archive provided by lainchan.jp

lainchan archive - /sec/ - 3232



Do you tell friends/family/people on the street about using Signal/ChatSecure/Tox or Tor, etc.? How successful have you been? A few people are grateful for the information and change habits, but most people have a sort of knee-jerk response when I talk to them about using software that protects my privacy, they seem to prefer ignorance to actually being aware of what is going on in the world, as far as dragnet surveillance goes. I mean, they know it happens but they prefer to just act as if everything's okay. Problems don't go away when you ignore them but a lot of people function as if that's the case.


All the people is not possible, but for two people, me and you, is possible to change. How many people are using Tor here on Lainchan?



Help people that deserve and want to be saved.
Everyone else can burn in lake of fire for all I care.
normal people, filthy normal people.


If you can work the subject into the conversation without preaching, go ahead.
That doesn't mean to say that the listener(s) shall be all open ears by any means for the normority, good habits die hard.

A change will only commonly occur when either an individual | close friend/partner(s) | family member has been directly involved with a case where their data from [INSERT COMPANY HERE] was used against them without their consent, they were a witness to an extreme censorship bias - random post removals of political views, meanwhile video footage of violence against the young remains etc. or they get a moment to dig through past and present leaks which there are plenty and all things click; note, the last one is a rarity out of the three.


Got one of my friends to use signal full time


I have talked to quite a few people and the most unique response was "snapchat deletes your messages so its ok" disregarding the fact they keep copies of everything.


>snapchat deletes your messages so its ok
>snap inc. says so. they wouldn't lie. data recovery is a thing of fiction. they don't have enough human resources to manually look at my sexts. computing clusters don't exist.


>snapchat serves and sends content over http, its fine



I've gotten one friend to start using XMPP+OTR+Tor

but he was already running Arch so


I got my sisters to quit social media after proving that people can easily trace their full names and addresses.

I also got a friend into Linux by showing him Mint and how easy it actually is.


OTR is deprecated. Use OMEMO.



Yeah, pretty much this. I try to just lead by example rather than get preachy. I try to demonstrate to friends and family that I can be a normal, well-adjusted person without any social media. It's not like I'm a recluse; people can call or email me and I'll actually pick up the phone or reply back pretty quickly. I used to do the GNU Social thing, but it felt like "look at me!" karma whoring. I stick to anonymous image boards now.

Fortunately, my dad (a senior cop in his particular service) is another positive influence in my family on this front. He does use Facebook, but only when he's conducting an investigation. He has a set of fake profiles for that purpose. He absolutely refuses to use social media otherwise. He knows how ineffectual the privacy settings are, because that's exactly what helps him do his job.


>because that's exactly what helps him do his job.
hear hear!
archive.is, people-search and graph make this process a breeze.
just hope he or his department doesn't clone preexisting profiles for the purpose of catfishing suspects; that soykaf is low af.



This particular police service actually builds their fake profiles from scratch, but with details inspired by real ones. They've found that suspects are less suspicious of their fake profiles that way. I think people here would be quite surprised by how many "teenage girl doing a duck face selfie in a high school locker room" photos are actually "30-year-old female cop in a wig doing a duck face selfie in the staff locker room, plus a bit of photoshop to change eye color and shape because that's what people really remember" photos.

The art of building fake profiles is quite interesting. They'll do research on the most common real first and last names of various demographics, build sub-groups networked to other subgroups based on musical tastes (Fake Alice likes country and rap, so Fake Alice sometimes goes to concerts with Fake Britany who likes country and Fake Charlene who likes rap, but Fake Britany and Fake Charlene never go to concerts together), and all sorts of other mimicking of real-life networking patterns to make their fake profiles more authentic. They'll maintain and update these profiles for years. And it works. Suspects are genuinely fooled into friending these fake people they've never met because they seem authentic.

There's an entire network of about a thousand facebook profiles in my area that seem completely authentic, with profiles having been around for several years, with all sorts of friendships and drama. But they're completely fake.

A lot of techies seem to think that all cops are clueless when it comes to the internet. Those techies are quite wrong. Your average cop might not know how to root their phone, but they are really fuarrrking good at social engineering.


Do these profiles ever get removed? Is the work done lost that way? Facebook's policy is against fake profiles and they are regularly removed, though I haven't experienced that yet.

Do you think that from a social standpoint these virtual infiltrators could be as trusted by criminals as real life informants and undercover agents?



If a fake profile is detected and deleted, a quick phone call to Facebook's legal department gets it restored damn pretty quickly. Deleting one of these profiles can fall under the category of "obstructing justice", which is a very very serious charge in my particular legal jurisdiction. Terms of service don't mean squat in that situation.

The purpose of the profiles isn't to communicate directly with suspects. They're typically used to get past "don't show to the public" restrictions and quietly collect info. Geotagged and timestamped photos are particularly valuable.


>builds their fake profiles from scratch, but with details inspired by real ones
>30-year-old female cop in a wig doing a duck face selfie
nuffin wrong. imagining said officers deciding who should do the duck would be quite amusing.

the whole creating and aging a profile is most definitely an art and requires a tonne of patience and due diligence.
just one unfortunate slip up and you have to start over.

>But they're completely fake.

social networks are so heavily dominated with these, plus dumb and smart bots.
twitter bots isn't news but first quarter of last year alone, the numbers bounced exponentially; as in billions to trillions.

not all circles share this viewpoint.
sure them not knowing how to isn't surprising, even though lets face it, following a bunch of steps to get root doesn't really place anyone in the techie bracket.
independently finding a means to get to r15 via a kernel privesc and the title's theirs.

they have to know humint.
without it, all investigations would be moot.


I only have a couple of friends who are even remotely tech savvy, and they usually ask my opinions when they want to be hidden/secure, but they rarely want to go the full distance (or even half way) for security/privacy, because they feel it's too much hassle and/or the threat isn't great enough because "i don't do anything illegal". Of course, they all pirate media, and when i point that out they rationalize "yeah, but no one cares about that". I've never gotten a non-techie young person to improve their security beyond setting a facebook account to private. When informed of the risks and the violations of privacy they get scared for a couple of days, but then either fall into denial or get distracted and forget about it. I've had some success with my elderly family and neighbors though, but i think that is because their digital lives aren't nearly as large or well rooted. Plus, they were already afraid and learning that the reality was worse than their suspicions made the inconvenience of learning some new habits seem minor.

I can't seem to get people to understand it's not about today, it's about a year from now, or 4, or 20, when that huge cache of data about them can be used to hostile ends should law, politics, or public opinion shift against them. I also don't understand how we became conditioned to trust corporations by default and some how the larger and more powerful they become the more non-threatening we view them as. Meanwhile the tech-illiterate elderly barely trust the power company. It's a shame we lost that skepticism just as it would be the most valuable to us.


Over the last 5 years or so:

I got a dozen-ish people into Signal (usually via "hey we should have a group chat for XYZ thing, oh sorry I don't use Facebook, how about you guys get Signal? You can have it replace your text messenger or just have it by itself, and it's secure, we used it for corp chat at $my_old_job_at_reputable_tech_company. You can send gifs and everything!"). Most people fall for it because we need a group chat and whatsapp isn't popular here. Also a few people were legitimately interested in securing their communications and Signal is pretty much the gold standard for balance between security and ease-of-use.

I got maybe 2-3 people using Linux as their main OS now, and a few more interested in it / running VWSes/VMs etc. Most of that's through having a rep for working for a cybersecurity company, and people interested in this kinda stuff ask me where to get started, and I point them towards Linux. Same people showed some interest in Tor et al, so I did some small tutorials on Tor/I2P/Freenet. Don't think any of them use these networks regularly.

Got a few people to uninstall FB from their phones after talking about my concerns with it, and mentioning the whole always-listening-to-your-mic-targeted-advertisements thing.

Mind you, I'm not a social hermit. I still have FB, but I don't have any FB apps, just log in via web browser every fortnight or so. I use snapchat daily. Instagram here and there (lolFB I know). I'm getting there, slowly, and my social circle is coming with me.


It's a generational thing.
Those being born today, have their first interactions with tablets and smartphones at the age of 3-5.
Generation Y raising kids in the now, for the most part, have little to zero guidance in this domain as it was an ongoing development during their educational years.
More focus was made on being proficient in orifice, than safely navigating and interacting with the web, where all average janes would spend more time in the browser with thin apps, than in the trad legacy landscape.

In Eurasia, specifically Russia and partly China for instance, there has been far more of an effort to make the basics of information security or at least more awareness on the matter part of the curriculum than in comparison to the West.
As for privacy, East Germany understandably is more cautious and wary than most other countries within Europe due to their history with the Stasi.

And people don't think 5-10 years from now, as they'd rather embrace the moment, live in bliss and put off the inevitable as the future is depressing or smth.

Don't dwell and waste time trying again and again to change minds which are stuck in a while.
Take heed in what you know and inform every now and then.


That's actually really fuarrrking cool. I wouldn't half mind selling my soul to join the ranks of these puppet masters.


Got my family using signal. The older ones don't know they're using it other than it looks better than the default sms app and continue to use it as normal unencrypted sms. I think that's funny but it concerns me only 1% of their contacts are using Signal.
Some others had a bad experience getting the messages immediately and said the app was soykaf and refuse to install it again. They are tech illiterate though so I use whatsapp with them instead. Told people to use a vpn because they might want to pirate media, on their... phones. I messaged them in the most vague legal and (lack of) private way to do it because i don't trust their opsec.

I'm hoping to get some good friends to use Rumble

Ask any young women for their number and they'll say no. Ask for their name and you get everything.


And here I was thinking I was crazy because I thought my phone was listening in on me when Pandora played an ad for a specific razor brand about an hour after telling someone I needed razors.

Do you have any articles on which apps listen in on the mic?



>he was already running Arch
Sorry he's already fairly Lain... i'm gonna have to say it don't count!

>got a friend into Linux by showing him Mint

One of the best pathways for nomies... Mint, start with its free, then simple, then move to its fast, then move to the privacy thing... I find this the best way to bring them in!

it's as bad as i feared - entrapment is rife!

>Do you have any articles on which apps listen in on the mic?
Just assume they all do... as much as possible don't use apps, use web interface.

People think because they don't live under the Stasi, that this surveillance is the safe ok type - that gov will never use it against them, because they are not master criminals!

The only reason the west lets people have open internet rather than go full China is it gives the gov a way to keep tabs on em all - because if people believe they are free they will spill the beans more.



I've tried and I've had little success.
I've linked people to things like https://stallman.org/facebook.html (as in literally saying, "stallman dot org slash facebook dot h-t-m-l")

The usual response is either being ignored, or saying "I don't have anything to hide"

After saying "Well then, let me have your E-Mail address's password, along with all your others", only one has actually done so. His password was a series of numbers. However, after asking him to write it down on a piece of paper, he declined.

I also tend to ask people for their E-Mail addresses, and most decline. For some odd reason, the majority of them seem to think that I'm going to attack them somehow.


I also try to convince people to use things like Protonmail, or XMPP, and most people simply don't have interest (but if it's the latest emoji vomit, people lap it up)

The world is a strange place.


I tried mentioning the Snowden leaks IRL before and learned not to do it again. The people around me seem to believe that only paranoid loons think the government is engaging in any kind of mass surveillance. The small number that do believe it support that sort of thing.

If something sounds "technical" or "weird" people just turn their brains off. Most do not know soykaf about computers beyond the few services they use, and they have no desire to learn about anything new (unless everyone else is doing it).


>"normal people"
God's sake, anon. Please use "normal user" or something, just not that nasty word.


>I also tend to ask people for their E-Mail addresses, and most decline. For some odd reason, the majority of them seem to think that I'm going to attack them somehow.
Then you should ask for their insta or twtr.
If they reveal one of these and you have their full name, dob, nicknames(s) etc. you could always run a password reset on their accounts to get a partial email.
Most end users have no clue that this is a ridiculously trivial means of acquiring emails.
Random example:
Take https://www.instagram.com/jeff/, issue a reset and we get j********k@gmail.com.
We know their full name so we just fill in the blanks and voila, hello jeffwittek@gmail.com.

Then send them a witty email to confuse the fuarrrk out of them, thus debunking the whole 'nerffin 2 haed' myth.


I got my dad to use Signal for a bit with messaging and calls. He went back though and I'm gonna talk to him later about going back to Signal.


You should teach him to use XMPP+OTR


>got dad to use Signal for a bit with messaging and calls. He went back though and I'm gonna talk to him later about going back to Signal
>ignores the fact that he gave up on signal, and suggests xmpp+otr
>magically thinks xmpp and using otr correctly is going to be as user friendly and convenient as signal
>lucky if you make it past one call, if he hasn't already ditched it


You know, it's hard in the country I'm living in. Because people living here depend on a social tool named "wechat". Basically it will record all your things and hand them to the authorities at any time. Most people know that and think that's reasonable.

Most people here bind their credit card to this tool so that you can pay with it. (That's ridiculous - to pay with an IM tool!). If you don't want that, people think you are not human and will not talk to you.

If one day they can not use wechat they're gonna kill themselves. When I first came to this country I found it is like a tragedy in a dark cyberpunk world, or kind of "utopian" world in 1984.



What are people's perspectives on government surveillance in China? (I'm guessing you're in China because wechat).

I always wonder what people that have information actively and successfully censored from them think about that fact. Do they simply not care, agree with the gov's "harmonization" explanation, or have no idea the internet is censored?


Wait really, can't believe that?


I think people think way too highly of Tor, you're neither completely anonymous nor is your data any more safe. If you browse any http site with tor there is quite the chance it will be tampered with.


My sister contacted me yesterday about how to hide files in her hard drive so I showed her full disk encryption and veracrypt since she's on a macbook with OSX, and told her about VPN's as well. Problem is she asked over snapchat. So she's pretty much screwed already.



i had to laugh at that, sorry. the ignorance of some people regarding snapchat as a secure messaging platform makes me want to kill myself.


Well, my girlfriend uses Silence (Signal but actually SMS), as well as all the usual XMPP stuff, most of my friends use ChatSecure or XMPP in other forms, but many of them are on Facebook. I don't tell them that they shouldn't do stuff or anything, I just show them new stuff and they tend to listen.
I guess I'm doing fairly well.


Pretty much zero. I was able to convince my sister to replace Windows 10 with Debian on her computer but that's about it. Unless the person I'm trying to convince is engaged in any illegal activity (besides unauthorized digital copying/sharing), they steadfastly refuse to change their behavior. I've given up evangelizing because people just do not want to learn new things if they don't need to (oh, the irony). I still make comments here and there but I don't lecture since it's a waste of breath; instead, I'll be waiting for them to come to me when the soykaf hits the fan.


implying you also use snapchat


Of course I use snapchat everyone I know uses it so it's basically a necessity. I of course don't do anything too stupid over it.

Anyway my sister uses a mac. You guys know any good software to secure that thing?


Thermite and a new laptop.

Only kidding but there's a process manager out there that monitors all network traffic for any process and reports it. I forget the name.

As far as any Mac OS specifics? Couldn't tell you, I'm def not a mac guy.


She once asked me about linux and I showed her my laptop and all the soykaf I did to it. She didn't want linux anymore



Ok so I'm not the most technical, or a great linux user, but I've had an idea for a while where I want to use a raspi and basically make it a box that connects to internet wherever I am, and I connect my laptop through it and be somewhat more secure/anonymous while browsing in public.

Can a noob like me that only knows basic use of the command line (like setting up retropie and updating) make this possible?



converted two friends to xmpp (conversations);
got a few clients using keepassx.

for both I insistently walked them through it and pretty much set everything up.

Really wish I could talk people into using gpg for e-mails.

Normal people just don't understand why you would not want to give all your information to companies.

They go for simple and wrong over complex and right.

Plus they think you're crazy if you attack too many of their underlying beliefs and then categorically reject anything you say after that. Unfortunately have gotten myself in this arena with most of the people I really care about.



Thank you!
will be looking into this, you say requires eth as in from laptop to pi or from wall to pi?


Depends whether you want to jack directly into the pi or you have a usb adapter to connect to the ap wirelessly, all personal preference.


>Really wish I could talk people into using gpg for e-mails.

You should convince people not to use email for private communication instead. Email is a permanently flawed technology for that purpose.


>Email is a permanently flawed technology for that purpose.

How so?

When you make statements such as yours, I'd recommend elaborating on the why or how (or whatever) so people don't have to make such a response as mine (asking why/how so). You don't have to but it's a more efficient way of communicating.


Not 3060, but just chiming in.
Email is flawed seeing as it leaks exif data like a sieve - sender/recipient email/name, timestamp, IP/UA headers - and integrity checks aren't baked in.
Plus, it's all too easy for average Jane to fail miserably in key mgmt, and failing to NOT set a subject line which would give a window into what you were trying to keep sekret in your content.

Now if we could roll back pre-email and have gotten everyone on the i2pbote train, the whole metadata calamity would be a no show.
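
The header leakage described in the post above, as an added example that is not part of the original thread: even when the body is OpenPGP-encrypted, every relay and mailbox provider still reads the headers in cleartext. The message, names, hosts and IP addresses below are constructed sample data, and `exposed_metadata` is a hypothetical helper name.

```python
from email import message_from_string
from email.utils import getaddresses, parsedate_to_datetime
import re

# Constructed sample message. All names and hosts are made up; the IPs are
# from the reserved documentation ranges 198.51.100.0/24 and 203.0.113.0/24.
SAMPLE = """\
Received: from mail.example.org (mail.example.org [198.51.100.7])
\tby mx.example.net with ESMTPS; Tue, 14 Feb 2017 09:12:44 +0000
Received: from laptop.local (home-dsl.example.org [203.0.113.25])
\tby mail.example.org with ESMTPSA; Tue, 14 Feb 2017 09:12:41 +0000
From: Alice Example <alice@example.org>
To: Bob Example <bob@example.net>
Subject: documents for the lawyer
Date: Tue, 14 Feb 2017 09:12:40 +0000
Message-ID: <abc123@example.org>
User-Agent: Mozilla/5.0 (X11; Linux x86_64) Thunderbird/45.7.0
MIME-Version: 1.0
Content-Type: multipart/encrypted; protocol="application/pgp-encrypted"; boundary="b1"

--b1
Content-Type: application/pgp-encrypted

Version: 1

--b1
Content-Type: application/octet-stream

-----BEGIN PGP MESSAGE-----

(constructed placeholder, not real ciphertext)
-----END PGP MESSAGE-----

--b1--
"""

# Relays usually record the connecting peer's address in square brackets.
IP_IN_BRACKETS = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def exposed_metadata(raw):
    """Return what an observer learns from headers alone, body untouched."""
    msg = message_from_string(raw)
    # Received headers are prepended by each hop, so the last one listed
    # is the first hop and usually carries the sender's own IP address.
    hops = [ip for h in msg.get_all("Received", [])
            for ip in IP_IN_BRACKETS.findall(h)]
    recipients = msg.get_all("To", []) + msg.get_all("Cc", [])
    return {
        "from": [addr for _, addr in getaddresses(msg.get_all("From", []))],
        "to": [addr for _, addr in getaddresses(recipients)],
        "subject": msg.get("Subject"),  # PGP/MIME does not cover the subject
        "sent_at": parsedate_to_datetime(msg["Date"]).isoformat(),
        "client": msg.get("User-Agent") or msg.get("X-Mailer"),
        "relay_ips": hops,
        "origin_ip": hops[-1] if hops else None,
        "body_encrypted": msg.get_content_type() == "multipart/encrypted",
    }


if __name__ == "__main__":
    for field, value in exposed_metadata(SAMPLE).items():
        print(f"{field:15} {value}")
```
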


Quick dumbass question for you guys. If I downloaded signal on my smartphone, but then I quit service with my provider, would signal still work through wifi on my phone? If I want to talk to people encrypted, and they're on a smartphone, is wickr the best option? Tox seems very buggy on android.


Thanks again going to try and figure this out.


pretty sure you need SMS service for signal to work correctly.


I agree that exif leaking is/was a "flaw" -- per se.

In a pedantic way, I'd say it's more just plainly outdated and wasn't designed with security in mind.

It's certainly trivially easy to abuse and manipulate, sure.

IMHO, in the beginning days of email (SMTP in 1982, POP and IMAP later in the 80's, *now with ssl support, yaaay :| *), security culture wasn't as important (or mainstream, really) as it is now.

I mean, the first RFC dealing with anti-spam measures for SMTP was in 1999.

>it is flawed, outdated, and wasn't designed to live as long as it has properly.


Zero. Nobody cares until the soykaf goes down.



I haven't gotten anyone to improve their security, privacy or liberty since I'm on lainchan (2014), but I did get tired of the whole thing and am now one of them, floating among the clouds like a happy little balloon.


My family uses Signal and a password manager. I host their password manager on a file server.


I can't count how many people I've given a lecture to about privacy and security. Granted only a portion of them heeded my advice, but many of the people who needed to, have. My efforts let me feel a sliver of contentment.


smartphones are beyond saving anyway.
For your daily blatter you can use any application that implements end-to-end encryption that you can verify the other person.
Tor messenger is also pretty good.

Sadly enough i have to use whatsapp as no one wants to switch to xmpp or any other application.
It's all about knowing the limitations of your threat model and devices.


I got one of my friends to delete facebook and snapchat, and I got a few people to use whatsapp (I know it's not perfect but it's better than facebook messenger) as their main communication app. And I showed some people how to use tor to access the deep web. In general I get the classic "nothing to hide" response.


facebook owns whatsapp, doesn't it?


Facebook Messenger isn't end to end encrypted ( this makes sense for Facebook if you think about it. ).
Whatsapp is.


Facebook owns whatsapp and it is safe to assume that they are *not* on the side of the user. As their services openly admit to it. Regardless of what they say about their encryption, I'd argue it isn't to be trusted. Even their messenger app has encryption capabilities now, but that means very little when taking into consideration the host and service provider.


Yet Whatsapp uses Signal protocol ( Open Whisper systems even helped them ) so there is end-to-end encryption that is verifiable.
Putting your trust in anything has its risks.
At least the users of Whatsapp now have encryption that is strong so they aren't being a victim of mass surveillance.
And being secure goes deeper than a simple application, one would either run CopperheadOS or the newest iOS to be safe.
Android will get there slowly but it will take some time still to be as hard as iOS probably.


I lol'd inside when the people at the job center manipulates me and said they'll find everything.


I treat my threat model as every government btw


glhf with that. You're never going to nail opsec so well that a group can't find you given enough time and money. Nation state groups have both. Especially money.


And people still get away with soykaf. Nobody is omnipotent, which is pretty much the point of any security measure.


Yeah, get away with it, but for how long?

I get what you're saying though and I think it's a good idea to prepare for the worst-case-scenario.

If you prepare yourself for that, you're good for anything less severe so that's good.


>Yeah, get away with it, but for how long?

There are people who were never caught for anything.

Basically, security and anonymity even in the face of modern surveillance states are possible, is what I'm saying.


True, but they are so much the exception and not the rule.

Why do we even have to have this discussion? Kinda sad really that this is the state of affairs we all live in.