I never knew about even half the stuff kmfkewm posted here. Good go, mate! Thanks for sharing all this knowledge with us.
I feel a bit stupid that I never knew about the possibility of using chroot like this, since I use it daily for other purposes.
I know OpenBSD has a modified version of chroot that offers decent isolation, but many distros are probably still using versions with chroots that can be broken out of fairly easily. Look into the security of chroot on your distro.
Even with disk encryption, if they want to crack it they will.
Welcome to the 'says a bunch of bullshit' club. If you are using a strong encryption algorithm like AES or Serpent with a 128 or 256 bit key, nobody is going to be cracking it. These symmetric encryption algorithms are even highly resistant to quantum computing attacks that are able to break asymmetric algorithms like RSA (which is often used for session key exchange with GPG). An attacker with a quantum computer with enough stabilized qubits can use Shor's algorithm to quickly break this sort of asymmetric encryption, but the best known quantum computer attack against symmetric algorithms is Grover's algorithm and it only reduces key size by 1/2 (giving a 256 bit symmetric algorithm the still unbreakable key space of 2^128). Even 128 bit symmetric keys are going to be unbreakable by such quantum computers. And anyway it is likely that nobody currently has any quantum computer with such capability, and if anyone does it is the NSA and they are sure as fuck not going to reveal that they have such abilities by using them against you.
Most of the time frame quotes you hear about encryption like "it would take them over a thousand years to brute force that" are bullshit. Those time scale estimations are routinely based on trying to crack the encryption using CPU power. While this does get the job done eventually, the future is in using GPU computing (using your video card's processing power).
GPU does have more processing power for cracking things like encryption than the average CPU does but you still are not going to brute force shit when it comes to strong encryption, even with a large cluster of GPU power.
It's the same hashing method used in the bitcoin protocol itself. When people solve a block, all they have done is generate hashes until one of them matched the transactions that were being verified. Anyone who has ever mined bitcoins can tell you how much faster a GPU can do this when compared to a CPU. Depending on the encryption scheme and the efficiency of the hashing code, it can cut the time needed to crack an encrypted volume by several orders of magnitude. This makes encryption just one part of a layered defense scheme. To rely on it alone is foolish.
If GPU is so powerful then bitcoin is fucked because it relies on algorithms that could then be brute forced, or even the keyspace of the hashing algorithm it uses would be exhausted. You are right that it is foolish to rely on encryption alone, but your reasons for why it is foolish are even more foolish.
This brings me to my original point. VMs have their image files running off of the hard drive most times, so once the volume is decrypted, they can just load the VM up in its normal software and have access to everything in it.
You are entirely missing the point of using a virtual machine for isolation. What you are doing is protecting from an attacker who remotely hacks / roots your VM using whatever network facing applications run in it as the vector. If an attacker does this and you use a virtual machine to isolate the exploited applications, the attacker can not trivially get to the host system from their position in the virtual machine.
Even worse is that you can manipulate the data in a VM's image file without loading it up and completely bypass all access controls and system permissions.
Sure, if you have access to the host OS. Again, you are entirely misunderstanding the benefits of using virtual machines.
So knowing this, what I did was invest in a device called a ramdisk. How does this help? Well, RAM doesn't hold data after the power cuts out. If your VM is stored and run from a ramdisk, when the police show up, you just pull the plug and there is no more data for them to screw you with. I have my rig interfaced with a garage door remote on my keyring. One button push and my rig cuts off and all the data in the ram disk goes bye bye.
The RAM can be flash frozen for a significant period of time after power is cut, although the exact time frame depends on the specific sort of RAM.
Sorry, but it is you who is wrong.
I do not know if all RAM can be flash frozen, but I know a lot of it can. I also know different sorts have different data decay rates. However, considering the fact that you have already demonstrated willingness to talk out of your asshole instead of your mouth, I am inclined to think you have no idea what you are talking about. Please show me a citation.
There's only one type of DRAM chip used for actual computer RAM and it is stateless without power being supplied to it.
This I know is not correct, cold boot attacks have been demonstrated against several different sorts of RAM. It is a fairly common misconception that RAM is stateless without power being supplied to it, but it has been demonstrated with several sorts of RAM (all tested afaik) that state decay is not instant upon power being cut, taking as long as ten plus minutes in some cases. I believe this sort of attack was first shown by Jacob Appelbaum.
The actual "memory" in your computer is not like the NAND memory used in usb sticks and flash drives. Data stored in NAND is in a persistent state until altered and requires no power to hold data once it is written. Actual RAM holds nothing persistently.
You obviously have some understanding of computers, but your understanding is that of a 'computer guy' not a 'security expert'. It is a common misconception that RAM instantly loses its state upon power loss, but security professionals have demonstrated and proven that this is not true several years ago now.
This is why RAM constantly has to have the data refreshed every few nanoseconds. Freezing the RAM with liquid nitrogen would do absolutely nothing, as the only thing moving in the RAM is electrons.
Please stop saying as fact things that you have no real idea about. Yes, you are technically correct that the only thing moving in RAM is electrons, however freezing the RAM with liquid nitrogen (or other things, some of which are far easier to work with) will indeed make the state of the electrons persist in RAM for an extended period of time. It also takes a substantial period of time, usually a few minutes, before the state of the RAM decays after power is cut.
It takes quite a bit of time to reach absolute zero (the point at which atoms stop moving, as well as their components such as electrons) even using liquid helium. So let's see here. Power goes off and data is GONE in, let's say, 25 milliseconds.
Why are you wasting your time making shit up and talking about things you don't know about? Let's try to keep the information here high quality and accurate instead of pulled out of our assholes please.
If the feds have people who can somehow alter the laws of physics and timespace I'm sure we would have heard about it by now so it's not even logical to expect human or machine to be able to remove a physical ramdisk device in that timeframe.
Your entire hypothesis is incorrect so you should stop basing your argument off of it.
On top of that, even liquid helium could not cool it down fast enough to stop the electrons from dissipating before that data was gone forever. And let's not forget that you'd be shorting out the device by submerging it into liquid helium (I keep using helium because liquid nitrogen can't freeze electrons in place, so it is useless for the scenario you mentioned). So whoever told you that line of bullshit needs to go back to school and get their MS in Comp Science as I did, and then they would know what they were speaking about.
Blah blah blah, more wrong information. This attack has been demonstrated; you can see the entire thing carried out on youtube for fuck's sake, not to mention the attack has been in published papers for a few years now. Any computer security professional should know about this attack by now, so maybe it is you who should go back to school in computer security instead of unrelated computer science fields.
Let's also point out the fact that all modern operating systems use memory address randomization to help counter buffer overflow attacks in poorly written software. Even if by some miracle the data got preserved in RAM, once the OS is off there is no way to tell what bits were placed where in RAM. All that would be left is jumbled masses of binary values with no real way to correlate them to what they belong to. 16 gigabytes = 17 179 869 184 bytes, so if you think anyone could solve that jigsaw puzzle then I've got a really nice bridge in SF I'd love to part with very cheaply.
Not all modern operating systems use ASLR (FreeBSD comes to mind) and many of the operating systems that use any ASLR do so to a limited extent (thus not having full ASLR). Well, you know the key size of the encryption is 128 bits of randomness or 256 bits of randomness, so I guess you could just filter out everything that isn't random and then make a dictionary of all 128 and 256 bit strings of randomness that are left. ASLR doesn't randomize the content of RAM, it randomizes where data is stored in RAM. Stop talking out your asshole.
Also, I forgot to respond to this. The registers in your CPU hold data exactly as long as RAM cells do, man. They also have to be refreshed like RAM or they also lose their data.
This is true. The only way I have heard of protecting from a cold boot attack when the attacker actually has physical access to the machine is to use encapsulation material to slow their ability to access the RAM, and intrusion detection systems to begin a wipe process in RAM as soon as physical penetration of the case is detected. Even systems that use encapsulation material and similar systems for protecting RAM have been defeated by military hackers. I read about one hacker who worked for the United States government using a combination of, I believe, liquid helium and an acid wash to remove the encapsulation material from flash frozen RAM, and then he used a highly precise tool with a tip on it about the width of a human hair to obtain the state of the memory. Sorry I can't explain this attack in more technical detail, it is beyond my level of expertise, but I will try to find the article.
Seriously, pick up a book and actually read up on this.
Given the large amount of bullshit that you have said I think you have no place in lecturing other people on reading up on anything.
Also, you're arguing with someone with a master's in computer science based on shit you read on fucking wikipedia? You just served yourself, son. I can cite thousands of government papers and studies claiming weed is as addictive as heroin and causes everything from crime sprees to psychosis. Does that make them true? Hell no, because even idiots get bullshit papers published. The things I've stated here come from actual learning, hands on experience working in this field, and basic damn common sense when it comes to the laws of physics.
If you have a master's in computer science I really am impressed with myself that I have managed to become self educated past the point of a master's degree so quickly! It really is hard to determine my skill level considering that fact, but I routinely do find myself pwning the shit out of anyone who has received their computer/security training from a school or corporation. He is basing his argument about RAM on a paper / attack discovered by Jacob Appelbaum, a well known security professional and one of the Tor developers. You really have pwnt yourself very hard if you are not trolling.