Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - kmfkewm

Pages: 1 ... 86 87 [88] 89 90 ... 249
1306
a dictionary

1307
Security / Re: Any security flaws in this SR business?
« on: April 06, 2013, 08:30 pm »
Someone who is me

1308
Shipping / Re: Howto buy MBB anonymously
« on: April 06, 2013, 06:33 pm »
I think it doesn't matter if someone selling legal or illegal things is selling these bags. The last thing we want is a centralized compromisable node that has the address of every single vendor using MBBs. That goes against security in a very strong way, it creates a single point of failure and no matter if vendors get things shipped to fake ID boxes or not getting product is always the most risky part of this business. For customers it is less risky because they only need to worry about interception for the most part, for vendors there is a concentrated effort to fuck them and having all the vendors ordering bags from a source or even sources on SR is just absolutely horrible for security and I have no doubt whatsoever that it will lead to arrests sometime down the line, regardless of the legitimacy of the person currently selling them. Decentralization is one of our biggest security assets, don't throw it away by linking yourselves to a single point of failure.

1309
Security / Re: creating an onion website
« on: April 06, 2013, 03:18 pm »
The first thing to do is to pay for a server anonymously. You will want a dedicated server for the best security. There are several hosts that accept payment in Bitcoin, Liberty Reserve, Pecunix, etc. You need to make sure that the payment is as anonymous as possible , to prevent anyone who deanonymizes the server from being able to link it to you. Most hosts also accept bank wires and/or western union, and you can use exchanger services to send payments with these services from Bitcoin etc. Also, it can never hurt if the server is offshore in a country that is not known for their cooperation with the world police, Russia is a generally good bet, Panama as well. Of course you need to register with fake information, you will also likely need to get by various systems that try to prevent anonymous registration that are in place to prevent fraud and other illegal usage. Thankfully these systems are generally easy enough to beat. You may need to answer a text send to a phone number in the country that you are pretending to be from. When I do this I just ask a friend in said country to get a burner phone for me. You also may need to hide that you are registering with Tor, this can be accomplished often times by using a free web based proxy service after your Tor circuit, many of these services change very rapidly and never get listed as proxy services in block lists. Actually obtaining the server anonymously is one of the most frustrating processes involved.

You will likely be given a choice of operating systems when you buy the server. Alternatively, and more ideally, you will buy a server with KVM over IP which will let you remotely install the OS of your choice from an ISO. It is much better for security if the server you get supports KVM over IP and lets you install the base operating system. This is also superior in that it will allow you to use FDE, set a BIOS password, etc. Anyway, in regards to the OS you select to use, there are a few choices. OpenBSD is always a good choice, but it doesn't have good virtualization software support for it, so for my example we will choose to not use it. FreeBSD is another good choice, and it supports jails which allow for isolation so if you want isolation it is a superior choice to OpenBSD. The OS that you select will have an affect on the overall security of your hidden service, and different operating systems have different benefits and disadvantages. For running everything on baremetal without virtualization, OpenBSD is the way to go. FreeBSD has jails support as well as an extensive mandatory access control system that will let you fine tune your security to a high degree, provided you take the substantial time required to learn how to use it. Hardened Gentoo is probably the best choice for a Linux OS, in addition to having many of the security features of OpenBSD, it also supports virtualization and has support for extensive mandatory access control systems. However, it is also the hardest of all previously mentioned systems to use, and if you are not already well versed in it then it will probably be extremely frustrating or impossible to use for this. So for someone who is relatively new to this sort of thing, I would suggest Debian or maybe even Ubuntu.

The first thing to do on your server is to install the operating system (if it is KVM over IP, otherwise you will be able to SSH into it right away) and setup basic things like SSH. Of course you should do all of these things over Tor. If it is KVM over IP you will want to encrypt the entire drive immediately, possibly during installation if it is supported by the OS. If it is not KVM over IP you will not be able to use FDE as you do not have access to the boot sequence. Additionally, you will want to set a BIOS password. Preferably you also get a server that has chassis intrusion detection support, in which case you will want to configure the server to shut down in the chassis is breached. This is probably an option in the BIOS settings, which you will again need to have KVM over IP to access. Now we will assume that you have the initial state of you server setup, and can SSH into it.

For security you will want to configure SSH to use RSA instead of password based authentication. Now it is time for basic hardening of the host OS, which you can do with a script such as Bastille. Also, make sure to fully update the OS so that all known security vulnerabilities are patched. The next step is to install VirtualBox. You can control VirtualBox entirley from the command line, although I am not going to get into the exact commands to use here. For your guest OS you can opt to use Debian or Ubuntu as well, although you can also opt to use OpenBSD or similar. The security of the guest OS is not going to be as much as if you ran it on baremetal, but by running it in a virtual machine you will be able to isolate successful hackers from compromising the host system as well as prevent them from obtaining the real IP address of your server. Whatever OS you choose, install it in the guest VM. Make sure that during installation the guest VM has no access to the internet.

 At this point you should install Tor on the host OS. For the guest VM networking you want it to use host only routing. This creates a virtual network adapter when the VM is running, usually its default internal IP address is 192.168.56.1 . Now you need to modify your Torrc and make SocksListenAddress 192.168.56.1 or whatever it happens to be. Set SocksPort to 9100 or whatever you like that is available. Now after launching the VM you can launch Tor, and it will bind to the virtual network adapter. At this point you can configure the guest OS to route its traffic through Tor, which will likely require Privoxy or some other solution for http traffic. You will need to individually torrify all of the applications which require access to the internet. apt-get is one of these. After you have torrified apt-get (or whatever package manager) you will need to update your guest OS and make sure it is fully patched. You should also run Bastille or similar in the guest OS for general server hardening.

Now you need to install the web server. I suggest avoiding Apache and going for a smaller lighter weight alternative, Hiawatha is what I have always used and I have not had any problems with it. It also was designed with security in mind, and to be light weight. At this point there are two choices you can make, either you can use the Tor on the host for your hidden service, or you can run another instance of Tor inside the virtual machine and route its traffic out through Tor on the host. I believe that using Tor via Tor in this manner will increase your anonymity, although it isn't going to remain supported by Tor. So because Tor wants to restrict its functionality, we will use the instance of Tor running on the host. You need to bind Hiawatha to the virtual network adapters internal IP address on whatever port you want to.

Now from the host you need to configure Torrc to have the following lines:

HiddenServiceDir /some/path/to/a/folder/on/host/for/the/keys
HiddenServicePort 80 whatever.virtual.adapter.ip:port-hiawatha-listens-on

now restarting Tor should put the hidden services host name and keys at the HiddenServiceDir path. Connections to that hidden service address on port 80 (ie: the port firefox uses by default) are then redirected to the port that hiawatha in the gust VM is listening on on the virtual network adapter. At this point you should have basic hidden service functionality. Now it is time to harden things up a bit. First of all you will want to look into Suhosin for hardening your PHP up. You may also want to look into various other things such as SQL filters. You can configure whatever you want now just like a normal site, you don't really need to worry about your IP leaking either because the guest VM is incapable of sending traffic outside of Tor and it also doesn't know the hosts IP address to begin with. If an attacker compromises the site they will be stuck inside the VM , which is not good news, but it is much better than if they get to the host. There are a lot of other advanced measures you can take as well, perhaps you use SElinux or similar on the host to further isolate the guest VM for example. If you do this, the attacker will first need to pwn your hardened web server / site / guest OS, then they will need to pwn virtualbox and then they will need to pwn SElinux to get to the host. That is not in the realm of things the FBI or DEA can do, but the NSA probably can, although they don't give a flying fuck about your blog.

This is just the basic run down, the most important step IMO is to isolate the web server from Tor and your real IP address. Once you do that and have done basic hardening etc everything else is just icing on the cake really. There are almost no limits to the ends you could theoretically go to in order to maintain your servers security and anonymity, it is a spectrum that starts somewhere around using Windows Server and a remote desktop GUI and ends somewhere around writing your own mathematically formally verified system from the ground up and putting a modified version of Tor that uses ten nested entry guards between it and the rest of the world.

1310
Security / Re: Show your love for LE here!
« on: April 06, 2013, 12:13 pm »
Sure police have downsides and upsides. On the upside they will allegedly help you if you are burglarized, raped, robbed, etc. They hunt down murderers and child molesters and all kinds of fine shit that is overall quite good for society. On the other hand, they ruin peoples lives over drug crimes, they enforce censorship laws ruining peoples lives over information, they protect the interests of a corrupt power elite that is only concerned with itself and not with what is best for everybody and morally acceptable, they do all kinds of nasty shit. The thing is that these behaviors can be separated! If Bob the plumber fixes my broken toilet then he did a good thing , and since I am not a plumber maybe he even does something that society requires to function at its current state of efficiency. On the other hand, if Bob the plumber fixes my toilet and then ass rapes me , I am not going to defend Bob the plumber on the grounds that he does something good for society as well. Rather, I am going to strongly suggest that we fucking kill Bob the plumber, and replace him with Joe the plumber who does not ass rape his customers. Law enforcement as a theoretical construct is fine and dandy, perhaps even indispensable for a good section of society. The law enforcement that we have in practice, in every single country in the world, is like Bob the rapist plumber. They do not need to be apologized for on the grounds that they offer services that society can not do with out, because these services could just as well be offered by people who are not vicious fucking slave traders. Nobody is really saying fuck law enforcement in general, we are saying fuck these plumbers who ass rape us after fixing our toilets, let's kill them all and replace them with some new plumbers who don't ass rape us after fixing our toilets. 

At the end of the day we are far too passive. We are far morally superior to our enemies, they attack us mercilessly and unprovoked, and most of us are too afraid to even say that they are evil in doing so. Rather, many of us try to apologize for them, we make excuses for what they do, it is like saying Bob the plumber is a damn fine plumber so who cares if he rapes his customers? It is like saying Bob the plumber is just doing his job, who cares that in the process of doing his job he rapes his customers. I think the issue is that psychedelic users in particular tend to be pacified by the drugs they consume, it gives some people a more childlike mentality of naivety and always trying to see the good in things. Don't let that personality profile turn you into a fucking Nazi apologist.

1312
Shipping / Re: Howto buy MBB anonymously
« on: April 06, 2013, 08:11 am »
Something that might work?:

Get a business to stock them for retail sale. Have someone talk a business, possibly in a nearby - rather than your own - town, into selling them. Indoor horticulture supply outlets, headshops, glassblowers,... come to my mind. Choose a national chain and you might help many people with this issue. Could be a bad idea? Anyone see a problem?

This is a good idea. Being able to buy the bags at local stores with cash is the ideal solution, less than ideal is buying them from sites that have NOTHING to do with SR (as in, are not even suggested on SR), and having them sent (preferably a ton at once to not have to repeat the process) to a one time use fake ID box or random mail box not linked to the vendor. Nothing else is acceptable imo.

1313
Shipping / Re: Howto buy MBB anonymously
« on: April 06, 2013, 08:08 am »
Vendors are selling MBB's. ;)

PlutoPete is one.

http://silkroadvb5piz3r.onion/silkroad/item/3e10560aef

Yea, but now I need to trust the vendor.



Your welcome.
If you cant trust a vendor....then you maybe shouldn't be on SR... ;)
Where are my manners, thank you.

However, I am a vendor and anonyminity is imortant.
I'd have to supply some fake address and even then somehow get my hands on the package.

Now let's say that the lot number on those packages is used as tracking.  LE buys from me, gets the lot number and now has a buyer account, and an address.  Sure, it may not be a good address but it may be a start.  I'm just trying to be safe here.

Don't order from your vendor account. Use a dummy account, then Pluto will know you're ordering because you are probably a vendor but what one of the fucking hundreds that use this place daily.

If you can't trust Pluto (the founder of the MBB's on here), the guy who brought MBB's to use to make it safer for vendors and customers, then you shouldn't be here.




LE are not after the small time here. If they are even actually doing anything about the site, they will be trying to shut it down completely, catch DPR and probably the biggest of the vendors.

Your logic is completely flawed. For all we know Pluto brought MBB here simply to get vendors using a product that is hard to come by locally, so they would all give him shipping addresses that can be put under surveillance in order to bust a ton of vendors. We cannot assume the best about people in this trade, or give anybody the benefit of the doubt. Simply ordering MBB, even if from a throw away buyer account, is enough to signify that you are a vendor and warrant further attention, such as surveillance of the pick up spot / box. Also, I love how when customers worry they are told LE is only after vendors, and when vendors worry then they are told LE is only after DPR. I am sure when DPR worries he will be told that LE is only after Mexican Cartel lords. This is not a good mentality to have, it is the mentality of those who get busted.

1314
Shipping / Re: Howto buy MBB anonymously
« on: April 06, 2013, 08:04 am »
Vendors are selling MBB's. ;)

PlutoPete is one.

http://silkroadvb5piz3r.onion/silkroad/item/3e10560aef

Yea, but now I need to trust the vendor.



Your welcome.
If you cant trust a vendor....then you maybe shouldn't be on SR... ;)

From the point of a customer yes, but we absolutely cannot allow vendors security to drop to that of customers or else they WILL get busted. Everybody agrees that LE is really after the vendors, what better way to identify all of them than to be the number one seller of bags that only vendors buy? I cannot stress enough that vendors should not buy shipping materials from other vendors on SR, it will quite definitely turn out to be the Achilles Heel of SR.

1315
Honestly it is an absolutely horrible idea for vendors to all be ordering bags from people on SR. If a single one of them turns out to be a fed they could potentially compromise a shit ton of vendors. I wouldn't even feel safe getting these bags off SR sent to a fake ID box, it is just way too huge of an attack vector for identifying vendors. Either buy them off clearnet sites not linked to SR or suggested on SR and sent to fake ID box or similar, or try to find a local store that sells them. The last thing we need is all the vendors on SR buying their shipping materials from the feds, and I absolutely guarantee you that even if they are not yet, if MBB catches on and people are all buying them off SR, the feds are going to be the number one sellers. It is just a new take on their VPN tactic of getting all the people on a forum to use their VPN to identify them, except in this case it will be getting all the vendors on the forum to buy MBB from them to identify them. I cannot overstate how serious of a threat this could end up being if vendors do not take every precaution when obtaining these bags, and that includes imo never buying them off SR or from sites linked to off SR.

1316
Security / Re: Apple iMessage vs DEA
« on: April 05, 2013, 02:03 pm »
Stupidest shit in the world. I just read about the technical specifications and it looks like the only encryption used is TLS. That means the link up to apples server is encrypted. Could it stop the feds from wiretapping at the local level (ie: observing only your link to the server)? Maybe, if they can't MITM it anyway. But it is completely irrelevant because they can wiretap at apples servers. For one, Apple will immediately bend over backwards for the feds and allow them to tap anyone they want to , especially if the feds have a court order. And for two, we don't even know if Apple keeps logs indefinitely allowing the feds to retroactively tap into the communications. Essentially it is as secure as AIM, XMPP, IRC or any other instant message protocol that allows for TLS encrypted links.

So in short, either the feds complaining about not being able to tap this are fucking hopelessly retarded and should all be fired for being incompetent fuckwads, or they are cleverly trying to get idiots to think TLS links to major American corporation servers are enough to protect them from the feds. Most likely it is misinformation purposely released by the feds.

1317
Philosophy, Economics and Justice / Re: Legalize it, poll shows
« on: April 05, 2013, 12:07 pm »
+1 America!

Sweet now they are at only -99999999999999999999999999999999999999999999999999999999999999999999999999999

1318
Security / Re: Mobile Broadband Untraceable?
« on: April 05, 2013, 08:48 am »
they can still be triangulated

1319
Security / Re: COPS AT MY DOOR.
« on: April 05, 2013, 05:53 am »
Well shit. This thread has my blood pressure up for sure. Ordered MDMA a few times from Canada. Actually, I thought Canada >> US was the easiest on customs. Maybe I was wrong :( Definitely will be cleaning house with this next shipment, just in case. At least with a clean house I know I can handle the cops with a clear conscience. As in keep my mouth closed and keep my nerves under control. Honestly, assuming you're about to get caught is probably one of the best ways of keeping on your toes. This thread has actually kind of reminded me that I have grown lax.

Good luck, op. Keep us updated.

I know about the seizures of MDMA from Canada, at least from one vendor, not sure if it is the same one you guys are talking about though. All of those orders were for multiple kilos of MDMA, and he kept sending out more packages even after he kept getting them seized. I think a lot of people were busted from this, although some of the smarter ones used fake ID boxes and were spared.

1320
Security / Re: How safe is TOR really ??
« on: April 05, 2013, 04:08 am »
you also need to take into account that when clients fail to establish a connection to a hidden service, the user tends to hit refresh and try again. So when you take hundreds of users trying to establish a connection * Tor retrying to establish a connection several dozen times * the user refreshing and restarting the process , that = thousands and thousands of cryptographic operations for the introduction nodes, but the hidden services entry guards only need to process one create cell per successfully established connection.

Pages: 1 ... 86 87 [88] 89 90 ... 249