Silk Road forums

Market => Product offers => Topic started by: Looker on November 17, 2011, 01:49 am

Title: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on November 17, 2011, 01:49 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SecuritySolution is proud to be offering v1.0.5 of the SecureVM for SR, it will include:

Vidalia Bundle (Tor/Polipo/Vidalia)

Bitcoin Wallet
*Pre-Configured to generate a new wallet at first startup and configured through tor.

Mozilla Firefox (Pre configured to use tor)

Mozilla Thunderbird (pre configured with tormail.net addresses)
*updated to include all profile data needed for tormail other than the username/password
**Enigmail add-on for integration with GPA pre-configured with gpg-agent and other necessary bits.

Pidgin
*Pre configured with the silc chatroom, you would only need to change your username and generate a new keypair.

GPA - Gnu Privacy Assistant (GPG/PGP)
*gpg4win Pre loaded with public keys for the top vendors with their keys set to the 'Full' trust level. These vendors are currently the participating top vendors on SR who you can expect excellent service and quality from.

TrueCrypt
*pre-installed and upon request whole drive encrypted with AES-Twofish-Serpent cascading filesystem encryption, wiped with 3 passes of DoD 5220.22M Military spec sanitation.
(Standard used by various intelligence agencies for data destruction)

Freeraser pre-installed and set to use 'Forced' destruction mode replacing your trashcan with a DoD 5220.22M 3-pass level file wipe (unrecoverable)

CDBurnerXP (Necessary for creating a 'rescue disc' in the event your truecrypt password is forgotten)

OpenOffice Spreadsheet & Writer
*Spreadsheet - this is useful for various tracking beyond SR's data retention time.
**Writer - This is useful for keeping product/listing descriptions

Password Safe
*This allows you to generate and save random passwords for the various sites you may use (SR/MtGox/Forums/Bitcoin Wallet/PGP Key/Dwolla etc) This adds a level of security where if someone were to obtain one of your passwords they wouldn't also be able to use it to gain access to other sites if you use a single password for multiple things.

Bleachbit
*This application can 'sanitize' your vm if you choose from time to time, performing an extensive cleaning of cookies and/or web browser history among other things. It also will perform a 3 pass 5220.22M wipe of all free space on the VM.

Spybot S&D
*While this should not be necessary this will prevent a large quantity of malware from infecting the VM. Not being necessary in that it's intent is not for general web browsing but for SR

Dropbox
*When used in combination with TrueCrypt it is possible to create a small volume that is encrypted to store all of your PGP/OTR/PasswordSafe db and other sensitive information allowing you to quickly recover in the event of a USB key failure leaving the only specific information in an easily accessilbe place with your phone (Supports both Droid and iPhone platforms) as well as sharing data between the two.


- -----------------------------------------------------------------------------------

Bitcoin will be set to install at first boot, this is to ensure that each user will have unique Bitcoin wallets.

Mozilla Firefox will be configured with torbutton defaulted to 'on' as well as various configuration items to speed up it's use with the tor network.

Mozilla Firefox will also include bookmarks (in the bookmark bar and menu) for Silk Road, Silk Road Forums, Silk Road Wiki, Tormail Web GUI, Tormail Control panel (for changing passwords)

Mozilla Thunderbird will be configured with all server data included and proxied through tor with 'Owner' as the user and all other data populated with valid configuration information (in otherwords they would need only replace owner with their tormail.net account, for those without one we can assist in helping them create one)

Pidgin with OTR (Off The Record messaging) installed as well as enabled. It will also be pre-populated with an 'Owner' account for the SILC 'silkroad' chat room where SecuritySolution often reside and will be available for limited technical assistance and will assist people as much we reasonably can.

GPA Has been selected as the PGP key management tool of choice for now. We have coordinated with vendors at this time who are interested in participating. What this means is their keys are pre-populated in the GPA keyring and have their level of trust set to 'Full'. Mine as well as the 'SecuritySolution' will have our keys set to 'Ultimate' this means that any key signed by either of us is considered a 'Preferred Vendor' and as such you should expect the highest quality product from them as well as the best quality service. These are all long term and highly reputable vendors. Their inclusion in the keyring indicates their willingness to participate. Should you question this validity please contact them and they will confirm that they are indeed participating and authorized the re-distribution of their keys in this fashion. If for some reason a vendor goes rogue they will be immediately removed until they are deemed to be in good standing with the community, there will be no exceptions to this.

Truecrypt by default will not come enabled with whole disk encryption unless the user specifically requests it and the password will be set to one of their own choosing. (More on this later)

CDBurnerXP is installed so when encrypting your disk (if it was not done upon your request) you are able to burn a rescue CD. For those who would like this pre-configured (whole disk encryption) a rescue CD will be provided with the drive.

OpenOffice Spreadsheet has been installed, this is intended for vendor use in order to keep track of orders beyond the standard retention of SR. Buyers may also choose to use it for this purpose or in general for tracking their orders/transactions on SR in general. Use of this in this fashion would make us insist on using Truecrypt whole disk encryption without any exceptions.

Password Safe will also be installed with a blank database provided secured by the default password. This password will be present in a text file on the desktop. For users who would like this pre-populated with their SR username/pw as well as various other sites would need to coordinate with either myself or SecuritySolution for this additional configuration. I highly recommend the use of this tool for ALL users.

Last but not least, upon first start of the VM the home page of Firefox will be set to a local set of browser based instructions providing step-by-step on how to change any and all passwords (if any have been pre-configured) as well as the location of the plain text versions in the order we recommend performing them.

- - - ----------------------------------------------------------------

Please See SecuritySolution's listings for this product:

SecureVM Basic Configuration DVD
Basic Vanilla copy of the VM Compressed and encrypted on DVD with all necessary software included, however you would need to supply your own USB drive

*SecureVM Basic Configuration DVD + USB
Basic Vanilla copy of the VM Compressed and encrypted on DVD with all necessary software included also included is a Basic 32GB USB 2.0 drive (Lower cost alternative with slightly lower performance but about $20 cheaper) USB 2.0 Maximum data rate is 60MB/sec

*SecureVM Advanced Configuration USB + DVD
Basic Vanilla copy of the VM Compressed and encrypted on DVD with all necessary software included also included is a Higher performance Corsair Voyager 32GB USB 3.0 drive (high performance USB 3.0)
Read Speed Up to 70MB/s
Write Speed Up to 39MB/s

*SecureVM Premium Configuration USB + DVD
Basic Vanilla copy of the VM Compressed and encrypted on DVD with all necessary software included also included is a Higher performance Corsair Voyager GT 32GB USB 3.0 drive (highest performance USB 3.0 drive)
Read Speed Up to 135MB/s
Write Speed Up to 41MB/s

**SecureVM Basic Fully Customized Configuration DVD
Fully configured/personalized copy of the VM Compressed and encrypted on DVD with all necessary software included, however you would need to supply your own USB drive

**SecureVM Basic Fully Customized Configuration USB + DVD
Fully configured/personalized copy of the VM Compressed and encrypted on DVD with all necessary software included also included is a Basic 32GB USB 2.0 drive (Lower cost alternative with slightly lower performance but about $20 cheaper) USB 2.0 Maximum data rate is 60MB/sec

**SecureVM Advanced Fully Customized Configuration USB + DVD
Fully configured/personalized copy of the VM Compressed and encrypted on DVD with all necessary software included also included is a Higher performance Corsair Voyager 32GB USB 3.0 drive (high performance USB 3.0)
Read Speed Up to 80MB/s
Write Speed Up to 41MB/s

**SecureVM Premium Fully Custom Config USB + DVD
Fully configured/personalized copy of the VM Compressed and encrypted on DVD with all necessary software included also included is a Higher performance Corsair Voyager GT 32GB USB 3.0 drive (highest performance USB 3.0 drive)
Read Speed Up to 135MB/s
Write Speed Up to 41MB/s

The Basic listing comes on a SanDisk Cruzer USB 2.0 32GB Thumbdrive (Or suitable equivalent USB 2.0 Max speed 60MB/sec)
The Advanced listing comes on a Corsair Voyager USB 3.0 32GB Thumbdrive (Rated at 80MB/sec read 40MB/sec write)
The Premium listing comes on a Corsair Voyager GT USB 3.0 32GB Thumbdrive (Rated at 135MB/sec read and 80MB/sec write)

*Includes support for initial setup not to exceed 30 days

**Includes support for initial setup and post setup not to exceed 90 days

Please see SecuritySolution's Listings for this product in it's various forms:

http://silkroadvb5piz3r.onion/index.php/silkroad/user/103613
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPC6YtAAoJEEMAzoKrkXQ+P1cH/i5TEeXUzp3bjF0OZm/sOG9j
imuokFinbeN0Wk8QksaYpzSfyCvbZ3DFw821cwzET3rf/Q7TWiDxMewVhhoFFCC7
WJC0r4/eqyqd98OxOvDY6V2ESi/EDHsGpNGoiDTA3QW3JuN5P58xkWZCuR/IpChz
D/zkoY/utaD6SoVillnQzHiKkEYV7ghMRdYz/C4T02xVHkFKMqi6HpIppi6eQG7w
4/4Q7KE0/zY9jqjFHWTrYFz7ACsFFaujoFmBb//KPo8e3JpMyNNk5jw5qRla9uMS
8nNBS4FYVk8vN02hb5tou3ZDXY/c3ExR/qaYVQ6aKTm8JirnVcXDmQU6YRV2yvE=
=ZJFl
-----END PGP SIGNATURE-----
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: KingJoey on November 17, 2011, 01:55 am
Its a good idea but people would really have to trust u 2 use a product like this. I mean it would be simple as hell to slip in a program that you could use 2 either monitor all the transactions your self (LE) or that you could use to steal the BitCoins (scammer) or to take control of the seller account. Now I am not at all implying this about you but in all honesty as much as I would love to buy a product like this I wouldnt buy it from some1 that I didnt completly trust. It would be very ironic if some1 bought your product because they wanted to be safer and take an extra step to try 2 avoid LE messing with thier SR stuff when infact this product had a program in the thumb drive that allowed LE to track the users movements and report them back to LE.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on November 17, 2011, 08:49 pm
While I completely understand this concern the intention initially would be for this to be vetted by some of the vendors on the site so the concern of LE or other concerns of this nature should be somewhat alleviated. The VM image would not consist of any personal data other than a simple username chosen by the purchaser. Otherwise it would be about as nondescript or otherwise devoid of identifying data.

Something to bear in mind the same condition exists any time you are purchasing any product from SR, there is a certain amount of implied trust that is provided to the vendor that they will in fact ship what you ordered, unadultered, and not be in some way tied to LE.

Again part of the product would include a pre-populated GPA keychain with vendors keys signed by me (with their permission) as well as mine signed by them (To validate their approval) who would back or otherwise validate that the 'key' or otherwise image is to be trusted as reasonably secure with all tor related precautionary measures pre-configured. This would also allow users of the product to know which vendors are to be trusted and utilized for their transactions and avoid potentially scams from unvetted vendors or vendors who maybe do not put security and anonymity as top priorities keeping the community in many ways safer as a result and hopefully longer living.

Again this is a feeler thread to determine what things would make this a very viable product so any suggestions on how to make this more secure or trusted are very welcome and encouraged. I do this sort of thing professionally in the real world and thus am looking to share my professional skillset so other users can benefit from what SR has to offer betterment and security of the community for a modest price for my time and efforts.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: madamebradley on November 17, 2011, 09:14 pm
It's a very interesting idea.

Why WinXP instead of a custom linux distro?
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on November 17, 2011, 10:14 pm
Linux could be done as well if someone wanted it, but it's really geared for someone who knows very little about this sort of tor/networking and computer thing, so it's a matter of what people are familliar with. I am currently working on a linux based one as well at the moment. I don't want to give away too many details but it basically would be an executable that you would run to start the machine and it's virtualization software that would be contained on the USB drive so you wouldn't need to load anything at all on the desktop. Once the machine starts up tor starts by default and everything is configured to be proxied through tor.

As an aside, in order to get started I would be willing to provide the actual image for use on a thumbdrive to a few forum members to examine and otherwise vouch for freely as being proper and viable. The USB keys however cost ~$45-50USD each so I wouldn't provide the key free of charge but the image yes.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on November 17, 2011, 11:18 pm
Thats in the ballpark I was thinking as well. I am working with another member to also develop a similarly configured linux based one but this is the initial stages of it. Eventually it will also include a security measure where the key will be encrypted as a whole, one password would reveal the vm, and a 'fake' password would reveal what would appear to be a linux livecd with various common diagnostic tools for the average IT guy or perhaps a handful of MP3's or other innocuous data so if you were forced to provide some password it would reveal nothing more than a bunch of files that wouldn't in any way point to SR and the more they (LE) wrote to it they would essentially be over-writing the data that does contain SR relevent data.

I have also contemplated electronic distribution, but in order for me to be ok with that I would want a way to secure it so only the intended recipient would recieve it and it wouldn't end up on the pirate bay lol the irony is that I'm sure a ton of us get oodles of software free via those channels.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on November 22, 2011, 07:37 pm
It looks like this has garnered the support of some vendors and other community members. I'd like to get a few that would be willing to help with testing if it were made available to them. This would be for the purpose of adding/removing features as well as applications.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: eryx2k9 on November 23, 2011, 02:49 am
Verry nice idea :o
i would be willing to test the drive / software.
Furthermore i could spend some time scanning and searching
the distro for suspicious code / functions and provide a detailed report in here.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on November 24, 2011, 01:07 am
I've mostly completed the first revision. It currently includes on the drive upon opening it:

Folder 'Virtual Machine'
Installer for VMWare Player
File README.txt which explains how to install VMWare player and how to start the machine for the first time.

Once the machine starts it also will open a web page with instructions on how to change passwords for:

TrueCrypt
GPA and changing the password for the PGP key
Tormail.net account (as well as instructions for changing them in Mozilla Thunderbird)
SR Forums
Pidgin SILC chat with silkroad pre-added)
Password Safe master combination as well as changing passwords for pre-configured sites within the Password Safe

All applications currently are open source or otherwise freely available with the exception of windows, which is fully activated and updated as of 11/21/2011

If there are applications that people think should be added please let me know and I will investigate the feasibility of this. For vendors I may also install a copy of OpenOffice Spreadsheet (if it's available as a singular application) to keep track of order management.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Bupebuddy on November 24, 2011, 01:39 am
I really like the idea but the trust issue would not let me proceed.  You could slip anything in there from a keylogger to a trojan forwarding you precious data.  And when someone does look it down and ok's it you could still slip something in after final inspection then release.  I do like the idea and hope it does work out but like I said personally I wouldnt purchase.  I'm sure there are people who think it would be perfect and would purchase.I currently have the same deal running on my end but instead of a flash drive I have an old external hard drive running windows 7.  I would much prefer linux but since I have to tether a cell to connnect to internet there is no support for it through linux.

How big are the flash drives you plan on using?
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on November 24, 2011, 04:14 am
Currently I'm using 32GB ones, the one I am testing with now is relatively slow but I would sell it on corsair voyager GT's which are USB3 and supposedly do north of 100MB/sec. I understand your reluctance which is why before it will be offered to the general public there are a few members who will be surveying it for that particular reason. I have no interest in scamming anyone here, any of the vendors I have done business with in the past can attest to that and also some of the guys in the SILC chatroom where you can find me. While slipping in a keylogger would be possible I'm not sure how that would do anything for me once the passwords have all been changed (currently I have firefox as a startup item and it's home page is a step by step guide to change these) while I'm fairly competent I really don't know enough about keyloggers and malware in general to be able to pull something like that off.

In all honesty my motivation for providing this is purely to provide a source of revenue to cover my barhopping costs on the weekends and my SR purchases and of course a little extra cash never hurts.

In time this may be vetted by senior members of the community with regard to the trust issue which I fully expected to be the biggest obstacle really.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on November 24, 2011, 04:25 am
Oh and FWIW a hardened Linux version is also in the plans, it will however be more intended for vendors then buyers and will make use of SELinux among other tools to secure it however that will be considerably more R&D on my part to ensure it meets my security standards.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Ineluctable on November 25, 2011, 04:58 pm
Will the Windows version be able to receive new updates? It sounds like they'd all be using the same serial number, just curious. If not, do you plan to post monthly updates after the Microsoft update release cycle?
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on November 25, 2011, 06:32 pm
That is something that's also still in the works. I'm contemplating offering some sort of update service where you could send it back or some such but that does to some extent compromise the anonymity of things so I'm not sure how I would be able to manage that, and maintain anonymity plus by that time there would be data specific to a user loaded on it and I would not want access to it in any way. I'm thinking of perhaps trying to put together an update pack where there would be a torrent of some sort with updates to all the pre-installed software in one zip but that would also rely on the end user being comfortable with performing that sort of maintenance. I'll be shipping my first test key to a vendor today or tomorrow for testing and we'll see how it goes from there. The first few I will be limiting myself to 2 orders a week to ensure fast turnaround and good service as I am able to streamline the process and make it more assembly line capable I will perhaps move that up but I have no intention of taking on more orders than I can process in my free time. Lead time I anticipate to be ~3-4 days prior to shipment maybe 5 to double check everything works as intended.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: fidocscentral on November 25, 2011, 06:35 pm
I second this idea.  8)
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on November 28, 2011, 09:14 pm
The first test key went out to a vendor this weekend. I'll ask that they post their thoughts to the forum once they have had a chance to review it.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: NOC3 on November 29, 2011, 09:21 pm
I think windows xp might not be the best platform for this type of implementation, but rather a small, lightweight linux distro (there are several out there currently meant for security purposes) that can boot from disk.

This is where I think we should follow the methodology outlined in the summer(?) issue of 2600 (plus some other goodies). First, setup a truecrypt hidden volume and mount it - inside this volume create a virtual machine, the smallest linux distro you can find - doesn't matter which and then make a copy of it in a sub-folder. Now this is where the specialized boot-from-disk distro comes in - boot up the VM from the ISO do what you need to do on Tor and then shutdown the VM. Once the VM is powered off overwrite the VM with the copy you made prior to booting the ISO and unmount the truecrypt volume - restart your computer

Essentially you have then run an operating system from disk which is stored in the virtual memory of your VM that runs in the ram of your computer which is cleared everytime you power off your computer. When you power down the VM and overwrite it with the old copy there are no chances of the ISO or its activities and files being accidentally stored in the VM and all of this is stored in an encrypted volume...
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on November 30, 2011, 02:19 am
While I can definitely appreciate your concerns what you are suggesting is not the intended audience of this particular product and is a bit out of scope.

The audience that this is geared towards is the typical windows user.  This being said for the initial release there will not be a Linux offering. For this offering think 'average windows users' which means a Linux distro is not going to be useful, in fact it will more than likely be confusing and turn people off. I'm not being condescending or arrogant but I make my living working in technical support (in Linux and virtualization in particular) and product management. What this is intended to be is a product that anyone on SR can purchase (at various levels of configuration) in either BTC or possibly MP (yes I am also considering accepting MP directly as well, as this is not legally contraband and I would exchange to BTC myself) and it will allow them a certain level of confidence that if they limit their SR transactions to the guest running on the USB key and only there, that once they complete their transactions and shut down the guest and take the key out of the computer (which should be part of their physical keychain) any data connecting them to SR would be contained within that key and on their person and not on their normal desktop etc. This VM could be run in full screen so it would appear to be no different than sitting at their normal computer. For security purposes this also means if there should ever be a reason they are concerned about them being connected to a transaction on SR, disposal of nearly any and all evidence would be as close as the nearest storm drain/dumpster/trash can. It's intended to be something that can easily be discarded with some level of confidence that this would protect them from prosecution or some kind of difficulty from LE.

Assuming that the device were to be obtained by prying eyes (LE of some kind) the VM should be (and directions are included and display on startup step by step instructions for accomplishing this) encrypted (whole drive) with AES-Serpent-Twofish cascading ciphers. Without that initial password it would be nearly impossible to obtain any useful data from the drive without the password.

Included is also password safe, which I also recommend people use to generate unique strong passwords that they are unable to remember but will allow them to keep unique passwords for any site they use and access them. This adds a further layer of security as what you don't know, you can not disclose.

So while Linux certainly adds value and a higher level of security by design that's beyond the scope of the initial offering. I currently have several hours into this as it is right now (I'd estimate 40-50), and have garnered interest of a few folks as interest grows and I see that it would be a worthy investment of my time to develop a similarly comprehensive device under Linux (Which would take more time to develop than a simple windows VM) I will pursue that avenue as well.

For now this is not specifically intended for vendors, although a more robust, Linux based solution may become available to fill that need. However there are vendors that may be using practices that could compromise our anonymity, this would be effective in minimizing that and eventually if demand is there and a Linux version is provided (May also be a direct boot from USB not a VM) it would be specifically designed for vendors with very strict security measures in place.

Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Rook on December 01, 2011, 09:35 pm
I really want to see this idea succeed, but until someone figures out a way to implement it without us having to place all our trust in a single tor-ified stranger, I simply can't lend my full support.

Maybe if we can setup a distribution center where the hosted file can't be seeded unless it has been audited and signed off on by a couple trusted community members?

I'd be willing to take a copy to a couple IT friends and see if they can assure me of it beneficence, but I don't know how to go about working out a way to insure that everyone gets the same clean copy. 

The final release would have to be somehow removed from the creator's ability change it.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on December 01, 2011, 10:00 pm
Rook,

Send me a signed email at Looker@tormail.net I have something setup for vendors such as yourself and have a final beta release available distributed through an anonymous file hosting service. I've already provided it to several senior members for review. It's currently in a compressed 1.05GB self extracting password and encrypted zip. Once I get your email I'll provide you with the link and password for it. I can also provide you specific highly reputable vendors that are participating intiially in testing and evaluating it. For long standing members on the forums and vendors this is free of course and any and all feedback I only ask is provided here openly on the forums.

Once the drive is shipped it includes instructions that load upon first boot that explain how to change any and all passwords which would prevent me in any way from being able to change it once it's in the hands of the intended recipient. I will also offer to truecrypt it ahead of time (using 3 cipher cascade) for the USB buyers with the password of their choice which again at first boot there are instructions that load as soon as the VM starts that explain how to change it that a 10 year old could follow (I had a friend of mines son verify this, literally).

I also got in touch with nomad today who moved this thread for me and is going to be evaluating it as soon as he is done downloading it. Trust is everything here on the road and I understand that, which is why everything about this will be publicized in the forums to ensure my openness with the community and my intentions. The only secret I intend to withold is my identity which we all do for our own safety. I've also made shipping arrangements from a local business that would normally ship out dozens of packages a day in proper plain bubble mailers with professionally printed labels by them (not me or my printer). Security and anonymity are the top priorities here.

Thanks,
Looker
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Rook on December 01, 2011, 10:36 pm
Well you're certainly off to a good start.

message sent.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: caffeine_me on December 02, 2011, 08:28 am
It will be nice to just refer all these people to your listing when I read 'Is it safe to buy drugs directly from my bank account' (Or pretty much the same thing).  It seems like I am answering some form of that question daily.
I know 90% of them are putting themselves in unneeded situations/danger, because they don't know what they don't know.  Maybe 10% spend the time to make themselves safe with the hardware/software package you will offer.
I have been going off the phrase "you can lead them to the water," which is what I have tried to payback to the community that helped my ass.........but shit, now just sell them the water packaged all nice.

Great idea, thank you for your contribution to the community.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: snapple on December 02, 2011, 09:48 am
The idea of having a professional pre-configure a hardened setup is a seductive one. The reality of having to buy that configuration from a tor-ified stranger is frightening.

That being said, you build this version out with WinXP with the rationale that noob users with little experience can get into the fold quickly. But you need PGP-signed email to buy this, and also obviously, a Tor setup. This initial hurdle means that whoever is buying this can't be a stone cold noob or else he wouldn't have PGPs, Tor browsers, etc. He already has much of what you offer.

You say your job involves linux, and what sellers like me *really* want is the absolute nuts, some slimmed down hardened linux distro like gentoo or liberte with virtual airgaps and all the bells and whistles that come with a balls deep secure setup. If you had something like that and were willing to meet in an anonymous chat for a one-time setup "live support" if I ran into troubles, I'd pay a lot more than $25.

I ran an ad on craigslist that offered $200 cash money for anyone who would meet me at any NYC Starbucks and harden my system "while-u-wait," but only jokers responded. If you truly know this shit inside and out, toss up a pro set-up and price it accordingly.  People will nibble. It's what they really want for Christmas after-all : )

Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: branflakes on December 02, 2011, 10:50 am
I feel that this is something the community should publicly maintain. I don't see you why shouldn't be the first to monetize off the idea though. ;)

How do you plan on selling the drives if the target market isn't on SR yet?

BTW, you can easily use a crack or registry file to bypass WGA; http://all-in-one-stuff.blogspot.com/2008/02/bypass-windows-genuine-advantage-wga.html. Running the OS off of virtual machine leaves it vulnerable to the host machine as well. No amount of security on the virtual machine can protect it.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on December 02, 2011, 05:53 pm
@caffeine_me Exactly, in most cases with minimal precautions SR is fairly secure and it's buyers are relatively safe. However, I aim to make them safer. This is as much for me as it is the rest of the community. I am not claiming to be someone who is simply helping the community for the sake of being a swell guy but in my eyes, the longer SR lives, and the more secure it's users are, the longer I get to use it for my own personal needs/desires. Selfish motivation, sure I suppose so, but with good intentions and integrity, absolutely.

@snapple I will disclose that IRL I work for a very large international software company, in the top 500 largest companies in he world. That said I work specifically supporting their linux product as well as their virtualization product for other companies of similar size and nature. I can assure you my experience professionally is more than sufficient for this sort of task. Prior to that I spent time in the US military specifically in the intelligence field. I am intimately familiar with what methods the NSA and other agencies have and the resources available to them to leverage those methods at their disposal. Purchasing this from a 'tor-ified stranger' is no different than purchasing anything else on SR however what I offer is peace of mind that purchases after mine using my device and methods will result in more confidential transactions than they would otherwise. What is the confidentiality of your transactions on SR worth to you? Are you sure you are taking precautions that would make it very hard for LE to give you some sort of hassle? I can tell you I am very confident in my product. In fact I use it exclusively for everything I do on SR. I eat my own dogfood to speak of and with great confidence.

That said, the reason for this being with XP is I will not only be selling it on SR but also IRL to people locally whom I consider very trusted friends, this is what they are familiar with as are the newbs. In order to purchase this you would not need PGP or even BTC. If you can download the tor browser bundle, register for an account, and find my ad as well as the forums you would not need anything else. In the future I intend to provide it much in the same way ubi-keys are for MtGox. Additionally the keyring will also create a web of trust, modeled after bitcoin-otc on IRC. I would offer this to customers for the sale of MP as well since what I am offering is not legally contraband and could not get me into any kind of real trouble anyways (when was the last time you heard about someone in court for pirating windows XP?). I've consulted with 2 close friends who are attorneys and they also concur with this. The packaging and shipment however would be just as secure as any other transaction you would have with any of the top %10 of SR vendors. My packaging would be just as discreet and trouble free as any vendor on this site, I can guarantee that. Without disclosing too many details about my methods, in order to receive a controlled delivery with my methods a court would need to be willing to violate the same confidentiality that you have with a doctor or lawyer or priest. Which to my knowledge there is no case law supporting this to date. As a buyer I have made several purchases and my packaging is derived from a compilation of techniques from some of the best seen packaging here.

Like I've said previously the first release is more geared towards buyers, with some sellers vetting it for me. Once that happens and it generates me some revenue, then  the interest would be sufficient for me to feel it's worth my time and energy to provide a  linux version which would be considerably more work, it may very well be based off Liberté Linux as that seems to fit the bill quite well. This version may also be (depending on how well I can produce it) a bootable USB drive. eliminating the need for a hypervisor at all.

I'm frequently in SILC chat, normally all day during EST so if you need assistance I will be there to provide it, there will also be a channel specifically for this purpose. Please however understand I am only 1 person so while I will do the best I can for people, I can really only help so many people at once though.

As for your craigslist ad, while that may have seemed like a novel idea, I can tell you that most of the people who would have responded were under qualified and over confident as there would be no way to truly make a bulletproof hardened system in a few hours sitting at a cyber cafe, anyone who thinks they can doesn't know whats truly involved and probably is full of it. I'm not being arrogant here but I know what it takes to truly secure a system in the fashion you suggest and it can't be done in a few hours. I have probably in the ball park of 50-60 hours into this particular release for the purpose of making it reasonably secure (as secure as windows gets anyways) and comprehensive. Keeping in mind windows is 'easy' you would need a multiple of that for linux. Personally I'm not going to spend that kind of time for a linux distro to have it net me a handful of customers and then never more. This needs to prove to be a sustainable and continuous stream of revenue for me to consider making that personal investment. The income I derive from my professional job is plenty sufficient, so I'm not in need of money to speak of therefore this is partially a hobby, but also a business venture, I have no intention of doing it without profit for my troubles.

@branflakes While I feel there are many members that could assist in maintaining this in the community the question is 'who would like to' and more importantly, who would you trust to do this? An example would be microsoft, would you feel better about installing updates from an anonymous third party or directly from the provider of said product? Currently I am still developing a method to create an 'updater' that would allow you to in an automated fashion update all relevant applications on a monthly basis but again this is still in it's early stages and I haven't determined a secure or anonymous (in my eyes) method of accomplishing this. If revenue were sufficient I would host a .onion server for this purpose as well as for maintaining of public PGP keys.

I plan on coordinating with various vendors initially (trusted ones I have already had discussions with) to offer this to their clients for a nominal fee covering roughly 2 hours of my work and my cost in procuring a 32GB USB key. For those that would like to procure their own USB drive, I would offer it at a discount essentially less my cost of the USB key as well as a place they can download it, or I can ship it compressed onto a single DVD-R and password protected with everything included to be installed to a USB drive whichever they like. I intend to provide as many options as possible until such time I have determined which are the most desirable and feasible.

The VM has already been registered/activated so no crack would be needed. The measures taken on this VM would prevent it from being vulnerable to the host machine in several ways and once your business is completed the VM should be put in either standby, or shut down and removed subsequently from the system it's connected to leaving no ties between the user and SR on the host system, at all. The encryption methods used to secure the VM from within the VM have not yet been comprimised. As an example:

http://news.techworld.com/security/3228701/fbi-hackers-fail-to-crack-truecrypt/

This example used 1 cipher to encrypt the data in question, mine uses 3 cascading ones. So I would challenge you or anyone else for that matter to attempt to compromise the security of this VM from the standpoint of decrypting it without the proper credentials or otherwise retrieving data from it. In fact I'd put $500USD on it.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: snapple on December 03, 2011, 09:22 am

I'm not being arrogant here but I know what it takes to truly secure a system in the fashion you suggest and it can't be done in a few hours.

That may be true, but as a seller there's no way you're going to convince me to put my trust in a "secure" setup using Windows XP. I can set that up myself. Why not just harden Ubuntu if BSD or Gentoo is too hard for users? If Ubuntu is "too complicated" for your target market then they shouldn't be selling drugs online IMO. Ubuntu is simpler and easier to use than any Windows OS I've seen. It's idiot-proof.

When I sell locally all I've got to worry about is the local cops. When I sell in the deep web you never know which federal acronym may decide to make an example and spend a few million in white hat to crack down on SR vendors.

If you look at the DEA budget, they are allocating ever-greater sums to bolster their online white hat activities, and all it takes is one taliban fuck who sells on SR to fund some whackjob terror plot and bam, now you've got the NSA, with all their zero day exploits, sniffing around. And then any vendor without a balls deep secure setup is in danger of being exposed. In time it will happen and the weak will get eaten.

If you're a seller and plan on doing this for any length of time, you're crazy to run some patched up Win XP system IMO.

Show your chops and put up a polished setup for vendors who can work beyond XP.

Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on December 03, 2011, 10:53 pm
You seem to be missing the point. This device isn't initially intended for vendors,firstly it's intended for buyers. Secondly I've already made it quite clear that once there is a market and it provides me with enough revenue to justify putting the time and energy into creating a hardened linux one I will. But it's this simple, I'm not going to put possibly 100+ hours into setting it up properly so it can be readily distributed without each one having to be built individually to only end up selling a few here and there.

I'm very much more aware of what the DEA and NSA have at their disposal than I am willing to disclose, and with the methods I have employed them being able to crack the encryption would be extremely difficult if even possible. It doesn't matter what the OS is if the underlying filesystem is not able to be cracked anyways so your argument that windows xp is unsuitable is lacking because the fundamental issue isn't the OS but what protects it from those who would seek to obtain data from it, which is secure.

And like I've already said once there has been enough demonstrated interest in this release through it's sale then I will commit the time to one specifically geared towards vendors who's needs are far more involved. I have begun work on it already but I only have so much free time and I'm not going to devote all of it to another version until I know this one (intended for buyers, not necessarily sellers) sells adequately.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: SecuritySolution on December 07, 2011, 03:04 am
We've made our first few sample sales of this product. We will be expecting some forthcoming reviews/thoughts with regard to it's ease of use and viability however we will not be vending it on SR until the first quarter 2012. Quarter 2 we plan to have an offering similar but slightly more robust based on ubuntu. We also have tentative plans quarter 3 to offer a highly hardened version based on Liberte' or Tails linux. This is highly dependant on demand, the Linux versions may also be lower priced (ubuntu) as they will likely allow the same functionality on a 16GB USB key rather than the 32GB one.
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on December 10, 2011, 10:54 pm
Updated OP with a few more features to include enigmail plugin for mozilla thunderbird pre-configured to encrypt/sign all outgoing mail
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: edballs on December 11, 2011, 01:41 am
I think this is a splendid idea.

Windows XP set up the way you describe should be fine for buyers, tbh.

For people who don't really know what they're doing, a linux system might just lull them into a false sense of security anyway.

I use a very similar setup, actually.

The only issue is the trust issue.

And the only way I see around that is to make it freely and publicly available, and allow a lot of other people to poke around in it.

You could still make money by being the only official source for usb keys, customization, support, etc, though the whole thing will be a lot more involved obviously.

Having said that, with just a few trusted people giving it the all clear, (and re examining it regularly) you might be able to make decent sales without all that hassle.

If the trust issue can be overcome, then it could be a great thing for getting more people involved.

Good luck.

Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: SecuritySolution on December 12, 2011, 02:55 am
SecuritySolutions is proud to offer the first release a vanilla configuration here:

http://silkroadvb5piz3r.onion/index.php/silkroad/item/15598

They will be available in limited quantities intially, if a client would like additional things configured (tormail account created to match SR username and/or configuration of thunderbird profile or perhaps also forum acounts created with passwords pre-populated in password safe) please contact us and we can discuss various options.

Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Looker on December 22, 2011, 07:11 pm
Bump for feedback on distributed copies
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: SecuritySolution on December 24, 2011, 11:44 pm
All offerings and listings have been posted to SR For any of you that were provided a free evaluation please purchase the Custom VM for SR member to provide feedback. If you don't have the coin to spare let us know and we can modify the listing so you may purchase it in order to leave feedback.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: johnnyfried123 on December 25, 2011, 07:20 am
I can see the potential for demand, but personally I'd never risk putting something like that into my PC.

Nothing personal dawg :)
Title: Re: Secure Pre configured Virtual Machine with everything needed for SR feeler
Post by: Variety Jones on December 25, 2011, 09:50 am
This example used 1 cipher to encrypt the data in question, mine uses 3 cascading ones. So I would challenge you or anyone else for that matter to attempt to compromise the security of this VM from the standpoint of decrypting it without the proper credentials or otherwise retrieving data from it. In fact I'd put $500USD on it.

You can just send the $500 to my SR account, thanks.

I will also offer to truecrypt it ahead of time (using 3 cipher cascade) for the USB buyers with the password of their choice which again at first boot there are instructions that load as soon as the VM starts that explain how to change it that a 10 year old could follow (I had a friend of mines son verify this, literally).

From http://www.truecrypt.org/docs/changing-passwords-and-keyfiles
Quote
Note that the volume header (which is encrypted with a header key derived from a password/keyfile) contains the master key (not to be confused with the password) with which the volume is encrypted. If an adversary is allowed to make a copy of your volume before you change the volume password and/or keyfile(s), he may be able to use his copy or fragment (the old header) of the TrueCrypt volume to mount your volume using a compromised password and/or compromised keyfiles that were necessary to mount the volume before you changed the volume password and/or keyfile(s).

...

Also note that if an adversary knows your password (or has your keyfiles) and has access to your volume, he may be able to retrieve and keep its master key. If he does, he may be able to decrypt your volume even after you change its password and/or keyfile(s) (because the master key does not change when you change the volume password and/or keyfiles).

Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on December 25, 2011, 05:19 pm
@johnnyfried123  Nothing gets installed to the PC, only a copy of vmware player. The rest resides on a thumbdrive so I'm not sure where you are geting this notion that this would be installed on the host PC.

@Variety Jones That wouldn't apply as it revolves around having access to the volume, once the product has been shipped and recieved, much like you destroy addresses upon DCN confirmation I would then destroy the copy that was sent to the client just like any other vendor destroys address information as soon as it's delivered so what you are suggesting circles around a few things:

Malicious Intent - None here
Physical access to the shipped product - Nope, once it's received originals are all destroyed
Me retaining the master key somehow - Nope all is destroyed when original is received

More importantly I don't HAVE to do the disk encryption for them, they can do it them selves (and I've provided assistance remotely via chat to walk them through this) which means I would never have had access to the masterkey or password at any point in time which makes your statement completely irrelevant unless your aim is to just spread fear and doubt about a vendor attempting to help make the community safer which is what it looks like to me.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Ivory on December 25, 2011, 06:20 pm
I fully endorse this myself and think Looker has done something extremely valuable for the community. As a vendor I have had to deal with people with massive variation in their IT skills from handling/decrypting/encrypting PGP messages right the way down to asking questions on how to ensure the safety of their sensitive information. This is all in the name of safety, furthermore it is not just a buyer of SR who would benefit from this, I already know of some vendors who have tested this as they felt a little worried about their own personal security and whether there may be faults in the way they do things. I wanted to get involved as I thought there is no hurt in seeing how an expert has set things up as even I could learn from it. I did learn some new things - so I thank Looker for putting this out there and do recommend it to those who aren't as confident/fluent with technology.



Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: TravellingWithoutMoving on December 26, 2011, 02:13 am
...i think the point of the build is that it has all the apps needed esp for newbies...who might want a vm complete system or is battling with some of this gpg/pgp/messaging malarky...

Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: lrp72 on December 26, 2011, 02:32 am
I have been using Looker's device for several weeks now.  I know I am probably too trusting, but I don't have a lot to lose, I'm just a casual personal buyer, and I do trust that Looker isn't doing this with malicious intent.  So, here is what I think at this point:

Pros:
1.  It is comforting to have my whole SR experience in one little device that I could pretty easily dispose of if necessary.  I can also remove it and take it with me, keeping my business away from prying eyes.
2.  Tor works MUCH better on this device than it did via the Tor Browser bundle I was using on my home computer.  Significantly faster, easier connections and disconnects much less frequently. 
3.  Everything I need and more is pre-installed, and the setup instructions were clear and easy.
4.  Things I haven't thought of are installed, like super secure trash can.
5.  Support is great and friendly and quick.  He is very patient with my stupid questions. And that means a lot.  Not all techy people are. (*MOVE*)

Cons:
1.  I was hoping to be able to tote my SR experience around with me from computer to computer, but that doesn't work.  It works great on my Win7 computer, but doesn't work on my VERY old XP (unsure if it will work on XP at all or not) - can't install VMware version that I need to run it.  Sounds like a good excuse to buy a new laptop to me.
2.  I had to upgrade the bitcoin wallet to the newest version, and its not quite working right.  I haven't messed with it more though, because something about my bitcoin wallet remaining on my main computer is more comforting to me than having it so portable. I know it would be better to have on my thumbdrive though, so Ill get more brave with that soon enough.

My opinion is really that this is a great device for those of us that are too lazy (me) or too non-techy to set things up the way they really should be to be nice and stealth.  This is totally the way to go in my opinion if you have more to lose than I do, but I sure understand the level of trust that you must have is a huge factor. Hopefully time will improve trust level, I really do feel confident that Looker has our best interests at heart and is just working to make a little extra coin.

Thanks a bunch for the opportunity to try this, Looker.  It is almost exactly what I had hoped for and is exactly what I need.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: TravellingWithoutMoving on December 26, 2011, 04:05 am
- with vmware you need resources ie memory and fast cpu cos its supposed to virtualise all the guests you have running.
- don't think there's any point trying to run this vm on your old xp hardware, if so might as well run it natively on the hardware unfortunately that means you have to add all
  the apps yourself, or a complex vm guest --> disk imaging...
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: SecuritySolution on December 26, 2011, 07:59 pm
@lrp72

What kind of error do you get with the bitcoin wallet? We have found that setting it to load at boot time can cause it to fail due to booting on this type of device can be somewhat slower unless you have a bit more expensive USB drive than the one you have. If you wanted you could upgrade to a Corsair Voyager GT (a bit pricey) and it may alleviate this, the other and easier solution would be to disable bitcoin starting at boot time and simply start it manually when you need to. If you still get an error then please either post it here or contact either us or Looker on SILC chat and we can figure out what the best solution is.

@TWM

Hit the nail on the head, this may require a fairly recent desktop or laptop running windows xp or windows 7 but if you have older hardware it may not be suitable.


There are some things that can be done to avoid the host machine getting over utilized like reducing the amount of RAM allocated to the guest or quantity of CPU's but we would be more than glad to assist in troubleshooting this on a case by case basis and will do the best we can by our customers.

Thanks,
SecuritySolution
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: lrp72 on December 26, 2011, 08:06 pm
@ SS:  I'm not sure now what the error was, and honestly, Im just not in the mood to mess with it at the moment.  I am pretty sure I can get it going with a reinstall, so Ill try that first, and then come bugging you to help, if I need it. ;) 

@ TWM:  That laptop is old as Methuselah.  ;)  I was expecting too much to expect this to work on it.  No worries, I really do need an excuse to get a new and improved one. 

Thanks guys.  Hope you had a very happy Christmas!
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: SecuritySolution on December 26, 2011, 08:23 pm
I would ensure you are downloading the latest release (Bitcoin 0.5.1 ) as you may have recieved (0.5.0) which had some issues that were resolved but it's probably your best bet to simply start it after the machine is fully booted rather than letting windows start it at boot time.

Thanks,
SecuritySolution
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Variety Jones on December 27, 2011, 05:07 pm
@ Looker (and your alter-ego 'SecuritySolution' as well)

First off, you pretty much owe me $500 by the terms of your offer. Period.

But being the _extremely_ nice guy that I am, I'll let that slide for the moment while we discuss much more serious matters.

OpenPGP and Gnu Privacy Guard (GPG) are subject to manipulable short ID collisions, as announced on 26 December 2011 on asheesh.org.

How are you going to mitigate this collision attack on your collection of 'signed trusted keys'?

How can you prove (hint, you can't) that keys that you've signed the short ID's of, are in fact the correct keys and not intentional collisions masquerading as valid keys?

If you now audit your collection of signed keys, what is you standard method of key revocation, and how can you revoke short ID digital sigs on existing keys?

What secure keyserver does your programs check for key validity confirmation and possible revocations?

Finally, how are you going to go about recalling and repairing existing instantiations of your offering?

The news the above is based upon is over 24 hours old, so would your best practices suggest that anyone that uses your product immediately cease to do so until you have created and tested a patch/replacement?

Or is your plan to just let folks mosey along using your product, with no clue whatsoever of the problem?

In case you weren't counting, that's seven questions that could severely impact the security of anyone using your setup, so I'm going to be expecting seven exacting, precise and verbose responses to them.

*Oh yeah, Merry Christmas!
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on December 27, 2011, 10:55 pm
Firstly, I am the developer (Looker) and SecuritySolution actually consists of more than one individual (2 for now) who those people are (and yes I am included) is not your concern this is both for my safety as well as the anonymity of others.

>First off, you pretty much owe me $500 by the terms of your offer. Period.

Pretty much owe you? Your logic is quite amusing, I owe you nothing until you can provide me an image that you have been able to crack the encryption on or otherwise exploit or otherwise gain access to data on the vm, simply suggesting it can be done and not providing any proof that YOU can do it is meaningless. If you like I would be more than happy to send you one on USB key with all the bits I would send another user with the exception being the correct password and copy of the master key/recovery disk (which is included in the vm) and I would leave a distinctive desktop image on it. If you can tell me what it is or better yet post it then I will forward you the $500 in BTC. However I will not send you a USB key for free, this will cost you ~$50USD. I know you won't crack it so it would be a waste of your BTC, but I'll gladly take it from you.

>But being the _extremely_ nice guy that I am, I'll let that slide for the moment while we discuss much more serious matters.

Actually being an '_extremely_' nice guy generally doesn't include trying to spread fear uncertainty and doubt (aka FUD) about another vendors product for no reason when they are attempting to help protect the community (aka YOUR customers) at large. That's generally called 'gassing off' or 'trash talking or.... I think you and others reading get the point.

>OpenPGP and Gnu Privacy Guard (GPG) are subject to manipulable short ID collisions, as announced on 26 December 2011 on asheesh.org.
>How are you going to mitigate this collision attack on your collection of 'signed trusted keys'?

So your expectation is that I am supposed to safeguard against a problem announced less than 48 hours ago? Even so the solution is to use 64 bit keys however not all versions of PGP applications support this to my knowledge. If you know of a version that support's generating 64 bit key ID's please make a recommendation and if it's useable enough I may include it, otherwise you are not looking to be part of the solution, which leaves only one other option.

>How can you prove (hint, you can't) that keys that you've signed the short ID's of, are in fact the correct keys and not intentional collisions masquerading as valid keys?

Because I have obtained them directly from the vendors who would like to participate and have worked directly with them to obtain their direct consent for my redistribution of their keys. I also have developed a reputation with them to allow this level of trust. At least one of which has already endorsed (hint) this in this thread. This wasn't something I threw together and said 'Hey man can I send your key to people?' I had discussions with the top %10 of vendors and explained my strategy for minimizing new buyers getting scammed (by referring them to participating and trusted/valued vendors) with the added benefit of the top %10 getting more referrals and getting significantly reduced pricing on this product if a vendor offered it and they were interested in purchasing it. In turn I advertise them as being the vendor to choose, and the vendor in turn if the buyer appears to be not as technically inclined (read: as safe as they should reasonably be) are referred to me so the vendors are not burdened with providing tech support and can focus on supplying their product. Although from your attitude it looks more like you are upset that you weren't asked if you wanted to participate.

>If you now audit your collection of signed keys, what is you standard method of key revocation, and how can you revoke short ID digital sigs on existing keys?

Currently the list of vendors is actually ~%50 of the top %10 of vendors (roughly) meaning at most about a dozen keys. This is because not all decided to participate and some I decided to remove (CFMF is an example as well as SYG for obvious reasons). If it's determined a vendor goes rogue or turns on it's buyers I would remove their key from any future image until that issue is resolved and they are in good standing in the community. If you already have their key as a user (from a previous release) then it would be incumbent upon the user to be aware of what may be going on in the forums and community and remove it on their own or re-adjust the trust level. However at the time of sale all keys are considered from trusted members of the community and have the highest quality products and best service.

>What secure keyserver does your programs check for key validity confirmation and possible revocations?

There isn't one at this time, unless you would like to cover the costs of a .onion key-server for now there isn't one. However if this proves sustainable this is something that has already been considered and if/when enough revenue exists to support it will be investigated and a possibility in the future.

>Finally, how are you going to go about recalling and repairing existing instantiations of your offering?

Some of the listings (more expensive) include technical support, if a customer has a problem upon receipt setting some things up or has questions both myself and a few others with SecuritySolution (currently working with an EU vendor to allow for distribution in shorter shipping time frames and possibly assist with support) are both here in the forums usually on a daily/regular basis as well as SILC chat for SR which comes pre-configured in the VM.

Secondly ALL versions come with a compressed copy of the originally supplied VM archived on to a DVD in a password protected AES encrypted self extracting executable (without the truecrypt filesystem encryption otherwise it would not fit). It includes all software and instructions needed (as LRP indicated earlier) so in the event their USB key fails, is lost, etc they would still have the original copy to load on to another USB key and be back up and running in hours rather than days.

Third if you are going to suggest that 'by then all their passwords may be different' (and I hope that they are) there are ways of backing up password safe (the preferred app for password retention) and their various key-pairs in one of several free online storage offerings (Dropbox being one) and before you go all 'Dropbox has been compromised in the past' about it, it's very easy to create a 1.75GB (under their 2GB free account limit) truecrypt volume that stays on there that would contain all public/private key-pairs as well as the password safe database in a relatively secure fashion. So again making the USB key itself completely disposable as the *.tc file without a password would be relatively difficult to compromise and not useful to prying eyes. For this I recommend a minimum two cipher (I use AES-Twofish with whirlpool) encryption technique.

>The news the above is based upon is over 24 hours old, so would your best practices suggest that anyone that uses your product immediately cease to do so >until you have created and tested a patch/replacement?

They are exposed to it whether they use my product or any other, so why is it you think this is incumbent upon me to fix when there are several developers that are working on it now? This is not a problem for me to solve individually but one for the open source community as a whole. Given it's age I don't see a fix coming out tomorrow. So again all you are doing here is looking to undermine a vendor, you really are starting to look like a real positive beacon for the community...

>Or is your plan to just let folks mosey along using your product, with no clue whatsoever of the problem?

In all honesty I would say the vast majority of the users both on the forums and on the site were completely unaware of the problem which you mentioned, secondly I would say even less of them actually understand what this means or how this would directly impact them. This doesn't include the fact that most keys here are not published on PGP servers in clear net (for obvious reasons) so these collisions are less probable than in a standard clear net key-server environment.

>In case you weren't counting, that's seven questions that could severely impact the security of anyone using your setup, so I'm going to be expecting seven exacting, >precise and verbose responses to them.

Nobody has suggested that this device is %100 secure and you could never in any way ever get caught or otherwise get into some trouble for utilizing SR for whatever purchases with LE whilst using it. What has been suggested and IS true is that it provides all the tools commonly associated with using SR in a safe and reasonably secure fashion along with an encryption technique that would prove exceptionally hard to crack even for large scale government agencies (who were unable to prosecute someone using a single tier encryption model where mine uses 3) and that local LE wouldn't have a chance in hell of obtaining data from. Making it a waste of their time and resources and keeping the SR community as a whole a bit safer.

If you would like one to evaluate and cover the cost of the hardware to put it on I'd gladly send you one, but from your posts it looks like you only seek to undermine something that has been designed to help the community not give it a chance.

Oh and I'm not christian, or catholic, and don't celebrate Christmas but I don't suspect you were earnest in your wishes anyways.

Thanks,
Looker
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: DigitalAlch on December 28, 2011, 02:51 am
I'm going to review this product. I will post everything I gleam about it.

Peace,
DigitalAlch
Title: Re: Secure Virtual Machine - gpg collision -Jon, OpenPGP cofounder comment
Post by: TravellingWithoutMoving on December 29, 2011, 03:14 am
Pls read :-

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hello,

my key is:

pub  1024D/38EA4970 2002-10-08
uid  Juergen Schmidt <ju@heisec.de>


I refer to your offer to generate a keypair for
38EA4971

bye, ju
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (GNU/Linux)

iEYEARECAAYFAk758+kACgkQ+JUKGDjqSXBQngCeMMmHlDTSASBlJqO41UHWiTcn
V7cAnjYnjbkJ4j/VGo5pQNPyjoewsoR9
=1JWj
-----END PGP SIGNATURE-----

Posted by Juergen Schmidt at Tue Dec 27 11:41:17 2011
Good on you for drawing attention to this. Full-time security geeks are wondering "What's the big deal?" because they've always known that 32-bit ids were second-preimage-vulnerable in this way. However, normal users could possibly get caught out by this.

The fact that the GPG command-line accepts these as arguments is indicative, in my opinion, of a security/usability flaw -- this means users are encouraged to use these ambiguous identifiers as arguments they communicate to the program (GPG). Presumably they are then supposed to inspect the results to make sure that the unambiguous thing (the fingerprint) is correct. That sounds a lot like the sort of UX/security failure that used to be ubiquitous back when this is designed: "It's secure as long as the users do some extra safety-measure steps that real users never do."

One possibility to consider for the longer term is that using hex to show key fingerprint material is a very inefficient way to show it -- inefficient in the sense of using lots of characters of display to communicate relatively few bits of key fingerprint. In the long run, we could switch over to using a more efficient encoding such as base32. Here's a GPG command-line asking to receive your public key using an ambiguous 32-bit identifier to indicate which public key you want GPG to fetch:


gpg --recv-key 70096AD1

Here's the same thing using the full, unambiguous fingerprint in the current chunked hex encoding:
gpg --recv-key D004 36A9 0C4B D120 0202  0A3C 37E1 C175 7009 6AD1

Or if we remove the spaces:
gpg --recv-key D00436A90C4BD12002020A3C37E1C17570096AD1


Here's the full, unambiguous fingerprint in a hypothetical future zbase32 encoding:
gpg --recv-key 4yndpkecjxe1yyonbe6dxaqbqiay14st


One thing to note is that the PGP command-line that GPG is presumably emulating originated in the early 90's, perhaps as early as 1992. Back then it may have seemed like a lot of effort/expense to generate a 32-bit collision. (Although even then it was perfectly well understood to be possible to do so, using only a few days of computation on a reasonably-priced computer, so this should be seen primarily as a problem in UX design rather than as having to do with the evolution of brute force costs.)

We could also use slightly shorter identifiers if we believe that they are still enough bits to unambiguously identify one public key even in the case that an attacker tries to generate a second matching one. For example, if we believed that 2⁸⁰ was more work than anyone would be willing and able to spend against this in the forseeable future, we could use identifiers with 16 base32 characters, like this:


gpg --recv-key 4yndpkecjxe1yyon

Hi Juergen,

Please enjoy the following PGP private key:

-----BEGIN PGP PRIVATE KEY BLOCK-----
Version: GnuPG v1.4.11 (GNU/Linux)

lQcYBEYoMtUBEAC
xxxxxxxxxxxxxxxxxxx
xxxxxxxxxxxxxxxxxxx
qq5wSTztA/Zl3ONErR
+RlQ9Ww=
=QHZ5
-----END PGP PRIVATE KEY BLOCK-----

Posted by Asheesh Laroia at Tue Dec 27 16:31:50 2011


This isn't nearly the issue you claim, and not an attack at all. It's well-known, and people have created 32-bit collisions for probably about 20 years now. However, even going back to PGP's early days, the software dealt with 64-bit key ids, and software in general does the right thing.

Stephen Paul Weber above points out correctly that if you ever get stuck with with the wrong key, signatures won't be valid, encryption won't work, etc. As he says, it can cause nothing worse than confusion.

In the example you give yourself, GPG does the correct thing! There are now two keys on the MIT key server with the same truncated key id, but they have different 64-bit key IDs. GPG goes and gets both keys, which is exactly what it should be doing.

If you create a key with a 32-bit collision to PRZ's, Werner's, mine, or whomever's, nothing bad will happen. You cannot forge a signature, you cannot mis-encrypt. Sorry, you're wrong on that.  Nothing bad will happen. If you don't believe me, try it.

Lastly, both RFC 2440 and RFC 4480 say:

A Key ID is an eight-octet scalar that identifies a key. Implementations SHOULD NOT assume that Key IDs are unique.

and

Note that it is possible for there to be collisions of Key IDs -- two different keys with the same Key ID.  Note that there is a much smaller, but still non-zero, probability that two different keys have the same fingerprint.

Yes, you're right that the user experience of a command-line program that allows you to type in a subset of a 64-bit number can lead to confusion -- you got led there. But it's not an attack and not a security problem.

Regards,
Jon, OpenPGP co-author and co-founder of PGP.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: madamebradley on December 29, 2011, 05:59 am
I am interested in testing out a SecureVM created for use by vendors provided it is based on a linux distro. Please let me know if I should come back in Q1 or Q2 and ask again, or can you put me on a listing.

Thanks in advance.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: SecuritySolution on December 29, 2011, 05:11 pm
We are currently working on a linux based vm specifically geared towards vendors, because we were able to release this version earlier than expected, we are anticipating that the linux based one may be available by the beginning of Q2 2012 or mid Q1. This being said if it's available beforehand we will certainly add you to the list of folks that would be interested in testing out the initial and likely final release of it as we did with the windows one and let you know as soon as we have something suitable for distribution. For now it looks like it will be ubuntu 10.04 (lucid) based for ease of use although Looker is still investigating using Liberte but he doesn't believe it will be as user friendly as he would prefer. We may post a thread in the upcoming weeks to survery what they community would prefer as well, after all the product provided is intended to be more purposefully built for the community and specifically for vendors anyways and if the demand is for liberte' over ubuntu then we will do our best to accomodate that need.

Thanks,
SecuritySolution
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: branflakes on December 29, 2011, 07:03 pm
I am interested in testing out a SecureVM created for use by vendors provided it is based on a linux distro. Please let me know if I should come back in Q1 or Q2 and ask again, or can you put me on a listing.

Thanks in advance.
Unfortunately there is no such thing as a safe VM. The host machine has access to the entire VM. If the host machine is compromised, so is the VM.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: TravellingWithoutMoving on December 29, 2011, 08:06 pm
I am interested in testing out a SecureVM created for use by vendors provided it is based on a linux distro. Please let me know if I should come back in Q1 or Q2 and ask again, or can you put me on a listing.

Thanks in advance.
Unfortunately there is no such thing as a safe VM. The host machine has access to the entire VM. If the host machine is compromised, so is the VM.

- the vm guest is whats running the tor software bundle (unless i've missed the boat here...) ?!
- access rights are handled by the vmware software; the vmnetx interface is configured and managed by the vmware "server" which the host runs as a service, the
  host manages the vmnet interfaces as if it were a router; traffic is either allowed to exit the vm in either NAT or bridged mode {guest mode vmnet1-x are exclusive
  and aren't going to be allowed "internet" access..
- the guest could still run a firewall and / or anti-virus, the firewall having application / service level filtering too if needed but may be out of the build scope here.
- as long as both the host and guest are kept up to date with patches etc plus above mentioned security the whole vm is as secure as if it were a std pc, but
  obviously the developers of this build can only  do so much and take x amount of responsibility - its up to the user to maintain after that..
{with linux there's going to less chance of the traditional windows security loopholes...}
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on December 29, 2011, 09:51 pm
I am interested in testing out a SecureVM created for use by vendors provided it is based on a linux distro. Please let me know if I should come back in Q1 or Q2 and ask again, or can you put me on a listing.

Thanks in advance.
Unfortunately there is no such thing as a safe VM. The host machine has access to the entire VM. If the host machine is compromised, so is the VM.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I'm not sure what you mean by there is no such thing as a 'safe vm' if the VM is limited to a USB drive and it's not plugged in, running, and logged in when the host machine is compromised how is it you believe the VM is compromiseable? Any machine connected to a network is vulnerable to some extent. Perhaps you misunderstand who this is supposed to be 'safe' from. It's not designed to protect you from every hacker on earth, it's designed to protect any data regarding your browsing etc on SR from those would would seek to persecute you for it, thats all. This isn't some ultimate unhackable OS or anything if thats what you were thinking?

Thanks,
Looker
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJO/N8IAAoJEEMAzoKrkXQ+UvoIAIdFvZ9PGWwWYuUsLx4hj43W
c17unsyvxY+0JG8dnJImzjS+jOHhAtI3x41/3yxa92xN8/wdepZ6r7SHR7zUrGEf
t7VXyny64Ertq0yRTzYO0bLR0Gck+UjXj/TNfBDJXZ02JlXgkJdY6ZOS1xvsglGZ
E2m8VDIevgEbEkxHD2gvWfr43JTzmHP2EnweC753zDUESD/ZyuApCukD57hkybBI
Nccl2zAiGacrPjfkwGA070RoueLBSoo/3rHrii6ZwiSb13wt1dhzo/JyuZxxt9yL
JZ9XYpxyUcbXamdp3KhD2UADoez4nfVcS8YzJ2gjBRwupLvtJKzF5GoYwdByL2U=
=nZ69
-----END PGP SIGNATURE-----
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: panic on December 31, 2011, 11:31 am
I'm glad Looker took the time to do this. It's certainly spurred some interest, and hopefully it continues to do so. While I'm looking for something based on a linux distribution perosnally, this certainly was interesting. I approached it as if I were a newb and I didn't find it difficult to get myself up and running.

I can't comment on much beyond that, as far as the actual software is concerned, because I'm sure the others are leaps and bounds ahead of me still and would provide a better audit. Nevertheless, Looker has been helpful in chat, and I'd like to see useful tools develop.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: SecuritySolution on January 03, 2012, 10:51 pm
We shipped a few more units (in various configurations) this week hopefully we will get some more feedback.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: branflakes on January 08, 2012, 04:38 pm
I'm not sure what you mean by there is no such thing as a 'safe vm' if the VM is limited to a USB drive and it's not plugged in, running, and logged in when the host machine is compromised how is it you believe the VM is compromiseable? Any machine connected to a network is vulnerable to some extent. Perhaps you misunderstand who this is supposed to be 'safe' from. It's not designed to protect you from every hacker on earth, it's designed to protect any data regarding your browsing etc on SR from those would would seek to persecute you for it, thats all. This isn't some ultimate unhackable OS or anything if thats what you were thinking?

Thanks,
Looker
What I meant Looker is that if the host machine has been infected with a key logger or has, for example, a malicious app installed and running as a service waiting in the background to spring to life when a VM is launched the VM can never be safe if its being run and emulated by the host system. A virus on the host machine could spread just as easily to the VM and a virus originating from the VM could move over to the host. The only way to prevent that from happening is shutting down the PC and booting that secure OS from the flashdrive, rather than as a VM in a the host machine's native OS.

I'm working on getting Linux Mint installed on a flash drive and encrypting the entire flash drive except for a simple boatloader that mounts and decrypts the OS but also has the portable version of TrueCrypt on it with a VM client so the encrypted volume can be mounted and run in Windows as well as boot from the volume it resides on too. That way you have the option of quickly getting Linux Mint up through virtualization or if you're worried about the security of the existing Windows OS you can boot Linux Mint up from the PC.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 08, 2012, 11:37 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

@Branflakes

This is to some extent true, but it also assumes that the connection between the guest and the external network is using VMWare's NAT feature however it does not. Additionally VMWare has a VMCI interface that allows communications between the guest and the hosting machine which is useful but this has been deliberately disabled in our product further isolating it from the hosting machine. So this being said what you say is true assuming that:

1.) NAT between host -> guest is used for networking
2.) VMCI is left enabled

Neither is the case in the VM being offered.

Therefore this sort of 'cross contamination' you suggest is significantly less likely to occur. I'm not going to suggest anything is completely infallible but you raise a good point and I'm glad you did so I can inform the community that these considerations have been taken into account.

However if the user has adequate anti-virus software installed on the host machine this is not very likely to be a problem. It also wouldn't be difficult for them to install it on the guest if they would like to however if their transactions are limited to SR and maybe the 2-3 other sites needed for use with SR that shouldn't really be necessary. Like I've said this is intended for very limited use.

The bootable linux thumbdrive option with a hypervisor is also something I am working on as well to make things a little more 'portable'. However for now the drive ships with 3 copies of VMWare's player (windows/linux x86_64/linux i686) software so it's easily setup and run anywhere you can install VMWare player.

For the serious *nix users I'm also working on an OpenBSD  option as well however I have to determine if all the tools are available for it yet. Now that myself and SecuritySolution (Who helps me with logistics, yes we are a pair of people, for now anyways) are shipping products this development cycle is a bit slower so I don't know how soon an OpenBSD offering will be available. I'm still shooting to have an Ubuntu version by the end of Q1 for now so thats where a lot of my focus is other than my IRL job.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPCwzSAAoJEEMAzoKrkXQ+QqcIAKGt29bNibELcsVe5t0dFL8H
n9yGNyvUykW9O1Thi2+BhM5Pv7HCs+xV/9ulAzVD6Z9FbzUgOacQvz26pDz4to4W
KaEYpNK0sGV2IfvRACWvVVNw3E+Yz4W+aI+fMF4GJ4Vh1o5RUGwiG5naqrh6o6wY
SDxgwWfF9XpKEaA5U7svfAwvK3qp/tft5JsaBcv5/IQCjy7xgEAcbn8ShX7YK2Lo
jZeu0f/kQOnJ2MjMWL3XofAUQnJMS14ITcYzY7DoncDYxh8l91dVssOjCFPqVAWJ
fYYdSBtffd8crlrPLV8/rGDSjsjjc5ct5iZfm0CcaZfSKCgypJ6/kS4bH3+q8+k=
=yPvv
-----END PGP SIGNATURE-----
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 10, 2012, 02:24 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Added the following widgets:

Openoffice Write

SpyBot S&D
*This should not be necessary if you are limiting your use of this VM to SR only but in the interest of being thorough I have added it.

Dropbox* - Useful for storing your PGP keys, Wallet.dat, and other various files small in size that could  cause issues if your drive was lost/failed etc.

*Dropbox has been compromised  in the past however I believe by using the free account option (2GB of storage free) and placing inside it a simple 1.75 AES-Twofish cascading cipher volume that this makes it less prone to security hazard.

Thanks,
Looker
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPDEbdAAoJEEMAzoKrkXQ+vB4H/0+i/K7MnpYuxfoJf49D8JHc
PD6+6ee705yX6VDioelp3FYeihy7i5bh5lrK/zZutjFxbR62Q4kqsP0yeL10nje6
5nqXne06bzOHKm1BnjvSalB6o9EJVw2kOFC76HNUKaAAtHwX0HfY9DBRct7776wa
xqfhztLums4mc07TQe19Vgo5nfFzzs5zsBsYcyLHVARvZswZtpF95I6juCn+p7i/
iLeD3ZkU2JS5oidAvBOcze+BniWeYWuOq+mA8ECG9dsd1mV2NyuU3GtsqjjZrR5G
eCNi0lSn0l7QXbOuKNoXZUQ/YClldtvCOKVjbYpVMZFDS96RFt+HKkC694S5dKg=
=5FlV
-----END PGP SIGNATURE-----
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: SecuritySolution on January 14, 2012, 12:37 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


We recently recieved another shipment of drives in and will try to remain in stock, for now we have been able to do this and hopefully in the future as well. Please feel free to contact us with questions if you have them we are happy to assist if you have questions about our products.

Thanks,
SecuritySolution

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQGcBAEBAgAGBQJPEM4rAAoJEKhBWjky5wQCC5AMAJ/95TxG8okyk4uEF53QoV6v
lmB7x1bdxkpCnvVXfN7NNpqi173wwPpTygxPxHP+ffmF7IqGrJHVcB4bkrTAPY94
R7c16qnuRYrvqzQiewRKn06Y+PdZjxtdhIntfH44eCkRRqLA75AbqN/He6tcZNRA
Mf/hwxy8H2AR1vCtbrpRcIhhaXDkKP/JfUt2rmicdGLV3AQkl+G2LwI1LZ4CVWy5
JPR4/pKKzUw0W3jVS/zRE4gR/taxQzlx+3hJXIDue1pQ6ufizI/4nMIMXicmwRcd
R1rjJfq5xC1CNYmIUdAhVl6t62osxA6us6c1+xROm5I+PHIyY5JXU14VKWT+QVkX
Yj9XrXjyazSz3Srjzq989r5ou/UU7q6nHkC9GbDL4kHH7AI94B93/bRQKBefxBqh
4b9imRNwuBFKgl7r2QU8rKFYmaZ6I8Q54trJygJijJPVDZ45yKr+EofBFlXdKDTl
1t/r2HDNolgv6BQ7KAapu4538h9c/4BH2lheNtrA3g==
=w/Vd
-----END PGP SIGNATURE-----
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: feverrey on January 14, 2012, 12:53 am
This is an excellent product and a great addition to the safety of the whole community. Thanks for your hard work!
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: mseller on January 15, 2012, 12:20 am
I am happy to see people who are working for our safety. Providing this tool to all members is strongly advised and I am looking forward to review it.
 :)
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: davidd on January 15, 2012, 04:36 am
I feel like this can VERY easily have some sort of backdoor/trojan in it.

I don't like it.

Be careful guys....
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: TravellingWithoutMoving on January 15, 2012, 06:48 pm
I feel like this can VERY easily have some sort of backdoor/trojan in it.

I don't like it.

Be careful guys....

- if its a windows guest run anti-virus plus an application level firewall / decent firewall that will notify you of "rogue" apps / processes...
 ::)
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 16, 2012, 07:04 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


Davidd,

Just like I told you in the PM I sent you. One could say the same about any of your products as well (containing unwanted adulterants), but I wouldn't spread that sort of speculation unless I had reason to believe it to be the case. Unfortunately you see fit to do so without ever having even looked at the product or downloaded it, which was offered to you free of charge for your review and this is your response? The current release contains SpyBot Search & Destroy which would pickup on any such things. I have the decency to not run around throwing accusations in your threads I would appreciate it if you gave the same mutual respect.

Thanks,
Looker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPFHSXAAoJEEMAzoKrkXQ+HCgIAJLC6r/UYSPqWRz1tMGwbEvT
fsik0jMUc4TI5TYwV1sFym/0C/o3+D0QqoDktx+QJ5sDCwGDXgvHu9LngyT9YbpL
MOxQ95SDkMAbcN7lGZvcgmA/0nSug2eRWmR+hqE6dY5IHYWOw5ZW97Le8J3kcYUJ
nK7dAhfAjY6BqlALvpNUQGPm+CMAlUztD91ow3epb4UVjBzt15WEPkry8Pyh3V69
0tJFhOVFPOAAoc2GZ+wpwvcMI1kJruQ1FVArDZafY4pcTGZVckFyQlYNKT5T2zyV
P0Kq2wiYQSiembJGyg+3Oj0i9T6nkbZXiD80rdJyWoc3DFHofkt3o2GrYbTyTyc=
=SeXZ
-----END PGP SIGNATURE-----
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: davidd on January 18, 2012, 01:44 am
Wait was one of my posts deleted? That is troubling.

Also, I am not making accusations, I am telling my fellow SR'ers things they need to know before they start using your software.

How about you let them judge what I am saying instead of telling them what to think? yes?

People don't know you any more than they know me.  But I am not sending them software that they are supposed to run all their SR activity on though. For the .01% chance that you are DEA, then bam, everyone is fucked. If you are a scammer, then the top SR vendors you are offering your software to for free (so kind of you!) are fucked.

This is a VERY possible situation. People need to realize how easy this would be. I'm not saying this is what WILL happen, but they need to realize it is very possible.

Anyone can write a Trojan that is undetectable to firewalls and antivirus. Heck, you can google it for 5min download one for free. In an environment entirely created by you (this CD), you can have the Trojan server set up and running without the user having to even do anything. A keylogger function can be set up to sent back logs at a certain time. The process can be made to look like anything, and the actual server file can be made to look like anything. They can be updated remotely so that even the newest antivirus/firewall updates won't detect it. This is the only way someone can be scammed since transaction pins were FINALLY put in place.

I HOPE you are legit and make a ton of money...But you are offering something that can very possibly fuck over a lot of people, and the more you try to hide that fact, the more and more troubling it is.

People know me and they know my product, I have over 500 sales. You do not. You are selling a completely different type of product than I am. Do not compare us as we are not even on the same playing field.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Variety Jones on January 18, 2012, 04:39 am
Wait was one of my posts deleted? That is troubling.

Also, I am not making accusations, I am telling my fellow SR'ers things they need to know before they start using your software.

How about you let them judge what I am saying instead of telling them what to think? yes?

People don't know you any more than they know me.  But I am not sending them software that they are supposed to run all their SR activity on though. For the .01% chance that you are DEA, then bam, everyone is fucked. If you are a scammer, then the top SR vendors you are offering your software to for free (so kind of you!) are fucked.

This is a VERY possible situation. People need to realize how easy this would be. I'm not saying this is what WILL happen, but they need to realize it is very possible.

Anyone can write a Trojan that is undetectable to firewalls and antivirus. Heck, you can google it for 5min download one for free. In an environment entirely created by you (this CD), you can have the Trojan server set up and running without the user having to even do anything. A keylogger function can be set up to sent back logs at a certain time. The process can be made to look like anything, and the actual server file can be made to look like anything. They can be updated remotely so that even the newest antivirus/firewall updates won't detect it. This is the only way someone can be scammed since transaction pins were FINALLY put in place.

I HOPE you are legit and make a ton of money...But you are offering something that can very possibly fuck over a lot of people, and the more you try to hide that fact, the more and more troubling it is.

People know me and they know my product, I have over 500 sales. You do not. You are selling a completely different type of product than I am. Do not compare us as we are not even on the same playing field.
Just, like, keeping an extra copy, as davidd seems prone to losing posts.

Hey, it's a public service, and I'm happy to do it.  8)
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: edballs on January 18, 2012, 05:11 am
Spybot S&D is pretty good but it does not catch everything.

If I was buying this I would be running *every* single  reputable spyware/rootkit/keylogger detection available on it, before using it for anything.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 18, 2012, 06:01 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Davidd,

Really? So lets clear a few things up.

No post of yours has been deleted, not by myself anyhow since I don't have rights to delete posts so I don't know what post you think is missing.

First of all, the only software on the drives is all public and freely available (the exception being windows itself), if people want they can look it up themselves nothing here is 'mine' it's simply a compilation of tools.

Second, nobody is telling anyone what to think, all I suggested that before you sling mud on another vendors product you should have some facts to back it up. You have none and it just looks like you are here to spread paranoia at the expense of another vendors business. On my scale of integrity that ranks pretty low.

Third, DEA? Really? Maybe you should check with some of the vendors that have gotten behind this project, do you REALLY think Ivory, or TV or Paperchasing would support this if they thought that was at all the case?

Yes there are people capable of writing all sorts of things, but I can tell you that is not even something I have the skillset to pull off. You don't believe me? Check with warweed another thats been here longer than you.

My motivation is actually quite simple. There are several things I like on SR, however buying bitcoins as we know can be a somewhat tedius process. This being said if I acquire bitcoins (in trade for goods/services) I can then use those bitcoins to procure other goods without having to jump through hoops to get them.

I am not in this to get rich, I am in this to do what I can to preserve SR by providing others a service.  In turn hopefully I also ensure that SR is around a bit longer which means it will continue to be available for my own purchases.

I'm very legit, and before suggesting otherwise maybe you should get some facts to back up your claim. If you would like references why not join in SILC chat and there are several people who can vouch for this as some of them provided ideas and input as to how to make it better before I even started this thread and quite frankly before you were a member on SR.

Thanks,
Looker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPFmArAAoJEEMAzoKrkXQ+AW8H/ArTl419yhgDjk+qWLwFIGbl
Nlm1I6ewXFDywKtksqjtIYZY8e9gaOox9pQd7muReCD9C6li13VkYIPwsHQCK/Aa
OlygQ12yWin0txE0YrumDAu6edaeSTaYjiwijMdadMfDF5WFz0JjrBZverya9wVX
q+ek5jyGo2oR4oWOm/Sbttx0tt9iEPC9i+0FYnU+qtX743MPjXAzGCuVLd/tgFB1
rlcBh2TRdsE+KrymGeZ/qFzqCSlIxNIaPcDbaTNuXpYoHhnmhqZxsgk/QsV9Whlu
2XCSe3KhNqQNMs5oVsX8/m8kaSuuFoiMNCbrzmXuhr67iIVQDiiwjRnD/R2q5Gs=
=51Y7
-----END PGP SIGNATURE-----
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: edballs on January 18, 2012, 06:38 am
Don't gt me wrong - I said early on I thought this was a good idea, but davidd's comments are 100% legitimate concerns. I don't think you should be getting so worked up about them.

Maybe he could phrase things a little better if you're the sensitive type, but his analysis is bang on. You should be addressing those concerns with humor, wisdom and a clear, open approach to the concerns he is raising.

this product is obviously for people not so technically minded, but it is probably gonna get analyzed by people with more security knowledge than you, or even people with less knowledge but who spot something you missed. You're gonna have to deal with that without kicking off.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 18, 2012, 08:04 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I have no problem with constructive criticism, and am happy to discuss things and often solicited advice as to what people would like to see changed and offered free copies to anyone who wanted them initially to that end. There were some initial kinks to work out and I am sure there are a few other things that could be add/removed for various reasons. In fact I welcome that sort of suggestion, idea's and discussions.

What I don't appreciate however is offering something to a vendor to evaluate if they are interested and if not, no problem and then have them turn around and try and suggest I'm affiliated with LE or have devised some new method intended to defraud the community. When not a single fact exists to support that. Thats rewarding a good faith gesture with a slap in the face.

All this does is scare people away and breed distrust and undermine another vendor. It's not constructive, if it was he would actually have had to interact with the actual product in some way to provide constructive criticism. That being said he's free to review it and provide an evaluation based on fact rather than speculation as I've already offered to him and every other vendor I've worked with on this project. What he chooses to do with that offer is up to him but until he's actually interacted with it in some way I don't see how his statements are intended to help correct something or offer any suggestion on improving it but simply to try and steer people away from it.

Thanks,
Looker
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPFn0cAAoJEEMAzoKrkXQ+QuoH/0WDpHNPHElMJphGWassn106
yoWO9hmxlHPkomsy2k+jOmAnrKVQpj29N3bLJpdGjGXjQTYOWZT+YYmywLzLel33
1SXrKJIJfe/g/mubrjjsYUQwfAVaXxCTqxg8Kl98aKgWF+6PqRTQ6y4T9vxSS6lM
yODW8BAUG+iwfwBi83sxcGqpMg8Eqs7++ocpCE5deJAcvyaGOpDxcUIa/LmnE0cx
VyPzId5gITgMAo4Ah2oTetbmqlPHn0ueuCoWMlkzH6V6KSIP8HpWNM8VoUrBTftv
UOna7VDbOvPJjEOrfgIXSG1/m4J0YZjhO0zamdlqjjB+1U1q75OciveHckAr11w=
=PSry
-----END PGP SIGNATURE-----
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: edballs on January 18, 2012, 08:24 am
The problem with that, is that how can anyone know that the product you offer for review (to a knowledgeable reviewer) is the same you sell to an un-knowlegeable noob?

The only way is if someone who understands the implications and can test for them, orders multiple product from you and tests them, at great expense to themselves.

This is why your development process and builds must be open and verifiable to anyone who is interested in taking a closer look.

Then your proprietary approach begins to fail. How can you commit to a totally open and verifiable build process while retaining the proprietary knowledge that allows you to profit from your work?

I don't know the answer to that question, but you gotta kinda answer it to retain some kind of legitimacy.

Unless your whole build process is open to inspection then the question of whether you are DEA or LE or even just an opportunist scammer is a legitimate one. ne c'est pas?

I hope you can see past this this criticism and find a way to deal with these concerns legitimately, for your sake and for the sake of the SR community.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 18, 2012, 03:49 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

>The problem with that, is that how can anyone know that the product you offer for review (to a knowledgeable reviewer) is the same you sell to an un-knowlegeable noob?

Like I said before, this is not a problem unique to me. You could ask the same question of any product here, especially because it's a black market, it's a matter of building reputation through feedback etc. If I was a new <insert xyz drug> vendor would people not take free samples and then make a determination and post a review based on that? I've offered the same thing here. Yet without trying the product there are people who are seeking to undermine it. For what gain I don't know. I'm just a friendly guy trying to make an honest contribution to the community and recieve a fair pay for my skillset. Nothing more. My motives are simple, this work for me is easy as I do it IRL on a daily basis. For others this seems complex. I'm helping to bridge that gap.

>The only way is if someone who understands the implications and can test for them, orders multiple product from you and tests them, at great expense to themselves.

I don't know what great expense you believe to be the case but there would be no reason to order multiple products from me. All versions of the VM are derived from the exact same base image (in fact are copies of the same set of files). The different levels are purely a matter of how much of the setup is done by myself (time) and the quality/speed of the drive it comes on (cost of shipped hardware). The software however is a clone based on the same set of files. This is what makes it profitable as the cloning process takes very little time. It's the customization that takes time and why I charge more for it and where the money making is.

>This is why your development process and builds must be open and verifiable to anyone who is interested in taking a closer look.

There is nothing closed about my development process. What is closed about it? What questions would you like answered? I've offered it to several people who were interested in taking a look and willing to offer it to several others. I'm not however going to send out $50 thumbdrives to anyone who asks just like any coke vendor isn't going to send out .5g bags of coke to anyone who asks, they'd be out of business! In the earlier stages however I did send out a handful basically at cost but fully configured/customized. However now that I have maybe 2 dozen units out (half of which were purchased, the other half free beta's or at the cost of the drive) I've asked those people to come forward with a fair review and so far some of their responses have been posted in the thread. In this case davidd is none of those. He's never checked it out, never downloaded it, never purchased it or even given it a chance. However I can say that one of the top exchangers on the site rely's exclusively on it. 

>Then your proprietary approach begins to fail. How can you commit to a totally open and verifiable build process while retaining the proprietary knowledge that allows you to profit from your work?

There is nothing proprietary being done here. The image is a vm installed with a pre-activated copy of windows xp, then those tools are all installed. The only exception being bitcoin which is installed but then the wallet.dat is deleted (so it will generate a new one at first start) and they are setup to proxy through tor. Once this is done the machine is effectively cloned from there in that state.

What I profit on is time, nothing more. The software is free so it has no inherent costs to me. My time does not cost me anything but the drives do so ultimately my cost is in the drives and shipping. The 'proprietary' knowledge is only in so much as setting a drive up for a particular user if they would like otherwise they would need to do this themselves and all that they would recieve is a cloned copy of the base image on the drive of their choice. This is as simple as copying files from one location to another. In nearly all cases I will enable and setup the truecrypt encryption prior to copying the files to the drive, otherwise encryption can take a long time (hours and hours) if done on the drive itself.

>Unless your whole build process is open to inspection then the question of whether you are DEA or LE or even just an opportunist scammer is a legitimate one. ne c'est pas?

I hope you can see past this this criticism and find a way to deal with these concerns legitimately, for your sake and for the sake of the SR community.

I disagree to some extent. There is nothing secretive about my build process. In fact it's basically on the first page of the thread which I point forum members to regularly as a guide if they want to create their own. What secret is it you believe I am concealing? The other part of my product is simply a cross promotion network. For vendors who were/are top tier vendors (and in honesty davidd really didn't meet these criteria but I offerd it up anyways, what a mistake that was). I asked if they would like to evaluate the product and in very great detail explained what I was doing and if they liked it or otherwise agreed I would include their key with it as a form of promotion/advertisement to direct new users to them. In return they would refer not so tech savvy customers to me either for technical advice or to possibly buy a drive. This does a couple of things, it lowers the burden on vendors to provide tech support to their customers (they refer them to me) so they can worry about vending their product and as a result it creates advertising for myself through reputable individuals helping me advertise through credible channels. This also means that when questions arise about them in the forums they also have an immediate advocate willing to put their reputation on the line in their defense if someone should call them into question without merit.

Thanks,
Looker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPFuoFAAoJEEMAzoKrkXQ+cy0IALNpQjF4JjtEN2j5NqPRvtc6
Ui6numdzKuriaHIIRHY07xLHhmS2BfNMoHHR6H85FaaJ1+Qpko8DG7K+qW2B2u5R
0rcZ3pgF+FrlOYGX3fMfY6gQLj+KTUo5xQ9KcrZ51Jgc3eDbvA4nRUL72sZwyWrm
Psqd2eDR3f4z/RlDq/TysgPLojo+/5CyZK+U2wtSe4To+3PMgDzjdWS39TUewcqY
pagO51usZdxyIr/3ttc7ySWlN49Na/1fHeXdX6HCkN8j/UP2Z+Atj+746uBGCjk4
uvz+en907mpFlCi9rVBmTsBFROrqfG9KAkTyVmIf4TEgYC9pkT+G/Ghpz+gQRhg=
=dmev
-----END PGP SIGNATURE-----
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: edballs on January 18, 2012, 04:52 pm

You are completely missing the point here.

There is no way of anyone verifying that the images you send out for review or to trusted vendors are exactly the same as the ones you sell to other people. Unless they anonymously pose as third party buyers and buy your product to test. Ideall multiple times from different buyer accounts. This is the expense I speak of.

This problem IS unique to you. Sure a coke dealer can send out primo coke samples, get great reviews and then sell a ton of shitty coke off the back of it, but if I buy shitty coke, it's not gonna climb up off the mirror and crawl inside my computer and steal my bitcoins and my self incriminating communications and my address.

Needless to say, I am fully aware there is nothing special about VMware, XP, or the other things on there.

The thing that is closed and proprietary about your build process is that you do it yourself behind metaphorical closed doors, and then ship out the finished product. Buyers must take your word for it that the image is the same as the one you sent Joe Vendor, who OK'd it. And take your word for it that there is not anything dodgy on there.

Say for example, that this was a community led effort, and the image was posted somewhere where people could inspect it, verify it, and people could verify via checksums that the image they were getting was exactly the same as the one that had been OK'd.

This would be approaching the web of trust concept, and allow anyone to judge for themselves how much of a risk they were taking. Unfortunately this would also prevent you from selling many USB sticks, as people could easily make their own.

As I said before, I use a very similar setup myself. It takes very little effort *if* you know what you are doing. But I also know that for a little more effort, I could easily build an image that was compromised somehow, and pretty much undetectable to most users or malware scanners.

I don't think you are LE, or that you have any "secrets". The point is that at the end of the day, a LE officer *could* do this, and would say exactly the same things you are saying.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: edballs on January 18, 2012, 05:05 pm
Ok, here is a suggestion.......

Use a MD5 hash generator like http://www.winmd5.com/ to generate a checksum for the image once you have built it.

The people who receive "review copies", and who are capable of checking this thing out properly can post the hashes of the image they checked out.

Then provide buyers with instructions to use the same software to verify that the file they receive has the same checksum as the files that were OK'd by more experienced users.

This would allow people to know for sure that what they got was EXACTLY the same as the images that have been verified by several trusted members of the community.


Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: TravellingWithoutMoving on January 18, 2012, 06:28 pm
- if edballs and Co don't trust whats in the build cos its been doctored then go ahead a build your own ...
- or spend a month or however long it would take to prove to yourselves its not connecting out to "upload" logs or whatever the fear is...but someone would need to
  commit to proving / testing this instead of the same old argument over and over..
- the point to the build (again) is to help those that want an all in one apps solution cos they may have trouble building it...its a service being provided trust it use it don't
  trust it don't use it.
- remember the majority of the cost is the value of the usb storage / stick.

- its almost like the criticism here is by those who have no intention of buying the solution and if you know enough internet techie hacking buzz words is easy to piss all
  over someone elses good work.



Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: edballs on January 18, 2012, 06:53 pm
- if edballs and Co don't trust whats in the build cos its been doctored then go ahead a build your own ...
i did build my own, and I mentioned that several times already.

- the point to the build (again) is to help those that want an all in one apps solution cos they may have trouble building it...its a service being provided trust it use it don't  trust it don't use it. - remember the majority of the cost is the value of the usb storage / stick.
I agree with this completely. I have said I think it's a great idea from the start, if the genuine concerns are addressed. Also I think the value in this is not the USB stick, I think it's the fact that a noob would take forever to put this together, whereas someone who knows what they're doing can put it together very quickly. That's the value. That's why experts get paid, and I agree that Looker ought to get paid for his expertise.

- its almost like the criticism here is by those who have no intention of buying the solution and if you know enough internet techie hacking buzz words is easy to piss all   over someone elses good work.
I for one, am not pissing all over anything. I am having a discussion about the security of what could be a great product. I won't buy it, correct, cos I don't need it. Doesn't mean I think it's not a good idea. Again I have said this multiple times. In the post right before yours, I even offer a suggestion that might help overcome one of the major flaws that I can see.

I am trying to contribute my thoughts on how to make this a safer product for the community here. Obviously the techie hackie buzz words got you so confused you missed all of the above.

Bearing in mind all of that, it appears it is actually you who is mouthing off here, as you appear to not even know enough about the topic to provide any actual input into the discussion, so you resort to ad hominem attacks on my motives to make it look like you have something worth hearing.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: TravellingWithoutMoving on January 18, 2012, 10:38 pm
...ok then, and providing the build know-how for free or something is a little unfair ....as the overall package is quite cheap considering and not everything is for free, the
  way i look at it pay for some things as it helps support the dude who has put in work over and above his / her day job.

 ;)
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 19, 2012, 12:03 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I'm liking the md5 checksum although I'm not sure it would actually work and before someone claims it's a cop out let me explain why.

When I send a 'review' copy I clone the base image and start it for the first time to make sure everything is in order (just a quick cursory check) and start up bitcoin. Let it sit for an hour or two to pull down and update the blockchain database (otherwise this can take FOREVER over tor)

I think this alone would prevent the md5 checking out as the same between multiple users, but lets assume it didn't. Secondly I poke around make sure all looks well (lets assum this isn't a custom one), I then take that guest (with it's newly created wallet) and shut it down and 'remove' it from VMWare. This removes any of the locks or temp files etc generated at first boot and also disable logging for the VM.

Once this is done I then zip the VM's relevant files and create a self extracting zip with a unique password for the intended recipient and burn it to DVD along with a few variants of vmware player. This ensures that the DVD is useless to anyone except the intended recipient. Thats the DVD backup part.

I then start up the VM again and begin the whole disk encryption process I do this on locally attached disks because even though the higher end thumb drives are pretty fast, this is a slow process anyways and set the password to the same one I set on the self extracting zip.

Lastly I then copy the same files that are on the CD to the USB stick (including vmware player) the only difference is now it takes up the full 24GB of space due to the wipe and encryption process.

So bearing these steps in mind I think this would break a simple md5 checksum because there are several changes that happen before the package is shipped. They also while the 'same' are not identical enough that they would have the same md5 checksum.

However I could post a md5 sum and an untouched image but then we are back to the statement that this isn't 'exactly' what the purchaser would recieve. I'm very open to an idea like this I just don't know how it would be accomplished from a practicality standpoint. Any ideas? I ask because I believe any of these changes would change the hash especially the encryption of the disc.

Like travelling said there is a certain amount of trust involved and while yes coke isn't going to get in your hard drive and steal your btc, it could be cut with something that someone has an adverse reaction to and could end up taking a trip to the ER.

The other thing is if I were to give literal step by step guide on doing this yourself I'd undermine my own expertise. Like I said though I'm open to some way (like the md5 method) of validating there's no 'evil inside' I just don't know how to accomplish this technically but definetly open to suggestions and try things to this end.

Thanks,
Looker




-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPF12sAAoJEEMAzoKrkXQ+ZsUIAJM8yi7mcFFgwa7OiGdVaYM/
Nq/OiCdzHC/AHSRCwIGBO4yndJWd9EM7ZZMqwBkhFQZ27F1E+RNlNAzeaz2x7liI
Z2mFQmUh5JLXj8UeH/CBZT4pH2B76S3fVCYcIVBj4GURlYfaZCdbHO7QUiyaJasp
5EkGqBavEehrMyOWoxAiEQ5Lv1tu7LYIpWba57qdsiWnwzHPjNa3GWjcRK5KzCd0
i5KQCZXkfGsKzgLy3art1iQprZcoi5dEB4ZwL2hevazLtD0ntp7X4nxmOjbrm7+X
5lMBIS7PixivvEu091Wnip6rrubn0FIXr32S+p0+zgvIA53Eiy8Sbm1bELacNlI=
=t6Ky
-----END PGP SIGNATURE-----
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: davidd on January 19, 2012, 02:15 am
...ok then, and providing the build know-how for free or something is a little unfair ....as the overall package is quite cheap considering and not everything is for free, the
  way i look at it pay for some things as it helps support the dude who has put in work over and above his / her day job.

 ;)

Stopping the free flow of knowledge, in my opinion, is much more unfair. If he wants to post how to make one of these for free, then who cares. You can't stop him, and quite frankly, shouldn't try to. Its not your place to tell him what to say anymore than it is MY place to tell you what to say.

OP still hasn't addressed the issues, hes only tried to tell us its not a problem and that we should trust him...

Everything I said is a legit concern IS a legit concern for people who use this product. You're taking a huge risk trusting someone this new to the community...  No matter if he has every vendor behind him, that doesn't mean hes legit. By the way, I'm guessing you messaged the top 50 vendors about your product, offering it to them for free? Who all is backing you? Can we have a full list? It seems you only have named 3-4 so far, is it only those vendors?

Looker, you need to GAIN our trust, you don't just get it. Especially with the type of product you are offering. You want people to trust you just because you say so. Also, I just can't imagine someone paying for this product they can make themselves for free and that they have no way to be sure is 100% safe (besides your word, which we should just trust because you say we should). Shit, you're just selling freeware.

There have been way too many people scammed here for people to just be this nonchalant about the possible shit storm of shit this product can create if Looker has a bad intent... ever...
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 19, 2012, 03:04 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

davidd,

Whats ironic is I have been here longer than you have. While not a vendor, longer is in fact longer. So lets not get into who's been here how long because thats a lose/lose for you.

I actually was only messaging the top %10 which would have been roughly the top 25-26. You are currently #29 out of 258 sellers. The way it came about (me contacting you) was I saw you a few vendors below and said 'Well he's got a 99, and over 500 sales, been here a little less than me but seems pretty consistent so I'll reach out and see if he's interested'. Thats pretty much the gist of it and your first response was shall I say, less than pleasant. A simple 'No not interesed' would have been plenty, but lets not argue about the details.

In the interest of being open I have no problem disclosing the list of vendors supporting this (in no particular order):

IvoryUK (See his endorsement earlier)
tetravort
Paperchasing
PuffBuddy (Not in the top %10 anymore, but has always been a top notch vendor IMO)
Rook
warweed
SugarMama
BTC Buddy
Mr.DdroMcGillacutty
godofall (While not in the top %10 I back him as being a good reputable vendor)

I'm not selling freeware, I'm selling the expertise needed to set it up properly and secure enough to make it immune from LE forensic attacks for data recovery.

While I understand your concern I make enough in real life that this is simply a hobby and I'm happy to provide it to people who are happy to purchase it and in the process refer them to vendors who won't scam them or rip them off and in the process some of those larger vendors refer those people to me to help them out with getting the tech part squared away and maybe make a sale from it. Preventing me from having to get bitcoins by transferring money to an exchange and buying them, allowing me to acquire them in a little more anonymous fashion.

Thanks,
Looker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPF4jZAAoJEEMAzoKrkXQ+ScwH/2GZiLAKwgSZ3aRUUvG/Yrmg
/nmLULWZeDiVJs7qlWrrkyPoyEdCFTl6mVj3EnIH0OLBiFE/ZfyG4pJQBE/AcvKU
ASM0Umj4ga5051oSfrPghZX07g+iHc9+ihV07eBjH9n1Mhco4AmehGm6Y9BgaR5e
D2FgEZ863AIsEjVxsvRurus4Iyfx9wy+kgdxX5mKrTttKOp3uewZqe3BPYASx4vV
8tEBdhIuncZfidRDMHpuUwo/fGf5R4yzf2REl7L777RbrxHj9HkEBD2gxkiLaUcq
wZAM3YlxckN1rCE3nwdj+GPa4b+4uslbjT4Ika2pEH0H6O+CJpxh2DGdRMHQxWs=
=NzYo
-----END PGP SIGNATURE-----
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: edballs on January 19, 2012, 07:06 am
Looker - yes, you're right, as soon as you started any of those additional steps, you would end up with a unique image and therefore a different checksum.

But I think it is possible to figure out a way to make this work, and the more I think about it, the more I think it is the correct way to go.

A good number of the additional steps you perform could be scripted  on first boot using tools like sysprep (run once, audit mode etc), VMware deploy template wizard, windows scripting host, or take a look at fasttrack scripting host for a not so steep learning curve.....

Yeah, there would be limitations - you might need to rework your steps a fair bit to allow this kind of scripting.

But even the windows gui could be scripted....for example, if truecrypt does not allow you to do the steps you want to do from the command line or a script, (I dunno?) then you can use tools like http://www.autoitscript.com/site/autoit/ to script the actual mouse movements and clicks required to set it up.

Things like the bitcoin blockchain download - thats nice and convenient for the user but I would take security over saving a few hours every time. Let it happen, scripted, on their clock. 

If something *absolutely* required user interaction, then you could knock up a little app in VB or even lightswitch that runs on first load, and allows the client to enter info, click a few things and watch the whole thing unfold in front of them.

This way, you could provide a verifiably secure product without having to give up your hard earned knowledge. Just run the MD5 verified self extractor on the USB key, and let it do it's thing.

I know - this is taking the whole thing to the a whole new level, in terms of the amount of work required. But it would be impossible to call your integrity into question, that alone would be worth it if it was me.

Plus you could legitimately charge twice as much, lol.

Hell, if you set that up right, I would buy it just to see it - it would be poetry in motion....

I think it would have a market outside of silk road too. Some activist groups I know have been asking me to give a lecture on using tor and encryption etc.  I would love to be able to say to them - "just get this". But I would only say that if it was *absolutely* watertight.

As for any talk of me providing the know how to do this for free, well I don't know where this has come from. This is Looker's gig and I would really like to see him pull this off.

If you're a noob to this type of stuff, I could tell you, but you prolly still wouldn't be able to do it, lol. If you want to learn this shit, then all the google keywords you need are right here in this thread - start reading.

TWM - I have re-read your last post several times now and I still don't know what you're trying to say.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: kmfkewm on January 19, 2012, 08:02 am
Dude if you are using Windows you already failed at security, and if you are using Windows XP you ultra failed. Anyone who pays money for this shit is retarded and not secure. It comes preconfigured with spybot and other free open source software? Awesome I can make sure that I don't have any tracking cookies I guess. In addition to being insecure from a technical stand point this is also insecure from all other stand points. People are far far far better off to use Liberte at least he includes a tutorial and lets you configure things exactly the way he did step by step to make sure you are not getting a backdoored distro. Windows XP lmfao. I honestly hope OP was making a joke.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 20, 2012, 02:22 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I actually was looking into autoit initially but wanted to get something out there and to get an idea for demand first (if nobody is going to buy it, I won’t waste time trying to perfect it). However there seems to be enough interest to merit this now and I’d like to be able to automate more of it (more production = more btc) using these methods. I know that there are tools out there for this I just haven’t learned them yet as my profession circles more around the virtualization hypervisor deployment and storage/networks not so much desktop or deployment of the guests.  I’ll look into fasttrack (I need to spend some more time with autoit as well) but the VMware template wizard is for ESX as I understand and there isn’t a comparable option for workstation  but no matter I think a lot could be done in autoit.

I’m not so sure about truecrypt though since the process involves starting the encryption selecting various options and the part where I would expect the hangup is when it prompts you to burn a copy of the recovery iso with your key. It won’t let you actually encrypt the drive until it sees a CD with the iso it generates on it. Currently I have a workaround for this (cd emulation within the guest) so I don’t have to burn the iso and leave that up to the buyer (there are security/privacy reasons why I don’t want to ever be in possession of the recovery iso) but if this would be scriptable too (autoit I would expect) that would be better.

I whole heartedly agree about the blockchain download, from a security standpoint I prefer not to for the same reasons I don’t want to burn or otherwise be in the possession of a recovery iso. However this was born of a few customers complaints, saying basically ‘It’s cool that bitcoin installs at boot, but #1 it’s not torified, and #2 it takes forever to download the blockchain db’. So initially bitcoin wasn’t even installed until they started it for the first time. I set it as a ‘runonce’ to install at boot, and then begin the blockchain download. Now I have a small batch script that deletes the wallet.dat and other unique files at first boot, so as soon as they fire it up (and db is there) updating blockchain is significantly shorter and there is no issue with two people getting a VM with the same wallet. Again however I like the idea of using autoit for this and am looking into it.

As to the idea of writing a vb script that’s to some degree where my expertise is very limited. I’ve never been a writer of code in any form more than a few small bash shell scripts, some perl stuff (over 10 years ago) to handle things like web page forms and obviously batch files which are the simplest ones. Beyond that I really am not a coder so if I needed something like that I would probably try and negotiate payment for a vb app (perhaps to you or someone I know irl) to accomplish this, but I’m not there yet and I can think of a few resources here in the community (other than yourself) that could probably help me with this if need be.

I know - this is taking the whole thing to the a whole new level, in terms of the amount of work required. But it would be impossible to call your integrity into question, that alone would be worth it if it was me.

Keep in mind this is only v1.0.5 of this project so these sorts of improvements are definitely in the works and things I am looking into but this takes a back seat to my irl job which as of late has been taking up a lot of my time. So while I would love to deliver this tomorrow, I’m trying to do it in a consistent fashion (each quarter offer a significantly improved product i.e. 1.1.0) and perhaps a 2.0.0 by 2012 with a lot of these sorts of things done but I only have so much free time. This isn’t to say I’m not going to do it, but the pace isn’t going to be that of a race car either.

For folks that know this sort of thing like I do and you do(and perhaps better) that would want to review it purely for the sake of putting their rubber stamp on it I’d offer a download for nothing. The only challenge is really hosting it, as it sits the guest compressed and compacted as much as possible is still about 2.1GB most free hosting limits you to 2GB downloads etc. Eventually I was going to have warweed host it once I got the automation in place so we (me and him) could work together to automate delivery of a downloadable version on the site at a much cheaper rate and I would be free to do the custom configured ones and not have to do much of anything for the downloadable one using scripting like renton has up for processing an order and sending a PM with the order contents in it to completely automate the purchase and delivery cycle for the download.

The only problem with a market outside of SR (another thing I’ve discussed with warweed in particular) is that involves marketing it on clearnet. I don’t think I could handle the demand there yet and I’m not sure I want it there either, as there would be less anonymity and I’m not sure I want to forfeit that even though what I am selling really isn’t contraband, there is potential for legal liability. That’s considerably less in ‘this’ market environment so it is more friendly to this sort of offering.

I wouldn’t ask you to do anything for free, like the vb script bits, if I hit a wall or some such and thought ‘well let’s see if edballs could whip something like that up for me’ I’d be more than happy to pay you for your work (or whomever it would be) as I would expect to get paid for mine.

I think my focus will be on autoit as that seems to have the highest potential for covering all the bases I just have to take the time to spend learning it. I don’t think it’s going to be very difficult, just not something I have spent a considerable amount of time on yet.

This aside, thanks edballs for pointing out some techniques that might help this improve, that’s what I’m looking for.  I don’t expect someone else to do the legwork etc, but your comments have been useful and constructive and thus both myself and the community at large (those in particular that may be future customers) will benefit and why I started this thread in the first place. I don’t expect everyone to sign off on this as a solution for everyone but the community (because this thread is here) can see when it may meet their particular needs/concerns through a process that others can read openly and freely.

As a side note, these posts are getting to be stupid long so I want to keep this discussion going (this applies to anyone who wants to contribute or make suggestions) but lets try and keep the posts a little shorter (easier to read/reply) as this itself is a huge post.

Thanks,
Looker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPGM/dAAoJEEMAzoKrkXQ+Pk8IAI0hyoqwisNkiRsu7e5BMZUb
4eR8eXhclRM7PravFR7kmhbyaga/wBGyCxATSbrkwk0GHH8veoKo7/JMLBE0d9IQ
zT7Nf9uukBkoSbh3h6qciLWz6DJTWh/LaZJOiQriAZtNE67a2ttKcxQem4oe3iM1
tgYu0tPcrQby6rQ05VkvWEALA0I4UOFLpcFpAgQDhIMZyxtjCNmPop2bIDqBCD8O
OHBx2ucjTEq28SJ/ZV9UXgjLugEjD9BqvFExQXqgftVbNcsMl3FL5w8FkMPteeMn
kziXrzuWLActTHDOjkawn2Ir0EgjhTs3ow7TD3nhCTyg0lhNT6jVfb113qLzvSA=
=lW0U
-----END PGP SIGNATURE-----
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 20, 2012, 02:24 am
Dude if you are using Windows you already failed at security, and if you are using Windows XP you ultra failed. Anyone who pays money for this shit is retarded and not secure. It comes preconfigured with spybot and other free open source software? Awesome I can make sure that I don't have any tracking cookies I guess. In addition to being insecure from a technical stand point this is also insecure from all other stand points. People are far far far better off to use Liberte at least he includes a tutorial and lets you configure things exactly the way he did step by step to make sure you are not getting a backdoored distro. Windows XP lmfao. I honestly hope OP was making a joke.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

You are missing the point, you should try reading the thread, but looks like you failed at that so I’ll repeat myself for the 10th time. This device is not intended to be ‘neckbeard’ secure (as you would put it) from any hacker or security exploit while running any more than the average windows machine is on the regular internet with standard a/v protection. It’s intended to be a windows machine (you know that OS over %80 of the world uses? Yea I am interested in a piece of that vast majority customer base) that has all the tools necessary to buy (primarily) and sell (secondarily) on SR. It also has various precautions/software in place that would prevent LE from extracting any data from it in the event it is confiscated, or quickly and easily discarded (and thus discarding of any useful data) to serve the same purpose.  Let me repeat that for you in simpler terms. This device is intended to thwart LE forensic data recovery capability, not some uber ‘leet hacker like your ego indicates from somehow exploiting some security hole known to exist in windows. If you are using it only for SR then spybot isn’t even necessary, this was something that was simply added because it was requested and it is small enough to not impact the overall size of the vm or cost or time to build significantly. This isn’t supposed to be a rock solid hard core un-hackable vm. Never was, and never will be, after all it is windows (as you were so astute to point out).

You say people are far far far better off using liberte, while there is some truth to this (just about any linux is more secure from a hacking standpoint than windows) the problem I’ve found with the linux distro’s is for the average user they are a pain and unfamiliar to use. I support it as part of my irl job so I’m very painfully aware of the gain in security by using a distro like tails/liberte etc. However the customers I am seeking don’t want to learn a new OS, they want to click a few links, order their drug of choice with some level of impunity because they know someone who knows technology far better than them set it up to secure and encrypt their data so as soon as they are done doing their business on SR and turn off the VM it would be exceptionally difficult (and it’s my contention that for local/state LE this would be impossible) to extract any incriminating data from the drive without the proper encryption key and/or password. That’s it, nothing more, nothing less.

What I have no intention of doing is creating a device that’s so secure your fantasy lover Theo de Raadt would have a hardon for. Why? It’s simple because nobody would want to use it and it would be so user unfriendly that I would never sell a single one except to someone like you who is not my target audience. So this being said the only failure here is your own as you fail to see what it’s attempting to accomplish, which is not anywhere near what you would want.

Thanks,
Looker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPGNBIAAoJEEMAzoKrkXQ+Lk4IAKOYt15GtekdPymKVD51G5o6
TXdY5OnaWo3soDhy3SS3ihZBthxkcZO9VCg412IaKmdhfu/7J/xemoPHOaoPDl4+
Syd1n1OjJoZ4hMxL74CVNABhLCPBCNh8tvWgBZUY9B7lRXHy7flbQ9PTIvbXn8fw
wKCightyzlt8nH0+aAW3tqThy9KMaLQ+h+RqaUPCJqd1Wt3Ypp2HaXfhNAx9zh4U
MdBnkjTGZ9fx+rF//gGZC0tcYhxB4nTSdXoJfvoI1c1S4SMHe4Xwt6YoX7AUd9Xc
s2gfNTdO+pE2McV3jXwhf8w+Faa8plPv3H3YGhPxoOq1so+v5iqFjGGxwZ19sZo=
=w7SR
-----END PGP SIGNATURE-----


Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: CoryTrevor on January 20, 2012, 05:05 am
So basically you're just selling freeware on a truecrypt (also freeware) encrypted drive? Am I missing something? And you think the police don't have more capabilities than a stupid hacker?

You're definitely not someone I would trust with my security lol
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: wumg00 on January 20, 2012, 05:41 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

davidd,

Whats ironic is I have been here longer than you have. While not a vendor, longer is in fact longer. So lets not get into who's been here how long because thats a lose/lose for you.

I actually was only messaging the top %10 which would have been roughly the top 25-26. You are currently #29 out of 258 sellers. The way it came about (me contacting you) was I saw you a few vendors below and said 'Well he's got a 99, and over 500 sales, been here a little less than me but seems pretty consistent so I'll reach out and see if he's interested'. Thats pretty much the gist of it and your first response was shall I say, less than pleasant. A simple 'No not interesed' would have been plenty, but lets not argue about the details.

In the interest of being open I have no problem disclosing the list of vendors supporting this (in no particular order):

IvoryUK (See his endorsement earlier)
tetravort
Paperchasing
PuffBuddy (Not in the top %10 anymore, but has always been a top notch vendor IMO)
Rook
warweed
SugarMama
BTC Buddy
Mr.DdroMcGillacutty
godofall (While not in the top %10 I back him as being a good reputable vendor)

I'm not selling freeware, I'm selling the expertise needed to set it up properly and secure enough to make it immune from LE forensic attacks for data recovery.

While I understand your concern I make enough in real life that this is simply a hobby and I'm happy to provide it to people who are happy to purchase it and in the process refer them to vendors who won't scam them or rip them off and in the process some of those larger vendors refer those people to me to help them out with getting the tech part squared away and maybe make a sale from it. Preventing me from having to get bitcoins by transferring money to an exchange and buying them, allowing me to acquire them in a little more anonymous fashion.

Thanks,
Looker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPF4jZAAoJEEMAzoKrkXQ+ScwH/2GZiLAKwgSZ3aRUUvG/Yrmg
/nmLULWZeDiVJs7qlWrrkyPoyEdCFTl6mVj3EnIH0OLBiFE/ZfyG4pJQBE/AcvKU
ASM0Umj4ga5051oSfrPghZX07g+iHc9+ihV07eBjH9n1Mhco4AmehGm6Y9BgaR5e
D2FgEZ863AIsEjVxsvRurus4Iyfx9wy+kgdxX5mKrTttKOp3uewZqe3BPYASx4vV
8tEBdhIuncZfidRDMHpuUwo/fGf5R4yzf2REl7L777RbrxHj9HkEBD2gxkiLaUcq
wZAM3YlxckN1rCE3nwdj+GPa4b+4uslbjT4Ika2pEH0H6O+CJpxh2DGdRMHQxWs=
=NzYo
-----END PGP SIGNATURE-----


 I know I am not a top 10% vendor but I think I hold a lil value to this community and you can def put me on the list on vendors supporting this! 8)
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 20, 2012, 07:44 am
So basically you're just selling freeware on a truecrypt (also freeware) encrypted drive? Am I missing something? And you think the police don't have more capabilities than a stupid hacker?

You're definitely not someone I would trust with my security lol

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

CoryRevor,

Yes the products I include in the vm are all free and publicly available and considered fairly easy to use by most.

The drive itself is not encrypted, the filesystem inside the VM is, so even if they obtained the drive they wouldn't be able to obtain data from the drive using the encryption method I chose. Unless you have evidence to support otherwise, I know AES has been broken before but according to an article previously posted as well as a more recent one:

http://www.mcbsys.com/techblog/2010/08/how-secure-are-truecrypt-and-bitlocker/

That supports my claim with regard to data being forensically recovered. The key thing to remember however is it depends highly on physical security and denyable encryption which is always a concern and hence the reason for putting it on something quickly disposable or otherwise removeable device with encryption of this nature. They would need to obtain a complete memory dump as this article was based on a physical install but there are memory isolation measures put in place with virtualization. Some experts disagree and believe virtualization makes things more vulnerale but there are just as many who believe it offers additional security through isolation and obfuscation and is an effective tool to delay the recovery of data. Ultimately with enough computing power yes the drive could be decryted but with a halfway decent password (say 12 characters) it would take well over 10 years to brute force attack it local/state and even the FBI level do not have those resources at their disposal. Unless you have something that indicates otherwise truecrypt still seems like a very viable mechanism for defeating LE's attempts at forensic recovery of data.

I personally would not however trust BitLocker, because it's MS, but the container the OS sits in (VM disk) is encrypted below the OS level and not developed by MS nor the code available to them or anyone else.

Thanks,
Looker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPGRtAAAoJEEMAzoKrkXQ+m6MH/24s3r9E6/wLNoiErPNINKx2
BHT1XQ0OQrvZdtH6UOGFnjC4mhj780b3kDEyjlRnkFZ7ixG8DGcIVIWPnbt7DEE7
81c8MdybVhF54bCZKRyveDIo5bTtMMlyjAwiygfkxKObPJjaXsC3drlubdiYiCSK
e3ObkpND588gOyeI7KNYTY2xN4Htv4WmgULXOwrEhN4/ReweJ6wRNORGxF+qUg2x
5Vcn/7kxaAPj7Ht6AqmSpuS9olAE4Pgl0XaEMKDjNnyH5NkCTvJP0QwHmsYW+6v1
oZm2AS7fEondMdOdrMAxvQxoymWSMbNlve03nKzkYi0MCg6x1jf/KPphpzfCqSo=
=ZvyT
-----END PGP SIGNATURE-----
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: rocketdog on January 20, 2012, 07:13 pm
Looker,

The know-how to put something like this together is not acquired quickly. Most of the people attacking your project probably do not have that knowledge.

If they do, they should be offering technical assessments rather than just nattering on about their negative opinion of your project.

I say keep up the good work.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: CoryTrevor on January 21, 2012, 04:12 am
Looker,

The know-how to put something like this together is not acquired quickly. Most of the people attacking your project probably do not have that knowledge.

If they do, they should be offering technical assessments rather than just nattering on about their negative opinion of your project.

I say keep up the good work.

uhhh yeah it is. All you need is nero or some other burning software and you can create a bootable CD. Wow so hard! Just because you don't know how to do it doesn't mean its hard...

And davidd and edballs and others have given technical assessments... It just happens to be negative because this shit just isn't secure. Everything they have said is a legitimate concern.

Any vendors that are backing this must not realize how easy it is to now be fucked over by using this product. They sell drugs.. computers must not be their strong point.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Paperchasing on January 21, 2012, 08:20 am
There is a lot of users that would greatly benefit from a well designed VM that they could perhaps actually use (sorry, alot of people dont know squat about unix meaning liberte is not really a viable choice for them)  A lot of people send me their addresses plain text, unencrypted in the SR database, ripe to be picked by a government backed hacker or simply a rogue hacker.  The whole system would be way more secure if everyone used PGP... some just don't know how to install and use it so a pre-configured distro would be helpful for them.

Looker, I do agree that a md5 checksum for the compressed distro is probably the only solution to the question of tampering with the image.  That may mean more work for the end user but in the end definitely worth the extra effort on the end users part.

Sure, LE could try to set up something like this to entrap buyers... and LE could spy on them from a Misty class satellite too when they go to their mailbox.  Both are plausible and possible.  Does that mean its true?  Not necessarily lol...

How about instead of creating imaginary boogymen, why don't some of you nay-sayers roll your sleeves back and FIND SOME EVIDENCE OF FOUL PLAY since you appear to be experts at giving all these technical assessments?  THEN come and say "foul" if you do find something that is tangible...  until then spewing off imaginary possibilities amounts to no more than academic bubblegum for the mind.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: kmfkewm on January 21, 2012, 09:22 am
So basically you're just selling freeware on a truecrypt (also freeware) encrypted drive? Am I missing something? And you think the police don't have more capabilities than a stupid hacker?

You're definitely not someone I would trust with my security lol

Most police have substantially less capabilities than even the stupid hackers do, in a cyber environment anyway.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: kmfkewm on January 21, 2012, 09:47 am
Quote
You are missing the point, you should try reading the thread, but looks like you failed at that so I’ll repeat myself for the 10th time. This device is not intended to be ‘neckbeard’ secure (as you would put it) from any hacker or security exploit while running any more than the average windows machine is on the regular internet with standard a/v protection.

I hope everyone can see that you are a total retard. Windows XP doesn't have any modern OS security features you are far better off using the most recent version of Windows if you want security. Using Windows XP for security is a fucking joke and using it in a ful hardware virtualization environment, further reducing security, is an even bigger joke. Your entire "product" is a security death trap and anyone who uses it is retarded. Also earlier you claimed to have done intelligence work and to know so much about the NSA and DEA, despite the fact that you are clearly talking out of the asshole that a random mutation put on your mouth, I would love to know the specific type of intelligence work you did. Certainly nothing related to computer security, and almost certainly nothing related to the NSA if you don't know how to program.

Standard A/V and spyware scanners are essentially entirely worthless at providing you security from an even half competent attacker who targets you. These programs (poorly) protect you from dragnet attacks where "any computer" is the target not "your computer".

Quote
It’s intended to be a windows machine (you know that OS over %80 of the world uses? Yea I am interested in a piece of that vast majority customer base)

Just because Windows has 80% of the customer base for personal computers doesn't mean that it is right to market it as a fucking airplane. Marketing windows XP full hardware VM with some garbage open source spyware scanners on it as a secure solution is about as honest as calling it a fucking dinosaur and justifying yourself based on its market share.


Quote
that has all the tools necessary to buy (primarily) and sell (secondarily) on SR.

No, it doesn't. Windows XP doesn't even have ASLR for fucks sake. You know nothing about computer security. You downloaded a bunch of fucking freeware after searching google for security software and installed a bunch of it to a Windows guest. Whoa, welcome to entry level security, about a step above grandma level security.


Quote
It also has various precautions/software in place that would prevent LE from extracting any data from it in the event it is confiscated, or quickly and easily discarded (and thus discarding of any useful data) to serve the same purpose.  Let me repeat that for you in simpler terms. This device is intended to thwart LE forensic data recovery capability, not some uber ‘leet hacker like your ego indicates from somehow exploiting some security hole known to exist in windows. If you are using it only for SR then spybot isn’t even necessary, this was something that was simply added because it was requested and it is small enough to not impact the overall size of the vm or cost or time to build significantly. This isn’t supposed to be a rock solid hard core un-hackable vm. Never was, and never will be, after all it is windows (as you were so astute to point out).

Spybot is never needed and if you are using Spybot for anything security related its already a huge indication that you failed at computer security. Also, if you are using an anti virus program it is also a huge indication that you have failed at computer security. This doesn't mean I suggest against using an anti virus or anti spyware software if you run Windows, it just means that if you run Windows you already failed at computer security.

Quote
LE forensic data recovery capability, not some uber ‘leet hacker

What are you going to do when LE hacks your shit and steals the encryption key from RAM? You are saying the (limited, although important) security benefit you get from using a single open source freeware system that you had absolutely nothing to do with creating, not the security benefit of using your death trap of a security distro.

Quote
You say people are far far far better off using liberte, while there is some truth to this (just about any linux is more secure from a hacking standpoint than windows)

There is only truth to saying that people are far far far better off using liberte, liberte isn't anywhere near the ideal configuration but it is light years ahead of this shit you are trying to sell.


Quote
the problem I’ve found with the linux distro’s is for the average user they are a pain and unfamiliar to use.


Firefox is firefox


Quote
I support it as part of my irl job so I’m very painfully aware of the gain in security by using a distro like tails/liberte etc. However the customers I am seeking don’t want to learn a new OS, they want to click a few links, order their drug of choice with some level of impunity because they know someone who knows technology far better than them set it up to secure and encrypt their data so as soon as they are done doing their business on SR and turn off the VM it would be exceptionally difficult (and it’s my contention that for local/state LE this would be impossible) to extract any incriminating data from the drive without the proper encryption key and/or password. That’s it, nothing more, nothing less.

The people who use Death Trap VM are not getting any level of security they would be better off to use an operating system that uses modern security technology. From what I can tell your level of technical security knowledge would be gained by searching for Windows security software with google. And once again you are attributing the security benefits of using a freeware open source system you had nothing to do with creating to the (entirely not real) security benefits of paying you for Death Trap VM.

Quote
What I have no intention of doing is creating a device that’s so secure your fantasy lover Theo de Raadt would have a hardon for. Why? It’s simple because nobody would want to use it and it would be so user unfriendly that I would never sell a single one except to someone like you who is not my target audience. So this being said the only failure here is your own as you fail to see what it’s attempting to accomplish, which is not anywhere near what you would want.

You wouldn't sell one to me either because I know to be really secure you need to configure and audit things yourself. You are just trying to make money, you don't know squat about computer security and you have even pretty much yourself admited that making money is more important to you than providing security to your customers, if you even had the technical skill required to provide security to anyone in the first place which you obviously don't. You are selling a steaming pile of shit and anyone who buys it and uses it is both retarded and highly insecure.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: kmfkewm on January 21, 2012, 09:59 am
Also AES has never been directly broken when it is used as a symmetric encryption algorithm with a 128 bit or higher key anyway. But anyway they will just forensically recover the key after it leaks from memory, this can happen in a ton of different ways (did you even take any technical steps against any of the numerous ways keys can leak to RAM?) and one person claimed in the security forum that it is more likely for this to happen in a VM guest than an OS running on hardware, but I don't know if this is true and they have still not yet given me a link to a citation. Even if it isn't true about key leaks being more probable in a VM, it is certainly true that key leaks are very probable even if you are not using a VM especially if you are taking zero precautions against this. So even though you are using freeware that implements strong encryption algorithms, you are not implementing it in a way that is fool proof (or even that secure) against forensics. Secure against cryptanalysis , yes, against forensics, no. Anyone who has done intelligence work related to computer security would recognize the difference between the two methods of attack, but you seem to be using forensics and cryptanalysis interchangeably. Live computer forensics will pwn you by hacking your system and doing a memory dump, dead computer forensics will pwn you when they recover your key that leaked all over the drive from memory.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: kmfkewm on January 21, 2012, 10:02 am
Quote
Some experts disagree and believe virtualization makes things more vulnerale but there are just as many who believe it offers additional security through isolation and obfuscation and is an effective tool to delay the recovery of data.

You obviously have no understanding of how isolation actually works, and all security professionals seem to agree that paravirtualization pwns full hardware virtualization when it comes to security. And if you don't want your guest OS to be pwnt by a hacker you should certainly not be using full hardware virtualization but rather should be using paravirtualization. You really are either a troll, a fed or a complete dumb fuck.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: davidd on January 21, 2012, 10:48 am
So basically you're just selling freeware on a truecrypt (also freeware) encrypted drive? Am I missing something? And you think the police don't have more capabilities than a stupid hacker?

You're definitely not someone I would trust with my security lol

Most police have substantially less capabilities than even the stupid hackers do, in a cyber environment anyway.

  ::) They have full time computer forensic teams just for situations like this. They are paid to do nothing but stuff like this. Hackers, not so much... don't be silly.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: kmfkewm on January 21, 2012, 11:16 am
So basically you're just selling freeware on a truecrypt (also freeware) encrypted drive? Am I missing something? And you think the police don't have more capabilities than a stupid hacker?

You're definitely not someone I would trust with my security lol

Most police have substantially less capabilities than even the stupid hackers do, in a cyber environment anyway.

  ::) They have full time computer forensic teams just for situations like this. They are paid to do nothing but stuff like this. Hackers, not so much... don't be silly.

Have you seen the skill level of the average computer forensic team? Nine out of ten times they are just trained to use forensics applications that were actually designed and implemented by non-law enforcement hackers in the first place. Law enforcement are generally way behind and the only reason they are catching up is because non-law enforcement hackers are starting to sell more sophisticated tools to them.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 21, 2012, 11:04 pm
Quote from: kmfkewm
I hope everyone can see that you are a total retard. Windows XP doesn't have any modern OS security features you are far better off using the most recent version of Windows if you want security. Using Windows XP for security is a fucking joke and using it in a ful hardware virtualization environment, further reducing security, is an even bigger joke. Your entire "product" is a security death trap and anyone who uses it is retarded. Also earlier you claimed to have done intelligence work and to know so much about the NSA and DEA, despite the fact that you are clearly talking out of the asshole that a random mutation put on your mouth, I would love to know the specific type of intelligence work you did. Certainly nothing related to computer security, and almost certainly nothing related to the NSA if you don't know how to program.

Firstly it's not intended to protect you from the hacking elite, I've never made that claim even once. Secondly VMware is NOT full hardware virtualization, it's paravirtualization in this case (Full hardware virtualization is only available in their ESX products). The more you respond the more it's clear that you have a very limited understanding (much more so than I had thought) of virtualization. I've made a career of it and security for well over a decade now, can you make that same claim? I doubt it.

The only claim I've made as to it's purpose is it's intended to keep your data and transactions secure from LE. I never made any claims about the DEA. What intelligence work I did I really can't comment on for a plethora of reasons and you must be out of your fucking skull to think I would disclose any details related to that, I might as well eat a bullet before I disclose those details. The most I can say is I worked in general terms in the information security field, but thats all I will disclose.

Quote from: kmfkewm
Standard A/V and spyware scanners are essentially entirely worthless at providing you security from an even half competent attacker who targets you. These programs (poorly) protect you from dragnet attacks where "any computer" is the target not "your computer".

Again, I only installed it at the behest of a few concerned customers. I don't expect it to protect anyone from someone who has made a conscious effort to compromise another individuals system, it's not going to prevent that and it's not intended to. Do you have ANY clue what 'fit for a particular purpose' actually means?

Quote from: kmfkewm
Just because Windows has 80% of the customer base for personal computers doesn't mean that it is right to market it as a fucking airplane. Marketing windows XP full hardware VM with some garbage open source spyware scanners on it as a secure solution is about as honest as calling it a fucking dinosaur and justifying yourself based on its market share.

This statement is completely obtuse and ridiculous. The whole reason why the initial version is windows is because I wanted to provide something that %80 of the market is ALREADY FAMILLIAR WITH, are you really so fucking stupid that this simple concept escapes you?

Quote from: kmfkewm
No, it doesn't. Windows XP doesn't even have ASLR for fucks sake. You know nothing about computer security. You downloaded a bunch of fucking freeware after searching google for security software and installed a bunch of it to a Windows guest. Whoa, welcome to entry level security, about a step above grandma level security.

ASLR? Really? Are you really going to suggest that ASLR is even REMOTELY necessary for this application? If so go butt fuck your fantasy lover Theo and be done with it already. While ASLR provides levels of security to protect against hacks and the like thats NOT what this device is intended to be secure from as I have said over and over again but apparently that thick skull of yours doesn't seem to allow much data to penetrate it. I guess it's too secure....  ::)

Quote from: kmfkewm
Spybot is never needed and if you are using Spybot for anything security related its already a huge indication that you failed at computer security. Also, if you are using an anti virus program it is also a huge indication that you have failed at computer security. This doesn't mean I suggest against using an anti virus or anti spyware software if you run Windows, it just means that if you run Windows you already failed at computer security.

See above dickbag. Nobody made any claim that spybot was going to protect anyone from a would be attacker, it's a malware tool, thats all. Which if they are only using it for it's intended purpose is completely unnecessary, just like ASLR.

Quote from: kmfkewm
What are you going to do when LE hacks your shit and steals the encryption key from RAM? You are saying the (limited, although important) security benefit you get from using a single open source freeware system that you had absolutely nothing to do with creating, not the security benefit of using your death trap of a security distro.

Again failing to understand how virtualization works. Go do some reading Jr. because even if they had a whole dump of the HOST machines memory it's highly unlikely they would be able to retrieve the key from the guest. Secondly if someone comes bashing in your door, don't you think pulling the plug might be a wise move? Which would prevent them from obtaining a useable copy of what was in memory prior to pulling the plug unless they restore power in less than about 5-6 seconds. Which somehow I don't think the goon squad will be able to do.

Quote from: kmfkewm
There is only truth to saying that people are far far far better off using liberte, liberte isn't anywhere near the ideal configuration but it is light years ahead of this shit you are trying to sell.

Light years? I don't know that I would go that far, but ANY linux is going to be significantly more secure than windows, period. There is no argument here and there never was one so stuff it right back up your ass where you pulled it from.

Quote from: kmfkewm
Firefox is firefox

So all you need for SR is firefox? Weird, if you are such a fucking expert how is it you missed the fact there are several other tools that should ALWAYS be used with SR?

Quote from: kmfkewm
The people who use Death Trap VM are not getting any level of security they would be better off to use an operating system that uses modern security technology. From what I can tell your level of technical security knowledge would be gained by searching for Windows security software with google. And once again you are attributing the security benefits of using a freeware open source system you had nothing to do with creating to the (entirely not real) security benefits of paying you for Death Trap VM.

Against who? Who is this device protecting against? You seem to often go on tangents and lose sight of this very important fact, but the more you punch away at that keyboard the more I realize you really are just another wanna be blackhat with no concept of what is reasonable security measures are and what is completely unreasonable and overkill for a particular application.

Quote from: kmfkewm
You wouldn't sell one to me either because I know to be really secure you need to configure and audit things yourself. You are just trying to make money, you don't know squat about computer security and you have even pretty much yourself admited that making money is more important to you than providing security to your customers, if you even had the technical skill required to provide security to anyone in the first place which you obviously don't. You are selling a steaming pile of shit and anyone who buys it and uses it is both retarded and highly insecure.

You again are talking about security that is extremely overkill for this application. I'm not even going to repeat myself for the 100th fucking time. You have absolutely NO fucking clue what I know about security and what security mechanisms I am familliar with. What I have admitted is that I am interested in making money in exchange for my professional skillset that I use every day in the real world and am compensated quite well for. To cite an example, the clusters that serve out Apple's iOS images, and AppStore applications for mobile devices, was scaled up based on a solution that I was a key contributor in architecting as part of my IRL job. What are you offering? Absolutely nothing but being a dick, congrats you have succeeded admirably but unfortunately I don't make bitcoin donations to fuckwads who live in their mommys basement so they can troll forums and stir up shit without having any basis for it.

Quote from: kmfkewm
Also AES has never been directly broken when it is used as a symmetric encryption algorithm with a 128 bit or higher key anyway.

Your wrong, I know this for a fact. I will not elaborate on this further but AES256 on it's own has been compromised in the past.

Quote from: kmfkewm
But anyway they will just forensically recover the key after it leaks from memory, this can happen in a ton of different ways (did you even take any technical steps against any of the numerous ways keys can leak to RAM?) and one person claimed in the security forum that it is more likely for this to happen in a VM guest than an OS running on hardware, but I don't know if this is true and they have still not yet given me a link to a citation. Even if it isn't true about key leaks being more probable in a VM, it is certainly true that key leaks are very probable even if you are not using a VM especially if you are taking zero precautions against this.

Again showing your lack of comprehension of security in virtualization applications. There is isolation between guest memory and host memory, when was the last time you examined the memory dump of a guest VM generated from the host? If you did it wasn't very useful because it needs to be generated from within the guest to be useful.

Quote from: kmfkewm
So even though you are using freeware that implements strong encryption algorithms, you are not implementing it in a way that is fool proof (or even that secure) against forensics. Secure against cryptanalysis , yes, against forensics, no. Anyone who has done intelligence work related to computer security would recognize the difference between the two methods of attack, but you seem to be using forensics and cryptanalysis interchangeably. Live computer forensics will pwn you by hacking your system and doing a memory dump, dead computer forensics will pwn you when they recover your key that leaked all over the drive from memory.

Nothing is ever %100 fool proof, suggesting anything otherwise would be disingenuous at best. If you are such an expert at cryptanalysis and/or forensics hows about I provide you with a file and a message inside it and when you are able to recover the data then you will have earned some semblance of a leg to stand on, until then you are nothing more than a forum troll spouting off at the mouth about things you don't know anywhere near what you suggest you do about.

Quote from: kmfkewm
You obviously have no understanding of how isolation actually works, and all security professionals seem to agree that paravirtualization pwns full hardware virtualization when it comes to security. And if you don't want your guest OS to be pwnt by a hacker you should certainly not be using full hardware virtualization but rather should be using paravirtualization. You really are either a troll, a fed or a complete dumb fuck.

You clearly (again) demonstrating a significant lack of knowledge about the types of virtualization in use and the mechanisms and features of each. This vm is NOT full hardware virtualization or HVM for those in the industry (like myself) refer to it.

Quote from: funway
Any decent disk encryption software is going to integrate tightly enough with the OS to prevent itself from being swapped out to the hard drive. This will keep the keys safe. If you run encryption software inside a VM this is still true - inside the VM. Outside the VM, on the host machine, the VM itself can be swapped out to the host OS swap file, keys and all.

I'm new to the security forum, so I might not have a lot of credibility here yet, but please for the love of god, all end users should abandon this project. I think it is a wonderful experiment in order to learn how to secure an OS and use VM software, but it is at least 10 complete start from scratch cycles from being a secure product.

I'm not trying to be mean. I think the discussion has been interesting. People have learned a lot. This is all wonderful. Please don't use this though. I'm so horrified by the idea of vendors using it that I am not willing to buy anything from any of the vendors listed as supporting this project until I know for sure that they are not using it.

If you have facts to back up these statements I would be very interested in seeing where you obtained them because from where I am sitting all you are doing is speculating.

The scope of the project is to keep you safe from local/state and FBI LE, thats it. If you have generated enough interest with other 3 letter agencies to merit them digging into your life you have a lot more serious things to worry about than if you are using this VM. Again, this is to make it nearly impossible for some local cops or even state authorities to recover data from the drive that would link you IRL to SR, thats it. It's not a device intended to protect you from would be attackers in a hacking sense. Why is it people seem to keep missing this simple point over and over again?
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: rocketdog on January 22, 2012, 02:07 am
Winows Xp is orphaned now. No more security updates coming from MS as I understand it.

But it appears to me there are a lot of customized/paired down/hardened/cracked XP ISO's out there on bittorrent to the extent that XP is treated by hackers like it's in the public domain. Some of those XP versions may be quite useful.

Extensive hacking is going on with the Windows PE environment too. There are more things Horatio ....
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: davidd on January 22, 2012, 02:18 am
The scope of the project is to keep you safe from local/state and FBI LE, thats it.

And it doesn't. So thats it.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 22, 2012, 05:11 am
Quote from: funway
As far as I know, a paravirtualized XP kernel has never been available to the public. Specific devices like the video card and network adapter are paravirtualized, but that was not what he was talking about.

With VMware workstation the guests are not fully hardware virtualized with 32 bit guests. Full HW virtualization is only available 64 bit guests (running on 64 bit host OS, aka hosts that support 'long mode' and VT/AMD-V), for the footprint of this guest it makes no sense to use 64 bit as it offers no benefit and opens up vulnerabilities like you mention above so these sorts of security risks are mitigated in the fashion it was offered. This was a concern when I started this project and was a factor in deciding what the base platform would be. This makes a few assumptions that the average user doesn't understand what VT is or how to enable/disable it and that the host OS is more likely 32 bit than 64. I haven't recently looked to see what is more common now but I suspect 32 bit is still the majority if even by a small margin.


Quote from: funway
What exactly is it supposed to be secure from? I don't want a vendor clicking a link to some .onion site to see a picture of a drug someone uploaded and then having their VM bugged because of a firefox 0day. What if I order from them? What is this supposed to protect from exactly? Is this supposed to protect anything?

In the unlikely/unfortunate event that the owner/purchaser is in a situation where perhaps their computer is seized as part of a warrant there will not be any evidence of their activities on SR on the hosting machine. In the event that the thumbdrive is also seized the vm residing on it may contain data that LE could be interested in and need, is now contained and heavily encrypted. This gives the owner/purchaser a few options:

1.) Shut your mouth, play dumb and lawyer up (they have no evidence anyways)
2.) Plausible denyability 'I dunno a someone left it here a few weeks ago, no idea whats on it' (although this may be harder to pull off)
3.) In the event you don't provide them your password they are not getting any data off of it. This is well documented unless they have your password (again shut your mouth and lawyer up) or key (very difficult and unlikely)

Those are the situations it's supposed to protect you from. There are MANY users of SR (You would really be alarmed) that simply download the Tor Browser Bundle and surf SR and place orders using nothing more than that and bitcoins on the computer they do everything else on (no bitcoin wallet, or encryption or anythinG). This is extremely risky for a plethora of reasons I doubt I have to explain any of them to you. This is intended for THOSE users, and force them to use more sensible methods including GPG/PGP for address encryption, hard disk encryption (at least within the vm) and tormail etc rather than leave a nice heaping pile of conviction sitting on their desktop. Using this will mitigate that to a significant extend when used properly. I think despite your feelings about XP and virtualiztion, this at least contains these activities to a secured container (the vm's filesystem). This also assumes that people don't start it up and leave it running 24x7 open on their desktop, that they fire it up as needed/desired. Do what they need to maybe surf the forums etc a bit and shut it down and pull it out. In otherwords the heavy reliance on physical security.

It is not (as I have said many many times before) intended to be immune from a would be attacker looking to compromise a running system, not any more so than the average windows system. Which your example would also apply to and thus is not unique to this product. It's simply a tool to prevent LE from obtaining evidence for the prosecution and with the safeguards put in place it will definetly accomplish that.

Quote from: funway
The key is always kept in ram. The issue is, will it be written to swap? Chances are it won't be written to swap inside the guest VM, but what if the host OS swaps out VMware? What protects against the key which is in ram of the guest OS, and therefore the ram of the host OS (in a way that the host OS is completely oblivious of the security implications of) from being written to the host OS swap file? There is a good chance that the crypto key will be waiting for them on the hard drive either in the swap file, or empty space where the swap file was in the past.

If the host swaps to disk then yes there is a possibility but this also depends on the VM running at the time. Which as I've suggested above (and many other times) that the security of this device relies heavily on creating 'smart' user habits, like shutting it down when you aren't actually using it and removing the drive from the computer after you are done. Swapping is also disabled in the guest. If it's left continuously running unattended and connected this creates a security issue in and of itself and this is not unique to this product.


Quote from: funway
They are available for linux. Why not work from a more secure starting point and add them there, instead of adding them to Windows. I know, I know. This is for people who use windows. If they are learning bitcoin, tor, and silkroad though, I'm sure they can cope with a start button that is shaped differently.

Yes this may be true, but apparently you haven't worked in too many general public customer facing roles because people in general are adverse to change and if something is familliar they are more likely to use it. Do I think the users I am focusing on with this would be incapable of using an ubuntu or similar linux distro for this? no not at all, would they be more comfortable using windows and thus more inclined to buy it? absolutely, and thats the point. I'm not going to ask the customer base I am focusing on to learn a new os, just contain their activities to something that adds layers of protection so they remain a bit safer. Nobody here has every claimed infallibility, but you can't possibly suggest that using this VM is LESS secure than what some users are doing now (as mentioned above) as that would definetly not be the case.

Quote from: funway
No, it hasn't. It is weaker than 128bit AES though.

I can't disclose how I know this but I can say with certainty that AES256 has been comprimised in the past 10 years. This has not likely been published anywhere that you would have access to for now, but I can say without any reservation that this is the case. This is the reason for the use of 3 cipher XTS mode. If you want a general idea of when, look into the regulations that were lifted on the exportation of cryptography post cold war. You can choose to believe what you want but I will never trust AES256 for protecting any filesystem on it's own unless it is used in conjunction with whirlpool or as part of a multi-cipher technique.


Quote from: funway
Everything in the guest OS ram has to live inside the host OS ram. There is nothing to cite. If the VM needs to be swapped out because ram in the host OS is getting low, anything in the guest OS can be swapped out. There is nothing to cite here either. The fix is to only use encrypted swap in the host OS. I don't know if this can be done in windows operating systems, but it is easy in linux. Although paravirtualization is clearly better, I don't think it is absolutely essential, or the fix for many of the non-windows flaws in this project. If the goal is to reduce risk, less "extreme" uses of virtualization can do a lot. I just don't believe that using XP is a sane starting place for this in any way other than an early prototyping stage that isn't meant for public consumption.

There are isolation mechanisms in place to prevent the polluting of the hosts RAM from the guests. I am not aware of any swap encryption available for windows either. But simply using encryption on the host OS (i.e. truecrypt) would help mitigate this more in terms of protection from those who I am attempting to protect from. The other issue here is that your presumtion of vulnerability relies on the machine being up and running at the time the attempt at unwanted ingress begins or otherwise a possible memory capture. I myself have examined swap contents on hosts running guests as well as memory dumps of hosts running guests and I can say that it would be very difficult to retrieve data from such a dump allowing for the decryption of a sufficiently encrypted filesystem within a vm. This is the only reason why in the course of my IRL job I am able to obtain memory dumps from virtualization systems (hosts) from customers that would otherwise never allow access to such data for diagnosing crashes etc due to security and confidentiality reasons. This is because the main feature that would make retrieval in the method you suggest significantly more feasible (exrtaction of key) employed by VMware as defaults have been disabled (VMCI and disabling of memory page trimming). This means that the guest takes up the full quantity of RAM assigned to it and the host is instructed NOT to swap those memory pages from this process to disk while the guest is running. This too was taken into consideration.


Quote from: funway
I guess I have to answer that with another question. Why be so half-assed about it? This is barely above a collection of links to handy apps to install in windows without using virtualization. The main difference is that they are already installed inside this VM. It was a good idea, but Windows XP is a terrible starting point. The security minded people here will never agree that this is a good idea. It would be a better use of time to switch to something more secure and work from there than argue about it. That's my opinion anyway.

This is somewhat true and I've not denied that putting this together is simply a matter of installing the tools. This is also why I often point people to this thread as a shopping list. However for those without the technical understanding of how to put the pieces together, or simply don't want to, I charge a very reasonable rate for my time and efforts, far less than I make IRL by about %50. I've been tinkering with windows 7 but here is my concern about it:

Firstly it will continue to have updates for however long MS decides, in these updates there are often 'fixes' that undo activation hacks, leaving a potential customer in a situation where their VM becomes unuseable and thus unable to purchase or vend, causing vendors a loss of revenue or ability to process orders as well as revenue loss to SR. With XP this is hugely unlikely.

This also means the end user would need to actively manage the updates to their system another thing that often causes problems for average users. We aren't talking about IT professionals, we are talking about joe the plumber who wants to order a bag of weed online and not have to worry about getting busted in a f2f transaction. This is a critical piece of information to consider when evaluating the purpose and use of this product.

As much as I have every intention of helping people with whatever issues they run into (as much as I can) with it, I also don't want to increase that workload if I don't have to, using windows 7 has a higher potential for this.
Because the guest is Windows XP it can be run in as little as 1GB of RAM so even a smaller 32 bit system with 3-4GB of ram would still have plenty of resources sufficient for using this preventing issues where the cosumer does not have a sufficiently configured host system. I don't know if that would be the case with 7. I've not tested it out yet, but tonight I may attempt to upgrade a clone of one to 7 and see what it's like, but again please rememeber this is v1.0.5 of this project and there are many possibilities for improvement. To make this happen faster rather than shooting it down, it would be more productive to offer suggestions on how to improve it.

I am working on an ubuntu version but thats going to be after this has gotten to a level of maturity that I would like and I am hoping for Q2 for that. Anyone who is hardcore or otherwise serious about all aspects of security will never support a windows based option anyways. This is because the security concerns of those people (yourself and others, myself included) are broader than simply thwarting LE from getting data to build a case on you, which is specifically what this is intended to prevent. Again, local cops in nearly any jurisdiction and state authorities up to and including the FBI do not have the reasources to forcibly brute force break the encryption employed here. That is a well documented fact. If you are joe the plumber ordering a few oz's of weed here and there local/state authorities (who don't have the technical resources to decrypt this) are not going to waste their time for such a small gain. Secondly the FBI is not even going to consider involving themselves if you are that small. More importantly if you have already garnered the FBI's attention, this is a very very small issue compared to the others you will be facing.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: mseller on January 22, 2012, 03:56 pm
Does truecrypt has utility like bestcrypt software (jetico) what encrypt all windows swap files and has time schedule for wipe it(DoD5200) among with other files like temp, cookies,history etc?
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 22, 2012, 05:55 pm
Quote from: funway
So you are talking about emulation, not paravirtualization. If you don't know the difference, please stop pretending to be an expert.

Well not really, vmware uses a combination of both depending on the platform it's installed on, but I wasn't going to go into the details of the difference which is far above and beyond the scope and the purpose of this thread. Secondly nobody is pretending anything. If this wasn't something I was significantly well versed in my employer wouldn't pay me to do it for some of their largest and most critical customers. That said, when you start writing my paycheck then you can decide what I am, and what I am not a subject matter expert in, until such time I'll take their judgement over yours as they have something to lose by being wrong, you have nothing to lose.

Quote from: funway
They should use encryption in the host OS, and then choose to run a VM or not based on other factors. Although there are some benefits to your approach, they are dwarfed by the approaches taken by the other projects that have been mentioned here that aren't based on XP.

Yes they should but in the event they do not, some is better than none. The other projects mentioned are ones that the customer base I am targeting do not wish to learn or do not want to spend the time to do the same with so whether they are better or not is another cyclic argument. Nobody has claimed this is the 'best' solution only that it is significantly safer than what some people may be doing. Which still remains a true statement.

Quote from: funway
They don't need to be unix gurus as long as steps are taken to make sure tor, firerfox, a nice gpg front end, and things like that are installed already and in the menus.

This is why I am also working on an ubuntu based version, as previously mentioned repeatedly.

Quote from: funway
That is just ridiculous. AES didn't exist at the time that the crypto export regulations were lifted. You are lying about what you know about crypto.

Really? You must be confused or getting your information from a bad source. The Rijndael cipher (winner of the AES program) was made available in late 1997 early 1998 and in 2000 was proposed as the AES standard. It was also the first open source cipher approved by the NSA, do you really think this is purely coincidence? The limitations were lifted in 2001 (or very close to) and between then and now is when I am suggesting it has been broken (aka in the past 10 years). This being said I don't know where you are getting your facts but they are incorrect. You can't claim I'm lying when you yourself don't truly know. Like I said, believe what you want, but based on my own first hand knowledge I will never use it for anything on it's own. Your data, your choice. I am not claiming it's easy or that it would be easy to do again but it has been done thats all. Again, believe whatever you want but I'd rather err on the side of caution for something so easy to safeguard against (i.e. use more than one cipher).

Quote from: funway
If you are able to keep the guest from swapping out, that is one very small point in your favor. I'll be the first to admit that I don't have a lot of experience with VMware products.

So you don't have a lot of experience with VMware products here, but earlier you claim I should 'stop pretending to be an expert' so which is it? Either you are talking about something you don't know as well as you claim or you know better than I? Without knowing my background it's impossible for you to speculate. How long have you been working with VMware? I have since it was a neat 'toy' that could be used on a basic linux desktop and before it was actually offered for sale as a commercial product. I continue to work with it as well as other virtualization platforms as well as architect very large virtualization clusters for large companies. So please stop suggesting I don't know what I am talking about one minute and then suggest you will be 'the first to admit that I don't have a lot of experience with VMware products' the next, it only degrades your credibility.

Quote from: funway
Nobody is suggesting that you switch to win7. They are only saying that XP is a horrible choice, and win7 is a slightly less horrible choice. The fact that win7 is still getting security updates, and this is seen as a bad thing, it makes my head spin.

You just proved my point as to why for this purpose XP is a better choice. As stated previously nobody is suggesting that windows in general is a secure platform against all attack types but for the aim of this project it is plenty suitable. Given various precautions have been put in place and many have. If there are others you think would be wise please do share otherwise you are only providing the same cyclic complaint and offering nothing to actually help or otherwise improve the offering or the community at large.

Quote from: funway
I don't mean this as an insult, but I don't think you are ready to do this. If someone else started a project like that, I would like to see you contribute to it with ideas and code. I don't think that you have the experience and knowledge necessary to pull it off as the lead developer.

Well then since you are so well versed why don't you provide one and help the community rather than simply speculate about how bad someone elses contribution is? Where is your solution? Oh wait according to your own words "I'll be the first to admit that I don't have a lot of experience with VMware products". So perhaps you don't have the experience and knowledge necesssary, yet you clearly claim that you have the experience and knowledge necessary to judge someone elses or otherwise determine how unsuitable someone elses offering is (again without even evaluating or touching it first hand yourself). How is this possible? In the world I live in, in order to make a claim of unsuitability for a particular purpose, that would also require that the criticizing party would have knowledge and experience equal or greater than that of the individual they are criticizing, now I'm not suggesting I know more than you as I don't know what your background is, but what I do know is that by your own admission you don't know a major part of the product as well as I do. This undermines the credibility of your own statement and puts you closer to kmfkewm in terms of making accusations and speculating when you may not really know as much as you need to in order to make this determination.


Does truecrypt has utility like bestcrypt software (jetico) what encrypt all windows swap files and has time schedule for wipe it(DoD5200) among with other files like temp, cookies,history etc?

Truecrypt encrypts the entire disk, however swap memory has been disabled in the guest so that should not be a problem. Prior to truecrypt being run Bleachbit is run to clean the VM and then a 3 pass DoD 5220.22-M wipe completed on all free space. Once this is done the VM is encrypted with truecrypt and a part of this process is another 3 pass DoD 5220.22-M wipe. So in effect using the data destruction used techniques for Secret and above classification data twice. Bleachbit thus accomplishes the same goal as wipe it which offers DoD 5220.22-M wiping of disks (cookies etc as well as 3 pass free space wipe consistent with the same guidelines) and is a bit easier to use IMO.

Thanks,
Looker
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 22, 2012, 08:36 pm
Quote from: funway
Making claims that can't be backed up doesn't impress anyone. Maybe they are true, but none of us will ever know. Consequently, none of us will ever care.

Please stick to the facts. You are talking about emulation, not paravirtualization. The only reason I stuck that jab in there is because the appeals to authority are getting old.

First there are claims that people want security features that are beyond the scope and purpose of the project, now technical details are beyond the scope and purpose of the thread? You were claiming to know so much about this, yet using incorrect terminology. It seems quite within the purpose and scope of the thread.

What claims have I made that can't be backed up? What my profession and responsibilities are IRL? They absolutely can but there is no way I would be stupid enough to openly post that information on this board. There are however people in the community that can backup those claims.

As to emulation vs. virtualization, thats why I said not really, some bits of the guest 'platform' if you will are emulated, some are virtualized, but this depends on the platform and OS the player/workstation is installed on. It also depends on which options are selected in the configuration of the guest.

If you want to engage in a discussion of the various virtualization types and which software stack offers which ones and how thats fine, but thats not the purpose of this thread, thats my point. The purpose of this thread is for (and now it's been successfully sidetracked by you and others)  gathering feedback from people who have used it, suggestions for things to include or modify in it (other than the entire product) and reviews. It was not intended to be an in depth discussion about one virtualization method over another and the merits of its security or lack thereof. This is what I meant by 'beyond the scope' as these while worthwhile conversations are not what this thread is for. You want to have that discussion, great, start a thread FOR that discussion. Now this thread has been filled with technical jargon that the audience of this product largely will not understand. This isn't an attempt at condescention towards those individuals but all it does is confuse them and simply steer them away from something that would likely be better than what they are doing now.

Quote from: funway
Good. Let's talk about that instead of XP.

Once I have finished it, I'd be more than happy to, however having that discussion without a completed prototype to evaluate isn't the best starting point. Once I have one, I will make a similar thread for THAT product, as it will obviously be different. One of the goals however is to make it as similar as possible. My issue thus far is I don't feel that the crypto included with them is sufficient. Secondly truecrypt does not allow for whole disk encryption on linux systems so I'm thinking a hidden partition will be the best approach. However thats a discussion that belongs in it's own thread because it's a different product with a different set of tools etc and additional levels of complexity.

Quote from: funway
I was talking about executive order 13026 in 1996, which does predate AES. If you want to argue that more than one cipher is more secure in theory, I won't argue with that. I do have a problem with this constant appeal to authority. Please give it a rest. Nobody cares that you claim to have proof of AES 256 being broken unless you provide proof. I can claim to have proof that the US government is cooperating with aliens from another planet to turn everybody but the rich into slaves. Nobody is going to believe me, and nobody believes you. Why bother making outrageous claims when you can't prove them? It only wastes time.

If you had any idea of the computing power at the disposal of various agencies you wouldn't think this was an outrageous claim at all. I can say that when I was 'in the know' there were several clusters of cray SV1's very hard at work to work on this sort of thing. I won't even comment on your statement about aliens as that is in no way parallel to mine. Especially given the computing power of things like CUDA and Tesla clusters, again something way beyond the scope and purpose of this thread. I am simply saying I don't believe that AES256 on it's own is sufficient. I have my reasons for this, if you believe otherwise thats fine but you aren't going to convince me that it is.

Quote from: funway
I don't have a lot of experience with VMware. I have a lot of experience with virtualization. Anyone who has experience with virtualization should know that little experience with VMware does not imply little experience with virtualization.

I could make a big list of software that I have experience with, some of it virtualization software that doesn't originate at VMware, but what is the point? I would rather participate.

VMware is not the only virtualization I have experience with. Currently I work the most with Xen. Unfortunately however thats not something that I could see being used in place of VMware in this application at the moment.

I'm sure we both could, but neither would serve any purpose, either way I've not been the one constantly trying to bring my credentials into question as part of the discussion, others have. Unfortunately I've had to spend way more time defending them in this thread that actually working with people to improve the current offering, which I'm quite tired of especially when there is nothing to support that I'm being deceptive or disengenous.


Quote from: funway
Relax. VMware is not the only virtualization solution out there. I would love to see a discussion about a serious project that uses linux. I would be happy to participate. Right now all that is happening is I am wasting my time arguing that XP is insecure. My interest in this thread is fading. Let's talk serious tech, not who has a cooler job.

Show us what you've got. Has the ubuntu project been started yet? Maybe you have some ideas in your head? Share whatever you have. I'll comment.

I'm quite aware it's not the only one, but for virtualization that runs on top of an existing OS install it is currently the most mature, popular, and offers the most in terms of isolating guests running within it. I could have used virtualbox as well but I discussed the security implications of that with various people who are tasked with developing it and they strongly recommended against it. I am not someone who writes code and they are so I will simply take their word for it as they are the professionals paid to know these things.

The ubuntu build is still in it's infancy. There are so many distros out there that I keep changing my mind which would be best. Some are more secure by default (liberte/tails etc) some are more friendly (ubuntu, mint, fedora) so it's a matter of finding a good balance. If you are serious about collaborating on that project, lets not cloud this thread with that, lets have that discussion in the right place.

My current ideas are to gather up the same tools (if possible and most seem available) as what are provided with this one, there are many reasons for this but mostly because it would alleviate the need for completely re-writing the documentation included with it. The other part would be if people wanted to move to the linux version the goal would be that the tools they are accustomed to using would already be present and very similar making the transition a very seamless and easy one. It would also make importation of pertinent data easier like keys, password safe, other applications that would retain data. There has been a lot of 'what if' thinking thats gone into this one so that things like loss of keys, or passwords etc etc, would be recoverable in the event of the need to dispose of the drive or it is damaged. This means if a vendor lost/disposed/destroyed the drive they wouldn't be subject to speculation because they all of a sudden had a new public key or some such, with given the level of paranoia here I would very much expect. Like I said, once I have a working prototype that I am somewhat confident in, I will provide it to various people for evaluation and to determine where it may be lacking etc but that is the first step is to have a working prototype which hasn't been complete and I am hoping to have something by Q2.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: SuperDimitri on January 22, 2012, 09:08 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

davidd,

Whats ironic is I have been here longer than you have. While not a vendor, longer is in fact longer. So lets not get into who's been here how long because thats a lose/lose for you.

I actually was only messaging the top %10 which would have been roughly the top 25-26. You are currently #29 out of 258 sellers. The way it came about (me contacting you) was I saw you a few vendors below and said 'Well he's got a 99, and over 500 sales, been here a little less than me but seems pretty consistent so I'll reach out and see if he's interested'. Thats pretty much the gist of it and your first response was shall I say, less than pleasant. A simple 'No not interesed' would have been plenty, but lets not argue about the details.

In the interest of being open I have no problem disclosing the list of vendors supporting this (in no particular order):

IvoryUK (See his endorsement earlier)
tetravort
Paperchasing
PuffBuddy (Not in the top %10 anymore, but has always been a top notch vendor IMO)
Rook
warweed
SugarMama
BTC Buddy
Mr.DdroMcGillacutty
godofall (While not in the top %10 I back him as being a good reputable vendor)

I'm not selling freeware, I'm selling the expertise needed to set it up properly and secure enough to make it immune from LE forensic attacks for data recovery.

While I understand your concern I make enough in real life that this is simply a hobby and I'm happy to provide it to people who are happy to purchase it and in the process refer them to vendors who won't scam them or rip them off and in the process some of those larger vendors refer those people to me to help them out with getting the tech part squared away and maybe make a sale from it. Preventing me from having to get bitcoins by transferring money to an exchange and buying them, allowing me to acquire them in a little more anonymous fashion.

Thanks,
Looker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPF4jZAAoJEEMAzoKrkXQ+ScwH/2GZiLAKwgSZ3aRUUvG/Yrmg
/nmLULWZeDiVJs7qlWrrkyPoyEdCFTl6mVj3EnIH0OLBiFE/ZfyG4pJQBE/AcvKU
ASM0Umj4ga5051oSfrPghZX07g+iHc9+ihV07eBjH9n1Mhco4AmehGm6Y9BgaR5e
D2FgEZ863AIsEjVxsvRurus4Iyfx9wy+kgdxX5mKrTttKOp3uewZqe3BPYASx4vV
8tEBdhIuncZfidRDMHpuUwo/fGf5R4yzf2REl7L777RbrxHj9HkEBD2gxkiLaUcq
wZAM3YlxckN1rCE3nwdj+GPa4b+4uslbjT4Ika2pEH0H6O+CJpxh2DGdRMHQxWs=
=NzYo
-----END PGP SIGNATURE-----

Do these vendors just support it, or USE it? I am very curious. I am not so smart, and could use a little help, even if it's all freeware, if it's all been pre-configured, and is trusted by trusted vendors, I might be interested, as trying to autodidact all of this information that turns into arguments gets very frustrating.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Paperchasing on January 22, 2012, 10:15 pm
Holy shit, its really too bad all ya'll were not on the elite team of the best of the best intel/cryptography gurus at the DIA and NSA cracking all the crypto codes coming out of the al-quieteda network trying to locate osama binjaden's ass, hell they couldn't even find the only dude that had satellite dishes mounted outside his cave lol....  (spelling errors on purpose)
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: wumg00 on January 22, 2012, 10:21 pm
Holy shit, its really too bad all ya'll were not on the elite team of the best of the best intel/cryptography gurus at the DIA and NSA cracking all the crypto codes coming out of the al-quieteda network trying to locate osama binjaden's ass, hell they couldn't even find the only dude that had satellite dishes mounted outside his cave lol....  (spelling errors on purpose)


lol i love it PC, too funny!  8)
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 22, 2012, 10:37 pm
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

SuperDimitri

All support it, some also use it as well. Please feel free to contact any of them for validation. By and large most already have a similar setup that they built on their own so mine is of little use to them.

That said it's certainly something one could put together on their own as it's not incredibly hard as has already been stated. If you are comfortable enough setting up various software packages to route through tor and setting up truecrypt then thats the majority of the work. I'm hoping to figure how to accomplish the customization with autoit but unfortunately I find myself having to defend the value of this product in this thread more than I would like.

If there are certain aspects you have questions about please feel free to post them and I will answer them as best as I can.

Thanks,
Looker
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPHI9OAAoJEEMAzoKrkXQ+6xcH/iTXJRbN/nQehr9x8kycA3Ux
j1OMrFx+EAC7ovFXOivhkfufAErVSZLyf6SuxYr6hZHGndwi28U+SFbMJt5woHqe
OJUb73V7rvY42ATAOuMXQYaYDyn6ppFA2BB7yUTcOuvXGcU4Efo7SojTyWNbjN6C
DrJa5SVoolQYDH56gfU5FEBsc01pRY8yVNmyH5iZcxec+MtIP08KxCT3G3xRQH5p
+TsRPrad9MniqO9Zhm+fm+zVC5vcQbOwBm3z9N8wGf+PUUp9A/FVtRYqfS+1B12R
2lJt0gFcuT/eXNV74NSyVTM7JjiPzZI1GsIfGHfqpWwzGmweOf0zjOP9t+ASBj4=
=bZeA
-----END PGP SIGNATURE-----
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: TravellingWithoutMoving on January 22, 2012, 10:55 pm
Holy shit, its really too bad all ya'll were not on the elite team of the best of the best intel/cryptography gurus at the DIA and NSA cracking all the crypto codes coming out of the al-quieteda network trying to locate osama binjaden's ass, hell they couldn't even find the only dude that had satellite dishes mounted outside his cave lol....  (spelling errors on purpose)

.....what?!...these threads which have been turned into ego fueled arguments....can't wait for it to run out of fuel after its lapped itself ten times over...
 whats the equivalent of a bedroom dj in the computer world?!


 
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: QTC on January 22, 2012, 11:39 pm
.....what?!...these threads which have been turned into ego fueled arguments....can't wait for it to run out of fuel after its lapped itself ten times over...
 whats the equivalent of a bedroom dj in the computer world?!
I agree with you that this thread has gone to irrelevance for the originally intended audience, but you shouldn't discourage the people that do know what they're talking about from dropping some knowledge here and there, lest they end up not caring for trying to educate others anymore. Personally, I don't care because if somebody chooses to be more secure that's cool, we are on the same team after all and I think SR has great potential to become a nigh indestructible network. If not, it's more low-hanging fruit for LE. Better them than me...
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 23, 2012, 12:53 am
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1


I'm hoping I will have feedback from a few more sales to get things back in the intended direction. I have 3 folks that are awaiting delivery of their drives so hopefully they will chime in with their thoughts.

In the meantime I'm trying to get my hands on all the parts for AutoIT it seems I can get everything except AU3Record is always missing which seems to be the key component for generating the click through scripts to at least get an idea of it's general work flow. This would take care of some of the manual tasks like setting up truecrypt, although there is a good how-to on that in another section of the forums as well. Thats the main thing is getting that setup properly. The rest in the configuring is mostly generating a pgp key, this is something I expect to be problematic because it doesn't allow ctrl-v type behavior to populate the password field it has to be entered in manually so I don't know that autoit could do that. Then signing up through tor on various websites and setting up the passwords in the safe for those users who want the fully conifugred flavors, so I don't think signing up for the various websites is scriptable but generating the key should be, and the truecrypt piece should be. As far as bitcoin, as long as their is no wallet that should stay the same until first boot. So if I could automate these particular tasks then I could probably provide a MD5 checksummable version.

Does this sound like something people would feel comfortable? While it may not cover everything I think that once those two significant tasks are completed then setting up thunderbird (which the instructions are already written for) for tormail and populating the password safe app would be something that would be entirely left to the user?

This would mean the majority of tasks woudl be scripted so the golden image to speak of (prior to first boot) would be MD5 verifyable?

The issue I recently hit now is that it's just slightly over 2GB in its unencrypted form (for both the 32GB and 16GB versions) and most file hosting services have a limit of 2GB, does anyone perhaps have a recommendation for some file hosting service that doesn't have this limitation, even if it's ftp vs. some kind of http like rapidshare?

Also what would be peoples consensus if the autoit script went as far as prompting for their SR username and pre-populating that for the PGP key with their SR username and srusername@tormail.net? Or should that simply be left (whether to add tormail.net email entry in) to the individual user to fill in manually, along with the password (which I think would need to be anyways)?

Thanks,
Looker

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.17 (MingW32)

iQEcBAEBAgAGBQJPHLW3AAoJEEMAzoKrkXQ+wt4H/jR4izkWYzp58l+naGILALiE
whdphoGBeCHJycE3tg/jajYU1Bka+UWkGkLZ+7/cwpQ+xUftPv6dCss9qCTrYqPh
aR9ccTa/Px4fSNHcHSvCspy2qh5P6vs0zLeUjVq0BTGwC9h3geDZs4KrmR+guwGS
SCvt/m1CYDRrG6LhLEWLGN26e0+WxmUOls+rj8wxgDGb94zLt15S/W8LoDz8QoFQ
M5ridpoI25aIoVNJ5+m1flHl7eHbScppYHJttz/7kU95jRzjUqKCsN4dexvpN67M
q9AoDP3rPgGFuqT0iJsrjpGXJzGrb7075sZvBsvuezLC9yyhkq8miGe0Wv96dis=
=oMjW
-----END PGP SIGNATURE-----
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: kmfkewm on January 23, 2012, 02:59 am
Quote
Firstly it's not intended to protect you from the hacking elite, I've never made that claim even once.

It really isn't intended to protect from much of anything, that is the main issue with it.

Quote
Secondly VMware is NOT full hardware virtualization, it's paravirtualization in this case (Full hardware virtualization is only available in their ESX products).

I am pretty sure ESX products are actually for paravirtualization, where as vmware workstation etc are full hardware virtualization. You are confusing

Quote
The more you respond the more it's clear that you have a very limited understanding (much more so than I had thought) of virtualization. I've made a career of it and security for well over a decade now, can you make that same claim? I doubt it.

I have only been studying computer security for about six years, but I do find it unlikely that you have ever worked in the computer security industry.

Quote
The only claim I've made as to it's purpose is it's intended to keep your data and transactions secure from LE.


And it will not, which is the issue

Quote
I never made any claims about the DEA. What intelligence work I did I really can't comment on for a plethora of reasons and you must be out of your fucking skull to think I would disclose any details related to that, I might as well eat a bullet before I disclose those details. The most I can say is I worked in general terms in the information security field, but thats all I will disclose.

Actually you did make claims about the DEA and the NSA. I didn't ask for specific details I just am curious which sort of work it was, SIGINT, COMINT, MASINT, etc. I don't think anyone will kill you for saying that will they?!

Quote
ASLR? Really? Are you really going to suggest that ASLR is even REMOTELY necessary for this application? If so go butt fuck your fantasy lover Theo and be done with it already. While ASLR provides levels of security to protect against hacks and the like thats NOT what this device is intended to be secure from as I have said over and over again but apparently that thick skull of yours doesn't seem to allow much data to penetrate it. I guess it's too secure....  ::)

ASLR and a 64 bit OS are at least highly suggested if you want to avoid being pwnt by the nth buffer overflow vulnerability in whichever applications you use. Yes we know you don't think your VM is secure from hackers, that is why it is strange to market it as a security oriented VM. You also have implemented its other security features poorly, and many of them are just eye candy that serve no real security function.

Quote
See above dickbag. Nobody made any claim that spybot was going to protect anyone from a would be attacker, it's a malware tool, thats all. Which if they are only using it for it's intended purpose is completely unnecessary, just like ASLR.

Scanning for malicious tracking cookies and generic spyware is essentially useless for serious security, but being immune to buffer overflow vulnerabilities in all of the applications you run seems like a pretty necessary thing to me.


Quote
Again failing to understand how virtualization works. Go do some reading Jr. because even if they had a whole dump of the HOST machines memory it's highly unlikely they would be able to retrieve the key from the guest. Secondly if someone comes bashing in your door, don't you think pulling the plug might be a wise move? Which would prevent them from obtaining a useable copy of what was in memory prior to pulling the plug unless they restore power in less than about 5-6 seconds. Which somehow I don't think the goon squad will be able to do.

1. They will root the guest VM and dump the key from memory there? After all the guest VM has the network facing applications that they can target already running inside of it.

2. If the key is in the guest VM memory it is also in host VM memory

3. They have much more than 5-6 seconds to forensically analyze the RAM after power is cut

4. I don't think you can likely pull the plug before they restrain you

Quote
So all you need for SR is firefox? Weird, if you are such a fucking expert how is it you missed the fact there are several other tools that should ALWAYS be used with SR?

And all of the tools are more or less the same on Windows or Linux.


Quote
Against who? Who is this device protecting against? You seem to often go on tangents and lose sight of this very important fact, but the more you punch away at that keyboard the more I realize you really are just another wanna be blackhat with no concept of what is reasonable security measures are and what is completely unreasonable and overkill for a particular application.

The more you pound on the keyboard the more I see you are either delusional or an epic troll

Quote
You again are talking about security that is extremely overkill for this application. I'm not even going to repeat myself for the 100th fucking time. You have absolutely NO fucking clue what I know about security and what security mechanisms I am familliar with.

I have no idea because you have not demonstrated any security know how, all you have demonstrated is the ability to install some random stuff (shit) and what is required for SR on Windows XP.

Quote
What I have admitted is that I am interested in making money in exchange for my professional skillset that I use every day in the real world and am compensated quite well for.

It is a shame if you are being paid to do anything related to security, but not that surprising. Most corporate security people blow.


Quote
Your wrong, I know this for a fact. I will not elaborate on this further but AES256 on it's own has been compromised in the past.

When it is used as a checksum AES-256 has had its security substantially reduced, I think there was also an attack that caused significant damage to it when used as a symmetric encryption algorithm, however there are no known cases of AES-128 or higher being directly broken. You can spout off bullshit uncited claims and say you have secret inside info all you want, but at the end of the day it just makes you look like a fuckwad. Citation, technical details, or shut the fuck up, to put it nicely.


Quote
Again showing your lack of comprehension of security in virtualization applications. There is isolation between guest memory and host memory, when was the last time you examined the memory dump of a guest VM generated from the host? If you did it wasn't very useful because it needs to be generated from within the guest to be useful.

1. They will analyze the virtual drive looking for the leak
2. Things in guest memory also must be in host memory



Quote
Nothing is ever %100 fool proof, suggesting anything otherwise would be disingenuous at best. If you are such an expert at cryptanalysis and/or forensics hows about I provide you with a file and a message inside it and when you are able to recover the data then you will have earned some semblance of a leg to stand on, until then you are nothing more than a forum troll spouting off at the mouth about things you don't know anywhere near what you suggest you do about.

I doubt that I can decrypt anything you send me that has been encrypted with a strong algorithm. I also doubt that the NSA can. You are the one claiming that AES-256 can be cracked, not me.

Quote
You clearly (again) demonstrating a significant lack of knowledge about the types of virtualization in use and the mechanisms and features of each. This vm is NOT full hardware virtualization or HVM for those in the industry (like myself) refer to it.

HVM and full hardware virtualization are not the same thing, you can have full hardware virtualization via binary translation without using HVM. This is the way the terms are very commonly used anyway, technically I believe that binary translation is not actually full hardware virtualization, but virtualbox is still called full hardware virtualization even if it isn't getting hardware support from the CPU.


Quote
The scope of the project is to keep you safe from local/state and FBI LE, thats it.

This product will not keep you safe from FBI and is unlikely to keep you safe even from many state and local agencies.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: kmfkewm on January 23, 2012, 03:12 am
Quote
With VMware workstation the guests are not fully hardware virtualized with 32 bit guests. Full HW virtualization is only available 64 bit guests (running on 64 bit host OS, aka hosts that support 'long mode' and VT/AMD-V), for the footprint of this guest it makes no sense to use 64 bit as it offers no benefit and opens up vulnerabilities like you mention above so these sorts of security risks are mitigated in the fashion it was offered. This was a concern when I started this project and was a factor in deciding what the base platform would be. This makes a few assumptions that the average user doesn't understand what VT is or how to enable/disable it and that the host OS is more likely 32 bit than 64. I haven't recently looked to see what is more common now but I suspect 32 bit is still the majority if even by a small margin.

64 bit OS brings at least one advantage, if you use it with full ASLR you are essentially immune to buffer overflow attacks. That is a huge security advantage. Also you can run full hardware virtualization solutions without hardware virtualization support if the product uses binary translation, like virtualbox does.


Quote
In the unlikely/unfortunate event that the owner/purchaser is in a situation where perhaps their computer is seized as part of a warrant there will not be any evidence of their activities on SR on the hosting machine. In the event that the thumbdrive is also seized the vm residing on it may contain data that LE could be interested in and need, is now contained and heavily encrypted. This gives the owner/purchaser a few options:

Anyone who can click next and enter a password can get the same exact benefits just by using Truecrypt without all of this other trash attached to it

 well documented unless they have your password (again shut your mouth and lawyer up) or key (very difficult and unlikely)


Quote
I can't disclose how I know this but I can say with certainty that AES256 has been comprimised in the past 10 years. This has not likely been published anywhere that you would have access to for now, but I can say without any reservation that this is the case. This is the reason for the use of 3 cipher XTS mode. If you want a general idea of when, look into the regulations that were lifted on the exportation of cryptography post cold war. You can choose to believe what you want but I will never trust AES256 for protecting any filesystem on it's own unless it is used in conjunction with whirlpool or as part of a multi-cipher technique.

You know that whirlpool is a hashing algorithm right? It can be used with AES but it isn't adding another layer of symmetric encryption to do so.


Quote
Firstly it will continue to have updates for however long MS decides, in these updates there are often 'fixes' that undo activation hacks, leaving a potential customer in a situation where their VM becomes unuseable and thus unable to purchase or vend, causing vendors a loss of revenue or ability to process orders as well as revenue loss to SR. With XP this is hugely unlikely.

He who puts money over security will be raped in jail
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 23, 2012, 05:15 am
Quote from: kmfkewm
It really isn't intended to protect from much of anything, that is the main issue with it.

Tired old pointless statement, what your suggesting it should protect from is not unique to this product, it exists on every windows xp machine out there. Adding yet again 0 value.


Quote from: kmfkewm
I am pretty sure ESX products are actually for paravirtualization, where as vmware workstation etc are full hardware virtualization. You are confusing

You are mistaken, but thats ok I don't care enough to repeat myself and I'm tired of having to explain things to you that are not consistent with the purpose of this thread. You want to go have a discussion about various types of virtualization, great, so start a thread for it.

Quote from: kmfkewm
I have only been studying computer security for about six years, but I do find it unlikely that you have ever worked in the computer security industry.

Of course, because in your 6 years you have amassed so much professional experience actually doing it in practice that your studies far outweigh real world application. Good to know, I guess I have been wasting my time the past 15 some odd years. I'll make sure I start doing it your way so I get it all figured out as well as you.

Quote from: kmfkewm
And it will not, which is the issue

and then:

Quote from: kmfkewm
I doubt that I can decrypt anything you send me that has been encrypted with a strong algorithm. I also doubt that the NSA can.

So either it's secure from local and state authorites and possibly FBI or its not. By your own statement you just clearly stated that without the key and/or password you doubt even the NSA can decrypt the disk. And there are also plenty of articles stating the same thing. I guess they are all liars and morons too.

Quote from: kmfkewm
Actually you did make claims about the DEA and the NSA. I didn't ask for specific details I just am curious which sort of work it was, SIGINT, COMINT, MASINT, etc. I don't think anyone will kill you for saying that will they?!

Wrong I stated NSA that I was aware of the tools at the disposalt at the DEA which are nowhere near the NSA. And it doesn't matter what you think, I have no intention of disclosing any more details than I already have. Your retarded to think I would be so careless with that sort of information.

Quote from: kmfkewm
ASLR and a 64 bit OS are at least highly suggested if you want to avoid being pwnt by the nth buffer overflow vulnerability in whichever applications you use. Yes we know you don't think your VM is secure from hackers, that is why it is strange to market it as a security oriented VM. You also have implemented its other security features poorly, and many of them are just eye candy that serve no real security function.

Again this would apply to any machine on any other network running the same os and not something this is intended to protect from.

Quote from: kmfkewm
Scanning for malicious tracking cookies and generic spyware is essentially useless for serious security, but being immune to buffer overflow vulnerabilities in all of the applications you run seems like a pretty necessary thing to me.

Lot of malicious tracking cookies on SR are there? Perhaps you should bring that to the attention of the admins. Otherwise your just stating the same irrelevant argument.

Quote from: kmfkewm
1. They will root the guest VM and dump the key from memory there? After all the guest VM has the network facing applications that they can target already running inside of it.

2. If the key is in the guest VM memory it is also in host VM memory

3. They have much more than 5-6 seconds to forensically analyze the RAM after power is cut

4. I don't think you can likely pull the plug before they restrain you

1.) well since your clearly the expert why don't you demonstrate how easy this is.

2.) Why don't you examine a memory dump and then show us all then.

3.) Don't leave it running unattended then. (I may have mentioned this before?)

4.) Move faster then chunky.

Quote from: kmfkewm
And all of the tools are more or less the same on Windows or Linux.

Yeah, there is that one thing though, that whole OS piece thats completely different, but thats a totally minor detail. I think I may have mentioned something about eventually offering a linux one, and I might even have said something to the effect of windows being picked due to the target audience but I've repeated so many things so many times I'm starting to lose track and even interest in feeding trolls like yourself.

Quote from: kmfkewm
The more you pound on the keyboard the more I see you are either delusional or an epic troll

I love how I'm the troll in my own thread, thats even more epic. Don't you have any other threads to troll? You do put in a lot of effort doing it. How do you manage to keep up?

Quote from: kmfkewm
I have no idea because you have not demonstrated any security know how, all you have demonstrated is the ability to install some random stuff (shit) and what is required for SR on Windows XP.

Now your almost getting the point, but I woulnd't want to ask so much of you. So I guess this is as close as it gets.

Quote from: kmfkewm
It is a shame if you are being paid to do anything related to security, but not that surprising. Most corporate security people blow.

Your absolutely right thanks for making this so clearl, I'll make sure to inform my director of this first thing in the morning so they can find someone clearly more capable since I'm so completely inadequte for performing any of this sort of work for the clients I work with.

Quote from: kmfkewm
When it is used as a checksum AES-256 has had its security substantially reduced, I think there was also an attack that caused significant damage to it when used as a symmetric encryption algorithm, however there are no known cases of AES-128 or higher being directly broken. You can spout off bullshit uncited claims and say you have secret inside info all you want, but at the end of the day it just makes you look like a fuckwad. Citation, technical details, or shut the fuck up, to put it nicely.

Fine use it as much as you want It's your data not mine.You simply don't and likely never will have access to the information I used to formulate my decision. Right or wrong 3 cipher XTS mode is stronger than AES on it's own, if you'd like to argue that go start a thread about it. Not having faith in one cipher for whatever my reasons and deciding to use multiple is not a bad decision any way you look at it. Like I said I could give a shit about your data. Thats your problem.

Quote from: kmfkewm
1. They will analyze the virtual drive looking for the leak
2. Things in guest memory also must be in host memory

1. Again kind of hard to do when it's not running but meh, details details.
2. See #1, or if it's so simple why not do a writeup on how to extract said keys from the guest via the host systems memory dump. clearly this is such a simple task.

Quote from: kmfkewm
I doubt that I can decrypt anything you send me that has been encrypted with a strong algorithm. I also doubt that the NSA can. You are the one claiming that AES-256 can be cracked, not me.

I stated it had been comprimised in the past, thats all and again this is based on information you will not likely see anytime soon. So it's a moot point use what you want, I don't trust it on it's own. Nothing you say will change that and there is nothing wrong with taking additional measures. I love that you are faulting something for having additional measures for encryption.

Quote from: kmfkewm
HVM and full hardware virtualization are not the same thing, you can have full hardware virtualization via binary translation without using HVM. This is the way the terms are very commonly used anyway, technically I believe that binary translation is not actually full hardware virtualization, but virtualbox is still called full hardware virtualization even if it isn't getting hardware support from the CPU.

Again, no longer interested in providing virtualization lessons. You have several things confused. HVM is what Xen calls full hardware virtualization, hence the H. Binary translation is actually emulation and thus used in combination with paravirtualization. VirtualBox is worthless from a security stanpoint and I'm not going to argue with you about what it is and isn't, some of it's developers sit less than 10 feet from me, if they think it's not even remotely useful from a security standpoint I'm going to take their word for it.

Quote from: kmfkewm
This product will not keep you safe from FBI and is unlikely to keep you safe even from many state and local agencies.

But before you couldn't decrypt it and neither could the NSA. Guess the FBI must have some pretty fancy tools then, maybe they should show the NSA how it's done.

Quote from: kmfkewm
64 bit OS brings at least one advantage, if you use it with full ASLR you are essentially immune to buffer overflow attacks. That is a huge security advantage. Also you can run full hardware virtualization solutions without hardware virtualization support if the product uses binary translation, like virtualbox does.

Yeah but you would complain about it too so it really it's a moot point. Binary translation is also available in vmware as wel but meh, who cares about details.

Quote from: kmfkewm
Anyone who can click next and enter a password can get the same exact benefits just by using Truecrypt without all of this other trash attached to it

Sure, and if they can set everything up themselves I encourage them to do so. Then maybe they will use things like pgp for communication and encryption and begin using good password habits which will help keep us all safer.

Quote from: kmfkewm
You know that whirlpool is a hashing algorithm right? It can be used with AES but it isn't adding another layer of symmetric encryption to do so.

I thought it was an appliance, thanks for clarifying. Boy this whole computer vs. appliance thing is really got me all confused.

Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: lrp72 on January 23, 2012, 03:09 pm
**passes out rulers**

If you all would lay your dicks out and measure up, we could end this ridiculous battle.  I love Looker's product, it secures me from exactly what I want it to secure me from - the prying eyes of my friends and family who use my computer.  I pull the stick, put it in my purse and my SR secret is mine.  If the popo comes knocking, my computer is relatively harmless looking.  If they decide that my personal buyer self is worthy of that close of an analysis, then so be it.  Maybe they find it, maybe they dont.  But, it will be a much harder find than it was before I started using this thumb drive.  And for what its worth, I have been using it for 2 months almost, and I haven't lost a bitcoin yet.  I continue to trust that Looker is helpful, trying to make a few bucks, and is not out to scam all of SR and would recommend this to any buyer that is maybe too lazy (like me) to create something like this yourself.   Let this ridiculousness come to an end.  If you don't want Lookers product - fine.  You have all made your point.  Throw out your measurements and let it go.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 23, 2012, 03:44 pm
Redacted my worthless post.


Thanks lrp for explaining exactly what this is intended to be for and how well it's worked for you, thats all I am trying to accomplish is help people keep their data a bit more private so they can do things just like you are suggesting.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: wumg00 on January 23, 2012, 05:56 pm
@ Looker

 Personally, if I were you, i would delete this whole Flame-a-thon of a thread and just set up a thread for review and then let your product speak for itself thru the clients who are currently using it or are waiting to try it out. becuase the thread , as it is now, does nothing but confuse and put off potential buyers, I know that if I had read all this stuff I wouldnt want to order either just because its impossibvle to know who is right and for your avg computer user like myself, all the arguing here going bk and forth is almost in another language to us. I do thihnk you have a genraly good idea here but do yourself a favor and delete this thread and just saet one up for reviews cuz thats all future buyers really care about anyways is hearing how other ppl like or dislike the product.
anyways, as always, just mi dos centavos!  8)
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 23, 2012, 06:43 pm
Wumg00

Thats actually what I was thinking too. It's been totally derailed and turned into a discussion about things that are way above and beyond the point of the thread. I originally posted it to get peoples input on what they thought about it based on their actual experience with it. On the other hand I also don't want to lose some of the feedback it's already gotten. Hopefully it will get back on track, we'll just see in the next few days.

Thanks,
Looker
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: TravellingWithoutMoving on January 23, 2012, 09:18 pm
.....what?!...these threads which have been turned into ego fueled arguments....can't wait for it to run out of fuel after its lapped itself ten times over...
 whats the equivalent of a bedroom dj in the computer world?!
I agree with you that this thread has gone to irrelevance for the originally intended audience, but you shouldn't discourage the people that do know what they're talking about from dropping some knowledge here and there, lest they end up not caring for trying to educate others anymore. Personally, I don't care because if somebody chooses to be more secure that's cool, we are on the same team after all and I think SR has great potential to become a nigh indestructible network. If not, it's more low-hanging fruit for LE. Better them than me...

i don't know who you are i have no qualms with you per say well not what i had in mind with my 2 pence worth.
i won't comment on the individuals on reply to your post...but don't give up your day jobs just yet.

I'm not surprised a regular user/buyer can't make head nor tail of this plus the other thread.
i could go into why this point of view but thats what makes others better equipped to do their job.
there are far better ways to structure these points of view (in general) w/o highjacking certain threads and pissing all over them suggesting their own solutions are
better than everything else.



thats all for today.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: randomOVDB#2 on January 24, 2012, 06:12 pm
Just so that we are clear, deleting a thread because someone doesn't like the responses is a bitch move. If you want to sell, be prepared to take criticism.

Thing that bothers me most is people acting retarded. "Regular user doesn't get that", "It's too much to read", "I don't know how to use Firefox in Linux".
If you don't want to read it, just fucking skip it. All this yawning just shows that our educational system has failed. A bit unrelated but if you are not willing to put in a bit of work (setting up GPG comes to mind) go back to buying drugs from the fucking alleys.

Looker, I'm trying to understand what are you trying to do here. Is it help the community or make some money ? If you are a security expert of a sort I can't imagine the latter being a motivation.

If you want to do it for SR then stop hiding behind the "average user" bullshit. I'm being harsh but using Windows  XP because you think the average user is a moron (Linux today is easy) is not a good way to security. Of any kind. Also how is that ever going to change if we keep feeding people the same lazy solution ?

If this is indeed for the community, open up a new thread in the security and invite security versed members to exchange ideas. I'm pretty sure SR has ten security guys that could make/combine a killer SR app combo. And isn't that what we all want ?
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: kmfkewm on January 24, 2012, 11:00 pm
The thing is we are all leaving reviews on this product. I don't need to pay for it to know that it is shit. I also can see clearly that Looker himself is entirely full of shit on many points, which puts everything he says that isn't immediately recognizable as a lie into doubt as well. Use his product if you want but it is nothing more than snake oil bullshit. It amazes me that people are willing to pay money for this! I guess a sucker is born every day. I have met many people like Looker in computer security communities, they are a strange breed and sometimes I honestly think they really believe the absurd bullshit they spew despite the fact that every single other person with security know how disagrees with them. They also all tend to be majorly over selling shit products......

You would be better off using Liberte Live (which is free and comes with everything you need for SR other than bitcoin) and a bitcoin wallet site. Feel free to pay for this worthless security product if you like, but there are free options that are far superior. Also Looker has little to no idea what he is talking about. AES is cracked because of the huge processing power at the disposal of the NSA? Well guess what a 256 bit key can be brute forced if it is Serpent AES or Twofish.

Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: kmfkewm on January 24, 2012, 11:05 pm
The whirlpool thing was funny. He (Looker) says so many weird things that I can't waste time pointing them all out.

Yeah I LOLed

Quote
I'm guessing he reads tech news sites and dabbles on his own.Not an expert, but knows enough to sound like one to someone who isn't.

Exactly this. The scary thing is he probably actually thinks he is an expert.


Quote
I was going to mention this before but forgot to. The triple encryption thing is probably pointless in the AES+serpent combination. I think they are almost the same thing anyway. Twofish is different, so I can understand wanting to combine it with one of the others. I wouldn't bother, but It isn't completely wrong from a paranoid point of view.

Triple encryption is probably pointless no matter how you look at it, none of the algorithms Truecrypt supports have ever been directly broken. Twofish uses a different sort of math than either AES or Serpent though, and will likely be immune to many attacks that effect them. For this reason it makes sense to combine it with AES or Serpent, but I wouldn't say it is required by any means.

Quote
So to talk about how things should be. First of all, you would be a lot more secure avoiding this product and just learning how it is supposed to work. Install apps mentioned here and learn to use them. The VM could easily be backdoored or have malware in it. I'm not going to check. I'd have to pay money to see it anyway. You should not be trusting software that you got from someone on this forum.

Yes

[quote[If only a script was released here, it could be easily inspected and trusted. It would be relatively small and uncomplicated. It might also be too complicated for some people to set up themselves, so the final product of the script could be released alongside it. Since the final product can be created by anyone with the same script, anyone can verify that the final product that is being released is exactly as it should be, with no binaries with incorrect checksums or anything like that. In fact there could be a second script just to verify someone else's installer based on the one that you created yourself, something more experienced users could do to increase the trust in a released version. There would be no single person saying "Hey, run these binaries on your computer, you can trust me, I work for ____ and can benchpress ____ tons while cracking AES."[/quote]

Yes

Quote
This XP VM is a mess. It will never be something that a reasonable person can trust. At best, it gets people who are using the more secure Win7 to do important things in the less secure XP. At worst, it is a project of a cop who has some computer skills and wants to backdoor buyers and sellers.

Yes. What really annoys me the most is he releases a shit product that is totally insecure and then acts like he is the person who invented Truecrypt.
Title: Re: Secure Virtual Machine with everything needed for SR **Now available**
Post by: Looker on January 25, 2012, 04:59 am
Quote from: randomOVDB#2
Looker, I'm trying to understand what are you trying to do here. Is it help the community or make some money ? If you are a security expert of a sort I can't imagine the latter being a motivation.

I will explain this one more time. I've cobbled together a handful of very useful and comprehensive utilities that come pre-configured inside of a VM. In addition to those utils (which are useful for SR as well as other things) I've added some mild security features to make the data in the vm easy to conceal (it's on a usb key) as well as heavily encrypted that for buyers would be far too hard to break for local/state and FBI authorities to waste their time on. Let alone that it's highly unlikely that they would even been able to retrieve data off of it in the first place.

The point is this. There are a large number of users on SR who do nothing more than this:

Install tor browser bundle. Thats it, No PGP, No encryption in email, not using an email service like tormail or other onion email or hushmail/safemail etc, likely running it right on their desktop ripe for the picking without anything protecting that data putting us all at risk by making themselves the easiest target possible. This is the 'low hanging fruit' often referred to for LE and what I am attempting to help lessen.

This is a simple and effective way of helping those users use a few simple utilities, employ some level of isolation from their normal desktop data, make it portable (so it's not left unattended) and use encryption for email, SR, and protecting that with filesystem encryption. These small but effective changes in behavior assist in making that person safer and more secure as compared to the previous description I just provided.

Thats it. It's not some unbreakable uber elite hacker proof anything and I've never claimed it was. However people see fit to ramble on and on about what a failure it is and how it's so easy to hack blah blah blah and susceptible to being rooted, when this is nothing unique to what I am offering, the same is true of ANY windows xp machine running. period, but they act as if this is unique to me, and my problem to solve. Furthermore very few, if any have offered anything more than criticism and continuously make weak attempts to question several things ranging from my competence all the way to up to suggesting I am either some form of LE or looking to strip SR's members of their bitcoins through some elaborate keylogger or malware scam, or some big LE effort to bring down SR as well as my integrity. With no data suggesting even a single one of those things is true and speculating about my competence in my profession. Unless you are the one writing my paycheck (and you are not) I could care less whether you believe me or not, no matter how competent you may or may not think I am if my employer see's fit to pay me in well in excess of six figures for my skillset, that would be a fair enough indication to me that someone thinks my skillset is of value. Clearly neither you nor several others seem to think I am offering anything of value so do everyone a favor either roll up your sleeves as was suggested and put up and provide something equally or more valuable or go find someplace else to troll. If you want to actually offer whatever expertise you may think you have to improve upon it, perhaps even offer some scripting if you know autoit well or whatever I am more than happy to engage in that sort of discussion. But if you aren't here to help then go find someplace else to be a dick.


Quote from: kmfkewm
The thing is we are all leaving reviews on this product. I don't need to pay for it to know that it is shit. I also can see clearly that Looker himself is entirely full of shit on many points, which puts everything he says that isn't immediately recognizable as a lie into doubt as well.

Your not reviewing anything, you've never seen or touched the product and not even open minded enough to consider it. I've been more than open with providing it for free but it would be completely useless anyways. The ONLY thing you are doing is threadjacking and trolling and not offering a single bit of constructive advice nor suggestions on how to improve the existing offering. You're just waving your e-penis around and attempting to sound like some security guru to impress god knows who but it isn't me. Oh and sorry studying for 6 years doesn't amount to shit when you have actually been doing it for 15 years in the field, and worked in some of the places I have worked. You have no fucking concept the sorts of things I have seen, done, or otherwise been involved in and I don't give a flying fuck if you did. Your worth amounts to nothing until you have something of value to provide. You've yet to do anything more than complain and troll.


Quote from: kmfkewm
You would be better off using Liberte Live (which is free and comes with everything you need for SR other than bitcoin) and a bitcoin wallet site.

Yes, liberte as well as some other small utilities would be useful and more secure in many ways. Nobody has denied that. So why don't you go offer something with it for whoever and actually roll your sleeves up and produce something. Thats right your too busy trolling to show off your e-penis.

Quote from: kmfkewm
Exactly this. The scary thing is he probably actually thinks he is an expert.

I've never claimed to be an 'expert' I'm not nearly as arrogant as you. However my employer seems to think quite well of me and pays me accordingly. The only thing you've given is shit. I'll stick with my employers opinion.


Quote from: kmfkewm
Triple encryption is probably pointless no matter how you look at it, none of the algorithms Truecrypt supports have ever been directly broken. Twofish uses a different sort of math than either AES or Serpent though, and will likely be immune to many attacks that effect them. For this reason it makes sense to combine it with AES or Serpent, but I wouldn't say it is required by any means.

If it's pointless then don't bother using it. Nobody said it was required, it's an easy insurance mecahnism. Your own statement is contradictory. First you say it's pointless, then you say it's immune to many attacks (indicatin there would be a point), and then say it's not required (back to pointless?)

Quote from: kmfkewm
Yes. What really annoys me the most is he releases a shit product that is totally insecure and then acts like he is the person who invented Truecrypt.

Funny I don't recally saying I invented anything anywhere. I've never claimed to do more than assemble a collection of tools for people without the expertise or desire to do so.