
/tech/ - Technology

File: 8a6a8774e26f91c⋯.png (616.84 KB, 763x525, 109:75, linuxsecurity.png)









Is the mere inclusion of these in a popular british tech magazine a sign that these are mostly useless against anyone except non-state actors? This is from a few years ago so who knows what other strides have been made in algo-cracking.

Are the current privacy best practices completely fucked?


Very much doubt GPG is compromised.


OMEMO is a better OTR

Veracrypt replaced TrueCrypt

Cryptocat has been discontinued and was always a little suspect

Other than that it's a very good baseline set of things you should be using daily.



I would think so too.


We know literally nothing about the people behind Tails and Tor is a project that was released and is funded by the us govt. If anything these tools are just designed so only certain entities are capable of accessing it and has nothing to do with privacy.

And how do we know when something they suggest such as TrueCrypt suddenly becomes useless too? It all seems extremely suspect.




SSL was patched after Heartbleed became known - exploit was likely known by NSA and others, but is now mostly useless since the patch.

Tor is still not broken (despite what you keep hearing).

OTR - no idea, never used it.

TrueCrypt is an old fave that nobody seems to still use... pity. As far as I know it's still reasonably secure, and Wikipedia details many of those limitations.

GPG is not PGP, which was insecure very early on.

I dunno about the other two.



>We know literally nothing about the people behind Tails

Tails is a Debian-based Linux distribution with a public bug tracker and reproducible builds. How much would you need to know about the people behind it to be in a better position to judge its trustworthiness?

>Tor is a project that was released and is funded by the us govt.

It's advisable to use Tor as part of a layered anonymity strategy. Not because it probably has backdoors, but because it's definitely not perfect.

>And how do we know when something they suggest such as TrueCrypt suddenly becomes useless too?

How do you even function as a person?



>Tails is a Debian-based Linux distribution with a public bug tracker and reproducible builds. How much would you need to know about the people behind it to be in a better position to judge its trustworthiness?

And if a person doesn't like Tails for whatever reason, they can use heads instead.




>How do you even function as a person?

He does not. That's why he posts here.


Cryptocat was dangerous amateur hour since its inception and is thankfully ~dead now. GPG is plagued by a complete idiot of a developer (Werner Koch, always make sure to write down names) to the point I wouldn't be surprised if he gets paid to sabotage it, but as far as I can tell it's still the best option available for slow communications. For IM it sucks dick but in my opinion IM generates far too much metadata for the really big guns anyway. TrueCrypt is still doing pretty well. Can't say much about the rest that hasn't been said already.


>SSL was patched after Heartbleed became known

SSL has some critical fuckup every other month, and then there are the ten million CAs from god knows where that your system trusts by default. It's a complete joke against states.



Yep, CAs are complete fuckery.



I switched to LUKS after its developers vanished without trace. Miss the hidden volume feature sometimes though. Veracrypt seems nice but I already got used to LUKS when I first heard about it.


was compromised. Cryptocat devs are incompetent morons who shouldn't be let anywhere near computers.


The rest is secure as far as I'm concerned, especially GPG. Until proven otherwise of course.


HTTPS is not the same thing as TLS. HTTPS relies on TLS to provide privacy and data integrity and certificate authorities to verify otherwise unauthenticated public key exchange.



I'm not sure where you got HTTPS from. Admittedly it was unclear whether I meant the protocol or OpenSSL, but both are garbage -- the protocol is an overcomplicated turd and OpenSSL is so well-trodden territory by now that I'm not going to go into detail.



TLS itself doesn't rely on CAs as far as I'm concerned so I simply assumed you were talking about HTTPS.



I actually can't think of anything that uses TLS without CAs on the spot. Tor, maybe? I vaguely recall something in that direction but that might be wrong. Distros usually use GPG.


File: 68623ddd3d18468⋯.jpg (1.22 MB, 1152x864, 4:3, matrixback2.jpg)


SSL can still be stripped and connection can be downgraded. Session hijacking (sidejacking) tools like Faceniff were prevalent. There was a tool called SSLstrip you could use in conjunction with arp spoofing or DNS spoofing. Back in the day there was a really fun tool called subterfuge for this. The vuln related to sslstrip was fixed. sslsplit became the new tool. I'm not sure what tools people are using these days. I'm sure SSL can be defeated to this day.

TOR was originally funded by the DoD and was developed for Naval personnel to send secure communications from countries that they were never supposed to be in. There are ways to de-anonymize TOR users. There was a metasploit module for this. There have been numerous methods of attacking TOR in the past. It is likely there are numerous methods of de-anonymizing TOR users. Also numerous TOR nodes are owned by law enforcement.

True Crypt had some issues with a weakness in encryption. There are numerous other tools for creating encrypted containers. Also even with weak encryption you can put one encrypted container inside another or encrypt a file over and over again each round with a separate password or key.

OTR. Anons like it. Never used it personally.

GPG is still trusted.

CryptoCat. Questionable. Dude who invented it was murdered.

Tails. I could never get it to work.

If you want a really secure network find a VPS service that doesn't LOG and accepts cryptocurrency as payment.

You can chain SSH connections and forward other traffic through SSH. You can also use a proxy between each connection. Probably have issues with timeout. That or just set up a VPN on a VPS server offshore.

Using heavy encryption is likely to get you monitored. Since agencies can basically hack you with indemnity these days if they can't break your encryption and intercept your transmissions they will probably try to hack your endpoint and exfiltrate data directly from your system.



>zero source larp



good post, you know your shit


Tails is insecure, because it uses systemd. I'm not a cracker, but I guess they use only minimalistic software, that can be trusted - less code, less bugs.



2015 TrueCrypt

2019 VeraCrypt




Completely unnecessary attacks considering you misunderstood my point about mentioning TrueCrypt as an example.

I never trusted SSL either, that is straight up placebo. Tails I always assumed is some deep agency distro even if the NSA supposedly had slides saying it was against their interests and Snowden told the journalists to use it, but even he has moved to Qubes



It doesn't end there. Need strong ciphers and high TLS. Site doesn't work? Well don't use it.

Probably MitM'd site. If you use weak SSL they can crack those data they got from submarine cables they spliced someday or some folding@home type of bruteforce.

It takes one joint effort for the beans to spill.


Recommended by glower "former CIA". Never use this if your life can be in danger.

Standards have standard backdoors.


Standardized digi-comms are bad opsec. Analog ham or btfo.


Better than bitlocker but untrusted. Still better than nothing but windows will just pass the keys over the cloud. Standards have standard backdoors.


Good but it's only a matter of clever and severe bugs to be found.




Recommended by glower "former CIA". Never use this if your life can be in danger.

Standards have standard backdoors.



Snowden didn't "move to Qubes." Tails and Qubes are tailored to wholly different use cases and threat models.



Okay so what alternatives do you suggest anon?



>If you want a really secure network find a VPS service that doesn't LOG and accepts cryptocurrency as payment.

First what is at your end? Your paid ISP will have logs so whatever is your first step is it will be backtracked.

So you downloaded this cryptocurrency client app from that mirrorlist. Then used some VPN over your home network? Come on..

Secure is not synonymous with anonymity.

If you want true security cut off from the internet or any wirelessness/network and use good encryption and not be stupid enough to run or plug stuff there. DMA attacks exist so you better destroy those SD and PC card slots. Maybe even the LAN port has DMA who knows?

If you want anonymity just buy a burner modem + subscriber IM from separate places far apart while also taking measures on your online habits (like youtube playlist) and hardware fingerprint or even your waking/surfing hours which they can calculate from your working/offline/sleep hours to get your TZ so be sure to be as /b/ as possible.

Why does the goods have to be purchased far away or apart? Barcodes are data. The metadata is how close those two items are and it must mean that you live there. Don't underestimate the invest in the investigation.

Your last problem would be triangulation. Whitelist only one CellID and boost your signal outside the digital/analog modulation range, in short it is your location data through signal strength from 1, 2 or 3 CellID if you haven't blocked those yet.

Example is if you get good signal on 2 Cells it means you're at the center. On three Cells you can be triangulated immediately!

They can even shut down the CellID or power grid per suspected location and see if you lose activity for a day.

This is why the FCC only wants you to have FCC approved shit so you can easily be triangulated like a small insect trapped in mesh wire about to be scorched.



Unless someone has to die again or be accused with rape charges etc.

>Debian developer insists on systemd adoption somewhere around Debian Jessie

>devuan rises

>normal tweets

>call it quits with debian

>suddenly for no reason becomes suicidal

>dev: dead and possibly know something enough to be put down

>debian: successfully adopts systemd (2015)

>old mailing lists about systemd discussions deleted including one I read ago where two debian versions one "without systemd" could be made

>could have been adopted by most distros if that happened but we have a dead man and deleted mailing lists too. sounds fishy? no you're just imagining things

>can't find that one mailing list about someone finding out debian = deborah+ian and uttered feminism words like white cis and renaming the entire project before death

Redhat mafia strikes again.


>tor dev Appelbaum get accused rape charges

>kicked out of the project

>sexual misconduct charge from several people out of nowhere and 'muh rape' card same shit that happened with Assange

>Soros acquires firefox to strike against fake news

>ESR dropped and immediately adopts the 'new-improved anti fakenews' after Soros funding while tons of privacy leaks happened.


File: 43260dd2af3f7f6⋯.jpg (13.87 KB, 387x375, 129:125, 43260dd2af3f7f62ae090e4887….jpg)


I doubt Tor has any easy backdoors, unless there's some glaring architecture flaw that nobody's figured out yet, but usually there's at least speculation about those before an actual proof-of-concept can be executed.

Why no backdoors? Simple. The government understands that a backdoor is something any actor can use. They can't backdoor it and use it without compromising themselves. That's why most pushes for backdoors come from smaller organizations (generally police who want to access people's texts) or target technology that is common among consumers but completely disused in security circles.

Not to imply every government organization knows about security and has actually solid implementations. But given that the Navy uses Tor and FBI, CIA, NSA, etc all routinely try to find major flaws and publish them it's not hard to believe the implementation is pretty secure.

Nothing is truly "bulletproof" but you need to make it as difficult as possible. The more layers you add, the better. The more layers the average person adds, the better.

Tor is nothing if you have zero OPSEC, anyways. Silk Road got taken down because the owner posted an e-mail on a username tied to his real identity, not because Tor has a backdoor.



>Why no backdoors? Simple. The government understands that a backdoor is something any actor can use. They can't backdoor it and use it without compromising themselves.

Now that's kinda where the NSA differs from the rest of the government in that they don't seem to care as long as nobody notices... which is a short-term plan in practice. The NSA being the thoroughly unprincipled actor that it is, it is simply not interested in keeping the wheels turning until they have no choice in the matter. Conversely, the DoD (which built Tor) sees far more value in an "unbreakable" system than a "broken" one.

An interesting point to make here is that the NSA (which is built primarily for industrial espionage and mass surveillance) are basically tax-payer supported mercenaries that break and enter into computer networks and sell information to whoever pays them, usually either in money or political cover. It's already well-known that they have whole stations operating in the Middle East (Reuters scratched the surface of that not long ago when they did a piece on one in the U.A.E.), and they pretty much give Israel a discount price for unfiltered access, but a bit more bothersome is that the NSA sat on their ass during 9/11 and the 2016 Presidential Elections... and then they arrested Reality Winner when she leaked the proof of the ballot tampering methods used by the Russians, which in turn prompted the Dutch to go public with their own role which exposed the NSA's attempts to play dumb.

Anyway, with the multiple failures on their record, they decided to do some face-saving and assist U.S. Cyber Command in preventing a repeat of the last election's problems but only because... they have no choice.


>>1036180 How retarded you are! There are no alternatives.



>Tails and Qubes are tailored to wholly different use cases and threat models.

I admit I don't know much about how they differ in the use cases besides the bootable v virtualization models they use. There is just a fog over Tails development history that reminds me of TrueCrypt.


>Silk Road got taken down because the owner posted an e-mail on a username tied to his real identity

I wonder if that's really what happened. Although it's believable that someone who runs a drug outlet gets sloppy sometimes.


Tails uses systemd, sadly.

Systemd is nu so many many exploits.


File: b36d06d21317386⋯.jpg (42.27 KB, 491x491, 1:1, behindthispost.jpg)






Reminder that the people spreading FUD about Tor are SHILLS

Link below is to a halfchan archive. The thread was pushing the whole "Tor is compromised" meme and using the "restoreprivacy" site, but look into the chain of posts starting with this one. You will find that the people spreading this anti-tor stuff are funded by shady VPN companies to push people towards their products, and the FUD-spreaders are banking off of this. They also push (((Moz://a))) Firefox and Brave, which have had numerous privacy issues in recent years. Furthermore they support the use of and use (((analytics)))

Do not trust these people




Tails still uses systemd. Doesn't need to.

Systemd has exploits on the daily.



ettercap was fun too.



Personally I prefer VPNs over Tor. They proxy all traffic instead of just supported apps, and they are MUCH LESS BLOCKED. That's the big thing Tortards are missing.



No UDP over tor, so can't circumvent game bans automagically, got to fwd a tunnel over tor. :(


Can someone explain what exactly Tails is? I was under the impression it was a distro, but is that not the case? Is it like Whonix? Is Whonix a distro?


What if someone else is using some other PGP implementation? What if it's a different version of GPG?



Tails is a distro, specifically a distro you'd use on a USB stick.

Whonix is also a distro. Whonix is meant to be run using two VMs with some weird routing in between them.

IDK about GPG with other PGP implementations (pretty sure it would still work, as GPG is just an implementation), but different GPG versions won't matter. It's not like they're constantly tweaking the algorithms. It's still all the standardized AES, RSA, etc.



Thanks for clearing that up for me.



You realize that literally any PKI system has to set trust anchors somewhere, right? That's an indictment of shitty defaults, not the entire concept of TLS. Set up your own CA, issue certs to you and your buddies, and you're mostly safe.


Leaked NSA internal docs show that they consider deanonymizing tor to be a pain in the ass, which is infinitely more valuable of a perspective than some possible shill on an imageboard.



>Better than bitlocker but untrusted.

Untrusted how you dumb nigger? It's been formally audited.

>Recommended by glower "former CIA". Never use this if your life can be in danger.

It's literally Torbrowser + a minimal Linux that sends all your traffic through the circuit.
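
An added example (not part of the thread and not any poster's code) for two points made above, "Need strong ciphers and high TLS" and "Set up your own CA, issue certs to you and your buddies": a Python client context that starts from an empty trust store instead of the system CA bundle, sets a TLS 1.2 floor, and audits the enabled cipher suites. The function names, the `ca_pem` parameter and the sample cipher list are assumptions made for the illustration.

```python
import ssl

# Substrings that mark cipher suites a hardened client should not offer.
WEAK_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "anon")

# Constructed sample of OpenSSL-style suite names, as a legacy server or
# client might advertise them. Not captured from a real host.
LEGACY_SAMPLE = [
    "ECDHE-RSA-AES256-GCM-SHA384",
    "RC4-MD5",
    "DES-CBC3-SHA",
    "EXP-RC4-MD5",
    "TLS_AES_128_GCM_SHA256",
    "AECDH-NULL-SHA",
]


def build_private_ca_context(ca_pem=None):
    """Client context that trusts only the CA passed in, not the system bundle.

    ca_pem is a hypothetical PEM string holding your own CA certificate.
    """
    # SSLContext() starts with an empty trust store. create_default_context()
    # is the call that loads the system's CA bundle, so it is not used here.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # PROTOCOL_TLS_CLIENT already enables CERT_REQUIRED and hostname checks.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0/1.1
    # Forward-secret AEAD suites only for TLS 1.2. TLS 1.3 suites are all
    # AEAD and are not affected by set_ciphers().
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!MD5")
    if ca_pem is not None:
        ctx.load_verify_locations(cadata=ca_pem)  # the single trust anchor
    return ctx


def trust_anchor_count(ctx):
    """Number of CA certificates currently loaded into the context."""
    return ctx.cert_store_stats()["x509_ca"]


def enabled_cipher_names(ctx):
    """Names of the suites this context would offer in a ClientHello."""
    return [c["name"] for c in ctx.get_ciphers()]


def weak_ciphers(names):
    """Return the suite names that contain a known-weak marker."""
    return [n for n in names if any(m in n for m in WEAK_MARKERS)]


if __name__ == "__main__":
    ctx = build_private_ca_context()
    print("trust anchors loaded:", trust_anchor_count(ctx))
    print("minimum TLS version:", ctx.minimum_version.name)
    print("weak suites enabled:", weak_ciphers(enabled_cipher_names(ctx)))
    print("weak suites in legacy sample:", weak_ciphers(LEGACY_SAMPLE))
```

With no `ca_pem` supplied the context trusts nothing, so every handshake fails verification until your own CA certificate is loaded.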


File: b7cfc7abe1d76e7⋯.jpg (14.81 KB, 250x323, 250:323, Kultna_posuda_u_obliku_pti….jpg)


Packet timing can easily give you the source, right?

Theoretically speaking, IF YOU WERE IMPORTANT ENOUGH OF A TARGET, some triple letter agency could ask all ISPs about current traffic coming into Tor network and going out of it. If packets consistently have same time intervals between coming into Tor network and coming out of it(read similar, for easier explanation) then you got your "match". Of course, this is just a theory but all agencies around the world talk with each other except in some geopolitical cases.

ie lemme give you a situation

>super duper haxor haxes NSA and starts stealing data


<what is his Tor exit node?

<what are all IPs currently sending their packets into the Tor net?

<what are timestamps of all packets coming into Tor network compared to packets coming from that one hacker from that exit node?

<oh, we have one guy that always has around 40 ms lag between his packets entering Tor and exiting



VPNs ALWAYS cooperate with the police, even if they lie to their customers about not holding your info.



That's not how it works you retard.



Unless you get a VPN from Russia or some strange, unknown place on Earth. What is interpol gonna hack you over your Mongolian tackboard browsing habits? Doubt it. Maybe in some distant apocalyptic scenario in which they're mercilessly hunting down 2D waifus.


File: e994057e5ede98b⋯.jpg (11.96 KB, 180x204, 15:17, 1551657019427-g.jpg)


My fucking face when...




><what is his Tor exit node?

Nigger, that's not how it works.



Avoiding systemDicks is a very good reason indeed tbh.


File: db8ab0f9acc1431⋯.png (514.34 KB, 1911x970, 1911:970, db8ab0f9acc1431e438ab57f25….png)

File: a9be9a993d652c2⋯.png (153.6 KB, 696x639, 232:213, 939be9c17e6f520803f9cfa466….png)

File: 5da6a9dae0d17de⋯.jpg (834.18 KB, 1000x1600, 5:8, 6ee92306e7b5910cfe90127884….jpg)



>Not Heads

Pure garbage. The Heads fork is far more secure.


Tor is literally run by a rabbi. pics related. Anyways, i2p has always been better. Tor has always used confusing settings and nonfunctional default settings to deanonymize the vast majority of users. Then there is the fact that the public facing code has vulnerabilities that the internally used code does not. Then there's the fact that even people into security never compile their own code, so everyone is downloading compromised versions of the software anyways. Even then, the compilers are compromised, so you have to use multiple compilers and compare the hashes. Finally, if you're using unmodified AMD or Intel chips, then the head spooks can take complete control of your PC anyways and the anonymity attempt is futile. That's why Power chips from IBM are getting popular, but they are much more expensive than comparable Intel/AMD ones.



I think you miss the point of Tails. Tails is something that whistleblowers like Snowden use when they're on the run and shit. In that circumstance, I don't think you'd have the luxury of finding the exact configuration of special snowflake hardware that works with Heads (Heads uses Linux-Libre). Obviously I've never been in that situation, but I imagine you'd have to take what you can get. You need that reliable driver compatibility that comes with a more blobby kernel.

That being said, on your home systems where you can have guarantees about the hardware that's used, I can absolutely see your point about Heads being better.



>Then there is the fact that the public facing code has vulnerabilities that the internally used code does not.

Can you elaborate?



>Hey, codemonkey. This is the DoD. If you want funding next year, put this 'bug' that will deanonymize 1% of users. 'Find' it in 6 months and fix it.

>It's really not that bad, is it?

>Do this to every developer unbeknownst to each other every few months.

>muh terrorists

>Of course, the DoD will need the proper code so the Chinese/Russians/Iranians/Norks can't hack us.

You really don't think an organization with hundreds of billions of dollars in budget won't develop a more secure fork than what is on GitHub? None of the head spooks use the unpatched software available to the public. They even have custom hardware from companies like Intel for them that don't have the security holes for the public.



And this applies only to Tor rather than i2p, because?


File: ed83ceba7bb1600⋯.png (490.09 KB, 449x401, 449:401, Girls.png)


>he didn't hear about flow correlation attacks



>Nigger, that's not how it works.

You see his IP right?

List of tor exit nodes is public, right?

You can jam his IP into browser and POP "this is tor exit node"

fuck off



Kill and eat these white girls!



It applies to all open source code, but Tor is openly funded to the tune of millions of dollars by the Feds. The point though is that the high level Feds use more secure forks than what is released on GitHub or wherever, and written by the same authors. Tor is also openly run by a rabbi, where i2p is not, and it is hurt by file sharing whereas i2p is not.



>Even then, the compilers are compromised

What did he meme by this?


File: 015cf47beb354ee⋯.webm (1.81 MB, 1280x720, 16:9, ded.webm)










>What did he meme by this?

Didn't read the post, but compilers are compromised.





did he died?



That link is literally install gentoo.jpg and compile your compiler three times. Where's the proof that compilers are compromised at either the binary distribution or source code level? Since x86 CPUs and nearly every other architecture are non-deterministic, reproducible builds are near impossible. There's a lot of shit you would have to redesign to get reproducible builds like disabling OOE and the MMU.



I decided to start a new thread to answer. >>>1039291




>what is LibreSSL



CAs do not work as intended because there are too many, and they are incentivised to ruin security for profit

banning self-signed TLS as fallback is also rubbish

it's better than nothing, but it's no holy prophet



Turd polishing, that's what it is. I use it myself, but let's not kid ourselves.



>GPG is plagued by a complete idiot of a developer (Werner Koch, always make sure to write down names) to the point I wouldn't be surprised if he gets paid to sabotage it

Tell me more



His code is complete and utter spaghetti, he's as uncooperative as it gets and rather than keeping the codebase small, he keeps adding one useless shit feature after another. Compare the sizes of the GPG releases some time. If you know German, you can search Fefes Blog, the guy behind it did a personal audit of GPG (including published patches) around 2007 and wrote some stuff on the topic, but I'm sure you can find stuff in English too.

Also as a personal anecdote, when I once tried to patch out the 4096 bit RSA limit out for test purposes, I had to remove the hardcoded number 4096 from three different places or so and shitloads of code that could have been pure was linked to I/O routines for no fucking reason, in the way complete beginners tend to write garbage like this:

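#include <stdio.h>
/* I/O and arithmetic tangled in one function: the beginner pattern being criticised */
void square_number(void)
{
    int x;
    scanf("%d", &x);
    printf("%d\n", x*x);
}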



>That link is literally install gentoo.jpg and compile your compiler three times.

More like install GuixSD (or Nix), because its devs care about reproducible builds. I didn't see anything about reproducible builds nor binary bootstrapping on gentoo's wiki.

>Where's the proof that compilers are compromised at either the binary distribution or source code level?

Did you read the website carefully? Compilers can't be trusted, because the earlier version of the same compiler builds the next version. Imagine there was a bug or a malware in the first version of a compiler and it causes every program (including a compiler) to be unsafe.

Here is an example of compiler-based malware:



File: 789ab2ecda8f20d⋯.jpg (45.84 KB, 600x605, 120:121, 78e.jpg)


>full on incel nigger rage response



>compile your compiler three times

GCC has a build option to do that, but if the initial compiler is compromised, it's useless. I don't think that's intended as a mitigation for these kind of attacks.

At some point you have to assume one compiler in the chain as trusted. Maybe there's something involving old Fortran compilers on bootstrappable.org



>Fefes Blog

What I found (in my admittedly quite short search) was http://dl.fefe.de/gnupg.dif (linked on fefe.de) - is that the complete diff of all his patches? Because in https://blog.fefe.de/?ts=aa285889 he says

>Matt Green, a professor specializing in cryptography at Johns Hopkins University, said he has looked at the GnuPG source code and found it in such rough shape that he regularly assigns chunks of it to his students for review.

>Given the ramshackle state of massive GnuPG code base, it's not clear what's the best path forward. A code audit is one possibility, but such reviews typically cost a minimum of $100,000 for complex crypto programs, and it's not unheard of for the price to be double that.

Seemingly quoting Matt Green of Johns Hopkins University. He then says (translated):

>Or you're lucky and good ol' Fefe throws you a bunch of patches for free - in his spare time. And then Werner Koch decides to trash the gifted $100K patch and I have to maintain my own patch in parallel for 9 years.

<Oder man hat halt Glück und der Fefe macht das kostenlos in seiner Freizeit. Und dann schmeißt Werner Koch die geschenkten $100k den Patch weg und ich pflege 9 Jahre lang meinen Patch parallel weiter.

This seems to imply, at least jokingly (?), that it was a full audit. I haven't seen a separate article discussing what he has discovered yet, but I may have overlooked it.

In https://blog.fefe.de/?ts=aa2d1983 he says that Werner Koch didn't deserve the money he got and is basically a whiny bitch. He also says smartcards are a useless feature for 90% of the gpg users and the time could have been spent better. Most of the article is actually pretty whiny itself and mainly accuses Koch of mismanaging his own life, which led to lack of resources.



>whiny article

>accusing others of being whiny


>taking immense credit for himself (despite admittedly his students doing the work for free)

>disparaging all others as inferior

How do you not know that "Green" is a jewish surname? Never trust a kike, retard. Nearly everyone with surnames containing color words is jewish, most commonly gold, silver, green, roth (red), and schwarz (black).



How is Tor hurt by torrenting?

Why is the rabbi so important to you? Did you get nicked by your mohel?



>VPN goyim

>paying for anonymity ever

>triple jewed: paid for jew service, exposed logs to glownigs, anonymously sell data to third-parties in datamarket

>not obfuscated SSH


roundrobin AES and Camellia crypto over your Openwrt installed with shadowsocks.

Let me repeat once again:

Tor project is compromised.


TBB is Soros-compromised.


Exit nodes glow.





It's been two years since this article. Mind pointing me to something that FF blocks that something like Brave doesn't? I have both installed, just need some search/link suggestions




never mind.


What is OTR


Schizophrenia is one hell of a drug.
