archive provided by lainchan.jp

lainchan archive - /sec/ - 4785

File: 1489462100696.png (134.75 KB, 300x200, wireless-720p-camera-LW3211-L3.png)


Greetings, fellow Lainons.

I am gravely concerned. Regardless of your OS, regardless if you're using Libreboot and even if you do have 100% open source hardware, it raises a greater question.

How can we stop ISPs from recording our web traffic?

Granted, if you have committed no crime then you have nothing to hide. However, it's a matter of principle here. What are steps we can take to privatize our online activity and at least prevent our traffic being monitored? Yes, we can use a VPN, but who is to say they are not recording our traffic as well and not using it against us?

Is this the end of the free internet as we know it?
>inb4 OP is overly melodramatic
I am only concerned for our well-being, is all. I apologize if this seems heavily dramatized in any way.


File: 1489464727363.png (301.96 KB, 200x132, 7proxies.png)

Well you can start by adding as many layers between you and your provider as you can manage.
Connect to VPNs, throw in an anonymizing connection like Tor, etc.

I guess it just depends on how much you're willing to sacrifice in the name of privacy. The free internet is indeed dead. We need to use the tools available to us and hope more reliable methods present themselves.


File: 1489466351833.png (369.23 KB, 200x150, bg8 centralized decentralized distributed network graphic.png)

You can't. They can always just record everything. That's how the infrastructure's set up.

Analyzing the data they get that way is a different story.

They know the first hop at minimum, source and destination. You can encrypt the rest though. Works so long as you aren't contacting someone else under the same ISP, in which case timing analysis is a problem.

Spoofing/dummy traffic would help with that, as would increasing latency. I2P has some suggestions on the topic.


I think using an SSH tunnel would look less suspicious than a VPN, especially combined with benign "normal" traffic that isn't secured (other than the usual SSL) but reveals nothing compromising.

In a sense, living at home (bunch of normals doing normal things obscuring your own activity) might be safer than living at home.


You forgot to mention that certain services are also to be avoided, as they are worse than any ISP.

Overall, one could argue that there is no working solution, as full-on security would require you to deny yourself most of the existing hardware, lots of existing software, and practice a sort of asceticism about what to use and not use online. It's sort of like trying to cure cancer by killing all affected people, and then hoping no new cases show up.


i use blackvpn since 2010 and they never failed me. they are based in hong kong, so there is no way in hell any local authority would ever get access to my data - and the provider claims, that they don't store logs. mostly i'm connected to eastern european servers, so there is one more layer of nobody gives a fuarrrk.

currently i'm using the beta of protonvpn which looks promising, let's see how this turns out.

in the end, you can just hope nobody is going to fuarrrk you up but i guess if you don't run some criminal network you'll be fine with a more or less trustworthy and well performing vpn.


>i use blackvpn since 2010 and they never failed me
>based in hong kong
go away ching chong advertisers


Not him, but if anyone is going to snoop on my traffic I'd rather it be the Chinese than a western government. At least I know they won't hand it over to the US.


the simplest answer I found to this question was
>obfuscate who you are in the first place

buying prepaid sims with straight cash, putting them in 3g/4g modems and then using directional antennas to avoid triangulation is the only answer we have to them not finding out who we are

other than that, I don't see a real solution to MitM attack. Even if it's only metadata they are scooping up they are pretty much unavoidable.

either that or start making your own distributed network with your pals IRL with few antennas and routers.


Use I2P and Tox.



The solution is to have no internet connection at home and to do all of your internet browsing on public wifi while spoofing different MAC addresses every day. Remember to never access it from the same location multiple times within a short period of time.
It's also important to access it while dressed inconspicuously and never while in plain view of a camera.


File: 1490316460696.png (276.26 KB, 232x300, 1703.02874v1.pdf)

>do all of your internet browsing on public wifi while spoofing different MAC addresses every day
Unfortunately, this only helps to a degree considering any knowledgeable network administrator can now get your real MAC address even when you're spoofing it due to a flaw in 802.11 wireless chipsets. See the attached for further info.


Would having custom hardware negate this?

Say the hardware was built for randomization of MAC addresses and it doesn't come with a MAC address.


Buy a couple of wireless cards or some of those usb jobs, and swap between them.


I wonder if it'd be possible to eventually just have a layer of dummy traffic always going back when you connected to your isp. I mean that'd certainly make it hard for them to just turn around and say that one individual thing was your traffic. Of course doing anything more shady is going to stand out. I've heard the rumors on tor too, not sure just how secure it really is. Sometimes it'd be nice to just get lost in the crowd a little more.


File: 1490349310023.png (559.93 KB, 200x184, 0A30aB1B6A8d6B02d6648E7CaC3Aa9fe.png)

>any knowledgeable network administrator can now get your real MAC address even when you're spoofing it
Some corrections after refreshing myself on this: I should add the disclaimer that your real MAC address can be obtained by any knowledgeable passive observer--mark out net admin above--/only if/ you are using an affected Android device (96% of the sample set) and are not connected to an AP (access point). iPhones and roughly 4% of the sample set of Android devices are unaffected by the simple passive deanonymization techniques described in the article. However, if an adversary knows your real MAC address then it's game over--even if you're using a laptop, raspi, pocketchip, etc. This is because existing client device chipsets (i.e. isn't an AP) will respond to RTS frames (yes, you read that correctly) with a CTS frame, alerting the adversary that the targeted device/individual is within range. This behavior is impossible for the OS to block, as well.

>Would having custom hardware negate this?
Yes, but you'd have to make it yourself since all existing 802.11 chipsets are thought to be vulnerable.

And make sure that your existing wireless chip is in the DOWN state if still connected.

Basically, it boils down to don't use smartphones unless the real MAC address can't be tracked back to you (buy with cash) and do likewise when purchasing WLAN cards if your threat model includes state actors. Also don't rely on the manufacturer's MAC randomization as that is only used for unauthenticated and unassociated probe requests (i.e. before you are connected to an AP). Even then, though, the situation's kinda fuarrrked because as soon as your real MAC address is compromised you can be tracked no matter where you go, provided that your adversary has the resources to pursue you in this manner of course; I'll let Lain imagine the myriad avenues available to this end.


>How can we stop ISPs from recording our web traffic?
encrypt everything and use something like tor.
most pages on the internet are encrypted anyways so the only thing the ISPs get are DNS and streamed content from third party web plugins (which most browsers will inform you is not secured)

what you should worry about is the fact no matter how "free" you get your software. from this point forth almost all hardware is bugged. can you really trust that intel firmware in your PC?
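As an added illustration (not part of the original post) of why plain DNS lookups remain readable by the ISP even when the page itself is served over TLS: the sketch below builds a standard unencrypted DNS query and then recovers the hostname from the raw bytes the way any on-path observer could. The hostname `clinic.example` and the function names are constructed for this example.

```python
import struct

def build_query(hostname, txid=0x1234):
    """Build a plain (unencrypted) DNS query payload for an A record, per RFC 1035."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD flag set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in hostname.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def observe_query(payload):
    """Return what a passive observer learns from one UDP/53 payload, with no key needed."""
    if len(payload) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qdcount, _, _, _ = struct.unpack("!HHHHHH", payload[:12])
    if flags & 0x8000 or qdcount < 1:
        return None  # a response, or a message without a question
    labels, pos = [], 12
    while True:
        if pos >= len(payload):
            raise ValueError("truncated question name")
        length = payload[pos]
        pos += 1
        if length == 0:
            break  # root label terminates the name
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a query name")
        if pos + length > len(payload):
            raise ValueError("truncated label")
        labels.append(payload[pos:pos + length].decode("ascii", "replace"))
        pos += length
    if pos + 4 > len(payload):
        raise ValueError("truncated question footer")
    qtype, _qclass = struct.unpack("!HH", payload[pos:pos + 4])
    return {"txid": txid, "name": ".".join(labels), "qtype": qtype}

def names_seen(payloads):
    """Sorted set of hostnames an observer could log from captured query payloads."""
    seen = set()
    for p in payloads:
        info = observe_query(p)
        if info:
            seen.add(info["name"])
    return sorted(seen)

if __name__ == "__main__":
    # Constructed sample traffic: two lookups, one of them repeated.
    capture = [build_query(h) for h in ("clinic.example", "forum.example", "clinic.example")]
    print(names_seen(capture))
```

An encrypted resolver transport (the thread mentions DNSCrypt) replaces this payload with ciphertext, so the same parser would recover nothing from it.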


If you are in the United States, soon all ISP history and logs will be available to advertisers for sale (hopefully not, but let's be realistic, that's how security researchers should think). This means that unless you are using something like tor, i2p, or DNScrypt then these advertisers and whoever else already has access to this info that ISPs probably already collect will know all the sites you visit. How about instead of using 100% encrypted connections, setting up a pi or something to generate bogus web traffic in the clear to make you stand out far less from anyone who only or primarily connects to tor nodes and i2p routers which are fairly publicly known and can call attention to you?
This presents a similar problem to what the TOR Browser has been attempting to deal with along with the EFF, browser fingerprinting versus maximum security browsing that can be profiled. But what I think makes this different is that your ISP, unless you somehow pay them in cash, knows your real life address and your full name. Websites don't and that is why fighting browser fingerprinting is important, but does it matter if they already know who you are?
I'd be interested in what you guys think. I haven't had much time to think about the ramifications of this and it seems pertinent to OP's question.


>Granted, if you have committed no crime then you have nothing to hide.

You have plenty of reasons to hide. Medical Data is important for hiring & insurance, financial data for buying things - online shops started adjusting prices depending on the user profiles - if they know you got money up it goes and if you don't know this happens gg. Political opinions also got people fired. And of course criminals can buy the same data shopping for targets.

Now to the security troubles:
Don't forget that no matter how safe your tunnel is you still need to ensure you ain't sending your ID over the tunnel. Browsers are notorious attack targets with most being contaminated themselves. If javascript is enabled there is a guaranteed chance to identify you through the tunnel and the web has increasingly more sites dysfunctional without enabling the tracking third party crap.

VMs + tunnel might work in a way obfuscating your real hardware which gives you a second ID one could likewise reidentify unless you manage to change settings constantly for the VM to keep changing your possible ID. Lastly there were exploits breaking out of VMs so they can't offer absolute safety either but it's certainly more than just allowing your real OS to be read out.

BTW IPv6 is by design compromised but i don't remember the details. What's important is that it's recommended to stay on IPv4 when possible due to this.