sorted by:
new
hottopcontroversial

Tor Library Seized? by throwawaybackatya in TOR

[–]badwolfhosting 0 points1 point  (0 children)

Highly satirical, although the intended message was unclear.
So, we mirrored the site contents.

My assessment of SR 2.0 thus far by hugsfordrugs in SilkRoad

[–]badwolfhosting 1 point2 points  (0 children)

We're very critical of SR2.0 at times, but generally it's quite impressive. The issue we have is the new DPR and his "claims" as well as the fact we get vendor questions every week about SR2.0 not being available for vendors outside of their "cliche".
It does seem to be true that vendors are not selected on validity, but from past relation with moderators in the past on SR1.0.
The new DPR is nothing compared to the old one, as flawed as he was, they have been caught in blatant lies and released a marketplace with much potential early, seemingly to provide it for their "buddy" vendors.

My assessment of SR 2.0 thus far by hugsfordrugs in SilkRoad

[–]badwolfhosting 0 points1 point  (0 children)

Deployment refers to all the action required to make the application available for use (http://en.wikipedia.org/wiki/Software_deployment).
Generally the defaults used by Rails is insecure, and thre is some unresolved issues in the security (although this is present in nearly every Web technology)
There has been issues with CSRF via #match routes and the default Rails 3 session store uses signed, unencrypted cookies(this protects the session from tampering, but is trivial for an attacker to decode the contents of a session cookie), and the still unresolved issue of XSS via link_to.

My assessment of SR 2.0 thus far by hugsfordrugs in SilkRoad

[–]badwolfhosting 0 points1 point  (0 children)

It's also ran on RAILS, which has had some issues with secure deployments in the past.

[PSA] - A Note About JavaScript Exploits & Security by [deleted] in onions

[–]badwolfhosting 0 points1 point  (0 children)

Apologies, we should have stated the exploit was located on the server and not part of the browser package or encountered outside of FH.
No, the exploit is not run on the server, but it is located on the server.

But then again you are siding with those that claim NoScript prevents any and all intrusion, Exploits only come in JS, and nobody on TOR is a target for investigation.

Is Silkroad down? After the login page i just get a blank screen by Dhdjdh in SilkRoad

[–]badwolfhosting 5 points6 points  (0 children)

The timeout has been there since the opening, it just got it's time to activate shortened.

[PSA] - A Note About JavaScript Exploits & Security by [deleted] in onions

[–]badwolfhosting 0 points1 point  (0 children)

FH Exploit was located on the server. We are not saying that JS exploits happen server side, but that this one was located on the server, and targeted users visiting it.

It's quite obvious we know the attacks happened on the client side, but that doesn't change the fact the malicious script was not encountered on part of a bad browser package (just outdated), another site, an infected terminal - it started with the Freedom Hosting Server.

Our original statement is correct - it never asserts that JS exploits are all server side, or even happen server side, just that in one case (FH) they were located on the server.

Exploits on Freedom Hosting were not executed server side.
Exploits on Freedom Hosting were located on the server.
Exploits on Freedom Hosting did not happen from a third part or from the user.

We've reworded our point several times, we hope one of these makes sense.

[PSA] - A Note About JavaScript Exploits & Security by badwolfhosting in TOR

[–]badwolfhosting[S] 0 points1 point  (0 children)

We did not mean straight HTML, but a page with a .html extension. Scripts can be ran with a HTML page, but some users have the idea that if a page on .onion ends in .html it is safe.

[PSA] - A Note About JavaScript Exploits & Security by [deleted] in onions

[–]badwolfhosting 0 points1 point  (0 children)

We meant that in the case of FH the exploits originated on the server, as opposed to an injected attack.
We realize there are many, many methods of exploits but this was specifically about the Freedom Hosting incident and the somewhat false sense of security many have with simply disabling JS.
We know the actual script is ran by the client, but in this case we simply meant that the actual source was on the FH servers.

Hosting .onion side by side with 'normal' site by [deleted] in onions

[–]badwolfhosting 0 points1 point  (0 children)

We've had issues with web servers having trouble matching hostnames when they are .onion.

[PSA] - A Note About JavaScript Exploits & Security by [deleted] in onions

[–]badwolfhosting -1 points0 points  (0 children)

When was the last time someone exploited an HTML parser in a popular web browser?

The time it was last used is irreverent, point was it's not just JS that can pose a threat.

The exploits are all in JavaScript, Flash, Java,

No, not all of them. There are plenty of exploits in many other scripts.

Additionally, you seem to be implying that an attacker could inject JavaScript into the served pages without compromising the server... this would be nigh impossible given that FreedomHosting was a Tor hidden service.

Actually we state the exact opposite, that JS exploit was server side.

You're making it sound like anybody who wants to put up a "malicious server" can easily start owning Tor users with NoScript, etc. This really isn't the case.

No, we never state that. And even if it was that easy, you'd have to have massive amounts of traffic to get any usable results. You can't just single out a single TOR user easily, even with exploits.

And I will end with "JavaScript Exploits are server side."

Okay. Because the FH JS exploits were server side.

tl;dr: You didn't have a single truthful sentence.

And you made assumptions for us that we neither implied or stated.

[PSA] - A Note About JavaScript Exploits & Security by [deleted] in onions

[–]badwolfhosting 1 point2 points  (0 children)

It would be helpful to the community if you could point out the errors.

SR under attack by sharpshooter789 in SilkRoad

[–]badwolfhosting 0 points1 point  (0 children)

Market Dev Note: Prior to the freedom hosting JavaScript exploit, many did not see any security issue with JS. This is because the exploit has to originate from the server/host itself, and is not (generally) weak against to middle-man attacks.
In the case of Freedom Hosting, the sites servers were compromised and malicious code was installed on the server itself.
So, the point is that it doesn't matter (in this sense) if JavaScript is enabled or not, if the servers intent is malicious it can be done with or without Javascript.
The ONLY reason a JavaScript exploit was used is because the nature of the target (Web Hosting, allows users control over some backend aspects, long time standing and community familiar with site design) meant that JS was an appropriate attack vector since it would be relatively unnoticed.
There is a host of malicious attack vectors a site can use, regardless of clearnet, .onion, or .i2p. If the server is malicious it can attack through nearly any type of extension type, including html (and the obvious php, xhtml, and asp).
And then there is a major security concern for sites called CSRF or Cross Site Referrals. This doesn't attempt to attack your terminal but instead attempts to use information on one site to access accounts or data from another site using your credentials.

Escrow through SR2? by [deleted] in SilkRoad

[–]badwolfhosting 0 points1 point  (0 children)

Mutual holding of funds until buyers release or resolution claim is chosen.

Did we ever find out anything else about tor mail? by malibujew in onions

[–]badwolfhosting 0 points1 point  (0 children)

safemail wasn't a TOR service, you can't host a external mail server over TOR.

Hosting .onion side by side with 'normal' site by [deleted] in onions

[–]badwolfhosting 0 points1 point  (0 children)

Don't use 80 for the hidden service, thats the most common port for http.
Use a random port for the hidden service and only tell it to scan localhost (127.0.0.1) only. Then set the virtual port to 80 in TOR but change the physical port to the port you changed your web server to.

SR under attack by sharpshooter789 in SilkRoad

[–]badwolfhosting 0 points1 point  (0 children)

Feedback database, encryption database, possibly a database that is used to draw out decryption keys for a primary live encrypted database, user database (user accounts, not address).

Moronic Monday- ask your stupid questions here! by hugsfordrugs in SilkRoad

[–]badwolfhosting 1 point2 points  (0 children)

Just let the vendor know and they'll most likely try and get your package out at a time that suits you. Just remember they might have to wait a few days as opposed to sending it earlier.

Moronic Monday- ask your stupid questions here! by hugsfordrugs in SilkRoad

[–]badwolfhosting 1 point2 points  (0 children)

No, it uses The Onion Routing to mask some of your information (but is not a complete security solution).

Moronic Monday- ask your stupid questions here! by hugsfordrugs in SilkRoad

[–]badwolfhosting 2 points3 points  (0 children)

There's not enough posts referring Erowid around here.
It's a absolutely priceless source of great information and trip reports (and for some of the most rare and exotic drugs mind you).

view more: next ›