Silk Road forums

Discussion => Security => Topic started by: kmfkewm on September 09, 2012, 08:46 am

Title: The ugly truth about security software
Post by: kmfkewm on September 09, 2012, 08:46 am
The people selling pre-configured virtual machines and OS on USB memory stick packages here have approximately a 99.99% chance of not being qualified to properly secure a system.

Approximately 95% of people who are not properly qualified to secure a system think that they are properly qualified to secure a system.

Approximately 100% of federal police agencies would try to get vendors to use their virtual machines with bugging software in them, it is a real attack vector to worry about

There are already free operating systems that can be installed to USB memory sticks or used in virtual machines, such as tails and liberte. These are much less likely to be backdoored and although they are not professionally hardened they are very likely to be better than anything you get here.

____________________________

If someone wants you to use their bridge or suggests a VPN service to you, they have a 95.51% chance of being a fed

No matter what, if your entry and exit traffic are monitored by the same attacker, you are deanonymized. Adding more hops results in rapidly decreasing anonymity gains. One hop is a tremendous improvement over none. Two hops is a tremendous improvement over one.  Three hops is a significant improvement over two. Four hops is a very slight improvement over three.

People who sell VPNs generally don't have a fucking clue what they are talking about.

A huge number of VPN services keep logs, even if they say they do not.

____________________

Your Anti Virus and Anti Spyware are not good enough to detect viruses or spyware custom made to pwn you.

_____________________

Watch out for sales people. Any jackass with a bit of experience can throw together something and sell it as the best thing since sliced bread. This happens a lot. A lot of them actually believe that they know what they are doing. Don't trust sales people with your security. Don't believe what you are told, research yourself, and please don't research through the resources made available to you by people selling shit.

This is not to say all products that are for sale are insecure or bad. It is simply to say that I want to vomit when I see people selling 'ultra secure virtual machine images!!!' on SR.

Title: Re: The ugly truth about security software
Post by: THUMBSuP. on September 09, 2012, 09:06 am
thanks for this!


+1

answered some questions i've been asking myself lately. :)
last time i tried to learn about a VPN LouisCyphre bashed me into the ground for "not knowing" and asking.


/thumbs
Title: Re: The ugly truth about security software
Post by: kmfkewm on September 09, 2012, 10:50 am
If you use no anonymity solution you still have a chance of remaining anonymous in the sense that your IP address may not be linked to your identity. Law enforcement have limited resources, and in fact are only capable of following up on a fairly small percentage of the IP addresses they have identified engaging in illegal activity. Since ISPs only keep records of who is assigned a certain IP address at a certain time for a certain amount of time, if law enforcement does not get around to following up the lead involving your IP address before the record of who the IP address was assigned to is lost, you can maintain anonymity. However, your ISP is capable of seeing every website you go to (if they look), and every website you go to is capable of seeing your IP address (but possibly not using it to determine your identity). You should certainly not expect to remain anonymous from interested parties with any significant capabilities whilst not using any anonymity solution, but it does happen all the time (generally due to overloaded LE resources, which they generally but not exclusively focus towards higher priority targets).

If you use a single hop anonymity solution the situation greatly improves. The websites you visit now can not immediately determine your IP address but rather see the IP address of the proxy you are using. Likewise, your ISP can no longer trivially determine the websites you are surfing, they (ideally) only see that you are connecting to the proxy. However, the proxy provider can see which websites you are surfing to, and so can its ISP. Also, the proxy may keep logs which can be followed up on. Also anyone monitoring the proxy is capable of getting the same information that the proxy gets.

If you use a double hop anonymity solution the situation improves even more than before. Still your ISP can not see the websites you surf, only that you connect to your entry proxy. Also, the websites you surf still can not determine your IP address, only that someone is using your exit proxy to visit them. Now you also have the additional benefit that the entry proxy does not know which websites you are surfing, only that you connect to your exit proxy. Additionally, the exit proxy does not know who you are, only the websites that you surf. Ideally the ISPs of the entry and exit proxy will be different and will not be able to link your IP address to the websites you surf either. Also, now an attacker starting from the website you surf and trying to trace their way back to you will need to get logs from two proxy servers instead of one, and either of the proxy servers might not be keeping logs or not keeping logs long enough to be of use.

If you use a three hop anonymity solution, the situation improves a bit more. Mostly it is the same as using a two hop solution, however now the entry and exit proxy do not know the identities of each other, only the identity of the middle proxy. Now if the entry proxy is run by the US feds and the exit proxy is run by the German feds, even if they have logs that could be used together to deanonymize you, unless they routinely share intelligence they will not know to get in touch with each other regarding specific packets unless they can learn each other's identities via the middle proxy. Additionally, an attacker starting at the website you surf and trying to trace their way back to you with log files needs to get logs from three different proxy servers that may not be logging and may not keep logs for long. Now the biggest attack that you need to worry about is an end point timing correlation. An attacker who can see packets coming from you and packets arriving at the website you surf can use statistical timing analysis to determine that the packets they see in both locations are 'the same', thus linking you to the website you visit.

Past three the benefits of adding more hops very rapidly decrease. The end point timing attack continues to work regardless of the number of middle nodes. Adding additional nodes only really adds additional protection from an attacker who starts at the website you visit and tries to use log files from each proxy on the path back to you.

So the difference between using no proxy and a single hop proxy is huge, the difference between using a single hop proxy and two proxies is tremendous, the difference between using a two hop proxy and a three hop proxy is significant, and after that the benefit of adding more hops is minimal.
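
The hop-count argument in the post above, worked through as an added example that is not part of the original thread. It assumes a constructed pool of 100 proxies, 20 of which a single attacker logs or watches, and paths of distinct proxies picked uniformly at random; none of these numbers come from the posts.

```python
import random
from fractions import Fraction
from math import comb

POOL = 100   # constructed: proxies available to build a path from
BAD = 20     # constructed: proxies the attacker logs or watches


def exact(hops, pool=POOL, bad=BAD):
    """Exact success odds against a path of `hops` distinct proxies.

    trace:  attacker starts at the website and walks back through log
            files, so every proxy on the path must be one it can read.
    timing: attacker only compares traffic entering the first proxy
            with traffic leaving the last one (end point correlation).
    """
    trace = Fraction(comb(bad, hops), comb(pool, hops))
    if hops == 1:
        timing = Fraction(bad, pool)  # one proxy is both entry and exit
    else:
        timing = Fraction(bad * (bad - 1), pool * (pool - 1))
    return trace, timing


def simulate(hops, trials=20000, pool=POOL, bad=BAD, seed=1):
    """Monte Carlo cross-check of exact(); proxies 0..bad-1 are the bad ones."""
    rng = random.Random(seed)
    trace_hits = timing_hits = 0
    for _ in range(trials):
        path = rng.sample(range(pool), hops)
        flags = [proxy < bad for proxy in path]
        trace_hits += all(flags)                 # logs at every hop
        timing_hits += flags[0] and flags[-1]    # both ends observed
    return trace_hits / trials, timing_hits / trials


def table(max_hops=5):
    """Rows of (hops, exact trace, exact timing, simulated trace, simulated timing)."""
    rows = []
    for hops in range(1, max_hops + 1):
        trace, timing = exact(hops)
        sim_trace, sim_timing = simulate(hops)
        rows.append((hops, float(trace), float(timing), sim_trace, sim_timing))
    return rows


if __name__ == "__main__":
    print("hops  trace(exact)  timing(exact)  trace(sim)  timing(sim)")
    for hops, trace, timing, sim_trace, sim_timing in table():
        print(f"{hops:>4}  {trace:12.5f}  {timing:13.5f}  "
              f"{sim_trace:10.5f}  {sim_timing:11.5f}")
```

In this model the log-tracing column keeps shrinking with every added hop, while the timing column drops once, from one hop to two, and then stays flat no matter how many middle proxies are added.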
Title: Re: The ugly truth about security software
Post by: jameslink2 on September 10, 2012, 02:23 am
Quote
The people selling pre-configured virtual machines and OS on USB memory stick packages here have approximately a 99.99% chance of not being qualified to properly secure a system.

Approximately 95% of people who are not properly qualified to secure a system think that they are properly qualified to secure a system

I can not believe that anyone would even consider buying a pre-configured USB stick on here, or a bootable CD/DVD. There are just too many ways that could be abused. From the feds to someone putting a simple script that steals your bitcoin into it, so every time you use it you lose all or some of your bitcoin.

As to the second line I quoted, Half of the certified "Computer security" people I have worked with were IMO not qualified to secure a system. I can not tell you how many times I have argued with corporate security groups who feel that SSH is not a secure method of communications. I have actually had security "experts" tell me that it is not secure because it does not use SSL.  :o

So, just because they are a security expert or work in a corporate computer security group does not mean they are qualified.
Title: Re: The ugly truth about security software
Post by: pine on September 10, 2012, 02:43 am
^ Agreed with the above.

As Guru has said, perhaps we have not emphasized enough that those people selling USB 'security' solutions on here are not to be trusted. Even if the software is validated as legit when you get it, there could easily be a hardware exploit on the chip, these are very difficult to spot, in fact there is famously a political problem between China and America because neither party is quite sure whether to trust each other's hardware. Cisco and others are distrusted by China, and America doesn't trust Huawei, probably correctly. They have numerous sorting plants for analyzing each other's stuff to ensure in the event of a war that all our comms wouldn't suddenly melt down when somebody in China or America flips a switch. The Europeans are especially naive in this area to be honest, they rely on American intelligence on this stuff way too much, they seem to think it's somebody else's problem because, well, they're retarded. I mean, UK/Germany/France probably know what's up, but I think it's very unlikely most of their satellite states are being proactive about the potential for a catastrophe. Anyway, that's a bit OT :D

Not only do ISPs and VPNs keep logs (often by being incredibly vague or economical with the truth e.g. not storing your info directly, but info about your info), but they also sell this information to 3rd parties. Whether this is even legal is a moot point, the point is that it happens in practice, this is not conspiracyplanet.com here it's practically standard business practice, so watch it.

A: You cannot trust anybody else.
B: There is an exception to (A) that proves the general rule, you can trust yourself.

So, even if you are not the world's greatest security guru (lowercase 'g'!), you don't need to be. You just need to fully understand what it is that you're doing, and take small incremental steps until you understand more and can do more interesting stuff. I sometimes think people get nervous when they see people on the forum talking about hi-tech security concepts, and then maybe they feel the need to shell out $ to some expert to make themselves feel up to date. Don't win a battle and lose the war. In other words, in short:

You cannot outsource your security.

--

More philosophically, we are approaching an era of swarming intelligence, where networks are composed of semi autonomous nodes capable of self determination. The hierarchical structures of organized crime are now obsolete. Today, we are all independent contractors, working in a marketplace. It's going to take quite a while for even ourselves to understand the full implications of this if I'm honest.

LEO will try to categorize us into a "conspiracy" because that's the only thing they know when faced with complex organized crime. But this is not actually a conspiracy, this is a market. We are working for DPR in the same sense a citizen of the world is working for the president of some particular country. There can be many citizens, countries and presidents, but it does not follow that we are all aware of, and being directly told what to do. To categorize SR as a conspiracy, which they almost certainly are thinking of it as, is as stupid as thinking a citizen of the US snorting a line of coke is working for the Colombian cartels. It is connected yes. It is organized, yes. But it is not the same thing.

This is of course difficult for LEO to swallow, since it implies anybody captured or intercepted beyond DPR should not face conspiracy charges. Trouble is that DPR could be literally just one person, and you need >1 person for a conspiracy. So this is somewhat troubling for LE from a legal perspective. Either they adopt somewhat Orwellian approaches (buyers being charged with being part of a criminal network, such that they are responsible for any crimes committed by other members of that network, even if they were unaware of them) or they become much more liberal about online darknet markets. It might stick in their craw, but the second option is preferable to any pragmatist even if they're against decriminalization.

Edit:
http://www.rand.org/pubs/documented_briefings/DB311.html


Title: Re: The ugly truth about security software
Post by: sourman on September 13, 2012, 12:17 am
99% of corporate security people i've spoken to blow and know far less than me (self-taught, no qualifications whatsoever, don't even think highly of myself) so it's not surprising

Ditto.  Doesn't it just kill ya, that these people have JOBS?

Guru

Just had to add my +1 to this.

I have my off days, like today when I failed at PGP, but the corporate IT security folks really are clueless. They forget everything they learned when they got their various certifications (which mean jack shit IRL), and can only speak for whatever application or server they work with. Some do know what they are doing, but there are far more "amateur" hackers out there that know just as much. They just aren't in the position to land a job like that.

Oh, and for fuck's sake don't buy unverifiable software from an anonymous vendor on a drug website that you will then use to do highly illegal business on said site. Come on!

Title: Re: The ugly truth about security software
Post by: a_blackbird on September 13, 2012, 02:21 am
In a (very) modest defense (if you could call it that) of corporate security folks (yes, many of them are clueless, but some of them genuinely have their shit together), one thing I would note is that their threat model is very different from ours.  By far and away, the biggest risk to corporate IT is the internal threat, whether intentional or unintentional.  Most of their thinking goes like this:

Quote
Joe Doofus down in accounting just got fired, what does he have access to?  Jane Fuckstick in the marketing department insists on using her own laptop, and she regularly visits online gambling sites. Holy shitballs, what am I going to do?!

It doesn't take an infosec genius to think about those things.  Add in a CISSP, and boom, you're instantly employable - because odds are, the person hiring you knows even less about the subject area than you do.
Title: Re: The ugly truth about security software
Post by: sourman on September 13, 2012, 12:05 pm
Yup, they are only knowledgeable when it comes to the specific, narrow focus of their jobs. You need to know your shit to pass the CISSPs but they forget it after a few years. Like you said, most of their work entails running around cleaning up after ignorant users that a 12 year old reading security blogs could manage with some enterprise security suite. The rest focus on highly specific applications and/or servers and know fuck all about the rest.

There are a few rock star ITS guys out there who can do anything, but the rest get by due to their organization hiring dozens of them, each with their own specialty. That way, you have a coordinated team with overlapping skills rather than one dude who can lock down an IIS server but forgets to disable booting off removable media on his corporate laptop. Companies that employ the latter tend to be small and thus not much of a target, so it looks like the guy is doing his job when in reality, no one cares enough to attack the place. Kind of like the old "macs never get viruses" bit.
Title: Re: The ugly truth about security software
Post by: pine on September 13, 2012, 03:53 pm
Quote
Kind of like the old "macs never get viruses" bit.

My pet theory is that a Macintosh IS the malware. Malware with a PR masterstroke, pretending to be an entire operating system.
Title: Re: The ugly truth about security software
Post by: formula4downvotes on September 13, 2012, 04:00 pm
Can anyone here provide a guide to building a bootable USB that can handle Tor Browser and a bitcoin wallet?
Title: Re: The ugly truth about security software
Post by: AdmiralSpanky on September 13, 2012, 06:24 pm
Quote
Can anyone here provide a guide to building a bootable USB that can handle Tor Browser and a bitcoin wallet?

Check out Tails or Liberte linux. I've only used Liberte, but it's very-well configured and based upon a hardened version of gentoo. There are probably lots of stickies here and elsewhere on both if you search around.
Title: Re: The ugly truth about security software
Post by: Looker on September 14, 2012, 07:48 pm
Not everyone is capable of understanding how to do most of the 'right' things when it comes to security. That's why these things exist, it's why tails exists, and liberte and a plethora of other distributions in the linux world (blacktrax comes to mind as well).

Claiming 'The people selling pre-configured virtual machines and OS on USB memory stick packages here have approximately a 99.99% chance of not being qualified to properly secure a system. ' is not backed up by any factual data. Not to mention 'If someone wants you to use their bridge or suggests a VPN service to you, they have a 95.51% chance of being a fed' is equally not supported. It's these kinds of wild claims that do nothing but create an unnecessarily high level of fear and paranoia in an already hostile environment.

Where is there any actual verified data that supports this? It's just the same tired old argument and nothing more than spreading of FUD. The fact is products (of various types) exist simply because there is demand, it's really that simple. Could they be malicious? Of course, so can your toaster oven, and this goes without saying for ANYTHING on this site so a healthy amount of skepticism is completely reasonable but some of the posts here go way beyond paranoid (not specifically in this thread, I'm referring to the security forums in general)  to a degree that seems way over the top. Most of my small circle of friends in the technical/security community (mostly people I've worked with in one capacity or another) consider me to be of the 'tin foil hat' and overly paranoid, and I am nowhere near as paranoid as some of the things I see in here. It's really ridiculous at times.

Do you have some kind of personal vendetta against people who are more security capable offering their expertise for a price to those who are not or something? Instead of being hyper-critical of anyone who does, perhaps you should (for once) put your btc where your mouth is and actually provide the community something they can use, perhaps an image or gentoo based distro or even a user friendly torbox type solution. Hell even providing people consulting for btc would be useful (perhaps you do but I've not seen anything listed in the services section like that).

I know I've said this before and suggested the same and in the past 14 months you've not provided it so it's pointless to suggest it but really you just sound like half of the whiny occupy babies who have nothing but complaints and no actual solutions nor offer anything tangible to correct the problem you cry so loudly about.

While I can agree to some extent that outsourcing your security (as pine refers to it) comes with itself some inherent risks, if you take it to an extreme you could go as far as to say that using any security software you didn't write also has risk so the problem isn't whether or not there is risk (there will always be risks to varying degrees) but how much risk you are willing to take and are you (again in a general sense, not YOU specifically) willing to take the chance that perhaps you don't know as well as you think how to properly secure a system.

The same ideal can be applied to a mechanic, you put some trust in them that when they put your wheels back on your car, or install whatever front end part or some such that they do it properly so you don't die in a fiery car crash, that doesn't mean that all of them are not to be trusted.
Title: Re: The ugly truth about security software
Post by: Looker on September 14, 2012, 11:32 pm
I'm sure you do entertain yourself, given the lack of mental acuity I'm sure it's not very difficult.

All I'm driving at is chastising anyone who vends a vm image or distro or whatever (doesn't really matter) does nothing to actually help. Why is it those with such vast expertise are those who don't do what it is they claim to be so capable of and maybe make a few bucks while at it?

I am quite sure there are a metric fuckton of users on here that would happily trade bitcoins for a few hours of assistance in learning how to use things like pgp and other encryption as well as understanding how public key encryption works (surprisingly there are a lot who really don't understand the concept of it) and even help them with locking down the machine they use to access SR, whether some boot from USB linux distro, a VM on the same, or perhaps a physical machine. I know they exist so why not help them instead of just tell them that there is some 90th percentile chance whoever they are dealing with is the big bad fed and scare them off? Wouldn't the community be better off helping those people than trying to make them believe unless they hide in a warehouse in a faraday cage that they're doomed?
Title: Re: The ugly truth about security software
Post by: Errl_Kushman on September 15, 2012, 12:25 am
99% of corporate security people i've spoken to blow and know far less than me (self-taught, no qualifications whatsoever, don't even think highly of myself) so it's not surprising

Ditto.  Doesn't it just kill ya, that these people have JOBS?

Guru

Yes! And I certainly don't consider myself an expert by any means! The heads of IT that I know have trouble understanding the difference between an application and a platform. I'm sure they make well over 150k a year too.
Title: Re: The ugly truth about security software
Post by: raveryote on January 11, 2013, 01:21 am
^ Agreed with the above.

As Guru has said, perhaps we have not emphasized enough that those people selling USB 'security' solutions on here are not to be trusted.

Protip: hire a security expert from elsewhere if you insist on outsourcing one's security.

Good places to hire freelancers include http://gun.io/ and http://vworker.com/ though there are many others.

Even if the software is validated as legit when you get it, there could easily be a hardware exploit on the chip, these are very difficult to spot, in fact there is famously a political problem between China and America because neither party is quite sure whether to trust each other's hardware.

This is true. There was a huge debate about this earlier this decade.

A: You cannot trust anybody else.
B: There is an exception to (A) that proves the general rule, you can trust yourself.

People here need to constantly remember: this is a black market! The Volkspolizei of every nation wants our blood for if no other reason, then purely due to tax resistance.

This is a huge and continually growing market where millions of dollars worth of bitcoin changes hands regularly.

Do any of you pay taxes in bitcoin? No. That's termed "Tax Evasion / Tax Fraud" by the people's police of any given nation.

Do be aware of this. Anyone could be an undercover cop. Only you know if you are or not.

For your amusement: https://en.wikipedia.org/wiki/Volkspolizei

You cannot outsource your security.

LEO will try to categorize us into a "conspiracy" because that's the only thing they know when faced with complex organized crime. But this is not actually a conspiracy, this is a market. [...] It is connected yes. It is organized, yes. But it is not the same thing.

They will justify it in their own minds as "It's the Law!" but in the end, they'll do whatever they can to tear SR down because it's a threat to the feds of every industrialized nation.

It's a threat to their dominion and control, and a threat to their revenue, which they must  now realize is not theirs by right.

Government employees, especially LEOs, they often behave as though their incomes and jobs are justified, but that is a conceit.

Nearly all governments are entirely illegitimate in any reasonable sense of legitimacy.

Bitcoin and Tor when combined offer complete and total tax resistance in a form that is trivial to use.

If you can sustain enough of an income in BTC to ensure that you can always maintain the vast majority of your wealth in BTC, only selling off what you need for basic utilities and necessities such as food, the government you live under will slowly starve for the funds required to pay LEOs to stomp around and menace people.

I will laugh so hard when every major industrialized nation's government all declare bankruptcy at the same time.

Edit:
http://www.rand.org/pubs/documented_briefings/DB311.html