

Messages - astor

2371
You might want to remove some more of that info, like the city where the package is sitting and the origin country. There can't be too many packages in that facility from that country, potentially seized.

Edit: Just delete the whole thing, it's unnecessary for your question.

2372
Silk Road discussion / Re: Rocker's retirement thread and giveaway
« on: January 10, 2013, 09:51 pm »
My point was that the post is gone.

2373
Silk Road discussion / Re: Rocker's retirement thread and giveaway
« on: January 10, 2013, 09:42 pm »
Didn't Rocker leave a post a couple of days ago saying that he was going to announce the winners on January 10 and now it's gone, or am I taking crazy pills?

2374
Security / Re: Securing hidden services
« on: January 10, 2013, 09:32 pm »
All good points, and a legitimate looking business is a good cover for anon purchases. :)

2375
Security / Re: What VPN services would you recommend?
« on: January 10, 2013, 09:03 pm »
I would like a single VPN service that I can trust without Tor, as there are a lot of sites that block the Tor exit nodes... I would like a service that won't provide the US gov't with the information they want.

Unfortunately, this "privacy by policy" is not secure. How can you trust a VPN provider short of being given root access to their server and looking at the logs? Even then, how can you be sure they don't start logging as soon as you leave? VPN providers can see their whole network. They can see your IP address and the sites you're visiting, if they choose to look. That they don't look is just a promise.

The whole point of Tor is to send your circuits over independently operated relays, so nobody has a view of the whole network. The entry guard operator can see your IP address but doesn't know which site you're visiting. The exit node operator can see which site you're visiting, but doesn't know your IP address. In the case of a hidden service, nobody knows which site you're visiting. That's not a promise. That's privacy by design.

Furthermore, what's the point of hiding your IP address from PayPal unless you're using a stolen account?

2376
Security / Re: Securing hidden services
« on: January 10, 2013, 08:11 pm »
If you backup over clearnet, then the location of your backup server can be discovered. Port knocking doesn't solve that problem and is not much more secure than RSA keys. Backing up over Tor to a stealth mode hidden service not only hides the location of the backup server, its very existence is deniable, even to anyone who crawls the network and finds its descriptor. Obviously that's a problem if you're backing up gigabytes of data, but there's no simple solution to that. There is no solution that is secure AND fast.

kmf, you bring up some good points, however most dedicated server providers won't do exotic server configurations, like crossover cables, unless you're willing to pay a lot of money. They have preconfigured packages to choose from. Further, a strange setup like that might draw unwanted attention, since I doubt crossover cables and servers with no internet access are common. The same problem exists for colo'ing, as you would have to give the technician special instructions.

Certainly, there are trade offs to hosting at home.

Positives: You don't have to deal with paying for a server/colo anonymously, obfuscating your shipping location, sending your biological data on the server to a remote location, exotic server configurations raising interest or suspicion, capricious third party TOS and AUP, and third parties willing to work with LE (well, you only have to deal with your ISP).

Negatives: bandwidth, and if your server is identified, you're fucked.

IF you're confident that Tor over Tor and perhaps a few anonymously rented VPSes acting as bridges can protect you, and you have a low bandwidth service, I think it's an excellent option. You can basically host a hidden service for free on some old computers.

2377
Security / Re: Securing hidden services
« on: January 10, 2013, 06:39 pm »
1. You need to periodically make an NTP update on the server where the hidden service is running, because hidden services depend on time sync.

Every Linux distro comes with at least ntpdate by default, which updates the clock once a day. That should be sufficient, since clocks don't drift more than a second or two in a 24 hour period unless you have a really fucked up hardware clock. Alternatively you could run ntp. I don't see a security threat in allowing these services to update over clearnet. Almost every server has them running, so there's nothing out of the ordinary about that. However, you would definitely want to keep the time correct, because as you said, Tor needs an accurate clock to run, but also because clock skew is a known attack on hidden services.

2. How is backing up data organized? Two key points for backup: it must be made quickly and in a safe manner.

In the case of a multiple hidden service setup, the 3 servers would be backups to each other. If LE seized one, the others would continue operating normally, syncing to each other while getting sync errors for the third server. Also, if an intrusion detection system is configured to destroy the data on the seized server, then LE couldn't prove it was part of the hidden service. Users would observe no change, because the other 2 servers would continue publishing their descriptors and users would connect to them.

However, you probably want a dedicated backup server anyway. One benefit is that you could put it in stealth mode, like the ssh services described above. So even if someone is crawling the Tor network for hidden service descriptors, they would get an error that the hidden service is down whenever they tried to connect to it (unless they had the cookie/password). They couldn't determine what type of service was running on it, let alone that it was the backup server for hidden service X.

As for the backup procedure, there are a variety of backup tools for Linux, but a lot of them are based on rsync. Why not run rsync over ssh? You would have to configure ssh to run over Tor, which can be done with connect-proxy, among other things. So rsync -> ssh -> connect-proxy -> Tor -> backup hidden service. Set an hourly cron job for that.

Possible solution to make it harder to hack:
At some random moment in time, send a signaling email to e.g. Tormail showing that there's some open port forwarding on the gateway to ssh and there's a 30-min time window to download backup files; thus the service which checks Tormail downloads the backup data within the given time frame.

Seems overly complicated for something that should be straight forward, and relies on a third party service that increases the attack surface.

3. Bitcoin wallet and related data must be secured even higher on another dedicated server or VM, than eShop.

I haven't given much thought to that, but yeah, you would probably want to run that on separate hardware.
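The rsync -> ssh -> connect-proxy -> Tor -> backup hidden service chain from the post above, written out as a cron-able script. This is an added example and not code from the original thread. It assumes things the post does not state: a local Tor client with its SOCKS port on 127.0.0.1:9050 (Tor's default), connect-proxy installed as the `connect` binary, a hypothetical placeholder onion address for the stealth-mode backup service, and a dedicated ed25519 key at ~/.ssh/backup_ed25519 authorised on it.

```shell
#!/bin/sh
# Added example (not from the original post): hourly rsync backup to a hidden
# service, forced through Tor via ssh ProxyCommand + connect-proxy.
#
# Assumptions, none of which come from the post:
#   - Tor SOCKS port on 127.0.0.1:9050
#   - connect-proxy installed as `connect`
#   - BACKUP_ONION is a hypothetical placeholder, replace with the real .onion
#   - key ~/.ssh/backup_ed25519 is authorised for user "backup" on the onion host
set -eu

BACKUP_ONION="${BACKUP_ONION:-xxxxxxxxxxxxxxxx.onion}"   # hypothetical placeholder
TOR_SOCKS="${TOR_SOCKS:-127.0.0.1:9050}"
SSH_CONFIG="${SSH_CONFIG:-${HOME:-/root}/.ssh/tor_backup_config}"

# Write a dedicated ssh_config so this ssh invocation can only reach the backup
# host through Tor. With ProxyCommand set, ssh hands %h to connect unresolved,
# and `-R remote` makes connect put the .onion name inside the SOCKS5 request
# so Tor resolves it, rather than the local resolver (a clearnet DNS leak).
# If connect cannot reach Tor, ssh fails closed; it never falls back to clearnet.
write_tor_ssh_config() {
    cfg="$1"
    cat > "$cfg" <<EOF
Host backup-onion
    HostName ${BACKUP_ONION}
    Port 22
    User backup
    IdentityFile ~/.ssh/backup_ed25519
    IdentitiesOnly yes
    PasswordAuthentication no
    ProxyCommand connect -S ${TOR_SOCKS} -R remote %h %p
    StrictHostKeyChecking yes
    UserKnownHostsFile ~/.ssh/known_hosts.onion
    ServerAliveInterval 30
    ServerAliveCountMax 4
EOF
    chmod 600 "$cfg"
}

# Mirror a directory to the backup hidden service over the Tor-only ssh config.
# -a keeps permissions/ownership/mtimes, -z compresses (Tor bandwidth is scarce),
# --delete mirrors removals so the backup matches the live data set, and
# --timeout aborts a stalled circuit instead of hanging the cron job forever.
run_backup() {
    src="$1"
    cfg="$2"
    rsync -az --delete --timeout=600 \
        -e "ssh -F ${cfg}" \
        "${src}/" backup-onion:/srv/backup/
}

# Hourly cron entry, as the post suggests:
#   0 * * * *  /usr/local/sbin/tor-backup.sh run /var/lib/hidden-service
case "${1:-}" in
    run)
        [ -f "$SSH_CONFIG" ] || write_tor_ssh_config "$SSH_CONFIG"
        run_backup "${2:?source directory required}" "$SSH_CONFIG"
        ;;
esac
```

The host key of the backup service is pinned in a separate known_hosts file with StrictHostKeyChecking on, so a first-run prompt or a changed key makes the job fail rather than silently accept a new peer; populate known_hosts.onion once, out of band, before enabling the cron entry.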

2378
@ragemyfaceoff

-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----

2379
I disabled the ETags completely, but when I try to sign into Tormail here or SR it just resets the login page when I click submit. I guess stuff needs to be cached?

This is what I was talking about. I haven't experimented with disabling memory cache myself, but I've seen enough people warning against it.

The Tor devs don't want to break the web browsing experience, especially for people who won't understand what's wrong or how to fix it, so allowing JavaScript and memory cache is a necessary evil.

2380
@bowfly007

-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----

2381
Security / Re: Securing hidden services
« on: January 10, 2013, 04:26 pm »
Another thing is, the best way to deal with a correlation attack via a blocked internet connection is to run 2 or more hidden services (2 or more sets of servers as described above) in different locations. Consider 3 hidden services with the same private key and corresponding onion domain. The way that works is, whoever publishes their hidden service descriptor last gets the connections. Hidden services publish their descriptors every half hour. So if you start them 10 minutes apart, users will be connecting to a different set of servers every 10 minutes. If LE somehow identifies one of the servers (despite the protections described above) and cuts the internet connection, a few minutes later they will be able to access "the" hidden service again, creating confusion and plausible deniability.

The problem to solve is syncing the databases. For a blog that only gets updated a few times a day at most, that's easy. For a forum like this, that's a lot harder.

2382
Security / Re: Securing hidden services
« on: January 10, 2013, 04:01 pm »
Yep, I forgot about reboots. I guess I assumed a VNC session would be sufficient for that. I'm also assuming that the hardware is colo'd under a real identity so connecting to the machines directly is not a security threat. I was more worried about someone getting into the machines through a public facing sshd. Of course, that can be secured by turning password authentication off and only using RSA keys, but with ssh hidden services in stealth mode, you can deny there is any ssh at all.

What would make this even safer is if you hosted it in your home. The major drawback is the really low outbound bandwidth. It's possible with a forum like this, which is mostly text. Turn off avatars for even better performance. I doubt a few hundred simultaneous users create more than a few tens of kilobytes of sustained traffic, since they are not requesting data all the time.

The main benefit is that a private residence is the best legally protected location. With dedicated servers, you don't own the hardware and the provider can hijack your servers at their discretion. Even with colo there will be terms and conditions and they can cut service, block your network connection, or shutdown the server whenever LE decides to do a correlation attack.

When the hardware is hosted in your home, locked in a cage, with yourself and a few guns standing by, you can't beat that kind of protection.

Edit: It's also safer for reboots because you do it directly through a keyboard/monitor connected to the machine, and maintenance issues / hardware upgrades are a lot easier to deal with.

2383
@mracid

I haven't used Liberte, but if you're on Linux, go to Applications -> Accessories -> Terminal

Type in:

  gpg --import

and hit enter. You'll see a flashing cursor. Paste the public key there. Hit enter again so you're on a blank line, then CTRL + D.

2384
@ragemyfaceoff

-----BEGIN PGP MESSAGE-----
-----END PGP MESSAGE-----

2385
The much scarier version is that someone hacked the forum and is manually deleting posts/forum sliding topics.

Great. While he's at it, maybe he can delete some of the spam too.
