This was posted here before but the thread got deleted, likely because it was filled with bullshit drama that we don't want here. I think this is a good website and worth checking out though. It is all about techniques and technology, nothing illegal takes place here and it isn't for sourcing per se, but it has loads of information on how to be safe if you do source. Take it for what it is worth, I am sure some will like it =). http://blackopsecurity.net/wiki/index.php/Main_Page
I didn't open this at first because I thought it was the security thread from a few months back. Thanks though, this site will probably help me clear up a few things! Their page on Tor [http://blackopsecurity.net/wiki/index.php/ToR] was useful.
Some of that stuff is outdated. As far as encryption goes, encryption is useless, don't kid yourself. If they want to read what you're saying they're gonna do it no problem. It's about as stupid as people saying "SWIM" instead of "I", as if that would have any weight in court (it wouldn't). If you want to protect yourself: learn how to scan for and pirate wireless signals. Cruise around your town and mark (IN YOUR MEMORY) all the hot spots with unsecured open wireless signals (99% of people don't secure their home's wireless signals, searching residential neighborhoods is best - commercial businesses tend to secure their signals much more often). Get a laptop and remove the wireless card if it has one built in. Purchase a USB plug-in wireless card/modem and use that by plugging it into the laptop's USB port. Find several secluded areas in quiet public parks and dig small holes in the ground and embed small airtight and waterproof containers into the holes and conceal the surface disturbances (cutting a flap into a sheet of moss and carving a hole underneath then filled with the box and the flap pressed down works good). Drive to a signal location and park as far away as you can still within the range of the signal. Each time after doing your communications remove the USB wireless card/modem, wipe it down for prints, and place it into one of the waterproof airtight containers pre-buried in a wooded area in a quiet PUBLIC park. Make sure to camouflage any surface disturbances, and alternate the storage compartments every time (have as many underground storage units as you can in as many parks as you can across your city). NEVER PUT THESE ON YOUR OWN PROPERTY OR ANYONE ELSE'S PRIVATE PROPERTY, MUST BE PUBLIC PROPERTY. Each time you're ready to engage in sensitive communications retrieve the USB wireless device. This makes it impossible to trace an IP number no matter what.
By using the USB wireless device instead of the computer's internal device and keeping it hidden separate from the computer, it makes it impossible to link the unique ID number sent from an internet device to the computer in question. By removing the computer's built-in wireless device, in court it gives the accused the grounds to say that their computer was not capable of wireless internet communications - turning the prosecutor's own evidence (seizure of the computer) against them. When communicating with associates, use the same email address and rather than send emails to each other, login to the shared email address, write the email, then click "save to drafts" and address the email title to the receiver and have it saved into the drafts folder rather than sending to a different email address. This prevents movement of the information out of the host server thereby massively reducing the chance for interception. By sharing an email account the two parties involved can also ensure the other party has deleted all emails after reading them, and in the event one party was arrested and the other was aware of this, they can change the email account's password and then close the email account to prevent entry should the partner try to cooperate with authorities. This only pertains to certain people here maybe 0000.1% certain vendors who have been going at it for years, and have the time and $$ to do such things
Always wondered this -- Wouldn't it be better to just say "My Friend" instead of I and SWIM altogether? Or even better yet, "I seen this TV show where this guy" and then follow a bullshit story context. Yay? Nay?
Don't all you noobs start some dumb SWIM bullshit on this forum. We don't use that stuff. SWIM is retarded and so is burying a fucking USB cable in a water proof material... Binary Shadow is old skool and knows what the fuck he is talking about kids, trust me. He posts this shit every now and then to make sure you guys are not wasting time burying cables.
lmao, I'd love to hear how the encryption methods used in these tutorials are out-dated. Also you can check out the forum (linked to from the wiki) to see upcoming better alternatives, etc. At the time of writing (about 6 months ago) these were the most advanced (while maintaining good usability, e.g. not mixminion). There are plenty of loopholes in encryption (keys stored in RAM, flash freezing the RAM, careless mistakes, but all can be prevented). Also - SHARING AN EMAIL ACCOUNT WITH A VENDOR IS VERY BAD. There are major flaws in doing this.
I never understood why people freak out over security to the point of setting up fake names, addresses, etc. Unless you're into some heavy shit where you're a major distributor of a clearly illegal substance that's high on the DEA watch list, you probably have nothing to worry about. The cops aren't reading your mail, combing through your internet records, or watching your house if you're doing stuff in the comfort of your own home and aren't blatantly throwing it around for people to see and comment on. Also, most every vendor I know of is out of the country. Which means that if the Feds really did want to fuck with you they couldn't subpoena any records from that company anyway. Does anyone know how many cases have been tried with people using research chemicals in America? I only know of two. Both of which helped set up the precedent for the Analogue Law and were AGES ago. Obviously, be safe, but paranoia just helps the police state keep its white-knuckled fist wrapped around you.
Setting up fake names/addresses etc. is not so necessary if you're small time ordering analogue chems, but Tor and GPG are super easy to set up and use. I don't see a reason not to use basic safety.
Yes, in a typical customer/supplier relationship this may not be the best idea, however this is meant for established relationships, re-shippers and what have you. As I stated earlier: "When communicating with associates, use the same email address and rather than send emails to each other, login to the shared email address, write the email, then click "save to drafts" and address the email title to the receiver and have it saved into the drafts folder rather than sending to a different email address. This prevents movement of the information out of the host server thereby massively reducing the chance for interception. By sharing an email account the two parties involved can also ensure the other party has deleted all emails after reading them, and in the event one party was arrested and the other was aware of this, they can change the email account's password and then close the email account to prevent entry should the partner try to cooperate with authorities. This only pertains to certain people here maybe 0000.1% certain vendors who have been going at it for years, and have the time and $$ to do such things"
These discussions are difficult to have because so much technical information is involved, as well as having to look at and evaluate different perspectives of the same problem. Also, one needs to clearly identify an adversary. Because truth of the matter is, much of the world is under so much surveillance (USA, UK, Sweden and Germany especially) that it is almost always a question of "how much do they want me" versus "can they get me".

Q. Is GPG modern encryption?

A. No, but it is strong encryption. GPG uses the RSA and Elgamal algorithms, which are not cutting edge in bit strength. A 364 bit ECC asymmetric key is about as strong of encryption as a 14,000 bit RSA key. GPG allows for keys up to 4,096 bits. A 764 bit RSA key has been factored, it took a distributed super computer and years of time. This means the weakest key size most implementations of GPG support by default is only strong enough to protect you from a concentrated effort of a super computer for a few years. 1,024 bits is the lowest key size considered to be safe anymore, and it is probably going to remain unbreakable for ~ten years or longer is the guess of most experts. Most people I know use 4,096 bit GPG keys, and that is certainly strong enough against classic supercomputers available today (and likely any available for the next century, according to Moore's law increases in CPU power). A powerful quantum computer will break ECC or RSA keys trivially, but quantum computers capable of this are either: not actualized and not possible, not actualized but possible, or actualized and in the realms of military intelligence / classified. Not very worrying for us.

Is strong encryption out-dated / broken / worthless?

Short Answer: No!

Medium Answer: No, as long as it is used correctly. Against FDE there are flash freeze attacks on the RAM chips, non-physical RAM dump attacks, evil maid attacks.
Against many sorts of cryptosystems there is also the worry of key loggers of various sophistication (from software key loggers to highly sensitive electromagnetic receivers great distances away picking up signals which are analyzed with frequency charts).

Long answer: No, as long as it is used correctly and you understand its limitations. One thing that not many people realize is what I consider to be an implementation flaw in most communications encryption. I will use Skype streaming voice encryption as my example, but the same attack can be done against SSL, encrypted VPNs, etc. When you communicate over the internet, the data you are sending is broken up into packets. 1,500 bytes is the maximum size of a TCP packet. So if you are getting a 3 kb file, it will be in multiple packets obviously (it can't fit in one). Things like voice are broken up into many thousands of packets when you use VOIP services, and the packets are streamed to their destination. With a system like Skype, the voice can be encrypted. This encryption is done on the packets. Now you may think that if you are communicating with someone with encrypted VOIP, nobody observing the traffic can tell what you are saying. I would say almost everyone would think this, even most professionals. But the truth is, the packet size and timing data can leak a LOT of information about the conversation. Certain languages result in different patterns of packet sizes. Even though the packets are encrypted, their size and timing data over the duration of the stream creates a fingerprint. This packet fingerprint can be analyzed to determine the language being spoken over a streaming encrypted VOIP conversation. This attack has gotten so good that people can pick out certain words and phrases from an encrypted data stream, merely by looking for the packet size and timing patterns of the encrypted packets.
The encryption is not being broken, but the attacker is getting around it (a side channel attack if you will) to learn information about the conversation. Naive Bayesian classifiers and hidden Markov models can be used by an attacker to break a great many anonymizers (proxies, encrypted VPNs), by performing traffic analysis on the communications stream (even if it is encrypted, even if SSL is used). An SSL website can be identified with near 100% accuracy, SSL does not protect against traffic analysis. The adversary may not be able to see your credit card number or the post you type, but they can analyze SSL encrypted data and determine with high probability where the encrypted data came from. These two sorts of attacks together can be really devastating: packet size and timing analysis ('blackbox netflow') to "peek behind" streaming encryption, and Bayesian classifiers / Markov models to determine where the encrypted information came from in the first place (with very high accuracy following a training period). A paper from late 2009 shows that Tor does a decent job defending against traffic classifiers (3% accuracy, versus near 100% for normal proxies, and 40% for multi-hop encrypted VPNs / cascades). But in reality, Tor probably only does so well against the attack because the attack has not been honed for Tor's cell quantization. It is likely that the accuracy will increase greatly if the adversary does this, but by how much is anyone's guess. As of now though, Tor is one of the only anonymity solutions that will protect against these sorts of attack. Traffic padding and morphing can be used to greatly decrease the efficiency of all of these attacks, but hardly anything uses morphing or padding because of the difficulties and expenses of both.

A. Is using cracked wireless networks a good idea?

Short answer: Yes.

Medium answer: Yes, but make sure you know what you are doing.
Spoof your MAC address, don't use static locations (mix up the physical location you connect from), avoid cameras.

Long answer: Yeah, but it is questionable just how much it helps. Against a trace at a future date, it will help you a ton. If you use a cracked wireless network to go to a website, and then two months later some adversary tries to trace you down: they are fucked. If you are frequenting a server that is under surveillance, contacting undercovers via email, or have an active operation going against you: maybe you are still fucked. WiFi signals can be traced back to you. The adversary doesn't even need fancy directional antennas, they can use what are called 'simple sensors'. Check out the paper: Modern traffic analysis and its capabilities for more details on these. But pretty much, they can locate the source of your WiFi signal (ie: you) down to your location with scarily high accuracy. And they can use simple sensors (costing very little) to monitor wide swathes of geographic area (10 mile radius per simple sensor is not far fetched). If they detect your general geographic region (there are many scenarios in which this can be done, too many to explain), they could reasonably set up sensors to cover that area. Even if you rotate access points, as long as it is near enough one of your old ones to fall within the sensor's radius, you could be fucked. So WiFi is not a magic shield that will keep you safe no matter what, even if you are using it from dynamic locations selected from a large geographic region. Eventually they will find you if they want to, even if you use WiFi. I would say WiFi is slightly better anonymity than Tor. Using Tor and WiFi together is probably the best anonymity you can hope for short of mixminion / mixmaster + WiFi. Also, if you can use open WiFi or crack WEP/WPA to use an access point, a malicious person can sniff open WiFi signals / crack the WEP/WPA to eavesdrop on your communications.
Even if there is extra encryption (such as using encrypted VPNs) keep in mind that packet size / timing + Bayesian classifiers / hidden Markov model attacks can be done on the data as it streams through the airwaves to get a fairly good picture of what content you are accessing, and how you are interacting with the content.

________________

Now at the risk of looking like a paranoid schizo to the less technically aware ;-) ... The question at this point is more, how much do you need to worry about the adversary doing such attacks against you? Well, you probably do need to worry if you are an American. Because in America almost all traffic on the internet is subject to these sorts of attacks, passively. NSA and possibly lesser agencies have splitter boxes installed at most major peering points (IXes / exchange points) in America. They 'split' the fiber optic backbones of the national internet/telephone system. They do this in such a way that a mirror image of the data on the backbone is 'siphoned' away. They gather nearly all the data flowing through the telecommunications backbones in America, and they analyze all of it with NarusInsight super computers. Much information on this is classified, but it is highly likely they are using Bayesian classifiers and similar techniques to analyze the traffic. They also are creating large network maps of how the communications flow over the telecommunications networks. They don't need warrants for either of these activities due to poorly worded wiretap laws (and the general lack of public awareness of the technical details of how their mass surveillance systems work). So the question is not: do you need to worry about this. The question is "are they looking for you?".
Right now I am guessing NarusInsight is probably being used mostly to keep an eye on the entire internet for such things as classified documents or images being leaked, detection of terrorists attempting to communicate, analysis of encrypted Arabic VOIP calls (remember, they can detect language, and even key phrases and words of VOIP communications, even through military grade encryption via packet size/timing analysis etc). So pretty much spies and terrorists. But who knows how long it will be before FBI decides to use the system to warrantlessly scan all telecommunications for mentions of drug dealing and buying? Then their super computer can add a little tick next to your name every time you say "buy coke" on the phone (and even if it is encrypted you are fucked unless the packets are morphed or padded which they will not be), and then after you get 500 ticks from the super computer's analysis an actual agent gets your name on a list. This is not as far fetched as you would hope or imagine, they are already doing it against terrorists (I wonder how many times you can say president or bomb on the phone before you are automatically added to a list), what's to stop them from doing it against big time drug dealers? Hell, what's to stop them from doing it against every drug buyer and user in the country and adding all of the information to some datamining style database for use in the future whenever they please? They don't need a warrant for any of this and the technology to do it is already in place and being used to stop terrorists. Nearly all Americans are under some level of surveillance (USA, as well as Sweden, Germany, UK, are clearly electronic police states). There are many levels of surveillance, and most of them are managed by super computers analyzing telecommunications / data mining / social networking. The goal is to stay low enough under the radar that you don't get to the point where actual humans are involved.
Here are sources for all the information I have talked about, so you can see for yourself that I am not a conspiracy theorist talking out my ass, and I actually understand the issues I am discussing ;-):

CIA invests in massive social networking surveillance: www.globalresearch.ca/index.php?context=va&aid=15827

Language/phrase identification of streaming encrypted VOIP: cs.unc.edu/~fabian/papers/voip-vbr.pdf

What is data mining?: http://en.wikipedia.org/wiki/Data_mining

The super computer used to analyze nearly all telecommunications that pass through USA: http://en.wikipedia.org/wiki/Narus

The splitter box room of a major AT&T backbone exchange center: http://en.wikipedia.org/wiki/Room_641A

Techniques used to perform mass surveillance on the entire internet: www.blackhat.com/presentations/bh-usa-09/TOPLETZ/BHUSA09-Topletz-GlobalSpying-PAPER.pdf

The whistle blower who brought public awareness of the internet monitoring being performed by NSA/FBI: en.wikipedia.org/wiki/Mark_Klein

Techniques in modern traffic analysis, including tracing of WiFi signals: www.cs.uml.edu/colloquium/2009f/index.shtml

Traffic analysis via packet size and timing characteristics, and how multiple anonymity networks hold up against it: http://www.freehaven.net/anonbib/cache/ccsw09-fingerprinting.pdf

Bayesian traffic classification: http://conspicuouschatter.files.wordpress.com/2009/08/ccsinfer1.pdf
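
The packet-size leak and the padding defence discussed in the post above, as an added example that is not part of the original thread or of any project's code. The sample packet sizes, the 16-byte overhead and all function names are constructed assumptions, and it models sizes only: hiding timing would additionally need constant-rate sending.

```python
# Added example, not from the thread: what an on-path observer can tell from the
# sizes of encrypted packets, and what fixed-size padding costs to hide it.

# Constructed sample data: payload sizes (bytes) a variable-bit-rate voice codec
# might emit for three utterances. b and c carry the same total number of bytes.
SAMPLE_STREAMS = {
    "utterance_a": [23, 41, 41, 58, 23, 33],
    "utterance_b": [58, 58, 33, 23, 41, 23],
    "utterance_c": [33, 23, 23, 41, 58, 58],
}

OVERHEAD = 16  # assumed constant per-packet overhead added by encryption


def observed_lengths(payload_sizes, pad_to=None):
    """Sizes visible on the wire. Encryption hides content but keeps length
    (plus a constant); pad_to rounds each payload up to a multiple of a cell."""
    out = []
    for n in payload_sizes:
        if pad_to:
            n = -(-n // pad_to) * pad_to  # ceiling to the next cell boundary
        out.append(n + OVERHEAD)
    return out


def distinguishable(streams, pad_to=None):
    """Number of distinct size fingerprints; 1 means sizes reveal nothing."""
    return len({tuple(observed_lengths(s, pad_to)) for s in streams.values()})


def candidates(trace, streams, pad_to=None):
    """Utterances consistent with an observed trace (the anonymity set)."""
    return sorted(name for name, s in streams.items()
                  if observed_lengths(s, pad_to) == list(trace))


def padding_overhead(streams, pad_to):
    """Extra payload bytes sent because of padding, as a fraction of the original."""
    raw = sum(sum(s) for s in streams.values())
    padded = sum(sum(observed_lengths(s, pad_to)) - OVERHEAD * len(s)
                 for s in streams.values())
    return padded / raw - 1


if __name__ == "__main__":
    for cell in (None, 32, 64):
        cost = padding_overhead(SAMPLE_STREAMS, cell) if cell else 0.0
        print(f"cell={cell}: {distinguishable(SAMPLE_STREAMS, cell)} fingerprints, "
              f"{cost:.0%} extra bytes")
```

A 32-byte cell still leaves all three traces distinct while already costing bandwidth; only a cell at least as large as the biggest payload collapses them, which is the expense the post refers to.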