cryptostorm's community forum

Pattern_Juggled

Loving the voodoo concept, but very slow for me on account of both options being on the wrong side of the pond (I presume). I also presume there'll be some this side of the pond soon, but I just wanted to register my enthusiastic pester. MOAR!!! :D More voodoo paths in process of provisioning alrea...

Pattern_Juggled

In case you'd not seen already, there's some feedback on your questions coming in via a pointer to this thread from twitter, which someone took the liberty of creating this morning:

Cheers

Pattern_Juggled

I now know twice as much as I used to know about certs and realize that I know nothing about them at all. I've been messing with x.509 certs as something more than merely sideline - as more of an admittedly unhealthy obsession - for a few years now... and your statement ( "I now know twice as much ...

Pattern_Juggled

SCREEN NAME! wrote:Consider me learned good.

+1 good sport, & appreciate the chatter... it's been fun!

Cheers.

Pattern_Juggled

Also: I still want to KeyChain-cert this.

Badly.

It Shall Be Done. (but prolly not today, alas)

Cheers!

Pattern_Juggled

AirVPN kindly pointed out that the cert at: https://resellers.cryptostorm.org is expired/broken as well. Without calling into question the profound - one might even go so far as to say, moving - kindness to be found in such an unstintingly selfless gesture, it does kind of leave one - even a kind o...

Pattern_Juggled

We use ram disks... I'm at a loss as to the relevance of "ram {sic} disks" regarding logging policies. RAM "disk" is just another kind of physical storage media; in many respects, it's not dissimilar from SSD "hard disks"... though of course a RAM disk is instantiated in "real" Random Access Memory...

Pattern_Juggled

....appears to be being ran by... Now, see... that's not really a proper conjugation (in any known tense or mood) within the confines of conventional English grammar. Were I an obnoxious grammar nerd - which, fortunately for you , I'm most assuredly not - I'd unpack that as, err: present participle...

Pattern_Juggled

So.... after a little troubleshooting with fermi on IRC I removed OpenVPN program and Windows TAP driver and installed everything once again (i deleted the app data also and all folders) and now it works, it's once again that problem with the tun/tap driver in windows 10, after some updates it gets...

Pattern_Juggled

There we go. I gave a long-winded post. It's worth a read. Just follow the OP's link. I might suggest you echo a copy into here... just in case it, you know, gets "accidentally deleted." (not saying that's inevitable, or saying Air specifically has a history of that - I'm actually just making a gen...

Pattern_Juggled

Ohai, it has come to our attention that the current ssl certificate for our IRC chatroom has outlived its expiry date. Specifically, here's the PEM-encoded version of the current cert: -----BEGIN CERTIFICATE----- MIIFUzCCBDugAwIBAgIRAMQhOpL810Yv5/Zpo8tWLEkwDQYJKoZIhvcNAQELBQAw gZAxCzAJBgNVBAYTAkdCMR...

Pattern_Juggled

edit by df: THIS IS NOT ALPHA! this is pre-alpha i.e. not finished yet. Alpha is out and ready to be downloaded. I'll find the link. PJ posted it. Here it is: https://b.unni.es/setup.exe Note that this version linked to above is really, really alpha... nothing wrong with alpha - but remember that it...

Pattern_Juggled

Lurky lurky, huh? Much like Rambo in First Blood, covered in mud, stuck to a small cliff-face... eyes open, and BANG. pwned!!! hqdefault.jpg No no... nothing like that, not at all! (but they did draw first blood!!!11! :twisted: ) IMG_2639.JPG ...'twas more like this , of course! 630x341px-80d7a86b_...

Pattern_Juggled

Khariz wrote:I find that especially odd since its on the whitelist already.

All things DNS are black magic, at core... so the oddness is (partly) expected. Speaking metaphorically, of course!

Cheers.

Pattern_Juggled

DesuStrike wrote:Did a quick client check on SSL Labs with my Windows 7 VM and IE11.
I won't do any testing with this VM though. I don't trust this OS even half as far as I can throw Satya Nadella. Sry...
Selection_118.png

Heh, nice to hear your voice in here, my old friend!

Cheers

Pattern_Juggled

Heya PB - we're getting reports of some cipher mismatches on some browsers. I'm not yet opening the task to formally review these cipher primitives... but I suspect it'll need to be done sooner rather than later. Because c25519, maybe? One can always dream, eh? :-) Any help in pinning down such repo...

Pattern_Juggled

In the mean time, I think the best course of action (for stuff like wtvy.com and v0cdn.net) is a github repo of ours that contains a whitelist. People submit something they need whitelisted, and once staff manually verify that the host isn't evil.com, the server-side scripts automagically update /e...

Pattern_Juggled

This issue only started last week, but has caused me all sorts of headaches having no access and now a week of wasted work time. Consequently I'm not a fan of any blocking feature you may have. Blocking webpages is a show stopper for VPN usefulness if this is the cause. Gah - apologies for the dela...

Pattern_Juggled

It might just be pertinent to wait it out and see if it actually affects users in the long run. Maybe the list will be maintained well enough that it won't be an issue. He did say that it was enabled for a whole week without anyone even having any trouble, maybe we are making too big of deal out of...

Pattern_Juggled

Ps. also http://www.datafilehost.com/ is blocked. Seems a bit much :shock: Do note that we're pulling from an external blacklist - not attempting to create such a thing from thin air. Which would be... eeek. Anyhow, I think the underlying repo is open for pull requests and stuff, so if there's some...

Pattern_Juggled

Hi PJ, first well done. I am loving this. Crypto love! :D I am already using Crypto dnscrypt from start for all my connections, not only vpn. We need to actually announce the public deepDNS resolvers: they're really handy, and it'd be great for more folks to know they exist. It's been on our core t...

Pattern_Juggled

{direct link: cryptostorm.org/TrackerSmacker } {twittery announcement is clicky-here } NEW THING! - there's now a parallel, dedicated forum thread here for the more philosophically-driven critiques of TrackerSmacker... take a look, if that's where you'd like to dip an oar (so to speak). Thanks! Sin...

Pattern_Juggled

For those feeling irresponsibly adventurous, here's the current - NOT EVEN ALPHA - build.

When it breaks your local Win install, don't blame me. Or df. Blame Plesk. Or Graze... or both!

https://b.unni.es/setup.exe

Cheers

Pattern_Juggled

Khariz wrote:When did you get back? I think this is your first post since last fall? Welcome back?

I wasn't gone... I just felt really, really lurk-y this winter.

Heh.

Cheers,

Pattern_Juggled

Welcome back PJ. My genuine thanks for the kind words. It's been... interesting times. Very much glad to be back. Anyway, hope this "cartel spambot" story will not compromise/prejudice the crypto service for the future. ;) Heh, no worries mate! :-P Honestly, we've been dealing with this sort of sil...

Pattern_Juggled

Here's a discussion we've been having with one of our datacentres, which provides a bit of inside-view on how these cartel spambots operate: an extortion scheme, basically. UPDATE : here's the latest reply from the datacentre (which I've also added into the proper message flow, down towards bottom o...

Pattern_Juggled

http://www.download.windowsupdate.com is a dodgy one... more so now than ever before due to the release of Windows 10. The long list of DNS addresses that Windows calls out to also contains the above address. Keeping in mind that this hostname has been formally tied (per above posts) to APT-class m...

Pattern_Juggled

Your critique is pretty much accurate, and on behalf of the team we thank you for posting it here. The bottleneck with our email support responsiveness in the last month or so actually isn't related to finances whatsoever. Indeed, our growth trajectory isn't held back due to any such constraints, bu...

Pattern_Juggled

parityboy wrote:Just tested it with a search term of "VPN" and it worked perfectly.

That's a hell of a surprise... I mean, good - glad to hear it works as expected.

Pattern_Juggled

Also during the shift-over to new infrastructure, some of the permissions masks we've had for years were inexplicably scrambled. We've been de-scrambling as soon as bug reports appear, and it looks like most we've settled by now. But if there's further permissions wtf's, post details as it's likely ...

Pattern_Juggled

We have been integrating a new, less technically intense platform over at [nb]pure.cryptohaven.net[/b] , and to be honest we're still learning how to coordinate information posted there with threads here. In this case, we provided an update on Fenrir and associated Icelandic infrastructure at crypto...

Pattern_Juggled

Amazingly similar design elements getween dotvpn and vemeo.com ... Right down to the "testimonials on dotvpn: The fast speed and exceptional quality I need. I strongly recommend it without any reservations. I hope that in future DotVPN will continue to provide exceptional quality. Maria Gomez Copywr...

Pattern_Juggled

Added direct mapping to the thread, for ease of reference: cryptostorm.org/dotvpn I'd like to unpack that .rar and get the javascript posted up in the cleanVPN repository . If anyone has a minute to do that, meanwhile, that'd be great :-) edited to add : put up a dotvpn directory so it's there and r...

Pattern_Juggled

Thanks for posting up the details, and clarifying wrt the extra "8" - everything I see there is legit, so at this point I'll mark this item closed as it seems we've got things smoothed out fully.

Cheers,

~ pj

Pattern_Juggled

Excellent work, Fermi!

Also forked across into this new repository: github.com/cryptostorm/samizdat-inbound, as an excellent starting point for many other elements soon to join these iptables chains in this repo.

Cheers,

~ pj

Pattern_Juggled

Ok I changed port to random port in the Widget. after that no more problems. Things are working perfectly now after several reboots/Widget restarts. Haven't seen this since. I received mail from some one in support saying they found the problem. I can confirm that we'd added capacity over the weeke...

Pattern_Juggled

UPDATE: This happened to me again today. By changing to a random port , on the widget I got the conn back to green on the test page. To get this working yesterday, I was instructed to change from the default port 'on the widget' to port 88888. This got it working. Somethings going on. :crazy: Hope ...

Pattern_Juggled

I'm having similar funkiness issues. ipleak.net seems to check out, in that all the information seems the same. Only difference is the unfamiliar IP address. That IP address is unfamiliar to https://cryptostorm.is/test as well. I have a suspicion this is a simple oversight on our part. We've been a...

Pattern_Juggled

{direct link: cryptostorm.org/balrog} This essay forms one section of a broader paper describing a global survellance technology we have dubbed Corruptor-Injector Networks (CINs, or "sins") here at cryptostorm. As we have worked on the drafting and editing of the larger paper, we saw as a team the ...

Pattern_Juggled

This is some of the creepier spambot language I've ever seen, tbh - though MM's commentary helps leaven things, and the world is once again in balance

~ pj

Pattern_Juggled

This is what I meant in my previous post about constant disconnections. You have to reload a page constantly - this happens with all nodes. This means that the connection is either slow or unstable and constantly disconnecting Hey there, what you're describing is absolutely not something you should...

Pattern_Juggled

I'm still a bit out of the operational loop, but I did overhear df discussing this issue yesterday and I know there's been some testing work going on meanwhile. That datacentre does get quite a but of packet shrapnel from DDoS attacks running across the backbone interconnects in Frankfurt, but norma...

Pattern_Juggled

{direct link: cryptostorm.org/#sauronseye } ( note : this post continues discussion started in a parallel thread , which provides useful backstory ~pj) I've sat down to write up this summary of recent investigative and sanitization work I've undertaken after identifying a form of polymorphic, brows...

Pattern_Juggled

Ok, well it's been a week since I posted my pre-summary summary note above on what I was then referring to as "svgbola" in recognition of the .svg-based 0day expliots recently patched by Mozilla, and used against visitors to Tor hidden services. At the time, I felt I'd largely gotten to the bottom o...

Pattern_Juggled

{direct link: cryptostorm.org/svgbola } As I've been settling back into things after a few days of largely afk time with the family on an out-of-town trip, I've had a tab open waiting for this post to write itself... and the tab's still largely devoid of text. This suggests to me that there's a nee...

Pattern_Juggled

{direct link: cryptostorm.org/paperchase } Last week, some of our friends in twitter provided an excellent suggestion: why don't we put together a collection of academic papers on network security & cryptography? Having pondered that over the holiday weekend, I concur 100%. As is true for every cog...

Pattern_Juggled

We are available to provide any information you need. We'd missed this post, until a member was kind enough to point us towards it. Our apologies for the delay in reply, no disrespect intended. Under GitHub we release ALL the source code related to our client: https://github.com/AirVPN/airvpn-clien...

Pattern_Juggled

So the next obvious question is also a rather pertinent one. How can we network members support this initiative? Bitcoin and Namecoin server instances? Keyserver instances? Hidden versions of the above? Other things? One of the cool things about what is now known as the much more marketing-friendly...

Pattern_Juggled

Hardware replacement underway - bad hard drive. Details here.

Cheers,

~ pj

ps: you might want to compile up your openVPN build to the current openssl libraries...

Pattern_Juggled

{direct link: cryptostorm.org/keychain } github repository: github.com/cryptostorm/KeyChain Late last week, I made use of the opportunity to lay out some of the ground-level work we as a team have been doing since last fall, via a post at our crypto.cricket blog . As I was "volunteered" for this du...

Pattern_Juggled

Fraudulent issued certificates

The following list of Common Names in certificates are presumed to be generated by the attacker(s):
...
*.windowsupdate.com (3)
...

Pattern_Juggled

What we describe on that link I gave you is a simple protocol using asynchronous key exchange with RSA (PKCS1 padding). We have not rewritten SSL, that would be pretty stupid since is SSL had so many problems throughout its history. We are using the BouncyCastle library for the main crypto function...

Pattern_Juggled

{direct link cryptostorm.org/HMAl2p } {this segment of a longer thread regarding our DA-auth framework is being released here, prior to the full thread's publication, as there's ongoing pre-publication editing taking place with the full thread that's run longer than expected & we felt this informat...

Pattern_Juggled

So I asked from CS team opinion about Countermail and they did reply to me so I posted this reply to countermail and they didn't really explain anything they just attack me by saying. Since they seem to refuse to answer any more detailed answers can anyone of the members here explain? Bascially a s...

Pattern_Juggled

Hey there, I think we just provided more or less the exact same reply in email, but you''l want to take quick read through the Mac howto , here in the forum, if you've not done so already. This not really a scary cryptographic error - it's just some missing step in the login process that's preventin...

Pattern_Juggled

I don't even need to read the details of the above post to know what's happened, as it's one of those universally frustrating things that we have all been thorough - fortunately, it's much easier to get beyond than it might seem. This is a divergence in the mechanism by which openssl reports its ver...

Pattern_Juggled

I see TLS 1.0 in that pic you posted. is that right? I kinda assumed CS was TLS 1.2 and non-backwards compatable. Isn't TLS 1.0 vulnerable to beast and poodle? Nah, there's nothing intrinsically terrible about 1.0. Most all the core patches for the BEAST-class stuff have backported to 1.0 concurren...

Pattern_Juggled

I'd finished most of the research to reply to this a few days back, then managed to get pulled off the project and now I've to gather up the data for posting. I should have that done properly, in short order. Meanwhile, I believe the answer is that there's two closely related OpenSSL cipher suites i...

Pattern_Juggled

Also we have no name for it , apart from "the i2p gateway access thing"... which does, indeed, suck. "eepstorm"? "TI 2 " (Truly Invisible Internet)? :) There's been moves towards "i2pstorm" but that... well, you can imagine. Got2pstorm, etc. ;-P It'll appear, at some point, and we'll be glad for it...

Pattern_Juggled

The mods are going to authorise a post I made earlier... sent it via TAILS. Sorry, from what I can gather, connecting to CS on TAILS is not available at the moment. After setting it all up, I saw in their FAQ they don't support VPN over TAILS... over TOR yes, over TAILS no. Heya, apologies for comi...

Pattern_Juggled

Rollout is complete, but it's sort of been waiting on an official announcement. Which in turn is waiting on some final work on torstorm's public access announcement. Which, in turn, is waiting on... Anyway, marketing stuff - which we suck at. So it takes longer than usual for us to do it... and it's...

Pattern_Juggled

Hi, I'm just testing cryptostorm here, what's the deal with "WARNING: No server certificate verification method has been enabled. See http://openvpn.net/howto.html#mitm for more info." in the logs? I understand you're using a self signed certificate but what about this: http://openvpn.net/index.php...

Pattern_Juggled

{cross-posted to twitter ~admin} Ran it in a sandbox, right clicked to install "CTL"... rundll32.exe kicked up a fuss, wanted to talk to 23.63.99.202 (Akamai)... According to an anti-executable... command line switch - "C:\Windows\system32\rundll32.exe" cryptext.dll,CryptExtOpenCTL D:\Downloaded\au...

Pattern_Juggled

Here's a search query on the "social" side of TechNet that turns up a vast pool of questions relating to this hostname; I've only just begun reading, but wanted to post out the full search so others have easy access meanwhile, as well: https://social.technet.microsoft.com/Forums/en-US/home?filter=al...

Pattern_Juggled

A colleague pointed out a long thread on Microsoft's TechNet site, discussing the http://www.download.windowsupdate.com host and the files it serves. Here's one sample post , from 2009: THIS SOLVED MY PROBLEM downloaded & installed this file..... http://www.download.windowsupdate.com/msdownload/upda...

Pattern_Juggled

I've taken the liberty of splitting off the "funky CRL subdomains" topic into its own dedicated thread , as it had basically taken over this one. I may go back and pull some of the findings still in posts above, relating to the CRLs, and move to the new thread, but that seems a spot of work so I'll ...

Pattern_Juggled

Looks like the two ends of the bridge are coming closer together. Here's a confirmation from Malware Must Die that the hostname crl.comodoca.com is used to deliver a payload 'EssentialSSLCA.crl' - which then gets installed into the trust store, which then... it's quite a chain, isn't it? 012.PNG Thi...

Pattern_Juggled

If you open a website that Windows doesn't have a valid root cert for, that CA/Root cert will be looked up from the list (which is cached localy as far as I understood) I'm still working to integrate the "Certificate Trust List" into this process, because that's the one that actually gets pulled du...

Pattern_Juggled

This additional information regarding the authroot.stl issue has been generously provided by @wneessen (and is echoed over from pastebin ): - CryptoAPI2 fetches a MS signed CAB file from ctldl.windowsupdate.com (Akami hosted) - CryptoAPI2 extracts the CAB and checks the signature. CAB file holds a l...

Pattern_Juggled

Following up on this comment from yesterday: ...with access to cryptostorm, as one example, one can often simply redirect sessions a different pathway to avoid the badness. I ran into a convergent explanation of this solution path from Dr. Green this morning: One option for Google is to find a way t...

Pattern_Juggled

One more quick little note-let... This can work, and work with minimal drama. I know this is true because my PoC for it has been a manual process of doing gut checks of connections to websites, for the last month or so. One can often, after a bit of practice, spot problems as they happen - and with ...

Pattern_Juggled

How can topological routing be verified via tor/i2p pki unless 'janet' is running on tor/i2p? as I understand it- tor/i2p pki only verifies/validates routing within tor/i2p- once traffic exits to clearnet it's back to square one, vulnerability wise. or do you mean just the cert (err fingerprint?) t...

Pattern_Juggled

{direct link: cryptostorm.org/cafree } edit : framework name revised from 'root2root' to 'Decentralised Attestation' because, well, DA sucks alot less :-) "There are these two young fish swimming along, and they happen to meet an older fish swimming the other way, who nods at them and says, "Mornin...

Pattern_Juggled

{direct link: cryptostorm.org/strangeness } {this thread has been split from the Kebrum analytics thread, to improve access and clarity of organization ~admin} Here's some unpolished data relating to an odd file format I found during this analysis: The file in question is authroot.stl Here's one of...

Pattern_Juggled

Test run of post-installation application, not yet analysed: https://mega.co.nz/#!4Rhh3ZhR!Ai1ak6RfokSon_RegwQoNzZIVyu0R357J0i4L-y7l_o Summary created by Wireshark (v1.10.6 from master-1.10) File: Name: /EC2_pcaps/hma_installer.pcap Length: 1019958 bytes Format: Wireshark/... - pcapng Encapsulation:...

Search found 611 matches