We've Moved! Visit our NEW FORUM to join the latest discussions. This is an archive of our previous conversations...

You can find the login page for the old forum here.
CHATPRIVACYDONATELOGINREGISTER
DMT-Nexus
FAQWIKIHEALTH & SAFETYARTATTITUDEACTIVE TOPICS
PREV12
New members please take notice. Options
 
The Traveler
#21 Posted : 11/22/2014 3:31:50 PM

"No, seriously"

Administrator | Skills: DMT, LSD, Programming

Posts: 7324
Joined: 18-Jan-2007
Last visit: 02-Nov-2024
Location: Orion Spur
Ufostrahlen wrote:
The Traveler wrote:
That why you should have a sincere and valid Security Question/Answer with your account.

That doesn't prevent the spy from reading the mail in plain text.

It prevents the mail from ever been send.


Kind regards,

The Traveler
 

Explore our global analysis service for precise testing of your extracts and other substances.
 
Ufostrahlen
#22 Posted : 11/22/2014 3:37:52 PM

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ


Posts: 1716
Joined: 23-Apr-2012
Last visit: 23-Jan-2017
The Traveler wrote:
It prevents the mail from ever been send.

Look at your server statistics... how many password retrievals does the Nexus get? They are all sent out in plain text.
Internet Security: PsilocybeChild's Internet Security Walk-Through(1)(2)(3)(4)(5)(6)(7)(8)
Search the Nexus with disconnect.me (anonymous Google search) by adding "site:dmt-nexus.me" (w/o the ") to your search.
 
The Traveler
#23 Posted : 11/22/2014 3:40:23 PM

"No, seriously"

Administrator | Skills: DMT, LSD, Programming

Posts: 7324
Joined: 18-Jan-2007
Last visit: 02-Nov-2024
Location: Orion Spur
Ufostrahlen wrote:
The Traveler wrote:
It prevents the mail from ever been send.

Look at your server statistics... how many password retrievals does the Nexus get? They are all sent out in plain text.

Yes, they are send out in plain text, but only after you successfully answered the security question. So if that question is not answered correcly, there is no mail send.


Kind regards,

The Traveler
 
Ufostrahlen
#24 Posted : 11/22/2014 3:43:44 PM

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ


Posts: 1716
Joined: 23-Apr-2012
Last visit: 23-Jan-2017
The Traveler wrote:
Yes, they are send out in plain text, but only after you successfully answered the security question. So if that question is not answered correcly, there is no mail send.

No doubt about that.

So let's say you have 200-300 valid password retrievals by real Nexus members in a year. If a spy monitors the Nexus mail server 24h/365d, how many mails can he read in plain text?
Internet Security: PsilocybeChild's Internet Security Walk-Through(1)(2)(3)(4)(5)(6)(7)(8)
Search the Nexus with disconnect.me (anonymous Google search) by adding "site:dmt-nexus.me" (w/o the ") to your search.
 
The Traveler
#25 Posted : 11/22/2014 3:56:37 PM

"No, seriously"

Administrator | Skills: DMT, LSD, Programming

Posts: 7324
Joined: 18-Jan-2007
Last visit: 02-Nov-2024
Location: Orion Spur
Ufostrahlen wrote:
The Traveler wrote:
Yes, they are send out in plain text, but only after you successfully answered the security question. So if that question is not answered correcly, there is no mail send.

No doubt about that.

So let's say you have 200-300 valid password retrievals by real Nexus members in a year. If a spy monitors the Nexus mail server 24h/365d, how many mails can he read in plain text?

Ah, but there you assume that the nexus mail server is compromised.

Also the mails that are send are not stored anywhere on the nexus server.


Kind regards,

The Traveler
 
Ufostrahlen
#26 Posted : 11/22/2014 4:02:29 PM

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ


Posts: 1716
Joined: 23-Apr-2012
Last visit: 23-Jan-2017
The Traveler wrote:
Ah, but there you assume that the nexus mail server is compromised.

No I don't. Not the Nexus mail server by itself, but the connection between the Nexus mail server and the recipient mail server.
Internet Security: PsilocybeChild's Internet Security Walk-Through(1)(2)(3)(4)(5)(6)(7)(8)
Search the Nexus with disconnect.me (anonymous Google search) by adding "site:dmt-nexus.me" (w/o the ") to your search.
 
1ce
#27 Posted : 11/22/2014 4:03:58 PM

Communications-Security Analyst


Posts: 1280
Joined: 17-Aug-2014
Last visit: 05-Feb-2024
Location: Nirvana
A vulnerability and zero-day interchange group I'm part of uses a forwarding system to their main server. Basically we all bounce off server A to get to our board/IRC. The server will not accept any ingress connections unless they are routed through this system (with a couple obvious exceptions). This also gives everybody the exact same out proxy. And because our IP addresses come from the same exit node, all of us, it makes a confusing mess for anyone that's infiltrated the DMZ of our network.

We have a system of relaying information when the outproxy has changed so we can all update the way we connect. If our intrusion prevention system gave us a reason to panic our primary server could move from pole to pole on this planet and all we have to do is update our forwarding script.

We highly prefer using high traffic websites [e.g. game servers] because with our unknown i dividual IP adresses and the high volume of traffic recieved to the forwarding server by its own use userbase adds another sscurity blanket.

We don't focus on passwords exclusively, we do use an 'individual key' system as well that is used to make sure that the person submiting their password is actually the person that SHOULD submit their login password. If you don't have this key then your password is useless.

Just an example,
1ce
 
The Traveler
#28 Posted : 11/22/2014 4:41:57 PM

"No, seriously"

Administrator | Skills: DMT, LSD, Programming

Posts: 7324
Joined: 18-Jan-2007
Last visit: 02-Nov-2024
Location: Orion Spur
Ufostrahlen wrote:
The Traveler wrote:
Ah, but there you assume that the nexus mail server is compromised.

No I don't. Not the Nexus mail server by itself, but the connection between the Nexus mail server and the recipient mail server.

This discussion triggered a new thought with me for how to do authentication in such cases. I will work this out when I have a tad more time.


Kind regards,

The Traveler
 
Ufostrahlen
#29 Posted : 11/22/2014 4:47:05 PM

xͭ͆͝͏̮͔̜t̟̬̦̣̟͉͈̞̝ͣͫ͞,̡̼̭̘̙̜ͧ̆̀̔ͮ́ͯͯt̢̘̬͓͕̬́ͪ̽́s̢̜̠̬̘͖̠͕ͫ͗̾͋͒̃͛̚͞ͅ


Posts: 1716
Joined: 23-Apr-2012
Last visit: 23-Jan-2017
The Traveler wrote:
This discussion triggered a new thought with me for how to do authentication in such cases. I will work this out when I have a tad more time.

Sweet, I guess that's what it's all about. Maybe 1ce has additional thoughts.

Peace, Ufo.

isaaczibre wrote:
You guys do know that using TOR automatically makes you more suspicious, right?

Yes, I know. But the more ppl use TOR, the more traffic is generated, which helps keeping other users anonymous. If you use TOR you still have a 20% chance to be anonymous. I guess that's better than nothing.
Internet Security: PsilocybeChild's Internet Security Walk-Through(1)(2)(3)(4)(5)(6)(7)(8)
Search the Nexus with disconnect.me (anonymous Google search) by adding "site:dmt-nexus.me" (w/o the ") to your search.
 
1ce
#30 Posted : 11/22/2014 6:50:56 PM

Communications-Security Analyst


Posts: 1280
Joined: 17-Aug-2014
Last visit: 05-Feb-2024
Location: Nirvana
We could always set up the mailing system in a jail (freeBSD). I've always been rather dond of connectionless data transfers (ICMP or UDP for example) to conceal an activitt as something not worth paying attention to.

A lot of very good rootkits have created hell for admins using this strategy. This works extremely well with a VPN, but anything typical requires a client and that adds an impressive challenge/unecesary security risk.
 
1ce
#31 Posted : 11/22/2014 8:54:03 PM

Communications-Security Analyst


Posts: 1280
Joined: 17-Aug-2014
Last visit: 05-Feb-2024
Location: Nirvana
The Traveler wrote:
1ce wrote:
Also, that bit about individual keys: Superb job on describing every password ever. Base 64 is still used very openly even in late 2014.

Uhm, base64 is an encoding and not an encryption. So I'm not sure what you mean with this line.


Kind regards,

The Traveler



I was referring to weak wireless security. And to the delusion that passwords keep us safe. Passwords, at least the way I feel about them, are just a big strong door. If the rest of the infrastructure is weak then they are a totally useless means of security other than a visual deterrent. If I could just open or break a window vs picking the lock and kicking the door down I'll always take that option.

Another note (this time without metaphors) perhaps we can use tokens (that expire) in an email to direct users back to the nexus to view their messages. Rather than use the emails to deliver the messages themselves. There is actually quite a few scripting methods that none of the big name email providers (or web browsers) filter for we can use to do this automaticaly.
 
PREV12
 
Users browsing this forum
Guest (3)

DMT-Nexus theme created by The Traveler
This page was generated in 0.083 seconds.