/tt/ - talk:tech

ID: dee02a0d31  No.745

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Hi GirlsHub!

I am a security researcher and consultant by trade and know a very good deal of computer security and opsec. I also have a fair amount of experience with computer forensics, cryptography, and many Unix and Unix-like operating systems, including OpenBSD, NetBSD, OpenVMS, Solaris, and a dozen Linux distributions.

I'm opening this thread because I have been noticing a LOT of misunderstandings regarding security and anonymity among Tor pedos, and GH in particular. Some of the misunderstandings are benign, and some are outright dangerous. I've been privately training pedos for a few years now, so I can tell when an online community has a poor grasp of security...

If anyone wants anything clarified or wants to know anything specific about computer security and how to stay safe in this dangerous anti-pedo world, ask me in this thread and I'll answer to the best of my ability. And if you're already very well-versed in computer security, please pop your head in! We need more of you here!

My key ID: CE89029E75756B1A49AC78659CD23646BB0E1F46
Public key: hxxp://infotombjhy7tcrg.onion/mv8kd.txt
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlV/8rMACgkQnNI2RrsOH0ZxnwEAnfP3TFNh3vEfwlv8wTpkrVG6
MQJaYKiRDVyD19Xp1NwA/1/tiFD7KUSG6qVWBdjOV+GS6wx9FHouRHqUg8Z8y3DS
=R9xb
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.753

>>If anyone wants anything clarified ...

Yes - here.

Tell us what YOU use. YOU!

Your OS?
Your hardware?
Your security software ( 100% complete list. Network, Encryption, Hardening, Firewall, Sandbox, logs etc. )
Your main security concepts ( complete list ).
Your chain of downloading and store files.
Your online communication.

>>OpenBSD, NetBSD, OpenVMS, Solaris, and a dozen Linux distributions.


ONLY ONE - tell us what YOU use DAILY and WHY?

ID: dee02a0d31  No.755

TP is our resident moron, he thinks he knows opsec but hes just a nooby windows user. I apologise if his questions hurt your brain.

Myself my setup is Whonix Physical Isolation, the gateway is patched grsec, selinux Debian system and runs from a ramdisk (sdcard).

The workstation is a KVM running under AlpineLinux from a USB stick. Both are connected together with physical isolation eg a crossover cable. So I won't get caught by any hypervisor vulnerabilities. AlpineLinux is really ideal because you can encrypt the provisioning file.

Once AlpineLinux has decrypted the provisioning file I run virt-manager, and start my Whonix Workstation, inside that I mount a physical disk inside qemu.

What do you think? way I see it, its amnesic, the vmdir is on an encrypted disk, my cp is on an encrypted disk, and the configs for the VM are in the AlpineLinux provisioning file (also encrypted).

I run all this behind a router on VLAN 2 which has a VPN running persistently. This way more Tor usage patterns are not visible to my ISP. Course I have a managed switch so VLAN hopping isn't possible, at least from the info I've read about that.

ID: dee02a0d31  No.756

The problem seems to be around here is people won't Google shit, and they won't give up on windows and use something that is open source, signed (repository downloads are signed by gpg). TAILS literally couldn't be any easier to install to a USB stick.

I mean ffs there was a guy in here complaining about cryptolocker 3.0 on his windows XP machine. Still not sure if he was a troll.

Apart from that I NEVER use aliases or handles or anything that lets LE build a timeline. I don't use TorChat purely because I know I'm not perfect and know LE is trying to socially engineer us.

I don't link to external sources that I could have visited on an untorified connection like a news article because 2+ of those could allow for a correlation.

I have used my baby girl as a fucktoy (masturbate against her holes - yes I know she's too small to get it in before anyone points that obvious fact to me our I also love her and would never want to hurt her) when the wife is out, cum on her belly, vag and back. I think I'll stop as soon as she starts to talk cos I think the most likely way I'd get caught is by her telling someone. Maybe around 2 2.5 at the latest.

How safe am I?

ID: dee02a0d31  No.768

How safe is the average Windows/Tor Browser user that doesn't store files long term? Does software like Eraser remove all traces of files?

What are some security practices that you recommend everyone use to remain as anonymous as possible when browsing/downloading?

What are some of the misunderstandings that you see regarding security?

ID: dee02a0d31  No.772

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>753
>Your OS?
Tails, but I also have a computer running Gentoo and one running Arch.
>Your hardware?
Not relevant.
>Your security software ( 100% complete list. Network, Encryption, Hardening, Firewall, Sandbox, logs etc. )
I won't give a 100% complete list. But for networking I use NetFilter (through iptables). LUKS encryption. Grsecurity hardening. SELinux sandbox (AppArmor sandbox on Tails, which is the default). Logs are transferred to a remote server encrypted, where they are placed on a filesystem with the +a (append only) attribute set. It uses sftp to prevent any deletion of logs.
>Your main security concepts ( complete list ).
What do you mean by security concepts?
>Your chain of downloading and store files.
Not sure what you mean by that either.
>Your online communication.
XMPP with OTR, and email with PGP. Also anonymous forums like this.
>ONLY ONE - tell us what YOU use DAILY and WHY?
I use Tails the majority of the time with a few patches. I use it because it is very well put together and very hard to make mistakes with. It also has a very large anonymity set.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWBDRYACgkQnNI2RrsOH0ZbpwD/TjpLtkPqmnPmWRZy3IsR8ZpM
31P5XkjbfyqKSgvRshEA/RtVexaUR0u+JygNeVeACY6g+0Xs/hOaM0U/C7X6E1e6
=9G01
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.774

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>755
>Myself my setup is Whonix Physical Isolation, the gateway is patched grsec, selinux Debian system and runs from a ramdisk (sdcard).
Do you use the SELinux in enforce mode or permissive mode?
>inside that I mount a physical disk inside qemu.
Qemu is a large program and as the "Venom" vulnerability taught us recently, it's not perfect. You should always run it with the -chroot on an empty directory, and confine it using SELinux. If you aren't using SELinux in enforce mode, it might be worse than not using a VM.
>I run all this behind a router on VLAN 2 which has a VPN running persistently.
What does your router run?
>This way more Tor usage patterns are not visible to my ISP.
Your Tor usage patterns probably are visible to your ISP if they use DPI though. According to hxxps://gitweb.torproject.org/torspec.git/tree/tor-spec.txt, Tor uses fixed sized "cells" that are exactly 512 bytes in length. This can be used to identify when Tor is being used even through most VPNs, if someone goes to the proactive effort of testing if you are using Tor.
>What do you think?
It sounds secure to me but overcomplicated, and thus prone to accidents. There are also some issues with KVM depending on your kernel config, such as KSM which can be used in a side channel attack from within the VM to verify if any arbitrary memory page exists outside the VM, as explained in hxxps://staff.aist.go.jp/k.suzaki/EuroSec2011-suzaki.pdf
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWBFlEACgkQnNI2RrsOH0YMHwEAkDtfZSH+iiAn2RQsRw+9isyT
VZjFC5Ai9WSZuiVTn68A/0AQXGmyMkIep9Pzfm4Ywgo+0lQL0DlJMVyvTO5xQHbL
=pNXT
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.775

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>756
>they won't give up on windows
That's gotta be the #1 problem with the pedo community. People are too comfortable using what they are use to and put off switching to something else even if that something is proven to be the best bet at saving their asses.
>I mean ffs there was a guy in here complaining about cryptolocker 3.0 on his windows XP machine. Still not sure if he was a troll.
That was the final straw that made me want to open this thread. I can only hope that he was a troll...
>I don't use TorChat purely because I know I'm not perfect and know LE is trying to socially engineer us.
That's great! Too many people try to use purely technical solutions to human problems, and it ends up failing badly. No amount of computer security can protect you if you willingly give out too much information.
>How safe am I?
Your online opsec sounds very good, but if anything is going to get you arrested it will be the activities you do with your girl, because of her age. Read hxxp://xnyvcjj6ybauprjx.onion/handbook/secrecy.html most of all and scroll a little bit down to the Age section. It says that age 3 is the most dangerous age. Age 2 and age 4 are labeled as being moderately dangerous, but still dangerous. I'm no child psychologist, but it sounds about right to me.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWBGXgACgkQnNI2RrsOH0b5yQEAiAlDURqfY1mxNQkfHJ+z8GIH
LJ2Kg6wmNt4QP2mtYGMA/0LbN1Xok9RIEjX0gxN9xXmrtWqvAqOQTdNG7lP5WUSb
=598W
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.776

>>Myself my setup is Whonix Physical Isolation, the gateway is patched grsec, selinux Debian system and runs from a ramdisk (sdcard).
Do you use the SELinux in enforce mode or permissive mode?
Enforce, the Debian ramdisk basically boots the kernel, and starts Tor, it has nothing else installed.

>>inside that I mount a physical disk inside qemu.

>Qemu is a large program and as the "Venom" vulnerability taught us recently, it's not perfect. You should always run it with the -chroot on an empty directory, and confine it using SELinux. If you aren't using SELinux in enforce mode, it might be worse than not using a VM.

It's important to note this machine is also a single purpose machine. I'm not using anything like 9p. Even if breaking out of the VM were possible there is nothing else on the system besides the AlpineLinux ramdisk. KVM is just a convenient way to protect hardware IDs eg hard disk serials etc. Internet traffic cannot bypass Tor even if you could break out of the VM due to the fact it is connected to the gateway via a crossover cable.

>>I run all this behind a router on VLAN 2 which has a VPN running persistently.

>What does your router run?
AlpineLinux, from ram disk, simple easy and includes a grsec kernel.

ID: dee02a0d31  No.777

>>This way more Tor usage patterns are not visible to my ISP.
>Your Tor usage patterns probably are visible to your ISP if they use DPI though. According to hxxps://gitweb.torproject.org/torspec.git/tree/tor-spec.txt, Tor uses fixed sized "cells" that are exactly 512 bytes in length. This can be used to identify when Tor is being used even through most VPNs, if someone goes to the proactive effort of testing if you are using Tor.
Yeah its mostly to get around mandatory data retention. This way it doesn't show that account has been contacting entry node IP addresses that are a part of the Tor network. Its also important to know I throw everything through that VPN including other traffic. In other words it now requires deep packet inspection and someone who knows this. Not sure if there's any products on the market that can be used to do this at the moment.

>>What do you think?

>It sounds secure to me but overcomplicated, and thus prone to accidents. There are also some issues with KVM depending on your kernel config, such as KSM which can be used in a side channel attack from within the VM to verify if any arbitrary memory page exists outside the VM, as explained in hxxps://staff.aist.go.jp/k.suzaki/EuroSec2011-suzaki.pdf

I shall take a look at that.

ID: dee02a0d31  No.778

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>768
>How safe is the average Windows/Tor Browser user that doesn't store files long term? Does software like Eraser remove all traces of files?
Very unsafe. Eraser does not erase traces on modern filesystems. Here is a non-exhaustive list that is used in real forensic investigations to convict pedos:
1) MFT and journal. Parts of files that are smaller than the block size, and file names get put into special parts of the filesystem.
2) Damaged sectors. If the hard drive detects mild damage it will relocate data elsewhere and then hide the damaged sector.
3) Image viewer and video player logs. They often record most recently used files, even if you disable history.
4) Temporary files. 7zip etc extract these files and delete them insecurely.
5) Pagefile. Some memory is written to the disk to free up RAM. This can include things like files you are viewing.
>What are some security practices that you recommend everyone use to remain as anonymous as possible when browsing/downloading?
Use Tails! It's very easy to use. You have no excuse not to use it for CP.
>What are some of the misunderstandings that you see regarding security?
The big ones: 1) the belief that Eraser tools actually work on modern filesystems and 2), that encrypting only a part of your drive is safe and full disk encryption isn't necessary.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWBIVkACgkQnNI2RrsOH0bMigD/bg8ezpGGouUx838THwL2VlKC
Mf+QzzU3nfk6AdYu8EYBAMc3ASAfyZ0nFPRM+D9s0rYKkJfXlZIqvJP1+biG0kLz
=ZO1y
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.779

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>776
>>777
>KVM is just a convenient way to protect hardware IDs eg hard disk serials etc.
I was going to mention that in the last post but ran out of space. The character limit for /tt/ is absurdly low. You will have to make sure you don't use -cdrom /dev/sr* on the host, because there are ways to query drive information through /dev/sr*.
>Internet traffic cannot bypass Tor even if you could break out of the VM due to the fact it is connected to the gateway via a crossover cable.
The host should have no network cards. Not bluetooth, not WiFi. Otherwise it would be able to query nearby devices if it broke out of the VM.
>In other words it now requires deep packet inspection and someone who knows this. Not sure if there's any products on the market that can be used to do this at the moment.
At a company I had worked for, there were machines that could do DPI automatically to look for protocols like Tor and SSH to fingerprint them. But it was only ever used to analyze DDoS and network intrusions.
>AlpineLinux, from ram disk, simple easy and includes a grsec kernel.
You might want to compile your own kernel and use a hardened userland. Hardened LFS and hardened Gentoo can do this, and are especially suited for a minimalistic system that is only needed for a hypervisor. Especially a grsec kernel that is not precompiled will give much more security advantage over one which is precompiled: hxxps://xorl.wordpress.com/2010/11/20/grkernsec_hidesym-hide-kernel-symbols/
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWBJtQACgkQnNI2RrsOH0bk0AEAsHB4oZd+rhPtAQQB9KiwG2co
2yp5+TD29bSa4RytZq0A+gLDenfSOCl6oEw8i/d3tcEAAMKm6nXdkgF08Vu1VjVi
=t69t
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.780

>>I don't use TorChat purely because I know I'm not perfect and know LE is trying to socially engineer us.
>That's great! Too many people try to use purely technical solutions to human problems, and it ends up failing badly. No amount of computer security can protect you if you willingly give out too much information.

yep, and it seems to be the way TLZ was compromised.

>>How safe am I?

>Your online opsec sounds very good, but if anything is going to get you arrested it will be the activities you do with your girl, because of her age. Read hxxp://xnyvcjj6ybauprjx.onion/handbook/secrecy.html most of all and scroll a little bit down to the Age section. It says that age 3 is the most dangerous age. Age 2 and age 4 are labeled as being moderately dangerous, but still dangerous. I'm no child psychologist, but it sounds about right to me.

aww well good thing she's only months old then. Most of our play just involves me licking her, which she likes even at her tender age.

You can notice how she starts smiling, and sometimes cooing. I love making her happy. She kicks her legs and smiles at me when I lick her down there - it melts me, I'm caught between watching her be cute and licking her.

As for my stimulation, usually happens at bath time, nappy change time after I've cleaned her up, I'll jack off but touch the tip of my penis against her legs and vagina. It feels awesome and I usually come pretty quick before she gets restless. I think as she gets older I won't ejaculate on her because she might not like the icky-ness of it.

ID: dee02a0d31  No.781

Sometimes when I'm particularly horny I'll put a finger in her mouth with some cum on it, she sucks it like a good little girl, makes me so proud.

I'm aware the most dangerous time is when she can speak, toddlers love to tell everyone everything. I might try again when she is 6, but that will depend on whether I think I can trust her.

As for photos, I have taken a few - with a point and shoot camera I bought for that specific purpose. I'm aware that lenses have tiny defects not visible to the naked eye during the manufacturing process.

I won't join any producer circles, because that requires me to have a persistent point of contact. If one of the other producers gets busted LE could use one of those people to socially engineer me.

I smudge out marks on my penis, infect I try to keep that out of the picture (or any part of my body). I mostly do it when I lay her on my bed, making sure to keep everything out of frame. Its just her and the white sheet, which is really good photography (makes her stand out).

She doesn't really have any beauty spots, but I'd smudge those too. I think I would follow the advice here of others and only release some when she's older, and at random times not under a specific identity. We will have to wait and see there.

ID: dee02a0d31  No.782

>KVM is just a convenient way to protect hardware IDs eg hard disk serials etc.
>I was going to mention that in the last post but ran out of space. The character limit for /tt/ is absurdly low.
yeah I know, quite annoying.

> You will have to make sure you don't use -cdrom /dev/sr* on the host, because there are ways to query drive information through /dev/sr*.

the computer is literally a motherboard, couple of sticks of RAM, encrypted hard disk 1 (contains vmdir), encrypted disk 2 (contains CP) I back this up to another hard disk with rsync when offline (cold storage backup)

Besides my keyboard mouse and headphones, there's nothing else to this computer.

>>Internet traffic cannot bypass Tor even if you could break out of of the VM due to the fact it is connected to the gateway via a crossover cable.

>The host should have no network cards. Not bluetooth, not WiFi. Otherwise it would be able to query nearby devices if it broke out of the VM.

No Bluetooth or WiFi. It does have an onboard NIC directly connected to the gateway.

The gateway is in its own VLAN. There is no sshd or any network services on either machine.

ID: dee02a0d31  No.783

> At a company I had worked for, there were machines that could do DPI automatically to look for protocols like Tor and SSH to fingerprint them. But it was only ever used to analyze DDoS and network intrusions.
interesting.

> You might want to compile your own kernel and use a hardened userland. Hardened LFS and hardened Gentoo can do this, and are especially suited for a minimalistic system that is only needed for a hypervisor. Especially a grsec kernel that is not precompiled will give much more security advantage over one which is precompiled: hxxps://xorl.wordpress.com/2010/11/20/grkernsec_hidesym-hide-kernel-symbols/


Hardened gentoo I use on one of my servers actually. I guess its possible for me to do that it wouldn't really result in less security using a non-ramdisk distribution.

I could then use PIE position independent executables too. I think gentoo hardened also has PaX and better ASLR. It also supports sVirtd, so I could use SELinux to secure libvirtd.

BTW it does seem you genuinely know your shit. Its so tiring seeing all these wannabe professors that try to make the argument about opinion when they are just plain fucking wrong.

ID: dee02a0d31  No.785

I'm confident LE is reading this. I've also had a career in digital forensics mostly for LE, and a few private contracts.

It's actually how I discovered I like CP. I was one day auditing some new evidence that came in and found some of the young girls my daughter's age, very cute. Never thought about kids sexually, but when I saw them all naked and exposing themselves I was just aware how mature they were. When I looked at the faces, I found myself thinking, damn she's gonna be a knockout when she grows up.

It wasn't long after that I found their tiny butts, and smooth chests, and perfect skin arousing. It was something about the innocence, which is lacking in adult porn. Wife is too busy to be sexy these days.

That night I went home, I'd heard a conversation at work about a bust on a Tor site some time ago, (not TLZ).

So I fired up an image board I think it was onionib. Man I had the most explosive orgasm. That's when I knew I was pedo.

I can tell you with a lot of certainty LE does hate Tails. It makes push button forensics basically impossible which drives up costs as we need specialized staff to do covert activity online. It also means we spend more time looking at less evidence, officers usually take everything on a raid, in some cases its resulted in huge portions of useless crap we have to look at.

ID: dee02a0d31  No.786

Using full disk encryption like TrueCrypt/dmcrypt basically means we have to try to trick the perp into incriminating themselves. Or hope we can get the court to request the keys, then put down a contempt charge if they don't comply. Problem is we need some evidence to convince the court this guy even has CP which is fucking difficult if we find nothing.

Typically producers are the easiest targets, if we can de-anon them through photographic databases (child's face). On a few rare occasions we've de-anoned people with social engineering. Eg we use an identity they trust, send them a link to something but it doesn't work on Tor, so they visit it directly! and bam we can subpoena that service, or if its our honeypot we just look at the logs.

and yes, we only usually catch the dumb ones. 90% of the time we don't have to do anything clever, because pedos think with their cocks not their brains.

ID: dee02a0d31  No.787

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>781
>>782
>As for photos, I have taken a few - with a point and shoot camera I bought for that specific purpose. I'm aware that lenses have tiny defects not visible to the naked eye during the manufacturing process.
This is long but well worth the read: hxxp://drum.lib.umd.edu/bitstream/1903/14790/1/Garg_umd_0117E_14681.pdf. It explains several other problems other than bad pixels and lens defects. It only applies to video cameras though because there is so much unintended side channel information encoded in there. The paper explains electrical network frequency analysis (aka locating people from the unique mains hum in their area) using both audio and visual data. If you only take photographs it will defeat all of these problems.
>Besides my keyboard mouse and headphones, there's nothing else to this computer.
Some keyboards keep small internal buffers. After you're done doing on-topic things, bash your keyboard to create random characters to replace the buffer.
>the computer is literally a motherboard, couple of sticks of RAM, encrypted hard disk 1 (contains vmdir), encrypted disk 2 (contains CP) I back this up to another hard disk with rsync when offline (cold storage backup)
Is your RAM affected by rowhammer? There are public exploits that can be used to break out of VMs using rowhammer: https://www.exploit-db.com/exploits/36310/
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWBNfIACgkQnNI2RrsOH0aVvwEAoZbugLUx53uYKmvM/guWMg6u
tKi+VcoB35Q8ZUPREyUA/iwVMsQDd6SluWpPQCtVrI36KyaRm9JKS+m69Ugk2ucv
=sBMB
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.791

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>783
>I guess its possible for me to do that it wouldn't really result in less security using a non-ramdisk distribution.
Gentoo can be configured to run purely from RAM.
>I could then use PIE position independent executables too. I think gentoo hardened also has PaX and better ASLR. It also supports sVirtd, so I could use SELinux to secure libvirtd.
You can do a lot more than just PIE+ASLR with a hardened toolchain. You can use bindnow, relro, and more. And yes, PaX does have a much better ASLR that is free of entropy-reduction attacks.
>BTW it does seem you genuinely know your shit. Its so tiring seeing all these wannabe professors that try to make the argument about opinion when they are just plain fucking wrong.
Sometimes I wonder if half those people aren't just feds...
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWBQCwACgkQnNI2RrsOH0Z0HQEAyQWy2BwFRIwCfXdROI0sNOMz
W1Tm10KbHDXJsFSk6A8BAMFGLU8b1kl6lR/DhHZY4Le6gOaomHR029tn8/MzHWwW
=t7iS
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.792

>>As for photos, I have taken a few - with a point and shoot camera I bought for that specific purpose. I'm aware that lenses have tiny defects not visible to the naked eye during the manufacturing process.
>This is long but well worth the read: hxxp://drum.lib.umd.edu/bitstream/1903/14790/1/Garg_umd_0117E_14681.pdf. It explains several other problems other than bad pixels and lens defects. It only applies to video cameras though because there is so much unintended side channel information encoded in there. The paper explains electrical network frequency analysis (aka locating people from the unique mains hum in their area) using both audio and visual data.
hmm, yeah I'd made some videos if her, sound of her making cute noises as i play with her really arouses me. So adorable when I stop she looks at me puzzled like "WHY DID YOU STAWP, I WAS ENJOYING THAT". So cute. Maybe I'm just a proud parent lol.

>If you only take photographs it will defeat all of these problems.

I had only planned on sharing photos.

>>Besides my keyboard mouse and headphones, there's nothing else to this computer.

Some keyboards keep small internal buffers. After you're done doing on-topic things, bash your keyboard to create random characters to replace the buffer.
as it happens its one of those Filco Majestouch keyboards, I use it in PS/2 mode, its corded and it has no programmable keys or anything like that.

ID: dee02a0d31  No.793

>>>the computer is literally a motherboard, couple of sticks of RAM, encrypted hard disk 1 (contains vmdir), encrypted disk 2 (contains CP) I back this up to another hard disk with rsync when offline (cold storage backup)
>Is your RAM affected by rowhammer? There are public exploits that can be used to break out of VMs using rowhammer: https://www.exploit-db.com/exploits/36310/
I'll have to explore this, the ram isn't ECC, but it is a desktop machine

>>I guess its possible for me to do that it wouldn't really result in less security using a non-ramdisk distribution.

>Gentoo can be configured to run purely from RAM.
oh this is good news!

I'll have to give this a try too https://www.whonix.org/wiki/HardenedGentooTG

I'm sure I can get Gentoo Hardened /w sVirtd going on ramdisk to run my Whonix Workstation KVM


>>I could then use PIE position independent executables too. I think gentoo hardened also has PaX and better ASLR. It also supports sVirtd, so I could use SELinux to secure libvirtd.

>You can do a lot more than just PIE+ASLR with a hardened toolchain. You can use bindnow, relro, and more. And yes, PaX does have a much better ASLR that is free of entropy-reduction attacks.

yeah id planned on more than just using a hardened profile.

Seems to be some doc here about it https://wiki.gentoo.org/wiki/Hardened/Toolchain#Default_to_marking_read-only.2C_sections_that_can_be_so_marked_after_the_loader_is_finished_.28RELRO.29

ID: dee02a0d31  No.795

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>785
>>786
>I'm confident LE is reading this. I've also had a career in digital forensics mostly for LE
It's awesome that there are LE out there who have been converted to the dark side! Since you might know this, how often does LE use subtle stylometry? I know they did to find skee at the very least. But I wonder how much my writing style has to be changed to be safe, as a consumer of CP? Just to maintain good opsec, I sanitize my writing with AnonyMouth whenever I write big or formal posts, but how much is that really necessary?
>I can tell you with a lot of certainty LE does hate Tails.
I bet that even now that it comes from LE's mouth itself, so many people still won't switch to it. How many of the suspects you've heard of or seen used Tails, and how much did that stump the investigation if they were arrested? How much time will they spend trying to crack the persistent partition?
>and yes, we only usually catch the dumb ones. 90% of the time we don't have to do anything clever, because pedos think with their cocks not their brains.
I'd be interested to hear a bit of rough statistics about this! Like what things stump LE the most, what things LE get around the most, what tactics they use, etc. Basically just info we can use to protect ourselves from a realistic view of LE as our adversaries.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWBSm0ACgkQnNI2RrsOH0aklgD/SP2zlRx3680oynQiRZ25fyCW
KZkE54njOnkyz/f+Y6wBALw27M26b/PZYdA0j4HeUIgVZ/WiV/b+UT1Uyp36kxjU
=Nied
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.797

>I'm confident LE is reading this. I've also had a career in digital forensics mostly for LE
It's awesome that there are LE out there who have been converted to the dark side!

Fact is most of us are men, we have urges and when your job is to investigate CP its difficult. Police are not a race of eunuchs.

The stuff that really gets me mad is when someone causes physical harm to a child, to the point where they want it to stop. In fact I believe it's the moral duty of the adult to have respect for the child's wishes.

> Since you might know this, how often does LE use subtle stylometry? I know they did to find skee at the very least. But I wonder how much my writing style has to be changed to be safe, as a consumer of CP? Just to maintain good opsec, I sanitize my writing with AnonyMouth whenever I write big or formal posts, but how much is that really necessary?


rarely, it can be useful for parallel investigation of high value targets if they do something particularly obscure. There is algorithmic software out there but it depends on having it, and something to compare the text to.

Police do lie, often we leave out technical details because we don't want to lose them. When it goes on the record in a court there's a risk of that. Sometimes we infer we found something one way, when it was another way. The court doesn't care too much if its obvious the evidence is legit. Eg a guy raping his own daughter is hard to deny when there's a video of him doing it ;)

ID: dee02a0d31  No.798

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>793
>I'll have to explore this, the ram isn't ECC, but it is a desktop machine
A useful program to test this is hxxps://github.com/google/rowhammer-test. The source code is short and easy to skim through.
>I'll have to give this a try too https://www.whonix.org/wiki/HardenedGentooTG
That looks very interesting. I haven't heard of it before. It'll probably turn out to be useful. BTW you never answered, what do you run for your router, or do you just use the gateway as a router? OpenWRT and dd-wrt aren't so secure (but they are much better than any stock firmware out there). I use NetBSD myself but I'll probably migrate to OpenBSD or Alpine.
>I'm sure I can get Gentoo Hardened /w sVirtd going on ramdisk to run my Whonix Workstation KVM
In addition to SELinux through sVirtd, you could also use grsec's own access control system: RBAC. It is more secure than SELinux, although not quite as flexible. It is aware of resource limits and PaX though, in addition to filesystem and networking. Because RBAC is built into the kernel and not an LSM, it's fine to use both simultaneously for extra security.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWBUfEACgkQnNI2RrsOH0bneAD8C+mkWLWncuftb7V7b0+zLKJ9
1L4JTiF/4gdyy8sZM+IA+gKHuK+JWbmcHtqmfW5BihaViMH1ekYS1b4w/h8Dshrg
=GO3C
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.799

>>I can tell you with a lot of certainty LE does hate Tails.
>I bet that even now that it comes from LE's mouth itself, so many people still won't switch to it. How many of the suspects you've heard of or seen used Tails, and how much did that stump the investigation if they were arrested? How much time will they spend trying to crack the persistent partition?

A lot don't. We usually look for boot media USB/CDs so we can tell a court maybe they used Tails.

We don't bother trying to crack full disk encryption, we might try a dictionary attack but that's about it. Too much work, too little time, next case please. We get in trouble if we spend too long on one case and get no results.

>>and yes, we only usually catch the dumb ones. 90% of the time we don't have to do anything clever, because pedos think with their cocks not their brains.

>I'd be interested to hear a bit of rough statistics about this!
yeah I'm not going to divulge that in detail. The fact is most of the time the perp is made aware to us because of a child's behavior. The problem with Google and Apple making full disk encryption without a backdoor defautly on is that we cannot make it sound like the person purposely tried to out maneuver us if everyone has it.

>Like what things stump LE the most, what things LE get around the most, what tactics they use, etc. Basically just info we can use to protect ourselves from a realistic view of LE as our adversaries.

If we arrive on your doorstep the best you can do is not tell us anything, work through a lawyer.

Anything you do say we might use as evidence against you - or tell the court. We will try to tell you of course that helping us will be a good idea and that, but realistically no.

Wait for your lawyer.

ID: dee02a0d31  No.801

>>I'll have to explore this, the ram isn't ECC, but it is a desktop machine
>A useful program to test this is hxxps://github.com/google/rowhammer-test. The source code is short and easy to skim through.
I shall look at that, I saw the a PoC in the last link.

>BTW you never answered, what do you run for your router, or do you just use the gateway as a router?


I use AlpineLinux, but I might look into hardened gentoo. It does not run Tor, it's a border device between me and the ISP. It runs the VPN, and usual network services, dhcp, DNS, vlan, etc.

> OpenWRT and dd-wrt aren't so secure (but they are much better than any stock firmware out there). I use NetBSD myself but I'll probably migrate to OpenBSD or Alpine.

Yeah I have no need for a web interface. Its easier to harden SSH eg pub/priv key author only, password auth disabled. I also use IPtables to only allow specific IP access anyway. Connections are only allowed from inside the network.

>>I'm sure I can get Gentoo Hardened /w sVirtd going on ramdisk to run my Whonix Workstation KVM

In addition to SELinux through sVirtd, you could also use grsec's own access control system: RBAC. It is more secure than SELinux, although not quite as flexible.

Would his require me writing my own policy files? AFAIK SELinux on gentoo has libvirtd support.

> It is aware of resource limits and PaX though, in addition to filesystem and networking. Because RBAC is built into the kernel and not an LSM, it's fine to use both simultaneously for extra security.


I might take a look at it!

ID: dee02a0d31  No.802

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>797
>The stuff that really gets me mad is when someone causes physical harm to a child, to the point where they want it to stop. In fact I believe it's the moral duty of the adult to have respect for the child's wishes.
Does that make you my adversary if I like Tara? I hope not. Then again I don't produce any hurtcore. I don't have it in me to do anything more than view videos of such things. A catharsis, I suppose.
>Police do lie, often we leave out technical details because we don't want to lose them.
Can you give any examples you are privvy to which are relevant or useful? That is the type of thing I've been searching the internet for years for if I understand what you are saying.
>Sometimes we infer we found something one way, when it was another way.
And that boils my blood. A corrupt world, we live in.

How often are hardware exploits (firewire DMA, cold boot attacks, USB exploits etc) used in an investigation to acquire encryption keys or damning evidence in the filesystem cache? The reason I wonder about this is that modern RAM is hard to cold boot. It uses mem scrambling as a way to mitigate against rowhammer which makes dumps useless much of the time, although the scrambling is not random in a cryptographic sense. Firewire DMA can and often is defeated by removing the module so DMA cannot be initiated. And USB exploits are things which I expect only the NSA or GCHQ or another high-level hacker would be able to do (USB drivers are pretty secure after all).
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWBVdMACgkQnNI2RrsOH0YV5AEAqda9j3jc7g5tSpnuExTaoSV9
qOAyzo7N+gzkR1SeXe8A/i9jUQI5yoMleMbySIoh4RbNy6jgDI0JQKRuNdIRbxkl
=chXB
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.803

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>799
>Too much work, too little time, next case please. We get in trouble if we spend too long on one case and get no results.
I thought so. Confirming that is the best thing I heard all day!
>yeah I'm not going to divulge that in detail
How come? Is the distribution of even rough statistics sufficient to potentially narrow where you work for down more than you are comfortable with?
>If we arrive on your doorstep the best you can do is not tell us anything, work through a lawyer.
That much I already knew. I suppose any other information would be too highly dependent on how damming exactly the evidence used to get the arrest warrant is. I guess if all pedos used Tails and waited for their lawyer if they get arrested, it would cut the convictions down to a microscopic fraction of what they once were (excluding of course opsec mistakes made with a real child they know personally).
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWBWEsACgkQnNI2RrsOH0YS3QEAhDmh1M7lb1o1xvsDfbfITd9d
c+1cJMCHChvVSZKi9poBAMSM0XFmT7jokhHgxNYgiMbf00HbiuUDK+OgTm+XWWmI
=rPV5
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.805

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>801
>Yeah I have no need for a web interface. Its easier to harden SSH eg pub/priv key author only, password auth disabled. I also use IPtables to only allow specific IP access anyway. Connections are only allowed from inside the network.
I don't even do that. I control it only through a physical serial port, so even if my computer or anything on my local network is compromised, it cannot connect to the router to disable or even attempt to disable the last resort safeguards I have in place.
>Would his require me writing my own policy files? AFAIK SELinux on gentoo has libvirtd support.
You would not have to write your own policy files from scratch. RBAC has a good learning mode which creates usable policies automatically. Sometimes they need a little tweaking, but the format is very simple and easy to work with, unlike SELinux. The policy format looks similar to AppArmor and SMACK.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWBWgkACgkQnNI2RrsOH0Y0ewEAhrQMZoGqI0Fyiot1YTmpmQI8
xJIlNLmolKW7ydyz/bIBAL1qPDPITrNGpa66D/wgQdjd+hsIPkR4WhtZBEoGAa4r
=XF2p
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.808

>>The stuff that really gets me mad is when someone causes physical harm to a child, to the point where they want it to stop. In fact I believe it's the moral duty of the adult to have respect for the child's wishes.
>Does that make you my adversary if I like Tara? I hope not. Then again I don't produce any hurtcore. I don't have it in me to do anything more than view videos of such things. A catharsis, I suppose.

it gets you more attention from the international LE community, so it puts you higher on the list. Plus it looks good for UA if we take some sick fuck down.

>>Police do lie, often we leave out technical details because we don't want to lose them.

>Can you give any examples you are privvy to which are relevant or useful? That is the type of thing I've been searching the internet for years for if I understand what you are saying.

Its often the same things you think, like discussed earlier. Usually far less technical. TBH LE doesn't have the resources to employ people like yourself to run investigations. We have people we use when we need them, but they only have so much time for us.

>>Sometimes we infer we found something one way, when it was another way.

>And that boils my blood. A corrupt world, we live in.
well it's a losing battle for us, unlike drugs we can't follow the money or product. The only upside is producers produce evidence for us to arrest them.

ID: dee02a0d31  No.810

> How often are hardware exploits (firewire DMA, cold boot attacks, USB exploits etc) used in an investigation to acquire encryption keys or damning evidence in the filesystem cache? The reason I wonder about this is that modern RAM is hard to cold boot. It uses mem scrambling as a way to mitigate against rowhammer which makes dumps useless much of the time, although the scrambling is not random in a cryptographic sense. Firewire DMA can and often is defeated by removing the module so DMA cannot be initiated. And USB exploits are things which I expect only the NSA or GCHQ or another high-level hacker would be able to do (USB drivers are pretty secure after all).

Our capabilities are mostly limited to off the shelf products. We don't so complicated hardware attacks. There just isn't the time. Some tools can extract keys in memory. So don't keep CP on your regular PC disks you use all the time. If we come and you're doing work, but your PC is on... well that's good. you don't need to look at CP 24/7

>>Too much work, too little time, next case please. We get in trouble if we spend too long on one case and get no results.

>I thought so. Confirming that is the best thing I heard all day!
:( then we get performance reviews and could lose our jobs and not be able to feed our kids. Think of the children!

>>yeah I'm not going to divulge that in detail

How come? Is the distribution of even rough statistics sufficient to potentially narrow where you work for down more than you are comfortable with?
Yes

ID: dee02a0d31  No.811

>>If we arrive on your doorstep the best you can do is not tell us anything, work through a lawyer.
>That much I already knew. I suppose any other information would be too highly dependent on how damming exactly the evidence used to get the arrest warrant is. I guess if all pedos used Tails and waited for their lawyer if they get arrested, it would cut the convictions down to a microscopic fraction of what they once were (excluding of course opsec mistakes made with a real child they know personally).
Yes

ID: dee02a0d31  No.812

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>808
>>810
>it gets you more attention from the international LE community, so it puts you higher on the list. Plus it looks good for UA if we take some sick fuck down.
Is a hurtcore viewer/distributer higher on the list than a producer of non-hurtcore?
>Our capabilities are mostly limited to off the shelf products.
Do you know of any exceptions off-hand? The only ones I know of are academic, highly theoretical, or NSA/GCHQ-type tools.
>Some tools can extract keys in memory.
What such tools are most commonly used by LE to do that? Just the stock firewire readers that are so easy to defeat with ohci1394 module removal? My threat model assumes that I may at some time be presented in a situation where LE busts down my door while I am in the bathroom or otherwise occupied, with my computer with CP unattended but locked. The threat model also assumes they cannot obtain the password to unlock the lock screen.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWBYXcACgkQnNI2RrsOH0ZNrwD+MkJVyLlTWJd0H+KLFxessQPc
hWi7NLovuc/jjWXU9aYA/1iHioVQrexZrbcLAnJ4DaEl4go7wHxLsLvFoVL8jKOj
=f3JL
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.813

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>The only upside is producers produce evidence for us to arrest them.

I would hardly call that an upside.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWBYmAACgkQnNI2RrsOH0a+SQEAxBh1+w3MP1yDbzVd0XnuT0do
WCje6SIl/WA/vVZdzGEA/ipHoC6X68M9NkYTm2DxVe4JPrZlLzm+rG/SJyXjhja9
=85Rn
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.818

>>it gets you more attention from the international LE community, so it puts you higher on the list. Plus it looks good for us if we take some sick fuck down.
>Is a hurtcore viewer/distributer higher on the list than a producer of non-hurtcore?
Its all really pretty bad in the eyes of LE. You're either considered someone that is a risk to kids or not.

Someone fucking kids with different skin tones would lead us to believe they are not fucking their own kids, but rather someone else's.

This certainly is an issue for us as the public becomes outraged if we don't stop it. From what I've seen publicly this would have put TLZ at the top of the priority list.

Also the active user base of 50k users and rules about posting every 30 days. Shutting down the producer section would have been seen as stopping pedophiles from having a venue to produce, or are encouraged to produce.

>>Our capabilities are mostly limited to off the shelf products.

>Do you know of any exceptions off-hand? The only ones I know of are academic, highly theoretical, or NSA/GCHQ-type tools.

The NSA/GCHQ have a lot more room to move outside of the law, more so than we do. We can't be so obvious about it because we can't just claim "national security" to the court.

In the case of XKeyScore some information the NSA collects can be used by the FBI. It however isn't unrestricted.

ID: dee02a0d31  No.819

>Some tools can extract keys in memory.
What such tools are most commonly used by LE to do that? Just the stock firewire readers that are so easy to defeat with ohci1394 module removal? My threat model assumes that I may at some time be presented in a situation where LE busts down my door while I am in the bathroom or otherwise occupied, with my computer with CP unattended but locked. The threat model also assumes they cannot obtain the password to unlock the lock screen.
basically products like FTK, LinEn, Encase etc. Keep your CP in a different compartment to your day to day life. Compartmentalization is one of the biggest and easiest ways to fuck us.

>>The only upside is producers produce evidence for us to arrest them.

>I would hardly call that an upside.
yeah there's really no privacy in the lab, I can't just whip it out and have a tug. I need it to be on the internet so I can do that with some privacy lol.

ID: dee02a0d31  No.820

https://en.wikipedia.org/wiki/Tor-ramdisk
http://opensource.dyc.edu/tor-ramdisk

What about tor-ramdisk?

It seems to be what you want.

> Tor operator only has access to minimal information. Finally, since everything runs in ephemeral memory, no information survives a reboot, except for the Tor configuration file and the private RSA key, which may be exported/imported by FTP or SCP.


> The only known disadvantage is that it cannot host Tor hidden services which would require other services (e.g. http), and their resources (e.g. hard drive space), in addition to the Tor server itself. However, as a middle or exit node, it is ideal.


If you used Torchat that would be on a service behind this machine. The HiddenService line wouldn't be lost. You would have to upload your HS private key though each session.

Seems very minimal http://opensource.dyc.edu/tor-ramdisk-technical

The build system is here https://gitweb.torproject.org/tor-ramdisk.git

ID: dee02a0d31  No.830

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>818
>>819
>Shutting down the producer section would have been seen as stopping pedophiles from having a venue to produce, or are encouraged to produce.
I keep telling the sysadmins for a few producers sites this even when their servers have gaping security holes, but they rarely listen. I would not be surprised if half of those sites were already covertly infiltrated by LE and monitored on a technical level.
>basically products like FTK, LinEn, Encase etc.
That's what I thought. None of those can extract keys from memory unless they are running on the target system in the first place. BTW, is COFEE ever used anymore? I thought it would be dead by now, and just a passing fad, but I heard some other LE pedo mention a while ago that he still sees it in use which surprised me. Everyone is moving on to SleuthKit now.

>>820
>What about tor-ramdisk?
Tor-ramdisk is designed for running relays only. It would take extensive re-configuration to make it suitable to his/her needs.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWCA1AACgkQnNI2RrsOH0YHYwEAxNELtDJVVwOFVsE1DQCiyZ9x
aAerWUnLSDdtotT9QFkA/1VD/6lJRwnX4ymwAlazjq6HbMrP03+JbZXWPcAlkVH2
=T6eJ
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.838

>>>>I'm sure I can get Gentoo Hardened /w sVirtd going on ramdisk to run my Whonix Workstation KVM
>>>In addition to SELinux through sVirtd, you could also use grsec's own access control system: RBAC. It is more secure than SELinux, although not quite as flexible.
>>Would his require me writing my own policy files? AFAIK SELinux on gentoo has libvirtd support.
>You would not have to write your own policy files from scratch. RBAC has a good learning mode which creates usable policies automatically. Sometimes they need a little tweaking, but the format is very simple and easy to work with, unlike SELinux. The policy format looks similar to AppArmor and SMACK.

What I'm wondering is if this would require significant manual maintenance? Although I guess the only service I'd be doing it for would be libvirtd.

That's part of the reason I was going to go with SELinux. These policy files are also public, so more scrutiny by people who know this mandatory access control better than I do.

The other thing is tweaking them (assuming I was running Gentoo Hardened as my hypervisor for my KVM image of Whonix Workstation) might be rather inconvenient if its running from ramdisk, changes would require re-making the boot media. AlpineLinux's lbu tool is really great for doing that kind of provisioning. The bonus is you can encrypt it too.

Have you got any information about creating gentoo root in ramdisk tips? I would be keen to keep the build dependencies out of the hypervisor's root.. which wouldn't be possible if it was a installed version of gentoo. Not like I need things like make and GCC kicking about after I've compiled libvirtd and the kernel and what not.

ID: dee02a0d31  No.839

As for the Tor Gateway I did notice was this https://www.whonix.org/wiki/HardenedGentooTG

> Grsec, full pie, no RBAC (hardly necessary considering the threat model of the gateway), no disk encryption, no RAM wipe on shutdown (help would be welcome). When not using hidden services, tor log and cache files can be put into tmpfs so we don't need FDE at all. Otherwise we can still use partial disk encryption (loop file or /var). Evil maid attacks apply anyway as long as there's an unencryped /boot (and BIOS, and firmware...) and no TPM


>>BTW you never answered, what do you run for your router, or do you just use the gateway as a router?


>I use AlpineLinux, but I might look into hardened gentoo. It does not run Tor, it's a border device between me and the ISP. It runs the VPN, and usual network services, dhcp, DNS, vlan, etc.


Part of the reason for doing that and having three devices is it means the border router can operate a VLAN between itself and the Tor Gateway.

I don't like using BSD for such devices because pf is different between FreeBSD, OpenBSD and NetBSD. Whereas iptables is the same onnevery Linux. Even if pf rule writing is easier.

ID: dee02a0d31  No.840

> AlpineLinux's lbu tool is really great for doing that kind of provisioning. The bonus is you can encrypt it too.

Unfortunately that distribution seems to be too small (not enough developers) to have any RSBAC or SELinux support.

I guess I really need to find a way to make a ramdisk. Its not like there's really anything sensitive there. /vm would be a mount point to an encrypted disk where the Whonix Workstation image is (I think I'll build my own without KDE - probably use tinywm or dwm, as all I'd be running in there is my Tor Browser). Wouldn't want anyone forensically undeleting that.

The other files on the boot media would really be non-specific.

This kind of setup would be good for hosting say nginx and some kind of chan. Although I don't really want to be the next Skee. I don't think its a good idea for producers/kiddy lovers to have a persistent entry point on the internet. I guess there's very little forensic evidence when I ram my disk in her vaginal opening (clarification of ram: gently stroke, rub) ;) I make sure to wipe her afterwards. I am very gentle, she sometimes even giggles when I do it.. so sweet makes me cum all the faster.

ID: dee02a0d31  No.841

Anyway, if I understand it correctly, no cp found on your gear = no case. Period. Even if they have your IP supposedly downloading / distributing cp this alone shouldn't be enough to get a conviction in most Western countries. I've seen numerous examples of this in the news and elsewhere. So I don't really see much need for all these sophisticated, time consuming linux-based configurations. If you encrypt your entire system and hard drives with a strong enough password / keyfiles using open source encryption solutions, you may just as well use Windows (firewalled / sandboxed) and not worry too much about it, unless you're a producer or some other high target.

ID: dee02a0d31  No.842

I personally use windows XP but use Sandboxie for everything topic, like torbrowser. I am also running Comodo antivirus / firewall. All my disks are fully encrypted with truecrypt and veracrypt. How safe am I, if I am just a regular cp downloader?

ID: dee02a0d31  No.843

>841
>842

If you want a no hassle solution and your not hosting a hidden service you're still better off using Tails, the reason is purely compartmentalization. You can mount an encrypted disk inside Tails to store your CP. It is documented and designed with your usage case in mind.

Your windows install will certainly have a larger surface area - (things that can go wrong) and likely configuration issues (shit you don't know about). Don't take it personally but if your looking to stay with windows, you probably don't know much about netsec.

You simply should not be using the same OS you use for day-to-day activities for on-topic stuff. If your apply the "windows is safer because I'm used to it", then plainly you are wrong.

Do not rely on any proprietary products, they are probably poorly maintained (internally last the marketing paint). You really don't know, as they are closed source.

That conversation about the Gentoo ramdisk, hardened toolchain, etc is mainly targeted at best case security. Ie trying to mitigate zero days that haven't yet been discovered and patched, which is something your windows install certainly doesn't do and isn't designed to do.

A hidden service operator is likely to very much care about this as they have a persistent point on the internet. LE would be trying to find holes in a CP site they might be running.

ID: dee02a0d31  No.844

> windows XP
Do not use this for anything!!!!! EVER

Microsoft no longer supports it which means no updates.

> Comodo antivirus / firewall.

consider antivirus useless. it is a trivial affair to write malware to bypass this. once infected the malware fan neuter your virus scanner.

Linux is safer in this respect because software comes from a repository, it is signed with a cryptographic key. Community members can do deterministic building to check the binary signed by the maintainer matches the source code.

> Anyway, if I understand it correctly, no cp found on your gear = no case. Period.


not necessarily, it depends on the evidence that led them to you in the first place. There is also key disclosure laws around the world, they do vary. You do NOT want to deal with a long tedious legal process and the shame of people knowing you like kids.

> open source encryption solutions,

if you care enough to not use bitlocker then you shouldn't use windows at all. if your system somehow has malware, eg a simple keylogger then it really won't matter what crypto solution you went with.

Apart from that Tails is literally designed for people with little computing knowledge, reporters, activists etc.

You are also far more likely to get help here about that than windows. Every windows setup is different and its impossible for anyone to know how secure/insecure yours is.

> sandboxie

while it may solve SOME problems it by no means is an acceptable solution.

ID: dee02a0d31  No.845

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>838
>What I'm wondering is if this would require significant manual maintenance? Although I guess the only service I'd be doing it for would be libvirtd.
Very little manual maintenance. Even though it is source-based, compilation and installation failures are very rare, even on full desktop systems and bloated servers.
>The other thing is tweaking them (assuming I was running Gentoo Hardened as my hypervisor for my KVM image of Whonix Workstation) might be rather inconvenient if its running from ramdisk
It's as easy as mounting the drive that contains the installed system and updating it. Then next time you boot, you boot from the updated system. Grsecurity even contains an option for forced read-only mode, called runtime read-only mounting protection.
>Have you got any information about creating gentoo root in ramdisk tips? I would be keen to keep the build dependencies out of the hypervisor's root.. which wouldn't be possible if it was a installed version of gentoo. Not like I need things like make and GCC kicking about after I've compiled libvirtd and the kernel and what not.
Build the hypervisor system into an alternate initramfs. It will only require a tiny fraction of what makes a full system, and you can selectively choose what programs and libraries are sent to the alternate initramfs. Use tor-ramdisk's internals as a starting point to learn how to make a minimal, but still functional initramfs.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWCiOMACgkQnNI2RrsOH0a/GAEAqvEkKofRybs5UCINLTpOYTyg
/JzTCKVuJHELT4X/OzkA/AgFKyYKjFBjNrMzlyu80bVMqAen0CM9vz1K270rqc5o
=TpPy
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.846

Looks like VeraCrypt is not included in Tails, (not in the Debian repositories yet).

TrueCrypt had certain licensing issues that prevented it from being distributed.

However cryptsetup is, it uses crypto code from the Linux kernel and has undergone a security audit.

I use it on the command line, its pretty easy once installed "cryptsetup" with apt-get all you need is luksOpen to open, luksClose to dismounted and luksFormat. Just Google it or look at the man file.

In actual fact this is probably more secure than truecrypt or veracrypt because of the deterministic building mentioned above for all packages in the Debian repository.

Hidden partitions, don't really work these days, LE tools just say that if data is a certain degree of randomness it must be encrypted.

There are tools to do contact sheets. Myself I use vcs for video contact sheets and montage for directories of pictures. While they are command line based they are fairly easy to use.

ID: dee02a0d31  No.847

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>841
>If you encrypt your entire system and hard drives with a strong enough password / keyfiles using open source encryption solutions, you may just as well use Windows (firewalled / sandboxed) and not worry too much about it, unless you're a producer or some other high target.
If you use Windows, it will make hacking the browser much easier. If that happens, the encryption keys can be stolen from RAM and exfiltrated to a remote, LE-operated server. It will be used to decrypt your hard drive after the arrest.
>Even if they have your IP supposedly downloading / distributing cp this alone shouldn't be enough to get a conviction in most Western countries.
There have been many cases where an IP address alone is enough to convict.
>>842
>I personally use windows XP but use Sandboxie for everything topic, like torbrowser. I am also running Comodo antivirus / firewall. All my disks are fully encrypted with truecrypt and veracrypt. How safe am I, if I am just a regular cp downloader?
DO NOT USE XP. It is not updated anymore and has an insane number of wholes which Microsoft will never fix. Public holes too. Your safety is very low. If you MUST use Windows, upgrade to Windows 7 ASAP! Put it this way: I could send you a website URL. If you clicked it, then no matter how much noscript or antivirus you use, you WOULD be given a rootkit that would steal the encryption keys from your drive. I could write a program like that on my free time.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWCi1kACgkQnNI2RrsOH0bjEwEAw/zRNArKgHPHDn51oPFR6qVC
4Sgs0/GW4mrFPByYLH0A/2TwcCTR7HVZT7bJ+J5mV74nsEdBbmLFInYlQ7pI0lNh
=I5Aw
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.848

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>841
>If you encrypt your entire system and hard drives with a strong enough password / keyfiles using open source encryption solutions, you may just as well use Windows (firewalled / sandboxed) and not worry too much about it, unless you're a producer or some other high target.
If you use Windows, it will make hacking the browser much easier. If that happens, the encryption keys can be stolen from RAM and exfiltrated to a remote, LE-operated server. It will be used to decrypt your hard drive after the arrest.
>Even if they have your IP supposedly downloading / distributing cp this alone shouldn't be enough to get a conviction in most Western countries.
There have been many cases where an IP address alone is enough to convict.
>>842
>I personally use windows XP but use Sandboxie for everything topic, like torbrowser. I am also running Comodo antivirus / firewall. All my disks are fully encrypted with truecrypt and veracrypt. How safe am I, if I am just a regular cp downloader?
DO NOT USE XP. It is not updated anymore and has an insane number of holes which Microsoft will never fix. Public holes too. Your safety is very low. If you MUST use Windows, upgrade to Windows 7 ASAP! Put it this way: I could send you a website URL. If you clicked it, then no matter how much noscript or antivirus you use, you WOULD be given a rootkit that would steal the encryption keys from your drive. I could write a program like that on my free time.
-----BEGIN PGP SIGNATURE-----

iF4EAREIAAYFAlWCi5EACgkQnNI2RrsOH0b39AEAn9nd4Hv42/PlN49jGTrBPECv
RQzAV50D7FM696n08uIBAJwWl1HrMpNNDypkuH6xtvLB99jb1NkF3Brqxd5NeNYS
=BVLB
-----END PGP SIGNATURE-----

ID: dee02a0d31  No.850

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>843
>That conversation about the Gentoo ramdisk, hardened toolchain, etc is mainly targeted at best case security.
Exactly true. Don't worry that you have to do anything complicated involving advanced configurations or ACLs. Using Tails will make you 99.9% secure. All the (mostly justified) paranoia around more and more hardened Linux systems only raises that to 99.99% secure. It's not necessary to be safe for a regular CP consumor.
>>844
>while it may solve SOME problems it by no means is an acceptable solution.
The big problem about sandboxie is it is not a secure solution for this threat model. Anyone with access to the filesystem can invoke SMB services which can be forced to bypass a proxy, even if you use sandboxie to block networking. So even if you sandbox a program so it can only access 2 files, it can still use any of those two files to deanon you. And even moreso, sandboxie does not protect or defend the kernel: the core of the operating system. Linux has a much more secure kernel that even has some self-defense mechanisms built into it.

ID: dee02a0d31  No.851

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>846
>I use it on the command line, its pretty easy once installed "cryptsetup" with apt-get
In Tails, cryptsetup is preinstalled. It is preinstalled in most other distributions as well.
>In actual fact this is probably more secure than truecrypt or veracrypt because of the deterministic building mentioned above for all packages in the Debian repository.
It is also more secure because it uses a stronger version of a password-strengthening feature called PBKDF2. TrueCrypt only uses one thousand rounds of PBKDF2 (which means it re-hashes your password a thousand times to slow down brute force attacks). Cryptsetup (which is just the command that manages LUKS encryption) does not use such a low and fixed number. On most computers it is on the order of a hundred thousand or more. This will mean that any password will take more than hundreds of times longer to crack using LUKS than using TrueCrypt.
>Hidden partitions, don't really work these days, LE tools just say that if data is a certain degree of randomness it must be encrypted.
Hidden TrueCrypt volumes do work: hxxps://security.stackexchange.com/questions/9058/is-it-possible-to-infer-that-a-hidden-truecrypt-partition-is-likely-to-be-presen

ID: dee02a0d31  No.853

>>846
In tails there is totem-video-thumbnailer. I do this:
totem-video-thumbnailer --jpeg --size 256 --gallery 9 video.mp4 video.mp4.jpg

ID: dee02a0d31  No.859

>>In actual fact this is probably more secure than truecrypt or veracrypt because of the deterministic building mentioned above for all packages in the Debian repository.
>It is also more secure because it uses a stronger version of a password-strengthening feature called PBKDF2. TrueCrypt only uses one thousand rounds of PBKDF2 (which means it re-hashes your password a thousand times to slow down brute force attacks). Cryptsetup (which is just the command that manages LUKS encryption) does not use such a low and fixed number. On most computers it is on the order of a hundred thousand or more. This will mean that any password will take more than hundreds of times longer to crack using LUKS than using TrueCrypt.

Just to note here they increased the number of rounds with VeraCrypt - which is why it is incompatible with TrueCrypt hxxps://veracrypt.codeplex.com/wikipage?title=Header%20Key%20Derivation

ID: dee02a0d31  No.860

>>Hidden partitions, don't really work these days, LE tools just say that if data is a certain degree of randomness it must be encrypted.
>Hidden TrueCrypt volumes do work: hxxps://security.stackexchange.com/questions/9058/is-it-possible-to-infer-that-a-hidden-truecrypt-partition-is-likely-to-be-presen

You're right of course. It does disguise the case there is a hidden partition. Most LE will however ask the suspect if they used TrueCrypt or hidden partitions. If they say yes, and the password doesn't give them CP they might just say there could be a hidden partition to a court, although they wouldn't be able to prove it. If you think what you have might cause LE to break out the rubber hose then that might be a different story.

One of the things I do like about VeraCrypt's format/TrueCrypt is that headers are not attached like they are with LUKS volumes. Unless you use DM-crypt without LUKS.

hxxps://gitlab.com/cryptsetup/cryptsetup/wikis/FrequentlyAskedQuestions#2-setup

Specifically: 2.4 What is the difference between "plain" and LUKS format?

ID: dee02a0d31  No.861

>In tails there is totem-video-thumbnailer. I do this:
>totem-video-thumbnailer --jpeg --size 256 --gallery 9 video.mp4 video.mp4.jpg

ah, I hadn't heard of that one. smplayer is another. VCS is a bash script that uses mplayer and ffmpeg I think. Easy to keep in your persistent part.

It isn't in the Debian repos, but it is however a human readable shell script.

hxxp://outlyer.net/etiq/projects/vcs/

the --anonymous function makes sure it doesn't print the username on the bottom of the sheet.

ID: dee02a0d31  No.864

>it gets you more attention from the international LE community, so it puts you higher on the list. Plus it looks good for us if we take some sick fuck down.
I imagine Daisy Destruction got on the special list. It still makes me angry to think about that. But part of me is sad for the perp as his brain must be pretty fucked if he thought that was okay to do to another human being.

>>Shutting down the producer section would have been seen as stopping pedophiles from having a venue to produce, or are encouraged to produce.

>I keep telling the sysadmins for a few producers sites this even when their servers have gaping security holes,

Some of the advice in here really is quite good. I looked at Whonix Physical Isolation, and tbh most of the sites we've seized aren't set up by gurus like yourself. Let alone that other gentoo hardening stuff. This would create significant problems if implemented as we would have to rely on human factor entirely!

From what I know its not usually even XSS or anything like that. Its usually the human factor, like hosting on a VPS - and the VPS provider tips us off etc. People do stupid shit, especially those who've just discovered Tor and think it is the be all-end all thing. I would not run a cp site unless you have a background in netsec. You need more than just your personal opsec when doing that. The sad thing is you have these wonderfully secure operating systems yet, pedophiles are too lazy to learn to use them. Their loss I guess, and our advantage. Least I'll always have a job.

ID: dee02a0d31  No.865

Other factors you should consider: does anyone IRL know your running the site? They could hurt you badly if they wanted to in the future.

If you are a producer, and you get raided because of the child factor will your arrest hurt other producers?

Consider physical security. What might happen if someone happened to come across said server (say a computer in your house and the wife got curious) or in a data center. Locks and case open sensors might be a good idea.

In some cases Freenet is probably more secure as you don't need a persistent presence on the internet. it would certainly solve the share hosts deleting files problem. Producers need to get out of the circle/producer section mentality, it makes them more vulnerable as they not only have physical attachment to the CP but also an electronic one.

Unfortunately I think this is why they get into site hosting eg to "get more private cp" and they do so without technical expertise or patience to fully learn their skill set before setting up their site. You don't get second chances in this business.

Then there is the other sort that "think" they know, usually the ones that defend why they use windows and why not to use Linux are in this category. Realistically it takes quite a lot of tailoring to produce a high security system.

ID: dee02a0d31  No.866

Hoarding, trading privately is literally the worst thing you can do. We don't just have people who do intelligence gathering covertly, we also have behavioral scientists and linguists. Stylometry tends to be employed more when we are trying to impersonate a persona, because it requires qualification thus cost. It is likely someone studied Skee, in order to pretend to be him. As the message on the front page and conversation in the Skee post mortem thread indicated nobody knew. Sometimes we work with people inside a circle that we have busted, that are close to the target.

Information about who knows who, is quite important to us as it tells us where to spend resources.

Secondly you are more likely to share things about yourself inadvertently with a persona you know rather than on a site like this. Keep the distance. If one card falls you won't get caught in it.

If you have rare or new stuff or your a producer then we want in that circle to collect evidence of the children being abused while we can still "save" them. We expend significant resources on this.

It also means the chain of dissemination is much shorter and easier to predict. If you aren't happy with your CP being public, don't send it to anyone. It is best if you remove unnecessary items. Only have sheet, bed etc. Don't have things that can be studied and possibly reveal location even generally eg country/timezone.

In western world many teachers and child carers are taught how to spot an abused child. Inherently kids exposed to sexytime sometimes have urges to satisfy themselves not in private. Stroking your pussy while listening to storytime is one good example.

Sometimes it's kids that say things. Often by accident.

ID: dee02a0d31  No.867

> but they rarely listen. I would not be surprised if half of those sites were already covertly infiltrated by LE and monitored on a technical level.

Possibly, depends on how gaping the hole is. In any case, no hole is good. You should do your best to minimize those. The risk of going to jail for a looooooong time you'd think would be enough to discourage people or encourage them to learn.

Minimize the use of tripcodes. Use them for specific things. Like NotTheGrugq would be smart not to post CP using that tripcode. Use another one and another name, don't get attached to names. Don't concern yourself with what we can prove and what we can't.

This is also why sites like Invision/phpbb etc where anonymous communication under a persona everyone can share eg "Anonymous" isn't possible are bad. Avoid shit like WordPress and large web platforms.

I imagine TinyBoard/ViChan significant simpler code bases. The more features the more risks.

>>basically products like FTK, LinEn, Encase etc.

>That's what I thought. None of those can extract keys from memory unless they are running on the target system in the first place.
Well we can ask you to unlock your workstation to run things. We can be very convincing ;) I would make sure you keep it compartmentalized. You never know how you might react when the officers ply their trade.

ID: dee02a0d31  No.868

>BTW, is COFEE ever used anymore? I thought it would be dead by now, and just a passing fad, but I heard some other LE pedo mention a while ago that he still sees it in use which surprised me. Everyone is moving on to SleuthKit now.
believe it or not most PDs don't have all the tools on the market. I never used COFEE. I think it was something Microsoft tried to get PR. They have been known to help us with CP related stuff, training etc.

Sometimes we are even forced to use tools that are not the latest version. Encase forensic for example is thousands of dollars. If we are still convicting (same metrics) its hard to make demands for more tools, and training.

However a that said times are changing, we are living in post-snowden times. It is about time you guys start thinking preemptively rather than reactionary to busts. Our powers are expanding as a need to address new crime.

Especially as a lot believe we can't disseminate CP. This hasn't been true for a while, we usually can if it is part of an investigation eg like TLZ where we need to maintain covert activities.

Unfortunely we can't yet produce it for our "cover" :-( "Sorry hun I'm caught up at the office sticking it in this 9yo for work!"

ID: dee02a0d31  No.883

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>864
>his brain must be pretty fucked if he thought that was okay to do to another human being.
The perp for that was a girl. She was the owner of NLF (No Limits Fun).
>>866
>As the message on the front page and conversation in the Skee post mortem thread indicated nobody knew.
This is one reason why I use PGP. If I ever become a producer or open up a website myself (which I have been considering. Come at me bros!), the PGP will make sure that the only effective way to impersonate me is to force me into giving up my private key.
>>867
>Minimize the use of tripcodes. Use them for specific things. Like NotTheGrugq would be smart not to post CP using that tripcode. Use another one and another name, don't get attached to names. Don't concern yourself with what we can prove and what we can't.
I post CP with this tripcode only because I want to get into the members section and cam-a-lot. I don't get attached to it and I'll ditch it when I no longer need it, after which I will go back to being anonymous.
>>868
>Unfortunely we can't yet produce it for our "cover" :-( "Sorry hun I'm caught up at the office sticking it in this 9yo for work!"
Do you ever use unreleased private CP that you found on a pedo you arrested and use it to simulate new content?

ID: dee02a0d31  No.889

>>his brain must be pretty fucked if he thought that was okay to do to another human being.
>The perp for that was a girl. She was the owner of NLF (No Limits Fun).
I was under the impression it was Peter Gerard Scully. The mother did have something to do with Peter looking after her girl, but didn't commit the abuse.

>>866
>>As the message on the front page and conversation in the Skee post mortem thread indicated nobody knew.
>This is one reason why I use PGP. If I ever become a producer or open up a website myself (which I have been considering. Come at me bros!), the PGP will make sure that the only effective way to impersonate me is to force me into giving up my private key.

Be that as it may, it also means you have no plausible deniability attached to any message, should you be apprehended in some other way outside of the technical sphere.

The less digital footprint you leave the better.

>>867
>>Minimize the use of tripcodes. Use them for specific things. Like NotTheGrugq would be smart not to post CP using that tripcode. Use another one and another name, don't get attached to names. Don't concern yourself with what we can prove and what we can't.
>I post CP with this tripcode only because I want to get into the members section and cam-a-lot. I don't get attached to it and I'll ditch it when I no longer need it, after which I will go back to being anonymous.

I hope that does mean you'll (and others) post CP. There are always new pedophiles coming along, so what's old to you, might be new to someone else.

ID: dee02a0d31  No.890

>>868
>Do you ever use unreleased private CP that you found on a pedo you arrested and use it to simulate new content?
Every dissemination is seen as a crime against a child and is punishable, so we don't go out of our way to do it.

The problem here is if the victim ever found out we did that, they could take legal action against us. I've not heard of it happening, but I haven't heard of it not happening. I would think it would depend on the investigation and the stakes in it. Mind you, when you become LE you don't just "know everything". Usually there is more than one way to skin the rabbit. I would not depend on the "cops can't to X" argument.

It also depends on which part of the world that LE is from. Some LEA are given much more room to move around the law, because the courts see them as the "good guys" in those countries. Some of that intelligence may end up in the hands of LE closer to the suspect.

There is a lot of internal compartmentalization and you can only look up cases your involved in, as there are auditing processes to locate officers looking up case information they should not be.

ID: dee02a0d31  No.893

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>889
>I was under the impression it was Peter Gerard Scully. The mother did have something to do with Peter looking after her girl, but didn't commit the abuse.
The news sites say that a 13 year old girl was forced into hurting the baby. But the girl was clearly older than 13, both in height and physical looks. Very interesting to read the articles though. And to think I chatted with him for hours in an email... It's a crazy thought. He did come off as a bit of a sociopath.
>Be that as it may, it also means you have no plausible deniability attached to any message, should you be apprehended in some other way outside of the technical sphere.
I had said that but ran out of character space (yet again). I'm glad I'm not use RSA for the signatures now... But yes, the big downside is that I have no ability to claim someone else posted. That's difficult anyways because I am using a tripcode however. But TBH, I also want people to be exposed to PGP. I hope that at least one person will see it, be interested enough to look it up, and begin using it to encrypt their private communications. Seeing a random person using PGP in a place where few others did is exactly what made me interested in starting to use it.
>I hope that does mean you'll (and others) post CP. There are always new pedophiles coming along, so what's old to you, might be new to someone else.
I regularly do, but only several times so far under this identity.

ID: dee02a0d31  No.897

Well, from what I understand you can't just remember your private PGP key. You have to have it stored somewhere. If you ever get as unlucky as skee and gets busted with your machine on and decrypted, that means they will also likely get their hands on your private PGP keys.

ID: dee02a0d31  No.903

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>897
PGP private keys are themselves encrypted for that reason specifically. If anyone gets hold of your unencrypted hard drive either with a DMA attack, cold-boot attack, or just cracking your password, they'll need to additionally crack the private key's symmetric encryption key. A high s2k-count option in gnupg makes cracking it even more difficult. The only way that they could get the password for your private key is 1) cracking the password itself, 2) installing a keylogger (which might not apply depending on your threat model), or 3) cold-booting or doing a RAM dump within a fraction of a second of typing in your password (which is utterly impractical). The thing to take away from this is that your private key is still perfectly safe even if you get caught with your computer decrypted and online, like skee.

If skee had been using PGP, LE would have no ability to impersonate him and they would have failed to run TLZ. All the people who have been arrested because of the information they gained by running TLZ for so long would still be free, and all it would have taken is one man studying how to use gnupg for 20 minutes... But due to laziness, arrogance, or simple foolishness, everyone who used his service was only safe trusting him only under the assumption that he remained a free man. An assumption which proved false in the end, with terrible consiquences (for us).

ID: dee02a0d31  No.905

> If you ever get as unlucky as skee and gets busted with your machine on and decrypted, that means they will also likely get their hands on your private PGP keys.

This is why we compartmentalize. Technically this is done using Tails or Whonix (in an encrypted space). This means if your caught with your PC on - but doing not doing CP you can be sure there won't be any accessable evidence.

>>903
While true technically its seems Skee didn't practice good opsec at all, lacked compartmentalization and therefore was caught with everything - red handed.

Remember full disk encryption only works IF the disk is unmounted. If the whole disk is mounted with no compartmentalization and you are arrested the keys can simply be extracted from RAM. Eg like Ross Ulbricht of silk road.

He thought he was safe. He had information on other people (photographic), ledgers of money transfers and lots and lots of log files. For some reason he thought it was a good idea to go to coffee shops, this was a problem because he lacked physical security of his laptop. Two FBI agents staged an argument to get him to look the other way, and a third swiped his laptop.

As the machine was booted all his full disk encryption keys were in RAM.

Also gpg --list-keys will show the key's fingerprint so keeping that key with that identity in the same compartment as your real identity is stupid. The symmetric encryption only stops someone signing or decrypting with that keypair, it does not protect the fact you own that keypair.

ID: dee02a0d31  No.906

> If skee had been using PGP, LE would have no ability to impersonate him and they would have failed to run TLZ.

Well not with that certainty:

- He would have had to have consistently used it so the LE agent couldn't accidentally give some excuse like "his hard drive died and he lost the key"

- There wasn't any other leverage that could be used on him to make him help/want to help LE for a lighter sentence. He had fucked kids, photographic evidence of that is known to exist, lots of it. You really cannot predict how you might react when you are told you're going to jail for 40 years for sex with a child.

ID: dee02a0d31  No.907

> he thought it was a good idea to go to coffee shops
He also thought it was a good idea to ask on stackoverflow for help with some script using an account he hqd used untorified. The script in question even contained the silk road .onion

He also thought it was a good idea to ask on clearnet what people thought of silk road pretending to be a third person.

ID: dee02a0d31  No.908

> All the people who have been arrested because of the information they gained by running TLZ for so long would still be free, and all it would have taken is one man studying how to use gnupg for 20 minutes...

Actually I believe Skee didn't run the website. While he was a administrator, that was on the phpbb side of it. He was not the sysop.

The sysop was believed to be Ioh (man from the Netherlands) mentioned in that news article. Likely he had physical access of some kind and Argos got the servers from the LE in that country, under the "existing investigation" of Skee.

They both used TorChat, so in a way were kind of using a public/private key crypto system. (With the lack or symmetric encryption on the keypair as Hidden Services/TorChat doesn't do that.

The fact is its impossible to know with certainty the person your speaking to one day is not LE the next, especially if the compromised individual is sitting next to the LEA advising them what not to say and what to say for a "lighter sentence". I don't know whether this is legally possible, its better to assume it is than isn't. I'm pretty sure that is what happened with Sabu (Hector Monsegur)

ID: dee02a0d31  No.909

> But due to laziness, arrogance, or simple foolishness, everyone who used his service was only safe trusting him only under the assumption that he remained a free man. An assumption which proved false in the end, with terrible consiquences (for us).

This is the problem with personal extended relationships with people online. Producer circles (which Skee was a part of) cultivate this. It is better to have no digital relation to the production of CP. You can't avoid the physical one.

In short, if you aren't happy conducting your business in public for all to see, you probably shouldn't be sharing that information at all.

Sites which promote forced identities with extended longevity, uploading GBs for "extra" access", threatening users that if they don't keep doing it they will have access revoked and discourage regular cycling of identities are bad news for opsec.

The problem is this way of thinking depended on LE not obtaining that identity and using it to get further information.

Its also driven by greed to have more "new" or "rare" CP. Everybody wants something someone else doesn't have. We try to tell ourselves that's to prevent freeloaders/lurkers having access, but that isn't really true.

It gives you no plausible deniability and you then only have to make one mistake with that identity for the results to be catastrophic.

ID: dee02a0d31  No.911

In regards to the way this site handles that one has the option of using a tripcode to meet his/her necessary requirements for the member section.

One can reduce the link of any textual association/discussion by not using that tripcode when talking in the text areas. Does the members section have a discussion section?

ID: dee02a0d31  No.912

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>905
>>906
>>908
>While true technically its seems Skee didn't practice good opsec at all
Why are all CP site owners like this??? It makes me so angry! They have a great responsibility and they act like it is all a fucking game! I wish I had the time and money. I could replace all those terrible CP single-handedly.
>- He would have had to have consistently used it so the LE agent couldn't accidentally give some excuse like "his hard drive died and he lost the key"
While "I lost my hard drive" might be an excuse that would fly for the masses, it would be very suspicious to people who know him well or more paranoid influential people (such as a smart sysop).
>- There wasn't any other leverage that could be used on him to make him help/want to help LE for a lighter sentence. He had fucked kids, photographic evidence of that is known to exist, lots of it. You really cannot predict how you might react when you are told you're going to jail for 40 years for sex with a child.
Remember LE did have to impersonate him, so that means he probably didn't give his full co-operation and turn into a backstabber like Sabu became. But, that might also be because LE felt safer impersonating him by themselves instead of risking skee give away that he was in trouble using some covert SOS signal that he had worked out beforehand.

I heard a rumor that the sysop was glove, but I didn't think he had the technical skills. Do we have any information on what the sysop's full name was?

ID: dee02a0d31  No.913

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

>>911
>One can reduce the link of any textual association/discussion by not using that tripcode when talking in the text areas. Does the members section have a discussion section?
Yes it does. But I don't plan on using it too much. I just want to get cam-a-lot access, and I'm willing to share a lot using a static identity for a time if necessary. I really wish that were not the case though!

ID: dee02a0d31  No.914

Also sites like this one eg chans, provide a moving target for producers, where as sites like TLZ (forum boards) provide a static point to infiltrate. Both the producer and where they are to be found (the site). Eg will the person come back, was it a once off? Is not a question LE have to ask when dealing with something like TLZ.

LE will get in eventually. There will be some knobhead producer that has zero opsec, thinks with his dick rather than his brain and gets caught balls deep in a child by his wife that will give them access to it all.

If anything not having producer sections will not incentivize the covert continuation of that site should it be physically compromised in some way.

ID: dee02a0d31  No.915

Take the way wooglecute did it. He would have been smart to know about EXIF tags BEFORE making his post. It is fortunate his device didn't add geolocation (longitude/latitude) to the EXIF tags. This did however happen with Gina's dad.

Whether he got busted some other way is unknown. If he released those photos and simply disappeared it is unlikely LE would ever locate that child. Especially as her face was censored.

If however some stupid producer circle tried to get him to join, well then he now has a persistent point to be exploited.

If more new CP appeared publicly by unknown personas or pseudonyms it might also have an effect on the community eg people enjoying child love, why can't I? This might encourage them to do it.

I'd still keep the no hurtcore rules though as that is fraught with danger to the producer and the child. There is also no way you can morally condone hurting someone else, let alone someone smaller, weaker, and less capable of defending themselves.

ID: dee02a0d31  No.916

It might even be a good idea to have some concise guides related to:

* personal opsec - eg use Tails an amnesic distribution
* how to use FDE eg dmcrypt, VeraCrypt in conjunction with Tails
* explain shredders are not foolproof at stopping modern day digital forensics.
* virus scanners won't stop specially crafted malware by police (policeware)

* not to use Windows or MacOSX, lots of moving parts, services that call home (Microsoft license validation, network connectivity, radar.apple etc)
- and that they do not force all network traffic into Tor

* redaction of images using free software tools, gimp, exiftool
* redaction of videos, and the extra dangers involved with video (background sound, hum etc mentioned in the first part of the thread)

* compartmentalization
- Use a special purpose camera
- Sanitize sdcards/regularly destroy
- only do your shit on limited hardware eg one specific computer so that you can keep track of what devices are clean and what are not.

* how to make thumbnails/cs sheets
- Using montage, or totem video thumbnailer
- If everyone used the same software for making contact sheets and video sheets then it would prevent fingerprinting (think browser user agent, torbutton does this for all Tor users.

All of this should be in a HTML distributable form like the pedophile handbook, where you can download it and simply open index.html

That way it wouldn't be lost if a site got taken down.

Plan also on it being translated. It would make it less daunting for producers without technical skills, and filter out all the irrelevant, obsolete and bullshit advice some people who "think they know" give.

ID: dee02a0d31  No.917

> All of this should be in a HTML distributable form like the pedophile handbook, where you can download it and simply open index.html
Or some non-binary markup language

Not .ps or pdf

ID: dee02a0d31  No.918

>>905
>>906
>>908
>>While true technically its seems Skee didn't practice good opsec at all
>Why are all CP site owners like this??? It makes me so angry! They have a great responsibility and they act like it is all a fucking game! I wish I had the time and money. I could replace all those terrible CP single-handedly.

My understanding is that he inherited the website from A1 (Dee Keller) a long time ago, back when Marlboroman was around. A1 was arrested and it passed to Skee. The site was hosted on FH at the time. A1 did actually have a PGP key believe it or not. TLZ also had a section where people could post public keys.

I'm also led to believe they ran HH, (Hoarders Hell), but that shutdown. I think the producer section in TLZ became the successor to that, because people were mad that SVIPs didn't have to fuck kids to be a part of it.

>>- He would have had to have consistently used it so the LE agent couldn't accidentally give some excuse like "his hard drive died and he lost the key"

>While "I lost my hard drive" might be an excuse that would fly for the masses, it would be very suspicious to people who know him well or more paranoid influential people (such as a smart sysop).
The thing is when most producers become site owners they are not paranoid enough. They've also been exposing themselves for years making CP and not getting caught thus are desensitized to it.

ID: dee02a0d31  No.919

> Dee Keller
Der Keller

>>- There wasn't any other leverage that could be used on him to make him help/want to help LE for a lighter sentence. He had fucked kids, photographic evidence of that is known to exist, lots of it. You really cannot predict how you might react when you are told you're going to jail for 40 years for sex with a child.

>Remember LE did have to impersonate him, so that means he probably didn't give his full co-operation and turn into a backstabber like Sabu became. But, that might also be because LE felt safer impersonating him by themselves instead of risking skee give away that he was in trouble using some covert SOS signal that he had worked out beforehand.
Possibly, or maybe he did have other encrypted devices that couldn't be unlocked. All we know is he was caught logged in to TLZ (if we can trust LEs statement to the media), and that he used TrueCrypt. Maybe helping LE would have required him to unlock everything. Maybe his defence told him not to. We will never know. We will probably never have all the pieces of the puzzle either.

> I heard a rumor that the sysop was glove, but I didn't think he had the technical skills. Do we have any information on what the sysop's full name was?

Its possible, after the FH bust TLZ was brought back as a discussion forum only temporarily by Ioh, maybe this was his server and he didn't want CP trading going on with his hardware.

I think he did however own the image host.

Maybe then someone else provided the hardware and it got launched for real (reopened trading)

ID: dee02a0d31  No.921

Who is this sabu you are talking about? An admin of some busted site of the past?

ID: dee02a0d31  No.923

He was the cofounder of the hacker group LulzSec. Worked with the FBI for 10 months as an informant to take down other members. 2 seconds of using a search engine would have told you that. These are some key parts. Whether or not this happens with CP offences is unclear.

> Federal agents arrested Monsegur on June 7, 2011. The following day, Monsegur agreed to become an informant for the FBI and to continue his "Sabu" persona.


> "Since literally the day he was arrested, the defendant has been cooperating with the government proactively," sometimes staying up all night engaging in conversations with co-conspirators to help the government build cases against them, Assistant U.S. Attorney James Pastore said at a secret bail hearing on August 5, 2011.[14]


> A few days after that bail hearing, Monsegur entered a guilty plea to 12 criminal charges, including multiple counts of conspiracy to engage in computer hacking, computer hacking in furtherance of fraud, conspiracy to commit access device fraud, conspiracy to commit bank fraud and aggravated identity theft. He faced up to 124 years in prison.[14]


> As an informant, Monsegur provided the FBI with details enabling the arrest of five other hackers associated with the groups Anonymous, LulzSec and Antisec.


> The FBI provided its own servers for the hacking to take place.[16] Information Monsegur provided also resulted in the arrest of two UK hackers: James Jeffery and Ryan Cleary.[18]


hxxps://en.wikipedia.org/wiki/Hector_Monsegur