asciilifeform: optimator: if the virtualization scheme has an escape (or even just leaks info) you're just as fucked
ezdiy: the more the tunnel vision, the more blind spots for obvious stuff
optimator: asciilifeform: doesn't it work if you start with the base as the secure OS. Then virtualize your browsing OS, virtualize your bitcoind OS, virtualize your banking OS, but the base is secure
mircea_popescu: my impression of the general truecrypt population is that they're not particularly more secure than average
asciilifeform: this is deeply and profoundly true.
mircea_popescu: this may actually be true
mircea_popescu: "TC gives you a false sense of security so it's worse than no partition encryption."
asciilifeform: it not only lets you sell the same machine many times, but passes the security buck to the chump: "oh, you got rooted? your fault, should have patched yourself"
asciilifeform: but in the pc world it is used as an attempt to paper over the fact that the os sucks
asciilifeform: some machine architectures (ibm mainframes) had virtualization baked in in an intelligent way, vs. the x86 retrofit
asciilifeform: it is like fractional reserve banking for the hosting business.
asciilifeform: so you can rent a "server" to chumps without actually using one up
mircea_popescu: so what's the point of virtualization then
asciilifeform: example of the latter: many (most?) xen installs let you set the virtual nic card into promiscuous mode if you root one running os
asciilifeform: vm escapes run the spectrum from the apocalyptic to the "it always worked this way and we don't give a fuck"
asciilifeform: ok, wasn't me this time. but "I approve of this message (tm)"
mircea_popescu: i was actually thinking, is this our d friend ?
mircea_popescu: "Then running your operating system on the other side of this brand new pile of shit. You are absolutely deluded, if not stupid, if you think that a worldwide collection of software engineers who can't write operating systems or applications without security holes, can then turn around and suddenly write virtualization layers without security holes."
asciilifeform: did I write that?
mircea_popescu: great quote that.
mircea_popescu: "x86 virtualization is about basically placing another nearly full kernel, full of new bugs, on top of a nasty x86 architecture which barely has correct page protection."
mircea_popescu: why do they need to calculate rsa or wut ?
dub: you'll find the same thing at most f500's
asciilifeform: or ought to
asciilifeform: mircea_popescu: yes, the girls calculate RSA signatures for you with paper and pencil
mircea_popescu: dub sux to be you bro.
optimator: asciilifeform: don't forget this approach to compromising ssl security - https://freedom-to-tinker.com/blog/sjs/how-the-nokia-browser-decrypts-ssl-traffic-a-man-in-the-client/
asciilifeform: alternatively, a drive-by is used to make your machine click "yes" for you.
asciilifeform: now you go to a site with routinely botched ssl, like mtgox (at least in the recent past), and then click "what the hell" when your browser complains
dub: almost every ssl cert in this environment is self signed and long expired
mircea_popescu: a linux box, rather than a router, for convenience.
mircea_popescu: asciilifeform the idea is, suppose i pass all my traffic through your controlled relay
mircea_popescu: i don't think it has anything to do with the 2fa mtgox issue but anyway
dub: I have to run 8 year old java versions
mircea_popescu: anyway, thanks optimator, most entertaining link
mircea_popescu: who the fuck designed this process ;/
mircea_popescu: Used bitcoin-qt and litecoin-qt. For the wallets, those encryption passwords were from memory. The truecrypt password, I always copied and pasted the password from a text file, on a USB drive, inside a password protected winrar file, inside of a password protected winrar file, inside of a password protected winrar file, totaling 3 different password protected rars to reach the .txt file.
asciilifeform: feel free to interpret my silence as proof that I'm full of shit, but personally I'm rather fond of living.
optimator: ah - the empty-wallet-fake-em-out security measure
mircea_popescu: "I figured if I was ever the victim of a wallet stealing program, implementing a dummy in the default location would fool it and upload it, rather than my real one, to the attacker's choice, but I was wrong."
asciilifeform: my other point is that btc ups the ante for working on hard targets as well as soft ones. you can do some very nice MITM with a compromised router, for instance.
mircea_popescu: but what the fuck for, seriously.
asciilifeform: and some people shit in their kitchen, yes
optimator: mircea_popescu: 85 * 3.12 = wealth for the masses
mircea_popescu: "I know I've found this one thing that I just have to download and install Java for, then totally forget or put off uninstalling it afterwards, many a time."
mircea_popescu: "In fact, scratch the social engineering, you don't need to convince someone to run your .exe if you can just run your .exe for them via a Java drive-by attack, and admit it, you've left Java installed for extended periods of time, even if you try to keep it uninstalled normally."
asciilifeform: mircea_popescu: believe me (or not, your choice) this is actually very, very easy.
mircea_popescu: always funny when people with 85 ltc speak of the masses.
mircea_popescu: "I haven't nor will I ask for donations. This truly sucks for me, but I only want to find out how this happened. I wish I could see the code/method used for educational purposes. Fuck people who steal. I strive for bitcoins and litecoins to gain popularity among the masses and become an accepted currency in society's eyes."
asciilifeform: as far as the world could tell (even if you log all the packets coming out of your home) it will look like you voluntarily donated your stash to X.
mircea_popescu: asciilifeform bitcoind is such a mess it'd be easier to make a million dollars being a janitor.
optimator: mircea_popescu: it's very interesting - I like the conclusion of the time the wallet was stolen
asciilifeform: btw there is never any real need to steal wallet.dat. all you need to do is patch bitcoind (or whatever) on the disk so that it sends everything to address X when you finally key in the passphrase.
mircea_popescu: because of the change issue. wallet.dat was stolen
mircea_popescu: actually this is interesting
optimator: asciilifeform: no - and it kinda freaks me out. I think SSL cert authentication through a PKI is a gaping hole
asciilifeform: optimator: have you personally gone through the trusted public cert store in your browser/OS?
mircea_popescu: I used a random 64 character ASCII character password from this site for my truecrypt password.
asciilifeform: truecrypt in particular is trivially broken on a compromised machine.
asciilifeform: an amoeba colony, but in a public toilet, waiting for the janitor and his chlorine.
mircea_popescu: optimator the reason girl said anything/i'm lending some credence to the claim of 2fa is because this isn't the first case i've heard.
optimator: both had their wallet.dat on truecrypt
mircea_popescu: asciilifeform soft but soft in the sense of amoeba
optimator: it's hard to assess the validity of any claim, but there is a common factor between her story and this one - http://www.reddit.com/r/Bitcoin/comments/1e79ig/how_were_my_encrypted_bitcoin_and_litecoin/
asciilifeform: my only argument, really, is that btc as we know it is a soft target, and that life will become considerably more interesting once the truly competent people take an interest in playing.
asciilifeform: not that I believe the linked thread to be evidence of such, mind you
mircea_popescu: i have yet to see any indication of such wonder in practice.
asciilifeform: so it is entirely conceivable that a yubikey-enabled gox diddler exists but has managed to infect only paupers
asciilifeform: all he has is hope, that some of the chumps will own high-end ATI cards, etc
asciilifeform: I study trojans for money. Most BTC botnets, for example, are quite pitiful (a handful of GH/sec.)
mircea_popescu: that good a trojan ?
asciilifeform: nobody had to, but a trojan
mircea_popescu: for the simple reason that if anyone ever did most of the us would be so very much less lonely.
mircea_popescu: i doubt anyone actually visited the guy's apartment
asciilifeform: or if the switch has bounce
asciilifeform: one more observation: yubi works by emulating usb keyboard. which makes for a very simple man in the middle, esp. if you press the button an extra time.
mircea_popescu: see, but it'd seem to me you readily argue both ends of this rope.
asciilifeform: damned if I know how many times. how many people would even admit that this happened to them, if it had
mircea_popescu: now, returning there : how many times ?
asciilifeform: and to blame their betters when their world burns
mircea_popescu: <asciilifeform> there is only so many times that this can happen without a real effect
mircea_popescu: anyway, getting back to it. the branch was off
asciilifeform: also remember that chumps have a tendency to lie to themselves
mircea_popescu: but it wouldn't be the first website with a broken 2fa implementation.
asciilifeform: mircea_popescu: you evil tempter, you just made me want to transfer btc to mtgox just to buy their yubikey.
mircea_popescu: fuck me. the idea of a website is ridiculous
mircea_popescu: it wouldn't be the first website
asciilifeform: probably the culprit then.
asciilifeform: or that mtgox has a session remanence bug
mircea_popescu: no, it does not have to be.
asciilifeform: occam's razor suggests that our chump lied about using 2fa
mircea_popescu: 90% of the top accounts would be hit simultaneously.
mircea_popescu: if indeed this was an attack able to cut through their (braindead) 2fa implementation
asciilifeform: every ion cannon has to be fired at a diseased goat during development
mircea_popescu: you'd have to be born last night to actually believe this.
mircea_popescu: NOW what you do with this ion cannon is steal random 4 btc wallet ?
mircea_popescu: and let's presume for a moment you have no better use for it than btc.
asciilifeform: (that is, the total of all people storing N btc on gox do not actually have access to N btc)
mircea_popescu: listen. suppose you actually have the tech to own yubikeys
mircea_popescu: nope. it'll do exactly the same thing as mtgox lying about "hacks"