What are the possibilities

atsuyim · January 12, 2016, 08:54:37 AM

Ok this question are based on hypothesis but is there any way possible for the FBI or NSA to deanonymize SMF(which uses tor network).

Do you think it's possible for NSA/FBI to deanonymize SMF? If so how?
Do SMF have any kind of 0day vulnerability?
If i'am a hacker and i want to deanonymize SMF which runs on TOR. What should i look for to deanonymize SMF?
How can one find some mismatch source code in SMF and take that advantage out of it?
Are there any other way's to deanonymize SMF?

Kindred · January 12, 2016, 09:21:10 AM

there are currently no known vulnerabilities on SMF v2.0.11

And, like any other source of data -- of course it can be "deanonymized"
you have usernames and emails in the basic installation... sometimes admins add additional fields like location, or even more... in which case, it can all be used to identify the user, if the individual doing the identification has enough other sources to check.

that's the same for *****ANY****** data source.
(and a tor network is no protection at all)

atsuyim · January 12, 2016, 09:37:34 AM

QuoteAnd, like any other source of data -- of course it can be "deanonymized"
you have usernames and emails in the basic installation... sometimes admins add additional fields like location, or even more... in which case, it can all be used to identify the user, if the individual doing the identification has enough other sources to check.

How in the world is this possible because they admin will be using some bullet proof hosting provider which is like 100% sure. And even if someone find's the location it will be of hosting provider and not the ip address of the admin or user's.

Quote(and a tor network is no protection at all)

How can you say that? Have to deanonymized any forum yet? What are the boldest hack you've done in your life??

Kindred · January 12, 2016, 09:49:02 AM

If a hacker or the government gets hold of your database records, and they have a whole bunch of other data to mine - of course they are going to kind matches.

user with username "blabla" registers on your site, using email address [email protected]
your site also collects location, which this user fills in with "NYC"

these are three datapoints.

The FBI gets your database (we'll assume, though legal means)

they compare the data for the user using the email address [email protected]

he has registered on another site, giving his name as "Tom Jones", but using the same email address
he registered on a third site, using the username "blablah" and location NYC (but a different email) -- and on that site, he listed his birthdate as 14-Jan-1993

etc etc etc...

IP address tracking is the fastest (which is what I assume you are trying to bypass when you mention tor nodes)
-- but if you have a sufficient pool of data and the capability to mine it - you can positively identify almost any individual, given at least 2 data points.

atsuyim · January 12, 2016, 09:55:12 AM

that is only if they compromise the data. which is the question? How can they compromise the data?

Kindred · January 12, 2016, 09:59:22 AM

there are any of a hundred ways...

although SMF 2.0.11 currently has no known security vulnerabilities --

Someone could get access to an admin account because one of your admins used the same password on another hacked site...
someone could get in through another piece of software (like WordPress)...
The FBI could serve a subpoena to your host, requiring them to turn over your database and files...

etc etc etc.

Any encryption can be broken, given enough computing power and time...

no data is ever actually safe - if it is connected to a network in any way.
the best we do is make it "as safe as possible"

atsuyim · January 12, 2016, 10:07:06 AM

although SMF 2.0.11 currently has no known security vulnerabilities
i wasn't talking about the known vulnerabilities which you can buy but rather i was talking about 0day vulnerabilities which even then developer of the SMF doesn't know about. Example Adobe Flash etc etc.

QuoteSomeone could get access to an admin account because one of your admins used the same password on another hacked site...
someone could get in through another piece of software (like WordPress)...
The FBI could serve a subpoena to your host, requiring them to turn over your database and files...

No one here is fool enough to use same email and password on any other forum unless you are like DPR(Silk road admin)

Quoteno data is ever actually safe - if it is connected to a network in any way.
the best we do is make it "as safe as possible"

This i agree "Security is just a myth" all we can do is try and make the best

margarett · January 12, 2016, 10:10:04 AM

SMF only sees what the client "gives" to the server. So if the proxy(ies) correctly clean the client information, no matter what you add to SMF's code, you will never be able to identify the client through IP.

As Kindred said, though, usernames, email addresses, etc, are stored in the database. And if that is compromised, then such info can be used to identify the members.
And remember that the human factor *is* the main culprit in all recent hacks we know of (SMF and not just SMF). So it's more likely that private info is leaked because an admin account was compromised, than because of a security issue in the software.

Usernames are even visible in the forum. So if I would register in one of those "deep web" site with my regular username (assuming that anyone really cares about me

) it is possible that someone might get to me through the "regular web".

edit: ninja'd several times

margarett · January 12, 2016, 10:11:21 AM

Quote from: atsuyim on January 12, 2016, 10:07:06 AM
although SMF 2.0.11 currently has no known security vulnerabilities
i wasn't talking about the known vulnerabilities which you can buy but rather i was talking about 0day vulnerabilities which even then developer of the SMF doesn't know about. Example Adobe Flash etc etc.

There are no vulnerabilities that we know of. Honestly. But even if there were, we would patch them before letting you know

atsuyim · January 12, 2016, 10:18:32 AM

Quoteedit: ninja'd several times

That's the only option left if i was running my forum in deep web

but i don't have my forum on deep web tbh. But it's just that i want to deanonymize some forum which is out there.

QuoteThere are no vulnerabilities that we know of. Honestly. But even if there were, we would patch them before letting you know

Is there any bounty program on this? Because i would like to work on this, only if i get paid from SMF and i bet i will find something which might sock you

margarett · January 12, 2016, 10:31:01 AM

No, there isn't. You can never get paid by SMF, we are all volunteers. But there are some sites out there which are selling supposed vulnerabilities. If you're up for it, go searching!

atsuyim · January 12, 2016, 10:35:51 AM

Quote from: margarett on January 12, 2016, 10:31:01 AM
No, there isn't. You can never get paid by SMF, we are all volunteers. But there are some sites out there which are selling supposed vulnerabilities. If you're up for it, go searching!

like darkode

well thanks for your input margarett i really appreciate it...

News:

What are the possibilities