No.17785
Anons, what devices, tools, programs and other items do you use to increase and aid your cyber security?
I am thinking about making the full jump from windows onto linux.
No.17797
Gnu macchanger, tails, Tor, Swiss based vpn paid for in bitcoins. It all depends on how much security you need
No.17798
>>17785
>>17797
>This
If you're interested go on /hack/ or /sec/ they're semi dead boards. But nonetheless have good threads to learn from.
No.17972
>>17797
Anon, how do you browse the web? I mean, when you are reading your personal/RL e-mail, do you do it with the same config you use to browse the chan or other things? Can you tell more?
No.17975
>>17797
The macchanger whose stable version was released in 2005? Because I've tried using that but it doesn't ACTUALLY change my MAC as far as I know; for instance my permanent MAC is still displayed when logging into coffee shop/uni internet. So doesn't that make it kind of useless? Or am I missing something…
No.18040
>>17972
>that image
I doubt Terry made it, though.
No.18170
>>17975
it works for me… are you sure you're not seeing your hostname?
No.18183
>>17785
I pretty much use crunchbang.org/forums/viewtopic.php?id=24722 with deepdotweb.com/jolly-rogers-security-guide-for-beginners/
But of course it depends on the situation you're in, and your threat model. I like to read about opsec: grugq.tumblr.com/ , grugq.github.io/ & b3rn3d.com/blog/2014/02/17/perspectives-of-opsec/
OPSEC for hackers is a pretty nice introduction for cyber security. Even if you're not a hacker.
https://www.youtube.com/watch?v=9XaYdCdwiWU (http redacted to prevent flood detection)
No.18185
I posted
>>18183
> Tools (Besides what has been mentioned in the thread already)
PGP/GPG Encryption
PORTAL (Physical Isolation for tor, also available for RPI) - github.com/grugq/portal
Whonix (Virtual Isolation) - whonix.org
There's also a few other interesting things I've found, like the Mempo Project. rawgit.com/mempo/mempo-websites/master/mempo-main/html/index.html
No.18206
>>18040
Terry didn't make it because he knows the font he uses is not Courier but rather a variant of Fixedsys (compare the shapes of uppercase A).
No.18216
>>18170
Nah it's a MAC address. The permanent one has (Intel corporate) next to it, so maybe if I want to mess with it I have to use something more complicated, or is the 'new' MAC what is seen by others in the network? Sorry for the questions guys.
No.18254
>>18183
Schway links, chummer.
No.18279
>>17972
When I log in I run a script to set up my connection. The script takes an argument that indicates what level of security I want. 0 is none at all, 1 turns the VPN on and activates a config for firefox that turns on noscript and request policy. 2 runs all my traffic through tor and does everything 1 does except the VPN. 3 is 2+VPN. I use setting 1 for most things. I use 0 for things that are inherently not private and/or it doesn't really need to be. 2 is used when VPNs are blocked. 3 is used when I need more security than usual. Oh and if you are on windows/osx, all of this is pointless if the person you are hiding from is the government. Also encrypt /home with LUKS and dm-crypt. In regards to email, mine is hosted on my own server and most emails are encrypted with PGP.
No.18284
>>18216
I think macchanger only works on cards with good support, i.e. not Intel.
No.20611
>>18183
Just watched this.
Hasn't TOR been compromised at this point?
Has anyone used his device, PORTAL? Is there anything else like that out there?
Is that what a pirate box is?
No.20613
Not OP, but I'm looking at two distros to replace Windows with: #! and Whonix. As someone with a small amount of Linux experience, what would be the better choice to go with? Security is priority, but I'm gunna play my games n drek.
No.20615
>>20613
#! is dead.
You should just install Debian Jessie and use tails/whonix inside Virtualbox.
The good thing about Debian is that it doesn't come with closed software by default.
You can enable the contrib and non-free repos if you need proprietary firmware and VBox.
No.20636
>>20611
Tor is not compromised, but its security guarantee is not as strong as previously thought. Still 99% secure.
No.20647
Is EARTHvpn safe?
No.20649
>>18279
Could you post a link to that script, anon?
No.21239
No.21417
Alright anons, I'm new to this whole realm of cyber security, and I've been setting up my laptop running linux to reduce tracking. Being the fuckin idiot I am, I decided to download the Tails iso before I set up my VPN server, while connected to my private network.
How fucked am I, realistically? I know the ISP I use tracks this sort of thing, but what can I do to avoid suspicion now? Is a hard drive wipe needed, do I need to change my IP address, or do I need to burn my house down and start from scratch?
No.21422
>>21417
you're on a 10-million-entry long government watchlist. Don't do anything else in the clearnet, and don't do anything illegal in the darknet, and you'll be fine.
No.21431
>>21422
I can live with that, thanks.
No.22513
>>21431
They could only possibly put your IP on the list, unless you somehow gave away your identity like using google to search for tails. If your name is on your internet connection then I guess that might have been added.
Your name was probably added to a handful of lists that you haven't read about. There's nothing anyone can do to avoid being put on "a list" because our whole system runs on lists. Lists of drivers, lists of non-drivers, lists of communists, homosexuals, lists of people who've talked to people who know suspicious people, lists of people who are suspicious because they haven't talked to anyone who knows a suspicious person, fucking everything. The point of their operation is to watch everyone. There are no "persons of interest" because everyone is suspect. You're no more fucked than you were before, the only way you lose is if you let your fear of some jerkoff suits control your life.
Fuck you for being a pussy.
No.23807
No.24223
Does anyone play around metasploit or other frameworks?
No.24428
Thoughts on cryptostorm? From what I've been told it's one of the most secure vpns out there, but I don't know much in the realm of security.
No.24451
>>24428
it's iceland, the website looks srsly convincing, they accept bitcoin and use it themselves and they provide access to tor, i2p and .bit
if torrenting is illegal in your country and you don't have the time to get into private trackers i'd say go for it.
No.24466
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
There is no escape
No.24474
>>24428
It's not actually in iceland, it's just that .is is one of the better TLDs. The North American nodes are run on OVH boxes, and I'd wager that so are the France nodes.
Cryptostorm is actually spread out through numerous jurisdictions and is run by the most notorious dogfucker/coke-smuggler to have lived. The last time he was arrested he agreed to give the FBI full access to any computer systems that he owned, and he "cooperated" with the feds during his coke smuggling conviction. Whether or not this would apply to the cryptostorm service is unclear.
The guy is legit nuts, so it's hard to say whether or not you'll be safe using anything he runs. However, I can confirm that from a raw technological standpoint cryptostorm is well executed compared to most VPNs.
No.24490
If anyone is interested, set up your own secure email on a server.
> NSA-proof your e-mail in 2 hours
http://sealedabstract.com/code/nsa-proof-your-e-mail-in-2-hours/
No.24492
>>24490
>NSA proof
It is more secure, but it will never, ever be "NSA proof".
No.24505
>>24466
ICARUS HAS FOUND YOU!!!!!
>ICARUS HAS FOUND YOU!!!!!
>>ICARUS HAS FOUND YOU!!!!!
>>>ICARUS HAS FOUND YOU!!!!!
>>>>ICARUS HAS FOUND YOU!!!!!
>>>>>ICARUS HAS FOUND YOU!!!!!
>>>>>>ICARUS HAS FOUND YOU!!!!!
>>>>>>>ICARUS HAS FOUND YOU!!!!!
>>>>>>>>ICARUS HAS FOUND YOU!!!!!
>>>>>>>>>ICARUS HAS FOUND YOU!!!!!
>>>>>>>>>RUN WHILE YOU CAN!!!!!!!!!!!
>>>>>>>>RUN WHILE YOU CAN!!!!!!!!!!!
>>>>>>>RUN WHILE YOU CAN!!!!!!!!!!!
>>>>>>RUN WHILE YOU CAN!!!!!!!!!!!
>>>>>RUN WHILE YOU CAN!!!!!!!!!!!
>>>>RUN WHILE YOU CAN!!!!!!!!!!!
>>>RUN WHILE YOU CAN!!!!!!!!!!!
>>RUN WHILE YOU CAN!!!!!!!!!!!
>RUN WHILE YOU CAN!!!!!!!!!!!
RUN WHILE YOU CAN!!!!!!!!!!!
No.24510
Gentoo Hardened w/ grsec kernel.
No.24608
I need a /cyber/ hostname for vps.
No.24620
>>24608
Virtual Pussy Sniffer
Your slogan can be "don't get a virus, use VPS"
No.24623
>>24608
InfiniFree Online Security
No.24630
>>24505
Fixed version:
ICARUS HAS FOUND YOU!!!!!
>ICARUS HAS FOUND YOU!!!!!
>>ICARUS HAS FOUND YOU!!!!!
>>>ICARUS HAS FOUND YOU!!!!!
>>>>ICARUS HAS FOUND YOU!!!!!
>>>>>ICARUS HAS FOUND YOU!!!!!
>>>>>>ICARUS HAS FOUND YOU!!!!!
>>>>>>>ICARUS HAS FOUND YOU!!!!!
>>>>>>>>ICARUS HAS FOUND YOU!!!!!
>>>>>>>>>ICARUS HAS FOUND YOU!!!!!
>>>>>>>>RUN WHILE YOU CAN!!!!!!!!!!!
>>>>>>>>RUN WHILE YOU CAN!!!!!!!!!!!
>>>>>>>RUN WHILE YOU CAN!!!!!!!!!!!
>>>>>>RUN WHILE YOU CAN!!!!!!!!!!!
>>>>>RUN WHILE YOU CAN!!!!!!!!!!!
>>>>RUN WHILE YOU CAN!!!!!!!!!!!
>>>RUN WHILE YOU CAN!!!!!!!!!!!
>>RUN WHILE YOU CAN!!!!!!!!!!!
>RUN WHILE YOU CAN!!!!!!!!!!!
RUN WHILE YOU CAN!!!!!!!!!!!
No.25883
Has anyone used or have any knowledge on ProtonMail? It claims to be private, but experience tells me that the majority of things that claim that are lying or at least sorely mistaken.
No.25884
>>25883
I've used it. It's the biggest load of crap. From an objective point of view, it's worse in security (which is why most people migrate there). Combine this with a 90's GUI and it just oozes unprofessional. The GUI is subjective of course but from a design perspective it's not a good move.
No.25942
>>25883
Use god damn PGP. Just fucking use it. All tools are here since 90s. You gain security by using them. Not by super-secure-private-mail. Not by some god damn app.
Does plain text leave your machine? Yes? You are not secure, no swiss server bullshit will help you.
It does not? You made the first step in the right direction.
Does your tech stack come from one party? Yes? You are not secure.
Mail agent and mail service are provided by different parties? Another step.
You are only as secure as you put effort to be. And zero effort will always be zero security.
No.26036
>>25942
I seriously do not get PGP. You what, upload your public key to a server, retrieve your recipient's public key automatically by referring said server, and send your recipient your private key, and they do the same? Last part seems off – I mean if it works like that, couldn't the keys be intercepted and the following conversation can be decrypted trivially? Obviously I got something wrong, so can somebody please clarify?
No.26037
>>26036
People encrypt messages for you with the public key you give them, they can only be decrypted with your private key.
No.26038
>>26036
A private key and public key make up the keypair. The only difference between the two is that one is known only to you. Anything encrypted with one key is only decryptable with the other key. Since only you know your private key, anything encrypted with your pubkey can only be decrypted by you. Conversely, anything encrypted with your privkey can be safely assumed to be authored by you. That's called cryptographically signing.
Never ever let anyone know your private key or its hash. Your key should be encrypted when at rest, and only unlocked when you're using it. PGP email does not have perfect forward secrecy, so it could be used to decrypt any private conversation that you have previously had.
The keyserver is for convenience. That way you can give people your pubkey's hash (usually much smaller than the key itself). They can then look up your key and know it's the right one. Great for business cards due to the low practical information density.
If you prefer not to be listed on a keyserver then just give people your pubkey instead. With the most unwieldy keys possible (base64 encoded 8192-bit RSA) it's not much more than a megabyte or so. With ECC your key is well under a kilobyte. You can transfer your keys via QR code, NFC, bluetooth, wifi, ethernet, etc.
Most of your confusion could have been answered if you did a bit of basic reading.
No.26045
>>25942
Stupid question: how and where do I use a PGP key? Do I just get a random one off the internet and like stick it at the end of a message or something? How do I even use one.
No.26271
>>26045
You make it yourself. RSA key is just two random prime numbers.
GnuPG is an OSS suite for key generation and management.
Simplest use case is one key for identity.
Make a key pair, send the public key to people you interact with. Ask them to do the same.
If you have the recipient's public key - encrypt with it. If you want to prove your message is sent by you - sign it with your private key.
To read an encrypted message, you need the private key of the recipient. To check signature validity, you need the public key of the sender.
Assuming you are protecting against passive surveillance (as opposed to active attacks) and your correspondents are not familiar with PGP too, you can ignore key-signing and web-of-trust stuff for now, but learn about it later.
No.26336
>>26036
>send your recipient your private key, and they do the same
That part doesn't happen.
The public key encrypts data in such a way that only the private key can decrypt it.
This is useful for securely sending messages to a specific person.
The private key encrypts things in such a way that only the public key can decrypt it.
This is useful for proving to a person that a message came from the owner of the public key.
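The public/private split described in the replies above, as an added example that is not part of any post: textbook RSA built from two primes, showing that only public keys are exchanged. The names alice and bob, the fixed Mersenne primes and the helper names are assumptions made for illustration; there is no padding and the keys are toy-sized, so this shows the mechanics only and real keys come from GnuPG.

```python
import hashlib

E = 65537  # widely used public exponent

def make_keypair(p, q):
    """Return (public, private) built from two primes, textbook RSA."""
    n, phi = p * q, (p - 1) * (q - 1)
    d = pow(E, -1, phi)  # private exponent: inverse of E modulo phi
    return (n, E), (n, d)

def encrypt(pub, message):
    """Anyone holding the recipient's PUBLIC key can do this."""
    n, e = pub
    m = int.from_bytes(message, "big")
    if m >= n:
        raise ValueError("message too long for this toy modulus")
    return pow(m, e, n)

def decrypt(priv, ciphertext):
    """Only the holder of the matching PRIVATE key gets the text back."""
    n, d = priv
    m = pow(ciphertext, d, n)
    return m.to_bytes((m.bit_length() + 7) // 8, "big")

def _digest(message, n):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n

def sign(priv, message):
    """Signing uses the sender's own PRIVATE key on a hash of the message."""
    n, d = priv
    return pow(_digest(message, n), d, n)

def verify(pub, message, signature):
    """Checking a signature needs only the sender's PUBLIC key."""
    n, e = pub
    return pow(signature, e, n) == _digest(message, n)

# Constructed keys: fixed Mersenne primes keep the demo deterministic.
# Real keys use large random primes and are generated by GnuPG.
ALICE_PUB, ALICE_PRIV = make_keypair(2**61 - 1, 2**89 - 1)
BOB_PUB, BOB_PRIV = make_keypair(2**107 - 1, 2**127 - 1)

def exchange(message=b"meet at noon"):
    """Alice -> Bob. Private keys are never sent to anyone."""
    ciphertext = encrypt(BOB_PUB, message)    # uses Bob's public key
    signature = sign(ALICE_PRIV, message)     # uses Alice's private key
    received = decrypt(BOB_PRIV, ciphertext)  # uses Bob's private key
    return {
        "received": received,
        "signature_ok": verify(ALICE_PUB, received, signature),
        "tamper_detected": not verify(ALICE_PUB, received + b"!", signature),
        # Decrypting with any key other than Bob's private key gives garbage.
        "wrong_key_output": decrypt(ALICE_PRIV, ciphertext),
    }

if __name__ == "__main__":
    for name, value in exchange().items():
        print(name, "=", value)
```
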
No.26343
>>26038
Thanks, now it makes complete sense. I did do basic reading; I've read a lot and already understand many anonymity and privacy tools, and how I should be running what, but for some reason this one always went over my head no matter how much I read. It's that fundamental function that never clicked.
No.26344
>>26271
Oooh boy, that image takes me back. What game was that again?
No.28367
>>24490
that guide is just way too difficult to understand. It pretends to be a step by step guide but it's the most non obvious explanation of how to set anything up.
could they have simply just made a video
"do this, okay now do this"
No.28402
>>20615
>if you need Vbox
Don't use Vbox, use QEMU.
No.28427
>>17785
>I am thinking about making the full jump from windows onto linux.
That won't do shit other than speed up your computer a bit if you choose the wrong distro. What are you planning on moving to?
No.28430
>>17785
>Anons, what devices, tools, programs and other items do you use to increase and aid your cyber security?
I use exclusively software that releases the sourcecode to me. Doing otherwise means you could very well be using a software that contains malicious features.
You'd be smart to assume all software is malware until proven otherwise.
My current softsetup is this;
Parabola GNU
Linux kernel because there isn't linux-libre firmware for my wireless adapter.
The Bash shell.
SpectrWM
Compton Compositor
Firefox
XFCE Terminal
My current hardsetup is this;
Thinkpad Laptop
External CRT monitor
3GB of RAM - Because poorfag
Intel Core2 Duo - Because poorfag
AMD Mobility Radeon HD - Because poorfag
Pic related is my desktop.
No.28432
No.28434
>>28432
No need to. My internet is stolen.
>tfw poorfag
No.28446
>>28430
>duckduckgo
enjoy your botnet
No.28477
>>28430
Nice rice. I need to try something like this, at some point… How hard is spectrwm to configure?
No.28483
>>28477
not really. The config file is pretty straightforward.
No.28485
>>28483
Uhm, alright thanks. Btw, any reason why you chose XFCE terminal over, say, UXTerm?
No.28487
>>28485
Oh, I'm not him. I use st.
Spectrwm has a really weird way of managing window tags, so only certain terminals spawn in the correct tag group.
No.28490
>>28430
All your meticulousness is ruined by CuckCuckGo
No.28491
>>25883
Protonmail is just a lavabit clone hosted in Switzerland so allegedly the NSA and GCHQ can't force them to hand over their private keys like they did with lavabit. I don't trust it.
No.28492
>>28491
The first reply to OP is shite. Suggesting that Swiss is Safe is fucking awful advice. It's a CIA haven and far from 'bulletproof' in the privacy sense.
No.28554
>>28446
DuckDuckGo is under no circumstances a botnet. You may not trust it, it may not be secure and private, but a botnet it is not.
No.28582
>>28554
I remember it being a big deal that the creator was previously involved in selling user data prior to DuckDuckGo. I don't remember the exact details there but it's fair to say that it's not 100% trustworthy. Still, better than Google I'd say.
No.28583
>>28554
Well can you absolutely be certain duckduckgo isn't one?
No.28596
>>28554
Startpage is superior, in my opinion. It seems to handle searches a bit better than duck duck go and the image search is the next best thing to Google images.
No.28623
>>28596
sometimes shit is censored on google in which case duckduckgo can give mindblowingly different results. ixquick should be fine too in those cases.
No.28710
>>28583
Are people just using the word botnet without knowing what one actually is? From Wikipedia, "A botnet is a number of Internet-connected computers communicating with other similar machines in an effort to complete repetitive tasks and objectives." DuckDuckGo is a search engine, and does not take control of your computer to do malicious things. Google Search, on its own, is not a botnet. Neither is Google Chrome. The free VPN/proxy add-on Hola, however, was a botnet. It allowed the company in command to use its users as an exit node for a paid VPN service offered by the same company, called Luminati. Please, don't use the term botnet unless it actually involves multiple computers with repetitive tasks or objectives.
No.28711
>>28582
That is correct. It usually gets posted on /tech/ every couple days.
No.28713
>>28710
'botnet' is /tech/ slang for anything that sells/controls your computer/data
No.28717
>>28713
No, actually, it's not, it's a little more specific than that.
A botnet is slang for a group of computers taken over by a single entity and used to perform task(s) at their bidding.
No.28719
>>28710
>>28717
i think you don't understand memes. try lurking moar.
No.28727
>>28710
Looking at history, collecting large amounts of data from people without their consent or understanding, to further the objectives of a government or company, is pretty repetitive.
No.28731
>>28717
Man, I'd hate to have your brain
No.29346
No.30465
No.30476
>>24510
I love that this is the only REAL suggestion on here that is good and it's not even acknowledged.
No.30477
>>28430
No one is going to point out that this is just a rice and has nothing to do with security.
No.30479
>>28487
Suckless is love suckless is life.
No.30837
No.32355
None. My computer is used for stupid stuff, nothing important.
On my laptop I use puppy linux, tho, but it doesn't aid security, either.
No.32380
Well, since SSL is bogus I made my own symmetric crypto algorithm and use it to encrypt my data between myself and my custom remote network services, such as proxies, backups, etc.
> inb4 don't roll your own
I'm a cryptographer, and it's simpler than you think. Know what comp sec calls it when everyone is using the same small set of protocols/algorithms/libs? A gigantic single point of failure. "don't roll your own" == Everyone use a codebase we've compromised, please.
The more ciphers the better. Consider that each new / different encryption method requires manpower to at least setup a cracking tool for it… if they can even figure out what traffic is encrypted with it. Practical security trumps academic "security" every time.
The interesting thing is if you do roll your own, and it's published online, you have to email the BIS and NSA to inform them about the new encryption. This can bring some unwanted attention, esp. if you make frequent anti-authoritarian political statements. It's not so bad if you have a void belt in cyberjudo. Use an attacker's strength and power against them, but only in self defense…
No.32381
>>24223
> metasploit
Yes, but only to pentest that which I have permission to do so.
No.39086