Messages - kmfkewm

2881
Security / Re: When to use PGP?
« on: May 07, 2012, 08:30 am »
With hidden services Tor encrypts data up to, but not including, the time that it has already arrived at the server. With non-hidden services, Tor encrypts data up to the point just prior to it arriving at the server; the exit node decrypts the final layer to reveal the plaintext. This means that exit nodes can spy on plaintext data sent through Tor to the normal internet.

2882
Security / Re: Updating TOR - paranoia
« on: May 07, 2012, 08:14 am »
There are two major ways that the Tor developers could fuck us if they really wanted to or were forced to. For one they own the majority if not all of the directory authority servers, it is possible for them to lie and say only nodes they own are part of the Tor network. This would allow them to become a global active adversary, which means that they could entirely defeat all security advantages of Tor for all of its users, but it would require them to own the amount of bandwidth required to relay all Tor users' traffic. This would not be possible for them to do without some people noticing all of the node IP addresses suddenly changed, but the Tor client does not warn you if such a strange event happens, and you will need to look for yourself or wait for someone who realizes to point it out. They take some protections from this though, for one the people who run the dirauth servers and the servers themselves are situated in a few different international jurisdictions around the world. Also, four out of nine servers need to agree to a consensus, so at least four of them will need to be compromised (via force or via bribes) by cooperating attackers. The people who run the dirauths seem to be largely libertarian, and I think they are absolutely opposed, with firm moral grounding, to compromising the Tor network in any way. Another possibility is that they could bug the code, but this would eventually be detected in an audit and might never get added in the first place. I believe they also have the full support of EFF when it comes to dealing with legal matters, and that EFF claims they will take any attempts to force the Tor developers to backdoor their product in any way to court, and they think that they will win in USA anyway.

2883
Back on topic, I still haven't found any solution that claims plausible deniability with relative simplicity other than hidden windows with truecrypt. Hopefully they will fully support Linux in future.

I like Linux but using the terminal and configuring its various oddities are still very confusing to me. It's an added pain that I would rather avoid.

I think for now I'll stick with my current truecrypt, hidden win 7, tor browser bundle. I did manage to get the latest Ubuntu installed alongside this setup eventually, but not quite 100% successfully, I think due to my choice of partitions.

I'll use my hidden volume for SR and Ubuntu for everything else except when I need windows for non-sensitive activities.

Are there any extra precautions I could take with my Windows & tor browser bundle setup? I've used SMAC to change its MAC address and given it a benign name so my router doesn't hold anything I couldn't deny.

I find that Linux has an initially very steep learning curve that gradually reduces over a very long period of time, although some distros are certainly much harder to use than others. Even after using it exclusively for several years I find that I am realistically fairly intermediate with it, but that is partially because some of the people who have been using it for two decades reach an amazing level of expertise and specialization, especially the ones who know how to actually edit / create parts of the C or assembly code that makes their distro. Linux and BSD have a lot of advantages. Pretty much the only areas they are lacking in are gaming and ease of configuration/maintenance, but virtualization and emulation abilities are constantly improving and there are distros that put a lot of emphasis on being easy to use.

2884
Off topic / Re: War on Drugs... Fighting back
« on: May 07, 2012, 07:37 am »
It takes brains to make it so you don't need to stay one step ahead of law enforcement, but if you are happy just hoping you stay one step ahead and risking your life more power to you I guess. I think police are actually fairly worthless targets, they are the foot soldiers in the war. The generals are politicians and they are funded by corporations, although they also extort money from us to fund the war that they fight against us. The military of a nation generally aims for the generals and the means of funding the war machine, foot soldiers just get in the way of reaching these targeted objectives. Avoiding 'foot soldier' combat is probably the most strategically sound idea, and it lends itself well to decentralized network warfare. Although demoralization and other PSYOP techniques would probably be beneficial. Decentralized war is very interesting, I suggest reading about Netwar if you are interested in learning more about it.

2885
Silk Road discussion / Re: If prohibition is lifted
« on: May 07, 2012, 07:10 am »
How many times have UPS or Fedex agents kicked down the door of someone who ordered drugs to send them off to prison? Do you think that Fedex is going to spend their time and money trying to intercept drug packages and arrest the people responsible for sending them and receiving them, if the government does not force them to do so? Of course not, they are a shipping company not a fucking drug enforcement company. Anyway mail through customs can be inspected without any warrant at all, that only applies to domestic first class letter mail. Government is not protecting us by not searching our mail without a warrant, they are the fucking aggressor we are forced to need protection from in the first place, not Fedex and not UPS. Private mailing companies will of course have a contract that they need to follow with the customer, and anyway if Fedex decides it doesn't give a fuck about making profits and wants to enforce a ban on shipping drugs you find a new shipping service. If Fedex decides it wants to get into the slave trade or into robbery business and target those with drugs, your private defense agency attacks them and defends you until the aggressor is defeated to the point that they leave you alone and repay for all damages. Nobody is promised to win be they right or wrong, and anarcho-capitalism can not magically protect you from evil people, but any other system ensures that you will lose to them.
In USA you have two choices, you can be robbed by people who want to expand the state to insane degrees to the point they force you to buy healthcare "for your own good" and want to "help rehabilitate people" from drugs while funding the shitty near-brain-dead social science and prison industrial complex, or you can be robbed to a lesser degree by people who want to force you to follow the bizarre and completely illogical moral standards that were created two thousand years ago and largely based on a fairytale obviously no more real than any of the Greek or Roman or other myths from ages past. Most of Europe and almost all of the rest of the world are no better in their selections. Enjoy your Statist systems.

2886
Security / Re: When to use PGP?
« on: May 06, 2012, 09:31 am »
He knows this because SR claims to have fully server side encryption of addresses and essentially the only way to do this is to store everything on a mounted encrypted drive.

What this means is that SR server securely encrypts addresses only when the power to their server is cut or the drive is unmounted, because the keys must be stored in RAM so data can be dynamically decrypted/encrypted.

What this means is that if the attacker locates the server while it is still running, or waits for it to start running again, they can get the keys by cold booting the RAM into a forensics laptop.

It also means that if the server is rooted the attacker gains full access to encryption keys.

It also means that DPR can decrypt whatever he wants.

If you use GPG none of these issues are present.

SR could be using chassis intrusion detection technology and have the RAM secured with encapsulation material, that would make the physical attack harder but not impossible, but I doubt he is doing this because it would mean he almost certainly would have shipped the server to a colocation facility after configuring it himself.

2887
Security / Re: Advanced Onion Router: is anyone using?
« on: May 06, 2012, 06:46 am »
I have not heard of this before but it seems to have some of the functionality of LASTor, primarily AS awareness. I think AS awareness is an awesome feature and honestly I think it should be included in the standard Tor package, I used to think it was but it actually is not. I would be extremely extremely hesitant about using anything other than the mainstream tor client, unless it gets the Tor Project seal of approval, and I think LASTor is more likely to get that than this is, especially since it has had papers on it published on freehaven and came out of a university.

http://www.cs.ucr.edu/~harsha/papers/oakland12.pdf

2888
I generally get a new identity every hour or couple hours. It keeps you moving and will keep Nomad outta your coins a little better.

Tor automatically selects a new identity every ten minutes.

2889
It probably isn't a good idea anywhere, but they can't make you give up keys for a drive wiped with a PRNG stream. Well, you could give them a fake password and just say that of course it doesn't decrypt because it is just a wiped drive. Hey I didn't call it poor man's deniable encryption for no reason ;).

2890
It is possible to get deniable FDE with Linux, Truecrypt style, but it is not an easy task.

Poor man's deniable encryption: encrypt the entire drive, put the bootloader on a USB, now if they ask for password say that no password decrypts the drive and it isn't actually encrypted you just wiped it with random data. They shouldn't be able to tell a fully encrypted disk apart from one that was just wiped with a PRNG stream. If they ask why you have a bootloader on a USB stick just tell them you used to boot off of it but you have recently wiped the drive and have not yet installed a new OS :P.

2891
Off topic / Re: how to burn someones house down anonymously?
« on: May 05, 2012, 03:44 pm »
I honestly don't know the details of how it works, but the smart people who I listened to talking about it made it sound like you can pretty much use a laser to make an enormous lightning rod over a target.

2892
Off topic / Re: how to burn someones house down anonymously?
« on: May 05, 2012, 03:35 pm »
Use a laser to ionize a path towards his house from the sky during a lightning storm. I can't take credit for this idea though.

2893
Off topic / Re: Using MSN Anonymously
« on: May 05, 2012, 03:33 pm »
Apologies if this should be in 'Security,' it doesn't fully pertain to SR.

I wondered if anyone knew if you can chat on MSN anonymously? I've not used it since, er, the 90s but for some reason it seems to be growing in popularity amongst my colleagues and friends (does anyone know why? Even just installing it I don't like it and I haven't even used it properly yet).

I've always assumed that IMs sent over MSN (and most other chat clients) could be intercepted and read, as there's not always encryption. I've used pidgin's encryption/privacy features. Does anyone rate these? I have never used any of their security features on a hotmail account. Do they work?

Also, does anyone know if it's dangerous to have MSN loaded while using SR/Tor?

Thanks guys.

Do people still use MSN? Maybe it's just teens

Just out of curiosity how old are you OP?

Europeans

2894
Security / Re: The final step in the block chain?
« on: May 05, 2012, 02:34 pm »
http://www.innopay.com/content/changing-dynamics-financial-crime-digital-era

Hm this article differentiates by saying that 'criminal money transfer' is the act of Bob anonymously transferring anonymous Alice finances, and 'money laundering' is the act of anonymous Alice making it seem like her anonymously obtained finances come from a legitimate business venture. I would personally call that entire process money laundering though. 

Quote
In general, we can distinguish between three types of financial crime:

    Terrorism financing: obfuscating the source of the money used by terrorist organizations (money in, point A)
    Criminal money transfer: transferring money from point A to B (within the system), preferably untraceably
    Money laundering: obfuscating the destination of the money laundered by criminal organizations (money out, point B)


Also from this article:

Quote
It can be a daunting task for governments to monitor financial crime. The current anti-crime measures are based on the traditional bank networks. However, with the increasing digitalization the money transfers are increasingly harder to follow. Therefore, it remains important to focus on the end points. No matter what, money will always have to enter and exit the system to be of use to the criminal.

This article probably does the best at summing up some of the points I made, though

http://osaka.law.miami.edu/~froomkin/seminar/papers/bortner.htm

Quote
Obviously, transferring hard currency to ecash and then spending the ecash is an appealing opportunity to potential launderers'. What if the ecash is then transferred back to a regular hard currency account? This may seem a foolish act as the entire purpose is to reap the benefits of anonymous ecash. However, presently, there are no opportunities to purchase automobiles or real property by the exclusive use of anonymous ecash. Thus, the desire to convert private and untraceable ecash into a more functional means of purchasing is understandable.

Whether a regular, non-Internet currency account already exists or must be created to deposit the transferred ecash into may be irrelevant. Filing a CTR would be a legal necessity if the transfer amount is over the $10,000 reporting limit, as the transfer will deposit hard currency in a tangible, institutionalized, and regulated bank account. A transfer from completely anonymous ecash to hard currency might alert law enforcement as to the existence of the ecash account. While this alone would not track down laundered money, it might put a suspicious agent on notice.

AKA E-currency to anonymize the money but then cash out to multiple fake IDs or anonymous ATM cards to avoid having so much unaccounted for money suddenly appear in accounts / transfers tied to your name that you get raided anyway. Making the anonymous cash you have obtained appear to have a legitimate source is a different problem, a different part of the process.

Anyway use whatever techniques you want, but the ones I mentioned are not noob and you won't be able to show me a single report of someone who used them properly being arrested via financial intelligence because it hasn't happened yet. The people who are being busted via financial intelligence are using ONLY western union transfers + fake ID pick up, like a ton of people in the carder scene do. Or they are using Paypal, like TFM. Or they are using fraudulently obtained mainstream reloadable cards and cashing out at ATM with non anonymized loads, like a lot of small time drug vendors use. Or they are using CIM money mule networks to fake ID mail boxes, like TFM and a lot of other busted groups have done. Also, even these cases are giving headaches to LE enough that people using these techniques are still usually being busted in ways not related to financial transfer. Actually, I can't even think of a case of someone who used a fraudulently obtained reloadable card being busted via financial intelligence off the top of my head anyway.

2895
Security / Re: The final step in the block chain?
« on: May 05, 2012, 02:21 pm »
Okay enjoy your security by obscurity
