
/cyber/ - Cyberpunk & Science Fiction

A board dedicated to all things cyberpunk (and all other futuristic science fiction) NSFW welcome


File: 1433263192436.gif (1.43 MB, 600x375, 8:5, leethax.gif)

 No.24167

ITT: How to not be an idiot about securing your shit.

Lesson 1: WEP security for your wifi is shit. If you want wifi, you'll need WPA2.

If you use WEP, then your password's hash is transmitted openly–and someone who's listening can send that hash in place of your password.

That's basically all I know on the subject, though. Anybody else got any tips?

 No.24168

If you love your own ass, disable the fucking WPS.


 No.24172

Encrypt everything.

Use passphrases, not passwords. Use diceware and physical dice to determine your passphrase (at least 6 words, 8 is good, more than 10 is unnecessary). Write down each passphrase when you create it, then shred and burn it after you memorize it.

Never reuse the same passphrase.

Use randomly-generated passwords and a password manager for as many passwords as possible. Only use memorable passphrases when it would be disastrous to lose them, e.g. your hard drive encryption keys, your password manager, your email, etc.

Enable 2 factor authentication whenever possible. Make a code backup, print out the codes, and lock them up or hide them.


 No.24173

make sure all your software is up-to-date, attackers almost never use zero-day exploits because those are sold to the NSA to be used for targeted attacks.

use hardened gentoo for good protection against buffer overflow exploits.

use different user accounts for administrator and regular usage (this one even works on windows, unless you have like, a privilege escalation bug in the scrollbar code, and a bug in the patch that was supposed to fix that http://www.bit-tech.net/news/bits/2015/02/12/microsoft-kernel-bug/1)


 No.24194

>>24167

Question, does the button on the back of my router that allegedly encrypts my internet traffic do anything?


 No.24200

>>24172

I have a 1-line script that generates a different sha512 hash for every online service I use. It hashes the service name with an easy-to-remember passphrase.

Also, make a pgp key *now*


 No.24206

>>24200

Care to share, chummer?

The script, not the passphrase.


 No.24211

>>24200

>>24206

keep in mind that this kind of password is not secure as it's security through obscurity and will only defend you against standard attacks.

it wouldn't surprise me if this way of password generation is used often enough to be already included in state of the art password crackers but I'm not up to date with that kind of stuff.

use a password manager like keepassx instead. if you've got a keylogger it's game over anyway so why not use secure passwords in the first place instead of this obscure bullcrap?


 No.24233

>>24211

>security through obscurity

that's why you have the base passphrase be a good one. It's like using a password manager but it uses a cryptographically secure algorithm.

>>24206

echo "$1 <your password here>" | openssl sha512

I hardcoded the password in because it protects against people looking over your shoulder. Remember to set its permissions to --x------.


 No.24237

>>24233

okay you're right it's not that bad.


 No.24288

>>24194

Does it look like a lock? Usually that is for wps, which is an easy way to set up wireless printers and other things without typing the password to your WiFi on them.

The only way they could encrypt all your traffic would either be by sending it through a secure proxy or VPN. Neither of which I would trust, btw, because that only means it's encrypted until it gets to their endpoint, so between them and the website there's no encryption. Plus, you'd have to route all of your traffic through a server of their choosing, where it will be unencrypted for them to sniff through before being sent to the destination website. That just screams red flag to me.


 No.24291

>>24288

Eh, i said only way, there are a few more ways you could encrypt your data, but none i could really see a router company using


 No.24339

What's the most secure OS I can use?

I've got a Thinkpad X60T with Libreboot installed, and I've been deliberating over whether I should take the "free software" philosophy and install Parabola, or if i should use hardened Gentoo, which is what most people seem to recommend for that.

I think I've plugged up any hardware-related things that could compromise my system, but I don't know where to go from here in securing my computer.


 No.24340

>>24339

And I mean this as a daily use OS… I think that I'd probably just need to use TAILS on a flash drive on a computer with no hard drive if I REALLY want to be secure, right? Is that all it takes? What dimensions am I not considering?


 No.24353

>>24339

hardened gentoo is pretty cool and really easy to set up but you can use hardened kernels with other distros too. gentoo has use flags to patch certain packages to work with PaX, idk how it is with parabola. also gentoo has a use flag to deblob the kernel but i haven't tried it yet.


 No.24383

>>24339

I heard openBSD is pretty secure and it's a daily use (?) OS.


 No.24422

File: 1433563412417.jpg (61.75 KB, 640x480, 4:3, 0aJOwiD.jpg)

>>24383

I use OpenBSD just for simplicity factor. If you want an OS where you can actually understand wtf is going on it's the one for you. The man pages are all incredibly clear/detailed with example entries. Every single configuration file is kept in /etc nowhere else, and there are manpages for each of them.

I used the book Absolute OpenBSD 2 to learn it, plus I read some old school Unix docs that are recommended on the OpenBSD book page.

It has all standardized configuration so if you learn OpenSMTPD, relayd, OpenBGPD, pf, or any other system configuration it will all work the same with other programs.

What I did is go into /etc/X11/xinit/xinitrc and comment out everything under "let's start some nice programs" and replace it with "emacs".

Now when I type "startx" I get full screen emacs. When I need to run a graphical browser (besides ewww.el) then I just press ALT-X "shell" and type "chrome" to load Chromium. You can use Emacs shell to control the entire OpenBSD box.

System is so easy to use. Whenever I need to run some Android SDK shit I just abstract away an ssh into a box sitting beside me running Linux and Emacs can control that box too.

Another option is install Alpine Linux w/XEN as your base system. Now start up Xen and install OpenBSD for your firewall. PCI passthru the network card to the OpenBSD VM. It will control the network and hand out IPs to all your other Xen VMs. Spin up whatever you want, Arch, Ubuntu, Windows, anything. It will all be passed through the OpenBSD firewall and allows you to learn any OS you want easily. The XEN dom0 base system won't have any outside internet access.


 No.24423

File: 1433565196204.gif (590.42 KB, 400x210, 40:21, squeeee.gif)

>>24422

>then I just press ALT-X "shell" and type "chrome" to load Chromium

>mfw you can run a shell from emacs


 No.24424

>>24422

>Another option is install Alpine Linux w/XEN as your base system. Now start up Xen and install OpenBSD for your firewall. PCI passthru the network card to the OpenBSD VM. It will control the network and hand out IPs to all your other Xen VMs. Spin up whatever you want, Arch, Ubuntu, Windows, anything. It will all be passed through the OpenBSD firewall and allows you to learn any OS you want easily. The XEN dom0 base system won't have any outside internet access.

that's…. actually a good idea.


 No.24484

>>24423

once you start using emacs shell you no longer need to pipe anything since it's all spit into the editor buffer and you can run all kinds of scripts/commands on the output. You can also write a script that performs any shell command like fetching, configuring and building a custom kernel.

If you decide to play around with Emacs get the prelude configuration for it, makes it much easier to use. Here's a good Emacs guide http://tuhdo.github.io/emacs-tutor.html

I use Emacs for auditing code a lot lately. You can go through Org mode and set bookmarks, highlight anything you want and automatically match it up so if looking for any call to some login service presto there it is.

More instructions on how to replace your window manager with Emacs http://www.howardism.org/Technical/Emacs/new-window-manager.html

You can also read pdfs on one side of the screen and run an interpreter/shell/REPL on the other side to punch in commands as you read along


 No.24563

>>24173

>scrollbar

LOL, I really have no excuse for having paid for Windows.


 No.24572

>>24563

Changing from Windows to any other OS is a big step in increasing your security, the decrease in attack vectors alone is worth it. And besides that, you gain more control over your machine once using anything non-MS or -Apple.


 No.24587

>>24572

Microserf products if you know what you're doing, do not have adobe junk installed anywhere, AND you run said products behind a separate firewall (get an ARM box and load it with OpenBSD or pfSense) are some of the most securely written programs out there.

For example they hired mathematicians to formally verify all of their drivers so they are guaranteed not to crash the OS, in fact large amounts of the kernel has been formally verified and is still ongoing. They also directly incorporate all of OpenBSD's memory protection, as per Theo's RuBSD con paper last year on modern exploit mitigations. Even the guy who maintains GrSecurity patches admits to using Microserf himself and running Linux in a VM because he laments how shitty/commercialized it's become lately so he simply uses a commercial product now.

If you learn Powershell, and use Emacs or Curl to script away any suspicious websites and avoid blindly using IE/outlook or any other graphical browser or email client you will never have issues. The worst part about Microserf security however is how incredibly complex it all is, the insane levels of user/admin policy and security shit they put in there are all designed so you have to purchase M$ educational materials in order to figure any of it out which is why I just use OpenBSD, all documentation is self contained in the release itself.

tl;dr lots of formal verification of the kernel, privseg done (mostly) correctly, memory protections more advanced than FreeBSD or kernel.org, the most reverse engineered kernel in existence so guarantee of no suspicious backdoors.


 No.24588

>>24167

In windows and Linux (where applicable) disable the ability for remote connection. Usually this is for if tech support needs to access your PC to help you or something but with it blocked, you nearly guarantee that people trying to break into your PC will be unlikely to do it. It isn't perfect but it adds that extra layer of security.


 No.24591

Re: This Thread

Basic precautions anybody can do:

- use some kind of open source firewall to prevent hanging yourself by having malware phone home or having ports open to abuse. There are all kinds of largely open ARM products you can buy with small form factor to run any Linux/BSD OS you want on them to act as a firewall like Wandboard, Cubieboard, PcDuino, CuBox-i4Pro, Soekris boxes etc. Or just run any old dumpster dived used system for a firewall it doesn't matter.

- if you're involved in business (stock trading, cryptocurrency exchanging, selling scripts, whatever) then try QubesOS. Daniel J Bernstein, a world-renowned cryptographer and expert in cross-vm leaks and timing attacks, uses Qubes himself on a laptop if you read their mailing list. He wrote a small little python program to manage VMs on Qubes without needing the bloated "VM manager" GUI shit they have. https://groups.google.com/forum/#!topic/qubes-users/7-gm_q3nkQ8

Qubes is designed for business use, don't be running your secret darknet with it or anything. The idea is you spawn up a different VM for everything, so one for your online banking, one for semi-trusted sites and IRC, one for not trusted sites, one VM that holds all your PGP keys separate from the other VMs etc.

- avoid Nvidia cards. Use ATI/Radeon or even internal Intel video cards as their "open" drivers are much more robust than the ultra shitty shim that is the Nvidia garbage so-called free drivers. You will hate them so much you'll end up using proprietary drivers and thus not secure. It's possible to privseg X completely on OpenBSD with Radeon/Intel cards.

- use tarsnap for backups, like if you need to backup VM snapshots. It's intelligent backup that only syncs what you changed, and designed/operated by one of the best crypto engineers around, Colin Percival of FreeBSD.

- do not rely on full disk encryption. It's an all or nothing security. In addition to FDE, individually encrypt very important things with GnuPG so you have security in depth and nothing fails open.

Most important of all is never blindly follow online step by step guides without knowing exactly what the commands do. Where I work often people would use curl plaintext over standard http to grab some rubygems or other software and pipe them right into the main work server, or install them directly without even thinking about what they were doing because they saw some guide online somewhere.


 No.24593

>>24587

>if you know what you're doing

the same could be said of any OS, except it's almost certainly better. Microsoft is definitely on the low end of the security pole.

>>24591

I wouldn't recommend Qubes. It's a nice idea, but really it's not much better than running a well-secured linux with Wayland.


 No.24597

>>24593

It's not easy to break into a patched Microcock system anymore, if it was Paypal, stock exchanges and every other major financial corp running Windows Server would be pwned daily.

Ask anybody in the box popping industry on twitter that works for those shady state contractors like VUPEN and they will agree, Microsoft is hard to pop which is why the rewards are so big. Can also follow the pwn2own contestants and they also agree the XP reputation of Microsoft isn't deserved anymore with their new kernels.

I wouldn't touch MS products because they are proprietary but to get the equivalent memory protections that come by default with Microsoft you have to patch kernel.org stable releases with PaX and tweak a bunch of knobs with paxctl (like disabling almost all protections just to get Chromium to work). These memory protections come by default with MS now.

MS upped their game significantly last couple of years on the hardened stack front. Most of the problems we still hear about are the millions of pirate unpatched systems out there filled with adobe and proprietary java plugins.


 No.24600

>>24597

>like disabling almost all pax protections just to get Chromium to work

so why are you even using a spyware browser like that then?

firefox works fine with all protections enabled.

>>24593

>qubesOS is not much better than running a well-secured linux with Wayland.

interesting. how does wayland improve security? afaik one of qubes' big advantages is that programs running on the same X session can't keylog each other's input, is that because of wayland?

>>24597

>MS upped their game significantly last couple of years

true that, windows zero-days are worth a shitload of brouzouf (thanks, NSA) but nobody runs a "clean" windows version at home, and as soon as you install non-ms software you run into the problem of having to manually update it whenever it's vulnerable by downloading most likely unsigned binaries, possibly over an unencrypted connection.

but at least most websites display an md5 hash for security conscious windows users.


 No.32206

don't die now i need you. i have questions.


 No.32209

>>32206

nice life-saving bump.

Bumping with knowledge

https://crypto.stanford.edu/~dabo/cryptobook/draft_0_2.pdf


 No.32212

What options does one have if they don't have access to the network hardware? Student living, for instance. All I get is a single ethernet port and a bridge I brought from home. Also, there are several wireless access throughout each floor of the buildings.

Where do I start?


 No.32230

>>24600

Wayland doesn't grant access to the input group to all programs run by the user by default. In order to, for example, let your WM capture all key pressings, you must explicitly allow it to do so, and then the WM will (hopefully) pass those keys just to the window you have in first plane.

This solves the problem of userland keyloggers since it would only be allowed to capture your keys if you select its window and type in it, which pretty much negates all damage it could do.

Furthermore, Wayland runs without root by default, so exploiting it wouldn't automatically compromise the whole system.

I heard all these things can be done with X.org, but the process isn't exactly pleasant. However, I think Qubes OS achieves a similar effect by simply running all programs in different VMs. Exploiting a program would only compromise the target VM, so it shouldn't be very dangerous.


 No.32309

File: 1441303332431.jpg (21.23 KB, 616x621, 616:621, el_menor.jpg)

Put your password "1234" people will underrate the fact that pass is overused and they will try another stuff like "ilikeanimexd" or "analbukakemom" or maybe "0000" and they never will hax your ass.

It's simple mate.


 No.32312

>>32309

Personally i just generate a random password and put words inbetween the letters.

Example:

PPenisSSex6nNipplesZzenzizenzizenzic93jJiggly


 No.32314

>>32312

Maybe even add symbols in the words. PP!enisSSe\x6nNip▲plesZzenz£izenzizenzic93jJiggl¤y


 No.32323

>>24422

I don't recommend OpenBSD. Finding exploits is as simple as grepping for fix mes in their source code. Their security is like the 90s.

Alpine with Xen is not a bad idea, but some parts may be vulnerable, e.g. if you pass X11 or audio to your dom0.

Hardened gentoo is a good way too if you can configure it correctly.


 No.32339

>>32314

>>32312

That's actually kind of cool. My personal habit is to make up a sentence that I can remember involving a significant date in my life, and then I turn it to the first letter of each word and the numbers in it, as well as punctuation. For example;

My Little Brother Was Born On The Month April, The Day 19, The Year 1988.

- becomes -

MLBWBOTMA,TD19,TY1988.

According to https://howsecureismypassword.net/ that would be a sextillion years to crack. Obviously it's probably much shorter due to Moore's law, but you get the shit.


 No.32385

>>24233

I would personally require you to input a password along the domain name, since anyone that could get a brief access to your computer could copy the hardcoded password.

If you require a "volatile" password, anybody peeking over you would only learn half the secret, just like if they got a hold of your computer.


 No.32450

keep posting guys, I need more screencaps for our cringe thread over at /tech/


 No.32539

>when making passwords, don't use plain words, mix them up by switching letters out with other letters or numbers

>make a habit of always locking/turning off your computer when leaving it


 No.32560

>>32450

oh hai

>>32339

>SHA512 with extra symbols

>Possible Combinations: Infinity

>>32323

Arch also has hardened goodness if you want it. Ubuntu isn't terrible if you know what to disable.

>>32209

schway.

>>32230

noob here, How would one go about launching things via Wayland by default and not X?

>>24172

I always use complex keyboard patterns so I can legally say that I don't know my passwords.

>>24167

Change your router's LAN.

Disable/change any PIN access.

Don't hide your SSID, or your laptops/phones will leave a trail of pings.


 No.32751

>>24172

>more than 10 is unnecessary

shill?


 No.32752

>>24211

>pls use my password manage so it can hold all yur poosward

I don't trust you


 No.37223

File: 1447932962145.gif (1.84 MB, 500x683, 500:683, 1440353947568.gif)

>>24167

>One: Don't run wireless networks in your own home. Wires are faster anyway.

>Two: If you have any sensitive data, store it in a location that isn't accessible from a network.

>Three: virtualBox or VMware. So long as you aren't gaming (hardware acceleration for virtual machines exists but requires special hardware and can be finicky), you can run your entire userspace inside of a sandbox. For a backend use [unix/something with a powerful command line and hardware signal handling… think SIGKILL] with all of the ports firewalled off except those forwarded directly to the VM. This allows you to boot your machine into a very powerful and clean environment whose state you can closely monitor and then open up your operating system of choice to do work/communicate with the outside world. If said operating system becomes corrupt/compromised you can simply kill it and restart from the original clean version using commands from your outer operating environment. Also, its nice to have all major operating systems at your fingertips… since you can have many many virtual machine images stored.

If you do want to game, this method also works but be prepared to shell out brouzouf for a motherboard containing the proper bus to pass signals from a VM to your graphics card and back.


 No.37224

File: 1447933339870.png (459.18 KB, 800x792, 100:99, 1442530890623.png)

>>32752

>most linux flavors come with a built-in password manager. You should actually read up on how these work because if you can follow a few simple specifications, they really do make your passwords more secure.

>Basically a file with a giant passkey that can be stored securely somewhere that contains highly secure generated passwords. Keep the giant passkey safe and the rest are effectively safe as well.


 No.37236

On the topic of passwords, I've been told that multi-word passwords (for instance, "correcthorsebatterystaple") are much, much more secure than single words with symbols ("c@rr3ct"), at least against dictionary cracking. Is this true?


 No.37237

>>32212

I'm a dumb shaz who doesn't know the first thing about actually setting up firewalls, but if you can put up a firewall on your bridge, then you'll have some measure of control.

Figure out how to keep your ports closed. Learn which apps use what ports, some games will use unusual ports for their multiplayer shit. For the love of god, keep a close eye on port 22.


 No.37264

File: 1447999363720.png (272.87 KB, 900x900, 1:1, 1442276644209.png)


 No.37289

File: 1448090757239.png (7.37 KB, 475x172, 475:172, Untitled.png)

After the Paris attacks I'm seeing a lot more of my TOR connections routed through France.

Did they spin up a bunch of nodes to capture TOR traffic? I read about some attacks where if you control a big enough portion of the network, you can identify users.


 No.37294

>>32323

>their security is like 90s.

No. OpenBSD cares and is really the only system i can think of that really deploys mitigation techniques throughout. Another shill who tries to say that OpenBSD is unsafe and then recommends some other OS that doesn't place security anywhere near no. 1 priority.

Also, OpenBSD is the right kind of Just Works. Sane defaults throughout, ships with 2 great window managers by default and the installer is a matter of hitting enter a few times.


 No.37304

>>37289

I noticed that too, my guess is that they are trying to set large scale correlation attacks in the name of "la liberte".


 No.37312

>>37289

>>37304

Maybe the solution is to get the chinese, french, russians and NATO to all attempt large scale Sybil attacks, but because each one can only control 1/5th of the network they're not able to correlate anything important. I only listed three organizations, because the remaining 1/5th are genuine Tor nodes.

Of course this falls apart if at any point those four decide to cooperate.


 No.37315

>>37289

>>37304

>>37312

[11:03:34] <Chocolate_Chip> Is anyone here? I have concerns over what this person said: https://8ch.net/cyber/res/24167.html#37289

[11:03:40] <Chocolate_Chip> I have had the same experience

[11:05:37] <cacahuatl> Probably the result of anecdata :)

[11:06:13] <Chocolate_Chip> anecdata?

[11:06:19] <Chocolate_Chip> What does that mean?

[11:07:59] <cacahuatl> Anecdotal evidence, possibly bolstered by confirmation bias and paranoia.

[11:09:17] <Chocolate_Chip> It's just that I have had the same experience

[11:09:29] <Chocolate_Chip> Two or three nodes ALL in France

[11:09:50] <cacahuatl> See: Anecdotal evidence

[11:11:09] <cacahuatl> A) GeoIP isn't accurate B) Running all their relays in the same country would be silly if they wanted to perform such an attack C) It doesn't look like there'd been a large jump in relays and even if there had been it's unlikely they'd *already* be in a position to perform such attacks.

(Source: #tor in the OFTC IRC Network)


 No.37332

>>24233

> hardcoded

It's a script. Run it while looking at htop and tell me if that's really a good practice.


 No.38533

File: 1451147045619.jpg (92.26 KB, 640x640, 1:1, In-1964-Jasper-Johns-wrote….jpg)

Is IPredator any good?


 No.38537

If security is #1 above all else then it's OpenBSD. It is the maximum tinfoil OS.

http://www.openbsd.org/security.html

It's small and easy to understand. My system normally only has less than 25 processes running. You can look through and understand exactly what is going on at all times.

The whole OS install ISO including X is only 230megs.

It doesn't use binary blobs. If your hardware vendor won't publish specs then oh well. Not sacrificing security for support. OpenBSD won't even support Bluetooth.

The documentation and man pages are unmatched in quality. You can do anything just by reading the built in docs.

The source code is written in a standard easy to understand style called KNF. KNF dates back to Ken Thompson and Dennis Ritchie. OBSD is big on doing things the traditional old school UNIX way. The "correct" way.

If you're looking for a big flashy OS that supports all the latest HW then OpenBSD isn't for you.


 No.40677

File: 1458458750798.jpg (74.53 KB, 800x1013, 800:1013, Gottfried-Wilhelm-Leibniz.jpg)

>>37264

holy fuck


 No.40678

>>37332

this.

also hashing your password does not make it stronger, it's just another form of security through obscurity.


 No.40691

>>24233

>>37332

Not to mention it will end up in your shell history file if you have that enabled.
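
Added example, not part of any post in this thread and not the poster's script: a Python variant of the per-service derivation from >>24233 that takes up the objections raised in >>32385, >>37332, >>40678 and >>40691 (hardcoded secret, process listing, single fast hash, shell history). The PBKDF2 parameters, the `site-pw-v1` tag and all function names are assumptions chosen for illustration.

```python
import base64
import getpass
import hashlib
import sys

# Assumed parameters (not from the thread): PBKDF2-HMAC-SHA512 with a high
# iteration count, so every guess at the master passphrase costs an attacker
# ITERATIONS hash computations instead of one.
ITERATIONS = 600_000
DOMAIN_TAG = "site-pw-v1"  # hypothetical label; changing it rotates every password


def naive_site_password(service: str, passphrase: str) -> str:
    """Same digest as the thread's `echo "$1 <passphrase>" | openssl sha512`."""
    return hashlib.sha512(f"{service} {passphrase}\n".encode()).hexdigest()


def derive_site_password(service: str, passphrase: str, length: int = 24,
                         iterations: int = ITERATIONS) -> str:
    """Stretch the passphrase, using the normalized service name as the salt."""
    if not passphrase:
        raise ValueError("empty master passphrase")
    name = service.strip().lower()
    if not name:
        raise ValueError("empty service name")
    if not 8 <= length <= 64:
        raise ValueError("length must be between 8 and 64")
    salt = f"{DOMAIN_TAG}:{name}".encode()
    # 48 raw bytes encode to exactly 64 URL-safe base64 characters (no padding).
    raw = hashlib.pbkdf2_hmac("sha512", passphrase.encode(), salt,
                              iterations, dklen=48)
    # The result is still only as strong as the passphrase itself: the KDF
    # makes each guess slower, it does not add entropy.
    return base64.urlsafe_b64encode(raw).decode()[:length]


def main(argv: list) -> int:
    if len(argv) != 2:
        print(f"usage: {argv[0]} SERVICE", file=sys.stderr)
        return 2
    # getpass reads from the terminal without echo, so the secret is never in
    # the script file, never in argv (process listings) and never in the
    # shell history. Only the non-secret service name is passed as an argument.
    passphrase = getpass.getpass("master passphrase: ")
    print(derive_site_password(argv[1], passphrase))
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```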


 No.40711

Swift on Security has this site: http://decentsecurity.com/



