Messages - kmfkewm

2086
Security / Re: Questions about LE/DPR
« on: September 18, 2012, 02:03 am »
Quote
1) How worried are you about law enforcement on Silk Road?

Personally I am not that worried at all as I don't purchase drugs here, having better and more trusted connections through alternative channels with whom I have done business for several years. From the perspective of a vendor working here, I would not feel exceptionally worried about law enforcement provided that I follow all of the suggested security protocols. It will be extremely difficult for a vendor who does not cut corners in the security department to be busted. Tor is quite decent anonymity and all indications show that the federal police and interpol are incapable of even deanonymizing hidden services, let alone regular clients. GPG offers encryption algorithms that are very widely recognized as unbreakable when proper key sizes are used. Even man in the middle attacks of key exchange are greatly frustrated due to having a publicly viewable anonymously accessible communications channel. I am not aware of the specifics of how the server has been secured, however it is a Linux server and DPR at least knows how to run Tor hidden services and write php so it is probably not extremely insecure, at the least. In fact if the server is insecure it only makes a huge difference for people who do not encrypt their addresses, and security is the responsibility of the person who needs to be secure so people should not be relying on a secure silk road server nor do they really need to do so.

Additionally it is apparent that we have the knowledge to send packages without leaving forensic trace evidence on them, and with further precautions being taken we can prevent being linked to the packages via technical means (ie: not carrying phones when dropping packs off prevents location based crowd intersection attacks that rely on knowing where multiple packs were shipped from plus having access to cellphone geopositioning data). A lot can change in several decades, but even the Unabomber who was mailing explosives and killing people was not traced through the mail. Additionally several intelligence operatives have shipped package bombs to assassinate targets and I have not heard of any of them being traced. Even the Anthrax shipper, although allegedly identified, was only identified after a multiple year investigation costing hundreds of thousands of dollars, involving not only the mail but also a presumed limited crowd size and much more intelligence than was obtained via investigating the mail. Someday perhaps the feds will be able to use technology to scan large percentages of mail in the system for contraband, however  even this is not a threat to vendors.

Cashing out Bitcoin anonymously is certainly the most difficult part for a vendor, and even this can be done with proper precautions. Mixing and especially blind mixing of bitcoins can at least cryptographically unlink the identity of a person cashing out bitcoins from a drug deal in which they were sent bitcoins from law enforcement. Immediately this helps in cashing out bitcoins anonymously and obtaining plausible deniability / unlinkability if ever apprehended. I would not rely on mixing alone though, as mixing does not hide that a mix was used and that is valuable intelligence indicating illegal activity in itself, even if it cryptographically unlinks the person who has mixed their bitcoins from any specific illegal transaction. Layering mixing with cashing out via fake ID and money wires or anonymously obtained debit cards will present extreme obstacles to any law enforcement attempts to follow the money to the vendors. Additional cash out techniques exist as well, layering money through multiple forms of electronic currency and exchangers in multiple countries (also through multiple types of traditional money transmission, via exchangers of course) + bitcoin + mixing + fake ID / anonymous ATM debit card cash out will be virtually impossible for law enforcement to untangle. Unfortunately adding so many layers to the cash out procedure can get expensive, but fortunately the drugs sold here are usually marked up enough that it can still be worth it to layer money through so many anonymity increasing hops. Another great technique is simply selling drugs that are cheap in your area at a markup on SR, and then using the bitcoins to buy drugs that are expensive in your area from vendors in areas where they are cheap, and then cashing out by selling the drugs locally. However that does add the risk of doing local face to face dealing.

So in summary, and to reiterate, I would not be afraid of law enforcement on SR if I happened to be a vendor here.

If I were a customer here I would be moderately more worried. Customers can take advantage of the same security enhancing technologies as vendors, but the major downside is that they can be identified by undercover vendors performing reverse sting operations and also their packages can be intercepted. There are technological solutions to prevent interception leading to arrest (in the form of interception detection technology), however this technology is not currently being utilized by the vendors here. There is no known technique (and probably no possible technique) to prevent an undercover vendor performing reverse stings from identifying customers who order from them, however the use of fake ID private mail boxes, and other techniques that create unlinkability between the customer and the point they pick their product up from, can be utilized to drain significant amounts of law enforcement resources. If we can get to the point that it costs thousands of dollars in surveillance / man hours to identify every customer ordering a ten strip of LSD then we may effectively be able to defeat law enforcement's attempts to do reverse sting operations, even if we have not actually fully protected from such attacks.

Indeed if you truly want your article to be fair and balanced you should point out that Silk Road and actually the entire online drug scene is/are great examples of how futile the war on drugs is. Law enforcement will never be able to identify or apprehend vendors taking the proper security measures, their best hope will be to bust small time personal use customers, after spending thousands of tax payer dollars on it. So essentially the war on drugs will eventually boil down to a bunch of thugs in the federal government spending thousands of taxpayer dollars (for their own paychecks) to bust mostly educated harmless people who contribute to society, in order to prevent them from privately enjoying in many cases entirely harmless (and in some cases even religiously/spiritually used) drugs. Your article should be about how the DEA is the worst organized crime syndicate in the world, and how its members should be charged with committing crimes against humanity and sentenced to long prison sentences (for which they should feel lucky to get!). The war on drugs is a complete disgrace and the people of the United States need to purge from positions of power all people who have contributed to the ongoing atrocities linked to it, preferably holding them accountable for their actions by severely punishing them. Even though this is unlikely to happen, at least know that we will never be defeated and that if SR is taken down twenty more sites will pop up in its place. Indeed the online drug scene will grow exponentially over the coming years until it becomes the standard channel through which drugs are trafficked. In an ideal scenario from an Agorist point of view, the profits created by this will lead to extremely sophisticated private defense agencies which will hopefully overthrow the police regardless of popular support.



Quote
2) What worries you more - Tor leaks, your Bitcoins being traced, or infiltration of SR?

I am worried that Tor hidden services are not as anonymous as many think, however I am not as worried about Tor clients. Additionally the police are apparently quite far behind the better security folks on this forum, and recently obtained internal law enforcement documents indicate that they can not trace hidden services. The tracing of the server would not be particularly bad although it could spell disaster for people who do not use GPG to encrypt their messages. It would also complete half of a timing attack against the participants of the server, however half a timing attack is not enough to deanonymize anyone and the attackers' abilities to deanonymize users would still be largely frustrated.

SR is of course thoroughly infiltrated, it is after all a public market. This is not at all a concern for vendors, the money of the feds is just as good as the money of anyone else after all. For customers it is a concern, however hopefully it is not worth the feds' time to attack small personal use customers. It is conceivable that they may do so in an attempt to disrupt the market, however thankfully the charges they could get to stick against these users are likely to be far less than the charges they could get to stick against the actual vendors (although you never really know, it seems that the state has complete control and they can essentially give someone as much time in prison as they like simply by adding more and more charges from a never exhausted supply of laws that must be broken in order to commit any individual crime. Also, the laws of today are severely outdated compared to the crimes of today, they could probably call all of SR one big conspiracy if they wanted to).

The anonymity of vendors cashing out is something that concerns me, however there are certainly several ways to securely and anonymously cash out bitcoin.



Quote
3) What do you think of Dread Pirate Roberts?

I think that he is fine :), he has done nothing that I see as bad and additionally we are both Agorists.

Quote
4) Do you think buying on SR is preferable to buying them in real life?

I hate buying drugs IRL. I much prefer internet sourced drugs. They tend to be higher quality and cheaper. Also the people selling them tend to be much more professional. Historically it has been far less risky to source drugs online than IRL, however with LE starting to focus more attention towards the online scene things could start to change a little here. Law enforcement can also take advantage of the anonymous nature of the internet, thankfully we are way ahead of them. One of the biggest concerns I have is nym flooding attacks, however I believe that we can even mitigate this sort of attack.

Quote
*If you could tell me if I could quote you, (either anonymously or by handle), that would be appreciated. My aim here is accurate reporting.

Quote away by pseudonym or anonymously I don't care.

2087
Off topic / simple solution to spam
« on: September 17, 2012, 02:09 pm »
A. Captcha for all new registrations to the forum
B. Captcha for new posts unless account has 100+ posts and has been a member for a month
C. Stay on top of banning the address to the scam sites

all of this can be done with simple php mods

2088
Off topic / Re: Advice on how to get people to like me?
« on: September 16, 2012, 06:41 am »
put out

2089
Off topic / Re: Teen dead after taking Ayahuasca in Peru
« on: September 16, 2012, 06:37 am »
Maybe he was on medication or something. I doubt the Shaman gave a warning about what MAOIs are and why you shouldn't mix them with almost anything

2090
I would have made it for the marketplace but I don't know what the html looks like. I could modify it to work there in an hour tops, although it will need to have a GUI for sure to deal with the captcha.

2091
Quote
I don't see anything in there that looks like it addresses the captcha box. Have you solved that and not included it or am I overlooking something?

This is for the PM system on the forum, however it is easy enough to work with a captcha by just having it display on a GUI and posting the response to the server.

2092
Also I am nearly done with a ruby program that manages ECDH based message encryption and ECDSA authentication, message encryption is done with AES-CTR-256. It doesn't parse  HTML for any of its functionality either, which is a big plus. I can post the source code here and if anyone is interested maybe SR can run a copy of the server script after it and the client are audited. I can have it so that it automatically encrypts outgoing messages, decrypts/authenticates incoming messages and manages key exchange and generation. I can quickly add MITM detection capabilities as well. I also already have a GUI 95% done. Pretty much it is simply a window that contains a 'title' and 'message' input box, and a list box of nyms. I will modify it so that it fetches a list of all registered nyms and their ECC keys from the central server and stores them client side. You simply select a number of nyms from the nym listbox, type your message and title and hit send, and the encryption etc is done automatically and hidden away from the user. It also has a button you can press that checks for new messages to you, lists them by their title and automatically decrypts/verifies them when you select one. It is fully cross platform and uses OpenSSL for crypto operations. If this is worth anything let me know, I can also make modifications to add functionality or whatever is requested.
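An added sketch of the scheme the post above describes (ECDH key agreement, AES-256-CTR encryption, ECDSA authentication, all through Ruby's OpenSSL binding). It is not the poster's program, which does not appear on this page; the curve, the per-message ephemeral ECDH key, the HKDF step, the message layout and all function names are assumptions made for the illustration.

```ruby
require 'openssl'

CURVE = 'prime256v1' # assumed curve; the post does not name one

# Uncompressed byte encoding of an EC public point (fixed length per curve).
def point_bytes(point)
  point.to_bn.to_s(2)
end

# ECDH, then HKDF-SHA256 to turn the raw shared secret into a 32-byte AES key.
def derive_key(own_key, peer_point, salt)
  shared = own_key.dh_compute_key(peer_point)
  OpenSSL::KDF.hkdf(shared, salt: salt, info: 'pm-example-v1', length: 32, hash: 'SHA256')
end

def aes_ctr(mode, key, iv, data)
  cipher = OpenSSL::Cipher.new('aes-256-ctr')
  mode == :encrypt ? cipher.encrypt : cipher.decrypt
  cipher.key = key
  cipher.iv = iv
  cipher.update(data) + cipher.final
end

# CTR mode has no integrity of its own, so the ECDSA signature covers the
# ciphertext, the IV, the ephemeral key and the intended recipient's key.
def signed_digest(recipient_point, msg)
  OpenSSL::Digest::SHA256.digest(
    point_bytes(recipient_point) + msg[:eph_pub] + msg[:iv] + msg[:body]
  )
end

def seal(plaintext, sender_key, recipient_point)
  eph = OpenSSL::PKey::EC.generate(CURVE) # fresh ECDH key for every message
  msg = { eph_pub: point_bytes(eph.public_key), iv: OpenSSL::Random.random_bytes(16) }
  key = derive_key(eph, recipient_point, msg[:eph_pub])
  msg[:body] = aes_ctr(:encrypt, key, msg[:iv], plaintext)
  msg[:sig] = sender_key.dsa_sign_asn1(signed_digest(recipient_point, msg))
  msg
end

# Returns the plaintext, or nil when the signature does not verify.
# Verification happens before any decryption is attempted.
def open_message(msg, recipient_key, sender_pub)
  digest = signed_digest(recipient_key.public_key, msg)
  valid = begin
    sender_pub.dsa_verify_asn1(digest, msg[:sig])
  rescue OpenSSL::PKey::PKeyError
    false
  end
  return nil unless valid
  eph_point = OpenSSL::PKey::EC::Point.new(recipient_key.group, OpenSSL::BN.new(msg[:eph_pub], 2))
  aes_ctr(:decrypt, derive_key(recipient_key, eph_point, msg[:eph_pub]), msg[:iv], msg[:body])
end

# Constructed demo: both key pairs live in one process here; in a deployment
# the peer's key object would be loaded from that peer's published public key.
alice = OpenSSL::PKey::EC.generate(CURVE)
bob = OpenSSL::PKey::EC.generate(CURVE)
sealed = seal('constructed test message', alice, bob.public_key)
puts open_message(sealed, bob, alice)
```

The signature only proves who sent the message if the recipient obtained the sender's public key over a channel an attacker could not alter, which is the MITM-detection problem the post mentions separately.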

2093
Okay problem solved :)

2094
Security / Re: Australian LE Report on BC/SR
« on: September 15, 2012, 08:48 am »
Quote
kmf - what is your suggestion regarding amounts from international sources? 1gm? 1 ounce? based on what you have read and investigated is there a certain threshold that people should stay beneath?

I would try to keep international orders to Australia 10 grams and under personally.

2095
I don't see why you ask users to wget idea.c considering that has to do with symmetric encryption and I can not in the slightest think of why users would need to do anything with that to change the maximum asymmetric key strength. However if users wget that file without torifying wget they will leak their real IP address when they wget both gnupg-1.4.12.tar.bz2 and idea.c.gz, and I imagine that will be a pretty small crowd of people considering I doubt that barely anyone downloads that combination of files in such a way.

2096
of course you should make sure to torify wget before doing this

2097
Of course if I do make something bigger than this it will be open source and free for everyone to use. I could easily have it check for orders, automatically decrypt them and even print out envelopes / labels as well ;). The main thing is that right now I am working on big projects and it isn't worth it for me to spend much effort on doing things like this for free.

2098
So far it only logs into SR, downloads the first ten pages of your private messages and prints the plaintexts one at a time after piping them to GPG. I can make it so that it shows who the message is from and lets you reply, I can even make it so that it goes to a certain thread on SR forum and downloads public keys from everyone who posts in that thread and automatically manages encrypting outgoing messages sent through it (in addition to automatically decrypting incoming messages). I can also have it automatically generate keys for users and upload their public keys to the post your key thread that it checks for new keys. I can make a neat little GUI for it with TK as well, and can also make it so that it prints non encrypted messages as well (right now it only cares about GPG ciphertexts). I could also make something like this for the silk road market, however I don't have a vendor account to look at how the HTML there works. This is only a quick little mock up to show that I am capable of such things, if people want a full fledged silk road PM system that manages encryption etc they will have to A. Let me know here and B. See how much bitcoin they can give me to make it worth my time. C. Possibly let me see the html vendors can see so that I can interface it to that as well

Quote
require 'socksify/http'
require 'socksify'


class PMHelper


   def connect
      URI.parse('http://dkn255hz262ypmii.onion')
   end


   def get_private_messages

      puts "enter username"
      #chomp rather than chomp!, which returns nil when there is no trailing newline to strip
      username = gets.chomp

      #password echos to the screen currently, I can fix that if I spend a bit of time on it
      puts "enter password"
      password = gets.chomp

      puts "connecting to silk road....."
      sr_connection = connect

      Net::HTTP.SOCKSProxy('127.0.0.1', 9050).start(sr_connection.host, sr_connection.port) do |http|
         puts "logging on....."
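         #form-encode the credentials so characters such as & or = in them cannot break or alter the request body
         login = http.post2("/index.php?action=login2", URI.encode_www_form("user" => username, "passwrd" => password))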
         session_key = login['location'].match(/PHPSESSID=.*;action/).to_s.gsub!(";action", "").to_s + "&"


         puts "getting private messages....\n\n"
         #start at PM page 0
         start = 0
         
         #we will put all gpg ciphertexts into this array         
         encrypted_messages_html = []
      
         #go through PM pages obtaining ciphertexts
         loop do
            pm_main_page = http.get("/index.php?#{session_key}action=pm;start=#{start}").body
   
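            #add each found ciphertext to the encrypted_messages_html array
            #(non-greedy match so two ciphertexts on one page are not merged into one; /m lets a block span line breaks)
            pm_main_page.scan(/-----BEGIN PGP MESSAGE-----.*?-----END PGP MESSAGE-----/m).each do |message_html|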
               encrypted_messages_html << message_html
            end

            #private messages are displayed 15 at a time
            start += 15

            #break after reading the first 10 pages of PMs (this can be made much nicer and more precise if I spend more time)
            break if start == 165
         end


         #html tags are not fun for GPG, let's make an array to put GPG readable ciphertexts into
         encrypted_messages_regular = []

         #let's strip HTML tags from each message, make sure they are formatted properly, and then add them to our array
         encrypted_messages_html.each do |message|
            message.gsub!("<br />", "")
            message.gsub!("-----BEGIN PGP MESSAGE-----", "-----BEGIN PGP MESSAGE-----\n")
            message.gsub!("-----END PGP MESSAGE-----", "\n-----END PGP MESSAGE-----")
            encrypted_messages_regular <<   message
         end


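         #let's hand each of the ciphertexts to GPG and print the output, then block until the user hits enter
         encrypted_messages_regular.each do |message|
            #the ciphertext is untrusted text from the server, so write it to gpg's stdin
            #instead of interpolating it into a shell command line
            decrypted_message = IO.popen(["gpg", "-d"], "r+") do |gpg|
               gpg.write(message)
               gpg.close_write
               gpg.read
            end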
            puts decrypted_message
            puts "press enter to see next message"
            gets
         end
      end
   end
end

s = PMHelper.new
s.get_private_messages

edit: fixed spelling mistakes

2099
Security / Re: Tor based audio conference
« on: September 15, 2012, 05:18 am »
You don't appear to be illiterate so I don't understand why you would want to audio chat

2100
Security / Re: How governments have tried to block Tor
« on: September 14, 2012, 07:58 am »
well your entry nodes will always be three of the same set of nodes and only change once every month to two months, the middle and final node should change more frequently though especially to a hidden service. Although the high bandwidth Tor nodes are of course selected more often than others, so it is not uncommon for circuits to frequently use familiar looking nodes.
