Messages - kmfkewm

2251
Drug safety / Re: How young is to young?
« on: August 25, 2012, 08:40 am »
The age of consent in Thailand is NOT 12.   WTF?

It is in parts of Mexico and a couple of other countries though. Too young :(. Maybe they can mix their age of consent with USA's to balance them both out.

2252
Drug safety / Re: How young is to young?
« on: August 25, 2012, 08:36 am »
You know I'm sorry guys, but telling a 15yr old (if that's true anyways) to do the research and be responsible about it is just broken and overshadowed by libertarian bias that displaces reality.

One of the biggest hallmarks, trademarks, traits whatever you wanna call it of the developing, pubescent brain is a marked incapability to properly evaluate risk and consequence.

So kiddo, if you are who you claim, give yourself time, there's no rush. Wait a few years until all the hormonal craziness of puberty is over or at least toning down. You say you are smart, then stay smart and give your brain the time it needs to develop a well defined personality. Then you can go and start meddling with your mind.

I started using drugs when I was 14 and I always thoroughly researched everything before I took it and practiced as much harm reduction as I do now. Not all teenagers are dumbasses you know.

2253
Off topic / Re: Most Hard Core Binge
« on: August 24, 2012, 12:51 pm »

As a reckless youth, I went on a binge which included the following over a 10-hour period

1 bottle cheap red wine
1 x gram speed
About 6 hash joints
1.5 MDMA pills (average - weak strength)
3 lines cocaine

I felt fucking dog rough the next morning. I learned my lesson and tend to be very moderate in my habits nowadays...

I'm not one to condone drug excesses as a means of establishing and reinforcing my masculinity but can any of you gayboys better this?

That is not much of a binge. My biggest binge was an ounce of ketamine over about three days.

2254
Security / Re: Win7 TorBrowser Vs. Liberte Epiphany
« on: August 24, 2012, 11:12 am »
Would it be encouraged to use the Linux version of TBB on Liberte instead of Epiphany?

Yes. The Tor people actually strongly discourage the use of anything other than TBB, or the Tor FF Browser compiled independently of it. It uses a modified version of Firefox that has been hardened against anonymity compromising vulnerabilities.

2255
If you are really worried about LE malware, your best bet is to use air gaps where possible, SELinux where not, make sure to use a 64 bit OS with ASLR, configure a firewall and intrusion detection/prevention system (IPS/IDS) and generally harden your OS and browser.

2256
I still advocate for air gaps; they are an insanely powerful security technique. If your plaintexts / private keys / passphrases are never exposed to the internet then you don't have very much to worry about from malware. You also do not need to type over every character; you can use disposable one-time-use media such as a CD to copy over from the machine without internet connection to the machine with internet connection. The only copying you need to do is to bring public keys from the internet connected machine to the isolated by air machine, as if you expose it to a CD that has been exposed to the internet it could be bugged and transmit back via the CD you use to transfer ciphertexts from it.

Using a live CD is not particularly helpful against malware, sure it protects from persistent malware but it doesn't do shit to stop an attacker from deanonymizing you or temporarily being able to eavesdrop on your keystrokes. A live USB could even have persistent malware installed to it. The best solution is to layer isolation I believe, I am thinking that SELinux is the way to go about this. Of course making sure that you are taking full advantage of ASLR, and hardening your OS and browser, will also go a long way towards protecting you from malware.


Quote
scanned my system with the ESET Online scanner as well as my system scanner which showed no results for any malware.

The thing to keep in mind about virus scanners is that they are a complete joke and if any half skilled attacker wants to they can circumvent them with a targeted payload that is not released into the wild. Making a virus that is not detected by any anti-virus software is a fairly trivial task, and you can easily confirm when your virus has reached such a state by running anti virus products against it until it becomes undetectable. Ninety nine out of a hundred times an anti virus program is not going to be able to detect a targeted payload that has not been released into the wild for the anti virus people to be able to get a copy of it. Also the first thing a good virus does is disable your anti-virus's ability to detect it, so even if the anti virus company does end up protecting from a virus, it isn't likely to do you much good if you have already been infected.

Quote
I agree it's important, but at the same time it's a last resort defense, your primary defense should be your anonymity

Anonymity doesn't protect you from malware (generally speaking, although in some cases it can make life harder for an attacker), and malware can deanonymize you. I imagine you have heard of CIPAV?? You can use the best encryption algorithms in the world and the best anonymity network around and it is all going to do jack shit to protect your plaintexts or identity if an attacker roots you. Having strong data and location security without strong defenses from malware is similar to having a fortified door with an open window next to it.

Quote
In order to compromise a machine, they first need to know where it lives.

This is 110% wrong. In fact, they can find where a machine lives by compromising it. An attacker who manages to root SR and finds a multi-platform exploit for firefox could theoretically take over the computers of everyone using firefox to surf SR, by for example adding malicious javascript to it that exploits a vulnerability in firefox to take over its permissions, which (in most configurations) includes the ability to stop routing through Tor and deanonymize you, and very likely to spy on your plaintexts prior to encrypting them with GPG (through lack of isolation in X for example). In practice it might be more difficult for them to simultaneously pwn every single person here, because some might be using different browsers, some may have javascript turned off, some may be protected by default OS features like ASLR, etc...but it is entirely possible in theory for such an attack to be carried out. So far such things seem like they are far more common for intelligence agencies to do than police forces though.


2257
That does not look like a very sophisticated virus. It requires user interaction. It is apparently using a CNC, and a single server at that. How elaborate does a virus need to be to spread from host to the virtual machine? Not at all. Spreading from internet to virtual machine? Not at all. Surviving through reboots, wowwie that is pretty impressive. The US gov can do shit that makes this look like child's play, and honestly it is not particularly impressive at all.

2258
Security / Re: Quick question re TOR
« on: August 23, 2012, 05:17 pm »
This is not specifically about Silk Road, and more about TOR in general, and I'm really just looking for some confirmation of something I already think I understand.

Am I correct in saying that with the way TOR traffic is structured and sent around the network, if your ISP is keeping track of your data usage they would at best only know that you are connecting to TOR, and not what you are looking at exactly? I ask because there are proposed laws in at least one western country which will make all ISPs record all users' traffic for the purpose of stopping cybercrime. So I guess it does relate back to Silk Road, but I'm more interested in my own privacy in this case.

Sorry if this seems obvious, but I basically want to make sure my understanding is correct (or have it corrected if it isn't already.)

That is what Tor attempts to achieve, however there are several scenarios in which it may not actually work out like that. For example, if you use Tor to browse a website that is hosted by the same ISP you use, your ISP would be able to tell you are visiting that website, if they have the proper equipment and such installed anyway. Tor is pretty damn good at giving anonymity, but it actually does not prevent an attacker who can see your traffic at two different locations from linking the traffic together as being the same. This is only a huge concern if the attacker can see the traffic originate at you and end at the destination server you are sending it to though. Tor anonymity comes entirely from having a big and widely dispersed network, preventing an attacker from watching enough of the network to have a high probability of seeing your traffic at two different locations on its route from you to the server that you communicate with. However, an attacker who owns enough high bandwidth Tor nodes or who can place a few well positioned wiretaps on networks that have a lot of Tor nodes, can still deanonymize Tor users. So in summary, Tor does an excellent job of providing anonymity from attackers who add a dozen or two high bandwidth nodes to the network, or who watch traffic at a few small ISPs, but as attackers get more powerful than this it does indeed start to increasingly fail in proportion to how much of the network a given attacker can watch.
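
Added example, not part of the post above: a small simulation of the point that a circuit becomes linkable when one observer sees both its entry and its exit, and that this risk grows with the share of the network that observer runs. The relay pool, the bandwidth figures and the simplified bandwidth-weighted selection (no long-lived guards, no family or subnet rules) are assumptions for illustration, not Tor's actual path-selection code.

```python
import itertools
import random

def build_network(honest, hostile, honest_bw=1.0, hostile_bw=1.0):
    """Constructed relay pool: per-relay bandwidth weights and observer flags."""
    weights = [honest_bw] * honest + [hostile_bw] * hostile
    flags = [False] * honest + [True] * hostile
    return weights, flags

def bandwidth_share(weights, flags):
    """Fraction of total bandwidth run by the observing party."""
    return sum(w for w, f in zip(weights, flags) if f) / sum(weights)

def pick_ends(relays, cum, rng):
    """Pick distinct entry and exit relays, each weighted by bandwidth."""
    entry = rng.choices(relays, cum_weights=cum)[0]
    while True:
        exit_relay = rng.choices(relays, cum_weights=cum)[0]
        if exit_relay != entry:
            return entry, exit_relay

def linkable_fraction(weights, flags, circuits, seed=1):
    """Share of simulated circuits whose entry AND exit are both observed."""
    rng = random.Random(seed)
    relays = range(len(weights))
    cum = list(itertools.accumulate(weights))
    hits = 0
    for _ in range(circuits):
        entry, exit_relay = pick_ends(relays, cum, rng)
        hits += flags[entry] and flags[exit_relay]
    return hits / circuits

def at_least_once(per_circuit, n):
    """Chance that at least one of n independent circuits is linkable."""
    return 1 - (1 - per_circuit) ** n

if __name__ == "__main__":
    # Assumed pool: 1000 ordinary relays plus N high-bandwidth observer relays.
    for hostile in (20, 100, 300):
        w, f = build_network(1000, hostile, hostile_bw=5.0)
        share = bandwidth_share(w, f)
        sim = linkable_fraction(w, f, circuits=50_000)
        print(f"{hostile:4d} observer relays: bandwidth share {share:.3f}, "
              f"share^2 {share ** 2:.4f}, simulated {sim:.4f}, "
              f"over 100 circuits {at_least_once(sim, 100):.3f}")
```

In this model the per-circuit risk tracks the square of the observer's bandwidth share, which is why a couple of dozen relays barely register while a large share of the network does.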

2259
Security / Re: Virtual machines
« on: August 22, 2012, 05:11 pm »
Yes if you have an air gap between your private keys / passphrases / plaintexts and the internet, I would still suggest using a virtual machine as a viable option. You essentially increase the risk that an attacker will be able to take total control of the VM while decreasing the risk that an attacker will be able to gain access to the host environment, versus having no additional isolation between applications and the host. It is pretty apparent that using Virtualbox isolation is adequate to protect somewhat from the feds, considering it saved the ass of freedom hosting...but using physical hardware isolation or a proper mandatory access control profile is probably closer to the 'correct' way of accomplishing this regardless.

2260
Security / Re: Virtual machines
« on: August 22, 2012, 04:46 pm »
I am not dead. I also no longer suggest that you use virtual machines in this way. Yes, it is a huge benefit to have firefox isolated away from Tor and external IP addresses. However, virtual machines are much easier to pwn than operating systems running on real hardware. If your virtual machine is easy to pwn, the attacker will just hack it and spy on your address as plaintext to deanonymize you, rather than breaking out of the VM after pwning firefox and getting your IP address to deanonymize you. And most people who are using virtual machines are not even using them in a way that offers any real security advantage, they are just running Tor and everything else in one VM. Xen seems better in some ways than virtualbox, it is used by Qubes after all and I do not think the person who made Qubes has no idea what they are doing, although Theo of OpenBSD fame and some other security researchers have said less than favorable things about the technique of isolating with virtual machines. However, even if the isolation by Xen approach is not inherently flawed, Xen lacks ASLR so even if it is less additionally vulnerable to being hacked than virtual box, you are still not going to be able to take advantage of all of the security of using real hardware. So in general, I believe in the majority of cases virtual machines should simply be entirely avoided. The only exception I would maybe make to this is using jails from FreeBSD.

Right now I am split between two techniques for isolating firefox and other non-tor network facing applications away from Tor and each other. The first would be to run Tor on one dedicated machine and firefox on another, then use a physical wire to connect them and route the firefox machine's traffic through the Tor machine and Tor. This will give the exact same benefits as using virtual machines to accomplish this, without any of the disadvantages of virtual machines. The second technique is using SELinux sandbox for x level isolation and then writing an SELinux profile to prevent firefox from gaining access to external IP address in any way or doing geopositioning. Certainly using the two machines approach is a more all encompassing and foolproof solution though. Additionally, these techniques can be combined for a very high degree of isolation. Failing that you may still choose to use virtual machine based isolation, and it will certainly give you benefits, just be aware that it comes at a high cost and in some use cases the cost could actually nullify the benefits. I think for servers it is more suited than for people using firefox, but it still has the same disadvantages.

2261
but what about Autism !!!!!  ;)

2262
Off topic / Re: Was SR started by the FBI or CIA?
« on: August 22, 2012, 06:30 am »
the fbi has started several drug/carding honeypot boards throughout the years, but the admin team on all of them blocked access from tor exit nodes and the use of gpg

Why on earth would they do a thing like that, eh?  <snicker>

Guru

this thread has only one purpose - to give this forum appearance of place for stupid degenerated junkies. Who else can post such stupid title. Well who is average drug user nowadays - middle 30s, well educated, good income. Obviously if this place will look like society of idiots, such kind of customers will never buy anything here. Harm to SR trade done by this forum hard to estimate.

Problem here in forum engine itself. If SR is from future this forum engine is from no internet BBS past. Agents and CIs should not be given an opportunity to turn the forum representing SR into such disinformation and defamation platform as it is now.

Twitter type social engine, when fans of some vendor can follow him may be much better and modern social communication platform.

It is true that feds have run a drug forum before, but rather than requiring the use of Tor they banned it and said only scammers used it, and they also were unfavorable towards GPG as well. Feds have also run at least one carder forum although they have taken over several others.

2263
Off topic / Re: Was SR started by the FBI or CIA?
« on: August 22, 2012, 06:20 am »
Stumbled upon a conversation about this the other day which had me thinking all over the place.

I can say pretty certainly that it was not started by the FBI, there is no reason for them to run SR as a sting so long as anyone is able to sell and utilize their own security methods. CIA may have interest in running such an operation as they are the sort of agency that needs to get funding that nobody knows about other than themselves, but I find it extremely unlikely for a variety of reasons.

2264
Off topic / Re: the old forums were better.
« on: August 21, 2012, 04:26 pm »
I think phpbb is the best forum software around by far, although I like punbb for being lightweight and fast.

2265
Off topic / Re: the old forums were better.
« on: August 21, 2012, 04:21 pm »
vbullshit is the worst forum software I have ever had the displeasure of using. I am a big fan of phpbb, punbb is nice quick and lightweight though.

SMF is somewhere between vbullshit and punbb imo. The private messaging system sucks ass, but other than that it is fine, nothing exceptional though.