Cyber Police

[pappy masonjar]

The Washington Post is reporting that according to documents Edward Snowden released, Tor is comprimised. Its complicated, but if you look into it, youll see what I mean.


Babelfish - You seem to know about this stuff. What do you think of the new app called SafeSlinger??

 

[Al Botross]

http://www.washingtonpost.com/world...0f08b6-2d05-11e3-8ade-a1f23cda135e_story.html

 

[babelfish]

The Washington Post is reporting that according to documents Edward Snowden released, Tor is comprimised. Its complicated, but if you look into it, youll see what I mean.


Babelfish - You seem to know about this stuff. What do you think of the new app called SafeSlinger??

again it's trust based - you trust that the person you interact with on the other side is really who you think they are.

Look at the core functionality:

To establish a secure basis for Internet communication, we have implemented SafeSlinger, a system leveraging the proliferation of smartphones to enable people to securely and privately exchange their public keys.

from one of their write-ups:

We observe that individuals often have physical interactions with resources or other individuals before communicating digitally. Often, people communicate over the Internet or via SMS after having met in person. We leverage this physical encounter to bootstrap digital trust. We argue that this is a model that people can intuitively relate to. People who communicate before physically meeting can bootstrap trust through a secure introduction mechanism that is rooted in physical encounters with a common acquaintance.

We present SafeSlinger, a system for secure exchange of authentic information between two smartphones, and a user interface for secure messaging. In essence, SafeSlinger exchanges contact information, containing public keys in addition to standard contact list information such as name, picture, phone numbers, email addresses, etc. Thanks to the association between the individual holding the phone and the public key that is exchanged, users (with the help of the SafeSlinger App) can later associate digital communication with the previously met individual by verifying a digital signature. To make SafeSlinger usable, the cryptographic aspects are mostly hidden from the user (Section 4 discusses challenges), and we have built-in several approaches to make SafeSlinger tolerant to user error.

We envision SafeSlinger as a general approach to bootstrap secure digital communication. (1) First, we enable groups (2-9 individuals) of physically co-located users to securely bootstrap trust by slinging keys between their devices (a one-time operation). SafeSlinger can also support remote setup, as long as users can authenticate the other individual (e.g., via telephone communication or live video conference).
(2) Second, SafeSlinger supports secure phone-to-phone messaging and file transfer, providing both secrecy and authenticity. Once users’ devices hold each others’ public keys, the SafeSlinger user experience is nearly identical to that of traditional SMS and MMS messaging today.
(3) Third, SafeSlinger enables secure introductions without physical meetings by allowing a common acquaintance to facilitate a mutual introduction enabled by SafeSlinger file transfer. (4) Fourth, we enable other applications to use the SafeSlinger API to add their public key to a contact entry. Now, when a user slings its updated contact list entry to another user, each application’s public key is automatically included, and the same application at the other end can extract the public key. This mechanism can enable applications such as secure email, secure SMS, and encrypted file sharing to solve the problem of securely exchanging the public key without requiring a leap of faith.

So, if you meet in person, or are able to do voice/video chat to validate then it will let it happen. Still no solution for a person under duress (gun to head so to speak), but at least you have reasonable faith in the process. They even mention this:

The problem of human-oriented, trust establishment is fundamental; no amount of automation and “fail-safe” defaults can avoid the need for basic trust decisions to be made by humans (system administrators and ordinary users alike), since they ultimately assume the risks of digital communication, accessing remote sites, allowing remote access to their local resources, and employing other users’ services.

if you pick a good enough key then it should be resistant to being compromised by brute force later.. pgp
looking through the faq a couple things look interesting:

How safe is SafeSlinger?
SafeSlinger provides secure communications. Unless a third-party can compromise the operating system on the phone, it cannot access the content of SafeSlinger messages or any other data.

Is it dangerous to provide such high security?
SafeSlinger provides the same high degree of messaging security for end users as PGP which has been available since the early 90's. However, PGP can be slow for users to setup and spend time comparing public keys of every user to ensure that messages they receive using those keys belong to the people you expect. SafeSlinger makes the existing high-security systems easy to use and approachable.

for point a, i would submit there is work to be done by the end user. you can encrypt your whole phone, which means its reasonably safe when off. but when booted and decrypted, there is risk. carrieriq is included in most devices, and is part of a system that phones home. https://play.google.com/store/apps/details?id=com.lookout.carrieriqdetector&hl=en <- this is a program that detects it. For sure this should be removed.

https://wikis.utexas.edu/display/ISO/Handheld+Hardening+Checklists
^- one hardening checklist

http://selinuxproject.org/page/SEAndroid
^- much more work, but you build it so more secure

http://pocketnow.com/2013/02/21/protect-android-from-hacking
^- a nice vid that anyone can follow

http://www.washingtonpost.com/world...0f08b6-2d05-11e3-8ade-a1f23cda135e_story.html

yeah. they've been attacking nodes and users for quite some time, since only a couple years after it went public.

 

[Harry Gypsna]

They way SR got busted was down to Human error.
In the early stages of development, the man in question made posts on the clearnet, connected to his ip and an email addy connected to his real life identity. He went on bitcoin talk looking for coders with experience in setting up bitcoin merchant systems for onion sites, and he also posted advertising the existence of SR, once he had it running. The pigs had him from the very start, all the other stuff re contract killings and fake ids is incidental.
It's a real shame SR is gone, but there is another market still running Baaaa Baaa (BMR has just gone down due to similar security fuckups) and more still on the way. Dark web retail is a Hydra, and they just caused a huge new head growth spurt.

The best bit is, he made 80 million dollars in 2 years, and the pigs can't take it, because they need to get the password to his coin wallet. All the talk of millions in bitcoin seized is only the money people had in their accounts, and what was in escrow for the pending orders.

DEA and homeland security, you can keep the 5 pounds left in my account. buy yourself a sandwich and fucking choke on it.


EDIT
They've got $28 million of his bitcoins, hes still got 52 somewhere .....

 

[babelfish]

btw update on safeslinger: it has exactly the same faults as the apple app they just released.... since a third party exchanges the keys they have the opportunity to subvert the conversation

 

[OGEvilgenius]

He might still have the money somewhere, they have him though. Unless he can figure out a way to escape custody, they will probably have him the rest of his life and they might even end it for him.

 

[Harry Gypsna]

The Washington Post is reporting that according to documents Edward Snowden released, Tor is comprimised. Its complicated, but if you look into it, youll see what I mean.

What I got from the Snowden talk about Tor, is that although they are trying, Tor is sill secure. they did manage to exploit a vulnerability in firefox, but that only affected slack-asses who don't update their Tor browser bundle, which Tor tells you to do on the 1st page you get.

Sheep is legit.

 

[babelfish]

What I got from the Snowden talk about Tor, is that although they are trying, Tor is sill secure. they did manage to exploit a vulnerability in firefox, but that only affected slack-asses who don't update their Tor browser bundle, which Tor tells you to do on the 1st page you get.

Sheep is legit.

no also, there are a lot of nodes that run encryption that is easily cracked.