Show Posts

This section allows you to view all posts made by this member. Note that you can only see posts made in areas you currently have access to.


Messages - kmfkewm

Pages: 1 ... 163 164 [165] 166 167 ... 249
2461
Off topic / omg urgent message to DEA agents
« on: July 07, 2012, 09:06 pm »
I just had a revelation from God!!!!! He told me that if you shoot yourselves in the head as quickly as possible after reading this you will go to Ultra Heaven! Do you really want to take the risk of not immediately killing yourselves??? Ultra Heaven came to me in a vision and it is like regular heaven but even ten times more awesome.

2462
Silk Road discussion / Re: US - Obama Has Already Quietly Begun Revising the Government’s War on Drugs
« on: July 07, 2012, 09:00 pm »
Quote from: anonaddict on July 05, 2012, 11:13 pm
The Republicans are notorious for striping any personal freedoms, and they will do it in the name of SECURITY or CHRISTIANITY. So they think that we need more taxes and harder laws to govern the population but less regulation and taxes on businesses. I vote democratically but I also understand that all of our politicians are bought and paid for by the 1%.

I know I would much rather the government strips freedoms in the name of THE COLLECTIVE or THE GREATER GOOD than SECURITY or CHRISTIANITY.

2463
Off topic / Re: The Fate of History: Are we Experiencing Liminality?
« on: July 06, 2012, 09:27 pm »
I believe that a fundamental shift in human organizational structure is taking place and that it is having a profound effect on all aspects of life. I believe that this shift is happening at an exponentially increasing speed, and that the traditional bastions of power are doing everything they can to prevent it from coming to a peak, because they wish to remain the head of a hierarchy in an increasingly networked world. I think that the inherent structures that their groups must take, in order to allow for the positions of power which they so desperately desire, have fundamental limitations that substantially slow their reaction time. However, they do have a lot of money and a lot of people below them so really who knows what the future holds. I imagine it will either be an Orwellian police state, once the state gets into full gear and puts an end to modern threats to its power, or a libertarian utopia after the concept of the state fades into history (or is at least dramatically modified, in practice).   

2464
Security / Re: how do you open pdf files etc safely, please help
« on: July 06, 2012, 09:17 pm »
Opening PDFs in VMs without access to the internet, or in VMs that can only route through Tor, goes a long way towards protecting yourself when viewing PDFs. It isn't perfect, but it does offer substantial protection.

2465
Security / Re: using privnote is less secure than sending your address plaintext through SR
« on: July 05, 2012, 09:27 pm »
Server side encryption is fail, javascript encryption is less fail but still is fail.

2466
Security / Re: FUCK!! Customs opened my mail!!
« on: July 05, 2012, 09:26 pm »
Quote from: gambino on July 05, 2012, 07:10 pm
Quote from: oscarzululondon on July 05, 2012, 01:36 pm
Quote from: gambino on July 05, 2012, 04:45 am
If your other packages show up, don't sign for anything, write "return to sender" on them, and pray to Jesus Malverde.

The return to sender thing was a joke, it's not a real legal defense. It would only work if the letter wasn't in your name or the name of anyone living at that address or even nearby.

The court simply won't believe that you got a letter in your name, didn't open it to check inside and wrote return to sender on it, then left it lying around not returned to sender. From a legal perspective it just makes things look worse, not better, you're giving them more evidence.

I would never use my real name on an order for Schedule I drugs.  Fuck that.  I really don't give a fuck if a vendor wants me to.  Not doing it.  But hey, that's just me.  You want to order Schedule I drugs in your real name to your real address, go right ahead.

I get shit in my mailbox every day with names of people who don't live here.  Every fucking day.  And I have no control over it.  It just happens.  So it's totally believable/plausible when I write "return to sender" on an envelope that I had nothing to do with it.

BTW, if it came down to it, it's not up to "the court".  It's up to a jury of peers.

Oscar is a troll just ignore it. Of course it makes you look less guilty if you write return to sender on an unopened drug package, versus opening it.

2467
Rumor mill / Re: Sorry Vicious86 will no longer be selling overseas caused by assholes
« on: July 05, 2012, 06:12 am »
People smoke hash out of meth pipes?

2468
Off topic / Re: You ever regret seeing how deep the rabbit hole really goes? (An Acid Story)
« on: July 05, 2012, 06:05 am »
Quote from: Caparino on July 05, 2012, 05:50 am
Passing on good karma as well but I actually haven't smoked in a month now. Although I should probably stop doing acid everyday :-\ It only lasts for a couple hours and I keep redosing. Should I flush it down the toilet? How long do you guys think it'll take my brain to reach homeostasis seratonin and dopamine wise?

Quote from: StanleyYelnats on July 05, 2012, 05:36 am
I feel like this so much man. like where did i go wrong in life, but perhaps its what we've done right?

But then why do I feel socially criminal or insane when it's really their blissful ignorance that carries the problem?

Using acid every single day is a waste of acid and a great way to ensure that you become temporarily disconnected from reality in a bad way.

2469
Security / Re: FUCK!! Customs opened my mail!!
« on: July 04, 2012, 11:52 pm »
It is also possible that some mail employee down the line stole your package and taped it back up with customs tape to make it so you wouldn't report something was stolen, but I don't see why they would do that as you would not report an illegal drug package anyway. In my experience thieves working at sorting facilities are about as good at finding drugs in the mail as customs or USPI are, stolen drugs in the mail is not unheard of.

2470
Security / Re: FUCK!! Customs opened my mail!!
« on: July 04, 2012, 11:48 pm »
Quote from: Foolme2x on July 04, 2012, 11:04 pm
Quote from: Honza on July 04, 2012, 10:55 pm
Quote
I am still expecting domestic/international orders in the mail!!! What the fuck should I do here!!! HELP!!!

OH BOY YOU'RE FUCKING FUCKED!!!!!

FUCK!!!!!!!!!!!!!!!!!!!!!!!!

YOURE FUCKING FUCKED MAN!!!!!!!!!!!!!!!!!!!!!!!!!!!!

IF YOU WAITING FOR INTERNATIONAL MAIL ITS SMUGGLING YOU CAN NOT SAY ITS NOT FOR YOU IF THEY ALREADY FOUND SOMETHING!!!!!!!!!!

YOU SHOULD ADMIT EVERYTHING TO GET A BETTER DEAL!!! JUST SAY THEM YOU GOT IT FROM SILKROAD SAY FROM WHICH VENDOR THEY CAN NOT DO ANYTHING!!!!! BUT YOU WILL GET LESS PENALTY!!!!!!!
Gee. Thanks for helping restore some calm into this scary situation ass-hole.
I know I am fucked here...but that doesn't help.

Are there any decent/experienced folks out there who can help with CALM REASONED MATURE advice???

PLEASE???

Should I remove my lap top from my premises if I haven't data scrubbed it? Thanks.

Seems strange they would remove it and seal it back up with tape prior to sending it on to you. I have heard of people getting very delayed knock and talk visits after having packages go missing, but they did not receive a package with customs tape on it. I have heard of customs tape being on some orders that still had contraband in them that customs had missed, so I would check really closely to make sure the order is not there. Customs uses special tape to tape up anything they have to open and inspect. If you are absolutely sure that your order is not there, I would clean house immediately and quite possibly not accept any incoming orders. I bet you wish you used a PO box with a fake ID.

2471
Security / Re: using privnote is less secure than sending your address plaintext through SR
« on: July 04, 2012, 11:34 pm »
Quote from: Shannon on July 04, 2012, 05:48 pm
Quote from: kmfkewm on July 04, 2012, 07:14 am
Ruby people fucked off, Java people fucked off, I have come to the conclusion that you can trust anonymous people on the internet with money for drugs and you will receive them, but if you pay someone for code they will fuck off.
this reminded me that there's also a (small) group of people mostly from public scene doing paid work on the interception detection stuff that bk talked about. it uses gsm now instead of rfid, so you don't even have to go near your po box. would you like to join us? :)

Yes that sounds fun, although right now I am very busy working on other things.

2472
Security / Re: using privnote is less secure than sending your address plaintext through SR
« on: July 04, 2012, 11:32 pm »
Quote from: Guru on July 04, 2012, 05:21 pm
Quote from: kmfkewm on July 04, 2012, 07:14 am
Ruby people fucked off, Java people fucked off, I have come to the conclusion that you can trust anonymous people on the internet with money for drugs and you will receive them, but if you pay someone for code they will fuck off.

Hopefully scalability would be a problem, fifty people mixing messages together does not lead to much security. If a system is as point and click easy as a php forum and offers anonymity and security better than Tor or GPG, I would imagine it would be used by a decent number of people. Especially since there are so many people who are always complaining about how much a pita it is to use GPG. Those people would love to double click on an icon, have a program that looks nearly identical to a phpbb forum pop up, click on the pseudonyms/groups of their desired message recipient(s), type their message in, press the nice looking send button, and not have to know how to do anything else. People who know how to use GPG will like this as well, although may be more attracted by elliptic curve crypto offering nearly double the strength of RSA 4,096, or by provably secure mixing to protect them from end point timing correlation attacks, or padding to protect them from fingerprinting attacks. 

I do know some about security, particularly traffic analysis, but I have thus far focused far more on learning theory (such as what the types of attacks and defenses are, how they work, etc) than the skills to implement such a system (of attacks or defenses) with any language. The bulk of my "applicable" security knowledge is related to operating system hardening and server administration. However now I am focusing much more on learning implementation skills, and I am pretty satisfied with my theoretical knowledge (especially of traffic analysis, when it comes to crypto I know more than most but less than most who try to learn much about crypto ;) )

The problem, from my perspective, is not so much about technology as it is about people. The weakest link in any security system is the end-user. If you're dealing with unsophisticated end-users.... Like the old saying goes: "Build an idiot-proof system, and nature will come up with a better idiot."

I'm old enough to remember the crypto wars of the 1990s. Then FBI-Director Louis Freeh was crying to all and sundry that the end of the world was nigh. Criminals would soon be using robust crypto, and without a backdoor law enforcement investigations would simply grind to a halt.

The Cypherpunks, for their part, believed that the public would adopt crypto en-masse -- their unofficial (unspoken) motto was, "Build it and they will come."

Both of them were wrong, and for the very same reason -- both camps did not account for human nature, in particular, end-user sloth. In the case of the operators of The Farmers' Market, I have read comments by people who knew them in real life, and they stated that they were told repeatedly what they were doing wasn't safe. Doing things properly would likely have taken them outside their comfort zone, and they preferred to stay with what they were comfortable with.  You'll see the same thing on here, with people asking: "Do I really have to learn to use GPG?"

The FBI found that criminals were not adopting strong crypto, for the most part, as it was hard to use. The Cypherpunks found that the general public were not embracing crypto for the same reason. Furthermore, in general, the public simply did not (and goes not) perceive a need for it. They simply rationalize that the state would never be interested in them or their activities. You'll even see such sentiments expressed here -- the government isn't interested in small time buyers/dealers.

Frankly, very few people have the knowledge (nevermind the discipline) to use the tools appropriately. As you said, people just want to be able to click on a button, and not have to think about what they are doing.  You make a system for these types of people, and you end up with something like Hushmail.

Guru

I think the issue with a lot of the groups making security software is largely one of usability, as you allude to as well. For all of the great security technology they have made they completely neglect a shiny and simple user interface. They are so technically advanced that what they see as a very simple to use system is for others something that is immensely difficult to master, or even if it only requires an hour for the average user to learn to use they do not have an hour to spend on learning it. Instead of 'build it and they will come' the cypherpunks motto should have been 'build it and then make an awesome intuitive GUI for it, and cleverly 'abstract' away the low level details into simpler concepts, and they will come'. For example, I think that the idea of calling public keys 'open locks' and private keys 'keys' would be far more beneficial to the average users ability to understand how public key crypto works, even though to someone even slightly versed in cryptography it sounds stupid. The major hurdle to getting people using security technology is to spend far more time and effort on user interfaces and simplified terminology than has been spent thus far.

A system like Hushmail for idiot-proof encrypted E-mail can very well be secure, it just can not be entirely server side. If there is an application that simply allows a user to double click an icon, select a pseudonym to send a message to, type their message and hit send....the goal of Hushmail is accomplished without the major security flaws. The problem with Hushmail was not the simplicity of using the system, it was the inherently flawed design of the system.

The best security applications are those that do not even appear to be security applications, but rather appear to be applications that the user would use for their non-security features. If you do not have a product that people want to use, it will not be used by anyone other than enthusiasts and smart people in certain situations who know that they need security to protect themselves. This is not to say that usability should come before security,  but where it can be allowed for the most usable security systems should be implemented (IE: User selected delay on messages through a mix, rather than firing cycles of ten hours set by the mixes on the path), and a ton of time needs to be spent on user interfaces. Also a lot of thought needs to go into abstraction / simplification of any underlying security concepts that users are absolutely required to be exposed to, and as much as possible should happen in the background without the user being exposed to it at all. 

2473
Security / Re: Loop holes in TOR?
« on: July 04, 2012, 07:42 am »
Although I should point out that the main use of the middle node is to prevent linkability. Since you always enter using the same set of three nodes for up to 60 days, if Tor used only two hops an attacker with a high bandwidth exit node that you frequently use could see that that set of entry guards is owned by a single entity, and then link your exit traffic to different websites by your entry guard set fingerprint (which is probably not exactly shared by many people). The middle node takes care of that.

2474
Security / Re: using privnote is less secure than sending your address plaintext through SR
« on: July 04, 2012, 07:14 am »
Ruby people fucked off, Java people fucked off, I have come to the conclusion that you can trust anonymous people on the internet with money for drugs and you will receive them, but if you pay someone for code they will fuck off.

Hopefully scalability would be a problem, fifty people mixing messages together does not lead to much security. If a system is as point and click easy as a php forum and offers anonymity and security better than Tor or GPG, I would imagine it would be used by a decent number of people. Especially since there are so many people who are always complaining about how much a pita it is to use GPG. Those people would love to double click on an icon, have a program that looks nearly identical to a phpbb forum pop up, click on the pseudonyms/groups of their desired message recipient(s), type their message in, press the nice looking send button, and not have to know how to do anything else. People who know how to use GPG will like this as well, although may be more attracted by elliptic curve crypto offering nearly double the strength of RSA 4,096, or by provably secure mixing to protect them from end point timing correlation attacks, or padding to protect them from fingerprinting attacks. 

I do know some about security, particularly traffic analysis, but I have thus far focused far more on learning theory (such as what the types of attacks and defenses are, how they work, etc) than the skills to implement such a system (of attacks or defenses) with any language. The bulk of my "applicable" security knowledge is related to operating system hardening and server administration. However now I am focusing much more on learning implementation skills, and I am pretty satisfied with my theoretical knowledge (especially of traffic analysis, when it comes to crypto I know more than most but less than most who try to learn much about crypto ;) )

2475
Security / Re: using privnote is less secure than sending your address plaintext through SR
« on: July 04, 2012, 06:53 am »
Unfortunately, and despite a lot of effort towards achieving it over several years actually, a secure forum system created by/for and funded by people from the drug scene is something that will probably never exist. Two people who were paid to program it fucked off and accomplished nothing. Additionally, despite a lot of effort towards design, it is pretty apparent that professional grade security designs must come from true professionals and not security hobbyists or illegal forum security Gurus (even the best ;) ) ...  (not mentioning Guru, who may be a professional cryptographer for all I know). I am not convinced that anyone in the drug scene has the skills required to make such designs, myself included, and any attempts to do so may very well end up being counter productive and giving a false sense of security when in fact they could harm security.  Furthermore, it is not at all smart to have security software made by illegal groups specifically for protecting illegal activity from law enforcement, merely using such software would cast strong suspicion on any users. Also, only criminals will audit it, and as I said before I am not convinced that the drug scene has the talent required to audit or create such a product in the first place, multiple attempts have failed and a lot of money and time has been wasted. Also, only criminals will use it and that is simply not secure, especially in contexts where security directly correlates with crowd sizes and diversity of crowd sizes.

However I do have some good news. I have been closely following developments of a fairly similar in goal although substantially different in implementation and design and entirely unrelated in association project, and it is nearing completion of the first Beta. It will not be very well suited for a very large forum like SR, because the security comes with a large performance price and this in turn limits the amount of people who can receive a single outgoing message to approx one thousand. Unfortunately, the more messages a person sends through the system the less the security guarantees can be, so simply scaling the number of outgoing messages for every 1,000 members will not be the best idea and sending 20 copies of every message to support a 20,000 member forum will result in substantially worse security versus restricting your group sizes (really better thought of as "message recipient size" since the concept of a group is entirely defined by the sender of a message) to 1,000 members.

I have been spending a *very* large amount of my time learning the language this is being written in so that I can audit the code, and I believe I have achieved proficiency enough to properly assess the correctness and security of the implementation of the algorithms used, as well as the over all design (which is in fact a composite of various algorithms from various academic papers written by true security experts) . I think the end result will at the very least be a much more secure and anonymous alternative to GPG, Tor (although it still uses Tor, it adds mixing on top of it) and E-mail / private messages, with a substantially lower learning curve required to make use of it as compared to GPG (more similar to sending a PM on a forum, or using a forum, with the crypto and anonymity stuff taken care of in the background outside of user awareness). it is also well suited for forumesque structured group communications, for groups consisting of one thousand members or less. It does technically support larger groupings, although it rapidly and linearly-per-extra-thousand-recipients becomes less suitable for secure/anonymous group communications after a message recipient size of 1,000 is reached. I expect a beta as well as the entire source code and some free to use servers running the server component will be publicly available within two months, the message forwarding, mixing, a provably secure cryptographic packet format, other base encryption systems and a lot of other required components are finished (I have gone over it and it looks fine to me, although earlier prototypes had  poor code quality) and now the developers are working on message retrieval, which requires the implementation of a private information retrieval system. After that is accomplished the system will be ready for Beta, although of course it will be unwise to use it until it is audited by as many people as possible, I will give it my seal of approval though (of course pending my review of the rest of the code whenever they are done with it, and as long as my confidence in my proficiency in the language / auditing abilities remains stable for some period of time, I have surprised myself two or three times but generally I am fast learner and spend over a dozen hours every day focusing on learning this ;)   )

It is also nice to note that it uses established cryptographic libraries and only wraps them or composites them together into larger systems, implementation of crypto primitives is best left to very very very skilled people and of course only after an implementation has been publicly audited by many professionals can it be trusted.

Pages: 1 ... 163 164 [165] 166 167 ... 249