
lainchan archive - /sec/ - 2679



This is the simple security questions thread. The intent is that a simple question without a suitable thread already existing can be asked here and someone will probably try to answer or discuss it at suitable length.

If you have an in-depth question that can start a long discussion, a new thread may be more appropriate.

Remember to do some research before asking your question. Few will want to answer a question that a simple search or some insight can resolve easily.


I got a mac mini but don't have the root password
how do I get the password?
I wanna install linux on it anyways, but I do think I'll need to do some things I won't be able to as an unprivileged user


depends what version it is but there used to be a really easy way to get root on a mac through recovery mode


mavericks 10.9.5, I think it might work.


If you're going to go linux anyway then just blow away the current OS when you install linux and forget about the current root password.


How can I make my backdoor be persistent when my IP isn't static? The reverse shell on the penetrated system usually contains my IP so that it can connect back to me.


Three solutions I could think of off the top of my head, so take it with a huge grain of salt... because... they're not great.

get a domain, point said domain to your new IP, make your backdoor resolve the address periodically. (Generates a lot of traffic, I know, so it's not a good option)

Don't use a reverse shell, maybe a bind shell with a user/pass feature. This isn't as great as a reverse shell. At all, but really, if your IP isn't static, maybe rent a CC server?

you -> CC server <- owned box

I mean, depending what you have access to, and what your IR/Blue Team discovery time "threat assessment" looks like, you may or may not care about traffic or visibility. Idk.

DNS requests to shady domains are flagged pretty easily and domains and CC servers leave a money trail.

Bind shells are... well, they're bind shells.

Lurking to see what other lainons suggest. I'm curious.
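The point above that periodic re-resolution of a "shady" dynamic-DNS name is easy to flag, shown from the defender's side as an added example (not code from the thread): the DNS log lines are constructed, the name uses the reserved .invalid TLD, and the detector flags any (client, name) pair whose inter-query gaps are nearly constant.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed DNS query log (not from the thread): "<ISO timestamp> <client> <qname>".
# 10.0.0.5 re-resolves a dynamic-DNS name about every 300 s; its other lookups are irregular.
SAMPLE_DNS_LOG = """\
2016-11-30T21:00:00 10.0.0.5 beacon-test.dyndns.invalid
2016-11-30T21:00:10 10.0.0.5 www.example.com
2016-11-30T21:00:12 10.0.0.5 cdn.example.net
2016-11-30T21:05:01 10.0.0.5 beacon-test.dyndns.invalid
2016-11-30T21:07:45 10.0.0.5 www.example.com
2016-11-30T21:09:59 10.0.0.5 beacon-test.dyndns.invalid
2016-11-30T21:15:00 10.0.0.5 beacon-test.dyndns.invalid
2016-11-30T21:20:02 10.0.0.5 beacon-test.dyndns.invalid
2016-11-30T21:30:02 10.0.0.5 www.example.com
2016-11-30T21:31:00 10.0.0.7 www.example.com
"""


def parse_dns_log(text):
    """Turn the constructed log format into (timestamp, client, qname) tuples."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname = line.split()
        rows.append((datetime.fromisoformat(ts), client, qname.lower().rstrip(".")))
    return rows


def find_periodic_lookups(rows, min_queries=4, max_cv=0.1):
    """Flag (client, qname) pairs whose inter-query gaps are nearly constant.

    max_cv is the allowed coefficient of variation (stdev / mean) of the gaps;
    a backdoor re-resolving its C2 name on a fixed timer sits near 0, while
    human browsing of the same name is irregular. Real beacons often add
    jitter, so tune max_cv (or bucket the gaps) against your own baseline.
    """
    times = defaultdict(list)
    for ts, client, qname in rows:
        times[(client, qname)].append(ts)
    findings = []
    for (client, qname), stamps in times.items():
        if len(stamps) < min_queries:
            continue
        stamps.sort()
        gaps = [(later - earlier).total_seconds()
                for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            findings.append({"client": client, "qname": qname,
                             "queries": len(stamps),
                             "period_s": round(avg, 1), "cv": round(cv, 3)})
    return findings


def scan(text):
    return find_periodic_lookups(parse_dns_log(text))


if __name__ == "__main__":
    for hit in scan(SAMPLE_DNS_LOG):
        print(f"{hit['client']} resolves {hit['qname']} every ~{hit['period_s']}s "
              f"({hit['queries']} queries, cv={hit['cv']})")
```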


Sounds like you'd benefit from a Dynamic DNS solution like DuckDNS (free)


When I stick a bootable USB in it just ignores it, and that's the only way I know to do that, so.
either way it's not actually starting now, I set it down too hard and now it doesn't output any video and gradually ramps the fan up to full speed when I turn it on. Can't try anything till I get access to the proper screwdrivers.
"Apple makes a good product"
"Well made"
"It just werks"


Apple does make good products, they just aren't good for those who prefer to tinker or upgrade their computer later on.

How old is this Mac Mini? It has to be prior to 2012 right?


2010 I think. Not a white top one.
>...does make good products, they just aren't good for those who prefer to tinker or upgrade their computer later on.
This isn't a result of me trying to get inside and upgrade something, it's just stopped working from being slightly jostled.


I doubt it was just slightly jostled; either you were rough with it or the previous owner was. Based on my experiences with Apple, it does take a bit to break them (iPhones excluded). Sure, they aren't Nintendo levels of abuse-taking, but I think it should be able to survive some random person laying it down, unless you were expecting Apple to make a computer on the level of something like a ThinkPad and you treated that Mac Mini as such...


The advice in the "living cleanly anonymous" was "DON'T HAVE PHONE. SEE NO PHONE, HEAR NO PHONE, HAVE NO PHONE."

Believe me, I'd absolutely love to do this. But it just doesn't seem feasible in modern hyper-connected society. People want to be able to contact me. What do I do?

Also, I have a university email account, and the university service uses Gmail, and I'm not supposed to give private email addresses to my professors. How do I access that account while keeping my hands clean? I realize that the messages I send and receive are going to be stored and monitored no matter what, but is there a way to keep any other personal details from leaking through?


>I have a university email account...

Use a secure OS in a VM, and only access the email through it.


I found a host on my network and I don't know what it is. I scanned it once with nmap and got this output:
user@localhost:~$ nmap -Pn -F

Starting Nmap 6.47 ( http://nmap.org ) at 2016-11-30 21:42 CST
Nmap scan report for
Host is up (0.0051s latency).
Not shown: 89 closed ports
7/tcp filtered echo
106/tcp filtered pop3pw
119/tcp filtered nntp
548/tcp filtered afp
1755/tcp filtered wms
2000/tcp filtered cisco-sccp
5357/tcp filtered wsdapi
5432/tcp filtered postgresql
6646/tcp filtered unknown
7070/tcp filtered realserver
49154/tcp filtered unknown

Nmap done: 1 IP address (1 host up) scanned in 13.09 seconds
I then scanned it again, and got nothing back. The only other time I can think of one of my devices using was a month ago with my laptop. Am I being a paranoid freak or is something actually serious going on?


I also have these ufw logs.
Nov 30 21:23:28 localhost kernel: [10956.371355] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:c0:1a:da:5a:94:3b:08:00 SRC= DST= LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=8935 PROTO=2
Nov 30 21:24:12 localhost kernel: [11000.242721] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:c0:1a:da:5a:94:3b:08:00 SRC= DST= LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=28016 PROTO=2
Nov 30 21:43:06 llocalhost kernel: [12135.178107] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:c0:1a:da:5a:94:3b:08:00 SRC= DST= LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=53979 PROTO=2
Nov 30 21:45:47 localhost kernel: [12296.316242] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:c0:1a:da:5a:94:3b:08:00 SRC= DST= LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=19022 PROTO=2
Nov 30 21:48:35 localhost kernel: [12464.014846] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:c0:1a:da:5a:94:3b:08:00 SRC= DST= LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=20141 PROTO=2
Nov 30 21:49:09 localhost kernel: [12498.045893] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:c0:1a:da:5a:94:3b:08:00 SRC= DST= LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=38051 PROTO=2
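An added triage script for the [UFW BLOCK] lines above (not the poster's code): the sample lines are constructed to match their shape, with documentation addresses and a made-up source MAC; only the multicast destination MAC 01:00:5e:00:00:fb is taken from the log. It decodes that MAC back to its IPv4 group (RFC 1112 maps the low 23 bits of a 224.0.0.0/4 address into 01:00:5e), names PROTO=2 as IGMP, and separates link-local multicast chatter from blocked unicast traffic.

```python
import re
from ipaddress import IPv4Address

# Constructed lines modelled on the [UFW BLOCK] entries above. SRC/DST are
# documentation addresses and the source MAC is a made-up locally administered
# one; the multicast destination MAC 01:00:5e:00:00:fb is the one from the log.
SAMPLE_UFW_LOG = """\
Nov 30 21:23:28 localhost kernel: [10956.371355] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:02:00:00:00:00:01:08:00 SRC=192.0.2.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=8935 PROTO=2
Nov 30 21:24:12 localhost kernel: [11000.242721] [UFW BLOCK] IN=wlan0 OUT= MAC=01:00:5e:00:00:fb:02:00:00:00:00:01:08:00 SRC=192.0.2.10 DST=224.0.0.251 LEN=32 TOS=0x00 PREC=0x00 TTL=1 ID=28016 PROTO=2
Nov 30 21:30:00 localhost kernel: [11400.000000] [UFW BLOCK] IN=wlan0 OUT= MAC=02:00:00:00:00:01:02:00:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=1 PROTO=TCP SPT=40000 DPT=5432
"""

# IANA protocol numbers; netfilter spells out TCP/UDP/ICMP but logs others numerically.
IP_PROTO_NAMES = {1: "ICMP", 2: "IGMP", 6: "TCP", 17: "UDP", 47: "GRE", 50: "ESP"}
FIELD_RE = re.compile(r"\b([A-Z]+)=(\S*)")
MDNS_GROUP = IPv4Address("224.0.0.251")


def parse_ufw_block(line):
    """Return the KEY=value fields of one [UFW BLOCK] line, or None for other lines."""
    marker = "[UFW BLOCK]"
    if marker not in line:
        return None
    fields = dict(FIELD_RE.findall(line.split(marker, 1)[1]))
    fields["_ts"] = line[:15]          # syslog timestamp, e.g. "Nov 30 21:23:28"
    return fields


def ipv4_group_from_mac(dst_mac):
    """Map an IPv4 multicast MAC (01:00:5e + low 23 bits of the group) back to the
    canonical 224.x.x.x group address; None if it is not such a MAC."""
    try:
        octets = [int(x, 16) for x in dst_mac.split(":")]
    except ValueError:
        return None
    if len(octets) != 6 or octets[:3] != [0x01, 0x00, 0x5E] or octets[3] & 0x80:
        return None
    low23 = (octets[3] << 16) | (octets[4] << 8) | octets[5]
    return IPv4Address((224 << 24) | low23)


def classify(fields):
    """Label one parsed line: routine link-local multicast, other multicast, or unicast."""
    proto = fields.get("PROTO", "")
    proto_name = IP_PROTO_NAMES.get(int(proto), proto) if proto.isdigit() else proto
    mac = fields.get("MAC", "")
    dst_mac = mac[:17]                  # netfilter logs dst MAC : src MAC : ethertype
    group = ipv4_group_from_mac(dst_mac) if len(mac) >= 17 else None
    result = {"ts": fields.get("_ts", ""), "proto": proto_name,
              "src": fields.get("SRC", ""), "dst": fields.get("DST", "")}
    if group is None:
        port = fields.get("DPT")
        result["kind"] = "unicast-blocked"
        result["note"] = f"{proto_name} from {result['src']}" + (f" to port {port}" if port else "")
        return result
    # The low 23 bits of the logged DST must match the MAC, or the frame is inconsistent.
    dst = result["dst"]
    agrees = (not dst) or (int(IPv4Address(dst)) & 0x7FFFFF) == (int(group) & 0x7FFFFF)
    if proto_name == "IGMP" and fields.get("TTL") == "1" and agrees:
        result["kind"] = "link-local-multicast"
        result["note"] = f"IGMP membership traffic for group {group}"
        if group == MDNS_GROUP:
            result["note"] += " (mDNS: routine LAN discovery chatter, not a scan)"
        return result
    result["kind"] = "multicast-other"
    result["note"] = f"{proto_name} to {group}, TTL={fields.get('TTL')}, dst/mac agree={agrees}"
    return result


def triage(log_text):
    return [classify(f) for f in map(parse_ufw_block, log_text.splitlines()) if f]


if __name__ == "__main__":
    for r in triage(SAMPLE_UFW_LOG):
        print(r["ts"], r["kind"], "-", r["note"])
```

For the thread's lines (TTL=1, PROTO=2, destination MAC 01:00:5e:00:00:fb) the verdict is link-local IGMP for the mDNS group, which is ordinary LAN discovery traffic; the filtered ports in the nmap output are a separate question.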



but wsdapi and cisco-sccp don't make sense together.....


Just get a small ThinkPad X60S. You can do everything you could with a phone on it plus more and they're incredibly compact.


Can it receive phone calls?



How are you going to access that when you're out, though? Public spyfi? If that really is what you're implying, what about dead zones? I'm not talking about contacting people here; I'm talking about people contacting you.


>People want to be able to contact me. What do I do?
Even a landline is a massive improvement over the tracking devices that are cell phones.

>but is there a way to keep any other personal details from leaking through?

Avoid sending emails with those details (though that might not be possible). Also, use an email client instead of their website.


Is systemd a security concern or just a big issue among sysadmins? My Debian Jessie 8.6 is running it; I am a noob and want to disable it.



Maybe you can replace it, but I can't test it as I'm on another distro.


>Its systemd a security concern or just a big issue among sysadmins?

Check out: https://wiki.debian.org/Debate/initsystem/systemd (why Debian adopted systemd in the first place),
and: http://without-systemd.org/wiki/index.php/Main_Page (a wiki with information about how and why to get rid of systemd)

tl;dr - I haven't heard of any successful systemd exploits to date, but it wouldn't hurt your security to use any of the modern alternatives.



So AMD and Intel run secret micro code, and via that we can all be pwned by the NSA... is the micro code encrypted? and is that the thing that stops "us" all reading it and removing/negating it?

If its encrypted, given the reward/end goal, could "we" collectively start computing the brute for this micro code? (I think the amount of CPU power gone into bit coin is currently enough to be busting lower/mid level encryption) and maybe they just used qwerty as the PW :)

How would one find the micro code, where is it stored? how is it accessed?


most of the computing power in the bitcoin network is not CPU, it's ASICs which can't be reprogrammed to crack encryption.


>and via that we can all be pwned by the NSA
That's debatable. Microcode is running at a very low level so they would be incredibly limited in what they could accomplish, if they could accomplish anything at all.


Is it not a way for them to escalate access from there outwards through the system?

If not, why have it?


I doubt that it is encrypted, but even if it is then the real problem is that it is shipped to the users as pre-compiled binary blobs, and machine code is not easy to just read and reverse engineer.

It's not likely that they'd use this to store some large persistent RATs, but that they would engineer in flaws that would allow them to reliably perform RCE and privilege escalation.

Also see Intel ME, it's sitting on your die and has access to pretty much everything. Iirc in certain versions it even has its own MAC for your NIC and can talk out or be a side channel that anyone with the keys can gain access through.


>Also see intel ME,
The Intel ME and AMD's PSP aren't like the microcode though. Both of those are separate dedicated processors (the AMD PSP being an ARM cortex A5).


Can I run umatrix on Firefox Mobile? I don't have an Android phone around and FF simply does not start in a VM.


You could probably get it to run with some rejiggering, but it wouldn't work. Better to use AFWall or something else from F-Droid.


I guess I wasn't clear, I mean that is where such tools would be held, and is a bigger problem than just the microcode.


I've been wanting to accurately assess my own security and separate actual threats from paranoia, so I figured it'd be a good idea to create a threat model. However I can't find much on individual/civilian threat modelling, mostly just threat modelling for businesses, which seems a little too comprehensive.

Has anyone here made their own threat model? If so, could you share your experience and perhaps resources you used?

I feel bad asking to be spoonfed like this so here are some resources I've looked at so far:


That's a good start, SSD is comprehensive. Another one I've found is https://blog.yourultimatesecurity.guide

If you're starting from scratch take notes on your use of tech/opsec as you are now. What kind of information are you willfully giving up through communications with third parties? Once you have a list you can determine if you want to change any of that and how.


>Both of those are separate dedicated processors
As in; on the same die as the main CPU, or as in; we can unsolder that cunt?


Further to this - as I expect it's part of the main CPU chip... Could you dissolve the case in acetone, then high power UV laser the area of the CPU required to disable the "daughter processor" if you can identify and locate it with a microscope, that is... which you may just be able to? maybe... shoot me down !

Ok sounds a bit hard core but as long as locating and identifying is possible the rest is a piece of piss, to the point I would start zapping chips for my mates!


I'm not certain if I'd go and zap a nice i7, but I would be willing to remove the OS it runs from my rom.



[Attached images: CNRMRM-die.jpg, die-comparison.jpg, Westmere4.jpg]

fuarrrk my lame fragmented posting... Should have attached these images!



Oh! very nice... So libreboot is not just BIOS but micro code kill too! wow cool, would that make it 100% freedom? *100%*


How does one get a password hash from a .zip, .7z, .rar and other files? I know what to do with them but how do you get the actual hash you are supposed to attack?


Why is it considered a plus for a server to run open source software? Couldn't the owners still change it however they want without anyone knowing?


1. open source != free/libre
2. having the source code available allows people to pore over it and be able to find bugs, flaws and vulnerabilities, along with finding telemetry additions to the software, reducing the amount of bullsoykaf added to servers that should be using their computing power and bandwidth for their appropriate tasks instead of sending data back to the developer.
tl;dr: using FOSS on your server minimizes the amount of bullsoykaf that could be packaged into your software. better for the server and you.


That makes sense as to why I would favor it, but is there any reason one could trust an unknown server more, for claiming it runs open source software?

In other words, is apparently using FOSS a plus for trustworthiness?


what are the risks of running a tor exit node?
should I not bother if I'm just a noob who happens to have a spare computer?


Sometimes law enforcement can be lazy when tracking IP addresses, so there can be legal trouble if you get unlucky.
Even in the rare cases like the article people don't get fuarrrked over too hard for it, but if you're afraid of cops or something it's a bad idea.


IP over Twitter/ Telegram/ IRC/ Pastebin/
That's organic.


some retards have been mocking and doxxing a couple of friends of mine in another chan
what am I supposed to do? track them? give them a piece of my mind? find someone that can teach them a lesson?
I wanna help my friends, and they don't know what to do anymore
neither do I
each time they post they reveal more and more info about them, I'm clueless about this whole thing, and we want them to stop
now what? admins, mods and jannies don't seem to give a fuarrrk about the issue
I even mailed them, and got no response


The root user is disabled by default. Usually you use sudo with your normal user's password to do stuff as root.

If you don't know the password of that user, boot in recovery mode (cmd+r) or from install media and run resetpassword from the terminal.

If the drive is encrypted, you can't do anything.


How to create an account on facebook or gmail with tor? I've tried many methods but they're asking for phone and/or ID verification


How do you fuarrrk people over if they post Anon? (can people reverse find info about posters on here? - can you tell my IP?)
They should be using a VM and a VPN hence no real info leak...

Other than that bait n troll em hard...



>asking for phone and/or ID verification

Never even been to facebook - only seen it on other people's accounts/pcs... but, what do they require? can you just send them a copy of a false driving license or false phone number - fuarrrk it give em a pager n.o. ?

Be careful because in 5-10 yrs time they will probably kill and jail (just to make sure) people who give false info!

So if you create via Tor then you probably should do it with Tails and ONLY EVER access that FB account with Tails so as to never connect it back to any real HW/connection you own (even if you are logging in via another anons wifi - even if from Internet cafe PC, as they will then have you at a known time and place - and can just check cctv from there...).

But i dunno maybe I have too much tin foil... or maybe you can never have too much tinfoil? - But I guess if you want a Tor FB account you want it proper fuarrrkin anon!



Don't use Tor, or use it in combination with a VPN/SOCKS etc where you can choose the location with an IP which isn't blacklisted or identified as a Tor node. Choose a location where phone verification isn't necessarily as expected, Africa, South America, and register as such.

Alternately, Google Voice, but you'll have to jump through quite a few hoops if you want an anonymous google account as well.

Lastly, buying using Bitcoin credits for an online SMS service.


Is there any reason at all to relearn math for security purposes?

I don't see where it might come up, unless you're straight up studying cryptography. In which case, I believe you already need to be a math god just to get started.


Facebook obviously don't care about users' privacy but I don't think that they have tools to track somebody with basic protection without time and funds. I think I'll make a free amazon vps with fake info and set openvpn on it to protect my ip.


So, my less than technology-literate roommate did some stupid soykaf that's probably going to get my ISP subpoenaed.

How do most ISPs handle this sort of thing? I use Tor the majority of the time...

But the thing is though, I tend to use my phone to look at some.. things.. over the clearnet

Is my ISP just going to blindly hand over everything, or are they only going to give the "system" the relevant information?

I looked into it, and EFF doesn't say much about how data-handling is done, but focuses more on how to address being subpoenaed.


Forgot to add that I'm in the United States.


Posted on /sec/ but was told to post here.
I finally decided to get rid of facebook.
The thing is, as a person who keeps backups of everything, I'm struggling to save my chats. It's over 500k messages and the facebook security copy won't help. Is there any kind of script that lets me automate the process or what can I do?


Sadly, the best thing you can *probably* do in this situation, is either:

2) Delete it

Facebook does everything it can to prevent scraping. Maybe you could automate the scrolling and copying with something like AutoIT

If you don't mind, why save all those messages? You've got me curious.


Facebook has protections in place to defend against automation at the user interface and API levels.

I want to say you may be able to make a legal request for this information, but that depends on where you live and I'm also inclined to believe this wouldn't work.

Whatever you do, it's bound to be very fragile and probably require some form of human monitoring.


Thanks to you both for your answers.
I think I'm just going to save the most important ones and move on.

>If you don't mind, why save all those messages? You've got me curious.

I try to keep every single register of me saved, conversations included. That said, there are chats that are important for me and I think I would love to see them in the future.



I'm trying to set up apparmor for some applications and I noticed that some of them try to access a soykafton of stuff in /sys/ (pic related, it's my current qbittorrent profile).
While I have an idea of what /sys/ is, I don't really understand the use and implication of all of those paths (for example, why qbittorrent would be interested in my pc audio card and speaker or details about the vga?).
Any tips? Where can I learn more?


Any suggestions on what else i should make my ps3 run. I currently have it running dhcp and dns.



How easy/effective is it to bruteforce wp xmlrpc?


>why qbittorrent would be interested in my pc audio card and speaker or details about the vga?
Full disclosure, I don't use qbittorrent, but would presume it requires access to the audio card for sound notifications and VGA for any potential external monitors.
As most apparmor profiles are shared and written by someone else for sometimes/not always their own explicit use case, you should take that into account when wondering why certain directories have RO access.
If you want to learn more read through the man pages and then go to https://wiki.archlinux.org/index.php/AppArmor and dissect some of the publicly available profiles, https://github.com/search?o=desc&q=apparmor&s=stars&type=Repositories, https://launchpad.net/+search?field.text=apparmor+profiles&x=0&y=0, http://wiki.apparmor.net/index.php/Profiles


qBittorrent has a preview function (you can watch/listen to some parts of partially downloaded files, etc.) for torrents, so it needs access to audio and video cards to use said function. Not allowing it access to said cards wouldn't break the functionality.


>But the thing is though, I tend to use my phone to look at some.. things.. over the clearnet

ok. if you do something dumb like look at darknet listings on reddit on your phone, you might get raided. to my knowledge an ISP can be subpoenaed for either time specific customer-specific data (eg logs between x and y) or broad customer-specific data (eg all logs relating to this customer).

stay safe.


I know how to write apparmor profiles (I did write the profile in pic myself). I was worried about the security implication of just letting a software read everything in /sys/. It's a pain to "fine tune" the access rules like I did in that profile especially since I don't always understand the use and role of every virtual file in it.

And it uses an internal viewer/player for that? Sounds a bit bloated and dangerous


Is it bad for privacy to use an HTTPS version of a site when a .onion version of it is available? I just feel that the .onion version runs miles slower.


possibly, according to this article you could be subject to ssl stripping attacks from malicious exit nodes:


>since I don't always understand the use and role of every virtual file in it.
to get a better understanding of what files your program requires, you should strace the process and interact with qbittorrent as normal.

for any error indications/reasons keep tabs on the kernel ring buffer.


What are some good places (cafes/restaurants are the 2 I've found) for actual anonymity? Personally I'm looking for a place to set up an old laptop with TAILS, but this goes for anything. Obvious concerns would be having to use an email to authenticate, but are there other places you should avoid?


any place with javascript needed to authenticate/log into the wifi would be a big no-no.


What is the best gnu/linux distribution + set-up for security and anonymity, but also has basic desktop features so I can still do any / all other jobs I'd normally do on any other computer.


That would be Fedora


how so?
What makes fedora more secure than alternatives?
For reference, I am currently using sabayon gnome.



Tails, probably, but all traffic is routed to Tor and the fact they don't use a grsec-patched kernel bugs me.
Another solution could be Qubes os:
Long story short, it uses xen to isolate various application into different VMs depending on their use.


any place with cameras


gentoo since you can craft it to your needs along with the hardened kernel


Not him and not too knowledgeable, but I hear SELinux is very good, but hard to set up, and Fedora comes with a good configuration of it by default.



Pretty easy, there's a few POCs on github if you google it. It also lets you try multiple credential pairs per HTTP request, which is an awesome amplification factor. If you're trying to own a WP instance the best place to start would be wp-scan.


Have you tried downloading your information? messages are supposedly included in this.



I was messing around with scapy, a very interesting packet manipulation tool written in Python which offers its own interactive shell. Unfortunately it requires root permission to actually send packets.
Generally the best practice is to run as root the least amount of code possible, but here I would be running an entire, internet-facing, interactive Python shell. Isn't that particularly dangerous compared to other tools which don't require running an entire interpreter as root for long periods?
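The least-privilege alternative to a root interpreter, as an added example (not from the thread): Linux file capabilities let a dedicated copy of the interpreter get CAP_NET_RAW (and CAP_NET_ADMIN where needed) while the process stays an ordinary uid. This checker reads the effective capability mask from /proc/self/status and says which situation it is in; the interpreter path passed to suggested_setcap is an assumed placeholder, and the setcap syntax it prints is the standard libcap one.

```python
import os

# Capability bit numbers from <linux/capability.h>.
CAP_NET_ADMIN = 12
CAP_NET_RAW = 13
CAP_NAMES = {CAP_NET_ADMIN: "cap_net_admin", CAP_NET_RAW: "cap_net_raw"}


def parse_cap_eff(status_text):
    """Extract the effective capability mask (hex) from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def has_cap(mask, cap):
    return (mask >> cap) & 1 == 1


def present_caps(mask):
    """Names of the raw-socket-relevant capabilities present in the mask."""
    return [name for bit, name in CAP_NAMES.items() if has_cap(mask, bit)]


def assess(mask, euid):
    """Verdict on launching a raw-socket tool (scapy-style) under this mask/uid.

    The ordering matters: uid 0 is full root regardless of the mask, so even
    a mask that looks narrow does not make a root shell safe.
    """
    if euid == 0:
        return ("full-root",
                "the whole interpreter runs as uid 0; any parser or plugin bug is a root compromise")
    if has_cap(mask, CAP_NET_RAW):
        return ("least-privilege",
                "raw sockets allowed via file capability; uid stays unprivileged")
    return ("insufficient",
            "no CAP_NET_RAW: give it to a dedicated interpreter copy with setcap, not to the system python")


def suggested_setcap(interpreter_path, want_admin=False):
    """Build the setcap command that grants only what the tool needs to a dedicated
    interpreter copy (placeholder path; file capabilities bind to that file alone)."""
    caps = "cap_net_raw" + (",cap_net_admin" if want_admin else "")
    return ["setcap", f"{caps}=eip", interpreter_path]


def current_mask():
    with open("/proc/self/status") as fh:
        return parse_cap_eff(fh.read())


if __name__ == "__main__":
    mask = current_mask()
    verdict, why = assess(mask, os.geteuid())
    print(verdict, "-", why, "- present:", present_caps(mask) or "none")
    if verdict == "insufficient":
        print(" ".join(suggested_setcap("/opt/scapy-env/bin/python3")))  # placeholder path
```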



I'm interested in getting a backup browser for my Linux box. I've stayed the fuarrrk away from Google Chrome, but the flash support is tempting -- is Chromium clean? I've tried to get SRWare Iron up and running, but I can't hack it.


>is Chromium clean?
more or less: it likes to "call home" (i.e. google) since apparently it's tied to some google services, look at this project for more information:

It also happened to suffer from some interesting bug which caused the automatic download of some google proprietary voice recognition blob:

Anyway why are you so interested in flash support? In the last years we have finally observed a widespread effort to finally put it to sleep and google itself is planning to disable it by default on google chrome.


Because extracting pepper flash from chrome and getting it to run on firefox is far from foolproof.


Why do you need flash? If you need flash to watch youtube or twitch you can use mpv instead.


or just let it default to the html5 player


I found out that "1B 29 30 1A 0E" in ascii blows up some terminal sessions.

Just why?


Most terminals are controlled by in-band signalling. I could point you to any number of resources, but I'll start you out by telling you to read ECMA-48. I'm currently using this to implement a curses-like library without needing to link to curses.

This is why vomiting a file to the screen with cat can, as an example, cause strange colors and effects to take over your terminal.
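The in-band signalling just described, worked through on the five bytes from the question as an added example (not the poster's library): ESC ) 0 designates the DEC Special Graphics set into G1 and SO (0x0E) invokes G1, so every following letter renders as a line-drawing glyph; SUB is an ordinary C0 control. The tokenizer follows the ECMA-48 byte classes for nF escapes and CSI sequences, and the sanitizer caret-escapes controls so untrusted data can be shown without being interpreted.

```python
# Named C0 control bytes (ECMA-48) that matter for terminal state.
C0_NAMES = {0x07: "BEL", 0x08: "BS", 0x09: "HT", 0x0A: "LF", 0x0D: "CR",
            0x0E: "SO (invoke G1 charset)", 0x0F: "SI (invoke G0 charset)",
            0x1A: "SUB", 0x1B: "ESC"}
# Final bytes of charset designations: ESC ( F selects G0, ESC ) F selects G1.
CHARSET_NAMES = {"0": "DEC Special Graphics (line drawing)", "B": "US-ASCII"}
# SI then ESC ( B brings a terminal stuck in line-drawing mode back to ASCII.
RECOVERY_SEQUENCE = b"\x0f\x1b(B"


def explain_terminal_bytes(data):
    """Tokenize bytes the way an ECMA-48 terminal parser would and describe each token."""
    out, i, n = [], 0, len(data)
    while i < n:
        b = data[i]
        if b == 0x1B and i + 1 < n:
            j = i + 1
            if data[j] == 0x5B:   # CSI: ESC [ <params 0x30-0x3F> <intermediates 0x20-0x2F> <final 0x40-0x7E>
                k = j + 1
                while k < n and 0x20 <= data[k] <= 0x3F:
                    k += 1
                if k < n and 0x40 <= data[k] <= 0x7E:
                    out.append("CSI " + data[j + 1:k + 1].decode("ascii"))
                    i = k + 1
                    continue
            else:                 # nF escape: ESC <intermediates 0x20-0x2F> <final 0x30-0x7E>
                k = j
                while k < n and 0x20 <= data[k] <= 0x2F:
                    k += 1
                if k < n and 0x30 <= data[k] <= 0x7E:
                    inter, final = data[j:k].decode("ascii"), chr(data[k])
                    desc = f"ESC {inter}{final}"
                    if inter in ("(", ")"):
                        slot = "G0" if inter == "(" else "G1"
                        desc += f" designate {slot} = {CHARSET_NAMES.get(final, 'charset ' + final)}"
                    out.append(desc)
                    i = k + 1
                    continue
        if b < 0x20 or b == 0x7F:          # lone or malformed control byte
            out.append(C0_NAMES.get(b, f"C0 0x{b:02X}"))
            i += 1
        elif b >= 0x80:                    # outside ASCII; not interpreted here
            out.append(f"non-ASCII 0x{b:02X}")
            i += 1
        else:                              # run of printable text
            k = i
            while k < n and 0x20 <= data[k] < 0x7F:
                k += 1
            out.append("text " + repr(data[i:k].decode("ascii")))
            i = k
    return out


def sanitize_for_terminal(data):
    """Caret-escape C0 controls, DEL and C1 controls so nothing is interpreted
    in-band; tabs and newlines are kept since they only move the cursor."""
    out = []
    for ch in data.decode("utf-8", "replace"):
        cp = ord(ch)
        if ch in "\t\n":
            out.append(ch)
        elif cp < 0x20:
            out.append("^" + chr(cp + 0x40))
        elif cp == 0x7F:
            out.append("^?")
        elif 0x80 <= cp <= 0x9F:           # 8-bit C1 controls, e.g. single-byte CSI
            out.append(f"\\x{cp:02X}")
        else:
            out.append(ch)
    return "".join(out)


if __name__ == "__main__":
    sample = bytes.fromhex("1B29301A0E")   # the sequence from the question
    for token in explain_terminal_bytes(sample):
        print(token)
    print("safe to echo:", sanitize_for_terminal(sample))
```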


Been a linux user for a long time now, but was required to work with winblows for work reasons. What are some security basics and software I should install/put into practice? thanks in advance lainanons


In no way am I covering all the bases as the process is never ending, but a list I swear by:
Switch over to LTSB, make use of device guard, UAC, RBAC, ACL, multifactor auth, enable EMET for part 0day mitigation, DEP for all apps, sandboxie all the PEs, disable macros, if you're gonna VNC, tunnel through SSH.



Use the -O flag to try and fingerprint it.


I am not sure if this warrants its own thread, tell me if it does. I want confirmation if my setup is lacking or not.

I want to anonymize myself and look as inconspicuous as possible to everybody I interact with online, essentially look to any service I use like a normal user. Now I've read up on it (mostly on sites discussing online fraud, since they need to appear like other people, but they don't really go into OPSEC too much and most have horrible OPSEC) and have found out this so far:

0. Only use this system for anonymous activities.
1. Use a linux host OS, preferably something hardened like hardened Gentoo.
2. Connect to the internet not on your home connection or a connection that can be traced back to you. Ideally crack a WiFi that is far enough away from your home to not make you traceable if found out.
3. Run all traffic through a VPN that does not keep logs.
4. On top of this use Whonix and only connect to Tor through it.
5. Spoof all the data you can like User Agent and HTML5 canvas and disable any settings that might lead to DNS leaks, preferably make them as inconspicuous and boring as possible (such as running Chrome in Windows 7).
6. Connect to either an RDP or a SOCKS5 proxy.
7. Right online behavior, don't give away links to your real identity and all that, basic Tor usage guidelines.

Is this basically it? Or am I overlooking important steps?



Are you looking to be inconspicuous all the time or are you looking to create an alternate persona? How you use those services can also reveal who you are if you use multiple identities. That is, if you login to your IRL login alongside your "bland" profile, at some point the connection can be made. This is assuming the "government take all" view on surveillance.

In regards to tor, use a bridge or some sort of tunnel to make the first jump into the tor node. Harvard bomb threat guy was defeated due to the simple correlation they did with the University's network traffic.

Depending on what you're doing with your identities and how stringent you want to be, consider a wrist-tied USB dead man's switch. That is, write a script that checks for the presence of a USB fob. Tie it to your wrist and should you get ripped away from your computer, the script should execute an unmount and shutdown procedure. Preferably used in conjunction with encrypted volumes.

If you want to get exceedingly paranoid, reboot the computer into a memtest type of partition should you initiate to avoid a cold-boot attack.

Physical security is important too. Rotate MAC addresses upon connecting to disparate AP's. Or keep them consistent with identities.

I do have to say that with too many levels of traffic indirection you will basically suffer an unbelievably slow connection.

You can automate browsing and randomize it programmatically with phantomjs/selenium or even a key/mouse macro recording program. You can then run these scripts while you're away to throw off individuals that might be trying to correlate you IRL with online activities.

You might want to also consider stylometry. Statistically you will generate identifiable language. Given how difficult it is to create true entropy from human psychology; trying to artificially force your language to be different might not be enough.

Media you upload to the internet can be indicative of your identity as well. Screenshots uploaded to uguu for example *might* be used to trace you. As well as battlestation pics and what not.

Verify or ensure the content you receive is the content you expect. What I mean by this is how in some instances it is possible to get away with injecting arbitrary payloads when using Socks proxies and sometimes Tor. Tor does attempt to verify through automatic tooling that requested content matches with its true disposition and content. It only takes one JS payload with a cache life time of 32,000 days to permanently place it into your cache. Imagine a jquery download that automatically adds event listeners to keypress events that are sent back home via ajax?

If you're thinking of disabling javascript, it's enough of a separation from the norm that this alone can make you look unique.

I use jquery to look for jquery[version here]_min.js to be replaced with an ipfs version (that is loaded through the loopback address).

Also a distinct lack of DNS requests emanating from your machine on the local network is again separation from the norm. This is taking into account you're trying to 'look the part' rather than be completely silent.
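The USB dead man's switch suggested earlier in this post, as an added example (not the poster's script): the by-id device path, the /mnt/secret mount and the LUKS mapping name 'secret' are assumed placeholders, and the probe and the action are passed in as callables so the debounce logic runs (and can be tested) without a fob.

```python
import os
import subprocess
import time

# Hypothetical device node; on a real system use the by-id name of your own fob
# (ls -l /dev/disk/by-id/). Placeholder, not a real serial.
TOKEN_PATH = "/dev/disk/by-id/usb-EXAMPLE_FOB_SERIAL-0:0"
MISSES_BEFORE_TRIGGER = 2      # consecutive failed polls before acting (absorbs a flaky hub)
POLL_SECONDS = 0.5


def token_present(path=TOKEN_PATH):
    """True while the fob's block device node exists."""
    return os.path.exists(path)


def emergency_commands():
    """Assumed names: a data mount at /mnt/secret and a LUKS mapping called 'secret'.
    Order matters: unmount first, close the mapping (the key leaves the kernel),
    then power off so RAM contents are not recoverable."""
    return [["umount", "-l", "/mnt/secret"],
            ["cryptsetup", "close", "secret"],
            ["systemctl", "poweroff"]]


def run_emergency(dry_run=True):
    """Run the commands in order, continuing past failures; dry_run only returns them."""
    cmds = emergency_commands()
    if not dry_run:
        for cmd in cmds:
            subprocess.run(cmd, check=False)
    return cmds


def watch(probe, on_missing, misses_before_trigger=MISSES_BEFORE_TRIGGER,
          poll_seconds=POLL_SECONDS, max_polls=None):
    """Poll probe(); after N consecutive misses call on_missing() exactly once.

    Returns the number of polls made. max_polls bounds the loop (for tests or
    a one-shot check); None means watch until the trigger fires.
    """
    misses = polls = 0
    while max_polls is None or polls < max_polls:
        polls += 1
        if probe():
            misses = 0                     # a single good poll resets the debounce
        else:
            misses += 1
            if misses >= misses_before_trigger:
                on_missing()
                return polls
        if poll_seconds:
            time.sleep(poll_seconds)
    return polls


if __name__ == "__main__":
    # Dry run by default: prints what would be executed. Switch dry_run to False
    # only on the machine this is meant to protect.
    watch(token_present, lambda: print("would run:", run_emergency(dry_run=True)))
```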


Every identity I create will be only for one specific site for a limited amount of time with no identifying information attached to it.

Thanks for your post, some helpful reminders in there and the USB dead man's switch is an interesting idea that I will definitely attempt to implement in some form. Happy to see that there was no fundamental criticism about my setup.


The only fundamental criticism or clarification is the mode of obfuscation you mean. Philosophically there are somewhat two prevailing ways to go about it. Either look as germane as possible, basically assume the identity of one of the 'plebs', the other being the strategy of becoming a ghost.

Some of the tips I suggest contradict each other in either regard. For example, rotating MACs while using one identity for one site can raise "metadata" flags. Although all the intervening layers of obfuscation are meant to avoid any sort of correlation to pinpoint your origin to begin with, assuming they do, that pattern of behavior can then serve as a classifier in the future for those watching. In which case, I would say that for each identity you'll have to develop a consistent set of metadata that'll have to be reproduced for each identity for each unique connection node. So the coffee shop you frequent should have a consistent MAC attached to your logins (but barring your own actual MAC). The same holds for the user-agent and various features (like canvas metadata).

I'm of the opinion that it's hard to be consistent in this sort of approach since there's so much custom configuration tuning that has to be done per identity. Often it's easier to go for full obfuscation while relinquishing the luxury of looking like everyone else. You might stand out, but you'll sure as hell be hard to pin down.

Now that this point has been raised, a tool should be made to make consistent metadata profiles that encompass the entire OSI stack as well as the various incidentals like User-Agent, cookie handling, and whatever sorts of Web APIs frameworks can use to fingerprint you.

Luckily, with Javascript it's easy enough to override your browser's APIs with your own custom prototypes for those objects. For example, Chrome might have WebGL objects that behave a certain way. It's ostensibly possible to provide the same prototype to Mozilla APIs to appear as though you have support. You can even redefine the prototype for canvas so that it returns a static and spoofed screen size (it'll throw off any actual use of canvas elements). This could then be trivially included with a user script plugin of some sort.

(This is a good topic for a lainzine article).


Buy a burner phone with cash. Sit in a public wifi location while you set up. Throw the phone in the garbage when you're done.


>Harvard bomb threat guy was defeated due to the simple correlation they did with the University's network traffic.

That, and when they compiled the list of people whose tor traffic correlated to the threats and went to ask each of them about it, he folded like a cheap card table and immediately confessed as soon as a cop knocked on his door.


So! is there an archive for lainwiki? http://0xa484e61f/~lainwiki and what did happen to the wiki?



Yes he did. Assuming he didn't though (and another vein of events were allowed to happen), I wonder if the metadata on his computer would have alerted them to the fact. That is, showing that the tor browser bundle (exe) loaded in a narrower span of time. Or maybe research that was done into throwaway emails in the clear over the last several weeks.


My understanding of it is that looking at how much data someone was sending/receiving over tor at what times is enough to tell you who it was, once you're looking at a small group of people like Harvard students, but it's not enough to prove it in court. It's not really definitive because there's always a minuscule chance it could be coincidence, so they need something else, like a confession, before they can actually convict.



Cellphone, duh. Don't put anything sensitive on it. If you don't have one you are suspicious. If you have sensitive business, arrange a personal meeting. Oh, and leave the cell phone.

The biggest thing you can do to avoid suspicion is purposefully build a normal footprint of you. Once you have it purposefully built, you can work a system of going "off the record", that doesn't look unusual.



Track Me Not is a web browser plugin that sends off chaff data. It simply uses an RSS feed to generate search phrases from the news at random and spits them back into search engines. It's there to add noise to help deter building a profile on you.

Then install "noscript" on firefox. This allows you to selectively whitelist what pages can run dynamic content. You can keep google-analytics and doubleclick.net and other trackers blocked, while allowing content you want.

Not perfect, but it helps reduce your profile.


If I'm not necessarily a Linux noob, but not too experienced in operating a Linux system, what would be the best OS for me in terms of security? I have tried Qubes OS but it's too clunky for my taste and a hassle when it comes to drivers and other things. Hardened Gentoo feels like too big of a task for me, I've been thinking Hardened Arch (because of its huge documentation and community support), Debian or Fedora, but I'm not really smart when it comes to this. I want to do mostly secure work over a VPN on it, sometimes involving a RDP, I have another machine for the majority of my personal use. Any suggestions?


I created a file with random content, set up LUKS and a filesystem on it to be able to mount this file as a partition to some directory. Are there any pitfalls? For example, will someone be able to determine this file is a LUKS partition, e.g. looking at root filesystem logs (if ext4 is the case)? Or maybe part of its data is saved unencrypted somewhere in the /tmp directory or even on the hard drive?


Any Linux should be fine as you can adjust anything you want. Security depends on the software you use and on how you behave, so you can use the distribution you are most familiar with and almost nothing else matters.


>will someone be able to determine this file is a LUKS partition


It looks like LUKS puts some metadata into the encrypted device. So if I'm using only dm-crypt without LUKS, nothing revealing is going to happen?


By without, you mean plain mode?
No metadata is present, but the trade-offs in terms of sound crypto aren't worth it.

If you want your adversaries to not be aware of you using LUKS or VeraCrypt, create your XTS LUKS partition, format it, then wrap it with gpg, libsodium, LibreSSL or mbedTLS symmetric cipher routines.


Just grabbed the equation_drug dump off the tracker and I want to mess with it on some old hardware I have. Problem is I have no idea how to use it and I'm not sure where to look for guidance.

Any lains have advice?


Well, you have a point. Thanks, lainon.


Is there something like SSH-Keys for the web? I always wondered why we don't just use private keys to log onto websites. So for example instead of entering a password every time you'd have a browser extension that stores your private keys and sends them to the website you want to login to. Just wondering if something like that exists already (for the web).


PGP keys can be used for 2FA.
Don't see why not for SSH, even though I have yet to come across a service supporting this.
>instead of entering a password everytime
Generate a random password for each account in your password manager and just cp pasta.
>you'd have a browser extension that stores your private keys and sends them to the website you want to login to.
Centralizing all your keys to a third party extension is just asking to get fuarrrked.


What if you have a normal person computer where you create a credible profile of yourself. Then you have a Raspberry where you use the ghost strategy? And also a big box of acid just in case.

And like you said, you could program your computer to lurk websites while you are km away doing other things, so you also create an alibi just in case.

What possible problems could you have with this (without mentioning security cams and police asking you why you have a box with traces of acid)?



lel. Silly lainon, you don't send private keys to anyone. You would sign something the server sent you. For example the server sends you a randomly generated hash based on some form of temporally dependent data (or a rolling key) and you sign it. If the signature can be validated for the public key they have on file, they let you in.

The reason why they don't have this is because generally PKI or any sort of crypto is slow in the browser. OpenPGP.js and sjcl.js (Stanford's crypto library) are alright, but there are too many ways to screw up crypto.

Currently there is no crypto API that is exposed as a well enough implemented API across enough browsers to do this. Some browsers allow for sending SSL generated keys and such, but again that falls under too many proprietary implementations floating around.

SQRL was a thing for a while, but that exists as a draft proposal.
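The challenge-response login the reply above describes, written out as an added example with both sides of the exchange (not the post's own code or any real site's protocol). It uses Ed25519 from the `cryptography` package, which is assumed to be installed; the `Server` and `Client` objects, the `login:user:nonce` message format and the 60-second challenge lifetime are choices made for this example. The private key never leaves the client; the server keeps only the public key, hands out a single-use random nonce, and checks the signature over it.

```python
"""Constructed example: password-less login by signing a single-use server challenge."""
import os
import time

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import serialization
from cryptography.hazmat.primitives.asymmetric.ed25519 import (
    Ed25519PrivateKey,
    Ed25519PublicKey,
)

CHALLENGE_TTL = 60   # seconds a challenge stays valid (assumption for the example)


def login_message(username: str, nonce: bytes) -> bytes:
    """Bind the signature to both the account and this particular nonce."""
    return b"login:" + username.encode() + b":" + nonce


class Server:
    def __init__(self):
        self.users = {}      # username -> raw Ed25519 public key bytes
        self.pending = {}    # username -> (nonce, issued_at)

    def register(self, username: str, public_key: bytes):
        self.users[username] = public_key

    def challenge(self, username: str) -> bytes:
        """Issue a fresh random nonce; a new challenge replaces any older one."""
        nonce = os.urandom(32)
        self.pending[username] = (nonce, time.time())
        return nonce

    def login(self, username: str, signature: bytes, now=None) -> bool:
        now = time.time() if now is None else now
        entry = self.pending.pop(username, None)      # single use: a replay finds nothing
        pub_bytes = self.users.get(username)
        if entry is None or pub_bytes is None:
            return False
        nonce, issued = entry
        if now - issued > CHALLENGE_TTL:               # stale challenge
            return False
        try:
            Ed25519PublicKey.from_public_bytes(pub_bytes).verify(
                signature, login_message(username, nonce))
        except InvalidSignature:
            return False
        return True


class Client:
    def __init__(self):
        self.key = Ed25519PrivateKey.generate()       # stays on the client

    def public_bytes(self) -> bytes:
        return self.key.public_key().public_bytes(
            serialization.Encoding.Raw, serialization.PublicFormat.Raw)

    def answer(self, username: str, nonce: bytes) -> bytes:
        return self.key.sign(login_message(username, nonce))


def scenario():
    """Run a good login, a replay, a forgery with another key, and a stale challenge."""
    server, alice, mallory = Server(), Client(), Client()
    server.register("alice", alice.public_bytes())

    nonce = server.challenge("alice")
    ok = server.login("alice", alice.answer("alice", nonce))
    replay = server.login("alice", alice.answer("alice", nonce))       # nonce already consumed

    nonce2 = server.challenge("alice")
    forged = server.login("alice", mallory.answer("alice", nonce2))    # wrong private key

    nonce3 = server.challenge("alice")
    stale = server.login("alice", alice.answer("alice", nonce3),
                         now=time.time() + CHALLENGE_TTL + 1)          # answered too late
    return ok, replay, forged, stale


if __name__ == "__main__":
    print(scenario())   # (True, False, False, False)
```

The three negative cases are the ones that matter in practice: without single-use nonces a captured signature can be replayed, without the account name in the signed message a signature for one account could be presented for another, and without an expiry a challenge phished out of a user stays valid indefinitely.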


File: 1486300519752.png (201.99 KB, 200x113, fisheye_placebo_full_environment_test_by_yuumei-dacuyq0.jpg)

Quick Q
Had a VPN way back starting with "cyber" in its name.
It isn't "cyberghost" but I remember their Twitter avatar being a globe with lines or something like that and I remember they had a token system on which they made payments.

Anyone can help?


But if you encrypt that partition as a file with gpg, it will contain gpg metadata which was never meant to be hidden.


Valid point.
If they're ok with this, setting up a separate key dedicated to this partition, which has its properties spoofed with --batch, should then be enough.
Otherwise a strong passphrase or password generated by their password manager for enc, or the aforementioned alt SSL libs, should be used.
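To make the point of the last few posts concrete (both the question of whether a LUKS container file is recognisable and the follow-up about gpg metadata), here is an added example that reads the first bytes of a file the way an inspector's tooling would. It is not code from the thread. The LUKS1 field offsets follow the LUKS1 on-disk format specification; the OpenPGP check looks for the session-key packet that gpg writes first. The sample headers are constructed inline. For a plain dm-crypt container there is no header at all, so the only remaining signal is that the file is uniformly high-entropy.

```python
"""Constructed example: what a LUKS header, a gpg wrapper and a plain container look like on disk."""
import math
import os
import struct

LUKS_MAGIC = b"LUKS\xba\xbe"
PGP_TAGS = {1: "public-key encrypted session key", 3: "symmetric-key encrypted session key"}


def parse_luks_header(data: bytes):
    """Return the cleartext fields of a LUKS1 header (cipher, mode, hash) or None."""
    if len(data) < 112 or not data.startswith(LUKS_MAGIC):
        return None
    version = struct.unpack(">H", data[6:8])[0]
    info = {"version": version}
    if version == 1:   # LUKS2 keeps the magic but uses a JSON area; only the version is read here
        payload_offset, key_bytes = struct.unpack(">II", data[104:112])
        info.update(
            cipher=data[8:40].rstrip(b"\0").decode(),
            mode=data[40:72].rstrip(b"\0").decode(),
            hash=data[72:104].rstrip(b"\0").decode(),
            payload_offset_sectors=payload_offset,
            key_bytes=key_bytes,
        )
    return info


def openpgp_session_key_packet(data: bytes):
    """Recognise the packet gpg writes first: a tag 3 (symmetric) or tag 1 (public-key)
    encrypted session key, confirmed by the version byte that starts its body."""
    if len(data) < 4 or not data[0] & 0x80:
        return None
    b = data[0]
    if b & 0x40:                                  # new-format header: tag in the low 6 bits
        tag = b & 0x3F
        d1 = data[1]
        body = 2 if d1 < 192 else 3 if d1 < 224 else 2 if d1 < 255 else 6
    else:                                         # old-format header: tag in bits 2-5
        tag = (b >> 2) & 0x0F
        body = {0: 2, 1: 3, 2: 5, 3: 1}[b & 0x03]
    expected_version = {3: 4, 1: 3}.get(tag)
    if expected_version is None or len(data) <= body or data[body] != expected_version:
        return None
    return PGP_TAGS[tag]


def shannon_entropy(data: bytes) -> float:
    """Bits per byte; ciphertext and random data sit very close to 8."""
    counts = [0] * 256
    for byte in data:
        counts[byte] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def classify(data: bytes) -> str:
    luks = parse_luks_header(data)
    if luks:
        detail = f" ({luks['cipher']}-{luks['mode']}, {luks['hash']})" if luks["version"] == 1 else ""
        return f"LUKS v{luks['version']} header{detail}"
    pkt = openpgp_session_key_packet(data)
    if pkt:
        return f"OpenPGP data, first packet: {pkt}"
    sample = data[:65536]
    if len(sample) >= 4096 and shannon_entropy(sample) > 7.9:
        return "no recognisable header, but high entropy: possibly plain dm-crypt or other ciphertext"
    return "no indicator"


def fake_luks1_header() -> bytes:
    """Constructed LUKS1 header with only the fields parsed above filled in."""
    hdr = bytearray(592)
    hdr[0:6] = LUKS_MAGIC
    hdr[6:8] = struct.pack(">H", 1)
    hdr[8:11] = b"aes"
    hdr[40:51] = b"xts-plain64"
    hdr[72:78] = b"sha256"
    hdr[104:112] = struct.pack(">II", 4096, 64)
    return bytes(hdr)


# Constructed first bytes of a `gpg -c` file: old-format tag 3, 13-byte body, version 4, AES-256, S2K type 3.
FAKE_GPG_PREFIX = b"\x8c\x0d\x04\x09\x03\x08" + b"\x00" * 8 + b"\x60"

if __name__ == "__main__":
    for blob in (fake_luks1_header(), FAKE_GPG_PREFIX, os.urandom(65536), b"hello world\n" * 600):
        print(classify(blob))
```

The entropy test is the weakest of the three and cannot distinguish a plain dm-crypt container from any other random-looking file, which is the whole point of the "plain mode has no metadata" answer above; it is also why a file of random content is unremarkable only if having such files is ordinary for that machine.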


I think this looks solid but I would add a bit more.

Host -> VPN (I recommend TorGuard) -> SSH with stealth proxy (such as Tor) -> RDP -> proceed to browse normally but anonymize wherever possible.

I recommend Proxifier with 2-3 stealth proxies ending in a SOCKS5 proxy spoofing your location to wherever you want to appear.
Some sites such as PayPal also check for your HDD serial number so you might want to spoof that too.
Obviously everything will be purchased with anonymized BTC (tip: use online casinos AND tumblers).

Not sure how fast the connection would be. Anybody tried this setup before?


File: 1486423830200.png (210.99 KB, 200x174, 1459355205116.jpg)

I'm interested in this.

Wouldn't the easiest setup actually be the safest as well? As in use a VPN in the Whonix Gateway only for whatever you want to do anonymously?

Host Linux -> Whonix Gateway -> VPN -> Whonix Workstation -> RDP

This should safely anonymize you, right? Or am I missing something? The only troublesome thing to setup would be stream isolation for the RDP.


I'm not sure if this is really security related, but how would I crack a password when I know most of it already?
I forgot part of my keepassx password but most of it is written down.


If you can remember part of the password, you'll want a wordlist generator.
Have you tried crunch (https://sourceforge.net/projects/crunch-wordlist/)?
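What crunch does for the case above, written out as an added example (not the tool's code): take the parts of the password you have written down, leave placeholders for the characters you forgot, enumerate only those, and test each candidate against the vault's verifier. The `?d`/`?l`/`?u`/`?s` placeholder syntax is borrowed from hashcat's mask notation; the salt, iteration count and PBKDF2 verifier are constructed stand-ins so the example runs offline (a real KeePass database derives its key differently, so this would be used to drive the actual unlock routine instead).

```python
"""Constructed example: enumerate a mostly-known password and check each candidate."""
import hashlib
import itertools
import string

CHARSETS = {
    "d": string.digits,
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "s": "!@#$%^&*",
}


def expand_mask(mask: str):
    """Turn 'abc?d?d!' into a list of pools: literals are one-element pools,
    '?x' expands to CHARSETS[x], and '??' is a literal question mark."""
    pools, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask):
            nxt = mask[i + 1]
            pools.append("?" if nxt == "?" else CHARSETS[nxt])
            i += 2
        else:
            pools.append(mask[i])
            i += 1
    return pools


def search_space(mask: str) -> int:
    """Number of candidates the mask produces; worth knowing before starting."""
    total = 1
    for pool in expand_mask(mask):
        total *= len(pool)
    return total


def candidates(mask: str):
    for combo in itertools.product(*expand_mask(mask)):
        yield "".join(combo)


def make_verifier(password: str, salt: bytes, iterations: int) -> bytes:
    """Stand-in for the vault's stored check value (constructed for the example)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def recover(mask: str, verifier: bytes, salt: bytes, iterations: int):
    """Return the first candidate whose derived value matches, or None."""
    for cand in candidates(mask):
        if make_verifier(cand, salt, iterations) == verifier:
            return cand
    return None


if __name__ == "__main__":
    salt, iters = b"constructed-salt", 1000
    stored = make_verifier("correct-horse-42!", salt, iters)   # what the vault "remembers"
    mask = "correct-horse-?d?d!"                                # what you remember
    print(search_space(mask), recover(mask, stored, salt, iters))
```

The search-space number is the thing to look at first: two unknown digits are 100 candidates, but four unknown mixed-case letters are already 26^4 * 2^4 and, at the slow key derivation a vault is supposed to use, that is a long wait; narrowing the mask with whatever you do remember (case, symbol position) matters more than raw speed.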


What would be the security implications of adding a CA certificate to /usr/local/share/ca-certificates as described on this page?


If I'm not mistaken, wouldn't Volatile be able to maliciously intercept my traffic?

I've tried searching on the topic, my Google-Fu might be bad, though.


>wouldn't Volatile be able to maliciously intercept my traffic?
Just because you install a CA cert doesn't mean that all of a sudden they can mitm you when they wish.
If opal squatted a site with a cert signed by their CA which you happen to visit, yes, they could, but any of the other countless CAs you trust already could do the same thing.


is there a quick way to remove exif/metadata from groups of image files in *nix?


Have you tried mat (metadata anonymisation toolkit)? I don't remember if it batch processes, though.


Download libimage-exiftool-perl pkg, cd into the dir holding your images and strip:
$ exiftool -all= *


This is probably a silly/overly simple question so apologies beforehand.

I recently moved and my ISP gave me a new router.
I've changed the default passwords and would like to know if there are any other steps I can take to increase the security of my home connection.



Buy your own router. Most ISP-given routers are rooted by the ISP, meaning that if they use the same password for every router, everyone's screwed if the password is compromised. I would suggest looking into getting a pfSense (can be made out of an old pc and an ethernet switch) or an OpenWRT-compatible router. Much more customizable and secure.


I don't know much about infosec or programming in general, but I'd like to be able to keep up with the basics at least, mostly to ensure my own privacy and not be completely clueless.
Are there any good introductory resources for cyber security that don't assume any prior experience?


File: 1487886153188.png (571.59 KB, 200x110, 1487306061331.png)

So, I'm making an android app that locks files (every type of file) for my graduation project, but the hic is I can't choose between GPG and AES. So if you have any idea I will be grateful.


GPG uses AES256 by default, but only for symmetric encryption / password encryption. Otherwise it uses RSA keypairs (public keys, private keys).


So, thanks, but what's the best, fast and secure? I don't want an application that increases the size of the files; with RSA I know that it increases the file size!


If your graduation project can sacrifice security in favor of simplicity then you can use AES in ECB mode.

But pay attention to its disadvantage. For a real security app this is not acceptable. And if you look at other modes you will see that all of them require an Initialization Vector (IV). This IV is usually small (16 bytes for AES, the size of a block) and shouldn't be used twice with the same password.

Then you will generate a random IV for each file and store it alongside. The best way is to store it in the file itself (as the first 16 bytes, for example). So encrypted files will be bigger. You can keep these IVs in a database, so files will be the same size. But if the database with IVs is lost you also lose all encrypted files.

Another thing to consider: block ciphers operate on blocks. And this means that in most cases your file must always be padded, even if its size is already a multiple of the block size.

To avoid that you can use a streaming mode. AES-OFB for example.

If your app works in this way: the user enters a password and if it is correct he can read the file, then RSA is not what you need. RSA is more about keys and the possibility to exchange public keys on untrusted channels. RSA can be used to encrypt data by its own, but this is very impractical and almost never used. This is why we have this (GPG works in this way):

And last advice: do not use the password directly. Use something like pbkdf2 to derive the encryption key from the password.

This is needed to make password bruteforce harder. The attacker must spend some time with pbkdf2 to derive the actual cipher key from each password in his list. Say 500ms. This slows bruteforce down to 2 password checks per second.

If you're interested in numbers you can check this site:

An alphanumeric password of length 8 can be bruteforced (if it is hashed once with sha-256) in 13 days. This is 2.6M checks per second. If pbkdf2 with a million iterations is used (two sha-256 per iteration), the same password can be bruteforced in 92 thousand years. Feel the difference.


>Use something like pbkdf2 to derive encryption key from password.
Forgot to add.

pbkdf2 needs a "salt". This is something like an IV for ciphers. And this "salt" also must be unique for each file. So for each file you will store an IV for encryption and a salt for password derivation.


Oh wow, a real big thanks to you.
But now, after I read your reply, I'm very confused; I don't get which one I will use for my project. I always used GPG to encrypt my files in my `debian system` but this is the first time I will work with it in an application based on Java. So, if you were in my place, what would you choose?


> if you were in my place what would you choose
For deriving encryption key from user password: https://en.wikipedia.org/wiki/PBKDF2
For encryption: AES in CCM mode https://en.wikipedia.org/wiki/CCM_mode
Store IV for AES, salt for pbkdf2 and auth tag for CCM in the file beginning (files will grow a bit).
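The recommendation in this reply and the two before it (PBKDF2 with a per-file salt, AES in CCM mode with a per-file nonce, everything stored at the front of the file) put together as an added example. It is not code from the thread, and the questioner's app is in Java; this is Python using the `cryptography` package, which is assumed to be installed. The iteration count, the header sizes and the idea of binding the file name into CCM's associated data are choices made here, not values from the thread.

```python
"""Constructed example: file layout  salt | nonce | ciphertext+tag  with PBKDF2 and AES-256-CCM."""
import hashlib
import os
from typing import Optional

from cryptography.exceptions import InvalidTag
from cryptography.hazmat.primitives.ciphers.aead import AESCCM

SALT_LEN = 16          # per-file PBKDF2 salt
NONCE_LEN = 12         # CCM ties nonce length to the maximum message size: 12 bytes allows up to 2^24 bytes per file
TAG_LEN = 16           # CCM authentication tag
KEY_LEN = 32           # AES-256
ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumption; tune to ~0.5 s on the target device)
HEADER_LEN = SALT_LEN + NONCE_LEN


def derive_key(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The password is never used as the key; the slow derivation is what frustrates guessing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, KEY_LEN)


def encrypt_file_bytes(password: str, plaintext: bytes, filename: str = "") -> bytes:
    """Return salt | nonce | ciphertext || tag. Fresh salt and nonce per file, so the
    same password on two files never yields the same key/nonce pair."""
    salt = os.urandom(SALT_LEN)
    nonce = os.urandom(NONCE_LEN)
    key = derive_key(password, salt)
    # The file name as associated data is authenticated but not encrypted:
    # renaming or swapping files makes decryption fail instead of silently succeeding.
    ct = AESCCM(key, tag_length=TAG_LEN).encrypt(nonce, plaintext, filename.encode("utf-8"))
    return salt + nonce + ct


def decrypt_file_bytes(password: str, blob: bytes, filename: str = "") -> Optional[bytes]:
    """Return the plaintext, or None for a wrong password, tampering or a mismatched name."""
    if len(blob) < HEADER_LEN + TAG_LEN:
        return None
    salt, nonce, ct = blob[:SALT_LEN], blob[SALT_LEN:HEADER_LEN], blob[HEADER_LEN:]
    key = derive_key(password, salt)
    try:
        return AESCCM(key, tag_length=TAG_LEN).decrypt(nonce, ct, filename.encode("utf-8"))
    except InvalidTag:
        return None


def overhead_bytes() -> int:
    """How much each file grows: the header plus the tag, no padding needed (CCM is CTR-based)."""
    return HEADER_LEN + TAG_LEN


if __name__ == "__main__":
    blob = encrypt_file_bytes("hunter2", b"secret report", "report.txt")
    print(len(blob) - len(b"secret report"), "bytes of overhead")
    print(decrypt_file_bytes("hunter2", blob, "report.txt"))
    print(decrypt_file_bytes("wrong password", blob, "report.txt"))
```

Two details worth noticing against the earlier replies: CCM runs the block cipher in counter mode underneath, so no padding is added and the growth is exactly the fixed header plus the tag; and because the tag covers the ciphertext, a wrong password and a corrupted file both come back as a clean failure rather than as garbage plaintext.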



So, thanks, you helped me a lot, I will do what you suggested, cool man


How can I be sure my web browser(firefox) is actually using a proxy?
I'm using foxyproxy and when I set it to use proxies only according to certain rules, it constantly switches back and forth between the color of the proxy I want and the default color and it's making me paranoid as hell


Do not use a plugin if it worries you; set up a proxy properly.


What exactly do you mean? Is there some other way I'm supposed to do it besides setting up the proxy and then telling firefox to use it, either with its native proxy settings or the extension?


File: 1488540894087.png (22.31 KB, 80x200, weirdlinode.png)

Hey guys, I'm sorry if this question is a little offtopic but I think I have some problems with my VPS server.
For the first two months of use the incoming/outgoing network ratio was OK, it was around 500 Mb - 1,5 Gb a month, and I installed MySQL, mongo and set up a flask application that my company used. Now, 2 days ago, it all became too weird and I decided to purge the whole server and start with a fresh one (Debian 8); now the problem still exists, in one day traffic was 700 Mb (500 Mb outgoing) and I didn't do many things on it (certainly not for 500 Mb outgoing data), so I am wondering what is the deal with it? Is it normal? How much transfer/month do you have? Keep in mind I use this server only for developing/testing and not for production purposes (only 2 people are using it).


Also I forgot to add that I have whitelisted only the IP addresses that I connect from; all other ports are blocked (ufw), but are there some other ways to do some malicious things/send data to/from my VPS? Because that much data being sent really tickles my brain.
Thanks for answer.



You need to model your network traffic. What ratio of data is going out which ports. Also what executables are binding those ports. If you only whitelisted those ips inbound, you could have a reverse tcp backdoor in there. Even if you whitelisted outbound too, they could be using your machines as a proxy. Also, be suspicious of common ports with high usage. They could be bridging tor over those protocols.
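A first pass at the traffic model this reply asks for, as an added example rather than code from the thread: take the output of `ss -tunap` (one line per socket, with the owning process), group established connections by process, and flag any remote end that is not one of the addresses the VPS owner expects, including connections on a common port such as 443 whose peer is unknown. The sample `ss` lines and the allow-list are constructed for the example; on a real box you would feed it `subprocess.run(["ss", "-tunap"], capture_output=True, text=True).stdout` and add the traffic counters from `ss -i` or `nethogs` on top.

```python
"""Constructed example: group `ss -tunap` sockets by process and flag unexpected peers."""
import ipaddress
import re
from collections import defaultdict

# Constructed `ss -tunap` output: sshd and the flask app talking to the known user,
# plus a second python process holding two outbound sessions to an unknown host on 443.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port    Process
tcp   ESTAB  0      0      10.0.0.5:22          203.0.113.7:51234    users:(("sshd",pid=812,fd=4))
tcp   ESTAB  0      0      10.0.0.5:5000        203.0.113.7:51290    users:(("python3",pid=1407,fd=6))
tcp   ESTAB  0      0      10.0.0.5:43322       198.51.100.23:443    users:(("python3",pid=2231,fd=3))
tcp   ESTAB  0      0      10.0.0.5:43340       198.51.100.23:443    users:(("python3",pid=2231,fd=5))
udp   UNCONN 0      0      0.0.0.0:68           0.0.0.0:*            users:(("dhclient",pid=402,fd=7))
"""

# Addresses the owner expects to see at the remote end (constructed; the post says two people use the box).
ALLOWED_PEERS = [ipaddress.ip_network("203.0.113.7/32")]

PROC_RE = re.compile(r'\(\("([^"]+)",pid=(\d+),fd=\d+\)\)')


def parse_ss(output: str):
    """Turn each socket line into a dict; the Process column may be absent for sockets
    owned by another user, so it is matched separately instead of by position."""
    rows = []
    for line in output.splitlines()[1:]:           # skip the header line
        parts = line.split()
        if len(parts) < 6:
            continue
        netid, state, _, _, local, peer = parts[:6]
        proc = PROC_RE.search(line)
        lhost, lport = local.rsplit(":", 1)        # rsplit keeps IPv6 "[::1]:22" intact
        phost, pport = peer.rsplit(":", 1)
        rows.append({
            "proto": netid, "state": state,
            "lhost": lhost, "lport": lport, "peer": phost, "pport": pport,
            "proc": proc.group(1) if proc else "?",
            "pid": int(proc.group(2)) if proc else 0,
        })
    return rows


def is_allowed(peer: str) -> bool:
    """True for allow-listed addresses; the '*' of an unconnected socket is not a peer at all."""
    try:
        addr = ipaddress.ip_address(peer.strip("[]"))
    except ValueError:
        return True
    return any(addr in net for net in ALLOWED_PEERS)


def unexpected_peers(rows):
    """Established connections whose remote end is off the allow-list, keyed by (process, pid)."""
    out = defaultdict(list)
    for r in rows:
        if r["state"] == "ESTAB" and not is_allowed(r["peer"]):
            out[(r["proc"], r["pid"])].append(f'{r["peer"]}:{r["pport"]}')
    return dict(out)


def connections_per_process(rows):
    """Simple shape of the traffic: how many live sessions each process holds."""
    counts = defaultdict(int)
    for r in rows:
        if r["state"] == "ESTAB":
            counts[(r["proc"], r["pid"])] += 1
    return dict(counts)


if __name__ == "__main__":
    rows = parse_ss(SAMPLE_SS)
    print(connections_per_process(rows))
    print(unexpected_peers(rows))
```

The second python process is the kind of thing the reply means by a reverse connection slipping past an inbound-only whitelist: nothing listens, the process dials out to port 443, and the firewall has nothing to say about it. Once a process is flagged, `ls -l /proc/<pid>/exe` and `/proc/<pid>/cmdline` tell you what binary is behind it.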


I'd like to have a barebone OS for virtualisation of other OSs' to run inside.


Main OS boots (minimum software and drivers)
Simple GUI Opens Click on a Link to 'x' OS,
Password entered to decrypt (Veracrypt?) partition which has the OS.
QEMU begins running the OS

I was wondering what would be the best OS to run as the primary emulator, I'm thinking Debian which has been hardened. I'd like to update the main OS as few times as possible.

Software to be installed and configured on the Main OS:
Simple GUI and Scripting
Auto detect OS in future? Maybe some sort of file which points to the encrypted container and settings to run.


File: 1489975860010.png (5.39 KB, 200x126, GUI.png)


A GUI Something Like this

The images could be in the same directory as the descriptor/pointerfile

Can be used with keyboard only


File: 1490381255759.png (104.51 KB, 200x128, brut25.jpg)

so I have found two RDP ports open and connectable to hospital servers (Win Server 2012). Now of course I don't have the login credentials but shouldn't they be using some form of whitelisting? Who should I report this vulnerability to?


The wide majority of linux distributions are somewhat hardened for security, correct? I'm aware that there's additional stuff like GRsec but I'm not familiar with what the default "level" of security is on most distros. Are there any distributions in particular to be avoided aside from ubuntu?


Be smart.

Hospitals have notoriously bad security


What completely (or as complete as it can get) secure hardware is there available for use, freedom notwithstanding? I know intel me/amd psp means most modern laptops are out of the equation, although coreboot/libreboot should be alright (libreboot has the bonus of freedom), but are RPi/Beagleboard alright for security? Are there alternatives?


I heard that the government can install malicious software on your devices through public chargers (you know, USB-type ones). Is it true and are there any real examples of that?


Devices can be infected through manipulated chargers (if I remember correctly there was something like this for the iPhone.)

This is only good if you want to attack a single target so you don't have to worry about it, it's extremely rare and only used for certain targets.

If you still feel a little paranoid you can get a "usb condom" which only lets energy flow through and blocks data connections. I use this when I travel in trains or buses to not accidentally share any data.


File: 1491410621470.png (693.61 KB, 200x193, 1474994297971.jpg)

Hello, I am thinking of pursuing security as a career and am wondering what would be the more appropriate major, computer science or information technology.


I think that would depend on your university. My friend and I both started in computer science and later switched to information technology. He chose the cybersecurity concentration in the IT major, and I think that there were a lot of classes related to networking that he took that weren't available to CS majors.

However, maybe your school has different courses for CS/IT and security. I'd recommend doing some research.


By my understanding, microcode is like a translation layer that the manufacturer uses to fix bugs in the architecture. Microcode reroutes around bugs burned into the silicon; you will supposedly run into instability issues on these modern CPUs.

Microcode may implement their own class of VERY low level exploits. In my opinion the threat level from microcode is quite low, but that is because I have already entered into a bargain with the devil (amd/intel) when I bought the CPU. If I distrust the microcode then I am being quite inconsistent if I trust the CPU.

Where the management engines come in, it's where the manufacturer DOES put its corporate RATs, with their own direct access to the network interfaces, RAM etc. That is a known threat, but packaged up as a corporate feature, so the IT guys can roll out updates or recover stolen laptops with secrets on them. It has a legitimate use case, but is still scary and unnecessary for most people who own their own computer.

With the ME cleaner used in that article, you can neutralise most of the management engine by zeroing out all the unnecessary functions. If you just yanked the chip containing the ME (or burned it with a laser as earlier lainon suggested..) your computer would reboot after 30 mins of uptime. (on intel, I don't know how amds soykaf works)

So you have to lobotomise the ME but leave enough in there that the whole platform doesn't freak out because it's missing.

Libreboot etc is a separate concern again, as you said basically a BIOS replacement. If you lobotomise ME then you can run your own BIOS, but you will still have to run microcode if you want to fix any of the obscure bugs they supposedly fix.

tl;dr, fresh out of the box your laptop has:
- closed bios
- management engine / manufacturer installed backdoor
- needs microcode

You can (in theory, not all laptops, etc) fix the first two and whether you really want to "fix" the last one is not as clear as it first seems.


This is tangential to your post, but I found it worth posting.
>By my understanding, microcode is like a translation layer that the manufacturer uses to fix bugs in the architecture. Microcode reroutes around bugs burned into the silicon; you will supposedly run into instability issues on these modern CPUs.
Microcode is the lower level operations the machine language is built from. On most modern processors, it's used for bug fixes and whatnot, but older architectures allowed people to write their own microcode and switch between them for different programs.

So, as an example, a language implementation would be capable of making the CPU directly suit its needs. Doesn't that seem powerful? If you needed an instruction to behave atomically, you could add that. If you wanted very high level instructions, you could add them.


...how hardened do you mean? The big distros (with one exception) are pretty good for desktop "I want to avoid malware while browsing" use cases. You can, of course, go a lot further with stuff like grsec if you want to, and it may pay to if you're running a server. But if you're running a server your first area of attention should be the configuration of the service you're setting up on top of the OS. And for a desktop or server the best thing you can do is to apply updates promptly, before worrying about kernel patches, MAC, etc.

The exception that you ought not to trust is Mint, not Ubuntu. See: