Silk Road forums

Another example would be if you have an install of Windows for example, and then you install Ubuntu with FDE. Just because you have used FDE when installing Ubuntu does not mean that the entire drive has been encrypted. Only the newly installed data related to Ubuntu has been encrypted, and only the space it takes up has been overwritten. Unless you first did a separate full drive overwrite, there will still be plaintext data remnants from the Windows install on the drive.

The exact details of if you can count on an FDE implementation to be equal to a full drive wipe or not will vary from implementation to implementation. But having FDE is not the same as having wiped your drive, so you should not confuse the two things and rely on FDE to be a secure wipe.

Fingerprints ARE enough to get you busted and if you think otherwise you are plain and simple fucktarded.

Additionally, if you see the Canadapost you will see how many people are touching your package without gloves...there is prints all over these things....

Maybe it is outside your field of expertise, but there is a basic forensics technique called intersection that applies to all sorts of things. In this case the attacker would order multiple packages from the vendor, then they would lift prints off of all of them and intersect the crowds until only the vendors prints are remaining. Your fingerprints may hide in a tiny ass crowd on one package, but over two or three or four packages and your prints are the only unique ones left.

Really I am dumbfounded that anybody here would argue against the importance of wearing gloves when packaging things. There is absolutely no debate to be had. My guess is they are either LE trying to create the impression of there being ANY debate in regards to the importance of not leaving fingerprints on shit, or they are trolls, or they are complete fucking idiots. In fact, I am certain that they absolutely must be one of the previously mentioned things.

You could also just do a full disk encryption and then reformat. It would make it impossible to recover any data. An even more secure way would be doing a full disk encryption and then using DBAN, or even using TreuCrypt's secure overwrite option during the full disk encryption.

FDE doesn't inherently overwrite stuff that is already on the drive.

Quote from: kmfkewm on April 12, 2013, 11:33 am

Quote from: pkizenko98 on April 12, 2013, 11:26 am

Quote from: kmfkewm on April 12, 2013, 11:09 am

Quote from: pkizenko98 on April 12, 2013, 11:00 am

Don't let paranoia and propaganda cloud your minds.


(The following paper was the text of a presentation at a training seminar for Los Angeles County Deputy District Attorneys on November 14, 1992)

This is an excerpt.

"Often, detectives are disappointed and prosecutors are frustrated with the lack of the irrefutable evidence of the suspect's fingerprints on a particular item of evidence, which he must have handled. It is unfortunate that, unlike on television, the �suspects� prints don't always appear.  A look at the factors influencing the chances of obtaining prints will assist in understanding the fragile and elusive nature of latent impressions.  Each of the following various factors independently or in combination can account for the lack of prints on a surface:  1) Individuals don't always have a sufficient quantity of perspiration and/or contaminates on their hands to be deposited,  2) When someone touches something, they may handle it in a manner which causes the prints to smear,  3) The surface may not be suitable for retaining the minute traces of moisture in a form representative of the ridge detail, and 4) The environment may cause the latent print to deteriorate. The most important fact dealing with the lack of fingerprints is that it neither suggests, implies, or establishes that any person did or did not touch the item of evidence.  Items which have been witnessed to have been handled and laboratory experimentation repeatedly reiterate this premise".

Don't let the fact that every single case can't be solved with fingerprints cloud your mind into touching everything with your bare hands. That is just beyond fucking stupid.

Why you don't need to wear a condom when banging random prostitutes in Africa:

1. HIV is not always transmitted during sexual intercourse, and it doesn't always take hold and cause an infection
2. Maybe you just get a blowjob, that has a much lower risk of transmitting HIV
3. Not ALL prostitutes in Africa have HIV in the first place
4. Maybe you are a natural resistor, something like 1% of male Caucasians resist HIV infection to such an extent that they are virtually immune

Saying that you don't need to wear gloves when you handle illegal packages is pretty much the same as saying you don't need to wear a condom when you bang random African prostitutes, and then giving the above list of reasons. In other words, it makes you look like a dumb ass who is about to get infected with HIV.

There is a thing called being cautious, and a thing called ignoring common sense and wasting precious time!  I will inform you on what side you are currently on!

Fingerprinting mail?  Really? Ok

Now if your using MBB the only layer you would need to worry about is the last, I hope I don't have to explain why, and you should be wiping it down anyway. 

This leaves the the mailing itself, which is going to pass through at least a couple more hands as it goes thought the system.  Every post office I go too, employees do not wear gloves!

I been in this field for quite some time.  Many family and friends have been in and out of the system for drug charges, known of them convicted over fingerprints!  They would laugh at you and probably shank you for being so easily manipulated by what you see on tv.  Did you even read my post?

Since you are clearly clueless, I will take some time from my busy day to explain to you something called an INTERSECTION ATTACK, one of the fundamental types of forensics (correlation is another!).

Let's say you touch the outside of the envelope and get your fingerprints on it. Now, as you are hopelessly clueless, you incorrectly assume that it doesn't matter because your fingerprints will blend in with the fingerprints of dozens of other people who handle the package. Now when your package is fingerprinted after being intercepted, the detectives find 12 unique prints belonging to 12 different people. Whew, you may say to yourself, I am totally safe! Now, assuming they don't zero in on your prints due to the fact that you have previous drug charges and are not someone who works in mailing, the detectives just wait. Now they intercept another package from you (or they order another package from you, to save themselves some time!). This time they get 20 unique prints! Whew, you may say to yourself, I am totally safe! Except now those clever detectives take the first set of prints and the second set of prints, and they remove all prints that don't show up on both packages (this is an intersection attack!). Oh no, now only your prints are suspect , because none of the original 12 people who handled your first package handled the second package! Now you are totally fucked!

You are obviously new to mailing drugs, and my money is on you being busted in no time if you really don't wear gloves. Welcome to forensics 101.

I wear gloves just to be safe, but your logic is wrong.


Customs will never, ever, ever send your package to forensics if it's a personal amount inside. The governments don't have the money for that. Maybe if they catch a key or something, but no way for that amount. Do you know how much drugs they catch daily?

On top of that the police need to already have your fingerprints on file in the country that caught it (there isn't a world wide system, each country has their own)

If they don't have your prints then they have nothing to go on. They have a location but any good vendors know not to use the same drop all the time.. I personally use 5 different ones, all 3-10 miles apart.


 If they do have your prints, then yes you are right, you are fucked.

Oh really is that factoid straight out of your stinking asshole? Something tells me it is. Customs know that people with kilos might break them down into 10 gram packages. It is called swarming! If customs just completely ignores 10 gram packs, then everyone will just send their kilos in ten gram installments. Also I would like you to read about something called Interpol, through this organization fingerprints can be matched against world databases! Also intelligence sharing between the country of the shipper and country of the recipient is even more likely. Rotating between 5 different drops is pretty shitty security fwiw. Also the chances of you having your fingerprints on file at some point in time are not that low. A lot of people will be arrested for something at some point in their lives, or join an organization that requires fingerprinting. Feel free to leave your biological signature on all of your outgoing packages, but please stop pulling insta-facts out of your ass and generally talking about things you don't really have a clue about. Opinions are like assholes and I really don't want your stinky asshole pushed into my face when I have my nice pleasant smelling facts and logic already there.

Dumb Fucks, stop commenting without thinking, or reading this thread.  It has already been said numerous times throughout this thread.  I will reiterate!

YOU CAN'T MATCH A PRINT UNLESS YOU HAVE SOMETHING TO MATCH IT TOO!!!!!!!!!!!!!

Happy 420!

pkizenko98p

Hurka-durka durka-doo, durrr let me think about ur logic man. So like I should put my real name on return address becuz customs like totally doesn't care about me sending personal use schedule 1 drugs newayz n like uhm they might not find teh fone book to match my name and address. Fuck you are so right! From now on I send my drugs from real name, press fingerprints all over it, maybe I will draw some blood and rub in on inside of the package as well. I should add some hair too, maybe bust a nut in it for good measure.

Really I should mostly blame the government, as they pump out propaganda and indoctrinate the hell out of people. But I blame the people who are indoctrinated just as much. It just more clearly shows the illusion of living in a democracy than anything else does. All the politicians, statists and other government apologists always argue against violence being used against the drug enforcers and the benefactors and beneficiaries of the war on drugs, and their excuse is always that in the US there is a free political system and it is the will of the people for drugs to remain illegal, and enforcers are just doing their jobs. I wonder how many mental gymnastics these people need to do to get around the fact that we have propaganda pumped at us 24/7. If North Korea allowed free elections but the people of the country think that their leader is a fucking God, and have propaganda saying such pumped at them 24/7, would we think that they have a free political system? From the time you are a young child in school being taught lies about drugs, and told to turn your parents in if you know they are drug users, through all the grades of school even up to college in some career paths, people are taught lies about drugs. You know, a person may consider school to be a good source of information, and even otherwise somewhat intelligent people could be indoctrinated into believing the lies about drugs if they are taught lies through an institution of fucking knowledge. Not to mention the media pumps out just as much bullshit about drugs, sometimes overtly and sometimes covertly. So people are taught lies about drugs at school, the media spreads lies about drugs, people believe lies about drugs and repeat the lies to their friends further strengthening the perceived legitimacy of the propaganda. Of course churches also are against drug use, and that is like the third primary source that people get their information from (even though it is all bullshit). So we have people who are born and they go to school where they are taught lies about drugs for years, the media portray drugs in a false light, the churches portray drugs in a false light, people are surrounded by bullshit 360 degrees. And people still say that we have a free political system and that the war on drugs is the will of the people! The war on drugs is entirely manufactured ! It is a modern, artificial phenomenon !

When people have an artificially created ignorance of drugs, and the only 'knowledge' about drugs they have comes from an establishment that has it in its best interests to spread lies about drugs, how the fuck is that freedom? Seriously, most adults hold beliefs about drugs that I can only compare to what beliefs a young grade school kid would hold in regards to sex! The people are like young children in regards to drugs, an artifact of their indoctrination and artificial, manufactured ignorance. It makes me so mad to hear people say that the war on drugs is the will of the people, and that we need to convince people drugs are okay. Why do they give so much power to the government, that the government can decide that drugs are "bad" (not like they really have done this, they have only decided that they want to rob and enslave us), that the government can pump out propaganda about drugs, but then when the brainwashed masses turn us into criminals and viciously attack us, we must then be saintly to them and peacefully convince them otherwise, over decades through which we are prosecuted, enslaved and killed?

I am so sick of hearing people talk about drugs like they have a fucking clue when they are just spewing out bullshit. It makes me mad that these people have control over our lives, despite not living in reality. It is a perfect example of why I hate democracy, it is an insecure form of politics. Democracy is vulnerable to propaganda and ignorance. I do not think people should be able to vote for how things are done, rather there should be a benevolent totalitarian regime (which would inherently be libertarian anarchist, and only for the enforcement of our rights). The war on drugs, and the mechanics through which a select group of elites was able to undermine democracy and turn it into a charade benefiting themselves, is proof enough for me that Democracy is dangerous. In a Democracy the  people vote for what is done, or for who decides what is done in the bastardized American form of democracy, but without the people being protected from propaganda and indoctrination, the propagandists and indoctrinators are really the ones who decide what is done! Even worse, the people are tricked into thinking they decide what is done, because they cannot see their own manipulation. They can not determine that their own knowledge is false, and that their minds have been poisoned and tainted by groups with ulterior motives. And so the people are falsely pacified, they say that we have the power and that the enforcement agencies do our will so they are not our enemies. They do no see that we have no power and that the enforcement agencies are the soldiers of the propagandists. The masses do not see that they are kept stupid so that minorities of them can be sectioned off by the government for sale into slavery, for profit of the government and the interests of those who are in the government.

Everyday we see the results of the evils of Democracy and the evils of the government. We see people needlessly dying from overdoses on drugs that they would otherwise obtain in measured dosages. We see drugs such as PMA sold as MDMA leading to many more senseless deaths. We see the funding of violent cartels leading to tens of thousands more deaths, poverty and other horrors. We see our peers sold into slavery for the profit of psychopaths. We see the spread of disease such as HIV. We see unsanitary and impossible to properly regulate practices of drug distribution leading to many issues. We see nations with citizens who are kept as stupid as small children, it is like the fucking twilight zone. The list goes on and on. Every time somebody says something like "Taking LSD 7 times causes a person to be clinically insane!" I fucking cringe, I cringe at their artificial stupidity and I cringe because I am shown clearly the falsity of Democracy, I am shown clearly that while I am ostensibly free in reality I am a slave.

Isn't this why you don't roll your own encryption and stick with the standards, or is there a problem with one of the standards?

Well they used the standards (AES-128-CBC, PBKDF2, SHA1) , and didn't strictly speaking roll their own encryption (although they did roll their own cryptosystem), but they used the standards incorrectly. It would be like using seeded SHA256 for a PRNG, but only hashing out from the seed, without concatenating the seed to each output iteration before rehashing to get the next output iteration. Although that would be rolling your own PRNG, so it is not a perfect analogy.

At least they knew to use a PBKDF, an even worse situation would happen if they had simply used SHA1 for the key without combining it with a PBKDF. In either case they would have used the standards, but it would be a misuse in either case. In their case the number of iterations was halved, from 1,000 to 500, had they used SHA1 with no PBKDF there would have only been one iteration.

But even though this shows that they didn't know how the mode of operation they used worked, or how to correctly use PBKDF2, the effect on end users should be fairly minimal. PBKDF stands for password based key derivation function. It is used to derive a key, for use in encryption operations, from a password. Generally it works like this:

You provide a salt, a hash function and a number of iterations. Let's say your salt is 'abc' , your hash function is SHA1, your number of iterations are set at 2 (way too low!), and your password is 'def'.

So the first iteration will produce the SHA1 hash of 'abcdef'

bdc37c074ec4ee6050d68bc133c6b912f36474df

the next iteration will produce the SHA1 hash of the first iteration

e3cd537dc0c5da5cc5360dab38faf6fcee29a2f8

and this is the key derived from your password run through that KDF. This is beneficial when you have a lot of iterations, because it makes it so the attacker must use more computational power, which translates into more time, in order to brute force your password. It also protects from rainbow tables because of the salt. Assuming the attacker guesses your password correctly the first time, if there are two iterations of the KDF, it means they must do two hash operations to derive your key. Without a KDF, they would only need to perform one hash operation to derive your key. Since they have to do two operations with the KDF, it doubles the amount of time required for them to crack your password. If you use 1,000 iterations, it multiplies the amount of time required by 1,000. 

This is really nice for slowing down brute force attacks, but it isn't a replacement for a good password. It may make a very bad password into a  bad password, but it will not make a okay password into a strong password.

An 8 bit password has a key space of 256, 2 ^ 8. That means without using a KDF, the attacker has to do at most 256 hash operations to crack your password. With a KDF that uses 2 iterations, they need to do at most 512 hash operations to crack your password.

log2(2 ^ password_strength * KDF_iterations) = password_strength with KDF

Keep in mind that it gets unrealistically slow for a user to generate their keys as you go up orders of magnitude in the number of iterations. Most programs use somewhere in the area of 1,000 iterations.

log₂(2^8×1000)         = 17.96 bits with 1000 iterations
log₂(2^8×10000)       = 21.28 bits with 10,000 iterations
log₂(2^8×100000)     = 24.60 bits with 100,000 iterations
log₂(2^8×1000000)   = 27.93 bits with one million iterations

log₂(2^128×1000)       =  137.00 bits with 1000 iterations
log₂(2^128×10000)     = 141.28 bits with 10,000 iterations
log₂(2^128×100000)   = 144.60 bits with 100,000 iterations
log₂(2^128×1000000) = 147.93 bits with one million iterations

As you can see, adding a single random 8 bit character to a password is more effective at increasing password strength than going up two orders of magnitude in the number of PBKDF iterations you use. Adding 1000 iterations to an 8 bit password more than doubles the bit strength of the password, but adding 1000 iterations to a 128 bit password doesn't anywhere near double the bit strength.

So even though it is best to use a PBKDF to give some extra bit strength to the password, even not using one at all isn't the end of the world if the user has a good password. And adding orders of magnitude more iterations greatly increases the amount of time it takes for the user to generate their key, and is less effective than the user adding a single additional character to their password.

I am pretty sure that 1Password used PBKDF2 twice, once with a salt for the IV and once with a salt for the encryption key. So lets say once they call it with

'1PasswordIV' + 'Password' , for 500 iterations with sha1

and once with

'1PasswordKey' + 'password' , for 500 iterations with sha1.

They were banking on CBC mode requiring the IV for all steps of decryption to see if the password was correct, so they assumed that they were using PBKDF2 with 1,000 iterations. The attacker saw that they didn't understand CBC correctly, and that they used PBKDF2 weirdly, and so they entirely ignored the '1PasswordIV' + 'Password' for 500 iterations step, cutting the amount of effective iterations in halve.

The problem would not have arisen if the 1Password people correctly understood CBC mode decryption, or if they did something like

'1Passwordsinglesalt' + 'password', for 1002 iterations with sha1

and took 256 bits from the last two iterations as their output, using the first 128 for the IV and the last 128 for the key.

Or if they didn't generate the IV from the password at all, and used 1000 iterations for the key. Or if they used sha256 and a single call the PBKDF2, then split the final iteration as I described previously.

OpenSSL allows PBKDF2 to output as many bytes as you tell it to with a single function call, but I am not sure exactly how they achieve that. I should test it and see if it is just hashing x times and discarding the remainder. Considering the OpenSSL implementation of PBKDF2 is likely by far the most commonly used, it seems like this could very well be a flaw in OpenSSL that extended to 1Password.

After reading a bit more about the technical details of this attack, it becomes apparent that it is hardly really a flaw in PBKDF2 though. It is a flaw in the way they used it. If they used it with a cipher in CTR mode this attack would not be possible. It is really a pretty subtle attack, I would have definitely overlooked it myself because I always thought in CBC mode the IV influences every single block, but looking at the Wikipedia diagram of it I can see now that this is only the case for encryption, not for decryption where only the first block is affected by the IV. I would expect a professional cryptographer to never make such a mistake though, or even someone implementing something using CBC mode, as I would hope they look at the diagrams on wikipedia first at least. In CTR mode the IV influences every single output byte, for encryption and decryption. So their mistake was in using two calls to PBKDF2, with one for the IV, when the IV is not required to determine if the key is correct in CBC mode decryption.

Also it seems like he could have used the first set of output bytes of the KDF as the IV and the second set as the key. Then attackers would need to generate the IV associated with a password before they could generate the key associated with it. Or he could have even not generated the IV from the password, and doubled the number of KDF iterations. the IV doesn't need to be secret, and probably shouldn't be based on the same password that is used to derive the key anyway.