Author Topic: Read This!  (Read 5582 times)

0 Members and 1 Guest are viewing this topic.

Online Vesp

  • Administrator
  • Founding Wasp
  • *****
  • Posts: 4,714
    • The Vespiary
Read This!
« on: May 02, 2011, 07:09:38 PM »
Due to a few members talking to me about their concern about other members being "lazy" about security and privacy, and worried that I have perhaps not painted the picture well enough about the security of this site and the importance of staying anonymous on this site when talking about certain things - This is my attempt to do so.
Again - please review the rules: https://www.thevespiary.org/talk/index.php/topic,369.0.html
Strong emphasis on this:
Posts should be timeless and impersonal
and this
ALL Rules Apply to private messages (PM) as well as posts, or any method used on this site for communicating.  DO NOT break the rules in Private Messages!

Now... Some things I would like to point out:

1. You do not need a real email to sign up. Don't use a real one if you are not prepared with a "safe" email. Hide your email if you do not want members to see it! (The default is now to hide the email on registration)
-Suggested Reading:
Read and study this section of the forum: Law & Security

Pay attention to these (but be sure to read others!):
Maintaining your Anonymity Online
pics and prints- possibly a concern
Dont Talk to Police - Good Videos!
Be careful, image hotlinking is dangerous


2. This forum offers NO PROTECTION when it comes to privacy.
(That means PMs can be read by the hosting service, etc - follow the rules, they apply to PMs and exist for a reason! If you use this site
according to its rules there is likely no need to encrypt, but if you don't, you might want to encrypt stuff.

3. The Memoirs of Eleusis I am sure some of the members that used to be here *could* write a similar story - but they are not here anymore.


This site does not take responsibility in keeping/concealing users identities, information sent or anything else... it leaves that responsibility, or burden, on the users.  (Maybe someday this will change, when more able)

The Vespiary is on a server that is NOT in our possession. This can be accessed by other parties besides the site administrator. That is the hosting company, which is subject to the patriot act.

Rules
Disclaimer

Please mention ANY and ALL concerns in this thread that I have missed, that you would like to point out, or that you would like to emphasize again.

« Last Edit: May 02, 2011, 07:19:56 PM by Vesp »
Donate with 40+ cryptocurrencies HERE

It will automatically convert it to Monero &
be sent here: 423c1FAdzQKPQRZEnsK84vSff7M8hCZoR16dvBkzFev3PwEDpLhgneHYyscUgmyVtyXyjMgLjhpGiePKZks16iN95UwXUKk

Easy Client Side PGP key generator: https://pgpkeygen.com/
Improve privacy: https://www.privacytools.io/#about_config & https://www.privacytools.io
Free access to most scientific papers: http://sci-hub.cc/
Free access to many books: http://gen.lib.rus.ec/
Unread Topics

Offline The Lone Stranger

  • Dominant Wasp
  • ****
  • Posts: 288
  • THE SITE HERETIC and DEVILS ADVOCATE
    • YouTopia
Re: Read This!
« Reply #1 on: May 02, 2011, 07:39:29 PM »
Thanks for that i think that it is needed . What about a sticky that explains all the things a person can do to maximise their / our / your / the sites security ? One where people can write and discuss their ideas and the ones that are decided to be good / worthwhile get writen into the first post as they come up .

The reason for them being put in the first post is so that people dont get confused and / or insecure while reading the whole thread . I am sure from what i have read here that the ideas and info we have need clarifying and their advantages and disadvantages pointing out .

OK the ideas are all probably here but they are spread across to many threads and posts . Getting an over view and sorting the wheat from the chaff is then hard .
Je ne suis pas Charlie Fitna ....... Je suis Charlie

Online Vesp

  • Administrator
  • Founding Wasp
  • *****
  • Posts: 4,714
    • The Vespiary
Re: Read This!
« Reply #2 on: May 02, 2011, 07:50:47 PM »
Quote
Thanks for that i think that it is needed . What about a sticky that explains all the things a person can do to maximise their / our / your / the sites security ? One where people can write and discuss their ideas and the ones that are decided to be good / worthwhile get writen into the first post as they come up .

The reason for them being put in the first post is so that people dont get confused and / or insecure while reading the whole thread . I am sure from what i have read here that the ideas and info we have need clarifying and their advantages and disadvantages pointing out .

OK the ideas are all probably here but they are spread across to many threads and posts . Getting an over view and sorting the wheat from the chaff is then hard .

I would be very much for that  - and I will likely add new things to the post above, as I have with others as they get mentioned.

Quote
sorting the wheat from the chaff is then hard .
It is hard to also do in a post - I would be happy if someone wanted to take on that task - but if I must, I can work on that -- but there is always debate - A good example of this is TOR, some people think it is more or less a scam to get all of the "fish" into a shallow pond - but others think it is a good tool... currently there is no conclusive evidence AFAIK. So both sides need to me mentioned, as you said the advantages and disadvantages of each - but than it starts to become a rather long winded confusing post...
Additionally each person has a "Enough is enough" limit - some simply using a proxy is good enough, while others might go as far as proxy, open wifi, live disk, with a bought with cash laptop...

I guess I could say that it is not clear what is the wheat and what is the chaff.

I honestly feel that someone more into computer security than I should write such a thing - I could try to regurgitate what I have read/think I know - but I am surely not the most qualified to write such an article.

Donate with 40+ cryptocurrencies HERE

It will automatically convert it to Monero &
be sent here: 423c1FAdzQKPQRZEnsK84vSff7M8hCZoR16dvBkzFev3PwEDpLhgneHYyscUgmyVtyXyjMgLjhpGiePKZks16iN95UwXUKk

Easy Client Side PGP key generator: https://pgpkeygen.com/
Improve privacy: https://www.privacytools.io/#about_config & https://www.privacytools.io
Free access to most scientific papers: http://sci-hub.cc/
Free access to many books: http://gen.lib.rus.ec/
Unread Topics

Offline The Lone Stranger

  • Dominant Wasp
  • ****
  • Posts: 288
  • THE SITE HERETIC and DEVILS ADVOCATE
    • YouTopia
Re: Read This!
« Reply #3 on: May 02, 2011, 08:45:17 PM »
Thats exactly what i mean . I was thinking about the fors and against TOR and proxys and a few other things .The debates in the thread will of cource be heated and long winded . But after we all agree on the pros and cons the person who organised the first post should write the subject ..... for example TOR , what its suposed to do and the pros and cons in as few words as possible .
Je ne suis pas Charlie Fitna ....... Je suis Charlie

Offline salat

  • Dominant Wasp
  • ****
  • Posts: 276
  • Is it catnip yet?
Re: Read This!
« Reply #4 on: May 02, 2011, 11:31:49 PM »
I think if they want you there isn't a lot you can do to really protect your identity online.  Although I've known some people who took a good stab at it.

If you talk about stuff while it is progress you make an easy target. 

Being poor helps - I've noticed the DEA etc seems to be going more after the money busts these days.

The govt is smart so when they passed the forfeiture laws the way they did, they made a policing drugs a profitable enterprise for local depts.  To sweeten the deal they created HIDTA which is a program that combines Local LE (usually the hotshots get this plum assignment) with DEA agents.  As an added bonus, the local LE gets the officers position paid for by govt grants.

So you might not be big enough to attract Uncle Sam's attention, but if you are in one of the counties with a HIDTA team you might show up on their radar.  Anybody heard about the team that raided a guy and then played bowling on his nintendo?  He's still likely to go to jail and the officers got a slap on the wrist and retraining.  That's your tax dollars at work!

Salat

Salat

Offline psychexplorer

  • Subordinate Wasp
  • ***
  • Posts: 138
Re: Read This!
« Reply #5 on: May 03, 2011, 03:32:14 AM »
Tor is currently the most accessible, most convenient way of staying safe on sites like this. I would consider it a personal minimum level of connection security.

Eventually, we'll probably have to move into the .onion TLD either because government and hosts are too eager to enforce society's standards, to protect morons from their own lackadaisical security practices, or both.

When using Tor, be sure the remote site is SSL/HTTPS if you are communicating any sensitive data, as several Tor exit nodes have been caught sniffing and staging MITM attacks. These vulnerabilities do not apply to properly implemented SSL.

The criticism of Tor is largely inaccurate or inapplicable, but for the sake of the crowd's (drug boosted) paranoia, consider this: Tor is used by many much, much heavier people than are likely to post here. For these people, Tor attacks would make or break the case. For us, it would only be "helpful" to the pigs.

Because of this, the fact that Tor could hypothetically be broken (alleged) would be much too valuable to let slip in the course of busting up a clandestine lab. I doubt "they" would let that gem slip (if it were true) even if it meant they could take down everybody on the Hive back in the glory days.

This is the corollary to the old "the NSA can break [strong cryptography] X." This has been applied to RSA, DSA, AES, the list goes on. If they could, as the discussion goes, they're certainly not going to tip their hand doing it to drag a music pirate into court.

Locals and computers? Forget about it.

Offline Shake

  • Dominant Wasp
  • ****
  • Posts: 283
Re: Read This!
« Reply #6 on: May 03, 2011, 04:40:50 PM »
i turn my tor on here and it the net wont work! nothing loads up ect..


Offline lugh

  • Founding Wasp
  • *****
  • Posts: 952
Re: Read This!
« Reply #7 on: May 03, 2011, 05:25:20 PM »
Your browser isn't configured properly:

h**ps://www.torproject.org/docs/documentation.html.en

clearly you're presently incapable of helping yourself  8)
Chemistry is our Covalent Bond

Offline The Lone Stranger

  • Dominant Wasp
  • ****
  • Posts: 288
  • THE SITE HERETIC and DEVILS ADVOCATE
    • YouTopia
Re: Read This!
« Reply #8 on: May 03, 2011, 05:47:41 PM »
Salat .....when your old man pops off please PM me......... LOL.......

To TOR . How does one get into it and what protects the comunication between client and the network ? The same for that onion wotsit bit ? And poxys........Oooops !!! sorry proxys.........What stops the pigs from scaning the users in and out traffic and rideing piggy back ?

Lugh why is it that very often i cant get in here and post useing a proxy ? Up untill i joined this site and W.D.R. proxys worked very well for me .



Je ne suis pas Charlie Fitna ....... Je suis Charlie

Offline The Lone Stranger

  • Dominant Wasp
  • ****
  • Posts: 288
  • THE SITE HERETIC and DEVILS ADVOCATE
    • YouTopia
Re: Read This!
« Reply #9 on: May 03, 2011, 11:44:31 PM »
"clearly you're presently incapable of helping yourself  "

I have been thinking about that since i read it . Would you have the kindnest to explain that comment please . I ask because if one of my kids said anything like that to someone else i would think that they have a personal problem with the person they are talking to and would feel a little bit like i had failed as a father .

Am i missing something or is that a snoty comment that isnt worthy of a global moderator ? If i am i am sincerely sorry but i`d still apreciate it if you would explain to me . Have i missunderstood ? Have i missed something ?


Je ne suis pas Charlie Fitna ....... Je suis Charlie

Offline psychexplorer

  • Subordinate Wasp
  • ***
  • Posts: 138
Re: Read This!
« Reply #10 on: May 04, 2011, 12:32:42 AM »
Salat .....when your old man pops off please PM me......... LOL.......

To TOR . How does one get into it and what protects the comunication between client and the network ? The same for that onion wotsit bit ? And poxys........Oooops !!! sorry proxys.........What stops the pigs from scaning the users in and out traffic and rideing piggy back ?

Lugh why is it that very often i cant get in here and post useing a proxy ? Up untill i joined this site and W.D.R. proxys worked very well for me .


Torbutton for Firefox plus the Vidalia bundle, regardless of platform. Specific platforms have fully integrated packages. For Windows, OSX, and GNU/Linux, there are both standalone browser bundles as well as Vidalia/Torbutton installation bundles. GNU/Linux (depending on distribution) also has the option of pulling binaries directly from the Tor repos, which is preferable for reasons of convenience, fast updates, and end-to-end code signing. See the Tor site for more info.

The general idea behind Tor's anonymity (not connection security, you need SSL for that) is that all data is randomly mixed around and sent through multiple relays, with each intermediate not knowing if it is speaking directly to the source, before the data finally leaves the Tor network through an exit node. The exit node can deny being the origin, as it is an exit node. Furthermore, the intermediate relay can also deny being the source, as that is the nature of the Tor network, and so on back through the chain.

Think of it like unmarked bills. Each person handling an unmarked bill only knows who they got it from and where they spent it - not where the bill actually originated. With Tor, though, strong cryptography ensures that the data can be passed to and from the destination anonymously by keeping each node in the dark but for those with which they communicate directly.
« Last Edit: May 04, 2011, 12:35:31 AM by psychexplorer »

Offline The Lone Stranger

  • Dominant Wasp
  • ****
  • Posts: 288
  • THE SITE HERETIC and DEVILS ADVOCATE
    • YouTopia
Re: Read This!
« Reply #11 on: May 04, 2011, 01:15:25 AM »
Thanks . Lovely reply .......BUT ....... i`m still puzled ....... i see that once a person is in the network hes safe in the network but i still dont understand how all that would help someone if the pigs were interested in him and were monitoring his traffic ? I mean to go into any form of secure line to anyone there must surely be a key that has to be exchanged between the original poster and the entry point to the TOR network ? So if the pigs were watching him they would have that too and they could very easily follow everything that was sent back and forwards . What i mean is for example when someone uses a wifi network all i have to do is to zap the router so it shits out . Then i start my router pretending to be it and connect to it when it turns back on as one of the network users . That network user when he turns on then conects to my router thinking its the origibnal one and i can watch everything thats comeing in and out and surf as the user . I am tired so i hope i explained what i mean well . Whatever what i`m trying to say is posible and very easy coz i`ve done it and from my way of thinking the pigs if they wanted to could do something similar with the conection between the client and the tor network . OR in another way just like useing a wire tap to tap someones fone and through that be able to watch all the incomeing and out going traffic . OR say like PGP . To use it two people have to exchange a key and untill they do nothing is private . So if i`m watching i can see the key and therfore be able to follow everything thats goin on ?

To be honest i`ve been following TOR since it started and i`ve used it . I`ve also been looking at all the reports about it that i have seen . From what i`ve read TOR is good for keeping a clients IP safe after the comunication enters the network and comes out at the other end BUT the comunication between the client and the entry point isnt safe ?

If that isnt clear or i`m talking crap can you or anyone please explain  . Thanks .
Je ne suis pas Charlie Fitna ....... Je suis Charlie

Offline salat

  • Dominant Wasp
  • ****
  • Posts: 276
  • Is it catnip yet?
Re: Read This!
« Reply #12 on: May 04, 2011, 02:19:24 AM »
Hmmm, the DEA maybe but not your average local cop.  Typical dept has maybe one or two who can do computer forensics.  They might pull all the stops out for someone who presents a good target like Strike, but most on here don't warrant that kind of effort.

I think if they did something like the swap out of the network they'd have to have a warrant.  More likely is someone getting busted and his hard drive confiscated and then they can find your messages and use that as additional evidence.  But even that kind of thing is expensive so you need to have some assets they can take to pay for all of it.

When I worked for the military getting a secure network was just really a bitch.  There were tokens and fancy rooms you had to go into for typing up secret stuff, but I think security on the internet is an illusion and could give you a false sense of security to say dumb stuff.

Lord knows I have....

Salat
Salat

Offline lugh

  • Founding Wasp
  • *****
  • Posts: 952
Re: Read This!
« Reply #13 on: May 04, 2011, 02:29:33 AM »
The key section of the TOR design specification:

The Tor Design
The Tor network is an overlay network; each onion router (OR) runs as a normal user-level process without any special privileges. Each onion router maintains a TLS [17] connection to every other onion router. Each user runs local software called an onion proxy (OP) to fetch directories, establish circuits across the network, and handle connections from user applications. These onion proxies accept TCP streams and multiplex them across the circuits. The onion router on the
other side of the circuit connects to the requested destinations and relays data. Each onion router maintains a long-term identity key and a short-term onion key. The identity key is used to sign TLS certificates, to sign the OR’s router descriptor (a summary of its keys, address, bandwidth, exit policy, and so on), and (by directory servers) to sign directories. The onion key is used to decrypt requests from users to set up a circuit and negotiate ephemeral keys. The TLS protocol also establishes a short-term link key when communicating between ORs. Short-term keys are rotated periodically and independently, to limit the impact of key compromise. Section 4.1 presents the fixed-size cells that are the unit of communication in Tor. We describe in Section 4.2 how
circuits are built, extended, truncated, and destroyed. Section 4.3 describes how TCP streams are routed through the network. We address integrity checking in Section 4.4, and resource limiting in Section 4.5. Finally, Section 4.6 talks about congestion control and fairness issue

Cells

Onion routers communicate with one another,and with users’ OPs, via TLS connections with ephemeral keys. Using TLS conceals the data on the connection with perfect forward secrecy, and prevents an attacker from modifying data on the wire or impersonating an OR. Traffic passes along these connections in fixed-size cells. Each cell is 512 bytes, and consists of a header and a payload. The header includes a circuit identifier (circID) that specifies which circuit the cell refers to (many circuits can be multiplexed over the single TLS connection), and a command to describe what to do with the cell’s payload. (Circuit identifiers are connection-specific: each circuit has a different circIDoneachOP/ORorOR/OR connection it traverses.) Based on their command, cells are either control cells, which are always interpreted by the node that receives them, or relay cells, which carry end-to-end stream data. The control cell commands are: padding (currently used for keep alive, but also usable for link padding); create or created (used to
set up a new circuit); and destroy (to tear down a circuit). Relay cells have an additional header (the relay header) at the front of the payload, containing a stream ID (stream identifier: many streams can be multiplexed over a circuit); an end-to-end checksum for integrity checking; the length of the relay payload; and a relay command. The entire contents of the relay header and the relay cell payload are encrypted or decrypted together as the relay cell moves along the circuit, using the 128-bit AES cipher in counter mode to generate a cipher stream. The relay commands are: relay data (for data flowing down the stream), relay begin (to open a stream), relay end (to close a stream cleanly), relay tear down (to close a broken stream), relay connected (to notify the OP that a relay begin has succeeded), relay extend and relay extended (to extend the circuit by a hop, and to acknowledge), relay truncate and relay truncated to tear down only part of the circuit, and to acknowledge), relay send me (used for congestion control), and relay drop (used to implement long-range dummies). We give a visual overview of cell structure plus the details of relay cell structure, and then describe each of these cell types and commandsin more detail below.

[17] T. Dierks and C. Allen. The TLS Protocol — Version 1.0. IETF RFC 2246, January 1999.


Thus there is encryption except at the exit node, so unless one is using SSL or a TOR hidden service there is a possible issue of vulnerability  :P  The paper published by the developers is attached, when members edit their posts to remove the evidence of what they typed because they're inebriated it might look like harshness but what is being done is what's best for the membership  :-[ It's this sort of nonsense that contributed to the end of the Hive  8)
« Last Edit: May 04, 2011, 02:31:29 AM by lugh »
Chemistry is our Covalent Bond