Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - kmfkewm

Pages: 1 ... 90 91 [92] 93 94 ... 249
1366
to all the people bitching....WELCOME TO RESEARCH CHEMICALS MOTHERFUGGAZ.

1367
Silk Road discussion / Re: Where do the drugs come from?
« on: March 27, 2013, 11:41 am »
Almost all research chemicals originate in China, most synthetic drugs also originate in China, if not the finished product at least the precursors.

1368
Silk Road discussion / Re: Beware my fellow SR's
« on: March 27, 2013, 06:39 am »
Also I just ate so you can keep your word salad :).

1369
Silk Road discussion / Re: Beware my fellow SR's
« on: March 27, 2013, 06:36 am »
Thing is I honestly don't know or give a whole lot of a shit if they are police, I like the SR community and have been here for a good while now, don't use the marketplace of SR and have no plans to use the marketplace of any other site. I am just commenting on it from what I can gather, and although I agree it is entirely possible they are LE , I just don't see the red herring that you seem to see that makes it so they *obviously* are LE, and my honest opinion is simply that you have nothing but a gut feeling to go off of. That said, LE did run a drug forum once, and it was apparently their knee jerk reaction upon discovering the existing drug forums, so it seems like not much of a stretch that they would do the same in the case of public drug dealing websites. However, this new market is a hidden service (the FBI forum blocked access via Tor and said only scammers use it), they allow messages to be encrypted with GPG (even adding a potentially worthless automatic encryption feature, hopefully nobody relies on it, but I am sure almost everybody will, which sucks, as it is quite possibly completely worthless, but better than nothing I suppose) and they allow anybody to be a vendor. None of those things pop out and say police to me, although having all of those things also doesn't pop out and say not police to me, only potentially not police. Just my two cents :D.

1370
Silk Road discussion / Re: Beware my fellow SR's
« on: March 27, 2013, 06:09 am »
It looks like they allow anybody to be a vendor. That makes me suspect that they may not be LE, although it certainly doesn't prove anything at all. If they didn't allow anybody to be a vendor then I would certainly suspect that they are LE. As long as they allow anybody to vend, it shouldn't matter too much if they are LE, because real security is and always has been in the hands of vendors and customers. Having a secure site helps too, but it certainly isn't a requirement, or even something that you should count on. So long as they allow anybody to be a vendor, we can conclude that it is not likely for all of the vendors operating there to be FBI. At this point, although not writing off the notion that they could indeed be LE, I am more inclined to worry that they may be scammers. I doubt that they have a much more secure system than SR, if at all, despite their claims, although it could be possible they have hardened the server a bit more (again, this shouldn't be a whole lot of concern to customers or vendors , provided they are actually making their own security and not foolishly relying on a server to give them security). I see they have some innovative features, the most interesting that I see being automatic encryption of orders and messages to vendors public keys. That wont do shit to protect from an attacker who is already in control of the server, and most certainly shouldn't be relied upon, but in the event that the server is legitimate currently, it will provide forward security of all messages (which means messages sent prior to a compromise will not be compromised, provided it is implemented correctly). SR claims to delete all messages / orders I believe, but I would be more confident in an automatic encryption system that never has plaintext leave memory honestly, in either case the end goal is the same but data recovery off a platter that hasn't been wiped with something like secure erase is much more plausible than breaking a ciphertext that hasn't had its plaintext ever stored on the disk. I believe SR also runs everything out of a mounted encrypted container, and while this is arguably better than nothing, from a technical perspective I have to say that in this particular area I think Atlantis has a more *potentially* secure system (having vendors upload public keys and encrypting all messages that are not already encrypted with that public key). I would actually like to request that SR adds this feature :).

That said the one certain thing that SR has that this site does not have is a history of not running away with all of the Bitcoins in the escrow, and that is something to keep in mind before considering using an alternative marketplace (and its escrow system). Also, it is feasibly an FBI sting still, it is widely known that very few people actually encrypt their addresses on SR (for fuck knows what reason), and if the FBI is in control of a server that has a lot of unencrypted addresses going through it, they could harvest them and lead a significant international bust. But since anybody can vend, we can be pretty confident that not all vendors are LE, and provided the vendors and customers use proper security themselves, it should be roughly no more or less safe than SR , from an LE perspective (provided they always let anybody vend, and of course that customers and vendors are being secure themselves, something that they may be banking on not being true. Also I suppose they could try to MITM GPG key transfers, but it should be just as possible to detect such behavior there as it is here, although if we already have faith in SR it seems like a bad idea to put faith in a competitor site, as the more faith you put in the more things the more likely you are to end up fucked...).

1371
Silk Road discussion / Re: Guy claims to know public IP of SR.
« on: March 27, 2013, 04:50 am »
Honestly regardless of the truthfulness of this particular story, I am a bit disgusted that peoples first reactions are "LIES" instead of "Possible compromise". Especially given that so far everybody commenting on why it is impossible obviously doesn't know what the fuck they are talking about. Professional Penetration Tester is a real job title for white hat hackers, people who would be the ones trying to deanonymize SR by hacking into it (aka: penetrating it) rather than via tracing through Tor (those people would be called Professional Traffic Analysts). Making fun of what he called himself just shows your own stupidity and lack of understanding of the technical community.

I sure hope nobody has compromised SR, but that attitude that it is impenetrable is completely wrong (VERY LITTLE software has been mathematically proven as secure from hackers, and even the software that has been proven to be is only proven to be when a large set of unproven assumptions have been met. Even life critical software is usually not mathematically proven as secure, although it is often crafted with stringent coding standards and intense auditing). Additionally there wouldn't need to be a new exploit for Tor found, strictly speaking an attacker could hack the instance of Tor on SR to obtain its real IP address, or they could hack any of the other available routes to its real IP address, Apache comes to mind. Or it could be from a misconfiguration of something and not require any hacking at all. And there wouldn't even really need to be a new attack on Tor found, there are somewhat practical traffic analysis attacks against Tor that stand various chances of deanonymizing hidden services by themselves.

Anyway that is all I have to say on the matter, I just hate to see people having a default sense of invincibility, it is something that often precedes one being shown that they are incorrect.

1372
Silk Road discussion / Re: Guy claims to know public IP of SR.
« on: March 27, 2013, 04:36 am »
I believe this is false.
Im no expert in the field of computers but how could a public IP have been revealed if all is done over the tor network? DPR specifically said himself that the update was taking longer than expected because he was uploading to the tor network.
Ah whatever. I'm not worried. I trust that DPR has taken the correct precautions.
Also I don't believe this guy because what is he trying to prove? Simply that he has this data? Why the hell you (this reddit user) gonna post it on reddit then?
He appears as if he wants to help the community, yet is willing to post information about such a vulnerability on a very public site! In my opinion it's a troll. If he really wanted to help out he would of contacted DPR and NOT have posted anything.

Just doesn't add up...but you never know!

It is totally possible to get a hidden services IP address by hacking into it, or by it leaking its real IP address if it is misconfigured. One Tor hidden service had a forum with registration that sent confirmation E-mails directly without using Tor, as an example of a misconfiguration leading to deanonymization. Several CP hidden services were hacked into by the Dutch police, leading to several people being arrested actually (apparently they were hosting the servers out of their houses !!). The servers they hacked into but couldn't deanonymize were using virtual machine based isolation, and they resorted to just zeroing them out and posting warnings, as they couldn't break the isolation.

I would really hope that a site like SR is running its web server in a virtual machine that isn't aware of its external IP address, anything less than that would be somewhat foolish really given the high priority of SR. Even in such circumstances it is possible to deanonymize the hidden service by hacking out of the virtual machine, but it becomes substantially more difficult. Using a virtual machine to isolate the web server not only virtually ensures against misconfigured servers leaking the IP address, but also makes it substantially more difficult for hackers to find its real IP address, and for this reason it is very strongly suggested to run hidden services in this way. The server may also leak its real IP address via a php info page, that is the first thought that comes to mind after reading this guys post, but a quick check doesn't reveal such a page at its default location anyway. If it is true, my first guess would be that SR temporarily had a phpinfo page up and it displayed its real IP address.

Also to the people saying SR server changes its IP address at the rate of a bazillion or whatever the fuck times per second, you clearly don't understand how Tor works. Yes, hidden services will appear to have a different IP address to (mostly) each person that accesses them, sort of, if you count their final node as their IP address. But they still have a real IP address as well, and it is actually possible to trace hidden services through Tor with a bit of work (having law enforcement credentials makes the last step much more feasible though).

edit: Actually, given that he said he got its IP address when it went down for maintenance, there are two other scenarios I can imagine. If SR runs as a Tor relay it would be vulnerable to downtime-uptime correlation of the Tor relay and the hidden service, which could deanonymize it (or at least give someone a good guess of its real IP address, which could then be further confirmed with various known remote attacks on Tor). Also it is possible that they hosted with a company that had known down time correlating with the down time of this specific website, in which case the attacker could at least significantly narrow in on where it is being hosted, although they would need to take additional measures in order to get a specific IP address.

 Anonymity and security are hard, complex, complicated and highly specialized fields , and to think that just running as a hidden service magically makes you completely invulnerable is extraordinarily naive.

1373
Security / Re: LE manuals?
« on: March 27, 2013, 03:50 am »
usually you can upload with a false extension and upload whatever the hell you want even if the extension you want isn't allowed.

1374
seems like it would be easier to just store them all encrypted on a Truecrypt container or something. Getting the keys again each time does make you weaker to MITM attacks.

1375
At least I have shipped something international with UPS once and the form required phone number of myself and the recipient. I put fake numbers for both. Package made it through fine although it only had cash in it. Might be best bet to put a real number for both, but not a number associated with either of you obviously, and a cell phone number if possible so it is not tied to an address that does not match where the package is being shipped to.

1376
Shipping / Re: Tacking packages will get your ip-adress?
« on: March 22, 2013, 03:07 pm »
tracking is tricky. Checking it with Tor is a good way to get a package flagged, checking it without Tor is a good way to get your IP address associated with an illegal package. One option is to try one of the third party tracking proxies and hope they do not forward on your Tor IP address, another option is to use open WiFi from random location although even that can be fingerprinted and seen as suspicious and flag worthy.

It is a tricky question too because checking tracking can save the day if you have a box registered to a fake ID. I have seen them say right on tracking that a package has been seized , if going to a fake ID box that means you just drop the box and get a new one.

1377
Sounds like the vendor is just an idiot. I am pretty positive that you often are required or asked to give a phone number when shipping things internationally. Of course it doesn't mean to give your real number.

1378
Security / Re: HackBB has been hacked !
« on: March 22, 2013, 07:16 am »
shit how did they get past all the script kiddies

1379
but what would they have from giving away addresses? they cant know what it is used for. also feds cant start investigating because of some company giving out addresses which they dont know what they are for. its not profitable for them... yet i have not seen anyone got busted for using these companys. and i feel it is needed to be proven before making things up. Im not a professional but as far as i know these companys encrypt the datas and cant even see em themselves. If that wasnt true im quite sure hackers would have already giving out some warnings.

Several scenarios are possible. the feds could hack into SR or otherwise take control of it. The customer sends the vendor his address with a privnote link. Feds intercept the link at the server, get the customers address, make a new privnote message that is identical and forward it on to the vendor. Now the vendor sends drugs to the address and the feds have already identified it, intercept the product and raid the customer. That seems like one of the most likely scenarios. I am still not used to these new javascript based website encryption services, they seem to be a slight improvement over how hushmail was doing things with javascript (in that Hushmail was still sent passwords to asymmetric private keys, afaik privnote is entirely symmetrical with single use keys that are hilariously presumably to be sent through cleartext channels), but I am sure they are full of holes. One hole in particular is that they are constantly sending the javascript app to the client using it and unless the client constantly verifies that it is legitimate they could send a bugged version. There is also the entire "you are presumably to send the symmetric encryption key through a non-encrypted channel" detail, which I find to be a bit hilarious. I mean, asymmetric cryptography is weak to MITM as well but I think not to anywhere near the same extent as something like privnote, especially considering vendors here can post public asymmetric keys publicly and verify them, but you cannot very well post a one time use (or any time use) symmetric key publicly.

Quote
And if it was true it would be an easy way to get someone in trouble. Just post his address 20 times a day and watch him getting raided. i believe these speculations have no real ground to it and should be avoided until proven.

You assume that merely having your address go through privnote would be enough to get you raided. This is highly unlikely, although an address found from privnote may be note worthy it is certainly not enough by itself to warrant much. However, the real risk is that the attacker will take over SR server and do massive MITMing of privnote links in order to enumerate the addresses of all the customers using privnote. Considering protecting from an attacker who pwns the server is the goal of using asymmetric cryptography, it seems like a good indication that you should not use privnote as a replacement for asymmetric cryptography if privnote cannot protect from such an attacker.

Quote
Hushmail clearly stated in their tos that illegal use is forbidden and will be investigated. the one who overreads this its his own fault.

Prior to Hushmail handing over many DVDs worth of E-mails to the DEA, they had no such warning. They acted like they were invincible and were a proper implementation of and replacement for traditional user controlled asymmetric cryptography. Only after Raw Deal did they point out that they cannot actually protect from law enforcement level attackers. This is a common trend actually, you could look at the hidemyass VPN service as well (several VPNs have fallen into the same pattern actually). These services all offer weak protections that were never really intended to stand up against strong attackers, however they need to market their shit so they make really big claims or imply that they can offer strong security or anonymity. When the house of cards comes tumbling down, usually at the hands of law enforcement, these companies shrug their shoulders and call their users idiots for thinking that their company could really withstand law enforcement level attackers.

Quote
Anyway i will keep using privnote. i feel its even safer than pgp. because like i stated in another thread - if someone other than the seller reads these information, then the seller cant read it anymore. so u can know for sure there is something wrong and prepare for it. Something u cant know using pgp i think
If such companys have success with their services it would be dumb to give out addresses or whatever as it would kill their reputation in one day and nobody would use it anymore. I cant believe these rumors, im sorry.

Privnote is certainly not safer than properly used GPG. As I pointed out, an attacker who pwns SR server will intercept the privnote link, read it, copy the message, make a new privnote link to the copy of the message, and let that message get through to the vendor. Nobody can tell that the real message has been intercepted and read by an unintended party. Additionally, you cannot know shit with privnote either, all you can do is have faith in a company. There is no law of mathematics that says privnote must destroy their messages after they are read once. You sound like you may be somewhat interested in the Vanish network, it stores messages for some period of time and then makes them impossible to decrypt at a later date (of course you should additionally encrypt these messages with GPG yourself, Vanish is mostly theoretically useful for protecting from laws regarding encryption keys in countries like the UK). I have not looked at it for quite a while now, last I checked it fell victim (at least theoretically) to a Sybil attack , but they had plans to fix it up I think. Anyway I just throw that out there as something to look into.

Anyway you just need to look at farmers market to see that people kept using Hushmail even after it was known that they will at the drop of a dime hand over as much information to law enforcement as is requested. There are always idiots willing to have faith in the promises of a company, even after the company has been debunked. VPNs turn on their users on a regular basis but they don't go out of business for doing so. The simple fact of the matter is, we have a decade of experience pointing to the fact that companies break under little pressure, the laws of mathematics and well thought out security policy do not buckle to anything.

Quote
At the end of the day feds cant raid everyone for uploading their address to a site. and as your house should be clear of all illegal things nothing can happen to you anyway. as long as u r not hording drugs in your house u should be safe. If they ask u - never forget anybody can use ur address as a drop, u dont know anything. They have to prove it was you ordering. if ur not a pussy giving it all away urself there is nothing to be worry about in my opinion.

As I already pointed out, the feds / police will not use the address by itself as proof of anything. They may use it as an intelligence lead in itself, something leading them to watch the address perhaps looking for other signs of illegal activity. The more worrying thing is that they will intercept the link to the privnote post as it goes through SR server and MITM attack. When they see the customer place an order with the vendor, and then send the vendor the privnote link, that will be enough to use the address the privnote link posts to as evidence of a drug law offense. Also it is quite likely they will do a controlled delivery, and history has shown us that if you accept a package and open it , that is usually enough for them to prove that you ordered it in court.

Quote
most of the drugs getting sold here are self-use drugs not meant for selling. this fact makes it very unprofitable for feds to go after these addresses. one special officer costs more an hour than the average package that gets send from here.

Seems to me that you are merely justifying to yourself the fact that you are too lazy to figure out how to use proper security measures. Either that or you are trying to lead others astray. The fact of the matter is that drugs are still illegal and ordering drugs via the mail is a federal offense. The feds probably do not care about the person ordering personal use cocaine from this site, but in the event that they obtain proof such a thing has happened, it is quite likely they will forward this intelligence on to your local police department. And they are likely to try to arrest you. Most people in prison over drug charges are there over personal use amounts.

Quote
Anyway its late and i might be wrong with some points as i didnt thought them all through. just my 2 cents dont take it to serious :)

Don't worry, I wont.

1380
Maybe I'm missing something, but if SR get's hacked they lose a bunch of money and their reputation. They have a strong incentive to be state of the art secure.
Another app to further encrypt something that's already encrypted and unless open source and widely reviewed for security, seems to me to decrease security, not increase it.

Well, obviously nobody tries to get hacked... and I don't think this is tied to SR at all. It's just PGP related. I don't know if your claim that it's already encrypted is accurate, either, but it may be.

If somebody, either being too young and naive or lazy (pick your poison) doesn't want to use a windows program (PGPwinn) to encrypt something sensitive (like an address) I tend to feel you can't 'save' this person anyway.

The difference is the keys are available remotely. You can't go to somebody else's computer and have your keys be there. With this, they would be. What we're waiting to hear is how that could be done provably securely.

it is provably secure to do it with password based asymmetric key derivation , provided the password is entropic enough.

Pages: 1 ... 90 91 [92] 93 94 ... 249