
Messages - kmfkewm

Pages: 1 ... 148 149 [150] 151 152 ... 249
2236
Silk Road discussion / Re: SR Should support early finalisation
« on: August 26, 2012, 04:05 pm »
I think it is strange what a 180 Silk Road has caused in the drug scene. Prior to SR, if customers expected vendors to send them product before they sent them money, they would have been laughed at by everyone. Now it is exactly the opposite. Seems like it switches the risk of being scammed from customers to vendors.

2237
Security / Re: Any NON-computer-related security tips?
« on: August 26, 2012, 10:37 am »
Your best bet is to find a vendor who uses photovoltaic cell triggered interception detection chips and have packages sent to private mail boxes registered with fake ID. Then you can remotely detect if a package has been intercepted on its journey from the vendor to you. However, nobody in the online drug scene is currently using this sort of technology, and as far as I know there is not much attempt being made at getting a design for these devices out.

Vendors should make sure that they wear gloves of appropriate thickness the entire time they are coming into contact with packaging materials and drugs that can hold fingerprints on them (like sheets of LSD, hard tablet drugs, pretty much anything other than weed or powder/tars). If they wear thin plastic type gloves then fingerprints can get out through them, because the thin plastic conforms to the contours of their fingerprints and turns the outside of the glove into a rubber stamp of sorts, which then presses debris/dust/etc. into the shape of their fingerprints onto the packaging material.

Vendors should ship from different locations and of course do so away from cameras. They should not carry a cellphone (or really any transmitting device) with them when they are shipping product. Also, they should seriously consider using public transportation or non-identifiable transportation. More and more cities have license plate scanners that keep record of the positioning of cars and if LE can identify enough areas shipped from they could carry out an intersection attack with the data from license plate scanners (or from cellphone geopositioning data as well).

2238
Security / Re: whatever happened to ecache?
« on: August 26, 2012, 10:15 am »
They mixed Pecunix so I doubt Pecunix killed them off :P. They did not turn scam, they just stopped operations for whatever reason. Seems these days everyone uses Bitcoin instead of Pecunix, so that might have something to do with it.

2239
Rumor mill / Re: Vlad1m1r
« on: August 26, 2012, 10:01 am »
Getting more anxious as each day goes by and there's no activity from Vlad. If it is a case of him being unwell I'd like to think he'd at least give us a heads up so that we wouldn't worry. At this point I can't help but feel it's either a scam or bust, though :( £200 down on my first transaction unless he turns up.

Honestly Vlad does not strike me as a scammer, although I am by no means omniscient regarding such matters. I would bet that either he or his mail pick up person have been detained by the authorities, or possibly he is very sick.

2240
Rumor mill / Re: Vlad1m1r
« on: August 26, 2012, 09:58 am »
Actually it is illegal to facilitate criminal transactions which is exactly what Vlad was doing and on top of that he is technically laundering proceeds and facilitating criminal acts. There is a whole list of laws he was breaking so the idea he was doing nothing wrong is naive at best. Just because "it's just money" doesn't mean it's not illegal. HSBC laundering money much?

Huh I thought some months ago you claimed it was not money laundering ?! It is beyond a doubt illegal though.

No, I said it wasn't PROPER ML. It's just converting BTC to cash and vice versa, which isn't actually really laundering in the proper sense of the term because all you end up with is unaccountable proceeds, which isn't properly laundered money; however it still falls under ML law and it's adjoined with facilitating criminal enterprise and handling the proceeds of crime.

Keep to what you know, which is I.T. and god-knows-what, and I'll keep to what I know.

When you put it this way I actually agree with you; last time we got into a debate over nothing, I guess. I would say it is not 'traditional' money laundering rather than not 'proper' though. There is certainly a distinction to be made between having dirty money turned into clean money that you pay tax on and can spend without raising eyebrows (traditional money laundering) and getting/sending financial value that cannot be traced to you. But both will fall under money laundering laws, and the second is considered to be more modern money laundering versus the traditional methods; one article called it criminal payment transfer rather than ML though, so maybe that is indeed a better word for it. That said, I have absolutely no doubt that you know more about accounting and traditional money laundering than I do, but I would like to point out that modern forms of "money laundering" are actually highly technical (bitcoin mixes, bitcoin itself, for two of many examples).

2241
Off topic / Re: Whats "FE" Mean??
« on: August 25, 2012, 06:34 pm »
FE FI FO FUM

2242
Rumor mill / Re: Vlad1m1r
« on: August 25, 2012, 06:27 pm »
Actually it is illegal to facilitate criminal transactions which is exactly what Vlad was doing and on top of that he is technically laundering proceeds and facilitating criminal acts. There is a whole list of laws he was breaking so the idea he was doing nothing wrong is naive at best. Just because "it's just money" doesn't mean it's not illegal. HSBC laundering money much?

Huh I thought some months ago you claimed it was not money laundering ?! It is beyond a doubt illegal though.

2243
Rumor mill / Re: Vlad1m1r
« on: August 25, 2012, 06:24 pm »
Busted for what? It is not illegal to buy btc. Vlad is providing a service just like any other btc vendor or provider. What someone chooses to do with their btc has nothing to do with Vlad. I fail to see how what he is doing is illegal.   

It is not legal to facilitate financial transfer for the explicit purpose of helping people anonymously obtain scheduled narcotics, it probably falls under some money laundering statute (vlad and limetless argued against this, but I have a strong suspicion they know accounting better than they know law) but it certainly falls under conspiracy and being a member of a continuing criminal enterprise.

2244

Quote
Well a USB is not a read only device.

IN BEFORE NEITHER ARE USB MEMORY STICKS

2245
Quote
That gave me an idea, probably not an original one.

Actually I made a mistake, you would need to type over ciphertexts from the internet facing machine to the isolated machine as well. You could use CD to copy over ciphertexts and public keys from the internet facing machine to the isolated machine, or ciphertexts from the isolated machine to the internet facing machine, but not in both directions.

Quote
What if you collect your encrypted messages and public keys et al, and sum up the total number of bytes for each plain text file. Then you burn to CD. If the CD has > the total number of bytes burnt to it, then a sneaky piece of malware is trying to hop along for the ride.

There's probably some caveats, but this seems fairly foolproof to me. You could pop all the plain text files into a compressed folder and then do a SHA hash or checksum of it, but the problem there is that you might be counting/adding the malware along with the plaintext files without being aware of it (this is all on the internet machine, with any checks to be done at the air gapped machine). Do you have any better ideas than mine for detecting malware stowaways on these read only disks?


What if the malware is encrypted in the GPG message along with an exploit for a vulnerability in the GPG decryption engine, and you are rooted as soon as you decrypt the message? If it sounds far fetched it isn't; there have been a few remote code execution vulnerabilities in GPG that worked in similar ways to this. That would qualify for a sophisticated piece of malware :D. Also if the internet machine is infected with malware you will need to end up hand counting the bytes instead of just typing them over, and I think it would still be rather risky. Good hackers can do amazing things and they are good at hiding that attacks have taken place.


Quote
Also, this air gapped machine. It can't be just any machine. If you're to take this seriously, then you need a machine that physically does not have networking capability, whether wi-fi, Ethernet, or Bluetooth, absolutely anything.

Yup. Iran learned that the hard way with stuxnet. They had a network with no internet and considered it to be air gapped but it had external USB devices plugged into it that had been exposed to the internet.

Quote
How is that possible if it's impossible (in some cases live CD setups) to save any files? How can this be possible without making some manner of change to the client end? Or perhaps I misunderstand you, and you mean many situations in which an live-CD or live-USB may have access to the hard disk. e.g. installing a malware to Liberte's ~persist directory?

Well a USB is not a read only device. Also it could be possible for the attacker to write to the hard drive. But primarily what I mean is that the attacker is concerned with your RAM to exploit and root you; everything else is just for persistence. In fact there are some viruses that can hide in persistent memory in locations that you would never expect, such as your keyboard's firmware. It is not impossible for you to be pwnt using a live CD: the attacker becomes persistent in your keyboard and then infects your hard drive when you boot into your non-live OS.

Quote
Still, I would have thought that this isn't really possible when you have an entire Operating System as being read only with a severely controlled list of possible changes (e.g. like switches on a dashboard, but no alterations to permissions, Liberte if I remember correctly does not allow any permissions changes, unless you quickly enter a certain command/series of steps the second the OS loads, and after a couple of minutes it is impossible to even do this).

Please explain more explicitly how an exploit can occur in the typical environment of a live-USB or live-CD, because we're all interested in preventing just that.

Live CD and USB do absolutely nothing to prevent you from being pwnt, that all happens in RAM. They just make it harder to become persistent. But not impossible, especially for a USB.


Quote
Most live-USB OS that people will be running is Linux, open source. So if a live USB could have a persistent malware, then so could the Tor software. At some point you have to trust that something works or you'd never get anything done. I would agree though, that specific distributions tailored to the security conscious ought to be closely watched for any red flags. e.g. Liberte, hardened Gentoo, Tails.



I think you confuse malware and exploits and backdoors. You seem to be worried about a backdoor. In general there are two types of backdoor, code that has vulnerabilities intentionally left in it to be exploited by the creator at a later point in time, and then things like subseven or back orifice where there is actually malicious code included in the software instead of the harder to detect exploitable code intentionally left in the software. I think you may not realize that an attacker can exploit vulnerabilities in code to remotely install software onto your machine. That is the sort of exploit / malware I am discussing, not so much malicious code included in the program from the start. And 99.9999999% of software has vulnerabilities that can be exploited for remote code execution.

Quote
I tried using SELinux stuff once. I have to say, it was not exactly accessible and it was a struggle to get anything useful done, even to a geek. Maybe you could point to a tutorial or something that would be the most relevant for what we do here in our situation. Ima practical animal, or at least I try to be.

It is on my list of things to do :).

Quote
I must admit, I've never even heard of ASLR until now (it randomly pushes your data stuff/programs about in memory folks, so a hacker has trouble pinpointing where to exploit). How do you optimize this ASLR stuff best? Does it just mean having the latest OS? By hardening your OS/Browser, I'm assuming you're talking about using SELinux, and that by Browser you mean the Tor browser. If you modify the TBB or however you've setup the Tor software on your computer, isn't it possible you'll separate yourself from the crowd on the Tor network. e.g. could change your browser settings to ones that are relatively unique, potentially deanonymizing you. Maybe I misunderstand this, but I like to be sure.

Operating systems implement ASLR differently. I think OpenBSD may be the only OS that has full ASLR by default. You need to be using a 64 bit OS to take full advantage of ASLR because with a 32 bit OS it can be brute forced. Some operating systems don't even have ASLR, FreeBSD actually does not although it uses some other technique instead. Some operating systems support ASLR but you need to specifically compile your software with the special PIE (position independent executable) flag for it to be able to take advantage of it.

Quote
tldr to lurkers; just use linux, safe against 99.9% of the general malware floating around out there.

Are you worried about general malware or a targeted attack against you? Because just using Linux, although a good step in the right direction, is not enough to protect you from a skilled targeted attack.


Quote
I agree hardening security against malware is important, but I think you're overstating the case to illustrate the point. I'm pretty sure anonymity does protect me from malware to some extent, otherwise I doubt I would be typing this. In order for an attacker to place a rootkit and backdoor on my machine, they must first put it on my machine. They cannot do that, unless A: they find my machine or B: they rootkit everybody (I think we call this the Chinese approach, lol).

Anonymity does not protect you from malware unless you are running a bunch of listening network applications like Apache and, because they are hidden services, an attacker cannot port scan the entire server looking for alternative paths to attack instead of only what is directly presented to them. In your case as a non-server client anonymity doesn't do a damn thing to protect you from malware; you are still exposing the exact same amount of attack surface when you browse a website with Tor as when you do without Tor. You have a very fundamental misunderstanding of how hacking works. Let's say that Firefox has a vulnerability in its code: an attacker who pwns SR could then for example craft malicious javascript that runs client side on your computer in memory (RAM) and then buffer overflows into attack code that they then get Firefox to run on your system, and which itself installs a virus onto your computer from one of their servers. Hacking is all about remotely installing viruses on computers; you do not need to know their IP address, you only need to have some vulnerable path to them, and that can be in the form of Firefox, a PDF reader, an instant message program, GPG decryption engine, ANYTHING that you put potentially malicious input into.


Quote
Ok. But SR does not need JavaScript and many of us don't have it enabled by default. Unless your rootkit is somehow able to manipulate a scriptless browser.

Rootkits are installed by exploits in order for the hacker to cover their tracks. There are a lot of Firefox vulnerabilities that can be exploited without any scripting being enabled, although by not having scripting enabled you can remove the ability of a hacker to exploit some vulnerabilities and also you can make others harder to exploit.

Quote
On that subject, I wanted to ask you from before. Can you physically remove the ability of the Tor browser to use scripts? I mean, removing the actual code that would allow an extension, allow a script to be run etc. Seems to me, if you remove that kind of stuff, the odds of exploitation are zilch. My concern would be that such modification might alter the browser signature though. So I was hoping for some input on that idea, whether it's realistically possible and what the ramifications might be.

Yes that would be possible to do but it does not remove the chance of being exploited. A lot of Firefox vulnerabilities are through font rendering even, there are a lot more areas to cover than just scripts.

Quote
Question. If the malicious JavaScript stops you routing through Tor, then how exactly does this help the enemy? I mean, once you stop routing through Tor, you're on clearnet right, so it's not as if you're going to reach a url like http://dkn255hz262ypmii.onion with this newly clearnetted browser, right? I don't get how stopping Tor routing will deanonymize me. Seems like it just kicks me off the Tor network.

You will not reach a website like dkn255hz262ypmil.onion but you will have no trouble reaching fbi-ip-address-gathering-server.gov

Quote
And how the hell is a JavaScript, any JavaScript, going to influence the X window system? JavaScript cannot modify the Operating System. JavaScript can't go about editing configuration files since it can't access the local directories and write to the hard disk. So how in the name of fuck it is possible to spy on GPG software via the X Window system? I am seriously dubious in case you couldn't tell. :D You have surely got to be missing a few steps there. :p

Attacker finds vulnerability in Firefox code. Attacker crafts code that exploits it with javascript. You go to attacker controlled website with this javascript and it runs on your machine client side, exploits the Firefox vulnerability. Attack code overflows a buffer and the attacker gets it to execute with the abilities of Firefox. Firefox is in an X window. There is no isolation between X windows; every X window gets keystrokes to all other X windows, so the attacker can already entirely keylog you at this point, including getting your root password when you su. Attacker can also have Firefox install whatever they want onto your system that it is privileged to do, so they take over root on your computer with the password they just sniffed and install a rootkit and backdoor for persistence.


Quote
Lastly; isn't there a special piece of hardware, a particular kind of CPU that makes it really tough to compromise encryption? It might have been while it's being done. Your reference to ALSR reminded me of it but I can't remember the name now.

You do not need a special CPU to make it very hard to compromise properly implemented encryption...but skilled attackers spend less time trying to crack encryption than they do on trying to bypass it by hacking around it.

Quote
P.S. Who is the author of PolyFront, was that yourself or some other fellow? Curious mammal is curious. Reply by PM if necessary. Actually PM me anyway, I have some interesting shiny new factoids that came my way I'm pretty sure you'll be salivating over or something. :D

I made polyfront, although it is outdated and I would not try to keep it alive personally. Someday when I get more time I will write a new one that will be much better; it has been a running thing for several years now actually where I periodically compile my security knowledge and make tutorials and such. I can do way better than Polyfront now. But I am currently busy developing software and learning new things. Maybe in half a year you will start to see a lot of new cool things from me :). I hear the feds quite enjoyed polyfront at one of their conferences, glad to know that they were so impressed and circumstances allowed me to hear about it !!
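The byte-counting idea proposed earlier in this post (sum the plaintext sizes, compare against what ended up on the disc) and the reply's objections to it can be made concrete. The following is an added example, not code from any of the posts: a per-file manifest (path, size, SHA-256) built on the internet-facing machine and checked on the isolated machine. A same-length tampered file defeats a size count but not a digest; an extra file on the medium is reported as a stowaway. As the thread says, the manifest must cross the gap by a channel the internet-facing machine cannot forge (typed over by hand), otherwise a compromised machine simply writes a manifest that matches its own payload. The file names and contents in `demo()` are constructed for the example.

```python
"""Manifest check for files carried across an air gap on read-only media.

Added example (not from the original posts). build_manifest() runs on the
internet-facing machine; verify_medium() runs on the isolated machine against
a manifest that arrived by a separate, trusted channel.
"""
import hashlib
import os
import tempfile


def build_manifest(root):
    """Return {relative_path: (size, sha256_hex)} for every regular file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            digest = hashlib.sha256()
            size = 0
            with open(path, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    digest.update(chunk)
                    size += len(chunk)
            manifest[rel] = (size, digest.hexdigest())
    return manifest


def verify_medium(root, expected):
    """Compare the files under root against an expected manifest.

    Returns a sorted list of problem strings; an empty list means the medium
    holds exactly the expected files with the expected sizes and digests.
    Extra files (the "stowaway" case), missing files and modified files are
    all reported.
    """
    actual = build_manifest(root)
    problems = []
    for rel in sorted(set(actual) - set(expected)):
        problems.append("unexpected file: " + rel)
    for rel in sorted(set(expected) - set(actual)):
        problems.append("missing file: " + rel)
    for rel in sorted(set(expected) & set(actual)):
        if actual[rel] != expected[rel]:
            problems.append("modified file: " + rel)
    return problems


def demo():
    """Constructed scenario: clean medium, then a stowaway plus a same-size edit.

    Returns (problems_for_clean_medium, problems_for_tampered_medium).
    """
    # Constructed sample payloads standing in for a ciphertext and a public key.
    payloads = {
        "msg.asc": b"-----BEGIN PGP MESSAGE-----\nhQEMA0constructed\n-----END PGP MESSAGE-----\n",
        "key.asc": b"-----BEGIN PGP PUBLIC KEY BLOCK-----\nmQENconstructed\n-----END PGP PUBLIC KEY BLOCK-----\n",
    }
    with tempfile.TemporaryDirectory() as src, tempfile.TemporaryDirectory() as disc:
        for name, data in payloads.items():
            for d in (src, disc):
                with open(os.path.join(d, name), "wb") as f:
                    f.write(data)
        manifest = build_manifest(src)          # done on the internet-facing side
        clean = verify_medium(disc, manifest)   # done on the isolated side

        # Stowaway: an extra file written next to the intended ones.
        with open(os.path.join(disc, "autorun.inf"), "wb") as f:
            f.write(b"[autorun]\nopen=stowaway.exe\n")
        # Same-length tampering: total byte count is unchanged, digest is not.
        original = payloads["msg.asc"]
        tampered = original[:-2] + b"X\n"
        assert len(tampered) == len(original)
        with open(os.path.join(disc, "msg.asc"), "wb") as f:
            f.write(tampered)
        dirty = verify_medium(disc, manifest)
    return clean, dirty


if __name__ == "__main__":
    clean, dirty = demo()
    print("clean medium:", clean or "OK")
    print("tampered medium:", dirty)
```

On a real disc the check is `verify_medium("/media/cdrom", manifest)` with the manifest re-typed from the other machine; hashing the whole medium as one blob, as the post suggests, would hide which file was altered, and counting bytes alone misses the same-length edit shown in `demo()`. It does nothing about the reply's other point: a ciphertext that is an exploit for the decryption software passes this check unchanged.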

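The ASLR answer above says that on some systems a program only benefits from ASLR if it was compiled as a position-independent executable (PIE). Whether a given binary was built that way is recorded in its ELF header: `e_type` at offset 16 is `ET_EXEC` (2) for a fixed-load-address program and `ET_DYN` (3) for a PIE. The following is an added example, not code from the posts, that reads that field (honouring the byte order flag at offset 5) and, on Linux, the `randomize_va_space` sysctl (0 off, 1 partial, 2 full, including brk). `make_header()` builds constructed header bytes for testing; the sysctl path is Linux-specific and the helper returns `None` elsewhere.

```python
"""Is this ELF executable a PIE, and is system ASLR on?

Added example (not from the original posts). Only the ELF identification
bytes and e_type are parsed; nothing else in the file is trusted or needed.
"""
import struct

ELF_MAGIC = b"\x7fELF"
ET_EXEC, ET_DYN = 2, 3          # e_type values: fixed-address executable / PIE or shared object
ELFDATA2LSB, ELFDATA2MSB = 1, 2  # EI_DATA values at offset 5


def elf_type(header):
    """Return e_type from the first 18 or more bytes of an ELF file.

    Raises ValueError if the bytes are not an ELF header or the byte-order
    flag is unknown.
    """
    if len(header) < 18 or header[:4] != ELF_MAGIC:
        raise ValueError("not an ELF header")
    ei_data = header[5]
    if ei_data == ELFDATA2LSB:
        endian = "<"
    elif ei_data == ELFDATA2MSB:
        endian = ">"
    else:
        raise ValueError("unknown EI_DATA value %d" % ei_data)
    return struct.unpack(endian + "H", header[16:18])[0]


def is_pie(header):
    """True if the header describes an ET_DYN object.

    For something you execute directly, ET_DYN means PIE. A shared library
    is also ET_DYN, so apply this to executables, not to .so files.
    """
    return elf_type(header) == ET_DYN


def is_pie_file(path):
    """Read just enough of the file on disk to answer is_pie()."""
    with open(path, "rb") as f:
        return is_pie(f.read(64))


def aslr_level(path="/proc/sys/kernel/randomize_va_space"):
    """Linux ASLR sysctl: 0 off, 1 stack/mmap/VDSO, 2 also brk. None if unreadable."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def make_header(e_type, little_endian=True, elf64=True):
    """Constructed minimal ELF header (e_ident + e_type + e_machine) for tests.

    EI_CLASS at offset 4, EI_DATA at offset 5, EI_VERSION at offset 6, then
    padding to 16 bytes; e_type at 16, e_machine at 18 (EM_X86_64 or EM_386).
    """
    ident = ELF_MAGIC + bytes([2 if elf64 else 1,
                               ELFDATA2LSB if little_endian else ELFDATA2MSB,
                               1]) + b"\x00" * 9
    endian = "<" if little_endian else ">"
    return ident + struct.pack(endian + "HH", e_type, 62 if elf64 else 3)


if __name__ == "__main__":
    import sys
    for target in sys.argv[1:]:
        print(target, "PIE" if is_pie_file(target) else "not PIE (ET_EXEC)")
    print("randomize_va_space:", aslr_level())
```

`python3 pie_check.py /usr/bin/ssh` gives the same answer as `readelf -h /usr/bin/ssh | grep Type` (`DYN` versus `EXEC`); building with `gcc -fPIE -pie` produces the `ET_DYN` form. As the post says, a PIE on a 32-bit system still has few randomized bits, which this check does not measure.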
2246
Rumor mill / Re: Vlad1m1r
« on: August 25, 2012, 12:24 pm »
Still no sign of Vlad1m1r, nor any BTC.

The longer this goes on, the more I'm inclined to believe we've been scammed. 

I doubt we have been scammed, vlad seemed very professional and has countless transactions before this situation that went well from the feedback reported. Being busted would be unlikely, he seemed to know how to do business safely and securely. Here's hoping for just super man flu or a holiday break.....he is human after all. (he is right guys?)

It is simply not possible to safely and securely accept CIM for illegal dealings, let alone to do so on such a public forum. But I think he claimed someone else picked up the CIM, so it would be more likely they are busted than anyone.

2247
Security / Re: Advice for removing fingerprints from money
« on: August 25, 2012, 11:54 am »
Are the bank notes fresh from the printing press? If not I'm sure the 1000+ other finger prints and traces of cocaine should cover you up ;)

did 1000+ people touch the same combination of bills?

2248
for what it is worth of course he should be banned if he threatened to get LE involved, but the OP strikes me as kind of a douchebag, to be so demanding to someone who is essentially fronting them an order.

2249
Wow I guess beggars can't be assholes to the people who agree to help them out

2250
Rumor mill / Re: Vlad1m1r
« on: August 25, 2012, 09:26 am »
Maybe he got busted for money laundering. You can't really expect to explicitly accept cash in the mail for the purpose of funding drug deals for very long. CIM is not a secure payment technique for vendors to accept.
