Silk Road forums
Discussion => Silk Road discussion => Topic started by: Thirty_Rox on August 07, 2012, 12:00 am
-
I've seen a few threads reference this paper, but didn't see the entire thing posted here yet. If it is, I apologize:
***Clearnet Warning***
https://bitcointalk.org/index.php?topic=98586.0
Link to PDF removed, and link to thread about SR that contains PDF put in its place. Thank you for the info Pine!
-
Please remember to setup an unnetworked virtual machine to view files if you download PDFs like this one. PDFs can potentially deanonymize you or contain LE malware.
-- Paranoid Pine
-
It's a scary read...
Same with updated aussie state laws effective July 1
What laws are you referring to?
-
The PDF is readable online:
https://viewer.zoho.com/docs/urlview.do?url=+http%3A%2F%2Farxiv.org%2Fpdf%2F1207.7139v1.pdf
-
I don't think that the Cornell University Library is likely to be distributing malware -- the shit would certainly hit the fan if it were to be discovered that this were taking place.
All due respect Guru, but I can't agree. I mean I should hope not, but I'm not going to bet the farm either. You seem to be thinking the DEA are like normal cops or something, and that is far from the truth. I can see how the DEA could lean on the university or even bypass them altogether, they are good at bending the law to their purposes even if they rarely break it outright *publicly* within the borders of the United States. It would concern me in this particular case because academic papers are not read by a huge number of people, the set is usually very small (single digits usually).
I think using a virtual machine to contain LE malware attempts is a good idea. Look at the German government's interception software. Flouted the law completely and got away with it so far as I can tell. If anything, the US government is even more arrogant than the German one, so frankly I would expect them to break the law privately and cover it up later (we had a top secret "informant", it was sabu again, he left the backdoor open, trollolololololol!) if the gain was worth it to them. A small risk of pissed off law professors and zero evidence vs a breakthrough in a darknet drug ecommerce site and a possible promotion for the team, yup, I'd say it'd be worth it to them self interest-wise, since they obey the law at their convenience.
I mean, why do you think most of their intelligence comes from CI sources? Some of it is legit, but the rest comes from playing fast and loose with the law, with the excuse that it's easier to do, and then apologize/be forgiven & taken no higher if caught, than to ask permission and be denied. Not all DEA are rotten, but some of them are *really* rotten. In fact some DEA agents see the law as a pointblank obstacle, not as a standardized 'rules of the game'. Some of these righteous dudes have gone on off the record manhunts with South American militias like they were on a Kenyan Safari. That's no hearsay, I've seen evidence for it myself from people I trust who've been in the game for a long time. Lots of people know this stuff down there but it's impossible to bring to trial in the West. They believe they are Christian Crusaders or something insane like that. Even if the rest of the DEA is working by the rules, this attitude permeates from the top down. They had good people back when they started, but now they're completely compromised. Now their operations span the globe and they spy (not passively either, actually operate against the interests of) on foreign governments for US and their own interests, probably others too given the mindset. You can't research the DEA and come away with a sweet taste in your mouth, they are pure fucking cancer, ten times worse than the corruption in NY state where practically entire departments had to go. A lot of people in the intelligence community would be glad to see them go.
They are not true patriots, they're knuckleheads with a god complex. DEA has got to go, one way or the other. Kmfkewn and Shannon's analysis is much closer to the truth than most civilians, even if I am a relatively peaceable person who acknowledges the effects of soft power and NAP.
I simply CANNOT fucking believe that DPR, or whoever he hires to work on this site, would be so mind-bogglingly, criminally STUPID so as to use an unsalted, broken hash function like MD5 -- ye gods, man! This really makes me wonder... what the fuck else is behind the scenes that we don't know about?
Guru
Hey, I'm on your side, but it's better than plaintext, right?! DPR's a great guy but he's human too, and humans don't lend themselves to improvements when they're being called names. They sit and look at you moodily :) I mean, I too would be happy to see some downtime for bullet proofing reconfiguration projects + updating things like that to SHA2 and then SHA3 when it comes out later in the year. Maybe today is a more frustrating day than most but let's rescue the capslock from oblivion please, it is a gentle soul despite its fierce reputation and doesn't deserve to be battered :)
-
I was told to never download PDFs but I don't know how true that is
-
I was told to never download PDFs but I don't know how true that is
Downloading files isn't the issue, but executing them is because some additional script or macro could be nested along with the file. You need to beware of files like pdfs, word documents and similar. But binaries like photos (JPEG/PNG) or plain text files should be fine. There might be some esoteric exception to that rule, but not as far as I'm aware.
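Pine's point that a PDF can carry scripts, auto-run actions or embedded files can be checked statically before the file ever reaches a viewer. This is an added example in Python, not code from the thread: the sample PDFs are constructed inline and the marker list is my own choice, not an exhaustive one.

```python
import re

# PDF name objects that mark active or embedded content. Finding one does not
# prove the file is malicious, but it is a reason to open it only in an
# unnetworked VM, as recommended above.
RISKY_NAMES = {
    b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch",
    b"/EmbeddedFile", b"/RichMedia", b"/XFA",
}

_NAME_RE = re.compile(rb"/[^\s/<>\[\]()%]+")   # a PDF name token
_HEX_ESC = re.compile(rb"#([0-9A-Fa-f]{2})")   # #xx escape inside a name

def _unescape_name(raw: bytes) -> bytes:
    # PDF allows /J#61vaScript as a spelling of /JavaScript; normalize it so
    # a naive string search cannot be dodged with escapes.
    return _HEX_ESC.sub(lambda m: bytes([int(m.group(1), 16)]), raw)

def triage_pdf(data: bytes) -> dict:
    """Static triage of raw PDF bytes: which risky names appear, and whether
    compressed object streams could hide dictionaries this scan cannot see."""
    names = {_unescape_name(m.group(0)) for m in _NAME_RE.finditer(data)}
    risky = sorted(n.decode("latin-1") for n in names & RISKY_NAMES)
    # With /ObjStm, objects live inside compressed streams, so an empty
    # 'risky' list is not conclusive for such a file.
    return {"risky": risky, "opaque_streams": b"/ObjStm" in names}

# Constructed samples (not real documents).
BENIGN_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R>>endobj\n"
              b"2 0 obj<</Type/Pages/Kids[]/Count 0>>endobj\n"
              b"trailer<</Root 1 0 R>>\n%%EOF")
SUSPECT_PDF = (b"%PDF-1.4\n1 0 obj<</Type/Catalog/Pages 2 0 R/OpenAction 3 0 R>>endobj\n"
               b"3 0 obj<</S/J#61vaScript/JS(app.alert(1))>>endobj\n%%EOF")
PACKED_PDF = (b"%PDF-1.5\n4 0 obj<</Type/ObjStm/N 1/First 5/Filter/FlateDecode>>"
              b"stream\n...\nendstream\nendobj\n%%EOF")

if __name__ == "__main__":
    for label, pdf in (("benign", BENIGN_PDF), ("suspect", SUSPECT_PDF),
                       ("packed", PACKED_PDF)):
        print(label, triage_pdf(pdf))
```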
-
So do you download them and scan them and then wait until you are offline to view them?
-
So do you download them and scan them and then wait until you are offline to view them?
You can do that too, but it's more secure to adopt these techniques:
- have a machine you view downloaded files on, but which cannot be connected to the net (by which I mean you've literally ripped out any bluetooth, wifi or ethernet cards or disabled any integrated cards)
- have a virtual machine set up in such a way that it cannot connect to the net, put your downloaded files onto that and read them from there.
The 2nd option is cheaper and easier. But if you're going up against a serious adversary (definitely not DEA), then you would choose No.1 and also use that machine as a physical airgap. That is, no USB ports, nothing. Instead you'd type everything over. That kind of security would defeat malware like Flame or Stuxnet (The Iranians did have an airgap, but it failed due to human factors like laziness and stupidity as far as we can tell). Happily, the DEA is incapable of building such software, I think they'd get the chop from a bigger smarter animal if they even tried it on.
I suggest the 2nd option. Pine is paranoid, but very much alive.
Oh, and careful of zip files too. Which sucks, because we often need to use them. Also, whenever I provide a zip file uploaded some place I also provide a checksum so you can make sure no 'extras' were added to the file while it was on the server. But you should still virus scan it etc in case my machine or myself is compromised, and open it or execute any files from it on a virtual machine as we said before.
-
You managed to successfully confuse me. I will do some research and sort of understand what you are saying.
Could you transfer PDFs to a non-internet-enabled ebook reader and safely read them then?
-
You managed to successfully confuse me. I will do some research and sort of understand what you are saying.
Could you transfer PDFs to a non-internet-enabled ebook reader and safely read them then?
Sorry about that. I will try to upload a tutorial on 'local security' to take everybody through their paces sometime when I get a chance. I don't rush, I like to do things properly.
Yes, it would be a good idea if you can be sure that the internet is disabled on your ebook reader. Be absolutely sure of that. You can't be sure that turning off whatever ebook downloading facility the Amazon Kindle might have would do the trick. And don't try this on an Apple product, period. Apple is the North Korea of the software world, they think they have the right to surveil everything, it's their culture. It amazes me they get away with things Google would be hammered by. Other than that, using an e-reader could be a good idea if you can either turn off internet access or better yet it doesn't come with that capability in the first place.
-- Best Practices Thought --
It would be a nice idea to find a 'special file' you have made or obtained yourself (from somebody trustworthy!). This is you deliberately trying to infect your machine with a trojan that will send you an email if it has managed to circumvent your security. I haven't even done this myself, but it sounds like a mighty fine idea to me.
Better forewarned than forearmed.
-
So I've been looking for a way to contribute and think the TOR hidden service idea is pretty cool all around, so I think I might do a site where you can send a link to a PDF and I'll go out, grab it, convert it all to harmless PNG screenshots, then just post it to a certain URL on the service site. Then we could link each other the onion address of documents at no risk. (I would do the conversion at first in a private VM for safety but then look for some way to automate it)
Is this something people would use? Or would I be wasting my time?
-
So I've been looking for a way to contribute and think the TOR hidden service idea is pretty cool all around, so I think I might do a site where you can send a link to a PDF and I'll go out, grab it, convert it all to harmless PNG screenshots, then just post it to a certain URL on the service site. Then we could link each other the onion address of documents at no risk. (I would do the conversion at first in a private VM for safety but then look for some way to automate it)
Is this something people would use? Or would I be wasting my time?
Sure, it'd be great, but you can't use any javascript on the site at all. Just a simple submission of a link and a URL to check back on later, with possibly an update when it's finished loading by sending a note to an optional Tormail field provided (just additional idea, simple service is fine). A lot of people in onionland would like such a service, so it would certainly have to be automated unless you just produced a library of particularly important documents in a self selected way (still too much work tbh). Suggest doing the lazier thing and automate it :)
-
Who says they have to tell anyone about the malware? You would be surprised at how many universities will cooperate anyway. They don't want to lose their federal funding (if any), although I doubt sneaking some CIPAV-like malware into that PDF is worth expending that much political pressure. You'd think the SR management team and popular vendors would take simple precautions like not opening compound document files with highly exploitable viewers.