
Messages - kmfkewm

3631
Also AES has never been directly broken when it is used as a symmetric encryption algorithm with a 128 bit or higher key anyway. But anyway they will just forensically recover the key after it leaks from memory, this can happen in a ton of different ways (did you even take any technical steps against any of the numerous ways keys can leak to RAM?) and one person claimed in the security forum that it is more likely for this to happen in a VM guest than an OS running on hardware, but I don't know if this is true and they have still not yet given me a link to a citation. Even if it isn't true about key leaks being more probable in a VM, it is certainly true that key leaks are very probable even if you are not using a VM especially if you are taking zero precautions against this. So even though you are using freeware that implements strong encryption algorithms, you are not implementing it in a way that is foolproof (or even that secure) against forensics. Secure against cryptanalysis, yes, against forensics, no. Anyone who has done intelligence work related to computer security would recognize the difference between the two methods of attack, but you seem to be using forensics and cryptanalysis interchangeably. Live computer forensics will pwn you by hacking your system and doing a memory dump, dead computer forensics will pwn you when they recover your key that leaked all over the drive from memory.

3632
Quote
You are missing the point, you should try reading the thread, but looks like you failed at that so I’ll repeat myself for the 10th time. This device is not intended to be ‘neckbeard’ secure (as you would put it) from any hacker or security exploit while running any more than the average windows machine is on the regular internet with standard a/v protection.

I hope everyone can see that you are a total retard. Windows XP doesn't have any modern OS security features, you are far better off using the most recent version of Windows if you want security. Using Windows XP for security is a fucking joke and using it in a full hardware virtualization environment, further reducing security, is an even bigger joke. Your entire "product" is a security death trap and anyone who uses it is retarded. Also earlier you claimed to have done intelligence work and to know so much about the NSA and DEA, despite the fact that you are clearly talking out of the asshole that a random mutation put on your mouth, I would love to know the specific type of intelligence work you did. Certainly nothing related to computer security, and almost certainly nothing related to the NSA if you don't know how to program.

Standard A/V and spyware scanners are essentially entirely worthless at providing you security from an even half competent attacker who targets you. These programs (poorly) protect you from dragnet attacks where "any computer" is the target not "your computer".

Quote
It’s intended to be a windows machine (you know that OS over 80% of the world uses? Yea I am interested in a piece of that vast majority customer base)

Just because Windows has 80% of the customer base for personal computers doesn't mean that it is right to market it as a fucking airplane. Marketing windows XP full hardware VM with some garbage open source spyware scanners on it as a secure solution is about as honest as calling it a fucking dinosaur and justifying yourself based on its market share.


Quote
that has all the tools necessary to buy (primarily) and sell (secondarily) on SR.

No, it doesn't. Windows XP doesn't even have ASLR for fucks sake. You know nothing about computer security. You downloaded a bunch of fucking freeware after searching google for security software and installed a bunch of it to a Windows guest. Whoa, welcome to entry level security, about a step above grandma level security.


Quote
It also has various precautions/software in place that would prevent LE from extracting any data from it in the event it is confiscated, or quickly and easily discarded (and thus discarding of any useful data) to serve the same purpose.  Let me repeat that for you in simpler terms. This device is intended to thwart LE forensic data recovery capability, not some uber ‘leet hacker like your ego indicates from somehow exploiting some security hole known to exist in windows. If you are using it only for SR then spybot isn’t even necessary, this was something that was simply added because it was requested and it is small enough to not impact the overall size of the vm or cost or time to build significantly. This isn’t supposed to be a rock solid hard core un-hackable vm. Never was, and never will be, after all it is windows (as you were so astute to point out).

Spybot is never needed and if you are using Spybot for anything security related it's already a huge indication that you failed at computer security. Also, if you are using an anti virus program it is also a huge indication that you have failed at computer security. This doesn't mean I suggest against using an anti virus or anti spyware software if you run Windows, it just means that if you run Windows you already failed at computer security.

Quote
LE forensic data recovery capability, not some uber ‘leet hacker

What are you going to do when LE hacks your shit and steals the encryption key from RAM? You are saying the (limited, although important) security benefit you get from using a single open source freeware system that you had absolutely nothing to do with creating, not the security benefit of using your death trap of a security distro.

Quote
You say people are far far far better off using liberte, while there is some truth to this (just about any linux is more secure from a hacking standpoint than windows)

There is only truth to saying that people are far far far better off using liberte, liberte isn't anywhere near the ideal configuration but it is light years ahead of this shit you are trying to sell.


Quote
the problem I’ve found with the linux distro’s is for the average user they are a pain and unfamiliar to use.


Firefox is Firefox.


Quote
I support it as part of my irl job so I’m very painfully aware of the gain in security by using a distro like tails/liberte etc. However the customers I am seeking don’t want to learn a new OS, they want to click a few links, order their drug of choice with some level of impunity because they know someone who knows technology far better than them set it up to secure and encrypt their data so as soon as they are done doing their business on SR and turn off the VM it would be exceptionally difficult (and it’s my contention that for local/state LE this would be impossible) to extract any incriminating data from the drive without the proper encryption key and/or password. That’s it, nothing more, nothing less.

The people who use Death Trap VM are not getting any level of security they would be better off to use an operating system that uses modern security technology. From what I can tell your level of technical security knowledge would be gained by searching for Windows security software with google. And once again you are attributing the security benefits of using a freeware open source system you had nothing to do with creating to the (entirely not real) security benefits of paying you for Death Trap VM.

Quote
What I have no intention of doing is creating a device that’s so secure your fantasy lover Theo de Raadt would have a hardon for. Why? It’s simple because nobody would want to use it and it would be so user unfriendly that I would never sell a single one except to someone like you who is not my target audience. So this being said the only failure here is your own as you fail to see what it’s attempting to accomplish, which is not anywhere near what you would want.

You wouldn't sell one to me either because I know to be really secure you need to configure and audit things yourself. You are just trying to make money, you don't know squat about computer security and you have even pretty much yourself admitted that making money is more important to you than providing security to your customers, if you even had the technical skill required to provide security to anyone in the first place which you obviously don't. You are selling a steaming pile of shit and anyone who buys it and uses it is both retarded and highly insecure.

3633
Quote
So basically you're just selling freeware on a truecrypt (also freeware) encrypted drive? Am I missing something? And you think the police don't have more capabilities than a stupid hacker?

You're definitely not someone I would trust with my security lol

Most police have substantially less capabilities than even the stupid hackers do, in a cyber environment anyway.

3634
Security / why was the arrests and paranoia thread deleted?
« on: January 21, 2012, 09:16 am »
A bunch of people have private messaged me wondering why this thread was deleted, they seem to think it may be because I mentioned that there are thousands of people who have been arrested for getting drugs in the mail, and that this may scare people away from placing orders and have a chilling effect on noobs.

I would like to think it got moved to a moderation forum where they are now discussing adding an intelligence subforum like I suggested, for pooling law enforcement documentation / case studies / research papers etc related to online drug trafficking and such. But who knows. I do know that I don't like to see entire threads censored though, particularly without just locking them and giving an explanation.

3635
Off topic / Re: Are you satisfied with the existing drug policy?
« on: January 21, 2012, 09:09 am »
Quote
So why not legally?  Its not like anyone can stop us.  They can close down our corners, bust our dealers, our websites, they even bust us.  But we keep on...they CANT stop us 100%.

They don't want to stop us 100% then they would be all out of jobs and the prison industrial complex would suffer, and they would need to start formulating propaganda for the up coming war on people who eat carrots (and in about twenty years people who eat carrots will be commonly seen as sick, and carrots as poisons from the devil).

3636
Security / Re: PGP and internal SR message system
« on: January 21, 2012, 09:03 am »
If SR server is pwnt by someone malicious they can certainly intercept all communications through the PM system. You also need to worry about an attacker who pwns SR server doing man in the middle attacks on GPG key exchange, this sort of attack may go undetected for a very long time. You shouldn't need to register to view this forum and you should add a profile option for GPG key so users can load it to their profile. Then only clicking the user name to go to their profile is required to get their GPG key. If the forum is open for all to view and has a place for GPG keys in user profiles you can periodically check your own listed GPG key against your known as legitimate GPG key. This is the best way to protect from SR or someone who pwns it doing MITM attacks on key exchange.
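The profile-key cross-check described above, as an added example that is not part of the original thread: it parses a minimal armored OpenPGP v4 public-key packet, computes its RFC 4880 fingerprint, and compares that against a fingerprint pinned out of band, so a key swapped by whoever controls the server shows up as a mismatch. The two keys are constructed placeholders with valid packet framing, not real keys.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample keys for this example: 1024-bit odd moduli standing in for
# real RSA public keys. They are NOT real keys, only placeholders with valid framing.
N_GENUINE = (1 << 1023) | 0x1337_0001
N_SUBSTITUTED = (1 << 1023) | 0xBEEF_0003   # what a MITM might place on the profile
E_RSA = 65537


def mpi(value: int) -> bytes:
    """Encode an integer as an OpenPGP multi-precision integer: bit length, then bytes."""
    bits = value.bit_length()
    return struct.pack(">H", bits) + value.to_bytes((bits + 7) // 8, "big")

def build_public_key_packet(n: int, e: int, created: int = 1327000000) -> bytes:
    """Build a tag-6 public-key packet (RFC 4880 5.5.2) with a new-format header."""
    body = b"\x04" + struct.pack(">I", created) + b"\x01" + mpi(n) + mpi(e)  # v4, time, RSA
    length = len(body)
    if length < 192:                       # one-octet length
        len_octets = bytes([length])
    elif length <= 8383:                   # two-octet length
        len_octets = bytes([((length - 192) >> 8) + 192, (length - 192) & 0xFF])
    else:                                  # five-octet length
        len_octets = b"\xff" + struct.pack(">I", length)
    return bytes([0xC0 | 6]) + len_octets + body

def parse_packet(data: bytes):
    """Parse one new-format packet header; return (tag, body)."""
    first = data[0]
    if first & 0xC0 != 0xC0:
        raise ValueError("only new-format packet headers are handled here")
    tag = first & 0x3F
    l0 = data[1]
    if l0 < 192:
        length, off = l0, 2
    elif l0 < 224:
        length, off = ((l0 - 192) << 8) + data[2] + 192, 3
    elif l0 == 255:
        length, off = struct.unpack(">I", data[2:6])[0], 6
    else:
        raise ValueError("partial body lengths are not supported")
    return tag, data[off:off + length]

def v4_fingerprint(body: bytes) -> str:
    """RFC 4880 12.2: SHA-1 over 0x99, the two-octet body length, and the key body."""
    return hashlib.sha1(b"\x99" + struct.pack(">H", len(body)) + body).hexdigest().upper()

def armor(packet: bytes) -> str:
    """Wrap a packet in a PGP PUBLIC KEY BLOCK (CRC-24 trailer omitted for brevity)."""
    b64 = base64.b64encode(packet).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN PGP PUBLIC KEY BLOCK-----\n\n" + "\n".join(lines)
            + "\n-----END PGP PUBLIC KEY BLOCK-----\n")

def dearmor(text: str) -> bytes:
    """Strip the armor lines, any header lines (contain ':') and a CRC line ('=...')."""
    lines = text.strip().splitlines()
    if (lines[0] != "-----BEGIN PGP PUBLIC KEY BLOCK-----"
            or lines[-1] != "-----END PGP PUBLIC KEY BLOCK-----"):
        raise ValueError("not an armored public key block")
    payload = [ln for ln in lines[1:-1] if ln and ":" not in ln and not ln.startswith("=")]
    return base64.b64decode("".join(payload))

def fingerprint_of_armored_key(text: str) -> str:
    tag, body = parse_packet(dearmor(text))
    if tag != 6 or body[0] != 4:
        raise ValueError("expected a v4 public-key packet")
    return v4_fingerprint(body)

def profile_key_matches(pinned_fingerprint: str, profile_key_text: str) -> bool:
    """The check from the post: does the key shown on the profile match the one you know?"""
    pinned = pinned_fingerprint.replace(" ", "").upper()
    return hmac.compare_digest(pinned, fingerprint_of_armored_key(profile_key_text))


GENUINE_KEY = armor(build_public_key_packet(N_GENUINE, E_RSA))
PINNED_FINGERPRINT = fingerprint_of_armored_key(GENUINE_KEY)   # recorded out of band
SUBSTITUTED_KEY = armor(build_public_key_packet(N_SUBSTITUTED, E_RSA))

if __name__ == "__main__":
    print("pinned fingerprint:", PINNED_FINGERPRINT)
    print("profile shows genuine key:", profile_key_matches(PINNED_FINGERPRINT, GENUINE_KEY))
    print("profile shows swapped key: ", profile_key_matches(PINNED_FINGERPRINT, SUBSTITUTED_KEY))
```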

3637
Security / Re: What's the point of BTC "laundering"?
« on: January 21, 2012, 08:57 am »
Quote
Isn't it true that if someone tried to dissect a BTC transaction, they can't tell where it came from and where it's going to?
No.

It depends on the layer of abstraction you are talking about. Certainly all bitcoin transactions can be linked on the bitcoin address layer. On the IP layer you can prevent linking by using Tor. On the meatspace identity layer you can avoid linking if the method used for buying or cashing out bitcoins is itself anonymous, and you use Tor, but anyone can always still see that your bitcoin address sent coins to another known bitcoin address. You can use bitcoin mixes to offer unlinkability on the 'who actually paid who' layer (the attacker will still be able to see your bitcoin address and five hundred others sent a bitcoin to a mix, and they can still see that five hundred bitcoin addresses took a coin out of the mix, but they can no longer tell who gave a coin to who through the mix). Of course mixing is money laundering and it might not be of particular importance that the feds can't tell what you needed to launder money for if they can tell you laundered money in the first place. In general you should be trying to pay for and cash out bitcoins as anonymously as possible and through as many additional layers as possible, and you should certainly be mixing your bitcoins using blind signature mixes if possible.

3638
Quote
furthering development of cables communication (which is absolutely fantastic).

Cables is actually the worst part about Liberte, hidden services are generally much easier to trace than clients are and cables requires you to run as a hidden service. Running as a hidden service is probably a worse hit to your anonymity than not using persistent entry guards. At least you don't need to use the cables system, so it still pwns Amnesia.

3639
Read this thread to see why you should NOT be using full hardware virtualization systems like virtualbox

http://dkn255hz262ypmii.onion/index.php?topic=8524.0

Quote
There are hypervisors that allow leverage of the HVM (hardware virtualization) featureset but also provide added security with PVM drivers giving you a fairly decent mix of both so you aren't forfeiting all of the upside of HVM but also not as vulnerable to it's security downsides. I'm sure you are more than aware of this and this wasn't intended to inform you but others who might be reading.

Xen in particular does this very well. Well, well enough that very large companies use it on clusters of up to 32 physical hosts and several hundred TB of storage (about 500TB-550TB per cluster simply to give you an idea of the scale) and the one I am thinking of has 11 of these clusters deployed in datacenters across the country. They chose Xen with PVHVM guests for security reasons because of the customers (of theirs) that would be leasing or otherwise using them. These VMs safeguard a large quantity of very sensitive data (think hospitals and insurance companies and the hosting company's own financial records). I'm not saying virtualization is the most secure solution, what I'm saying is it is used in some very strict environments and if it's good enough for them and used properly it can add security where there otherwise might be a gap. If it's acceptable for these types of environments I think it's quite ok for anyone here. I'm specifically referring to a company who generates over $100 billion a year in revenue so these are no small players, and while normally the primary purpose for virtualization is the ability to consolidate your servers on to less hardware, that does not mean it can't be used in a secure or otherwise sensitive environment as some security professionals would have you believe. There are also others that believe while it does come with its own risks they don't negate it as being a useful tool. It's certainly not a new concept and has been around since the late '60s, early '70s.

VirtualBox was never intended to be secure, it was intended to be light and fast and simple to use. This combination of things does not lend itself to being highly secure in any application. Security really isn't about any one factor alone and people should take this into consideration. I'm not suggesting that you don't kmfkewm but it's a matter of a combination of layers and the 'whole stack' if you will that ultimately lead to a more secure system of any OS.

This being said you can take security as far as you want but at some point there is a point of diminishing returns where even though you may go to great lengths from a technical aspect, that's only one piece of the pie. Physical security and security through obscurity are still major factors in determining if a system is truly 'secure'.

You may disagree with me, but that's simply my .02btc

Thanks,
Looker

Xen is paravirtualization and I suggest using it over anything else other than physical layer isolation. Full hardware virtualization like Virtualbox is where the danger is. I agree that paravirtualization is secure enough, and that it is certainly better to isolate apps from external IP address with paravirtualization than not to isolate apps from external IP address at all. I also recognize that paravirtualization and OS virtualization are fairly common security techniques used by people who are very good at security. I knew virtualization could be used for isolation like this (and it should be if you are not using physical layer isolation), but I didn't realize that paravirtualization was the best choice or that full hardware virtualization caused a substantial hit to guest OS security before.

3640
Security / Re: Tor bridges secure?
« on: January 21, 2012, 08:13 am »
Quote
As I understand it, an attacker operating a Tor relay (and this includes bridges) can use sophisticated monitoring techniques to see what sites you're visiting, but they can't decipher the content of your communication.  So an attacker monitoring your web traffic could see, for example, that you went to www.safe-mail.com, but couldn't see what you're doing there.  That could change because people are always trying new hacks that might allow them to monitor Tor traffic.

Very true, nice to see someone who knows a bit about Tor. Website fingerprinting attacks analyze patterns in encrypted traffic, looking for pre-identified fingerprints associated with certain websites. This sort of attack may be used to identify encrypted Tor traffic with 60% accuracy. This doesn't mean the attacker can tell the difference between your upload of the word dog and the other poster's upload of the word cat to some forum, it just means that they can with about 60% accuracy determine that you sent something to that forum. Of course this assumes they are only doing website fingerprinting attack and are monitoring traffic at your entry guard / infrastructure, if they do other things they can of course learn other things. Also I don't think the traffic classifier that CCC used against Tor (getting the 60% accuracy results) used hidden Markov modeling (which takes into account not only the fingerprint of a single page, but the multiple possible fingerprints created by browsing through networks of interlinked pages), if it did the accuracy would probably be substantially higher.

Quote
But here's a strategy to use if you want to be sure the bridge you're connecting to is safe:  run your own bridge.

Using a private (or public via the bridge distribution mechanisms) bridge node that you run yourself is a great way to majorly increase the anonymity offered by the Tor network. For one, you will never be traced by an active attack unless whoever your attacker is takes control of your bridge node somehow (and knows how to target it in the first place).

Quote
On another computer on a different network (say a friend's PC or a PC at work or school), set up the Tor software to function as a bridge.  Then copy the bridge IP address and port used to connect, which will be entered in the Settings -> Network tab of Vidalia on the PC you use to connect to the Tor network. The bridge is your first hop connection to Tor, and if you are the one controlling that first hop you can feel a little safer using Tor.

If you control the first hop you can feel a hell of a lot safer about using Tor.

3641
Security / Re: Tor bridges secure?
« on: January 21, 2012, 07:35 am »
QTC allow me to point out that the network is actually named Tor and that it is no longer an acronym for the onion router. Tor is actually not technically an onion router either, although it is very frequently called one. These points are mostly unimportant trivia.

Bridges are imo very important for vendors to be using. When you load Tor your client directly bootstraps at one of about eight directory authority servers. These servers are run by people that the Tor devs trust (and they need to trust them because if four of them are pwnt by the same attacker at any given time, and the attacker also has access to a (fairly) large amount of bandwidth, they can deanonymize large percentages of the Tor network as well as intercept large percentages of exit traffic. It is worth noting that they could not do this without being detected in a fairly short period of time). It is probably not that hard for an attacker to monitor some of the directory authority servers, the federal police of a country can almost certainly monitor all connections to and from any directory authority server in their country. I think several are in USA and Germany. Monitoring connections to and from directory authority servers allows an attacker to enumerate Tor client IP addresses, an attacker who can monitor all directory authority servers can enumerate the IP address of every single non-bridged Tor client.

When you use bridges they act as directory guards as well as entry guards. Unlike Tor directory authority nodes and normal entry guards, there is not an easily available list of all bridge node IP addresses (although some of the Tor devs have access to this information, as well as hackers who can pwn bridge distribution servers or mechanisms) and most attackers can only enumerate some percentage of bridge nodes (I think China blocked something like 85% of them last time I checked). Also, there are several hundred bridge nodes (maybe even over a thousand now) so it is much harder to monitor all of them than 8 directory authority servers, even if you could enumerate all of their IP addresses.

Why do you not want your IP address to be identified as connecting to the Tor network? This is mainly a problem for vendors and for those who use fake ID boxes to maintain anonymity. There are really not that many Tor users in the grand scheme of things, versus the total world population. Also Tor users are fairly widely dispersed throughout the world. In any given fifty mile radius there are not likely to be many Tor users. Since vendors must leak rough geolocation intelligence when they ship, an attacker who can place an order from a vendor (and make a one hundred mile radius around where it was shipped from) and can also enumerate Tor client IP addresses, can then intersect these two datasets together to narrow in on 'people who are likely the vendor'. The two datasets are A. Lives within a one hundred mile radius of where the package was shipped from and B. Is a user of the Tor network. The resulting crowd from this attack is not likely to be substantially large, particularly in more rural areas with less population density. It may even be the dreaded crowd size of one.

This sort of attack is generally called an observability or membership revealment attack (as it relates to enumerating Tor client IP addresses). The other part is called an intersection attack (taking two or more datasets and removing items that do not appear in both to make a third dataset, as a technique for narrowing in on a target that is associated with a few data points of a known or estimated uniqueness).

Bridges also increase security from a number of other attacks. They also reduce anonymity from a number of other attacks. One thing to worry about is an attacker who can identify bridged connections. If you use bridges in a country that doesn't restrict access to the Tor network, particularly from a residential location, the chances of you trying to protect from the previously mentioned sort of attack are high. In this case using a bridge would be worse than not using a bridge, since in addition to being identified as a Tor user you are identified as a Tor user who is worried about this sort of attack. Anyway, if you are worried about the very serious attack I mentioned I suggest that you use bridges. Also, bridge use probably slightly reduces your protection from a few sorts of attack, however it also increases protection from a few sorts of attack, and it also adds *any protection at all* against numerous other attacks.

3642
Security / Re: What's the point of BTC "laundering"?
« on: January 19, 2012, 11:41 pm »
Unless you mix bitcoins they are as anonymous as the method you used to pay for them. Unless you mix bitcoins they are as anonymous as the method you use to cash them out. Bitcoin offers absolutely no anonymity whatsoever in and of itself, in fact the entire transaction history is available for anybody to see.

3643
Dude if you are using Windows you already failed at security, and if you are using Windows XP you ultra failed. Anyone who pays money for this shit is retarded and not secure. It comes preconfigured with spybot and other free open source software? Awesome I can make sure that I don't have any tracking cookies I guess. In addition to being insecure from a technical standpoint this is also insecure from all other standpoints. People are far far far better off to use Liberte, at least he includes a tutorial and lets you configure things exactly the way he did step by step to make sure you are not getting a backdoored distro. Windows XP lmfao. I honestly hope OP was making a joke.

3644
Quote
And so begins another round of slurry.
Everyone has a different method. And everyone else is wrong.

Some things are proven facts. Full hardware virtualization being insecure is a fact. Multiple expert level security professionals have weighed in on this matter (including the lead dev of OpenBSD) and you can read all about it in the thread I linked to. The only reason you would even want to consider using full hardware virtualization is if you are using it to isolate applications from the external IP address, and even in this case it brings serious added risks because it makes it easier for someone to pwn the operating environment in your guest VM and spy on your plaintexts, even if they can not get your external IP address. Paravirtualization and OS virtualization are much safer ways to get isolation, and if you want to go full out you should be using physical layer isolation to isolate apps from tor and external IP address.

Quote
It would be nice to get a SOP on security, instead of 100 different versions.

Yes it would. I have written many things like this over the years, adding to my tutorials and adding techniques and fixing mistakes as I learn more. I think my skills and knowledge have increased by such a degree that it is time for a new set of tutorials. I will start work on a comprehensive SOP tutorial set soon, I also welcome haxxtheplanet to join by writing a tutorial for physical layer isolation if he wants. If not I will. But I also will write tutorials for OS virtualization and paravirtualization.

Quote
The slurry will continue, until those with knowledge jump down from the perch, and those without start paying attention.

That is pretty much what happened in the thread I linked to. Someone claimed that all virtualization is bad and dangerous and that led me to find out that paravirtualization and OS virtualization should be used over full hardware virtualization. I wasn't aware full hardware virtualization was so insecure before (although I really should have as it is obviously a massive increase to complexity. I guess I was thinking of guest machines as being actual machines, instead of being applications. Bad and wrong way to look at it!). After doing research I found that the poster was about 95% right about what he said, although I did come to a slightly different conclusion than he did (suggesting paravirtualization and OS virtualization over no isolation, although we both agree physical layer isolation is the ideal solution). Many security experts are quoted in the thread and we all reach more or less similar conclusions about many of the points discussed.

Quote
@kmfkewm: from reading your posts, it seems as though you are hacker elite, and nothing is safe. Maybe YOU should write out a standard operating procedure, and have affluent SR community, i.e, Mods & Staff approve, or disapprove, and THEN all of this shit can cease, and all of you geniuses can quit your picking on the newbs, and all the newbs can be safe SR travelers, and we can all be a happy fucking family of drug addicts, and gun nuts. JFCOAC!!

I think all the experts have presented the evidence and valid (if different) conclusions from the evidence are also presented. The only point left with some argument around it is if no isolation is better than using OS or paravirtualization, we all agree physical isolation is best and we all agree that full hardware virtualization is best avoided. This is ten thousand times more true if you are using full hardware virtualization for any security related purpose other than isolation of apps from external IP address. Yes I will make a guide. Yes I am pretty good with computer security. I really shine at traffic analysis and server administration though, I am not an expert on virtualization (although I have talked with some about the issues, you should really read the thread that I linked to).


3645
Read this thread to see why you should NOT be using full hardware virtualization systems like virtualbox

http://dkn255hz262ypmii.onion/index.php?topic=8524.0

Quote
can you point me to specific post? I read the thread and found lots of nonsense on how VM+truecrypt isn't secure.
thanx,
psilocin

You obviously didn't read the entire thread
