Messages - kmfkewm

406
Quote
- I view this as fundamentalist thoughts and this is also what separates me from those "so-called" libertarians who abuse the fight for freedom and try to push them to nonsense extremes on certain topics that opens the gates to situation where a lot of us actually have LESS freedom than we had before.
Your freedom ends where the one of others begins.

Pure libertarians are for the decriminalization of CP possession. Maybe you hold libertarian beliefs on some things, but you are not a pure libertarian if you want to censor peoples access to information, plain and simple. The official position of the libertarian party is for legalizing CP viewing, even the ACLU wants to decriminalize CP viewing AND distribution.

Quote
-Kmf, you are not the very first to rationalize your views and thoughts on this.
Many caught pedos, those that actually commit atrocities, go into the same direction.

It is completely incorrect to characterize my arguments as those typically attributed to pedophiles. Notice the difference:

"I didn't really hurt that child, because children actually really like to suck cock, and it is only because of the religious people that I am in trouble"

vs

"Look at all of this abundance of information showing that people who view CP are not child molesters, and all of these studies showing that legalizing CP possession results in less child molestation, and listen to all of these perfect arguments by analogy as to why it is immoral to send people to prison for possessing information"

Did you ever stop to think that maybe you and the people arguing against me are the ones rationalizing why you want to send people to prison for looking at pictures? Because the facts are not on your side. There is no evidence that every time somebody looks at a picture of molestation the molestation happens all over again, and any sane person would realize that this is bullshit of the highest degree. There is no evidence that people looking at child porn without paying for it causes more children to be molested, and there are studies showing that every country that allows people to do this has lower child abuse rates as a result. You are the people rationalizing your barbaric behavior, I am not the one making baseless claims or putting out laundered statistics or claiming that I am right because of magical processes that can not be measured or observed but must be believed in with faith, contrary to all evidence.


Quote
When you compare cp to bankrobbery pics bull or the war on drugs you compare apples and oranges.
You going it is a "tomato, tomato"-thing actually made me laugh out loud.
When you try to abuse arguments like holocaust pictures, it once again boils down to ... INTENT. Pathetic variation on usual Godwin in my book.

Godwin is a thought terminating cliche that was invented to stop people from comparing the atrocities of their own societies to the atrocities committed by the Nazi's , if every time an analogy to fascism and totalitarianism is made you invoke Godwin's law, you are merely trying to deal with your own cognitive dissonance. I don't need to use thought terminating cliches because I don't simultaneously hold contradictory beliefs ("It is bad to look at images of child abuse!", "It is not bad to look at images of children running naked with their skin burning off from US bombs dropped on their villages!"). The fact that you need to use thought terminating cliches is just an artifact of your own cognitive dissonance and is strongly indicative of YOU as being the person who needs to rationalize your thoughts.

Quote
Saying vegetarian Modus operandi is flawed is so short-sighted since there is actually real improvement when it comes to that even though it's a combined effort of their own action, society evolution and climate change etc etc.
Plus it is also an individual decision so trying to bring in that logic in your CP propaganda is neither here nor there.
So please refrain from stretching your examples when it has little to do with it.

What? LOL my CP propaganda. Did you not read the statistics launder report on CP? Look who is making the propaganda, is it me or is it the media and the government with their hundreds of papers and numbers that have been debunked? Am I the one making propaganda or is it the media by saying all people busted with CP are child pornographers (oh are you a pornographer for looking at adult porn?) and the media for saying that all child porn viewers are child molesters. I am fucking insulted that you claim I am the one making propaganda about CP when there is propaganda about CP everywhere you fucking look other than from me. Is it not propaganda to claim that every time an image of CP is viewed the child in it is molested all over again? Or are you really so fucking retarded that you believe in magic?

Quote
-Bottom-line,intent DOES matter when it comes to these things.
I don't care if CP isn't 100% the act of rape or accual sexual depiction.
It is the intent that matters.
You are full on defending the intent to sexualize children for the benefit of those that don't dare (..yet) to accually do this themselves or your other examples etc etc.
Thus you are trying to normalize the traffic and business of abusing children.
With your reasoning there is accually no limits.

I am defending the right of people to look at whatever pictures they want without worrying about being ruined for life for an act that caused absolutely no harm to a single fucking person.

Quote
The war on drugs kills the right an individual has to make an INFORMED decision to consume a substance at their own risk.
The war on cp fights against those that kill the right a child has to make an INFORMED decision to engage in activity with pornographic intent at his own risk.

Sorry dude but when you buy some drugs you are almost certainly funding cartels that kill innocent people who have no say in the matter. People using drugs funds the cartels and the cartels kill innocent people. People viewing CP doesn't even fund child pornographers unless they pay for it. You can say that it is not your fault that the people who you ultimately buy your drugs from are killing innocents, and I agree entirely. But you are a hypocrite to hold yourself to a different standard than somebody who is looking at images produced by people who rape children. It is not the fault of somebody who views an image what the person who created the image did, any more than it is your fault what the people who you pay for drugs do with the money from the drugs.

Quote
Now here's the catch,a child can not give consent the way those of age can give.
Especially not to an elder that has the upperhand of knowledge,full understanding of the situation and experience.
It does not fully grasp the sexual concept,it's implications and consequences.It will when he/she grows up.

Yes a great reason why the age of consent should not be 8 years old and also a great argument against production of CP. What does this have to do with people who view CP? I understand nobody has a real argument against them other than that they make them feel sick or emotionally disturbed, but please enough with the strawman arguments already.

Quote
-You say YOU would not care if you were molested and pictures of it would surface and be passed around in the pedo-"community".You have no idea or clue this statement is true.

Even if I did care it makes no difference. My caring about pictures of myself has nothing to do with another persons right to view any image without being sent to prison. You do not have a right to control who views every picture of you on the internet, people have a right to view any image on the internet that they want to. Anyway how the hell do I even know that anonymous people are looking at my picture? At best you have an argument against distribution here, nobody can know if somebody anonymously downloads and views a file. Oh I know how about to save all these children we stop having the police hunt down child porn viewers, then the children depicted can be kept in the dark and never know that people were viewing their images.

Quote
For fantasy purposes ,use your brain only.
It is said that most of the time reality never is as good as fantasy right:).
Stick to your brain,you can't be incarcerated for that and no child suffers from it.

No child suffers from some anonymous fucking person looking at already created and available pictures.

Quote
- Now do i feel ALL pedo's should be put to death??
I have always said no but the older i get ,i sometimes catch myself thinking it.But that is probably an emotional reaction you get when you see all the evil and bad things in life. I sometimes think the same about those that do things less serious things like just being utterly stupid or with shameless flawed logic :D. It is just a thought.

Big surprise that you want to put all pedophiles to death you fucking Nazi.

Quote
So no, not simply put away, I believe incarceration as we know it has no point if there is no scientific studying involved with the intention of one day being able to handle individuals like yourself in a way that children are no longer endangered.
Also emphasis should be on case by case studies.

People like myself? In many first world countries I am not even attracted to anyone who would be illegal for me to have sex with, and in many of those countries it is not even illegal for me to look at CP if I wanted to. Sorry to break it to you but your little cultural sense of morality that you have been indoctrinated into is not universal and in fact is pretty specific to a few countries in particular.

Quote
-Now you go ahead with your rationalizing.
You guys are well known for putting yourselves in victim position 24/7 no matter what awful deeds have been done or to what extremes.

Yes the awful extremely horrible deed of looking at pictures must never go unpunished 0_0.


Quote
I feel only sorry for the pedo's that live with these urges against their will (they DO exist folks) and that aren't helped by society or science.
And also feel sorry for those with other sexual orientations that fall victim of guys like kmf rationalizing their bull and have the agenda to equate their urges to all other sexual orientations.
It's not the same for the reasons mentioned above.

Every study done on penile response shows that average males have the same sexual reaction to those 12-16 as they do to those 17+ buddy.

Quote
BTW You accuse other of going full emotional on this topic, I'm glad that with your apologies you expressed you did/do the same and hopefully you won't act as if you are superior to others when it comes to logic and reason ever again.

They got emotional for a different reason than I did, I got emotional because it was frustrating trying to talk logic to people who think they can make shit up and then use it as a basis for attacking me from.

Them: Random Unrelated Bullshit
Them: LOL YOU LOSE
Me: On Topic Related Facts
Them: Random Unrelated Bullshit
Them: YOU WERE WRONG SEE

is an incredibly frustrating experience.

407
Security / Re: Encryption is less secure than we thought
« on: August 16, 2013, 04:38 pm »
Quote
There will always be a way around because the decryption algorithms have to be publicly known and you can just start guessing the key. So making encryption secure is "just" about making keys enormously unlikely to guess right. However guessing the right key will always only be a matter of time and a little luck. Because obviously you can guess the key right in the very first try if you're lucky or in the very last of possible tries if you're not.
Today's encryption algorithms are not theoretically secure. Yet guessing the right key is so incredibly unlikely that (even with the most advanced computing technology available) it would take you years to guess a single key right. With a home PC it would take until the end of times. On average of course. That's why you call certain encryption algorithms "practically secure" although they all are theoretically insecure.

Information Theoretically Secure: Cannot be broken, period
Computationally Secure: Cannot be broken without computational power that hopefully nobody has

Quote
What the article (very) basically says is that "traditionally" the prior (marbles perfectly spread) was assumed and that when assuming the latter you can speed things up by guessing combinations that have a lot of blue marbles in them first because those are more likely to be right.

I find that rather obvious and thus am sure that I didn't totally get the point of the article...

That is kind of what I got from it as well, but RNGs and even PRNGs should have so much randomness (or produce only randomness in the case of RNG) that this is not feasible. Also, my understanding is that all modern ciphers are protected from chosen plaintext attacks, so the randomness of the plaintext should not matter. To the best of my understanding this attack only really matters against non-randomly generated passwords and poorly designed ciphers, but yeah the math is beyond me so I could be way off here.

Quote
The person shaking the box would be a random number generator that's used to get numbers to generate e.g. a key-pair from. Afaik it's controversial if it is even possible to generate numbers (shaking the box) perfectly randomly so that there will be no pattern at all.

It is indeed debated. Some people think that true randomness is not real and that all things are completely deterministic. I think quantum physics indicates that there is randomness though, again this stuff is a bit beyond my ability to fully comprehend so take what I say for what it is worth.

Quote
Generating random numbers without having patterns appear is a huge deal and a major problem in cryptography. That's why when creating PGP-keys or when creating a truecrypt container you are asked to randomly move your cursor around in the window. And still: Because the physiology of people's hands is very similar they all move their mouses in a similar (supposedly random) way. There's your pattern again ;)

I was just thinking about this the other day. I bet when most people are asked to type randomly on their keyboards it looks something like this: eijfwoejfiewjfioewjfijfiwejfiwjfiwjfijfwejfiwejiofwejifwejfjewiofwj , and that when most people are asked to move their mouse randomly they move it in a circular pattern or up and down pattern. I think it would be better if they were asked to type a short story or to draw a random picture.
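The marble analogy quoted in this post can be made concrete. The following is an added example, not part of the original posts and not taken from the paper under discussion: it computes the average number of guesses needed when a row of `n` marbles is guessed most-likely-first, for a perfectly even source and for biased ones. The function names and the bias values are assumptions chosen for illustration.

```python
from math import comb


def expected_guesses(n: int, p_blue: float) -> float:
    """Mean number of guesses when rows of n marbles are tried most-likely-first.

    Each marble is blue with probability p_blue, independently of the others.
    """
    # All rows with the same number of blue marbles are equally likely,
    # so treat them as one class: (probability of each row, number of rows).
    classes = [
        (p_blue ** k * (1 - p_blue) ** (n - k), comb(n, k))
        for k in range(n + 1)
    ]
    classes.sort(key=lambda c: c[0], reverse=True)

    tried = 0      # rows already guessed before this class starts
    total = 0.0
    for prob, count in classes:
        # Rows in this class occupy ranks tried+1 .. tried+count.
        # Sum of those ranks = count*tried + count*(count+1)/2.
        total += prob * (count * tried + count * (count + 1) / 2)
        tried += count
    return total


def speedup(n: int, p_blue: float) -> float:
    """How much faster ordered guessing is than against an unbiased source."""
    return expected_guesses(n, 0.5) / expected_guesses(n, p_blue)


if __name__ == "__main__":
    n = 16  # constructed toy size; real keys are 128 bits or more
    for p in (0.5, 0.51, 0.6, 0.75, 0.9):
        print(f"p_blue={p:<4}  expected guesses={expected_guesses(n, p):10.1f}"
              f"  speedup={speedup(n, p):7.2f}x")
```

With an unbiased source the ordering buys nothing, which matches the point made in the replies: the advantage only appears when the secret comes from a skewed source such as a human-chosen password.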

408
Security / Re: Let's talk about security
« on: August 16, 2013, 04:09 pm »
The application layer attack that we witnessed is much worse than any network layer attack that we know about. All of the network layer attacks against hidden service users are statistical attacks that identify a random sample of users (although one could argue it's not completely random if technically savvy people mitigate it while less savvy people don't). If LE hacked the SR server and distributed a similar exploit, they could correlate IP addresses with specific users, because they would serve cookies to people who are logged into their accounts. So they wouldn't have to waste time investigating OzFreelancer or somebody who has never made a purchase. They could directly correlate IP addresses to the top vendors. That's why it's much more dangerous, and top vendors absolutely must protect themselves with more secure setups than TBB on Windows.

If LE hacked the SR server they could do traffic analysis and link anyone who uses their entry guards to individual accounts without cookies. I am not sure that the application layer attack is really that much worse than network layer attacks. Certainly application layer attacks are more in our control to defend against, and network layer attacks are statistical probabilities over time. But both are serious threats. The feds got some subset of people who visited FH by hacking them from FH, but the feds could also get some subset of people who visited FH by owning their entry guards and doing end point traffic correlation. For all we know they did both in this case, it is just easier to identify application layer attacks than it is to identify traffic analysis. And isolation etc could have protected people from the application layer attack, but Tor itself is totally incapable of protecting people from correlation attacks if they have a bad entry node and go to a compromised server, at best it can decrease the probability that the victim has a bad entry guard by getting more good users to run relays. But what if the NSA does a passive attack and feeds the intelligence to DEA? Then it no longer matters if your entry guards are good or not if you are in USA or your entry guards are or your traffic passes through USA on the way to your entry guards.

In the past I put more faith in Tor than I currently do, and was more worried about application layer attacks. And I did think the feds would do application layer attacks prior to traffic analysis attacks, and was apparently correct about it. Now I am worried about traffic analysis and application layer attacks, and I bet the feds start using both.

Application Attacks: Easier to add defenses that mitigate, theoretically possible but unrealistic to fully protect from
Traffic Analysis: Harder to add defenses that mitigate, theoretically possible but unrealistic to fully protect from

Application Attacks: More likely to be noticed
Traffic Analysis: Much less likely to be noticed

Application Attacks: Capable of taking full control of remote system and stealing private keys, plaintexts, etc
Traffic Analysis: Only capable of obtaining suspect IP address to a high degree of certainty

Application Attacks: Constantly evolving threat with no end in sight, new zero days all the time thousands and thousands waiting to be discovered, attacks are fully protected from shortly after they are discovered
Traffic Analysis: Largely understood, slowly evolving with few new attacks, old attacks are rarely able to be fully protected from

Application Attacks: Security advances are making application attacks more and more difficult
Traffic Analysis: Passive surveillance is making traffic analysis harder and harder to protect from

Application Attacks: Are more likely to deanonymize all *vulnerable* users immediately
Traffic Analysis: Is more likely to slowly deanonymize *ALL* users over time

Application Attacks: Are more likely to target a subset of users rather than all users, but likely to compromise all targeted users
Traffic Analysis: Is more likely to target all users but only compromise a subset of targeted users

Application Attacks: Are trivial and cheap to do against users who do not stay on their toes and keep fully patched
Traffic Analysis: Is not usually easier to do against users who are not fully patched, but it can be (ie: the introduction of guards)

Application Attacks: Are expensive to do against users who stay fully patched and very expensive to do against users who stay fully patched and use layers of isolation and other defense mechanisms, cost increases substantially as subset of users to target increases.
Traffic Analysis: Can be made more expensive to do in some cases but there is a hard and low ceiling tied to the anonymity technology being used, is usually roughly as effective against all users regardless of their configuration (with some variance but not nearly as much as compared to application attacks), cost correlates directly with time, the more the attacker spends the less time they need to wait to deanonymize their targets, the less they spend the longer they need to wait

Application Attacks: Quickly identify all vulnerable users but become less effective over time as users patch and awareness spreads
Traffic Analysis: Identifies targets with various speed depending on amount spent on it, the more time that passes the more targets are identified

Application Attacks: Have a one time cost to obtain but become less valuable as time passes
Traffic Analysis: Has continuous cost to maintain but becomes more valuable as time passes

409
Security / Re: Encryption is less secure than we thought
« on: August 16, 2013, 02:41 pm »
I looked at the paper, it is multiple pages of advanced math with some English sprinkled in. I cannot make much sense of the paper unfortunately. Here is a comment from stackexchange

Quote
So the article is fluff, the details can be found in the linked paper. The gist of it is a refutation of the following assertion: if you have a set of symbols chosen with identical independent distributions and subject to some kind of coding, the result can be approximated as a uniform distribution.

The paper asserts, with a few citations to some examples, that this is a common cryptographic assumption. It is, as far as I can tell from reading the literature and talking to other practitioners, not a common assumption at all. In fact, in standard encryption systems, we assume that the plaintext is chosen with a known distribution that can be arbitrary (indeed, attacker chosen), and keys are chosen randomly.

In practice, keys are not chosen randomly, they are chosen using cryptographically secure random number generators. Those can fail, but not in the way the paper is talking about.

Certain papers, such as maybe linked one about biometrics and the other about passwords, might make this erroneous assumption, but it's not common and certainly doesn't relate to what most non-practitioners would consider "encryption."

A better title for the article: is a few cryptographers made some dumb mistakes. Mistakes neither pervasive nor of massive consequence.

That sounds pretty correct to me. I think this research says more about advances in cracking non-random passwords than it does anything else. They don't even mention pretty much anything the article talks about in the paper (such as keyless ignition).

410
Security / Re: Encryption is less secure than we thought
« on: August 16, 2013, 02:11 pm »
Honestly this article is not really saying much and seems like the person who wrote it probably doesn't have a good understanding of the subject. It isn't like a wireless car ignition system transmits a password, they use zero knowledge proof of knowledge and allow for a total interception. The most I can get out of this article is that some new understanding of entropy has been arrived at, and it probably means that non-randomly generated passwords are easier to crack than previously thought, and perhaps that some cryptographic systems are also easier to directly break than was previously thought. I would need to read the paper and not this article to see what is up though, because the article doesn't really do a very good job of giving me the raw information.

411
Security / Re: Brute forcing.
« on: August 16, 2013, 01:40 pm »
One other variable is that I believe Truecrypt is relying on PBKDF functions (which basically, make it more expensive in CPU terms, to attack the password).

So while a cheap (<$5k) password cracking GPU rig might be crunching 20-30+ billion hashed NTLM passwords a second, the number for TC passwords would be much, much lower. Just guessing that might be as low as 1000 passwords/sec, but that's just a wild guess. I could be off by a few digits in either direction. :)

Came here to say this. Truecrypt certainly uses a Password Based Key Derivation Function (PBKDF) which greatly slows down the speed with which passwords can be guessed. You should expect a well funded attacker can guess trillions of passwords per second. A quick search reveals a cluster of 25 AMD graphics cards got up to 348 billion passwords per second, and the best card in their cluster was a 7970 not even any 7990. I think the cost of that must have been no more than about $12,000 since several of the cards they used are fairly old.

It seems to me that they are making exponential gains in password cracking technology because the last time I looked into it the commercially available solutions were guessing about twenty billion passwords per second but now I find people making their own clusters getting into the hundreds of billions.

PBKDF slows down such attacks depending on how many iterations the PBKDF is set to use. Cracking a password created with PBKDF with 10,000 iterations takes 10,000 times as long as cracking a password with no PBKDF iterations. So if an attacker can guess 1 trillion hashes per second they can only guess 100 million passwords created with PBKDF with 10,000 iterations. The problem with PBKDF is the more iterations there are the slower it is for a legitimate user to obtain their key with their password. If the user was willing to wait sixty seconds after typing in a password before anything happened, we could add more and more iterations and more and more security for the user. I think in the future the best option is to let the user set their own number of PBKDF iterations, so they can decide the trade off they want to make between ease of use and security. For most applications they try to make it so the user cannot even notice a delay from PBKDF but that it adds up to a big delay when someone tries to guess trillions of passwords. If a user was willing to wait for 100,000 password iterations on whatever CPU they have, the password cracker that can guess 1 trillion hashes per second would only be able to guess 10 million passwords a second. There are techniques for using RAM to limit password attempts as well.
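The trade-off described in this post, as an added example that is not part of the original thread: PBKDF2 from Python's standard library, a calibration step that turns a user's acceptable unlock delay into an iteration count, and the arithmetic for how the iteration count divides an attacker's raw hash rate. HMAC-SHA-512 as the PRF, the function names and the sample figures in the demo are assumptions; the 1 trillion hashes per second figure is the one used in the post.

```python
import hashlib
import os
import time

PRF = "sha512"  # assumption for this example: PBKDF2 with HMAC-SHA-512
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def derive_key(password: bytes, salt: bytes, iterations: int, dklen: int = 32) -> bytes:
    """Stretch a password into a key; the cost grows linearly with iterations."""
    return hashlib.pbkdf2_hmac(PRF, password, salt, iterations, dklen)


def seconds_per_iteration(probe_iterations: int = 50_000) -> float:
    """Time one derivation on this machine and return the cost of one iteration."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key(b"calibration-only", salt, probe_iterations)
    return (time.perf_counter() - start) / probe_iterations


def iterations_for_delay(target_seconds: float, sec_per_iter: float) -> int:
    """Largest iteration count that keeps the unlock delay within the user's budget."""
    if target_seconds <= 0 or sec_per_iter <= 0:
        raise ValueError("delay and per-iteration cost must be positive")
    return max(1, int(target_seconds / sec_per_iter))


def effective_guess_rate(raw_hashes_per_sec: float, iterations: int) -> float:
    """Password guesses per second once every guess costs `iterations` hashes."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    return raw_hashes_per_sec / iterations


def years_to_search(entropy_bits: float, raw_hashes_per_sec: float, iterations: int) -> float:
    """Average years to find a uniformly random secret: half the space is searched."""
    guesses = 2.0 ** (entropy_bits - 1)
    return guesses / effective_guess_rate(raw_hashes_per_sec, iterations) / SECONDS_PER_YEAR


if __name__ == "__main__":
    raw_rate = 1e12  # attacker's raw hash rate, the figure used in the post
    cost = seconds_per_iteration()
    print(f"this machine: {cost * 1e6:.2f} microseconds per iteration")

    # Let the user pick the delay they tolerate, then derive the count from it.
    for delay in (0.1, 1.0, 60.0):
        n = iterations_for_delay(delay, cost)
        print(f"delay {delay:>5}s -> {n:>12,} iterations, "
              f"attacker limited to {effective_guess_rate(raw_rate, n):,.0f} guesses/s")

    # Iterations add a constant factor; password entropy adds an exponential one.
    for bits in (40, 60, 80):
        for n in (1, 10_000, 100_000):
            print(f"{bits}-bit password, {n:>7,} iterations: "
                  f"{years_to_search(bits, raw_rate, n):.3g} years on average")

    salt = os.urandom(16)  # a fresh random salt is stored next to the ciphertext
    key = derive_key(b"constructed sample passphrase", salt, 100_000)
    print("derived key:", key.hex())
```

Calibration measures the legitimate user's CPU, so the same iteration count costs a GPU cluster less wall-clock time per guess; the division by the iteration count still holds for whatever raw rate the attacker achieves.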

412
Security / Re: Let's talk about security
« on: August 16, 2013, 01:08 pm »
Quote
I'm arguing on the fact that you put the Whonix Gateway in a Windows Host in the insecure field just because of Windows but it is not necessarily so and it depends on the circumstances. Given how many newcomers use Windows it is important imo that they can understand how to better use that OS instead of just saying "it's insecure to use it" because if the change is too great it will just turn them aside. Understanding how they can use what they know in the best way possibles is a lesser jump than going immediately to uncharted ground at beginning, it is a smoother learning curve, and as such it is something they can think "oh yes, I can do this without many problems to increase my security" instead of doing nothing because the jump required is too high.

This is the logic the Tor developers went with when they decided to leave javascript enabled. Oh, new users won't know to turn javascript on if they need it and so much of the internet needs javascript and there are other ways to be attacked anyway. So they left javascript on to cater to the noobs, and the noobs got fucked by it since the people who know to harden their browsers turned it off manually. There is a line between easy to use and secure, and when people head too far toward easy to use they get pwnt. We should not cater our tutorials to people who do not want to be secure. If they want to be less secure than we know how to be, they can still be more secure than the average user. Using Whonix from Windows is much more secure than using the TBB alone. Using Tails could be seen as an improvement as well, and certainly would have been for users accessing FH when it was pwnt. Users can pick their own trade-offs, but we should always suggest the most secure solutions just like Tor Project should have had javascript disabled by default. People warned them months prior to the FH attack that having javascript on by default was going to lead to compromise of users and they always waved their hands talking about how people want to watch videos of cats on youtube.

413
Security / Re: Let's talk about security
« on: August 16, 2013, 01:03 pm »
why would they run Whonix on Windows anyway? They have all the more freedom to install Linux and run Whonix on it, or turn that computer into a Whonix Workstation with physical isolation (using Tor on the router or a middle box as the Gateway). No part of SR requires Windows.

Because, as you expressly said in this tutorial and I evidenced myself, the high majority (probably about 80%) of the users of SR (and probably even more when the Forbes article will come out and a flood of new people will go to the silkroadlink.com site) use a Windows host + ToR bundle and that's it. Now if a person like that wants to increase security and has a notebook the last thing he wants to do is to utilize it only for SR with Linux (as you said yourself here), but on the contrary he would be quite willingly to use that notebook only for secure home applications on Windows + a Whonix Guest to go to SR with. In this way the notebook will not be "wasted" on SR alone but still SR would be the primary use.

Windows is the OS they are used to and feel right at home with, the notebook they can spare but not naturally and totally for SR alone, they would still like to do the usual home applications with it and/or surfing the web a bit with it (but being aware to not do insecure operations in it) and setting up a Whonix Guest is really easy to do, even easier than setting up Tails with all the benefits of having a notebook you can use for other secure things (good luck on having the usual guy being able to do the same with a Linux Host).

What I'm saying is that I understand perfectly what you intend with your tutorial but you are asking a too big jump given the target. If you ask the usual user having just Windows + ToR to setup a notebook with an Host they don't know how to use you are asking them to literally use that notebook only for SR and that's a "waste" that many would not accept for what they think the matter is (wrongly, but that's the burden of the thing). If instead the jump is on using the notebook with Windows only in a certain way (so they can still do many applications in there and not "waste" the notebook) and use a Whonix Guest to go to SR in there they will increase their usual security by 1000% and the jump will not be so big as to think "to hell to this, I'm not going to do something like that for this paranoia".

Sure if people feel a compulsion to use Windows they can do it and use Whonix and be much better off than using TBB by itself. We are not asking people to do anything, we are telling them what their best options are.

414
Security / Re: Let's talk about security
« on: August 16, 2013, 12:55 pm »
Quote
We all seem to agree that network layer attacks are harder than application layer attacks, which is why I focused on the application layer in my guide. I still have my doubts about the effectiveness of the hidden service deanonymization attacks. We'll see what intel comes out of the Marques case. If you think those attacks are effective and they didn't identify the FH server through an attack on the hidden service, you have to explain why. Even longterm entry guards and Tor over Tor only slow down the attack. kmf calculated it increases the time of the 2006 attack from 1-2 hours to about 40 days, but they were investigating FH for a year, so why didn't they do it?

There is no doubt about the hidden service deanonymization attacks, they have been carried out on the live network and they work. Hidden services have crap anonymity, they are traced to entry guards in no time at all and then it is a single court order (at most) from that point on to get its real IP address. And it isn't even that good because in reality the hidden service has THREE entry guards each of which can be quickly located and each of which can be used to obtain the hidden service's real IP address. For all we know it took the FBI 5 years to even figure out that this attack is possible, and I wouldn't be at all surprised if they traced his hidden service with this attack then put him under passive surveillance and used a timing correlation attack to ID him as FH admin after he made the Tor Bank post. Then two weeks of paperwork later they raided him. That is one of my top theories. Then they could have deanonymized anyone who accessed FH whose Tor entry guard they owned. They did not need to do only application layer attacks; that is only all we know about. They were positioned for 1/2 of a timing attack against anyone accessing FH server, anyone who used a bad entry guard to connect to FH during that time would be deanonymized just as much as anyone who was pwnt by the javascript. There is a good chance they used traffic analysis as well as application layer attacks, and pwnt those who used their entry guards as well as those who had vulnerable browser and OS targeted by the payload.

Application layer attacks are a big worry but direct attacks on Tor are also a big worry. At least with application layer attacks we can use things like isolation to protect from them, direct attacks on Tor are even more worrying because there isn't a whole lot we can do short of hacking the Tor source code, and even if we make Tor as ideal as possible it is still limited by its fundamental design.

Quote
Sure you can. For #5, get people to run more relays (see the guide I just posted :) ). For #6, diversify the network outside of the cooperating intelligence agencies' zone, which is my main suggestion in the relay guide.

Doesn't matter where the relays are, if you are in the US your traffic always enters through networks the NSA monitors.


Quote
But, while some of us will head miles down Paranoia Lane, it's also important to realize that consistently executing good (even if simple) security practice is often worth more than an elaborate setup you don't really understand the nuances of. For all of the elaborate mechanisms in this thread and others, I have to wonder how many users here would be better off with just booting Tails from USB, making sure Javascript is off, and having one hell of a password on their persistent volume.

None of them would be better off with Tails in regards to anything other than possibly forensic analysis, if they don't boot Tails with a persistent volume. Qubes and Whonix are superior when it comes to protection from essentially all other forms of attack. And I do really understand the nuances of computer security, I studied it for many years and continue to do so.

415
Security / Re: Fake ID PO Box Facial Recognition
« on: August 16, 2013, 12:39 pm »
It works poorly usually when the comparison is between CCTV and Photo ID, but Photo ID to Photo ID it will fare way better.

416
Security / Re: Fake ID PO Box Facial Recognition
« on: August 16, 2013, 12:18 pm »
KMF would you be interested in offering this as a paid service down the line?

Nope I don't want your pictures and you shouldn't want me to have them anyway. It is trivial to photoshop a passport photograph, it is so small that most changes you make when it is blown up X 50 are not even noticed at all when it is at its normal size. Just cut out your features, drag and drop them a bit, then fill in any blank area with copied chunks of skin tone from the area around it and blur it together. By the time you zoom out it isn't even detectable.

417
Off topic / Re: Fed Crack Encrypted Drives- Good read if your bored
« on: August 16, 2013, 11:45 am »
Keep in mind this is not how brute force programs work.

"1
11
111
1111
etc. etc. forever until all combinations of everything are guessed"

They have programs which are "smart" enough to piece together dictionary words and different methods which people commonly create passwords in order to "intelligently" brute force. A tip that I heard from someone on this forum is to take the first letter of words in song lyrics and add upper/lowercase, symbols, etc. and there you have it... A super strong, memorable password which is invulnerable to dictionary attacks.

Brute force is indeed 1 11 111, etc. You describe a dictionary attack.

418
Off topic / Re: Fed Crack Encrypted Drives- Good read if your bored
« on: August 16, 2013, 11:39 am »
I am 100% for decriminalization of child porn possession (just thought I would add that since everybody else wants to point out their beliefs on the subject), but just talking about the encryption, they probably cracked it because he used a shitty password. Most people are probably not using very strong passwords. Even passwords with 80 bits of entropy are not considered secure anymore, and that is equal to roughly 80 characters of English text (ignoring PBKDF stretching).

This is my concern, if you need a password 80 bits or longer you are not going to be able to memorize it, meaning it has to be stored somewhere. I currently keep most of my passwords in an encrypted volume but I need to have a strong password to get into that volume to begin with. Forgive my ignorance but how are people safely storing these 80+ character passwords without fear they could be uncovered? And if that's a stupid question to post feel free to PM me instead.

The subtle but key part to his comment is "English text". English sentences are not random. Some words are much more likely to follow other words, and of course there are only 80,000 configurations of letters to begin with (i.e., words).

However, a pass phrase composed of 8 random words is actually pretty strong, over 200 bits of entropy:

http://dkn255hz262ypmii.onion/index.php?topic=106496.msg730353#msg730353

You can memorize 8-16 words.

(And yes I know you just saw that in the Security thread, but I'm making sure people here see it too. :) )

And it only takes about 20 random ASCII characters to have a secure password. Being conservative, you should aim for 20 random ASCII characters, an English phrase with 128 characters or 10 randomly selected words from a large word list. In practice you can usually get away with less than this, but that is the goal to aim for and you don't want to have much less than that.

419
Off topic / Re: No-fap: one of the best drugs out there
« on: August 16, 2013, 11:14 am »
Quote
That's what is happening to you when you constantly watch porn. Every click of the mouse is another female that you mentally mated. Repeat this for 10 videos, 10 partners ... and all of a sudden you have no urge/motivation to pass on your genes via clapping real cheeks.

Are you sure that watching pornography causes people to lose their desire and motivation to actually go out and have sex? This is actually a shockingly controversial claim.

420
Off topic / Re: What age did you first experiment with drugs!
« on: August 16, 2013, 10:57 am »
14 - weed and various research chems

The first time I got high was on weed. Two kids at school hid a tiny little metal pipe in some bushes by where I lived and asked me to look for it for them. I did and eventually found it. I guess technically the first time I smoked weed is from the resin of that pipe, but later when they came to get it from me we ended up smoking a little weed. After that I smoked about ten dollars worth of weed with them a week, we would each put ten dollars down and get half an 8th a week. I started hanging out with them and their other friends a lot.

It wasn't much later that one of my older friends who was a class above me told me about DXM in cough syrup. The drug users in my class never really got into DXM but the class above us was heavily into it. One day a few of us got together and bought a bunch of cough syrup and drank it. I remember the first time I drank cough syrup it hurt really bad when I was coming up, but I got used to it after that. I started to drink cough syrup on a pretty regular basis after that. Problem is the stores started being always out of stock and also some of them stopped selling to young people because it was such a popular high.

One day I looked up on the internet to see if I could buy cough syrup and instead I stumbled on a site that sold pure DXM powder and tons of research chemicals. Although at first I only ordered DXM powder I later tried out several of the research chemicals as well. Let's just say that my high school was soon awash with psychedelics :).
