
Messages - kmfkewm

3586
Security / Re: Silk Road computer security project
« on: January 25, 2012, 11:30 pm »
kmfkewm (and everybody else): I'll reframe the original wording. The goal is to provide an alternative to Looker's Secure Virtual Machine (so far there is only Liberte) and not to build an entire system from scratch. I didn't mean to give that impression since I think that is way beyond the scope of SR.

I think much of the things you talk about will be part of Qubes but here we're talking key in, TOR work, key out. Can something be done or should we just be using Liberte?

I think that almost nothing of what I talk about will be a part of Qubes other than preconfigured paravirtualization.... what makes you think they plan to do any of the things I just talked about? Certainly nothing any of the Qubes devs has said led you to this conclusion. If you want an alternative to Looker's secure VM you could use pretty much any other thing and come away with better security. If you didn't realize, Liberte essentially is an entire system built from scratch. I mean, what makes Liberte different from the system I described other than it lacks a few of the applications I would like to see created. Creating Liberte was not a small task either.

3587
Security / Re: MtGOX WTF?? Serious security flaw!
« on: January 25, 2012, 06:18 pm »
SSL encrypts url

3588
Security / Re: why was the arrests and paranoia thread deleted?
« on: January 25, 2012, 06:16 pm »
did high school let out early today

3589
Security / Re: Silk Road computer security project
« on: January 25, 2012, 06:14 pm »
This project shouldn't be related to SR, but someone really should make a free market system that allows for the decentralized marketing of all goods (think a free market volunteer network of anonymized hidden services working redundantly to mirror the same cryptographically ensured as neutral and 'ignorant' market environment...after all taking out a network of fifty hidden services is going to be a bit harder than taking out one or two servers. Also taking out the admins of fifty hidden services is much harder than pwning the admin of a single site), and includes the ability to communicate via multiple latencies, place orders and product offers, easily create arbitrary network overlays for individual encrypted message distribution (compartmentalization) while allowing for whitelist based mostly open participation communications (some sort of pseudonym based distributed&centralized trust whitelist system for large communication networks / far outreach product advertisement) analyze trust networks, manage bitcoins / mix bitcoins / manage escrows, run auctions, leave reviews and product ratings etc. These things can be done with much higher security and anonymity than we are getting with the currently used tool set, although some components we are currently using should work their way into the new system (Tor for example). The project should aim to avoid all hierarchy in the communications and market components, instead being an 'all channel network' in this aspect (look it up if you care). Users should be the administration and moderation of only their own perception of the market, of course maybe using input from other users to help them make their choices ;) (think distributed whitelists).

This is really good for another reason also. Running a site like SR is illegal. Hosting a server for a network like I describe isn't anywhere near as inherently illegal. There is no law against hosting sophisticated security technology. For the same reason it isn't illegal to run a Freenet server but it is illegal to host CP on a Tor hidden service, even though essentially all Freenet nodes host CP. No Freenet content is associated with any specific Freenet storage node, with Tor there is a direct relation between the site that you host and the server it is hosted on. This isn't to say that Freenet is better than Tor, SR should stay on Tor for now.

It should also come with a preconfigured operating environment. One that has been hardened to the maximum possible degree. It should support multiple 'modes of deployment' ranging from having applications pre-isolated with paravirtualization / mandatory access control systems to being easily usable with physical isolation solutions where components are run on individual machines that are physically networked together. It should include an installation script that puts it deniably encrypted on a thumb drive if you go with the paravirtualization based isolation route instead of physical layer isolation. And to the user it should be point and click simple, easier than using E-bay itself with a really nice shiny intelligently designed for end user simplicity GUI. It should allow users to set their own level of security to an extent, for trade offs between security and ease of use. A prime example of this is multi-latency mixing, where users set their own latency and anonymity requirements. Most of all it needs to hide the technical details from users who could care less, while making them very highly available to and audited by people who care at all. If it is a Silk Road project it will not get a large user base though, it really needs to be fully independent of illegal activity. And it probably needs to be done in a few individual projects that are then combined together, instead of one big project. One tool that looks like it will fit in very nicely is Open Transactions.

3590
Security / Re: Feds use keylogger to thwart PGP, Hushmail (article)
« on: January 25, 2012, 09:20 am »
you don't seem to understand how fake ID is used then

3591
Product requests / Re: Looking for bulk Ketamine
« on: January 25, 2012, 09:00 am »
Do your sources in India use an escrow system that requires them to send you product prior to getting their full payment? For them to make sure they make $10,000 per kilo and don't get reverse scammed, they would need to sell it to you for $20,000. They would also need to raise the price to not lose money to the SR tax. $30,000 is expensive, but it is a totally different story buying on SR and buying directly from sources in India. If people want to risk losing $5,000+ to random anonymous customers online they can be my guest ;).

P.S. : Yes I did hijack this thread to show the major flaw in forced escrow. Sort of, I really do have a friend selling bulk ketamine right now.

3592
Security / Re: why was the arrests and paranoia thread deleted?
« on: January 25, 2012, 08:53 am »
Seriously can we at least know why the thread was deleted, or is it just going to be ignored entirely?

3593
Security / Fun reading
« on: January 25, 2012, 02:03 am »
Fun reading for those who think that using encryption and anonymity solutions, without paying attention to computer security, is enough to keep them safe.

https://secure.wikimedia.org/wikipedia/en/wiki/Cipav
https://secure.wikimedia.org/wikipedia/en/wiki/Magic_Lantern_%28software%29

Quote
The Computer and Internet Protocol Address Verifier (CIPAV) is a data gathering tool that the Federal Bureau of Investigation (FBI) uses to track and gather location data on suspects under electronic surveillance. The software operates on the target computer much like spyware, whereas it is unknown to the operator that the software has been installed and is monitoring and reporting on their activities.[1]

The CIPAV captures location-related information, such as: IP address, MAC address, open ports, running programs, operating system and installed application registration and version information, default web browser, and last visited URL.[1]

Once that initial inventory is conducted, the CIPAV slips into the background and silently monitors all outbound communication, logging every IP address to which the computer connects, and time and date stamping each.[1]

The CIPAV made headlines in July, 2007, when its use was exposed in open court during an investigation of a teen who had made bomb threats against his high school.[1]

FBI sought approval to use CIPAV from Foreign Intelligence Surveillance Court in terrorism or spying investigations.

Quote
Magic Lantern can reportedly be installed remotely, via an e-mail attachment or by exploiting common operating system vulnerabilities, unlike previous keystroke logger programs used by the FBI.[3][4] It has been variously described as a virus and a Trojan horse. It is not known how the program might store or communicate the recorded keystrokes.

Some more fun reading:

https://secure.wikimedia.org/wikipedia/en/wiki/Communications_Assistance_For_Law_Enforcement_Act

https://secure.wikimedia.org/wikipedia/en/wiki/Pen_register

https://secure.wikimedia.org/wikipedia/en/wiki/Trap_and_trace_device

https://secure.wikimedia.org/wikipedia/en/wiki/NarusInsight#NarusInsight

https://secure.wikimedia.org/wikipedia/en/wiki/NSA_warrantless_surveillance_controversy


3594
The whirlpool thing was funny. He (Looker) says so many weird things that I can't waste time pointing them all out.

Yeah I LOLed

Quote
I'm guessing he reads tech news sites and dabbles on his own. Not an expert, but knows enough to sound like one to someone who isn't.

Exactly this. The scary thing is he probably actually thinks he is an expert.


Quote
I was going to mention this before but forgot to. The triple encryption thing is probably pointless in the AES+serpent combination. I think they are almost the same thing anyway. Twofish is different, so I can understand wanting to combine it with one of the others. I wouldn't bother, but it isn't completely wrong from a paranoid point of view.

Triple encryption is probably pointless no matter how you look at it, none of the algorithms Truecrypt supports have ever been directly broken. Twofish uses a different sort of math than either AES or Serpent though, and will likely be immune to many attacks that affect them. For this reason it makes sense to combine it with AES or Serpent, but I wouldn't say it is required by any means.

Quote
So to talk about how things should be. First of all, you would be a lot more secure avoiding this product and just learning how it is supposed to work. Install apps mentioned here and learn to use them. The VM could easily be backdoored or have malware in it. I'm not going to check. I'd have to pay money to see it anyway. You should not be trusting software that you got from someone on this forum.

Yes

Quote
If only a script was released here, it could be easily inspected and trusted. It would be relatively small and uncomplicated. It might also be too complicated for some people to set up themselves, so the final product of the script could be released alongside it. Since the final product can be created by anyone with the same script, anyone can verify that the final product that is being released is exactly as it should be, with no binaries with incorrect checksums or anything like that. In fact there could be a second script just to verify someone else's installer based on the one that you created yourself, something more experienced users could do to increase the trust in a released version. There would be no single person saying "Hey, run these binaries on your computer, you can trust me, I work for ____ and can benchpress ____ tons while cracking AES."

Yes

Quote
This XP VM is a mess. It will never be something that a reasonable person can trust. At best, it gets people who are using the more secure Win7 to do important things in the less secure XP. At worst, it is a project of a cop who has some computer skills and wants to backdoor buyers and sellers.

Yes. What really annoys me the most is he releases a shit product that is totally insecure and then acts like he is the person who invented Truecrypt.

3595
The thing is we are all leaving reviews on this product. I don't need to pay for it to know that it is shit. I also can see clearly that Looker himself is entirely full of shit on many points, which puts everything he says that isn't immediately recognizable as a lie into doubt as well. Use his product if you want but it is nothing more than snake oil bullshit. It amazes me that people are willing to pay money for this! I guess a sucker is born every day. I have met many people like Looker in computer security communities, they are a strange breed and sometimes I honestly think they really believe the absurd bullshit they spew despite the fact that every single other person with security know-how disagrees with them. They also all tend to be majorly over selling shit products......

You would be better off using Liberte Live (which is free and comes with everything you need for SR other than bitcoin) and a bitcoin wallet site. Feel free to pay for this worthless security product if you like, but there are free options that are far superior. Also Looker has little to no idea what he is talking about. AES is cracked because of the huge processing power at the disposal of the NSA? Well guess what a 256 bit key can be brute forced if it is Serpent, AES or Twofish.


3596
Security / Re: Like Truecrypt but with a twist?
« on: January 24, 2012, 10:37 pm »
since when am I a troll? Also if they don't use a writeblocker and fuck with your actual drive it isn't going to look good in court for them.

3597
Security / Re: Like Truecrypt but with a twist?
« on: January 24, 2012, 10:17 pm »
law enforcement never do anything directly with your seized drive, they copy it using a forensic grade write blocker to make sure they don't modify a single bit of your information and then they do all of what they want to the perfect copy of your drive that they made

3598
Security / Re: How would LEO Attack SR?
« on: January 24, 2012, 10:43 am »
The only real way to attack SR is to find its server and take it offline... which will not be an easy task.

It isn't that hard to trace Tor hidden services actually. And finding the server and taking it offline would be about the most retarded way possible to try and attack SR. They would use it for a human intelligence honeypot before anything. Or trace the server and keep it online to gather unencrypted addresses.

3599
Security / Re: Automatically Change Tor Identity Every X Minutes?
« on: January 24, 2012, 10:34 am »
Correct me if I'm wrong, but doesn't changing your circuit faster open you up to traffic analysis..?

Faster circuit creation means that an attacker will be able to trace one of your circuits faster, but it also means they will only be able to trace your circuit for ten minutes' worth of surfing instead of say an hour's worth. Hidden services use dedicated circuits though so increasing the speed at which circuits are created will actually hurt your anonymity and give no added benefit.

3600
Security / Re: How would LEO Attack SR?
« on: January 24, 2012, 02:42 am »
If I don't say how they are going to catch you how can you protect yourself 0_0
