Messages - kmfkewm

1111
And if you have the right hardware you can even game on the Windows HVM with only a small (~5%) performance hit, because you can use PCI passthrough with IOMMU to give the virtual machine direct access to the graphics card. This is the same technique that is used to isolate hardware for security purposes, but it can also be used for Windows gaming on a Linux host (by isolating the graphics card to the Windows VM).

1112
An even better bet is to use Qubes OS. It lets you easily configure Tor similar to how Whonix does, and has the option to instantly launch anything you want in a disposable VM. Plus it isolates your hardware with IOMMU. Qubes is configured to launch different applications in different (user defined) security domains that are isolated from each other with Xen virtualization. It also supports Windows HVMs and in the next version it will have seamless Windows AppVMs. This means you will be able to seamlessly run Windows applications and Linux applications at the same time, and it will look like they are both natively running on the host OS.

1113
i think the op has issues with the female race
you need help

I think you have issues with correctly using the word race

1114
SSL/TLS session keys are negotiated with asymmetric cryptography, usually RSA or ECDH. You pretty much never use a symmetric algorithm for multi-party communications without also using a key exchange algorithm (or without sharing an original key face to face at least). Usually the only time you use symmetric algorithms alone is for encrypted data storage like FDE or Truecrypt containers.

1115
Security / Re: Crypto migration plan for hidden services
« on: May 19, 2013, 08:26 am »
Quote
You're not doubling the key space. You're increasing it by 2^1024. A 1025 bit key is twice as big as a 1024 bit key. 

That is true for symmetric encryption, but not for asymmetric encryption. If I recall correctly, for RSA based asymmetric encryption you are increasing the key space from the number of 1,023 bit prime numbers to the number of 1,024 bit prime numbers. For symmetric encryption you increase the key space from the number of 1,024 bit numbers to the number of 1,025 bit numbers.

What they should really do is switch to ECC. Much faster than RSA, much smaller keys, superior properties overall. RSA is kind of outdated these days.
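As an added example (not part of the original post), the sketch below puts numbers on the distinction drawn above between the set of k-bit primes and the set of all k-bit numbers: it counts k-bit primes exactly with a sieve for small k and estimates the count for 1,024 bits with the prime number theorem, pi(x) ~ x / ln x. All function names are illustrative.

```python
import math

def count_k_bit_primes(k: int) -> int:
    """Exact number of primes p with 2^(k-1) <= p < 2^k (sieve; small k only)."""
    if k < 2:
        return 0
    limit = 1 << k
    sieve = bytearray([1]) * limit
    sieve[0] = sieve[1] = 0
    for n in range(2, math.isqrt(limit - 1) + 1):
        if sieve[n]:
            # Strike out every multiple of n starting at n*n.
            sieve[n * n::n] = bytearray(len(range(n * n, limit, n)))
    return sum(sieve[1 << (k - 1):])

def log2_k_bit_primes_estimate(k: int) -> float:
    """log2 of the estimate pi(2^k) - pi(2^(k-1)) with pi(x) ~ x / ln x.

    Worked in the log domain so that k = 1024 does not overflow a float:
    2^k/(k ln 2) - 2^(k-1)/((k-1) ln 2) = 2^(k-1) * (k-2) / (k (k-1) ln 2)
    """
    return (k - 1) + math.log2((k - 2) / (k * (k - 1) * math.log(2)))

def growth_per_extra_bit(k: int) -> float:
    """Factor by which the estimated prime count grows from k-1 bits to k bits."""
    return 2 ** (log2_k_bit_primes_estimate(k) - log2_k_bit_primes_estimate(k - 1))

def bits_lost_to_primality(k: int) -> float:
    """log2(all k-bit numbers) minus log2(estimated k-bit primes)."""
    return (k - 1) - log2_k_bit_primes_estimate(k)

if __name__ == "__main__":
    for k in (8, 10, 16, 20):
        exact = count_k_bit_primes(k)
        est = 2 ** log2_k_bit_primes_estimate(k)
        print(f"{k:>2}-bit: {1 << (k - 1):>7} numbers, {exact:>6} primes "
              f"(estimate {est:,.0f})")
    k = 1024
    print(f"{k}-bit primes: about 2^{log2_k_bit_primes_estimate(k):.1f} "
          f"out of 2^{k - 1} numbers of that size")
    print(f"growth from {k - 1} to {k} bits: x{growth_per_extra_bit(k):.4f}")
```

The x / ln x estimate undercounts slightly at small sizes, which the exact sieve counts in the table make visible.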

1116
Security / Re: How to resist transient signal attacks?
« on: May 19, 2013, 07:53 am »
Ahhh, so it's a term for a very cool category of intelligence gathering. Van Eck phreaking[1] would fall into this category. Mmmmm, perhaps it's time to re-read Cryptonomicon :)

[1] en.wikipedia.org/wiki/Van_Eck_phreaking

The intelligence field these attacks fall under is called MASINT, Measurement And Signature Intelligence. It looks like the specific specialization is called unintentional radiation electromagnetic pulse measurement and signature intelligence.

1117
Security / Re: How to resist transient signal attacks?
« on: May 18, 2013, 07:07 pm »
Put another way:

Intelligence agencies use encryption to protect their secret information, which often times does not include the location of where they are operating. They use SCIFs to protect from attackers semi-remotely stealing their encrypted secrets while they are in a plaintext format (ie: displayed on a monitor).

We use encryption to protect our secret information, which almost exclusively consists of the shipping addresses to which drugs are sent. We don't have as much to worry about TEMPEST attacks, because by the time the attacker is semi-remote to our location, they have already identified us and therefore already know our primary secret. Vendors also use encryption in the form of FDE to hide their SR activity, but it will not protect them a whole lot if they are busted with a bunch of drugs anyway.

We use encryption primarily to aid in our anonymity, and TEMPEST attacks only work against targets that have been identified.

1118
Security / Re: How to resist transient signal attacks?
« on: May 18, 2013, 07:00 pm »
Transient signal attacks (TEMPEST, sometimes said to be an acronym for Transient ElectroMagnetic Pulse Emanation Surveillance Technology) analyze leaking signals to try to obtain information of interest. This could include the sound of keystrokes to determine what is being typed, or it could be the electromagnetic signals your monitor leaks in order to remotely reconstruct what it displays. The military protects the most classified secrets from this sort of attack by storing the electronics that are used to display them in SCIFs, Secure Compartmentalized Information Facilities. These are usually rooms that are pretty much hollowed out metal boxes, with thick metal walls completely surrounding the machines and people inside of them. You can find pictures of them if you google around. You can also buy specialty equipment that is shielded to some extent from transient signal leakage, although it tends to be pretty expensive. You could take some simple measures to make this sort of attack more difficult though, for example if you have a basement it will probably shield you more adequately than you would be at a coffee shop. Another thing to take into consideration is that a lot of information tends to leak into the power grid as well.

I think that transient signal attacks are really interesting from a theoretical perspective. They have been used in practice by the FBI, but the only case I know of where they did this was against a Russian spy ring. They are probably more commonly used by intelligence agencies like the CIA etc. The thing about TEMPEST attacks is that the attacker needs to have already identified you to carry them out (since they need to be physically fairly close to you), and if the attacker has already identified you then it is pretty much game over anyway, TEMPEST attacks or not. So the best defense from this sort of attack is actually to maintain your anonymity. These attacks are more applicable to an intelligence agency trying to protect its information secrets from foreign intelligence agents, than they are to a drug dealer trying to protect the content of their communications and computer system. Because the foreign intelligence agency may know where the secrets are stored and not be able to get them covertly due to the SCIF or whatever, but if the feds know where the drugs are stored they are just going to kick the door down or do covert surveillance in less technically sophisticated ways.

1119
Off topic / Re: Vancouver company intercepts LSD-laced mail
« on: May 18, 2013, 06:06 pm »
I don't think the thread should be deleted or locked. What is the point of doing that? The vendor is obviously secure enough that they have not been arrested so far, and they are unlikely to be arrested through what they mailed unless they left forensic evidence like fingerprints on it. The people who had shit sent to wrong addresses are not going to get busted either because they gave incorrect addresses. Hopefully they didn't have it sent to their real names with wrong addresses though!

1120
Security / Re: How to Obtain an Anonymous P.O. box.
« on: May 18, 2013, 05:59 pm »
I know I am certainly glad that the many vendors I have worked with have no idea what my real identity is. Some of them have been busted. I wouldn't want people who are getting grilled by the feds and who are facing decades behind bars to know my name and address.

1121
Security / Re: How to Obtain an Anonymous P.O. box.
« on: May 17, 2013, 06:05 am »
I have not always even had my fake ID photocopied at mom and pop places. Go to the poorest area around you and find a mom and pop box place. They have the worst security and follow procedure the worst. Getting a box at PO is the worst option, and UPS store or other chains are a bad idea too. You have to be careful about electronic stake outs as well, they could put GPS devices inside the package. Best practice is to open and inspect the package before ever taking it back to a location linkable to you. Grab the package, put in layered anti static bags or similar to kill any included device's ability to transmit, take it to a random location that is hard to quickly access by car, and quickly check it for tracking devices, ditch the packaging somewhere and then go back to your pad. Make sure not to have a cell phone on you as well. I am a fan of using public transportation as much as possible during the entire process as well, from you to the box to the random location and back to your house.

1122
Security / Re: State-sponsored malware can inventory RAM
« on: May 17, 2013, 05:52 am »
Anti Virus software is pretty much entirely worthless for protecting from this sort of attack. Anti Virus software is largely botnet size limiting software. It is to prevent a botnet virus from spreading to two million machines, not to prevent it from spreading to one million machines and definitely not to prevent it from infecting *you*. In other words, anti virus software is for protecting you decently from old viruses, and to protect from new viruses before the entire set of vulnerable machines become infected. It is not meant to stop a hacker from infecting you, and it fails horribly at doing this. 

1123
Security / Re: State-sponsored malware can inventory RAM
« on: May 17, 2013, 05:47 am »
https://xkcd.com/463/

1124
Security / Re: How to Obtain an Anonymous P.O. box.
« on: May 17, 2013, 02:51 am »
This is useful in the 5 percent of cases where you know the package was intercepted ahead of time. You can throw away the mailbox key, never visit that post office again, and you'll be safe because they won't know who you are or where to find you. In the other 95% of cases, you won't have a clue that it was intercepted until you're standing in the post office with the package in your hand and a guy with a badge steps out from behind the counter (or pulls you over a few blocks away).

IMO, a residential address is safer because you can passively receive the package and choose when to pull it out of the box. LE isn't going to wait around for hours or days, and at all hours of the night, for you to pick up a small amount. They will either knock on your door and see if you accept it, or not deliver it at all (in which case, it will join the ranks of the infamous missing packages). To that end, it's best not to be home when the mail is delivered.

The reason you give for using a residential address sounds like it is a good reason for using a PMB obtained with a fake ID. If you order a package to a residential address LE doesn't need to wait around for days or hours, they know where you live already. They will either knock on your door and see if you accept it, or they will just raid you anyway because they already know a package with illegal drugs was sent to you and they can probably get a warrant to search your house based on that alone. In the case of a fake ID box, they have no door to knock on and no home to raid until they identify you picking up the package and follow you back to wherever you live or ID your car. And in cases where they are not going to do anything at all, wouldn't it be better for them to not do anything against a fake name and address that isn't linkable to you, than for them to do nothing against your real name and address (other than make a note of it).

Although you may only be tipped off to an interception in advance 5% of the time (I can think of a few examples of this happening, although I agree it is rare overall. Two general themes: tracking let it slip, or everybody who ordered from the vendor starts getting CDed at once), you might learn that a vendor you worked with has been arrested 50% of the time. It is much more common for someone to learn a vendor they worked with has been arrested than it is for someone to learn that a package they had has been intercepted. Or maybe the vendor simply disappears. Maybe this is more common on tighter community oriented forums where everybody talks regularly with each other, and you notice an unexplained absence of a vendor and nobody knows what happened to them (until you check for drug busts in the area they shipped from and piece together what happened. Note that this happened with enelysion, in the case of Joot we learned about it from the court documents very shortly after TFM went down, etc). Then you need to consider some vendors are probably keeping customer shipping information to aid them in plea bargaining. Or maybe the busted vendor even had outgoing package addresses recorded (enelysion did) and your address is on a list. No interception to you has happened yet, but packages to that address are probably way more likely to be intercepted in the future!

And better not order from an asshole who will blackmail you with your real address.

Quote
People have proposed using various light sensitive devices that can warn you when the package has been opened. They might be worth it for large orders, but it's also possible for LE to x-ray the package, discover that it contains such a device, and open it in a dark room to field test the drugs. They are also known to use needle-sized poking devices to sample the contents, which leave a hole so small that it probably wouldn't set off the device. To protect against that, you would have to fortify it with a hard internal package, which again isn't worth it for small amounts, when simply mailing the drugs in an envelope is much safer.

Vacuum seal the device with the drugs and have it detect the presence of oxygen then. I would be less worried about LE x-raying the package and finding it has some obscure electronic device in it and more worried about LE x-raying the package and finding that it has some pills or powdery substances wrapped up inside of it.

1125
Security / Re: How to Obtain an Anonymous P.O. box.
« on: May 17, 2013, 02:37 am »
Although Enelysion as an example goes both ways, as he was arrested using a fake ID box. They staked it out for days and put him under surveillance after they saw him try to pick up a shipment of methylone that had been intercepted (he got a love letter). They kept him under surveillance for weeks after identifying him in that way. Although it was no worse for him than if he got the package sent right to his house, in which case they wouldn't have even had to do surveillance on his fake ID box for days waiting to identify him and covertly follow him back home.

For me the advantages of a fake ID box just strongly lead me to think it is the best option.

1. It requires more police resources to CD someone using a fake ID box (although it can certainly be done)

2. It prevents the vendor from easily learning the real information of the customer (although it could possibly be done with a private detective or similar)

3. It prevents the police from monitoring a vendor's outgoing packages and easily compiling a customer list of real customer information

4. It lets people compartmentalize, after a drop has had a lot of packages from a lot of vendors it can be dropped and not all of the old vendors will learn the new drop 

5. It lets people drop boxes in emergency situations, (ie: a vendor they work with gets busted and they find out about it)

6. It opens up all kinds of possibility for the police to fuck up or act too slowly (ie: tracking says the package is seized, it is held by customs for an extended period of time, it is an overnight package that is several days late, etc). I know one case where someone ordered small dealer quantities of marijuana and their package just never arrived, several weeks later they got a knock on the door from the postal inspectors.

Those are the advantages. The disadvantages are

1. It has the possibility of adding an additional charge if you are arrested
