 am »
It's really sad to think about all the money you would have made if you would've just put in $5,000-10,000 in bitcoins at their lowest rate, and cash them out when they reach about $100.
Why cash out? Just buy a FUCKING LOT OF DRUGS  8)...only if. Oh well, i'm still happy to be a part of this experience.

Exactly. Avoid all the cash out fees and taxes.

1860
Not sure what the problem is, but why not send the coins to another address in your blockchain.info wallet using the program/service where the addresses were originally stored?

Pages: 1 ... 122 123 [124] 125 126 ... 208