Silk Road forums
Discussion => Security => Topic started by: whatisthismagic on June 05, 2012, 03:56 am
-
I've been wondering this for some time. Basically, in the unlikely event that SR got busted and servers got seized...how much would LE know? Are our messages and purchase history encrypted with the passwords we choose, or is it just sitting there on the servers? I know it's not a good idea to divulge specific details, but a bit of reassurance from the admins would be nice. Just something like "If LE busted in, they won't know a thing", or "If LE busts in, you're fine if your password is strong". Just my thought on the matter...
-
If it was public as to DPR's security measures, we wouldn't be very secure.
I do know that there are backup measures in place, as this is apparent by the backup BTC addresses we have.
Besides that, we use BTC on the site that are tumbled and untraceable. If you use encryption (as you should) then you should have no real worries.
-
I wouldn't want DPR to make his security measures public at all, just give us a vote of assurance. The thing that makes me worried about it is that I once transferred coins from MT Gox to my wallet, but somehow I sent like .5 to SR without washing them. The address I sent it to was in my transaction history. If LE were to find that address, it would be pretty easy to see in the blockchain how it went from MT Gox -> My wallet -> that SR address -> a bunch of random dummy transactions.
-
No amount of built-in protection by SR can protect you as much as you can protect yourself if you [all of you] follow one simple rule.
Use GPG 100% of the time. No exceptions.
I don't care if you're just sending someone a PM to say hi, or if you're exchanging the details of some 6-figure IRL meetup, every message you send to someone on SR should be GPG-encrypted. Why? Because then you're taking responsibility for your own security, and even if the SR server(s) get completely pwn3d, you've still got that one final layer of security. More importantly, perhaps, is the fact that doing this will remind you that despite all the layers of security, at the core, this is still a black market operation, and there's always risk involved, so hopefully you'll always remember to be smart about what you do, who you deal with, etc.
-
I was just about to jump in and add to the poster's comments about SR not revealing anything about itself and its practices, software, problems with said software which gives hints unless that information is leaked out.
I wonder if diplomatic immunity would apply in the case that a head of state or the like was the head and chief of this org. Also wonder if it could be handled under water because I know the gambling licenses in many states declare it illegal but if you go to the river or lake and set up shop on the water they can't touch you.
But I am simply making guess judgements off faulty memory and hearsay.
-
- I've never heard / read any post of DPR/admins owning up to anything that's happened in the past, nothing more specific than "we had a db issue"
but think admins obviously do deal with a crisis now and again.
- would be interesting though, to get a feel for how LE collectively work against "us" however disclosing too much detail like locations might not
be such a hot idea...each bit of info raises more questions and then someone could drop the wrong bit of info at times....so....the less we
know the better as you as the individual don't know any Silk Road nor representatives, the less you know less chance of being associated to it
as a buyer/vendor when you're being charged yourselves....right?!
..........dunno
-
No amount of built-in protection by SR can protect you as much as you can protect yourself if you [all of you] follow one simple rule.
THIS
-
- SR protects us by investing heavily in time, effort and money {partly paid for by commissions..} and anyone who contributes for free w/o
remuneration, that's how.
-
I've been wondering this for some time. Basically, in the unlikely event that SR got busted and servers got seized...how much would LE know?
Having previously worked for the security services I can tell you that given enough time LE would know everything. It's a game of cat and mouse. LE are only interested in the suppliers not the buyers, so most buyers will be safe.
If LE busts in, you're fine if your password is strong
I'm not going to detail how here, although anyone with advanced IT knowledge will know, but when I used to work for LE we could crack almost any password (even 200 digits long with random characters, numbers & letters) in a matter of minutes, so that affords you no protection.
To be honest for most things you may as well not have a password, all it does is show me there's something juicy there. When cracking wireless networks I look for password protected WPA networks with a hidden SSID (name) as I know they will contain something useful.
-
I've been wondering this for some time. Basically, in the unlikely event that SR got busted and servers got seized...how much would LE know?
Having previously worked for the security services I can tell you that given enough time LE would know everything. It's a game of cat and mouse. LE are only interested in the suppliers not the buyers, so most buyers will be safe.
If LE busts in, you're fine if your password is strong
I'm not going to detail how here, although anyone with advanced IT knowledge will know, but when I used to work for LE we could crack almost any password (even 200 digits long with random characters, numbers & letters) in a matter of minutes, so that affords you no protection.
To be honest for most things you may as well not have a password, all it does is show me there's something juicy there. When cracking wireless networks I look for password protected WPA networks with a hidden SSID (name) as I know they will contain something useful.
Passwords just authenticate to the system, they don't necessarily encrypt all data. And more likely they don't.
As far as bruteforcing via some generator algo or rainbow tables, it would be very difficult if not computationally impossible within this decade to crack secure passwords using a secure hashing function.
-
Passwords just authenticate to the system, they don't necessarily encrypt all data. And more likely they don't.
True
As far as bruteforcing via some generator algo or rainbow tables, it would be very difficult if not computationally impossible within this decade to crack secure passwords using a secure hashing function.
Clearly you don't know a lot about modern hacking techniques. I'm not going to give away my knowledge here for free, but think outside the box and it's blatantly obvious how you could crack (bruteforce) even "secure" passwords very quickly.
-
"how does SR protect us?"
it keeps you from going to that part of town where, there is a good chance you will get robbed at knife-point or gun-point.
buying from an under-cover.
-
Clearly you don't know a lot about modern hacking techniques. I'm not going to give away my knowledge here for free, but think outside the box and it's blatantly obvious how you could crack (bruteforce) even "secure" passwords very quickly.
Clearly I don't as it's been some time since I've put on my hat. Bruteforcing a password, even an MD5 hashed password, is not some trivial task once the password reaches sufficient complexity. What modern encryption algorithm is quickly cracked via bruteforce?
-
What modern encryption algorithm is quickly cracked via bruteforce?
You're thinking the wrong way...
Rather than asking "What modern encryption algorithm is quickly cracked via bruteforce?" you should be asking "how can I make the bruteforcing of this algorithm quicker?"
:)
-
What modern encryption algorithm is quickly cracked via bruteforce?
You're thinking the wrong way...
Rather than asking "What modern encryption algorithm is quickly cracked via bruteforce?" you should be asking "how can I make the bruteforcing of this algorithm quicker?"
:)
lol, what are you doing, clustering a botnet? Haha, that would be funny and pretty cool.
-
lol, what are you doing, clustering a botnet? Haha, that would be funny and pretty cool.
No. The way I do it is perfectly legal and accessible to everyone (after all I learned working for LE). Although a similar concept.
-
lol, what are you doing, clustering a botnet? Haha, that would be funny and pretty cool.
No. The way I do it is perfectly legal and accessible to everyone (after all I learned working for LE). Although a similar concept.
Ok, I'll bite. How's it done?
-
I've been wondering this for some time. Basically, in the unlikely event that SR got busted and servers got seized...how much would LE know?
Having previously worked for the security services I can tell you that given enough time LE would know everything. It's a game of cat and mouse. LE are only interested in the suppliers not the buyers, so most buyers will be safe.
If LE busts in, you're fine if your password is strong
I'm not going to detail how here, although anyone with advanced IT knowledge will know, but when I used to work for LE we could crack almost any password (even 200 digits long with random characters, numbers & letters) in a matter of minutes, so that affords you no protection.
To be honest for most things you may as well not have a password, all it does is show me there's something juicy there. When cracking wireless networks I look for password protected WPA networks with a hidden SSID (name) as I know they will contain something useful.
Where can I go to nominate you for the full of shit awards, I think you are a shoo-in to win
-
What modern encryption algorithm is quickly cracked via bruteforce?
You're thinking the wrong way...
Rather than asking "What modern encryption algorithm is quickly cracked via bruteforce?" you should be asking "how can I make the bruteforcing of this algorithm quicker?"
:)
lol, what are you doing, clustering a botnet? Haha, that would be funny and pretty cool.
Hm I guess you could increase your processing power that is pretty much the only fucking way to increase the speed of a brute force attack. Even if you have every single processing cycle in the universe times a billion working to crack a 200 character password you are not going to do it in your lifetime let alone five minutes. Really have nothing better to do than spout off bullshit online ?
-
Where can I go to nominate you for the full of shit awards, I think you are a shoo-in to win
Rather than be rude you could always test me. People's ignorance here never ceases to amaze me.
-
Where can I go to nominate you for the full of shit awards, I think you are a shoo-in to win
Rather than be rude you could always test me. People's ignorance here never ceases to amaze me.
f5618e9b23d9c67d0578f53fb7af56bbb370e94e3d66d916b6414d0b38492dce
sha256, have fun
-
Yea, I'd like to see that too. Here's another one.
Sha256:
25c14eff065a9a46a674cb0cb4d23da56f4d70c3788c04143ec076ab908cc634
-
here are some hints:
it is all lowercase
almost all of the words in it can be found in a dictionary with a few exceptions that probably can not be found in most dictionaries
all the words are english or english slang
it is exactly 38 characters long
it only consists of english words / slang words
since you can pwn 200 character passwords that you know nothing about in mere minutes with your leet magic, I figure you should be posting a reply to this in a few seconds with all of the hints I gave you
-
f5618e9b23d9c67d0578f53fb7af56bbb370e94e3d66d916b6414d0b38492dce
sha256, have fun
I'm not going to waste my money doing it. You know full well how it can be done. I didn't want to tell everyone here but it's fairly obvious if I had the money I could simply use Amazon cloud computing power to do this or to brute force any password.
-
wow you might even be able to brute force a twelve character password with that sort of computing power, if it is all lower case and not salted and PKCS5 iterations are not being used, and you have a lot of years to spend on it !
-
wow you might even be able to brute force a twelve character password with that sort of computing power, if it is all lower case and not salted and PKCS5 iterations are not being used, and you have a lot of years to spend on it !
It depends what kind of password.
You can brute force a complex 13 digit WPA password (from handshake) in about 20 mins.
-
wow you might even be able to brute force a twelve character password with that sort of computing power, if it is all lower case and not salted and PKCS5 iterations are not being used, and you have a lot of years to spend on it !
It depends what kind of password.
You can brute force a complex 13 digit WPA password (from handshake) in about 20 mins.
no you can't
-
actually you might be able to if it is only *digits*. that would be equal to roughly a 42 bit ascii password which can be expressed with under 7 ascii characters which is possible to brute force
still a far long way away from being able to crack 200 character passwords in minutes, wow you can crack the equivalent of a 6 character ascii password in half an hour
-
no you can't
Yes, you can:
http://www.techrepublic.com/blog/security/welcome-to-the-future-cloud-based-wpa-cracking-is-here/4097
http://www.infosecisland.com/blogview/11018-Cracking-WPA-Protected-WiFi-in-Six-Minutes.html
There's even commercial services that will do it for you if you aren't confident using Amazon Cloud etc:
https://www.wpacracker.com/
-
in 2011 total GPU power was 6.4x10^18 operations per second. ( 97% capacity )
Let's apply Moore's law and say that we multiply by 2
So, 1.28x10^19 op/s
Sha256 requires 121438 operations.
So, per second we can say that the earth's entire GPU processing power could produce
1.0540358x10^14 hashes per second. Not including any other logic.
A single password using only [Alpha, alpha, number] with a length of 20 would have about 1.85x10^35 possible combinations.
You can see how this is impossible. My math may be a little off but even so, when dealing with exponentials it gets really big really fast.
-
in 2011 total GPU power was 6.4x10^18 operations per second. ( 97% capacity )
Let's apply Moore's law and say that we multiply by 2
So, 1.28x10^19 op/s
Sha256 requires 121438 operations.
So, per second we can say that the earth's entire GPU processing power could produce
1.0540358x10^14 hashes per second. Not including any other logic.
A single password using only [Alpha, alpha, number] with a length of 20 would have about 1.85x10^35 possible combinations.
You can see how this is impossible. My math may be a little off but even so, when dealing with exponentials it gets really big really fast.
This only applies to sha 256, not to the majority of encryption methods which are crackable.
-
no you can't
Yes, you can:
http://www.techrepublic.com/blog/security/welcome-to-the-future-cloud-based-wpa-cracking-is-here/4097
http://www.infosecisland.com/blogview/11018-Cracking-WPA-Protected-WiFi-in-Six-Minutes.html
There's even commercial services that will do it for you if you aren't confident using Amazon Cloud etc:
https://www.wpacracker.com/
Yes you can crack a 6 character password in half an hour with amazon cloud, you confused me by specifying that the WPA passwords must be digits only, you can't crack a 13 character WPA password in anywhere near half an hour but 13 digits is roughly equal to 6 ascii characters
-
in 2011 total GPU power was 6.4x10^18 operations per second. ( 97% capacity )
Let's apply Moore's law and say that we multiply by 2
So, 1.28x10^19 op/s
Sha256 requires 121438 operations.
So, per second we can say that the earth's entire GPU processing power could produce
1.0540358x10^14 hashes per second. Not including any other logic.
A single password using only [Alpha, alpha, number] with a length of 20 would have about 1.85x10^35 possible combinations.
You can see how this is impossible. My math may be a little off but even so, when dealing with exponentials it gets really big really fast.
This only applies to sha 256, not to the majority of encryption methods which are crackable.
just shut up already, you can't crack shit except for 6 character passwords stop spreading bullshit
here is 12 character md5 password made from three words let me know when you pwn it
553336a639dcc0166a95b35cd4b6e7c2
-
Yes you can crack a 6 character password in half an hour with amazon cloud, you confused me by specifying that the WPA passwords must be digits only, you can't crack a 13 character WPA password in anywhere near half an hour but 13 digits is roughly equal to 6 ascii characters
Yes you can.
You're making silly assumptions, such as:
Yes you can crack a 6 character password in half an hour with amazon cloud
Well how do you know how much computing power I've purchased from my cloud service? For all you know I could be running the entire farm. That's why I specified at the beginning that it's money dependent. More money = quicker cracking.
-
a mixed case alphanumeric password that is 13 characters long has a key space of 4.473650959×10²⁵
that is 447365095925 HUNDRED TRILLION
you could guess ONE HUNDRED TRILLION passwords a second and it would take you over 7,000 years to have over a 50% chance of brute forcing the password
are you really ultra stupid or just trolling?
-
Yea, I'm gonna have to throw a bullshit flag here too. Sorry. :)
-
stupid? trolling?
gathering intelligence and information perhaps?
I always assume the worst.
-
State of the art password cracking systems can get something like 100 billion guesses per second
well short of the 100 trillion required to have a 50% chance of cracking a 13 character mixed case alphanumeric password in 7000 years
Hopefully he does gather some intelligence here he is in desperate need of some
-
I refer to LEO's intelligence gathering my friend.
You are allowing a lot of what you know and are capable of doing known to this user..
and to anyone who can read the forum.
I'd keep such things closer to the vest cause all that does is tell them in your profile (likely IT- Programming-possible gamer, geeky profile) you get what I'm saying.
Please do not get offended by the term geeky profile if you are not a geek. I am one.
-
<- was making a joke
-
Gotcha!
-
God I love this thread. lmao.
Oscar... I think you are full of shit too....
I have a lot of practical IT experience under my belt 30+ years to be exact. I don't doubt that passwords can be cracked and more systems in a single clustered environment can crack them quicker. You can't however crack anything with just the MD5 or SHA string because you need the source code to see what they did to the password before using SHA or MD5 on it. For example if I take a password, do a specific bit manipulation on it and interleave a repeating word between the characters one character at a time before using MD5 or SHA then to crack it you need to know what manipulations I did first.
And let's just take a step back here.... If LE were to hack SR to the point of getting the password database then they would probably have enough access to embed a trojan and spy on everything. Cracking SHA or MD5 passwords is pointless at that point...
just my 2 bitcoins :)
-
I've totally given up on this thread, just so much fail.
I don't even think the other two understood what I was talking about, although I didn't explain myself very clearly in the first place (on purpose).
I presented factual evidence to back up my claims and it's plastered all over Google how to use cloud computing to crack complex passwords such as a 13 digit WPA password yet they still went on about how it's not possible. Reminds me of holocaust deniers.
-
Just going to throw it in here...one of the things I would like to know about SR, is if they do something smart, like take your password, sha-256 it, and use that as the key to encrypt all your data with AES-256. As far as oscarzululondon goes, if the ENTIRE EARTH was one big processor hashing at the speed of the Intel AES instruction set....it would still take thousands of years to crack that. If SR encrypted our data in this way, LE could not ever, ever, ever ever ever ever ever get our data. It just doesn't work like that. The thing that gets me is if I buy coins on Mt Gox, send them to my SR address, and SR servers get seized. That's my main concern. If they encrypted our data in the way I mentioned, we could fukin send out coins direct to SR from Mt Gox. As long as your password is good. ;)
-
I've totally given up on this thread, just so much fail.
I don't even think the other two understood what I was talking about, although I didn't explain myself very clearly in the first place (on purpose).
I presented factual evidence to back up my claims and it's plastered all over Google how to use cloud computing to crack complex passwords such as a 13 digit WPA password yet they still went on about how it's not possible. Reminds me of holocaust deniers.
Dude, we were talking about SR not WPA, nice straw man. When you offer to prove it, a challenge is presented, then you opt out referring to financial costs. Stop digging a hole for yourself, you're not the only one here who talks like they know a thing or two, some of us actually know. It is not a trivial thing to brute force a sufficiently complex password using modern encryption algorithms.
-
It doesn't matter even WPA passwords are no different than SHA-256 passwords, the only difference there is the amount of time it takes to see if your guess was correct, when you have to make billions of trillions of guesses it doesn't matter if you can guess and confirm as correct/incorrect hundreds of billions of passwords a second. The article he linked to said they cracked passwords up to six characters in 45 minutes, I don't know where the fuck he is getting 13 character passwords can be cracked from. a purely randomly generated 13 character ascii password is as secure as a 91 bit encryption algorithm that can only be broken by brute force.
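-
Added example, not part of the original thread or any poster's code: the keyspace arithmetic the posters argue over, plus the salted, iterated key derivation ("PKCS5 iterations") mentioned above set beside a bare SHA-256 of the password. The guess rates (10^11 and 10^14 per second) and the 13-character cases come from the thread; the 94-symbol alphabet is the size that yields the 4.47×10²⁵ keyspace quoted above; the function names and the 200,000 iteration count are assumptions chosen for illustration.

```python
import hashlib
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a uniformly random password."""
    return length * math.log2(alphabet_size)


def years_to_half(alphabet_size: int, length: int,
                  guesses_per_second: float, kdf_iterations: int = 1) -> float:
    """Years to search half the keyspace (a 50% chance of a hit).

    kdf_iterations is a simplified cost model: every guess costs that many
    hash computations, so the effective guess rate drops by the same factor.
    """
    half_keyspace = alphabet_size ** length / 2
    effective_rate = guesses_per_second / kdf_iterations
    return half_keyspace / effective_rate / SECONDS_PER_YEAR


def unsalted_key(password: str) -> bytes:
    """Bare SHA-256 of the password: one fast hash, same output for every user."""
    return hashlib.sha256(password.encode()).digest()


def stretched_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 (PKCS #5); iteration count is an assumed value."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def thread_scenarios() -> dict:
    """Years to a 50% hit for the cases argued in the thread."""
    return {
        "13 digits @ 1e11/s": years_to_half(10, 13, 1e11),
        "13 digits @ 1e11/s, 200k iterations":
            years_to_half(10, 13, 1e11, kdf_iterations=200_000),
        "13 of 94 printable @ 1e11/s": years_to_half(94, 13, 1e11),
        "13 of 94 printable @ 1e14/s": years_to_half(94, 13, 1e14),
    }


if __name__ == "__main__":
    print(f"13 digits:          {keyspace_bits(10, 13):.1f} bits")
    print(f"13 of 94 printable: {keyspace_bits(94, 13):.1f} bits")
    print(f"13 of 128 (7-bit):  {keyspace_bits(128, 13):.1f} bits")
    for label, years in thread_scenarios().items():
        print(f"{label}: {years:.3g} years")

    # Constructed salts and password, for illustration only.
    salt_a, salt_b = b"A" * 16, b"B" * 16
    same_unsalted = unsalted_key("example") == unsalted_key("example")
    same_salted = stretched_key("example", salt_a) == stretched_key("example", salt_b)
    print("unsalted keys identical across users:", same_unsalted)
    print("salted keys identical across users:  ", same_salted)
```

Stretching multiplies the cost of each guess by a constant, so it slows a search of a small keyspace such as 13 digits without making it infeasible; the exponent in the keyspace is what carries the security.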