archive provided by lainchan.jp

lainchan archive - /sec/



No.1 [Reply]

This is new /sec/, the security board. The intent is that this board will be used to discuss means of securing electronics and other machinery. Discussion of securing other types of objects, such as houses, safes, and privacy is very welcomed. Discussion of offensive means, cracking tools, and secret documents is permitted and also very welcomed.

Do remember to be smart when discussing potentially illegal activities.

Relevancy is considered very important in this board. It is expected that every image and file will be strictly relevant to security of this sort.

Do not start a thread designed to collect information concerning the lives, preferences, or other potentially sensitive information of users on this board.

Hide loudly; live creatively; crack happily. Secure well; fear naught.


No.122 [Reply]

So we just had a discussion on "Simple questions thread" that I think deserves its own thread.

The discussion is about virtualization vs sandboxing. I'll post the comments below and you can contribute to it.
5 replies omitted. Click reply to view.


Capsicum is like kicking dead whales down the beach, however; Pledge is the only thing that is being implemented on a large scale.
There is also Seccomp for Linux, but it isn't being used on a large scale; few applications use seccomp, whereas Pledge is being used in the entire base already.
I think only OpenBSD does virtualization right with vmm/vmd with Pledge?
What I miss on OpenBSD is an RBAC like grsecurity has.
Anyway, I don't think Xen is the right way, but OpenBSD can indeed be improved here and there.
Just a reminder that most applications aren't built with security in mind, so there is very little priv separation; the only ones actually doing it are OpenBSD applications (OpenSSH, OpenSMTP, etc.)


Sounds nice in an ideal world where everyone can run the Muen separation kernel, but in the real world we have Linux, which is a big security vulnerability, and Windows, which is an even bigger one.

>big = insecure

many short, easily-understood programs are actually very vulnerable, and many giant projects are airtight. What matters is how well those are designed and maintained, not how tiny they are.

I encourage everyone here to look into Genode, which makes sandboxing and application separation a core part of the OS architecture. I firmly believe it's the future of OS design.


No.130 [Reply]

I want to study for ccna. What would be beneficial for me to have in my home network? Such as a cisco router and a cisco switch. Would anything else be beneficial?


Cybrary has a good course on networking for CCNA and Networking+

packet tracer is a good software for learning if you don't have the money for the hardware



You can use GNS3 to virtualize Cisco IOS, you can find the Cisco IOS images via torrent.

Also, I've seen Cisco CSR1000V (Virtual Router) floating around on the internet (They're limited in throughput though).


No.133 [Reply]

Is the future on dark nets (intranets under the Internet)? Day after day, the design of websites on the Internet becomes more insecure, bloated and invasive on the technical side, and the political/legal side doesn't see the problems of surveillance in the long run.
While this looks pretty complex to fix on the political side, the technical side looks more promising, with the refinement of some old projects like I2P and Tor.
Well, what is your opinion, lainon?
47 replies omitted. Click reply to view.


The GUI says I have no connections, the terminal gets no results from searching anything. No documentation to get help from online.

Though once I can get the thing working, I'm absolutely happy to help flood it with content. Will look out for GNUnet threads here. Though I wonder if GNUnet will actually get a major release, since it's got GNU in the name...

I thought GNUnet was a single program, not a suite of protocols. If it's possible to develop a "www" like browser for GNUnet, I can see it competing with I2P+IPFS (which isn't even in existence yet).

That's a benefit to I2P, multiple router software. Not sure if IPFS has anything like that though.

But the other poster said that GNUnet is a suite of protocols, so if it's anything like I2P, people can write new routers.


I2P is more prone to traffic analysis, more hops isn't better, and everyone using different browser setups makes you stand out even more.


No.1660 [Reply]

this is a $60 HSM that's OpenPGP compatible and works with NFC devices.

You need it.

also PGP/GPG thread. Pic related: device handles encryption, signature, and authentication subkeys. how do you use PGP?
34 replies omitted. Click reply to view.


> The next billion Internet users do not have an email address, but they have a phone number, because they access the Internet on their mobile devices only

So you don't need email to register for the usual internet nonsense like FB anymore? I guess if you can register on FB with only a phone number you register with everything after that with your FB. Yes, I am this far out of touch with normal people.


>You need it.
fuarrrk off wage slave. I don't need a stick that puts my infosec into the field of physical sec, which I know nearly nothing about.


No.168 [Reply]

what do we think about https://njal.la

founded by TPB founder

>registrars cant proxy your info already
>a warrant cant get your information anyway
2 replies omitted. Click reply to view.


>Add funds via Bitcoin or PayPal
no No NO.
When a user buys a domain you only then request payment.
What fuarrrking genius asks users to add funds to a web wallet to hodl for later purchases, after all the fiascos services accepting bitcoin have endured over the years.
This needs to be purged and the above needs to be the replacement.


You don't have to add funds for 10 years, you can add funds and pay the bill and then a year later you add funds again to pay for the bill.

Looks solid, it doesn't require any info, while with most registrars you legally have to give legit information.


No.172 [Reply]

Feel free to post more tools and testing or what you're working on

android vm boxes - http://www.osboxes.org/android-x86/
Smartphone Pentesting Framework - https://github.com/georgiaw/Smartphone-Pentest-Framework
1 replies omitted. Click reply to view.


Your trivial inconsequential comments are not needed


Let me rephrase this thread then, mobile hacking thread


No.174 [Reply]

How do I make Windows more secure for free, short of installing another OS? Even applying the concept of defense in depth, Windows looks pretty hard to keep well defended.
15 replies omitted. Click reply to view.


Not particularly spoopy when you agreed to them doing that in the EULA. Just a symptom of non-free software.



That is a pretty myopic view.


For the most part, the threat to a regular user will come through either the web browser or email.

Keep your browser up to date. Use an ad blocker (uBlock/uMatrix); specifically, uMatrix has some nice features. Privacy Badger, HTTPS Everywhere, etc.

Keep your email client updated. Don't click on strange emails, don't click on every link you see. Do not even preview strange emails. Make sure your client has a feature that stops this behavior.

Install EMET, configure it to cover your applications and raise the protections to the maximum.

Do not use an admin account for everyday tasks.

Modify your local group policy; a good starting point is https://github.com/iadgov/Secure-Host-Baseline. Do not just apply it, because it's fairly restrictive; modify and apply it to your needs.

Checking the STIG for Windows 10 is also a good place to look: http://iase.disa.mil/stigs/os/windows/Pages/win10.aspx

Set Windows firewall to deny everything that is not needed. Enable firewall logging and increase the size of the log. Go to your interface settings and disable whatever you don't use, same goes for any services.

Increase the max sizes of your event logs.

This is off the top of my head


No.1742 [Reply]

What do you lains use for encrypted synchronous communication? I've looked into Telegram, Tox, and Wickr, but they all seem like soykaf. Jitsi is encrypted with OTR, but the UI/UX is so bad you're never going to get any unlains to use it. I really enjoy Discord, but building an OTR plugin seems like it would be difficult.

Is there fuarrrking anything out there that is both secure and stylish? Even the former would do in a bind I guess.
114 replies omitted. Click reply to view.


just check the security keys you baka


Update on neo, I am almost done with basic functions, you can login and receive raw json when an update happens. Basic send/receive will probably be done later this week


No.2 [Reply]

This is the Simple Security Questions thread for simple questions.

If you have a simple question and a suitable thread doesn't already exist, just post it here and someone will probably try to answer it for you.

Remember to do some research before asking your question. No one wants to answer a question that a simple search can already resolve.
39 replies omitted. Click reply to view.


If you refuse to decrypt, you don't get in, if you happen to be searched. Unless you're a citizen.



I should have mentioned that. I'm a US citizen. I just don't want to be searched and forced to enter a key and refused boarding for the flight I paid for if I don't.


No.200 [Reply]

If I'm looking to work with a webdev, like for a website, what would be a good skillset to have? What would make me a good candidate?


This thread would be more appropriate on λ. You can post it here: https://lainchan.org/%CE%BB/res/283.html


Word up.


No.2089 [Reply]

i'm toying with the idea of running a clone of something like riseup or cockli on my own colocated hardware.

anyone have any advice or interest in the topic?
26 replies omitted. Click reply to view.


gain some experience running a mailserver first.
and then gain some experience running a mailserver for other people than yourself.

public mailserver is a whole other thing, if you just start from scratch without prior experience, you'll likely fuarrrk up or get fuarrrked up.



You know, I'm not so sure about that. I mean, more and more surveillance cameras and consumer cameras come with 'night vision', which picks up IR really well. Not that a laser would be picked up, but let the weather get somewhat occluded and that laser will light up like crazy.

Maybe a longshot, but I think it'll get easier to stumble upon this set up, not that it's bad.


No.215 [Reply]

It seems the The Pirate Bay creator launched a service for anonymous domain registration:

But you don't really own your domain, they do.
Seems like bullsoykaf to me, what do you think?
Why would someone buy this when you can take a .ga domain for free with fake personal info through tor?
2 replies omitted. Click reply to view.


Was this the same subject as >>168?


Duplicate thread with >>168


No.2170 [Reply]

Seems to me that physical security is just as important as digital security.

Personally, I've never picked a lock, but I'm considering learning. Watching some videos of experts has made me much more conscious of my choice of lock.

On a somewhat unrelated note, this is the setup for a server room at my uni. I kinda want to go in there and poke around, but I don't know what these boxes do. The lock itself seems pretty flimsy, once I learn I could probably break it. I'm more worried about security measures that I don't know about.
24 replies omitted. Click reply to view.


Basic rules of thumb when someone points a gun at you:
1. Assume it's real
2. Assume it's loaded
3. Assume they're willing to use it


I like ur post number, lain.


No.218 [Reply]

Need some advice.
I'm thinking about buying an old (<2005) IBM ThinkPad and using it as my HTTP/SMTP server for my personal website and mail. I'm doing this rather than paying for a VPS because I could have control of all the functions myself.
So, my problem is, I can do most of it without wasting money on some service, except that I would need a dynamic DNS since my IP wouldn't be static (too expensive in my country). My question is: is there any way I can run a dynamic DNS server myself, from the same dynamic IP? If yes, could I do it on the same machine?

I think it should be simple, since the dynamic DNS server would just be: grepping the actual IP > sending and updating to the domain name network. But I couldn't find this information at all.

That way I could host my server without wasting any unnecessary money. The OS, HTTP and SMTP server would be free software. The domain could be from freenom. The TLS cert can be from Let's Encrypt. The static HTML could be something fancy from html5up.net.
3 replies omitted. Click reply to view.


Just search "Free DNS" and you get plenty of them. You can even use CloudFlare! Actually it is a good DNS, just don't turn on their CDN.


I recognise this image. These are the OpenBSD build machines.


No.231 [Reply]

Story time thread

Share your experiences and stories about how you popped boxes and shells
>First time hacking
>read a few intro to pentesting books
>download a vm that says easy difficulty
>get on kali start scanning easy machine
>nmap, metasploit aux, smtp user enum for about 30 minutes
>get emails from contact page
>alright lets try bruteforcing some users
>spends 45 minutes trying to crack user passes
>why can't I get this
>check common passwords
>"Try their username"
>bruteforces again
>mfw it takes me 4.5 hours to get access to something that should have been a 5 second guess
3 replies omitted. Click reply to view.




I EXACTLY know that feel!


No.232 [Reply]

Anyone else enjoy spying on people through ip cams?
7 replies omitted. Click reply to view.


IP cams are soykafs and giggles.
If you don't have a sense of humor I can see why you'd take this mundane stance.

Take this example.
Some guy has set up his android to stream a live feed in a dimly lit store front.
>you figure out the phone's light can be set to flash @ set durations from a given data field.
>you write a one liner to emit flashes in morse code with "the internet of soykaf is here".
>customers start walking up to counter and pointing at the phone.
>guy moves towards phone in attempt to stop the flashing.
>you stop.
>guy sits down.
>you start over again.


I never understood the fun behind ip cams
did it a couple of times, but never really had any fun of it
seen naked people, blasted some racist music through the sound system to see their reaction...
never really was THAT entertaining to go back to it really imho


No.2445 [Reply]

56 replies omitted. Click reply to view.


i've been building a website for my software engineering class since january with 7 other kids. 6 of them are seniors graduating this semester, so it's super half-assed. should i give you guys a link when it goes live so you can see what you can do to it?


If you want, you can play around with it with w3af auditing software if the website has any functionality.


No.246 [Reply]

https://actu.epfl.ch/news/when-deep-learning-mistakes-a-coffee-maker-for-a-c/ (paper linked in article)
Can we find any way of exploiting this (at least until the algorithms get improved) for image recognition camouflage? Will that even matter with how primitive they are presently?

ITT we discuss use of image recognition to potentially invade our privacy and ways to prevent that
1 replies omitted. Click reply to view.


You could wear images of things that confuse it over your mouth like a surgical mask, right?



>HyperFace is a new kind of camouflage that aims to reduce the confidence score of facial detection and recognition by providing false faces that distract computer vision algorithms.

Basically, Hyperface is a camo pattern that works by providing facial recognition with a soykafload of false-positives in order to distract it from your actual face.


No.2489 [Reply]

Let's say I want to share an image with someone online, but I don't want them to have the ability to plug the file into Google's reverse image search, because the source hosting the image (which I have no control of in this hypothetical scenario) contains personal information I'm not interested in sharing.

Obviously, there are ways to distort or otherwise change an image far enough that the algorithm of any reverse image engine can't associate it with the original host, but exactly how severely do I need to change the image to keep it from leaving a trail of bread crumbs back to a sensitive source?

Obviously metadata would need to be wiped, but I don't know how much visual distortion would be necessary. Cropping the image? Slightly changing the colors in an image editor? stretching it by a few pixels? Or are we talking a more blunt method, like adding harsh noise, or some kind of serious image warping?
15 replies omitted. Click reply to view.


This doesn't work retroactively though. If the site has already been crawled, the data they already have will remain indexed for some time. Unless they changed some policy.


despite the advice already provided here, you can send claims to google. I think everyone here should be strongly arguing for legally mandated algorithms to take down personal images after a claim is filed.


No.2563 [Reply]

This is the marked thread for machine code programming and examination. This necessarily encompasses reverse engineering and security to a degree.

Feel free to discuss the nuances and advantages of your preferred architectures and assemblers, along with all else relevant.

In particular, the writing and dissemination of minimal machine code routines is encouraged. Obfuscation and protection techniques are also, of course, relevant.
4 replies omitted. Click reply to view.


So, to get us started on messing with efficient machine code fragments, I give you this arbitrary length integer addition routine written in MIPS III (R4000):

nadd:   lw $6, 0($3)
        lw $7, 0($4)
        addu $5,$6,$7
        sw $5, 0($4)
        srl $5,$5,32
        addiu $3,$3, 4
        addiu $4,$4, 4
        addiu $2,$2,-1
        bne $0,$2, nadd
        jr $31

Arbitrary length numbers are represented as vectors segmented into thirty two bit sections, ascending, the number of which is the length; one number is passed in register three and the destination and second summand is in register four; the length of the shorter number is in register two and must not be zero; registers six and seven are clobbered; register five is clobbered and holds a single bit if overflow occurred; register thirty one holds the destination once the routine is finished. All but register thirty one can easily be changed.

I read in a thirty two bit word from each number, add it using bit thirty three as a carry flag, store this result in the destination location, then shift the carry flag into bit 1 and repeat until the addition is done.

I have actual MIPS hardware that I could test this with, but testing machine code routines is so frustrating on UNIX that I've merely given this a few glances over. I don't think there are any flaws, but I could be wrong.

Regardless, feel free to improve on this and point out any mistakes I may have made.


Well, I made a few mistakes I've corrected now, but that's an excuse for more discussion, at least.
I also targeted MIPS64 this time:
nadd:   lwu $6,0($3)
        lwu $7,0($4)
        daddu $5,$6,$7
        sw $5,0($4)
        addiu $3,$3, 4
        dsrl $5,$5,31
        addiu $4,$4, 4
        dsrl $5,$5, 1
        addiu $2,$2,-1
        bnezc $2, nadd
        jr $31
        add $0,$0,$0
I should really give myself a decent testing environment for these routines.


No.2679 [Reply]

This is the simple security questions thread. The intent is that a simple question without a suitable thread already existing can be asked here and someone will probably try to answer or discuss it at suitable length.

If you have an in-depth question that can start a long discussion, a new thread may be more appropriate.

Remember to do some research before asking your question. Few will want to answer a question that a simple search or some insight can resolve easily.
157 replies omitted. Click reply to view.


This is tangential to your post, but I found it worth posting.
>By my understanding, microcode is like a translation layer that the manufacturer uses to fix bugs in the architecture. Microcode reroutes around bugs burned into the silicon you will supposedly run into instability issues on these modern CPUs.
Microcode is the lower level operations the machine language is built from. On most modern processors, it's used for bug fixes and whatnot, but older architectures allowed people to write their own microcode and switch between them for different programs.

So, as an example, a language implementation would be capable of making the CPU directly suit its needs. Doesn't that seem powerful? If you needed an instruction to behave atomically, you could add that. If you wanted very high level instructions, you could add them.


...how hardened do you mean? The big distros (with one exception) are pretty good for desktop "I want to avoid malware while browsing" use cases. You can, of course, go a lot further with stuff like grsec if you want to, and it may pay to if you're running a server. But if you're running a server your first area of attention should be the configuration of the service you're setting up on top of the OS. And for a desktop or server the best thing you can do is to apply updates promptly, before worrying about kernel patches, MAC, etc.

The exception that you ought not to trust is Mint, not Ubuntu. See:


No.3101 [Reply]

>"We prove that we have published stuff at a particular time by stuffing it in Bitcoin, in the blockchain, and then, if someone were to come and try to modify the material that we have published, to take a particular part, that would be detectable."

>-Julian Assange, Nantucket Project, Sept 28 2104


>"Wikileaks needs to change in order to survive and thrive through the next few months... If necessary of course, if I'm not able to continue or the Ecuadorian people are unreasonably blamed for Wikileaks' publications, I will have to resign as editor, but our publications will continue. The part of the necessary defense of Wikileaks, we have engaged in a new project to recruit people across the world to defend our publication - and we'll give details of that as the weeks go by... ...we will issue guidelines about how you can promote Wikileaks publications without censorship.

>- Julian Assange, Wikileaks 10 Years Press Conference, Oct 4th 2016

18 replies omitted. Click reply to view.



>If Assange was going to use the blockchain as a method of distributing his information instead of just experimenting with it then why didn't he publicly announce it?



No.3114 [Reply]


firefox + greasemonkey plugin

We live in strange times. If you need to "burn" a reddit account. this is the best way of doing it.
1 replies omitted. Click reply to view.



>having a reddit account in the first place
h'wat is this elaborate meme?



>Going on reddit


No.3135 [Reply]

Ok, I'm moving into a uni dorm within the month, and was looking at the network policy. It seems to be pretty strict. Not allowing your own routers/switches, banning the use of p2p software entirely, and even has a point that states being anonymous at all is not allowed. Infringement in any of these points and more result in disconnection and being sent to student conduct. What would you do /sec/? I don't think I can get through without use of private trackers, and knowing that everything that I do on the network will be visible to the school staff will gnaw on my sanity and probably alter my usage of the network.
28 replies omitted. Click reply to view.


What is the point of this? If you have access to a VPS then why not just install an OpenVPN server on it and route traffic through that?


There's a chance the uni might have their firewall filter VPN traffic. But that's not to say VPN wouldn't work. I had one set up on my home desktop a long time ago when I was in middle school and used it to watch YouTube poops in class. But I worked at the university I attended in their IT and found those kinds of things to be much more restricted. SSH is normally open for the computer science students at least.


No.3232 [Reply]

Do you tell friends/family/people on the street about using Signal/ChatSecure/Tox or Tor, etc.? How successful have you been? A few people are grateful for the information and change habits, but most people have a sort of knee-jerk response when I talk to them about using software that protects my privacy, they seem to prefer ignorance to actually being aware of what is going on in the world, as far as dragnet surveillance goes. I mean, they know it happens but they prefer to just act as if everything's okay. Problems don't go away when you ignore them but a lot of people function as if that's the case.
70 replies omitted. Click reply to view.


>Yeah, get away with it, but for how long?

There are people who were never caught for anything.

Basically, security and anonymity even in the face of modern surveillance states are possible, is what I'm saying.


True, but they are so much the exception and not the rule.

Why do we even have to have this discussion? Kinda sad really that this is the state of affairs we all live in.


No.3258 [Reply]

I often get the impression that the majority of cybersecurity problems arise from the immense knowledge gap between people who genuinely understand the issue and the general public. I don't mean only the technical intricacies---which are understandably outside the realm of public knowledge---but also the broader, "obvious" concepts, like what constitutes a security breach. Then there's the press who, in a race to see who can get the more click-baity headline, will publish things which are misleading at best or totally fabricated at worst. This kind of sensationalism only expands this gap and, in my view, is making the general discipline of cybersecurity more difficult. The media's recent characterization of the recent election as having been "hacked" is one of the more egregious examples of this behavior.

An election has two parts. In the first part, votes are cast. In the second part, the votes are counted. This is an essential point, because if you do not understand that, then nothing that will follow can make sense to you.

Headlines that read some formulation of "Russia Hacked the US Election" are, to put it bluntly, wrong. They are fantastically wrong. It may be the case that bad actors intended to influence voters to cast their votes in a particular way. However, the continual repeated assertion that the election was "hacked" has given a large percentage of the voting population the impression that the casting or counting of ballots was affected. No credible source has made this assertion. Even if for the sake of argument it were the case that certain districts were hacked, many states do not use machines connected to the Internet, so flipping the election on a national scale would likely not be possible. Yet somehow, that has become a part of the national zeitgeist.

I am probably just ranting. I guess my larger question is, "How do you talk about this subject with people who are fundamentally clueless?" Furthermore, "How do you *unteach* someone who has accepted as fact an incorrect premise?"
73 replies omitted. Click reply to view.


>>Except Kevin Mitnick's actions were to achieve the goal of accessing computers, which is what makes his actions "hacking".
Computers? I'm sorry, I thought we were talking about the far broader domain of "systems?" Or was this >>3575 not you?
>The election "system" is just as much if not more a system of people than it is a system of machines

>>The DNC has yet to deny the veracity of the documents that were leaked. The release of the documents cannot be called an act of fraud.

>No one is talking about this situation involving fraud in that context.
I am asking you that if you think the election outcome was changed as a result of social engineering, where do you see the essential element of fraud? More to the point, if you believe the statement "Russia hacked the US election" is true, I would like you to explain specifically in what way you think that statement is true.


>Anyway the whole thing about Russia hacking the election is way overblown. From all the information I've gathered, what Russia did was psychological operations on the American public in order to get them more on the side of Trump. If you read the emails, you would know that the DNC was running their own psychological operations on the American public as well in order to turn them more towards Clinton (Change the Record comes to mind). Not only that, but psychological operations aren't anything new, and the USA, Russia, China, and countless other countries have been running psychological operations in multiple countries for decades now. Some examples that come to mind are America dropping flyers in the Middle East (yes this is still a psychological operation), Russia in Eastern Europe, China going back to Sun Tzu, etc. You will find countless examples if you just google "psychological operations"

I'd agree with that, but I also think that Russia running psyops on our political processes is something about which we should get upset. I think it's different from the DNC running their campaign because the DNC is a group within this country that openly nominates a candidate. I would think that the middle Eastern countries to which the US does similar things would get angry in exact proportion to how much they think that they can do about it.

File: 1483502515415.png (266.08 KB, 300x225, Taylor-Swift-in-bed-with-Apple-MacBook-Pro-laptop.png)

No.3306 [Reply]

Lainons, what are some free email services (besides yandex) that don't require a phone number for registration?
59 replies omitted. Click reply to view.


Has anyone posted mail.com?

I doubt it's private and secure but you can send and receive and sign up without a number


i just use textnow.com and can get some phone calls and unlimited texts to a phone number in any area code in the usa i choose for free.. i use it to verify accounts all the time. idk what you guys are on about.. please fuarrrking duck duck go soykaf before you open your hole

File: 1484080474466.png (13 KB, 300x127, nw-setup-1.png)

No.3506 [Reply]

i'm currently thinking about how to set up an offsite backup in a secure manner. there are essentially two options i'm considering:
* encfs reverse filesystem, then rsync the encrypted files to offsite
* luks encrypted offsite storage, rsync the unencrypted files (still over a secure channel obviously)

my goal is to prevent anyone except me from viewing my files.

+ files are encrypted before they leave the onsite location
+ i've used it successfully before and know how it works
- encfs has security issues if an attacker has repeated access to encrypted files
- encryption on a per-file level
- makes incremental updates difficult or impossible (?)

+ solid encryption (?)
+ encryption below filesystem level
- needs password entry over network on each boot (so no fully automated boot possible)
- files are only encrypted at offsite location (they are in the clear in offsite memory or with offsite OS access)

* I don't need to encrypt the root partition of the offsite server, encrypting the raid disks is enough
* offsite server has usb port inside case for an usb key boot partition (maybe needed for luks)
* offsite server has case-open detection switch ("tamper switch")
* I can't inspect the server on a regular basis, but I can do so occasionally (every 2-3 months) or when I suspect something is wrong, or when a harddisk fails

attacker model: "incompetent hardware access"
* attacker can do everything on the network, but i'm planning to use ssh or vpn or something anyway
* attacker has hardware access since it's offsite
* attacker has access to harddisks I throw away when they fail
* attacker can shutdown/disconnect server
* attacker cannot open case without shutting down server (tamper switch)
* attacker cannot disconnect server power without shutting down server (tamper detection)
* attacker cannot disconnect/remove harddisk while server is running without triggering a warning (either because of network disconnect or because of raid degradation)

encfs additional drawbacks on attacker model:
* attacker does not repeatedly read out harddisk contents and can determine file contents via encfs shortcomings (one-hit attacker only)

luks additional drawbacks on attacker model:
* attacker is not byzantine, as in he would not cut open the side of the server and access the memory or hardware bus from there while server is running.

Can you recommend one setup over another? Which one makes more sense? Is there some problem with either setup i haven't taken into account? Is the attacker model realistic? Anything i should change? Something else than rsync?

And, most important to me: How have you set up your offsite backups?
12 replies omitted. Click reply to view.


does it support synchronizing filesystems, without versioning or increments? as in, just have the same data (plus/minus encryption) on two servers?

The problem is that incremental takes up same-or-more space than just a duplicate which takes up same space. Which would create the need for more diskspace on the offsite storage than on the onsite storage, and it is difficult to tell in advance how much (as in, at harddisk-buying time).


OP here. what encryption does duplicity use?

which attacker model does its encryption protect against?

File: 1484246520070.png (1.57 KB, 64x64, LibreJS_icon.png)

No.3543 [Reply]

The folks on the Tor website recommend against running add-ons other than the defaults as that could be used to track you. However, recently I've been using LibreJS more and more with the TBB, even though I don't know a lick of coding. How do you Lains feel about whitelisting or running nonfree JS in your browser? I only whitelist a few sites that I need.
12 replies omitted. Click reply to view.


not necessarily, the list of entry nodes is public.


Bridges and Pluggable Transports are different than entry nodes. In fact, all nodes that are not bridges are publicly listed by default.

File: 1484426156574.png (155.31 KB, 298x300, 1467850807262-3.jpg)

No.3599 [Reply]

The Human Trafficking Prevention Act is a piece of model legislation that is currently being advanced in several states. It would set up an opt-in filter for obscene content on the internet. The definitions for pornography in the USA are vague enough that such a law could easily be abused.

The following is an excerpt from the FAQ on their website (http://humantraffickingpreventionact.com/):
"Furthermore, the total prohibition against any form of government regulation is completely unrealistic and would create a state of nature. Consider this: a fish on the grass is not free. It is only when the fish is confined to water that it can swim lightening fast, thrive, and even breath. The same is true with humans. Mankind does not flourish best when child pornography,prostitution hubs, and obscenity are all one click away or unavoidable. Without “truth,” there is no “freedom.” “Freedom” comes from the “truth.” “Freedom” is not the “presence of restrictions” nor the “absence of restrictions.” “Freedom” is the presence of the “right restrictions,” the set of restrictions that objectively fits the givenness of our nature, the truth about “the way we are,” and the truth about “the way things are.” The set of restrictions that promote the most amount of peace, intimacy, reconciliation, healing, and forgiveness, in order to advance human flourishing to the maximized capacity are the set of restrictions that the state and federal legislature should adopt."

The authors of the model legislation are playing a bizarre sophistic game where they define freedom to mean "whatever we think is best for you." If that isn't enough to get you worked up enough to call your state representative, I don't know what is.
18 replies omitted. Click reply to view.


File: 1491403546625.png (101.05 KB, 200x126, ICpope.gif)

>Freedom is the presence of the right restrictions
This is some serious fuarrrking newspeak. Do they actually say why being able to access obscene material restricts freedom? The excerpt you posted is a load of bollocks, but they seem to be implying that obscenity is holding us back. Presumably because they think we don't do anything in our lives except go to work, come home and then spend the evening watching an eight year old getting raped by two men and a dog.
Well I'll have them know that I also soykafpost extensively.


>in a mostly deterministic world, there is no free will

Refer to the comic below for a strong argument against it.


File: 1484620356504.png (210.78 KB, 300x169, maxresdefault.jpg)

No.3644 [Reply]

Greetings Lainons.

We already know that Linux distros are more secure than Windows (in regards to unauthorized intrusion, NSA and spying, and general privacy). This thread does NOT debate this.

However, how can we take steps to secure the privacy of Windows? Namely Windows 10? What are some suites and programs that help protect privacy and security within Windows?

We already know about the backdoors (through fuarrrking updates no-less) and that Windows is fundamentally insecure anyway, but what are some things to help protect it more anyway?

>pic related
55 replies omitted. Click reply to view.


>I can only believe you're not arguing in good faith, when so much proof that Microsoft, Google, Apple, and these other technological companies shouldn't be trusted exists and yet you only ask for more and more.

Yet no proof was posted. And there are proofs on the internet means nothing. There are "proofs" that Moon landing is a fake, that 9/11 was an inside job, that homeopathy works, that Hitler did nothing wrong.

>Asking for evidence isn't wrong, of course, but you don't seem to want to accept anything less than a press release from Microsoft explaining in cold detail exactly how they help the NSA and other agencies.

That's great that you know what proof I will accept and post none of them anyway, just "Google it". You claimed something, you prove that it's true, otherwise it's just your conspiracy theory. I can also play this game.

Free software is a big security risk and software developers are employed by NSA. Google it.


since ubuntu and its derivatives are among the most popular distributions out there i'm pretty sure some autist already checked and keeps checking. i can't imagine canonical BTFO themselves by adding some bullsoykaf backdoor (it's not even an american company).

File: 1485024095987.png (327.49 KB, 300x300, CnuvhfyUMAAFjbh.jpg)

No.3714 [Reply]

I've been thinking about hosting my own mail server for a long time now, but I always get overwhelmed by the countless options, so I thought I might ask you lainons.
Are you hosting your own email server?
What's your experience?
What setup can you recommend/are you running?
How resource heavy is a mail server?
15 replies omitted. Click reply to view.


File: 1485817792047.png (56 KB, 200x151, sitting-on-the-fence.jpg)

I'm so on the fence about setting up my own mail server, it would be a good exercise for me and a good learning curve, but I shy away for most of the reasons listed - also downtime, sys fails and backups - it's probably gonna be far better for my sanity if I just go with proton mail for my needs. (work and play) - I feel I would only be asking for yet another computing problem to walk into my life, at exactly the time I won't be wanting it :)

I am so conservative with my setups nowadays, I just want 100% reliability - lots of backups, no over-clocking, server grade MBs, ECC ram, RAID 10 or 6 only, only essential (but very comprehensive) software installed, play is of course done only on VMs.
I still get downtime and have moments when having 2 near mirrored HW workstation setups (as well as mirrored servers) has been a total blessing!

Just feel email server would introduce more downtime into my life - or isp/Internet problems etc.

Ah well rant over... nothing constructive to add - sorry!


>I host mine on my home internet connection fine.
Majority of ISPs block the required ports for hosting your own e-mail server.
There are many workarounds however, such as using a VPS, VPN or redirect services.

This is the main problem people encounter when hosting their own mail server and probably the main reason most people don't do it, because it'll cost you money (even if it's only $5 it's still a bummer) and due to its more public nature, there are more security risks involved.

File: 1485152992560.png (27.92 KB, 196x196, scared.jpg)

No.3778 [Reply]

Good morning, Lain. I fuarked up. I registered a .us domain for a novelty domain name, but I forgot that .us domains cannot be bought with WhoisGuard, so now my full name and address are openly available in that domain's Whois record. This domain has been hosting a site with a steady supply of visitors for a few months. I'm thinking about migrating to a different domain and letting the old domain redirect to the new one until I no longer receive redirects from there, and to then cancel the domain. Thanks to all the domain metadata websites out there, may those who run them burn in hell, my Whois will probably persist in Google's cache for some time.

Do you have any experience in mitigating this type of total fail, Lain? Do you see further issues with my current plan?
4 replies omitted. Click reply to view.


I'm sorry, who? And what did they do?


I normally use someone else's vital information while supplying my own phone number and email. But then again. Really only an option when I knew the site might draw some ire and might point back to me.

Your only other option is to "transfer" that domain over to a few fake pseudonyms (while enacting your redirect plan) so that hopefully someone runs into a tiny bit of obfuscation in retrospect, should that level of scrutiny come to pass.

File: 1485198656852.png (786.78 KB, 300x300, 1413419561542.png)

No.3792 [Reply]

I want to start using gpg4usb to carry sensitive files on a stick. But it seems that i can only encrypt individual files and not directories. Am i forced to keep everything in an archive or should i just decrypt files as i need them instead?
2 replies omitted. Click reply to view.


Wouldn't that require me to install veracrypt on every computer as I go? GPG4usb works on any system (sans mac)


zip it or use a bash script to recursively crypt the files?

File: 1485296831623.png (12.51 KB, 300x169, 12_amazing_tricks_you_didnt_know_tinfoil_could_do.jpg)

No.3815 [Reply]

I want a tinfoil phone on a budget. I want a phone that runs linux and routes my calls from my cell phone # to it without calling it directly. I want it to be as secure as it can be for being a phone. It does not have to work perfectly as far as touch screen compatibility, as long as I am able to use it with a stylus, it is fine. It does not need to work with data, in fact I'd prefer that it didn't, as long as the wifi works fine. Which hardware should I use, which distro should I use, how would I go about this? Help appreciated, you guys are the friendliest people I could think of to ask.
13 replies omitted. Click reply to view.



I've used phone like these. They are generally dumb phones that do have SIM card capabilities (GSM). However, simply running it on wifi and using a SIP provider.

Best bet is simply using (as >>3831 suggested) a rpi. But i'd go without the screen and just locking down the unit to allow for connectivity to your SIP provider and forwarding connections to a neutered cellphone with a SIP client on it. There are hundreds of permutations that'll allow for you to increase your privacy.


The solution to your problem of apps tracking you is flashing a basic custom ROM like whatever Cyanogenmod is called today or Paranoid Android, not installing Gapps, and just paying attention to what else you're installing after that. That will take care of all of your problems with software on your phone potentially sending data to advertisers. You still might have to deal with your cell service provider selling your location data to advertisers if you live in the US, but the only way to get around that is to just not use a cell phone or leave it off whenever you aren't using it.

File: 1467447608427.png (62.12 KB, 300x215, Eraserhead.jpg)

No.382 [Reply]

I am looking for some good encrypted chatrooms where cyber security, encryption and programming is discussed. Similar to this chat; https://cryptodog.github.io/cryptodog/ Do you guys have any suggestions?
61 replies omitted. Click reply to view.


I'm doing this thing. Not finished, but it's got a lot added so far.


that's a good use case, keep an eye on gitla.in/neo (@neo_client on telegram)
I know telegram is bad it's just what I use atm okay

File: 1485395501692.png (54.44 KB, 300x188, IMG_0242.jpg)

No.3839 [Reply]

So I've been wondering for a while, what would actually need, like hardware wise, to hack a satellite?
21 replies omitted. Click reply to view.


File: 1488398743360.png (117.33 KB, 200x155, bladder dr evil .jpg)

Obvious, innit? Lain wants to destabilize the satellite's orbit, sending it colliding with an oncoming satellite and causing a huge space junk tsunami that will fall to earth killing all... unless his cash requirements are met by the governments of the world.


phones do not go directly to a satellite

File: 1485552269433.png (627.97 KB, 300x200, Songthaew_driver_in_Ubon.jpg)

No.3891 [Reply]

What are some realistic countermeasures to facial recognition?

CVdazzle takes too long and makes you stand out, masks are illegal in many places.

The best I can think of is hat+sunglasses+surgical mask.
3 replies omitted. Click reply to view.


Oh yes of course if that is something relevant to where you live then take that into account. Also maybe if you live somewhere where there are sandstorms then wearing something that covers your face in summer is gonna be less conspicuous.

I also found this https://www.urmesurveillance.com/urme-prosthetic/
it seems interesting but not practical, maybe we can take elements of the idea and make something more useful from it? perhaps just a partial prosthesis that changes the shape of the face in some way or something along those lines.


i like your example but sunglasses in the winter are better than in the summer. light reflects off the sun and has been known to give people sun burn, but that is only in extreme cases. In those previously mentioned cases you should wear goggles not shades since they block out more light

File: 1485556204945.png (308.18 KB, 300x226, OSINT[1].jpg)

No.3893 [Reply]

Would anyone want to set up an OSINT group?


File: 1485558101429.png (8.01 KB, 200x105, 46d7059ef1c25569853c4584d526387d99944eaa6043cb5cda4ef13f02c2d769.jpg)

What a sketchy type of jump in, lol.
OSINT group as in?
OSINT stands for Open Source INTelligence, right? What would OSINT group do? What "missions" would it have?

Seriously dude, your post will deter most people because of its sketchiness. And second thing, person who knows what he/she is doing will already have connections to make said group. Yall niggas just be triflin dawg


A thread begun with a single sentence isn't allowed.

Feel free to try again, with more effort.

File: 1485627799822.png (249.74 KB, 300x253, bb960mzvsgby.png)

No.3904 [Reply]

what is up with people spreading disinfo about tor?

Like, every once in a while you'll see something like "tor is a honeypot" or "tor is compromised". What the fuarrrk? Do you really think something open-source that's under that much scrutiny could be compromised? Usually these people don't have any substantiative reason to believe what they do, either. They just say something like "it was originally funded by the military" or some bullsoykaf. Like, yeah, computers were originally built by the military, does that mean they're *all* compromised? no.
36 replies omitted. Click reply to view.


that is also the same talk where they said if he went off campus or used a bridge he would have never been caught. either way time correlation attack can help to deanonymize a person but alone are nothing but speculation


Hidden services don't need https. They don't ever go through an exit relay (in the same sense as connections clearnet do, at least) and they have both secure encryption through the Tor protocol and identification through the hash in the URL. Having https on a hidden service is pretty redundant. They go through more than 3 relays as well.

File: 1485691922144.png (258.76 KB, 300x150, TfSsiF9.gif)

No.3911 [Reply]

Recently I noticed that someone had tried to login to my steam account from somewhere, prompting several steam verification code sms to my phone. Apparently having auto login is not secure since the passwords can't be saved securely.

After this i have become curious in auto login. How do clients save their passwords for auto login? Plaintext files hidden somewhere?


File: 1485694722262.png (101.46 KB, 200x120, ichi-the-killer.jpg)

I'm definitely not an expert on this but I think once you enter it once the program generates a hash from the password and keeps it hidden. Every time you change the password you'd need to regen a new hash and cracking the password locally is just finding the hash and bruteforcing it.


Depends on the client. The right way to do it is something like this.

Log in normally

Have the server generate a "token" of some sort, store that token in a list of tokens that correspond to that user.

Next time the user logs in, instead of presenting a password present that token (on web sites that token is stored in a cookie).

Have the server stop storing those tokens under certain conditions, such as no log-ins after a certain point.


For some reason most clients try to obfuscate what they're doing, even when that's what they're doing. They store the length of the password, and show some dots indicating how long it is in the password field.

Others, like ssh, make this explicit. You can't tell it to remember your password, but you can generate an SSH key, which acts very similarly to our token example.

Of course, if you're getting your browser to remember passwords for you, it is just storing the plaintext somewhere. Not necessarily in a plain text file, often in some kind of data structure, like an sqlite file or some horrible XML thing.

Tools like the pupy RAT even have modules to pull all those passwords out of those files.

In firefox at least, if you set a "master password" it no longer stores the files as plaintext on disc, it encrypts them using your master password as a key, and only unencrypts them as needed.
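The token scheme outlined in the reply above, sketched server-side as an added example that is not part of the original post. The class name `TokenStore`, the 30-day idle limit, and the choice to keep only a SHA-256 hash of each token are assumptions made for illustration; the clock and user names are constructed.

```python
import hashlib
import hmac
import secrets
import time

IDLE_LIMIT = 30 * 24 * 3600  # assumed policy: forget tokens unused for 30 days


class TokenStore:
    """Per-user list of login tokens (in-memory stand-in for a database table)."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._tokens = {}  # user -> {sha256(token) hex digest: last-used timestamp}

    @staticmethod
    def _digest(token):
        # Only a hash is stored, so a leaked table does not yield usable tokens.
        # Tokens are 256 random bits, so a plain fast hash is enough here.
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, user):
        """Call after a normal password login; the client stores the return value."""
        token = secrets.token_urlsafe(32)  # drawn from the OS CSPRNG
        self._tokens.setdefault(user, {})[self._digest(token)] = self._clock()
        return token

    def login_with_token(self, user, token):
        """Accept a token in place of the password. Returns True on success."""
        now = self._clock()
        presented = self._digest(token)
        entries = self._tokens.get(user, {})
        ok = False
        for stored, last_used in list(entries.items()):
            if now - last_used > IDLE_LIMIT:
                del entries[stored]  # server stops storing stale tokens
                continue
            if hmac.compare_digest(stored, presented):  # constant-time compare
                entries[stored] = now  # refresh the idle timer
                ok = True
        return ok

    def revoke_all(self, user):
        """Drop every token for a user, e.g. after a password change."""
        self._tokens.pop(user, None)


def demo():
    now = [1_700_000_000.0]  # constructed clock so expiry can be shown offline
    store = TokenStore(clock=lambda: now[0])
    token = store.issue("alice")
    results = {
        "valid": store.login_with_token("alice", token),
        "wrong": store.login_with_token("alice", secrets.token_urlsafe(32)),
        "other_user": store.login_with_token("bob", token),
    }
    now[0] += IDLE_LIMIT + 1  # no log-ins for longer than the idle limit
    results["after_idle"] = store.login_with_token("alice", token)
    fresh = store.issue("alice")
    store.revoke_all("alice")
    results["after_revoke"] = store.login_with_token("alice", fresh)
    return results


if __name__ == "__main__":
    print(demo())
```

A stolen token still logs in until it expires or is revoked, which is why the client-side copy needs the same protection as a saved password.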

File: 1485857419710.png (123.18 KB, 300x200, cooked_the_goose.jpeg)

No.3941 [Reply]

Just a friendly reminder your devices are listening.

While anything with a mic can potentially be hacked, it's known that cell phones are mandated to have surveillance capabilities. This can bypass the OS, as the cell modems have direct memory access, and it's mandated that LE has a backdoor they can use to spy on people, even if the phone is off. A battery disconnect will kill the mic.

Just reminder to treat all microphones plugged into a power source as live, unless known otherwise.

Simple countermeasures:

1. make a Faraday cage. Get a box that can fit your electronics. Get some radio reflective paint. Get a box. Paint the box inside and out. Connect your phone to cell tower, Bluetooth and wifi, put the phone in the box, ensure the connections die.

PROTIP: STOCK microwave ovens do not work. It should work if you spray the inside of a microwave oven. untested though.


2. Step two - get a white noise generator. You can get these things at bed bath and beyond as well as target as well as the internet. They use these in doctors office to prevent people overhearing sensitive communications.

Put devices in painted box next to white noise generator.

Double pro-tip: remember security culture. If you use it like contraband, it is contraband. The entire point is to look non suspicious. If anyone asks about the items, you need plausible stories about what you are doing with them.

White noise generator is to help you sleep. They are sold as sleep aids. the RF paint is for your radio project.

Triple pro-tip: bug detectors should find people's cell phones and anything else that needs to go in the box for the conversation. Any electronics that has a wireless data interface of any kind needs to go in the box.
22 replies omitted. Click reply to view.



One would need to compensate for incidental noise produced by many common household machines. A lot of them aren't silent in the higher frequencies. Those HF fingerprints might also have a rather tight bandwidth that'd make finding them more annoying.


It's never as simple as it seems, is it? I think it'd be interesting to look into, at least.

File: 1485989787634.png (106.69 KB, 300x215, lain.gif)

No.3962 [Reply]

Just grabbed the equation_drug dump off the tracker and I want to mess with it on some old hardware I have. Problem is I have no idea how to use it and I'm not sure where to look for guidance.

Any lains have advice?


Use the Simple Security Questions thread for this: >>2679

File: 1485992747329.png (178.71 KB, 270x300, a_cat.jpg)

No.3964 [Reply]

I'm going to be flying for the first time ever soon, and I was hoping for some advice on laptop or electronics security for my OS, to keep TSA agents from snooping on me mainly.
3 replies omitted. Click reply to view.


you can't legally be compelled to incriminate yourself, but then again police generally don't give a soykaf about the law and especially in airports.


You are correct after all!

There was a court case at the SCOTUS in 2012

File: 1492336369054.png (62.55 KB, 300x169, 48ab9a77gy1fcv5321i9wj20qt0ax0tc.jpg)

No.4 [Reply]

Hi lainons, this is the Post-Quantum Cryptography thread!

Although the threat of quantum computers is currently not a concern, any individual who cares about privacy, cryptography or security needs to learn more about PQC right now, before the quantum apocalypse.

Feel free to discuss anything relevant, e.g. practical software solutions that utilize PQC, theoretical development.

As a starter, here's a list of recommendations. If you know more, share it!



i2p-bote, decentralized email, NTRU encryption.
Goldbug, instant messaging, NTRU and McEliece.
C Implementation of NTRUEncrypt.

Daniel Bernstein - The Post-Quantum Internet
Phong Nguyen - Lattice-Based Cryptography
Tanja Lange - Code-Based Cryptography
Jintai Ding - State of Art of MPKC
Dustin Moody - Post-Quantum Cryptography: NIST's Plan for the Future
18 replies omitted. Click reply to view.


I worried about that too, asked him but he said he's probably going to change it to just lainchan's lainzine, without a specific domain



abstracted from the physics. it's more computational, you won't need a phys background to get it


a vector of qbits each has a probability of being in one of two given states on observation, that looks like a probability distribution. great. now you can operate on bit vectors to change the distributions. build a circuit with gates that operate on probability distributions of qbit vectors. check the value of the output. check the value a few times. you can induce the distribution of outputs from a relatively small number of values.

good for finding collisions, not a nondeterministic turing machine, can't represent extra bits with two bits, no time travel, no infinite resources, no virtual infinite parallelism. you can solve certain probability problems in fewer cycles. algorithms will precede hardware as people do stuff with math.

so far as I understand anyway.

File: 1486426244188.png (58.17 KB, 300x252, image.jpeg)

No.4063 [Reply]

Freedom Hosting 2, the successor to Freedom Hosting, was recently hacked by a unnamed person(s). Their database was held at hostage for 0.1 BTC, but the person(s) released it for free in a torrent: http://fhostingesps6bly.onion/fhosting.sql.gz.torrent

I haven't personally looked into the database, but I wouldn't be surprised if a lot of it was CP or scam accounts/services. They also released the system files (configs, private keys, etc.), which aren't that interesting but still something.
4 replies omitted. Click reply to view.


...which is stalled, apparently the creator doesn't know how torrents work and didn't seed it.


i am seeding it. bittorrent isn't magic, you have to be relatively close to the peer for it to actually transfer data. wait until someone else is close enough to you and me and then you'll get the file.

File: 1486678708750.png (297.28 KB, 291x300, something1.png)

No.4091 [Reply]

What do you think #Vault7 is about?
96 replies omitted. Click reply to view.


>>UEFI allows ring 3 to ring 2 escalation
That's ring -2, not ring 2. Ring -2 is System Management Mode (SMM) which has higher privilege than the kernel.

>Are there any resources you'd recommend on getting rid of UEFI on newer machines?

You really can't on the machines that have it, as it's a modern replacement for the older BIOS. I think I heard Coreboot or one of the other alternatives is rather stripped down so it might not include the features that would make such an escalation possible, but I can't say for sure.


The intent of this board is that techniques, the merits of such, and whatnot will be discussed for achieving security.

This discussion has become reasonably separated from security. If the topic is wanted to be continued, make a new thread.

File: 1486753691730.png (10.94 KB, 300x168, download.jpg)

No.4107 [Reply]

I see a lot of talk about netsec here but not a lot about how you protect your local os (besides basic encryption). So, lainians, how do you protect your computer?
4 replies omitted. Click reply to view.


Man, reading through this post made me realize that I don't do nearly enough netsec. While I don't encrypt my root and data partition, my personal cloud is encrypted and I try to self-host as much as possible. Other than that I block all ports by default and use VPNs.
I've looked at grsec/PaX/SELinux in the past but I wasn't really convinced. Though it should be easy to install since Gentoo has profiles for that sort of thing.


gentoo has pretty good introductory pages, within the wiki, for selinux as well as basic security practices during install and while running.

File: 1487065768448.png (17.49 KB, 225x300, metadata-kills.png)

No.4140 [Reply]

So, dear Lainons I want to "sign" an image with some text, not a watermark but embed my signature within the image. Maybe there will be some negligible quality loss but I'd like it to be readable by some app.

I suppose it's similar to how layer works but would run as a stand alone application (for large image files). It doesn't use meta-data tags like EXIF or anything similar, the message would be encoded into the file. If it gets cropped, re-encoded or modified in any way, then the signature is destroyed (therefore the file is no longer authentic).

Does such a program or suite of programs exist? I know a simple screenshot will copy any image but this is more as a means to preserve the source for those interested in knowing.
7 replies omitted. Click reply to view.



Looks like it's linux only;

download it and then cd to the directory and type:

sudo make install


man steghide
This is the tool I typically use for sending small files on imageboards.

File: 1487340819034.png (43.81 KB, 200x300, 12407_1184083496838_1670772903_395233_158850_n_1_.jpg)

No.4204 [Reply]

i need your help. How do i know that my network/system isn't compromised? Where do i start with IDS? What Software should i use?

Also general discussion on IDS.
1 replies omitted. Click reply to view.


I really like BRO and SNORT. You can run snort on a pfSense box on the edge of your network.


IDS is only worth it if you fine-tuned it (because many reports will be generated for useless stuff that is not harmful).
IPS actually blocks and is also worth it if you either have great community lists or fine-tuned it.

File: 1487439638888.png (1.82 MB, 300x225, cbp.jpg)

No.4241 [Reply]

United States CBP (Customs and Border Protection) wants your phone, your facebook, and your Twitter.

what OpSec do you perform to disrupt this effort?
what OpSec do you recommend to avoid/deter against this?

Rules of the engagement:
- CBP can detain you and search you with no suspicion.
- if you are a citizen, you have a limited subset of rights at CBP checkpoints. An attorney cannot help you here.
- CBP is authorized to use deadly force. most are heavily armored, well armed, and CCTV is in effect.

- CBP are not trained in infosec. many do not graduate beyond highschool education.
- explaining rights, laws, freedoms, etc... is discouraged. see above.
- technical descriptions or explanations should be avoided. see above.
33 replies omitted. Click reply to view.


with all this in mind, it might just be better to not do anything sensitive at all over text+calls. Just keep some innocuous texts from friends and family on it, maybe some porn so they think they've found what you were hiding, and do anything else on data or wifi, and uninstall those apps before they get to it.
I'd love something like that function TrueCrypt has where one password unlocks your private stuff and another password unlocks a dummy sanitized version. Someone could probably even do this with a custom lock screen if we're talking about fooling normal people.



Kevin Mitnick described a bit of social engineering he did on 2600 to get around this soykaf. He told them they could have everyone on his phone and his main system (laptop), and then told them they couldn't have anything that was on a soykafty chromebook that had no info on it that he had with him. They immediately stated they weren't interested in the laptop or phone, only the chromebook.

File: 1487864511683.png (180.17 KB, 300x163, Collision-illustrated.png)

No.4370 [Reply]

7 replies omitted. Click reply to view.


>Code Example
Didn't think of it like that, thanks.


in the crypto world, an actually broken primitive means it should have been phased out 5 years ago.

this is *bad*

File: 1487925654096.png (48.32 KB, 300x285, attachment.png)

No.4386 [Reply]

Project Zero: https://bugs.chromium.org/p/project-zero/issues/detail?id=1139
Cloudflare Blog: https://blog.cloudflare.com/incident-report-on-memory-leak-caused-by-cloudflare-parser-bug/
Hacker News thread: https://news.ycombinator.com/item?id=13718752
Sites using Cloudflare: https://github.com/pirate/sites-using-cloudflare

General consensus on the issue (by everyone who isn't Cloudflare) seems to be that this is an exceptionally serious vulnerability that may have compromised substantial user information from almost any site that uses Cloudflare.

The current suggestion is to rotate all of your passwords for sites that may have been affected.

Examples of data that have been leaked through this vulnerability include GPS positions from Uber, authorization tokens from Fitbit mobile applications (I think?), chat messages from a popular chat client (hypothesized to be Discord), and private messages from dating sites (OKCupid).
9 replies omitted. Click reply to view.


01010101 010 10 1010 1010 10 1010 10 10 1
1 010 10 10 1010 1 010 101 0101 010 1


These days even security vulnerabilities need witty names, shiny logos and a sizeable marketing team.

File: 1488441265667.png (706.97 KB, 300x300, Showtime_Selfie_01.jpg)

No.4484 [Reply]


It worries me when the top dog in W3C takes on the role of a powerless proponent of DRM.

>Yes, there is an argument made that in any case, W3C should just stand up against DRM, but we, like Canute, understand our power is limited.

Holy soykaf u dense fuarrrks at W3C, the reason you exist is to advocate AGAINST this soykaf. There is no bureaucratic pressure for W3C to roll over, they just put out guidelines. The fuarrrk.
6 replies omitted. Click reply to view.


The article seems to get one point very wrong:
>Do we worry that having put movies on the web, then content providers will want to switch also to use it for other media such as music and books? For music, I don’t think so, because we have seen industry move consciously from a DRM-based model to an unencrypted model, where often the buyer’s email address may be put in a watermark, but there is no DRM.
All those music streaming sites most certainly would move to using DRM like this if it existed, and the RIAA will be pushing for that in the future now that EME is being accepted.

>This will make disclosing security flaws in web browsers into a criminal offense.
No, EME is just a framework for using DRM. The DRM is still a separate plugin and not an integral part of the browser.

>Working DRM is mathematically impossible.

It depends on what you consider to be "working". Due to the plugin approach that EME uses, companies can update their DRM plugin whenever people manage to break the key used. This means that companies anticipating the keys for their DRM eventually being broken can have updated versions of their DRM plugin ready to push out to users as an update the moment their previous version was broken, and after a few cycles of their DRM keys being broken would be able to anticipate the time it takes and preemptively update their DRM plugin. This is the future people chose when they started replacing local media with streaming.

People use Tor over I2P because I2P doesn't allow you to visit clearnet websites. Most people don't use software like Tor or I2P for accessing hidden services, so I2P's extra security is meaningless when they can't access the information they want over it. The ability to more securely torrent using I2P is really the only thing I can think of that I2P has going for it to attract more people, though most people are probably happier with faster download speeds at the cost of privacy/security.


The point of i2p is not to be an out proxy and never will be. But I think that all hidden services would do better to switch over to i2p to provide stronger anonymity for both users and providers.

File: 1488606471815.png (6.35 MB, 200x200, Project SAVE.pdf)

No.4527 [Reply]

So the Danish Defense college released a SE framework guide I thought you would be interested in.

This report gives a decent framework on SE but also case studies on SE attacks such as the power grid attack in Ukraine, Kiev airport attack, and the US DoJ.
3 replies omitted. Click reply to view.


They sell physical copies for free on their website. Free + international free shipping.


In the lainzine they reference this guide, old but gold, regarding traditional pen testing w/o social engineering - http://pastebin.com/cRYvK4jb

File: 1488797117990.png (17.16 KB, 300x300, icon320x320[1].png)

No.4554 [Reply]

Hey Lainons,

I've never been a security conscious guy until recently, where suddenly it seems like I've gone full blown paranoia in face of the inevitable cyberpunk future.

Basically, I want to know how to encrypt my entire (Year and a half old) Android phone as much as possible, so that the data is mine and not available to be taken by any government. I've installed Tor and trying to use Signal for messaging (Gotta get other people using it first), but I wanna know what the next step is to securing myself.

7 replies omitted. Click reply to view.


OP may roll with F-Droid but nonlains would predictably stay vanilla.
Suggestion could be, build the APK yourself and upload to a throw away google play account and direct contacts to your build, but then you'd start feeding into alphabet which goes against trying to stray away from using their services...


I've been thinking for a while it would be better to use a dedicated mobile hotspot with a small wifi-only tablet. Would be a pain carrying two devices but would solve the malicious base station problem no?

File: 1488812684961.png (258.96 KB, 300x180, leak.png)

No.4557 [Reply]


A spam group "calling themselves River City Media (RCM). Led by known spammers Alvin Slocombe and Matt Ferris" has left backup servers exposed, containing operation critical files, including "a database of 1.4 billion email accounts combined with real names, user IP addresses, and often physical address".

Includes information about how they used a slowloris attack to open a ton of connections to gmail, and force it to process a massive amount of email at once.

As the article rightly points out:
>Imagine the privacy and legal implications here. Law enforcement agents normally have to go through a subpoena process before a service provider will hand over the name behind an IP address or account. This list maps out 1.4 billion.

It seems apparent that CoRegistration was a source for these collected email addresses - sites sharing details you provide with third parties. RCM themselves posed as a media company.
It makes me wonder how many other operations like this are out there, and how easy must it be to scrape personal information en masse like this.

Spamhaus has blacklisted RCM's infrastructure.

File: 1488844974751.png (55.35 KB, 300x215, lainphone.jpg)

No.4569 [Reply]

with governments forcibly demanding your passwords and cloning your whole phone to crawl through later when you travel, what solutions exist other than simply wiping your whole phone and reimaging it later (or something that might not work like pretending you forgot the battery).

It simply is a bad idea to let them trawl through your entire email and chat histories as well as every account password and detail on whatever websites you were on. It's not a question of having something to hide it's being worried about them constructing evidence from out of context information to their own benefit.
Example case: http://www.dailyxtra.com/canada/news-and-ideas/news/us-customs-block-canadian-man-reading-scruff-profile-215531

I was thinking a hidden volume style setup might help here. for example, if i unlock my phone for them using one code, it could go to the volume without any vitals on it. The other would lead to my real phone OS. It would be nice to have this not only for this specific scenario but because i'd like to be able to make calls and do simple soykaf without "unlocking" every little ounce of security i have on the device so someone could grab it out of my hand and keep it unlocked to dig through emails or some soykaf. My understanding of hidden volumes is that the use of the outer volume will destroy the hidden volume's data, which is a major problem if they go into the outer volume and start rifling through everything installed.

A layered solution could also work where you have an obviously encrypted container inside the OS but severe usability problems emerge there as well as the reliance on their laziness, they could still ask what that big inaccessible file is.

Are there any existing phone OS/implementations i can read up on that compares to this level of security?
1 replies omitted. Click reply to view.


Telling them to go fuarrrk themselves is nice when they aren't detaining you at an airport until you unlock your phone which you yourself know doesn't have anything incriminating on it, so you cave.

The issue is that even then they can construct a case against you out of thin air to fill their quotas so it's best to just avoid the situation entirely. I'm more likely to store an encrypted phone image on a home server or even random upload site and re-image it afterwards than i am to risk being forced to unlock my soykaf at an airport, avoiding confrontation in those circumstances is good opsec but also a good life skill.

I've heard of copperhead OS but their phone selection is incredibly limited and for half the phones it seems like they expect payment, not exactly the champion of open source security i was hoping for. I also looked at paranoid android, they seem to have full disk encryption working but also don't support my phone. Next phone purchase i make will need to take the ROM choice into account too. It's already hard enough to find a phone that meets basic requirements like sd card and removable battery damnit.


>Telling them to go fuarrrk themselves is nice when they aren't detaining you at an airport until you unlock your phone which you yourself know doesn't have anything incriminating on it, so you cave.

They can't keep you detained forever, so unless you're pressed for time and NEED to be somewhere within the next couple of days then think of it as a mini-vacation. It wouldn't be the worst thing you've ever experienced, I guarantee that.

>avoiding confrontation in those circumstances is good opsec but also a good life skill.

Why care about that anymore? As long as you have secure setups on your devices they can't do much to some random glitterboy who tells them to shove it. We have to resist somehow and it can't be in the shadows completely.

>Next phone purchase i make will need to take the ROM choice into account too. It's already hard enough to find a phone that meets basic requirements like sd card and removable battery damnit.

That's the sad state of cell phones today. Personally, I'm so cavalier about the whole thing because I'm fed up with this soykaf and I barely use my phone as a computer anyway. Everything worth seeing is on my laptop/desktop, which are encrypted.

File: 1488918725253.png (240.63 KB, 204x300, spirals.jpg)

No.4620 [Reply]

There's this new degree in my country that looks promising. A comp sci master's program, specializing in cyber security, shared between two neato technical universities:

Then again, will anyone care when you get this piece of paper? I can see the job interview in my nightmares already: "Lol nice meme degree. Where's your work experience doing anything security-related at all?" I know businesses get horny at the sound of the term "data science" but they're not handing over security tasks to just anyone.

If I enroll for this thing, some 3-4 years from now, it will probably be because I want to escape my current code monkey job. Not because I'm already a master hacker. I'll need to do a bridging program too, before I can be admitted, so I'll lose another year during which I'm not actually working. Will I just be setting myself up for failure?

PS: Cryptography will probably eat me alive unless I go in extremely well-prepared.
19 replies omitted. Click reply to view.


>you probably will go do research on given problems or subjects and not pentesting some soykafty web server because everyone can learn that online.

Tbh I find it a lot harder than the "academic" stuff


File: 1491301852293.png (139.3 KB, 200x137, 1455733473860.png)

> Tbh I find it a lot harder than the "academic" stuff

Really? you find pentesting web servers harder than creating shellcode from scratch for modern archs like ARM or fuzzing for memory vulns?

Maybe you should update your definition of academic.

File: 1488937354757.png (3.84 MB, 204x204, fail.gif)

No.4639 [Reply]


/* Saved pointer to the firmware's original ExitBootServices */
static EFI_EXIT_BOOT_SERVICES gOrigExitBootServices;

EFI_STATUS
EFIAPI
ExitBootServicesHook(IN EFI_HANDLE ImageHandle, IN UINTN MapKey){

    /* <hook related fun> */
    /* Do fun hook-related stuff here */
    /* </hook-related fun> */

    /* Fix the pointer in the boot services table */
    /* If you don't do this, sometimes your hook method will be called repeatedly, which you don't want */
    gBS->ExitBootServices = gOrigExitBootServices;

    /* Get the memory map */
    EFI_STATUS Status;
    EFI_MEMORY_DESCRIPTOR *MemoryMap;
    UINTN MemoryMapSize;
    UINTN LocalMapKey;
    UINTN DescriptorSize;
    UINT32 DescriptorVersion;
    MemoryMap = NULL;
    MemoryMapSize = 0;

    do {
        Status = gBS->GetMemoryMap(&MemoryMapSize, MemoryMap, &LocalMapKey, &DescriptorSize, &DescriptorVersion);
        if (Status == EFI_BUFFER_TOO_SMALL){
            MemoryMap = AllocatePool(MemoryMapSize + 1);
            Status = gBS->GetMemoryMap(&MemoryMapSize, MemoryMap, &LocalMapKey, &DescriptorSize, &DescriptorVersion);
        } else {
            /* Status is likely success - let the while() statement check success */
        }
        DbgPrint(L"This time through the memory map loop, status = %r\n", Status);

    } while (Status != EFI_SUCCESS);

    /* Call the original with the map key that matches the current memory map */
    return gOrigExitBootServices(ImageHandle, LocalMapKey);
}

EFI_STATUS
EFIAPI
HookDriverMain(IN EFI_HANDLE ImageHandle, IN EFI_SYSTEM_TABLE *SystemTable){

    /* Store off the original pointer and replace it with your own */
    gOrigExitBootServices = gBS->ExitBootServices;
    gBS->ExitBootServices = ExitBootServicesHook;

    /* It's hooked! Return EFI_SUCCESS so your driver stays in memory */
    return EFI_SUCCESS;
}

Think it works?
12 replies omitted. Click reply to view.
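
A defender-side check for the pointer swap in the post above, as an added example that is not part of the original post: it audits a boot-services-style table by recomputing the header CRC32 that the UEFI specification defines and by testing that every service pointer falls inside the firmware image expected to implement it. The table is a constructed user-space stand-in, and the firmware range and all addresses are assumed sample values.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Field layout of EFI_TABLE_HEADER as given in the UEFI specification. */
typedef struct {
    uint64_t Signature;
    uint32_t Revision;
    uint32_t HeaderSize;  /* size of the whole table, header included */
    uint32_t CRC32;       /* computed with this field set to zero */
    uint32_t Reserved;
} table_header_t;

/* Constructed stand-in for the boot services table: the header plus three
 * service slots held as plain addresses so the example runs in user space. */
typedef struct {
    table_header_t Hdr;
    uint64_t GetMemoryMap;
    uint64_t AllocatePool;
    uint64_t ExitBootServices;
} mock_boot_services_t;

enum { TABLE_OK = 0, TABLE_BAD_CRC = 1, TABLE_PTR_OUTSIDE_FW = 2 };

/* Assumed sample range of the firmware image that implements the services. */
#define FW_BASE 0x7F000000ULL
#define FW_SIZE 0x00100000ULL

/* Standard CRC-32 (reflected polynomial 0xEDB88320), computed bit by bit. */
uint32_t crc32_ieee(const void *data, size_t len)
{
    const uint8_t *p = data;
    uint32_t crc = 0xFFFFFFFFu;
    while (len--) {
        crc ^= *p++;
        for (int i = 0; i < 8; i++)
            crc = (crc >> 1) ^ (0xEDB88320u & (0u - (crc & 1u)));
    }
    return ~crc;
}

/* CRC over HeaderSize bytes of the table with the CRC32 field zeroed. */
uint32_t table_crc(const mock_boot_services_t *t)
{
    mock_boot_services_t copy = *t;
    size_t n = copy.Hdr.HeaderSize;
    if (n > sizeof copy)
        n = sizeof copy;          /* never read past the structure */
    copy.Hdr.CRC32 = 0;
    return crc32_ieee(&copy, n);
}

static int in_fw(uint64_t p, uint64_t base, uint64_t size)
{
    return p >= base && p - base < size;
}

/* Returns a bitmask of TABLE_* findings for one table snapshot. */
int audit_table(const mock_boot_services_t *t, uint64_t fw_base, uint64_t fw_size)
{
    const uint64_t slots[] = { t->GetMemoryMap, t->AllocatePool, t->ExitBootServices };
    int flags = TABLE_OK;

    if (t->Hdr.HeaderSize != sizeof *t || table_crc(t) != t->Hdr.CRC32)
        flags |= TABLE_BAD_CRC;
    for (size_t i = 0; i < sizeof slots / sizeof slots[0]; i++)
        if (!in_fw(slots[i], fw_base, fw_size))
            flags |= TABLE_PTR_OUTSIDE_FW;
    return flags;
}

/* Constructed "known good" table: every slot points into the firmware range. */
mock_boot_services_t make_clean_table(void)
{
    mock_boot_services_t t = {
        .Hdr = { .Signature = 0x56524553544f4f42ULL,  /* "BOOTSERV" */
                 .Revision = 0x00020046u,             /* sample value */
                 .HeaderSize = sizeof(mock_boot_services_t) },
        .GetMemoryMap     = FW_BASE + 0x1000,
        .AllocatePool     = FW_BASE + 0x2000,
        .ExitBootServices = FW_BASE + 0x3000,
    };
    t.Hdr.CRC32 = table_crc(&t);
    return t;
}

int main(void)
{
    mock_boot_services_t t = make_clean_table();
    printf("clean table:       flags=%d\n", audit_table(&t, FW_BASE, FW_SIZE));

    /* Same change as the posted driver: one slot replaced, header untouched. */
    t.ExitBootServices = 0x6A001000ULL;   /* constructed address outside the range */
    printf("pointer replaced:  flags=%d\n", audit_table(&t, FW_BASE, FW_SIZE));
    return 0;
}
```

The CRC is an integrity hint stored in the same writable table, so the range check is the finding to rely on; the CRC mismatch is a cheap first signal.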


is there code on git for the above UEFI hack?



UEFI bootkits have been a thing since 2012. Hacking teams i think is what most of them are still based off of (but you're fuarrrking retarded to still use a UEFI kit in 2017 just find a kernel or (easier) third-party driver exploit).


File: 1488950932544.png (35.86 KB, 300x195, vault.jpg)

No.4643 [Reply]

the last one got locked, and this is something we should be talking about....

so far the cybersec implications are that the cia has tools to compromise windows, ios and linux, and some computer programs
43 replies omitted. Click reply to view.


File: 1490276543477.png (131.46 KB, 200x123, cia-wikileaks.jpg)

New vault7 "Dark Matter" release shows how CIA compromised Apple devices by using EFI and firmware malware


Another release, this time it's about the "Marble Framework", used to obfuscate malware so that it can't be tied back to the CIA and to insert text in other languages to spoof the origin. The source code shows that it had text examples for Chinese, Russian, Korean, Arabic and Farsi.

File: 1488988695545.png (176.96 KB, 222x300, vuu8dJz.jpg)

No.4652 [Reply]

Greetings Lainons. Perhaps you can help me.

We all know the NSA, CIA, FBI, the ABC, DEF, GHI and so forth are spying on us through hardware. Let's face it; it's embedded in Intel and AMD CPUs at this point, and probably the motherboards as well. X86 and amd64 are no longer secure.

Now, with all that said, what are some 'open-source' hardware that have no proprietary garbage on them? Is the Raspberry Pi like this?

>pic unrelated
51 replies omitted. Click reply to view.


DisplayPort. From https://en.wikipedia.org/wiki/DisplayPort#Cost

"VESA, which created the DisplayPort standard, states the standard is royalty free to implement."


How is the license on USB-C?

Can it finally replace HDMI?

File: 1489319121859.png (43.53 KB, 300x157, 20130207_broken_padlock_share_image.jpg)

No.4754 [Reply]

Well, i have a pretty basic ethical/hacking problem
How to notify the webpage administrator of a webpage vulnerability without being sued and while keeping my anonymity.
How do you lains do it?
5 replies omitted. Click reply to view.


OP, a remailer such as mixmaster would be a good call if you're worried about traffic analysis coming back later to haunt you.
Used this method before to great success.


lol sigaint isn't even up anymore, ya double-dummies

File: 1489435151289.png (302.77 KB, 167x300, evgeniybogachev.png)

No.4784 [Reply]

This ongoing case has been covered through and through, but this piece got me thinking after the past week's revelations and what has come to surface in the last decade:

How likely is it to presume that the very thing .ru's agencies have been caught doing, has been executed already by the US and China, but has yet to surface?
The means of riding off another's OP, typically having nothing to do with financial gain would seem a wise cover, as it's not common to associate both actors with one another as we tend to separate the two, but the targeting en masse/casting the net of everyday citizens in the millions, be it hundreds of millions, without probable cause if unveiled would be something.
2 replies omitted. Click reply to view.


>>Though they've stepped off the gas because of agreements made by Obama.
fuarrrking wow


ITT: people who've never read a threat intelligence report.

I forgot how being an edgy teen makes you a master conspiracy theorist.

Ever read an actual threat intelligence report from the last two years?

File: 1489462100696.png (134.75 KB, 300x200, wireless-720p-camera-LW3211-L3.png)

No.4785 [Reply]

Greetings, fellow Lainons.

I am gravely concerned. Regardless of your OS, regardless if you're using Libreboot and even if you do have 100% open source hardware, it raises a greater question.

How can we stop ISPs from recording our web traffic?

Granted, if you have committed no crime then you have nothing to hide. However, it's a matter of principle here. What are steps we can take to privatize our online activity and at least prevent our traffic being monitored? Yes, we can use a VPN, but who is to say they are not recording our traffic as well and not using it against us?

Is this the end of the free internet as we know it?
>inb4 OP is overly melodramatic
I am only concerned for our well-being, is all. I apologize if this seems heavily dramatized in any way.
16 replies omitted. Click reply to view.


If you are in the United States, soon all ISP history and logs will be available to advertisers for sale (hopefully not, but let's be realistic, that's how security researchers should think). This means that unless you are using something like tor, i2p, or DNScrypt then these advertisers and whoever else already has access to this info that ISPs probably already collect will know all the sites you visit. How about instead of using 100% encrypted connections, setting up a pi or something to generate bogus web traffic in the clear to make you stand out far less from anyone who only or primarily connects to tor nodes and i2p routers which are fairly publicly known and can call attention to you?
This presents a similar problem to what the TOR Browser has been attempting to deal with along with the EFF, browser fingerprinting versus maximum security browsing that can be profiled. But what I think makes this different is that your ISP, unless you somehow pay them in cash, knows your real life address and your full name. Websites don't and that is why fighting browser fingerprinting is important, but does it matter if they already know who you are?
I'd be interested in what you guys think. I haven't had much time to think about the ramifications of this and it seems pertinent to OP's question.


>Granted, if you have committed no crime then you have nothing to hide.

You have plenty of reasons to hide. Medical Data is important for hiring & insurance, financial data for buying things - online shops started adjusting prices depending on the user profiles - if they know you got money up it goes and if you don't know this happens gg. Political opinions also got people fired. And of course criminals can buy the same data shopping for targets.

Now to the security troubles:
Don't forget that no matter how safe your tunnel is you still need to ensure you ain't sending your ID over the tunnel. Browsers are notorious attack targets with most being contaminated themselves. If javascript is enabled there is a guaranteed chance to identify you through the tunnel and the web has increasingly more sites dysfunctional without enabling the tracking third party crap.

VMs + tunnel might work in a way obfuscating your real hardware, which gives you a second ID one could likewise reidentify unless you manage to change settings constantly for the VM to keep changing your possible ID. Lastly there were exploits breaking out of VMs so they can't offer absolute safety either but it's certainly more than just allowing your real OS to be read out.

BTW IPv6 is by design compromised but i don't remember the details. What's important is that it's recommended to stay on ipv4 when possible due to this.

File: 1489788108450.png (48.85 KB, 300x200, yareyare.jpg)

No.4860 [Reply]

Why don't we have threads about our malware anecdotes?

Mine isn't anything special, but maybe someone finds it as funny as I did.
Basically, one day I got an obvious scam email that wanted me to open its attachment. The attachment was a .doc.js file. Since I had lots of time, was on Linux, didn't care and was curious I decided to take the malware apart as much as I can. Until I eventually got to some kind of .exe file. On Linux. At that point I started laughing maniacally. I didn't bother to go any further.

File: 1492401681739-0.png (6.73 KB, 161x178, Art Van Delay.png)

File: 1492401681739-1.png (1.49 MB, 212x300, mitnick.pdf)

No.49 [Reply]

Can we have some Ebooks and discussion about Private Investigation?

Epub is preferred, but PDF's are also good.

I aspire to become a Private Investigator, but I've hit a roadblock and I'm looking for some inspiration and advice, anything is welcome.
8 replies omitted. Click reply to view.


File: 1492807674196.png (16.52 KB, 199x113, sp[1].jpg)

Well, we need to do two things,
1. share contact information
2. Discuss what are we doing analysis on first?
3. How we are going to do it


File: 1492996645948.png (1.62 MB, 400x300, presentation.pdf)

I thought lainons would be interested in this.

File: 1490432624222.png (413.85 KB, 300x159, stills-seq-20.jpg)

No.4929 [Reply]

Lainons, i think you might find that interesting, if you haven't heard of this already: the windowless Tower of new york city.

10-minute-"documentary", narrated by rami malek and michelle Williams https://fieldofvision.org/project-x

article by the intercept https://theintercept.com/2016/11/16/the-nsas-spy-hub-in-new-york-hidden-in-plain-sight/


Lol, that thing is straight out of a Deus Ex game.
And I'm not just saying that because neo-brutalist architecture is so easy to render.

File: 1490547951760.png (13.66 KB, 300x300, FJJOOSJHO7X6PIT.MEDIUM.jpg)

No.4937 [Reply]

Somebody, somewhere (more likely multiple people in multiple places) are watching me. Spying on me. The NSA, FBI, ABC, DEFG, China, they're watching us all. Somebody watches me wank my microscopic peter while looking at elephant women.

I want them to know, all of the government agencies spying on me, I want them all to know this; I feel sorry for the non-normal person soykaf they see me do and I think its hot.

That's all, thank you.
1 replies omitted. Click reply to view.


I think I get what OP is trying to get at, but like you say, who can tell if this data will not be used against us later? After all, Hitler made jews put the star of David on their windows for similar reasons.


Well, many people are being looked at quite literally though. Think of the imageboards and forums made for the purpose of sharing open IP cams and such.

File: 1490746690444.png (128.35 KB, 300x200, libreboot_inside.jpg)

No.4952 [Reply]

Greetings fellow lains.

I have recently discovered Libreboot thanks to this board, and I have investigated it a little bit. The first thing that popped out was that it was against GNU. This immediately pegged my bullsoykaf meter. I read on, about the reason why. So, serious question; is GNU really evil or is Leah Rowe full of soykaf? I have never thought of GNU as 'the bad guys' like I do Microsoft or the gov.
24 replies omitted. Click reply to view.


<leah>This time, the decision will be made as a community. (#libreboot freenode)
Leah has calmed down and is no longer "enemy" with
GNU, stop caring you lot. Free software is Free software.
Also people saying "hurr use coreboot or librecore", why not all? Why can't libreboot, coreboot and librecore work together?

sage because this belongs in /cult/ or /r/ not /sec/


This thread has been locked, because the central debate (animosity between libreboot and GNU) was resolved.

In addition, it is not on-topic for /sec/, and many posts contain rule violations.

File: 1490871503599.png (51.06 KB, 300x226, a.gif)

No.4970 [Reply]

Hi lains, I've kind of been out of the loop for a while. Sorry if this has been discussed to death somewhere but I'm on a public connection at the moment and I have to run in a bit and I just wanted to ask quick..

What are you wonderful people using lately? I was looking into Tox, but was wondering if anyone has better alternatives or some info.. Looking for something secure released by a reputable entity.

The thing I didn't like about Tox was how it seems pretty trivial for someone to get your IP just by connecting to them? But maybe that's just sort of how it all works, idk, clearly I need to do a bit more research but I just wanted to see what you all thought as well.

Thanks for reading~
2 replies omitted. Click reply to view.


matrix.org is decentralized, and completely open-source but encryption is currently beta, so I wouldn't really recommend it yet. Certainly hope it becomes the standard though. It can interface with other chat applications, but a lot of that is still under beta too.
Otherwise wire or signal are your only options afaik.


matrix is great indeed, even available on mobile using the riot app. The encryption seems good, but as said is still in beta so don't trust it with your life

I am currently developing gitla.in/neo, I'll make a separate thread for it when it's further done. At the moment it's suitable for basic use, albeit without encryption (coming later)

File: 1490883238208.png (126.45 KB, 300x169, vcv.jpg)

No.4971 [Reply]

I have a somewhat old laptop with Arch+i3wm installed in it, and I have some questions regarding as secure as possible browsing in it.
For professional reasons, I need to access some heavily botnet websites. I have no personal information anywhere, so it's not a very dramatic issue, but I still want to have as little as possible connections between my different browsing activities. The problem is that the only modern browsers that I can properly run in here are chromium-based. Anything related to firefox (IceCat, PaleMoon, &c) is just slow to the point of being impractical, and other lightweight browsers I've tested just wouldn't load a lot of websites around (for everything that's just simple, I'll use w3m, which I prefer anyway). So I use Iridium, which as far as these types of browsers go, I'm pretty sure is the most secure I could do.

For more specific protection, besides the basic ublock and httpseverywhere, I use uMatrix, with pretty strict rules, even though to access most common websites I end up having to let some soykaf come in. It also deletes my cookies every 15 minutes, and I only use incognito ever, so there's no continuity. But I get paranoid after being on google sites or anything similar, and don't want to leave those cookies laying around even as I go to the next site, or do anything after that.

So, I've described all this to give context to some doubts I have:
- am I just overthinking soykaf at this point in terms of browsing, and since I have to use those sites anyways, this is already as far as I can go with keeping them locked?
- what other combinations of extensions or habits I could use if the former question isn't the case? I really wish I had something like self-destructing cookies, but I couldn't find any equivalent for Iridium that was open source
- if i just delete cookies+cache as I'm using incognito (chromium-based browsers do that on another, not-incognito window), because I don't want those particularly nasty cookies laying around after going to youtube, for example, even for 15 minutes, will the browser delete them for the incognito session I'm using or those will persist until I close it?
It's a real bore having to either do that, or close and open the program again just to be done with that session info before doing other stuff. I saw several extensions that do a total clean-up with one click, but all I could find was closed-source.

Anyway, any help, advice, or recommendations on stuff I should read to have some new ideas would be very welcome. And I'm sorry if I should have posted this in some of the general questions threads, but I've read several of them and didn't see many posts with such broad questions, so I thought this might deserve its own thread. Perhaps other people will like to bring their questions in this format as well.


Disable javascript if it isn't already. Check if your browser is vulnerable to fingerprinting and if so try to fix it: https://panopticlick.eff.org/.
I think that with uMatrix you can change user agent. Try to copy the Tor Browser's one, since it's very common. Do you use something like a VPN or Tor? If so use your normal IP when accessing sites like Google and then switch for normal browsing. I don't know how Iridium works, but if you can try to use different profiles (or use the browser as a different user) for different browser activities and eventually for more security use a sandbox like firejail.

File: 1490967336010.png (66.79 KB, 300x225, horse.jpg)

No.4983 [Reply]

I remember there was a thread here about opsec sometime ago where lainons discussed the opsec they did and general tips.

Can we have one of those again?
5 replies omitted. Click reply to view.


File: 1491104487171.png (363.6 KB, 200x144, damage.png)

store your keys on a Yubikey HSM.


not if you generate revocation certificates and rotate your subkey regularly.

File: 1491197139477.png (51.42 KB, 300x196, 687474703a2f2f692e696d6775722e636f6d2f69486f47716f4c2e706e67.png)

No.5012 [Reply]

Going through the available documentation for the past couple hours after hearing it recommended by a glorious fluffy from one of the podcast series over at LTB.
At this moment, this project seems promising.
Think imma buy some sias in the following days, compile and install some point in the week and see if it lives up to the hype.
Any of you out there using with success?

Here's a brief explainer taken from https://sia.tech:
"The idea of Sia was originally conceived at HackMIT 2013. What if you could liberate the unused storage space of the world and unite it into a worldwide free market for data?

Sia leverages the capacity of blockchain technology to enable distributed networks to reach consensus in a secure and trustless way. Cryptographically secured smart contracts ensure the encryption and transfer of data with no possibility for a third party to interfere in any way.

Sia is a new approach to cloud storage platforms. Instead of all datacenters being owned and operated by a single company, Sia opens the floodgates and allows anyone to make money by renting out their hard drive. Data integrity is protected using redundancy and cryptography.

The promise of Sia is a decentralized network of datacenters that, taken together, comprise the world's fastest, cheapest, and most secure cloud storage platform. Today, being a major cloud storage player requires having datacenters, building trust within the market, reaching customers, and competing with giants such as Amazon, Google, and Microsoft.

Breaking into this market is a multi-billion dollar endeavor. The long term goal of Sia is to be the backbone storage layer of the Internet.

We believe data should be free. We aim to liberate the unused bits of the world and construct the largest storage superserver on the planet."


Well I see a lot of buzzwords but I still don't get how it is "revolutionary". What makes it a better option over Google?


1 day of syncing later, almost done
let's see if I can make some moneys mining these

File: 1491410211133.png (13.13 KB, 300x46, Screenshot from 2017-04-05 12-36-24.png)

No.5057 [Reply]

From /news

>HTTP2 Support Enabled. — by Appleman1234 at 2017-03-24 09:36:35

>HTTP2 Support Enabled.
>This required various other updates (PHP-5 to PHP-7, OpenSSL) and a short down time. If you have any issues please contact using IRC, Mumble or /q/.

What exactly is HTTP2? Is this a new standard with security and encryption in mind? I'll of course refer to Wikipedia in a moment, but would anybody first care to explain to me what this is?


Inform yourself with this: http://httpwg.org/specs/rfc7540.html


With all considered, this should be asked in the Simple Security Questions thread.

Do that if the current reply is insufficient. Also, do remember to discuss deletions and whatnot in /q/ and not the thread they occurred in.

File: 1491439400455.png (125.08 KB, 300x300, virtualbox-vdi-512px.png)

No.5071 [Reply]

I'm not sure if I am posting in the right board, but it didn't feel quite right posting in /lam/, /sci/, or /tech/.

My objective is clear enough; I want to use a live Linux CD or flash drive to boot a computer and virtualize the computer's hard drive into a single .vdi file that VirtualBox can boot. How can this be done?

I have already seen this-
-but this is not exactly what I want though. I do not want to take a raw image and then convert it to a bootable .vdi. I want to directly convert the hard drive straight to a .vdi in one step.

Granted, it's easy enough to just image the hard drive, but again, I want to make a .vdi virtual hard drive from a physical hard drive. I'm not against paid software that does this (I think VMware does, not sure) but I want to use GNU and freeware first if any exists that does what I want.


I think the correct board for this question is the >>>/tech/.


Moved to >>>/tech/36206.

File: 1491513379007.png (37.43 KB, 300x169, maxresdefault.jpg)

No.5077 [Reply]

There was a huge hack from a large number of youtubers about a week ago, including h3h3, leafyishere, idubbz, tons of gamer channels and hundreds more.

Do you know anything about these guys?

the only info i got was of their site and Wikipedia


Weren't the original "hacks" proven to come from other data leaks? If I remember correctly it turned out that the passwords were already leaked and the accounts were either linked or shared the password. Not much hacking there.


From what I gathered they didn't hack into the accounts themselves, but rather the YouTube network Omnia Media

File: 1491527427636.png (26.39 KB, 249x300, wantedposter.jpg)

No.5080 [Reply]

2600 Hacker magazine has released a bounty for Donald Trump's tax return and is offering a $10,000 USD reward for the publication to their site


What are your opinions lainon?


Moved to >>>/r/29965.

File: 1492338753150.png (42.64 KB, 300x210, laughing_man_scroll_by_nihonfreakmb-d3f66vp.jpg)

No.6 [Reply]



File: 1492939464537-0.png (12.68 MB, 200x200, Gray%20Hat%20Hacking,%203rd%20Edition.pdf)


i greatly appreciate it

File: 1492470909526.png (7.36 KB, 192x192, Silence.png)

No.72 [Reply]

When people talk about secure ways to communicate from a smartphone, Signal is always the go-to choice. Except there are a few things that I personally think are annoying with this app, like the fact it uses the internet connection and makes your texts go through a SPOF (even though the transition makes sense, see their blog about it: https://whispersystems.org/blog/goodbye-encrypted-sms ).
So how to secure SMS/MMS traffic? Since last year I've been using a fork of TextSecure 2.6.4, called Silence: https://silence.im
As explained in the first link I've put, both apps have their own pros and cons :
Pros :
>No google services dependencies
>Can be your default SMS app
Cons :
>No iOS support (there's just no API to rely on).
>Except the length of the text, you cannot obfuscate the metadata
>Encrypted texts spotted from miles ( https://github.com/SilenceIM/Silence/issues/480 )
>No calls, no video.

So, what's your personal opinion ? What do you use to keep you secure ?
>inb4 use Antox you pleb
pls no


Wait are you just looking to encrypt SMS? The guys who made Signal made TextSecure beforehand, just use that.


WOW reading comprehension, I literally just saw you mentioning TextSecure in your main post. Disregard.