Computer Security (AKA: prepare yourselves for more underground forums)

Discussion in 'Synthetic Drugs' started by binary shadow, Dec 16, 2008.

  1. ODB

    ODB Member

    I don't trust any of the private invite boards I have become a member at so far. Seems to me that they are set up and run by people who run a legit company to validate their credibility then scam with another account. I have been ganged up on at a board and it seems kinda fishy to me. I guess some questions I ask hit a little too close to home for them.

    Ex: I say that I feel Sony isn't a trustable company because their products look cheaply designed and made from cardboard so I wouldn't order.

    Would that hurt Sony in any way?
    Would that keep you from ordering?
    Would you care that I posted that comment about Sony?

    Anyways I would be careful of a private board while surfing its pages. There is a lot of good info to be found, it's just if you can see the patterns of how a scam works. I have been scammed in real life a few times for large and small amounts so I am able to see them coming fairly easily now. There are equations to a scam, it's like a magic trick so pay attention to what's going on.
     
  2. binary shadow

    binary shadow Visitor

    Sources usually are not traded so much as they are stockpiled on the private source forums. There are sure a lot of scam forums though so do be safe.

    I like your idea for a source trading module though. I was thinking one good feature to add is a simple social network analyzing algorithm that can help the administrators know where to focus attention. It is a complex project requiring AI, and purely theoretical with no solid plans to be directly applied.

    Example: A common technique that would be used by an infiltrator looking to compromise the individual group members' security would be to set up deals or trades with a lot of the members in private and then create a database of addresses. A way to detect this would be to have the option for orders to be authenticated with two signatures prior to completion, and the server could scan for patterns, for example if someone tried to set up a ton of deals at once the algorithm might detect this and show it as suspicious behavior. Actual deal information would not be recorded, just a record on the server that keyID1 and keyID2 both signed a small token saying they did some sort of transaction.

    Could also allow for user feedback on each transaction (transaction being a neutral term, no evidence of a crime would be stored) and a sliding scale score for each member. The algorithm could analyze invite patterns with scammers, for example if there are two scammers and both are two hops away on an invite tree from one person, there may be reason to believe this person is running scams by proxy. This is hard to identify on forums, but an algorithm could easily detect it.

    Also my possible favorite is, when people write shit they tend to misspell the same words, and even if they don't misspell words they tend to use the same phonetic structures. If users have the ability to teach the server each other's unique typing traits as time passes, the server could get better and better at detecting typing pattern changes between person1 and someone on person1's computer pretending to be him. Not a decider in scores, but just another straw to the pile that determines how the algorithm views them.

    Another thing I like is a delayed message service. One of the main ways people are busted is when they go to get a package or right after the package is delivered in a controlled delivery. If people know they have a package coming, they should be able to create an encrypted block with their username, fingerprint, keyid inside as well as the date the message was made and the date and time the person suspects to get their shit. The person can upload the message to the server for delivery to another person at a certain time. For example person1 has a bunch of 2c-b in a fake ID mail box, he knows he is going to the PO box place then right back home, he also knows there is a slim chance he will get busted. He knows it will take him at the most four hours to get there and back. So he makes a message saying hey there is a good chance I got busted in a 2c-b pick up, I was getting from so-and-so etc. Then he tells the server to send the message to one of his friends in four hours. If he gets busted at the mail box he won't be back in four hours and the message will go out, sending warning to those in the group. If he does get back before 4 hours are up, he can delete the message off the server and no one will ever know he was out getting shit.

    These are just the algorithms I can think of off the top of my head. I really think a good social network analyzing program should be implemented into programs like this though, because they make it a lot easier to identify behavior similar to that used by scammers / feds. At the very least I suspect they would point in the right direction, and give a bit extra warning time than normal.
     
  3. ydl

    ydl Member

    I know but I am sure trading has its uses.
    The whole trading idea started as a way to trade exploits between hackers I think (the whole forum started as a way for them to communicate securely). In those circles, knowing that a certain vulnerability/exploit exists can easily be the same as having the exploit itself. It's hard to give enough information to others so that they can decide whether they are interested in it or not without giving away too much so they can find it on their own.

    With vendors, it's easier. It would look like this: the third party (let's call him the validator) puts out the cryptographic hashes of every source he has. The participants put out a list of the sources they have and are willing to trade (some info about the carried products and the hash of the vendor) and what they are looking for. They browse each other's lists and, after probably some more arrangements, agree to trade (let's say person1 agrees to give source1 to person2 for source2 in exchange). They contact a validator who has both source1 and source2 in his list of vendor hashes, and he verifies that the requirements are met (what person1 and 2 agreed on). Then they exchange the unhashed vendors.

    I like this but wouldn't it be more useful in detecting if person1 and 2 are the same? Also, it should be moved to client-side, the server should have no idea about the contents of the threads/messages. The more trusted users (members of the most groups, having access to more posts) could use this more efficiently.

    This one is neat too.

    While I like the idea, I think it can be dangerous to build and keep databases like those (complete social networks, transaction lists, even invitation trees). If you are going to do that, you need to be extra careful with the design of the system.
     
  4. xblayde

    xblayde Member

    I thoroughly enjoy reading this internet security thread. Being a paranoid, overly-safe person myself this has been some of the most comforting and useful information I've ever read.
     
  5. binary shadow

    binary shadow Visitor

    Ah yes it would need to be client side, I don't know what I was thinking. All the messages would be encrypted on the server anyways so it wouldn't work server side at all. That's what I get for making posts when I am too stoned haha.

    The delayed PM feature would come in major handy I think, usually when someone gets busted people don't even start to think about the possibility that they got busted for days, up to a week sometimes, and even then we usually have no idea who they did their last transaction with. With the delayed PM system, we would have first alerts of a possible bust probably within a few hours after it happened, and a good first guess of someone to keep an eye on. And the longer it takes the more suspicious we would be and the more precautionary measures we can take.

    And I agree it is very dangerous to keep social networking systems and transactions. I am trying to think of a way it can be done but not allow for patterns to be analyzed in a way that could hurt people's security. For example, at first the delayed PM was an idea where two people completing a transaction have one person upload a signed string and then the other set a timer saying if the string isn't signed by them in X time to sound an alarm. But that isn't good because then person2 would know when person1 is going to check their PO box. So we changed the idea to a delayed PM, no one would know when person1 was going to check their PO box unless person1 probably got busted checking their PO box. Timed PMs can also be used to hinder time analysis of when PMs are sent being used to construct probable geographic maps of members (people tend to be up in the day and asleep at night usually, delayed PMs could make it so you appear to be up whenever you want to be).


    Hmm as for the writeprint analysis it is really probably overkill, but keep in mind everything in this post and my last post are purely theoretical things I am thinking of right now. The base system I discussed earlier however is already in the first stages of development and coding.

    Nice to know you know of a similar project, maybe we can share ideas and make them both stronger.
     
  6. ydl

    ydl Member

    I was pretty sure that mind-altering substances were involved :).


    It would indeed be very useful. I'm thinking about possible implementations and some interesting issues already surfaced. For example, would the client keep the delayed PM and send it if you don't delete it in time, or would it forward the request to the server immediately and let the server take care of it? The client side is more prone to malfunctions, power failures and so on (and also hard to do if you're using public wifis to access the board). If it was stored on the server then the admins would know something is happening (like picking a package up).

    It sure wouldn't be top priority but it's interesting nonetheless.

    I hope both projects turn out well.
     
  7. binary shadow

    binary shadow Visitor

    Yes the admins might know something is up, but if people frequently send delayed PMs when they are not getting packages then the package based delayed PMs would not stick out.
     
  8. binary shadow

    binary shadow Visitor

    Little blueprint if anyone is interested.






     
  9. Severely stoned

    Severely stoned Senior Member

    Point is, the government is stronger, bigger, faster, and has more resources.
     
  10. binary shadow

    binary shadow Visitor

    But encryption makes use of one way functions. An adult mother is bigger, faster, smarter and has more resources than her toddler. But it is far easier for a toddler to smash a plate to bits (one way function, similar to encrypting a message) than it is for that mother to put the tiny fragments of plate back together exactly as they were before (similar to cracking an encrypted message).

    The fastest computer in the world can calculate around 2^24 things per second. A 512-bit encryption key has 2^512 possible keys.

    Trying 2^24 keys per second, it will take 7 followed by 55 zeros worth of seconds to brute force.
     
  11. pushit

    pushit One jive Motha Fucka

    Let the Govt. look at what I say, they have no reason to spend millions to bust a guy like me. They want the dealers and terrorists.
     
  12. zihger

    zihger Senior Member

    The way I see it, it is like a big 420 smoke-in or rainbow gathering: it is kind of illegal, they know it is going on, but it is not worth the time and resources for them to bust tens of thousands of people for something that is semi illegal.

    But they are watching and they do bust people from time to time.

    Who do they bust? People that attract attention..

    So you can put on a Ninja suit but the ninja suit will probably attract more attention than everyone else.

    You can use a proxy to write emails but you still have to get stuff in the mail (your name…)..

    Personally I wouldn’t rent P.O. boxes under fake names (felony) to get a gray area chemical in the mail (semi illegal probably won’t get fucked with).

    If you are getting straight up scheduled stuff in the mail, good luck playing Russian roulette.
     
  13. binary shadow

    binary shadow Visitor

    The mistake I personally see with your logic (in my opinion, this is totally opinion based really although I believe my opinion is supported with facts) is that you think they bust people who attract attention. In my perspective of what I have seen over the years, it's not so much the people who attract attention who get busted as it is the people who take no security measures.

    I also wouldn't get a PO box for an analog chem btw, the risk of getting busted with the box doesn't work well with the risk of getting busted with the chem. If you are big in the source world though you should use a PO box for anything, because a malicious scammer getting your identity will be just as bad as a cop, since the malicious scammers spam shit on cop forums when you don't meet their demands anyways.

    Getting scheduled stuff in the mail is technically the same penalty as if you get 2c-i in the mail. If you think getting scheduled stuff in the mail is playing Russian roulette, I wouldn't get unscheduled ones either. That is like relying on a technicality in the law (that HAS been ruled against people in big cases, just not personal amounts so far) to know that the gun you are playing with isn't loaded.

    Analogs of schedule ones can be charged as schedule ones. They just have not been so far other than against sellers. If getting scheduled ones is like playing Russian roulette with a gun with only one bullet missing, getting analogs is like playing Russian roulette with a gun with only one bullet in it.

    Playing with either of them with security precautions is like playing Russian roulette but instead of a gun to your head you have a gun to your chest but you are wearing body armor. Still would suck to get shot, could totally fuck you over, but a decent chance it will just hurt a ton and you can get over it.
     
  14. zihger

    zihger Senior Member

    You know security is always good, I just think you put way too much faith in what you think is safe.

    I usually don’t post in internet drug forums but I saw the subject of security and thought it was interesting, but I'm done with it.
     
