Silk Road forums
Discussion => Silk Road discussion => Topic started by: rupertcollins on January 02, 2012, 02:46 pm
-
Despite being totally, 100% brand new to SR, I hope to be a happy member of the SR family, and witness the continued evolution and survival of this wonderful thing you guys have working here.
However, I can't seem to get this perplexing question out of the back of my mind. How is this place still alive? Is it fairly new? How are the world's super powered corporate machines, with their fancy quantum computing power, not cracking down on SR?
It was shockingly easy for myself to wander onto here, I can't imagine that the FBI or CIA, or DEA for that matter, don't know about this place. Do they simply not care?
-
Do they simply not care?
Au contraire, Mr. Collins.
It is simply that we do not care for their rules.
The state is only able to enforce their rules through violence.
But they can't arrest technology, they can't lock up the mathematical secrets of encryption, and they cannot seize the headquarters of an ephemeral website than can be re-hosted 1/2 way around the world at the click of a mouse.
Man, I bet that pisses them off.
-
SR survive and its good place for biz.
FBI and DEA is US agencies and this is global site, pretty safe or better say, safe as can be.
We are pretty small drop in the sea and many of their action relie on public sensibility.
When SR were news then senators screamed how they will shut down SR but as we can see. nothing happened.
-
The site is still up because the government agencies that have the power to take it down have not allocated the resources needed to take the website down. Without a doubt this website would be taken down if it was a top priority.
-
It's only a matter of time before someone, DEA or whoever, puts an effort into shutting SR down. Hopefully we'll have a long happy life of trading drugs until that happens but it will happen eventually.
-
Haha to put it simply, they can't
I remember reading something I found funny, a certain US senator read about SR in some article and "ordered" the DEA to "take it down immediately" I love this hahaha just shows how truly ignorant and small minded these old men are.
This is the revolution my brothers, even if this got ripped down, we all know well enough by now, we've all made enough connections and dealt with the vendors to know a new one, under a new new or new url would pop up again in no time
-
I doubt the DEA will shut this website down. The DEA isn't exactly the brightest law enforcement agency and shutting this website down would require alot of technical skill. The DEA does not have the capabilities to shut down SR they are a bunch of corrupt drug using cops that arrest other people for the same stuff that their agents do daily. It is much more likely that if any US law enforcement agency shuts this website down that it would be the FBI. The FBI is the ONLY US law enforcement agency that might care about shutting this website down AND has the skilled people that it would take to shut this place down along with the money and resources.
As for the DEA, mainly what they do is suck on dick. The FBI though is scary because they are professional cops.
-
ANY government agency can hire people to do this for them. Companies like Lockheed Martin, BAE Systems, TASC, Raytheon etc get contracts from them all the time. The Feds know they are too dumb to do it, but they will eventually find someone to do it for them. Hell, maybe sumyungai or someone lol. Money talks.
-
How can they shut it down if the servers aren't in the US? They don't have jurisdiction. Unless they bribe the country to shut it down, I don't see it happening. Of course he could just move the servers to another location that really dislikes the US like Pakistan and they will tell Washington to kiss their ass.
Fear and terror will be their weapon to take SR down just like the war on drugs. They'll bust a bunch of buyers and sellers one day and post it on all the news networks to scare people away. There are lots of 3 letter government agencies that have the capability to take SR down. It's just a matter of money and priorities.
-
Even better, there is no known technical solution to determine where a TOR-hosted site actually physically gets hosted from.
-
I think that the DEA does care about this site, all of the publicity around SR and the fact that its still up just points to the inadequacy of the alphabet soup of government agencies
-
Do they simply not care?
But they can't arrest technology, they can't lock up the mathematical secrets of encryption, and they cannot seize the headquarters of an ephemeral website than can be re-hosted 1/2 way around the world at the click of a mouse.
Man, I bet that pisses them off.
They could by pass Tor and steal your encryption keys with application layer exploits after identifying a vulnerability in the code of firefox though. They also could trace silk road with traffic analysis, Tor is pretty over rated in its ability to keep a hidden service anonymous, although it is much better for clients.
-
I doubt the DEA will shut this website down. The DEA isn't exactly the brightest law enforcement agency and shutting this website down would require alot of technical skill. The DEA does not have the capabilities to shut down SR they are a bunch of corrupt drug using cops that arrest other people for the same stuff that their agents do daily. It is much more likely that if any US law enforcement agency shuts this website down that it would be the FBI. The FBI is the ONLY US law enforcement agency that might care about shutting this website down AND has the skilled people that it would take to shut this place down along with the money and resources.
As for the DEA, mainly what they do is suck on dick. The FBI though is scary because they are professional cops.
ICE is also worrying. Professional cops don't have technical skills usually. Also, by definition all dea agents are professional cops. So are all other cops. FBI are scary because they have computer people and many of them have intelligence training as well.
-
Even better, there is no known technical solution to determine where a TOR-hosted site actually physically gets hosted from.
New rule: if you say something as a certainty and it turns out to be complete bullshit, you get a 'I can't be trusted at all' title under your name. You get that title, please refrain from flapping your lips about things you know absolutely nothing about because your misinformation is dangerous. There are MANY 'technical solutions' for tracing Tor hidden services, here is a small selection:
http://freehaven.net/anonbib/cache/hs-attack06.pdf
http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf
http://www.cl.cam.ac.uk/~sjm217/papers/usenix08clockskew.pdf
you can find papers on a few dozen other methods of tracing Tor hidden services here:
http://freehaven.net/anonbib/date.html
and of course almost all of these papers are on pure traffic analysis / signals intelligence attacks, let's not forget that application layer attacks being used to by pass Tor are often the best solution for deanonymize Tor using targets....and last I checked these are technical solutions.
Thanks for wasting your time talking out of your asshole though.
-
My opinion is it doesn't matter who you are, if the feds have a hard on for you they will get you. The secret is to stay out of their way. "out of site, out of mind". That's the key to success.
-
The key to success is actually to use security measures that your adversary can not realistically defeat. This used to be easy enough but the surveillance technologies of tomorrow are going to neutralize the privacy software of today, and tomorrow is coming extremely fast.
-
the surveillance technologies of tomorrow are going to neutralize the privacy software of today, and tomorrow is coming extremely fast.
But the privacy software of tomorrow is going to be immune to the surveillance technologies of tomorrow as well - until the surveillance technologies of after-tomorrow neutralize them, and so on and so forth. It's an arms race, by every definition. The trick is to stay ahead of the curve.
-
On that cheerful note...
I'm sure you have something - random key entry person - you certainly seem to know your stuff. But I also guess it's down to how badly they feel a need to 'shut it down'. Or perhaps more importantly, if they can afford the time and financial cost in the knowledge that another site will pop up somewhere anyway. Let's face it, there are an increasing number of ways to source drugs online now.
But aside from a PR coup, shutting this place down (and others) achieves nothing. The traffic here - in the grand scheme of the world drugs trade - is worthless.
I'm pretty sure that SR's life is sadly limited, but maybe it's worth their while to keep it up for a while longer so they can have a good old snoop.
But I don't buy your last point. The surveillance and privacy wars have been going on since we climbed down from the trees. I doubt one side will win anytime soon.
-
I hope SR stays up for a long time. But I wonder how much longer we have? I have been looking on the internet and I couldnt find anything that had to do with SR and LE except for the initial request from the senators to shut it down.
-
I think if cops want to shut down SR it is not that hard to do. Get rid of btc and SR is dead. I believe cops using SR to do their cases
Did they catch any SR sellers? who knows? Its doable also. Its probably just matter of time
-
http://freehaven.net/anonbib/cache/hs-attack06.pdf
http://www.cl.cam.ac.uk/~sjm217/papers/ccs06hotornot.pdf
http://www.cl.cam.ac.uk/~sjm217/papers/usenix08clockskew.pdf
you can find papers on a few dozen other methods of tracing Tor hidden services here:
http://freehaven.net/anonbib/date.html
and of course almost all of these papers are on pure traffic analysis / signals intelligence attacks, let's not forget that application layer attacks being used to by pass Tor are often the best solution for deanonymize Tor using targets....and last I checked these are technical solutions.
Thanks for wasting your time talking out of your asshole though.
Well, you get the "flaming douchenozzle of the day" award.
I'm not convinced of the viability of any of those approaches, and yes I've read them, and many others. Shout when you find a paper published sometime recently with something new in it.
I'm not going to try to convince you, because clearly you're one of those people who makes large unsupported assumptions to puff up your own ego.
Rather than try to convince you that something is secure, because clearly that is a futile point to be made (nothing is "secure"...which is why I used the phrase "no KNOWN technical solution"), I'll instead appeal to a more common sense argument, one that can be followed by people who aren't sure what to make of your blustery hand waving and quick use of google to find research papers from half a decade ago that detail theoretical approaches which can be mitigated and are of questionable use in the first place.
Put simply: If they could crack Tor, who would they go after? The terrorists, the child pornographers, or the drug traffickers?
That, of course, proves nothing. But linking to a bunch of PDFs you found with google doesn't do much more.
-
Put simply:
If hidden sites were traceable, there are several dozen that would have been shut down years ago.
That doesn't mean TOR is secure. It does, however, support my original statement that there are "no known technical solutions for tracing TOR hosted sites".
-
I'm more worried about customs improving their technology to detect drugs in the mail then sites like SR going down...
-
Get rid of btc and SR is dead.
True... But SR is a LOT easier to destroy than the whole Bitcoin economy.
-
Well, you get the "flaming douchenozzle of the day" award.
Funny I also got the "knows about security" prize, and the "provides links to academia for citations" award, you got the talk out of your asshole award for flapping your lips about shit you know absolutely nothing about
I'm not convinced of the viability of any of those approaches, and yes I've read them, and many others. Shout when you find a paper published sometime recently with something new in it.
Well who gives a fuck what you think you are not a SIGINT specialist you are not a MASINT specialist you are not a hacker, the people who wrote those papers have PH.ds in many cases you have your opinion which doesn't mean shit write a paper and get it peer reviewed if you think Tor can resist the theoretical attacks against it and we already know it is weak to many of the documented attacks against it because they have been run on network simulators or in some cases even live on the network.
I'm not going to try to convince you, because clearly you're one of those people who makes large unsupported assumptions to puff up your own ego.
You aren't going to try to convince me because you have absolutely no facts to back up your complete and utter bullshit claim, I gave cites to academic papers on traffic analysis in my post, you gave a pile of shit that you barfed up out of your mouth, if you don't know what you are talking about instead of trying to say something to seem like you are educated on the matter or helpful, shut the fuck up instead lest we turn this forum into a pile of stinking shit instead of a high quality resource with factual information available and easy to filter out of the shit
Rather than try to convince you that something is secure, because clearly that is a futile point to be made (nothing is "secure"...which is why I used the phrase "no KNOWN technical solution"), I'll instead appeal to a more common sense argument, one that can be followed by people who aren't sure what to make of your blustery hand waving and quick use of google to find research papers from half a decade ago that detail theoretical approaches which can be mitigated and are of questionable use in the first place.
Tor does have KNOWN technical solutions for tracing it, just because you don't know them doesn't mean they don't exist you know, I know of several, I gave you links to several I gave you a link to a website with over a dozen, you don't know a fucking thing about what you are talking about and you ignore the evidence I linked to you so go fuck yourself and stop wasting my time please. Quick use of google no I actually have been reading papers from freehaven for the past six years over which time I tought myself computer security and traffic analysis to a professional level, but no I am not as good as the people in the papers I linked to although I certainly put you to shame.
None of the things I linked to have been mitigated, the most serious traffic analysis attack against hidden services was partially mitigated but it only changed tor hidden services on the live network from being traceable in 24 hours by researchers to three nodes each one hop away from the hidden service being traceable theoretically (not live afaik, it hasnt happened yet) in the same time frame. Show a paper showing how tor mitigated these issues or the age of these articles makes no sense. The earth being round was discovered a long time ago do you think it went flat because you haven't seen any breaking academic research regarding it?
Put simply: If they could crack Tor, who would they go after? The terrorists, the child pornographers, or the drug traffickers?
How is this what you said put simply? this is completely unrelated to what you said. If "they" could trace tor they would go after the drug traffickers the child pornographers and the terrorists simultaneously dumbfuck. Guess what, child porn people say the same shit about drug traffickers carders say the same shit about drug traffickers drug traffickers say about carders and child porn people fuck osama bin laden probably thought the nsa was to busy with SR to go after him judging by my experiences with every single other type of criminal, don't fall into this PSYOP cognitive trap...btw your cognitive trap has been identified and labeled in the field of intelligence analysis its called mirror imaging and it means the person who interprets intelligence thinks that his adversary thinks as he does and interprets the intelligence through his eyes instead of his adversaries...you think you are not a target but you are THE target of the DEA not a pedophile
That, of course, proves nothing. But linking to a bunch of PDFs you found with google doesn't do much more.
No I quickly found those pdfs without google because I am extremely well versed in security and particularly traffic analysis and I actually know more about the Tor network than almost anyone else in the world who knows anything about Tor and doesn't work for a signals intelligence agency or do post-grad work in a traffic analysis research group. If PH.d research papers don't prove much about the topics they are written on then obviously you are a fucking retard.
Put simply:
If hidden sites were traceable, there are several dozen that would have been shut down years ago.
That doesn't mean TOR is secure. It does, however, support my original statement that there are "no known technical solutions for tracing TOR hosted sites".
I never said law enforcement can trace tor hidden services right now, just that some people can with varying degrees of ease. Law enforcement are way behind the bell curve when it comes to security and intelligence but guess what they are catching up fast and you shouldnt count on a network with known anonymity vulnerabilities against its hidden services to keep a hidden server anonymous plain and simple. Even Roger dingledine said Tor hidden services are fucked in the #tor IRC room, did you even know #tor had an IRC room? His name is Arma there and he is the lead Tor dev, I suggest you ask him if he thinks there are no known traceability attacks against hidden services but you probably already know better than he does
-
Seriously I am sorry to focus my anger at you but I am *so* sick of people who make factual statements about things they have absolutely no clue about and when they try to justify their totally incorrect position it makes me even more irritated, especially when they shrug off links to papers from field leading experts and instead think their own completely wrong opinions are right
-
Sorry for the epic triple post but here is a link to an article about how the feds traced a few tor hidden services with application layer exploits. There are roughly infinite potential application layer exploits that could be used to trace a Tor hidden service, but even if you don't count that class of attack there are plenty in the field of signals intelligence (and at least two in the MASINT field).
Is late 2011 recent enough for you?
https://www.tmcnet.com/usubmit/-dutch-police-trace-hidden-child-porn-websites-/2011/08/31/5743979.htm
-
Wall of fucking text tldr? 8)
-
Your sense of 'too long' will be redefined when you are in jail because you didn't have enough time to learn basic computer security
-
Your sense of 'too long' will be redefined when you are in jail because you didn't have enough time to learn basic computer security
And not a single fuck will be given ;)
-
Chill bro, u mad as hell.
All that name-calling was uncalled for. Let's be civil, shall we?
-
Sorry for the epic triple post but here is a link to an article about how the feds traced a few tor hidden services with application layer exploits. There are roughly infinite potential application layer exploits that could be used to trace a Tor hidden service, but even if you don't count that class of attack there are plenty in the field of signals intelligence (and at least two in the MASINT field).
Is late 2011 recent enough for you?
https://www.tmcnet.com/usubmit/-dutch-police-trace-hidden-child-porn-websites-/2011/08/31/5743979.htm
That's a rather disingenuous example to use.
In that example, they used an apache exploit to gain root access to a VM. So they 'destroyed' thousands of images by deleting them and pwning the server. But being in a VM, even then they couldn't get the physical location of the hidden service and the hardware it was running on. Rooting a VM won't get you its location.
-
I wish I knew half of what you do kmf...but you do have anger issues my friend :)
-
You give us a whole spiel about how tor isn't secure then link us to an apache exploit as an example ::) (btw, didn't freedom hosting handle all of that pretty well, and arn't those child porn websites up and running again? The best anonymous could do was grab the mysql database and determine the server was somewhere in the USA.(http://pastebin.com/88Lzs1XR)(anon isn't the best example but a quick one to procure and they arnt amazing hackers but there was some skill involved with their attacks)
What you are telling us is that tor hidden services are 'fucked' and can be tracked, but only you and a few other people know how.
Now I'm not saying TOR hidden services are perfect, but they do seem to be holding up atm, and while silkroad may be the sole target of the DEA, all the child porn sites, the 'terrorist' sites, and other illegals are targets of other organizations, and they are still running. So until we start seeing other hidden services get de-anonymized we shouldnt have reason to believe that SR is in imminent danger/compromised.
By the way, calling other people names, being condescending, and tooting your own horn is not a good way to convince people of anything.
-
That said, Silkroad does seem to be the biggest hidden service and the biggest target right now. It would generate tons of PR for taking it down and more interest in sites like these from the wrong people.
Also I am not trying to discredit kmfkewm, he has some good points, just trying to get some discussion going.
-
That's a rather disingenuous example to use.
It is an example of a technical solution for tracing a hidden service isn't it? Application layer exploits are one of the main technical solutions for tracing Tor hidden services. Also, if you remember, I also gave links to three papers, one of which explains traffic analysis based attacks for deanonymizing Tor hidden services, two of which explain measurement and signals intelligence attacks for deanonymizing Tor hidden services, and I also gave a link to freehaven which has over a dozen papers discussing technical solutions for tracing hidden services from a variety of security disciplines. So I think my *abundance* of cited examples showing that there are various methods from various fields which can be used for tracing Tor hidden services is adequate. Seriously what the fuck else do you want to be convinced, I never could understand people that ignore abundances of evidence dumped in front of them or how I can convince them to change their mind about subjects if not by an abundance of documented research from world experts.
In that example, they used an apache exploit to gain root access to a VM. So they 'destroyed' thousands of images by deleting them and pwning the server. But being in a VM, even then they couldn't get the physical location of the hidden service and the hardware it was running on. Rooting a VM won't get you its location.
No in this case the hidden services were not being run isolated in virtual machines, the servers were fully deanonymized and located in the united states. This is not the freedom hosting case, isolation protected them from deanonymization when they had virtual machines rooted. Anyway being in a VM in itself offers zero additional protection from application layer traces, you need to have network facing applications isolated in virtual machines away from external IP address and away from Tor. Also I was the first person to introduce this technique to the scene so please spare your breath trying to explain things to me that you indirectly learned from me anyway.
I wish I knew half of what you do kmf...but you do have anger issues my friend :)
Maybe. I certainly have issues with people spouting off a bunch of bullshit acting like they are experts about things they know nothing about. I also have serious issues when these same people ignore all evidence. These are dangerous people who will lull noobs into a false sense of security, people like this put others lives in serious danger and it pisses me off.
You give us a whole spiel about how tor isn't secure then link us to an apache exploit as an example ::) (btw, didn't freedom hosting handle all of that pretty well, and arn't those child porn websites up and running again? The best anonymous could do was grab the mysql database and determine the server was somewhere in the USA.(http://pastebin.com/88Lzs1XR)(anon isn't the best example but a quick one to procure and they arnt amazing hackers but there was some skill involved with their attacks)
Again, I gave reference to ways hidden services can be tracked with hacking, signals intelligence / traffic analysis and measurement and signature intelligence attacks. I also gave a link to freehaven, which documents many more technical solutions. Nobody specified that the technical solutions for tracing hidden services had to be from any particular field, but I think selecting attacks from three fields, including two which have been carried out on the live Tor network and resulted in deanonymized hidden services, is more than adequate to support my claim that hidden services can be traced with known technical solutions. The police in the mentioned story were not related to anonymous and the hidden services that they deanonymized on the application layer were not hosted by freedom hosting, although similar attacks were done against freedom hosting isolation saved them from being traced.
What you are telling us is that tor hidden services are 'fucked' and can be tracked, but only you and a few other people know how.
Anyone with the time to read through some of the documents on freehaven, who has a basic knowledge of networking and can program, can do many of these attacks against hidden services.
Now I'm not saying TOR hidden services are perfect, but they do seem to be holding up atm, and while silkroad may be the sole target of the DEA, all the child porn sites, the 'terrorist' sites, and other illegals are targets of other organizations, and they are still running. So until we start seeing other hidden services get de-anonymized we shouldnt have reason to believe that SR is in imminent danger/compromised.
If real terrorists used Tor they would be traced by the NSA in a matter of seconds. NSA can break though many layers of isolation and are not stopped by systems like ASLR, they also stockpile very sophisticated exploits and have teams that constantly analyze software looking for vulnerabilities. SR and all Tor hidden services are in imminent danger of having their servers deanonymized, they just don't currently have any competent attackers. DEA doesn't have any Tor experts working for them.
By the way, calling other people names, being condescending, and tooting your own horn is not a good way to convince people of anything.
This is true, although the people I care about will ignore the way I talk and instead be convinced by the huge amount of research papers I have linked to.
Here is the worst traffic analysis attack against tor hidden services:
The attacker adds some nodes to the Tor network, this is called a Sybil attack. Now, the attacker uses a malicious client to open an arbitrary number of connections to the target hidden service. A hidden service opens a new circuit for every connection request, so the client can force the hidden service to open an arbitrary number of new circuits. Now the attacker can send data modulated in a specific pattern to the hidden service, and scan all of the data passing through their sybil nodes looking for that pattern in interpacket arrivial times. Before Tor had entry guards this attack was carried out live against the tor network and it resulted in research hidden services being traced in time periods ranging from 24 hours to one week, exact time required depended on a number of variables. Tor attempted to mitigate this attack by introducing entry guards, three nodes through which a Tor client enters all of its traffic into the network. The theory was that unless the attacker owned one of the entry guards, they would never be in an active position to observe the interpacket arrival pattern reaching the hidden service. However, it is inherently obvious that now this attack will result in the deanonymization of three nodes each one hop away from the server in a matter of time ranging from approx 24 hours to one week (maybe a little longer now the network is bigger than when this attack was carried out). After identification of these servers, the compromise of any of them will allow the attacker to identify the hidden services IP address. This compromise can be legal, technical, etc, probably le will use a trap and trace pen register order and get the ip of hidden service in 24 hours if any of the entry guards are in USA, otherwise it will take a little bit longer for international cooperation but international cooperation will come fairly fast no matter where the entry guards are located. Even if the node owner doesnt participate in the attack, somewhere upsteam will for sure and they will do a passive attack.
That is one of many traffic analysis attacks directly against Tor hidden services. I will explain a few more pure signals intelligence attacks if people are interested.
-
Also I was the first person to introduce this technique to the scene so please spare your breath trying to explain things to me that you indirectly learned from me anyway.
See, this is the kind of thing that makes rational people not take you seriously. Rational people don't care about the messenger, they care about the message. Two plus two is still four, even if a two-year-old who doesn't know his numbers is saying it, and Jesus never mentioned McDonald's in the Gospel of John, even if the Pope says he did. Nobody here cares what you introduced where - except your own head up your ass, apparently - so please don't mention it.
-
Also I was the first person to introduce this technique to the scene so please spare your breath trying to explain things to me that you indirectly learned from me anyway.
See, this is the kind of thing that makes rational people not take you seriously. Rational people don't care about the messenger, they care about the message. Two plus two is still four, even if a two-year-old who doesn't know his numbers is saying it, and Jesus never mentioned McDonald's in the Gospel of John, even if the Pope says he did. Nobody here cares what you introduced where - except your own head up your ass, apparently - so please don't mention it.
Rational people take me seriously because I provide cites with my claims and explain things in detail, rational people don't take the other poster seriously because he said a bunch of bullshit that was quickly proven wrong, and then instead of show a single citation backing up his feelings he said he thinks papers from world professionals are wrong and his completely uneducated opinion should still be taken seriously. He also accused me of simply googling for papers and acted like he is an expert and I know nothing about what I talk of, and I don't have the patience to force myself to be nice to cocky retards. Be cocky all you want if you actually have anything intelligent to say but if you are going to make shit up and act like an expert when you don't know shit at all don't expect me to be nice to you.
Rational people care about the substance of the message, the way the message is delivered may tell them a thing or two about the messenger but it doesn't influence the content of the message. Irrational people ignore the angry person who backs up his claims with citations and years of experience in favor of the somewhat more friendly sounding person who is spewing a bunch of bullshit from his mouth.
As far as virtualization being used for isolation, no it doesn't matter who introduced it, but when someone is going to argue with me that I am giving a bad example
That's a rather disingenuous example to use.
when my example was of a technical solution for tracing tor hidden services, which the other poster claims do not exist
and then they continue to explain that in addition to using a bad example, I am actually WRONG about the trace taking place
In that example, they used an apache exploit to gain root access to a VM. So they 'destroyed' thousands of images by deleting them and pwning the server. But being in a VM, even then they couldn't get the physical location of the hidden service and the hardware it was running on.
But being in a VM, even then they couldn't get the physical location of the hidden service and the hardware it was running on Rooting a VM won't get you its location.
And then they continue to give a technically incorrect explanation of the security benefits of virtualization, which they know about because I explained them in a technically correct way in the first place
I may let them know that they are wasting their breath
-
Ooh I like technical details.
Even though I'll probably be:
http://i.qkme.me/353xnp.jpg
-
kmfkewm, you are a jack ass and you ruined this whole thread. I wish this was clear net because I woulda been snatched your IP and crashed your system so I didn't have to deal with your dumb ass in the Silk Road community. I am usually against malicious hacking but concerning you, I don't feel like you should have the privilege of using the internet. You use the internet to spread your dumb ass ideas. Each person that reads your posts is in danger of trying to think on your level. A very low level that none should aspire to be on.
You are a moron and I hope that you use the same user name on any of the clearnet sites I scour. I hope that I can get some kind of information about you that I can use to take out your system.
-
kmfkewm, you are a jack ass and you ruined this whole thread. I wish this was clear net because I woulda been snatched your IP and crashed your system so I didn't have to deal with your dumb ass in the Silk Road community. I am usually against malicious hacking but concerning you, I don't feel like you should have the privilege of using the internet. You use the internet to spread your dumb ass ideas. Each person that reads your posts is in danger of trying to think on your level. A very low level that none should aspire to be on.
You are a moron and I hope that you use the same user name on any of the clearnet sites I scour. I hope that I can get some kind of information about you that I can use to take out your system.
Winnuke comin.
You ever thought of becoming a comedian Kali Kross? You are hilarious. I almost choked on my food.
But if you were being serious then you should probably check your own level cause it is pretty damn stupid.
Apologies in advance for using the internet to spread my ideas.
-
kmfkewm, you are a jack ass and you ruined this whole thread. I wish this was clear net because I woulda been snatched your IP and crashed your system so I didn't have to deal with your dumb ass in the Silk Road community. I am usually against malicious hacking but concerning you, I don't feel like you should have the privilege of using the internet. You use the internet to spread your dumb ass ideas. Each person that reads your posts is in danger of trying to think on your level. A very low level that none should aspire to be on.
You are a moron and I hope that you use the same user name on any of the clearnet sites I scour. I hope that I can get some kind of information about you that I can use to take out your system.
Watch out, we've got a tough guy here.
-
kmfkewm, you are a jack ass and you ruined this whole thread. I wish this was clear net because I woulda been snatched your IP and crashed your system so I didn't have to deal with your dumb ass in the Silk Road community. I am usually against malicious hacking but concerning you, I don't feel like you should have the privilege of using the internet. You use the internet to spread your dumb ass ideas. Each person that reads your posts is in danger of trying to think on your level. A very low level that none should aspire to be on.
You are a moron and I hope that you use the same user name on any of the clearnet sites I scour. I hope that I can get some kind of information about you that I can use to take out your system.
watch out kmfkewm, he can backtrace you!!!
-
Sorry I just thought this was an underground security subforum not yahoo answers. When people on underground security subforums say retarded shit they get called on it lest their misinformation enter the propagation cycle. Misinformation is dangerous. If people think hidden services are very anonymous they might do retarded things like use TorChat or the message system on Liberte Live and get themselves traced. In reality it is much easier to trace hidden services than regular Tor clients, and there are numerous ways in which it could be done by a significantly motivated and powerful attacker. Tor resists law enforcement well for clients, and fairly well for servers, but it does have known limitations and those limitations are very likely to be more significant than the average Tor user is aware of, particularly for hidden servers.
edit: oh it actually isn't the security subforum
-
On that cheerful note...
I'm sure you have something - random key entry person - you certainly seem to know your stuff. But I also guess it's down to how badly they feel a need to 'shut it down'. Or perhaps more importantly, if they can afford the time and financial cost in the knowledge that another site will pop up somewhere anyway. Let's face it, there are an increasing number of ways to source drugs online now.
But aside from a PR coup, shutting this place down (and others) achieves nothing. The traffic here - in the grand scheme of the world drugs trade - is worthless.
I'm pretty sure that SR's life is sadly limited, but maybe it's worth their while to keep it up for a while longer so they can have a good old snoop.
But I don't buy your last point. The surveillance and privacy wars have been going on since we climbed down from the trees. I doubt one side will win anytime soon.
i never claimed they would trace SR even if they could. They will use it for a human intelligence honeypot long before that. They might never even take the thing down even if they took control of the server. Human intelligence is by far the most worrying thing. Nym sybil attacks are cheap to do on silk road and there is no trust rank system or connection to private groups to prevent someone from flooding nyms. Charging for seller accounts adds somewhat of a limitation to the size of their flood, but they do have a lot of money. Selling accounts is actually a great security measure on SR's part, although if it isnt a flat rate price it should be im not sure if it is currently auctioned off but an auction can be gamed easier by a malicious SR to tilt human intelligence nodes towards the feds. I actually have some good cryptographic solutions for a secure membership recruitment system that attempts to maintain anonymity while verifying presence in a community prior to a certain date (assuming that at some point in time feds will begin massively nym flooding public internet drug discussion forums with nyms to poison the 'probably not a fed' recruitment well)
interception is also always a worry even if you are sound on the human intelligence front, but we were working on developing a technical solution to this based on measurement and signature intelligence themes, check out the interception detection thread in security subforum here if you are interested in the technical details
and of course the privacy wars will go on forever, but all it takes is for their surveillance technology to beat your security implementation a single time before you are fucked, so i dont care if privacy gets ahead sometime in the future if the currently available privacy software wont keep my ass out of prison today
it really is only a matter of time before the feds do a massive technical bust of some sort against people using techniques that were considered to be secure very recently.
-
We are all so lucky that kmfkewm came along to bless us with his knowledge..........Its like dam how the fuck did we ever survive without him
-
We are all so lucky that kmfkewm came along to bless us with his knowledge..........Its like dam how the fuck did we ever survive without him
It would be in your best interest to take what kmfkewm says seriously. Read through his post history and it's clear he has a deep technical understanding of security and is not just speculating. Or ignore him, whatever works for you.
-
I feel like SR will be shut down before the end of the year. But the good thing is there are alot of other sites like this one.
-
they will shut it down soon......lets hope its not to soon
-
Hey, kmfkewm. Even though it's pretty clear that you're a Genius God from the Planet Expert sent from the future to help us with your knowledge and all that, it wouldn't hurt to be a bit more polite. Would it?
We can all tell that you're pretty savvy in computer engineering, but there's another type of engineering - "social engineering" - that teaches us that people respond better to lessons when they don't feel like the teacher is trying to pull out their eyes and skullfuck them.
Just sayin'.
-
The only people bad-mouthing kmfkewm's comments are immature and probably teenagers. It is quite obvious by the way they reply. These are the same people who say 'fuck my teacher' in school and don't pay attention. You are doomed to be retarded for the rest of your life so do society a favor and just blow your brains out and increase the IQ of the overall population.
That said yes sometimes he gets a little hot in his replies, but I don't blame him as you can see this has gotten me a little hot (no need to acknowledge my sexiness). He is right about people spreading dangerous misinformation. You realize that most academic institutions won't even allow Wikipedia as a cited source, because of the fact anyone can edit it. Wikipedia is correct 99% of the time. Now think about that and then think about the people that frequent this forum. Always be skeptical of what you believe on these forums and if someone seems intelligent and a security expert, then they probably are. If someone seems like a teenager who figured out how to install the tor browser bundle, they probably are.
-
Envious i read your post and all I could was about that butt tattoo you have. :P
nomad bloodbath
-
I'll concede this guy knows more about tor and probably network security in general, than I do. Of course, he's an ill-mannered douchebag who probably has no friends beyond the people who he sucks up to on irc, but he does know what he's talking about for the most part. It's a shame he has to behave that way instead of engaging in simple, polite debate. If you think I'm wrong, point it out. Insulting people only detracts from the value of what you're saying, and only encourages people to disagree with you, when your goal is to get people to agree with you.
Nobody was ever suggesting tor somehow protects you from application layer attacks. That's kind of a ridiculous straw-man to even attempt.
So, put your dick back in your pants. You've made your point. You like computers, but not people. You made it clear that you're one of a handful of people that thinks they know how to expose the location of a hidden service using only network layer techniques.
You've successfully stopped the horrible misinformation from spreading. But you might want to shout a little louder...pretty sure that almost everybody who provides a hidden black market service would like to know that they are exposed and vulnerable and probably compromised already and being used as a honey pot by TLAs. You'd think you'd have loftier goals than shouting down somebody on a forum....because while my "misinformation" may have really pissed you off to the point where you slapped your dog, it's "misinformation" that is shared by, oh, I would guess about 95% of the users on tor? With the rest of the other 5% being people who don't know anything about it at all other than that's how you get to silk road?
So, perhaps you could realize that you're not "correcting misinformation", you're actually asserting something that is contrary to the general understanding of almost all of your audience, and therefore you should be taking a tone of "education and explanation" rather than "ego-maniacal ranting".
Oh, and smoke a fucking bowl for christ's sake.
-
Oh, and smoke a fucking bowl for christ's sake.
Best advice in this thread.
-
You people have too much USA centric views. Do You really think the SR is located in US or FBI can monitor Tor network worldwide?
.onion is vulnerable to timing attacks, but that's all. I have read all the damn PDF papers, and they will be no use for some US agency to trace servers located overseas. And even if they suspect that server is located There, how will they prove anything in court? Considering the encryption and physical security of server?
As long as the administration of SR will not screw something terribly wrong, the SR will live. Seriously people, order some barbs from SR and calm down!
All I'm worried about is SR webserver getting exploited and coins stolen or administration making unpopular changes to SR policies.
-
This place feels like how I imagine a cyber-optic wild west would. I bet I'll be telling my kids about Tor years from now and they'll respond in awe, "wow, that used to be rare and relatively unknown?"
Information is being made free, and we are the people freeing it. Its truly a fractalized revolution, spreading wherever it can, and there are infinite places for it to go. And you can't guard infinite space.
-
You people have too much USA centric views. Do You really think the SR is located in US or FBI can monitor Tor network worldwide?
.onion is vulnerable to timing attacks, but that's all. I have read all the damn PDF papers, and they will be no use for some US agency to trace servers located overseas. And even if they suspect that server is located There, how will they prove anything in court? Considering the encryption and physical security of server?
As long as the administration of SR will not screw something terribly wrong, the SR will live. Seriously people, order some barbs from SR and calm down!
All I'm worried about is SR webserver getting exploited and coins stolen or administration making unpopular changes to SR policies.
Yes i should be nicer but when i spend all day correcting people online I start to get really irritated when more and more people keep talking about shit they have no idea about. I also feel obligated to correct them lest their bullshit pulled out of their ass information continues to spread and multiply. Re above poster, you are retarded, there is a difference between an active and a passive attack, please learn the difference between you ever talk about the anonymity of Tor again. You have no clue what you are talking about. FBI or anyone else can do an active attack merely by adding nodes to the network, they do not need to do a fully passive attack and they almost certainly will have better luck with an at least partially active attack.
-
The FBI can build entire circuit by luck when they will have enough nodes. That's why Tor have "family" option in torrc.conf file. That's why there is entry nodes, Tor will always use them to avoid selecting random nodes each time who might be malicious.
And You can get to know where the SR server is located. Now You must decrypt the datastream to prove beyond reason of doubt that the content in question is served from that location. Possible? And then they will need to decrypt TrueCrypt or dm-crypt/LUKS encrypted harddrives of that poor server. Meanwhile the SR backup will be run from another server halfway across globe.
-
The FBI can build entire circuit by luck when they will have enough nodes. That's why Tor have "family" option in torrc.conf file. That's why there is entry nodes, Tor will always use them to avoid selecting random nodes each time who might be malicious.
And You can get to know where the SR server is located. Now You must decrypt the datastream to prove beyond reason of doubt that the content in question is served from that location. Possible? And then they will need to decrypt TrueCrypt or dm-crypt/LUKS encrypted harddrives of that poor server. Meanwhile the SR backup will be run from another server halfway across globe.
It is unlikely that they will build the entire circuit by luck, although they only need to own one out of three key nodes (entry guards) to deanonymize the server. They can find the entry guard by doing the attack I already explained the technical details of. No you don't need to decrypt the stream to prove beyond reason of doubt that the content in question is served from that location, you can just send the SR server a message with a self introduced pattern in the inter packet arrival times and then observe the line looking for that pattern. That will prove beyond a reasonable doubt that the SR server has been located. They would also have pretty good luck using a website fingerprinting attack, CCC made a classifier that can identify a website by analysis of the encrypted Tor stream with 60% accuracy. There are other traffic analysis techniques that can prove to various degrees, often beyond a reasonable doubt, that the server has been located. Another thing they could do is restart the server at the data center and then observe silk road website and see if there is a down time correlation, this is called an intersection attack. So there I gave three examples of how you are wrong, would you like me to continue because I can go on about this all day if need be.
Also they are not going to need to decrypt Truecrypt or DM-crypt because they will just flash freeze the ram and dump it into a forensic laptop, then they will recover the encryption keys. I doubt silk road is even using encapsulation material or physical intrusion detection systems on his server to try to prevent this, but if enough of a fuck was given about Silk Road the military of USA has already gotten around tamper resistant memory systems similar to this.
Anyway they will try to minimize down time as much as possible if they do an attack stemming from physical seizure of the server. After all, they would rather spy on the unecrypted addresses noobs are sending through the SR server, and possibly use SR server as a position to carry out application layer attacks against clients, etc, than they would take down such a valuble intelligence source and scare everyone away from it.
Nice try though. Also I doubt even the FBI is stupid enough to add all of their Tor nodes to the same family, that would prevent them from being used to do a substantial number of attacks against the Tor network. Entry guards help prevent a lot of attacks if you are using them properly (if you are using a live CD that doesn't have persistence, like Amnesia, you are not properly using entry guards). However, entry guards will only slightly slow many attackers down if the target is a hidden service (or if the target has their browser taken over and has used isolation, although if the user has their browser taken over and they are not using isolation techniques they are fucked already).
-
THIS is what I've taken to calling "slurry". I'm not taking the time to outline quotes, but one said doesn't matter who the teacher is, I find this true, as well. Who cares if the dude had a bad attitude? I'm trying to learn shit, here, and it's getting so frustrating because almost every post from every section is filled with arguments, instead of collaboration! I just read 4 pages, and about 30% was information. The rest was Jerry Springer. Don't take it the wrong way, it was entertaining, but a waste of time.
I wish I was only 1/5 as educated as most of you, especially kmfkewm. Lack of knowledge is what is holding me back here,as freedom, as pseudo as it may be, is my favorite thing. Weed is 2nd. :)
Thanks for the info, K.
And smoke a fucking bowl, as was posted before! You can still be a dick and be high. It's fun!
-
The FBI can build entire circuit by luck when they will have enough nodes. That's why Tor have "family" option in torrc.conf file. That's why there is entry nodes, Tor will always use them to avoid selecting random nodes each time who might be malicious.
And You can get to know where the SR server is located. Now You must decrypt the datastream to prove beyond reason of doubt that the content in question is served from that location. Possible? And then they will need to decrypt TrueCrypt or dm-crypt/LUKS encrypted harddrives of that poor server. Meanwhile the SR backup will be run from another server halfway across globe.
It is unlikely that they will build the entire circuit by luck, although they only need to own one out of three key nodes (entry guards) to deanonymize the server. They can find the entry guard by doing the attack I already explained the technical details of. No you don't need to decrypt the stream to prove beyond reason of doubt that the content in question is served from that location, you can just send the SR server a message with a self introduced pattern in the inter packet arrival times and then observe the line looking for that pattern. That will prove beyond a reasonable doubt that the SR server has been located. They would also have pretty good luck using a website fingerprinting attack, CCC made a classifier that can identify a website by analysis of the encrypted Tor stream with 60% accuracy. There are other traffic analysis techniques that can prove to various degrees, often beyond a reasonable doubt, that the server has been located. Another thing they could do is restart the server at the data center and then observe silk road website and see if there is a down time correlation, this is called an intersection attack. So there I gave three examples of how you are wrong, would you like me to continue because I can go on about this all day if need be.
Also they are not going to need to decrypt Truecrypt or DM-crypt because they will just flash freeze the ram and dump it into a forensic laptop, then they will recover the encryption keys. I doubt silk road is even using encapsulation material or physical intrusion detection systems on his server to try to prevent this, but if enough of a fuck was given about Silk Road the military of USA has already gotten around tamper resistant memory systems similar to this.
Anyway they will try to minimize down time as much as possible if they do an attack stemming from physical seizure of the server. After all, they would rather spy on the unecrypted addresses noobs are sending through the SR server, and possibly use SR server as a position to carry out application layer attacks against clients, etc, than they would take down such a valuble intelligence source and scare everyone away from it.
Nice try though. Also I doubt even the FBI is stupid enough to add all of their Tor nodes to the same family, that would prevent them from being used to do a substantial number of attacks against the Tor network. Entry guards help prevent a lot of attacks if you are using them properly (if you are using a live CD that doesn't have persistence, like Amnesia, you are not properly using entry guards). However, entry guards will only slightly slow many attackers down if the target is a hidden service (or if the target has their browser taken over and has used isolation, although if the user has their browser taken over and they are not using isolation techniques they are fucked already).
If what you said is true, which it looks like it could be, wouldn't you be like, helping the fbi learn how to take down SR with that kind of information?
-
This topic is hilarious. Thanks guys.
-
But the good thing is there are alot of other sites like this one.
What other sites like this one exist out there?
Please list them.
Thanks.
-
...its a mixed bag not every SR transaction goes smoothly, i don't believe there is any fool proof buying method anything could go wrong...
;)
-
The FBI can build entire circuit by luck when they will have enough nodes. That's why Tor have "family" option in torrc.conf file. That's why there is entry nodes, Tor will always use them to avoid selecting random nodes each time who might be malicious.
And You can get to know where the SR server is located. Now You must decrypt the datastream to prove beyond reason of doubt that the content in question is served from that location. Possible? And then they will need to decrypt TrueCrypt or dm-crypt/LUKS encrypted harddrives of that poor server. Meanwhile the SR backup will be run from another server halfway across globe.
It is unlikely that they will build the entire circuit by luck, although they only need to own one out of three key nodes (entry guards) to deanonymize the server. They can find the entry guard by doing the attack I already explained the technical details of. No you don't need to decrypt the stream to prove beyond reason of doubt that the content in question is served from that location, you can just send the SR server a message with a self introduced pattern in the inter packet arrival times and then observe the line looking for that pattern. That will prove beyond a reasonable doubt that the SR server has been located. They would also have pretty good luck using a website fingerprinting attack, CCC made a classifier that can identify a website by analysis of the encrypted Tor stream with 60% accuracy. There are other traffic analysis techniques that can prove to various degrees, often beyond a reasonable doubt, that the server has been located. Another thing they could do is restart the server at the data center and then observe silk road website and see if there is a down time correlation, this is called an intersection attack. So there I gave three examples of how you are wrong, would you like me to continue because I can go on about this all day if need be.
Also they are not going to need to decrypt Truecrypt or DM-crypt because they will just flash freeze the ram and dump it into a forensic laptop, then they will recover the encryption keys. I doubt silk road is even using encapsulation material or physical intrusion detection systems on his server to try to prevent this, but if enough of a fuck was given about Silk Road the military of USA has already gotten around tamper resistant memory systems similar to this.
Anyway they will try to minimize down time as much as possible if they do an attack stemming from physical seizure of the server. After all, they would rather spy on the unecrypted addresses noobs are sending through the SR server, and possibly use SR server as a position to carry out application layer attacks against clients, etc, than they would take down such a valuble intelligence source and scare everyone away from it.
Nice try though. Also I doubt even the FBI is stupid enough to add all of their Tor nodes to the same family, that would prevent them from being used to do a substantial number of attacks against the Tor network. Entry guards help prevent a lot of attacks if you are using them properly (if you are using a live CD that doesn't have persistence, like Amnesia, you are not properly using entry guards). However, entry guards will only slightly slow many attackers down if the target is a hidden service (or if the target has their browser taken over and has used isolation, although if the user has their browser taken over and they are not using isolation techniques they are fucked already).
If what you said is true, which it looks like it could be, wouldn't you be like, helping the fbi learn how to take down SR with that kind of information?
It isn't like it is classified. Anyway I have a collection of law enforcement training documents and other manuals and statistics relating to them, and I believe in one of the career path papers I have from FBI it says they start teaching their agents traffic analysis after 8 years at quantico if they go down the cyber crime career path. It isn't like the FBI doesn't have anyone who knows anything about traffic analysis working for them, although in 2008 they did fail to trace Tor clients that were used by a group of violent pedophiles including ones who were posting new material. Then again, tracing clients is a more impressive feat than hidden services, and they got many of the pedos who were using VPN's or posting pictures via photographic forensics.
-
- bankers, management ....stick together and look out for themselves..
- government laws are outdated and antiquated.
-
What a vague topic filled with dick-measuring and name calling. ::)
To sum this all up, SR is alive because it's just secure enough and just discreet enough to stay out of harms way. The day the feds' tech makes a leap and overtakes our security is coming and SR will be taken down when this lines up with a period of inter-agency cooperation if not international cooperation which will probably only happen if SR gets a LOT more traffic.
Just be happy we have it, use it while it lasts, and be careful. Knowledge is power and - in the case of SR - can keep us all out of jail.
knowing is half the battle, knowledge is power, loose lips sink ships, etc. etc.
-
Just how many more would be a LOT, to consider it a LOT more traffic?
Here's a short summary of about the last month:
to give you a break down of Welcome Wagon in the time that it ran it determined there were on average 437 new user registrations a day or roughly 19 new users a hour :) of those users 34% of them actually read the message within 20 min 67 within 24 hours and 73% within 72 hours with the remaining going unread of those users in the duration of running 32,342 Users were sent private messages of those 73% of the 32,342 users only 19% replied to the message of those 19% of users whom replied 98% of them were positive and asked for help or just wanted to thank me 2 % were already users i suspect and were just lik omg wtf ect ect
of those 73% of users in comparison to my personal sales only about 1% give or take were customers
and based of some other stats only about 6% of the users who were sent pm's were return visitors
And full post here:http://dkn255hz262ypmii.onion/index.php?topic=7956.msg75523#msg75523
I'm not discrediting anything you said, but I thought those numbers represented a lot.
-
I will stop posting in this tread. People have no idea about difference in identifying SR server in technical terms and identifying it in legal terms that is representable in court. Any doubt is behalf of defendant. And the swat team flash freezing the memory modules is scene straight from spy action movie or some bad ganja trip. This will never succeed with physical security, even passive ones like hard epoxy and killswitch/boobietrap will easily stop this. And who say the server is located in datacenter? I know many people who run servers from the closet in bedroom and are connected to optical lines. Again, too much USA centric view.
You say that I'm posting shit. You don't know nothing about me and never will. Keep Your opinions to Yourself!
-
I will stop posting in this tread. People have no idea about difference in identifying SR server in technical terms and identifying it in legal terms that is representable in court. Any doubt is behalf of defendant. And the swat team flash freezing the memory modules is scene straight from spy action movie or some bad ganja trip. This will never succeed with physical security, even passive ones like hard epoxy and killswitch/boobietrap will easily stop this. And who say the server is located in datacenter? I know many people who run servers from the closet in bedroom and are connected to optical lines. Again, too much USA centric view.
You say that I'm posting shit. You don't know nothing about me and never will. Keep Your opinions to Yourself!
I imagine it probably is located in a data center or other remote hosting scenario, although it is possible that SR is dumb enough to host a server he has in his physical possession. This would be very bad for him though because Tor hidden services are much more likely to be traced than clients. The memory freezing technique is actually straight out of any basic computer forensics manual published in the past few years. Even before flash freezing they were dumping RAM into forensic laptops. Of course this implies above average law enforcement, many of them have out dated training and still power down machines, but particularly against CP people they have started doing flash freezing and live RAM dumps on targets. It is not in the realm of advanced LE only anymore. Later when I have more time i will link you to several cases where LE used attacks like this. So in short what I am trying to say is welcome to the talk out of your ass about shit you don't know a fucking thing about club. I am not some fucking retard talking about things I have absolutely no experience with, so think about your own credentials before you open your mouth and spew bullshit at me because chances are high you will just be helping me in wasting my time otherwise.
Also, although SWAT teams have in many cases barged in and dumped RAM to forensic laptops, sometimes using flash freezing, if the server is stored in a data center none of the physical security measures are going to do shit against a warrant unless SR has a tamper resistant case with chasis intrusion detection hardware configured to go into a memory wipe when the case is penetrated. I don't know how much luck LE will have against those systems, but the military will likely have little trouble with them.
BTW I have contact with multiple people who have worked for real intelligence and military agencies, I don't need to tell you shit from movies :)
Speaking of which you clearly fail to see the distinction between evidence and intelligence
I will stop posting in this tread. People have no idea about difference in identifying SR server in technical terms and identifying it in legal terms that is representable in court. Any doubt is behalf of defendant.
Intelligence narrows in on evidence, in a criminal intelligence context. The feds may never even use the seized SR server in a court of law, or let it be known that it was seized and taken over. They will use it as a honeypot if enough people send unencrypted addresses. The way the address was targeted never needs to be shown in court, the fact that a package with drugs heading to it was intercepted and a CD took place is enough to fuck the target. The drug package is evidence, the addresses to target gained from the server compromise are intelligence. Usually smart players don't like to compromise their intelligence source by revealing it.
I wonder how many of the retards arguing with me in security threads are federal agents engaging in a disinformation campaign (afraid of SR peeps becoming as secure as OVDB peeps ?) and how many of them are stupid kids who think they know know everything. Try to learn instead of act like you already know shit, you guys are massively degrading the quality of information on this forum and causing confusion, either intentionally or unintentionally.
-
I will stop posting in this tread. People have no idea about difference in identifying SR server in technical terms and identifying it in legal terms that is representable in court. Any doubt is behalf of defendant. And the swat team flash freezing the memory modules is scene straight from spy action movie or some bad ganja trip. This will never succeed with physical security, even passive ones like hard epoxy and killswitch/boobietrap will easily stop this. And who say the server is located in datacenter? I know many people who run servers from the closet in bedroom and are connected to optical lines. Again, too much USA centric view.
You say that I'm posting shit. You don't know nothing about me and never will. Keep Your opinions to Yourself!
This is the first troll I've seen on these forums. Unless you count the gummy stars fiasco.
-
Am I the only one laughing at everyone arguing trying to prove their intellect and protect their ego's?
Wow I didn't know being circumstantially correct would intrigue these users enough to type these erroneous and nonsensical arguments completely diverting from the original question....
Shame.
-DF
drugfather
-
informative as always, kmfkewm, thank you.
-
I imagine it probably is located in a data center or other remote hosting scenario, although it is possible that SR is dumb enough to host a server he has in his physical possession
Hosting server in datacenter is not good idea either, because 1. you still might get traced if server is compromised. Paperwork etc. 2. You have no control over the physical hardware, so this might happen - The feds may never even use the seized SR server in a court of law, or let it be known that it was seized and taken over. They will use it as a honeypot if enough people send unencrypted addresses.
I wonder how many of the retards arguing with me in security threads are federal agents engaging in a disinformation campaign
I suspected someone will say this. If I dismiss someones paranoid dreams and don't wear tinfoil hat and give attention to real security problems, I'm agent right?
-
I imagine it probably is located in a data center or other remote hosting scenario, although it is possible that SR is dumb enough to host a server he has in his physical possession
Hosting server in datacenter is not good idea either, because 1. you still might get traced if server is compromised. Paperwork etc. 2. You have no control over the physical hardware, so this might happen - The feds may never even use the seized SR server in a court of law, or let it be known that it was seized and taken over. They will use it as a honeypot if enough people send unencrypted addresses.
I wonder how many of the retards arguing with me in security threads are federal agents engaging in a disinformation campaign
I suspected someone will say this. If I dismiss someones paranoid dreams and don't wear tinfoil hat and give attention to real security problems, I'm agent right?
Agent Sierra you are off the case.
-
sierraRS you should honor your promise to not post in this thread anymore. kmfkewm is absolutely right
-
Hosting server in datacenter is not good idea either, because 1. you still might get traced if server is compromised. Paperwork etc.
Yeah versus that contract free optical line you have. Even if you use techniques like hosting on hacked / open WiFi the signal can be traced back to your physical machine pretty quickly if you are using a static location particurl, arly as would be the most likely scenario with a server. Your entire argument against data centers here is retarded.
2. You have no control over the physical hardware, so this might happen
You can send in your own hardware to most data centers, if you pay to rent rack space and bandwidth. This has its own risks in the forensics and traceability departments, but it does give a few advantages primarily you don't need to trust a pre-installed configuration from the data center and you can use fancy hardware security systems / techniques, for exampe chasis intrusion detection / memory encapsulation systems. You can also get the advantage of not using a data center installed OS if you buy a server with a KVM switch, this gives remote access to the boot sequence, bios and allows you to install an OS remotely as well, although I am not certain I think it is still not as secure from data center positioned attackers who want to root kit you as sending in your own server is. However sending in your own server has too many other risks imo and isn't worth tamper resistance since most of the benefits you would get by having a tamper resistant case can be gained by using asymmetric encryption systems anyway.
Anyway you are either an agent or one of the dime a dozen retards who argues incorrect bullshit and refuses to believe documented evidence when proven wrong. I still have trouble to differentiate between people who are mentally retarded and federal agents, I think it might be because of the large degree of overlap though.
-
Well kmfkewm you really do look like you know your shit. I say look like as i havent a clue as to most you said hehe....went right over my head.
That said im here to buy a small amount of drugs every now and then (say every few months), if i get caught from a lapse in my own (very limited) security knowledge what will happen? Ill get a slap on the wrist, told not to do it again and thats all.
For your average user all those security related issues dont matter as much as you imply at the end of the day, yes they do to dealers who take more risk etc, but like i said for us buyers the worse we can expect is a slap on the wrist.
Im not bothered if tor can be traced or not, so far i ent been caught and if/when i do there are alternatives
-
they can't do shit unless they pass sopa, which will most likely not happen because corporations such as google, ebay, facebook, ect will lose money and money is everything in the US. ops forgot this shit is internation, there ain't shit anyone can do anyhow!
-
unless they pass sopa, which will most likely not happen
SOPA will pass. It's already been bought and paid for, and there's nothing Google, Wikipedia and their gang of IT pals can do about it. Much less "We, the People". Of course.
-
Well kmfkewm you really do look like you know your shit. I say look like as i havent a clue as to most you said hehe....went right over my head.
That said im here to buy a small amount of drugs every now and then (say every few months), if i get caught from a lapse in my own (very limited) security knowledge what will happen? Ill get a slap on the wrist, told not to do it again and thats all.
For your average user all those security related issues dont matter as much as you imply at the end of the day, yes they do to dealers who take more risk etc, but like i said for us buyers the worse we can expect is a slap on the wrist.
Im not bothered if tor can be traced or not, so far i ent been caught and if/when i do there are alternatives
I wouldn't be so sure of that, if you are in USA getting drugs via mail its automatically a federal crime and you would very likely get at least a few years in prison if you had any amount of schedule one drugs intercepted, although you would probably have your case given to state and do most time on parole. In some states you can probably get very fucked for getting drugs in mail even as compared to federal. Plus you are probably also chargable for federal money laundering which could get you twenty years in prison if they really wanted to fuck you. You probably break a number of other laws also, every time you get drugs in mail pay for them participate in a network that trafficks them (you can probably be charged under RICO for participating in a drug trafficking organization and get a life sentence if they really want to fuck you....SR is probably the largest drug trafficking network that has a formalized name that I have ever heard of but it is still a drug trafficking network and a DTO in the eyes of the DEA. Silk Road is a more modern sort of drug trafficking network, this sort of network and the techniques we use were actually first mentioned in a paper by a US military think tank, it is titled Netwar: the future of crime terrorism and militancy , and discusses concepts such as product swarming (massive network with individual nodes moving small amounts, breaking large amounts up into smaller packets etc) encrypted communication, network overlays etc.
although a lodging of wayfaring men is a nice cypherpunk fiction book that also describes things it might be more appropriate for the SR audience than a serious research paper
-
You have a link to Netwar? I'm gonna google it, too, but links are handy :) Very interesting.
I'm still new to SR, as well, but one positive aspect of SR is that it reduces the risk of bodily injury when acquiring drugs. Some people live in really bad places in the world, USA included, but is least of worries, I think...well, maybe Netherlands, right. Anyway, some people in Africa, or South America have to deal with warring gangs and tyrannical governments to get drugs. I think there are quite a few who now opt for SR, to avoid death squads. Literally.
SR alleviates the crimes that hamper our pursuit of happiness...i.e. legal drugs.
Although legalizing may end much of the violence, it's that same violence that keeps the war alive.
A government can NEVER be wrong, so I do not see legalization anytime in the future. Only the corporation of pharmaceuticals companies. And police networks.
-
Well kmfkewm you really do look like you know your shit. I say look like as i havent a clue as to most you said hehe....went right over my head.
That said im here to buy a small amount of drugs every now and then (say every few months), if i get caught from a lapse in my own (very limited) security knowledge what will happen? Ill get a slap on the wrist, told not to do it again and thats all.
For your average user all those security related issues dont matter as much as you imply at the end of the day, yes they do to dealers who take more risk etc, but like i said for us buyers the worse we can expect is a slap on the wrist.
Im not bothered if tor can be traced or not, so far i ent been caught and if/when i do there are alternatives
I wouldn't be so sure of that, if you are in USA getting drugs via mail its automatically a federal crime and you would very likely get at least a few years in prison if you had any amount of schedule one drugs intercepted, although you would probably have your case given to state and do most time on parole. In some states you can probably get very fucked for getting drugs in mail even as compared to federal. Plus you are probably also chargable for federal money laundering which could get you twenty years in prison if they really wanted to fuck you. You probably break a number of other laws also, every time you get drugs in mail pay for them participate in a network that trafficks them (you can probably be charged under RICO for participating in a drug trafficking organization and get a life sentence if they really want to fuck you....SR is probably the largest drug trafficking network that has a formalized name that I have ever heard of but it is still a drug trafficking network and a DTO in the eyes of the DEA. Silk Road is a more modern sort of drug trafficking network, this sort of network and the techniques we use were actually first mentioned in a paper by a US military think tank, it is titled Netwar: the future of crime terrorism and militancy , and discusses concepts such as product swarming (massive network with individual nodes moving small amounts, breaking large amounts up into smaller packets etc) encrypted communication, network overlays etc.
although a lodging of wayfaring men is a nice cypherpunk fiction book that also describes things it might be more appropriate for the SR audience than a serious research paper
Im not from the us, but even so i doubt first offenders would face jail terms. A friend of mine has been caught trying to import what the USA would say is a schedule 1 (the highest if im correct, if not correct me) drug and all that happened was a letter from customs warning him the contents had an illegal substance in. Not even a call from the police and a warning, nothing!
Im not stupid enough to try and import enough gear at once so it can be seen with the potential to supply, which may end up with a jail term.
When i first heard if this place i seen it as an untraceable marketplace i can get drugs from, and while i dont doubt any of your warnings....you know your stuff, i just havnt heard of anyone get caught (yet!). If and when this happens ill reconsider using this place.
-
Im not from the us, but even so i doubt first offenders would face jail terms.
In the USA? Yes, first offenders totally do face jail sentences. Wherever it is you live? That I don't know.
And Schedule I is indeed the highest rank of controlled substance, reserved for drugs deemed both dangerous and useless for medical/scientific research - which goes to show how much bullshit goes into making these lists.
-
If you are in USA and have any schedule one other than weed intercepted the chances are very high that you will be doing at the minimum a few months locked up but much more likely you will get a few years. Don't fall into the cognitive trap of thinking that you are less of a target than you really are, your body fills a bed and your money will pay for court ordered rehabilitation classes etc just as much as the next guys. To a cop you are just another statistic to bump up their bust rating, fucking your life over is a game to them and they like to compete for the high score (of course imo we should start playing GTA :P )
Nobody thinks they are breaking serious laws until they are arrested it seems. People automatically minimize the extent of their crimes as compared to the exagerated version that the DEA will give. Don't be one of the idiots who only realizes that they are participating in a criminal network when camo and mask wearing paramilitary storm troopers smash their door down and sell them to the prison industrial complex. This is not hyperbole, I know several people who have been raided for getting drugs in the mail and in one case an order of LSD and ketamine for personal use resulted in a home being swarmed by feds with guns drawn. Remember that these are insane and evil people, you may realize that you are not a criminal but aas far as the law or LE cares you are the enemy you are a drug user a waste of life a sick person who needs to be forced into getting help so that your views line up with the states (in China I think they call it re-education) , etc.
Stop thinking that your enemy is at all rational or logical (They wont send me to prison if I have packages intercepted they will just tell me to stop!), your enemy is dangerous and mentally ill and completely out of touch with reality.
-
I disagree. The odds of a first-time offender in the USA getting a *few years in jail* for receiving a small, personal-use amount of some schedule 1 substance in the mail are fairly slim. Does that mean it won't or can't happen? No, of course not - and if you're receiving enough that it could be considered more than a personal-use amount (whatever the law says about that particular substance) - then you might well be in deep shit. But there's a lot that has to happen between the time that the pigs intercept your package and the time they bust down your door in order for that to really be considered much of a possibility.
-
I will enjoy it while it last. I am however comfortable in my current setup.
- ColdFrost
-
I've seen two things concerning this topic in the media.
The first is an article that implies that governments are powerless to stop the silk road because tor connections are encrypted. There's also a mention of PostmanPot.
http://preview.tinyurl.com/7y2m6l9
The second is a youtube video about how governments have attempted to block Tor, and how you can help if you're tech savvy.
http://preview.tinyurl.com/6rs6ufk
The only way that tor could be stopped if goverments try to block connections with certain ip's. Some are already doing this, it could be a matter of time before others decide to do so. Like with SOPA, if they attempt this garbage then we should let them know that we don't agree.
-
kmfkewm, very impressive knowledge.
too bad its cost you a normal social life. Ive never seen so much TL;DR trolling in my life.
seriously man. lets go camping or something.
-
If you are in USA and have any schedule one other than weed intercepted the chances are very high that you will be doing at the minimum a few months locked up but much more likely you will get a few years. Don't fall into the cognitive trap of thinking that you are less of a target than you really are, your body fills a bed and your money will pay for court ordered rehabilitation classes etc just as much as the next guys. To a cop you are just another statistic to bump up their bust rating, fucking your life over is a game to them and they like to compete for the high score (of course imo we should start playing GTA :P )
Nobody thinks they are breaking serious laws until they are arrested it seems. People automatically minimize the extent of their crimes as compared to the exagerated version that the DEA will give. Don't be one of the idiots who only realizes that they are participating in a criminal network when camo and mask wearing paramilitary storm troopers smash their door down and sell them to the prison industrial complex. This is not hyperbole, I know several people who have been raided for getting drugs in the mail and in one case an order of LSD and ketamine for personal use resulted in a home being swarmed by feds with guns drawn. Remember that these are insane and evil people, you may realize that you are not a criminal but aas far as the law or LE cares you are the enemy you are a drug user a waste of life a sick person who needs to be forced into getting help so that your views line up with the states (in China I think they call it re-education) , etc.
Stop thinking that your enemy is at all rational or logical (They wont send me to prison if I have packages intercepted they will just tell me to stop!), your enemy is dangerous and mentally ill and completely out of touch with reality.
Very well said.
-
kmfkewm, very impressive knowledge.
too bad its cost you a normal social life. Ive never seen so much TL;DR trolling in my life.
seriously man. lets go camping or something.
I have a pretty interesting life actually, I spend most of my time talking with major international drug traffickers and security and intelligence experts, and on occasion putting my security knowledge and connections to use for personal profit ;). Why would I go camping when I can learn about computer security 0_0.
I don't really care if you listen to what I say or not, or if you read my posts or not. Seriously what the fuck is wrong with half of this forum do you all have ADHD or something? I bet the average security of a given user here is god damn horrible and it really makes me feel bad for you because you will be the first to find out how long of a prison sentence you get for doing these things when your ass is busted because of your shitty operational security. Then you will have a social life in prison as somebodies bitch and will have plenty of time to think about how you should have (encrypted your messages, used isolation, used linux, used a bitcoin mix, or any of the numerous other things you don't do that puts you at an inherently higher risk of being busted). SR is going to turn into a massive intelligence honeypot at some point in time, it is almost inevitable. Eventually LE will probably root this server and at least start spying on unencrypted addresses, maybe doing man in the middle attacks on encryption keys. Of course this assumes that they bother to go the technical route, they may go primarily with human intelligence and gather target addresses by flooding vending nyms.
Seriously what the fuck is wrong with some of the posters here. Posts here look like this:
"TL:DR, I have shit security who cares i dont care if i go to jail lol send me drugz omg omg VPN pwns Tor'
it makes my head hurt. Do you seriously not grasp that you are engaging in serious federal criminal activity by even being a member of this forum? Even being a member of a drug forum is illegal in the USA under the Ryan Haight act, not to mention the huge amount of other crime you engage in here. If there is one thing I have learned about people who commit crimes it is that none of them thinks they are a target. Prison is FULL of people who thought they were too small time to be targeted.
-
If you're curious about what you might be charged with for ordering drugs in the mail, I searched for news stories regarding this and came up with a few related cases.
Snowmass Village man who
received pot in mail pleads guilty
http://preview.tinyurl.com/73gapgn
The post office workers noticed a suspicious smell coming from the torn package, that's why he was caught. He was charged with possession with the intent to distribute because he received several pounds of weed.
Wilmington couple pleads in receipt of drugs through mail
http://preview.tinyurl.com/7jz2dub
In this case, the couple was charged with distributing drugs because they sent a package to another location. It's important to disguise your address when possible.
Over 25 pounds of pot found; 2 arrested
http://preview.tinyurl.com/7pe6s6e
It seems that in this case somebody told the police that the package was going to be delivered. If you're going to order a mass amount of weed from a stranger, I would think twice. The two were charged with drug trafficking.
Postal Service Delivery Lands Pitt County Man In Jail
http://preview.tinyurl.com/8yrjp3h
This guy was charged with possession, possession of drug paraphernalia, and something to do with maintaining a drug den.
I also found out some strategies used to intercept packages, I don't know how useful this information is however.
Party drugs popular with online shoppers
http://preview.tinyurl.com/8x7tdgf
In Australia, the post office works with the police to find and intercept packages that are suspicious. They also monitor people as well.
International parcels with banned drugs caught at Delhi Post office
http://preview.tinyurl.com/8axhs32
In India they intercepted packages by observing writing patterns and looking for inconsistencies between the content of the packages and the destinations that they were going to.
-
If you're curious about what you might be charged with for ordering drugs in the mail, I searched for news stories regarding this and came up with a few related cases.
Snowmass Village man who
received pot in mail pleads guilty
http://preview.tinyurl.com/73gapgn
The post office workers noticed a suspicious smell coming from the torn package, that's why he was caught. He was charged with possession with the intent to distribute because he received several pounds of weed.
Wilmington couple pleads in receipt of drugs through mail
http://preview.tinyurl.com/7jz2dub
In this case, the couple was charged with distributing drugs because they sent a package to another location. It's important to disguise your address when possible.
Over 25 pounds of pot found; 2 arrested
http://preview.tinyurl.com/7pe6s6e
It seems that in this case somebody told the police that the package was going to be delivered. If you're going to order a mass amount of weed from a stranger, I would think twice. The two were charged with drug trafficking.
Postal Service Delivery Lands Pitt County Man In Jail
http://preview.tinyurl.com/8yrjp3h
This guy was charged with possession, possession of drug paraphernalia, and something to do with maintaining a drug den.
I also found out some strategies used to intercept packages, I don't know how useful this information is however.
Party drugs popular with online shoppers
http://preview.tinyurl.com/8x7tdgf
In Australia, the post office works with the police to find and intercept packages that are suspicious. They also monitor people as well.
International parcels with banned drugs caught at Delhi Post office
http://preview.tinyurl.com/8axhs32
In India they intercepted packages by observing writing patterns and looking for inconsistencies between the content of the packages and the destinations that they were going to.
This is why this forum needs an intelligence subforum, so we can search for stories like this as a community and pool our analytical skills together as well. Also for linking to technical papers on anonymity systems, law enforcement training documents and materials, etc. Not having an intelligence sub-forum is putting this community at a huge disadvantage. Why limit yourselves intentionally?
-
kmfkewm, very impressive knowledge.
too bad its cost you a normal social life. Ive never seen so much TL;DR trolling in my life.
seriously man. lets go camping or something.
I have a pretty interesting life actually, I spend most of my time talking with major international drug traffickers and security and intelligence experts, and on occasion putting my security knowledge and connections to use for personal profit ;). Why would I go camping when I can learn about computer security 0_0.
I don't really care if you listen to what I say or not, or if you read my posts or not. Seriously what the fuck is wrong with half of this forum do you all have ADHD or something? I bet the average security of a given user here is god damn horrible and it really makes me feel bad for you because you will be the first to find out how long of a prison sentence you get for doing these things when your ass is busted because of your shitty operational security. Then you will have a social life in prison as somebodies bitch and will have plenty of time to think about how you should have (encrypted your messages, used isolation, used linux, used a bitcoin mix, or any of the numerous other things you don't do that puts you at an inherently higher risk of being busted). SR is going to turn into a massive intelligence honeypot at some point in time, it is almost inevitable. Eventually LE will probably root this server and at least start spying on unencrypted addresses, maybe doing man in the middle attacks on encryption keys. Of course this assumes that they bother to go the technical route, they may go primarily with human intelligence and gather target addresses by flooding vending nyms.
Seriously what the fuck is wrong with some of the posters here. Posts here look like this:
"TL:DR, I have shit security who cares i dont care if i go to jail lol send me drugz omg omg VPN pwns Tor'
it makes my head hurt. Do you seriously not grasp that you are engaging in serious federal criminal activity by even being a member of this forum? Even being a member of a drug forum is illegal in the USA under the Ryan Haight act, not to mention the huge amount of other crime you engage in here. If there is one thing I have learned about people who commit crimes it is that none of them thinks they are a target. Prison is FULL of people who thought they were too small time to be targeted.
Don't you think using pgp encryption is enough?
-
Don't you think using pgp encryption is enough?
You need to think in layers. The more preventative measures you take to protect yourself, the less likely you are to be put in harms way.
-
I'll concede this guy knows more about tor and probably network security in general, than I do. Of course, he's an ill-mannered douchebag who probably has no friends beyond the people who he sucks up to on irc, but he does know what he's talking about for the most part. It's a shame he has to behave that way instead of engaging in simple, polite debate. If you think I'm wrong, point it out. Insulting people only detracts from the value of what you're saying, and only encourages people to disagree with you, when your goal is to get people to agree with you.
Nobody was ever suggesting tor somehow protects you from application layer attacks. That's kind of a ridiculous straw-man to even attempt.
So because he out argued you, and proved you wrong, you can't admit that he's smarter than you without attacking his character. Your a shitty person at best and honestly you don't belong here. You are a teenager who just happened to stumble onto tor and your super hardcore smoking weed with your little clique of high school friends, as someone in the thread earlier mentioned.
So, put your dick back in your pants. You've made your point. You like computers, but not people. You made it clear that you're one of a handful of people that thinks they know how to expose the location of a hidden service using only network layer techniques.
You've successfully stopped the horrible misinformation from spreading. But you might want to shout a little louder...pretty sure that almost everybody who provides a hidden black market service would like to know that they are exposed and vulnerable and probably compromised already and being used as a honey pot by TLAs. You'd think you'd have loftier goals than shouting down somebody on a forum....because while my "misinformation" may have really pissed you off to the point where you slapped your dog, it's "misinformation" that is shared by, oh, I would guess about 95% of the users on tor? With the rest of the other 5% being people who don't know anything about it at all other than that's how you get to silk road?
So, perhaps you could realize that you're not "correcting misinformation", you're actually asserting something that is contrary to the general understanding of almost all of your audience, and therefore you should be taking a tone of "education and explanation" rather than "ego-maniacal ranting".
Oh, and smoke a fucking bowl for christ's sake.
-
The reason why what I am saying is contrary to the belief of almost my entire audience is because almost all of my audience was exposed to misinformation about Tor from dumbasses like you who talk about things they don't know about. Nobody who actually knows about Tor thinks that there is no technical way to trace a hidden service, so the only people who are saying this are either talking out of their assholes or have been exposed to misinformation from others who do so. I am sorry if you were merely exposed to misinformation and are mindlessly propagating it rather than intentionally making shit up for whatever reason, but really in either case it irritates the fuck out of me and you deserve to be bitched at.
This thread is a perfect example of why I have little tolerance for people who are blatantly talking out of their assholes without even TRYING to properly understand the material or even find the material required to form an opinion (guess what it isn't a news article that says Tor is untraceable). Because of people intentionally talking out of their ass about things they know nothing about, or intentionally spreading misinformation to their adversaries, or people propagating bullshit they hear without verification or deeper understanding, the majority of people running Tor hidden services are at far greater risk than they realize. This irritates me because it puts peoples lives in danger. I am even irritated that the Tor devs only make the 'security pitfalls' of Tor that the user can fix be well known (like cookies, flash proxy by pass attacks, etc) while the real serious attacks on the actual design of Tor are hidden away in TL:DR academic research papers that sometimes are not even directly discussing Tor in the first place. I am also very irritated that they still say "Tor prevents anyone from learning your location or browsing habits." on their homepage, when they know it isn't true (for example they know Tor offers zero protection from a global passive adversary).
I do trust the Tor people though and I think they are some of the best researchers when it comes to anonymity. For what it is worth the lead dev of Tor, Roger Dingledine, used to work for the NSA. This isn't widely known and I think it probably should be. He openly admits it if questioned, but the average user of Tor is not aware of the fact. I personally am not afraid of that fact since Tor is audited by so many other people, but I do find it somewhat strange that he went from working for a signals intelligence agency to working on a tool for countering signals intelligence. Then again, NSA also wants to counter signals intelligence. Also most people who take anonymity seriously realize that the NSA can trace Tor users, either via proxy by pass attacks or in many cases (probably the majority, especially if the target uses Tor regularly for an extended period of time) by actual signals intelligence analysis.
-
This thread is a perfect example of why I have little tolerance for people who are blatantly talking out of their assholes without even TRYING to properly understand the material or even find the material required to form an opinion (guess what it isn't a news article that says Tor is untraceable)
I assume that you're talking about me when you say that posting a news article isn't enough information. By posting it, I wasn't implying that Tor connections couldn't be traced, I was pointing out that current governments aren't aware of how to deal with Tor.
If you want to teach people about these problems, it doesn't help when you start calling everyone who isn't informed a dumbass. Nobody will respect you or care about your opinion after that point.
Anyone concerned: If you want to know more about security problems with Tor it can be as easy as looking up the Wiki page and looking under the weaknesses tab: http://preview.tinyurl.com/ys5wdz
-
Tor is a godsend. I remember back in the day when we used regular browsers to buy drugs online
-
I'm sorry my comments offended you, it was just a smartass remark to the mind blowing realization that you showed me how little I know in that respect.
so much respect.
-King
-
kmfkewm, unlike others, I appreciate your information (even if some of it does go WAAAAAAAY over my head :-\), and I don't doubt you given the Tor site even lists it's security issues.
That said, clearly we're all here for a reason, so a couple of questions if I may; what should we be doing to be more secure, and more broadly for my own curiosity, is there something better than Tor? Or (as I assume) nothing infallible as as been proven to just about every supposedly 'secure' government site in the past?
-
Yes, please give us a detailed post about how to protect ourselves.
-
We are watching you all...
We will find you and we will take you down.
Make your time.
-
We are watching you all...
We will find you and we will take you down.
Make your time.
FAIL TROLL
The DEA wouldn't warn us.
-
We are watching you all...
We will find you and we will take you down.
Make your time.
All your base are belong to us.
You have no chance to survive make your time.
For great justice!
-
We are watching you all...
We will find you and we will take you down.
Make your time.
All your base are belong to us.
You have no chance to survive make your time.
For great justice!
Someone set up us the bomb.
-
Don't you think using pgp encryption is enough?
In addition to that you should be using a secure application (web browser or otherwise) when using Tor to avoid a "bad apple attack". An insecure application can be exploited to reveal the source of an IP address.
You should also be aware that connections exiting the network aren't protected. A Swedish security consultant was able to obtain people's passwords by operating and monitoring exit nodes.
I also heard that you shouldn't use BitTorrent over Tor, because it isn't secure.
I also read that Tor streams can be traced through traffic analysis, but the identity of the user cannot be discovered. Bad apple attacks can discover your IP however.
All of this is coming from the main Wiki article for Tor.
There's also a big ass thing about safety on the Tor download page:
Use the Tor Browser
Tor does not protect all of your computer's Internet traffic when you run it. Tor only protects your applications that are properly configured to send their Internet traffic through Tor. To avoid problems with Tor configuration, we strongly recommend you use the Tor Browser Bundle. It is pre-configured to protect your privacy and anonymity on the web as long as you're browsing with the Tor Browser itself. Almost any other web browser configuration is likely to be unsafe to use with Tor.
Don't enable or install browser plugins
The Tor Browser will block browser plugins such as Flash, RealPlayer, Quicktime, and others: they can be manipulated into revealing your IP address. Similarly, we do not recommend installing additional addons or plugins into the Tor Browser, as these may bypass Tor or otherwise harm your anonymity and privacy. The lack of plugins means that Youtube videos are blocked by default, but Youtube does provide an experimental opt-in feature (enable it here) that works for some videos.
Use HTTPS versions of websites
Tor will encrypt your traffic to and within the Tor network, but the encryption of your traffic to the final destination website depends upon on that website. To help ensure private encryption to websites, the Tor Browser Bundle includes HTTPS Everywhere to force the use of HTTPS encryption with major websites that support it. However, you should still watch the browser URL bar to ensure that websites you provide sensitive information to display a blue or green URL bar button, include https:// in the URL, and display the proper expected name for the website.
Don't open documents downloaded through Tor while online
The Tor Browser will warn you before automatically opening documents that are handled by external applications. DO NOT IGNORE THIS WARNING. You should be very careful when downloading documents via Tor (especially DOC and PDF files) as these documents can contain Internet resources that will be downloaded outside of Tor by the application that opens them. This will reveal your non-Tor IP address. If you must work with DOC and/or PDF files, we strongly recommend either using a disconnected computer, downloading the free VirtualBox and using it with a virtual machine image with networking disabled, or using Tails. Under no circumstances is it safe to use BitTorrent and Tor together, however.
Use bridges and/or find company
Tor tries to prevent attackers from learning what destination websites you connect to. However, by default, it does not prevent somebody watching your Internet traffic from learning that you're using Tor. If this matters to you, you can reduce this risk by configuring Tor to use a Tor bridge relay rather than connecting directly to the public Tor network. Ultimately the best protection is a social approach: the more Tor users there are near you and the more diverse their interests, the less dangerous it will be that you are one of them. Convince other people to use Tor, too!